# Upstream parameters for a GitLab instance
#
# Selected (main) parameters; names and advanced defaults are taken from omnibus-gitlab:
#   https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template
#   https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/attributes/default.rb
#
# TODO better autogenerate from ^^^ (?)
#
# (last updated for omnibus-gitlab 8.8.9+ce.0-g25376053)

# Instance-level GitLab settings. Key names follow the omnibus-gitlab
# attributes linked in the header of this file.
[gitlab-parameters]
# Public URL of the instance; lab.example.com is a placeholder.
# NOTE(review): the scheme is http. Unless TLS is terminated by a frontend in
# front of this service, logins and session cookies travel in cleartext.
# Confirm, and use https:// when the instance is reached directly.
configuration.external_url              = http://lab.example.com

# db advanced
# presumably the database connection pool size (upstream naming) - confirm
configuration.db_pool                   = 10

# rack-attack (request throttling)
# At most rate_limit_requests_per_period requests per rate_limit_period
# (presumably seconds, per the upstream template - confirm).
# NOTE(review): which paths are throttled and what identifies a client are
# decided by GitLab, not by this file. If a frontend proxies requests, check
# that GitLab sees the real client address; otherwise all clients may share
# one bucket.
configuration.rate_limit_requests_per_period    = 10
configuration.rate_limit_period                 = 60

configuration.time_zone                 = UTC

# Identity used for outgoing mail; the example.com addresses are placeholders.
configuration.email_enabled             = true
configuration.email_from                = lab@example.com
configuration.email_display_name        = GitLab
configuration.email_reply_to            = noreply@example.com

# Outgoing SMTP relay. Address, user name and password below are placeholders.
# NOTE(review): port 465 is conventionally implicit TLS, while
# smtp_enable_starttls_auto only governs opportunistic STARTTLS. Upstream has
# a separate smtp_tls setting that is not exposed here. Confirm that the
# session to the relay is actually encrypted with this combination.
configuration.smtp_enable               = true
configuration.smtp_address              = smtp.server
configuration.smtp_port                 = 465
configuration.smtp_user_name            = smtp user
# The real value is a secret stored in plain text: keep it out of version
# control and restrict read access to wherever it is supplied.
configuration.smtp_password             = smtp password
configuration.smtp_domain               = lab.example.com
# "login" sends the credentials only base64-encoded, so they are protected
# solely by the TLS layer of the connection.
configuration.smtp_authentication       = login
configuration.smtp_enable_starttls_auto = true

# none | peer | client_once | fail_if_no_peer_cert -> see gitlab-omnibus links at top
# "peer" verifies the relay's certificate. "none" would accept any certificate
# and leave the credentials above open to interception.
configuration.smtp_openssl_verify_mode  = peer

# Account policy defaults.
# NOTE(review): both toggles are permissive. Renaming a user also changes the
# user's namespace path, so review these on instances with untrusted users.
configuration.default_can_create_group  = true
configuration.username_changing_enabled = true
# numeric id of the default UI theme (ids are defined by GitLab)
configuration.default_theme             = 2

# Features switched on by default for newly created projects.
configuration.default_projects_features.issues          = true
configuration.default_projects_features.merge_requests  = true
configuration.default_projects_features.wiki            = true
configuration.default_projects_features.snippets        = true
# builds is left commented out, so no value is set for it by this file
#configuration.default_projects_features.builds          = false

# presumably seconds (per the upstream template); bounds how long a webhook
# delivery waits on a slow receiver
configuration.webhook_timeout           = 10

# 0 means forever (seconds)
# NOTE(review): with 0, backups are never pruned. They hold a full copy of the
# instance data, so plan storage and access control for an ever-growing set.
configuration.backup_keep_time          = 0

# NOTE empty = default gitlab limits
configuration.git_max_size              =
configuration.git_timeout               =


# sidekiq (background job workers)
configuration.sidekiq_shutdown_timeout  = 4
configuration.sidekiq_concurrency       = 25
# presumably kilobytes of resident memory (about 1 GB) before the memory
# killer restarts the worker - confirm the unit against upstream
configuration.sidekiq_memory_killer_max_rss = 1000000


# unicorn (application server workers)
# worker_timeout is presumably in seconds - confirm against upstream
configuration.unicorn_worker_timeout    = 60
configuration.unicorn_worker_processes  = 2

# unicorn advanced
# presumably the listen backlog of the unicorn socket - confirm
configuration.unicorn_backlog_socket    = 1024

# NOTE(review): these two values are arithmetic expressions, not plain numbers
# (300 MiB and 350 MiB in bytes if evaluated as Ruby). This presumably relies
# on the consuming template emitting them unquoted into the generated config.
# Confirm, and validate the value there if it can be set by an instance user.
configuration.unicorn_worker_memory_limit_min   = 300*(1024**2)
configuration.unicorn_worker_memory_limit_max   = 350*(1024**2)


# nginx
# 0 disables nginx's request body size check, so upload size is bounded only
# by whatever sits in front of nginx or by GitLab itself.
configuration.nginx_client_max_body_size    = 0

# NOTE: we don't really need old ciphers - usually we talk directly to frontend only
# NOTE(review): the list below still carries legacy suites: 3DES (the two
# DES-CBC3-SHA entries), CBC-mode SHA-1 suites, and static-RSA key exchange
# suites without forward secrecy. "!DES" excludes single DES only, not 3DES.
# Consider trimming to the ECDHE + GCM entries if every client supports them.
configuration.nginx_ssl_ciphers             = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
configuration.nginx_ssl_prefer_server_ciphers = on
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996). Keep them only if
# a known client still requires them; otherwise restrict to TLSv1.2 or newer.
configuration.nginx_ssl_protocols           = TLSv1 TLSv1.1 TLSv1.2
# the following is gitlab-omnibus default but not nginx's default
configuration.nginx_ssl_session_cache       = builtin:1000  shared:SSL:10m
configuration.nginx_ssl_session_timeout     = 5m

# Timeouts towards the proxied backend, in seconds.
# NOTE(review): nginx documents that the connect timeout usually cannot exceed
# 75 seconds, so 300 may not take full effect - confirm.
configuration.nginx_proxy_read_timeout      = 300
configuration.nginx_proxy_connect_timeout   = 300

# nginx advanced
configuration.nginx_worker_processes    = 4
configuration.nginx_worker_connections  = 10240
# The $name tokens are nginx log variables. "$request" is the full request
# line including the query string, so any secret passed as a URL parameter
# ends up in the access log. Restrict read access to the logs accordingly.
configuration.nginx_log_format          = $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
configuration.nginx_sendfile            = on
configuration.nginx_tcp_nopush          = on
configuration.nginx_tcp_nodelay         = on
# NOTE(review): gzip covers dynamic types such as application/json. Over TLS,
# compressing responses that mix secrets with attacker-influenced input is the
# precondition for compression side channels (BREACH). Confirm this is
# acceptable for this instance.
configuration.nginx_gzip                = on
configuration.nginx_gzip_http_version   = 1.0
configuration.nginx_gzip_comp_level     = 2
configuration.nginx_gzip_proxied        = any
configuration.nginx_gzip_types          = text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json
# seconds
configuration.nginx_keepalive_timeout   = 65

# TODO allow configuring trusted proxies
# The three real_ip keys below are not set by this file. Until they are, nginx
# presumably logs and forwards the frontend's address rather than the client's,
# which affects access logs, audit trails and per-IP throttling
# (rate_limit_* above). When enabling them, list only the frontend's own
# addresses as trusted; trusting a wider range lets clients forge their source
# address through the forwarded header.
# configuration.nginx_real_ip_trusted_addresses
# configuration.nginx_real_ip_header
# configuration.nginx_real_ip_recursive