# Upstream parameters for a GitLab instance
#
# Selected parameters - main ones - names and advanced defaults taken from omnibus-gitlab
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/attributes/default.rb
#
# TODO better autogenerate from ^^^ (?)
#
# (last updated for omnibus-gitlab 8.8.9+ce.0-g25376053)
#
# Layout: a single [gitlab-parameters] section; every key carries the
# "configuration." prefix. Comments are full-line "#" comments placed above
# the key they describe.
# NOTE(review): these defaults mirror an old omnibus-gitlab release; the
# TLS-related values below should be re-checked against current guidance
# before being used for a new deployment.

[gitlab-parameters]
# NOTE(review): the default URL uses plain http. The nginx_ssl_* keys below
# presumably only take effect once this is an https:// URL - confirm in the
# template that consumes this file.
configuration.external_url = http://lab.example.com

# db advanced
configuration.db_pool = 10

# rack-attack
# NOTE(review): presumably 10 requests per 60-second period - confirm the
# unit of rate_limit_period against the upstream template.
configuration.rate_limit_requests_per_period = 10
configuration.rate_limit_period = 60

configuration.time_zone = UTC

configuration.email_enabled = true
configuration.email_from = lab@example.com
configuration.email_display_name = GitLab
configuration.email_reply_to = noreply@example.com

configuration.smtp_enable = true
configuration.smtp_address = smtp.server
# NOTE(review): port 465 is conventionally implicit-TLS SMTP, while
# smtp_enable_starttls_auto (below) upgrades a plaintext session via STARTTLS;
# confirm which transport mode the relay actually expects.
configuration.smtp_port = 465
# "smtp user" / "smtp password" are placeholders.
# NOTE(review): the real SMTP credential ends up as a plain-text value of this
# key; keep the populated file out of version control and restrict who can
# read it, or supply the value from a secret store if the deployment allows.
configuration.smtp_user_name = smtp user
configuration.smtp_password = smtp password
configuration.smtp_domain = lab.example.com
configuration.smtp_authentication = login
configuration.smtp_enable_starttls_auto = true
# none | peer | client_once | fail_if_no_peer_cert -> see gitlab-omnibus links at top
# "peer" makes the mail client verify the SMTP server's certificate; "none"
# would skip that verification, so keep "peer" unless there is a documented reason.
configuration.smtp_openssl_verify_mode = peer

configuration.default_can_create_group = true
configuration.username_changing_enabled = true
configuration.default_theme = 2

configuration.default_projects_features.issues = true
configuration.default_projects_features.merge_requests = true
configuration.default_projects_features.wiki = true
configuration.default_projects_features.snippets = true
#configuration.default_projects_features.builds = false

configuration.webhook_timeout = 10

# 0 means forever (seconds)
configuration.backup_keep_time = 0

# NOTE empty = default gitlab limits
configuration.git_max_size =
configuration.git_timeout =

# sidekiq
configuration.sidekiq_shutdown_timeout = 4
configuration.sidekiq_concurrency = 25
configuration.sidekiq_memory_killer_max_rss = 1000000

# unicorn
configuration.unicorn_worker_timeout = 60
configuration.unicorn_worker_processes = 2

# unicorn advanced
configuration.unicorn_backlog_socket = 1024
# The two limits are arithmetic expressions, not plain numbers.
# NOTE(review): presumably pasted verbatim into Ruby configuration and
# evaluated there - confirm in the consuming template.
configuration.unicorn_worker_memory_limit_min = 300*(1024**2)
configuration.unicorn_worker_memory_limit_max = 350*(1024**2)

# nginx
# In nginx, client_max_body_size 0 disables the request-body size check.
# NOTE(review): with no cap here, upload size has to be bounded somewhere else
# (frontend proxy or application limits) to avoid disk/memory exhaustion.
configuration.nginx_client_max_body_size = 0
# NOTE: we don't really need old ciphers - usually we talk directly to frontend only
# NOTE(review): despite the note above, the list still names 3DES suites
# (ECDHE-RSA-DES-CBC3-SHA, DES-CBC3-SHA), CBC suites with SHA-1 MACs, and
# non-ECDHE suites that offer no forward secrecy. "!DES" in OpenSSL cipher
# syntax excludes single DES only, not 3DES. Consider trimming to the
# ECDHE + AES-GCM entries if every client is a modern frontend.
configuration.nginx_ssl_ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
configuration.nginx_ssl_prefer_server_ciphers = on
# NOTE(review): TLSv1 and TLSv1.1 are deprecated protocol versions; restrict
# this to TLSv1.2 (plus newer versions the installed nginx/OpenSSL supports)
# unless a known legacy client still depends on them.
configuration.nginx_ssl_protocols = TLSv1 TLSv1.1 TLSv1.2
# the following is gitlab-omnibus default but not nginx's default
configuration.nginx_ssl_session_cache = builtin:1000 shared:SSL:10m
configuration.nginx_ssl_session_timeout = 5m

configuration.nginx_proxy_read_timeout = 300
configuration.nginx_proxy_connect_timeout = 300

# nginx advanced
configuration.nginx_worker_processes = 4
configuration.nginx_worker_connections = 10240
# The value contains nginx "$variable" references and double quotes.
# NOTE(review): confirm the tool that renders this file passes "$name" and the
# quotes through unchanged rather than treating them as interpolation/quoting.
configuration.nginx_log_format = $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
configuration.nginx_sendfile = on
configuration.nginx_tcp_nopush = on
configuration.nginx_tcp_nodelay = on
# NOTE(review): HTTP compression of TLS-protected responses is the
# precondition for BREACH-style length side channels; review whether the
# compressed types below can carry secrets next to request-controlled content.
configuration.nginx_gzip = on
configuration.nginx_gzip_http_version = 1.0
configuration.nginx_gzip_comp_level = 2
configuration.nginx_gzip_proxied = any
configuration.nginx_gzip_types = text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json
configuration.nginx_keepalive_timeout = 65

# TODO allow configuring trusted proxies
# NOTE(review): when these become configurable, the real-IP header must be
# honoured only for connections from the listed proxy addresses; otherwise
# clients can forge the address seen in access logs and, presumably, by the
# rack-attack rate limit above.
# configuration.nginx_real_ip_trusted_addresses
# configuration.nginx_real_ip_header
# configuration.nginx_real_ip_recursive