惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

TaoSecurity Blog
TaoSecurity Blog
T
Troy Hunt's Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Vercel News
Vercel News
T
Threatpost
G
Google Developers Blog
T
Threat Research - Cisco Blogs
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
The Exploit Database - CXSecurity.com
H
Heimdal Security Blog
Google DeepMind News
Google DeepMind News
Cyberwarzone
Cyberwarzone
T
The Blog of Author Tim Ferriss
Know Your Adversary
Know Your Adversary
Hacker News: Ask HN
Hacker News: Ask HN
www.infosecurity-magazine.com
www.infosecurity-magazine.com
S
Schneier on Security
B
Blog
V2EX - 技术
V2EX - 技术
NISL@THU
NISL@THU
C
CERT Recently Published Vulnerability Notes
W
WeLiveSecurity
C
Cybersecurity and Infrastructure Security Agency CISA
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Y
Y Combinator Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Spread Privacy
Spread Privacy
The Last Watchdog
The Last Watchdog
V
Vulnerabilities – Threatpost
N
Netflix TechBlog - Medium
Schneier on Security
Schneier on Security
F
Fortinet All Blogs
N
News | PayPal Newsroom
Attack and Defense Labs
Attack and Defense Labs
Blog — PlanetScale
Blog — PlanetScale
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Microsoft Security Blog
Microsoft Security Blog
S
Security @ Cisco Blogs
人人都是产品经理
人人都是产品经理
爱范儿
爱范儿
P
Privacy & Cybersecurity Law Blog
P
Proofpoint News Feed
Project Zero
Project Zero
I
Intezer
罗磊的独立博客
H
Hackread – Cybersecurity News, Data Breaches, AI and More
酷 壳 – CoolShell
酷 壳 – CoolShell
博客园 - Franky
SecWiki News
SecWiki News
Martin Fowler
Martin Fowler

运维开发绿皮书

OBS虚拟摄像头重命名 Ubuntu备份为LiveOS 使用Powershell卸载windows默认程序 Cisco路由器OSPF配置 汽车的分类和特点 Windows11跳过TPM2.0 HTTPS 双向认证与 USB 加密锁配置实战 SSL 证书工具 字数统计 BMI 计算 颜色转换 Hash 生成器 JSON 格式化 JWT 解码 房贷计算 时间戳转换 URL 编码 UUID 生成 牛马时钟 二维码批量生成器 CKS Simulator Kubernetes 1.25 FRP TOTP验证码生成器 direct-ssh-passthrough-nat 脚本使用说明 Python软件授权 Linux命令行百度网盘 为 Containerd 配置 Harbor 无证书镜像站 Docker一键部署Meta和MetacubexD面板 必应搜索屏蔽垃圾网站 VMware的ubuntu完整安装vm-tools支持粘贴板 Docker Desktop 安装到其他位置 Dell EMC PowerEdge R740服务器内存插槽使用说明及正确安装方法 tc常用命令总结 OpenStack排错 稳定币监管与投资指南 VMware ESXi 密码恢复指南 VMware 加密 state.tgz 文件解密教程 六百万数据 MySQL count(*) 优化 使用iptables禁止特定子网访问指定端口 解决 iptables DNAT 无法转发到 127.0.0.1 的问题及安全风险分析 Linux 一键测试脚本 Gitlab批量创建用户 Ubuntu安装VNC教程 Windows11跳过微软账号登录 vue配置Nginx伪静态 Linux下Ollama开放端口 模型详解配置 修改Git提交历史中的作者信息 在PowerShell中启动Git Bash的方法 一键安装OpenVPN 大语言模型 模型架构-Transformer模型 训练相关资料 GPT&DeepSeek模型 大模型技术基础 Git Bash 中一键安装 pacman Gitlab-Runner的一些问题 Docker运行kwaivgi-liveportrait Firefox密码提取 在x86-64上构建和运行多种架构的Docker容器 flutter配置镜像站 VMware最新下载地址(纪念碑) 一键安装Conda Docker老版本runc报错无法启动 清理Rancher节点 aapanel 7.x 中文语言配置指南 Ubuntu 22 安装 Kubernetes 1.29 集群指南 Ubuntu修复CNVD-2024-4920726 GRUB锁定密码 Grub2手动引导Linux Cron在线表达式生成器 GitLab一键设置镜像源 文本字符串倒序 Windows禁用任务管理器 UOS(1070a)服务器版本部署Kubernetes1.28 Windows11恢复Windows10右键菜单 Ubuntu一键设置镜像源 CentOS 7 一键设置Vault镜像 Base64在线编码解码 代码差异对比 为Docker分配物理网卡 解密CFSSL生成的CRL数据 已经在谷底了 怎么走都是向上 GitLab统计提交代码行数Python代码 Windows11的24H2出现扩展错误 Windows绕过MicroSoft Store直接下载应用 Fossy平台离线部署分析 在WSL中移除Windows环境变量 重装MicroSoft Store Sony Xperia 10 IV(pdx225)AOSP14编译和刷机方法 pnpm在DevContainer中存储出错解决方法 从SVN迁移仓库到Git Ubuntu中移除Snap软件包 使用Netcat检测UDP端口连通性 rke2集群命令行调试方法 Ubuntu隐私优化-关闭公共门户连接检查 Cisco路由器配置ipv4和ipv6的VTY账户密码 Python实现九九乘法表 Windows10中用多网卡链路聚合来解决网卡网速瓶颈 CentOS7 安装 OpenResty
Gitlab配置详解
Paper-Dragon · 2025-08-26 · via 运维开发绿皮书

Gitlab配置文件真是又臭又长,将很多款文件合并到一个文件中,整个配置3601行,英文不太好的朋友很容易因为理解偏差误操作,下面是汉化版本的gitlab.rb文件,我已经将它完全汉化。最后记录了汉化脚本。

## GitLab配置设置
##! 此文件在初始安装期间生成,在升级过程中不会修改。
##! 查看此文件的最新版本以了解可以配置的不同设置、它们的引入时间和原因:
##! https://gitlab.com/gitlab-org/omnibus-gitlab/blame/master/files/gitlab-config-template/gitlab.rb.template

##! 在本地,可以找到与已安装版本对应的完整模板:
##! /opt/gitlab/etc/gitlab.rb.template

##! 您可以运行 `gitlab-ctl diff-config` 来比较当前 gitlab.rb 与当前运行版本的 gitlab.rb.template 的内容。

##! 您可以运行 `gitlab-ctl show-config` 来显示通过运行 `gitlab-ctl reconfigure` 将生成的配置。

##! 通常,此处指定的值应反映该属性的默认值。
##! 在某些情况下,这种行为是不可能或不希望的。例如,在提供密码或连接到第三方服务时。
##! 在这些情况下,我们努力提供一个示例配置。

## GitLab URL
##! GitLab 可访问的 URL。
##! 有关配置 external_url 的更多详细信息,请参见:
##! https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-the-external-url-for-gitlab
##!
##! 注意:在安装/升级期间,环境变量 EXTERNAL_URL 的值将用于填充/替换此值。
##! 在 AWS EC2 实例上,我们还会尝试从 AWS 获取公共主机名/IP 地址。
##! 有关更多详细信息,请参见:
##! https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
external_url 'GENERATED_EXTERNAL_URL'

## 多实例 GitLab 的角色
##! 默认情况下不启用任何角色,这会导致 GitLab 作为一体化实例运行。
##! 选项:
##!   application_role
##!   redis_sentinel_role
##!   redis_master_role
##!   redis_replica_role
##!   monitoring_role
##!   geo_primary_role
##!   geo_secondary_role
##!   postgres_role
##!   patroni_role
##!   consul_role
##!   pgbouncer_role
##!   pages_role
##!   sidekiq_role
##!   spamcheck_role
##!   gitaly_role
##! 有关每个角色的更多详细信息,请参见:
##! https://docs.gitlab.com/omnibus/roles/index.html#roles
##!
# roles ['redis_sentinel_role', 'redis_master_role']

## 图例
##! 每行开头的以下符号可用于区分此文件的组件,并使用正则表达式轻松选择它们。
##! ## 标题、副标题等
##! ##! 更多信息 - 描述、文档、链接、问题等
##! 配置设置以单个 # 后跟单个空格开头;删除它们以启用设置。

##! **以下配置设置是可选的。**


################################################################################
################################################################################
##                GitLab CE 和 EE 的配置设置                 ##
################################################################################
################################################################################

################################################################################
## gitlab.yml 配置
##! 文档: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md
################################################################################
# gitlab_rails['enable'] = true # 除非文档中明确说明,否则不要禁用

# gitlab_rails['gitlab_ssh_host'] = 'ssh.host_example.com'
# gitlab_rails['gitlab_ssh_user'] = ''
# gitlab_rails['time_zone'] = 'UTC'

### Rails 资产 / CDN 主机
###! 定义用于 Rails 资产的主机/cdn 的 URL
###! 文档: https://docs.gitlab.com/omnibus/settings/configuration.html#set-a-content-delivery-network-url
# gitlab_rails['cdn_host'] = 'https://mycdnsubdomain.fictional-cdn.com'

### 请求持续时间
###! 告诉 Rails 应用程序完成请求所需的时间
###! 此值需要低于在 puma 中设置的 worker 超时时间。
###! 默认情况下,我们允许 worker 超时时间的 95%
# gitlab_rails['max_request_duration_seconds'] = 57

### GitLab 邮件服务器设置
###! 文档: https://docs.gitlab.com/omnibus/settings/smtp.html
###! **使用 smtp 而不是 sendmail/postfix。**

# gitlab_rails['smtp_enable'] = true
# gitlab_rails['smtp_address'] = "smtp.server"
# gitlab_rails['smtp_port'] = 465
# gitlab_rails['smtp_user_name'] = "smtp user"
# gitlab_rails['smtp_password'] = "smtp password"
# gitlab_rails['smtp_domain'] = "example.com"
# gitlab_rails['smtp_authentication'] = "login"
# gitlab_rails['smtp_enable_starttls_auto'] = true
# gitlab_rails['smtp_tls'] = false
# gitlab_rails['smtp_pool'] = false

###! **可以是: 'none', 'peer', 'client_once', 'fail_if_no_peer_cert'**
###! 文档: http://api.rubyonrails.org/classes/ActionMailer/Base.html
# gitlab_rails['smtp_openssl_verify_mode'] = 'none'

# gitlab_rails['smtp_ca_path'] = "/etc/ssl/certs"
# gitlab_rails['smtp_ca_file'] = "/etc/ssl/certs/ca-certificates.crt"

### 邮件设置

# gitlab_rails['gitlab_email_enabled'] = true

###! 如果您的 SMTP 服务器不喜欢默认的 'From: gitlab@gitlab.example.com'
###! 可以通过此设置更改 'From'。
# gitlab_rails['gitlab_email_from'] = 'example@example.com'
# gitlab_rails['gitlab_email_display_name'] = 'Example'
# gitlab_rails['gitlab_email_reply_to'] = 'noreply@example.com'
# gitlab_rails['gitlab_email_subject_suffix'] = ''
# gitlab_rails['gitlab_email_smime_enabled'] = false
# gitlab_rails['gitlab_email_smime_key_file'] = '/etc/gitlab/ssl/gitlab_smime.key'
# gitlab_rails['gitlab_email_smime_cert_file'] = '/etc/gitlab/ssl/gitlab_smime.crt'
# gitlab_rails['gitlab_email_smime_ca_certs_file'] = '/etc/gitlab/ssl/gitlab_smime_cas.crt'

### GitLab 用户权限
# gitlab_rails['gitlab_username_changing_enabled'] = true

### 默认主题
###! 可用值:
###! `1`  for Indigo
###! `2`  for Dark
###! `3`  for Light
###! `4`  for Blue
###! `5`  for Green
###! `6`  for Light Indigo
###! `7`  for Light Blue
###! `8`  for Light Green
###! `9`  for Red
###! `10` for Light Red
# gitlab_rails['gitlab_default_theme'] = 2

### 默认颜色模式
### 可用值:
##! `1`  for Light mode
##! `2`  for Dark mode
##! `3`  for Auto (follow system preferences)
# gitlab_rails['gitlab_default_color_mode'] = 1

### 自定义 html 头部标签
###! 查看 https://docs.gitlab.com/ee/administration/custom_html_header_tags.html 了解更多
###! 在某些情况下需要一些自定义头部标签
###! 例如,添加欧盟 cookie 同意
###! 提示:您还必须将外部源添加到 content_security_policy 中,
###!      通常是 script_src 和 style_src。
# gitlab_rails['custom_html_header_tags'] = nil

### 默认项目功能设置
# gitlab_rails['gitlab_default_projects_features_issues'] = true
# gitlab_rails['gitlab_default_projects_features_merge_requests'] = true
# gitlab_rails['gitlab_default_projects_features_wiki'] = true
# gitlab_rails['gitlab_default_projects_features_snippets'] = true
# gitlab_rails['gitlab_default_projects_features_builds'] = true
# gitlab_rails['gitlab_default_projects_features_container_registry'] = true

### 自动关闭问题
###! 查看 https://docs.gitlab.com/ee/administration/issue_closing_pattern.html 了解更多
###! 关于此模式的信息。
# gitlab_rails['gitlab_issue_closing_pattern'] = "\b((?:[Cc]los(?:e[sd]?|ing)|\b[Ff]ix(?:e[sd]|ing)?|\b[Rr]esolv(?:e[sd]?|ing)|\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)"

### 下载位置
###! 当用户点击项目上的 "Download zip" 时,会在以下目录中创建一个临时的 zip 文件。
###! 不应与 `gitaly['configuration'].storage` 路径相同,或为其子目录。
# gitlab_rails['gitlab_repository_downloads_path'] = 'tmp/repositories'

### Gravatar 设置
# gitlab_rails['gravatar_plain_url'] = 'http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon'
# gitlab_rails['gravatar_ssl_url'] = 'https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon'

### 辅助任务
###! 定期执行的任务,用于自我修复 Gitlab,进行外部同步等。
###! 文档: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
###!       https://docs.gitlab.com/ee/ci/yaml/index.html#artifactsexpire_in
# gitlab_rails['stuck_ci_jobs_worker_cron'] = "0 0 * * *"
# gitlab_rails['expire_build_artifacts_worker_cron'] = "*/7 * * * *"
# gitlab_rails['environments_auto_stop_cron_worker_cron'] = "24 * * * *"
# gitlab_rails['pipeline_schedule_worker_cron'] = "3-59/10 * * * *"
# gitlab_rails['ci_archive_traces_cron_worker_cron'] = "17 * * * *"
# gitlab_rails['repository_check_worker_cron'] = "20 * * * *"
# gitlab_rails['admin_email_worker_cron'] = "0 0 * * 0"
# gitlab_rails['personal_access_tokens_expiring_worker_cron'] = "0 1 * * *"
# gitlab_rails['personal_access_tokens_expired_notification_worker_cron'] = "0 2 * * *"
# gitlab_rails['repository_archive_cache_worker_cron'] = "0 * * * *"
# gitlab_rails['pages_domain_verification_cron_worker'] = "*/15 * * * *"
# gitlab_rails['pages_domain_ssl_renewal_cron_worker'] = "*/10 * * * *"
# gitlab_rails['pages_domain_removal_cron_worker'] = "47 0 * * *"
# gitlab_rails['remove_unaccepted_member_invites_cron_worker'] = "10 15 * * *"
# gitlab_rails['schedule_migrate_external_diffs_worker_cron'] = "15 * * * *"
# gitlab_rails['ci_platform_metrics_update_cron_worker'] = '47 9 * * *'
# gitlab_rails['analytics_usage_trends_count_job_trigger_worker_cron'] = "50 23 */1 * *"
# gitlab_rails['member_invitation_reminder_emails_worker_cron'] = "0 0 * * *"
# gitlab_rails['user_status_cleanup_batch_worker_cron'] = "* * * * *"
# gitlab_rails['namespaces_in_product_marketing_emails_worker_cron'] = "0 9 * * *"
# gitlab_rails['ssh_keys_expired_notification_worker_cron'] = "0 2 * * *"
# gitlab_rails['ssh_keys_expiring_soon_notification_worker_cron'] = "0 1 * * *"
# gitlab_rails['loose_foreign_keys_cleanup_worker_cron'] = "*/5 * * * *"
# gitlab_rails['ci_runner_versions_reconciliation_worker_cron'] = "@daily"
# gitlab_rails['ci_runners_stale_machines_cleanup_worker_cron'] = "36 * * * *"
# gitlab_rails['ci_catalog_resources_process_sync_events_worker_cron'] = "*/1 * * * *"
# gitlab_rails['ci_click_house_finished_pipelines_sync_worker_cron'] = "*/4 * * * *"
# gitlab_rails['ci_click_house_finished_pipelines_sync_worker_args'] = [1]

### Webhook 设置
###! 发送 webhook HTTP POST 请求后等待 HTTP 响应的秒数(默认:10)
# gitlab_rails['webhook_timeout'] = 10

### HTTP 客户端设置
###! 这是用于设置相互 TLS 客户端证书和证书文件密码的。
# gitlab_rails['http_client']['tls_client_cert_file'] = nil
# gitlab_rails['http_client']['tls_client_cert_password'] = nil

### GraphQL 设置
###! 告诉 Rails 应用程序完成 GraphQL 请求所需的时间。
###! 我们建议此值高于数据库超时值且低于在 puma 中设置的 worker 超时时间。(默认:30)
# gitlab_rails['graphql_timeout'] = 30

### 受信任的代理
###! 如果您的 GitLab 位于运行在不同机器上的反向代理后面,请自定义。
###! **将反向代理的 IP 地址添加到列表中,否则用户将显示为从该地址登录。**
# gitlab_rails['trusted_proxies'] = []

### 内容安全策略
###! 如果要启用 Content-Security-Policy 头部,请自定义,这有助于阻止 JavaScript 跨站脚本(XSS)攻击。
###! 查看: https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
# gitlab_rails['content_security_policy'] = {
#  'enabled' => false,
#  'report_only' => false,
#  # 每个指令都是一个字符串(例如 "'self'")。
#  # 只有在需要自定义 CSP 指令时才需要设置此部分
#  # 查看 https://docs.gitlab.com/omnibus/settings/configuration.html#set-a-content-security-policy
#  'directives' => {
#    'base_uri' => nil,
#    'child_src' => nil,
#    'connect_src' => nil,
#    'default_src' => nil,
#    'font_src' => nil,
#    'form_action' => nil,
#    'frame_ancestors' => nil,
#    'frame_src' => nil,
#    'img_src' => nil,
#    'manifest_src' => nil,
#    'media_src' => nil,
#    'object_src' => nil,
#    'script_src' => nil,
#    'style_src' => nil,
#    'worker_src' => nil,
#    'report_uri' => nil,
#  }
# }

### 允许的主机
###! 自定义 Rails 应用程序应处理的 `host` 头部。默认情况下,允许所有。
# gitlab_rails['allowed_hosts'] = []

### 监控设置
###! 控制对监控端点访问的 IP 白名单
# gitlab_rails['monitoring_whitelist'] = ['127.0.0.0/8', '::1/128']

### 会话设置

# gitlab_rails['signed_cookie_salt'] = 'signed cookie'
# gitlab_rails['authenticated_encrypted_cookie_salt'] = 'authenticated encrypted cookie'

### 关机设置
###! 定义阻止健康检查的时间间隔,
###! 但继续接受应用程序请求。
# gitlab_rails['shutdown_blackout_seconds'] = 10

### Microsoft Graph Mailer
###! 允许使用 Microsoft Graph API 和 OAuth 2.0 客户端凭据流发送邮件。
###! 文档: https://docs.gitlab.com/omnibus/settings/microsoft_graph_mailer.html
# gitlab_rails['microsoft_graph_mailer_enabled'] = false
# gitlab_rails['microsoft_graph_mailer_user_id'] = "YOUR-USER-ID"
# gitlab_rails['microsoft_graph_mailer_tenant'] = "YOUR-TENANT-ID"
# gitlab_rails['microsoft_graph_mailer_client_id'] = "YOUR-CLIENT-ID"
# gitlab_rails['microsoft_graph_mailer_client_secret'] = "YOUR-CLIENT-SECRET-ID"
# gitlab_rails['microsoft_graph_mailer_azure_ad_endpoint'] = "https://login.microsoftonline.com"
# gitlab_rails['microsoft_graph_mailer_graph_endpoint'] = "https://graph.microsoft.com"

################################################################
## 通过邮件回复
################################################################
###! 允许用户通过回复通知邮件来评论问题和合并请求。
###! 文档: https://docs.gitlab.com/ee/administration/reply_by_email.html
# gitlab_rails['incoming_email_enabled'] = true

### 收件人邮箱地址
###! 包含 `%{key}` 占位符的邮箱地址,该占位符将被替换以引用被回复的项目。
###! **占位符可以省略,但如果存在,它必须出现在地址的 "user" 部分(`@` 之前)。**
# gitlab_rails['incoming_email_address'] = "gitlab-incoming+%{key}@gmail.com"

#### 邮箱账户用户名
####! **对于第三方提供商,这通常是完整的邮箱地址。**
####! **对于自托管邮箱服务器,这通常是邮箱地址的用户部分。**
# gitlab_rails['incoming_email_email'] = "gitlab-incoming@gmail.com"

#### 邮箱账户密码
# gitlab_rails['incoming_email_password'] = "[REDACTED]"

#### IMAP 设置
# gitlab_rails['incoming_email_host'] = "imap.gmail.com"
# gitlab_rails['incoming_email_port'] = 993
# gitlab_rails['incoming_email_ssl'] = true
# gitlab_rails['incoming_email_start_tls'] = false

#### 收件箱设置 (通过 `mail_room`)
####! 收件邮件将到达的邮箱。通常是 "inbox"。
# gitlab_rails['incoming_email_mailbox_name'] = "inbox"
####! IDLE 命令超时时间。
# gitlab_rails['incoming_email_idle_timeout'] = 60
####! 内部 `mail_room` JSON 日志文件的文件名
# gitlab_rails['incoming_email_log_file'] = "/var/log/gitlab/mailroom/mail_room_json.log"
####! 这会在投递后标记删除收件。
####! 如果您使用 Microsoft Graph API 而不是 IMAP,请将其设置为 false 以保留
####! 收件箱中的邮件,因为删除的邮件会在一段时间后自动清除。
# gitlab_rails['incoming_email_delete_after_delivery'] = true
####! 在投递后标记删除时,从邮箱中永久删除邮件
####! 仅适用于 IMAP。Microsoft Graph 将自动清除任何删除的邮件。
# gitlab_rails['incoming_email_expunge_deleted'] = false

#### 收件箱选项 (for Microsoft Graph)
# gitlab_rails['incoming_email_inbox_method'] = 'microsoft_graph'
# gitlab_rails['incoming_email_inbox_options'] = {
#    'tenant_id': 'YOUR-TENANT-ID',
#    'client_id': 'YOUR-CLIENT-ID',
#    'client_secret': 'YOUR-CLIENT-SECRET',
#    'poll_interval': 60  # 可选
# }

####! 收件邮件如何传递给 Rails 进程。接受 sidekiq 或 webhook。
####! 默认配置是 webhook。
# gitlab_rails['incoming_email_delivery_method'] = "webhook"

####! 用于验证 webhook 请求的令牌。令牌必须恰好是 32 字节,
####! 并使用 base64 编码
# gitlab_rails['incoming_email_auth_token'] = nil

####! mail_room 崩溃日志的格式
# mailroom['exit_log_format'] = "plain"

### 统一(简化)对象存储配置
###! 这使用单个凭据用于具有多个存储桶的对象存储。
###! 它还允许 Workhorse 使用自己的 S3 客户端直接上传文件,
###! 而不是使用预签名 URL。
###!
###! 仅当 object_store 部分未在类型内定义时,此配置才会生效。
###! 例如,启用 gitlab_rails['artifacts_object_store_enabled'] 或
###! gitlab_rails['lfs_object_store_enabled'] 将阻止使用统一设置。
###!
###! 确保为每种类型的对象使用不同的存储桶。
###! 文档: https://docs.gitlab.com/ee/administration/object_storage.html
# gitlab_rails['object_store']['enabled'] = false
# gitlab_rails['object_store']['connection'] = {}
# gitlab_rails['object_store']['storage_options'] = {}
# gitlab_rails['object_store']['proxy_download'] = false
# gitlab_rails['object_store']['objects']['artifacts']['bucket'] = nil
# gitlab_rails['object_store']['objects']['external_diffs']['bucket'] = nil
# gitlab_rails['object_store']['objects']['lfs']['bucket'] = nil
# gitlab_rails['object_store']['objects']['uploads']['bucket'] = nil
# gitlab_rails['object_store']['objects']['packages']['bucket'] = nil
# gitlab_rails['object_store']['objects']['dependency_proxy']['bucket'] = nil
# gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = nil
# gitlab_rails['object_store']['objects']['ci_secure_files']['bucket'] = nil
# gitlab_rails['object_store']['objects']['pages']['bucket'] = nil

### 作业产物
# gitlab_rails['artifacts_enabled'] = true
# gitlab_rails['artifacts_path'] = "/var/opt/gitlab/gitlab-rails/shared/artifacts"
###! 作业产物对象存储
###! 文档: https://docs.gitlab.com/ee/administration/job_artifacts.html#using-object-storage
# gitlab_rails['artifacts_object_store_enabled'] = false
# gitlab_rails['artifacts_object_store_proxy_download'] = false
# gitlab_rails['artifacts_object_store_remote_directory'] = "artifacts"
# gitlab_rails['artifacts_object_store_connection'] = {
#   'provider' => 'AWS',
#   'region' => 'eu-west-1',
#   'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
#   'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
#   # # 以下选项配置 S3 兼容主机而不是 AWS
#   # 'aws_signature_version' => 4, # 用于创建签名 URL。如果提供商不支持 v4,请设置为 2。
#   # 'endpoint' => 'https://s3.amazonaws.com', # 默认: nil - 适用于 S3 兼容服务如 DigitalOcean Spaces
#   # 'host' => 's3.amazonaws.com',
#   # 'path_style' => false # 使用 'host/bucket_name/object' 而不是 'bucket_name.host/object'
# }

### 外部合并请求差异
# gitlab_rails['external_diffs_enabled'] = false
# gitlab_rails['external_diffs_when'] = nil
# gitlab_rails['external_diffs_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/external-diffs"
# gitlab_rails['external_diffs_object_store_enabled'] = false
# gitlab_rails['external_diffs_object_store_proxy_download'] = false
# gitlab_rails['external_diffs_object_store_remote_directory'] = "external-diffs"
# gitlab_rails['external_diffs_object_store_connection'] = {
#   'provider' => 'AWS',
#   'region' => 'eu-west-1',
#   'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
#   'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
#   # # 以下选项配置 S3 兼容主机而不是 AWS
#   # 'aws_signature_version' => 4, # 用于创建签名 URL。如果提供商不支持 v4,请设置为 2。
#   # 'endpoint' => 'https://s3.amazonaws.com', # 默认: nil - 适用于 S3 兼容服务如 DigitalOcean Spaces
#   # 'host' => 's3.amazonaws.com',
#   # 'path_style' => false # 使用 'host/bucket_name/object' 而不是 'bucket_name.host/object'
# }

### Git LFS
# gitlab_rails['lfs_enabled'] = true
# gitlab_rails['lfs_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/lfs-objects"
# gitlab_rails['lfs_object_store_enabled'] = false
# gitlab_rails['lfs_object_store_proxy_download'] = false
# gitlab_rails['lfs_object_store_remote_directory'] = "lfs-objects"
# gitlab_rails['lfs_object_store_connection'] = {
#   'provider' => 'AWS',
#   'region' => 'eu-west-1',
#   'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
#   'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
#   # # 以下选项配置 S3 兼容主机而不是 AWS
#   # 'aws_signature_version' => 4, # 用于创建签名 URL。如果提供商不支持 v4,请设置为 2。
#   # 'endpoint' => 'https://s3.amazonaws.com', # 默认: nil - 适用于 S3 兼容服务如 DigitalOcean Spaces
#   # 'host' => 's3.amazonaws.com',
#   # 'path_style' => false # 使用 'host/bucket_name/object' 而不是 'bucket_name.host/object'
# }

### GitLab 上传
###! 文档: https://docs.gitlab.com/ee/administration/uploads.html
# gitlab_rails['uploads_directory'] = "/var/opt/gitlab/gitlab-rails/uploads"
# gitlab_rails['uploads_storage_path'] = "/opt/gitlab/embedded/service/gitlab-rails/public"
# gitlab_rails['uploads_base_dir'] = "uploads/-/system"
# gitlab_rails['uploads_object_store_enabled'] = false
# gitlab_rails['uploads_object_store_proxy_download'] = false
# gitlab_rails['uploads_object_store_remote_directory'] = "uploads"
# gitlab_rails['uploads_object_store_connection'] = {
#   'provider' => 'AWS',
#   'region' => 'eu-west-1',
#   'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
#   'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
#   # # 以下选项配置 S3 兼容主机而不是 AWS
#   # 'host' => 's3.amazonaws.com',
#   # 'aws_signature_version' => 4, # 用于创建签名 URL。如果提供商不支持 v4,请设置为 2。
#   # 'endpoint' => 'https://s3.amazonaws.com', # 默认: nil - 适用于 S3 兼容服务如 DigitalOcean Spaces
#   # 'path_style' => false # 使用 'host/bucket_name/object' 而不是 'bucket_name.host/object'
# }

### Terraform state
###! 文档: https://docs.gitlab.com/ee/administration/terraform_state
# gitlab_rails['terraform_state_enabled'] = true
# gitlab_rails['terraform_state_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/terraform_state"
# gitlab_rails['terraform_state_object_store_enabled'] = false
# gitlab_rails['terraform_state_object_store_remote_directory'] = "terraform"
# gitlab_rails['terraform_state_object_store_connection'] = {
#   'provider' => 'AWS',
#   'region' => 'eu-west-1',
#   'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
#   'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
#   # # The below options configure an S3 compatible host instead of AWS
#   # 'host' => 's3.amazonaws.com',
#   # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.
#   # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
#   # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
# }

### CI Secure Files
# gitlab_rails['ci_secure_files_enabled'] = true
# gitlab_rails['ci_secure_files_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/ci_secure_files"
# gitlab_rails['ci_secure_files_object_store_enabled'] = false
# gitlab_rails['ci_secure_files_object_store_remote_directory'] = "ci-secure-files"
# gitlab_rails['ci_secure_files_object_store_connection'] = {
#   'provider' => 'AWS',
#   'region' => 'eu-west-1',
#   'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
#   'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
#   # # The below options configure an S3 compatible host instead of AWS
#   # 'host' => 's3.amazonaws.com',
#   # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.
#   # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
#   # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
# }

### GitLab Pages
# gitlab_rails['pages_object_store_enabled'] = false
# gitlab_rails['pages_object_store_remote_directory'] = "pages"
# gitlab_rails['pages_object_store_connection'] = {
#   'provider' => 'AWS',
#   'region' => 'eu-west-1',
#   'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
#   'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
#   # # The below options configure an S3 compatible host instead of AWS
#   # 'host' => 's3.amazonaws.com',
#   # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.
#   # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
#   # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
# }
# gitlab_rails['pages_local_store_enabled'] = true
# gitlab_rails['pages_local_store_path'] = "/var/opt/gitlab/gitlab-rails/shared/pages"

### Impersonation settings
# gitlab_rails['impersonation_enabled'] = true

### Disable jQuery and CSS animations
# gitlab_rails['disable_animations'] = false

### Application settings cache expiry in seconds. (default: 60)
# gitlab_rails['application_settings_cache_seconds'] = 60

### Usage Statistics
# gitlab_rails['usage_ping_enabled'] = true

### GitLab Mattermost
###! 如果 Mattermost 安装在同一个 omnibus 实例上,这些设置无效
# gitlab_rails['mattermost_host'] = "https://mattermost.example.com"

### LDAP 设置
###! 文档: https://docs.gitlab.com/ee/administration/auth/ldap/index.html
###! **注意不要破坏 ldap_servers 块的缩进。该块为 yaml 格式,必须保留空格。使用 tab 无效。**

# gitlab_rails['ldap_enabled'] = false
# gitlab_rails['prevent_ldap_sign_in'] = false

###! **记得用下方 'EOS' 结束此块**
# gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
#   main: # 'main' is the GitLab 'provider ID' of this LDAP server
#     label: 'LDAP'
#     host: '_your_ldap_server'
#     port: 389
#     uid: 'sAMAccountName'
#     bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
#     password: '_the_password_of_the_bind_user'
#     encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
#     verify_certificates: true
#     smartcard_auth: false
#     active_directory: true
#     smartcard_ad_cert_field: 'altSecurityIdentities'
#     smartcard_ad_cert_format: null # 'issuer_and_serial_number', 'issuer_and_subject' , 'principal_name'
#     allow_username_or_email_login: false
#     lowercase_usernames: false
#     block_auto_created_users: false
#     base: ''
#     user_filter: ''
#     ## EE only
#     group_base: ''
#     admin_group: ''
#     sync_ssh_keys: false
#
#   secondary: # 'secondary' is the GitLab 'provider ID' of second LDAP server
#     label: 'LDAP'
#     host: '_your_ldap_server'
#     port: 389
#     uid: 'sAMAccountName'
#     bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
#     password: '_the_password_of_the_bind_user'
#     encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
#     verify_certificates: true
#     smartcard_auth: false
#     active_directory: true
#     smartcard_ad_cert_field: 'altSecurityIdentities'
#     smartcard_ad_cert_format: null # 'issuer_and_serial_number', 'issuer_and_subject' , 'principal_name'
#     allow_username_or_email_login: false
#     lowercase_usernames: false
#     block_auto_created_users: false
#     base: ''
#     user_filter: ''
#     ## EE only
#     group_base: ''
#     admin_group: ''
#     sync_ssh_keys: false
# EOS

### 智能卡认证设置
###! 文档: https://docs.gitlab.com/ee/administration/auth/smartcard.html
# gitlab_rails['smartcard_enabled'] = false
# gitlab_rails['smartcard_ca_file'] = "/etc/gitlab/ssl/CA.pem"
# gitlab_rails['smartcard_client_certificate_required_host'] = 'smartcard.gitlab.example.com'
# gitlab_rails['smartcard_client_certificate_required_port'] = 3444
# gitlab_rails['smartcard_required_for_git_access'] = false
# gitlab_rails['smartcard_san_extensions'] = false

### OmniAuth 设置
###! 文档: https://docs.gitlab.com/ee/integration/omniauth.html
# gitlab_rails['omniauth_enabled'] = nil
# gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
# gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
# gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']
# gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
# gitlab_rails['omniauth_block_auto_created_users'] = true
# gitlab_rails['omniauth_auto_link_ldap_user'] = false
# gitlab_rails['omniauth_auto_link_saml_user'] = false
# gitlab_rails['omniauth_auto_link_user'] = ['twitter']
# gitlab_rails['omniauth_external_providers'] = ['twitter', 'google_oauth2']
# gitlab_rails['omniauth_allow_bypass_two_factor'] = ['google_oauth2']
# gitlab_rails['omniauth_providers'] = [
#   {
#     "name" => "google_oauth2",
#     "app_id" => "YOUR APP ID",
#     "app_secret" => "YOUR APP SECRET",
#     "args" => { "access_type" => "offline", "approval_prompt" => "" }
#   }
# ]
# gitlab_rails['omniauth_cas3_session_duration'] = 28800
# gitlab_rails['omniauth_saml_message_max_byte_size'] = 250000

### OIDC 设置
# 配置自定义 ID Token 有效期(默认 120 秒)。
#! 文档: https://docs.gitlab.com/administration/auth/oidc/?tab=Linux+package+%28Omnibus%29#configure-a-custom-duration-for-id-tokens
# gitlab_rails['oidc_provider_openid_id_token_expire_in_seconds'] = 120


### JWT ID Token 设置
# 配置 CI JWT ID token 的自定义发行者 URL
# gitlab_rails['ci_id_tokens_issuer_url'] = https://example-oidc-configuration-bucket.s3.eu-north-1.amazonaws.com

### FortiAuthenticator 认证设置
# gitlab_rails['forti_authenticator_enabled'] = false
# gitlab_rails['forti_authenticator_host'] = 'forti_authenticator.example.com'
# gitlab_rails['forti_authenticator_port'] = 443
# gitlab_rails['forti_authenticator_username'] = 'admin'
# gitlab_rails['forti_authenticator_access_token'] = 's3cr3t'

### FortiToken Cloud 认证设置
# gitlab_rails['forti_token_cloud_enabled'] = false
# gitlab_rails['forti_token_cloud_client_id'] = 'forti_token_cloud_client_id'
# gitlab_rails['forti_token_cloud_client_secret'] = 's3cr3t'

### DuoAuth 认证设置
# gitlab_rails['duo_auth_enabled'] = false
# gitlab_rails['duo_auth_integration_key'] = 'duo_auth_integration_key'
# gitlab_rails['duo_auth_secret_key'] = 'duo_auth_secret_key'
# gitlab_rails['duo_auth_hostname'] = 'duo_auth.example.com'

### 备份设置
###! 文档: https://docs.gitlab.com/omnibus/settings/backups.html

# gitlab_rails['manage_backup_path'] = true
# gitlab_rails['backup_path'] = "/var/opt/gitlab/backups"
# gitlab_rails['backup_gitaly_backup_path'] = "/opt/gitlab/embedded/bin/gitaly-backup"

###! 文档: https://docs.gitlab.com/ee/administration/backup_restore/backup_gitlab.html#backup-archive-permissions
# gitlab_rails['backup_archive_permissions'] = 0644

# gitlab_rails['backup_pg_schema'] = 'public'

###! 保留备份允许删除前的秒数
# gitlab_rails['backup_keep_time'] = 604800

# gitlab_rails['backup_upload_connection'] = {
#   'provider' => 'AWS',
#   'region' => 'eu-west-1',
#   'aws_access_key_id' => 'AKIAKIAKI',
#   'aws_secret_access_key' => 'secret123',
#   # # If IAM profile use is enabled, remove aws_access_key_id and aws_secret_access_key
#   'use_iam_profile' => false
# }
# gitlab_rails['backup_upload_remote_directory'] = 'my.s3.bucket'
# gitlab_rails['backup_multipart_chunk_size'] = 104857600

###! **开启 AWS S3 服务端加密(S3 管理密钥)用于备份**
# gitlab_rails['backup_encryption'] = 'AES256'
###! 加密备份时使用的密钥。
###! 设置此值将启用客户提供密钥的服务端加密;否则使用 S3 管理密钥。
# gitlab_rails['backup_encryption_key'] = '<base64-encoded encryption key>'

###! **开启 AWS SSE-KMS(AWS 管理但客户主密钥)服务端加密
# gitlab_rails['backup_upload_storage_options'] = {
#  'server_side_encryption' => 'aws:kms',
#  'server_side_encryption_kms_key_id' => 'arn:aws:kms:YOUR-KEY-ID-HERE'
# }

###! **指定用于备份的 Amazon S3 存储类型。有效值包括 'STANDARD'、'STANDARD_IA' 和 'REDUCED_REDUNDANCY'**
# gitlab_rails['backup_storage_class'] = 'STANDARD'

###! 跳过部分备份。用逗号分隔。
###! 文档: https://docs.gitlab.com/ee/administration/backup_restore/backup_gitlab.html#excluding-specific-data-from-the-backup
#gitlab_rails['env'] = {
#    "SKIP" => "db,uploads,repositories,builds,artifacts,lfs,registry,pages"
#}

### Gitaly 设置
# gitlab_rails['gitaly_token'] = 'secret token'
# gitlab_rails['repositories_storages'] = {
#   'default' => {
#     'gitaly_address' => 'tcp://praefect-lb:2305',
#     'gitaly_token' => 'secret_token'
#   }
# }

### 用于存储 GitLab 应用上传内容,如 LFS 对象、构建产物
###! 文档: https://docs.gitlab.com/ee/development/shared_files.html
# gitlab_rails['shared_path'] = '/var/opt/gitlab/gitlab-rails/shared'

### 用于存储加密配置文件
###! 文档: https://docs.gitlab.com/ee/administration/encrypted_configuration.html
# gitlab_rails['encrypted_settings_path'] = '/var/opt/gitlab/gitlab-rails/shared/encrypted_settings'

### 等待文件系统挂载
###! 文档: https://docs.gitlab.com/omnibus/settings/configuration.html#start-linux-package-installation-services-only-after-a-given-file-system-is-mounted
# high_availability['mountpoint'] = ["/var/opt/gitlab/git-data", "/var/opt/gitlab/gitlab-rails/shared"]

### GitLab Shell 设置
# gitlab_rails['gitlab_shell_ssh_port'] = 22
# gitlab_rails['gitlab_shell_git_timeout'] = 800

### 额外自定义
# gitlab_rails['extra_google_analytics_id'] = '_your_tracking_id'
# gitlab_rails['extra_google_tag_manager_id'] = '_your_tracking_id'
# gitlab_rails['extra_one_trust_id'] = '_your_one_trust_id'
# gitlab_rails['extra_google_tag_manager_nonce_id'] = '_your_google_tag_manager_id'
# gitlab_rails['extra_bizible'] = false
# gitlab_rails['extra_matomo_url'] = '_your_matomo_url'
# gitlab_rails['extra_matomo_site_id'] = '_your_matomo_site_id'
# gitlab_rails['extra_matomo_disable_cookies'] = false
# gitlab_rails['extra_maximum_text_highlight_size_kilobytes'] = 512

##! 文档: https://docs.gitlab.com/omnibus/settings/environment-variables.html
# gitlab_rails['env'] = {
#   'BUNDLE_GEMFILE' => "/opt/gitlab/embedded/service/gitlab-rails/Gemfile",
#   'PATH' => "/opt/gitlab/bin:/opt/gitlab/embedded/bin:/bin:/usr/bin"
# }

# gitlab_rails['rack_attack_git_basic_auth'] = {
#   'enabled' => false,
#   'ip_whitelist' => ["127.0.0.1"],
#   'maxretry' => 10,
#   'findtime' => 60,
#   'bantime' => 3600
# }

# gitlab_rails['dir'] = "/var/opt/gitlab/gitlab-rails"
# gitlab_rails['log_directory'] = "/var/log/gitlab/gitlab-rails"
# gitlab_rails['log_group'] = nil

#### 更改初始默认管理员密码和共享 runner 注册令牌。
####! **仅首次初始化时有效,数据库创建并初始化后更改无效。**
# gitlab_rails['initial_root_password'] = "password"
# gitlab_rails['initial_shared_runners_registration_token'] = "token"

### 产品使用数据
# 此设置用于启用 GitLab 实例的产品使用数据。
# 仅在首次安装时读取。GitLab 运行后应在管理页面 UI 切换此设置。
# gitlab_rails['initial_gitlab_product_usage_data'] = nil

#### 是否在初始化时将 root 密码打印到 STDOUT
# gitlab_rails['display_initial_root_password'] = false

#### 是否将初始 root 密码写入 /etc/gitlab/initial_root_password
# gitlab_rails['store_initial_root_password'] = true

#### 设置初始化时使用的许可证路径。
####! **仅首次初始化时有效,后续许可证更新需通过 UI 完成。
####! 首次 reconfigure 后更新此路径无效。
# gitlab_rails['initial_license_file'] = '/etc/gitlab/company.gitlab-license'

####! 启用或禁用自动数据库迁移
# gitlab_rails['auto_migrate'] = true

####! 此为高级功能,适用于大型 GitLab 部署,RAILS 环境加载耗时较长。
# gitlab_rails['rake_cache_clear'] = true

### GitLab 数据库设置
###! 文档: https://docs.gitlab.com/omnibus/settings/database.html
###! **仅在使用外部数据库时需要。**
# gitlab_rails['db_adapter'] = "postgresql"
# gitlab_rails['db_encoding'] = "unicode"
# gitlab_rails['db_collation'] = nil
# gitlab_rails['db_database'] = "gitlabhq_production"
# gitlab_rails['db_username'] = "gitlab"
# gitlab_rails['db_password'] = nil
# gitlab_rails['db_host'] = nil
# gitlab_rails['db_port'] = 5432
# gitlab_rails['db_socket'] = nil
# gitlab_rails['db_sslmode'] = nil
# gitlab_rails['db_sslcompression'] = 0
# gitlab_rails['db_sslrootcert'] = nil
# gitlab_rails['db_sslcert'] = nil
# gitlab_rails['db_sslkey'] = nil
# gitlab_rails['db_prepared_statements'] = false
# gitlab_rails['db_statements_limit'] = 1000
# gitlab_rails['db_connect_timeout'] = nil
# gitlab_rails['db_keepalives'] = nil
# gitlab_rails['db_keepalives_idle'] = nil
# gitlab_rails['db_keepalives_interval'] = nil
# gitlab_rails['db_keepalives_count'] = nil
# gitlab_rails['db_tcp_user_timeout'] = nil
# gitlab_rails['db_application_name'] = nil
# gitlab_rails['db_database_tasks'] = true

##! 生成额外数据库配置的命令
# gitlab_rails['db_extra_config_command'] = nil

### Gitlab 分解数据库设置
###! 文档: https://docs.gitlab.com/omnibus/settings/database.html
# gitlab_rails['databases']['main']['db_database'] = 'gitlabhq_production'
# gitlab_rails['databases']['main']['database_tasks'] = true
# gitlab_rails['databases']['ci']['enable'] = true
# gitlab_rails['databases']['ci']['db_database'] = 'gitlabhq_production'
# gitlab_rails['databases']['ci']['database_tasks'] = false

### GitLab ClickHouse 连接设置
###! 实验性
# gitlab_rails['clickhouse_databases']['main']['database'] = 'dbname'
# gitlab_rails['clickhouse_databases']['main']['url'] = 'https://example.com/path'
# gitlab_rails['clickhouse_databases']['main']['username'] = 'gitlab'
# gitlab_rails['clickhouse_databases']['main']['password'] = 'password'

### GitLab Redis 设置
###! 连接自有 Redis 实例
###! 文档: https://docs.gitlab.com/omnibus/settings/redis.html

#### Redis TCP 连接
# gitlab_rails['redis_host'] = "127.0.0.1"
# gitlab_rails['redis_port'] = 6379
# gitlab_rails['redis_ssl'] = false
# gitlab_rails['redis_password'] = nil
# gitlab_rails['redis_database'] = 0
# gitlab_rails['redis_enable_client'] = true
# gitlab_rails['redis_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'
# gitlab_rails['redis_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
# gitlab_rails['redis_tls_client_cert_file'] = nil
# gitlab_rails['redis_tls_client_key_file'] = nil
# gitlab_rails['redis_connect_timeout'] = nil
# gitlab_rails['redis_read_timeout'] = nil
# gitlab_rails['redis_write_timeout'] = nil

#### Redis 本地 UNIX socket(如使用 TCP 则禁用)
# gitlab_rails['redis_socket'] = "/var/opt/gitlab/redis/redis.socket"

#### Cells
# gitlab_rails['cell'] = {
#   enabled: false,
#   id: nil,
#   database: {
#     skip_sequence_alteration: false
#   },
#   topology_service_client: {
#     address: 'topology-service.gitlab.example.com:443',
#     ca_file: 'path/to/your/ca/.pem',
#     certificate_file: 'path/to/your/cert/.pem',
#     private_key_file: 'path/to/your/key/.pem'
#   }
# }

#### 会话 cookie 设置
# gitlab_rails['session_store_session_cookie_token_prefix'] = ''

#### Sentinel 支持
####! 要启用 Sentinel,需先启用 Redis TCP 连接支持
####! 并在下方定义若干 Sentinel 主机(可靠配置建议至少 3 个主机)。
####! **无需列出所有 sentinel 主机,未列出的主机在故障转移时不会用于查询新主机。**
# gitlab_rails['redis_sentinels'] = [
#   {'host' => '127.0.0.1', 'port' => 26379},
# ]
# gitlab_rails['redis_sentinels_password'] = 'sentinel-requirepass-goes-here'

# gitlab_rails['redis_sentinel_master'] = nil
# gitlab_rails['redis_sentinel_master_ip'] = nil
# gitlab_rails['redis_sentinel_master_port'] = nil

#### 集群支持
####! 集群支持仅适用于部分 Redis 实例。为保持与 GitLab rails 应用的完全兼容,`resque.yml` 不支持集群模式。
####!
####! 要使 Redis 集群工作,您必须声明 `redis_{instance}_cluster_nodes`
####! 如果 Redis 服务器启用了 ACL,则需要 `redis_{instance}_username` 和 `redis_{instance}_password`。
# gitlab_rails['redis_xxxx_cluster_nodes'] = [
#    {'host' => '127.0.0.1', 'port' => 6379},
# ]

#### 单独实例支持
####! 文档: https://docs.gitlab.com/omnibus/settings/redis.html#running-with-multiple-redis-instances
# gitlab_rails['redis_cache_instance'] = nil
# gitlab_rails['redis_cache_sentinels'] = nil
# gitlab_rails['redis_cache_sentinels_password'] = nil
# gitlab_rails['redis_cache_username'] = nil
# gitlab_rails['redis_cache_password'] = nil
# gitlab_rails['redis_cache_cluster_nodes'] = nil
# gitlab_rails['redis_cache_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'
# gitlab_rails['redis_cache_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
# gitlab_rails['redis_cache_tls_client_cert_file'] = nil
# gitlab_rails['redis_cache_tls_client_key_file'] = nil
# gitlab_rails['redis_queues_instance'] = nil
# gitlab_rails['redis_queues_sentinels'] = nil
# gitlab_rails['redis_queues_sentinels_password'] = nil
# gitlab_rails['redis_queues_username'] = nil
# gitlab_rails['redis_queues_password'] = nil
# gitlab_rails['redis_queues_cluster_nodes'] = nil
# gitlab_rails['redis_queues_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'
# gitlab_rails['redis_queues_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
# gitlab_rails['redis_queues_tls_client_cert_file'] = nil
# gitlab_rails['redis_queues_tls_client_key_file'] = nil
# gitlab_rails['redis_shared_state_instance'] = nil
# gitlab_rails['redis_shared_state_sentinels'] = nil
# gitlab_rails['redis_shared_state_sentinels_password'] = nil
# gitlab_rails['redis_shared_state_username'] = nil
# gitlab_rails['redis_shared_state_password'] = nil
# gitlab_rails['redis_shared_state_cluster_nodes'] = nil
# gitlab_rails['redis_shared_state_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'
# gitlab_rails['redis_shared_state_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
# gitlab_rails['redis_shared_state_tls_client_cert_file'] = nil
# gitlab_rails['redis_shared_state_tls_client_key_file'] = nil
# gitlab_rails['redis_trace_chunks_instance'] = nil
# gitlab_rails['redis_trace_chunks_sentinels'] = nil
# gitlab_rails['redis_trace_chunks_sentinels_password'] = nil
# gitlab_rails['redis_trace_chunks_username'] = nil
# gitlab_rails['redis_trace_chunks_password'] = nil
# gitlab_rails['redis_trace_chunks_cluster_nodes'] = nil
# gitlab_rails['redis_trace_chunks_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'
# gitlab_rails['redis_trace_chunks_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
# gitlab_rails['redis_trace_chunks_tls_client_cert_file'] = nil
# gitlab_rails['redis_trace_chunks_tls_client_key_file'] = nil
# gitlab_rails['redis_actioncable_instance'] = nil
# gitlab_rails['redis_actioncable_sentinels'] = nil
# gitlab_rails['redis_actioncable_sentinels_password'] = nil
# gitlab_rails['redis_actioncable_username'] = nil
# gitlab_rails['redis_actioncable_password'] = nil
# gitlab_rails['redis_actioncable_cluster_nodes'] = nil
# gitlab_rails['redis_actioncable_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'
# gitlab_rails['redis_actioncable_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
# gitlab_rails['redis_actioncable_tls_client_cert_file'] = nil
# gitlab_rails['redis_actioncable_tls_client_key_file'] = nil
# gitlab_rails['redis_rate_limiting_instance'] = nil
# gitlab_rails['redis_rate_limiting_sentinels'] = nil
# gitlab_rails['redis_rate_limiting_sentinels_password'] = nil
# gitlab_rails['redis_rate_limiting_username'] = nil
# gitlab_rails['redis_rate_limiting_password'] = nil
# gitlab_rails['redis_rate_limiting_cluster_nodes'] = nil
# gitlab_rails['redis_rate_limiting_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'
# gitlab_rails['redis_rate_limiting_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
# gitlab_rails['redis_rate_limiting_tls_client_cert_file'] = nil
# gitlab_rails['redis_rate_limiting_tls_client_key_file'] = nil
# gitlab_rails['redis_sessions_instance'] = nil
# gitlab_rails['redis_sessions_sentinels'] = nil
# gitlab_rails['redis_sessions_sentinels_password'] = nil
# gitlab_rails['redis_sessions_username'] = nil
# gitlab_rails['redis_sessions_password'] = nil
# gitlab_rails['redis_sessions_cluster_nodes'] = nil
# gitlab_rails['redis_sessions_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'
# gitlab_rails['redis_sessions_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
# gitlab_rails['redis_sessions_tls_client_cert_file'] = nil
# gitlab_rails['redis_sessions_tls_client_key_file'] = nil
# gitlab_rails['redis_cluster_rate_limiting_instance'] = nil
# gitlab_rails['redis_cluster_rate_limiting_sentinels'] = nil
# gitlab_rails['redis_cluster_rate_limiting_sentinels_password'] = nil
# gitlab_rails['redis_cluster_rate_limiting_username'] = nil
# gitlab_rails['redis_cluster_rate_limiting_password'] = nil
# gitlab_rails['redis_cluster_rate_limiting_cluster_nodes'] = nil
# gitlab_rails['redis_cluster_rate_limiting_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'
# gitlab_rails['redis_cluster_rate_limiting_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
# gitlab_rails['redis_cluster_rate_limiting_tls_client_cert_file'] = nil
# gitlab_rails['redis_cluster_rate_limiting_tls_client_key_file'] = nil
# gitlab_rails['redis_repository_cache_instance'] = nil
# gitlab_rails['redis_repository_cache_sentinels'] = nil
# gitlab_rails['redis_repository_cache_sentinels_password'] = nil
# gitlab_rails['redis_repository_cache_username'] = nil
# gitlab_rails['redis_repository_cache_password'] = nil
# gitlab_rails['redis_repository_cache_cluster_nodes'] = nil
# gitlab_rails['redis_repository_cache_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'
# gitlab_rails['redis_repository_cache_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
# gitlab_rails['redis_repository_cache_tls_client_cert_file'] = nil
# gitlab_rails['redis_repository_cache_tls_client_key_file'] = nil
# gitlab_rails['redis_workhorse_instance'] = nil
# gitlab_rails['redis_workhorse_sentinels'] = nil
# gitlab_rails['redis_workhorse_sentinels_password'] = nil
# gitlab_rails['redis_workhorse_username'] = nil
# gitlab_rails['redis_workhorse_password'] = nil
# gitlab_rails['redis_workhorse_cluster_nodes'] = nil
# gitlab_rails['redis_workhorse_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'
# gitlab_rails['redis_workhorse_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
# gitlab_rails['redis_workhorse_tls_client_cert_file'] = nil
# gitlab_rails['redis_workhorse_tls_client_key_file'] = nil

# gitlab_rails['redis_workhorse_sentinel_master'] = nil

# gitlab_rails['redis_yml_override'] = nil

################################################################################
## Container Registry 设置
##! 文档: https://docs.gitlab.com/ee/administration/packages/container_registry.html
################################################################################

# registry_external_url 'https://registry.example.com'

### Settings used by GitLab application
# gitlab_rails['registry_enabled'] = true
# gitlab_rails['registry_host'] = "registry.gitlab.example.com"
# gitlab_rails['registry_port'] = "5005"
# gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry"

###! 通知密钥,用于认证发往 GitLab 应用的通知请求
###! 仅在使用外部 Registry 服务时需更改,否则
###! 会直接从 Registry 的通知设置中获取
# gitlab_rails['registry_notification_secret'] = nil

###! **除非非常清楚,否则不要更改以下 3 个设置**
# gitlab_rails['registry_api_url'] = "http://127.0.0.1:5000"
# gitlab_rails['registry_key_path'] = "/var/opt/gitlab/gitlab-rails/certificate.key"
# gitlab_rails['registry_issuer'] = "omnibus-gitlab-issuer"

### Settings used by Registry application
# registry['enable'] = true
# registry['username'] = "registry"
# registry['group'] = "registry"
# registry['uid'] = nil
# registry['gid'] = nil
# registry['dir'] = "/var/opt/gitlab/registry"
# registry['shell'] = "/usr/sbin/nologin"
# registry['registry_http_addr'] = "127.0.0.1:5000"
# registry['debug_addr'] = "localhost:5001"
# registry['log_directory'] = "/var/log/gitlab/registry"
# registry['env_directory'] = "/opt/gitlab/etc/registry/env"
# registry['env'] = {
#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/",
#   'GODEBUG' => "tlsmlkem=0",
# }
# registry['log_level'] = "info"
# registry['log_formatter'] = "text"
# registry['rootcertbundle'] = "/var/opt/gitlab/registry/certificate.crt"
# registry['health_storagedriver_enabled'] = true
# registry['middleware'] = nil
# registry['storage_delete_enabled'] = true
# registry['validation_enabled'] = false
# registry['autoredirect'] = false
# registry['compatibility_schema1_enabled'] = false

### Registry 后端存储
###! 文档: https://docs.gitlab.com/ee/administration/packages/container_registry.html#configure-storage-for-the-container-registry
# registry['storage'] = {
#   's3' => {
#     'accesskey' => 's3-access-key',
#     'secretkey' => 's3-secret-key-for-access-key',
#     'bucket' => 'your-s3-bucket',
#     'region' => 'your-s3-region',
#     'regionendpoint' => 'your-s3-regionendpoint'
#   },
#   'redirect' => {
#     'disable' => false
#   }
# }

### Registry 数据库
###! 文档: https://docs.gitlab.com/ee/administration/packages/container_registry_metadata_database.html#new-installations
# registry['auto_migrate'] = true
# registry['database'] = {
#   'enabled' => false,
#   'host' => 'localhost',
#   'port' => 5432,
#   'user' => 'registry',
#   'password' => 'registry',
#   'dbname' => 'registry',
#   'sslmode' => 'prefer',
#   'sslcert' => '/path/to/client.crt',
#   'sslkey' => '/path/to/client.key',
#   'sslrootcert' => '/path/to/root.crt',
#   'connecttimeout' => '5s',
#   'draintimeout' => '2m',
#   'preparedstatements' => false,
#   'primary' => 'primary.record.fqdn',
#   'pool' => {
#       'maxidle' => 25,
#       'maxopen' => 25,
#       'maxlifetime' => '5m'
#   }
# }

### Registry 垃圾回收
###! 文档: https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md?ref_type=heads#gc
# registry['gc'] = {
#   'disabled' => false,
#   'maxbackoff' => '24h',
#   'noidlebackoff' => false,
#   'transactiontimeout' => '10s',
#   'reviewafter' => '24h',
#   'manifests' => {
#       'disabled' => false,
#       'interval' => '5s'
#   },
#   'blobs' => {
#       'disabled' => false,
#       'interval' => '5s',
#       'storagetimeout' => '5s'
#   }
# }

### Registry 报告
###! 文档: https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md?ref_type=heads#reporting
# registry['reporting'] = {
#   'sentry' => {
#     'enabled' => true,
#     'dsn' => 'https://<key>@sentry.io/<project>',
#     'environment' => 'production'
#   }
# }

### Registry 通知端点
# registry['notifications'] = [
#   {
#     'name' => 'test_endpoint',
#     'url' => 'https://gitlab.example.com/notify2',
#     'timeout' => '500ms',
#     'threshold' => 5, # DEPRECATED: use maxretries instead https://gitlab.com/gitlab-org/container-registry/-/issues/1243
#     'maxretries' => 5,
#     'backoff' => '1s',
#     'headers' => {
#       "Authorization" => ["AUTHORIZATION_EXAMPLE_TOKEN"]
#     }
#   }
# ]
### 默认 registry 通知
# registry['default_notifications_timeout'] = "500ms"
# registry['default_notifications_threshold'] = 5
# registry['default_notifications_maxretries'] = 5
# registry['default_notifications_backoff'] = "1s"
# registry['default_notifications_headers'] = {}

### Registry Redis
# registry['redis'] = {
#   'loadbalancing' => {
#     'enabled' => true,
#     'addr' => 'localhost:16379,localhost:26379',
#     'username' => 'registry',
#     'password' => 'secret',
#     'db' => 0,
#     'dialtimeout' => '10ms',
#     'readtimeout' => '10ms',
#     'writetimeout' => '10ms',
#     'tls' => {
#       'enabled' => true,
#       'insecure' => true
#     },
#     'pool' => {
#       'size' => 10,
#       'maxlifetime' => '1h',
#       'idletimeout' => '300s'
#     }
#   }
# }


################################################################################
## Sentry 错误报告与日志
################################################################################
# gitlab_rails['sentry_enabled'] = false
# gitlab_rails['sentry_dsn'] = 'https://<key>@sentry.io/<project>'
# gitlab_rails['sentry_clientside_dsn'] = 'https://<key>@sentry.io/<project>'
# gitlab_rails['sentry_environment'] = 'production'

################################################################################
## GitLab 主力
##!文档:https://gitlab.com/gitlab-org/gitlab/-/blob/master/workhorse/README.md
################################################################################

# gitlab_workhorse['enable'] = true
# gitlab_workhorse['ha'] = false
# gitlab_workhorse['alt_document_root'] = nil

##!等待所有请求完成的持续时间(例如,“10s”表示 10秒)。默认情况下,这是禁用的,以保留现有的
##!快速关机行为。这不应设置为高于 30秒,因为 gitlab-ctl 将等待长达 30 秒(如SVWAIT 变量),如果进程没有关闭。
# gitlab_workhorse['shutdown_timeout'] = nil
# gitlab_workhorse['listen_network'] = "unix"
# gitlab_workhorse['listen_umask'] = 000
# gitlab_workhorse['listen_addr'] = "/var/opt/gitlab/gitlab-workhorse/sockets/socket"
# gitlab_workhorse['auth_backend'] = "http://localhost:8080"

##! 启用 Redis keywatcher,未设置时默认为 true
# gitlab_workhorse['workhorse_keywatcher'] = true

##! 空字符串为 gitlab-workhorse 选项解析器的默认值
# gitlab_workhorse['auth_socket'] = "''"

##! 在命令行上放置空字符串
# gitlab_workhorse['pprof_listen_addr'] = "''"

# gitlab_workhorse['prometheus_listen_addr'] = "localhost:9229"

# gitlab_workhorse['dir'] = "/var/opt/gitlab/gitlab-workhorse"
# gitlab_workhorse['log_directory'] = "/var/log/gitlab/gitlab-workhorse"
# gitlab_workhorse['proxy_headers_timeout'] = "1m0s"

##! 限制并发 API 请求数,默认 0 表示无限制
# gitlab_workhorse['api_limit'] = 0

##! 限制允许排队的 API 请求数,默认 0 表示禁用排队
# gitlab_workhorse['api_queue_limit'] = 0

##! 请求在队列中等待超时的时长
# gitlab_workhorse['api_queue_duration'] = "30s"

##! CI 任务请求 runner 的长轮询时长
# gitlab_workhorse['api_ci_long_polling_duration'] = "60s"

##! 若有则传递 X-Request-Id,否则 Workhorse 会生成随机值。
# gitlab_workhorse['propagate_correlation_id'] = false

##! 允许传递关联 ID 的 CIDR 块列表。
##! 需同时设置 propagate_correlation_id 为 true。
##! 例如:%w(127.0.0.1/32 192.168.0.1/32)
# gitlab_workhorse['trusted_cidrs_for_propagation'] = nil

##! 必须匹配远程 IP 地址的 CIDR 块列表,才能用 X-Forwarded-For HTTP 头作为实际客户端 IP。
##! 与 propagate_correlation_id 和 trusted_cidrs_for_propagation 配合使用。
##! 例如:%w(127.0.0.1/32 192.168.0.1/32)
# gitlab_workhorse['trusted_cidrs_for_x_forwarded_for'] = nil

##! 日志格式:默认 json,也可为 text 或 none。
# gitlab_workhorse['log_format'] = "json"

# gitlab_workhorse['env_directory'] = "/opt/gitlab/etc/gitlab-workhorse/env"
# gitlab_workhorse['env'] = {
#   'PATH' => "/opt/gitlab/bin:/opt/gitlab/embedded/bin:/bin:/usr/bin",
#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/".
#   'GODEBUG' => "tlsmlkem=0",
# }

##! 动态图片缩放器的资源限制。
##! 超过阈值时 Workhorse 会以原始尺寸提供图片。
##!
##! 允许并发执行的缩放进程最大数。建议不超过 CPU 数量。
# gitlab_workhorse['image_scaler_max_procs'] = 4
##!
##! 图片可缩放的最大文件大小(字节)
# gitlab_workhorse['image_scaler_max_filesize'] = 250000

##! 用于将 GitLab Workhorse 注册为 Consul 服务的服务名
# gitlab_workhorse['consul_service_name'] = 'workhorse'
##! 注册 GitLab Workhorse 为 Consul 服务时使用的语义元数据
# gitlab_workhorse['consul_service_meta'] = {}

##! Workhorse 专用 Redis 设置
##! 当 Workhorse 需使用不同于其他组件的 Redis 实例时使用。
##! 此处设置应与 `gitlab_rails['redis_workhorse_*']` 保持一致(如有设置)。如未设置,则从下方值推断。
##! `gitlab_rails['redis_workhorse_*']` 告诉 Rails 应用发布消息的 Redis,
##! `gitlab_workhorse['redis_*']` 告诉 Workhorse 订阅消息的 Redis。
##! 因此两者需一致。
# gitlab_workhorse['redis_socket'] = "/var/opt/gitlab/redis/redis.socket"
# gitlab_workhorse['redis_host'] = "127.0.0.1"
# gitlab_workhorse['redis_port'] = nil
# gitlab_workhorse['redis_database'] = nil
# gitlab_workhorse['redis_username'] = nil
# gitlab_workhorse['redis_password'] = nil
# gitlab_workhorse['redis_ssl'] = false
# gitlab_workhorse['redis_cluster_nodes'] = []
# gitlab_workhorse['redis_sentinels'] = []
# gitlab_workhorse['redis_sentinels_password'] = nil
# gitlab_workhorse['redis_sentinel_master'] = nil
# gitlab_workhorse['redis_sentinel_master_ip'] = nil
# gitlab_workhorse['redis_sentinel_master_port'] = nil

##! 生成额外配置的命令
# gitlab_workhorse['extra_config_command'] = nil

##! 元数据配置部分
# gitlab_workhorse['metadata_zip_reader_limit_bytes'] = nil

################################################################################
## GitLab 用户设置
##! 修改默认 git 用户。
##! 文档:https://docs.gitlab.com/omnibus/settings/configuration.html#change-the-name-of-the-git-user-or-group
################################################################################

# user['username'] = "git"
# user['group'] = "git"
# user['uid'] = nil
# user['gid'] = nil

##! git 用户的 shell
# user['shell'] = "/bin/sh"

##! git 用户的主目录
# user['home'] = "/var/opt/gitlab"

# user['git_user_name'] = "GitLab"
# user['git_user_email'] = "gitlab@#{node['fqdn']}"

################################################################################
## GitLab Puma
##! 调整 puma 设置。
##! 文档:https://docs.gitlab.com/ee/administration/operations/puma.html
################################################################################

# puma['enable'] = true
# puma['ha'] = false
# puma['worker_timeout'] = 60
# puma['worker_processes'] = 2
# puma['min_threads'] = 4
# puma['max_threads'] = 4

### 高级设置
# puma['listen'] = '127.0.0.1'
# puma['port'] = 8080
# puma['socket'] = '/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket'
# puma['somaxconn'] = 2048

### SSL 设置
# puma['ssl_listen'] = nil
# puma['ssl_port'] = nil
# puma['ssl_certificate'] = nil
# puma['ssl_certificate_key'] = nil
# puma['ssl_client_certificate'] = nil
# puma['ssl_cipher_filter'] = nil
# puma['ssl_key_password_command'] = nil
# puma['ssl_verify_mode'] = 'none'

# puma['pidfile'] = '/opt/gitlab/var/puma/puma.pid'
# puma['state_path'] = '/opt/gitlab/var/puma/puma.state'

###! **不建议更改此设置**
# puma['log_directory'] = "/var/log/gitlab/puma"

###! **仅在充分理解含义时更改这些设置**
###! 文档:https://github.com/schneems/puma_worker_killer
# puma['per_worker_max_memory_mb'] = 1024

# puma['exporter_enabled'] = false
# puma['exporter_address'] = "127.0.0.1"
# puma['exporter_port'] = 8083
# puma['exporter_tls_enabled'] = false
# puma['exporter_tls_cert_path'] = ""
# puma['exporter_tls_key_path'] = ""

# puma['prometheus_scrape_scheme'] = 'http'
# puma['prometheus_scrape_tls_server_name'] = 'localhost'
# puma['prometheus_scrape_tls_skip_verification'] = false

##! 用于将 Puma 注册为 Consul 服务的服务名
# puma['consul_service_name'] = 'rails'
##! 注册 Puma 为 Consul 服务时使用的语义元数据
# puma['consul_service_meta'] = {}

################################################################################
## GitLab Sidekiq
################################################################################
##! GitLab 支持启动多个 sidekiq 进程。
##! 这些进程可用于消费专用队列。
##! 可确保特定队列能处理更多工作负载。
##! https://docs.gitlab.com/ee/administration/sidekiq/extra_sidekiq_processes.html

# sidekiq['enable'] = true
# sidekiq['log_directory'] = "/var/log/gitlab/sidekiq"
# sidekiq['log_format'] = "json"
# sidekiq['shutdown_timeout'] = 4
# sidekiq['interval'] = nil
# sidekiq['concurrency'] = 20

##! GitLab 支持通过 routing rules 数组将任务路由到特定队列。
##! 每条规则为队列选择器查询和对应队列的元组。默认未配置(空数组)。
# sidekiq['routing_rules'] = []

##! queue_groups 数组每项表示需由 Sidekiq 进程处理的一组队列。
##! 多个队列可由同一进程处理,组内用逗号分隔,`*` 表示处理所有队列。
# sidekiq['queue_groups'] = ['*']

##! 指定 Sidekiq 进程的 Prometheus 指标端点。
# sidekiq['metrics_enabled'] = true
# sidekiq['exporter_log_enabled'] = false
# sidekiq['exporter_tls_enabled'] = false
# sidekiq['exporter_tls_cert_path'] = ""
# sidekiq['exporter_tls_key_path'] = ""
# sidekiq['listen_address'] = "localhost"
# sidekiq['listen_port'] = 8082

##! 指定 Sidekiq 进程的健康检查端点。
##! 默认与 Prometheus 指标设置相同(见上)。
# sidekiq['health_checks_enabled'] = true
# sidekiq['health_checks_listen_address'] = "localhost"
# sidekiq['health_checks_listen_port'] = 8092

##! 用于将 Sidekiq 注册为 Consul 服务的服务名
# sidekiq['consul_service_name'] = 'sidekiq'
##! 注册 Sidekiq 为 Consul 服务时使用的语义元数据
# sidekiq['consul_service_meta'] = {}

################################################################################
## gitlab-shell
################################################################################

# gitlab_shell['audit_usernames'] = false
# gitlab_shell['log_level'] = 'INFO'
# gitlab_shell['log_format'] = 'json'
# gitlab_shell['http_settings'] = { user: 'username', password: 'password', ca_file: '/etc/ssl/cert.pem', ca_path: '/etc/pki/tls/certs'}
# gitlab_shell['log_directory'] = "/var/log/gitlab/gitlab-shell"

# gitlab_shell['auth_file'] = "/var/opt/gitlab/.ssh/authorized_keys"

### Git trace 日志文件。
###! 设置后,git 命令会收到 GIT_TRACE* 环境变量
###! 文档:https://git-scm.com/book/en/v2/Git-Internals-Environment-Variables#_debugging
###! 绝对路径(以 / 开头)——跟踪输出会追加到该文件。
###! 需确保文件存在以检查权限,避免向用户抛出警告。
# gitlab_shell['git_trace_log_file'] = "/var/log/gitlab/gitlab-shell/gitlab-shell-git-trace.log"

##! **不建议更改此目录。**
# gitlab_shell['dir'] = "/var/opt/gitlab/gitlab-shell"

# gitlab_shell['lfs_pure_ssh_protocol'] = false
# gitlab_shell['pat'] = { enabled: true, allowed_scopes: [] }

################################################################################
## gitlab-sshd
################################################################################

# gitlab_sshd['enable'] = false
# gitlab_sshd['generate_host_keys'] = true
# gitlab_sshd['dir'] = "/var/opt/gitlab/gitlab-sshd"

###! gitlab-sshd 大部分日志输出到 /var/log/gitlab/gitlab-shell/gitlab-shell.log。
###! 此目录仅存储守护进程的 stdout/stderr 输出。
# gitlab_sshd['log_directory'] = "/var/log/gitlab/gitlab-sshd/"

# gitlab_sshd['env_directory'] = '/opt/gitlab/etc/gitlab-sshd/env'
# gitlab_sshd['listen_address'] = 'localhost:2222'
# gitlab_sshd['metrics_address'] = 'localhost:9122'
# gitlab_sshd['concurrent_sessions_limit'] = 100
# gitlab_sshd['proxy_protocol'] = false
# gitlab_sshd['proxy_policy'] = 'use'
# gitlab_sshd['proxy_header_timeout'] = '500ms'
# gitlab_sshd['grace_period'] = 55
# gitlab_sshd['client_alive_interval'] = nil
# gitlab_sshd['ciphers'] = nil
# gitlab_sshd['kex_algorithms'] = nil
# gitlab_sshd['macs'] = nil
##! 要接受的公钥算法列表。
##! 例如:%w(ssh-ed25519 ecdsa-sha2-nistp256 rsa-sha2-256 rsa-sha2-512)
# gitlab_sshd['public_key_algorithms'] = nil
# gitlab_sshd['login_grace_time'] = 60
# gitlab_sshd['host_keys_dir'] = '/var/opt/gitlab/gitlab-sshd'
# gitlab_sshd['host_keys_glob'] = 'ssh_host_*_key'
# gitlab_sshd['host_certs_dir'] = '/var/opt/gitlab/gitlab-sshd'
# gitlab_sshd['host_certs_glob'] = 'ssh_host_*-cert.pub'

################################################################
## GitLab PostgreSQL
################################################################

##! 更改以下任意设置需重启 postgresql。
##! 默认情况下,reconfigure 会重载 postgresql(如正在运行)。如更改这些设置,
##! 请在 reconfigure 后运行 `gitlab-ctl restart postgresql` 以使更改生效。
# postgresql['enable'] = true
# postgresql['listen_address'] = nil
# postgresql['port'] = 5432

##! 仅在启用 Patroni 时使用。此端口用于 PostgreSQL 响应其他集群成员。
##! Patroni 用此端口通告 PostgreSQL 连接端点。##! 连接到集群的端口。默认与 postgresql['port'] 相同。
# postgresql['connect_port'] = 5432

##! **推荐值为总内存的 1/4,最高 14GB。**
##! 对于 Docker 容器,默认 256MB,配置见 docker/assets/gitlab.rb。
##! 其他情况,默认用总内存的 1/4,配置见 files/gitlab-cookbooks/postgresql/attributes/default.rb。
# postgresql['shared_buffers'] = "256MB"

### 高级设置
# postgresql['ha'] = false
# postgresql['dir'] = "/var/opt/gitlab/postgresql"
# postgresql['log_directory'] = "/var/log/gitlab/postgresql"
# postgresql['log_destination'] = nil
# postgresql['logging_collector'] = nil
# postgresql['log_truncate_on_rotation'] = nil
# postgresql['log_rotation_age'] = nil
# postgresql['log_rotation_size'] = nil
# postgresql['log_connections'] = "off"
# postgresql['log_disconnections'] = "off"
##! 'username' 影响安装时创建的系统和 PostgreSQL 用户账户,安装后不可更改。
##! 详情见:https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/3606
# postgresql['username'] = "gitlab-psql"
# postgresql['group'] = "gitlab-psql"
##! `SQL_USER_PASSWORD_HASH` 可通过命令 `gitlab-ctl pg-password-md5 gitlab` 生成
# postgresql['sql_user_password'] = 'SQL_USER_PASSWORD_HASH'
# postgresql['uid'] = nil
# postgresql['gid'] = nil
# postgresql['shell'] = "/bin/sh"
# postgresql['home'] = "/var/opt/gitlab/postgresql"
# postgresql['user_path'] = "/opt/gitlab/embedded/bin:/opt/gitlab/bin:$PATH"
# postgresql['sql_user'] = "gitlab"
# postgresql['max_connections'] = 400
# postgresql['md5_auth_cidr_addresses'] = []
# postgresql['trust_auth_cidr_addresses'] = []
# postgresql['wal_buffers'] = "-1"
# postgresql['autovacuum_max_workers'] = "3"
# postgresql['autovacuum_freeze_max_age'] = "200000000"
# postgresql['log_statement'] = nil
# postgresql['track_activity_query_size'] = "1024"
# postgresql['shared_preload_libraries'] = nil
# postgresql['dynamic_shared_memory_type'] = nil
# postgresql['hot_standby'] = "off"

### Registry 元数据数据库设置
### 通过 GitLab 管理的 PostgreSQL 自动化支持正在开发中。
# postgresql['registry']['user'] = "registry"
# postgresql['registry']['password'] = nil
# postgresql['registry']['dbname'] = "registry"
# postgresql['registry']['auto_create'] = true

### SSL 设置
###! 详情见 https://www.postgresql.org/docs/13/static/runtime-config-connection.html#GUC-SSL-CERT-FILE
# postgresql['ssl'] = 'on'
# postgresql['hostssl'] = false
# postgresql['ssl_ciphers'] = 'HIGH:MEDIUM:+3DES:!aNULL:!SSLv3:!TLSv1'
# postgresql['ssl_cert_file'] = 'server.crt'
# postgresql['ssl_key_file'] = 'server.key'
# postgresql['ssl_ca_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
# postgresql['ssl_crl_file'] = nil
# postgresql['cert_auth_addresses'] = {
#   'ADDRESS' => {
#     database: 'gitlabhq_production',
#     user: 'gitlab'
#   }
# }

### 复制设置
###! 注意,部分复制设置无需完全重启,具体见下文。
# postgresql['wal_level'] = "hot_standby"
# postgresql['wal_log_hints'] = 'off'
# postgresql['max_wal_senders'] = 5
# postgresql['max_replication_slots'] = 0
# postgresql['max_locks_per_transaction'] = 128

### 备份/归档设置
# postgresql['archive_mode'] = "off"

###! 更改以下任意设置只需重载 postgresql,无需重启。修改后运行 reconfigure 即可。
# postgresql['work_mem'] = "16MB"
# postgresql['maintenance_work_mem'] = "16MB"
# postgresql['checkpoint_timeout'] = "5min"
# postgresql['checkpoint_completion_target'] = 0.9
# postgresql['effective_io_concurrency'] = 1
# postgresql['checkpoint_warning'] = "30s"
# postgresql['effective_cache_size'] = "1MB"
# postgresql['shmmax'] =  17179869184 # or 4294967295
# postgresql['shmall'] =  4194304 # or 1048575
# postgresql['autovacuum'] = "on"
# postgresql['log_autovacuum_min_duration'] = "-1"
# postgresql['autovacuum_naptime'] = "1min"
# postgresql['autovacuum_vacuum_threshold'] = "50"
# postgresql['autovacuum_analyze_threshold'] = "50"
# postgresql['autovacuum_vacuum_scale_factor'] = "0.02"
# postgresql['autovacuum_analyze_scale_factor'] = "0.01"
# postgresql['autovacuum_vacuum_cost_delay'] = "20ms"
# postgresql['autovacuum_vacuum_cost_limit'] = "-1"
# postgresql['statement_timeout'] = "60000"
# postgresql['idle_in_transaction_session_timeout'] = "60000"
# postgresql['log_line_prefix'] = "%a"
# postgresql['max_worker_processes'] = 8
# postgresql['max_parallel_workers_per_gather'] = 0
# postgresql['log_lock_waits'] = 1
# postgresql['deadlock_timeout'] = '5s'
# postgresql['track_io_timing'] = 0
# postgresql['default_statistics_target'] = 1000

### 可在 PostgreSQL 9.6 及更高版本中使用
# postgresql['min_wal_size'] = "80MB"
# postgresql['max_wal_size'] = "1GB"

### 备份/归档设置
# postgresql['archive_command'] = nil
# postgresql['archive_timeout'] = "0"

### 复制设置
# postgresql['sql_replication_user'] = "gitlab_replicator"
# postgresql['sql_replication_password'] = "md5 hash of postgresql password" # You can generate with `gitlab-ctl pg-password-md5 <dbuser>`
# postgresql['wal_keep_segments'] = 10
# postgresql['max_standby_archive_delay'] = "30s"
# postgresql['max_standby_streaming_delay'] = "30s"
# postgresql['synchronous_commit'] = on
# postgresql['synchronous_standby_names'] = ''
# postgresql['hot_standby_feedback'] = 'off'
# postgresql['random_page_cost'] = 2.0
# postgresql['log_temp_files'] = -1
# postgresql['log_checkpoints'] = 'off'
###! 如需向 pg_hba.conf 添加自定义项请用如下格式
# postgresql['custom_pg_hba_entries'] = {
#   APPLICATION: [ # APPLICATION 应标识设置的用途
#     {
#       type: example,
#       database: example,
#       user: example,
#       cidr: example,
#       method: example,
#       option: example
#     }
#   ]
# }
###! 详情见 https://www.postgresql.org/docs/13/static/auth-pg-hba-conf.html
###! 了解各项值的说明

### 版本设置
# 若禁用内置 PostgreSQL 但仍需使用备份 rake 任务可设置此项
# postgresql['version'] = 16


##! PostgreSQL 版本变更时自动重启服务。
# postgresql['auto_restart_on_version_change'] = true

################################################################################
## GitLab Redis
##! **如使用自有 Redis 实例可禁用此项。**
##! 文档:https://docs.gitlab.com/omnibus/settings/redis.html
################################################################################

# redis['enable'] = true
# redis['ha'] = false
# redis['start_down'] = false
# redis['set_replicaof'] = false
# redis['hz'] = 10
# redis['dir'] = "/var/opt/gitlab/redis"
# redis['log_directory'] = "/var/log/gitlab/redis"
# redis['log_group'] = nil
# redis['username'] = "gitlab-redis"
# redis['group'] = "gitlab-redis"
# redis['maxclients'] = "10000"
# redis['open_files_ulimit'] = nil # Maximum number of open files allowed for the redis process (defaults to ope
# redis['maxmemory'] = "0"
# redis['maxmemory_policy'] = "noeviction"
# redis['maxmemory_samples'] = "5"
# redis['stop_writes_on_bgsave_error'] = true
# redis['tcp_backlog'] = 511
# redis['tcp_timeout'] = "60"
# redis['tcp_keepalive'] = "300"
# redis['uid'] = nil
# redis['gid'] = nil
# redis['startup_delay'] = 0

### Redis TLS 设置
###! 通过 TLS 运行 Redis 时需指定以下设置
# redis['tls_port'] = nil
# redis['tls_cert_file'] = nil
# redis['tls_key_file'] = nil

###! 其他 TLS 相关可选设置
# redis['tls_dh_params_file'] = nil
# redis['tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'
# redis['tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
# redis['tls_auth_clients'] = 'optional'
# redis['tls_replication'] = nil
# redis['tls_cluster'] = nil
# redis['tls_protocols'] = nil
# redis['tls_ciphers'] = nil
# redis['tls_ciphersuites'] = nil
# redis['tls_prefer_server_ciphers'] = nil
# redis['tls_session_caching'] = nil
# redis['tls_session_cache_size'] = nil
# redis['tls_session_cache_timeout'] = nil

###! 禁用或混淆不必要的 redis 命令名
###! 取消注释并编辑此块以添加或移除条目。
###! 详细用法见 https://docs.gitlab.com/omnibus/settings/redis.html#renamed-commands
###!
# redis['rename_commands'] = {
#   'KEYS': ''
# }


###! 配置 runit 的 sv 命令超时时间(秒),用于管理 Redis 服务
# redis['runit_sv_timeout'] = nil

###! **如需仅在本机启用 Redis 服务,取消下面一行注释(主或副本实例类型二选一)。**
###! 文档:https://docs.gitlab.com/omnibus/settings/redis.html
###!       https://docs.gitlab.com/ee/administration/redis/replication_and_failover.html
# redis_master_role['enable'] = true
# redis_replica_role['enable'] = true

### Redis TCP 支持(会禁用 UNIX socket 传输)
# redis['bind'] = '0.0.0.0' # or specify an IP to bind to a single one
# redis['port'] = 6379
# redis['password'] = 'redis-password-goes-here'

### Redis Sentinel 支持
###! **需主副本 Redis 复制以实现故障转移**
###! **启用前请阅读文档了解注意事项:**
###! 文档:https://docs.gitlab.com/ee/administration/redis/replication_and_failover.html

### 复制支持
#### 副本 Redis 实例
# redis['master'] = false # by default this is true

#### 副本与 Sentinel 共享配置
####! **两者需指向主 Redis 实例以实现复制和心跳监控**
# redis['master_name'] = 'gitlab-redis'
# redis['master_ip'] = nil
# redis['master_port'] = 6379

#### 支持在 Docker 或 NAT 环境下运行 redis 副本
####! 文档:https://redis.io/topics/replication#configuring-replication-in-docker-and-nat
# redis['announce_ip'] = nil
# redis['announce_port'] = nil
# redis['announce_ip_from_hostname'] = false

####! **主密码需与 redis['password'] 保持一致,以便实例在故障转移时切换主/副本角色。**
# redis['master_password'] = 'redis-password-goes-here'

####! 副本跟不上主时可增大这些值
# redis['client_output_buffer_limit_normal'] = '0 0 0'
# redis['client_output_buffer_limit_replica'] = '256mb 64mb 60'
# redis['client_output_buffer_limit_pubsub'] = '32mb 8mb 60'

#####! Redis 快照频率
#####! 设为 [] 表示禁用
#####! 设为 [''] 表示清除已设值
# redis['save'] = [ '900 1', '300 10', '60 10000' ]

#####! Redis 惰性释放
#####! 默认 false
# redis['lazyfree_lazy_eviction'] = true
# redis['lazyfree_lazy_expire'] = true
# redis['lazyfree_lazy_server_del'] = true
# redis['replica_lazy_flush'] = true

#####! Redis 多线程 I/O
#####! 默认禁用
# redis['io_threads'] = 4
# redis['io_threads_do_reads'] = true

################################################################################
## GitLab Web 服务器
##! 文档:https://docs.gitlab.com/omnibus/settings/nginx.html#using-a-non-bundled-web-server
################################################################################

##! 禁用内置 nginx 时需将外部 web 服务器用户加入 GitLab web 服务器组。
# web_server['external_users'] = []
# web_server['username'] = 'gitlab-www'
# web_server['group'] = 'gitlab-www'
# web_server['uid'] = nil
# web_server['gid'] = nil
# web_server['shell'] = '/bin/false'
# web_server['home'] = '/var/opt/gitlab/nginx'

################################################################################
## GitLab NGINX
##! 文档:https://docs.gitlab.com/omnibus/settings/nginx.html
################################################################################

# nginx['enable'] = true
# nginx['client_max_body_size'] = '0'
# nginx['redirect_http_to_https'] = false
# nginx['redirect_http_to_https_port'] = 80

##! 大多数根 CA 默认已包含
# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt"

##! 启用/禁用双向 SSL 客户端认证
# nginx['ssl_verify_client'] = "off"

##! 若 ssl_verify_client 为 on,客户端证书链的验证深度
# nginx['ssl_verify_depth'] = "1"

# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
# nginx['ssl_ciphers'] = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
# nginx['ssl_prefer_server_ciphers'] = "off"

##! **推荐配置:https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
# nginx['ssl_protocols'] = "TLSv1.2 TLSv1.3"

##! **推荐配置:https://nginx.org/en/docs/http/ngx_http_ssl_module.html**
# nginx['ssl_session_cache'] = "shared:SSL:10m"

##! **推荐配置:https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&ocsp=false&guideline=5.6**
# nginx['ssl_session_tickets'] = "off"

##! **默认值参考:https://nginx.org/en/docs/http/ngx_http_ssl_module.html**
# nginx['ssl_session_timeout'] = "1d"

# nginx['ssl_dhparam'] = nil # Path to dhparams.pem, eg. /etc/gitlab/ssl/dhparams.pem
# nginx['ssl_password_file'] = nil # Path to file with passphrases for ssl certificate secret keys
# nginx['listen_addresses'] = ['*']

##! **默认强制浏览器始终使用 HTTPS 通信**
##! 文档:https://docs.gitlab.com/omnibus/settings/ssl/#configure-the-http-strict-transport-security-hsts
# nginx['hsts_max_age'] = 63072000
# nginx['hsts_include_subdomains'] = false

##! 默认跨域请求时去除路径信息
# nginx['referrer_policy'] = 'strict-origin-when-cross-origin'

##! **文档:http://nginx.org/en/docs/http/ngx_http_gzip_module.html**
# nginx['gzip_enabled'] = true

##! **仅在使用反向代理时覆盖**
##! 文档:https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-nginx-listen-port
# nginx['listen_port'] = nil

##! **仅在反向代理内部通过 HTTP 通信时覆盖**
##! 文档:https://docs.gitlab.com/omnibus/settings/ssl/#configure-a-reverse-proxy-or-load-balancer-ssl-termination
# nginx['listen_https'] = nil

##! **仅在反向代理启用 proxy protocol 时覆盖**
##! 文档:https://docs.gitlab.com/omnibus/settings/nginx.html#configuring-the-proxy-protocol
# nginx['proxy_protocol'] = false

# nginx['custom_gitlab_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n"
# nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/example.conf;"
# nginx['proxy_read_timeout'] = 3600
# nginx['proxy_connect_timeout'] = 300
# nginx['proxy_set_headers'] = {
#  "Host" => "$http_host_with_default",
#  "X-Real-IP" => "$remote_addr",
#  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
#  "Upgrade" => "$http_upgrade",
#  "Connection" => "$connection_upgrade"
# }
# nginx['proxy_cache_path'] = 'proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2'
# nginx['proxy_cache'] = 'gitlab'
# nginx['proxy_custom_buffer_size'] = nil
# nginx['http2_enabled'] = true
# nginx['real_ip_trusted_addresses'] = []
# nginx['real_ip_header'] = nil
# nginx['real_ip_recursive'] = nil
# nginx['custom_error_pages'] = {
#   '404' => {
#     'title' => 'Example title',
#     'header' => 'Example header',
#     'message' => 'Example message'
#   }
# }

### 高级设置
# nginx['dir'] = "/var/opt/gitlab/nginx"
# nginx['log_directory'] = "/var/log/gitlab/nginx"
# nginx['log_group'] = nil
# nginx['error_log_level'] = "error"
# nginx['worker_processes'] = 4
# nginx['worker_connections'] = 10240
# nginx['log_format'] = '$remote_addr - $remote_user [$time_local] "$request_method $filtered_request_uri $server_protocol" $status $body_bytes_sent "$filtered_http_referer" "$http_user_agent" $gzip_ratio'
# nginx['sendfile'] = 'on'
# nginx['tcp_nopush'] = 'on'
# nginx['tcp_nodelay'] = 'on'
# nginx['hide_server_tokens'] = 'off'
# nginx['gzip_http_version'] = "1.0"
# nginx['gzip_comp_level'] = "2"
# nginx['gzip_proxied'] = "any"
# nginx['gzip_types'] = [ "text/plain", "text/css", "application/x-javascript", "text/xml", "application/xml", "application/xml+rss", "text/javascript", "application/json" ]
# nginx['keepalive_timeout'] = 65
# nginx['keepalive_time'] = '1h'
# nginx['cache_max_size'] = '5000m'
# nginx['server_names_hash_bucket_size'] = 64
##! 这些路径禁用 proxy_request_buffering
# nginx['request_buffering_off_path_regex'] = "/api/v\\d/jobs/\\d+/artifacts$|/import/gitlab_project$|\\.git/git-receive-pack$|\\.git/ssh-receive-pack$|\\.git/ssh-upload-pack$|\\.git/gitlab-lfs/objects|\\.git/info/lfs/objects/batch$"

### Nginx 状态
# nginx['status'] = {
#  "enable" => true,
#  "listen_addresses" => ["127.0.0.1"],
#  "fqdn" => "dev.example.com",
#  "port" => 9999,
#  "vts_enable" => true,
#  "options" => {
#    "server_tokens" => "off", # Don't show the version of NGINX
#    "access_log" => "off", # Disable logs for stats
#    "allow" => "127.0.0.1", # Only allow access from localhost
#    "deny" => "all" # Deny access to anyone else
#  }
# }

##! 用于将 Nginx 注册为 Consul 服务的服务名
# nginx['consul_service_name'] = 'nginx'
##! 注册 NGINX 为 Consul 服务时使用的语义元数据
# nginx['consul_service_meta'] = {}

################################################################################
## GitLab 日志
##! 文档:https://docs.gitlab.com/omnibus/settings/logs.html
################################################################################

# logging['svlogd_size'] = 200 * 1024 * 1024 # rotate after 200 MB of log data
# logging['svlogd_num'] = 30 # keep 30 rotated log files
# logging['svlogd_timeout'] = 24 * 60 * 60 # rotate after 24 hours
# logging['svlogd_filter'] = "gzip" # compress logs with gzip
# logging['svlogd_udp'] = nil # transmit log messages via UDP
# logging['svlogd_prefix'] = nil # custom prefix for log messages
# logging['logrotate_frequency'] = "daily" # rotate logs daily
# logging['logrotate_maxsize'] = nil # rotate logs when they grow bigger than size bytes even before the specified time interval (daily, weekly, monthly, or yearly)
# logging['logrotate_size'] = nil # do not rotate by size by default
# logging['logrotate_rotate'] = 30 # keep 30 rotated logs
# logging['logrotate_compress'] = "compress" # see 'man logrotate'
# logging['logrotate_method'] = "copytruncate" # see 'man logrotate'
# logging['logrotate_postrotate'] = nil # no postrotate command by default
# logging['logrotate_dateformat'] = nil # use date extensions for rotated files rather than numbers e.g. a value of "-%Y-%m-%d" would give rotated files like production.log-2016-03-09.gz
# logging['log_group'] = nil # assign this group to specified log directories and use it for runit-managed logs, can be overridden per-service

### UDP 日志转发
##! 文档:http://docs.gitlab.com/omnibus/settings/logs.html#udp-log-forwarding

##! 通过 UDP 发送日志消息的远程主机
# logging['udp_log_shipping_host'] = nil

##! 通过 UDP 发送日志时覆盖主机名,默认使用系统主机名。
# logging['udp_log_shipping_hostname'] = nil

##! 通过 UDP 发送日志消息的远程端口
# logging['udp_log_shipping_port'] = 514


################################################################################
## Logrotate
##! 文档:https://docs.gitlab.com/omnibus/settings/logs.html#logrotate
##! 可禁用内置 logrotate 功能。
################################################################################
# logrotate['enable'] = true
# logrotate['log_directory'] = "/var/log/gitlab/logrotate"
# logrotate['log_group'] = nil

################################################################################
## 用户和组账户
##! 禁用用户和组账户管理。
##! **仅在手动创建账户时设置**
##! 文档:https://docs.gitlab.com/omnibus/settings/configuration.html#disable-user-and-group-account-management
################################################################################

# manage_accounts['enable'] = true

################################################################################
## 存储目录
##! 禁用存储目录管理
##! 文档:https://docs.gitlab.com/omnibus/settings/configuration.html#disable-storage-directories-management
################################################################################

##! **仅在手动创建目录时设置**
# manage_storage_directories['enable'] = false
# manage_storage_directories['manage_etc'] = false

################################################################################
## 运行时目录
##! 文档:https://docs.gitlab.com//omnibus/settings/configuration.html#configure-the-runtime-directory
################################################################################

# runtime_dir '/run'

################################################################################
## GitLab Pages
##! 文档:https://docs.gitlab.com/ee/administration/pages/
################################################################################

##! 定义以启用 GitLab Pages
# pages_external_url "http://pages.example.com/"
# gitlab_pages['enable'] = false

##! 配置以在外部 IP 地址上暴露 GitLab Pages,服务 HTTP
# gitlab_pages['external_http'] = []

##! 配置以在外部 IP 地址上暴露 GitLab Pages,服务 HTTPS
# gitlab_pages['external_https'] = []

##! 配置以在外部 IP 地址上通过 PROXYv2 服务 HTTPS
# gitlab_pages['external_https_proxyv2'] = []

##! 使用外部 IP 地址时配置证书
# gitlab_pages['cert'] = "/etc/gitlab/ssl/#{Gitlab['gitlab_pages']['domain']}.crt"
# gitlab_pages['cert_key'] = "/etc/gitlab/ssl/#{Gitlab['gitlab_pages']['domain']}.key"

##! 使用默认密码套件列表
# gitlab_pages['insecure_ciphers'] = false

##! 启用 GitLab Pages 健康检查端点
# gitlab_pages['status_uri'] = "/@status"

##! 调整 GitLab Pages 可处理的最大并发连接数。
##! 默认 0 表示无限制。
# gitlab_pages['max_connections'] = 0

##! 配置 GitLab Pages 接受的最大 URI 长度
##! 默认有限制以保证安全。设为 0 表示无限制
# gitlab_pages['max_uri_length'] = 2048

##! 设置 propagate_correlation_id 为 true 可让反向代理后端
##! 生成并设置关联 ID 到发往 GitLab Pages 的请求。如果反向代理
##! 设置了 X-Request-ID 头,则该值会在请求链中传递。
# gitlab_pages['propagate_correlation_id'] = false

##! 配置 GitLab Pages 使用 JSON 结构化日志
# gitlab_pages['log_format'] = "json"

##! 配置 GitLab Pages 的详细日志
# gitlab_pages['log_verbose'] = false

##! Sentry 错误报告与日志
# gitlab_pages['sentry_enabled'] = false
# gitlab_pages['sentry_dsn'] = 'https://<key>@sentry.io/<project>'
# gitlab_pages['sentry_environment'] = 'production'

##! 监听反向代理转发的请求
# gitlab_pages['listen_proxy'] = "localhost:8090"

# gitlab_pages['redirect_http'] = true
# gitlab_pages['use_http2'] = true
# gitlab_pages['dir'] = "/var/opt/gitlab/gitlab-pages"
# gitlab_pages['log_directory'] = "/var/log/gitlab/gitlab-pages"
# gitlab_pages['log_group'] = nil

# gitlab_pages['artifacts_server'] = true
# gitlab_pages['artifacts_server_url'] = nil # Defaults to external_url + '/api/v4'
# gitlab_pages['artifacts_server_timeout'] = 10

##! Pages 的 Prometheus 指标,文档:https://gitlab.com/gitlab-org/gitlab-pages/#enable-prometheus-metrics
# gitlab_pages['metrics_address'] = ":9235"

##! 指定最小 TLS 版本(“tls1.2”或“tls1.3”)
# gitlab_pages['tls_min_version'] = "tls1.2"

##! 指定最大 TLS 版本(“tls1.2”或“tls1.3”)
# gitlab_pages['tls_max_version'] = "tls1.3"

##! Pages 访问控制
# gitlab_pages['access_control'] = false
# gitlab_pages['gitlab_id'] = nil # Automatically generated if not present
# gitlab_pages['gitlab_secret'] = nil # Generated if not present
# gitlab_pages['auth_redirect_uri'] = nil # Defaults to projects subdomain of pages_external_url and + '/auth'
# gitlab_pages['gitlab_server'] = nil # Defaults to external_url
# gitlab_pages['internal_gitlab_server'] = nil # Defaults to gitlab_server, can be changed to internal load balancer
# gitlab_pages['auth_secret'] = nil # Generated if not present
# gitlab_pages['auth_scope'] = nil # Defaults to api, can be changed to read_api to increase security
# gitlab_pages['auth_timeout'] = "5s" # GitLab application client timeout for authentication
# gitlab_pages['auth_cookie_session_timeout'] = "10m" # Authentication cookie session timeout (truncated to seconds). A zero value means the cookie will be deleted after the browser session ends

##! GitLab Pages 服务器关闭超时时间
##! 时长(如“30s”表示 30 秒)
# gitlab_pages['server_shutdown_timeout'] = "30s"

##! GitLab API HTTP 客户端连接超时
# gitlab_pages['gitlab_client_http_timeout'] = "10s"

##! GitLab API JWT Token 过期时间
# gitlab_pages['gitlab_client_jwt_expiry'] = "30s"

##! 基于 API 的 Pages 配置高级设置。
##! 推荐默认值已在 GitLab Pages 内部设置。
##! 仅在确有需要时修改。

##! 域配置在缓存中存储的最长时间。
# gitlab_pages['gitlab_cache_expiry'] = "600s"
##! 域配置刷新到期的间隔(默认:60s)。
# gitlab_pages['gitlab_cache_refresh'] = "60s"
##! 过期项从缓存中移除的间隔(默认:60s)。
# gitlab_pages['gitlab_cache_cleanup'] = "60s"
##! 每次请求等待 GitLab API 响应的最长时间。
# gitlab_pages['gitlab_retrieval_timeout'] = "30s"
##! 重试解析域配置(通过 GitLab API)前的等待间隔。
# gitlab_pages['gitlab_retrieval_interval'] = "1s"
##! 解析域配置(通过 API)最大重试次数
# gitlab_pages['gitlab_retrieval_retries'] = 3

##! 为整个实例定义自定义 gitlab-pages HTTP 头
# gitlab_pages['headers'] = []

##! Pages 与 GitLab 之间认证用的共享密钥
# gitlab_pages['api_secret_key'] = nil # Will be generated if not set. Base64 encoded and exactly 32 bytes long.

##! 从 zip 压缩包服务 GitLab Pages 的高级设置。
##! 推荐默认值已在 GitLab Pages 内部设置。
##! 仅在确有需要时修改。

##! 压缩包在内存中缓存的最长时间。
# gitlab_pages['zip_cache_expiration'] = "60s"
##! zip 缓存清理间隔。
# gitlab_pages['zip_cache_cleanup'] = "30s"
##! 缓存未过期时访问会刷新缓存的间隔。
# gitlab_pages['zip_cache_refresh'] = "30s"
##! 从文件系统或对象存储打开 zip 的最长时间。
# gitlab_pages['zip_open_timeout'] = "30s"
##! Zip HTTP 客户端超时
# gitlab_pages['zip_http_client_timeout'] = "30m"

##! ReadTimeout 为读取整个请求(含 body)的最长时间。为零或负值则无超时。
# gitlab_pages['server_read_timeout'] = "5s"
##! ReadHeaderTimeout 为读取请求头的最长时间。为零或负值则无超时。
# gitlab_pages['server_read_header_timeout'] = "1s"
##! WriteTimeout 为响应写入超时的最长时间。为零或负值则无超时。
# gitlab_pages['server_write_timeout'] = "5m"
##! KeepAlive 指定此监听器接受的网络连接的 keep-alive 时长。为零则启用 keep-alive(如协议和系统支持),为负则禁用。
# gitlab_pages['server_keep_alive'] = "15s"

##! 启用从磁盘而非对象存储服务内容
# gitlab_pages['enable_disk'] = nil

##! 下方限流选项仅报告被拒绝请求,不实际拒绝。
##! 启用 `FF_ENABLE_RATE_LIMITER=true` 环境变量可拒绝请求。

##! 限流规则详见 https://docs.gitlab.com/ee/administration/pages/#rate-limits

##! 单 IP 每秒 HTTP 请求限流,0 表示禁用
# gitlab_pages['rate_limit_source_ip'] = 50.0
##! 单 IP 每秒允许的最大突发 HTTP 请求
# gitlab_pages['rate_limit_source_ip_burst'] = 600
##! 单域名每秒 HTTP 请求限流,0 表示禁用
# gitlab_pages['rate_limit_domain'] = 0
##! 单域名每秒允许的最大突发 HTTP 请求
# gitlab_pages['rate_limit_domain_burst'] = 10000

##! 单 IP 每秒新建 TLS 连接限流,0 表示禁用
# gitlab_pages['rate_limit_tls_source_ip'] = 50.0
##! 单 IP 每秒允许的最大突发 TLS 连接
# gitlab_pages['rate_limit_tls_source_ip_burst'] = 600
##! 单域名每秒新建 TLS 连接限流,0 表示禁用
# gitlab_pages['rate_limit_tls_domain'] = 0
##! 单域名每秒允许的最大突发 TLS 连接
# gitlab_pages['rate_limit_tls_domain_burst'] = 10000

##! _redirects 文件最大大小(字节)
# gitlab_pages['redirects_max_config_size'] = 65536
##! _redirects 规则 URL 允许的最大路径段数
# gitlab_pages['redirects_max_path_segments'] = 25
##! _redirects 允许的最大规则数
# gitlab_pages['redirects_max_rule_count'] = 1000

# gitlab_pages['env_directory'] = "/opt/gitlab/etc/gitlab-pages/env"
# gitlab_pages['env'] = {
#   'SSL_CERT_DIR' => "#{node['package']['install-dir']}/embedded/ssl/certs/",
#   'GODEBUG' => "tlsmlkem=0",
# }

##! 实验性 - 启用路径中的命名空间
# gitlab_pages['namespace_in_path'] = false

##! 配置 GitLab Pages 客户端证书和密钥,用于与 GitLab API 的双向 TLS
# gitlab_pages['client_cert'] = "/path/to/client.crt"
# gitlab_pages['client_key'] = "/path/to/client.key"
##! 配置用于签发客户端证书的根 CA 证书(用于 GitLab API)
# gitlab_pages['client_ca_certs'] = "/path/to/ca.crt"

################################################################################
## GitLab Pages NGINX
################################################################################

##! “GitLab Nginx”部分定义的所有设置在本节也可用,使用 `pages_nginx` 键。
##! 但这些设置需显式设置。即 `nginx['some_setting']` 不会自动复制为 `pages_nginx['some_setting']`,需单独设置。

##! 以下为仅“GitLab Pages NGINX”专属的设置
# pages_nginx['enable'] = true

# gitlab_rails['pages_path'] = "/var/opt/gitlab/gitlab-rails/shared/pages"

################################################################################
## GitLab CI
##! 文档:https://docs.gitlab.com/ee/ci/quick_start/
################################################################################

# gitlab_ci['gitlab_ci_all_broken_builds'] = true
# gitlab_ci['gitlab_ci_add_pusher'] = true
# gitlab_ci['builds_directory'] = '/var/opt/gitlab/gitlab-ci/builds'

################################################################################
## GitLab Kubernetes Agent Server
##! 文档:https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/blob/master/README.md
################################################################################

##! GitLab 应用使用的设置
# gitlab_rails['gitlab_kas_enabled'] = true
# gitlab_rails['gitlab_kas_external_url'] = 'ws://gitlab.example.com/-/kubernetes-agent/'
# gitlab_rails['gitlab_kas_internal_url'] = 'grpc://localhost:8153'
# gitlab_rails['gitlab_kas_external_k8s_proxy_url'] = 'https://gitlab.example.com/-/kubernetes-agent/k8s-proxy/'

##! GitLab KAS 的设置
# gitlab_kas_external_url "ws://gitlab.example.com/-/kubernetes-agent/"
# gitlab_kas['enable'] = true

##! GitLab KAS 的代理配置
# gitlab_kas['agent_configuration_poll_period'] = 300
# gitlab_kas['agent_info_cache_ttl'] = 300
# gitlab_kas['agent_info_cache_error_ttl'] = 60

##! KAS 与 GitLab 之间认证用的共享密钥
# gitlab_kas['api_secret_key'] = nil # Will be generated if not set. Base64 encoded and exactly 32 bytes long.

##! 多节点部署下 KAS 实例间认证用的共享密钥
# gitlab_kas['private_api_secret_key'] = nil # Will be generated if not set. Base64 encoded and exactly 32 bytes long.
#
##! WebSocket Token 签名与校验用密钥。多节点部署需共享。
# gitlab_kas['websocket_token_secret_key'] = nil # Will be generated if not set. Base64 encoded and exactly 72 bytes long.

##! GitLab KAS 的监听配置
# gitlab_kas['listen_address'] = 'localhost:8150'
# gitlab_kas['listen_network'] = 'tcp'
# gitlab_kas['listen_websocket'] = true
# gitlab_kas['certificate_file'] = "/path/to/certificate.pem"
# gitlab_kas['key_file'] = "/path/to/key.pem"
# gitlab_kas['observability_listen_network'] = 'tcp'
# gitlab_kas['observability_listen_address'] = 'localhost:8151'
# gitlab_kas['internal_api_listen_network'] = 'tcp'
# gitlab_kas['internal_api_listen_address'] = 'localhost:8153'
# gitlab_kas['internal_api_certificate_file'] = "/path/to/certificate.pem"
# gitlab_kas['internal_api_key_file'] = "/path/to/key.pem"
# gitlab_kas['kubernetes_api_listen_address'] = 'localhost:8154'
# gitlab_kas['kubernetes_api_certificate_file'] = "/path/to/certificate.pem"
# gitlab_kas['kubernetes_api_key_file'] = "/path/to/key.pem"
# gitlab_kas['private_api_listen_network'] = 'tcp'
# gitlab_kas['private_api_listen_address'] = 'localhost:8155'
# gitlab_kas['private_api_certificate_file'] = "/path/to/certificate.pem"
# gitlab_kas['private_api_key_file'] = "/path/to/key.pem"

##! GitLab KAS 的指标配置
# gitlab_kas['metrics_usage_reporting_period'] = 60

##! GitLab KAS 的日志配置
# gitlab_kas['log_level'] = 'info'
# gitlab_kas['grpc_log_level'] = 'error'

##! GitLab KAS 的环境变量
# gitlab_kas['env'] = {
#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/",
#   'GODEBUG' => "tlsmlkem=0",
#   # In a multi-node setup, this address MUST be reachable from other KAS instances. In a single-node setup,
#   # it can be on localhost for simplicity.
#   # Use OWN_PRIVATE_API_CIDR + OWN_PRIVATE_API_PORT (optional) + OWN_PRIVATE_API_SCHEME (optional) if you cannot
#   # specify a correct address for each KAS instance in OWN_PRIVATE_API_URL.
#   # 'OWN_PRIVATE_API_URL' => 'grpc://localhost:8155'
#   # 'OWN_PRIVATE_API_CIDR' => '10.0.0.0/8', # IPv4 example
#   # 'OWN_PRIVATE_API_CIDR' => '2001:db8:8a2e:370::7334/64', # IPv6 example
#   # 'OWN_PRIVATE_API_PORT' => '8155', # if not set, port from private_api_listen_address is used
#   # 'OWN_PRIVATE_API_SCHEME' => 'grpc', # use grpcs when using TLS on private API endpoint
#   # OWN_PRIVATE_API_HOST is used to verify the TLS cert hostname.
#   # Set KAS' host name if you want to use TLS for KAS->KAS communication.
#   # 'OWN_PRIVATE_API_HOST' => '<server-name-from-cert>',
# }

##! Sentry 错误报告与日志
# gitlab_kas['sentry_dsn'] = 'https://<key>@sentry.io/<project>'
# gitlab_kas['sentry_environment'] = 'production'

##! GitLab KAS 的目录
# gitlab_kas['dir'] = '/var/opt/gitlab/gitlab-kas'
# gitlab_kas['log_directory'] = '/var/log/gitlab/gitlab-kas'
# gitlab_kas['log_group'] = nil
# gitlab_kas['env_directory'] = '/opt/gitlab/etc/gitlab-kas/env'

##! GitLab KAS 的 Redis 设置
# gitlab_kas['redis_socket'] = ''
# gitlab_kas['redis_host'] = '127.0.0.1'
# gitlab_kas['redis_port'] = '6379'
# gitlab_kas['redis_password'] = nil

# gitlab_kas['redis_sentinels'] = []
# gitlab_kas['redis_sentinels_master_name'] = nil
# gitlab_kas['redis_sentinels_password'] = ''

# gitlab_kas['redis_ssl'] = false
# gitlab_kas['redis_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
# gitlab_kas['redis_tls_client_cert_file'] = nil
# gitlab_kas['redis_tls_client_key_file'] = nil

##! GitLab KAS 的工作区配置。该功能尚在开发中,暂不适用于生产环境。
# gitlab_kas['workspaces']['enabled'] = false
# gitlab_kas['workspaces']['listen']['network'] = 'tcp'
# gitlab_kas['workspaces']['listen']['address'] = 'localhost:8160'
# gitlab_kas['workspaces']['listen']['listen_grace_period'] = '1s'
# gitlab_kas['workspaces']['listen']['shutdown_grace_period'] = '200s'

##! 生成额外配置的命令
# gitlab_kas['extra_config_command'] = nil

################################################################################
## GitLab 推荐审阅人(仅限企业版)
##! 文档:https://docs.gitlab.com/ee/user/project/merge_requests/reviews/#suggested-reviewers
################################################################################

##! 推荐审阅人与 GitLab 之间认证用的共享密钥
# suggested_reviewers['api_secret_key'] = nil # Will be generated if not set. Base64 encoded and exactly 32 bytes long.

################################################################################
## GitLab Mattermost
##! 文档:https://docs.gitlab.com/ee/integration/mattermost/
################################################################################

# mattermost_external_url 'http://mattermost.example.com'

# mattermost['enable'] = false
# mattermost['username'] = 'mattermost'
# mattermost['group'] = 'mattermost'
# mattermost['uid'] = nil
# mattermost['gid'] = nil
# mattermost['home'] = '/var/opt/gitlab/mattermost'
# mattermost['database_name'] = 'mattermost_production'
# mattermost['env'] = {
#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/",
#   'GODEBUG` => "tlsmlkem=0",
# }
# mattermost['service_address'] = "127.0.0.1"
# mattermost['service_port'] = "8065"
# mattermost['service_site_url'] = nil
# mattermost['service_allowed_untrusted_internal_connections'] = ""
# mattermost['service_enable_api_team_deletion'] = true
# mattermost['team_site_name'] = "GitLab Mattermost"
# mattermost['sql_driver_name'] = 'mysql'
# mattermost['sql_data_source'] = "mmuser:mostest@tcp(dockerhost:3306)/mattermost_test?charset=utf8mb4,utf8"
# mattermost['log_file_directory'] = '/var/log/gitlab/mattermost/'
# mattermost['gitlab_enable'] = false
# mattermost['gitlab_id'] = "12345656"
# mattermost['gitlab_secret'] = "123456789"
# mattermost['gitlab_scope'] = ""
# mattermost['gitlab_auth_endpoint'] = "http://gitlab.example.com/oauth/authorize"
# mattermost['gitlab_token_endpoint'] = "http://gitlab.example.com/oauth/token"
# mattermost['gitlab_user_api_endpoint'] = "http://gitlab.example.com/api/v4/user"
# mattermost['file_directory'] = "/var/opt/gitlab/mattermost/data"
# mattermost['plugin_directory'] = "/var/opt/gitlab/mattermost/plugins"
# mattermost['plugin_client_directory'] = "/var/opt/gitlab/mattermost/client-plugins"

################################################################################
## Mattermost NGINX
################################################################################

##! “GitLab Nginx”部分定义的所有设置在本节也可用,使用 `mattermost_nginx` 键。
##! 但这些设置需显式设置。即 `nginx['some_setting']` 不会自动复制为 `mattermost_nginx['some_setting']`,需单独设置。

##! 以下为仅“Mattermost NGINX”专属的设置
# mattermost_nginx['enable'] = false

# mattermost_nginx['custom_gitlab_mattermost_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n"
# mattermost_nginx['proxy_set_headers'] = {
#   "Host" => "$http_host",
#   "X-Real-IP" => "$remote_addr",
#   "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
#   "X-Frame-Options" => "SAMEORIGIN",
#   "X-Forwarded-Proto" => "https",
#   "X-Forwarded-Ssl" => "on",
#   "Upgrade" => "$http_upgrade",
#   "Connection" => "$connection_upgrade"
# }


################################################################################
## Registry NGINX
################################################################################

##! “GitLab Nginx”部分定义的所有设置在本节也可用,使用 `registry_nginx` 键。
##! 但这些设置需显式设置。即 `nginx['some_setting']` 不会自动复制为 `registry_nginx['some_setting']`,需单独设置。

##! 以下为仅“Registry NGINX”专属的设置##! `nginx['some_setting']` 不会自动复制为
##! `registry_nginx['some_setting']`,需单独设置。

##! 以下为仅“Registry NGINX”专属的设置
# registry_nginx['enable'] = false

# registry_nginx['proxy_set_headers'] = {
#  "Host" => "$http_host",
#  "X-Real-IP" => "$remote_addr",
#  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
#  "X-Forwarded-Proto" => "https",
#  "X-Forwarded-Ssl" => "on"
# }

##! 当注册表自动启用并使用与 `external_url` 相同的域时,
##! 会监听此端口
# registry_nginx['listen_port'] = 5050

################################################################################
## Prometheus
##! 文档:https://docs.gitlab.com/ee/administration/monitoring/prometheus/
################################################################################

###! **如需仅在本机启用监控服务,请取消下面这行的注释。**
# monitoring_role['enable'] = true

# prometheus['enable'] = true
# prometheus['monitor_kubernetes'] = true
# prometheus['username'] = 'gitlab-prometheus'
# prometheus['group'] = 'gitlab-prometheus'
# prometheus['uid'] = nil
# prometheus['gid'] = nil
# prometheus['shell'] = '/bin/sh'
# prometheus['home'] = '/var/opt/gitlab/prometheus'
# prometheus['log_directory'] = '/var/log/gitlab/prometheus'
# prometheus['log_group'] = nil
# prometheus['rules_files'] = ['/var/opt/gitlab/prometheus/rules/*.rules']
# prometheus['scrape_interval'] = 15
# prometheus['scrape_timeout'] = 15
# prometheus['external_labels'] = { }
# prometheus['env_directory'] = '/opt/gitlab/etc/prometheus/env'
# prometheus['env'] = {
#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/",
#   'GODEBUG' => "tlsmlkem=0",
# }

### 自定义采集配置

###! Prometheus 可通过 scrape_configs 采集额外任务。默认会自动包含 omnibus 配置支持的所有导出器。
###!
###! 参见:https://prometheus.io/docs/operating/configuration/#scrape_config
# prometheus['scrape_configs'] = [
#   {
#     'job_name': 'example',
#     'static_configs' => [
#       'targets' => ['hostname:port'],
#     ],
#   },
# ]

### 自定义 alertmanager 配置

###! 如需配置外部 alertmanager,请创建 alertmanager 配置。
###! 参见:https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config
# prometheus['alertmanagers'] = [
#   {
#     'static_configs' => [
#       {
#         'targets' => [
#           'hostname:port'
#         ]
#       }
#     ]
#   }
# ]

### 自定义 Prometheus 参数

# prometheus['flags'] = {
#   'storage.tsdb.path' => "/var/opt/gitlab/prometheus/data",
#   'storage.tsdb.retention.time' => "15d",
#   'config.file' => "/var/opt/gitlab/prometheus/prometheus.yml"
# }

###! 高级设置。仅在确有需要时修改。
# prometheus['listen_address'] = 'localhost:9090'
#

###! 用于将 Prometheus 注册为 Consul 服务的服务名
# prometheus['consul_service_name'] = 'prometheus'
###! 注册 Prometheus 为 Consul 服务时使用的语义元数据
# prometheus['consul_service_meta'] = {}


###! **仅当 Prometheus 与 Rails 不在同一服务器时需要。**
###! 例如,在多节点架构中,Prometheus 安装在监控节点,Rails 安装在 Rails 节点。
###! https://docs.gitlab.com/ee/administration/monitoring/prometheus/index.html#using-an-external-prometheus-server
###! 此值应为 Prometheus 可被 GitLab Rails(Puma, Sidekiq) 节点访问的地址。
# gitlab_rails['prometheus_address'] = 'your.prom:9090'

################################################################################
## Prometheus Alertmanager
################################################################################

# alertmanager['enable'] = true
# alertmanager['home'] = '/var/opt/gitlab/alertmanager'
# alertmanager['log_directory'] = '/var/log/gitlab/alertmanager'
# alertmanager['log_group'] = nil
# alertmanager['admin_email'] = 'admin@example.com'
# alertmanager['flags'] = {
#   'web.listen-address' => "localhost:9093",
#   'storage.path' => "/var/opt/gitlab/alertmanager/data",
#   'config.file' => "/var/opt/gitlab/alertmanager/alertmanager.yml"
# }
# alertmanager['env_directory'] = '/opt/gitlab/etc/alertmanager/env'
# alertmanager['env'] = {
#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/",
#   'GODEBUG' => "tlsmlkem=0",
# }

##! 高级设置。仅在确有需要时修改。
# alertmanager['listen_address'] = 'localhost:9093'
# alertmanager['global'] = {}

################################################################################
## Prometheus Node Exporter
##! 文档:https://docs.gitlab.com/ee/administration/monitoring/prometheus/node_exporter.html
################################################################################

# node_exporter['enable'] = true
# node_exporter['home'] = '/var/opt/gitlab/node-exporter'
# node_exporter['log_directory'] = '/var/log/gitlab/node-exporter'
# node_exporter['log_group'] = nil
# node_exporter['flags'] = {
#   'collector.textfile.directory' => "/var/opt/gitlab/node-exporter/textfile_collector"
# }
# node_exporter['env_directory'] = '/opt/gitlab/etc/node-exporter/env'
# node_exporter['env'] = {
#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/",
#   'GODEBUG' => "tlsmlkem=0",
# }

##! 高级设置。仅在确有需要时修改。
# node_exporter['listen_address'] = 'localhost:9100'

##! 用于将 Node Exporter 注册为 Consul 服务的服务名
# node_exporter['consul_service_name'] = 'node-exporter'
##! 注册 Node Exporter 为 Consul 服务时使用的语义元数据
# node_exporter['consul_service_meta'] = {}

################################################################################
## Prometheus Redis exporter
##! 文档:https://docs.gitlab.com/ee/administration/monitoring/prometheus/redis_exporter.html
################################################################################

# redis_exporter['enable'] = true
# redis_exporter['log_directory'] = '/var/log/gitlab/redis-exporter'
# redis_exporter['log_group'] = nil
# redis_exporter['flags'] = {
#   'redis.addr' => "unix:///var/opt/gitlab/redis/redis.socket",
# }
# redis_exporter['env_directory'] = '/opt/gitlab/etc/redis-exporter/env'
# redis_exporter['env'] = {
#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/",
#   'GODEBUG' => "tlsmlkem=0",
# }

##! 高级设置。仅在确有需要时修改。
# redis_exporter['listen_address'] = 'localhost:9121'

##! 用于将 Redis Exporter 注册为 Consul 服务的服务名
# redis_exporter['consul_service_name'] = 'redis-exporter'
##! 注册 Redis Exporter 为 Consul 服务时使用的语义元数据
# redis_exporter['consul_service_meta'] = {}

################################################################################
## Prometheus Postgres exporter
##! 文档:https://docs.gitlab.com/ee/administration/monitoring/prometheus/postgres_exporter.html
################################################################################

# postgres_exporter['enable'] = true
# postgres_exporter['home'] = '/var/opt/gitlab/postgres-exporter'
# postgres_exporter['log_directory'] = '/var/log/gitlab/postgres-exporter'
# postgres_exporter['log_group'] = nil
# postgres_exporter['flags'] = {
#  'collector.stat_user_tables' => false,
#  'collector.postmaster' => true
# }
# postgres_exporter['listen_address'] = 'localhost:9187'
# postgres_exporter['env_directory'] = '/opt/gitlab/etc/postgres-exporter/env'
# postgres_exporter['env'] = {
#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/",
#   'GODEBUG' => "tlsmlkem=0",
# }
# postgres_exporter['sslmode'] = nil

##! 用于将 Postgres Exporter 注册为 Consul 服务的服务名
# postgres_exporter['consul_service_name'] = 'postgres-exporter'
##! 注册 Postgres Exporter 为 Consul 服务时使用的语义元数据
# postgres_exporter['consul_service_meta'] = {}

################################################################################
## Prometheus PgBouncer exporter(仅限企业版)
##! 文档:https://docs.gitlab.com/ee/administration/monitoring/prometheus/pgbouncer_exporter.html
################################################################################

# pgbouncer_exporter['enable'] = false
# pgbouncer_exporter['log_directory'] = "/var/log/gitlab/pgbouncer-exporter"
# pgbouncer_exporter['log_group'] = nil
# pgbouncer_exporter['listen_address'] = 'localhost:9188'
# pgbouncer_exporter['env_directory'] = '/opt/gitlab/etc/pgbouncer-exporter/env'
# pgbouncer_exporter['env'] = {
#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/",
#   'GODEBUG' => "tlsmlkem=0",
# }

################################################################################
## Prometheus Gitlab exporter
##! 文档:https://docs.gitlab.com/ee/administration/monitoring/prometheus/gitlab_exporter.html
################################################################################

# gitlab_exporter['enable'] = true
# gitlab_exporter['log_directory'] = "/var/log/gitlab/gitlab-exporter"
# gitlab_exporter['log_group'] = nil
# gitlab_exporter['home'] = "/var/opt/gitlab/gitlab-exporter"

##! 高级设置。仅在确有需要时修改。
# gitlab_exporter['server_name'] = 'webrick'
# gitlab_exporter['listen_address'] = 'localhost'
# gitlab_exporter['listen_port'] = '9168'

##! TLS 设置。
# gitlab_exporter['tls_enabled'] = false
# gitlab_exporter['tls_cert_path'] = '/etc/gitlab/ssl/gitlab-exporter.crt'
# gitlab_exporter['tls_key_path'] = '/etc/gitlab/ssl/gitlab-exporter.key'

##! Prometheus 采集相关配置
# gitlab_exporter['prometheus_scrape_scheme'] = 'http'
# gitlab_exporter['prometheus_scrape_tls_server_name'] = 'localhost'
# gitlab_exporter['prometheus_scrape_tls_skip_verification'] = false

##! 管理 gitlab-exporter sidekiq 探针。若发现 Sentinel,默认关闭。
# gitlab_exporter['probe_sidekiq'] = true

##! 管理 gitlab-exporter elasticsearch 探针。若启用安全性则添加授权头。
# gitlab_exporter['probe_elasticsearch'] = false
# gitlab_exporter['elasticsearch_url'] = 'http://localhost:9200'
# gitlab_exporter['elasticsearch_authorization'] = 'Basic <yourbase64encodedcredentials>'

##! 用于将 GitLab Exporter 注册为 Consul 服务的服务名
# gitlab_exporter['consul_service_name'] = 'gitlab-exporter'
##! 注册 GitLab Exporter 为 Consul 服务时使用的语义元数据
# gitlab_exporter['consul_service_meta'] = {}

##! 生成额外配置的命令
# gitlab_exporter['extra_config_command'] = nil

##! 如需完全禁用 prometheus 及其所有导出器,设为 false
# prometheus_monitoring['enable'] = true

################################################################################
## Gitaly
##! 文档:https://docs.gitlab.com/ee/administration/gitaly/configure_gitaly.html
################################################################################

##! gitaly['enable'] 选项用于集群部署,详见 https://docs.gitlab.com/ee/administration/gitaly/index.html。
# gitaly['enable'] = true
# gitaly['dir'] = "/var/opt/gitlab/gitaly"
# gitaly['log_group'] = nil
# gitaly['bin_path'] = "/opt/gitlab/embedded/bin/gitaly"
# gitaly['use_wrapper'] = true
# gitaly['env_directory'] = "/opt/gitlab/etc/gitaly/env"
# gitaly['env'] = {
#  'PATH' => "/opt/gitlab/bin:/opt/gitlab/embedded/bin:/bin:/usr/bin",
#  'HOME' => '/var/opt/gitlab',
#  'TZ' => ':/etc/localtime',
#  'PYTHONPATH' => "/opt/gitlab/embedded/lib/python3.9/site-packages",
#  'ICU_DATA' => "/opt/gitlab/embedded/share/icu/current",
#  'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/",
#  'WRAPPER_JSON_LOGGING' => true
#  'GODEBUG' => "tlsmlkem=0",
# }
# gitaly['gitlab_secret'] = <secret>


# gitaly['open_files_ulimit'] = 15000 # gitaly 进程允许的最大打开文件数
##! 用于将 Gitaly 注册为 Consul 服务的服务名
# gitaly['consul_service_name'] = 'gitaly'
##! 注册 Gitaly 为 Consul 服务时使用的语义元数据
# gitaly['consul_service_meta'] = {}
# gitaly['configuration'] = {
#   socket_path: '/var/opt/gitlab/gitaly/gitaly.socket',
#   runtime_dir: '/var/opt/gitlab/gitaly/run',
#   listen_addr: 'localhost:8075',
#   prometheus_listen_addr: 'localhost:9236',
#   tls_listen_addr: 'localhost:9075',
#   tls: {
#     certificate_path: '/var/opt/gitlab/gitaly/certificate.pem',
#     key_path: '/var/opt/gitlab/gitaly/key.pem',
#   },
#   graceful_restart_timeout: '1m', # Grace time for a gitaly process to finish ongoing requests
#   logging: {
#     dir: "/var/log/gitlab/gitaly",
#     level: 'warn',
#     format: 'json',
#     sentry_dsn: 'https://<key>:<secret>@sentry.io/<project>',
#     sentry_environment: 'production',
#   },
#   prometheus: {
#     grpc_latency_buckets: [0.001, 0.005, 0.025, 0.1, 0.5, 1.0, 10.0, 30.0, 60.0, 300.0, 1500.0],
#   },
#   auth: {
#     token: '<secret>',
#     transitioning: false, # When true, auth is logged to Prometheus but NOT enforced
#   },
#   git: {
#     catfile_cache_size: 100, # Number of 'git cat-file' processes kept around for re-use
#     signing_key: '/var/opt/gitlab/gitaly/signing_key.gpg',
#     ## Gitaly knows to set up the required default configuration for spawned Git
#     ## commands automatically. It should thus not be required to configure anything
#     ## here, except in very special situations where you must e.g. tweak specific
#     ## performance-related settings or enable debugging facilities. It is not safe in
#     ## general to set Git configuration that may change Git output in ways that are
#     ## unexpected by Gitaly.
#     config: [
#       { key: 'pack.threads', value: '4' },
#       { key: 'http.http://example.com.proxy', value: 'http://example.proxy.com' },
#     ],
#   },
#   gitlab: {
#     url: 'http://localhost:9999',
#     relative_url_root: '/gitlab-ee',
#   },
#   hooks: {
#     custom_hooks_dir: '/var/opt/gitlab/gitaly/custom_hooks',
#   },
#   daily_maintenance: {
#     disabled: false,
#     start_hour: 22,
#     start_minute: 30,
#     duration: '30m',
#     storages: ['default'],
#   },
#   cgroups: {
#     mountpoint: '/sys/fs/cgroup',
#     hierarchy_root: 'gitaly',
#     memory_bytes: 1048576,
#     cpu_shares: 512,
#     cpu_quota_us: 400000,
#     repositories: {
#       count: 1000,
#       memory_bytes: 12884901888,
#       cpu_shares: 128,
#       cpu_quota_us: 200000
#       max_cgroups_per_repo: 2
#     },
#   },
#   concurrency: [
#     {
#       rpc: '/gitaly.SmartHTTPService/PostReceivePack',
#       max_per_repo: 20,
#     },
#     {
#       rpc: '/gitaly.SSHService/SSHUploadPack',
#       max_per_repo: 5,
#     },
#   ],
#   rate_limiting: [
#     {
#       rpc: '/gitaly.SmartHTTPService/PostReceivePack',
#       interval: '1m',
#       burst: 10,
#     },
#     {
#       rpc: '/gitaly.SSHService/SSHUploadPack',
#       interval: '1m',
#       burst: 5,
#     },
#   ],
#   pack_objects_cache: {
#     enabled: true,
#     dir: '/var/opt/gitlab/git-data/repositories/+gitaly/PackObjectsCache',
#     max_age: '5m',
#   },
#   storage: [
#     {
#       name: 'gitaly-1',
#       path: '/var/opt/gitlab/git-data/repositories',
#     },
#   ],
# }

################################################################################
## Praefect
##! 文档:https://docs.gitlab.com/ee/administration/gitaly/praefect.html
################################################################################

# praefect['enable'] = false
# praefect['dir'] = "/var/opt/gitlab/praefect"
# praefect['log_directory'] = "/var/log/gitlab/praefect"
# praefect['log_group'] = nil
# praefect['env_directory'] = "/opt/gitlab/etc/praefect/env"
# praefect['env'] = {
#  'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/",
#  'GODEBUG' => "tlsmlkem=0",
#  'GITALY_PID_FILE' => "/var/opt/gitlab/praefect/praefect.pid",
#  'WRAPPER_JSON_LOGGING' => true
# }
# praefect['wrapper_path'] = "/opt/gitlab/embedded/bin/gitaly-wrapper"
# praefect['auto_migrate'] = true
##! 用于将 Praefect 注册为 Consul 服务的服务名
# praefect['consul_service_name'] = 'praefect'
##! 注册 Praefect 为 Consul 服务时使用的语义元数据
# praefect['consul_service_meta'] = {}
# praefect['configuration'] = {
#   listen_addr: 'localhost:2305',
#   prometheus_listen_addr: 'localhost:9652',
#   tls_listen_addr: 'localhost:3305',
#   auth: {
#     token: '',
#     transitioning: false,
#   },
#   logging: {
#     format: 'json',
#     level: 'warn',
#   },
#   failover: {
#     enabled: true,
#   },
#   background_verification: {
#     delete_invalid_records: false,
#     verification_interval: '72h',
#   },
#   reconciliation: {
#     scheduling_interval: '5m',
#     histogram_buckets: [0.001, 0.005, 0.025, 0.1, 0.5, 1.0, 10.0],
#   },
#   tls: {
#     certificate_path: '/var/opt/gitlab/prafect/certificate.pem',
#     key_path: '/var/opt/gitlab/prafect/key.pem',
#   },
#   database: {
#     host: 'postgres.external',
#     port: 6432,
#     user: 'praefect',
#     password: 'secret',
#     dbname: 'praefect_production',
#     sslmode: 'disable',
#     sslcert: '/path/to/client-cert',
#     sslkey: '/path/to/client-key',
#     sslrootcert: '/path/to/rootcert',
#     session_pooled: {
#       host: 'postgres.internal',
#       port: 5432,
#       user: 'praefect',
#       password: 'secret',
#       dbname: 'praefect_production_direct',
#       sslmode: 'disable',
#       sslcert: '/path/to/client-cert',
#       sslkey: '/path/to/client-key',
#       sslrootcert: '/path/to/rootcert',
#     },
#   },
#   sentry: {
#     sentry_dsn: 'https://<key>:<secret>@sentry.io/<project>',
#     sentry_environment: 'production',
#   },
#   prometheus: {
#     grpc_latency_buckets: [0.001, 0.005, 0.025, 0.1, 0.5, 1.0, 10.0, 30.0, 60.0, 300.0, 1500.0],
#   },
#   graceful_stop_timeout: '1m',
#   virtual_storage: [
#     {
#       name: 'default',
#       default_replication_factor: 3,
#       node: [
#         {
#           storage: 'praefect-internal-0',
#           address: 'tcp://10.23.56.78:8075',
#           token: 'abc123',
#         },
#         {
#           storage: 'praefect-internal-1',
#           address: 'tcp://10.76.23.31:8075',
#           token: 'xyz456',
#         },
#       ],
#    },
#     {
#       name: 'alternative',
#       node: [
#         {
#           storage: 'praefect-internal-2',
#           address: 'tcp://10.34.1.16:8075',
#           token: 'abc321',
#         },
#         {
#           storage: 'praefect-internal-3',
#           address: 'tcp://10.23.18.6:8075',
#           token: 'xyz890',
#         },
#       ],
#     },
#   ],
# }

################################################################################
## 存储检查
################################################################################
# storage_check['enable'] = false
# storage_check['target'] = 'unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket'
# storage_check['log_directory'] = '/var/log/gitlab/storage-check'
# storage_check['log_group'] = nil

################################################################################
## Let's Encrypt 集成
################################################################################
# letsencrypt['enable'] = nil
# letsencrypt['contact_emails'] = [] # This should be an array of email addresses to add as contacts
# letsencrypt['group'] = 'root'
# letsencrypt['key_size'] = 2048
# letsencrypt['owner'] = 'root'
# letsencrypt['wwwroot'] = '/var/opt/gitlab/nginx/www'
##! 更多设置见 https://docs.gitlab.com/omnibus/settings/ssl/index.html#renew-the-certificates-automatically
# letsencrypt['auto_renew'] = true
# letsencrypt['auto_renew_hour'] = 0
# letsencrypt['auto_renew_minute'] = nil # Should be a number or cron expression, if specified.
# letsencrypt['auto_renew_day_of_month'] = "*/4"
# letsencrypt['auto_renew_log_directory'] = '/var/log/gitlab/lets-encrypt'
# letsencrypt['alt_names'] = []

##! 关闭自动初始化系统检测。用于跳过非 docker 容器中的初始化检测。不建议更改。
# package['detect_init'] = true

##! 尝试修改内核参数。若容器相关文件系统为只读,可设为 false 跳过。
# package['modify_kernel_parameters'] = true

##! 指定 systemd 单元可创建的最大任务数
##! 若用户系统 systemd 版本支持(>= 227),将作为 TasksMax 写入单元文件。否则无效。
# package['systemd_tasks_max'] = 4915

##! 配置 GitLab systemd 单元的启动顺序。
##! 注意:除非必要,不建议更改这些值
# package['systemd_after'] = 'multi-user.target'
# package['systemd_wanted_by'] = 'multi-user.target'

##! 控制密钥生成和存储的设置
##! 注意:除非必要,不建议更改这些值
##! 设为 false 时只解析 `gitlab-secrets.json` 文件中的密钥,不生成新密钥。
# package['generate_default_secrets'] = true
##! 设为 false 时不创建默认的 `gitlab-secrets.json` 文件
# package['generate_secrets_json_file'] = true

##! 控制 SELinux 策略的设置
##! 实验性。设为 1.0 时从旧多策略模块切换为新单一 `gitlab` SELinux 策略模块。
# package['selinux_policy_version'] = nil
################################################################################
################################################################################
##                  仅适用于 GitLab EE 的配置设置                 ##
################################################################################
################################################################################


################################################################################
## 仅适用于 GitLab EE 的辅助定时任务
################################################################################

# gitlab_rails['geo_repository_sync_worker_cron'] = "*/5 * * * *"
# gitlab_rails['geo_secondary_registry_consistency_worker'] = "* * * * *"
# gitlab_rails['geo_secondary_usage_data_cron_worker'] = "0 0 * * 0"
# gitlab_rails['geo_prune_event_log_worker_cron'] = "*/5 * * * *"
# gitlab_rails['geo_repository_verification_primary_batch_worker_cron'] = "*/5 * * * *"
# gitlab_rails['geo_repository_verification_secondary_scheduler_worker_cron'] = "*/5 * * * *"
# gitlab_rails['geo_metrics_update_worker_cron'] = "*/1 * * * *"
# gitlab_rails['ldap_sync_worker_cron'] = "30 1 * * *"
# gitlab_rails['ldap_group_sync_worker_cron'] = "0 * * * *"
# gitlab_rails['historical_data_worker_cron'] = "0 12 * * *"
# gitlab_rails['elastic_index_bulk_cron'] = "*/1 * * * *"
# gitlab_rails['analytics_devops_adoption_create_all_snapshots_worker_cron'] = "0 4 * * 0"
# gitlab_rails['ci_runners_stale_group_runners_prune_worker_cron'] = "30 * * * *"
# gitlab_rails['click_house_ci_finished_builds_sync_worker_cron'] = "*/3 * * * *"
# gitlab_rails['click_house_ci_finished_builds_sync_worker_args'] = [1]

################################################################################
## Kerberos(仅限企业版)
##! 文档:https://docs.gitlab.com/ee/integration/kerberos.html#http-git-access
################################################################################

# gitlab_rails['kerberos_enabled'] = true
# gitlab_rails['kerberos_keytab'] = /etc/http.keytab
# gitlab_rails['kerberos_service_principal_name'] = HTTP/gitlab.example.com@EXAMPLE.COM
# gitlab_rails['kerberos_simple_ldap_linking_allowed_realms'] = ['example.com','kerberos.example.com']
# gitlab_rails['kerberos_use_dedicated_port'] = true
# gitlab_rails['kerberos_port'] = 8443
# gitlab_rails['kerberos_https'] = true

################################################################################
## 软件包仓库
##! 文档:https://docs.gitlab.com/ee/administration/packages/
################################################################################

# gitlab_rails['packages_enabled'] = true
# gitlab_rails['packages_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/packages"
# gitlab_rails['packages_object_store_enabled'] = false
# gitlab_rails['packages_object_store_proxy_download'] = false
# gitlab_rails['packages_object_store_remote_directory'] = "packages"
# gitlab_rails['packages_object_store_connection'] = {
#   'provider' => 'AWS',
#   'region' => 'eu-west-1',
#   'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
#   'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
#   # # The below options configure an S3 compatible host instead of AWS
#   # 'host' => 's3.amazonaws.com',
#   # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.
#   # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
#   # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
# }

################################################################################
## 依赖代理
##! 文档:https://docs.gitlab.com/ee/administration/packages/dependency_proxy.html
################################################################################

# gitlab_rails['dependency_proxy_enabled'] = true
# gitlab_rails['dependency_proxy_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/dependency_proxy"
# gitlab_rails['dependency_proxy_object_store_enabled'] = false
# gitlab_rails['dependency_proxy_object_store_proxy_download'] = false
# gitlab_rails['dependency_proxy_object_store_remote_directory'] = "dependency_proxy"
# gitlab_rails['dependency_proxy_object_store_connection'] = {
#   'provider' => 'AWS',
#   'region' => 'eu-west-1',
#   'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
#   'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
#   # # The below options configure an S3 compatible host instead of AWS
#   # 'host' => 's3.amazonaws.com',
#   # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.
#   # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
#   # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
# }

################################################################################
## GitLab Sentinel(仅限企业版)
##! 文档:https://docs.gitlab.com/ee/administration/redis/replication_and_failover.html
################################################################################

##! **请确保在继续之前已配置所有 redis['master_*'] 键。**

##! 要启用 Sentinel 并禁用本机上的所有其他服务,
##! 取消下面这行的注释(如果已启用 Redis 角色,则会保留该角色)。
##! 文档:https://docs.gitlab.com/ee/administration/redis/replication_and_failover.html
# redis_sentinel_role['enable'] = true

# sentinel['enable'] = true

##! 绑定所有接口,取消注释以指定 IP 并仅绑定到一个接口
# sentinel['bind'] = '0.0.0.0'

##! 取消注释以更改默认端口
# sentinel['port'] = 26379

##! 取消注释以要求 Sentinel 密码。此密码可与 Redis 主密码不同。
# sentinel['password'] = 'sentinel-password-goes-here'

### 支持在 Docker 或 NAT 环境下运行 Sentinel
###! 文档:https://redis.io/topics/sentinel#sentinel-docker-nat-and-possible-issues
###! 标准情况下,Sentinel 与 Redis 运行在同一网络服务中,因此会为 Redis 和 Sentinel 通告同一 IP
###! 仅在需要为 Sentinel 通告不同于 Redis 的 IP 服务时定义这些值
# sentinel['announce_ip'] = nil # If not defined, its value will be taken from redis['announce_ip'] or nil if not present
# sentinel['announce_port'] = nil # If not defined, its value will be taken from sentinel['port'] or nil if redis['announce_ip'] not present

##! Quorum 必须反映启动故障转移所需的投票 Sentinel 数量。
##! **值不能大于 Sentinel 数量。**
##! Quorum 可用于两种方式调整 Sentinel :
##! 1. 如果 quorum 设置为小于我们部署的 Sentinel 多数的值,
##!    实际上是让 Sentinel 对主故障更敏感,只要少数 Sentinel 无法与主通信就会触发故障转移。
##! 2. 如果 quorum 设置为大于 Sentinel 多数的值,
##!    则只有大量(超过多数)的 Sentinel 同意主故障时才会进行故障转移。
# sentinel['quorum'] = 1

### 服务器无响应后判定为宕机的毫秒数。
# sentinel['down_after_milliseconds'] = 10000

### 指定故障转移超时时间(毫秒)。
##! 用途如下:
##!
##! - 针对同一主机已尝试故障转移后,重新启动故障转移所需时间为两倍超时时间。
##!
##! - 副本因 Sentinel 当前配置而连接错误主机,强制其连接正确主机的时间为超时时间(自 Sentinel 检测到错误起计)。
##!
##! - 已在进行但未产生配置变更的故障转移(REPLICAOF NO ONE 未被提升副本确认)取消所需时间。
##!
##! - 故障转移进行中等待所有副本重新配置为新主的最大时间。即使超时,Sentinel 仍会重新配置副本,但不会按指定的并行同步进度。
# sentinel['failover_timeout'] = 60000

### Sentinel TLS 设置
###! 要通过 TLS 运行 Sentinel,请为以下设置指定值
# sentinel['tls_port'] = nil
# sentinel['tls_cert_file'] = nil
# sentinel['tls_key_file'] = nil

###! 其他 TLS 相关可选设置
# sentinel['tls_dh_params_file'] = nil
# sentinel['tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'
# sentinel['tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
# sentinel['tls_auth_clients'] = 'optional'
# sentinel['tls_replication'] = nil
# sentinel['tls_cluster'] = nil
# sentinel['tls_protocols'] = nil
# sentinel['tls_ciphers'] = nil
# sentinel['tls_ciphersuites'] = nil
# sentinel['tls_prefer_server_ciphers'] = nil
# sentinel['tls_session_caching'] = nil
# sentinel['tls_session_cache_size'] = nil
# sentinel['tls_session_cache_timeout'] = nil

### Sentinel 主机名支持
###! 启用后,Redis 将支持主机名
###! 通常无需更改,我们会根据 `redis['announce_ip']` 输入自动判断
###! * 若提供完整主机名则配置为 true
###! * 若提供 IP 地址则配置为 false
# sentinel['use_hostnames'] = <calculated>

### Sentinel 日志设置
# sentinel['log_directory'] = '/var/log/gitlab/sentinel'

################################################################################
## 其他数据库设置(仅限企业版)
##! 文档:https://docs.gitlab.com/ee/administration/postgresql/database_load_balancing.html
################################################################################
# gitlab_rails['db_load_balancing'] = { 'hosts' => ['secondary1.example.com'] }

################################################################################
## GitLab Geo
##! 文档:https://docs.gitlab.com/ee/administration/geo/
################################################################################
##! Geo 角色 'geo_primary_role' 和 'geo_secondary_role' 已在上方与其他角色一起设置。
##! 更多信息见:https://docs.gitlab.com/omnibus/roles/index.html#roles 。

##! 这是一个可选标识符,Geo 节点可用来标识自身。
##! 例如,如果两个二级节点的 external_url 相同,必须为这些二级节点指定唯一的 Geo 节点名称。

##! 若留空,则默认为 external_url。
# gitlab_rails['geo_node_name'] = nil

# gitlab_rails['geo_registry_replication_enabled'] = true
# gitlab_rails['geo_registry_replication_primary_api_url'] = 'https://example.com:5050'


################################################################################
## GitLab Geo Secondary(仅限企业版)
################################################################################
# geo_secondary['auto_migrate'] = true
# geo_secondary['db_adapter'] = "postgresql"
# geo_secondary['db_encoding'] = "unicode"
# geo_secondary['db_collation'] = nil
# geo_secondary['db_database'] = "gitlabhq_geo_production"
# geo_secondary['db_username'] = "gitlab_geo"
# geo_secondary['db_password'] = nil
# geo_secondary['db_host'] = "/var/opt/gitlab/geo-postgresql"
# geo_secondary['db_port'] = 5431
# geo_secondary['db_socket'] = nil
# geo_secondary['db_sslmode'] = nil
# geo_secondary['db_sslcompression'] = 0
# geo_secondary['db_sslrootcert'] = nil
# geo_secondary['db_sslca'] = nil
# geo_secondary['db_prepared_statements'] = false
# geo_secondary['db_database_tasks'] = true

################################################################################
## GitLab Geo Secondary 跟踪数据库(仅限企业版)
################################################################################

# geo_postgresql['enable'] = false
# geo_postgresql['ha'] = false
# geo_postgresql['dir'] = '/var/opt/gitlab/geo-postgresql'
# geo_postgresql['pgbouncer_user'] = nil
# geo_postgresql['pgbouncer_user_password'] = nil
##! `SQL_USER_PASSWORD_HASH` can be generated using the command `gitlab-ctl pg-password-md5 gitlab`
# geo_postgresql['sql_user_password'] = 'SQL_USER_PASSWORD_HASH'
# geo_postgresql['log_directory'] = '/var/log/gitlab/geo-postgresql'

##! 当 PostgreSQL 版本变更时自动重启服务。
# geo_postgresql['auto_restart_on_version_change'] = true

################################################################################
## GitLab Geo 日志游标守护进程(仅限企业版)
################################################################################

# geo_logcursor['enable'] = false
# geo_logcursor['log_directory'] = '/var/log/gitlab/geo-logcursor'
# geo_logcursor['log_group'] = nil

################################################################################
## Unleash
##! 这些设置供 GitLab 内部使用。
##! 用于在 GitLab 开发期间控制功能开关。
##! 文档:https://docs.gitlab.com/ee/development/feature_flags
################################################################################
# gitlab_rails['feature_flags_unleash_enabled'] = false
# gitlab_rails['feature_flags_unleash_url'] = nil
# gitlab_rails['feature_flags_unleash_app_name'] = nil
# gitlab_rails['feature_flags_unleash_instance_id'] = nil

################################################################################
## Pgbouncer(仅限企业版)
##! 参见 GitLab PgBouncer 文档:https://docs.gitlab.com/ee/administration/postgresql/pgbouncer.html
##! 参见 PgBouncer 页面 http://www.pgbouncer.org/config.html 获取详情
################################################################################
# pgbouncer['enable'] = false
# pgbouncer['log_directory'] = '/var/log/gitlab/pgbouncer'
# pgbouncer['log_group'] = nil
# pgbouncer['data_directory'] = '/var/opt/gitlab/pgbouncer'
# pgbouncer['env_directory'] = '/opt/gitlab/etc/pgbouncer/env'
# pgbouncer['env'] = {
#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
# }
# pgbouncer['listen_addr'] = '0.0.0.0'
# pgbouncer['listen_port'] = '6432'
# pgbouncer['pool_mode'] = 'transaction'
# pgbouncer['max_prepared_statements'] = 0
# pgbouncer['server_reset_query'] = 'DISCARD ALL'
# pgbouncer['application_name_add_host'] = '1'
# pgbouncer['max_client_conn'] = '2048'
# pgbouncer['default_pool_size'] = '100'
# pgbouncer['min_pool_size'] = '0'
# pgbouncer['reserve_pool_size'] = '5'
# pgbouncer['reserve_pool_timeout'] = '5.0'
# pgbouncer['server_round_robin'] = '0'
# pgbouncer['log_connections'] = '0'
# pgbouncer['server_idle_timeout'] = '30'
# pgbouncer['dns_max_ttl'] = '15.0'
# pgbouncer['dns_zone_check_period'] = '0'
# pgbouncer['dns_nxdomain_ttl'] = '15.0'
# pgbouncer['admin_users'] = %w(gitlab-psql postgres pgbouncer)
# pgbouncer['stats_users'] = %w(gitlab-psql postgres pgbouncer)
# pgbouncer['ignore_startup_parameters'] = 'extra_float_digits'
# pgbouncer['track_extra_parameters'] = %w(IntervalStyle)
# pgbouncer['databases'] = {
#   DATABASE_NAME: {
#     host: HOSTNAME,
#     port: PORT
#     user: USERNAME,
#     password: PASSWORD
##! generate this with `echo -n '$password + $username' | md5sum`
#   }
#   ...
# }
# pgbouncer['logfile'] = nil
# pgbouncer['unix_socket_dir'] = nil
# pgbouncer['unix_socket_mode'] = '0777'
# pgbouncer['unix_socket_group'] = nil
# pgbouncer['auth_type'] = 'md5'
# pgbouncer['auth_hba_file'] = nil
# pgbouncer['auth_dbname'] = nil
# pgbouncer['auth_query'] = 'SELECT username, password FROM public.pg_shadow_lookup($1)'
# pgbouncer['users'] = {
#   USERNAME: {
#     'password': MD5_PASSWORD_HASH,
#   }
# }
# postgresql['pgbouncer_user'] = nil
# postgresql['pgbouncer_user_password'] = nil
# pgbouncer['server_reset_query_always'] = 0
# pgbouncer['server_check_query'] = 'select 1'
# pgbouncer['server_check_delay'] = 30
# pgbouncer['max_db_connections'] = nil
# pgbouncer['max_user_connections'] = nil
# pgbouncer['syslog'] = 0
# pgbouncer['syslog_facility'] = 'daemon'
# pgbouncer['syslog_ident'] = 'pgbouncer'
# pgbouncer['log_disconnections'] = 1
# pgbouncer['log_pooler_errors'] = 1
# pgbouncer['stats_period'] = 60
# pgbouncer['verbose'] = 0
# pgbouncer['server_lifetime'] = 3600
# pgbouncer['server_connect_timeout'] = 15
# pgbouncer['server_login_retry'] = 15
# pgbouncer['query_timeout'] = 0
# pgbouncer['query_wait_timeout'] = 120
# pgbouncer['client_idle_timeout'] = 0
# pgbouncer['client_login_timeout'] = 60
# pgbouncer['autodb_idle_timeout'] = 3600
# pgbouncer['suspend_timeout'] = 10
# pgbouncer['idle_transaction_timeout'] = 0
# pgbouncer['cancel_wait_timeout'] = 10
# pgbouncer['pkt_buf'] = 4096
# pgbouncer['listen_backlog'] = 128
# pgbouncer['sbuf_loopcnt'] = 5
# pgbouncer['max_packet_size'] = 2147483647
# pgbouncer['so_reuseport'] = 0
# pgbouncer['tcp_defer_accept'] = 0
# pgbouncer['tcp_socket_buffer'] = 0
# pgbouncer['tcp_keepalive'] = 1
# pgbouncer['tcp_keepcnt'] = 0
# pgbouncer['tcp_keepidle'] = 0
# pgbouncer['tcp_keepintvl'] = 0
# pgbouncer['disable_pqexec'] = 0
# default['pgbouncer']['peers'] = {}

### Pgbouncer 客户端 TLS 选项
# pgbouncer['client_tls_sslmode'] = 'disable'
# pgbouncer['client_tls_ca_file'] = nil
# pgbouncer['client_tls_key_file'] = nil
# pgbouncer['client_tls_cert_file'] = nil
# pgbouncer['client_tls_protocols'] = 'all'
# pgbouncer['client_tls_dheparams'] = 'auto'
# pgbouncer['client_tls_ecdhcurve'] = 'auto'
#
### Pgbouncer 服务端 TLS 选项
# pgbouncer['server_tls_sslmode'] = 'disable'
# pgbouncer['server_tls_ca_file'] = nil
# pgbouncer['server_tls_key_file'] = nil
# pgbouncer['server_tls_cert_file'] = nil
# pgbouncer['server_tls_protocols'] = 'all'
# pgbouncer['server_tls_ciphers'] = 'fast'

################################################################################
## Patroni(仅限企业版)
################################################################################
# patroni['enable'] = false

# patroni['dir'] = '/var/opt/gitlab/patroni'
# patroni['ctl_command'] = '/opt/gitlab/embedded/bin/patronictl'

### Patroni 动态配置设置
# patroni['loop_wait'] = 10
# patroni['ttl'] = 30
# patroni['retry_timeout'] = 10
# patroni['maximum_lag_on_failover'] = 1_048_576
# patroni['max_timelines_history'] = 0
# patroni['master_start_timeout'] = 300
# patroni['use_pg_rewind'] = true
# patroni['remove_data_directory_on_rewind_failure'] = false
# patroni['remove_data_directory_on_diverged_timelines'] = false
# patroni['use_slots'] = true
# patroni['replication_password'] = nil
# patroni['replication_slots'] = {}
# patroni['callbacks'] = {}
# patroni['recovery_conf'] = {}
# patroni['tags'] = {}

### 备用集群复制设置
# patroni['standby_cluster']['enable'] = false
# patroni['standby_cluster']['host'] = nil
# patroni['standby_cluster']['port'] = 5432
# patroni['standby_cluster']['primary_slot_name'] = nil

### 全局/通用设置
# patroni['scope'] = 'gitlab-postgresql-ha'
# patroni['name'] = nil

### 日志设置
# patroni['log_directory'] = '/var/log/gitlab/patroni'
# patroni['log_group'] = nil
# patroni['log_level'] = 'INFO'

### Consul 专用设置
# patroni['consul']['url'] = 'http://127.0.0.1:8500'
# patroni['consul']['service_check_interval'] = '10s'
# patroni['consul']['register_service'] = true
# patroni['consul']['checks'] = []

### PostgreSQL 配置覆盖
# patroni['postgresql']['hot_standby'] = 'on'

###! 以下设置在所有节点上必须保持一致。
###! 留空则使用 PostgreSQL 默认值。
# patroni['postgresql']['wal_level'] = 'replica'
# patroni['postgresql']['wal_log_hints'] = 'on'
# patroni['postgresql']['max_worker_processes'] = 8
# patroni['postgresql']['max_locks_per_transaction'] = 64
# patroni['postgresql']['max_connections'] = 400
# patroni['postgresql']['checkpoint_timeout'] = 30

###! 以下设置可在各节点不同。
###! 留空则使用 PostgreSQL 默认值。
# patroni['postgresql']['wal_keep_segments'] = 8
# patroni['postgresql']['max_wal_senders'] = 5
# patroni['postgresql']['max_replication_slots'] = 5

### 流复制的永久复制槽
# patroni['replication_slots'] = {
#   'geo_secondary' => { 'type' => 'physical' }
# }

###! Patroni API 绑定和监听的地址和端口。
# patroni['listen_address'] = nil
# patroni['port'] = '8008'

###! Patroni 节点向其他集群成员通告的 API 和 PostgreSQL 通信地址。
###! 如果未指定,则尝试使用第一个可用的私有 IP,最后回退到默认网卡。
# patroni['connect_address'] = nil

###! Patroni API 响应其他集群成员的端口。该端口会被通告,默认与 patroni['port'] 相同。
# patroni['connect_port'] = '8008'

###! 允许调用不安全 REST API 端点的主机集合。
###! 每项可以是主机名、IP 或 CIDR 地址。
###! 如果未设置,则允许所有主机。
# patroni['allowlist'] = []
# patroni['allowlist_include_members'] = false

###! Patroni API 写命令的基本认证用户名和密码。
###! 如果未指定,则 API 不使用基本认证。
# patroni['username'] = nil
# patroni['password'] = nil

###! Patroni API 的 TLS 配置。需同时指定证书和密钥文件才启用 TLS。
###! 如果未指定,则 API 使用明文 HTTP。
# patroni['tls_certificate_file'] = nil
# patroni['tls_key_file'] = nil
# patroni['tls_key_password'] = nil
# patroni['tls_ca_file'] = nil
# patroni['tls_ciphers'] = nil
# patroni['tls_client_mode'] = nil
# patroni['tls_client_certificate_file'] = nil
# patroni['tls_client_key_file'] = nil
# patroni['tls_verify'] = true

################################################################################
## Consul(仅限企业版)
################################################################################
# consul['enable'] = false
# consul['binary_path'] = '/opt/gitlab/embedded/bin/consul'
# consul['dir'] = '/var/opt/gitlab/consul'
# consul['username'] = 'gitlab-consul'
# consul['group'] = 'gitlab-consul'
# consul['config_file'] = '/var/opt/gitlab/consul/config.json'
# consul['config_dir'] = '/var/opt/gitlab/consul/config.d'
# consul['data_dir'] = '/var/opt/gitlab/consul/data'
# consul['log_directory'] = '/var/log/gitlab/consul'
# consul['log_group'] = nil
# consul['env_directory'] = '/opt/gitlab/etc/consul/env'
# consul['env'] = {
#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
#   'GODEBUG' => "tlsmlkem=0",
# }
# consul['monitoring_service_discovery'] = false
# consul['node_name'] = nil
# consul['script_directory'] = '/var/opt/gitlab/consul/scripts'
# consul['configuration'] = {
#   'client_addr' => nil,
#   'datacenter' => 'gitlab_consul',
#   'enable_script_checks' => false,
#   'enable_local_script_checks' => true,
#   'server' => false
# }
# consul['services'] = []
# consul['service_config'] = {
#   'postgresql' => {
#     'service' => {
#       'name' => "postgresql",
#       'address' => '',
#       'port' => 5432,
#       'checks' => [
#         {
#           'script' => "/var/opt/gitlab/consul/scripts/check_postgresql",
#           'interval' => "10s"
#         }
#       ]
#     }
#   }
# }
# consul['watchers'] = []
# consul['custom_config_dir'] = '/path/to/service/configs/directory'

### HTTP API 端口
# consul['http_port'] = nil
# consul['https_port'] = nil

### Gossip 加密
# consul['encryption_key'] = nil
# consul['encryption_verify_incoming'] = nil
# consul['encryption_verify_outgoing'] = nil

### TLS 设置
# consul['use_tls'] = false
# consul['tls_ca_file'] = nil
# consul['tls_certificate_file'] = nil
# consul['tls_key_file'] = nil
# consul['tls_verify_client'] = nil

################################################################################
## 服务台邮箱设置
################################################################################
### 服务台邮箱
###! 允许用户通过发送邮件到服务台地址创建新服务台工单。
###! 文档:https://docs.gitlab.com/ee/user/project/service_desk/index.html
# gitlab_rails['service_desk_email_enabled'] = false

#### 服务台邮箱设置(通过 `mail_room`)
#### 服务台邮箱地址
####! 邮箱地址包含 `%{key}` 占位符,该占位符会被替换为被回复的项目。
####! **占位符可以省略,但如果存在,必须出现在地址的“用户”部分(@前)。**
# gitlab_rails['service_desk_email_address'] = "contact_project+%{key}@gmail.com"

#### 服务台邮箱账户用户名
####! **第三方邮箱通常为完整邮箱地址。**
####! **自建邮箱服务器通常为邮箱的用户部分。**
# gitlab_rails['service_desk_email_email'] = "contact_project@gmail.com"

#### 服务台邮箱账户密码
# gitlab_rails['service_desk_email_password'] = "[REDACTED]"

####! 服务台邮件将进入的邮箱,通常为“inbox”。
# gitlab_rails['service_desk_email_mailbox_name'] = "inbox"
####! IDLE 命令超时。
# gitlab_rails['service_desk_email_idle_timeout'] = 60
####! 内部 `mail_room` JSON 日志文件名
# gitlab_rails['service_desk_email_log_file'] = "/var/log/gitlab/mailroom/mail_room_json.log"

#### 服务台 IMAP 设置
# gitlab_rails['service_desk_email_host'] = "imap.gmail.com"
# gitlab_rails['service_desk_email_port'] = 993
# gitlab_rails['service_desk_email_ssl'] = true
# gitlab_rails['service_desk_email_start_tls'] = false

#### 收件箱选项(用于 Microsoft Graph)
# gitlab_rails['service_desk_email_inbox_method'] = 'microsoft_graph'
# gitlab_rails['service_desk_email_inbox_options'] = {
#    'tenant_id': 'YOUR-TENANT-ID',
#    'client_id': 'YOUR-CLIENT-ID',
#    'client_secret': 'YOUR-CLIENT-SECRET',
#    'poll_interval': 60  # 可选
# }

####! 服务台邮件如何传递到 Rails 进程。可选 sidekiq 或 webhook。默认配置为 webhook。
# gitlab_rails['service_desk_email_delivery_method'] = "webhook"

####! 用于 webhook 请求认证的令牌。令牌必须正好 32 字节,base64 编码
# gitlab_rails['service_desk_email_auth_token'] = nil

#################################################################################
## 垃圾邮件检查(仅限企业版)
#################################################################################

# spamcheck['enable'] = false
# spamcheck['dir'] = '/var/opt/gitlab/spamcheck'
# spamcheck['port'] = 8001
# spamcheck['external_port'] = nil
# spamcheck['monitoring_address'] = ':8003'
# spamcheck['log_level'] = 'info'
# spamcheck['log_format'] = 'json'
# spamcheck['log_output'] = 'stdout'
# spamcheck['monitor_mode'] = false
# spamcheck['allowlist'] = {}
# spamcheck['denylist'] = {}
# spamcheck['log_directory'] = "/var/log/gitlab/spamcheck"
# spamcheck['log_group'] = nil
# spamcheck['env_directory'] = "/opt/gitlab/etc/spamcheck/env"
# spamcheck['env'] = {
#   'SSL_CERT_DIR' => '/opt/gitlab/embedded/ssl/certs/',
#   'GODEBUG' => "tlsmlkem=0",
# }
# spamcheck['classifier']['log_directory'] = "/var/log/gitlab/spam-classifier"

#################################################################################
## (Go-)Crond
#################################################################################
# crond['log_directory'] = '/var/log/gitlab/crond'
# crond['cron_d'] = '/var/opt/gitlab/crond'
# crond['flags'] = {}

#################################################################################
## gitlab-backup-cli 设置
#################################################################################
# gitlab_backup_cli['enable'] = false
# gitlab_backup_cli['user'] = 'gitlab-backup'
# gitlab_backup_cli['group'] = 'gitlab-backup'
# gitlab_backup_cli['dir'] = '/var/opt/gitlab/backups'
# gitlab_backup_cli['additional_groups'] = %w[git gitlab-psql registry]

我使用了AI助理工具进行汉化,但是配置文件太长啦,已经超过了当下AI软件最长的上下文空间,我写了个python切片合并工具解决这个问题,最后使用微软copilot进行解决。这里对汉化过程使用的关键文件进行记录,以备下次使用。