Merge branch 'bundle_mattermost' into 'master'

Bundle mattermost with omnibus-gitlab

See merge request !434
This commit is contained in:
Marin Jankovski 2015-08-20 15:56:22 +00:00
commit 7a6f6012b8
18 changed files with 829 additions and 32 deletions

View File

@ -75,6 +75,7 @@ dependency "gitlab-cookbooks"
dependency "gitlab-selinux"
dependency "gitlab-scripts"
dependency "gitlab-config-template"
dependency "mattermost"
# version manifest file
dependency "version-manifest"

View File

@ -0,0 +1,32 @@
#
## Copyright:: Copyright (c) 2015 GitLab B.V.
## License:: Apache License, Version 2.0
##
## Licensed under the Apache License, Version 2.0 (the "License");
## you may not use this file except in compliance with the License.
## You may obtain a copy of the License at
##
## http://www.apache.org/licenses/LICENSE-2.0
##
## Unless required by applicable law or agreed to in writing, software
## distributed under the License is distributed on an "AS IS" BASIS,
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
##
#
name "mattermost"
default_version "v0.6.0"
source url: "https://github.com/mattermost/platform/releases/download/#{version}/mattermost.tar.gz",
md5: '9731b432644862d2025c68afabc852f5'
build do
move "bin/platform", "#{install_dir}/embedded/bin/mattermost"
command "mkdir -p #{install_dir}/embedded/service/mattermost"
command "#{install_dir}/embedded/bin/rsync -a --delete ./api/templates #{install_dir}/embedded/service/mattermost/api/"
command "#{install_dir}/embedded/bin/rsync -a --delete ./web/static #{install_dir}/embedded/service/mattermost/web/"
command "#{install_dir}/embedded/bin/rsync -a --delete ./web/templates #{install_dir}/embedded/service/mattermost/web/"
end
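Review bot: the `source` block pins the downloaded `mattermost.tar.gz` with an MD5 digest only (`md5: '9731b4...'`); since `bin/platform` is a prebuilt binary that is moved straight to `#{install_dir}/embedded/bin/mattermost`, a SHA-256 pin (omnibus accepts `sha256:` in place of `md5:` in the versions that support it) gives a meaningfully stronger integrity check on the release artifact. Minor style point: the license header here uses doubled `##` comment markers while the other new files in this change use a single `#`.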

View File

@ -0,0 +1,82 @@
# GitLab Mattermost
You can run a [GitLab Mattermost](http://www.mattermost.org/)
service on your GitLab server.
## Documentation version
Please make sure you are viewing the documentation for the version of
omnibus-gitlab you are using. In most cases this should be the highest numbered
stable branch (example shown below).
![documentation version](doc/images/omnibus-documentation-version.png)
## Getting started
GitLab Mattermost expects to run on its own virtual host. In your DNS you would then
have two entries pointing to the same machine, e.g. `gitlab.example.com` and
`mattermost.example.com`.
GitLab Mattermost is disabled by default, to enable it just tell omnibus-gitlab what
the external URL for Mattermost server is:
```ruby
# in /etc/gitlab/gitlab.rb
mattermost_external_url 'http://mattermost.example.com'
```
After you run `sudo gitlab-ctl reconfigure`, your GitLab Mattermost should
now be reachable at `http://mattermost.example.com` and authorized to connect to GitLab. Authorising Mattermost with GitLab will allow users to use GitLab as SSO provider.
Omnibus-gitlab package will attempt to automatically authorise GitLab Mattermost with GitLab if applications are running on the same server.
This is because automatic authorisation requires access to GitLab database.
If GitLab database is not available you will need to manually authorise GitLab Mattermost for access to GitLab.
## Running GitLab Mattermost on its own server
If you want to run GitLab and GitLab Mattermost on two separate servers you
can use the following settings on the GitLab Mattermost server to effectively disable
the GitLab service bundled into the Omnibus package. The GitLab services will
still be set up on your GitLab Mattermost server, but they will not accept user requests or
consume system resources.
```ruby
mattermost_external_url 'http://mattermost.example.com'
# Tell GitLab Mattermost to integrate with gitlab.example.com
mattermost['oauth'] = {'gitlab' => {'Allow' => true, 'Secret' => "123", 'Id' => "123", "AuthEndpoint" => "http://gitlab.example.com/oauth/authorize", "TokenEndpoint" => "http://gitlab.example.com/oauth/token", "UserApiEndpoint" => "http://gitlab.example.com/api/v3/user" }}
# Shut down GitLab services on the Mattermost server
gitlab_rails['enable'] = false
```
where `Secret` and `Id` are `application secret` and `application id` received when creating new `Application` authorization in GitLab admin section.
## Manually (re)authorising GitLab Mattermost with GitLab
### Authorise GitLab Mattermost
To do this, using browser navigate to the `admin area` of GitLab, `Application` section. Create a new application and for the callback URL use: `http://mattermost.example.com/signup/gitlab/complete` and `http://mattermost.example.com/login/gitlab/complete` (replace http with https if you use https).
Once the application is created you will receive an `Application ID` and `Secret`. One other information needed is the URL of GitLab instance.
Now, go to the GitLab server and edit the `/etc/gitlab/gitlab.rb` configuration file.
In `gitlab.rb` use the values you've received above:
```
mattermost['oauth'] = {'gitlab' => {'Allow' => true, 'Secret' => "123", 'Id' => "123", "AuthEndpoint" => "http://gitlab.example.com/oauth/authorize", "TokenEndpoint" => "http://gitlab.example.com/oauth/token", "UserApiEndpoint" => "http://gitlab.example.com/api/v3/user" }}
```
Save the changes and then run `sudo gitlab-ctl reconfigure`.
If there are no errors your GitLab and GitLab Mattermost should be configured correctly.
### Reauthorise GitLab Mattermost
To reauthorise GitLab Mattermost you will first need to revoke access of the existing authorisation. This can be done in the Admin area of GitLab under `Applications`. Once that is done follow the steps in the `Authorise GitLab Mattermost` section.
### GitLab Mattermost configuration
For a complete list of available options, visit the [gitlab.rb.template](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template).
We welcome contributions to improve the configuration settings explanations both in the gitlab.rb.template and in the documentation.
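Review bot: the `gitlab.rb` snippet under "In `gitlab.rb` use the values you've received above" is fenced without the `ruby` tag that the two earlier blocks carry. The standalone-server example and the manual authorisation steps show every endpoint as `http://`; since the application `Secret` and the OAuth tokens travel through `AuthEndpoint` and `TokenEndpoint`, the text should state plainly that production setups should use `https://` for both the GitLab and the Mattermost URL, rather than only the aside "replace http with https if you use https". Also worth a pass for consistency: "authorized" in the Getting started section versus "authorise"/"authorising" elsewhere, and "One other information needed is the URL of GitLab instance", which reads better as "You will also need the URL of your GitLab instance".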

View File

@ -588,3 +588,119 @@ external_url 'GENERATED_EXTERNAL_URL'
# ci_nginx['gzip_types'] = [ "text/plain", "text/css", "application/x-javascript", "text/xml", "application/xml", "application/xml+rss", "text/javascript", "application/json" ]
# ci_nginx['keepalive_timeout'] = 65
# ci_nginx['cache_max_size'] = '5000m'
#####################
# GitLab Mattermost #
#####################
# mattermost['enable'] = false
# mattermost['username'] = 'mattermost'
# mattermost['group'] = 'mattermost'
# mattermost['home'] = '/var/opt/gitlab/mattermost'
# mattermost['database_name'] = 'mattermost_production'
# mattermost['log_file_directory'] = '/var/log/gitlab/mattermost'
# mattermost['log_console_enable'] = true
# mattermost['log_console_level'] = 'INFO'
# mattermost['log_file_enable'] = false
# mattermost['log_file_level'] = 'INFO'
# mattermost['log_file_format'] = nil
# mattermost['service_site_name'] = "GitLab Mattermost"
# mattermost['service_mode'] = 'beta'
# mattermost['service_allow_testing'] = false
# mattermost['service_use_ssl'] = false
# mattermost['service_port'] = "8065"
# mattermost['service_version'] = "developer"
# mattermost['service_analytics_url'] = nil
# mattermost['service_use_local_storage'] = true
# mattermost['service_storage_directory'] = "/var/opt/gitlab/mattermost/data"
# mattermost['service_allowed_login_attempts'] = 10
# mattermost['sql_data_source'] = nil
# mattermost['sql_data_source_replicas'] = []
# mattermost['sql_max_idle_conns'] = 10
# mattermost['sql_max_open_conns'] = 10
# mattermost['sql_trace'] = false
# mattermost['oauth'] = {'gitlab' => {'Allow' => true, 'Secret' => "123", 'Id' => "123", "AuthEndpoint" => "aa", "TokenEndpoint" => "bb", "UserApiEndpoint" => "cc" }}
# mattermost['aws'] = {'S3AccessKeyId' => '123', 'S3SecretAccessKey' => '123', 'S3Bucket' => 'aa', 'S3Region' => 'bb'}
# mattermost['image_thumbnail_width'] = 120
# mattermost['image_thumbnail_height'] = 100
# mattermost['image_preview_width'] = 1024
# mattermost['image_preview_height'] = 0
# mattermost['image_profile_width'] = 128
# mattermost['image_profile_height'] = 128
# mattermost['image_initial_font'] = 'luximbi.ttf'
# mattermost['email_by_pass_email'] = true
# mattermost['email_smtp_username'] = nil
# mattermost['email_smtp_password'] = nil
# mattermost['email_smtp_server'] = nil
# mattermost['email_use_tls'] = false
# mattermost['email_feedback_email'] = nil
# mattermost['email_feedback_name'] = nil
# mattermost['email_apple_push_server'] = nil
# mattermost['email_apple_push_cert_public'] = nil
# mattermost['email_apple_push_cert_private'] = nil
# mattermost['ratelimit_use_rate_limiter'] = true
# mattermost['ratelimit_per_sec'] = 10
# mattermost['ratelimit_memory_store_size'] = 10000
# mattermost['ratelimit_vary_by_remote_addr'] = true
# mattermost['ratelimit_vary_by_header'] = nil
# mattermost['privacy_show_email_address'] = true
# mattermost['privacy_show_phone_number'] = true
# mattermost['privacy_show_skype_id'] = true
# mattermost['privacy_show_full_name'] = true
# mattermost['team_max_users_per_team'] = 150
# mattermost['team_allow_public_link'] = true
# mattermost['team_allow_valet_default'] = false
# mattermost['team_terms_link'] = '/static/help/configure_links.html'
# mattermost['team_privacy_link'] = '/static/help/configure_links.html'
# mattermost['team_about_link'] = '/static/help/configure_links.html'
# mattermost['team_help_link'] = '/static/help/configure_links.html'
# mattermost['team_report_problem_link'] = '/static/help/configure_links.html'
# mattermost['team_tour_link'] = '/static/help/configure_links.html'
# mattermost['team_default_color'] = '#2389D7'
####################
# Mattermost NGINX #
####################
# mattermost_nginx['enable'] = false
# mattermost_nginx['client_max_body_size'] = '250m'
# mattermost_nginx['redirect_http_to_https'] = false
# mattermost_nginx['redirect_http_to_https_port'] = 80
# mattermost_nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
# mattermost_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
# mattermost_nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
# mattermost_nginx['ssl_prefer_server_ciphers'] = "on"
# mattermost_nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2" # recommended by https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
# mattermost_nginx['ssl_session_cache'] = "builtin:1000 shared:SSL:10m" # recommended in http://nginx.org/en/docs/http/ngx_http_ssl_module.html
# mattermost_nginx['ssl_session_timeout'] = "5m" # default according to http://nginx.org/en/docs/http/ngx_http_ssl_module.html
# mattermost_nginx['ssl_dhparam'] = nil # Path to ci_dhparams.pem, eg. /etc/gitlab/ssl/ci_dhparams.pem
# mattermost_nginx['listen_addresses'] = ['*']
# mattermost_nginx['listen_port'] = nil # override only if you use a reverse proxy: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#setting-the-nginx-listen-port
# mattermost_nginx['listen_https'] = nil # override only if your reverse proxy internally communicates over HTTP: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#supporting-proxied-ssl
# mattermost_nginx['custom_gitlab_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n"
# mattermost_nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/example.conf;"
## Advanced settings
# mattermost_nginx['dir'] = "/var/opt/gitlab/nginx"
# mattermost_nginx['log_directory'] = "/var/log/gitlab/nginx"
# mattermost_nginx['worker_processes'] = 4
# mattermost_nginx['worker_connections'] = 10240
# mattermost_nginx['sendfile'] = 'on'
# mattermost_nginx['tcp_nopush'] = 'on'
# mattermost_nginx['tcp_nodelay'] = 'on'
# mattermost_nginx['gzip'] = "on"
# mattermost_nginx['gzip_http_version'] = "1.0"
# mattermost_nginx['gzip_comp_level'] = "2"
# mattermost_nginx['gzip_proxied'] = "any"
# mattermost_nginx['gzip_types'] = [ "text/plain", "text/css", "application/x-javascript", "text/xml", "application/xml", "application/xml+rss", "text/javascript", "application/json" ]
# mattermost_nginx['keepalive_timeout'] = 65
# mattermost_nginx['cache_max_size'] = '5000m'
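Review bot: several comments in the `Mattermost NGINX` block were copied from the CI section and still describe CI: the `ssl_dhparam` line says "Path to ci_dhparams.pem", and the `custom_gitlab_server_config` example denies `/foo-namespace/bar-project/raw/`, a GitLab project path that has no meaning on a Mattermost vhost. In the `mattermost['oauth']` example the endpoint placeholders `"aa"`, `"bb"` and `"cc"` tell an administrator nothing; the full `http://gitlab.example.com/oauth/authorize`, `.../oauth/token` and `.../api/v3/user` form used in the documentation for this change is the one to show here, since this template is what people copy from.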

View File

@ -254,6 +254,7 @@ default['gitlab']['postgresql']['home'] = "/var/opt/gitlab/postgresql"
default['gitlab']['postgresql']['user_path'] = "#{node['package']['install-dir']}/embedded/bin:#{node['package']['install-dir']}/bin:$PATH"
default['gitlab']['postgresql']['sql_user'] = "gitlab"
default['gitlab']['postgresql']['sql_ci_user'] = "gitlab_ci"
default['gitlab']['postgresql']['sql_mattermost_user'] = "gitlab_mattermost"
default['gitlab']['postgresql']['port'] = 5432
default['gitlab']['postgresql']['listen_address'] = nil
default['gitlab']['postgresql']['max_connections'] = 200
@ -515,3 +516,88 @@ default['gitlab']['ci-redis']['unixsocket'] = "/var/opt/gitlab/ci-redis/redis.so
####
default['gitlab']['ci-nginx'] = default['gitlab']['nginx'].dup
default['gitlab']['ci-nginx']['enable'] = false
####
# Mattermost
####
default['gitlab']['mattermost']['enable'] = false
default['gitlab']['mattermost']['username'] = 'mattermost'
default['gitlab']['mattermost']['group'] = 'mattermost'
default['gitlab']['mattermost']['home'] = '/var/opt/gitlab/mattermost'
default['gitlab']['mattermost']['database_name'] = 'mattermost_production'
default['gitlab']['mattermost']['log_file_directory'] = '/var/log/gitlab/mattermost'
default['gitlab']['mattermost']['log_console_enable'] = true
default['gitlab']['mattermost']['log_console_level'] = 'INFO'
default['gitlab']['mattermost']['log_file_enable'] = false
default['gitlab']['mattermost']['log_file_level'] = 'INFO'
default['gitlab']['mattermost']['log_file_format'] = nil
default['gitlab']['mattermost']['service_site_name'] = "GitLab Mattermost"
default['gitlab']['mattermost']['service_mode'] = 'beta'
default['gitlab']['mattermost']['service_allow_testing'] = false
default['gitlab']['mattermost']['service_use_ssl'] = false
default['gitlab']['mattermost']['service_port'] = "8065"
default['gitlab']['mattermost']['service_version'] = "developer"
default['gitlab']['mattermost']['service_analytics_url'] = nil
default['gitlab']['mattermost']['service_use_local_storage'] = true
default['gitlab']['mattermost']['service_storage_directory'] = "/var/opt/gitlab/mattermost/data"
default['gitlab']['mattermost']['service_allowed_login_attempts'] = 10
default['gitlab']['mattermost']['sql_data_source'] = nil
default['gitlab']['mattermost']['sql_data_source_replicas'] = []
default['gitlab']['mattermost']['sql_max_idle_conns'] = 10
default['gitlab']['mattermost']['sql_max_open_conns'] = 10
default['gitlab']['mattermost']['sql_trace'] = false
# default['gitlab']['mattermost']['oauth'] = {'gitlab' => {'Allow' => true, 'Secret' => "123", 'Id' => "123", "AuthEndpoint" => "aa", "TokenEndpoint" => "bb", "UserApiEndpoint" => "cc" }}
default['gitlab']['mattermost']['oauth'] = {}
# default['gitlab']['mattermost']['aws'] = {'S3AccessKeyId' => '123', 'S3SecretAccessKey' => '123', 'S3Bucket' => 'aa', 'S3Region' => 'bb'}
default['gitlab']['mattermost']['aws'] = {}
default['gitlab']['mattermost']['image_thumbnail_width'] = 120
default['gitlab']['mattermost']['image_thumbnail_height'] = 100
default['gitlab']['mattermost']['image_preview_width'] = 1024
default['gitlab']['mattermost']['image_preview_height'] = 0
default['gitlab']['mattermost']['image_profile_width'] = 128
default['gitlab']['mattermost']['image_profile_height'] = 128
default['gitlab']['mattermost']['image_initial_font'] = 'luximbi.ttf'
default['gitlab']['mattermost']['email_by_pass_email'] = true
default['gitlab']['mattermost']['email_smtp_username'] = nil
default['gitlab']['mattermost']['email_smtp_password'] = nil
default['gitlab']['mattermost']['email_smtp_server'] = nil
default['gitlab']['mattermost']['email_use_tls'] = false
default['gitlab']['mattermost']['email_feedback_email'] = nil
default['gitlab']['mattermost']['email_feedback_name'] = nil
default['gitlab']['mattermost']['email_apple_push_server'] = nil
default['gitlab']['mattermost']['email_apple_push_cert_public'] = nil
default['gitlab']['mattermost']['email_apple_push_cert_private'] = nil
default['gitlab']['mattermost']['ratelimit_use_rate_limiter'] = true
default['gitlab']['mattermost']['ratelimit_per_sec'] = 10
default['gitlab']['mattermost']['ratelimit_memory_store_size'] = 10000
default['gitlab']['mattermost']['ratelimit_vary_by_remote_addr'] = true
default['gitlab']['mattermost']['ratelimit_vary_by_header'] = nil
default['gitlab']['mattermost']['privacy_show_email_address'] = true
default['gitlab']['mattermost']['privacy_show_phone_number'] = true
default['gitlab']['mattermost']['privacy_show_skype_id'] = true
default['gitlab']['mattermost']['privacy_show_full_name'] = true
default['gitlab']['mattermost']['team_max_users_per_team'] = 150
default['gitlab']['mattermost']['team_allow_public_link'] = true
default['gitlab']['mattermost']['team_allow_valet_default'] = false
default['gitlab']['mattermost']['team_terms_link'] = '/static/help/configure_links.html'
default['gitlab']['mattermost']['team_privacy_link'] = '/static/help/configure_links.html'
default['gitlab']['mattermost']['team_about_link'] = '/static/help/configure_links.html'
default['gitlab']['mattermost']['team_help_link'] = '/static/help/configure_links.html'
default['gitlab']['mattermost']['team_report_problem_link'] = '/static/help/configure_links.html'
default['gitlab']['mattermost']['team_tour_link'] = '/static/help/configure_links.html'
default['gitlab']['mattermost']['team_default_color'] = '#2389D7'
####
# Mattermost NGINX
####
default['gitlab']['mattermost-nginx'] = default['gitlab']['nginx'].dup
default['gitlab']['mattermost-nginx']['enable'] = false

View File

@ -50,14 +50,17 @@ module Gitlab
gitlab_git_http_server Mash.new
nginx Mash.new
ci_nginx Mash.new
mattermost_nginx Mash.new
logging Mash.new
remote_syslog Mash.new
logrotate Mash.new
high_availability Mash.new
web_server Mash.new
mattermost Mash.new
node nil
external_url nil
ci_external_url nil
mattermost_external_url nil
git_data_dir nil
class << self
@ -81,6 +84,11 @@ module Gitlab
end
Gitlab['gitlab_ci']['db_key_base'] ||= generate_hex(64)
Gitlab['mattermost']['service_invite_salt'] ||= generate_hex(64)
Gitlab['mattermost']['service_public_link_salt'] ||= generate_hex(64)
Gitlab['mattermost']['service_reset_salt'] ||= generate_hex(64)
Gitlab['mattermost']['sql_at_rest_encrypt_key'] ||= generate_hex(64)
# Note: Besides the section below, gitlab-secrets.json will also change
# in CiHelper in libraries/helper.rb
SecretsHelper.write_to_gitlab_secrets
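Review bot: the comment "Besides the section below, gitlab-secrets.json will also change in CiHelper" is now stale, because `MattermostHelper.authorize_with_gitlab` also calls `SecretsHelper.write_to_gitlab_secrets`; update it to name both helpers. The four new `generate_hex(64)` values are guarded with `||=`, so once persisted they survive reconfigures, which is the right behaviour for `sql_at_rest_encrypt_key` in particular; a one-line comment saying that these must never be regenerated for an existing installation would help whoever edits this block next.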
@ -148,6 +156,7 @@ module Gitlab
postgresql
remote-syslog
gitlab-git-http-server
mattermost
}.each do |runit_sv|
Gitlab[runit_sv.gsub('-', '_')]['svlogd_prefix'] ||= "#{node['hostname']} #{runit_sv}: "
end
@ -200,6 +209,27 @@ module Gitlab
end
end
def parse_mattermost_postgresql_settings
value_from_gitlab_rb = Gitlab['mattermost']['sql_data_source']
attributes_values = []
[
%w{postgresql sql_mattermost_user},
%w{postgresql unix_socket_directory},
%w{postgresql port},
%w{mattermost database_name}
].each do |value|
attributes_values << (Gitlab[value.first][value.last] || node['gitlab'][value.first][value.last])
end
value_from_attributes = "user=#{attributes_values[0]} host=#{attributes_values[1]} port=#{attributes_values[2]} dbname=#{attributes_values[3]}"
Gitlab['mattermost']['sql_data_source'] = value_from_gitlab_rb || value_from_attributes
if Gitlab['mattermost']['sql_data_source_replicas'].nil? && node['gitlab']['mattermost']['sql_data_source_replicas'].empty?
Gitlab['mattermost']['sql_data_source_replicas'] = [Gitlab['mattermost']['sql_data_source']]
end
end
def parse_unicorn_listen_address
# Make sure gitlab-git-http-server can talk to unicorn
listen_address = unicorn['listen'] || node['gitlab']['unicorn']['listen']
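Review bot: the positional `attributes_values[0]` to `[3]` indexing on the `value_from_attributes` line is easy to break when the lookup list above it is reordered; destructuring makes the mapping explicit, e.g. `user, host, port, dbname = attributes_values` followed by `"user=#{user} host=#{host} port=#{port} dbname=#{dbname}"`. Also note that the generated data source carries no password and so relies on local socket authentication to PostgreSQL; if an administrator supplies `sql_data_source` with a password in gitlab.rb, that string is rendered verbatim into Mattermost's `config.json` as `DataSource`, so the file mode chosen for that template in the recipe matters.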
@ -273,6 +303,49 @@ module Gitlab
ci_nginx['enable'] = true if ci_nginx['enable'].nil?
end
def parse_mattermost_external_url
return unless mattermost_external_url
mattermost['enable'] = true if mattermost['enable'].nil?
uri = URI(mattermost_external_url.to_s)
unless uri.host
raise "GitLab Mattermost external URL must must include a schema and FQDN, e.g. http://mattermost.example.com/"
end
Gitlab['mattermost']['host'] = uri.host
case uri.scheme
when "http"
Gitlab['mattermost']['service_use_ssl'] = false
when "https"
Gitlab['mattermost']['service_use_ssl'] = true
Gitlab['mattermost_nginx']['ssl_certificate'] ||= "/etc/gitlab/ssl/#{uri.host}.crt"
Gitlab['mattermost_nginx']['ssl_certificate_key'] ||= "/etc/gitlab/ssl/#{uri.host}.key"
else
raise "Unsupported external URL scheme: #{uri.scheme}"
end
unless ["", "/"].include?(uri.path)
raise "Unsupported CI external URL path: #{uri.path}"
end
Gitlab['mattermost_nginx']['listen_port'] = uri.port
end
def parse_gitlab_mattermost
return unless mattermost['enable']
mattermost_nginx['enable'] = true if mattermost_nginx['enable'].nil?
unless gitlab_rails["enable"] || node['gitlab']['gitlab-rails']['enable']
redis["enable"] = false
unicorn["enable"] = false
sidekiq["enable"] = false
end
end
def generate_hash
results = { "gitlab" => {} }
[
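Review bot: `Gitlab['mattermost_nginx']['listen_port'] = uri.port` assigns unconditionally, so a `mattermost_nginx['listen_port']` set in gitlab.rb for the reverse-proxy case the template comment describes is silently discarded; `||=` would keep the user's value. Two messages in the same method need fixing: "must must include a schema" doubles the word, and "Unsupported CI external URL path" was copied from the CI parser and should say Mattermost. In `parse_gitlab_mattermost`, disabling `redis`, `unicorn` and `sidekiq` when gitlab-rails is off matches the standalone-server documentation, and leaving `postgresql` running is correct since Mattermost uses it.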
@ -291,14 +364,17 @@ module Gitlab
"gitlab_git_http_server",
"nginx",
"ci_nginx",
"mattermost_nginx",
"logging",
"remote_syslog",
"logrotate",
"high_availability",
"postgresql",
"web_server",
"mattermost",
"external_url",
"ci_external_url"
"ci_external_url",
"mattermost_external_url"
].each do |key|
rkey = key.gsub('_', '-')
results['gitlab'][rkey] = Gitlab[key]
@ -314,6 +390,7 @@ module Gitlab
parse_udp_log_shipping
parse_redis_settings
parse_postgresql_settings
parse_mattermost_postgresql_settings
# Parse ci_external_url _before_ gitlab_ci settings so that the user
# can turn on gitlab_ci by only specifying ci_external_url
parse_ci_external_url
@ -321,6 +398,8 @@ module Gitlab
parse_nginx_listen_address
parse_nginx_listen_ports
parse_gitlab_ci
parse_mattermost_external_url
parse_gitlab_mattermost
# The last step is to convert underscores to hyphens in top-level keys
generate_hash
end

View File

@ -106,15 +106,55 @@ class OmnibusHelper
end
module AuthorizeHelper
def query_gitlab_rails(uri, name)
warn("Connecting to GitLab to generate new app_id and app_secret for #{name}.")
runner_cmd = create_or_find_authorization(uri, name)
cmd = execute_rails_runner(runner_cmd)
do_shell_out(cmd)
end
def create_or_find_authorization(uri, name)
args = %Q(redirect_uri: "#{uri}", name: "#{name}")
app = %Q(app = Doorkeeper::Application.where(#{args}).first_or_create;)
output = %Q(puts app.uid.concat(" ").concat(app.secret);)
%W(
#{app}
#{output}
).join
end
def execute_rails_runner(cmd)
%W(
/opt/gitlab/bin/gitlab-rails
runner
-e production
'#{cmd}'
).join(" ")
end
def warn(msg)
Chef::Log.warn(msg)
end
def info(msg)
Chef::Log.info(msg)
end
end
class CiHelper
extend ShellOutHelper
extend AuthorizeHelper
def self.authorize_with_gitlab(gitlab_external_url)
warn("Connecting to GitLab to generate new app_id and app_secret.")
redirect_uri = "#{Gitlab['ci_external_url']}/user_sessions/callback"
app_name = "GitLab CI"
runner_cmd = create_or_find_authorization
cmd = execute_rails_runner(runner_cmd)
o = do_shell_out(cmd)
o = query_gitlab_rails(redirect_uri, app_name)
app_id, app_secret = nil
if o.exitstatus == 0
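Review bot: `create_or_find_authorization` builds Ruby source by interpolating `uri` and `name` into double-quoted literals, and `execute_rails_runner` then wraps the whole script in single quotes for the shell. A redirect URI or name containing `"` or `'` breaks the generated command (both values come from the administrator's gitlab.rb, so this is a robustness problem rather than an exposure), and the newline-joined multi-URI string built in `MattermostHelper` passes through the same path. Consider handing the values to the runner via environment variables read with `ENV[...]`, or at least running the script through `Shellwords.escape`. Also, `Doorkeeper::Application.where(redirect_uri:, name:).first_or_create` creates a fresh application whenever either value changes (for example after the external URL changes), leaving the previous application authorised in GitLab; the documentation's reauthorise section tells the admin to revoke it manually, and a comment here saying so would spare the next reader a surprise.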
@ -133,38 +173,46 @@ class CiHelper
{ 'url' => gitlab_external_url, 'app_id' => app_id, 'app_secret' => app_secret }
end
end
def self.create_or_find_authorization
ci_external_url = Gitlab['ci_external_url']
args = %Q(redirect_uri: "#{ci_external_url}/user_sessions/callback", name: "GitLab CI")
class MattermostHelper
extend ShellOutHelper
extend AuthorizeHelper
app = %Q(app = Doorkeeper::Application.where(#{args}).first_or_create;)
def self.authorize_with_gitlab(gitlab_external_url)
redirect_uri = "#{Gitlab['mattermost_external_url']}/signup/gitlab/complete\r\n#{Gitlab['mattermost_external_url']}/login/gitlab/complete"
app_name = "GitLab Mattermost"
output = %Q(puts app.uid.concat(" ").concat(app.secret);)
o = query_gitlab_rails(redirect_uri, app_name)
%W(
#{app}
#{output}
).join
app_id, app_secret = nil
if o.exitstatus == 0
app_id, app_secret = o.stdout.chomp.split(" ")
gitlab_url = gitlab_external_url.chomp("/")
Gitlab['mattermost']['oauth'] = {} unless Gitlab['mattermost']['oauth']
Gitlab['mattermost']['oauth']['gitlab'] = { 'Allow' => true,
'Secret' => app_secret,
'Id' => app_id,
'AuthEndpoint' => "#{gitlab_url}/oauth/authorize",
'TokenEndpoint' => "#{gitlab_url}/oauth/token",
'UserApiEndpoint' => "#{gitlab_url}/api/v3/user"
}
SecretsHelper.write_to_gitlab_secrets
info("Updated the gitlab-secrets.json file.")
else
warn("Something went wrong while trying to update gitlab-secrets.json. Check the file permissions and try reconfiguring again.")
end
{ 'Allow' => true,
'Secret' => app_secret,
'Id' => app_id,
'AuthEndpoint' => "#{gitlab_url}/oauth/authorize",
'TokenEndpoint' => "#{gitlab_url}/oauth/token",
'UserApiEndpoint' => "#{gitlab_url}/api/v3/user"
}
end
def self.execute_rails_runner(cmd)
%W(
/opt/gitlab/bin/gitlab-rails
runner
-e production
'#{cmd}'
).join(" ")
end
def self.warn(msg)
Chef::Log.warn(msg)
end
def self.info(msg)
Chef::Log.info(msg)
end
end
class SecretsHelper
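Review bot: in `MattermostHelper.authorize_with_gitlab` the failure branch falls through to the hash at the end of the method with `'Allow' => true` and `app_id`/`app_secret` both `nil`, so a failed `gitlab-rails runner` call yields an `SSOSettings` entry in `config.json` that marks GitLab SSO as allowed but carries no credentials; return `{}` when `o.exitstatus != 0`, as the recipe already does when the database is not ready. The warning on that branch says "Something went wrong while trying to update gitlab-secrets.json", but what failed was the shell-out to the rails runner; say so and include `o.exitstatus`. The `"\r\n"` separator in `redirect_uri` relies on Doorkeeper treating whitespace-separated URIs as a list; a plain `"\n"` is the documented one-per-line form, and a short comment explaining why two callback URLs are registered would help.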
@ -196,6 +244,12 @@ class SecretsHelper
'secret_token' => Gitlab['gitlab_ci']['secret_token'],
'secret_key_base' => Gitlab['gitlab_ci']['secret_key_base'],
'db_key_base' => Gitlab['gitlab_ci']['db_key_base'],
},
'mattermost' => {
'service_invite_salt' => Gitlab['mattermost']['service_invite_salt'],
'service_public_link_salt' => Gitlab['mattermost']['service_public_link_salt'],
'service_reset_salt' => Gitlab['mattermost']['service_reset_salt'],
'sql_at_rest_encrypt_key' => Gitlab['mattermost']['sql_at_rest_encrypt_key']
}
}
@ -210,6 +264,15 @@ class SecretsHelper
secret_tokens['gitlab_ci'].merge!(ci_auth)
end
if Gitlab['mattermost']['oauth'] && Gitlab['mattermost']['oauth']['gitlab']
gitlab_oauth = { 'oauth' =>
{
'gitlab' => Gitlab['mattermost']['oauth']['gitlab']
}
}
secret_tokens['mattermost'].merge!(gitlab_oauth)
end
if File.directory?("/etc/gitlab")
File.open("/etc/gitlab/gitlab-secrets.json", "w") do |f|
f.puts(

View File

@ -107,6 +107,7 @@ include_recipe "runit"
"remote-syslog",
"logrotate",
"bootstrap",
"mattermost"
].each do |service|
if node["gitlab"][service]["enable"]
include_recipe "gitlab::#{service}"

View File

@ -0,0 +1,113 @@
#
# Copyright:: Copyright (c) 2012 Opscode, Inc.
# Copyright:: Copyright (c) 2015 GitLab B.V.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
gitlab = node['gitlab']
mattermost_user = gitlab['mattermost']['username']
mattermost_group = gitlab['mattermost']['group']
mattermost_home = gitlab['mattermost']['home']
mattermost_log_dir = gitlab['mattermost']['log_file_directory']
mattermost_storage_directory = gitlab['mattermost']['service_storage_directory']
postgresql_socket_dir = gitlab['postgresql']['unix_socket_directory']
pg_port = gitlab['postgresql']['port']
pg_user = gitlab['postgresql']['username']
###
# Create group and user that will be running mattermost
###
group mattermost_group do
system true
end
user mattermost_user do
shell '/bin/sh'
home mattermost_home
gid mattermost_group
system true
end
###
# Create required directories
###
[
mattermost_home,
mattermost_log_dir,
mattermost_storage_directory
].compact.each do |dir|
directory dir do
owner mattermost_user
recursive true
end
end
###
# Create the database users, create the database we need, and grant them
# privileges.
###
pg_helper = PgHelper.new(node)
bin_dir = "/opt/gitlab/embedded/bin"
db_name = gitlab['mattermost']['database_name']
sql_user = gitlab['postgresql']['sql_mattermost_user']
execute "create #{sql_user} database user" do
command "#{bin_dir}/psql --port #{pg_port} -h #{postgresql_socket_dir} -d template1 -c \"CREATE USER #{sql_user}\""
user pg_user
not_if { !pg_helper.is_running? || pg_helper.user_exists?(sql_user) }
end
execute "create #{db_name} database" do
command "#{bin_dir}/createdb --port #{pg_port} -h #{postgresql_socket_dir} -O #{sql_user} #{db_name}"
user pg_user
not_if { !pg_helper.is_running? || pg_helper.database_exists?(db_name) }
retries 30
end
###
# Populate mattermost configuration options
###
# Try connecting to GitLab only if it is enabled
if gitlab['enable']
database_ready = pg_helper.is_running? && pg_helper.database_exists?(gitlab['gitlab-rails']['db_database'])
gitlab_oauth = if gitlab['mattermost']['oauth']['gitlab']
gitlab['mattermost']['oauth']['gitlab']
else
database_ready ? MattermostHelper.authorize_with_gitlab(Gitlab['external_url']):{}
end
oauth_attributes = gitlab['mattermost']['oauth'].to_hash.merge('gitlab' => gitlab_oauth)
end
template "#{mattermost_home}/config.json" do
source "config.json.erb"
owner mattermost_user
variables gitlab['mattermost'].to_hash.merge(gitlab['postgresql']).to_hash.merge('oauth' => oauth_attributes)
mode "0644"
notifies :restart, "service[mattermost]"
end
###
# Mattermost control service
###
runit_service "mattermost" do
options({
:log_directory => mattermost_log_dir
}.merge(params))
log_options gitlab['logging'].to_hash.merge(gitlab['mattermost'].to_hash)
end
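Review bot: the `template "#{mattermost_home}/config.json"` resource writes the file with `mode "0644"`, but that file carries `InviteSalt`, `PublicLinkSalt`, `ResetSalt`, `AtRestEncryptKey`, the GitLab SSO `Secret`, and whatever the `email_smtp_password` and `mattermost['aws']` attributes passed in as template variables render to; it should be `0600` owned by `mattermost_user` (or `0640` with `mattermost_group`), matching the care these values get in gitlab-secrets.json. Second, `oauth_attributes` is only assigned inside `if gitlab['enable']`, so when that is false it is `nil` and `SSOSettings` renders as `null`, discarding a manually configured `mattermost['oauth']`; build `oauth_attributes` from `gitlab['mattermost']['oauth']` outside the conditional and merge the auto-authorised `gitlab` entry only inside it. Minor: the `database_ready ? ... :{}` ternary needs spaces around the `:`.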

View File

@ -0,0 +1,20 @@
#
# Copyright:: Copyright (c) 2015 GitLab B.V.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
runit_service "mattermost" do
action :disable
end

View File

@ -42,6 +42,7 @@ nginx_config = File.join(nginx_conf_dir, "nginx.conf")
gitlab_rails_http_conf = File.join(nginx_conf_dir, "gitlab-http.conf")
gitlab_ci_http_conf = File.join(nginx_conf_dir, "gitlab-ci-http.conf")
gitlab_mattermost_http_conf = File.join(nginx_conf_dir, "gitlab-mattermost-http.conf")
# If the service is enabled, check if we are using internal nginx
gitlab_rails_enabled = if node['gitlab']['gitlab-rails']['enable']
@ -56,6 +57,12 @@ gitlab_ci_enabled = if node['gitlab']['gitlab-ci']['enable']
false
end
gitlab_mattermost_enabled = if node['gitlab']['mattermost']['enable']
node['gitlab']['mattermost-nginx']['enable']
else
false
end
# Include the config file for gitlab-rails in nginx.conf later
nginx_vars = node['gitlab']['nginx'].to_hash.merge({
:gitlab_http_config => gitlab_rails_enabled ? gitlab_rails_http_conf : nil
@ -65,6 +72,11 @@ nginx_vars = node['gitlab']['nginx'].to_hash.merge({
nginx_vars = nginx_vars.merge!(
:gitlab_ci_http_config => gitlab_ci_enabled ? gitlab_ci_http_conf : nil
)
# Include the config file for gitlab mattermost in nginx.conf later
nginx_vars = nginx_vars.to_hash.merge!({
:gitlab_mattermost_http_config => gitlab_mattermost_enabled ? gitlab_mattermost_http_conf : nil
})
if nginx_vars['listen_https'].nil?
nginx_vars['https'] = node['gitlab']['gitlab-rails']['gitlab_https']
else
@ -109,6 +121,29 @@ template gitlab_ci_http_conf do
action gitlab_ci_enabled ? :create : :delete
end
mattermost_nginx_vars = node['gitlab']['mattermost-nginx'].to_hash
if mattermost_nginx_vars['listen_https'].nil?
mattermost_nginx_vars['https'] = node['gitlab']['mattermost']['service_use_ssl']
else
mattermost_nginx_vars['https'] = mattermost_nginx_vars['listen_https']
end
template gitlab_mattermost_http_conf do
source "nginx-gitlab-mattermost-http.conf.erb"
owner "root"
group "root"
mode "0644"
variables(mattermost_nginx_vars.merge(
{
:fqdn => node['gitlab']['mattermost']['host'],
:service_port => node['gitlab']['mattermost']['service_port']
}
))
notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
action gitlab_mattermost_enabled ? :create : :delete
end
template nginx_config do
source "nginx.conf.erb"
owner "root"
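Review bot: the `https` default for the Mattermost vhost falls back to `node['gitlab']['mattermost']['service_use_ssl']`, but that attribute drives Mattermost's own listener (`"UseSSL": <%= @service_use_ssl %>` in config.json.erb), while the vhost template always uses `proxy_pass http://gitlab_mattermost;`. With `service_use_ssl` true and `listen_https` unset, nginx would terminate TLS on the outside and then proxy cleartext to a backend that expects TLS. Either derive the default from an nginx-specific attribute, the way the rails vhost uses `node['gitlab']['gitlab-rails']['gitlab_https']`, or make the `proxy_pass` scheme follow the same flag.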

View File

@ -0,0 +1,82 @@
{
"LogSettings": {
"ConsoleEnable": <%= @log_console_enable %>,
"ConsoleLevel": "<%= @log_console_level %>",
"FileEnable": <%= @log_file_enable %>,
"FileLevel": "<%= @log_file_level %>",
"FileFormat": "<%= @log_file_format %>",
"FileLocation": "<%= @log_file_directory %>/mattermost.log"
},
"ServiceSettings": {
"SiteName": "<%= @service_site_name %>",
"Mode" : "<%= @service_mode %>",
"AllowTesting" : <%= @service_allow_testing %>,
"UseSSL": <%= @service_use_ssl %>,
"Port": "<%= @service_port %>",
"Version": "<%= @service_version %>",
"InviteSalt": "<%= @service_invite_salt %>",
"PublicLinkSalt": "<%= @service_public_link_salt %>",
"ResetSalt": "<%= @service_reset_salt %>",
"AnalyticsUrl": "<%= @service_analytics_url %>",
"UseLocalStorage": <%= @service_use_local_storage %>,
"StorageDirectory": "<%= @service_storage_directory %>",
"AllowedLoginAttempts": <%= @service_allowed_login_attempts %>
},
"SSOSettings": <%= @oauth.to_json %>,
"SqlSettings": {
"DriverName": "postgres",
"DataSource": "<%= @sql_data_source %>",
"DataSourceReplicas": [<%= @sql_data_source_replicas.map{ |dsr| "\"#{dsr}\"" }.join(',') %>],
"MaxIdleConns": <%= @sql_max_idle_conns %>,
"MaxOpenConns": <%= @sql_max_open_conns %>,
"Trace": <%= @sql_trace %>,
"AtRestEncryptKey": "<%= @sql_at_rest_encrypt_key %>"
},
"AWSSettings": <%= @aws.to_json %>,
"ImageSettings": {
"ThumbnailWidth": <%= @image_thumbnail_width %>,
"ThumbnailHeight": <%= @image_thumbnail_height %>,
"PreviewWidth": <%= @image_preview_width %>,
"PreviewHeight": <%= @image_preview_height %>,
"ProfileWidth": <%= @image_profile_width %>,
"ProfileHeight": <%= @image_profile_height %>,
"InitialFont": "<%= @image_initial_font %>"
},
"EmailSettings": {
"ByPassEmail" : <%= @email_by_pass_email %>,
"SMTPUsername": "<%= @email_smtp_username %>",
"SMTPPassword": "<%= @email_smtp_password %>",
"SMTPServer": "<%= @email_smtp_server %>",
"UseTLS": <%= @email_use_tls %>,
"FeedbackEmail": "<%= @email_feedback_email %>",
"FeedbackName": "<%= @email_feedback_name %>",
"ApplePushServer": "<%= @email_apple_push_server %>",
"ApplePushCertPublic": "<%= @email_apple_push_cert_public %>",
"ApplePushCertPrivate": "<%= @email_apple_push_cert_private %>"
},
"RateLimitSettings": {
"UseRateLimiter": <%= @ratelimit_use_rate_limiter %>,
"PerSec": <%= @ratelimit_per_sec %>,
"MemoryStoreSize": <%= @ratelimit_memory_store_size %>,
"VaryByRemoteAddr": <%= @ratelimit_vary_by_remote_addr %>,
"VaryByHeader": "<%= @ratelimit_vary_by_header %>"
},
"PrivacySettings": {
"ShowEmailAddress": <%= @privacy_show_email_address %>,
"ShowPhoneNumber": <%= @privacy_show_phone_number %>,
"ShowSkypeId": <%= @privacy_show_skype_id %>,
"ShowFullName": <%= @privacy_show_full_name %>
},
"TeamSettings": {
"MaxUsersPerTeam": <%= @team_max_users_per_team %>,
"AllowPublicLink": <%= @team_allow_public_link %>,
"AllowValetDefault": <%= @team_allow_valet_default %>,
"TermsLink": "<%= @team_terms_link %>",
"PrivacyLink": "<%= @team_privacy_link %>",
"AboutLink": "<%= @team_about_link %>",
"HelpLink": "<%= @team_help_link %>",
"ReportProblemLink": "<%= @team_report_problem_link %>",
"TourLink": "<%= @team_tour_link %>",
"DefaultThemeColor": "<%= @team_default_color %>"
}
}
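Review bot: string values are interpolated raw inside JSON quotes (`"SMTPPassword": "<%= @email_smtp_password %>"`, the three salts, `AtRestEncryptKey`, `DataSource`), so any value containing `"` or `\` produces an invalid or silently altered config.json, and `DataSourceReplicas` hand-builds its quoting with `"\"#{dsr}\""`. The template already renders `<%= @oauth.to_json %>` and `<%= @aws.to_json %>`; render the scalar strings the same way (e.g. `"SMTPPassword": <%= @email_smtp_password.to_json %>`) and use `<%= @sql_data_source_replicas.to_json %>` for the array, which escapes correctly. Since this file carries the SMTP password, the invite/reset/public-link salts, the at-rest encryption key and the Apple push private certificate, the template resource that writes it (not part of this hunk) should restrict owner and mode to the `mattermost` user.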

View File

@ -0,0 +1,70 @@
# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.
## GitLab Mattermost
upstream gitlab_mattermost {
server 127.0.0.1:<%= @service_port %>;
}
<% if @https && @redirect_http_to_https %>
server {
<% @listen_addresses.each do |listen_address| %>
listen <%= listen_address %>:<%= @redirect_http_to_https_port %>;
<% end %>
server_name <%= @fqdn %>;
server_tokens off;
return 301 https://<%= @fqdn %>:<%= @port %>$request_uri;
access_log <%= @log_directory %>/gitlab_mattermost_access.log;
error_log <%= @log_directory %>/gitlab_mattermost_access.log;
}
<% end %>
server {
<% @listen_addresses.each do |listen_address| %>
listen <%= listen_address %>:<%= @listen_port %><% if @https %> ssl<% end %>;
<% end %>
server_name <%= @fqdn %>;
server_tokens off; # don't show the version number, a security best practice
<% if @https %>
ssl on;
ssl_certificate <%= @ssl_certificate %>;
ssl_certificate_key <%= @ssl_certificate_key %>;
ssl_ciphers '<%= @ssl_ciphers %>';
ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
ssl_protocols <%= @ssl_protocols %>;
ssl_session_cache <%= @ssl_session_cache %>;
ssl_session_timeout <%= @ssl_session_timeout %>;
<% if @ssl_dhparam %>
ssl_dhparam <%= @ssl_dhparam %>;
<% end %>
<% end %>
access_log <%= @log_directory %>/gitlab_mattermost_access.log;
error_log <%= @log_directory %>/gitlab_mattermost_error.log;
location / {
## If you use HTTPS make sure you disable gzip compression
## to be safe against BREACH attack.
<%= 'gzip off;' if @https %>
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_redirect off;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Frame-Options SAMEORIGIN;
<% if @https %>
proxy_set_header X-Forwarded-Ssl on;
<% end %>
proxy_pass http://gitlab_mattermost;
}
<%= @custom_gitlab_mattermost_server_config %>
}
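Review bot: `proxy_set_header X-Frame-Options SAMEORIGIN;` sets a header on the request forwarded to Mattermost, not on the response returned to the browser, so it provides no clickjacking protection; if that is the intent, use `add_header X-Frame-Options SAMEORIGIN;` in this `location` block instead. Separately, the HTTP-to-HTTPS redirect server writes `error_log <%= @log_directory %>/gitlab_mattermost_access.log;`, which should be `gitlab_mattermost_error.log` as in the main server block below it.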

View File

@ -36,5 +36,9 @@ http {
include <%= @gitlab_ci_http_config %>;
<% end %>
<% if @gitlab_mattermost_http_config %>
include <%= @gitlab_mattermost_http_config %>;
<% end %>
<%= @custom_nginx_config %>
}

View File

@ -42,5 +42,6 @@
# MAPNAME SYSTEM-USERNAME PG-USERNAME
gitlab <%= node['gitlab']['user']['username'] %> <%= node['gitlab']['postgresql']['sql_user'] %>
gitlab <%= node['gitlab']['gitlab-ci']['username'] %> <%= node['gitlab']['postgresql']['sql_ci_user'] %>
gitlab <%= node['gitlab']['mattermost']['username'] %> <%= node['gitlab']['postgresql']['sql_mattermost_user'] %>
# Default to a 1-1 mapping between system usernames and Postgres usernames
gitlab /^(.*)$ \1

View File

@ -0,0 +1,6 @@
<%= "s#@svlogd_size" if @svlogd_size %>
<%= "n#@svlogd_num" if @svlogd_num %>
<%= "t#@svlogd_timeout" if @svlogd_timeout %>
<%= "!#@svlogd_filter" if @svlogd_filter %>
<%= "u#@svlogd_udp" if @svlogd_udp %>
<%= "p#@svlogd_prefix" if @svlogd_prefix %>

View File

@ -0,0 +1,2 @@
#!/bin/sh
exec svlogd -tt <%= @options[:log_directory] %>

View File

@ -0,0 +1,4 @@
#!/bin/sh
exec 2>&1
cd /opt/gitlab/embedded/service/mattermost
exec chpst -P -U mattermost -u mattermost /opt/gitlab/embedded/bin/mattermost -config /var/opt/gitlab/mattermost/config.json
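Review bot: the run script hard-codes `/opt/gitlab/embedded/...` and `/var/opt/gitlab/mattermost/config.json`, whereas the sibling log/run template takes its path from `<%= @options[:log_directory] %>`; pass the install and config directories through `@options` so the paths stay in step with the recipe. The process is dropped to `mattermost:mattermost` via `chpst -U mattermost -u mattermost`, and config.json (see the template hunk above) holds the SMTP password, the salts and the at-rest encryption key, so that file must be readable by the `mattermost` user and by nobody else; the resource that creates it is not visible in this diff, so please confirm its owner and mode.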