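#
# If you change this file in a Merge Request, please also create
# a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
#
---
# GitLab user. git by default
user: git

# URL to GitLab instance, used for API calls. Default: http://localhost:8080.
# For relative URL support read http://doc.gitlab.com/ce/install/relative_url.html
# You only have to change the default if you have configured Unicorn
# to listen on a custom port, or if you have configured Unicorn to
# only listen on a Unix domain socket. For Unix domain sockets use
# "http+unix://<urlquoted-path-to-socket>", e.g.
# "http+unix://%2Fpath%2Fto%2Fsocket"
gitlab_url: "http+unix://%2Fhome%2Fgit%2Fgitlab%2Ftmp%2Fsockets%2Fgitlab-workhorse.socket"

# When a http+unix:// is used in gitlab_url, this is the relative URL root to GitLab.
# Not used if gitlab_url is http:// or https://.
# gitlab_relative_url_root: "/"

# See installation.md#using-https for additional HTTPS configuration details.
# If user/password are set here they are stored in plain text; keep this file
# readable only by the gitlab-shell user.
http_settings:
#  read_timeout: 300
#  user: someone
#  password: somepass
#  ca_file: /etc/ssl/cert.pem
#  ca_path: /etc/pki/tls/certs
#

# File used as authorized_keys for gitlab user
auth_file: "/home/git/.ssh/authorized_keys"

# SSL certificate dir where custom certificates can be placed
# https://golang.org/pkg/crypto/x509/
# ssl_cert_dir: /opt/gitlab/embedded/ssl/certs/

# File that contains the secret key for verifying access to GitLab.
# Default is .gitlab_shell_secret in the gitlab-shell directory.
# secret_file: "/home/git/gitlab-shell/.gitlab_shell_secret"
#
# The secret field supersedes the secret_file, and if set that
# file will not be read. Prefer secret_file: an inline value travels with every
# copy of this config (backups, version control), whereas the secret file can
# be permission-restricted on its own.
# secret: "supersecret"

# Log file.
# Default is gitlab-shell.log in the root directory.
# log_file: "/home/git/gitlab-shell/gitlab-shell.log"

# Log level. INFO by default
log_level: INFO

# Log format. 'json' by default, can be changed to 'text' if needed
log_format: text

# Audit usernames.
# Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but
# incurs an extra API call on every gitlab-shell command.
audit_usernames: false

# Distributed Tracing. GitLab-Shell has distributed tracing instrumentation.
# For more details, visit https://docs.gitlab.com/ee/development/distributed_tracing.html
# gitlab_tracing: opentracing://driver

# This section configures the built-in SSH server. Ignored when running on OpenSSH.
sshd:
  # Address which the SSH server listens on. Defaults to [::]:22.
  listen: "[::]:22"
  # Set to true if gitlab-sshd is being fronted by a load balancer that implements
  # the PROXY protocol. Enable it only when the listener is reachable solely through
  # that load balancer, and pin the peers allowed to send the header with proxy_allowed:
  # on an exposed listener, the client address taken from a PROXY header is whatever
  # the connecting peer claims, so logs and any address-based policy cannot rely on it.
  proxy_protocol: false
  # Proxy protocol policy ("use", "require", "reject", "ignore"), "use" is the default value
  # Values: https://github.com/pires/go-proxyproto/blob/195fedcfbfc1be163f3a0d507fac1709e9d81fed/policy.go#L20
  proxy_policy: "use"
  # Proxy allowed IP addresses. Takes precedence over proxy_policy. Disabled by default.
  # proxy_allowed:
  #   - "192.168.0.1"
  #   - "192.168.1.0/24"
  # Address which the server listens on HTTP for monitoring/health checks. Defaults to localhost:9122.
  # Keep this on a loopback or internal address; it is separate from the SSH listener.
  web_listen: "localhost:9122"
  # Maximum number of concurrent sessions allowed on a single SSH connection. Defaults to 10.
  concurrent_sessions_limit: 10
  # Sets an interval after which server will send keepalive message to a client. Defaults to 15s.
  client_alive_interval: 15
  # The server waits for this time for the ongoing connections to complete before shutting down. Defaults to 10s.
  grace_period: 10
  # The server disconnects after this time if the user has not successfully logged in. Defaults to 60s.
  login_grace_time: 60
  # A short timeout to decide to abort the connection if the protocol header is not seen within it. Defaults to 500ms
  proxy_header_timeout: 500ms
  # The endpoint that returns 200 OK if the server is ready to receive incoming connections; otherwise, it returns 503 Service Unavailable. Defaults to "/start".
  readiness_probe: "/start"
  # The endpoint that returns 200 OK if the server is alive. Defaults to "/health".
  liveness_probe: "/health"
  # Specifies the available message authentication code algorithms that are used for protecting data integrity.
  # hmac-sha1 is SHA-1 based and is kept only for legacy clients; remove it if no client still needs it.
  macs:
    - hmac-sha2-256-etm@openssh.com
    - hmac-sha2-512-etm@openssh.com
    - hmac-sha2-256
    - hmac-sha2-512
    - hmac-sha1  # legacy
  # Specifies the available Key Exchange algorithms.
  # diffie-hellman-group14-sha1 is SHA-1 based and is kept only for legacy clients.
  kex_algorithms:
    - curve25519-sha256
    - curve25519-sha256@libssh.org
    - ecdh-sha2-nistp256
    - ecdh-sha2-nistp384
    - ecdh-sha2-nistp521
    - diffie-hellman-group14-sha256
    - diffie-hellman-group14-sha1  # legacy
  # Specifies the ciphers allowed
  ciphers:
    - aes128-gcm@openssh.com
    - chacha20-poly1305@openssh.com
    - aes256-gcm@openssh.com
    - aes128-ctr
    - aes192-ctr
    - aes256-ctr
  # Specifies the available Public Key algorithms.
  # ssh-rsa (RSA with SHA-1 signatures) and ssh-dss (DSA) are legacy entries; RSA keys
  # still authenticate via rsa-sha2-256 / rsa-sha2-512, so drop the legacy ones once no
  # client depends on them.
  public_key_algorithms:
    - ssh-rsa  # legacy
    - ssh-dss  # legacy
    - ecdsa-sha2-nistp256
    - sk-ecdsa-sha2-nistp256@openssh.com
    - ecdsa-sha2-nistp384
    - ecdsa-sha2-nistp521
    - ssh-ed25519
    - sk-ssh-ed25519@openssh.com
    - rsa-sha2-256
    - rsa-sha2-512
  # SSH host key files.
  host_key_files:
    - /run/secrets/ssh-hostkeys/ssh_host_rsa_key
    - /run/secrets/ssh-hostkeys/ssh_host_ecdsa_key
    - /run/secrets/ssh-hostkeys/ssh_host_ed25519_key
  host_key_certs:
    - /run/secrets/ssh-hostkeys/ssh_host_rsa_key-cert.pub
    - /run/secrets/ssh-hostkeys/ssh_host_ecdsa_key-cert.pub
    - /run/secrets/ssh-hostkeys/ssh_host_ed25519_key-cert.pub
  # GSSAPI-related settings
  gssapi:
    # Enable the gssapi-with-mic authentication method. Defaults to false.
    enabled: false
    # Keytab path. Defaults to "", system default (usually /etc/krb5.keytab).
    keytab: ""
    # The Kerberos service name to be used by sshd. Defaults to "", accepts any service name in keytab file.
    service_principal_name: ""

lfs:
  # https://gitlab.com/groups/gitlab-org/-/epics/11872, disabled by default.
  pure_ssh_protocol: false

# https://docs.gitlab.com/ee/development/gitlab_shell/features.html#personal-access-token
pat:
  # Enable/disable creation of personal access tokens using SSH key
  enabled: true
  # Configure which PAT scopes are allowable to generate using an SSH key.
  # Consider restricting this to the smallest set your users need.
  # allowed_scopes: [read_repository]

# Topology Service configuration for GitLab Cells routing.
# This enables routing SSH requests to the appropriate cell in a multi-cell deployment.
# See: https://handbook.gitlab.com/handbook/engineering/architecture/design-documents/cells/topology_service/
#
# topology_service:
#   # Enable Topology Service integration
#   enabled: false
#
#   # gRPC address of the Topology Service
#   address: "topology.gitlab.com:443"
#
#   # ClassifyType to use when querying for cell routing.
#   # Options: first_cell, session_prefix, cell_id
#   classify_type: "first_cell"
#
#   # Timeout for Topology Service requests. Defaults to 5s.
#   timeout: 5s
#
#   # TLS configuration for secure connections
#   tls:
#     # Enable TLS (recommended for production)
#     enabled: true
#     # Path to CA certificate file for server verification
#     ca_file: "/etc/gitlab/ssl/topology-ca.crt"
#     # Client certificate for mTLS (if required by Topology Service)
#     # cert_file: "/etc/gitlab/ssl/client.crt"
#     # key_file: "/etc/gitlab/ssl/client.key"
#     # Expected server name for TLS verification
#     # server_name: "topology.gitlab.com"
#     # Skip TLS verification (development only, not recommended for production)
#     # insecure_skip_verify: false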