commit 56fba3b5d9376daddbe9f39e602952140da61754 Author: martin Date: Tue Jan 14 10:10:15 2025 +0100 ORIGIN diff --git a/README.md b/README.md new file mode 100644 index 0000000..9216b6b --- /dev/null +++ b/README.md @@ -0,0 +1,2 @@ +# admin + diff --git a/do_proxy/etc/nginx/nginx.conf b/do_proxy/etc/nginx/nginx.conf new file mode 100644 index 0000000..a274c96 --- /dev/null +++ b/do_proxy/etc/nginx/nginx.conf @@ -0,0 +1,93 @@ +user www-data; +worker_processes auto; +pid /run/nginx.pid; +include /etc/nginx/modules-enabled/*.conf; + +events { + worker_connections 768; + # multi_accept on; +} + +http { + + ## + # Basic Settings + ## + + + client_max_body_size 128M; + proxy_max_temp_file_size 0; + proxy_buffering off; + server_names_hash_bucket_size 256; + + + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + # server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # SSL Settings + ## + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on; + + ## + # Logging Settings + ## + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + ## + # Gzip Settings + ## + + gzip on; + + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + ## + # Virtual Host Configs + ## + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +} + + +#mail { +# # See sample authentication script at: +# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript +# +# # auth_http localhost/auth.php; +# # pop3_capabilities "TOP" "USER"; +# # imap_capabilities "IMAP4rev1" "UIDPLUS"; +# +# server { +# listen localhost:110; +# protocol pop3; +# proxy on; +# } +# +# server { +# listen localhost:143; +# protocol imap; +# proxy on; +# } +#} diff --git a/do_proxy/etc/nginx/sites-available/smartinspace b/do_proxy/etc/nginx/sites-available/smartinspace new file mode 100644 index 0000000..ab0b41c --- /dev/null +++ b/do_proxy/etc/nginx/sites-available/smartinspace @@ -0,0 +1,110 @@ +server{ + server_name smartinspace.ai; + proxy_set_header X-Forwarded-For $remote_addr; + location / { + root /var/www/html; + index index.html; + } + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/smartinspace.ai/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/smartinspace.ai/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot +} + +server { + server_name file.smartinspace.ai; + proxy_set_header X-Forwarded-For $remote_addr; + location / { + proxy_pass https://svnasolvo.ddns.net:44300/; + proxy_intercept_errors on; + error_page 404 502 503 504 = @fallback; + } + location @fallback { + root /var/www/html; + index maintenance.html; + } + + location /seafdav { + proxy_pass https://svnasolvo.ddns.net:44300/seafdav; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $server_name; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 1200s; + client_max_body_size 0; + access_log /var/log/nginx/seafdav.access.log; + error_log /var/log/nginx/seafdav.error.log; + } + + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/file.smartinspace.ai/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/file.smartinspace.ai/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot +} + +server { + if ($host = file.smartinspace.ai) { + return 301 https://$host$request_uri; + } # managed by Certbot + server_name file.smartinspace.ai; + listen 80; + return 404; # managed by Certbot +} +server { + server_name git.smartinspace.ai; + proxy_set_header X-Forwarded-For $remote_addr; + location / { + proxy_pass https://svnasolvo.ddns.net:30000/; + proxy_intercept_errors on; + error_page 404 502 503 504 = @fallback; + } + location @fallback { + root /var/www/html; + index maintenance.html; + } + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/git.smartinspace.ai/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/git.smartinspace.ai/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot +} +server { + if ($host = git.smartinspace.ai) { + return 301 https://$host$request_uri; + } # managed by Certbot + server_name git.smartinspace.ai; + listen 80; + return 404; # managed by Certbot +} + + +server { + server_name dev.smartinspace.ai; + proxy_set_header X-Forwarded-For $remote_addr; + location / { + proxy_pass https://svnasolvo.ddns.net:8080/; + proxy_intercept_errors on; + error_page 404 502 503 504 = @fallback; + } + location @fallback { + root /var/www/html; + index maintenance.html; + } + listen 443 ssl; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + ssl_certificate /etc/letsencrypt/live/dev.smartinspace.ai/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/dev.smartinspace.ai/privkey.pem; # managed by Certbot +} +server { + if ($host = dev.smartinspace.ai) { + return 301 https://$host$request_uri; + } # managed by Certbot + server_name dev.smartinspace.ai; + listen 80; + return 404; # managed by Certbot +} diff --git a/do_proxy/etc/ssh/sshd_config b/do_proxy/etc/ssh/sshd_config new file mode 100644 index 0000000..3f7adb6 --- /dev/null +++ b/do_proxy/etc/ssh/sshd_config @@ -0,0 +1,127 @@ +# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +Include /etc/ssh/sshd_config.d/*.conf + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none + +# Logging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +#PermitRootLogin yes +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +PubkeyAuthentication yes + +# Expect .ssh/authorized_keys2 to be disregarded by default in future. +AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 + +ChallengeResponseAuthentication no +PasswordAuthentication no +UsePAM no + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +PasswordAuthentication no +#PermitEmptyPasswords no + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes +#GSSAPIKeyExchange no + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin yes +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no +#PrintLastLog yes +#TCPKeepAlive yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +# override default of no subsystems +Subsystem sftp /usr/lib/openssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server diff --git a/ligalytics/bernie/etc/nginx/sites-available/leagues.conf b/ligalytics/bernie/etc/nginx/sites-available/leagues.conf new file mode 100644 index 0000000..5d6fc1c --- /dev/null +++ b/ligalytics/bernie/etc/nginx/sites-available/leagues.conf @@ -0,0 +1,63 @@ +server { + listen 80; + server_name bernie; + + client_max_body_size 48M; + client_body_buffer_size 128k; + + client_header_buffer_size 5120k; + large_client_header_buffers 32 5120k; + + #only works in nginx+ + #set_cookie_flag HttpOnly Secure; + #proxy_cookie_path / "/; secure; HTTPOnly; SameSite=strict"; + # proxy_set_header X-Real-IP $remote_addr; + + set_real_ip_from 192.168.178.41; + + error_page 501 502 503 504 /maintenance.html; + location /maintenance.html { + root /home/django/; + } + + location = /favicon.ico { + access_log off; log_not_found off; + } + + location /media { + #autoindex on; + alias /home/django/leagues/data/media; + } + + location /static/ { + root /home/django/; + } + + location / { + include proxy_params; + proxy_pass http://unix:/run/gunicorn.sock; + + # proxy_set_header X-Real-IP $remote_addr; + #proxy_set_header Host $http_host; + #proxy_set_header REMOTE_ADDR $remote_addr; + #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + #proxy_headers_hash_max_size 512; + #proxy_headers_hash_bucket_size 128; + + #proxy_read_timeout 3600; + #proxy_intercept_errors on; + } + + #location ^~ /.well-known { + #root /home/django/leagues/; + #allow all; + #} + + #location = /_csp { + # access_log /var/log/nginx/csp.log CSP; + # proxy_pass http://127.0.0.1/_csp_response; + #} + + # FOR CSP + include snippets/ssl-params.conf; +} diff --git a/ligalytics/bernie/etc/nginx/snippets/ssl-params.conf b/ligalytics/bernie/etc/nginx/snippets/ssl-params.conf new file mode 100644 index 0000000..3c26cf6 --- /dev/null +++ b/ligalytics/bernie/etc/nginx/snippets/ssl-params.conf @@ -0,0 +1,52 @@ +ssl_protocols TLSv1.2 TLSv1.3; +ssl_prefer_server_ciphers on; +ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; +ssl_ecdh_curve secp384r1; +ssl_session_cache shared:SSL:10m; +ssl_session_timeout 1d; +ssl_session_tickets off; +ssl_stapling on; +ssl_stapling_verify on; +resolver 8.8.8.8 8.8.4.4 valid=300s; +resolver_timeout 5s; + +# Disable preloading HSTS for now. You can use the commented out header line that includes +# the "preload" directive if you understand the implications. +# add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; +#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains"; +add_header X-Frame-Options DENY; +add_header X-Content-Type-Options nosniff; +add_header X-XSS-Protection "1; mode=block" always; + +add_header Content-Security-Policy " +object-src 'none'; +base-uri 'none'; +require-trusted-types-for 'script'; +report-uri https://optimization.ligalytics.com/_csp; +script-src 'strict-dynamic' 'self' 'unsafe-inline' 'nonce-secret321' https://*.googleapis.com https://*.gstatic.com *.google.com https://*.ggpht.com *.googleusercontent.com blob:; +img-src 'self' https://*.googleapis.com https://*.gstatic.com *.google.com *.googleusercontent.com data:; +frame-src *.google.com; +connect-src 'self' https://*.googleapis.com *.google.com https://*.gstatic.com data: blob:; +font-src https://fonts.gstatic.com; +style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; +worker-src blob:; +"; + +set $SCRIPT "script-src 'strict-dynamic' 'nonce-rAnd0m123' 'unsafe-inline'"; +set $SCRIPT "${SCRIPT} https://www.a.com"; +set $SCRIPT "${SCRIPT} https://b.com"; +set $STYLE "style-src 'self'"; +set $STYLE "${STYLE} https://a.com"; +set $IMG "img-src 'self' data:"; +set $IMG "${IMG} https://a.com"; +set $IMG "${IMG} https://www.b.com"; +set $FONT "font-src 'self' data:"; +set $FONT "${FONT} https://a.com"; +set $DEFAULT "default-src 'self'"; +set $CONNECT "connect-src 'self'"; +set $CONNECT "${CONNECT} https://www.a.com"; +set $CONNECT "${CONNECT} https://www.b.com"; +set $FRAME "frame-src 'self'"; +set $FRAME "${FRAME} https://a.com"; +set $FRAME "${FRAME} https://b.com"; +add_header Content-Security-Policy "${SCRIPT}; ${STYLE}; ${IMG}; ${FONT}; ${DEFAULT}; ${CONNECT}; ${FRAME}"; \ No newline at end of file diff --git a/ligalytics/bernie/etc/prometheus/prometheus.yml b/ligalytics/bernie/etc/prometheus/prometheus.yml new file mode 100644 index 0000000..b2f3e5e --- /dev/null +++ b/ligalytics/bernie/etc/prometheus/prometheus.yml @@ -0,0 +1,34 @@ +# my global config +global: + scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute. + evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute. + # scrape_timeout is set to the global default (10s). + +# Alertmanager configuration +alerting: + alertmanagers: + - static_configs: + - targets: + # - alertmanager:9093 + +# Load rules once and periodically evaluate them according to the global 'evaluation_interval'. +rule_files: + # - "first_rules.yml" + # - "second_rules.yml" + +# A scrape configuration containing exactly one endpoint to scrape: +# Here it's Prometheus itself. +scrape_configs: + # The job name is added as a label `job=` to any timeseries scraped from this config. + - job_name: "prometheus" + + # metrics_path defaults to '/metrics' + # scheme defaults to 'http'. + + static_configs: + - targets: ["localhost:9090"] + + + - job_name: "node" + static_configs: + - targets: ["localhost:9100"] diff --git a/ligalytics/bernie/etc/systemd/system/gunicorn.service b/ligalytics/bernie/etc/systemd/system/gunicorn.service new file mode 100644 index 0000000..cd533da --- /dev/null +++ b/ligalytics/bernie/etc/systemd/system/gunicorn.service @@ -0,0 +1,24 @@ +[Unit] +Description=gunicorn daemon +Requires=gunicorn.socket +After=network.target + + +[Service] +User=django +Group=django +WorkingDirectory=/home/django/leagues +ExecStart=/home/django/leagues/venv/bin/gunicorn \ + --bind unix:/run/gunicorn.sock \ + --log-level debug \ + --limit-request-line 0 \ + --limit-request-field_size 0 \ + --graceful-timeout 1200 \ + --capture-output \ + --timeout 1200 \ + --workers 3 \ + leagues.wsgi:application + + +[Install] +WantedBy=multi-user.target diff --git a/ligalytics/bernie/etc/systemd/system/prometheus.service b/ligalytics/bernie/etc/systemd/system/prometheus.service new file mode 100644 index 0000000..1295113 --- /dev/null +++ b/ligalytics/bernie/etc/systemd/system/prometheus.service @@ -0,0 +1,25 @@ +[Unit] + +Description=Prometheus + +Wants=network-online.target + +After=network-online.target + +[Service] + +User=prometheus + +Group=prometheus + +Type=simple + +ExecStart=/usr/local/bin/prometheus \ + --config.file /etc/prometheus/prometheus.yml \ + --storage.tsdb.path /var/lib/prometheus/ \ + --web.console.templates=/etc/prometheus/consoles \ + --web.console.libraries=/etc/prometheus/console_libraries + +[Install] + +WantedBy=multi-user.target diff --git a/ligalytics/meemaw/admin/dbbackup.sh b/ligalytics/meemaw/admin/dbbackup.sh new file mode 100755 index 0000000..f433314 --- /dev/null +++ b/ligalytics/meemaw/admin/dbbackup.sh @@ -0,0 +1,4 @@ +cd /var/www/leagues +venv/bin/python manage.py dbbackup +rsync -a data/computation /db_backup/computation + diff --git a/ligalytics/meemaw/admin/iftop.sh b/ligalytics/meemaw/admin/iftop.sh new file mode 100755 index 0000000..75e3e74 --- /dev/null +++ b/ligalytics/meemaw/admin/iftop.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +echo "$(date)" >> /var/log/iftop/$(date +%F)_iftop.log +/usr/sbin/iftop -PptBbNn -s 28795 -o destination >> /var/log/iftop/$(date +%F)_iftop.log + diff --git a/ligalytics/meemaw/admin/logwatch.sh b/ligalytics/meemaw/admin/logwatch.sh new file mode 100755 index 0000000..02c72a9 --- /dev/null +++ b/ligalytics/meemaw/admin/logwatch.sh @@ -0,0 +1,5 @@ +#!/bin/bash +#/usr/sbin/logwatch --detail high --range yesterday --format html --filename /var/log/logwatch/$(date -d "yesterday" +%F)_logwatch.html +/usr/sbin/logwatch --detail high --range yesterday --format html --mailto m.dahmen@asolvo.de +/usr/sbin/logwatch --detail high --range yesterday --format html --mailto m.dahmen@asolvo.de --filename /var/log/logwatch/$(date -d "yesterday" +%F)_logwatch.html +chmod 644 /var/log/logwatch/$(date -d "yesterday" +%F)_logwatch.html diff --git a/ligalytics/meemaw/admin/nettraf.sh b/ligalytics/meemaw/admin/nettraf.sh new file mode 100755 index 0000000..118ccb0 --- /dev/null +++ b/ligalytics/meemaw/admin/nettraf.sh @@ -0,0 +1,24 @@ +#!/bin/bash + + + +#file1="/var/log/logwatch/$(ls -1r /var/log/logwatch/ | head -1)" +#file2="/var/log/iftop/$(ls -1r /var/log/iftop/ | head -1)" +#file3="/var/log/vnstat/$(ls -1r /var/log/vnstat/ | head -1)" + +file1="/var/log/logwatch/$(date -d "yesterday" +%F)_logwatch.html" +file2="/var/log/iftop/$(date -d "yesterday" +%F)_iftop.log" +file3="/var/log/vnstat/$(date -d "yesterday" +%F)_vnstat.json" +file4="/var/log/ipfm/$(date -d "yesterday" +%F)_ipfm.log" + +mkdir /var/log/nettraf/tmp +cp $file1 /var/log/nettraf/tmp +cp $file2 /var/log/nettraf/tmp +cp $file3 /var/log/nettraf/tmp +cp $file4 /var/log/nettraf/tmp + +cd /var/log/nettraf/tmp +tar -czvf /var/log/nettraf/$(date +%Y_%m_%d_%H_%M)_summary.tar.gz -P * +cd /var/log/nettraf +rm -rf tmp + diff --git a/ligalytics/meemaw/admin/vnstat.sh b/ligalytics/meemaw/admin/vnstat.sh new file mode 100755 index 0000000..eca5b23 --- /dev/null +++ b/ligalytics/meemaw/admin/vnstat.sh @@ -0,0 +1,3 @@ +#!/bin/bash +/usr/bin/vnstat --json >> /var/log/vnstat/$(date +%F)_vnstat.json + diff --git a/ligalytics/meemaw/etc/fail2ban/jail.local b/ligalytics/meemaw/etc/fail2ban/jail.local new file mode 100644 index 0000000..00ad467 --- /dev/null +++ b/ligalytics/meemaw/etc/fail2ban/jail.local @@ -0,0 +1,890 @@ +# +# WARNING: heavily refactored in 0.9.0 release. Please review and +# customize settings for your setup. +# +# Changes: in most of the cases you should not modify this +# file, but provide customizations in jail.local file, +# or separate .conf files under jail.d/ directory, e.g.: +# +# HOW TO ACTIVATE JAILS: +# +# YOU SHOULD NOT MODIFY THIS FILE. +# +# It will probably be overwritten or improved in a distribution update. +# +# Provide customizations in a jail.local file or a jail.d/customisation.local. +# For example to change the default bantime for all jails and to enable the +# ssh-iptables jail the following (uncommented) would appear in the .local file. +# See man 5 jail.conf for details. +# +# [DEFAULT] +# bantime = 1h +# +# [sshd] +# enabled = true +# +# See jail.conf(5) man page for more information + + + +# Comments: use '#' for comment lines and ';' (following a space) for inline comments + + +[INCLUDES] + +#before = paths-distro.conf +before = paths-debian.conf + +# The DEFAULT allows a global definition of the options. They can be overridden +# in each jail afterwards. + +[DEFAULT] + +# +# MISCELLANEOUS OPTIONS +# + +# "ignorself" specifies whether the local resp. own IP addresses should be ignored +# (default is true). Fail2ban will not ban a host which matches such addresses. +#ignorself = true + +# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban +# will not ban a host which matches an address in this list. Several addresses +# can be defined using space (and/or comma) separator. +#ignoreip = 127.0.0.1/8 ::1 + +# External command that will take an tagged arguments to ignore, e.g. , +# and return true if the IP is to be ignored. False otherwise. +# +# ignorecommand = /path/to/command +ignorecommand = + +# "bantime" is the number of seconds that a host is banned. +bantime = 30m + +# A host is banned if it has generated "maxretry" during the last "findtime" +# seconds. +findtime = 10m + +# "maxretry" is the number of failures before a host get banned. +maxretry = 2 + +# "backend" specifies the backend used to get files modification. +# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto". +# This option can be overridden in each jail as well. +# +# pyinotify: requires pyinotify (a file alteration monitor) to be installed. +# If pyinotify is not installed, Fail2ban will use auto. +# gamin: requires Gamin (a file alteration monitor) to be installed. +# If Gamin is not installed, Fail2ban will use auto. +# polling: uses a polling algorithm which does not require external libraries. +# systemd: uses systemd python library to access the systemd journal. +# Specifying "logpath" is not valid for this backend. +# See "journalmatch" in the jails associated filter config +# auto: will try to use the following backends, in order: +# pyinotify, gamin, polling. +# +# Note: if systemd backend is chosen as the default but you enable a jail +# for which logs are present only in its own log files, specify some other +# backend for that jail (e.g. polling) and provide empty value for +# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200 +backend = auto + +# "usedns" specifies if jails should trust hostnames in logs, +# warn when DNS lookups are performed, or ignore all hostnames in logs +# +# yes: if a hostname is encountered, a DNS lookup will be performed. +# warn: if a hostname is encountered, a DNS lookup will be performed, +# but it will be logged as a warning. +# no: if a hostname is encountered, will not be used for banning, +# but it will be logged as info. +# raw: use raw value (no hostname), allow use it for no-host filters/actions (example user) +usedns = warn + +# "logencoding" specifies the encoding of the log files handled by the jail +# This is used to decode the lines from the log file. +# Typical examples: "ascii", "utf-8" +# +# auto: will use the system locale setting +logencoding = auto + +# "enabled" enables the jails. +# By default all jails are disabled, and it should stay this way. +# Enable only relevant to your setup jails in your .local or jail.d/*.conf +# +# true: jail will be enabled and log files will get monitored for changes +# false: jail is not enabled +enabled = false + + +# "mode" defines the mode of the filter (see corresponding filter implementation for more info). +mode = normal + +# "filter" defines the filter to use by the jail. +# By default jails have names matching their filter name +# +filter = %(__name__)s[mode=%(mode)s] + + +# +# ACTIONS +# + +# Some options used for actions + +# Destination email address used solely for the interpolations in +# jail.{conf,local,d/*} configuration files. +destemail = root@localhost + +# Sender email address used solely for some actions +sender = root@ + +# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the +# mailing. Change mta configuration parameter to mail if you want to +# revert to conventional 'mail'. +mta = sendmail + +# Default protocol +protocol = tcp + +# Specify chain where jumps would need to be added in ban-actions expecting parameter chain +chain = + +# Ports to be banned +# Usually should be overridden in a particular jail +port = 0:65535 + +# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3 +fail2ban_agent = Fail2Ban/%(fail2ban_version)s + +# +# Action shortcuts. To be used to define action parameter + +# Default banning action (e.g. iptables, iptables-new, +# iptables-multiport, shorewall, etc) It is used to define +# action_* variables. Can be overridden globally or per +# section within jail.local file +banaction = iptables-multiport +banaction_allports = iptables-allports + +# The simplest action to take: ban only +action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + +# ban & send an e-mail with whois report to the destemail. +action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] + +# ban & send an e-mail with whois report and relevant log lines +# to the destemail. +action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] + +# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action +# +# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines +# to the destemail. +action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"] + +# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines +# to the destemail. +action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] + %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] + +# Report block via blocklist.de fail2ban reporting service API +# +# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action. +# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation +# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey` +# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in +# corresponding jail.d/my-jail.local file). +# +action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"] + +# Report ban via badips.com, and use as blacklist +# +# See BadIPsAction docstring in config/action.d/badips.py for +# documentation for this action. +# +# NOTE: This action relies on banaction being present on start and therefore +# should be last action defined for a jail. +# +action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"] +# +# Report ban via badips.com (uses action.d/badips.conf for reporting only) +# +action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"] + +# Report ban via abuseipdb.com. +# +# See action.d/abuseipdb.conf for usage example and details. +# +action_abuseipdb = abuseipdb + +# Choose default action. To change, just override value of 'action' with the +# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local +# globally (section [DEFAULT]) or per specific section +action = %(action_)s + + +# +# JAILS +# + +# +# SSH servers +# + +[sshd] + +# To use more aggressive sshd modes set filter parameter "mode" in jail.local: +# normal (default), ddos, extra or aggressive (combines all). +# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details. +#mode = normal +port = ssh +logpath = %(sshd_log)s +backend = %(sshd_backend)s + + +[dropbear] + +port = ssh +logpath = %(dropbear_log)s +backend = %(dropbear_backend)s + + +[selinux-ssh] + +port = ssh +logpath = %(auditd_log)s + + +# +# HTTP servers +# + +[apache-auth] + +port = http,https +logpath = %(apache_error_log)s + + +[apache-badbots] +# Ban hosts which agent identifies spammer robots crawling the web +# for email addresses. The mail outputs are buffered. +port = http,https +logpath = %(apache_access_log)s +bantime = 48h +maxretry = 1 + + +[apache-noscript] + +port = http,https +logpath = %(apache_error_log)s + + +[apache-overflows] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 2 + + +[apache-nohome] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 2 + + +[apache-botsearch] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 2 + + +[apache-fakegooglebot] + +port = http,https +logpath = %(apache_access_log)s +maxretry = 1 +ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot + + +[apache-modsecurity] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 2 + + +[apache-shellshock] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 1 + + +[openhab-auth] + +filter = openhab +action = iptables-allports[name=NoAuthFailures] +logpath = /opt/openhab/logs/request.log + + +[nginx-http-auth] + +port = http,https +logpath = %(nginx_error_log)s + +# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` +# and define `limit_req` and `limit_req_zone` as described in nginx documentation +# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html +# or for example see in 'config/filter.d/nginx-limit-req.conf' +[nginx-limit-req] +port = http,https +logpath = %(nginx_error_log)s + +[nginx-botsearch] + +port = http,https +logpath = %(nginx_error_log)s +maxretry = 2 + + +# Ban attackers that try to use PHP's URL-fopen() functionality +# through GET/POST variables. - Experimental, with more than a year +# of usage in production environments. + +[php-url-fopen] + +port = http,https +logpath = %(nginx_access_log)s + %(apache_access_log)s + + +[suhosin] + +port = http,https +logpath = %(suhosin_log)s + + +[lighttpd-auth] +# Same as above for Apache's mod_auth +# It catches wrong authentifications +port = http,https +logpath = %(lighttpd_error_log)s + + +# +# Webmail and groupware servers +# + +[roundcube-auth] + +port = http,https +logpath = %(roundcube_errors_log)s +# Use following line in your jail.local if roundcube logs to journal. +#backend = %(syslog_backend)s + + +[openwebmail] + +port = http,https +logpath = /var/log/openwebmail.log + + +[horde] + +port = http,https +logpath = /var/log/horde/horde.log + + +[groupoffice] + +port = http,https +logpath = /home/groupoffice/log/info.log + + +[sogo-auth] +# Monitor SOGo groupware server +# without proxy this would be: +# port = 20000 +port = http,https +logpath = /var/log/sogo/sogo.log + + +[tine20] + +logpath = /var/log/tine20/tine20.log +port = http,https + + +# +# Web Applications +# +# + +[drupal-auth] + +port = http,https +logpath = %(syslog_daemon)s +backend = %(syslog_backend)s + +[guacamole] + +port = http,https +logpath = /var/log/tomcat*/catalina.out + +[monit] +#Ban clients brute-forcing the monit gui login +port = 2812 +logpath = /var/log/monit + + +[webmin-auth] + +port = 10000 +logpath = %(syslog_authpriv)s +backend = %(syslog_backend)s + + +[froxlor-auth] + +port = http,https +logpath = %(syslog_authpriv)s +backend = %(syslog_backend)s + + +# +# HTTP Proxy servers +# +# + +[squid] + +port = 80,443,3128,8080 +logpath = /var/log/squid/access.log + + +[3proxy] + +port = 3128 +logpath = /var/log/3proxy.log + + +# +# FTP servers +# + + +[proftpd] + +port = ftp,ftp-data,ftps,ftps-data +logpath = %(proftpd_log)s +backend = %(proftpd_backend)s + + +[pure-ftpd] + +port = ftp,ftp-data,ftps,ftps-data +logpath = %(pureftpd_log)s +backend = %(pureftpd_backend)s + + +[gssftpd] + +port = ftp,ftp-data,ftps,ftps-data +logpath = %(syslog_daemon)s +backend = %(syslog_backend)s + + +[wuftpd] + +port = ftp,ftp-data,ftps,ftps-data +logpath = %(wuftpd_log)s +backend = %(wuftpd_backend)s + + +[vsftpd] +# or overwrite it in jails.local to be +# logpath = %(syslog_authpriv)s +# if you want to rely on PAM failed login attempts +# vsftpd's failregex should match both of those formats +port = ftp,ftp-data,ftps,ftps-data +logpath = %(vsftpd_log)s + + +# +# Mail servers +# + +# ASSP SMTP Proxy Jail +[assp] + +port = smtp,465,submission +logpath = /root/path/to/assp/logs/maillog.txt + + +[courier-smtp] + +port = smtp,465,submission +logpath = %(syslog_mail)s +backend = %(syslog_backend)s + + +[postfix] +# To use another modes set filter parameter "mode" in jail.local: +mode = more +port = smtp,465,submission +logpath = %(postfix_log)s +backend = %(postfix_backend)s + + +[postfix-rbl] + +filter = postfix[mode=rbl] +port = smtp,465,submission +logpath = %(postfix_log)s +backend = %(postfix_backend)s +maxretry = 1 + + +[sendmail-auth] + +port = submission,465,smtp +logpath = %(syslog_mail)s +backend = %(syslog_backend)s + + +[sendmail-reject] +# To use more aggressive modes set filter parameter "mode" in jail.local: +# normal (default), extra or aggressive +# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details. +#mode = normal +port = smtp,465,submission +logpath = %(syslog_mail)s +backend = %(syslog_backend)s + + +[qmail-rbl] + +filter = qmail +port = smtp,465,submission +logpath = /service/qmail/log/main/current + + +# dovecot defaults to logging to the mail syslog facility +# but can be set by syslog_facility in the dovecot configuration. +[dovecot] + +port = pop3,pop3s,imap,imaps,submission,465,sieve +logpath = %(dovecot_log)s +backend = %(dovecot_backend)s + + +[sieve] + +port = smtp,465,submission +logpath = %(dovecot_log)s +backend = %(dovecot_backend)s + + +[solid-pop3d] + +port = pop3,pop3s +logpath = %(solidpop3d_log)s + + +[exim] +# see filter.d/exim.conf for further modes supported from filter: +#mode = normal +port = smtp,465,submission +logpath = %(exim_main_log)s + + +[exim-spam] + +port = smtp,465,submission +logpath = %(exim_main_log)s + + +[kerio] + +port = imap,smtp,imaps,465 +logpath = /opt/kerio/mailserver/store/logs/security.log + + +# +# Mail servers authenticators: might be used for smtp,ftp,imap servers, so +# all relevant ports get banned +# + +[courier-auth] + +port = smtp,465,submission,imap,imaps,pop3,pop3s +logpath = %(syslog_mail)s +backend = %(syslog_backend)s + + +[postfix-sasl] + +filter = postfix[mode=auth] +port = smtp,465,submission,imap,imaps,pop3,pop3s +# You might consider monitoring /var/log/mail.warn instead if you are +# running postfix since it would provide the same log lines at the +# "warn" level but overall at the smaller filesize. +logpath = %(postfix_log)s +backend = %(postfix_backend)s + + +[perdition] + +port = imap,imaps,pop3,pop3s +logpath = %(syslog_mail)s +backend = %(syslog_backend)s + + +[squirrelmail] + +port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks +logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log + + +[cyrus-imap] + +port = imap,imaps +logpath = %(syslog_mail)s +backend = %(syslog_backend)s + + +[uwimap-auth] + +port = imap,imaps +logpath = %(syslog_mail)s +backend = %(syslog_backend)s + + +# +# +# DNS servers +# + + +# !!! WARNING !!! +# Since UDP is connection-less protocol, spoofing of IP and imitation +# of illegal actions is way too simple. Thus enabling of this filter +# might provide an easy way for implementing a DoS against a chosen +# victim. See +# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html +# Please DO NOT USE this jail unless you know what you are doing. +# +# IMPORTANT: see filter.d/named-refused for instructions to enable logging +# This jail blocks UDP traffic for DNS requests. +# [named-refused-udp] +# +# filter = named-refused +# port = domain,953 +# protocol = udp +# logpath = /var/log/named/security.log + +# IMPORTANT: see filter.d/named-refused for instructions to enable logging +# This jail blocks TCP traffic for DNS requests. + +[named-refused] + +port = domain,953 +logpath = /var/log/named/security.log + + +[nsd] + +port = 53 +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] +logpath = /var/log/nsd.log + + +# +# Miscellaneous +# + +[asterisk] + +port = 5060,5061 +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] + %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] +logpath = /var/log/asterisk/messages +maxretry = 10 + + +[freeswitch] + +port = 5060,5061 +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] + %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] +logpath = /var/log/freeswitch.log +maxretry = 10 + + +# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or +# equivalent section: +# log-warning = 2 +# +# for syslog (daemon facility) +# [mysqld_safe] +# syslog +# +# for own logfile +# [mysqld] +# log-error=/var/log/mysqld.log +[mysqld-auth] + +port = 3306 +logpath = %(mysql_log)s +backend = %(mysql_backend)s + + +# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf') +[mongodb-auth] +# change port when running with "--shardsvr" or "--configsvr" runtime operation +port = 27017 +logpath = /var/log/mongodb/mongodb.log + + +# Jail for more extended banning of persistent abusers +# !!! WARNINGS !!! +# 1. Make sure that your loglevel specified in fail2ban.conf/.local +# is not at DEBUG level -- which might then cause fail2ban to fall into +# an infinite loop constantly feeding itself with non-informative lines +# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days) +# to maintain entries for failed logins for sufficient amount of time +[recidive] + +logpath = /var/log/fail2ban.log +banaction = %(banaction_allports)s +bantime = 1w +findtime = 1d + + +# Generic filter for PAM. Has to be used with action which bans all +# ports such as iptables-allports, shorewall + +[pam-generic] +# pam-generic filter can be customized to monitor specific subset of 'tty's +banaction = %(banaction_allports)s +logpath = %(syslog_authpriv)s +backend = %(syslog_backend)s + + +[xinetd-fail] + +banaction = iptables-multiport-log +logpath = %(syslog_daemon)s +backend = %(syslog_backend)s +maxretry = 2 + + +# stunnel - need to set port for this +[stunnel] + +logpath = /var/log/stunnel4/stunnel.log + + +[ejabberd-auth] + +port = 5222 +logpath = /var/log/ejabberd/ejabberd.log + + +[counter-strike] + +logpath = /opt/cstrike/logs/L[0-9]*.log +# Firewall: http://www.cstrike-planet.com/faq/6 +tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039 +udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015 +action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] + +# consider low maxretry and a long bantime +# nobody except your own Nagios server should ever probe nrpe +[nagios] + +logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility +backend = %(syslog_backend)s +maxretry = 1 + + +[oracleims] +# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above +logpath = /opt/sun/comms/messaging64/log/mail.log_current +banaction = %(banaction_allports)s + +[directadmin] +logpath = /var/log/directadmin/login.log +port = 2222 + +[portsentry] +logpath = /var/lib/portsentry/portsentry.history +maxretry = 1 + +[pass2allow-ftp] +# this pass2allow example allows FTP traffic after successful HTTP authentication +port = ftp,ftp-data,ftps,ftps-data +# knocking_url variable must be overridden to some secret value in jail.local +knocking_url = /knocking/ +filter = apache-pass[knocking_url="%(knocking_url)s"] +# access log of the website with HTTP auth +logpath = %(apache_access_log)s +blocktype = RETURN +returntype = DROP +action = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s] +bantime = 1h +maxretry = 1 +findtime = 1 + + +[murmur] +# AKA mumble-server +port = 64738 +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp] +logpath = /var/log/mumble-server/mumble-server.log + + +[screensharingd] +# For Mac OS Screen Sharing Service (VNC) +logpath = /var/log/system.log +logencoding = utf-8 + +[haproxy-http-auth] +# HAProxy by default doesn't log to file you'll need to set it up to forward +# logs to a syslog server which would then write them to disk. +# See "haproxy-http-auth" filter for a brief cautionary note when setting +# maxretry and findtime. +logpath = /var/log/haproxy.log + +[slapd] +port = ldap,ldaps +logpath = /var/log/slapd.log + +[domino-smtp] +port = smtp,ssmtp +logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log + +[phpmyadmin-syslog] +port = http,https +logpath = %(syslog_authpriv)s +backend = %(syslog_backend)s + + +[zoneminder] +# Zoneminder HTTP/HTTPS web interface auth +# Logs auth failures to apache2 error log +port = http,https +logpath = %(apache_error_log)s + diff --git a/ligalytics/meemaw/etc/nginx/nginx.conf b/ligalytics/meemaw/etc/nginx/nginx.conf new file mode 100644 index 0000000..b31f163 --- /dev/null +++ b/ligalytics/meemaw/etc/nginx/nginx.conf @@ -0,0 +1,84 @@ +user www-data; +worker_processes auto; +pid /run/nginx.pid; +include /etc/nginx/modules-enabled/*.conf; + +events { + worker_connections 768; + # multi_accept on; +} + +http { + + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + # server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # SSL Settings + ## + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on; + + ## + # Logging Settings + ## + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + ## + # Gzip Settings + ## + + gzip on; + + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + ## + # Virtual Host Configs + ## + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +} + + +#mail { +# # See sample authentication script at: +# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript +# +# # auth_http localhost/auth.php; +# # pop3_capabilities "TOP" "USER"; +# # imap_capabilities "IMAP4rev1" "UIDPLUS"; +# +# server { +# listen localhost:110; +# protocol pop3; +# proxy on; +# } +# +# server { +# listen localhost:143; +# protocol imap; +# proxy on; +# } +#} \ No newline at end of file diff --git a/ligalytics/meemaw/etc/nginx/sites-available/leagues-dev.conf b/ligalytics/meemaw/etc/nginx/sites-available/leagues-dev.conf new file mode 100644 index 0000000..4984731 --- /dev/null +++ b/ligalytics/meemaw/etc/nginx/sites-available/leagues-dev.conf @@ -0,0 +1,77 @@ +# server { + +# listen 44333 ssl default_server; +# listen [::]:44333 ssl default_server; + +# fastcgi_buffers 16 32k; +# fastcgi_buffer_size 64k; + +# client_max_body_size 48M; +# client_body_buffer_size 128k; + +# client_header_buffer_size 5120k; +# large_client_header_buffers 32 5120k; + + +# proxy_max_temp_file_size 0; +# proxy_buffering off; + +# proxy_read_timeout 300; +# proxy_send_timeout 300; +# proxy_connect_timeout 300; + +# fastcgi_read_timeout 300; +# fastcgi_send_timeout 300; +# fastcgi_connect_timeout 300; + +# #only works in nginx+ +# #set_cookie_flag HttpOnly Secure; +# proxy_cookie_path / "/; secure; HTTPOnly; SameSite=strict"; + + +# proxy_set_header X-Real-IP $remote_addr; + +# server_name stage.ligalytics.com; + + +# error_page 501 502 503 504 /maintenance.html; +# location /maintenance.html { +# root /var/www/html; +# } + + +# location = /favicon.ico { +# access_log off; log_not_found off; +# } + +# location /media { +# #autoindex on; +# alias /home/django/dev/data/media/; +# } + + +# location /static/ { +# root /home/django/; +# } +# location / { +# proxy_set_header Host $http_host; +# proxy_pass http://unix:/home/django/dev/leagues.sock; +# proxy_set_header REMOTE_ADDR $remote_addr; +# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + +# proxy_read_timeout 3600; +# proxy_intercept_errors on; +# } + + +# location ^~ /.well-known { +# root /home/django/dev; +# allow all; +# } + + +# include snippets/ssl-ligalytics.conf; +# include snippets/ssl-params.conf; + + +# } \ No newline at end of file diff --git a/ligalytics/meemaw/etc/nginx/sites-available/leagues.conf b/ligalytics/meemaw/etc/nginx/sites-available/leagues.conf new file mode 100644 index 0000000..2869813 --- /dev/null +++ b/ligalytics/meemaw/etc/nginx/sites-available/leagues.conf @@ -0,0 +1,92 @@ +server { + + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + + fastcgi_buffers 16 32k; + fastcgi_buffer_size 64k; + + client_max_body_size 48M; + client_body_buffer_size 128k; + + client_header_buffer_size 5120k; + large_client_header_buffers 32 5120k; + + + proxy_max_temp_file_size 0; + proxy_buffering off; + + proxy_read_timeout 300; + proxy_send_timeout 300; + proxy_connect_timeout 300; + + fastcgi_read_timeout 300; + fastcgi_send_timeout 300; + fastcgi_connect_timeout 300; + + #only works in nginx+ + #set_cookie_flag HttpOnly Secure; + proxy_cookie_path / "/; secure; HTTPOnly; SameSite=strict"; + + + proxy_set_header X-Real-IP $remote_addr; + + server_name stage.ligalytics.com; + + + error_page 501 502 503 504 /maintenance.html; + location /maintenance.html { + root /var/www/html; + } + + + location = /favicon.ico { + access_log off; log_not_found off; + } + + location /media { + #autoindex on; + alias /home/django/prod/data/media; + } + + + location /static/ { + root /home/django/; + } + location / { + proxy_set_header Host $http_host; + proxy_pass http://unix:/home/django/prod/leagues.sock; + proxy_set_header REMOTE_ADDR $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_read_timeout 3600; + proxy_intercept_errors on; + } + + + location ^~ /.well-known { + root /home/django/prod; + allow all; + } + + + location = /_csp { + access_log /var/log/nginx/csp.log CSP; + proxy_pass http://127.0.0.1/_csp_response; + } + + + include snippets/ssl-ligalytics.conf; + include snippets/ssl-params.conf; + + +} + + +server { + listen 81; + location /metrics { + stub_status on; + } +} + diff --git a/ligalytics/meemaw/etc/nginx/snippets/ssl-params.conf b/ligalytics/meemaw/etc/nginx/snippets/ssl-params.conf new file mode 100644 index 0000000..c00b3da --- /dev/null +++ b/ligalytics/meemaw/etc/nginx/snippets/ssl-params.conf @@ -0,0 +1,23 @@ +ssl_protocols TLSv1.2 TLSv1.3; +ssl_prefer_server_ciphers on; +ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; +ssl_ecdh_curve secp384r1; +ssl_session_cache shared:SSL:10m; +ssl_session_timeout 1d; +ssl_session_tickets off; +ssl_stapling on; +ssl_stapling_verify on; +resolver 8.8.8.8 8.8.4.4 valid=300s; +resolver_timeout 5s; + +# Disable preloading HSTS for now. You can use the commented out header line that includes +# the "preload" directive if you understand the implications. +# add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; +#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains"; +add_header X-Frame-Options DENY; +add_header X-Content-Type-Options nosniff; +add_header X-XSS-Protection "1; mode=block" always; + +add_header Content-Security-Policy "frame-ancestors none; object-src 'none'; form-action 'self'; base-uri 'self'; report-uri https://optimization.ligalytics.com/_csp;"; + +#add_header Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' data:; style-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; 'unsafe-inline'; font-src 'self' data:; frame-src 'self'; connect-src 'self' https://apis.google.com; object-src 'none'; frame-ancestors none; "; diff --git a/ligalytics/meemaw/etc/ssh/sshd_config b/ligalytics/meemaw/etc/ssh/sshd_config new file mode 100644 index 0000000..e58fc69 --- /dev/null +++ b/ligalytics/meemaw/etc/ssh/sshd_config @@ -0,0 +1,138 @@ +# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none + +# Logging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +#PermitRootLogin prohibit-password +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +PubkeyAuthentication yes + +# Expect .ssh/authorized_keys2 to be disregarded by default in future. +AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +#PasswordAuthentication yes +#PermitEmptyPasswords no + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes +#GSSAPIKeyExchange no + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +# override default of no subsystems +#Subsystem sftp /usr/lib/openssh/sftp-server + + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server +PasswordAuthentication yes + + +#Subsystem sftp internal-sftp + +#Match user dumpy +#ForceCommand internal-sftp +#ChrootDirectory /home/dumpy + +subsystem sftp internal-sftp +Match User dumpy +ChrootDirectory %h +AllowTCPForwarding no +X11Forwarding no +ForceCommand internal-sftp \ No newline at end of file diff --git a/ligalytics/meemaw/etc/supervisor/conf.d/celery.conf b/ligalytics/meemaw/etc/supervisor/conf.d/celery.conf new file mode 100644 index 0000000..62cf080 --- /dev/null +++ b/ligalytics/meemaw/etc/supervisor/conf.d/celery.conf @@ -0,0 +1,52 @@ +; ================================== +; celery worker supervisor example +; ================================== + +; the name of your supervisord program +[program:celery] + +; Set full path to celery program if using virtualenv +command=/var/www/leagues/venv/bin/celery worker -A leagues --loglevel=INFO + +; The directory to your Django project +directory=/var/www/leagues/ + +; If supervisord is run as the root user, switch users to this UNIX user account +; before doing any processing. +user=root + +; Supervisor will start as many instances of this program as named by numprocs +numprocs=1 + +; Put process stdout output in this file +stdout_logfile=/var/log/celery/celery.log + +; Put process stderr output in this file +stderr_logfile=/var/log/celery/celery_error.log + +; If true, this program will start automatically when supervisord is started +autostart=true + +; May be one of false, unexpected, or true. If false, the process will never +; be autorestarted. If unexpected, the process will be restart when the program +; exits with an exit code that is not one of the exit codes associated with this +; process’ configuration (see exitcodes). If true, the process will be +; unconditionally restarted when it exits, without regard to its exit code. +autorestart=true + +; The total number of seconds which the program needs to stay running after +; a startup to consider the start successful. +startsecs=10 + +; Need to wait for currently executing tasks to finish at shutdown. +; Increase this if you have very long running tasks. +stopwaitsecs = 600 + +; When resorting to send SIGKILL to the program to terminate it +; send SIGKILL to its whole process group instead, +; taking care of its children as well. +killasgroup=true + +; if your broker is supervised, set its priority higher +; so it starts first +priority=998 diff --git a/ligalytics/meemaw/etc/supervisor/conf.d/flower.conf b/ligalytics/meemaw/etc/supervisor/conf.d/flower.conf new file mode 100644 index 0000000..640ee43 --- /dev/null +++ b/ligalytics/meemaw/etc/supervisor/conf.d/flower.conf @@ -0,0 +1,52 @@ +; ================================== +; celery flower supervisor example +; ================================== + +; the name of your supervisord program +[program:flower] + +; Set full path to celery program if using virtualenv +command=/var/www/leagues/venv/bin/celery flower -A leagues --loglevel=INFO --url_prefix=flower --basic_auth=4w3s0m3usr:4w3s0m3pwd + +; The directory to your Django projeict +directory=/var/www/leagues/ + +; If supervisord is run as the root user, switch users to this UNIX user account +; before doing any processing. +user=root + +; Supervisor will start as many instances of this program as named by numprocs +numprocs=1 + +; Put process stdout output in this file +stdout_logfile=/var/log/celery/flower.log + +; Put process stderr output in this file +stderr_logfile=/var/log/celery/flower_error.log + +; If true, this program will start automatically when supervisord is started +autostart=true + +; May be one of false, unexpected, or true. If false, the process will never +; be autorestarted. If unexpected, the process will be restart when the program +; exits with an exit code that is not one of the exit codes associated with this +; process’ configuration (see exitcodes). If true, the process will be +; unconditionally restarted when it exits, without regard to its exit code. +autorestart=true + +; The total number of seconds which the program needs to stay running after +; a startup to consider the start successful. +startsecs=10 + +; Need to wait for currently executing tasks to finish at shutdown. +; Increase this if you have very long running tasks. +stopwaitsecs = 600 + +; When resorting to send SIGKILL to the program to terminate it +; send SIGKILL to its whole process group instead, +; taking care of its children as well. +killasgroup=true + +; if your broker is supervised, set its priority higher +; so it starts first +priority=998 diff --git a/ligalytics/meemaw/etc/supervisor/conf.d/gunicorn.conf b/ligalytics/meemaw/etc/supervisor/conf.d/gunicorn.conf new file mode 100644 index 0000000..967b138 --- /dev/null +++ b/ligalytics/meemaw/etc/supervisor/conf.d/gunicorn.conf @@ -0,0 +1,14 @@ +[program:gunicorn] +directory=/var/www/leagues/ +command=/var/www/leagues/venv/bin/gunicorn --log-level=debug --limit-request-line 0 --limit-request-field_size 0 --graceful-timeout 1200 --timeout 1200 --workers 3 --bind unix:/var/www/leagues/leagues.sock leagues.wsgi:application +autostart=true +autorestart=true +#stderr_logfile=/var/log/gunicorn/gunicorn.out.log +#stdout_logfile=/var/log/gunicorn/gunicorn.err.log +stderr_logfile=/var/log/gunicorn/gunicorn.verbose.log +stdout_logfile=/var/log/gunicorn/gunicorn.verbose.log +user=root +group=www-data +environment=LANG=en_US.UTF-8,LC_ALL=en_US.UTF-8 +[group:guni] +programs:gunicorn diff --git a/ligalytics/meemaw/etc/supervisor/supervisord.conf b/ligalytics/meemaw/etc/supervisor/supervisord.conf new file mode 100644 index 0000000..afead15 --- /dev/null +++ b/ligalytics/meemaw/etc/supervisor/supervisord.conf @@ -0,0 +1,28 @@ +; supervisor config file + +[unix_http_server] +file=/var/run/supervisor.sock ; (the path to the socket file) +chmod=0700 ; sockef file mode (default 0700) + +[supervisord] +logfile=/var/log/supervisor/supervisord.log ; (main log file;default $CWD/supervisord.log) +pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid) +childlogdir=/var/log/supervisor ; ('AUTO' child log dir, default $TEMP) + +; the below section must remain in the config file for RPC +; (supervisorctl/web interface) to work, additional interfaces may be +; added by defining them in separate rpcinterface: sections +[rpcinterface:supervisor] +supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface + +[supervisorctl] +serverurl=unix:///var/run/supervisor.sock ; use a unix:// URL for a unix socket + +; The [include] section can just contain the "files" setting. This +; setting can list multiple files (separated by whitespace or +; newlines). It can also contain wildcards. The filenames are +; interpreted as relative to this file. Included files *cannot* +; include files themselves. + +[include] +files = /etc/supervisor/conf.d/*.conf diff --git a/ligalytics/proxy/etc/nginx/sites-available/accounting.conf b/ligalytics/proxy/etc/nginx/sites-available/accounting.conf new file mode 100644 index 0000000..040ee6f --- /dev/null +++ b/ligalytics/proxy/etc/nginx/sites-available/accounting.conf @@ -0,0 +1,35 @@ +server { + server_name accounting.asolvo.de; + location = /robots.txt { + add_header Content-Type text/plain; + return 200 "User-agent: *\nDisallow: /\n"; + } + #SSL configuration + listen 443 ssl http2; + listen [::]:443 ssl http2; + #include snippets/letsencrypt.conf; + include snippets/ssl-params.conf; + proxy_set_header X-Forwarded-For $remote_addr; + fastcgi_buffers 16 32k; + fastcgi_buffer_size 64k; + client_max_body_size 48M; + client_body_buffer_size 128k; + client_header_buffer_size 5120k; + large_client_header_buffers 32 5120k; + proxy_max_temp_file_size 0; + proxy_buffering off; + #only works in nginx+ + #set_cookie_flag HttpOnly Secure; + #proxy_cookie_path / "/; secure; HTTPOnly; SameSite=strict"; + location / { + proxy_pass http://localhost:5000; + proxy_intercept_errors on; + error_page 404 502 503 504 = @fallback; + } + location @fallback { + root /var/www/html; + index maintenance.html; + } + ssl_certificate /etc/letsencrypt/live/accounting.asolvo.de/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/accounting.asolvo.de/privkey.pem; # managed by Certbot +} diff --git a/ligalytics/proxy/etc/nginx/sites-available/bernie.conf b/ligalytics/proxy/etc/nginx/sites-available/bernie.conf new file mode 100644 index 0000000..412a4c2 --- /dev/null +++ b/ligalytics/proxy/etc/nginx/sites-available/bernie.conf @@ -0,0 +1,94 @@ + +server { + # server_name compute.asolvo.de; + server_name optimization.ligalytics.com; + location = /robots.txt { + add_header Content-Type text/plain; + return 200 "User-agent: *\nDisallow: /\n"; + } + #SSL configuration + listen 443 ssl http2; + listen [::]:443 ssl http2; + include snippets/ssl-params.conf; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + fastcgi_buffers 16 32k; + fastcgi_buffer_size 64k; + client_max_body_size 48M; + client_body_buffer_size 128k; + client_header_buffer_size 5120k; + large_client_header_buffers 32 5120k; + proxy_max_temp_file_size 0; + proxy_buffering off; + location / { + proxy_pass http://bernie/; + proxy_set_header HOST optimization.ligalytics.com; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + proxy_intercept_errors on; + proxy_connect_timeout 5; + proxy_read_timeout 240; + error_page 404 502 503 504 = @fallback; + } + location /flower/ { + #rewrite ^/flower/(.*)$ /$1 break; + proxy_pass http://bernie:5555; + proxy_set_header Host $host; + proxy_redirect off; + } + location @fallback { + root /var/www/html; + index maintenance.html; + } +ssl_certificate /etc/letsencrypt/live/optimization.ligalytics.com/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/optimization.ligalytics.com/privkey.pem; # managed by Certbot +} + +server { + server_name team.ligalytics.com; + listen 443; + #rewrite ^/singleteam(.*)$ $1 last; + location = /robots.txt { + add_header Content-Type text/plain; + return 200 "User-agent: *\nDisallow: /\n"; + } + error_page 400 401 402 403 404 500 501 502 503 504 /maintenance.html; + location /maintenance.html { + root /var/www/html; + } + location / { + proxy_pass http://bernie/; + #rewrite ^/singleteam(.*)$ $1 break; + proxy_intercept_errors on; + proxy_set_header Host team.ligalytics.com; + proxy_set_header X-Real-IP $remote_addr; + proxy_connect_timeout 5; + proxy_read_timeout 240; + #root /var/www/html; + #index maintenance.html; + } + ssl_certificate /etc/letsencrypt/live/team.ligalytics.com/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/team.ligalytics.com/privkey.pem; # managed by Certbot +} + + +server { + server_name club.ligalytics.com; + error_page 400 401 402 403 404 500 501 502 503 504 /maintenance.html; + location /maintenance.html { + root /var/www/html; + } + listen 443; + location / { + proxy_pass http://bernie/; + proxy_intercept_errors on; + proxy_set_header HOST club.ligalytics.com; + proxy_set_header X-Real-IP $remote_addr; + proxy_connect_timeout 5; + proxy_read_timeout 240; + #root /var/www/html; + #index maintenance.html; + } + ssl_certificate /etc/letsencrypt/live/club.ligalytics.com/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/club.ligalytics.com/privkey.pem; # managed by Certbot +} diff --git a/ligalytics/proxy/etc/nginx/sites-available/cloud.conf b/ligalytics/proxy/etc/nginx/sites-available/cloud.conf new file mode 100644 index 0000000..65702b0 --- /dev/null +++ b/ligalytics/proxy/etc/nginx/sites-available/cloud.conf @@ -0,0 +1,65 @@ +server { + server_name cloud.asolvo.de; + location = /robots.txt { + add_header Content-Type text/plain; + return 200 "User-agent: *\nDisallow: /\n"; + } + #SSL configuration + listen 443 ssl http2; + listen [::]:443 ssl http2; + #include snippets/letsencrypt.conf; + include snippets/ssl-params.conf; + proxy_set_header X-Forwarded-For $remote_addr; + fastcgi_buffers 16 32k; + fastcgi_buffer_size 64k; + client_max_body_size 48M; + client_body_buffer_size 128k; + client_header_buffer_size 5120k; + large_client_header_buffers 32 5120k; + proxy_max_temp_file_size 0; + proxy_buffering off; + #only works in nginx+ + #set_cookie_flag HttpOnly Secure; + #proxy_cookie_path / "/; secure; HTTPOnly; SameSite=strict"; + location / { + proxy_pass http://127.0.0.1:8000; + proxy_set_header host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $server_name; + proxy_read_timeout 1200s; + #Used for view/edit office file via Office Online Server + client_max_body_size 0; + access_log /var/log/nginx/seahub.access.log; + error_log /var/log/nginx/seahub.error.log; + } + location /seafhttp { + rewrite ^/seafhttp(.*)$ $1 break; + proxy_pass http://127.0.0.1:8082; + client_max_body_size 0; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Real-IP $remote_addr; + proxy_connect_timeout 36000s; + proxy_read_timeout 36000s; + proxy_send_timeout 36000s; + send_timeout 36000s; + } + location /media { + root /home/seafile/seafile-server-latest/seahub; + } + #location /flower/ { + # proxy_pass http://192.168.178.21:5555; + #} + #location / { + # proxy_pass https://meemaw/; + # proxy_intercept_errors on; + # error_page 404 502 503 504 = @fallback; + #} + location @fallback { + root /var/www/html; + index maintenance.html; + } + ssl_certificate /etc/letsencrypt/live/cloud.asolvo.de/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/cloud.asolvo.de/privkey.pem; # managed by Certbot +} + diff --git a/ligalytics/proxy/etc/nginx/sites-available/git.conf b/ligalytics/proxy/etc/nginx/sites-available/git.conf new file mode 100644 index 0000000..d430ee7 --- /dev/null +++ b/ligalytics/proxy/etc/nginx/sites-available/git.conf @@ -0,0 +1,32 @@ +server { + server_name git.asolvo.de; + location = /robots.txt { + add_header Content-Type text/plain; + return 200 "User-agent: *\nDisallow: /\n"; + } + #SSL configuration + listen 443 ssl http2; + listen [::]:443 ssl http2; + include snippets/ssl-params.conf; + proxy_set_header X-Forwarded-For $remote_addr; + fastcgi_buffers 16 32k; + fastcgi_buffer_size 64k; + client_max_body_size 48M; + client_body_buffer_size 128k; + client_header_buffer_size 5120k; + large_client_header_buffers 32 5120k; + proxy_max_temp_file_size 0; + proxy_buffering off; + proxy_set_header X-Forwarded-For $remote_addr; + location / { + proxy_pass http://127.0.0.1:3000/; + proxy_intercept_errors on; + error_page 404 502 503 504 = @fallback; + } + location @fallback { + root /var/www/html; + index maintenance.html; + } + ssl_certificate /etc/letsencrypt/live/git.asolvo.de/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/git.asolvo.de/privkey.pem; # managed by Certbot +} diff --git a/ligalytics/proxy/etc/nginx/sites-available/grafana.conf b/ligalytics/proxy/etc/nginx/sites-available/grafana.conf new file mode 100644 index 0000000..af72115 --- /dev/null +++ b/ligalytics/proxy/etc/nginx/sites-available/grafana.conf @@ -0,0 +1,28 @@ +server { + server_name monitor.asolvo.de; + location = /robots.txt { + add_header Content-Type text/plain; + return 200 "User-agent: *\nDisallow: /\n"; + } + #SSL configuration + listen 443 ssl http2; + listen [::]:443 ssl http2; + include snippets/ssl-params.conf; + #proxy_set_header X-Forwarded-For $remote_addr; + fastcgi_buffers 16 32k; + fastcgi_buffer_size 64k; + client_max_body_size 48M; + client_body_buffer_size 128k; + client_header_buffer_size 5120k; + large_client_header_buffers 32 5120k; + proxy_max_temp_file_size 0; + proxy_buffering off; + #proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Host $http_host; + location / { + proxy_pass http://localhost:3030/; + } + ssl_certificate /etc/letsencrypt/live/monitor.asolvo.de/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/monitor.asolvo.de/privkey.pem; # managed by Certbot +} + diff --git a/ligalytics/proxy/etc/nginx/sites-available/main.conf b/ligalytics/proxy/etc/nginx/sites-available/main.conf new file mode 100644 index 0000000..c99ecc3 --- /dev/null +++ b/ligalytics/proxy/etc/nginx/sites-available/main.conf @@ -0,0 +1,11 @@ +server { + listen 80; + rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https + server_tokens off; + + + location = /robots.txt { + add_header Content-Type text/plain; + return 200 "User-agent: *\nDisallow: /\n"; + } +} diff --git a/ligalytics/proxy/etc/nginx/sites-available/optimization.conf b/ligalytics/proxy/etc/nginx/sites-available/optimization.conf new file mode 100644 index 0000000..4f71f0e --- /dev/null +++ b/ligalytics/proxy/etc/nginx/sites-available/optimization.conf @@ -0,0 +1,112 @@ +# server { +# server_name team.ligalytics.com; +# listen 443; +# #rewrite ^/singleteam(.*)$ $1 last; +# location = /robots.txt { +# add_header Content-Type text/plain; +# return 200 "User-agent: *\nDisallow: /\n"; +# } +# error_page 400 401 402 403 404 500 501 502 503 504 /maintenance.html; +# location /maintenance.html { +# root /var/www/html; +# } +# location / { +# proxy_pass https://meemaw/; +# #rewrite ^/singleteam(.*)$ $1 break; +# proxy_intercept_errors on; +# proxy_set_header Host team.ligalytics.com; +# proxy_set_header X-Real-IP $remote_addr; +# proxy_connect_timeout 5; +# proxy_read_timeout 240; +# #root /var/www/html; +# #index maintenance.html; +# } +# ssl_certificate /etc/letsencrypt/live/team.ligalytics.com/fullchain.pem; # managed by Certbot +# ssl_certificate_key /etc/letsencrypt/live/team.ligalytics.com/privkey.pem; # managed by Certbot +# } + + +# server { +# server_name club.ligalytics.com; +# error_page 400 401 402 403 404 500 501 502 503 504 /maintenance.html; +# location /maintenance.html { +# root /var/www/html; +# } +# listen 443; +# location / { +# proxy_pass https://meemaw/; +# proxy_intercept_errors on; +# proxy_set_header HOST club.ligalytics.com; +# proxy_set_header X-Real-IP $remote_addr; +# proxy_connect_timeout 5; +# proxy_read_timeout 240; +# #root /var/www/html; +# #index maintenance.html; +# } +# ssl_certificate /etc/letsencrypt/live/club.ligalytics.com/fullchain.pem; # managed by Certbot +# ssl_certificate_key /etc/letsencrypt/live/club.ligalytics.com/privkey.pem; # managed by Certbot +# } + + +# server { +# server_name stage.ligalytics.com; +# error_page 402 403 501 502 503 504 /maintenance.html; +# location /maintenance.html { +# root /var/www/html; +# } +# location = /robots.txt { +# add_header Content-Type text/plain; +# return 200 "User-agent: *\nDisallow: /\n"; +# } +# #SSL configuration +# listen 443 ssl http2 default_server; +# listen [::]:443 ssl http2 default_server; +# include snippets/letsencrypt.conf; +# include snippets/ssl-params.conf; +# proxy_set_header X-Forwarded-For $remote_addr; +# proxy_set_header X-Real-IP $remote_addr; +# fastcgi_buffers 16 32k; +# fastcgi_buffer_size 64k; +# client_max_body_size 48M; +# client_body_buffer_size 128k; +# client_header_buffer_size 5120k; +# large_client_header_buffers 32 5120k; +# proxy_max_temp_file_size 0; +# proxy_buffering off; +# proxy_read_timeout 300; +# proxy_send_timeout 300; +# proxy_connect_timeout 300; +# fastcgi_read_timeout 300; +# fastcgi_send_timeout 300; +# fastcgi_connect_timeout 300; +# error_page 402 403 501 502 503 504 = @fallback; +# #only works in nginx+ +# #set_cookie_flag HttpOnly Secure; +# #proxy_cookie_path / "/; secure; HTTPOnly; SameSite=strict"; +# location / { +# proxy_pass https://meemaw/; +# proxy_set_header HOST stage.ligalytics.com; +# proxy_set_header X-Forwarded-For $remote_addr; +# proxy_set_header X-Real-IP $remote_addr; +# proxy_intercept_errors on; +# proxy_connect_timeout 5; +# proxy_read_timeout 240; +# #root /var/www/html; +# #index maintenance.html; +# } +# location /flower/ { +# #rewrite ^/flower/(.*)$ /$1 break; +# proxy_pass http://192.168.178.21:5555; +# proxy_set_header Host $host; +# proxy_redirect off; +# } +# location @fallback { +# root /var/www/html; +# index /var/www/html/maintenance.html; +# } + +# ssl_certificate /etc/letsencrypt/live/stage.ligalytics.com/fullchain.pem; # managed by Certbot +# ssl_certificate_key /etc/letsencrypt/live/stage.ligalytics.com/privkey.pem; # managed by Certbot + +# } + diff --git a/ligalytics/proxy/etc/nginx/sites-available/stage.conf b/ligalytics/proxy/etc/nginx/sites-available/stage.conf new file mode 100644 index 0000000..863371c --- /dev/null +++ b/ligalytics/proxy/etc/nginx/sites-available/stage.conf @@ -0,0 +1,76 @@ +server { + server_name stage.ligalytics.com; + error_page 400 401 402 403 404 500 501 502 503 504 /maintenance.html; + location /maintenance.html { + root /var/www/html; + } + location = /robots.txt { + add_header Content-Type text/plain; + return 200 "User-agent: *\nDisallow: /\n"; + } + #SSL configuration + listen 443 ssl http2; + listen [::]:443 ssl http2; + #include snippets/letsencrypt.conf; + #include snippets/ssl-params.conf; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + fastcgi_buffers 16 32k; + fastcgi_buffer_size 64k; + client_max_body_size 48M; + client_body_buffer_size 128k; + client_header_buffer_size 5120k; + large_client_header_buffers 32 5120k; + proxy_read_timeout 300; + proxy_send_timeout 300; + proxy_connect_timeout 300; + fastcgi_read_timeout 300; + fastcgi_send_timeout 300; + fastcgi_connect_timeout 300; + proxy_max_temp_file_size 0; + proxy_buffering off; + #only works in nginx+ + #set_cookie_flag HttpOnly Secure; + #proxy_cookie_path / "/; secure; HTTPOnly; SameSite=strict"; + location / { + proxy_pass http://bernie:8000; + #proxy_intercept_errors on; + #error_page 404 502 503 504 = @fallback; + #root /var/www/html; + #index maintenance.html; + } + location @fallback { + root /var/www/html; + index maintenance.html; + } + ssl_certificate /etc/letsencrypt/live/stage.ligalytics.com/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/stage.ligalytics.com/privkey.pem; # managed by Certbot +} + + +# server { +# server_name api.ligalytics.com; +# listen 443; +# #rewrite ^/singleteam(.*)$ $1 last; +# location = /robots.txt { +# add_header Content-Type text/plain; +# return 200 "User-agent: *\nDisallow: /\n"; +# } +# error_page 400 401 402 403 404 500 501 502 503 504 /maintenance.html; +# location /maintenance.html { +# root /var/www/html; +# } +# location / { +# proxy_pass https://meemaw:44333/; +# #rewrite ^/singleteam(.*)$ $1 break; +# proxy_intercept_errors on; +# proxy_set_header Host api.ligalytics.com; +# proxy_set_header X-Real-IP $remote_addr; +# proxy_connect_timeout 5; +# proxy_read_timeout 240; +# #root /var/www/html; +# #index maintenance.html; +# } +# ssl_certificate /etc/letsencrypt/live/api.ligalytics.com/fullchain.pem; # managed by Certbot +# ssl_certificate_key /etc/letsencrypt/live/api.ligalytics.com/privkey.pem; # managed by Certbot +# } diff --git a/ligalytics/proxy/etc/nginx/snippets/ssl-params.conf b/ligalytics/proxy/etc/nginx/snippets/ssl-params.conf new file mode 100644 index 0000000..21876cd --- /dev/null +++ b/ligalytics/proxy/etc/nginx/snippets/ssl-params.conf @@ -0,0 +1,20 @@ +ssl_protocols TLSv1.2 TLSv1.3; +ssl_prefer_server_ciphers on; +ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; +ssl_ecdh_curve secp384r1; +ssl_session_cache shared:SSL:10m; +ssl_session_tickets off; +ssl_stapling on; +ssl_stapling_verify on; +resolver 8.8.8.8 8.8.4.4 valid=300s; +resolver_timeout 5s; + +# Disable preloading HSTS for now. You can use the commented out header line that includes +# the "preload" directive if you understand the implications. +#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; +add_header Strict-Transport-Security "max-age=63072000; includeSubdomains"; +add_header X-Frame-Options DENY; +add_header X-Content-Type-Options nosniff; + +ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + diff --git a/ligalytics/proxy/seafile/conf/ccnet.conf b/ligalytics/proxy/seafile/conf/ccnet.conf new file mode 100644 index 0000000..ebf3493 --- /dev/null +++ b/ligalytics/proxy/seafile/conf/ccnet.conf @@ -0,0 +1,12 @@ +[General] +SERVICE_URL = https://cloud.asolvo.de + +[Database] +ENGINE = mysql +HOST = 127.0.0.1 +PORT = 3306 +USER = seafile +PASSWD = 4w3s0m3pwd +DB = ccnet-db +CONNECTION_CHARSET = utf8 + diff --git a/ligalytics/proxy/seafile/conf/gunicorn.conf.py b/ligalytics/proxy/seafile/conf/gunicorn.conf.py new file mode 100644 index 0000000..3fcc027 --- /dev/null +++ b/ligalytics/proxy/seafile/conf/gunicorn.conf.py @@ -0,0 +1,17 @@ + +import os + +daemon = True +workers = 5 + +# default localhost:8000 +bind = "127.0.0.1:8000" + +# Pid +pids_dir = '/home/seafile/pids' +pidfile = os.path.join(pids_dir, 'seahub.pid') + +# for file upload, we need a longer timeout value (default is only 30s, too short) +timeout = 1200 + +limit_request_line = 8190 diff --git a/ligalytics/proxy/seafile/conf/seafdav.conf b/ligalytics/proxy/seafile/conf/seafdav.conf new file mode 100644 index 0000000..75cd392 --- /dev/null +++ b/ligalytics/proxy/seafile/conf/seafdav.conf @@ -0,0 +1,6 @@ + +[WEBDAV] +enabled = false +port = 8080 +fastcgi = false +share_name = / diff --git a/ligalytics/proxy/seafile/conf/seafile.conf b/ligalytics/proxy/seafile/conf/seafile.conf new file mode 100644 index 0000000..6413de1 --- /dev/null +++ b/ligalytics/proxy/seafile/conf/seafile.conf @@ -0,0 +1,13 @@ +[fileserver] +host = 127.0.0.1 +port = 8082 + +[database] +type = mysql +host = 127.0.0.1 +port = 3306 +user = seafile +password = 4w3s0m3pwd +db_name = seafile-db +connection_charset = utf8 + diff --git a/ligalytics/proxy/seafile/conf/seahub_settings.py b/ligalytics/proxy/seafile/conf/seahub_settings.py new file mode 100755 index 0000000..41cfc34 --- /dev/null +++ b/ligalytics/proxy/seafile/conf/seahub_settings.py @@ -0,0 +1,22 @@ +# -*- coding: utf-8 -*- +SECRET_KEY = "b'h#cff-ei%$8+zlpxf-*fu)tg4i4^j1c=+144@hl%d5ff8t!*c*'" + +#SERVE_STATIC = False +SITE_ROOT="/" +LOGIN_URL="/accounts/login/" +FILE_SERVER_ROOT="https://cloud.asolvo.de/seafhttp" +#MEDIA_URL = "/seafmedia/" +#COMPRESS_URL = MEDIA_URL +#STATIC_URL = MEDIA_URL + "assets/" + +DATABASES = { + 'default': { + 'ENGINE': 'django.db.backends.mysql', + 'NAME': 'seahub-db', + 'USER': 'seafile', + 'PASSWORD': '4w3s0m3pwd', + 'HOST': '127.0.0.1', + 'PORT': '3306' + } +} + diff --git a/raspbi/apache2/mods-available/dav_svn.conf b/raspbi/apache2/mods-available/dav_svn.conf new file mode 100644 index 0000000..3bdfa71 --- /dev/null +++ b/raspbi/apache2/mods-available/dav_svn.conf @@ -0,0 +1,98 @@ +# dav_svn.conf - Subversion/Apache configuration +# + +#GLOBAL FLAGS +#SVNCompressionLevel 9 +#SVNAllowBulkUpdates prefer +#LimitRequestBody 0 + + +DAV svn +SVNPATH /home/pi/repos/E-On +AuthType Basic +AuthName "E-On" +AuthUserFile /home/pi/repos/E-On/conf/dav_svn.passwd +Require valid-user +SSLRequireSSL + + + +DAV svn +SVNPATH /home/pi/repos/Sasol +AuthType Basic +AuthName "Sasol" +AuthUserFile /home/pi/repos/Sasol/conf/dav_svn.passwd +Require valid-user +SSLRequireSSL + + + +DAV svn +SVNPATH /home/pi/repos/DFL +AuthType Basic +AuthName "DFL" +AuthUserFile /home/pi/repos/DFL/conf/dav_svn.passwd +Require valid-user +SSLRequireSSL + + + +DAV svn +SVNPATH /home/pi/repos/uefa +AuthType Basic +AuthName "UEFA" +AuthUserFile /home/pi/repos/uefa/conf/dav_svn.passwd +Require valid-user +SSLRequireSSL + + + +DAV svn +SVNPATH /home/pi/repos/BBL +AuthType Basic +AuthName "BBL" +AuthUserFile /home/pi/repos/BBL/conf/dav_svn.passwd +Require valid-user +SSLRequireSSL + + + +DAV svn +SVNPATH /home/pi/repos/CHL +AuthType Basic +AuthName "CHL" +AuthUserFile /home/pi/repos/CHL/conf/dav_svn.passwd +Require valid-user +SSLRequireSSL + + + +DAV svn +SVNPATH /home/pi/repos/DFLdeploy +AuthType Basic +AuthName DFL-Deploy +AuthUserFile /home/pi/repos/DFLdeploy/conf/dav_svn.passwd +Require valid-user +SSLRequireSSL + + + +DAV svn +SVNPATH /home/pi/repos/leagues +AuthType Basic +AuthName Leagues +AuthUserFile /home/pi/repos/leagues/conf/dav_svn.passwd +Require valid-user +SSLRequireSSL + + + +DAV svn +SVNPATH /home/pi/repos/bigstar +AuthType Basic +AuthName BigStar +AuthUserFile /home/pi/repos/bigstar/conf/dav_svn.passwd +Require valid-user +SSLRequireSSL + + diff --git a/raspbi/apache2/sites-available/000-default-le-ssl.conf b/raspbi/apache2/sites-available/000-default-le-ssl.conf new file mode 100644 index 0000000..67bbec3 --- /dev/null +++ b/raspbi/apache2/sites-available/000-default-le-ssl.conf @@ -0,0 +1,87 @@ + + + # The ServerName directive sets the request scheme, hostname and port that + # the server uses to identify itself. This is used when creating + # redirection URLs. In the context of virtual hosts, the ServerName + # specifies what hostname must appear in the request's Host: header to + # match this virtual host. For the default virtual host (this file) this + # value is not decisive as it is used as a last resort host regardless. + # However, you must set it for any further virtual host explicitly. + #ServerName www.example.com + + #ServerAdmin webmaster@localhost + DocumentRoot /var/www/html + + #TimeOUt 12000 + #KeepAlive On + #MaxKeepAliveRequests 100 + #KeepAliveTimeout 15 + + # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, + # error, crit, alert, emerg. + # It is also possible to configure the loglevel for particular + # modules, e.g. + #LogLevel info ssl:warn + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + # For most configuration files from conf-available/, which are + # enabled or disabled at a global level, it is possible to + # include a line for only one particular virtual host. For example the + # following line enables the CGI configuration for this host only + # after it has been globally disabled with "a2disconf". + #Include conf-available/serve-cgi-bin.conf + + + SSLProxyEngine On + ProxyPreserveHost On + ProxyPass /svn/ ! + ProxyPass / https://raspbi4/ + ProxyPassReverse / https://raspbi4/ + + + ServerName svnasolvo.ddns.net + Include /etc/letsencrypt/options-ssl-apache.conf + + SSLCertificateFile /etc/letsencrypt/live/svnasolvo.ddns.net/fullchain.pem + SSLCertificateKeyFile /etc/letsencrypt/live/svnasolvo.ddns.net/privkey.pem + + + + + + + + + # The ServerName directive sets the request scheme, hostname and port that + # the server uses to identify itself. This is used when creating + # redirection URLs. In the context of virtual hosts, the ServerName + # specifies what hostname must appear in the request's Host: header to + # match this virtual host. For the default virtual host (this file) this + # value is not decisive as it is used as a last resort host regardless. + # However, you must set it for any further virtual host explicitly. + #ServerName www.example.com + + ServerAdmin webmaster@localhost + DocumentRoot /var/www/html + + # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, + # error, crit, alert, emerg. + # It is also possible to configure the loglevel for particular + # modules, e.g. + #LogLevel info ssl:warn + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + # For most configuration files from conf-available/, which are + # enabled or disabled at a global level, it is possible to + # include a line for only one particular virtual host. For example the + # following line enables the CGI configuration for this host only + # after it has been globally disabled with "a2disconf". + #Include conf-available/serve-cgi-bin.conf + + + + diff --git a/raspbi3/etc/nginx/nginx.conf b/raspbi3/etc/nginx/nginx.conf new file mode 100644 index 0000000..a8abd48 --- /dev/null +++ b/raspbi3/etc/nginx/nginx.conf @@ -0,0 +1,91 @@ +user www-data; +worker_processes auto; +pid /run/nginx.pid; +include /etc/nginx/modules-enabled/*.conf; + +events { + worker_connections 768; + # multi_accept on; +} + +http { + + ## + # Basic Settings + ## + + client_max_body_size 128M; + proxy_max_temp_file_size 0; + proxy_buffering off; + server_names_hash_bucket_size 256; + + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + # server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # SSL Settings + ## + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on; + + ## + # Logging Settings + ## + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + ## + # Gzip Settings + ## + + gzip on; + + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + ## + # Virtual Host Configs + ## + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +} + + +#mail { +# # See sample authentication script at: +# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript +# +# # auth_http localhost/auth.php; +# # pop3_capabilities "TOP" "USER"; +# # imap_capabilities "IMAP4rev1" "UIDPLUS"; +# +# server { +# listen localhost:110; +# protocol pop3; +# proxy on; +# } +# +# server { +# listen localhost:143; +# protocol imap; +# proxy on; +# } +#} diff --git a/raspbi3/etc/nginx/proxy_params b/raspbi3/etc/nginx/proxy_params new file mode 100644 index 0000000..df75bc5 --- /dev/null +++ b/raspbi3/etc/nginx/proxy_params @@ -0,0 +1,4 @@ +proxy_set_header Host $http_host; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto $scheme; diff --git a/raspbi3/etc/nginx/sites-available/seafile.conf b/raspbi3/etc/nginx/sites-available/seafile.conf new file mode 100644 index 0000000..d93ffcf --- /dev/null +++ b/raspbi3/etc/nginx/sites-available/seafile.conf @@ -0,0 +1,78 @@ +server { + #listen 80; + server_name smartinspace.ai; # managed by Certbot + + #SSL configuration + listen 443 ssl http2 ; + listen [::]:443 ssl http2 ; + include snippets/letsencrypt.conf; + include snippets/ssl-params.conf; + + proxy_set_header X-Forwarded-For $remote_addr; + + location / { + proxy_pass http://127.0.0.1:8000; + proxy_set_header host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $server_name; + proxy_read_timeout 1200s; + + #Used for view/edit office file via Office Online Server + client_max_body_size 0; + + access_log /var/log/nginx/seahub.access.log; + error_log /var/log/nginx/seahub.error.log; + } + + location /seafhttp { + rewrite ^/seafhttp(.*)$ $1 break; + proxy_pass http://127.0.0.1:8082; + + client_max_body_size 0; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_connect_timeout 36000s; + proxy_read_timeout 36000s; + proxy_send_timeout 36000s; + + send_timeout 36000s; + } + + location /seafdav { + proxy_pass http://127.0.0.1:8080/seafdav; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $server_name; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 1200s; + client_max_body_size 0; + access_log /var/log/nginx/seafdav.access.log; + error_log /var/log/nginx/seafdav.error.log; + } + + + + + location /media { + root /home/seafile/seafile-server-latest/seahub; + } + + ssl_certificate /etc/letsencrypt/live/smartinspace.ai/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/smartinspace.ai/privkey.pem; # managed by Certbot + +} + +server { + + listen 3000 ssl; + listen [::]:3000 ssl; + + ssl_certificate /etc/letsencrypt/live/smartinspace.ai/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/smartinspace.ai/privkey.pem; # managed by Certbot + + location / { + proxy_pass http://127.0.0.1:30000/; + } +} diff --git a/raspbi3/etc/nginx/snippets/fastcgi-php.conf b/raspbi3/etc/nginx/snippets/fastcgi-php.conf new file mode 100644 index 0000000..467a9e7 --- /dev/null +++ b/raspbi3/etc/nginx/snippets/fastcgi-php.conf @@ -0,0 +1,13 @@ +# regex to split $uri to $fastcgi_script_name and $fastcgi_path +fastcgi_split_path_info ^(.+?\.php)(/.*)$; + +# Check that the PHP script exists before passing it +try_files $fastcgi_script_name =404; + +# Bypass the fact that try_files resets $fastcgi_path_info +# see: http://trac.nginx.org/nginx/ticket/321 +set $path_info $fastcgi_path_info; +fastcgi_param PATH_INFO $path_info; + +fastcgi_index index.php; +include fastcgi.conf; diff --git a/raspbi3/etc/nginx/snippets/letsencrypt.conf b/raspbi3/etc/nginx/snippets/letsencrypt.conf new file mode 100644 index 0000000..0617dbd --- /dev/null +++ b/raspbi3/etc/nginx/snippets/letsencrypt.conf @@ -0,0 +1,2 @@ +ssl_certificate /etc/letsencrypt/live/smartinspace.ai/fullchain.pem; # managed by Certbot +ssl_certificate_key /etc/letsencrypt/live/smartinspace.ai/privkey.pem; # managed by Certbot diff --git a/raspbi3/etc/nginx/snippets/snakeoil.conf b/raspbi3/etc/nginx/snippets/snakeoil.conf new file mode 100644 index 0000000..ad26c3e --- /dev/null +++ b/raspbi3/etc/nginx/snippets/snakeoil.conf @@ -0,0 +1,5 @@ +# Self signed certificates generated by the ssl-cert package +# Don't use them in a production server! + +ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; +ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; diff --git a/raspbi3/etc/nginx/snippets/ssl-params.conf b/raspbi3/etc/nginx/snippets/ssl-params.conf new file mode 100644 index 0000000..3b8e489 --- /dev/null +++ b/raspbi3/etc/nginx/snippets/ssl-params.conf @@ -0,0 +1,19 @@ +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +ssl_prefer_server_ciphers on; +ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; +ssl_ecdh_curve secp384r1; +ssl_session_cache shared:SSL:10m; +ssl_session_tickets off; +ssl_stapling on; +ssl_stapling_verify on; +resolver 8.8.8.8 8.8.4.4 valid=300s; +resolver_timeout 5s; + +# Disable preloading HSTS for now. You can use the commented out header line that includes +# the "preload" directive if you understand the implications. +#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; +add_header Strict-Transport-Security "max-age=63072000; includeSubdomains"; +add_header X-Frame-Options DENY; +add_header X-Content-Type-Options nosniff; + +ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; diff --git a/raspbi3/etc/samba/smb.conf b/raspbi3/etc/samba/smb.conf new file mode 100644 index 0000000..ad720cb --- /dev/null +++ b/raspbi3/etc/samba/smb.conf @@ -0,0 +1,243 @@ +# +# Sample configuration file for the Samba suite for Debian GNU/Linux. +# +# +# This is the main Samba configuration file. You should read the +# smb.conf(5) manual page in order to understand the options listed +# here. Samba has a huge number of configurable options most of which +# are not shown in this example +# +# Some options that are often worth tuning have been included as +# commented-out examples in this file. +# - When such options are commented with ";", the proposed setting +# differs from the default Samba behaviour +# - When commented with "#", the proposed setting is the default +# behaviour of Samba but the option is considered important +# enough to be mentioned here +# +# NOTE: Whenever you modify this file you should run the command +# "testparm" to check that you have not made any basic syntactic +# errors. + +#======================= Global Settings ======================= + +[global] + +## Browsing/Identification ### + +# Change this to the workgroup/NT-domain name your Samba server will part of + workgroup = WORKGROUP + +#### Networking #### + +# The specific set of interfaces / networks to bind to +# This can be either the interface name or an IP address/netmask; +# interface names are normally preferred +; interfaces = 127.0.0.0/8 eth0 + +# Only bind to the named interfaces and/or networks; you must use the +# 'interfaces' option above to use this. +# It is recommended that you enable this feature if your Samba machine is +# not protected by a firewall or is a firewall itself. However, this +# option cannot handle dynamic or non-broadcast interfaces correctly. +; bind interfaces only = yes + + + +#### Debugging/Accounting #### + +# This tells Samba to use a separate log file for each machine +# that connects + log file = /var/log/samba/log.%m + +# Cap the size of the individual log files (in KiB). + max log size = 1000 + +# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}. +# Append syslog@1 if you want important messages to be sent to syslog too. + logging = file + +# Do something sensible when Samba crashes: mail the admin a backtrace + panic action = /usr/share/samba/panic-action %d + + +####### Authentication ####### + +# Server role. Defines in which mode Samba will operate. Possible +# values are "standalone server", "member server", "classic primary +# domain controller", "classic backup domain controller", "active +# directory domain controller". +# +# Most people will want "standalone server" or "member server". +# Running as "active directory domain controller" will require first +# running "samba-tool domain provision" to wipe databases and create a +# new domain. + server role = standalone server + + obey pam restrictions = yes + +# This boolean parameter controls whether Samba attempts to sync the Unix +# password with the SMB password when the encrypted SMB password in the +# passdb is changed. + unix password sync = yes + +# For Unix password sync to work on a Debian GNU/Linux system, the following +# parameters must be set (thanks to Ian Kahan < for +# sending the correct chat script for the passwd program in Debian Sarge). + passwd program = /usr/bin/passwd %u + passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . + +# This boolean controls whether PAM will be used for password changes +# when requested by an SMB client instead of the program listed in +# 'passwd program'. The default is 'no'. + pam password change = yes + +# This option controls how unsuccessful authentication attempts are mapped +# to anonymous connections + map to guest = bad user + +########## Domains ########### + +# +# The following settings only takes effect if 'server role = primary +# classic domain controller', 'server role = backup domain controller' +# or 'domain logons' is set +# + +# It specifies the location of the user's +# profile directory from the client point of view) The following +# required a [profiles] share to be setup on the samba server (see +# below) +; logon path = \\%N\profiles\%U +# Another common choice is storing the profile in the user's home directory +# (this is Samba's default) +# logon path = \\%N\%U\profile + +# The following setting only takes effect if 'domain logons' is set +# It specifies the location of a user's home directory (from the client +# point of view) +; logon drive = H: +# logon home = \\%N\%U + +# The following setting only takes effect if 'domain logons' is set +# It specifies the script to run during logon. The script must be stored +# in the [netlogon] share +# NOTE: Must be store in 'DOS' file format convention +; logon script = logon.cmd + +# This allows Unix users to be created on the domain controller via the SAMR +# RPC pipe. The example command creates a user account with a disabled Unix +# password; please adapt to your needs +; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u + +# This allows machine accounts to be created on the domain controller via the +# SAMR RPC pipe. +# The following assumes a "machines" group exists on the system +; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u + +# This allows Unix groups to be created on the domain controller via the SAMR +# RPC pipe. +; add group script = /usr/sbin/addgroup --force-badname %g + +############ Misc ############ + +# Using the following line enables you to customise your configuration +# on a per machine basis. The %m gets replaced with the netbios name +# of the machine that is connecting +; include = /home/samba/etc/smb.conf.%m + +# Some defaults for winbind (make sure you're not using the ranges +# for something else.) +; idmap config * : backend = tdb +; idmap config * : range = 3000-7999 +; idmap config YOURDOMAINHERE : backend = tdb +; idmap config YOURDOMAINHERE : range = 100000-999999 +; template shell = /bin/bash + +# Setup usershare options to enable non-root users to share folders +# with the net usershare command. + +# Maximum number of usershare. 0 means that usershare is disabled. +# usershare max shares = 100 + +# Allow users who've been granted usershare privileges to create +# public shares, not just authenticated ones + usershare allow guests = yes + +#======================= Share Definitions ======================= + +[homes] + comment = Home Directories + browseable = no + +# By default, the home directories are exported read-only. Change the +# next parameter to 'no' if you want to be able to write to them. + read only = yes + +# File creation mask is set to 0700 for security reasons. If you want to +# create files with group=rw permissions, set next parameter to 0775. + create mask = 0700 + +# Directory creation mask is set to 0700 for security reasons. If you want to +# create dirs. with group=rw permissions, set next parameter to 0775. + directory mask = 0700 + +# By default, \\server\username shares can be connected to by anyone +# with access to the samba server. +# The following parameter makes sure that only "username" can connect +# to \\server\username +# This might need tweaking when using external authentication schemes + valid users = %S + +# Un-comment the following and create the netlogon directory for Domain Logons +# (you need to configure Samba to act as a domain controller too.) +;[netlogon] +; comment = Network Logon Service +; path = /home/samba/netlogon +; guest ok = yes +; read only = yes + +# Un-comment the following and create the profiles directory to store +# users profiles (see the "logon path" option above) +# (you need to configure Samba to act as a domain controller too.) +# The path below should be writable by all users so that their +# profile directory may be created the first time they log on +;[profiles] +; comment = Users profiles +; path = /home/samba/profiles +; guest ok = no +; browseable = no +; create mask = 0600 +; directory mask = 0700 + +[printers] + comment = All Printers + browseable = no + path = /var/spool/samba + printable = yes + guest ok = no + read only = yes + create mask = 0700 + +# Windows clients look for this share name as a source of downloadable +# printer drivers +[print$] + comment = Printer Drivers + path = /var/lib/samba/printers + browseable = yes + read only = yes + guest ok = no +# Uncomment to allow remote administration of Windows print drivers. +# You may need to replace 'lpadmin' with the name of the group your +# admin users are members of. +# Please note that you also need to set appropriate Unix permissions +# to the drivers directory for these users to have write rights in it +; write list = root, @lpadmin +[smb] +comment = raspbi4 +public = yes +writeable = yes +browsable = yes +path = /media/part-ntfs/ +create mask = 0777 +directory mask = 0777 diff --git a/raspbi3/etc/systemd/system/gitea.service b/raspbi3/etc/systemd/system/gitea.service new file mode 100644 index 0000000..73e838c --- /dev/null +++ b/raspbi3/etc/systemd/system/gitea.service @@ -0,0 +1,68 @@ +[Unit] +Description=Gitea (Git with a cup of tea) +After=syslog.target +After=network.target +### +# Don't forget to add the database service requirements +### +# +#Requires=mysql.service +#Requires=mariadb.service +#Requires=postgresql.service +#Requires=memcached.service +#Requires=redis.service +# +### +# If using socket activation for main http/s +### +# +#After=gitea.main.socket +#Requires=gitea.main.socket +# +### +# (You can also provide gitea an http fallback and/or ssh socket too) +# +# An example of /etc/systemd/system/gitea.main.socket +### +## +## [Unit] +## Description=Gitea Web Socket +## PartOf=gitea.service +## +## [Socket] +## Service=gitea.service +## ListenStream= +## NoDelay=true +## +## [Install] +## WantedBy=sockets.target +## +### + +[Service] +# Modify these two values and uncomment them if you have +# repos with lots of files and get an HTTP error 500 because +# of that +### +#LimitMEMLOCK=infinity +#LimitNOFILE=65535 +RestartSec=2s +Type=simple +User=git +Group=git +WorkingDirectory=/var/lib/gitea/ +# If using Unix socket: tells systemd to create the /run/gitea folder, which will contain the gitea.sock file +# (manually creating /run/gitea doesn't work, because it would not persist across reboots) +#RuntimeDirectory=gitea +ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini +Restart=always +Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea +# If you want to bind Gitea to a port below 1024, uncomment +# the two values below, or use socket activation to pass Gitea its ports as above +### +#CapabilityBoundingSet=CAP_NET_BIND_SERVICE +#AmbientCapabilities=CAP_NET_BIND_SERVICE +### + +[Install] +WantedBy=multi-user.target diff --git a/raspbi3/etc/systemd/system/noip2.service b/raspbi3/etc/systemd/system/noip2.service new file mode 100644 index 0000000..391a690 --- /dev/null +++ b/raspbi3/etc/systemd/system/noip2.service @@ -0,0 +1,10 @@ +[Unit] +Description=No-Ip Dynamic DNS Update Service +After=network.target + +[Service] +Type=forking +ExecStart=/usr/local/bin/noip2 + +[Install] +WantedBy=multi-user.target diff --git a/raspbi3/etc/systemd/system/seafile.service b/raspbi3/etc/systemd/system/seafile.service new file mode 100644 index 0000000..7bf2e1b --- /dev/null +++ b/raspbi3/etc/systemd/system/seafile.service @@ -0,0 +1,14 @@ +[Unit] +Description=Seafile +#add mysql.service or postgresql.service depending on your database to the line below +After=network.target mysql.service + +[Service] +Type=forking +ExecStart=/home/seafile/seafile-server-latest/seafile.sh start +ExecStop=/home/seafile/seafile-server-latest/seafile.sh stop +User=seafile +Group=seafile + +[Install] +WantedBy=multi-user.target diff --git a/raspbi3/etc/systemd/system/seahub.service b/raspbi3/etc/systemd/system/seahub.service new file mode 100644 index 0000000..ccc0676 --- /dev/null +++ b/raspbi3/etc/systemd/system/seahub.service @@ -0,0 +1,14 @@ +[Unit] +Description=Seafile hub +After=network.target seafile.service + +[Service] +Type=forking +#change start to start-fastcgi if you want to run fastcgi +ExecStart=/home/seafile/seafile-server-latest/seahub.sh start +ExecStop=/home/seafile/seafile-server-latest/seahub.sh stop +User=seafile +Group=seafile + +[Install] +WantedBy=multi-user.target diff --git a/raspbi3/scripts/getdump.sh b/raspbi3/scripts/getdump.sh new file mode 100755 index 0000000..c95b9e9 --- /dev/null +++ b/raspbi3/scripts/getdump.sh @@ -0,0 +1,3 @@ +host="martin@optimization.ligalytics.com" +file=`ssh $host 'ls -1r /db_backup | head -1'` +scp $host:/db_backup/$file /media/part-ntfs/Work/ligalytics/db_dump/ diff --git a/raspbi3/scripts/getlog.sh b/raspbi3/scripts/getlog.sh new file mode 100755 index 0000000..3da6200 --- /dev/null +++ b/raspbi3/scripts/getlog.sh @@ -0,0 +1,24 @@ +host="martin@optimization.ligalytics.com" + + +#LOGWATCH +#file=`ssh -i keyfile $host 'ls -1r /var/log/logwatch/ | head -1'` +#echo copying latest logfile for logwatch... $file +#scp -i keyfile $host:/var/log/logwatch/$file . + + +#IFTOP +#file=`ssh -i keyfile $host 'ls -1r /var/log/iftop/ | head -1'` +#echo copying latest logfile for iftop ... $file +#scp -i keyfile $host:/var/log/iftop/$file . + + +#Summary +file=`ssh $host 'ls -1r /var/log/nettraf/ | head -1'` +#echo copying latest network summary ... $file +scp $host:/var/log/nettraf/$file /media/part-ntfs/Work/ligalytics/logs/ + + + + + diff --git a/raspbi3/seafile_conf/ccnet.conf b/raspbi3/seafile_conf/ccnet.conf new file mode 100644 index 0000000..326f02f --- /dev/null +++ b/raspbi3/seafile_conf/ccnet.conf @@ -0,0 +1,18 @@ +[General] +USER_NAME = SmartInServer +ID = 878b66071f5ba78dbaf323cd481cb61118a92321 +NAME = SmartInServer +SERVICE_URL = https://smartinspace.ai:44300 + +[Client] +PORT = 13419 + +[Database] +ENGINE = mysql +HOST = 127.0.0.1 +PORT = 3306 +USER = seafile +PASSWD = seafile+123 +DB = ccnet-db +CONNECTION_CHARSET = utf8 + diff --git a/raspbi3/seafile_conf/gunicorn.conf b/raspbi3/seafile_conf/gunicorn.conf new file mode 100644 index 0000000..3fcc027 --- /dev/null +++ b/raspbi3/seafile_conf/gunicorn.conf @@ -0,0 +1,17 @@ + +import os + +daemon = True +workers = 5 + +# default localhost:8000 +bind = "127.0.0.1:8000" + +# Pid +pids_dir = '/home/seafile/pids' +pidfile = os.path.join(pids_dir, 'seahub.pid') + +# for file upload, we need a longer timeout value (default is only 30s, too short) +timeout = 1200 + +limit_request_line = 8190 diff --git a/raspbi3/seafile_conf/seafdav.conf b/raspbi3/seafile_conf/seafdav.conf new file mode 100644 index 0000000..11e0f65 --- /dev/null +++ b/raspbi3/seafile_conf/seafdav.conf @@ -0,0 +1,6 @@ + +[WEBDAV] +enabled = true +port = 8080 +fastcgi = false +share_name = /seafdav diff --git a/raspbi3/seafile_conf/seafile.conf b/raspbi3/seafile_conf/seafile.conf new file mode 100644 index 0000000..2ef4752 --- /dev/null +++ b/raspbi3/seafile_conf/seafile.conf @@ -0,0 +1,12 @@ +[fileserver] +port = 8082 + +[database] +type = mysql +host = 127.0.0.1 +port = 3306 +user = seafile +password = seafile+123 +db_name = seafile-db +connection_charset = utf8 + diff --git a/raspbi3/seafile_conf/seahub_settings.py b/raspbi3/seafile_conf/seahub_settings.py new file mode 100755 index 0000000..0b91368 --- /dev/null +++ b/raspbi3/seafile_conf/seahub_settings.py @@ -0,0 +1,17 @@ +# -*- coding: utf-8 -*- +SECRET_KEY = "$&@+j^qy!((+ml4pvnwl+uui6tvil2-6=10ihwso=6pee6mwec" + +DATABASES = { + 'default': { + 'ENGINE': 'django.db.backends.mysql', + 'NAME': 'seahub-db', + 'USER': 'seafile', + 'PASSWORD': 'seafile+123', + 'HOST': '127.0.0.1', + 'PORT': '3306' + } +} + +SERVER_ROOT = 'https://smartinspace.ai:44300' +FILE_SERVER_ROOT = 'https://smartinspace.ai:44300/seafhttp' + diff --git a/raspbi4/gitlab/gitlab.rb b/raspbi4/gitlab/gitlab.rb new file mode 100644 index 0000000..3ba7b31 --- /dev/null +++ b/raspbi4/gitlab/gitlab.rb @@ -0,0 +1,2390 @@ +## GitLab configuration settings +##! This file is generated during initial installation and **is not** modified +##! during upgrades. +##! Check out the latest version of this file to know about the different +##! settings that can be configured by this file, which may be found at: +##! https://gitlab.com/gitlab-org/omnibus-gitlab/raw/master/files/gitlab-config-template/gitlab.rb.template + +##! You can run `gitlab-ctl diff-config` to compare the contents of the current gitlab.rb with +##! the gitlab.rb.template from the currently running version. + +##! You can run `gitlab-ctl show-config` to display the configuration that will be generated by +##! running `gitlab-ctl reconfigure` + +##! In general, the values specified here should reflect what the default value of the attribute will be. +##! There are instances where this behavior is not possible or desired. For example, when providing passwords, +##! or connecting to third party services. +##! In those instances, we endeavour to provide an example configuration. + +## GitLab URL +##! URL on which GitLab will be reachable. +##! For more details on configuring external_url see: +##! https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-the-external-url-for-gitlab +##! +##! Note: During installation/upgrades, the value of the environment variable +##! EXTERNAL_URL will be used to populate/replace this value. +##! On AWS EC2 instances, we also attempt to fetch the public hostname/IP +##! address from AWS. For more details, see: +##! https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html +external_url 'https://svnasolvo.ddns.net' + +## Roles for multi-instance GitLab +##! The default is to have no roles enabled, which results in GitLab running as an all-in-one instance. +##! Options: +##! redis_sentinel_role redis_master_role redis_slave_role geo_primary_role geo_secondary_role +##! For more details on each role, see: +##! https://docs.gitlab.com/omnibus/roles/README.html#roles +##! +# roles ['redis_sentinel_role', 'redis_master_role'] + +## Legend +##! The following notations at the beginning of each line may be used to +##! differentiate between components of this file and to easily select them using +##! a regex. +##! ## Titles, subtitles etc +##! ##! More information - Description, Docs, Links, Issues etc. +##! Configuration settings have a single # followed by a single space at the +##! beginning; Remove them to enable the setting. + +##! **Configuration settings below are optional.** + + +################################################################################ +################################################################################ +## Configuration Settings for GitLab CE and EE ## +################################################################################ +################################################################################ + +################################################################################ +## gitlab.yml configuration +##! Docs: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md +################################################################################ +# gitlab_rails['gitlab_ssh_host'] = 'ssh.host_example.com' +# gitlab_rails['gitlab_ssh_user'] = '' +# gitlab_rails['time_zone'] = 'UTC' + +### Request duration +###! Tells the rails application how long it has to complete a request +###! This value needs to be lower than the worker timeout set in unicorn/puma. +###! By default, we'll allow 95% of the the worker timeout +# gitlab_rails['max_request_duration_seconds'] = 57 + +### Email Settings +# gitlab_rails['gitlab_email_enabled'] = true +gitlab_rails['gitlab_email_from'] = 'm.dahmen@asolvo.de' +gitlab_rails['gitlab_email_display_name'] = 'Martin' +gitlab_rails['gitlab_email_reply_to'] = 'm.dahmen@asolvo.de' +# gitlab_rails['gitlab_email_subject_suffix'] = '' +# gitlab_rails['gitlab_email_smime_enabled'] = false +# gitlab_rails['gitlab_email_smime_key_file'] = '/etc/gitlab/ssl/gitlab_smime.key' +# gitlab_rails['gitlab_email_smime_cert_file'] = '/etc/gitlab/ssl/gitlab_smime.crt' + +### GitLab user privileges +# gitlab_rails['gitlab_default_can_create_group'] = true +# gitlab_rails['gitlab_username_changing_enabled'] = true + +### Default Theme +# gitlab_rails['gitlab_default_theme'] = 2 + +### Default project feature settings +# gitlab_rails['gitlab_default_projects_features_issues'] = true +# gitlab_rails['gitlab_default_projects_features_merge_requests'] = true +# gitlab_rails['gitlab_default_projects_features_wiki'] = true +# gitlab_rails['gitlab_default_projects_features_snippets'] = true +# gitlab_rails['gitlab_default_projects_features_builds'] = true +# gitlab_rails['gitlab_default_projects_features_container_registry'] = true + +### Automatic issue closing +###! See https://docs.gitlab.com/ee/customization/issue_closing.html for more +###! information about this pattern. +# gitlab_rails['gitlab_issue_closing_pattern'] = "\b((?:[Cc]los(?:e[sd]?|ing)|\b[Ff]ix(?:e[sd]|ing)?|\b[Rr]esolv(?:e[sd]?|ing)|\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)" + +### Download location +###! When a user clicks e.g. 'Download zip' on a project, a temporary zip file +###! is created in the following directory. +###! Should not be the same path, or a sub directory of any of the `git_data_dirs` +# gitlab_rails['gitlab_repository_downloads_path'] = 'tmp/repositories' + +### Gravatar Settings +# gitlab_rails['gravatar_plain_url'] = 'http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon' +# gitlab_rails['gravatar_ssl_url'] = 'https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon' + +### Auxiliary jobs +###! Periodically executed jobs, to self-heal Gitlab, do external +###! synchronizations, etc. +###! Docs: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job +###! https://docs.gitlab.com/ee/ci/yaml/README.html#artifactsexpire_in +# gitlab_rails['stuck_ci_jobs_worker_cron'] = "0 0 * * *" +# gitlab_rails['expire_build_artifacts_worker_cron'] = "50 * * * *" +# gitlab_rails['environments_auto_stop_cron_worker_cron'] = "24 * * * *" +# gitlab_rails['pipeline_schedule_worker_cron'] = "19 * * * *" +# gitlab_rails['ci_archive_traces_cron_worker_cron'] = "17 * * * *" +# gitlab_rails['repository_check_worker_cron'] = "20 * * * *" +# gitlab_rails['admin_email_worker_cron'] = "0 0 * * 0" +# gitlab_rails['personal_access_tokens_expiring_worker_cron'] = "0 1 * * *" +# gitlab_rails['repository_archive_cache_worker_cron'] = "0 * * * *" +# gitlab_rails['pages_domain_verification_cron_worker'] = "*/15 * * * *" +# gitlab_rails['pages_domain_ssl_renewal_cron_worker'] = "*/10 * * * *" +# gitlab_rails['pages_domain_removal_cron_worker'] = "47 0 * * *" +# gitlab_rails['schedule_migrate_external_diffs_worker_cron'] = "15 * * * *" + +### Webhook Settings +###! Number of seconds to wait for HTTP response after sending webhook HTTP POST +###! request (default: 10) +# gitlab_rails['webhook_timeout'] = 10 + +### GraphQL Settings +###! Tells the rails application how long it has to complete a GraphQL request. +###! We suggest this value to be higher than the database timeout value +###! and lower than the worker timeout set in unicorn/puma. (default: 30) +# gitlab_rails['graphql_timeout'] = 30 + +### Trusted proxies +###! Customize if you have GitLab behind a reverse proxy which is running on a +###! different machine. +###! **Add the IP address for your reverse proxy to the list, otherwise users +###! will appear signed in from that address.** +# gitlab_rails['trusted_proxies'] = [] + +### Content Security Policy +####! Customize if you want to enable the Content-Security-Policy header, which +####! can help thwart JavaScript cross-site scripting (XSS) attacks. +####! See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP +# gitlab_rails['content_security_policy'] = { +# 'enabled' => false, +# 'report_only' => false, +# # Each directive is a String (e.g. "'self'"). +# 'directives' => { +# 'base_uri' => nil, +# 'child_src' => nil, +# 'connect_src' => nil, +# 'default_src' => nil, +# 'font_src' => nil, +# 'form_action' => nil, +# 'frame_ancestors' => nil, +# 'frame_src' => nil, +# 'img_src' => nil, +# 'manifest_src' => nil, +# 'media_src' => nil, +# 'object_src' => nil, +# 'script_src' => nil, +# 'style_src' => nil, +# 'worker_src' => nil, +# 'report_uri' => nil, +# } +# } + +### Monitoring settings +###! IP whitelist controlling access to monitoring endpoints +# gitlab_rails['monitoring_whitelist'] = ['127.0.0.0/8', '::1/128'] +###! Time between sampling of unicorn socket metrics, in seconds +# gitlab_rails['monitoring_unicorn_sampler_interval'] = 10 + +### Shutdown settings +###! Defines an interval to block healthcheck, +###! but continue accepting application requests. +# gitlab_rails['shutdown_blackout_seconds'] = 10 + +### Reply by email +###! Allow users to comment on issues and merge requests by replying to +###! notification emails. +###! Docs: https://docs.gitlab.com/ee/administration/reply_by_email.html +# gitlab_rails['incoming_email_enabled'] = true + +#### Incoming Email Address +####! The email address including the `%{key}` placeholder that will be replaced +####! to reference the item being replied to. +####! **The placeholder can be omitted but if present, it must appear in the +####! "user" part of the address (before the `@`).** +# gitlab_rails['incoming_email_address'] = "gitlab-incoming+%{key}@gmail.com" + +#### Email account username +####! **With third party providers, this is usually the full email address.** +####! **With self-hosted email servers, this is usually the user part of the +####! email address.** +# gitlab_rails['incoming_email_email'] = "gitlab-incoming@gmail.com" + +#### Email account password +# gitlab_rails['incoming_email_password'] = "[REDACTED]" + +#### IMAP Settings +# gitlab_rails['incoming_email_host'] = "imap.gmail.com" +# gitlab_rails['incoming_email_port'] = 993 +# gitlab_rails['incoming_email_ssl'] = true +# gitlab_rails['incoming_email_start_tls'] = false + +#### Incoming Mailbox Settings (via `mail_room`) +####! The mailbox where incoming mail will end up. Usually "inbox". +# gitlab_rails['incoming_email_mailbox_name'] = "inbox" +####! The IDLE command timeout. +# gitlab_rails['incoming_email_idle_timeout'] = 60 +####! The file name for internal `mail_room` JSON logfile +# gitlab_rails['incoming_email_log_file'] = "/var/log/gitlab/mailroom/mail_room_json.log" + +####! The format of mail_room crash logs +# mailroom['exit_log_format'] = "plain" + +### Job Artifacts +# gitlab_rails['artifacts_enabled'] = true +# gitlab_rails['artifacts_path'] = "/var/opt/gitlab/gitlab-rails/shared/artifacts" +####! Job artifacts Object Store +####! Docs: https://docs.gitlab.com/ee/administration/job_artifacts.html#using-object-storage +# gitlab_rails['artifacts_object_store_enabled'] = false +# gitlab_rails['artifacts_object_store_direct_upload'] = false +# gitlab_rails['artifacts_object_store_background_upload'] = true +# gitlab_rails['artifacts_object_store_proxy_download'] = false +# gitlab_rails['artifacts_object_store_remote_directory'] = "artifacts" +# gitlab_rails['artifacts_object_store_connection'] = { +# 'provider' => 'AWS', +# 'region' => 'eu-west-1', +# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID', +# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY', +# # # The below options configure an S3 compatible host instead of AWS +# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4. +# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces +# # 'host' => 's3.amazonaws.com', +# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' +# } + +### External merge request diffs +# gitlab_rails['external_diffs_enabled'] = false +# gitlab_rails['external_diffs_when'] = nil +# gitlab_rails['external_diffs_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/external-diffs" +# gitlab_rails['external_diffs_object_store_enabled'] = false +# gitlab_rails['external_diffs_object_store_direct_upload'] = false +# gitlab_rails['external_diffs_object_store_background_upload'] = false +# gitlab_rails['external_diffs_object_store_proxy_download'] = false +# gitlab_rails['external_diffs_object_store_remote_directory'] = "external-diffs" +# gitlab_rails['external_diffs_object_store_connection'] = { +# 'provider' => 'AWS', +# 'region' => 'eu-west-1', +# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID', +# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY', +# # # The below options configure an S3 compatible host instead of AWS +# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4. +# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces +# # 'host' => 's3.amazonaws.com', +# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' +# } + +### Git LFS +# gitlab_rails['lfs_enabled'] = true +# gitlab_rails['lfs_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/lfs-objects" +# gitlab_rails['lfs_object_store_enabled'] = false +# gitlab_rails['lfs_object_store_direct_upload'] = false +# gitlab_rails['lfs_object_store_background_upload'] = true +# gitlab_rails['lfs_object_store_proxy_download'] = false +# gitlab_rails['lfs_object_store_remote_directory'] = "lfs-objects" +# gitlab_rails['lfs_object_store_connection'] = { +# 'provider' => 'AWS', +# 'region' => 'eu-west-1', +# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID', +# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY', +# # # The below options configure an S3 compatible host instead of AWS +# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4. +# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces +# # 'host' => 's3.amazonaws.com', +# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' +# } + +### GitLab uploads +###! Docs: https://docs.gitlab.com/ee/administration/uploads.html +# gitlab_rails['uploads_storage_path'] = "/opt/gitlab/embedded/service/gitlab-rails/public" +# gitlab_rails['uploads_base_dir'] = "uploads/-/system" +# gitlab_rails['uploads_object_store_enabled'] = false +# gitlab_rails['uploads_object_store_direct_upload'] = false +# gitlab_rails['uploads_object_store_background_upload'] = true +# gitlab_rails['uploads_object_store_proxy_download'] = false +# gitlab_rails['uploads_object_store_remote_directory'] = "uploads" +# gitlab_rails['uploads_object_store_connection'] = { +# 'provider' => 'AWS', +# 'region' => 'eu-west-1', +# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID', +# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY', +# # # The below options configure an S3 compatible host instead of AWS +# # 'host' => 's3.amazonaws.com', +# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4. +# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces +# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' +# } + +### Terraform state +###! Docs: https://docs.gitlab.com/ee/administration/terraform_state +# gitlab_rails['terraform_state_enabled'] = true +# gitlab_rails['terraform_state_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/terraform_state" +# gitlab_rails['terraform_state_object_store_enabled'] = false +# gitlab_rails['terraform_state_object_store_remote_directory'] = "terraform_state" +# gitlab_rails['terraform_state_object_store_connection'] = { +# 'provider' => 'AWS', +# 'region' => 'eu-west-1', +# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID', +# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY', +# # # The below options configure an S3 compatible host instead of AWS +# # 'host' => 's3.amazonaws.com', +# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4. +# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces +# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' +# } + +### Impersonation settings +# gitlab_rails['impersonation_enabled'] = true + +### Usage Statistics +# gitlab_rails['usage_ping_enabled'] = true + +### Seat Link setting +###! Docs: https://docs.gitlab.com/ee/subscriptions/index.html#seat-link +# gitlab_rails['seat_link_enabled'] = true + +### GitLab Mattermost +###! These settings are void if Mattermost is installed on the same omnibus +###! install +# gitlab_rails['mattermost_host'] = "https://mattermost.example.com" + +### LDAP Settings +###! Docs: https://docs.gitlab.com/omnibus/settings/ldap.html +###! **Be careful not to break the indentation in the ldap_servers block. It is +###! in yaml format and the spaces must be retained. Using tabs will not work.** + +# gitlab_rails['ldap_enabled'] = false +# gitlab_rails['prevent_ldap_sign_in'] = false + +###! **remember to close this block with 'EOS' below** +# gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' +# main: # 'main' is the GitLab 'provider ID' of this LDAP server +# label: 'LDAP' +# host: '_your_ldap_server' +# port: 389 +# uid: 'sAMAccountName' +# bind_dn: '_the_full_dn_of_the_user_you_will_bind_with' +# password: '_the_password_of_the_bind_user' +# encryption: 'plain' # "start_tls" or "simple_tls" or "plain" +# verify_certificates: true +# smartcard_auth: false +# active_directory: true +# allow_username_or_email_login: false +# lowercase_usernames: false +# block_auto_created_users: false +# base: '' +# user_filter: '' +# ## EE only +# group_base: '' +# admin_group: '' +# sync_ssh_keys: false +# +# secondary: # 'secondary' is the GitLab 'provider ID' of second LDAP server +# label: 'LDAP' +# host: '_your_ldap_server' +# port: 389 +# uid: 'sAMAccountName' +# bind_dn: '_the_full_dn_of_the_user_you_will_bind_with' +# password: '_the_password_of_the_bind_user' +# encryption: 'plain' # "start_tls" or "simple_tls" or "plain" +# verify_certificates: true +# smartcard_auth: false +# active_directory: true +# allow_username_or_email_login: false +# lowercase_usernames: false +# block_auto_created_users: false +# base: '' +# user_filter: '' +# ## EE only +# group_base: '' +# admin_group: '' +# sync_ssh_keys: false +# EOS + +### Smartcard authentication settings +###! Docs: https://docs.gitlab.com/ee/administration/auth/smartcard.html +# gitlab_rails['smartcard_enabled'] = false +# gitlab_rails['smartcard_ca_file'] = "/etc/gitlab/ssl/CA.pem" +# gitlab_rails['smartcard_client_certificate_required_host'] = 'smartcard.gitlab.example.com' +# gitlab_rails['smartcard_client_certificate_required_port'] = 3444 +# gitlab_rails['smartcard_required_for_git_access'] = false +# gitlab_rails['smartcard_san_extensions'] = false + +### OmniAuth Settings +###! Docs: https://docs.gitlab.com/ee/integration/omniauth.html +# gitlab_rails['omniauth_enabled'] = nil +# gitlab_rails['omniauth_allow_single_sign_on'] = ['saml'] +# gitlab_rails['omniauth_sync_email_from_provider'] = 'saml' +# gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml'] +# gitlab_rails['omniauth_sync_profile_attributes'] = ['email'] +# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml' +# gitlab_rails['omniauth_block_auto_created_users'] = true +# gitlab_rails['omniauth_auto_link_ldap_user'] = false +# gitlab_rails['omniauth_auto_link_saml_user'] = false +# gitlab_rails['omniauth_external_providers'] = ['twitter', 'google_oauth2'] +# gitlab_rails['omniauth_allow_bypass_two_factor'] = ['google_oauth2'] +# gitlab_rails['omniauth_providers'] = [ +# { +# "name" => "google_oauth2", +# "app_id" => "YOUR APP ID", +# "app_secret" => "YOUR APP SECRET", +# "args" => { "access_type" => "offline", "approval_prompt" => "" } +# } +# ] + +### Backup Settings +###! Docs: https://docs.gitlab.com/omnibus/settings/backups.html + +# gitlab_rails['manage_backup_path'] = true +# gitlab_rails['backup_path'] = "/var/opt/gitlab/backups" + +###! Docs: https://docs.gitlab.com/ee/raketasks/backup_restore.html#backup-archive-permissions +# gitlab_rails['backup_archive_permissions'] = 0644 + +# gitlab_rails['backup_pg_schema'] = 'public' + +###! The duration in seconds to keep backups before they are allowed to be deleted +# gitlab_rails['backup_keep_time'] = 604800 + +# gitlab_rails['backup_upload_connection'] = { +# 'provider' => 'AWS', +# 'region' => 'eu-west-1', +# 'aws_access_key_id' => 'AKIAKIAKI', +# 'aws_secret_access_key' => 'secret123' +# } +# gitlab_rails['backup_upload_remote_directory'] = 'my.s3.bucket' +# gitlab_rails['backup_multipart_chunk_size'] = 104857600 + +###! **Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for +###! backups** +# gitlab_rails['backup_encryption'] = 'AES256' +###! The encryption key to use with AWS Server-Side Encryption. +###! Setting this value will enable Server-Side Encryption with customer provided keys; +###! otherwise S3-managed keys are used. +# gitlab_rails['backup_encryption_key'] = '' + +###! **Specifies Amazon S3 storage class to use for backups. Valid values +###! include 'STANDARD', 'STANDARD_IA', and 'REDUCED_REDUNDANCY'** +# gitlab_rails['backup_storage_class'] = 'STANDARD' + +###! Skip parts of the backup. Comma separated. +###! Docs: https://docs.gitlab.com/ee/raketasks/backup_restore.html#excluding-specific-directories-from-the-backup +#gitlab_rails['env'] = { +# "SKIP" => "db,uploads,repositories,builds,artifacts,lfs,registry,pages" +#} + +### Pseudonymizer Settings +# gitlab_rails['pseudonymizer_manifest'] = 'config/pseudonymizer.yml' +# gitlab_rails['pseudonymizer_upload_remote_directory'] = 'gitlab-elt' +# gitlab_rails['pseudonymizer_upload_connection'] = { +# 'provider' => 'AWS', +# 'region' => 'eu-west-1', +# 'aws_access_key_id' => 'AKIAKIAKI', +# 'aws_secret_access_key' => 'secret123' +# } + + +### For setting up different data storing directory +###! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#storing-git-data-in-an-alternative-directory +###! **If you want to use a single non-default directory to store git data use a +###! path that doesn't contain symlinks.** +# git_data_dirs({ +# "default" => { +# "path" => "/mnt/nfs-01/git-data" +# } +# }) + +### Gitaly settings +# gitlab_rails['gitaly_token'] = 'secret token' + +### For storing GitLab application uploads, eg. LFS objects, build artifacts +###! Docs: https://docs.gitlab.com/ee/development/shared_files.html +# gitlab_rails['shared_path'] = '/var/opt/gitlab/gitlab-rails/shared' + +### Wait for file system to be mounted +###! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#only-start-omnibus-gitlab-services-after-a-given-filesystem-is-mounted +# high_availability['mountpoint'] = ["/var/opt/gitlab/git-data", "/var/opt/gitlab/gitlab-rails/shared"] + +### GitLab Shell settings for GitLab +# gitlab_rails['gitlab_shell_ssh_port'] = 22 +# gitlab_rails['gitlab_shell_git_timeout'] = 800 + +### Extra customization +# gitlab_rails['extra_google_analytics_id'] = '_your_tracking_id' +# gitlab_rails['extra_piwik_url'] = '_your_piwik_url' +# gitlab_rails['extra_piwik_site_id'] = '_your_piwik_site_id' + +##! Docs: https://docs.gitlab.com/omnibus/settings/environment-variables.html +# gitlab_rails['env'] = { +# 'BUNDLE_GEMFILE' => "/opt/gitlab/embedded/service/gitlab-rails/Gemfile", +# 'PATH' => "/opt/gitlab/bin:/opt/gitlab/embedded/bin:/bin:/usr/bin" +# } + +# gitlab_rails['rack_attack_git_basic_auth'] = { +# 'enabled' => false, +# 'ip_whitelist' => ["127.0.0.1"], +# 'maxretry' => 10, +# 'findtime' => 60, +# 'bantime' => 3600 +# } + +# Prioritize the Admin Area protected paths throttle settings over the +# deprecated Omnibus-managed protected paths throttle. This allows you to keep +# gitlab_rails['rack_attack_git_basic_auth'] enabled to run the Git and +# container registry failed authentication ban. +# See https://gitlab.com/gitlab-org/gitlab/issues/37093 +# gitlab_rails['rack_attack_admin_area_protected_paths_enabled'] = true + +###! **We do not recommend changing these directories.** +# gitlab_rails['dir'] = "/var/opt/gitlab/gitlab-rails" +# gitlab_rails['log_directory'] = "/var/log/gitlab/gitlab-rails" + +### GitLab application settings +# gitlab_rails['uploads_directory'] = "/var/opt/gitlab/gitlab-rails/uploads" +# gitlab_rails['rate_limit_requests_per_period'] = 10 +# gitlab_rails['rate_limit_period'] = 60 + +#### Change the initial default admin password and shared runner registration tokens. +####! **Only applicable on initial setup, changing these settings after database +####! is created and seeded won't yield any change.** +# gitlab_rails['initial_root_password'] = "password" +# gitlab_rails['initial_shared_runners_registration_token'] = "token" + +#### Set path to an initial license to be used while bootstrapping GitLab. +####! **Only applicable on initial setup, future license updations need to be done via UI. +####! Updating the file specified in this path won't yield any change after the first reconfigure run. +# gitlab_rails['initial_license_file'] = '/etc/gitlab/company.gitlab-license' + +#### Enable or disable automatic database migrations +# gitlab_rails['auto_migrate'] = true + +#### This is advanced feature used by large gitlab deployments where loading +#### whole RAILS env takes a lot of time. +# gitlab_rails['rake_cache_clear'] = true + +### GitLab database settings +###! Docs: https://docs.gitlab.com/omnibus/settings/database.html +###! **Only needed if you use an external database.** +# gitlab_rails['db_adapter'] = "postgresql" +# gitlab_rails['db_encoding'] = "unicode" +# gitlab_rails['db_collation'] = nil +# gitlab_rails['db_database'] = "gitlabhq_production" +# gitlab_rails['db_pool'] = 1 +# gitlab_rails['db_username'] = "gitlab" +# gitlab_rails['db_password'] = nil +# gitlab_rails['db_host'] = nil +# gitlab_rails['db_port'] = 5432 +# gitlab_rails['db_socket'] = nil +# gitlab_rails['db_sslmode'] = nil +# gitlab_rails['db_sslcompression'] = 0 +# gitlab_rails['db_sslrootcert'] = nil +# gitlab_rails['db_sslcert'] = nil +# gitlab_rails['db_sslkey'] = nil +# gitlab_rails['db_prepared_statements'] = false +# gitlab_rails['db_statements_limit'] = 1000 + + +### GitLab Redis settings +###! Connect to your own Redis instance +###! Docs: https://docs.gitlab.com/omnibus/settings/redis.html + +#### Redis TCP connection +# gitlab_rails['redis_host'] = "127.0.0.1" +# gitlab_rails['redis_port'] = 6379 +# gitlab_rails['redis_ssl'] = false +# gitlab_rails['redis_password'] = nil +# gitlab_rails['redis_database'] = 0 +# gitlab_rails['redis_enable_client'] = true + +#### Redis local UNIX socket (will be disabled if TCP method is used) +# gitlab_rails['redis_socket'] = "/var/opt/gitlab/redis/redis.socket" + +#### Sentinel support +####! To have Sentinel working, you must enable Redis TCP connection support +####! above and define a few Sentinel hosts below (to get a reliable setup +####! at least 3 hosts). +####! **You don't need to list every sentinel host, but the ones not listed will +####! not be used in a fail-over situation to query for the new master.** +# gitlab_rails['redis_sentinels'] = [ +# {'host' => '127.0.0.1', 'port' => 26379}, +# ] + +#### Separate instances support +###! Docs: https://docs.gitlab.com/omnibus/settings/redis.html#running-with-multiple-redis-instances +# gitlab_rails['redis_cache_instance'] = nil +# gitlab_rails['redis_cache_sentinels'] = nil +# gitlab_rails['redis_queues_instance'] = nil +# gitlab_rails['redis_queues_sentinels'] = nil +# gitlab_rails['redis_shared_state_instance'] = nil +# gitlab_rails['redis_shared_sentinels'] = nil +# gitlab_rails['redis_actioncable_instance'] = nil +# gitlab_rails['redis_actioncable_sentinels'] = nil + +### GitLab email server settings +###! Docs: https://docs.gitlab.com/omnibus/settings/smtp.html +###! **Use smtp instead of sendmail/postfix.** + +gitlab_rails['smtp_enable'] = true +gitlab_rails['smtp_address'] = "smtp.strato.de" +gitlab_rails['smtp_port'] = 465 +gitlab_rails['smtp_user_name'] = "martin@ligalytics.com" +gitlab_rails['smtp_password'] = "0x86dx5Fsmcqattj8Q27R0x27d" +gitlab_rails['smtp_domain'] = "ligalytics.com" +gitlab_rails['smtp_authentication'] = "login" +gitlab_rails['smtp_enable_starttls_auto'] = true +gitlab_rails['smtp_tls'] = true +gitlab_rails['smpt_openssl_verify_mode'] = 'none' + +###! **Can be: 'none', 'peer', 'client_once', 'fail_if_no_peer_cert'** +###! Docs: http://api.rubyonrails.org/classes/ActionMailer/Base.html +# gitlab_rails['smtp_openssl_verify_mode'] = 'none' + +# gitlab_rails['smtp_ca_path'] = "/etc/ssl/certs" +# gitlab_rails['smtp_ca_file'] = "/etc/ssl/certs/ca-certificates.crt" + +################################################################################ +## Container Registry settings +##! Docs: https://docs.gitlab.com/ee/administration/container_registry.html +################################################################################ + +# registry_external_url 'https://registry.example.com' + +### Settings used by GitLab application +# gitlab_rails['registry_enabled'] = true +# gitlab_rails['registry_host'] = "registry.gitlab.example.com" +# gitlab_rails['registry_port'] = "5005" +# gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry" + +# Notification secret, it's used to authenticate notification requests to GitLab application +# You only need to change this when you use external Registry service, otherwise +# it will be taken directly from notification settings of your Registry +# gitlab_rails['registry_notification_secret'] = nil + +###! **Do not change the following 3 settings unless you know what you are +###! doing** +# gitlab_rails['registry_api_url'] = "http://localhost:5000" +# gitlab_rails['registry_key_path'] = "/var/opt/gitlab/gitlab-rails/certificate.key" +# gitlab_rails['registry_issuer'] = "omnibus-gitlab-issuer" + +### Settings used by Registry application +# registry['enable'] = true +# registry['username'] = "registry" +# registry['group'] = "registry" +# registry['uid'] = nil +# registry['gid'] = nil +# registry['dir'] = "/var/opt/gitlab/registry" +# registry['registry_http_addr'] = "localhost:5000" +# registry['debug_addr'] = "localhost:5001" +# registry['log_directory'] = "/var/log/gitlab/registry" +# registry['env_directory'] = "/opt/gitlab/etc/registry/env" +# registry['env'] = { +# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/" +# } +# registry['log_level'] = "info" +# registry['log_formatter'] = "text" +# registry['rootcertbundle'] = "/var/opt/gitlab/registry/certificate.crt" +# registry['health_storagedriver_enabled'] = true +# registry['storage_delete_enabled'] = true +# registry['validation_enabled'] = false +# registry['autoredirect'] = false +# registry['compatibility_schema1_enabled'] = false + +### Registry backend storage +###! Docs: https://docs.gitlab.com/ee/administration/container_registry.html#container-registry-storage-driver +# registry['storage'] = { +# 's3' => { +# 'accesskey' => 'AKIAKIAKI', +# 'secretkey' => 'secret123', +# 'region' => 'us-east-1', +# 'bucket' => 'gitlab-registry-bucket-AKIAKIAKI' +# } +# } + +### Registry notifications endpoints +# registry['notifications'] = [ +# { +# 'name' => 'test_endpoint', +# 'url' => 'https://gitlab.example.com/notify2', +# 'timeout' => '500ms', +# 'threshold' => 5, +# 'backoff' => '1s', +# 'headers' => { +# "Authorization" => ["AUTHORIZATION_EXAMPLE_TOKEN"] +# } +# } +# ] +### Default registry notifications +# registry['default_notifications_timeout'] = "500ms" +# registry['default_notifications_threshold'] = 5 +# registry['default_notifications_backoff'] = "1s" +# registry['default_notifications_headers'] = {} + +################################################################################ +## Error Reporting and Logging with Sentry +################################################################################ +# gitlab_rails['sentry_enabled'] = false +# gitlab_rails['sentry_dsn'] = 'https://@sentry.io/' +# gitlab_rails['sentry_clientside_dsn'] = 'https://@sentry.io/' +# gitlab_rails['sentry_environment'] = 'production' + +################################################################################ +## GitLab Workhorse +##! Docs: https://gitlab.com/gitlab-org/gitlab-workhorse/blob/master/README.md +################################################################################ + +# gitlab_workhorse['enable'] = true +# gitlab_workhorse['ha'] = false +# gitlab_workhorse['listen_network'] = "unix" +# gitlab_workhorse['listen_umask'] = 000 +# gitlab_workhorse['listen_addr'] = "/var/opt/gitlab/gitlab-workhorse/socket" +# gitlab_workhorse['auth_backend'] = "http://localhost:8080" + +##! the empty string is the default in gitlab-workhorse option parser +# gitlab_workhorse['auth_socket'] = "''" + +##! put an empty string on the command line +# gitlab_workhorse['pprof_listen_addr'] = "''" + +# gitlab_workhorse['prometheus_listen_addr'] = "localhost:9229" + +# gitlab_workhorse['dir'] = "/var/opt/gitlab/gitlab-workhorse" +# gitlab_workhorse['log_directory'] = "/var/log/gitlab/gitlab-workhorse" +# gitlab_workhorse['proxy_headers_timeout'] = "1m0s" + +##! limit number of concurrent API requests, defaults to 0 which is unlimited +# gitlab_workhorse['api_limit'] = 0 + +##! limit number of API requests allowed to be queued, defaults to 0 which +##! disables queuing +# gitlab_workhorse['api_queue_limit'] = 0 + +##! duration after which we timeout requests if they sit too long in the queue +# gitlab_workhorse['api_queue_duration'] = "30s" + +##! Long polling duration for job requesting for runners +# gitlab_workhorse['api_ci_long_polling_duration'] = "60s" + +##! Log format: default is text, can also be json or none. +# gitlab_workhorse['log_format'] = "json" + +# gitlab_workhorse['env_directory'] = "/opt/gitlab/etc/gitlab-workhorse/env" +# gitlab_workhorse['env'] = { +# 'PATH' => "/opt/gitlab/bin:/opt/gitlab/embedded/bin:/bin:/usr/bin", +# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/" +# } + +################################################################################ +## GitLab User Settings +##! Modify default git user. +##! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#changing-the-name-of-the-git-user-group +################################################################################ + +# user['username'] = "git" +# user['group'] = "git" +# user['uid'] = nil +# user['gid'] = nil + +##! The shell for the git user +# user['shell'] = "/bin/sh" + +##! The home directory for the git user +# user['home'] = "/var/opt/gitlab" + +# user['git_user_name'] = "GitLab" +# user['git_user_email'] = "gitlab@#{node['fqdn']}" + +################################################################################ +## GitLab Unicorn +##! Tweak unicorn settings. +##! Docs: https://docs.gitlab.com/omnibus/settings/unicorn.html +################################################################################ + +# unicorn['enable'] = true +# unicorn['worker_timeout'] = 60 +###! Minimum worker_processes is 2 at this moment +###! See https://gitlab.com/gitlab-org/gitlab-foss/issues/18771 +# unicorn['worker_processes'] = 2 + +### Advanced settings +# unicorn['listen'] = 'localhost' +# unicorn['port'] = 8080 +# unicorn['socket'] = '/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket' +# unicorn['pidfile'] = '/opt/gitlab/var/unicorn/unicorn.pid' +# unicorn['tcp_nopush'] = true +# unicorn['backlog_socket'] = 1024 + +###! **Make sure somaxconn is equal or higher then backlog_socket** +# unicorn['somaxconn'] = 1024 + +###! **We do not recommend changing this setting** +# unicorn['log_directory'] = "/var/log/gitlab/unicorn" + +### **Only change these settings if you understand well what they mean** +###! Docs: https://docs.gitlab.com/ee/administration/operations/unicorn.html#unicorn-worker-killer +###! https://github.com/kzk/unicorn-worker-killer +# unicorn['worker_memory_limit_min'] = "1024 * 1 << 20" +# unicorn['worker_memory_limit_max'] = "1280 * 1 << 20" + +# unicorn['exporter_enabled'] = false +# unicorn['exporter_address'] = "127.0.0.1" +# unicorn['exporter_port'] = 8083 + +################################################################################ +## GitLab Puma +##! Tweak puma settings. You should only use Unicorn or Puma, not both. +##! Docs: https://docs.gitlab.com/omnibus/settings/puma.html +################################################################################ + +# puma['enable'] = false +# puma['ha'] = false +# puma['worker_timeout'] = 60 +puma['worker_processes'] = 2 +# puma['min_threads'] = 4 +# puma['max_threads'] = 4 + +### Advanced settings +# puma['listen'] = '127.0.0.1' +# puma['port'] = 8080 +# puma['socket'] = '/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket' +# puma['pidfile'] = '/opt/gitlab/var/puma/puma.pid' +# puma['state_path'] = '/opt/gitlab/var/puma/puma.state' + +###! **We do not recommend changing this setting** +# puma['log_directory'] = "/var/log/gitlab/puma" + +### **Only change these settings if you understand well what they mean** +###! Docs: https://github.com/schneems/puma_worker_killer +# puma['per_worker_max_memory_mb'] = 850 + +# puma['exporter_enabled'] = false +# puma['exporter_address'] = "127.0.0.1" +# puma['exporter_port'] = 8083 + +################################################################################ +## GitLab Sidekiq +################################################################################ + +# sidekiq['log_directory'] = "/var/log/gitlab/sidekiq" +# sidekiq['log_format'] = "json" +# sidekiq['shutdown_timeout'] = 4 +sidekiq['concurrency'] = 9 +# sidekiq['metrics_enabled'] = true +# sidekiq['listen_address'] = "localhost" +# sidekiq['listen_port'] = 8082 + +### Experimental Sidekiq Cluster settings +###! These settings allow starting `sidekiq-cluster` instead of sidekiq. +###! Docs: https://docs.gitlab.com/ee/administration/operations/extra_sidekiq_processes.html#using-sidekiq-cluster-by-default-experimental +# sidekiq['cluster'] = false +# sidekiq['experimental_queue_selector'] = false +# sidekiq['interval'] = nil +# sidekiq['max_concurrency'] = nil +# sidekiq['min_concurrency'] = nil +# sidekiq['negate'] = false +# sidekiq['queue_groups'] = ['*'] + +################################################################################ +## gitlab-shell +################################################################################ + +# gitlab_shell['audit_usernames'] = false +# gitlab_shell['log_level'] = 'INFO' +# gitlab_shell['log_format'] = 'json' +# gitlab_shell['http_settings'] = { user: 'username', password: 'password', ca_file: '/etc/ssl/cert.pem', ca_path: '/etc/pki/tls/certs', self_signed_cert: false} +# gitlab_shell['log_directory'] = "/var/log/gitlab/gitlab-shell/" +# gitlab_shell['custom_hooks_dir'] = "/opt/gitlab/embedded/service/gitlab-shell/hooks" + +# gitlab_shell['auth_file'] = "/var/opt/gitlab/.ssh/authorized_keys" + +### Migration to Go feature flags +###! Docs: https://gitlab.com/gitlab-org/gitlab-shell#migration-to-go-feature-flags +# gitlab_shell['migration'] = { enabled: true, features: [] } + +### Git trace log file. +###! If set, git commands receive GIT_TRACE* environment variables +###! Docs: https://git-scm.com/book/es/v2/Git-Internals-Environment-Variables#Debugging +###! An absolute path starting with / – the trace output will be appended to +###! that file. It needs to exist so we can check permissions and avoid +###! throwing warnings to the users. +# gitlab_shell['git_trace_log_file'] = "/var/log/gitlab/gitlab-shell/gitlab-shell-git-trace.log" + +##! **We do not recommend changing this directory.** +# gitlab_shell['dir'] = "/var/opt/gitlab/gitlab-shell" + +################################################################ +## GitLab PostgreSQL +################################################################ + +###! Changing any of these settings requires a restart of postgresql. +###! By default, reconfigure reloads postgresql if it is running. If you +###! change any of these settings, be sure to run `gitlab-ctl restart postgresql` +###! after reconfigure in order for the changes to take effect. +# postgresql['enable'] = true +# postgresql['listen_address'] = nil +# postgresql['port'] = 5432 +# postgresql['data_dir'] = "/var/opt/gitlab/postgresql/data" + +##! **recommend value is 1/4 of total RAM, up to 14GB.** +# postgresql['shared_buffers'] = "256MB" + +### Advanced settings +# postgresql['ha'] = false +# postgresql['dir'] = "/var/opt/gitlab/postgresql" +# postgresql['log_directory'] = "/var/log/gitlab/postgresql" +# postgresql['log_destination'] = nil +# postgresql['logging_collector'] = nil +# postgresql['log_truncate_on_rotation'] = nil +# postgresql['log_rotation_age'] = nil +# postgresql['log_rotation_size'] = nil +# postgresql['username'] = "gitlab-psql" +# postgresql['group'] = "gitlab-psql" +##! `SQL_USER_PASSWORD_HASH` can be generated using the command `gitlab-ctl pg-password-md5 gitlab` +# postgresql['sql_user_password'] = 'SQL_USER_PASSWORD_HASH' +# postgresql['uid'] = nil +# postgresql['gid'] = nil +# postgresql['shell'] = "/bin/sh" +# postgresql['home'] = "/var/opt/gitlab/postgresql" +# postgresql['user_path'] = "/opt/gitlab/embedded/bin:/opt/gitlab/bin:$PATH" +# postgresql['sql_user'] = "gitlab" +# postgresql['max_connections'] = 200 +# postgresql['md5_auth_cidr_addresses'] = [] +# postgresql['trust_auth_cidr_addresses'] = [] +# postgresql['wal_buffers'] = "-1" +# postgresql['autovacuum_max_workers'] = "3" +# postgresql['autovacuum_freeze_max_age'] = "200000000" +# postgresql['log_statement'] = nil +# postgresql['track_activity_query_size'] = "1024" +# postgresql['shared_preload_libraries'] = nil +# postgresql['dynamic_shared_memory_type'] = nil +# postgresql['hot_standby'] = "off" + +### SSL settings +# See https://www.postgresql.org/docs/9.6/static/runtime-config-connection.html#GUC-SSL-CERT-FILE for more details +# postgresql['ssl'] = 'on' +# postgresql['ssl_ciphers'] = 'HIGH:MEDIUM:+3DES:!aNULL:!SSLv3:!TLSv1' +# postgresql['ssl_cert_file'] = 'server.crt' +# postgresql['ssl_key_file'] = 'server.key' +# postgresql['ssl_ca_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem' +# postgresql['ssl_crl_file'] = nil + +### Replication settings +###! Note, some replication settings do not require a full restart. They are documented below. +# postgresql['wal_level'] = "hot_standby" +# postgresql['max_wal_senders'] = 5 +# postgresql['max_replication_slots'] = 0 +# postgresql['max_locks_per_transaction'] = 128 + +# Backup/Archive settings +# postgresql['archive_mode'] = "off" + +###! Changing any of these settings only requires a reload of postgresql. You do not need to +###! restart postgresql if you change any of these and run reconfigure. +# postgresql['work_mem'] = "16MB" +# postgresql['maintenance_work_mem'] = "16MB" +# postgresql['checkpoint_segments'] = 10 +# postgresql['checkpoint_timeout'] = "5min" +# postgresql['checkpoint_completion_target'] = 0.9 +# postgresql['effective_io_concurrency'] = 1 +# postgresql['checkpoint_warning'] = "30s" +# postgresql['effective_cache_size'] = "1MB" +# postgresql['shmmax'] = 17179869184 # or 4294967295 +# postgresql['shmall'] = 4194304 # or 1048575 +# postgresql['autovacuum'] = "on" +# postgresql['log_autovacuum_min_duration'] = "-1" +# postgresql['autovacuum_naptime'] = "1min" +# postgresql['autovacuum_vacuum_threshold'] = "50" +# postgresql['autovacuum_analyze_threshold'] = "50" +# postgresql['autovacuum_vacuum_scale_factor'] = "0.02" +# postgresql['autovacuum_analyze_scale_factor'] = "0.01" +# postgresql['autovacuum_vacuum_cost_delay'] = "20ms" +# postgresql['autovacuum_vacuum_cost_limit'] = "-1" +# postgresql['statement_timeout'] = "60000" +# postgresql['idle_in_transaction_session_timeout'] = "60000" +# postgresql['log_line_prefix'] = "%a" +# postgresql['max_worker_processes'] = 8 +# postgresql['max_parallel_workers_per_gather'] = 0 +# postgresql['log_lock_waits'] = 1 +# postgresql['deadlock_timeout'] = '5s' +# postgresql['track_io_timing'] = 0 +# postgresql['default_statistics_target'] = 1000 + +### Available in PostgreSQL 9.6 and later +# postgresql['min_wal_size'] = 80MB +# postgresql['max_wal_size'] = 1GB + +# Backup/Archive settings +# postgresql['archive_command'] = nil +# postgresql['archive_timeout'] = "0" + +### Replication settings +# postgresql['sql_replication_user'] = "gitlab_replicator" +# postgresql['sql_replication_password'] = "md5 hash of postgresql password" # You can generate with `gitlab-ctl pg-password-md5 ` +# postgresql['wal_keep_segments'] = 10 +# postgresql['max_standby_archive_delay'] = "30s" +# postgresql['max_standby_streaming_delay'] = "30s" +# postgresql['synchronous_commit'] = on +# postgresql['synchronous_standby_names'] = '' +# postgresql['hot_standby_feedback'] = 'off' +# postgresql['random_page_cost'] = 2.0 +# postgresql['log_temp_files'] = -1 +# postgresql['log_checkpoints'] = 'off' +# To add custom entries to pg_hba.conf use the following +# postgresql['custom_pg_hba_entries'] = { +# APPLICATION: [ # APPLICATION should identify what the settings are used for +# { +# type: example, +# database: example, +# user: example, +# cidr: example, +# method: example, +# option: example +# } +# ] +# } +# See https://www.postgresql.org/docs/9.6/static/auth-pg-hba-conf.html for an explanation +# of the values + +### Version settings +# Set this if you have disabled the bundled PostgreSQL but still want to use the backup rake tasks +# postgresql['version'] = 10 + +################################################################################ +## GitLab Redis +##! **Can be disabled if you are using your own Redis instance.** +##! Docs: https://docs.gitlab.com/omnibus/settings/redis.html +################################################################################ + +# redis['enable'] = true +# redis['ha'] = false +# redis['hz'] = 10 +# redis['dir'] = "/var/opt/gitlab/redis" +# redis['log_directory'] = "/var/log/gitlab/redis" +# redis['username'] = "gitlab-redis" +# redis['group'] = "gitlab-redis" +# redis['maxclients'] = "10000" +# redis['maxmemory'] = "0" +# redis['maxmemory_policy'] = "noeviction" +# redis['maxmemory_samples'] = "5" +# redis['tcp_backlog'] = 511 +# redis['tcp_timeout'] = "60" +# redis['tcp_keepalive'] = "300" +# redis['uid'] = nil +# redis['gid'] = nil + +### Disable or obfuscate unnecessary redis command names +### Uncomment and edit this block to add or remove entries. +### See https://docs.gitlab.com/omnibus/settings/redis.html#renamed-commands +### for detailed usage +### +# redis['rename_commands'] = { +# 'KEYS': '' +#} +# + +###! **To enable only Redis service in this machine, uncomment +###! one of the lines below (choose master or slave instance types).** +###! Docs: https://docs.gitlab.com/omnibus/settings/redis.html +###! https://docs.gitlab.com/ee/administration/high_availability/redis.html +# redis_master_role['enable'] = true +# redis_slave_role['enable'] = true + +### Redis TCP support (will disable UNIX socket transport) +# redis['bind'] = '0.0.0.0' # or specify an IP to bind to a single one +# redis['port'] = 6379 +# redis['password'] = 'redis-password-goes-here' + +### Redis Sentinel support +###! **You need a master slave Redis replication to be able to do failover** +###! **Please read the documentation before enabling it to understand the +###! caveats:** +###! Docs: https://docs.gitlab.com/ee/administration/high_availability/redis.html + +### Replication support +#### Slave Redis instance +# redis['master'] = false # by default this is true + +#### Slave and Sentinel shared configuration +####! **Both need to point to the master Redis instance to get replication and +####! heartbeat monitoring** +# redis['master_name'] = 'gitlab-redis' +# redis['master_ip'] = nil +# redis['master_port'] = 6379 + +#### Support to run redis slaves in a Docker or NAT environment +####! Docs: https://redis.io/topics/replication#configuring-replication-in-docker-and-nat +# redis['announce_ip'] = nil +# redis['announce_port'] = nil + +####! **Master password should have the same value defined in +####! redis['password'] to enable the instance to transition to/from +####! master/slave in a failover event.** +# redis['master_password'] = 'redis-password-goes-here' + +####! Increase these values when your slaves can't catch up with master +# redis['client_output_buffer_limit_normal'] = '0 0 0' +# redis['client_output_buffer_limit_slave'] = '256mb 64mb 60' +# redis['client_output_buffer_limit_pubsub'] = '32mb 8mb 60' + +#####! Redis snapshotting frequency +#####! Set to [] to disable +#####! Set to [''] to clear previously set values +# redis['save'] = [ '900 1', '300 10', '60 10000' ] + +#####! Redis lazy freeing +#####! Defaults to false +# redis['lazyfree_lazy_eviction'] = true +# redis['lazyfree_lazy_expire'] = true +# redis['lazyfree_lazy_server_del'] = true +# redis['replica_lazy_flush'] = true + +################################################################################ +## GitLab Web server +##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#using-a-non-bundled-web-server +################################################################################ + +##! When bundled nginx is disabled we need to add the external webserver user to +##! the GitLab webserver group. +# web_server['external_users'] = ['www-data'] +# web_server['username'] = 'gitlab-www' +# web_server['group'] = 'gitlab-www' +# web_server['uid'] = nil +# web_server['gid'] = nil +# web_server['shell'] = '/bin/false' +# web_server['home'] = '/var/opt/gitlab/nginx' + +################################################################################ +## GitLab NGINX +##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html +################################################################################ + +# nginx['enable'] = false +# nginx['client_max_body_size'] = '250m' +# nginx['redirect_http_to_https'] = false +# nginx['redirect_http_to_https_port'] = 80 + +##! Most root CA's are included by default +# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt" + +##! enable/disable 2-way SSL client authentication +# nginx['ssl_verify_client'] = "off" + +##! if ssl_verify_client on, verification depth in the client certificates chain +# nginx['ssl_verify_depth'] = "1" + +# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt" +# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key" +# nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256" +# nginx['ssl_prefer_server_ciphers'] = "on" + +##! **Recommended by: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html +##! https://cipherli.st/** +# nginx['ssl_protocols'] = "TLSv1.2 TLSv1.3" + +##! **Recommended in: https://nginx.org/en/docs/http/ngx_http_ssl_module.html** +# nginx['ssl_session_cache'] = "builtin:1000 shared:SSL:10m" + +##! **Default according to https://nginx.org/en/docs/http/ngx_http_ssl_module.html** +# nginx['ssl_session_timeout'] = "5m" + +# nginx['ssl_dhparam'] = nil # Path to dhparams.pem, eg. /etc/gitlab/ssl/dhparams.pem +# nginx['listen_addresses'] = ['*', '[::]'] + +##! **Defaults to forcing web browsers to always communicate using only HTTPS** +##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-http-strict-transport-security +# nginx['hsts_max_age'] = 31536000 +# nginx['hsts_include_subdomains'] = false + +##! Defaults to stripping path information when making cross-origin requests +# nginx['referrer_policy'] = 'strict-origin-when-cross-origin' + +##! **Docs: http://nginx.org/en/docs/http/ngx_http_gzip_module.html** +# nginx['gzip_enabled'] = true + +##! **Override only if you use a reverse proxy** +##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-nginx-listen-port +# nginx['listen_port'] = nil + +##! **Override only if your reverse proxy internally communicates over HTTP** +##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl +# nginx['listen_https'] = nil + +# nginx['custom_gitlab_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n" +# nginx['custom_nginx_config'] = "include /home/pi/nginx.conf;" +# nginx['proxy_read_timeout'] = 3600 +# nginx['proxy_connect_timeout'] = 300 +# nginx['proxy_set_headers'] = { +# "Host" => "$http_host_with_default", +# "X-Real-IP" => "$remote_addr", +# "X-Forwarded-For" => "$proxy_add_x_forwarded_for", +# "X-Forwarded-Proto" => "https", +# "X-Forwarded-Ssl" => "on", +# "Upgrade" => "$http_upgrade", +# "Connection" => "$connection_upgrade" +# } +# nginx['proxy_cache_path'] = 'proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2' +# nginx['proxy_cache'] = 'gitlab' +# nginx['http2_enabled'] = true +# nginx['real_ip_trusted_addresses'] = [] +# nginx['real_ip_header'] = nil +# nginx['real_ip_recursive'] = nil +# nginx['custom_error_pages'] = { +# '404' => { +# 'title' => 'Example title', +# 'header' => 'Example header', +# 'message' => 'Example message' +# } +# } + +### Advanced settings +# nginx['dir'] = "/var/opt/gitlab/nginx" +# nginx['log_directory'] = "/var/log/gitlab/nginx" +# nginx['worker_processes'] = 4 +# nginx['worker_connections'] = 10240 +# nginx['log_format'] = '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"' +# nginx['sendfile'] = 'on' +# nginx['tcp_nopush'] = 'on' +# nginx['tcp_nodelay'] = 'on' +# nginx['gzip'] = "on" +# nginx['gzip_http_version'] = "1.0" +# nginx['gzip_comp_level'] = "2" +# nginx['gzip_proxied'] = "any" +# nginx['gzip_types'] = [ "text/plain", "text/css", "application/x-javascript", "text/xml", "application/xml", "application/xml+rss", "text/javascript", "application/json" ] +# nginx['keepalive_timeout'] = 65 +# nginx['cache_max_size'] = '5000m' +# nginx['server_names_hash_bucket_size'] = 64 +##! These paths have proxy_request_buffering disabled +# nginx['request_buffering_off_path_regex'] = "\.git/git-receive-pack$|\.git/info/refs?service=git-receive-pack$|\.git/gitlab-lfs/objects|\.git/info/lfs/objects/batch$" + +### Nginx status +# nginx['status'] = { +# "enable" => true, +# "listen_addresses" => ["127.0.0.1"], +# "fqdn" => "dev.example.com", +# "port" => 9999, +# "vts_enable" => true, +# "options" => { +# "stub_status" => "on", # Turn on stats +# "server_tokens" => "off", # Don't show the version of NGINX +# "access_log" => "off", # Disable logs for stats +# "allow" => "127.0.0.1", # Only allow access from localhost +# "deny" => "all" # Deny access to anyone else +# } +# } + +################################################################################ +## GitLab Logging +##! Docs: https://docs.gitlab.com/omnibus/settings/logs.html +################################################################################ + +# logging['svlogd_size'] = 200 * 1024 * 1024 # rotate after 200 MB of log data +# logging['svlogd_num'] = 30 # keep 30 rotated log files +# logging['svlogd_timeout'] = 24 * 60 * 60 # rotate after 24 hours +# logging['svlogd_filter'] = "gzip" # compress logs with gzip +# logging['svlogd_udp'] = nil # transmit log messages via UDP +# logging['svlogd_prefix'] = nil # custom prefix for log messages +# logging['logrotate_frequency'] = "daily" # rotate logs daily +# logging['logrotate_maxsize'] = nil # rotate logs when they grow bigger than size bytes even before the specified time interval (daily, weekly, monthly, or yearly) +# logging['logrotate_size'] = nil # do not rotate by size by default +# logging['logrotate_rotate'] = 30 # keep 30 rotated logs +# logging['logrotate_compress'] = "compress" # see 'man logrotate' +# logging['logrotate_method'] = "copytruncate" # see 'man logrotate' +# logging['logrotate_postrotate'] = nil # no postrotate command by default +# logging['logrotate_dateformat'] = nil # use date extensions for rotated files rather than numbers e.g. a value of "-%Y-%m-%d" would give rotated files like production.log-2016-03-09.gz + +### UDP log forwarding +##! Docs: http://docs.gitlab.com/omnibus/settings/logs.html#udp-log-forwarding + +##! remote host to ship log messages to via UDP +# logging['udp_log_shipping_host'] = nil + +##! override the hostname used when logs are shipped via UDP, +## by default the system hostname will be used. +# logging['udp_log_shipping_hostname'] = nil + +##! remote port to ship log messages to via UDP +# logging['udp_log_shipping_port'] = 514 + +################################################################################ +## Logrotate +##! Docs: https://docs.gitlab.com/omnibus/settings/logs.html#logrotate +##! You can disable built in logrotate feature. +################################################################################ +# logrotate['enable'] = true +# logrotate['log_directory'] = "/var/log/gitlab/logrotate" + +################################################################################ +## Users and groups accounts +##! Disable management of users and groups accounts. +##! **Set only if creating accounts manually** +##! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#disable-user-and-group-account-management +################################################################################ + +# manage_accounts['enable'] = false + +################################################################################ +## Storage directories +##! Disable managing storage directories +##! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#disable-storage-directories-management +################################################################################ + +##! **Set only if the select directories are created manually** +# manage_storage_directories['enable'] = false +# manage_storage_directories['manage_etc'] = false + +################################################################################ +## Runtime directory +##! Docs: https://docs.gitlab.com//omnibus/settings/configuration.html#configuring-runtime-directory +################################################################################ + +# runtime_dir '/run' + +################################################################################ +## Git +##! Advanced setting for configuring git system settings for omnibus-gitlab +##! internal git +################################################################################ + +##! For multiple options under one header use array of comma separated values, +##! eg.: +##! { "receive" => ["fsckObjects = true"], "alias" => ["st = status", "co = checkout"] } + +# omnibus_gitconfig['system'] = { +# "pack" => ["threads = 1", "useSparse = true"], +# "receive" => ["fsckObjects = true", "advertisePushOptions = true"], +# "repack" => ["writeBitmaps = true"], +# "transfer" => ["hideRefs=^refs/tmp/", "hideRefs=^refs/keep-around/", "hideRefs=^refs/remotes/"], +# "core" => [ +# 'alternateRefsCommand="exit 0 #"', +# "fsyncObjectFiles = true" +# ], +# "fetch" => ["writeCommitGraph = true"] +# } + +################################################################################ +## GitLab Pages +##! Docs: https://docs.gitlab.com/ee/pages/administration.html +################################################################################ + +##! Define to enable GitLab Pages +# pages_external_url "http://pages.example.com/" +# gitlab_pages['enable'] = false + +##! Configure to expose GitLab Pages on external IP address, serving the HTTP +# gitlab_pages['external_http'] = [] + +##! Configure to expose GitLab Pages on external IP address, serving the HTTPS +# gitlab_pages['external_https'] = [] + +##! Configure to use the default list of cipher suites +# gitlab_pages['insecure_ciphers'] = false + +##! Configure to enable health check endpoint on GitLab Pages +# gitlab_pages['status_uri'] = "/@status" + +##! Tune the maximum number of concurrent connections GitLab Pages will handle. +##! This should be in the range 1 - 10000, defaulting to 5000. +# gitlab_pages['max_connections'] = 5000 + +##! Configure to use JSON structured logging in GitLab Pages +# gitlab_pages['log_format'] = "json" + +##! Configure verbose logging for GitLab Pages +# gitlab_pages['log_verbose'] = false + +##! Error Reporting and Logging with Sentry +# gitlab_pages['sentry_enabled'] = false +# gitlab_pages['sentry_dsn'] = 'https://@sentry.io/' +# gitlab_pages['sentry_environment'] = 'production' + +##! Listen for requests forwarded by reverse proxy +# gitlab_pages['listen_proxy'] = "localhost:8090" + +##! Configure GitLab Pages to use an HTTP Proxy +# gitlab_pages['http_proxy'] = "http://example:8080" + +# gitlab_pages['redirect_http'] = true +# gitlab_pages['use_http2'] = true +# gitlab_pages['dir'] = "/var/opt/gitlab/gitlab-pages" +# gitlab_pages['log_directory'] = "/var/log/gitlab/gitlab-pages" + +# gitlab_pages['artifacts_server'] = true +# gitlab_pages['artifacts_server_url'] = nil # Defaults to external_url + '/api/v4' +# gitlab_pages['artifacts_server_timeout'] = 10 + +##! Environments that do not support bind-mounting should set this parameter to +##! true. This is incompatible with the artifacts server +# gitlab_pages['inplace_chroot'] = false + +##! Prometheus metrics for Pages docs: https://gitlab.com/gitlab-org/gitlab-pages/#enable-prometheus-metrics +# gitlab_pages['metrics_address'] = ":9235" + +##! Specifies the minimum SSL/TLS version ("ssl3", "tls1.0", "tls1.1" or "tls1.2") +# gitlab_pages['tls_min_version'] = "ssl3" + +##! Specifies the maximum SSL/TLS version ("ssl3", "tls1.0", "tls1.1" or "tls1.2") +# gitlab_pages['tls_max_version'] = "tls1.2" + +##! Pages access control +# gitlab_pages['access_control'] = false +# gitlab_pages['gitlab_id'] = nil # Automatically generated if not present +# gitlab_pages['gitlab_secret'] = nil # Generated if not present +# gitlab_pages['auth_redirect_uri'] = nil # Defaults to projects subdomain of pages_external_url and + '/auth' +# gitlab_pages['gitlab_server'] = nil # Defaults to external_url +# gitlab_pages['auth_secret'] = nil # Generated if not present + +##! GitLab API HTTP client connection timeout +# gitlab_pages['gitlab_client_http_timeout'] = "10s" + +##! GitLab API JWT Token expiry time" +# gitlab_pages['gitlab_client_jwt_expiry'] = "30s" + +##! Define custom gitlab-pages HTTP headers for the whole instance +# gitlab_pages['headers'] = [] + +##! Shared secret used for authentication between Pages and GitLab +# gitlab_pages['api_secret_key'] = nil # Will be generated if not set. Base64 encoded and exactly 32 bytes long. + +################################################################################ +## GitLab Pages NGINX +################################################################################ + +# All the settings defined in the "GitLab Nginx" section are also available in +# this "GitLab Pages NGINX" section, using the key `pages_nginx`. However, +# those settings should be explicitly set. That is, settings given as +# `nginx['some_setting']` WILL NOT be automatically replicated as +# `pages_nginx['some_setting']` and should be set separately. + +# Below you can find settings that are exclusive to "GitLab Pages NGINX" +# pages_nginx['enable'] = false + +# gitlab_rails['pages_path'] = "/var/opt/gitlab/gitlab-rails/shared/pages" + +################################################################################ +## GitLab CI +##! Docs: https://docs.gitlab.com/ee/ci/quick_start/README.html +################################################################################ + +# gitlab_ci['gitlab_ci_all_broken_builds'] = true +# gitlab_ci['gitlab_ci_add_pusher'] = true +# gitlab_ci['builds_directory'] = '/var/opt/gitlab/gitlab-ci/builds' + +################################################################################ +## GitLab Mattermost +##! Docs: https://docs.gitlab.com/omnibus/gitlab-mattermost +################################################################################ + +# mattermost_external_url 'http://mattermost.example.com' + +# mattermost['enable'] = false +# mattermost['username'] = 'mattermost' +# mattermost['group'] = 'mattermost' +# mattermost['uid'] = nil +# mattermost['gid'] = nil +# mattermost['home'] = '/var/opt/gitlab/mattermost' +# mattermost['database_name'] = 'mattermost_production' +# mattermost['env'] = { +# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/" +# } +# mattermost['service_address'] = "127.0.0.1" +# mattermost['service_port'] = "8065" +# mattermost['service_site_url'] = nil +# mattermost['service_allowed_untrusted_internal_connections'] = "" +# mattermost['service_enable_api_team_deletion'] = true +# mattermost['team_site_name'] = "GitLab Mattermost" +# mattermost['sql_driver_name'] = 'mysql' +# mattermost['sql_data_source'] = "mmuser:mostest@tcp(dockerhost:3306)/mattermost_test?charset=utf8mb4,utf8" +# mattermost['log_file_directory'] = '/var/log/gitlab/mattermost/' +# mattermost['gitlab_enable'] = false +# mattermost['gitlab_id'] = "12345656" +# mattermost['gitlab_secret'] = "123456789" +# mattermost['gitlab_scope'] = "" +# mattermost['gitlab_auth_endpoint'] = "http://gitlab.example.com/oauth/authorize" +# mattermost['gitlab_token_endpoint'] = "http://gitlab.example.com/oauth/token" +# mattermost['gitlab_user_api_endpoint'] = "http://gitlab.example.com/api/v4/user" +# mattermost['file_directory'] = "/var/opt/gitlab/mattermost/data" +# mattermost['plugin_directory'] = "/var/opt/gitlab/mattermost/plugins" +# mattermost['plugin_client_directory'] = "/var/opt/gitlab/mattermost/client-plugins" + +################################################################################ +## Mattermost NGINX +################################################################################ + +# All the settings defined in the "GitLab Nginx" section are also available in +# this "Mattermost NGINX" section, using the key `mattermost_nginx`. However, +# those settings should be explicitly set. That is, settings given as +# `nginx['some_setting']` WILL NOT be automatically replicated as +# `mattermost_nginx['some_setting']` and should be set separately. + +# Below you can find settings that are exclusive to "Mattermost NGINX" +# mattermost_nginx['enable'] = false + +# mattermost_nginx['custom_gitlab_mattermost_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n" +# mattermost_nginx['proxy_set_headers'] = { +# "Host" => "$http_host", +# "X-Real-IP" => "$remote_addr", +# "X-Forwarded-For" => "$proxy_add_x_forwarded_for", +# "X-Frame-Options" => "SAMEORIGIN", +# "X-Forwarded-Proto" => "https", +# "X-Forwarded-Ssl" => "on", +# "Upgrade" => "$http_upgrade", +# "Connection" => "$connection_upgrade" +# } + + +################################################################################ +## Registry NGINX +################################################################################ + +# All the settings defined in the "GitLab Nginx" section are also available in +# this "Registry NGINX" section, using the key `registry_nginx`. However, those +# settings should be explicitly set. That is, settings given as +# `nginx['some_setting']` WILL NOT be automatically replicated as +# `registry_nginx['some_setting']` and should be set separately. + +# Below you can find settings that are exclusive to "Registry NGINX" +# registry_nginx['enable'] = false + +# registry_nginx['proxy_set_headers'] = { +# "Host" => "$http_host", +# "X-Real-IP" => "$remote_addr", +# "X-Forwarded-For" => "$proxy_add_x_forwarded_for", +# "X-Forwarded-Proto" => "https", +# "X-Forwarded-Ssl" => "on" +# } + +# When the registry is automatically enabled using the same domain as `external_url`, +# it listens on this port +# registry_nginx['listen_port'] = 5050 + +################################################################################ +## Prometheus +##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/ +################################################################################ + +###! **To enable only Monitoring service in this machine, uncomment +###! the line below.** +###! Docs: https://docs.gitlab.com/ee/administration/high_availability +# monitoring_role['enable'] = true + +# prometheus['enable'] = true +# prometheus['monitor_kubernetes'] = true +# prometheus['username'] = 'gitlab-prometheus' +# prometheus['group'] = 'gitlab-prometheus' +# prometheus['uid'] = nil +# prometheus['gid'] = nil +# prometheus['shell'] = '/bin/sh' +# prometheus['home'] = '/var/opt/gitlab/prometheus' +# prometheus['log_directory'] = '/var/log/gitlab/prometheus' +# prometheus['rules_files'] = ['/var/opt/gitlab/prometheus/rules/*.rules'] +# prometheus['scrape_interval'] = 15 +# prometheus['scrape_timeout'] = 15 +# prometheus['env_directory'] = '/opt/gitlab/etc/prometheus/env' +# prometheus['env'] = { +# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/" +# } +# +### Custom scrape configs +# +# Prometheus can scrape additional jobs via scrape_configs. The default automatically +# includes all of the exporters supported by the omnibus config. +# +# See: https://prometheus.io/docs/operating/configuration/# +# +# Example: +# +# prometheus['scrape_configs'] = [ +# { +# 'job_name': 'example', +# 'static_configs' => [ +# 'targets' => ['hostname:port'], +# ], +# }, +# ] +# +### Custom alertmanager config +# +# To configure external alertmanagers, create an alertmanager config. +# +# See: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config +# +# prometheus['alertmanagers'] = [ +# { +# 'static_configs' => [ +# { +# 'targets' => [ +# 'hostname:port' +# ] +# } +# ] +# } +# ] +# +### Custom Prometheus flags +# +# prometheus['flags'] = { +# 'storage.tsdb.path' => "/var/opt/gitlab/prometheus/data", +# 'storage.tsdb.retention.time' => "15d", +# 'config.file' => "/var/opt/gitlab/prometheus/prometheus.yml" +# } + +##! Advanced settings. Should be changed only if absolutely needed. +# prometheus['listen_address'] = 'localhost:9090' + +################################################################################ +## Prometheus Alertmanager +################################################################################ + +# alertmanager['enable'] = true +# alertmanager['home'] = '/var/opt/gitlab/alertmanager' +# alertmanager['log_directory'] = '/var/log/gitlab/alertmanager' +# alertmanager['admin_email'] = 'admin@example.com' +# alertmanager['flags'] = { +# 'web.listen-address' => "localhost:9093" +# 'storage.path' => "/var/opt/gitlab/alertmanager/data" +# 'config.file' => "/var/opt/gitlab/alertmanager/alertmanager.yml" +# } +# alertmanager['env_directory'] = '/opt/gitlab/etc/alertmanager/env' +# alertmanager['env'] = { +# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/" +# } + +##! Advanced settings. Should be changed only if absolutely needed. +# alertmanager['listen_address'] = 'localhost:9093' +# alertmanager['global'] = {} + +################################################################################ +## Prometheus Node Exporter +##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/node_exporter.html +################################################################################ + +# node_exporter['enable'] = true +# node_exporter['home'] = '/var/opt/gitlab/node-exporter' +# node_exporter['log_directory'] = '/var/log/gitlab/node-exporter' +# node_exporter['flags'] = { +# 'collector.textfile.directory' => "/var/opt/gitlab/node-exporter/textfile_collector" +# } +# node_exporter['env_directory'] = '/opt/gitlab/etc/node-exporter/env' +# node_exporter['env'] = { +# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/" +# } + +##! Advanced settings. Should be changed only if absolutely needed. +# node_exporter['listen_address'] = 'localhost:9100' + +################################################################################ +## Prometheus Redis exporter +##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/redis_exporter.html +################################################################################ + +# redis_exporter['enable'] = true +# redis_exporter['log_directory'] = '/var/log/gitlab/redis-exporter' +# redis_exporter['flags'] = { +# 'redis.addr' => "unix:///var/opt/gitlab/redis/redis.socket", +# } +# redis_exporter['env_directory'] = '/opt/gitlab/etc/redis-exporter/env' +# redis_exporter['env'] = { +# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/" +# } + +##! Advanced settings. Should be changed only if absolutely needed. +# redis_exporter['listen_address'] = 'localhost:9121' + +################################################################################ +## Prometheus Postgres exporter +##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/postgres_exporter.html +################################################################################ + +# postgres_exporter['enable'] = true +# postgres_exporter['home'] = '/var/opt/gitlab/postgres-exporter' +# postgres_exporter['log_directory'] = '/var/log/gitlab/postgres-exporter' +# postgres_exporter['flags'] = {} +# postgres_exporter['listen_address'] = 'localhost:9187' +# postgres_exporter['env_directory'] = '/opt/gitlab/etc/postgres-exporter/env' +# postgres_exporter['env'] = { +# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/" +# } +# postgres_exporter['sslmode'] = nil + +################################################################################ +## Prometheus PgBouncer exporter (EE only) +##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/pgbouncer_exporter.html +################################################################################ + +# pgbouncer_exporter['enable'] = false +# pgbouncer_exporter['log_directory'] = "/var/log/gitlab/pgbouncer-exporter" +# pgbouncer_exporter['listen_address'] = 'localhost:9188' +# pgbouncer_exporter['env_directory'] = '/opt/gitlab/etc/pgbouncer-exporter/env' +# pgbouncer_exporter['env'] = { +# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/" +# } + +################################################################################ +## Prometheus Gitlab exporter +##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/gitlab_exporter.html +################################################################################ + + +# gitlab_exporter['enable'] = true +# gitlab_exporter['log_directory'] = "/var/log/gitlab/gitlab-exporter" +# gitlab_exporter['home'] = "/var/opt/gitlab/gitlab-exporter" + +##! Advanced settings. Should be changed only if absolutely needed. +# gitlab_exporter['listen_address'] = 'localhost' +# gitlab_exporter['listen_port'] = '9168' + +##! Manage gitlab-exporter sidekiq probes. false by default when Sentinels are +##! found. +# gitlab_exporter['probe_sidekiq'] = true + +# To completely disable prometheus, and all of it's exporters, set to false +prometheus_monitoring['enable'] = false + +################################################################################ +## Grafana Dashboards +##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/#prometheus-as-a-grafana-data-source +################################################################################ + +# grafana['enable'] = true +# grafana['log_directory'] = '/var/log/gitlab/grafana' +# grafana['home'] = '/var/opt/gitlab/grafana' +# grafana['admin_password'] = 'admin' +# grafana['allow_user_sign_up'] = false +# grafana['basic_auth_enabled'] = false +# grafana['disable_login_form'] = true +# grafana['gitlab_application_id'] = 'GITLAB_APPLICATION_ID' +# grafana['gitlab_secret'] = 'GITLAB_SECRET' +# grafana['env_directory'] = '/opt/gitlab/etc/grafana/env' +# grafana['allowed_groups'] = [] +# grafana['gitlab_auth_sign_up'] = true +# grafana['env'] = { +# 'SSL_CERT_DIR' => "#{node['package']['install-dir']}/embedded/ssl/certs/" +# } +# grafana['metrics_enabled'] = false +# grafana['metrics_basic_auth_username'] = 'grafana_metrics' # default: nil +# grafana['metrics_basic_auth_password'] = 'please_set_a_unique_password' # default: nil + +### Dashboards +# +# See: http://docs.grafana.org/administration/provisioning/#dashboards +# +# NOTE: Setting this will override the default. +# +# grafana['dashboards'] = [ +# { +# 'name' => 'GitLab Omnibus', +# 'orgId' => 1, +# 'folder' => 'GitLab Omnibus', +# 'type' => 'file', +# 'disableDeletion' => true, +# 'updateIntervalSeconds' => 600, +# 'options' => { +# 'path' => '/opt/gitlab/embedded/service/grafana-dashboards', +# } +# } +# ] + +### Datasources +# +# See: http://docs.grafana.org/administration/provisioning/#example-datasource-config-file +# +# NOTE: Setting this will override the default. +# +# grafana['datasources'] = [ +# { +# 'name' => 'GitLab Omnibus', +# 'type' => 'prometheus', +# 'access' => 'proxy', +# 'url' => 'http://localhost:9090' +# } +# ] + +##! Advanced settings. Should be changed only if absolutely needed. +# grafana['http_addr'] = 'localhost' +# grafana['http_port'] = 3000 + +################################################################################ +## Gitaly +##! Docs: +################################################################################ + +# The gitaly['enable'] option exists for the purpose of cluster +# deployments, see https://docs.gitlab.com/ee/administration/gitaly/index.html . +# gitaly['enable'] = true +# gitaly['dir'] = "/var/opt/gitlab/gitaly" +# gitaly['log_directory'] = "/var/log/gitlab/gitaly" +# gitaly['bin_path'] = "/opt/gitlab/embedded/bin/gitaly" +# gitaly['env_directory'] = "/opt/gitlab/etc/gitaly/env" +# gitaly['env'] = { +# 'PATH' => "/opt/gitlab/bin:/opt/gitlab/embedded/bin:/bin:/usr/bin", +# 'HOME' => '/var/opt/gitlab' +# } + +##! internal_socket_dir is the directory that will contain internal gitaly sockets, +##! separate from socket_path which is the socket that external clients listen on + +# gitaly['internal_socket_dir'] = "/var/opt/gitlab/gitaly" +# gitaly['socket_path'] = "/var/opt/gitlab/gitaly/gitaly.socket" +# gitaly['listen_addr'] = "localhost:8075" +# gitaly['tls_listen_addr'] = "localhost:9075" +# gitaly['certificate_path'] = "/var/opt/gitlab/gitaly/certificate.pem" +# gitaly['key_path'] = "/var/opt/gitlab/gitaly/key.pem" +# gitaly['prometheus_listen_addr'] = "localhost:9236" +# gitaly['logging_level'] = "warn" +# gitaly['logging_format'] = "json" +# gitaly['logging_sentry_dsn'] = "https://:@sentry.io/" +# gitaly['logging_ruby_sentry_dsn'] = "https://:@sentry.io/" +# gitaly['logging_sentry_environment'] = "production" +# gitaly['prometheus_grpc_latency_buckets'] = "[0.001, 0.005, 0.025, 0.1, 0.5, 1.0, 10.0, 30.0, 60.0, 300.0, 1500.0]" +# gitaly['auth_token'] = '' +# gitaly['auth_transitioning'] = false # When true, auth is logged to Prometheus but NOT enforced +# gitaly['graceful_restart_timeout'] = '1m' # Grace time for a gitaly process to finish ongoing requests +# gitaly['git_catfile_cache_size'] = 100 # Number of 'git cat-file' processes kept around for re-use +# gitaly['open_files_ulimit'] = 15000 # Maximum number of open files allowed for the gitaly process +# gitaly['ruby_max_rss'] = 300000000 # RSS threshold in bytes for triggering a gitaly-ruby restart +# gitaly['ruby_graceful_restart_timeout'] = '10m' # Grace time for a gitaly-ruby process to finish ongoing requests +# gitaly['ruby_restart_delay'] = '5m' # Period of sustained high RSS that needs to be observed before restarting gitaly-ruby +# gitaly['ruby_rugged_git_config_search_path'] = "/opt/gitlab/embedded/etc" # Location of system-wide gitconfig file +# gitaly['ruby_num_workers'] = 3 # Number of gitaly-ruby worker processes. Minimum 2, default 2. +# gitaly['concurrency'] = [ +# { +# 'rpc' => "/gitaly.SmartHTTPService/PostReceivePack", +# 'max_per_repo' => 20 +# }, { +# 'rpc' => "/gitaly.SSHService/SSHUploadPack", +# 'max_per_repo' => 5 +# } +# ] + +################################################################################ +## Praefect +##! Docs: https://gitlab.com/gitlab-org/gitaly/blob/master/doc/design_ha.md +################################################################################ + +# praefect['enable'] = false +# praefect['virtual_storage_name'] = "praefect" +# praefect['failover_enabled'] = false +# praefect['failover_election_strategy'] = 'local' +# praefect['auth_token'] = "" +# praefect['auth_transitioning'] = false +# praefect['listen_addr'] = "localhost:2305" +# praefect['postgres_queue_enabled'] = false +# praefect['prometheus_listen_addr'] = "localhost:9652" +# praefect['prometheus_grpc_latency_buckets'] = "[0.001, 0.005, 0.025, 0.1, 0.5, 1.0, 10.0, 30.0, 60.0, 300.0, 1500.0]" +# praefect['logging_level'] = "warn" +# praefect['logging_format'] = "json" +# praefect['virtual_storages'] = { +# 'default' => { +# 'praefect-internal-0' => { +# 'address' => 'tcp://10.23.56.78:8075', +# 'token' => 'abc123' +# }, +# 'praefect-internal-1' => { +# 'address' => 'tcp://10.76.23.31:8075', +# 'token' => 'xyz456' +# } +# }, +# 'alternative' => { +# 'praefect-internal-2' => { +# 'address' => 'tcp://10.34.1.16:8075', +# 'token' => 'abc321' +# }, +# 'praefect-internal-3' => { +# 'address' => 'tcp://10.23.18.6:8075', +# 'token' => 'xyz890' +# } +# } +# } +# praefect['sentry_dsn'] = "https://:@sentry.io/" +# praefect['sentry_environment'] = "production" +# praefect['database_host'] = 'postgres.internal' +# praefect['database_port'] = 5432 +# praefect['database_user'] = 'praefect' +# praefect['database_password'] = 'secret' +# praefect['database_dbname'] = 'praefect_production' +# praefect['database_sslmode'] = 'disable' +# praefect['database_sslcert'] = '/path/to/client-cert' +# praefect['database_sslkey'] = '/path/to/client-key' +# praefect['database_sslrootcert'] = '/path/to/rootcert' + +################################################################################ +# Storage check +################################################################################ +# storage_check['enable'] = false +# storage_check['target'] = 'unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket' +# storage_check['log_directory'] = '/var/log/gitlab/storage-check' + +################################################################################ +# Let's Encrypt integration +################################################################################ +# letsencrypt['enable'] = nil +# letsencrypt['contact_emails'] = [] # This should be an array of email addresses to add as contacts +# letsencrypt['group'] = 'root' +# letsencrypt['key_size'] = 2048 +# letsencrypt['owner'] = 'root' +# letsencrypt['wwwroot'] = '/var/opt/gitlab/nginx/www' +# See http://docs.gitlab.com/omnibus/settings/ssl.html#automatic-renewal for more on these sesttings +# letsencrypt['auto_renew'] = true +# letsencrypt['auto_renew_hour'] = 0 +# letsencrypt['auto_renew_minute'] = nil # Should be a number or cron expression, if specified. +# letsencrypt['auto_renew_day_of_month'] = "*/4" + +##! Turn off automatic init system detection. To skip init detection in +##! non-docker containers. Recommended not to change. +# package['detect_init'] = true + +##! Specify maximum number of tasks that can be created by the systemd unit +##! Will be populated as TasksMax value to the unit file if user is on a systemd +##! version that supports it (>= 227). Will be a no-op if user is not on systemd. +# package['systemd_tasks_max'] = 4915 + +##! Settings to configure order of GitLab's systemd unit. +##! Note: We do not recommend changing these values unless absolutely necessary +# package['systemd_after'] = 'multi-user.target' +# package['systemd_wanted_by'] = 'multi-user.target' +################################################################################ +################################################################################ +## Configuration Settings for GitLab EE only ## +################################################################################ +################################################################################ + + +################################################################################ +## Auxiliary cron jobs applicable to GitLab EE only +################################################################################ +# +# gitlab_rails['geo_file_download_dispatch_worker_cron'] = "*/10 * * * *" +# gitlab_rails['geo_repository_sync_worker_cron'] = "*/5 * * * *" +# gitlab_rails['geo_secondary_registry_consistency_worker'] = "* * * * *" +# gitlab_rails['geo_prune_event_log_worker_cron'] = "*/5 * * * *" +# gitlab_rails['geo_repository_verification_primary_batch_worker_cron'] = "*/5 * * * *" +# gitlab_rails['geo_repository_verification_secondary_scheduler_worker_cron'] = "*/5 * * * *" +# gitlab_rails['geo_migrated_local_files_clean_up_worker_cron'] = "15 */6 * * *" +# gitlab_rails['ldap_sync_worker_cron'] = "30 1 * * *" +# gitlab_rails['ldap_group_sync_worker_cron'] = "0 * * * *" +# gitlab_rails['historical_data_worker_cron'] = "0 12 * * *" +# gitlab_rails['pseudonymizer_worker_cron'] = "0 23 * * *" +# gitlab_rails['elastic_index_bulk_cron'] = "*/1 * * * *" + +################################################################################ +## Kerberos (EE Only) +##! Docs: https://docs.gitlab.com/ee/integration/kerberos.html#http-git-access +################################################################################ + +# gitlab_rails['kerberos_enabled'] = true +# gitlab_rails['kerberos_keytab'] = /etc/http.keytab +# gitlab_rails['kerberos_service_principal_name'] = HTTP/gitlab.example.com@EXAMPLE.COM +# gitlab_rails['kerberos_use_dedicated_port'] = true +# gitlab_rails['kerberos_port'] = 8443 +# gitlab_rails['kerberos_https'] = true + +################################################################################ +## Package repository (EE Only) +##! Docs: https://docs.gitlab.com/ee/administration/maven_packages.md +################################################################################ + +# gitlab_rails['packages_enabled'] = true +# gitlab_rails['packages_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/packages" +# gitlab_rails['packages_object_store_enabled'] = false +# gitlab_rails['packages_object_store_direct_upload'] = false +# gitlab_rails['packages_object_store_background_upload'] = true +# gitlab_rails['packages_object_store_proxy_download'] = false +# gitlab_rails['packages_object_store_remote_directory'] = "packages" +# gitlab_rails['packages_object_store_connection'] = { +# 'provider' => 'AWS', +# 'region' => 'eu-west-1', +# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID', +# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY', +# # # The below options configure an S3 compatible host instead of AWS +# # 'host' => 's3.amazonaws.com', +# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4. +# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces +# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' +# } + +################################################################################ +## Dependency proxy (EE Only) +##! Docs: https://docs.gitlab.com/ee/administration/dependency_proxy.md +################################################################################ + +# gitlab_rails['dependency_proxy_enabled'] = true +# gitlab_rails['dependency_proxy_storage_path'] = "/var/opt/gitlab/gitlab-rails/shared/dependency_proxy" +# gitlab_rails['dependency_proxy_object_store_enabled'] = false +# gitlab_rails['dependency_proxy_object_store_direct_upload'] = false +# gitlab_rails['dependency_proxy_object_store_background_upload'] = true +# gitlab_rails['dependency_proxy_object_store_proxy_download'] = false +# gitlab_rails['dependency_proxy_object_store_remote_directory'] = "dependency_proxy" +# gitlab_rails['dependency_proxy_object_store_connection'] = { +# 'provider' => 'AWS', +# 'region' => 'eu-west-1', +# 'aws_access_key_id' => 'AWS_ACCESS_KEY_ID', +# 'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY', +# # # The below options configure an S3 compatible host instead of AWS +# # 'host' => 's3.amazonaws.com', +# # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4. +# # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces +# # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' +# } + +################################################################################ +## GitLab Sentinel (EE Only) +##! Docs: http://docs.gitlab.com/ce/administration/high_availability/redis.html#high-availability-with-sentinel +################################################################################ + +##! **Make sure you configured all redis['master_*'] keys above before +##! continuing.** + +##! To enable Sentinel and disable all other services in this machine, +##! uncomment the line below (if you've enabled Redis role, it will keep it). +##! Docs: https://docs.gitlab.com/ee/administration/high_availability/redis.html +# redis_sentinel_role['enable'] = true + +# sentinel['enable'] = true + +##! Bind to all interfaces, uncomment to specify an IP and bind to a single one +# sentinel['bind'] = '0.0.0.0' + +##! Uncomment to change default port +# sentinel['port'] = 26379 + +#### Support to run sentinels in a Docker or NAT environment +#####! Docs: https://redis.io/topics/sentinel#sentinel-docker-nat-and-possible-issues +# In an standard case, Sentinel will run in the same network service as Redis, so the same IP will be announce for Redis and Sentinel +# Only define these values if it is needed to announce for Sentinel a differen IP service than Redis +# sentinel['announce_ip'] = nil # If not defined, its value will be taken from redis['announce_ip'] or nil if not present +# sentinel['announce_port'] = nil # If not defined, its value will be taken from sentinel['port'] or nil if redis['announce_ip'] not present + +##! Quorum must reflect the amount of voting sentinels it take to start a +##! failover. +##! **Value must NOT be greater then the amount of sentinels.** +##! The quorum can be used to tune Sentinel in two ways: +##! 1. If a the quorum is set to a value smaller than the majority of Sentinels +##! we deploy, we are basically making Sentinel more sensible to master +##! failures, triggering a failover as soon as even just a minority of +##! Sentinels is no longer able to talk with the master. +##! 2. If a quorum is set to a value greater than the majority of Sentinels, we +##! are making Sentinel able to failover only when there are a very large +##! number (larger than majority) of well connected Sentinels which agree +##! about the master being down. +# sentinel['quorum'] = 1 + +### Consider unresponsive server down after x amount of ms. +# sentinel['down_after_milliseconds'] = 10000 + +### Specifies the failover timeout in milliseconds. +##! It is used in many ways: +##! +##! - The time needed to re-start a failover after a previous failover was +##! already tried against the same master by a given Sentinel, is two +##! times the failover timeout. +##! +##! - The time needed for a slave replicating to a wrong master according +##! to a Sentinel current configuration, to be forced to replicate +##! with the right master, is exactly the failover timeout (counting since +##! the moment a Sentinel detected the misconfiguration). +##! +##! - The time needed to cancel a failover that is already in progress but +##! did not produced any configuration change (SLAVEOF NO ONE yet not +##! acknowledged by the promoted slave). +##! +##! - The maximum time a failover in progress waits for all the slaves to be +##! reconfigured as slaves of the new master. However even after this time +##! the slaves will be reconfigured by the Sentinels anyway, but not with +##! the exact parallel-syncs progression as specified. +# sentinel['failover_timeout'] = 60000 + +################################################################################ +## GitLab Sidekiq Cluster (EE only) +################################################################################ + +##! GitLab Enterprise Edition allows one to start an extra set of Sidekiq processes +##! besides the default one. These processes can be used to consume a dedicated set +##! of queues. This can be used to ensure certain queues always have dedicated +##! workers, no matter the amount of jobs that need to be processed. + +# sidekiq_cluster['enable'] = false +# sidekiq_cluster['ha'] = false +# sidekiq_cluster['log_directory'] = "/var/log/gitlab/sidekiq-cluster" +# sidekiq_cluster['interval'] = 5 # The number of seconds to wait between worker checks +# sidekiq_cluster['max_concurrency'] = 50 # The maximum number of threads each Sidekiq process should run +# sidekiq_cluster['min_concurrency'] = 0 # The minimum number of threads each Sidekiq process should run + +##! Each entry in the queue_groups array denotes a group of queues that have to be processed by a +##! Sidekiq process. Multiple queues can be processed by the same process by +##! separating them with a comma within the group entry + +# sidekiq_cluster['queue_groups'] = [ +# "process_commit,post_receive", +# "gitlab_shell" +# ] +# + +##! If negate is enabled then sidekiq-cluster will process all the queues that +##! don't match those in queue_groups. + +# sidekiq_cluster['negate'] = false + +################################################################################ +## Additional Database Settings (EE only) +##! Docs: https://docs.gitlab.com/ee/administration/database_load_balancing.html +################################################################################ +# gitlab_rails['db_load_balancing'] = { 'hosts' => ['secondary1.example.com'] } + +################################################################################ +## GitLab Geo +##! Docs: https://docs.gitlab.com/ee/gitlab-geo +################################################################################ +# geo_primary_role['enable'] = false +# geo_secondary_role['enable'] = false + +# This is an optional identifier which Geo nodes can use to identify themselves. +# For example, if external_url is the same for two secondaries, you must specify +# a unique Geo node name for those secondaries. +# +# If it is blank, it defaults to external_url. +# gitlab_rails['geo_node_name'] = nil + +# gitlab_rails['geo_registry_replication_enabled'] = true +# gitlab_rails['geo_registry_replication_primary_api_url'] = 'https://example.com:5000' + + +################################################################################ +## GitLab Geo Secondary (EE only) +################################################################################ +# geo_secondary['auto_migrate'] = true +# geo_secondary['db_adapter'] = "postgresql" +# geo_secondary['db_encoding'] = "unicode" +# geo_secondary['db_collation'] = nil +# geo_secondary['db_database'] = "gitlabhq_geo_production" +# geo_secondary['db_pool'] = 1 +# geo_secondary['db_username'] = "gitlab_geo" +# geo_secondary['db_password'] = nil +# geo_secondary['db_host'] = "/var/opt/gitlab/geo-postgresql" +# geo_secondary['db_port'] = 5431 +# geo_secondary['db_socket'] = nil +# geo_secondary['db_sslmode'] = nil +# geo_secondary['db_sslcompression'] = 0 +# geo_secondary['db_sslrootcert'] = nil +# geo_secondary['db_sslca'] = nil +# geo_secondary['db_fdw'] = true + +################################################################################ +## GitLab Geo Secondary Tracking Database (EE only) +################################################################################ + +# geo_postgresql['enable'] = false +# geo_postgresql['ha'] = false +# geo_postgresql['dir'] = '/var/opt/gitlab/geo-postgresql' +# geo_postgresql['data_dir'] = '/var/opt/gitlab/geo-postgresql/data' +# geo_postgresql['pgbouncer_user'] = nil +# geo_postgresql['pgbouncer_user_password'] = nil +##! `SQL_USER_PASSWORD_HASH` can be generated using the command `gitlab-ctl pg-password-md5 gitlab` +# geo_postgresql['sql_user_password'] = 'SQL_USER_PASSWORD_HASH' + +################################################################################ +## Unleash +##! Docs: https://docs.gitlab.com/ee/user/project/operations/feature_flags.html +################################################################################ +# gitlab_rails['feature_flags_unleash_enabled'] = false +# gitlab_rails['feature_flags_unleash_url'] = nil +# gitlab_rails['feature_flags_unleash_app_name'] = nil +# gitlab_rails['feature_flags_unleash_instance_id'] = nil + +################################################################################ +# Pgbouncer (EE only) +# See [GitLab PgBouncer documentation](http://docs.gitlab.com/omnibus/settings/database.html#enabling-pgbouncer-ee-only) +# See the [PgBouncer page](https://pgbouncer.github.io/config.html) for details +################################################################################ +# pgbouncer['enable'] = false +# pgbouncer['log_directory'] = '/var/log/gitlab/pgbouncer' +# pgbouncer['data_directory'] = '/var/opt/gitlab/pgbouncer' +# pgbouncer['env_directory'] = '/opt/gitlab/etc/pgbouncer/env' +# pgbouncer['env'] = { +# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/" +# } +# pgbouncer['listen_addr'] = '0.0.0.0' +# pgbouncer['listen_port'] = '6432' +# pgbouncer['pool_mode'] = 'transaction' +# pgbouncer['server_reset_query'] = 'DISCARD ALL' +# pgbouncer['application_name_add_host'] = '1' +# pgbouncer['max_client_conn'] = '2048' +# pgbouncer['default_pool_size'] = '100' +# pgbouncer['min_pool_size'] = '0' +# pgbouncer['reserve_pool_size'] = '5' +# pgbouncer['reserve_pool_timeout'] = '5.0' +# pgbouncer['server_round_robin'] = '0' +# pgbouncer['log_connections'] = '0' +# pgbouncer['server_idle_timeout'] = '30' +# pgbouncer['dns_max_ttl'] = '15.0' +# pgbouncer['dns_zone_check_period'] = '0' +# pgbouncer['dns_nxdomain_ttl'] = '15.0' +# pgbouncer['admin_users'] = %w(gitlab-psql postgres pgbouncer) +# pgbouncer['stats_users'] = %w(gitlab-psql postgres pgbouncer) +# pgbouncer['ignore_startup_parameters'] = 'extra_float_digits' +# pgbouncer['databases'] = { +# DATABASE_NAME: { +# host: HOSTNAME, +# port: PORT +# user: USERNAME, +# password: PASSWORD +###! generate this with `echo -n '$password + $username' | md5sum` +# } +# ... +# } +# pgbouncer['logfile'] = nil +# pgbouncer['unix_socket_dir'] = nil +# pgbouncer['unix_socket_mode'] = '0777' +# pgbouncer['unix_socket_group'] = nil +# pgbouncer['auth_type'] = 'md5' +# pgbouncer['auth_hba_file'] = nil +# pgbouncer['auth_query'] = 'SELECT username, password FROM public.pg_shadow_lookup($1)' +# pgbouncer['users'] = { +# { +# name: USERNAME, +# password: MD5_PASSWORD_HASH +# } +# } +# postgresql['pgbouncer_user'] = nil +# postgresql['pgbouncer_user_password'] = nil +# pgbouncer['server_reset_query_always'] = 0 +# pgbouncer['server_check_query'] = 'select 1' +# pgbouncer['server_check_delay'] = 30 +# pgbouncer['max_db_connections'] = nil +# pgbouncer['max_user_connections'] = nil +# pgbouncer['syslog'] = 0 +# pgbouncer['syslog_facility'] = 'daemon' +# pgbouncer['syslog_ident'] = 'pgbouncer' +# pgbouncer['log_disconnections'] = 1 +# pgbouncer['log_pooler_errors'] = 1 +# pgbouncer['stats_period'] = 60 +# pgbouncer['verbose'] = 0 +# pgbouncer['server_lifetime'] = 3600 +# pgbouncer['server_connect_timeout'] = 15 +# pgbouncer['server_login_retry'] = 15 +# pgbouncer['query_timeout'] = 0 +# pgbouncer['query_wait_timeout'] = 120 +# pgbouncer['client_idle_timeout'] = 0 +# pgbouncer['client_login_timeout'] = 60 +# pgbouncer['autodb_idle_timeout'] = 3600 +# pgbouncer['suspend_timeout'] = 10 +# pgbouncer['idle_transaction_timeout'] = 0 +# pgbouncer['pkt_buf'] = 4096 +# pgbouncer['listen_backlog'] = 128 +# pgbouncer['sbuf_loopcnt'] = 5 +# pgbouncer['max_packet_size'] = 2147483647 +# pgbouncer['tcp_defer_accept'] = 0 +# pgbouncer['tcp_socket_buffer'] = 0 +# pgbouncer['tcp_keepalive'] = 1 +# pgbouncer['tcp_keepcnt'] = 0 +# pgbouncer['tcp_keepidle'] = 0 +# pgbouncer['tcp_keepintvl'] = 0 +# pgbouncer['disable_pqexec'] = 0 + +## Pgbouncer client TLS options +# pgbouncer['client_tls_sslmode'] = 'disable' +# pgbouncer['client_tls_ca_file'] = nil +# pgbouncer['client_tls_key_file'] = nil +# pgbouncer['client_tls_cert_file'] = nil +# pgbouncer['client_tls_protocols'] = 'all' +# pgbouncer['client_tls_dheparams'] = 'auto' +# pgbouncer['client_tls_ecdhcurve'] = 'auto' +# +## Pgbouncer server TLS options +# pgbouncer['server_tls_sslmode'] = 'disable' +# pgbouncer['server_tls_ca_file'] = nil +# pgbouncer['server_tls_key_file'] = nil +# pgbouncer['server_tls_cert_file'] = nil +# pgbouncer['server_tls_protocols'] = 'all' +# pgbouncer['server_tls_ciphers'] = 'fast' + +################################################################################ +# Repmgr (EE only) +################################################################################ +# repmgr['enable'] = false +# repmgr['cluster'] = 'gitlab_cluster' +# repmgr['database'] = 'gitlab_repmgr' +# repmgr['host'] = nil +# repmgr['node_number'] = nil +# repmgr['port'] = 5432 +# repmgr['trust_auth_cidr_addresses'] = [] +# repmgr['username'] = 'gitlab_repmgr' +# repmgr['sslmode'] = 'prefer' +# repmgr['sslcompression'] = 0 +# repmgr['failover'] = 'automatic' +# repmgr['log_directory'] = '/var/log/gitlab/repmgrd' +# repmgr['node_name'] = nil +# repmgr['pg_bindir'] = '/opt/gitlab/embedded/bin' +# repmgr['service_start_command'] = '/opt/gitlab/bin/gitlab-ctl start postgresql' +# repmgr['service_stop_command'] = '/opt/gitlab/bin/gitlab-ctl stop postgresql' +# repmgr['service_reload_command'] = '/opt/gitlab/bin/gitlab-ctl hup postgresql' +# repmgr['service_restart_command'] = '/opt/gitlab/bin/gitlab-ctl restart postgresql' +# repmgr['service_promote_command'] = nil +# repmgr['promote_command'] = '/opt/gitlab/embedded/bin/repmgr standby promote -f /var/opt/gitlab/postgresql/repmgr.conf' +# repmgr['follow_command'] = '/opt/gitlab/embedded/bin/repmgr standby follow -f /var/opt/gitlab/postgresql/repmgr.conf' + +# repmgr['upstream_node'] = nil +# repmgr['use_replication_slots'] = false +# repmgr['loglevel'] = 'INFO' +# repmgr['logfacility'] = 'STDERR' +# repmgr['logfile'] = nil + +# repmgr['event_notification_command'] = nil +# repmgr['event_notifications'] = nil + +# repmgr['rsync_options'] = nil +# repmgr['ssh_options'] = nil +# repmgr['priority'] = nil +# +# HA setting to specify if a node should attempt to be master on initialization +# repmgr['master_on_initialization'] = true + +# repmgr['retry_promote_interval_secs'] = 300 +# repmgr['witness_repl_nodes_sync_interval_secs'] = 15 +# repmgr['reconnect_attempts'] = 6 +# repmgr['reconnect_interval'] = 10 +# repmgr['monitor_interval_secs'] = 2 +# repmgr['master_response_timeout'] = 60 +# repmgr['daemon'] = true +# repmgrd['enable'] = true + +################################################################################ +# Consul (EEP only) +################################################################################ +# consul['enable'] = false +# consul['dir'] = '/var/opt/gitlab/consul' +# consul['username'] = 'gitlab-consul' +# consul['group'] = 'gitlab-consul' +# consul['config_file'] = '/var/opt/gitlab/consul/config.json' +# consul['config_dir'] = '/var/opt/gitlab/consul/config.d' +# consul['data_dir'] = '/var/opt/gitlab/consul/data' +# consul['log_directory'] = '/var/log/gitlab/consul' +# consul['env_directory'] = '/opt/gitlab/etc/consul/env' +# consul['env'] = { +# 'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/" +# } +# consul['monitoring_service_discovery'] = false +# consul['node_name'] = nil +# consul['script_directory'] = '/var/opt/gitlab/consul/scripts' +# consul['configuration'] = { +# 'client_addr' => nil, +# 'datacenter' => 'gitlab_consul', +# 'enable_script_checks' => true, +# 'server' => false +# } +# consul['services'] = [] +# consul['service_config'] = { +# 'postgresql' => { +# 'service' => { +# 'name' => "postgresql", +# 'address' => '', +# 'port' => 5432, +# 'checks' => [ +# { +# 'script' => "/var/opt/gitlab/consul/scripts/check_postgresql", +# 'interval' => "10s" +# } +# ] +# } +# } +# } +# consul['watchers'] = { +# 'postgresql' => { +# enable: false, +# handler: 'failover_pgbouncer' +# } +# } + + + diff --git a/smartinspace/etc/nginx/sites-available/smartinspace.conf b/smartinspace/etc/nginx/sites-available/smartinspace.conf new file mode 100644 index 0000000..6f5b258 --- /dev/null +++ b/smartinspace/etc/nginx/sites-available/smartinspace.conf @@ -0,0 +1,215 @@ +server { + server_name smartinspace.tech; + proxy_set_header X-Forwarded-For $remote_addr; + location / { + root /var/www/html; + index index.html; + proxy_intercept_errors on; + error_page 404 502 503 504 = @fallback; + } + + location @fallback { + root /var/www/html; + index maintenance.html; + } + + location = /_csp { + access_log /var/log/nginx/csp.log CSP; + proxy_pass http://127.0.0.1/_csp_response; + } + + + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/smartinspace.tech/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/smartinspace.tech/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + include snippets/ssl-params.conf; + + +} +server { + if ($host = smartinspace.tech) { + return 301 https://$host$request_uri; + } # managed by Certbot + server_name smartinspace.tech; + listen 80; + return 404; # managed by Certbot + + location /_csp_response { + access_log off; + return 204; + } + + + } + + + #server{ + # server_name nemo.smartinspace.tech; + # proxy_set_header X-Forwarded-For $remote_addr; + # location / { + # root /var/www/html; + # index nemo.html; + # proxy_intercept_errors on; + # error_page 404 502 503 504 = @fallback; + # auth_basic "Restricted Content"; + # auth_basic_user_file /etc/nginx/.htpasswd; + # } + # + # location @fallback { + # root /var/www/html; + # index maintenance.html; + # } + # listen 443 ssl; # managed by Certbot + # ssl_certificate /etc/letsencrypt/live/nemo.smartinspace.tech/fullchain.pem; # managed by Certbot + # ssl_certificate_key /etc/letsencrypt/live/nemo.smartinspace.tech/privkey.pem; # managed by Certbot + # include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + # + # + # + #} + #server{ + # if ($host = nemo.smartinspace.tech) { + # return 301 https://$host$request_uri; + # } # managed by Certbot + # server_name nemo.smartinspace.tech; + # listen 80; + # return 404; # managed by Certbot + #} + server { + server_name file.smartinspace.tech; + #proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Host $host:$server_port; + location / { + proxy_pass http://svnasolvo.ddns.net:8100/; + proxy_intercept_errors on; + error_page 404 502 503 504 = @fallback; + } + location @fallback { + root /var/www/html; + index maintenance.html; + } + + + location /seafhttp { + rewrite ^/seafhttp(.*)$ $1 break; + proxy_pass http://svnasolvo.ddns.net:18082; + client_max_body_size 0; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_connect_timeout 36000s; + proxy_read_timeout 36000s; + proxy_send_timeout 36000s; + + send_timeout 36000s; + + access_log /var/log/nginx/seafhttp.access.log; + error_log /var/log/nginx/seafhttp.error.log; + } + + #location /media { + # root /home/seafile/seafile-server-latest/seahub; + #} + + location /seafdav { + proxy_pass https://svnasolvo.ddns.net:44300/seafdav; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $server_name; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 1200s; + client_max_body_size 0; + access_log /var/log/nginx/seafdav.access.log; + error_log /var/log/nginx/seafdav.error.log; + } + + + client_max_body_size 0; + + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/file.smartinspace.tech/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/file.smartinspace.tech/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + } + + server { + server_name git.smartinspace.tech; + proxy_set_header X-Forwarded-For $remote_addr; + location / { + proxy_pass http://svnasolvo.ddns.net:30000/; + proxy_intercept_errors on; + error_page 404 502 503 504 = @fallback; + } + location @fallback { + root /var/www/html; + index maintenance.html; + } + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/git.smartinspace.tech/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/git.smartinspace.tech/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + + } + + + #server { + # server_name dev.smartinspace.ai; + # proxy_set_header X-Forwarded-For $remote_addr; + # location / { + # #proxy_pass https://svnasolvo.ddns.net:/; + # proxy_pass https://svnasolvo.ddns.net; + # proxy_intercept_errors on; + # error_page 404 502 503 504 = @fallback; + # } + # location @fallback { + # root /var/www/html; + # index maintenance.html; + # } + # listen 443 ssl; # managed by Certbot + # ssl_certificate /etc/letsencrypt/live/dev.smartinspace.ai/fullchain.pem; # managed by Certbot + # ssl_certificate_key /etc/letsencrypt/live/dev.smartinspace.ai/privkey.pem; # managed by Certbot + # include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + #} + #server { + # if ($host = dev.smartinspace.ai) { + # return 301 https://$host$request_uri; + # } # managed by Certbot + # server_name dev.smartinspace.ai; + # listen 80; + # return 404; # managed by Certbot + #} + server { + server_name goats.smartinspace.tech; + proxy_set_header X-Forwarded-For $remote_addr; + location / { + proxy_pass http://localhost:5000; + proxy_intercept_errors on; + error_page 404 502 503 504 = @fallback; + } + location @fallback { + root /var/www/html; + index maintenance.html; + } + + listen 443; + ssl_certificate /etc/letsencrypt/live/goats.smartinspace.tech/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/goats.smartinspace.tech/privkey.pem; # managed by Certbot + + } + server { + if ($host = goats.smartinspace.tech) { + return 301 https://$host$request_uri; + } # managed by Certbot + server_name goats.smartinspace.tech; + listen 80; + return 404; # managed by Certbot + } +