Mostly set up Icinga monitoring - CentOS still has issues and need to finish server build and backup

2017-11-12 11:25:07 -06:00 · 2017-11-12 11:25:07 -06:00 · 3c74b0d166
commit 3c74b0d166
parent b0af2fc25f
181 changed files with 1674 additions and 11377 deletions
--- a/pillars/roles/aurpkgs/icinga.sls
+++ b/pillars/roles/aurpkgs/icinga.sls
@ -2,4 +2,3 @@ aur:
  pkgs:
    icinga2: []
    icingaweb2: []
    icingaweb2-module-director: []
--- a/pillars/roles/database/icinga.sls
+++ b/pillars/roles/database/icinga.sls
@ -11,7 +11,3 @@ database:
      icinga:
        host: icinga.actcur.com
        grant: all privileges
    icinga2_director:
      icinga:
        host: icinga.actcur.com
        grant: all privileges
--- a/pillars/roles/firewalld/nrpe.sls
+++ b/pillars/roles/firewalld/nrpe.sls
@ -0,0 +1,4 @@
 firewalld:
  70_internal:
    port:
      5666/tcp: []
--- a/pillars/roles/git/lightbooks.sls
+++ b/pillars/roles/git/lightbooks.sls
@ -0,0 +1,17 @@
 git:
  lightbooks:
    repo: "ssh://gogs@git.actcur.com:5022/actcur/lightbooks.git"
    path: "/usr/share/webapps/lightbooks"
    branch: "master"
    key: "git_actcur"
    force: true
    email: "actcur@actcur.com"
    name: "Actaeus Curabitur"
  lightbooks.dev:
    repo: "ssh://gogs@git.actcur.com:5022/actcur/lightbooks.git"
    path: "/usr/share/webapps/lightbooks-dev"
    branch: "dev"
    key: "git_actcur"
    force: true
    email: "actcur@actcur.com"
    name: "Actaeus Curabitur"
--- a/pillars/roles/git/portal.sls
+++ b/pillars/roles/git/portal.sls
@ -1,5 +1,5 @@
 git:
-  tmux:
+  tmux-root:
    repo: "ssh://gogs@git.actcur.com:5022/actcur/tmux.git"
    path: "/root/tmux"
    branch: "master"
@ -7,6 +7,14 @@ git:
    force: true
    email: "actcur@actcur.com"
    name: "Actaeus Curabitur"
  tmux-ejparker:
    repo: "ssh://gogs@git.actcur.com:5022/actcur/tmux.git"
    path: "/ejparker/tmux"
    branch: "master"
    key: "git_actcur"
    force: true
    email: "actcur@actcur.com"
    name: "Actaeus Curabitur"
  web:
    repo: "ssh://gogs@git.actcur.com:5022/actcur/portal.git"
    path: "/srv/http/portal"
--- a/pillars/roles/git/ytdownloader.sls
+++ b/pillars/roles/git/ytdownloader.sls
@ -0,0 +1,9 @@
 git:
  ytdownloader:
    repo: "ssh://gogs@git.actcur.com:5022/actcur/ytdownloader.git"
    path: "/root/scripts/ytdownloader"
    branch: "master"
    key: "git_actcur"
    force: true
    email: "actcur@actcur.com"
    name: "Actaeus Curabitur"
--- a/pillars/roles/init.sls
+++ b/pillars/roles/init.sls
@ -8,3 +8,4 @@ include:
  - roles.backup
  - roles.ca
  - roles.database
  - roles.services
--- a/pillars/roles/nginx/deluge.sls
+++ b/pillars/roles/nginx/deluge.sls
@ -6,7 +6,7 @@ nginx:
      prot: http
 portal:
-  Video:
+  Media:
    deluge:
      name: Torrents
      summary: Deluge Torrent Server
--- a/pillars/roles/nginx/jackett.sls
+++ b/pillars/roles/nginx/jackett.sls
@ -6,7 +6,7 @@ nginx:
      prot: http
 portal:
-  Video:
+  Media:
    jackett:
      name: Torrent Indexers
      summary: Jackett Server
--- a/pillars/roles/nginx/lightbooks.sls
+++ b/pillars/roles/nginx/lightbooks.sls
@ -0,0 +1,24 @@
 nginx:
  books:
    auth: 2fa
    https:
      port: 8000
      prot: http
  books.dev:
    auth: 2fa
    https:
      port: 8080
      prot: http
    default: no
 portal:
  Media:
    books:
      name: Books and Podcasts
      summary: LightBooks Server
      public: false
  Dev:
    books.dev:
      name: Books and Podcasts - Dev
      summary: LightBooks Server
      public: false
--- a/pillars/roles/nginx/ombi.sls
+++ b/pillars/roles/nginx/ombi.sls
@ -6,7 +6,7 @@ nginx:
      prot: http
 portal:
-  Video:
+  Media:
    ombi:
      name: TV/Movie Requests
      summary: OMBI Plex Requests Server
--- a/pillars/roles/nginx/plexmediaserver.sls
+++ b/pillars/roles/nginx/plexmediaserver.sls
@ -6,7 +6,7 @@ nginx:
      prot: http
 portal:
-  Video:
+  Media:
    plex:
      name: Plex
      summary: Plex Media Server
--- a/pillars/roles/nginx/radarr.sls
+++ b/pillars/roles/nginx/radarr.sls
@ -6,7 +6,7 @@ nginx:
      prot: http
 portal:
-  Video:
+  Media:
    radarr:
      name: Movie Downloader
      summary: Radarr Server
--- a/pillars/roles/nginx/sonarr.sls
+++ b/pillars/roles/nginx/sonarr.sls
@ -6,7 +6,7 @@ nginx:
      prot: http
 portal:
-  Video:
+  Media:
    sonarr:
      name: TV Show Downloader
      summary: Sonarr Server
--- a/pillars/roles/services/aurrepo.sls
+++ b/pillars/roles/services/aurrepo.sls
@ -0,0 +1,3 @@
 services:
  aurrepo:
    updateaur.timer: []
--- a/pillars/roles/services/authelia.sls
+++ b/pillars/roles/services/authelia.sls
@ -0,0 +1,5 @@
 services:
  authelia:
    mongodb: []
    redis: []
    authelia: []
--- a/pillars/roles/services/backup.sls
+++ b/pillars/roles/services/backup.sls
@ -0,0 +1,3 @@
 services:
  backup:
    backup.timer: []
--- a/pillars/roles/services/certbot.sls
+++ b/pillars/roles/services/certbot.sls
@ -0,0 +1,3 @@
 services:
  certbot:
    certbot.timer: []
--- a/pillars/roles/services/core.sls
+++ b/pillars/roles/services/core.sls
@ -0,0 +1,4 @@
 services:
  core:
    firewalld: []
    sshd: []
--- a/pillars/roles/services/deluge.sls
+++ b/pillars/roles/services/deluge.sls
@ -0,0 +1,4 @@
 services:
  deluge:
    deluged: []
    deluge-web: []
--- a/pillars/roles/services/freeipa-server.sls
+++ b/pillars/roles/services/freeipa-server.sls
@ -0,0 +1,3 @@
 services:
  freeipa-server:
    httpd: []
--- a/pillars/roles/services/git.sls
+++ b/pillars/roles/services/git.sls
@ -0,0 +1,3 @@
 services:
  git:
    gogs: []
--- a/pillars/roles/services/icinga.sls
+++ b/pillars/roles/services/icinga.sls
@ -0,0 +1,4 @@
 services:
  icinga:
    icinga2: []
    php-fpm: []
--- a/pillars/roles/services/init.sls
+++ b/pillars/roles/services/init.sls
@ -0,0 +1,15 @@
 {% set states = salt['cp.list_states'](saltenv) %}
 include:
  - roles.services.none
 {%- if grains['roles'] is defined -%}
  {%- if grains['roles'] is not none -%}
    {%- if 'icinga' in grains['roles'] -%}
      {%- for state in states %}
        {%- if state.startswith("pillars.roles.services.") -%}
          {%- set role = state.split('.')[3] %}
  - roles.services.{{ role }}
        {%- endif -%}
      {%- endfor -%}
    {%- endif -%}
  {%- endif -%}
 {%- endif -%}
--- a/pillars/roles/services/lightbooks.sls
+++ b/pillars/roles/services/lightbooks.sls
@ -0,0 +1,3 @@
 services:
  lightbooks:
    php-fpm: []
--- a/pillars/roles/services/mirrorlist.sls
+++ b/pillars/roles/services/mirrorlist.sls
@ -0,0 +1,3 @@
 services:
  mirrorlist:
    getmirrors.timer: []
--- a/pillars/roles/services/mysql.sls
+++ b/pillars/roles/services/mysql.sls
@ -0,0 +1,4 @@
 services:
  mysql:
    mysqld: []
    dumpdb.timer: []
--- a/pillars/roles/services/nginx-proxy.sls
+++ b/pillars/roles/services/nginx-proxy.sls
@ -0,0 +1,3 @@
 services:
  nginx-proxy:
    nginx: []
--- a/pillars/roles/services/none.sls
+++ b/pillars/roles/services/none.sls
--- a/pillars/roles/services/ombi.sls
+++ b/pillars/roles/services/ombi.sls
@ -0,0 +1,3 @@
 services:
  ombi:
    ombi: []
--- a/pillars/roles/services/pass.sls
+++ b/pillars/roles/services/pass.sls
@ -0,0 +1,3 @@
 services:
  pass:
    php-fpm: []
--- a/pillars/roles/services/pkg-cache.sls
+++ b/pillars/roles/services/pkg-cache.sls
@ -0,0 +1,3 @@
 services:
  pkg-cache:
    nginx: []
--- a/pillars/roles/services/plexmediaserver.sls
+++ b/pillars/roles/services/plexmediaserver.sls
@ -0,0 +1,3 @@
 services:
  plexmediaserver:
    plexmediaserver: []
--- a/pillars/roles/services/saltmaster.sls
+++ b/pillars/roles/services/saltmaster.sls
@ -0,0 +1,3 @@
 services:
  saltmaster:
    salt-master: []
--- a/pillars/roles/services/saltminion.sls
+++ b/pillars/roles/services/saltminion.sls
@ -0,0 +1,4 @@
 services:
  saltminion:
    salt-minion: []
    highstate.timer: []
--- a/pillars/roles/services/sshserver.sls
+++ b/pillars/roles/services/sshserver.sls
@ -0,0 +1,3 @@
 services:
  sshserver:
    sshd: []
--- a/pillars/roles/services/ytdownloader.sls
+++ b/pillars/roles/services/ytdownloader.sls
@ -0,0 +1,3 @@
 services:
  ytdownloader:
    ytdownloader.timer: []
--- a/pillars/servers/env/server/centipa.sls
+++ b/pillars/servers/env/server/centipa.sls
--- a/pillars/servers/env/server/debianipa.sls
+++ b/pillars/servers/env/server/debianipa.sls
@ -1 +0,0 @@
 env: prod
--- a/pillars/servers/env/server/ipatest.sls
+++ b/pillars/servers/env/server/ipatest.sls
@ -1 +0,0 @@
 env: prod
--- a/pillars/servers/maintainer/server/centipa.sls
+++ b/pillars/servers/maintainer/server/centipa.sls
--- a/pillars/servers/maintainer/server/debianipa.sls
+++ b/pillars/servers/maintainer/server/debianipa.sls
@ -1,3 +0,0 @@
 maintainer:
  - masaufuku
--- a/pillars/servers/maintainer/server/ipatest.sls
+++ b/pillars/servers/maintainer/server/ipatest.sls
@ -1,3 +0,0 @@
 maintainer:
  - masaufuku
--- a/pillars/servers/roles/server/archtest.sls
+++ b/pillars/servers/roles/server/archtest.sls
@ -2,4 +2,5 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
--- a/pillars/servers/roles/server/authelia.sls
+++ b/pillars/servers/roles/server/authelia.sls
@ -2,6 +2,7 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
    - authelia
    - nginx-proxy
--- a/pillars/servers/roles/server/baikal.sls
+++ b/pillars/servers/roles/server/baikal.sls
@ -2,6 +2,7 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
    - nginx-proxy
    - baikal
--- a/pillars/servers/roles/server/base
+++ b/pillars/servers/roles/server/base
@ -2,4 +2,5 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
--- a/pillars/servers/roles/server/centipa.sls
+++ b/pillars/servers/roles/server/centipa.sls
@ -2,4 +2,7 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
    - lightbooks
    - nginx-proxy
--- a/pillars/servers/roles/server/ca.sls
+++ b/pillars/servers/roles/server/ca.sls
@ -2,5 +2,6 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
    - ca
--- a/pillars/servers/roles/server/debianipa.sls
+++ b/pillars/servers/roles/server/debianipa.sls
@ -1,6 +0,0 @@
 grains:
  roles:
    - server
    - ssh
    - saltminion
    - freeipa_server
--- a/pillars/servers/roles/server/deluge.sls
+++ b/pillars/servers/roles/server/deluge.sls
@ -2,6 +2,7 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
    - deluge
    - nginx-proxy
--- a/pillars/servers/roles/server/git.sls
+++ b/pillars/servers/roles/server/git.sls
@ -2,7 +2,7 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
    - git
    - nginx-proxy
    - nfs
--- a/pillars/servers/roles/server/host.sls
+++ b/pillars/servers/roles/server/host.sls
@ -2,5 +2,6 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
    - backup
--- a/pillars/servers/roles/server/icinga.sls
+++ b/pillars/servers/roles/server/icinga.sls
@ -2,6 +2,7 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
    - icinga
    - nginx-proxy
--- a/pillars/servers/roles/server/ipa.sls
+++ b/pillars/servers/roles/server/ipa.sls
@ -2,5 +2,6 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
    - freeipa-server
--- a/pillars/servers/roles/server/ipatest.sls
+++ b/pillars/servers/roles/server/ipatest.sls
@ -1,5 +0,0 @@
 grains:
  roles:
    - server
    - ssh
    - saltminion
--- a/pillars/servers/roles/server/jackett.sls
+++ b/pillars/servers/roles/server/jackett.sls
@ -2,6 +2,7 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
    - nginx-proxy
    - jackett
--- a/pillars/servers/roles/server/ombi.sls
+++ b/pillars/servers/roles/server/ombi.sls
@ -2,6 +2,7 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
    - nginx-proxy
    - ombi
--- a/pillars/servers/roles/server/pass.sls
+++ b/pillars/servers/roles/server/pass.sls
@ -2,6 +2,7 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
    - nginx-proxy
    - pass
--- a/pillars/servers/roles/server/pkg.sls
+++ b/pillars/servers/roles/server/pkg.sls
@ -2,6 +2,7 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
    - pkg-cache
    - aurrepo
--- a/pillars/servers/roles/server/plex.sls
+++ b/pillars/servers/roles/server/plex.sls
@ -2,6 +2,7 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
    - nginx-proxy
    - plexmediaserver
--- a/pillars/servers/roles/server/portal.sls
+++ b/pillars/servers/roles/server/portal.sls
@ -2,6 +2,7 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
    - portal
    - nginx-proxy
--- a/pillars/servers/roles/server/radarr.sls
+++ b/pillars/servers/roles/server/radarr.sls
@ -2,6 +2,7 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
    - nginx-proxy
    - radarr
--- a/pillars/servers/roles/server/salt.sls
+++ b/pillars/servers/roles/server/salt.sls
@ -2,6 +2,7 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
    - saltmaster
    - mirrorlist
--- a/pillars/servers/roles/server/sonarr.sls
+++ b/pillars/servers/roles/server/sonarr.sls
@ -2,8 +2,8 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
    - nginx-proxy
    - sonarr
    - nfs
    - ytdownloader
--- a/pillars/servers/roles/server/sql.sls
+++ b/pillars/servers/roles/server/sql.sls
@ -2,5 +2,6 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
    - mysql
--- a/pillars/servers/roles/server/ssh.sls
+++ b/pillars/servers/roles/server/ssh.sls
@ -2,5 +2,6 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
    - sshserver
--- a/pillars/servers/roles/server/sync.sls
+++ b/pillars/servers/roles/server/sync.sls
@ -2,6 +2,7 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
    - sync
    - nginx-proxy
--- a/pillars/servers/roles/server/tt.sls
+++ b/pillars/servers/roles/server/tt.sls
@ -2,6 +2,7 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
    - ttrss
    - nginx-proxy
--- a/pillars/servers/roles/server/vpn.sls
+++ b/pillars/servers/roles/server/vpn.sls
@ -2,6 +2,7 @@ grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
    - vpnserver
    - ca-cert
--- a/states/roles/build/gitlab/init.sls
+++ b/states/roles/build/gitlab/init.sls
@ -1,29 +0,0 @@
 #Note: This *only* initializes the database - only use build script in a fresh environment, it'll nuke existing mysql database
 #initialize redis database as gitlab user
 redis-running:
  service.running:
    - name: redis
    - enable: true
 gitlab_init_db:
  cmd.run:
    - name: "bundle-2.3 exec rake gitlab:setup RAILS_ENV=production force=yes"
    - cwd: "/usr/share/webapps/gitlab"
    - runas: gitlab
 #start services
 gitlab.target:
  service.running:
    - enable: true
    - reload: true
 gitlab-workhorse:
  service.running:
    - enable: true
    - reload: true
 gitlab-unicorn:
  service.running:
    - enable: true
    - reload: true
 gitlab-sidekiq:
  service.running:
    - enable: true
    - reload: true
--- a/states/roles/build/pepper/build_pepper.sh
+++ b/states/roles/build/pepper/build_pepper.sh
@ -1,10 +0,0 @@
 cd /root/
 curl -sS https://getcomposer.org/installer | php
 mv composer.phar /usr/local/bin/composer
 composer global require "laravel/installer"
 ln -s /root/.config/composer/vendor/bin/laravel /usr/local/bin/laravel
 cd /opt/
 laravel new pepper
 cd /opt/pepper
 #require packages we need
 composer require symfony/yaml
--- a/states/roles/build/pepper/init.sls
+++ b/states/roles/build/pepper/init.sls
@ -1,48 +0,0 @@
 include:
 {%- set os=grains['os'] -%}
 {%- if os=="CentOS" or os=="RedHat" %}
  - repos.nginx
  - repos.webtatic
 {% endif %}
 php.packages:
  pkg.installed:
    - pkgs:
      - php56w
      - php56w-mbstring
      - php56w-mysql
      - php56w-mcrypt
      - php56w-fpm
      - php56w-xml
 install_mariadb:
  pkg.installed:
    - pkgs:
      - mariadb-server
 selinux-policy-targeted:
  pkg.installed
 policycoreutils-python:
  pkg.installed
 httpd_can_network_connect:
  selinux.boolean:
    - value: True
    - persist: True
 /root/salt/scripts/build_pepper.sh:
  file.managed:
    - makedirs: true
    - source: salt://roles/build/pepper/build_pepper.sh
    - user: root
    - group: root
    - mode: 744
 build_pepper:
  cmd.run:
    - name: "sh /root/salt/scripts/build_pepper.sh"
 install_nginx:
  pkg.installed:
    - name: nginx
--- a/states/roles/build/saltpad/build_saltpad.sh
+++ b/states/roles/build/saltpad/build_saltpad.sh
@ -1,9 +0,0 @@
 cd /opt/
 git clone https://github.com/tinyclues/saltpad.git -b saltpad_v1
 #git clone https://github.com/Lothiraldan/saltpad.git
 cd saltpad
 virtualenv venv
 source venv/bin/activate
 pip install -r requirements.txt
 pip install chaussette
 pip install pyyaml
--- a/states/roles/build/saltpad/init.sls
+++ b/states/roles/build/saltpad/init.sls
@ -1,49 +0,0 @@
 include:
 {%- set os=grains['os'] -%}
 {%- if os=="CentOS" or os=="RedHat" %}
  - repos.nginx
 {% endif %}
 selinux-policy-targeted:
  pkg.installed
 policycoreutils-python:
  pkg.installed
 httpd_can_network_connect:
  selinux.boolean:
    - value: True
    - persist: True
 python-virtualenv:
  pkg.installed
 /root/salt/scripts/build_saltpad.sh:
  file.managed:
    - makedirs: true
    - source: salt://roles/build/saltpad/build_saltpad.sh
    - user: root
    - group: root
    - mode: 744
 build_saltpad:
  cmd.run:
    - name: "sh /root/salt/scripts/build_saltpad.sh"
 /root/salt/scripts/start_saltpad.sh:
  file.managed:
    - source: salt://roles/build/saltpad/start_saltpad.sh
    - user: root
    - group: root
    - mode: 744
 /usr/lib/systemd/system/saltpad.service:
  file.managed:
    - source: salt://roles/build/saltpad/saltpad.service
    - user: root
    - group: root
    - mode: 644
 install_nginx:
  pkg.installed:
    - name: nginx
--- a/states/roles/build/saltpad/saltpad.service
+++ b/states/roles/build/saltpad/saltpad.service
@ -1,11 +0,0 @@
 [Unit]
 Description=The Saltpad
 After=syslog.target network.target
 [Service]
 Type=forking
 LimitNOFILE=8192
 ExecStart=/bin/bash /root/salt/scripts/start_saltpad.sh start
 [Install]
 WantedBy=multi-user.target
--- a/states/roles/build/saltpad/start_saltpad.sh
+++ b/states/roles/build/saltpad/start_saltpad.sh
@ -1,67 +0,0 @@
 #/bin/bash
 c=`ps aux | grep chaussette | wc -l`
 function stop {
  if [ c -gt 1 ];
  then
    echo "Stopping server.."
    pkill chaussette
    echo ".. Done."
  else
    echo "Server not running"
  fi
 }
 function start {
  if [c -gt 1 ]
  then
    echo "Server is already running"
  else
    echo "Starting Server.."
    cd /opt/saltpad
    source venv/bin/activate
    chaussette saltpad.merged:app &
    echo ".. Done."
  fi
 }
 function restart {
  echo "Restarting server.."
  if [ c -gt 1 ]
  then
    stop
    sleep 5
    start
  else
    start
  fi
  echo ".. Done."
 }
 function status {
  if [ c -gt 1 ]
  then
    echo "Server is not running"
    exit 1
  else
    echo "Server is running"
  fi
 }
 case "$1" in
   start)
      start
   ;;
   stop)
      stop
   ;;
   restart)
      restart
   ;;
   status)
      status
   ;;
   *)
      echo "Usage: $0 {start|stop|restart|status}"
 esac
--- a/states/roles/maintain/gitlab/conf_files/config.yml
+++ b/states/roles/maintain/gitlab/conf_files/config.yml
@ -1,73 +0,0 @@
 #
 # If you change this file in a Merge Request, please also create
 # a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
 #
 # GitLab user. git by default
 user: gitlab
 # URL to GitLab instance, used for API calls. Default: http://localhost:8080.
 # For relative URL support read http://doc.gitlab.com/ce/install/relative_url.html
 # You only have to change the default if you have configured Unicorn
 # to listen on a custom port, or if you have configured Unicorn to
 # only listen on a Unix domain socket. For Unix domain sockets use
 # "http+unix://<urlquoted-path-to-socket>", e.g.
 # "http+unix://%2Fpath%2Fto%2Fsocket"
 gitlab_url: "http://localhost:8080"
 # See installation.md#using-https for additional HTTPS configuration details.
 http_settings:
 #  read_timeout: 300
 #  user: someone
 #  password: somepass
 #  ca_file: /etc/ssl/cert.pem
 #  ca_path: /etc/pki/tls/certs
  self_signed_cert: false
 # File used as authorized_keys for gitlab user
 auth_file: "/var/lib/gitlab/.ssh/authorized_keys"
 # File that contains the secret key for verifying access to GitLab.
 # Default is .gitlab_shell_secret in the gitlab-shell directory.
 # secret_file: "/var/lib/gitlab/gitlab-shell/.gitlab_shell_secret"
 # Parent directory for global custom hook directories (pre-receive.d, update.d, post-receive.d)
 # Default is hooks in the gitlab-shell directory.
 # custom_hooks_dir: "/var/lib/gitlab/gitlab-shell/hooks"
 # Redis settings used for pushing commit notices to gitlab
 redis:
  bin: /usr/bin/redis-cli
  host: 127.0.0.1
  port: 6379
  # pass: redispass # Allows you to specify the password for Redis
  database: 5
  socket: /run/redis/redis.sock # Comment out this line if you want to use TCP or Sentinel
  namespace: resque:gitlab
  # sentinels:
  #   -
  #     host: 127.0.0.1
  #     port: 26380
  #   -
  #     host: 127.0.0.1
  #     port: 26381
 # Log file.
 # Default is gitlab-shell.log in the root directory.
 log_file: "/var/log/gitlab/gitlab-shell.log"
 # Log level. INFO by default
 log_level: INFO
 # Audit usernames.
 # Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but
 # incurs an extra API call on every gitlab-shell command.
 audit_usernames: false
 # Git trace log file.
 # If set, git commands receive GIT_TRACE* environment variables
 # See https://git-scm.com/book/es/v2/Git-Internals-Environment-Variables#Debugging for documentation
 # An absolute path starting with / – the trace output will be appended to that file.
 # It needs to exist so we can check permissions and avoid to throwing warnings to the users.
 git_trace_log_file:
--- a/states/roles/maintain/gitlab/conf_files/database.yml
+++ b/states/roles/maintain/gitlab/conf_files/database.yml
@ -1,44 +0,0 @@
 #
 # PRODUCTION
 #
 production:
  adapter: mysql2
  encoding: utf8
  collation: utf8_general_ci
  reconnect: false
  database: gitlab
  pool: 10
  username: gitlab
  password: "{%- include 'secure/passwords/gitlab_db_password.txt' -%}"
  host: sql.actcur.com
  # socket: /tmp/mysql.sock
 #
 # Development specific
 #
 development:
  adapter: mysql2
  encoding: utf8
  collation: utf8_general_ci
  reconnect: false
  database: gitlabhq_development
  pool: 5
  username: root
  password: "secure password"
  # host: localhost
  # socket: /tmp/mysql.sock
 # Warning: The database defined as "test" will be erased and
 # re-generated from your development database when you run "rake".
 # Do not set this db to the same as development or production.
 test: &test
  adapter: mysql2
  encoding: utf8mb4
  collation: utf8mb4_general_ci
  reconnect: false
  database: gitlabhq_test
  pool: 5
  username: root
  password:
  # host: localhost
  # socket: /tmp/mysql.sock
--- a/states/roles/maintain/gitlab/conf_files/gitlab.conf
+++ b/states/roles/maintain/gitlab/conf_files/gitlab.conf
@ -1,69 +0,0 @@
 ## GitLab
 ##
 ## Lines starting with two hashes (##) are comments with information.
 ## Lines starting with one hash (#) are configuration parameters that can be uncommented.
 ##
 ##################################
 ##        CONTRIBUTING          ##
 ##################################
 ##
 ## If you change this file in a Merge Request, please also create
 ## a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
 ##
 ###################################
 ##         configuration         ##
 ###################################
 ##
 ## See installation.md#using-https for additional HTTPS configuration details.
 upstream gitlab-workhorse {
  server unix:/run/gitlab/gitlab-workhorse.socket fail_timeout=0;
 }
 ## Normal HTTP host
 server {
  ## Either remove "default_server" from the listen line below,
  ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
  ## to be served if you visit any address that your server responds to, eg.
  ## the ip address of the server (http://x.x.x.x/)n 0.0.0.0:80 default_server;
  listen 0.0.0.0:8000;
  listen [::]:8000;
  server_name git2.actcur.com; ## Replace this with something like gitlab.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice
  ## See app/controllers/application_controller.rb for headers set
  ## Individual nginx logs for this GitLab vhost
  access_log  /var/log/nginx/gitlab_access.log;
  error_log   /var/log/nginx/gitlab_error.log;
  location / {
    client_max_body_size 0;
    gzip off;
    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;
    proxy_http_version 1.1;
    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_pass http://gitlab-workhorse;
  }
  error_page 404 /404.html;
  error_page 422 /422.html;
  error_page 500 /500.html;
  error_page 502 /502.html;
  location ~ ^/(404|422|500|502)\.html$ {
    root /usr/share/webapps/gitlab/public;
    internal;
  }
 }
--- a/states/roles/maintain/gitlab/conf_files/gitlab.yml
+++ b/states/roles/maintain/gitlab/conf_files/gitlab.yml
@ -1,627 +0,0 @@
 # # # # # # # # # # # # # # # # # #
 # GitLab application config file  #
 # # # # # # # # # # # # # # # # # #
 #
 ###########################  NOTE  #####################################
 # This file should not receive new settings. All configuration options #
 # * are being moved to ApplicationSetting model!                       #
 # If a setting requires an application restart say so in that screen.  #
 # If you change this file in a Merge Request, please also create       #
 # a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests  #
 ########################################################################
 #
 #
 # How to use:
 # 1. Copy file as gitlab.yml
 # 2. Update gitlab -> host with your fully qualified domain name
 # 3. Update gitlab -> email_from
 # 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git
 #    IMPORTANT: If Git was installed in a different location use that instead.
 #    You can check with `which git`. If a wrong path of Git is specified, it will
 #     result in various issues such as failures of GitLab CI builds.
 # 5. Review this configuration file for other settings you may want to adjust
 production: &base
  #
  # 1. GitLab app settings
  # ==========================
  ## GitLab settings
  gitlab:
    ## Web server settings (note: host is the FQDN, do not include http://)
    host: git.actcur.com
    port: 443 # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
    https: true # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
    # Uncommment this line below if your ssh host is different from HTTP/HTTPS one
    # (you'd obviously need to replace ssh.host_example.com with your own host).
    # Otherwise, ssh host will be set to the `host:` value above
    # ssh_host: ssh.host_example.com
    # Relative URL support
    # WARNING: We recommend using an FQDN to host GitLab in a root path instead
    # of using a relative URL.
    # Documentation: http://doc.gitlab.com/ce/install/relative_url.html
    # Uncomment and customize the following line to run in a non-root path
    #
    # relative_url_root: /gitlab
    # Trusted Proxies
    # Customize if you have GitLab behind a reverse proxy which is running on a different machine.
    # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
    trusted_proxies:
      # Examples:
      #- 192.168.1.0/24
      #- 192.168.2.1
      #- 2001:0db8::/32
    # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
    user: gitlab
    ## Date & Time settings
    # Uncomment and customize if you want to change the default time zone of GitLab application.
    # To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production`
    # time_zone: 'UTC'
    ## Email settings
    # Uncomment and set to false if you need to disable email sending from GitLab (default: true)
    # email_enabled: true
    # Email address used in the "From" field in mails sent by GitLab
    email_from: notifications@actcur.com
    email_display_name: Actcur Git
    email_reply_to: noreply@actcur.com
    email_subject_suffix: ''
    # Email server smtp settings are in config/initializers/smtp_settings.rb.sample
    # default_can_create_group: false  # default: true
    # username_changing_enabled: false # default: true - User can change her username/namespace
    ## Automatic issue closing
    # If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
    # This happens when the commit is pushed or merged into the default branch of a project.
    # When not specified the default issue_closing_pattern as specified below will be used.
    # Tip: you can test your closing pattern at http://rubular.com.
    # issue_closing_pattern: '((?:[Cc]los(?:e[sd]?|ing)|[Ff]ix(?:e[sd]|ing)?|[Rr]esolv(?:e[sd]?|ing))(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)'
    ## Default project features settings
    default_projects_features:
      issues: true
      merge_requests: true
      wiki: true
      snippets: true
      builds: true
      container_registry: true
    ## Webhook settings
    # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
    # webhook_timeout: 10
    ## Repository downloads directory
    # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory.
    # The default is 'shared/cache/archive/' relative to the root of the Rails app.
    # repository_downloads_path: shared/cache/archive/
  ## Reply by email
  # Allow users to comment on issues and merge requests by replying to notification emails.
  # For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html
  incoming_email:
    enabled: false
    # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
    # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
    address: "gitlab-incoming+%{key}@gmail.com"
    # Email account username
    # With third party providers, this is usually the full email address.
    # With self-hosted email servers, this is usually the user part of the email address.
    user: "gitlab-incoming@gmail.com"
    # Email account password
    password: "[REDACTED]"
    # IMAP server host
    host: "imap.gmail.com"
    # IMAP server port
    port: 993
    # Whether the IMAP server uses SSL
    ssl: true
    # Whether the IMAP server uses StartTLS
    start_tls: false
    # The mailbox where incoming mail will end up. Usually "inbox".
    mailbox: "inbox"
    # The IDLE command timeout.
    idle_timeout: 60
  ## Build Artifacts
  artifacts:
    enabled: true
    # The location where build artifacts are stored (default: shared/artifacts).
    # path: shared/artifacts
  ## Git LFS
  lfs:
    enabled: true
    # The location where LFS objects are stored (default: shared/lfs-objects).
    # storage_path: shared/lfs-objects
  ## GitLab Pages
  pages:
    enabled: false
    # The location where pages are stored (default: shared/pages).
    # path: shared/pages
    # The domain under which the pages are served:
    # http://group.example.com/project
    # or project path can be a group page: group.example.com
    host: example.com
    port: 80 # Set to 443 if you serve the pages with HTTPS
    https: false # Set to true if you serve the pages with HTTPS
    # external_http: ["1.1.1.1:80", "[2001::1]:80"] # If defined, enables custom domain support in GitLab Pages
    # external_https: ["1.1.1.1:443", "[2001::1]:443"] # If defined, enables custom domain and certificate support in GitLab Pages
  ## Mattermost
  ## For enabling Add to Mattermost button
  mattermost:
    enabled: false
    host: 'https://mattermost.example.com'
  ## Gravatar
  ## For Libravatar see: http://doc.gitlab.com/ce/customization/libravatar.html
  gravatar:
    # gravatar urls: possible placeholders: %{hash} %{size} %{email} %{username}
    # plain_url: "http://..."     # default: http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
    # ssl_url:   "https://..."    # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
  ## Auxiliary jobs
  # Periodically executed jobs, to self-heal Gitlab, do external synchronizations, etc.
  # Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
  cron_jobs:
    # Flag stuck CI jobs as failed
    stuck_ci_jobs_worker:
      cron: "0 * * * *"
    # Execute scheduled triggers
    pipeline_schedule_worker:
      cron: "19 * * * *"
    # Remove expired build artifacts
    expire_build_artifacts_worker:
      cron: "50 * * * *"
    # Periodically run 'git fsck' on all repositories. If started more than
    # once per hour you will have concurrent 'git fsck' jobs.
    repository_check_worker:
      cron: "20 * * * *"
    # Send admin emails once a week
    admin_email_worker:
      cron: "0 0 * * 0"
    # Remove outdated repository archives
    repository_archive_cache_worker:
      cron: "0 * * * *"
  registry:
    # enabled: true
    # host: registry.example.com
    # port: 5005
    # api_url: http://localhost:5000/ # internal address to the registry, will be used by GitLab to directly communicate with API
    # key: config/registry.key
    # path: shared/registry
    # issuer: gitlab-issuer
  #
  # 2. GitLab CI settings
  # ==========================
  gitlab_ci:
    # Default project notifications settings:
    #
    # Send emails only on broken builds (default: true)
    # all_broken_builds: true
    #
    # Add pusher to recipients list (default: false)
    # add_pusher: true
    # The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root
    # builds_path: builds/
  #
  # 3. Auth settings
  # ==========================
  ## LDAP settings
  # You can inspect a sample of the LDAP users with login access by running:
  #   bundle exec rake gitlab:ldap:check RAILS_ENV=production
  ldap:
    enabled: false
    servers:
      ##########################################################################
      #
      # Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab
      # Enterprise Edition now supports connecting to multiple LDAP servers.
      #
      # If you are updating from the old (pre-7.4) syntax, you MUST give your
      # old server the ID 'main'.
      #
      ##########################################################################
      main: # 'main' is the GitLab 'provider ID' of this LDAP server
        ## label
        #
        # A human-friendly name for your LDAP server. It is OK to change the label later,
        # for instance if you find out it is too large to fit on the web page.
        #
        # Example: 'Paris' or 'Acme, Ltd.'
        label: 'LDAP'
        host: '_your_ldap_server'
        port: 389
        uid: 'sAMAccountName'
        method: 'plain' # "tls" or "ssl" or "plain"
        bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
        password: '_the_password_of_the_bind_user'
        # Set a timeout, in seconds, for LDAP queries. This helps avoid blocking
        # a request if the LDAP server becomes unresponsive.
        # A value of 0 means there is no timeout.
        timeout: 10
        # This setting specifies if LDAP server is Active Directory LDAP server.
        # For non AD servers it skips the AD specific queries.
        # If your LDAP server is not AD, set this to false.
        active_directory: true
        # If allow_username_or_email_login is enabled, GitLab will ignore everything
        # after the first '@' in the LDAP username submitted by the user on login.
        #
        # Example:
        # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
        # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
        #
        # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
        # disable this setting, because the userPrincipalName contains an '@'.
        allow_username_or_email_login: false
        # To maintain tight control over the number of active users on your GitLab installation,
        # enable this setting to keep new users blocked until they have been cleared by the admin
        # (default: false).
        block_auto_created_users: false
        # Base where we can search for users
        #
        #   Ex. ou=People,dc=gitlab,dc=example
        #
        base: ''
        # Filter LDAP users
        #
        #   Format: RFC 4515 http://tools.ietf.org/search/rfc4515
        #   Ex. (employeeType=developer)
        #
        #   Note: GitLab does not support omniauth-ldap's custom filter syntax.
        #
        user_filter: ''
        # LDAP attributes that GitLab will use to create an account for the LDAP user.
        # The specified attribute can either be the attribute name as a string (e.g. 'mail'),
        # or an array of attribute names to try in order (e.g. ['mail', 'email']).
        # Note that the user's LDAP login will always be the attribute specified as `uid` above.
        attributes:
          # The username will be used in paths for the user's own projects
          # (like `gitlab.example.com/username/project`) and when mentioning
          # them in issues, merge request and comments (like `@username`).
          # If the attribute specified for `username` contains an email address,
          # the GitLab username will be the part of the email address before the '@'.
          username: ['uid', 'userid', 'sAMAccountName']
          email:    ['mail', 'email', 'userPrincipalName']
          # If no full name could be found at the attribute specified for `name`,
          # the full name is determined using the attributes specified for
          # `first_name` and `last_name`.
          name:       'cn'
          first_name: 'givenName'
          last_name:  'sn'
      # GitLab EE only: add more LDAP servers
      # Choose an ID made of a-z and 0-9 . This ID will be stored in the database
      # so that GitLab can remember which LDAP server a user belongs to.
      # uswest2:
      #   label:
      #   host:
      #   ....
  ## OmniAuth settings
  omniauth:
    # Allow login via Twitter, Google, etc. using OmniAuth providers
    enabled: false
    # Uncomment this to automatically sign in with a specific omniauth provider's without
    # showing GitLab's sign-in page (default: show the GitLab sign-in page)
    # auto_sign_in_with_provider: saml
    # Sync user's email address from the specified Omniauth provider every time the user logs
    # in (default: nil). And consequently make this field read-only.
    # sync_email_from_provider: cas3
    # CAUTION!
    # This allows users to login without having a user account first. Define the allowed providers
    # using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none.
    # User accounts will be created automatically when authentication was successful.
    allow_single_sign_on: ["saml"]
    # Locks down those users until they have been cleared by the admin (default: true).
    block_auto_created_users: true
    # Look up new users in LDAP servers. If a match is found (same uid), automatically
    # link the omniauth identity with the LDAP account. (default: false)
    auto_link_ldap_user: false
    # Allow users with existing accounts to login and auto link their account via SAML
    # login, without having to do a manual login first and manually add SAML
    # (default: false)
    auto_link_saml_user: false
    # Set different Omniauth providers as external so that all users creating accounts
    # via these providers will not be able to have access to internal projects. You
    # will need to use the full name of the provider, like `google_oauth2` for Google.
    # Refer to the examples below for the full names of the supported providers.
    # (default: [])
    external_providers: []
    ## Auth providers
    # Uncomment the following lines and fill in the data of the auth provider you want to use
    # If your favorite auth provider is not listed you can use others:
    # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations
    # The 'app_id' and 'app_secret' parameters are always passed as the first two
    # arguments, followed by optional 'args' which can be either a hash or an array.
    # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
    providers:
      # See omniauth-cas3 for more configuration details
      # - { name: 'cas3',
      #     label: 'cas3',
      #     args: {
      #             url: 'https://sso.example.com',
      #             disable_ssl_verification: false,
      #             login_url: '/cas/login',
      #             service_validate_url: '/cas/p3/serviceValidate',
      #             logout_url: '/cas/logout'} }
      # - { name: 'authentiq',
      #     # for client credentials (client ID and secret), go to https://www.authentiq.com/
      #     app_id: 'YOUR_CLIENT_ID',
      #     app_secret: 'YOUR_CLIENT_SECRET',
      #     args: {
      #             scope: 'aq:name email~rs address aq:push'
      #             # redirect_uri parameter is optional except when 'gitlab.host' in this file is set to 'localhost'
      #             # redirect_uri: 'YOUR_REDIRECT_URI'
      #           }
      #   }
      # - { name: 'github',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET',
      #     url: "https://github.com/",
      #     verify_ssl: true,
      #     args: { scope: 'user:email' } }
      # - { name: 'bitbucket',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET' }
      # - { name: 'gitlab',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET',
      #     args: { scope: 'api' } }
      # - { name: 'google_oauth2',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET',
      #     args: { access_type: 'offline', approval_prompt: '' } }
      # - { name: 'facebook',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET' }
      # - { name: 'twitter',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET' }
      #
      # - { name: 'saml',
      #     label: 'Our SAML Provider',
      #     groups_attribute: 'Groups',
      #     external_groups: ['Contractors', 'Freelancers'],
      #     args: {
      #             assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
      #             idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
      #             idp_sso_target_url: 'https://login.example.com/idp',
      #             issuer: 'https://gitlab.example.com',
      #             name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
      #           } }
      #
      # - { name: 'crowd',
      #     args: {
      #       crowd_server_url: 'CROWD SERVER URL',
      #       application_name: 'YOUR_APP_NAME',
      #       application_password: 'YOUR_APP_PASSWORD' } }
      #
      # - { name: 'auth0',
      #     args: {
      #       client_id: 'YOUR_AUTH0_CLIENT_ID',
      #       client_secret: 'YOUR_AUTH0_CLIENT_SECRET',
      #       namespace: 'YOUR_AUTH0_DOMAIN' } }
    # SSO maximum session duration in seconds. Defaults to CAS default of 8 hours.
    # cas3:
    #   session_duration: 28800
  # Shared file storage settings
  shared:
    path: /var/lib/gitlab/shared # Default: shared
  # Gitaly settings
  gitaly:
    # This setting controls whether GitLab uses Gitaly (new component
    # introduced in 9.0). Eventually Gitaly use will become mandatory and
    # this option will disappear.
    enabled: true
  #
  # 4. Advanced settings
  # ==========================
  ## Repositories settings
  repositories:
    # Paths where repositories can be stored. Give the canonicalized absolute pathname.
    # IMPORTANT: None of the path components may be symlink, because
    # gitlab-shell invokes Dir.pwd inside the repository path and that results
    # real path not the symlink.
    storages: # You must have at least a `default` storage path.
      default:
        path: /var/lib/gitlab/repositories/
        gitaly_address: unix:/var/lib/gitlab/sockets/gitlab-gitaly.socket # TCP connections are supported too (e.g. tcp://host:port)
  ## Backup settings
  backup:
    path: "/var/lib/gitlab/backups"   # Relative paths are relative to Rails.root (default: tmp/backups/)
    # archive_permissions: 0640 # Permissions for the resulting backup.tar file (default: 0600)
    # keep_time: 604800   # default: 0 (forever) (in seconds)
    # pg_schema: public     # default: nil, it means that all schemas will be backed up
    # upload:
    #   # Fog storage connection settings, see http://fog.io/storage/ .
    #   connection:
    #     provider: AWS
    #     region: eu-west-1
    #     aws_access_key_id: AKIAKIAKI
    #     aws_secret_access_key: 'secret123'
    #   # The remote 'directory' to store your backups. For S3, this would be the bucket name.
    #   remote_directory: 'my.s3.bucket'
    #   # Use multipart uploads when file size reaches 100MB, see
    #   #  http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
    #   multipart_chunk_size: 104857600
    #   # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
    #   # encryption: 'AES256'
    #   # Specifies Amazon S3 storage class to use for backups, this is optional
    #   # storage_class: 'STANDARD'
  ## GitLab Shell settings
  gitlab_shell:
    path: /usr/share/webapps/gitlab-shell/
    hooks_path: /usr/share/webapps/gitlab-shell/hooks/
    # File that contains the secret key for verifying access for gitlab-shell.
    # Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app).
    # secret_file: /home/git/gitlab/.gitlab_shell_secret
    # Git over HTTP
    upload_pack: true
    receive_pack: true
    # Git import/fetch timeout
    # git_timeout: 800
    # If you use non-standard ssh port you need to specify it
    # ssh_port: 22
  workhorse:
    # File that contains the secret key for verifying access for gitlab-workhorse.
    # Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app).
    # secret_file: /home/git/gitlab/.gitlab_workhorse_secret
  ## Git settings
  # CAUTION!
  # Use the default values unless you really know what you are doing
  git:
    bin_path: /usr/bin/git
    # The next value is the maximum memory size grit can use
    # Given in number of bytes per git object (e.g. a commit)
    # This value can be increased if you have very large commits
    max_size: 20971520 # 20.megabytes
    # Git timeout to read a commit, in seconds
    timeout: 10
  ## Webpack settings
  # If enabled, this will tell rails to serve frontend assets from the webpack-dev-server running
  # on a given port instead of serving directly from /assets/webpack. This is only indended for use
  # in development.
  webpack:
    # dev_server:
    #   enabled: true
    #   host: localhost
    #   port: 3808
  #
  # 5. Extra customization
  # ==========================
  extra:
    ## Google analytics. Uncomment if you want it
    # google_analytics_id: '_your_tracking_id'
    ## Piwik analytics.
    # piwik_url: '_your_piwik_url'
    # piwik_site_id: '_your_piwik_site_id'
  rack_attack:
    git_basic_auth:
      # Rack Attack IP banning enabled
      # enabled: true
      #
      # Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers
      # ip_whitelist: ["127.0.0.1"]
      #
      # Limit the number of Git HTTP authentication attempts per IP
      # maxretry: 10
      #
      # Reset the auth attempt counter per IP after 60 seconds
      # findtime: 60
      #
      # Ban an IP for one hour (3600s) after too many auth attempts
      # bantime: 3600
 development:
  <<: *base
 test:
  <<: *base
  gravatar:
    enabled: true
  lfs:
    enabled: false
  gitlab:
    host: localhost
    port: 80
    # When you run tests we clone and setup gitlab-shell
    # In order to setup it correctly you need to specify
    # your system username you use to run GitLab
    # user: YOUR_USERNAME
  pages:
    path: tmp/tests/pages
  repositories:
    storages:
      default:
        path: tmp/tests/repositories/
        gitaly_address: unix:tmp/tests/gitaly/gitaly.socket
  gitaly:
    enabled: true
  backup:
    path: tmp/tests/backups
  gitlab_shell:
    path: tmp/tests/gitlab-shell/
    hooks_path: tmp/tests/gitlab-shell/hooks/
  issues_tracker:
    redmine:
      title: "Redmine"
      project_url: "http://redmine/projects/:issues_tracker_id"
      issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
      new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
    jira:
      title: "JIRA"
      url: https://sample_company.atlassian.net
      project_key: PROJECT
  ldap:
    enabled: false
    servers:
      main:
        label: ldap
        host: 127.0.0.1
        port: 3890
        uid: 'uid'
        method: 'plain' # "tls" or "ssl" or "plain"
        base: 'dc=example,dc=com'
        user_filter: ''
        group_base: 'ou=groups,dc=example,dc=com'
        admin_group: ''
 staging:
  <<: *base
--- a/states/roles/maintain/gitlab/conf_files/production.rb
+++ b/states/roles/maintain/gitlab/conf_files/production.rb
@ -1,83 +0,0 @@
 Rails.application.configure do
  # Settings specified here will take precedence over those in config/application.rb
  # Code is not reloaded between requests
  config.cache_classes = true
  # Full error reports are disabled and caching is turned on
  config.consider_all_requests_local       = false
  config.action_controller.perform_caching = true
  # Disable Rails's static asset server (Apache or nginx will already do this)
  config.serve_static_files = false
  # Compress JavaScripts and CSS.
  config.assets.js_compressor = :uglifier
  # config.assets.css_compressor = :sass
  # Don't fallback to assets pipeline if a precompiled asset is missed
  config.assets.compile = false
  # Generate digests for assets URLs
  config.assets.digest = true
  # Enable compression of compiled assets using gzip.
  config.assets.compress = true
  # Defaults to nil and saved in location specified by config.assets.prefix
  # config.assets.manifest = YOUR_PATH
  # Specifies the header that your server uses for sending files
  # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
  # config.force_ssl = true
  # See everything in the log (default is :info)
  config.log_level = :info
  # Suppress 'Rendered template ...' messages in the log
  # source: http://stackoverflow.com/a/16369363
  %w{render_template render_partial render_collection}.each do |event|
    ActiveSupport::Notifications.unsubscribe "#{event}.action_view"
  end
  # Prepend all log lines with the following tags
  # config.log_tags = [ :subdomain, :uuid ]
  # Use a different logger for distributed setups
  # config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
  # Enable serving of images, stylesheets, and JavaScripts from an asset server
  config.action_controller.asset_host = ENV['GITLAB_CDN_HOST'] if ENV['GITLAB_CDN_HOST'].present?
  # Precompile additional assets (application.js, application.css, and all non-JS/CSS are already added)
  # config.assets.precompile += %w( search.js )
  # Disable delivery errors, bad email addresses will be ignored
  # config.action_mailer.raise_delivery_errors = false
  # Enable threaded mode
  # config.threadsafe! unless $rails_rake_task
  # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
  # the I18n.default_locale when a translation can not be found)
  config.i18n.fallbacks = true
  # Send deprecation notices to registered listeners
  config.active_support.deprecation = :notify
  config.action_mailer.delivery_method = :smtp
  # Defaults to:
  # # config.action_mailer.sendmail_settings = {
  # #   location: '/usr/sbin/sendmail',
  # #   arguments: '-i -t'
  # # }
  config.action_mailer.perform_deliveries = true
  config.action_mailer.raise_delivery_errors = true
  config.eager_load = true
  config.allow_concurrency = false
 end
--- a/states/roles/maintain/gitlab/conf_files/redis.conf
+++ b/states/roles/maintain/gitlab/conf_files/redis.conf
--- a/states/roles/maintain/gitlab/conf_files/resque.yml
+++ b/states/roles/maintain/gitlab/conf_files/resque.yml
@ -1,34 +0,0 @@
 # If you change this file in a Merge Request, please also create
 # a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
 #
 development:
  url: unix:/run/redis/redis.sock
  # sentinels:
  #   -
  #     host: localhost
  #     port: 26380 # point to sentinel, not to redis port
  #   -
  #     host: slave2
  #     port: 26381 # point to sentinel, not to redis port
 test:
  url: unix:/run/redis/redis.sock
 production:
  # Redis (single instance)
  url: unix:/run/redis/redis.sock
  ##
  # Redis + Sentinel (for HA)
  #
  # Please read instructions carefully before using it as you may lose data:
  # http://redis.io/topics/sentinel
  #
  # You must specify a list of a few sentinels that will handle client connection
  # please read here for more information: https://docs.gitlab.com/ce/administration/high_availability/redis.html
  ##
  # url: redis://master:6379
  # sentinels:
  #   -
  #     host: slave1
  #     port: 26379 # point to sentinel, not to redis port
  #   -
  #     host: slave2
  #     port: 26379 # point to sentinel, not to redis port
--- a/states/roles/maintain/gitlab/conf_files/smtp_settings.rb
+++ b/states/roles/maintain/gitlab/conf_files/smtp_settings.rb
@ -1,23 +0,0 @@
 # To enable smtp email delivery for your GitLab instance do the following:
 # 1. Rename this file to smtp_settings.rb
 # 2. Edit settings inside this file
 # 3. Restart GitLab instance
 #
 # For full list of options and their values see http://api.rubyonrails.org/classes/ActionMailer/Base.html
 #
 # If you change this file in a Merge Request, please also create a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
 if Rails.env.production?
  Rails.application.config.action_mailer.delivery_method = :smtp
  ActionMailer::Base.delivery_method = :smtp
  ActionMailer::Base.smtp_settings = {
    authentication: :plain,
    address: "smtp.zoho.com",
    port: 587,
    user_name: "notifications@actcur.com",
    password: "{%- include 'secure/passwords/gitlab_smtp_password.txt' -%}",
    domain: "smtp.zoho.com",
    enable_starttls_auto: true,
  }
 end
--- a/states/roles/maintain/gitlab/conf_files/tmp_redis.conf
+++ b/states/roles/maintain/gitlab/conf_files/tmp_redis.conf
@ -1 +0,0 @@
 d /run/redis 0755 redis redis -
--- a/states/roles/maintain/gitlab/init.sls
+++ b/states/roles/maintain/gitlab/init.sls
@ -1,175 +0,0 @@
 gitlab:
  pkg.installed
 mariadb:
  pkg.installed
 gitlab_nginx:
  pkg.installed:
    - name: nginx
 #managed files
 /etc/webapps/gitlab/gitlab.yml:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/gitlab.yml
    - user: root
    - group: root
    - mode: 644
 /etc/webapps/gitlab/database.yml:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/database.yml
    - user: gitlab
    - group: gitlab
    - mode: 600
    - template: jinja
 /etc/webapps/gitlab/resque.yml:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/resque.yml
    - user: root
    - group: root
    - mode: 644
 /etc/webapps/gitlab-shell/config.yml:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/config.yml
    - user: gitlab
    - group: gitlab
    - mode: 600
 /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/smtp_settings.rb
    - user: root
    - group: root
    - mode: 644
    - template: jinja
 /usr/share/webapps/gitlab/config/environments/production.rb:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/production.rb
    - user: root
    - group: root
    - mode: 644
 /etc/redis.conf:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/redis.conf
    - user: root
    - group: root
    - mode: 644
 /etc/tempfiles.d/redis.conf:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/tmp_redis.conf
    - user: root
    - group: root
    - mode: 644
    - makedirs: true
 /etc/nginx/conf.d/gitlab.conf:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/gitlab.conf
    - user: root
    - group: root
    - makedirs: true
    - dir_mode: 755
    - mode: 644
 #add users git and gitlab to redis group
 git_user:
  user.present:
    - name: git
    - groups:
      - redis
 gitlab_user:
  user.present:
    - name: gitlab
    - groups:
      - redis
 #migrate redis database as gitlab user if necessary
 redis-running:
  service.running:
    - name: redis
    - enable: true
    - watch:
      - file: /etc/redis.conf
      - file: /etc/tempfiles.d/redis.conf
 gitlab_rake_db:
  cmd.run:
    - name: "bundle-2.3 exec rake db:migrate RAILS_ENV=production"
    - cwd: "/usr/share/webapps/gitlab"
    - runas: gitlab
    - watch:
      - pkg: gitlab
 #global git configuration
 gitlab_git_name:
  git.config_set:
    - name: user.name
    - value: "Actaeus Curabitur"
    - user: gitlab
    - global: true
 gitlab_git_email:
  git.config_set:
    - name: user.email
    - value: "actcur@actcur.com"
    - user: gitlab
    - global: true
 gitlab_git_crlf:
  git.config_set:
    - name: core.autocrlf
    - value: "input"
    - user: gitlab
    - global: true
 #create symlink
 symlink_repos:
  file.symlink:
    - name: /var/lib/gitlab/repositories
    - target: /mnt/repos
    - force: true
 #verify perms for repos are right
 /var/lib/gitlab/repositories/:
  file.directory:
    - user: gitlab
    - group: gitlab
    - dir_mode: 4770
 #start services
 gitlab.target:
  service.running:
    - enable: true
    - watch:
      - file: /etc/webapps/gitlab/gitlab.yml
      - file: /etc/webapps/gitlab/database.yml
      - file: /etc/webapps/gitlab/resque.yml
      - file: /etc/webapps/gitlab-shell/config.yml
      - file: /etc/nginx/conf.d/gitlab.conf
      - file: /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb
      - file: /usr/share/webapps/gitlab/config/environments/production.rb
 gitlab-workhorse:
  service.running:
    - enable: true
    - watch:
      - file: /etc/webapps/gitlab/gitlab.yml
      - file: /etc/webapps/gitlab/database.yml
      - file: /etc/webapps/gitlab/resque.yml
      - file: /etc/webapps/gitlab-shell/config.yml
      - file: /etc/nginx/conf.d/gitlab.conf
      - file: /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb
      - file: /usr/share/webapps/gitlab/config/environments/production.rb
 gitlab-unicorn:
  service.running:
    - enable: true
    - watch:
      - file: /etc/webapps/gitlab/gitlab.yml
      - file: /etc/webapps/gitlab/database.yml
      - file: /etc/webapps/gitlab/resque.yml
      - file: /etc/webapps/gitlab-shell/config.yml
      - file: /etc/nginx/conf.d/gitlab.conf
      - file: /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb
      - file: /usr/share/webapps/gitlab/config/environments/production.rb
 gitlab-sidekiq:
  service.running:
    - enable: true
    - watch:
      - file: /etc/webapps/gitlab/gitlab.yml
      - file: /etc/webapps/gitlab/database.yml
      - file: /etc/webapps/gitlab/resque.yml
      - file: /etc/webapps/gitlab-shell/config.yml
      - file: /etc/nginx/conf.d/gitlab.conf
      - file: /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb
      - file: /usr/share/webapps/gitlab/config/environments/production.rb
--- a/states/roles/maintain/gitlabarch/conf_files/config.yml
+++ b/states/roles/maintain/gitlabarch/conf_files/config.yml
@ -1,73 +0,0 @@
 #
 # If you change this file in a Merge Request, please also create
 # a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
 #
 # GitLab user. git by default
 user: gitlab
 # URL to GitLab instance, used for API calls. Default: http://localhost:8080.
 # For relative URL support read http://doc.gitlab.com/ce/install/relative_url.html
 # You only have to change the default if you have configured Unicorn
 # to listen on a custom port, or if you have configured Unicorn to
 # only listen on a Unix domain socket. For Unix domain sockets use
 # "http+unix://<urlquoted-path-to-socket>", e.g.
 # "http+unix://%2Fpath%2Fto%2Fsocket"
 gitlab_url: "http://localhost:8080"
 # See installation.md#using-https for additional HTTPS configuration details.
 http_settings:
 #  read_timeout: 300
 #  user: someone
 #  password: somepass
 #  ca_file: /etc/ssl/cert.pem
 #  ca_path: /etc/pki/tls/certs
  self_signed_cert: false
 # File used as authorized_keys for gitlab user
 auth_file: "/var/lib/gitlab/.ssh/authorized_keys"
 # File that contains the secret key for verifying access to GitLab.
 # Default is .gitlab_shell_secret in the gitlab-shell directory.
 # secret_file: "/var/lib/gitlab/gitlab-shell/.gitlab_shell_secret"
 # Parent directory for global custom hook directories (pre-receive.d, update.d, post-receive.d)
 # Default is hooks in the gitlab-shell directory.
 # custom_hooks_dir: "/var/lib/gitlab/gitlab-shell/hooks"
 # Redis settings used for pushing commit notices to gitlab
 redis:
  bin: /usr/bin/redis-cli
  host: 127.0.0.1
  port: 6379
  # pass: redispass # Allows you to specify the password for Redis
  database: 5
  socket: /run/redis/redis.sock # Comment out this line if you want to use TCP or Sentinel
  namespace: resque:gitlab
  # sentinels:
  #   -
  #     host: 127.0.0.1
  #     port: 26380
  #   -
  #     host: 127.0.0.1
  #     port: 26381
 # Log file.
 # Default is gitlab-shell.log in the root directory.
 log_file: "/var/log/gitlab/gitlab-shell.log"
 # Log level. INFO by default
 log_level: INFO
 # Audit usernames.
 # Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but
 # incurs an extra API call on every gitlab-shell command.
 audit_usernames: false
 # Git trace log file.
 # If set, git commands receive GIT_TRACE* environment variables
 # See https://git-scm.com/book/es/v2/Git-Internals-Environment-Variables#Debugging for documentation
 # An absolute path starting with / – the trace output will be appended to that file.
 # It needs to exist so we can check permissions and avoid to throwing warnings to the users.
 git_trace_log_file:
--- a/states/roles/maintain/gitlabarch/conf_files/database.yml
+++ b/states/roles/maintain/gitlabarch/conf_files/database.yml
@ -1,44 +0,0 @@
 #
 # PRODUCTION
 #
 production:
  adapter: mysql2
  encoding: utf8
  collation: utf8_general_ci
  reconnect: false
  database: gitlab
  pool: 10
  username: gitlab
  password: "{%- include 'secure/passwords/gitlab_db_password.txt' -%}"
  host: sql.actcur.com
  # socket: /tmp/mysql.sock
 #
 # Development specific
 #
 development:
  adapter: mysql2
  encoding: utf8
  collation: utf8_general_ci
  reconnect: false
  database: gitlabhq_development
  pool: 5
  username: root
  password: "secure password"
  # host: localhost
  # socket: /tmp/mysql.sock
 # Warning: The database defined as "test" will be erased and
 # re-generated from your development database when you run "rake".
 # Do not set this db to the same as development or production.
 test: &test
  adapter: mysql2
  encoding: utf8mb4
  collation: utf8mb4_general_ci
  reconnect: false
  database: gitlabhq_test
  pool: 5
  username: root
  password:
  # host: localhost
  # socket: /tmp/mysql.sock
--- a/states/roles/maintain/gitlabarch/conf_files/gitlab.conf
+++ b/states/roles/maintain/gitlabarch/conf_files/gitlab.conf
@ -1,69 +0,0 @@
 ## GitLab
 ##
 ## Lines starting with two hashes (##) are comments with information.
 ## Lines starting with one hash (#) are configuration parameters that can be uncommented.
 ##
 ##################################
 ##        CONTRIBUTING          ##
 ##################################
 ##
 ## If you change this file in a Merge Request, please also create
 ## a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
 ##
 ###################################
 ##         configuration         ##
 ###################################
 ##
 ## See installation.md#using-https for additional HTTPS configuration details.
 upstream gitlab-workhorse {
  server unix:/run/gitlab/gitlab-workhorse.socket fail_timeout=0;
 }
 ## Normal HTTP host
 server {
  ## Either remove "default_server" from the listen line below,
  ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
  ## to be served if you visit any address that your server responds to, eg.
  ## the ip address of the server (http://x.x.x.x/)n 0.0.0.0:80 default_server;
  listen 0.0.0.0:8000;
  listen [::]:8000;
  server_name git2.actcur.com; ## Replace this with something like gitlab.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice
  ## See app/controllers/application_controller.rb for headers set
  ## Individual nginx logs for this GitLab vhost
  access_log  /var/log/nginx/gitlab_access.log;
  error_log   /var/log/nginx/gitlab_error.log;
  location / {
    client_max_body_size 0;
    gzip off;
    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;
    proxy_http_version 1.1;
    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_pass http://gitlab-workhorse;
  }
  error_page 404 /404.html;
  error_page 422 /422.html;
  error_page 500 /500.html;
  error_page 502 /502.html;
  location ~ ^/(404|422|500|502)\.html$ {
    root /usr/share/webapps/gitlab/public;
    internal;
  }
 }
--- a/states/roles/maintain/gitlabarch/conf_files/gitlab.yml
+++ b/states/roles/maintain/gitlabarch/conf_files/gitlab.yml
@ -1,627 +0,0 @@
 # # # # # # # # # # # # # # # # # #
 # GitLab application config file  #
 # # # # # # # # # # # # # # # # # #
 #
 ###########################  NOTE  #####################################
 # This file should not receive new settings. All configuration options #
 # * are being moved to ApplicationSetting model!                       #
 # If a setting requires an application restart say so in that screen.  #
 # If you change this file in a Merge Request, please also create       #
 # a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests  #
 ########################################################################
 #
 #
 # How to use:
 # 1. Copy file as gitlab.yml
 # 2. Update gitlab -> host with your fully qualified domain name
 # 3. Update gitlab -> email_from
 # 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git
 #    IMPORTANT: If Git was installed in a different location use that instead.
 #    You can check with `which git`. If a wrong path of Git is specified, it will
 #     result in various issues such as failures of GitLab CI builds.
 # 5. Review this configuration file for other settings you may want to adjust
 production: &base
  #
  # 1. GitLab app settings
  # ==========================
  ## GitLab settings
  gitlab:
    ## Web server settings (note: host is the FQDN, do not include http://)
    host: git.actcur.com
    port: 443 # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
    https: true # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
    # Uncommment this line below if your ssh host is different from HTTP/HTTPS one
    # (you'd obviously need to replace ssh.host_example.com with your own host).
    # Otherwise, ssh host will be set to the `host:` value above
    # ssh_host: ssh.host_example.com
    # Relative URL support
    # WARNING: We recommend using an FQDN to host GitLab in a root path instead
    # of using a relative URL.
    # Documentation: http://doc.gitlab.com/ce/install/relative_url.html
    # Uncomment and customize the following line to run in a non-root path
    #
    # relative_url_root: /gitlab
    # Trusted Proxies
    # Customize if you have GitLab behind a reverse proxy which is running on a different machine.
    # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
    trusted_proxies:
      # Examples:
      #- 192.168.1.0/24
      #- 192.168.2.1
      #- 2001:0db8::/32
    # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
    user: gitlab
    ## Date & Time settings
    # Uncomment and customize if you want to change the default time zone of GitLab application.
    # To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production`
    # time_zone: 'UTC'
    ## Email settings
    # Uncomment and set to false if you need to disable email sending from GitLab (default: true)
    # email_enabled: true
    # Email address used in the "From" field in mails sent by GitLab
    email_from: notifications@actcur.com
    email_display_name: Actcur Git
    email_reply_to: noreply@actcur.com
    email_subject_suffix: ''
    # Email server smtp settings are in config/initializers/smtp_settings.rb.sample
    # default_can_create_group: false  # default: true
    # username_changing_enabled: false # default: true - User can change her username/namespace
    ## Automatic issue closing
    # If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
    # This happens when the commit is pushed or merged into the default branch of a project.
    # When not specified the default issue_closing_pattern as specified below will be used.
    # Tip: you can test your closing pattern at http://rubular.com.
    # issue_closing_pattern: '((?:[Cc]los(?:e[sd]?|ing)|[Ff]ix(?:e[sd]|ing)?|[Rr]esolv(?:e[sd]?|ing))(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)'
    ## Default project features settings
    default_projects_features:
      issues: true
      merge_requests: true
      wiki: true
      snippets: true
      builds: true
      container_registry: true
    ## Webhook settings
    # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
    # webhook_timeout: 10
    ## Repository downloads directory
    # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory.
    # The default is 'shared/cache/archive/' relative to the root of the Rails app.
    # repository_downloads_path: shared/cache/archive/
  ## Reply by email
  # Allow users to comment on issues and merge requests by replying to notification emails.
  # For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html
  incoming_email:
    enabled: false
    # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
    # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
    address: "gitlab-incoming+%{key}@gmail.com"
    # Email account username
    # With third party providers, this is usually the full email address.
    # With self-hosted email servers, this is usually the user part of the email address.
    user: "gitlab-incoming@gmail.com"
    # Email account password
    password: "[REDACTED]"
    # IMAP server host
    host: "imap.gmail.com"
    # IMAP server port
    port: 993
    # Whether the IMAP server uses SSL
    ssl: true
    # Whether the IMAP server uses StartTLS
    start_tls: false
    # The mailbox where incoming mail will end up. Usually "inbox".
    mailbox: "inbox"
    # The IDLE command timeout.
    idle_timeout: 60
  ## Build Artifacts
  artifacts:
    enabled: true
    # The location where build artifacts are stored (default: shared/artifacts).
    # path: shared/artifacts
  ## Git LFS
  lfs:
    enabled: true
    # The location where LFS objects are stored (default: shared/lfs-objects).
    # storage_path: shared/lfs-objects
  ## GitLab Pages
  pages:
    enabled: false
    # The location where pages are stored (default: shared/pages).
    # path: shared/pages
    # The domain under which the pages are served:
    # http://group.example.com/project
    # or project path can be a group page: group.example.com
    host: example.com
    port: 80 # Set to 443 if you serve the pages with HTTPS
    https: false # Set to true if you serve the pages with HTTPS
    # external_http: ["1.1.1.1:80", "[2001::1]:80"] # If defined, enables custom domain support in GitLab Pages
    # external_https: ["1.1.1.1:443", "[2001::1]:443"] # If defined, enables custom domain and certificate support in GitLab Pages
  ## Mattermost
  ## For enabling Add to Mattermost button
  mattermost:
    enabled: false
    host: 'https://mattermost.example.com'
  ## Gravatar
  ## For Libravatar see: http://doc.gitlab.com/ce/customization/libravatar.html
  gravatar:
    # gravatar urls: possible placeholders: %{hash} %{size} %{email} %{username}
    # plain_url: "http://..."     # default: http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
    # ssl_url:   "https://..."    # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
  ## Auxiliary jobs
  # Periodically executed jobs, to self-heal Gitlab, do external synchronizations, etc.
  # Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
  cron_jobs:
    # Flag stuck CI jobs as failed
    stuck_ci_jobs_worker:
      cron: "0 * * * *"
    # Execute scheduled triggers
    pipeline_schedule_worker:
      cron: "19 * * * *"
    # Remove expired build artifacts
    expire_build_artifacts_worker:
      cron: "50 * * * *"
    # Periodically run 'git fsck' on all repositories. If started more than
    # once per hour you will have concurrent 'git fsck' jobs.
    repository_check_worker:
      cron: "20 * * * *"
    # Send admin emails once a week
    admin_email_worker:
      cron: "0 0 * * 0"
    # Remove outdated repository archives
    repository_archive_cache_worker:
      cron: "0 * * * *"
  registry:
    # enabled: true
    # host: registry.example.com
    # port: 5005
    # api_url: http://localhost:5000/ # internal address to the registry, will be used by GitLab to directly communicate with API
    # key: config/registry.key
    # path: shared/registry
    # issuer: gitlab-issuer
  #
  # 2. GitLab CI settings
  # ==========================
  gitlab_ci:
    # Default project notifications settings:
    #
    # Send emails only on broken builds (default: true)
    # all_broken_builds: true
    #
    # Add pusher to recipients list (default: false)
    # add_pusher: true
    # The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root
    # builds_path: builds/
  #
  # 3. Auth settings
  # ==========================
  ## LDAP settings
  # You can inspect a sample of the LDAP users with login access by running:
  #   bundle exec rake gitlab:ldap:check RAILS_ENV=production
  ldap:
    enabled: false
    servers:
      ##########################################################################
      #
      # Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab
      # Enterprise Edition now supports connecting to multiple LDAP servers.
      #
      # If you are updating from the old (pre-7.4) syntax, you MUST give your
      # old server the ID 'main'.
      #
      ##########################################################################
      main: # 'main' is the GitLab 'provider ID' of this LDAP server
        ## label
        #
        # A human-friendly name for your LDAP server. It is OK to change the label later,
        # for instance if you find out it is too large to fit on the web page.
        #
        # Example: 'Paris' or 'Acme, Ltd.'
        label: 'LDAP'
        host: '_your_ldap_server'
        port: 389
        uid: 'sAMAccountName'
        method: 'plain' # "tls" or "ssl" or "plain"
        bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
        password: '_the_password_of_the_bind_user'
        # Set a timeout, in seconds, for LDAP queries. This helps avoid blocking
        # a request if the LDAP server becomes unresponsive.
        # A value of 0 means there is no timeout.
        timeout: 10
        # This setting specifies if LDAP server is Active Directory LDAP server.
        # For non AD servers it skips the AD specific queries.
        # If your LDAP server is not AD, set this to false.
        active_directory: true
        # If allow_username_or_email_login is enabled, GitLab will ignore everything
        # after the first '@' in the LDAP username submitted by the user on login.
        #
        # Example:
        # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
        # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
        #
        # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
        # disable this setting, because the userPrincipalName contains an '@'.
        allow_username_or_email_login: false
        # To maintain tight control over the number of active users on your GitLab installation,
        # enable this setting to keep new users blocked until they have been cleared by the admin
        # (default: false).
        block_auto_created_users: false
        # Base where we can search for users
        #
        #   Ex. ou=People,dc=gitlab,dc=example
        #
        base: ''
        # Filter LDAP users
        #
        #   Format: RFC 4515 http://tools.ietf.org/search/rfc4515
        #   Ex. (employeeType=developer)
        #
        #   Note: GitLab does not support omniauth-ldap's custom filter syntax.
        #
        user_filter: ''
        # LDAP attributes that GitLab will use to create an account for the LDAP user.
        # The specified attribute can either be the attribute name as a string (e.g. 'mail'),
        # or an array of attribute names to try in order (e.g. ['mail', 'email']).
        # Note that the user's LDAP login will always be the attribute specified as `uid` above.
        attributes:
          # The username will be used in paths for the user's own projects
          # (like `gitlab.example.com/username/project`) and when mentioning
          # them in issues, merge request and comments (like `@username`).
          # If the attribute specified for `username` contains an email address,
          # the GitLab username will be the part of the email address before the '@'.
          username: ['uid', 'userid', 'sAMAccountName']
          email:    ['mail', 'email', 'userPrincipalName']
          # If no full name could be found at the attribute specified for `name`,
          # the full name is determined using the attributes specified for
          # `first_name` and `last_name`.
          name:       'cn'
          first_name: 'givenName'
          last_name:  'sn'
      # GitLab EE only: add more LDAP servers
      # Choose an ID made of a-z and 0-9 . This ID will be stored in the database
      # so that GitLab can remember which LDAP server a user belongs to.
      # uswest2:
      #   label:
      #   host:
      #   ....
  ## OmniAuth settings
  omniauth:
    # Allow login via Twitter, Google, etc. using OmniAuth providers
    enabled: false
    # Uncomment this to automatically sign in with a specific omniauth provider's without
    # showing GitLab's sign-in page (default: show the GitLab sign-in page)
    # auto_sign_in_with_provider: saml
    # Sync user's email address from the specified Omniauth provider every time the user logs
    # in (default: nil). And consequently make this field read-only.
    # sync_email_from_provider: cas3
    # CAUTION!
    # This allows users to login without having a user account first. Define the allowed providers
    # using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none.
    # User accounts will be created automatically when authentication was successful.
    allow_single_sign_on: ["saml"]
    # Locks down those users until they have been cleared by the admin (default: true).
    block_auto_created_users: true
    # Look up new users in LDAP servers. If a match is found (same uid), automatically
    # link the omniauth identity with the LDAP account. (default: false)
    auto_link_ldap_user: false
    # Allow users with existing accounts to login and auto link their account via SAML
    # login, without having to do a manual login first and manually add SAML
    # (default: false)
    auto_link_saml_user: false
    # Set different Omniauth providers as external so that all users creating accounts
    # via these providers will not be able to have access to internal projects. You
    # will need to use the full name of the provider, like `google_oauth2` for Google.
    # Refer to the examples below for the full names of the supported providers.
    # (default: [])
    external_providers: []
    ## Auth providers
    # Uncomment the following lines and fill in the data of the auth provider you want to use
    # If your favorite auth provider is not listed you can use others:
    # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations
    # The 'app_id' and 'app_secret' parameters are always passed as the first two
    # arguments, followed by optional 'args' which can be either a hash or an array.
    # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
    providers:
      # See omniauth-cas3 for more configuration details
      # - { name: 'cas3',
      #     label: 'cas3',
      #     args: {
      #             url: 'https://sso.example.com',
      #             disable_ssl_verification: false,
      #             login_url: '/cas/login',
      #             service_validate_url: '/cas/p3/serviceValidate',
      #             logout_url: '/cas/logout'} }
      # - { name: 'authentiq',
      #     # for client credentials (client ID and secret), go to https://www.authentiq.com/
      #     app_id: 'YOUR_CLIENT_ID',
      #     app_secret: 'YOUR_CLIENT_SECRET',
      #     args: {
      #             scope: 'aq:name email~rs address aq:push'
      #             # redirect_uri parameter is optional except when 'gitlab.host' in this file is set to 'localhost'
      #             # redirect_uri: 'YOUR_REDIRECT_URI'
      #           }
      #   }
      # - { name: 'github',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET',
      #     url: "https://github.com/",
      #     verify_ssl: true,
      #     args: { scope: 'user:email' } }
      # - { name: 'bitbucket',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET' }
      # - { name: 'gitlab',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET',
      #     args: { scope: 'api' } }
      # - { name: 'google_oauth2',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET',
      #     args: { access_type: 'offline', approval_prompt: '' } }
      # - { name: 'facebook',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET' }
      # - { name: 'twitter',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET' }
      #
      # - { name: 'saml',
      #     label: 'Our SAML Provider',
      #     groups_attribute: 'Groups',
      #     external_groups: ['Contractors', 'Freelancers'],
      #     args: {
      #             assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
      #             idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
      #             idp_sso_target_url: 'https://login.example.com/idp',
      #             issuer: 'https://gitlab.example.com',
      #             name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
      #           } }
      #
      # - { name: 'crowd',
      #     args: {
      #       crowd_server_url: 'CROWD SERVER URL',
      #       application_name: 'YOUR_APP_NAME',
      #       application_password: 'YOUR_APP_PASSWORD' } }
      #
      # - { name: 'auth0',
      #     args: {
      #       client_id: 'YOUR_AUTH0_CLIENT_ID',
      #       client_secret: 'YOUR_AUTH0_CLIENT_SECRET',
      #       namespace: 'YOUR_AUTH0_DOMAIN' } }
    # SSO maximum session duration in seconds. Defaults to CAS default of 8 hours.
    # cas3:
    #   session_duration: 28800
  # Shared file storage settings
  shared:
    path: /var/lib/gitlab/shared # Default: shared
  # Gitaly settings
  gitaly:
    # This setting controls whether GitLab uses Gitaly (new component
    # introduced in 9.0). Eventually Gitaly use will become mandatory and
    # this option will disappear.
    enabled: true
  #
  # 4. Advanced settings
  # ==========================
  ## Repositories settings
  repositories:
    # Paths where repositories can be stored. Give the canonicalized absolute pathname.
    # IMPORTANT: None of the path components may be symlink, because
    # gitlab-shell invokes Dir.pwd inside the repository path and that results
    # real path not the symlink.
    storages: # You must have at least a `default` storage path.
      default:
        path: /var/lib/gitlab/repositories/
        gitaly_address: unix:/var/lib/gitlab/sockets/gitlab-gitaly.socket # TCP connections are supported too (e.g. tcp://host:port)
  ## Backup settings
  backup:
    path: "/var/lib/gitlab/backups"   # Relative paths are relative to Rails.root (default: tmp/backups/)
    # archive_permissions: 0640 # Permissions for the resulting backup.tar file (default: 0600)
    # keep_time: 604800   # default: 0 (forever) (in seconds)
    # pg_schema: public     # default: nil, it means that all schemas will be backed up
    # upload:
    #   # Fog storage connection settings, see http://fog.io/storage/ .
    #   connection:
    #     provider: AWS
    #     region: eu-west-1
    #     aws_access_key_id: AKIAKIAKI
    #     aws_secret_access_key: 'secret123'
    #   # The remote 'directory' to store your backups. For S3, this would be the bucket name.
    #   remote_directory: 'my.s3.bucket'
    #   # Use multipart uploads when file size reaches 100MB, see
    #   #  http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
    #   multipart_chunk_size: 104857600
    #   # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
    #   # encryption: 'AES256'
    #   # Specifies Amazon S3 storage class to use for backups, this is optional
    #   # storage_class: 'STANDARD'
  ## GitLab Shell settings
  gitlab_shell:
    path: /usr/share/webapps/gitlab-shell/
    hooks_path: /usr/share/webapps/gitlab-shell/hooks/
    # File that contains the secret key for verifying access for gitlab-shell.
    # Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app).
    # secret_file: /home/git/gitlab/.gitlab_shell_secret
    # Git over HTTP
    upload_pack: true
    receive_pack: true
    # Git import/fetch timeout
    # git_timeout: 800
    # If you use non-standard ssh port you need to specify it
    # ssh_port: 22
  workhorse:
    # File that contains the secret key for verifying access for gitlab-workhorse.
    # Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app).
    # secret_file: /home/git/gitlab/.gitlab_workhorse_secret
  ## Git settings
  # CAUTION!
  # Use the default values unless you really know what you are doing
  git:
    bin_path: /usr/bin/git
    # The next value is the maximum memory size grit can use
    # Given in number of bytes per git object (e.g. a commit)
    # This value can be increased if you have very large commits
    max_size: 20971520 # 20.megabytes
    # Git timeout to read a commit, in seconds
    timeout: 10
  ## Webpack settings
  # If enabled, this will tell rails to serve frontend assets from the webpack-dev-server running
  # on a given port instead of serving directly from /assets/webpack. This is only indended for use
  # in development.
  webpack:
    # dev_server:
    #   enabled: true
    #   host: localhost
    #   port: 3808
  #
  # 5. Extra customization
  # ==========================
  extra:
    ## Google analytics. Uncomment if you want it
    # google_analytics_id: '_your_tracking_id'
    ## Piwik analytics.
    # piwik_url: '_your_piwik_url'
    # piwik_site_id: '_your_piwik_site_id'
  rack_attack:
    git_basic_auth:
      # Rack Attack IP banning enabled
      # enabled: true
      #
      # Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers
      # ip_whitelist: ["127.0.0.1"]
      #
      # Limit the number of Git HTTP authentication attempts per IP
      # maxretry: 10
      #
      # Reset the auth attempt counter per IP after 60 seconds
      # findtime: 60
      #
      # Ban an IP for one hour (3600s) after too many auth attempts
      # bantime: 3600
 development:
  <<: *base
 test:
  <<: *base
  gravatar:
    enabled: true
  lfs:
    enabled: false
  gitlab:
    host: localhost
    port: 80
    # When you run tests we clone and setup gitlab-shell
    # In order to setup it correctly you need to specify
    # your system username you use to run GitLab
    # user: YOUR_USERNAME
  pages:
    path: tmp/tests/pages
  repositories:
    storages:
      default:
        path: tmp/tests/repositories/
        gitaly_address: unix:tmp/tests/gitaly/gitaly.socket
  gitaly:
    enabled: true
  backup:
    path: tmp/tests/backups
  gitlab_shell:
    path: tmp/tests/gitlab-shell/
    hooks_path: tmp/tests/gitlab-shell/hooks/
  issues_tracker:
    redmine:
      title: "Redmine"
      project_url: "http://redmine/projects/:issues_tracker_id"
      issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
      new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
    jira:
      title: "JIRA"
      url: https://sample_company.atlassian.net
      project_key: PROJECT
  ldap:
    enabled: false
    servers:
      main:
        label: ldap
        host: 127.0.0.1
        port: 3890
        uid: 'uid'
        method: 'plain' # "tls" or "ssl" or "plain"
        base: 'dc=example,dc=com'
        user_filter: ''
        group_base: 'ou=groups,dc=example,dc=com'
        admin_group: ''
 staging:
  <<: *base
--- a/states/roles/maintain/gitlabarch/conf_files/production.rb
+++ b/states/roles/maintain/gitlabarch/conf_files/production.rb
@ -1,83 +0,0 @@
 Rails.application.configure do
  # Settings specified here will take precedence over those in config/application.rb
  # Code is not reloaded between requests
  config.cache_classes = true
  # Full error reports are disabled and caching is turned on
  config.consider_all_requests_local       = false
  config.action_controller.perform_caching = true
  # Disable Rails's static asset server (Apache or nginx will already do this)
  config.serve_static_files = false
  # Compress JavaScripts and CSS.
  config.assets.js_compressor = :uglifier
  # config.assets.css_compressor = :sass
  # Don't fallback to assets pipeline if a precompiled asset is missed
  config.assets.compile = false
  # Generate digests for assets URLs
  config.assets.digest = true
  # Enable compression of compiled assets using gzip.
  config.assets.compress = true
  # Defaults to nil and saved in location specified by config.assets.prefix
  # config.assets.manifest = YOUR_PATH
  # Specifies the header that your server uses for sending files
  # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
  # config.force_ssl = true
  # See everything in the log (default is :info)
  config.log_level = :info
  # Suppress 'Rendered template ...' messages in the log
  # source: http://stackoverflow.com/a/16369363
  %w{render_template render_partial render_collection}.each do |event|
    ActiveSupport::Notifications.unsubscribe "#{event}.action_view"
  end
  # Prepend all log lines with the following tags
  # config.log_tags = [ :subdomain, :uuid ]
  # Use a different logger for distributed setups
  # config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
  # Enable serving of images, stylesheets, and JavaScripts from an asset server
  config.action_controller.asset_host = ENV['GITLAB_CDN_HOST'] if ENV['GITLAB_CDN_HOST'].present?
  # Precompile additional assets (application.js, application.css, and all non-JS/CSS are already added)
  # config.assets.precompile += %w( search.js )
  # Disable delivery errors, bad email addresses will be ignored
  # config.action_mailer.raise_delivery_errors = false
  # Enable threaded mode
  # config.threadsafe! unless $rails_rake_task
  # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
  # the I18n.default_locale when a translation can not be found)
  config.i18n.fallbacks = true
  # Send deprecation notices to registered listeners
  config.active_support.deprecation = :notify
  config.action_mailer.delivery_method = :smtp
  # Defaults to:
  # # config.action_mailer.sendmail_settings = {
  # #   location: '/usr/sbin/sendmail',
  # #   arguments: '-i -t'
  # # }
  config.action_mailer.perform_deliveries = true
  config.action_mailer.raise_delivery_errors = true
  config.eager_load = true
  config.allow_concurrency = false
 end
--- a/states/roles/maintain/gitlabarch/conf_files/redis.conf
+++ b/states/roles/maintain/gitlabarch/conf_files/redis.conf
--- a/states/roles/maintain/gitlabarch/conf_files/resque.yml
+++ b/states/roles/maintain/gitlabarch/conf_files/resque.yml
@ -1,34 +0,0 @@
 # If you change this file in a Merge Request, please also create
 # a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
 #
 development:
  url: unix:/run/redis/redis.sock
  # sentinels:
  #   -
  #     host: localhost
  #     port: 26380 # point to sentinel, not to redis port
  #   -
  #     host: slave2
  #     port: 26381 # point to sentinel, not to redis port
 test:
  url: unix:/run/redis/redis.sock
 production:
  # Redis (single instance)
  url: unix:/run/redis/redis.sock
  ##
  # Redis + Sentinel (for HA)
  #
  # Please read instructions carefully before using it as you may lose data:
  # http://redis.io/topics/sentinel
  #
  # You must specify a list of a few sentinels that will handle client connection
  # please read here for more information: https://docs.gitlab.com/ce/administration/high_availability/redis.html
  ##
  # url: redis://master:6379
  # sentinels:
  #   -
  #     host: slave1
  #     port: 26379 # point to sentinel, not to redis port
  #   -
  #     host: slave2
  #     port: 26379 # point to sentinel, not to redis port
--- a/states/roles/maintain/gitlabarch/conf_files/smtp_settings.rb
+++ b/states/roles/maintain/gitlabarch/conf_files/smtp_settings.rb
@ -1,23 +0,0 @@
 # To enable smtp email delivery for your GitLab instance do the following:
 # 1. Rename this file to smtp_settings.rb
 # 2. Edit settings inside this file
 # 3. Restart GitLab instance
 #
 # For full list of options and their values see http://api.rubyonrails.org/classes/ActionMailer/Base.html
 #
 # If you change this file in a Merge Request, please also create a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
 if Rails.env.production?
  Rails.application.config.action_mailer.delivery_method = :smtp
  ActionMailer::Base.delivery_method = :smtp
  ActionMailer::Base.smtp_settings = {
    authentication: :plain,
    address: "smtp.zoho.com",
    port: 587,
    user_name: "notifications@actcur.com",
    password: "{%- include 'secure/passwords/gitlab_smtp_password.txt' -%}",
    domain: "smtp.zoho.com",
    enable_starttls_auto: true,
  }
 end
--- a/states/roles/maintain/gitlabarch/conf_files/tmp_redis.conf
+++ b/states/roles/maintain/gitlabarch/conf_files/tmp_redis.conf
@ -1 +0,0 @@
 d /run/redis 0755 redis redis -
--- a/states/roles/maintain/gitlabarch/init.sls
+++ b/states/roles/maintain/gitlabarch/init.sls
@ -1,175 +0,0 @@
 gitlab:
  pkg.installed
 mariadb:
  pkg.installed
 gitlab_nginx:
  pkg.installed:
    - name: nginx
 #managed files
 /etc/webapps/gitlab/gitlab.yml:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/gitlab.yml
    - user: root
    - group: root
    - mode: 644
 /etc/webapps/gitlab/database.yml:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/database.yml
    - user: gitlab
    - group: gitlab
    - mode: 600
    - template: jinja
 /etc/webapps/gitlab/resque.yml:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/resque.yml
    - user: root
    - group: root
    - mode: 644
 /etc/webapps/gitlab-shell/config.yml:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/config.yml
    - user: gitlab
    - group: gitlab
    - mode: 600
 /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/smtp_settings.rb
    - user: root
    - group: root
    - mode: 644
    - template: jinja
 /usr/share/webapps/gitlab/config/environments/production.rb:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/production.rb
    - user: root
    - group: root
    - mode: 644
 /etc/redis.conf:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/redis.conf
    - user: root
    - group: root
    - mode: 644
 /etc/tempfiles.d/redis.conf:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/tmp_redis.conf
    - user: root
    - group: root
    - mode: 644
    - makedirs: true
 /etc/nginx/conf.d/gitlab.conf:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/gitlab.conf
    - user: root
    - group: root
    - makedirs: true
    - dir_mode: 755
    - mode: 644
 #add users git and gitlab to redis group
 git_user:
  user.present:
    - name: git
    - groups:
      - redis
 gitlab_user:
  user.present:
    - name: gitlab
    - groups:
      - redis
 #migrate redis database as gitlab user if necessary
 redis-running:
  service.running:
    - name: redis
    - enable: true
    - watch:
      - file: /etc/redis.conf
      - file: /etc/tempfiles.d/redis.conf
 gitlab_rake_db:
  cmd.run:
    - name: "bundle-2.3 exec rake db:migrate RAILS_ENV=production"
    - cwd: "/usr/share/webapps/gitlab"
    - runas: gitlab
    - watch:
      - pkg: gitlab
 #global git configuration
 gitlab_git_name:
  git.config_set:
    - name: user.name
    - value: "Actaeus Curabitur"
    - user: gitlab
    - global: true
 gitlab_git_email:
  git.config_set:
    - name: user.email
    - value: "actcur@actcur.com"
    - user: gitlab
    - global: true
 gitlab_git_crlf:
  git.config_set:
    - name: core.autocrlf
    - value: "input"
    - user: gitlab
    - global: true
 #create symlink
 symlink_repos:
  file.symlink:
    - name: /var/lib/gitlab/repositories
    - target: /mnt/repos
    - force: true
 #verify perms for repos are right
 /var/lib/gitlab/repositories/:
  file.directory:
    - user: gitlab
    - group: gitlab
    - dir_mode: 4770
 #start services
 gitlab.target:
  service.running:
    - enable: true
    - watch:
      - file: /etc/webapps/gitlab/gitlab.yml
      - file: /etc/webapps/gitlab/database.yml
      - file: /etc/webapps/gitlab/resque.yml
      - file: /etc/webapps/gitlab-shell/config.yml
      - file: /etc/nginx/conf.d/gitlab.conf
      - file: /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb
      - file: /usr/share/webapps/gitlab/config/environments/production.rb
 gitlab-workhorse:
  service.running:
    - enable: true
    - watch:
      - file: /etc/webapps/gitlab/gitlab.yml
      - file: /etc/webapps/gitlab/database.yml
      - file: /etc/webapps/gitlab/resque.yml
      - file: /etc/webapps/gitlab-shell/config.yml
      - file: /etc/nginx/conf.d/gitlab.conf
      - file: /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb
      - file: /usr/share/webapps/gitlab/config/environments/production.rb
 gitlab-unicorn:
  service.running:
    - enable: true
    - watch:
      - file: /etc/webapps/gitlab/gitlab.yml
      - file: /etc/webapps/gitlab/database.yml
      - file: /etc/webapps/gitlab/resque.yml
      - file: /etc/webapps/gitlab-shell/config.yml
      - file: /etc/nginx/conf.d/gitlab.conf
      - file: /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb
      - file: /usr/share/webapps/gitlab/config/environments/production.rb
 gitlab-sidekiq:
  service.running:
    - enable: true
    - watch:
      - file: /etc/webapps/gitlab/gitlab.yml
      - file: /etc/webapps/gitlab/database.yml
      - file: /etc/webapps/gitlab/resque.yml
      - file: /etc/webapps/gitlab-shell/config.yml
      - file: /etc/nginx/conf.d/gitlab.conf
      - file: /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb
      - file: /usr/share/webapps/gitlab/config/environments/production.rb
--- a/states/roles/maintain/icinga/conf.d/hosts.conf
+++ b/states/roles/maintain/icinga/conf.d/hosts.conf
@ -0,0 +1,18 @@
 {% set states = salt['cp.list_states'](saltenv) %}
 {%- for state in states %}
  {%- if state.startswith("pillars.servers.roles.server.") -%}
    {%- set server = state.split('.')[4] %}
    {% set role_data = salt['file.read']('/etc/icinga2/server_roles/'+server+'.sls')|load_yaml %}
 object Host "{{server}}.actcur.com" {
  import "generic-host"
  address = "{{server}}.actcur.com"
    {%- if role_data['grains'] is defined %}
      {%- if role_data['grains']['roles'] is defined %}
  vars.roles=[{%- for role in role_data['grains']['roles'] %}"{{role}}",{%- endfor -%}""];
      {%- endif -%}
    {%- endif %}
 }
  {%- endif -%}
 {%- endfor %}
--- a/states/roles/maintain/icinga/conf.d/services/core.conf
+++ b/states/roles/maintain/icinga/conf.d/services/core.conf
@ -0,0 +1,49 @@
 apply Service "npre_disk-root" {
  import "generic-service"
  check_command = "nrpe"
  vars.nrpe_command = "check_disk"
  vars.nrpe_arguments = [ "-w 20% -c 10% -p /" ]
  assign where host.address && host.vars.os == "Arch Linux"
 }
 apply Service "npre_load"{
  import "generic-service"
  check_command = "nrpe"
  vars.nrpe_command = "check_load"
  vars.nrpe_arguments = [ "-w 15,10,5 -c 30,20,10" ]
  assign where host.address && host.vars.os == "Arch Linux"
 }
 apply Service "npre_swap"{
  import "generic-service"
  check_command = "nrpe"
  vars.nrpe_command = "check_swap"
  vars.nrpe_arguments = [ "-w 20% -c 10%" ]
  assign where host.address && host.vars.os == "Arch Linux"
 }
 apply Service "npre_cpu"{
  import "generic-service"
  check_command = "nrpe"
  vars.nrpe_command = "check_cpu"
  vars.nrpe_arguments = [ "" ]
  assign where host.address && host.vars.os == "Arch Linux"
 }
 apply Service "npre_mem"{
  import "generic-service"
  check_command = "nrpe"
  vars.nrpe_command = "check_mem"
  vars.nrpe_arguments = [ "-w 80 -c 90" ]
  assign where host.address && host.vars.os == "Arch Linux"
 }
--- a/states/roles/maintain/icinga/conf.d/services/service.conf
+++ b/states/roles/maintain/icinga/conf.d/services/service.conf
@ -0,0 +1,22 @@
 {%- if services is defined %}
  {%- for role in services %}
    {%- if services[role] is defined %}
      {%- for service in services[role] %}
        {%- if role == "core" -%}
          {% set role_restriction = '' %}
        {%- else -%}
          {% set role_restriction = '&& "'+role+'" in host.vars.roles' %}
        {%- endif %}
 apply Service "nrpe_service_{{role}}_{{ service }}"{
  import "generic-service"
  check_command = "nrpe"
  vars.nrpe_command = "check_service"
  vars.nrpe_arguments = [ "{{ service }}" ]
  assign where host.address {{role_restriction}}
 }
      {%- endfor -%}
    {%- endif -%}
  {%- endfor -%}
 {%- endif -%}
--- a/Show more
+++ b/Show more