17 files changed, 323 insertions, 52 deletions

diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index 0d11ae6f33f..70af7a829c4 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -13,7 +13,11 @@ class Settings < Settingslogic
       if gitlab_shell.ssh_port != 22
         "ssh://#{gitlab_shell.ssh_user}@#{gitlab_shell.ssh_host}:#{gitlab_shell.ssh_port}/"
       else
-        "#{gitlab_shell.ssh_user}@#{gitlab_shell.ssh_host}:"
+        if gitlab_shell.ssh_host.include? ':'
+          "[#{gitlab_shell.ssh_user}@#{gitlab_shell.ssh_host}]:"
+        else
+          "#{gitlab_shell.ssh_user}@#{gitlab_shell.ssh_host}:"
+        end
       end
     end
 
@@ -56,9 +60,25 @@ end
 # Default settings
 Settings['ldap'] ||= Settingslogic.new({})
 Settings.ldap['enabled'] = false if Settings.ldap['enabled'].nil?
-Settings.ldap['allow_username_or_email_login'] = false if Settings.ldap['allow_username_or_email_login'].nil?
-Settings.ldap['active_directory'] = true if Settings.ldap['active_directory'].nil?
 
+# backwards compatibility, we only have one host
+if Settings.ldap['enabled'] || Rails.env.test?
+  if Settings.ldap['host'].present?
+    server = Settings.ldap.except('sync_time')
+    server['provider_name'] = 'ldap'
+    Settings.ldap['servers'] = {
+      'ldap' => server
+    }
+  end
+
+  Settings.ldap['servers'].each do |key, server|
+    server['label'] ||= 'LDAP'
+    server['allow_username_or_email_login'] = false if server['allow_username_or_email_login'].nil?
+    server['active_directory'] = true if server['active_directory'].nil?
+    server['provider_name'] ||= "ldap#{key}".downcase
+    server['provider_class'] = OmniAuth::Utils.camelize(server['provider_name'])
+  end
+end
 
 Settings['omniauth'] ||= Settingslogic.new({})
 Settings.omniauth['enabled']      = false if Settings.omniauth['enabled'].nil?
@@ -71,6 +91,7 @@ Settings['issues_tracker']  ||= {}
 #
 Settings['gitlab'] ||= Settingslogic.new({})
 Settings.gitlab['default_projects_limit'] ||= 10
+Settings.gitlab['default_branch_protection'] ||= 2
 Settings.gitlab['default_can_create_group'] = true if Settings.gitlab['default_can_create_group'].nil?
 Settings.gitlab['default_theme'] = Gitlab::Theme::MARS if Settings.gitlab['default_theme'].nil?
 Settings.gitlab['host']       ||= 'localhost'
@@ -79,7 +100,9 @@ Settings.gitlab['https']        = false if Settings.gitlab['https'].nil?
 Settings.gitlab['port']       ||= Settings.gitlab.https ? 443 : 80
 Settings.gitlab['relative_url_root'] ||= ENV['RAILS_RELATIVE_URL_ROOT'] || ''
 Settings.gitlab['protocol']   ||= Settings.gitlab.https ? "https" : "http"
+Settings.gitlab['email_enabled'] ||= true if Settings.gitlab['email_enabled'].nil?
 Settings.gitlab['email_from'] ||= "gitlab@#{Settings.gitlab.host}"
+Settings.gitlab['email_display_name'] ||= "GitLab"
 Settings.gitlab['url']        ||= Settings.send(:build_gitlab_url)
 Settings.gitlab['user']       ||= 'git'
 Settings.gitlab['user_home']  ||= begin
@@ -87,11 +110,13 @@ Settings.gitlab['user_home']  ||= begin
 rescue ArgumentError # no user configured
   '/home/' + Settings.gitlab['user']
 end
-Settings.gitlab['signup_enabled'] ||= false
+Settings.gitlab['time_zone']  ||= nil
+Settings.gitlab['signup_enabled'] ||= true if Settings.gitlab['signup_enabled'].nil?
 Settings.gitlab['signin_enabled'] ||= true if Settings.gitlab['signin_enabled'].nil?
+Settings.gitlab['twitter_sharing_enabled'] ||= true if Settings.gitlab['twitter_sharing_enabled'].nil?
 Settings.gitlab['restricted_visibility_levels'] = Settings.send(:verify_constant_array, Gitlab::VisibilityLevel, Settings.gitlab['restricted_visibility_levels'], [])
 Settings.gitlab['username_changing_enabled'] = true if Settings.gitlab['username_changing_enabled'].nil?
-Settings.gitlab['issue_closing_pattern'] = '([Cc]lose[sd]|[Ff]ixe[sd]) #(\d+)' if Settings.gitlab['issue_closing_pattern'].nil?
+Settings.gitlab['issue_closing_pattern'] = '((?:[Cc]los(?:e[sd]?|ing)|[Ff]ix(?:e[sd]|ing)?|[Rr]esolv(?:e[sd]?|ing)) +(?:(?:issues? +)?#\d+(?:(?:, *| +and +)?))+)' if Settings.gitlab['issue_closing_pattern'].nil?
 Settings.gitlab['default_projects_features'] ||= {}
 Settings.gitlab['webhook_timeout'] ||= 10
 Settings.gitlab.default_projects_features['issues']         = true if Settings.gitlab.default_projects_features['issues'].nil?
@@ -130,7 +155,7 @@ Settings.gitlab_shell['ssh_path_prefix'] ||= Settings.send(:build_gitlab_shell_s
 Settings['backup'] ||= Settingslogic.new({})
 Settings.backup['keep_time']  ||= 0
 Settings.backup['path']         = File.expand_path(Settings.backup['path'] || "tmp/backups/", Rails.root)
-Settings.backup['upload'] ||= Settingslogic.new({'remote_directory' => nil, 'connection' => nil})
+Settings.backup['upload'] ||= Settingslogic.new({ 'remote_directory' => nil, 'connection' => nil })
 # Convert upload connection settings to use symbol keys, to make Fog happy
 if Settings.backup['upload']['connection']
   Settings.backup['upload']['connection'] = Hash[Settings.backup['upload']['connection'].map { |k, v| [k.to_sym, v] }]
@@ -154,6 +179,16 @@ Settings.satellites['timeout'] ||= 30
 Settings['extra'] ||= Settingslogic.new({})
 
 #
+# Rack::Attack settings
+#
+Settings['rack_attack'] ||= Settingslogic.new({})
+Settings.rack_attack['git_basic_auth'] ||= Settingslogic.new({})
+Settings.rack_attack.git_basic_auth['ip_whitelist'] ||= %w{127.0.0.1}
+Settings.rack_attack.git_basic_auth['maxretry'] ||= 10
+Settings.rack_attack.git_basic_auth['findtime'] ||= 1.minute
+Settings.rack_attack.git_basic_auth['bantime'] ||= 1.hour
+
+#
 # Testing settings
 #
 if Rails.env.test?
diff --git a/config/initializers/4_sidekiq.rb b/config/initializers/4_sidekiq.rb
index 228b14cb526..e856499732e 100644
--- a/config/initializers/4_sidekiq.rb
+++ b/config/initializers/4_sidekiq.rb
@@ -14,7 +14,8 @@ Sidekiq.configure_server do |config|
   }
 
   config.server_middleware do |chain|
-    chain.add Gitlab::SidekiqMiddleware::ArgumentsLogger
+    chain.add Gitlab::SidekiqMiddleware::ArgumentsLogger if ENV['SIDEKIQ_LOG_ARGUMENTS']
+    chain.add Gitlab::SidekiqMiddleware::MemoryKiller if ENV['SIDEKIQ_MEMORY_KILLER_MAX_RSS']
   end
 end
 
diff --git a/config/initializers/6_rack_profiler.rb b/config/initializers/6_rack_profiler.rb
index a7ee3c59822..b6340287569 100644
--- a/config/initializers/6_rack_profiler.rb
+++ b/config/initializers/6_rack_profiler.rb
@@ -3,4 +3,6 @@ if Rails.env == 'development'
 
   # initialization is skipped so trigger it
   Rack::MiniProfilerRails.initialize!(Rails.application)
+  Rack::MiniProfiler.config.position = 'right'
+  Rack::MiniProfiler.config.start_hidden = true
 end
diff --git a/config/initializers/7_omniauth.rb b/config/initializers/7_omniauth.rb
new file mode 100644
index 00000000000..8f6c5673103
--- /dev/null
+++ b/config/initializers/7_omniauth.rb
@@ -0,0 +1,12 @@
+if Gitlab::LDAP::Config.enabled?
+  module OmniAuth::Strategies
+    server = Gitlab.config.ldap.servers.values.first
+    klass = server['provider_class']
+    const_set(klass, Class.new(LDAP)) unless klass == 'LDAP'
+  end
+
+  OmniauthCallbacksController.class_eval do
+    server = Gitlab.config.ldap.servers.values.first
+    alias_method server['provider_name'], :ldap
+  end
+end
diff --git a/config/initializers/acts_as_taggable_on_patch.rb b/config/initializers/acts_as_taggable_on_patch.rb
index baa77fde392..0d535cb5cac 100644
--- a/config/initializers/acts_as_taggable_on_patch.rb
+++ b/config/initializers/acts_as_taggable_on_patch.rb
@@ -42,11 +42,12 @@ module ActsAsTaggableOn::Taggable
 
         elsif options.delete(:any)
           # get tags, drop out if nothing returned (we need at least one)
-          tags = if options.delete(:wild)
-            ActsAsTaggableOn::Tag.named_like_any(tag_list)
-          else
-            ActsAsTaggableOn::Tag.named_any(tag_list)
-          end
+          tags =
+            if options.delete(:wild)
+              ActsAsTaggableOn::Tag.named_like_any(tag_list)
+            else
+              ActsAsTaggableOn::Tag.named_any(tag_list)
+            end
 
           return empty_result unless tags.length > 0
 
@@ -68,12 +69,12 @@ module ActsAsTaggableOn::Taggable
           select_clause = "DISTINCT #{table_name}.*" unless context and tag_types.one?
 
           if owned_by
-              tagging_join << " AND " +
-                  sanitize_sql([
-                      "#{taggings_alias}.tagger_id = ? AND #{taggings_alias}.tagger_type = ?",
-                      owned_by.id,
-                      owned_by.class.base_class.to_s
-                  ])
+            tagging_join << " AND " +
+              sanitize_sql([
+                  "#{taggings_alias}.tagger_id = ? AND #{taggings_alias}.tagger_type = ?",
+                  owned_by.id,
+                  owned_by.class.base_class.to_s
+              ])
           end
 
           joins << tagging_join
@@ -92,12 +93,12 @@ module ActsAsTaggableOn::Taggable
             tagging_join << " AND " + sanitize_sql(["#{taggings_alias}.context = ?", context.to_s]) if context
 
             if owned_by
-                tagging_join << " AND " +
-                  sanitize_sql([
-                    "#{taggings_alias}.tagger_id = ? AND #{taggings_alias}.tagger_type = ?",
-                    owned_by.id,
-                    owned_by.class.base_class.to_s
-                  ])
+              tagging_join << " AND " +
+                sanitize_sql([
+                  "#{taggings_alias}.tagger_id = ? AND #{taggings_alias}.tagger_type = ?",
+                  owned_by.id,
+                  owned_by.class.base_class.to_s
+                ])
             end
 
             joins << tagging_join
diff --git a/config/initializers/carrierwave.rb b/config/initializers/carrierwave.rb
index d0065b63e54..bfb8656df55 100644
--- a/config/initializers/carrierwave.rb
+++ b/config/initializers/carrierwave.rb
@@ -12,22 +12,30 @@ if File.exists?(aws_file)
       aws_secret_access_key: AWS_CONFIG['secret_access_key'], # required
       region: AWS_CONFIG['region'],                           # optional, defaults to 'us-east-1'
     }
-    config.fog_directory  = AWS_CONFIG['bucket']                    # required
-    config.fog_public     = false                                   # optional, defaults to true
-    config.fog_attributes = {'Cache-Control'=>'max-age=315576000'}  # optional, defaults to {}
-    config.fog_authenticated_url_expiration = 1 << 29               # optional time (in seconds) that authenticated urls will be valid.
-                                                                    # when fog_public is false and provider is AWS or Google, defaults to 600
+
+    # required
+    config.fog_directory = AWS_CONFIG['bucket']
+
+    # optional, defaults to true
+    config.fog_public = false
+
+    # optional, defaults to {}
+    config.fog_attributes = { 'Cache-Control'=>'max-age=315576000' }
+
+    # optional time (in seconds) that authenticated urls will be valid.
+    # when fog_public is false and provider is AWS or Google, defaults to 600
+    config.fog_authenticated_url_expiration = 1 << 29
   end
 
   # Mocking Fog requests, based on: https://github.com/carrierwaveuploader/carrierwave/wiki/How-to%3A-Test-Fog-based-uploaders
   if Rails.env.test?
     Fog.mock!
     connection = ::Fog::Storage.new(
-        :aws_access_key_id      => AWS_CONFIG['access_key_id'],
-        :aws_secret_access_key  => AWS_CONFIG['secret_access_key'],
-        :provider               => 'AWS',
-        :region                 => AWS_CONFIG['region']
+        aws_access_key_id: AWS_CONFIG['access_key_id'],
+        aws_secret_access_key: AWS_CONFIG['secret_access_key'],
+        provider: 'AWS',
+        region: AWS_CONFIG['region']
       )
-    connection.directories.create(:key => AWS_CONFIG['bucket'])
+    connection.directories.create(key: AWS_CONFIG['bucket'])
   end
 end
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 34f4f386988..79abe3c695d 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -145,7 +145,8 @@ Devise.setup do |config|
   # Time interval you can reset your password with a reset password key.
   # Don't put a too small interval or your users won't have the time to
   # change their passwords.
-  config.reset_password_within = 2.hours
+  # When someone else invites you to GitLab this time is also used so it should be pretty long.
+  config.reset_password_within = 2.days
 
   # ==> Configuration for :encryptable
   # Allow you to use another encryption algorithm besides bcrypt (default). You can use
@@ -204,22 +205,24 @@ Devise.setup do |config|
   #   manager.default_strategies(scope: :user).unshift :some_external_strategy
   # end
 
-  if Gitlab.config.ldap.enabled
-    if Gitlab.config.ldap.allow_username_or_email_login
-      email_stripping_proc = ->(name) {name.gsub(/@.*$/,'')}
-    else
-      email_stripping_proc = ->(name) {name}
+  if Gitlab::LDAP::Config.enabled?
+    Gitlab.config.ldap.servers.values.each do |server|
+      if server['allow_username_or_email_login']
+        email_stripping_proc = ->(name) {name.gsub(/@.*$/,'')}
+      else
+        email_stripping_proc = ->(name) {name}
+      end
+
+      config.omniauth server['provider_name'],
+        host:     server['host'],
+        base:     server['base'],
+        uid:      server['uid'],
+        port:     server['port'],
+        method:   server['method'],
+        bind_dn:  server['bind_dn'],
+        password: server['password'],
+        name_proc: email_stripping_proc
     end
-
-    config.omniauth :ldap,
-      host:     Gitlab.config.ldap['host'],
-      base:     Gitlab.config.ldap['base'],
-      uid:      Gitlab.config.ldap['uid'],
-      port:     Gitlab.config.ldap['port'],
-      method:   Gitlab.config.ldap['method'],
-      bind_dn:  Gitlab.config.ldap['bind_dn'],
-      password: Gitlab.config.ldap['password'],
-      name_proc: email_stripping_proc
   end
 
   Gitlab.config.omniauth.providers.each do |provider|
diff --git a/config/initializers/disable_email_interceptor.rb b/config/initializers/disable_email_interceptor.rb
new file mode 100644
index 00000000000..c76a6b8b19f
--- /dev/null
+++ b/config/initializers/disable_email_interceptor.rb
@@ -0,0 +1,2 @@
+# Interceptor in lib/disable_email_interceptor.rb
+ActionMailer::Base.register_interceptor(DisableEmailInterceptor) unless Gitlab.config.gitlab.email_enabled
diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
new file mode 100644
index 00000000000..9da7ebf4290
--- /dev/null
+++ b/config/initializers/doorkeeper.rb
@@ -0,0 +1,102 @@
+Doorkeeper.configure do
+  # Change the ORM that doorkeeper will use.
+  # Currently supported options are :active_record, :mongoid2, :mongoid3, :mongo_mapper
+  orm :active_record
+
+  # This block will be called to check whether the resource owner is authenticated or not.
+  resource_owner_authenticator do
+    # Put your resource owner authentication logic here.
+    # Example implementation:
+    current_user || redirect_to(new_user_session_url)
+  end
+
+  resource_owner_from_credentials do |routes|
+    u = User.find_by(email: params[:username])
+    u if u && u.valid_password?(params[:password])
+  end
+
+  # If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
+  # admin_authenticator do
+  #   # Put your admin authentication logic here.
+  #   # Example implementation:
+  #   Admin.find_by_id(session[:admin_id]) || redirect_to(new_admin_session_url)
+  # end
+
+  # Authorization Code expiration time (default 10 minutes).
+  # authorization_code_expires_in 10.minutes
+
+  # Access token expiration time (default 2 hours).
+  # If you want to disable expiration, set this to nil.
+  access_token_expires_in nil
+
+  # Reuse access token for the same resource owner within an application (disabled by default)
+  # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/383
+  # reuse_access_token
+
+  # Issue access tokens with refresh token (disabled by default)
+  use_refresh_token
+
+  # Forces the usage of the HTTPS protocol in non-native redirect uris (enabled
+  # by default in non-development environments). OAuth2 delegates security in
+  # communication to the HTTPS protocol so it is wise to keep this enabled.
+  #
+  force_ssl_in_redirect_uri false
+
+  # Provide support for an owner to be assigned to each registered application (disabled by default)
+  # Optional parameter confirmation: true (default false) if you want to enforce ownership of
+  # a registered application
+  # Note: you must also run the rails g doorkeeper:application_owner generator to provide the necessary support
+  enable_application_owner confirmation: false
+
+  # Define access token scopes for your provider
+  # For more information go to
+  # https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes
+  default_scopes  :api
+  #optional_scopes :write, :update
+
+  # Change the way client credentials are retrieved from the request object.
+  # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
+  # falls back to the `:client_id` and `:client_secret` params from the `params` object.
+  # Check out the wiki for more information on customization
+  # client_credentials :from_basic, :from_params
+
+  # Change the way access token is authenticated from the request object.
+  # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
+  # falls back to the `:access_token` or `:bearer_token` params from the `params` object.
+  # Check out the wiki for more information on customization
+  access_token_methods :from_access_token_param, :from_bearer_authorization, :from_bearer_param
+
+  # Change the native redirect uri for client apps
+  # When clients register with the following redirect uri, they won't be redirected to any server and the authorization code will be displayed within the provider
+  # The value can be any string. Use nil to disable this feature. When disabled, clients must provide a valid URL
+  # (Similar behaviour: https://developers.google.com/accounts/docs/OAuth2InstalledApp#choosingredirecturi)
+  #
+  native_redirect_uri nil#'urn:ietf:wg:oauth:2.0:oob'
+
+  # Specify what grant flows are enabled in array of Strings. The valid
+  # strings and the flows they enable are:
+  #
+  # "authorization_code" => Authorization Code Grant Flow
+  # "implicit"           => Implicit Grant Flow
+  # "password"           => Resource Owner Password Credentials Grant Flow
+  # "client_credentials" => Client Credentials Grant Flow
+  #
+  # If not specified, Doorkeeper enables all the four grant flows.
+  #
+  # grant_flows %w(authorization_code implicit password client_credentials)
+
+  # Under some circumstances you might want to have applications auto-approved,
+  # so that the user skips the authorization step.
+  # For example if dealing with trusted a application.
+  # skip_authorization do |resource_owner, client|
+  #   client.superapp? or resource_owner.admin?
+  # end
+
+  # WWW-Authenticate Realm (default "Doorkeeper").
+  # realm "Doorkeeper"
+
+  # Allow dynamic query parameters (disabled by default)
+  # Some applications require dynamic query parameters on their request_uri
+  # set to true if you want this to be allowed
+  # wildcard_redirect_uri false
+end
diff --git a/config/initializers/gitlab_shell_secret_token.rb b/config/initializers/gitlab_shell_secret_token.rb
new file mode 100644
index 00000000000..e7c9f0ba7c2
--- /dev/null
+++ b/config/initializers/gitlab_shell_secret_token.rb
@@ -0,0 +1,19 @@
+# Be sure to restart your server when you modify this file.
+
+require 'securerandom'
+
+# Your secret key for verifying the gitlab_shell.
+
+
+secret_file = Rails.root.join('.gitlab_shell_secret')
+gitlab_shell_symlink = File.join(Gitlab.config.gitlab_shell.path, '.gitlab_shell_secret')
+
+unless File.exist? secret_file
+  # Generate a new token of 16 random hexadecimal characters and store it in secret_file.
+  token = SecureRandom.hex(16)
+  File.write(secret_file, token)
+end
+
+if File.exist?(Gitlab.config.gitlab_shell.path) && !File.exist?(gitlab_shell_symlink)
+  FileUtils.symlink(secret_file, gitlab_shell_symlink)
+end
diff --git a/config/initializers/public_key.rb b/config/initializers/public_key.rb
new file mode 100644
index 00000000000..75d74e3625d
--- /dev/null
+++ b/config/initializers/public_key.rb
@@ -0,0 +1,2 @@
+path = File.expand_path("~/.ssh/id_rsa.pub")
+Gitlab::BitbucketImport.public_key = File.read(path) if File.exist?(path)
diff --git a/config/initializers/rack_attack_git_basic_auth.rb b/config/initializers/rack_attack_git_basic_auth.rb
new file mode 100644
index 00000000000..bbbfed68329
--- /dev/null
+++ b/config/initializers/rack_attack_git_basic_auth.rb
@@ -0,0 +1,12 @@
+unless Rails.env.test?
+  # Tell the Rack::Attack Rack middleware to maintain an IP blacklist. We will
+  # update the blacklist from Grack::Auth#authenticate_user.
+  Rack::Attack.blacklist('Git HTTP Basic Auth') do |req|
+    Rack::Attack::Allow2Ban.filter(req.ip, Gitlab.config.rack_attack.git_basic_auth) do
+      # This block only gets run if the IP was not already banned.
+      # Return false, meaning that we do not see anything wrong with the
+      # request at this time
+      false
+    end
+  end
+end
diff --git a/config/initializers/redis-store-fix-expiry.rb b/config/initializers/redis-store-fix-expiry.rb
new file mode 100644
index 00000000000..fce0a135330
--- /dev/null
+++ b/config/initializers/redis-store-fix-expiry.rb
@@ -0,0 +1,44 @@
+# Monkey-patch Redis::Store to make 'setex' and 'expire' work with namespacing
+
+module Gitlab
+  class Redis
+    class Store
+      module Namespace
+        # Redis::Store#setex in redis-store 1.1.4 does not respect namespaces;
+        # this new method does.
+        def setex(key, expires_in, value, options=nil)
+          namespace(key) { |key| super(key, expires_in, value) }
+        end
+
+        # Redis::Store#expire in redis-store 1.1.4 does not respect namespaces;
+        # this new method does.
+        def expire(key, expires_in)
+          namespace(key) { |key| super(key, expires_in) }
+        end
+
+        private
+
+        # Our new definitions of #setex and #expire above assume that the
+        # #namespace method exists. Because we cannot be sure of that, we
+        # re-implement the #namespace method from Redis::Store::Namespace so
+        # that it is available for all Redis::Store instances, whether they use
+        # namespacing or not.
+        #
+        # Based on lib/redis/store/namespace.rb L49-51 (redis-store 1.1.4)
+        def namespace(key)
+          if @namespace
+            yield interpolate(key)
+          else
+            # This Redis::Store instance does not use a namespace so we should
+            # just pass through the key.
+            yield key
+          end
+        end
+      end
+    end
+  end
+end
+
+Redis::Store.class_eval do
+  include Gitlab::Redis::Store::Namespace
+end
diff --git a/config/initializers/smtp_settings.rb.sample b/config/initializers/smtp_settings.rb.sample
index 3711b03796e..f0fe2fdfa43 100644
--- a/config/initializers/smtp_settings.rb.sample
+++ b/config/initializers/smtp_settings.rb.sample
@@ -1,8 +1,11 @@
-# To enable smtp email delivery for your GitLab instance do next: 
+# To enable smtp email delivery for your GitLab instance do the following:
 # 1. Rename this file to smtp_settings.rb
 # 2. Edit settings inside this file
 # 3. Restart GitLab instance
 #
+# For full list of options and their values see http://api.rubyonrails.org/classes/ActionMailer/Base.html
+#
+
 if Rails.env.production?
   Gitlab::Application.config.action_mailer.delivery_method = :smtp
 
@@ -13,6 +16,7 @@ if Rails.env.production?
     password: "123456",
     domain: "gitlab.company.com",
     authentication: :login,
-    enable_starttls_auto: true
+    enable_starttls_auto: true,
+    openssl_verify_mode: 'peer' # See ActionMailer documentation for other possible options
   }
 end
diff --git a/config/initializers/static_files.rb b/config/initializers/static_files.rb
new file mode 100644
index 00000000000..d9042c652bb
--- /dev/null
+++ b/config/initializers/static_files.rb
@@ -0,0 +1,15 @@
+app = Rails.application
+
+if app.config.serve_static_assets
+  # The `ActionDispatch::Static` middleware intercepts requests for static files 
+  # by checking if they exist in the `/public` directory. 
+  # We're replacing it with our `Gitlab::Middleware::Static` that does the same,
+  # except ignoring `/uploads`, letting those go through to the GitLab Rails app.
+
+  app.config.middleware.swap(
+    ActionDispatch::Static, 
+    Gitlab::Middleware::Static, 
+    app.paths["public"].first, 
+    app.config.static_cache_control
+  )
+end
diff --git a/config/initializers/time_zone.rb b/config/initializers/time_zone.rb
new file mode 100644
index 00000000000..ee246e67d66
--- /dev/null
+++ b/config/initializers/time_zone.rb
@@ -0,0 +1 @@
+Time.zone = Gitlab.config.gitlab.time_zone || Time.zone
diff --git a/config/initializers/timeout.rb b/config/initializers/timeout.rb
new file mode 100644
index 00000000000..bc88595cf26
--- /dev/null
+++ b/config/initializers/timeout.rb
@@ -0,0 +1,8 @@
+# Slowpoke extends Rack::Timeout to gracefully kill Unicorn workers so they can clean up state.
+Slowpoke.timeout = 60
+
+# The `Rack::Timeout` middleware kills requests after 60 seconds (as set above).
+# We're replacing it with our `Gitlab::Middleware::Timeout` that does the same,
+# except ignoring Git-over-HTTP requests, letting those take as long as they need.
+
+Rails.application.config.middleware.swap(Rack::Timeout, Gitlab::Middleware::Timeout)