# # If you change this file in a Merge Request, please also create # a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests # # GitLab user. git by default user: git # URL to GitLab instance, used for API calls. Default: http://localhost:8080. # For relative URL support read http://doc.gitlab.com/ce/install/relative_url.html # You only have to change the default if you have configured Unicorn # to listen on a custom port, or if you have configured Unicorn to # only listen on a Unix domain socket. For Unix domain sockets use # "http+unix://", e.g. # "http+unix://%2Fpath%2Fto%2Fsocket" gitlab_url: "http+unix://%2Fhome%2Fgit%2Fgitlab%2Ftmp%2Fsockets%2Fgitlab-workhorse.socket" # When a http+unix:// is used in gitlab_url, this is the relative URL root to GitLab. # Not used if gitlab_url is http:// or https://. # gitlab_relative_url_root: "/" # See installation.md#using-https for additional HTTPS configuration details. http_settings: # read_timeout: 300 # user: someone # password: somepass # ca_file: /etc/ssl/cert.pem # ca_path: /etc/pki/tls/certs # # File used as authorized_keys for gitlab user auth_file: "/home/git/.ssh/authorized_keys" # SSL certificate dir where custom certificates can be placed # https://golang.org/pkg/crypto/x509/ # ssl_cert_dir: /opt/gitlab/embedded/ssl/certs/ # File that contains the secret key for verifying access to GitLab. # Default is .gitlab_shell_secret in the gitlab-shell directory. # secret_file: "/home/git/gitlab-shell/.gitlab_shell_secret" # # The secret field supersedes the secret_file, and if set that # file will not be read. # secret: "supersecret" # Log file. # Default is gitlab-shell.log in the root directory. # log_file: "/home/git/gitlab-shell/gitlab-shell.log" # Log level. INFO by default log_level: INFO # Log format. 'json' by default, can be changed to 'text' if needed # log_format: json # Audit usernames. # Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but # incurs an extra API call on every gitlab-shell command. audit_usernames: false # Distributed Tracing. GitLab-Shell has distributed tracing instrumentation. # For more details, visit https://docs.gitlab.com/ee/development/distributed_tracing.html # gitlab_tracing: opentracing://driver # This section configures the built-in SSH server. Ignored when running on OpenSSH. sshd: # Address which the SSH server listens on. Defaults to [::]:22. listen: "[::]:22" # Set to true if gitlab-sshd is being fronted by a load balancer that implements # the PROXY protocol. proxy_protocol: false # Proxy protocol policy ("use", "require", "reject", "ignore"), "use" is the default value # Values: https://github.com/pires/go-proxyproto/blob/195fedcfbfc1be163f3a0d507fac1709e9d81fed/policy.go#L20 proxy_policy: "use" # Proxy allowed IP addresses. Takes precedent over proxy_policy. Disabled by default. # proxy_allowed: # - "192.168.0.1" # - "192.168.1.0/24" # Address which the server listens on HTTP for monitoring/health checks. Defaults to localhost:9122. web_listen: "localhost:9122" # Maximum number of concurrent sessions allowed on a single SSH connection. Defaults to 10. concurrent_sessions_limit: 10 # Sets an interval after which server will send keepalive message to a client. Defaults to 15s. client_alive_interval: 15 # The server waits for this time for the ongoing connections to complete before shutting down. Defaults to 10s. grace_period: 10 # The server disconnects after this time if the user has not successfully logged in. Defaults to 60s. login_grace_time: 60 # A short timeout to decide to abort the connection if the protocol header is not seen within it. Defaults to 500ms proxy_header_timeout: 500ms # The endpoint that returns 200 OK if the server is ready to receive incoming connections; otherwise, it returns 503 Service Unavailable. Defaults to "/start". readiness_probe: "/start" # The endpoint that returns 200 OK if the server is alive. Defaults to "/health". liveness_probe: "/health" # Specifies the available message authentication code algorithms that are used for protecting data integrity macs: [hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1] # Specifies the available Key Exchange algorithms kex_algorithms: [curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1] # Specified the ciphers allowed ciphers: [aes128-gcm@openssh.com, chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-ctr, aes192-ctr,aes256-ctr] # SSH host key files. host_key_files: - /run/secrets/ssh-hostkeys/ssh_host_rsa_key - /run/secrets/ssh-hostkeys/ssh_host_ecdsa_key - /run/secrets/ssh-hostkeys/ssh_host_ed25519_key host_key_certs: - /run/secrets/ssh-hostkeys/ssh_host_rsa_key-cert.pub - /run/secrets/ssh-hostkeys/ssh_host_ecdsa_key-cert.pub - /run/secrets/ssh-hostkeys/ssh_host_ed25519_key-cert.pub # GSSAPI-related settings gssapi: # Enable the gssapi-with-mic authentication method. Defaults to false. enabled: false # Keytab path. Defaults to "", system default (usually /etc/krb5.keytab). keytab: "" # The Kerberos service name to be used by sshd. Defaults to "", accepts any service name in keytab file. service_principal_name: ""