diff --git a/files/gitlab-cookbooks/gitlab/attributes/default.rb b/files/gitlab-cookbooks/gitlab/attributes/default.rb
index 49ddea8..4325d7a 100644
--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -233,6 +233,14 @@ default['gitlab']['redis']['shell'] = "/bin/nologin"
 default['gitlab']['redis']['home'] = "/var/opt/gitlab/redis"
 default['gitlab']['redis']['port'] = 6379
 
+####
+# Web server
+####
+# Username for the webserver user
+default['gitlab']['webserver']['username'] = 'gitlab-www'
+default['gitlab']['webserver']['group'] = 'gitlab-www'
+default['gitlab']['webserver']['uid'] = nil
+default['gitlab']['webserver']['gid'] = nil
 
 ####
 # Nginx
diff --git a/files/gitlab-cookbooks/gitlab/recipes/default.rb b/files/gitlab-cookbooks/gitlab/recipes/default.rb
index 3b05488..1653e24 100644
--- a/files/gitlab-cookbooks/gitlab/recipes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/default.rb
@@ -49,6 +49,7 @@ include_recipe "gitlab::users"
 include_recipe "gitlab::gitlab-shell"
 include_recipe "gitlab::gitlab-rails"
 include_recipe "gitlab::selinux"
+include_recipe "gitlab::web_server"
 
 # Create dummy unicorn and sidekiq services to receive notifications, in case
 # the corresponding service recipe is not loaded below.
diff --git a/files/gitlab-cookbooks/gitlab/recipes/web_server.rb b/files/gitlab-cookbooks/gitlab/recipes/web_server.rb
new file mode 100644
index 0000000..07d3273
--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/recipes/web_server.rb
@@ -0,0 +1,33 @@
+#
+# Copyright:: Copyright (c) 2012 Opscode, Inc.
+# Copyright:: Copyright (c) 2014 GitLab.com
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+webserver_username = node['gitlab']['webserver']['username']
+webserver_group = node['gitlab']['webserver']['group']
+
+# Create the group for the GitLab user
+group webserver_group do
+ gid node['gitlab']['webserver']['gid']
+end
+
+# Create the webserver user
+user webserver_username do
+ shell node['gitlab']['user']['shell']
+ uid node['gitlab']['webserver']['uid']
+ gid webserver_group
+ supports manage_home: false
+end
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb b/files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb
index 17f181b..0ae2723 100644
--- a/files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb
@@ -2,7 +2,7 @@
 # erased! To change the contents below, edit /etc/gitlab/gitlab.rb
 # and run `sudo gitlab-ctl reconfigure`.
 
-user <%= node['gitlab']['user']['username'] %> <%= node['gitlab']['user']['username']%>;
+user <%= node['gitlab']['user']['username'] %> <%= node['gitlab']['web_server']['username']%>;
 worker_processes <%= @worker_processes %>;
 error_log /var/log/gitlab/nginx/error.log;
 pid /var/opt/gitlab/nginx/nginx.pid;
-- libgit2 0.21.2
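Review bot: The `user` resource in recipes/web_server.rb takes its shell from `node['gitlab']['user']['shell']`, so the web server account inherits whatever login shell the GitLab user is configured with, presumably an interactive one since that account has to accept git-over-SSH sessions. An account that exists only to own nginx worker processes should not be able to log in; I would add `default['gitlab']['webserver']['shell'] = '/bin/false'` beside the other webserver attributes in attributes/default.rb and use `shell node['gitlab']['webserver']['shell']` here, the same way the redis user in that file is given `/bin/nologin`. The comment above the group resource still reads "Create the group for the GitLab user" and should be `# Create the group for the webserver user`. The attribute comment `# Username for the webserver user` in attributes/default.rb sits above four settings and could describe all of them, including that a nil uid/gid leaves the choice to the system.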
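Review bot: The changed `user` line in nginx.conf.erb reads `node['gitlab']['web_server']['username']`, but the attributes this commit adds live under `node['gitlab']['webserver']`, so the lookup hits a key that is not defined anywhere in the visible diff and will most likely fail or render an empty value when nginx.conf is generated. The second argument of nginx's `user` directive is the group, so it should come from the `group` attribute rather than `username`. The first argument still names the GitLab user, which means the workers keep running as the application account and the new `gitlab-www` user goes unused. If the goal is to separate the web server from that account, the line would be `user <%= node['gitlab']['webserver']['username'] %> <%= node['gitlab']['webserver']['group'] %>;`, after confirming the new account can still reach the sockets and files nginx serves.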