From c912e449c1be5c25f9081dde327a53de93094a1f Mon Sep 17 00:00:00 2001 
From: Jacob Vosmaer Date: Wed, 29 Jan 2014 19:07:04 +0100 Subject: [PATCH] Import postgres files from omnibus-chef-server --- files/gitlab-cookbooks/gitlab/attributes/default.rb | 279 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ files/gitlab-cookbooks/gitlab/libraries/chef_server.rb | 140 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ files/gitlab-cookbooks/gitlab/libraries/helper.rb | 194 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ files/gitlab-cookbooks/gitlab/recipes/postgresql.rb | 188 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ files/gitlab-cookbooks/gitlab/templates/default/90-postgresql.conf.sysctl.erb | 5 +++++ files/gitlab-cookbooks/gitlab/templates/default/pg_hba.conf.erb | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ files/gitlab-cookbooks/gitlab/templates/default/postgresql-init.erb | 29 +++++++++++++++++++++++++++++ files/gitlab-cookbooks/gitlab/templates/default/postgresql.conf.erb | 556 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ files/gitlab-cookbooks/gitlab/templates/default/sv-postgresql-control-t.erb | 3 +++ files/gitlab-cookbooks/gitlab/templates/default/sv-postgresql-log-run.erb | 2 ++ files/gitlab-cookbooks/gitlab/templates/default/sv-postgresql-run.erb | 4 ++++ 11 files changed, 1475 insertions(+), 0 deletions(-) create mode 100644 files/gitlab-cookbooks/gitlab/attributes/default.rb create mode 100644 files/gitlab-cookbooks/gitlab/libraries/chef_server.rb create mode 100644 files/gitlab-cookbooks/gitlab/libraries/helper.rb create mode 100644 files/gitlab-cookbooks/gitlab/recipes/postgresql.rb create mode 100644 files/gitlab-cookbooks/gitlab/templates/default/90-postgresql.conf.sysctl.erb create mode 100644 files/gitlab-cookbooks/gitlab/templates/default/pg_hba.conf.erb create mode 100755 files/gitlab-cookbooks/gitlab/templates/default/postgresql-init.erb create mode 100644 files/gitlab-cookbooks/gitlab/templates/default/postgresql.conf.erb create mode 100644 files/gitlab-cookbooks/gitlab/templates/default/sv-postgresql-control-t.erb create mode 100644 files/gitlab-cookbooks/gitlab/templates/default/sv-postgresql-log-run.erb create mode 100644 files/gitlab-cookbooks/gitlab/templates/default/sv-postgresql-run.erb diff --git a/files/gitlab-cookbooks/gitlab/attributes/default.rb b/files/gitlab-cookbooks/gitlab/attributes/default.rb new file mode 100644 index 0000000..ef62a86 --- /dev/null 
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb 
@@ -0,0 +1,279 @@
+#
+# Copyright:: Copyright (c) 2012 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+###
+# High level options
+###
+default['chef_server']['api_version'] = "11.0.2"
+default['chef_server']['flavor'] = "osc" # Open Source Chef
+
+default['chef_server']['notification_email'] = "info@example.com"
+default['chef_server']['bootstrap']['enable'] = true
+
+####
+# The Chef User that services run as
+####
+# The username for the chef services user
+default['chef_server']['user']['username'] = "chef_server"
+# The shell for the chef services user
+default['chef_server']['user']['shell'] = "/bin/sh"
+# The home directory for the chef services user
+default['chef_server']['user']['home'] = "/opt/chef-server/embedded"
+
+####
+# RabbitMQ
+####
+default['chef_server']['rabbitmq']['enable'] = true
+default['chef_server']['rabbitmq']['ha'] = false
+default['chef_server']['rabbitmq']['dir'] = "/var/opt/chef-server/rabbitmq"
+default['chef_server']['rabbitmq']['data_dir'] = "/var/opt/chef-server/rabbitmq/db"
+default['chef_server']['rabbitmq']['log_directory'] = "/var/log/chef-server/rabbitmq"
+default['chef_server']['rabbitmq']['vhost'] = '/chef'
+default['chef_server']['rabbitmq']['user'] = 'chef'
+default['chef_server']['rabbitmq']['password'] = 'chefrocks'
+default['chef_server']['rabbitmq']['node_ip_address'] = '127.0.0.1'
+default['chef_server']['rabbitmq']['node_port'] = '8672'
+default['chef_server']['rabbitmq']['nodename'] = 'rabbit@localhost'
+default['chef_server']['rabbitmq']['vip'] = '127.0.0.1'
+default['chef_server']['rabbitmq']['consumer_id'] = 'hotsauce'
+
+####
+# Chef Solr
+####
+default['chef_server']['chef-solr']['enable'] = true
+default['chef_server']['chef-solr']['ha'] = false
+default['chef_server']['chef-solr']['dir'] = "/var/opt/chef-server/chef-solr"
+default['chef_server']['chef-solr']['data_dir'] = "/var/opt/chef-server/chef-solr/data"
+default['chef_server']['chef-solr']['log_directory'] = "/var/log/chef-server/chef-solr"
+# defaults for heap size and new generation size are computed in the chef-solr
+# recipe based on node memory
+default['chef_server']['chef-solr']['heap_size'] = nil
+default['chef_server']['chef-solr']['new_size'] = nil
+default['chef_server']['chef-solr']['java_opts'] = ""
+default['chef_server']['chef-solr']['ip_address'] = '127.0.0.1'
+default['chef_server']['chef-solr']['vip'] = '127.0.0.1'
+default['chef_server']['chef-solr']['port'] = 8983
+default['chef_server']['chef-solr']['ram_buffer_size'] = 200
+default['chef_server']['chef-solr']['merge_factor'] = 100
+default['chef_server']['chef-solr']['max_merge_docs'] = 2147483647
+default['chef_server']['chef-solr']['max_field_length'] = 100000
+default['chef_server']['chef-solr']['max_commit_docs'] = 1000
+default['chef_server']['chef-solr']['commit_interval'] = 60000 # in ms
+default['chef_server']['chef-solr']['poll_seconds'] = 20 # slave -> master poll interval in seconds, max of 60 (see solrconfig.xml.erb)
+
+####
+# Chef Expander
+####
+default['chef_server']['chef-expander']['enable'] = true
+default['chef_server']['chef-expander']['ha'] = false
+default['chef_server']['chef-expander']['dir'] = "/var/opt/chef-server/chef-expander"
+default['chef_server']['chef-expander']['log_directory'] = "/var/log/chef-server/chef-expander"
+default['chef_server']['chef-expander']['reindexer_log_directory'] = "/var/log/chef-server/chef-expander-reindexer"
+default['chef_server']['chef-expander']['consumer_id'] = "default"
+default['chef_server']['chef-expander']['nodes'] = 2
+
+####
+# Bookshelf
+####
+default['chef_server']['bookshelf']['enable'] = true
+default['chef_server']['bookshelf']['ha'] = false
+default['chef_server']['bookshelf']['dir'] = "/var/opt/chef-server/bookshelf"
+default['chef_server']['bookshelf']['data_dir'] = "/var/opt/chef-server/bookshelf/data"
+default['chef_server']['bookshelf']['log_directory'] = "/var/log/chef-server/bookshelf"
+default['chef_server']['bookshelf']['svlogd_size'] = 1000000
+default['chef_server']['bookshelf']['svlogd_num'] = 10
+default['chef_server']['bookshelf']['vip'] = node['fqdn']
+default['chef_server']['bookshelf']['url'] = "https://#{node['fqdn']}"
+# Default: set to Host: header. Override to hardcode a url, "http://..."
+default['chef_server']['bookshelf']['external_url'] = :host_header
+default['chef_server']['bookshelf']['listen'] = '127.0.0.1'
+default['chef_server']['bookshelf']['port'] = 4321
+default['chef_server']['bookshelf']['stream_download'] = true
+default['chef_server']['bookshelf']['access_key_id'] = "generated-by-default"
+default['chef_server']['bookshelf']['secret_access_key'] = "generated-by-default"
+
+####
+# Erlang Chef Server API
+####
+default['chef_server']['erchef']['enable'] = true
+default['chef_server']['erchef']['ha'] = false
+default['chef_server']['erchef']['dir'] = "/var/opt/chef-server/erchef"
+default['chef_server']['erchef']['log_directory'] = "/var/log/chef-server/erchef"
+default['chef_server']['erchef']['svlogd_size'] = 1000000
+default['chef_server']['erchef']['svlogd_num'] = 10
+default['chef_server']['erchef']['vip'] = '127.0.0.1'
+default['chef_server']['erchef']['listen'] = '127.0.0.1'
+default['chef_server']['erchef']['port'] = 8000
+default['chef_server']['erchef']['auth_skew'] = '900'
+default['chef_server']['erchef']['bulk_fetch_batch_size'] = '5'
+default['chef_server']['erchef']['max_cache_size'] = '10000'
+default['chef_server']['erchef']['cache_ttl'] = '3600'
+default['chef_server']['erchef']['db_pool_size'] = '20'
+default['chef_server']['erchef']['ibrowse_max_sessions'] = 256
+default['chef_server']['erchef']['ibrowse_max_pipeline_size'] = 1
+# Default: generate signed URLs based upon Host: header. Override with a url, "http:// ..."
+default['chef_server']['erchef']['base_resource_url'] = :host_header
+default['chef_server']['erchef']['s3_bucket'] = 'bookshelf'
+default['chef_server']['erchef']['s3_url_ttl'] = 900
+default['chef_server']['erchef']['s3_parallel_ops_timeout'] = 5000
+default['chef_server']['erchef']['s3_parallel_ops_fanout'] = 20
+default['chef_server']['erchef']['proxy_user'] = "pivotal"
+default['chef_server']['erchef']['validation_client_name'] = "chef-validator"
+default['chef_server']['erchef']['umask'] = "0022"
+default['chef_server']['erchef']['web_ui_client_name'] = "chef-webui"
+default['chef_server']['erchef']['root_metric_key'] = "chefAPI"
+default['chef_server']['erchef']['depsolver_worker_count'] = 5
+default['chef_server']['erchef']['depsolver_timeout'] = 5000
+default['chef_server']['erchef']['max_request_size'] = 1000000
+
+####
+# Chef Server WebUI
+####
+default['chef_server']['chef-server-webui']['enable'] = true
+default['chef_server']['chef-server-webui']['ha'] = false
+default['chef_server']['chef-server-webui']['dir'] = "/var/opt/chef-server/chef-server-webui"
+default['chef_server']['chef-server-webui']['log_directory'] = "/var/log/chef-server/chef-server-webui"
+default['chef_server']['chef-server-webui']['environment'] = 'chefserver'
+default['chef_server']['chef-server-webui']['listen'] = '127.0.0.1'
+default['chef_server']['chef-server-webui']['vip'] = '127.0.0.1'
+default['chef_server']['chef-server-webui']['port'] = 9462
+default['chef_server']['chef-server-webui']['backlog'] = 1024
+default['chef_server']['chef-server-webui']['tcp_nodelay'] = true
+default['chef_server']['chef-server-webui']['worker_timeout'] = 3600
+default['chef_server']['chef-server-webui']['umask'] = "0022"
+default['chef_server']['chef-server-webui']['worker_processes'] = 2
+default['chef_server']['chef-server-webui']['session_key'] = "_sandbox_session"
+default['chef_server']['chef-server-webui']['cookie_domain'] = "all"
+default['chef_server']['chef-server-webui']['cookie_secret'] = "47b3b8d95dea455baf32155e95d1e64e"
+default['chef_server']['chef-server-webui']['web_ui_client_name'] = "chef-webui"
+default['chef_server']['chef-server-webui']['web_ui_admin_user_name'] = "admin"
+default['chef_server']['chef-server-webui']['web_ui_admin_default_password'] = "p@ssw0rd1"
+
+####
+# Chef Pedant
+####
+default['chef_server']['chef-pedant']['dir'] = "/var/opt/chef-server/chef-pedant"
+default['chef_server']['chef-pedant']['log_directory'] = "/var/log/chef-server/chef-pedant"
+default['chef_server']['chef-pedant']['log_http_requests'] = true
+
+###
+# Estatsd
+###
+default['chef_server']['estatsd']['enable'] = true
+default['chef_server']['estatsd']['dir'] = "/var/opt/chef-server/estatsd"
+default['chef_server']['estatsd']['log_directory'] = "/var/log/chef-server/estatsd"
+default['chef_server']['estatsd']['vip'] = "127.0.0.1"
+default['chef_server']['estatsd']['port'] = 9466
+
+###
+# Load Balancer
+###
+default['chef_server']['lb']['enable'] = true
+default['chef_server']['lb']['vip'] = "127.0.0.1"
+default['chef_server']['lb']['api_fqdn'] = node['fqdn']
+default['chef_server']['lb']['web_ui_fqdn'] = node['fqdn']
+default['chef_server']['lb']['cache_cookbook_files'] = false
+default['chef_server']['lb']['debug'] = false
+default['chef_server']['lb']['upstream']['erchef'] = [ "127.0.0.1" ]
+default['chef_server']['lb']['upstream']['chef-server-webui'] = [ "127.0.0.1" ]
+default['chef_server']['lb']['upstream']['bookshelf'] = [ "127.0.0.1" ]
+
+####
+# Nginx
+####
+default['chef_server']['nginx']['enable'] = true
+default['chef_server']['nginx']['ha'] = false
+default['chef_server']['nginx']['dir'] = "/var/opt/chef-server/nginx"
+default['chef_server']['nginx']['log_directory'] = "/var/log/chef-server/nginx"
+default['chef_server']['nginx']['ssl_port'] = 443
+default['chef_server']['nginx']['enable_non_ssl'] = false
+default['chef_server']['nginx']['non_ssl_port'] = 80
+default['chef_server']['nginx']['server_name'] = node['fqdn']
+default['chef_server']['nginx']['url'] = "https://#{node['fqdn']}"
+# These options provide the current best security with TSLv1
+#default['chef_server']['nginx']['ssl_protocols'] = "-ALL +TLSv1"
+#default['chef_server']['nginx']['ssl_ciphers'] = "RC4:!MD5"
+# This might be necessary for auditors that want no MEDIUM security ciphers and don't understand BEAST attacks
+#default['chef_server']['nginx']['ssl_protocols'] = "-ALL +SSLv3 +TLSv1"
+#default['chef_server']['nginx']['ssl_ciphers'] = "HIGH:!MEDIUM:!LOW:!ADH:!kEDH:!aNULL:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK"
+# The following favors performance and compatibility, addresses BEAST, and should pass a PCI audit
+default['chef_server']['nginx']['ssl_protocols'] = "SSLv3 TLSv1"
+default['chef_server']['nginx']['ssl_ciphers'] = "RC4-SHA:RC4-MD5:RC4:RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK"
+default['chef_server']['nginx']['ssl_certificate'] = nil
+default['chef_server']['nginx']['ssl_certificate_key'] = nil
+default['chef_server']['nginx']['ssl_country_name'] = "US"
+default['chef_server']['nginx']['ssl_state_name'] = "WA"
+default['chef_server']['nginx']['ssl_locality_name'] = "Seattle"
+default['chef_server']['nginx']['ssl_company_name'] = "YouCorp"
+default['chef_server']['nginx']['ssl_organizational_unit_name'] = "Operations"
+default['chef_server']['nginx']['ssl_email_address'] = "you@example.com"
+default['chef_server']['nginx']['worker_processes'] = node['cpu']['total'].to_i
+default['chef_server']['nginx']['worker_connections'] = 10240
+default['chef_server']['nginx']['sendfile'] = 'on'
+default['chef_server']['nginx']['tcp_nopush'] = 'on'
+default['chef_server']['nginx']['tcp_nodelay'] = 'on'
+default['chef_server']['nginx']['gzip'] = "on"
+default['chef_server']['nginx']['gzip_http_version'] = "1.0"
+default['chef_server']['nginx']['gzip_comp_level'] = "2"
+default['chef_server']['nginx']['gzip_proxied'] = "any"
+default['chef_server']['nginx']['gzip_types'] = [ "text/plain", "text/css", "application/x-javascript", "text/xml", "application/xml", "application/xml+rss", "text/javascript", "application/json" ]
+default['chef_server']['nginx']['keepalive_timeout'] = 65
+default['chef_server']['nginx']['client_max_body_size'] = '250m'
+default['chef_server']['nginx']['cache_max_size'] = '5000m'
+
+###
+# PostgreSQL
+###
+default['chef_server']['postgresql']['enable'] = true
+default['chef_server']['postgresql']['ha'] = false
+default['chef_server']['postgresql']['dir'] = "/var/opt/chef-server/postgresql"
+default['chef_server']['postgresql']['data_dir'] = "/var/opt/chef-server/postgresql/data"
+default['chef_server']['postgresql']['log_directory'] = "/var/log/chef-server/postgresql"
+default['chef_server']['postgresql']['svlogd_size'] = 1000000
+default['chef_server']['postgresql']['svlogd_num'] = 10
+default['chef_server']['postgresql']['username'] = "opscode-pgsql"
+default['chef_server']['postgresql']['shell'] = "/bin/sh"
+default['chef_server']['postgresql']['home'] = "/var/opt/chef-server/postgresql"
+default['chef_server']['postgresql']['user_path'] = "/opt/chef-server/embedded/bin:/opt/chef-server/bin:$PATH"
+default['chef_server']['postgresql']['sql_user'] = "opscode_chef"
+default['chef_server']['postgresql']['sql_password'] = "snakepliskin"
+default['chef_server']['postgresql']['sql_ro_user'] = "opscode_chef_ro"
+default['chef_server']['postgresql']['sql_ro_password'] = "shmunzeltazzen"
+default['chef_server']['postgresql']['vip'] = "127.0.0.1"
+default['chef_server']['postgresql']['port'] = 5432
+default['chef_server']['postgresql']['listen_address'] = 'localhost'
+default['chef_server']['postgresql']['max_connections'] = 200
+default['chef_server']['postgresql']['md5_auth_cidr_addresses'] = [ ]
+default['chef_server']['postgresql']['trust_auth_cidr_addresses'] = [ '127.0.0.1/32', '::1/128' ]
+default['chef_server']['postgresql']['shmmax'] = kernel['machine'] =~ /x86_64/ ? 17179869184 : 4294967295
+default['chef_server']['postgresql']['shmall'] = kernel['machine'] =~ /x86_64/ ? 4194304 : 1048575
+
+# Resolves CHEF-3889
+if (node['memory']['total'].to_i / 4) > ((node['chef_server']['postgresql']['shmmax'].to_i / 1024) - 2097152)
+ # guard against setting shared_buffers > shmmax on hosts with installed RAM > 64GB
+ # use 2GB less than shmmax as the default for these large memory machines
+ default['chef_server']['postgresql']['shared_buffers'] = "14336MB"
+else
+ default['chef_server']['postgresql']['shared_buffers'] = "#{(node['memory']['total'].to_i / 4) / (1024)}MB"
+end
+
+default['chef_server']['postgresql']['work_mem'] = "8MB"
+default['chef_server']['postgresql']['effective_cache_size'] = "#{(node['memory']['total'].to_i / 2) / (1024)}MB"
+default['chef_server']['postgresql']['checkpoint_segments'] = 10
+default['chef_server']['postgresql']['checkpoint_timeout'] = "5min"
+default['chef_server']['postgresql']['checkpoint_completion_target'] = 0.9
+default['chef_server']['postgresql']['checkpoint_warning'] = "30s"
diff --git a/files/gitlab-cookbooks/gitlab/libraries/chef_server.rb b/files/gitlab-cookbooks/gitlab/libraries/chef_server.rb
new file mode 100644
index 0000000..05f6261
--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/libraries/chef_server.rb
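Review bot: The imported defaults carry literal credentials — `sql_password = "snakepliskin"`, `sql_ro_password = "shmunzeltazzen"`, the rabbitmq `password = 'chefrocks'`, the webui `cookie_secret` and `web_ui_admin_default_password = "p@ssw0rd1"` — and the generated secrets in libraries/chef_server.rb are applied with `||=` to the ChefServer config, so whether they ever displace these node defaults depends on a merge that is not part of this patch. Setting the credential defaults to `nil`, e.g. `default['chef_server']['postgresql']['sql_password'] = nil`, makes a missing override fail visibly instead of silently landing on a published password. The same hunk also fixes `ssl_protocols = "SSLv3 TLSv1"` and an RC4-first `ssl_ciphers` string for nginx; if nginx is outside the scope of this postgres import those sections could be dropped, otherwise they need to be revisited before use. Given the subject line, it is worth confirming that the non-postgres sections of this file are intended to be carried over at all.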
@@ -0,0 +1,140 @@
+#
+# Copyright:: Copyright (c) 2012 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'mixlib/config'
+require 'chef/mash'
+require 'chef/json_compat'
+require 'chef/mixin/deep_merge'
+require 'securerandom'
+
+module ChefServer
+ extend(Mixlib::Config)
+
+ rabbitmq Mash.new
+ chef_solr Mash.new
+ chef_expander Mash.new
+ erchef Mash.new
+ chef_server_webui Mash.new
+ lb Mash.new
+ postgresql Mash.new
+ bookshelf Mash.new
+ bootstrap Mash.new
+ nginx Mash.new
+ api_fqdn nil
+ node nil
+ notification_email nil
+
+ class << self
+
+ # guards against creating secrets on non-bootstrap node
+ def generate_hex(chars)
+ SecureRandom.hex(chars)
+ end
+
+ def generate_secrets(node_name)
+ existing_secrets ||= Hash.new
+ if File.exists?("/etc/chef-server/chef-server-secrets.json")
+ existing_secrets = Chef::JSONCompat.from_json(File.read("/etc/chef-server/chef-server-secrets.json"))
+ end
+ existing_secrets.each do |k, v|
+ v.each do |pk, p|
+ ChefServer[k][pk] = p
+ end
+ end
+
+ ChefServer['rabbitmq']['password'] ||= generate_hex(50)
+ ChefServer['chef_server_webui']['cookie_secret'] ||= generate_hex(50)
+ ChefServer['postgresql']['sql_password'] ||= generate_hex(50)
+ ChefServer['postgresql']['sql_ro_password'] ||= generate_hex(50)
+ ChefServer['bookshelf']['access_key_id'] ||= generate_hex(20)
+ ChefServer['bookshelf']['secret_access_key'] ||= generate_hex(40)
+
+ if File.directory?("/etc/chef-server")
+ File.open("/etc/chef-server/chef-server-secrets.json", "w") do |f|
+ f.puts(
+ Chef::JSONCompat.to_json_pretty({
+ 'rabbitmq' => {
+ 'password' => ChefServer['rabbitmq']['password'],
+ },
+ 'chef_server_webui' => {
+ 'cookie_secret' => ChefServer['chef_server_webui']['cookie_secret'],
+ },
+ 'postgresql' => {
+ 'sql_password' => ChefServer['postgresql']['sql_password'],
+ 'sql_ro_password' => ChefServer['postgresql']['sql_ro_password']
+ },
+ 'bookshelf' => {
+ 'access_key_id' => ChefServer['bookshelf']['access_key_id'],
+ 'secret_access_key' => ChefServer['bookshelf']['secret_access_key']
+ }
+ })
+ )
+ system("chmod 0600 /etc/chef-server/chef-server-secrets.json")
+ end
+ end
+ end
+
+ def generate_hash
+ results = { "chef_server" => {} }
+ [
+ "rabbitmq",
+ "chef_solr",
+ "chef_expander",
+ "erchef",
+ "chef_server_webui",
+ "lb",
+ "postgresql",
+ "nginx",
+ "bookshelf",
+ "bootstrap"
+ ].each do |key|
+ rkey = key.gsub('_', '-')
+ results['chef_server'][rkey] = ChefServer[key]
+ end
+ results['chef_server']['notification_email'] = ChefServer['notification_email']
+
+ results
+ end
+
+ def gen_api_fqdn
+ ChefServer["lb"]["api_fqdn"] ||= ChefServer['api_fqdn']
+ ChefServer["lb"]["web_ui_fqdn"] ||= ChefServer['api_fqdn']
+ ChefServer["nginx"]["server_name"] ||= ChefServer['api_fqdn']
+
+ # If the user manually set an Nginx URL in the config file all bets are
+ # off...we just cross our fingers and hope they constructed the URL
+ # correctly! We may want to remove this 'private' config value from the
+ # documenation.
+ if ChefServer["nginx"]["url"].nil?
+ ChefServer["nginx"]["url"] = "https://#{ChefServer['api_fqdn']}"
+ if ChefServer["nginx"]["ssl_port"]
+ ChefServer["nginx"]["url"] << ":#{ChefServer["nginx"]["ssl_port"]}"
+ end
+ end
+
+ # The external bookshelf URL should match the external lb
+ ChefServer["bookshelf"]["url"] ||= ChefServer["nginx"]["url"]
+ end
+
+ def generate_config(node_name)
+ generate_secrets(node_name)
+ ChefServer[:api_fqdn] ||= node_name
+ gen_api_fqdn
+ generate_hash
+ end
+ end
+end
diff --git a/files/gitlab-cookbooks/gitlab/libraries/helper.rb b/files/gitlab-cookbooks/gitlab/libraries/helper.rb
new file mode 100644
index 0000000..be63e11
--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/libraries/helper.rb
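Review bot: In generate_secrets the secrets file is opened with `File.open(..., "w")` and only narrowed afterwards by `system("chmod 0600 ...")`, so on first creation it gets the process umask (commonly world-readable) and the passwords are already written by the time the mode changes. Pass the mode at creation and drop the shell-out: `File.open("/etc/chef-server/chef-server-secrets.json", "w", 0600) do |f|`, with `File.chmod(0600, "/etc/chef-server/chef-server-secrets.json")` in place of the `system` call, the latter still needed because the mode argument only applies to a newly created file. `existing_secrets ||= Hash.new` on a fresh local is simply `existing_secrets = {}`. `generate_hex(chars)` hands its argument to `SecureRandom.hex` as a byte count and therefore returns twice that many hex characters; the comment above it (about non-bootstrap nodes) does not describe the method, so a one-line note such as `# returns 2*chars hex characters (chars is a byte count)` would help the next reader.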
@@ -0,0 +1,194 @@
+#
+# Copyright:: Copyright (c) 2012 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'mixlib/shellout'
+
+class PgHelper
+ attr_reader :node
+
+ def initialize(node)
+ @node = node
+ end
+
+ def is_running?
+ OmnibusHelper.service_up?("postgresql")
+ end
+
+ def database_exists?(db_name)
+ psql_cmd(["-d 'template1'",
+ "-c 'select datname from pg_database' -x",
+ "| grep #{db_name}"])
+ end
+
+ def sql_user_exists?
+ user_exists?(node['chef_server']['postgresql']['sql_user'])
+ end
+
+ def sql_ro_user_exists?
+ user_exists?(node['chef_server']['postgresql']['sql_ro_user'])
+ end
+
+ def user_exists?(db_user)
+ psql_cmd(["-d 'template1'",
+ "-c 'select usename from pg_user' -x",
+ "|grep #{db_user}"])
+ end
+
+ def psql_cmd(cmd_list)
+ cmd = ["/opt/chef-server/embedded/bin/chpst",
+ "-u #{pg_user}",
+ "/opt/chef-server/embedded/bin/psql",
+ "--port #{pg_port}",
+ cmd_list.join(" ")].join(" ")
+ do_shell_out(cmd, 0)
+ end
+
+ def pg_user
+ node['chef_server']['postgresql']['username']
+ end
+
+ def pg_port
+ node['chef_server']['postgresql']['port']
+ end
+
+ def do_shell_out(cmd, expect_status)
+ o = Mixlib::ShellOut.new(cmd)
+ o.run_command
+ o.exitstatus == expect_status
+ end
+
+end
+
+class OmnibusHelper
+
+ def self.should_notify?(service_name)
+ File.symlink?("/opt/chef-server/service/#{service_name}") && service_up?(service_name)
+ end
+
+ def self.service_up?(service_name)
+ o = Mixlib::ShellOut.new("/opt/chef-server/bin/chef-server-ctl status #{service_name}")
+ o.run_command
+ o.exitstatus == 0
+ end
+
+ # generate a certificate signed by the opscode ca key
+ #
+ # === Returns
+ # [cert, key]
+ #
+ def self.gen_certificate
+ key = OpenSSL::PKey::RSA.generate(2048)
+ public_key = key.public_key
+ cert_uuid = UUIDTools::UUID.random_create
+ common_name = "URI:http://opscode.com/GUIDS/#{cert_uuid}"
+ info = [["C", "US"], ["ST", "Washington"], ["L", "Seattle"], ["O", "Opscode, Inc."], ["OU", "Certificate Service"], ["CN", common_name]]
+ cert = OpenSSL::X509::Certificate.new
+ cert.subject = OpenSSL::X509::Name.new(info)
+ cert.issuer = ca_certificate.subject
+ cert.not_before = Time.now
+ cert.not_after = Time.now + 10 * 365 * 24 * 60 * 60 # 10 years
+ cert.public_key = public_key
+ cert.serial = 1
+ cert.version = 3
+
+ ef = OpenSSL::X509::ExtensionFactory.new
+ ef.subject_certificate = cert
+ ef.issuer_certificate = ca_certificate
+ cert.extensions = [
+ ef.create_extension("basicConstraints","CA:FALSE",true),
+ ef.create_extension("subjectKeyIdentifier", "hash")
+ ]
+ cert.sign(ca_keypair, OpenSSL::Digest::SHA1.new)
+
+ return cert, key
+ end
+
+ ######################################################################
+ #
+ # the following is the Opscode CA key and certificate, copied from
+ # the cert project(s)
+ #
+ ######################################################################
+
+ def self.ca_certificate
+ @_ca_cert ||=
+ begin
+ cert_string = <<-EOCERT
+-----BEGIN CERTIFICATE-----
+MIIDyDCCAzGgAwIBAwIBATANBgkqhkiG9w0BAQUFADCBnjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFjAUBgNVBAoM
+DU9wc2NvZGUsIEluYy4xHDAaBgNVBAsME0NlcnRpZmljYXRlIFNlcnZpY2UxMjAw
+BgNVBAMMKW9wc2NvZGUuY29tL2VtYWlsQWRkcmVzcz1hdXRoQG9wc2NvZGUuY29t
+MB4XDTA5MDUwNjIzMDEzNVoXDTE5MDUwNDIzMDEzNVowgZ4xCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRYwFAYDVQQK
+DA1PcHNjb2RlLCBJbmMuMRwwGgYDVQQLDBNDZXJ0aWZpY2F0ZSBTZXJ2aWNlMTIw
+MAYDVQQDDClvcHNjb2RlLmNvbS9lbWFpbEFkZHJlc3M9YXV0aEBvcHNjb2RlLmNv
+bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAlKTCZPmifZe9ruxlQpWRj+yx
+Mxt6+omH44jSfj4Obrnmm5eqVhRwjSfHOq383IeilFrNqC5VkiZrlLh8uhuTeaCy
+PE1eED7DZOmwuswTui49DqXiVE39jB6TnzZ3mr6HOPHXtPhSzdtILo18RMmgyfm/
+csrwct1B3GuQ9LSVMXkCAwEAAaOCARIwggEOMA8GA1UdEwEB/wQFMAMBAf8wHQYD
+VR0OBBYEFJ228MdlU86GfVLsQx8rleAeM+eLMA4GA1UdDwEB/wQEAwIBBjCBywYD
+VR0jBIHDMIHAgBSdtvDHZVPOhn1S7EMfK5XgHjPni6GBpKSBoTCBnjELMAkGA1UE
+BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFjAU
+BgNVBAoMDU9wc2NvZGUsIEluYy4xHDAaBgNVBAsME0NlcnRpZmljYXRlIFNlcnZp
+Y2UxMjAwBgNVBAMMKW9wc2NvZGUuY29tL2VtYWlsQWRkcmVzcz1hdXRoQG9wc2Nv
+ZGUuY29tggEBMA0GCSqGSIb3DQEBBQUAA4GBAHJxAnwTt/liAMfZf5Khg7Mck4f+
+IkO3rjoI23XNbVHlctTOieSwzRZtBRdNOTzQvzzhh1KKpl3Rt04rrRPQvDeO/Usm
+pVr6g+lk2hhDgKKeR4J7qXZmlemZTrFZoobdoijDaOT5NuqkGt5ANdTqzRwbC9zQ
+t6vXSWGCFoo4AEic
+-----END CERTIFICATE-----
+EOCERT
+ OpenSSL::X509::Certificate.new(cert_string)
+ end
+ end
+
+ def self.ca_keypair
+ @_ca_key ||=
+ begin
+ keypair_string = <<-EOKEY
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQCUpMJk+aJ9l72u7GVClZGP7LEzG3r6iYfjiNJ+Pg5uueabl6pW
+FHCNJ8c6rfzch6KUWs2oLlWSJmuUuHy6G5N5oLI8TV4QPsNk6bC6zBO6Lj0OpeJU
+Tf2MHpOfNneavoc48de0+FLN20gujXxEyaDJ+b9yyvBy3UHca5D0tJUxeQIDAQAB
+AoGAYAPRIeJyiIfk2cIPYqQ0g3BTwfyFQqJl6Z7uwOca8YEZqfWc7L+FOFiyg3/x
+rw3aAdRptbJASgiRQ16sCpdXeaRFY5gcO2MnqmCyoyp2//zhdFReSC+Akim1UPtG
+5SqqdV9I0TBl+1JlMiivn677mXGij+qyQjSWxW2pGVsbTSUCQQDDLb/DgoD0+N6O
+FIoJ/Mh5cgIxQhqXu/dylEv/I3goSJdXPAqhsnsa6zYQGdftnvMK1ZXS/hYL4i06
+w9lKDV8PAkEAwvaz1oUtXLNfYYAF42c1BoBhqCzjXSzMWPu5BlWQzSsdzgVgDuX3
+LlkiIdRtMcMaNskaBTtIClCxaEm3rUnm9wJAEOp2JEu7QYAQSeAd1p/CAESRTBOe
+mmgAGj4gGAzK7TLdawIZKcp+QOcB2INk44NTLS01vwOmhYEkymMPAgwGoQJAKimq
+GMFyXvLXtME4BMbEG+TVucYDYZoXk0LU776/cu9ZIb3d2Tr4asiR7hj/iFx2JdT1
+0J3SZZCv3SrcExjBXwJABS3/iQroe24tvrmyy4tc5YG5ygIRaBUCs6dn0fbisX/9
+K1oq5Lnwimy4l2NI0o/lxIqnwFilACjs3tuXH1OhMA==
+-----END RSA PRIVATE KEY-----
+EOKEY
+ OpenSSL::PKey::RSA.new(keypair_string)
+ end
+ end
+
+ def self.erl_atom_or_string(term)
+ case term
+ when Symbol
+ term
+ when String
+ "\"#{term}\""
+ else
+ "undefined"
+ end
+ end
+end
+
diff --git a/files/gitlab-cookbooks/gitlab/recipes/postgresql.rb b/files/gitlab-cookbooks/gitlab/recipes/postgresql.rb
new file mode 100644
index 0000000..11e955f
--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/recipes/postgresql.rb
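Review bot: `database_exists?` and `user_exists?` decide existence with a bare `grep #{name}` over the expanded psql output, which is a substring match: with the defaults in attributes/default.rb, `user_exists?("opscode_chef")` is also true when only `opscode_chef_ro` exists, so a creation guarded by `sql_user_exists?` can be skipped depending on the order the users were made. The names are also interpolated unquoted into a single shell string by psql_cmd, so any metacharacter in the attribute value changes the command; asking the server for an exact match (below) removes the false positive, and passing an argv array to Mixlib::ShellOut instead of a joined string would remove the quoting problem. Separately, the file embeds a CA private key in `self.ca_keypair`, and `gen_certificate` signs with `OpenSSL::Digest::SHA1` and a fixed `cert.serial = 1`; if the postgres import does not need certificate generation, leaving `gen_certificate`, `ca_certificate` and `ca_keypair` out avoids carrying that key into this repository.
```ruby
 def database_exists?(db_name)
 # exact match from the server, not a substring hit via grep
 psql_cmd(["-d 'template1'", "-tAc",
 "\"select 1 from pg_database where datname = '#{db_name}'\"",
 "| grep -q 1"])
 end

 # … unchanged: sql_user_exists?, sql_ro_user_exists? …

 def user_exists?(db_user)
 psql_cmd(["-d 'template1'", "-tAc",
 "\"select 1 from pg_user where usename = '#{db_user}'\"",
 "| grep -q 1"])
 end
```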
@@ -0,0 +1,188 @@
+#
+# Copyright:: Copyright (c) 2012 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+postgresql_dir = node['chef_server']['postgresql']['dir']
+postgresql_data_dir = node['chef_server']['postgresql']['data_dir']
+postgresql_data_dir_symlink = File.join(postgresql_dir, "data")
+postgresql_log_dir = node['chef_server']['postgresql']['log_directory']
+chef_db_dir = Dir.glob("/opt/chef-server/embedded/service/erchef/lib/chef_db-*").first
+
+user node['chef_server']['postgresql']['username'] do
+ system true
+ shell node['chef_server']['postgresql']['shell']
+ home node['chef_server']['postgresql']['home']
+end
+
+directory postgresql_log_dir do
+ owner node['chef_server']['postgresql']['username']
+ recursive true
+end
+
+directory postgresql_dir do
+ owner node['chef_server']['postgresql']['username']
+ mode "0700"
+end
+
+directory postgresql_data_dir do
+ owner node['chef_server']['postgresql']['username']
+ mode "0700"
+ recursive true
+end
+
+link postgresql_data_dir_symlink do
+ to postgresql_data_dir
+ not_if { postgresql_data_dir == postgresql_data_dir_symlink }
+end
+
+file File.join(node['chef_server']['postgresql']['home'], ".profile") do
+ owner node['chef_server']['postgresql']['username']
+ mode "0644"
+ content <<-EOH
+PATH=#{node['chef_server']['postgresql']['user_path']}
+EOH
+end
+
+if File.directory?("/etc/sysctl.d") && File.exists?("/etc/init.d/procps")
+ # smells like ubuntu...
+ service "procps" do
+ action :nothing
+ end
+
+ template "/etc/sysctl.d/90-postgresql.conf" do
+ source "90-postgresql.conf.sysctl.erb"
+ owner "root"
+ mode "0644"
+ variables(node['chef_server']['postgresql'].to_hash)
+ notifies :start, 'service[procps]', :immediately
+ end
+else
+ # hope this works...
+ execute "sysctl" do
+ command "/sbin/sysctl -p /etc/sysctl.conf"
+ action :nothing
+ end
+
+ bash "add shm settings" do
+ user "root"
+ code <<-EOF
+ echo 'kernel.shmmax = #{node['chef_server']['postgresql']['shmmax']}' >> /etc/sysctl.conf
+ echo 'kernel.shmall = #{node['chef_server']['postgresql']['shmall']}' >> /etc/sysctl.conf
+ EOF
+ notifies :run, 'execute[sysctl]', :immediately
+ not_if "egrep '^kernel.shmmax = ' /etc/sysctl.conf"
+ end
+end
+
+execute "/opt/chef-server/embedded/bin/initdb -D #{postgresql_data_dir}" do
+ user node['chef_server']['postgresql']['username']
+ not_if { File.exists?(File.join(postgresql_data_dir, "PG_VERSION")) }
+end
+
+postgresql_config = File.join(postgresql_data_dir, "postgresql.conf")
+
+template postgresql_config do
+ source "postgresql.conf.erb"
+ owner node['chef_server']['postgresql']['username']
+ mode "0644"
+ variables(node['chef_server']['postgresql'].to_hash)
+ notifies :restart, 'service[postgresql]' if OmnibusHelper.should_notify?("postgresql")
+end
+
+pg_hba_config = File.join(postgresql_data_dir, "pg_hba.conf")
+
+template pg_hba_config do
+ source "pg_hba.conf.erb"
+ owner node['chef_server']['postgresql']['username']
+ mode "0644"
+ variables(node['chef_server']['postgresql'].to_hash)
+ notifies :restart, 'service[postgresql]' if OmnibusHelper.should_notify?("postgresql")
+end
+
+should_notify = OmnibusHelper.should_notify?("postgresql")
+
+runit_service "postgresql" do
+ down node['chef_server']['postgresql']['ha']
+ control(['t'])
+ options({
+ :log_directory => postgresql_log_dir,
+ :svlogd_size => node['chef_server']['postgresql']['svlogd_size'],
+ :svlogd_num => node['chef_server']['postgresql']['svlogd_num']
+ }.merge(params))
+end
+
+if node['chef_server']['bootstrap']['enable']
+ execute "/opt/chef-server/bin/chef-server-ctl start postgresql" do
+ retries 20
+ end
+end
+
+###
+# Create the database, migrate it, and create the users we need, and grant them
+# privileges.
+###
+pg_helper = PgHelper.new(node)
+pg_port = node['chef_server']['postgresql']['port']
+pg_user = node['chef_server']['postgresql']['username']
+bin_dir = "/opt/chef-server/embedded/bin"
+db_name = "opscode_chef"
+
+execute "create #{db_name} database" do
+ command "#{bin_dir}/createdb -T template0 --port #{pg_port} -E UTF-8 #{db_name}"
+ user pg_user
+ not_if { !pg_helper.is_running? || pg_helper.database_exists?(db_name) }
+ retries 30
+ notifies :run, "execute[migrate_database]", :immediately
+end
+
+execute "migrate_database" do
+ command "#{bin_dir}/psql #{db_name} --port #{pg_port} < priv/pgsql_schema.sql"
+ cwd chef_db_dir
+ user pg_user
+ action :nothing
+end
+
+sql_user = node['chef_server']['postgresql']['sql_user']
+sql_user_passwd = node['chef_server']['postgresql']['sql_password']
+
+execute "#{bin_dir}/psql --port #{pg_port} -d '#{db_name}' -c \"CREATE USER #{sql_user} WITH SUPERUSER ENCRYPTED PASSWORD '#{sql_user_passwd}'\"" do
+ cwd chef_db_dir
+ user pg_user
+ notifies :run, "execute[grant #{db_name} privileges]", :immediately
+ not_if { !pg_helper.is_running? || pg_helper.sql_user_exists? }
+end
+
+execute "grant #{db_name} privileges" do
+ command "#{bin_dir}/psql --port #{pg_port} -d '#{db_name}' -c \"GRANT ALL PRIVILEGES ON DATABASE #{db_name} TO #{sql_user}\""
+ user pg_user
+ action :nothing
+end
+
+sql_ro_user = node['chef_server']['postgresql']['sql_ro_user']
+sql_ro_user_passwd = node['chef_server']['postgresql']['sql_ro_password']
+
+execute "#{bin_dir}/psql --port #{pg_port} -d '#{db_name}' -c \"CREATE USER #{sql_ro_user} WITH SUPERUSER ENCRYPTED PASSWORD '#{sql_ro_user_passwd}'\"" do
+ cwd chef_db_dir
+ user pg_user
+ notifies :run, "execute[grant #{db_name}_ro privileges]", :immediately
+ not_if { !pg_helper.is_running? || pg_helper.sql_ro_user_exists? }
+end
+
+execute "grant #{db_name}_ro privileges" do
+ command "#{bin_dir}/psql --port #{pg_port} -d '#{db_name}' -c \"GRANT ALL PRIVILEGES ON DATABASE #{db_name} TO #{sql_ro_user}\""
+ user pg_user
+ action :nothing
+end
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/90-postgresql.conf.sysctl.erb b/files/gitlab-cookbooks/gitlab/templates/default/90-postgresql.conf.sysctl.erb
new file mode 100644
index 0000000..55ae354
--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/templates/default/90-postgresql.conf.sysctl.erb
@@ -0,0 +1,5 @@
+#
+# chef server postgresql kernel shm tweaks
+#
+kernel.shmmax = <%= node['chef_server']['postgresql']['shmmax'] %>
+kernel.shmall = <%= node['chef_server']['postgresql']['shmall'] %>
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/pg_hba.conf.erb b/files/gitlab-cookbooks/gitlab/templates/default/pg_hba.conf.erb
new file mode 100644
index 0000000..d7f5651
--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/templates/default/pg_hba.conf.erb
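Review bot: Both `CREATE USER` statements in this hunk grant `WITH SUPERUSER`, including the one for `sql_ro_user`, so the account the attribute names as read-only actually has full cluster privileges and the following `GRANT ALL PRIVILEGES ON DATABASE` for it limits nothing; dropping `SUPERUSER` there (and giving the rw user ownership of `opscode_chef` rather than superuser) would match the intent the names express. The same two `execute` resources use the entire psql command line, password included, as the resource name, so the cleartext password ends up in the Chef run log as `execute[...]` and in the host's process list while psql runs; naming them `execute "create #{sql_user} sql user" do` with the psql call in `command`, and handing the password over through a psql variable or a mode-0600 file rather than `-c` string interpolation, keeps it out of both (a password containing `'` also breaks the quoting as written). Separately, `chef_db_dir` comes from `Dir.glob(...).first` and is `nil` when nothing matches, which the `cwd chef_db_dir` lines will presumably accept as "no cwd", leaving `migrate_database`'s relative `priv/pgsql_schema.sql` to resolve against an unintended directory; an explicit `raise` when the glob is empty would fail earlier and more readably.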
@@ -0,0 +1,75 @@
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the "Client Authentication" section in the
+# PostgreSQL documentation for a complete description
+# of this file. A short synopsis follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access. Records take one of these forms:
+#
+# local DATABASE USER METHOD [OPTION]
+# host DATABASE USER CIDR-ADDRESS METHOD [OPTION]
+# hostssl DATABASE USER CIDR-ADDRESS METHOD [OPTION]
+# hostnossl DATABASE USER CIDR-ADDRESS METHOD [OPTION]
+#
+# (The uppercase items must be replaced by actual values.)
+#
+# The first field is the connection type: "local" is a Unix-domain socket,
+# "host" is either a plain or SSL-encrypted TCP/IP socket, "hostssl" is an
+# SSL-encrypted TCP/IP socket, and "hostnossl" is a plain TCP/IP socket.
+#
+# DATABASE can be "all", "sameuser", "samerole", a database name, or
+# a comma-separated list thereof.
+#
+# USER can be "all", a user name, a group name prefixed with "+", or
+# a comma-separated list thereof. In both the DATABASE and USER fields
+# you can also write a file name prefixed with "@" to include names from
+# a separate file.
+#
+# CIDR-ADDRESS specifies the set of hosts the record matches.
+# It is made up of an IP address and a CIDR mask that is an integer
+# (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that specifies
+# the number of significant bits in the mask. Alternatively, you can write
+# an IP address and netmask in separate columns to specify the set of hosts.
+#
+# METHOD can be "trust", "reject", "md5", "crypt", "password", "gss", "sspi",
+# "krb5", "ident", "pam" or "ldap". Note that "password" sends passwords
+# in clear text; "md5" is preferred since it sends encrypted passwords.
+#
+# OPTION is the ident map or the name of the PAM service, depending on METHOD.
+#
+# Database and user names containing spaces, commas, quotes and other special
+# characters must be quoted. Quoting one of the keywords "all", "sameuser" or
+# "samerole" makes the name lose its special character, and just match a
+# database or username with that name.
+#
+# This file is read on server startup and when the postmaster receives
+# a SIGHUP signal. If you edit the file on a running system, you have
+# to SIGHUP the postmaster for the changes to take effect. You can use
+# "pg_ctl reload" to do that.
+
+# Put your actual configuration here
+# ----------------------------------
+#
+# If you want to allow non-local connections, you need to add more
+# "host" records. In that case you will also need to make PostgreSQL listen
+# on a non-local interface via the listen_addresses configuration parameter,
+# or via the -i or -h command line switches.
+#
+
+
+# TYPE DATABASE USER CIDR-ADDRESS METHOD
+
+# "local" is for Unix domain socket connections only
+local all all trust
+
+<% node['chef_server']['postgresql']['trust_auth_cidr_addresses'].each do |cidr| %>
+host all all <%= cidr %> trust
+<% end %>
+
+<% node['chef_server']['postgresql']['md5_auth_cidr_addresses'].each do |cidr| %>
+host all all <%= cidr %> md5
+<% end %>
+
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/postgresql-init.erb b/files/gitlab-cookbooks/gitlab/templates/default/postgresql-init.erb
new file mode 100755
index 0000000..49b5357
--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/templates/default/postgresql-init.erb
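Review bot: `local all all trust` lets every OS account on the host open a Unix-socket connection as any PostgreSQL role, including the initdb superuser, with no password, and the `trust_auth_cidr_addresses` loop extends the same unauthenticated access to each listed network over TCP, which also makes the `md5_auth_cidr_addresses` entries irrelevant for any address both lists cover. The header of this very file records that `md5` is the preferred method, so tying the `local` line to the service account with an OS-identity method, e.g. `local all <%= node['chef_server']['postgresql']['username'] %> peer` (`ident` on releases older than 9.1; the bundled version is not visible here) plus `local all all md5` for everyone else, would close the local hole without changing how the cookbook itself connects. Shipping `trust_auth_cidr_addresses` with an empty default would do the same for the TCP side; the attribute defaults are outside this hunk.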
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+#
+# make postgresql stop/restart send sigint to terminate clients to postgresql
+# immediately.
+#
+
+RETVAL=0
+
+case "$1" in
+ stop|force-stop)
+ /opt/chef-server/embedded/bin/sv once postgresql
+ /opt/chef-server/embedded/bin/sv interrupt postgresql
+ RETVAL=$?
+ ;;
+ restart)
+ /opt/chef-server/embedded/bin/sv once postgresql
+ /opt/chef-server/embedded/bin/sv interrupt postgresql
+ sleep 5
+ /opt/chef-server/embedded/bin/sv start postgresql
+ RETVAL=$?
+ ;;
+ *)
+ /opt/chef-server/embedded/bin/sv $1 postgresql
+ RETVAL=$?
+esac
+
+exit $RETVAL
+
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/postgresql.conf.erb b/files/gitlab-cookbooks/gitlab/templates/default/postgresql.conf.erb
new file mode 100644
index 0000000..8c2073f
--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/templates/default/postgresql.conf.erb
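Review bot: `$1` is unquoted in the fallthrough branch `sv $1 postgresql`, so an empty or whitespace-containing argument is word-split before `sv` sees it; `"$1"` is the usual form, and since this script exists only to reshape stop/restart, listing the accepted verbs in that branch instead of `*)` would avoid passing arbitrary text through to `sv`. In the `stop|force-stop)` and `restart)` branches `RETVAL` reflects only the last `sv` call, so a failing `sv once` goes unreported; if that is intentional, a one-line comment such as `# exit status deliberately reflects only the final sv call` would say so.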
@@ -0,0 +1,556 @@ +# ----------------------------- +# PostgreSQL configuration file +# ----------------------------- +# +# This file consists of lines of the form: +# +# name = value +# +# (The "=" is optional.) Whitespace may be used. Comments are introduced with +# "#" anywhere on a line. The complete list of parameter names and allowed +# values can be found in the PostgreSQL documentation. +# +# The commented-out settings shown in this file represent the default values. +# Re-commenting a setting is NOT sufficient to revert it to the default value; +# you need to reload the server. +# +# This file is read on server startup and when the server receives a SIGHUP +# signal. If you edit the file on a running system, you have to SIGHUP the +# server for the changes to take effect, or use "pg_ctl reload". Some +# parameters, which are marked below, require a server shutdown and restart to +# take effect. +# +# Any parameter can also be given as a command-line option to the server, e.g., +# "postgres -c log_connections=on". Some parameters can be changed at run time +# with the "SET" SQL command. +# +# Memory units: kB = kilobytes Time units: ms = milliseconds +# MB = megabytes s = seconds +# GB = gigabytes min = minutes +# h = hours +# d = days + + +#------------------------------------------------------------------------------ +# FILE LOCATIONS +#------------------------------------------------------------------------------ + +# The default values of these variables are driven from the -D command-line +# option or PGDATA environment variable, represented here as ConfigDir. + +#data_directory = 'ConfigDir' # use data in another directory + # (change requires restart) +#hba_file = 'ConfigDir/pg_hba.conf' # host-based authentication file + # (change requires restart) +#ident_file = 'ConfigDir/pg_ident.conf' # ident configuration file + # (change requires restart) + +# If external_pid_file is not explicitly set, no extra PID file is written. 
+#external_pid_file = '(none)' # write an extra PID file + # (change requires restart) + + +#------------------------------------------------------------------------------ +# CONNECTIONS AND AUTHENTICATION +#------------------------------------------------------------------------------ + +# - Connection Settings - + +listen_addresses = '<%= node['chef_server']['postgresql']['listen_address'] %>' # what IP address(es) to listen on; + # comma-separated list of addresses; + # defaults to 'localhost', '*' = all + # (change requires restart) +port = <%= node['chef_server']['postgresql']['port'] %> # (change requires restart) +max_connections = <%= node['chef_server']['postgresql']['max_connections'] %> # (change requires restart) +# Note: Increasing max_connections costs ~400 bytes of shared memory per +# connection slot, plus lock space (see max_locks_per_transaction). +#superuser_reserved_connections = 3 # (change requires restart) +#unix_socket_directory = '' # (change requires restart) +#unix_socket_group = '' # (change requires restart) +#unix_socket_permissions = 0777 # begin with 0 to use octal notation + # (change requires restart) +#bonjour = off # advertise server via Bonjour + # (change requires restart) +#bonjour_name = '' # defaults to the computer name + # (change requires restart) + +# - Security and Authentication - + +#authentication_timeout = 1min # 1s-600s +#ssl = off # (change requires restart) +#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers + # (change requires restart) +#ssl_renegotiation_limit = 512MB # amount of data between renegotiations +#password_encryption = on +#db_user_namespace = off + +# Kerberos and GSSAPI +#krb_server_keyfile = '' +#krb_srvname = 'postgres' # (Kerberos only) +#krb_caseins_users = off + +# - TCP Keepalives - +# see "man 7 tcp" for details + +#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds; + # 0 selects the system default +#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds; + # 0 
selects the system default +#tcp_keepalives_count = 0 # TCP_KEEPCNT; + # 0 selects the system default + + +#------------------------------------------------------------------------------ +# RESOURCE USAGE (except WAL) +#------------------------------------------------------------------------------ + +# - Memory - + +shared_buffers = <%= node['chef_server']['postgresql']['shared_buffers'] %> # min 128kB + # (change requires restart) +#temp_buffers = 8MB # min 800kB +#max_prepared_transactions = 0 # zero disables the feature + # (change requires restart) +# Note: Increasing max_prepared_transactions costs ~600 bytes of shared memory +# per transaction slot, plus lock space (see max_locks_per_transaction). +# It is not advisable to set max_prepared_transactions nonzero unless you +# actively intend to use prepared transactions. +work_mem = <%= node['chef_server']['postgresql']['work_mem'] %> # min 64kB +#maintenance_work_mem = 16MB # min 1MB +#max_stack_depth = 2MB # min 100kB + +# - Kernel Resource Usage - + +#max_files_per_process = 1000 # min 25 + # (change requires restart) +#shared_preload_libraries = '' # (change requires restart) + +# - Cost-Based Vacuum Delay - + +#vacuum_cost_delay = 0ms # 0-100 milliseconds +#vacuum_cost_page_hit = 1 # 0-10000 credits +#vacuum_cost_page_miss = 10 # 0-10000 credits +#vacuum_cost_page_dirty = 20 # 0-10000 credits +#vacuum_cost_limit = 200 # 1-10000 credits + +# - Background Writer - + +#bgwriter_delay = 200ms # 10-10000ms between rounds +#bgwriter_lru_maxpages = 100 # 0-1000 max buffers written/round +#bgwriter_lru_multiplier = 2.0 # 0-10.0 multipler on buffers scanned/round + +# - Asynchronous Behavior - + +#effective_io_concurrency = 1 # 1-1000. 
0 disables prefetching + + +#------------------------------------------------------------------------------ +# WRITE AHEAD LOG +#------------------------------------------------------------------------------ + +# - Settings - + +#wal_level = minimal # minimal, archive, or hot_standby + # (change requires restart) +#fsync = on # turns forced synchronization on or off +#synchronous_commit = on # synchronization level; on, off, or local +#wal_sync_method = fsync # the default is the first option + # supported by the operating system: + # open_datasync + # fdatasync (default on Linux) + # fsync + # fsync_writethrough + # open_sync +#full_page_writes = on # recover from partial page writes +#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers + # (change requires restart) +#wal_writer_delay = 200ms # 1-10000 milliseconds + +#commit_delay = 0 # range 0-100000, in microseconds +#commit_siblings = 5 # range 1-1000 + +# - Checkpoints - + +checkpoint_segments = <%= node['chef_server']['postgresql']['checkpoint_segments'] %> # in logfile segments, min 1, 16MB each, default 3 +checkpoint_timeout = <%= node['chef_server']['postgresql']['checkpoint_timeout'] %> # range 30s-1h, default 5min +checkpoint_completion_target = <%= node['chef_server']['postgresql']['checkpoint_completion_target'] %> # checkpoint target duration, 0.0 - 1.0, default 0.5 +checkpoint_warning = <%= node['chef_server']['postgresql']['checkpoint_warning'] %> # 0 disables, default 30s + +# - Archiving - + +#archive_mode = off # allows archiving to be done + # (change requires restart) +#archive_command = '' # command to use to archive a logfile segment +#archive_timeout = 0 # force a logfile segment switch after this + # number of seconds; 0 disables + + +#------------------------------------------------------------------------------ +# REPLICATION +#------------------------------------------------------------------------------ + +# - Master Server - + +# These settings are ignored on a standby server 
+ +#max_wal_senders = 0 # max number of walsender processes + # (change requires restart) +#wal_sender_delay = 1s # walsender cycle time, 1-10000 milliseconds +#wal_keep_segments = 0 # in logfile segments, 16MB each; 0 disables +#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed +#replication_timeout = 60s # in milliseconds; 0 disables +#synchronous_standby_names = '' # standby servers that provide sync rep + # comma-separated list of application_name + # from standby(s); '*' = all + +# - Standby Servers - + +# These settings are ignored on a master server + +#hot_standby = off # "on" allows queries during recovery + # (change requires restart) +#max_standby_archive_delay = 30s # max delay before canceling queries + # when reading WAL from archive; + # -1 allows indefinite delay +#max_standby_streaming_delay = 30s # max delay before canceling queries + # when reading streaming WAL; + # -1 allows indefinite delay +#wal_receiver_status_interval = 10s # send replies at least this often + # 0 disables +#hot_standby_feedback = off # send info from standby to prevent + # query conflicts + + +#------------------------------------------------------------------------------ +# QUERY TUNING +#------------------------------------------------------------------------------ + +# - Planner Method Configuration - + +#enable_bitmapscan = on +#enable_hashagg = on +#enable_hashjoin = on +#enable_indexscan = on +#enable_material = on +#enable_mergejoin = on +#enable_nestloop = on +#enable_seqscan = on +#enable_sort = on +#enable_tidscan = on + +# - Planner Cost Constants - + +#seq_page_cost = 1.0 # measured on an arbitrary scale +#random_page_cost = 4.0 # same scale as above +#cpu_tuple_cost = 0.01 # same scale as above +#cpu_index_tuple_cost = 0.005 # same scale as above +#cpu_operator_cost = 0.0025 # same scale as above +effective_cache_size = <%= node['chef_server']['postgresql']['effective_cache_size'] %> # Default 128MB + +# - Genetic Query Optimizer - + 
+#geqo = on +#geqo_threshold = 12 +#geqo_effort = 5 # range 1-10 +#geqo_pool_size = 0 # selects default based on effort +#geqo_generations = 0 # selects default based on effort +#geqo_selection_bias = 2.0 # range 1.5-2.0 +#geqo_seed = 0.0 # range 0.0-1.0 + +# - Other Planner Options - + +#default_statistics_target = 100 # range 1-10000 +#constraint_exclusion = partition # on, off, or partition +#cursor_tuple_fraction = 0.1 # range 0.0-1.0 +#from_collapse_limit = 8 +#join_collapse_limit = 8 # 1 disables collapsing of explicit + # JOIN clauses + + +#------------------------------------------------------------------------------ +# ERROR REPORTING AND LOGGING +#------------------------------------------------------------------------------ + +# - Where to Log - + +#log_destination = 'stderr' # Valid values are combinations of + # stderr, csvlog, syslog, and eventlog, + # depending on platform. csvlog + # requires logging_collector to be on. + +# This is used when logging to stderr: +#logging_collector = off # Enable capturing of stderr and csvlog + # into log files. Required to be on for + # csvlogs. + # (change requires restart) + +# These are only used if logging_collector is on: +#log_directory = 'pg_log' # directory where log files are written, + # can be absolute or relative to PGDATA +#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern, + # can include strftime() escapes +#log_file_mode = 0600 # creation mode for log files, + # begin with 0 to use octal notation +#log_truncate_on_rotation = off # If on, an existing log file with the + # same name as the new log file will be + # truncated rather than appended to. + # But such truncation only occurs on + # time-driven rotation, not on restarts + # or size-driven rotation. Default is + # off, meaning append to existing files + # in all cases. +#log_rotation_age = 1d # Automatic rotation of logfiles will + # happen after that time. 0 disables. 
+#log_rotation_size = 10MB # Automatic rotation of logfiles will + # happen after that much log output. + # 0 disables. + +# These are relevant when logging to syslog: +#syslog_facility = 'LOCAL0' +#syslog_ident = 'postgres' + +#silent_mode = off # Run server silently. + # DO NOT USE without syslog or + # logging_collector + # (change requires restart) + + +# - When to Log - + +#client_min_messages = notice # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # log + # notice + # warning + # error + +#log_min_messages = warning # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic + +#log_min_error_statement = error # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic (effectively off) + +#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements + # and their durations, > 0 logs only + # statements running at least this number + # of milliseconds + + +# - What to Log - + +#debug_print_parse = off +#debug_print_rewritten = off +#debug_print_plan = off +#debug_pretty_print = on +#log_checkpoints = off +#log_connections = off +#log_disconnections = off +#log_duration = off +#log_error_verbosity = default # terse, default, or verbose messages +#log_hostname = off +#log_line_prefix = '' # special values: + # %a = application name + # %u = user name + # %d = database name + # %r = remote host and port + # %h = remote host + # %p = process ID + # %t = timestamp without milliseconds + # %m = timestamp with milliseconds + # %i = command tag + # %e = SQL state + # %c = session ID + # %l = session line number + # %s = session start timestamp + # %v = virtual transaction ID + # %x = transaction ID (0 if none) + # %q = stop here in non-session + # processes + # %% = '%' + # e.g. 
'<%u%%%d> ' +#log_lock_waits = off # log lock waits >= deadlock_timeout +#log_statement = 'none' # none, ddl, mod, all +#log_temp_files = -1 # log temporary files equal or larger + # than the specified size in kilobytes; + # -1 disables, 0 logs all temp files +#log_timezone = '(defaults to server environment setting)' + + +#------------------------------------------------------------------------------ +# RUNTIME STATISTICS +#------------------------------------------------------------------------------ + +# - Query/Index Statistics Collector - + +#track_activities = on +#track_counts = on +#track_functions = none # none, pl, all +#track_activity_query_size = 1024 # (change requires restart) +#update_process_title = on +#stats_temp_directory = 'pg_stat_tmp' + + +# - Statistics Monitoring - + +#log_parser_stats = off +#log_planner_stats = off +#log_executor_stats = off +#log_statement_stats = off + + +#------------------------------------------------------------------------------ +# AUTOVACUUM PARAMETERS +#------------------------------------------------------------------------------ + +#autovacuum = on # Enable autovacuum subprocess? 'on' + # requires track_counts to also be on. +#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and + # their durations, > 0 logs only + # actions running at least this number + # of milliseconds. 
+#autovacuum_max_workers = 3 # max number of autovacuum subprocesses + # (change requires restart) +#autovacuum_naptime = 1min # time between autovacuum runs +#autovacuum_vacuum_threshold = 50 # min number of row updates before + # vacuum +#autovacuum_analyze_threshold = 50 # min number of row updates before + # analyze +#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum +#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze +#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum + # (change requires restart) +#autovacuum_vacuum_cost_delay = 20ms # default vacuum cost delay for + # autovacuum, in milliseconds; + # -1 means use vacuum_cost_delay +#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for + # autovacuum, -1 means use + # vacuum_cost_limit + + +#------------------------------------------------------------------------------ +# CLIENT CONNECTION DEFAULTS +#------------------------------------------------------------------------------ + +# - Statement Behavior - + +#search_path = '"$user",public' # schema names +#default_tablespace = '' # a tablespace name, '' uses the default +#temp_tablespaces = '' # a list of tablespace names, '' uses + # only default tablespace +#check_function_bodies = on +#default_transaction_isolation = 'read committed' +#default_transaction_read_only = off +#default_transaction_deferrable = off +#session_replication_role = 'origin' +#statement_timeout = 0 # in milliseconds, 0 is disabled +#vacuum_freeze_min_age = 50000000 +#vacuum_freeze_table_age = 150000000 +#bytea_output = 'hex' # hex, escape +#xmlbinary = 'base64' +#xmloption = 'content' + +# - Locale and Formatting - + +datestyle = 'iso, mdy' +#intervalstyle = 'postgres' +#timezone = '(defaults to server environment setting)' +#timezone_abbreviations = 'Default' # Select the set of available time zone + # abbreviations. 
Currently, there are + # Default + # Australia + # India + # You can create your own file in + # share/timezonesets/. +#extra_float_digits = 0 # min -15, max 3 +#client_encoding = sql_ascii # actually, defaults to database + # encoding + +# These settings are initialized by initdb, but they can be changed. +lc_messages = 'C' # locale for system error message + # strings +lc_monetary = 'C' # locale for monetary formatting +lc_numeric = 'C' # locale for number formatting +lc_time = 'C' # locale for time formatting + +# default configuration for text search +default_text_search_config = 'pg_catalog.english' + +# - Other Defaults - + +#dynamic_library_path = '$libdir' +#local_preload_libraries = '' + + +#------------------------------------------------------------------------------ +# LOCK MANAGEMENT +#------------------------------------------------------------------------------ + +#deadlock_timeout = 1s +#max_locks_per_transaction = 64 # min 10 + # (change requires restart) +# Note: Each lock table slot uses ~270 bytes of shared memory, and there are +# max_locks_per_transaction * (max_connections + max_prepared_transactions) +# lock table slots. 
+#max_pred_locks_per_transaction = 64 # min 10
+ # (change requires restart)
+
+#------------------------------------------------------------------------------
+# VERSION/PLATFORM COMPATIBILITY
+#------------------------------------------------------------------------------
+
+# - Previous PostgreSQL Versions -
+
+#array_nulls = on
+#backslash_quote = safe_encoding # on, off, or safe_encoding
+#default_with_oids = off
+#escape_string_warning = on
+#lo_compat_privileges = off
+#quote_all_identifiers = off
+#sql_inheritance = on
+#standard_conforming_strings = on
+#synchronize_seqscans = on
+
+# - Other Platforms and Clients -
+
+#transform_null_equals = off
+
+
+#------------------------------------------------------------------------------
+# ERROR HANDLING
+#------------------------------------------------------------------------------
+
+#exit_on_error = off # terminate session on any error?
+#restart_after_crash = on # reinitialize after backend crash?
+
+
+#------------------------------------------------------------------------------
+# CUSTOMIZED OPTIONS
+#------------------------------------------------------------------------------
+
+#custom_variable_classes = '' # list of custom variable class names
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/sv-postgresql-control-t.erb b/files/gitlab-cookbooks/gitlab/templates/default/sv-postgresql-control-t.erb
new file mode 100644
index 0000000..ac7eb29
--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/templates/default/sv-postgresql-control-t.erb
@@ -0,0 +1,3 @@
+#!/bin/sh
+echo "received TERM from runit, sending INT instead to force quit connections"
+/opt/chef-server/embedded/bin/sv interrupt postgresql
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/sv-postgresql-log-run.erb b/files/gitlab-cookbooks/gitlab/templates/default/sv-postgresql-log-run.erb
new file mode 100644
index 0000000..c8ab3e3
--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/templates/default/sv-postgresql-log-run.erb
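Review bot: `listen_addresses`, `port` and `max_connections` are templated from attributes near the top of this hunk, but `#ssl = off`, `#log_connections = off` and `#log_disconnections = off` are left at their commented-out defaults, so as soon as a non-local `listen_address` is configured, md5 authentication from the `md5_auth_cidr_addresses` hosts happens over plain TCP and no per-connection audit record is written. Templating those three the same way as `listen_address` (for example `log_connections = <%= node['chef_server']['postgresql']['log_connections'] %>`, backed by a new attribute default) would let operators enable them without editing the template; whether the attributes file already carries such keys is outside this hunk. The trust/md5 split itself is decided in `pg_hba.conf.erb` earlier in this patch, so the two templates should be read together.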
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec svlogd -tt <%= @options[:log_directory] %>
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/sv-postgresql-run.erb b/files/gitlab-cookbooks/gitlab/templates/default/sv-postgresql-run.erb
new file mode 100644
index 0000000..67a5a78
--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/templates/default/sv-postgresql-run.erb
@@ -0,0 +1,4 @@
+#!/bin/sh
+exec 2>&1
+exec chpst -P -U <%= node['chef_server']['postgresql']['username'] %> -u <%= node['chef_server']['postgresql']['username'] %> /opt/chef-server/embedded/bin/postgres -D <%= File.join(node['chef_server']['postgresql']['dir'], "data") %>
+
-- libgit2 0.21.2