include:

  - role.common.nginx

  {% if salt['grains.get']('include_secrets', True) %}

  - secrets.role.web_gitlab

  {% endif %}

nginx:

  ng:

    certificates:

      gitlab.infra.opensuse.org:

        public_cert: |

          -----BEGIN CERTIFICATE-----

          MIIEWTCCA0GgAwIBAgIBDDANBgkqhkiG9w0BAQsFADA9MRswGQYDVQQKDBJJTkZS

          QS5PUEVOU1VTRS5PUkcxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAe

          Fw0xNzEwMTkxMjI5MzVaFw0xOTEwMjAxMjI5MzVaMEExGzAZBgNVBAoMEklORlJB

          Lk9QRU5TVVNFLk9SRzEiMCAGA1UEAwwZZ2l0bGFiLmluZnJhLm9wZW5zdXNlLm9y

          ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALWfuMhdJOdrwvu2hCw0

          +bRNl8AADSvdBBokQlwpUvbgITNWR3tkj/KgIEO0ohBC7j+a2L3t3qm5tP8ETdET

          cS96lj1nZ6fTWV1J9qezfpTBRDE3VIK3vykoBqzRMBVq6R4Kajg7SvB9pWRpHBC4

          xm3vPA4AnSN9skPtMMGpqZxFMbpGsirObzr5Rit4tM53gZy7zgS2n22TqMeEsEYv

          d/fHxW2bNLvS5BwX+RU1NhRlNFDPI7BQgCOGzgWrKZeukGfzcOhIXMKtnLPQc/65

          VcGQDRm01ReSBqNbyADuAfbYrFOPyf8V2FlloUG/voM4c5y6WamHv2ZJepel5qxI

          ickCAwEAAaOCAV4wggFaMB8GA1UdIwQYMBaAFKlSimqonCWUWJHsFYnI+g8qlmg/

          MEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcwAYYoaHR0cDovL2lwYS1jYS5pbmZy

          YS5vcGVuc3VzZS5vcmcvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYw

          FAYIKwYBBQUHAwEGCCsGAQUFBwMCMH0GA1UdHwR2MHQwcqA6oDiGNmh0dHA6Ly9p

          cGEtY2EuaW5mcmEub3BlbnN1c2Uub3JnL2lwYS9jcmwvTWFzdGVyQ1JMLmJpbqI0

          pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhv

          cml0eTAdBgNVHQ4EFgQUrqKLD5dYozCI//zl7UW5jYyEkXIwJAYDVR0RBB0wG4IZ

          Z2l0bGFiLmluZnJhLm9wZW5zdXNlLm9yZzANBgkqhkiG9w0BAQsFAAOCAQEAVm3I

          IpSAJovwTDnbDebdPl0+o9QKCYN91B6HXcet05Z+8endi2Nk/vWsa3pClmfo4hgv

          GieObg+fOnjL7JuPXUDf/0/WggaIjGEbk7I8CUubjK3u6AxM2csWBqg0XEL9KdT9

          ScNcNVzHqhrIgO2pz2xImVO03hSLnmsVjTl/ssOsSBbWYSHueT3C7ZJIr4gQ7XDI

          wL0yxP6NShgkEqAUs9QY5GBjm5bsykOj89qgi6Zu8kUJqPYLKkwjZy62cDRvoiQh

          TM0JvF2fa2AjvK0CYcYkIo+Kz1KagM52oQBlZQO7RcEVcW9GfHVMmmj3in5/U45H

          nLpMhv4+wJAh8gJ0oA==

          -----END CERTIFICATE-----

        # private_key included from pillar/secrets/role/web_gitlab.sls

    dh_param:

      gitlab.infra.opensuse.org.dhparams: |

        -----BEGIN DH PARAMETERS-----

        MIIBCAKCAQEA7PJQ8wuX4X5olj1lgscd7NWYCdW2+W/8JmBYQE79qnjKhW9I0lg6

        zigDe6qUh/QonJ9v2rjeoOMa9lFpgee7Hd4QP1ZmS2seaNBVaVBUWaTX/W8Kzi6B

        muks7dMjbkrx4hHzw5A/UK4sXR7o2jkZbSF72hrxL9e2EAD0DTH3cyVJnjbbjxC/

        G44CZVTNZpPk1J9kl00eq19Nx/0tXoa6mS1I4h6+zHS8mg2rZKwWZ+FbpGunGXmE

        V5EOx0TUmcFmCxpdS94+PnFrS78OKpMugJWQNE4hLwZ19+HTzFKRHSoGTUXOZrOk

        QwknZM+Uol0R0oUeo/5zEmN4mfQ1Iv0nCwIBAg==

        -----END DH PARAMETERS-----

    servers:

      managed:

        gitlab.infra.opensuse.org.conf:

          ## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/

          ## Modified from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

          ## Modified from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

          config:

            - upstream gitlab:

                - server:

                    - unix:/srv/www/vhosts/gitlab-ce/tmp/sockets/gitlab.socket

                    - fail_timeout=0

            - upstream gitlab-workhorse:

                - server:

                    - unix:/srv/www/vhosts/gitlab-ce/tmp/sockets/gitlab-workhorse.socket

                    - fail_timeout=0

            - map $http_upgrade $connection_upgrade_gitlab_ssl:

                - default: upgrade

                - "''": close

            ## NGINX 'combined' log format with filtered query strings

            - log_format: gitlab_ssl_access $remote_addr - $remote_user [$time_local] "$request_method $gitlab_ssl_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_ssl_filtered_http_referer" "$http_user_agent"

            ## Remove private_token from the request URI

            # In:  /foo?private_token=unfiltered&authenticity_token=unfiltered&rss_token=unfiltered&...

            # Out: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...

            - map $request_uri $gitlab_ssl_temp_request_uri_1:

                - default: $request_uri

                - ~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$: '"$start$temp=[FILTERED]$rest"'

            ## Remove authenticity_token from the request URI

            # In:  /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...

            # Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...

            - map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2:

                - default: $gitlab_ssl_temp_request_uri_1

                - ~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$: '"$start$temp=[FILTERED]$rest"'

            ## Remove rss_token from the request URI

            # In:  /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...

            # Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=[FILTERED]&...

            - map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri:

                - default: $gitlab_ssl_temp_request_uri_2

                - ~(?i)^(?<start>.*)(?<temp>[\?&]rss[\-_]token)=[^&]*(?<rest>.*)$: '"$start$temp=[FILTERED]$rest"'

            ## A version of the referer without the query string

            - map $http_referer $gitlab_ssl_filtered_http_referer:

                - default: $http_referer

                - ~^(?<temp>.*)\?: $temp

            ## Redirects all HTTP traffic to the HTTPS host

            - server:

                - listen: 0.0.0.0:80

                - listen:

                    - "[::]:80"

                    - ipv6only=on

                    - default_server

                - server_name: gitlab.infra.opensuse.org

                - server_tokens: 'off'

                - return 301: https://$http_host$request_uri

                - access_log:

                    - /var/log/nginx/gitlab_access.log

                    - gitlab_ssl_access

                - error_log: /var/log/nginx/gitlab_error.log

            - server:

                - listen:

                    - 0.0.0.0:443

                    - ssl

                - listen:

                    - "[::]:443"

                    - ipv6only=on

                    - ssl

                    - default_server

                - server_name: gitlab.infra.opensuse.org

                - server_tokens: 'off'

                ## Strong SSL Security

                ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/

                - ssl: 'on'

                - ssl_certificate: /etc/nginx/ssl/gitlab.infra.opensuse.org.crt

                - ssl_certificate_key: /etc/nginx/ssl/gitlab.infra.opensuse.org.key

                # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs

                - ssl_ciphers: '"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"'

                - ssl_protocols:

                    - TLSv1

                    - TLSv1.1

                    - TLSv1.2

                - ssl_prefer_server_ciphers: 'on'

                - ssl_session_cache: shared:SSL:10m

                - ssl_session_timeout: 5m

                - ssl_dhparam: /etc/nginx/ssl/gitlab.infra.opensuse.org.dhparams

                ## [Optional] Enable HTTP Strict Transport Security

                - add_header: Strict-Transport-Security "max-age=31536000; includeSubDomains"

                - access_log:

                    - /var/log/nginx/gitlab_access.log

                    - gitlab_ssl_access

                - error_log: /var/log/nginx/gitlab_error.log

                - location /:

                    - client_max_body_size: 0

                    - gzip: 'off'

                    ## https://github.com/gitlabhq/gitlabhq/issues/694

                    ## Some requests take more than 30 seconds.

                    - proxy_read_timeout: 300

                    - proxy_connect_timeout: 300

                    - proxy_redirect: 'off'

                    - proxy_http_version: 1.1

                    - proxy_set_header: Host $http_host

                    - proxy_set_header: X-Real-IP $remote_addr

                    - proxy_set_header: X-Forwarded-Ssl on

                    - proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for

                    - proxy_set_header: X-Forwarded-Proto $scheme

                    - proxy_set_header: Upgrade $http_upgrade

                    - proxy_set_header: Connection $connection_upgrade_gitlab_ssl

                    - proxy_pass: http://gitlab-workhorse

                - error_page: 404 /404.html

                - error_page: 422 /422.html

                - error_page: 500 /500.html

                - error_page: 502 /502.html

                - error_page: 503 /503.html

                - location ~ ^/(404|422|500|502|503)\.html$:

                    - root: /srv/www/vhosts/gitlab-ce/public

                    - internal

          enabled: True

profile:

  {% set osrelease = salt['grains.get']('osrelease') %}

  {% if osrelease == '42.3' %}

  monitoring:

    check_zypper:

      whitelist:

        - gitaly

        - gitlab-ce

        - gitlab-common

        - gitlab-pages

        - gitlab-shell

        - gitlab-workhorse

        - grpc

        - libgrpc4

        - libprotobuf15

        - libprotoc15

        - libruby2_4-2_4

        - nodejs8

        - ruby2.4

        - ruby2.4-rubygem-RedCloth

        - ruby2.4-rubygem-ace-rails-ap

        - ruby2.4-rubygem-actionmailer-4_2

        - ruby2.4-rubygem-actionpack-4_2

        - ruby2.4-rubygem-actionview-4_2

        - ruby2.4-rubygem-activejob-4_2

        - ruby2.4-rubygem-activemodel-4_2

        - ruby2.4-rubygem-activerecord-4_2

        - ruby2.4-rubygem-activesupport-4_2

        - ruby2.4-rubygem-acts-as-taggable-on

        - ruby2.4-rubygem-addressable

        - ruby2.4-rubygem-akismet

        - ruby2.4-rubygem-allocations

        - ruby2.4-rubygem-arel-6

        - ruby2.4-rubygem-asana

        - ruby2.4-rubygem-asciidoctor

        - ruby2.4-rubygem-asciidoctor-plantuml

        - ruby2.4-rubygem-attr_encrypted

        - ruby2.4-rubygem-attr_required

        - ruby2.4-rubygem-autoprefixer-rails

        - ruby2.4-rubygem-babosa

        - ruby2.4-rubygem-base32

        - ruby2.4-rubygem-batch-loader

        - ruby2.4-rubygem-bcrypt_pbkdf

        - ruby2.4-rubygem-bindata

        - ruby2.4-rubygem-bootstrap_form

        - ruby2.4-rubygem-browser

        - ruby2.4-rubygem-builder

        - ruby2.4-rubygem-bundler

        - ruby2.4-rubygem-carrierwave

        - ruby2.4-rubygem-cause

        - ruby2.4-rubygem-charlock_holmes

        - ruby2.4-rubygem-chronic

        - ruby2.4-rubygem-chronic_duration

        - ruby2.4-rubygem-chunky_png

        - ruby2.4-rubygem-citrus

        - ruby2.4-rubygem-concurrent-ruby

        - ruby2.4-rubygem-concurrent-ruby-ext

        - ruby2.4-rubygem-connection_pool

        - ruby2.4-rubygem-crack

        - ruby2.4-rubygem-crass

        - ruby2.4-rubygem-creole

        - ruby2.4-rubygem-css_parser

        - ruby2.4-rubygem-d3_rails

        - ruby2.4-rubygem-debugger-ruby_core_source

        - ruby2.4-rubygem-deckar01-task_list

        - ruby2.4-rubygem-declarative

        - ruby2.4-rubygem-declarative-option

        - ruby2.4-rubygem-default_value_for

        - ruby2.4-rubygem-devise

        - ruby2.4-rubygem-devise-two-factor

        - ruby2.4-rubygem-diff-lcs

        - ruby2.4-rubygem-diffy

        - ruby2.4-rubygem-domain_name

        - ruby2.4-rubygem-doorkeeper

        - ruby2.4-rubygem-doorkeeper-openid_connect

        - ruby2.4-rubygem-dropzonejs-rails

        - ruby2.4-rubygem-email_reply_trimmer

        - ruby2.4-rubygem-encryptor

        - ruby2.4-rubygem-escape_utils

        - ruby2.4-rubygem-et-orbi

        - ruby2.4-rubygem-excon

        - ruby2.4-rubygem-execjs

        - ruby2.4-rubygem-expression_parser

        - ruby2.4-rubygem-faraday

        - ruby2.4-rubygem-faraday-0.8

        - ruby2.4-rubygem-faraday_middleware

        - ruby2.4-rubygem-fast_gettext

        - ruby2.4-rubygem-ffi

        - ruby2.4-rubygem-flipper

        - ruby2.4-rubygem-flipper-active_record

        - ruby2.4-rubygem-flowdock

        - ruby2.4-rubygem-fog-aliyun

        - ruby2.4-rubygem-fog-aws

        - ruby2.4-rubygem-fog-core

        - ruby2.4-rubygem-fog-google

        - ruby2.4-rubygem-fog-json

        - ruby2.4-rubygem-fog-local

        - ruby2.4-rubygem-fog-openstack

        - ruby2.4-rubygem-fog-rackspace

        - ruby2.4-rubygem-fog-xml

        - ruby2.4-rubygem-font-awesome-rails

        - ruby2.4-rubygem-formatador

        - ruby2.4-rubygem-gemnasium-gitlab-service

        - ruby2.4-rubygem-gemojione

        - ruby2.4-rubygem-gettext

        - ruby2.4-rubygem-gettext_i18n_rails

        - ruby2.4-rubygem-gettext_i18n_rails_js

        - ruby2.4-rubygem-gitaly-proto

        - ruby2.4-rubygem-github-linguist

        - ruby2.4-rubygem-github-markup

        - ruby2.4-rubygem-gitlab-flowdock-git-hook

        - ruby2.4-rubygem-gitlab-grit

        - ruby2.4-rubygem-gitlab-markup

        - ruby2.4-rubygem-gitlab_omniauth-ldap

        - ruby2.4-rubygem-globalid

        - ruby2.4-rubygem-gollum-grit_adapter

        - ruby2.4-rubygem-gollum-lib

        - ruby2.4-rubygem-gollum-rugged_adapter

        - ruby2.4-rubygem-gon

        - ruby2.4-rubygem-google-api-client

        - ruby2.4-rubygem-google-protobuf

        - ruby2.4-rubygem-googleapis-common-protos-types

        - ruby2.4-rubygem-googleauth

        - ruby2.4-rubygem-gpgme

        - ruby2.4-rubygem-grape

        - ruby2.4-rubygem-grape-entity

        - ruby2.4-rubygem-grape-route-helpers

        - ruby2.4-rubygem-grape_logging

        - ruby2.4-rubygem-grpc

        - ruby2.4-rubygem-hamlit

        - ruby2.4-rubygem-hashie

        - ruby2.4-rubygem-hashie-forbidden_attributes

        - ruby2.4-rubygem-health_check

        - ruby2.4-rubygem-hipchat

        - ruby2.4-rubygem-html-pipeline

        - ruby2.4-rubygem-html2text

        - ruby2.4-rubygem-htmlentities

        - ruby2.4-rubygem-http-0.9

        - ruby2.4-rubygem-http-cookie

        - ruby2.4-rubygem-http-form_data

        - ruby2.4-rubygem-httparty

        - ruby2.4-rubygem-httpclient

        - ruby2.4-rubygem-i18n

        - ruby2.4-rubygem-ice_nine

        - ruby2.4-rubygem-influxdb

        - ruby2.4-rubygem-ipaddress

        - ruby2.4-rubygem-jira-ruby

        - ruby2.4-rubygem-jquery-atwho-rails

        - ruby2.4-rubygem-jquery-rails

        - ruby2.4-rubygem-json-1

        - ruby2.4-rubygem-json-jwt

        - ruby2.4-rubygem-jwt

        - ruby2.4-rubygem-kaminari

        - ruby2.4-rubygem-kaminari-actionview

        - ruby2.4-rubygem-kaminari-activerecord

        - ruby2.4-rubygem-kaminari-core

        - ruby2.4-rubygem-kgio

        - ruby2.4-rubygem-kubeclient

        - ruby2.4-rubygem-licensee

        - ruby2.4-rubygem-little-plugger

        - ruby2.4-rubygem-logging

        - ruby2.4-rubygem-lograge

        - ruby2.4-rubygem-loofah

        - ruby2.4-rubygem-mail

        - ruby2.4-rubygem-mail_room

        - ruby2.4-rubygem-memoist

        - ruby2.4-rubygem-method_source

        - ruby2.4-rubygem-mime-types

        - ruby2.4-rubygem-mini_mime

        - ruby2.4-rubygem-mini_portile2

        - ruby2.4-rubygem-mousetrap-rails

        - ruby2.4-rubygem-multi_json

        - ruby2.4-rubygem-multi_xml

        - ruby2.4-rubygem-multipart-post-1.2

        - ruby2.4-rubygem-mustermann

        - ruby2.4-rubygem-mustermann-grape

        - ruby2.4-rubygem-net-ldap

        - ruby2.4-rubygem-net-ssh

        - ruby2.4-rubygem-netrc

        - ruby2.4-rubygem-nokogiri

        - ruby2.4-rubygem-numerizer

        - ruby2.4-rubygem-oauth

        - ruby2.4-rubygem-oauth2

        - ruby2.4-rubygem-octokit

        - ruby2.4-rubygem-oj

        - ruby2.4-rubygem-omniauth

        - ruby2.4-rubygem-omniauth-auth0

        - ruby2.4-rubygem-omniauth-authentiq

        - ruby2.4-rubygem-omniauth-azure-oauth2

        - ruby2.4-rubygem-omniauth-cas3

        - ruby2.4-rubygem-omniauth-facebook

        - ruby2.4-rubygem-omniauth-github

        - ruby2.4-rubygem-omniauth-gitlab

        - ruby2.4-rubygem-omniauth-google-oauth2

        - ruby2.4-rubygem-omniauth-kerberos

        - ruby2.4-rubygem-omniauth-multipassword

        - ruby2.4-rubygem-omniauth-oauth

        - ruby2.4-rubygem-omniauth-oauth2

        - ruby2.4-rubygem-omniauth-oauth2-generic

        - ruby2.4-rubygem-omniauth-saml

        - ruby2.4-rubygem-omniauth-shibboleth

        - ruby2.4-rubygem-omniauth-twitter

        - ruby2.4-rubygem-omniauth_crowd

        - ruby2.4-rubygem-org-ruby

        - ruby2.4-rubygem-orm_adapter

        - ruby2.4-rubygem-os

        - ruby2.4-rubygem-paranoia

        - ruby2.4-rubygem-peek

        - ruby2.4-rubygem-peek-gc

        - ruby2.4-rubygem-peek-host

        - ruby2.4-rubygem-peek-performance_bar

        - ruby2.4-rubygem-peek-pg

        - ruby2.4-rubygem-peek-rblineprof

        - ruby2.4-rubygem-peek-redis

        - ruby2.4-rubygem-peek-sidekiq

        - ruby2.4-rubygem-pg

        - ruby2.4-rubygem-po_to_json

        - ruby2.4-rubygem-posix-spawn

        - ruby2.4-rubygem-premailer

        - ruby2.4-rubygem-premailer-rails

        - ruby2.4-rubygem-prometheus-client-mmap

        - ruby2.4-rubygem-public_suffix

        - ruby2.4-rubygem-puma

        - ruby2.4-rubygem-puma_worker_killer

        - ruby2.4-rubygem-pyu-ruby-sasl

        - ruby2.4-rubygem-rack-1_6

        - ruby2.4-rubygem-rack-accept

        - ruby2.4-rubygem-rack-attack

        - ruby2.4-rubygem-rack-cors

        - ruby2.4-rubygem-rack-oauth2

        - ruby2.4-rubygem-rack-protection

        - ruby2.4-rubygem-rack-proxy

        - ruby2.4-rubygem-rails-4_2

        - ruby2.4-rubygem-rails-dom-testing-1

        - ruby2.4-rubygem-rails-html-sanitizer

        - ruby2.4-rubygem-rails-i18n-4

        - ruby2.4-rubygem-railties-4_2

        - ruby2.4-rubygem-rainbow

        - ruby2.4-rubygem-raindrops

        - ruby2.4-rubygem-rake

        - ruby2.4-rubygem-rb-fsevent

        - ruby2.4-rubygem-rb-inotify

        - ruby2.4-rubygem-rblineprof

        - ruby2.4-rubygem-rbnacl

        - ruby2.4-rubygem-re2

        - ruby2.4-rubygem-recaptcha

        - ruby2.4-rubygem-recursive-open-struct

        - ruby2.4-rubygem-redcarpet

        - ruby2.4-rubygem-redis-3

        - ruby2.4-rubygem-redis-actionpack

        - ruby2.4-rubygem-redis-activesupport

        - ruby2.4-rubygem-redis-namespace

        - ruby2.4-rubygem-redis-rack

        - ruby2.4-rubygem-redis-rails

        - ruby2.4-rubygem-redis-store

        - ruby2.4-rubygem-representable

        - ruby2.4-rubygem-request_store

        - ruby2.4-rubygem-responders

        - ruby2.4-rubygem-rest-client

        - ruby2.4-rubygem-retriable

        - ruby2.4-rubygem-rinku

        - ruby2.4-rubygem-rotp

        - ruby2.4-rubygem-rouge

        - ruby2.4-rubygem-rqrcode

        - ruby2.4-rubygem-rqrcode-rails3

        - ruby2.4-rubygem-ruby-fogbugz

        - ruby2.4-rubygem-ruby-prof

        - ruby2.4-rubygem-ruby-saml

        - ruby2.4-rubygem-ruby_parser

        - ruby2.4-rubygem-rubyntlm

        - ruby2.4-rubygem-rubypants

        - ruby2.4-rubygem-rufus-scheduler

        - ruby2.4-rubygem-rugged

        - ruby2.4-rubygem-sanitize-2.1

        - ruby2.4-rubygem-sass

        - ruby2.4-rubygem-sass-listen

        - ruby2.4-rubygem-sass-rails-5_0

        - ruby2.4-rubygem-sawyer

        - ruby2.4-rubygem-securecompare

        - ruby2.4-rubygem-seed-fu

        - ruby2.4-rubygem-select2-rails

        - ruby2.4-rubygem-sentry-raven

        - ruby2.4-rubygem-settingslogic

        - ruby2.4-rubygem-sexp_processor

        - ruby2.4-rubygem-sidekiq

        - ruby2.4-rubygem-sidekiq-cron

        - ruby2.4-rubygem-sidekiq-limit_fetch

        - ruby2.4-rubygem-signet

        - ruby2.4-rubygem-slack-notifier

        - ruby2.4-rubygem-sprockets

        - ruby2.4-rubygem-sprockets-rails

        - ruby2.4-rubygem-state_machines

        - ruby2.4-rubygem-state_machines-activemodel

        - ruby2.4-rubygem-state_machines-activerecord

        - ruby2.4-rubygem-stringex

        - ruby2.4-rubygem-sys-filesystem

        - ruby2.4-rubygem-temple

        - ruby2.4-rubygem-thor

        - ruby2.4-rubygem-thread_safe

        - ruby2.4-rubygem-tilt

        - ruby2.4-rubygem-timfel-krb5-auth

        - ruby2.4-rubygem-toml-rb

        - ruby2.4-rubygem-truncato

        - ruby2.4-rubygem-tzinfo

        - ruby2.4-rubygem-u2f

        - ruby2.4-rubygem-uber

        - ruby2.4-rubygem-uglifier

        - ruby2.4-rubygem-unf

        - ruby2.4-rubygem-unf_ext

        - ruby2.4-rubygem-unicorn

        - ruby2.4-rubygem-unicorn-worker-killer

        - ruby2.4-rubygem-url_safe_base64

        - ruby2.4-rubygem-validates_hostname

        - ruby2.4-rubygem-version_sorter

        - ruby2.4-rubygem-vmstat

        - ruby2.4-rubygem-warden

        - ruby2.4-rubygem-webpack-rails

        - ruby2.4-rubygem-wikicloth

        - ruby2.4-stdlib

  {% endif %}

  web:

    server:

      nginx:

        csr:

          gitlab.infra.opensuse.org: |

            -----BEGIN CERTIFICATE REQUEST-----

            MIIDGzCCAgMCAQAwgZ4xCzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdCYXZhcmlhMRIw

            EAYDVQQHDAlOdXJlbWJlcmcxETAPBgNVBAoMCG9wZW5TVVNFMQ8wDQYDVQQLDAZI

            ZXJvZXMxIjAgBgNVBAMMGWdpdGxhYi5pbmZyYS5vcGVuc3VzZS5vcmcxITAfBgkq

            hkiG9w0BCQEWEmFkbWluQG9wZW5zdXNlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQAD

            ggEPADCCAQoCggEBALWfuMhdJOdrwvu2hCw0+bRNl8AADSvdBBokQlwpUvbgITNW

            R3tkj/KgIEO0ohBC7j+a2L3t3qm5tP8ETdETcS96lj1nZ6fTWV1J9qezfpTBRDE3

            VIK3vykoBqzRMBVq6R4Kajg7SvB9pWRpHBC4xm3vPA4AnSN9skPtMMGpqZxFMbpG

            sirObzr5Rit4tM53gZy7zgS2n22TqMeEsEYvd/fHxW2bNLvS5BwX+RU1NhRlNFDP

            I7BQgCOGzgWrKZeukGfzcOhIXMKtnLPQc/65VcGQDRm01ReSBqNbyADuAfbYrFOP

            yf8V2FlloUG/voM4c5y6WamHv2ZJepel5qxIickCAwEAAaA3MDUGCSqGSIb3DQEJ

            DjEoMCYwJAYDVR0RBB0wG4IZZ2l0bGFiLmluZnJhLm9wZW5zdXNlLm9yZzANBgkq

            hkiG9w0BAQsFAAOCAQEAGJ+RU/bwMTZ+/rkCibJD3Ylp+UUBm0qvFTFkEtkptrM2

            5/im/ogEPgYZnJNBlU+lTba7XL3uyG+eX3A3n8aX9wJE7DMYB7x1qZGkUppd0zIG

            myRBZlZUBxtGtOLGW5+AcpjHdqk5aeLjaWz3PaX3WD7QnAYx7XWPJMdcFVzzwPoO

            M+mSd9H9RUx9HOYy2Wolxg+Mx05mvBrTHoTYsgSBhrmSNLVbA7ZgvAx+cc4vh9Q0

            6NaN7mDmnbT1CVSlQ43o0pRpUIwa9NGD7DQ/Ccrw0FevD/7szXa9KZvXhHdqS7BP

            PJKOVLf4VbNDRGmkks0fst/NNdNuXRlS4lZMePi6pQ==

            -----END CERTIFICATE REQUEST-----