LILiK
/
lilik_playbook
5
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Playbooks to a new Lilik
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
467 Commits
12 Branches
967 KiB
Tree: 6c9e2fb272
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6c9e2fb272'
${ noResults }
lilik_playbook/roles/gitlab/tasks/main.yaml

131 lines
3.7 KiB
Raw Normal View History

use gitlab from debian repositories, temp vm name: projects2
7 years ago
roles/gitlab: move to omnibus release - Move to omnibus release, with NGINX ang pgSQL managed by GitLab configuration utilities. - Move from anonymous to authenticated LDAP bind.
5 years ago
roles/gitlab: update cache after apt
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
roles/gitlab: move to omnibus release - Move to omnibus release, with NGINX ang pgSQL managed by GitLab configuration utilities. - Move from anonymous to authenticated LDAP bind.
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
roles/gitlab: move to omnibus release - Move to omnibus release, with NGINX ang pgSQL managed by GitLab configuration utilities. - Move from anonymous to authenticated LDAP bind.
5 years ago
roles/gitlab: update cache after apt
5 years ago
roles/gitlab: move to omnibus release - Move to omnibus release, with NGINX ang pgSQL managed by GitLab configuration utilities. - Move from anonymous to authenticated LDAP bind.
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
roles/gitlab: move to omnibus release - Move to omnibus release, with NGINX ang pgSQL managed by GitLab configuration utilities. - Move from anonymous to authenticated LDAP bind.
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
roles/gitlab: move to omnibus release - Move to omnibus release, with NGINX ang pgSQL managed by GitLab configuration utilities. - Move from anonymous to authenticated LDAP bind.
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
5 years ago
roles/gitlab: move to omnibus release - Move to omnibus release, with NGINX ang pgSQL managed by GitLab configuration utilities. - Move from anonymous to authenticated LDAP bind.
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
use gitlab from debian repositories, temp vm name: projects2
7 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
roles/gitlab: move to omnibus release - Move to omnibus release, with NGINX ang pgSQL managed by GitLab configuration utilities. - Move from anonymous to authenticated LDAP bind.
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
use gitlab from debian repositories, temp vm name: projects2
7 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
roles/gitlab: move to omnibus release - Move to omnibus release, with NGINX ang pgSQL managed by GitLab configuration utilities. - Move from anonymous to authenticated LDAP bind.
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
5 years ago
roles/gitlab: move to omnibus release - Move to omnibus release, with NGINX ang pgSQL managed by GitLab configuration utilities. - Move from anonymous to authenticated LDAP bind.
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
roles/gitlab: move to omnibus release - Move to omnibus release, with NGINX ang pgSQL managed by GitLab configuration utilities. - Move from anonymous to authenticated LDAP bind.
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
add gitlab roles
8 years ago
roles/gitlab: move to omnibus release - Move to omnibus release, with NGINX ang pgSQL managed by GitLab configuration utilities. - Move from anonymous to authenticated LDAP bind.
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
roles/gitlab: move to omnibus release - Move to omnibus release, with NGINX ang pgSQL managed by GitLab configuration utilities. - Move from anonymous to authenticated LDAP bind.
5 years ago
roles/gitlab: configure ocsp stapling correctly
5 years ago
roles/gitlab: move to omnibus release - Move to omnibus release, with NGINX ang pgSQL managed by GitLab configuration utilities. - Move from anonymous to authenticated LDAP bind.
5 years ago
roles/gitlab: new monitoring format
5 years ago
add missing tasks name
5 years ago
roles/gitlab: new monitoring format
5 years ago
roles/gitlab: advanced http monitoring
5 years ago
add missing tasks name
5 years ago
roles/gitlab: new monitoring format
5 years ago
roles/gitlab: advanced http monitoring
5 years ago
roles/gitlab: new monitoring format
5 years ago
roles/gitlab: advanced http monitoring
5 years ago
roles/gitlab: new monitoring format
5 years ago
roles/gitlab: advanced http monitoring
5 years ago
monitoring: new host template
5 years ago
roles/gitlab: advanced http monitoring
5 years ago
roles/gitlab: new monitoring format
5 years ago
roles/gitlab: advanced http monitoring
5 years ago
roles/gitlab: new monitoring format
5 years ago
 
  1. # see /usr/share/doc/gitlab/README.Debian.gz

  2. # for instruction on how to migrate and reset root password

  3. 

  4. - name: 'install gnupg and ca-cert'

  5.   apt:

  6.     pkg:

  7.       - 'gnupg'

  8.       - 'ca-certificates'

  9.     state: 'present'

  10.     update_cache: true

  11.     cache_valid_time: 3600

  12.   tags:

  13.     - 'packages'

  14. 

  15. - name: 'add gitlab gnupg key to apt'

  16.   apt_key:

  17.     id: 'F6403F6544A38863DAA0B6E03F01618A51312F3F'

  18.     url: 'https://packages.gitlab.com/gpg.key'

  19.     state: 'present'

  20.   tags:

  21.     - 'packages'

  22. 

  23. - name: 'add gitlab apt repos'

  24.   apt_repository:

  25.     repo: '{{ item }}'

  26.     state: 'present'

  27.     update_cache: true

  28.   loop:

  29.     - 'deb https://packages.gitlab.com/gitlab/gitlab-ce/debian/ buster main'

  30.     - 'deb-src https://packages.gitlab.com/gitlab/gitlab-ce/debian/ buster main'

  31.   tags:

  32.     - 'packages'

  33. 

  34. - name: 'install gitlab'

  35.   apt:

  36.     pkg: 'gitlab-ce'

  37.     state: 'present'

  38.     update_cache: true

  39.     cache_valid_time: 3600

  40.   tags:

  41.     - 'packages'

  42. 

  43. - name: 'load ldap server ca'

  44.   copy:

  45.     content: '{{ ldap_tls_server_ca }}'

  46.     dest: '/etc/gitlab/ldap_server_ca.crt'

  47.   tags:

  48.     - 'tls_int'

  49. 

  50. - name: 'generate gitlab ldap password'

  51.   gen_passwd: 'length=32'

  52.   register: 'gitlab_ldap_passwd'

  53.   no_log: true

  54.   tags:

  55.     - 'tls_int'

  56.     - 'service_password'

  57. 

  58. - name: 'set gitlab ldap password'

  59.   delegate_to: 'localhost'

  60.   ldap_passwd:

  61.     dn: 'cn={{ host_fqdn }},ou=Server,{{ ldap_basedn }}'

  62.     passwd: '{{ gitlab_ldap_passwd.passwd }}'

  63.     server_uri: 'ldap://{{ ldap_server }}'

  64.     start_tls: true

  65.     bind_dn: '{{ ldap_admin_dn }}'

  66.     bind_pw: '{{ ldap_admin_pw }}'

  67.   no_log: true

  68.   tags:

  69.     - 'tls_int'

  70.     - 'service_password'

  71. 

  72. - name: 'update gitlab configuration'

  73.   template:

  74.       src: 'gitlab.rb.j2'

  75.       dest: '/etc/gitlab/gitlab.rb'

  76.   notify: 'reconfigure gitlab'

  77.   tags:

  78.     - 'tls_int'

  79.     - 'service_password'

  80. 

  81. - name: 'upload letsencrypt ca for ocsp stapling verification'

  82.   get_url:

  83.     url: 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt'

  84.     dest: '/etc/gitlab/ssl/chain.crt'

  85. 

  86. - name: 'patch gitlab to run in lxc'

  87.   lineinfile:

  88.     path: '/opt/gitlab/embedded/cookbooks/package/resources/gitlab_sysctl.rb'

  89.     insertafter: '^    command "sysctl -e --system"\n'

  90.     line: '    ignore_failure true'

  91.   notify: 'reconfigure gitlab'

  92. 

  93. 

  94. - name: 'MONITORING | add HTTP services'

  95.   block:

  96.     - name: 'MONITORING | add HTTP/gitlab to monitored service'

  97.       set_fact:

  98.         monitoring_vhosts: '{{ monitoring_vhosts + [gitlab_nginx_main_fqdn] }}'

  99.       when: gitlab_enable_https

  100.     - name: 'MONITORING | add HTTP/mattermost to monitored service'

  101.       set_fact:

  102.         monitoring_vhosts: '{{ monitoring_vhosts + [gitlab_nginx_mattermost_fqdn] }}'

  103.         when: gitlab_enable_mattermost

  104.     - name: 'MONITORING | add vhosts to host monitoring entry'

  105.       set_fact:

  106.         monitoring_entry: >

  107.           {{ monitoring_entry | default({}) | combine({

  108.                'address': ansible_host,

  109.                'vhosts': monitoring_vhosts,

  110.                }) }}

  111.     - name: 'MONITORING | add vhosts_uri to host monitoring entry'

  112.       set_fact:

  113.         monitoring_entry: >

  114.           {{ monitoring_entry | default({}) | combine({

  115.                'address': ansible_host,

  116.                'vhosts_uri': { gitlab_nginx_main_fqdn: {'/': { 'content': 'Sign in · GitLab'} },

  117.                                gitlab_nginx_mattermost_fqdn: { '/': { 'content': '<title>Mattermost</title>' } } },

  118.                }, recursive=true) }}

  119.     - name: 'MONITORING | update monitoring facts'

  120.       set_fact:

  121.         monitoring_facts: >

  122.           {{ hostvars[monitoring_host]['monitoring_facts']

  123.                | default({})

  124.                | combine({host_fqdn: monitoring_entry}) }}

  125.       delegate_facts: true

  126.       delegate_to: '{{ monitoring_host }}'

  127.   tags:

  128.     - 'monitoring'

  129. ...

  130. 

  131.