LILiK
/
lilik_playbook
5
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Playbooks to a new Lilik
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
463 Commits
12 Branches
967 KiB
Tree: a76d3c0d44
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a76d3c0d44'
${ noResults }
lilik_playbook/roles/gitlab/README.md

71 lines
2.4 KiB
Raw Normal View History

Documentation for refactored roles And minor improvements/refactoring
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
5 years ago
Documentation for refactored roles And minor improvements/refactoring
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
5 years ago
Documentation for refactored roles And minor improvements/refactoring
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
Documentation for refactored roles And minor improvements/refactoring
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
Documentation for refactored roles And minor improvements/refactoring
5 years ago
 
  1. # Role: gitlab

  2. 

  3. Set-up a Omnibus GitLab server
  4. 

  5. ## Configuration variables

  6. 

  7. | Name                           | Description                                     |
  8. |--------------------------------|-------------------------------------------------|
  9. | `host_fqdn`                    | [`$hostname.dmz.$domain`]                       |
  10. | `gitlab_ssh_port`              | External SSH port. [`22`]                       |
  11. | `ldap_server`                  | LDAP server fqdn [`'ldap1.dmz.$domain'`]        |
  12. | `ldap_tls_server_ca`           | [`$tls_root_ca`]                                |
  13. | `ldap_domain`                  | LDAP domain, used to derive base dn [`$domain`] |
  14. | `gitlab_enable_https`          | Enable HTTPS. [`false`]                         |
  15. | `gitlab_enable_mattermost`     |                                                 |
  16. | `gitlab_nginx_main_fqdn`       | [`$hostname.$domain`]                           |
  17. | `gitlab_nginx_mattermost_fqdn` | [`mattermost.$domain`]                          |
  18. | `gitlab_nginx_proxy_protocol`  | [`true`]                                        |
  19. | `ldap_admin_dn`                | DN of a LDAP user with admin privileges.        |
  20. | `ldap_admin_pw`                | Bind password of that user.                     |
  21. | `gitlab_initial_root_password` | Available only before initialization.           |
  22. 

  23. **Note**: The Ansible controller must have OpenLDAP properly configured
  24. with root ca set in `~/.ldaprc`.
  25. 

  26. ## Minimal example

  27. 

  28. group_vars/all.yaml:
  29. 

  30. 	---
  31. 	domain: 'example.com'
  32. 	user_ca_keys:
  33. 	  - "ssh-ed25519 ################### CA"
  34. 	tls_root_ca: |
  35. 	  -----BEGIN CERTIFICATE-----
  36. 	  ###########################
  37. 	  -----END CERTIFICATE-----
  38. 

  39. hosts:
  40. 

  41. 	vm_gateway            ansible_host=10.0.2.1   ansible_user=root
  42. 	authorities_request   ansible_host=10.0.1.8   ansible_user=request
  43. 	host1                 ansible_host=10.0.1.1   ansible_user=root
  44. 	ldap1                 ansible_host=10.0.2.2   ansible_user=root ansible_lxc_host=host1
  45. 	gitlab                ansible_host=10.0.2.3   ansible_user=root ansible_lxc_host=host1
  46. 

  47. playbook.yaml:
  48. 

  49. 	---
  50. 	# Configure GitLab on a Physical Host
  51. 	- hosts: 'host1'
  52.       roles:
  53. 	    - role: 'dns_record'
  54. 	    - role: 'reverse_proxy'
  55. 		  hostname: 'projects'
  56. 	    - role: 'gitlab'
  57. 

  58. 

  59. Command line:
  60. 

  61. 	ansible-playbook -i hosts playbook.yaml \
  62. 		-e ldap_admin_dn=<admin_dn> -e \
  63. 		-e ldap_amdin_pw=<admin_pw>
  64. 

  65. 

  66. ## Requirements

  67. 

  68. On Ansible controller:
  69. 

  70. - tasks/ca-dialog.yaml
  71.