LILiK
/
lilik_playbook
5
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Playbooks to a new Lilik
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
354 Commits
12 Branches
967 KiB
Tree: f47d64ba7e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f47d64ba7e'
${ noResults }
lilik_playbook/roles/gitlab/README.md

69 lines
2.1 KiB
Raw Normal View History

Documentation for refactored roles And minor improvements/refactoring
5 years ago
roles/gitlab: initial_root_password
5 years ago
roles/gitlabe: gitlab mattermost added
5 years ago
Documentation for refactored roles And minor improvements/refactoring
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
Documentation for refactored roles And minor improvements/refactoring
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
Documentation for refactored roles And minor improvements/refactoring
5 years ago
 
  1. # Role: gitlab

  2. 

  3. Set-up a Omnibus GitLab server
  4. 

  5. ## Configuration variables

  6. 

  7. | Name                    | Description                                     |
  8. |-------------------------|-------------------------------------------------|
  9. | `server_fqdn`           | [`$hostname.$domain`]                           |
  10. | `ssh_port`              | External SSH port. [`22`]                       |
  11. | `ldap_server`*          | LDAP server fqdn [`'ldap1.dmz.$domain'`]        |
  12. | `ldap_domain`           | LDAP domain, used to derive base dn [`$domain`] |
  13. | `enable_https`          | Enable HTTPS. [`false`]                         |
  14. | `ldap_admin_dn`         | DN of a LDAP user with admin privileges.        |
  15. | `ldap_admin_pw`         | Bind password of that user.                     |
  16. | `initial_root_password` | Available only before initialization.           |
  17. | `mattermost_hostname`   | If defined, creates GitLab Mattermost instance. |
  18. 

  19. **Note**: The Ansible controller must have OpenLDAP properly configured
  20. with root ca set in `~/.ldaprc`.
  21. 

  22. ## Minimal example

  23. 

  24. group_vars/all.yaml:
  25. 

  26. 	---
  27. 	domain: 'example.com'
  28. 	ssl_subject_prefix: '/C=IT/L=Firenze/O=LILiK'
  29. 	x509_suffix: 'o=LILiK,l=Firenze,st=IT'
  30. 	user_ca_keys:
  31. 	  - "ssh-ed25519 ################### CA"
  32. 	ssl_ca_cert: |
  33. 	  -----BEGIN CERTIFICATE-----
  34. 	  ###########################
  35. 	  -----END CERTIFICATE-----
  36. 

  37. hosts:
  38. 

  39. 	vm_gateway            ansible_host=10.0.2.1   ansible_user=root
  40. 	authorities_request   ansible_host=10.0.1.8   ansible_user=request
  41. 	host1                 ansible_host=10.0.1.1   ansible_user=root
  42. 	ldap1                 ansible_host=10.0.2.2   ansible_user=root ansible_lxc_host=host1
  43. 	gitlab                ansible_host=10.0.2.3   ansible_user=root ansible_lxc_host=host1
  44. 

  45. playbook.yaml:
  46. 

  47. 	---
  48. 	# Configure GitLab on a Physical Host
  49. 	- hosts: 'host1'
  50.       roles:
  51. 	    - role: 'dns_record'
  52. 	    - role: 'reverse_proxy'
  53. 		  hostname: 'projects'
  54. 	    - role: 'gitlab'
  55. 

  56. 

  57. Command line:
  58. 

  59. 	ansible-playbook -i hosts playbook.yaml \
  60. 		-e ldap_admin_dn=<admin_dn> -e \
  61. 		-e ldap_amdin_pw=<admin_pw>
  62. 

  63. 

  64. ## Requirements

  65. 

  66. On Ansible controller:
  67. 

  68. - tasks/ca-dialog.yaml
  69.