From 7fafe2314d97af5bf2f0bd7f1f403651a287022e Mon Sep 17 00:00:00 2001 From: Andrea Cimbalo Date: Sat, 12 Aug 2017 19:16:36 +0200 Subject: [PATCH] use gitlab from debian repositories, temp vm name: projects2 --- projects.yaml | 15 +- roles/gitlab/defaults/main.yaml | 3 + roles/gitlab/handlers/main.yaml | 2 - roles/gitlab/meta/main.yaml | 4 +- roles/gitlab/tasks/main.yaml | 90 ++-- roles/gitlab/templates/gitlab.conf.nginx.j2 | 54 --- roles/gitlab/templates/gitlab.yml.j2 | 440 ++++++++++++++++++++ roles/gitlab/templates/gitlab.yml.orig | 437 +++++++++++++++++++ roles/gitlab/templates/my-gitlab.rb.j2 | 40 -- roles/gitlab/templates/my-gitlab.yml.j2 | 24 ++ roles/gitlab/vars/main.yml | 2 - 11 files changed, 941 insertions(+), 170 deletions(-) create mode 100644 roles/gitlab/defaults/main.yaml delete mode 100644 roles/gitlab/handlers/main.yaml delete mode 100644 roles/gitlab/templates/gitlab.conf.nginx.j2 create mode 100644 roles/gitlab/templates/gitlab.yml.j2 create mode 100644 roles/gitlab/templates/gitlab.yml.orig delete mode 100644 roles/gitlab/templates/my-gitlab.rb.j2 create mode 100644 roles/gitlab/templates/my-gitlab.yml.j2 delete mode 100644 roles/gitlab/vars/main.yml diff --git a/projects.yaml b/projects.yaml index 0aa7456..7ccdf8d 100644 --- a/projects.yaml +++ b/projects.yaml @@ -1,13 +1,14 @@ --- -- hosts: biff +- hosts: emmett roles: - role: lxc_guest - vm_name: projects - # distro: sid + vm_name: projects2 - role: ssh_server ansible_connection: lxc_ssh - ansible_docker_extra_args: projects -- hosts: projects + ansible_docker_extra_args: projects2 +- hosts: projects2 roles: - - role: dns_record - - role: gitlab + - role: dns_record + - role: reverse_proxy + hostname: projects2 + - role: gitlab diff --git a/roles/gitlab/defaults/main.yaml b/roles/gitlab/defaults/main.yaml new file mode 100644 index 0000000..fa69837 --- /dev/null +++ b/roles/gitlab/defaults/main.yaml 
@@ -0,0 +1,3 @@ +fqdn: '{{ ansible_hostname }}.lilik.it' +ssh_port: 8022 +ldap_server: ldap.dmz.lilik diff --git a/roles/gitlab/handlers/main.yaml b/roles/gitlab/handlers/main.yaml deleted file mode 100644 index c4fa6c9..0000000 --- a/roles/gitlab/handlers/main.yaml +++ /dev/null @@ -1,2 +0,0 @@ -- name: restart gitlab-ce - shell: gitlab-ctl restart diff --git a/roles/gitlab/meta/main.yaml b/roles/gitlab/meta/main.yaml index a943e7f..1d992e9 100644 --- a/roles/gitlab/meta/main.yaml +++ b/roles/gitlab/meta/main.yaml @@ -2,4 +2,6 @@ dependencies: - role: postgresql - role: nginx - parent_role_path: "gitlab" + is_proxy: true + remote_host: "http://unix:/run/gitlab/gitlab-workhorse.socket" + server_fqdn: '{{ fqdn }}' diff --git a/roles/gitlab/tasks/main.yaml b/roles/gitlab/tasks/main.yaml index 43c13f5..e649139 100644 --- a/roles/gitlab/tasks/main.yaml +++ b/roles/gitlab/tasks/main.yaml 
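Review bot: The nginx dependency is now driven only by `is_proxy`, `remote_host` and `server_fqdn`, but the site file this commit deletes (roles/gitlab/templates/gitlab.conf.nginx.j2) also set `client_max_body_size 0;`, `proxy_read_timeout 3600;` and `proxy_http_version 1.1;` for the GitLab location; if the nginx role's proxy template does not carry equivalents, large pushes over HTTP and long clone requests will fail against nginx's stock limits. I can't see the nginx role from here, so either confirm it sets those or pass them as role variables next to `remote_host`. As a wording point, `remote_host: "http://unix:/run/gitlab/gitlab-workhorse.socket"` is a full proxy_pass target rather than a host, so a one-line comment such as `# proxy_pass target: gitlab-workhorse listens on a unix socket, not a TCP port` would help the next reader.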
@@ -1,65 +1,27 @@ -- name: install apt-transport-https package - apt: - name: "{{ item }}" - state: present - update_cache: yes - cache_valid_time: 3600 - with_items: - - apt-transport-https - -- name: add gitlab omnibus apt key - apt_key: - url: https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey - state: present - -- name: add gitlab omnibus repository - apt_repository: - repo: 'deb https://packages.gitlab.com/gitlab/gitlab-ce/debian/ jessie main' - state: present - -- name: install gitlab package - apt: - name: "{{ item }}" - state: present - update_cache: yes - cache_valid_time: 3600 - with_items: - - gitlab-ce - -- block: - - name: create gitlab DB - postgresql_db: - name: gitlabhq_production - - name: create gitlab DB user - postgresql_user: - name: gitlab-psql - # password: "{{ password }}" - db: gitlabhq_production - priv: ALL - role_attr_flags: SUPERUSER - become: true - become_method: su - become_user: postgres - -# - name: copy lilik-150x54.png -# copy: -# src: lilik-150x54.png -# dest: /usr/share/roundcube/skins/classic/images/ - -- name: copy my-gitlab.rb +# see /usr/share/doc/gitlab/README.Debian.gz +# for instruction on how to migrate and reset root password + +- name: configure gitlab (fqdn) + debconf: + name: 'gitlab' + question: 'gitlab/fqdn' + vtype: 'string' + value: '{{ fqdn }}' + +- include_role: + name: service + vars: + service_name: gitlab + service_packages: + - gitlab + +- name: remove debian nginx configuration + file: + path: '/etc/nginx/sites-enabled/{{ fqdn }}' + state: absent + +- name: copy my-gitlab.yml template: - src: "my-gitlab.rb.j2" - dest: "/etc/gitlab/my-gitlab.rb" - mode: 0600 - notify: restart gitlab-ce - -- name: include my-gitlab.rb - lineinfile: - dest: /etc/gitlab/gitlab.rb - insertafter: EOF - line: eval File.open('/etc/gitlab/my-gitlab.rb').read - notify: restart gitlab-ce - -- name: reconfigure gitlab-ce - shell: gitlab-ctl reconfigure - notify: restart gitlab-ce + src: "gitlab.yml.j2" + dest: 
"/etc/gitlab/gitlab.yml" + notify: restart gitlab diff --git a/roles/gitlab/templates/gitlab.conf.nginx.j2 b/roles/gitlab/templates/gitlab.conf.nginx.j2 deleted file mode 100644 index 7ad7b91..0000000 --- a/roles/gitlab/templates/gitlab.conf.nginx.j2 +++ /dev/null @@ -1,54 +0,0 @@ -#upstream gitlab { -# server unix:/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket; -# proxy_pass http://localhost:8080; -#} - -server { - listen *:80; - - - server_name projects.lilik.it; - - client_max_body_size 0; - - -#location ~* \.(git) { -# proxy_read_timeout 300; -# proxy_connect_timeout 300; -# proxy_redirect off; - -# proxy_set_header X-Forwarded-Proto $scheme; -# proxy_set_header Host $http_host; -# proxy_set_header X-Real-IP $remote_addr; -# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -# proxy_set_header X-Frame-Options SAMEORIGIN; -# proxy_pass http://gitlab; -# proxy_pass http://localhost:8080; -#} - - location / { - ## If you use HTTPS make sure you disable gzip compression - ## to be safe against BREACH attack. - - - ## https://github.com/gitlabhq/gitlabhq/issues/694 - ## Some requests take more than 30 seconds. - proxy_read_timeout 3600; - proxy_connect_timeout 300; - proxy_redirect off; - - proxy_http_version 1.1; - - proxy_set_header Host projects.leader.lilik.it; - proxy_set_header X-Forwarded-Host ""; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto http; - - proxy_pass http://localhost:8181; - proxy_hide_header Content-Security-Policy; - proxy_hide_header X-Frame-Options; - } - - -} diff --git a/roles/gitlab/templates/gitlab.yml.j2 b/roles/gitlab/templates/gitlab.yml.j2 new file mode 100644 index 0000000..4473f84 --- /dev/null +++ b/roles/gitlab/templates/gitlab.yml.j2 
@@ -0,0 +1,440 @@ +# # # # # # # # # # # # # # # # # # +# GitLab application config file # +# # # # # # # # # # # # # # # # # # +# +########################### NOTE ##################################### +# This file should not receive new settings. All configuration options # +# that do not require an application restart are being moved to # +# ApplicationSetting model! # +# If you change this file in a Merge Request, please also create # +# a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests # +######################################################################## +# +# +# How to use: +# 1. Copy file as gitlab.yml +# 2. Update gitlab -> host with your fully qualified domain name +# 3. Update gitlab -> email_from +# 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git +# IMPORTANT: If Git was installed in a different location use that instead. +# You can check with `which git`. If a wrong path of Git is specified, it will +# result in various issues such as failures of GitLab CI builds. +# 5. Review this configuration file for other settings you may want to adjust + +# For Debian specific changes: See /usr/share/doc/README.Debian + +production: &base + # + # 1. GitLab app settings + # ========================== + + ## GitLab settings + gitlab: + ## Web server settings (note: host is the FQDN, do not include http://) + # Using environmental variables from /etc/gitlab/gitlab-debian.conf + host: {{ fqdn }} + #port: 80 # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details + https: false # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details + + # Uncommment this line below if your ssh host is different from HTTP/HTTPS one + # (you'd obviously need to replace ssh.host_example.com with your own host). 
+ # Otherwise, ssh host will be set to the `host:` value above + # ssh_host: ssh.host_example.com + + # WARNING: See config/application.rb under "Relative url support" for the list of + # other files that need to be changed for relative url support + # relative_url_root: /gitlab + + # Uncomment and customize if you can't use the default user to run GitLab (default: 'git') + user: gitlab #gitlab_user (DON'T REMOVE THIS COMMENT) + user_home: /var/lib/gitlab + + ## Date & Time settings + # Uncomment and customize if you want to change the default time zone of GitLab application. + # To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production` + # time_zone: 'UTC' + + ## Email settings + # Uncomment and set to false if you need to disable email sending from GitLab (default: true) + # email_enabled: true + # Email address used in the "From" field in mails sent by GitLab + # Using environmental variables from /etc/gitlab/gitlab-debian.conf + # email_from: example@example.com + # email_display_name: GitLab + # email_reply_to: noreply@example.com + + # Email server smtp settings are in config/initializers/smtp_settings.rb.sample + + # default_can_create_group: false # default: true + # username_changing_enabled: false # default: true - User can change her username/namespace + ## Default theme ID + ## 1 - Graphite + ## 2 - Charcoal + ## 3 - Green + ## 4 - Gray + ## 5 - Violet + ## 6 - Blue + # default_theme: 2 # default: 2 + + ## Automatic issue closing + # If a commit message matches this regular expression, all issues referenced from the matched text will be closed. + # This happens when the commit is pushed or merged into the default branch of a project. + # When not specified the default issue_closing_pattern as specified below will be used. + # Tip: you can test your closing pattern at http://rubular.com. + # issue_closing_pattern: '((?:[Cc]los(?:e[sd]?|ing)|[Ff]ix(?:e[sd]|ing)?) +(?:(?:issues? 
+)?#\d+(?:(?:, *| +and +)?))+)' + + ## Default project features settings + default_projects_features: + issues: true + merge_requests: true + wiki: true + snippets: true + + ## Webhook settings + # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10) + # webhook_timeout: 10 + + ## Repository downloads directory + # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory. + # The default is 'tmp/repositories' relative to the root of the Rails app. + # repository_downloads_path: tmp/repositories + + ## Reply by email + # Allow users to comment on issues and merge requests by replying to notification emails. + # For documentation on how to set this up, see http://doc.gitlab.com/ce/incoming_email/README.html + incoming_email: + enabled: false + address: "incoming+%{key}@gitlab.example.com" + + ## Gravatar + ## For Libravatar see: http://doc.gitlab.com/ce/customization/libravatar.html + gravatar: + enabled: false # Use user avatar image from Gravatar.com (default: true) + # gravatar urls: possible placeholders: %{hash} %{size} %{email} + # plain_url: "http://..." # default: http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon + # ssl_url: "https://..." # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon + + # + # 2. GitLab CI settings + # ========================== + + gitlab_ci: + # Default project notifications settings: + # + # Send emails only on broken builds (default: true) + # all_broken_builds: true + # + # Add pusher to recipients list (default: false) + # add_pusher: true + + # The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root + # builds_path: builds/ + + # + # 3. 
Auth settings + # ========================== + + ## LDAP settings + # You can inspect a sample of the LDAP users with login access by running: + # bundle exec rake gitlab:ldap:check RAILS_ENV=production + ldap: + enabled: true + servers: + ########################################################################## + # + # Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab + # Enterprise Edition now supports connecting to multiple LDAP servers. + # + # If you are updating from the old (pre-7.4) syntax, you MUST give your + # old server the ID 'main'. + # + ########################################################################## + main: # 'main' is the GitLab 'provider ID' of this LDAP server + ## label + # + # A human-friendly name for your LDAP server. It is OK to change the label later, + # for instance if you find out it is too large to fit on the web page. + # + # Example: 'Paris' or 'Acme, Ltd.' + label: 'LDAP' + + host: '{{ ldap_server }}' + port: 389 + uid: 'uid' + method: 'plain' # "tls" or "ssl" or "plain" + #bind_dn: '_the_full_dn_of_the_user_you_will_bind_with' + #password: '_the_password_of_the_bind_user' + + # This setting specifies if LDAP server is Active Directory LDAP server. + # For non AD servers it skips the AD specific queries. + # If your LDAP server is not AD, set this to false. + active_directory: false + + # If allow_username_or_email_login is enabled, GitLab will ignore everything + # after the first '@' in the LDAP username submitted by the user on login. + # + # Example: + # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials; + # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'. + # + # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to + # disable this setting, because the userPrincipalName contains an '@'. 
+ allow_username_or_email_login: true + + # To maintain tight control over the number of active users on your GitLab installation, + # enable this setting to keep new users blocked until they have been cleared by the admin + # (default: false). + block_auto_created_users: false + + # Base where we can search for users + # + # Ex. ou=People,dc=gitlab,dc=example + # + base: 'o=People,dc=lilik,dc=it' + + # Filter LDAP users + # + # Format: RFC 4515 http://tools.ietf.org/search/rfc4515 + # Ex. (employeeType=developer) + # + # Note: GitLab does not support omniauth-ldap's custom filter syntax. + # + user_filter: '(memberOf=cn=projects,o=Group,dc=lilik,dc=it)' + + # LDAP attributes that GitLab will use to create an account for the LDAP user. + # The specified attribute can either be the attribute name as a string (e.g. 'mail'), + # or an array of attribute names to try in order (e.g. ['mail', 'email']). + # Note that the user's LDAP login will always be the attribute specified as `uid` above. + attributes: + # The username will be used in paths for the user's own projects + # (like `gitlab.example.com/username/project`) and when mentioning + # them in issues, merge request and comments (like `@username`). + # If the attribute specified for `username` contains an email address, + # the GitLab username will be the part of the email address before the '@'. + username: ['uid', 'userid', 'sAMAccountName'] + email: ['mail', 'email', 'userPrincipalName'] + + # If no full name could be found at the attribute specified for `name`, + # the full name is determined using the attributes specified for + # `first_name` and `last_name`. + name: 'cn' + first_name: 'givenName' + last_name: 'sn' + + group_base: 'o=Group,dc=lilik,dc=it' + admin_group: 'admin' + + # GitLab EE only: add more LDAP servers + # Choose an ID made of a-z and 0-9 . This ID will be stored in the database + # so that GitLab can remember which LDAP server a user belongs to. + # uswest2: + # label: + # host: + # .... 
+ + + ## OmniAuth settings + omniauth: + # Allow login via Twitter, Google, etc. using OmniAuth providers + enabled: false + + # Uncomment this to automatically sign in with a specific omniauth provider's without + # showing GitLab's sign-in page (default: show the GitLab sign-in page) + # auto_sign_in_with_provider: saml + + # CAUTION! + # This allows users to login without having a user account first (default: false). + # User accounts will be created automatically when authentication was successful. + allow_single_sign_on: false + # Locks down those users until they have been cleared by the admin (default: true). + block_auto_created_users: true + # Look up new users in LDAP servers. If a match is found (same uid), automatically + # link the omniauth identity with the LDAP account. (default: false) + auto_link_ldap_user: false + + ## Auth providers + # Uncomment the following lines and fill in the data of the auth provider you want to use + # If your favorite auth provider is not listed you can use others: + # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations + # The 'app_id' and 'app_secret' parameters are always passed as the first two + # arguments, followed by optional 'args' which can be either a hash or an array. 
+ # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html + providers: + # - { name: 'google_oauth2', + # label: 'Google', + # app_id: 'YOUR_APP_ID', + # app_secret: 'YOUR_APP_SECRET', + # args: { access_type: 'offline', approval_prompt: '' } } + # - { name: 'twitter', + # app_id: 'YOUR_APP_ID', + # app_secret: 'YOUR_APP_SECRET' } + # - { name: 'github', + # label: 'GitHub', + # app_id: 'YOUR_APP_ID', + # app_secret: 'YOUR_APP_SECRET', + # args: { scope: 'user:email' } } + # - { name: 'gitlab', + # label: 'GitLab.com', + # app_id: 'YOUR_APP_ID', + # app_secret: 'YOUR_APP_SECRET', + # args: { scope: 'api' } } + # - { name: 'bitbucket', + # app_id: 'YOUR_APP_ID', + # app_secret: 'YOUR_APP_SECRET' } + # - { name: 'saml', + # label: 'Our SAML Provider', + # args: { + # assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback', + # idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8', + # idp_sso_target_url: 'https://login.example.com/idp', + # issuer: 'https://gitlab.example.com', + # name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' + # } } + # - { name: 'crowd', + # args: { + # crowd_server_url: 'CROWD SERVER URL', + # application_name: 'YOUR_APP_NAME', + # application_password: 'YOUR_APP_PASSWORD' } } + + + + + # + # 4. 
Advanced settings + # ========================== + + # GitLab Satellites + satellites: + # Relative paths are relative to Rails.root (default: tmp/repo_satellites/) + path: /home/git/gitlab-satellites/ + timeout: 30 + + ## Backup settings + backup: + path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/) + # archive_permissions: 0640 # Permissions for the resulting backup.tar file (default: 0600) + # keep_time: 604800 # default: 0 (forever) (in seconds) + # pg_schema: public # default: nil, it means that all schemas will be backed up + # upload: + # # Fog storage connection settings, see http://fog.io/storage/ . + # connection: + # provider: AWS + # region: eu-west-1 + # aws_access_key_id: AKIAKIAKI + # aws_secret_access_key: 'secret123' + # # The remote 'directory' to store your backups. For S3, this would be the bucket name. + # remote_directory: 'my.s3.bucket' + # # Use multipart uploads when file size reaches 100MB, see + # # http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html + # multipart_chunk_size: 104857600 + + ## GitLab Shell settings + gitlab_shell: + path: /usr/share/gitlab-shell/ + + # REPOS_PATH MUST NOT BE A SYMLINK!!! + repos_path: /var/lib/gitlab/repositories/ + hooks_path: /usr/share/gitlab-shell/hooks/ + + # File that contains the secret key for verifying access for gitlab-shell. + # Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app). + secret_file: /var/lib/gitlab/.gitlab_shell_secret + + # Git over HTTP + upload_pack: true + receive_pack: true + + # If you use non-standard ssh port you need to specify it + ssh_port: {{ ssh_port }} + + ## Git settings + # CAUTION! + # Use the default values unless you really know what you are doing + git: + bin_path: /usr/bin/git + # The next value is the maximum memory size grit can use + # Given in number of bytes per git object (e.g. 
a commit) + # This value can be increased if you have very large commits + max_size: 20971520 # 20.megabytes + # Git timeout to read a commit, in seconds + timeout: 10 + + # + # 5. Extra customization + # ========================== + + extra: + ## Google analytics. Uncomment if you want it + # google_analytics_id: '_your_tracking_id' + + ## Piwik analytics. + # piwik_url: '_your_piwik_url' + # piwik_site_id: '_your_piwik_site_id' + + rack_attack: + git_basic_auth: + # Rack Attack IP banning enabled + # enabled: true + # + # Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers + # ip_whitelist: ["127.0.0.1"] + # + # Limit the number of Git HTTP authentication attempts per IP + # maxretry: 10 + # + # Reset the auth attempt counter per IP after 60 seconds + # findtime: 60 + # + # Ban an IP for one hour (3600s) after too many auth attempts + # bantime: 3600 + +development: + <<: *base + +test: + <<: *base + gravatar: + enabled: true + gitlab: + host: localhost + port: 80 + + # When you run tests we clone and setup gitlab-shell + # In order to setup it correctly you need to specify + # your system username you use to run GitLab + user: gitlab + email_from: example@example.com + email_display_name: GitLab + email_reply_to: noreply@example.com + satellites: + path: tmp/tests/gitlab-satellites/ + backup: + path: tmp/tests/backups + gitlab_shell: + path: /usr/share/gitlab-shell/ + repos_path: tmp/tests/repositories/ + hooks_path: /usr/share/gitlab-shell/hooks/ + secret_file: tmp/tests/gitlab-shell/.gitlab_shell_secret + issues_tracker: + redmine: + title: "Redmine" + project_url: "http://redmine/projects/:issues_tracker_id" + issues_url: "http://redmine/:project_id/:issues_tracker_id/:id" + new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new" + ldap: + enabled: false + servers: + main: + label: ldap + host: 127.0.0.1 + port: 3890 + uid: 'uid' + method: 'plain' # "tls" or "ssl" or "plain" + base: 'dc=example,dc=com' + 
user_filter: '' + group_base: 'ou=groups,dc=example,dc=com' + admin_group: '' + sync_ssh_keys: false + +staging: + <<: *base diff --git a/roles/gitlab/templates/gitlab.yml.orig b/roles/gitlab/templates/gitlab.yml.orig new file mode 100644 index 0000000..82c5cbe --- /dev/null +++ b/roles/gitlab/templates/gitlab.yml.orig 
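Review bot: The production LDAP block enables the provider with `method: 'plain'` on `port: 389` against `{{ ldap_server }}`, so each login sends the user's password to ldap.dmz.lilik in cleartext (the template's own example shows GitLab querying LDAP with the submitted password); the comment on that line lists `"tls"` and `"ssl"` as alternatives, and unless that hop is on an isolated segment I would switch to `method: 'tls'` (or `'ssl'` with `port: 636`) and state the reason in a comment either way. `host: {{ fqdn }}` is the one templated scalar left unquoted; write it `host: '{{ fqdn }}'` like `host: '{{ ldap_server }}'` further down, so an empty expansion does not become `null`. `https: false` is kept while projects.yaml now places a reverse_proxy role in front of this host; if that proxy terminates TLS, GitLab will still emit http:// clone URLs and links, so either set `https: true` here or document that the proxy speaks plain HTTP. The `satellites` path `/home/git/gitlab-satellites/` is inherited from the .orig file while `user_home` is /var/lib/gitlab, which is worth a check that the directory exists for the gitlab user.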
@@ -0,0 +1,437 @@ +# # # # # # # # # # # # # # # # # # +# GitLab application config file # +# # # # # # # # # # # # # # # # # # +# +########################### NOTE ##################################### +# This file should not receive new settings. All configuration options # +# that do not require an application restart are being moved to # +# ApplicationSetting model! # +# If you change this file in a Merge Request, please also create # +# a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests # +######################################################################## +# +# +# How to use: +# 1. Copy file as gitlab.yml +# 2. Update gitlab -> host with your fully qualified domain name +# 3. Update gitlab -> email_from +# 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git +# IMPORTANT: If Git was installed in a different location use that instead. +# You can check with `which git`. If a wrong path of Git is specified, it will +# result in various issues such as failures of GitLab CI builds. +# 5. Review this configuration file for other settings you may want to adjust + +# For Debian specific changes: See /usr/share/doc/README.Debian + +production: &base + # + # 1. GitLab app settings + # ========================== + + ## GitLab settings + gitlab: + ## Web server settings (note: host is the FQDN, do not include http://) + # Using environmental variables from /etc/gitlab/gitlab-debian.conf + #host: localhost + #port: 80 # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details + https: false # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details + + # Uncommment this line below if your ssh host is different from HTTP/HTTPS one + # (you'd obviously need to replace ssh.host_example.com with your own host). 
+ # Otherwise, ssh host will be set to the `host:` value above + # ssh_host: ssh.host_example.com + + # WARNING: See config/application.rb under "Relative url support" for the list of + # other files that need to be changed for relative url support + # relative_url_root: /gitlab + + # Uncomment and customize if you can't use the default user to run GitLab (default: 'git') + user: gitlab #gitlab_user (DON'T REMOVE THIS COMMENT) + user_home: /var/lib/gitlab + + ## Date & Time settings + # Uncomment and customize if you want to change the default time zone of GitLab application. + # To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production` + # time_zone: 'UTC' + + ## Email settings + # Uncomment and set to false if you need to disable email sending from GitLab (default: true) + # email_enabled: true + # Email address used in the "From" field in mails sent by GitLab + # Using environmental variables from /etc/gitlab/gitlab-debian.conf + # email_from: example@example.com + # email_display_name: GitLab + # email_reply_to: noreply@example.com + + # Email server smtp settings are in config/initializers/smtp_settings.rb.sample + + # default_can_create_group: false # default: true + # username_changing_enabled: false # default: true - User can change her username/namespace + ## Default theme ID + ## 1 - Graphite + ## 2 - Charcoal + ## 3 - Green + ## 4 - Gray + ## 5 - Violet + ## 6 - Blue + # default_theme: 2 # default: 2 + + ## Automatic issue closing + # If a commit message matches this regular expression, all issues referenced from the matched text will be closed. + # This happens when the commit is pushed or merged into the default branch of a project. + # When not specified the default issue_closing_pattern as specified below will be used. + # Tip: you can test your closing pattern at http://rubular.com. + # issue_closing_pattern: '((?:[Cc]los(?:e[sd]?|ing)|[Ff]ix(?:e[sd]|ing)?) +(?:(?:issues? 
+)?#\d+(?:(?:, *| +and +)?))+)' + + ## Default project features settings + default_projects_features: + issues: true + merge_requests: true + wiki: true + snippets: false + + ## Webhook settings + # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10) + # webhook_timeout: 10 + + ## Repository downloads directory + # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory. + # The default is 'tmp/repositories' relative to the root of the Rails app. + # repository_downloads_path: tmp/repositories + + ## Reply by email + # Allow users to comment on issues and merge requests by replying to notification emails. + # For documentation on how to set this up, see http://doc.gitlab.com/ce/incoming_email/README.html + incoming_email: + enabled: false + address: "incoming+%{key}@gitlab.example.com" + + ## Gravatar + ## For Libravatar see: http://doc.gitlab.com/ce/customization/libravatar.html + gravatar: + enabled: true # Use user avatar image from Gravatar.com (default: true) + # gravatar urls: possible placeholders: %{hash} %{size} %{email} + # plain_url: "http://..." # default: http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon + # ssl_url: "https://..." # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon + + # + # 2. GitLab CI settings + # ========================== + + gitlab_ci: + # Default project notifications settings: + # + # Send emails only on broken builds (default: true) + # all_broken_builds: true + # + # Add pusher to recipients list (default: false) + # add_pusher: true + + # The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root + # builds_path: builds/ + + # + # 3. 
Auth settings + # ========================== + + ## LDAP settings + # You can inspect a sample of the LDAP users with login access by running: + # bundle exec rake gitlab:ldap:check RAILS_ENV=production + ldap: + enabled: false + servers: + ########################################################################## + # + # Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab + # Enterprise Edition now supports connecting to multiple LDAP servers. + # + # If you are updating from the old (pre-7.4) syntax, you MUST give your + # old server the ID 'main'. + # + ########################################################################## + main: # 'main' is the GitLab 'provider ID' of this LDAP server + ## label + # + # A human-friendly name for your LDAP server. It is OK to change the label later, + # for instance if you find out it is too large to fit on the web page. + # + # Example: 'Paris' or 'Acme, Ltd.' + label: 'LDAP' + + host: '_your_ldap_server' + port: 389 + uid: 'sAMAccountName' + method: 'plain' # "tls" or "ssl" or "plain" + bind_dn: '_the_full_dn_of_the_user_you_will_bind_with' + password: '_the_password_of_the_bind_user' + + # This setting specifies if LDAP server is Active Directory LDAP server. + # For non AD servers it skips the AD specific queries. + # If your LDAP server is not AD, set this to false. + active_directory: true + + # If allow_username_or_email_login is enabled, GitLab will ignore everything + # after the first '@' in the LDAP username submitted by the user on login. + # + # Example: + # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials; + # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'. + # + # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to + # disable this setting, because the userPrincipalName contains an '@'. 
+ allow_username_or_email_login: false + + # To maintain tight control over the number of active users on your GitLab installation, + # enable this setting to keep new users blocked until they have been cleared by the admin + # (default: false). + block_auto_created_users: false + + # Base where we can search for users + # + # Ex. ou=People,dc=gitlab,dc=example + # + base: '' + + # Filter LDAP users + # + # Format: RFC 4515 http://tools.ietf.org/search/rfc4515 + # Ex. (employeeType=developer) + # + # Note: GitLab does not support omniauth-ldap's custom filter syntax. + # + user_filter: '' + + # LDAP attributes that GitLab will use to create an account for the LDAP user. + # The specified attribute can either be the attribute name as a string (e.g. 'mail'), + # or an array of attribute names to try in order (e.g. ['mail', 'email']). + # Note that the user's LDAP login will always be the attribute specified as `uid` above. + attributes: + # The username will be used in paths for the user's own projects + # (like `gitlab.example.com/username/project`) and when mentioning + # them in issues, merge request and comments (like `@username`). + # If the attribute specified for `username` contains an email address, + # the GitLab username will be the part of the email address before the '@'. + username: ['uid', 'userid', 'sAMAccountName'] + email: ['mail', 'email', 'userPrincipalName'] + + # If no full name could be found at the attribute specified for `name`, + # the full name is determined using the attributes specified for + # `first_name` and `last_name`. + name: 'cn' + first_name: 'givenName' + last_name: 'sn' + + # GitLab EE only: add more LDAP servers + # Choose an ID made of a-z and 0-9 . This ID will be stored in the database + # so that GitLab can remember which LDAP server a user belongs to. + # uswest2: + # label: + # host: + # .... + + + ## OmniAuth settings + omniauth: + # Allow login via Twitter, Google, etc. 
using OmniAuth providers + enabled: false + + # Uncomment this to automatically sign in with a specific omniauth provider's without + # showing GitLab's sign-in page (default: show the GitLab sign-in page) + # auto_sign_in_with_provider: saml + + # CAUTION! + # This allows users to login without having a user account first (default: false). + # User accounts will be created automatically when authentication was successful. + allow_single_sign_on: false + # Locks down those users until they have been cleared by the admin (default: true). + block_auto_created_users: true + # Look up new users in LDAP servers. If a match is found (same uid), automatically + # link the omniauth identity with the LDAP account. (default: false) + auto_link_ldap_user: false + + ## Auth providers + # Uncomment the following lines and fill in the data of the auth provider you want to use + # If your favorite auth provider is not listed you can use others: + # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations + # The 'app_id' and 'app_secret' parameters are always passed as the first two + # arguments, followed by optional 'args' which can be either a hash or an array. 
+ # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html + providers: + # - { name: 'google_oauth2', + # label: 'Google', + # app_id: 'YOUR_APP_ID', + # app_secret: 'YOUR_APP_SECRET', + # args: { access_type: 'offline', approval_prompt: '' } } + # - { name: 'twitter', + # app_id: 'YOUR_APP_ID', + # app_secret: 'YOUR_APP_SECRET' } + # - { name: 'github', + # label: 'GitHub', + # app_id: 'YOUR_APP_ID', + # app_secret: 'YOUR_APP_SECRET', + # args: { scope: 'user:email' } } + # - { name: 'gitlab', + # label: 'GitLab.com', + # app_id: 'YOUR_APP_ID', + # app_secret: 'YOUR_APP_SECRET', + # args: { scope: 'api' } } + # - { name: 'bitbucket', + # app_id: 'YOUR_APP_ID', + # app_secret: 'YOUR_APP_SECRET' } + # - { name: 'saml', + # label: 'Our SAML Provider', + # args: { + # assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback', + # idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8', + # idp_sso_target_url: 'https://login.example.com/idp', + # issuer: 'https://gitlab.example.com', + # name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' + # } } + # - { name: 'crowd', + # args: { + # crowd_server_url: 'CROWD SERVER URL', + # application_name: 'YOUR_APP_NAME', + # application_password: 'YOUR_APP_PASSWORD' } } + + + + + # + # 4. 
Advanced settings + # ========================== + + # GitLab Satellites + satellites: + # Relative paths are relative to Rails.root (default: tmp/repo_satellites/) + path: /home/git/gitlab-satellites/ + timeout: 30 + + ## Backup settings + backup: + path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/) + # archive_permissions: 0640 # Permissions for the resulting backup.tar file (default: 0600) + # keep_time: 604800 # default: 0 (forever) (in seconds) + # pg_schema: public # default: nil, it means that all schemas will be backed up + # upload: + # # Fog storage connection settings, see http://fog.io/storage/ . + # connection: + # provider: AWS + # region: eu-west-1 + # aws_access_key_id: AKIAKIAKI + # aws_secret_access_key: 'secret123' + # # The remote 'directory' to store your backups. For S3, this would be the bucket name. + # remote_directory: 'my.s3.bucket' + # # Use multipart uploads when file size reaches 100MB, see + # # http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html + # multipart_chunk_size: 104857600 + + ## GitLab Shell settings + gitlab_shell: + path: /usr/share/gitlab-shell/ + + # REPOS_PATH MUST NOT BE A SYMLINK!!! + repos_path: /var/lib/gitlab/repositories/ + hooks_path: /usr/share/gitlab-shell/hooks/ + + # File that contains the secret key for verifying access for gitlab-shell. + # Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app). + secret_file: /var/lib/gitlab/.gitlab_shell_secret + + # Git over HTTP + upload_pack: true + receive_pack: true + + # If you use non-standard ssh port you need to specify it + # ssh_port: 22 + + ## Git settings + # CAUTION! + # Use the default values unless you really know what you are doing + git: + bin_path: /usr/bin/git + # The next value is the maximum memory size grit can use + # Given in number of bytes per git object (e.g. 
a commit) + # This value can be increased if you have very large commits + max_size: 20971520 # 20.megabytes + # Git timeout to read a commit, in seconds + timeout: 10 + + # + # 5. Extra customization + # ========================== + + extra: + ## Google analytics. Uncomment if you want it + # google_analytics_id: '_your_tracking_id' + + ## Piwik analytics. + # piwik_url: '_your_piwik_url' + # piwik_site_id: '_your_piwik_site_id' + + rack_attack: + git_basic_auth: + # Rack Attack IP banning enabled + # enabled: true + # + # Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers + # ip_whitelist: ["127.0.0.1"] + # + # Limit the number of Git HTTP authentication attempts per IP + # maxretry: 10 + # + # Reset the auth attempt counter per IP after 60 seconds + # findtime: 60 + # + # Ban an IP for one hour (3600s) after too many auth attempts + # bantime: 3600 + +development: + <<: *base + +test: + <<: *base + gravatar: + enabled: true + gitlab: + host: localhost + port: 80 + + # When you run tests we clone and setup gitlab-shell + # In order to setup it correctly you need to specify + # your system username you use to run GitLab + user: gitlab + email_from: example@example.com + email_display_name: GitLab + email_reply_to: noreply@example.com + satellites: + path: tmp/tests/gitlab-satellites/ + backup: + path: tmp/tests/backups + gitlab_shell: + path: /usr/share/gitlab-shell/ + repos_path: tmp/tests/repositories/ + hooks_path: /usr/share/gitlab-shell/hooks/ + secret_file: tmp/tests/gitlab-shell/.gitlab_shell_secret + issues_tracker: + redmine: + title: "Redmine" + project_url: "http://redmine/projects/:issues_tracker_id" + issues_url: "http://redmine/:project_id/:issues_tracker_id/:id" + new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new" + ldap: + enabled: false + servers: + main: + label: ldap + host: 127.0.0.1 + port: 3890 + uid: 'uid' + method: 'plain' # "tls" or "ssl" or "plain" + base: 'dc=example,dc=com' + 
user_filter: ''
+ group_base: 'ou=groups,dc=example,dc=com'
+ admin_group: ''
+ sync_ssh_keys: false
+
+staging:
+ <<: *base
diff --git a/roles/gitlab/templates/my-gitlab.rb.j2 b/roles/gitlab/templates/my-gitlab.rb.j2
deleted file mode 100644
index 767311c..0000000
--- a/roles/gitlab/templates/my-gitlab.rb.j2
+++ /dev/null
@@ -1,40 +0,0 @@
-external_url 'http://projects.lilik.it'
-gitlab_rails['gitlab_default_projects_features_issues'] = true
-gitlab_rails['gitlab_default_projects_features_wiki'] = true
-gitlab_rails['gitlab_default_projects_features_snippets'] = true
-gitlab_rails['ldap_enabled'] = true
-gitlab_rails['ldap_servers'] = YAML.load <<-EOS
- main:
- label: 'LDAP'
- host: 'ldap2.lilik.it'
- port: 389
- uid: 'mail'
- method: 'plain'
- base: 'vd=lilik.it,o=hosting,dc=lilik,dc=it'
- user_filter: '(memberOf=cn=projects,o=Group,dc=lilik,dc=it)'
- attributes:
- username: ['uid', 'userid', 'sAMAccountName']
- email: ['mail', 'email', 'userPrincipalName']
- name: 'cn'
- first_name: 'givenName'
- last_name: 'sn'
-EOS
-gitlab_rails['gitlab_shell_ssh_port'] = 8082
-gitlab_rails['smtp_enable'] = true
-gitlab_rails['smtp_address'] = "mail.lilik.it"
-gitlab_rails['smtp_port'] = 25
-
-unicorn['worker_processes'] = 1 # default is 2
-
-gitlab_workhorse['listen_network'] = "tcp"
-gitlab_workhorse['listen_addr'] = "localhost:8181"
-
-gitlab_rails['db_adapter'] = "postgresql"
-gitlab_rails['db_encoding'] = 'utf8'
-gitlab_rails['db_username'] = "gitlab-psql"
-gitlab_rails['db_host'] = nil
-gitlab_rails['db_socket'] = "/var/run/postgresql/"
-gitlab_rails['db_port'] = nil
-
-postgresql['enable'] = false
-nginx['enable'] = false
diff --git a/roles/gitlab/templates/my-gitlab.yml.j2 b/roles/gitlab/templates/my-gitlab.yml.j2
new file mode 100644
index 0000000..4c2fe6a
--- /dev/null
+++ b/roles/gitlab/templates/my-gitlab.yml.j2
@@ -0,0 +1,24 @@
+gitlab_rails['gitlab_shell_ssh_port'] = 8082
+gitlab_rails['smtp_enable'] = true
+gitlab_rails['smtp_address'] = "mail.lilik.it"
+gitlab_rails['smtp_port'] = 25
+
+ldap:
+ enabled: false
+ servers:
+ main:
+ label: 'LDAP'
+ host: 'ldap2.lilik.it'
+ port: 389
+ uid: 'mail'
+ method: 'plain'
+ base: 'vd=lilik.it,o=hosting,dc=lilik,dc=it'
+ user_filter: '(memberOf=cn=projects,o=Group,dc=lilik,dc=it)'
+ attributes:
+ username: ['uid', 'userid', 'sAMAccountName']
+ email: ['mail', 'email', 'userPrincipalName']
+ name: 'cn'
+ first_name: 'givenName'
+ last_name: 'sn'
+ group_base: 'cn=projects,o=Group,dc=lilik,dc=it'
+ admin_group: 'admin'
diff --git a/roles/gitlab/vars/main.yml b/roles/gitlab/vars/main.yml
deleted file mode 100644
index 261e2a1..0000000
--- a/roles/gitlab/vars/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-config_names:
- - gitlab
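Review bot: `method: 'plain'` together with `port: 389` in the `main:` server block makes GitLab perform LDAP simple binds in cleartext, so every user's password is sent unencrypted across the network to `ldap2.lilik.it`; the upstream sample this was copied from documents the alternatives (`method: 'plain' # "tls" or "ssl" or "plain"`), so switch to `method: 'tls'` (STARTTLS on 389) or `method: 'ssl'` with `port: 636`, assuming the LDAP server supports it. The first four lines (`gitlab_rails['gitlab_shell_ssh_port'] = 8082` through `gitlab_rails['smtp_port'] = 25`) are omnibus Ruby syntax carried over from the deleted my-gitlab.rb.j2, not YAML; if this template is rendered and loaded as YAML they will either break the parse or be silently dropped as stray scalars, so they should be removed and the SSH port and SMTP settings expressed in whatever form the new package-based install reads. Note also that `enabled: false` disables LDAP login entirely, whereas the deleted file had `ldap_enabled = true`; if that is deliberate for the temporary VM, say so with a comment such as `# LDAP login disabled while projects2 is brought up; re-enable before cutover` so it is not forgotten. As far as I recall `group_base` and `admin_group` are Enterprise Edition settings that CE ignores, so on a Debian-packaged CE install the `admin_group: 'admin'` mapping may grant nobody admin rights — confirm before relying on it.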