Browse Source

roles/gitlab: move to omnibus release

- Move to omnibus release, with NGINX ang pgSQL managed by GitLab
configuration utilities.

- Move from anonymous to authenticated LDAP bind.
python3
Zolfa 5 years ago
parent
commit
9f51ed25f4
Signed by: zolfa GPG Key ID: E1A43B038C4D6616
6 changed files with 2409 additions and 478 deletions
  1. +4
    -2
      roles/gitlab/defaults/main.yaml
  2. +4
    -0
      roles/gitlab/handlers/main.yaml
  3. +0
    -7
      roles/gitlab/meta/main.yaml
  4. +53
    -29
      roles/gitlab/tasks/main.yaml
  5. +2348
    -0
      roles/gitlab/templates/gitlab.rb.j2
  6. +0
    -440
      roles/gitlab/templates/gitlab.yml.j2

+ 4
- 2
roles/gitlab/defaults/main.yaml View File

@ -1,3 +1,5 @@
fqdn: '{{ ansible_hostname }}.lilik.it'
fqdn: '{{ ansible_hostname }}.{{ domain }}'
ssh_port: 8022
ldap_server: ldap.dmz.lilik
ldap_server: ldap1.dmz.lilik.it
ldap_basedn: 'dc=lilik,dc=it'
enable_https: false

+ 4
- 0
roles/gitlab/handlers/main.yaml View File

@ -0,0 +1,4 @@
---
- name: 'reconfigure gitlab'
command: '/usr/bin/gitlab-ctl reconfigure'
...

+ 0
- 7
roles/gitlab/meta/main.yaml View File

@ -1,7 +0,0 @@
---
dependencies:
- role: postgresql
- role: nginx
is_proxy: true
remote_host: "http://unix:/run/gitlab/gitlab-workhorse.socket"
server_fqdn: '{{ fqdn }}'

+ 53
- 29
roles/gitlab/tasks/main.yaml View File

@ -1,37 +1,61 @@
# see /usr/share/doc/gitlab/README.Debian.gz
# for instruction on how to migrate and reset root password
- name: configure gitlab (fqdn)
debconf:
name: 'gitlab'
question: 'gitlab/fqdn'
vtype: 'string'
value: '{{ fqdn }}'
- include_role:
name: service
- name: 'install gnupg and ca-cert'
apt:
pkg:
- 'gnupg'
- 'ca-certificates'
- name: 'add gitlab gnupg key to apt'
apt_key:
id: 'F6403F6544A38863DAA0B6E03F01618A51312F3F'
url: 'https://packages.gitlab.com/gpg.key'
state: 'present'
- name: 'add gitlab apt repos'
apt_repository:
repo: '{{ item }}'
state: 'present'
loop:
- 'deb https://packages.gitlab.com/gitlab/gitlab-ce/debian/ buster main'
- 'deb-src https://packages.gitlab.com/gitlab/gitlab-ce/debian/ buster main'
- include_role: name='service'
vars:
service_name: gitlab
service_name: 'gitlab'
service_packages:
- gitlab
- 'gitlab-ce'
- name: 'load root ca'
copy:
content: '{{ ssl_ca_cert }}'
dest: '/etc/gitlab/ca.crt'
- name: remove debian nginx configuration
file:
path: '/etc/nginx/sites-enabled/{{ fqdn }}'
state: absent
- name: 'generate gitlab password'
gen_passwd: 'length=32'
register: 'ldap_bindpw'
- name: copy my-gitlab.yml
- name: 'set gitlab password'
delegate_to: 'localhost'
ldap_passwd:
dn: 'cn={{ ansible_hostname }},ou=Server,{{ ldap_basedn }}'
passwd: '{{ ldap_bindpw.passwd }}'
server_uri: 'ldap://{{ ldap_server }}'
start_tls: true
bind_dn: '{{ ldap_admin_dn }}'
bind_pw: '{{ ldap_admin_pw }}'
- name: 'update configuration'
template:
src: "gitlab.yml.j2"
dest: "/etc/gitlab/gitlab.yml"
notify: restart gitlab
- name: patch gitlab source to add domain to email ldap field
blockinfile:
block: |
if key.to_s == "email"
value = value.nil? ? value : value + "@lilik.it"
end
dest: /usr/share/gitlab/lib/gitlab/ldap/auth_hash.rb
insertbefore: "return super unless value"
notify: restart gitlab
src: 'gitlab.rb.j2'
dest: '/etc/gitlab/gitlab.rb'
notify: 'reconfigure gitlab'
- name: 'patch gitlab to run in lxc'
lineinfile:
path: '/opt/gitlab/embedded/cookbooks/package/resources/gitlab_sysctl.rb'
insertafter: '^ command "sysctl -e --system"\n'
line: ' ignore_failure true'
notify: 'reconfigure gitlab'

+ 2348
- 0
roles/gitlab/templates/gitlab.rb.j2
File diff suppressed because it is too large
View File


+ 0
- 440
roles/gitlab/templates/gitlab.yml.j2 View File

@ -1,440 +0,0 @@
# # # # # # # # # # # # # # # # # #
# GitLab application config file #
# # # # # # # # # # # # # # # # # #
#
########################### NOTE #####################################
# This file should not receive new settings. All configuration options #
# that do not require an application restart are being moved to #
# ApplicationSetting model! #
# If you change this file in a Merge Request, please also create #
# a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests #
########################################################################
#
#
# How to use:
# 1. Copy file as gitlab.yml
# 2. Update gitlab -> host with your fully qualified domain name
# 3. Update gitlab -> email_from
# 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git
# IMPORTANT: If Git was installed in a different location use that instead.
# You can check with `which git`. If a wrong path of Git is specified, it will
# result in various issues such as failures of GitLab CI builds.
# 5. Review this configuration file for other settings you may want to adjust
# For Debian specific changes: See /usr/share/doc/README.Debian
production: &base
#
# 1. GitLab app settings
# ==========================
## GitLab settings
gitlab:
## Web server settings (note: host is the FQDN, do not include http://)
# Using environmental variables from /etc/gitlab/gitlab-debian.conf
host: {{ fqdn }}
#port: 80 # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
https: false # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
# Uncommment this line below if your ssh host is different from HTTP/HTTPS one
# (you'd obviously need to replace ssh.host_example.com with your own host).
# Otherwise, ssh host will be set to the `host:` value above
# ssh_host: ssh.host_example.com
# WARNING: See config/application.rb under "Relative url support" for the list of
# other files that need to be changed for relative url support
# relative_url_root: /gitlab
# Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
user: gitlab #gitlab_user (DON'T REMOVE THIS COMMENT)
user_home: /var/lib/gitlab
## Date & Time settings
# Uncomment and customize if you want to change the default time zone of GitLab application.
# To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production`
# time_zone: 'UTC'
## Email settings
# Uncomment and set to false if you need to disable email sending from GitLab (default: true)
# email_enabled: true
# Email address used in the "From" field in mails sent by GitLab
# Using environmental variables from /etc/gitlab/gitlab-debian.conf
# email_from: example@example.com
# email_display_name: GitLab
# email_reply_to: noreply@example.com
# Email server smtp settings are in config/initializers/smtp_settings.rb.sample
# default_can_create_group: false # default: true
# username_changing_enabled: false # default: true - User can change her username/namespace
## Default theme ID
## 1 - Graphite
## 2 - Charcoal
## 3 - Green
## 4 - Gray
## 5 - Violet
## 6 - Blue
# default_theme: 2 # default: 2
## Automatic issue closing
# If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
# This happens when the commit is pushed or merged into the default branch of a project.
# When not specified the default issue_closing_pattern as specified below will be used.
# Tip: you can test your closing pattern at http://rubular.com.
# issue_closing_pattern: '((?:[Cc]los(?:e[sd]?|ing)|[Ff]ix(?:e[sd]|ing)?) +(?:(?:issues? +)?#\d+(?:(?:, *| +and +)?))+)'
## Default project features settings
default_projects_features:
issues: true
merge_requests: true
wiki: true
snippets: true
## Webhook settings
# Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
# webhook_timeout: 10
## Repository downloads directory
# When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory.
# The default is 'tmp/repositories' relative to the root of the Rails app.
# repository_downloads_path: tmp/repositories
## Reply by email
# Allow users to comment on issues and merge requests by replying to notification emails.
# For documentation on how to set this up, see http://doc.gitlab.com/ce/incoming_email/README.html
incoming_email:
enabled: false
address: "incoming+%{key}@gitlab.example.com"
## Gravatar
## For Libravatar see: http://doc.gitlab.com/ce/customization/libravatar.html
gravatar:
enabled: false # Use user avatar image from Gravatar.com (default: true)
# gravatar urls: possible placeholders: %{hash} %{size} %{email}
# plain_url: "http://..." # default: http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
# ssl_url: "https://..." # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
#
# 2. GitLab CI settings
# ==========================
gitlab_ci:
# Default project notifications settings:
#
# Send emails only on broken builds (default: true)
# all_broken_builds: true
#
# Add pusher to recipients list (default: false)
# add_pusher: true
# The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root
# builds_path: builds/
#
# 3. Auth settings
# ==========================
## LDAP settings
# You can inspect a sample of the LDAP users with login access by running:
# bundle exec rake gitlab:ldap:check RAILS_ENV=production
ldap:
enabled: true
servers:
##########################################################################
#
# Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab
# Enterprise Edition now supports connecting to multiple LDAP servers.
#
# If you are updating from the old (pre-7.4) syntax, you MUST give your
# old server the ID 'main'.
#
##########################################################################
main: # 'main' is the GitLab 'provider ID' of this LDAP server
## label
#
# A human-friendly name for your LDAP server. It is OK to change the label later,
# for instance if you find out it is too large to fit on the web page.
#
# Example: 'Paris' or 'Acme, Ltd.'
label: 'LDAP'
host: '{{ ldap_server }}'
port: 389
uid: 'uid'
method: 'plain' # "tls" or "ssl" or "plain"
#bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
#password: '_the_password_of_the_bind_user'
# This setting specifies if LDAP server is Active Directory LDAP server.
# For non AD servers it skips the AD specific queries.
# If your LDAP server is not AD, set this to false.
active_directory: false
# If allow_username_or_email_login is enabled, GitLab will ignore everything
# after the first '@' in the LDAP username submitted by the user on login.
#
# Example:
# - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
# - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
#
# If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
# disable this setting, because the userPrincipalName contains an '@'.
allow_username_or_email_login: true
# To maintain tight control over the number of active users on your GitLab installation,
# enable this setting to keep new users blocked until they have been cleared by the admin
# (default: false).
block_auto_created_users: false
# Base where we can search for users
#
# Ex. ou=People,dc=gitlab,dc=example
#
base: 'o=People,dc=lilik,dc=it'
# Filter LDAP users
#
# Format: RFC 4515 http://tools.ietf.org/search/rfc4515
# Ex. (employeeType=developer)
#
# Note: GitLab does not support omniauth-ldap's custom filter syntax.
#
user_filter: '(memberOf=cn=projects,o=Group,dc=lilik,dc=it)'
# LDAP attributes that GitLab will use to create an account for the LDAP user.
# The specified attribute can either be the attribute name as a string (e.g. 'mail'),
# or an array of attribute names to try in order (e.g. ['mail', 'email']).
# Note that the user's LDAP login will always be the attribute specified as `uid` above.
attributes:
# The username will be used in paths for the user's own projects
# (like `gitlab.example.com/username/project`) and when mentioning
# them in issues, merge request and comments (like `@username`).
# If the attribute specified for `username` contains an email address,
# the GitLab username will be the part of the email address before the '@'.
username: ['uid', 'userid', 'sAMAccountName']
email: ['mail', 'email', 'userPrincipalName']
# If no full name could be found at the attribute specified for `name`,
# the full name is determined using the attributes specified for
# `first_name` and `last_name`.
name: 'cn'
first_name: 'givenName'
last_name: 'sn'
group_base: 'o=Group,dc=lilik,dc=it'
admin_group: 'admin'
# GitLab EE only: add more LDAP servers
# Choose an ID made of a-z and 0-9 . This ID will be stored in the database
# so that GitLab can remember which LDAP server a user belongs to.
# uswest2:
# label:
# host:
# ....
## OmniAuth settings
omniauth:
# Allow login via Twitter, Google, etc. using OmniAuth providers
enabled: false
# Uncomment this to automatically sign in with a specific omniauth provider's without
# showing GitLab's sign-in page (default: show the GitLab sign-in page)
# auto_sign_in_with_provider: saml
# CAUTION!
# This allows users to login without having a user account first (default: false).
# User accounts will be created automatically when authentication was successful.
allow_single_sign_on: false
# Locks down those users until they have been cleared by the admin (default: true).
block_auto_created_users: true
# Look up new users in LDAP servers. If a match is found (same uid), automatically
# link the omniauth identity with the LDAP account. (default: false)
auto_link_ldap_user: false
## Auth providers
# Uncomment the following lines and fill in the data of the auth provider you want to use
# If your favorite auth provider is not listed you can use others:
# see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations
# The 'app_id' and 'app_secret' parameters are always passed as the first two
# arguments, followed by optional 'args' which can be either a hash or an array.
# Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
providers:
# - { name: 'google_oauth2',
# label: 'Google',
# app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET',
# args: { access_type: 'offline', approval_prompt: '' } }
# - { name: 'twitter',
# app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET' }
# - { name: 'github',
# label: 'GitHub',
# app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET',
# args: { scope: 'user:email' } }
# - { name: 'gitlab',
# label: 'GitLab.com',
# app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET',
# args: { scope: 'api' } }
# - { name: 'bitbucket',
# app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET' }
# - { name: 'saml',
# label: 'Our SAML Provider',
# args: {
# assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
# idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
# idp_sso_target_url: 'https://login.example.com/idp',
# issuer: 'https://gitlab.example.com',
# name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
# } }
# - { name: 'crowd',
# args: {
# crowd_server_url: 'CROWD SERVER URL',
# application_name: 'YOUR_APP_NAME',
# application_password: 'YOUR_APP_PASSWORD' } }
#
# 4. Advanced settings
# ==========================
# GitLab Satellites
satellites:
# Relative paths are relative to Rails.root (default: tmp/repo_satellites/)
path: /home/git/gitlab-satellites/
timeout: 30
## Backup settings
backup:
path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/)
# archive_permissions: 0640 # Permissions for the resulting backup.tar file (default: 0600)
# keep_time: 604800 # default: 0 (forever) (in seconds)
# pg_schema: public # default: nil, it means that all schemas will be backed up
# upload:
# # Fog storage connection settings, see http://fog.io/storage/ .
# connection:
# provider: AWS
# region: eu-west-1
# aws_access_key_id: AKIAKIAKI
# aws_secret_access_key: 'secret123'
# # The remote 'directory' to store your backups. For S3, this would be the bucket name.
# remote_directory: 'my.s3.bucket'
# # Use multipart uploads when file size reaches 100MB, see
# # http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
# multipart_chunk_size: 104857600
## GitLab Shell settings
gitlab_shell:
path: /usr/share/gitlab-shell/
# REPOS_PATH MUST NOT BE A SYMLINK!!!
repos_path: /var/lib/gitlab/repositories/
hooks_path: /usr/share/gitlab-shell/hooks/
# File that contains the secret key for verifying access for gitlab-shell.
# Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app).
secret_file: /var/lib/gitlab/.gitlab_shell_secret
# Git over HTTP
upload_pack: true
receive_pack: true
# If you use non-standard ssh port you need to specify it
ssh_port: {{ ssh_port }}
## Git settings
# CAUTION!
# Use the default values unless you really know what you are doing
git:
bin_path: /usr/bin/git
# The next value is the maximum memory size grit can use
# Given in number of bytes per git object (e.g. a commit)
# This value can be increased if you have very large commits
max_size: 20971520 # 20.megabytes
# Git timeout to read a commit, in seconds
timeout: 10
#
# 5. Extra customization
# ==========================
extra:
## Google analytics. Uncomment if you want it
# google_analytics_id: '_your_tracking_id'
## Piwik analytics.
# piwik_url: '_your_piwik_url'
# piwik_site_id: '_your_piwik_site_id'
rack_attack:
git_basic_auth:
# Rack Attack IP banning enabled
# enabled: true
#
# Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers
# ip_whitelist: ["127.0.0.1"]
#
# Limit the number of Git HTTP authentication attempts per IP
# maxretry: 10
#
# Reset the auth attempt counter per IP after 60 seconds
# findtime: 60
#
# Ban an IP for one hour (3600s) after too many auth attempts
# bantime: 3600
development:
<<: *base
test:
<<: *base
gravatar:
enabled: true
gitlab:
host: localhost
port: 80
# When you run tests we clone and setup gitlab-shell
# In order to setup it correctly you need to specify
# your system username you use to run GitLab
user: gitlab
email_from: example@example.com
email_display_name: GitLab
email_reply_to: noreply@example.com
satellites:
path: tmp/tests/gitlab-satellites/
backup:
path: tmp/tests/backups
gitlab_shell:
path: /usr/share/gitlab-shell/
repos_path: tmp/tests/repositories/
hooks_path: /usr/share/gitlab-shell/hooks/
secret_file: tmp/tests/gitlab-shell/.gitlab_shell_secret
issues_tracker:
redmine:
title: "Redmine"
project_url: "http://redmine/projects/:issues_tracker_id"
issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
ldap:
enabled: false
servers:
main:
label: ldap
host: 127.0.0.1
port: 3890
uid: 'uid'
method: 'plain' # "tls" or "ssl" or "plain"
base: 'dc=example,dc=com'
user_filter: ''
group_base: 'ou=groups,dc=example,dc=com'
admin_group: ''
sync_ssh_keys: false
staging:
<<: *base

Loading…
Cancel
Save