CCCHH/ansible-infra
CCCHH/ansible-infra
2
2
Fork 1
Code Issues 8 Pull requests 8 Wiki Activity Actions

Vendor Galaxy Roles and Collections
Some checks failed
/ Ansible Lint (push) Failing after 5m45s
Details
/ Ansible Lint (pull_request) Failing after 4m59s
Details

Browse source
This commit is contained in:
Stefan Bethke 2026-02-06 22:07:16 +01:00
commit 2aed20393f
3553 changed files with 387444 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

19
ansible_collections/debops/debops/roles/gitlab/COPYRIGHT Normal file
View file

@ -0,0 +1,19 @@
debops.gitlab - Install and manage GitLab Omnibus
Copyright (C) 2015-2022 Maciej Delmanowski <drybjed@gmail.com>
Copyright (C) 2015-2022 DebOps <https://debops.org/>
SPDX-License-Identifier: GPL-3.0-only
This Ansible role is part of DebOps.
DebOps is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 3, as
published by the Free Software Foundation.
DebOps is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with DebOps. If not, see https://www.gnu.org/licenses/.

763
ansible_collections/debops/debops/roles/gitlab/defaults/main.yml Normal file
View file

@ -0,0 +1,763 @@
---
# .. vim: foldmarker=[[[,]]]:foldmethod=marker
# .. Copyright (C) 2015-2022 Maciej Delmanowski <drybjed@gmail.com>
# .. Copyright (C) 2015-2022 DebOps <https://debops.org/>
# .. SPDX-License-Identifier: GPL-3.0-only
# .. _gitlab__ref_defaults:
# debops.gitlab default variables
# ===============================
# .. contents:: Sections
# :local:
#
# .. include:: ../../../../includes/global.rst
# GitLab Omnibus installation [[[
# -------------------------------
# .. envvar:: gitlab__edition [[[
#
# Select the GitLab edition you want to install or manage. The "community"
# edition contains only the open source components, the "enterprise" edition
# includes closed source components and can be upgraded with a commercial
# license. Set to "manual" to allow a manual installation of GitLab Omnibus
# package which can then be configured by the role.
gitlab__edition: 'community'
# ]]]
# .. envvar:: gitlab__preferred_version [[[
#
# Specify the version of the GitLab APT package to install, in the
# :man:`apt_preferences(5)` format. By default any version is preferred, which
# will usually select the latest version available. An example selection of
# a specific version: ``16.9.1-ce.0``.
gitlab__preferred_version: '*'
# ]]]
# .. envvar:: gitlab__base_packages [[[
#
# List of the default APT packages used to install GitLab Omnibus on a host.
gitlab__base_packages:
- '{{ "gitlab-ce"
if (gitlab__edition == "community")
else ("gitlab-ee"
if (gitlab__edition == "enterprise")
else []) }}'
# ]]]
# .. envvar:: gitlab__packages [[[
#
# List of additional APT packages which should be installed with GitLab
# Omnibus.
gitlab__packages: []
# ]]]
# ]]]
# UNIX environment [[[
# --------------------
# .. envvar:: gitlab__user [[[
#
# Name of the primary UNIX account used by GitLab Omnibus.
gitlab__user: 'git'
# ]]]
# .. envvar:: gitlab__group [[[
#
# Name of the primary UNIX group used by GitLab Omnibus.
gitlab__group: 'git'
# ]]]
# .. envvar:: gitlab__additional_groups [[[
#
# List of additional UNIX groups which the GitLab Omnibus account should belong
# to.
gitlab__additional_groups:
# The "sshusers" UNIX group permits access to a given UNIX account over SSH
- '{{ (ansible_local.system_groups.local_prefix | d("")) + "sshusers" }}'
# ]]]
# .. envvar:: gitlab__comment [[[
#
# The GECOS field of the primary GitLab Omnibus UNIX account.
gitlab__comment: 'GitLab Omnibus main account'
# ]]]
# .. envvar:: gitlab__home [[[
#
# The home directory of the primary GitLab Omnibus UNIX account. This path is
# used by default by the Omnibus packages and shouldn't be changed recklessly.
gitlab__home: '/var/opt/gitlab'
# ]]]
# .. envvar:: gitlab__shell [[[
#
# The default UNIX shell used by the primary GitLab Omnibus account.
gitlab__shell: '/bin/sh'
# ]]]
# ]]]
# Application environment [[[
# ---------------------------
# .. envvar:: gitlab__fqdn [[[
#
# The Fully Qualified Domain Name on which GitLab Omnibus will be available. It
# might be published :ref:`as a SRV record <dns_configuration_srv_usage>` for
# GitLab Runners to find the API endpoint automatically.
gitlab__fqdn: 'code.{{ gitlab__domain }}'
# ]]]
# .. envvar:: gitlab__domain [[[
#
# The DNS domain on which GitLab Omnibus is deployed.
gitlab__domain: '{{ ansible_domain }}'
# ]]]
# .. envvar:: gitlab__registry_port [[[
#
# By default, GitLab Container registry is published on the same FQDN as the
# main GitLab application, on a different TCP port.
gitlab__registry_port: '5050'
# ]]]
# .. envvar:: gitlab__firewall_ports [[[
#
# List of TCP ports which should be opened in the :command:`ferm` firewall to
# allow access to the GitLab services.
gitlab__firewall_ports:
- 'http'
- 'https'
- 'container-registry'
# ]]]
# .. envvar:: gitlab__allow [[[
#
# List of IP addresses or CIDR subnets which are allowed to access GitLab
# Omnibus services, configured on all hosts in the Ansible inventory. If the
# list is empty, any host can access GitLab.
gitlab__allow: []
# ]]]
# .. envvar:: gitlab__group_allow [[[
#
# List of IP addresses or CIDR subnets which are allowed to access GitLab
# Omnibus services, configured on hosts in a specific Ansible inventory group.
# If the list is empty, any host can access GitLab.
gitlab__group_allow: []
# ]]]
# .. envvar:: gitlab__host_allow [[[
#
# List of IP addresses or CIDR subnets which are allowed to access GitLab
# Omnibus services, configured on specific hosts in the Ansible inventory. If
# the list is empty, any host can access GitLab.
gitlab__host_allow: []
# ]]]
# .. envvar:: gitlab__initial_root_password [[[
#
# The initial "root" account password set during GitLab Omnibus installation
# via the $GITLAB_ROOT_PASSWORD environment variable.
gitlab__initial_root_password: '{{ lookup("password", secret + "/gitlab/credentials/"
+ "root/initial_password") }}'
# ]]]
# ]]]
# PKI infrastructure integration [[[
# ----------------------------------
# .. envvar:: gitlab__pki_enabled [[[
#
# Enable or disable support for PKI infrastructure, managed by the
# :ref:`debops.pki` Ansible role.
gitlab__pki_enabled: '{{ (ansible_local.pki.enabled | d(False)) | bool }}'
# ]]]
# .. envvar:: gitlab__pki_path [[[
#
# The base path of the PKI infrastructure managed by the :ref:`debops.pki`
# Ansible role.
gitlab__pki_path: '{{ ansible_local.pki.path | d("/etc/pki/realms") }}'
# ]]]
# .. envvar:: gitlab__pki_hook_path [[[
#
# Directory with PKI hooks.
gitlab__pki_hook_path: '{{ ansible_local.pki.hooks | d("/etc/pki/hooks") }}'
# ]]]
# .. envvar:: gitlab__pki_realm [[[
#
# The name of the PKI realm which should be used by GitLab Omnibus installation
# by default.
gitlab__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
# ]]]
# .. envvar:: gitlab__ssl_default_symlinks [[[
#
# List of the symlinks to private key and X.509 certificate used by GitLab
# Omnibus by default, located in the :file:`/etc/gitlab/ssl/` directory.
# See :ref:`gitlab__ref_ssl_symlinks` for more details.
gitlab__ssl_default_symlinks:
- link: '{{ gitlab__fqdn + ".key" }}'
src: '{{ gitlab__pki_path + "/" + gitlab__pki_realm + "/private/key.pem" }}'
- link: '{{ gitlab__fqdn + ".crt" }}'
src: '{{ gitlab__pki_path + "/" + gitlab__pki_realm + "/public/chain.pem" }}'
# ]]]
# .. envvar:: gitlab__ssl_symlinks [[[
#
# List of additional symlinks to private keys and X.509 certificates used by
# GitLab Omnibus, located in the :file:`/etc/gitlab/ssl/` directory.
# See :ref:`gitlab__ref_ssl_symlinks` for more details.
gitlab__ssl_symlinks: []
# ]]]
# .. envvar:: gitlab__ssl_default_cacerts [[[
#
# List of the symlinks to Certificate Authority certificate used by GitLab
# Omnibus by default, located in the :file:`/etc/gitlab/trusted-certs/`
# directory. Syntax is the same as the configuration for private keys and
# certificates. See :ref:`gitlab__ref_ssl_symlinks` for more details.
gitlab__ssl_default_cacerts:
- link: '{{ gitlab__pki_realm + "-root.crt" }}'
src: '{{ gitlab__pki_path + "/" + gitlab__pki_realm + "/public/root.pem" }}'
# ]]]
# .. envvar:: gitlab__ssl_cacerts [[[
#
# List of additional symlinks to Certificate Authority certificate used by
# GitLab Omnibus, located in the :file:`/etc/gitlab/trusted-certs/` directory.
# Syntax is the same as the configuration for private keys and certificates.
# See :ref:`gitlab__ref_ssl_symlinks` for more details.
gitlab__ssl_cacerts: []
# ]]]
# ]]]
# LDAP Authentication configuration [[[
# -------------------------------------
# More information about LDAP support in GitLab can be found at
# https://gitlab.com/help/administration/auth/ldap.md
# .. envvar:: gitlab__ldap_enabled [[[
#
# Enable or disable LDAP integration.
gitlab__ldap_enabled: '{{ True
if (ansible_local | d() and ansible_local.ldap | d() and
(ansible_local.ldap.enabled | d()) | bool)
else False }}'
# ]]]
# .. envvar:: gitlab__ldap_base_dn [[[
#
# The base Distinguished Name which should be used to create Distinguished
# Names of the LDAP directory objects, defined as a YAML list. If this variable
# is empty, LDAP configuration will not be generated.
gitlab__ldap_base_dn: '{{ ansible_local.ldap.base_dn | d([]) }}'
# ]]]
# .. envvar:: gitlab__ldap_device_dn [[[
#
# The Distinguished Name of the current host LDAP object, defined as a YAML
# list. It will be used as a base for the GitLab service account LDAP object.
# If the list is empty, the role will not create the account LDAP object
# automatically.
gitlab__ldap_device_dn: '{{ ansible_local.ldap.device_dn | d([]) }}'
# ]]]
# .. envvar:: gitlab__ldap_self_rdn [[[
#
# The Relative Distinguished Name of the account LDAP object used by the
# GitLab service to access the LDAP directory.
gitlab__ldap_self_rdn: 'uid=gitlab'
# ]]]
# .. envvar:: gitlab__ldap_self_object_classes [[[
#
# List of the LDAP object classes which will be used to create the LDAP object
# used by the Gitlab service to access the LDAP directory.
gitlab__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
# ]]]
# .. envvar:: gitlab__ldap_self_attributes [[[
#
# YAML dictionary that defines the attributes of the LDAP object used by the
# GitLab service to access the LDAP directory.
gitlab__ldap_self_attributes:
uid: '{{ gitlab__ldap_self_rdn.split("=")[1] }}'
userPassword: '{{ gitlab__ldap_bindpw }}'
host: '{{ [ansible_fqdn, ansible_hostname] | unique }}'
description: 'Account used by the "GitLab" service to access the LDAP directory'
# ]]]
# .. envvar:: gitlab__ldap_binddn [[[
#
# The Distinguished Name of the account LDAP object used by the
# GitLab service to bind to the LDAP directory.
gitlab__ldap_binddn: '{{ ([gitlab__ldap_self_rdn] + gitlab__ldap_device_dn) | join(",") }}'
# ]]]
# .. envvar:: gitlab__ldap_bindpw [[[
#
# The password stored in the account LDAP object used by the GitLab service to
# bind to the LDAP directory.
gitlab__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
+ gitlab__ldap_binddn | to_uuid + ".password length=32"))
if gitlab__ldap_enabled | bool
else "" }}'
# ]]]
# .. envvar:: gitlab__ldap_label [[[
#
# Specify the name of the LDAP server displayed on the login page.
gitlab__ldap_label: 'LDAP'
# ]]]
# .. envvar:: gitlab__ldap_host [[[
#
# FQDN address of the LDAP server to connect to.
gitlab__ldap_host: '{{ ansible_local.ldap.hosts | d([""]) | first }}'
# ]]]
# .. envvar:: gitlab__ldap_port [[[
#
# The LDAP service port to use for connections.
gitlab__ldap_port: '{{ ansible_local.ldap.port | d("389") }}'
# ]]]
# .. envvar:: gitlab__ldap_encryption [[[
#
# The encryption method that should be used to connect to the LDAP server.
# Available methods: ``start_tls``, ``simple_tls``, ``plain``.
gitlab__ldap_encryption: '{{ "start_tls"
if ((ansible_local.ldap.start_tls | d()) | bool)
else "simple_tls" }}'
# ]]]
# .. envvar:: gitlab__ldap_timeout [[[
#
# Set timeout in seconds for LDAP queries.
gitlab__ldap_timeout: '10'
# ]]]
# .. envvar:: gitlab__ldap_activedirectory [[[
#
# Enable or disable support for ActiveDirectory servers.
gitlab__ldap_activedirectory: False
# ]]]
# .. envvar:: gitlab__ldap_account_attribute [[[
#
# Name of the LDAP attribute to use for account lookups. On plain LDAP servers
# it's usually ``uid``, on older ActiveDirectory installations it could be
# ``sAMAccountName``.
gitlab__ldap_account_attribute: '{{ "sAMAccountName"
if (gitlab__ldap_activedirectory | bool)
else "uid" }}'
# ]]]
# .. envvar:: gitlab__ldap_user_filter [[[
#
# LDAP search query which will be used by the GitLab service to filter the
# available user accounts.
gitlab__ldap_user_filter: '(&
(objectClass=inetOrgPerson)
(|
(authorizedService=all)
(authorizedService=gitlab)
(authorizedService=web:public)
)
)'
# ]]]
# .. envvar:: gitlab__ldap_username_or_email_login [[[
#
# If this variable is enabled, GitLab will ignore everything
# after the first '@' in the LDAP username submitted by the user on login.
#
# Example:
# - the user enters ``jane.doe@example.com`` and ``p@ssw0rd`` as LDAP
# credentials;
# - GitLab queries the LDAP server with ``jane.doe`` and ``p@ssw0rd``.
#
# If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
# disable this setting, because the userPrincipalName contains an '@'.
gitlab__ldap_username_or_email_login: '{{ True
if (gitlab__ldap_account_attribute in
["uid", "sAMAccountName"])
else False }}'
# ]]]
# .. envvar:: gitlab__ldap_block_auto_created_users [[[
#
# Enable this setting to keep new LDAP users blocked until they have been
# cleared by the admin.
gitlab__ldap_block_auto_created_users: False
# ]]]
# .. envvar:: gitlab__ldap_lowercase_usernames [[[
#
# If enabled, GitLab will convert usernames to lowercase before searching the
# for the LDAP user accounts.
gitlab__ldap_lowercase_usernames: True
# ]]]
# ]]]
# GitLab backup options [[[
# -------------------------
# .. envvar:: gitlab__backup_enabled [[[
#
# When enabled, the role will configure the :command:`cron` service to
# periodically perform backups of the GitLab Omnibus installation. If this
# parameter is set to ``False``, the :command:`cron` configuration will be
# removed.
gitlab__backup_enabled: True
# ]]]
# .. envvar:: gitlab__backup_frequency [[[
#
# Select the GitLab Omnibus backup frequency (either ``daily``, ``weekly`` or
# ``monthly``).
gitlab__backup_frequency: 'daily'
# ]]]
# .. envvar:: gitlab__backup_keep_time [[[
#
# How long to store backups for, in seconds.
gitlab__backup_keep_time: '{{ (60 * 60 * 24 * 7) | int }}'
# ]]]
# .. envvar:: gitlab__backup_path [[[
#
# Absolute path to the directory where GitLab Omnibus backups are stored and
# managed.
gitlab__backup_path: '/var/opt/gitlab/backups'
# ]]]
# .. envvar:: gitlab__backup_exclude_directories [[[
#
# Choose what should be excluded from the backup. An empty list means that
# nothing will be excluded from the backup.
# Reference: https://docs.gitlab.com/ee/raketasks/backup_gitlab.html#excluding-specific-directories-from-the-backup
gitlab__backup_exclude_directories: []
# ]]]
# .. envvar:: gitlab__backup_default_environment [[[
#
# YAML dictionary with default environment variables which should be present in
# the GitLab backup :command:`cron` job. Dictionary keys are the variable
# names, dictionary values are the variable values. An empty value removes the
# variable from the generated configuration file.
gitlab__backup_default_environment:
CRON: '1'
SKIP: '{{ gitlab__backup_exclude_directories | join(",") }}'
# ]]]
# .. envvar:: gitlab__backup_environment [[[
#
# YAML dictionary with custom environment variables which should be present in
# the GitLab backup :command:`cron` job. Dictionary keys are the variable
# names, dictionary values are the variable values. An empty value removes the
# variable from the generated configuration file. This variable is combined
# with the default environment variable.
gitlab__backup_environment: {}
# ]]]
# ]]]
# GitLab Omnibus configuration file [[[
# -------------------------------------
# The lists below define the contents of the :file:`/etc/gitlab/gitlab.rb`
# configuration file which manages the GitLab Omnibus installation. The role
# maintains the configuration file using the :ref:`universal_configuration`
# system. See :ref:`gitlab__ref_configuration` for more details.
# .. envvar:: gitlab__default_configuration [[[
#
# The default configuration options for GitLab Omnibus defined by the role.
gitlab__default_configuration:
- name: 'preamble-comment'
title: 'GitLab configuration settings'
comment: |
This file is generated during initial installation and **is not** modified
during upgrades.
Check out the latest version of this file to know about the different
settings that can be configured, when they were introduced and why:
https://gitlab.com/gitlab-org/omnibus-gitlab/blame/master/files/gitlab-config-template/gitlab.rb.template
Locally, the complete template corresponding to the installed version can be found at:
/opt/gitlab/etc/gitlab.rb.template
You can run `gitlab-ctl diff-config` to compare the contents of the current gitlab.rb with
the gitlab.rb.template from the currently running version.
You can run `gitlab-ctl show-config` to display the configuration that will be generated by
running `gitlab-ctl reconfigure`
state: 'present'
- name: 'external_url'
title: 'GitLab URL'
comment: |
URL on which GitLab will be reachable.
For more details on configuring external_url see:
https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-the-external-url-for-gitlab
value: '{{ (("https://") if gitlab__pki_enabled | bool else ("http://"))
+ gitlab__fqdn }}'
- name: 'registry_external_url'
title: 'GitLab Container Registry URL'
comment: |
URL on which GitLab Container Registry will be reachable. By default we
use the same FQDN as the main GitLab installation with a separate TCP
port; see the documentation to find out how to publish the Registry on
a separate FQDN.
value: '{{ (("https://") if gitlab__pki_enabled | bool else ("http://"))
+ gitlab__fqdn + ":" + gitlab__registry_port }}'
- name: 'roles'
title: 'Roles for multi-instance GitLab'
comment: |
The default is to have no roles enabled, which results in GitLab running as an all-in-one instance.
Options:
redis_sentinel_role redis_master_role redis_replica_role geo_primary_role geo_secondary_role
postgres_role consul_role application_role monitoring_role
For more details on each role, see:
https://docs.gitlab.com/omnibus/roles/README.html#roles
value: [ 'redis_sentinel_role', 'redis_master_role' ]
state: 'comment'
- name: 'legend-comment'
title: 'Legend'
comment: |
The following notations at the beginning of each line may be used to
differentiate between components of this file and to easily select them using
a regex.
## Titles, subtitles etc
##! More information - Description, Docs, Links, Issues etc.
Configuration settings have a single # followed by a single space at the
beginning; Remove them to enable the setting.
**Configuration settings below are optional.**
state: 'present'
- name: 'header-comment'
raw: |
################################################################################
################################################################################
## Configuration Settings for GitLab CE and EE ##
################################################################################
################################################################################
################################################################################
## gitlab.yml configuration
##! Docs: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md
################################################################################
state: 'present'
separator: True
- name: 'gitlab_rails'
options:
- name: 'time_zone'
title: 'Set the time zone of the GitLab Omnibus installation'
value: '{{ ansible_local.tzdata.timezone | d("UTC") }}'
state: 'present'
- name: 'backup_path'
title: 'Absolute path where GitLab backups are stored'
value: '{{ gitlab__backup_path }}'
state: '{{ "present"
if (gitlab__backup_path != "/var/opt/gitlab/backups")
else "comment" }}'
- name: 'backup_keep_time'
title: 'The duration in seconds to keep backups before they are allowed to be deleted'
value: '{{ gitlab__backup_keep_time }}'
state: '{{ "present"
if (gitlab__backup_keep_time | string != "604800")
else "comment" }}'
- name: 'ldap_enabled'
title: 'LDAP Settings'
comment: |
Docs: https://docs.gitlab.com/omnibus/settings/ldap.html
**Be careful not to break the indentation in the ldap_servers block. It is
in yaml format and the spaces must be retained. Using tabs will not work.**
value: '{{ ansible_local.ldap.enabled | d(False) }}'
state: '{{ "present" if gitlab__ldap_enabled | bool else "comment" }}'
- name: 'prevent_ldap_sign_in'
value: False
state: 'comment'
- name: 'ldap_servers'
title: "**remember to close this block with 'EOS' below**"
raw: |
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
main: # 'main' is the GitLab 'provider ID' of this LDAP server
label: '{{ gitlab__ldap_label }}'
host: '{{ gitlab__ldap_host }}'
port: {{ gitlab__ldap_port }}
uid: '{{ gitlab__ldap_account_attribute }}'
bind_dn: '{{ gitlab__ldap_binddn }}'
password: '{{ gitlab__ldap_bindpw }}'
encryption: '{{ gitlab__ldap_encryption }}' # "start_tls" or "simple_tls" or "plain"
verify_certificates: true
smartcard_auth: false
active_directory: {{ gitlab__ldap_activedirectory | lower }}
allow_username_or_email_login: {{ gitlab__ldap_username_or_email_login | lower }}
lowercase_usernames: {{ gitlab__ldap_lowercase_usernames | lower }}
block_auto_created_users: {{ gitlab__ldap_block_auto_created_users | lower }}
base: '{{ gitlab__ldap_base_dn | join(",") }}'
user_filter: '{{ gitlab__ldap_user_filter }}'
## EE only
group_base: ''
admin_group: ''
sync_ssh_keys: false
EOS
state: '{{ "present" if gitlab__ldap_enabled | bool else "comment" }}'
- name: 'nginx'
options:
- name: 'redirect_http_to_https'
title: 'Enable HTTP to HTTPS redirection in nginx'
value: '{{ True if gitlab__pki_enabled | bool else False }}'
state: 'present'
- name: 'package'
options:
- name: 'modify_kernel_parameters'
comment: |
Attempt to modify kernel parameters. To skip this in containers where
the relevant file system is read-only, set the value to false.
value: '{{ False
if ("container" in (ansible_virtualization_tech_guest | d([])))
else True }}'
state: '{{ "present"
if ("container" in (ansible_virtualization_tech_guest | d([])))
else "comment" }}'
# ]]]
# .. envvar:: gitlab__configuration [[[
#
# The configuration options for GitLab Omnibus defined on all hosts in the
# Ansible inventory.
gitlab__configuration: []
# ]]]
# .. envvar:: gitlab__group_configuration [[[
#
# The configuration options for GitLab Omnibus defined on hosts in a specific
# Ansible inventory group.
gitlab__group_configuration: []
# ]]]
# .. envvar:: gitlab__host_configuration [[[
#
# The configuration options for GitLab Omnibus defined on specific hosts in the
# Ansible inventory.
gitlab__host_configuration: []
# ]]]
# .. envvar:: gitlab__combined_configuration [[[
#
# Variable which combines all GitLab Omnibus configuration variables and is
# used in role tasks and templates.
gitlab__combined_configuration: '{{ gitlab__default_configuration
+ gitlab__configuration
+ gitlab__group_configuration
+ gitlab__host_configuration }}'
# ]]]
# ]]]
# Configuration for other Ansible roles [[[
# -----------------------------------------
# .. envvar:: gitlab__apt_preferences__dependent_list [[[
#
# Configuration for the :ref:`debops.apt_preferences` Ansible role.
gitlab__apt_preferences__dependent_list:
- filename: 'gitlab.pref'
package: '{{ "gitlab-ce"
if (gitlab__edition == "community")
else ("gitlab-ee"
if (gitlab__edition == "enterprise")
else "") }}'
version: '{{ gitlab__preferred_version }}'
state: 'present'
# ]]]
# .. envvar:: gitlab__etc_services__dependent_list [[[
#
# List of custom :file:`/etc/services` to configure for the :ref:`debops.etc_services`
# Ansible role.
gitlab__etc_services__dependent_list:
- name: 'container-registry'
port: '{{ gitlab__registry_port }}'
protocols: [ 'tcp' ]
comment: 'GitLab Omnibus Container Registry'
# ]]]
# .. envvar:: gitlab__keyring__dependent_apt_keys [[[
#
# List of APT repositories and GPG keys managed by the :ref:`debops.keyring`
# Ansible role.
gitlab__keyring__dependent_apt_keys:
- id: 'F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F'
repo: 'deb https://packages.gitlab.com/gitlab/gitlab-ee/debian/ {{ ansible_distribution_release }} main'
filename: 'gitlab_ee'
state: '{{ "present"
if (gitlab__edition == "enterprise")
else "absent" }}'
# ]]]
# .. envvar:: gitlab__extrepo__dependent_sources [[[
#
# List of APT repository sources managed by the :ref:`debops.extrepo` Ansible
# role.
gitlab__extrepo__dependent_sources:
- name: 'gitlab_ce'
state: '{{ "present"
if (gitlab__edition == "community")
else "absent" }}'
# ]]]
# .. envvar:: gitlab__ferm__dependent_rules [[[
#
# Configuration for the :ref:`debops.ferm` Ansible role.
gitlab__ferm__dependent_rules:
- name: 'gitlab_services'
type: 'accept'
by_role: 'debops.gitlab'
dport: '{{ gitlab__firewall_ports }}'
saddr: '{{ gitlab__allow + gitlab__group_allow + gitlab__host_allow }}'
accept_any: True
rule_state: 'present'
# ]]]
# .. envvar:: gitlab__ldap__dependent_tasks [[[
#
# Configuration for the :ref:`debops.ldap` Ansible role.
gitlab__ldap__dependent_tasks:
- name: 'Create GitLab account for {{ gitlab__ldap_device_dn | join(",") }}'
dn: '{{ gitlab__ldap_binddn }}'
objectClass: '{{ gitlab__ldap_self_object_classes }}'
attributes: '{{ gitlab__ldap_self_attributes }}'
no_log: '{{ debops__no_log | d(True) }}'
state: '{{ "present" if gitlab__ldap_device_dn | d() else "ignore" }}'
# ]]]
# ]]]

36
ansible_collections/debops/debops/roles/gitlab/meta/main.yml Normal file
View file

@ -0,0 +1,36 @@
---
# Copyright (C) 2015-2022 Maciej Delmanowski <drybjed@gmail.com>
# Copyright (C) 2015-2022 DebOps <https://debops.org/>
# SPDX-License-Identifier: GPL-3.0-only
# Ensure that custom Ansible plugins and modules included in the main DebOps
# collection are available to roles in other collections.
collections: [ 'debops.debops' ]
dependencies: []
galaxy_info:
author: 'Maciej Delmanowski'
description: 'Install, upgrade and manage GitLab Omnibus instance'
company: 'DebOps'
license: 'GPL-3.0-only'
min_ansible_version: '2.1.0'
platforms:
- name: 'Ubuntu'
versions: [ 'all' ]
- name: 'Debian'
versions: [ 'all' ]
galaxy_tags:
- gitlab
- gitlabci
- git
- webapp
- rails
- development
- programming
- ci

122
ansible_collections/debops/debops/roles/gitlab/tasks/main.yml Normal file
View file

@ -0,0 +1,122 @@
---
# Copyright (C) 2015-2022 Maciej Delmanowski <drybjed@gmail.com>
# Copyright (C) 2015-2022 DebOps <https://debops.org/>
# SPDX-License-Identifier: GPL-3.0-only
- name: Import DebOps global handlers
ansible.builtin.import_role:
name: 'global_handlers'
- name: Import DebOps secret role
ansible.builtin.import_role:
name: 'secret'
- name: Make sure that Ansible local facts directory exists
ansible.builtin.file:
path: '/etc/ansible/facts.d'
state: 'directory'
mode: '0755'
- name: Save information about GitLab in Ansible Facts
ansible.builtin.template:
src: 'etc/ansible/facts.d/gitlab.fact.j2'
dest: '/etc/ansible/facts.d/gitlab.fact'
mode: '0755'
notify: [ 'Refresh host facts' ]
tags: [ 'meta::facts' ]
- name: Flush handlers if needed
ansible.builtin.meta: 'flush_handlers'
- name: Create GitLab UNIX system group
ansible.builtin.group:
name: '{{ gitlab__group }}'
state: 'present'
system: True
- name: Create GitLab UNIX system account
ansible.builtin.user:
name: '{{ gitlab__user }}'
group: '{{ gitlab__group }}'
groups: '{{ gitlab__additional_groups }}'
comment: '{{ gitlab__comment }}'
home: '{{ gitlab__home }}'
shell: '{{ gitlab__shell }}'
state: 'present'
append: True
system: True
- name: Create GitLab configuration directories
ansible.builtin.file:
path: '{{ item.path }}'
state: 'directory'
mode: '{{ item.mode }}'
loop:
- { path: '/etc/gitlab/ssl', mode: '0755' }
- { path: '/etc/gitlab/trusted-certs', mode: '0755' }
- name: Manage CA certificate symlinks in GitLab environment
ansible.builtin.file: # noqa risky-file-permissions
path: '{{ "/etc/gitlab/trusted-certs/" + item.link }}'
src: '{{ item.src }}'
state: '{{ item.state | d("link") }}'
loop: '{{ q("flattened", (gitlab__ssl_default_cacerts + gitlab__ssl_cacerts)) }}'
notify: [ 'Restart GitLab Omnibus' ]
when: gitlab__pki_enabled | bool
- name: Manage private key and SSL certificate symlinks in GitLab environment
ansible.builtin.file: # noqa risky-file-permissions
path: '{{ "/etc/gitlab/ssl/" + item.link }}'
src: '{{ item.src }}'
state: '{{ item.state | d("link") }}'
loop: '{{ q("flattened", (gitlab__ssl_default_symlinks + gitlab__ssl_symlinks)) }}'
notify: [ 'Restart GitLab Omnibus' ]
when: gitlab__pki_enabled | bool
- name: Generate GitLab Omnibus configuration
ansible.builtin.template:
src: 'etc/gitlab/gitlab.rb.j2'
dest: '/etc/gitlab/gitlab.rb'
mode: '0600'
notify: [ 'Reconfigure GitLab Omnibus' ]
no_log: '{{ debops__no_log | d(True) }}'
- name: Remove GitLab Omnibus backup cron job if requested
ansible.builtin.file:
path: '/etc/cron.d/backup-gitlab-omnibus'
state: 'absent'
when: not gitlab__backup_enabled | bool
- name: Configure GitLab Omnibus backup cron job
ansible.builtin.template:
src: 'etc/cron.d/backup-gitlab-omnibus.j2'
dest: '/etc/cron.d/backup-gitlab-omnibus'
mode: '0644'
when: gitlab__backup_enabled | bool
- name: Make sure that PKI hook directory exists
ansible.builtin.file:
path: '{{ gitlab__pki_hook_path }}'
state: 'directory'
owner: 'root'
group: 'root'
mode: '0755'
when: gitlab__pki_enabled | bool
- name: Manage PKI gitlab hook
ansible.builtin.template:
src: '{{ lookup("debops.debops.template_src", "etc/pki/hooks/gitlab.j2") }}'
dest: '{{ gitlab__pki_hook_path + "/gitlab" }}'
owner: 'root'
group: 'root'
mode: '0755'
when: gitlab__pki_enabled | bool
- name: Install GitLab APT packages
environment:
GITLAB_ROOT_PASSWORD: '{{ gitlab__initial_root_password }}'
ansible.builtin.package:
name: '{{ q("flattened", gitlab__base_packages + gitlab__packages) }}'
state: 'present'
register: gitlab__register_packages
until: gitlab__register_packages is succeeded

49
ansible_collections/debops/debops/roles/gitlab/templates/etc/ansible/facts.d/gitlab.fact.j2 Normal file
View file

@ -0,0 +1,49 @@
#!{{ ansible_python['executable'] }}
# -*- coding: utf-8 -*-
# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
# Copyright (C) 2022 DebOps <https://debops.org/>
# SPDX-License-Identifier: GPL-3.0-only
# {{ ansible_managed }}
from __future__ import print_function
from json import loads, dumps
from sys import exit
import subprocess
import signal
import os
def cmd_exists(cmd):
return any(
os.access(os.path.join(path, cmd), os.X_OK)
for path in os.environ["PATH"].split(os.pathsep)
)
output = {}
output['installed'] = cmd_exists('gitlab-ctl')
output['omnibus'] = cmd_exists('gitlab-ctl')
if output['omnibus']:
try:
version_stdout = subprocess.check_output(
["dpkg-query", "-W", "-f=${Version}",
"gitlab-ce"]).decode('utf-8').split('-')[0]
if version_stdout:
output['version'] = version_stdout
output['edition'] = 'community'
else:
version_stdout = subprocess.check_output(
["dpkg-query", "-W", "-f=${Version}",
"gitlab-ee"]).decode('utf-8').split('-')[0]
if version_stdout:
output['version'] = version_stdout
output['edition'] = 'enterprise'
except Exception:
pass
print(dumps(output, sort_keys=True, indent=4))

18
ansible_collections/debops/debops/roles/gitlab/templates/etc/cron.d/backup-gitlab-omnibus.j2 Normal file
View file

@ -0,0 +1,18 @@
{# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
# Copyright (C) 2022 DebOps <https://debops.org/>
# SPDX-License-Identifier: GPL-3.0-only
#}
# {{ ansible_managed }}
# Create a backup of the GitLab Omnibus installation.
# Backup tarballs are stored in {{ gitlab__backup_path }}
# Environment variables
{% for key, value in (gitlab__backup_environment | combine(gitlab__backup_default_environment)) | dictsort %}
{% if value %}
{{ '{}={}'.format(key | upper, value) }}
{% endif %}
{% endfor %}
# Cron job
@{{ gitlab__backup_frequency }} root test -x /usr/bin/gitlab-backup && /usr/bin/gitlab-backup create

112
ansible_collections/debops/debops/roles/gitlab/templates/etc/gitlab/gitlab.rb.j2 Normal file
View file

@ -0,0 +1,112 @@
{# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
# Copyright (C) 2022 DebOps <https://debops.org/>
# SPDX-License-Identifier: GPL-3.0-only
#}
# {{ ansible_managed }}
{% for item in gitlab__combined_configuration | debops.debops.parse_kv_items %}
{% if item.state not in [ 'absent', 'ignore', 'init' ] %}
{% if item.separator | d() %}
{{ '' }}
{% endif %}
{% if (item.title | d() or item.comment | d()) and not loop.first %}
{{ '' }}
{% endif %}
{% if item.title | d() %}
{{ item.title | regex_replace('\n$','') | comment(prefix='', postfix='', decoration='## ') -}}
{% endif %}
{% if item.comment | d() %}
{{ item.comment | regex_replace('\n$','') | comment(prefix='', postfix='', decoration='##! ') -}}
{% endif %}
{% set item_comment = '' %}
{% if item.state == 'comment' %}
{% set item_comment = '# ' %}
{% endif %}
{% if item.raw | d() %}
{% if item.state == 'comment' %}
{{ item.raw | regex_replace('\n$','') | comment(prefix='', postfix='', decoration='# ') -}}
{% else %}
{{ item.raw | regex_replace('\n$','') }}
{% endif %}
{% elif item.value is defined %}
{% if item.value | bool and item.value is not iterable %}
{% if item.value | string == '1' %}
{{ "{}{} {}".format(item_comment, item.name, item.value) }}
{% else %}
{{ "{}{} {}".format(item_comment, item.name, 'true') }}
{% endif %}
{% elif not item.value | bool and item.value is not iterable %}
{% if item.value is not none %}
{% if item.value | int or item.value | string == '0' %}
{{ "{}{} {}".format(item_comment, item.name, item.value) }}
{% else %}
{{ "{}{} {}".format(item_comment, item.name, 'false') }}
{% endif %}
{% endif %}
{% elif item.value is string %}
{% if item.value == 'nil' %}
{{ "{}{} {}".format(item_comment, item.name, item.value) }}
{% else %}
{{ "{}{} '{}'".format(item_comment, item.name, item.value) }}
{% endif %}
{% elif item.value is number %}
{{ "{}{} {}".format(item_comment, item.name, item.value) }}
{% elif item.value is not string and item.value is not mapping %}
{{ "{}{} {}".format(item_comment, item.name, "['" + item.value | join("', '") + "']") }}
{% endif %}
{% elif item.options | d() %}
{% for element in item.options %}
{% if element.state not in [ 'absent', 'ignore', 'init' ] %}
{% if (element.title | d() or element.comment | d()) %}
{{ '' }}
{% endif %}
{% if element.title | d() %}
{{ element.title | regex_replace('\n$','') | comment(prefix='', postfix='', decoration='## ') -}}
{% endif %}
{% if element.comment | d() %}
{{ element.comment | regex_replace('\n$','') | comment(prefix='', postfix='', decoration='##! ') -}}
{% endif %}
{% set element_comment = '' %}
{% if element.state == 'comment' %}
{% set element_comment = '# ' %}
{% endif %}
{% if element.raw | d() %}
{% if element.state == 'comment' %}
{{ element.raw | regex_replace('\n$','') | comment(prefix='', postfix='', decoration='# ') -}}
{% else %}
{{ element.raw | regex_replace('\n$','') }}
{% endif %}
{% elif element.value is defined %}
{% if element.value | bool and element.value is not iterable %}
{% if element.value | string == '1' %}
{{ "{}{}['{}'] = {}".format(element_comment, item.name, element.name, element.value) }}
{% else %}
{{ "{}{}['{}'] = {}".format(element_comment, item.name, element.name, 'true') }}
{% endif %}
{% elif not element.value | bool and element.value is not iterable %}
{% if element.value is not none %}
{% if element.value | int or element.value | string == '0' %}
{{ "{}{}['{}'] = {}".format(element_comment, item.name, element.name, element.value) }}
{% else %}
{{ "{}{}['{}'] = {}".format(element_comment, item.name, element.name, 'false') }}
{% endif %}
{% endif %}
{% elif element.value is string %}
{% if element.value == 'nil' %}
{{ "{}{}['{}'] = {}".format(element_comment, item.name, element.name, element.value) }}
{% else %}
{{ "{}{}['{}'] = '{}'".format(element_comment, item.name, element.name, element.value) }}
{% endif %}
{% elif element.value is number %}
{{ "{}{}['{}'] = {}".format(element_comment, item.name, element.name, element.value) }}
{% elif element.value is not string and element.value is not mapping %}
{{ "{}{}['{}'] = {}".format(element_comment, item.name, element.name, "['" + element.value | join("', '") + "']") }}
{% endif %}
{% else %}
{{ "{}{}['{}'] = []".format(element_comment, item.name, element.name) }}
{% endif %}
{% endif %}
{% endfor %}
{% endif %}
{% endif %}
{% endfor %}

40
ansible_collections/debops/debops/roles/gitlab/templates/etc/pki/hooks/gitlab.j2 Normal file
View file

@ -0,0 +1,40 @@
#!/usr/bin/env bash
# Copyright (C) 2025 Maciej Delmanowski <drybjed@drybjed.net>
# Copyright (C) 2025 DebOps <https://debops.org/>
# SPDX-License-Identifier: GPL-3.0-only
# {{ ansible_managed }}
# Restart GitLab Omnibus nginx service on a certificate state change
set -o nounset -o pipefail -o errexit
# Check if any GitLab Omnibus certificates are symlinked from the current PKI realm
certificate="$(find /etc/gitlab/ssl -type l -exec readlink -f {} + | grep "/etc/pki/realms/${PKI_SCRIPT_REALM}" || true)"
# Get list of current realm states
read -r -a states <<< "$(echo "${PKI_SCRIPT_STATE:-}" | tr "," " ")"
if [ -n "${certificate}" ] && [[ ${states[*]} ]] ; then
for state in "${states[@]}" ; do
if [ "${state}" = "changed-certificate" ] || [ "${state}" = "changed-dhparam" ] ; then
# Check if current init is systemd
if pidof systemd > /dev/null 2>&1 ; then
gitlab_state="$(systemctl is-active gitlab-runsvdir.service)"
if [ "${gitlab_state}" = "active" ] ; then
gitlab-ctl restart nginx
fi
fi
break
fi
done
fi