Skip to content
Snippets Groups Projects
Code owners
Assign users and groups as approvers for specific file changes. Learn more.
main.yml 6.94 KiB
- name: Install docker dependencies
  pacman: name=docker,python-docker state=present

- name: Start docker
  service: name=docker enabled=yes state=started

- name: Create directories for gitlab
  file: path={{ item }} state=directory owner=root group=root mode=0755
  loop:
    - /srv/gitlab
    - /srv/gitlab/scripts

- name: Start docker gitlab image
  docker_container:
    name: gitlab
    image: gitlab/gitlab-ee:latest
    domainname: "{{ gitlab_domain }}"
    hostname: "{{ gitlab_domain }}"
    container_default_behavior: compatibility
    network_mode: host
    pull: true
    restart_policy: always
    log_driver: none
    env:
      # See https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template
      # 1. In order to figure out what needs to go into 'idp_cert_fingerprint', run
      # one-shots/keycloak-keyfetcher/get_fingerprint.sh and copy the resulting SHA1 fingerprint into that field.
      # 2. In order to logout properly we need to configure the "After sign out path" and set it to
      # https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https%3A//gitlab.archlinux.org
      # https://gitlab.com/gitlab-org/gitlab/issues/14414
      #
      # In addition, see https://docs.gitlab.com/ee/administration/pages/ for the GitLab Pages trickery done below.
      # Basically, we only allow specific GitLab Pages with custom domains to work. We don't want to enable everyone
      # to be able to have a GitLab Page on purpose (for security and legal safety reasons).
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://{{ gitlab_domain }}'
        registry_external_url 'https://registry.archlinux.org'
        nginx['client_max_body_size'] = '10g'
        nginx['listen_addresses'] = {{ gitlab_primary_addresses }}
        nginx['custom_gitlab_server_config'] = "set $bypass 0;\nif ($remote_addr = \"{{ hostvars['gemini.archlinux.org']['ipv4_address'] }}\") {\nset $bypass 1;\n}\nif ($remote_addr = \"{{ hostvars['gemini.archlinux.org']['ipv6_address'] }}\") {\nset $bypass 1;\n}\nproxy_set_header Gitlab-Bypass-Rate-Limiting $bypass;\n"
        registry_nginx['listen_addresses'] = {{ gitlab_primary_addresses }}
        gitlab_pages['inplace_chroot'] = true
        pages_external_url "http://{{ gitlab_domain }}"
        pages_nginx['enable'] = false
        gitlab_pages['external_http'] = {{ gitlab_pages_http_addresses }}
        gitlab_pages['external_https'] = {{ gitlab_pages_https_addresses }}
        gitlab_pages['rate_limit_source_ip'] = 10.0
        gitlab_pages['rate_limit_source_ip_burst'] = 300
        gitlab_pages['env'] = { 'FF_ENFORCE_IP_RATE_LIMITS' => 'true', 'FF_CONFIGURABLE_ROOT_DIR' => 'true', 'FF_ENABLE_DOMAIN_REDIRECT' => 'true' }
        letsencrypt['enable'] = true
        letsencrypt['contact_emails'] = ['webmaster@archlinux.org']
        gitlab_rails['env'] = {'GITLAB_THROTTLE_BYPASS_HEADER' => 'Gitlab-Bypass-Rate-Limiting'}
        gitlab_rails['lfs_enabled'] = true
        gitlab_rails['gitlab_username_changing_enabled'] = false
        gitlab_rails['initial_root_password'] = "{{ vault_gitlab_root_password }}"
        gitlab_rails['smtp_enable'] = true
        gitlab_rails['smtp_address'] = 'mail.archlinux.org'
        gitlab_rails['smtp_port'] = 465
        gitlab_rails['smtp_user_name'] = 'gitlab'
        gitlab_rails['smtp_password'] = "{{ vault_gitlab_root_password }}"
        gitlab_rails['smtp_domain'] = 'gitlab.archlinux.org'
        gitlab_rails['smtp_tls'] = true
        gitlab_rails['smtp_openssl_verify_mode'] = 'peer'
        gitlab_rails['gitlab_email_enabled'] = true
        gitlab_rails['gitlab_email_from'] = 'gitlab@archlinux.org'
        gitlab_rails['gitlab_email_display_name'] = 'GitLab'
        gitlab_rails['gitlab_email_reply_to'] = 'noreply@archlinux.org'
        gitlab_rails['gitlab_default_theme'] = 2
        gitlab_rails['incoming_email_enabled'] = true
        gitlab_rails['incoming_email_address'] = "gitlab+%{key}@archlinux.org"