Robin Candau authored 3 months ago and Robin Candau committed 2 months ago

See https://github.com/ansible/ansible/pull/77644

The project membership must also be extended, if not the user is simply
deleted when the membership expires (defeating the purpose of extending
the access tokens).

Fixes: 639101e6 ("gitlab: Add ruby script for continuous extending of bot tokens")

We are not on top of expiring bot tokens and we usually only notice when
someone else points it out.

It is also a bit cumbersome to add new bot tokens, so avoid the issue
altogether, by just extending the lifetime of the bot tokens
continuously.

Fix #617

Gitlab recommends a default value of 1/4th of the total memory here, but
since the previous value was 1MB we go for a bit more conservative
approach here.

Fixes: #615


Signed-off-by: Christian Heusel <christian@heusel.eu>

To shut up the linter.

This feature is needed for the static copy of bugs.a.o[2], to redirect
some of the migrated tasks to the new gitlab URLs.

[1] https://docs.gitlab.com/ee/user/project/pages/redirects.html#domain-level-redirects
[2] https://gitlab.archlinux.org/archlinux/bugs-archive/-/blob/snapshots/_redirects

As per docs: https://docs.gitlab.com/ee/user/project/pages/introduction.html#customize-the-default-folder

We do not want our packagers on gemini to hit the rate-limit.

gitlab_default_can_create_group is removed and setting it crashses
gitlab :/

With the ongoing git migration[1] our GitLab will gain a lot more usage,
so GitLab should get the default ssh port and then DevOps can use a
non-standard port.

We will redirect the old port (222) to the new port for some time, so
fetching won't break for existing local repositories.

[1] https://archlinux.org/news/git-migration-announcement/

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

It looks more professional and we can move it to a dedicated box if the
load increases.

Implement ip based rate limiting on gitlab-pages. This ensures we avoid
slowing down the gitlab server when extensive requests are made against
our gitlab-pages like WKD sync from Archlinux keyring service

https://docs.gitlab.com/ee/administration/pages/#rate-limits



Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

From [1]: "By default, the new Quarkus distribution removes /auth from
           the context-path."

[1] https://www.keycloak.org/migration/migrating-to-quarkus

ansible-lint 6.5.0 complains about:

  name: All names should start with an
        uppercase letter. (name[casing])

After starting a new container with the latest version of GitLab, opt to
remove older docker images so they do not take up disk space needlessly.

These are used to signal the start of the document in a stream of many
documents. As Ansible only supports one YAML document per file this is
unnecessary. About a third of our YAML documents already lacked these.

Since we are now using the local disk instead of a volume (which can be
scaled up easily) it helps to have a more consistent view of free space.

Thorben Günther authored 3 years ago and Kristian Klausen committed 2 years ago

Fix #364

No need to duplicate the logs from /srv/gitlab/logs/.

Using GitLab's official backup tool takes too much time and, more
importantly, space; /srv/gitlab is a bit over 430G but backing it
up nearly exhausts its 1TB volume.

As we're creating btrfs snapshots and backing those up with borg, it
seems unnecessary to also create tarballs of the same data. GitLab's
documentation mentions snapshots as a viable backup strategy, and to
the restored system it should seem like recovering from a power loss.

[1] https://docs.gitlab.com/ee/raketasks/backup_restore#alternative-backup-strategies

The gitlab logs are enormous, spammy and are half a terabyte per month.

The DNS resolution issue has been fixed[1][2].

[1] https://gitlab.com/gitlab-org/gitlab/-/issues/331699#note_635123263
[2] https://gitlab.com/gitlab-org/gitlab-pages/-/merge_requests/513

Fix #380

This reverts commit a863917f.

gitlab-pages uses the API source by default now[2] but DNS resolution is
broken[3] so we need to use the disk config source.
Reported upstream here[4].

[1] https://docs.gitlab.com/ee/administration/pages/#gitlab-pages-doesnt-work-after-upgrading-to-gitlab-140-or-above
[2] https://gitlab.com/gitlab-org/gitlab-pages/-/commit/9a30f40a785ffe586a79a75ebebabda5f513b76f
[3] https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/4243
[4] https://gitlab.com/gitlab-org/gitlab/-/issues/331699#note_608473496

As keycloak is the canonical source of truth and interacting with gitlab
usually requires the username as identifier. As we don't want to
accidently assign permissions to a changed username disallow changing of
usernames altogether in Gitlab.

yaml: truthy value should be one of [false, true] (truthy)
yaml: wrong indentation: expected 4 but found 2 (indentation)
yaml: too few spaces before comment (comments)
yaml: missing starting space in comment (comments)
yaml: too many blank lines (1 > 0) (empty-lines)
yaml: too many spaces after colon (colons)
yaml: comment not indented like content (comments-indentation)
yaml: no new line character at the end of file (new-line-at-end-of-file)
load-failure: Failed to load or parse file
parser-error: couldn't resolve module/action 'hosts'. This often indicates a misspelling, missing collection, or incorrect module path.

GitLab becomes unhappy if it can't poll localhost.

Kristian Klausen authored 4 years ago and Sven-Hendrik Haase committed 4 years ago

Fix #228

Gitlab uses IMAP to fetch incoming mails. IMAP used to run on port 143
until the recent migration which disabled that port. This change makes
gitlab use port 993 and implicit TLS.

This cuts some complexity while also getting rid of the Docker userspace proxy which is slow compared
to kernelspace routing.
It also allows us to make GitLab consume a second IP for GitLab Pages without too much fuckery.