- name: Install docker dependencies
pacman: name=docker,python-docker state=present
- name: Start docker
service: name=docker enabled=yes state=started
- name: Create directories for gitlab
file: path={{ item }} state=directory owner=root group=root mode=0755
loop:
- /srv/gitlab
- /srv/gitlab/scripts
- name: Start docker gitlab image
docker_container:
name: gitlab
image: gitlab/gitlab-ee:latest
domainname: "{{ gitlab_domain }}"
hostname: "{{ gitlab_domain }}"
container_default_behavior: compatibility
network_mode: host
pull: true
restart_policy: always
log_driver: none
env:
# See https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template
# 1. In order to figure out what needs to go into 'idp_cert_fingerprint', run
# one-shots/keycloak-keyfetcher/get_fingerprint.sh and copy the resulting SHA1 fingerprint into that field.
# 2. In order to logout properly we need to configure the "After sign out path" and set it to
# https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https%3A//gitlab.archlinux.org
# https://gitlab.com/gitlab-org/gitlab/issues/14414
#
# In addition, see https://docs.gitlab.com/ee/administration/pages/ for the GitLab Pages trickery done below.
# Basically, we only allow specific GitLab Pages with custom domains to work. We don't want to enable everyone
# to be able to have a GitLab Page on purpose (for security and legal safety reasons).
GITLAB_OMNIBUS_CONFIG: |
external_url 'https://{{ gitlab_domain }}'
registry_external_url 'https://registry.archlinux.org'
nginx['client_max_body_size'] = '10g'
nginx['listen_addresses'] = {{ gitlab_primary_addresses }}
nginx['custom_gitlab_server_config'] = "set $bypass 0;\nif ($remote_addr = \"{{ hostvars['gemini.archlinux.org']['ipv4_address'] }}\") {\nset $bypass 1;\n}\nif ($remote_addr = \"{{ hostvars['gemini.archlinux.org']['ipv6_address'] }}\") {\nset $bypass 1;\n}\nproxy_set_header Gitlab-Bypass-Rate-Limiting $bypass;\n"
registry_nginx['listen_addresses'] = {{ gitlab_primary_addresses }}
gitlab_pages['inplace_chroot'] = true
pages_external_url "http://{{ gitlab_domain }}"
pages_nginx['enable'] = false
gitlab_pages['external_http'] = {{ gitlab_pages_http_addresses }}
gitlab_pages['external_https'] = {{ gitlab_pages_https_addresses }}
gitlab_pages['rate_limit_source_ip'] = 10.0
gitlab_pages['rate_limit_source_ip_burst'] = 300
gitlab_pages['env'] = { 'FF_ENFORCE_IP_RATE_LIMITS' => 'true', 'FF_CONFIGURABLE_ROOT_DIR' => 'true', 'FF_ENABLE_DOMAIN_REDIRECT' => 'true' }
letsencrypt['enable'] = true
letsencrypt['contact_emails'] = ['webmaster@archlinux.org']
gitlab_rails['env'] = {'GITLAB_THROTTLE_BYPASS_HEADER' => 'Gitlab-Bypass-Rate-Limiting'}
gitlab_rails['lfs_enabled'] = true
gitlab_rails['gitlab_username_changing_enabled'] = false
gitlab_rails['initial_root_password'] = "{{ vault_gitlab_root_password }}"
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = 'mail.archlinux.org'
gitlab_rails['smtp_port'] = 465
gitlab_rails['smtp_user_name'] = 'gitlab'
gitlab_rails['smtp_password'] = "{{ vault_gitlab_root_password }}"
gitlab_rails['smtp_domain'] = 'gitlab.archlinux.org'
gitlab_rails['smtp_tls'] = true
gitlab_rails['smtp_openssl_verify_mode'] = 'peer'
gitlab_rails['gitlab_email_enabled'] = true
gitlab_rails['gitlab_email_from'] = 'gitlab@archlinux.org'
gitlab_rails['gitlab_email_display_name'] = 'GitLab'
gitlab_rails['gitlab_email_reply_to'] = 'noreply@archlinux.org'
gitlab_rails['gitlab_default_theme'] = 2
gitlab_rails['incoming_email_enabled'] = true
gitlab_rails['incoming_email_address'] = "gitlab+%{key}@archlinux.org"
gitlab_rails['incoming_email_email'] = "gitlab@archlinux.org"
gitlab_rails['incoming_email_password'] = "{{ vault_gitlab_root_password }}"
gitlab_rails['incoming_email_host'] = "mail.archlinux.org"
gitlab_rails['incoming_email_port'] = 993
gitlab_rails['incoming_email_ssl'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
{
name: 'saml',
label: 'Arch Linux SSO',
groups_attribute: 'Role',
admin_groups: ['DevOps'],
args: {
assertion_consumer_service_url: 'https://gitlab.archlinux.org/users/auth/saml/callback',
idp_cert_fingerprint: '75:43:93:1D:7A:F3:B6:16:51:FA:90:3C:E6:46:93:EA:DF:B6:28:8B',
idp_sso_target_url: 'https://accounts.archlinux.org/realms/archlinux/protocol/saml/clients/saml_gitlab',
idp_slo_target_url: 'https://accounts.archlinux.org/realms/archlinux/protocol/saml',
issuer: 'saml_gitlab',
attribute_statements: {
first_name: ['first_name'],
last_name: ['last_name'],
name: ['name'],
username: ['username'],
email: ['email'],
},
name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
}
}
]
prometheus_monitoring['enable'] = false
postgresql['shared_buffers'] = "8GB"
volumes:
- "/srv/gitlab/config:/etc/gitlab"
- "/srv/gitlab/logs:/var/log/gitlab"
- "/srv/gitlab/data:/var/opt/gitlab"
- "/srv/gitlab/scripts:/opt/gitlab-scripts:ro"
- name: Prune unused docker images
docker_prune:
images: true
- name: Setup 222 -> 22 port redirect
ansible.posix.firewalld: state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 forward-port port=222 protocol=tcp to-port=22"
tags:
- firewall
- name: Open firewall holes
ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes
when: configure_firewall
loop:
- "80/tcp"
- "443/tcp"
- "22/tcp"
- "222/tcp"
tags:
- firewall
- name: Install ruby script for extending bot tokens
template: src=gitlab-bot-token-extender.rb.j2 dest=/srv/gitlab/scripts/gitlab-bot-token-extender.rb owner=root group=root mode=0644
- name: Copy {gitlab-cleanup,gitlab-bot-token-extender} timer and service
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
loop:
- gitlab-cleanup.timer
- gitlab-cleanup.service
- gitlab-bot-token-extender.timer
- gitlab-bot-token-extender.service
- name: Activate systemd timers for gitlab-cleanup
systemd_service: name={{ item }} enabled=yes state=started daemon-reload=yes
loop:
- gitlab-cleanup.timer
- gitlab-bot-token-extender.timer