---

- name: install docker dependencies
  pacman: name=docker,python-docker state=present

- name: start docker
  service: name=docker enabled=yes state=started

- name: start docker gitlab image
  docker_container:
    name: gitlab
    image: gitlab/gitlab-ee:latest
    domainname: "{{ gitlab_domain }}"
    hostname: "{{ gitlab_domain }}"
    published_ports:
      - "80:80"
      - "443:443"
      - "222:22"
    pull: yes
    restart_policy: always
    env:
      # See https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template
      # 1. In order to figure out what needs to go into 'idp_cert_fingerprint', run
      # one-shots/keycloak-keyfetcher/get_fingerprint.sh and copy the resulting SHA1 fingerprint into that field.
      # 2. In order to logout properly we need to configure the "After sign out path" and set it to
      # https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https%3A//gitlab.archlinux.org
      # https://gitlab.com/gitlab-org/gitlab/issues/14414
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://{{ gitlab_domain }}'
        letsencrypt['enable'] = true
        letsencrypt['contact_emails'] = ['webmaster@archlinux.org']
        gitlab_rails['lfs_enabled'] = false
        gitlab_rails['gitlab_shell_ssh_port'] = 222
        gitlab_rails['gitlab_default_can_create_group'] = false
        gitlab_rails['initial_root_password'] = "{{ vault_gitlab_root_password }}"
        gitlab_rails['smtp_enable'] = true
        gitlab_rails['smtp_address'] = 'mail.archlinux.org'
        gitlab_rails['smtp_port'] = 587
        gitlab_rails['smtp_user_name'] = 'gitlab'
        gitlab_rails['smtp_password'] = "{{ vault_gitlab_root_password }}"
        gitlab_rails['smtp_domain'] = 'gitlab.archlinux.org'
        gitlab_rails['smtp_enable_starttls_auto'] = true
        gitlab_rails['gitlab_email_enabled'] = true
        gitlab_rails['gitlab_email_from'] = 'gitlab@archlinux.org'
        gitlab_rails['gitlab_email_display_name'] = 'GitLab'
        gitlab_rails['gitlab_email_reply_to'] = 'noreply@archlinux.org'
        gitlab_rails['gitlab_default_theme'] = 2
        gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
        gitlab_rails['omniauth_block_auto_created_users'] = false
        gitlab_rails['omniauth_auto_link_saml_user'] = true
        gitlab_rails['omniauth_providers'] = [
          {
            name: 'saml',
            label: 'Arch Linux SSO',
            groups_attribute: 'Role',
            admin_groups: ['DevOps'],
            args: {
              assertion_consumer_service_url: 'https://gitlab.archlinux.org/users/auth/saml/callback',
              idp_cert_fingerprint: '75:43:93:1D:7A:F3:B6:16:51:FA:90:3C:E6:46:93:EA:DF:B6:28:8B',
              idp_sso_target_url: 'https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml/clients/saml_gitlab',
              idp_slo_target_url: 'https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml',
              issuer: 'saml_gitlab',
              attribute_statements: {
                first_name: ['first_name'],
                last_name: ['last_name'],
                name: ['name'],
                username: ['username'],
                email: ['email'],
              },
              name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
            }
          }
        ]
    volumes:
      - "/srv/gitlab/config:/etc/gitlab"
      - "/srv/gitlab/logs:/var/log/gitlab"
      - "/srv/gitlab/data:/var/opt/gitlab"

- name: open firewall holes
  firewalld: port={{ item }} permanent=true state=enabled immediate=yes
  when: configure_firewall
  with_items:
    - "80/tcp"
    - "443/tcp"
    - "222/tcp"
  tags:
    - firewall

- name: make docker0 interface trusted
  firewalld: interface=docker0 zone=trusted permanent=true state=enabled immediate=yes
  when: configure_firewall
  tags:
    - firewall