mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-18 08:06:16 +01:00
e586e45783
Adding docker0 to a trusted zone creates issues with the latest docker pkg. The daemon handles firewalld itself and errors since the interface is already in zone trusted and thus can't be handled by it's own zone.
65 lines
2.1 KiB
YAML
65 lines
2.1 KiB
YAML
---
|
|
|
|
- name: install dependencies
|
|
pacman: name=docker,python-docker,python-gitlab,gitlab-runner state=latest update_cache=yes
|
|
notify: restart gitlab-runner
|
|
|
|
- name: start docker
|
|
systemd: name=docker enabled=yes state=started daemon_reload=yes
|
|
|
|
- name: configure Docker daemon for IPv6
|
|
copy: src=daemon.json dest=/etc/docker/daemon.json owner=root group=root mode=0644
|
|
notify: restart docker
|
|
|
|
# We want to give our gitlab-runners full IPv6 capabilities. Sadly, IPv6 and Docker aren't friends. :(
|
|
# https://medium.com/@skleeschulte/how-to-enable-ipv6-for-docker-containers-on-ubuntu-18-04-c68394a219a2
|
|
# https://github.com/docker/docker.github.io/blob/c0eb65aabe4de94d56bbc20249179f626df5e8c3/engine/userguide/networking/default_network/ipv6.md
|
|
# https://github.com/moby/moby/issues/36954
|
|
- name: add IPv6 NAT for docker
|
|
ansible.posix.firewalld:
|
|
zone: public
|
|
permanent: true
|
|
state: enabled
|
|
immediate: yes
|
|
rich_rule: rule family="ipv6" destination not address="fd00::1/80" source address="fd00::/80" masquerade
|
|
when: configure_firewall
|
|
tags:
|
|
- firewall
|
|
|
|
- name: register gitlab-runner
|
|
command: >
|
|
gitlab-runner register
|
|
--non-interactive
|
|
--url=https://gitlab.archlinux.org/
|
|
--docker-image=alpine:latest
|
|
--tag-list=docker
|
|
--registration-token="{{ vault_gitlab_runner_registration_token }}"
|
|
--executor=docker
|
|
--description="{{ inventory_hostname }}"
|
|
--run-untagged=false
|
|
--docker-tlsverify=true
|
|
--locked=false
|
|
--access-level=not_protected
|
|
args:
|
|
creates: /etc/gitlab-runner/config.toml
|
|
|
|
- name: increase concurrency
|
|
lineinfile:
|
|
path: /etc/gitlab-runner/config.toml
|
|
owner: root
|
|
group: root
|
|
mode: 0600
|
|
regexp: '^concurrent = .*'
|
|
line: concurrent = 100
|
|
notify: restart gitlab-runner
|
|
|
|
- name: enable prometheus exporter
|
|
lineinfile:
|
|
path: /etc/gitlab-runner/config.toml
|
|
insertbefore: '^concurrent'
|
|
line: listen_address = ":{{ gitlab_runner_exporter_port }}"
|
|
notify: restart gitlab-runner
|
|
|
|
- name: enable and start gitlab runner service
|
|
systemd: name=gitlab-runner state=started enabled=yes daemon_reload=yes
|