mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2024-05-05 15:16:26 +02:00
4112bdf9fd
yaml: truthy value should be one of [false, true] (truthy) yaml: wrong indentation: expected 4 but found 2 (indentation) yaml: too few spaces before comment (comments) yaml: missing starting space in comment (comments) yaml: too many blank lines (1 > 0) (empty-lines) yaml: too many spaces after colon (colons) yaml: comment not indented like content (comments-indentation) yaml: no new line character at the end of file (new-line-at-end-of-file) load-failure: Failed to load or parse file parser-error: couldn't resolve module/action 'hosts'. This often indicates a misspelling, missing collection, or incorrect module path.
120 lines
5.5 KiB
YAML
120 lines
5.5 KiB
YAML
---
|
|
|
|
- name: install docker dependencies
|
|
pacman: name=docker,python-docker state=present
|
|
|
|
- name: start docker
|
|
service: name=docker enabled=yes state=started
|
|
|
|
- name: copy sshd_config into place to change the port to 222
|
|
copy: src=sshd_config dest=/srv/gitlab/sshd_config owner=root group=root mode=640
|
|
|
|
- name: start docker gitlab image
|
|
docker_container:
|
|
name: gitlab
|
|
image: gitlab/gitlab-ee:latest
|
|
domainname: "{{ gitlab_domain }}"
|
|
hostname: "{{ gitlab_domain }}"
|
|
container_default_behavior: compatibility
|
|
network_mode: host
|
|
pull: true
|
|
restart_policy: always
|
|
env:
|
|
# See https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template
|
|
# 1. In order to figure out what needs to go into 'idp_cert_fingerprint', run
|
|
# one-shots/keycloak-keyfetcher/get_fingerprint.sh and copy the resulting SHA1 fingerprint into that field.
|
|
# 2. In order to logout properly we need to configure the "After sign out path" and set it to
|
|
# https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https%3A//gitlab.archlinux.org
|
|
# https://gitlab.com/gitlab-org/gitlab/issues/14414
|
|
#
|
|
# In addition, see https://docs.gitlab.com/ee/administration/pages/ for the GitLab Pages trickery done below.
|
|
# Basically, we only allow specific GitLab Pages with custom domains to work. We don't want to enable everyone
|
|
# to be able to have a GitLab Page on purpose (for security and legal safety reasons).
|
|
GITLAB_OMNIBUS_CONFIG: |
|
|
external_url 'https://{{ gitlab_domain }}'
|
|
nginx['client_max_body_size'] = '10g'
|
|
nginx['listen_addresses'] = {{ gitlab_primary_addresses }}
|
|
registry_nginx['listen_addresses'] = {{ gitlab_primary_addresses }}
|
|
gitlab_pages['inplace_chroot'] = true
|
|
pages_external_url "http://{{ gitlab_domain }}"
|
|
pages_nginx['enable'] = false
|
|
gitlab_pages['external_http'] = {{ gitlab_pages_http_addresses }}
|
|
gitlab_pages['external_https'] = {{ gitlab_pages_https_addresses }}
|
|
letsencrypt['enable'] = true
|
|
letsencrypt['contact_emails'] = ['webmaster@archlinux.org']
|
|
gitlab_rails['lfs_enabled'] = true
|
|
gitlab_rails['gitlab_shell_ssh_port'] = 222
|
|
gitlab_rails['gitlab_default_can_create_group'] = false
|
|
gitlab_rails['initial_root_password'] = "{{ vault_gitlab_root_password }}"
|
|
gitlab_rails['smtp_enable'] = true
|
|
gitlab_rails['smtp_address'] = 'mail.archlinux.org'
|
|
gitlab_rails['smtp_port'] = 465
|
|
gitlab_rails['smtp_user_name'] = 'gitlab'
|
|
gitlab_rails['smtp_password'] = "{{ vault_gitlab_root_password }}"
|
|
gitlab_rails['smtp_domain'] = 'gitlab.archlinux.org'
|
|
gitlab_rails['smtp_tls'] = true
|
|
gitlab_rails['smtp_openssl_verify_mode'] = 'peer'
|
|
gitlab_rails['gitlab_email_enabled'] = true
|
|
gitlab_rails['gitlab_email_from'] = 'gitlab@archlinux.org'
|
|
gitlab_rails['gitlab_email_display_name'] = 'GitLab'
|
|
gitlab_rails['gitlab_email_reply_to'] = 'noreply@archlinux.org'
|
|
gitlab_rails['gitlab_default_theme'] = 2
|
|
gitlab_rails['incoming_email_enabled'] = true
|
|
gitlab_rails['incoming_email_address'] = "gitlab+%{key}@archlinux.org"
|
|
gitlab_rails['incoming_email_email'] = "gitlab@archlinux.org"
|
|
gitlab_rails['incoming_email_password'] = "{{ vault_gitlab_root_password }}"
|
|
gitlab_rails['incoming_email_host'] = "mail.archlinux.org"
|
|
gitlab_rails['incoming_email_port'] = 993
|
|
gitlab_rails['incoming_email_ssl'] = true
|
|
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
|
|
gitlab_rails['omniauth_block_auto_created_users'] = false
|
|
gitlab_rails['omniauth_auto_link_saml_user'] = true
|
|
gitlab_rails['omniauth_providers'] = [
|
|
{
|
|
name: 'saml',
|
|
label: 'Arch Linux SSO',
|
|
groups_attribute: 'Role',
|
|
admin_groups: ['DevOps'],
|
|
args: {
|
|
assertion_consumer_service_url: 'https://gitlab.archlinux.org/users/auth/saml/callback',
|
|
idp_cert_fingerprint: '75:43:93:1D:7A:F3:B6:16:51:FA:90:3C:E6:46:93:EA:DF:B6:28:8B',
|
|
idp_sso_target_url: 'https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml/clients/saml_gitlab',
|
|
idp_slo_target_url: 'https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml',
|
|
issuer: 'saml_gitlab',
|
|
attribute_statements: {
|
|
first_name: ['first_name'],
|
|
last_name: ['last_name'],
|
|
name: ['name'],
|
|
username: ['username'],
|
|
email: ['email'],
|
|
},
|
|
name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
|
|
}
|
|
}
|
|
]
|
|
volumes:
|
|
- "/srv/gitlab/config:/etc/gitlab"
|
|
- "/srv/gitlab/logs:/var/log/gitlab"
|
|
- "/srv/gitlab/data:/var/opt/gitlab"
|
|
- "/srv/gitlab/sshd_config:/assets/sshd_config"
|
|
|
|
- name: open firewall holes
|
|
ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes
|
|
when: configure_firewall
|
|
with_items:
|
|
- "80/tcp"
|
|
- "443/tcp"
|
|
- "222/tcp"
|
|
- "5050/tcp"
|
|
tags:
|
|
- firewall
|
|
|
|
- name: copy gitlab-cleanup timer and service
|
|
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
|
|
with_items:
|
|
- gitlab-cleanup.timer
|
|
- gitlab-cleanup.service
|
|
|
|
- name: activate systemd timers for gitlab-cleanup
|
|
systemd: name=gitlab-cleanup.timer enabled=yes state=started daemon-reload=yes
|