Initial commit

670194f9 · Rémi - Le Filament · 670194f9 · 670194f9 · 670194f9 · 670194f9
--- a/README.md
+++ b/README.md
+Role Name
+=========
+
+This role allows for deployment and configuration of GitLab CE
+
+Requirements
+------------
+
+None
+
+Role Variables
+--------------
+
+Variables from default directory :
+* domain: domain belonging to customer
+* git_url: URL on which GitLab will be listening
+* Mail configuration :
+  * mailserver: SMTP server to use for sending e-mails (defaults to smtp.{{ domain }})
+  * smtpport: SMTP server port (defaults to 465)
+  * smtpuser: SMTP username (defaults to smtpuser)
+  * smtppass: SMTP user password (defaults to veryUnsecurePassToBeModified)
+  * git_mail_from: from address used in e-mail sent from GitLab (defaults to git@{{ domain }})
+  * default_maintenance_email: maintenance e-mail used to request Let's Encrypt certificate (defaults to maintenance@{{ domain }})
+* OPTIONAL - SSO integration :
+  * enable_omniauth: whether or not configure SSO integration (defaults to false)
+  * sso_url: URL for SSO server
+  * sso_oidc_gitlab_id: OpenID connect identifier defined for gitlab
+  * sso_oidc_gitlab_secret: OpenID connect secret defined for gitlab
+* OPTIONAL - Backups (for backups to be deployed, host needs to be in maintenance_contract group):
+  * swift parameters for 2 object storage instances where backups should be pushed daily
+  * git_backup_pass : Passphrase for encryption of backups
+
+Variables from vars directory :
+* gitlab_gpg_key_url: GitLab GPG key to be added to apt_key
+* gitlab_packages_url: GitLab packages URL to retrieve packages from
+* packages_to_install: GitLab Community Edition to be installed
+* tmp_backup_dir: Temporary backup directory used during backup process
+* backup_crons: list of scripts to be executed for backups together with associated cron tasks
+
+Dependencies
+------------
+
+This role has no dependencies per-se, however, it is foreseen to use other roles from Le Filament on the same server :
+* init_server for initial server configuration (and in particular SSHD configuration) - https://sources.le-filament.com/lefilament/ansible-roles/init_server
+* security to securize GitLab server (iptables, auditd, fail2ban) - https://sources.le-filament.com/lefilament/ansible-roles/server_security
+
+Example Playbook
+----------------
+
+    - hosts: gitlab
+      become: true
+      roles:
+      - { role: gitlab, tags: gitlab }
+      vars:
+      - { domain: "example.org" }
+      - { git_url: "git.{{ domain }}" }
+      - { mailserver: "smtp.{{ domain }}" }
+      - { smtpport: 465 }
+      - { smtpuser: "smtpuser" }
+      - { smtppass: "veryUnsecurePassToBeModified" }
+      - { git_mail_from: "git@{{ domain }}" }
+      - { default_maintenance_email: "maintenance@{{ domain }}" }
+
+License
+-------
+
+AGPL-3
+
+Author Information
+------------------
+
+Le Filament (https://le-filament.com)
--- a/defaults/main.yml
+++ b/defaults/main.yml
+---
+domain: example.org
+git_url: git.{{ domain }}
+
+# Mail configuration
+mailserver: smtp.{{ domain }}
+smtpport: 465
+smtpuser: smtpuser
+smtppass: veryUnsecurePassToBeModified
+git_mail_from: git@{{ domain }}
+default_maintenance_email: maintenance@{{ domain }}
+
+# OPTIONAL - SSO integration
+enable_omniauth: false
+# sso_url: auth.{{ domain }}
+# sso_oidc_gitlab_id: gitlabid
+# sso_oidc_gitlab_secret: secrettobemodified
+
+# OPTIONAL - For Backups only
+# Parameters for pushing backups to Object Storage - Instance 1
+# swift_odoo_authurl: https://auth.cloud.ovh.net/v3/
+# swift_odoo_authversion: 3
+# swift_odoo_tenantid: "132e1fa"
+# swift_odoo_tenantname: "12312534534"
+# swift_odoo_username: "testuser"
+# swift_odoo_password: "testpassword"
+# swift_odoo_regionname: "GRA"
+# Parameters for pushing backups to Object Storage - Instance 2
+# swift_odoo2_authurl: https://auth.cloud.ovh.net/v3/
+# swift_odoo2_authversion: 3
+# swift_odoo2_tenantid: "12323534ab"
+# swift_odoo2_tenantname: "123124235345"
+# swift_odoo2_username: "testuser"
+# swift_odoo2_password: "testpassword"
+# swift_odoo2_regionname: "DE"
+# Passphrase for backups encryption
+# git_backup_pass: notSecureEnoughPasswordToBeModified
--- a/handlers/main.yml
+++ b/handlers/main.yml
+---
+# handlers file for gitlab
+- name: reconfigure gitlab
+  command: gitlab-ctl reconfigure
--- a/meta/main.yml
+++ b/meta/main.yml
+---
+galaxy_info:
+  author: Rémi
+  description: Role for deploying and configuring GitLab CE edition
+  company: Le Filament (https://le-filament.com)
+  license: AGPL-3.0-or-later
+  min_ansible_version: 2.1
+  platforms:
+    - name: Ubuntu
+      versions:
+        - 20.04
+  galaxy_tags:
+    - gitlab
--- a/tasks/main.yml
+++ b/tasks/main.yml
+---
+
+- name: Install apt-transport-https package
+  package:
+    name: apt-transport-https
+    state: latest
+  async: 120
+  poll: 10
+  when: ansible_os_family == "Debian" and not ansible_check_mode
+
+# INSTALLATION
+- name: Add GitLab GPG key to APT
+  apt_key:
+    url: "{{ gitlab_gpg_key_url }}"
+  when: ansible_os_family == "Debian"
+
+- name: Add GitLab repo to APT repositories
+  apt_repository:
+    repo: deb {{ gitlab_packages_url }}/{{ ansible_distribution|lower }} {{ ansible_distribution_release }} main
+    update_cache: true
+  when: ansible_os_family == "Debian"
+
+- name: Install GitLab package
+  package:
+    name: "{{ packages_to_install }}"
+    state: latest
+  async: 120
+  poll: 10
+  when: not ansible_check_mode
+
+- name: Check installed GitLab package
+  package:
+    name: gitlab-ce
+    state: latest
+  when: ansible_check_mode
+
+- name: Install necessary python modules
+  pip:
+    name: ['python-swiftclient', 'python-keystoneclient']
+    state: latest
+
+# CONFIGURATION
+- name: Install gitlab configuration file
+  template:
+    src: gitlab.rb.j2
+    dest: "/etc/gitlab/gitlab.rb"
+    owner: root
+    group: root
+    mode: '0600'
+  notify: reconfigure gitlab
+
+
+# BACKUP
+- name: Copy Backup scripts on server
+  template:
+    src: "{{ item.script }}.j2"
+    dest: /root/{{ item.script }}
+    owner: root
+    group: root
+    mode: '0700'
+  with_items: '{{ backup_crons }}'
+  loop_control:
+    label: '{{ item.name }}'
+  when: inventory_hostname in groups.maintenance_contract
+
+- name: add cron job to execute backup list every day
+  cron:
+    name: "{{ item.name }}"
+    minute: "{{ item.minute }}"
+    hour: "{{ item.hour }}"
+    job: /root/{{ item.script }}
+  with_items: '{{ backup_crons }}'
+  loop_control:
+    label: '{{ item.name }}'
+  when: inventory_hostname in groups.maintenance_contract
--- a/templates/gitlab.rb.j2
+++ b/templates/gitlab.rb.j2
+### GitLab URL
+external_url 'https://{{ git_url }}'
+
+### Timezone
+gitlab_rails['time_zone'] = 'Europe/Paris'
+
+### SMTP server
+gitlab_rails['smtp_enable'] = true
+gitlab_rails['smtp_address'] = "{{ mailserver }}"
+gitlab_rails['smtp_port'] = {{ smtpport }}
+gitlab_rails['smtp_user_name'] = "{{ smtpuser }}"
+gitlab_rails['smtp_password'] = "{{ smtppass }}"
+gitlab_rails['smtp_domain'] = "{{ domain }}"
+gitlab_rails['smtp_authentication'] = "login"
+gitlab_rails['smtp_tls'] = true
+gitlab_rails['smtp_openssl_verify_mode'] = 'none'
+
+### Email Settings
+gitlab_rails['gitlab_email_enabled'] = true
+gitlab_rails['gitlab_email_from'] = '{{ git_mail_from }}'
+gitlab_rails['gitlab_email_reply_to'] = 'noreply@{{ domain }}'
+gitlab_rails['incoming_email_enabled'] = false
+
+### Content Security Policy
+gitlab_rails['content_security_policy'] = {
+ 'enabled' => true,
+ 'report_only' => false,
+}
+
+### Impersonation settings
+gitlab_rails['impersonation_enabled'] = true
+
+{% if enable_omniauth is defined %}
+### Omniauth (SSO auth)
+gitlab_rails['omniauth_enabled'] = true
+gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
+gitlab_rails['omniauth_block_auto_created_users'] = false
+gitlab_rails['omniauth_providers'] = [
+  {
+    "name" => 'openid_connect',
+    "args" => {
+      'name' => 'openid_connect',
+      'issuer' => 'https://{{ sso_url }}',
+      'scope' => ['openid', 'profile', 'email'],
+      'response_type' => 'code',
+      'client_auth_method' => 'client_secret_post',
+      'discovery' => true,
+      'uid_field' => 'sub',
+      'client_options' => {
+        'redirect_uri' => 'http://{{ git_url }}/users/auth/openid_connect/callback',
+        'identifier' => '{{ sso_oidc_gitlab_id }}',
+        'secret' => '{{ sso_oidc_gitlab_secret }}',
+      }
+    },
+    "label" => 'Le Filament SSO'
+  }
+]
+
+{% endif %}
+### Container Registry settings
+registry_external_url 'https://{{ git_url }}:5050'
+
+### GitLab PostgreSQL
+##! **recommend value is 1/4 of total RAM, up to 14GB.**
+postgresql['shared_buffers'] = "1GB"
+
+### GitLab NGINX
+nginx['redirect_http_to_https'] = true
+
+### GitLab Mattermost
+mattermost['enable'] = false
+
+### Registry NGINX
+registry_nginx['enable'] = true
+registry_nginx['redirect_http_to_https'] = true
+
+### Prometheus
+prometheus_monitoring['enable'] = false
+alertmanager['enable'] = false
+node_exporter['enable'] = false
+redis_exporter['enable'] = false
+postgres_exporter['enable'] = false
+gitlab_exporter['enable'] = false
+
+### Grafana Dashboards
+grafana['enable'] = false
+
+### Let's Encrypt integration
+letsencrypt['enable'] = true
+letsencrypt['contact_emails'] = ['{{ default_maintenance_email }}']
--- a/templates/local_gitlab_backup.sh.j2
+++ b/templates/local_gitlab_backup.sh.j2
+#!/bin/bash
+# Script for making daily Gitlab backups
+TMP_BACKUP_DIR={{ tmp_backup_dir }}
+
+# Delete temp directory if already exists
+if [ -d "$TMP_BACKUP_DIR" ]; then
+  rm -rf $TMP_BACKUP_DIR
+fi
+# Create temp directory
+mkdir -p $TMP_BACKUP_DIR
+# Backup configuration
+gitlab-ctl backup-etc && cd /etc/gitlab/config_backup && cp $(ls -t | head -n1) $TMP_BACKUP_DIR && cd -
+# Backup GitLab
+gitlab-backup create SKIP=builds,artifacts,registry && cd /var/opt/gitlab/backups/ && cp $(ls -t | head -n1) $TMP_BACKUP_DIR && cd -
--- a/templates/push_gitlab_backup.sh.j2
+++ b/templates/push_gitlab_backup.sh.j2
+#!/bin/bash
+
+export SWIFT_USERNAME="{{ swift_odoo_username }}"
+export SWIFT_PASSWORD="{{ swift_odoo_password }}"
+export SWIFT_AUTHURL="{{ swift_odoo_authurl }}"
+export SWIFT_AUTHVERSION={{ swift_odoo_authversion }}
+export SWIFT_TENANTNAME="{{ swift_odoo_tenantname }}"
+export SWIFT_TENANTID="{{ swift_odoo_tenantid }}"
+export SWIFT_REGIONNAME="{{ swift_odoo_regionname }}"
+
+export PASSPHRASE="{{ git_backup_pass }}"
+
+duplicity full --volsize 200 {{ tmp_backup_dir }} swift://gitlab_{{ inventory_hostname|lower }}
+duplicity remove-all-but-n-full 30 --force swift://gitlab_{{ inventory_hostname|lower }}
--- a/templates/push_gitlab_backup2.sh.j2
+++ b/templates/push_gitlab_backup2.sh.j2
+#!/bin/bash
+
+export SWIFT_USERNAME="{{ swift_odoo2_username }}"
+export SWIFT_PASSWORD="{{ swift_odoo2_password }}"
+export SWIFT_AUTHURL="{{ swift_odoo2_authurl }}"
+export SWIFT_AUTHVERSION={{ swift_odoo2_authversion }}
+export SWIFT_TENANTNAME="{{ swift_odoo2_tenantname }}"
+export SWIFT_TENANTID="{{ swift_odoo2_tenantid }}"
+export SWIFT_REGIONNAME="{{ swift_odoo2_regionname }}"
+
+export PASSPHRASE="{{ git_backup_pass }}"
+
+duplicity full --volsize 200 {{ tmp_backup_dir }} swift://gitlab_{{ inventory_hostname|lower }}
+duplicity remove-all-but-n-full 30 --force swift://gitlab_{{ inventory_hostname|lower }}
--- a/vars/main.yml
+++ b/vars/main.yml
+---
+gitlab_gpg_key_url: https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey
+gitlab_packages_url: https://packages.gitlab.com/gitlab/gitlab-ce
+packages_to_install:
+  - gitlab-ce
+  - duplicity
+  - python3-pip
+tmp_backup_dir: "/tmp/gitlab_backups/"
+
+backup_crons:
+  - name: "local gitlab backup"
+    script: local_gitlab_backup.sh
+    hour: 2
+    minute: 43
+  - name: "push gitlab backup"
+    script: push_gitlab_backup.sh
+    hour: 3
+    minute: 43
+  - name: "push gitlab backup 2"
+    script: push_gitlab_backup2.sh
+    hour: 4
+    minute: 43