Skip to content

egeneralov/gitlab

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

48 Commits
defaults
defaults
 
 
files
files
 
 
handlers
handlers
 
 
meta
meta
 
 
tasks
tasks
 
 
templates
templates
 
 
tests
tests
 
 
vars
vars
 
 
README.md
README.md
 
 

Repository files navigation

egeneralov.gitlab

Provision gitlab-ce installation with LDAP, omniauth and s3 backup integration.

Requirements

Debian-based machine. Tested on stretch, installation "on-premise" and DigitalOcean template.

Role Variables

All fields are required and have default value.

  • domain: like gitlab.egeneralov.tk

  • email: for let's encrypt notifications

  • root_password: string, more 8 chars

  • runners_token: string, 21 chars

  • ldap:

    • enabled: if true - enable integration
    • host: ldap dns name, like ldap.egeneralov.tk
    • port: 389 or (ssl) 636
    • uid: id attribute, like uid
    • bind_dn: like uid=gitlabro,cn=users,cn=compat,dc=egeneralov,dc=tk
    • password: bind_dn user password
    • encryption: plain, simple_tls or start_tls
    • verify_certificates: true or false
    • ca_file: path /etc/ipa/ca.crt
    • active_directory: true or false
    • allow_username_or_email_login: true or false
    • block_auto_created_users: true or false
    • base: base dn, like dc=egeneralov,dc=tk
    • user_filter: just (objectClass=inetorgperson) or restrict to group like (&(uid=%u)(memberOf=gitlab,cn=groups,cn=accounts,dc=egeneralov,dc=tk))

  • omniauth:

    {
      "name": "bitbucket",
      "app_id": "",
      "app_secret": "",
      "url": "https://bitbucket.org/"
    }
  • backup: setup auto-backups to S3
    • enabled: if true - enable integration
    • bucket: name of DigitalOcean space
    {
      "provider": "AWS",
      "region": "ams3",
      "aws_access_key_id": "",
      "aws_secret_access_key": "",
      "endpoint": "https://ams3.digitaloceanspaces.com"
    }
  • restore: restore your gitlab from backup file
    • enabled: if true - proceed restore action
    • force: if true - proceed restore action if backup file already present on remote host
    • from: path to _gitlab_backup.tar file
    • secrets: path to gitlab-secrets.json, if lost - database secrets will be cleaned

Example playbook

Just install

- hosts: gitlab
  vars:
    domain: gitlab.shared
    email: [email protected]
    root_password: Ru65oNWUzJQ17yh7YwzE
    runners_token: Ru65oNWUzJQ17yh7YwzE
  roles:
    - egeneralov.gitlab

Restore from backup

asciicast

- hosts: gitlab
  vars:
    domain: gitlab.shared
    email: [email protected]
    root_password: Ru65oNWUzJQ17yh7YwzE
    runners_token: Ru65oNWUzJQ17yh7YwzE
    gitlab_version: 11.3.4-ce.0
    restore:
      enabled: yes
      from: 1551970455_2019_03_07_11.3.4_gitlab_backup.tar
      secrets: gitlab-secrets.json
      force: no
  roles:
    - egeneralov.gitlab

Example with ldap and auto-backup to digital ocean s3

- hosts: gitlab
  vars:
    domain: gitlab.company.tld
    email: [email protected]
    root_password: Ru65oNWUzJQ17yh7YwzE
    runners_token: Ru65oNWUzJQ17yh7YwzE
    ldap:
      enabled: true
      host: ldap.company.tld
      bind_dn: 'uid=gitlabro,cn=users,cn=compat,dc=company,dc=tld'
      password: 'Ru65oNWUzJQ17yh7YwzE'
      encryption: 'plain'
      base: 'dc=company,dc=tld'
      user_filter: '(objectClass=inetorgperson)'
    backup:
      enabled: true
      bucket: "gitlab-company-tld-backup-space"
      upload_connection: {
          "provider": "AWS",
          "region": "ams3",
          "aws_access_key_id": "digitaloceanspaces",
          "aws_secret_access_key": "Ru65oNWUzJQ17yh7YwzE",
          "endpoint": "https://ams3.digitaloceanspaces.com"
        }
  roles:
    - egeneralov.gitlab

Example ssl client auth setup

Run the following playbook

- hosts: gitlab
  vars:
    domain: gitlab.{{ ansible_default_ipv4.address }}.xip.io
    registry_host: registry.{{ ansible_default_ipv4.address }}.xip.io
    email: [email protected]
    root_password: Ru65oNWUzJQ17yh7YwzE
    runners_token: Ru65oNWUzJQ17yh7YwzE
    
    nginx:
      enable: false
    
    custom_nginx:
      ssl:
        provider: selfsigned
        base_subj: "/C=NL/ST={{ domain }}/L={{ domain }}/O={{ domain }}/OU={{ domain }}"
        # specify list of users for auto-certificate setup. Insecure way.
        users:
          - egeneralov
  roles:
    - egeneralov.gitlab

And you can generate client certificates (manualy) like that (Insecure way):

cd /etc/gitlab/ssl/
USER=egeneralov
openssl genrsa -out $USER.key 2048
openssl req -new -key $USER.key -out $USER.csr -subj "/C=NL/ST=Zuid Holland/L=Rotterdam/O=Sparkling Network/OU=IT Department/CN=$USER"
openssl x509 -req -in $USER.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out $USER.crt -days 365
openssl pkcs12 -export -out $USER.pfx -inkey $USER.key -in $USER.crt -certfile ca.crt

Secure way:

  • customer must generate .key via openssl genrsa -out $USER.key 2048
  • customer must generate .csr via openssl req -new -key $USER.key -out $USER.csr -subj "/C=NL/ST=Zuid Holland/L=Rotterdam/O=Sparkling Network/OU=IT Department/CN=$USER"
  • obtain a .csr from your customer
  • you copy .csr to /etc/gitlab/ssl on gitlab server
  • sign .crt via openssl x509 -req -in $USER.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out $USER.crt -days 365
  • send .crt and ca.crt to your customer
  • your customer must generate his .pfx file via openssl pkcs12 -export -out $USER.pfx -inkey $USER.key -in $USER.crt -certfile ca.crt

License

MIT

About

ansible-galaxy install egeneralov.gitlab

Topics

ldap gitlab backup restore playbook auto-backup iaac

Resources

Readme
Activity

Stars

0 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages