add gitlab role

2021-08-24 12:16:11 +02:00
commit 80cf4f9a51
11 changed files with 419 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -0,0 +1,62 @@
 Role Name
 =========
 This role deploys a gitlab-ee instance and does the following:
 * gitlab installation w/ features
 * deploys gitlab.rb
 * deploys gitlab-secrets.json
 * deploys gitlab ee license
 * deploys gitlab host keys
 * triggers gitlab reconfiguration
 Requirements
 ------------
 * none
 Role Variables
 --------------
 See defaults/main.yml
 Dependencies
 ------------
 * none
 Example Playbook
 ----------------
 ```yaml
  - name: playbook to install gitlab
    hosts: gitlab
    become: yes
    roles:
      - gitlab
 ```
 Additional Information
 ----------------------
 Due to the lack of any secret store, the `host_vars` are encrypted using ansible vault and the password of the ansible user.
 How to test:
 ```
 $ ansible-playbook -i inventories/lab/hosts plays/gitlab.yml --ask-vault-pass --check --diff
 $ ansible-playbook -i inventories/tst/hosts plays/gitlab.yml --ask-vault-pass --check --diff
 $ ansible-playbook -i inventories/prd/hosts plays/gitlab.yml --ask-vault-pass --check --diff
 ```
 How to see the `host_vars`:
 ```
 $ ansible-vault edit inventories/lab/host_vars/mbzex30855.mbmain.migrosbank.ch.yml
 $ ansible-vault edit inventories/tst/host_vars/mbztx30855.mbmain.migrosbank.ch.yml
 $ ansible-vault edit inventories/prd/host_vars/mbzpx30855.mbmain.migrosbank.ch.yml
 ```
 Note:
 If you'd like to see any actual diff output during the test run, you need to remove or disable the `no_log` directive in the configure.yml task.
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -0,0 +1,104 @@
 ---
 # vim: ts=2 sw=2 et ft=yaml.ansible
 # Package information
 gitlab_edition: 'gitlab-ee'
 gitlab_version: ''
 gitlab_package_version_serparator: '-'
 gitlab_config_path: '/etc/gitlab/'
 # ee license
 gitlab_ee_license: 'changeme'
 # templates
 gitlab_config_template: 'gitlab.rb.j2'
 gitlab_secrets_template: 'gitlab-secrets.json.j2'
 gitlab_ee_license_template: 'Gitlab.gitlab-license.j2'
 # Paths and files
 gitlab_config_file: '/etc/gitlab/gitlab.rb'
 gitlab_secrets_file: '/etc/gitlab/gitlab-secrets.json'
 gitlab_ctl_binary: '/usr/bin/gitlab-ctl'
 gitlab_ee_license_file: '/etc/gitlab/Gitlab.gitlab-license'
 # install custom repository
 gitlab_install_custom_repo: false
 gitlab_custom_repo: 'gitlab.repo.j2'
 # ssh configuration
 gitlab_import_ssh_host_keys: false
 gitlab_ssh_host_keys:
  /etc/ssh/ssh_host_rsa_key: 'changeme'
  /etc/ssh/ssh_host_ecdsa_key: 'changeme'
  /etc/ssh/ssh_host_ed25519_key: 'changeme'
 # gitlab.rb configs
 gitlab_conf_external_url: 'changeme'
 gitlab_conf_backup_path: 'changeme'
 gitlab_conf_ssl_cert_bundle: 'changeme'
 gitlab_conf_email_display_name: 'changeme'
 gitlab_conf_email_from: 'changeme'
 gitlab_conf_email_reply_to: 'changeme'
 gitlab_conf_initial_root_pw: 'changeme'
 gitlab_conf_initial_shared_runner_registration_token: 'changeme'
 gitlab_conf_ldap_enabled: true
 gitlab_conf_ldap_servers:
  active_directory: true
  admin_group: 'changeme'
  allow_username_or_email_login: false
  base: 'changeme'
  bind_dn: 'changeme'
  block_auto_created_users: 'changeme'
  encryption: 'changeme'
  group_base: 'changeme'
  host: 'changeme'
  label: 'changeme'
  password: 'changeme'
  port: 389
  sync_ssh_keys: false
  ca_file: 'changeme'
  uid: 'changeme'
  verify_certificates: true
 gitlab_conf_manage_backup_path: false
 gitlab_conf_omniauth_providers:
  identifier: 'changeme'
  redirect_uri: 'changeme'
  secret: 'changeme'
  discovery: true
  issuer: 'changeme'
  name: 'changeme'
  label: 'changeme'
 gitlab_conf_nginx_enable: true
 gitlab_conf_nginx_redirect_https: true
 gitlab_conf_nginx_ssl_certificate: '/etc/gitlab/ssl/gitlab.crt'
 gitlab_conf_nginx_ssl_certificate_key: '/etc/gitlab/ssl/gitlab.key'
 gitlab_conf_letsencrypt_enable: false
 # gitlab-secrets.json configs
 gitlab_secrets_workhorse_token: 'changeme'
 gitlab_secrets_shell_token: 'changeme'
 gitlab_secrets_rails_key_base: 'changeme'
 gitlab_secrets_rails_db_key_base: 'changeme'
 gitlab_secrets_rails_otp_key_base: 'changeme'
 gitlab_secrets_rails_encrypted_settings_key_base: 'changeme'
 gitlab_secrets_rails_openid_connect_signing_key: 'changeme'
 gitlab_secrets_rails_ci_jwt_signing_key: 'changeme'
 gitlab_secrets_pages_secret: 'changeme'
 gitlab_secrets_pages_id: 'changeme'
 gitlab_secrets_pages_auth_secret: 'changeme'
 gitlab_secrets_pages_api_secret_key: 'changeme'
 gitlab_secrets_kas_api_key: 'changeme'
 gitlab_secrets_grafana_secret_key: 'changeme'
 gitlab_secrets_grafana_gitlab_secret: 'changeme'
 gitlab_secrets_grafana_gitlab_application_id: 'changeme'
 gitlab_secrets_grafana_admin_password: 'changeme'
 gitlab_secrets_grafana_metrics_basic_auth_password: 'changeme'
 gitlab_secrets_registry_http_secret: 'changeme'
 gitlab_secrets_registry_internal_certificate: 'changeme'
 gitlab_secrets_registry_internal_key: 'changeme'
 gitlab_secrets_letsencrypt_auto_enabled: 'changeme'
 gitlab_secrets_mattermost_invite_salt: 'changeme'
 gitlab_secrets_mattermost_file_public_link_salt: 'changeme'
 gitlab_secrets_mattermost_sql_at_rest_encrypt_key: 'changeme'
 gitlab_secrets_postgresql_internal_certificate: 'changeme'
 gitlab_secrets_postresql_internal_key: 'changeme'
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,13 @@
 ---
 # vim: ts=2 sw=2 et ft=yaml.ansible
 - name: reconfigure gitlab
  shell: "gitlab-ctl reconfigure > /dev/null 2>&1"
  notify: restart gitlab
  register: gitlab_restart
  failed_when: "gitlab_restart.rc > 2"
 - name: restart gitlab
  service:
    name: gitlab-runsvdir.service
    state: restarted
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -0,0 +1,43 @@
 ---
 # vim: ts=2 sw=2 et ft=yaml.ansible
 - name: copy gitlab configuration file
  template:
    src: '{{ gitlab_config_template }}'
    dest: '{{ gitlab_config_file }}'
    owner: root
    group: root
    mode: 0600
  notify: reconfigure gitlab
  no_log: true # do not expose potential secrets
 - name: copy gitlab secrets file
  template:
    src: gitlab-secrets.json.j2
    dest: /etc/gitlab/gitlab-secrets.json
    owner: root
    group: root
    mode: 0600
  notify: reconfigure gitlab
  no_log: true # do not expose potential secrets
 - name: copy license when installing gitlab-ee version
  template:
    src: '{{ gitlab_ee_license_template }}'
    dest: '{{ gitlab_ee_license_file }}'
    owner: root
    group: root
    mode: 0644
  notify: reconfigure gitlab
  no_log: true # do not expose potential secrets
  when: gitlab_edition == 'gitlab-ee' and gitlab_ee_license | length > 0
 - name: copy ssh host keys when migrating
  copy:
    dest: '{{ item.key }}'
    content: "{{ item.value }}\n"
    owner: root
    group: root
    mode: 0400
  loop: '{{ gitlab_ssh_host_keys | dict2items }}'
  when: gitlab_import_ssh_host_keys
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -0,0 +1,32 @@
 ---
 # vim: ts=2 sw=2 et ft=yaml.ansible
 - name: check if gitlab is already installed
  stat:
    path: '{{ gitlab_ctl_binary }}'
  register: gl_binary
 - name: install gitlab dependencies
  package:
    name: '{{ gitlab_pkg_dependencies }}'
    state: present
 - name: add gitlab repository if necessary
  template:
    src: '{{ gitlab_install_custom_repo }}'
    dest: '/etc/yum.repos.d/gitlab_{{ gitlab_edition }}.repo'
    owner: root
    group: root
    mode: 0644
  when: gitlab_install_custom_repo
 - name: assemble gitlab package name
  set_fact:
    gitlab_package: '{{ gitlab_edition }}{{ gitlab_package_version_separator }}{{ gitlab_version }}'
  when: gitlab_version | length > 0
 - name: install gitlab
  package:
    name: '{{ gitlab_package | default(gitlab_edition) }}'
    state: present
  when: not gl_binary.stat.exists
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,19 @@
 ---
 # vim: ts=2 sw=2 et ft=yaml.ansible
 - name: load gitlab package dependency list based on distribution type
  include_vars: '{{ item }}'
  loop:
    - 'gitlab_pkg_dependencies.yml'
  tags:
    - 'gitlab_vars'
 - name: install gitlab and dependencies
  import_tasks: install.yml
  tags:
    - 'gitlab_install'
 - name: configure gitlab
  import_tasks: configure.yml
  tags:
    - 'gitlab_configure'
--- a/templates/Gitlab.gitlab-license.j2
+++ b/templates/Gitlab.gitlab-license.j2
@@ -0,0 +1 @@
 {{ gitlab_ee_license }}
--- a/templates/gitlab-secrets.json.j2
+++ b/templates/gitlab-secrets.json.j2
@@ -0,0 +1,51 @@
 {
  "gitlab_workhorse": {
    "secret_token": "{{ gitlab_secrets_workhorse_token }}"
  },
  "gitlab_shell": {
    "secret_token": "{{ gitlab_secrets_shell_token }}"
  },
  "gitlab_rails": {
    "secret_key_base": "{{ gitlab_secrets_rails_key_base }}",
    "db_key_base": "{{ gitlab_secrets_rails_db_key_base }}",
    "otp_key_base": "{{ gitlab_secrets_rails_otp_key_base }}",
    "encrypted_settings_key_base": "{{ gitlab_secrets_rails_encrypted_settings_key_base }}"
    "openid_connect_signing_key": "{{ gitlab_secrets_rails_openid_connect_signing_key }}"
    "ci_jwt_signing_key": "{{ gitlab_secrets_rails_ci_jwt_signing_key }}"
  },
  "gitlab_pages": {
    "gitlab_secret": {% if gitlab_secrets_pages_secret | length %}"{{ gitlab_secrets_pages_secret }}"{% else %}null{% endif %},
    "gitlab_id": {% if gitlab_secrets_pages_id | length %}"{{ gitlab_secrets_pages_id }}"{% else %}null{% endif %},
    "auth_secret": {% if gitlab_secrets_pages_auth_secret | length %}"{{ gitlab_secrets_pages_auth_secret }}"{% else %}null{% endif %},
    "api_secret_key": {% if gitlab_secrets_pages_api_secret_key | length %}"{{ gitlab_secrets_pages_api_secret_key }}"{% else %}""{% endif %}
  },
  {% if gitlab_kas_api_key is defined %}
  "gitlab_kas": {
    "api_secret_key": "{{ gitlab_secrets_kas_api_key }}"
  },
  {% endif %}
  "grafana": {
    "secret_key": "{{ gitlab_secrets_grafana_secret_key }}",
    "gitlab_secret": "{{ gitlab_secrets_grafana_gitlab_secret }}",
    "gitlab_application_id": "{{ gitlab_secrets_grafana_gitlab_application_id }}",
    "admin_password": "{{ gitlab_secrets_grafana_admin_password }}",
    "metrics_basic_auth_password": {% if gitlab_secrets_grafana_metrics_basic_auth_password | length %}"{{ gitlab_secrets_grafana_metrics_basic_auth_password }}"{% else %}null{% endif %}
  },
  "registry": {
    "http_secret": "{{ gitlab_secrets_registry_http_secret }}",
    "internal_certificate": "{{ gitlab_secrets_registry_internal_certificate }}",
    "internal_key": "{{ gitlab_secrets_registry_internal_key }}"
  },
  "letsencrypt": {
    "auto_enabled": {% if gitlab_secrets_letsencrypt_auto_enabled | length %}"{{ gitlab_secrets_letsencrypt_auto_enabled }}"{% else %}null{% endif %}
  },
  "mattermost": {
    "email_invite_salt": "{{ gitlab_secrets_mattermost_invite_salt }}",
    "file_public_link_salt": "{{ gitlab_secrets_mattermost_file_public_link_salt }}",
    "sql_at_rest_encrypt_key": "{{ gitlab_secrets_mattermost_sql_at_rest_encrypt_key }}"
  },
  "postgresql": {
    "internal_certificate": "{{ gitlab_secrets_postgresql_internal_certificate }}",
    "internal_key": "{{ gitlab_secrets_postgresql_internal_key }}" 
  }
 }
--- a/templates/gitlab.rb.j2
+++ b/templates/gitlab.rb.j2
@@ -0,0 +1,75 @@
 # vim: ts=2 sw=2 et ft=ruby
 # general configs
 external_url '{{ gitlab_conf_external_url }}'
 # gitlab configs
 gitlab_rails['backup_path'] = "{{ gitlab_conf_backup_path }}"
 gitlab_rails['env'] = {"SSL_CERT_FILE"=>"{{ gitlab_conf_ssl_cert_bundle }}"}
 gitlab_rails['gitlab_email_display_name'] = "{{ gitlab_conf_email_display_name }}"
 gitlab_rails['gitlab_email_from'] = "{{ gitlab_conf_email_from }}"
 gitlab_rails['gitlab_email_reply_to'] = "{{ gitlab_conf_email_reply_to }}"
 gitlab_rails['initial_root_password'] = "{{ gitlab_conf_initial_root_pw }}"
 gitlab_rails['initial_shared_runners_registration_token'] = "{{ gitlab_conf_initial_shared_runner_registration_token }}"
 gitlab_rails['ldap_enabled'] = {{ gitlab_conf_ldap_enabled }}
 gitlab_rails['manage_backup_path'] = {{ gitlab_conf_manage_backup_path }}
 gitlab_rails['ldap_servers'] = { 
  "main"=>{ 
    "active_directory"=>{{ gitlab_conf_ldap_servers.active_directory }}, 
    "admin_group"=>"{{ gitlab_conf_ldap_servers.admin_group }}", 
    "allow_username_or_email_login"=>{{ gitlab_conf_ldap_servers.allow_username_or_email_login }},
    "attributes"=>{
      "email"=>["mail", "email", "userPrincipalName"], 
      "first_name"=>"givenName", 
      "last_name"=>"sn", 
      "name"=>"nosuchattribute", 
      "username"=>["uid", "userid", "sAMAccountName"]
    }, 
    "base"=>"{{ gitlab_conf_ldap_servers.base }}",
    "bind_dn"=>"{{ gitlab_conf_ldap_servers.bind_dn }}",
    "block_auto_created_users"=>{{ gitlab_conf_ldap_servers.block_auto_created_users }},
    "encryption"=>"{{ gitlab_conf_ldap_servers.encryption }}",
    "group_base"=>"{{ gitlab_conf_ldap_servers.group_base }}",
    "host"=>"{{ gitlab_conf_ldap_servers.host }}",
    "label"=>"{{ gitlab_conf_ldap_servers.label }}",
    "password"=>"{{ gitlab_conf_ldap_servers.password }}",
    "port"=>"{{ gitlab_conf_ldap_servers.port }}",
    "sync_ssh_keys"=>{{ gitlab_conf_ldap_servers.sync_ssh_keys }},
    "tls_options"=>{
      "ca_file"=>"{{ gitlab_conf_ldap_servers.ca_file }}",
    },
    "uid"=>"{{ gitlab_conf_ldap_servers.uid }}",
    "verify_certificates"=>{{ gitlab_conf_ldap_servers.verify_certificates }},
  }
 }
 gitlab_rails['omniauth_providers'] = [{
  "args"=>{
    "client_options"=>{
      "identifier"=>"{{ gitlab_conf_omniauth_providers.identifier }}",
      "redirect_uri"=>"{{ gitlab_conf_omniauth_providers.redirect_uri }}",
      "secret"=>"{{ gitlab_conf_omniauth_providers.secret }}",
    },
    "discovery"=>{{ gitlab_conf_omniauth_providers.discovery }},
    "issuer"=>"{{ gitlab_conf_omniauth_providers.issuer }}",
    "name"=>"{{ gitlab_conf_omniauth_providers.name }}",
    "response_type"=>"code",
    "scope"=>["openid", "profile"]
  },
  "label"=>"{{ gitlab_conf_omniauth_providers.label }}",
  "name"=>"openid_connect"
 }]
 # nginx configs
 nginx['enable'] = {{ gitlab_conf_nginx_enable }}
 nginx['redirect_http_to_https'] = {{ gitlab_conf_nginx_redirect_https }}
 nginx['ssl_certificate'] = "{{ gitlab_conf_nginx_ssl_certificate }}"
 nginx['ssl_certificate_key'] = "{{ gitlab_conf_nginx_ssl_certificate_key }}"
 # letsencrypt configs
 letsencrypt['enable'] = {{ gitlab_conf_letsencrypt_enable }}
--- a/templates/gitlab.repo.j2
+++ b/templates/gitlab.repo.j2
@@ -0,0 +1,10 @@
 {{ ansible_managed | comment }}
 [gitlab_gitlab-ee]
 name=gitlab_gitlab-ee
 baseurl={{ gitlab_repo_base_url }}
 repo_gpgcheck=0
 gpgcheck=0
 enabled=1
 sslverify=1
 sslcacert={{ gitlab_cacert_bundle }}
 metadata_expire=300
--- a/vars/gitlab_pkg_dependencies.yml
+++ b/vars/gitlab_pkg_dependencies.yml
@@ -0,0 +1,9 @@
 ---
 # vim: ts=2 sw=2 et ft=yaml.ansible
 gitlab_pkg_dependencies:
  - openssh-server
  - postfix
  - curl
  - openssl
  - tzdata