mono-infrastructure/ansible/playbooks/tasks/gitlab-reconfigure.yml

101 lines
2.3 KiB
YAML
Raw Normal View History

---
- name: Install nginx normally
yum:
name: nginx
state: present
- name: Reconfigure Main nginx configuration
template:
src: "etc/nginx/nginx.conf.j2"
dest: "/etc/nginx/nginx.conf"
owner: root
group: root
mode: '0644'
backup: true
- name: Add omnibus nginx configuration
template:
src: "etc/nginx/conf.d/omnibus.conf.j2"
dest: "/etc/nginx/conf.d/omnibus.conf"
owner: root
group: root
mode: '0644'
backup: true
- name: Copy self-signed certificates from GitLab
copy:
src: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt"
dest: "/etc/nginx/ssl/{{ gitlab_domain }}.crt"
owner: root
group: root
mode: '0644'
2020-12-18 08:17:53 +00:00
remote_src: true
when: gitlab_create_self_signed_cert
- name: Copy self-signed certificate key
copy:
src: "/etc/gitlab/ssl/{{ gitlab_domain }}.key"
dest: "/etc/nginx/ssl/{{ gitlab_domain }}.key"
owner: root
group: root
mode: '0644'
2020-12-18 08:17:53 +00:00
remote_src: true
when: gitlab_create_self_signed_cert
2020-12-18 07:39:37 +00:00
- name: Symlink the IPA CA
file:
src: "/etc/ipa/ca.crt"
2020-12-18 08:17:53 +00:00
dest: "/etc/gitlab/trusted-certs/ipa-ca.crt"
2020-12-18 07:39:37 +00:00
owner: root
group: root
state: link
2021-01-24 02:45:58 +00:00
- name: Symlink the hash
command: "openssl rehash /etc/gitlab/trusted-certs"
changed_when: "1 != 1"
- name: Turn on necessary SELinux booleans
ansible.posix.seboolean:
name: "{{ item }}"
state: true
persistent: true
loop:
- httpd_can_network_connect
- httpd_can_network_relay
2021-01-18 01:49:28 +00:00
- httpd_can_connect_ldap
- httpd_read_user_content
- name: Change fcontext to GitLab unix socket for nginx
community.general.sefcontext:
target: "/var/opt/gitlab/gitlab-workhorse/sockets/socket"
setype: httpd_var_run_t
state: present
- name: Apply fcontext to GitLab unix socket for nginx
command: restorecon -v /var/opt/gitlab/gitlab-workhorse/sockets/socket
register: restorecon_result
2020-12-29 03:43:17 +00:00
changed_when: "restorecon_result.rc == 0"
- name: Add firewall rules - http/s
ansible.posix.firewalld:
service: "{{ item }}"
permanent: true
state: enabled
immediate: true
loop:
- http
- https
2020-12-18 07:43:21 +00:00
- name: Add nginx user to git groups
user:
name: nginx
shell: /sbin/nologin
groups: gitlab-www,git
append: yes
- name: Enable and Start nginx
service:
name: nginx
enabled: true
state: started