mono-infrastructure/ansible/playbooks/tasks/gitlab-reconfigure.yml

---
# We need to do some additional configuration for GitLab to ensure that it
# works and operates immediately with FreeIPA.
- name: Insert Additional GitLab EE Settings
  blockinfile:
    path: /etc/gitlab/gitlab.rb
    block: |
      gitlab_rails['ldap_group_base'] = 'cn=groups,cn=accounts,dc=rockylinux,dc=org'
      gitlab_rails['ldap_admin_group'] = 'cn=gitadm,cn=groups,cn=accounts,dc=rockylinux,dc=org'
      nginx['enable'] = false
      nginx['external_users'] = ['nginx']
  notify: restart_gitlab

- name: Install nginx normally
  yum:
    name: nginx
    state: present

- name: Reconfigure Main nginx configuration
  template:
    src: "etc/nginx/nginx.conf.j2"
    dest: "/etc/nginx/nginx.conf"
    owner: root
    group: root
    mode: '0644'
    backup: true

- name: Add omnibus nginx configuration
  template:
    src: "etc/nginx/conf.d/omnibus.conf.j2"
    dest: "/etc/nginx/conf.d/omnibus.conf"
    owner: root
    group: root
    mode: '0644'
    backup: true

- name: Copy self-signed certificates from GitLab
  copy:
    src: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt"
    dest: "/etc/nginx/ssl/{{ gitlab_domain }}.crt"
    owner: root
    group: root
    mode: '0644'
  when: gitlab_create_self_signed_cert

- name: Copy self-signed certificate key
  copy:
    src: "/etc/gitlab/ssl/{{ gitlab_domain }}.key"
    dest: "/etc/nginx/ssl/{{ gitlab_domain }}.key"
    owner: root
    group: root
    mode: '0644'
  when: gitlab_create_self_signed_cert

- name: Turn on necessary SELinux booleans
  ansible.posix.seboolean:
    name: "{{ item }}"
    state: true
    persistent: true
  loop:
    - httpd_can_network_connect
    - httpd_can_network_relay
    - httpd_read_user_content

- name: Change fcontext to GitLab unix socket for nginx
  community.general.sefcontext:
    target: "/var/opt/gitlab/gitlab-workhorse/sockets/socket"
    setype: httpd_var_run_t
    state: present

- name: Apply fcontext to GitLab unix socket for nginx
  command: restorecon -v /var/opt/gitlab/gitlab-workhorse/sockets/socket
  register: restorecon_result
  changed_when: "restorecon_result == 0"

- name: Add firewall rules - http/s
  ansible.posix.firewalld:
    service: "{{ item }}"
    permanent: true
    state: enabled
    immediate: true
  loop:
    - http
    - https

- name: Enable and Start nginx
  service:
    name: nginx
    enabled: true
    state: started
Infrastructure GitLab Updates In this push, we are making a decent amount of updates to the gitlab playbooks as well as updating the README. See below for the changes: * README updated for further clarity * GitLab role with further reconfiguration for group lookups * GitLab role with further reconfiguration to disable built-in nginx * nginx configuration added and provided to work with omnibus * GitLab variables updated 2020-12-18 06:40:14 +00:00			`---`
			`# We need to do some additional configuration for GitLab to ensure that it`
			`# works and operates immediately with FreeIPA.`
			`- name: Insert Additional GitLab EE Settings`
			`blockinfile:`
			`path: /etc/gitlab/gitlab.rb`
			`block: \|`
			`gitlab_rails['ldap_group_base'] = 'cn=groups,cn=accounts,dc=rockylinux,dc=org'`
			`gitlab_rails['ldap_admin_group'] = 'cn=gitadm,cn=groups,cn=accounts,dc=rockylinux,dc=org'`
			`nginx['enable'] = false`
			`nginx['external_users'] = ['nginx']`
			`notify: restart_gitlab`

			`- name: Install nginx normally`
			`yum:`
			`name: nginx`
			`state: present`

			`- name: Reconfigure Main nginx configuration`
			`template:`
			`src: "etc/nginx/nginx.conf.j2"`
			`dest: "/etc/nginx/nginx.conf"`
			`owner: root`
			`group: root`
			`mode: '0644'`
			`backup: true`

			`- name: Add omnibus nginx configuration`
			`template:`
			`src: "etc/nginx/conf.d/omnibus.conf.j2"`
			`dest: "/etc/nginx/conf.d/omnibus.conf"`
			`owner: root`
			`group: root`
			`mode: '0644'`
			`backup: true`

			`- name: Copy self-signed certificates from GitLab`
			`copy:`
			`src: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt"`
			`dest: "/etc/nginx/ssl/{{ gitlab_domain }}.crt"`
			`owner: root`
			`group: root`
			`mode: '0644'`
			`when: gitlab_create_self_signed_cert`

			`- name: Copy self-signed certificate key`
			`copy:`
			`src: "/etc/gitlab/ssl/{{ gitlab_domain }}.key"`
			`dest: "/etc/nginx/ssl/{{ gitlab_domain }}.key"`
			`owner: root`
			`group: root`
			`mode: '0644'`
			`when: gitlab_create_self_signed_cert`

			`- name: Turn on necessary SELinux booleans`
			`ansible.posix.seboolean:`
			`name: "{{ item }}"`
			`state: true`
			`persistent: true`
			`loop:`
			`- httpd_can_network_connect`
			`- httpd_can_network_relay`
			`- httpd_read_user_content`

			`- name: Change fcontext to GitLab unix socket for nginx`
			`community.general.sefcontext:`
			`target: "/var/opt/gitlab/gitlab-workhorse/sockets/socket"`
			`setype: httpd_var_run_t`
			`state: present`

			`- name: Apply fcontext to GitLab unix socket for nginx`
			`command: restorecon -v /var/opt/gitlab/gitlab-workhorse/sockets/socket`
			`register: restorecon_result`
			`changed_when: "restorecon_result == 0"`

			`- name: Add firewall rules - http/s`
			`ansible.posix.firewalld:`
			`service: "{{ item }}"`
			`permanent: true`
			`state: enabled`
			`immediate: true`
			`loop:`
			`- http`
			`- https`

			`- name: Enable and Start nginx`
			`service:`
			`name: nginx`
			`enabled: true`
			`state: started`