Infrastructure GitLab Updates

In this push, we are making a decent amount of updates to the gitlab
playbooks as well as updating the README. See below for the changes:

* README updated for further clarity
* GitLab role with further reconfiguration for group lookups
* GitLab role with further reconfiguration to disable built-in nginx
* nginx configuration added and provided to work with omnibus
* GitLab variables updated

ansible/README.md

@@ -67,6 +67,10 @@ role-* -> These playbooks call roles specifically for infrastructure tasks.
           on their usage.
 ```
 
+## Ansible Configuration
+
+The ansible configuration declares our defaults for our ansible host. This is especially true for the "destinations", where the roles and collections are referenced.
+
 ## Designing Playbooks
 
 ### Pre flight and post flight
@@ -152,3 +156,13 @@ Right now, this is a good template to start with: https://github.com/Darkbat91/a
 When pushing to your own forked version of this repository, pre-commit must run to verify your changes. They must be passing to be pushed up. This is an absolute requirement, even for roles.
 
 When the linter passes, the push will complete and you will be able to open a PR.
+
+## Initializing the Ansible Host
+
+When initializing the ansible host, you should be in `./infrastructure/ansible` so that the `ansible.cfg` is used. You will need to run the `init-rocky-ansible-host.yml` playbook and to get started, which will install all the roles and collections required for the playbooks to run.
+
+```
+% git clone https://github.com/rocky-linux/infrastructure
+% cd infrastructure/ansible
+% ansible-playbook playbooks/init-rocky-ansible-host.yml
+```

ansible/playbooks/handlers/main.yml

@@ -9,6 +9,11 @@
     name: httpd
     state: restarted
 
+- name: restart_nginx
+  service:
+    name: nginx
+    state: restarted
+
 - name: reload_networkmanager
   service:
     name: NetworkManager
@@ -22,3 +27,8 @@
     name: "{{ chrony_service_name }}"
     state: restarted
   listen: "chrony service restart"
+
+- name: restart_gitlab
+  command: gitlab-ctl reconfigure
+  register: gitlab_restart
+  failed_when: gitlab_restart_handler_failed_when | bool

ansible/playbooks/role-gitlab-ee.yml

@@ -11,11 +11,13 @@
       stat:
         path: /etc/no-ansible
       register: no_ansible
+
     - name: Verify if we can run ansible
       assert:
         that:
           - "not no_ansible.stat.exists"
         msg: "/etc/no-ansible exists - skipping un on this node"
+
     - name: Install SELinux packages
       package:
         name: python3-policycoreutils.noarch
@@ -26,6 +28,9 @@
       state: present
 
   post_tasks:
+    - name: Reconfigure GitLab
+      import_tasks: tasks/gitlab-reconfigure.yml
+
     - name: Touching run file that ansible has ran here
       file:
         path: /var/log/ansible.run

ansible/playbooks/tasks/gitlab-reconfigure.yml

@@ -0,0 +1,90 @@
+---
+# We need to do some additional configuration for GitLab to ensure that it
+# works and operates immediately with FreeIPA.
+- name: Insert Additional GitLab EE Settings
+  blockinfile:
+    path: /etc/gitlab/gitlab.rb
+    block: |
+      gitlab_rails['ldap_group_base'] = 'cn=groups,cn=accounts,dc=rockylinux,dc=org'
+      gitlab_rails['ldap_admin_group'] = 'cn=gitadm,cn=groups,cn=accounts,dc=rockylinux,dc=org'
+      nginx['enable'] = false
+      nginx['external_users'] = ['nginx']
+  notify: restart_gitlab
+
+- name: Install nginx normally
+  yum:
+    name: nginx
+    state: present
+
+- name: Reconfigure Main nginx configuration
+  template:
+    src: "etc/nginx/nginx.conf.j2"
+    dest: "/etc/nginx/nginx.conf"
+    owner: root
+    group: root
+    mode: '0644'
+    backup: true
+
+- name: Add omnibus nginx configuration
+  template:
+    src: "etc/nginx/conf.d/omnibus.conf.j2"
+    dest: "/etc/nginx/conf.d/omnibus.conf"
+    owner: root
+    group: root
+    mode: '0644'
+    backup: true
+
+- name: Copy self-signed certificates from GitLab
+  copy:
+    src: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt"
+    dest: "/etc/nginx/ssl/{{ gitlab_domain }}.crt"
+    owner: root
+    group: root
+    mode: '0644'
+  when: gitlab_create_self_signed_cert
+
+- name: Copy self-signed certificate key
+  copy:
+    src: "/etc/gitlab/ssl/{{ gitlab_domain }}.key"
+    dest: "/etc/nginx/ssl/{{ gitlab_domain }}.key"
+    owner: root
+    group: root
+    mode: '0644'
+  when: gitlab_create_self_signed_cert
+
+- name: Turn on necessary SELinux booleans
+  ansible.posix.seboolean:
+    name: "{{ item }}"
+    state: true
+    persistent: true
+  loop:
+    - httpd_can_network_connect
+    - httpd_can_network_relay
+    - httpd_read_user_content
+
+- name: Change fcontext to GitLab unix socket for nginx
+  community.general.sefcontext:
+    target: "/var/opt/gitlab/gitlab-workhorse/sockets/socket"
+    setype: httpd_var_run_t
+    state: present
+
+- name: Apply fcontext to GitLab unix socket for nginx
+  command: restorecon -v /var/opt/gitlab/gitlab-workhorse/sockets/socket
+  register: restorecon_result
+  changed_when: "restorecon_result == 0"
+
+- name: Add firewall rules - http/s
+  ansible.posix.firewalld:
+    service: "{{ item }}"
+    permanent: true
+    state: enabled
+    immediate: true
+  loop:
+    - http
+    - https
+
+- name: Enable and Start nginx
+  service:
+    name: nginx
+    enabled: true
+    state: started

ansible/playbooks/templates/etc/nginx/conf.d/omnibus.conf.j2

@@ -0,0 +1,90 @@
+upstream gitlab-workhorse {
+  # On GitLab versions before 13.5, the location is
+  # `/var/opt/gitlab/gitlab-workhorse/socket`. Change the following line
+  # accordingly.
+  server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
+}
+
+## Redirects all HTTP traffic to the HTTPS host
+server {
+  ## Either remove "default_server" from the listen line below,
+  ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
+  ## to be served if you visit any address that your server responds to, eg.
+  ## the ip address of the server (http://x.x.x.x/)
+  listen 0.0.0.0:80;
+  listen [::]:80 ipv6only=on default_server;
+  server_name {{ gitlab_domain }}; ## Replace this with something like gitlab.example.com
+  server_tokens off; ## Don't show the nginx version number, a security best practice
+  return 301 https://$http_host$request_uri;
+  access_log  /var/log/nginx/gitlab_access.log;
+  error_log   /var/log/nginx/gitlab_error.log;
+}
+
+## HTTPS host
+server {
+  listen 0.0.0.0:443 ssl;
+  listen [::]:443 ipv6only=on ssl default_server;
+  server_name {{ gitlab_domain }}; ## Replace this with something like gitlab.example.com
+  server_tokens off; ## Don't show the nginx version number, a security best practice
+  root /opt/gitlab/embedded/service/gitlab-rails/public;
+
+  ## Strong SSL Security
+  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/gitlab.crt;
+  ssl_certificate_key /etc/nginx/ssl/gitlab.key;
+
+  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
+  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_prefer_server_ciphers on;
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_timeout 5m;
+
+  ## See app/controllers/application_controller.rb for headers set
+
+  ## [Optional] Enable HTTP Strict Transport Security
+  ## HSTS is a feature improving protection against MITM attacks
+  ## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
+  # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+
+  ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
+  ## Replace with your ssl_trusted_certificate. For more info see:
+  ## - https://medium.com/devops-programming/4445f4862461
+  ## - https://www.ruby-forum.com/topic/4419319
+  ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
+  # ssl_stapling on;
+  # ssl_stapling_verify on;
+  # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
+  # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
+  # resolver_timeout 5s;
+
+  ## [Optional] Generate a stronger DHE parameter:
+  ##   sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
+  ##
+  # ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+  ## Individual nginx logs for this GitLab vhost
+  access_log  /var/log/nginx/gitlab_access.log;
+  error_log   /var/log/nginx/gitlab_error.log;
+
+  location / {
+    client_max_body_size 0;
+    gzip off;
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
+
+    proxy_http_version 1.1;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-Ssl     on;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   $scheme;
+    proxy_pass http://gitlab-workhorse;
+  }
+}

ansible/playbooks/templates/etc/nginx/nginx.conf.j2

@@ -0,0 +1,37 @@
+# MANAGED BY ANSIBLE
+# Hostname: {{ inventory_host }}
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 2048;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # Load modular configuration files from the /etc/nginx/conf.d directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+
+    # All server configurations should go here
+    include /etc/nginx/conf.d/*.conf;
+}

ansible/playbooks/vars/gitlab.yml

@@ -1,6 +1,6 @@
 ---
 gitlab_domain: git.rockylinux.org
-gitlab_external_url: "https://{gitlab_domain}/"
+gitlab_external_url: "https://{{ gitlab_domain }}/"
 
 # Location where all the git repositories will be stored.
 gitlab_git_data_dir: "/var/opt/gitlab/git-data"
@@ -8,16 +8,17 @@ gitlab_git_data_dir: "/var/opt/gitlab/git-data"
 gitlab_backup_path: "/var/opt/gitlab/backups"
 gitlab_edition: "gitlab-ee"
 gitlab_redirect_http_to_https: "true"
+
+# SSL Self-signed Certificate Configuration.
+# Eventually we will have legitimate certificates to use, such as LetsEncrypt
+gitlab_create_self_signed_cert: "true"
+gitlab_self_signed_cert_subj: "/C=US/ST=Missouri/L=Saint Louis/O=IT/CN={{ gitlab_domain }}"
 gitlab_ssl_certificate: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt"
 gitlab_ssl_certificate_key: "/etc/gitlab/ssl/{{ gitlab_domain }}.key"
 
-# SSL Self-signed Certificate Configuration.
-gitlab_create_self_signed_cert: "true"
-gitlab_self_signed_cert_subj: "/C=US/ST=Missouri/L=Saint Louis/O=IT/CN={{ gitlab_domain }}"
-
 # LDAP Configuration
 gitlab_ldap_enabled: "true"
-gitlab_ldap_host: "rockylinux.org"
+gitlab_ldap_host: "ipa001.rockylinux.org"
 gitlab_ldap_port: "389"
 gitlab_ldap_uid: "uid"
 gitlab_ldap_method: "start_tls"
@@ -38,17 +39,17 @@ gitlab_email_display_name: "Gitlab"
 gitlab_email_reply_to: "gitlab@rockylinux.org"
 # SMTP configuration
 gitlab_smtp_enable: "false"
-gitlab_smtp_address: "smtp.server"
-gitlab_smtp_port: "465"
-gitlab_smtp_user_name: "smtp user"
-gitlab_smtp_password: "smtp password"
-gitlab_smtp_domain: "rockylinux.org"
+gitlab_smtp_address: "smtp.gmail.com"
+gitlab_smtp_port: "587"
+gitlab_smtp_user_name: "username@gmail.com"
+gitlab_smtp_password: "whateverThisIs"
+gitlab_smtp_domain: "gmail.com"
 gitlab_smtp_authentication: "login"
 gitlab_smtp_enable_starttls_auto: "true"
-gitlab_smtp_tls: "false"
+gitlab_smtp_tls: "true"
 gitlab_smtp_openssl_verify_mode: "none"
-gitlab_smtp_ca_path: "/etc/ssl/certs"
-gitlab_smtp_ca_file: "/etc/ssl/certs/ca-certificates.crt"
+gitlab_smtp_ca_path: "/etc/pki/tls/certs"
+gitlab_smtp_ca_file: "/etc/pki/tls/certs/ca-bundle.crt"
 
 # In case of reverse proxy
 gitlab_nginx_listen_port: 8080