mirror of
https://github.com/rocky-linux/infrastructure
synced 2024-12-22 02:58:28 +00:00
Infrastructure GitLab Updates
In this push, we are making a decent amount of updates to the gitlab playbooks as well as updating the README. See below for the changes: * README updated for further clarity * GitLab role with further reconfiguration for group lookups * GitLab role with further reconfiguration to disable built-in nginx * nginx configuration added and provided to work with omnibus * GitLab variables updated
This commit is contained in:
parent
5383853681
commit
c6323199f4
@ -67,6 +67,10 @@ role-* -> These playbooks call roles specifically for infrastructure tasks.
|
||||
on their usage.
|
||||
```
|
||||
|
||||
## Ansible Configuration
|
||||
|
||||
The ansible configuration declares our defaults for our ansible host. This is especially true for the "destinations", where the roles and collections are referenced.
|
||||
|
||||
## Designing Playbooks
|
||||
|
||||
### Pre flight and post flight
|
||||
@ -152,3 +156,13 @@ Right now, this is a good template to start with: https://github.com/Darkbat91/a
|
||||
When pushing to your own forked version of this repository, pre-commit must run to verify your changes. They must be passing to be pushed up. This is an absolute requirement, even for roles.
|
||||
|
||||
When the linter passes, the push will complete and you will be able to open a PR.
|
||||
|
||||
## Initializing the Ansible Host
|
||||
|
||||
When initializing the ansible host, you should be in `./infrastructure/ansible` so that the `ansible.cfg` is used. You will need to run the `init-rocky-ansible-host.yml` playbook and to get started, which will install all the roles and collections required for the playbooks to run.
|
||||
|
||||
```
|
||||
% git clone https://github.com/rocky-linux/infrastructure
|
||||
% cd infrastructure/ansible
|
||||
% ansible-playbook playbooks/init-rocky-ansible-host.yml
|
||||
```
|
||||
|
@ -9,6 +9,11 @@
|
||||
name: httpd
|
||||
state: restarted
|
||||
|
||||
- name: restart_nginx
|
||||
service:
|
||||
name: nginx
|
||||
state: restarted
|
||||
|
||||
- name: reload_networkmanager
|
||||
service:
|
||||
name: NetworkManager
|
||||
@ -22,3 +27,8 @@
|
||||
name: "{{ chrony_service_name }}"
|
||||
state: restarted
|
||||
listen: "chrony service restart"
|
||||
|
||||
- name: restart_gitlab
|
||||
command: gitlab-ctl reconfigure
|
||||
register: gitlab_restart
|
||||
failed_when: gitlab_restart_handler_failed_when | bool
|
||||
|
@ -11,11 +11,13 @@
|
||||
stat:
|
||||
path: /etc/no-ansible
|
||||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
msg: "/etc/no-ansible exists - skipping un on this node"
|
||||
|
||||
- name: Install SELinux packages
|
||||
package:
|
||||
name: python3-policycoreutils.noarch
|
||||
@ -26,6 +28,9 @@
|
||||
state: present
|
||||
|
||||
post_tasks:
|
||||
- name: Reconfigure GitLab
|
||||
import_tasks: tasks/gitlab-reconfigure.yml
|
||||
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
path: /var/log/ansible.run
|
||||
|
90
ansible/playbooks/tasks/gitlab-reconfigure.yml
Normal file
90
ansible/playbooks/tasks/gitlab-reconfigure.yml
Normal file
@ -0,0 +1,90 @@
|
||||
---
|
||||
# We need to do some additional configuration for GitLab to ensure that it
|
||||
# works and operates immediately with FreeIPA.
|
||||
- name: Insert Additional GitLab EE Settings
|
||||
blockinfile:
|
||||
path: /etc/gitlab/gitlab.rb
|
||||
block: |
|
||||
gitlab_rails['ldap_group_base'] = 'cn=groups,cn=accounts,dc=rockylinux,dc=org'
|
||||
gitlab_rails['ldap_admin_group'] = 'cn=gitadm,cn=groups,cn=accounts,dc=rockylinux,dc=org'
|
||||
nginx['enable'] = false
|
||||
nginx['external_users'] = ['nginx']
|
||||
notify: restart_gitlab
|
||||
|
||||
- name: Install nginx normally
|
||||
yum:
|
||||
name: nginx
|
||||
state: present
|
||||
|
||||
- name: Reconfigure Main nginx configuration
|
||||
template:
|
||||
src: "etc/nginx/nginx.conf.j2"
|
||||
dest: "/etc/nginx/nginx.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
backup: true
|
||||
|
||||
- name: Add omnibus nginx configuration
|
||||
template:
|
||||
src: "etc/nginx/conf.d/omnibus.conf.j2"
|
||||
dest: "/etc/nginx/conf.d/omnibus.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
backup: true
|
||||
|
||||
- name: Copy self-signed certificates from GitLab
|
||||
copy:
|
||||
src: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt"
|
||||
dest: "/etc/nginx/ssl/{{ gitlab_domain }}.crt"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
when: gitlab_create_self_signed_cert
|
||||
|
||||
- name: Copy self-signed certificate key
|
||||
copy:
|
||||
src: "/etc/gitlab/ssl/{{ gitlab_domain }}.key"
|
||||
dest: "/etc/nginx/ssl/{{ gitlab_domain }}.key"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
when: gitlab_create_self_signed_cert
|
||||
|
||||
- name: Turn on necessary SELinux booleans
|
||||
ansible.posix.seboolean:
|
||||
name: "{{ item }}"
|
||||
state: true
|
||||
persistent: true
|
||||
loop:
|
||||
- httpd_can_network_connect
|
||||
- httpd_can_network_relay
|
||||
- httpd_read_user_content
|
||||
|
||||
- name: Change fcontext to GitLab unix socket for nginx
|
||||
community.general.sefcontext:
|
||||
target: "/var/opt/gitlab/gitlab-workhorse/sockets/socket"
|
||||
setype: httpd_var_run_t
|
||||
state: present
|
||||
|
||||
- name: Apply fcontext to GitLab unix socket for nginx
|
||||
command: restorecon -v /var/opt/gitlab/gitlab-workhorse/sockets/socket
|
||||
register: restorecon_result
|
||||
changed_when: "restorecon_result == 0"
|
||||
|
||||
- name: Add firewall rules - http/s
|
||||
ansible.posix.firewalld:
|
||||
service: "{{ item }}"
|
||||
permanent: true
|
||||
state: enabled
|
||||
immediate: true
|
||||
loop:
|
||||
- http
|
||||
- https
|
||||
|
||||
- name: Enable and Start nginx
|
||||
service:
|
||||
name: nginx
|
||||
enabled: true
|
||||
state: started
|
90
ansible/playbooks/templates/etc/nginx/conf.d/omnibus.conf.j2
Normal file
90
ansible/playbooks/templates/etc/nginx/conf.d/omnibus.conf.j2
Normal file
@ -0,0 +1,90 @@
|
||||
upstream gitlab-workhorse {
|
||||
# On GitLab versions before 13.5, the location is
|
||||
# `/var/opt/gitlab/gitlab-workhorse/socket`. Change the following line
|
||||
# accordingly.
|
||||
server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
|
||||
}
|
||||
|
||||
## Redirects all HTTP traffic to the HTTPS host
|
||||
server {
|
||||
## Either remove "default_server" from the listen line below,
|
||||
## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
|
||||
## to be served if you visit any address that your server responds to, eg.
|
||||
## the ip address of the server (http://x.x.x.x/)
|
||||
listen 0.0.0.0:80;
|
||||
listen [::]:80 ipv6only=on default_server;
|
||||
server_name {{ gitlab_domain }}; ## Replace this with something like gitlab.example.com
|
||||
server_tokens off; ## Don't show the nginx version number, a security best practice
|
||||
return 301 https://$http_host$request_uri;
|
||||
access_log /var/log/nginx/gitlab_access.log;
|
||||
error_log /var/log/nginx/gitlab_error.log;
|
||||
}
|
||||
|
||||
## HTTPS host
|
||||
server {
|
||||
listen 0.0.0.0:443 ssl;
|
||||
listen [::]:443 ipv6only=on ssl default_server;
|
||||
server_name {{ gitlab_domain }}; ## Replace this with something like gitlab.example.com
|
||||
server_tokens off; ## Don't show the nginx version number, a security best practice
|
||||
root /opt/gitlab/embedded/service/gitlab-rails/public;
|
||||
|
||||
## Strong SSL Security
|
||||
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
|
||||
ssl on;
|
||||
ssl_certificate /etc/nginx/ssl/gitlab.crt;
|
||||
ssl_certificate_key /etc/nginx/ssl/gitlab.key;
|
||||
|
||||
# GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
|
||||
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_timeout 5m;
|
||||
|
||||
## See app/controllers/application_controller.rb for headers set
|
||||
|
||||
## [Optional] Enable HTTP Strict Transport Security
|
||||
## HSTS is a feature improving protection against MITM attacks
|
||||
## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
|
||||
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
|
||||
|
||||
## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
|
||||
## Replace with your ssl_trusted_certificate. For more info see:
|
||||
## - https://medium.com/devops-programming/4445f4862461
|
||||
## - https://www.ruby-forum.com/topic/4419319
|
||||
## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
|
||||
# ssl_stapling on;
|
||||
# ssl_stapling_verify on;
|
||||
# ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
|
||||
# resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
|
||||
# resolver_timeout 5s;
|
||||
|
||||
## [Optional] Generate a stronger DHE parameter:
|
||||
## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
|
||||
##
|
||||
# ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
||||
|
||||
## Individual nginx logs for this GitLab vhost
|
||||
access_log /var/log/nginx/gitlab_access.log;
|
||||
error_log /var/log/nginx/gitlab_error.log;
|
||||
|
||||
location / {
|
||||
client_max_body_size 0;
|
||||
gzip off;
|
||||
|
||||
## https://github.com/gitlabhq/gitlabhq/issues/694
|
||||
## Some requests take more than 30 seconds.
|
||||
proxy_read_timeout 300;
|
||||
proxy_connect_timeout 300;
|
||||
proxy_redirect off;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Ssl on;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_pass http://gitlab-workhorse;
|
||||
}
|
||||
}
|
37
ansible/playbooks/templates/etc/nginx/nginx.conf.j2
Normal file
37
ansible/playbooks/templates/etc/nginx/nginx.conf.j2
Normal file
@ -0,0 +1,37 @@
|
||||
# MANAGED BY ANSIBLE
|
||||
# Hostname: {{ inventory_host }}
|
||||
user nginx;
|
||||
worker_processes auto;
|
||||
error_log /var/log/nginx/error.log;
|
||||
pid /run/nginx.pid;
|
||||
|
||||
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
|
||||
include /usr/share/nginx/modules/*.conf;
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
|
||||
http {
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
|
||||
access_log /var/log/nginx/access.log main;
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 65;
|
||||
types_hash_max_size 2048;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
# Load modular configuration files from the /etc/nginx/conf.d directory.
|
||||
# See http://nginx.org/en/docs/ngx_core_module.html#include
|
||||
# for more information.
|
||||
|
||||
# All server configurations should go here
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
}
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
gitlab_domain: git.rockylinux.org
|
||||
gitlab_external_url: "https://{gitlab_domain}/"
|
||||
gitlab_external_url: "https://{{ gitlab_domain }}/"
|
||||
|
||||
# Location where all the git repositories will be stored.
|
||||
gitlab_git_data_dir: "/var/opt/gitlab/git-data"
|
||||
@ -8,16 +8,17 @@ gitlab_git_data_dir: "/var/opt/gitlab/git-data"
|
||||
gitlab_backup_path: "/var/opt/gitlab/backups"
|
||||
gitlab_edition: "gitlab-ee"
|
||||
gitlab_redirect_http_to_https: "true"
|
||||
|
||||
# SSL Self-signed Certificate Configuration.
|
||||
# Eventually we will have legitimate certificates to use, such as LetsEncrypt
|
||||
gitlab_create_self_signed_cert: "true"
|
||||
gitlab_self_signed_cert_subj: "/C=US/ST=Missouri/L=Saint Louis/O=IT/CN={{ gitlab_domain }}"
|
||||
gitlab_ssl_certificate: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt"
|
||||
gitlab_ssl_certificate_key: "/etc/gitlab/ssl/{{ gitlab_domain }}.key"
|
||||
|
||||
# SSL Self-signed Certificate Configuration.
|
||||
gitlab_create_self_signed_cert: "true"
|
||||
gitlab_self_signed_cert_subj: "/C=US/ST=Missouri/L=Saint Louis/O=IT/CN={{ gitlab_domain }}"
|
||||
|
||||
# LDAP Configuration
|
||||
gitlab_ldap_enabled: "true"
|
||||
gitlab_ldap_host: "rockylinux.org"
|
||||
gitlab_ldap_host: "ipa001.rockylinux.org"
|
||||
gitlab_ldap_port: "389"
|
||||
gitlab_ldap_uid: "uid"
|
||||
gitlab_ldap_method: "start_tls"
|
||||
@ -38,17 +39,17 @@ gitlab_email_display_name: "Gitlab"
|
||||
gitlab_email_reply_to: "gitlab@rockylinux.org"
|
||||
# SMTP configuration
|
||||
gitlab_smtp_enable: "false"
|
||||
gitlab_smtp_address: "smtp.server"
|
||||
gitlab_smtp_port: "465"
|
||||
gitlab_smtp_user_name: "smtp user"
|
||||
gitlab_smtp_password: "smtp password"
|
||||
gitlab_smtp_domain: "rockylinux.org"
|
||||
gitlab_smtp_address: "smtp.gmail.com"
|
||||
gitlab_smtp_port: "587"
|
||||
gitlab_smtp_user_name: "username@gmail.com"
|
||||
gitlab_smtp_password: "whateverThisIs"
|
||||
gitlab_smtp_domain: "gmail.com"
|
||||
gitlab_smtp_authentication: "login"
|
||||
gitlab_smtp_enable_starttls_auto: "true"
|
||||
gitlab_smtp_tls: "false"
|
||||
gitlab_smtp_tls: "true"
|
||||
gitlab_smtp_openssl_verify_mode: "none"
|
||||
gitlab_smtp_ca_path: "/etc/ssl/certs"
|
||||
gitlab_smtp_ca_file: "/etc/ssl/certs/ca-certificates.crt"
|
||||
gitlab_smtp_ca_path: "/etc/pki/tls/certs"
|
||||
gitlab_smtp_ca_file: "/etc/pki/tls/certs/ca-bundle.crt"
|
||||
|
||||
# In case of reverse proxy
|
||||
gitlab_nginx_listen_port: 8080
|
||||
|
Loading…
Reference in New Issue
Block a user