From c6323199f4e2cea8a1fd2f91996419c99b1899e2 Mon Sep 17 00:00:00 2001 From: nazunalika Date: Thu, 17 Dec 2020 23:40:14 -0700 Subject: [PATCH] Infrastructure GitLab Updates In this push, we are making a decent amount of updates to the gitlab playbooks as well as updating the README. See below for the changes: * README updated for further clarity * GitLab role with further reconfiguration for group lookups * GitLab role with further reconfiguration to disable built-in nginx * nginx configuration added and provided to work with omnibus * GitLab variables updated --- ansible/README.md | 14 +++ ansible/playbooks/handlers/main.yml | 10 +++ ansible/playbooks/role-gitlab-ee.yml | 5 ++ .../playbooks/tasks/gitlab-reconfigure.yml | 90 +++++++++++++++++++ .../etc/nginx/conf.d/omnibus.conf.j2 | 90 +++++++++++++++++++ .../templates/etc/nginx/nginx.conf.j2 | 37 ++++++++ ansible/playbooks/vars/gitlab.yml | 29 +++--- 7 files changed, 261 insertions(+), 14 deletions(-) create mode 100644 ansible/playbooks/tasks/gitlab-reconfigure.yml create mode 100644 ansible/playbooks/templates/etc/nginx/conf.d/omnibus.conf.j2 create mode 100644 ansible/playbooks/templates/etc/nginx/nginx.conf.j2 diff --git a/ansible/README.md b/ansible/README.md index 0ee9424..094de25 100644 --- a/ansible/README.md +++ b/ansible/README.md @@ -67,6 +67,10 @@ role-* -> These playbooks call roles specifically for infrastructure tasks. on their usage. ``` +## Ansible Configuration + +The ansible configuration declares our defaults for our ansible host. This is especially true for the "destinations", where the roles and collections are referenced. + ## Designing Playbooks ### Pre flight and post flight 
@@ -152,3 +156,13 @@ Right now, this is a good template to start with: https://github.com/Darkbat91/a When pushing to your own forked version of this repository, pre-commit must run to verify your changes. They must be passing to be pushed up. This is an absolute requirement, even for roles. When the linter passes, the push will complete and you will be able to open a PR. + +## Initializing the Ansible Host + +When initializing the ansible host, you should be in `./infrastructure/ansible` so that the `ansible.cfg` is used. You will need to run the `init-rocky-ansible-host.yml` playbook and to get started, which will install all the roles and collections required for the playbooks to run. + +``` +% git clone https://github.com/rocky-linux/infrastructure +% cd infrastructure/ansible +% ansible-playbook playbooks/init-rocky-ansible-host.yml +``` diff --git a/ansible/playbooks/handlers/main.yml b/ansible/playbooks/handlers/main.yml index 1193165..a9f7821 100644 --- a/ansible/playbooks/handlers/main.yml +++ b/ansible/playbooks/handlers/main.yml @@ -9,6 +9,11 @@ name: httpd state: restarted +- name: restart_nginx + service: + name: nginx + state: restarted + - name: reload_networkmanager service: name: NetworkManager @@ -22,3 +27,8 @@ name: "{{ chrony_service_name }}" state: restarted listen: "chrony service restart" + +- name: restart_gitlab + command: gitlab-ctl reconfigure + register: gitlab_restart + failed_when: gitlab_restart_handler_failed_when | bool diff --git a/ansible/playbooks/role-gitlab-ee.yml b/ansible/playbooks/role-gitlab-ee.yml index ff11edf..cd1a9b8 100644 --- a/ansible/playbooks/role-gitlab-ee.yml +++ b/ansible/playbooks/role-gitlab-ee.yml @@ -11,11 +11,13 @@ stat: path: /etc/no-ansible register: no_ansible + - name: Verify if we can run ansible assert: that: - "not no_ansible.stat.exists" msg: "/etc/no-ansible exists - skipping un on this node" + - name: Install SELinux packages package: name: python3-policycoreutils.noarch 
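Review bot: The `restart_gitlab` handler evaluates `gitlab_restart_handler_failed_when | bool`, but nothing in this commit defines `gitlab_restart_handler_failed_when`, so the first time the handler fires it aborts with an undefined-variable error unless the GitLab role's defaults happen to supply that name. If the role does provide it, that dependency deserves a comment above the handler, e.g. `# gitlab_restart_handler_failed_when is supplied by the GitLab role defaults; define it in vars/gitlab.yml if the role is dropped`; otherwise a safe fallback is `failed_when: gitlab_restart_handler_failed_when | default(gitlab_restart.rc != 0) | bool`. Note also that `gitlab-ctl reconfigure` is not a service restart, so a reader expecting `restart_gitlab` to mirror `restart_nginx` above will be surprised — a one-line comment saying the handler re-runs the omnibus reconfigure would help.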
@@ -26,6 +28,9 @@ state: present post_tasks: + - name: Reconfigure GitLab + import_tasks: tasks/gitlab-reconfigure.yml + - name: Touching run file that ansible has ran here file: path: /var/log/ansible.run diff --git a/ansible/playbooks/tasks/gitlab-reconfigure.yml b/ansible/playbooks/tasks/gitlab-reconfigure.yml new file mode 100644 index 0000000..8dde5da --- /dev/null +++ b/ansible/playbooks/tasks/gitlab-reconfigure.yml 
@@ -0,0 +1,90 @@
+---
+# We need to do some additional configuration for GitLab to ensure that it
+# works and operates immediately with FreeIPA.
+- name: Insert Additional GitLab EE Settings
+ blockinfile:
+ path: /etc/gitlab/gitlab.rb
+ block: |
+ gitlab_rails['ldap_group_base'] = 'cn=groups,cn=accounts,dc=rockylinux,dc=org'
+ gitlab_rails['ldap_admin_group'] = 'cn=gitadm,cn=groups,cn=accounts,dc=rockylinux,dc=org'
+ nginx['enable'] = false
+ nginx['external_users'] = ['nginx']
+ notify: restart_gitlab
+
+- name: Install nginx normally
+ yum:
+ name: nginx
+ state: present
+
+- name: Reconfigure Main nginx configuration
+ template:
+ src: "etc/nginx/nginx.conf.j2"
+ dest: "/etc/nginx/nginx.conf"
+ owner: root
+ group: root
+ mode: '0644'
+ backup: true
+
+- name: Add omnibus nginx configuration
+ template:
+ src: "etc/nginx/conf.d/omnibus.conf.j2"
+ dest: "/etc/nginx/conf.d/omnibus.conf"
+ owner: root
+ group: root
+ mode: '0644'
+ backup: true
+
+- name: Copy self-signed certificates from GitLab
+ copy:
+ src: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt"
+ dest: "/etc/nginx/ssl/{{ gitlab_domain }}.crt"
+ owner: root
+ group: root
+ mode: '0644'
+ when: gitlab_create_self_signed_cert
+
+- name: Copy self-signed certificate key
+ copy:
+ src: "/etc/gitlab/ssl/{{ gitlab_domain }}.key"
+ dest: "/etc/nginx/ssl/{{ gitlab_domain }}.key"
+ owner: root
+ group: root
+ mode: '0644'
+ when: gitlab_create_self_signed_cert
+
+- name: Turn on necessary SELinux booleans
+ ansible.posix.seboolean:
+ name: "{{ item }}"
+ state: true
+ persistent: true
+ loop:
+ - httpd_can_network_connect
+ - httpd_can_network_relay
+ - httpd_read_user_content
+
+- name: Change fcontext to GitLab unix socket for nginx
+ community.general.sefcontext:
+ target: "/var/opt/gitlab/gitlab-workhorse/sockets/socket"
+ setype: httpd_var_run_t
+ state: present
+
+- name: Apply fcontext to GitLab unix socket for nginx
+ command: restorecon -v /var/opt/gitlab/gitlab-workhorse/sockets/socket
+ register: restorecon_result
+ changed_when: "restorecon_result == 0"
+
+- name: Add firewall rules - http/s
+ ansible.posix.firewalld:
+ service: "{{ item }}"
+ permanent: true
+ state: enabled
+ immediate: true
+ loop:
+ - http
+ - https
+
+- name: Enable and Start nginx
+ service:
+ name: nginx
+ enabled: true
+ state: started
diff --git a/ansible/playbooks/templates/etc/nginx/conf.d/omnibus.conf.j2 b/ansible/playbooks/templates/etc/nginx/conf.d/omnibus.conf.j2
new file mode 100644
index 0000000..9bf023c
--- /dev/null
+++ b/ansible/playbooks/templates/etc/nginx/conf.d/omnibus.conf.j2
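Review bot: The private key is installed with `mode: '0644'` in the `Copy self-signed certificate key` task, which leaves it world-readable on the host; nginx's master process reads the key as root, so `mode: '0600'` is sufficient. Both copy tasks also lack `remote_src: true`, so `src` is resolved on the control node instead of in the GitLab host's `/etc/gitlab/ssl/`, and nothing creates `/etc/nginx/ssl` before the copy, so the tasks fail as written. Their `when: gitlab_create_self_signed_cert` should be `when: gitlab_create_self_signed_cert | bool`, because vars/gitlab.yml quotes that value as the string "true" and the string "false" would be truthy too. Separately, `notify: restart_gitlab` is deferred to the end of the play, so if the GitLab role has already reconfigured with omnibus nginx enabled it still holds ports 80/443 when `Enable and Start nginx` runs; a `meta: flush_handlers` right after the blockinfile task fixes the ordering, and `changed_when: "restorecon_result == 0"` compares the registered result dict with 0 (always false) and should test `restorecon_result.stdout != ""` since `restorecon -v` only prints files it relabels. The rewritten tasks below show the handler flush, the directory creation and the key copy; apply the same `remote_src` and `| bool` changes to the certificate copy task.
```yaml
- name: Insert Additional GitLab EE Settings
  # … unchanged: blockinfile task body …
  notify: restart_gitlab

- name: Apply gitlab.rb changes now so omnibus nginx releases ports 80/443
  meta: flush_handlers

# … unchanged: nginx install and template tasks …

- name: Create nginx ssl directory
  file:
    path: /etc/nginx/ssl
    state: directory
    owner: root
    group: root
    mode: '0750'

- name: Copy self-signed certificate key
  copy:
    src: "/etc/gitlab/ssl/{{ gitlab_domain }}.key"
    dest: "/etc/nginx/ssl/{{ gitlab_domain }}.key"
    remote_src: true
    owner: root
    group: root
    mode: '0600'
  when: gitlab_create_self_signed_cert | bool

# … unchanged: SELinux, restorecon, firewalld and service tasks …
```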
@@ -0,0 +1,90 @@
+upstream gitlab-workhorse {
+ # On GitLab versions before 13.5, the location is
+ # `/var/opt/gitlab/gitlab-workhorse/socket`. Change the following line
+ # accordingly.
+ server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
+}
+
+## Redirects all HTTP traffic to the HTTPS host
+server {
+ ## Either remove "default_server" from the listen line below,
+ ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
+ ## to be served if you visit any address that your server responds to, eg.
+ ## the ip address of the server (http://x.x.x.x/)
+ listen 0.0.0.0:80;
+ listen [::]:80 ipv6only=on default_server;
+ server_name {{ gitlab_domain }}; ## Replace this with something like gitlab.example.com
+ server_tokens off; ## Don't show the nginx version number, a security best practice
+ return 301 https://$http_host$request_uri;
+ access_log /var/log/nginx/gitlab_access.log;
+ error_log /var/log/nginx/gitlab_error.log;
+}
+
+## HTTPS host
+server {
+ listen 0.0.0.0:443 ssl;
+ listen [::]:443 ipv6only=on ssl default_server;
+ server_name {{ gitlab_domain }}; ## Replace this with something like gitlab.example.com
+ server_tokens off; ## Don't show the nginx version number, a security best practice
+ root /opt/gitlab/embedded/service/gitlab-rails/public;
+
+ ## Strong SSL Security
+ ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
+ ssl on;
+ ssl_certificate /etc/nginx/ssl/gitlab.crt;
+ ssl_certificate_key /etc/nginx/ssl/gitlab.key;
+
+ # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
+ ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 5m;
+
+ ## See app/controllers/application_controller.rb for headers set
+
+ ## [Optional] Enable HTTP Strict Transport Security
+ ## HSTS is a feature improving protection against MITM attacks
+ ## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
+ # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+
+ ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
+ ## Replace with your ssl_trusted_certificate. For more info see:
+ ## - https://medium.com/devops-programming/4445f4862461
+ ## - https://www.ruby-forum.com/topic/4419319
+ ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
+ # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
+ # resolver_timeout 5s;
+
+ ## [Optional] Generate a stronger DHE parameter:
+ ## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
+ ##
+ # ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ ## Individual nginx logs for this GitLab vhost
+ access_log /var/log/nginx/gitlab_access.log;
+ error_log /var/log/nginx/gitlab_error.log;
+
+ location / {
+ client_max_body_size 0;
+ gzip off;
+
+ ## https://github.com/gitlabhq/gitlabhq/issues/694
+ ## Some requests take more than 30 seconds.
+ proxy_read_timeout 300;
+ proxy_connect_timeout 300;
+ proxy_redirect off;
+
+ proxy_http_version 1.1;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://gitlab-workhorse;
+ }
+}
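Review bot: The HTTPS server block points at `/etc/nginx/ssl/gitlab.crt` and `/etc/nginx/ssl/gitlab.key`, but the tasks in gitlab-reconfigure.yml install the files as `/etc/nginx/ssl/{{ gitlab_domain }}.crt` and `.key`, so nginx will refuse to start with a missing-certificate error; the template should use `ssl_certificate /etc/nginx/ssl/{{ gitlab_domain }}.crt;` and `ssl_certificate_key /etc/nginx/ssl/{{ gitlab_domain }}.key;`. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still offers protocol versions that are deprecated and that the "Strong SSL Security" comment above it argues against; `ssl_protocols TLSv1.2 TLSv1.3;` is the usual choice, with TLSv1.3 dropped if the packaged nginx build does not support it, and the 3DES entries (`ECDHE-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`) can be removed from `ssl_ciphers` at the same time. `ssl on;` is redundant with the `ssl` parameter already on both `listen` lines and is a deprecated directive. Since the port-80 block already redirects everything to HTTPS, the commented-out `add_header Strict-Transport-Security` line is worth enabling rather than leaving as a TODO.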
diff --git a/ansible/playbooks/templates/etc/nginx/nginx.conf.j2 b/ansible/playbooks/templates/etc/nginx/nginx.conf.j2
new file mode 100644
index 0000000..273f1e8
--- /dev/null
+++ b/ansible/playbooks/templates/etc/nginx/nginx.conf.j2
@@ -0,0 +1,37 @@
+# MANAGED BY ANSIBLE
+# Hostname: {{ inventory_host }}
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ # Load modular configuration files from the /etc/nginx/conf.d directory.
+ # See http://nginx.org/en/docs/ngx_core_module.html#include
+ # for more information.
+
+ # All server configurations should go here
+ include /etc/nginx/conf.d/*.conf;
+}
diff --git a/ansible/playbooks/vars/gitlab.yml b/ansible/playbooks/vars/gitlab.yml
index 9fbb8b8..fab96a8 100644
--- a/ansible/playbooks/vars/gitlab.yml
+++ b/ansible/playbooks/vars/gitlab.yml
@@ -1,6 +1,6 @@
 ---
 gitlab_domain: git.rockylinux.org
-gitlab_external_url: "https://{gitlab_domain}/"
+gitlab_external_url: "https://{{ gitlab_domain }}/" # Location where all the git repositories will be stored. gitlab_git_data_dir: "/var/opt/gitlab/git-data"
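Review bot: `# Hostname: {{ inventory_host }}` on the second line references a variable Ansible does not define — the built-in is `inventory_hostname` — so the template task fails with an undefined-variable error on every host unless the playbook sets `inventory_host` somewhere not shown here; the line should read `# Hostname: {{ inventory_hostname }}`. The `http` block sets no `server_tokens off;`, so any vhost dropped into conf.d that forgets it (and nginx's own error pages for requests that match no server block) will advertise the version; adding `server_tokens off;` once here alongside `sendfile on;` removes the per-vhost repetition in omnibus.conf.j2.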
@@ -8,16 +8,17 @@ gitlab_git_data_dir: "/var/opt/gitlab/git-data" gitlab_backup_path: "/var/opt/gitlab/backups" gitlab_edition: "gitlab-ee" gitlab_redirect_http_to_https: "true" + +# SSL Self-signed Certificate Configuration. +# Eventually we will have legitimate certificates to use, such as LetsEncrypt +gitlab_create_self_signed_cert: "true" +gitlab_self_signed_cert_subj: "/C=US/ST=Missouri/L=Saint Louis/O=IT/CN={{ gitlab_domain }}" gitlab_ssl_certificate: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt" gitlab_ssl_certificate_key: "/etc/gitlab/ssl/{{ gitlab_domain }}.key" -# SSL Self-signed Certificate Configuration. -gitlab_create_self_signed_cert: "true" -gitlab_self_signed_cert_subj: "/C=US/ST=Missouri/L=Saint Louis/O=IT/CN={{ gitlab_domain }}" - # LDAP Configuration gitlab_ldap_enabled: "true" -gitlab_ldap_host: "rockylinux.org" +gitlab_ldap_host: "ipa001.rockylinux.org" gitlab_ldap_port: "389" gitlab_ldap_uid: "uid" gitlab_ldap_method: "start_tls" @@ -38,17 +39,17 @@ gitlab_email_display_name: "Gitlab" gitlab_email_reply_to: "gitlab@rockylinux.org" # SMTP configuration gitlab_smtp_enable: "false" -gitlab_smtp_address: "smtp.server" -gitlab_smtp_port: "465" -gitlab_smtp_user_name: "smtp user" -gitlab_smtp_password: "smtp password" -gitlab_smtp_domain: "rockylinux.org" +gitlab_smtp_address: "smtp.gmail.com" +gitlab_smtp_port: "587" +gitlab_smtp_user_name: "username@gmail.com" +gitlab_smtp_password: "whateverThisIs" +gitlab_smtp_domain: "gmail.com" gitlab_smtp_authentication: "login" gitlab_smtp_enable_starttls_auto: "true" -gitlab_smtp_tls: "false" +gitlab_smtp_tls: "true" gitlab_smtp_openssl_verify_mode: "none" -gitlab_smtp_ca_path: "/etc/ssl/certs" -gitlab_smtp_ca_file: "/etc/ssl/certs/ca-certificates.crt" +gitlab_smtp_ca_path: "/etc/pki/tls/certs" +gitlab_smtp_ca_file: "/etc/pki/tls/certs/ca-bundle.crt" # In case of reverse proxy gitlab_nginx_listen_port: 8080
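Review bot: `gitlab_smtp_tls` is switched to "true" but `gitlab_smtp_openssl_verify_mode: "none"` is kept, so the SMTP client will accept any certificate on the connection to `smtp.gmail.com`; with `gitlab_smtp_ca_file` now pointing at the system bundle, `gitlab_smtp_openssl_verify_mode: "peer"` is the setting that actually makes the TLS switch meaningful. `gitlab_smtp_password: "whateverThisIs"` and the `username@gmail.com` user name are placeholder credentials committed to a plain vars file; even with `gitlab_smtp_enable: "false"` today they should come from an Ansible Vault value (`gitlab_smtp_password: !vault |` or a `lookup`) so a real password is never pasted in here later and left in history. The boolean-like settings in this file (`gitlab_create_self_signed_cert`, `gitlab_ldap_enabled`, `gitlab_smtp_tls`) are all quoted strings, which is fine for the omnibus template but means every `when:` that tests them must use `| bool`; a comment at the top of the file saying so would stop the next reader from writing `when: gitlab_create_self_signed_cert` as the new task file does.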