diff --git a/ansible/playbooks/tasks/gitlab-reconfigure.yml b/ansible/playbooks/tasks/gitlab-reconfigure.yml index d64aeae..336aa39 100644 --- a/ansible/playbooks/tasks/gitlab-reconfigure.yml +++ b/ansible/playbooks/tasks/gitlab-reconfigure.yml @@ -1,46 +1,23 @@ --- -- name: Install nginx normally - yum: - name: nginx - state: present - -- name: Reconfigure Main nginx configuration - template: - src: "etc/nginx/nginx.conf.j2" - dest: "/etc/nginx/nginx.conf" - owner: root - group: root - mode: '0644' - backup: true - -- name: Add omnibus nginx configuration - template: - src: "etc/nginx/conf.d/omnibus.conf.j2" - dest: "/etc/nginx/conf.d/omnibus.conf" - owner: root - group: root - mode: '0644' - backup: true - -- name: Copy self-signed certificates from GitLab +- name: Copy certificates from ipa-getcert directory copy: - src: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt" - dest: "/etc/nginx/ssl/{{ gitlab_domain }}.crt" - owner: root + src: "/etc/pki/tls/certs/{{ gitlab_domain }}.crt" + dest: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt" + owner: gitlab-www group: root mode: '0644' remote_src: true - when: gitlab_create_self_signed_cert + when: not gitlab_create_self_signed_cert -- name: Copy self-signed certificate key +- name: Copy keys from ipa-getcert directory copy: - src: "/etc/gitlab/ssl/{{ gitlab_domain }}.key" - dest: "/etc/nginx/ssl/{{ gitlab_domain }}.key" - owner: root + src: "/etc/pki/tls/private/{{ gitlab_domain }}.key" + dest: "/etc/gitlab/ssl/{{ gitlab_domain }}.key" + owner: gitlab-www group: root - mode: '0644' + mode: '0600' remote_src: true - when: gitlab_create_self_signed_cert + when: not gitlab_create_self_signed_cert - name: Symlink the IPA CA file: @@ -50,10 +27,6 @@ group: root state: link -- name: Symlink the hash - command: "openssl rehash /etc/gitlab/trusted-certs" - changed_when: "1 != 1" - - name: Turn on necessary SELinux booleans ansible.posix.seboolean: name: "{{ item }}" 
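Review bot: The two copy tasks hard-code `src: "/etc/pki/tls/certs/{{ gitlab_domain }}.crt"` and `src: "/etc/pki/tls/private/{{ gitlab_domain }}.key"`, while the ipa-getcert request and the fix_gitlab_certs.sh template in this same commit take the locations from `gitlab_ssl_cert` and `gitlab_ssl_key`; if those variables ever point elsewhere, the play copies a different file than the one certmonger maintains. Using `src: "{{ gitlab_ssl_cert }}"` and `src: "{{ gitlab_ssl_key }}"` keeps a single source of truth for the paths. Neither task notifies a handler, so a renewed key copied here is only picked up by the bundled nginx when the separate, gated reconfigure task runs; a `notify` on a handler that runs `gitlab-ctl hup nginx`, as the script already does, would close that gap. The `Symlink the IPA CA` task that closes this hunk continues into the next hunk.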
@@ -65,21 +38,12 @@ - httpd_can_connect_ldap - httpd_read_user_content -- name: Stop nginx - service: - name: nginx - state: stopped - -- name: Change fcontext to GitLab unix socket for nginx - community.general.sefcontext: - target: "/var/opt/gitlab/gitlab-workhorse/sockets/socket" - setype: httpd_var_run_t - state: present - -- name: Apply fcontext to GitLab unix socket for nginx - command: restorecon -v /var/opt/gitlab/gitlab-workhorse/sockets/socket - register: restorecon_result - changed_when: "restorecon_result.rc == 0" +- name: Reconfigure gitlab is we're asked to + command: /usr/bin/gitlab-ctl reconfigure + register: gitlab_ctl_result + changed_when: "gitlab_ctl_result.rc == 0" + when: + - gitlab_reconfigure_only - name: Add firewall rules - http/s ansible.posix.firewalld: @@ -91,15 +55,10 @@ - http - https -- name: Add nginx user to git groups - user: - name: nginx - shell: /sbin/nologin - groups: gitlab-www,git - append: yes - -- name: Enable and Start nginx - service: - name: nginx - enabled: true - state: started +- name: Deploy correct script + template: + src: "usr/local/bin/fix_gitlab_certs.sh" + dest: "/usr/local/bin/fix_gitlab_certs.sh" + owner: root + group: root + mode: '0750' diff --git a/ansible/playbooks/templates/etc/gitlab/rocky_gitlab.rb b/ansible/playbooks/templates/etc/gitlab/rocky_gitlab.rb index 6f1463f..e74cb50 100644 --- a/ansible/playbooks/templates/etc/gitlab/rocky_gitlab.rb +++ b/ansible/playbooks/templates/etc/gitlab/rocky_gitlab.rb @@ -18,6 +18,7 @@ gitlab_rails['gitlab_default_theme'] = "{{ gitlab_default_theme }}" nginx['redirect_http_to_https'] = {{ gitlab_redirect_http_to_https }} nginx['ssl_certificate'] = "{{ gitlab_ssl_certificate }}" nginx['ssl_certificate_key'] = "{{ gitlab_ssl_certificate_key }}" +letsencrypt['enable'] = false # The directory where Git repositories will be stored. git_data_dirs({"default" => {"path" => "{{ gitlab_git_data_dir }}"} }) 
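Review bot: `when: gitlab_reconfigure_only` fails with an undefined-variable error if the variable is set nowhere, and none of the vars/gitlab.yml hunks in this commit defines it; `when: gitlab_reconfigure_only | default(false) | bool` makes the task skip safely by default. `changed_when: "gitlab_ctl_result.rc == 0"` reports changed on every successful run, since a non-zero rc already fails the task, so the task can never report ok; `changed_when: false` or keying on the reconfigure output would be more honest. Because the `openssl rehash /etc/gitlab/trusted-certs` task was dropped earlier in this file, the symlinked IPA CA is presumably only hashed when this gated reconfigure runs, leaving a fresh host without a usable trusted CA until then — confirm. The task name also reads `is we're asked to`; `if we're asked to` is meant.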
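Review bot: `Deploy correct script` runs after the firewall tasks, but the file it writes is the `postcmd` that the ipa-getcert request in vars/gitlab.yml executes on enrolment and renewal; if certmonger issues the certificate before this task has run, the post-command cannot execute and the key in /etc/gitlab/ssl is never refreshed. Moving this template task ahead of the certificate request, or making the certmonger tasks depend on it, removes the ordering gap. The template source `usr/local/bin/fix_gitlab_certs.sh` carries no `.j2` suffix, unlike the other templates referenced in this file — a convention only, but worth aligning.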
@@ -120,8 +121,8 @@ registry_nginx['ssl_certificate_key'] = "{{ gitlab_registry_nginx_ssl_certificat # To change other settings, see: # https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#changing-gitlab-yml-settings -nginx['enable'] = false -nginx['external_users'] = ['nginx'] +#nginx['enable'] = false +#nginx['external_users'] = ['nginx'] {% if gitlab_external_db %} postgresql['enable'] = false diff --git a/ansible/playbooks/templates/usr/local/bin/fix_gitlab_certs.sh b/ansible/playbooks/templates/usr/local/bin/fix_gitlab_certs.sh new file mode 100644 index 0000000..f62e7fa --- /dev/null +++ b/ansible/playbooks/templates/usr/local/bin/fix_gitlab_certs.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +/bin/cp "{{ gitlab_ssl_key }}" /etc/gitlab/ssl/ +/bin/cp "{{ gitlab_ssl_cert }}" /etc/gitlab/ssl/ +/bin/chown gitlab-www /etc/gitlab/ssl/*.{crt,key} +/bin/chmod 600 /etc/gitlab/ssl/*.key +/usr/bin/gitlab-ctl hup nginx diff --git a/ansible/playbooks/vars/gitlab.yml b/ansible/playbooks/vars/gitlab.yml index 0daaf0e..ff51c95 100644 --- a/ansible/playbooks/vars/gitlab.yml +++ b/ansible/playbooks/vars/gitlab.yml @@ -58,8 +58,7 @@ gitlab_smtp_ca_path: "/etc/pki/tls/certs" gitlab_smtp_ca_file: "/etc/pki/tls/certs/ca-bundle.crt" # In case of reverse proxy -gitlab_nginx_listen_port: 8080 -gitlab_nginx_listen_https: "false" +gitlab_nginx_listen_https: "true" gitlab_default_theme: 2 @@ -71,7 +70,7 @@ gitlab_external_db_password: "{{ gitlab_db_pass }}" gitlab_registry_enable: "true" gitlab_registry_external_url: "https://git.rockylinux.org:5050" gitlab_registry_nginx_ssl_certificate: "{{ gitlab_ssl_certificate }}" -gitlab_registry_nginx_ssl_certificate_key: "{{ gitlab_registry_nginx_ssl_certificate_key }}" +gitlab_registry_nginx_ssl_certificate_key: "{{ gitlab_ssl_certificate_key }}" gitlab_trusted_proxies: - 10.100.20.20/32 
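Review bot: Commenting out `nginx['enable'] = false` and `nginx['external_users'] = ['nginx']` instead of deleting them leaves dead configuration that a later reader may re-enable by accident; since this commit removes the external nginx entirely, drop the two lines. If the intent is to record the former setup, a single comment such as `# Bundled nginx is used; the external-nginx settings were removed with the ipa-getcert certificate flow.` says that without leaving a toggle in place.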
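Review bot: The new script copies the private key with `cp` into `/etc/gitlab/ssl/` and only afterwards runs `chmod 600`, so on a fresh host the key exists with umask-derived (typically world-readable) permissions between the two commands, and with no `set -e` a failed copy still falls through to `gitlab-ctl hup nginx`. Creating the files with their final owner and mode in one step via `install(1)` and failing fast removes both problems, and the `chown` glob line becomes unnecessary. The play's own copy tasks give the `.crt` the same `gitlab-www` owner and `0644` mode, so the rewrite below keeps that.
```shell
#!/bin/bash
set -euo pipefail

# install(1) creates each copy with its final owner and mode, so the key is
# never world-readable between a cp and a later chmod.
/usr/bin/install -o gitlab-www -g root -m 0600 "{{ gitlab_ssl_key }}" /etc/gitlab/ssl/
/usr/bin/install -o gitlab-www -g root -m 0644 "{{ gitlab_ssl_cert }}" /etc/gitlab/ssl/
/usr/bin/gitlab-ctl hup nginx
```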
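Review bot: Removing `gitlab_nginx_listen_port` from vars/gitlab.yml while only two hunks of the rocky_gitlab.rb template are visible is risky: if the template still references `{{ gitlab_nginx_listen_port }}` anywhere outside the shown hunks, rendering now fails with an undefined variable. Grep the template for the name before merging, or keep the variable until the reference is confirmed gone. `gitlab_nginx_listen_https: "true"` is a quoted string rather than a boolean, consistent with the neighbouring `gitlab_registry_enable: "true"`, so the template presumably emits it as a bare Ruby literal — fine as long as no consumer treats it as a YAML boolean.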
@@ -80,6 +79,6 @@ ipa_getcert_requested_hostnames: owner: nginx key_location: "{{ gitlab_ssl_key }}" cert_location: "{{ gitlab_ssl_cert }}" - postcmd: "/bin/systemctl restart nginx" + postcmd: "/usr/local/bin/fix_gitlab_certs.sh" cnames: - "git.rockylinux.org"
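Review bot: The ipa-getcert request keeps `owner: nginx` even though this commit stops installing the nginx package and deletes the task that managed the `nginx` user; on a host built fresh from this play that user may not exist, and the request (or the key ownership it sets) would then fail, while the new `postcmd` re-owns the copied files to `gitlab-www` anyway. `owner: root` (the script already re-owns the copies) or `owner: gitlab-www` keeps the request consistent with the new layout — confirm which the ipa_getcert role expects. Because `postcmd` now points at a script that copies from `gitlab_ssl_key`, the same value as `key_location`, the two stay in sync only as long as that variable remains the sole source of the path.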