In this push, we are making a decent amount of updates to the gitlab playbooks as well as updating the README. See below for the changes: * README updated for further clarity * GitLab role with further reconfiguration for group lookups * GitLab role with further reconfiguration to disable built-in nginx * nginx configuration added and provided to work with omnibus * GitLab variables updated
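---
# Post-install configuration for the GitLab omnibus package.
#
# GitLab is pointed at FreeIPA for LDAP group lookups, the bundled nginx is
# switched off, and a system nginx (rendered from this role's templates) is
# placed in front of gitlab-workhorse over its unix socket. The SELinux and
# firewalld tasks at the end are what let that proxy arrangement work on an
# enforcing host.

# We need to do some additional configuration for GitLab to ensure that it
# works and operates immediately with FreeIPA.
- name: Insert Additional GitLab EE Settings
  blockinfile:
    path: /etc/gitlab/gitlab.rb
    block: |
      gitlab_rails['ldap_group_base'] = 'cn=groups,cn=accounts,dc=rockylinux,dc=org'
      gitlab_rails['ldap_admin_group'] = 'cn=gitadm,cn=groups,cn=accounts,dc=rockylinux,dc=org'
      nginx['enable'] = false
      nginx['external_users'] = ['nginx']
  # restart_gitlab is a handler defined elsewhere in the role; it is what
  # makes the new gitlab.rb contents take effect.
  notify: restart_gitlab

- name: Install nginx normally
  yum:
    name: nginx
    state: present

- name: Reconfigure Main nginx configuration
  template:
    src: "etc/nginx/nginx.conf.j2"
    dest: "/etc/nginx/nginx.conf"
    owner: root
    group: root
    mode: '0644'
    backup: true

- name: Add omnibus nginx configuration
  template:
    src: "etc/nginx/conf.d/omnibus.conf.j2"
    dest: "/etc/nginx/conf.d/omnibus.conf"
    owner: root
    group: root
    mode: '0644'
    backup: true

# The copy module does not create missing parent directories, so make sure
# the nginx certificate directory exists before the cert and key are copied.
- name: Ensure nginx ssl directory exists
  file:
    path: /etc/nginx/ssl
    state: directory
    owner: root
    group: root
    mode: '0755'
  when: gitlab_create_self_signed_cert

# The self-signed certificate lives under /etc/gitlab/ssl on the GitLab host
# itself, so the source is on the managed node, not the controller. Without
# remote_src the copy module would look for the file on the control machine.
- name: Copy self-signed certificates from GitLab
  copy:
    src: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt"
    dest: "/etc/nginx/ssl/{{ gitlab_domain }}.crt"
    remote_src: true
    owner: root
    group: root
    mode: '0644'
  when: gitlab_create_self_signed_cert

- name: Copy self-signed certificate key
  copy:
    src: "/etc/gitlab/ssl/{{ gitlab_domain }}.key"
    dest: "/etc/nginx/ssl/{{ gitlab_domain }}.key"
    remote_src: true
    owner: root
    group: root
    # The private key is read by the root-owned nginx master process at
    # startup; no other user needs it, so it must not be world-readable.
    mode: '0600'
  when: gitlab_create_self_signed_cert

# nginx runs in the httpd_t domain; these booleans are what it needs on an
# enforcing host to reach the workhorse socket and relay traffic to it.
- name: Turn on necessary SELinux booleans
  ansible.posix.seboolean:
    name: "{{ item }}"
    state: true
    persistent: true
  loop:
    - httpd_can_network_connect
    - httpd_can_network_relay
    - httpd_read_user_content

- name: Change fcontext to GitLab unix socket for nginx
  community.general.sefcontext:
    target: "/var/opt/gitlab/gitlab-workhorse/sockets/socket"
    setype: httpd_var_run_t
    state: present

# sefcontext only records the labelling rule; restorecon applies it. With -v,
# restorecon prints one line per file it relabels and nothing otherwise, so
# non-empty stdout is the reliable "something changed" signal.
- name: Apply fcontext to GitLab unix socket for nginx
  command: restorecon -v /var/opt/gitlab/gitlab-workhorse/sockets/socket
  register: restorecon_result
  changed_when: restorecon_result.stdout | length > 0

- name: Add firewall rules - http/s
  ansible.posix.firewalld:
    service: "{{ item }}"
    permanent: true
    state: enabled
    immediate: true
  loop:
    - http
    - https

- name: Enable and Start nginx
  service:
    name: nginx
    enabled: true
    state: started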