Ansible role gitlab
Install and configure GitLab on your system.
This example is taken from molecule/default/converge.yml and is tested on each push, pull request and release.

```yaml
---
- name: Converge
  hosts: all
  become: true
  gather_facts: true

  pre_tasks:
    - name: Update apt cache.
      apt: update_cache=true cache_valid_time=600
      when: ansible_os_family == 'Debian'

  roles:
    - role: buluma.gitlab
      gitlab_letsencrypt: false
      gitlab_cleanup_ruby: false
      gitlab_trusted_certs:
        - isrgrootx1.pem  # A root certificate for letsencrypt.
```
The machine needs to be prepared. In CI this is done using molecule/default/prepare.yml:

```yaml
---
- name: Prepare
  hosts: all
  become: true
  gather_facts: false

  roles:
    - role: buluma.bootstrap
```
Also see a full explanation and example on how to use these roles.
The default values for the variables are set in defaults/main.yml:

```yaml
---
# defaults file for gitlab

# Specify a specific version for GitLab to install.
# Please have a look at this repository for available package versions:
# community: "https://packages.gitlab.com/gitlab/gitlab-ce"
# enterprise: "https://packages.gitlab.com/gitlab/gitlab-ee"
gitlab_version: "16.9.3"

# A part of the version is the "release", mostly "0". See repositories above.
gitlab_release: 0

# Choose to install "enterprise" or "community".
gitlab_distribution: community

# Would you like Ansible to show you the initial_root_password?
gitlab_show_initial_root_password: false

# Instead of defining the variables below, you can also simply copy a configuration file.
# Place this file into the `files` directory that hosts the playbooks.
# To configure GitLab using variables, comment this line.
# gitlab_configuration_file: gitlab.rb

# The configuration below is only required when **not** placing a configuration file.

# The URL where the gitlab installation will be made available on.
# For "https", let's encrypt will be used.
gitlab_external_url: "http://localhost"

# Set the preferred timezone.
gitlab_rails_time_zone: UTC

# The syntax of `gitlab.rb` will be tested before applying this role. The
# package `ruby` is required for that. By default `ruby` is installed and
# uninstalled. This makes the role not idempotent, so in CI ruby is not
# uninstalled.
gitlab_cleanup_ruby: true

# This role checks for outstanding database migrations. The role will wait for
# migrations to finish. This value is in minutes.
gitlab_database_migrations_retries: 300

# You can install all roles by not specifying any role, or select a few roles.
# gitlab_roles:
#   - redis_sentinel_role
#   - redis_master_role
#   - redis_replica_role
#   - geo_primary_role
#   - geo_secondary_role
#   - postgres_role
#   - consul_role
#   - application_role
#   - monitoring_role

# You can set the default theme for the GitLab UI. Pick any one from:
# indigo, dark, light, blue, green, lightindigo, lightblue, lightgreen,
# red or lightred. (Nerds call "pink" "redlight")
gitlab_default_theme: dark

# You can disable features for newly created projects.
gitlab_default_projects_features_issues: true
gitlab_default_projects_features_merge_requests: true
gitlab_default_projects_features_wiki: true
gitlab_default_projects_features_snippets: true
gitlab_default_projects_features_builds: true
gitlab_default_projects_features_container_registry: true

# LDAP settings.
gitlab_rails_ldap_enabled: false
gitlab_rails_ldap_prevent_ldap_sign_in: false
# When `gitlab_rails_ldap_enabled` is set to `true`, you need to define (at
# least one) `gitlab_rails_ldap_servers`.
# gitlab_rails_ldap_servers:
#   - name: main
#     label: LDAP
#     host: _your_ldap_server
#     port: 389
#     uid: sAMAccountName
#     bind_dn: _the_full_dn_of_the_user_you_will_bind_with
#     password: _the_password_of_the_bind_user
#     # `plain` sends the bind password unencrypted; `start_tls` or `simple_tls`
#     # protect it on the wire.
#     encryption: plain
#     verify_certificates: true
#     smartcard_auth: true
#     active_directory: true
#     allow_username_or_email_login: false
#     lowercase_usernames: false
#     block_auto_created_users: false
#     base: ""
#     user_filter: ""
#     # These settings are only available when `gitlab_distribution` is set to
#     # the value `enterprise`.
#     # group_base: ""
#     # admin_group: ""
#     # sync_ssh_keys: false
#   - name: secondary
#     label: LDAP
#     host: _your_ldap_server
#     port: 389
#     uid: sAMAccountName
#     bind_dn: _the_full_dn_of_the_user_you_will_bind_with
#     password: _the_password_of_the_bind_user
#     encryption: plain
#     verify_certificates: true
#     smartcard_auth: true
#     active_directory: true
#     allow_username_or_email_login: false
#     lowercase_usernames: false
#     block_auto_created_users: false
#     base: ""
#     user_filter: ""
#     # These settings are only available when `gitlab_distribution` is set to
#     # the value `enterprise`.
#     # group_base: ""
#     # admin_group: ""
#     # sync_ssh_keys: false

# Backup settings.
gitlab_rails_manage_backup_path: true
gitlab_rails_backup_path: /var/opt/gitlab/backups
gitlab_rails_backup_gitaly_backup_path: /opt/gitlab/embedded/bin/gitaly-backup
gitlab_rails_backup_archive_permissions: "0644"
gitlab_rails_backup_pg_schema: public
gitlab_rails_backup_keep_time: 604800
# You can save backups on AWS S3.
# gitlab_rails_backup_upload_connection:
#   provider: AWS
#   region: eu-west-1
#   aws_access_key_id: AKIAKIAKI
#   aws_secret_access_key: secret123
#   use_iam_profile: false
# gitlab_rails_backup_upload_remote_directory: my.s3.bucket
# gitlab_rails_backup_multipart_chunk_size: 104857600
# gitlab_rails_backup_encryption: AES256
# gitlab_rails_backup_encryption_key: "base64-encoded encryption key"
# gitlab_rails_backup_upload_storage_options:
#   server_side_encryption: "aws:kms"
#   server_side_encryption_kms_key_id: "arn:aws:kms:YOUR-KEY-ID-HERE"
# gitlab_rails_backup_storage_class: STANDARD
# You can also save a backup on DigitalOcean Spaces.
# gitlab_rails_backup_upload_connection:
#   provider: AWS
#   region: ams3
#   aws_access_key_id: AKIAKIAKI
#   aws_secret_access_key: secret123
#   endpoint: "https://ams3.digitaloceanspaces.com"
# gitlab_rails_backup_upload_remote_directory: my.s3.bucket
# You can skip parts in a backup.
# gitlab_rails_env:
#   SKIP: db,uploads,repositories,builds,artifacts,lfs,registry,pages

# SMTP settings.
gitlab_rails_smtp_enable: true
gitlab_rails_smtp_address: smtp.server
gitlab_rails_smtp_port: 465
gitlab_rails_smtp_user_name: smtp user
gitlab_rails_smtp_password: smtp password
gitlab_rails_smtp_domain: example.com
gitlab_rails_smtp_authentication: login
gitlab_rails_smtp_enable_starttls_auto: true
gitlab_rails_smtp_tls: false
gitlab_rails_smtp_pool: false
# `none` skips verification of the SMTP server certificate; `peer` verifies it
# against `gitlab_rails_smtp_ca_path` / `gitlab_rails_smtp_ca_file`.
gitlab_rails_smtp_openssl_verify_mode: none
gitlab_rails_smtp_ca_path: /etc/ssl/certs
gitlab_rails_smtp_ca_file: /etc/ssl/certs/ca-certificates.crt

# E-mail settings.
gitlab_rails_gitlab_email_enabled: true
gitlab_rails_gitlab_email_from: "example@example.com"
gitlab_rails_gitlab_email_display_name: Example
gitlab_rails_gitlab_email_reply_to: "noreply@example.com"
gitlab_rails_gitlab_email_subject_suffix: ""
gitlab_rails_gitlab_email_smime_enabled: false
gitlab_rails_gitlab_email_smime_key_file: /etc/gitlab/ssl/gitlab_smime.key
gitlab_rails_gitlab_email_smime_cert_file: /etc/gitlab/ssl/gitlab_smime.crt
gitlab_rails_gitlab_email_smime_ca_certs_file: /etc/gitlab/ssl/gitlab_smime_cas.crt

# User settings.
# gitlab_rails['gitlab_default_can_create_group'] = true
# gitlab_rails['gitlab_username_changing_enabled'] = true

# Gravatar settings.
# gitlab_rails['gravatar_plain_url'] = 'http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon'
# gitlab_rails['gravatar_ssl_url'] = 'https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon'

# Cron jobs settings, only when `gitlab_distribution` == `enterprise`.
# gitlab_rails['geo_file_download_dispatch_worker_cron'] = "*/10 * * * *"
# gitlab_rails['geo_repository_sync_worker_cron'] = "*/5 * * * *"
# gitlab_rails['geo_secondary_registry_consistency_worker'] = "* * * * *"
# gitlab_rails['geo_secondary_usage_data_cron_worker'] = "0 0 * * 0"
# gitlab_rails['geo_prune_event_log_worker_cron'] = "*/5 * * * *"
# gitlab_rails['geo_repository_verification_primary_batch_worker_cron'] = "*/5 * * * *"
# gitlab_rails['geo_repository_verification_secondary_scheduler_worker_cron'] = "*/5 * * * *"
# gitlab_rails['ldap_sync_worker_cron'] = "30 1 * * *"
# gitlab_rails['ldap_group_sync_worker_cron'] = "0 * * * *"
# gitlab_rails['historical_data_worker_cron'] = "0 12 * * *"
# gitlab_rails['pseudonymizer_worker_cron'] = "0 23 * * *"
# gitlab_rails['elastic_index_bulk_cron'] = "*/1 * * * *"
# gitlab_rails['analytics_devops_adoption_create_all_snapshots_worker_cron'] = "0 4 * * 0"

# Incoming email settings.
# gitlab_rails['incoming_email_address'] = "gitlab-incoming+%{key}@gmail.com"
# gitlab_rails['incoming_email_email'] = "gitlab-incoming@gmail.com"
# gitlab_rails['incoming_email_password'] = "[REDACTED]"
# gitlab_rails['incoming_email_host'] = "imap.gmail.com"
# gitlab_rails['incoming_email_port'] = 993
# gitlab_rails['incoming_email_ssl'] = true
# gitlab_rails['incoming_email_start_tls'] = false
# gitlab_rails['incoming_email_mailbox_name'] = "inbox"
# gitlab_rails['incoming_email_idle_timeout'] = 60
# gitlab_rails['incoming_email_log_file'] = "/var/log/gitlab/mailroom/mail_room_json.log"
# gitlab_rails['incoming_email_expunge_deleted'] = false
# gitlab_rails['incoming_email_inbox_method'] = 'microsoft_graph'
# gitlab_rails['incoming_email_inbox_options'] = {
#   'tenant_id': 'YOUR-TENANT-ID',
#   'client_id': 'YOUR-CLIENT-ID',
#   'client_secret': 'YOUR-CLIENT-SECRET',
#   'poll_interval': 60  # Optional
# }

# Settings for artifacts.
# gitlab_rails['artifacts_enabled'] = true
# gitlab_rails['artifacts_path'] = "/var/opt/gitlab/gitlab-rails/shared/artifacts"
# gitlab_rails['artifacts_object_store_enabled'] = false
# gitlab_rails['artifacts_object_store_direct_upload'] = false
# gitlab_rails['artifacts_object_store_background_upload'] = true
# gitlab_rails['artifacts_object_store_proxy_download'] = false
# gitlab_rails['artifacts_object_store_remote_directory'] = "artifacts"
# gitlab_rails['artifacts_object_store_connection'] = {
#   'provider' => 'AWS',
#   'region' => 'eu-west-1',
#   'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
#   'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
#   # # The below options configure an S3 compatible host instead of AWS
#   # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.
#   # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
#   # 'host' => 's3.amazonaws.com',
#   # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
# }

# Settings for OmniAuth
# gitlab_rails['omniauth_enabled'] = nil
# gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
# gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
# gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']
# gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
# gitlab_rails['omniauth_block_auto_created_users'] = true
# gitlab_rails['omniauth_auto_link_ldap_user'] = false
# gitlab_rails['omniauth_auto_link_saml_user'] = false
# gitlab_rails['omniauth_auto_link_user'] = ['saml']
# gitlab_rails['omniauth_external_providers'] = ['twitter', 'google_oauth2']
# gitlab_rails['omniauth_allow_bypass_two_factor'] = ['google_oauth2']
# gitlab_rails['omniauth_providers'] = [
#   {
#     "name" => "google_oauth2",
#     "app_id" => "YOUR APP ID",
#     "app_secret" => "YOUR APP SECRET",
#     "args" => { "access_type" => "offline", "approval_prompt" => "" }
#   }
# ]
# gitlab_rails['omniauth_cas3_session_duration'] = 28800
# gitlab_rails['omniauth_saml_message_max_byte_size'] = 250000

# Settings for git storage
# git_data_dirs({
#   "default" => {
#     "path" => "/mnt/nfs-01/git-data"
#   }
# })

# Settings for uploads
# gitlab_rails['uploads_directory'] = "/var/opt/gitlab/gitlab-rails/uploads"
# gitlab_rails['uploads_storage_path'] = "/opt/gitlab/embedded/service/gitlab-rails/public"
# gitlab_rails['uploads_base_dir'] = "uploads/-/system"
# gitlab_rails['uploads_object_store_enabled'] = false
# gitlab_rails['uploads_object_store_direct_upload'] = false
# gitlab_rails['uploads_object_store_background_upload'] = true
# gitlab_rails['uploads_object_store_proxy_download'] = false
# gitlab_rails['uploads_object_store_remote_directory'] = "uploads"
# gitlab_rails['uploads_object_store_connection'] = {
#   'provider' => 'AWS',
#   'region' => 'eu-west-1',
#   'aws_access_key_id' => 'AWS_ACCESS_KEY_ID',
#   'aws_secret_access_key' => 'AWS_SECRET_ACCESS_KEY',
#   # # The below options configure an S3 compatible host instead of AWS
#   # 'host' => 's3.amazonaws.com',
#   # 'aws_signature_version' => 4, # For creation of signed URLs. Set to 2 if provider does not support v4.
#   # 'endpoint' => 'https://s3.amazonaws.com', # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
#   # 'path_style' => false # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
# }

# Database settings
# If you are using the internal database, set `gitlab_rails_db_enabled` to "false".
gitlab_rails_db_enabled: false
gitlab_rails_db_adapter: postgresql
gitlab_rails_db_encoding: unicode
# gitlab_rails_db_collation:
gitlab_rails_db_database: gitlabhq_production
gitlab_rails_db_username: gitlab
# This default is a public placeholder; override it when using an external database.
gitlab_rails_db_password: "Som3P@s5w0rd"
gitlab_rails_db_host: localhost
gitlab_rails_db_port: 5432
# gitlab_rails_db_socket:
# gitlab_rails_db_sslmode:
gitlab_rails_db_sslcompression: 0
# gitlab_rails_db_sslrootcert:
# gitlab_rails_db_sslcert:
# gitlab_rails_db_sslkey:
gitlab_rails_db_prepared_statements: false
gitlab_rails_db_statements_limit: 1000
# gitlab_rails_db_connect_timeout:
# gitlab_rails_db_keepalives:
# gitlab_rails_db_keepalives_idle:
# gitlab_rails_db_keepalives_interval:
# gitlab_rails_db_keepalives_count:
# gitlab_rails_db_tcp_user_timeout:
# gitlab_rails_db_application_name:

# SSL settings
# # If you do not want to use SSL, use this structure.
# gitlab_letsencrypt: false
# gitlab_external_url: "http://gitlab.example.com"  # (No `https` in the value.)
# # If you bring your own certificates, use this structure.
# gitlab_letsencrypt: false
# gitlab_ssl_directory: /etc/gitlab/ssl
# gitlab_ssl_key: some_file.key
# gitlab_ssl_crt: some_file.crt
# # If you'd like to use letsencrypt, use this structure.
# gitlab_letsencrypt: true
# gitlab_letsencrypt_contact_emails:
#   - robert@meinit.nl
# gitlab_acme_staging_endpoint: https://ca.internal/acme/acme/directory
# gitlab_acme_production_endpoint: https://ca.internal/acme/acme/directory
# gitlab_letsencrypt_group: root
# gitlab_letsencrypt_key_size: 2048
# gitlab_letsencrypt_owner: root
# gitlab_letsencrypt_wwwroot: /var/opt/gitlab/nginx/www
# gitlab_letsencrypt_auto_renew: true
# gitlab_letsencrypt_auto_renew_hour: 0
# gitlab_letsencrypt_auto_renew_minute: nil
# gitlab_letsencrypt_auto_renew_day_of_month: nil
# gitlab_letsencrypt_auto_renew_log_directory: /var/log/gitlab/lets-encrypt

# In case you need to trust a (CA) certificate to access remote resources,
# like an LDAP server, download the (CA) certificate, place it in the `files`
# directory and refer to it in the below list.
# gitlab_trusted_certs:
#   - my-ca-1.crt
#   - my-1.crt
```
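The defaults above leave several transport-security choices open (LDAP `encryption: plain`, SMTP `openssl_verify_mode: none`, a placeholder database password, no `gitlab_rails_db_sslmode`). The playbook below is an added example, not part of the role's own molecule scenario, showing how those same role variables can be combined into a deployment where every outbound connection verifies the peer certificate and every secret comes from an Ansible Vault file. Hostnames, DNs, file names and the `vault_*` variable names are placeholders; the `/etc/gitlab/trusted-certs/` path for the root certificate is assumed to be where the role places entries from `gitlab_trusted_certs`.

```yaml
---
# Added example playbook (not from the role's repository). All host names,
# DNs, certificate file names and vault_* variables are placeholders.
- name: Install GitLab with verified LDAP, SMTP and database connections
  hosts: gitlab
  become: true
  gather_facts: true

  vars_files:
    # ansible-vault encrypted file defining vault_ldap_bind_password,
    # vault_smtp_password and vault_db_password (assumed names).
    - vault/gitlab.yml

  pre_tasks:
    - name: Update apt cache.
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 600
      when: ansible_os_family == 'Debian'

  roles:
    - role: buluma.gitlab
      gitlab_external_url: "https://gitlab.example.com"

      # Bring your own certificate instead of Let's Encrypt; both files live in `files/`.
      gitlab_letsencrypt: false
      gitlab_ssl_directory: /etc/gitlab/ssl
      gitlab_ssl_key: gitlab.example.com.key
      gitlab_ssl_crt: gitlab.example.com.crt

      # The internal CA that signed the LDAP, SMTP and PostgreSQL server certificates.
      gitlab_trusted_certs:
        - internal-ca.crt

      # LDAP: STARTTLS with certificate verification, so the bind password
      # never crosses the network in the clear.
      gitlab_rails_ldap_enabled: true
      gitlab_rails_ldap_servers:
        - name: main
          label: Corporate LDAP
          host: ldap.example.com
          port: 389
          uid: sAMAccountName
          bind_dn: "CN=gitlab-bind,OU=Service Accounts,DC=example,DC=com"
          password: "{{ vault_ldap_bind_password }}"
          encryption: start_tls
          verify_certificates: true
          active_directory: true
          allow_username_or_email_login: false
          lowercase_usernames: true
          block_auto_created_users: true
          base: "OU=Users,DC=example,DC=com"
          user_filter: "(memberOf=CN=gitlab-users,OU=Groups,DC=example,DC=com)"

      # SMTP over implicit TLS on 465 with peer verification against the system CA bundle.
      gitlab_rails_smtp_enable: true
      gitlab_rails_smtp_address: smtp.example.com
      gitlab_rails_smtp_port: 465
      gitlab_rails_smtp_user_name: gitlab@example.com
      gitlab_rails_smtp_password: "{{ vault_smtp_password }}"
      gitlab_rails_smtp_domain: example.com
      gitlab_rails_smtp_authentication: login
      gitlab_rails_smtp_tls: true
      gitlab_rails_smtp_enable_starttls_auto: false
      gitlab_rails_smtp_openssl_verify_mode: peer
      gitlab_rails_smtp_ca_file: /etc/ssl/certs/ca-certificates.crt

      # External PostgreSQL: verify-full checks both the certificate chain and the host name.
      gitlab_rails_db_enabled: true
      gitlab_rails_db_host: db.example.com
      gitlab_rails_db_port: 5432
      gitlab_rails_db_username: gitlab
      gitlab_rails_db_password: "{{ vault_db_password }}"
      gitlab_rails_db_sslmode: verify-full
      gitlab_rails_db_sslrootcert: /etc/gitlab/trusted-certs/internal-ca.crt  # assumed location

      # Backups readable by the owner only; keep them for seven days.
      gitlab_rails_backup_archive_permissions: "0600"
      gitlab_rails_backup_keep_time: 604800
```

Run it with `ansible-playbook --ask-vault-pass site.yml` (or a vault password file) so the three secrets are decrypted at run time rather than stored in the inventory. Because `gitlab_cleanup_ruby` is left at its default, the role installs `ruby`, syntax-checks the generated `gitlab.rb`, and removes `ruby` again.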
- pip packages listed in requirements.txt.

The following roles are used to prepare a system. You can prepare your system in another way.

| Requirement | GitHub | Version |
|---|---|---|
| buluma.bootstrap | | |
This role is a part of many compatible roles. Have a look at the documentation of these roles for further information.
This role has been tested on these container images:

| container | tags |
|---|---|
| EL | 8, 9 |
| Ubuntu | focal |
The minimum version of Ansible required is 2.12; tests have been run against:

- The previous version.
- The current version.
- The development version.

If you find issues, please register them in GitHub.