{{ ansible_managed | comment }}
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
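version: '2.1'

# Template block tags (if/endif) are deliberately flush-left: the template
# engine then drops the whole tag line, so no stray indentation reaches the
# rendered compose file. Do not put a YAML comment at column 0 inside the
# GITLAB_OMNIBUS_CONFIG block scalar, it would terminate the scalar.
services:
  web:
    # Templated scalars are quoted so a tag such as 13.10 or a size such as 4g
    # is never re-typed by the YAML parser.
    image: "docker.io/gitlab/gitlab-ce:{{ gitlab_version }}"
    hostname: '{{ gitlab_domain }}'
    mem_limit: "{{ gitlab_memory_limit }}"
    memswap_limit: "{{ gitlab_memoryswap_limit }}"
    # The rendered GITLAB_OMNIBUS_CONFIG embeds the SMTP password, the IMAP
    # password and (when set) the SAML private key. Anyone who can read the
    # rendered file or run `docker inspect` on the container can read them, so
    # keep file permissions and Docker socket access restricted.
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://{{ gitlab_domain }}'
        gitlab_rails['gitlab_shell_ssh_port'] = {{ gitlab_ssh_port }}
        # TLS is terminated by the reverse proxy (see the traefik labels); the
        # bundled nginx only serves plain HTTP on port 80 inside the container.
        letsencrypt['enable'] = false
        nginx['listen_https'] = false
        nginx['listen_port'] = 80
        # Only proxies in this range may set the client IP via X-Forwarded-For;
        # it covers the Docker bridge networks the proxy is attached to.
        nginx['real_ip_trusted_addresses'] = [ '172.16.0.0/12' ]
        nginx['gzip_enabled'] = false
        prometheus_monitoring['enable'] = false
        # CSP config (report_only = false: violations are blocked, not just reported)
        gitlab_rails['content_security_policy'] = {
          enabled: true,
          report_only: false,
          directives: {
            default_src: "'self' {{ gitlab_csp.default_src | default(" ") }}",
            # 'unsafe-eval' weakens script-src; keep the extra script sources short.
            script_src: "'self' {{ gitlab_csp.script_src | default(" ") }} 'unsafe-eval'",
            # The directive is frame_ancestors (plural). The singular spelling is
            # not a CSP directive and provides no clickjacking protection.
            frame_ancestors: "'self'",
            frame_src: "'self' {{ gitlab_csp.frame_src | default(" ") }}",
            img_src: "'self' https://{{ gitlab_libravatar_ssl }} {{ gitlab_csp.img_src | default(" ") }} data: blob:",
            style_src: "'self' 'unsafe-inline'",
            worker_src: "'self' blob:",
            object_src: "'none'"
          }
        }
        # Mail settings
        gitlab_rails['smtp_enable'] = true
        gitlab_rails['smtp_address'] = "{{ gitlab_smtp_address }}"
        gitlab_rails['smtp_port'] = {{ gitlab_smtp_port }}
        gitlab_rails['smtp_user_name'] = "{{ gitlab_smtp_user_name }}"
        gitlab_rails['smtp_password'] = "{{ gitlab_smtp_password }}"
        gitlab_rails['smtp_authentication'] = "login"
        # NOTE(review): smtp_domain reuses the SMTP server address rather than a
        # dedicated mail domain -- confirm this is intended.
        gitlab_rails['smtp_domain'] = "{{ gitlab_smtp_address }}"
        gitlab_rails['smtp_tls'] = {{ gitlab_smtp_tls }}
        # 'peer' makes the SMTP server certificate check mandatory; do not relax it.
        gitlab_rails['smtp_openssl_verify_mode'] = 'peer'
        gitlab_rails['gitlab_email_from'] = '{{ gitlab_email_from }}'
        gitlab_rails['gitlab_email_reply_to'] = '{{ gitlab_email_reply_to }}'
        # Use Libravatar
        gitlab_rails['gravatar_enabled'] = true
        gitlab_rails['gravatar_plain_url'] = "http://{{ gitlab_libravatar_plain }}/avatar/%{hash}?s=%{size}&d=identicon"
        gitlab_rails['gravatar_ssl_url'] = "https://{{ gitlab_libravatar_ssl }}/avatar/%{hash}?s=%{size}&d=identicon"
{% if gitlab_imap.enabled %}
        gitlab_rails['incoming_email_enabled'] = true
        # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
        # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
        #gitlab_rails['incoming_email_address'] = "incoming+%{key}@gitlab.example.com"
        gitlab_rails['incoming_email_address'] = "{{ gitlab_imap.email_address }}"
        # Email account username
        # With third party providers, this is usually the full email address.
        # With self-hosted email servers, this is usually the user part of the email address.
        gitlab_rails['incoming_email_email'] = "{{ gitlab_imap.username }}"
        # Email account password
        gitlab_rails['incoming_email_password'] = "{{ gitlab_imap.password }}"
        # IMAP server host
        gitlab_rails['incoming_email_host'] = "{{ gitlab_imap.server_address }}"
        # IMAP server port (implicit TLS, see incoming_email_ssl below)
        gitlab_rails['incoming_email_port'] = 993
        # Whether the IMAP server uses SSL
        gitlab_rails['incoming_email_ssl'] = true
        # Whether the IMAP server uses StartTLS
        gitlab_rails['incoming_email_start_tls'] = false
        # The mailbox where incoming mail will end up. Usually "inbox".
        gitlab_rails['incoming_email_mailbox_name'] = "inbox"
        # The IDLE command timeout.
        gitlab_rails['incoming_email_idle_timeout'] = 60
{% endif %}
{% if gitlab_packages.enabled %}
        # Gitlab packages
        gitlab_rails['packages_enabled'] = true
{% endif %}
{% if gitlab_dependency_proxy.enabled %}
        # Gitlab dependency proxy
        gitlab_rails['dependency_proxy_enabled'] = true
{% endif %}
{% if gitlab_registry.enabled %}
        # Gitlab registry: plain HTTP on 5040 inside the container, TLS at the proxy
        gitlab_rails['registry_enabled'] = true
        gitlab_rails['registry_host'] = "{{ gitlab_registry_domain }}"
        registry_external_url "https://{{ gitlab_registry_domain }}{% if gitlab_registry.external_port is defined %}:{{ gitlab_registry.external_port }}{% endif %}"
        registry_nginx['listen_port'] = 5040
        registry_nginx['listen_https'] = false
{% endif %}
{% if gitlab_saml.enabled %}
        # SAML settings
        gitlab_rails['omniauth_enabled'] = true
        gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
        # Accounts auto-created through SAML are not blocked pending approval.
        gitlab_rails['omniauth_block_auto_created_users'] = false
        gitlab_rails['omniauth_auto_link_ldap_user'] = false
        gitlab_rails['omniauth_auto_link_saml_user'] = false
        gitlab_rails['omniauth_external_providers'] = []
        gitlab_rails['omniauth_providers'] = [
          {
            name: 'saml',
            label: '{{ gitlab_saml.label }}',
            groups_attribute: '{{ gitlab_saml.groups_attribute }}',
            # NOTE(review): rendered as a one-element list; if the variable is
            # itself a list it becomes a single string -- confirm its type.
            external_groups: [ '{{ gitlab_saml.external_groups }}' ],
            args: {
              assertion_consumer_service_url: 'https://{{ gitlab_domain }}/users/auth/saml/callback',
              idp_cert_fingerprint: '{{ gitlab_saml.idp_cert_fingerprint }}',
              idp_sso_target_url: '{{ gitlab_saml.idp_sso_target_url }}',
              idp_slo_target_url: '{{ gitlab_saml.idp_slo_target_url }}',
{% if gitlab_saml.certificate is defined and gitlab_saml.private_key is defined %}
              # The PEM body and END lines sit at the block scalar's base indent
              # on purpose so no leading spaces end up inside the PEM strings.
              certificate: '-----BEGIN CERTIFICATE-----
        {{ gitlab_saml.certificate }}
        -----END CERTIFICATE-----',
              private_key: '-----BEGIN RSA PRIVATE KEY-----
        {{ gitlab_saml.private_key }}
        -----END RSA PRIVATE KEY-----',
              # Sign our AuthnRequests and require signed assertions (SHA-256).
              security: {
                authn_requests_signed: true,
                want_assertions_signed: true,
                embed_sign: true,
                signature_method: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
                digest_method: 'http://www.w3.org/2001/04/xmlenc#sha256',
              },
{% endif %}
              issuer: '{{ gitlab_saml.issuer }}',
              attribute_statements: {
                first_name: [ '{{ gitlab_saml.attribute_statements.first_name }}' ],
                last_name: [ '{{ gitlab_saml.attribute_statements.last_name }}' ],
                name: [ '{{ gitlab_saml.attribute_statements.name }}' ],
                username: [ '{{ gitlab_saml.attribute_statements.username }}' ],
                email: [ '{{ gitlab_saml.attribute_statements.email }}' ] },
              name_identifier_format: '{{ gitlab_saml.name_identifier_format }}',
              # Authn contexts the IdP may report as already-completed second factor.
              upstream_two_factor_authn_contexts:
                %w(
                  urn:oasis:names:tc:SAML:2.0:ac:classes:CertificateProtectedTransport
                  urn:oasis:names:tc:SAML:2.0:ac:classes:SecondFactorOTPSMS
                  urn:oasis:names:tc:SAML:2.0:ac:classes:SecondFactorIGTOKEN
                )
            }
          }
        ]
{% if gitlab_saml.autologin %}
        gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
{% endif %}
{% endif %}
{% if gitlab_log_tmpfs %}
        # Logs live on a tmpfs (see the tmpfs entry below): keep only 5 files
        # of 10 MiB each per log so the tmpfs cannot overflow.
        logging['svlogd_size'] = 10 * 1024 * 1024
        logging['svlogd_num'] = 5
        logging['logrotate_maxsize'] = 10 * 1024 * 1024
        logging['logrotate_rotate'] = 5
{% endif %}
    labels:
      - "traefik.http.routers.gitlab.rule=Host(`{{ gitlab_domain }}`) && PathPrefix(`/`)"
      - "traefik.http.routers.gitlab.entrypoints=websecure"
      - "traefik.http.routers.gitlab.tls=true"
      - "traefik.http.routers.gitlab.tls.certresolver={{ gitlab_traefik_certresolver }}"
      - "traefik.http.routers.gitlab.middlewares=gitlab,compress"
      - "traefik.http.routers.gitlab.service=gitlab"
      - "traefik.http.services.gitlab.loadbalancer.server.port=80"
{% if gitlab_registry.enabled %}
      - "traefik.http.routers.gitlab-registry.rule=Host(`{{ gitlab_registry_domain }}`) && PathPrefix(`/`)"
      - "traefik.http.routers.gitlab-registry.entrypoints={{ gitlab_registry.traefik_entrypoint | default('websecure') }}"
      - "traefik.http.routers.gitlab-registry.tls=true"
      - "traefik.http.routers.gitlab-registry.tls.certresolver={{ gitlab_traefik_certresolver }}"
      - "traefik.http.routers.gitlab-registry.middlewares=gitlab,compress"
      - "traefik.http.routers.gitlab-registry.service=gitlab-registry"
      - "traefik.http.services.gitlab-registry.loadbalancer.server.port=5040"
{% endif %}
      # Force HTTPS and send HSTS for two years (63072000 s).
      - "traefik.http.middlewares.gitlab.headers.sslredirect=true"
      - "traefik.http.middlewares.gitlab.headers.stsSeconds=63072000"
      - "traefik.enable=true"
{% if proxy_network is defined %}
      - "traefik.docker.network={{ proxy_network }}"
{% endif %}
{% if proxy_hiddenservice is defined and proxy_hiddenservice.content is defined %}
      # Advertise the onion service via Alt-Svc (ma = 30 days).
      - "traefik.http.middlewares.gitlab.headers.customresponseheaders.alt-svc=h2={{ proxy_hiddenservice['content'] | b64decode | trim }}:443; ma=2592000"
{% endif %}
    volumes:
      - "{{ gitlab_data_location }}:/var/opt/gitlab"
      # /etc/gitlab holds the instance configuration and generated secrets;
      # keep the host directory's permissions tight.
      - "{{ gitlab_config_location }}:/etc/gitlab"
{% if not gitlab_log_tmpfs %}
      - "{{ gitlab_log_location }}:/var/log/gitlab"
{% endif %}
{% if gitlab_log_tmpfs %}
    tmpfs:
      # noexec,nodev,nosuid: nothing in the log tmpfs can be executed or
      # used as a device; size cap pairs with the log rotation settings above.
      - "/var/log/gitlab:size=256M,noexec,nodev,nosuid,rw"
{% endif %}
    restart: always
    ports:
      # No host address given, so SSH is published on all host interfaces.
      - "{{ gitlab_ssh_port }}:22"
{% if proxy_network is defined or gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
    networks:
{% if proxy_network is defined %}
      {{ proxy_network }}:
{% endif %}
{% if gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
      gitlab-ipv6:
{% endif %}
{% endif %}
{% if gitlab_telegraf.enabled %}
  telegraf:
    image: "docker.io/library/telegraf:{{ gitlab_telegraf_version }}"
    restart: always
    mem_limit: 256mb
    memswap_limit: 384mb
    # Immutable root filesystem; the config is mounted read-only as well.
    read_only: true
    volumes:
      - "{{ gitlab_telegraf_location }}:/etc/telegraf/:ro"
{% endif %}
{% if proxy_network is defined or gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
networks:
{% if proxy_network is defined %}
  # Pre-existing network shared with the reverse proxy; not created here.
  {{ proxy_network }}:
    external: true
{% endif %}
{% if gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
  gitlab-ipv6:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: "{{ gitlab_ipv6.subnet }}"
    enable_ipv6: true
{% endif %}
{% endif %}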