saibotk-de/infrastructure
saibotk-de/infrastructure
1
0
Fork 0
Code Issues Pull requests Releases 42 Activity

remove!(gitlab): unused

Browse source
This commit is contained in:
Saibotk 2025-01-20 00:26:44 +01:00
parent 14e358c5fe
commit aa576bf5bc
Signed by: saibotk
GPG key ID: 67585F0065E261D5
7 changed files with 0 additions and 719 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
playbooks/gitlab.yml
View file

@ -1,25 +0,0 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure GitLab
hosts: gitlab
roles:
- docker
- docker_cleanup
- traefik
- gitlab

35
roles/gitlab/README.md
View file

@ -1,35 +0,0 @@
Gitlab
=========
This will setup a Gitlab instance using their official docker container and traefik as a reverse proxy.
Requirements
------------
You will need to have docker, docker-compose and traefik installed or declared as dependencies with their respective roles.
**This role assumes that you have setup traefik with an endpoint called `websecure`.**
Role Variables
--------------
**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
### Global variables, that are used:
- `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional)
- `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional)
Dependencies
------------
- docker
- docker-compose
- traefik
License
-------
GPL-3.0-only

167
roles/gitlab/defaults/main.yml
View file

@ -1,167 +0,0 @@
---
# Default variables for the gitlab role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Install location settings
gitlab_install_location: /srv/gitlab
gitlab_data_location: "{{ gitlab_install_location }}/data"
gitlab_config_location: "{{ gitlab_install_location }}/config"
gitlab_log_location: "{{ gitlab_install_location }}/log"
gitlab_telegraf_location: "{{ gitlab_install_location }}/telegraf"
# Put GitLab's logs in a tempfs instead to save headache with diskspace
gitlab_log_tmpfs: false
# Set the certresolver to your desired traefik certresolver.
# Note: This is `letsencrypt_cf` by default for backwards compatibility, you might want to use `letsencrypt_http` instead, depending on your setup
gitlab_traefik_certresolver: letsencrypt_http
# The domain under which traefik should make gitlab (and, if enabled, the registry) reachable
gitlab_domain: gitlab.example.com
gitlab_registry_domain: registry.gitlab.example.com
# The Gitlab version, usually you don't need to adjust this for a host.
# renovate: depName=gitlab/gitlab-ce
gitlab_version: 17.5.1-ce.0
# renovate: depName=docker.io/library/telegraf
gitlab_telegraf_version: "1.26"
# The port you want Gitlab to listen on for SSH connections
gitlab_ssh_port: 22
# The memory limits for the GitLab container
#
# Notice the gitlab_memoryswap_limit must be equal
# or higher than the gitlab_memory_limit
gitlab_memory_limit: "6096mb"
gitlab_memoryswap_limit: "6352mb"
# Enable or disable selinux handling
gitlab_selinux_enabled: true
# Email/SMTP settings
gitlab_smtp_address: smtp.example.com
gitlab_smtp_port: 465
gitlab_smtp_user_name: "gitlab@example.com"
gitlab_smtp_password: "{{ lookup('passwordstore', gitlab_domain + '/' + gitlab_smtp_user_name + ' create=true length=42') }}"
gitlab_smtp_tls: "{{ gitlab_snmp_tls | default('true') }}" # There was a typo in the config option name, this makes sure it's falling back properly
gitlab_email_from: "{{ gitlab_smtp_user_name }}"
gitlab_email_reply_to: "{{ gitlab_smtp_user_name }}"
gitlab_smtp_starttls_auto: false
gitlab_smtp_openssl_verify_mode: "peer"
# Libravatar / Gravatar URLs
gitlab_libravatar_plain: "cdn.libravatar.org"
gitlab_libravatar_ssl: "seccdn.libravatar.org"
# CSP settings
gitlab_csp:
enabled: true
img_src: "https:"
# yamllint disable-line rule:line-length
# frame_src: "https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
# script_src: "https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
# SAML settings
gitlab_saml:
enabled: false
label: "SAML"
groups_attribute: "roles"
external_groups: "{{ gitlab_domain }}:external"
idp_cert_fingerprint: "<to be set>"
idp_sso_target_url: "https://sso.example.com"
idp_slo_target_url: "https://sso.example.com"
issuer: "{{ gitlab_domain }}"
certificate: "<cert without '----BEGIN CERTIFICATE----' (can be omited)>"
private_key: "<private key without '----BEGIN RSA PRIVATE KEY----' (can be omited)>"
attribute_statements:
first_name: "first_name"
last_name: "last_name"
name: "name"
username: "username"
email: "email"
name_identifier_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
autologin: false
# LDAP settings
gitlab_ldap:
enabled: false
label: "LDAP"
host: "ldap.example.com"
port: 389
bind_dn: "_the_full_dn_of_the_user_you_will_bind_with"
password: "_the_password_of_the_bind_user"
encryption: "simple_tls"
verify_certificates: true
uid: "sAMAccountName"
active_directory: true
user_filter: ""
base: "dc=example,dc=com"
# IMAP settings (for email replies to comments etc.)
gitlab_imap:
enabled: false
username: "{{ gitlab_smtp_user_name }}"
password: "{{ gitlab_smtp_password }}"
server_address: imap.example.com
email_address: "incoming+%{key}@gitlab.example.com"
# Gitlab docker registry settings
gitlab_registry:
enabled: false
# Defines the port that is appended to the registry domain used by gitlab.
# This can be omitted, when no port is needed (eg. registry on its own domain)
external_port: 5050
# Defines the entrypoint that traefik should use for the registry.
# Can be useful to use another port while still using the certificate of the main domain.
# This can be omitted to use "websecure" by default
traefik_entrypoint: "websecure"
# Gitlab telegraf configuration, allows to configure a monitoring setup for Gitlab
gitlab_telegraf:
enabled: false
# Your influxDB hosts
influxdb_endpoints:
- "influxdb.example.com"
influxdb_username: telegraf
influxdb_password: ""
influxdb_retention_policy: "gitlab"
influxdb_retention_policy_tag: ""
# Token provided by Gitlab on the admin page
# See https://docs.gitlab.com/ee/administration/monitoring/prometheus/gitlab_metrics.html
metrics_token: ""
# Gitlab dependency proxy feature (see https://docs.gitlab.com/ee/administration/packages/dependency_proxy.html)
gitlab_dependency_proxy:
enabled: false
# Enable the packages feature (see https://docs.gitlab.com/ee/administration/packages/index.html)
gitlab_packages:
enabled: false
# IPv6 ULA config for the bridge network used by docker-ipv6-nat
gitlab_ipv6:
enabled: false
subnet: "fd9e:21a7:a92c:2326::/64"
# Gitlab bundled Mattermost instance settings
gitlab_mattermost:
enabled: false
domain: chat.gitlab.com

44
roles/gitlab/meta/main.yml
View file

@ -1,44 +0,0 @@
galaxy_info:
author: saibotk
description: "Installs and configures GitLab via Docker."
license: GPL-3.0-only
min_ansible_version: "2.9"
standalone: true
platforms:
- name: EL
versions:
- all
- name: GenericUNIX
versions:
- all
- name: Fedora
versions:
- all
- name: opensuse
versions:
- all
- name: GenericBSD
versions:
- all
- name: FreeBSD
versions:
- all
- name: Ubuntu
versions:
- all
- name: SLES
versions:
- all
- name: GenericLinux
versions:
- all
- name: Debian
versions:
- all
galaxy_tags: []
dependencies:
- role: docker
- role: traefik

101
roles/gitlab/tasks/main.yml
View file

@ -1,101 +0,0 @@
---
# Tasks file for the gitlab role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Update default SELinux contexts
community.general.sefcontext:
target: "{{ item }}(/.*)?"
setype: "container_file_t"
state: present
with_items:
- "{{ gitlab_data_location }}"
- "{{ gitlab_config_location }}"
- "{{ gitlab_log_location }}"
- "{{ gitlab_telegraf_location }}"
tags:
- gitlab
when:
- gitlab_selinux_enabled
become: true
- name: Create install directory
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: "0700"
owner: "root"
group: "root"
with_items:
- "{{ gitlab_install_location }}"
tags:
- gitlab
become: true
- name: Create data directory
ansible.builtin.file: # noqa risky-file-permissions # Container manages permissions on its own
path: "{{ item }}"
state: directory
owner: "root"
group: "root"
setype: "container_file_t"
with_items:
- "{{ gitlab_data_location }}"
- "{{ gitlab_config_location }}"
- "{{ gitlab_log_location }}"
- "{{ gitlab_telegraf_location }}"
tags:
- gitlab
become: true
- name: Deploy telegraf.conf
ansible.builtin.template:
src: telegraf.conf
dest: "{{ gitlab_telegraf_location }}/telegraf.conf"
mode: "0600"
owner: "root"
group: "root"
tags:
- telegraf
- gitlab
become: true
when:
- gitlab_telegraf.enabled
- name: Deploy docker-compose.yml
ansible.builtin.template:
src: docker-compose.yml
dest: "{{ gitlab_install_location }}/docker-compose.yml"
mode: "0600"
owner: "root"
group: "root"
validate: docker compose -f %s config -q
tags:
- docker
- gitlab
become: true
- name: Compose GitLab
community.docker.docker_compose_v2:
state: present
project_src: "{{ gitlab_install_location }}"
pull: always
remove_orphans: true
tags:
- gitlab
become: true

321
roles/gitlab/templates/docker-compose.yml
View file

@ -1,321 +0,0 @@
{{ ansible_managed | comment }}
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
version: '2.1'
services:
web:
image: docker.io/gitlab/gitlab-ce:{{ gitlab_version }}
hostname: '{{ gitlab_domain }}'
mem_limit: {{ gitlab_memory_limit }}
memswap_limit: {{ gitlab_memoryswap_limit }}
environment:
GITLAB_OMNIBUS_CONFIG: |
external_url 'https://{{ gitlab_domain }}'
gitlab_rails['gitlab_shell_ssh_port'] = {{ gitlab_ssh_port }}
letsencrypt['enable'] = false
nginx['listen_https'] = false
nginx['listen_port'] = 80
nginx['real_ip_trusted_addresses'] = [ '172.16.0.0/12' ]
nginx['gzip_enabled'] = false
prometheus_monitoring['enable'] = false
# CSP config
gitlab_rails['content_security_policy'] = {
enabled: {{ gitlab_csp.enabled | default(true) | bool | lower }},
report_only: false,
directives: {
default_src: "'self' {{ gitlab_csp.default_src | default("") }}",
script_src: "'self' {{ gitlab_csp.script_src | default("") }} 'unsafe-eval'",
frame_ancestor: "'self'",
frame_src: "'self' {{ gitlab_csp.frame_src | default("") }}",
img_src: "'self' https://{{ gitlab_libravatar_ssl }} {{ gitlab_csp.img_src | default("") }} data: blob:",
style_src: "'self' 'unsafe-inline'",
worker_src: "'self' blob:",
object_src: "'none'"
}
}
# Mail settings
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "{{ gitlab_smtp_address }}"
gitlab_rails['smtp_port'] = {{ gitlab_smtp_port }}
gitlab_rails['smtp_user_name'] = "{{ gitlab_smtp_user_name }}"
gitlab_rails['smtp_password'] = "{{ gitlab_smtp_password }}"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_domain'] = "{{ gitlab_smtp_address }}"
gitlab_rails['smtp_tls'] = {{ gitlab_smtp_tls | bool | lower }}
gitlab_rails['smtp_enable_starttls_auto'] = {{ gitlab_smtp_starttls_auto | bool | lower }}
gitlab_rails['smtp_openssl_verify_mode'] = '{{ gitlab_smtp_openssl_verify_mode }}'
gitlab_rails['gitlab_email_from'] = '{{ gitlab_email_from }}'
gitlab_rails['gitlab_email_reply_to'] = '{{ gitlab_email_reply_to }}'
# Use Libravatar
gitlab_rails['gravatar_enabled'] = true
gitlab_rails['gravatar_plain_url'] = "http://{{ gitlab_libravatar_plain }}/avatar/%{hash}?s=%{size}&d=identicon"
gitlab_rails['gravatar_ssl_url'] = "https://{{ gitlab_libravatar_ssl }}/avatar/%{hash}?s=%{size}&d=identicon"
{% if gitlab_imap.enabled %}
gitlab_rails['incoming_email_enabled'] = true
# The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
# The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
#gitlab_rails['incoming_email_address'] = "incoming+%{key}@gitlab.example.com"
gitlab_rails['incoming_email_address'] = "{{ gitlab_imap.email_address }}"
# Email account username
# With third party providers, this is usually the full email address.
# With self-hosted email servers, this is usually the user part of the email address.
gitlab_rails['incoming_email_email'] = "{{ gitlab_imap.username }}"
# Email account password
gitlab_rails['incoming_email_password'] = "{{ gitlab_imap.password }}"
# IMAP server host
gitlab_rails['incoming_email_host'] = "{{ gitlab_imap.server_address }}"
# IMAP server port
gitlab_rails['incoming_email_port'] = 993
# Whether the IMAP server uses SSL
gitlab_rails['incoming_email_ssl'] = true
# Whether the IMAP server uses StartTLS
gitlab_rails['incoming_email_start_tls'] = false
# The mailbox where incoming mail will end up. Usually "inbox".
gitlab_rails['incoming_email_mailbox_name'] = "inbox"
# The IDLE command timeout.
gitlab_rails['incoming_email_idle_timeout'] = 60
{% endif %}
{% if gitlab_packages.enabled %}
# Gitlab packages
gitlab_rails['packages_enabled'] = true
{% endif %}
{% if gitlab_dependency_proxy.enabled %}
# Gitlab dependency proxy
gitlab_rails['dependency_proxy_enabled'] = true
{% endif %}
{% if gitlab_registry.enabled %}
# Gitlab registry
gitlab_rails['registry_enabled'] = true
gitlab_rails['registry_host'] = "{{ gitlab_registry_domain }}"
registry_external_url "https://{{ gitlab_registry_domain }}{% if gitlab_registry.external_port is defined %}:{{ gitlab_registry.external_port }}{% endif %}"
registry_nginx['listen_port'] = 5040
registry_nginx['listen_https'] = false
{% endif %}
{% if gitlab_mattermost.enabled %}
# Mattermost
mattermost_external_url 'https://{{ gitlab_mattermost.domain }}'
mattermost_nginx['listen_port'] = 8050
mattermost_nginx['listen_https'] = false
mattermost['gitlab_auth_endpoint'] = "http://{{ gitlab_domain }}/oauth/authorize"
mattermost['gitlab_token_endpoint'] = "http://{{ gitlab_domain }}/oauth/token"
mattermost['gitlab_user_api_endpoint'] = "http://{{ gitlab_domain }}/api/v4/user"
{% endif %}
{% if gitlab_ldap.enabled %}
gitlab_rails['ldap_enabled'] = true
gitlab_rails['prevent_ldap_sign_in'] = false
gitlab_rails['ldap_servers'] = {
'main' => {
'label' => '{{ gitlab_ldap.label }}',
'host' => '{{ gitlab_ldap.host }}',
'port' => {{ gitlab_ldap.port }},
'uid' => '{{ gitlab_ldap.uid }}',
'encryption' => '{{ gitlab_ldap.encryption }}',
'verify_certificates' => {{ gitlab_ldap.verify_certificates | bool | lower }},
'bind_dn' => '{{ gitlab_ldap.bind_dn }}',
'password' => '{{ gitlab_ldap.password }}',
'timeout' => 10,
'active_directory' => {{ gitlab_ldap.active_directory | bool | lower }},
'allow_username_or_email_login' => false,
'block_auto_created_users' => false,
'base' => '{{ gitlab_ldap.base }}',
'attributes' => {
'username' => ['uid', 'userid', 'sAMAccountName'],
'email' => ['mail', 'email', 'userPrincipalName'],
'name' => 'cn',
'first_name' => 'givenName',
'last_name' => 'sn'
},
'lowercase_usernames' => false
}
}
{% endif %}
{% if gitlab_saml.enabled %}
# SAML settings
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_ldap_user'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = false
gitlab_rails['omniauth_external_providers'] = []
gitlab_rails['omniauth_providers'] = [
{
name: 'saml',
label: '{{ gitlab_saml.label }}',
groups_attribute: '{{ gitlab_saml.groups_attribute }}',
external_groups: ['{{ gitlab_saml.external_groups }}'],
args: {
assertion_consumer_service_url: 'https://{{ gitlab_domain }}/users/auth/saml/callback',
idp_cert_fingerprint: '{{ gitlab_saml.idp_cert_fingerprint }}',
idp_sso_target_url: '{{ gitlab_saml.idp_sso_target_url }}',
idp_slo_target_url: '{{ gitlab_saml.idp_slo_target_url }}',
{% if gitlab_saml.certificate is defined and gitlab_saml.private_key is defined %}
certificate: '-----BEGIN CERTIFICATE-----
{{ gitlab_saml.certificate }}
-----END CERTIFICATE-----',
private_key: '-----BEGIN RSA PRIVATE KEY-----
{{ gitlab_saml.private_key }}
-----END RSA PRIVATE KEY-----',
security: {
authn_requests_signed: true,
want_assertions_signed: true,
embed_sign: true,
signature_method: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
digest_method: 'http://www.w3.org/2001/04/xmlenc#sha256',
},
{% endif %}
issuer: '{{ gitlab_saml.issuer }}',
attribute_statements: {
first_name: ['{{ gitlab_saml.attribute_statements.first_name }}'],
last_name: ['{{ gitlab_saml.attribute_statements.last_name }}'],
name: ['{{ gitlab_saml.attribute_statements.name }}'],
username: ['{{ gitlab_saml.attribute_statements.username }}'],
email: ['{{ gitlab_saml.attribute_statements.email }}'] },
name_identifier_format: '{{ gitlab_saml.name_identifier_format }}',
upstream_two_factor_authn_contexts:
%w(
urn:oasis:names:tc:SAML:2.0:ac:classes:CertificateProtectedTransport
urn:oasis:names:tc:SAML:2.0:ac:classes:SecondFactorOTPSMS
urn:oasis:names:tc:SAML:2.0:ac:classes:SecondFactorIGTOKEN
)
}
}
]
{% if gitlab_saml.autologin %}
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
{% endif %}
{% endif %}
{% if gitlab_log_tmpfs %}
# Configure logging to only retain 10 log files, of 10MiB each
# This should prevent the tmpfs from overflowing
logging['svlogd_size'] = 10 * 1024 * 1024
logging['svlogd_num'] = 5
logging['logrotate_maxsize'] = 10 * 1024 * 1024
logging['logrotate_rotate'] = 5
{% endif %}
labels:
- "traefik.http.routers.gitlab.rule=Host(`{{ gitlab_domain }}`) && PathPrefix(`/`)"
- "traefik.http.routers.gitlab.entrypoints=websecure"
- "traefik.http.routers.gitlab.tls=true"
- "traefik.http.routers.gitlab.tls.certresolver={{ gitlab_traefik_certresolver }}"
- "traefik.http.routers.gitlab.middlewares=gitlab,compress"
- "traefik.http.routers.gitlab.service=gitlab"
- "traefik.http.services.gitlab.loadbalancer.server.port=80"
{% if gitlab_registry.enabled %}
- "traefik.http.routers.gitlab-registry.rule=Host(`{{ gitlab_registry_domain }}`) && PathPrefix(`/`)"
- "traefik.http.routers.gitlab-registry.entrypoints={{ gitlab_registry.traefik_entrypoint | default('websecure') }}"
- "traefik.http.routers.gitlab-registry.tls=true"
- "traefik.http.routers.gitlab-registry.tls.certresolver={{ gitlab_traefik_certresolver }}"
- "traefik.http.routers.gitlab-registry.middlewares=gitlab,compress"
- "traefik.http.routers.gitlab-registry.service=gitlab-registry"
- "traefik.http.services.gitlab-registry.loadbalancer.server.port=5040"
{% endif %}
{% if gitlab_mattermost.enabled %}
- "traefik.http.routers.gitlab-mattermost.rule=Host(`{{ gitlab_mattermost.domain }}`) && PathPrefix(`/`)"
- "traefik.http.routers.gitlab-mattermost.entrypoints=websecure"
- "traefik.http.routers.gitlab-mattermost.tls=true"
- "traefik.http.routers.gitlab-mattermost.tls.certresolver={{ gitlab_traefik_certresolver }}"
- "traefik.http.routers.gitlab-mattermost.middlewares=gitlab,compress"
- "traefik.http.routers.gitlab-mattermost.service=gitlab-mattermost"
- "traefik.http.services.gitlab-mattermost.loadbalancer.server.port=8050"
{% endif %}
- "traefik.http.middlewares.gitlab.headers.sslredirect=true"
- "traefik.http.middlewares.gitlab.headers.stsSeconds=63072000"
- "traefik.enable=true"
{% if proxy_network is defined %}
- "traefik.docker.network={{ proxy_network }}"
{% endif %}
{% if proxy_hiddenservice is defined and proxy_hiddenservice.content is defined %}
- "traefik.http.middlewares.gitlab.headers.customresponseheaders.alt-svc=h2={{ proxy_hiddenservice['content'] | b64decode | trim }}:443; ma=2592000"
{% endif %}
volumes:
- "{{ gitlab_data_location }}:/var/opt/gitlab"
- "{{ gitlab_config_location }}:/etc/gitlab"
{% if not gitlab_log_tmpfs %}
- "{{ gitlab_log_location }}:/var/log/gitlab"
{% endif %}
{% if gitlab_log_tmpfs %}
tmpfs:
- "/var/log/gitlab:size=256M,noexec,nodev,nosuid,rw"
{% endif %}
restart: always
ports:
- "{{ gitlab_ssh_port }}:22"
{% if proxy_network is defined or gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
networks:
{% if proxy_network is defined %}
{{ proxy_network }}:
{% endif %}
{% if gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
gitlab-ipv6:
{% endif %}
{% endif %}
{% if gitlab_telegraf.enabled %}
telegraf:
image: docker.io/library/telegraf:{{ gitlab_telegraf_version }}
restart: always
mem_limit: 256mb
memswap_limit: 384mb
read_only: false # TODO: Switch to self-made container
volumes:
- {{ gitlab_telegraf_location }}:/etc/telegraf/:ro
{% endif %}
{% if proxy_network is defined or gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
networks:
{% if proxy_network is defined %}
{{ proxy_network }}:
external: true
{% endif %}
{% if gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
gitlab-ipv6:
driver: bridge
ipam:
driver: default
config:
- subnet: {{ gitlab_ipv6.subnet }}
enable_ipv6: true
{% endif %}
{% endif %}

26
roles/gitlab/templates/telegraf.conf
View file

@ -1,26 +0,0 @@
{{ ansible_managed | comment }}
[global_tags]
[agent]
interval = "10s"
round_interval = true
metric_batch_size = 1000
metric_buffer_limit = 1000000
collection_jitter = "5s"
flush_interval = "10s"
flush_jitter = "5s"
precision = ""
hostname = "{{ ansible_fqdn }}"
omit_hostname = false
[[outputs.influxdb]]
urls = ["https://{{ gitlab_telegraf.influxdb_endpoints | join('","https://') }}"]
database = "telegraf"
timeout = "5s"
retention_policy = "{{ gitlab_telegraf.influxdb_retention_policy }}"
retention_policy_tag = "{{ gitlab_telegraf.influxdb_retention_policy_tag }}"
username = "{{ gitlab_telegraf.influxdb_username }}"
password = "{{ gitlab_telegraf.influxdb_password }}"
[[inputs.prometheus]]
urls = ["http://{{ gitlab_domain }}/-/metrics?token={{ gitlab_telegraf.metrics_token }}"]