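{{ ansible_managed | comment }}
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.
#
# Jinja2 template for the GitLab (Omnibus) docker-compose file.
# TLS is terminated by Traefik (see the labels below); GitLab itself only
# listens on plain HTTP inside the container.
# NOTE(review): the whole gitlab.rb fragment below, including the SMTP /
# IMAP / LDAP bind / SAML credentials and the SAML private key, is passed
# through the container environment (GITLAB_OMNIBUS_CONFIG) and is therefore
# readable on the host with `docker inspect`. A gitlab.rb in the mounted
# config volume or Docker secrets would keep them out of the environment.

version: '2.1'

services:
  web:
    image: docker.io/gitlab/gitlab-ce:{{ gitlab_version }}
    # The container hostname equals the public domain. Presumably this is
    # what lets the bundled Mattermost reach the GitLab OAuth/API endpoints
    # below over http:// without leaving the container — verify against the
    # deployment before changing either side.
    hostname: '{{ gitlab_domain }}'
    mem_limit: {{ gitlab_memory_limit }}
    memswap_limit: {{ gitlab_memoryswap_limit }}
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://{{ gitlab_domain }}'
        gitlab_rails['gitlab_shell_ssh_port'] = {{ gitlab_ssh_port }}
        # TLS, HTTPS redirect and compression are handled by Traefik, so the
        # bundled Let's Encrypt client and nginx TLS/gzip stay disabled.
        letsencrypt['enable'] = false
        nginx['listen_https'] = false
        nginx['listen_port'] = 80
        # Client addresses are taken from X-Forwarded-For only for requests
        # arriving from this range (assumed to cover the Docker networks
        # Traefik is attached to — confirm). Do not widen it to ranges
        # clients can reach directly, or the logged / rate-limited address
        # becomes attacker-controlled.
        nginx['real_ip_trusted_addresses'] = [ '172.16.0.0/12' ]
        nginx['gzip_enabled'] = false
        prometheus_monitoring['enable'] = false
        # CSP config
        # Directive keys use GitLab's underscore spelling (frame_ancestors,
        # not frame_ancestor). A misspelt key is not an error, so check the
        # rendered Content-Security-Policy header after editing this block.
        # 'unsafe-eval' (script) and 'unsafe-inline' (style) are what the
        # GitLab frontend itself requires; keep them out of gitlab_csp.*.
        gitlab_rails['content_security_policy'] = {
          enabled: {{ gitlab_csp.enabled | default(true) | bool | lower }},
          # report_only: true turns violations into reports instead of blocks;
          # useful while trying out new gitlab_csp.* entries.
          report_only: false,
          directives: {
            default_src: "'self' {{ gitlab_csp.default_src | default("") }}",
            script_src: "'self' {{ gitlab_csp.script_src | default("") }} 'unsafe-eval'",
            # Only same-origin pages may frame GitLab (clickjacking protection).
            frame_ancestors: "'self'",
            frame_src: "'self' {{ gitlab_csp.frame_src | default("") }}",
            img_src: "'self' https://{{ gitlab_libravatar_ssl }} {{ gitlab_csp.img_src | default("") }} data: blob:",
            style_src: "'self' 'unsafe-inline'",
            worker_src: "'self' blob:",
            object_src: "'none'"
          }
        }
        # Mail settings
        gitlab_rails['smtp_enable'] = true
        gitlab_rails['smtp_address'] = "{{ gitlab_smtp_address }}"
        gitlab_rails['smtp_port'] = {{ gitlab_smtp_port }}
        gitlab_rails['smtp_user_name'] = "{{ gitlab_smtp_user_name }}"
        gitlab_rails['smtp_password'] = "{{ gitlab_smtp_password }}"
        # LOGIN auth only base64-encodes the credentials; it is safe only
        # when smtp_tls or smtp_enable_starttls_auto is true and the verify
        # mode below is 'peer'.
        gitlab_rails['smtp_authentication'] = "login"
        gitlab_rails['smtp_domain'] = "{{ gitlab_smtp_address }}"
        gitlab_rails['smtp_tls'] = {{ gitlab_smtp_tls | bool | lower }}
        gitlab_rails['smtp_enable_starttls_auto'] = {{ gitlab_smtp_starttls_auto | bool | lower }}
        # 'peer' verifies the mail server certificate; 'none' disables the
        # check and leaves the connection open to interception.
        gitlab_rails['smtp_openssl_verify_mode'] = '{{ gitlab_smtp_openssl_verify_mode }}'
        gitlab_rails['gitlab_email_from'] = '{{ gitlab_email_from }}'
        gitlab_rails['gitlab_email_reply_to'] = '{{ gitlab_email_reply_to }}'
        # Use Libravatar
        gitlab_rails['gravatar_enabled'] = true
        gitlab_rails['gravatar_plain_url'] = "http://{{ gitlab_libravatar_plain }}/avatar/%{hash}?s=%{size}&d=identicon"
        gitlab_rails['gravatar_ssl_url'] = "https://{{ gitlab_libravatar_ssl }}/avatar/%{hash}?s=%{size}&d=identicon"
{% if gitlab_imap.enabled %}
        gitlab_rails['incoming_email_enabled'] = true
        # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
        # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
        #gitlab_rails['incoming_email_address'] = "incoming+%{key}@gitlab.example.com"
        gitlab_rails['incoming_email_address'] = "{{ gitlab_imap.email_address }}"
        # Email account username
        # With third party providers, this is usually the full email address.
        # With self-hosted email servers, this is usually the user part of the email address.
        gitlab_rails['incoming_email_email'] = "{{ gitlab_imap.username }}"
        # Email account password
        gitlab_rails['incoming_email_password'] = "{{ gitlab_imap.password }}"
        # IMAP server host
        gitlab_rails['incoming_email_host'] = "{{ gitlab_imap.server_address }}"
        # IMAP server port (993 = implicit TLS, hence start_tls stays false)
        gitlab_rails['incoming_email_port'] = 993
        # Whether the IMAP server uses SSL
        gitlab_rails['incoming_email_ssl'] = true
        # Whether the IMAP server uses StartTLS
        gitlab_rails['incoming_email_start_tls'] = false
        # The mailbox where incoming mail will end up. Usually "inbox".
        gitlab_rails['incoming_email_mailbox_name'] = "inbox"
        # The IDLE command timeout.
        gitlab_rails['incoming_email_idle_timeout'] = 60
{% endif %}
{% if gitlab_packages.enabled %}
        # Gitlab packages
        gitlab_rails['packages_enabled'] = true
{% endif %}
{% if gitlab_dependency_proxy.enabled %}
        # Gitlab dependency proxy
        gitlab_rails['dependency_proxy_enabled'] = true
{% endif %}
{% if gitlab_registry.enabled %}
        # Gitlab registry — plain HTTP on 5040 inside the container, TLS is
        # added by the gitlab-registry Traefik router below.
        gitlab_rails['registry_enabled'] = true
        gitlab_rails['registry_host'] = "{{ gitlab_registry_domain }}"
        registry_external_url "https://{{ gitlab_registry_domain }}{% if gitlab_registry.external_port is defined %}:{{ gitlab_registry.external_port }}{% endif %}"
        registry_nginx['listen_port'] = 5040
        registry_nginx['listen_https'] = false
{% endif %}
{% if gitlab_mattermost.enabled %}
        # Mattermost
        mattermost_external_url 'https://{{ gitlab_mattermost.domain }}'
        mattermost_nginx['listen_port'] = 8050
        mattermost_nginx['listen_https'] = false
        # The OAuth endpoints are http:// on purpose — the container hostname
        # is gitlab_domain, so the token/user calls presumably stay inside
        # the container; the browser-facing authorize URL relies on Traefik's
        # sslredirect. Confirm this before moving Mattermost elsewhere.
        mattermost['gitlab_auth_endpoint'] = "http://{{ gitlab_domain }}/oauth/authorize"
        mattermost['gitlab_token_endpoint'] = "http://{{ gitlab_domain }}/oauth/token"
        mattermost['gitlab_user_api_endpoint'] = "http://{{ gitlab_domain }}/api/v4/user"
{% endif %}
{% if gitlab_ldap.enabled %}
        # LDAP sign-in. Accounts are created on first login and are active
        # immediately (block_auto_created_users is false). Keep
        # verify_certificates true whenever encryption is enabled, otherwise
        # the bind password travels to an unauthenticated server.
        gitlab_rails['ldap_enabled'] = true
        gitlab_rails['prevent_ldap_sign_in'] = false
        gitlab_rails['ldap_servers'] = {
          'main' => {
            'label' => '{{ gitlab_ldap.label }}',
            'host' => '{{ gitlab_ldap.host }}',
            'port' => {{ gitlab_ldap.port }},
            'uid' => '{{ gitlab_ldap.uid }}',
            'encryption' => '{{ gitlab_ldap.encryption }}',
            'verify_certificates' => {{ gitlab_ldap.verify_certificates | bool | lower }},
            'bind_dn' => '{{ gitlab_ldap.bind_dn }}',
            'password' => '{{ gitlab_ldap.password }}',
            'timeout' => 10,
            'active_directory' => {{ gitlab_ldap.active_directory | bool | lower }},
            'allow_username_or_email_login' => false,
            'block_auto_created_users' => false,
            'base' => '{{ gitlab_ldap.base }}',
            'attributes' => {
              'username' => ['uid', 'userid', 'sAMAccountName'],
              'email' => ['mail', 'email', 'userPrincipalName'],
              'name' => 'cn',
              'first_name' => 'givenName',
              'last_name' => 'sn'
            },
            'lowercase_usernames' => false
          }
        }
{% endif %}
{% if gitlab_saml.enabled %}
        # SAML settings. SAML is the only provider allowed to create accounts
        # on first sign-in, and those accounts are not blocked
        # (omniauth_block_auto_created_users is false).
        gitlab_rails['omniauth_enabled'] = true
        gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
        gitlab_rails['omniauth_block_auto_created_users'] = false
        gitlab_rails['omniauth_auto_link_ldap_user'] = false
        gitlab_rails['omniauth_auto_link_saml_user'] = false
        gitlab_rails['omniauth_external_providers'] = []
        gitlab_rails['omniauth_providers'] = [
          {
            name: 'saml',
            label: '{{ gitlab_saml.label }}',
            groups_attribute: '{{ gitlab_saml.groups_attribute }}',
            # NOTE(review): rendered as a one-element array; a list-valued
            # gitlab_saml.external_groups would be collapsed into one string —
            # confirm the variable's type.
            external_groups: ['{{ gitlab_saml.external_groups }}'],
            args: {
              assertion_consumer_service_url: 'https://{{ gitlab_domain }}/users/auth/saml/callback',
              # The IdP signing certificate is pinned by fingerprint.
              idp_cert_fingerprint: '{{ gitlab_saml.idp_cert_fingerprint }}',
              idp_sso_target_url: '{{ gitlab_saml.idp_sso_target_url }}',
              idp_slo_target_url: '{{ gitlab_saml.idp_slo_target_url }}',
{% if gitlab_saml.certificate is defined and gitlab_saml.private_key is defined %}
              # SP key pair: with it present, AuthnRequests are signed and
              # signed assertions are required from the IdP.
              certificate: '-----BEGIN CERTIFICATE-----
{{ gitlab_saml.certificate }}
-----END CERTIFICATE-----',
              private_key: '-----BEGIN RSA PRIVATE KEY-----
{{ gitlab_saml.private_key }}
-----END RSA PRIVATE KEY-----',
              security: {
                authn_requests_signed: true,
                want_assertions_signed: true,
                embed_sign: true,
                signature_method: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
                digest_method: 'http://www.w3.org/2001/04/xmlenc#sha256',
              },
{% endif %}
              issuer: '{{ gitlab_saml.issuer }}',
              attribute_statements: {
                first_name: ['{{ gitlab_saml.attribute_statements.first_name }}'],
                last_name: ['{{ gitlab_saml.attribute_statements.last_name }}'],
                name: ['{{ gitlab_saml.attribute_statements.name }}'],
                username: ['{{ gitlab_saml.attribute_statements.username }}'],
                email: ['{{ gitlab_saml.attribute_statements.email }}']
              },
              name_identifier_format: '{{ gitlab_saml.name_identifier_format }}',
              # AuthnContexts the IdP may report that count as a completed
              # second factor (GitLab then skips its own 2FA prompt).
              upstream_two_factor_authn_contexts: %w(
                urn:oasis:names:tc:SAML:2.0:ac:classes:CertificateProtectedTransport
                urn:oasis:names:tc:SAML:2.0:ac:classes:SecondFactorOTPSMS
                urn:oasis:names:tc:SAML:2.0:ac:classes:SecondFactorIGTOKEN
              )
            }
          }
        ]
{% if gitlab_saml.autologin %}
        gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
{% endif %}
{% endif %}
{% if gitlab_log_tmpfs %}
        # Configure logging to retain only 5 rotated log files of 10 MiB each
        # (per service); this should prevent the 256M tmpfs from overflowing.
        logging['svlogd_size'] = 10 * 1024 * 1024
        logging['svlogd_num'] = 5
        logging['logrotate_maxsize'] = 10 * 1024 * 1024
        logging['logrotate_rotate'] = 5
{% endif %}
    # Traefik routing. The 'gitlab' middleware is defined by the headers
    # labels further down; 'compress' is assumed to be defined on the Traefik
    # side.
    labels:
      - "traefik.http.routers.gitlab.rule=Host(`{{ gitlab_domain }}`) && PathPrefix(`/`)"
      - "traefik.http.routers.gitlab.entrypoints=websecure"
      - "traefik.http.routers.gitlab.tls=true"
      - "traefik.http.routers.gitlab.tls.certresolver={{ gitlab_traefik_certresolver }}"
      - "traefik.http.routers.gitlab.middlewares=gitlab,compress"
      - "traefik.http.routers.gitlab.service=gitlab"
      - "traefik.http.services.gitlab.loadbalancer.server.port=80"
{% if gitlab_registry.enabled %}
      - "traefik.http.routers.gitlab-registry.rule=Host(`{{ gitlab_registry_domain }}`) && PathPrefix(`/`)"
      - "traefik.http.routers.gitlab-registry.entrypoints={{ gitlab_registry.traefik_entrypoint | default('websecure') }}"
      - "traefik.http.routers.gitlab-registry.tls=true"
      - "traefik.http.routers.gitlab-registry.tls.certresolver={{ gitlab_traefik_certresolver }}"
      - "traefik.http.routers.gitlab-registry.middlewares=gitlab,compress"
      - "traefik.http.routers.gitlab-registry.service=gitlab-registry"
      - "traefik.http.services.gitlab-registry.loadbalancer.server.port=5040"
{% endif %}
{% if gitlab_mattermost.enabled %}
      - "traefik.http.routers.gitlab-mattermost.rule=Host(`{{ gitlab_mattermost.domain }}`) && PathPrefix(`/`)"
      - "traefik.http.routers.gitlab-mattermost.entrypoints=websecure"
      - "traefik.http.routers.gitlab-mattermost.tls=true"
      - "traefik.http.routers.gitlab-mattermost.tls.certresolver={{ gitlab_traefik_certresolver }}"
      - "traefik.http.routers.gitlab-mattermost.middlewares=gitlab,compress"
      - "traefik.http.routers.gitlab-mattermost.service=gitlab-mattermost"
      - "traefik.http.services.gitlab-mattermost.loadbalancer.server.port=8050"
{% endif %}
      # Force HTTPS and send HSTS for two years (63072000 s).
      - "traefik.http.middlewares.gitlab.headers.sslredirect=true"
      - "traefik.http.middlewares.gitlab.headers.stsSeconds=63072000"
      - "traefik.enable=true"
{% if proxy_network is defined %}
      - "traefik.docker.network={{ proxy_network }}"
{% endif %}
{% if proxy_hiddenservice is defined and proxy_hiddenservice.content is defined %}
      # Advertise the onion service as an alternative origin (Alt-Svc).
      - "traefik.http.middlewares.gitlab.headers.customresponseheaders.alt-svc=h2={{ proxy_hiddenservice['content'] | b64decode | trim }}:443; ma=2592000"
{% endif %}
    volumes:
      - "{{ gitlab_data_location }}:/var/opt/gitlab"
      - "{{ gitlab_config_location }}:/etc/gitlab"
{% if not gitlab_log_tmpfs %}
      - "{{ gitlab_log_location }}:/var/log/gitlab"
{% endif %}
{% if gitlab_log_tmpfs %}
    # Logs live in RAM; the mount is non-executable and without device nodes
    # or setuid, and the logging block above caps its size.
    tmpfs:
      - "/var/log/gitlab:size=256M,noexec,nodev,nosuid,rw"
{% endif %}
    restart: always
    ports:
      - "{{ gitlab_ssh_port }}:22"
{% if proxy_network is defined or gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
    networks:
{% if proxy_network is defined %}
      {{ proxy_network }}:
{% endif %}
{% if gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
      gitlab-ipv6:
{% endif %}
{% endif %}
{% if gitlab_telegraf.enabled %}
  telegraf:
    image: docker.io/library/telegraf:{{ gitlab_telegraf_version }}
    restart: always
    mem_limit: 256mb
    memswap_limit: 384mb
    read_only: false # TODO: Switch to self-made container
    volumes:
      - "{{ gitlab_telegraf_location }}:/etc/telegraf/:ro"
{% endif %}

{% if proxy_network is defined or gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
networks:
{% if proxy_network is defined %}
  {{ proxy_network }}:
    external: true
{% endif %}
{% if gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
  gitlab-ipv6:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: {{ gitlab_ipv6.subnet }}
    enable_ipv6: true
{% endif %}
{% endif %}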