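{{ ansible_managed | comment }}

# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

# docker-compose template for the GitLab CE service (plus an optional Telegraf
# sidecar). Jinja block tags are kept at column 0 so that Ansible's trim_blocks
# leaves no stray indentation in the rendered YAML.

version: '2.1'

services:
  web:
    # Templated scalars are quoted so a value that looks like a number/bool
    # (e.g. a bare byte count) is still handed to compose as written.
    image: "docker.io/gitlab/gitlab-ce:{{ gitlab_version }}"
    hostname: '{{ gitlab_domain }}'
    mem_limit: "{{ gitlab_memory_limit }}"
    memswap_limit: "{{ gitlab_memoryswap_limit }}"
    # NOTE(review): the rendered compose file embeds SMTP/IMAP/LDAP passwords
    # and the SAML private key in this environment block; the template cannot
    # enforce on-disk permissions for the rendered file — the deploying task
    # should.
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://{{ gitlab_domain }}'
        gitlab_rails['gitlab_shell_ssh_port'] = {{ gitlab_ssh_port }}
        # TLS is terminated by Traefik (see the labels below); the bundled
        # nginx only speaks plain HTTP on port 80 behind the proxy.
        letsencrypt['enable'] = false
        nginx['listen_https'] = false
        nginx['listen_port'] = 80
        # NOTE(review): X-Forwarded-For is trusted from this whole range —
        # presumably the Docker network Traefik lives in; confirm it matches.
        nginx['real_ip_trusted_addresses'] = [ '172.16.0.0/12' ]
        nginx['gzip_enabled'] = false

        prometheus_monitoring['enable'] = false

        # CSP config
        gitlab_rails['content_security_policy'] = {
          enabled: {{ gitlab_csp.enabled | default(true) | bool | lower }},
          report_only: false,
          directives: {
            default_src: "'self' {{ gitlab_csp.default_src | default("") }}",
            # NOTE(review): 'unsafe-eval' (here) and 'unsafe-inline' (style_src)
            # weaken the policy; confirm the GitLab version in use still needs them.
            script_src: "'self' {{ gitlab_csp.script_src | default("") }} 'unsafe-eval'",
            # Was `frame_ancestor` (singular): unknown directive names are
            # ignored by browsers, which silently left clickjacking
            # protection unset.
            frame_ancestors: "'self'",
            frame_src: "'self' {{ gitlab_csp.frame_src | default("") }}",
            img_src: "'self' https://{{ gitlab_libravatar_ssl }} {{ gitlab_csp.img_src | default("") }} data: blob:",
            style_src: "'self' 'unsafe-inline'",
            worker_src: "'self' blob:",
            object_src: "'none'"
          }
        }

        # Mail settings
        gitlab_rails['smtp_enable'] = true
        gitlab_rails['smtp_address'] = "{{ gitlab_smtp_address }}"
        gitlab_rails['smtp_port'] = {{ gitlab_smtp_port }}
        gitlab_rails['smtp_user_name'] = "{{ gitlab_smtp_user_name }}"
        gitlab_rails['smtp_password'] = "{{ gitlab_smtp_password }}"
        gitlab_rails['smtp_authentication'] = "login"
        gitlab_rails['smtp_domain'] = "{{ gitlab_smtp_address }}"
        gitlab_rails['smtp_tls'] = {{ gitlab_smtp_tls | bool | lower }}
        gitlab_rails['smtp_enable_starttls_auto'] = {{ gitlab_smtp_starttls_auto | bool | lower }}
        gitlab_rails['smtp_openssl_verify_mode'] = '{{ gitlab_smtp_openssl_verify_mode }}'

        gitlab_rails['gitlab_email_from'] = '{{ gitlab_email_from }}'
        gitlab_rails['gitlab_email_reply_to'] = '{{ gitlab_email_reply_to }}'

        # Use Libravatar
        gitlab_rails['gravatar_enabled'] = true
        gitlab_rails['gravatar_plain_url'] = "http://{{ gitlab_libravatar_plain }}/avatar/%{hash}?s=%{size}&d=identicon"
        gitlab_rails['gravatar_ssl_url'] = "https://{{ gitlab_libravatar_ssl }}/avatar/%{hash}?s=%{size}&d=identicon"

{% if gitlab_imap.enabled %}
        gitlab_rails['incoming_email_enabled'] = true

        # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
        # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
        #gitlab_rails['incoming_email_address'] = "incoming+%{key}@gitlab.example.com"
        gitlab_rails['incoming_email_address'] = "{{ gitlab_imap.email_address }}"

        # Email account username
        # With third party providers, this is usually the full email address.
        # With self-hosted email servers, this is usually the user part of the email address.
        gitlab_rails['incoming_email_email'] = "{{ gitlab_imap.username }}"
        # Email account password
        gitlab_rails['incoming_email_password'] = "{{ gitlab_imap.password }}"

        # IMAP server host
        gitlab_rails['incoming_email_host'] = "{{ gitlab_imap.server_address }}"
        # IMAP server port
        gitlab_rails['incoming_email_port'] = 993
        # Whether the IMAP server uses SSL
        gitlab_rails['incoming_email_ssl'] = true
        # Whether the IMAP server uses StartTLS
        gitlab_rails['incoming_email_start_tls'] = false

        # The mailbox where incoming mail will end up. Usually "inbox".
        gitlab_rails['incoming_email_mailbox_name'] = "inbox"
        # The IDLE command timeout.
        gitlab_rails['incoming_email_idle_timeout'] = 60
{% endif %}

{% if gitlab_packages.enabled %}
        # Gitlab packages
        gitlab_rails['packages_enabled'] = true
{% endif %}

{% if gitlab_dependency_proxy.enabled %}
        # Gitlab dependency proxy
        gitlab_rails['dependency_proxy_enabled'] = true
{% endif %}

{% if gitlab_registry.enabled %}
        # Gitlab registry (TLS again terminated by Traefik, registry nginx on 5040)
        gitlab_rails['registry_enabled'] = true
        gitlab_rails['registry_host'] = "{{ gitlab_registry_domain }}"
        registry_external_url "https://{{ gitlab_registry_domain }}{% if gitlab_registry.external_port is defined %}:{{ gitlab_registry.external_port }}{% endif %}"
        registry_nginx['listen_port'] = 5040
        registry_nginx['listen_https'] = false
{% endif %}

{% if gitlab_mattermost.enabled %}
        # Mattermost
        mattermost_external_url 'https://{{ gitlab_mattermost.domain }}'
        mattermost_nginx['listen_port'] = 8050
        mattermost_nginx['listen_https'] = false
        # NOTE(review): these three endpoints are http:// although external_url
        # is https and the Traefik `gitlab` middleware sets sslredirect. The
        # token and user-API calls are made by Mattermost itself, so they would
        # hit that redirect (or no router at all) — confirm https is not intended.
        mattermost['gitlab_auth_endpoint'] = "http://{{ gitlab_domain }}/oauth/authorize"
        mattermost['gitlab_token_endpoint'] = "http://{{ gitlab_domain }}/oauth/token"
        mattermost['gitlab_user_api_endpoint'] = "http://{{ gitlab_domain }}/api/v4/user"
{% endif %}

{% if gitlab_ldap.enabled %}
        gitlab_rails['ldap_enabled'] = true
        gitlab_rails['prevent_ldap_sign_in'] = false
        gitlab_rails['ldap_servers'] = {
          'main' => {
            'label' => '{{ gitlab_ldap.label }}',
            'host' => '{{ gitlab_ldap.host }}',
            'port' => {{ gitlab_ldap.port }},
            'uid' => '{{ gitlab_ldap.uid }}',
            'encryption' => '{{ gitlab_ldap.encryption }}',
            'verify_certificates' => {{ gitlab_ldap.verify_certificates | bool | lower }},
            'bind_dn' => '{{ gitlab_ldap.bind_dn }}',
            # NOTE(review): interpolated into a Ruby single-quoted literal; a
            # value containing a single quote would break the whole config.
            'password' => '{{ gitlab_ldap.password }}',
            'timeout' => 10,
            'active_directory' => {{ gitlab_ldap.active_directory | bool | lower }},
            'allow_username_or_email_login' => false,
            # false: LDAP-created accounts are usable immediately, without admin approval
            'block_auto_created_users' => false,
            'base' => '{{ gitlab_ldap.base }}',
            'attributes' => {
              'username' => ['uid', 'userid', 'sAMAccountName'],
              'email' => ['mail', 'email', 'userPrincipalName'],
              'name' => 'cn',
              'first_name' => 'givenName',
              'last_name' => 'sn'
            },
            'lowercase_usernames' => false
          }
        }
{% endif %}

{% if gitlab_saml.enabled %}
        # SAML settings
        gitlab_rails['omniauth_enabled'] = true
        gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
        # false: SAML-created accounts are usable immediately, without admin approval
        gitlab_rails['omniauth_block_auto_created_users'] = false
        gitlab_rails['omniauth_auto_link_ldap_user'] = false
        gitlab_rails['omniauth_auto_link_saml_user'] = false
        gitlab_rails['omniauth_external_providers'] = []
        gitlab_rails['omniauth_providers'] = [
          {
            name: 'saml',
            label: '{{ gitlab_saml.label }}',
            groups_attribute: '{{ gitlab_saml.groups_attribute }}',
            external_groups: ['{{ gitlab_saml.external_groups }}'],
            args: {
              assertion_consumer_service_url: 'https://{{ gitlab_domain }}/users/auth/saml/callback',
              idp_cert_fingerprint: '{{ gitlab_saml.idp_cert_fingerprint }}',
              idp_sso_target_url: '{{ gitlab_saml.idp_sso_target_url }}',
              idp_slo_target_url: '{{ gitlab_saml.idp_slo_target_url }}',
{% if gitlab_saml.certificate is defined and gitlab_saml.private_key is defined %}
        # The PEM lines are kept at the block-scalar indent so they render at
        # column 0 inside the multi-line Ruby string.
        certificate: '-----BEGIN CERTIFICATE-----
        {{ gitlab_saml.certificate }}
        -----END CERTIFICATE-----',
        private_key: '-----BEGIN RSA PRIVATE KEY-----
        {{ gitlab_saml.private_key }}
        -----END RSA PRIVATE KEY-----',
              # Sign our requests and require signed assertions; only active
              # when a certificate/key pair is provided.
              security: {
                authn_requests_signed: true,
                want_assertions_signed: true,
                embed_sign: true,
                signature_method: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
                digest_method: 'http://www.w3.org/2001/04/xmlenc#sha256',
              },
{% endif %}
              issuer: '{{ gitlab_saml.issuer }}',
              attribute_statements: {
                first_name: ['{{ gitlab_saml.attribute_statements.first_name }}'],
                last_name: ['{{ gitlab_saml.attribute_statements.last_name }}'],
                name: ['{{ gitlab_saml.attribute_statements.name }}'],
                username: ['{{ gitlab_saml.attribute_statements.username }}'],
                email: ['{{ gitlab_saml.attribute_statements.email }}'] },
              name_identifier_format: '{{ gitlab_saml.name_identifier_format }}',
              upstream_two_factor_authn_contexts:
                %w(
                  urn:oasis:names:tc:SAML:2.0:ac:classes:CertificateProtectedTransport
                  urn:oasis:names:tc:SAML:2.0:ac:classes:SecondFactorOTPSMS
                  urn:oasis:names:tc:SAML:2.0:ac:classes:SecondFactorIGTOKEN
                )
            }
          }
        ]
{% if gitlab_saml.autologin %}
        gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
{% endif %}
{% endif %}

{% if gitlab_log_tmpfs %}
        # Configure logging to only retain 5 log files of 10 MiB each (both
        # svlogd and logrotate). This should prevent the tmpfs from overflowing.
        logging['svlogd_size'] = 10 * 1024 * 1024
        logging['svlogd_num'] = 5
        logging['logrotate_maxsize'] = 10 * 1024 * 1024
        logging['logrotate_rotate'] = 5
{% endif %}

    labels:
      - "traefik.http.routers.gitlab.rule=Host(`{{ gitlab_domain }}`) && PathPrefix(`/`)"
      - "traefik.http.routers.gitlab.entrypoints=websecure"
      - "traefik.http.routers.gitlab.tls=true"
      - "traefik.http.routers.gitlab.tls.certresolver={{ gitlab_traefik_certresolver }}"
      - "traefik.http.routers.gitlab.middlewares=gitlab,compress"
      - "traefik.http.routers.gitlab.service=gitlab"
      - "traefik.http.services.gitlab.loadbalancer.server.port=80"

{% if gitlab_registry.enabled %}
      - "traefik.http.routers.gitlab-registry.rule=Host(`{{ gitlab_registry_domain }}`) && PathPrefix(`/`)"
      - "traefik.http.routers.gitlab-registry.entrypoints={{ gitlab_registry.traefik_entrypoint | default('websecure') }}"
      - "traefik.http.routers.gitlab-registry.tls=true"
      - "traefik.http.routers.gitlab-registry.tls.certresolver={{ gitlab_traefik_certresolver }}"
      - "traefik.http.routers.gitlab-registry.middlewares=gitlab,compress"
      - "traefik.http.routers.gitlab-registry.service=gitlab-registry"
      - "traefik.http.services.gitlab-registry.loadbalancer.server.port=5040"
{% endif %}

{% if gitlab_mattermost.enabled %}
      - "traefik.http.routers.gitlab-mattermost.rule=Host(`{{ gitlab_mattermost.domain }}`) && PathPrefix(`/`)"
      - "traefik.http.routers.gitlab-mattermost.entrypoints=websecure"
      - "traefik.http.routers.gitlab-mattermost.tls=true"
      - "traefik.http.routers.gitlab-mattermost.tls.certresolver={{ gitlab_traefik_certresolver }}"
      - "traefik.http.routers.gitlab-mattermost.middlewares=gitlab,compress"
      - "traefik.http.routers.gitlab-mattermost.service=gitlab-mattermost"
      - "traefik.http.services.gitlab-mattermost.loadbalancer.server.port=8050"
{% endif %}

      # Shared `gitlab` middleware: force HTTPS and send HSTS (2 years).
      - "traefik.http.middlewares.gitlab.headers.sslredirect=true"
      - "traefik.http.middlewares.gitlab.headers.stsSeconds=63072000"

      - "traefik.enable=true"
{% if proxy_network is defined %}
      - "traefik.docker.network={{ proxy_network }}"
{% endif %}
{% if proxy_hiddenservice is defined and proxy_hiddenservice.content is defined %}
      - "traefik.http.middlewares.gitlab.headers.customresponseheaders.alt-svc=h2={{ proxy_hiddenservice['content'] | b64decode | trim }}:443; ma=2592000"
{% endif %}
    volumes:
      - "{{ gitlab_data_location }}:/var/opt/gitlab"
      - "{{ gitlab_config_location }}:/etc/gitlab"
{% if not gitlab_log_tmpfs %}
      - "{{ gitlab_log_location }}:/var/log/gitlab"
{% endif %}

{% if gitlab_log_tmpfs %}
    tmpfs:
      - "/var/log/gitlab:size=256M,noexec,nodev,nosuid,rw"
{% endif %}

    restart: always
    ports:
      - "{{ gitlab_ssh_port }}:22"
{% if proxy_network is defined or (gitlab_ipv6 is defined and gitlab_ipv6.enabled) %}
    networks:
{% if proxy_network is defined %}
      {{ proxy_network }}:
{% endif %}
{% if gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
      gitlab-ipv6:
{% endif %}
{% endif %}

{% if gitlab_telegraf.enabled %}
  telegraf:
    image: "docker.io/library/telegraf:{{ gitlab_telegraf_version }}"
    restart: always
    mem_limit: 256mb
    memswap_limit: 384mb
    read_only: false  # TODO: Switch to self-made container
    volumes:
      - "{{ gitlab_telegraf_location }}:/etc/telegraf/:ro"
{% endif %}

{% if proxy_network is defined or (gitlab_ipv6 is defined and gitlab_ipv6.enabled) %}
networks:
{% if proxy_network is defined %}
  {{ proxy_network }}:
    external: true
{% endif %}
{% if gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
  gitlab-ipv6:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: "{{ gitlab_ipv6.subnet }}"
    enable_ipv6: true
{% endif %}
{% endif %}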