167 lines
6.1 KiB
YAML
167 lines
6.1 KiB
YAML
---
|
|
# Default variables for the gitlab role
|
|
|
|
# Infrastructure
|
|
# Ansible instructions to deploy the infrastructure
|
|
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
|
|
# Copyright (C) 2020 Saibotk
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, version 3 of the License.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
# Install location settings
|
|
gitlab_install_location: /srv/gitlab
|
|
gitlab_data_location: "{{ gitlab_install_location }}/data"
|
|
gitlab_config_location: "{{ gitlab_install_location }}/config"
|
|
gitlab_log_location: "{{ gitlab_install_location }}/log"
|
|
gitlab_telegraf_location: "{{ gitlab_install_location }}/telegraf"
|
|
|
|
# Put GitLab's logs in a tempfs instead to save headache with diskspace
|
|
gitlab_log_tmpfs: false
|
|
|
|
# Set the certresolver to your desired traefik certresolver.
|
|
# Note: This is `letsencrypt_cf` by default for backwards compatibility, you might want to use `letsencrypt_http` instead, depending on your setup
|
|
gitlab_traefik_certresolver: letsencrypt_http
|
|
|
|
# The domain under which traefik should make gitlab (and, if enabled, the registry) reachable
|
|
gitlab_domain: gitlab.example.com
|
|
gitlab_registry_domain: registry.gitlab.example.com
|
|
|
|
# The Gitlab version, usually you don't need to adjust this for a host.
|
|
# renovate: depName=gitlab/gitlab-ce
|
|
gitlab_version: 16.11.3-ce.0
|
|
|
|
# renovate: depName=docker.io/library/telegraf
|
|
gitlab_telegraf_version: "1.26"
|
|
|
|
# The port you want Gitlab to listen on for SSH connections
|
|
gitlab_ssh_port: 22
|
|
|
|
# The memory limits for the GitLab container
|
|
#
|
|
# Notice the gitlab_memoryswap_limit must be equal
|
|
# or higher than the gitlab_memory_limit
|
|
gitlab_memory_limit: "6096mb"
|
|
gitlab_memoryswap_limit: "6352mb"
|
|
|
|
# Enable or disable selinux handling
|
|
gitlab_selinux_enabled: true
|
|
|
|
# Email/SMTP settings
|
|
gitlab_smtp_address: smtp.example.com
|
|
gitlab_smtp_port: 465
|
|
gitlab_smtp_user_name: "gitlab@example.com"
|
|
gitlab_smtp_password: "{{ lookup('passwordstore', gitlab_domain + '/' + gitlab_smtp_user_name + ' create=true length=42') }}"
|
|
gitlab_smtp_tls: "{{ gitlab_snmp_tls | default('true') }}" # There was a typo in the config option name, this makes sure it's falling back properly
|
|
gitlab_email_from: "{{ gitlab_smtp_user_name }}"
|
|
gitlab_email_reply_to: "{{ gitlab_smtp_user_name }}"
|
|
gitlab_smtp_starttls_auto: false
|
|
gitlab_smtp_openssl_verify_mode: "peer"
|
|
|
|
# Libravatar / Gravatar URLs
|
|
gitlab_libravatar_plain: "cdn.libravatar.org"
|
|
gitlab_libravatar_ssl: "seccdn.libravatar.org"
|
|
|
|
# CSP settings
|
|
gitlab_csp:
|
|
enabled: true
|
|
img_src: "https:"
|
|
# yamllint disable-line rule:line-length
|
|
# frame_src: "https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
|
|
# script_src: "https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
|
|
|
|
# SAML settings
|
|
gitlab_saml:
|
|
enabled: false
|
|
label: "SAML"
|
|
groups_attribute: "roles"
|
|
external_groups: "{{ gitlab_domain }}:external"
|
|
idp_cert_fingerprint: "<to be set>"
|
|
idp_sso_target_url: "https://sso.example.com"
|
|
idp_slo_target_url: "https://sso.example.com"
|
|
issuer: "{{ gitlab_domain }}"
|
|
certificate: "<cert without '----BEGIN CERTIFICATE----' (can be omited)>"
|
|
private_key: "<private key without '----BEGIN RSA PRIVATE KEY----' (can be omited)>"
|
|
attribute_statements:
|
|
first_name: "first_name"
|
|
last_name: "last_name"
|
|
name: "name"
|
|
username: "username"
|
|
email: "email"
|
|
name_identifier_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
|
|
autologin: false
|
|
|
|
# LDAP settings
|
|
gitlab_ldap:
|
|
enabled: false
|
|
label: "LDAP"
|
|
host: "ldap.example.com"
|
|
port: 389
|
|
bind_dn: "_the_full_dn_of_the_user_you_will_bind_with"
|
|
password: "_the_password_of_the_bind_user"
|
|
encryption: "simple_tls"
|
|
verify_certificates: true
|
|
uid: "sAMAccountName"
|
|
active_directory: true
|
|
user_filter: ""
|
|
base: "dc=example,dc=com"
|
|
|
|
# IMAP settings (for email replies to comments etc.)
|
|
gitlab_imap:
|
|
enabled: false
|
|
username: "{{ gitlab_smtp_user_name }}"
|
|
password: "{{ gitlab_smtp_password }}"
|
|
server_address: imap.example.com
|
|
email_address: "incoming+%{key}@gitlab.example.com"
|
|
|
|
# Gitlab docker registry settings
|
|
gitlab_registry:
|
|
enabled: false
|
|
# Defines the port that is appended to the registry domain used by gitlab.
|
|
# This can be omitted, when no port is needed (eg. registry on its own domain)
|
|
external_port: 5050
|
|
# Defines the entrypoint that traefik should use for the registry.
|
|
# Can be useful to use another port while still using the certificate of the main domain.
|
|
# This can be omitted to use "websecure" by default
|
|
traefik_entrypoint: "websecure"
|
|
|
|
# Gitlab telegraf configuration, allows to configure a monitoring setup for Gitlab
|
|
gitlab_telegraf:
|
|
enabled: false
|
|
# Your influxDB hosts
|
|
influxdb_endpoints:
|
|
- "influxdb.example.com"
|
|
influxdb_username: telegraf
|
|
influxdb_password: ""
|
|
influxdb_retention_policy: "gitlab"
|
|
influxdb_retention_policy_tag: ""
|
|
# Token provided by Gitlab on the admin page
|
|
# See https://docs.gitlab.com/ee/administration/monitoring/prometheus/gitlab_metrics.html
|
|
metrics_token: ""
|
|
|
|
# Gitlab dependency proxy feature (see https://docs.gitlab.com/ee/administration/packages/dependency_proxy.html)
|
|
gitlab_dependency_proxy:
|
|
enabled: false
|
|
|
|
# Enable the packages feature (see https://docs.gitlab.com/ee/administration/packages/index.html)
|
|
gitlab_packages:
|
|
enabled: false
|
|
|
|
# IPv6 ULA config for the bridge network used by docker-ipv6-nat
|
|
gitlab_ipv6:
|
|
enabled: false
|
|
subnet: "fd9e:21a7:a92c:2326::/64"
|
|
|
|
# Gitlab bundled Mattermost instance settings
|
|
gitlab_mattermost:
|
|
enabled: false
|
|
domain: chat.gitlab.com
|