Make nextcloud role less verbose
This commit is contained in:
parent
01793908a0
commit
1906213fff
1374
roles/gitlab/files/gitlab.yml
Normal file
1374
roles/gitlab/files/gitlab.yml
Normal file
File diff suppressed because it is too large
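--- /dev/null
+++ b/roles/gitlab/files/puma.rb
@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+# Load "path" as a rackup file.
+#
+# The default is "config.ru".
+#
+rackup 'config.ru'
+pidfile '/home/git/gitlab/tmp/pids/puma.pid'
+state_path '/home/git/gitlab/tmp/pids/puma.state'
+
+stdout_redirect '/home/git/gitlab/log/puma.stdout.log',
+'/home/git/gitlab/log/puma.stderr.log',
+true
+
+# Configure "min" to be the minimum number of threads to use to answer
+# requests and "max" the maximum.
+#
+# The default is "0, 16".
+#
+threads 1, 16
+
+# By default, workers accept all requests and queue them to pass to handlers.
+# When false, workers accept the number of simultaneous requests configured.
+#
+# Queueing requests generally improves performance, but can cause deadlocks if
+# the app is waiting on a request to itself. See https://github.com/puma/puma/issues/612
+#
+# When set to false this may require a reverse proxy to handle slow clients and
+# queue requests before they reach puma. This is due to disabling HTTP keepalive
+queue_requests false
+
+# Bind the server to "url". "tcp://", "unix://" and "ssl://" are the only
+# accepted protocols.
+bind 'unix:///home/git/gitlab/tmp/sockets/gitlab.socket'
+
+workers 3
+
+require_relative "/home/git/gitlab/lib/gitlab/cluster/lifecycle_events"
+require_relative "/home/git/gitlab/lib/gitlab/cluster/puma_worker_killer_initializer"
+
+on_restart do
+# Signal application hooks that we're about to restart
+Gitlab::Cluster::LifecycleEvents.do_before_master_restart
+end
+
+before_fork do
+# Signal to the puma killer
+Gitlab::Cluster::PumaWorkerKillerInitializer.start @config.options unless ENV['DISABLE_PUMA_WORKER_KILLER']
+
+# Signal application hooks that we're about to fork
+Gitlab::Cluster::LifecycleEvents.do_before_fork
+end
+
+Gitlab::Cluster::LifecycleEvents.set_puma_options @config.options
+on_worker_boot do
+# Signal application hooks of worker start
+Gitlab::Cluster::LifecycleEvents.do_worker_start
+end
+
+# Preload the application before starting the workers; this conflicts with
+# phased restart feature. (off by default)
+preload_app!
+
+tag 'gitlab-puma-worker'
+
+# Verifies that all workers have checked in to the master process within
+# the given timeout. If not the worker process will be restarted. Default
+# value is 60 seconds.
+#
+worker_timeout 60
+
+# Use json formatter
+require_relative "/home/git/gitlab/lib/gitlab/puma_logging/json_formatter"
+
+json_formatter = Gitlab::PumaLogging::JSONFormatter.new
+log_formatter do |str|
+json_formatter.call(str)
+end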
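Review bot: Every path in this file is rooted at `/home/git/gitlab` (pidfile, state_path, the socket bind and the three `require_relative` calls), while the role's tasks create the `git` user with `home: "/var/gitlab"` and clone GitLab into `/var/gitlab/gitlab-foss`, so on a host built by this role puma would fail at the first `require_relative`. Either clone into `/home/git/gitlab` or turn this into a template driven by a single `gitlab_home` variable rather than a static file with hard-coded paths. The tasks in this commit also never copy `puma.rb` into the checkout, so it is currently unused. A header comment naming the GitLab version this was copied from would help when the upstream example changes.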
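--- /dev/null
+++ b/roles/gitlab/files/rack_attack.rb
@@ -0,0 +1,29 @@
+# 1. Rename this file to rack_attack.rb
+# 2. Review the paths_to_be_protected and add any other path you need protecting
+#
+# If you change this file in a Merge Request, please also create a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
+
+paths_to_be_protected = [
+"#{Rails.application.config.relative_url_root}/users/password",
+"#{Rails.application.config.relative_url_root}/users/sign_in",
+"#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json",
+"#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session",
+"#{Rails.application.config.relative_url_root}/users",
+"#{Rails.application.config.relative_url_root}/users/confirmation",
+"#{Rails.application.config.relative_url_root}/unsubscribes/",
+"#{Rails.application.config.relative_url_root}/import/github/personal_access_token"
+
+]
+
+# Create one big regular expression that matches strings starting with any of
+# the paths_to_be_protected.
+paths_regex = Regexp.union(paths_to_be_protected.map { |path| /\A#{Regexp.escape(path)}/ })
+rack_attack_enabled = Gitlab.config.rack_attack.git_basic_auth['enabled']
+
+unless Rails.env.test? || !rack_attack_enabled
+Rack::Attack.throttle('protected paths', limit: 10, period: 60.seconds) do |req|
+if req.post? && req.path =~ paths_regex
+req.ip
+end
+end
+end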
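Review bot: The throttle keys on `req.ip`; behind the Apache front end this role installs on the same host, that is only the real client address if the proxy forwards `X-Forwarded-For` and GitLab's `trusted_proxies` setting covers the proxy, otherwise every client shares one bucket of 10 POSTs per minute and a single abuser can lock everyone out of sign-in — worth a comment here and a check of `trusted_proxies` in gitlab.yml when the proxy is wired up. The sign-in and password-reset throttle is also gated on `Gitlab.config.rack_attack.git_basic_auth['enabled']`, an unrelated flag, so brute-force protection for `/users/sign_in` is silently off unless that is enabled; a comment above the `unless` such as `# NOTE: login throttling is only active when rack_attack.git_basic_auth.enabled is set in gitlab.yml` would spare the next operator the surprise. The tasks in this commit do not copy this file into `config/initializers/`, so it has no effect yet.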
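--- /dev/null
+++ b/roles/gitlab/files/redis-tmpfile.conf
@@ -0,0 +1 @@
+d /var/run/redis 0755 redis redis 10d -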
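Review bot: The age field `10d` asks `systemd-tmpfiles --clean` (run daily by the stock timer) to prune anything under `/var/run/redis` not touched for ten days; tmpfiles skips sockets that are still bound, but a pid file or anything else redis leaves there would be removed on a long-running host, and there is no reason to age-clean a runtime directory at all — use `d /var/run/redis 0755 redis redis - -`. The same directory is also created by the `Create socket directory` task in `tasks/main.yml`, so one of the two is redundant. Since the tasks add the `git` user to the `redis` group, the intent seems to be group-based socket access; whether the socket itself is group-only depends on `unixsocketperm` in the (suppressed) `redis.conf`, which is worth confirming.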
1317
roles/gitlab/files/redis.conf
Normal file
1317
roles/gitlab/files/redis.conf
Normal file
File diff suppressed because it is too large
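--- /dev/null
+++ b/roles/gitlab/files/resque.yml
@@ -0,0 +1,34 @@
+# If you change this file in a Merge Request, please also create
+# a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
+#
+development:
+url: redis://localhost:6379
+# sentinels:
+# -
+# host: localhost
+# port: 26380 # point to sentinel, not to redis port
+# -
+# host: slave2
+# port: 26381 # point to sentinel, not to redis port
+test:
+url: redis://localhost:6379
+production:
+# Redis (single instance)
+url: unix:/var/run/redis/redis.sock
+##
+# Redis + Sentinel (for HA)
+#
+# Please read instructions carefully before using it as you may lose data:
+# http://redis.io/topics/sentinel
+#
+# You must specify a list of a few sentinels that will handle client connection
+# please read here for more information: https://docs.gitlab.com/ce/administration/high_availability/redis.html
+##
+# url: redis://master:6379
+# sentinels:
+# -
+# host: slave1
+# port: 26379 # point to sentinel, not to redis port
+# -
+# host: slave2
+# port: 26379 # point to sentinel, not to redis port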
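--- /dev/null
+++ b/roles/gitlab/files/secrets.yml
@@ -0,0 +1,12 @@
+production:
+# db_key_base is used to encrypt for Variables. Ensure that you don't lose it.
+# If you change or lose this key you will be unable to access variables stored in database.
+# Make sure the secret is at least 30 characters and all random,
+# no regular words or you'll be exposed to dictionary attacks.
+# db_key_base:
+
+development:
+db_key_base: development
+
+test:
+db_key_base: test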
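Review bot: This puts GitLab's `secrets.yml` under version control in `files/`, which is the wrong place for key material: the production `db_key_base` is left commented out so the deployed file would carry no production key, and the `development`/`test` entries are the literal strings `development` and `test`, known to anyone who can read this repository. Generate the file per host instead, e.g. a template fed from `lookup('password', ...)` or an Ansible Vault variable, written with `owner: git` and `mode: "0600"`, and keep the resulting key backed up out of band, since (as the file's own comment says) CI variables become unreadable without it. The tasks in this commit do not copy this file, so nothing is deployed yet.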
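--- /dev/null
+++ b/roles/gitlab/meta/main.yml
@@ -0,0 +1,5 @@
+---
+allow_duplicates: no
+dependencies:
+- role: apache-php
+- role: mysql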
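Review bot: The role depends on `mysql` (and `tasks/main.yml` creates a MySQL database and user), but GitLab dropped MySQL support in 12.1 and the tasks check out `12-10-stable`, so as far as I can tell the application will not run against the database this role prepares — GitLab 12.x needs PostgreSQL. The `apache-php` dependency also installs a PHP stack for a Rails application that needs none of it (the vhost only needs mod_ssl and a proxy module), which is avoidable attack surface on a code-hosting server. Consider `- role: postgresql` and a plain Apache role, or document here why PHP is required.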
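--- /dev/null
+++ b/roles/gitlab/tasks/main.yml
@@ -0,0 +1,149 @@
+#!/usr/bin/ansible-playbook
+# vim:ft=ansible:
+---
+- name: Set up webroot for {{ gitlab_repo }}
+block:
+- name: Add repository keys
+apt_key:
+url: "{{ item }}"
+loop:
+- "https://dl.yarnpkg.com/debian/pubkey.gpg"
+- name: Add repositories
+apt_repository:
+repo: "{{ item }}"
+loop:
+- "ppa:brightbox/ruby-ng" # Ruby version in 18.10 is out-of-date per GitLab 12.2
+- "deb https://dl.yarnpkg.com/debian/ stable main"
+register: repo
+- name: Update repos
+apt:
+upgrade: "yes"
+update_cache: yes
+when: repo is changed
+- name: Install dependencies
+apt:
+name:
+- build-essential
+- checkinstall
+- cmake
+- curl
+- git
+- git-core
+- golang
+- graphicsmagick
+- libcurl4-openssl-dev
+- libffi-dev
+- libgdbm-dev
+- libicu-dev
+- libncurses5-dev
+- libre2-dev
+- libreadline-dev
+- libssl-dev
+- libxml2-dev
+- libxslt-dev
+- libyaml-dev
+- logrotate
+- nodejs
+- openssh-server
+- pkg-config
+- python-docutils
+- rsync
+- ruby
+- runit
+- yarn
+- zlib1g-dev
+- name: Install and configure Redis
+block:
+- name: Install packages
+apt:
+name: "redis-server"
+register: repo2
+- name: Disable service
+service:
+name: redis-server
+state: stopped
+when: repo2 is changed
+- name: Copy config
+copy:
+src: redis.conf
+dest: "/etc/redis/redis.conf"
+- name: Copy tmpfiles config
+copy:
+src: redis-tmpfile.conf
+dest: "/etc/tmpfiles.d/redis.conf"
+- name: Create socket directory
+file:
+path: "/var/run/redis"
+state: directory
+mode: 755
+owner: redis
+group: redis
+- name: Enable and start service
+service:
+name: redis-server
+state: started
+enabled: yes
+- name: Add gitlab user
+user:
+name: git
+home: "/var/gitlab"
+groups:
+- "redis"
+comment: "GitLab"
+shell: "/usr/sbin/nologin"
+- name: Set up MySQL
+block:
+- name: Create database
+mysql_db:
+name: gitlab
+login_user: root
+login_password: "{{ mysql_root_password }}"
+state: present
+- name: Create Gitlab user
+mysql_user:
+name: gitlab
+host: localhost
+password: "{{ gitlab_mysql_password }}"
+priv: "gitlab.*:ALL,GRANT"
+login_user: root
+login_password: "{{ mysql_root_password }}"
+- name: Clone and build GitLab
+block:
+- name: Clone GitLab
+git:
+depth: 1
+dest: "/var/gitlab/gitlab-foss"
+force: yes
+repo: "https://gitlab.com/gitlab-org/gitlab-foss.git"
+version: 12-10-stable
+- name: Copy configs around
+copy:
+remote_src: yes
+src: "{{ item.src }}"
+dest: "{{ item.dest }}"
+loop:
+- { src: "/var/gitlab/gitlab-foss/config/gitlab.yml.example", dest: "/var/gitlab/gitlab-foss/config/gitlab.yml" }
+- name: Set up Apache
+block:
+- name: Create webroot
+file:
+path: "{{ gitlab_webroot }}"
+mode: "0755"
+state: directory
+- name: Copy over virtual host configs
+template:
+src: apache2-vhost-ssl.conf
+dest: "/etc/apache2/sites-available/{{ gitlab_url }}.conf"
+notify: restart apache
+- name: Enable config
+command:
+cmd: "a2ensite {{ gitlab_url }}.conf"
+creates: "/etc/apache2/sites-enabled/{{ gitlab_url }}.conf"
+notify: restart apache
+- name: Generate certificate
+include_role:
+name: https
+vars:
+website_url: "{{ gitlab_url }}"
+website_webroot: "{{ gitlab_webroot }}"
+become: yes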
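Review bot: `mode: 755` on the `Create socket directory` task is an unquoted YAML integer, which per the `file` module's documentation Ansible takes as decimal 755 (octal 1363), leaving `/var/run/redis` with the sticky bit set and write+execute for "other" instead of 0755 — quote it as the webroot task already does: `mode: "0755"`. The clone pins `version: 12-10-stable`, a moving branch fetched with `force: yes`, so each run deploys whatever that branch points at with no integrity check; pin a release tag or commit SHA instead. `priv: "gitlab.*:ALL,GRANT"` gives the application account the GRANT option it does not need; `gitlab.*:ALL` is sufficient. The `git` user's home is `/var/gitlab` here while `files/puma.rb` hard-codes `/home/git/gitlab`, so the two new files disagree on where GitLab lives, and `upgrade: "yes"` in the `Update repos` task performs a full package upgrade as a side effect of adding a repository, which is more than the task name suggests.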
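--- /dev/null
+++ b/roles/gitlab/templates/apache2-vhost-ssl.conf
@@ -0,0 +1,30 @@
+# Configuration for {{ gitlab_url }}
+# vim:ft=apache:
+
+# Accept connections from non-SNI clients
+SSLStrictSNIVHostCheck off
+
+# Website configuration
+<VirtualHost *:80>
+ServerName {{ gitlab_url }}
+Redirect permanent / https://{{ gitlab_url }}
+</VirtualHost>
+<VirtualHost *:443>
+SSLEngine on
+SSLCertificateFile /etc/pki/cert/crt/{{ gitlab_url }}.crt
+SSLCertificateKeyFile /etc/pki/cert/private/{{ gitlab_url }}.key
+SSLCertificateChainFile /etc/pki/cert/crt/{{ gitlab_url}}-fullchain.crt
+<FilesMatch "\.(cgi|shtml|phtml|php)$">\
+SSLOptions +StdEnvVars
+</FilesMatch>
+<Directory /usr/lib/cgi-bin>
+SSLOptions +StdEnvVars
+</Directory>
+ServerName {{ gitlab_url }}
+DocumentRoot {{ gitlab_webroot }}
+<Directory "{{ gitlab_webroot }}">
+Require all granted
+AllowOverride All
+Options MultiViews FollowSymlinks
+</Directory>
+</VirtualHost>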
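Review bot: The trailing backslash on `<FilesMatch "\.(cgi|shtml|phtml|php)$">\` is a line continuation for Apache's config parser, so it is joined with the following `SSLOptions +StdEnvVars` into one invalid directive and `apache2ctl configtest` will reject the site once `a2ensite` enables it — drop the backslash. `Redirect permanent / https://{{ gitlab_url }}` also needs a trailing slash, because Apache appends the rest of the request path to the target and `/foo` would be sent to `https://hostfoo`; use `Redirect permanent / https://{{ gitlab_url }}/`. Beyond that, the 443 vhost only serves a static `DocumentRoot` with `AllowOverride All` and `FollowSymlinks`; nothing proxies to the puma unix socket configured in `files/puma.rb`, so this cannot yet front GitLab, and a site that is HTTPS-only by redirect should also send `Header always set Strict-Transport-Security "max-age=31536000"`. The CGI/PHP `FilesMatch` and `/usr/lib/cgi-bin` blocks look carried over from a PHP vhost and are not needed for a Rails application.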
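--- /dev/null
+++ b/roles/gitlab/templates/apache2-vhost.conf
@@ -0,0 +1,13 @@
+# Configuration for {{ gitlab_url }}
+# vim:ft=apache:
+
+# Website configuration
+<VirtualHost *:80>
+ServerName {{ gitlab_url }}
+DocumentRoot {{ gitlab_webroot }}
+<Directory "{{ gitlab_webroot }}">
+Require all granted
+AllowOverride All
+Options MultiViews FollowSymlinks
+</Directory>
+</VirtualHost>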
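Review bot: This plain-HTTP vhost serves the same `DocumentRoot` unencrypted, with `AllowOverride All` and `FollowSymlinks`, and unlike the SSL template it has no redirect to HTTPS; `tasks/main.yml` only templates `apache2-vhost-ssl.conf`, so as far as this commit goes the file is unused. Either delete it or reduce it to the redirect-only `<VirtualHost *:80>` block the SSL template already contains, so that enabling it by mistake cannot expose the site over HTTP.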
@ -5,9 +5,7 @@
|
|||||||
block:
|
block:
|
||||||
- name: Install Nextcloud-required packages
|
- name: Install Nextcloud-required packages
|
||||||
apt:
|
apt:
|
||||||
name: "{{ packages }}"
|
name:
|
||||||
vars:
|
|
||||||
packages:
|
|
||||||
- php-imagick
|
- php-imagick
|
||||||
- name: Set up MySQL
|
- name: Set up MySQL
|
||||||
block:
|
block:
|
||||||
|