Make nextcloud role less verbose

roles/gitlab/files/puma.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+# Load "path" as a rackup file.
+#
+# The default is "config.ru".
+#
+rackup 'config.ru'
+pidfile '/home/git/gitlab/tmp/pids/puma.pid'
+state_path '/home/git/gitlab/tmp/pids/puma.state'
+
+stdout_redirect '/home/git/gitlab/log/puma.stdout.log',
+  '/home/git/gitlab/log/puma.stderr.log',
+  true
+
+# Configure "min" to be the minimum number of threads to use to answer
+# requests and "max" the maximum.
+#
+# The default is "0, 16".
+#
+threads 1, 16
+
+# By default, workers accept all requests and queue them to pass to handlers.
+# When false, workers accept the number of simultaneous requests configured.
+#
+# Queueing requests generally improves performance, but can cause deadlocks if
+# the app is waiting on a request to itself. See https://github.com/puma/puma/issues/612
+#
+# When set to false this may require a reverse proxy to handle slow clients and
+# queue requests before they reach puma. This is due to disabling HTTP keepalive
+queue_requests false
+
+# Bind the server to "url". "tcp://", "unix://" and "ssl://" are the only
+# accepted protocols.
+bind 'unix:///home/git/gitlab/tmp/sockets/gitlab.socket'
+
+workers 3
+
+require_relative "/home/git/gitlab/lib/gitlab/cluster/lifecycle_events"
+require_relative "/home/git/gitlab/lib/gitlab/cluster/puma_worker_killer_initializer"
+
+on_restart do
+  # Signal application hooks that we're about to restart
+  Gitlab::Cluster::LifecycleEvents.do_before_master_restart
+end
+
+before_fork do
+  # Signal to the puma killer
+  Gitlab::Cluster::PumaWorkerKillerInitializer.start @config.options unless ENV['DISABLE_PUMA_WORKER_KILLER']
+
+  # Signal application hooks that we're about to fork
+  Gitlab::Cluster::LifecycleEvents.do_before_fork
+end
+
+Gitlab::Cluster::LifecycleEvents.set_puma_options @config.options
+on_worker_boot do
+  # Signal application hooks of worker start
+  Gitlab::Cluster::LifecycleEvents.do_worker_start
+end
+
+# Preload the application before starting the workers; this conflicts with
+# phased restart feature. (off by default)
+preload_app!
+
+tag 'gitlab-puma-worker'
+
+# Verifies that all workers have checked in to the master process within
+# the given timeout. If not the worker process will be restarted. Default
+# value is 60 seconds.
+#
+worker_timeout 60
+
+# Use json formatter
+require_relative "/home/git/gitlab/lib/gitlab/puma_logging/json_formatter"
+
+json_formatter = Gitlab::PumaLogging::JSONFormatter.new
+log_formatter do |str|
+  json_formatter.call(str)
+end

roles/gitlab/files/rack_attack.rb

@@ -0,0 +1,29 @@
+# 1. Rename this file to rack_attack.rb
+# 2. Review the paths_to_be_protected and add any other path you need protecting
+#
+# If you change this file in a Merge Request, please also create a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
+
+paths_to_be_protected = [
+  "#{Rails.application.config.relative_url_root}/users/password",
+  "#{Rails.application.config.relative_url_root}/users/sign_in",
+  "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json",
+  "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session",
+  "#{Rails.application.config.relative_url_root}/users",
+  "#{Rails.application.config.relative_url_root}/users/confirmation",
+  "#{Rails.application.config.relative_url_root}/unsubscribes/",
+  "#{Rails.application.config.relative_url_root}/import/github/personal_access_token"
+
+]
+
+# Create one big regular expression that matches strings starting with any of
+# the paths_to_be_protected.
+paths_regex = Regexp.union(paths_to_be_protected.map { |path| /\A#{Regexp.escape(path)}/ })
+rack_attack_enabled = Gitlab.config.rack_attack.git_basic_auth['enabled']
+
+unless Rails.env.test? || !rack_attack_enabled
+  Rack::Attack.throttle('protected paths', limit: 10, period: 60.seconds) do |req|
+    if req.post? && req.path =~ paths_regex
+      req.ip
+    end
+  end
+end

roles/gitlab/files/redis-tmpfile.conf

@@ -0,0 +1 @@
+d  /var/run/redis  0755  redis  redis  10d  -

roles/gitlab/files/resque.yml

@@ -0,0 +1,34 @@
+# If you change this file in a Merge Request, please also create
+# a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
+#
+development:
+  url: redis://localhost:6379
+  # sentinels:
+  #   -
+  #     host: localhost
+  #     port: 26380 # point to sentinel, not to redis port
+  #   -
+  #     host: slave2
+  #     port: 26381 # point to sentinel, not to redis port
+test:
+  url: redis://localhost:6379
+production:
+  # Redis (single instance)
+  url: unix:/var/run/redis/redis.sock
+  ##
+  # Redis + Sentinel (for HA)
+  #
+  # Please read instructions carefully before using it as you may lose data:
+  # http://redis.io/topics/sentinel
+  #
+  # You must specify a list of a few sentinels that will handle client connection
+  # please read here for more information: https://docs.gitlab.com/ce/administration/high_availability/redis.html
+  ##
+  # url: redis://master:6379
+  # sentinels:
+  #   -
+  #     host: slave1
+  #     port: 26379 # point to sentinel, not to redis port
+  #   -
+  #     host: slave2
+  #     port: 26379 # point to sentinel, not to redis port

roles/gitlab/files/secrets.yml

@@ -0,0 +1,12 @@
+production:
+  # db_key_base is used to encrypt for Variables. Ensure that you don't lose it.
+  # If you change or lose this key you will be unable to access variables stored in database.
+  # Make sure the secret is at least 30 characters and all random,
+  # no regular words or you'll be exposed to dictionary attacks.
+  # db_key_base:
+
+development:
+  db_key_base: development
+
+test:
+  db_key_base: test

roles/gitlab/meta/main.yml

@@ -0,0 +1,5 @@
+---
+allow_duplicates: no
+dependencies:
+  - role: apache-php
+  - role: mysql

roles/gitlab/tasks/main.yml

@@ -0,0 +1,149 @@
+#!/usr/bin/ansible-playbook
+# vim:ft=ansible:
+---
+- name: Set up webroot for {{ gitlab_repo }}
+  block:
+    - name: Add repository keys
+      apt_key:
+        url: "{{ item }}"
+      loop:
+        - "https://dl.yarnpkg.com/debian/pubkey.gpg"
+    - name: Add repositories
+      apt_repository:
+        repo: "{{ item }}"
+      loop:
+        - "ppa:brightbox/ruby-ng" # Ruby version in 18.10 is out-of-date per GitLab 12.2
+        - "deb https://dl.yarnpkg.com/debian/ stable main"
+      register: repo
+    - name: Update repos
+      apt:
+        upgrade: "yes"
+        update_cache: yes
+      when: repo is changed
+    - name: Install dependencies
+      apt:
+        name:
+          - build-essential
+          - checkinstall
+          - cmake
+          - curl
+          - git
+          - git-core
+          - golang
+          - graphicsmagick
+          - libcurl4-openssl-dev
+          - libffi-dev
+          - libgdbm-dev
+          - libicu-dev
+          - libncurses5-dev
+          - libre2-dev
+          - libreadline-dev
+          - libssl-dev
+          - libxml2-dev
+          - libxslt-dev
+          - libyaml-dev
+          - logrotate
+          - nodejs
+          - openssh-server
+          - pkg-config
+          - python-docutils
+          - rsync
+          - ruby
+          - runit
+          - yarn
+          - zlib1g-dev
+    - name: Install and configure Redis
+      block:
+        - name: Install packages
+          apt:
+            name: "redis-server"
+          register: repo2
+        - name: Disable service
+          service:
+            name: redis-server
+            state: stopped
+          when: repo2 is changed
+        - name: Copy config
+          copy:
+            src: redis.conf
+            dest: "/etc/redis/redis.conf"
+        - name: Copy tmpfiles config
+          copy:
+            src: redis-tmpfile.conf
+            dest: "/etc/tmpfiles.d/redis.conf"
+        - name: Create socket directory
+          file:
+            path: "/var/run/redis"
+            state: directory
+            mode: 755
+            owner: redis
+            group: redis
+        - name: Enable and start service
+          service:
+            name: redis-server
+            state: started
+            enabled: yes
+    - name: Add gitlab user
+      user:
+        name: git
+        home: "/var/gitlab"
+        groups:
+          - "redis"
+        comment: "GitLab"
+        shell: "/usr/sbin/nologin"
+    - name: Set up MySQL
+      block:
+        - name: Create database
+          mysql_db:
+            name: gitlab
+            login_user: root
+            login_password: "{{ mysql_root_password }}"
+            state: present
+        - name: Create Gitlab user
+          mysql_user:
+            name: gitlab
+            host: localhost
+            password: "{{ gitlab_mysql_password }}"
+            priv: "gitlab.*:ALL,GRANT"
+            login_user: root
+            login_password: "{{ mysql_root_password }}"
+    - name: Clone and build GitLab
+      block:
+        - name: Clone GitLab
+          git:
+            depth: 1
+            dest: "/var/gitlab/gitlab-foss"
+            force: yes
+            repo: "https://gitlab.com/gitlab-org/gitlab-foss.git"
+            version: 12-10-stable
+        - name: Copy configs around
+          copy:
+            remote_src: yes
+            src: "{{ item.src }}"
+            dest: "{{ item.dest }}"
+          loop:
+            - { src: "/var/gitlab/gitlab-foss/config/gitlab.yml.example", dest: "/var/gitlab/gitlab-foss/config/gitlab.yml" }
+    - name: Set up Apache
+      block:
+        - name: Create webroot
+          file:
+            path: "{{ gitlab_webroot }}"
+            mode: "0755"
+            state: directory
+        - name: Copy over virtual host configs
+          template:
+            src: apache2-vhost-ssl.conf
+            dest: "/etc/apache2/sites-available/{{ gitlab_url }}.conf"
+          notify: restart apache
+        - name: Enable config
+          command:
+            cmd: "a2ensite {{ gitlab_url }}.conf"
+            creates: "/etc/apache2/sites-enabled/{{ gitlab_url }}.conf"
+          notify: restart apache
+    - name: Generate certificate
+      include_role:
+        name: https
+      vars:
+        website_url: "{{ gitlab_url }}"
+        website_webroot: "{{ gitlab_webroot }}"
+  become: yes

roles/gitlab/templates/apache2-vhost-ssl.conf

@@ -0,0 +1,30 @@
+# Configuration for {{ gitlab_url }}
+# vim:ft=apache:
+
+# Accept connections from non-SNI clients
+SSLStrictSNIVHostCheck off
+
+# Website configuration
+<VirtualHost *:80>
+	ServerName {{ gitlab_url }}
+	Redirect permanent / https://{{ gitlab_url }}
+</VirtualHost>
+<VirtualHost *:443>
+	SSLEngine on
+	SSLCertificateFile /etc/pki/cert/crt/{{ gitlab_url }}.crt
+	SSLCertificateKeyFile /etc/pki/cert/private/{{ gitlab_url }}.key
+	SSLCertificateChainFile /etc/pki/cert/crt/{{ gitlab_url}}-fullchain.crt
+	<FilesMatch "\.(cgi|shtml|phtml|php)$">\
+		SSLOptions +StdEnvVars
+	</FilesMatch>
+	<Directory /usr/lib/cgi-bin>
+		SSLOptions +StdEnvVars
+	</Directory>
+	ServerName {{ gitlab_url }}
+	DocumentRoot {{ gitlab_webroot }}
+	<Directory "{{ gitlab_webroot }}">
+		Require all granted
+		AllowOverride All
+		Options MultiViews FollowSymlinks
+	</Directory>
+</VirtualHost>

roles/gitlab/templates/apache2-vhost.conf

@@ -0,0 +1,13 @@
+# Configuration for {{ gitlab_url }}
+# vim:ft=apache:
+
+# Website configuration
+<VirtualHost *:80>
+	ServerName {{ gitlab_url }}
+	DocumentRoot {{ gitlab_webroot }}
+	<Directory "{{ gitlab_webroot }}">
+		Require all granted
+		AllowOverride All
+		Options MultiViews FollowSymlinks
+	</Directory>
+</VirtualHost>

roles/nextcloud/tasks/main.yml

@@ -5,10 +5,8 @@
   block:
   - name: Install Nextcloud-required packages
     apt:
-      name: "{{ packages }}"
+      name:
-    vars:
+        - php-imagick
-      packages:
-      - php-imagick
   - name: Set up MySQL
     block:
       - name: Create database