Make nextcloud role less verbose

This commit is contained in:
Salt 2020-04-18 03:15:41 -05:00
parent 01793908a0
commit 1906213fff
12 changed files with 3044 additions and 4 deletions

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,78 @@
# frozen_string_literal: true
# Load "path" as a rackup file.
#
# The default is "config.ru".
#
rackup 'config.ru'
pidfile '/home/git/gitlab/tmp/pids/puma.pid'
state_path '/home/git/gitlab/tmp/pids/puma.state'
stdout_redirect '/home/git/gitlab/log/puma.stdout.log',
'/home/git/gitlab/log/puma.stderr.log',
true
# Configure "min" to be the minimum number of threads to use to answer
# requests and "max" the maximum.
#
# The default is "0, 16".
#
threads 1, 16
# By default, workers accept all requests and queue them to pass to handlers.
# When false, workers accept the number of simultaneous requests configured.
#
# Queueing requests generally improves performance, but can cause deadlocks if
# the app is waiting on a request to itself. See https://github.com/puma/puma/issues/612
#
# When set to false this may require a reverse proxy to handle slow clients and
# queue requests before they reach puma. This is due to disabling HTTP keepalive
queue_requests false
# Bind the server to "url". "tcp://", "unix://" and "ssl://" are the only
# accepted protocols.
bind 'unix:///home/git/gitlab/tmp/sockets/gitlab.socket'
workers 3
require_relative "/home/git/gitlab/lib/gitlab/cluster/lifecycle_events"
require_relative "/home/git/gitlab/lib/gitlab/cluster/puma_worker_killer_initializer"
on_restart do
# Signal application hooks that we're about to restart
Gitlab::Cluster::LifecycleEvents.do_before_master_restart
end
before_fork do
# Signal to the puma killer
Gitlab::Cluster::PumaWorkerKillerInitializer.start @config.options unless ENV['DISABLE_PUMA_WORKER_KILLER']
# Signal application hooks that we're about to fork
Gitlab::Cluster::LifecycleEvents.do_before_fork
end
Gitlab::Cluster::LifecycleEvents.set_puma_options @config.options
on_worker_boot do
# Signal application hooks of worker start
Gitlab::Cluster::LifecycleEvents.do_worker_start
end
# Preload the application before starting the workers; this conflicts with
# phased restart feature. (off by default)
preload_app!
tag 'gitlab-puma-worker'
# Verifies that all workers have checked in to the master process within
# the given timeout. If not the worker process will be restarted. Default
# value is 60 seconds.
#
worker_timeout 60
# Use json formatter
require_relative "/home/git/gitlab/lib/gitlab/puma_logging/json_formatter"
json_formatter = Gitlab::PumaLogging::JSONFormatter.new
log_formatter do |str|
json_formatter.call(str)
end

View File

@ -0,0 +1,29 @@
# 1. Rename this file to rack_attack.rb
# 2. Review the paths_to_be_protected and add any other path you need protecting
#
# If you change this file in a Merge Request, please also create a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
paths_to_be_protected = [
"#{Rails.application.config.relative_url_root}/users/password",
"#{Rails.application.config.relative_url_root}/users/sign_in",
"#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json",
"#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session",
"#{Rails.application.config.relative_url_root}/users",
"#{Rails.application.config.relative_url_root}/users/confirmation",
"#{Rails.application.config.relative_url_root}/unsubscribes/",
"#{Rails.application.config.relative_url_root}/import/github/personal_access_token"
]
# Create one big regular expression that matches strings starting with any of
# the paths_to_be_protected.
paths_regex = Regexp.union(paths_to_be_protected.map { |path| /\A#{Regexp.escape(path)}/ })
rack_attack_enabled = Gitlab.config.rack_attack.git_basic_auth['enabled']
unless Rails.env.test? || !rack_attack_enabled
Rack::Attack.throttle('protected paths', limit: 10, period: 60.seconds) do |req|
if req.post? && req.path =~ paths_regex
req.ip
end
end
end

View File

@ -0,0 +1 @@
d /var/run/redis 0755 redis redis 10d -

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,34 @@
# If you change this file in a Merge Request, please also create
# a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
#
development:
url: redis://localhost:6379
# sentinels:
# -
# host: localhost
# port: 26380 # point to sentinel, not to redis port
# -
# host: slave2
# port: 26381 # point to sentinel, not to redis port
test:
url: redis://localhost:6379
production:
# Redis (single instance)
url: unix:/var/run/redis/redis.sock
##
# Redis + Sentinel (for HA)
#
# Please read instructions carefully before using it as you may lose data:
# http://redis.io/topics/sentinel
#
# You must specify a list of a few sentinels that will handle client connection
# please read here for more information: https://docs.gitlab.com/ce/administration/high_availability/redis.html
##
# url: redis://master:6379
# sentinels:
# -
# host: slave1
# port: 26379 # point to sentinel, not to redis port
# -
# host: slave2
# port: 26379 # point to sentinel, not to redis port

View File

@ -0,0 +1,12 @@
production:
# db_key_base is used to encrypt for Variables. Ensure that you don't lose it.
# If you change or lose this key you will be unable to access variables stored in database.
# Make sure the secret is at least 30 characters and all random,
# no regular words or you'll be exposed to dictionary attacks.
# db_key_base:
development:
db_key_base: development
test:
db_key_base: test

View File

@ -0,0 +1,5 @@
---
allow_duplicates: no
dependencies:
- role: apache-php
- role: mysql

149
roles/gitlab/tasks/main.yml Normal file
View File

@ -0,0 +1,149 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Set up webroot for {{ gitlab_repo }}
block:
- name: Add repository keys
apt_key:
url: "{{ item }}"
loop:
- "https://dl.yarnpkg.com/debian/pubkey.gpg"
- name: Add repositories
apt_repository:
repo: "{{ item }}"
loop:
- "ppa:brightbox/ruby-ng" # Ruby version in 18.10 is out-of-date per GitLab 12.2
- "deb https://dl.yarnpkg.com/debian/ stable main"
register: repo
- name: Update repos
apt:
upgrade: "yes"
update_cache: yes
when: repo is changed
- name: Install dependencies
apt:
name:
- build-essential
- checkinstall
- cmake
- curl
- git
- git-core
- golang
- graphicsmagick
- libcurl4-openssl-dev
- libffi-dev
- libgdbm-dev
- libicu-dev
- libncurses5-dev
- libre2-dev
- libreadline-dev
- libssl-dev
- libxml2-dev
- libxslt-dev
- libyaml-dev
- logrotate
- nodejs
- openssh-server
- pkg-config
- python-docutils
- rsync
- ruby
- runit
- yarn
- zlib1g-dev
- name: Install and configure Redis
block:
- name: Install packages
apt:
name: "redis-server"
register: repo2
- name: Disable service
service:
name: redis-server
state: stopped
when: repo2 is changed
- name: Copy config
copy:
src: redis.conf
dest: "/etc/redis/redis.conf"
- name: Copy tmpfiles config
copy:
src: redis-tmpfile.conf
dest: "/etc/tmpfiles.d/redis.conf"
- name: Create socket directory
file:
path: "/var/run/redis"
state: directory
mode: 755
owner: redis
group: redis
- name: Enable and start service
service:
name: redis-server
state: started
enabled: yes
- name: Add gitlab user
user:
name: git
home: "/var/gitlab"
groups:
- "redis"
comment: "GitLab"
shell: "/usr/sbin/nologin"
- name: Set up MySQL
block:
- name: Create database
mysql_db:
name: gitlab
login_user: root
login_password: "{{ mysql_root_password }}"
state: present
- name: Create Gitlab user
mysql_user:
name: gitlab
host: localhost
password: "{{ gitlab_mysql_password }}"
priv: "gitlab.*:ALL,GRANT"
login_user: root
login_password: "{{ mysql_root_password }}"
- name: Clone and build GitLab
block:
- name: Clone GitLab
git:
depth: 1
dest: "/var/gitlab/gitlab-foss"
force: yes
repo: "https://gitlab.com/gitlab-org/gitlab-foss.git"
version: 12-10-stable
- name: Copy configs around
copy:
remote_src: yes
src: "{{ item.src }}"
dest: "{{ item.dest }}"
loop:
- { src: "/var/gitlab/gitlab-foss/config/gitlab.yml.example", dest: "/var/gitlab/gitlab-foss/config/gitlab.yml" }
- name: Set up Apache
block:
- name: Create webroot
file:
path: "{{ gitlab_webroot }}"
mode: "0755"
state: directory
- name: Copy over virtual host configs
template:
src: apache2-vhost-ssl.conf
dest: "/etc/apache2/sites-available/{{ gitlab_url }}.conf"
notify: restart apache
- name: Enable config
command:
cmd: "a2ensite {{ gitlab_url }}.conf"
creates: "/etc/apache2/sites-enabled/{{ gitlab_url }}.conf"
notify: restart apache
- name: Generate certificate
include_role:
name: https
vars:
website_url: "{{ gitlab_url }}"
website_webroot: "{{ gitlab_webroot }}"
become: yes

View File

@ -0,0 +1,30 @@
# Configuration for {{ gitlab_url }}
# vim:ft=apache:
# Accept connections from non-SNI clients
SSLStrictSNIVHostCheck off
# Website configuration
<VirtualHost *:80>
ServerName {{ gitlab_url }}
Redirect permanent / https://{{ gitlab_url }}
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/cert/crt/{{ gitlab_url }}.crt
SSLCertificateKeyFile /etc/pki/cert/private/{{ gitlab_url }}.key
SSLCertificateChainFile /etc/pki/cert/crt/{{ gitlab_url}}-fullchain.crt
<FilesMatch "\.(cgi|shtml|phtml|php)$">\
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
ServerName {{ gitlab_url }}
DocumentRoot {{ gitlab_webroot }}
<Directory "{{ gitlab_webroot }}">
Require all granted
AllowOverride All
Options MultiViews FollowSymlinks
</Directory>
</VirtualHost>

View File

@ -0,0 +1,13 @@
# Configuration for {{ gitlab_url }}
# vim:ft=apache:
# Website configuration
<VirtualHost *:80>
ServerName {{ gitlab_url }}
DocumentRoot {{ gitlab_webroot }}
<Directory "{{ gitlab_webroot }}">
Require all granted
AllowOverride All
Options MultiViews FollowSymlinks
</Directory>
</VirtualHost>

View File

@ -5,9 +5,7 @@
block:
- name: Install Nextcloud-required packages
apt:
name: "{{ packages }}"
vars:
packages:
name:
- php-imagick
- name: Set up MySQL
block: