Make nextcloud role less verbose
This commit is contained in:
parent
01793908a0
commit
1906213fff
1374
roles/gitlab/files/gitlab.yml
Normal file
1374
roles/gitlab/files/gitlab.yml
Normal file
File diff suppressed because it is too large
Load Diff
78
roles/gitlab/files/puma.rb
Normal file
78
roles/gitlab/files/puma.rb
Normal file
@ -0,0 +1,78 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
# Load "path" as a rackup file.
|
||||
#
|
||||
# The default is "config.ru".
|
||||
#
|
||||
rackup 'config.ru'
|
||||
pidfile '/home/git/gitlab/tmp/pids/puma.pid'
|
||||
state_path '/home/git/gitlab/tmp/pids/puma.state'
|
||||
|
||||
stdout_redirect '/home/git/gitlab/log/puma.stdout.log',
|
||||
'/home/git/gitlab/log/puma.stderr.log',
|
||||
true
|
||||
|
||||
# Configure "min" to be the minimum number of threads to use to answer
|
||||
# requests and "max" the maximum.
|
||||
#
|
||||
# The default is "0, 16".
|
||||
#
|
||||
threads 1, 16
|
||||
|
||||
# By default, workers accept all requests and queue them to pass to handlers.
|
||||
# When false, workers accept the number of simultaneous requests configured.
|
||||
#
|
||||
# Queueing requests generally improves performance, but can cause deadlocks if
|
||||
# the app is waiting on a request to itself. See https://github.com/puma/puma/issues/612
|
||||
#
|
||||
# When set to false this may require a reverse proxy to handle slow clients and
|
||||
# queue requests before they reach puma. This is due to disabling HTTP keepalive
|
||||
queue_requests false
|
||||
|
||||
# Bind the server to "url". "tcp://", "unix://" and "ssl://" are the only
|
||||
# accepted protocols.
|
||||
bind 'unix:///home/git/gitlab/tmp/sockets/gitlab.socket'
|
||||
|
||||
workers 3
|
||||
|
||||
require_relative "/home/git/gitlab/lib/gitlab/cluster/lifecycle_events"
|
||||
require_relative "/home/git/gitlab/lib/gitlab/cluster/puma_worker_killer_initializer"
|
||||
|
||||
on_restart do
|
||||
# Signal application hooks that we're about to restart
|
||||
Gitlab::Cluster::LifecycleEvents.do_before_master_restart
|
||||
end
|
||||
|
||||
before_fork do
|
||||
# Signal to the puma killer
|
||||
Gitlab::Cluster::PumaWorkerKillerInitializer.start @config.options unless ENV['DISABLE_PUMA_WORKER_KILLER']
|
||||
|
||||
# Signal application hooks that we're about to fork
|
||||
Gitlab::Cluster::LifecycleEvents.do_before_fork
|
||||
end
|
||||
|
||||
Gitlab::Cluster::LifecycleEvents.set_puma_options @config.options
|
||||
on_worker_boot do
|
||||
# Signal application hooks of worker start
|
||||
Gitlab::Cluster::LifecycleEvents.do_worker_start
|
||||
end
|
||||
|
||||
# Preload the application before starting the workers; this conflicts with
|
||||
# phased restart feature. (off by default)
|
||||
preload_app!
|
||||
|
||||
tag 'gitlab-puma-worker'
|
||||
|
||||
# Verifies that all workers have checked in to the master process within
|
||||
# the given timeout. If not the worker process will be restarted. Default
|
||||
# value is 60 seconds.
|
||||
#
|
||||
worker_timeout 60
|
||||
|
||||
# Use json formatter
|
||||
require_relative "/home/git/gitlab/lib/gitlab/puma_logging/json_formatter"
|
||||
|
||||
json_formatter = Gitlab::PumaLogging::JSONFormatter.new
|
||||
log_formatter do |str|
|
||||
json_formatter.call(str)
|
||||
end
|
29
roles/gitlab/files/rack_attack.rb
Normal file
29
roles/gitlab/files/rack_attack.rb
Normal file
@ -0,0 +1,29 @@
|
||||
# 1. Rename this file to rack_attack.rb
|
||||
# 2. Review the paths_to_be_protected and add any other path you need protecting
|
||||
#
|
||||
# If you change this file in a Merge Request, please also create a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
|
||||
|
||||
paths_to_be_protected = [
|
||||
"#{Rails.application.config.relative_url_root}/users/password",
|
||||
"#{Rails.application.config.relative_url_root}/users/sign_in",
|
||||
"#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json",
|
||||
"#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session",
|
||||
"#{Rails.application.config.relative_url_root}/users",
|
||||
"#{Rails.application.config.relative_url_root}/users/confirmation",
|
||||
"#{Rails.application.config.relative_url_root}/unsubscribes/",
|
||||
"#{Rails.application.config.relative_url_root}/import/github/personal_access_token"
|
||||
|
||||
]
|
||||
|
||||
# Create one big regular expression that matches strings starting with any of
|
||||
# the paths_to_be_protected.
|
||||
paths_regex = Regexp.union(paths_to_be_protected.map { |path| /\A#{Regexp.escape(path)}/ })
|
||||
rack_attack_enabled = Gitlab.config.rack_attack.git_basic_auth['enabled']
|
||||
|
||||
unless Rails.env.test? || !rack_attack_enabled
|
||||
Rack::Attack.throttle('protected paths', limit: 10, period: 60.seconds) do |req|
|
||||
if req.post? && req.path =~ paths_regex
|
||||
req.ip
|
||||
end
|
||||
end
|
||||
end
|
1
roles/gitlab/files/redis-tmpfile.conf
Normal file
1
roles/gitlab/files/redis-tmpfile.conf
Normal file
@ -0,0 +1 @@
|
||||
d /var/run/redis 0755 redis redis 10d -
|
1317
roles/gitlab/files/redis.conf
Normal file
1317
roles/gitlab/files/redis.conf
Normal file
File diff suppressed because it is too large
Load Diff
34
roles/gitlab/files/resque.yml
Normal file
34
roles/gitlab/files/resque.yml
Normal file
@ -0,0 +1,34 @@
|
||||
# If you change this file in a Merge Request, please also create
|
||||
# a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
|
||||
#
|
||||
development:
|
||||
url: redis://localhost:6379
|
||||
# sentinels:
|
||||
# -
|
||||
# host: localhost
|
||||
# port: 26380 # point to sentinel, not to redis port
|
||||
# -
|
||||
# host: slave2
|
||||
# port: 26381 # point to sentinel, not to redis port
|
||||
test:
|
||||
url: redis://localhost:6379
|
||||
production:
|
||||
# Redis (single instance)
|
||||
url: unix:/var/run/redis/redis.sock
|
||||
##
|
||||
# Redis + Sentinel (for HA)
|
||||
#
|
||||
# Please read instructions carefully before using it as you may lose data:
|
||||
# http://redis.io/topics/sentinel
|
||||
#
|
||||
# You must specify a list of a few sentinels that will handle client connection
|
||||
# please read here for more information: https://docs.gitlab.com/ce/administration/high_availability/redis.html
|
||||
##
|
||||
# url: redis://master:6379
|
||||
# sentinels:
|
||||
# -
|
||||
# host: slave1
|
||||
# port: 26379 # point to sentinel, not to redis port
|
||||
# -
|
||||
# host: slave2
|
||||
# port: 26379 # point to sentinel, not to redis port
|
12
roles/gitlab/files/secrets.yml
Normal file
12
roles/gitlab/files/secrets.yml
Normal file
@ -0,0 +1,12 @@
|
||||
production:
|
||||
# db_key_base is used to encrypt for Variables. Ensure that you don't lose it.
|
||||
# If you change or lose this key you will be unable to access variables stored in database.
|
||||
# Make sure the secret is at least 30 characters and all random,
|
||||
# no regular words or you'll be exposed to dictionary attacks.
|
||||
# db_key_base:
|
||||
|
||||
development:
|
||||
db_key_base: development
|
||||
|
||||
test:
|
||||
db_key_base: test
|
5
roles/gitlab/meta/main.yml
Normal file
5
roles/gitlab/meta/main.yml
Normal file
@ -0,0 +1,5 @@
|
||||
---
|
||||
allow_duplicates: no
|
||||
dependencies:
|
||||
- role: apache-php
|
||||
- role: mysql
|
149
roles/gitlab/tasks/main.yml
Normal file
149
roles/gitlab/tasks/main.yml
Normal file
@ -0,0 +1,149 @@
|
||||
#!/usr/bin/ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- name: Set up webroot for {{ gitlab_repo }}
|
||||
block:
|
||||
- name: Add repository keys
|
||||
apt_key:
|
||||
url: "{{ item }}"
|
||||
loop:
|
||||
- "https://dl.yarnpkg.com/debian/pubkey.gpg"
|
||||
- name: Add repositories
|
||||
apt_repository:
|
||||
repo: "{{ item }}"
|
||||
loop:
|
||||
- "ppa:brightbox/ruby-ng" # Ruby version in 18.10 is out-of-date per GitLab 12.2
|
||||
- "deb https://dl.yarnpkg.com/debian/ stable main"
|
||||
register: repo
|
||||
- name: Update repos
|
||||
apt:
|
||||
upgrade: "yes"
|
||||
update_cache: yes
|
||||
when: repo is changed
|
||||
- name: Install dependencies
|
||||
apt:
|
||||
name:
|
||||
- build-essential
|
||||
- checkinstall
|
||||
- cmake
|
||||
- curl
|
||||
- git
|
||||
- git-core
|
||||
- golang
|
||||
- graphicsmagick
|
||||
- libcurl4-openssl-dev
|
||||
- libffi-dev
|
||||
- libgdbm-dev
|
||||
- libicu-dev
|
||||
- libncurses5-dev
|
||||
- libre2-dev
|
||||
- libreadline-dev
|
||||
- libssl-dev
|
||||
- libxml2-dev
|
||||
- libxslt-dev
|
||||
- libyaml-dev
|
||||
- logrotate
|
||||
- nodejs
|
||||
- openssh-server
|
||||
- pkg-config
|
||||
- python-docutils
|
||||
- rsync
|
||||
- ruby
|
||||
- runit
|
||||
- yarn
|
||||
- zlib1g-dev
|
||||
- name: Install and configure Redis
|
||||
block:
|
||||
- name: Install packages
|
||||
apt:
|
||||
name: "redis-server"
|
||||
register: repo2
|
||||
- name: Disable service
|
||||
service:
|
||||
name: redis-server
|
||||
state: stopped
|
||||
when: repo2 is changed
|
||||
- name: Copy config
|
||||
copy:
|
||||
src: redis.conf
|
||||
dest: "/etc/redis/redis.conf"
|
||||
- name: Copy tmpfiles config
|
||||
copy:
|
||||
src: redis-tmpfile.conf
|
||||
dest: "/etc/tmpfiles.d/redis.conf"
|
||||
- name: Create socket directory
|
||||
file:
|
||||
path: "/var/run/redis"
|
||||
state: directory
|
||||
mode: 755
|
||||
owner: redis
|
||||
group: redis
|
||||
- name: Enable and start service
|
||||
service:
|
||||
name: redis-server
|
||||
state: started
|
||||
enabled: yes
|
||||
- name: Add gitlab user
|
||||
user:
|
||||
name: git
|
||||
home: "/var/gitlab"
|
||||
groups:
|
||||
- "redis"
|
||||
comment: "GitLab"
|
||||
shell: "/usr/sbin/nologin"
|
||||
- name: Set up MySQL
|
||||
block:
|
||||
- name: Create database
|
||||
mysql_db:
|
||||
name: gitlab
|
||||
login_user: root
|
||||
login_password: "{{ mysql_root_password }}"
|
||||
state: present
|
||||
- name: Create Gitlab user
|
||||
mysql_user:
|
||||
name: gitlab
|
||||
host: localhost
|
||||
password: "{{ gitlab_mysql_password }}"
|
||||
priv: "gitlab.*:ALL,GRANT"
|
||||
login_user: root
|
||||
login_password: "{{ mysql_root_password }}"
|
||||
- name: Clone and build GitLab
|
||||
block:
|
||||
- name: Clone GitLab
|
||||
git:
|
||||
depth: 1
|
||||
dest: "/var/gitlab/gitlab-foss"
|
||||
force: yes
|
||||
repo: "https://gitlab.com/gitlab-org/gitlab-foss.git"
|
||||
version: 12-10-stable
|
||||
- name: Copy configs around
|
||||
copy:
|
||||
remote_src: yes
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
loop:
|
||||
- { src: "/var/gitlab/gitlab-foss/config/gitlab.yml.example", dest: "/var/gitlab/gitlab-foss/config/gitlab.yml" }
|
||||
- name: Set up Apache
|
||||
block:
|
||||
- name: Create webroot
|
||||
file:
|
||||
path: "{{ gitlab_webroot }}"
|
||||
mode: "0755"
|
||||
state: directory
|
||||
- name: Copy over virtual host configs
|
||||
template:
|
||||
src: apache2-vhost-ssl.conf
|
||||
dest: "/etc/apache2/sites-available/{{ gitlab_url }}.conf"
|
||||
notify: restart apache
|
||||
- name: Enable config
|
||||
command:
|
||||
cmd: "a2ensite {{ gitlab_url }}.conf"
|
||||
creates: "/etc/apache2/sites-enabled/{{ gitlab_url }}.conf"
|
||||
notify: restart apache
|
||||
- name: Generate certificate
|
||||
include_role:
|
||||
name: https
|
||||
vars:
|
||||
website_url: "{{ gitlab_url }}"
|
||||
website_webroot: "{{ gitlab_webroot }}"
|
||||
become: yes
|
30
roles/gitlab/templates/apache2-vhost-ssl.conf
Normal file
30
roles/gitlab/templates/apache2-vhost-ssl.conf
Normal file
@ -0,0 +1,30 @@
|
||||
# Configuration for {{ gitlab_url }}
|
||||
# vim:ft=apache:
|
||||
|
||||
# Accept connections from non-SNI clients
|
||||
SSLStrictSNIVHostCheck off
|
||||
|
||||
# Website configuration
|
||||
<VirtualHost *:80>
|
||||
ServerName {{ gitlab_url }}
|
||||
Redirect permanent / https://{{ gitlab_url }}
|
||||
</VirtualHost>
|
||||
<VirtualHost *:443>
|
||||
SSLEngine on
|
||||
SSLCertificateFile /etc/pki/cert/crt/{{ gitlab_url }}.crt
|
||||
SSLCertificateKeyFile /etc/pki/cert/private/{{ gitlab_url }}.key
|
||||
SSLCertificateChainFile /etc/pki/cert/crt/{{ gitlab_url}}-fullchain.crt
|
||||
<FilesMatch "\.(cgi|shtml|phtml|php)$">\
|
||||
SSLOptions +StdEnvVars
|
||||
</FilesMatch>
|
||||
<Directory /usr/lib/cgi-bin>
|
||||
SSLOptions +StdEnvVars
|
||||
</Directory>
|
||||
ServerName {{ gitlab_url }}
|
||||
DocumentRoot {{ gitlab_webroot }}
|
||||
<Directory "{{ gitlab_webroot }}">
|
||||
Require all granted
|
||||
AllowOverride All
|
||||
Options MultiViews FollowSymlinks
|
||||
</Directory>
|
||||
</VirtualHost>
|
13
roles/gitlab/templates/apache2-vhost.conf
Normal file
13
roles/gitlab/templates/apache2-vhost.conf
Normal file
@ -0,0 +1,13 @@
|
||||
# Configuration for {{ gitlab_url }}
|
||||
# vim:ft=apache:
|
||||
|
||||
# Website configuration
|
||||
<VirtualHost *:80>
|
||||
ServerName {{ gitlab_url }}
|
||||
DocumentRoot {{ gitlab_webroot }}
|
||||
<Directory "{{ gitlab_webroot }}">
|
||||
Require all granted
|
||||
AllowOverride All
|
||||
Options MultiViews FollowSymlinks
|
||||
</Directory>
|
||||
</VirtualHost>
|
@ -5,9 +5,7 @@
|
||||
block:
|
||||
- name: Install Nextcloud-required packages
|
||||
apt:
|
||||
name: "{{ packages }}"
|
||||
vars:
|
||||
packages:
|
||||
name:
|
||||
- php-imagick
|
||||
- name: Set up MySQL
|
||||
block:
|
||||
|
Loading…
Reference in New Issue
Block a user