salt/ansible
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Remove postfix, gitlab, and some defunct templates

Browse Source
This commit is contained in:
Salt 2020-07-23 21:37:49 -05:00
parent f62c6a8414
commit 8fc419e273
13 changed files with 0 additions and 1775 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1374
roles/gitlab/files/gitlab.yml
View File

File diff suppressed because it is too large Load Diff

78
roles/gitlab/files/puma.rb
View File

@ -1,78 +0,0 @@
# frozen_string_literal: true
# Load "path" as a rackup file.
#
# The default is "config.ru".
#
rackup 'config.ru'
pidfile '/home/git/gitlab/tmp/pids/puma.pid'
state_path '/home/git/gitlab/tmp/pids/puma.state'
stdout_redirect '/home/git/gitlab/log/puma.stdout.log',
'/home/git/gitlab/log/puma.stderr.log',
true
# Configure "min" to be the minimum number of threads to use to answer
# requests and "max" the maximum.
#
# The default is "0, 16".
#
threads 1, 16
# By default, workers accept all requests and queue them to pass to handlers.
# When false, workers accept the number of simultaneous requests configured.
#
# Queueing requests generally improves performance, but can cause deadlocks if
# the app is waiting on a request to itself. See https://github.com/puma/puma/issues/612
#
# When set to false this may require a reverse proxy to handle slow clients and
# queue requests before they reach puma. This is due to disabling HTTP keepalive
queue_requests false
# Bind the server to "url". "tcp://", "unix://" and "ssl://" are the only
# accepted protocols.
bind 'unix:///home/git/gitlab/tmp/sockets/gitlab.socket'
workers 3
require_relative "/home/git/gitlab/lib/gitlab/cluster/lifecycle_events"
require_relative "/home/git/gitlab/lib/gitlab/cluster/puma_worker_killer_initializer"
on_restart do
# Signal application hooks that we're about to restart
Gitlab::Cluster::LifecycleEvents.do_before_master_restart
end
before_fork do
# Signal to the puma killer
Gitlab::Cluster::PumaWorkerKillerInitializer.start @config.options unless ENV['DISABLE_PUMA_WORKER_KILLER']
# Signal application hooks that we're about to fork
Gitlab::Cluster::LifecycleEvents.do_before_fork
end
Gitlab::Cluster::LifecycleEvents.set_puma_options @config.options
on_worker_boot do
# Signal application hooks of worker start
Gitlab::Cluster::LifecycleEvents.do_worker_start
end
# Preload the application before starting the workers; this conflicts with
# phased restart feature. (off by default)
preload_app!
tag 'gitlab-puma-worker'
# Verifies that all workers have checked in to the master process within
# the given timeout. If not the worker process will be restarted. Default
# value is 60 seconds.
#
worker_timeout 60
# Use json formatter
require_relative "/home/git/gitlab/lib/gitlab/puma_logging/json_formatter"
json_formatter = Gitlab::PumaLogging::JSONFormatter.new
log_formatter do |str|
json_formatter.call(str)
end

29
roles/gitlab/files/rack_attack.rb
View File

@ -1,29 +0,0 @@
# 1. Rename this file to rack_attack.rb
# 2. Review the paths_to_be_protected and add any other path you need protecting
#
# If you change this file in a Merge Request, please also create a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
paths_to_be_protected = [
"#{Rails.application.config.relative_url_root}/users/password",
"#{Rails.application.config.relative_url_root}/users/sign_in",
"#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json",
"#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session",
"#{Rails.application.config.relative_url_root}/users",
"#{Rails.application.config.relative_url_root}/users/confirmation",
"#{Rails.application.config.relative_url_root}/unsubscribes/",
"#{Rails.application.config.relative_url_root}/import/github/personal_access_token"
]
# Create one big regular expression that matches strings starting with any of
# the paths_to_be_protected.
paths_regex = Regexp.union(paths_to_be_protected.map { |path| /\A#{Regexp.escape(path)}/ })
rack_attack_enabled = Gitlab.config.rack_attack.git_basic_auth['enabled']
unless Rails.env.test? || !rack_attack_enabled
Rack::Attack.throttle('protected paths', limit: 10, period: 60.seconds) do |req|
if req.post? && req.path =~ paths_regex
req.ip
end
end
end

34
roles/gitlab/files/resque.yml
View File

@ -1,34 +0,0 @@
# If you change this file in a Merge Request, please also create
# a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
#
development:
url: redis://localhost:6379
# sentinels:
# -
# host: localhost
# port: 26380 # point to sentinel, not to redis port
# -
# host: slave2
# port: 26381 # point to sentinel, not to redis port
test:
url: redis://localhost:6379
production:
# Redis (single instance)
url: unix:/var/run/redis/redis.sock
##
# Redis + Sentinel (for HA)
#
# Please read instructions carefully before using it as you may lose data:
# http://redis.io/topics/sentinel
#
# You must specify a list of a few sentinels that will handle client connection
# please read here for more information: https://docs.gitlab.com/ce/administration/high_availability/redis.html
##
# url: redis://master:6379
# sentinels:
# -
# host: slave1
# port: 26379 # point to sentinel, not to redis port
# -
# host: slave2
# port: 26379 # point to sentinel, not to redis port

12
roles/gitlab/files/secrets.yml
View File

@ -1,12 +0,0 @@
production:
# db_key_base is used to encrypt for Variables. Ensure that you don't lose it.
# If you change or lose this key you will be unable to access variables stored in database.
# Make sure the secret is at least 30 characters and all random,
# no regular words or you'll be exposed to dictionary attacks.
# db_key_base:
development:
db_key_base: development
test:
db_key_base: test

9
roles/gitlab/meta/main.yml
View File

@ -1,9 +0,0 @@
---
allow_duplicates: no
dependencies:
- role: apache-php
- role: mysql
- role: redis
- role: postfix-null
vars:
postfix_hostname: "{{ gitlab_url }}"

161
roles/gitlab/tasks/main.yml
View File

@ -1,161 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Set up webroot for {{ gitlab_repo }}
block:
- name: Add repository keys
apt_key:
url: "{{ item }}"
loop:
- "https://dl.yarnpkg.com/debian/pubkey.gpg"
- name: Add repositories
apt_repository:
repo: "{{ item }}"
loop:
- "ppa:brightbox/ruby-ng" # Ruby version in 18.10 is out-of-date per GitLab 12.2
- "deb https://dl.yarnpkg.com/debian/ stable main"
register: repo
- name: Update repos
apt:
upgrade: "yes"
update_cache: yes
when: repo is changed
- name: Install dependencies
apt:
name:
- build-essential
- checkinstall
- cmake
- curl
- git
- git-core
- golang
- graphicsmagick
- libcurl4-openssl-dev
- libffi-dev
- libgdbm-dev
- libicu-dev
- libncurses5-dev
- libre2-dev
- libreadline-dev
- libssl-dev
- libxml2-dev
- libxslt-dev
- libyaml-dev
- logrotate
- nodejs
- openssh-server
- pkg-config
- python-docutils
- rsync
- ruby
- runit
- yarn
- zlib1g-dev
- name: Add gitlab user
user:
name: git
home: "/home/git"
groups:
- "redis"
comment: "GitLab"
shell: "/usr/sbin/nologin"
- name: Set up MySQL
block:
- name: Create database
mysql_db:
name: gitlab
login_user: root
login_password: "{{ mysql_root_password }}"
state: present
- name: Create Gitlab user
mysql_user:
name: gitlab
host: localhost
password: "{{ gitlab_mysql_password }}"
priv: "gitlab.*:ALL,GRANT"
login_user: root
login_password: "{{ mysql_root_password }}"
- name: Clone and build GitLab
block:
- name: Clone GitLab
git:
depth: 1
dest: "/home/git/gitlab"
force: yes
repo: "https://gitlab.com/gitlab-org/gitlab-foss.git"
version: 12-10-stable
- name: Create public directory
file:
path: "/home/git/public"
mode: "0755"
state: directory
- name: Create uploads directory
file:
path: "/home/git/public/uploads"
mode: "0700"
state: directory
- name: Copy secrets
copy:
src: "/home/git/gitlab/config/secrets.yml.example"
dest: "/home/git/gitlab/config/secrets.yml"
remote_src: yes
- name: Copy configs around
copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
loop:
- { src: "gitlab.yml", dest: "/home/git/gitlab/config/gitlab.yml" }
- { src: "pumba.rb", dest: "/home/git/gitlab/config/puma.rb" }
- { src: "rack_attack.rb", dest: "/home/git/gitlab/config/initializers/rack_attack.rb" }
- { src: "resque.yml", dest: "/home/git/gitlab/config/resque.yml" }
- name: Change permissions
file:
path: "{{ item.src }}"
state: touch
mode: "{{ item.mode }}"
loop:
- { src: "/home/git/gitlab/log", mode: "u+rwX,go-w" }
- { src: "/home/git/gitlab/tmp", mode: "u+rwX" }
- { src: "/home/git/gitlab/tmp/pids", mode: "u+rwX" }
- { src: "/home/git/gitlab/tmp/sockets", mode: "u+rwX" }
- { src: "/home/git/gitlab/builds", mode: "u+rwX" }
- { src: "/home/git/gitlab/shared/artifacts", mode: "u+rwX" }
- { src: "/home/git/gitlab/shared/pages", mode: "u+rwX" }
- name: Configure git
git_config:
name: "{{ item.name }}"
value: "{{ item.value }}"
loop:
- { name: "core.autocrlf", value: "input" }
- { name: "gc.auto", value: "0" }
- { name: "repack.writeBitmaps", value: "true" }
- { name: "receive.advertisePushOptions", value: "true" }
- { name: "core.fsyncObjectFiles", value: "true" }
become: yes
become_user: git
- name: Set up Apache
block:
- name: Create webroot
file:
path: "{{ gitlab_webroot }}"
src: "/home/git/public"
mode: "0755"
state: link
- name: Copy over virtual host configs
template:
src: apache2-vhost-ssl.conf
dest: "/etc/apache2/sites-available/{{ gitlab_url }}.conf"
notify: restart apache
- name: Enable config
command:
cmd: "a2ensite {{ gitlab_url }}.conf"
creates: "/etc/apache2/sites-enabled/{{ gitlab_url }}.conf"
notify: restart apache
- name: Generate certificate
include_role:
name: https
vars:
website_url: "{{ gitlab_url }}"
website_webroot: "{{ gitlab_webroot }}"
become: yes

41
roles/gitlab/templates/apache2-vhost-ssl.conf
View File

@ -1,41 +0,0 @@
# Configuration for {{ gitlab_url }}
# vim:ft=apache:
# Accept connections from non-SNI clients
SSLStrictSNIVHostCheck off
# Website configuration
<VirtualHost *:80>
ServerName {{ gitlab_url }}
Redirect permanent / https://{{ gitlab_url }}
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/cert/crt/{{ gitlab_url }}.crt
SSLCertificateKeyFile /etc/pki/cert/private/{{ gitlab_url }}.key
SSLCertificateChainFile /etc/pki/cert/crt/{{ gitlab_url }}-fullchain.crt
SSLProtocol {{ ssl_protocol }}
SSLCipherSuite {{ ssl_cipher_suite }}
ServerName {{ gitlab_url }}
DocumentRoot {{ gitlab_webroot }}
<Directory "{{ gitlab_webroot }}">
Require all granted
AllowOverride All
Options MultiViews FollowSymlinks
</Directory>
<Location />
Require all granted
ProxyPassReverse http://127.0.0.1:8086
ProxyPassReverse http://git.9iron.club/
</Location>
# Forward all requets to GL except error docs and ACME challenges
RewriteEngine on
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_URI} ^/uploads/.*
RewriteCond %{REQUEST_URI} !\.well-known-acme-challenge
RewriteRule .* http://127.0.0.1:8086%{REQUEST_URI} [P,QSA,NE]
RequestHeader set X_FORWARDED_PROTO 'https'
RequestHeader set X-Forwarded-Ssl on
</VirtualHost>

10
roles/gitlab/templates/database.yml
View File

@ -1,10 +0,0 @@
production:
adapter: mysql2
encoding: utf8
collation: utf8_general_ci
reconnect: false
database: gitlab
pool: 10
username: gitlab
password: {{ gitlab_mysql_password }}
host: localhost

2
roles/postfix-null/meta/main.yml
View File

@ -1,2 +0,0 @@
---
allow_duplicates: no

14
roles/postfix-null/tasks/main.yml
View File

@ -1,14 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Set up Postfix
block:
- name: Install Postfix
apt:
name:
- postfix
- name: Install config
template:
src: "main.cf"
dest: "/etc/postfix/main.cf"
become: yes

6
roles/postfix-null/templates/main.cf
View File

@ -1,6 +0,0 @@
myhostname = {{ postfix_hostname }}
mydomain = {{ postfix_domain }}
myorigin = $mydomain
#relayhost = $mydomain
inet_interfaces = loopback-only
mydestination =

5
roles/redis/templates/main.cf
View File

@ -1,5 +0,0 @@
myhostname = {{ postfix_hostname }}
myorigin = $mydomain
#relayhost = $mydomain
inet_interfaces = loopback-only
mydestination =