Ansible Role gitlab_ce
This role installs and configures GitLab CE, including regular backups.
After installation, the password for the first user "root" can be found in /etc/gitlab/initial_root_password.
One of the first steps after that would be to deactivate the registration form: In the left sidebar, select Admin > Settings > General, and expand "Sign-up restrictions". Clear the "Sign-up enabled" checkbox, then select "Save changes" (you can’t disable signups without using the UI).
Mandatory Requirements
Enable the official GitLab CE Repository. This can be done using the linuxfabrik.lfops.repo_gitlab_ce role.
If you use the gitlab_ce Playbook, this is automatically done for you.
Mandatory Role Variables
gitlab_ce__rb_external_url
The URL of your GitLab instance. Currently, only http:// is supported by this role. If running behind a reverse proxy or on a trusted network, this is good enough.
Type: String.
Default: none
Example:
# mandatory
gitlab_ce__rb_external_url: 'http://git.example.com'
Optional Role Variables
gitlab_ce__on_calendar
The OnCalendar definition for the GitLab Backup. Have a look at man systemd.time(7) for the format.
Type: String.
Default:
'*-*-* 23:{{ 59 | random(seed=inventory_hostname) }}'
gitlab_ce__rb_git_data_dirs_default_path
Sets a different directory for storing Git data. If missing, the directory will be created by GitLab. If you want to use a single non-default directory to store Git data, use a path that doesn’t contain symlinks. Docs
Type: String.
Default: unset
gitlab_ce__rb_gitlab_rails_backup_keep_time
The duration in seconds to keep backups before they are allowed to be deleted.
Type: Number.
Default:
86400
gitlab_ce__rb_gitlab_rails_backup_path
Backup settings: the directory in which GitLab backups are stored. Docs
Type: String.
Default:
'/backup/gitlab'
gitlab_ce__rb_gitlab_rails_extra_matomo_site_id
Extra customization for Matomo.
Type: String.
Default: unset
gitlab_ce__rb_gitlab_rails_extra_matomo_url
Extra customization for Matomo.
Type: String.
Default: unset
gitlab_ce__rb_gitlab_rails_gitlab_default_projects_features_builds
Whether builds are enabled by default for projects.
Type: Bool.
Default:
true
gitlab_ce__rb_gitlab_rails_gitlab_default_projects_features_container_registry
Whether the container registry is enabled by default for projects.
Type: Bool.
Default:
true
gitlab_ce__rb_gitlab_rails_gitlab_default_projects_features_issues
Whether issues are enabled by default for projects.
Type: Bool.
Default:
true
gitlab_ce__rb_gitlab_rails_gitlab_default_projects_features_merge_requests
Whether merge requests are enabled by default for projects.
Type: Bool.
Default:
true
gitlab_ce__rb_gitlab_rails_gitlab_default_projects_features_snippets
Whether snippets are enabled by default for projects.
Type: Bool.
Default:
true
gitlab_ce__rb_gitlab_rails_gitlab_default_projects_features_wiki
Whether the wiki feature is enabled by default for projects.
Type: Bool.
Default:
true
gitlab_ce__rb_gitlab_rails_gitlab_email_display_name
The display name used in GitLab emails.
Type: String.
Default:
'GitLab@{{ inventory_hostname }}'
gitlab_ce__rb_gitlab_rails_gitlab_email_from
If your SMTP server does not like the default 'From: gitlab@gitlab.example.com', you can change the 'From' with this setting.
Type: String.
Default:
'{{ mailto_root__from | d("") }}'
gitlab_ce__rb_gitlab_rails_gitlab_email_reply_to
The 'Reply To' address for emails if it differs from the 'From' address.
Type: String.
Default: unset
gitlab_ce__rb_gitlab_rails_ldap_enabled
Whether the LDAP integration is enabled. Docs
Type: Bool.
Default:
false
gitlab_ce__rb_gitlab_rails_ldap_servers
LDAP configuration for one or more servers. Docs
Type: Dictionary.
Default: unset
gitlab_ce__rb_gitlab_rails_omniauth_allow_single_sign_on
OmniAuth Settings. Docs
Type: List.
Default: unset
gitlab_ce__rb_gitlab_rails_omniauth_auto_link_ldap_user
OmniAuth Settings. Docs
Type: Bool.
Default: unset
gitlab_ce__rb_gitlab_rails_omniauth_block_auto_created_users
OmniAuth Settings. Docs
Type: Bool.
Default: unset
gitlab_ce__rb_gitlab_rails_omniauth_enabled
OmniAuth Settings. Docs
Type: Bool.
Default: unset
gitlab_ce__rb_gitlab_rails_omniauth_external_providers
OmniAuth Settings. Docs
Type: List.
Default: unset
gitlab_ce__rb_gitlab_rails_omniauth_providers
OmniAuth Settings. Docs
Type: List of dictionaries.
Default: unset
gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_bantime
Ban an IP for x seconds after too many auth attempts.
Type: Number.
Default:
3600
gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_enabled
Whether rack attack for Git basic auth is enabled.
Type: Bool.
Default:
true
gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_findtime
Reset the auth attempt counter per IP after x seconds.
Type: Number.
Default:
60
gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_ip_whitelist
List of IP addresses to whitelist from rack attack.
Type: List.
Default:
['127.0.0.1']
gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_maxretry
Limit the number of Git HTTP authentication attempts per IP.
Type: Number.
Default:
10
gitlab_ce__rb_gitlab_rails_time_zone
The time zone for GitLab. Docs
Type: String.
Default:
'Europe/Zurich'
gitlab_ce__rb_gitlab_rails_uploads_directory
For setting up a different storage directory for uploads. If missing, the directory will be created by GitLab. Docs
Type: String.
Default:
'/var/opt/gitlab/gitlab-rails/uploads'
gitlab_ce__rb_letsencrypt_enable
Whether GitLab should manage Let’s Encrypt certificates itself.
Type: Bool.
Default:
false
gitlab_ce__rb_nginx_listen_https
Set this to false only if your reverse proxy internally communicates over HTTP. Docs
Type: Bool.
Default:
false
gitlab_ce__rb_nginx_listen_port
Override only if you use a reverse proxy. Docs
Type: Number.
Default:
80
gitlab_ce__rb_nginx_ssl_certificate
Path to the SSL certificate.
Type: String.
Default: unset
gitlab_ce__rb_nginx_ssl_certificate_key
Path to the SSL certificate key.
Type: String.
Default: unset
gitlab_ce__rb_registry_external_url
The URL of the GitLab Container registry.
Type: String.
Default: unset
gitlab_ce__rb_registry_nginx_enable
Set this to true to enable the GitLab Container Registry.
Type: Bool.
Default: unset
gitlab_ce__rb_registry_nginx_listen_https
Set this to false only if your reverse proxy internally communicates over HTTP. Docs
Type: Bool.
Default:
false
gitlab_ce__rb_registry_nginx_listen_port
The port on which the Container Registry is listening.
Type: Number.
Default:
5050
gitlab_ce__rb_registry_nginx_proxy_set_headers
Nginx headers for the Container Registry.
Type: Dictionary.
Default:
{'X-Forwarded-Proto': 'https', 'X-Forwarded-Ssl': 'on'}
gitlab_ce__version
The GitLab version to install. This is useful when restoring from a backup. When unset, the latest available version is used.
Type: String.
Default: unset
Example (GitLab running on port 80 behind a reverse proxy, offering Google Authentication, with Matomo integration, plus running a registry):
# optional
gitlab_ce__on_calendar: '*:0/15' # every 15 minutes
gitlab_ce__rb_git_data_dirs_default_path: '/data/gitlab/git-data'
gitlab_ce__rb_gitlab_rails_backup_keep_time: 86400
gitlab_ce__rb_gitlab_rails_backup_path: '/backup/gitlab'
gitlab_ce__rb_gitlab_rails_gitlab_email_display_name: 'My GitLab'
gitlab_ce__rb_gitlab_rails_gitlab_email_from: 'vcs@example.com'
gitlab_ce__rb_gitlab_rails_gitlab_email_reply_to: 'no-reply@example.com'
gitlab_ce__rb_gitlab_rails_gitlab_default_projects_features_builds: false
gitlab_ce__rb_gitlab_rails_gitlab_default_projects_features_container_registry: false
gitlab_ce__rb_gitlab_rails_gitlab_default_projects_features_issues: true
gitlab_ce__rb_gitlab_rails_gitlab_default_projects_features_merge_requests: true
gitlab_ce__rb_gitlab_rails_gitlab_default_projects_features_snippets: false
gitlab_ce__rb_gitlab_rails_gitlab_default_projects_features_wiki: false
gitlab_ce__rb_gitlab_rails_extra_matomo_site_id: '4711'
gitlab_ce__rb_gitlab_rails_extra_matomo_url: 'analytics.example.com/'
gitlab_ce__rb_gitlab_rails_ldap_enabled: true
gitlab_ce__rb_gitlab_rails_ldap_servers:
  main:
    label: 'LDAP'
    host: 'ldap.example.com'
    port: 636
    uid: 'sAMAccountName'
    bind_dn: 'CN=Gitlab,OU=Users,DC=example,DC=com'
    password: '<bind_user_password>'
    encryption: 'simple_tls'
    verify_certificates: true
    timeout: 10
    active_directory: false
    user_filter: '(employeeType=developer)'
    base: 'dc=example,dc=com'
    lowercase_usernames: false
    retry_empty_result_with_codes: [80]
    allow_username_or_email_login: false
    block_auto_created_users: false
gitlab_ce__rb_gitlab_rails_omniauth_allow_single_sign_on:
  - 'google_oauth2'
gitlab_ce__rb_gitlab_rails_omniauth_auto_link_ldap_user: false
gitlab_ce__rb_gitlab_rails_omniauth_block_auto_created_users: false
gitlab_ce__rb_gitlab_rails_omniauth_enabled: true
gitlab_ce__rb_gitlab_rails_omniauth_external_providers:
  - 'google_oauth2'
gitlab_ce__rb_gitlab_rails_omniauth_providers:
  - name: 'google_oauth2'
    app_id: '1095d5c3-8428-44df-89fb-cb0a77ec363f.apps.googleusercontent.com'
    app_secret: '45d85464-bc66-4236-9931-c42394f5d08e'
gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_bantime: 3600
gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_enabled: true
gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_findtime: 60
gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_ip_whitelist:
  - '127.0.0.1'
gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_maxretry: 10
gitlab_ce__rb_gitlab_rails_time_zone: 'Europe/Zurich'
gitlab_ce__rb_letsencrypt_enable: false
gitlab_ce__rb_nginx_listen_port: '80'
gitlab_ce__rb_nginx_ssl_certificate: '/etc/pki/tls/certs/git.example.com.crt'
gitlab_ce__rb_nginx_ssl_certificate_key: '/etc/pki/tls/private/git.example.com.key'
gitlab_ce__rb_registry_external_url: 'https://registry.example.com'
gitlab_ce__rb_registry_nginx_enable: true
gitlab_ce__rb_registry_nginx_listen_https: false
gitlab_ce__rb_registry_nginx_listen_port: 5050
gitlab_ce__rb_registry_nginx_proxy_set_headers:
  'X-Forwarded-Proto': 'https'
  'X-Forwarded-Ssl': 'on'
gitlab_ce__version: '14.8.2'
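
How the gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_* values (maxretry, findtime, bantime, ip_whitelist) interact, as an added example that is not part of the role or of GitLab. It is a simplified model built from the variable descriptions above; the class and function names are hypothetical, the sample traffic is constructed, and it assumes the counter window opens at an IP's first failed attempt and that the attempt reaching maxretry triggers the ban.

```python
from dataclasses import dataclass, field

@dataclass
class GitBasicAuthThrottle:
    """Hypothetical model; field defaults are the role defaults listed above."""
    maxretry: int = 10
    findtime: int = 60       # seconds
    bantime: int = 3600      # seconds
    ip_whitelist: tuple = ("127.0.0.1",)
    window: dict = field(default_factory=dict)        # ip -> (start, failures)
    banned_until: dict = field(default_factory=dict)  # ip -> unban timestamp

    def failed_auth(self, ip, now):
        """Record one failed Git HTTP auth attempt and return the IP's state."""
        if ip in self.ip_whitelist:
            return "whitelisted"
        if self.banned_until.get(ip, 0) > now:
            return "banned"
        start, count = self.window.get(ip, (now, 0))
        if now - start >= self.findtime:
            start, count = now, 0          # counter expired: start a new window
        count += 1
        # Assumption: the attempt that reaches maxretry triggers the ban.
        if count >= self.maxretry:
            self.banned_until[ip] = now + self.bantime
            self.window.pop(ip, None)
            return "banned"
        self.window[ip] = (start, count)
        return "counted"

def replay(events, **settings):
    """Replay (timestamp, ip) failures; return {ip: timestamp of first ban}."""
    throttle = GitBasicAuthThrottle(**settings)
    first_ban = {}
    for ts, ip in sorted(events):
        if throttle.failed_auth(ip, ts) == "banned":
            first_ban.setdefault(ip, ts)
    return first_ban

# Constructed sample traffic (documentation address ranges, not real logs).
BURST = [(t, "203.0.113.7") for t in range(0, 20, 2)]     # 10 failures in 18 s
STEADY = [(t, "198.51.100.9") for t in range(0, 700, 7)]  # one failure per 7 s
LOCAL = [(t, "127.0.0.1") for t in range(50)]             # whitelisted address

if __name__ == "__main__":
    print(replay(BURST + STEADY + LOCAL))   # role defaults
    print(replay(STEADY, findtime=300))     # longer counting window
```

In this model the defaults ban only the burst source; the steady source is counted but never reaches maxretry within one findtime window, which is the case to weigh when choosing findtime and maxretry for an exposed instance.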