Ansible Role gitlab_ce

This role installs and configures GitLab CE, including regular backups. After installation, the password for the first user „root“ can be found in /etc/gitlab/initial_root_password.

Mandatory Requirements

If you use the gitlab_ce Playbook, this is automatically done for you.

Tags

Tag

What it does

gitlab_ce

* install tar gitlab-ce
* mkdir -p /backup/gitlab
* Deploy /etc/systemd/system/gitlab-dump.service
* Deploy /etc/systemd/system/gitlab-dump.timer
* systemctl enable gitlab-dump.timer --now
* Deploy /etc/gitlab/gitlab.rb
* gitlab-ctl reconfigure
* gitlab-ctl restart

gitlab_ce:configure

Same as above, but without install.

Mandatory Role Variables

Variable

Description

gitlab_ce__rb_external_url

The URL of your GitLab instance. Currently, only http:// is supported by this role. If running behind a reverse proxy or on a trusted network, this is good enough.

Example:

# mandatory
gitlab_ce__rb_external_url: 'http://git.example.com'

Optional Role Variables

Variable

Description

Default Value

gitlab_ce__on_calendar

The OnCalendar definition for the GitLab Backup. Have a look at man systemd.time(7) for the format.

'*-*-* 23:{{ 59 | random(seed=inventory_hostname) }}'

gitlab_ce__rb_git_data_dirs_default_path

For setting up different data storing directory. If missing, the directory will be created by GitLab. If you want to use a single non-default directory to store git data use a path that doesn’t contain symlinks. Docs

unset

gitlab_ce__rb_gitlab_rails_backup_keep_time

The duration in seconds to keep backups before they are allowed to be deleted

86400 (24h)

gitlab_ce__rb_gitlab_rails_backup_path

Backup Settings. Docs

'/backup/gitlab'

gitlab_ce__rb_gitlab_rails_extra_matomo_site_id

Extra customization for Matomo

unset

gitlab_ce__rb_gitlab_rails_extra_matomo_url

Extra customization for Matomo

unset

gitlab_ce__rb_gitlab_rails_gitlab_email_display_name

'GitLab@{{ inventory_hostname }}'

gitlab_ce__rb_gitlab_rails_gitlab_email_from

If your SMTP server does not like the default ‚From: gitlab@gitlab.example.com‘, you can change the ‚From‘ with this setting.

'{{ mailto_root__from | d("") }}'

gitlab_ce__rb_gitlab_rails_omniauth_allow_single_sign_on

OmniAuth Settings. Docs

unset

gitlab_ce__rb_gitlab_rails_omniauth_auto_link_ldap_user

OmniAuth Settings. Docs

unset

gitlab_ce__rb_gitlab_rails_omniauth_block_auto_created_users

OmniAuth Settings. Docs

unset

gitlab_ce__rb_gitlab_rails_omniauth_enabled

OmniAuth Settings. Docs

unset

gitlab_ce__rb_gitlab_rails_omniauth_external_providers

OmniAuth Settings. Docs

unset

gitlab_ce__rb_gitlab_rails_omniauth_providers

OmniAuth Settings. Docs

unset

gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_bantime

Ban an IP for x seconds after too many auth attempts

3600 (1h)

gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_enabled

true

gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_findtime

Reset the auth attempt counter per IP after x seconds

60

gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_ip_whitelist

['127.0.0.1']

gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_maxretry

Limit the number of Git HTTP authentication attempts per IP

10

gitlab_ce__rb_gitlab_rails_time_zone

Docs

'Europe/Zurich'

gitlab_ce__rb_letsencrypt_enable

If GitLab should manage Let’s Encrypt certificates itself

false

gitlab_ce__rb_nginx_listen_https

Set this to false only if your reverse proxy internally communicates over HTTP. Docs

false

gitlab_ce__rb_nginx_listen_port

Override only if you use a reverse proxy. Docs

80

`gitlab_ce__rb_nginx_ssl_certificate_key``

Path to the SSL certificate key.

unset

`gitlab_ce__rb_nginx_ssl_certificate``

Path to the SSL certificate.

unset

gitlab_ce__rb_registry_external_url

The URL of the GitLab Container registry.

unset

gitlab_ce__rb_registry_nginx_enable

Set this to true to enable the GitLab Container Registry.

unset

gitlab_ce__rb_registry_nginx_listen_https

Set this to false only if your reverse proxy internally communicates over HTTP. Docs

false

gitlab_ce__rb_registry_nginx_listen_port

The port on which the Container Registry is listening.

5050

gitlab_ce__rb_registry_nginx_proxy_set_headers

Nginx headers for the Container Registry.

{'X-Forwarded-Proto': 'https', 'X-Forwarded-Ssl': 'on'}

gitlab_ce__version

The GitLab version to install. This is useful when restoring from a backup. When unset, the latest available version is used.

unset

Example (GitLab running on port 80 behind a reverse proxy, offering Google Authentication, with Matomo integration, plus running a registry):

# optional
gitlab_ce__on_calendar: '*:0/15'  # every 15 minutes

gitlab_ce__rb_git_data_dirs_default_path: '/data/gitlab/git-data'

gitlab_ce__rb_gitlab_rails_backup_keep_time: 86400
gitlab_ce__rb_gitlab_rails_backup_path: '/backup/gitlab'

gitlab_ce__rb_gitlab_rails_gitlab_email_display_name: 'My GitLab'
gitlab_ce__rb_gitlab_rails_gitlab_email_from: 'noreply@example.com'

gitlab_ce__rb_gitlab_rails_extra_matomo_site_id: '4711'
gitlab_ce__rb_gitlab_rails_extra_matomo_url: 'analytics.example.com/'

gitlab_ce__rb_gitlab_rails_omniauth_allow_single_sign_on:
  - 'google_oauth2'
gitlab_ce__rb_gitlab_rails_omniauth_auto_link_ldap_user: false
gitlab_ce__rb_gitlab_rails_omniauth_block_auto_created_users: false
gitlab_ce__rb_gitlab_rails_omniauth_enabled: true
gitlab_ce__rb_gitlab_rails_omniauth_external_providers:
  - 'google_oauth2'
gitlab_ce__rb_gitlab_rails_omniauth_providers:
  - name: 'google_oauth2'
    app_id: '1095d5c3-8428-44df-89fb-cb0a77ec363f.apps.googleusercontent.com'
    app_secret: '45d85464-bc66-4236-9931-c42394f5d08e'

gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_bantime: 3600
gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_enabled: true
gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_findtime: 60
gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_ip_whitelist:
  - '127.0.0.1'
gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_maxretry: 10

gitlab_ce__rb_gitlab_rails_time_zone: 'Europe/Zurich'

gitlab_ce__rb_letsencrypt_enable: false

gitlab_ce__rb_nginx_listen_port: '80'
gitlab_ce__rb_nginx_ssl_certificate: '/etc/pki/tls/certs/git.example.com.crt'
gitlab_ce__rb_nginx_ssl_certificate_key: '/etc/pki/tls/private/git.example.com.key'
gitlab_ce__rb_registry_external_url: 'https://registry.example.com'
gitlab_ce__rb_registry_nginx_enable: true
gitlab_ce__rb_registry_nginx_listen_https: false
gitlab_ce__rb_registry_nginx_listen_port: 5050
gitlab_ce__rb_registry_nginx_proxy_set_headers:
  'X-Forwarded-Proto': 'https'
  'X-Forwarded-Ssl': 'on'

gitlab_ce__version: '14.8.2'

License

The Unlicense

Author Information

Linuxfabrik GmbH, Zurich