Commit 6aa57bd7 authored by David Nowell's avatar David Nowell
Browse files

Initial commit

parent 4995d56b
# gitlab-role
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
---
# defaults file for sample-app-role
\ No newline at end of file
# Managed by Ansible
%gitadmin ALL=(ALL) ALL
[default]
region = us-east-2
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>container-reg</short>
<description>Container Registry</description>
<port protocol="tcp" port="4567"/>
</service>
# Ansible - Run daily backups at 2 AM
0 2 * * * root /opt/gitlab/bin/gitlab-rake gitlab:backup:create CRON=1 > /var/log/gitlab/gitback.out 2> /var/log/gitlab/gitback.err
# This part backs up config files
0 3 * * * root /usr/local/bin/gitbackup.sh >> /var/log/gitlab/gitback.out 2>> /var/log/gitlab/gitback.err
#!/bin/bash
DATE=`date +%Y%m%d`
cd /etc/gitlab
tar -cf /tmp/gitback-config.${DATE}.tar .
aws s3 cp /tmp/gitback-config.${DATE}.tar s3://umich-vdc-gitlab
cd /etc/ssh/
tar -cf /tmp/gitback-sshkeys.${DATE}.tar ssh_host*
aws s3 cp /tmp/gitback-sshkeys.${DATE}.tar s3://umich-vdc-gitlab
aws s3 cp /root/.ssh/authorized_keys s3://umich-vdc-gitlab/authorized_keys.${DATE}
command[check_gitlab]=/usr/lib64/nagios/plugins/check_procs -c 1:1 -C runsv -a 'gitlab-workhorse'
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="http"/>
<service name="https"/>
</zone>
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>umich</short>
<description>This is everything but M-Guest. Use Security Group for more granular rules, this is just a fallback in case someone makes a mistake at that level</description>
<source address="10.0.0.0/8"/>
<source address="35.1.0.0/16"/>
<source address="35.2.0.0/16"/>
<source address="35.3.0.0/16"/>
<source address="67.194.0.0/16"/>
<source address="141.211.0.0/16"/>
<source address="141.212.0.0/16"/>
<source address="141.213.0.0/17"/>
<source address="141.213.128.0/17"/>
<source address="141.214.0.0/16"/>
<source address="141.215.0.0/16"/>
<source address="141.216.0.0/16"/>
<source address="192.12.80.0/24"/>
<source address="192.231.253.0/24"/>
<source address="198.108.200.0/22"/>
<source address="198.110.84.0/24"/>
<source address="198.111.224.0/22"/>
<source address="198.111.181.0/25"/>
<source address="207.75.144.0/20"/>
<source address="67.194.176.0/22"/>
<source address="67.194.192.0/20"/>
<source address="198.108.0.0/16"/>
<service name="container-reg"/>
<service name="nrpe"/>
<service name="ssh"/>
<rule family="ipv4">
<source address="10.0.8.0/23"/>
<accept/>
</rule>
</zone>
---
# handlers file for sample-app-role
- name: Reconfigure Gitlab
command: gitlab-ctl reconfigure
- name: Restart Gitlab
command: gitlab-ctl restart
- name: Restart NRPE
command: systemctl restart nrpe.service
galaxy_info:
author: your name
description: your description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Some suggested licenses:
# - BSD (default)
# - MIT
# - GPLv2
# - GPLv3
# - Apache
# - CC-BY
license: license (GPLv2, CC-BY, etc)
min_ansible_version: 1.2
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
# Optionally specify the branch Galaxy will use when accessing the GitHub
# repo for this role. During role install, if no tags are available,
# Galaxy will use this branch. During import Galaxy will access files on
# this branch. If Travis integration is configured, only notifications for this
# branch will be accepted. Otherwise, in all cases, the repo's default branch
# (usually master) will be used.
#github_branch:
#
# platforms is a list of platforms, and each platform has a name and a list of versions.
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
\ No newline at end of file
---
# tasks file for sample-app-role
- name: Install LVM
yum:
name: lvm2
state: present
- name: Create VG
lvg:
vg: uservg00
pvs: "{{ device_name | regex_replace('sd','xvd') }}"
- name: Create lv-varlog-gitlab
lvol:
vg: uservg00
lv: lv-varlog-gitlab
size: 3g
- name: Create filesystem /var/log/gitlab
filesystem:
fstype: xfs
dev: /dev/uservg00/lv-varlog-gitlab
- name: Create mount point for /var/log/gitlab
file:
path: /var/log/gitlab
state: directory
- name: Mount filesystem /var/log/gitlab
mount:
fstype: xfs
path: /var/log/gitlab
src: /dev/uservg00/lv-varlog-gitlab
state: mounted
- name: Create lv-varopt-gitlab
lvol:
vg: uservg00
lv: lv-varopt-gitlab
size: 8g
- name: Create filesystem /var/opt/gitlab
filesystem:
fstype: xfs
dev: /dev/uservg00/lv-varopt-gitlab
- name: Create mount point for /var/opt/gitlab
file:
path: /var/opt/gitlab
state: directory
- name: Mount /var/opt/gitlab
mount:
fstype: xfs
path: /var/opt/gitlab
src: /dev/uservg00/lv-varopt-gitlab
state: mounted
- name: Create lv-opt-gitlab
lvol:
vg: uservg00
lv: lv-opt-gitlab
size: 8g
- name: Create lv-opt-gitlab
lvol:
vg: uservg00
lv: lv-opt-gitlab
size: 8g
- name: Create filesystem /opt/gitlab
filesystem:
fstype: xfs
dev: /dev/uservg00/lv-opt-gitlab
- name: Create mount point for /opt/gitlab
file:
path: /opt/gitlab
state: directory
- name: Mount /opt/gitlab
mount:
fstype: xfs
path: /opt/gitlab
src: /dev/uservg00/lv-opt-gitlab
state: mounted
- name: Install useful packages
yum:
name: "{{ item }}"
state: present
with_items:
- mailx
- psmisc
- name: Load secret variables
include_vars:
file: vars/secret-vars.yml
- name: Set firewall rules
copy:
src: "{{ item }}"
dest: "/etc/firewalld/zones/{{ item }}"
mode: '644'
owner: root
with_items:
- public.xml
- umich.xml
register: firewall
- name: Container Registry Firewall Service
copy:
src: "{{ item }}"
dest: "/etc/firewalld/services/{{ item }}"
mode: '644'
owner: root
with_items:
- container-reg.xml
- name: Reload Firewalld
service:
name: firewalld
state: reloaded
when: firewall.changed
- name: Check if GitLab configuration file already exists.
stat: path=/etc/gitlab/gitlab.rb
- name: Add Gitlab Repo
yum_repository:
name: gitlab_gitlab-ee
description: GitLab EE Repo
baseurl: https://packages.gitlab.com/gitlab/gitlab-ee/el/7/$basearch
gpgcheck: yes
gpgkey: "https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey\nhttps://packages.gitlab.com/gitlab/gitlab-ee/gpgkey/gitlab-gitlab-ee-3D645A26AB9FBD22.pub.gpg"
enabled: yes
sslcacert: /etc/pki/tls/certs/ca-bundle.crt
sslverify: yes
state: present
- name: Install GitLab GPG Key 1
rpm_key:
key: https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey
state: present
- name: Install GitLab GPG Key 2
rpm_key:
key: https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey/gitlab-gitlab-ee-3D645A26AB9FBD22.pub.gpg
state: present
- name: Install GitLab EE
yum:
name: gitlab-ee
state: present
- name: Git is picky about authorized keys file location - ensure it is in default location
blockinfile:
path: /etc/ssh/sshd_config
block: |
Match User git
AuthorizedKeysFile .ssh/authorized_keys
Banner none
register: gitssh
- name: Restart sshd if changed
service:
name: sshd
state: restarted
enabled: yes
when: gitssh.changed
- name: Create gitadmin group
group:
name: gitadmin
gid: 663663
state: present
- name: Add git user to gitadmin group
user:
name: git
groups: gitadmin
state: present
- name: Grant sudo to gitadmin group
copy:
src: "80-umadmins"
dest: "/etc/sudoers.d/80-umadmins"
mode: '644'
- name: Cron job to backup Gitlab
copy:
src: "gitback-cron"
dest: "/etc/cron.d/gitback"
mode: '644'
- name: Script to backup Git configurations
copy:
src: "gitbackup.sh"
dest: "/usr/local/bin/gitbackup.sh"
mode: '744'
- name: update /etc/gitlab/gitlab.rb
template:
src: "gitlab.rb.j2"
dest: "/etc/gitlab/gitlab.rb"
mode: '600'
owner: "root"
notify:
- Reconfigure Gitlab
- Restart Gitlab
- name: Create /etc/gitlab/ssl
file:
path: "/etc/gitlab/ssl"
state: "directory"
mode: '750'
- name: Copy Gitlab keys
copy:
src: "{{ item }}"
dest: "/etc/gitlab/ssl/{{ item }}"
mode: '640'
with_items:
- "gitlab.aws.vdc.it.umich.edu.key"
- "gitlab.aws.vdc.it.umich.edu.crt"
- name: Create /root/.aws directory
file:
path: "/root/.aws"
state: "directory"
mode: '750'
- name: AWS Config
copy:
src: "aws-config"
dest: "/root/.aws/config"
mode: '600'
- name: AWS Credentials
template:
src: "aws-credentials.j2"
dest: "/root/.aws/credentials"
mode: '600'
owner: "root"
- name: Custom NRPE check
copy:
src: "gitlab-nrpe.cfg"
dest: "/etc/nrpe.d/"
owner: nrpe
group: nrpe
mode: "640"
notify:
- Restart NRPE
# This is how to do a restore (as root). Should also be documented somewhere else:
# gitlab-ctl stop unicorn
# gitlab-ctl stop sidekiq
#
# aws s3 ls umich-vdc-gitlab
#
# aws s3 cp s3://umich-vdc-gitlab/1529568076_2018_06_21_10.8.4-ee_gitlab_backup.tar /var/opt/gitlab/backups/
#
# chown git:git /var/opt/gitlab/backups/*.tar
#
# aws s3 cp s3://umich-vdc-gitlab/gitback-config.20180620.tar /etc/gitlab/
#
# cd /etc/gitlab; tar -xf gitback-config.20180620.tar .
#
# aws s3 cp s3://umich-vdc-gitlab/gitback-ssh-host-keys.20180620.tar /etc/ssh/
#
# cd /etc/ssh; tar -xf gitback-ssh-host-keys.20180620.tar
#
# gitlab-rake gitlab:backup:restore BACKUP=1529568076_2018_06_21_10.8.4-ee force=yes
#
# gitlab-ctl start unicorn
# gitlab-ctl start sidekiq
#
# usermod -G gitadmin git
#
# systemctl restart sshd.service
#
# gitlab-ctl restart
#
# gitlab-rake gitlab:check SANITIZE=true
#
#
[default]
aws_access_key_id = {{ s3_akey }}
aws_secret_access_key = {{ s3_sak }}
This diff is collapsed.
---
- hosts: localhost
remote_user: root
roles:
- sample-app-role
\ No newline at end of file
---
# vars file for sample-app-role
restore: yes
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment