Skip to content

Ansible Role linuxfabrik.lfops.gitlab_ce

This role installs and configures GitLab CE, including regular backups.

  • After installation, the password for the first user "root" can be found in /etc/gitlab/initial_root_password.
  • One of the first steps after that would be to deactivate the registration form: In the left sidebar, select Admin > Settings > General, and expand "Sign-up restrictions". Clear the "Sign-up enabled" checkbox, then select "Save changes" (you can't disable signups without using the UI).

Available since LFOps 2.0.0.

Dependent Roles

Any LFOps playbook that installs this role runs these for you. Optional ones can be disabled via the playbook's skip variables.

Tags

gitlab_ce

  • install tar gitlab-ce
  • mkdir -p /backup/gitlab
  • Deploy /etc/systemd/system/gitlab-dump.service
  • Deploy /etc/systemd/system/gitlab-dump.timer
  • systemctl enable gitlab-dump.timer --now
  • Deploy /etc/gitlab/gitlab.rb
  • gitlab-ctl reconfigure
  • gitlab-ctl restart
  • Triggers: gitlab-ctl restart.

gitlab_ce:configure

  • Same as above, but without install.
  • Triggers: gitlab-ctl restart.

Mandatory Role Variables

gitlab_ce__rb_external_url

  • The URL of your GitLab instance. Currently, only http:// is supported by this role. If running behind a reverse proxy or on a trusted network, this is good enough.
  • Type: String.
  • Default: none

Example:

# mandatory
gitlab_ce__rb_external_url: 'http://git.example.com'

Optional Role Variables

gitlab_ce__on_calendar

  • The OnCalendar definition for the GitLab Backup. Have a look at man systemd.time(7) for the format.
  • Type: String.
  • Default: '*-*-* 23:{{ 59 | random(seed=inventory_hostname) }}'

gitlab_ce__rb_git_data_dirs_default_path

  • For setting up different data storing directory. If missing, the directory will be created by GitLab. If you want to use a single non-default directory to store git data use a path that doesn't contain symlinks. Docs
  • Type: String.
  • Default: unset

gitlab_ce__rb_gitlab_rails_backup_keep_time

  • The duration in seconds to keep backups before they are allowed to be deleted.
  • Type: Number.
  • Default: 86400

gitlab_ce__rb_gitlab_rails_backup_path

  • Backup Settings. Docs
  • Type: String.
  • Default: '/backup/gitlab'

gitlab_ce__rb_gitlab_rails_extra_matomo_site_id

  • Extra customization for Matomo.
  • Type: String.
  • Default: unset

gitlab_ce__rb_gitlab_rails_extra_matomo_url

  • Extra customization for Matomo.
  • Type: String.
  • Default: unset

gitlab_ce__rb_gitlab_rails_gitlab_default_projects_features_builds

  • Whether builds are enabled by default for projects.
  • Type: Bool.
  • Default: true

gitlab_ce__rb_gitlab_rails_gitlab_default_projects_features_container_registry

  • Whether the container registry is enabled by default for projects.
  • Type: Bool.
  • Default: true

gitlab_ce__rb_gitlab_rails_gitlab_default_projects_features_issues

  • Whether issues are enabled by default for projects.
  • Type: Bool.
  • Default: true

gitlab_ce__rb_gitlab_rails_gitlab_default_projects_features_merge_requests

  • Whether merge requests are enabled by default for projects.
  • Type: Bool.
  • Default: true

gitlab_ce__rb_gitlab_rails_gitlab_default_projects_features_snippets

  • Whether snippets are enabled by default for projects.
  • Type: Bool.
  • Default: true

gitlab_ce__rb_gitlab_rails_gitlab_default_projects_features_wiki

  • Whether the wiki feature is enabled by default for projects.
  • Type: Bool.
  • Default: true

gitlab_ce__rb_gitlab_rails_gitlab_email_display_name

  • The display name used in GitLab emails.
  • Type: String.
  • Default: 'GitLab@{{ inventory_hostname }}'

gitlab_ce__rb_gitlab_rails_gitlab_email_from

  • If your SMTP server does not like the default 'From: gitlab@gitlab.example.com', you can change the 'From' with this setting.
  • Type: String.
  • Default: '{{ mailto_root__from | d("") }}'

gitlab_ce__rb_gitlab_rails_gitlab_email_reply_to

  • The 'Reply To' address for emails if it differs from the 'From' address.
  • Type: String.
  • Default: unset

gitlab_ce__rb_gitlab_rails_ldap_enabled

  • Whether the LDAP integration is enabled. Docs
  • Type: Bool.
  • Default: false

gitlab_ce__rb_gitlab_rails_ldap_servers

  • LDAP configuration for one or more servers. Docs
  • Type: Dictionary.
  • Default: unset

gitlab_ce__rb_gitlab_rails_omniauth_allow_single_sign_on

  • OmniAuth Settings. Docs
  • Type: List.
  • Default: unset

gitlab_ce__rb_gitlab_rails_omniauth_auto_link_ldap_user

  • OmniAuth Settings. Docs
  • Type: Bool.
  • Default: unset

gitlab_ce__rb_gitlab_rails_omniauth_block_auto_created_users

  • OmniAuth Settings. Docs
  • Type: Bool.
  • Default: unset

gitlab_ce__rb_gitlab_rails_omniauth_enabled

  • OmniAuth Settings. Docs
  • Type: Bool.
  • Default: unset

gitlab_ce__rb_gitlab_rails_omniauth_external_providers

  • OmniAuth Settings. Docs
  • Type: List.
  • Default: unset

gitlab_ce__rb_gitlab_rails_omniauth_providers

  • OmniAuth Settings. Docs
  • Type: List of dictionaries.
  • Default: unset

gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_bantime

  • Ban an IP for x seconds after too many auth attempts.
  • Type: Number.
  • Default: 3600

gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_enabled

  • Whether rack attack for Git basic auth is enabled.
  • Type: Bool.
  • Default: true

gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_findtime

  • Reset the auth attempt counter per IP after x seconds.
  • Type: Number.
  • Default: 60

gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_ip_whitelist

  • List of IP addresses to whitelist from rack attack.
  • Type: List.
  • Default: ['127.0.0.1']

gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_maxretry

  • Limit the number of Git HTTP authentication attempts per IP.
  • Type: Number.
  • Default: 10

gitlab_ce__rb_gitlab_rails_time_zone

  • The time zone for GitLab. Docs
  • Type: String.
  • Default: 'Europe/Zurich'

gitlab_ce__rb_gitlab_rails_uploads_directory

  • For setting up a different storage directory for uploads. If missing, the directory will be created by GitLab. Docs
  • Type: String.
  • Default: '/var/opt/gitlab/gitlab-rails/uploads'

gitlab_ce__rb_letsencrypt_enable

  • If GitLab should manage Let's Encrypt certificates itself.
  • Type: Bool.
  • Default: false

gitlab_ce__rb_nginx_listen_https

  • Set this to false only if your reverse proxy internally communicates over HTTP. Docs
  • Type: Bool.
  • Default: false

gitlab_ce__rb_nginx_listen_port

  • Override only if you use a reverse proxy. Docs
  • Type: Number.
  • Default: 80

gitlab_ce__rb_nginx_ssl_certificate

  • Path to the SSL certificate.
  • Type: String.
  • Default: unset

gitlab_ce__rb_nginx_ssl_certificate_key

  • Path to the SSL certificate key.
  • Type: String.
  • Default: unset

gitlab_ce__rb_registry_external_url

  • The URL of the GitLab Container registry.
  • Type: String.
  • Default: unset

gitlab_ce__rb_registry_nginx_enable

  • Set this to true to enable the GitLab Container Registry.
  • Type: Bool.
  • Default: unset

gitlab_ce__rb_registry_nginx_listen_https

  • Set this to false only if your reverse proxy internally communicates over HTTP. Docs
  • Type: Bool.
  • Default: false

gitlab_ce__rb_registry_nginx_listen_port

  • The port on which the Container Registry is listening.
  • Type: Number.
  • Default: 5050

gitlab_ce__rb_registry_nginx_proxy_set_headers

  • Nginx headers for the Container Registry.
  • Type: Dictionary.
  • Default: {'X-Forwarded-Proto': 'https', 'X-Forwarded-Ssl': 'on'}

gitlab_ce__version

  • The GitLab version to install. This is useful when restoring from a backup. When unset, the latest available version is used.
  • Type: String.
  • Default: unset

Example (GitLab running on port 80 behind a reverse proxy, offering Google Authentication, with Matomo integration, plus running a registry):

# optional
gitlab_ce__on_calendar: '*:0/15'  # every 15 minutes

gitlab_ce__rb_git_data_dirs_default_path: '/data/gitlab/git-data'

gitlab_ce__rb_gitlab_rails_backup_keep_time: 86400
gitlab_ce__rb_gitlab_rails_backup_path: '/backup/gitlab'

gitlab_ce__rb_gitlab_rails_gitlab_email_display_name: 'My GitLab'
gitlab_ce__rb_gitlab_rails_gitlab_email_from: 'vcs@example.com'
gitlab_ce__rb_gitlab_rails_gitlab_email_reply_to: 'no-reply@example.com'

gitlab_ce__rb_gitlab_rails_gitlab_default_projects_features_builds: false
gitlab_ce__rb_gitlab_rails_gitlab_default_projects_features_container_registry: false
gitlab_ce__rb_gitlab_rails_gitlab_default_projects_features_issues: true
gitlab_ce__rb_gitlab_rails_gitlab_default_projects_features_merge_requests: true
gitlab_ce__rb_gitlab_rails_gitlab_default_projects_features_snippets: false
gitlab_ce__rb_gitlab_rails_gitlab_default_projects_features_wiki: false

gitlab_ce__rb_gitlab_rails_extra_matomo_site_id: '4711'
gitlab_ce__rb_gitlab_rails_extra_matomo_url: 'analytics.example.com/'

gitlab_ce__rb_gitlab_rails_ldap_enabled: true
gitlab_ce__rb_gitlab_rails_ldap_servers:
  main:
    label: 'LDAP'
    host: 'ldap.example.com'
    port: 636
    uid: 'sAMAccountName'
    bind_dn: 'CN=Gitlab,OU=Users,DC=example,DC=com'
    password: '<bind_user_password>'
    encryption: 'simple_tls'
    verify_certificates: true
    timeout: 10
    active_directory: false
    user_filter: '(employeeType=developer)'
    base: 'dc=example,dc=com'
    lowercase_usernames: false
    retry_empty_result_with_codes: [80]
    allow_username_or_email_login: false
    block_auto_created_users: false

gitlab_ce__rb_gitlab_rails_omniauth_allow_single_sign_on:
  - 'google_oauth2'
gitlab_ce__rb_gitlab_rails_omniauth_auto_link_ldap_user: false
gitlab_ce__rb_gitlab_rails_omniauth_block_auto_created_users: false
gitlab_ce__rb_gitlab_rails_omniauth_enabled: true
gitlab_ce__rb_gitlab_rails_omniauth_external_providers:
  - 'google_oauth2'
gitlab_ce__rb_gitlab_rails_omniauth_providers:
  - name: 'google_oauth2'
    app_id: '1095d5c3-8428-44df-89fb-cb0a77ec363f.apps.googleusercontent.com'
    app_secret: '45d85464-bc66-4236-9931-c42394f5d08e'

gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_bantime: 3600
gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_enabled: true
gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_findtime: 60
gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_ip_whitelist:
  - '127.0.0.1'
gitlab_ce__rb_gitlab_rails_rack_attack_git_basic_auth_maxretry: 10

gitlab_ce__rb_gitlab_rails_time_zone: 'Europe/Zurich'

gitlab_ce__rb_letsencrypt_enable: false

gitlab_ce__rb_nginx_listen_port: '80'
gitlab_ce__rb_nginx_ssl_certificate: '/etc/pki/tls/certs/git.example.com.crt'
gitlab_ce__rb_nginx_ssl_certificate_key: '/etc/pki/tls/private/git.example.com.key'
gitlab_ce__rb_registry_external_url: 'https://registry.example.com'
gitlab_ce__rb_registry_nginx_enable: true
gitlab_ce__rb_registry_nginx_listen_https: false
gitlab_ce__rb_registry_nginx_listen_port: 5050
gitlab_ce__rb_registry_nginx_proxy_set_headers:
  'X-Forwarded-Proto': 'https'
  'X-Forwarded-Ssl': 'on'

gitlab_ce__version: '14.8.2'

License

The Unlicense

Author Information

Linuxfabrik GmbH, Zurich