Commit be43d3d5 authored by Nicolas Joyard's avatar Nicolas Joyard

Update gitlab + ajout mattermost

parent e8e8d52b
......@@ -95,9 +95,11 @@ Installe des paquets utiles et crée un groupe commun 'rcapps'.
*Dépend de : apache, postgresql*
Installe gitlab et configure un reverse-proxy apache pour y accéder avec un vhost.
Installe Gitlab Community Edition et configure un reverse-proxy apache pour y accéder avec un vhost.
**Attention** : après la première exécution de ce rôle sur une cible, accéder immédiatement à l'interface Web de gitlab pour définir le compte admin.
**Attention** : après la première exécution de ce rôle sur une cible, accéder immédiatement à l'interface Web de gitlab pour définir le mot de passe du compte admin.
Ce rôle permet aussi l'installation de `gitlab-ci-multi-runner`. Pour ce faire, il faut exécuter le rôle une première fois pour installer Gitlab, accéder à l'administration via l'interface web pour obtenir le token de connexion, puis exécuter à nouveau le rôle en définissant la variable `gitlab_ci_token`.
*Variables :*
......@@ -106,6 +108,10 @@ Installe gitlab et configure un reverse-proxy apache pour y accéder avec un vho
* `gitlab_ssl_cert` (non défini) : chemin *distant* vers le certificat SSL à utiliser ; s'il est indéfini, SSL ne sera pas activé sur le vhost
* `gitlab_ssl_chain` (non défini) : chemin *distant* vers la chaine de certificats à utiliser
* `gitlab_ssl_key` (non défini) : chemin *distant* vers la clé privée serveur pour le certificat SSL
* `gitlab_storage` (`/var/lib/git`) : chemin de stockage des dépôts Git
* `gitlab_ci_token` (non défini) : token de connexion des runners CI
* `gitlab_ci_build_dir` (`/var/lib/gitlab-ci/build`) : chemin de stockage des builds gitlab-ci
* `gitlab_ci_cache_dir` (`/var/cache/gitlab-ci/build`) : chemin de stockage du cache des builds gitlab-ci
### munin-master
......
......@@ -7,6 +7,20 @@ gitlab_storage: /var/lib/git
# gitlab_github_app_id: abcdef123
# gitlab_github_app_secret: abcdef123
# gogs_ssl_cert: /remote/path/to/cert
# gogs_ssl_chain: /remote/path/to/chain (optional)
# gogs_ssl_key: /remote/path/to/key
# gitlab_ssl_cert: /remote/path/to/cert
# gitlab_ssl_chain: /remote/path/to/chain (optional)
# gitlab_ssl_key: /remote/path/to/key
# gitlab_ci_token: abcdef123456
gitlab_ci_build_dir: /var/lib/gitlab-ci/build
gitlab_ci_cache_dir: /var/cache/gitlab-ci/build
gitlab_mattermost_domain: mm.regardscitoyens.org
gitlab_mattermost_port: 8065
# gitlab_mattermost_app_id: abcdef123
# gitlab_mattermost_app_secret: abcdef123
# gitlab_mattermost_ssl_cert: /remote/path/to/cert
# gitlab_mattermost_ssl_chain: /remote/path/to/chain (optional)
# gitlab_mattermost_ssl_key: /remote/path/to/key
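Review bot: The new `gitlab_mattermost_*` variables are not described in the README's *Variables* list, which this commit extends only with the `gitlab_ci_*` entries; add one line per variable in the same format, e.g. `* gitlab_mattermost_domain (mm.regardscitoyens.org) : nom de domaine du vhost Mattermost`, and likewise for `gitlab_mattermost_port`, `gitlab_mattermost_app_id` / `gitlab_mattermost_app_secret` and the three `gitlab_mattermost_ssl_*` chemins, noting for the cert one that SSL is not enabled on the vhost when it is undefined, as the tasks do. `mm.regardscitoyens.org` is an organisation-specific value shipped as a role default; it is better set per inventory, with the default commented out like the app id and secret above it.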
Explanation: Prefer GitLab provided packages over the Debian native ones
Package: gitlab-ci-multi-runner
Pin: origin packages.gitlab.com
Pin-Priority: 1001
......@@ -11,27 +11,45 @@
- debian-archive-keyring
- apt-transport-https
- name: Installation clé GPG apt Gitlab
- name: Installation clés GPG apt Gitlab
apt_key:
url: https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey
url: "{{ item }}"
state: present
with_items:
- "https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey"
- "https://packages.gitlab.com/runner/gitlab-ci-multi-runner/gpgkey"
- name: Installation repo apt Gitlab
- name: Installation repos apt Gitlab
apt_repository:
repo: 'deb https://packages.gitlab.com/gitlab/gitlab-ce/debian/ jessie main'
repo: 'deb {{ item }} jessie main'
state: present
update_cache: yes
with_items:
- "https://packages.gitlab.com/gitlab/gitlab-ce/debian/"
- "https://packages.gitlab.com/runner/gitlab-ci-multi-runner/debian/"
- name: Pinning apt pour gitlab-ci-multi-runner
copy:
src: etc_apt_preferences.d_pin-gitlab-runner.pref
dest: /etc/apt/preferences.d/pin-gitlab-runner.pref
- name: Installation gitlab
apt:
name: gitlab-ce
name: "{{ item }}"
state: present
with_items:
- gitlab-ce
- gitlab-ci-multi-runner
- name: Création répertoire stockage
- name: Création répertoires stockage
file:
dest: '{{ gitlab_storage }}'
dest: '{{ item }}'
state: directory
owner: git
with_items:
- '{{ gitlab_storage }}'
- '{{ gitlab_ci_build_dir }}'
- '{{ gitlab_ci_cache_dir }}'
- name: Modification fichier de configuration
lineinfile:
......@@ -44,6 +62,18 @@
- { regexp: "^gitlab_workhorse\\['listen_network'", line: "gitlab_workhorse['listen_network'] = 'tcp'" }
- { regexp: "^gitlab_workhorse\\['listen_addr'", line: "gitlab_workhorse['listen_addr'] = '127.0.0.1:{{ gitlab_port }}'" }
- { regexp: "^git_data_dirs", line: "git_data_dirs({'default' => '{{ gitlab_storage }}'})" }
- { regexp: "^mattermost\\['enable", line: "mattermost['enable'] = true" }
- { regexp: "^mattermost_nginx\\['enable", line: "mattermost_nginx['enable'] = false" }
- { regexp: "^mattermost\\['gitlab_enable'", line: "mattermost['gitlab_enable'] = true" }
- { regexp: "^mattermost\\['gitlab_id'", line: "mattermost['gitlab_id'] = '{{ gitlab_mattermost_app_id }}'" }
- { regexp: "^mattermost\\['gitlab_secret'", line: "mattermost['gitlab_secret'] = '{{ gitlab_mattermost_app_secret }}'" }
- { regexp: "^mattermost\\['gitlab_scope'", line: "mattermost['gitlab_scope'] = ''" }
- { regexp: "^mattermost\\['gitlab_auth_endpoint'", line: "mattermost['gitlab_auth_endpoint'] = 'https://{{ gitlab_domain }}/oauth/authorize'" }
- { regexp: "^mattermost\\['gitlab_token_endpoint'", line: "mattermost['gitlab_token_endpoint'] = 'https://{{ gitlab_domain }}/oauth/token'" }
- { regexp: "^mattermost\\['gitlab_user_api_endpoint'", line: "mattermost['gitlab_user_api_endpoint'] = 'https://{{ gitlab_domain }}/api/v3/user'" }
- { regexp: "^mattermost\\['email_enable_sign_up_with_email", line: "mattermost['email_enable_sign_up_with_email'] = false" }
- { regexp: "^mattermost\\['service_site_url'", line: "mattermost['service_site_url'] = 'https://mm.regardscitoyens.org'" }
- { regexp: "^mattermost\\['service_use_ssl'", line: "mattermost['service_use_ssl'] = true" }
- name: Modification URL externe
lineinfile:
......@@ -63,6 +93,24 @@
- { regexp: "^external_url ", line: "external_url 'http://{{ gitlab_domain }}'"}
when: gitlab_ssl_cert is not defined
- name: Modification URL externe (mattermost)
lineinfile:
dest: /etc/gitlab/gitlab.rb
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
with_items:
- { regexp: "^mattermost_external_url ", line: "mattermost_external_url 'https://{{ gitlab_mattermost_domain }}'"}
when: gitlab_mattermost_ssl_cert is defined
- name: Modification URL externe (mattermost)
lineinfile:
dest: /etc/gitlab/gitlab.rb
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
with_items:
- { regexp: "^mattermost_external_url ", line: "mattermost_external_url 'http://{{ gitlab_mattermost_domain }}'"}
when: gitlab_mattermost_ssl_cert is not defined
- name: Configuration provider github
lineinfile:
dest: /etc/gitlab/gitlab.rb
......@@ -105,7 +153,39 @@
notify:
- reload apache
- name: Création config vhost apache SSL (mattermost)
template:
src: etc_apache2_sites-available_017-gitlab-mm-ssl.conf.j2
dest: /etc/apache2/sites-available/017-gitlab-mm.conf
notify:
- reload apache
when: gitlab_mattermost_ssl_cert is defined
- name: Création config vhost apache (mattermost)
template:
src: etc_apache2_sites-available_017-gitlab-mm-nossl.conf.j2
dest: /etc/apache2/sites-available/017-gitlab-mm.conf
notify:
- reload apache
when: gitlab_mattermost_ssl_cert is not defined
- name: Création lien config vhost apache (mattermost)
file:
src: /etc/apache2/sites-available/017-gitlab-mm.conf
path: /etc/apache2/sites-enabled/017-gitlab-mm.conf
state: link
notify:
- reload apache
- name: Ajout user git au groupe ssh
user:
name: git
groups: ssh
- name: Enregistrement multi runner
shell:
cmd: 'gitlab-ci-multi-runner register --non-interactive --name multi-runner --url {{ (gitlab_ssl_cert is defined) | ternary("https","http") }}://{{ gitlab_domain }} --registration-token {{ gitlab_ci_token }} --executor shell --build-dir {{ gitlab_ci_build_dir }} --cache-dir {{ gitlab_ci_cache_dir }}'
become: yes
become_user: root
when: gitlab_ci_token is defined
failed_when: no
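Review bot: The runner registration token is interpolated into the command line of the `Enregistrement multi runner` task, so it shows up in the Ansible task output and, while the command runs, in the process list on the target; add `no_log: true` to that task, and to the `Modification fichier de configuration` loop whose item carries `gitlab_mattermost_app_secret` (loop items are printed per iteration), noting that that task's head lies outside the hunk. The same task sets `failed_when: no`, which hides a rejected token or an unreachable GitLab, and nothing prevents it from registering a fresh runner on every run while `gitlab_ci_token` is defined; a `creates:` argument pointing at the runner's config file, or a prior check with `gitlab-ci-multi-runner list`, would make it idempotent and let real failures surface. Separately, `mattermost['service_site_url']` is hard-coded to `'https://mm.regardscitoyens.org'` and `service_use_ssl` to `true`, while `mattermost_external_url` is derived from `gitlab_mattermost_domain` and switches between http and https on `gitlab_mattermost_ssl_cert`; deriving the site URL the same way, e.g. `line: "mattermost['service_site_url'] = '{{ (gitlab_mattermost_ssl_cert is defined) | ternary('https','http') }}://{{ gitlab_mattermost_domain }}'"`, keeps the two consistent. The two `Modification URL externe (mattermost)` tasks could likewise collapse into one using that ternary, as the registration command already does.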
......@@ -19,10 +19,7 @@
SSLCertificateFile {{ gitlab_ssl_cert }}
SSLCertificateKeyFile {{ gitlab_ssl_key }}
{% if gitlab_ssl_chain is defined %}
SSLCertificateChainFile {{ gitlab_ssl_chain }}
{% endif %}
ServerName {{ gitlab_domain }}
ServerSignature Off
......@@ -49,6 +46,7 @@
RewriteEngine on
#Forward all requests to gitlab-workhorse except existing files like error documents
RewriteRule ^/\.well-known - [L]
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_URI} ^/uploads/.*
RewriteRule .* http://127.0.0.1:{{ gitlab_port }}%{REQUEST_URI} [P,QSA,NE]
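Review bot: The new `RewriteRule ^/\.well-known - [L]` carries no comment explaining its purpose; a line such as `# Serve /.well-known (e.g. ACME http-01 challenges) from DocumentRoot instead of proxying it` would help, together with a note that the files must then exist under the vhost's DocumentRoot. The rule is only visible in the :443 vhost here; if this template's port-80 vhost redirects every request to https, as the new mattermost SSL template does, http-01 challenges never reach this rule, so the same exception belongs before that redirect. The enclosing <VirtualHost> block starts and ends outside the hunk.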
......
<VirtualHost *:80>
ServerName {{ gitlab_mattermost_domain }}
ServerSignature Off
ProxyPreserveHost On
# Ensure that encoded slashes are not decoded but left in their encoded state.
# http://doc.gitlab.com/ce/api/projects.html#get-single-project
AllowEncodedSlashes NoDecode
<Location />
# New authorization commands for apache 2.4 and up
# http://httpd.apache.org/docs/2.4/upgrading.html#access
Require all granted
#Allow forwarding to gitlab-workhorse
ProxyPassReverse http://127.0.0.1:{{ gitlab_mattermost_port }}
ProxyPassReverse http://{{ gitlab_mattermost_domain }}/
</Location>
# Apache equivalent of nginx try files
# http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
# http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
RewriteEngine on
#Forward all requests to gitlab-workhorse except existing files like error documents
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_URI} ^/uploads/.*
RewriteRule .* http://127.0.0.1:{{ gitlab_mattermost_port }}%{REQUEST_URI} [P,QSA,NE]
# needed for downloading attachments
DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
#Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
ErrorDocument 404 /404.html
ErrorDocument 422 /422.html
ErrorDocument 500 /500.html
ErrorDocument 502 /502.html
ErrorDocument 503 /503.html
# It is assumed that the log directory is in /var/log/httpd.
# For Debian distributions you might want to change this to
# /var/log/apache2.
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
ErrorLog ${APACHE_LOG_DIR}/gitlab_mm_error.log
CustomLog ${APACHE_LOG_DIR}/gitlab_mm_forwarded.log common_forwarded
CustomLog ${APACHE_LOG_DIR}/gitlab_mm_access.log combined env=!dontlog
CustomLog ${APACHE_LOG_DIR}/gitlab_mm.log combined
</VirtualHost>
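Review bot: Several comments and directives in this new vhost are copied from the GitLab vhost and do not describe Mattermost: `#Forward all requests to gitlab-workhorse`, the `^/uploads/.*` RewriteCond, the `DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public` line with its "needed for downloading attachments" note, and the GitLab ErrorDocument pages. Reword them for this proxy (e.g. `# Forward all requests to the Mattermost service bundled with omnibus GitLab`) or drop the GitLab-specific ones; as written, the `!-f` condition against that DocumentRoot means any file present in GitLab's public directory is served directly under the Mattermost host name instead of being proxied. Mattermost's web client also opens a WebSocket, and a plain `[P]` rewrite to `http://` does not carry the upgrade, so unless mod_proxy_wstunnel is loaded with a matching `ws://` rule, real-time updates will likely fall back or fail — worth verifying on a target. The SSL variant of this template shares all of the above.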
<VirtualHost *:80>
ServerName {{ gitlab_mattermost_domain }}
ServerSignature Off
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
#strong encryption ciphers only
#see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
SSLProtocol all -SSLv2
SSLHonorCipherOrder on
SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
SSLCompression Off
SSLCertificateFile {{ gitlab_mattermost_ssl_cert }}
SSLCertificateKeyFile {{ gitlab_mattermost_ssl_key }}
SSLCertificateChainFile {{ gitlab_mattermost_ssl_chain }}
ServerName {{ gitlab_mattermost_domain }}
ServerSignature Off
ProxyPreserveHost On
# Ensure that encoded slashes are not decoded but left in their encoded state.
# http://doc.gitlab.com/ce/api/projects.html#get-single-project
AllowEncodedSlashes NoDecode
<Location />
# New authorization commands for apache 2.4 and up
# http://httpd.apache.org/docs/2.4/upgrading.html#access
Require all granted
#Allow forwarding to gitlab-workhorse
ProxyPassReverse http://127.0.0.1:{{ gitlab_mattermost_port }}
ProxyPassReverse http://{{ gitlab_mattermost_domain }}/
</Location>
# Apache equivalent of nginx try files
# http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
# http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
RewriteEngine on
#Forward all requests to gitlab-workhorse except existing files like error documents
RewriteRule ^/\.well-known - [L]
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_URI} ^/uploads/.*
RewriteRule .* http://127.0.0.1:{{ gitlab_mattermost_port }}%{REQUEST_URI} [P,QSA,NE]
RequestHeader set X_FORWARDED_PROTO 'https'
RequestHeader set X-Forwarded-Ssl on
# needed for downloading attachments
DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
#Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
ErrorDocument 404 /404.html
ErrorDocument 422 /422.html
ErrorDocument 500 /500.html
ErrorDocument 502 /502.html
ErrorDocument 503 /503.html
# It is assumed that the log directory is in /var/log/httpd.
# For Debian distributions you might want to change this to
# /var/log/apache2.
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
ErrorLog ${APACHE_LOG_DIR}/gitlab_mm_error.log
CustomLog ${APACHE_LOG_DIR}/gitlab_mm_forwarded.log common_forwarded
CustomLog ${APACHE_LOG_DIR}/gitlab_mm_access.log combined env=!dontlog
CustomLog ${APACHE_LOG_DIR}/gitlab_mm.log combined
</VirtualHost>
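Review bot: `SSLProtocol all -SSLv2` leaves SSLv3 enabled in the new :443 vhost; change it to `SSLProtocol all -SSLv2 -SSLv3`, and the `ECDH+3DES`, `DH+3DES` and `RSA+3DES` entries in `SSLCipherSuite` can go for the same reason. `SSLCertificateChainFile {{ gitlab_mattermost_ssl_chain }}` is emitted unconditionally although the defaults file marks `gitlab_mattermost_ssl_chain` as `(optional)`; with the variable undefined the template fails to render, so wrap it in `{% if gitlab_mattermost_ssl_chain is defined %}` … `{% endif %}`. The HSTS header is set with `Header add`, which does not apply to Apache-generated error responses, including the redirect from the port-80 vhost; `Header always set Strict-Transport-Security "max-age=15768000;includeSubdomains"` covers them too. The port-80 vhost redirects every request to https, while the `.well-known` exception exists only in the :443 block, so if that exception is meant for ACME http-01 challenges it also needs to precede the redirect.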