Use simpler file structure

2021-01-31 10:46:42 +01:00 · 2021-01-31 10:46:42 +01:00 · 7f6381b33c
commit 7f6381b33c
parent 3bca1176a4
17 changed files with 152 additions and 122 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -1,5 +0,0 @@
-parseable: true
-quiet: true
-skip_list:
-  - '501'
-use_default_rules: true
--- a/.gitignore
+++ b/.gitignore
@ -12,3 +12,5 @@ vault
 vaults/

 node_modules/
+
+roles/
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -3,40 +3,24 @@ stages:
  - test

 cache:
-  key: "$CI_COMMIT_REF_SLUG"
+  key: $CI_COMMIT_REF_SLUG
  paths:
    - .cache/pip
    - node_modules/

 lint:
-  stage: lint
-  image: python:3.7
-  before_script:
-    - pip install ansible ansible-lint --quiet
-  script:
-    - ansible-lint playbook.yml
-  only:
-    refs:
-      - development
-      - merge_requests
-
-pretty-lint:
  stage: lint
  image: node:12
  before_script:
-    - npm install
+    - npm install prettier --no-save
  script:
-    - npx prettier "roles/**/*.yml" --check
-  only:
-    refs:
-      - development
-      - merge_requests
+    - npx prettier '**/*.yml' --check

 syntax-test:
  stage: test
  image: python:3.7
  before_script:
-    - pip install ansible ansible-lint --quiet
-    - ansible-galaxy install -r roles/requirements.yml
+    - pip install ansible --quiet
+    - ansible-galaxy install -r requirements.yml
  script:
    - ansible-playbook playbook.yml --syntax-check
--- a/.prettier.json
+++ b/.prettier.json
@ -1,9 +0,0 @@
-{
-    "singleQuote": true,
-    "printWidth": 90,
-    "tabWidth": 2,
-    "useTabs": false,
-    "bracketSpacing": true,
-    "parser": "yaml"
-}
-
--- a/.prettierrc.yml
+++ b/.prettierrc.yml
@ -0,0 +1,5 @@
+singleQuote: true
+printWidth: 90
+tabWidth: 2
+useTabs: false
+bracketSpacing: true
--- a/playbook.yml
+++ b/playbook.yml
@ -1,5 +1,29 @@
 - hosts: gitlab
-  become: yes
+  become: true
  become_method: sudo
+  pre_tasks:
+    - name: install packages
+      apt:
+        name: '{{ packages }}'
+        state: present
+    - include_role:
+        name: common
+        tasks_from: 'setup.yml'
+    - include_role:
+        name: common
+        tasks_from: 'network.yml'
+    - include_role:
+        name: common
+        tasks_from: 'host.yml'
  roles:
-    - gitlab
+    - common
+  tasks:
+    - include_role:
+        name: common
+        tasks_from: 'ssl.yml'
+    - import_tasks: 'tasks.yml'
+  vars_files:
+    - 'vars/main.yml'
+    - 'vars/network.yml'
+    - 'vars/postgres.yml'
+    - 'vars/email.yml'
--- a/roles/requirements.yml
+++ b/roles/requirements.yml
--- a/roles/.gitignore
+++ b/roles/.gitignore
@ -1,6 +0,0 @@
-# ignore all external roles and files in the roles dir
-/*
-
-!.gitignore
-!requirements.yml
-!gitlab*/
--- a/roles/gitlab/meta/main.yml
+++ b/roles/gitlab/meta/main.yml
@ -1,16 +0,0 @@
-dependencies:
-  - common
-
-galaxy_info:
-  author: sonny
-  description: "Gitlab omnibus installation"
-  license: "license GPLv3"
-  min_ansible_version: 2.7
-  issue_tracker_url: "https://git.fudiggity.nl/ansible/gitlab/-/issues"
-  platforms:
-    - name: Debian
-      versions:
-        - buster
-  galaxy_tags:
-    - development
-    - system
--- a/roles/gitlab/tasks/main.yml
+++ b/roles/gitlab/tasks/main.yml
@ -1,17 +1,10 @@
- include_role:
-    name: common
-    tasks_from: "network.yml"
- include_role:
-    name: common
-    tasks_from: "host.yml"
-
 - name: copy gitlab firewall template
  template:
-    src: "nftables.j2"
-    dest: "/etc/nftables.conf"
+    src: 'templates/nftables.j2'
+    dest: '/etc/nftables.conf'
    owner: root
    group: root
-    mode: "0600"
+    mode: '0600'
  notify: restart nftables

 - name: create gitlab config dir
@ -20,53 +13,48 @@
    state: directory
    owner: root
    group: root
-    mode: "0644"
+    mode: '0644'

 - name: copy gitlab config
  template:
-    src: "gitlab.j2"
-    dest: "/etc/gitlab/gitlab.rb"
+    src: 'templates/gitlab.j2'
+    dest: '/etc/gitlab/gitlab.rb'
    owner: root
    group: root
-    mode: "0600"
+    mode: '0600'

- name: install packages
-  apt:
-    name:
-      - curl
-      - openssh-server
-      - ca-certificates
-      - postfix
-    state: present
+- name: copy postfix config
+  template:
+    src: 'templates/postfix.j2'
+    dest: '/etc/postfix/main.cf'
+    owner: root
+    group: root
+    mode: '0644'
  notify: restart postfix

 - name: check installed packages
  package_facts:
    manager: apt

- include_role:
-    name: common
-    tasks_from: "ssl.yml"
-
 - name: download gitlab setup script
  get_url:
-    url: "{{ gitlab_setup_script }}"
+    url: '{{ gitlab_setup_script }}'
    dest: /tmp/
-    mode: "0750"
+    mode: '0750'
  when: "'gitlab-ee' not in ansible_facts.packages"

 - name: run gitlab setup script
  command: /tmp/script.deb.sh
  when: "'gitlab-ee' not in ansible_facts.packages"

- name: install gitlab # noqa 403
+- name: install gitlab
  apt:
-    name: "gitlab-ee"
+    name: 'gitlab-ee'
    update_cache: true
    state: latest
  register: package_install

 # Updates reconfigure automatically
 - name: reconfigure gitlab
-  command: gitlab-ctl reconfigure
-  when: not package_install.changed # noqa 503
+  command: 'gitlab-ctl reconfigure'
+  when: not package_install.changed
--- a/roles/gitlab/templates/gitlab.j2
+++ b/roles/gitlab/templates/gitlab.j2
@ -71,9 +71,9 @@ external_url 'https://git.fudiggity.nl'
 # gitlab_rails['max_request_duration_seconds'] = 57

 ### Email Settings
-# gitlab_rails['gitlab_email_enabled'] = true
-# gitlab_rails['gitlab_email_from'] = 'example@example.com'
-# gitlab_rails['gitlab_email_display_name'] = 'Example'
+gitlab_rails['gitlab_email_enabled'] = true
+gitlab_rails['gitlab_email_from'] = '{{ smtp_username }}'
+gitlab_rails['gitlab_email_display_name'] = 'Gitlab'
 # gitlab_rails['gitlab_email_reply_to'] = 'noreply@example.com'
 # gitlab_rails['gitlab_email_subject_suffix'] = ''
 # gitlab_rails['gitlab_email_smime_enabled'] = false
@ -625,19 +625,19 @@ gitlab_rails['db_sslmode'] = "require"
 ###! Docs: https://docs.gitlab.com/omnibus/settings/smtp.html
 ###! **Use smtp instead of sendmail/postfix.**

-# gitlab_rails['smtp_enable'] = true
-# gitlab_rails['smtp_address'] = "smtp.server"
-# gitlab_rails['smtp_port'] = 465
-# gitlab_rails['smtp_user_name'] = "smtp user"
-# gitlab_rails['smtp_password'] = "smtp password"
+gitlab_rails['smtp_enable'] = true
+gitlab_rails['smtp_address'] = "{{ smtp_server }}"
+gitlab_rails['smtp_port'] = {{ smtp_port }}
+gitlab_rails['smtp_user_name'] = "{{ smtp_username }}"
+gitlab_rails['smtp_password'] = "{{ smtp_password }}"
 # gitlab_rails['smtp_domain'] = "example.com"
-# gitlab_rails['smtp_authentication'] = "login"
-# gitlab_rails['smtp_enable_starttls_auto'] = true
-# gitlab_rails['smtp_tls'] = false
+gitlab_rails['smtp_authentication'] = "login"
+gitlab_rails['smtp_enable_starttls_auto'] = true
+gitlab_rails['smtp_tls'] = true

 ###! **Can be: 'none', 'peer', 'client_once', 'fail_if_no_peer_cert'**
 ###! Docs: http://api.rubyonrails.org/classes/ActionMailer/Base.html
-# gitlab_rails['smtp_openssl_verify_mode'] = 'none'
+gitlab_rails['smtp_openssl_verify_mode'] = 'peer'

 # gitlab_rails['smtp_ca_path'] = "/etc/ssl/certs"
 # gitlab_rails['smtp_ca_file'] = "/etc/ssl/certs/ca-certificates.crt"
@ -797,7 +797,7 @@ gitlab_rails['db_sslmode'] = "require"
 # user['home'] = "/var/opt/gitlab"

 # user['git_user_name'] = "GitLab"
-# user['git_user_email'] = "gitlab@#{node['fqdn']}"
+user['git_user_email'] = "{{ smtp_username }}"

 ################################################################################
 ## GitLab Unicorn
--- a/roles/gitlab/templates/nftables.j2
+++ b/roles/gitlab/templates/nftables.j2
--- a/templates/postfix.j2
+++ b/templates/postfix.j2
@ -0,0 +1,46 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+
+
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = {{ smtp_domain }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydestination = $myhostname, localhost.localdomain, localhost
+relayhost = 
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
--- a/vars/email.yml
+++ b/vars/email.yml
@ -0,0 +1,13 @@
+smtp_server: 'smtp.transip.email'
+smtp_port: 465
+smtp_username: 'gitlab@fudiggity.nl'
+smtp_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          61333133363037363433356134346438306431626664313230386439373338623437353866376232
+          6463383937636262666261656534353231663262303838630a323862363161653262636339306363
+          62663639663030356263323539336231336335303761303965356132636265356661636534323363
+          3165353961373137350a333864386439323163383835326664383665333363326438356231643030
+          64313064353331663232653637343862303737656431316336373531353461623531633531333164
+          65376632636666316166323465653134366463313863333137623838326134363739363338316461
+          336533373134643132383363393032376638
+smtp_domain: 'fudiggity.nl'
--- a/vars/main.yml
+++ b/vars/main.yml
@ -0,0 +1,12 @@
+default_user: 'sonny'
+
+app_name: 'gitlab'
+app_user: 'root'
+
+packages:
+  - curl
+  - openssh-server
+  - ca-certificates
+  - postfix
+
+gitlab_setup_script: 'https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh'
--- a/vars/network.yml
+++ b/vars/network.yml
@ -0,0 +1,6 @@
+host_interface: 'en*'
+host_ip: '192.168.178.88'
+host_subnet: '24'
+host_gateway: '192.168.178.1'
+host_dns: '192.168.178.1'
+hostname: 'gitlab.fudiggity.nl'
--- a/roles/gitlab/defaults/main.yml
+++ b/roles/gitlab/defaults/main.yml
@ -1,19 +1,7 @@
-host_interface: "en*"
-host_ip: "192.168.178.88"
-host_subnet: "24"
-host_gateway: "192.168.178.1"
-host_dns: "192.168.178.1"
-hostname: "gitlab.fudiggity.nl"
-
-default_user: "sonny"
-
-app_name: "gitlab"
-app_user: "root"
-
-postgres_host: "192.168.178.165"
-postgres_port: "5432"
-postgres_db: "gitlab"
-postgres_user: "gitlab"
+postgres_host: '192.168.178.165'
+postgres_port: '5432'
+postgres_db: 'gitlab'
+postgres_user: 'gitlab'
 postgres_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  66343661313333383264343865656339306430633565626261373934343537623332353438353736
@ -22,5 +10,3 @@ postgres_password: !vault |
  6233323030313461390a653266613562353261343866316239313161643466643239386130616534
  33316162633762303936616463393662643339336532623138623536366263333634306237643662
  3662363761663761373334663038663833663839363731633631
-
-gitlab_setup_script: "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh"