Initial commit

.ansible-lint

@@ -0,0 +1,5 @@
+parseable: true
+quiet: true
+skip_list:
+  - '501'
+use_default_rules: true

.gitignore

@@ -0,0 +1,14 @@
+*.retry
+*.swp
+
+.venv
+.env
+env
+venv
+
+.vault
+.vaults/
+vault
+vaults/
+
+node_modules/

.gitlab-ci.yml

@@ -0,0 +1,41 @@
+stages:
+  - lint
+  - test
+
+cache:
+  key: "$CI_COMMIT_REF_SLUG"
+  paths:
+    - .cache/pip
+    - node_modules/
+
+lint:
+  stage: lint
+  image: python:3.7
+  before_script:
+    - pip install ansible ansible-lint --quiet
+  script:
+    - ansible-lint playbook.yml
+  only:
+    refs:
+      - development
+      - merge_requests
+
+pretty-lint:
+  stage: lint
+  image: node:12
+  before_script:
+    - npm install
+  script:
+    - npx prettier "roles/**/*.yml" --check
+  only:
+    refs:
+      - development
+      - merge_requests
+
+syntax-test:
+  stage: test
+  image: python:3.7
+  before_script:
+    - pip install ansible ansible-lint --quiet
+  script:
+    - ansible-playbook playbook.yml --syntax-check

.prettier.json

@@ -0,0 +1,9 @@
+{
+    "singleQuote": true,
+    "printWidth": 90,
+    "tabWidth": 2,
+    "useTabs": false,
+    "bracketSpacing": true,
+    "parser": "yaml"
+}
+

ansible.cfg

@@ -0,0 +1,2 @@
+[defaults]
+roles_path = ./roles

inventory.yml

@@ -0,0 +1,3 @@
+gitlab:
+  hosts:
+    192.168.178.88:

playbook.yml

@@ -0,0 +1,5 @@
+- hosts: gitlab
+  become: yes
+  become_method: sudo
+  roles:
+    - gitlab

roles/.gitignore

@@ -0,0 +1,6 @@
+# ignore all external roles and files in the roles dir
+/*
+
+!.gitignore
+!requirements.yml
+!gitlab*/

roles/gitlab/defaults/main.yml

@@ -0,0 +1,26 @@
+host_interface: "en*"
+host_ip: "192.168.178.88"
+host_subnet: "24"
+host_gateway: "192.168.178.1"
+host_dns: "192.168.178.1"
+hostname: "gitlab.fudiggity.nl"
+
+default_user: "sonny"
+
+app_name: "gitlab"
+app_user: "root"
+
+postgres_host: "192.168.178.165"
+postgres_port: "5432"
+postgres_db: "gitlab"
+postgres_user: "gitlab"
+postgres_password: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  66343661313333383264343865656339306430633565626261373934343537623332353438353736
+  3336656666326139363333316163343334666638313230330a356666613131393532316333313733
+  32306132633237303562373762393136623466383337626264663032626538393133646137656231
+  6233323030313461390a653266613562353261343866316239313161643466643239386130616534
+  33316162633762303936616463393662643339336532623138623536366263333634306237643662
+  3662363761663761373334663038663833663839363731633631
+
+gitlab_setup_script: "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh"

roles/gitlab/meta/main.yml

@@ -0,0 +1,16 @@
+dependencies:
+  - common
+
+galaxy_info:
+  author: sonny
+  description: "Gitlab omnibus installation"
+  license: "license GPLv3"
+  min_ansible_version: 2.7
+  issue_tracker_url: "https://git.fudiggity.nl/ansible/gitlab/-/issues"
+  platforms:
+    - name: Debian
+      versions:
+        - buster
+  galaxy_tags:
+    - development
+    - system

roles/gitlab/tasks/main.yml

@@ -0,0 +1,72 @@
+- include_role:
+    name: common
+    tasks_from: "network.yml"
+- include_role:
+    name: common
+    tasks_from: "host.yml"
+
+- name: copy gitlab firewall template
+  template:
+    src: "nftables.j2"
+    dest: "/etc/nftables.conf"
+    owner: root
+    group: root
+    mode: "0600"
+  notify: restart nftables
+
+- name: create gitlab config dir
+  file:
+    path: /etc/gitlab
+    state: directory
+    owner: root
+    group: root
+    mode: "0644"
+
+- name: copy gitlab config
+  template:
+    src: "gitlab.j2"
+    dest: "/etc/gitlab/gitlab.rb"
+    owner: root
+    group: root
+    mode: "0600"
+
+- name: install packages
+  apt:
+    name:
+      - curl
+      - openssh-server
+      - ca-certificates
+      - postfix
+    state: present
+  notify: restart postfix
+
+- name: check installed packages
+  package_facts:
+    manager: apt
+
+- include_role:
+    name: common
+    tasks_from: "ssl.yml"
+
+- name: download gitlab setup script
+  get_url:
+    url: "{{ gitlab_setup_script }}"
+    dest: /tmp/
+    mode: "0750"
+  when: "'gitlab-ee' not in ansible_facts.packages"
+
+- name: run gitlab setup script
+  command: /tmp/script.deb.sh
+  when: "'gitlab-ee' not in ansible_facts.packages"
+
+- name: install gitlab # noqa 403
+  apt:
+    name: "gitlab-ee"
+    update_cache: true
+    state: latest
+  register: package_install
+
+# Updates reconfigure automatically
+- name: reconfigure gitlab
+  command: gitlab-ctl reconfigure
+  when: not package_install.changed # noqa 503

roles/gitlab/templates/nftables.j2

@@ -0,0 +1,19 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+#
+# vim:set ts=2 sw=2 et:
+
+flush ruleset
+
+table inet filter {
+	chain input {
+		type filter hook input priority 0; policy drop;
+
+		# accept any localhost traffic
+		iif lo accept
+
+		# accept traffic originated from us
+		ct state { established, related } accept
+
+		tcp dport { 22, 80, 443 } accept
+	}
+}

roles/requirements.yml

@@ -0,0 +1,4 @@
+- src: git+https://git.fudiggity.nl/ansible/common.git
+  name: common
+  version: master
+  scm: git