[fix] role:gitlab

2024-03-22 13:19:10 +01:00 · 2024-03-22 13:19:10 +01:00 · 9b6ffc04c3
commit 9b6ffc04c3
parent 09047036e0
4 changed files with 50 additions and 8 deletions
--- a/ansible/roles/gitlab/defaults/main.json
+++ b/ansible/roles/gitlab/defaults/main.json
@ -1,5 +1,6 @@
 {
 	"var_gitlab_domain": "gitlab.example.org",
+	"var_gitlab_modify_kernel_parameters": true,
 	"var_gitlab_database_kind": "internal",
 	"var_gitlab_database_data_postgresql_host": "localhost",
 	"var_gitlab_database_data_postgresql_port": 5432,
@ -7,8 +8,11 @@
 	"var_gitlab_database_data_postgresql_password": "REPLACE_ME",
 	"var_gitlab_database_data_postgresql_schema": "gitlab",
 	"var_gitlab_authentication_kind": "internal",
+	"var_gitlab_authentication_option_require_predefined_account": false,
+	"var_gitlab_authentication_option_block_auto_created_users": false,
 	"var_gitlab_authentication_data_authelia_url_base": "https://authelia.example.org",
 	"var_gitlab_authentication_data_authelia_client_id": "gitlab",
 	"var_gitlab_authentication_data_authelia_client_secret": "REPLACE_ME",
-	"var_gitlab_authentication_data_authelia_label": "Authelia"
+	"var_gitlab_authentication_data_authelia_label": "Authelia",
+	"var_gitlab_use_bundled_webserver": true
 }
--- a/ansible/roles/gitlab/info.md
+++ b/ansible/roles/gitlab/info.md
@ -9,6 +9,7 @@ Software-Entwickler-Plattform [GitLab](https://about.gitlab.com/)
 - [LinuxTechi | How to Install GitLab on Debian 12 Step-by-Step](https://www.linuxtechi.com/how-to-install-gitlab-on-debian/)
 - [Dokumentation | Configuration](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md)
 - [Authelia | Dokumentation | Integration for GitLab](https://www.authelia.com/integration/openid-connect/gitlab/#application)
+- [Dokumentation | Using a non-bundled web-server](https://docs.gitlab.com/omnibus/settings/nginx.html#using-a-non-bundled-web-server)


 ## ToDo
--- a/ansible/roles/gitlab/templates/gitlab.rb.j2
+++ b/ansible/roles/gitlab/templates/gitlab.rb.j2
@ -571,8 +571,20 @@ external_url 'http://{{var_gitlab_domain}}'
 # gitlab_rails['omniauth_external_providers'] = ['twitter', 'google_oauth2']
 # gitlab_rails['omniauth_allow_bypass_two_factor'] = ['google_oauth2']
 {% if var_gitlab_authentication_kind == 'internal' %}
+gitlab_rails['omniauth_enabled'] = nil
 {% endif %}
 {% if var_gitlab_authentication_kind == 'authelia' %}
+gitlab_rails['omniauth_enabled'] = true
+{% if var_gitlab_authentication_option_require_predefined_account %}
+gitlab_rails['omniauth_allow_single_sign_on'] = []
+{% else %}
+gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
+{% endif %}
+{% if var_gitlab_authentication_option_block_auto_created_users %}
+gitlab_rails['omniauth_block_auto_created_users'] = true
+{% else %}
+gitlab_rails['omniauth_block_auto_created_users'] = false
+{% endif %}
 gitlab_rails['omniauth_providers'] = [
  {
    name: "openid_connect",
@ -1038,7 +1050,8 @@ gitlab_rails['omniauth_providers'] = [
 ##! Docs: https://gitlab.com/gitlab-org/gitlab/-/blob/master/workhorse/README.md
 ################################################################################

-# gitlab_workhorse['enable'] = true
+{% if var_gitlab_use_bundled_webserver %}
+gitlab_workhorse['enable'] = true
 # gitlab_workhorse['ha'] = false
 # gitlab_workhorse['alt_document_root'] = nil

@ -1051,7 +1064,7 @@ gitlab_rails['omniauth_providers'] = [
 # gitlab_workhorse['shutdown_timeout'] = nil
 # gitlab_workhorse['listen_network'] = "unix"
 # gitlab_workhorse['listen_umask'] = 000
-# gitlab_workhorse['listen_addr'] = "/var/opt/gitlab/gitlab-workhorse/sockets/socket"
+gitlab_workhorse['listen_addr'] = "/var/opt/gitlab/gitlab-workhorse/sockets/socket"
 # gitlab_workhorse['auth_backend'] = "http://localhost:8080"

 ##! Enable Redis keywatcher, if this setting is not present it defaults to true
@ -1120,6 +1133,7 @@ gitlab_rails['omniauth_providers'] = [
 # gitlab_workhorse['consul_service_name'] = 'workhorse'
 ##! Semantic metadata used when registering GitLab Workhorse as a Consul service
 # gitlab_workhorse['consul_service_meta'] = {}
+{% endif %}

 ################################################################################
 ## GitLab User Settings
@ -1621,23 +1635,24 @@ gitlab_rails['db_port'] = {{var_gitlab_database_data_postgresql_port | string}}
 ## GitLab Web server
 ##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#using-a-non-bundled-web-server
 ################################################################################
-
+{% if not var_gitlab_use_bundled_webserver %}
 ##! When bundled nginx is disabled we need to add the external webserver user to
 ##! the GitLab webserver group.
-# web_server['external_users'] = []
+nginx['enable'] = false
+web_server['external_users'] = ['www-data']
 # web_server['username'] = 'gitlab-www'
 # web_server['group'] = 'gitlab-www'
 # web_server['uid'] = nil
 # web_server['gid'] = nil
 # web_server['shell'] = '/bin/false'
 # web_server['home'] = '/var/opt/gitlab/nginx'
-
+{% else %}
 ################################################################################
 ## GitLab NGINX
 ##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html
 ################################################################################
+nginx['enable'] = true

-# nginx['enable'] = true
 # nginx['client_max_body_size'] = '250m'
 # nginx['redirect_http_to_https'] = false
 # nginx['redirect_http_to_https_port'] = 80
@ -1766,6 +1781,7 @@ gitlab_rails['db_port'] = {{var_gitlab_database_data_postgresql_port | string}}
 # nginx['consul_service_name'] = 'nginx'
 ##! Semantic metadata used when registering NGINX as a Consul service
 # nginx['consul_service_meta'] = {}
+{% endif %}

 ################################################################################
 ## GitLab Logging
@ -2757,7 +2773,11 @@ letsencrypt['enable'] = nil

 ##! Attempt to modify kernel paramaters. To skip this in containers where the
 ##! relevant file system is read-only, set the value to false.
-# package['modify_kernel_parameters'] = true
+{% if not var_gitlab_modify_kernel_parameters %}
+package['modify_kernel_parameters'] = false
+{% else %}
+package['modify_kernel_parameters'] = true
+{% endif %}

 ##! Specify maximum number of tasks that can be created by the systemd unit
 ##! Will be populated as TasksMax value to the unit file if user is on a systemd
--- a/ansible/roles/gitlab/vardef.json
+++ b/ansible/roles/gitlab/vardef.json
@ -3,6 +3,11 @@
 		"type": "string",
 		"mandatory": false
 	},
+	"modify_kernel_parameters": {
+		"type": "boolean",
+		"mandatory": false,
+		"comment": "muss ausgeschalten werden, wenn GitLab in einem LXC-Container installiert werden soll"
+	},
 	"database_kind": {
 		"type": "string",
 		"mandatory": false,
@ -19,6 +24,14 @@
 			"authelia"
 		]
 	},
+	"authentication_option_require_predefined_account": {
+		"type": "boolean",
+		"mandatory": false
+	},
+	"authentication_option_block_auto_created_users": {
+		"type": "boolean",
+		"mandatory": false
+	},
 	"authentication_data_authelia_url_base": {
 		"type": "string",
 		"mandatory": false
@ -34,5 +47,9 @@
 	"authentication_data_authelia_label": {
 		"type": "string",
 		"mandatory": false
+	},
+	"use_bundled_webserver": {
+		"type": "boolean",
+		"mandatory": false
 	}
 }