debops.gitlab default variables
GitLab Omnibus installation
- gitlab__edition
Select the GitLab edition you want to install or manage. The "community" edition contains only the open source components; the "enterprise" edition includes closed source components and can be upgraded with a commercial license. Set to "manual" to allow a manual installation of the GitLab Omnibus package, which can then be configured by the role.
gitlab__edition: 'community'
- gitlab__base_packages
List of the default APT packages used to install GitLab Omnibus on a host.
gitlab__base_packages:
  - '{{ "gitlab-ce"
        if (gitlab__edition == "community")
        else ("gitlab-ee"
              if (gitlab__edition == "enterprise")
              else []) }}'
- gitlab__packages
List of additional APT packages which should be installed with GitLab Omnibus.
gitlab__packages: []
UNIX environment
- gitlab__user
Name of the primary UNIX account used by GitLab Omnibus.
gitlab__user: 'git'
- gitlab__group
Name of the primary UNIX group used by GitLab Omnibus.
gitlab__group: 'git'
- gitlab__additional_groups
List of additional UNIX groups which the GitLab Omnibus account should belong to.
gitlab__additional_groups:
  # The "sshusers" UNIX group permits access to a given UNIX account over SSH
  - '{{ (ansible_local.system_groups.local_prefix | d("")) + "sshusers" }}'
- gitlab__comment
The GECOS field of the primary GitLab Omnibus UNIX account.
gitlab__comment: 'GitLab Omnibus main account'
- gitlab__home
The home directory of the primary GitLab Omnibus UNIX account. This path is used by default by the Omnibus packages and shouldn't be changed recklessly.
gitlab__home: '/var/opt/gitlab'
- gitlab__shell
The default UNIX shell used by the primary GitLab Omnibus account.
gitlab__shell: '/bin/sh'
Application environment
- gitlab__fqdn
The Fully Qualified Domain Name on which GitLab Omnibus will be available. It might be published as an SRV record so that GitLab Runners can find the API endpoint automatically.
gitlab__fqdn: 'code.{{ gitlab__domain }}'
- gitlab__domain
The DNS domain on which GitLab Omnibus is deployed.
gitlab__domain: '{{ ansible_domain }}'
- gitlab__registry_port
By default, GitLab Container registry is published on the same FQDN as the main GitLab application, on a different TCP port.
gitlab__registry_port: '5050'
- gitlab__firewall_ports
List of TCP ports which should be opened in the ferm firewall to allow access to the GitLab services.
gitlab__firewall_ports:
- 'http'
- 'https'
- 'container-registry'
- gitlab__allow
List of IP addresses or CIDR subnets which are allowed to access GitLab Omnibus services, configured on all hosts in the Ansible inventory. If the list is empty, any host can access GitLab.
gitlab__allow: []
- gitlab__group_allow
List of IP addresses or CIDR subnets which are allowed to access GitLab Omnibus services, configured on hosts in a specific Ansible inventory group. If the list is empty, any host can access GitLab.
gitlab__group_allow: []
- gitlab__host_allow
List of IP addresses or CIDR subnets which are allowed to access GitLab Omnibus services, configured on specific hosts in the Ansible inventory. If the list is empty, any host can access GitLab.
gitlab__host_allow: []
- gitlab__initial_root_password
The initial "root" account password set during GitLab Omnibus installation via the $GITLAB_ROOT_PASSWORD environment variable.
gitlab__initial_root_password: '{{ lookup("password", secret + "/gitlab/credentials/"
                                   + "root/initial_password") }}'
PKI infrastructure integration
- gitlab__pki_enabled
Enable or disable support for PKI infrastructure, managed by the debops.pki Ansible role.
gitlab__pki_enabled: '{{ (ansible_local.pki.enabled | d(False)) | bool }}'
- gitlab__pki_path
The base path of the PKI infrastructure managed by the debops.pki Ansible role.
gitlab__pki_path: '{{ ansible_local.pki.path | d("/etc/pki/realms") }}'
- gitlab__pki_realm
The name of the PKI realm which should be used by GitLab Omnibus installation by default.
gitlab__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
- gitlab__ssl_default_symlinks
List of the symlinks to the private key and X.509 certificate used by GitLab Omnibus by default, located in the /etc/gitlab/ssl/ directory. See gitlab__ssl_symlinks for more details.
gitlab__ssl_default_symlinks:
  - link: '{{ gitlab__fqdn + ".key" }}'
    src: '{{ gitlab__pki_path + "/" + gitlab__pki_realm + "/private/key.pem" }}'
  - link: '{{ gitlab__fqdn + ".crt" }}'
    src: '{{ gitlab__pki_path + "/" + gitlab__pki_realm + "/public/chain.pem" }}'
- gitlab__ssl_symlinks
List of additional symlinks to private keys and X.509 certificates used by GitLab Omnibus, located in the /etc/gitlab/ssl/ directory. Each entry is a YAML dictionary with the same link and src keys as the entries of gitlab__ssl_default_symlinks.
gitlab__ssl_symlinks: []
- gitlab__ssl_default_cacerts
List of the symlinks to the Certificate Authority certificate used by GitLab Omnibus by default, located in the /etc/gitlab/trusted-certs/ directory. Syntax is the same as the configuration for private keys and certificates. See gitlab__ssl_symlinks for more details.
gitlab__ssl_default_cacerts:
  - link: '{{ gitlab__pki_realm + "-root.crt" }}'
    src: '{{ gitlab__pki_path + "/" + gitlab__pki_realm + "/public/root.pem" }}'
- gitlab__ssl_cacerts
List of additional symlinks to Certificate Authority certificates used by GitLab Omnibus, located in the /etc/gitlab/trusted-certs/ directory. Syntax is the same as the configuration for private keys and certificates. See gitlab__ssl_symlinks for more details.
gitlab__ssl_cacerts: []
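As an added example (not part of the debops.gitlab documentation), the inventory variables below provide a key and certificate for a second hostname taken from a dedicated debops.pki realm, and add an internal CA to the GitLab trust store. The realm name "registry", the hostname prefix and the CA file path are assumptions:

```yaml
# Added example, not part of the debops.gitlab documentation. The realm name
# "registry", the hostname and the CA file path are assumptions.
gitlab__ssl_symlinks:

  # Key and certificate chain for an additional hostname, taken from a dedicated
  # PKI realm managed by debops.pki. The Omnibus defaults look for
  # /etc/gitlab/ssl/<fqdn>.key and /etc/gitlab/ssl/<fqdn>.crt for a service
  # published on that FQDN, so the link names must match the hostname exactly.
  - link: '{{ "registry." + gitlab__domain + ".key" }}'
    src: '{{ gitlab__pki_path + "/registry/private/key.pem" }}'

  - link: '{{ "registry." + gitlab__domain + ".crt" }}'
    src: '{{ gitlab__pki_path + "/registry/public/chain.pem" }}'

gitlab__ssl_cacerts:

  # Internal CA that signs the LDAP server certificate. Without it the
  # verify_certificates check in the generated LDAP configuration fails and
  # LDAP logins stop working rather than silently trusting an unknown issuer.
  - link: 'corp-internal-root.crt'
    src: '/usr/local/share/ca-certificates/corp-internal-root.crt'
```

The private key is only symlinked, not copied, so the file permissions of the PKI realm still decide who can read it; the trusted-certs directory is the place to add issuers that GitLab components must verify, not the system-wide CA bundle.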
LDAP Authentication configuration
More information about LDAP support in GitLab can be found at https://gitlab.com/help/administration/auth/ldap.md
- gitlab__ldap_enabled
Enable or disable LDAP integration.
gitlab__ldap_enabled: '{{ True
                          if (ansible_local | d() and ansible_local.ldap | d() and
                              (ansible_local.ldap.enabled | d()) | bool)
                          else False }}'
- gitlab__ldap_base_dn
The base Distinguished Name which should be used to create Distinguished Names of the LDAP directory objects, defined as a YAML list. If this variable is empty, LDAP configuration will not be generated.
gitlab__ldap_base_dn: '{{ ansible_local.ldap.base_dn | d([]) }}'
- gitlab__ldap_device_dn
The Distinguished Name of the current host LDAP object, defined as a YAML list. It will be used as a base for the GitLab service account LDAP object. If the list is empty, the role will not create the account LDAP object automatically.
gitlab__ldap_device_dn: '{{ ansible_local.ldap.device_dn | d([]) }}'
- gitlab__ldap_self_rdn
The Relative Distinguished Name of the account LDAP object used by the GitLab service to access the LDAP directory.
gitlab__ldap_self_rdn: 'uid=gitlab'
- gitlab__ldap_self_object_classes
List of the LDAP object classes which will be used to create the LDAP object used by the GitLab service to access the LDAP directory.
gitlab__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
- gitlab__ldap_self_attributes
YAML dictionary that defines the attributes of the LDAP object used by the GitLab service to access the LDAP directory.
gitlab__ldap_self_attributes:
  uid: '{{ gitlab__ldap_self_rdn.split("=")[1] }}'
  userPassword: '{{ gitlab__ldap_bindpw }}'
  host: '{{ [ansible_fqdn, ansible_hostname] | unique }}'
  description: 'Account used by the "GitLab" service to access the LDAP directory'
- gitlab__ldap_binddn
The Distinguished Name of the account LDAP object used by the GitLab service to bind to the LDAP directory.
gitlab__ldap_binddn: '{{ ([gitlab__ldap_self_rdn] + gitlab__ldap_device_dn) | join(",") }}'
- gitlab__ldap_bindpw
The password stored in the account LDAP object used by the GitLab service to bind to the LDAP directory.
gitlab__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
                          + gitlab__ldap_binddn | to_uuid + ".password length=32"))
                         if gitlab__ldap_enabled | bool
                         else "" }}'
- gitlab__ldap_label
Specify the name of the LDAP server displayed on the login page.
gitlab__ldap_label: 'LDAP'
- gitlab__ldap_host
FQDN of the LDAP server to connect to.
gitlab__ldap_host: '{{ ansible_local.ldap.hosts | d([""]) | first }}'
- gitlab__ldap_port
The LDAP service port to use for connections.
gitlab__ldap_port: '{{ ansible_local.ldap.port | d("389") }}'
- gitlab__ldap_encryption
The encryption method that should be used to connect to the LDAP server. Available methods: start_tls, simple_tls, plain.
gitlab__ldap_encryption: '{{ "start_tls"
                             if ((ansible_local.ldap.start_tls | d()) | bool)
                             else "simple_tls" }}'
- gitlab__ldap_timeout
Set timeout in seconds for LDAP queries.
gitlab__ldap_timeout: '10'
- gitlab__ldap_activedirectory
Enable or disable support for ActiveDirectory servers.
gitlab__ldap_activedirectory: False
- gitlab__ldap_account_attribute
Name of the LDAP attribute to use for account lookups. On plain LDAP servers it's usually uid, on older ActiveDirectory installations it could be sAMAccountName.
gitlab__ldap_account_attribute: '{{ "sAMAccountName"
                                    if (gitlab__ldap_activedirectory | bool)
                                    else "uid" }}'
- gitlab__ldap_user_filter
LDAP search query which will be used by the GitLab service to filter the available user accounts.
gitlab__ldap_user_filter: '(&
                             (objectClass=inetOrgPerson)
                             (|
                               (authorizedService=all)
                               (authorizedService=gitlab)
                               (authorizedService=web:public)
                             )
                           )'
- gitlab__ldap_username_or_email_login
If this variable is enabled, GitLab will ignore everything after the first '@' in the LDAP username submitted by the user on login.
Example:
- the user enters jane.doe@example.com and p@ssw0rd as LDAP credentials;
- GitLab queries the LDAP server with jane.doe and p@ssw0rd.
If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to disable this setting, because the userPrincipalName contains an '@'.
gitlab__ldap_username_or_email_login: '{{ True
                                          if (gitlab__ldap_account_attribute in
                                              ["uid", "sAMAccountName"])
                                          else False }}'
- gitlab__ldap_block_auto_created_users
Enable this setting to keep new LDAP users blocked until they have been cleared by the admin.
gitlab__ldap_block_auto_created_users: False
- gitlab__ldap_lowercase_usernames
If enabled, GitLab will convert usernames to lowercase before searching for the LDAP user accounts.
gitlab__ldap_lowercase_usernames: True
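As an added example (not part of the debops.gitlab documentation), the following inventory variables bind GitLab to an Active Directory domain controller instead of the LDAP server detected through Ansible local facts, using the variables from this section. The hostname, DNs, group name and the secret file path are assumptions:

```yaml
# Added example, not part of the debops.gitlab documentation. Hostname, DNs,
# the group name and the secret file path are assumptions.
gitlab__ldap_enabled: True
gitlab__ldap_label: 'Corporate AD'
gitlab__ldap_host: 'dc1.ad.example.org'

# LDAPS on port 636. The generated ldap_servers block sets
# verify_certificates: true, so the CA that issued the domain controller
# certificate must be present in /etc/gitlab/trusted-certs/ (see gitlab__ssl_cacerts).
gitlab__ldap_port: '636'
gitlab__ldap_encryption: 'simple_tls'

gitlab__ldap_activedirectory: True

# Users log in with their full UPN, so the '@' truncation must be disabled,
# otherwise GitLab would search for "jane.doe" instead of "jane.doe@ad.example.org".
gitlab__ldap_account_attribute: 'userPrincipalName'
gitlab__ldap_username_or_email_login: False

gitlab__ldap_base_dn: [ 'dc=ad', 'dc=example', 'dc=org' ]

# The bind account lives in AD and is not created by debops.ldap, so the device
# DN stays empty (the dependent task is then set to "ignore"). Store the real
# service-account password in this file under the DebOps secret/ directory
# before the first run; the password lookup only generates a random value when
# the file does not exist yet.
gitlab__ldap_device_dn: []
gitlab__ldap_binddn: 'CN=svc-gitlab,OU=Service Accounts,DC=ad,DC=example,DC=org'
gitlab__ldap_bindpw: '{{ lookup("password", secret + "/gitlab/credentials/ldap/bindpw") }}'

# Only enabled user accounts in a dedicated security group may sign in; the
# userAccountControl bit 2 marks disabled accounts. New accounts stay blocked
# until an administrator reviews them.
gitlab__ldap_user_filter: '(&
                             (objectCategory=person)
                             (objectClass=user)
                             (!(userAccountControl:1.2.840.113556.1.4.803:=2))
                             (memberOf=CN=GitLab Users,OU=Groups,DC=ad,DC=example,DC=org)
                           )'
gitlab__ldap_block_auto_created_users: True
```

The user filter is the control that decides which directory accounts can authenticate at all; combining it with block_auto_created_users means a newly provisioned AD account gets a GitLab account but no access until it is unblocked.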
GitLab backup options
- gitlab__backup_enabled
When enabled, the role will configure the cron service to periodically perform backups of the GitLab Omnibus installation. If this parameter is set to False, the cron configuration will be removed.
gitlab__backup_enabled: True
- gitlab__backup_frequency
Select the GitLab Omnibus backup frequency (either daily, weekly or monthly).
gitlab__backup_frequency: 'daily'
- gitlab__backup_keep_time
How long to store backups for, in seconds.
gitlab__backup_keep_time: '{{ (60 * 60 * 24 * 7) | int }}'
- gitlab__backup_path
Absolute path to the directory where GitLab Omnibus backups are stored and managed.
gitlab__backup_path: '/var/opt/gitlab/backups'
- gitlab__backup_exclude_directories
Choose what should be excluded from the backup. An empty list means that nothing will be excluded from the backup. Reference: https://docs.gitlab.com/ee/raketasks/backup_gitlab.html#excluding-specific-directories-from-the-backup
gitlab__backup_exclude_directories: []
- gitlab__backup_default_environment
YAML dictionary with default environment variables which should be present in the GitLab backup cron job. Dictionary keys are the variable names, dictionary values are the variable values. An empty value removes the variable from the generated configuration file.
gitlab__backup_default_environment:
  CRON: '1'
  SKIP: '{{ gitlab__backup_exclude_directories | join(",") }}'
- gitlab__backup_environment
YAML dictionary with custom environment variables which should be present in the GitLab backup cron job. Dictionary keys are the variable names, dictionary values are the variable values. An empty value removes the variable from the generated configuration file. This variable is combined with the default environment variables.
gitlab__backup_environment: {}
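As an added example (not part of the debops.gitlab documentation), an inventory fragment that switches to weekly backups kept for four weeks and skips two stores that are backed up by other means. The component names in the SKIP list come from the GitLab backup documentation linked above; STRATEGY is an environment variable of the GitLab backup task and is used here as an assumption, so check it against the documentation for your GitLab version:

```yaml
# Added example, not part of the debops.gitlab documentation.
gitlab__backup_frequency: 'weekly'

# Four weeks in seconds. Because this differs from the default 604800, the
# role emits gitlab_rails['backup_keep_time'] as an active (uncommented)
# setting in gitlab.rb, and GitLab prunes older archives at the next run.
gitlab__backup_keep_time: '{{ (60 * 60 * 24 * 7 * 4) | int }}'

# Rendered into the SKIP variable of the cron job as "artifacts,registry".
# Keep this list short and deliberate: anything listed here is not restorable
# from the GitLab archive.
gitlab__backup_exclude_directories: [ 'artifacts', 'registry' ]

gitlab__backup_environment:
  # Copy repositories to a temporary location before archiving, so that writes
  # happening during the backup do not end up in a half-written tarball
  # (assumed variable of the GitLab backup task).
  STRATEGY: 'copy'
```

Backups are written under gitlab__backup_path on the same host; the keep time only limits how many archives accumulate there, it does not replace copying them off the machine.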
GitLab Omnibus configuration file
The lists below define the contents of the /etc/gitlab/gitlab.rb configuration file which manages the GitLab Omnibus installation. The role maintains the configuration file using the Universal Configuration system. See gitlab__configuration for more details.
- gitlab__default_configuration
The default configuration options for GitLab Omnibus defined by the role.
gitlab__default_configuration:

  - name: 'preamble-comment'
    title: 'GitLab configuration settings'
    comment: |
      This file is generated during initial installation and **is not** modified
      during upgrades.
      Check out the latest version of this file to know about the different
      settings that can be configured, when they were introduced and why:
      https://gitlab.com/gitlab-org/omnibus-gitlab/blame/master/files/gitlab-config-template/gitlab.rb.template
      Locally, the complete template corresponding to the installed version can be found at:
      /opt/gitlab/etc/gitlab.rb.template
      You can run `gitlab-ctl diff-config` to compare the contents of the current gitlab.rb with
      the gitlab.rb.template from the currently running version.
      You can run `gitlab-ctl show-config` to display the configuration that will be generated by
      running `gitlab-ctl reconfigure`
    state: 'present'

  - name: 'external_url'
    title: 'GitLab URL'
    comment: |
      URL on which GitLab will be reachable.
      For more details on configuring external_url see:
      https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-the-external-url-for-gitlab
    value: '{{ (("https://") if gitlab__pki_enabled | bool else ("http://"))
               + gitlab__fqdn }}'

  - name: 'registry_external_url'
    title: 'GitLab Container Registry URL'
    comment: |
      URL on which GitLab Container Registry will be reachable. By default we
      use the same FQDN as the main GitLab installation with a separate TCP
      port; see the documentation to find out how to publish the Registry on
      a separate FQDN.
    value: '{{ (("https://") if gitlab__pki_enabled | bool else ("http://"))
               + gitlab__fqdn + ":" + gitlab__registry_port }}'

  - name: 'roles'
    title: 'Roles for multi-instance GitLab'
    comment: |
      The default is to have no roles enabled, which results in GitLab running as an all-in-one instance.
      Options:
        redis_sentinel_role redis_master_role redis_replica_role geo_primary_role geo_secondary_role
        postgres_role consul_role application_role monitoring_role
      For more details on each role, see:
      https://docs.gitlab.com/omnibus/roles/README.html#roles
    value: [ 'redis_sentinel_role', 'redis_master_role' ]
    state: 'comment'

  - name: 'legend-comment'
    title: 'Legend'
    comment: |
      The following notations at the beginning of each line may be used to
      differentiate between components of this file and to easily select them using
      a regex.
      ## Titles, subtitles etc
      ##! More information - Description, Docs, Links, Issues etc.
      Configuration settings have a single # followed by a single space at the
      beginning; Remove them to enable the setting.
      **Configuration settings below are optional.**
    state: 'present'

  - name: 'header-comment'
    raw: |
      ################################################################################
      ################################################################################
      ## Configuration Settings for GitLab CE and EE ##
      ################################################################################
      ################################################################################
      ################################################################################
      ## gitlab.yml configuration
      ##! Docs: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md
      ################################################################################
    state: 'present'
    separator: True

  - name: 'gitlab_rails'
    options:

      - name: 'time_zone'
        title: 'Set the time zone of the GitLab Omnibus installation'
        value: '{{ ansible_local.tzdata.timezone | d("UTC") }}'
        state: 'present'

      - name: 'backup_path'
        title: 'Absolute path where GitLab backups are stored'
        value: '{{ gitlab__backup_path }}'
        state: '{{ "present"
                   if (gitlab__backup_path != "/var/opt/gitlab/backups")
                   else "comment" }}'

      - name: 'backup_keep_time'
        title: 'The duration in seconds to keep backups before they are allowed to be deleted'
        value: '{{ gitlab__backup_keep_time }}'
        state: '{{ "present"
                   if (gitlab__backup_keep_time | string != "604800")
                   else "comment" }}'

      - name: 'ldap_enabled'
        title: 'LDAP Settings'
        comment: |
          Docs: https://docs.gitlab.com/omnibus/settings/ldap.html
          **Be careful not to break the indentation in the ldap_servers block. It is
          in yaml format and the spaces must be retained. Using tabs will not work.**
        value: '{{ ansible_local.ldap.enabled | d(False) }}'
        state: '{{ "present" if gitlab__ldap_enabled | bool else "comment" }}'

      - name: 'prevent_ldap_sign_in'
        value: False
        state: 'comment'

      - name: 'ldap_servers'
        title: "**remember to close this block with 'EOS' below**"
        raw: |
          gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
            main: # 'main' is the GitLab 'provider ID' of this LDAP server
              label: '{{ gitlab__ldap_label }}'
              host: '{{ gitlab__ldap_host }}'
              port: {{ gitlab__ldap_port }}
              uid: '{{ gitlab__ldap_account_attribute }}'
              bind_dn: '{{ gitlab__ldap_binddn }}'
              password: '{{ gitlab__ldap_bindpw }}'
              encryption: '{{ gitlab__ldap_encryption }}' # "start_tls" or "simple_tls" or "plain"
              verify_certificates: true
              smartcard_auth: false
              active_directory: {{ gitlab__ldap_activedirectory | lower }}
              allow_username_or_email_login: {{ gitlab__ldap_username_or_email_login | lower }}
              lowercase_usernames: {{ gitlab__ldap_lowercase_usernames | lower }}
              block_auto_created_users: {{ gitlab__ldap_block_auto_created_users | lower }}
              base: '{{ gitlab__ldap_base_dn | join(",") }}'
              user_filter: '{{ gitlab__ldap_user_filter }}'
              ## EE only
              group_base: ''
              admin_group: ''
              sync_ssh_keys: false
          EOS
        state: '{{ "present" if gitlab__ldap_enabled | bool else "comment" }}'

  - name: 'nginx'
    options:

      - name: 'redirect_http_to_https'
        title: 'Enable HTTP to HTTPS redirection in nginx'
        value: '{{ True if gitlab__pki_enabled | bool else False }}'
        state: 'present'

  - name: 'package'
    options:

      - name: 'modify_kernel_parameters'
        comment: |
          Attempt to modify kernel parameters. To skip this in containers where
          the relevant file system is read-only, set the value to false.
        value: '{{ False
                   if ("container" in (ansible_virtualization_tech_guest | d([])))
                   else True }}'
        state: '{{ "present"
                   if ("container" in (ansible_virtualization_tech_guest | d([])))
                   else "comment" }}'
- gitlab__configuration
The configuration options for GitLab Omnibus defined on all hosts in the Ansible inventory.
gitlab__configuration: []
- gitlab__group_configuration
The configuration options for GitLab Omnibus defined on hosts in a specific Ansible inventory group.
gitlab__group_configuration: []
- gitlab__host_configuration
The configuration options for GitLab Omnibus defined on specific hosts in the Ansible inventory.
gitlab__host_configuration: []
- gitlab__combined_configuration
Variable which combines all GitLab Omnibus configuration variables and is used in role tasks and templates.
gitlab__combined_configuration: '{{ gitlab__default_configuration
                                    + gitlab__configuration
                                    + gitlab__group_configuration
                                    + gitlab__host_configuration }}'
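As an added example (not part of the debops.gitlab documentation), a host-level override list that adjusts entries of gitlab__default_configuration shown above. It assumes that the Universal Configuration merge matches top-level entries and nested options by their name, so that a later list entry with the same name replaces the default one; the nginx HSTS settings in the raw block are taken from the upstream gitlab.rb template rather than from this page:

```yaml
# Added example, not part of the debops.gitlab documentation. Assumes that
# entries and nested options are matched by 'name' across the combined lists.
gitlab__host_configuration:

  - name: 'gitlab_rails'
    options:

      # Disable the LDAP sign-in form once another identity provider is in
      # place. The default entry ships commented out with value False; this
      # override turns it into an active setting.
      - name: 'prevent_ldap_sign_in'
        value: True
        state: 'present'

  - name: 'nginx'
    options:

      # Force the HTTP -> HTTPS redirect even on a host where the debops.pki
      # facts are missing and gitlab__pki_enabled would evaluate to False.
      - name: 'redirect_http_to_https'
        value: True
        state: 'present'

  # Settings that are not modelled as name/value options can be added as a raw
  # block in gitlab.rb syntax. The HSTS keys are assumed from the upstream
  # gitlab.rb template, not from this documentation page.
  - name: 'nginx-hsts'
    title: 'HTTP Strict Transport Security'
    raw: |
      nginx['hsts_max_age'] = 31536000
      nginx['hsts_include_subdomains'] = false
    state: 'present'
```

After a change, `gitlab-ctl show-config` and `gitlab-ctl diff-config` (both mentioned in the preamble comment above) show what the generated gitlab.rb will produce compared with the shipped template, which is the quickest way to confirm that an override landed as an active setting and not as a comment.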
Configuration for other Ansible roles
- gitlab__etc_services__dependent_list
List of custom /etc/services entries to configure for the debops.etc_services Ansible role.
gitlab__etc_services__dependent_list:
  - name: 'container-registry'
    port: '{{ gitlab__registry_port }}'
    protocols: [ 'tcp' ]
    comment: 'GitLab Omnibus Container Registry'
- gitlab__keyring__dependent_apt_keys
List of APT repositories and GPG keys managed by the debops.keyring Ansible role.
gitlab__keyring__dependent_apt_keys:
  - id: 'F640 3F65 44A3 8863 DAA0 B6E0 3F01 618A 5131 2F3F'
    repo: 'deb https://packages.gitlab.com/gitlab/gitlab-ee/debian/ {{ ansible_distribution_release }} main'
    filename: 'gitlab_ee'
    state: '{{ "present"
               if (gitlab__edition == "enterprise")
               else "absent" }}'
- gitlab__extrepo__dependent_sources
List of APT repository sources managed by the debops.extrepo Ansible role.
gitlab__extrepo__dependent_sources:
  - name: 'gitlab_ce'
    state: '{{ "present"
               if (gitlab__edition == "community")
               else "absent" }}'
- gitlab__ferm__dependent_rules
Configuration for the debops.ferm Ansible role.
gitlab__ferm__dependent_rules:
  - name: 'gitlab_services'
    type: 'accept'
    by_role: 'debops.gitlab'
    dport: '{{ gitlab__firewall_ports }}'
    saddr: '{{ gitlab__allow + gitlab__group_allow + gitlab__host_allow }}'
    accept_any: True
    rule_state: 'present'
- gitlab__ldap__dependent_tasks
Configuration for the debops.ldap Ansible role.
gitlab__ldap__dependent_tasks:
  - name: 'Create GitLab account for {{ gitlab__ldap_device_dn | join(",") }}'
    dn: '{{ gitlab__ldap_binddn }}'
    objectClass: '{{ gitlab__ldap_self_object_classes }}'
    attributes: '{{ gitlab__ldap_self_attributes }}'
    no_log: '{{ debops__no_log | d(True) }}'
    state: '{{ "present" if gitlab__ldap_device_dn | d() else "ignore" }}'