Getting started
Default configuration
The debops.gitlab role supports installation of GitLab Omnibus Community Edition as well as the Enterprise Edition, which can be selected using the gitlab__edition variable. Manual installation of the GitLab Omnibus package is also supported, in which case the role can be used to configure such an installation and provide integration with the rest of the environment.
By default, the installation will be configured to publish GitLab on the code.{{ gitlab__domain }} DNS domain, to aid configuration of GitLab Runner instances. This can be changed by overriding the gitlab__fqdn variable via the Ansible inventory.
The initial root password is randomly generated and stored in the ansible/secret/gitlab/credentials/ directory on the Ansible Controller, managed by the debops.secret Ansible role.
GitLab Omnibus deployed by DebOps will be configured with GitLab Container Registry available by default on a separate TCP port. This ensures that only one DNS domain and X.509 certificate is needed by default. Container Registry can be deployed on a separate DNS domain if needed.
The role integrates GitLab Omnibus with the ferm service through the debops.ferm Ansible role. By default, the main GitLab service and Container Registry are accessible to any hosts and networks once deployed; this can be configured using role variables.
The PKI environment managed by the debops.pki role is also integrated with GitLab Omnibus, via symlinks in the /etc/gitlab/ssl/ directory that provide access to private keys and X.509 certificates in the /etc/pki/realms/ directories.
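A check an administrator could run on the GitLab host to confirm that the symlinks described above resolve where they should; this is an added example, not part of the DebOps documentation or the role itself. The two default paths come from this page; treating entries named '*.key' as private keys and flagging any permission bits for "other" users are assumptions of the example.

```python
import os
import stat
from pathlib import Path


def audit_ssl_links(ssl_dir="/etc/gitlab/ssl", realms_dir="/etc/pki/realms"):
    """Return (entry name, finding) pairs for entries that need review."""
    ssl_path = Path(ssl_dir)
    if not ssl_path.is_dir():
        return [(str(ssl_path), "directory missing")]
    realms = Path(os.path.realpath(realms_dir))
    findings = []
    for entry in sorted(ssl_path.iterdir()):
        if not entry.is_symlink():
            # A regular file here is a copy that debops.pki will not rotate.
            findings.append((entry.name, "not a symlink"))
            continue
        target = Path(os.path.realpath(entry))
        if not target.exists():
            findings.append((entry.name, "dangling symlink"))
            continue
        if realms not in target.parents:
            findings.append((entry.name, "target outside PKI realms"))
            continue
        # Assumption: private keys are linked under a '.key' name.
        mode = stat.S_IMODE(target.stat().st_mode)
        if entry.suffix == ".key" and mode & 0o007:
            findings.append((entry.name, "private key accessible to others"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_ssl_links():
        print(f"{name}: {finding}")
```

An empty result means every entry is a symlink into the realms tree and no linked key carries permissions for other users.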
If the LDAP environment managed by the debops.ldap Ansible role is detected, a suitable user account for the GitLab instance will be created by default. GitLab will be configured with a single LDAP server in that case.
Daily backups of the GitLab Omnibus environment will be enabled by default using the cron service.
Example inventory
To install the GitLab Omnibus service on a host, the host needs to be included in the [debops_service_gitlab] Ansible inventory group.
Example Ansible inventory:
[debops_all_hosts]
hostname
[debops_service_gitlab]
hostname
Example playbook
If you are using this role without DebOps, here's an example Ansible playbook that uses the debops.gitlab role:
---

- name: Manage GitLab Omnibus service
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_service_gitlab' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment | d({})) }}'

  roles:

    - role: keyring
      tags: [ 'role::keyring', 'skip::keyring' ]
      keyring__dependent_apt_keys:
        - '{{ gitlab__keyring__dependent_apt_keys }}'

    - role: extrepo
      tags: [ 'role::extrepo', 'skip::extrepo' ]
      extrepo__dependent_sources:
        - '{{ gitlab__extrepo__dependent_sources }}'

    - role: etc_services
      tags: [ 'role::etc_services', 'skip::etc_services' ]
      etc_services__dependent_list:
        - '{{ gitlab__etc_services__dependent_list }}'

    - role: ferm
      tags: [ 'role::ferm', 'skip::ferm' ]
      ferm__dependent_rules:
        - '{{ gitlab__ferm__dependent_rules }}'

    - role: python
      tags: [ 'role::python', 'skip::python', 'role::ldap' ]
      python__dependent_packages3:
        - '{{ ldap__python__dependent_packages3 }}'
      python__dependent_packages2:
        - '{{ ldap__python__dependent_packages2 }}'

    - role: ldap
      tags: [ 'role::ldap', 'skip::ldap' ]
      ldap__dependent_tasks:
        - '{{ gitlab__ldap__dependent_tasks }}'

    - role: gitlab
      tags: [ 'role::gitlab', 'skip::gitlab' ]
Other resources
List of other useful resources related to the debops.gitlab Ansible role:
Official documentation of GitLab Omnibus
GitLab package repository which contains APT packages for older releases, not accessible through the official APT configuration