debops.gitlab default variables

GitLab version configuration

These variables define what GitLab release branch will be used to install GitLab. The gitlab_version variable is used to enable/disable specific features dependent on the GitLab version, but does not correspond to the actual specific version number.

Both of these variables should be kept in sync.

gitlab__release_map

This is the dictionary that keeps track of supported GitLab releases per OS distribution/release. Older OS releases might not have the required environment support, for example old Ruby or Go version.

gitlab__release_map:

  # OS releases with Ruby 2.1
  'wheezy': '8-17-stable'
  'jessie': '8-17-stable'
  'trusty': '8-17-stable'

  # OS releases with Ruby 2.3
  'stretch': '10-8-stable'
  'xenial':  '10-8-stable'

  # OS releases with Ruby 2.5
  'buster':  '12-10-stable'
  'bionic':  '12-10-stable'
  'eoan':    '12-10-stable'

  # OS releases with Ruby 2.7+ (future)
  'bullseye': '12-10-stable'
  'focal':    '12-10-stable'
gitlab__distribution_release

Specify the OS release which is used to select the version of GitLab to install and APT package names.

gitlab__distribution_release: '{{ ansible_local.core.distribution_release|d(ansible_distribution_release) }}'
gitlab__release

Specify the GitLab release to install or manage. The role checks what release is currently installed and can perform automatic upgrade if the installed release is older than the specified. Downgrades are not supported.

gitlab__release: '{{ gitlab__release_map[gitlab__distribution_release] }}'
gitlab_version

Specify the GitLab version to install or manage. The role checks what version is currently installed and can perform automatic upgrade if the installed version is older than the specified. Downgrades are not supported.

gitlab_version: '{{ gitlab__release | replace("-stable","") | replace("-",".") }}'

Application features

gitlab__database

What database to use for GitLab instance? Supported options:

  • postgresql: use PostgreSQL database

The role expects the selected database server to be configured. See the documentation of the debops.postgresql_server role for information about its features.

gitlab__database: '{{ ansible_local.gitlab.database
                      if (ansible_local.gitlab.database|d())
                      else ("postgresql"
                            if (ansible_local|d() and ansible_local.postgresql is defined)
                            else ("mariadb-is-deprecated"
                                  if (ansible_local|d() and ansible_local.mariadb is defined)
                                  else "no-database-detected")) }}'
gitlab_use_systemd

Enable or disable use of the systemd units instead of the upstream init script provided by GitLab. By default the init script will be used on non-systemd hosts.

gitlab_use_systemd: '{{ (ansible_local.gitlab.systemd_services
                         if (ansible_local.gitlab.systemd_services|d())
                         else (False
                               if (ansible_local.gitlab.installed|d())
                               else (True if ansible_service_mgr == "systemd" else False))) }}'
gitlab_enable_pages

Whether to enable gitlab-pages. Available in Gitlab 8.17 and newer.

gitlab_enable_pages: '{{ gitlab_version is version_compare("8.17",
                         operator="ge", strict=True) and gitlab_pages_domain|d() }}'

Application FQDN and DNS addresses

gitlab__fqdn

The Fully Qualified Domain Name of the GitLab application. This address is used to configure the webserver frontend.

gitlab__fqdn: 'code.{{ gitlab_domain }}'
gitlab_domain

Domain which will be used for nginx server and gitlab-shell access GitLab will be configured with HTTPS enabled by default

gitlab_domain: '{{ ansible_domain }}'

APT packages

gitlab__base_packages

List of base APT packages required by GitLab.

gitlab__base_packages: [ 'build-essential', 'cmake', 'git', 'pkg-config',
                         'unzip', 'acl', 'ssl-cert',
                         'libgdbm-dev', 'libreadline-dev', 'libncurses5-dev', 'libffi-dev',
                         'libxml2-dev', 'libxslt1-dev', 'libcurl4-openssl-dev', 'libkrb5-dev',
                         'libicu-dev', 'zlib1g-dev', 'libyaml-dev' ]
gitlab__release_packages

List of base APT packages required by GitLab depending on the distribution release.

gitlab__release_packages:
  jessie:  [ 'libssl-dev' ]
  stretch: [ 'libssl1.0-dev', 'libre2-dev' ]
  buster:  [ 'libssl-dev', 'libre2-dev' ]
  precise: [ 'libssl-dev' ]
  trusty:  [ 'libssl-dev' ]
  xenial:  [ 'libssl-dev', 'libre2-dev' ]
  bionic:  [ 'libssl-dev', 'libre2-dev' ]
gitlab__database_packages

YAML dictionary which contains list of APT packages required by a particular database server.

gitlab__database_packages:
  jessie:
    postgresql: [ 'libpq-dev', 'ruby-pg' ]
  stretch:
    postgresql: [ 'libpq-dev', 'ruby-pg' ]
  buster:
    postgresql: [ 'libpq-dev', 'ruby-pg' ]
  precise:
    postgresql: [ 'libpq-dev', 'ruby-pg' ]
  trusty:
    postgresql: [ 'libpq-dev', 'ruby-pg' ]
  xenial:
    postgresql: [ 'libpq-dev', 'ruby-pg' ]
  bionic:
    postgresql: [ 'libpq-dev', 'ruby-pg' ]

GitLab Pages configuration

gitlab_pages_domain

The main domain served by Gitlab Pages. Set this to your domain to enable Gitlab Pages.

This should be a different one than gitlab_domain to prevent cross domain cookie attacks.

gitlab_pages_domain: ''
gitlab_pages_port

Port the gitlab-pages HTTP server listens to.

gitlab_pages_port: '8090'
gitlab_pages_access_control_enabled

GitLab Pages access control can be configured per-project, and allows access to a Pages site to be controlled based on a user’s membership to that project. You need set also gitlab_pages_auth_client_id and gitlab_pages_auth_client_secret Available in Gitlab 12.10 and newer. https://docs.gitlab.com/12.10/ee/administration/pages/source.html#access-control

gitlab_pages_access_control_enabled: False
gitlab_pages_auth_client_id

GitLab application Client ID

gitlab_pages_auth_client_id: ''
gitlab_pages_auth_client_secret

GitLab application Client Secret

gitlab_pages_auth_client_secret: ''
gitlab_pages_auth_secret_path

Path to auth secret file located on the Ansible Controller. See the debops.secret role for more details.

gitlab_pages_auth_secret_path: '{{ secret + "/credentials/" + inventory_hostname +
                                   "/gitlab-pages/auth/secret" }}'
gitlab_pages_auth_secret

Cookie store hash key, should be at least 32 bytes long.

gitlab_pages_auth_secret: "{{ lookup('password', gitlab_pages_auth_secret_path
                              + ' length=40 chars=hexdigits') }}"

nginx webserver options

gitlab_nginx_auth_realm

Webserver authentication realm.

gitlab_nginx_auth_realm: 'GitLab access is restricted'
gitlab_nginx_access_policy

Name of webserver access policy to enable. Refer to debops.nginx for details.

gitlab_nginx_access_policy: ''
gitlab_nginx_client_max_body_size

nginx client_max_body_size value.

gitlab_nginx_client_max_body_size: '0'
gitlab_nginx_proxy_timeout

nginx - gitlab proxy timeout in seconds

gitlab_nginx_proxy_timeout: '300'

E-mail configuration

gitlab_email_display_name

E-mail sender name used by GitLab

gitlab_email_display_name: 'GitLab'
gitlab_email_from

E-mail address used by GitLab application.

gitlab_email_from: 'git@{{ gitlab__fqdn }}'
gitlab_email_reply_to

E-mail Reply-To address added to GitLab mails.

gitlab_email_reply_to: 'admin+gitlab@{{ gitlab_domain }}'
gitlab_admin_email

Default admin account e-mail address.

gitlab_admin_email: 'admin@{{ gitlab_domain }}'

New user configuration

gitlab_default_can_create_group

Should new users be able to create groups?

gitlab_default_can_create_group: 'true'
gitlab_username_changing_enabled

Can users change their own username?

gitlab_username_changing_enabled: 'false'
gitlab_default_theme

Default GitLab theme to use

gitlab_default_theme: '2'

Database configuration

gitlab_database_server

FQDN of the database server. It will be configured by the debops.postgresql role.

gitlab_database_server: '{{ ansible_local[gitlab__database].server }}'
gitlab_database_port

Port the database is listening on.

gitlab_database_port: '{{ ansible_local[gitlab__database].port }}'
gitlab_database_user

Name of the database account to use for the GitLab application.

gitlab_database_user: 'gitlab'
gitlab_database_name

Name of the database to use for the GitLab data.

gitlab_database_name: 'gitlabhq_production'
gitlab_database_password_path

Path to database password file located on the Ansible Controller. See the debops.secret role for more details.

gitlab_database_password_path: '{{ secret + "/" + gitlab__database + "/" +
                                   ansible_local[gitlab__database].delegate_to }}{%
                                     if gitlab__database=="postgresql" %}/{{ ansible_local[gitlab__database].port }}{% endif
                                   %}{{ "/credentials/" + gitlab_database_user +
                                   "/password" }}'
gitlab_database_password

Database password for GitLab.

gitlab_database_password: "{{ lookup('password', gitlab_database_password_path
                              + ' length=48 chars=ascii_letters,digits,.:-_') }}"
gitlab_postgresql_database_connection

Connection type for PostgreSQL database (choices: socket, port) FIXME: not supported yet

gitlab_postgresql_database_connection: 'socket'

GitLab backup options

gitlab_backup_enabled

Enable or disable Gitlab backup.

gitlab_backup_enabled: True
gitlab_backup_frequency

Backup frequency (daily, weekly, monthly)

gitlab_backup_frequency: 'daily'
gitlab_backup_keep_time

How long to store backups for, in seconds

gitlab_backup_keep_time: '{{ (60 * 60 * 24 * 7) }}'
gitlab_backup_exclude

Choose what should be excluded from the backup. An empty list means that nothing will be excluded from the backup. Valid options can be found at; https://docs.gitlab.com/ee/raketasks/backup_restore.html#excluding-specific-directories-from-the-backup

gitlab_backup_exclude: []

Redis configuration

gitlab_redis_host

Define hostname of redis server to use.

gitlab_redis_host: '{{ ansible_local.redis_server.host|d("localhost") }}'
gitlab_redis_port

Define port of redis server to use.

gitlab_redis_port: '{{ ansible_local.redis_server.port|d("6379") }}'
gitlab_redis_password

Define the Redis authentication password to use

gitlab_redis_password: '{{ ansible_local.redis_server.password|d("") }}'
gitlab_redis_resque

Connection string used in the configuration file.

gitlab_redis_resque: 'redis://{{ ((":" + gitlab_redis_password + "@")
                                  if gitlab_redis_password else "") +
                      gitlab_redis_host + ":" + gitlab_redis_port }}'
gitlab_redis_database

Specify which Redis database to use for GitLab

gitlab_redis_database: '0'

GitLab directory layout

gitlab_home

Home directory

gitlab_home: '{{ (ansible_local.fhs.home | d("/var/local"))
                 + "/" + gitlab_user }}'
gitlab_app_root_path

Application installation directory

gitlab_app_root_path: '{{ (ansible_local.fhs.app | d("/var/local"))
                          + "/" + gitlab_user }}'
gitlab_repositories_path

GitLab repositories

gitlab_repositories_path: '{{ (ansible_local.fhs.data | d("/srv"))
                              + "/gitlab/repositories" }}'
gitlab_satellites_path

GitLab satellites

gitlab_satellites_path: '{{ (ansible_local.fhs.data | d("/srv"))
                            + "/gitlab/satellites" }}'
gitlab_backup_path

Backup path

gitlab_backup_path: '{{ (ansible_local.fhs.backup | d("/var/backups"))
                        + "/gitlab" }}'
gitlab_src_path

GitLab sources root path

gitlab_src_path: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
                     + "/gitlab" }}'
gitlab_lfs_path

Gitlab path for lfs objects

gitlab_lfs_path: '{{ (ansible_local.fhs.data | d("/srv"))
                     + "/gitlab/shared/lfs-objects" }}'
gitlab_shared_path

Gitlab path for shared files

gitlab_shared_path: '{{ (ansible_local.fhs.data | d("/srv"))
                        + "/gitlab/shared" }}'
gitlab_artifacts_path

Gitlab path for artifacts files

gitlab_artifacts_path: '{{ (ansible_local.fhs.data | d("/srv"))
                           + "/gitlab/shared/artifacts" }}'
gitlab_pages_path

Path where GitLab Pages are stored in the filesystem.

gitlab_pages_path: '{{ (ansible_local.fhs.data | d("/srv"))
                       + "/gitlab/shared/pages" }}'

System user, group, additional groups

gitlab_user

System UNIX account used by the GitLab application. It will be visible in the git+ssh remote URLs.

gitlab_user: 'git'
gitlab_group

System UNIX group used by the Gitlab application.

gitlab_group: 'git'
gitlab_system_groups_prefix

Add a prefix to the custom UNIX system group names created by DebOps. By default, no prefix is added.

If the role detects that the LDAP support has been enabled on a host by the debops.ldap Ansible role, custom UNIX group names created locally on the host will have the _ prefix to indicate that they are local to a given host and not create conflicts with any UNIX groups defined in LDAP.

If the LDAP support was enabled after the system groups have been created, the role will keep the current prefix value to not duplicate the UNIX groups.

gitlab_system_groups_prefix: '{{ ansible_local.system_groups.local_prefix
                                 if ansible_local.system_groups.local_prefix|d()
                                 else ("_"
                                       if (ansible_local.ldap.posix_enabled|d())|bool)
                                       else "") }}'
gitlab_user_append_groups

List of additional system groups to add to the GitLab user account. The sshusers UNIX group is used in DebOps to limit SSH access. See the debops.system_groups role for more details.

gitlab_user_append_groups: [ '{{ system_groups__prefix }}sshusers', 'ssl-cert' ]
gitlab__shell

The default shell used by the GitLab UNIX account.

gitlab__shell: '/bin/bash'

Internal application options

gitlab_time_zone

The timezone used by GitLab.

gitlab_time_zone: 'UTC'
gitlab_git_max_size

Max git upload size in bytes.

gitlab_git_max_size: '{{ (1024 * 1024 * 20) }}'
gitlab_git_timeout

The git connection timeout in seconds.

gitlab_git_timeout: '10'
gitlab_unicorn_port

Unicorn port on localhost interface.

gitlab_unicorn_port: '18082'
gitlab_unicorn_timeout

Unicorn connection timeout in seconds.

gitlab_unicorn_timeout: '60'
gitlab_passenger_options

Additional options for Phusion Passenger as text block.

gitlab_passenger_options: ''
gitlab_shell_ssh_port

SSH port for GitLab Shell (does not affect sshd port setting).

gitlab_shell_ssh_port: '22'
gitlab__gravatar_enabled

Enable/Disable gitlab gravatar feature.

gitlab__gravatar_enabled: True
gitlab__gravatar_plain_url

Gravatar (HTTP) URL used by gitlab.

gitlab__gravatar_plain_url: ''
gitlab__gravatar_ssl_url

Gravatar SSL (HTTPS) URL used by gitlab.

gitlab__gravatar_ssl_url: ''

Compatibility workarounds

gitlab_support_filesystem_acl

Enable or disable ACL configuration for the webserver

gitlab_support_filesystem_acl: True

gitlab-shell source code

gitlab_shell_git_repo

URL of the gitlab-shell repository.

gitlab_shell_git_repo: 'https://gitlab.com/gitlab-org/gitlab-shell.git'
gitlab_shell_git_dest

Path where the gitlab-shell source code will be cloned into a bare repository.

gitlab_shell_git_dest: '{{ gitlab_src_path + "/" + gitlab_shell_git_repo.split("://")[1] }}'
gitlab_shell_git_checkout

Path where the gitlab-shell source code will be checked out.

gitlab_shell_git_checkout: '{{ gitlab_app_root_path + "/gitlab-shell" }}'

GitLab CE source code

gitlab_ce_git_repo

URL of the GitLab CE repository.

gitlab_ce_git_repo: 'https://gitlab.com/gitlab-org/gitlab-foss.git'
gitlab_ce_git_dest

Path where the GitLab CE source code will be cloned into a bare repository.

gitlab_ce_git_dest: '{{ gitlab_src_path + "/" + gitlab_ce_git_repo.split("://")[1] }}'
gitlab_ce_git_checkout

Path where the GitLab CE source code will be checked out.

gitlab_ce_git_checkout: '{{ gitlab_app_root_path + "/gitlab" }}'

GitLab git HTTP server source code

gitlab_git_http_server_repo

URL of the git HTTP server repository.

gitlab_git_http_server_repo: 'https://gitlab.com/gitlab-org/gitlab-git-http-server.git'
gitlab_git_http_server_dest

Path where the git HTTP server source code will be cloned into a bare repository.

gitlab_git_http_server_dest: '{{ gitlab_src_path + "/" + gitlab_git_http_server_repo.split("://")[1] }}'
gitlab_git_http_server_checkout

Path where the git HTTP server source code will be checked out.

gitlab_git_http_server_checkout: '{{ gitlab_app_root_path + "/gitlab-git-http-server" }}'

GitLab Workhorse source code

gitlab_workhorse_repo

URL of the GitLab Workhorse repository.

gitlab_workhorse_repo: 'https://gitlab.com/gitlab-org/gitlab-workhorse.git'
gitlab_workhorse_dest

Path where the GitLab Workhorse source code will be cloned into a bare repository.

gitlab_workhorse_dest: '{{ gitlab_src_path + "/" + gitlab_workhorse_repo.split("://")[1] }}'
gitlab_workhorse_checkout

Path where the GitLab Workhorse source code will be checked out.

gitlab_workhorse_checkout: '{{ gitlab_app_root_path + "/gitlab-workhorse" }}'

GitLab Pages source code

gitlab_pages_repo

URL of the GitLab Pages repository.

gitlab_pages_repo: 'https://gitlab.com/gitlab-org/gitlab-pages.git'
gitlab_pages_dest

Path where the GitLab Pages source code will be cloned into a bare repository.

gitlab_pages_dest: '{{ gitlab_src_path + "/" + gitlab_pages_repo.split("://")[1] }}'
gitlab_pages_checkout

Path where the GitLab Pages source code will be checked out.

gitlab_pages_checkout: '{{ gitlab_app_root_path + "/gitlab-pages" }}'

Gitaly source code

gitlab__gitaly_repo

URL of the Gitaly repository.

gitlab__gitaly_repo: 'https://gitlab.com/gitlab-org/gitaly.git'
gitlab__gitaly_dest

Path where the Gitaly source code will be cloned into a bare repository.

gitlab__gitaly_dest: '{{ gitlab_src_path + "/" + gitlab__gitaly_repo.split("://")[1] }}'
gitlab__gitaly_checkout

Path where the Gitaly source code will be checked out.

gitlab__gitaly_checkout: '{{ gitlab_app_root_path + "/gitaly" }}'

Build and deployment commands Different versions of GitLab might require different command parameters to build and deploy the service. The variables below define the commands according to the selected version or feature.

gitlab_assets_clean

Rake task which cleans GitLab static assets during upgrades.

gitlab_assets_clean: '{{ "gitlab:assets:clean"
                         if (gitlab_version is version_compare("8.17", operator="ge", strict=True))
                         else "assets:clean" }}'
gitlab_assets_compile

Rake task which builds or rebuilds GitLab assets during installation or upgrades.

gitlab_assets_compile: '{{ "gitlab:assets:compile"
                           if (gitlab_version is version_compare("8.17", operator="ge", strict=True))
                           else "assets:precompile" }}'
gitlab_ce_bundle_install_without

YAML dictionary which maps Bundler parameters to the selected database backend.

gitlab_ce_bundle_install_without:
  'postgresql': 'development test aws mysql'

LDAP Authentication configuration

More information about LDAP support in GitLab can be found at https://gitlab.com/help/administration/auth/ldap.md

gitlab__ldap_enabled

Enable or disable LDAP support.

gitlab__ldap_enabled: '{{ True
                          if (ansible_local|d() and ansible_local.ldap|d() and
                              (ansible_local.ldap.enabled|d())|bool)
                          else False }}'
gitlab__ldap_base_dn

The base Distinguished Name which should be used to create Distinguished Names of the LDAP directory objects, defined as a YAML list. If this variable is empty, LDAP configuration will not be generated.

gitlab__ldap_base_dn: '{{ ansible_local.ldap.base_dn|d([]) }}'
gitlab__ldap_device_dn

The Distinguished Name of the current host LDAP object, defined as a YAML list. It will be used as a base for the GitLab service account LDAP object. If the list is empty, the role will not create the account LDAP object automatically.

gitlab__ldap_device_dn: '{{ ansible_local.ldap.device_dn|d([]) }}'
gitlab__ldap_self_rdn

The Relative Distinguished Name of the account LDAP object used by the GitLab service to access the LDAP directory.

gitlab__ldap_self_rdn: 'uid=gitlab'
gitlab__ldap_self_object_classes

List of the LDAP object classes which will be used to create the LDAP object used by the Gitlab service to access the LDAP directory.

gitlab__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
gitlab__ldap_self_attributes

YAML dictionary that defines the attributes of the LDAP object used by the GitLab service to access the LDAP directory.

gitlab__ldap_self_attributes:
  uid: '{{ gitlab__ldap_self_rdn.split("=")[1] }}'
  userPassword: '{{ gitlab__ldap_bindpw }}'
  host: '{{ [ ansible_fqdn, ansible_hostname ] | unique }}'
  description: 'Account used by the "GitLab" service to access the LDAP directory'
gitlab__ldap_binddn

The Distinguished Name of the account LDAP object used by the GitLab service to bind to the LDAP directory.

gitlab__ldap_binddn: '{{ ([ gitlab__ldap_self_rdn ] + gitlab__ldap_device_dn) | join(",") }}'
gitlab__ldap_bindpw

The password stored in the account LDAP object used by the GitLab service to bind to the LDAP directory.

gitlab__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
                                 + gitlab__ldap_binddn | to_uuid + ".password length=32"))
                         if gitlab__ldap_enabled|bool
                         else "" }}'
gitlab__ldap_sync_time

Specify the time in seconds between LDAP permission checks. The checks will be performed on the next GitLab interaction after the timeout.

gitlab__ldap_sync_time: '3600'
gitlab__ldap_label

Specify the name of the LDAP server displayed on the login page.

gitlab__ldap_label: 'LDAP'
gitlab__ldap_host

FQDN address of the LDAP server to connect to.

gitlab__ldap_host: '{{ ansible_local.ldap.hosts|d([""]) | first }}'
gitlab__ldap_port

The LDAP service port to use for connections.

gitlab__ldap_port: '{{ ansible_local.ldap.port|d("389") }}'
gitlab__ldap_encryption

The encryption method that should be used to connect to the LDAP server. Available methods: start_tls, simple_tls, plain.

gitlab__ldap_encryption: '{{ "start_tls"
                             if (ansible_local|d() and ansible_local.ldap|d() and
                                 (ansible_local.ldap.start_tls|d())|bool)
                             else "simple_tls" }}'
gitlab__ldap_timeout

Set timeout in seconds for LDAP queries.

gitlab__ldap_timeout: '10'
gitlab__ldap_activedirectory

Enable or disable support for ActiveDirectory servers.

gitlab__ldap_activedirectory: False
gitlab__ldap_account_attribute

Name of the LDAP attribute to use for account lookups. On plain LDAP servers it's usually uid, on older ActiveDirectory installations it could be sAMAccountName.

gitlab__ldap_account_attribute: '{{ "sAMAccountName"
                                    if (gitlab__ldap_activedirectory|bool)
                                    else "uid" }}'
gitlab__ldap_user_filter

LDAP search query which will be used by the GitLab service to filter the available user accounts.

gitlab__ldap_user_filter: '(&
                             (objectClass=inetOrgPerson)
                             (|
                               (authorizedService=all)
                               (authorizedService=gitlab)
                               (authorizedService=web:public)
                             )
                           )'
gitlab__ldap_username_or_email_login

If this variable is enabled, GitLab will ignore everything after the first '@' in the LDAP username submitted by the user on login.

Example: - the user enters jane.doe@example.com and p@ssw0rd as LDAP credentials; - GitLab queries the LDAP server with jane.doe and p@ssw0rd.

If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to disable this setting, because the userPrincipalName contains an '@'.

gitlab__ldap_username_or_email_login: '{{ True
                                          if (gitlab__ldap_account_attribute in
                                              [ "uid", "sAMAccountName" ])
                                          else False }}'
gitlab__ldap_block_auto_created_users

Enable this setting to keep new LDAP users blocked until they have been cleared by the admin.

gitlab__ldap_block_auto_created_users: False
gitlab__ldap_lowercase_usernames

If enabled, GitLab will convert usernames to lowercase before searching the for the LDAP user accounts.

gitlab__ldap_lowercase_usernames: True

Piwik configuration

gitlab__piwik_url

The URL (ex.: analytics.example.com) on which Piwik analytics responds (default to disabled). Please note that the visit requests from GitLab to the Piwik URL will be pushed with the same http scheme that the GitLab is hosted with. So, the URL variable must not contain the http scheme, but may contain a port or subdirectories.

gitlab__piwik_url: ''
gitlab__piwik_site_id

The ID of the GitLab website in Piwik analytics.

gitlab__piwik_site_id: '0'

Gitlab Container Registry configuration

It is possible to integrate the Docker Container Registry into GitLab, enabling each project to store its Docker images. For this to work, a separate Docker Registry needs to be installed, either on the same host as GitLab, or on a different host.

The debops.docker_registry role can be used to set up a Registry service; if the service is configured on the same host as GitLab service, the roles will automatically integrate their services.

gitlab__registry_enabled

Enable or disable support for GitLab Container Registry.

gitlab__registry_enabled: '{{ True
                              if (ansible_local|d() and ansible_local.docker_registry|d() and
                                  (ansible_local.docker_registry.installed|d())|bool)
                              else False }}'
gitlab__registry_host_fqdn

The Fully Qualified Domain Name of the Docker Registry, displayed to the GitLab users when configuring the Container Registry for their projects in the Gitlab UI. The Docker Registry needs to be reachable on a separate DNS subdomain, because GitLab does not proxy the connections to the service.

gitlab__registry_host_fqdn: '{{ ansible_local.docker_registry.host_fqdn|d(("registry." + gitlab_domain)) }}'
gitlab__registry_host_port

If the Docker Registry is available on TCP port other than 443, you can specify the port number here; it will be displayed in the GitLab Container Registry section of the GitLab interface. Docker Registry published behind a HTTPS reverse proxy does not need to advertise its port, 443 (HTTPS) will be used automatically by Docker clients.

gitlab__registry_host_port: '{{ ansible_local.docker_registry.host_port|d("5005") }}'
gitlab__registry_api_url

The internal URL to the Docker Registry API endpoint. Will be used by GitLab to directly communicate with the Registry API.

gitlab__registry_api_url: '{{ ansible_local.docker_registry.api_url|d("http://localhost:5000") }}'
gitlab__registry_path

The absolute path of the Docker Registry filesystem storage. This directory needs to be readable by the Gitlab UNIX account and the webserver.

gitlab__registry_path: '{{ ansible_local.docker_registry.storage_path
                           if (ansible_local|d() and ansible_local.docker_registry|d() and
                               (ansible_local.docker_registry.storage_type|d()) == "filesystem")
                           else "shared/registry" }}'
gitlab__registry_token_realm_url

The URL of the GitLab Container Registry API endpoint where Docker clients request authentication tokens required to access the Docker Registry.

gitlab__registry_token_realm_url: '{{ "https://" + gitlab__fqdn + "/jwt/auth" }}'
gitlab__registry_token_issuer

The name of the issuer of the authentication token. This value is included in the issued tokens, and needs to be specified in the Docker Registry configuration as well.

gitlab__registry_token_issuer: '{{ gitlab__fqdn + "-issuer" }}'
gitlab__registry_token_service

Name of the internal GitLab API service that manages the token authentication.

gitlab__registry_token_service: 'container_registry'
gitlab__registry_pki_path

The base path of the PKI managed by the debops.pki Ansible role.

gitlab__registry_pki_path: '{{ ansible_local.pki.path|d("/etc/pki/realms") }}'
gitlab__registry_pki_realm

The name of the PKI realm which should be used to sign the GitLab Container Registry tokens. The Docker Registry will use the certificate in a given PKI realm to authenticate the signatures.

gitlab__registry_pki_realm: '{{ ansible_local.pki.realm|d("domain") }}'
gitlab__registry_pki_key

Name of the file in the PKI realm directory which contains the private key used by the GitLab Container Registry service to sign the authentication tokens.

gitlab__registry_pki_key: 'default.key'
gitlab__registry_private_key

The absolute path of the private key used by the GitLab Container Registry service to sign authentication tokens for Docker clients.

gitlab__registry_private_key: '{{ gitlab__registry_pki_path + "/" +
                                  gitlab__registry_pki_realm + "/" +
                                  gitlab__registry_pki_key }}'

Configuration for other Ansible roles

gitlab__python__dependent_packages3

Configuration for the debops.python Ansible role.

gitlab__python__dependent_packages3:

  - 'python3-docutils'
gitlab__python__dependent_packages2

Configuration for the debops.python Ansible role.

gitlab__python__dependent_packages2:

  - 'python-docutils'
gitlab__etc_services__dependent_list

List of custom /etc/services to configure for the debops.etc_services Ansible role.

gitlab__etc_services__dependent_list:

  - name: 'gitlab'
    port: '{{ gitlab_unicorn_port }}'
    comment: 'GitLab'

  - name: 'gitlab-pages'
    port: '{{ gitlab_pages_port }}'
    comment: 'GitLab Pages'
gitlab__apt_preferences__dependent_list

Configuration for the debops.apt_preferences role.

gitlab__apt_preferences__dependent_list:

  - package: 'git git-*'
    backports: [ 'jessie' ]
    reason:  'Meet version requirement of GitLab 8.17 (Git version >= 2.7.3) on Debian Jessie.'
    by_role: 'debops.gitlab'
gitlab__logrotate__dependent_config

Configuration for the debops.logrotate Ansible role.

gitlab__logrotate__dependent_config:

  - filename: 'gitlab'
    sections:

      - log: '{{ gitlab_home }}/gitlab/log/*.log'
        comment: |
          GitLab logrotate settings
          based on: https://stackoverflow.com/a/4883967
        options: |
          daily
          missingok
          rotate 90
          compress
          notifempty
          copytruncate
        state: 'present'

      - log: '{{ gitlab_home }}/gitlab-shell/gitlab-shell.log'
        options: |
          daily
          missingok
          rotate 90
          compress
          notifempty
          copytruncate
        state: 'present'
gitlab__postgresql__dependent_roles

Configuration of PostgreSQL roles for debops.postgresql Ansible role.

gitlab__postgresql__dependent_roles:

  # Owner of the ``gitlabhq_production`` database
  - name: '{{ gitlab_database_name }}'
    flags: [ 'NOLOGIN' ]

  # GitLab user account role
  - name: '{{ gitlab_database_user }}'
    password: '{{ gitlab_database_password }}'
gitlab__postgresql__dependent_databases

Configuration of PostgreSQL databases for the debops.postgresql Ansible role.

gitlab__postgresql__dependent_databases:

  - name:  '{{ gitlab_database_name }}'
    owner: '{{ gitlab_database_name }}'
gitlab__postgresql__dependent_groups

Configuration of PostgreSQL groups for the debops.postgresql Ansible role.

gitlab__postgresql__dependent_groups:

  - roles:  [ '{{ gitlab_database_user }}' ]
    groups: [ '{{ gitlab_database_name }}' ]
    database: '{{ gitlab_database_name }}'
gitlab__postgresql__dependent_extensions

Configuration of PostgreSQL extensions for the debops.postgresql Ansible role.

gitlab__postgresql__dependent_extensions:

  - database: '{{ gitlab_database_name }}'
    extension: 'pg_trgm'
gitlab__postgresql__dependent_pgpass

The ~/.pgpass configuration for debops.postgresql Ansible role.

gitlab__postgresql__dependent_pgpass:

  - owner: '{{ gitlab_user }}'
    home: '{{ gitlab_home }}'
    database: '{{ gitlab_database_name }}'
    role: '{{ gitlab_database_user }}'
gitlab__ldap__dependent_tasks

Configuration for the debops.ldap Ansible role.

gitlab__ldap__dependent_tasks:

  - name: 'Create GitLab account for {{ gitlab__ldap_device_dn | join(",") }}'
    dn: '{{ gitlab__ldap_binddn }}'
    objectClass: '{{ gitlab__ldap_self_object_classes }}'
    attributes: '{{ gitlab__ldap_self_attributes }}'
    no_log: True
    state: '{{ "present" if gitlab__ldap_device_dn|d() else "ignore" }}'
gitlab__nginx__dependent_upstreams

List of nginx upstreams for the debops.nginx Ansible role.

gitlab__nginx__dependent_upstreams:

  # Upstream configuration for the ``gitlab-workhorse`` used in GitLab 8.2+
  - name: 'gitlab-workhorse'
    server: 'unix:{{ gitlab_ce_git_checkout }}/tmp/sockets/gitlab-workhorse.socket'
gitlab__nginx__dependent_servers

List of nginx servers for the debops.nginx Ansible role.

gitlab__nginx__dependent_servers:

  - '{{ gitlab__nginx_server }}'
  - '{{ gitlab__nginx_pages_server }}'
gitlab__nginx_server

Configuration of the GitLab nginx proxy for the debops.nginx Ansible role.

gitlab__nginx_server:
  by_role: 'debops.gitlab'
  enabled: True
  type: 'rails'
  name: '{{ gitlab__fqdn }}'
  root: '{{ gitlab_ce_git_checkout }}/public'
  webroot_create: False

  deny_hidden: False

  access_policy: '{{ gitlab_nginx_access_policy }}'
  auth_basic_realm: '{{ gitlab_nginx_auth_realm }}'

  error_pages:
    '404': '/404.html'
    '422': '/422.html'
    '500': '/500.html'
    '502': '/502.html'

  # Phusion Passenger options
  passenger_user: '{{ gitlab_user }}'
  passenger_group: '{{ gitlab_group }}'
  passenger_options: '{{ gitlab_passenger_options }}'

  options: |
    client_max_body_size {{ gitlab_nginx_client_max_body_size }};

  location_list:
    - pattern: '/'
      options: |
        client_max_body_size 0;
        gzip off;

        ## https://github.com/gitlabhq/gitlabhq/issues/694
        ## Some requests take more than 30 seconds.
        proxy_read_timeout      300;
        proxy_connect_timeout   300;
        proxy_redirect          off;

        proxy_http_version 1.1;

        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto   $scheme;

        proxy_pass http://gitlab-workhorse;
gitlab__nginx_pages_server

Configuration of the GitLab Pages nginx proxy for the debops.nginx role.

gitlab__nginx_pages_server:
  by_role: 'debops.gitlab'
  enabled: '{{ gitlab_enable_pages }}'
  type: 'proxy'
  name: [ '{{ gitlab_pages_domain }}', '*.{{ gitlab_pages_domain }}' ]
  filename: 'gitlab-pages'
  proxy_pass: 'http://localhost:{{ gitlab_pages_port }}'
  state: '{{ "present" if gitlab_pages_domain|d() else "absent" }}'