debops.gitlab default variables
Sections
GitLab version configuration
These variables define what GitLab release branch will be used to install
GitLab. The gitlab_version variable is used to enable/disable
specific features dependent on the GitLab version, but does not correspond to
the actual specific version number.
Both of these variables should be kept in sync.
- gitlab__release_map
This is the dictionary that keeps track of supported GitLab releases per OS distribution/release. Older OS releases might not have the required environment support, for example old Ruby or Go version.
gitlab__release_map:
# OS releases with Ruby 2.1
'wheezy': '8-17-stable'
'jessie': '8-17-stable'
'trusty': '8-17-stable'
# OS releases with Ruby 2.3
'stretch': '10-8-stable'
'xenial': '10-8-stable'
# OS releases with Ruby 2.5
'buster': '12-10-stable'
'bionic': '12-10-stable'
'eoan': '12-10-stable'
# OS releases with Ruby 2.7+ (future)
'bullseye': '12-10-stable'
'focal': '12-10-stable'
- gitlab__distribution_release
Specify the OS release which is used to select the version of GitLab to install and APT package names.
gitlab__distribution_release: '{{ ansible_local.core.distribution_release|d(ansible_distribution_release) }}'
- gitlab__release
Specify the GitLab release to install or manage. The role checks what release is currently installed and can perform automatic upgrade if the installed release is older than the specified. Downgrades are not supported.
gitlab__release: '{{ gitlab__release_map[gitlab__distribution_release] }}'
- gitlab_version
Specify the GitLab version to install or manage. The role checks what version is currently installed and can perform automatic upgrade if the installed version is older than the specified. Downgrades are not supported.
gitlab_version: '{{ gitlab__release | replace("-stable","") | replace("-",".") }}'
Application features
- gitlab__database
What database to use for GitLab instance? Supported options:
postgresql: use PostgreSQL database
The role expects the selected database server to be configured. See the documentation of the debops.postgresql_server role for information about its features.
gitlab__database: '{{ ansible_local.gitlab.database
if (ansible_local.gitlab.database|d())
else ("postgresql"
if (ansible_local|d() and ansible_local.postgresql is defined)
else ("mariadb-is-deprecated"
if (ansible_local|d() and ansible_local.mariadb is defined)
else "no-database-detected")) }}'
- gitlab_use_systemd
Enable or disable use of the systemd units instead of the upstream init script provided by GitLab. By default the init script will be used on non-systemd hosts.
gitlab_use_systemd: '{{ (ansible_local.gitlab.systemd_services
if (ansible_local.gitlab.systemd_services|d())
else (False
if (ansible_local.gitlab.installed|d())
else (True if ansible_service_mgr == "systemd" else False))) }}'
- gitlab_enable_pages
Whether to enable gitlab-pages. Available in Gitlab 8.17 and newer.
gitlab_enable_pages: '{{ gitlab_version is version_compare("8.17",
operator="ge", strict=True) and gitlab_pages_domain|d() }}'
Application FQDN and DNS addresses
- gitlab__fqdn
The Fully Qualified Domain Name of the GitLab application. This address is used to configure the webserver frontend.
gitlab__fqdn: 'code.{{ gitlab_domain }}'
- gitlab_domain
Domain which will be used for nginx server and gitlab-shell access GitLab will be configured with HTTPS enabled by default
gitlab_domain: '{{ ansible_domain }}'
APT packages
- gitlab__base_packages
List of base APT packages required by GitLab.
gitlab__base_packages: [ 'build-essential', 'cmake', 'git', 'pkg-config',
'unzip', 'acl', 'ssl-cert',
'libgdbm-dev', 'libreadline-dev', 'libncurses5-dev', 'libffi-dev',
'libxml2-dev', 'libxslt1-dev', 'libcurl4-openssl-dev', 'libkrb5-dev',
'libicu-dev', 'zlib1g-dev', 'libyaml-dev' ]
- gitlab__release_packages
List of base APT packages required by GitLab depending on the distribution release.
gitlab__release_packages:
jessie: [ 'libssl-dev' ]
stretch: [ 'libssl1.0-dev', 'libre2-dev' ]
buster: [ 'libssl-dev', 'libre2-dev' ]
precise: [ 'libssl-dev' ]
trusty: [ 'libssl-dev' ]
xenial: [ 'libssl-dev', 'libre2-dev' ]
bionic: [ 'libssl-dev', 'libre2-dev' ]
- gitlab__database_packages
YAML dictionary which contains list of APT packages required by a particular database server.
gitlab__database_packages:
jessie:
postgresql: [ 'libpq-dev', 'ruby-pg' ]
stretch:
postgresql: [ 'libpq-dev', 'ruby-pg' ]
buster:
postgresql: [ 'libpq-dev', 'ruby-pg' ]
precise:
postgresql: [ 'libpq-dev', 'ruby-pg' ]
trusty:
postgresql: [ 'libpq-dev', 'ruby-pg' ]
xenial:
postgresql: [ 'libpq-dev', 'ruby-pg' ]
bionic:
postgresql: [ 'libpq-dev', 'ruby-pg' ]
GitLab Pages configuration
- gitlab_pages_domain
The main domain served by Gitlab Pages. Set this to your domain to enable Gitlab Pages.
This should be a different one than gitlab_domain to prevent cross
domain cookie attacks.
gitlab_pages_domain: ''
- gitlab_pages_port
Port the gitlab-pages HTTP server listens to.
gitlab_pages_port: '8090'
- gitlab_pages_access_control_enabled
GitLab Pages access control can be configured per-project, and allows access to
a Pages site to be controlled based on a user’s membership to that project.
You need set also gitlab_pages_auth_client_id and gitlab_pages_auth_client_secret
Available in Gitlab 12.10 and newer.
https://docs.gitlab.com/12.10/ee/administration/pages/source.html#access-control
gitlab_pages_access_control_enabled: False
- gitlab_pages_auth_client_id
GitLab application Client ID
gitlab_pages_auth_client_id: ''
- gitlab_pages_auth_client_secret
GitLab application Client Secret
gitlab_pages_auth_client_secret: ''
- gitlab_pages_auth_secret_path
Path to auth secret file located on the Ansible Controller. See the debops.secret role for more details.
gitlab_pages_auth_secret_path: '{{ secret + "/credentials/" + inventory_hostname +
"/gitlab-pages/auth/secret" }}'
- gitlab_pages_auth_secret
Cookie store hash key, should be at least 32 bytes long.
gitlab_pages_auth_secret: "{{ lookup('password', gitlab_pages_auth_secret_path
+ ' length=40 chars=hexdigits') }}"
nginx webserver options
- gitlab_nginx_auth_realm
Webserver authentication realm.
gitlab_nginx_auth_realm: 'GitLab access is restricted'
- gitlab_nginx_access_policy
Name of webserver access policy to enable. Refer to debops.nginx for details.
gitlab_nginx_access_policy: ''
- gitlab_nginx_client_max_body_size
nginx client_max_body_size value.
gitlab_nginx_client_max_body_size: '0'
- gitlab_nginx_proxy_timeout
nginx - gitlab proxy timeout in seconds
gitlab_nginx_proxy_timeout: '300'
E-mail configuration
- gitlab_email_display_name
E-mail sender name used by GitLab
gitlab_email_display_name: 'GitLab'
- gitlab_email_from
E-mail address used by GitLab application.
gitlab_email_from: 'git@{{ gitlab__fqdn }}'
- gitlab_email_reply_to
E-mail Reply-To address added to GitLab mails.
gitlab_email_reply_to: 'admin+gitlab@{{ gitlab_domain }}'
- gitlab_admin_email
Default admin account e-mail address.
gitlab_admin_email: 'admin@{{ gitlab_domain }}'
New user configuration
- gitlab_default_can_create_group
Should new users be able to create groups?
gitlab_default_can_create_group: 'true'
- gitlab_username_changing_enabled
Can users change their own username?
gitlab_username_changing_enabled: 'false'
- gitlab_default_theme
Default GitLab theme to use
gitlab_default_theme: '2'
Database configuration
- gitlab_database_server
FQDN of the database server. It will be configured by the debops.postgresql role.
gitlab_database_server: '{{ ansible_local[gitlab__database].server }}'
- gitlab_database_port
Port the database is listening on.
gitlab_database_port: '{{ ansible_local[gitlab__database].port }}'
- gitlab_database_user
Name of the database account to use for the GitLab application.
gitlab_database_user: 'gitlab'
- gitlab_database_name
Name of the database to use for the GitLab data.
gitlab_database_name: 'gitlabhq_production'
- gitlab_database_password_path
Path to database password file located on the Ansible Controller. See the debops.secret role for more details.
gitlab_database_password_path: '{{ secret + "/" + gitlab__database + "/" +
ansible_local[gitlab__database].delegate_to }}{%
if gitlab__database=="postgresql" %}/{{ ansible_local[gitlab__database].port }}{% endif
%}{{ "/credentials/" + gitlab_database_user +
"/password" }}'
- gitlab_database_password
Database password for GitLab.
gitlab_database_password: "{{ lookup('password', gitlab_database_password_path
+ ' length=48 chars=ascii_letters,digits,.:-_') }}"
- gitlab_postgresql_database_connection
Connection type for PostgreSQL database (choices: socket, port) FIXME: not supported yet
gitlab_postgresql_database_connection: 'socket'
GitLab backup options
- gitlab_backup_enabled
Enable or disable Gitlab backup.
gitlab_backup_enabled: True
- gitlab_backup_frequency
Backup frequency (daily, weekly, monthly)
gitlab_backup_frequency: 'daily'
- gitlab_backup_keep_time
How long to store backups for, in seconds
gitlab_backup_keep_time: '{{ (60 * 60 * 24 * 7) }}'
- gitlab_backup_exclude
Choose what should be excluded from the backup. An empty list means that nothing will be excluded from the backup. Valid options can be found at; https://docs.gitlab.com/ee/raketasks/backup_restore.html#excluding-specific-directories-from-the-backup
gitlab_backup_exclude: []
Redis configuration
- gitlab_redis_host
Define hostname of redis server to use.
gitlab_redis_host: '{{ ansible_local.redis_server.host|d("localhost") }}'
- gitlab_redis_port
Define port of redis server to use.
gitlab_redis_port: '{{ ansible_local.redis_server.port|d("6379") }}'
- gitlab_redis_password
Define the Redis authentication password to use
gitlab_redis_password: '{{ ansible_local.redis_server.password|d("") }}'
- gitlab_redis_resque
Connection string used in the configuration file.
gitlab_redis_resque: 'redis://{{ ((":" + gitlab_redis_password + "@")
if gitlab_redis_password else "") +
gitlab_redis_host + ":" + gitlab_redis_port }}'
- gitlab_redis_database
Specify which Redis database to use for GitLab
gitlab_redis_database: '0'
GitLab directory layout
- gitlab_home
Home directory
gitlab_home: '{{ (ansible_local.fhs.home | d("/var/local"))
+ "/" + gitlab_user }}'
- gitlab_app_root_path
Application installation directory
gitlab_app_root_path: '{{ (ansible_local.fhs.app | d("/var/local"))
+ "/" + gitlab_user }}'
- gitlab_repositories_path
GitLab repositories
gitlab_repositories_path: '{{ (ansible_local.fhs.data | d("/srv"))
+ "/gitlab/repositories" }}'
- gitlab_satellites_path
GitLab satellites
gitlab_satellites_path: '{{ (ansible_local.fhs.data | d("/srv"))
+ "/gitlab/satellites" }}'
- gitlab_backup_path
Backup path
gitlab_backup_path: '{{ (ansible_local.fhs.backup | d("/var/backups"))
+ "/gitlab" }}'
- gitlab_src_path
GitLab sources root path
gitlab_src_path: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
+ "/gitlab" }}'
- gitlab_lfs_path
Gitlab path for lfs objects
gitlab_lfs_path: '{{ (ansible_local.fhs.data | d("/srv"))
+ "/gitlab/shared/lfs-objects" }}'
Gitlab path for shared files
gitlab_shared_path: '{{ (ansible_local.fhs.data | d("/srv"))
+ "/gitlab/shared" }}'
- gitlab_artifacts_path
Gitlab path for artifacts files
gitlab_artifacts_path: '{{ (ansible_local.fhs.data | d("/srv"))
+ "/gitlab/shared/artifacts" }}'
- gitlab_pages_path
Path where GitLab Pages are stored in the filesystem.
gitlab_pages_path: '{{ (ansible_local.fhs.data | d("/srv"))
+ "/gitlab/shared/pages" }}'
System user, group, additional groups
- gitlab_user
System UNIX account used by the GitLab application. It will be visible in the git+ssh remote URLs.
gitlab_user: 'git'
- gitlab_group
System UNIX group used by the Gitlab application.
gitlab_group: 'git'
- gitlab_system_groups_prefix
Add a prefix to the custom UNIX system group names created by DebOps. By default, no prefix is added.
If the role detects that the LDAP support has been enabled on a host by the
debops.ldap Ansible role, custom UNIX group names created locally on
the host will have the _ prefix to indicate that they are local to
a given host and not create conflicts with any UNIX groups defined in LDAP.
If the LDAP support was enabled after the system groups have been created, the role will keep the current prefix value to not duplicate the UNIX groups.
gitlab_system_groups_prefix: '{{ ansible_local.system_groups.local_prefix
if ansible_local.system_groups.local_prefix|d()
else ("_"
if (ansible_local.ldap.posix_enabled|d())|bool)
else "") }}'
- gitlab_user_append_groups
List of additional system groups to add to the GitLab user account.
The sshusers UNIX group is used in DebOps to limit SSH access. See the
debops.system_groups role for more details.
gitlab_user_append_groups: [ '{{ system_groups__prefix }}sshusers', 'ssl-cert' ]
- gitlab__shell
The default shell used by the GitLab UNIX account.
gitlab__shell: '/bin/bash'
Internal application options
- gitlab_time_zone
The timezone used by GitLab.
gitlab_time_zone: 'UTC'
- gitlab_git_max_size
Max git upload size in bytes.
gitlab_git_max_size: '{{ (1024 * 1024 * 20) }}'
- gitlab_git_timeout
The git connection timeout in seconds.
gitlab_git_timeout: '10'
- gitlab_unicorn_port
Unicorn port on localhost interface.
gitlab_unicorn_port: '18082'
- gitlab_unicorn_timeout
Unicorn connection timeout in seconds.
gitlab_unicorn_timeout: '60'
- gitlab_passenger_options
Additional options for Phusion Passenger as text block.
gitlab_passenger_options: ''
- gitlab_shell_ssh_port
SSH port for GitLab Shell (does not affect sshd port setting).
gitlab_shell_ssh_port: '22'
- gitlab__gravatar_enabled
Enable/Disable gitlab gravatar feature.
gitlab__gravatar_enabled: True
- gitlab__gravatar_plain_url
Gravatar (HTTP) URL used by gitlab.
gitlab__gravatar_plain_url: ''
- gitlab__gravatar_ssl_url
Gravatar SSL (HTTPS) URL used by gitlab.
gitlab__gravatar_ssl_url: ''
Compatibility workarounds
- gitlab_support_filesystem_acl
Enable or disable ACL configuration for the webserver
gitlab_support_filesystem_acl: True
gitlab-shell source code
- gitlab_shell_git_repo
URL of the gitlab-shell repository.
gitlab_shell_git_repo: 'https://gitlab.com/gitlab-org/gitlab-shell.git'
- gitlab_shell_git_dest
Path where the gitlab-shell source code will be cloned into a bare
repository.
gitlab_shell_git_dest: '{{ gitlab_src_path + "/" + gitlab_shell_git_repo.split("://")[1] }}'
- gitlab_shell_git_checkout
Path where the gitlab-shell source code will be checked out.
gitlab_shell_git_checkout: '{{ gitlab_app_root_path + "/gitlab-shell" }}'
GitLab CE source code
- gitlab_ce_git_repo
URL of the GitLab CE repository.
gitlab_ce_git_repo: 'https://gitlab.com/gitlab-org/gitlab-foss.git'
- gitlab_ce_git_dest
Path where the GitLab CE source code will be cloned into a bare repository.
gitlab_ce_git_dest: '{{ gitlab_src_path + "/" + gitlab_ce_git_repo.split("://")[1] }}'
- gitlab_ce_git_checkout
Path where the GitLab CE source code will be checked out.
gitlab_ce_git_checkout: '{{ gitlab_app_root_path + "/gitlab" }}'
GitLab git HTTP server source code
- gitlab_git_http_server_repo
URL of the git HTTP server repository.
gitlab_git_http_server_repo: 'https://gitlab.com/gitlab-org/gitlab-git-http-server.git'
- gitlab_git_http_server_dest
Path where the git HTTP server source code will be cloned into a bare repository.
gitlab_git_http_server_dest: '{{ gitlab_src_path + "/" + gitlab_git_http_server_repo.split("://")[1] }}'
- gitlab_git_http_server_checkout
Path where the git HTTP server source code will be checked out.
gitlab_git_http_server_checkout: '{{ gitlab_app_root_path + "/gitlab-git-http-server" }}'
GitLab Workhorse source code
- gitlab_workhorse_repo
URL of the GitLab Workhorse repository.
gitlab_workhorse_repo: 'https://gitlab.com/gitlab-org/gitlab-workhorse.git'
- gitlab_workhorse_dest
Path where the GitLab Workhorse source code will be cloned into a bare repository.
gitlab_workhorse_dest: '{{ gitlab_src_path + "/" + gitlab_workhorse_repo.split("://")[1] }}'
- gitlab_workhorse_checkout
Path where the GitLab Workhorse source code will be checked out.
gitlab_workhorse_checkout: '{{ gitlab_app_root_path + "/gitlab-workhorse" }}'
GitLab Pages source code
- gitlab_pages_repo
URL of the GitLab Pages repository.
gitlab_pages_repo: 'https://gitlab.com/gitlab-org/gitlab-pages.git'
- gitlab_pages_dest
Path where the GitLab Pages source code will be cloned into a bare repository.
gitlab_pages_dest: '{{ gitlab_src_path + "/" + gitlab_pages_repo.split("://")[1] }}'
- gitlab_pages_checkout
Path where the GitLab Pages source code will be checked out.
gitlab_pages_checkout: '{{ gitlab_app_root_path + "/gitlab-pages" }}'
Gitaly source code
- gitlab__gitaly_repo
URL of the Gitaly repository.
gitlab__gitaly_repo: 'https://gitlab.com/gitlab-org/gitaly.git'
- gitlab__gitaly_dest
Path where the Gitaly source code will be cloned into a bare repository.
gitlab__gitaly_dest: '{{ gitlab_src_path + "/" + gitlab__gitaly_repo.split("://")[1] }}'
- gitlab__gitaly_checkout
Path where the Gitaly source code will be checked out.
gitlab__gitaly_checkout: '{{ gitlab_app_root_path + "/gitaly" }}'
Build and deployment commands Different versions of GitLab might require different command parameters to build and deploy the service. The variables below define the commands according to the selected version or feature.
- gitlab_assets_clean
Rake task which cleans GitLab static assets during upgrades.
gitlab_assets_clean: '{{ "gitlab:assets:clean"
if (gitlab_version is version_compare("8.17", operator="ge", strict=True))
else "assets:clean" }}'
- gitlab_assets_compile
Rake task which builds or rebuilds GitLab assets during installation or upgrades.
gitlab_assets_compile: '{{ "gitlab:assets:compile"
if (gitlab_version is version_compare("8.17", operator="ge", strict=True))
else "assets:precompile" }}'
- gitlab_ce_bundle_install_without
YAML dictionary which maps Bundler parameters to the selected database backend.
gitlab_ce_bundle_install_without:
'postgresql': 'development test aws mysql'
LDAP Authentication configuration
More information about LDAP support in GitLab can be found at https://gitlab.com/help/administration/auth/ldap.md
- gitlab__ldap_enabled
Enable or disable LDAP support.
gitlab__ldap_enabled: '{{ True
if (ansible_local|d() and ansible_local.ldap|d() and
(ansible_local.ldap.enabled|d())|bool)
else False }}'
- gitlab__ldap_base_dn
The base Distinguished Name which should be used to create Distinguished Names of the LDAP directory objects, defined as a YAML list. If this variable is empty, LDAP configuration will not be generated.
gitlab__ldap_base_dn: '{{ ansible_local.ldap.base_dn|d([]) }}'
- gitlab__ldap_device_dn
The Distinguished Name of the current host LDAP object, defined as a YAML list. It will be used as a base for the GitLab service account LDAP object. If the list is empty, the role will not create the account LDAP object automatically.
gitlab__ldap_device_dn: '{{ ansible_local.ldap.device_dn|d([]) }}'
- gitlab__ldap_self_rdn
The Relative Distinguished Name of the account LDAP object used by the GitLab service to access the LDAP directory.
gitlab__ldap_self_rdn: 'uid=gitlab'
- gitlab__ldap_self_object_classes
List of the LDAP object classes which will be used to create the LDAP object used by the Gitlab service to access the LDAP directory.
gitlab__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
- gitlab__ldap_self_attributes
YAML dictionary that defines the attributes of the LDAP object used by the GitLab service to access the LDAP directory.
gitlab__ldap_self_attributes:
uid: '{{ gitlab__ldap_self_rdn.split("=")[1] }}'
userPassword: '{{ gitlab__ldap_bindpw }}'
host: '{{ [ ansible_fqdn, ansible_hostname ] | unique }}'
description: 'Account used by the "GitLab" service to access the LDAP directory'
- gitlab__ldap_binddn
The Distinguished Name of the account LDAP object used by the GitLab service to bind to the LDAP directory.
gitlab__ldap_binddn: '{{ ([ gitlab__ldap_self_rdn ] + gitlab__ldap_device_dn) | join(",") }}'
- gitlab__ldap_bindpw
The password stored in the account LDAP object used by the GitLab service to bind to the LDAP directory.
gitlab__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
+ gitlab__ldap_binddn | to_uuid + ".password length=32"))
if gitlab__ldap_enabled|bool
else "" }}'
- gitlab__ldap_sync_time
Specify the time in seconds between LDAP permission checks. The checks will be performed on the next GitLab interaction after the timeout.
gitlab__ldap_sync_time: '3600'
- gitlab__ldap_label
Specify the name of the LDAP server displayed on the login page.
gitlab__ldap_label: 'LDAP'
- gitlab__ldap_host
FQDN address of the LDAP server to connect to.
gitlab__ldap_host: '{{ ansible_local.ldap.hosts|d([""]) | first }}'
- gitlab__ldap_port
The LDAP service port to use for connections.
gitlab__ldap_port: '{{ ansible_local.ldap.port|d("389") }}'
- gitlab__ldap_encryption
The encryption method that should be used to connect to the LDAP server.
Available methods: start_tls, simple_tls, plain.
gitlab__ldap_encryption: '{{ "start_tls"
if (ansible_local|d() and ansible_local.ldap|d() and
(ansible_local.ldap.start_tls|d())|bool)
else "simple_tls" }}'
- gitlab__ldap_timeout
Set timeout in seconds for LDAP queries.
gitlab__ldap_timeout: '10'
- gitlab__ldap_activedirectory
Enable or disable support for ActiveDirectory servers.
gitlab__ldap_activedirectory: False
- gitlab__ldap_account_attribute
Name of the LDAP attribute to use for account lookups. On plain LDAP servers
it's usually uid, on older ActiveDirectory installations it could be
sAMAccountName.
gitlab__ldap_account_attribute: '{{ "sAMAccountName"
if (gitlab__ldap_activedirectory|bool)
else "uid" }}'
- gitlab__ldap_user_filter
LDAP search query which will be used by the GitLab service to filter the available user accounts.
gitlab__ldap_user_filter: '(&
(objectClass=inetOrgPerson)
(|
(authorizedService=all)
(authorizedService=gitlab)
(authorizedService=web:public)
)
)'
- gitlab__ldap_username_or_email_login
If this variable is enabled, GitLab will ignore everything after the first '@' in the LDAP username submitted by the user on login.
Example:
- the user enters jane.doe@example.com and p@ssw0rd as LDAP
credentials;
- GitLab queries the LDAP server with jane.doe and p@ssw0rd.
If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to disable this setting, because the userPrincipalName contains an '@'.
gitlab__ldap_username_or_email_login: '{{ True
if (gitlab__ldap_account_attribute in
[ "uid", "sAMAccountName" ])
else False }}'
- gitlab__ldap_block_auto_created_users
Enable this setting to keep new LDAP users blocked until they have been cleared by the admin.
gitlab__ldap_block_auto_created_users: False
- gitlab__ldap_lowercase_usernames
If enabled, GitLab will convert usernames to lowercase before searching the for the LDAP user accounts.
gitlab__ldap_lowercase_usernames: True
Piwik configuration
- gitlab__piwik_url
The URL (ex.: analytics.example.com) on which Piwik analytics responds (default to disabled). Please note that the visit requests from GitLab to the Piwik URL will be pushed with the same http scheme that the GitLab is hosted with. So, the URL variable must not contain the http scheme, but may contain a port or subdirectories.
gitlab__piwik_url: ''
- gitlab__piwik_site_id
The ID of the GitLab website in Piwik analytics.
gitlab__piwik_site_id: '0'
Gitlab Container Registry configuration
It is possible to integrate the Docker Container Registry into GitLab, enabling each project to store its Docker images. For this to work, a separate Docker Registry needs to be installed, either on the same host as GitLab, or on a different host.
The debops.docker_registry role can be used to set up a Registry service;
if the service is configured on the same host as GitLab service, the roles
will automatically integrate their services.
- gitlab__registry_enabled
Enable or disable support for GitLab Container Registry.
gitlab__registry_enabled: '{{ True
if (ansible_local|d() and ansible_local.docker_registry|d() and
(ansible_local.docker_registry.installed|d())|bool)
else False }}'
- gitlab__registry_host_fqdn
The Fully Qualified Domain Name of the Docker Registry, displayed to the GitLab users when configuring the Container Registry for their projects in the Gitlab UI. The Docker Registry needs to be reachable on a separate DNS subdomain, because GitLab does not proxy the connections to the service.
gitlab__registry_host_fqdn: '{{ ansible_local.docker_registry.host_fqdn|d(("registry." + gitlab_domain)) }}'
- gitlab__registry_host_port
If the Docker Registry is available on TCP port other than 443, you can specify the port number here; it will be displayed in the GitLab Container Registry section of the GitLab interface. Docker Registry published behind a HTTPS reverse proxy does not need to advertise its port, 443 (HTTPS) will be used automatically by Docker clients.
gitlab__registry_host_port: '{{ ansible_local.docker_registry.host_port|d("5005") }}'
- gitlab__registry_api_url
The internal URL to the Docker Registry API endpoint. Will be used by GitLab to directly communicate with the Registry API.
gitlab__registry_api_url: '{{ ansible_local.docker_registry.api_url|d("http://localhost:5000") }}'
- gitlab__registry_path
The absolute path of the Docker Registry filesystem storage. This directory needs to be readable by the Gitlab UNIX account and the webserver.
gitlab__registry_path: '{{ ansible_local.docker_registry.storage_path
if (ansible_local|d() and ansible_local.docker_registry|d() and
(ansible_local.docker_registry.storage_type|d()) == "filesystem")
else "shared/registry" }}'
- gitlab__registry_token_realm_url
The URL of the GitLab Container Registry API endpoint where Docker clients request authentication tokens required to access the Docker Registry.
gitlab__registry_token_realm_url: '{{ "https://" + gitlab__fqdn + "/jwt/auth" }}'
- gitlab__registry_token_issuer
The name of the issuer of the authentication token. This value is included in the issued tokens, and needs to be specified in the Docker Registry configuration as well.
gitlab__registry_token_issuer: '{{ gitlab__fqdn + "-issuer" }}'
- gitlab__registry_token_service
Name of the internal GitLab API service that manages the token authentication.
gitlab__registry_token_service: 'container_registry'
- gitlab__registry_pki_path
The base path of the PKI managed by the debops.pki Ansible role.
gitlab__registry_pki_path: '{{ ansible_local.pki.path|d("/etc/pki/realms") }}'
- gitlab__registry_pki_realm
The name of the PKI realm which should be used to sign the GitLab Container Registry tokens. The Docker Registry will use the certificate in a given PKI realm to authenticate the signatures.
gitlab__registry_pki_realm: '{{ ansible_local.pki.realm|d("domain") }}'
- gitlab__registry_pki_key
Name of the file in the PKI realm directory which contains the private key used by the GitLab Container Registry service to sign the authentication tokens.
gitlab__registry_pki_key: 'default.key'
- gitlab__registry_private_key
The absolute path of the private key used by the GitLab Container Registry service to sign authentication tokens for Docker clients.
gitlab__registry_private_key: '{{ gitlab__registry_pki_path + "/" +
gitlab__registry_pki_realm + "/" +
gitlab__registry_pki_key }}'
Configuration for other Ansible roles
- gitlab__python__dependent_packages3
Configuration for the debops.python Ansible role.
gitlab__python__dependent_packages3:
- 'python3-docutils'
- gitlab__python__dependent_packages2
Configuration for the debops.python Ansible role.
gitlab__python__dependent_packages2:
- 'python-docutils'
- gitlab__etc_services__dependent_list
List of custom /etc/services to configure for the debops.etc_services
Ansible role.
gitlab__etc_services__dependent_list:
- name: 'gitlab'
port: '{{ gitlab_unicorn_port }}'
comment: 'GitLab'
- name: 'gitlab-pages'
port: '{{ gitlab_pages_port }}'
comment: 'GitLab Pages'
- gitlab__apt_preferences__dependent_list
Configuration for the debops.apt_preferences role.
gitlab__apt_preferences__dependent_list:
- package: 'git git-*'
backports: [ 'jessie' ]
reason: 'Meet version requirement of GitLab 8.17 (Git version >= 2.7.3) on Debian Jessie.'
by_role: 'debops.gitlab'
- gitlab__logrotate__dependent_config
Configuration for the debops.logrotate Ansible role.
gitlab__logrotate__dependent_config:
- filename: 'gitlab'
sections:
- log: '{{ gitlab_home }}/gitlab/log/*.log'
comment: |
GitLab logrotate settings
based on: https://stackoverflow.com/a/4883967
options: |
daily
missingok
rotate 90
compress
notifempty
copytruncate
state: 'present'
- log: '{{ gitlab_home }}/gitlab-shell/gitlab-shell.log'
options: |
daily
missingok
rotate 90
compress
notifempty
copytruncate
state: 'present'
- gitlab__postgresql__dependent_roles
Configuration of PostgreSQL roles for debops.postgresql Ansible role.
gitlab__postgresql__dependent_roles:
# Owner of the ``gitlabhq_production`` database
- name: '{{ gitlab_database_name }}'
flags: [ 'NOLOGIN' ]
# GitLab user account role
- name: '{{ gitlab_database_user }}'
password: '{{ gitlab_database_password }}'
- gitlab__postgresql__dependent_databases
Configuration of PostgreSQL databases for the debops.postgresql Ansible role.
gitlab__postgresql__dependent_databases:
- name: '{{ gitlab_database_name }}'
owner: '{{ gitlab_database_name }}'
- gitlab__postgresql__dependent_groups
Configuration of PostgreSQL groups for the debops.postgresql Ansible role.
gitlab__postgresql__dependent_groups:
- roles: [ '{{ gitlab_database_user }}' ]
groups: [ '{{ gitlab_database_name }}' ]
database: '{{ gitlab_database_name }}'
- gitlab__postgresql__dependent_extensions
Configuration of PostgreSQL extensions for the debops.postgresql Ansible role.
gitlab__postgresql__dependent_extensions:
- database: '{{ gitlab_database_name }}'
extension: 'pg_trgm'
- gitlab__postgresql__dependent_pgpass
The ~/.pgpass configuration for debops.postgresql Ansible role.
gitlab__postgresql__dependent_pgpass:
- owner: '{{ gitlab_user }}'
home: '{{ gitlab_home }}'
database: '{{ gitlab_database_name }}'
role: '{{ gitlab_database_user }}'
- gitlab__ldap__dependent_tasks
Configuration for the debops.ldap Ansible role.
gitlab__ldap__dependent_tasks:
- name: 'Create GitLab account for {{ gitlab__ldap_device_dn | join(",") }}'
dn: '{{ gitlab__ldap_binddn }}'
objectClass: '{{ gitlab__ldap_self_object_classes }}'
attributes: '{{ gitlab__ldap_self_attributes }}'
no_log: '{{ debops__no_log | d(True) }}'
state: '{{ "present" if gitlab__ldap_device_dn|d() else "ignore" }}'
- gitlab__nginx__dependent_upstreams
List of nginx upstreams for the debops.nginx Ansible role.
gitlab__nginx__dependent_upstreams:
# Upstream configuration for the ``gitlab-workhorse`` used in GitLab 8.2+
- name: 'gitlab-workhorse'
server: 'unix:{{ gitlab_ce_git_checkout }}/tmp/sockets/gitlab-workhorse.socket'
- gitlab__nginx__dependent_servers
List of nginx servers for the debops.nginx Ansible role.
gitlab__nginx__dependent_servers:
- '{{ gitlab__nginx_server }}'
- '{{ gitlab__nginx_pages_server }}'
- gitlab__nginx_server
Configuration of the GitLab nginx proxy for the debops.nginx Ansible role.
gitlab__nginx_server:
by_role: 'debops.gitlab'
enabled: True
type: 'rails'
name: '{{ gitlab__fqdn }}'
root: '{{ gitlab_ce_git_checkout }}/public'
webroot_create: False
deny_hidden: False
access_policy: '{{ gitlab_nginx_access_policy }}'
auth_basic_realm: '{{ gitlab_nginx_auth_realm }}'
error_pages:
'404': '/404.html'
'422': '/422.html'
'500': '/500.html'
'502': '/502.html'
# Phusion Passenger options
passenger_user: '{{ gitlab_user }}'
passenger_group: '{{ gitlab_group }}'
passenger_options: '{{ gitlab_passenger_options }}'
options: |
client_max_body_size {{ gitlab_nginx_client_max_body_size }};
location_list:
- pattern: '/'
options: |
client_max_body_size 0;
gzip off;
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://gitlab-workhorse;
- gitlab__nginx_pages_server
Configuration of the GitLab Pages nginx proxy for the debops.nginx role.
gitlab__nginx_pages_server:
by_role: 'debops.gitlab'
enabled: '{{ gitlab_enable_pages }}'
type: 'proxy'
name: [ '{{ gitlab_pages_domain }}', '*.{{ gitlab_pages_domain }}' ]
filename: 'gitlab-pages'
proxy_pass: 'http://localhost:{{ gitlab_pages_port }}'
state: '{{ "present" if gitlab_pages_domain|d() else "absent" }}'