Getting started

Default configuration

The debops.gitlab role supports installation of GitLab Omnibus Community Edition as well as the Enterprise Edition, which can be selected using the gitlab__edition variable. Manual installation of the GitLab Omnibus package is also supported, in which case the role can be used to configure such an installation and provide integration with the rest of the environment.

By default, the installation will be configured to publish GitLab on the code.{{ gitlab__domain }} DNS domain, to aid configuration of GitLab Runner instances. This can be changed by overriding the gitlab__fqdn variable via the Ansible inventory.

The initial root password is randomly generated and stored in the ansible/secret/gitlab/credentials/ directory on the Ansible Controller, managed by the debops.secret Ansible role.

GitLab Omnibus deployed by DebOps will be configured with GitLab Container Registry available by default on a separate TCP port. This ensures that only one DNS domain and X.509 certificate is needed by default. Container Registry can be deployed on a separate DNS domain if needed.

The role integrates GitLab Omnibus with the ferm service through the debops.ferm Ansible role. By default, the main GitLab service and Container Registry are accessible from any host or network once deployed; this can be changed using role variables.

The PKI environment managed by the debops.pki role is also integrated with GitLab Omnibus, through symlinks in the /etc/gitlab/ssl/ directory that provide access to private keys and X.509 certificates in the /etc/pki/realms/ directories.
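A post-deployment check of the symlink layout described above, as an added example that is not part of the debops.gitlab role. The function name audit_gitlab_ssl and the "*.key" suffix used to recognise private keys are assumptions made for this sketch; the two directories are passed as arguments.

```shell
#!/bin/sh
# Added example (not DebOps code): verify that every entry in the GitLab
# SSL directory is a symlink resolving inside the PKI realms tree, and that
# files linked under a "*.key" name (naming assumption) carry no permission
# bits for "other". Prints one line per finding; returns 0 only when clean.
audit_gitlab_ssl() {
    ssl_dir=$1
    realms_dir=$2
    findings=0
    realms_real=$(readlink -f "$realms_dir" || true)
    [ -n "$realms_real" ] && [ -d "$realms_real" ] || return 2

    for entry in "$ssl_dir"/*; do
        # Skip the literal pattern left behind by an empty directory.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ ! -L "$entry" ]; then
            # A copied file bypasses debops.pki renewal and permission handling.
            echo "NOT-SYMLINK $entry"
            findings=$((findings + 1))
            continue
        fi
        target=$(readlink -f "$entry" || true)
        if [ -z "$target" ] || [ ! -e "$target" ]; then
            echo "DANGLING $entry"
            findings=$((findings + 1))
            continue
        fi
        case $target in
            "$realms_real"/*) ;;
            *)
                echo "OUTSIDE-REALMS $entry -> $target"
                findings=$((findings + 1))
                continue
                ;;
        esac
        case $entry in
            *.key)
                # Any read/write/execute bit for "other" on a private key.
                if [ -n "$(find "$target" -prune \( -perm -004 -o -perm -002 -o -perm -001 \))" ]; then
                    echo "KEY-WORLD-ACCESSIBLE $entry -> $target"
                    findings=$((findings + 1))
                fi
                ;;
        esac
    done
    [ "$findings" -eq 0 ]
}
```

On a deployed host, source the file and run audit_gitlab_ssl /etc/gitlab/ssl /etc/pki/realms as root; a non-zero return with printed findings means the layout no longer matches what the role sets up.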

If the LDAP environment managed by the debops.ldap Ansible role is detected, a suitable user account for the GitLab instance will be created by default. GitLab will be configured with a single LDAP server in that case.

Daily backups of the GitLab Omnibus environment will be enabled by default using the cron service.

Example inventory

To install GitLab Omnibus service on a host, it needs to be included in the [debops_service_gitlab] Ansible inventory group.

Example Ansible inventory:



Example playbook

If you are using this role without DebOps, here's an example Ansible playbook that uses the debops.gitlab role:


---

- name: Manage GitLab Omnibus service
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_service_gitlab' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'

  roles:

    # APT signing keys required by the GitLab package repository
    - role: keyring
      tags: [ 'role::keyring', 'skip::keyring' ]
      keyring__dependent_apt_keys:
        - '{{ gitlab__keyring__dependent_apt_keys }}'

    - role: extrepo
      tags: [ 'role::extrepo', 'skip::extrepo' ]
      extrepo__dependent_sources:
        - '{{ gitlab__extrepo__dependent_sources }}'

    - role: etc_services
      tags: [ 'role::etc_services', 'skip::etc_services' ]
      etc_services__dependent_list:
        - '{{ gitlab__etc_services__dependent_list }}'

    # Firewall rules for the GitLab service and Container Registry
    - role: ferm
      tags: [ 'role::ferm', 'skip::ferm' ]
      ferm__dependent_rules:
        - '{{ gitlab__ferm__dependent_rules }}'

    - role: python
      tags: [ 'role::python', 'skip::python', 'role::ldap' ]
      python__dependent_packages3:
        - '{{ ldap__python__dependent_packages3 }}'
      python__dependent_packages2:
        - '{{ ldap__python__dependent_packages2 }}'

    # LDAP account used by the GitLab instance
    - role: ldap
      tags: [ 'role::ldap', 'skip::ldap' ]
      ldap__dependent_tasks:
        - '{{ gitlab__ldap__dependent_tasks }}'

    - role: gitlab
      tags: [ 'role::gitlab', 'skip::gitlab' ]

Ansible tags

You can use the Ansible --tags or --skip-tags parameters to limit which tasks are performed during an Ansible run. This can be used after a host was first configured to speed up playbook execution, when you are sure that most of the configuration is already in the desired state.

Available role tags:


role::gitlab
    Main role tag, should be used in the playbook to execute all of the role tasks as well as role dependencies.

Other resources

List of other useful resources related to the debops.gitlab Ansible role:

  • Official documentation of GitLab Omnibus

  • GitLab package repository which contains APT packages for older releases, not accessible through the official APT configuration