actcur/salt
3
0
Fork 0
Code Issues 5 Pull requests Projects Releases Wiki Activity

Mostly set up Icinga monitoring - CentOS still has issues and need to finish server build and backup

Browse source
This commit is contained in:
Beth Parker 2017-11-12 11:25:07 -06:00
parent b0af2fc25f
commit 3c74b0d166
181 changed files with 1674 additions and 11377 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
pillars/roles/aurpkgs/icinga.sls
View file

@ -2,4 +2,3 @@ aur:
pkgs:
icinga2: []
icingaweb2: []
icingaweb2-module-director: []

4
pillars/roles/database/icinga.sls
View file

@ -11,7 +11,3 @@ database:
icinga:
host: icinga.actcur.com
grant: all privileges
icinga2_director:
icinga:
host: icinga.actcur.com
grant: all privileges

4
pillars/roles/firewalld/nrpe.sls Normal file
View file

@ -0,0 +1,4 @@
firewalld:
70_internal:
port:
5666/tcp: []

17
pillars/roles/git/lightbooks.sls Normal file
View file

@ -0,0 +1,17 @@
git:
lightbooks:
repo: "ssh://gogs@git.actcur.com:5022/actcur/lightbooks.git"
path: "/usr/share/webapps/lightbooks"
branch: "master"
key: "git_actcur"
force: true
email: "actcur@actcur.com"
name: "Actaeus Curabitur"
lightbooks.dev:
repo: "ssh://gogs@git.actcur.com:5022/actcur/lightbooks.git"
path: "/usr/share/webapps/lightbooks-dev"
branch: "dev"
key: "git_actcur"
force: true
email: "actcur@actcur.com"
name: "Actaeus Curabitur"

10
pillars/roles/git/portal.sls
View file

@ -1,5 +1,5 @@
git:
tmux:
tmux-root:
repo: "ssh://gogs@git.actcur.com:5022/actcur/tmux.git"
path: "/root/tmux"
branch: "master"
@ -7,6 +7,14 @@ git:
force: true
email: "actcur@actcur.com"
name: "Actaeus Curabitur"
tmux-ejparker:
repo: "ssh://gogs@git.actcur.com:5022/actcur/tmux.git"
path: "/ejparker/tmux"
branch: "master"
key: "git_actcur"
force: true
email: "actcur@actcur.com"
name: "Actaeus Curabitur"
web:
repo: "ssh://gogs@git.actcur.com:5022/actcur/portal.git"
path: "/srv/http/portal"

9
pillars/roles/git/ytdownloader.sls Normal file
View file

@ -0,0 +1,9 @@
git:
ytdownloader:
repo: "ssh://gogs@git.actcur.com:5022/actcur/ytdownloader.git"
path: "/root/scripts/ytdownloader"
branch: "master"
key: "git_actcur"
force: true
email: "actcur@actcur.com"
name: "Actaeus Curabitur"

1
pillars/roles/init.sls
View file

@ -8,3 +8,4 @@ include:
- roles.backup
- roles.ca
- roles.database
- roles.services

2
pillars/roles/nginx/deluge.sls
View file

@ -6,7 +6,7 @@ nginx:
prot: http
portal:
Video:
Media:
deluge:
name: Torrents
summary: Deluge Torrent Server

2
pillars/roles/nginx/jackett.sls
View file

@ -6,7 +6,7 @@ nginx:
prot: http
portal:
Video:
Media:
jackett:
name: Torrent Indexers
summary: Jackett Server

24
pillars/roles/nginx/lightbooks.sls Normal file
View file

@ -0,0 +1,24 @@
nginx:
books:
auth: 2fa
https:
port: 8000
prot: http
books.dev:
auth: 2fa
https:
port: 8080
prot: http
default: no
portal:
Media:
books:
name: Books and Podcasts
summary: LightBooks Server
public: false
Dev:
books.dev:
name: Books and Podcasts - Dev
summary: LightBooks Server
public: false

2
pillars/roles/nginx/ombi.sls
View file

@ -6,7 +6,7 @@ nginx:
prot: http
portal:
Video:
Media:
ombi:
name: TV/Movie Requests
summary: OMBI Plex Requests Server

2
pillars/roles/nginx/plexmediaserver.sls
View file

@ -6,7 +6,7 @@ nginx:
prot: http
portal:
Video:
Media:
plex:
name: Plex
summary: Plex Media Server

2
pillars/roles/nginx/radarr.sls
View file

@ -6,7 +6,7 @@ nginx:
prot: http
portal:
Video:
Media:
radarr:
name: Movie Downloader
summary: Radarr Server

2
pillars/roles/nginx/sonarr.sls
View file

@ -6,7 +6,7 @@ nginx:
prot: http
portal:
Video:
Media:
sonarr:
name: TV Show Downloader
summary: Sonarr Server

3
pillars/roles/services/aurrepo.sls Normal file
View file

@ -0,0 +1,3 @@
services:
aurrepo:
updateaur.timer: []

5
pillars/roles/services/authelia.sls Normal file
View file

@ -0,0 +1,5 @@
services:
authelia:
mongodb: []
redis: []
authelia: []

3
pillars/roles/services/backup.sls Normal file
View file

@ -0,0 +1,3 @@
services:
backup:
backup.timer: []

3
pillars/roles/services/certbot.sls Normal file
View file

@ -0,0 +1,3 @@
services:
certbot:
certbot.timer: []

4
pillars/roles/services/core.sls Normal file
View file

@ -0,0 +1,4 @@
services:
core:
firewalld: []
sshd: []

4
pillars/roles/services/deluge.sls Normal file
View file

@ -0,0 +1,4 @@
services:
deluge:
deluged: []
deluge-web: []

3
pillars/roles/services/freeipa-server.sls Normal file
View file

@ -0,0 +1,3 @@
services:
freeipa-server:
httpd: []

3
pillars/roles/services/git.sls Normal file
View file

@ -0,0 +1,3 @@
services:
git:
gogs: []

4
pillars/roles/services/icinga.sls Normal file
View file

@ -0,0 +1,4 @@
services:
icinga:
icinga2: []
php-fpm: []

15
pillars/roles/services/init.sls Normal file
View file

@ -0,0 +1,15 @@
{% set states = salt['cp.list_states'](saltenv) %}
include:
- roles.services.none
{%- if grains['roles'] is defined -%}
{%- if grains['roles'] is not none -%}
{%- if 'icinga' in grains['roles'] -%}
{%- for state in states %}
{%- if state.startswith("pillars.roles.services.") -%}
{%- set role = state.split('.')[3] %}
- roles.services.{{ role }}
{%- endif -%}
{%- endfor -%}
{%- endif -%}
{%- endif -%}
{%- endif -%}

3
pillars/roles/services/lightbooks.sls Normal file
View file

@ -0,0 +1,3 @@
services:
lightbooks:
php-fpm: []

3
pillars/roles/services/mirrorlist.sls Normal file
View file

@ -0,0 +1,3 @@
services:
mirrorlist:
getmirrors.timer: []

4
pillars/roles/services/mysql.sls Normal file
View file

@ -0,0 +1,4 @@
services:
mysql:
mysqld: []
dumpdb.timer: []

3
pillars/roles/services/nginx-proxy.sls Normal file
View file

@ -0,0 +1,3 @@
services:
nginx-proxy:
nginx: []

0
pillars/roles/services/none.sls Normal file
View file

3
pillars/roles/services/ombi.sls Normal file
View file

@ -0,0 +1,3 @@
services:
ombi:
ombi: []

3
pillars/roles/services/pass.sls Normal file
View file

@ -0,0 +1,3 @@
services:
pass:
php-fpm: []

3
pillars/roles/services/pkg-cache.sls Normal file
View file

@ -0,0 +1,3 @@
services:
pkg-cache:
nginx: []

3
pillars/roles/services/plexmediaserver.sls Normal file
View file

@ -0,0 +1,3 @@
services:
plexmediaserver:
plexmediaserver: []

3
pillars/roles/services/saltmaster.sls Normal file
View file

@ -0,0 +1,3 @@
services:
saltmaster:
salt-master: []

4
pillars/roles/services/saltminion.sls Normal file
View file

@ -0,0 +1,4 @@
services:
saltminion:
salt-minion: []
highstate.timer: []

3
pillars/roles/services/sshserver.sls Normal file
View file

@ -0,0 +1,3 @@
services:
sshserver:
sshd: []

3
pillars/roles/services/ytdownloader.sls Normal file
View file

@ -0,0 +1,3 @@
services:
ytdownloader:
ytdownloader.timer: []

0
pillars/servers/env/server/centipa.sls → pillars/servers/env/server/books.sls vendored
View file

1
pillars/servers/env/server/debianipa.sls vendored
View file

@ -1 +0,0 @@
env: prod

1
pillars/servers/env/server/ipatest.sls vendored
View file

@ -1 +0,0 @@
env: prod

0
pillars/servers/maintainer/server/centipa.sls → pillars/servers/maintainer/server/books.sls
View file

3
pillars/servers/maintainer/server/debianipa.sls
View file

@ -1,3 +0,0 @@
maintainer:
- masaufuku

3
pillars/servers/maintainer/server/ipatest.sls
View file

@ -1,3 +0,0 @@
maintainer:
- masaufuku

1
pillars/servers/roles/server/archtest.sls
View file

@ -2,4 +2,5 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion

1
pillars/servers/roles/server/authelia.sls
View file

@ -2,6 +2,7 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion
- authelia
- nginx-proxy

1
pillars/servers/roles/server/baikal.sls
View file

@ -2,6 +2,7 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion
- nginx-proxy
- baikal

1
pillars/servers/roles/server/base
View file

@ -2,4 +2,5 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion

3
pillars/servers/roles/server/centipa.sls → pillars/servers/roles/server/books.sls
View file

@ -2,4 +2,7 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion
- lightbooks
- nginx-proxy

1
pillars/servers/roles/server/ca.sls
View file

@ -2,5 +2,6 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion
- ca

6
pillars/servers/roles/server/debianipa.sls
View file

@ -1,6 +0,0 @@
grains:
roles:
- server
- ssh
- saltminion
- freeipa_server

1
pillars/servers/roles/server/deluge.sls
View file

@ -2,6 +2,7 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion
- deluge
- nginx-proxy

2
pillars/servers/roles/server/git.sls
View file

@ -2,7 +2,7 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion
- git
- nginx-proxy
- nfs

1
pillars/servers/roles/server/host.sls
View file

@ -2,5 +2,6 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion
- backup

1
pillars/servers/roles/server/icinga.sls
View file

@ -2,6 +2,7 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion
- icinga
- nginx-proxy

1
pillars/servers/roles/server/ipa.sls
View file

@ -2,5 +2,6 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion
- freeipa-server

5
pillars/servers/roles/server/ipatest.sls
View file

@ -1,5 +0,0 @@
grains:
roles:
- server
- ssh
- saltminion

1
pillars/servers/roles/server/jackett.sls
View file

@ -2,6 +2,7 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion
- nginx-proxy
- jackett

1
pillars/servers/roles/server/ombi.sls
View file

@ -2,6 +2,7 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion
- nginx-proxy
- ombi

1
pillars/servers/roles/server/pass.sls
View file

@ -2,6 +2,7 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion
- nginx-proxy
- pass

1
pillars/servers/roles/server/pkg.sls
View file

@ -2,6 +2,7 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion
- pkg-cache
- aurrepo

1
pillars/servers/roles/server/plex.sls
View file

@ -2,6 +2,7 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion
- nginx-proxy
- plexmediaserver

1
pillars/servers/roles/server/portal.sls
View file

@ -2,6 +2,7 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion
- portal
- nginx-proxy

1
pillars/servers/roles/server/radarr.sls
View file

@ -2,6 +2,7 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion
- nginx-proxy
- radarr

1
pillars/servers/roles/server/salt.sls
View file

@ -2,6 +2,7 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion
- saltmaster
- mirrorlist

2
pillars/servers/roles/server/sonarr.sls
View file

@ -2,8 +2,8 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion
- nginx-proxy
- sonarr
- nfs
- ytdownloader

1
pillars/servers/roles/server/sql.sls
View file

@ -2,5 +2,6 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion
- mysql

1
pillars/servers/roles/server/ssh.sls
View file

@ -2,5 +2,6 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion
- sshserver

1
pillars/servers/roles/server/sync.sls
View file

@ -2,6 +2,7 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion
- sync
- nginx-proxy

1
pillars/servers/roles/server/tt.sls
View file

@ -2,6 +2,7 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion
- ttrss
- nginx-proxy

1
pillars/servers/roles/server/vpn.sls
View file

@ -2,6 +2,7 @@ grains:
roles:
- server
- ssh
- nrpe
- saltminion
- vpnserver
- ca-cert

29
states/roles/build/gitlab/init.sls
View file

@ -1,29 +0,0 @@
#Note: This *only* initializes the database - only use build script in a fresh environment, it'll nuke existing mysql database
#initialize redis database as gitlab user
redis-running:
service.running:
- name: redis
- enable: true
gitlab_init_db:
cmd.run:
- name: "bundle-2.3 exec rake gitlab:setup RAILS_ENV=production force=yes"
- cwd: "/usr/share/webapps/gitlab"
- runas: gitlab
#start services
gitlab.target:
service.running:
- enable: true
- reload: true
gitlab-workhorse:
service.running:
- enable: true
- reload: true
gitlab-unicorn:
service.running:
- enable: true
- reload: true
gitlab-sidekiq:
service.running:
- enable: true
- reload: true

10
states/roles/build/pepper/build_pepper.sh
View file

@ -1,10 +0,0 @@
cd /root/
curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/local/bin/composer
composer global require "laravel/installer"
ln -s /root/.config/composer/vendor/bin/laravel /usr/local/bin/laravel
cd /opt/
laravel new pepper
cd /opt/pepper
#require packages we need
composer require symfony/yaml

48
states/roles/build/pepper/init.sls
View file

@ -1,48 +0,0 @@
include:
{%- set os=grains['os'] -%}
{%- if os=="CentOS" or os=="RedHat" %}
- repos.nginx
- repos.webtatic
{% endif %}
php.packages:
pkg.installed:
- pkgs:
- php56w
- php56w-mbstring
- php56w-mysql
- php56w-mcrypt
- php56w-fpm
- php56w-xml
install_mariadb:
pkg.installed:
- pkgs:
- mariadb-server
selinux-policy-targeted:
pkg.installed
policycoreutils-python:
pkg.installed
httpd_can_network_connect:
selinux.boolean:
- value: True
- persist: True
/root/salt/scripts/build_pepper.sh:
file.managed:
- makedirs: true
- source: salt://roles/build/pepper/build_pepper.sh
- user: root
- group: root
- mode: 744
build_pepper:
cmd.run:
- name: "sh /root/salt/scripts/build_pepper.sh"
install_nginx:
pkg.installed:
- name: nginx

9
states/roles/build/saltpad/build_saltpad.sh
View file

@ -1,9 +0,0 @@
cd /opt/
git clone https://github.com/tinyclues/saltpad.git -b saltpad_v1
#git clone https://github.com/Lothiraldan/saltpad.git
cd saltpad
virtualenv venv
source venv/bin/activate
pip install -r requirements.txt
pip install chaussette
pip install pyyaml

49
states/roles/build/saltpad/init.sls
View file

@ -1,49 +0,0 @@
include:
{%- set os=grains['os'] -%}
{%- if os=="CentOS" or os=="RedHat" %}
- repos.nginx
{% endif %}
selinux-policy-targeted:
pkg.installed
policycoreutils-python:
pkg.installed
httpd_can_network_connect:
selinux.boolean:
- value: True
- persist: True
python-virtualenv:
pkg.installed
/root/salt/scripts/build_saltpad.sh:
file.managed:
- makedirs: true
- source: salt://roles/build/saltpad/build_saltpad.sh
- user: root
- group: root
- mode: 744
build_saltpad:
cmd.run:
- name: "sh /root/salt/scripts/build_saltpad.sh"
/root/salt/scripts/start_saltpad.sh:
file.managed:
- source: salt://roles/build/saltpad/start_saltpad.sh
- user: root
- group: root
- mode: 744
/usr/lib/systemd/system/saltpad.service:
file.managed:
- source: salt://roles/build/saltpad/saltpad.service
- user: root
- group: root
- mode: 644
install_nginx:
pkg.installed:
- name: nginx

11
states/roles/build/saltpad/saltpad.service
View file

@ -1,11 +0,0 @@
[Unit]
Description=The Saltpad
After=syslog.target network.target
[Service]
Type=forking
LimitNOFILE=8192
ExecStart=/bin/bash /root/salt/scripts/start_saltpad.sh start
[Install]
WantedBy=multi-user.target

67
states/roles/build/saltpad/start_saltpad.sh
View file

@ -1,67 +0,0 @@
#/bin/bash
c=`ps aux | grep chaussette | wc -l`
function stop {
if [ c -gt 1 ];
then
echo "Stopping server.."
pkill chaussette
echo ".. Done."
else
echo "Server not running"
fi
}
function start {
if [c -gt 1 ]
then
echo "Server is already running"
else
echo "Starting Server.."
cd /opt/saltpad
source venv/bin/activate
chaussette saltpad.merged:app &
echo ".. Done."
fi
}
function restart {
echo "Restarting server.."
if [ c -gt 1 ]
then
stop
sleep 5
start
else
start
fi
echo ".. Done."
}
function status {
if [ c -gt 1 ]
then
echo "Server is not running"
exit 1
else
echo "Server is running"
fi
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
status)
status
;;
*)
echo "Usage: $0 {start|stop|restart|status}"
esac

73
states/roles/maintain/gitlab/conf_files/config.yml
View file

@ -1,73 +0,0 @@
#
# If you change this file in a Merge Request, please also create
# a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
#
# GitLab user. git by default
user: gitlab
# URL to GitLab instance, used for API calls. Default: http://localhost:8080.
# For relative URL support read http://doc.gitlab.com/ce/install/relative_url.html
# You only have to change the default if you have configured Unicorn
# to listen on a custom port, or if you have configured Unicorn to
# only listen on a Unix domain socket. For Unix domain sockets use
# "http+unix://<urlquoted-path-to-socket>", e.g.
# "http+unix://%2Fpath%2Fto%2Fsocket"
gitlab_url: "http://localhost:8080"
# See installation.md#using-https for additional HTTPS configuration details.
http_settings:
# read_timeout: 300
# user: someone
# password: somepass
# ca_file: /etc/ssl/cert.pem
# ca_path: /etc/pki/tls/certs
self_signed_cert: false
# File used as authorized_keys for gitlab user
auth_file: "/var/lib/gitlab/.ssh/authorized_keys"
# File that contains the secret key for verifying access to GitLab.
# Default is .gitlab_shell_secret in the gitlab-shell directory.
# secret_file: "/var/lib/gitlab/gitlab-shell/.gitlab_shell_secret"
# Parent directory for global custom hook directories (pre-receive.d, update.d, post-receive.d)
# Default is hooks in the gitlab-shell directory.
# custom_hooks_dir: "/var/lib/gitlab/gitlab-shell/hooks"
# Redis settings used for pushing commit notices to gitlab
redis:
bin: /usr/bin/redis-cli
host: 127.0.0.1
port: 6379
# pass: redispass # Allows you to specify the password for Redis
database: 5
socket: /run/redis/redis.sock # Comment out this line if you want to use TCP or Sentinel
namespace: resque:gitlab
# sentinels:
# -
# host: 127.0.0.1
# port: 26380
# -
# host: 127.0.0.1
# port: 26381
# Log file.
# Default is gitlab-shell.log in the root directory.
log_file: "/var/log/gitlab/gitlab-shell.log"
# Log level. INFO by default
log_level: INFO
# Audit usernames.
# Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but
# incurs an extra API call on every gitlab-shell command.
audit_usernames: false
# Git trace log file.
# If set, git commands receive GIT_TRACE* environment variables
# See https://git-scm.com/book/es/v2/Git-Internals-Environment-Variables#Debugging for documentation
# An absolute path starting with / the trace output will be appended to that file.
# It needs to exist so we can check permissions and avoid to throwing warnings to the users.
git_trace_log_file:

44
states/roles/maintain/gitlab/conf_files/database.yml
View file

@ -1,44 +0,0 @@
#
# PRODUCTION
#
production:
adapter: mysql2
encoding: utf8
collation: utf8_general_ci
reconnect: false
database: gitlab
pool: 10
username: gitlab
password: "{%- include 'secure/passwords/gitlab_db_password.txt' -%}"
host: sql.actcur.com
# socket: /tmp/mysql.sock
#
# Development specific
#
development:
adapter: mysql2
encoding: utf8
collation: utf8_general_ci
reconnect: false
database: gitlabhq_development
pool: 5
username: root
password: "secure password"
# host: localhost
# socket: /tmp/mysql.sock
# Warning: The database defined as "test" will be erased and
# re-generated from your development database when you run "rake".
# Do not set this db to the same as development or production.
test: &test
adapter: mysql2
encoding: utf8mb4
collation: utf8mb4_general_ci
reconnect: false
database: gitlabhq_test
pool: 5
username: root
password:
# host: localhost
# socket: /tmp/mysql.sock

69
states/roles/maintain/gitlab/conf_files/gitlab.conf
View file

@ -1,69 +0,0 @@
## GitLab
##
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
##################################
## CONTRIBUTING ##
##################################
##
## If you change this file in a Merge Request, please also create
## a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
##
###################################
## configuration ##
###################################
##
## See installation.md#using-https for additional HTTPS configuration details.
upstream gitlab-workhorse {
server unix:/run/gitlab/gitlab-workhorse.socket fail_timeout=0;
}
## Normal HTTP host
server {
## Either remove "default_server" from the listen line below,
## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
## to be served if you visit any address that your server responds to, eg.
## the ip address of the server (http://x.x.x.x/)n 0.0.0.0:80 default_server;
listen 0.0.0.0:8000;
listen [::]:8000;
server_name git2.actcur.com; ## Replace this with something like gitlab.example.com
server_tokens off; ## Don't show the nginx version number, a security best practice
## See app/controllers/application_controller.rb for headers set
## Individual nginx logs for this GitLab vhost
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
location / {
client_max_body_size 0;
gzip off;
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://gitlab-workhorse;
}
error_page 404 /404.html;
error_page 422 /422.html;
error_page 500 /500.html;
error_page 502 /502.html;
location ~ ^/(404|422|500|502)\.html$ {
root /usr/share/webapps/gitlab/public;
internal;
}
}

627
states/roles/maintain/gitlab/conf_files/gitlab.yml
View file

@ -1,627 +0,0 @@
# # # # # # # # # # # # # # # # # #
# GitLab application config file #
# # # # # # # # # # # # # # # # # #
#
########################### NOTE #####################################
# This file should not receive new settings. All configuration options #
# * are being moved to ApplicationSetting model! #
# If a setting requires an application restart say so in that screen. #
# If you change this file in a Merge Request, please also create #
# a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests #
########################################################################
#
#
# How to use:
# 1. Copy file as gitlab.yml
# 2. Update gitlab -> host with your fully qualified domain name
# 3. Update gitlab -> email_from
# 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git
# IMPORTANT: If Git was installed in a different location use that instead.
# You can check with `which git`. If a wrong path of Git is specified, it will
# result in various issues such as failures of GitLab CI builds.
# 5. Review this configuration file for other settings you may want to adjust
production: &base
#
# 1. GitLab app settings
# ==========================
## GitLab settings
gitlab:
## Web server settings (note: host is the FQDN, do not include http://)
host: git.actcur.com
port: 443 # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
https: true # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
# Uncommment this line below if your ssh host is different from HTTP/HTTPS one
# (you'd obviously need to replace ssh.host_example.com with your own host).
# Otherwise, ssh host will be set to the `host:` value above
# ssh_host: ssh.host_example.com
# Relative URL support
# WARNING: We recommend using an FQDN to host GitLab in a root path instead
# of using a relative URL.
# Documentation: http://doc.gitlab.com/ce/install/relative_url.html
# Uncomment and customize the following line to run in a non-root path
#
# relative_url_root: /gitlab
# Trusted Proxies
# Customize if you have GitLab behind a reverse proxy which is running on a different machine.
# Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
trusted_proxies:
# Examples:
#- 192.168.1.0/24
#- 192.168.2.1
#- 2001:0db8::/32
# Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
user: gitlab
## Date & Time settings
# Uncomment and customize if you want to change the default time zone of GitLab application.
# To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production`
# time_zone: 'UTC'
## Email settings
# Uncomment and set to false if you need to disable email sending from GitLab (default: true)
# email_enabled: true
# Email address used in the "From" field in mails sent by GitLab
email_from: notifications@actcur.com
email_display_name: Actcur Git
email_reply_to: noreply@actcur.com
email_subject_suffix: ''
# Email server smtp settings are in config/initializers/smtp_settings.rb.sample
# default_can_create_group: false # default: true
# username_changing_enabled: false # default: true - User can change her username/namespace
## Automatic issue closing
# If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
# This happens when the commit is pushed or merged into the default branch of a project.
# When not specified the default issue_closing_pattern as specified below will be used.
# Tip: you can test your closing pattern at http://rubular.com.
# issue_closing_pattern: '((?:[Cc]los(?:e[sd]?|ing)|[Ff]ix(?:e[sd]|ing)?|[Rr]esolv(?:e[sd]?|ing))(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)'
## Default project features settings
default_projects_features:
issues: true
merge_requests: true
wiki: true
snippets: true
builds: true
container_registry: true
## Webhook settings
# Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
# webhook_timeout: 10
## Repository downloads directory
# When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory.
# The default is 'shared/cache/archive/' relative to the root of the Rails app.
# repository_downloads_path: shared/cache/archive/
## Reply by email
# Allow users to comment on issues and merge requests by replying to notification emails.
# For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html
incoming_email:
enabled: false
# The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
# The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
address: "gitlab-incoming+%{key}@gmail.com"
# Email account username
# With third party providers, this is usually the full email address.
# With self-hosted email servers, this is usually the user part of the email address.
user: "gitlab-incoming@gmail.com"
# Email account password
password: "[REDACTED]"
# IMAP server host
host: "imap.gmail.com"
# IMAP server port
port: 993
# Whether the IMAP server uses SSL
ssl: true
# Whether the IMAP server uses StartTLS
start_tls: false
# The mailbox where incoming mail will end up. Usually "inbox".
mailbox: "inbox"
# The IDLE command timeout.
idle_timeout: 60
## Build Artifacts
artifacts:
enabled: true
# The location where build artifacts are stored (default: shared/artifacts).
# path: shared/artifacts
## Git LFS
lfs:
enabled: true
# The location where LFS objects are stored (default: shared/lfs-objects).
# storage_path: shared/lfs-objects
## GitLab Pages
pages:
enabled: false
# The location where pages are stored (default: shared/pages).
# path: shared/pages
# The domain under which the pages are served:
# http://group.example.com/project
# or project path can be a group page: group.example.com
host: example.com
port: 80 # Set to 443 if you serve the pages with HTTPS
https: false # Set to true if you serve the pages with HTTPS
# external_http: ["1.1.1.1:80", "[2001::1]:80"] # If defined, enables custom domain support in GitLab Pages
# external_https: ["1.1.1.1:443", "[2001::1]:443"] # If defined, enables custom domain and certificate support in GitLab Pages
## Mattermost
## For enabling Add to Mattermost button
mattermost:
enabled: false
host: 'https://mattermost.example.com'
## Gravatar
## For Libravatar see: http://doc.gitlab.com/ce/customization/libravatar.html
gravatar:
# gravatar urls: possible placeholders: %{hash} %{size} %{email} %{username}
# plain_url: "http://..." # default: http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
# ssl_url: "https://..." # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
## Auxiliary jobs
# Periodically executed jobs, to self-heal Gitlab, do external synchronizations, etc.
# Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
cron_jobs:
# Flag stuck CI jobs as failed
stuck_ci_jobs_worker:
cron: "0 * * * *"
# Execute scheduled triggers
pipeline_schedule_worker:
cron: "19 * * * *"
# Remove expired build artifacts
expire_build_artifacts_worker:
cron: "50 * * * *"
# Periodically run 'git fsck' on all repositories. If started more than
# once per hour you will have concurrent 'git fsck' jobs.
repository_check_worker:
cron: "20 * * * *"
# Send admin emails once a week
admin_email_worker:
cron: "0 0 * * 0"
# Remove outdated repository archives
repository_archive_cache_worker:
cron: "0 * * * *"
registry:
# enabled: true
# host: registry.example.com
# port: 5005
# api_url: http://localhost:5000/ # internal address to the registry, will be used by GitLab to directly communicate with API
# key: config/registry.key
# path: shared/registry
# issuer: gitlab-issuer
#
# 2. GitLab CI settings
# ==========================
gitlab_ci:
# Default project notifications settings:
#
# Send emails only on broken builds (default: true)
# all_broken_builds: true
#
# Add pusher to recipients list (default: false)
# add_pusher: true
# The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root
# builds_path: builds/
#
# 3. Auth settings
# ==========================
## LDAP settings
# You can inspect a sample of the LDAP users with login access by running:
# bundle exec rake gitlab:ldap:check RAILS_ENV=production
ldap:
enabled: false
servers:
##########################################################################
#
# Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab
# Enterprise Edition now supports connecting to multiple LDAP servers.
#
# If you are updating from the old (pre-7.4) syntax, you MUST give your
# old server the ID 'main'.
#
##########################################################################
main: # 'main' is the GitLab 'provider ID' of this LDAP server
## label
#
# A human-friendly name for your LDAP server. It is OK to change the label later,
# for instance if you find out it is too large to fit on the web page.
#
# Example: 'Paris' or 'Acme, Ltd.'
label: 'LDAP'
host: '_your_ldap_server'
port: 389
uid: 'sAMAccountName'
method: 'plain' # "tls" or "ssl" or "plain"
bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
password: '_the_password_of_the_bind_user'
# Set a timeout, in seconds, for LDAP queries. This helps avoid blocking
# a request if the LDAP server becomes unresponsive.
# A value of 0 means there is no timeout.
timeout: 10
# This setting specifies if LDAP server is Active Directory LDAP server.
# For non AD servers it skips the AD specific queries.
# If your LDAP server is not AD, set this to false.
active_directory: true
# If allow_username_or_email_login is enabled, GitLab will ignore everything
# after the first '@' in the LDAP username submitted by the user on login.
#
# Example:
# - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
# - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
#
# If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
# disable this setting, because the userPrincipalName contains an '@'.
allow_username_or_email_login: false
# To maintain tight control over the number of active users on your GitLab installation,
# enable this setting to keep new users blocked until they have been cleared by the admin
# (default: false).
block_auto_created_users: false
# Base where we can search for users
#
# Ex. ou=People,dc=gitlab,dc=example
#
base: ''
# Filter LDAP users
#
# Format: RFC 4515 http://tools.ietf.org/search/rfc4515
# Ex. (employeeType=developer)
#
# Note: GitLab does not support omniauth-ldap's custom filter syntax.
#
user_filter: ''
# LDAP attributes that GitLab will use to create an account for the LDAP user.
# The specified attribute can either be the attribute name as a string (e.g. 'mail'),
# or an array of attribute names to try in order (e.g. ['mail', 'email']).
# Note that the user's LDAP login will always be the attribute specified as `uid` above.
attributes:
# The username will be used in paths for the user's own projects
# (like `gitlab.example.com/username/project`) and when mentioning
# them in issues, merge request and comments (like `@username`).
# If the attribute specified for `username` contains an email address,
# the GitLab username will be the part of the email address before the '@'.
username: ['uid', 'userid', 'sAMAccountName']
email: ['mail', 'email', 'userPrincipalName']
# If no full name could be found at the attribute specified for `name`,
# the full name is determined using the attributes specified for
# `first_name` and `last_name`.
name: 'cn'
first_name: 'givenName'
last_name: 'sn'
# GitLab EE only: add more LDAP servers
# Choose an ID made of a-z and 0-9 . This ID will be stored in the database
# so that GitLab can remember which LDAP server a user belongs to.
# uswest2:
# label:
# host:
# ....
## OmniAuth settings
omniauth:
# Allow login via Twitter, Google, etc. using OmniAuth providers
enabled: false
# Uncomment this to automatically sign in with a specific omniauth provider's without
# showing GitLab's sign-in page (default: show the GitLab sign-in page)
# auto_sign_in_with_provider: saml
# Sync user's email address from the specified Omniauth provider every time the user logs
# in (default: nil). And consequently make this field read-only.
# sync_email_from_provider: cas3
# CAUTION!
# This allows users to login without having a user account first. Define the allowed providers
# using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none.
# User accounts will be created automatically when authentication was successful.
allow_single_sign_on: ["saml"]
# Locks down those users until they have been cleared by the admin (default: true).
block_auto_created_users: true
# Look up new users in LDAP servers. If a match is found (same uid), automatically
# link the omniauth identity with the LDAP account. (default: false)
auto_link_ldap_user: false
# Allow users with existing accounts to login and auto link their account via SAML
# login, without having to do a manual login first and manually add SAML
# (default: false)
auto_link_saml_user: false
# Set different Omniauth providers as external so that all users creating accounts
# via these providers will not be able to have access to internal projects. You
# will need to use the full name of the provider, like `google_oauth2` for Google.
# Refer to the examples below for the full names of the supported providers.
# (default: [])
external_providers: []
## Auth providers
# Uncomment the following lines and fill in the data of the auth provider you want to use
# If your favorite auth provider is not listed you can use others:
# see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations
# The 'app_id' and 'app_secret' parameters are always passed as the first two
# arguments, followed by optional 'args' which can be either a hash or an array.
# Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
providers:
# See omniauth-cas3 for more configuration details
# - { name: 'cas3',
# label: 'cas3',
# args: {
# url: 'https://sso.example.com',
# disable_ssl_verification: false,
# login_url: '/cas/login',
# service_validate_url: '/cas/p3/serviceValidate',
# logout_url: '/cas/logout'} }
# - { name: 'authentiq',
# # for client credentials (client ID and secret), go to https://www.authentiq.com/
# app_id: 'YOUR_CLIENT_ID',
# app_secret: 'YOUR_CLIENT_SECRET',
# args: {
# scope: 'aq:name email~rs address aq:push'
# # redirect_uri parameter is optional except when 'gitlab.host' in this file is set to 'localhost'
# # redirect_uri: 'YOUR_REDIRECT_URI'
# }
# }
# - { name: 'github',
# app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET',
# url: "https://github.com/",
# verify_ssl: true,
# args: { scope: 'user:email' } }
# - { name: 'bitbucket',
# app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET' }
# - { name: 'gitlab',
# app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET',
# args: { scope: 'api' } }
# - { name: 'google_oauth2',
# app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET',
# args: { access_type: 'offline', approval_prompt: '' } }
# - { name: 'facebook',
# app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET' }
# - { name: 'twitter',
# app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET' }
#
# - { name: 'saml',
# label: 'Our SAML Provider',
# groups_attribute: 'Groups',
# external_groups: ['Contractors', 'Freelancers'],
# args: {
# assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
# idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
# idp_sso_target_url: 'https://login.example.com/idp',
# issuer: 'https://gitlab.example.com',
# name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
# } }
#
# - { name: 'crowd',
# args: {
# crowd_server_url: 'CROWD SERVER URL',
# application_name: 'YOUR_APP_NAME',
# application_password: 'YOUR_APP_PASSWORD' } }
#
# - { name: 'auth0',
# args: {
# client_id: 'YOUR_AUTH0_CLIENT_ID',
# client_secret: 'YOUR_AUTH0_CLIENT_SECRET',
# namespace: 'YOUR_AUTH0_DOMAIN' } }
# SSO maximum session duration in seconds. Defaults to CAS default of 8 hours.
# cas3:
# session_duration: 28800
# Shared file storage settings
shared:
path: /var/lib/gitlab/shared # Default: shared
# Gitaly settings
gitaly:
# This setting controls whether GitLab uses Gitaly (new component
# introduced in 9.0). Eventually Gitaly use will become mandatory and
# this option will disappear.
enabled: true
#
# 4. Advanced settings
# ==========================
## Repositories settings
repositories:
# Paths where repositories can be stored. Give the canonicalized absolute pathname.
# IMPORTANT: None of the path components may be symlink, because
# gitlab-shell invokes Dir.pwd inside the repository path and that results
# real path not the symlink.
storages: # You must have at least a `default` storage path.
default:
path: /var/lib/gitlab/repositories/
gitaly_address: unix:/var/lib/gitlab/sockets/gitlab-gitaly.socket # TCP connections are supported too (e.g. tcp://host:port)
## Backup settings
backup:
path: "/var/lib/gitlab/backups" # Relative paths are relative to Rails.root (default: tmp/backups/)
# archive_permissions: 0640 # Permissions for the resulting backup.tar file (default: 0600)
# keep_time: 604800 # default: 0 (forever) (in seconds)
# pg_schema: public # default: nil, it means that all schemas will be backed up
# upload:
# # Fog storage connection settings, see http://fog.io/storage/ .
# connection:
# provider: AWS
# region: eu-west-1
# aws_access_key_id: AKIAKIAKI
# aws_secret_access_key: 'secret123'
# # The remote 'directory' to store your backups. For S3, this would be the bucket name.
# remote_directory: 'my.s3.bucket'
# # Use multipart uploads when file size reaches 100MB, see
# # http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
# multipart_chunk_size: 104857600
# # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
# # encryption: 'AES256'
# # Specifies Amazon S3 storage class to use for backups, this is optional
# # storage_class: 'STANDARD'
## GitLab Shell settings
gitlab_shell:
path: /usr/share/webapps/gitlab-shell/
hooks_path: /usr/share/webapps/gitlab-shell/hooks/
# File that contains the secret key for verifying access for gitlab-shell.
# Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app).
# secret_file: /home/git/gitlab/.gitlab_shell_secret
# Git over HTTP
upload_pack: true
receive_pack: true
# Git import/fetch timeout
# git_timeout: 800
# If you use non-standard ssh port you need to specify it
# ssh_port: 22
workhorse:
# File that contains the secret key for verifying access for gitlab-workhorse.
# Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app).
# secret_file: /home/git/gitlab/.gitlab_workhorse_secret
## Git settings
# CAUTION!
# Use the default values unless you really know what you are doing
git:
bin_path: /usr/bin/git
# The next value is the maximum memory size grit can use
# Given in number of bytes per git object (e.g. a commit)
# This value can be increased if you have very large commits
max_size: 20971520 # 20.megabytes
# Git timeout to read a commit, in seconds
timeout: 10
## Webpack settings
# If enabled, this will tell rails to serve frontend assets from the webpack-dev-server running
# on a given port instead of serving directly from /assets/webpack. This is only indended for use
# in development.
webpack:
# dev_server:
# enabled: true
# host: localhost
# port: 3808
#
# 5. Extra customization
# ==========================
extra:
## Google analytics. Uncomment if you want it
# google_analytics_id: '_your_tracking_id'
## Piwik analytics.
# piwik_url: '_your_piwik_url'
# piwik_site_id: '_your_piwik_site_id'
rack_attack:
git_basic_auth:
# Rack Attack IP banning enabled
# enabled: true
#
# Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers
# ip_whitelist: ["127.0.0.1"]
#
# Limit the number of Git HTTP authentication attempts per IP
# maxretry: 10
#
# Reset the auth attempt counter per IP after 60 seconds
# findtime: 60
#
# Ban an IP for one hour (3600s) after too many auth attempts
# bantime: 3600
development:
<<: *base
test:
<<: *base
gravatar:
enabled: true
lfs:
enabled: false
gitlab:
host: localhost
port: 80
# When you run tests we clone and setup gitlab-shell
# In order to setup it correctly you need to specify
# your system username you use to run GitLab
# user: YOUR_USERNAME
pages:
path: tmp/tests/pages
repositories:
storages:
default:
path: tmp/tests/repositories/
gitaly_address: unix:tmp/tests/gitaly/gitaly.socket
gitaly:
enabled: true
backup:
path: tmp/tests/backups
gitlab_shell:
path: tmp/tests/gitlab-shell/
hooks_path: tmp/tests/gitlab-shell/hooks/
issues_tracker:
redmine:
title: "Redmine"
project_url: "http://redmine/projects/:issues_tracker_id"
issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
jira:
title: "JIRA"
url: https://sample_company.atlassian.net
project_key: PROJECT
ldap:
enabled: false
servers:
main:
label: ldap
host: 127.0.0.1
port: 3890
uid: 'uid'
method: 'plain' # "tls" or "ssl" or "plain"
base: 'dc=example,dc=com'
user_filter: ''
group_base: 'ou=groups,dc=example,dc=com'
admin_group: ''
staging:
<<: *base

83
states/roles/maintain/gitlab/conf_files/production.rb
View file

@ -1,83 +0,0 @@
Rails.application.configure do
# Settings specified here will take precedence over those in config/application.rb
# Code is not reloaded between requests
config.cache_classes = true
# Full error reports are disabled and caching is turned on
config.consider_all_requests_local = false
config.action_controller.perform_caching = true
# Disable Rails's static asset server (Apache or nginx will already do this)
config.serve_static_files = false
# Compress JavaScripts and CSS.
config.assets.js_compressor = :uglifier
# config.assets.css_compressor = :sass
# Don't fallback to assets pipeline if a precompiled asset is missed
config.assets.compile = false
# Generate digests for assets URLs
config.assets.digest = true
# Enable compression of compiled assets using gzip.
config.assets.compress = true
# Defaults to nil and saved in location specified by config.assets.prefix
# config.assets.manifest = YOUR_PATH
# Specifies the header that your server uses for sending files
# config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
# config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
# config.force_ssl = true
# See everything in the log (default is :info)
config.log_level = :info
# Suppress 'Rendered template ...' messages in the log
# source: http://stackoverflow.com/a/16369363
%w{render_template render_partial render_collection}.each do |event|
ActiveSupport::Notifications.unsubscribe "#{event}.action_view"
end
# Prepend all log lines with the following tags
# config.log_tags = [ :subdomain, :uuid ]
# Use a different logger for distributed setups
# config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
# Enable serving of images, stylesheets, and JavaScripts from an asset server
config.action_controller.asset_host = ENV['GITLAB_CDN_HOST'] if ENV['GITLAB_CDN_HOST'].present?
# Precompile additional assets (application.js, application.css, and all non-JS/CSS are already added)
# config.assets.precompile += %w( search.js )
# Disable delivery errors, bad email addresses will be ignored
# config.action_mailer.raise_delivery_errors = false
# Enable threaded mode
# config.threadsafe! unless $rails_rake_task
# Enable locale fallbacks for I18n (makes lookups for any locale fall back to
# the I18n.default_locale when a translation can not be found)
config.i18n.fallbacks = true
# Send deprecation notices to registered listeners
config.active_support.deprecation = :notify
config.action_mailer.delivery_method = :smtp
# Defaults to:
# # config.action_mailer.sendmail_settings = {
# # location: '/usr/sbin/sendmail',
# # arguments: '-i -t'
# # }
config.action_mailer.perform_deliveries = true
config.action_mailer.raise_delivery_errors = true
config.eager_load = true
config.allow_concurrency = false
end

1293
states/roles/maintain/gitlab/conf_files/redis.conf
View file

File diff suppressed because it is too large Load diff

34
states/roles/maintain/gitlab/conf_files/resque.yml
View file

@ -1,34 +0,0 @@
# If you change this file in a Merge Request, please also create
# a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
#
development:
url: unix:/run/redis/redis.sock
# sentinels:
# -
# host: localhost
# port: 26380 # point to sentinel, not to redis port
# -
# host: slave2
# port: 26381 # point to sentinel, not to redis port
test:
url: unix:/run/redis/redis.sock
production:
# Redis (single instance)
url: unix:/run/redis/redis.sock
##
# Redis + Sentinel (for HA)
#
# Please read instructions carefully before using it as you may lose data:
# http://redis.io/topics/sentinel
#
# You must specify a list of a few sentinels that will handle client connection
# please read here for more information: https://docs.gitlab.com/ce/administration/high_availability/redis.html
##
# url: redis://master:6379
# sentinels:
# -
# host: slave1
# port: 26379 # point to sentinel, not to redis port
# -
# host: slave2
# port: 26379 # point to sentinel, not to redis port

23
states/roles/maintain/gitlab/conf_files/smtp_settings.rb
View file

@ -1,23 +0,0 @@
# To enable smtp email delivery for your GitLab instance do the following:
# 1. Rename this file to smtp_settings.rb
# 2. Edit settings inside this file
# 3. Restart GitLab instance
#
# For full list of options and their values see http://api.rubyonrails.org/classes/ActionMailer/Base.html
#
# If you change this file in a Merge Request, please also create a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
if Rails.env.production?
Rails.application.config.action_mailer.delivery_method = :smtp
ActionMailer::Base.delivery_method = :smtp
ActionMailer::Base.smtp_settings = {
authentication: :plain,
address: "smtp.zoho.com",
port: 587,
user_name: "notifications@actcur.com",
password: "{%- include 'secure/passwords/gitlab_smtp_password.txt' -%}",
domain: "smtp.zoho.com",
enable_starttls_auto: true,
}
end

1
states/roles/maintain/gitlab/conf_files/tmp_redis.conf
View file

@ -1 +0,0 @@
d /run/redis 0755 redis redis -

175
states/roles/maintain/gitlab/init.sls
View file

@ -1,175 +0,0 @@
gitlab:
pkg.installed
mariadb:
pkg.installed
gitlab_nginx:
pkg.installed:
- name: nginx
#managed files
/etc/webapps/gitlab/gitlab.yml:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/gitlab.yml
- user: root
- group: root
- mode: 644
/etc/webapps/gitlab/database.yml:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/database.yml
- user: gitlab
- group: gitlab
- mode: 600
- template: jinja
/etc/webapps/gitlab/resque.yml:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/resque.yml
- user: root
- group: root
- mode: 644
/etc/webapps/gitlab-shell/config.yml:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/config.yml
- user: gitlab
- group: gitlab
- mode: 600
/usr/share/webapps/gitlab/config/initializers/smtp_settings.rb:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/smtp_settings.rb
- user: root
- group: root
- mode: 644
- template: jinja
/usr/share/webapps/gitlab/config/environments/production.rb:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/production.rb
- user: root
- group: root
- mode: 644
/etc/redis.conf:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/redis.conf
- user: root
- group: root
- mode: 644
/etc/tempfiles.d/redis.conf:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/tmp_redis.conf
- user: root
- group: root
- mode: 644
- makedirs: true
/etc/nginx/conf.d/gitlab.conf:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/gitlab.conf
- user: root
- group: root
- makedirs: true
- dir_mode: 755
- mode: 644
#add users git and gitlab to redis group
git_user:
user.present:
- name: git
- groups:
- redis
gitlab_user:
user.present:
- name: gitlab
- groups:
- redis
#migrate redis database as gitlab user if necessary
redis-running:
service.running:
- name: redis
- enable: true
- watch:
- file: /etc/redis.conf
- file: /etc/tempfiles.d/redis.conf
gitlab_rake_db:
cmd.run:
- name: "bundle-2.3 exec rake db:migrate RAILS_ENV=production"
- cwd: "/usr/share/webapps/gitlab"
- runas: gitlab
- watch:
- pkg: gitlab
#global git configuration
gitlab_git_name:
git.config_set:
- name: user.name
- value: "Actaeus Curabitur"
- user: gitlab
- global: true
gitlab_git_email:
git.config_set:
- name: user.email
- value: "actcur@actcur.com"
- user: gitlab
- global: true
gitlab_git_crlf:
git.config_set:
- name: core.autocrlf
- value: "input"
- user: gitlab
- global: true
#create symlink
symlink_repos:
file.symlink:
- name: /var/lib/gitlab/repositories
- target: /mnt/repos
- force: true
#verify perms for repos are right
/var/lib/gitlab/repositories/:
file.directory:
- user: gitlab
- group: gitlab
- dir_mode: 4770
#start services
gitlab.target:
service.running:
- enable: true
- watch:
- file: /etc/webapps/gitlab/gitlab.yml
- file: /etc/webapps/gitlab/database.yml
- file: /etc/webapps/gitlab/resque.yml
- file: /etc/webapps/gitlab-shell/config.yml
- file: /etc/nginx/conf.d/gitlab.conf
- file: /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb
- file: /usr/share/webapps/gitlab/config/environments/production.rb
gitlab-workhorse:
service.running:
- enable: true
- watch:
- file: /etc/webapps/gitlab/gitlab.yml
- file: /etc/webapps/gitlab/database.yml
- file: /etc/webapps/gitlab/resque.yml
- file: /etc/webapps/gitlab-shell/config.yml
- file: /etc/nginx/conf.d/gitlab.conf
- file: /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb
- file: /usr/share/webapps/gitlab/config/environments/production.rb
gitlab-unicorn:
service.running:
- enable: true
- watch:
- file: /etc/webapps/gitlab/gitlab.yml
- file: /etc/webapps/gitlab/database.yml
- file: /etc/webapps/gitlab/resque.yml
- file: /etc/webapps/gitlab-shell/config.yml
- file: /etc/nginx/conf.d/gitlab.conf
- file: /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb
- file: /usr/share/webapps/gitlab/config/environments/production.rb
gitlab-sidekiq:
service.running:
- enable: true
- watch:
- file: /etc/webapps/gitlab/gitlab.yml
- file: /etc/webapps/gitlab/database.yml
- file: /etc/webapps/gitlab/resque.yml
- file: /etc/webapps/gitlab-shell/config.yml
- file: /etc/nginx/conf.d/gitlab.conf
- file: /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb
- file: /usr/share/webapps/gitlab/config/environments/production.rb

73
states/roles/maintain/gitlabarch/conf_files/config.yml
View file

@ -1,73 +0,0 @@
#
# If you change this file in a Merge Request, please also create
# a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
#
# GitLab user. git by default
user: gitlab
# URL to GitLab instance, used for API calls. Default: http://localhost:8080.
# For relative URL support read http://doc.gitlab.com/ce/install/relative_url.html
# You only have to change the default if you have configured Unicorn
# to listen on a custom port, or if you have configured Unicorn to
# only listen on a Unix domain socket. For Unix domain sockets use
# "http+unix://<urlquoted-path-to-socket>", e.g.
# "http+unix://%2Fpath%2Fto%2Fsocket"
gitlab_url: "http://localhost:8080"
# See installation.md#using-https for additional HTTPS configuration details.
http_settings:
# read_timeout: 300
# user: someone
# password: somepass
# ca_file: /etc/ssl/cert.pem
# ca_path: /etc/pki/tls/certs
self_signed_cert: false
# File used as authorized_keys for gitlab user
auth_file: "/var/lib/gitlab/.ssh/authorized_keys"
# File that contains the secret key for verifying access to GitLab.
# Default is .gitlab_shell_secret in the gitlab-shell directory.
# secret_file: "/var/lib/gitlab/gitlab-shell/.gitlab_shell_secret"
# Parent directory for global custom hook directories (pre-receive.d, update.d, post-receive.d)
# Default is hooks in the gitlab-shell directory.
# custom_hooks_dir: "/var/lib/gitlab/gitlab-shell/hooks"
# Redis settings used for pushing commit notices to gitlab
redis:
bin: /usr/bin/redis-cli
host: 127.0.0.1
port: 6379
# pass: redispass # Allows you to specify the password for Redis
database: 5
socket: /run/redis/redis.sock # Comment out this line if you want to use TCP or Sentinel
namespace: resque:gitlab
# sentinels:
# -
# host: 127.0.0.1
# port: 26380
# -
# host: 127.0.0.1
# port: 26381
# Log file.
# Default is gitlab-shell.log in the root directory.
log_file: "/var/log/gitlab/gitlab-shell.log"
# Log level. INFO by default
log_level: INFO
# Audit usernames.
# Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but
# incurs an extra API call on every gitlab-shell command.
audit_usernames: false
# Git trace log file.
# If set, git commands receive GIT_TRACE* environment variables
# See https://git-scm.com/book/es/v2/Git-Internals-Environment-Variables#Debugging for documentation
# An absolute path starting with / the trace output will be appended to that file.
# It needs to exist so we can check permissions and avoid to throwing warnings to the users.
git_trace_log_file:

44
states/roles/maintain/gitlabarch/conf_files/database.yml
View file

@ -1,44 +0,0 @@
#
# PRODUCTION
#
production:
adapter: mysql2
encoding: utf8
collation: utf8_general_ci
reconnect: false
database: gitlab
pool: 10
username: gitlab
password: "{%- include 'secure/passwords/gitlab_db_password.txt' -%}"
host: sql.actcur.com
# socket: /tmp/mysql.sock
#
# Development specific
#
development:
adapter: mysql2
encoding: utf8
collation: utf8_general_ci
reconnect: false
database: gitlabhq_development
pool: 5
username: root
password: "secure password"
# host: localhost
# socket: /tmp/mysql.sock
# Warning: The database defined as "test" will be erased and
# re-generated from your development database when you run "rake".
# Do not set this db to the same as development or production.
test: &test
adapter: mysql2
encoding: utf8mb4
collation: utf8mb4_general_ci
reconnect: false
database: gitlabhq_test
pool: 5
username: root
password:
# host: localhost
# socket: /tmp/mysql.sock

69
states/roles/maintain/gitlabarch/conf_files/gitlab.conf
View file

@ -1,69 +0,0 @@
## GitLab
##
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
##################################
## CONTRIBUTING ##
##################################
##
## If you change this file in a Merge Request, please also create
## a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
##
###################################
## configuration ##
###################################
##
## See installation.md#using-https for additional HTTPS configuration details.
upstream gitlab-workhorse {
server unix:/run/gitlab/gitlab-workhorse.socket fail_timeout=0;
}
## Normal HTTP host
server {
## Either remove "default_server" from the listen line below,
## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
## to be served if you visit any address that your server responds to, eg.
## the ip address of the server (http://x.x.x.x/)n 0.0.0.0:80 default_server;
listen 0.0.0.0:8000;
listen [::]:8000;
server_name git2.actcur.com; ## Replace this with something like gitlab.example.com
server_tokens off; ## Don't show the nginx version number, a security best practice
## See app/controllers/application_controller.rb for headers set
## Individual nginx logs for this GitLab vhost
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
location / {
client_max_body_size 0;
gzip off;
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://gitlab-workhorse;
}
error_page 404 /404.html;
error_page 422 /422.html;
error_page 500 /500.html;
error_page 502 /502.html;
location ~ ^/(404|422|500|502)\.html$ {
root /usr/share/webapps/gitlab/public;
internal;
}
}

627
states/roles/maintain/gitlabarch/conf_files/gitlab.yml
View file

@ -1,627 +0,0 @@
# # # # # # # # # # # # # # # # # #
# GitLab application config file #
# # # # # # # # # # # # # # # # # #
#
########################### NOTE #####################################
# This file should not receive new settings. All configuration options #
# * are being moved to ApplicationSetting model! #
# If a setting requires an application restart say so in that screen. #
# If you change this file in a Merge Request, please also create #
# a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests #
########################################################################
#
#
# How to use:
# 1. Copy file as gitlab.yml
# 2. Update gitlab -> host with your fully qualified domain name
# 3. Update gitlab -> email_from
# 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git
# IMPORTANT: If Git was installed in a different location use that instead.
# You can check with `which git`. If a wrong path of Git is specified, it will
# result in various issues such as failures of GitLab CI builds.
# 5. Review this configuration file for other settings you may want to adjust
production: &base
#
# 1. GitLab app settings
# ==========================
## GitLab settings
gitlab:
## Web server settings (note: host is the FQDN, do not include http://)
host: git.actcur.com
port: 443 # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
https: true # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
# Uncommment this line below if your ssh host is different from HTTP/HTTPS one
# (you'd obviously need to replace ssh.host_example.com with your own host).
# Otherwise, ssh host will be set to the `host:` value above
# ssh_host: ssh.host_example.com
# Relative URL support
# WARNING: We recommend using an FQDN to host GitLab in a root path instead
# of using a relative URL.
# Documentation: http://doc.gitlab.com/ce/install/relative_url.html
# Uncomment and customize the following line to run in a non-root path
#
# relative_url_root: /gitlab
# Trusted Proxies
# Customize if you have GitLab behind a reverse proxy which is running on a different machine.
# Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
trusted_proxies:
# Examples:
#- 192.168.1.0/24
#- 192.168.2.1
#- 2001:0db8::/32
# Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
user: gitlab
## Date & Time settings
# Uncomment and customize if you want to change the default time zone of GitLab application.
# To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production`
# time_zone: 'UTC'
## Email settings
# Uncomment and set to false if you need to disable email sending from GitLab (default: true)
# email_enabled: true
# Email address used in the "From" field in mails sent by GitLab
email_from: notifications@actcur.com
email_display_name: Actcur Git
email_reply_to: noreply@actcur.com
email_subject_suffix: ''
# Email server smtp settings are in config/initializers/smtp_settings.rb.sample
# default_can_create_group: false # default: true
# username_changing_enabled: false # default: true - User can change her username/namespace
## Automatic issue closing
# If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
# This happens when the commit is pushed or merged into the default branch of a project.
# When not specified the default issue_closing_pattern as specified below will be used.
# Tip: you can test your closing pattern at http://rubular.com.
# issue_closing_pattern: '((?:[Cc]los(?:e[sd]?|ing)|[Ff]ix(?:e[sd]|ing)?|[Rr]esolv(?:e[sd]?|ing))(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)'
## Default project features settings
default_projects_features:
issues: true
merge_requests: true
wiki: true
snippets: true
builds: true
container_registry: true
## Webhook settings
# Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
# webhook_timeout: 10
## Repository downloads directory
# When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory.
# The default is 'shared/cache/archive/' relative to the root of the Rails app.
# repository_downloads_path: shared/cache/archive/
## Reply by email
# Allow users to comment on issues and merge requests by replying to notification emails.
# For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html
incoming_email:
enabled: false
# The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
# The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
address: "gitlab-incoming+%{key}@gmail.com"
# Email account username
# With third party providers, this is usually the full email address.
# With self-hosted email servers, this is usually the user part of the email address.
user: "gitlab-incoming@gmail.com"
# Email account password
password: "[REDACTED]"
# IMAP server host
host: "imap.gmail.com"
# IMAP server port
port: 993
# Whether the IMAP server uses SSL
ssl: true
# Whether the IMAP server uses StartTLS
start_tls: false
# The mailbox where incoming mail will end up. Usually "inbox".
mailbox: "inbox"
# The IDLE command timeout.
idle_timeout: 60
## Build Artifacts
artifacts:
enabled: true
# The location where build artifacts are stored (default: shared/artifacts).
# path: shared/artifacts
## Git LFS
lfs:
enabled: true
# The location where LFS objects are stored (default: shared/lfs-objects).
# storage_path: shared/lfs-objects
## GitLab Pages
pages:
enabled: false
# The location where pages are stored (default: shared/pages).
# path: shared/pages
# The domain under which the pages are served:
# http://group.example.com/project
# or project path can be a group page: group.example.com
host: example.com
port: 80 # Set to 443 if you serve the pages with HTTPS
https: false # Set to true if you serve the pages with HTTPS
# external_http: ["1.1.1.1:80", "[2001::1]:80"] # If defined, enables custom domain support in GitLab Pages
# external_https: ["1.1.1.1:443", "[2001::1]:443"] # If defined, enables custom domain and certificate support in GitLab Pages
## Mattermost
## For enabling Add to Mattermost button
mattermost:
enabled: false
host: 'https://mattermost.example.com'
## Gravatar
## For Libravatar see: http://doc.gitlab.com/ce/customization/libravatar.html
gravatar:
# gravatar urls: possible placeholders: %{hash} %{size} %{email} %{username}
# plain_url: "http://..." # default: http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
# ssl_url: "https://..." # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
## Auxiliary jobs
# Periodically executed jobs, to self-heal Gitlab, do external synchronizations, etc.
# Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
cron_jobs:
# Flag stuck CI jobs as failed
stuck_ci_jobs_worker:
cron: "0 * * * *"
# Execute scheduled triggers
pipeline_schedule_worker:
cron: "19 * * * *"
# Remove expired build artifacts
expire_build_artifacts_worker:
cron: "50 * * * *"
# Periodically run 'git fsck' on all repositories. If started more than
# once per hour you will have concurrent 'git fsck' jobs.
repository_check_worker:
cron: "20 * * * *"
# Send admin emails once a week
admin_email_worker:
cron: "0 0 * * 0"
# Remove outdated repository archives
repository_archive_cache_worker:
cron: "0 * * * *"
registry:
# enabled: true
# host: registry.example.com
# port: 5005
# api_url: http://localhost:5000/ # internal address to the registry, will be used by GitLab to directly communicate with API
# key: config/registry.key
# path: shared/registry
# issuer: gitlab-issuer
#
# 2. GitLab CI settings
# ==========================
gitlab_ci:
# Default project notifications settings:
#
# Send emails only on broken builds (default: true)
# all_broken_builds: true
#
# Add pusher to recipients list (default: false)
# add_pusher: true
# The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root
# builds_path: builds/
#
# 3. Auth settings
# ==========================
## LDAP settings
# You can inspect a sample of the LDAP users with login access by running:
# bundle exec rake gitlab:ldap:check RAILS_ENV=production
ldap:
enabled: false
servers:
##########################################################################
#
# Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab
# Enterprise Edition now supports connecting to multiple LDAP servers.
#
# If you are updating from the old (pre-7.4) syntax, you MUST give your
# old server the ID 'main'.
#
##########################################################################
main: # 'main' is the GitLab 'provider ID' of this LDAP server
## label
#
# A human-friendly name for your LDAP server. It is OK to change the label later,
# for instance if you find out it is too large to fit on the web page.
#
# Example: 'Paris' or 'Acme, Ltd.'
label: 'LDAP'
host: '_your_ldap_server'
port: 389
uid: 'sAMAccountName'
method: 'plain' # "tls" or "ssl" or "plain"
bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
password: '_the_password_of_the_bind_user'
# Set a timeout, in seconds, for LDAP queries. This helps avoid blocking
# a request if the LDAP server becomes unresponsive.
# A value of 0 means there is no timeout.
timeout: 10
# This setting specifies if LDAP server is Active Directory LDAP server.
# For non AD servers it skips the AD specific queries.
# If your LDAP server is not AD, set this to false.
active_directory: true
# If allow_username_or_email_login is enabled, GitLab will ignore everything
# after the first '@' in the LDAP username submitted by the user on login.
#
# Example:
# - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
# - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
#
# If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
# disable this setting, because the userPrincipalName contains an '@'.
allow_username_or_email_login: false
# To maintain tight control over the number of active users on your GitLab installation,
# enable this setting to keep new users blocked until they have been cleared by the admin
# (default: false).
block_auto_created_users: false
# Base where we can search for users
#
# Ex. ou=People,dc=gitlab,dc=example
#
base: ''
# Filter LDAP users
#
# Format: RFC 4515 http://tools.ietf.org/search/rfc4515
# Ex. (employeeType=developer)
#
# Note: GitLab does not support omniauth-ldap's custom filter syntax.
#
user_filter: ''
# LDAP attributes that GitLab will use to create an account for the LDAP user.
# The specified attribute can either be the attribute name as a string (e.g. 'mail'),
# or an array of attribute names to try in order (e.g. ['mail', 'email']).
# Note that the user's LDAP login will always be the attribute specified as `uid` above.
attributes:
# The username will be used in paths for the user's own projects
# (like `gitlab.example.com/username/project`) and when mentioning
# them in issues, merge request and comments (like `@username`).
# If the attribute specified for `username` contains an email address,
# the GitLab username will be the part of the email address before the '@'.
username: ['uid', 'userid', 'sAMAccountName']
email: ['mail', 'email', 'userPrincipalName']
# If no full name could be found at the attribute specified for `name`,
# the full name is determined using the attributes specified for
# `first_name` and `last_name`.
name: 'cn'
first_name: 'givenName'
last_name: 'sn'
# GitLab EE only: add more LDAP servers
# Choose an ID made of a-z and 0-9 . This ID will be stored in the database
# so that GitLab can remember which LDAP server a user belongs to.
# uswest2:
# label:
# host:
# ....
## OmniAuth settings
omniauth:
# Allow login via Twitter, Google, etc. using OmniAuth providers
enabled: false
# Uncomment this to automatically sign in with a specific omniauth provider's without
# showing GitLab's sign-in page (default: show the GitLab sign-in page)
# auto_sign_in_with_provider: saml
# Sync user's email address from the specified Omniauth provider every time the user logs
# in (default: nil). And consequently make this field read-only.
# sync_email_from_provider: cas3
# CAUTION!
# This allows users to login without having a user account first. Define the allowed providers
# using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none.
# User accounts will be created automatically when authentication was successful.
allow_single_sign_on: ["saml"]
# Locks down those users until they have been cleared by the admin (default: true).
block_auto_created_users: true
# Look up new users in LDAP servers. If a match is found (same uid), automatically
# link the omniauth identity with the LDAP account. (default: false)
auto_link_ldap_user: false
# Allow users with existing accounts to login and auto link their account via SAML
# login, without having to do a manual login first and manually add SAML
# (default: false)
auto_link_saml_user: false
# Set different Omniauth providers as external so that all users creating accounts
# via these providers will not be able to have access to internal projects. You
# will need to use the full name of the provider, like `google_oauth2` for Google.
# Refer to the examples below for the full names of the supported providers.
# (default: [])
external_providers: []
## Auth providers
# Uncomment the following lines and fill in the data of the auth provider you want to use
# If your favorite auth provider is not listed you can use others:
# see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations
# The 'app_id' and 'app_secret' parameters are always passed as the first two
# arguments, followed by optional 'args' which can be either a hash or an array.
# Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
providers:
# See omniauth-cas3 for more configuration details
# - { name: 'cas3',
# label: 'cas3',
# args: {
# url: 'https://sso.example.com',
# disable_ssl_verification: false,
# login_url: '/cas/login',
# service_validate_url: '/cas/p3/serviceValidate',
# logout_url: '/cas/logout'} }
# - { name: 'authentiq',
# # for client credentials (client ID and secret), go to https://www.authentiq.com/
# app_id: 'YOUR_CLIENT_ID',
# app_secret: 'YOUR_CLIENT_SECRET',
# args: {
# scope: 'aq:name email~rs address aq:push'
# # redirect_uri parameter is optional except when 'gitlab.host' in this file is set to 'localhost'
# # redirect_uri: 'YOUR_REDIRECT_URI'
# }
# }
# - { name: 'github',
# app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET',
# url: "https://github.com/",
# verify_ssl: true,
# args: { scope: 'user:email' } }
# - { name: 'bitbucket',
# app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET' }
# - { name: 'gitlab',
# app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET',
# args: { scope: 'api' } }
# - { name: 'google_oauth2',
# app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET',
# args: { access_type: 'offline', approval_prompt: '' } }
# - { name: 'facebook',
# app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET' }
# - { name: 'twitter',
# app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET' }
#
# - { name: 'saml',
# label: 'Our SAML Provider',
# groups_attribute: 'Groups',
# external_groups: ['Contractors', 'Freelancers'],
# args: {
# assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
# idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
# idp_sso_target_url: 'https://login.example.com/idp',
# issuer: 'https://gitlab.example.com',
# name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
# } }
#
# - { name: 'crowd',
# args: {
# crowd_server_url: 'CROWD SERVER URL',
# application_name: 'YOUR_APP_NAME',
# application_password: 'YOUR_APP_PASSWORD' } }
#
# - { name: 'auth0',
# args: {
# client_id: 'YOUR_AUTH0_CLIENT_ID',
# client_secret: 'YOUR_AUTH0_CLIENT_SECRET',
# namespace: 'YOUR_AUTH0_DOMAIN' } }
# SSO maximum session duration in seconds. Defaults to CAS default of 8 hours.
# cas3:
# session_duration: 28800
# Shared file storage settings
shared:
path: /var/lib/gitlab/shared # Default: shared
# Gitaly settings
gitaly:
# This setting controls whether GitLab uses Gitaly (new component
# introduced in 9.0). Eventually Gitaly use will become mandatory and
# this option will disappear.
enabled: true
#
# 4. Advanced settings
# ==========================
## Repositories settings
repositories:
# Paths where repositories can be stored. Give the canonicalized absolute pathname.
# IMPORTANT: None of the path components may be symlink, because
# gitlab-shell invokes Dir.pwd inside the repository path and that results
# real path not the symlink.
storages: # You must have at least a `default` storage path.
default:
path: /var/lib/gitlab/repositories/
gitaly_address: unix:/var/lib/gitlab/sockets/gitlab-gitaly.socket # TCP connections are supported too (e.g. tcp://host:port)
## Backup settings
backup:
path: "/var/lib/gitlab/backups" # Relative paths are relative to Rails.root (default: tmp/backups/)
# archive_permissions: 0640 # Permissions for the resulting backup.tar file (default: 0600)
# keep_time: 604800 # default: 0 (forever) (in seconds)
# pg_schema: public # default: nil, it means that all schemas will be backed up
# upload:
# # Fog storage connection settings, see http://fog.io/storage/ .
# connection:
# provider: AWS
# region: eu-west-1
# aws_access_key_id: AKIAKIAKI
# aws_secret_access_key: 'secret123'
# # The remote 'directory' to store your backups. For S3, this would be the bucket name.
# remote_directory: 'my.s3.bucket'
# # Use multipart uploads when file size reaches 100MB, see
# # http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
# multipart_chunk_size: 104857600
# # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
# # encryption: 'AES256'
# # Specifies Amazon S3 storage class to use for backups, this is optional
# # storage_class: 'STANDARD'
## GitLab Shell settings
gitlab_shell:
path: /usr/share/webapps/gitlab-shell/
hooks_path: /usr/share/webapps/gitlab-shell/hooks/
# File that contains the secret key for verifying access for gitlab-shell.
# Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app).
# secret_file: /home/git/gitlab/.gitlab_shell_secret
# Git over HTTP
upload_pack: true
receive_pack: true
# Git import/fetch timeout
# git_timeout: 800
# If you use non-standard ssh port you need to specify it
# ssh_port: 22
workhorse:
# File that contains the secret key for verifying access for gitlab-workhorse.
# Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app).
# secret_file: /home/git/gitlab/.gitlab_workhorse_secret
## Git settings
# CAUTION!
# Use the default values unless you really know what you are doing
git:
bin_path: /usr/bin/git
# The next value is the maximum memory size grit can use
# Given in number of bytes per git object (e.g. a commit)
# This value can be increased if you have very large commits
max_size: 20971520 # 20.megabytes
# Git timeout to read a commit, in seconds
timeout: 10
## Webpack settings
# If enabled, this will tell rails to serve frontend assets from the webpack-dev-server running
# on a given port instead of serving directly from /assets/webpack. This is only indended for use
# in development.
webpack:
# dev_server:
# enabled: true
# host: localhost
# port: 3808
#
# 5. Extra customization
# ==========================
extra:
## Google analytics. Uncomment if you want it
# google_analytics_id: '_your_tracking_id'
## Piwik analytics.
# piwik_url: '_your_piwik_url'
# piwik_site_id: '_your_piwik_site_id'
rack_attack:
git_basic_auth:
# Rack Attack IP banning enabled
# enabled: true
#
# Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers
# ip_whitelist: ["127.0.0.1"]
#
# Limit the number of Git HTTP authentication attempts per IP
# maxretry: 10
#
# Reset the auth attempt counter per IP after 60 seconds
# findtime: 60
#
# Ban an IP for one hour (3600s) after too many auth attempts
# bantime: 3600
development:
<<: *base
test:
<<: *base
gravatar:
enabled: true
lfs:
enabled: false
gitlab:
host: localhost
port: 80
# When you run tests we clone and setup gitlab-shell
# In order to setup it correctly you need to specify
# your system username you use to run GitLab
# user: YOUR_USERNAME
pages:
path: tmp/tests/pages
repositories:
storages:
default:
path: tmp/tests/repositories/
gitaly_address: unix:tmp/tests/gitaly/gitaly.socket
gitaly:
enabled: true
backup:
path: tmp/tests/backups
gitlab_shell:
path: tmp/tests/gitlab-shell/
hooks_path: tmp/tests/gitlab-shell/hooks/
issues_tracker:
redmine:
title: "Redmine"
project_url: "http://redmine/projects/:issues_tracker_id"
issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
jira:
title: "JIRA"
url: https://sample_company.atlassian.net
project_key: PROJECT
ldap:
enabled: false
servers:
main:
label: ldap
host: 127.0.0.1
port: 3890
uid: 'uid'
method: 'plain' # "tls" or "ssl" or "plain"
base: 'dc=example,dc=com'
user_filter: ''
group_base: 'ou=groups,dc=example,dc=com'
admin_group: ''
staging:
<<: *base

83
states/roles/maintain/gitlabarch/conf_files/production.rb
View file

@ -1,83 +0,0 @@
Rails.application.configure do
# Settings specified here will take precedence over those in config/application.rb
# Code is not reloaded between requests
config.cache_classes = true
# Full error reports are disabled and caching is turned on
config.consider_all_requests_local = false
config.action_controller.perform_caching = true
# Disable Rails's static asset server (Apache or nginx will already do this)
config.serve_static_files = false
# Compress JavaScripts and CSS.
config.assets.js_compressor = :uglifier
# config.assets.css_compressor = :sass
# Don't fallback to assets pipeline if a precompiled asset is missed
config.assets.compile = false
# Generate digests for assets URLs
config.assets.digest = true
# Enable compression of compiled assets using gzip.
config.assets.compress = true
# Defaults to nil and saved in location specified by config.assets.prefix
# config.assets.manifest = YOUR_PATH
# Specifies the header that your server uses for sending files
# config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
# config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
# config.force_ssl = true
# See everything in the log (default is :info)
config.log_level = :info
# Suppress 'Rendered template ...' messages in the log
# source: http://stackoverflow.com/a/16369363
%w{render_template render_partial render_collection}.each do |event|
ActiveSupport::Notifications.unsubscribe "#{event}.action_view"
end
# Prepend all log lines with the following tags
# config.log_tags = [ :subdomain, :uuid ]
# Use a different logger for distributed setups
# config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
# Enable serving of images, stylesheets, and JavaScripts from an asset server
config.action_controller.asset_host = ENV['GITLAB_CDN_HOST'] if ENV['GITLAB_CDN_HOST'].present?
# Precompile additional assets (application.js, application.css, and all non-JS/CSS are already added)
# config.assets.precompile += %w( search.js )
# Disable delivery errors, bad email addresses will be ignored
# config.action_mailer.raise_delivery_errors = false
# Enable threaded mode
# config.threadsafe! unless $rails_rake_task
# Enable locale fallbacks for I18n (makes lookups for any locale fall back to
# the I18n.default_locale when a translation can not be found)
config.i18n.fallbacks = true
# Send deprecation notices to registered listeners
config.active_support.deprecation = :notify
config.action_mailer.delivery_method = :smtp
# Defaults to:
# # config.action_mailer.sendmail_settings = {
# # location: '/usr/sbin/sendmail',
# # arguments: '-i -t'
# # }
config.action_mailer.perform_deliveries = true
config.action_mailer.raise_delivery_errors = true
config.eager_load = true
config.allow_concurrency = false
end

1293
states/roles/maintain/gitlabarch/conf_files/redis.conf
View file

File diff suppressed because it is too large Load diff

34
states/roles/maintain/gitlabarch/conf_files/resque.yml
View file

@ -1,34 +0,0 @@
# If you change this file in a Merge Request, please also create
# a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
#
development:
url: unix:/run/redis/redis.sock
# sentinels:
# -
# host: localhost
# port: 26380 # point to sentinel, not to redis port
# -
# host: slave2
# port: 26381 # point to sentinel, not to redis port
test:
url: unix:/run/redis/redis.sock
production:
# Redis (single instance)
url: unix:/run/redis/redis.sock
##
# Redis + Sentinel (for HA)
#
# Please read instructions carefully before using it as you may lose data:
# http://redis.io/topics/sentinel
#
# You must specify a list of a few sentinels that will handle client connection
# please read here for more information: https://docs.gitlab.com/ce/administration/high_availability/redis.html
##
# url: redis://master:6379
# sentinels:
# -
# host: slave1
# port: 26379 # point to sentinel, not to redis port
# -
# host: slave2
# port: 26379 # point to sentinel, not to redis port

23
states/roles/maintain/gitlabarch/conf_files/smtp_settings.rb
View file

@ -1,23 +0,0 @@
# To enable smtp email delivery for your GitLab instance do the following:
# 1. Rename this file to smtp_settings.rb
# 2. Edit settings inside this file
# 3. Restart GitLab instance
#
# For full list of options and their values see http://api.rubyonrails.org/classes/ActionMailer/Base.html
#
# If you change this file in a Merge Request, please also create a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
if Rails.env.production?
Rails.application.config.action_mailer.delivery_method = :smtp
ActionMailer::Base.delivery_method = :smtp
ActionMailer::Base.smtp_settings = {
authentication: :plain,
address: "smtp.zoho.com",
port: 587,
user_name: "notifications@actcur.com",
password: "{%- include 'secure/passwords/gitlab_smtp_password.txt' -%}",
domain: "smtp.zoho.com",
enable_starttls_auto: true,
}
end

1
states/roles/maintain/gitlabarch/conf_files/tmp_redis.conf
View file

@ -1 +0,0 @@
d /run/redis 0755 redis redis -

175
states/roles/maintain/gitlabarch/init.sls
View file

@ -1,175 +0,0 @@
gitlab:
pkg.installed
mariadb:
pkg.installed
gitlab_nginx:
pkg.installed:
- name: nginx
#managed files
/etc/webapps/gitlab/gitlab.yml:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/gitlab.yml
- user: root
- group: root
- mode: 644
/etc/webapps/gitlab/database.yml:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/database.yml
- user: gitlab
- group: gitlab
- mode: 600
- template: jinja
/etc/webapps/gitlab/resque.yml:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/resque.yml
- user: root
- group: root
- mode: 644
/etc/webapps/gitlab-shell/config.yml:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/config.yml
- user: gitlab
- group: gitlab
- mode: 600
/usr/share/webapps/gitlab/config/initializers/smtp_settings.rb:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/smtp_settings.rb
- user: root
- group: root
- mode: 644
- template: jinja
/usr/share/webapps/gitlab/config/environments/production.rb:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/production.rb
- user: root
- group: root
- mode: 644
/etc/redis.conf:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/redis.conf
- user: root
- group: root
- mode: 644
/etc/tempfiles.d/redis.conf:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/tmp_redis.conf
- user: root
- group: root
- mode: 644
- makedirs: true
/etc/nginx/conf.d/gitlab.conf:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/gitlab.conf
- user: root
- group: root
- makedirs: true
- dir_mode: 755
- mode: 644
#add users git and gitlab to redis group
git_user:
user.present:
- name: git
- groups:
- redis
gitlab_user:
user.present:
- name: gitlab
- groups:
- redis
#migrate redis database as gitlab user if necessary
redis-running:
service.running:
- name: redis
- enable: true
- watch:
- file: /etc/redis.conf
- file: /etc/tempfiles.d/redis.conf
gitlab_rake_db:
cmd.run:
- name: "bundle-2.3 exec rake db:migrate RAILS_ENV=production"
- cwd: "/usr/share/webapps/gitlab"
- runas: gitlab
- watch:
- pkg: gitlab
#global git configuration
gitlab_git_name:
git.config_set:
- name: user.name
- value: "Actaeus Curabitur"
- user: gitlab
- global: true
gitlab_git_email:
git.config_set:
- name: user.email
- value: "actcur@actcur.com"
- user: gitlab
- global: true
gitlab_git_crlf:
git.config_set:
- name: core.autocrlf
- value: "input"
- user: gitlab
- global: true
#create symlink
symlink_repos:
file.symlink:
- name: /var/lib/gitlab/repositories
- target: /mnt/repos
- force: true
#verify perms for repos are right
/var/lib/gitlab/repositories/:
file.directory:
- user: gitlab
- group: gitlab
- dir_mode: 4770
#start services
gitlab.target:
service.running:
- enable: true
- watch:
- file: /etc/webapps/gitlab/gitlab.yml
- file: /etc/webapps/gitlab/database.yml
- file: /etc/webapps/gitlab/resque.yml
- file: /etc/webapps/gitlab-shell/config.yml
- file: /etc/nginx/conf.d/gitlab.conf
- file: /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb
- file: /usr/share/webapps/gitlab/config/environments/production.rb
gitlab-workhorse:
service.running:
- enable: true
- watch:
- file: /etc/webapps/gitlab/gitlab.yml
- file: /etc/webapps/gitlab/database.yml
- file: /etc/webapps/gitlab/resque.yml
- file: /etc/webapps/gitlab-shell/config.yml
- file: /etc/nginx/conf.d/gitlab.conf
- file: /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb
- file: /usr/share/webapps/gitlab/config/environments/production.rb
gitlab-unicorn:
service.running:
- enable: true
- watch:
- file: /etc/webapps/gitlab/gitlab.yml
- file: /etc/webapps/gitlab/database.yml
- file: /etc/webapps/gitlab/resque.yml
- file: /etc/webapps/gitlab-shell/config.yml
- file: /etc/nginx/conf.d/gitlab.conf
- file: /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb
- file: /usr/share/webapps/gitlab/config/environments/production.rb
gitlab-sidekiq:
service.running:
- enable: true
- watch:
- file: /etc/webapps/gitlab/gitlab.yml
- file: /etc/webapps/gitlab/database.yml
- file: /etc/webapps/gitlab/resque.yml
- file: /etc/webapps/gitlab-shell/config.yml
- file: /etc/nginx/conf.d/gitlab.conf
- file: /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb
- file: /usr/share/webapps/gitlab/config/environments/production.rb

18
states/roles/maintain/icinga/conf.d/hosts.conf Normal file
View file

@ -0,0 +1,18 @@
{% set states = salt['cp.list_states'](saltenv) %}
{%- for state in states %}
{%- if state.startswith("pillars.servers.roles.server.") -%}
{%- set server = state.split('.')[4] %}
{% set role_data = salt['file.read']('/etc/icinga2/server_roles/'+server+'.sls')|load_yaml %}
object Host "{{server}}.actcur.com" {
import "generic-host"
address = "{{server}}.actcur.com"
{%- if role_data['grains'] is defined %}
{%- if role_data['grains']['roles'] is defined %}
vars.roles=[{%- for role in role_data['grains']['roles'] %}"{{role}}",{%- endfor -%}""];
{%- endif -%}
{%- endif %}
}
{%- endif -%}
{%- endfor %}

49
states/roles/maintain/icinga/conf.d/services/core.conf Normal file
View file

@ -0,0 +1,49 @@
apply Service "npre_disk-root" {
import "generic-service"
check_command = "nrpe"
vars.nrpe_command = "check_disk"
vars.nrpe_arguments = [ "-w 20% -c 10% -p /" ]
assign where host.address && host.vars.os == "Arch Linux"
}
apply Service "npre_load"{
import "generic-service"
check_command = "nrpe"
vars.nrpe_command = "check_load"
vars.nrpe_arguments = [ "-w 15,10,5 -c 30,20,10" ]
assign where host.address && host.vars.os == "Arch Linux"
}
apply Service "npre_swap"{
import "generic-service"
check_command = "nrpe"
vars.nrpe_command = "check_swap"
vars.nrpe_arguments = [ "-w 20% -c 10%" ]
assign where host.address && host.vars.os == "Arch Linux"
}
apply Service "npre_cpu"{
import "generic-service"
check_command = "nrpe"
vars.nrpe_command = "check_cpu"
vars.nrpe_arguments = [ "" ]
assign where host.address && host.vars.os == "Arch Linux"
}
apply Service "npre_mem"{
import "generic-service"
check_command = "nrpe"
vars.nrpe_command = "check_mem"
vars.nrpe_arguments = [ "-w 80 -c 90" ]
assign where host.address && host.vars.os == "Arch Linux"
}

22
states/roles/maintain/icinga/conf.d/services/service.conf Normal file
View file

@ -0,0 +1,22 @@
{%- if services is defined %}
{%- for role in services %}
{%- if services[role] is defined %}
{%- for service in services[role] %}
{%- if role == "core" -%}
{% set role_restriction = '' %}
{%- else -%}
{% set role_restriction = '&& "'+role+'" in host.vars.roles' %}
{%- endif %}
apply Service "nrpe_service_{{role}}_{{ service }}"{
import "generic-service"
check_command = "nrpe"
vars.nrpe_command = "check_service"
vars.nrpe_arguments = [ "{{ service }}" ]
assign where host.address {{role_restriction}}
}
{%- endfor -%}
{%- endif -%}
{%- endfor -%}
{%- endif -%}

Some files were not shown because too many files have changed in this diff Show more