actcur/salt
3
0
Fork 0
Code Issues 5 Pull requests Projects Releases Wiki Activity

Updated merge script, moved certs and keys symlinks and references to secure, and added ca and vpnserver states

Browse source
This commit is contained in:
Beth Parker 2017-08-25 10:35:25 -05:00
parent 2f927b6d62
commit 408866fd12
70 changed files with 2878 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
merge.sh
View file

@ -1,9 +1,18 @@
git checkout dev
git merge master
git push
read -p "Commit message? " cm;
git fetch --all;
git checkout master
git merge --squash dev
git commit
git push
git checkout dev
#copy dev to history to ensure we don't lose changes if something goes wrong
git checkout history;
git reset --hard dev;
git push --force;
#merge to master
git checkout -B master origin/master;
git merge --squash dev;
git commit -am "$cm";
git push;
#clean dev
git checkout dev;
git reset --hard master;
git push --force;

0
pillars/roles/backup/init.sls Executable file → Normal file
View file

0
pillars/roles/backup/radarr.sls Executable file → Normal file
View file

21
pillars/roles/ca/init.sls Normal file
View file

@ -0,0 +1,21 @@
{% set states = salt['cp.list_states'](saltenv) %}
include:
- roles.ca.none
{%- if grains['roles'] is defined -%}
{%- if grains['roles'] is not none -%}
{%- if 'ca' in grains['roles'] -%}
{%- for state in states %}
{%- if state.startswith("pillars.roles.ca.") -%}
{%- set role = state.split('.')[3] %}
- roles.ca.{{ role }}
{%- endif -%}
{%- endfor -%}
{%- else -%}
{%- for role in grains['roles'] %}
{%- if 'pillars.roles.ca.'+role in states %}
- roles.ca.{{ role }}
{%- endif -%}
{%- endfor -%}
{%- endif -%}
{%- endif -%}
{%- endif -%}

0
pillars/roles/ca/none.sls Normal file
View file

13
pillars/roles/ca/vpnserver.sls Normal file
View file

@ -0,0 +1,13 @@
ca:
vpn.actcur.com:
type: server
priv-locations:
/etc/openvpn/server/vpn.actcur.com.key:
user: root
group: root
mode: 400
cert-locations:
/etc/openvpn/server/vpn.actcur.com.crt:
user: root
group: root
mode: 400

0
pillars/roles/firewalld/nginx-proxy.sls Executable file → Normal file
View file

1
pillars/roles/init.sls
View file

@ -6,3 +6,4 @@ include:
- roles.mount
- roles.git
- roles.backup
- roles.ca

8
pillars/roles/mount/saltmaster.sls
View file

@ -8,3 +8,11 @@ mount:
host: host.actcur.com
directory: /mnt/butter/backups/configurations
user: backups
/secure/ca/issued:
host: ca.actcur.com
directory: /etc/easy-rsa/pki/issued
user: ca
/secure/ca/private:
host: ca.actcur.com
directory: /etc/easy-rsa/pki/private
user: ca

1
pillars/servers/env/server/archca.sls vendored Normal file
View file

@ -0,0 +1 @@
env: prod

1
pillars/servers/env/server/archgitlab.sls~HEAD vendored Normal file
View file

@ -0,0 +1 @@
env: prod

1
pillars/servers/env/server/archgitlab.sls~HEAD_0 vendored Normal file
View file

@ -0,0 +1 @@
env: prod

1
pillars/servers/env/server/archgitlab.sls~history vendored Normal file
View file

@ -0,0 +1 @@
env: prod

1
pillars/servers/env/server/archgitlab.sls~history_0 vendored Normal file
View file

@ -0,0 +1 @@
env: prod

1
pillars/servers/env/server/archhost1.sls~HEAD vendored Normal file
View file

@ -0,0 +1 @@
env: prod

1
pillars/servers/env/server/archhost1.sls~HEAD_0 vendored Normal file
View file

@ -0,0 +1 @@
env: prod

1
pillars/servers/env/server/archhost1.sls~history vendored Normal file
View file

@ -0,0 +1 @@
env: prod

1
pillars/servers/env/server/archhost1.sls~history_0 vendored Normal file
View file

@ -0,0 +1 @@
env: prod

1
pillars/servers/env/server/archvpn.sls vendored Normal file
View file

@ -0,0 +1 @@
env: prod

1
pillars/servers/env/server/debiangitlab.sls~HEAD vendored Normal file
View file

@ -0,0 +1 @@
env: prod

1
pillars/servers/env/server/debiangitlab.sls~HEAD_0 vendored Normal file
View file

@ -0,0 +1 @@
env: prod

1
pillars/servers/env/server/debiangitlab.sls~history vendored Normal file
View file

@ -0,0 +1 @@
env: prod

1
pillars/servers/env/server/debiangitlab.sls~history_0 vendored Normal file
View file

@ -0,0 +1 @@
env: prod

3
pillars/servers/maintainer/server/archca.sls Normal file
View file

@ -0,0 +1,3 @@
maintainer:
- masaufuku

3
pillars/servers/maintainer/server/archgitlab.sls~HEAD Normal file
View file

@ -0,0 +1,3 @@
maintainer:
- masaufuku

3
pillars/servers/maintainer/server/archgitlab.sls~HEAD_0 Normal file
View file

@ -0,0 +1,3 @@
maintainer:
- masaufuku

3
pillars/servers/maintainer/server/archgitlab.sls~history Normal file
View file

@ -0,0 +1,3 @@
maintainer:
- masaufuku

3
pillars/servers/maintainer/server/archgitlab.sls~history_0 Normal file
View file

@ -0,0 +1,3 @@
maintainer:
- masaufuku

3
pillars/servers/maintainer/server/archhost1.sls~HEAD Normal file
View file

@ -0,0 +1,3 @@
maintainer:
- masaufuku

3
pillars/servers/maintainer/server/archhost1.sls~HEAD_0 Normal file
View file

@ -0,0 +1,3 @@
maintainer:
- masaufuku

3
pillars/servers/maintainer/server/archhost1.sls~history Normal file
View file

@ -0,0 +1,3 @@
maintainer:
- masaufuku

3
pillars/servers/maintainer/server/archhost1.sls~history_0 Normal file
View file

@ -0,0 +1,3 @@
maintainer:
- masaufuku

3
pillars/servers/maintainer/server/archvpn.sls Normal file
View file

@ -0,0 +1,3 @@
maintainer:
- masaufuku

3
pillars/servers/maintainer/server/debiangitlab.sls~HEAD Normal file
View file

@ -0,0 +1,3 @@
maintainer:
- masaufuku

3
pillars/servers/maintainer/server/debiangitlab.sls~HEAD_0 Normal file
View file

@ -0,0 +1,3 @@
maintainer:
- masaufuku

3
pillars/servers/maintainer/server/debiangitlab.sls~history Normal file
View file

@ -0,0 +1,3 @@
maintainer:
- masaufuku

3
pillars/servers/maintainer/server/debiangitlab.sls~history_0 Normal file
View file

@ -0,0 +1,3 @@
maintainer:
- masaufuku

6
pillars/servers/roles/server/archca.sls Normal file
View file

@ -0,0 +1,6 @@
grains:
roles:
- server
- ssh
- saltminion
- ca

7
pillars/servers/roles/server/archvpn.sls Normal file
View file

@ -0,0 +1,7 @@
grains:
roles:
- server
- ssh
- saltminion
- vpnserver
- ca-cert

15
states/roles/build/ca/init.sls Normal file
View file

@ -0,0 +1,15 @@
ca-easy-rsa-build:
pkg.installed:
- name: easy-rsa
#temporary - easy-rsa package is broken and uses wrong working direcotry
easy-rsa-vars-build:
file.managed:
- name: "/etc/easy-rsa/vars"
- source: salt://roles/maintain/ca/vars
#--vars=./vars is temporary until package is fixed
gen-ca-key:
cmd.run:
- name: "easyrsa --vars=./vars init-pki;easyrsa --batch --vars=./vars build-ca nopass batch"
- cwd: "/etc/easy-rsa"

29
states/roles/maintain/ca-cert/init.sls Normal file
View file

@ -0,0 +1,29 @@
{##ensure that ca pillar exists##}
{%- if pillar['ca'] is defined -%}
{##copy certs and private keys for machine##}
{%- for name in pillar['ca'] %}
{%- if pillar['ca'][name]['priv-locations'] is defined -%}
{%- for plocation in pillar['ca'][name]['priv-locations'] %}
priv_location_{{plocation}}:
file.managed:
- name: {{plocation}}
- source: salt://secure/ca/private/{{name}}.key
- user: {{pillar['ca'][name]['priv-locations'][plocation]['user']}}
- group: {{pillar['ca'][name]['priv-locations'][plocation]['group']}}
- mode: {{pillar['ca'][name]['priv-locations'][plocation]['mode']}}
{%- endfor %}
{%- endif %}
{%- if pillar['ca'][name]['cert-locations'] is defined -%}
{%- for clocation in pillar['ca'][name]['cert-locations'] %}
cert_location{{clocation}}:
file.managed:
- name: {{clocation}}
- source: salt://secure/ca/issued/{{name}}.crt
- user: {{pillar['ca'][name]['cert-locations'][clocation]['user']}}
- group: {{pillar['ca'][name]['cert-locations'][clocation]['group']}}
- mode: {{pillar['ca'][name]['cert-locations'][clocation]['mode']}}
{%- endfor %}
{%- endif %}
{%- endfor %}
{%- endif %}

56
states/roles/maintain/ca/init.sls Normal file
View file

@ -0,0 +1,56 @@
ca-easy-rsa-maint:
pkg.installed:
- name: easy-rsa
#temporary - easy-rsa package is broken and uses wrong working direcotry
easy-rsa-vars-maint:
file.managed:
- name: "/etc/easy-rsa/vars"
- source: salt://roles/maintain/ca/vars
#initialize ca if necessary
#--vars=./vars is temporary until package is fixed
gen-ca-key:
cmd.run:
- name: "easyrsa --vars=./vars init-pki;easyrsa --batch --vars=./vars build-ca nopass batch"
- cwd: "/etc/easy-rsa"
- onlyif: 'test ! -e /etc/easy-rsa/pki/ca.crt'
#generate keys if needed
#--vars=./vars is temporary until package is fixed
{%- if pillar['ca'] is defined -%}
{%- for name in pillar['ca'] %}
gen-{{name}}-cert:
cmd.run:
- name: "easyrsa --batch --vars=./vars gen-req {{name}} nopass;easyrsa --batch --vars=./vars sign-req {{pillar['ca'][name]['type']}} {{name}};"
- cwd: "/etc/easy-rsa"
- onlyif: 'test ! -e /etc/easy-rsa/pki/reqs/{{name}}.req'
#set ownership to root:ca and mod to 640
{{name}}-cert-perms:
file.managed:
- name: /etc/easy-rsa/pki/issued/{{name}}.crt
- group: ca
- mode: 640
{{name}}-key-perms:
file.managed:
- name: /etc/easy-rsa/pki/private/{{name}}.key
- group: ca
- mode: 640
{%- endfor %}
{%- endif %}
#set directory perms
pki-perms:
file.directory:
- name: /etc/easy-rsa/pki/
- group: ca
- mode: 750
issued-perms:
file.directory:
- name: /etc/easy-rsa/pki/issued/
- group: ca
- mode: 750
private-perms:
file.directory:
- name: /etc/easy-rsa/pki/private
- group: ca
- mode: 750

198
states/roles/maintain/ca/vars Normal file
View file

@ -0,0 +1,198 @@
# Easy-RSA 3 parameter settings
# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit
# this file in place -- instead, you should copy the entire easy-rsa directory
# to another location so future upgrades don't wipe out your changes.
# HOW TO USE THIS FILE
#
# vars.example contains built-in examples to Easy-RSA settings. You MUST name
# this file 'vars' if you want it to be used as a configuration file. If you do
# not, it WILL NOT be automatically read when you call easyrsa commands.
#
# It is not necessary to use this config file unless you wish to change
# operational defaults. These defaults should be fine for many uses without the
# need to copy and edit the 'vars' file.
#
# All of the editable settings are shown commented and start with the command
# 'set_var' -- this means any set_var command that is uncommented has been
# modified by the user. If you're happy with a default, there is no need to
# define the value to its default.
# NOTES FOR WINDOWS USERS
#
# Paths for Windows *MUST* use forward slashes, or optionally double-esscaped
# backslashes (single forward slashes are recommended.) This means your path to
# the openssl binary might look like this:
# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
# A little housekeeping: DON'T EDIT THIS SECTION
#
# Easy-RSA 3.x doesn't source into the environment directly.
# Complain if a user tries to do this:
if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
echo "This is no longer necessary and is disallowed. See the section called" >&2
echo "'How to use this file' near the top comments for more details." >&2
return 1
fi
# DO YOUR EDITS BELOW THIS POINT
# This variable should point to the top level of the easy-rsa tree. By default,
# this is taken to be the directory you are currently in.
set_var EASYRSA "$PWD"
# If your OpenSSL command is not in the system PATH, you will need to define the
# path to it here. Normally this means a full path to the executable, otherwise
# you could have left it undefined here and the shown default would be used.
#
# Windows users, remember to use paths with forward-slashes (or escaped
# back-slashes.) Windows users should declare the full path to the openssl
# binary here if it is not in their system PATH.
#set_var EASYRSA_OPENSSL "openssl"
#
# This sample is in Windows syntax -- edit it for your path if not using PATH:
#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
# Edit this variable to point to your soon-to-be-created key directory.
#
# WARNING: init-pki will do a rm -rf on this directory so make sure you define
# it correctly! (Interactive mode will prompt before acting.)
#set_var EASYRSA_PKI "$EASYRSA/pki"
# Define X509 DN mode.
# This is used to adjust what elements are included in the Subject field as the DN
# (this is the "Distinguished Name.")
# Note that in cn_only mode the Organizational fields further below aren't used.
#
# Choices are:
# cn_only - use just a CN value
# org - use the "traditional" Country/Province/City/Org/OU/email/CN format
#set_var EASYRSA_DN "cn_only"
# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
# These are the default values for fields which will be placed in the
# certificate. Don't leave any of these fields blank, although interactively
# you may omit any specific field by typing the "." symbol (not valid for
# email.)
#set_var EASYRSA_REQ_COUNTRY "US"
#set_var EASYRSA_REQ_PROVINCE "California"
#set_var EASYRSA_REQ_CITY "San Francisco"
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL "me@example.net"
#set_var EASYRSA_REQ_OU "My Organizational Unit"
# Choose a size in bits for your keypairs. The recommended value is 2048. Using
# 2048-bit keys is considered more than sufficient for many years into the
# future. Larger keysizes will slow down TLS negotiation and make key/DH param
# generation take much longer. Values up to 4096 should be accepted by most
# software. Only used when the crypto alg is rsa (see below.)
#set_var EASYRSA_KEY_SIZE 2048
# The default crypto mode is rsa; ec can enable elliptic curve support.
# Note that not all software supports ECC, so use care when enabling it.
# Choices for crypto alg are: (each in lower-case)
# * rsa
# * ec
#set_var EASYRSA_ALGO rsa
# Define the named curve, used in ec mode only:
#set_var EASYRSA_CURVE secp384r1
# In how many days should the root CA key expire?
#set_var EASYRSA_CA_EXPIRE 3650
# In how many days should certificates expire?
#set_var EASYRSA_CERT_EXPIRE 3650
# How many days until the next CRL publish date? Note that the CRL can still be
# parsed after this timeframe passes. It is only used for an expected next
# publication date.
#set_var EASYRSA_CRL_DAYS 180
# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
# is "no" to discourage use of deprecated extensions. If you require this
# feature to use with --ns-cert-type, set this to "yes" here. This support
# should be replaced with the more modern --remote-cert-tls feature. If you do
# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
# this defined to "no". When set to "yes", server-signed certs get the
# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
# nsComment field.
#set_var EASYRSA_NS_SUPPORT "no"
# When NS_SUPPORT is set to "yes", this field is added as the nsComment field.
# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored.
#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate"
# A temp file used to stage cert extensions during signing. The default should
# be fine for most users; however, some users might want an alternative under a
# RAM-based FS, such as /dev/shm or /tmp on some systems.
#set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp"
# !!
# NOTE: ADVANCED OPTIONS BELOW THIS POINT
# PLAY WITH THEM AT YOUR OWN RISK
# !!
# Broken shell command aliases: If you have a largely broken shell that is
# missing any of these POSIX-required commands used by Easy-RSA, you will need
# to define an alias to the proper path for the command. The symptom will be
# some form of a 'command not found' error from your shell. This means your
# shell is BROKEN, but you can hack around it here if you really need. These
# shown values are not defaults: it is up to you to know what you're doing if
# you touch these.
#
#alias awk="/alt/bin/awk"
#alias cat="/alt/bin/cat"
# X509 extensions directory:
# If you want to customize the X509 extensions used, set the directory to look
# for extensions here. Each cert type you sign must have a matching filename,
# and an optional file named 'COMMON' is included first when present. Note that
# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then
# fallback to $EASYRSA for the 'x509-types' dir. You may override this
# detection with an explicit dir here.
#
#set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
# OpenSSL config file:
# If you need to use a specific openssl config file, you can reference it here.
# Normally this file is auto-detected from a file named openssl-1.0.cnf from the
# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA
# specific and you cannot just use a standard config file, so this is an
# advanced feature.
#set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
# Default CN:
# This is best left alone. Interactively you will set this manually, and BATCH
# callers are expected to set this themselves.
#set_var EASYRSA_REQ_CN "ChangeMe"
# Cryptographic digest to use.
# Do not change this default unless you understand the security implications.
# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512
#set_var EASYRSA_DIGEST "sha256"
# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly
# in batch mode without any user input, confirmation on dangerous operations,
# or most output. Setting this to any non-blank string enables batch mode.
#set_var EASYRSA_BATCH ""

2
states/roles/maintain/gitlab/conf_files/database.yml
View file

@ -9,7 +9,7 @@ production:
database: gitlab
pool: 10
username: gitlab
password: "{%- include 'secure/gitlab_db_password.txt' -%}"
password: "{%- include 'secure/passwords/gitlab_db_password.txt' -%}"
host: sql.actcur.com
# socket: /tmp/mysql.sock

2
states/roles/maintain/gitlab/conf_files/smtp_settings.rb
View file

@ -16,7 +16,7 @@ if Rails.env.production?
address: "smtp.zoho.com",
port: 587,
user_name: "notifications@actcur.com",
password: "{%- include 'secure/gitlab_smtp_password.txt' -%}",
password: "{%- include 'secure/passwords/gitlab_smtp_password.txt' -%}",
domain: "smtp.zoho.com",
enable_starttls_auto: true,
}

0
states/roles/maintain/gitlab/init.sls Executable file → Normal file
View file

73
states/roles/maintain/gitlabarch/conf_files/config.yml Normal file
View file

@ -0,0 +1,73 @@
#
# If you change this file in a Merge Request, please also create
# a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
#
# GitLab user. git by default
user: gitlab
# URL to GitLab instance, used for API calls. Default: http://localhost:8080.
# For relative URL support read http://doc.gitlab.com/ce/install/relative_url.html
# You only have to change the default if you have configured Unicorn
# to listen on a custom port, or if you have configured Unicorn to
# only listen on a Unix domain socket. For Unix domain sockets use
# "http+unix://<urlquoted-path-to-socket>", e.g.
# "http+unix://%2Fpath%2Fto%2Fsocket"
gitlab_url: "http://localhost:8080"
# See installation.md#using-https for additional HTTPS configuration details.
http_settings:
# read_timeout: 300
# user: someone
# password: somepass
# ca_file: /etc/ssl/cert.pem
# ca_path: /etc/pki/tls/certs
self_signed_cert: false
# File used as authorized_keys for gitlab user
auth_file: "/var/lib/gitlab/.ssh/authorized_keys"
# File that contains the secret key for verifying access to GitLab.
# Default is .gitlab_shell_secret in the gitlab-shell directory.
# secret_file: "/var/lib/gitlab/gitlab-shell/.gitlab_shell_secret"
# Parent directory for global custom hook directories (pre-receive.d, update.d, post-receive.d)
# Default is hooks in the gitlab-shell directory.
# custom_hooks_dir: "/var/lib/gitlab/gitlab-shell/hooks"
# Redis settings used for pushing commit notices to gitlab
redis:
bin: /usr/bin/redis-cli
host: 127.0.0.1
port: 6379
# pass: redispass # Allows you to specify the password for Redis
database: 5
socket: /run/redis/redis.sock # Comment out this line if you want to use TCP or Sentinel
namespace: resque:gitlab
# sentinels:
# -
# host: 127.0.0.1
# port: 26380
# -
# host: 127.0.0.1
# port: 26381
# Log file.
# Default is gitlab-shell.log in the root directory.
log_file: "/var/log/gitlab/gitlab-shell.log"
# Log level. INFO by default
log_level: INFO
# Audit usernames.
# Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but
# incurs an extra API call on every gitlab-shell command.
audit_usernames: false
# Git trace log file.
# If set, git commands receive GIT_TRACE* environment variables
# See https://git-scm.com/book/es/v2/Git-Internals-Environment-Variables#Debugging for documentation
# An absolute path starting with / the trace output will be appended to that file.
# It needs to exist so we can check permissions and avoid to throwing warnings to the users.
git_trace_log_file:

44
states/roles/maintain/gitlabarch/conf_files/database.yml Normal file
View file

@ -0,0 +1,44 @@
#
# PRODUCTION
#
production:
adapter: mysql2
encoding: utf8
collation: utf8_general_ci
reconnect: false
database: gitlab
pool: 10
username: gitlab
password: "{%- include 'secure/passwords/gitlab_db_password.txt' -%}"
host: sql.actcur.com
# socket: /tmp/mysql.sock
#
# Development specific
#
development:
adapter: mysql2
encoding: utf8
collation: utf8_general_ci
reconnect: false
database: gitlabhq_development
pool: 5
username: root
password: "secure password"
# host: localhost
# socket: /tmp/mysql.sock
# Warning: The database defined as "test" will be erased and
# re-generated from your development database when you run "rake".
# Do not set this db to the same as development or production.
test: &test
adapter: mysql2
encoding: utf8mb4
collation: utf8mb4_general_ci
reconnect: false
database: gitlabhq_test
pool: 5
username: root
password:
# host: localhost
# socket: /tmp/mysql.sock

69
states/roles/maintain/gitlabarch/conf_files/gitlab.conf Normal file
View file

@ -0,0 +1,69 @@
## GitLab
##
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
##################################
## CONTRIBUTING ##
##################################
##
## If you change this file in a Merge Request, please also create
## a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
##
###################################
## configuration ##
###################################
##
## See installation.md#using-https for additional HTTPS configuration details.
upstream gitlab-workhorse {
server unix:/run/gitlab/gitlab-workhorse.socket fail_timeout=0;
}
## Normal HTTP host
server {
## Either remove "default_server" from the listen line below,
## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
## to be served if you visit any address that your server responds to, eg.
## the ip address of the server (http://x.x.x.x/)n 0.0.0.0:80 default_server;
listen 0.0.0.0:8000;
listen [::]:8000;
server_name git2.actcur.com; ## Replace this with something like gitlab.example.com
server_tokens off; ## Don't show the nginx version number, a security best practice
## See app/controllers/application_controller.rb for headers set
## Individual nginx logs for this GitLab vhost
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
location / {
client_max_body_size 0;
gzip off;
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://gitlab-workhorse;
}
error_page 404 /404.html;
error_page 422 /422.html;
error_page 500 /500.html;
error_page 502 /502.html;
location ~ ^/(404|422|500|502)\.html$ {
root /usr/share/webapps/gitlab/public;
internal;
}
}

627
states/roles/maintain/gitlabarch/conf_files/gitlab.yml Normal file
View file

@ -0,0 +1,627 @@
# # # # # # # # # # # # # # # # # #
# GitLab application config file #
# # # # # # # # # # # # # # # # # #
#
########################### NOTE #####################################
# This file should not receive new settings. All configuration options #
# * are being moved to ApplicationSetting model! #
# If a setting requires an application restart say so in that screen. #
# If you change this file in a Merge Request, please also create #
# a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests #
########################################################################
#
#
# How to use:
# 1. Copy file as gitlab.yml
# 2. Update gitlab -> host with your fully qualified domain name
# 3. Update gitlab -> email_from
# 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git
# IMPORTANT: If Git was installed in a different location use that instead.
# You can check with `which git`. If a wrong path of Git is specified, it will
# result in various issues such as failures of GitLab CI builds.
# 5. Review this configuration file for other settings you may want to adjust
production: &base
#
# 1. GitLab app settings
# ==========================
## GitLab settings
gitlab:
## Web server settings (note: host is the FQDN, do not include http://)
host: git.actcur.com
port: 443 # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
https: true # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
# Uncommment this line below if your ssh host is different from HTTP/HTTPS one
# (you'd obviously need to replace ssh.host_example.com with your own host).
# Otherwise, ssh host will be set to the `host:` value above
# ssh_host: ssh.host_example.com
# Relative URL support
# WARNING: We recommend using an FQDN to host GitLab in a root path instead
# of using a relative URL.
# Documentation: http://doc.gitlab.com/ce/install/relative_url.html
# Uncomment and customize the following line to run in a non-root path
#
# relative_url_root: /gitlab
# Trusted Proxies
# Customize if you have GitLab behind a reverse proxy which is running on a different machine.
# Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
trusted_proxies:
# Examples:
#- 192.168.1.0/24
#- 192.168.2.1
#- 2001:0db8::/32
# Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
user: gitlab
## Date & Time settings
# Uncomment and customize if you want to change the default time zone of GitLab application.
# To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production`
# time_zone: 'UTC'
## Email settings
# Uncomment and set to false if you need to disable email sending from GitLab (default: true)
# email_enabled: true
# Email address used in the "From" field in mails sent by GitLab
email_from: notifications@actcur.com
email_display_name: Actcur Git
email_reply_to: noreply@actcur.com
email_subject_suffix: ''
# Email server smtp settings are in config/initializers/smtp_settings.rb.sample
# default_can_create_group: false # default: true
# username_changing_enabled: false # default: true - User can change her username/namespace
## Automatic issue closing
# If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
# This happens when the commit is pushed or merged into the default branch of a project.
# When not specified the default issue_closing_pattern as specified below will be used.
# Tip: you can test your closing pattern at http://rubular.com.
# issue_closing_pattern: '((?:[Cc]los(?:e[sd]?|ing)|[Ff]ix(?:e[sd]|ing)?|[Rr]esolv(?:e[sd]?|ing))(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)'
## Default project features settings
default_projects_features:
issues: true
merge_requests: true
wiki: true
snippets: true
builds: true
container_registry: true
## Webhook settings
# Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
# webhook_timeout: 10
## Repository downloads directory
# When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory.
# The default is 'shared/cache/archive/' relative to the root of the Rails app.
# repository_downloads_path: shared/cache/archive/
## Reply by email
# Allow users to comment on issues and merge requests by replying to notification emails.
# For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html
incoming_email:
enabled: false
# The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
# The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
address: "gitlab-incoming+%{key}@gmail.com"
# Email account username
# With third party providers, this is usually the full email address.
# With self-hosted email servers, this is usually the user part of the email address.
user: "gitlab-incoming@gmail.com"
# Email account password
password: "[REDACTED]"
# IMAP server host
host: "imap.gmail.com"
# IMAP server port
port: 993
# Whether the IMAP server uses SSL
ssl: true
# Whether the IMAP server uses StartTLS
start_tls: false
# The mailbox where incoming mail will end up. Usually "inbox".
mailbox: "inbox"
# The IDLE command timeout.
idle_timeout: 60
## Build Artifacts
artifacts:
enabled: true
# The location where build artifacts are stored (default: shared/artifacts).
# path: shared/artifacts
## Git LFS
lfs:
enabled: true
# The location where LFS objects are stored (default: shared/lfs-objects).
# storage_path: shared/lfs-objects
## GitLab Pages
pages:
enabled: false
# The location where pages are stored (default: shared/pages).
# path: shared/pages
# The domain under which the pages are served:
# http://group.example.com/project
# or project path can be a group page: group.example.com
host: example.com
port: 80 # Set to 443 if you serve the pages with HTTPS
https: false # Set to true if you serve the pages with HTTPS
# external_http: ["1.1.1.1:80", "[2001::1]:80"] # If defined, enables custom domain support in GitLab Pages
# external_https: ["1.1.1.1:443", "[2001::1]:443"] # If defined, enables custom domain and certificate support in GitLab Pages
## Mattermost
## For enabling Add to Mattermost button
mattermost:
enabled: false
host: 'https://mattermost.example.com'
## Gravatar
## For Libravatar see: http://doc.gitlab.com/ce/customization/libravatar.html
gravatar:
# gravatar urls: possible placeholders: %{hash} %{size} %{email} %{username}
# plain_url: "http://..." # default: http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
# ssl_url: "https://..." # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
## Auxiliary jobs
# Periodically executed jobs, to self-heal Gitlab, do external synchronizations, etc.
# Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
cron_jobs:
# Flag stuck CI jobs as failed
stuck_ci_jobs_worker:
cron: "0 * * * *"
# Execute scheduled triggers
pipeline_schedule_worker:
cron: "19 * * * *"
# Remove expired build artifacts
expire_build_artifacts_worker:
cron: "50 * * * *"
# Periodically run 'git fsck' on all repositories. If started more than
# once per hour you will have concurrent 'git fsck' jobs.
repository_check_worker:
cron: "20 * * * *"
# Send admin emails once a week
admin_email_worker:
cron: "0 0 * * 0"
# Remove outdated repository archives
repository_archive_cache_worker:
cron: "0 * * * *"
registry:
# enabled: true
# host: registry.example.com
# port: 5005
# api_url: http://localhost:5000/ # internal address to the registry, will be used by GitLab to directly communicate with API
# key: config/registry.key
# path: shared/registry
# issuer: gitlab-issuer
#
# 2. GitLab CI settings
# ==========================
gitlab_ci:
# Default project notifications settings:
#
# Send emails only on broken builds (default: true)
# all_broken_builds: true
#
# Add pusher to recipients list (default: false)
# add_pusher: true
# The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root
# builds_path: builds/
#
# 3. Auth settings
# ==========================
## LDAP settings
# You can inspect a sample of the LDAP users with login access by running:
# bundle exec rake gitlab:ldap:check RAILS_ENV=production
ldap:
enabled: false
servers:
##########################################################################
#
# Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab
# Enterprise Edition now supports connecting to multiple LDAP servers.
#
# If you are updating from the old (pre-7.4) syntax, you MUST give your
# old server the ID 'main'.
#
##########################################################################
main: # 'main' is the GitLab 'provider ID' of this LDAP server
## label
#
# A human-friendly name for your LDAP server. It is OK to change the label later,
# for instance if you find out it is too large to fit on the web page.
#
# Example: 'Paris' or 'Acme, Ltd.'
label: 'LDAP'
host: '_your_ldap_server'
port: 389
uid: 'sAMAccountName'
method: 'plain' # "tls" or "ssl" or "plain"
bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
password: '_the_password_of_the_bind_user'
# Set a timeout, in seconds, for LDAP queries. This helps avoid blocking
# a request if the LDAP server becomes unresponsive.
# A value of 0 means there is no timeout.
timeout: 10
# This setting specifies if LDAP server is Active Directory LDAP server.
# For non AD servers it skips the AD specific queries.
# If your LDAP server is not AD, set this to false.
active_directory: true
# If allow_username_or_email_login is enabled, GitLab will ignore everything
# after the first '@' in the LDAP username submitted by the user on login.
#
# Example:
# - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
# - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
#
# If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
# disable this setting, because the userPrincipalName contains an '@'.
allow_username_or_email_login: false
# To maintain tight control over the number of active users on your GitLab installation,
# enable this setting to keep new users blocked until they have been cleared by the admin
# (default: false).
block_auto_created_users: false
# Base where we can search for users
#
# Ex. ou=People,dc=gitlab,dc=example
#
base: ''
# Filter LDAP users
#
# Format: RFC 4515 http://tools.ietf.org/search/rfc4515
# Ex. (employeeType=developer)
#
# Note: GitLab does not support omniauth-ldap's custom filter syntax.
#
user_filter: ''
# LDAP attributes that GitLab will use to create an account for the LDAP user.
# The specified attribute can either be the attribute name as a string (e.g. 'mail'),
# or an array of attribute names to try in order (e.g. ['mail', 'email']).
# Note that the user's LDAP login will always be the attribute specified as `uid` above.
attributes:
# The username will be used in paths for the user's own projects
# (like `gitlab.example.com/username/project`) and when mentioning
# them in issues, merge request and comments (like `@username`).
# If the attribute specified for `username` contains an email address,
# the GitLab username will be the part of the email address before the '@'.
username: ['uid', 'userid', 'sAMAccountName']
email: ['mail', 'email', 'userPrincipalName']
# If no full name could be found at the attribute specified for `name`,
# the full name is determined using the attributes specified for
# `first_name` and `last_name`.
name: 'cn'
first_name: 'givenName'
last_name: 'sn'
# GitLab EE only: add more LDAP servers
# Choose an ID made of a-z and 0-9 . This ID will be stored in the database
# so that GitLab can remember which LDAP server a user belongs to.
# uswest2:
# label:
# host:
# ....
## OmniAuth settings
omniauth:
# Allow login via Twitter, Google, etc. using OmniAuth providers
enabled: false
# Uncomment this to automatically sign in with a specific omniauth provider's without
# showing GitLab's sign-in page (default: show the GitLab sign-in page)
# auto_sign_in_with_provider: saml
# Sync user's email address from the specified Omniauth provider every time the user logs
# in (default: nil). And consequently make this field read-only.
# sync_email_from_provider: cas3
# CAUTION!
# This allows users to login without having a user account first. Define the allowed providers
# using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none.
# User accounts will be created automatically when authentication was successful.
allow_single_sign_on: ["saml"]
# Locks down those users until they have been cleared by the admin (default: true).
block_auto_created_users: true
# Look up new users in LDAP servers. If a match is found (same uid), automatically
# link the omniauth identity with the LDAP account. (default: false)
auto_link_ldap_user: false
# Allow users with existing accounts to login and auto link their account via SAML
# login, without having to do a manual login first and manually add SAML
# (default: false)
auto_link_saml_user: false
# Set different Omniauth providers as external so that all users creating accounts
# via these providers will not be able to have access to internal projects. You
# will need to use the full name of the provider, like `google_oauth2` for Google.
# Refer to the examples below for the full names of the supported providers.
# (default: [])
external_providers: []
## Auth providers
# Uncomment the following lines and fill in the data of the auth provider you want to use
# If your favorite auth provider is not listed you can use others:
# see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations
# The 'app_id' and 'app_secret' parameters are always passed as the first two
# arguments, followed by optional 'args' which can be either a hash or an array.
# Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
providers:
# See omniauth-cas3 for more configuration details
# - { name: 'cas3',
# label: 'cas3',
# args: {
# url: 'https://sso.example.com',
# disable_ssl_verification: false,
# login_url: '/cas/login',
# service_validate_url: '/cas/p3/serviceValidate',
# logout_url: '/cas/logout'} }
# - { name: 'authentiq',
# # for client credentials (client ID and secret), go to https://www.authentiq.com/
# app_id: 'YOUR_CLIENT_ID',
# app_secret: 'YOUR_CLIENT_SECRET',
# args: {
# scope: 'aq:name email~rs address aq:push'
# # redirect_uri parameter is optional except when 'gitlab.host' in this file is set to 'localhost'
# # redirect_uri: 'YOUR_REDIRECT_URI'
# }
# }
# - { name: 'github',
# app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET',
# url: "https://github.com/",
# verify_ssl: true,
# args: { scope: 'user:email' } }
# - { name: 'bitbucket',
# app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET' }
# - { name: 'gitlab',
# app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET',
# args: { scope: 'api' } }
# - { name: 'google_oauth2',
# app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET',
# args: { access_type: 'offline', approval_prompt: '' } }
# - { name: 'facebook',
# app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET' }
# - { name: 'twitter',
# app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET' }
#
# - { name: 'saml',
# label: 'Our SAML Provider',
# groups_attribute: 'Groups',
# external_groups: ['Contractors', 'Freelancers'],
# args: {
# assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
# idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
# idp_sso_target_url: 'https://login.example.com/idp',
# issuer: 'https://gitlab.example.com',
# name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
# } }
#
# - { name: 'crowd',
# args: {
# crowd_server_url: 'CROWD SERVER URL',
# application_name: 'YOUR_APP_NAME',
# application_password: 'YOUR_APP_PASSWORD' } }
#
# - { name: 'auth0',
# args: {
# client_id: 'YOUR_AUTH0_CLIENT_ID',
# client_secret: 'YOUR_AUTH0_CLIENT_SECRET',
# namespace: 'YOUR_AUTH0_DOMAIN' } }
# SSO maximum session duration in seconds. Defaults to CAS default of 8 hours.
# cas3:
# session_duration: 28800
# Shared file storage settings
shared:
path: /var/lib/gitlab/shared # Default: shared
# Gitaly settings
gitaly:
# This setting controls whether GitLab uses Gitaly (new component
# introduced in 9.0). Eventually Gitaly use will become mandatory and
# this option will disappear.
enabled: true
#
# 4. Advanced settings
# ==========================
## Repositories settings
repositories:
# Paths where repositories can be stored. Give the canonicalized absolute pathname.
# IMPORTANT: None of the path components may be symlink, because
# gitlab-shell invokes Dir.pwd inside the repository path and that results
# real path not the symlink.
storages: # You must have at least a `default` storage path.
default:
path: /var/lib/gitlab/repositories/
gitaly_address: unix:/var/lib/gitlab/sockets/gitlab-gitaly.socket # TCP connections are supported too (e.g. tcp://host:port)
## Backup settings
backup:
path: "/var/lib/gitlab/backups" # Relative paths are relative to Rails.root (default: tmp/backups/)
# archive_permissions: 0640 # Permissions for the resulting backup.tar file (default: 0600)
# keep_time: 604800 # default: 0 (forever) (in seconds)
# pg_schema: public # default: nil, it means that all schemas will be backed up
# upload:
# # Fog storage connection settings, see http://fog.io/storage/ .
# connection:
# provider: AWS
# region: eu-west-1
# aws_access_key_id: AKIAKIAKI
# aws_secret_access_key: 'secret123'
# # The remote 'directory' to store your backups. For S3, this would be the bucket name.
# remote_directory: 'my.s3.bucket'
# # Use multipart uploads when file size reaches 100MB, see
# # http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
# multipart_chunk_size: 104857600
# # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
# # encryption: 'AES256'
# # Specifies Amazon S3 storage class to use for backups, this is optional
# # storage_class: 'STANDARD'
## GitLab Shell settings
gitlab_shell:
path: /usr/share/webapps/gitlab-shell/
hooks_path: /usr/share/webapps/gitlab-shell/hooks/
# File that contains the secret key for verifying access for gitlab-shell.
# Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app).
# secret_file: /home/git/gitlab/.gitlab_shell_secret
# Git over HTTP
upload_pack: true
receive_pack: true
# Git import/fetch timeout
# git_timeout: 800
# If you use non-standard ssh port you need to specify it
# ssh_port: 22
workhorse:
# File that contains the secret key for verifying access for gitlab-workhorse.
# Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app).
# secret_file: /home/git/gitlab/.gitlab_workhorse_secret
## Git settings
# CAUTION!
# Use the default values unless you really know what you are doing
git:
bin_path: /usr/bin/git
# The next value is the maximum memory size grit can use
# Given in number of bytes per git object (e.g. a commit)
# This value can be increased if you have very large commits
max_size: 20971520 # 20.megabytes
# Git timeout to read a commit, in seconds
timeout: 10
## Webpack settings
# If enabled, this will tell rails to serve frontend assets from the webpack-dev-server running
# on a given port instead of serving directly from /assets/webpack. This is only indended for use
# in development.
webpack:
# dev_server:
# enabled: true
# host: localhost
# port: 3808
#
# 5. Extra customization
# ==========================
extra:
## Google analytics. Uncomment if you want it
# google_analytics_id: '_your_tracking_id'
## Piwik analytics.
# piwik_url: '_your_piwik_url'
# piwik_site_id: '_your_piwik_site_id'
rack_attack:
git_basic_auth:
# Rack Attack IP banning enabled
# enabled: true
#
# Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers
# ip_whitelist: ["127.0.0.1"]
#
# Limit the number of Git HTTP authentication attempts per IP
# maxretry: 10
#
# Reset the auth attempt counter per IP after 60 seconds
# findtime: 60
#
# Ban an IP for one hour (3600s) after too many auth attempts
# bantime: 3600
development:
<<: *base
test:
<<: *base
gravatar:
enabled: true
lfs:
enabled: false
gitlab:
host: localhost
port: 80
# When you run tests we clone and setup gitlab-shell
# In order to setup it correctly you need to specify
# your system username you use to run GitLab
# user: YOUR_USERNAME
pages:
path: tmp/tests/pages
repositories:
storages:
default:
path: tmp/tests/repositories/
gitaly_address: unix:tmp/tests/gitaly/gitaly.socket
gitaly:
enabled: true
backup:
path: tmp/tests/backups
gitlab_shell:
path: tmp/tests/gitlab-shell/
hooks_path: tmp/tests/gitlab-shell/hooks/
issues_tracker:
redmine:
title: "Redmine"
project_url: "http://redmine/projects/:issues_tracker_id"
issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
jira:
title: "JIRA"
url: https://sample_company.atlassian.net
project_key: PROJECT
ldap:
enabled: false
servers:
main:
label: ldap
host: 127.0.0.1
port: 3890
uid: 'uid'
method: 'plain' # "tls" or "ssl" or "plain"
base: 'dc=example,dc=com'
user_filter: ''
group_base: 'ou=groups,dc=example,dc=com'
admin_group: ''
staging:
<<: *base

83
states/roles/maintain/gitlabarch/conf_files/production.rb Normal file
View file

@ -0,0 +1,83 @@
Rails.application.configure do
# Settings specified here will take precedence over those in config/application.rb
# Code is not reloaded between requests
config.cache_classes = true
# Full error reports are disabled and caching is turned on
config.consider_all_requests_local = false
config.action_controller.perform_caching = true
# Disable Rails's static asset server (Apache or nginx will already do this)
config.serve_static_files = false
# Compress JavaScripts and CSS.
config.assets.js_compressor = :uglifier
# config.assets.css_compressor = :sass
# Don't fallback to assets pipeline if a precompiled asset is missed
config.assets.compile = false
# Generate digests for assets URLs
config.assets.digest = true
# Enable compression of compiled assets using gzip.
config.assets.compress = true
# Defaults to nil and saved in location specified by config.assets.prefix
# config.assets.manifest = YOUR_PATH
# Specifies the header that your server uses for sending files
# config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
# config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
# config.force_ssl = true
# See everything in the log (default is :info)
config.log_level = :info
# Suppress 'Rendered template ...' messages in the log
# source: http://stackoverflow.com/a/16369363
%w{render_template render_partial render_collection}.each do |event|
ActiveSupport::Notifications.unsubscribe "#{event}.action_view"
end
# Prepend all log lines with the following tags
# config.log_tags = [ :subdomain, :uuid ]
# Use a different logger for distributed setups
# config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
# Enable serving of images, stylesheets, and JavaScripts from an asset server
config.action_controller.asset_host = ENV['GITLAB_CDN_HOST'] if ENV['GITLAB_CDN_HOST'].present?
# Precompile additional assets (application.js, application.css, and all non-JS/CSS are already added)
# config.assets.precompile += %w( search.js )
# Disable delivery errors, bad email addresses will be ignored
# config.action_mailer.raise_delivery_errors = false
# Enable threaded mode
# config.threadsafe! unless $rails_rake_task
# Enable locale fallbacks for I18n (makes lookups for any locale fall back to
# the I18n.default_locale when a translation can not be found)
config.i18n.fallbacks = true
# Send deprecation notices to registered listeners
config.active_support.deprecation = :notify
config.action_mailer.delivery_method = :smtp
# Defaults to:
# # config.action_mailer.sendmail_settings = {
# # location: '/usr/sbin/sendmail',
# # arguments: '-i -t'
# # }
config.action_mailer.perform_deliveries = true
config.action_mailer.raise_delivery_errors = true
config.eager_load = true
config.allow_concurrency = false
end

1293
states/roles/maintain/gitlabarch/conf_files/redis.conf Normal file
View file

File diff suppressed because it is too large Load diff

34
states/roles/maintain/gitlabarch/conf_files/resque.yml Normal file
View file

@ -0,0 +1,34 @@
# If you change this file in a Merge Request, please also create
# a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
#
development:
url: unix:/run/redis/redis.sock
# sentinels:
# -
# host: localhost
# port: 26380 # point to sentinel, not to redis port
# -
# host: slave2
# port: 26381 # point to sentinel, not to redis port
test:
url: unix:/run/redis/redis.sock
production:
# Redis (single instance)
url: unix:/run/redis/redis.sock
##
# Redis + Sentinel (for HA)
#
# Please read instructions carefully before using it as you may lose data:
# http://redis.io/topics/sentinel
#
# You must specify a list of a few sentinels that will handle client connection
# please read here for more information: https://docs.gitlab.com/ce/administration/high_availability/redis.html
##
# url: redis://master:6379
# sentinels:
# -
# host: slave1
# port: 26379 # point to sentinel, not to redis port
# -
# host: slave2
# port: 26379 # point to sentinel, not to redis port

23
states/roles/maintain/gitlabarch/conf_files/smtp_settings.rb Normal file
View file

@ -0,0 +1,23 @@
# To enable smtp email delivery for your GitLab instance do the following:
# 1. Rename this file to smtp_settings.rb
# 2. Edit settings inside this file
# 3. Restart GitLab instance
#
# For full list of options and their values see http://api.rubyonrails.org/classes/ActionMailer/Base.html
#
# If you change this file in a Merge Request, please also create a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
if Rails.env.production?
Rails.application.config.action_mailer.delivery_method = :smtp
ActionMailer::Base.delivery_method = :smtp
ActionMailer::Base.smtp_settings = {
authentication: :plain,
address: "smtp.zoho.com",
port: 587,
user_name: "notifications@actcur.com",
password: "{%- include 'secure/passwords/gitlab_smtp_password.txt' -%}",
domain: "smtp.zoho.com",
enable_starttls_auto: true,
}
end

1
states/roles/maintain/gitlabarch/conf_files/tmp_redis.conf Normal file
View file

@ -0,0 +1 @@
d /run/redis 0755 redis redis -

175
states/roles/maintain/gitlabarch/init.sls Normal file
View file

@ -0,0 +1,175 @@
gitlab:
pkg.installed
mariadb:
pkg.installed
gitlab_nginx:
pkg.installed:
- name: nginx
#managed files
/etc/webapps/gitlab/gitlab.yml:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/gitlab.yml
- user: root
- group: root
- mode: 644
/etc/webapps/gitlab/database.yml:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/database.yml
- user: gitlab
- group: gitlab
- mode: 600
- template: jinja
/etc/webapps/gitlab/resque.yml:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/resque.yml
- user: root
- group: root
- mode: 644
/etc/webapps/gitlab-shell/config.yml:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/config.yml
- user: gitlab
- group: gitlab
- mode: 600
/usr/share/webapps/gitlab/config/initializers/smtp_settings.rb:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/smtp_settings.rb
- user: root
- group: root
- mode: 644
- template: jinja
/usr/share/webapps/gitlab/config/environments/production.rb:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/production.rb
- user: root
- group: root
- mode: 644
/etc/redis.conf:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/redis.conf
- user: root
- group: root
- mode: 644
/etc/tempfiles.d/redis.conf:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/tmp_redis.conf
- user: root
- group: root
- mode: 644
- makedirs: true
/etc/nginx/conf.d/gitlab.conf:
file.managed:
- source: salt://roles/maintain/gitlab/conf_files/gitlab.conf
- user: root
- group: root
- makedirs: true
- dir_mode: 755
- mode: 644
#add users git and gitlab to redis group
git_user:
user.present:
- name: git
- groups:
- redis
gitlab_user:
user.present:
- name: gitlab
- groups:
- redis
#migrate redis database as gitlab user if necessary
redis-running:
service.running:
- name: redis
- enable: true
- watch:
- file: /etc/redis.conf
- file: /etc/tempfiles.d/redis.conf
gitlab_rake_db:
cmd.run:
- name: "bundle-2.3 exec rake db:migrate RAILS_ENV=production"
- cwd: "/usr/share/webapps/gitlab"
- runas: gitlab
- watch:
- pkg: gitlab
#global git configuration
gitlab_git_name:
git.config_set:
- name: user.name
- value: "Actaeus Curabitur"
- user: gitlab
- global: true
gitlab_git_email:
git.config_set:
- name: user.email
- value: "actcur@actcur.com"
- user: gitlab
- global: true
gitlab_git_crlf:
git.config_set:
- name: core.autocrlf
- value: "input"
- user: gitlab
- global: true
#create symlink
symlink_repos:
file.symlink:
- name: /var/lib/gitlab/repositories
- target: /mnt/repos
- force: true
#verify perms for repos are right
/var/lib/gitlab/repositories/:
file.directory:
- user: gitlab
- group: gitlab
- dir_mode: 4770
#start services
gitlab.target:
service.running:
- enable: true
- watch:
- file: /etc/webapps/gitlab/gitlab.yml
- file: /etc/webapps/gitlab/database.yml
- file: /etc/webapps/gitlab/resque.yml
- file: /etc/webapps/gitlab-shell/config.yml
- file: /etc/nginx/conf.d/gitlab.conf
- file: /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb
- file: /usr/share/webapps/gitlab/config/environments/production.rb
gitlab-workhorse:
service.running:
- enable: true
- watch:
- file: /etc/webapps/gitlab/gitlab.yml
- file: /etc/webapps/gitlab/database.yml
- file: /etc/webapps/gitlab/resque.yml
- file: /etc/webapps/gitlab-shell/config.yml
- file: /etc/nginx/conf.d/gitlab.conf
- file: /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb
- file: /usr/share/webapps/gitlab/config/environments/production.rb
gitlab-unicorn:
service.running:
- enable: true
- watch:
- file: /etc/webapps/gitlab/gitlab.yml
- file: /etc/webapps/gitlab/database.yml
- file: /etc/webapps/gitlab/resque.yml
- file: /etc/webapps/gitlab-shell/config.yml
- file: /etc/nginx/conf.d/gitlab.conf
- file: /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb
- file: /usr/share/webapps/gitlab/config/environments/production.rb
gitlab-sidekiq:
service.running:
- enable: true
- watch:
- file: /etc/webapps/gitlab/gitlab.yml
- file: /etc/webapps/gitlab/database.yml
- file: /etc/webapps/gitlab/resque.yml
- file: /etc/webapps/gitlab-shell/config.yml
- file: /etc/nginx/conf.d/gitlab.conf
- file: /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb
- file: /usr/share/webapps/gitlab/config/environments/production.rb

1
states/roles/maintain/glances/certs
View file

@ -1 +0,0 @@
/etc/letsencrypt/live/

4
states/roles/maintain/glances/init.sls
View file

@ -31,7 +31,7 @@ nginx:
{%- for name in pillar['nginx'] %}
"/etc/nginx/certs/{{name}}.actcur.com/":
file.recurse:
- source: salt://roles/maintain/nginx-proxy/certs/{{name}}.actcur.com/
- source: salt://secure/certs/{{name}}.actcur.com/
{%- if os=="CentOS" or os=="RedHat" %}
- user: nginx
- user: nginx
@ -76,7 +76,7 @@ nginx:
"/etc/nginx/certs/portal.actcur.com/":
file.recurse:
- source: salt://roles/maintain/nginx-proxy/certs/portal.actcur.com/
- source: salt://secure/certs/portal.actcur.com/
- user: http
- group: http
- dir_mode: 755

1
states/roles/maintain/ldap/certs
View file

@ -1 +0,0 @@
/etc/letsencrypt/live/

3
states/roles/maintain/ldap/init.sls
View file

@ -9,7 +9,7 @@ openldap:
/etc/openldap/certs/:
file.recurse:
- source: salt://roles/maintain/nginx-proxy/certs/ldap.actcur.com/
- source: salt://secure/certs/ldap.actcur.com/
- user: ldap
- group: ldap
- dir_mode: 755
@ -92,4 +92,3 @@ own_data:
- user: ldap
- group: ldap
- mode: 644

1
states/roles/maintain/nginx-proxy/certs
View file

@ -1 +0,0 @@
/etc/letsencrypt/live/

8
states/roles/maintain/nginx-proxy/init.sls
View file

@ -35,7 +35,7 @@ nginx:
{%- for name in pillar['nginx'] %}
"/etc/nginx/certs/{{name}}.actcur.com/":
file.recurse:
- source: salt://roles/maintain/nginx-proxy/certs/{{name}}.actcur.com/
- source: salt://secure/certs/{{name}}.actcur.com/
{%- if os=="CentOS" or os=="RedHat" %}
- user: nginx
- user: nginx
@ -44,7 +44,7 @@ nginx:
- group: http
{%- endif %}
- dir_mode: 755
- file:mode: 400
- file_mode: 400
- clean: true
/etc/nginx/conf.d/{{ name }}.conf:
@ -80,10 +80,10 @@ nginx:
"/etc/nginx/certs/portal.actcur.com/":
file.recurse:
- source: salt://roles/maintain/nginx-proxy/certs/portal.actcur.com/
- source: salt://secure/certs/portal.actcur.com/
- user: http
- group: http
- dir_mode: 755
- file:mode: 400
- file_mode: 400
- clean: true
{%- endif -%}

17
states/roles/maintain/vpnserver/init.sls Normal file
View file

@ -0,0 +1,17 @@
vpn-server:
pkg.installed:
- name: openvpn
#generate diff-hellman param files
#build only
gen-dh-param:
cmd.run:
- name: "openssl dhparam -out /etc/openvpn/server/dh.pem 2048"
- onlyif: 'test ! -e /etc/openvpn/server/dh.pem'
#generate hmac key
#build only
gen-hmac-key:
cmd.run:
- name: "openvpn --genkey --secret /etc/openvpn/server/ta.key"
- onlyif: 'test ! -e /etc/openvpn/server/ta.key'

2
states/systems/core/backup/init.sls
View file

@ -11,7 +11,7 @@
{{ name }}_key:
file.managed:
- name: /root/.ssh/{{ pillar['backup'][name]['key'] }}
- source: salt://systems/core/backup/keys/{{ pillar['backup'][name]['key'] }}
- source: salt://secure/keys/backup/{{ pillar['backup'][name]['key'] }}
- user: root
- group: root
- mode: 600

2
states/systems/core/git/init.sls
View file

@ -12,7 +12,7 @@ git_pkg:
{{ repo }}_key:
file.managed:
- name: /root/.ssh/{{ pillar['git'][repo]['key'] }}
- source: salt://systems/core/git/keys/{{ pillar['git'][repo]['key'] }}
- source: salt://secure/keys/git/{{ pillar['git'][repo]['key'] }}
- user: root
- group: root
- mode: 600

1
states/systems/core/git/keys
View file

@ -1 +0,0 @@
/keys/git/

2
states/systems/core/mount/init.sls Executable file → Normal file
View file

@ -45,7 +45,7 @@ mount_host.actcur.com:
{{ mount }}_key:
file.managed:
- name: /root/.ssh/{{user}}_key
- source: salt://systems/core/mount/keys/{{user}}_key
- source: salt://secure/keys/mount/{{user}}_key
- user: root
- group: root
- mode: 600

1
states/systems/core/mount/keys
View file

@ -1 +0,0 @@
/keys/mount/

0
states/top.sls Executable file → Normal file
View file

0
test Executable file → Normal file
View file