diff --git a/defaults/main.yml b/defaults/main.yml index 15bb1d2..eeb9cba 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,15 +1,18 @@ --- - +# gitlab_ver: 13.10.2 gitlab_config_dest: /etc/gitlab +gitlab_config_privilege_escalate: True +gitlab_config_privilege_escalation_user: root # Run gitlab-ctl reconfigure if config has changed -gitlab_config_reconfigure: true +gitlab_config_reconfigure: True # Take nightly backup of gitlab application and configuration -gitlab_config_auto_nightly_backup: true +gitlab_config_auto_backup_enabled: True # Required gitlab_config_external_url: http://example.com +gitlab_config_letsencrypt_enabled: true # Optional - Following are NOT default values, are only examples 
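Review bot: `gitlab_ver` is left commented out here while the new `gitlab_config_backup_program`, `gitlab_config_backup_command` and concurrency expressions in vars/main.yml evaluate `gitlab_ver is version(...)` unconditionally, so a host that does not receive `gitlab_ver` from elsewhere (presumably the new andrewrothstein.gitlab dependency, but that is not visible here) fails with an undefined variable as soon as backups are enabled; either ship a default or state the requirement in the comment, e.g. `# gitlab_ver: required when gitlab_config_auto_backup_enabled is true (normally set by the gitlab role)`. The boolean defaults also mix casings — `gitlab_config_privilege_escalate: True`, `gitlab_config_reconfigure: True`, `gitlab_config_auto_backup_enabled: True` next to `gitlab_config_letsencrypt_enabled: true` — and yamllint's truthy rule wants lowercase `true`/`false` throughout. Separately, `gitlab_config_letsencrypt_enabled: true` is rendered straight into `letsencrypt['enable']` while `gitlab_config_external_url` still defaults to `http://example.com`, so a stock run requests Let's Encrypt for a non-HTTPS URL; defaulting it to `false` would match `gitlab_config_enable_https: False` further down the file.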
@@ -91,7 +94,36 @@ gitlab_config_external_url: http://example.com # }, # ] -# gitlab_config_manage_backup_path: true +gitlab_config_manage_backup_path: False +gitlab_config_backup_use_nfs: False + +gitlab_config_backup_restore_enabled: False +gitlab_config_backup_restore_check_config: True +gitlab_config_backup_restore_verify_db_secrets: False + +## Backup Environment Variables +# gitlab_config_backup_restore_prompt_disable: True +gitlab_config_backup_strategy: copy +# gitlab_config_backup_timestamp_prefix: [TIMESTAMP] +# gitlab_config_backup_gzip_rsyncable: true +# gitlab_config_backup_group_duration: daily|weekly +# gitlab_config_backup_exclude_directories: +# - db # (databases) +# - uploads # (attachments) +# - builds # (CI job output logs) +# - artifacts # (CI job artifacts) +# - lfs # (LFS objects) +# - registry # (Container Registry Images) +# - pages # (Pages Content) +# - repositories # (Git repositories data) +# - tar # (Tar Creation) +# Note: v13.3+ https://docs.gitlab.com/ee/raketasks/backup_restore.html#back-up-git-repositories-concurrently +# gitlab_config_backup_concurrency: 1 +# gitlab_config_backup_storage_concurrency: 1 + +## Backup:Restore Environment Variables +# gitlab_config_backup_restore_timestamp: [TIMESTAMP]-{{ gitlab_config_mode | default("omnibus") }} + # gitlab_config_backup_path: /var/opt/gitlab/backups # gitlab_config_backup_archive_permissions: '0644' 
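Review bot: `gitlab_config_backup_use_nfs: False` is added as a default, but vars/main.yml still defines `gitlab_config_backup_use_nfs` as a computed expression (it appears as a context line in that hunk), and role `vars/` take precedence over `defaults/` and over inventory, so this default is never used and a user who overrides it is silently ignored; drop it, or replace it with a comment such as `# gitlab_config_backup_use_nfs is derived in vars/main.yml from gitlab_config_backup_upload[':local_root']`. The commented examples `gitlab_config_backup_timestamp_prefix: [TIMESTAMP]` and `gitlab_config_backup_restore_timestamp: [TIMESTAMP]-{{ gitlab_config_mode | default("omnibus") }}` would not parse if uncommented as written, because a leading `[` opens a YAML flow sequence; quote them, e.g. `# gitlab_config_backup_restore_timestamp: '[TIMESTAMP]-{{ gitlab_config_mode | default("omnibus") }}'`.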
@@ -111,6 +143,23 @@ gitlab_config_external_url: http://example.com # endPoint: https://s3.abc.com # gitlab_config_backup_upload_remote_directory: my.s3.gitlab-backups +gitlab_config_backup_application_data: True +gitlab_config_backup_application_data_schedule: + # month: '*' + # weekday: '*' + # day: '*' + # hour: '*' + # minute: '*' +gitlab_config_backup_config_data: True +gitlab_config_backup_config_data_schedule: + # month: '*' + # weekday: '*' + # day: '*' + # hour: '*' + # minute: '*' +# gitlab_config_backup_config_data_path: /var/opt/gitlab/config-backups +# gitlab_config_backup_config_data_addl_cmds: [] + # gitlab_config_smtp_enabled: true # gitlab_config_smtp_address: example.com # gitlab_config_smtp_port: 25 @@ -156,7 +205,7 @@ gitlab_config_external_url: http://example.com # gitlab_config_prometheus_gitlab_monitor_enabled: true # To enable HTTPS, change the gitlab_config_external_url to https://example.com -# gitlab_config_enable_https: true +gitlab_config_enable_https: False # gitlab_config_src_pki_dir: ~/pki # gitlab_config_dest_pki_dir: /etc/gitlab/ssl # gitlab_config_pki_key_suffix: '.key' @@ -173,12 +222,6 @@ gitlab_config_external_url: http://example.com # - key: no_proxy # value: localhost,127.0.0.1 -# Setting for auto nightly backups -# gitlab_config_backup_application_data: true -# gitlab_config_backup_config_data: true -# gitlab_config_backup_config_data_path: /var/opt/gitlab/config-backups -# gitlab_config_backup_config_data_additional_cmd: '' - # For all other settings listed on - https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template , # use following map to add custom settings # gitlab_config_custom: |+ diff --git a/meta/main.yml b/meta/main.yml index fc87a1c..7cc9e6d 100644 --- a/meta/main.yml +++ b/meta/main.yml 
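Review bot: With `gitlab_config_backup_application_data_schedule:` and `gitlab_config_backup_config_data_schedule:` left as bare keys (null) and every field commented out, backup.yml's cron tasks pass `default(omit)` for month, weekday, day, hour and minute, and the cron module fills every omitted field with `*`, so the default "nightly" backup jobs run every minute; the removed tasks ran at `minute: "0"`, `hour: "2"`. Keep that as the default, e.g. `gitlab_config_backup_application_data_schedule:` / `  hour: '2'` / `  minute: '0'`, and the same for the config-data schedule. If a schedule is meant to be optional, write `{}` rather than a bare key, which yamllint's empty-values rule flags as well.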
@@ -28,4 +28,8 @@ galaxy_info: - gitlab - configure -dependencies: [] +dependencies: + - role: andrewrothstein.cron + version: v1.0.0 + - role: andrewrothstein.gitlab + version: v2.2.8 diff --git a/tasks/backup.yml b/tasks/backup.yml index d2a1482..00d33cd 100644 --- a/tasks/backup.yml +++ b/tasks/backup.yml 
@@ -1,38 +1,66 @@ --- +- name: create backup dir + become: '{{ gitlab_config_privilege_escalate }}' + become_user: '{{ gitlab_config_privilege_escalation_user }}' + when: gitlab_config_manage_backup_path or gitlab_config_backup_use_nfs + file: + path: '{{ gitlab_config_backup_dir }}' + state: directory + mode: 0755 + owner: '{{ gitlab_config_eff_user }}' + group: '{{ gitlab_config_eff_group }}' + - name: create cronjob to take nightly backup of application data - become: yes - become_user: root - when: gitlab_config_backup_application_data|default(true) + become: '{{ gitlab_config_privilege_escalate }}' + become_user: '{{ gitlab_config_privilege_escalation_user }}' + when: gitlab_config_backup_application_data cron: - name: "gitlab-ce-nightly-backups-app-data" - minute: "0" - hour: "2" - job: "/opt/gitlab/bin/gitlab-rake gitlab:backup:create" + name: "gitlab-app-data-backup" + job: |- + {{ gitlab_config_backup_program }} {{ gitlab_config_backup_command }} + {%- for env in (gitlab_config_backup_environment_vars | dict2items | rejectattr("value", "eq", "") | list) %} {{ env.key }}={{ env.value }}{% endfor -%} + month: '{{ gitlab_config_backup_application_data_schedule.month | default(omit) }}' + weekday: '{{ gitlab_config_backup_application_data_schedule.weekday | default(omit) }}' + day: '{{ gitlab_config_backup_application_data_schedule.day | default(omit) }}' + hour: '{{ gitlab_config_backup_application_data_schedule.hour | default(omit) }}' + minute: '{{ gitlab_config_backup_application_data_schedule.minute | default(omit) }}' state: present - name: create cronjob to take nightly backup of configuration data - become: yes - become_user: root - when: gitlab_config_backup_config_data|default(true) + become: '{{ gitlab_config_privilege_escalate }}' + become_user: '{{ gitlab_config_privilege_escalation_user }}' + when: gitlab_config_backup_config_data cron: - name: "gitlab-ce-nightly-backups-config-data" - minute: "0" - hour: "2" - job: 'umask 0077; FILE=$(date 
"+etc-gitlab-\%s.tgz"); tar cfz {{ gitlab_config_auto_nightly_backup_config_data_path }}/$FILE -C / etc/gitlab; {{ gitlab_config_backup_config_data_additional_cmd }}' + name: "gitlab-config-data-backup" + job: |- + {{ ((gitlab_ver is version("12.3", operator="<") | ternary( + [ + "umask %s" | format(gitlab_config_auto_backup_config_data_permissions), + 'FILE=$(date "+etc-gitlab-\%s.tgz")', + "tar cfz %s/$FILE -C / %s" | format(gitlab_config_auto_backup_config_data_path, gitlab_config_dest) + ], + [ + "%s backup-etc %s" | format(gitlab_config_controller_cli, gitlab_config_auto_backup_config_data_path) + ])) + (gitlab_config_backup_config_data_addl_cmds | default([]))) | join(";") }} + month: '{{ gitlab_config_backup_config_data_schedule.month | default(omit) }}' + weekday: '{{ gitlab_config_backup_config_data_schedule.weekday | default(omit) }}' + day: '{{ gitlab_config_backup_config_data_schedule.day | default(omit) }}' + hour: '{{ gitlab_config_backup_config_data_schedule.hour | default(omit) }}' + minute: '{{ gitlab_config_backup_config_data_schedule.minute | default(omit) }}' state: present - name: update MAILTO entry of crontab to get output of nightly jobs - become: yes - become_user: root + become: '{{ gitlab_config_privilege_escalate }}' + become_user: '{{ gitlab_config_privilege_escalation_user }}' when: gitlab_config_cronjob_notification_email is defined cronvar: name: MAILTO - value: "{{ gitlab_config_cronjob_notification_email }}" + value: '{{ gitlab_config_cronjob_notification_email }}' - name: update MAILFROM entry of crontab - become: yes - become_user: root + become: '{{ gitlab_config_privilege_escalate }}' + become_user: '{{ gitlab_config_privilege_escalation_user }}' when: gitlab_config_cronjob_notification_email is defined and gitlab_config_email_from is defined cronvar: name: MAILFROM - value: "{{ gitlab_config_email_from }}" + value: '{{ gitlab_config_email_from }}' diff --git a/tasks/main.yml b/tasks/main.yml index 03446bc..ece9710 100644 
--- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,32 +1,25 @@ --- -- include_tasks: pki.yml - when: gitlab_config_enable_https|default(false) - -- name: create backup dir - become: yes - become_user: root - when: gitlab_config_manage_backup_path|default(false) or gitlab_config_backup_use_nfs|default(false) - file: - path: '{{ gitlab_config_backup_dir }}' - state: directory - mode: 0755 - owner: git - group: git - - name: load gitlab-config file - become: yes - become_user: root - register: load_config + become: '{{ gitlab_config_privilege_escalate }}' + become_user: '{{ gitlab_config_privilege_escalation_user }}' + register: gitlab_config template: src: gitlab.rb.j2 dest: '{{ gitlab_config_dest }}/gitlab.rb' mode: 0600 -- name: reconfigure gitlab - become: yes - become_user: root - when: gitlab_config_reconfigure|default(true) and load_config is changed - command: gitlab-ctl reconfigure +- include_tasks: pki.yml + when: gitlab_config_enable_https - include_tasks: backup.yml - when: gitlab_config_auto_nightly_backup | default(true) + when: gitlab_config_auto_backup_enabled + +- name: reconfigure gitlab + become: '{{ gitlab_config_privilege_escalate }}' + become_user: '{{ gitlab_config_privilege_escalation_user }}' + when: gitlab_config_reconfigure and gitlab_config is changed + command: '{{ gitlab_config_controller_cli }} reconfigure' + +- name: restore gitlab + when: gitlab_config_backup_restore_enabled + include_tasks: restore.yml diff --git a/tasks/pki.yml b/tasks/pki.yml index 3f90080..bf824ee 100644 --- a/tasks/pki.yml +++ b/tasks/pki.yml 
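Review bot: The new `restore gitlab` task includes restore.yml on every run in which `gitlab_config_backup_restore_enabled` is true, after `reconfigure gitlab`; restore.yml stops puma/sidekiq and runs the restore with `force=yes`, which overwrites the live database and repositories, and nothing resets the flag, so leaving it set in inventory restores again on each play. Nothing documents this; a comment above the task, e.g. `# Destructive one-shot: pass gitlab_config_backup_restore_enabled and _timestamp as extra vars for a single run`, would make the intent clear. Gating the include on `gitlab_config_backup_restore_timestamp is defined` as well would avoid the case where the flag is set without a backup reference: the stop task runs first and the undefined `BACKUP` value is only hit when the restore command is templated, leaving GitLab stopped.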
@@ -1,15 +1,15 @@ --- - name: create host pki dir - become: yes - become_user: root + become: '{{ gitlab_config_privilege_escalate }}' + become_user: '{{ gitlab_config_privilege_escalation_user }}' file: state: directory path: '{{ gitlab_config_dest_pki_dir }}' mode: 0700 - name: install keys/certs - become: yes - become_user: root + become: '{{ gitlab_config_privilege_escalate }}' + become_user: '{{ gitlab_config_privilege_escalation_user }}' with_items: - { f: '{{ gitlab_config_pki_key_src }}', d: '{{ gitlab_config_pki_key_dest }}', m: '0400' } - { f: '{{ gitlab_config_pki_cert_src }}', d: '{{ gitlab_config_pki_cert_dest }}', m: '0400'} diff --git a/tasks/restore.yml b/tasks/restore.yml new file mode 100644 index 0000000..16b364b --- /dev/null +++ b/tasks/restore.yml 
@@ -0,0 +1,42 @@ +--- +- name: stop processes connected to database + become: '{{ gitlab_config_privilege_escalate }}' + become_user: '{{ gitlab_config_privilege_escalation_user }}' + loop: + - unicorn + - puma + - sidekiq + command: '{{ gitlab_config_controller_cli }} stop {{ item }}' + +- name: restore application backup ref={{ gitlab_config_backup_restore_timestamp }} + become: '{{ gitlab_config_privilege_escalate }}' + become_user: '{{ gitlab_config_privilege_escalation_user }}' + command: |- + {{ gitlab_config_backup_program }} {{ gitlab_config_backup_restore_command }} + {%- for k,v in gitlab_config_backup_restore_environment_vars.items() %} {{ k }}={{ v }}{% endfor -%} + +- name: look for gitlab secrets file + become: '{{ gitlab_config_privilege_escalate }}' + become_user: '{{ gitlab_config_privilege_escalation_user }}' + changed_when: False + stat: + path: '{{ gitlab_config_secrets_path }}' + register: gitlab_secrets + +- when: gitlab_secrets.stat.exists + become: '{{ gitlab_config_privilege_escalate }}' + become_user: '{{ gitlab_config_privilege_escalation_user }}' + block: + - name: reload gitlab + loop: + - reconfigure + - restart + command: '{{ gitlab_config_controller_cli }} {{ item }}' + + - name: check gitlab configuration + when: gitlab_config_backup_restore_check_config + command: gitlab-rake gitlab:check SANITIZE=true + + - name: verify db decryption capabilities + when: gitlab_config_backup_restore_verify_db_secrets + command: gitlab-rake gitlab:doctor:secrets diff --git a/templates/gitlab.rb.j2 b/templates/gitlab.rb.j2 index baaa0fe..889d5c2 100644 --- a/templates/gitlab.rb.j2 +++ b/templates/gitlab.rb.j2 
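Review bot: `stop processes connected to database` runs `gitlab-ctl stop` for `unicorn`, `puma` and `sidekiq` regardless of version, but an installation has only one of unicorn or puma, and I believe `gitlab-ctl stop` on a service that is not enabled exits non-zero (confirm), which would abort the restore after part of the stack is already down; pick the web server by version, as vars/main.yml already does with `gitlab_ver`, or add a `failed_when` that tolerates the missing service. The `reload gitlab` reconfigure/restart lives inside the `when: gitlab_secrets.stat.exists` block, so if the secrets file is absent after the restore the services stopped in the first task are never started again; the restart should run unconditionally and only the checks stay gated. `check gitlab configuration` and `verify db decryption capabilities` are read-only and should carry `changed_when: false`, as the stat task already does.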
@@ -1,11 +1,20 @@ #jinja2: trim_blocks:False ## Latest options listed at https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template +{% if gitlab_config_user is defined -%} +user['username'] = {{ gitlab_config_user | to_json }} +{%- endif %} +{% if gitlab_config_group is defined -%} +user['group'] = {{ gitlab_config_group | to_json }} +{%- endif %} + ## GitLab URL ##! URL on which GitLab will be reachable. ##! For more details on configuring external_url see: ##! https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-the-external-url-for-gitlab external_url "{{ gitlab_config_external_url }}" +##! SSL Configuration Options: https://docs.gitlab.com/omnibus/settings/ssl.html +letsencrypt['enable'] = {{ gitlab_config_letsencrypt_enabled | to_json }} {% if proxy_env is defined -%} gitlab_rails['env'] = { diff --git a/vars/main.yml b/vars/main.yml index 621083e..3145847 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,4 +1,10 @@ --- +gitlab_config_controller_cli: gitlab-ctl +gitlab_config_secrets_path: '{{ gitlab_config_dest }}/gitlab-secrets.json' + +gitlab_config_eff_user: gitlab_config_user | default("git") +gitlab_config_eff_group: gitlab_config_group | default("git") + gitlab_config_pki_key_file: '{{ inventory_hostname }}{{ gitlab_config_pki_key_suffix | default(".key") }}' gitlab_config_pki_key_src: '{{ gitlab_config_src_pki_dir | default("~/pki") }}/{{ gitlab_config_pki_key_file }}' gitlab_config_pki_key_dest: '{{ gitlab_config_dest_pki_dir | default("/etc/gitlab/ssl") }}/{{ gitlab_config_pki_key_file }}' 
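Review bot: `gitlab_config_eff_user: gitlab_config_user | default("git")` and `gitlab_config_eff_group: gitlab_config_group | default("git")` have no `{{ }}`, so they are the literal strings `gitlab_config_user | default("git")` and `gitlab_config_group | default("git")`, and the `create backup dir` task in backup.yml hands that text to `owner:`/`group:`, which the file module rejects as an unknown user and group. Write `gitlab_config_eff_user: '{{ gitlab_config_user | default("git") }}'` and `gitlab_config_eff_group: '{{ gitlab_config_group | default("git") }}'`, the same single-quoted template form the pki lines below already use.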
@@ -7,7 +13,29 @@ gitlab_config_pki_cert_file: '{{ inventory_hostname }}{{ gitlab_config_pki_cert_ gitlab_config_pki_cert_src: '{{ gitlab_config_src_pki_dir | default("~/pki") }}/{{ gitlab_config_pki_cert_file }}' gitlab_config_pki_cert_dest: '{{ gitlab_config_dest_pki_dir | default("/etc/gitlab/ssl") }}/{{ gitlab_config_pki_cert_file }}' +gitlab_config_backup_program: '{{ gitlab_ver is version("12.1", operator=">") | ternary("gitlab-backup", "gitlab-rake") }}' +gitlab_config_backup_command: '{{ gitlab_ver is version("12.1", operator=">") | ternary("create", "gitlab:backup:create") }}' +gitlab_config_backup_restore_command: '{{ gitlab_ver is version("12.1", operator=">") | ternary("restore", "gitlab:backup:restore") }}' gitlab_config_backup_use_nfs: '{{ gitlab_config_backup_upload is defined and gitlab_config_backup_upload[":local_root"] is defined }}' gitlab_config_backup_dir: "{% if gitlab_config_backup_use_nfs %}{{ gitlab_config_backup_upload[':local_root'] }}{% else %}{{ gitlab_config_backup_path|default('/var/opt/gitlab/backups') }}{% endif %}" -gitlab_config_auto_nightly_backup_config_data_path: "{% if gitlab_config_backup_config_data_path is defined %}{{ gitlab_config_backup_config_data_path }}{% else %}{{ gitlab_config_backup_path | default('/var/opt/gitlab/backups') }}{% endif %}" +gitlab_config_backup_environment_vars: + CRON: 1 + STRATEGY: '{{ gitlab_config_backup_strategy | default(None) }}' + BACKUP: '{{ gitlab_config_backup_timestamp_prefix | default(None) }}' + GZIP_RSYNCABLE: '{{ gitlab_config_backup_gzip_rsyncable | default(None) }}' + DIRECTORY: '{{ gitlab_config_backup_group_duration | default(None) }}' + SKIP: |- + {{ (gitlab_config_backup_exclude_directories is defined and gitlab_config_backup_exclude_directories is sequence) | ternary( + gitlab_config_backup_exclude_directories | default([]) | join(","), + None + ) }} + GITLAB_BACKUP_MAX_CONCURRENCY: '{{ gitlab_ver is version("13.3", operator="<") | ternary(None, 
gitlab_config_backup_concurrency) }}' + GITLAB_BACKUP_MAX_STORAGE_CONCURRENCY: '{{ gitlab_ver is version("13.3", operator="<") | ternary(None, gitlab_config_backup_storage_concurrency) }}' +gitlab_config_backup_restore_environment_vars: + GITLAB_ASSUME_YES: '{{ gitlab_config_backup_restore_prompt_disable | default(True) | int }}' + BACKUP: '{{ gitlab_config_backup_restore_timestamp }}' + force: 'yes' + +gitlab_config_auto_backup_config_data_path: '{{ gitlab_config_backup_config_data_path | default("/etc/gitlab/config_backup") }}' +gitlab_config_auto_backup_config_data_permissions: '0600'
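Review bot: The `default(None)` entries in `gitlab_config_backup_environment_vars` (`STRATEGY`, `BACKUP`, `GZIP_RSYNCABLE`, `DIRECTORY`, the `SKIP` ternary and the two `ternary(None, ...)` concurrency values) do not render as empty strings — Jinja2 prints a null as `None` — while backup.yml only drops entries whose value is `eq ""`, so with stock defaults the crontab command gets `BACKUP=None GZIP_RSYNCABLE=None DIRECTORY=None SKIP=None` appended; use `default("")` and `ternary("", ...)` so the filter removes them, e.g. `BACKUP: '{{ gitlab_config_backup_timestamp_prefix | default("") }}'`. `GITLAB_BACKUP_MAX_CONCURRENCY` and `GITLAB_BACKUP_MAX_STORAGE_CONCURRENCY` also reference `gitlab_config_backup_concurrency` and `gitlab_config_backup_storage_concurrency`, which defaults/main.yml leaves commented out, so on GitLab 13.3 or later these vars likely fail with an undefined variable unless the user sets both; add `| default("")` inside the ternary there too. A one-line comment above `SKIP` saying that a non-list value is deliberately ignored rather than joined would save the next reader from re-deriving the ternary.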