[gitlab] smtp server and https push

2021-02-10 19:08:36 +01:00 · 2021-02-10 19:08:36 +01:00 · b152c48ed3
parent d383ca4b8b
commit b152c48ed3
7 changed files with 40 additions and 26 deletions
--- a/ansible.cfg
+++ b/ansible.cfg
@ -17,6 +17,9 @@ inventory = ./hosts
 # Custom header in templates
 # ansible_managed = Ansible managed, see https://gitlab.crans.org/nounous/ansible

+# Maximum size of files to be considered for diff display
+max_diff_size = 1000000
+
 # Do not use cows (with cowsay)
 nocows = 1

--- a/group_vars/git.yml
+++ b/group_vars/git.yml
@ -1,20 +1,23 @@
 ---
-
 glob_gitlab:
  url: 'https://gitlab.crans.org'
  time_zone: 'Europe/Paris'
  email: 'gitlab@crans.org'
  email_display_name: 'Crans GitLab'
-  ldap_label: 'Crans'
-  ldap_host: '172.16.10.147'
-  ldap_port: 389
-  ldap_uid: 'uid'
-  ldap_bind_dn: 'cn=gitlab,ou=service-users,dc=crans,dc=org'
-  ldap_base: 'cn=Utilisateurs,dc=crans,dc=org'
-  ldap_user_filter: '(&(!(shadowExpire=0))(uid=*))'
+  ldap:
+    label: 'Crans'
+    host: "{{ query('ldap', 'ip', 're2o-ldap', 'adm') | first }}"
+    port: 389
+    uid: 'uid'
+    bind_dn: 'cn=gitlab,ou=service-users,dc=crans,dc=org'
+    base: 'cn=Utilisateurs,dc=crans,dc=org'
+    user_filter: '(&(!(shadowExpire=0))(uid=*))'
  cas_name: 'cas3'
  cas_label: 'CAS Cr@ns'
  cas_url: 'https://cas.crans.org'
+  smtp:
+    address: "{{ query('ldap', 'ip', 'redisdead', 'adm') | first }}"
+    port: 25

 glob_nginx:
  service_name: gitlab-omnibus-ssl-nginx
--- a/host_vars/gitzly.adm.crans.org.yml
+++ b/host_vars/gitzly.adm.crans.org.yml
@ -19,4 +19,5 @@ loc_certbot:
    domains: "*.adm.crans.org"

 loc_gitlab:
-  ldap_bind_password: "{{ vault_gitlab_ldap_password }}"
+  ldap:
+    bind_password: "{{ vault_gitlab_ldap_password }}"
--- a/plays/gitlab.yml
+++ b/plays/gitlab.yml
@ -10,7 +10,7 @@
 - hosts: git
  vars:
    certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
-    gitlab: '{{ glob_gitlab | default({}) | combine(loc_gitlab | default({})) }}'
+    gitlab: '{{ glob_gitlab | default({}) | combine(loc_gitlab | default({}), recursive=True) }}'
  roles:
    - certbot
    - gitlab
--- a/roles/gitlab/handlers/main.yml
+++ b/roles/gitlab/handlers/main.yml
@ -0,0 +1,3 @@
+---
+- name: Reconfigure Gitlab
+  command: gitlab-ctl reconfigure
--- a/roles/gitlab/tasks/main.yml
+++ b/roles/gitlab/tasks/main.yml
@ -24,6 +24,4 @@
    mode: 0600
    owner: root
    group: root
-
- name: Reconfigure Gitlab
-  command: gitlab-ctl reconfigure
+  notify: Reconfigure Gitlab
--- a/roles/gitlab/templates/gitlab.rb.j2
+++ b/roles/gitlab/templates/gitlab.rb.j2
@ -79,15 +79,20 @@ gitlab_rails['time_zone'] = '{{ gitlab.time_zone }}'
 ###! Docs: https://docs.gitlab.com/omnibus/settings/smtp.html
 ###! **Use smtp instead of sendmail/postfix.**

-# gitlab_rails['smtp_enable'] = true
-# gitlab_rails['smtp_address'] = "smtp.server"
-# gitlab_rails['smtp_port'] = 465
+gitlab_rails['smtp_enable'] = true
+gitlab_rails['smtp_address'] = "{{ gitlab.smtp.address }}"
+gitlab_rails['smtp_port'] = {{ gitlab.smtp.port }}
 # gitlab_rails['smtp_user_name'] = "smtp user"
 # gitlab_rails['smtp_password'] = "smtp password"
 # gitlab_rails['smtp_domain'] = "example.com"
 # gitlab_rails['smtp_authentication'] = "login"
 # gitlab_rails['smtp_enable_starttls_auto'] = true
 # gitlab_rails['smtp_tls'] = false
+gitlab_rails['smtp_tls'] = false
+gitlab_rails['smtp_openssl_verify_mode'] = 'none'
+gitlab_rails['smtp_enable_starttls_auto'] = false
+gitlab_rails['smtp_ssl'] = false
+gitlab_rails['smtp_force_ssl'] = false

 ###! **Can be: 'none', 'peer', 'client_once', 'fail_if_no_peer_cert'**
 ###! Docs: http://api.rubyonrails.org/classes/ActionMailer/Base.html
@ -443,24 +448,25 @@ gitlab_rails['ldap_enabled'] = true
 ###! **remember to close this block with 'EOS' below**
 gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
-    label: '{{ gitlab.ldap_label }}'
-    host: '{{ gitlab.ldap_host }}'
-    port: {{ gitlab.ldap_port }}
-    uid: '{{ gitlab.ldap_uid }}'
-    bind_dn: '{{ gitlab.ldap_bind_dn }}'
-    password: '{{ gitlab.ldap_bind_password }}'
-#     encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
-#     verify_certificates: true
+    label: '{{ gitlab.ldap.label }}'
+    host: '{{ gitlab.ldap.host }}'
+    port: {{ gitlab.ldap.port }}
+    uid: '{{ gitlab.ldap.uid }}'
+    bind_dn: '{{ gitlab.ldap.bind_dn }}'
+    password: '{{ gitlab.ldap.bind_password }}'
+    encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
+    verify_certificates: true
 #     smartcard_auth: false
 #     active_directory: true
    allow_username_or_email_login: true
 #     lowercase_usernames: false
 #     block_auto_created_users: false
-    base: '{{ gitlab.ldap_base }}'
-    user_filter: '{{ gitlab.ldap_user_filter }}'
+    base: '{{ gitlab.ldap.base }}'
+    user_filter: '{{ gitlab.ldap.user_filter }}'
    attributes:
      username: ['uid',]
      email:    ['mail',]
+EOS
 #     ## EE only
 #     group_base: ''
 #     admin_group: ''