
Merge branch 'initialfiles' into 'master'

Initialfiles

initial version of the install playbook for gitlab
the Mage 6 years ago
parent
commit
fce4c968ee
39 changed files with 695 additions and 0 deletions
  1. 4 0
      common/handlers/main.yml
  2. 9 0
      common/tasks/base_config.yml
  3. 15 0
      common/tasks/extra_config.yml
  4. 6 0
      common/tasks/main.yml
  5. 4 0
      common/tasks/update.yml
  6. 6 0
      common/tasks/upgrade.yml
  7. 8 0
      common/templates/apt/sources.list.j2
  8. 11 0
      common/templates/fail2ban/fail2ban.conf.j2
  9. 52 0
      common/templates/fail2ban/jail.conf.j2
  10. 1 0
      common/templates/mailname.j2
  11. 7 0
      common/templates/resolv.conf.j2
  12. 2 0
      common/templates/ssh_keys/yourusername.j2
  13. 41 0
      common/templates/sshd_config.j2
  14. 13 0
      common/vars/main.yml
  15. 127 0
      gitlab/tasks/gitlab.yml
  16. 5 0
      gitlab/tasks/main.yml
  17. 6 0
      gitlab/tasks/remove_ruby1.9.yml
  18. 6 0
      gitlab/tasks/upgrade.yml
  19. 13 0
      gitlab/templates/git/gitconfig.j2
  20. 24 0
      gitlab/templates/gitlab-shell/config.yml.j2
  21. 16 0
      gitlab/templates/gitlab/database.yml.j2
  22. 54 0
      gitlab/templates/gitlab/gitlab.yml.j2
  23. 18 0
      gitlab/templates/gitlab/rack_attack.rb.j2
  24. 42 0
      gitlab/templates/gitlab/unicorn.rb.j2
  25. 15 0
      gitlab/templates/logrotate/gitlab.j2
  26. 54 0
      gitlab/templates/nginx/gitlab.j2
  27. 25 0
      gitlab/vars/main.yml
  28. 29 0
      host_vars.yml
  29. 10 0
      install.yml
  30. 3 0
      mysql_server/tasks/fortify.yml
  31. 4 0
      mysql_server/tasks/main.yml
  32. 6 0
      mysql_server/tasks/upgrade.yml
  33. 7 0
      mysql_server/vars/main.yml
  34. 4 0
      postfix_sendonly/handlers/main.yml
  35. 4 0
      postfix_sendonly/tasks/main.yml
  36. 5 0
      postfix_sendonly/tasks/postfixconfig.yml
  37. 6 0
      postfix_sendonly/tasks/upgrade.yml
  38. 30 0
      postfix_sendonly/templates/postfix/nousers-main.cf.j2
  39. 3 0
      postfix_sendonly/vars/main.yml

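--- a/common/handlers/main.yml
+++ b/common/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: restart fail2ban
+  service: name=fail2ban state=restarted
+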

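--- a/common/tasks/base_config.yml
+++ b/common/tasks/base_config.yml
@@ -0,0 +1,9 @@
+---
+- name: /etc/resolv.conf
+  template: src=resolv.conf.j2 dest=/etc/resolv.conf owner=root group=root mode=644
+- name: /etc/mailname
+  template: src=mailname.j2 dest=/etc/mailname owner=root group=root mode=644
+
+- name: /etc/apt/sources.list
+  template: src=apt/sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=644
+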

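--- a/common/tasks/extra_config.yml
+++ b/common/tasks/extra_config.yml
@@ -0,0 +1,15 @@
+---
+- name: user ssh keys
+  template: src=ssh_keys/{{ item }}.j2 dest=/home/{{ item }}/.ssh/authorized_keys owner={{ item }} mode=640
+  with_items: ssh_users
+
+
+# Fail2ban
+- name: /etc/fail2ban/fail2ban.conf
+  template: src=fail2ban/fail2ban.conf.j2 dest=/etc/fail2ban/fail2ban.conf owner=root group=root mode=644
+  notify: restart fail2ban
+- name: /etc/fail2ban/jail.conf
+  template: src=fail2ban/jail.conf.j2 dest=/etc/fail2ban/jail.conf owner=root group=root mode=644
+  notify: restart fail2ban
+
+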
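Review bot: The `user ssh keys` task at file line 3 templates into `/home/{{ item }}/.ssh/authorized_keys`, but nothing in this role creates that `.ssh` directory first and the template module does not create parent directories, so the task fails on a fresh host unless the directory already exists. A preceding task such as `- file: path=/home/{{ item }}/.ssh state=directory owner={{ item }} mode=700` with the same `with_items: ssh_users` would make the role self-contained. Note also that the only key template shipped, common/templates/ssh_keys/yourusername.j2, contains just the `ansible_managed` comment, so as committed this writes an empty authorized_keys; a comment above the task saying that one `ssh_keys/<user>.j2` holding that user's public keys must exist for every entry of `ssh_users` would save the next person a failed login.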

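--- a/common/tasks/main.yml
+++ b/common/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- include: base_config.yml
+- include: update.yml
+- include: upgrade.yml
+- include: extra_config.yml
+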

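--- a/common/tasks/update.yml
+++ b/common/tasks/update.yml
@@ -0,0 +1,4 @@
+---
+- name: Update apt cache
+  apt: update_cache=yes
+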

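--- a/common/tasks/upgrade.yml
+++ b/common/tasks/upgrade.yml
@@ -0,0 +1,6 @@
+---
+# Upgrade tasks, used for install and upgrade playbooks of mail servers
+- name: Install Packages
+  action: apt name={{ item }} state=latest
+  with_items: role_packages
+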
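Review bot: The header comment at file line 2 says these tasks are for "mail servers", which is a copy-paste leftover — the same comment is repeated verbatim in gitlab/tasks/upgrade.yml, mysql_server/tasks/upgrade.yml and postfix_sendonly/tasks/upgrade.yml. In each file it should describe the role it lives in, e.g. `# Install (or upgrade) the packages listed in this role's vars/main.yml role_packages`. The same comment should also say that `state=latest` upgrades those packages on every run of install.yml, not only on first install, since that is a change-control surprise for something named an install playbook.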

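--- a/common/templates/apt/sources.list.j2
+++ b/common/templates/apt/sources.list.j2
@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+deb {{ apt_mirror }}debian/ {{ debian_release}} main contrib non-free
+deb-src {{ apt_mirror }}debian/ {{ debian_release}} main contrib non-free
+
+deb http://security.debian.org/ stable/updates main
+deb-src http://security.debian.org/ stable/updates main
+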
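Review bot: File lines 3–4 build the mirror URL as `{{ apt_mirror }}debian/` with no separator, and host_vars.yml in this commit sets `apt_mirror: http://ftp.debian.org`, so the rendered line is `deb http://ftp.debian.orgdebian/ testing main contrib non-free` and apt cannot fetch from it. Either write `{{ apt_mirror }}/debian/` here or document on `apt_mirror` that the value must end with a slash. Lines 6–7 also hard-code `stable/updates` for the security suite while the main lines take `{{ debian_release }}` (`testing` in host_vars.yml), so the two suites disagree; if that is intended it deserves a comment, otherwise the security lines should follow the same variable.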

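--- a/common/templates/fail2ban/fail2ban.conf.j2
+++ b/common/templates/fail2ban/fail2ban.conf.j2
@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+# {{ ansible_only }}
+
+[Definition]
+loglevel = 3
+logtarget = /var/log/fail2ban.log
+socket = /var/run/fail2ban/fail2ban.sock
+
+# {{ ansible_managed }}
+# {{ ansible_only }}
+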

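--- a/common/templates/fail2ban/jail.conf.j2
+++ b/common/templates/fail2ban/jail.conf.j2
@@ -0,0 +1,52 @@
+# {{ ansible_managed }}
+# {{ ansible_only }}
+
+[DEFAULT]
+ignoreip = 127.0.0.1/8
+bantime  = 3600
+maxretry = 3
+backend = auto
+destemail = {{ jail_mail_dest }}
+
+banaction = iptables-multiport
+mta = sendmail
+protocol = tcp
+chain = INPUT
+
+action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+action = %(action_)s
+
+
+# JAILS
+[ssh]
+enabled  = true
+port     = ssh
+filter   = sshd
+logpath  = /var/log/auth.log
+maxretry = 6
+
+{% if jail_mail %}
+# Email only jails
+[postfix]
+enabled  = true
+port     = smtp,ssmtp
+filter   = postfix
+logpath  = /var/log/mail.warn
+
+[sasl]
+enabled  = true
+port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
+filter   = sasl
+logpath  = /var/log/mail.warn
+
+[dovecot]
+enabled = true
+port    = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
+filter  = dovecot
+logpath = /var/log/mail.warn
+# End of email only jails
+{% endif %}
+
+# {{ ansible_managed }}
+# {{ ansible_only }}
+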

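--- a/common/templates/mailname.j2
+++ b/common/templates/mailname.j2
@@ -0,0 +1 @@
+{{ mailname }}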

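--- a/common/templates/resolv.conf.j2
+++ b/common/templates/resolv.conf.j2
@@ -0,0 +1,7 @@
+# {{ ansible_managed}}
+search {{ dns_domain }}
+{% for server in nameservers %}
+nameserver {{ server }}
+{% endfor %}
+options attempts:3 rotate
+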

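--- a/common/templates/ssh_keys/yourusername.j2
+++ b/common/templates/ssh_keys/yourusername.j2
@@ -0,0 +1,2 @@
+# {{ ansible_managed }}
+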

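--- a/common/templates/sshd_config.j2
+++ b/common/templates/sshd_config.j2
@@ -0,0 +1,41 @@
+# {{ ansible_managed }}
+
+Port 22
+Protocol 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+UsePrivilegeSeparation yes
+
+KeyRegenerationInterval 3600
+ServerKeyBits 2048
+
+SyslogFacility AUTH
+LogLevel INFO
+
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+
+IgnoreRhosts yes
+RhostsRSAAuthentication no
+HostbasedAuthentication no
+
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd yes
+PrintLastLog yes
+TCPKeepAlive yes
+
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+UsePAM yes
+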
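Review bot: No task in this commit deploys this template — common/tasks/base_config.yml and extra_config.yml only template resolv.conf, mailname, sources.list, the user key files and the fail2ban files, and common/handlers/main.yml has no ssh restart handler — so the `PermitRootLogin no` / `PasswordAuthentication no` hardening it carries is not actually applied to the host. If it is meant to be used, add a template task for `/etc/ssh/sshd_config` with a handler that restarts ssh, and make sure the `ssh_keys/<user>.j2` files carry real keys first, since with `PasswordAuthentication no` an empty authorized_keys locks that user out. `HostKey ssh_host_dsa_key`, `KeyRegenerationInterval` and `ServerKeyBits` at file lines 6, 9 and 10 are protocol-1 / DSA settings that are inert or deprecated alongside `Protocol 2`, and `X11Forwarding yes` at line 30 is not needed on a git server and is the one option here that widens exposure rather than narrowing it; a comment on each saying why it is kept, or dropping them, would help the next reader.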

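--- a/common/vars/main.yml
+++ b/common/vars/main.yml
@@ -0,0 +1,13 @@
+---
+role_packages:
+  - vim
+  - git
+  - less
+  - wget
+  - bc
+  - openssh-server
+  - openssl
+  - libssl1.0.0
+  - ntp
+  - fail2ban
+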

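--- a/gitlab/tasks/gitlab.yml
+++ b/gitlab/tasks/gitlab.yml
@@ -0,0 +1,127 @@
+- name: add user git
+  user: name=git comment="Git Lab" createhome=yes password=*
+
+- name: create /servers/repositories
+  file: dest=/servers/repositories owner=git group=git mode=2770 state=directory
+
+- name: create /servers/gitlab-satellites/
+  file: dest=/servers/gitlab-satellites/ owner=git group=git mode=770 state=directory
+
+- name: create authorized_keys file
+  file: dest=/home/git/.ssh/authorized_keys owner=git group=git mode=600
+
+- name: create log directory
+  file: dest=/servers/log/gitlab owner=git group=git mode=755 state=directory
+
+# gitlab-shell
+- name: clone gitlab-shell
+  git:  repo=https://gitlab.com/gitlab-org/gitlab-shell.git
+        dest=/home/git/gitlab-shell
+        version={{ gitlab_shell_version }}
+  sudo_user: git
+
+- name: gitlab-shell config
+  template: src=gitlab-shell/config.yml.j2 dest=/home/git/gitlab-shell/config.yml owner=root group=root mode=644
+
+# gitlab
+- name: clone gitlab
+  git:  repo=https://gitlab.com/gitlab-org/gitlab-ce.git
+        dest=/home/git/gitlab
+        version={{ gitlab_version }}
+  sudo_user: git
+
+- name: configure gitlab.yml
+  template: src=gitlab/gitlab.yml.j2 dest=/home/git/gitlab/config/gitlab.yml owner=root group=root mode=644
+
+- name: configure unicorn.rb
+  template: src=gitlab/unicorn.rb.j2 dest=/home/git/gitlab/config/unicorn.rb owner=root group=root mode=644
+
+- name: configure rack_attack.rb
+  template: src=gitlab/rack_attack.rb.j2 dest=/home/git/gitlab/config/initializers/rack_attack.rb owner=root group=root mode=755
+
+- name: configure database.yml
+  template: src=gitlab/database.yml.j2 dest=/home/git/gitlab/config/database.yml owner=root group=git mode=640
+
+- name: install gitlab dependencies
+  command: bundle install --deployment --without development test postgres aws chdir=/home/git/gitlab/
+
+# create the tmp directories
+
+- name: create tmp directory
+  file: dest=/home/git/gitlab/tmp/ owner=git group=git mode=755 state=directory
+- name: create pids directory
+  file: dest=/home/git/gitlab/tmp/pids/ owner=git group=git mode=755 state=directory
+- name: create sockets directory
+  file: dest=/home/git/gitlab/tmp/sockets owner=git group=git mode=755 state=directory
+
+- name: create uploads directories
+  file: dest=/home/git/gitlab/public/uploads owner=git group=git mode=755 state=directory
+
+
+- name: link to application.log
+  file: src=/servers/log/gitlab/application.log dest=/home/git/gitlab/log/application.log owner=git group=git mode=666 state=link
+- name: link to production.log
+  file: src=/servers/log/gitlab/production.log dest=/home/git/gitlab/log/production.log owner=git group=git mode=666 state=link
+- name: touch application.log
+  file: dest=/servers/log/gitlab/application.log owner=git group=git mode=666
+- name: touch production.log
+  file: dest=/servers/log/gitlab/production.log owner=git group=git mode=666
+
+# initialize git
+- name: git config
+  template: src=git/gitconfig.j2 dest=/home/git/.gitconfig owner=git group=git mode=644
+
+# mysql user and database
+# assumes that some other role will install and config mysql-server
+- name: mysql gitlab database
+  mysql_db: name=gitlabhq_production encoding=utf8 collation=utf8_unicode_ci login_user=root login_password={{ mysql_root_passwd }}
+  register: gitlab_db
+
+- name: mysql gitlab user
+  mysql_user: name=git password={{ mysql_gitlab_passwd }} priv='gitlabhq_production.*:SELECT,LOCK TABLES,INSERT,UPDATE,DELETE,CREATE,DROP,INDEX,ALTER' login_user=root login_password={{ mysql_root_passwd }}
+
+# initialize database
+- name: db setup
+  command: bundle exec rake db:setup RAILS_ENV=production chdir=/home/git/gitlab/
+  when: gitlab_db.changed
+
+- name: db migrate
+  command: bundle exec rake db:migrate RAILS_ENV=production chdir=/home/git/gitlab/
+  when: gitlab_db.changed
+
+- name: db seed_fu
+  command: bundle exec rake db:seed_fu RAILS_ENV=production chdir=/home/git/gitlab/
+  when: gitlab_db.changed
+
+# init scripts ans system settings
+- name: copy gitlab init script
+  command: cp lib/support/init.d/gitlab /etc/init.d/gitlab chdir=/home/git/gitlab creates=/etc/init.d/gitlab
+
+- name: copy gitlab defaults file
+  command: cp lib/support/init.d/gitlab.default.example /etc/default/gitlab chdir=/home/git/gitlab/ creates=/etc/default/gitlab
+
+- name: config logrotate
+  template: src=logrotate/gitlab.j2 dest=/etc/logrotate.d/gitlab owner=root group=root mode=644
+
+- name: update-rc.d
+  command: update-rc.d gitlab defaults 21
+
+- name: compile assets
+  command: bundle exec rake assets:precompile RAILS_ENV=production chdir=/home/git/gitlab/
+
+- name: start gitlab
+  service: name=gitlab state=restarted
+
+# configure nginx
+- name: create nginx log directory
+  file: dest=/servers/log/nginx owner=www-data group=www-data mode=666 state=directory
+
+- name: remove default nginx host
+  file: dest=/etc/nginx/sites-enabled/default state=absent
+
+- name: config nginx
+  template: src=nginx/gitlab.j2 dest=/etc/nginx/sites-enabled/gitlab owner=root group=root mode=644
+
+- name: start nginx
+  service: name=nginx state=restarted
+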
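Review bot: The mysql_db and mysql_user tasks at file lines 77 and 81 pass `login_password={{ mysql_root_passwd }}` and `password={{ mysql_gitlab_passwd }}` as module arguments without `no_log: true`, so both secrets are printed in verbose runs and in any callback or log output; the same applies to mysql_server/tasks/fortify.yml. Add `no_log: true` to each of those three tasks. Separately, `file: dest=/servers/log/nginx ... mode=666 state=directory` at line 117 gives the directory no execute bit, so nginx cannot traverse it to open its logs — a log directory needs `mode=755` or `750` — and the `mode=666` on the application/production logs at lines 62–68 makes them world-writable where `640` with owner git is enough. Finally, the tasks at lines 11, 66 and 68 use `file:` without `state=touch`; with the default state the module fails when the file does not yet exist, and the link tasks at lines 61–64 run before those targets are created, so both the ordering and `state=touch` look needed.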

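--- a/gitlab/tasks/main.yml
+++ b/gitlab/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- include: remove_ruby1.9.yml
+- include: upgrade.yml
+- include: gitlab.yml
+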

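--- a/gitlab/tasks/remove_ruby1.9.yml
+++ b/gitlab/tasks/remove_ruby1.9.yml
@@ -0,0 +1,6 @@
+---
+- name: Remove incompatible packages
+  action: apt name={{ item }} state=absent
+  with_items:
+    - ruby1.9.1
+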

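--- a/gitlab/tasks/upgrade.yml
+++ b/gitlab/tasks/upgrade.yml
@@ -0,0 +1,6 @@
+---
+# Upgrade tasks, used for install and upgrade playbooks of mail servers
+- name: Install Packages
+  action: apt name={{ item }} state=latest
+  with_items: role_packages
+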

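--- a/gitlab/templates/git/gitconfig.j2
+++ b/gitlab/templates/git/gitconfig.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+# {{ ansible_only }}
+
+[user]
+  name = {{ gitlab_name }}
+  email = {{ gitlab_email }}
+
+[push]
+  default = matching
+
+[core]
+  autocrlf = input
+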

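--- a/gitlab/templates/gitlab-shell/config.yml.j2
+++ b/gitlab/templates/gitlab-shell/config.yml.j2
@@ -0,0 +1,24 @@
+# {{ ansible_managed }}
+# {{ ansible_only}}
+user: git
+gitlab_url: "http://magick-source.net/"
+http_settings:
+  self_signed_cert: false
+
+repos_path: "/servers/repositories"
+
+auth_file: "/home/git/.ssh/authorized_keys"
+
+redis:
+  bin: /usr/bin/redis-cli
+  host: 127.0.0.1
+  port: 6379
+  namespace: resque:gitlab
+
+log_file: "/servers/log/gitlab/gitlab-shell.log"
+log_level: INFO
+
+audit_usernames: true
+
+# {{ ansible_managed }}
+# {{ ansible_only}}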
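Review bot: `gitlab_url: "http://magick-source.net/"` at file line 4 is a hard-coded host, while gitlab/gitlab.yml.j2 and nginx/gitlab.j2 in the same commit derive theirs from `{{ gitlab_host }}`; gitlab-shell presumably calls back to this URL, so a deployment with a different `gitlab_host` ends up with a shell pointed at a server it does not own. Change it to `gitlab_url: "http://{{ gitlab_host }}/"` so all three templates agree, and keep it quoted as it is now since the rendered value starts with a scheme.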

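--- a/gitlab/templates/gitlab/database.yml.j2
+++ b/gitlab/templates/gitlab/database.yml.j2
@@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+# {{ ansible_only }}
+#
+# PRODUCTION
+#
+
+production:
+  adapter: mysql2
+  encoding: utf8
+  reconnect: false
+  database: gitlabhq_production
+  pool: 10
+  username: git
+  password: {{ mysql_gitlab_passwd }}
+
+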
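Review bot: `password: {{ mysql_gitlab_passwd }}` at file line 14 renders the secret as a plain YAML scalar, so a password that looks like a number or boolean is retyped, and one containing `: `, ` #` or a leading indicator character breaks the parse and the application will not boot. Quote it, `password: "{{ mysql_gitlab_passwd }}"`, and note in a comment that `"` and `\` inside the value still need escaping (Ansible's `to_json` filter produces a correctly escaped double-quoted string). The same applies to `host: {{ gitlab_host }}`, `email_from: {{ gitlab_email }}` and `support_email: {{ gitlab_email }}` at file lines 9, 12 and 13 of gitlab/templates/gitlab/gitlab.yml.j2.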

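--- a/gitlab/templates/gitlab/gitlab.yml.j2
+++ b/gitlab/templates/gitlab/gitlab.yml.j2
@@ -0,0 +1,54 @@
+# {{ ansible_managed }}
+# {{ ansible_only }}
+##################################
+# Gitlab application config file #
+##################################
+
+production: &base
+  gitlab:
+    host: {{ gitlab_host }}
+    port: 80
+    https: false
+    email_from: {{ gitlab_email }}
+    support_email: {{ gitlab_email }}
+    default_projects_features:
+      issues: true
+      merge_requests: true
+      wiki: true
+      wall: true
+      snippets: false
+      visibility_level: private
+  issues_tracker:
+
+  gravatar:
+    enabled: true
+    plain_url: http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=retro
+    ssl_url: https://www.gravatar.com/avatar/%{hash}?s=%{size}&d=retro
+
+  ldap:
+    enabled: false
+  omniauth:
+    enabled: false
+
+  satellites:
+    path: /servers/gitlab-satellites/
+
+  backup:
+    path: /servers/backup/gitlab
+
+  gitlab_shell:
+    path: /home/git/gitlab-shell/
+    repos_path: /servers/repositories/
+    hooks_path: /home/git/gitlab-shell/hooks/
+
+    upload_pack: true
+    receive_pack: true
+
+  git:
+    bin_path: /usr/bin/git
+    max_size: 512000 # 500k
+    timeout: 10
+ 
+  extra:
+    # google_analytics_id: '_your_tracking_id'
+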
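Review bot: `backup: path: /servers/backup/gitlab` at file line 37 is the only path in this file that no task in gitlab/tasks/gitlab.yml creates or sets ownership on — /servers/repositories, /servers/gitlab-satellites and /servers/log/gitlab each get a `file: ... state=directory` task there. Unless it is provisioned elsewhere, the first backup run will presumably fail on the missing directory; a `file: dest=/servers/backup/gitlab owner=git group=git mode=700 state=directory` task, or a comment here saying where the directory comes from, would close the gap. File line 51 also consists of a single trailing space and should be an empty line.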

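--- a/gitlab/templates/gitlab/rack_attack.rb.j2
+++ b/gitlab/templates/gitlab/rack_attack.rb.j2
@@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+# {{ ansible_only }}
+
+paths_to_be_protected = [
+  "#{Rails.application.config.relative_url_root}/users/password",
+  "#{Rails.application.config.relative_url_root}/users/sign_in",
+  "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json",
+  "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session",
+  "#{Rails.application.config.relative_url_root}/users",
+  "#{Rails.application.config.relative_url_root}/users/confirmation"
+]
+
+unless Rails.env.test?
+  Rack::Attack.throttle('protected paths', limit: 10, period: 60.seconds) do |req|
+    req.ip if paths_to_be_protected.include?(req.path) && req.post?
+  end
+end
+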

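--- a/gitlab/templates/gitlab/unicorn.rb.j2
+++ b/gitlab/templates/gitlab/unicorn.rb.j2
@@ -0,0 +1,42 @@
+# {{ ansible_managed }}
+# {{ ansible_only }}
+
+worker_processes 2
+working_directory "/home/git/gitlab"
+
+listen "/home/git/gitlab/tmp/sockets/gitlab.socket", :backlog => 64
+listen "127.0.0.1:8080", :tcp_nopush => true
+
+timeout 30
+
+pid "/home/git/gitlab/tmp/pids/unicorn.pid"
+
+stderr_path "/servers/log/gitlab/unicorn.stderr.log"
+stdout_path "/servers/log/gitlab/unicorn.stdout.log"
+
+preload_app true
+
+GC.respond_to?(:copy_on_write_friendly=) and
+  GC.copy_on_write_friendly = true
+
+check_client_connection false
+
+before_fork do |server, worker|
+  defined?(ActiveRecord::Base) and
+    ActiveRecord::Base.connection.disconnect!
+
+  old_pid = "#{server.config[:pid]}.oldbin"
+  if old_pid != server.pid
+    begin
+      sig = (worker.nr + 1) >= server.worker_processes ? :QUIT : :TTOU
+      Process.kill(sig, File.read(old_pid).to_i)
+    rescue Errno::ENOENT, Errno::ESRCH
+    end
+  end
+end
+
+after_fork do |server, worker|
+  defined?(ActiveRecord::Base) and
+    ActiveRecord::Base.establish_connection
+end
+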

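--- a/gitlab/templates/logrotate/gitlab.j2
+++ b/gitlab/templates/logrotate/gitlab.j2
@@ -0,0 +1,15 @@
+# {{ ansible_managed }}
+# {{ ansible_only }}
+# GitLab logrotate settings
+# based on: http://stackoverflow.com/a/4883967
+
+/servers/log/gitlab/*.log {
+  weekly
+  missingok
+  rotate 52
+  compress
+  delaycompress
+  notifempty
+  copytruncate
+}
+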

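--- a/gitlab/templates/nginx/gitlab.j2
+++ b/gitlab/templates/nginx/gitlab.j2
@@ -0,0 +1,54 @@
+# {{ ansible_managed }}
+# {{ ansible_only }}
+
+upstream gitlab {
+  server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;
+}
+
+server {
+  listen *:80 default_server;
+  server_name {{ gitlab_host }};
+  server_tokens off;
+
+  root /home/git/gitlab/public;
+  client_max_body_size 1m;
+
+  access_log  /servers/log/nginx/gitlab_access.log;
+  error_log   /servers/log/nginx/gitlab_error.log;
+
+  location = / {
+    if ($http_cookie !~* "request_method") {
+      set $logic "N";
+    }
+    if ($is_args != "?") {
+      set $logic "${logic}O";
+    }
+    if ($logic = "NO") {
+      return 302 /public;
+    }
+    if ($http_cookie ~* "request_method=delete") {
+      return 302 /public$is_args$args;
+    }
+    if ($logic = "N") {
+      return 302 /public$is_args$args;
+    }
+    return 302 /dashboard$is_args$args;
+  }
+
+  location / {
+    try_files $uri $uri/index.html $uri.html @gitlab;
+  }
+
+  location @gitlab {
+    proxy_read_timeout 300;
+    proxy_connect_timeout 300;
+    proxy_redirect     off;
+
+    proxy_set_header   X-Forwarded-Proto $scheme;
+    proxy_set_header   Host              $http_host;
+    proxy_set_header   X-Real-IP         $remote_addr;
+    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+
+    proxy_pass http://gitlab;
+  }
+}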
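Review bot: This server block listens only on `*:80` (file line 9) and the application side in gitlab.yml.j2 is set to `https: false`, so the sign-in form and the `/api/.../session` endpoints that rack_attack.rb.j2 rate-limits are submitted in clear text; if TLS is terminated in front of this host that should be stated in a comment at the top of the file, otherwise an HTTPS listener with the certificate paths as variables is the missing piece. `client_max_body_size 1m;` at line 14 also caps every request body, including git pushes over HTTP and attachment uploads, at 1 MB, which is likely below what users will hit; either document the intended limit next to it or raise it.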

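--- a/gitlab/vars/main.yml
+++ b/gitlab/vars/main.yml
@@ -0,0 +1,25 @@
+---
+role_packages:
+  - build-essential
+  - zlib1g-dev
+  - libyaml-dev
+  - libssl-dev
+  - libgdbm-dev
+  - libreadline-dev
+  - libncurses5-dev
+  - libffi-dev
+  - curl
+  - checkinstall
+  - libxml2-dev
+  - libxslt1-dev
+  - libcurl4-openssl-dev
+  - libicu-dev
+  - logrotate
+  - python-docutils
+  - redis-server
+  - git
+  - ruby2.0
+  - ruby2.0-dev
+  - bundler
+  - nginx
+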

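--- a/host_vars.yml
+++ b/host_vars.yml
@@ -0,0 +1,29 @@
+---
+# variables needed for this playboosk
+ansible_hostname: some.hostname.com
+ansible_only: Don't edit manually
+
+# for apt configs
+apt_mirror: http://ftp.debian.org
+debian_release: testing
+
+# for postfix
+mail_relayhost: some smtp server
+mailname: hostname.com
+
+# for mysql
+mysql_root_passwd: somepasswd
+
+# dns configs
+dns_domain: hostname.com
+nameservers:
+  - ns1.yourhosting.com
+  - ns2.yourhosting.com
+
+jail_mail: False
+jail_mail_dest: youremail@some.hostname.com
+
+# for ssh
+ssh_users:
+  - yourusername
+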
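Review bot: install.yml has no `vars_files:` and this file is not under a `host_vars/` directory, so as committed nothing loads it and the templates reference undefined variables unless it is passed explicitly (for example `-e @host_vars.yml`); the header comment at file line 2 should say how it is meant to be loaded. Templates in this commit also read `gitlab_host`, `gitlab_email`, `gitlab_name`, `gitlab_version`, `gitlab_shell_version` and `mysql_gitlab_passwd`, none of which are defined here or in gitlab/vars/main.yml. `mysql_root_passwd: somepasswd` at line 15 is a credential in a committed plain-text vars file; a comment marking it as a placeholder to be supplied from a vault or `vars_prompt` keeps real values out of history. Two YAML points: `jail_mail: False` at line 23 should be the canonical `jail_mail: false`, and `ansible_hostname` at line 3 reuses the name of a gathered fact, which may shadow this value depending on how the file is loaded, so a differently named variable would be safer.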

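--- a/install.yml
+++ b/install.yml
@@ -0,0 +1,10 @@
+---
+- name: Install gitlab servers
+  hosts: gitserver
+  sudo: yes
+  roles:
+    - common
+    - postfix_sendonly
+    - mysql_server
+    - gitlab
+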

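--- a/mysql_server/tasks/fortify.yml
+++ b/mysql_server/tasks/fortify.yml
@@ -0,0 +1,3 @@
+- name: set mysql root passwd
+  mysql_user: name=root password={{ mysql_root_passwd }} check_implicit_admin=yes login_user=root login_password={{ mysql_root_passwd }} state=present
+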

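--- a/mysql_server/tasks/main.yml
+++ b/mysql_server/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- include: upgrade.yml
+- include: fortify.yml
+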

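--- a/mysql_server/tasks/upgrade.yml
+++ b/mysql_server/tasks/upgrade.yml
@@ -0,0 +1,6 @@
+---
+# Upgrade tasks, used for install and upgrade playbooks of mail servers
+- name: Install Packages
+  action: apt name={{ item }} state=latest
+  with_items: role_packages
+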

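--- a/mysql_server/vars/main.yml
+++ b/mysql_server/vars/main.yml
@@ -0,0 +1,7 @@
+---
+role_packages:
+  - mysql-server
+  - mysql-client
+  - python-mysqldb # needed by ansible
+  - libmysqlclient-dev
+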

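--- a/postfix_sendonly/handlers/main.yml
+++ b/postfix_sendonly/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: restart postfix
+  service: name=postfix state=restarted
+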

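--- a/postfix_sendonly/tasks/main.yml
+++ b/postfix_sendonly/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- include: upgrade.yml
+- include: postfixconfig.yml
+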

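--- a/postfix_sendonly/tasks/postfixconfig.yml
+++ b/postfix_sendonly/tasks/postfixconfig.yml
@@ -0,0 +1,5 @@
+---
+- name: file /etc/postfix/main.cf
+  template: src=postfix/nousers-main.cf.j2 dest=/etc/postfix/main.cf owner=root group=root mode=644
+  notify: restart postfix
+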

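--- a/postfix_sendonly/tasks/upgrade.yml
+++ b/postfix_sendonly/tasks/upgrade.yml
@@ -0,0 +1,6 @@
+---
+# Upgrade tasks, used for install and upgrade playbooks of mail servers
+- name: Install Packages
+  action: apt name={{ item }} state=latest
+  with_items: role_packages
+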

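--- a/postfix_sendonly/templates/postfix/nousers-main.cf.j2
+++ b/postfix_sendonly/templates/postfix/nousers-main.cf.j2
@@ -0,0 +1,30 @@
+# {{ ansible_managed }}
+# {{ ansible_only }}
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+append_dot_mydomain = no
+
+readme_directory = no
+
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+smtpd_relay_restrictions = permit_mynetworks
+myhostname = {{ ansible_hostname }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination =
+relayhost = {{ mail_relayhost }}
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 10
+recipient_delimiter =
+inet_interfaces = loopback-only
+inet_protocols = all
+
+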
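Review bot: `smtpd_relay_restrictions = permit_mynetworks` at file line 17 has no terminating `reject_unauth_destination`, so Postfix's implicit end-of-list permit applies and any client that reaches smtpd may relay; today only `inet_interfaces = loopback-only` at line 27 prevents that, so the restriction should read `smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination` rather than rely on the interface binding alone. `mailbox_size_limit = 10` at line 25 is a value in bytes, which looks like a typo — `0` means unlimited and the Postfix default is 51200000 — and a comment should say what was intended. The snakeoil certificate at lines 11–12 only covers inbound TLS; no `smtp_tls_security_level` is set, so mail relayed to `{{ mail_relayhost }}` goes out without TLS, which is worth a comment if that relay is not on a trusted network.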

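--- a/postfix_sendonly/vars/main.yml
+++ b/postfix_sendonly/vars/main.yml
@@ -0,0 +1,3 @@
+---
+role_packages:
+  - postfix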