Swap GitLab with Gitea #1
31 changed files with 21 additions and 305 deletions
|
@ -14,8 +14,6 @@ roles:
|
|||
- src: ironicbadger.proxmox_nag_removal
|
||||
version: 1.0.1
|
||||
- src: chmduquesne.iptables_persistent
|
||||
- src: geerlingguy.gitlab
|
||||
version: 3.2.0
|
||||
- src: dokku_bot.ansible_dokku
|
||||
version: v2021.11.28
|
||||
- src: ironicbadger.snapraid
|
||||
|
|
|
@ -11,10 +11,6 @@ pve_hosts:
|
|||
ip: 10.23.1.101
|
||||
docker:
|
||||
ip: 10.23.1.103
|
||||
gitlab:
|
||||
ip: 10.23.1.106
|
||||
gitlab_runner:
|
||||
ip: 10.23.1.107
|
||||
ingress:
|
||||
ip: 10.23.1.10
|
||||
external_ip: 192.168.2.201
|
||||
|
|
|
@ -3,7 +3,6 @@ private_ip: "{{ pve_hosts.docker.ip }}"
|
|||
traefik_provider_jellyfin: true
|
||||
traefik_provider_homeassistant: true
|
||||
traefik_provider_grafana: true
|
||||
traefik_provider_gitlab: true
|
||||
|
||||
with_fail2ban: true
|
||||
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
ssh_extra_allowed_users: git@{{ pve_hosts.internal_cidr }}
|
|
@ -12,7 +12,5 @@ jellyfin
|
|||
forrest
|
||||
qbittorrent
|
||||
restic
|
||||
pve-gitlab
|
||||
pve-gitlab-runner
|
||||
renovate
|
||||
gitea-runner
|
||||
|
|
|
@ -31,7 +31,6 @@
|
|||
- pve-docker
|
||||
- forrest
|
||||
- walker
|
||||
- pve-gitlab-runner
|
||||
- grimes
|
||||
- renovate
|
||||
- gitea-runner
|
||||
|
@ -117,14 +116,6 @@
|
|||
roles:
|
||||
- restic
|
||||
|
||||
- hosts: pve-gitlab
|
||||
roles:
|
||||
- gitlab
|
||||
|
||||
- hosts: pve-gitlab-runner
|
||||
roles:
|
||||
- gitlab_runner
|
||||
|
||||
- hosts: gitea-runner
|
||||
roles:
|
||||
- gitea_runner
|
||||
|
|
|
@ -50,7 +50,6 @@ scrape_configs:
|
|||
static_configs:
|
||||
- targets:
|
||||
- https://bin.theorangeone.net
|
||||
- https://git.theorangeone.net/-/liveness?token={{ gitlab_liveness_access_token }}
|
||||
- https://grafana.jakehoward.tech/api/health
|
||||
- https://homeassistant.jakehoward.tech
|
||||
- https://intersect.jakehoward.tech
|
||||
|
|
|
@ -2,7 +2,6 @@ grafana_smtp_password: "{{ vault_grafana_smtp_password }}"
|
|||
grafana_smtp_user: "{{ vault_grafana_smtp_user }}"
|
||||
grafana_from_email: "{{ vault_grafana_from_email }}"
|
||||
homeassistant_token: "{{ vault_homeassistant_token }}"
|
||||
gitlab_liveness_access_token: "{{ vault_gitlab_liveness_access_token }}"
|
||||
prometheus_healthcheck_uuid: "{{ vault_prometheus_healthcheck_uuid }}"
|
||||
healthchecks_project_uuid: "{{ vault_healthchecks_project_uuid }}"
|
||||
healthcheck_api_token: "{{ vault_healthcheck_api_token }}"
|
||||
|
|
|
@ -6,14 +6,14 @@ DEFAULT_BRANCH = master
|
|||
DISABLE_STARS = true
|
||||
|
||||
[server]
|
||||
SSH_DOMAIN = gitea.theorangeone.net
|
||||
ROOT_URL = https://gitea.theorangeone.net/
|
||||
SSH_DOMAIN = git.theorangeone.net
|
||||
ROOT_URL = https://git.theorangeone.net/
|
||||
START_SSH_SERVER = true
|
||||
SSH_PORT = 22 # Makes the SSH URLs look sane
|
||||
SSH_LISTEN_PORT = 2222
|
||||
BUILTIN_SSH_SERVER_USER = git
|
||||
LFS_START_SERVER = true
|
||||
DOMAIN = gitea.theorangeone.net
|
||||
DOMAIN = git.theorangeone.net
|
||||
PROTOCOL = http # TLS termination done by Traefik
|
||||
ENABLE_GZIP = true
|
||||
OFFLINE_MODE = true
|
||||
|
|
|
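Review bot: Moving `SSH_DOMAIN` and `DOMAIN` to git.theorangeone.net repoints a hostname that previously resolved to GitLab's sshd (see the deleted `ssh_extra_allowed_users: git@...` host var) at Gitea's built-in SSH server (`START_SSH_SERVER = true`), so every client with a cached known_hosts entry for git.theorangeone.net gets a host-key-changed warning on its next push. Either carry the former host's SSH host keys over into Gitea's configured host-key location before cutover, or publish the new fingerprint so users verify it instead of reflexively deleting the known_hosts line; which was done is not visible in this diff, and I would record it next to the change, e.g. `# host key differs from the former GitLab host; new fingerprint published at <location>`. Note also that `SSH_PORT = 22` only rewrites the advertised clone URLs while the server binds `SSH_LISTEN_PORT = 2222`, so a 22-to-2222 forward on the new host is a prerequisite this diff does not show.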
@ -23,7 +23,7 @@ services:
|
|||
- redis
|
||||
labels:
|
||||
- traefik.enable=true
|
||||
- traefik.http.routers.gitea.rule=Host(`gitea.theorangeone.net`)
|
||||
- traefik.http.routers.gitea.rule=Host(`git.theorangeone.net`)
|
||||
- traefik.http.services.gitea-gitea.loadbalancer.server.port=3000
|
||||
networks:
|
||||
- default
|
||||
|
|
|
@ -9,7 +9,7 @@ services:
|
|||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
environment:
|
||||
- TZ={{ timezone }}
|
||||
- GITEA_INSTANCE_URL=https://gitea.theorangeone.net
|
||||
- GITEA_INSTANCE_URL=https://git.theorangeone.net
|
||||
- GITEA_RUNNER_REGISTRATION_TOKEN={{ gitea_runner_registration_token }}
|
||||
- GITEA_RUNNER_NAME={{ ansible_hostname }}
|
||||
restart: unless-stopped
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
# Reconfigure GitLab before start. Mostly to ensure log directories exist
|
||||
[Service]
|
||||
ExecStartPre=/usr/bin/gitlab-ctl reconfigure
|
|
@ -1,64 +0,0 @@
|
|||
external_url 'https://git.theorangeone.net'
|
||||
nginx['redirect_http_to_https'] = false
|
||||
alertmanager['enable'] = false
|
||||
prometheus_monitoring['enable'] = false
|
||||
grafana['enable'] = false
|
||||
nginx['status'] = {
|
||||
'enable' => false
|
||||
}
|
||||
|
||||
nginx['ssl_certificate'] = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
|
||||
nginx['ssl_certificate_key'] = "/etc/ssl/private/ssl-cert-snakeoil.key"
|
||||
letsencrypt['enable'] = false
|
||||
|
||||
gitlab_rails['time_zone'] = '{{ timezone }}'
|
||||
|
||||
# https://docs.gitlab.com/omnibus/settings/memory_constrained_envs.html
|
||||
puma['worker_processes'] = 2
|
||||
sidekiq['max_concurrency'] = 5
|
||||
|
||||
gitlab_rails['gitlab_default_theme'] = 2
|
||||
|
||||
nginx['real_ip_header'] = 'X-Forwarded-For'
|
||||
nginx['real_ip_trusted_addresses'] = ['{{ pve_hosts.docker.ip }}/32']
|
||||
gitlab_rails['trusted_proxies'] = ['{{ pve_hosts.docker.ip }}/32']
|
||||
|
||||
# SMTP
|
||||
gitlab_rails['smtp_enable'] = true
|
||||
gitlab_rails['smtp_address'] = "smtp.eu.mailgun.org"
|
||||
gitlab_rails['smtp_port'] = 465
|
||||
gitlab_rails['smtp_user_name'] = "{{ gitlab_smtp_user }}"
|
||||
gitlab_rails['smtp_password'] = "{{ gitlab_smtp_password }}"
|
||||
gitlab_rails['smtp_enable_starttls_auto'] = true
|
||||
gitlab_rails['smtp_tls'] = true
|
||||
gitlab_rails['smtp_openssl_verify_mode'] = 'peer'
|
||||
gitlab_rails['gitlab_email_from'] = "{{ gitlab_from_email }}"
|
||||
|
||||
gitlab_rails['artifacts_path'] = "/mnt/gitlab-bulk/artifacts"
|
||||
gitlab_rails['backup_path'] = "/mnt/gitlab-bulk/backups"
|
||||
gitlab_rails['backup_keep_time'] = 60 * 60 * 24 * 14 # 14 days
|
||||
|
||||
# Registry
|
||||
registry_external_url "https://registry.git.theorangeone.net"
|
||||
registry_nginx['redirect_http_to_https'] = false
|
||||
registry_nginx['ssl_certificate'] = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
|
||||
registry_nginx['ssl_certificate_key'] = "/etc/ssl/private/ssl-cert-snakeoil.key"
|
||||
registry['storage'] = {
|
||||
's3' => {
|
||||
'accesskey' => '{{ gitlab_registry_access_key }}',
|
||||
'secretkey' => '{{ gitlab_registry_secret_key }}',
|
||||
'bucket' => '0rng-registry',
|
||||
'region' => 'eu-central-003',
|
||||
'regionendpoint' => 'https://s3.eu-central-003.backblazeb2.com'
|
||||
}
|
||||
}
|
||||
|
||||
# https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/6895
|
||||
nginx['worker_processes'] = "auto"
|
||||
|
||||
# GitLab Pages
|
||||
pages_external_url "https://gitlab-pages.theorangeone.net"
|
||||
gitlab_pages["external_http"] = [":8008"]
|
||||
gitlab_pages["access_control"] = true
|
||||
pages_nginx["enable"] = false
|
||||
gitlab_rails["pages_path"] = "/mnt/gitlab-bulk/pages"
|
|
@ -1,30 +0,0 @@
|
|||
- name: Include vault
|
||||
include_vars: vault.yml
|
||||
|
||||
- name: Install and configure GitLab
|
||||
import_role:
|
||||
name: geerlingguy.gitlab
|
||||
become: true
|
||||
|
||||
- name: Create dir for service override
|
||||
file:
|
||||
path: /usr/lib/systemd/system/gitlab-runsvdir.service.d/
|
||||
state: directory
|
||||
mode: "0755"
|
||||
become: true
|
||||
|
||||
- name: Create override.conf
|
||||
copy:
|
||||
src: files/gitlab-override.conf
|
||||
dest: /usr/lib/systemd/system/gitlab-runsvdir.service.d/gitlab-override.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
become: true
|
||||
|
||||
# https://theorangeone.net/posts/gitlab-dater/
|
||||
- name: Install gitlab-dater
|
||||
git:
|
||||
repo: https://git.theorangeone.net/sys/gitlab-dater
|
||||
dest: "{{ home }}/gitlab-dater"
|
||||
depth: 1
|
|
@ -1,7 +0,0 @@
|
|||
gitlab_config_template: files/gitlab.rb
|
||||
gitlab_create_self_signed_cert: false
|
||||
gitlab_smtp_password: "{{ vault_gitlab_smtp_password }}"
|
||||
gitlab_smtp_user: "{{ vault_gitlab_smtp_user }}"
|
||||
gitlab_from_email: "{{ vault_gitlab_from_email }}"
|
||||
gitlab_registry_access_key: "{{ vault_gitlab_registry_access_key }}"
|
||||
gitlab_registry_secret_key: "{{ vault_gitlab_registry_secret_key }}"
|
21
ansible/roles/gitlab/vars/vault.yml
generated
21
ansible/roles/gitlab/vars/vault.yml
generated
|
@ -1,21 +0,0 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
32383930626639373231366430616531633532333639376431383065373566376238313264633231
|
||||
6537363863336466646330333566396365613538646665650a636633363933326530353834376335
|
||||
31666535316239306136353436353038323466353130373433343533323562356534386664663130
|
||||
6431306465336435390a643661383137666535366463633634633866623263323837376664353262
|
||||
38333636336639663632343130663635376262646130613065633233663562383631626665373036
|
||||
65316563643831303561636536663230623462326233393838663031393135613263333739623038
|
||||
35653739346134396336613163346530653834333138653865366330643037653638653732326633
|
||||
34656632353931626362316663353639633631303636373066343131366538656662653738623134
|
||||
31633636313233363663313939333264333461376630356461303637326438306536343136393132
|
||||
39393734393564366239666662356439336561366238353637373835353761633234333763396133
|
||||
36373635393332613835363631363733613835336132353164633266396136313838366435616239
|
||||
31373662663835666134306438653732653366396564663133653937383434663961386663343833
|
||||
36343434346630623233363862386237343432616237643232643861623234643835306432376236
|
||||
32313063656639346166666435636265383232336166663966633462383331393936646566383637
|
||||
62306663373763323062643935383565383338386639313131636162316366616530636634346462
|
||||
30313438306435656639303165633461623064313938303162663534666431633533366331383061
|
||||
31376535356163383131653339313832653165343531633063633536623061623831333436646138
|
||||
63313739316436306436313965636633326466313137626161623139633736303331633538636263
|
||||
66396339346437633130616135333931373032393139313035623861643039343035313662626136
|
||||
35333263346466323361
|
|
@ -1,20 +0,0 @@
|
|||
concurrent = {{ ansible_processor_nproc }}
|
||||
log_level = "warning"
|
||||
check_interval = 10
|
||||
|
||||
[session_server]
|
||||
session_timeout = 1800
|
||||
|
||||
[[runners]]
|
||||
name = "runner"
|
||||
url = "https://git.theorangeone.net"
|
||||
token = "{{ gitlab_runner_token }}"
|
||||
limit = 0
|
||||
executor = "docker"
|
||||
|
||||
[runners.docker]
|
||||
image = "alpine"
|
||||
privileged = true
|
||||
disable_cache = false
|
||||
volumes = ["/cache", "/certs/client"]
|
||||
pull_policy = "if-not-present"
|
|
@ -1,5 +0,0 @@
|
|||
- name: restart gitlab-runner
|
||||
service:
|
||||
name: gitlab-runner
|
||||
state: restarted
|
||||
become: true
|
|
@ -1,21 +0,0 @@
|
|||
- name: Include vault
|
||||
include_vars: vault.yml
|
||||
|
||||
- name: Install runner
|
||||
package:
|
||||
name: gitlab-runner
|
||||
become: true
|
||||
|
||||
- name: Install config
|
||||
template:
|
||||
src: files/config.toml
|
||||
dest: /etc/gitlab-runner/config.toml
|
||||
mode: "0600"
|
||||
become: true
|
||||
notify: restart gitlab-runner
|
||||
|
||||
- name: Enable runner
|
||||
service:
|
||||
name: gitlab-runner
|
||||
enabled: true
|
||||
become: true
|
|
@ -1 +0,0 @@
|
|||
gitlab_runner_token: "{{ vault_gitlab_runner_token }}"
|
8
ansible/roles/gitlab_runner/vars/vault.yml
generated
8
ansible/roles/gitlab_runner/vars/vault.yml
generated
|
@ -1,8 +0,0 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
61313533333239316433623837616239346461393538356665363034663533343165366434316137
|
||||
3837376330386436656265356637343166643465616534390a666634323334383831306336613636
|
||||
36623630646235386661633266633533396664656464333561623036313865343036653734643132
|
||||
6333393739383764340a646361383961373434303936383131326364626439353262623965643564
|
||||
31343631656234666464383935306434383363316362666263323165613939663736326435313966
|
||||
35373466333937636633383138636434333765646235633630616539343464343237383236613739
|
||||
313038366164653662616461626661363832
|
|
@ -1,7 +1,7 @@
|
|||
module.exports = {
|
||||
endpoint: 'https://git.theorangeone.net/api/v4/',
|
||||
token: '{{ renovate_gitlab_token }}',
|
||||
platform: 'gitlab',
|
||||
endpoint: 'https://git.theorangeone.net/',
|
||||
token: '{{ renovate_gitea_token }}',
|
||||
platform: 'gitea',
|
||||
//dryRun: true,
|
||||
autodiscover: true,
|
||||
onboarding: false,
|
||||
|
|
|
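Review bot: The new `endpoint: 'https://git.theorangeone.net/'` drops the API path the GitLab config carried (`/api/v4/`); Renovate's Gitea platform documentation describes the endpoint as the API base (`https://git.theorangeone.net/api/v1/`), and whether the Renovate version run here appends it automatically is not visible from this diff, so confirm with a dry run before trusting `autodiscover: true`. Because autodiscover combined with `onboarding: false` lets Renovate open branches and pull requests on every repository the token can see, the Gitea token behind `renovate_gitea_token` should be a scoped access token limited to repository read/write rather than an all-scopes token; its scope is not shown here. A comment on the token line such as `// scoped Gitea token (repository read/write only): autodiscover pushes to every visible repo` would make that expectation explicit to whoever rotates it.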
@ -1,2 +1,2 @@
|
|||
renovate_gitlab_token: "{{ vault_renovate_gitlab_token }}"
|
||||
renovate_gitea_token: "{{ vault_renovate_gitea_token }}"
|
||||
renovate_github_token: "{{ vault_renovate_github_token }}"
|
||||
|
|
21
ansible/roles/renovate/vars/vault.yml
generated
21
ansible/roles/renovate/vars/vault.yml
generated
|
@ -1,11 +1,12 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
37666339323131376463616330376335623238363930353938383162623162633665623763626464
|
||||
3833623739633363616362643166393538386139373139310a393530323937373938346237633536
|
||||
32376237386536633134613438383730323565356164313933376232343866303764643033396237
|
||||
6133313835663637660a336162303239636137313339366330323463326339366537343164663336
|
||||
61346434383164336138626261663939333265306430316535653062393431646230636162373665
|
||||
39386436306534316632376238616332636265303534316366356139303865323631323064303665
|
||||
64636565666231643330396164383066623166393339633330363633343639346637343239313936
|
||||
37613266393438616166326138313262623837386231393666633361396364313335346238313863
|
||||
65383435626335333631326537373366636439306366373235386132393839663063333063383133
|
||||
6333613165306462376631326239613864613630363738633331
|
||||
39396266373730336338666661383762373535393862653662613034623939353033653738666238
|
||||
6666396462326235663833336463613864326635643464610a633863323634363939303133383234
|
||||
33663538346230303930343635356365336539393337316235353933366534333832396234633333
|
||||
3565353832343432390a326463623733636561366234376331333261353561326361386235313635
|
||||
33643834343236346238353233383563636262616366326166343135366439643839323566633766
|
||||
66613064396636393462396263636563373633636433623438623336363934353037333138646230
|
||||
38623163366636663237356161313563373232396362396239623761653365333931343761313636
|
||||
38306664366365383537316531666333643462663466303264656238376634323464373365336364
|
||||
39393635326534393661353132353962376531623035303761303236303336363338643936343561
|
||||
31623939353863633261343631313530613335643664323233336134306365316662386631396239
|
||||
613461636333663533336631303839666665
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
traefik_provider_jellyfin: false
|
||||
traefik_provider_homeassistant: false
|
||||
traefik_provider_grafana: false
|
||||
traefik_provider_gitlab: false
|
||||
|
||||
with_fail2ban: false
|
||||
|
|
|
@ -1,30 +0,0 @@
|
|||
http:
|
||||
routers:
|
||||
router-gitlab:
|
||||
rule: Host(`git.theorangeone.net`)
|
||||
service: service-gitlab
|
||||
router-gitlab-registry:
|
||||
rule: Host(`registry.git.theorangeone.net`)
|
||||
service: service-gitlab
|
||||
router-gitlab-pages:
|
||||
rule: HostRegexp(`gitlab-pages.theorangeone.net`, `{subdomain:[a-z]+}.gitlab-pages.theorangeone.net`)
|
||||
service: service-gitlab-pages
|
||||
router-slides:
|
||||
rule: Host(`slides.jakehoward.tech`)
|
||||
service: service-slides
|
||||
services:
|
||||
service-gitlab:
|
||||
loadBalancer:
|
||||
servers:
|
||||
- url: https://{{ pve_hosts.gitlab.ip }}
|
||||
service-gitlab-pages:
|
||||
loadBalancer:
|
||||
servers:
|
||||
- url: http://{{ pve_hosts.gitlab.ip }}:8008
|
||||
|
||||
# HACK: GitLab doesn't support `_redirects` with domains in
|
||||
service-slides:
|
||||
loadBalancer:
|
||||
passHostHeader: false
|
||||
servers:
|
||||
- url: https://slides.gitlab-pages.theorangeone.net
|
|
@ -26,10 +26,6 @@ entryPoints:
|
|||
sans: "*.jakehoward.tech"
|
||||
- main: 0rng.one
|
||||
sans: "*.0rng.one"
|
||||
{% if traefik_provider_gitlab %}
|
||||
- main: gitlab-pages.theorangeone.net
|
||||
sans: "*.gitlab-pages.theorangeone.net"
|
||||
{% endif %}
|
||||
proxyProtocol:
|
||||
trustedIPs:
|
||||
- "{{ wireguard.cidr }}"
|
||||
|
|
|
@ -86,16 +86,6 @@
|
|||
when: traefik_provider_grafana
|
||||
become: true
|
||||
|
||||
- name: Install gitlab provider
|
||||
template:
|
||||
src: files/file-provider-gitlab.yml
|
||||
dest: /opt/traefik/traefik/conf/gitlab.yml
|
||||
mode: "{{ docker_compose_file_mask }}"
|
||||
owner: "{{ docker_user.name }}"
|
||||
notify: restart traefik
|
||||
when: traefik_provider_gitlab
|
||||
become: true
|
||||
|
||||
- name: logrotate config
|
||||
template:
|
||||
src: files/logrotate.conf
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
version: "2.3"
|
||||
|
||||
x-website: &website
|
||||
image: registry.git.theorangeone.net/repos/website:latest
|
||||
image: registry.gitlab.com/realorangeone/website:latest
|
||||
user: "{{ docker_user.id }}"
|
||||
restart: unless-stopped
|
||||
init: true
|
||||
|
|
|
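Review bot: The image now comes from `registry.gitlab.com/realorangeone/website:latest`, a registry outside this infrastructure, and `:latest` is a mutable tag, so whoever can push to that GitLab project or holds its CI token decides what runs on this host at the next pull. Pin the reference to an immutable digest, e.g. `image: registry.gitlab.com/realorangeone/website@sha256:<digest>`, and bump it deliberately; if this repository is among those the Renovate instance configured in this same change set autodiscovers, Renovate can keep that digest current. If the GitLab project is private the host also needs registry credentials that this diff does not show, so confirm the pull succeeds from the docker host. The `x-website` anchor continues beyond the hunk.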
@ -180,13 +180,6 @@ resource "cloudflare_record" "jakehowardtech_mailgun_dmarc" {
|
|||
ttl = 1
|
||||
}
|
||||
|
||||
resource "cloudflare_record" "jakehowardtech_slides" {
|
||||
zone_id = cloudflare_zone.jakehowardtech.id
|
||||
name = "slides"
|
||||
value = cloudflare_record.theorangeonenet_gitlab_pages.hostname
|
||||
type = "CNAME"
|
||||
ttl = 1
|
||||
}
|
||||
resource "cloudflare_record" "jakehowardtech_matrix_admin" {
|
||||
zone_id = cloudflare_zone.jakehowardtech.id
|
||||
name = "synapse-admin"
|
||||
|
|
|
@ -10,22 +10,6 @@ resource "cloudflare_record" "theorangeonenet_git" {
|
|||
ttl = 1
|
||||
}
|
||||
|
||||
resource "cloudflare_record" "theorangeonenet_gitea" {
|
||||
zone_id = cloudflare_zone.theorangeonenet.id
|
||||
name = "gitea"
|
||||
value = linode_instance.casey.ip_address
|
||||
type = "A"
|
||||
ttl = 1
|
||||
}
|
||||
|
||||
resource "cloudflare_record" "theorangeonenet_git_registry" {
|
||||
zone_id = cloudflare_zone.theorangeonenet.id
|
||||
name = "registry.git"
|
||||
value = cloudflare_record.theorangeonenet_git.hostname
|
||||
type = "CNAME"
|
||||
ttl = 1
|
||||
}
|
||||
|
||||
resource "cloudflare_record" "theorangeonenet_whoami" {
|
||||
zone_id = cloudflare_zone.theorangeonenet.id
|
||||
name = "whoami"
|
||||
|
@ -268,22 +252,6 @@ resource "cloudflare_record" "theorangeonenet_mailgun_dmarc" {
|
|||
ttl = 1
|
||||
}
|
||||
|
||||
resource "cloudflare_record" "theorangeonenet_gitlab_pages" {
|
||||
zone_id = cloudflare_zone.theorangeonenet.id
|
||||
name = "gitlab-pages"
|
||||
value = cloudflare_record.theorangeonenet_git.hostname
|
||||
type = "CNAME"
|
||||
ttl = 1
|
||||
}
|
||||
|
||||
resource "cloudflare_record" "theorangeonenet_gitlab_pages_wildcard" {
|
||||
zone_id = cloudflare_zone.theorangeonenet.id
|
||||
name = "*.gitlab-pages"
|
||||
value = cloudflare_record.theorangeonenet_gitlab_pages.hostname
|
||||
type = "CNAME"
|
||||
ttl = 1
|
||||
}
|
||||
|
||||
resource "cloudflare_record" "theorangeonenet_mastodon" {
|
||||
zone_id = cloudflare_zone.theorangeonenet.id
|
||||
name = "mastodon"
|
||||
|
|