add gitlab

playbook.yml

@@ -16,6 +16,7 @@
     - { role: home_assistant, tags: ["home_assistant"] }
     - { role: n8n, tags: ["n8n"] }
     - { role: matrix, tags: ["matrix"] }
+    - { role: gitlab, tags: ["gitlab"] }
     - { role: iptables, tags: ["iptables"] }
     - { role: borg, tags: ["borg"] }
     - { role: watchtower, tags: ["watchtower"] }

roles/gitlab/tasks/base.yml

@@ -0,0 +1,22 @@
+---
+
+- name: Check gitlab directory exist
+  ansible.builtin.file:
+    path: gitlab
+    state: directory
+
+- name: Copy template conf
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "gitlab/{{ item.dest }}"
+  loop:
+    - { src: 'docker-compose.yml', dest: 'docker-compose.yml' }
+  register: gitlab_copy_templates_results
+
+- name: Update and restart container
+  community.docker.docker_compose:
+    project_src: gitlab
+    state: present
+    pull: true
+    restarted: "{{ gitlab_copy_templates_results.changed }}"
+  become: true

roles/gitlab/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+
+- ansible.builtin.import_tasks: base.yml
+  name: base

roles/gitlab/templates/docker-compose.yml

@@ -0,0 +1,116 @@
+version: '3'
+
+services:
+  gitlab:
+    image: gitlab/gitlab-ce:latest
+    container_name: gitlab
+    restart: unless-stopped
+    environment:
+      GITLAB_OMNIBUS_CONFIG: |
+        external_url 'https://gitlab.{{ server.domain }}'
+
+        gitlab_rails['lfs_enabled'] = true
+        gitlab_rails['gitlab_shell_ssh_port'] = 22
+        nginx['listen_port'] = 80
+        nginx['listen_https'] = false
+        nginx['proxy_set_headers'] = {
+          'X-Forwarded-Proto' => 'https',
+          'X-Forwarded-Ssl' => 'on',
+          'Host' => 'gitlab.{{ server.domain }}'
+        }
+
+        registry['enable'] = true
+        registry_external_url 'https://registry.{{ server.domain }}'
+        registry_nginx['listen_port'] = 80
+        registry_nginx['listen_https'] = false
+
+        puma['worker_processes'] = 0
+        sidekiq['max_concurrency'] = 10
+        gitlab_rails['env'] = {
+          'MALLOC_CONF' => 'dirty_decay_ms:1000,muzzy_decay_ms:1000'
+        }
+        gitaly['configuration'] = {
+          concurrency: [
+            {
+              'rpc' => "/gitaly.SmartHTTPService/PostReceivePack",
+              'max_per_repo' => 3,
+            }, {
+              'rpc' => "/gitaly.SSHService/SSHUploadPack",
+              'max_per_repo' => 3,
+            },
+          ],
+          cgroups: {
+            repositories: {
+              count: 2,
+            },
+            mountpoint: '/sys/fs/cgroup',
+            hierarchy_root: 'gitaly',
+            memory_bytes: 500000,
+            cpu_shares: 512,
+          },
+        }
+        gitaly['env'] = {
+          'MALLOC_CONF' => 'dirty_decay_ms:1000,muzzy_decay_ms:1000',
+          'GITALY_COMMAND_SPAWN_MAX_PARALLEL' => '2'
+        }
+    volumes:
+      - {{ server.work_dir }}/gitlab/data/:/var/opt/gitlab/
+      - {{ server.work_dir }}/gitlab/config/:/etc/gitlab/
+      - {{ server.work_dir }}/gitlab/logs/:/var/log/gitlab/
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    networks:
+      - proxy
+      - interne
+      - metrics
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=proxy
+      # HTTP Reverse proxy Gitlab
+      - traefik.http.routers.gitlab-secure.entrypoints=https
+      - traefik.http.routers.gitlab-secure.rule=Host(`gitlab.{{ server.domain }}`)
+      - traefik.http.routers.gitlab-secure.tls=true
+      - traefik.http.routers.gitlab-secure.tls.certresolver=sslResolver
+      - traefik.http.routers.gitlab-secure.service=gitlab
+      - traefik.http.services.gitlab.loadbalancer.server.port=80
+      # HTTP Reverse proxy Registry
+      - traefik.http.routers.gitlab-registry-secure.entrypoints=https
+      - traefik.http.routers.gitlab-registry-secure.rule=Host(`registry.{{ server.domain }}`)
+      - traefik.http.routers.gitlab-registry-secure.tls=true
+      - traefik.http.routers.gitlab-registry-secure.tls.certresolver=sslResolver
+      - traefik.http.routers.gitlab-registry-secure.service=gitlab-registry
+      - traefik.http.services.gitlab-registry.loadbalancer.server.port=80
+      # TCP SSH Reverse proxy Gitlab
+      - traefik.tcp.routers.gitlab-ssh.rule=HostSNI(`gitlab.{{ server.domain }}`)
+      - traefik.tcp.routers.gitlab-ssh.entrypoints=ssh
+      - traefik.tcp.routers.gitlab-ssh.service=gitlab-ssh
+      - traefik.tcp.services.gitlab-ssh.loadbalancer.server.port=22
+    logging:
+      driver: loki
+      options:
+        loki-url: "https://lokidoki:vEGH5Z5siWgcDkNknvCVzPCyqhHSBJCBjeBRZJvxUP8SdgfxJ6AqCGutCWugGsx5@loki.mrdev023.fr/loki/api/v1/push"
+        mode: non-blocking
+
+  gitlab-runner:
+    image: gitlab/gitlab-runner:alpine
+    container_name: gitlab-runner
+    restart: unless-stopped
+    depends_on:
+      - gitlab
+    volumes:
+      - {{ server.work_dir }}/gitlab/runner/:/etc/gitlab-runner/
+      - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+      - interne
+    logging:
+      driver: loki
+      options:
+        loki-url: "https://lokidoki:vEGH5Z5siWgcDkNknvCVzPCyqhHSBJCBjeBRZJvxUP8SdgfxJ6AqCGutCWugGsx5@loki.mrdev023.fr/loki/api/v1/push"
+        mode: non-blocking
+
+networks:
+  interne:
+  metrics:
+    external: true
+  proxy:
+    external: true

roles/iptables/templates/firewall.j2

@@ -64,6 +64,7 @@
 
 # SSH
 /sbin/iptables -A INPUT -p tcp --dport {{ server.ssh_port }} -j ACCEPT
+/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT # ACCEPT SSH INPUT THROUGH TRAEFIK
 /sbin/iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT # ACCEPT SSH OUTPUT LIKE GIT
 
 # ICMP (Ping)

roles/traefik/templates/config/traefik.yml

@@ -6,6 +6,8 @@ log:
 accessLog: {}
 
 entryPoints:
+  ssh:
+    address: ":22"
   http:
     address: ":80"
     http:

roles/traefik/templates/docker-compose.yml

@@ -13,6 +13,7 @@ services:
       vpn:
         ipv4_address: {{ server.vpn.reverse_proxy_ip }}
     ports:
+      - 22:22
       - 80:80
       - 443:443
     volumes: