Setting Up GitLab CE

This guide describes how to provision and configure a GitLab Community Edition instance in the PHX reference implementation.

Projects: c2platform/phx/ansible, c2platform.mgmt.gitlab

Overview

Using the PHX development environment, the following steps are performed:

- Vagrant creates an LXD node named pxd-gitlab.
- Using the Ansible provider, Vagrant executes two plays in order. The first play sets up the node:
  - Bootstraps OS packages.
  - Configures OS trust so that C2 certificates are trusted.
  - Joins the C2.ORG domain (provided by pxd-ad): Kerberos, DNS records.
  - Installs GitLab, including C2 certificates.
  - Creates a PAT as preparation for API access in the next play.
  - Restarts GitLab so that the API becomes available.
- The next play creates GitLab groups and imports several projects.

Prerequisites

Setting Up the PHX Development Environment on Ubuntu 24.04: Set up your Ansible development desktop with Ansible, Vagrant, LXD, and VirtualBox on Ubuntu 24.04. Clone the PHX project directories to extend the base C2 development environment. Use this setup to configure essential base services, including the Microsoft AD domain controller and reverse proxy. Finally, access web-based services in the environment via a Firefox profile using the forward proxy for sandboxed access.

Ensure the nodes pxd-rproxy1 and pxd-ad are up and running.

Provisioning

To start and provision the GitLab node, run:
This command takes around 15 minutes to complete.
Bringing machine 'pxd-gitlab' up with 'lxd' provider...
==> pxd-gitlab: Machine has not been created yet, starting...
==> pxd-gitlab: Importing LXC image...
==> pxd-gitlab: Mounting shared folders...
pxd-gitlab: /vagrant => /home/onknows/git/gitlab/c2/ansible-phx
pxd-gitlab: /home/vagrant/.marker => /home/onknows/.marker
pxd-gitlab: /home/vagrant/.local/share/marker => /home/onknows/.local/share/marker
pxd-gitlab: /root/.marker => /home/onknows/.marker
pxd-gitlab: /root/.local/share/marker => /home/onknows/.local/share/marker
pxd-gitlab: /home/vagrant/scripts => /home/onknows/git/c2/c2/user-scripts
pxd-gitlab: /ansible-dev-collections => /home/onknows/git/gitlab/c2/ansible-dev-collections
==> pxd-gitlab: Waiting for machine to boot. This may take a few minutes...
pxd-gitlab: SSH address: 10.190.101.182:22
pxd-gitlab: SSH username: vagrant
pxd-gitlab: SSH auth method: private key
==> pxd-gitlab: Machine booted and ready!
==> pxd-gitlab: Setting hostname...
==> pxd-gitlab: Running provisioner: shell...
pxd-gitlab: Running: inline script
==> pxd-gitlab: Running provisioner: ansible...
pxd-gitlab: Running ansible-playbook...
ini_path: /home/onknows/git/gitlab/c2/ansible-phx/hosts.ini
PLAY [GitLab] ******************************************************************
TASK [Gathering Facts] *********************************************************
ok: [pxd-gitlab]
TASK [Include Linux roles] *****************************************************
included: server_update for pxd-gitlab => (item=server_update)
included: bootstrap for pxd-gitlab => (item=bootstrap)
included: apt_repo for pxd-gitlab => (item=apt_repo)
included: os_trusts for pxd-gitlab => (item=os_trusts)
included: secrets for pxd-gitlab => (item=secrets)
included: mount for pxd-gitlab => (item=mount)
included: radix_guardian for pxd-gitlab => (item=radix_guardian)
TASK [c2platform.core.server_update : include_tasks] ***************************
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/server_update/tasks/update_cache.yml for pxd-gitlab
TASK [c2platform.core.server_update : Apt update cache] ************************
changed: [pxd-gitlab]
TASK [c2platform.core.server_update : include_tasks] ***************************
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/server_update/tasks/update.yml for pxd-gitlab
TASK [c2platform.core.server_update : include_tasks] ***************************
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/server_update/tasks/debian.yml for pxd-gitlab
TASK [c2platform.core.server_update : Upgrade all packages] ********************
changed: [pxd-gitlab]
TASK [c2platform.core.server_update : Check reboot] ****************************
ok: [pxd-gitlab]
TASK [c2platform.core.server_update : Fact server_update_reboot] ***************
ok: [pxd-gitlab]
TASK [c2platform.core.bootstrap : Include package tasks] ***********************
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/bootstrap/tasks/os.yml for pxd-gitlab => (item=['nano' , 'wget' , 'tree' , 'unzip' , 'zip' , 'jq' , 'build-essential' , 'python3-dev' , 'python3-wheel' , 'libsasl2-dev' , 'libldap2-dev' , 'libssl-dev' , 'git' , 'git-lfs' , 'nfs-common' , 'net-tools' , 'telnet' , 'curl' , 'dnsutils' , 'python3' ])
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/bootstrap/tasks/os.yml for pxd-gitlab => (item=python3-pip)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/bootstrap/tasks/os.yml for pxd-gitlab => (item=['realmd' , 'sssd' , 'sssd-ad' , 'sssd-krb5' , 'krb5-user' , 'adcli' , 'policykit-1' , 'packagekit' , 'sssd-tools' , 'libnss-sss' , 'libpam-sss' , 'bind9-utils' , 'samba-common-bin' ])
TASK [c2platform.core.bootstrap : OS package] **********************************
changed: [pxd-gitlab] => (item=['nano' , 'wget' , 'tree' , 'unzip' , 'zip' , 'jq' , 'build-essential' , 'python3-dev' , 'python3-wheel' , 'libsasl2-dev' , 'libldap2-dev' , 'libssl-dev' , 'git' , 'git-lfs' , 'nfs-common' , 'net-tools' , 'telnet' , 'curl' , 'dnsutils' , 'python3' ])
TASK [c2platform.core.bootstrap : OS package] **********************************
ok: [pxd-gitlab] => (item=python3-pip)
TASK [c2platform.core.bootstrap : OS package] **********************************
changed: [pxd-gitlab] => (item=['realmd' , 'sssd' , 'sssd-ad' , 'sssd-krb5' , 'krb5-user' , 'adcli' , 'policykit-1' , 'packagekit' , 'sssd-tools' , 'libnss-sss' , 'libpam-sss' , 'bind9-utils' , 'samba-common-bin' ])
TASK [c2platform.core.os_trusts : CA distribute ( Debian )] ********************
changed: [pxd-gitlab] => (item=https://letsencrypt.org/certs/isrgrootx1.pem)
changed: [pxd-gitlab] => (item=file:///vagrant/.ca/c2/c2.crt)
TASK [c2platform.core.os_trusts : Execute update-ca-certificates ( Debian )] ***
changed: [pxd-gitlab] => (item=https://letsencrypt.org/certs/isrgrootx1.pem)
changed: [pxd-gitlab] => (item=file:///vagrant/.ca/c2/c2.crt)
TASK [c2platform.core.secrets : Stat secret dir] *******************************
ok: [pxd-gitlab -> localhost] => (item=/home/onknows/git/gitlab/c2/ansible-phx/secret_vars/development)
ok: [pxd-gitlab -> localhost] => (item=/runner/project/secret_vars/development)
TASK [c2platform.core.secrets : Include secrets] *******************************
ok: [pxd-gitlab] => (item=None)
TASK [c2platform.core.radix_guardian : Copy Python script] *********************
changed: [pxd-gitlab]
TASK [c2platform.core.radix_guardian : Configure systemd service] **************
changed: [pxd-gitlab]
TASK [c2platform.core.radix_guardian : Start and enable service] ***************
changed: [pxd-gitlab]
TASK [c2platform.core.linux : Include linux_resources] *************************
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/fail.yml for pxd-gitlab => (item=0_bootstrap Environment pxd-gitlab → development)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/copy.yml for pxd-gitlab => (item=kerberos /etc/hosts)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/file.yml for pxd-gitlab => (item=kerberos /etc/systemd/resolved.conf.d)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/copy.yml for pxd-gitlab => (item=kerberos Configure systemd/resolved via resolved.conf.d drop-in)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/lineinfile.yml for pxd-gitlab => (item=kerberos pam_mkhomedir → /etc/pam.d/common-session)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/copy.yml for pxd-gitlab => (item=kerberos /usr/local/bin/update_dns_record.sh)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/copy.yml for pxd-gitlab => (item=kerberos Enable GSSAPI via sshd_config.d drop-in)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/service.yml for pxd-gitlab => (item=kerberos sssd)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/shell.yml for pxd-gitlab => (item=kerberos Join AD domain)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/copy.yml for pxd-gitlab => (item=kerberos /etc/sssd/sssd.conf)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/copy.yml for pxd-gitlab => (item=kerberos /etc/sudoers.d/c2)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/copy.yml for pxd-gitlab => (item=kerberos /etc/krb5.conf)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/lineinfile.yml for pxd-gitlab => (item=marker Marker)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/copy.yml for pxd-gitlab => (item=ssh_client Configure SSH client via ssh_config.d drop-in)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/file.yml for pxd-gitlab => (item=ubuntu_dev /usr/bin/python)
TASK [c2platform.core.linux : Copy files to remote locations] ******************
changed: [pxd-gitlab] => (item=/etc/hosts)
TASK [c2platform.core.linux : Manage files and file properties] ****************
changed: [pxd-gitlab] => (item=/etc/systemd/resolved.conf.d → directory)
TASK [c2platform.core.linux : Copy files to remote locations] ******************
changed: [pxd-gitlab] => (item=/etc/systemd/resolved.conf.d/phx_resolved.conf)
TASK [c2platform.core.linux : Manage lines in text files] **********************
changed: [pxd-gitlab] => (item=/etc/pam.d/common-session)
TASK [c2platform.core.linux : Copy files to remote locations] ******************
changed: [pxd-gitlab] => (item=/usr/local/bin/update_dns_record.sh)
TASK [c2platform.core.linux : Copy files to remote locations] ******************
changed: [pxd-gitlab] => (item=/etc/ssh/sshd_config.d/gssapi.conf)
TASK [c2platform.core.linux : Manage system services] **************************
changed: [pxd-gitlab] => (item=sssd → started)
TASK [c2platform.core.linux : Execute shell commands] **************************
changed: [pxd-gitlab] => (item=realm join --user=tony C2.ORG)
TASK [c2platform.core.linux : Copy files to remote locations] ******************
changed: [pxd-gitlab] => (item=/etc/sssd/sssd.conf)
TASK [c2platform.core.linux : Copy files to remote locations] ******************
changed: [pxd-gitlab] => (item=/etc/sudoers.d/c2)
TASK [c2platform.core.linux : Copy files to remote locations] ******************
changed: [pxd-gitlab] => (item=/etc/krb5.conf)
TASK [c2platform.core.linux : Manage lines in text files] **********************
changed: [pxd-gitlab] => (item=/home/vagrant/.bashrc)
changed: [pxd-gitlab] => (item=/root/.bashrc)
TASK [c2platform.core.linux : Copy files to remote locations] ******************
changed: [pxd-gitlab] => (item=/etc/ssh/ssh_config.d/phx_ssh_client.conf)
TASK [c2platform.core.linux : Manage files and file properties] ****************
changed: [pxd-gitlab] => (item=/usr/bin/python → link)
TASK [c2platform.wincore.win : Include win_resources] **************************
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/wincore/roles/win/tasks/win_dns_zone.yml for pxd-gitlab => (item= 60.168.192.in-addr.arpa)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/wincore/roles/win/tasks/win_dns_record.yml for pxd-gitlab => (item= 12)
TASK [c2platform.wincore.win : Manage Windows Server DNS Zones] ****************
ok: [pxd-gitlab -> pxd-ad(192.168.61.11)] => (item=60.168.192.in-addr.arpa → present)
TASK [c2platform.wincore.win : Manage Windows Server DNS records] **************
ok: [pxd-gitlab -> pxd-ad(192.168.61.11)] => (item=12 → present)
TASK [c2platform.core.linux : Include linux_resources] *************************
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/package.yml for pxd-gitlab => (item=0_gitlab_dependencies ['openssh-server' , 'postfix' , 'curl' , 'openssl' , 'tzdata' ])
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/package.yml for pxd-gitlab => (item=0_gitlab_dependencies_debian gnupg2)
TASK [c2platform.core.linux : Manage packages] *********************************
changed: [pxd-gitlab] => (item=['openssh-server' , 'postfix' , 'curl' , 'openssl' , 'tzdata' ] → present)
TASK [c2platform.core.linux : Manage packages] *********************************
changed: [pxd-gitlab] => (item=gnupg2 → present)
TASK [c2platform.mgmt.gitlab : Check if GitLab repository was added] ***********
ok: [pxd-gitlab]
TASK [c2platform.mgmt.gitlab : Download GitLab repository installation script] ***
changed: [pxd-gitlab]
TASK [c2platform.mgmt.gitlab : Install GitLab repository] **********************
changed: [pxd-gitlab]
TASK [c2platform.mgmt.gitlab : Log GitLab repository scripts result] ***********
changed: [pxd-gitlab] => (item=/tmp/gitlab_install_repository.sh.log)
TASK [c2platform.mgmt.gitlab : Apt update] *************************************
ok: [pxd-gitlab]
TASK [c2platform.mgmt.gitlab : Install GitLab] *********************************
changed: [pxd-gitlab]
TASK [c2platform.mgmt.gitlab : Manage Dpkg selections] *************************
changed: [pxd-gitlab]
TASK [c2platform.mgmt.gitlab : Create a PAT for automation with API access] ****
changed: [pxd-gitlab] => (item=ansible → present)
TASK [c2platform.mgmt.gitlab : Calculate hash of gitlab_import_sources] ********
ok: [pxd-gitlab]
TASK [c2platform.mgmt.gitlab : Check if import sources hash file exists] *******
ok: [pxd-gitlab]
TASK [c2platform.mgmt.gitlab : Update GitLab import sources via gitlab-rails runner] ***
changed: [pxd-gitlab]
TASK [c2platform.mgmt.gitlab : Store import sources hash] **********************
changed: [pxd-gitlab]
TASK [c2platform.core.linux : Include linux_resources] *************************
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/file.yml for pxd-gitlab => (item=0_certificates /etc/gitlab/ssl)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/command.yml for pxd-gitlab => (item=0_certificates Create self-signed certificate)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/copy.yml for pxd-gitlab => (item=0_config /etc/gitlab/gitlab.rb)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/git.yml for pxd-gitlab => (item=0_server_config Checkout PlantUML repo)
TASK [c2platform.core.linux : Manage files and file properties] ****************
changed: [pxd-gitlab] => (item=/etc/gitlab/ssl → directory)
TASK [c2platform.core.linux : Execute a command on a remote host] **************
changed: [pxd-gitlab] => (item=openssl req -new -nodes -x509 -subj "/C=NL/ST=South Holland/L=The Hague/O=C2 Platform/CN=C2 Platform GitLab Server" -days 3650 -keyout /etc/gitlab/ssl/gitlab.c2platform.org.key -out /etc/gitlab/ssl/gitlab.c2platform.org.crt -extensions v3_ca -addext "subjectAltName=DNS:gitlab.c2platform.org,DNS:*.gitlab.c2platform.org"
)
TASK [c2platform.core.linux : Copy files to remote locations] ******************
changed: [pxd-gitlab] => (item=/etc/gitlab/gitlab.rb)
TASK [c2platform.core.linux : Manage git repositories] *************************
changed: [pxd-gitlab] => (item=https://gitlab.com/c2platform/c2/plantuml.git → /tmp/plantuml → present
)
TASK [c2platform.core.java : Set additional java facts] ************************
ok: [pxd-gitlab]
TASK [c2platform.core.java : Install Java] *************************************
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/java/tasks/install.yml for pxd-gitlab => (item=jdk11_0411_oj9)
TASK [c2platform.core.java : Check Java / JDK installed at /usr/lib/jvm/jdk11_0411_oj9] ***
ok: [pxd-gitlab]
TASK [c2platform.core.java : Download] *****************************************
changed: [pxd-gitlab]
TASK [c2platform.core.java : Create java_home] *********************************
changed: [pxd-gitlab]
TASK [c2platform.core.java : Unarchive] ****************************************
changed: [pxd-gitlab]
TASK [c2platform.core.java : Chmod java_home] **********************************
changed: [pxd-gitlab]
TASK [c2platform.core.cacerts2 : Set fact cacerts2_certificates] ***************
ok: [pxd-gitlab]
TASK [c2platform.core.cacerts2 : cacerts2_certificates] ************************
ok: [pxd-gitlab]
TASK [c2platform.core.cacerts2 : Set various certificate facts] ****************
ok: [pxd-gitlab -> pxd-rproxy1(192.168.60.10)]
TASK [c2platform.core.cacerts2 : Set fact cacerts2_certificates] ***************
ok: [pxd-gitlab]
TASK [c2platform.core.cacerts2 : include_tasks] ********************************
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/cacerts2/tasks/certs/cert.yml for pxd-gitlab => (item=gitlab-server)
TASK [c2platform.core.cacerts2 : Stat key] *************************************
ok: [pxd-gitlab -> pxd-rproxy1(192.168.60.10)]
TASK [c2platform.core.cacerts2 : Stat crt] *************************************
ok: [pxd-gitlab -> pxd-rproxy1(192.168.60.10)]
TASK [c2platform.core.cacerts2 : Stat dir] *************************************
ok: [pxd-gitlab -> pxd-rproxy1(192.168.60.10)]
TASK [c2platform.core.cacerts2 : Generate an OpenSSL private key] **************
ok: [pxd-gitlab -> pxd-rproxy1(192.168.60.10)]
TASK [c2platform.core.cacerts2 : Generate an OpenSSL Certificate Signing Request] ***
ok: [pxd-gitlab -> pxd-rproxy1(192.168.60.10)]
TASK [c2platform.core.cacerts2 : Generate an OpenSSL certificate] **************
ok: [pxd-gitlab -> pxd-rproxy1(192.168.60.10)]
TASK [c2platform.core.cacerts2 : Generate pkcs12 file] *************************
ok: [pxd-gitlab -> pxd-rproxy1(192.168.60.10)]
TASK [c2platform.core.cacerts2 : Create PEM file] ******************************
ok: [pxd-gitlab -> pxd-rproxy1(192.168.60.10)]
TASK [c2platform.core.cacerts2 : include_tasks] ********************************
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/cacerts2/tasks/certs/cert_deploy.yml for pxd-gitlab => (item=gitlab-server)
TASK [c2platform.core.cacerts2 : Copy to control node ( fetch )] ***************
ok: [pxd-gitlab -> pxd-rproxy1(192.168.60.10)] => (item=/vagrant/.ca/c2/gitlab/gitlab-server-pxd-gitlab.key → /tmp/)
ok: [pxd-gitlab -> pxd-rproxy1(192.168.60.10)] => (item=/vagrant/.ca/c2/gitlab/gitlab-server-pxd-gitlab.crt → /tmp/)
TASK [c2platform.core.cacerts2 : Stat parent dir] ******************************
ok: [pxd-gitlab] => (item=key)
ok: [pxd-gitlab] => (item=crt)
TASK [c2platform.core.cacerts2 : Deploy files] *********************************
changed: [pxd-gitlab] => (item=/tmp/gitlab-server-pxd-gitlab.key → /etc/gitlab/ssl/gitlab.c2platform.org.key)
changed: [pxd-gitlab] => (item=/tmp/gitlab-server-pxd-gitlab.crt → /etc/gitlab/ssl/gitlab.c2platform.org.crt)
RUNNING HANDLER [c2platform.mgmt.gitlab : Reconfigure gitlab] ******************
changed: [pxd-gitlab]
RUNNING HANDLER [c2platform.mgmt.gitlab : Restart gitlab] **********************
changed: [pxd-gitlab]
RUNNING HANDLER [c2platform.core.linux : Restart systemd-resolved] *************
changed: [pxd-gitlab]
RUNNING HANDLER [c2platform.core.linux : Restart sssd] *************************
changed: [pxd-gitlab]
RUNNING HANDLER [c2platform.core.linux : Restart ssh] **************************
changed: [pxd-gitlab]
RUNNING HANDLER [c2platform.core.radix_guardian : Restart radix_guardian] ******
changed: [pxd-gitlab]
PLAY RECAP *********************************************************************
pxd-gitlab : ok=115 changed=48 unreachable=0 failed=0 skipped=55 rescued=0 ignored=0
==> pxd-gitlab: Running provisioner: ansible...
pxd-gitlab: Running ansible-playbook...
ini_path: /home/onknows/git/gitlab/c2/ansible-phx/hosts.ini
PLAY [GitLab] ******************************************************************
TASK [Gathering Facts] *********************************************************
ok: [pxd-gitlab]
TASK [c2platform.core.secrets : Stat secret dir] *******************************
ok: [pxd-gitlab -> localhost] => (item=/home/onknows/git/gitlab/c2/ansible-phx/secret_vars/development)
ok: [pxd-gitlab -> localhost] => (item=/runner/project/secret_vars/development)
TASK [c2platform.core.secrets : Include secrets] *******************************
ok: [pxd-gitlab] => (item=None)
TASK [c2platform.core.linux : Include linux_resources] *************************
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/package.yml for pxd-gitlab => (item=0_gitlab_dependencies ['openssh-server' , 'postfix' , 'curl' , 'openssl' , 'tzdata' ])
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/package.yml for pxd-gitlab => (item=0_gitlab_dependencies_debian gnupg2)
TASK [c2platform.core.linux : Manage packages] *********************************
ok: [pxd-gitlab] => (item=['openssh-server' , 'postfix' , 'curl' , 'openssl' , 'tzdata' ] → present)
TASK [c2platform.core.linux : Manage packages] *********************************
ok: [pxd-gitlab] => (item=gnupg2 → present)
TASK [c2platform.mgmt.gitlab : Check if GitLab repository was added] ***********
ok: [pxd-gitlab]
TASK [c2platform.mgmt.gitlab : Apt update] *************************************
ok: [pxd-gitlab]
TASK [c2platform.mgmt.gitlab : Install GitLab] *********************************
ok: [pxd-gitlab]
TASK [c2platform.mgmt.gitlab : Manage Dpkg selections] *************************
ok: [pxd-gitlab]
TASK [c2platform.mgmt.gitlab : Create a PAT for automation with API access] ****
ok: [pxd-gitlab] => (item=ansible → present)
TASK [c2platform.mgmt.gitlab : Calculate hash of gitlab_import_sources] ********
ok: [pxd-gitlab]
TASK [c2platform.mgmt.gitlab : Check if import sources hash file exists] *******
ok: [pxd-gitlab]
TASK [c2platform.mgmt.gitlab : Read existing import sources hash] **************
ok: [pxd-gitlab]
TASK [c2platform.mgmt.gitlab : Set existing hash fact] *************************
ok: [pxd-gitlab]
TASK [c2platform.mgmt.gitlab : Import sources configuration unchanged] *********
ok: [pxd-gitlab] =>
msg: 'GitLab import sources configuration is up to date (hash: dbc95cb0c1b64df9c959f5609dc86db7fe503e4c615f51251e2cd46432e5aa9d)'
TASK [c2platform.core.linux : Include linux_resources] *************************
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/file.yml for pxd-gitlab => (item=0_certificates /etc/gitlab/ssl)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/command.yml for pxd-gitlab => (item=0_certificates Create self-signed certificate)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/copy.yml for pxd-gitlab => (item=0_config /etc/gitlab/gitlab.rb)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/git.yml for pxd-gitlab => (item=0_server_config Checkout PlantUML repo)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/pip.yml for pxd-gitlab => (item=1_api_config python-gitlab)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/gitlab_group.yml for pxd-gitlab => (item=1_api_config C2 Platform Groups)
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/linux/tasks/gitlab_project.yml for pxd-gitlab => (item=1_api_config C2 Platform Projects)
TASK [c2platform.core.linux : Manage files and file properties] ****************
ok: [pxd-gitlab] => (item=/etc/gitlab/ssl → directory)
TASK [c2platform.core.linux : Execute a command on a remote host] **************
ok: [pxd-gitlab] => (item=openssl req -new -nodes -x509 -subj "/C=NL/ST=South Holland/L=The Hague/O=C2 Platform/CN=C2 Platform GitLab Server" -days 3650 -keyout /etc/gitlab/ssl/gitlab.c2platform.org.key -out /etc/gitlab/ssl/gitlab.c2platform.org.crt -extensions v3_ca -addext "subjectAltName=DNS:gitlab.c2platform.org,DNS:*.gitlab.c2platform.org"
)
TASK [c2platform.core.linux : Copy files to remote locations] ******************
ok: [pxd-gitlab] => (item=/etc/gitlab/gitlab.rb)
TASK [c2platform.core.linux : Manage git repositories] *************************
ok: [pxd-gitlab] => (item=https://gitlab.com/c2platform/c2/plantuml.git → /tmp/plantuml → present
)
TASK [c2platform.core.linux : Manage Python packages] **************************
changed: [pxd-gitlab] => (item=python-gitlab → present)
TASK [c2platform.core.linux : Creates/updates/deletes GitLab Groups] ***********
changed: [pxd-gitlab] => (item=C2 Platform → present)
changed: [pxd-gitlab] => (item=C2 Platform → present)
changed: [pxd-gitlab] => (item=Examples → present)
changed: [pxd-gitlab] => (item=Docker → present)
changed: [pxd-gitlab] => (item=PHX Project → present)
changed: [pxd-gitlab] => (item=Examples → present)
TASK [c2platform.core.linux : Creates/updates/deletes GitLab Projects] *********
changed: [pxd-gitlab] => (item=Ansible Inventory → present)
changed: [pxd-gitlab] => (item=Git LFS and GitLab Pages → present)
changed: [pxd-gitlab] => (item=GitLab Runner → present)
changed: [pxd-gitlab] => (item=Ansible Inventory PHX Project → present)
changed: [pxd-gitlab] => (item=GitLab Runners → present)
TASK [c2platform.core.java : Set additional java facts] ************************
ok: [pxd-gitlab]
TASK [c2platform.core.java : Install Java] *************************************
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/java/tasks/install.yml for pxd-gitlab => (item=jdk11_0411_oj9)
TASK [c2platform.core.java : Check Java / JDK installed at /usr/lib/jvm/jdk11_0411_oj9] ***
ok: [pxd-gitlab]
TASK [c2platform.core.cacerts2 : Set fact cacerts2_certificates] ***************
ok: [pxd-gitlab]
TASK [c2platform.core.cacerts2 : cacerts2_certificates] ************************
ok: [pxd-gitlab]
TASK [c2platform.core.cacerts2 : Set various certificate facts] ****************
ok: [pxd-gitlab -> pxd-rproxy1(192.168.60.10)]
TASK [c2platform.core.cacerts2 : Set fact cacerts2_certificates] ***************
ok: [pxd-gitlab]
TASK [c2platform.core.cacerts2 : include_tasks] ********************************
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/cacerts2/tasks/certs/cert.yml for pxd-gitlab => (item=gitlab-server)
TASK [c2platform.core.cacerts2 : Stat key] *************************************
ok: [pxd-gitlab -> pxd-rproxy1(192.168.60.10)]
TASK [c2platform.core.cacerts2 : Stat crt] *************************************
ok: [pxd-gitlab -> pxd-rproxy1(192.168.60.10)]
TASK [c2platform.core.cacerts2 : Stat dir] *************************************
ok: [pxd-gitlab -> pxd-rproxy1(192.168.60.10)]
TASK [c2platform.core.cacerts2 : Generate an OpenSSL private key] **************
ok: [pxd-gitlab -> pxd-rproxy1(192.168.60.10)]
TASK [c2platform.core.cacerts2 : Generate an OpenSSL Certificate Signing Request] ***
ok: [pxd-gitlab -> pxd-rproxy1(192.168.60.10)]
TASK [c2platform.core.cacerts2 : Generate an OpenSSL certificate] **************
ok: [pxd-gitlab -> pxd-rproxy1(192.168.60.10)]
TASK [c2platform.core.cacerts2 : Generate pkcs12 file] *************************
ok: [pxd-gitlab -> pxd-rproxy1(192.168.60.10)]
TASK [c2platform.core.cacerts2 : Create PEM file] ******************************
ok: [pxd-gitlab -> pxd-rproxy1(192.168.60.10)]
TASK [c2platform.core.cacerts2 : include_tasks] ********************************
included: /home/onknows/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/cacerts2/tasks/certs/cert_deploy.yml for pxd-gitlab => (item=gitlab-server)
TASK [c2platform.core.cacerts2 : Copy to control node ( fetch )] ***************
ok: [pxd-gitlab -> pxd-rproxy1(192.168.60.10)] => (item=/vagrant/.ca/c2/gitlab/gitlab-server-pxd-gitlab.key → /tmp/)
ok: [pxd-gitlab -> pxd-rproxy1(192.168.60.10)] => (item=/vagrant/.ca/c2/gitlab/gitlab-server-pxd-gitlab.crt → /tmp/)
TASK [c2platform.core.cacerts2 : Stat parent dir] ******************************
ok: [pxd-gitlab] => (item=key)
ok: [pxd-gitlab] => (item=crt)
TASK [c2platform.core.cacerts2 : Deploy files] *********************************
ok: [pxd-gitlab] => (item=/tmp/gitlab-server-pxd-gitlab.key → /etc/gitlab/ssl/gitlab.c2platform.org.key)
ok: [pxd-gitlab] => (item=/tmp/gitlab-server-pxd-gitlab.crt → /etc/gitlab/ssl/gitlab.c2platform.org.crt)
PLAY RECAP *********************************************************************
pxd-gitlab : ok=51 changed=3 unreachable=0 failed=0 skipped=37 rescued=0 ignored=0
Verify

Login

Next, go to https://gitlab.c2platform.org and log in as root using the password supersecret.

Personal access token (PAT)

Navigate to Preferences → Personal access tokens. This should show a token named ansible. This token is used to configure the instance via the API.

GitLab Groups and Projects

Next, go to Groups → C2 Platform. This should show several groups and projects that were created using the API.
Review

Vagrant Box

The Ansible configuration for GitLab consists of two plays: one for setting up GitLab and another for configuring it. These are defined in separate playbooks. Logically, they are separate because in real-world scenarios these tasks are often performed by different teams. Technically, they need to be separate because GitLab configuration via the API is only possible after the API becomes available, which occurs after restarting the GitLab service (triggered by an Ansible handler).

Box definition in Vagrantfile.yml:

Vagrantfile.yml
  - name: gitlab
    short_description: Gitlab CE
    description: Gitlab CE
    box: ubuntu24-lxd
    ip-address: 192.168.60.12
    plays:
      - mgmt/gitlab
      - mgmt/gitlab_config
    labels:
      - gitlab
Play for creating the instance

This first playbook installs and sets up the GitLab instance on the host.

plays/mgmt/gitlab.yml
---
- name: GitLab
  hosts: gitlab
  become: true
  roles:
    - { role: c2platform.core.linux }
    - { role: c2platform.wincore.win }
    - { role: c2platform.mgmt.gitlab }
Note that the play includes the Windows role (c2platform.wincore.win) even though the GitLab node pxd-gitlab is a Linux node. The role is used to delegate a task to pxd-ad that creates a PTR record, which is required for the node to successfully join the AD domain C2.ORG and for Kerberos to work correctly.

Note that this is not specific to the GitLab node; it applies to all Ubuntu nodes. As a consequence, the relevant configuration is part of the Ansible group ubuntu and can be found in group_vars/ubuntu/ptr.yml:
group_vars/ubuntu/ptr.yml
---
win_roles: []
win_resources:
  - name: "{{ '.'.join(ansible_eth1.ipv4.address.split('.')[-2::-1]) }}.in-addr.arpa"
    module: win_dns_zone
    type: Primary
    replication: Domain
    state: present
    delegate_to: pxd-ad
  - name: "{{ ansible_eth1.ipv4.address.split('.')[-1] }}"
    module: win_dns_record
    type: "PTR"
    zone: "{{ '.'.join(ansible_eth1.ipv4.address.split('.')[-2::-1]) }}.in-addr.arpa"
    value: "{{ inventory_hostname }}.{{ px_ad_domain_name }}"
    state: present
    delegate_to: pxd-ad
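As an added example (not code from the PHX project), the following Python reproduces the two Jinja expressions from ptr.yml and cross-checks the result against the standard library's reverse pointer, so you can see why the zone and record name come out as they do. It assumes the box address 192.168.60.12 from Vagrantfile.yml, a lower-cased domain value c2.org for px_ad_domain_name, and a /24 subnet, which the [-2::-1] slice silently hard-codes.

```python
import ipaddress


def ptr_resources(ip: str, hostname: str, domain: str) -> dict:
    """Mirror the Jinja expressions in group_vars/ubuntu/ptr.yml.

    zone : '.'.join(ip.split('.')[-2::-1]) + '.in-addr.arpa'
           -> start at the third octet and walk backwards, i.e. drop the
              host octet and reverse the three network octets (a /24 zone)
    name : ip.split('.')[-1] -> the host octet becomes the PTR record name
    value: '<inventory_hostname>.<px_ad_domain_name>' -> the PTR target
    """
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    zone = ".".join(octets[-2::-1]) + ".in-addr.arpa"
    name = octets[-1]
    return {"zone": zone, "name": name, "value": f"{hostname}.{domain}"}


def check_ptr(ip: str, hostname: str, domain: str) -> bool:
    """Confirm that '<name>.<zone>' equals the canonical reverse pointer.

    ipaddress.reverse_pointer is the full reversed address, so this only
    holds when the zone really is a /24; a different mask would need a
    different slice in ptr.yml.
    """
    r = ptr_resources(ip, hostname, domain)
    canonical = ipaddress.ip_address(ip).reverse_pointer
    return f"{r['name']}.{r['zone']}" == canonical


if __name__ == "__main__":
    # Constructed values: the pxd-gitlab box address and AD domain from this page.
    rec = ptr_resources("192.168.60.12", "pxd-gitlab", "c2.org")
    print(rec)  # zone 60.168.192.in-addr.arpa, name 12, value pxd-gitlab.c2.org
    print("matches reverse_pointer:", check_ptr("192.168.60.12", "pxd-gitlab", "c2.org"))
```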
Second play for configuring the instance
This second playbook handles post-installation configuration, such as creating groups and importing projects via the GitLab API.
plays/mgmt/gitlab_config.yml
---
- name: GitLab
  hosts: gitlab
  become: true
  roles:
    - { role: c2platform.core.secrets }
    - { role: c2platform.mgmt.gitlab }
  vars:
    gitlab_resource_groups_disabled: []
Personal Access Token (PAT)
For the purpose of configuring the GitLab instance, the variable gitlab_pats in the GitLab role (c2platform.mgmt.gitlab) is used to create a Personal Access Token (PAT):
group_vars/gitlab/main.yml
gitlab_pats:
  - name: ansible
    username: root
    token: "{{ px_gitlab_root_pat }}"  # vault → supersecrettoken
    scopes: [read_service_ping, read_user, read_repository, read_api, self_rotate, write_repository, api, ai_features, create_runner, manage_runner, k8s_proxy, admin_mode, sudo]
    expires_days: 365
    state: present
Import and export settings
By default, a GitLab instance does not allow importing Git projects from GitLab.com. For this purpose, the variable gitlab_import_sources is used to configure import sources:
group_vars/gitlab/main.yml
gitlab_import_sources:
  - github
  - gitlab_project
  - git
https://gitlab.c2platform.org/admin/application_settings/general#js-import-export-settings
GitLab Projects and Groups
The configuration in group_vars/gitlab/projects.yml shows how the variable gitlab_resources is used to create GitLab groups and import projects:
group_vars/gitlab/projects.yml
---
gitlab_resources:
  1_api_config:  # → gitlab_resource_groups_disabled
    - name: python-gitlab
      module: pip
      extra_args: --break-system-packages
    - name: C2 Platform Groups
      module: gitlab_group
      defaults:
        api_url: "https://{{ gitlab_domain }}"
        api_token: "{{ px_gitlab_root_pat }}"
        visibility: public
        default_branch: master
        avatar_path: /tmp/plantuml/icons/png/c2.png
        environment:
          REQUESTS_CA_BUNDLE: "{{ px_linux_cert_dir }}/c2.crt.crt"
      resources:
        - name: C2 Platform
          path: c2platform
          description: C2 Platform projects for the C2 Platform
        - name: C2 Platform
          path: c2
          parent: c2platform
          description: >-
            Example / template / reference projects that showcase the power and
            versatility of Ansible, GitOps, and Kubernetes. These projects are
            part of the esteemed GitLab Open Source Program, and they make full
            use of GitLab.
        - name: Examples
          path: examples
          parent: c2platform/c2
        - name: Docker
          path: docker2
          parent: c2platform/c2
          avatar_path: /tmp/plantuml/icons/png/docker_min50.png
        - name: PHX Project
          path: phx
          parent: c2platform
          description: PHX projects for the PHX Platform
        - name: Examples
          path: examples
          parent: c2platform/phx
    - name: C2 Platform Projects
      module: gitlab_project
      defaults:
        api_url: "https://{{ gitlab_domain }}"
        api_token: "{{ px_gitlab_root_pat }}"
        visibility: public
        # default_branch: master
        environment:
          REQUESTS_CA_BUNDLE: "{{ px_linux_cert_dir }}/c2.crt.crt"
      resources:
        - name: Ansible Inventory
          group: c2platform/c2
          path: ansible-inventory
          avatar_path: /tmp/plantuml/icons/png/vagrant_ansible.png
          import_url: https://gitlab.com/c2platform/c2/ansible-inventory.git
        - name: Git LFS and GitLab Pages
          group: c2platform/c2/examples
          path: git-lfs-and-gitlab-pages
          lfs_enabled: true
          avatar_path: /tmp/plantuml/icons/png/gitlab.png
          import_url: https://gitlab.com/c2platform/phx/examples/git-lfs-and-gitlab-pages.git
        - name: GitLab Runner
          group: c2platform/c2/docker2
          path: gitlab-runner
          avatar_path: /tmp/plantuml/icons/png/gitlab.png
          import_url: https://gitlab.com/c2platform/c2/docker2/gitlab-runner.git
        - name: Ansible Inventory PHX Project
          group: c2platform/phx
          path: ansible
          avatar_path: /tmp/plantuml/icons/png/vagrant_ansible.png
          import_url: https://gitlab.com/c2platform/phx/ansible.git
        - name: GitLab Runners
          group: c2platform/phx/examples
          path: gitlab-runners
          avatar_path: /tmp/plantuml/icons/png/gitlab.png
          import_url: https://gitlab.com/c2platform/phx/examples/gitlab-runners.git
gitlab_resource_groups_disabled: ['1_api_config']