{"id":42926639,"url":"https://github.com/coderefinery/gitlab-openstack-deploy","last_synced_at":"2026-01-30T18:10:26.917Z","repository":{"id":75413985,"uuid":"88707970","full_name":"coderefinery/gitlab-openstack-deploy","owner":"coderefinery","description":"An Ansible playbook to deploy a Gitlab Server on OpenStack (Specifically CSC's Pouta)","archived":false,"fork":false,"pushed_at":"2018-11-08T09:22:25.000Z","size":82,"stargazers_count":2,"open_issues_count":4,"forks_count":3,"subscribers_count":17,"default_branch":"master","last_synced_at":"2025-09-10T04:46:52.827Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/coderefinery.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2017-04-19T06:15:07.000Z","updated_at":"2019-02-20T14:17:38.000Z","dependencies_parsed_at":null,"dependency_job_id":"a887018a-5c65-4381-940e-c053a27ce9b0","html_url":"https://github.com/coderefinery/gitlab-openstack-deploy","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/coderefinery/gitlab-openstack-deploy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coderefinery%2Fgitlab-openstack-deploy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coderefinery%2Fgitlab-openstack-deploy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coderefine
ry%2Fgitlab-openstack-deploy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coderefinery%2Fgitlab-openstack-deploy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/coderefinery","download_url":"https://codeload.github.com/coderefinery/gitlab-openstack-deploy/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coderefinery%2Fgitlab-openstack-deploy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28917035,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-30T16:37:38.804Z","status":"ssl_error","status_checked_at":"2026-01-30T16:37:37.878Z","response_time":66,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-30T18:10:26.788Z","updated_at":"2026-01-30T18:10:26.900Z","avatar_url":"https://github.com/coderefinery.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Gitlab Devops\n\nThis repository contains Ansible playbooks for administering the gitlab\ninstallations on OpenStack. 
It should not be kept on the gitlab installation\nto avoid obvious chicken-egg problems.\n\n## Setting up the Python environment\n\nThis assumes you have Python, virtualenv and virtualenvwrapper\ninstalled.\n\n    $ mkvirtualenv cr-gitlab-devops\n    (cr-gitlab-devops)$ pip install -r requirements.txt\n\nOn subsequent uses it suffices to activate the virtual environment\n\n    $ workon cr-gitlab-devops\n    (cr-gitlab-devops)$\n\n## Setting up environment variables\n\nThis repository does not contain per-installation data.\n\nThe data is expected to be laid out as follows\n\n```\nrepo/\n  playbook.yml\n  roles/...\n  environment/ # here you can have multiple environments\n    coderefinery-gitlab/ # symlink to a separate repo\n      hosts\n      group_vars/\n        all/\n          vars.yml\n          vault.yml\n          ansible.cfg\n          other.yml\n    another-gitlab/\n      hosts\n      group_vars\n        all/\n          vars.yml\n          vault.yml\n          something_completely_different.yml\n```\n\nTo create a new set of environment variables it is suggested to copy an\nexisting set for simplicity.\n\n## Playbook\n\nThe roles are run with a playbook called playbook.yml. The playbook will provision\nthe necessary resources from OpenStack and configure the system as much as\npossible.\n\nIt requires certain environment variables for OpenStack authentication, which\nare set by sourcing an OpenRC file.\n\n    (cr-gitlab-devops)$ source project-openrc.sh\n    Please enter your OpenStack Password:\n    (cr-gitlab-devops)$\n\nThen you can run the actual playbook provided you have the vault password.\n\n    (cr-gitlab-devops)$ export ANSIBLE_CONFIG=~/path/to/coderefinery-gitlab/ansible.cfg\n    (cr-gitlab-devops)$ ansible-playbook playbook.yml -i environments/coderefinery-gitlab/hosts\n    Vault password:\n\nand Bob is your uncle!\n\n### Ansible vault\n\nTo decrypt the encrypted secrets found in group\\_vars/all/vault.yml\none needs a vault password. 
It is distributed separately.\n\nTo view the contents of the vault file run\n\n    (cr-gitlab-devops)$ ansible-vault view group_vars/all/vault.yml\n\nAnd to edit it run\n\n    (cr-gitlab-devops)$ ansible-vault edit group_vars/all/vault.yml\n\nFor more information check out the [Ansible vault\ndocumentation](http://docs.ansible.com/ansible/playbooks_vault.html)\n\n## Provisioning\n\nStep one of the playbook creates the following servers\n\n* the actual gitlab host with a public ip\n* a separate backup-host with a volume for backups and a cron-job that runs\n  backups on gitlab-host\n* a gitlab-runner instance that runs gitlab-runner inside docker against the gitlab instance\n  * there was a chicken and egg issue with getting the authentication key for\n    runner so after installing gitlab you will need to get the files\n\nAfter the hosts are created the system creates ssh.cfg in the root of your\ninstallation. It uses the gitlab installation as a bastion so that\nthe gitlab installation can be the only one of the three hosts with a public\nIP address.\n\nTo communicate with the other two parts run\n\n    $ ssh -F ssh.{{gitlab_name}}.cfg gitlab-runner / gitlab-backup\n\n## Configuring\n\nMost configuration is in group\\_vars/all/vars.yml or the vault.yml that was\nalready covered.\n\nMost values should be self-explanatory. If in doubt try grepping for how they\nare used.\n\nWhen adding a variable to the vault make a line in vars.yml that copies the\nvariable to another variable without the prefix vaulted\\_. This makes it\neasier to check the names of variables in the vault without decrypting it all the time.\n\nThe initial installation root password is stored inside the vault. Check that to\nlog in and start managing the server if installing from scratch.\n\n### SSL\n\nSSL keys were created by using certbot. There is a part called letsencrypt\nthat will in theory re-generate the certificates using a brand new ansible\nmodule. 
This is doubtful in practice, and someone should re-generate the\ncertificates manually before summer holidays 2017.\n\nThe playbook for letsencrypt is included but disabled in case there is time to\nwork on it.\n\n### Runner config\n\nMultiple virtual machines can be created to host runners for GitLab CI/CD\npipelines. Their specs are specified in a dict called runner_vms like so:\n\n```\nrunner_vms:\n  centos-dedicated:\n    image: \"CentOS-7.0\"\n    flavor: \"io.70GB\"\n    runner_configs:\n      - RUNNER_NAME: \"centos-dedicated\"\n        DOCKER_IMAGE: \"centos\"\n        REGISTER_LOCKED: \"true\"\n        state: \"started\"\n  ubuntu-dedicated:\n    image: \"CentOS-7.0\"\n    flavor: \"io.70GB\"\n    runner_configs:\n      - RUNNER_NAME: \"ubuntu-dedicated\"\n        DOCKER_IMAGE: \"ubuntu\"\n        REGISTER_LOCKED: \"true\"\n        REGISTRATION_TOKEN: \"{{ vaulted_ubuntu_dedicated_reg_token }}\"\n        state: \"started\"\n  shared:\n    image: \"CentOS-7.0\"\n    flavor: \"io.70GB\"\n    runner_configs:\n      - RUNNER_NAME: \"ubuntu-shared\"\n        DOCKER_IMAGE: \"ubuntu\"\n        REGISTRATION_TOKEN: \"{{ initial_shared_runners_registration_token }}\"\n        state: \"started\"\n      - RUNNER_NAME: \"alpine\"\n        DOCKER_IMAGE: \"alpine\"\n        REGISTRATION_TOKEN: \"{{ initial_shared_runners_registration_token }}\"\n        state: \"started\"\n```\n\nRunner configuration consists of setting an image and a flavor for the virtual\nmachine and a list of environment variable dicts (one per runner) that\nconfigure runners at registration time. A list of these environment variables\ncan be retrieved by running \"docker exec gitlab-runner gitlab-ci-multi-runner\nhelp register\" as root on a runner machine.\n\nIf a registration token is not initially specified for a runner, then it will\nnot register initially. 
This is useful when you want to precreate a dedicated\nrunner whose registration token will only be known once a project is created\nthat will use the runner. Once the registration token is known, you can use it\nto register these precreated runners by adding it into the dict.\n\nIn the example above, the \"shared\" runner gets a special value for\nREGISTRATION_TOKEN. This is an initial token that is configured in GitLab's\nconfig file and can be used to register shared runners right away.\n\nFor runners that should only be usable by a single project you can set\nREGISTER_LOCKED: \"true\" in the list of environment variables.\n\nThe state variable can be any of the [states accepted by the docker\nmodule](https://docs.ansible.com/ansible/docker_container_module.html). As\ncontainers are identified by name only, it is important that you do not change\nRUNNER_NAME without first setting its state to stopped or absent. If you do,\nyou will have a ghost container and have to stop and remove it manually.\n\n## Recovering backups\n\n1) obtain files and copy them to remote machine, e.g.\n\n```\n[cloud-user@gitlab-internal tmp]$ ls -alhZ\ndrwxrwxrwt. root       root       system_u:object_r:tmp_t:s0       .\ndrwxr-xr-x. root       root       system_u:object_r:root_t:s0      ..\n-rw-------. cloud-user cloud-user unconfined_u:object_r:user_tmp_t:s0\n1495065614_2017_05_18_gitlab_backup.tar\n-rw-------. 
cloud-user cloud-user unconfined_u:object_r:user_tmp_t:s0\netc-gitlab-1495065602.tgz\n```\n\n2) copy xxxx_gitlab_backup.tar to /srv/gitlab/data/backups\n    chmod 0755 /srv/gitlab/data/backups/xxx_gitlab_backup.tar\n\n  copy etc-gitlab-XXX.tgz to /srv/gitlab/config/backups/ (optional, you can\n  pack it wherever you like)\n\n3) shut down stuff that uses the database\n\n```\ndocker exec -it gitlab gitlab-ctl stop unicorn\ndocker exec -it gitlab gitlab-ctl stop sidekiq\n```\n\n4) unpack the config .tgz, copy files you wish to replace (everything except\ngitlab.rb probably, unless you changed certificates)\n\n5) run\n\n```\ndocker exec -it gitlab gitlab-rake gitlab:backup:restore \\\nBACKUP=1495065614_2017_05_18\n```\n\nwith the timestamp of the backup. Answer YES to everything.\n\n## Updating\n\n1. Notify on system\n2. Verify that a recent backup exists\n3. Edit gitlab_tag in environments/[your_env]/group_vars/all/vars.yml\n4. Set up environment variables (like ANSIBLE_CONFIG, OpenStack credentials\n   etc.)\n5. Run playbook\n\nIf you suspect something fishy about the migrations not having been run, run\n\n```\n$ ssh -F ssh.[your_environment].cfg gitlab\n$ su\n# docker exec -it gitlab bash\n# gitlab-rake db:migrate\n```\n\nMigrations should be run automatically at the startup of the container,\nthough.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcoderefinery%2Fgitlab-openstack-deploy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcoderefinery%2Fgitlab-openstack-deploy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcoderefinery%2Fgitlab-openstack-deploy/lists"}