https://github.com/jrtashjian/homelab-infra-gitlab
https://github.com/jrtashjian/homelab-infra-gitlab
ansible gitlab gitlab-runners homelab terraform
Last synced: 10 days ago
JSON representation
- Host: GitHub
- URL: https://github.com/jrtashjian/homelab-infra-gitlab
- Owner: jrtashjian
- Created: 2026-04-22T21:05:55.000Z (2 months ago)
- Default Branch: master
- Last Pushed: 2026-05-02T06:04:18.000Z (2 months ago)
- Last Synced: 2026-05-02T08:16:22.491Z (2 months ago)
- Topics: ansible, gitlab, gitlab-runners, homelab, terraform
- Language: Jinja
- Homepage:
- Size: 72.3 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# GitLab Infrastructure
This repository manages the provisioning and configuration of a self-hosted GitLab instance and its CI/CD runners using **Terraform** for VM provisioning and **Ansible** for host-level configuration.
**Terraform** provisions the GitLab VM and runner VMs on Proxmox using a shared VM module. It creates a GitLab server, standard-sized runners, and large runners spread across cluster nodes.
**Ansible** configures the runner VMs with Docker and the GitLab Runner service, deploys a shared S3-compatible (MinIO) cache configuration, and manages runner registration and deregistration against the GitLab instance.
## Terraform
### Local Development
To run Terraform commands locally, use the provided `.env.example` as a template:
```bash
cp .env.example .env
```
Fill in the values in `.env` using [1Password Secret References](https://developer.1password.com/docs/cli/secret-references/) (e.g. `op://vault/item/field`) or plain values. Then use the [1Password CLI](https://developer.1password.com/docs/cli) to inject secrets at runtime:
```bash
# Preview changes
op run --env-file=".env" -- terraform plan
# Apply changes
op run --env-file=".env" -- terraform apply
```
### Variables for CI/CD Pipeline
The pipeline utilizes [1Password Service Account](https://developer.1password.com/docs/service-accounts) for retrieving passwords [defined as variables](https://docs.gitlab.com/ee/ci/variables/#define-a-cicd-variable-in-the-ui) using the [Secret Reference](https://developer.1password.com/docs/cli/secret-references/) syntax.
#### GitLab CI/CD Workflow Variables
Required by the GitLab CI/CD workflow itself. Set these as CI/CD variables in the GitLab project settings.
| Variable | Description |
|---|---|
| `OP_SERVICE_ACCOUNT_TOKEN` | The service account token used by the GitLab CI/CD workflow to authenticate with 1Password. |
#### Environment Variables
Credentials passed to Terraform at runtime via 1Password secret references. Set these as CI/CD variables in the GitLab project settings.
| Variable | Description |
|---|---|
| `PROXMOX_VE_ENDPOINT` | The URL of the Proxmox Virtual Environment API endpoint. |
| `PROXMOX_VE_USERNAME` | The username and realm for the Proxmox Virtual Environment API. |
| `PROXMOX_VE_PASSWORD` | The password for the Proxmox Virtual Environment API. |
| `TF_VAR_ansible_user` | The user Ansible connects as on provisioned VMs. |
| `TF_VAR_ansible_pass` | The password for the Ansible user. |
| `TF_VAR_ansible_public_key` | The SSH public key added to provisioned VMs. |
## Ansible
Ansible configures the GitLab runner VMs. Playbooks and roles are in the `ansible/` directory.
### Setup
Install the required Ansible collections:
```bash
cd ansible
ansible-galaxy install --force -r requirements.yml
```
Run the vault setup script to fetch the Ansible vault password and encrypt vault files using [1Password CLI](https://developer.1password.com/docs/cli):
```bash
./setup-vaults.sh
```
### Playbooks
**Deploy** — installs Docker and GitLab Runner, and deploys the runner config template:
```bash
ansible-playbook playbooks/deploy.yml
```
**Register runners** — creates a runner via the GitLab API and registers it on each host (skips hosts already registered):
```bash
ansible-playbook playbooks/register-runners.yml
```
**Unregister runners** — deregisters and removes the runner config from each host:
```bash
ansible-playbook playbooks/unregister-runners.yml
```
**Docker prune** — runs `docker system prune --all --force` on all runner hosts:
```bash
ansible-playbook playbooks/docker-prune.yml
```