# SIMP Profile for managing GitLab
#
# ## Welcome to SIMP!
#
# This module is a component of the System Integrity Management Platform, a
# managed security compliance framework built on Puppet.
#
# This module is optimally designed for use within a larger SIMP ecosystem, but
# it can be used independently:
#
# * When included within the SIMP ecosystem, security compliance settings will
# be managed from the Puppet server.
#
# * If used independently, all SIMP-managed security subsystems are disabled by
# default, and must be explicitly opted into by administrators. Please
# review the parameters (e.g., `$trusted_nets`, `$pki`, `$firewall`) for details.
#
# @param trusted_nets
# A whitelist of subnets (in CIDR notation) permitted access
#
# @param denied_nets
# A blacklist of subnets (in CIDR notation) that should be explicitly denied access
#
# @param external_url
# External URL of GitLab. By default this is ``https://<fqdn>`` when ``$pki``
# is ``'simp'`` or ``true``, and ``http://<fqdn>`` when ``$pki`` is ``false``.
#
# @param tcp_listen_port
# The port upon which to listen for regular TCP connections. By default
# this will be ``'80'`` if HTTPS is disabled and ``'443'`` if HTTPS is enabled.
#
# @param firewall
# If ``true``, manage firewall rules to accommodate **simp_gitlab**
#
# @param pki
# * If ``'simp'``, include SIMP's pki module and use pki::copy to manage
# application certs in /etc/pki/simp_apps/gitlab/x509
# * If ``true``, do *not* include SIMP's pki module, but still use pki::copy
# to manage certs in /etc/pki/simp_apps/gitlab/x509
# * If ``false``, do not include SIMP's pki module and do not use pki::copy
# to manage certs. You will need to appropriately assign a subset of:
#
# * app_pki_dir
# * app_pki_key
# * app_pki_cert
# * app_pki_ca
#
# @param app_pki_external_source
# * If pki = 'simp' or true, this is the directory from which certs will be
# copied, via pki::copy. Defaults to /etc/pki/simp/x509.
#
# * If pki = false, this variable has no effect.
#
# @param app_pki_dir
# This variable controls the basepath of $app_pki_key, $app_pki_cert,
# $app_pki_ca, $app_pki_ca_dir, and $app_pki_crl.
# It defaults to /etc/pki/simp_apps/gitlab/x509.
#
# @param app_pki_key
# Full path of the private SSL key file.
#
# @param app_pki_cert
# Full path of the public SSL certificate.
#
# @param app_pki_ca
# Full path of the SSL CA certificate.
#
# @param edition
# The Gitlab Omnibus edition to install.
# Used to set gitlab::manage_upstream_edition.
#
# @param two_way_ssl_validation
# When `true`, server and clients will require mutual TLS authentication.
#
# @param ldap_verify_certificates
# When `true`, SSL LDAP connections must use certificates signed by a known
# CA. Defaults to `true`.
#
# @param ssl_verify_depth
# Sets the verification depth in the client certificates chain.
#
# @param ssl_protocols
# Array of Nginx-compatible SSL/TLS protocols for the web server to accept.
#
# @param gitlab_options
# Hash of manually-customized parameters for `puppet/gitlab`.
#
# These parameters will be deep-merged with settings generated by this
# profile. During the deep merge, the settings in `$gitlab_options` will
# take precedence.
#
# @param cipher_suite
# The cipher suite to use with SSL
#
# @param ldap
# If ``true``, enable LDAP support for Gitlab Omnibus.
#
# @param ldap_uri
# List of OpenLDAP server URIs. Note that _multiple_ URIs is an EE feature.
# Prefer ``ldaps://`` URIs; a plain ``ldap://`` URI sends the bind
# credentials in cleartext unless the connection is upgraded with StartTLS.
# @example ['ldaps://server1', 'ldaps://server2']
#
# @param ldap_active_directory
# This setting specifies if LDAP server is Active Directory LDAP server.
# For non AD servers it skips the AD specific queries.
# If your LDAP server is not AD, set this to false.
#
# @param ldap_base_dn
# Base where we can search for users
#
# @example ou=People,dc=gitlab,dc=example
#
# @param ldap_bind_dn
# The DN to use when binding to the LDAP server
#
# @param ldap_bind_pw
# The password for ``$ldap_bind_dn``. Supply it via Hiera
# (``simp_options::ldap::bind_pw``) rather than hard-coding it in a manifest.
#
# @param ldap_user_filter
# Format: RFC 4515 http://tools.ietf.org/search/rfc4515
# @example (employeeType=developer)
#
# @param ldap_group_base
# EE only
#
# @param manage_package
# Whether simp_gitlab will manage the gitlab-[ce,ee] package.
#
# - Set to ``true`` if you want simp_gitlab to set the GitLab root password
# during the initial install and configuration of GitLab. This is
# **HIGHLY** recommended: otherwise the root password is left unset after
# install, and anyone who can reach the GitLab URL can set it themselves.
#
# @param package_ensure
# The ensure status of the gitlab-[ce,ee] package, applied when
# `$manage_package` is ``true``.
#
# @author https://github.com/simp/pupmod-simp-simp_gitlab/graphs/contributors
#
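class simp_gitlab (
  Simplib::Netlist       $trusted_nets             = simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1/32'] }),
  Simp_gitlab::Stroolean $pki                      = simplib::lookup('simp_options::pki', { 'default_value' => false }),
  Simplib::Uri           $external_url             = $pki ? { true => "https://${facts['fqdn']}", 'simp' => "https://${facts['fqdn']}", default => "http://${facts['fqdn']}" },
  Simplib::Netlist       $denied_nets              = [],
  Simplib::Port          $tcp_listen_port          = $pki ? { true => 443, 'simp' => 443, default => 80 },
  Boolean                $firewall                 = simplib::lookup('simp_options::firewall', { 'default_value' => false }),
  Boolean                $ldap                     = simplib::lookup('simp_options::ldap', { 'default_value' => false }),
  Boolean                $ldap_active_directory    = false,
  Array[Simplib::URI]    $ldap_uri                 = simplib::lookup('simp_options::ldap::uri', { 'default_value' => [] }),
  String[3]              $ldap_base_dn             = simplib::lookup('simp_options::ldap::base_dn', { 'default_value' => simplib::ldap::domain_to_dn() }),
  String[3]              $ldap_bind_dn             = simplib::lookup('simp_options::ldap::bind_dn', { 'default_value' => "cn=hostAuth,ou=Hosts,${ldap_base_dn}" }),
  # There is no usable default for a bind password.  The previous default was
  # a DN string ("cn=LDAPAdmin,ou=People,..."), which silently became GitLab's
  # LDAP bind password whenever Hiera did not supply one.  Leave it unset and
  # fail below if LDAP is enabled without a real password.
  # NOTE(review): simp_gitlab::config is assumed to read this only when
  # $ldap is true -- confirm before relying on the undef default.
  Optional[String[1]]    $ldap_bind_pw             = simplib::lookup('simp_options::ldap::bind_pw', { 'default_value' => undef }),
  Optional[String[3]]    $ldap_group_base          = undef,
  Optional[String[1]]    $ldap_user_filter         = undef,
  Hash                   $gitlab_options           = {},
  String                 $app_pki_external_source  = simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' }),
  Stdlib::Absolutepath   $app_pki_dir              = '/etc/pki/simp_apps/gitlab/x509',
  Stdlib::Absolutepath   $app_pki_key              = "${app_pki_dir}/private/${facts['fqdn']}.pem",
  Stdlib::Absolutepath   $app_pki_cert             = "${app_pki_dir}/public/${facts['fqdn']}.pub",
  Stdlib::Absolutepath   $app_pki_ca               = "${app_pki_dir}/cacerts/cacerts.pem",
  Boolean                $two_way_ssl_validation   = false,
  Boolean                $ldap_verify_certificates = true,
  Integer[1]             $ssl_verify_depth         = 2,
  # TLSv1.1 is deprecated (RFC 8996); accept only TLSv1.2 by default.  Sites
  # that must still serve TLSv1.1 clients can re-add it through this parameter.
  Array[String[1]]       $ssl_protocols            = ['TLSv1.2'],
  Array[String[1]]       $cipher_suite             = simplib::lookup('simp_options::openssl::cipher_suite', {
    'default_value' => ['DEFAULT', '!MEDIUM']
  }),
  Enum['ce','ee']        $edition                  = 'ce',
  Boolean                $manage_package           = true,
  String                 $package_ensure           = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }),
) {
  simplib::assert_metadata($module_name)

  # Refuse to compile on platforms this module's metadata.json does not list.
  # The structured fact is used instead of the legacy top-level
  # `$::operatingsystem`, which newer agents can be configured not to send;
  # the rest of this class already uses `$facts[...]`.
  $_supported_oses = load_module_metadata($module_name)['operatingsystem_support'].map |$os_entry| {
    $os_entry['operatingsystem']
  }
  unless $facts['os']['name'] in $_supported_oses {
    fail("${facts['os']['name']} not supported")
  }

  # Fail fast rather than handing GitLab a missing LDAP bind password.
  if $ldap and !$ldap_bind_pw {
    fail('simp_gitlab: $ldap is true but no LDAP bind password was provided; set simp_options::ldap::bind_pw or simp_gitlab::ldap_bind_pw')
  }

  # Calculated variables.
  # The GitLab root password is generated (and retained on the Puppet server)
  # by simplib::passgen, keyed by this node's certname.
  $gitlab_root_passwd = simplib::passgen("simp_gitlab_${trusted['certname']}")

  # SSH-related paths; an operator override in `$gitlab_options` wins over the
  # GitLab Omnibus defaults used here.
  $gitlab_ssh_user    = pick($gitlab_options.dig('user', 'username'), 'git')
  $gitlab_ssh_home    = pick($gitlab_options.dig('user', 'home'), '/var/opt/gitlab')
  $gitlab_ssh_keyfile = pick($gitlab_options.dig('shell', 'auth_file'), "${gitlab_ssh_home}/.ssh/authorized_keys")

  include 'postfix'
  include 'ntpd'
  include 'ssh'
  include 'simp_gitlab::install'
  include 'simp_gitlab::config'

  Class['ntpd']
  -> Class['simp_gitlab::install']
  -> Class['simp_gitlab::config']
  -> Class['postfix']

  # On EL7, GitLab pulls in the chronyd service; keep svckill from stopping it.
  svckill::ignore { 'chronyd': }

  if $pki {
    pki::copy { 'gitlab':
      pki    => $pki,
      source => $app_pki_external_source,
    }

    # Only CA certificates land here, so a world-readable directory is fine.
    file { '/etc/gitlab/trusted-certs':
      ensure => directory,
      mode   => '0755',
      owner  => 'root',
      group  => 'root',
    }

    pki_cert_sync { '/etc/gitlab/trusted-certs':
      source                  => "${app_pki_dir}/cacerts",
      purge                   => true,
      # ``gitlab reconfigure`` generates the PEM hash links itself
      generate_pem_hash_links => false,
      notify                  => Class['gitlab::service'],
    }

    Pki::Copy['gitlab'] -> Pki_cert_sync['/etc/gitlab/trusted-certs']
    File['/etc/gitlab/trusted-certs'] -> Pki_cert_sync['/etc/gitlab/trusted-certs']

    if $manage_package {
      # Certs need to be in place for the initial gitlab-ctl reconfigure
      Pki_cert_sync['/etc/gitlab/trusted-certs'] -> Exec['initial_gitlab_reconfigure']
    }
  }

  if $firewall {
    include 'simp_gitlab::config::firewall'
    Class['simp_gitlab::config::firewall'] -> Class['simp_gitlab::install']
  }
}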