refactor(web-app-gitlab): restructure configuration and add OIDC support

- Added oidc feature flag in config - Removed obsolete credentials schema (initial_root_password) - Updated docker-compose.yml.j2 to use explicit GITLAB_* vars (image, version, container, volumes) - Moved initial_root_password into vars/main.yml - Introduced GITLAB_OMNIBUS_BASE and GITLAB_OMNIBUS_OIDC config lists - Switched env.j2 to use GITLAB_OMNIBUS_ALL join See conversation: https://chatgpt.com/share/68b1962c-3ee0-800f-a858-d4590ff6132a
2025-08-30 15:28:12 +02:00 · 2025-08-29 14:02:46 +02:00
parent 3ed84717a7
commit f4ea6c6c0f
5 changed files with 90 additions and 44 deletions
--- a/roles/web-app-gitlab/config/main.yml
+++ b/roles/web-app-gitlab/config/main.yml
@@ -1,20 +1,24 @@
 features:
-  matomo:             true
-  css:                true
-  desktop:            true
-  central_database:   true
-  logout:             true
+  matomo:           true
+  css:              true
+  desktop:          true
+  central_database: true
+  logout:           true
+  oidc:             true 
 docker:
  services:
    redis:
-      enabled: true
+      enabled:      true
    database: 
-      enabled: true
-    gitlab: 
-      image:    "gitlab/gitlab-ee"
-      version:  "latest"
-credentials:
-  initial_root_password: "{{ users.administrator.password }}"
+      enabled:      true
+    gitlab:
+      image:        "gitlab/gitlab-ee"
+      version:      "latest"
+      name:         "gitlab"
+  volumes:
+    data:           "gitlab_data"
+    logs:           "gitlab_logs"
+    config:         "gitlab_config"
 server:
  domains:
    canonical:
--- a/roles/web-app-gitlab/schema/main.yml
+++ b/roles/web-app-gitlab/schema/main.yml
@@ -1,5 +0,0 @@
-credentials:
-  initial_root_password:
-    description: "Initial password for the GitLab root user"
-    algorithm: "sha256"
-    validation: "^[a-f0-9]{64}$"
--- a/roles/web-app-gitlab/templates/docker-compose.yml.j2
+++ b/roles/web-app-gitlab/templates/docker-compose.yml.j2
@@ -1,8 +1,9 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}

  web:
-    image: "{{ gitlab_image }}:{{ gitlab_version }}"
-    hostname: '{{ domains | get_domain(application_id) }}'
+    image: "{{ GITLAB_IMAGE }}:{{ GITLAB_VERSION }}"
+    hostname: '{{ GITLAB_HOSTNAME }}'
+    container_name:  "{{ GITLAB_CONTAINER }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
    ports:
      - "127.0.0.1:{{ ports.localhost.http[application_id] }}:80"
@@ -17,7 +18,10 @@

 {% include 'roles/docker-compose/templates/volumes.yml.j2' %}
  config:
+    name: {{ GITLAB_CONF_VOLUME }}
  logs:
+    name: {{ GITLAB_LOGS_VOLUME }}
  data:
+    name: {{ GITLAB_DATA_VOLUME }}

 {% include 'roles/docker-compose/templates/networks.yml.j2' %}
--- a/roles/web-app-gitlab/templates/env.j2
+++ b/roles/web-app-gitlab/templates/env.j2
@@ -1,22 +1 @@
-{# env.j2 #}
-{% set config_lines = [
-  "external_url 'https://{{ domain }}'",
-  "postgresql['enable']=false",
-  "gitlab_rails['gitlab_shell_ssh_port']={{ ports.public.ssh[application_id] }}",
-  "gitlab_rails['db_adapter']='postgresql'",
-  "gitlab_rails['db_encoding']='utf8'",
-  "gitlab_rails['db_host']='{{ database_host }}'",
-  "gitlab_rails['db_port']='{{ database_port }}'",
-  "gitlab_rails['db_username']='{{ database_username }}'",
-  "gitlab_rails['db_password']='{{ database_password }}'",
-  "gitlab_rails['db_database']=\"{{ database_name }}\"",
-  "nginx['listen_port']=80",
-  "nginx['listen_https']=false",
-  "",
-  "gitlab_rails['initial_root_password']=\"{{ gitlab_initial_root_password }}\"",
-  "",
-  "redis['enable']=false",
-  "gitlab_rails['redis_host']='redis'",
-  "gitlab_rails['redis_port']='6379'"
-] %}
-GITLAB_OMNIBUS_CONFIG="{{ config_lines | join('\\n') }}"
+GITLAB_OMNIBUS_CONFIG="{{ GITLAB_OMNIBUS_ALL | join('\\n') }}"
--- a/roles/web-app-gitlab/vars/main.yml
+++ b/roles/web-app-gitlab/vars/main.yml
@@ -1,5 +1,69 @@
+# General
 application_id:               "web-app-gitlab"
 database_type:                "postgres"
-gitlab_initial_root_password: "{{ applications | get_app_conf(application_id, 'credentials.initial_root_password') }}"
-gitlab_version:               "{{ applications | get_app_conf(application_id, 'docker.services.gitlab.version', True) }}"
-gitlab_image:                 "{{ applications | get_app_conf(application_id, 'docker.services.gitlab.image', True) }}"
+
+# GitLab
+GITLAB_URL:                 "{{ domains | get_url(application_id, WEB_PROTOCOL) }}"
+GITLAB_HOSTNAME:            "{{ domains | get_domain(application_id) }}"
+
+## OIDC
+GITLAB_OIDC_ENABLED:        "{{ applications | get_app_conf(application_id, 'features.oidc') }}"
+GITLAB_OIDC_LABEL:          "{{ OIDC.BUTTON_TEXT }}"
+GITLAB_OIDC_UID_FIELD:      "{{ OIDC.ATTRIBUTES.USERNAME }}"
+GITLAB_OIDC_CLIENT_ID:      "{{ OIDC.CLIENT.ID }}"
+GITLAB_OIDC_CLIENT_SECRET:  "{{ OIDC.CLIENT.SECRET }}"
+GITLAB_OIDC_ISSUER:         "{{ OIDC.CLIENT.ISSUER_URL }}"
+GITLAB_OIDC_REDIRECT_URI:   "{{ GITLAB_URL }}/users/auth/openid_connect/callback"
+
+## Docker
+GITLAB_INIT_ROOT_PASSWORD:  "{{ users.administrator.password }}"
+GITLAB_VERSION:             "{{ applications | get_app_conf(application_id, 'docker.services.gitlab.version') }}"
+GITLAB_IMAGE:               "{{ applications | get_app_conf(application_id, 'docker.services.gitlab.image') }}"
+GITLAB_CONTAINER:           "{{ applications | get_app_conf(application_id, 'docker.services.gitlab.name') }}"
+GITLAB_CONF_VOLUME:         "{{ applications | get_app_conf(application_id, 'docker.volumes.config') }}"
+GITLAB_LOGS_VOLUME:         "{{ applications | get_app_conf(application_id, 'docker.volumes.logs') }}"
+GITLAB_DATA_VOLUME:         "{{ applications | get_app_conf(application_id, 'docker.volumes.data') }}"
+
+## Configuration
+GITLAB_OMNIBUS_BASE:
+  - "external_url '{{ GITLAB_URL }}'"
+  - "postgresql['enable']=false"
+  - "gitlab_rails['gitlab_shell_ssh_port']={{ ports.public.ssh[application_id] }}"
+  - "gitlab_rails['db_adapter']='postgresql'"
+  - "gitlab_rails['db_encoding']='utf8'"
+  - "gitlab_rails['db_host']='{{ database_host }}'"
+  - "gitlab_rails['db_port']='{{ database_port }}'"
+  - "gitlab_rails['db_username']='{{ database_username }}'"
+  - "gitlab_rails['db_password']='{{ database_password }}'"
+  - "gitlab_rails['db_database']='{{ database_name }}'"
+  - "nginx['listen_port']=80"
+  - "nginx['listen_https']=false"
+  - ""
+  - "gitlab_rails['initial_root_password']='{{ GITLAB_INIT_ROOT_PASSWORD }}'"
+  - ""
+  - "redis['enable']=false"
+  - "gitlab_rails['redis_host']='redis'"
+  - "gitlab_rails['redis_port']='6379'"
+
+GITLAB_OMNIBUS_OIDC:
+  - ""
+  - "gitlab_rails['omniauth_enabled']=true"
+  - "gitlab_rails['omniauth_allow_single_sign_on']=['openid_connect']"
+  - "gitlab_rails['omniauth_block_auto_created_users']=false"
+  - "gitlab_rails['omniauth_auto_link_user']=['openid_connect']"
+  - "gitlab_rails['omniauth_providers']=[{ name: 'openid_connect', label: '{{ GITLAB_OIDC_LABEL | replace(\"'\",\"\\\\'\") }}', args: {"
+  - "  name: 'openid_connect',"
+  - "  scope: ['openid','profile','email'],"
+  - "  response_type: 'code',"
+  - "  issuer: '{{ GITLAB_OIDC_ISSUER | replace(\"'\",\"\\\\'\") }}',"
+  - "  discovery: true,"
+  - "  uid_field: '{{ GITLAB_OIDC_UID_FIELD | replace(\"'\",\"\\\\'\") }}',"
+  - "  pkce: true,"
+  - "  client_options: {"
+  - "    identifier: '{{ GITLAB_OIDC_CLIENT_ID | replace(\"'\",\"\\\\'\") }}',"
+  - "    secret: '{{ GITLAB_OIDC_CLIENT_SECRET | replace(\"'\",\"\\\\'\") }}',"
+  - "    redirect_uri: '{{ GITLAB_OIDC_REDIRECT_URI | replace(\"'\",\"\\\\'\") }}'"
+  - "  }"
+  - "} }]"
+
+GITLAB_OMNIBUS_ALL: "{{ GITLAB_OMNIBUS_BASE + (GITLAB_OMNIBUS_OIDC if GITLAB_OIDC_ENABLED else []) }}"