simp_gitlab
: SIMP Profile for managing GitLab
simp_gitlab::config
: Manage additional GitLab-related configuration
simp_gitlab::config::firewall
: Manage firewall for external GitLab access
simp_gitlab::config::pki
: Manage PKI configuration
simp_gitlab::install
: Install, initially configure and bring up a GitLab instance
simp_gitlab::omnibus_config::gitlab
: Compile a hash of settings for the gitlab class parameters, using SIMP settings
simp_gitlab::omnibus_config::gitlab_rails
: Compile a hash of settings for the gitlab::gitlab_rails parameter, using SIMP settings
simp_gitlab::omnibus_config::gitlab_shell
: Compile a hash of settings for the gitlab::shell parameter, using SIMP settings
simp_gitlab::omnibus_config::mattermost
: Compile a hash of settings for the gitlab::mattermost parameter, using SIMP settings
simp_gitlab::omnibus_config::nginx
: Compile a hash of settings for the gitlab::nginx parameter, using SIMP settings
Simp_Gitlab::Stroolean
: Valid PKI management options
Welcome to SIMP!
This module is a component of the System Integrity Management Platform, a managed security compliance framework built on Puppet.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used independently, all SIMP-managed security subsystems are disabled by default, and must be explicitly opted into by administrators. Please review the parameters (e.g., $trusted_nets, $pki) for details.
The following parameters are available in the simp_gitlab class:
trusted_nets
denied_nets
external_url
tcp_listen_port
firewall
pki
app_pki_external_source
app_pki_dir
app_pki_key
app_pki_cert
app_pki_ca
edition
two_way_ssl_validation
ldap_verify_certificates
ssl_verify_depth
ssl_protocols
gitlab_options
cipher_suite
ldap
ldap_uri
ldap_active_directory
ldap_base_dn
ldap_bind_dn
ldap_bind_pw
ldap_user_filter
ldap_group_base
manage_package
package_ensure
set_gitlab_root_password
gitlab_root_password
rails_console_load_timeout
allow_fips
trusted_nets
Data type: Simplib::Netlist
A list of subnets (in CIDR notation) that should be permitted access.
Default value: simplib::lookup('simp_options::trusted_nets', {'default_value' => ['127.0.0.1/32'] })
denied_nets
Data type: Simplib::Netlist
A list of subnets (in CIDR notation) that should be explicitly denied access.
Default value: []
external_url
Data type: Simplib::Uri
External URL of GitLab. By default this is 'https://<fqdn>' when $pki is 'simp' or true, and 'http://<fqdn>' when $pki is false.
Default value: $pki ? { true => "https://${facts['networking']['fqdn']}", 'simp' => "https://${facts['networking']['fqdn']}", default => "http://${facts['networking']['fqdn']}" }
tcp_listen_port
Data type: Simplib::Port
The port upon which to listen for regular TCP connections. By default this is 443 when HTTPS is enabled ($pki is 'simp' or true) and 80 when HTTPS is disabled ($pki is false).
Default value: $pki ? { true => 443, 'simp' => 443, default => 80 }
firewall
Data type: Boolean
If true, manage firewall rules to accommodate simp_gitlab.
Default value: simplib::lookup('simp_options::firewall', {'default_value' => false})
pki
Data type: Simp_gitlab::Stroolean
- If 'simp', include simp/pki and use pki::copy to manage application certs in /etc/pki/simp_apps/gitlab/x509.
- If true, do not include simp/pki, but still use pki::copy to manage certs in /etc/pki/simp_apps/gitlab/x509.
- If false, do not include simp/pki and do not use pki::copy to manage certs. You will need to appropriately assign a subset of: $app_pki_dir, $app_pki_key, $app_pki_cert, $app_pki_ca.
Default value: simplib::lookup('simp_options::pki', { 'default_value' => false })
app_pki_external_source
Data type: String
- If $pki is 'simp' or true, this is the directory from which certs will be copied, via pki::copy.
- If $pki is false, this variable has no effect.
Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' })
app_pki_dir
Data type: Stdlib::Absolutepath
This variable controls the basepath of $app_pki_key, $app_pki_cert, $app_pki_ca, $app_pki_ca_dir, and $app_pki_crl.
Default value: '/etc/pki/simp_apps/gitlab/x509'
app_pki_key
Data type: Stdlib::Absolutepath
Full path of the private SSL key file.
Default value: "${app_pki_dir}/private/${facts['networking']['fqdn']}.pem"
app_pki_cert
Data type: Stdlib::Absolutepath
Full path of the public SSL certificate.
Default value: "${app_pki_dir}/public/${facts['networking']['fqdn']}.pub"
app_pki_ca
Data type: Stdlib::Absolutepath
Full path of the SSL CA certificate.
Default value: "${app_pki_dir}/cacerts/cacerts.pem"
edition
Data type: Enum['ce','ee']
The GitLab Omnibus edition to install.
Default value: 'ce'
two_way_ssl_validation
Data type: Boolean
When true, the server and its clients will require mutual TLS authentication (clients must present a certificate).
Default value: false
ldap_verify_certificates
Data type: Boolean
When true, SSL LDAP connections must use certificates signed by a known CA.
Default value: true
ssl_verify_depth
Data type: Integer[1]
Sets the verification depth in the client certificates chain.
Default value: 2
ssl_protocols
Data type: Array[String[1]]
Array of Nginx-compatible SSL/TLS protocols for the web server to accept.
Default value: ['TLSv1.2']
gitlab_options
Data type: Hash
Hash of manually-customized parameters for puppet/gitlab.
These parameters will be deep-merged with the settings generated by this profile. During the deep merge, the settings in $gitlab_options take precedence.
Default value: {}
cipher_suite
Data type: Array[String[1]]
The cipher suite to use with SSL.
Default value: simplib::lookup( 'simp_options::openssl::cipher_suite', { 'default_value' => ['DEFAULT', '!MEDIUM'] })
ldap
Data type: Boolean
If true, enable LDAP support for GitLab Omnibus.
Default value: simplib::lookup('simp_options::ldap', {'default_value' => false})
ldap_uri
Data type: Array[Simplib::URI]
List of OpenLDAP server URIs. Note that multiple URIs are an EE feature.
@example ['ldap://server1', 'ldaps://server2']
Default value: simplib::lookup('simp_options::ldap::uri', {'default_value' => []})
ldap_active_directory
Data type: Boolean
Whether the LDAP server is an Active Directory server. When false, the AD-specific queries are skipped; set this to false for any non-AD directory.
Default value: false
ldap_base_dn
Data type: String[3]
Base DN under which to search for users.
@example ou=People,dc=gitlab,dc=example
Default value: simplib::lookup('simp_options::ldap::base_dn', {'default_value' => simplib::ldap::domain_to_dn()})
ldap_bind_dn
Data type: String[3]
The DN to use when binding to the LDAP server.
Default value: simplib::lookup('simp_options::ldap::bind_dn', {'default_value' => "cn=hostAuth,ou=Hosts,${ldap_base_dn}"})
ldap_bind_pw
Data type: String[1]
The password of the bind user. The default is a DN-shaped placeholder string, not a usable secret; when $ldap is true, set this explicitly (via eyaml in Hiera) rather than relying on the default.
Default value: simplib::lookup('simp_options::ldap::bind_pw', {'default_value' => "cn=LDAPAdmin,ou=People,${ldap_base_dn}"})
ldap_user_filter
Data type: Optional[String[1]]
Optional LDAP search filter restricting which directory users may authenticate to GitLab.
Format: RFC 4515 http://tools.ietf.org/search/rfc4515
@example (employeeType=developer)
Default value: undef
ldap_group_base
Data type: Optional[String[3]]
Base DN under which GitLab searches for LDAP groups. EE only.
Default value: undef
manage_package
Data type: Boolean
Whether to manage the gitlab-[ce,ee] package.
Default value: true
package_ensure
Data type: String
The ensure status of the gitlab-[ce,ee] package, when $manage_package is true.
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
set_gitlab_root_password
Data type: Boolean
Whether to set the GitLab root password.
- This is HIGHLY recommended, as the root password is otherwise not secured during install: anyone who reaches the GitLab URL first can set the root password and take over the instance.
Default value: true
gitlab_root_password
Data type: String[16]
GitLab root password to set (minimum 16 characters).
- When set via Hiera, be sure to use eyaml to secure the password.
Default value: simplib::passgen( "simp_gitlab_${trusted['certname']}" )
rails_console_load_timeout
Data type: Integer[60]
Number of seconds to wait for the gitlab-rails console to load when setting the GitLab root password.
Default value: 300
allow_fips
Data type: Boolean
Whether to allow the module to install and manage GitLab when the server has FIPS mode enabled.
- Only set this to true if the version of GitLab you are running supports FIPS mode.
Default value: true
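The interaction of the parameters above ($pki driving the URL scheme and port, $trusted_nets/$firewall gating access, the LDAP and TLS settings, and the deep-merge precedence of $gitlab_options) is easiest to see in a single declaration. The manifest below is an added example written for this page, not code from the simp_gitlab module or the SIMP project. The hostnames, subnets, DNs, cipher list, and the Hiera keys profile::gitlab::ldap_bind_pw and profile::gitlab::root_password are assumptions; gitlab_signup_enabled is a gitlab.rb key that puppet/gitlab passes through unchanged.

```puppet
# Added example (not part of simp_gitlab): an opted-in, hardened declaration.
# All hostnames, subnets, DNs and Hiera keys below are assumed values.
class { 'simp_gitlab':
  # Replace the loopback-only default with the corporate ranges and carve a
  # guest VLAN back out. firewall => true makes the profile manage the rules.
  trusted_nets             => ['10.0.0.0/8', '192.168.100.0/24'],
  denied_nets              => ['10.200.0.0/16'],
  firewall                 => true,

  # 'simp' includes simp/pki and copies certs from $app_pki_external_source
  # (default /etc/pki/simp/x509) into /etc/pki/simp_apps/gitlab/x509.
  # external_url and tcp_listen_port then default to https:// and 443,
  # so neither is set here.
  pki                      => 'simp',

  # TLS hardening: explicit protocol list and an explicit cipher list instead
  # of the ['DEFAULT', '!MEDIUM'] default. TLSv1.3 assumes the bundled nginx
  # supports it. Mutual TLS stays off because browser users have no client cert.
  ssl_protocols            => ['TLSv1.2', 'TLSv1.3'],
  cipher_suite             => [
    'ECDHE-ECDSA-AES256-GCM-SHA384',
    'ECDHE-RSA-AES256-GCM-SHA384',
    'ECDHE-ECDSA-CHACHA20-POLY1305',
    'ECDHE-RSA-CHACHA20-POLY1305'
  ],
  two_way_ssl_validation   => false,
  ssl_verify_depth         => 2,

  # LDAP over TLS with certificate verification left on. The bind password is
  # looked up from Hiera so it can live in an eyaml-encrypted file; the
  # module's default for ldap_bind_pw is only a placeholder string.
  ldap                     => true,
  ldap_uri                 => ['ldaps://ldap.example.com'],
  ldap_active_directory    => false,
  ldap_base_dn             => 'ou=People,dc=example,dc=com',
  ldap_bind_dn             => 'cn=gitlab-bind,ou=Services,dc=example,dc=com',
  ldap_bind_pw             => lookup('profile::gitlab::ldap_bind_pw'),
  ldap_verify_certificates => true,
  ldap_user_filter         => '(memberOf=cn=gitlab-users,ou=Groups,dc=example,dc=com)',

  # Set the root password at install time so the first visitor to the URL
  # cannot claim the account. String[16] enforces a 16-character minimum;
  # the value comes from eyaml, never from a plain-text Hiera file.
  set_gitlab_root_password => true,
  gitlab_root_password     => lookup('profile::gitlab::root_password'),

  # Deep-merged over the profile's generated settings and wins on conflict,
  # so keep it to settings the profile does not already derive (for example
  # the TLS and LDAP settings above), or it will silently override them.
  gitlab_options           => {
    'gitlab_rails' => {
      'gitlab_signup_enabled' => false,
    },
  },
}
```

Because $gitlab_options takes precedence in the deep merge, a key such as 'nginx' => { 'ssl_protocols' => 'TLSv1' } placed there would undo the $ssl_protocols setting without any warning; review that hash whenever the TLS or LDAP parameters are changed. Both lookup() keys should resolve to eyaml-encrypted values, and with pki => 'simp' the node must already have its key, certificate and CA bundle under the $app_pki_external_source directory for pki::copy to succeed.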
simp_gitlab::omnibus_config::gitlab
Type: Puppet Language
Compile a hash of settings for the gitlab class parameters, using SIMP settings.
Returns: Any
Hash of puppet/gitlab parameters
simp_gitlab::omnibus_config::gitlab_rails
Type: Puppet Language
Compile a hash of settings for the gitlab::gitlab_rails parameter, using SIMP settings.
Returns: Any
Hash of settings for the 'gitlab::gitlab_rails' parameter
simp_gitlab::omnibus_config::gitlab_shell
Type: Puppet Language
Compile a hash of settings for the gitlab::shell parameter, using SIMP settings.
Returns: Any
Hash of settings for the 'gitlab::shell' parameter
simp_gitlab::omnibus_config::mattermost
Type: Puppet Language
Compile a hash of settings for the gitlab::mattermost parameter, using SIMP settings.
Returns: Any
Hash of settings for the 'gitlab::mattermost' parameter
simp_gitlab::omnibus_config::nginx
Type: Puppet Language
Compile a hash of settings for the gitlab::nginx parameter, using SIMP settings.
Returns: Any
Hash of settings for the 'gitlab::nginx' parameter
Simp_gitlab::Stroolean
Valid PKI management options
Alias of Variant[Enum['simp'], Boolean]