chore(gitlab): update notes after maintenance

.vscode/settings.json

@@ -214,6 +214,7 @@
         "psql",
         "pstate",
         "pulumi",
+        "pulumiverse",
         "pvresize",
         "radeon",
         "replicatedctl",

knowledge base/gitlab.md

@@ -1,6 +1,7 @@
 # Gitlab
 
-1. [Omnibus](#omnibus)
+1. [TL;DR](#tldr)
+1. [Package](#package)
 1. [Kubernetes](#kubernetes)
    1. [Helm chart](#helm-chart)
    1. [Operator](#operator)
@@ -20,23 +21,51 @@
 1. [Further readings](#further-readings)
    1. [Sources](#sources)
 
-## Omnibus
+## TL;DR
+
+```sh
+# List the current application settings of the GitLab instance.
+curl --header 'PRIVATE-TOKEN: glpat-m-…' 'https://gitlab.fqdn/api/v4/application/settings'
+curl --header 'Authorization: bearer glpat-m-…' 'https://gitlab.fqdn/api/v4/application/settings'
+```
+
+## Package
+
+Previously known as 'Omnibus'.
 
 <details>
   <summary>Installation</summary>
 
 Refer [Install self-managed GitLab].
 
+```sh
+sudo dnf install 'gitlab-ee'
+sudo EXTERNAL_URL='http://gitlab.example.com' GITLAB_ROOT_PASSWORD='smthng_Strong_0r_it_llfail' apt install 'gitlab-ee'
+```
+
 </details>
 <details>
   <summary>Configuration</summary>
 
-[Template][omnibus configuration template]
+[Template][package configuration file template]
 
 The application of configuration changes is handled by [Chef Infra].<br/>
 It runs checks, ensures directories, permissions, and services are in place and working, and restarts components if any
 of their configuration files have changed.
 
+```sh
+# Change application settings.
+# Useful to reach those ones not available in the configuration file.
+sudo gitlab-rails runner '
+  ::Gitlab::CurrentSettings.update!(gravatar_enabled: false);
+  ::Gitlab::CurrentSettings.update!(remember_me_enabled: false);
+  ::Gitlab::CurrentSettings.update!(email_confirmation_setting: "hard");
+'
+
+# Disable public registration.
+sudo gitlab-rails runner '::Gitlab::CurrentSettings.update!(signup_enabled: false)'
+```
+
 ```sh
 # Validate.
 # Just makes sure the file is readable from a ruby app.
@@ -78,9 +107,10 @@ gitlab_rails['backup_multipart_chunk_size'] = 104857600
 gitlab_rails['backup_keep_time'] = 604800
 ```
 
-Omnibus' installation procedure generates keys and a certificate for the external URL even when LetsEncrypt's support is
+The package's included nginx generates keys and a **self-signed** certificate for the external URL upon start if the
-explicitly disabled.<br/>
+given URL's schema is HTTPS.<br/>
-These keys are in the OpenSSH format and are password protected.
+The Let's Encrypt account key is in OpenSSL format, while the certificate's key is in OpenSSH format. Both are **not**
+password protected.
 
 </details>
 
@@ -91,6 +121,14 @@ These keys are in the OpenSSH format and are password protected.
 # Check the components' state.
 sudo gitlab-ctl status
 
+# Get the services' logs.
+sudo gitlab-ctl tail
+sudo gitlab-ctl tail 'nginx'
+
+# Restart services.
+sudo gitlab-ctl restart
+sudo gitlab-ctl restart 'nginx'
+
 # Create backups.
 sudo gitlab-backup create BACKUP='prefix_override' STRATEGY='copy'
 
@@ -99,9 +137,51 @@ sudo gitlab-backup create BACKUP='prefix_override' STRATEGY='copy'
 sudo gitlab-backup create … \
   SKIP='db,repositories,uploads,builds,artifacts,pages,lfs,terraform_state,registry,packages,ci_secure_files'
 
-# Package upgrade.
+# Restore backups.
+sudo gitlab-ctl stop 'puma' \
+&& sudo gitlab-ctl stop 'sidekiq'
+
+# Upgrade the package.
 sudo yum check-update
-tmux new-session -A -s 'gitlab-upgrade' "sudo yum update 'gitlab-ee'"
+tmux new-session -As 'gitlab-upgrade' "sudo yum update 'gitlab-ee'"
+
+# Reset the root user's password.
+sudo gitlab-rake 'gitlab:password:reset[root]'
+sudo gitlab-rails console  \
+  # --> user = User.find_by_username 'root'
+  # --> user.password = 'QwerTy184'
+  # --> user.password_confirmation = 'QwerTy184'
+  # --> user.password_automatically_set = false
+  # --> user.save!
+  # --> quit
+sudo gitlab-rails runner '
+  user = User.find_by_username "anUsernameHere";
+  new_password = "QwerTy184";
+  user.password = new_password;
+  user.password_confirmation = new_password;
+  user.password_automatically_set = false;
+  user.save!
+'
+
+# Disable users' two factor authentication.
+sudo gitlab-rails runner 'User.where(username: "anUsernameHere").each(&:disable_two_factor!)'
+```
+
+</details>
+
+<details>
+  <summary>Removal</summary>
+
+```sh
+# Remove all users and groups created by the package.
+sudo gitlab-ctl stop && sudo gitlab-ctl remove-accounts
+
+# Remove all data.
+sudo gitlab-ctl cleanse && sudo rm -r '/opt/gitlab'
+
+# Uninstall the package.
+sudo apt remove 'gitlab-ee'
+sudo dnf remove 'gitlab-ee'
 ```
 
 </details>
@@ -576,7 +656,13 @@ Solution: give that user _developer_ access or have somebody else with enough pr
 - [Use kaniko to build Docker images]
 - [Specify when jobs run with `rules`][specify when jobs run with rules]
 - [Install self-managed GitLab]
-- [Omnibus configuration template]
+- [Package configuration file template]
+- [Install GitLab with the Linux package]
+- [Reset a user's password]
+- [Environment variables]
+- [Sign-up restrictions]
+- [Restore GitLab]
+- [How to disable the Two-factor authentication in GitLab?]
 
 <!--
   References
@@ -605,16 +691,21 @@ Solution: give that user _developer_ access or have somebody else with enough pr
 [deployment]: https://docs.gitlab.com/charts/installation/deployment.html
 [docker machine's aws driver's options]: https://gitlab.com/gitlab-org/ci-cd/docker-machine/-/blob/main/docs/drivers/aws.md#options
 [docker machine's supported cloud providers]: https://docs.gitlab.com/runner/configuration/autoscale.html#supported-cloud-providers
+[environment variables]: https://docs.gitlab.com/ee/administration/environment_variables.html
 [global settings]: https://docs.gitlab.com/charts/charts/globals.html
 [how to restart gitlab]: https://docs.gitlab.com/ee/administration/restart_gitlab.html
+[install gitlab with the linux package]: https://gitlab.com/gitlab-org/omnibus-gitlab/-/blob/master/doc/installation/index.md
 [install self-managed gitlab]: https://about.gitlab.com/install
 [merge request approval rules]: https://docs.gitlab.com/ee/user/project/merge_requests/approvals/rules.html
 [minimal minikube example values file]: https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/examples/values-minikube-minimum.yaml
-[omnibus configuration template]: https://gitlab.com/gitlab-org/omnibus-gitlab/-/raw/master/files/gitlab-config-template/gitlab.rb.template
 [operator code]: https://gitlab.com/gitlab-org/cloud-native/gitlab-operator
 [operator guide]: https://docs.gitlab.com/operator/
+[package configuration file template]: https://gitlab.com/gitlab-org/omnibus-gitlab/-/raw/master/files/gitlab-config-template/gitlab.rb.template
 [predefined ci/cd variables reference]: https://docs.gitlab.com/ee/ci/variables/predefined_variables.html
+[reset a user's password]: https://docs.gitlab.com/ee/security/reset_user_password.html
+[restore gitlab]: https://docs.gitlab.com/ee/administration/backup_restore/restore_gitlab.html
 [runners on kubernetes]: https://docs.gitlab.com/runner/install/kubernetes.html
+[sign-up restrictions]: https://docs.gitlab.com/ee/administration/settings/sign_up_restrictions.html
 [specify when jobs run with rules]: https://docs.gitlab.com/ee/ci/jobs/job_rules.html
 [support object storage bucket prefixes]: https://gitlab.com/gitlab-org/charts/gitlab/-/issues/3376
 [tls]: https://docs.gitlab.com/charts/installation/tls.html
@@ -628,4 +719,5 @@ Solution: give that user _developer_ access or have somebody else with enough pr
 [aws driver does not support multiple non default subnets]: https://github.com/docker/machine/issues/4700
 [chef infra]: https://www.chef.io/products/chef-infra
 [configuring private dns zones and upstream nameservers in kubernetes]: https://kubernetes.io/blog/2017/04/configuring-private-dns-zones-upstream-nameservers-kubernetes/
+[how to disable the two-factor authentication in gitlab?]: https://stackoverflow.com/questions/31024771/how-to-disable-the-two-factor-authentication-in-gitlab
 [using gitlab token to clone without authentication]: https://stackoverflow.com/questions/25409700/using-gitlab-token-to-clone-without-authentication#29570677

knowledge base/pulumi.md

@@ -20,6 +20,7 @@
    1. [Stack init fails because the stack supposedly already exists](#stack-init-fails-because-the-stack-supposedly-already-exists)
    1. [Stack init fails due to missing scheme](#stack-init-fails-due-to-missing-scheme)
    1. [Stack init fails due to invalid key identifier](#stack-init-fails-due-to-invalid-key-identifier)
+   1. [Change your program back to the original providers](#change-your-program-back-to-the-original-providers)
 1. [Further readings](#further-readings)
    1. [Sources](#sources)
 
@@ -850,6 +851,26 @@ Root cause: the secrets provider is set to use a KMS key, but one did not provid
 
 Solution: Read [secrets] and fix the configuration by providing a correct key identifier.
 
+### Change your program back to the original providers
+
+Context: Typescript project, `preview` or `update` action.
+
+Error message example:
+
+> error: provider
+> urn:pulumi:dev::projectName::pulumi:providers:aws::default_6_29_0::159e5843-63ae-4789-b332-4658578ba34c for resource
+> urn:pulumi:dev::projectName::aws:ec2/instance:Instance::instanceName has not been registered yet, this is due to a
+> change of providers mixed with --target. Change your program back to the original providers
+
+Root cause: one is using a different provider version than the one the resource has been created with.
+
+Solution:
+
+1. Get the provider version the resource wants from the run output.
+1. Fix the provider's version to the one wanted by the resource.
+1. Run `pulumi install` to gather the required version.
+1. Try the action again now.
+
 ## Further readings
 
 - [Website]

snippets/aws.fish

@@ -27,6 +27,7 @@ alias aws-ssm-gitlabAutoscalingManager-ita-b "aws ec2 describe-instances --outpu
 | xargs -ot aws ssm start-session --target"
 
 aws s3 rm 's3://bucket-name/prefix' --recursive --dry-run
+aws s3 cp 's3://my-first-bucket/test.txt' 's3://my-other-bucket/'
 
 aws ecs list-tasks --cluster 'testCluster' --family 'testService' --output 'text' --query 'taskArns' \
 | xargs -p aws ecs wait tasks-running --cluster 'testCluster' --tasks

snippets/gitlab.omnibus.install.sh

@@ -1,41 +0,0 @@
-#!sh
-
-# Instance OS: AmazonLinux 2023
-# Instance size: t4g.xlarge
-# Source: https://about.gitlab.com/install/#amazonlinux-2023
-
-sudo systemctl is-active sshd.service
-sudo systemctl is-enabled sshd.service
-sudo systemctl enable --now 'sshd.service'
-
-# Firewalld was not available on the instance
-# ---
-# sudo systemctl enable --now 'firewalld.service'
-# sudo firewall-cmd --permanent --add-service=http
-# sudo firewall-cmd --permanent --add-service=https
-# sudo systemctl reload firewalld.service
-
-# Can be avoided if emails are not used.
-sudo dnf -y install 'postfix'
-sudo systemctl enable --now 'postfix.service'
-
-# Should have been `curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.rpm.sh | bash`, but
-# blindly installing stuff from the Internet just sucks.
-# Soooo, following their script…
-source '/etc/os-release'
-os="${ID}"
-dist="${VERSION_ID}"
-base_url='https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/config_file.repo'
-curl -sSf "${base_url}?os=${os}&dist=${dist}&source=script" | sudo tee '/etc/yum.repos.d/gitlab_gitlab-ee.repo'
-dnf -q makecache -y --disablerepo='*' --enablerepo='gitlab_gitlab-ee'
-dnf -q makecache -y --disablerepo='*' --enablerepo='gitlab_gitlab-ee-source'
-
-# For 'https://…' URLs, the package will automatically request a certificate with Let's Encrypt during installation.
-# This requires inbound HTTP access and a valid hostname. You can also use your own certificate.
-# To avoid this, just use 'http://…' without the final 's'.
-sudo EXTERNAL_URL="http://ip-172-31-73-256.eu-south-2.compute.internal" dnf install -y 'gitlab-ee'
-
-# File automatically removed after 24h.
-sudo cat '/etc/gitlab/initial_root_password'
-
-xdg-open 'http://ip-172-31-73-256.eu-south-2.compute.internal'

snippets/gitlab.omnibus.reconfigure.sh

@@ -1,12 +0,0 @@
-#!sh
-
-# Updated config template available at
-# https://gitlab.com/gitlab-org/omnibus-gitlab/blame/master/files/gitlab-config-template/gitlab.rb.template
-
-# Local template (corresponding to the installed version) available at '/opt/gitlab/etc/gitlab.rb.template'
-
-sudo dnf -y install 'ruby' 'vim'
-sudo vim '/etc/gitlab/gitlab.rb'
-sudo ruby -c '/etc/gitlab/gitlab.rb'
-sudo gitlab-ctl show-config
-sudo gitlab-ctl reconfigure

snippets/gitlab.omnibus.sh

@@ -0,0 +1,144 @@
+#!/usr/bin/env sh
+
+##
+# Installation - start
+# --------------------------------------
+# Instance OS: AmazonLinux 2023
+# Instance size: t4g.xlarge
+# Source: https://about.gitlab.com/install/#amazonlinux-2023
+##
+
+sudo systemctl is-active sshd.service
+sudo systemctl is-enabled sshd.service
+sudo systemctl enable --now 'sshd.service'
+
+# Firewalld was not available on the instance
+# ---
+# sudo systemctl enable --now 'firewalld.service'
+# sudo firewall-cmd --permanent --add-service=http
+# sudo firewall-cmd --permanent --add-service=https
+# sudo systemctl reload firewalld.service
+
+# Can be avoided if emails are not used.
+sudo dnf -y install 'postfix'
+sudo systemctl enable --now 'postfix.service'
+
+# Should have been `curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.rpm.sh | bash`, but
+# blindly installing stuff from the Internet just sucks.
+# Soooo, following their script…
+source '/etc/os-release'
+os="${ID}"
+dist="${VERSION_ID}"
+base_url='https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/config_file.repo'
+curl -sSf "${base_url}?os=${os}&dist=${dist}&source=script" | sudo tee '/etc/yum.repos.d/gitlab_gitlab-ee.repo'
+dnf -q makecache -y --disablerepo='*' --enablerepo='gitlab_gitlab-ee'
+dnf -q makecache -y --disablerepo='*' --enablerepo='gitlab_gitlab-ee-source'
+
+# For 'https://…' URLs, the package will automatically request a certificate with Let's Encrypt during installation.
+# This requires inbound HTTP access and a valid hostname. You can also use your own certificate.
+# To avoid this, just use 'http://…' without the final 's'.
+sudo EXTERNAL_URL="http://ip-172-31-73-256.eu-south-2.compute.internal" dnf install -y 'gitlab-ee'
+
+# File automatically removed after 24h.
+sudo cat '/etc/gitlab/initial_root_password'
+
+# Open the page.
+open 'http://ip-172-31-73-256.eu-south-2.compute.internal'
+xdg-open 'http://ip-172-31-73-256.eu-south-2.compute.internal'
+
+## Installation - end ---------------- #
+
+##
+# Configuration - start
+# --------------------------------------
+##
+
+# Updated config template available at
+# https://gitlab.com/gitlab-org/omnibus-gitlab/blame/master/files/gitlab-config-template/gitlab.rb.template
+
+# Local template (corresponding to the installed version) available at '/opt/gitlab/etc/gitlab.rb.template'
+
+sudo dnf -y install 'ruby' 'vim'
+sudo vim '/etc/gitlab/gitlab.rb'
+sudo ruby -c '/etc/gitlab/gitlab.rb'
+sudo gitlab-ctl show-config
+sudo gitlab-ctl reconfigure
+
+gitlab-rails runner '
+	::Gitlab::CurrentSettings.update!(signup_enabled: false);
+	::Gitlab::CurrentSettings.update!(require_admin_approval_after_user_signup: false);
+
+	::Gitlab::CurrentSettings.update!(email_confirmation_setting: "hard");
+
+	::Gitlab::CurrentSettings.update!(password_number_required: true);
+	::Gitlab::CurrentSettings.update!(password_lowercase_required: true);
+	::Gitlab::CurrentSettings.update!(password_uppercase_required: true);
+'
+
+# Configuration - end ---------------- #
+
+##
+# Maintenance - start
+# --------------------------------------
+##
+
+# Package upgrade
+sudo yum check-update
+sudo yum info 'gitlab-ee'
+sudo rpm -qa | grep 'gitlab-ee'
+tmux new-session -A -s 'gitlab-upgrade' "sudo yum update 'gitlab-ee'"
+
+# Password reset
+sudo gitlab-rake 'gitlab:password:reset[root]'
+sudo gitlab-rails console \
+	# --> user = User.find_by_username 'root'
+	# --> user.password = 'QwerTy184'
+	# --> user.password_confirmation = 'QwerTy184'
+	# --> user.password_automatically_set = false
+	# --> user.save!
+	# --> quit
+sudo gitlab-rails runner '
+	user = User.find_by_username "anUsernameHere";
+	new_password = "QwerTy184";
+	user.password = new_password;
+	user.password_confirmation = new_password;
+	user.password_automatically_set = false;
+	user.save!
+'
+
+# Disable users' two factor authentication.
+sudo gitlab-rails runner 'User.where(username: "anUsernameHere").each(&:disable_two_factor!)'
+sudo gitlab-rails runner 'User.update_all(otp_required_for_login: false, encrypted_otp_secret: nil)'
+
+## Maintenance - end ----------------- #
+
+##
+# Restore backups - start
+# --------------------------------------
+# Version *and* edition of the installed version must be the exact same of the
+# ones from the backup.
+##
+
+sudo aws s3 cp 's3://backups/gitlab/gitlab-secrets.json' '/etc/gitlab/gitlab-secrets.json'
+sudo aws s3 cp 's3://backups/gitlab/gitlab.rb' '/etc/gitlab/gitlab.rb'
+sudo aws s3 cp \
+	's3://backups/gitlab/11493107454_2018_04_25_10.6.4-ce_gitlab_backup.tar' \
+	'/var/opt/gitlab/backups/'
+sudo gitlab-ctl stop 'puma'
+sudo gitlab-ctl stop 'sidekiq'
+sudo gitlab-backup restore BACKUP='11493107454_2018_04_25_10.6.4-ce'
+sudo gitlab-ctl start
+
+## Restore backups - end ------------- #
+
+##
+# Removal - start
+##
+
+sudo gitlab-ctl stop
+sudo gitlab-ctl remove-accounts
+sudo gitlab-ctl cleanse
+sudo rm -rf '/etc/gitlab' '/opt/gitlab'
+sudo dnf -y remove --noautoremove 'gitlab-ee'
+
+## Removal - end --------------------- #

snippets/gitlab.omnibus.upgrade.sh

@@ -1,6 +0,0 @@
-#!sh
-
-sudo yum check-update
-sudo yum info 'gitlab-ee'
-sudo rpm -qa | grep 'gitlab-ee'
-tmux new-session -A -s 'gitlab-upgrade' "sudo yum update 'gitlab-ee'"