refactor(examples/gitlab): move role to ansible's folder

examples/ansible/role.gitlab-omnibus-on-ec2/defaults/main.yml

@@ -0,0 +1,14 @@
+---
+
+install_method: package
+external_url: https://{{ ansible_fqdn }}
+gitlab_version: null
+
+# Random but idempotent, so it will not change every time the role is applied.
+# It is only used for installation anyways.
+initial_password: "{{ lookup('ansible.builtin.password', '/dev/null', seed=inventory_hostname) }}"
+
+certificate_privatekey_type: RSA
+certificate_privatekey_rsa_size: 2048
+certificate_must_be_wildcard: false
+certificate_dir: /etc/gitlab/ssl

examples/ansible/role.gitlab-omnibus-on-ec2/handlers/certify/package.yml

@@ -0,0 +1,65 @@
+---
+
+- name: Create the DNS TXT record for challenge validation
+  when: external_url_hostname in dns_challenge.challenge_data
+  tags:
+    - aws
+    - route53
+  become: true
+  amazon.aws.route53:
+    zone: apolloagriculture.com  # FIXME
+    record: "{{ dns_challenge.challenge_data[external_url_hostname]['dns-01'].record }}"
+    type: TXT
+    ttl: 60
+    state: present
+    overwrite: true
+    wait: true
+    value:
+      # Value should be enclosed in quotation marks
+      >-
+      {{
+        dns_challenge.challenge_data[external_url_hostname]['dns-01'].resource_value
+        | regex_replace('^(.*)$', '"\1"')
+      }}
+  notify:
+    - Validate the challenge and issue the certificate
+    - Remove the TXT record for challenge validation from the DNS
+    - "Restart Gitlab's nginx"
+
+- name: Validate the challenge and issue the certificate
+  become: true
+  community.crypto.acme_certificate:
+    challenge: dns-01
+    acme_version: 2
+    acme_directory: https://acme-v02.api.letsencrypt.org/directory
+    account_key_src: "{{ letsencrypt_privatekey_path }}"
+    account_email: "{{ acme_account_email }}"
+    csr: "{{ certificate_csr_path }}"
+    cert: "{{ certificate_path }}"
+    remaining_days: 29
+    terms_agreed: true
+    data: "{{ dns_challenge }}"
+    force: true  # required to overwrite existing certificates
+  register: certificate_validation
+
+- name: Remove the TXT record for challenge validation from the DNS
+  vars:
+    validation_record: "{{ ['_acme-challenge', external_url_hostname] | join('.') }}"
+  when:
+    - certificate_validation is not failed
+    - query('community.dns.lookup', validation_record, type='TXT') != []
+  tags:
+    - aws
+    - route53
+  become: true
+  amazon.aws.route53:
+    zone: apolloagriculture.com  # FIXME
+    record: "{{ validation_record }}"
+    type: TXT
+    state: absent
+    wait: true
+
+- name: "Restart Gitlab's nginx"
+  when: certificate_validation is not failed
+  become: true
+  ansible.builtin.command: gitlab-ctl restart 'nginx'

examples/ansible/role.gitlab-omnibus-on-ec2/handlers/configure/package.yml

@@ -2,8 +2,7 @@
 
 - name: "Validate Gitlab's configuration file"
   become: true
-  ansible.builtin.command: >-
-    gitlab-ctl show-config
+  ansible.builtin.command: gitlab-ctl show-config
   register: config_file_validation
   changed_when: false
   failed_when: config_file_validation.rc != 0
@@ -11,8 +10,7 @@
 - name: Reconfigure Gitlab
   when: config_file_validation is not failed
   become: true
-  ansible.builtin.command: >-
-    gitlab-ctl reconfigure
+  ansible.builtin.command: gitlab-ctl reconfigure
   register: reconfiguration
   changed_when:
     - reconfiguration.rc == 0

examples/ansible/role.gitlab-omnibus-on-ec2/handlers/install/package.yml

@@ -0,0 +1,16 @@
+---
+
+- name: Show the settings for initial access
+  tags:
+    - credentials
+    - initial
+    - password
+  ansible.builtin.debug:
+    msg: >-
+      {{
+        dict([
+          [ 'URL', external_url ],
+          [ 'Username', 'root' ],
+          [ 'Initial Password', initial_password ]
+        ])
+      }}

examples/ansible/role.gitlab-omnibus-on-ec2/handlers/main.yml

@@ -0,0 +1,27 @@
+---
+
+- name: Load installation handlers
+  tags:
+    - "{{ install_method }}"
+    - gitlab
+    - install
+  ansible.builtin.import_tasks:
+    file: "{{ role_path }}/handlers/install/{{ install_method }}.yml"
+
+- name: Load configuration handlers
+  tags:
+    - "{{ install_method }}"
+    - configuration
+    - configure
+    - gitlab
+  ansible.builtin.import_tasks:
+    file: "{{ role_path }}/handlers/configure/{{ install_method }}.yml"
+
+- name: Load certification handlers
+  tags:
+    - "{{ install_method }}"
+    - certificate
+    - certify
+    - gitlab
+  ansible.builtin.import_tasks:
+    file: "{{ role_path }}/handlers/certify/{{ install_method }}.yml"

examples/ansible/role.gitlab-omnibus-on-ec2/meta/main.yml

@@ -1,4 +1,6 @@
 ---
 
 collections:
+  - amazon.aws
+  - community.crypto
   - community.dns

examples/ansible/role.gitlab-omnibus-on-ec2/tasks/certify/package.yml

@@ -0,0 +1,52 @@
+---
+
+- name: Set up the requirements
+  block:
+    - name: Install required python libraries
+      become: true
+      ansible.builtin.package:
+        name: python3-boto3
+    - name: Ensure the destination folder exists
+      check_mode: false
+      become: true
+      ansible.builtin.file:
+        path: "{{ certificate_dir }}"
+        state: directory
+        owner: root
+        group: root
+        mode: u=rwx,g=rx,o=rx
+
+- name: Generate OpenSSL private keys for the account and the certificate
+  become: true
+  community.crypto.openssl_privatekey:
+    path: "{{ item }}"
+    type: "{{ certificate_privatekey_type }}"
+    size: "{{ (certificate_privatekey_type == 'RSA') | ternary(certificate_privatekey_rsa_size, omit) }}"
+    regenerate: partial_idempotence
+    backup: true
+  with_items:
+    - "{{ certificate_privatekey_path }}"
+    - "{{ letsencrypt_privatekey_path }}"
+
+
+- name: Generate the CRS for the certificate
+  become: true
+  community.crypto.openssl_csr:
+    path: "{{ certificate_csr_path }}"
+    privatekey_path: "{{ certificate_privatekey_path }}"
+    common_name: "{{ certificate_csr_commonname }}"
+
+- name: Create the DNS challenge for '{{ external_url_hostname }}'
+  become: true
+  community.crypto.acme_certificate:
+    challenge: dns-01
+    acme_version: 2
+    acme_directory: https://acme-v02.api.letsencrypt.org/directory
+    account_key_src: "{{ letsencrypt_privatekey_path }}"
+    account_email: "{{ acme_account_email }}"
+    csr: "{{ certificate_csr_path }}"
+    cert: "{{ certificate_path }}"
+    terms_agreed: true
+    remaining_days: 29
+  register: dns_challenge
+  notify: Create the DNS TXT record for challenge validation

examples/ansible/role.gitlab-omnibus-on-ec2/tasks/configure/package.yml

@@ -0,0 +1,32 @@
+---
+
+- name: Ensure the destination folder exists
+  check_mode: false
+  become: true
+  ansible.builtin.file:
+    path: /etc/gitlab
+    state: directory
+    owner: root
+    group: root
+    mode: u=rwx,g=rwx,o=rx
+
+- name: Create the configuration file
+  become: true
+  ansible.builtin.template:
+    src: gitlab.rb.j2
+    dest: /etc/gitlab/gitlab.rb
+    owner: root
+    group: root
+    mode: u=rw,g=,o=
+    backup: true
+  notify:
+    - "Validate Gitlab's configuration file"
+    - Reconfigure Gitlab
+
+- name: Configure settings that are unreachable from the configuration file
+  become: true
+  ansible.builtin.command: >-
+    gitlab-rails runner '
+      ::Gitlab::CurrentSettings.update!(signup_enabled: false);
+    '
+  changed_when: true

examples/ansible/role.gitlab-omnibus-on-ec2/tasks/install/package.yml

@@ -0,0 +1,46 @@
+---
+
+# Follow 'https://about.gitlab.com/install/#amazonlinux-2023'.
+
+- name: Add Gitlab's repositories
+  tags:
+    - repo
+    - repository
+    - repositories
+  become: true
+  ansible.builtin.yum_repository:
+    # Refer 'files/yum.gitlab_gitlab-ee.repo'.
+    name: "{{ item.name }}"
+    description: "{{ item.description }}"
+    baseurl: "{{ item.baseurl }}"
+    repo_gpgcheck: true
+    gpgcheck: true
+    gpgkey: |-
+      https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey
+      https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey/gitlab-gitlab-ee-3D645A26AB9FBD22.pub.gpg
+    sslverify: true
+    sslcacert: /etc/pki/tls/certs/ca-bundle.crt
+    metadata_expire: 300
+    protect: true
+  with_items:
+    - name: gitlab-ee
+      description: gitlab-ee
+      baseurl: https://packages.gitlab.com/gitlab/gitlab-ee/amazon/2023/$basearch
+    - name: gitlab-ee-source
+      description: gitlab-ee-source
+      baseurl: https://packages.gitlab.com/gitlab/gitlab-ee/amazon/2023/SRPMS
+
+- name: Install Gitlab's omnibus package
+  tags:
+    - package
+  environment:
+    EXTERNAL_URL: "{{ external_url }}"
+    GITLAB_ROOT_PASSWORD: "{{ initial_password }}"
+  become: true
+  ansible.builtin.package:
+    name: >-
+      {{
+        (gitlab_version is ansible.builtin.version('16.9.0', '>=', version_type='semver'))
+        | ternary(['gitlab-ee', gitlab_version] | join('-'), 'gitlab-ee')
+      }}
+  notify: Show the settings for initial access

examples/ansible/role.gitlab-omnibus-on-ec2/tasks/main.yml

@@ -23,3 +23,11 @@
     - gitlab
   ansible.builtin.import_tasks:
     file: "{{ role_path }}/tasks/configure/{{ install_method }}.yml"
+- name: Validate certificate for '{{ external_url_hostname }}'
+  tags:
+    - "{{ install_method }}"
+    - certificate
+    - certify
+    - gitlab
+  ansible.builtin.import_tasks:
+    file: "{{ role_path }}/tasks/certify/{{ install_method }}.yml"

examples/ansible/role.gitlab-omnibus-on-ec2/tasks/pre-flight.yml

@@ -29,21 +29,21 @@
           {{ supported_external_url_schemes }}
         success_msg: External URL scheme '{{ external_url_scheme }}' supported by the role
 
-- name: "Check the DNS entries required by Let's Encrypt exist"
-  when: letsencrypt_enabled
+- name: Check the requirements for certificate validation
+  when: external_url_scheme == 'https'
   block:
-    - name: AAAA
-      tags:
-        - debug
-        - never
-      ansible.builtin.debug:
-        msg: "{{ query('community.dns.lookup', external_url_hostname) }}"
+    - name: Check the given acme account email is in a valid email format
+      ansible.builtin.assert:
+        that: ('mailto://' + acme_account_email) is ansible.builtin.url
+        fail_msg: >-
+          Acme account email '{{ acme_account_email }}' is not a valid email, set 'acme_account_email' to a valid one
+        success_msg: Acme account email '{{ acme_account_email }}' is a valid email
     - name: Check an A or AAAA DNS record already exists for '{{ external_url_hostname }}'
       ansible.builtin.assert:
         that: >-
           query('community.dns.lookup', external_url_hostname) != [] or
           query('community.dns.lookup', external_url_hostname, type='AAAA') != []
         fail_msg: >-
-          Let's Encrypt feature enabled but no DNS entry of type 'A' or 'AAAA' found for '{{ external_url_hostname }}',
-          create one first
+          Certificate validation requested but no required DNS entry of type 'A' or 'AAAA' found for
+          '{{ external_url_hostname }}', create one first
         success_msg: Required DNS entry found for '{{ external_url_hostname }}'

examples/ansible/role.gitlab-omnibus-on-ec2/templates/gitlab.rb.j2

@@ -9,4 +9,4 @@
 external_url '{{ external_url }}'
 
 # LetsEncrypt integration
-letsencrypt['enable'] = {{ letsencrypt_enabled | bool |lower }}
+letsencrypt['enable'] = false

examples/ansible/role.gitlab-omnibus-on-ec2/vars/main.yml

@@ -0,0 +1,24 @@
+---
+
+external_url_hostname: "{{ external_url | ansible.builtin.urlsplit('hostname') }}"
+external_url_scheme: "{{ external_url | ansible.builtin.urlsplit('scheme') }}"
+supported_external_url_schemes:
+  - http
+  - https
+
+supported_install_methods:
+  - package
+
+certificate_csr_commonname: >-
+  {{
+    certificate_must_be_wildcard
+    | ternary(['*', external_url_hostname] | join('.'), external_url_hostname)
+  }}
+certificate_csr_name: "{{ [external_url_hostname, 'csr'] | join('.') }}"
+certificate_csr_path: "{{ [certificate_dir, certificate_csr_name] | path_join }}"
+certificate_name: "{{ [external_url_hostname, 'crt'] | join('.') }}"
+certificate_path: "{{ [certificate_dir, certificate_name] | path_join }}"
+certificate_privatekey_name: "{{ [external_url_hostname, 'key'] | join('.') }}"
+certificate_privatekey_path: "{{ [certificate_dir, certificate_privatekey_name] | path_join }}"
+letsencrypt_privatekey_name: letsencrypt_account_private_key.pem
+letsencrypt_privatekey_path: "{{ [certificate_dir, letsencrypt_privatekey_name] | path_join }}"

examples/pulumi/gitlab-omnibus-on-aws-ec2/.env

@@ -0,0 +1 @@
+export PULUMI_CONFIG_PASSPHRASE=test123

examples/pulumi/gitlab-omnibus-on-aws-ec2/.env.fish

@@ -0,0 +1 @@
+set -x 'PULUMI_CONFIG_PASSPHRASE' 'test123'

examples/pulumi/gitlab-omnibus-on-aws-ec2/ansible-playbook.yml

@@ -35,7 +35,7 @@
           - vim
       notify: "Start AWS' SSM agent"
   roles:
-    - role: ansible-role-gitlab-omnibus-on-ec2
+    - role: ../../ansible/role.gitlab-omnibus-on-ec2
       vars:
         external_url: 'https://gitlab.company.com'
         # initial_password: null

examples/pulumi/gitlab-omnibus-on-aws-ec2/ansible-role-gitlab-omnibus-on-ec2/defaults/main.yml

@@ -1,7 +0,0 @@
----
-
-install_method: omnibus
-
-external_url: https://{{ ansible_fqdn }}
-initial_password: null
-letsencrypt_enabled: false

examples/pulumi/gitlab-omnibus-on-aws-ec2/ansible-role-gitlab-omnibus-on-ec2/tasks/configure/omnibus.yml

@@ -1,15 +0,0 @@
----
-
-- name: Create the configuration file
-  become: true
-  ansible.builtin.template:
-    src: gitlab.rb.j2
-    dest: /etc/gitlab/gitlab.rb
-    owner: root
-    group: root
-    mode: u=rw,g=,o=
-    backup: true
-  register: config_file
-  notify:
-    - "Validate Gitlab's configuration file"
-    - Reconfigure Gitlab

examples/pulumi/gitlab-omnibus-on-aws-ec2/ansible-role-gitlab-omnibus-on-ec2/tasks/install/omnibus.yml

@@ -1,93 +0,0 @@
----
-
-# Follow 'https://about.gitlab.com/install/#amazonlinux-2023'.
-
-- name: Add Gitlab's repositories
-  tags:
-    - repo
-    - repository
-    - repositories
-  become: true
-  block:
-    # Refer 'files/gitlab_gitlab-ee.repo'.
-    - name: Add Gitlab's package repository
-      ansible.builtin.yum_repository:
-        name: gitlab-ee
-        description: gitlab-ee
-        baseurl: https://packages.gitlab.com/gitlab/gitlab-ee/amazon/2023/$basearch
-        repo_gpgcheck: true
-        gpgcheck: true
-        gpgkey: |-
-          https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey
-          https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey/gitlab-gitlab-ee-3D645A26AB9FBD22.pub.gpg
-        sslverify: true
-        sslcacert: /etc/pki/tls/certs/ca-bundle.crt
-        metadata_expire: 300
-    - name: Add Gitlab's sources repository
-      ansible.builtin.yum_repository:
-        name: gitlab-ee-source
-        description: gitlab-ee-source
-        baseurl: https://packages.gitlab.com/gitlab/gitlab-ee/amazon/2023/SRPMS
-        repo_gpgcheck: true
-        gpgcheck: true
-        gpgkey: |-
-          https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey
-          https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey/gitlab-gitlab-ee-3D645A26AB9FBD22.pub.gpg
-        sslverify: true
-        sslcacert: /etc/pki/tls/certs/ca-bundle.crt
-        metadata_expire: 300
-
-- name: Install Gitlab's omnibus package
-  tags:
-    - package
-  become: true
-  environment:
-    EXTERNAL_URL: "{{ external_url }}"
-    GITLAB_ROOT_PASSWORD: "{{ initial_password | ternary(initial_password, omit, omit) }}"
-  ansible.builtin.package:
-    name: gitlab-ee
-
-- name: Print the administrator's credentials
-  tags:
-    - credentials
-    - password
-  block:
-    - name: Check whether the auto-generated administrator's initial password file exists
-      ansible.builtin.stat:
-        path: /etc/gitlab/initial_root_password
-      register: initial_password_file_stat
-    - name: Recover the auto-generated administrator's initial password
-      block:
-        - name: Recover the password from the initial password file
-          when: initial_password_file_stat.stat.exists
-          block:
-            - name: Read the initial password file
-              become: true
-              ansible.builtin.slurp:
-                src: /etc/gitlab/initial_root_password
-              register: initial_password_file
-            - name: Save the initial login credentials
-              ansible.builtin.set_fact:
-                initial_password: |-
-                  {{
-                    initial_password_file['content']
-                    | b64decode
-                    | regex_findall('Password: .*')
-                    | first
-                    | split(': ')
-                    | last
-                  }}
-        - name: Report that the password is not available anymore
-          when: not initial_password_file_stat.stat.exists
-          ansible.builtin.set_fact:
-            initial_password: NOT_AVAILABLE_ANYMORE
-    - name: Print the administrator's credentials
-      ansible.builtin.debug:
-        msg: >-
-          {{
-            dict([
-              [ 'URL', external_url ],
-              [ 'Username', 'root' ],
-              [ 'Initial Password', initial_password ]
-            ])
-          }}

examples/pulumi/gitlab-omnibus-on-aws-ec2/ansible-role-gitlab-omnibus-on-ec2/vars/main.yml

@@ -1,10 +0,0 @@
----
-
-external_url_hostname: "{{ external_url | ansible.builtin.urlsplit('hostname') }}"
-external_url_scheme: "{{ external_url | ansible.builtin.urlsplit('scheme') }}"
-supported_external_url_schemes:
-  - http
-  - https
-
-supported_install_methods:
-  - omnibus