brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-09 05:44:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor(snippets): be less strict and use folders

Browse Source
This commit is contained in:
Michele Cereda
2024-06-18 23:02:43 +02:00
parent 444d1f9c18
commit aeb534ae15
15 changed files with 44 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
snippets/gitlab/docker installation.sh Normal file
View File

@@ -0,0 +1,12 @@
#!/usr/bin/env sh
# Fix permission errors when it keeps answering 502 and this log message appears:
# connect() to unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket failed (13: Permission denied)
docker exec 'gitlab' chown 'gitlab-www:git' '/var/opt/gitlab/gitlab-workhorse/sockets/socket'
# Given by Gitlab itself, but not sure it actually does anything
docker exec 'gitlab' update-permissions
# Health checks
docker exec 'gitlab' curl -fksLS -o '/dev/null' -w "%{http_code}" 'https://localhost/'
nc localhost 22 -e true

12
snippets/gitlab/gitlab-runner.sh Normal file
View File

@@ -0,0 +1,12 @@
#!/usr/bin/env sh
helm --namespace 'gitlab' upgrade --install --create-namespace --version '0.64.1' --repo 'https://charts.gitlab.io' \
'gitlab-runner' -f 'values.gitlab-runner.yml' 'gitlab/gitlab-runner'
gitlab-runner register --url "https://gitlab.com/" --non-interactive --executor "shell" --token "glrt-…"
gitlab-runner exec docker \
--env 'AWS_ACCESS_KEY_ID=AKIA…' --env 'AWS_SECRET_ACCESS_KEY=FsN4…' --env 'AWS_REGION=eu-west-1' \
--env 'DOCKER_AUTH_CONFIG={ "credsStore": "ecr-login" }' \
--docker-volumes "$HOME/.aws/credentials:/root/.aws/credentials:ro" \
'pulumi preview'

177
snippets/gitlab/package installation.sh Normal file
View File

@@ -0,0 +1,177 @@
#!/usr/bin/env sh
##
# Installation - start
# --------------------------------------
# Instance OS: AmazonLinux 2023
# Instance size: t4g.xlarge
# Source: https://about.gitlab.com/install/#amazonlinux-2023
##
sudo systemctl is-active sshd.service
sudo systemctl is-enabled sshd.service
sudo systemctl enable --now 'sshd.service'
# Firewalld was not available on the instance
# ---
# sudo systemctl enable --now 'firewalld.service'
# sudo firewall-cmd --permanent --add-service=http
# sudo firewall-cmd --permanent --add-service=https
# sudo systemctl reload firewalld.service
# Can be avoided if emails are not used.
sudo dnf -y install 'postfix'
sudo systemctl enable --now 'postfix.service'
# Should have been `curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.rpm.sh | bash`, but
# blindly installing stuff from the Internet just sucks.
# Soooo, following their script…
source '/etc/os-release'
os="${ID}"
dist="${VERSION_ID}"
base_url='https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/config_file.repo'
curl -sSf "${base_url}?os=${os}&dist=${dist}&source=script" | sudo tee '/etc/yum.repos.d/gitlab_gitlab-ee.repo'
dnf -q makecache -y --disablerepo='*' --enablerepo='gitlab_gitlab-ee'
dnf -q makecache -y --disablerepo='*' --enablerepo='gitlab_gitlab-ee-source'
# For 'https://…' URLs, the package will automatically request a certificate with Let's Encrypt during installation.
# This requires inbound HTTP access and a valid hostname. You can also use your own certificate.
# To avoid this, just use 'http://…' without the final 's'.
sudo EXTERNAL_URL="http://ip-172-31-73-256.eu-south-2.compute.internal" dnf install -y 'gitlab-ee'
# File automatically removed after 24h.
sudo cat '/etc/gitlab/initial_root_password'
# Open the page.
open 'http://ip-172-31-73-256.eu-south-2.compute.internal'
xdg-open 'http://ip-172-31-73-256.eu-south-2.compute.internal'
## Installation - end ---------------- #
##
# Configuration - start
# --------------------------------------
##
# Updated config template available at
# https://gitlab.com/gitlab-org/omnibus-gitlab/blame/master/files/gitlab-config-template/gitlab.rb.template
# Local template (corresponding to the installed version) available at '/opt/gitlab/etc/gitlab.rb.template'
sudo dnf -y install 'ruby' 'vim'
sudo vim '/etc/gitlab/gitlab.rb'
sudo ruby -c '/etc/gitlab/gitlab.rb'
sudo gitlab-ctl show-config
sudo gitlab-ctl reconfigure
gitlab-rails runner '
::Gitlab::CurrentSettings.update!(signup_enabled: false);
::Gitlab::CurrentSettings.update!(require_admin_approval_after_user_signup: false);
::Gitlab::CurrentSettings.update!(email_confirmation_setting: "hard");
::Gitlab::CurrentSettings.update!(password_number_required: true);
::Gitlab::CurrentSettings.update!(password_lowercase_required: true);
::Gitlab::CurrentSettings.update!(password_uppercase_required: true);
'
# Configuration - end ---------------- #
##
# Maintenance - start
# --------------------------------------
##
# Check services
sudo gitlab-ctl status
# Get logs
sudo gitlab-ctl tail
sudo gitlab-ctl tail 'prometheus'
# Backup data
sudo gitlab-backup create
sudo gitlab-backup create STRATEGY=copy
# Backup configuration
sudo gitlab-ctl backup-etc \
&& ls -t '/etc/gitlab/config_backup/' \
| head -n '1' \
| xargs -pI '{}' aws s3 cp '/etc/gitlab/config_backup/'{} 's3://backups/gitlab/'
# Package upgrade
sudo yum check-update
sudo yum info 'gitlab-ee' # informational
sudo rpm -qa | grep 'gitlab-ee' # informational
sudo yum --showduplicates list available 'gitlab-ee'
sudo gitlab-backup create # not strictly necessary: the upgrade will create a partial one
sudo gitlab-ctl backup-etc
tmux new-session -A -s 'gitlab-upgrade' "sudo yum update 'gitlab-ee'" # 'gitlab-ee-16.11.3' if version-specific
sudo gitlab-rake 'gitlab:check'
# Password reset
sudo gitlab-rake 'gitlab:password:reset[root]'
sudo gitlab-rails console
# --> user = User.find_by_username 'root'
# --> user.password = 'QwerTy184'
# --> user.password_confirmation = 'QwerTy184'
# --> user.password_automatically_set = false
# --> user.save!
# --> quit
sudo gitlab-rails runner '
user = User.find_by_username "anUsernameHere";
new_password = "QwerTy184";
user.password = new_password;
user.password_confirmation = new_password;
user.password_automatically_set = false;
user.save!
'
# Create tokens
sudo gitlab-rails runner '
token = User.find_by_username('root').personal_access_tokens.create(scopes: [:api, :sudo], name: 'Automation');
token.set_token('TwentyCharacterToken.');
token.save!
'
# Disable users' two factor authentication.
sudo gitlab-rails runner 'User.where(username: "anUsernameHere").each(&:disable_two_factor!)'
sudo gitlab-rails runner 'User.update_all(otp_required_for_login: false, encrypted_otp_secret: nil)'
## Maintenance - end ----------------- #
##
# Restore backups - start
# --------------------------------------
# Version *and* edition of the installed version must be the exact same of the
# ones from the backup.
##
sudo aws s3 cp 's3://backups/gitlab/gitlab-secrets.json' '/etc/gitlab/gitlab-secrets.json'
sudo aws s3 cp 's3://backups/gitlab/gitlab.rb' '/etc/gitlab/gitlab.rb'
sudo aws s3 cp --region=eu-east-1 \
's3://backups/gitlab/11493107454_2018_04_25_10.6.4-ce_gitlab_backup.tar' \
'/var/opt/gitlab/backups/'
sudo gitlab-ctl stop 'puma'
sudo gitlab-ctl stop 'sidekiq'
sudo GITLAB_ASSUME_YES=1 gitlab-backup restore BACKUP='11493107454_2018_04_25_10.6.4-ce'
sudo gitlab-ctl restart
sudo gitlab-rake 'gitlab:check' SANITIZE=true
sudo gitlab-rake 'gitlab:doctor:secrets'
sudo gitlab-rake 'gitlab:artifacts:check'
sudo gitlab-rake 'gitlab:lfs:check'
sudo gitlab-rake 'gitlab:uploads:check'
## Restore backups - end ------------- #
##
# Removal - start
##
sudo gitlab-ctl stop
sudo gitlab-ctl remove-accounts
sudo gitlab-ctl cleanse
sudo rm -rf '/etc/gitlab' '/opt/gitlab'
sudo dnf -y remove --noautoremove 'gitlab-ee'
## Removal - end --------------------- #

77
snippets/gitlab/pipeline tasks.yml Normal file
View File

@@ -0,0 +1,77 @@
---
print-postgis-service-logs:
when: manual
variables:
CI_DEBUG_SERVICES: "true"
services:
- name: postgis/postgis:15-3.4@sha256:6a6eb58d25a331da1d2532412641330b064ffec33f294aa5a7812fe26a6ed2f3
alias: db
variables:
POSTGRES_DB: postgres
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
POSTGRES_HOST_AUTH_METHOD: trust
script:
- echo 'hello!!'
docker-build-image-dind:
rules:
- when: manual
variables:
BUILDER_NAME: tmp-$CI_JOB_ID
DOCKER_VERSION: '26.1.2'
GIT_DEPTH: '1'
IMAGE_NAME: $CI_PROJECT_NAME
IMAGE_TAG: $CI_COMMIT_SHORT_SHA
PLATFORM: linux/amd64
services:
- docker:$DOCKER_VERSION-dind
image: library/docker:DOCKER_VERSION-cli-alpine3.19
before_script:
- docker info
- docker buildx create --driver 'docker-container' --name "$BUILDER_NAME" --use
script:
- docker buildx build --platform "$PLATFORM" --tag "$IMAGE_NAME/$IMAGE_TAG" '.'
after_script:
- docker buildx rm "$BUILDER_NAME"
powerpipe-report:
# Strongly suggested to just create your own image for this.
# Initializing it from scratch alone takes me about 8 mins.
stage: test
rules:
- when: manual
variables:
DEBIAN_FRONTEND: noninteractive
POWERPIPE_MOD_LOCATION: /home/piper/powerpipe
POWERPIPE_TELEMETRY: none
POWERPIPE_UPDATE_CHECK: 'false'
POWERPIPE_VERSION: v0.3.0
STEAMPIPE_MOD_LOCATION: /home/piper/steampipe
STEAMPIPE_TELEMETRY: none
STEAMPIPE_UPDATE_CHECK: 'false'
STEAMPIPE_VERSION: v0.23.2
image: library/debian:12.5-slim@sha256:804194b909ef23fb995d9412c9378fb3505fe2427b70f3cc425339e48a828fca
before_script:
- |-
: "${AWS_ACCESS_KEY_ID?required}"
: "${AWS_SECRET_ACCESS_KEY?required}"
- adduser --disabled-password --gecos '' --shell '/bin/sh' 'piper'
- apt update
- apt install --assume-yes --no-install-recommends 'curl' 'ca-certificates'
- curl -fsSL -O 'https://steampipe.io/install/steampipe.sh' -O 'https://powerpipe.io/install/powerpipe.sh'
- su piper -c "mkdir -pv '$STEAMPIPE_MOD_LOCATION' '$POWERPIPE_MOD_LOCATION'"
- /bin/sh steampipe.sh "$STEAMPIPE_VERSION"
- /bin/sh powerpipe.sh "$POWERPIPE_VERSION"
- su piper -c "steampipe service start --database-listen 'local'"
script:
- su piper -c "steampipe plugin install 'aws'"
- su piper -c "powerpipe mod install 'github.com/turbot/steampipe-mod-aws-compliance'"
- su piper -c "powerpipe benchmark run 'aws_compliance.benchmark.gdpr' --export 'nunit3'"
artifacts:
when: always
expire_in: 1 week
reports:
# not a junit, so useless, but hey…
junit: "*.nunit3.xml"