swap proxmox backend from s3 to gitlab http

.gitlab-ci.yml

@@ -0,0 +1,35 @@
+workflow:
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "web"
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH
+
+stages:
+  - test
+  - lint
+
+include:
+  - template: Security/SAST.gitlab-ci.yml
+
+sast:
+  allow_failure: true
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "web"
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH
+
+markdownlint:
+  stage: lint
+  image:
+    name: registry.gitlab.com/06kellyjac/docker_markdownlint-cli:0.28.1-alpine
+    entrypoint:
+      - "/usr/bin/env"
+      - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+  before_script:
+    - markdownlint --version
+  allow_failure: true
+  rules:
+    - changes:
+        - "**/*.md"
+  script:
+    - markdownlint .

doc/gitlab_ci.md

@@ -0,0 +1 @@
+# Gitlab CI Configuration

docker/gitlab/README.md

@@ -0,0 +1,83 @@
+# GitLab Docker Setup
+
+This directory contains the necessary files to set up GitLab using Docker
+and Docker Compose. The setup includes a `gitlab.yaml` file that defines the
+GitLab service configuration.
+
+## Adding gitlab runner as docker container
+
+To add a GitLab runner as a Docker container, follow these steps:
+
+1. SSH into the target machine where you want to run the GitLab runner.
+2. Make sure Docker and Docker Compose are installed on the machine.
+3. Obtain the GitLab runner registration token from your GitLab instance.
+   You can find this token in the GitLab web interface under
+   `Settings > CI/CD > Runners > Create Instance Runner > Registration Token`.
+4. Then run the following command to start the GitLab runner container. There
+   can be multiple gitlab runners commisioned the same way by changing the name
+   of the container.
+
+   ```bash
+   docker volume create gitlab-runner-config-2
+   docker run -d \
+   --name gitlab-runner-2 \
+   --restart always \
+   -v gitlab-runner-config-2:/etc/gitlab-runner \
+   -v /var/run/docker.sock:/var/run/docker.sock \
+   gitlab/gitlab-runner:latest
+
+
+   docker exec -it gitlab-runner-2 \
+   gitlab-runner register \
+   --non-interactive \
+   --url "https://<gitlab_instance_url>/" \
+   --token "<gitlab-runner-registration-token>" \
+   --executor "docker" \
+   --docker-image alpine:latest \
+   --description "docker-runner 2"
+   ```
+
+## Troubleshooting
+
+- If the URL returns a 404 error, it is usually gitlab container takes long time
+  to start. Please wait for few minutes and try again. If the problem persists,
+  check the traefik labels and access logs for more information.
+
+- The initial root password is set in the `gitlab.yaml` file under the
+  `GITLAB_ROOT_PASSWORD` environment variable. Make sure to change it to a
+  secure password after the first login. If for some reason it does not work.
+  You can reset it via the following commands:
+
+  1. Access the GitLab container's shell:
+     ```
+     docker exec -it <gitlab_container_name> /bin/bash
+     ```
+  2. Run the following command to reset the root password:
+     ```
+     gitlab-rails console
+     ```
+  3. In the Rails console, execute the following commands:
+     ```ruby
+     user = User.find_by_username('root')
+     user.password = 'NewSecurePassword123!'
+     user.password_confirmation == 'NewSecurePassword123!'
+     user.save!
+     ```
+  4. Exit the Rails console and the container shell.
+
+- If while disabling signup you get server (500) error, please follow the below
+  steps:
+  1. Access the GitLab container's shell:
+     ```
+     docker exec -it <gitlab_container_name> /bin/bash
+     ```
+  2. Run the following command to open the Rails console:
+     ```
+     gitlab-rails console
+     ```
+  3. In the Rails console, execute the following command to disable user signup:
+     ```ruby
+     settings = ApplicationSetting.last
+     settings.update_column(:runners_registration_token_encrypted, nil)
+     ```
+  4. Exit the Rails console and the container shell.

docker/gitlab/gitlab.yaml

@@ -0,0 +1,42 @@
+services:
+  gitlab:
+    image: gitlab/gitlab-ce:18.5.5-ce.0
+    container_name: gitlab
+    restart: unless-stopped
+    env_file:
+      - ./.env
+    hostname: gitlab.${DOMAINNAME}
+    ports:
+      - "2424:22"
+    volumes:
+      - "$GITLAB_HOME/config:/etc/gitlab"
+      - "$GITLAB_HOME/logs:/var/log/gitlab"
+      - "$GITLAB_HOME/data:/var/opt/gitlab"
+    shm_size: "256m"
+    networks:
+      - t3_proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.gitlab-rtr.entrypoints=websecure"
+      - "traefik.http.routers.gitlab-rtr.rule=Host(`gitlab.${DOMAINNAME}`)"
+      - "traefik.http.routers.gitlab-rtr.tls=true"
+      - "traefik.http.routers.gitlab-rtr.service=gitlab-svc"
+      - "traefik.http.services.gitlab-svc.loadbalancer.server.port=80"
+    environment:
+      GITLAB_ROOT_PASSWORD: ${GITLAB_ROOT_PASSWORD}
+      GITLAB_OMNIBUS_CONFIG: |
+        external_url "https://gitlab.${DOMAINNAME}"
+        gitlab_rails['gitlab_shell_ssh_port'] = 2424
+        letsencrypt['enable'] = false
+        nginx['listen_port']  = 80
+        nginx['listen_https'] = false
+        postgresql['shared_buffers'] = '256MB'
+        sidekiq['max_concurrency'] = 4
+        sidekiq['concurrency'] = 1
+        puma['worker_timeout'] = 120
+        puma['worker_processes'] = 1
+        prometheus_monitoring['enable'] = false
+
+networks:
+  t3_proxy:
+    external: true

docker/portainer.yaml

@@ -13,14 +13,11 @@ services:
       - t3_proxy
     labels:
       - "traefik.enable=true"
-      # HTTP Routers
       - "traefik.http.routers.portainer-rtr.entrypoints=websecure"
       - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.${DOMAINNAME}`)"
-      # HTTP Services
       - "traefik.http.routers.portainer-rtr.tls=true"
       - "traefik.http.routers.portainer-rtr.service=portainer-svc"
       - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"
-      - "traefik.http.routers.traefik-rtr.middlewares=middlewares-rate-limit@file,middlewares-secure-headers@file"
     command:
       --http-enabled
     environment:

docker/traefik/traefik-rules.yaml

@@ -25,7 +25,6 @@ http:
 tls:
   options:
     default:
-      #sniStrict: true # prevents leaking default cert; see https://doc.traefik.io/traefik/v2.2/https/tls/#strict-sni-checking
       minVersion: VersionTLS12
       cipherSuites:
         - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

docker/traefik/traefik.yaml

@@ -69,5 +69,4 @@ services:
       - "traefik.http.routers.api.entrypoints=websecure"
       - "traefik.http.routers.api.rule=Host(`traefik.${DOMAINNAME}`)"
       - "traefik.http.routers.api.service=api@internal"
-        # Middlewares
+
-      - "traefik.http.routers.api.middlewares=middlewares-rate-limit@file,middlewares-secure-headers@file"

infra/terraform/proxmox/backend.tf

@@ -1,14 +1,11 @@
 terraform {
-  backend "s3" {
+  backend "http" {
-    bucket                      = "terraform-state" # Name of the MinIO bucket
+    address        = var.http_address
-    key                         = "proxmox/terraform.tfstate" # Path to the state file in the bucket
+    lock_address   = var.http_lock_address
-    endpoint                    = var.minio_endpoint # MinIO API endpoint
+    unlock_address = var.http_lock_address
-    access_key                  = var.minio_access_key # MinIO access key
+    lock_method    = "POST"
-    secret_key                  = var.minio_secret_key # MinIO secret key
+    unlock_method  = "DELETE"
-    region                      = "us-east-1" # Arbitrary region (MinIO ignores this)
+    retry_wait_min = 5
-    skip_credentials_validation = true # Skip AWS-specific credential checks
+
-    skip_metadata_api_check     = true # Skip AWS metadata API checks
-    skip_region_validation      = true # Skip AWS region validation
-    use_path_style              = true # Use path-style URLs[](http://<host>/<bucket>)
   }
 }

infra/terraform/proxmox/variables.tf

@@ -1,16 +1,28 @@
-# variables for minio backend configuration
+# variables for Terraform HTTP backend
-variable "minio_access_key" {
+variable "http_username" {
-  description = "MinIO access key"
+  description = "Username for HTTP backend"
+  type        = string
+  sensitive   = true
+}
+
+variable "http_password" {
+  description = "Password for HTTP backend"
+  type        = string
+  sensitive   = true
+}
+
+variable "http_address" {
+  description = "HTTP backend address"
   type        = string
 }
 
-variable "minio_secret_key" {
+variable "http_lock_address" {
-  description = "MinIO secret key"
+  description = "HTTP backend lock address"
   type        = string
 }
 
-variable "minio_endpoint" {
+variable "http_unlock_address" {
-  description = "MinIO API endpoint"
+  description = "HTTP backend unlock address"
   type        = string
 }