Create ansible playbook for demo setupzj-demo-setup-ansible

I was to demo today, and didn't want to spend an hour to configure all
components. Initially the idea was to leverage the Helm charts. Given
the limited experience I had, I wanted to some results to create a set
up for future iterations.

This change is such a first iteration. There's no automation or
integration with the terraform scripts yet.

11 files changed, 266 insertions, 0 deletions

diff --git a/_support/demo-setup/README.md b/_support/demo-setup/README.md
new file mode 100644
index 000000000..0f89cc045
--- /dev/null
+++ b/_support/demo-setup/README.md
@@ -0,0 +1,5 @@
+### Disclaimer
+
+This is an install method for developers demos of Gitaly and Praefect. The intent
+is to quickly setup GitLab, Praefect, and Gitaly. Given each install in torn down
+right after use, security is sacrificed.
diff --git a/_support/demo-setup/hosts b/_support/demo-setup/hosts
new file mode 100644
index 000000000..432cc66d2
--- /dev/null
+++ b/_support/demo-setup/hosts
@@ -0,0 +1,18 @@
+[gitalies]
+35.186.174.24
+35.199.7.165
+35.245.136.225
+
+[praefects]
+35.221.26.197
+34.86.94.216
+34.86.59.103
+
+[databases]
+35.245.1.128
+
+[gitlabs]
+35.199.51.66
+
+[loadbalancers]
+10.150.0.90
diff --git a/_support/demo-setup/local_env.yml b/_support/demo-setup/local_env.yml
new file mode 100644
index 000000000..5caad7b57
--- /dev/null
+++ b/_support/demo-setup/local_env.yml
@@ -0,0 +1,17 @@
+- name: Gitaly setup
+  hosts: gitalies
+  roles:
+    - base
+    - gitaly
+
+- name: Praefect setup
+  hosts: praefects
+  roles:
+    - base
+    - praefect
+
+- name: GitLab Application server setup
+  hosts: gitlabs
+  roles:
+    - base
+    - gitlab
diff --git a/_support/demo-setup/roles/base/tasks/main.yml b/_support/demo-setup/roles/base/tasks/main.yml
new file mode 100644
index 000000000..62c7e9e16
--- /dev/null
+++ b/_support/demo-setup/roles/base/tasks/main.yml
@@ -0,0 +1,17 @@
+- name: Get GitLab-EE setup script
+  get_url:
+    url: https://packages.gitlab.com/install/repositories/gitlab/nightly-builds/script.deb.sh
+    dest: /tmp/gitlab-nightly-script.deb.sh
+    mode: '0755'
+
+- name: Install GitLab-EE nightly repositories
+  become: yes
+  shell:
+    cmd: /tmp/gitlab-nightly-script.deb.sh
+
+- name: Install latest GitLab-EE
+  become: yes
+  package: 
+    name: gitlab-ee
+    state: latest
+
diff --git a/_support/demo-setup/roles/gitaly/tasks/main.yml b/_support/demo-setup/roles/gitaly/tasks/main.yml
new file mode 100644
index 000000000..05be9c6d1
--- /dev/null
+++ b/_support/demo-setup/roles/gitaly/tasks/main.yml
@@ -0,0 +1,18 @@
+- name: Set GitLab.rb file
+  become: yes
+  template: 
+    src: gitaly-gitlab.rb.j2
+    dest: /etc/gitlab/gitlab.rb
+
+- name: Reconfigure GitLab
+  become: yes
+  command:
+    cmd: gitlab-ctl reconfigure
+  
+# Reconfigure is not good enough to start prometheus, see:
+# https://docs.gitlab.com/ee/administration/gitaly/praefect.html#gitaly
+- name: Restart Gitaly for Prometheus listeners
+  become: yes
+  command:
+    cmd: gitlab-ctl restart
+  
diff --git a/_support/demo-setup/roles/gitaly/templates/gitaly-gitlab.rb.j2 b/_support/demo-setup/roles/gitaly/templates/gitaly-gitlab.rb.j2
new file mode 100644
index 000000000..9be7a90a3
--- /dev/null
+++ b/_support/demo-setup/roles/gitaly/templates/gitaly-gitlab.rb.j2
@@ -0,0 +1,48 @@
+# Disable all other services on the Praefect node
+postgresql['enable'] = false
+redis['enable'] = false
+nginx['enable'] = false
+grafana['enable'] = false
+puma['enable'] = false
+sidekiq['enable'] = false
+gitlab_workhorse['enable'] = false
+prometheus_monitoring['enable'] = false
+
+# Enable only the Gitaly service
+gitaly['enable'] = true
+
+# Enable Prometheus if needed
+prometheus['enable'] = false
+
+# Prevent database connections during 'gitlab-ctl reconfigure'
+gitlab_rails['rake_cache_clear'] = false
+gitlab_rails['auto_migrate'] = false
+
+# Make Gitaly accept connections on all network interfaces.
+# Use firewalls to restrict access to this address/port.
+gitaly['listen_addr'] = '0.0.0.0:8075'
+
+# Enable Prometheus metrics access to Gitaly. You must use firewalls
+# to restrict access to this address/port.
+gitaly['prometheus_listen_addr'] = '0.0.0.0:9236'
+
+gitaly['auth_token'] = 'PRAEFECT_INTERNAL_TOKEN'
+
+gitlab_shell['secret_token'] = 'GITLAB_SHELL_SECRET_TOKEN'
+
+# Configure the gitlab-shell API callback URL. Without this, `git push` will
+# fail. This can be your front door GitLab URL or an internal load balancer.
+# Examples: 'https://example.gitlab.com', 'http://1.2.3.4'
+gitlab_rails['internal_api_url'] = 'http://{{ groups['gitlabs'][0] }}'
+
+# You can include the data dirs for all nodes in the same config, because
+# Praefect will only route requests according to the addresses provided in the
+# prior step.
+git_data_dirs({
+  {% for host in groups['gitalies'] %}
+    '{{ hostvars[host]['ansible_facts']['default_ipv4']['address'] }}' => {
+      "path" => "/var/opt/gitlab/git-data"
+    },
+  {% endfor %}
+})
+
diff --git a/_support/demo-setup/roles/gitlab/tasks/main.yml b/_support/demo-setup/roles/gitlab/tasks/main.yml
new file mode 100644
index 000000000..564e5dd1a
--- /dev/null
+++ b/_support/demo-setup/roles/gitlab/tasks/main.yml
@@ -0,0 +1,21 @@
+- name: Set GitLab.rb file
+  become: yes
+  template:
+    src: gitlab-gitlab.rb.j2
+    dest: /etc/gitlab/gitlab.rb
+
+- name: Reconfigure GitLab
+  become: yes
+  command:
+    cmd: gitlab-ctl reconfigure
+  
+- name: Restart GitLab
+  become: yes
+  command:
+    cmd: gitlab-ctl restart
+
+- name: Rake Gitaly verification
+  become: yes
+  command:
+    cmd: gitlab-rake gitlab:gitaly:check
+
diff --git a/_support/demo-setup/roles/gitlab/templates/gitlab-gitlab.rb.j2 b/_support/demo-setup/roles/gitlab/templates/gitlab-gitlab.rb.j2
new file mode 100644
index 000000000..19f5273c6
--- /dev/null
+++ b/_support/demo-setup/roles/gitlab/templates/gitlab-gitlab.rb.j2
@@ -0,0 +1,39 @@
+external_url 'http://{{ groups['gitlabs'][0] }}'
+
+gitaly['enable'] = false
+
+git_data_dirs({
+  "default" => {
+    "gitaly_address" => "tcp://{{ groups['loadbalancers'][0] }}:2305",
+    "gitaly_token" => 'PRAEFECT_EXTERNAL_TOKEN'
+  }
+})
+
+gitlab_shell['secret_token'] = 'GITLAB_SHELL_SECRET_TOKEN'
+
+prometheus['scrape_configs'] = [
+  {
+    'job_name' => 'praefect',
+    'static_configs' => [
+      'targets' => [
+	{% for host in groups['praefects'] %}
+	  '{{ host  }}:9652',
+	{% endfor %}
+      ]
+      ]
+    
+  },
+  {
+    'job_name' => 'praefect-gitaly',
+    'static_configs' => [
+      'targets' => [
+	{% for host in groups['gitalies'] %}
+	  '{{ host  }}:9236',
+	{% endfor %}
+      ]
+    ]
+  }
+]
+
+grafana['disable_login_form'] = false
+
diff --git a/_support/demo-setup/roles/praefect/tasks/main.yml b/_support/demo-setup/roles/praefect/tasks/main.yml
new file mode 100644
index 000000000..0c3e9f1e5
--- /dev/null
+++ b/_support/demo-setup/roles/praefect/tasks/main.yml
@@ -0,0 +1,34 @@
+- name: Ensure Postgresql connection
+  shell:
+    cmd: "PGPASSWORD=PRAEFECT_SQL_PASSWORD /opt/gitlab/embedded/bin/psql -w -U praefect -d template1 -h {{ groups['databases'][0] }} --command='select 1'"
+
+- name: Set GitLab.rb file
+  become: yes
+  template:
+    src: praefect-gitlab.rb.j2
+    dest: /etc/gitlab/gitlab.rb
+
+- name: Reconfigure GitLab
+  become: yes
+  command:
+    cmd: gitlab-ctl reconfigure
+  
+# Reconfigure is not good enough to start prometheus, see:
+# https://docs.gitlab.com/ee/administration/gitaly/praefect.html#gitaly
+- name: Restart Praefect for Prometheus listeners
+  become: yes
+  command:
+    cmd: gitlab-ctl restart
+  
+- name: SQL Ping verification
+  become: yes
+  become_user: git
+  command:
+    cmd: /opt/gitlab/embedded/bin/praefect -config /var/opt/gitlab/praefect/config.toml sql-ping
+
+- name: Dial nodes verification
+  become: yes
+  command:
+    cmd: /opt/gitlab/embedded/bin/praefect -config /var/opt/gitlab/praefect/config.toml dial-nodes
+
+
diff --git a/_support/demo-setup/roles/praefect/templates/praefect-gitlab.rb.j2 b/_support/demo-setup/roles/praefect/templates/praefect-gitlab.rb.j2
new file mode 100644
index 000000000..2d5a88db4
--- /dev/null
+++ b/_support/demo-setup/roles/praefect/templates/praefect-gitlab.rb.j2
@@ -0,0 +1,45 @@
+# Disable all other services on the Praefect node
+postgresql['enable'] = false
+redis['enable'] = false
+nginx['enable'] = false
+prometheus['enable'] = false
+grafana['enable'] = false
+puma['enable'] = false
+sidekiq['enable'] = false
+gitlab_workhorse['enable'] = false
+gitaly['enable'] = false
+
+# Enable only the Praefect service
+praefect['enable'] = true
+
+# Prevent database connections during 'gitlab-ctl reconfigure'
+gitlab_rails['rake_cache_clear'] = false
+gitlab_rails['auto_migrate'] = false
+
+praefect['listen_addr'] = '0.0.0.0:2305'
+
+# Enable Prometheus metrics access to Praefect. You must use firewalls
+# to restrict access to this address/port.
+praefect['prometheus_listen_addr'] = '0.0.0.0:9652'
+
+praefect['auth_token'] = 'PRAEFECT_EXTERNAL_TOKEN'
+
+praefect['database_host'] = '{{ groups['databases'][0] }}'
+praefect['database_port'] = 5432
+praefect['database_user'] = 'praefect'
+praefect['database_password'] = 'PRAEFECT_SQL_PASSWORD'
+praefect['database_dbname'] = 'praefect_production'
+
+# Name of storage hash must match storage name in git_data_dirs on GitLab
+# server ('praefect') and in git_data_dirs on Gitaly nodes ('gitaly-1')
+praefect['virtual_storages'] = {
+	'default' => {
+		{% for host in groups['gitalies'] %}
+		'{{ hostvars[host]['ansible_facts']['default_ipv4']['address'] }}' => {
+			'address' => 'tcp://{{ hostvars[host]['ansible_facts']['default_ipv4']['address'] }}:8075',
+				'token'   => 'PRAEFECT_INTERNAL_TOKEN',
+				'primary' => {{ (loop.index0 == 0)|string|lower }},
+		},
+		{% endfor %}
+	}
+}
diff --git a/_support/demo-setup/setup b/_support/demo-setup/setup
new file mode 100755
index 000000000..d880a8468
--- /dev/null
+++ b/_support/demo-setup/setup
@@ -0,0 +1,4 @@
+#!/usr/bin/env sh
+
+ansible-playbook -i hosts local_env.yml
+