    gitlab/nginx: Slapos'ify config and turn nginx into a service · 85f7d7e3
    Kirill Smelkov authored
    Go through nginx configuration templates and convert them to jinja2 with
    slapos parameters (reminder: names and default values are imported from
    omnibus-gitlab 8.2.3+ce.0-0-g8eda093), except commenting out features we
    do not want to support (yet ?).
    
    As nginx is a reverse-proxy, i.e. it integrates all internal services
    and works as frontend to them, our gitlab service is now ready to listen
    and talk to the world over (standard to slapos services backend) IPv6.
    
    Nginx also acts as SSL termination point - for it to work by default we
    set up a self-signed certificate for the backend, which can be manually
    changed to a proper certificate if needed. The backend certificate is used
    if gitlab is configured to work in HTTPS mode (and the frontend certificate
    is another story).
    
    NOTE the ssl certificate is generated with just `openssl req ...` - yes, there
        is slapos.cookbook:certificate_authority.request but it requires
        starting a whole service and has up to 60 seconds latency to generate
        a certificate. And we only need to run 1 command to do that...
    
    The features disabled are:
    
        - http -> https redirection
    
          not needed for us at nginx level - the frontend can do the
          redirection and also gitlab speaks HSTS on https port so when we access
          https port via http protocol, it gets redirected to https.
    
        - kerberos
        - ssl_dhparam
        - providing custom nginx configuration via instance parameter
    
    /cc @kazuhiko, @jerome
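
The commit message describes generating a default self-signed backend certificate with a single `openssl req` call that an operator can later replace by hand. The sketch below is an added example, not code from this commit: the function names, file paths, key size, CN and lifetime are assumptions, since the commit's actual `openssl req` arguments are not shown here. It generates the pair only when it is missing, so a manually installed certificate is not overwritten.

```shell
#!/bin/sh
# Added example (not from the commit). All names and option values
# below are assumptions chosen for illustration.

# ensure_backend_cert KEY CERT CN [DAYS]
# Create a self-signed key/cert pair with one `openssl req` call, but only
# when either file is missing or empty, so a certificate the operator
# installed by hand survives the next run.
ensure_backend_cert() {
    key=$1 cert=$2 cn=$3 days=${4:-365}
    if [ -s "$key" ] && [ -s "$cert" ]; then
        return 0
    fi
    # Restrictive umask in a subshell: the private key is never
    # group- or world-readable, even briefly.
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
            -days "$days" -subj "/CN=$cn" \
            -keyout "$key" -out "$cert" 2>/dev/null
    )
}

# cert_is_self_signed CERT -> exit 0 when issuer and subject are identical
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# key_matches_cert KEY CERT -> exit 0 when both carry the same public key
key_matches_cert() {
    a=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    b=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

`cert_is_self_signed` is also a quick way to tell, on a deployed instance, whether the default certificate is still in place or has been swapped for a CA-issued one.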
macrolib.cfg.in 793 Bytes