Skip to content

development: add GitLab, Runner, and Renovate; wire GitLab backups

jedmund requested to merge jedmund/dev-ecosystem-plan into main

Created by: jedmund

Summary

Stands up the first slice of the self-hosted dev ecosystem on nuc-mini, alongside the existing Forgejo install so the two can run in parallel during evaluation. Dokploy will land in a follow-up PR per the plan in .context/dev-stack-plan.md.

  • GitLab CE (omnibus) on gitlab.atelier.house, container registry on registry.atelier.house. Git SSH binds to host port 2223 so Forgejo keeps 2222. PocketID via openid_connect. Most config lives in a mounted gitlab.rb that omnibus reconfigures on container start.
  • GitLab Runner using the modern auth-token registration flow. Mounts the host docker socket; job containers launch on the backend docker network so they can reach GitLab directly.
  • Renovate as a oneshot run by host cron on Mondays. Talks to GitLab over the backend network rather than bouncing through Traefik.
  • Backup wiring: a 01:50 host cron in the development role runs gitlab-backup create, leaving an application-consistent dump that the 02:00 borgmatic run picks up via /opt/docker. Live Postgres/Redis/Prometheus directories are now excluded from the archive so the dump is the unambiguous restore artifact.

Vault entries and DNS records this PR depends on are listed at the top of roles/development/defaults/main.yml. Empty defaults are seeded for the four secrets that GitLab can bootstrap without (initial root password, OIDC client id/secret, runner token, renovate token) so the first deploy templates cleanly; populate vault and re-run once GitLab is up.

Test plan

  • Add Cloudflare A records for gitlab.atelier.house and registry.atelier.house
  • Create PocketID OIDC client for GitLab (redirect https://gitlab.atelier.house/users/auth/openid_connect/callback)
  • Add gitlab_initial_root_password, gitlab_oidc_client_id, gitlab_oidc_client_secret to group_vars/development/vault.yml
  • ansible-playbook deploy/development.yml; wait through GitLab first reconfigure (~5 to 10 minutes)
  • Confirm GitLab loads at https://gitlab.atelier.house and Sign in with PocketID works
  • Confirm registry.atelier.house responds and docker login succeeds with a personal access token
  • Generate runner auth token in GitLab admin and add to vault as gitlab_runner_auth_token; re-run playbook; confirm runner appears as online
  • Create renovate-bot user, generate PAT, add to vault as renovate_gitlab_token; re-run playbook
  • Push a trivial .gitlab-ci.yml to a new project and confirm the runner picks up the job
  • Manually trigger gitlab-backup create on host; confirm dump lands under /opt/docker/development/gitlab/data/backups
  • Trigger borgmatic create; confirm archive contains the dump and excludes /data/postgresql, /data/redis, /data/prometheus

Merge request reports

Loading