Merge pull request #2627 from codeenigma/Gitlab-letsencrypt-hook-PR-2.x

drazenCE · web-flow · commit b2f8bacefe53 · 2025-08-07T10:52:39.000+02:00
Gitlab-letsencrypt-hook
diff --git a/roles/debian/gitlab/defaults/main.yml b/roles/debian/gitlab/defaults/main.yml
@@ -45,6 +45,7 @@ gitlab:
   unicorn_worker_processes: 2
   puma_worker_processes: 2
   initial_root_password: "Ch@ng3m3"
+  letsencrypt_timer: false
   # LDAP settings
   ldap:
     enable: false # enable/disable LDAP integration
diff --git a/roles/debian/gitlab/tasks/main.yml b/roles/debian/gitlab/tasks/main.yml
@@ -138,6 +138,46 @@
         timer_OnCalendar: "{{ gitlab.block_removed_ldap_users_on_calendar }}"
   when: gitlab.ldap.enable
 
+# Set up LE renewal timer and service on boot for servers that are shut down overnight.
+
+- name: Check if GitLab is installed
+  ansible.builtin.stat:
+    path: /opt/gitlab/bin/gitlab-ctl
+  register: gitlab_ctl_binary
+
+- name: Configure GitLab LE boot-time renewal timer
+  when:
+    - gitlab.letsencrypt_timer
+    - gitlab_ctl_binary.stat.exists
+  block:
+    - name: Install systemd service for LE renewal
+      ansible.builtin.template:
+        src: gitlab-renew-le.service.j2
+        dest: /etc/systemd/system/gitlab-renew-le.service
+        owner: root
+        group: root
+        mode: '0644'
+
+    - name: Install systemd timer for LE renewal
+      ansible.builtin.template:
+        src: gitlab-renew-le.timer.j2
+        dest: /etc/systemd/system/gitlab-renew-le.timer
+        owner: root
+        group: root
+        mode: '0644'
+
+    - name: Reload systemd daemon
+      ansible.builtin.systemd_service:
+        daemon_reload: true
+      when: is_local is not defined or not is_local
+
+    - name: Enable and start the LE renewal timer
+      ansible.builtin.systemd:
+        name: gitlab-renew-le.timer
+        enabled: true
+        state: started
+      when: is_local is not defined or not is_local
+
 # @TODO - this task fails in CI with GitHub Actions because PostGreSQL isn't running
 - name: Run the GitLab configuration script for config that cannot be set in gitlab.rb.
   ansible.builtin.command: /opt/gitlab/bin/gitlab-rails runner /etc/gitlab/gitlab-config.rb
diff --git a/roles/debian/gitlab/templates/gitlab-renew-le.service.j2 b/roles/debian/gitlab/templates/gitlab-renew-le.service.j2
@@ -0,0 +1,7 @@
+[Unit]
+Description=Force GitLab LE Cert Renewal at Boot
+After=network.target
+
+[Service]
+ExecStart=/opt/gitlab/bin/gitlab-ctl renew-le-certs
+Type=oneshot
diff --git a/roles/debian/gitlab/templates/gitlab-renew-le.timer.j2 b/roles/debian/gitlab/templates/gitlab-renew-le.timer.j2
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run GitLab LE Renewal at Boot
+
+[Timer]
+OnBootSec=5min
+Unit=gitlab-renew-le.service
+
+[Install]
+WantedBy=timers.target
