Commit e7b3d1dc authored by Brennen Bearnes's avatar Brennen Bearnes

initial commit with README and rough gitlab-settings tools

wmf-gitlab-tools
===============
A repository of GitLab tooling and configuration.
gitlab-settings
---------------
A collection of GitLab CE settings, and a Python script for applying them via
[the settings API][gl-settings].
[gl-settings]: https://docs.gitlab.com/ce/api/settings.html
#!/usr/bin/env python3
"""
gitlab-settings - apply settings from settings.yaml to GitLab instance
"""
import copy
import difflib
import getpass
import json
import os
import requests
import sys
import yaml
def diffsettings(old, new):
d = difflib.Differ()
old_lines = json.dumps(old, indent=4).splitlines()
new_lines = json.dumps(new, indent=4).splitlines()
for thing in d.compare(old_lines, new_lines):
if thing.startswith('-') or thing.startswith('+') or thing.startswith('?'):
print(thing)
def confirm(question="Continue?", default=False):
"""
Ask for confirmation from the user if possible, otherwise return default
when stdin is not attached to a terminal.
The confirmation is fullfilled when the user types an affirming response
which can be either 'y' or 'yes', otherwise the default choice is assumed
The confirmation is rejected when default=False and the user types anything
other than affirmative.
:param question: prompt text to show to the user
:param default: boolean default choice, True [Y/n] or False [y/N]. This is
the value that is returned when a tty is not attached to
stdin or the user presses enter without typing a response.
"""
yes = ["y", "yes"]
no = ["n", "no"]
if default:
choices = "[Y/n]"
else:
choices = "[y/N]"
# in case stdin is not a tty or the user accepts the default answer, then
# the result will be default.
result = default
if sys.stdout.isatty():
ans = input("{} {}: ".format(question, choices)).strip().lower()
if ans in yes:
result = True
elif ans in no:
result = False
return result
token = getpass.getpass('GitLab token with api scope: ').strip()
url = 'https://gitlab.wikimedia.org/api/v4/application/settings'
headers = {
'User-Agent': 'gitlab-settings/0.0.1',
'PRIVATE-TOKEN': token
}
# Get a baseline list of settings from API for diffing:
r = requests.get(url, headers=headers)
r.raise_for_status()
original_instance_settings = r.json()
# Get the settings we want to apply from YAML file in the repo:
with open('settings.yaml') as f:
local_settings = yaml.safe_load(f)
print()
print("Difference between local settings file and instance settings:")
desired_settings = copy.deepcopy(original_instance_settings)
desired_settings.update(local_settings)
diffsettings(original_instance_settings, desired_settings)
print()
if confirm('Does the diff look good?'):
if confirm('Did you log these changes in #wikimedia-releng?'):
# Do some type juggling so we pass strings instead of booleans to the API:
for x, y in local_settings.items():
if y == True:
local_settings[x] = 'true'
elif y == False:
local_settings[x] = 'false'
try:
r = requests.put(url, headers=headers, data=local_settings)
r.raise_for_status()
new_instance_settings = r.json()
except:
print(r.text)
exit()
# Display diff of applied settings:
print()
print("Changed settings: ")
diffsettings(original_instance_settings, new_instance_settings)
else:
print("Exiting without changes.")
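Review bot: The bare `except:` around the `requests.put` call near the end of the script catches everything (KeyboardInterrupt included) and then prints `r.text`, but if the PUT itself raised — a connection error, say — `r` is still the response of the earlier GET, so the stale baseline settings are printed as though they were the error; `exit()` with no argument then returns status 0, so a failed apply looks successful to whoever scripted it. Catching `requests.RequestException`, reading the body from `e.response` only when there is one, and ending with `sys.exit(1)` fixes both. Separately, the type-juggling loop above it tests `y == True` / `y == False`, which also matches the integers 1 and 0, so an integer setting with either value would be sent as the string 'true'/'false'; `isinstance(y, bool)` limits the conversion to real booleans. `os` is imported at the top of this file but never used.
```python
    if confirm('Did you log these changes in #wikimedia-releng?'):
        # Do some type juggling so we pass strings instead of booleans to the API.
        # isinstance() rather than == so integer settings 0/1 are left alone.
        for x, y in local_settings.items():
            if isinstance(y, bool):
                local_settings[x] = 'true' if y else 'false'
        try:
            r = requests.put(url, headers=headers, data=local_settings)
            r.raise_for_status()
        except requests.RequestException as e:
            # On an HTTP error the API's message is in e.response; on a
            # connection failure there is none (and r is still the earlier GET).
            print(e.response.text if e.response is not None else e, file=sys.stderr)
            sys.exit(1)
        new_instance_settings = r.json()
        # … unchanged: display diff of applied settings …
```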
# Settings reference: https://docs.gitlab.com/ce/api/settings.html
#
# True / false values here should be booleans - necessary type juggling to turn
# these into strings for the API is handled in the script.
# Disable public sign up: Admin Area, Settings, General, Sign-up restrictions,
# Sign-up enabled: unchecked
signup_enabled: false
# Set up logout redirection: Admin Area, Settings, General, Sign-in
# restrictions, After sign-out path: https://<IDP server>/logout, where <IDP
# server> is the base URL of the CAS server, like idp.wmcloud.org or
# idp.wikimedia.org
after_sign_out_path: "https://idp.wikimedia.org/logout"
# Set up private commit emails hostname: Admin Area, Settings, Preferences,
# Email, Custom hostname (for private commit emails):
# users.noreply.<gitlab.domain>, where <gitlab domain> is the base URL of the
# GitLab server, like gitlab.wikimedia.org
commit_email_hostname: "users.noreply.gitlab.wikimedia.org"
# Set up Password authentication: Admin Area, Settings, Sign-in restrictions,
# Password authentication enabled for web interface: unchecked
password_authentication_enabled_for_web: false
# Set up Git over https Password authentication: Admin Area, Settings, Sign-in
# restrictions, Password authentication enabled for Git over HTTP(S): unchecked
password_authentication_enabled_for_git: false
# Disable third party offers: Admin Area, Settings, General, Third party
# offers, Do not display offers from third parties within GitLab: checked
hide_third_party_offers: true
# Default branch name: Admin Area, Settings, Repository, Default initial branch name: set to main
default_branch_name: "main"
# Restrict unauthenticated requests: Admin Area, Settings, Network, User and IP
# Rate Limits, Enable unauthenticated request rate limit: checked
throttle_unauthenticated_enabled: false
throttle_unauthenticated_period_in_seconds: 3600
throttle_unauthenticated_requests_per_period: 3600
# Restrict outbound requests: Admin Area, Settings, Network, Outbound requests,
# Allow requests to the local network from web hooks and services: unchecked
allow_local_requests_from_hooks_and_services: false
# Restrict outbound requests: Admin Area, Settings, Network, Outbound requests,
# Allow requests to the local network from system hooks: unchecked
allow_local_requests_from_system_hooks: false
# Restrict protected paths: Admin Area, Settings, Network, Protected Paths,
# Enable protected paths rate limit: checked
throttle_protected_paths_enabled: true
# Enable Prometheus metrics: Admin Area, Settings, Metrics and profiling,
# Metrics - Prometheus, Enable Prometheus Metrics: checked
prometheus_metrics_enabled: true
# Disable Auto DevOps pipeline: Admin Area, Settings, CI/CD, Continuous
# Integration and Deployment, Default to Auto DevOps pipeline for all projects:
# unchecked
auto_devops_enabled: false
# Set abuse reports email: Admin Area, Settings, Reporting, Abuse reports,
# Abuse reports notification email: set to external abuse reports email
abuse_notification_email: "bbearnes@wikimedia.org"
# Set up RSA SSH keys: Admin Area, Settings, General, Visibility and access
# controls, RSA SSH keys: select must be at least 2048 bits
rsa_key_restriction: 2048
# Forbid DSA SSH keys: Admin Area, Settings, General, Visibility and access
# controls, DSA SSH keys: select are forbidden
dsa_key_restriction: -1
# TODO:
# Enable import from Phabricator: Admin Area, Settings, General, Visibility and
# access controls, Import sources: enable Phabricator
# import_sources: 'github,bitbucket,bitbucket_server,gitlab,google_code,fogbugz,git,gitlab_project,gitea,manifest,phabricator'
# Disable being OAuth provider: Admin Area, Settings, General, Account and
# limit, Allow users to register any application to use GitLab as an OAuth
# provider: unchecked
user_oauth_applications: false
# Turn off Gravatar for privacy / data exfiltration reasons:
# Admin Area, Settings, Account and Limit, Gravatar enabled unchecked
gravatar_enabled: false
# Settings not modeled here:
#
# - Accept Let's Encrypt ToS: Admin Area, Settings, Preferences, Pages, I have
# read and agree to the Let's Encrypt Terms of Service: checked
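Review bot: The comment above `throttle_unauthenticated_enabled` says the unauthenticated request rate limit should be "checked", but the value set is `false`, so either the comment or the value is wrong; if the checked state is intended the line should read `throttle_unauthenticated_enabled: true`, otherwise the comment should say "unchecked" so the file stays self-describing. The header says true/false values should be booleans, which this entry follows, so the mismatch is only between the prose and the value. `abuse_notification_email` is set to an individual's mailbox while its comment describes an "external abuse reports email"; a shared alias would match the comment and avoid the report stream depending on one person, though that is an operational choice I cannot confirm from here.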
#!/usr/bin/env python3
"""
view-settings - view current settings for GitLab instance
"""
import copy
import difflib
import getpass
import json
import os
import requests
import sys
import yaml
token = getpass.getpass('GitLab token with api scope: ').strip()
url = 'https://gitlab.wikimedia.org/api/v4/application/settings'
headers = {
'User-Agent': 'gitlab-settings/0.0.1',
'PRIVATE-TOKEN': token
}
# Get a baseline list of settings from API for diffing:
r = requests.get(url, headers=headers)
r.raise_for_status()
original_instance_settings = r.json()
print(json.dumps(original_instance_settings, indent=4))
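Review bot: `copy`, `difflib`, `os`, `sys` and `yaml` are imported at the top of this script but none of them is used — only `getpass`, `json` and `requests` are; they appear to have been carried over from gitlab-settings, and dropping them makes the script's actual dependencies obvious. The token prompt, `url` and `headers` block are also duplicated verbatim from gitlab-settings, so if more tools follow, a small shared helper would keep the `User-Agent` string and API base in one place.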