hifis-net · Normo · Nov 10, 2025 · Nov 10, 2025
@@ -6,6 +6,7 @@
 ---
 - name: "Converge"
   hosts: "all"
+  become: false
   tasks:
     - name: "Include gitlab role"
       ansible.builtin.include_role:

@@ -13,7 +13,7 @@ platforms:
     image: "${MOLECULE_IMAGE:-ghcr.io/hifis-net/ubuntu-systemd:24.04}"
     pre_build_image: true
     privileged: true
-    systemd: "always"
+    systemd: true
     tty: true
     override_command: false
 provisioner:
@@ -29,6 +29,7 @@ provisioner:
   inventory:
     host_vars:
       instancegitlab:
+        ansible_user: "ansible"
         gitlab_edition: "gitlab-ce"
         gitlab_ip_range: "0.0.0.0/0"
         gitlab_additional_configurations:

@@ -13,6 +13,7 @@
         - "ansible_facts.distribution_major_version | int >= 7"
       block:
         - name: "Install missing dependencies"
+          become: true
           ansible.builtin.dnf:
             name:
               - "sudo"
@@ -21,24 +22,11 @@
             state: "present"
             update_cache: true
 
-        # Workaround to prevent "sudo: PAM account management error" because of non-readable shadows file on AlmaLinux
-        - name: "Get file stats for /etc/shadow"
-          ansible.builtin.stat:
-            path: "/etc/shadow"
-          register: "shadow"
-
-        - name: "Fix permissions for /etc/shadow"
-          ansible.builtin.file:
-            path: "/etc/shadow"
-            owner: "root"
-            group: "{{ shadow.stat.gr_name }}"
-            mode: "0640"
-          when: "not shadow.stat.rusr"
-
     - name: "Install depenencies for OS family Debian"
       when: "ansible_facts.os_family == 'Debian'"
       block:
         - name: "Install missing dependencies"
+          become: true
           ansible.builtin.apt:
             name:
               - "sudo"      # for `become` privilege escalation

@@ -54,12 +54,14 @@
       failed_when: "liveness_check.status == 503"
 
     - name: "Check the output of gitlab status"
+      become: true
       ansible.builtin.command: "gitlab-ctl status"
       register: "gitlab_ctl_status"
       changed_when: "gitlab_ctl_status.rc != 0"
       failed_when: "gitlab_ctl_status.rc != 0"
 
     - name: "Check GitLab configuration via Rake task"
+      become: true
       ansible.builtin.command: "gitlab-rake gitlab:check"
       register: "gitlab_rake_check"
       changed_when: "gitlab_rake_check.rc != 0"

@@ -6,6 +6,7 @@
 ---
 
 - name: "Copy gitlab-secrets.json"
+  become: true
   ansible.builtin.copy:
     src: "{{ gitlab_secrets_file }}"
     dest: "/etc/gitlab/gitlab-secrets.json"
@@ -60,6 +61,7 @@
     - "Reconfigure Non Primary GitLab"
 
 - name: "Create file to prevent Gitlab to restart before migrations"
+  become: true
   ansible.builtin.copy:
     content: ""
     dest: "/etc/gitlab/skip-auto-reconfigure"
@@ -70,6 +72,7 @@
   when: "gitlab_is_primary"
 
 - name: "Create file to prevent Gitlab to backup database"
+  become: true
   ansible.builtin.copy:
     content: ""
     dest: "/etc/gitlab/skip-auto-backup"

@@ -6,12 +6,14 @@
 ---
 
 - name: "Check if feature flag is already enabled for {{ gitlab_feature_flag.name }}"
+  become: true
   ansible.builtin.command:
     cmd: "gitlab-rails runner 'is_feature_enabled = Feature.enabled?(:{{ gitlab_feature_flag.name }}); puts is_feature_enabled'"
   register: "__gitlab_is_feature_enabled"
   changed_when: false
 
 - name: "Enable or disable feature flag {{ gitlab_feature_flag.name }}"
+  become: true
   ansible.builtin.command:
     cmd: "gitlab-rails runner 'Feature.{{ 'enable' if gitlab_feature_flag.enabled else 'disable' }}(:{{ gitlab_feature_flag.name }})'"
   changed_when: true

@@ -16,27 +16,31 @@
   when: "ansible_facts.os_family == 'Debian'"
   block:
     - name: "Remove GitLab APT GPG key from legacy trusted.gpg keyring"
+      become: true
       ansible.builtin.apt_key:
         url: "{{ gitlab_gpg_key_url }}"
         id: "{{ gitlab_gpg_key_id }}"
         state: "absent"
       when: "not __gitlab_is_initial_dryrun"
 
     - name: "Remove GitLab APT repository from sources.list"
+      become: true
       ansible.builtin.apt_repository:
         repo: "deb {{ gitlab_repo_url }} {{ ansible_facts.distribution_release }} main"
         state: "absent"
         filename: "gitlab_{{ gitlab_edition }}"
         update_cache: false
 
     - name: "Remove GitLab source APT repository from sources.list"
+      become: true
       ansible.builtin.apt_repository:
         repo: "deb-src {{ gitlab_repo_url }} {{ ansible_facts.distribution_release }} main"
         state: "absent"
         filename: "gitlab_{{ gitlab_edition }}"
         update_cache: false
 
     - name: "Add GitLab APT repository"
+      become: true
       ansible.builtin.deb822_repository:
         name: "{{ gitlab_edition }}"
         types:
@@ -52,6 +56,7 @@
         enabled: true
 
     - name: "Update APT package cache"
+      become: true
       ansible.builtin.apt:
         update_cache: true
       check_mode: false
@@ -61,6 +66,7 @@
   when: "ansible_facts.os_family == 'RedHat'"
   block:
     - name: "Add GitLab yum repository"
+      become: true
       ansible.builtin.yum_repository:
         name: "gitlab_{{ gitlab_edition }}"
         description: "GitLab yum repo"
@@ -78,6 +84,7 @@
         metadata_expire: "300"
 
     - name: "Add GitLab source yum repository"
+      become: true
       ansible.builtin.yum_repository:
         name: "gitlab_{{ gitlab_edition }}-source"
         description: "GitLab source yum repo"
@@ -95,6 +102,7 @@
         metadata_expire: "300"
 
     - name: "Update yum package cache"
+      become: true
       ansible.builtin.dnf:
         update_cache: true
       check_mode: false
@@ -112,6 +120,7 @@
     - "__gitlab_rails_binary.stat.executable"
   block:
     - name: "Get the currently installed GitLab version"
+      become: true
       ansible.builtin.slurp:
         path: "/var/opt/gitlab/gitlab-rails/VERSION"
       register: "__gitlab_version_base64"
@@ -147,6 +156,7 @@
   rescue:
 
     - name: "Ensure GitLab directory exists"
+      become: true
       ansible.builtin.file:
         path: "/etc/gitlab"
         state: "directory"
@@ -155,6 +165,7 @@
         mode: "0775"
 
     - name: "Create file to detect a failed reconfigure"
+      become: true
       ansible.builtin.copy:
         content: "This file is managed by Ansible."
         dest: "/etc/gitlab/reconfigure_failed"

@@ -13,16 +13,13 @@
 
 - name: "Reconfigure GitLab"
   ansible.builtin.import_tasks: "reconfigure.yml"
-  become: true
   when: "__gitlab_reconfigure_failed.stat.exists"
 
 - name: "Install GitLab"
   ansible.builtin.import_tasks: "install.yml"
-  become: true
 
 - name: "Configure GitLab"
   ansible.builtin.import_tasks: "configure.yml"
-  become: true
 
 - name: "Check if GitLab is already configured"
   ansible.builtin.stat:

@@ -30,6 +30,7 @@
     - "gitlab_is_primary"
 
 - name: "Remove file that indicates a failed reconfigure"
+  become: true
   ansible.builtin.file:
     path: "/etc/gitlab/reconfigure_failed"
     state: "absent"