Config/installation of all gitlab services under docker with one server, one static IP address

Install docker, apache on host

create a file called docker-compose.yml

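version: '3.3'
services:
  gitlab-ce:
    image: 'gitlab/gitlab-ce:13.12.12-ce.0'
    container_name: gitlab
    restart: always
    ports:
      # The Apache vhosts in this guide proxy straight to 172.18.0.4, so these two host ports only serve
      # direct access; bind them to loopback ('127.0.0.1:8929:443') or drop them if nothing on the host needs them.
      - '8929:443'
      - '8928:80'
      # Quoted on purpose: an unquoted 22:22 is read as the sexagesimal integer 1342 by YAML 1.1 parsers.
      # This claims the host's port 22, so a host sshd on 22 has to be moved first or the bind fails.
      - '22:22'
    volumes:
      # Mounted at /etc/gitlab: gitlab.rb and the ssl/ directory the hourly cert cron writes into live here.
      - '/data/apps/gitlab/config:/etc/gitlab'
      - '/data/apps/gitlab/log:/var/log/gitlab'
      - '/data/apps/gitlab/data:/var/opt/gitlab'
    networks:
      default:
        ipv4_address: 172.18.0.4
  gitlab-runner:
    # NOTE(review): 'latest' is a mutable tag, so every pull may bring a different runner; pin it to an
    # explicit version the way gitlab-ce is pinned above.
    image: 'gitlab/gitlab-runner:latest'
    container_name: gitlab-runner
    restart: always
    volumes:
      # Handing the runner the Docker socket gives it root-equivalent control of the host; with the docker
      # executor, jobs on this runner inherit that reach, so only trusted projects should be allowed to use it.
      - '/var/run/docker.sock:/var/run/docker.sock'
      - '/srv/gitlab-runner/config:/etc/gitlab-runner'
    networks:
      default:
        ipv4_address: 172.18.0.5
  registry:
    image: 'registry:2'
    container_name: registry
    restart: always
    ports:
      - '5050:443'
    volumes:
      # /mnt/certs is symlinked to /data/apps/gitlab/config/ssl, so this container reads the same Let's Encrypt
      # files (private keys included) that the gitlab container uses.
      - '/mnt/certs:/certs'
      - '/mnt/registry:/var/lib/registry'
    environment:
      - REGISTRY_HTTP_ADDR=0.0.0.0:443
      - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/gitlab-registry.w3usine.com.crt
      - REGISTRY_HTTP_TLS_KEY=/certs/gitlab-registry.w3usine.com.key
    # NOTE(review): the Apache vhost for gitlab-registry.w3usine.com proxies to 172.18.0.4 (gitlab-ce), and
    # gitlab.rb sets registry_external_url, which serves a registry from the gitlab container itself — that
    # vhost never reaches this service; confirm this standalone registry is still needed.
    networks:
      default:
        ipv4_address: 172.18.0.6
  solr:
    image: 'solr:8.11.1'
    container_name: my_solr
    # Restart policy aligned with the other services.
    restart: always
    volumes:
      - '/data/apps/solrdata:/var/solr'
    ports:
      # Published on every host interface although Apache proxies to 172.18.0.7 directly; nothing in this guide
      # configures Solr authentication, so prefer '127.0.0.1:8983:8983' or no host port at all.
      - '8983:8983'
    networks:
      default:
        ipv4_address: 172.18.0.7
networks:
  default:
    driver: bridge
    ipam:
      config:
        - subnet: 172.18.0.0/24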

 

optional (if you want solr)

create a host for solr.domain.com (in my case solr.9pro.ca), create the apache website, enable SSL, enable Let's Encrypt (I use ISPConfig for this, a GUI interface)

Enable the proxypass option in the 'options' tab. Use the following proxy settings:

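# solr.9pro.ca — proxy fragment for the Apache vhost (ISPConfig "options" tab).
               # The backend is plain HTTP on the docker bridge, so the SSLProxy* directives used by the https
               # vhosts are not needed here; the public side is still TLS, terminated by Apache with the
               # Let's Encrypt certificate.
               ProxyPreserveHost On
               ProxyRequests Off
               ProxyPass / http://172.18.0.7:8983/
               ProxyPassReverse / http://172.18.0.7:8983/
               <Location />
                  ProxyPassReverse /
                  # "Allow from all" publishes the whole Solr admin UI and API to every client that can reach
                  # this vhost, and nothing in this guide turns on Solr authentication: restrict the source
                  # (Require ip / Allow from <your ranges>) or put HTTP auth in front before exposing it.
                  Order deny,allow
                  Allow from all
               </Location>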

 

Repeat previous steps for gitlab-registry.w3usine.com (proxypass settings shown below)

                # Apache vhost fragment for gitlab-registry.w3usine.com (ISPConfig "options" tab): Apache terminates
                # the public TLS with the Let's Encrypt certificate and re-encrypts to the GitLab container's nginx.
                # ProxyPreserveHost forwards the original Host header, so the container can pick its server
                # block by name.
                ProxyPreserveHost On
                ProxyRequests Off
                SSLProxyEngine On
                # Peer checks compare the backend certificate with the host in the ProxyPass URL, which is an IP
                # here rather than the name on the certificate — confirm requests are not answered with 502
                # (on 2.4.5+ SSLProxyCheckPeerName governs this check). SSLProxyVerify is left at its default,
                # so the backend's CA chain is not validated.
                SSLProxyCheckPeerCN On
                SSLProxyCheckPeerExpire On
                # NOTE(review): this targets the gitlab container (172.18.0.4), where registry_external_url in
                # gitlab.rb serves the registry — not the standalone "registry" service docker-compose.yml puts
                # at 172.18.0.6 (host port 5050). Confirm which registry this host name is meant to reach.
                ProxyPass / https://172.18.0.4:443/
                <Location />
                   ProxyPassReverse /
                   Order deny,allow
                   Allow from all
                </Location>

Example gitlab.w3usine.com proxy pass settings

                # Apache vhost fragment for gitlab.w3usine.com (ISPConfig "options" tab): Apache terminates the
                # public TLS with the Let's Encrypt certificate and re-encrypts to the GitLab container's nginx,
                # which serves the same certificate the hourly cron copies into /etc/gitlab/ssl.
                ProxyPreserveHost On
                ProxyRequests Off
                SSLProxyEngine On
                # Peer checks compare the backend certificate with the host in the ProxyPass URL, which is an IP
                # here rather than the name on the certificate — confirm requests are not answered with 502
                # (on 2.4.5+ SSLProxyCheckPeerName governs this check). SSLProxyVerify is left at its default,
                # so the backend's CA chain is not validated.
                SSLProxyCheckPeerCN On
                SSLProxyCheckPeerExpire On
                ProxyPass / https://172.18.0.4:443/
                <Location />
                   ProxyPassReverse /
                   Order deny,allow
                   Allow from all
                </Location>

Steps in detail:

  1. create an A record and website for gitlab-registry.w3usine.com, SSL enabled with Let's Encrypt certs, and enable proxy pass with the settings shown above
  2. create /mnt/certs on the host and /data/apps/gitlab/config/ssl if it doesn't exist, then make /mnt/certs a symlink pointing to /data/apps/gitlab/config/ssl
  3. create cron job to copy letsencrypt certs into /data/apps/gitlab/config/ssl on an hourly basis
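    # Runs once per hour: refresh the cert/key pairs the gitlab container reads from /etc/gitlab/ssl
    # (the host path below is the config volume from docker-compose.yml). -p keeps the source mode and owner,
    # so the private key stays as restrictive as Let's Encrypt wrote it.
    # `&&` instead of `;`: if the key copy fails, the chain is not copied either, so the pair can never end
    # up mismatched (a mismatched pair stops nginx from starting).
    # NOTE(review): nginx reads these files only at start/reload — reload it after a renewal
    # (e.g. `docker exec gitlab gitlab-ctl hup nginx`) or the old certificate is served until the next
    # restart or reconfigure.
    0 * * * * cp -p /etc/letsencrypt/live/gitlab.w3usine.com/privkey.pem /data/apps/gitlab/config/ssl/gitlab.w3usine.com.key && cp -p /etc/letsencrypt/live/gitlab.w3usine.com/fullchain.pem /data/apps/gitlab/config/ssl/gitlab.w3usine.com.crt
    0 * * * * cp -p /etc/letsencrypt/live/gitlab-registry.w3usine.com/privkey.pem /data/apps/gitlab/config/ssl/gitlab-registry.w3usine.com.key && cp -p /etc/letsencrypt/live/gitlab-registry.w3usine.com/fullchain.pem /data/apps/gitlab/config/ssl/gitlab-registry.w3usine.com.crt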

     

  4. Example of creating the gitlab.w3usine.com A record
  5. create website for gitlab.w3usine.com, ssl enabled with letsencrypt certs, enable proxy pass with settings as mentioned
  6. similar cronjob for both gitlab(.w3usine.com) and gitlab-registry(.w3usine.com)
  7. run the following command to start the containers from the docker-compose.yml
  8. docker-compose up -d;

     

  9. docker ps;
    # Check that the gitlab, gitlab-runner and registry containers are up (and solr, if you started it).
    # Open a shell inside the gitlab container:
    docker exec -it gitlab bash;
    # gitlab-ctl reconfigure applies /etc/gitlab/gitlab.rb — the config volume mounted in docker-compose.yml —
    # so edit that file first (an example is given below); --help lists the other subcommands.
    gitlab-ctl --help;
    gitlab-ctl reconfigure;

     

 

Example config.rb

## gitlab url
##! url on which gitlab will be reachable.
##! for more details on configuring external_url see:
##! https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-the-external-url-for-gitlab
# Public https URL; the host Apache vhost for this name proxies to the container's nginx at 172.18.0.4:443.
 external_url 'https://gitlab.w3usine.com'


################################################################################
################################################################################
##                configuration settings for gitlab ce and ee                 ##
################################################################################
################################################################################

################################################################################
## gitlab.yml configuration
##! docs: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md
################################################################################
# SSH host left at its default (presumably the external_url host), which works because docker-compose.yml
# publishes the container's port 22 on the host's port 22.
# gitlab_rails['gitlab_ssh_host'] = 'ssh.host_example.com'
 gitlab_rails['time_zone'] = 'America/New_York'

### email settings
# Sender and reply-to addresses are on 7pro.ca while the instance is gitlab.w3usine.com; the 7pro.ca SPF/DKIM
# records need to cover the relay configured in the SMTP section, or outgoing mail will be flagged.
 gitlab_rails['gitlab_email_enabled'] = true
 gitlab_rails['gitlab_email_from'] = 'joseph@7pro.ca'
 gitlab_rails['gitlab_email_display_name'] = 'gitlab.w3usine.com'
 gitlab_rails['gitlab_email_reply_to'] = 'noreply@7pro.ca'
 gitlab_rails['gitlab_email_subject_suffix'] = '-- https://gitlab.w3usine.com'


### auxiliary jobs
###! periodically executed jobs, to self-heal gitlab, do external
###! synchronizations, etc.
###! docs: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
###!       https://docs.gitlab.com/ce/ci/yaml/readme.html#artifacts:expire_in
# Cron expressions for the background workers; the minutes are staggered, presumably to spread the load.
 gitlab_rails['stuck_ci_jobs_worker_cron'] = "0 0 * * *"
 gitlab_rails['expire_build_artifacts_worker_cron'] = "50 * * * *"
 gitlab_rails['pipeline_schedule_worker_cron'] = "41 * * * *"
 gitlab_rails['repository_check_worker_cron'] = "20 * * * *"
 gitlab_rails['admin_email_worker_cron'] = "0 0 * * 0"
 gitlab_rails['repository_archive_cache_worker_cron'] = "0 * * * *"
 gitlab_rails['pages_domain_verification_cron_worker'] = "*/15 * * * *"



###! **specifies amazon s3 storage class to use for backups. valid values
###!   include 'standard', 'standard_ia', 'glacier', and
###!   'reduced_redundancy'**
# gitlab_rails['backup_storage_class'] = 'standard'

### gitlab email server settings
###! docs: https://docs.gitlab.com/omnibus/settings/smtp.html
###! **use smtp instead of sendmail/postfix.**

# Relay through an MTA on the host over plain port 25 with no TLS and no credentials. 172.17.0.1 is typically
# the host's docker0 address; the compose network here is 172.18.0.0/24, so confirm the host MTA actually
# listens on this address and accepts relay only from the container subnet, never from anywhere.
# The trailing semicolons are valid Ruby but not needed in gitlab.rb.
 gitlab_rails['smtp_enable'] = true;
 gitlab_rails['smtp_address'] = "172.17.0.1";
 gitlab_rails['smtp_port'] = 25;
 gitlab_rails['smtp_domain'] = "ryzen.w3usine.com";
 gitlab_rails['smtp_enable_starttls_auto'] = false;
 gitlab_rails['smtp_tls'] = false;
 gitlab_rails['smtp_ssl'] = false;
 gitlab_rails['smtp_force_ssl'] = false;

###! **can be: 'none', 'peer', 'client_once', 'fail_if_no_peer_cert'**
###! docs: http://api.rubyonrails.org/classes/actionmailer/base.html
# Only consulted once smtp_tls or smtp_enable_starttls_auto is turned on; if TLS is enabled later, set this
# to 'peer' so the relay's certificate is actually verified.
 gitlab_rails['smtp_openssl_verify_mode'] = 'none';

################################################################################
## container registry settings
##! docs: https://docs.gitlab.com/ce/administration/container_registry.html
################################################################################

# Enables the registry bundled in the gitlab-ce container, served by its nginx on 443 under this host name
# (the Apache vhost for gitlab-registry.w3usine.com proxies to 172.18.0.4:443 with the Host header preserved).
# It needs /etc/gitlab/ssl/gitlab-registry.w3usine.com.{crt,key}, which the hourly cron copies in.
# NOTE(review): docker-compose.yml also runs a standalone "registry:2" container at 172.18.0.6 that the
# Apache vhost never reaches; with this setting in place it looks redundant — confirm which one is intended.
registry_external_url 'https://gitlab-registry.w3usine.com'



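################################################################################
## GitLab NGINX
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html
################################################################################

# The bundled nginx terminates TLS itself (listen_https below) with the certificates the hourly cron copies
# into /etc/gitlab/ssl; the host Apache vhosts proxy to https://172.18.0.4:443 with the Host header preserved.
nginx['enable'] = true
# nginx['client_max_body_size'] = '250m'
# No HTTP->HTTPS redirect here: Apache is the public entry point, so any redirect belongs on its vhost; the
# plain-HTTP listener is reachable only through host port 8928 and the docker bridge.
nginx['redirect_http_to_https'] = false
nginx['redirect_http_to_https_port'] = 80

##! TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only TLS 1.2 and 1.3.
##! Recommended by: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
##!                 https://cipherli.st/
nginx['ssl_protocols'] = "TLSv1.2 TLSv1.3"

##! Override only if you use a reverse proxy
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-nginx-listen-port
nginx['listen_port'] = 443
# nginx['listen_port'] = 80

##! Override only if your reverse proxy internally communicates over HTTP
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl
# Apache re-encrypts to the container (ProxyPass https://...), so nginx keeps listening for HTTPS.
nginx['listen_https'] = true

# Behind Apache every request arrives from the host's address on the compose bridge; to log and rate-limit by
# the real client address, trust X-Forwarded-For from that single address (not the whole 172.18.0.0/24
# subnet, which the runner's jobs share):
# nginx['real_ip_header'] = 'X-Forwarded-For'
# nginx['real_ip_trusted_addresses'] = ['<host address on the compose bridge>']
# nginx['real_ip_recursive'] = 'on'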



################################################################################
## GitLab Pages
##! Docs: https://docs.gitlab.com/ce/pages/administration.html
################################################################################

##! Define to enable GitLab Pages
# pages_external_url "http://pages.example.com/"
# Pages is off and pages_external_url stays commented out; the gitlab_pages[...] and pages_nginx[...] values
# below are presumably inert until Pages is enabled — confirm before relying on any of them.
gitlab_pages['enable'] = false

##! Configure to expose GitLab Pages on external IP address, serving the HTTP
# gitlab_pages['external_http'] = []

##! Configure to expose GitLab Pages on external IP address, serving the HTTPS
# gitlab_pages['external_https'] = []

##! Configure to enable health check endpoint on GitLab Pages
# gitlab_pages['status_uri'] = "/@status"

##! Configure to use JSON structured logging in GitLab Pages
# gitlab_pages['log_format'] = "json"

# gitlab_pages['listen_proxy'] = "localhost:8090"
# gitlab_pages['redirect_http'] = true
# gitlab_pages['use_http2'] = true
# Both paths are inside the volumes docker-compose.yml mounts (/var/opt/gitlab and /var/log/gitlab).
gitlab_pages['dir'] = "/var/opt/gitlab/gitlab-pages"
gitlab_pages['log_directory'] = "/var/log/gitlab/gitlab-pages"

gitlab_pages['artifacts_server'] = true
# gitlab_pages['artifacts_server_url'] = nil # Defaults to external_url + '/api/v4'
# gitlab_pages['artifacts_server_timeout'] = 10

##! Environments that do not support bind-mounting should set this parameter to
##! true. This is incompatible with the artifacts server
# gitlab_pages['inplace_chroot'] = false

##! Prometheus metrics for Pages docs: https://gitlab.com/gitlab-org/gitlab-pages/#enable-prometheus-metrics
# gitlab_pages['metrics_address'] = ":9235"

################################################################################
## GitLab Pages NGINX
################################################################################

# All the settings defined in the "GitLab Nginx" section are also available in this "GitLab Pages NGINX" section
# You just have to change the key "nginx['some_settings']" with "pages_nginx['some_settings']"

# Below you can find settings that are exclusive to "GitLab Pages NGINX"
# NOTE(review): enabled while gitlab_pages['enable'] is false above — confirm this has no effect without
# pages_external_url, or set it to false to keep the two in step.
pages_nginx['enable'] = true

gitlab_rails['pages_path'] = "/var/opt/gitlab/gitlab-rails/shared/pages"

################################################################################
## GitLab CI
##! Docs: https://docs.gitlab.com/ce/ci/quick_start/README.html
################################################################################

# NOTE(review): the gitlab_ci[...] keys date from the separate GitLab CI service and may be ignored by the
# 13.12 image used in docker-compose.yml — confirm against the omnibus docs before relying on them.
gitlab_ci['gitlab_ci_all_broken_builds'] = true
gitlab_ci['gitlab_ci_add_pusher'] = true
gitlab_ci['builds_directory'] = '/var/opt/gitlab/gitlab-ci/builds'

################################################################################
# Let's Encrypt integration
################################################################################
# Disabled on purpose: certificates are issued on the host (ISPConfig / Let's Encrypt) and copied into
# /etc/gitlab/ssl by the hourly cron. Keep it off — the container's port 80 is published as host port 8928,
# so an HTTP-01 challenge answered from inside the container could not succeed anyway. With enable = false
# the remaining letsencrypt[...] values below are presumably not acted on — confirm before relying on them.
 letsencrypt['enable'] = false
 letsencrypt['contact_emails'] = ['j@7pro.ca'] # This should be an array of email addresses to add as contacts
 letsencrypt['group'] = 'root'
 letsencrypt['key_size'] = 2048
 letsencrypt['owner'] = 'root'
 letsencrypt['wwwroot'] = '/var/opt/gitlab/nginx/www'
# See http://docs.gitlab.com/omnibus/settings/ssl.html#automatic-renewal for more on these settings
 letsencrypt['auto_renew'] = false
 letsencrypt['auto_renew_hour'] = 0
# letsencrypt['auto_renew_minute'] = nil # Should be a number or cron expression, if specified.
 letsencrypt['auto_renew_day_of_month'] = "*/4"