Config/installation de tous les services GitLab sous Docker, sur un serveur avec une adresse IP statique

Installer Docker et Apache sur l'hôte

Créer docker-compose.yml avec le contenu ci-dessous :

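---
# docker-compose.yml — GitLab CE, its runner, a standalone registry and Solr,
# each pinned to a static address on a private bridge so the host's Apache
# vhosts (see the ProxyPass fragments further down) can reach them by IP.
version: '3.3'

services:
  gitlab-ce:
    image: 'gitlab/gitlab-ce:13.12.12-ce.0'
    container_name: gitlab
    restart: always
    ports:
      # 8929/8928 are only needed for direct access; the Apache vhosts
      # forward to 172.18.0.4:443 on the bridge, not through these.
      - '8929:443'
      - '8928:80'
      # Host port 22 is handed to the container's sshd, so the host's own
      # sshd must listen elsewhere or this publish cannot bind.
      - '22:22'
    volumes:
      - '/data/apps/gitlab/config:/etc/gitlab'
      - '/data/apps/gitlab/log:/var/log/gitlab'
      - '/data/apps/gitlab/data:/var/opt/gitlab'
    networks:
      default:
        ipv4_address: 172.18.0.4

  gitlab-runner:
    # ':latest' is a floating tag: every pull may change the runner binary and
    # its compatibility with the pinned 13.12 server. Pin a concrete tag once
    # verified (placeholder: 'gitlab/gitlab-runner:<verified-tag>').
    image: 'gitlab/gitlab-runner:latest'
    container_name: gitlab-runner
    restart: always
    volumes:
      # Mounting the Docker socket gives the runner (and any job it schedules
      # through the docker executor) control of the host's Docker daemon,
      # which is root-equivalent on the host. Only trusted pipelines belong
      # on this runner.
      - '/var/run/docker.sock:/var/run/docker.sock'
      - '/srv/gitlab-runner/config:/etc/gitlab-runner'
    networks:
      default:
        ipv4_address: 172.18.0.5

  registry:
    image: 'registry:2'
    container_name: registry
    restart: always
    ports:
      - '5050:443'
    volumes:
      # /mnt/certs must contain the gitlab-registry.w3usine.com cert/key
      # named in REGISTRY_HTTP_TLS_* below (filled in by the host cron job).
      - '/mnt/certs:/certs'
      - '/mnt/registry:/var/lib/registry'
    environment:
      - REGISTRY_HTTP_ADDR=0.0.0.0:443
      - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/gitlab-registry.w3usine.com.crt
      - REGISTRY_HTTP_TLS_KEY=/certs/gitlab-registry.w3usine.com.key
    networks:
      default:
        ipv4_address: 172.18.0.6

  solr:
    image: 'solr:8.11.1'
    container_name: my_solr
    # No restart policy here, unlike the other services: Solr stays down after
    # a host reboot until started by hand — add 'restart: always' if that is
    # not intended.
    ports:
      # Published on every host interface. The Apache vhost reaches Solr via
      # 172.18.0.7 directly, so this mapping is only for direct access and
      # should be firewalled if that is not wanted.
      - '8983:8983'
    volumes:
      - '/data/apps/solrdata:/var/solr'
    networks:
      default:
        ipv4_address: 172.18.0.7

networks:
  default:
    driver: bridge
    ipam:
      config:
        - subnet: 172.18.0.0/24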

 

Optionnel (solr)

Créer un enregistrement A (hôte) pour solr.domain.com (dans mon cas solr.9pro.ca), créer un site Apache, activer SSL, activer Let's Encrypt (j'utilise ISPConfig pour cela, via son interface graphique).

Activez l'option ProxyPass dans l'onglet 'options'. Utilisez les paramètres de proxy suivants :

#solr.9pro.ca
# Apache vhost fragment (ISPConfig "Apache directives"): TLS terminates on the
# host and requests are forwarded in plain HTTP to the Solr container at its
# static bridge address.
               ProxyPreserveHost On
               ProxyRequests Off
               # SSLProxy* directives only apply to https:// backends; the
               # target below is http://, so the three lines are inert here.
               SSLProxyEngine On
               SSLProxyCheckPeerCN On
               SSLProxyCheckPeerExpire On
               ProxyPass / http://172.18.0.7:8983/
               ProxyPassReverse / http://172.18.0.7:8983/
               <Location />
                  # In <Location> context the argument is the backend URL, so
                  # "/" here is most likely redundant with the ProxyPassReverse
                  # above — confirm before removing.
                  ProxyPassReverse /
                  # 2.2-style access control (needs mod_access_compat on 2.4);
                  # the 2.4 form is "Require all granted". Nothing in this
                  # fragment restricts who reaches the Solr admin UI — if Solr
                  # itself has no authentication configured, limit access here.
                  Order deny,allow
                  Allow from all
               </Location>

 

Répétez les étapes énumérées ci-dessus pour gitlab-registry.w3usine.com (paramètres de ProxyPass indiqués ci-dessous)

                # Apache vhost fragment for gitlab-registry.w3usine.com. Traffic
                # is re-encrypted towards the GitLab container (172.18.0.4), not
                # towards the standalone 'registry' service of docker-compose.yml
                # (172.18.0.6, host port 5050): with registry_external_url set
                # in gitlab.rb the container's bundled registry presumably
                # answers here — confirm which registry is meant to serve it.
                # ProxyPreserveHost is what lets the single backend 172.18.0.4
                # tell the registry and gitlab vhosts apart by Host header.
                ProxyPreserveHost On
                ProxyRequests Off
                SSLProxyEngine On
                # SSLProxyVerify is not set (default: none), so the backend
                # certificate chain is not validated against a CA; these two
                # checks cover only CN and expiry — confirm on the Apache
                # version in use whether they even apply without SSLProxyVerify.
                SSLProxyCheckPeerCN On
                SSLProxyCheckPeerExpire On
                ProxyPass / https://172.18.0.4:443/
                <Location />
                   # Location-context ProxyPassReverse takes the backend URL and
                   # "/" is not one. If redirects come back with the internal
                   # address, add `ProxyPassReverse / https://172.18.0.4:443/`
                   # at vhost level, as the Solr fragment does.
                   ProxyPassReverse /
                   # 2.2-style access control (needs mod_access_compat on 2.4);
                   # the 2.4 form is "Require all granted".
                   Order deny,allow
                   Allow from all
                </Location>

Exemple de paramètres "proxy pass" pour gitlab.w3usine.com

                # Apache vhost fragment for gitlab.w3usine.com: identical to the
                # registry one, since both names land on the same GitLab
                # container; ProxyPreserveHost On carries the original Host so
                # the container's nginx serves the external_url vhost.
                ProxyPreserveHost On
                ProxyRequests Off
                SSLProxyEngine On
                # Without SSLProxyVerify (default: none) the backend chain is
                # not validated against a CA; only CN and expiry are checked.
                SSLProxyCheckPeerCN On
                SSLProxyCheckPeerExpire On
                ProxyPass / https://172.18.0.4:443/
                <Location />
                   # Location-context ProxyPassReverse expects the backend URL;
                   # "/" is likely a no-op here. If GitLab redirects expose the
                   # internal address, add `ProxyPassReverse / https://172.18.0.4:443/`
                   # at vhost level.
                   ProxyPassReverse /
                   # 2.2-style access control (needs mod_access_compat on 2.4);
                   # the 2.4 form is "Require all granted".
                   Order deny,allow
                   Allow from all
                </Location>

Étapes en détail :

  1. créez un enregistrement A (hôte) et un site web pour gitlab-registry.w3usine.com, SSL activé avec des certs Let's Encrypt, activez le ProxyPass avec les paramètres mentionnés ci-dessus.
  2. créez un lien symbolique /mnt/certs pointant vers /data/apps/gitlab/config/ssl
  3. créez une tâche cron pour copier les certs Let's Encrypt dans /data/apps/gitlab/config/ssl toutes les heures :
    # Runs once an hour: copies the current Let's Encrypt key and full chain
    # into the directory bind-mounted as /etc/gitlab in the gitlab container,
    # under the <hostname>.key / <hostname>.crt names the registry container's
    # REGISTRY_HTTP_TLS_* variables also refer to. `cp -p` keeps the source
    # mode, so the private-key copies stay as restrictive as /etc/letsencrypt
    # makes them. Nothing here tells the container's nginx to reload after a
    # renewal — confirm whether a `docker exec gitlab gitlab-ctl hup nginx`
    # step is needed after the copies.
    0 * * * * cp -p /etc/letsencrypt/live/gitlab.w3usine.com/privkey.pem /data/apps/gitlab/config/ssl/gitlab.w3usine.com.key ;cp -p /etc/letsencrypt/live/gitlab.w3usine.com/fullchain.pem /data/apps/gitlab/config/ssl/gitlab.w3usine.com.crt
    0 * * * * cp -p /etc/letsencrypt/live/gitlab-registry.w3usine.com/privkey.pem /data/apps/gitlab/config/ssl/gitlab-registry.w3usine.com.key ;cp -p /etc/letsencrypt/live/gitlab-registry.w3usine.com/fullchain.pem /data/apps/gitlab/config/ssl/gitlab-registry.w3usine.com.crt

     

  4.  Exemple de création d'un enregistrement A de gitlab.w3usine.com
  5. créez un site web pour gitlab.w3usine.com, SSL activé avec les certs Let's Encrypt, activez le ProxyPass avec la config mentionnée ci-dessus
  6. ajoutez donc un cron similaire (voir l'étape 3) pour gitlab(.w3usine.com) et gitlab-registry(.w3usine.com)
  7. exécutez la commande suivante pour démarrer les services Docker décrits dans docker-compose.yml
  8. docker-compose up -d;

     

  9. docker ps;
    # Make sure the gitlab, gitlab-runner and registry containers are up (my_solr is optional).
    # Open a shell inside the gitlab container:
    docker exec -it gitlab bash;
    # Configure GitLab: reconfigure applies /etc/gitlab/gitlab.rb, which is
    # /data/apps/gitlab/config/gitlab.rb on the host thanks to the volume mount.
    gitlab-ctl --help;
    gitlab-ctl reconfigure;

 

config.rb

## GitLab URL
##! URL on which GitLab will be reachable; it is also the Host the Apache
##! vhost for gitlab.w3usine.com forwards (ProxyPreserveHost On).
##! NOTE(review): this file is presumably /etc/gitlab/gitlab.rb inside the
##! container, i.e. /data/apps/gitlab/config/gitlab.rb on the host — confirm.
##! For more details on configuring external_url see:
##! https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-the-external-url-for-gitlab
external_url 'https://gitlab.w3usine.com'


################################################################################
################################################################################
##                configuration settings for gitlab ce and ee                 ##
################################################################################
################################################################################

################################################################################
## gitlab.yml configuration
##! Docs: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md
################################################################################
##! SSH is reached on the same host name because docker-compose publishes host
##! port 22 straight into the container, so gitlab_ssh_host keeps its default.
# gitlab_rails['gitlab_ssh_host'] = 'ssh.host_example.com'
gitlab_rails['time_zone'] = 'America/New_York'

### Email settings (sender identity; the SMTP transport is configured below)
gitlab_rails['gitlab_email_enabled']        = true
gitlab_rails['gitlab_email_from']           = 'joseph@7pro.ca'
gitlab_rails['gitlab_email_display_name']   = 'gitlab.w3usine.com'
gitlab_rails['gitlab_email_reply_to']       = 'noreply@7pro.ca'
gitlab_rails['gitlab_email_subject_suffix'] = '-- https://gitlab.w3usine.com'


### Auxiliary jobs
###! Periodically executed jobs, to self-heal GitLab, do external
###! synchronizations, etc. Values are standard five-field cron expressions.
###! Docs: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
###!       https://docs.gitlab.com/ce/ci/yaml/readme.html#artifacts:expire_in
gitlab_rails['stuck_ci_jobs_worker_cron']              = '0 0 * * *'
gitlab_rails['expire_build_artifacts_worker_cron']     = '50 * * * *'
gitlab_rails['pipeline_schedule_worker_cron']          = '41 * * * *'
gitlab_rails['repository_check_worker_cron']           = '20 * * * *'
gitlab_rails['admin_email_worker_cron']                = '0 0 * * 0'
gitlab_rails['repository_archive_cache_worker_cron']   = '0 * * * *'
gitlab_rails['pages_domain_verification_cron_worker']  = '*/15 * * * *'



###! **specifies amazon s3 storage class to use for backups. valid values
###!   include 'standard', 'standard_ia', 'glacier', and
###!   'reduced_redundancy'**
# gitlab_rails['backup_storage_class'] = 'standard'

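### GitLab email server settings
###! Docs: https://docs.gitlab.com/omnibus/settings/smtp.html
###! **Use SMTP instead of sendmail/postfix.**
###! Mail is handed to an MTA at 172.17.0.1 (presumably the host's docker0
###! address — confirm) on port 25 inside the Docker bridge, in clear: STARTTLS
###! and TLS are both disabled below. The host MTA's relay policy is therefore
###! what decides who may send through it; keep it limited to the container
###! networks.
###! Trailing semicolons dropped to match the rest of this file.
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "172.17.0.1"
gitlab_rails['smtp_port'] = 25
gitlab_rails['smtp_domain'] = "ryzen.w3usine.com"
gitlab_rails['smtp_enable_starttls_auto'] = false
gitlab_rails['smtp_tls'] = false
gitlab_rails['smtp_ssl'] = false
gitlab_rails['smtp_force_ssl'] = false

###! **Can be: 'none', 'peer', 'client_once', 'fail_if_no_peer_cert'**
###! Docs: http://api.rubyonrails.org/classes/actionmailer/base.html
###! Has no effect while smtp_tls and smtp_enable_starttls_auto are both false.
###! If TLS to the MTA is enabled later, change this to 'peer' so the MTA's
###! certificate is actually verified.
gitlab_rails['smtp_openssl_verify_mode'] = 'none'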

################################################################################
## Container registry settings
##! Docs: https://docs.gitlab.com/ce/administration/container_registry.html
################################################################################
##! Enables the registry bundled with omnibus; the Apache fragment for
##! gitlab-registry.w3usine.com forwards to this container (172.18.0.4:443),
##! so this is the registry that name actually serves. The separate 'registry'
##! service in docker-compose.yml (172.18.0.6, host port 5050) is an
##! independent second registry — confirm which of the two is intended.
registry_external_url 'https://gitlab-registry.w3usine.com'



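################################################################################
## GitLab NGINX
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html
################################################################################

nginx['enable'] = true
# nginx['client_max_body_size'] = '250m'
##! No HTTP→HTTPS redirect: container port 80 is published on the host as 8928
##! (docker-compose.yml) and is reachable in clear there. The public entry
##! point is the Apache vhost, which forwards to 443 only.
nginx['redirect_http_to_https'] = false
nginx['redirect_http_to_https_port'] = 80


##! **Recommended by: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
##!                   https://cipherli.st/**
##! TLSv1.1 removed: it is deprecated (RFC 8996) and the only client of this
##! listener is the host's Apache (SSLProxyEngine), which speaks TLSv1.2.
##! If `gitlab-ctl reconfigure` rejects TLSv1.3 on this build, use "TLSv1.2" alone.
nginx['ssl_protocols'] = "TLSv1.2 TLSv1.3"

##! **Override only if you use a reverse proxy**
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-nginx-listen-port
##! 443 matches the ProxyPass target https://172.18.0.4:443/ in the Apache fragments.
nginx['listen_port'] = 443
# nginx['listen_port'] = 80

##! **Override only if your reverse proxy internally communicates over HTTP**
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl
##! Apache re-encrypts towards the container, so the listener stays HTTPS.
nginx['listen_https'] = true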



################################################################################
## GitLab Pages
##! Docs: https://docs.gitlab.com/ce/pages/administration.html
################################################################################

##! Define to enable GitLab Pages
# pages_external_url "http://pages.example.com/"
##! Pages is disabled and no pages_external_url is set; the dir,
##! log_directory and artifacts_server values further down are presumably
##! inert until it is enabled — confirm.
gitlab_pages['enable'] = false

##! Configure to expose GitLab Pages on external IP address, serving the HTTP
# gitlab_pages['external_http'] = []

##! Configure to expose GitLab Pages on external IP address, serving the HTTPS
# gitlab_pages['external_https'] = []

##! Configure to enable health check endpoint on GitLab Pages
# gitlab_pages['status_uri'] = "/@status"

##! Configure to use JSON structured logging in GitLab Pages
# gitlab_pages['log_format'] = "json"

# gitlab_pages['listen_proxy'] = "localhost:8090"
# gitlab_pages['redirect_http'] = true
# gitlab_pages['use_http2'] = true
##! Both paths live under volumes bind-mounted from the host in docker-compose.yml
##! (/var/opt/gitlab and /var/log/gitlab).
gitlab_pages['dir'] = "/var/opt/gitlab/gitlab-pages"
gitlab_pages['log_directory'] = "/var/log/gitlab/gitlab-pages"

gitlab_pages['artifacts_server'] = true
# gitlab_pages['artifacts_server_url'] = nil # Defaults to external_url + '/api/v4'
# gitlab_pages['artifacts_server_timeout'] = 10

##! Environments that do not support bind-mounting should set this parameter to
##! true. This is incompatible with the artifacts server
# gitlab_pages['inplace_chroot'] = false

##! Prometheus metrics for Pages docs: https://gitlab.com/gitlab-org/gitlab-pages/#enable-prometheus-metrics
# gitlab_pages['metrics_address'] = ":9235"

################################################################################
## GitLab Pages NGINX
################################################################################

# All the settings defined in the "GitLab Nginx" section are also available in this "GitLab Pages NGINX" section
# You just have to change the key "nginx['some_settings']" with "pages_nginx['some_settings']"

# Below you can find settings that are exclusive to "GitLab Pages NGINX"
# NOTE(review): enabled while gitlab_pages['enable'] is false and no
# pages_external_url is set — presumably no Pages vhost is rendered in that
# case; confirm, or set this to false to match the Pages section.
pages_nginx['enable'] = true

# Under /var/opt/gitlab, i.e. the /data/apps/gitlab/data bind mount on the host.
gitlab_rails['pages_path'] = "/var/opt/gitlab/gitlab-rails/shared/pages"

################################################################################
## GitLab CI
##! Docs: https://docs.gitlab.com/ce/ci/quick_start/README.html
################################################################################
##! NOTE(review): the gitlab_ci[...] keys date from the era of a separate
##! GitLab CI service; confirm that 13.12 still honours them rather than
##! ignoring them silently.

gitlab_ci['gitlab_ci_all_broken_builds'] = true
gitlab_ci['gitlab_ci_add_pusher']        = true
# Under /var/opt/gitlab, i.e. the /data/apps/gitlab/data bind mount on the host.
gitlab_ci['builds_directory']            = '/var/opt/gitlab/gitlab-ci/builds'

################################################################################
# Let's Encrypt integration
################################################################################
# Disabled: certificates are produced on the host (Apache/ISPConfig) and copied
# into /etc/gitlab/ssl by the hourly cron job described above, so the bundled
# integration and its auto-renewal stay off. The remaining keys are kept for
# the day it is switched on.
letsencrypt['enable']         = false
# This should be an array of email addresses to add as contacts
letsencrypt['contact_emails'] = ['j@7pro.ca']
letsencrypt['group']          = 'root'
letsencrypt['key_size']       = 2048
letsencrypt['owner']          = 'root'
letsencrypt['wwwroot']        = '/var/opt/gitlab/nginx/www'
# See http://docs.gitlab.com/omnibus/settings/ssl.html#automatic-renewal for more on these settings
letsencrypt['auto_renew']              = false
letsencrypt['auto_renew_hour']         = 0
# letsencrypt['auto_renew_minute'] = nil # Should be a number or cron expression, if specified.
letsencrypt['auto_renew_day_of_month'] = '*/4'