From e3ff9c10ab47f93559bc22b8fd9c9033245f2423 Mon Sep 17 00:00:00 2001
From: zeppi
Date: Thu, 26 Jan 2023 11:16:01 -0500
Subject: [PATCH 1/3] gitlab service
---
 DIGITALOCEAN.md | 1 +
 gitlab/.env-dist | 11 ++++++
 gitlab/Makefile | 9 +++++
 gitlab/README.md | 28 ++++++++++++++
 gitlab/docker-compose.yaml | 79 ++++++++++++++++++++++++++++++++++++++
 5 files changed, 128 insertions(+)
 create mode 100644 gitlab/.env-dist
 create mode 100644 gitlab/Makefile
 create mode 100644 gitlab/README.md
 create mode 100644 gitlab/docker-compose.yaml
diff --git a/DIGITALOCEAN.md b/DIGITALOCEAN.md
index 05a16e33..d29c79c1 100644
--- a/DIGITALOCEAN.md
+++ b/DIGITALOCEAN.md
@@ -75,6 +75,7 @@ Create a new firewall:
  | HTTPS | TCP | 443 | Traefik HTTPS (TLS) endpoint |
  | Custom | TCP | 2222 | Traefik Gitea SSH (TCP) endpoint |
  | Custom | TCP | 2223 | SFTP container SSH (TCP) |
+ | Custom | TCP | 2224 | Traefik Gitlab SSH (TCP) endpoint|
  | Custom | TCP | 8883 | Traefik Mosquitto (TLS) endpoint |
 
  * (and any other ports you need.)
diff --git a/gitlab/.env-dist b/gitlab/.env-dist
new file mode 100644
index 00000000..c23d1943
--- /dev/null
+++ b/gitlab/.env-dist
@@ -0,0 +1,11 @@
+GITLAB_TRAEFIK_HOST=git.example.com
+GITLAB_SSH_PORT=2224
+# Choose Let's Encrypt 'staging' or 'production' environment:
+ACME_CERT_RESOLVER=production
+
+POSTGRES_USER=gitlab
+POSTGRES_HOST=postgresql
+POSTGRES_PORT=5432
+POSTGRES_PASS=password
+POSTGRES_DB_NAME=gitlab_production
+GITLAB_ROOT_PASSWORD=changeme
\ No newline at end of file
diff --git a/gitlab/Makefile b/gitlab/Makefile
new file mode 100644
index 00000000..c3f9174b
--- /dev/null
+++ b/gitlab/Makefile
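Review bot: `POSTGRES_PASS=password` and `GITLAB_ROOT_PASSWORD=changeme` in the .env-dist hunk are working-looking placeholder credentials; a user who follows the README's copy-to-.env step and runs `docker-compose up -d` gets a GitLab root account protected by `changeme`, and the `make config` guard added in PATCH 3/3 only replaces a value that is empty, so these placeholders survive it. Ship them blank so the generator fills them in, e.g. `POSTGRES_PASS=` and `GITLAB_ROOT_PASSWORD=` preceded by `# Leave empty: 'make config' generates a random value`. `POSTGRES_HOST` and `POSTGRES_PORT` are also defined here, but docker-compose.yaml hard-codes `DB_HOST: postgresql` and `DB_PORT: 5432`, so editing them has no effect; either reference them from the compose file or drop them.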
@@ -0,0 +1,9 @@
+ROOT_DIR = ..
+include ../_scripts/Makefile.projects
+
+.PHONY: config # Configure .env file
+config:
+	@${BIN}/reconfigure_ask ${ENV_FILE} GITLAB_TRAEFIK_HOST "Enter your gitlab domain name" "gl.${ROOT_DOMAIN}"
+	@${BIN}/reconfigure_ask ${ENV_FILE} APP_NAME "Enter the service description" "git thing"
+	@${BIN}/reconfigure ${ENV_FILE} POSTGRES_PASS=$(shell openssl rand -hex 45)
+	@${BIN}/reconfigure ${ENV_FILE} GITLAB_ROOT_PASSWORD=$(shell openssl rand -hex 45)
diff --git a/gitlab/README.md b/gitlab/README.md
new file mode 100644
index 00000000..6fd7361c
--- /dev/null
+++ b/gitlab/README.md
@@ -0,0 +1,28 @@
+# Gitea
+
+[Gitlab](https://gitlab.com/) is a git repository host, similar to GitHub, but
+entirely self-hosted. More description forthcoming...
+
+## Configuration
+
+Copy `.env-dist` to `.env`, and edit variables accordingly.
+
+ * `GITLAB_TRAEFIK_HOST` to the external domain name forwarded from traefik, eg.
+   `git.example.com`
+
+Config documention forthcoming...
+
+## Initial setup
+
+Bring up the service with `docker-compose up -d`
+Initial setup documentation forthcoming...
+
+```
+# Restart gitlab to get the config applied:
+docker-compose restart
+```
+
+## Notes
+
+Traefik listens for SSH connections on TCP port 2224 and forwards directly to
+the builtin Gitlab SSH service.
diff --git a/gitlab/docker-compose.yaml b/gitlab/docker-compose.yaml
new file mode 100644
index 00000000..9723c8a0
--- /dev/null
+++ b/gitlab/docker-compose.yaml
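Review bot: The `config` target prompts for `APP_NAME`, which nothing in this commit reads (it appears in neither .env-dist nor docker-compose.yaml), while `ACME_CERT_RESOLVER`, the variable that decides between Let's Encrypt staging and production, is left to manual editing. Unless ../_scripts/Makefile.projects consumes APP_NAME (not visible here), consider replacing that prompt with `@${BIN}/reconfigure_ask ${ENV_FILE} ACME_CERT_RESOLVER "Choose Let's Encrypt 'staging' or 'production'" "production"`. The generated secrets are handed to `reconfigure` as command-line arguments, so they are briefly visible in the process list to other local users; acceptable on a single-admin host, but worth a one-line comment stating that assumption. `${BIN}`, `${ENV_FILE}` and `${ROOT_DOMAIN}` come from the included Makefile.projects, which is outside this patch.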
@@ -0,0 +1,79 @@
+version: "3.3"
+
+networks:
+  traefik-proxy:
+    name: traefik-proxy
+
+services:
+  redis:
+    restart: always
+    image: redis:latest
+    security_opt:
+      - no-new-privileges:true
+    command:
+      - --loglevel warning
+    volumes:
+      - redis:/var/lib/redis
+  postgresql:
+    image: postgres:14
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    volumes:
+      - postgres:/var/lib/postgresql/data
+    environment:
+      - DB_NAME=${POSTGRES_DB_NAME}
+      - DB_USER=${POSTGRES_USER}
+      - DB_PASS=${POSTGRES_PASS}
+    healthcheck:
+      test:
+        [
+          "CMD-SHELL",
+          "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB_NAME"
+        ]
+  gitlab:
+    image: gitlab/gitlab-ce:latest
+    container_name: gitlab
+    restart: always
+    environment:
+      DEBUG: 'true'
+      DB_ADAPTER: postgresql
+      DB_HOST: postgresql
+      DB_PORT: 5432
+      DB_USER: ${POSTGRES_USER}
+      DB_PASS: ${POSTGRES_PASS}
+      DB_NAME: ${POSTGRES_DB_NAME}
+      GITLAB_ROOT_PASSWORD: ${GITLAB_ROOT_PASSWORD}
+      GITLAB_HOST: https://${GITLAB_TRAEFIK_HOST}
+      GITLAB_OMNIBUS_CONFIG: |
+        gitlab_rails['gitlab_shell_ssh_port'] = ${GITLAB_SSH_PORT}
+    networks:
+      - traefik-proxy
+    security_opt:
+      - no-new-privileges:true
+    volumes:
+      - data:/var/lib/gitlab
+      - config:/etc/gitlab
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    labels:
+      - "traefik.enable=true"
+      ## Web
+      - "traefik.http.routers.gitlab-web.rule=Host(`${GITLAB_TRAEFIK_HOST}`)"
+      - "traefik.http.routers.gitlab-web.entrypoints=websecure"
+      - "traefik.http.routers.gitlab-web.service=gitlab-web"
+      - "traefik.http.routers.gitlab-web.tls.certresolver=${ACME_CERT_RESOLVER}"
+      - "traefik.http.services.gitlab-web.loadbalancer.server.port=80"
+      ## SSH
+      - "traefik.tcp.routers.gitlab-ssh.rule=HostSNI(`*`)"
+      - "traefik.tcp.routers.gitlab-ssh.entrypoints=ssh"
+      - "traefik.tcp.routers.gitlab-ssh.service=gitlab-ssh"
+      - "traefik.tcp.services.gitlab-ssh.loadbalancer.server.port=22"
+
+volumes:
+  data:
+  config:
+  redis:
+  postgres:
+
+
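Review bot: The `gitlab` service joins only `traefik-proxy`, while `postgresql` and `redis` have no `networks:` key and therefore land on the project's default network, so `DB_HOST: postgresql` cannot be reached from the gitlab container at all. The postgres service is also started with `DB_NAME`/`DB_USER`/`DB_PASS`, but the `postgres:14` image initialises from `POSTGRES_DB`/`POSTGRES_USER`/`POSTGRES_PASSWORD` and refuses to start without the password, and its healthcheck reads `$$POSTGRES_USER`/`$$POSTGRES_DB_NAME`, which are never set inside that container. The `DB_*`, `GITLAB_HOST` and `DEBUG` variables look like another image's interface; as far as I can tell `gitlab/gitlab-ce` is configured only through `GITLAB_OMNIBUS_CONFIG` (plus `GITLAB_ROOT_PASSWORD` on first start), so with this file it would silently use its bundled database and redis and never touch the two sidecars. The sketch below renames the postgres variables, attaches gitlab to the default network and moves the database, redis and reverse-proxy settings into the Omnibus block; pinning `gitlab/gitlab-ce:latest` and `redis:latest` to a version would additionally make the stack reproducible.
```yaml
  postgresql:
    # … unchanged: image, restart, security_opt, volumes …
    environment:
      - POSTGRES_DB=${POSTGRES_DB_NAME}
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASS}
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]
  gitlab:
    # … unchanged: image, container_name, restart …
    environment:
      GITLAB_ROOT_PASSWORD: ${GITLAB_ROOT_PASSWORD}
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://${GITLAB_TRAEFIK_HOST}'
        # TLS is terminated by traefik, which forwards to port 80
        nginx['listen_port'] = 80
        nginx['listen_https'] = false
        letsencrypt['enable'] = false
        gitlab_rails['gitlab_shell_ssh_port'] = ${GITLAB_SSH_PORT}
        postgresql['enable'] = false
        gitlab_rails['db_host'] = '${POSTGRES_HOST}'
        gitlab_rails['db_port'] = ${POSTGRES_PORT}
        gitlab_rails['db_username'] = '${POSTGRES_USER}'
        gitlab_rails['db_password'] = '${POSTGRES_PASS}'
        gitlab_rails['db_database'] = '${POSTGRES_DB_NAME}'
        redis['enable'] = false
        gitlab_rails['redis_host'] = 'redis'
    networks:
      - default
      - traefik-proxy
    # … unchanged: security_opt, volumes, labels …
```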
From 236403d2082048bc63f29070d58549448ced9e38 Mon Sep 17 00:00:00 2001
From: zeppi
Date: Thu, 26 Jan 2023 11:45:27 -0500
Subject: [PATCH 2/3] readme - gitlab ssh port
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 0b92b5a2..d22a414d 100644
--- a/README.md
+++ b/README.md
@@ -171,6 +171,7 @@ these (default) ports in your firewall:
 | TCP socket | TCP | 1704 | Traefik Snapcast audio entrypoint |
 | SSH | TCP | 2222 | Traefik Gitea SSH (TCP) entrypoint |
 | SSH | TCP | 2223 | SFTP container SSH (TCP) (direct-map) |
+| SSH | TCP | 2224 | Traefik Gitlab SSH (TCP) entrypoint |
 | TLS | TCP | 5432 | PostgreSQL DBaaS (direct-map) |
 | TCP socket | TCP | 6600 | Traefik MPD (Mopidy) entrypoint |
 | TLS | TCP | 8883 | Traefik MQTT (TLS) entrypoint |
From d03b3601af1012e3475975dba2e24d7a13bca58a Mon Sep 17 00:00:00 2001
From: zeppi
Date: Thu, 26 Jan 2023 12:39:53 -0500
Subject: [PATCH 3/3] update makefile password script
---
 gitlab/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gitlab/Makefile b/gitlab/Makefile
index c3f9174b..c2e15639 100644
--- a/gitlab/Makefile
+++ b/gitlab/Makefile
@@ -5,5 +5,5 @@ include ../_scripts/Makefile.projects
 config:
 	@${BIN}/reconfigure_ask ${ENV_FILE} GITLAB_TRAEFIK_HOST "Enter your gitlab domain name" "gl.${ROOT_DOMAIN}"
 	@${BIN}/reconfigure_ask ${ENV_FILE} APP_NAME "Enter the service description" "git thing"
-	@${BIN}/reconfigure ${ENV_FILE} POSTGRES_PASS=$(shell openssl rand -hex 45)
-	@${BIN}/reconfigure ${ENV_FILE} GITLAB_ROOT_PASSWORD=$(shell openssl rand -hex 45)
+	@[[ -z "$$(dotenv -f ${ENV_FILE} get POSTGRES_PASS)" ]] && ${BIN}/reconfigure ${ENV_FILE} POSTGRES_PASS=$(shell openssl rand -hex 45) || true
+	@[[ -z "$$(dotenv -f ${ENV_FILE} get GITLAB_ROOT_PASSWORD)" ]] && ${BIN}/reconfigure ${ENV_FILE} GITLAB_ROOT_PASSWORD=$(shell openssl rand -hex 45) || true
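Review bot: `[[ … ]]` in the two new recipe lines is bash syntax, but make runs recipes with `/bin/sh` unless `SHELL` is set (possibly in ../_scripts/Makefile.projects, not visible here); on a host where `/bin/sh` is dash the test itself fails, the trailing `|| true` hides that failure, and no password is generated. The same `|| true` also masks a failing `reconfigure`, and the `-z` guard is never true after the README's copy-to-.env step because .env-dist ships `POSTGRES_PASS=password` and `GITLAB_ROOT_PASSWORD=changeme`, so those placeholders survive `make config`. Prefer POSIX `[` inside an explicit `if` so only the absence of a value is tolerated: `@if [ -z "$$(dotenv -f ${ENV_FILE} get POSTGRES_PASS)" ]; then ${BIN}/reconfigure ${ENV_FILE} POSTGRES_PASS=$(shell openssl rand -hex 45); fi` (and the same for GITLAB_ROOT_PASSWORD), and blank the two defaults in .env-dist. `dotenv` is a separate CLI the host must have installed; a line in gitlab/README.md naming it would save a confusing failure.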