gitlab starts #10

Draft
wants to merge 3 commits into
base: master
1 change: 1 addition & 0 deletions DIGITALOCEAN.md
@@ -75,6 +75,7 @@ Create a new firewall:
| HTTPS | TCP | 443 | Traefik HTTPS (TLS) endpoint |
| Custom | TCP | 2222 | Traefik Gitea SSH (TCP) endpoint |
| Custom | TCP | 2223 | SFTP container SSH (TCP) |
| Custom | TCP | 2224 | Traefik Gitlab SSH (TCP) endpoint|
| Custom | TCP | 8883 | Traefik Mosquitto (TLS) endpoint |

* (and any other ports you need.)
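Review bot: the new row documents TCP 2224 as the Traefik Gitlab SSH endpoint, but the compose file in this PR binds the `gitlab-ssh` router to the existing `ssh` entrypoint (`traefik.tcp.routers.gitlab-ssh.entrypoints=ssh`), which per the thread below is the Gitea entrypoint on 2222. Either add a 2224 entrypoint to the Traefik config or change this row to 2222, so the firewall documentation matches what Traefik actually listens on. Minor: `endpoint|` is missing the space before the closing pipe that the other rows have.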
1 change: 1 addition & 0 deletions README.md
@@ -171,6 +171,7 @@ these (default) ports in your firewall:
| TCP socket | TCP | 1704 | Traefik Snapcast audio entrypoint |
| SSH | TCP | 2222 | Traefik Gitea SSH (TCP) entrypoint |
| SSH | TCP | 2223 | SFTP container SSH (TCP) (direct-map) |
| SSH | TCP | 2224 | Traefik Gitlab SSH (TCP) entrypoint |
| TLS | TCP | 5432 | PostgreSQL DBaaS (direct-map) |
| TCP socket | TCP | 6600 | Traefik MPD (Mopidy) entrypoint |
| TLS | TCP | 8883 | Traefik MQTT (TLS) entrypoint |
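Review bot: same port mismatch as the DIGITALOCEAN.md row: this documents 2224 for Gitlab SSH while the compose labels use the shared `ssh` entrypoint on 2222. Whatever port is chosen must also match `GITLAB_SSH_PORT` in `.env-dist` (currently 2224), because that value is fed to `gitlab_rails['gitlab_shell_ssh_port']` and is the port GitLab advertises in SSH clone URLs; if it differs from the port Traefik actually exposes, every clone URL GitLab hands out will be wrong.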
11 changes: 11 additions & 0 deletions gitlab/.env-dist
@@ -0,0 +1,11 @@
GITLAB_TRAEFIK_HOST=git.example.com
GITLAB_SSH_PORT=2224
# Choose Let's Encrypt 'staging' or 'production' environment:
ACME_CERT_RESOLVER=production
Owner

@EnigmaCurry EnigmaCurry Feb 9, 2023

ACME_CERT_RESOLVER is no longer used


POSTGRES_USER=gitlab
Owner

These should all be namespaced like GITLAB_POSTGRES_USER

(In theory, you should be able to concatenate all of the d.rymcg.tech project .env files together into one and not have any overlaps)

POSTGRES_HOST=postgresql
POSTGRES_PORT=5432
POSTGRES_PASS=password
POSTGRES_DB_NAME=gitlab_production
GITLAB_ROOT_PASSWORD=changeme
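Review bot: `APP_NAME` is prompted for in the Makefile (`reconfigure_ask ${ENV_FILE} APP_NAME ...`) but is neither declared in this file nor referenced anywhere in docker-compose.yaml; either add `APP_NAME=` here or drop the prompt. The two placeholder secrets `POSTGRES_PASS=password` and `GITLAB_ROOT_PASSWORD=changeme` are live defaults for anyone who copies `.env-dist` to `.env` without running `make config`; leaving them empty means the Makefile's emptiness test fires and generates random values, and it avoids shipping a known credential in the repository.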
Owner

passwords should be blank in .env-dist, otherwise the Makefile won't randomize them.

Owner

please add a newline

9 changes: 9 additions & 0 deletions gitlab/Makefile
@@ -0,0 +1,9 @@
ROOT_DIR = ..
include ../_scripts/Makefile.projects

.PHONY: config # Configure .env file
config:
@${BIN}/reconfigure_ask ${ENV_FILE} GITLAB_TRAEFIK_HOST "Enter your gitlab domain name" "gl.${ROOT_DOMAIN}"
@${BIN}/reconfigure_ask ${ENV_FILE} APP_NAME "Enter the service description" "git thing"
@[[ -z "$$(dotenv -f ${ENV_FILE} get POSTGRES_PASS)" ]] && ${BIN}/reconfigure ${ENV_FILE} POSTGRES_PASS=$(shell openssl rand -hex 45) || true
Owner

dotenv should be ${BIN}/dotenv

Owner

@EnigmaCurry EnigmaCurry Feb 9, 2023

You can now use the reconfigure_password script instead of this.

@${BIN}/reconfigure_password ${ENV_FILE} POSTGRES_PASS

@[[ -z "$$(dotenv -f ${ENV_FILE} get GITLAB_ROOT_PASSWORD)" ]] && ${BIN}/reconfigure ${ENV_FILE} GITLAB_ROOT_PASSWORD=$(shell openssl rand -hex 45) || true
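Review bot: the `[[ -z ... ]]` tests in the `config` recipe are bash syntax; unless `../_scripts/Makefile.projects` sets `SHELL` to bash, make runs recipe lines with `/bin/sh`, where `[[` is not a builtin, the test fails, and the trailing `|| true` silently masks it, so the password is never set. Note also that `$(shell openssl rand -hex 45)` is expanded by make when the recipe line is processed, not by the shell after the emptiness test, so a random value is generated on every `make config` whether or not it is used; harmless, but it is one more reason to use the `reconfigure_password` helper suggested above, which applies to the `GITLAB_ROOT_PASSWORD` line as well as the `POSTGRES_PASS` one.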
28 changes: 28 additions & 0 deletions gitlab/README.md
@@ -0,0 +1,28 @@
# Gitea

[Gitlab](https://gitlab.com/) is a git repository host, similar to GitHub, but
entirely self-hosted. More description forthcoming...

## Configuration

Copy `.env-dist` to `.env`, and edit variables accordingly.

* `GITLAB_TRAEFIK_HOST` to the external domain name forwarded from traefik, eg.
`git.example.com`

Config documention forthcoming...

## Initial setup

Bring up the service with `docker-compose up -d`
Owner

Let's use the make style to describe how to bring up the service.

make config
make install
make open

Initial setup documentation forthcoming...

```
# Restart gitlab to get the config applied:
docker-compose restart
```

## Notes

Traefik listens for SSH connections on TCP port 2224 and forwards directly to
the builtin Gitlab SSH service.
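Review bot: the first line of the new README is `# Gitea`, but this is the Gitlab README; the heading looks copied from the Gitea project and should read `# Gitlab`. Also `documention` should be `documentation`, and the `docker-compose restart` snippet under "Initial setup" should follow the `make` style requested above rather than calling docker-compose directly, so the two ways of bringing the service up don't diverge.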
79 changes: 79 additions & 0 deletions gitlab/docker-compose.yaml
@@ -0,0 +1,79 @@
version: "3.3"

networks:
traefik-proxy:
name: traefik-proxy

services:
redis:
restart: always
image: redis:latest
security_opt:
- no-new-privileges:true
command:
- --loglevel warning
volumes:
- redis:/var/lib/redis
postgresql:
image: postgres:14
restart: unless-stopped
security_opt:
- no-new-privileges:true
volumes:
- postgres:/var/lib/postgresql/data
environment:
- DB_NAME=${POSTGRES_DB_NAME}
- DB_USER=${POSTGRES_USER}
- DB_PASS=${POSTGRES_PASS}
healthcheck:
test:
[
"CMD-SHELL",
"pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB_NAME"
Owner

is double $$ correct here?

]
gitlab:
image: gitlab/gitlab-ce:latest
container_name: gitlab
Owner

remove the container name to support multiple instances.

restart: always
environment:
DEBUG: 'true'
DB_ADAPTER: postgresql
DB_HOST: postgresql
DB_PORT: 5432
DB_USER: ${POSTGRES_USER}
DB_PASS: ${POSTGRES_PASS}
DB_NAME: ${POSTGRES_DB_NAME}
GITLAB_ROOT_PASSWORD: ${GITLAB_ROOT_PASSWORD}
GITLAB_HOST: https://${GITLAB_TRAEFIK_HOST}
GITLAB_OMNIBUS_CONFIG: |
gitlab_rails['gitlab_shell_ssh_port'] = ${GITLAB_SSH_PORT}
networks:
- traefik-proxy
Owner

we're not using the traefik-proxy network anymore, no networks need to be configured.

security_opt:
- no-new-privileges:true
volumes:
- data:/var/lib/gitlab
- config:/etc/gitlab
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
labels:
- "traefik.enable=true"
## Web
- "traefik.http.routers.gitlab-web.rule=Host(`${GITLAB_TRAEFIK_HOST}`)"
- "traefik.http.routers.gitlab-web.entrypoints=websecure"
- "traefik.http.routers.gitlab-web.service=gitlab-web"
Owner

specifying the service is not necessary, traefik will autodetect this.

- "traefik.http.routers.gitlab-web.tls.certresolver=${ACME_CERT_RESOLVER}"
Owner

certresolvers aren't needed anymore now that we are using manual cert creation with make certs

- "traefik.http.services.gitlab-web.loadbalancer.server.port=80"
Owner

server.port is not required as long as the image properly specifies an EXPOSE in its Dockerfile; traefik will autodetect the port.

## SSH
- "traefik.tcp.routers.gitlab-ssh.rule=HostSNI(`*`)"
- "traefik.tcp.routers.gitlab-ssh.entrypoints=ssh"
Owner

ssh is the same entrypoint that gitea uses; it's on port 2222. Did you mean to use a different entrypoint on port 2224 (this requires modifying the traefik config)? I don't know why you would need to run both gitea and gitlab on the same machine, so maybe sharing the same entrypoint is the right thing to do.

Owner

#@ if data.values.ssh_entrypoint_enabled == "true":
ssh:
address: #@ data.values.ssh_entrypoint_host + ":" + data.values.ssh_entrypoint_port
#@ end

- "traefik.tcp.routers.gitlab-ssh.service=gitlab-ssh"
- "traefik.tcp.services.gitlab-ssh.loadbalancer.server.port=22"

volumes:
data:
config:
redis:
postgres:
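Review bot: the `postgresql` service's environment and healthcheck do not line up, and the `gitlab` service does not actually use that database. The official `postgres:14` image reads `POSTGRES_USER`, `POSTGRES_PASSWORD` and `POSTGRES_DB`, not `DB_NAME`/`DB_USER`/`DB_PASS`, so the role and database are never created with the configured values; and `pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB_NAME` expands two variables that are not set in that container (the `$$` itself is correct: compose turns it into a literal `$` for the container's shell to expand, which answers the question above). Suggest `POSTGRES_USER=${POSTGRES_USER}`, `POSTGRES_PASSWORD=${POSTGRES_PASS}`, `POSTGRES_DB=${POSTGRES_DB_NAME}` with a healthcheck that names the same variables. Separately, `DB_ADAPTER`/`DB_HOST`/`DB_PORT`/`DB_USER`/`DB_PASS`/`DB_NAME` and `GITLAB_HOST` are not read by `gitlab/gitlab-ce`; the omnibus image is configured through `GITLAB_OMNIBUS_CONFIG` (`external_url`, `gitlab_rails['db_host']` and friends), so as written GitLab will start its bundled PostgreSQL and Redis and ignore the `postgresql` and `redis` services entirely, while those two containers still hold the plaintext `POSTGRES_PASS` in their environment for nothing. There is also no `depends_on` to order startup, and with `gitlab` on `traefik-proxy` and the other two services on the default network, `DB_HOST: postgresql` would not resolve anyway; dropping the `networks:` block as requested above fixes the latter.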