
GitLab

GitLab ist eine Software für Code-Management und Versionierung. Außerdem bietet es eine Vielzahl an Tools für die Zusammenarbeit in Teams, wie Issue-Tracking, CI/CD-Pipelines und Wikis.

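version: '3.9'

services:
  gitlab:
    # Floating tag: pin to a specific release tag (or digest) so upgrades are
    # deliberate and reproducible rather than whatever `latest` resolves to.
    image: 'gitlab/gitlab-ce'
    restart: always
    # The value is a Ruby snippet evaluated as gitlab.rb on container start.
    # external_url stays plain http because TLS is terminated by the reverse
    # proxy in front of the container (letsencrypt inside GitLab is therefore
    # off). Its host must match the proxy's server_name / Host rule and the
    # OIDC redirect_uri (gitlab.domain.de); the original used git.domain.de,
    # which would make generated links and the OAuth callback point at a
    # different name than the proxy serves.
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'http://gitlab.domain.de'
        letsencrypt['enable'] = false
    # Published on the IPv6 loopback only, so the instance is reachable
    # exclusively through the reverse proxy on this host. Defined once: the
    # original repeated the `ports:` key after `volumes:`, which is invalid
    # YAML (most parsers silently keep only the last occurrence).
    ports:
      - "[::1]:8000:80"
    # Persistent state; /etc/gitlab holds secrets (gitlab-secrets.json) and
    # must be backed up and access-restricted on the host.
    volumes:
      - "/srv/gitlab/config:/etc/gitlab"
      - "/srv/gitlab/logs:/var/log/gitlab"
      - "/srv/gitlab/data:/var/opt/gitlab"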
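# /etc/nginx/sites-available/gitlab.domain.de
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=modern&openssl=1.1.1d&guideline=5.6
# TLS-terminating reverse proxy for the GitLab container published on [::1]:8000.
# Only the HTTPS server is shown; a port-80 server block redirecting to https
# is not part of this snippet.
server {
    server_name gitlab.domain.de;
    listen 0.0.0.0:443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /root/.acme.sh/gitlab.domain.de_ecc/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/gitlab.domain.de_ecc/gitlab.domain.de.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    # modern configuration
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    # NOTE(review): the Mozilla template this follows also sets
    # ssl_trusted_certificate (root + intermediates) and a resolver; without
    # them ssl_stapling_verify cannot validate the response and nginx logs a
    # warning instead of stapling — confirm these are present elsewhere.
    ssl_stapling on;
    ssl_stapling_verify on;

    # git pushes and uploads exceed nginx's 1m default body limit; GitLab's
    # own bundled nginx uses 0 (unlimited).
    client_max_body_size 0;

    location / {
        proxy_pass http://[::1]:8000/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        # X-Real-IP carries the single connecting client address and
        # X-Forwarded-For the appended hop chain. The original had the two
        # variables swapped, putting a comma-separated list into X-Real-IP.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Lets GitLab generate https links despite the plain-http external_url.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}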
    # Traefik alternative to the nginx proxy (v2+ rule syntax): requests for
    # Host(`gitlab.domain.de`) arriving on the `websecure` entrypoint are
    # forwarded to the container's port 80. With traefik in front, the
    # loopback port mapping is no longer needed; the container must sit on a
    # network traefik can reach. NOTE(review): TLS for `websecure` is assumed
    # to be configured on the traefik side — confirm.
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.srv_gitlab.loadbalancer.server.port=80"
      - "traefik.http.routers.r_gitlab.rule=Host(`gitlab.domain.de`)"
      - "traefik.http.routers.r_gitlab.entrypoints=websecure"

Die external_url muss http://... sein, wenn man einen Reverse Proxy verwendet, der TLS terminiert. Andernfalls würde GitLab versuchen, die Anfragen eines Benutzers auf https weiterzuleiten, und dieser würde in einer endlosen Weiterleitungsschleife enden.

Mailserver

Um einen Mailserver einzurichten, muss man nur die folgenden wenigen Konfigurationsoptionen zur Environment-Variable GITLAB_OMNIBUS_CONFIG hinzufügen:

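        # Outgoing mail through an authenticated SMTP submission service
        # (port 587 with STARTTLS). Appended to GITLAB_OMNIBUS_CONFIG.
        gitlab_rails['gitlab_email_enabled'] = true
        gitlab_rails['gitlab_email_from'] = 'gitlab@domain.de'
        gitlab_rails['gitlab_email_display_name'] = 'gitlab@domain.de'
        gitlab_rails['gitlab_email_reply_to'] = 'gitlab@domain.de'
        gitlab_rails['smtp_enable'] = true
        # smtp_address is the SMTP server's hostname, not a mailbox; the
        # original put the sender address here, which cannot be connected to.
        gitlab_rails['smtp_address'] = 'smtp.domain.de'
        gitlab_rails['smtp_port'] = 587
        gitlab_rails['smtp_user_name'] = 'gitlab@domain.de'
        # Placeholder value. Do not commit the real password; inject it at
        # deploy time (environment variable or secret file) instead.
        gitlab_rails['smtp_password'] = 'S3cr3T'
        # Domain announced in the SMTP HELO/EHLO.
        gitlab_rails['smtp_domain'] = 'smtp.domain.de'
        gitlab_rails['smtp_authentication'] = 'login'
        gitlab_rails['smtp_enable_starttls_auto'] = true
        # Consider gitlab_rails['smtp_openssl_verify_mode'] = 'peer' so the
        # server certificate is verified after STARTTLS.
        gitlab_rails['gitlab_root_email'] = 'admin@domain.de'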

OpenID / Keycloak

Die Einrichtung von OIDC mit Keycloak ist genauso einfach. Auch hier müssen lediglich die folgenden Attribute zur Environment-Variable GITLAB_OMNIBUS_CONFIG hinzugefügt werden:

        # Single sign-on against Keycloak using GitLab's generic OAuth2
        # strategy. Appended to GITLAB_OMNIBUS_CONFIG.
        gitlab_rails['omniauth_enabled'] = true
        # false: accounts auto-created on first login are usable immediately,
        # so every Keycloak user allowed on this client can sign in without an
        # admin approving the account. Restrict the client in Keycloak accordingly.
        gitlab_rails['omniauth_block_auto_created_users'] = false
        gitlab_rails['omniauth_allow_single_sign_on'] = ['oauth2_generic']
        # The sign-in page redirects straight to Keycloak.
        gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'oauth2_generic'
        gitlab_rails['omniauth_providers'] = [
          {
            "name" => "oauth2_generic",
            # Client ID of the GitLab client in Keycloak.
            "app_id" => "gitlab.domain.de",
            # Placeholder for the Keycloak client secret; do not commit the
            # real value, inject it at deploy time.
            "app_secret" => "",
            'args' => {
              # Keycloak realm "main" endpoints, relative to site.
              client_options: {
                'site' => 'https://id.domain.de',
                'user_info_url' => '/realms/main/protocol/openid-connect/userinfo',
                'authorize_url' => '/realms/main/protocol/openid-connect/auth',
                'token_url' => '/realms/main/protocol/openid-connect/token'
              },
              user_response_structure: {
                 # 'sub' is the stable subject identifier in the userinfo response.
                 id_path: ['sub'],
                 # NOTE(review): Keycloak's default userinfo exposes the login as
                 # 'preferred_username'; a 'username' claim needs a matching
                 # client mapper — confirm.
                 attributes: { username: 'username'}
              }
            },
            # NOTE(review): no scope is requested here, and redirect_uri sits at
            # the provider level rather than under 'args' — confirm both are
            # honoured by the installed GitLab version.
            'redirect_uri' =>  'https://gitlab.domain.de/users/auth/oauth2_generic/callback'
          }
        ]
        # Users signing in via Keycloak skip GitLab's own 2FA; acceptable only
        # if MFA is enforced in Keycloak for this client.
        gitlab_rails['omniauth_allow_bypass_two_factor'] = ["oauth2_generic"]