Set up GitLab with docker-compose

Set up GitLab with docker-compose, including the container registry

# Working directory for the stack; the compose file below bind-mounts all
# persistent data under it (./redis, ./postgresql, ./gitlab, ./certs, ...).
mkdir ~/gitlab
cd ~/gitlab

Create the docker-compose file

# Create the compose file with the content that follows.
nano docker-compose.yml
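# Compose stack for a self-hosted GitLab with a Docker registry and a CI
# runner. All services except the runner share the `localnet` bridge network;
# the gitlab and registry containers are reachable on it under the DNS
# aliases declared below.
#
# Secrets: DB_PASS and the GITLAB_SECRETS_*_KEY_BASE values are the guide's
# literal placeholders. Replace them before the first start (GitLab derives
# its encryption keys from them, so changing them later breaks credentials
# already stored in the database) and keep DB_PASS identical in the
# `postgresql` and `gitlab` services.
version: '2'
services:
  redis:
    container_name: gitlab-redis
    restart: always
    image: sameersbn/redis:latest
    command:
    - --loglevel warning
    volumes:
    # `:Z` relabels the bind mount for SELinux hosts (private label).
    - ./redis:/var/lib/redis:Z
    networks:
    - localnet
  postgresql:
    container_name: gitlab-postgres
    restart: always
    image: sameersbn/postgresql:9.6-1
    volumes:
    - ./postgresql:/var/lib/postgresql:Z
    environment:
    - DB_USER=gitlab
    - DB_PASS=password
    - DB_NAME=gitlabhq_production
    # GitLab requires the pg_trgm extension for its trigram search indexes.
    - DB_EXTENSION=pg_trgm
    networks:
    - localnet
  gitlab:
    container_name: gitlab
    restart: always
    image: sameersbn/gitlab:8.17.2
    depends_on:
    - redis
    - postgresql
    ports:
    # Host ports nginx (10080) and git-over-SSH clients (10022) connect to;
    # quoted so YAML cannot read them as sexagesimal numbers.
    - "10080:80"
    - "10022:22"
    volumes:
    - ./gitlab/data:/home/git/data:Z
    - ./gitlab/logs:/var/log/gitlab
    # Token-signing key and registry TLS material from the openssl script
    # further down the guide.
    - ./certs:/certs
    environment:
    - DEBUG=false
    - DB_ADAPTER=postgresql
    - DB_HOST=postgresql
    - DB_PORT=5432
    - DB_USER=gitlab
    - DB_PASS=password
    - DB_NAME=gitlabhq_production
    - REDIS_HOST=redis
    - REDIS_PORT=6379
    # Must match the published host ports above.
    - GITLAB_SSH_PORT=10022
    - GITLAB_PORT=10080
    - GITLAB_HOST=git.labs.lc
    - GITLAB_SECRETS_SECRET_KEY_BASE=neraterandomstringstasdasdghjfkajfhsakjfhk234hkwdjhfdskjfhsdkjf
    - GITLAB_SECRETS_OTP_KEY_BASE=dfjdsafjsaglhjsdlkfjghsldfghjdslfjghsldfghjsldjfhgsldkjfhglsjdfghdslfghjldsjfhgdsljfghdsljfghsldjfghdsljghf
    - GITLAB_SECRETS_DB_KEY_BASE=superrandomsecret
    - GITLAB_REGISTRY_ENABLED=true
    - GITLAB_REGISTRY_HOST=registry.git.labs.lc
    - GITLAB_REGISTRY_PORT=5000
    # No quotes here: in compose's list form the value is passed verbatim, so
    # the original `="https://..."` handed GitLab a URL wrapped in literal
    # double quotes.
    - GITLAB_REGISTRY_API_URL=https://registry.git.labs.lc:5000/
    # Private key GitLab signs registry auth tokens with; the registry
    # verifies them against the matching certificate
    # (REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE in the `registry` service).
    - GITLAB_REGISTRY_KEY_PATH=/certs/registry-auth.key
    - SSL_REGISTRY_CERT_PATH=/certs/registry.crt
    - SSL_REGISTRY_KEY_PATH=/certs/registry.key
    networks:
      localnet:
        aliases:
        - git.labs.lc
  registry:
    container_name: docker-registry
    restart: always
    image: registry:2.4.1
    volumes:
    - ./gitlab/shared/registry:/registry
    - ./certs:/certs
    - ./letsencrypt:/etc/letsencrypt
    environment:
    - REGISTRY_LOG_LEVEL=info
    - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/registry
    # Clients are sent here to obtain a token. This is the plain-HTTP public
    # address; once the nginx HTTPS proxy from the end of the guide is in
    # place, consider pointing it at the https:// URL so tokens are not
    # exchanged in clear text.
    - REGISTRY_AUTH_TOKEN_REALM=http://git.itc-life.ru:10080/jwt/auth
    - REGISTRY_AUTH_TOKEN_SERVICE=container_registry
    - REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer
    - REGISTRY_HTTP_TLS_CERTIFICATE=/etc/letsencrypt/live/registry.git.itc-life.ru/fullchain.pem
    - REGISTRY_HTTP_TLS_KEY=/etc/letsencrypt/live/registry.git.itc-life.ru/privkey.pem
    # Must be the certificate paired with GITLAB_REGISTRY_KEY_PATH; the
    # guide's openssl script writes it as registry-auth.crt (the original
    # pointed at registry-sauth.crt, which nothing creates).
    - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry-auth.crt
    - REGISTRY_STORAGE_DELETE_ENABLED=true
    ports:
    # Published on every host interface; restrict it at the host firewall if
    # the machine is reachable from untrusted networks.
    - "0.0.0.0:5000:5000"
    networks:
      localnet:
        aliases:
        - registry.git.labs.lc
  gitlab-runner:
    container_name: gitlab-runner
    restart: always
    image: gitlab/gitlab-runner:latest
    volumes:
    - ./gitlab-runner/data:/home/gitlab_ci_multi_runner/data
    - ./gitlab-runner/config:/etc/gitlab-runner
    # Gives the runner full control of the host Docker daemon, which is
    # root-equivalent on the host; anyone able to run CI jobs on this runner
    # inherits that level of access.
    - /var/run/docker.sock:/var/run/docker.sock:rw
    environment:
    # The runner is not attached to `localnet`, so git.labs.lc has to be
    # resolvable through the `dns` server configured below.
    - CI_SERVER_URL=http://git.labs.lc:10080/ci
    dns: 192.168.88.100
networks:
  localnet: {}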

Done.
Pull the images

# Fetch every image referenced by docker-compose.yml before the first start.
docker-compose pull

Create a directory for the certificates

# ./certs is bind-mounted into the gitlab and registry containers as /certs;
# the script in the next step writes the keys and certificates here.
mkdir certs
cd certs

Generate certificates for the registry

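#!/bin/bash
# Generates the key material docker-compose mounts from ./certs (run it
# inside that directory):
#   registry-auth.key / registry-auth.crt  token-signing pair: GitLab signs
#       registry auth tokens with the key (GITLAB_REGISTRY_KEY_PATH) and the
#       registry verifies them with the certificate
#       (REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE)
#   rootCA.key / rootCA.pem                private CA that signs the registry
#       TLS certificate
#   registry.key / registry.crt            registry TLS pair
#       (SSL_REGISTRY_CERT_PATH / SSL_REGISTRY_KEY_PATH)
# Every private key is written unencrypted (-nodes, genrsa without a cipher);
# keep the directory readable only by the account that runs the stack.
#
# Abort on the first failing command instead of continuing with a missing
# intermediate file (the original had no shebang `!` and no error handling).
set -euo pipefail

GITLABCN="git.itc-life.ru"
# NOTE(review): the compose file aliases the registry as registry.git.labs.lc
# and sets GITLAB_REGISTRY_HOST to it; the name clients connect with must
# match the CN below, so use one name in both places.
GITLAB_REGISTRY_CN="registry.git.itc-life.ru"

# Token-signing key and CSR; the CN is the GitLab host (the token issuer).
openssl req -nodes -newkey rsa:2048 -keyout registry-auth.key -out registry-auth.csr -subj "/CN=$GITLABCN"
# Self-signed certificate for that key, valid ten years.
openssl x509 -in registry-auth.csr -out registry-auth.crt -req -signkey registry-auth.key -days 3650

# Private CA used only to sign the registry's TLS certificate.
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem -subj "/C=RU/ST=Tyumen Obl/L=Tyumen/O=My organization/OU=IT Department/CN=$GITLABCN"

# Registry TLS key and CSR with the registry host name as CN ...
openssl genrsa -out registry.key 2048
openssl req -new -key registry.key -out registry.csr -subj "/C=RU/ST=Tyumen Obl/L=Tyumen/O=My organization/OU=IT Department/CN=$GITLAB_REGISTRY_CN"
# ... signed by the private CA. Docker clients have to trust rootCA.pem for
# this certificate; the guide later swaps in a Let's Encrypt certificate.
openssl x509 -req -in registry.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out registry.crt -days 500

# Let's Encrypt X3 cross-signed intermediate. NOTE(review): this intermediate
# has since been retired; confirm the current chain before relying on it.
wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt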

Note: I generated the certificate for the registry with Let's Encrypt and moved it into the folder certs/registry.git.itc-life.ru/.
Done.
Start the stack.

# Start all services in the background; `restart: always` keeps them up
# across daemon restarts.
docker-compose up -d

Then create the nginx proxy config for GitLab. To obtain a Let's Encrypt certificate for HTTPS, first create this HTTP-only config:

# First (HTTP-only) version of the vhost; it is extended with an HTTPS server
# block once the certificate exists.
nano /etc/nginx/conf.d/git.itc-life.ru.conf
# GitLab container, reached through the port compose publishes on the host.
upstream gitlab {
  server 192.168.88.10:10080 fail_timeout=0;
}

# HTTP-only entry point used while no certificate exists yet: answers the
# ACME http-01 challenge from the webroot and sends everything else to HTTPS
# (which only starts answering once the second config is installed).
server {
  listen 80;
  server_name git.itc-life.ru;
  server_tokens off;
  root /dev/null;

  location ^~ /.well-known/acme-challenge/ {
    # Same directory as certbot's --webroot-path.
    root /var/www/letsencrypt;
  }

  location / {
    return 301 https://$server_name$request_uri;
  }
}

Reload nginx

# Debian init-script target; presumably validates the config and then
# reloads nginx (equivalent to `configtest` followed by `reload`) — confirm
# on your distribution.
/etc/init.d/nginx check-reload

Install certbot

# Install certbot via the certbot-auto wrapper into /usr/local/sbin.
cd /usr/local/sbin
# NOTE(review): certbot-auto is no longer maintained by the EFF; confirm the
# download still works or install certbot from the distribution instead.
wget https://dl.eff.org/certbot-auto
chmod a+x /usr/local/sbin/certbot-auto
# Locale setup, presumably so certbot-auto's Python tooling finds a UTF-8
# locale. NOTE(review): the canonical name is ru_RU.UTF-8 — confirm that
# locale-gen accepts the lowercase spelling used here.
locale-gen ru_RU ru_ru.UTF-8
dpkg-reconfigure locales
# Python 2 pip; presumably needed by certbot-auto's installer.
apt install python-pip
pip install --upgrade pip

Generate the SSL certificate with Let's Encrypt

# Obtain the certificate via the http-01 webroot challenge. --webroot-path
# must be the directory the port-80 server block serves for
# /.well-known/acme-challenge/ (/var/www/letsencrypt in the config above).
certbot-auto certonly -a webroot --webroot-path=/var/www/letsencrypt --agree-tos --non-interactive --text --email "admin@itc-life.ru"   -d git.itc-life.ru

Then edit the config to add the HTTPS server block

# Final version of the vhost, now with the HTTPS server block.
nano /etc/nginx/conf.d/git.itc-life.ru.conf
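# GitLab container's published HTTP port (compose: "10080:80").
upstream gitlab {
  server 192.168.88.10:10080 fail_timeout=0;
}

# Plain-HTTP listener: serves the ACME challenge for certbot's webroot plugin
# and redirects everything else to HTTPS.
server {
  listen 80;
  server_name git.itc-life.ru;
  server_tokens off;
  root /dev/null;

  # Must stay reachable over HTTP so certificate renewals keep working;
  # the path matches certbot's --webroot-path.
  location ^~ /.well-known/acme-challenge/ {
    root /var/www/letsencrypt;
  }

  location / {
    return 301 https://$server_name$request_uri;
  }
}

# HTTPS listener: terminates TLS with the Let's Encrypt certificate and
# proxies to GitLab. `ssl on;` from the original is dropped: `listen ... ssl`
# already enables TLS and the directive is deprecated.
server {
  listen 443 ssl http2;
  server_name git.itc-life.ru;
  server_tokens off;
  root /dev/null;

  ssl_certificate /etc/letsencrypt/live/git.itc-life.ru/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/git.itc-life.ru/privkey.pem;
  # Not generated anywhere in this guide; nginx refuses to start if the file
  # is missing (create it with `openssl dhparam -out /etc/nginx/dhparam.pem 2048`).
  ssl_dhparam /etc/nginx/dhparam.pem;
  ssl_session_timeout 24h;
  ssl_session_cache shared:SSL:2m;
  # TLS 1.0/1.1 dropped: both are deprecated and current git and Docker
  # clients speak TLS 1.2.
  ssl_protocols TLSv1.2;
  # 3DES excluded outright; the original list removed it (-3DES) and then
  # re-added it at the end (kEDH+3DES:DES-CBC3-SHA).
  ssl_ciphers EECDH+AES128:kEECDH:kEDH:kRSA+AES128:!3DES:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2;
  ssl_prefer_server_ciphers on;
  # OCSP stapling needs a `resolver` directive so nginx can look up the
  # responder named in the certificate; without one stapling is silently
  # skipped.
  ssl_stapling on;

  # Safe to send: port 80 already redirects every request here.
  add_header Strict-Transport-Security "max-age=31536000" always;
  # Response header for browsers. The original used proxy_set_header, which
  # only adds a header to the request forwarded to GitLab and never reaches
  # the client.
  add_header X-Frame-Options SAMEORIGIN always;

  location / {
    ## If you use https make sure you disable gzip compression
    ## to be safe against BREACH attack.
    gzip off;
    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_redirect off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Tells GitLab the client came in over HTTPS so it builds https:// URLs.
    proxy_set_header X-Forwarded-Proto https;
    proxy_pass http://gitlab;
  }
}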
Open http://git.itc-life.ru in a browser.

Now we can set a password and log in as the root user with the new password.
