Set up GitLab with docker-compose, including a container registry
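# Create the working directory that holds docker-compose.yml and all the
# bind-mounted data/certs directories, then enter it. The two commands
# were run together on one line in the original, which would pass
# "cd" and "~/gitlab" as extra arguments to mkdir.
mkdir -p ~/gitlab
cd ~/gitlab || exit 1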
Create the docker-compose file
# Open the compose file in an editor and paste the content below.
nano docker-compose.yml
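version: '2'
services:
  redis:
    container_name: gitlab-redis
    restart: always
    # NOTE(review): an unpinned "latest" tag makes every pull a potential
    # upgrade; pin a version as the other services do.
    image: sameersbn/redis:latest
    command:
      - --loglevel warning
    volumes:
      - ./redis:/var/lib/redis:Z
    networks:
      - localnet
  postgresql:
    container_name: gitlab-postgres
    restart: always
    image: sameersbn/postgresql:9.6-1
    volumes:
      - ./postgresql:/var/lib/postgresql:Z
    environment:
      - DB_USER=gitlab
      # Placeholder credential; replace it before first start and keep it
      # identical to DB_PASS in the gitlab service below.
      - DB_PASS=password
      - DB_NAME=gitlabhq_production
      - DB_EXTENSION=pg_trgm
    networks:
      - localnet
  gitlab:
    container_name: gitlab
    restart: always
    image: sameersbn/gitlab:8.17.2
    depends_on:
      - redis
      - postgresql
    # Bound on every interface; GitLab is reachable over plain HTTP on
    # 10080 even once the nginx HTTPS proxy below is in front of it.
    ports:
      - "10080:80"
      - "10022:22"
    volumes:
      - ./gitlab/data:/home/git/data:Z
      - ./gitlab/logs:/var/log/gitlab
      # Holds the private keys generated by the script further down.
      - ./certs:/certs
    environment:
      - DEBUG=false
      - DB_ADAPTER=postgresql
      - DB_HOST=postgresql
      - DB_PORT=5432
      - DB_USER=gitlab
      - DB_PASS=password
      - DB_NAME=gitlabhq_production
      - REDIS_HOST=redis
      - REDIS_PORT=6379
      - GITLAB_SSH_PORT=10022
      - GITLAB_PORT=10080
      - GITLAB_HOST=git.labs.lc
      # The three *_KEY_BASE values are sample secrets from the original
      # post; generate fresh random values for a real deployment. They
      # encrypt stored secrets, so changing them later breaks decryption.
      - GITLAB_SECRETS_SECRET_KEY_BASE=neraterandomstringstasdasdghjfkajfhsakjfhk234hkwdjhfdskjfhsdkjf
      - GITLAB_SECRETS_OTP_KEY_BASE=dfjdsafjsaglhjsdlkfjghsldfghjdslfjghsldfghjsldjfhgsldkjfhglsjdfghdslfghjldsjfhgdsljfghdsljfghsldjfghdsljghf
      - GITLAB_SECRETS_DB_KEY_BASE=superrandomsecret
      - GITLAB_REGISTRY_ENABLED=true
      - GITLAB_REGISTRY_HOST=registry.git.labs.lc
      - GITLAB_REGISTRY_PORT=5000
      # In list-form "environment", surrounding quotes become part of the
      # value, so the original `="https://..."` handed GitLab a URL wrapped
      # in literal double quotes.
      - GITLAB_REGISTRY_API_URL=https://registry.git.labs.lc:5000/
      # Key GitLab signs registry auth tokens with; the registry verifies
      # them with the matching certificate (REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE).
      - GITLAB_REGISTRY_KEY_PATH=/certs/registry-auth.key
      - SSL_REGISTRY_CERT_PATH=/certs/registry.crt
      - SSL_REGISTRY_KEY_PATH=/certs/registry.key
    networks:
      localnet:
        aliases:
          - git.labs.lc
  registry:
    container_name: docker-registry
    restart: always
    image: registry:2.4.1
    volumes:
      - ./gitlab/shared/registry:/registry
      - ./certs:/certs
      - ./letsencrypt:/etc/letsencrypt
    environment:
      - REGISTRY_LOG_LEVEL=info
      - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/registry
      # Docker clients are redirected here to fetch a bearer token, so it
      # must be reachable from the client. It is plain HTTP on the
      # container port; once the nginx HTTPS proxy below exists, consider
      # pointing it at the https:// address so tokens are not sent in clear.
      - REGISTRY_AUTH_TOKEN_REALM=http://git.itc-life.ru:10080/jwt/auth
      - REGISTRY_AUTH_TOKEN_SERVICE=container_registry
      - REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer
      # Served certificate comes from Let's Encrypt (see the note after the
      # cert-generation script), not from the self-signed registry.crt.
      - REGISTRY_HTTP_TLS_CERTIFICATE=/etc/letsencrypt/live/registry.git.itc-life.ru/fullchain.pem
      - REGISTRY_HTTP_TLS_KEY=/etc/letsencrypt/live/registry.git.itc-life.ru/privkey.pem
      # Must be the certificate for registry-auth.key (GITLAB_REGISTRY_KEY_PATH
      # above). The generation script writes registry-auth.crt; the original
      # referenced a non-existent "registry-sauth.crt", so token
      # verification would fail.
      - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry-auth.crt
      - REGISTRY_STORAGE_DELETE_ENABLED=true
    ports:
      - "0.0.0.0:5000:5000"
    networks:
      localnet:
        aliases:
          - registry.git.labs.lc
  gitlab-runner:
    container_name: gitlab-runner
    image: gitlab/gitlab-runner:latest
    volumes:
      - ./gitlab-runner/data:/home/gitlab_ci_multi_runner/data
      - ./gitlab-runner/config:/etc/gitlab-runner
      # Access to the Docker socket is equivalent to root on the host;
      # every CI job this runner executes can reach it.
      - /var/run/docker.sock:/var/run/docker.sock:rw
    environment:
      - CI_SERVER_URL=http://git.labs.lc:10080/ci
    restart: always
    dns: 192.168.88.100
    networks:
      localnet:

# Every service joins "localnet"; compose v2 requires the network to be
# declared at top level (the original omitted this and fails with an
# undefined-network error).
networks:
  localnet:
    driver: bridge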
Done
Pull the images
# Fetch every image referenced in docker-compose.yml before starting.
docker-compose pull
Create a directory for the certificates
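# ./certs is bind-mounted into the gitlab and registry containers as
# /certs; the key-generation script below must be run from inside it.
# The original ran both commands on one line, which passes "cd" and
# "certs" to mkdir instead of changing directory.
mkdir -p certs
cd certs || exit 1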
Generate certificates for the registry
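#!/usr/bin/env bash
# Generate the key material the compose file mounts from ./certs:
#   registry-auth.key / registry-auth.crt - key GitLab signs registry auth
#       tokens with (GITLAB_REGISTRY_KEY_PATH) and the certificate the
#       registry verifies them against (REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE)
#   rootCA.key / rootCA.pem               - private CA that signs registry.crt
#   registry.key / registry.crt           - registry TLS pair referenced by
#       SSL_REGISTRY_CERT_PATH / SSL_REGISTRY_KEY_PATH
# Run from inside ./certs. Private keys land in the current directory;
# keep that directory out of version control and backups you share.
# The original started with "#/bin/bash" (no "!"), which is a plain
# comment rather than a shebang.
set -euo pipefail

readonly GITLABCN="git.itc-life.ru"
readonly GITLAB_REGISTRY_CN="registry.git.itc-life.ru"

# Create Signing Key and CSR
openssl req -nodes -newkey rsa:2048 -keyout registry-auth.key \
  -out registry-auth.csr -subj "/CN=${GITLABCN}"

# Self-Sign Certificate (10 years)
openssl x509 -in registry-auth.csr -out registry-auth.crt -req \
  -signkey registry-auth.key -days 3650

# Private root CA used to sign the registry TLS certificate below.
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem \
  -subj "/C=RU/ST=Tyumen Obl/L=Tyumen/O=My organization/OU=IT Department/CN=${GITLABCN}"

# Registry TLS key and CSR; the Common Name is the registry host name
# (registry.git.itc-life.ru), then sign it with the root CA.
openssl genrsa -out registry.key 2048
openssl req -new -key registry.key -out registry.csr \
  -subj "/C=RU/ST=Tyumen Obl/L=Tyumen/O=My organization/OU=IT Department/CN=${GITLAB_REGISTRY_CN}"
openssl x509 -req -in registry.csr -CA rootCA.pem -CAkey rootCA.key \
  -CAcreateserial -out registry.crt -days 500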
# Downloads the Let's Encrypt X3 cross-signed intermediate. Nothing in
# the compose file above references this file, and Let's Encrypt has
# since retired the X3 intermediate, so check whether it is still needed.
wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt
Note: I generated the registry certificate with Let's Encrypt and moved it into the folder certs/registry.git.itc-life.ru/.
Done
Start the stack.
# Start all services in the background; "restart: always" keeps them up.
docker-compose up -d
Then create the nginx proxy config for GitLab, using Let's Encrypt for HTTPS. Create the config:
# Initial, HTTP-only vhost: needed so certbot can answer the ACME challenge.
nano /etc/nginx/conf.d/git.itc-life.ru.conf
# The GitLab container as published by docker-compose on port 10080.
upstream gitlab {
  server 192.168.88.10:10080 fail_timeout=0;
}

# let gitlab deal with the redirection
# Plain-HTTP vhost: serves only the ACME challenge and sends everything
# else to HTTPS. Note that the certificate referenced by the HTTPS vhost
# does not exist yet at this point, which is why the 443 server block is
# added only after certbot has run.
server {
  listen 80;
  server_name git.itc-life.ru;
  server_tokens off;
  root /dev/null;

  location / {
    return 301 https://$server_name$request_uri;
  }

  # Webroot that certbot-auto --webroot-path writes challenge files into.
  location ^~ /.well-known/acme-challenge/ {
    root /var/www/letsencrypt;
  }
}
Reload nginx
# Validate the configuration and reload nginx if it passes.
/etc/init.d/nginx check-reload
Install certbot
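# Install certbot-auto and its Python dependencies. The original ran all
# of these on a single line, which would pass every later word as an
# argument to "cd".
# NOTE(review): certbot-auto is fetched over HTTPS but without any
# signature or checksum verification, and EFF has since retired it in
# favour of distro/snap packages; prefer those on a current system.
cd /usr/local/sbin || exit 1
wget https://dl.eff.org/certbot-auto
chmod a+x /usr/local/sbin/certbot-auto
locale-gen ru_RU ru_ru.UTF-8
dpkg-reconfigure locales
apt install python-pip
# Upgrading the system-wide pip can diverge from the distro's packaged
# version; kept as in the original.
pip install --upgrade pip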
Obtain an SSL certificate from Let's Encrypt
# Webroot challenge: --webroot-path must match the "root" of the
# /.well-known/acme-challenge/ location in the nginx config above.
certbot-auto certonly -a webroot --webroot-path=/var/www/letsencrypt --agree-tos --non-interactive --text --email "admin@itc-life.ru" -d git.itc-life.ru
Then edit the config
# Second pass: add the HTTPS server block now that the certificate exists.
nano /etc/nginx/conf.d/git.itc-life.ru.conf
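# The GitLab container as published by docker-compose on port 10080.
upstream gitlab {
  server 192.168.88.10:10080 fail_timeout=0;
}

# let gitlab deal with the redirection
# Plain-HTTP vhost: ACME challenge only, everything else goes to HTTPS.
server {
  listen 80;
  server_name git.itc-life.ru;
  server_tokens off;
  root /dev/null;

  location / {
    return 301 https://$server_name$request_uri;
  }

  # Webroot that certbot-auto --webroot-path writes challenge files into.
  location ^~ /.well-known/acme-challenge/ {
    root /var/www/letsencrypt;
  }
}

server {
  # "ssl on;" dropped: the ssl parameter on listen already enables TLS and
  # the directive is deprecated.
  listen 443 ssl http2;
  server_name git.itc-life.ru;
  server_tokens off;
  root /dev/null;

  ssl_certificate /etc/letsencrypt/live/git.itc-life.ru/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/git.itc-life.ru/privkey.pem;
  # This guide never creates dhparam.pem; generate it (for example with
  # `openssl dhparam -out /etc/nginx/dhparam.pem 2048`) or nginx refuses
  # to load the configuration.
  ssl_dhparam /etc/nginx/dhparam.pem;
  # NOTE(review): OCSP stapling needs a "resolver" directive to fetch
  # responses; without one nginx logs a warning and stapling is ineffective.
  ssl_stapling on;
  ssl_session_timeout 24h;
  ssl_session_cache shared:SSL:2m;
  # TLS 1.0 and 1.1 removed (deprecated, RFC 8996); cipher list kept as-is.
  ssl_protocols TLSv1.2;
  ssl_ciphers EECDH+AES128:kEECDH:kEDH:-3DES:kRSA+AES128:kEDH+3DES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2;
  ssl_prefer_server_ciphers on;

  # Clickjacking protection is a *response* header for the browser. The
  # original used proxy_set_header, which only adds it to the request
  # forwarded to GitLab and never reaches the client.
  add_header X-Frame-Options SAMEORIGIN;

  location / {
    ## If you use https make sure you disable gzip compression
    ## to be safe against BREACH attack.
    gzip off;
    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_redirect off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_pass http://gitlab;
  }
}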
Open http://git.itc-life.ru in a browser (nginx redirects it to HTTPS).
Now we can set the password and log in as user root with the new password.