Gitlab

URL
https://gitlab.smns-bw.org
Production
hetzner:/opt/gitlab_latest/

GitLab Deployment Documentation with Docker Compose

This documentation guides you through the process of deploying a GitLab instance using Docker Compose. GitLab is a complete DevOps platform that allows you to perform all the tasks required to develop software, from project planning and source code management to CI/CD, monitoring, and security. By deploying GitLab using Docker, you can ensure a consistent and isolated environment for your GitLab instance.

Prerequisites

  • Docker and Docker Compose installed on your host machine.
  • Domain name pointing to the server where you're deploying GitLab.
  • SMTP details for GitLab to send emails.

Configuration

  1. Docker Compose File: Go to the /opt/gitlab_latest folder and ensure the following docker-compose.yml file is in that directory. Replace the environment variable placeholders (${VARIABLE_NAME}) with actual values before deployment.

version: '3.6'

services:
  web:
    image: 'gitlab/gitlab-ce:latest'
    container_name: ${CONTAINER_NAME}
    restart: always
    hostname: ${HOST_NAME}
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        # external_url is a method call in gitlab.rb, so it takes no "="
        external_url "${EXTERNAL_URL_TRAEFIK}"
        # TLS is terminated by Traefik; the bundled NGINX serves plain HTTP on 80
        nginx['listen_port'] = 80
        nginx['listen_https'] = false
        registry['enable'] = false
        gitlab_rails['gravatar_enabled'] = true
        gitlab_rails['smtp_enable'] = true
        gitlab_rails['smtp_address'] = "${SMTP_ADDRESS}"
        gitlab_rails['smtp_port'] = ${SMTP_PORT}
        gitlab_rails['smtp_user_name'] = "${SMTP_USERNAME}"
        gitlab_rails['smtp_password'] = "${SMTP_PASSWORD}"
        gitlab_rails['smtp_domain'] = "${SMTP_DOMAIN}"
        gitlab_rails['smtp_authentication'] = "login"
        gitlab_rails['smtp_enable_starttls'] = true
        gitlab_rails['smtp_openssl_verify_mode'] = "peer"
        gitlab_rails['gitlab_email_from'] = "${GITLAB_EMAIL_FROM}"
        gitlab_rails['gitlab_email_reply_to'] = "${GITLAB_EMAIL_TO}"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.gitlab.rule=Host(`${HOST_NAME}`)"
      - "traefik.http.routers.gitlab.tls=true"
      - "traefik.http.routers.gitlab.tls.certresolver=leresolver"
      - "traefik.http.routers.gitlab.middlewares=security-headers@file"
      - "traefik.http.services.gitlab.loadbalancer.server.port=80"
    networks:
      - proxy
      - gitlab-network
    volumes:
      - './config:/etc/gitlab'
      - './logs:/var/log/gitlab'
      - './data:/var/opt/gitlab'
      # Not a persistence volume: this bind mount gives the container access to
      # the host's Docker daemon, which amounts to root on the host.
      - '/var/run/docker.sock:/var/run/docker.sock'

networks:
  proxy:
    external: true
  gitlab-network:
    driver: bridge

  • Environment Variables: Replace all ${VARIABLE_NAME} placeholders in the docker-compose.yml file with your specific values:
    • CONTAINER_NAME: A unique name for your container.
    • HOST_NAME: The domain name for your GitLab instance.
    • EXTERNAL_URL_TRAEFIK: The full external URL for accessing your GitLab instance.
    • SMTP settings (SMTP_ADDRESS, SMTP_PORT, etc.) for outgoing emails.
    • GITLAB_EMAIL_FROM and GITLAB_EMAIL_TO for configuring email notifications.
  • Volumes: The compose file specifies three volumes for persistence:
    • config: for GitLab configuration files.
    • logs: for GitLab logs.
    • data: for GitLab data such as repositories.

Deployment Steps

  • Prepare Environment: Set environment variables in .env or directly insert values into your docker-compose.yml.
  • Launch GitLab: Run docker-compose up -d in your terminal. This command will start your GitLab instance in detached mode.
  • Access GitLab: Once the deployment is successful, access your GitLab instance through the domain name specified in HOST_NAME.

Post-Deployment

  • Initial Configuration: Upon first accessing your GitLab instance, you'll be prompted to set a password for the root user.
  • Verify Email: Ensure that your SMTP settings are correct by verifying that GitLab can send emails (e.g., user confirmation emails).

GitLab SSH Configuration

This section describes the changes made to the GitLab setup to enable SSH connections on a non-standard port (666) instead of the default SSH port (22). The configuration involves adjustments to both the GitLab service and the Traefik reverse proxy to ensure secure access for repository operations via SSH.

GitLab Configuration Changes

  1. SSH Port Adjustment: The SSH service within the GitLab container has been configured to listen on port 666. This change allows users to connect to GitLab repositories using SSH on a less commonly used port, enhancing security by reducing exposure to automated scans and attacks targeting the default SSH port.
  2. Docker Compose Configuration:
    • The GitLab service definition in docker-compose.yml was modified to include port 666 in the port mappings, ensuring that the Docker host forwards traffic on this port to the GitLab container.
    • The GITLAB_OMNIBUS_CONFIG environment variable was updated to set the gitlab_rails['gitlab_shell_ssh_port'] configuration option to 666, aligning the GitLab application configuration with the Docker and SSH service settings.

Traefik Configuration Changes

  1. SSH Entry Point: A new entry point for SSH traffic was defined in Traefik's static configuration, explicitly set to listen on port 666. This entry point serves as the gateway for all incoming SSH traffic intended for GitLab, ensuring that Traefik correctly routes these requests to the GitLab service.
  2. TCP Router and Service for SSH:
    • A TCP router was configured to match incoming SSH traffic and route it to a dedicated TCP service for GitLab SSH connections.
    • The TCP service was configured to forward the traffic it receives to the GitLab container's port 666, ensuring that SSH requests reach the GitLab SSH service.
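
The Traefik and GitLab settings described above could look like the following. This is an added example, not the configuration taken from this deployment: the entry point name ssh, the router and service name gitlab-ssh and the file name traefik.yml are assumptions. It also assumes Traefik v2 or later with the Docker provider, and that the SSH daemon in the container already listens on 666 as stated above.

```yaml
# --- traefik.yml (static configuration; file name is an assumption) ---
entryPoints:
  ssh:                      # entry point name is an assumption
    address: ":666"         # Traefik accepts SSH traffic on port 666
# The Traefik container itself must publish this port ("666:666") on the host.

---
# --- docker-compose.yml, GitLab service: only the SSH-related additions ---
services:
  web:
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        # Advertise port 666 in the SSH clone URLs GitLab shows to users
        gitlab_rails['gitlab_shell_ssh_port'] = 666
    labels:
      # SSH is not TLS and carries no SNI, so a TCP router can only match
      # HostSNI(`*`): everything arriving on this entry point goes to GitLab,
      # and the entry point cannot be shared with a second TCP backend.
      - "traefik.tcp.routers.gitlab-ssh.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.gitlab-ssh.entrypoints=ssh"
      - "traefik.tcp.routers.gitlab-ssh.service=gitlab-ssh"
      # Forward to the container port the SSH service listens on (666 here)
      - "traefik.tcp.services.gitlab-ssh.loadbalancer.server.port=666"
```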

Testing and Validation

  1. SSH Connection Test: Users can test the SSH connection to GitLab using the following command, which specifies the non-standard port:
    ssh -p 666 -T [username]@gitlab.smns-bw.org
    A successful connection will yield a welcome message from GitLab, confirming that the SSH service is reachable and correctly configured.
  2. Repository Operations: To verify full functionality, users should attempt Git operations over SSH, such as cloning a repository, using the corrected syntax to specify the port:
    git clone ssh://[username]@gitlab.smns-bw.org:666/path/to/repository.git
    Successful execution of such commands without errors confirms that the GitLab SSH configuration is operational.