GitLab CE

GitLab is a DevOps platform that combines developing, securing and operating software in a single application. Git, the version control system underneath it, tracks changes to files over time: it records who changed what and when in one or more projects, lets a team coordinate work on the same code, and allows any earlier state to be restored. Because it tracks any file, it is useful to non-programmers as well as developers.

Step 1: Basics

The following instructions show how to deploy GitLab CE (Community Edition) on Debian. The first step is to deploy a VM and add the GitLab package repository. The GitLab documentation covers most of the details and settings, e.g. https://docs.gitlab.com/omnibus/settings/configuration.html

For my Debian virtual machines I created additional logical volumes mounted at /var/opt/gitlab (repository data, database, uploads) and /opt/gitlab (the package itself), so that repository growth cannot fill the root filesystem.

The upstream instructions add the repository by piping a script straight into a root shell:

# curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | sudo bash

That executes whatever the server returns, as root, before anyone has read it. Prefer fetching script.deb.sh to a file (curl --proto '=https' --tlsv1.2 -o script.deb.sh ...), reading it, and only then running it; all it should do is write the apt source and import the repository signing key.

Once completed, install GitLab CE with the following command. Define GITLAB_URL as the FQDN you are going to use to access the GitLab instance; it must be the same name the certificate in Step 2 is issued for:

# export GITLAB_URL="http://gitlab.mydomain.local"
# sudo EXTERNAL_URL="${GITLAB_URL}" apt install gitlab-ce

Once completed, GitLab is reachable via the web interface at http://gitlab.mydomain.local. The initial root password is written to /etc/gitlab/initial_root_password, a file that is removed automatically after 24 hours. Because the URL is still plain http at this point, the first root login crosses the network in clear text unless Step 2 is done first. If the certificate is already available, stage it under /etc/gitlab/ssl before this step and use an https EXTERNAL_URL from the start; note that with an https URL and no staged certificate, Omnibus tries to obtain a Let's Encrypt certificate, which cannot work for a .local name.

Step 2: SSL Certificate

It is possible to use Let's Encrypt or manually issued certificates with GitLab; see https://docs.gitlab.com/omnibus/settings/ssl/ for details. In this example the hostname is gitlab.mydomain.local, so Omnibus GitLab looks for the private key and certificate at /etc/gitlab/ssl/gitlab.mydomain.local.key and /etc/gitlab/ssl/gitlab.mydomain.local.crt respectively (the file names must match the host part of external_url). A different location and file names can be set with nginx['ssl_certificate'] and nginx['ssl_certificate_key'] in gitlab.rb. The directory and the certificate may be world-readable, but keep the private key at mode 600 and owned by root: nginx reads it as root at startup, so nothing else needs access. If the .crt file carries a chain, the server certificate must come first, followed by the intermediates.

# sudo mkdir -p /etc/gitlab/ssl
# sudo chmod 755 /etc/gitlab/ssl
# sudo cp gitlab.mydomain.local.key gitlab.mydomain.local.crt /etc/gitlab/ssl/

Change http to https in the GitLab configuration file /etc/gitlab/gitlab.rb:

external_url 'https://gitlab.mydomain.local'

Reconfigure GitLab

# gitlab-ctl reconfigure
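The following script is an added example, not from the tutorial or from GitLab, that covers Steps 1 and 2 in a safer form: it fetches the repository script to disk for review instead of piping it into a root shell, rejects an external_url that would serve GitLab over plain http, checks that the certificate belongs to the key and names the GitLab FQDN, and stages the pair under /etc/gitlab/ssl with a root-only key. It uses the file names from Step 2; the download path /root/gitlab-repo-setup.sh is my choice, and verify_tls_pair needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the tutorial: safer forms of the Step 1 and Step 2
# commands. Run as root on the Debian VM; the download path is an assumption.
set -eu

REPO_SCRIPT_URL="https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh"

# Step 1: fetch the repository setup script to a file instead of piping it into
# "sudo bash", so a human reads it before anything runs as root. It should only
# write the apt source and import the repository signing key.
fetch_repo_script() {
    out="${1:-/root/gitlab-repo-setup.sh}"
    curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 \
        --output "$out" "$REPO_SCRIPT_URL"
    chmod 0700 "$out"
    printf 'saved %s (sha256 %s); review it, then run: bash %s\n' \
        "$out" "$(sha256sum "$out" | cut -d' ' -f1)" "$out"
}

# Refuse an external_url that would serve GitLab, and the first root login,
# over plain HTTP.
check_external_url() {
    case "$1" in
        https://?*) return 0 ;;
        *) echo "external_url must be https://<fqdn>, got: $1" >&2; return 1 ;;
    esac
}

# Step 2: confirm the certificate belongs to the key and names the GitLab FQDN
# (subjectAltName, or CN when there is no SAN). Needs the openssl CLI.
verify_tls_pair() {
    key="$1"; crt="$2"; fqdn="$3"
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "$crt does not match $key" >&2; return 1; }
    openssl x509 -in "$crt" -noout -checkhost "$fqdn" | grep -q ' does match ' \
        || { echo "$crt does not cover $fqdn" >&2; return 1; }
}

# Step 2: stage the pair under /etc/gitlab/ssl. Directory and certificate are
# world-readable; the private key is root-only (nginx reads it as root).
stage_tls_files() {
    key="$1"; crt="$2"; dir="${3:-/etc/gitlab/ssl}"
    install -d -m 0755 "$dir"
    install -m 0644 "$crt" "$dir/$(basename "$crt")"
    install -m 0600 "$key" "$dir/$(basename "$key")"
    stat -c '%U %a %n' "$dir/$(basename "$key")" "$dir/$(basename "$crt")"
}

# Typical sequence with the tutorial's FQDN:
#   check_external_url "https://gitlab.mydomain.local"
#   fetch_repo_script        # review the file, run it, then apt install gitlab-ce
#   verify_tls_pair gitlab.mydomain.local.key gitlab.mydomain.local.crt gitlab.mydomain.local
#   stage_tls_files gitlab.mydomain.local.key gitlab.mydomain.local.crt
```

Source the file and call the functions in the order shown in the closing comment; stage_tls_files prints owner, mode and path of both files so the 600/644 split can be confirmed before running gitlab-ctl reconfigure.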

Step 3: SMTP

Configure the SMTP settings in the GitLab configuration file /etc/gitlab/gitlab.rb. The block below uses implicit TLS on port 465 (smtp_tls = true), so smtp_enable_starttls_auto stays off; for a STARTTLS submission port (587) it is the other way round. Two things to check against your relay: the user name and password are commented out, which only works if the relay accepts unauthenticated mail from this host's address, and validation of the relay's certificate should be explicit (gitlab_rails['smtp_openssl_verify_mode'] = 'peer' together with the smtp_ca_path set below), otherwise a spoofed relay can collect the credentials and the mail. Note also that gitlab_email_from uses mydomain.org while smtp_domain (the EHLO name) is mydomain.local; make sure the relay accepts both.

### GitLab email server settings
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.mydomain.local"
gitlab_rails['smtp_port'] = 465
# gitlab_rails['smtp_user_name'] = "smtp user"
# gitlab_rails['smtp_password'] = "smtp password"
gitlab_rails['smtp_domain'] = "mydomain.local"
# gitlab_rails['smtp_authentication'] = "login"
# gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = true
# gitlab_rails['smtp_pool'] = false

gitlab_rails['smtp_ca_path'] = "/etc/ssl/certs"

### Email Settings
gitlab_rails['gitlab_email_from'] = 'gitlab@mydomain.org'
gitlab_rails['gitlab_email_display_name'] = 'MyDomain GitLab'

Reconfigure GitLab, then confirm delivery with the Notify.test_email helper from the Rails console as described in the GitLab SMTP documentation:

# gitlab-ctl reconfigure

Step 4: Active Directory

Configure the Active Directory settings in the GitLab configuration file /etc/gitlab/gitlab.rb. Points to check before copying the block: method 'tls' on port 389 is STARTTLS (use 'ssl' with port 636 for LDAPS, and never 'plain', which sends every user's password unencrypted), and certificate verification should stay on (verify_certificates defaults to true; if the domain controllers use an internal CA, point ca_file at it rather than disabling verification). The bind account needs read access only, and its password is stored here in clear text, so /etc/gitlab/gitlab.rb must stay mode 0600 owned by root. block_auto_created_users: false means that every account in the directory that can bind becomes an active GitLab user on first sign-in; either set it to true so that an administrator approves new users, or restrict sign-in with user_filter, for example to the members of an AD group: (memberOf:1.2.840.113556.1.4.1941:=CN=gitlab-users,OU=Groups,DC=Mydomain,DC=org), where the group name is assumed. Finally, main, secondary and tertiary are three separate providers: each gets its own sign-in tab (all labelled 'Active Directory' here), and a user's LDAP identity is tied to the provider they first signed in with, so the three entries do not act as failover for one another. For replicas of the same directory, use the hosts list documented for the LDAP integration, which keeps all domain controllers under one provider.

gitlab_rails['ldap_enabled'] = true

###! **remember to close this block with 'EOS' below**
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
 main:
  label: 'Active Directory'
  host: 'dc-01.mydomain.org'
  port: 389
  uid: 'sAMAccountName'
  method: 'tls' # "tls" or "ssl" or "plain"
  bind_dn: 'CN=adbind-gitlab,OU=Services,DC=Mydomain,DC=org'
  password: 'somepassword'
  active_directory: true
  allow_username_or_email_login: false
  block_auto_created_users: false
  base: 'DC=Mydomain,DC=org'
  timeout: 10
  lowercase_usernames: true
 secondary:
  label: 'Active Directory'
  host: 'dc-02.mydomain.org'
  port: 389
  uid: 'sAMAccountName'
  method: 'tls' # "tls" or "ssl" or "plain"
  bind_dn: 'CN=adbind-gitlab,OU=Services,DC=Mydomain,DC=org'
  password: 'somepassword'
  active_directory: true
  allow_username_or_email_login: false
  block_auto_created_users: false
  base: 'DC=Mydomain,DC=org'
  timeout: 10
  lowercase_usernames: true
 tertiary:
  label: 'Active Directory'
  host: 'dc-03.mydomain.org'
  port: 389
  uid: 'sAMAccountName'
  method: 'tls' # "tls" or "ssl" or "plain"
  bind_dn: 'CN=adbind-gitlab,OU=Services,DC=Mydomain,DC=org'
  password: 'somepassword'
  active_directory: true
  allow_username_or_email_login: false
  block_auto_created_users: false
  base: 'DC=Mydomain,DC=org'
  timeout: 10
  lowercase_usernames: true
EOS

Reconfigure GitLab, then verify the bind and the user filter with sudo gitlab-rake gitlab:ldap:check, which lists the users GitLab can see:

# gitlab-ctl reconfigure

Step 5: Disable local Prometheus, enable remote collection

Disable the local Prometheus and Grafana, keep the exporters running so that an external Prometheus (192.168.0.130 here) scrapes them, and put TLS in front of the exporters that support it. Edit the following settings in the configuration file /etc/gitlab/gitlab.rb. Read the block with its exposure in mind before copying it: every listener is bound to 0.0.0.0, so it is reachable from any network the host sits on. node_exporter and postgres_exporter get TLS (and optionally authentication) through the web configuration file /etc/gitlab/prometheus-exporter-web.yml, which the block references but which you must write yourself in the exporter-toolkit format; gitlab_exporter has its own tls_* settings; the Workhorse (9229) and Gitaly (9236) metrics ports have no TLS option in this block and should be limited to the Prometheus address with the host firewall. redis_exporter has no listen_address set, so it keeps its default localhost binding and the remote Prometheus cannot reach it until one is set. The exporters run as unprivileged service accounts rather than root (check with ps -o user,cmd -C node_exporter), so the key named in the web configuration must be readable by that account; give the exporters their own key pair with group-read permission for the service account rather than loosening the nginx key from Step 2. Finally, the flag name changed between exporter releases (web.config versus web.config.file); check what the bundled binary accepts with /opt/gitlab/embedded/bin/node_exporter --help.

...
################################################################################
## Prometheus
##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/
################################################################################
prometheus['enable'] = false


################################################################################
###! **Only needed if Prometheus and Rails are not on the same server.**
### For example, in a multi-node architecture, Prometheus will be installed on the monitoring node, while Rails will be on the Rails node.
### https://docs.gitlab.com/ee/administration/monitoring/prometheus/index.html#using-an-external-prometheus-server
### This value should be the address at which Prometheus is available to a GitLab Rails(Puma, Sidekiq) node.
################################################################################
gitlab_rails['prometheus_address'] = '192.168.0.130:9090'

################################################################################
## Prometheus Node Exporter
##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/node_exporter.html
################################################################################
node_exporter['enable'] = true
node_exporter['home'] = '/var/opt/gitlab/node-exporter'
node_exporter['log_directory'] = '/var/log/gitlab/node-exporter'
node_exporter['flags'] = {
  'web.config' => "/etc/gitlab/prometheus-exporter-web.yml"
}
node_exporter['listen_address'] = '0.0.0.0:9100'

################################################################################
## GitLab Workhorse
##! Docs: https://gitlab.com/gitlab-org/gitlab/-/blob/master/workhorse/README.md
################################################################################
gitlab_workhorse['enable'] = true
gitlab_workhorse['prometheus_listen_addr'] = "0.0.0.0:9229"

################################################################################
## Prometheus Redis exporter
##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/redis_exporter.html
################################################################################
redis_exporter['enable'] = true
redis_exporter['log_directory'] = '/var/log/gitlab/redis-exporter'
redis_exporter['flags'] = {
'redis.addr' => "unix:///var/opt/gitlab/redis/redis.socket",
}

################################################################################
## Prometheus Postgres exporter
##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/postgres_exporter.html
################################################################################
postgres_exporter['enable'] = true
postgres_exporter['home'] = '/var/opt/gitlab/postgres-exporter'
postgres_exporter['log_directory'] = '/var/log/gitlab/postgres-exporter'
postgres_exporter['listen_address'] = '0.0.0.0:9187'
postgres_exporter['flags'] = {
   'web.config.file' => "/etc/gitlab/prometheus-exporter-web.yml"
}

################################################################################
## Prometheus Gitlab exporter
##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/gitlab_exporter.html
################################################################################
gitlab_exporter['enable'] = true
gitlab_exporter['log_directory'] = "/var/log/gitlab/gitlab-exporter"
gitlab_exporter['home'] = "/var/opt/gitlab/gitlab-exporter"

##! Advanced settings. Should be changed only if absolutely needed.
gitlab_exporter['listen_address'] = '0.0.0.0'
gitlab_exporter['listen_port'] = '9168'

##! TLS settings. gitlab-exporter runs as an unprivileged service account, so it
##! must be able to read this key; a root-only key from Step 2 does not work here.
gitlab_exporter['tls_enabled'] = true
gitlab_exporter['tls_cert_path'] = '/etc/gitlab/ssl/gitlab.mydomain.local.crt'
gitlab_exporter['tls_key_path'] = '/etc/gitlab/ssl/gitlab.mydomain.local.key'

##! Manage gitlab-exporter sidekiq probes. false by default when Sentinels are
##! found.
gitlab_exporter['probe_sidekiq'] = true

################################################################################
## Grafana Dashboards
##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/#prometheus-as-a-grafana-data-source
################################################################################
grafana['enable'] = false

###############################################################################
## Gitaly
## Docs: https://docs.gitlab.com/ee/administration/gitaly/index.html .
################################################################################
gitaly['enable'] = true
gitaly['dir'] = "/var/opt/gitlab/gitaly"
gitaly['log_directory'] = "/var/log/gitlab/gitaly"
gitaly['bin_path'] = "/opt/gitlab/embedded/bin/gitaly"
gitaly['prometheus_listen_addr'] = "0.0.0.0:9236"
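The web configuration file referenced by the node_exporter and postgres_exporter flags above is not shown in the tutorial. The following is an added example, not from the tutorial or from GitLab, of that file together with the matching scrape job on the Prometheus side. It assumes a dedicated exporter key pair /etc/gitlab/ssl/exporter.crt and exporter.key readable by the exporter service accounts, an internal CA /etc/gitlab/ssl/monitoring-ca.crt that issued the Prometheus client certificate, a basic-auth user named prometheus, and the file names under /etc/prometheus; all of these are assumptions.

```yaml
# /etc/gitlab/prometheus-exporter-web.yml on the GitLab host
# (exporter-toolkit web configuration, read by node_exporter and
# postgres_exporter through the web.config / web.config.file flag).
tls_server_config:
  cert_file: /etc/gitlab/ssl/exporter.crt     # assumed dedicated pair, not the nginx key
  key_file: /etc/gitlab/ssl/exporter.key      # must be readable by the exporter's service account
  min_version: TLS12
  # Mutual TLS: only a scraper presenting a certificate from this CA is accepted.
  client_auth_type: RequireAndVerifyClientCert
  client_ca_file: /etc/gitlab/ssl/monitoring-ca.crt
basic_auth_users:
  # bcrypt hash; generate it with: htpasswd -nBC 10 "" | tr -d ':\n'
  prometheus: "$2y$10$REPLACE_WITH_THE_HASH_PRINTED_BY_HTPASSWD"

---
# Scrape job in prometheus.yml on the Prometheus server (192.168.0.130)
# for the two exporters protected by the file above.
scrape_configs:
  - job_name: gitlab-exporters
    scheme: https
    tls_config:
      ca_file: /etc/prometheus/gitlab-exporter-ca.crt   # CA that issued exporter.crt
      cert_file: /etc/prometheus/prometheus-client.crt  # issued by monitoring-ca
      key_file: /etc/prometheus/prometheus-client.key
    basic_auth:
      username: prometheus
      password_file: /etc/prometheus/gitlab-exporter.password   # the clear-text password, mode 0600
    static_configs:
      - targets:
          - gitlab.mydomain.local:9100   # node_exporter
          - gitlab.mydomain.local:9187   # postgres_exporter
```

After gitlab-ctl reconfigure, a request to https://gitlab.mydomain.local:9100/metrics without a client certificate should fail the TLS handshake, one with the certificate but no credentials should return 401, and http://gitlab.mydomain.local:9100/metrics should no longer return metrics. gitlab_exporter (9168) uses the tls_* settings in gitlab.rb instead and needs its own scrape job without basic_auth; the Workhorse and Gitaly ports stay plain-text and are only as protected as the host firewall makes them.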