-rw-r--r--README.md23
-rw-r--r--firewall6
-rw-r--r--gitlab-ssl.conf54
-rw-r--r--gitlab.conf12
-rw-r--r--gitlab.rb13
5 files changed, 108 insertions, 0 deletions
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..2e132c5
--- /dev/null
+++ b/README.md
@@ -0,0 +1,23 @@
+Gitlab setup
+=============
+
+This will server the basic configuration files integrating gitlab as vhost into an existing apache.
+
+Files
+-----
+
+* **firewall:** Basic remarks for firewall configuration
+* **gitlab.conf:** vhost configuration file
+* **gitlab-ssl.conf:** SSL(i.e. TLS) vhost configuration file
+* **gitlab.rb:** Gitlab's basic ruby configuration file
+
+Requirements
+------------
+* apache 2.4 with mods proxy, http_proxy, ssl
+* gitlab-ce :) Configuration see gitlab.rb
+
+To-Dos
+------
+
+- [x] ~~Make gitlab use https. While this basically works, any call of the dashboard redirects to http, this comes from the application... sucks a golfball through a gardenhose!~~
+- [ ] RAW views of files don't work :(
diff --git a/firewall b/firewall
new file mode 100644
index 0000000..c969cd3
--- /dev/null
+++ b/firewall
@@ -0,0 +1,6 @@
+# Documentation only.
+
+# Basically, with the given configuration here, we do NOT need to publish Unicorn to the outside
+# world! (Is there any config that needs to except distribution of unicorn only to another machine?)
+# That is, on this gitlab's server anything not explicitly defined is implicitly dropped or rejected
+# depending on the outsider's network - so unicorn can communicate on the local host only, period.
diff --git a/gitlab-ssl.conf b/gitlab-ssl.conf
new file mode 100644
index 0000000..6e69f5a
--- /dev/null
+++ b/gitlab-ssl.conf
@@ -0,0 +1,54 @@
+# This is a sub configuration file that integrates into a running apache. In our case,
+# the machine is TLS only, has secure cipher suites and supports HSTS.
+
+# Don't do this if mod_ssl is not available.
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+ ServerName gitlab.lirion.de
+ ServerSignature Off
+
+ ProxyPreserveHost On
+ #eserdeniz.fr
+ ProxyRequests Off
+ AllowEncodedSlashes NoDecode
+ # here we don't want to proxify the requests for the existing assets in gitlab's public directory
+ ProxyPassMatch ^(/[^/]+\.(html|png|ico|css|txt))$ !
+ ProxyPass /assets !
+ ProxyPass / http://127.0.0.1:8080/
+ RequestHeader set X_FORWARDED_PROTO 'https'
+
+ # necessary for downloading attachments
+ DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
+
+ <Location />
+ Order deny,allow
+ Allow from all
+ ProxyPassReverse http://127.0.0.1:8080
+ # Leave this at http. For whatever reason.
+ ProxyPassReverse http://gitlab.lirion.de
+ </Location>
+ <Directory /opt/gitlab/embedded/service/gitlab-rails/public>
+ Require all granted
+ </Directory>
+ <IfModule rewrite.c>
+ RewriteEngine On
+ RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
+ RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA]
+ </IfModule>
+
+ # Basic stuff
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ LogLevel warn
+ CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
+ SSLEngine on
+ SSLCertificateKeyFile /path/to/some/certificates/private/key
+ # x509v3 certificate, chain included (latter: recommendation or duty anyway with apache2.4)
+ SSLCertificateFile /path/to/some/certificates/public-cert-chain
+ # People still use flawed and f'ed up technology. 'Ere we go.
+ BrowserMatch "MSIE [2-6]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+ BrowserMatch "MSIE [17-9]" \
+ ssl-unclean-shutdown
+</VirtualHost>
+</IfModule>
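Review bot: The `<Location />` container (hunk lines `Order deny,allow` / `Allow from all`) uses the Apache 2.2 access-control model, while the `<Directory>` block directly below it and the README's stated requirement (apache 2.4) use the 2.4 model; on 2.4 the old directives only take effect with mod_access_compat loaded, and the Apache documentation advises against mixing the two styles in one configuration. Replacing the two lines with `Require all granted` makes both containers agree and removes the mod_access_compat dependency. Separately, the header comment says the host is TLS-only with secure cipher suites and HSTS, yet nothing in this vhost sets `SSLProtocol`, `SSLCipherSuite` or a `Strict-Transport-Security` response header; if those come from the global mod_ssl configuration, a comment such as `# TLS protocol/cipher/HSTS settings are inherited from the global SSL config (<path>)` would stop the next reader from assuming they are missing, and if they do not, this vhost is not what its header describes.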
diff --git a/gitlab.conf b/gitlab.conf
new file mode 100644
index 0000000..f264771
--- /dev/null
+++ b/gitlab.conf
@@ -0,0 +1,12 @@
+# The rather quick and dirty approach: the default URL within gitlab is http://fqdn/, and this here
+# redirects anything to https, so we take a hop around the corner before entering the restaurant.
+# But then again, this works, while redirect.rb in gitlab doesn't specifically aim towards
+# $CHOOSE_YOUR_PROTOCOL.
+<VirtualHost *:80>
+ ServerName gitlab.lirion.de
+ ServerSignature Off
+
+ RewriteEngine on
+ RewriteCond %{HTTPS} !=on
+ RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
+</VirtualHost>
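Review bot: The redirect in the `RewriteRule` line issues a temporary (302) redirect, because the `R` flag without a status code defaults to 302; for a permanent http→https move `[NE,R=301,L]` is the usual choice so clients stop requesting the plain-http URL. The `RewriteCond %{HTTPS} !=on` line is always true inside a `*:80` vhost and can be dropped. The vhost also depends on mod_rewrite being loaded (`RewriteEngine on`) without the `<IfModule ...>` guard that gitlab-ssl.conf uses for its rewrite block, and the README's requirement list names proxy, http_proxy and ssl but not rewrite; either add rewrite to that list or use mod_alias's `Redirect permanent / https://gitlab.lirion.de/`, which needs no extra module.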
diff --git a/gitlab.rb b/gitlab.rb
new file mode 100644
index 0000000..55c0961
--- /dev/null
+++ b/gitlab.rb
@@ -0,0 +1,13 @@
+external_url 'https://gitlab.lirion.de'
+gitlab_rails['time_zone'] = 'Europe/Zurich'
+gitlab_rails['gravatar_enabled'] = false
+gitlab_rails['gitlab_shell_ssh_port'] = 8282
+gitlab_workhorse['enable'] = true
+gitlab_workhorse['listen_network'] = "unix"
+gitlab_workhorse['listen_addr'] = "/var/opt/gitlab/gitlab-workhorse/socket"
+unicorn['listen'] = '127.0.0.1'
+unicorn['port'] = 8080
+web_server['external_users'] = ['www-data']
+web_server['username'] = 'gitlab-www'
+web_server['group'] = 'gitlab-www'
+nginx['enable'] = false
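Review bot: Workhorse is enabled and listens on a unix socket (`gitlab_workhorse['listen_network'] = "unix"` / `listen_addr`), but the apache vhost in gitlab-ssl.conf proxies straight to Unicorn on `127.0.0.1:8080` (the `unicorn['listen']` / `unicorn['port']` lines here), so Workhorse is never in the request path; since Workhorse is the component that serves raw blobs, archives and git-over-HTTP in front of Unicorn, this is very likely the cause of the "RAW views of files don't work" To-Do in README.md. Either make Workhorse reachable over TCP (`gitlab_workhorse['listen_network'] = "tcp"` with a `127.0.0.1:<port>` `listen_addr`) and point `ProxyPass /` there, or, with Apache 2.4.7 or newer, proxy to the existing socket using mod_proxy's `unix:` target syntax. Keeping `unicorn['listen'] = '127.0.0.1'` is correct either way and matches the loopback-only intent documented in the firewall file. The `web_server['external_users'] = ['www-data']` entry presumably is what lets the apache user reach the socket, so it stays relevant once Workhorse is actually used.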