@0x646e78
Last active March 11, 2019 18:50
gitlab inside docker with certs from Let's Encrypt

# Running gitlab inside docker with certs from Let's Encrypt

This will serve SSH and HTTPS (with which I got an A+ from testssl).

Creates three docker containers:

  • gitlab-postgresql
  • gitlab-redis
  • gitlab, which is linked to the other two. This contains nginx, sshd, git and gitlab.

Each container has a volume mounted from the host system under /opt/docker-volumes/.

Alter the various environment variables accordingly, mostly where they look like `<this>`.

## stfu and do it

```bash
mkdir -p /opt/docker-volumes/{gitlab/certs,gitlab-postgresql,gitlab-redis}

openssl dhparam -out /opt/docker-volumes/gitlab/certs/dhparam.pem 4096

./certbot-auto certonly --standalone -d <domain_name>

cp /etc/letsencrypt/live/<domain_name>/* /opt/docker-volumes/gitlab/certs/
mv /opt/docker-volumes/gitlab/certs/fullchain.pem /opt/docker-volumes/gitlab/certs/gitlab.crt
mv /opt/docker-volumes/gitlab/certs/privkey.pem /opt/docker-volumes/gitlab/certs/gitlab.key
mv /opt/docker-volumes/gitlab/certs/chain.pem /opt/docker-volumes/gitlab/certs/ca.crt
chmod 0400 /opt/docker-volumes/gitlab/certs/gitlab.key
```

^ These dirs probably need to be readable and writable by uid 1000 on the host, so you may need to run `chown -R 1000 /opt/docker-volumes/gitlab*`.

Then start things up:

### postgresql

Choose a password for the gitlab database and put it in place of `<db-password>`.

```bash
docker run --name gitlab-postgresql -d \
    --restart always \
    --env 'DB_NAME=gitlabhq_production' \
    --env 'DB_USER=gitlab' \
    --env 'DB_PASS=<db-password>' \
    --env 'DB_EXTENSION=pg_trgm' \
    --volume /opt/docker-volumes/gitlab-postgresql:/var/lib/postgresql \
    sameersbn/postgresql:9.5-3
```

### redis

```bash
docker run --name gitlab-redis -d \
    --restart always \
    --volume /opt/docker-volumes/gitlab-redis:/var/lib/redis \
    sameersbn/redis:latest
```

### gitlab

Use the value you chose for `<db-password>` above.

Run this 3 times and record each output; the values are used for the GITLAB_SECRETS envs below.

```bash
pwgen -Bsv1 64
```

The GITLAB_ROOT_PASSWORD is kinda pointless I think, but I feel more comfortable smashing something decent in there.

```bash
docker run --name gitlab -d \
  --restart always \
  --volume /opt/docker-volumes/gitlab:/home/git/data \
  --link gitlab-postgresql:postgresql \
  --link gitlab-redis:redisio \
  --publish 10022:22 \
  --publish 10443:443 \
  -e 'GITLAB_HTTPS=true' \
  -e 'GITLAB_SIGNUP_ENABLED=false' \
  -e 'GITLAB_PORT=10443' \
  -e 'GITLAB_SSH_PORT=10022' \
  -e 'GITLAB_ROOT_PASSWORD=<set_a_password>' \
  -e 'GITLAB_HOST=<domain_name>' \
  -e 'GITLAB_EMAIL=<email_address>' \
  -e 'DB_USER=gitlab' \
  -e 'DB_PASS=<db-password>' \
  -e 'DB_NAME=gitlabhq_production' \
  -e 'DB_TYPE=postgres' \
  -e 'SMTP_ENABLED=true' \
  -e 'SMTP_DOMAIN=<email_fqdn>' \
  -e 'SMTP_HOST=<smtp_server>' \
  -e 'SMTP_PORT=25' \
  -e 'SMTP_USER=<email_username>' \
  -e 'SMTP_PASS=<email_password>' \
  -e 'GITLAB_SECRETS_DB_KEY_BASE=<random-64-chars>' \
  -e 'GITLAB_SECRETS_SECRET_KEY_BASE=<random-64-chars>' \
  -e 'GITLAB_SECRETS_OTP_KEY_BASE=<random-64-chars>' \
  sameersbn/gitlab:8.14.3
```

Point your browser to https://<domain_name>:10443 and log in with the 'root' account and the password you set above for initial setup.

## TODO

  • autorenew Let's Encrypt certs. To non-interactively renew all of your certificates, run `certbot-auto renew`.
  • Use envs to specify the location of the certs, so they no longer need renaming:

```bash
  -e 'SSL_CERTIFICATE_PATH=/home/git/data/certs/gitlab.crt' \
  -e 'SSL_KEY_PATH=/home/git/data/certs/gitlab.key' \
  -e 'SSL_DHPARAM_PATH=/home/git/data/certs/dhparam.pem' \
  -e 'SSL_CA_CERTIFICATES_PATH=/home/git/data/certs/ca.crt' \
```
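The autorenew TODO item, as an added example that is not part of the original gist: a certbot deploy hook that copies a renewed lineage into the certs volume under the file names used above, locks the key down to 0400, checks that the key actually belongs to the certificate before the container is restarted with it, and then restarts the `gitlab` container so nginx loads the new cert. Running it via `certbot-auto renew --deploy-hook <this-script>`, the `CERT_DIR` and `CONTAINER` variables, and the `.tmp` staging names are assumptions of this example.

```bash
#!/bin/sh
# Certbot deploy hook (added example, not from the original gist).
# Copies a renewed Let's Encrypt lineage into the gitlab certs volume using
# the names the gist expects (gitlab.crt, gitlab.key, ca.crt), locks down
# the key, verifies the pair, and restarts the gitlab container.
#
# Assumed usage:  certbot-auto renew --deploy-hook /path/to/this-script.sh
# certbot sets RENEWED_LINEAGE to /etc/letsencrypt/live/<domain_name>.
set -eu

CERT_DIR="${CERT_DIR:-/opt/docker-volumes/gitlab/certs}"   # gist's volume path
CONTAINER="${CONTAINER:-gitlab}"                           # gist's container name

# install_certs SRC DST: copy the lineage into DST under the gist's names.
# Returns non-zero if any expected file is missing from SRC.
install_certs() {
    src="$1"; dst="$2"
    for f in fullchain.pem privkey.pem chain.pem; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    mkdir -p "$dst"
    # Stage the key under a restrictive umask so it is never world-readable,
    # even briefly, then rename into place (same end state as the gist's chmod 0400).
    (umask 077; cp "$src/privkey.pem" "$dst/gitlab.key.tmp")
    cp "$src/fullchain.pem" "$dst/gitlab.crt.tmp"
    cp "$src/chain.pem" "$dst/ca.crt.tmp"
    chmod 0400 "$dst/gitlab.key.tmp"
    mv "$dst/gitlab.key.tmp" "$dst/gitlab.key"
    mv "$dst/gitlab.crt.tmp" "$dst/gitlab.crt"
    mv "$dst/ca.crt.tmp" "$dst/ca.crt"
}

# key_matches_cert KEY CERT: the public key derived from the private key must
# equal the one in the certificate, otherwise nginx would fail to start.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Only act as a hook when certbot invoked us with a renewed lineage.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_certs "$RENEWED_LINEAGE" "$CERT_DIR"
    key_matches_cert "$CERT_DIR/gitlab.key" "$CERT_DIR/gitlab.crt"
    chown -R 1000 "$CERT_DIR"        # the container's git user is uid 1000
    docker restart "$CONTAINER"
fi
```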