@FaKleiser
Last active July 26, 2023 13:21
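# Values substituted for the ${...} references in the Compose file (for example from a .env file next to it)
S3_ACCESS_KEY_ID_GITLAB_BACKUP=<ACCESS_KEY>
S3_SECRET_ACCESS_KEY_GITLAB_BACKUP=<SECRET_KEY>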

# Docker Compose file
version: '3'

networks:
  web:
    external: true

services:
  # The reverse proxy service (Traefik)
  traefik:
    # The official Traefik Docker image, pinned to 1.x: the flags, labels and traefik.toml used here are Traefik v1 syntax
    image: traefik:1.7
    command: --api --docker # Enables the web UI and tells Traefik to listen to docker
    restart: always
    networks:
      - web
    ports:
      - "80:80"
      - "443:443"
      # - "9000:9000" # exposes the Traefik web UI (no authentication is configured for it here)
    volumes:
      # So that Traefik can listen to the Docker events; note that socket access gives the container control of the Docker daemon
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "./traefik.toml:/traefik.toml"
      - "./acme.json:/acme.json" # must exist on the host with mode 600, otherwise Traefik refuses to use it
    container_name: traefik

  # The GitLab container itself
  gitlab:
    image: 'gitlab/gitlab-ce:latest'
    restart: always
    hostname: 'gitlab.mydomain.io'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.mydomain.io'
        # TLS terminates at Traefik, so the bundled nginx serves plain HTTP on port 80
        nginx['listen_https'] = false
        nginx['listen_port'] = 80
        # backup
        gitlab_rails['backup_archive_permissions'] = 0644 # See: https://docs.gitlab.com/ce/raketasks/backup_restore.html#backup-archive-permissions
        gitlab_rails['backup_keep_time'] = 1468800 # 17 days, we'll do a full backup every 5 days
        gitlab_rails['backup_upload_connection'] = {
          'provider' => 'AWS',
          'region' => 'us-east-1',
          'aws_access_key_id' => "${S3_ACCESS_KEY_ID_GITLAB_BACKUP}",
          'aws_secret_access_key' => "${S3_SECRET_ACCESS_KEY_GITLAB_BACKUP}"
        }
        gitlab_rails['backup_upload_remote_directory'] = 's3-backup-bucket'
    volumes:
      - './config:/etc/gitlab'
      - './logs:/var/log/gitlab'
      - './data:/var/opt/gitlab'
    networks:
      - web
    ports:
      - "2222:22" # expose GitLab SSH on port 2222 on the host, as Traefik does not yet support TCP routing
    labels:
      - "traefik.frontend.rule=Host:gitlab.mydomain.io"
      - "traefik.docker.network=web"
      - "traefik.enable=true"
      - "traefik.port=80"
      - "traefik.protocol=http"

# traefik.toml (mounted into the Traefik container by the Compose file)
debug = false
logLevel = "ERROR"
defaultEntryPoints = ["https","http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
  [entryPoints.traefik]
  address = ":9000"

[retry]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "mydomain.io"
watch = true
exposedByDefault = false

[acme]
email = "letsencrypt@mydomain.io"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
  [acme.httpChallenge]
  entryPoint = "http"

[api]
entryPoint = "traefik"
dashboard = true

uniu commented Mar 1, 2022

Thanks for this example - was helpful for me

Nindouja commented Sep 7, 2022

Nice! Missed the nginx conf. Very helpful

@philipreichert

Thank you! You were my lifesaver :)

dud1337 commented Feb 1, 2023

Cheeeeeeeers, buuuuuud

smit-io commented Feb 11, 2023

Now that Traefik supports TCP routing, what would it look like now?
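
For the question above: the files in this gist use Traefik v1 syntax (`--api --docker`, `traefik.frontend.rule` labels). The following is an added example, not the gist author's code, of the same setup under Traefik v2 with GitLab SSH routed through a TCP entry point. The image tag `traefik:v2.10`, the entry point name `ssh`, the resolver name `le` and the router/service names `gitlab` and `gitlab-ssh` are assumptions chosen here.

```yaml
# Added example (Traefik v2 syntax); all router, service and resolver names are chosen for illustration
version: '3'
networks:
  web:
    external: true
services:
  traefik:
    image: traefik:v2.10 # assumed v2 tag; pin the v2 release you actually run
    restart: always
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=web
      - --entrypoints.http.address=:80
      - --entrypoints.http.http.redirections.entrypoint.to=https
      - --entrypoints.http.http.redirections.entrypoint.scheme=https
      - --entrypoints.https.address=:443
      - --entrypoints.ssh.address=:2222 # TCP entry point for Git over SSH
      - --certificatesresolvers.le.acme.email=letsencrypt@mydomain.io
      - --certificatesresolvers.le.acme.storage=/acme.json
      - --certificatesresolvers.le.acme.httpchallenge.entrypoint=http
    networks:
      - web
    ports:
      - "80:80"
      - "443:443"
      - "2222:2222"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro" # read-only mount of the socket file
      - "./acme.json:/acme.json"
  gitlab:
    image: 'gitlab/gitlab-ce:latest'
    restart: always
    hostname: 'gitlab.mydomain.io'
    # environment and volumes as in the Compose file above; no "ports:" entry is needed any more
    networks:
      - web
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.gitlab.rule=Host(`gitlab.mydomain.io`)"
      - "traefik.http.routers.gitlab.entrypoints=https"
      - "traefik.http.routers.gitlab.tls.certresolver=le"
      - "traefik.http.services.gitlab.loadbalancer.server.port=80"
      # SSH carries no SNI, so the TCP router has to match every connection on its entry point
      - "traefik.tcp.routers.gitlab-ssh.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.gitlab-ssh.entrypoints=ssh"
      - "traefik.tcp.routers.gitlab-ssh.service=gitlab-ssh"
      - "traefik.tcp.services.gitlab-ssh.loadbalancer.server.port=22"
```

With this layout the GitLab container publishes no host ports of its own: only Traefik listens on 80, 443 and 2222.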
