@Nielio
Last active April 30, 2024 13:58
Gitlab CE with built-in Container Registry behind Traefik 2 with Let's Encrypt
compose.yml

```yaml
version: "3.6"
services:
  gitlab:
    image: gitlab/gitlab-ce
    volumes:
      - gitlab-data:/var/opt/gitlab
      - gitlab-logs:/var/log/gitlab
      - gitlab-config:/etc/gitlab
    networks:
      - traefik-public
      - default
    ports:
      - target: 22
        published: 4224
        mode: host
    environment:
      GITLAB_OMNIBUS_CONFIG: "from_file('/omnibus_config.rb')"
    configs:
      - source: gitlab
        target: /omnibus_config.rb
    secrets:
      - gitlab_root_password
    deploy:
      resources:
        limits:
          memory: 8G
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=traefik-public"
        - "traefik.http.routers.gitlab.rule=Host(`gitlab.your-domain.com`)"
        - "traefik.http.routers.gitlab.entrypoints=websecure"
        - "traefik.http.routers.gitlab.service=gitlab"
        - "traefik.http.routers.gitlab.tls.certresolver=letsencryptresolver"
        - "traefik.http.services.gitlab.loadbalancer.server.port=80"
        - "traefik.http.routers.registry.rule=Host(`registry.your-domain.com`)"
        - "traefik.http.routers.registry.entrypoints=websecure"
        - "traefik.http.routers.registry.service=registry"
        - "traefik.http.routers.registry.tls.certresolver=letsencryptresolver"
        - "traefik.http.services.registry.loadbalancer.server.port=5005"
configs:
  gitlab:
    file: ./gitlab.rb
secrets:
  gitlab_root_password:
    file: ./root_password.txt
volumes:
  gitlab-data:
  gitlab-logs:
  gitlab-config:
networks:
  traefik-public:
    external: true
  default:
```
```sh
docker stack deploy -c compose.yml gitlab
```
gitlab.rb

```ruby
external_url 'https://gitlab.your-domain.com/'
# Docker secrets are mounted as files; strip the trailing newline so it does not become part of the password
gitlab_rails['initial_root_password'] = File.read('/run/secrets/gitlab_root_password').strip
# Needed to let gitlab work behind traefik: Traefik terminates TLS, so the bundled nginx listens in plain HTTP on port 80
nginx['listen_https'] = false
nginx['listen_port'] = 80
# SSH is published on host port 4224 by the compose file
gitlab_rails['gitlab_ssh_host'] = 'gitlab.your-domain.com'
gitlab_rails['gitlab_shell_ssh_port'] = 4224
# container registry, reached through the Traefik "registry" router on port 5005
registry_external_url 'http://registry.your-domain.com'
registry['enable'] = true
gitlab_rails['registry_enabled'] = true
registry_nginx['enable'] = true
registry_nginx['listen_port'] = 5005
registry_nginx['listen_https'] = false
# Tell the registry the client request was HTTPS, even though nginx only sees plain HTTP from Traefik
registry_nginx['proxy_set_headers'] = {
  "Host" => "$http_host",
  "X-Real-IP" => "$remote_addr",
  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on"
}
# Ban IPs after repeated failed HTTP basic auth attempts against git (rack-attack)
gitlab_rails['rack_attack_git_basic_auth'] = {
  'enabled' => true,
  'ip_whitelist' => ["127.0.0.1"],
  'maxretry' => 10,
  'findtime' => 600,
  'bantime' => 136000
}
```
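An added consistency check, not part of the gist, that cross-checks the Traefik labels against gitlab.rb: each router's Host() must match the host in the corresponding external URL, the port Traefik forwards to must equal the nginx listen_port, and listen_https must be off because Traefik terminates TLS. The label list and gitlab.rb excerpt are copied from this page as constructed input; the function names are mine.

```python
import re
from urllib.parse import urlparse
# Constructed input, copied from the gist: the labels and gitlab.rb lines that must agree.
LABELS = [
    "traefik.http.routers.gitlab.rule=Host(`gitlab.your-domain.com`)",
    "traefik.http.routers.gitlab.service=gitlab",
    "traefik.http.services.gitlab.loadbalancer.server.port=80",
    "traefik.http.routers.registry.rule=Host(`registry.your-domain.com`)",
    "traefik.http.routers.registry.service=registry",
    "traefik.http.services.registry.loadbalancer.server.port=5005",
]
GITLAB_RB = """external_url 'https://gitlab.your-domain.com/'
nginx['listen_https'] = false
nginx['listen_port'] = 80
registry_external_url 'http://registry.your-domain.com'
registry_nginx['listen_port'] = 5005
registry_nginx['listen_https'] = false"""
# Traefik router name -> (URL setting, nginx listen_port key, nginx listen_https key) in gitlab.rb
PAIRS = {"gitlab": ("external_url", "nginx.listen_port", "nginx.listen_https"),
         "registry": ("registry_external_url", "registry_nginx.listen_port", "registry_nginx.listen_https")}

def parse_labels(labels):  # -> ({router: {option: value}}, {service: port}) from traefik.http.* labels
    routers, ports = {}, {}
    for label in labels:
        key, _, value = label.partition("=")
        p = key.split(".")
        if p[:3] == ["traefik", "http", "routers"]:
            routers.setdefault(p[3], {})[p[4]] = value
        elif p[:3] == ["traefik", "http", "services"] and p[-1] == "port":
            ports[p[3]] = int(value)
    return routers, ports

def parse_gitlab_rb(text):  # flatten `name 'url'` and `section['key'] = value` lines into one dict
    cfg = dict(re.findall(r"^(\w+)\s+'([^']+)'", text, re.M))
    for sect, key, val in re.findall(r"^(\w+)\['(\w+)'\]\s*=\s*(\S+)", text, re.M):
        cfg[f"{sect}.{key}"] = val
    return cfg

def audit(labels, gitlab_rb):  # list of mismatches; an empty list means the two files agree
    (routers, ports), cfg, findings = parse_labels(labels), parse_gitlab_rb(gitlab_rb), []
    for name, (url_key, port_key, https_key) in PAIRS.items():
        router = routers.get(name, {})
        host = re.search(r"Host\(`([^`]+)`\)", router.get("rule", ""))
        if not host or host.group(1) != urlparse(cfg.get(url_key, "")).hostname:
            findings.append(f"{name}: Host rule does not match the host in {url_key}")
        if str(ports.get(router.get("service"))) != cfg.get(port_key):
            findings.append(f"{name}: Traefik port {ports.get(router.get('service'))} != {port_key} {cfg.get(port_key)}")
        if cfg.get(https_key) != "false":  # Traefik terminates TLS; nginx must listen in plain HTTP
            findings.append(f"{name}: {https_key} must be false behind Traefik")
    return findings
```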
@jamie-belanger

Thank you for posting this!
gitlab.rb lines 5 and 6 fixed the setup I've been tinkering with for almost three days now

@derek-mba

Thanks so much! I was pulling my hair out trying to get this to work.

@migasQ

migasQ commented Apr 8, 2024

Excellent! This helped me a lot in setting up traefik with gitlab+registry. In our particular use case I wanted to set up a gitlab instance with IP whitelisting for gitlab and open access to the container registry. However, in order to achieve this you need a special router in traefik which allows the docker login process (gitlab registry does not provide auth. Whenever auth is needed the user is forwarded to gitlab.your-domain.com/jwt/auth). Here is my compose extension, maybe it's helpful for somebody:

```yaml
# Gitlab Registry auth
- traefik.http.routers.gitlab-registry-auth.rule=Host(`gitlab.your-domain.com`) && PathPrefix(`/jwt/auth`) && Query(`service=container_registry`)
- traefik.http.routers.gitlab-registry-auth.entrypoints=https
- traefik.http.routers.gitlab-registry-auth.tls=true
- traefik.http.routers.gitlab-registry-auth.service=gitlab
```

@FelixLorenz

thx!

@FelixLorenz

Hi, it was a pretty seamless experience until I tried to use ssh.
I followed the usual steps as described in the official gitlab docs, but something is wrong since ssh always wants to fall back to password.
Do you have any advice / experience?
Best, Felix
