Gitlab и Registry на контейнерах + Nginx Load balancer
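# gitlab.example.com: the plain-HTTP listener does nothing but redirect to HTTPS.
server {
    listen 80;
    server_name gitlab.example.com;
    return 301 https://$server_name$request_uri;
}

# gitlab.example.com: TLS termination in front of the GitLab container
# (172.23.0.2 on the compose network below); the upstream hop is plain HTTP.
server {
    listen 443 ssl http2;
    server_name gitlab.example.com;

    # NOTE(review): the key file is named for a different host
    # (gr.inside.altpay.uk) than server_name; confirm this chain/key pair
    # actually covers gitlab.example.com.
    ssl_certificate /etc/nginx/ssl/gr.fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/gr.inside.altpay.uk.key;

    # Added: nginx's default is no server-side session cache, so without this
    # line session resumption relies on tickets alone; a shared cache lets the
    # 1d timeout apply to cached (session-ID) resumption as intended.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;
    # Consider add_header Strict-Transport-Security once the certificate
    # setup above is confirmed, so clients stop trying port 80 first.

    access_log /var/log/nginx/gitlab-access.log main;
    error_log /var/log/nginx/gitlab-error.log warn;

    location / {
        # Git pushes and artifact uploads can be arbitrarily large: no body
        # limit, and no re-compression of what GitLab already streams.
        client_max_body_size 0;
        gzip off;

        ## https://github.com/gitlabhq/gitlabhq/issues/694
        ## Some requests take more than 30 seconds.
        proxy_read_timeout 300;
        proxy_connect_timeout 300;

        proxy_redirect off;
        proxy_pass http://172.23.0.2;

        # Pass the original host and tell GitLab the client hop was TLS, so
        # it generates https:// links even though the upstream hop is http.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Stream responses straight through (long-running git operations).
        proxy_buffering off;
        proxy_http_version 1.1;
    }
}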
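# Run GitLab with its database, Redis and the container registry each in
# their own container, behind the nginx reverse proxy configured above.
# gitlab - https://github.com/sameersbn/docker-gitlab
# registry - https://docs.docker.com/registry/configuration
#
# SECURITY (review): this file carries live-looking secrets in clear text
# (GITLAB_SECRETS_*_KEY_BASE, REGISTRY_HTTP_SECRET, DB_PASS/POSTGRES_PASSWORD,
# IMAP_PASS). Keep them out of version control: move them to an .env file or
# a secret store and reference them here with Compose "${VAR}" substitution.
version: '3.9'

services:
  gitlab:
    image: sameersbn/gitlab:15.8.0-1
    container_name: gitlab
    restart: on-failure
    depends_on:
      - redis
      - postgres
      - registry
    volumes:
      - /data/gitlab/git/data:/home/git/data:Z
      # Shared with the registry service: the registry's token-signing
      # certificate/key pair lives here.
      - /data/certs:/certs:Z
    environment:
      - DEBUG=false
      # Database connection; host names are the container_name values below,
      # credentials must match the postgres service.
      - DB_ADAPTER=postgresql
      - DB_HOST=gitlab_postgres
      - DB_PORT=5432
      - DB_USER=gitlab
      - DB_PASS=password  # weak placeholder, same value as POSTGRES_PASSWORD below
      - DB_NAME=gitlab
      - REDIS_HOST=gitlab_redis
      - REDIS_PORT=6379
      # Fixed: "Europa/Minsk" is not a tz-database zone name; the IANA name
      # is "Europe/Minsk".
      - TZ=Europe/Minsk
      - GITLAB_TIMEZONE=Minsk
      # TLS is terminated by nginx, which sets X-Forwarded-Ssl/X-Forwarded-Proto.
      # NOTE(review): with GITLAB_HTTPS=false and GITLAB_PORT=80, GitLab builds
      # http:// URLs and relies on the nginx 301 to reach https; confirm this
      # against the image's reverse-proxy documentation.
      - GITLAB_HTTPS=false
      - SSL_SELF_SIGNED=false
      - GITLAB_HOST=gitlab.example.com
      - GITLAB_PORT=80
      - GITLAB_SSH_PORT=22
      - GITLAB_RELATIVE_URL_ROOT=
      # Rails secret key bases. Generate once, store outside the repo, and
      # never rotate casually: changing them makes existing encrypted data
      # (CI variables, 2FA secrets) unreadable.
      - GITLAB_SECRETS_DB_KEY_BASE=2ca5ede065ede03eae0c4685611513a326621610de1c5bb75468f8e3237dc27a03909f8caf4c3e961e6d3978b76ae26db252547ad00913066405d3a8843ada5d
      - GITLAB_SECRETS_SECRET_KEY_BASE=a54249bd7b581dd859d329a78b3a46378f339489bb0539e8c6130d1bebafa083382aeea6f496530782eb0c2d874a421da23dc60dd244fbaf27b524c4d3b3577c
      - GITLAB_SECRETS_OTP_KEY_BASE=e680c1a4e1b0beb67ee45648dc328f0a14b6ed6b9b0429c1e750559b1027f0f2eb1880bc34ca2c50c7548d3758a7292e33081ad3735a17e2c9d75d4f6471774d
      # Container registry integration. The public host/port is what nginx
      # exposes; the API URL is the registry container's address on the
      # compose network. The key here pairs with the registry's
      # REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE so GitLab can mint registry tokens.
      - GITLAB_REGISTRY_ENABLED=true
      - GITLAB_REGISTRY_HOST=registry.example.com
      - GITLAB_REGISTRY_PORT=443
      - GITLAB_REGISTRY_API_URL=http://172.23.0.5:5000
      - GITLAB_REGISTRY_KEY_PATH=/certs/registry.key
      - SSL_REGISTRY_KEY_PATH=/certs/registry.key
      - SSL_REGISTRY_CERT_PATH=/certs/registry.crt
      # Empty value means the image falls back to its documented default root
      # password on first run; set a strong one before the first start.
      - GITLAB_ROOT_PASSWORD=
      - GITLAB_ROOT_EMAIL=
      - GITLAB_CREATE_GROUP=false
      - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true
      - GITLAB_NOTIFY_PUSHER=false
      - GITLAB_EMAIL=notifications@example.com
      - GITLAB_EMAIL_REPLY_TO=no-reply@example.com
      - GITLAB_INCOMING_EMAIL_ADDRESS=reply@example.com
      - GITLAB_BACKUP_SCHEDULE=daily
      - GITLAB_BACKUP_TIME=01:00
      # Outbound mail is disabled; the SMTP_* values below are inert until
      # SMTP_ENABLED=true.
      - SMTP_ENABLED=false
      - SMTP_DOMAIN=example.com
      - SMTP_HOST=postfix.example.com
      - SMTP_PORT=25
      - SMTP_USER=
      - SMTP_PASS=
      - SMTP_STARTTLS=false
      - SMTP_AUTHENTICATION=
      # Incoming mail (reply-by-email) is disabled; IMAP_PASS is still a
      # credential and should not be committed.
      - IMAP_ENABLED=false
      - IMAP_HOST=imap.gmail.com
      - IMAP_PORT=993
      - IMAP_USER=mailer@example.com
      - IMAP_PASS=password
      - IMAP_SSL=true
      - IMAP_STARTTLS=false
      # OmniAuth is disabled here; the provider settings below are the
      # image's full template, left in place for when a provider is enabled.
      - OAUTH_ENABLED=false
      - OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=
      - OAUTH_ALLOW_SSO=
      - OAUTH_BLOCK_AUTO_CREATED_USERS=true
      - OAUTH_AUTO_LINK_LDAP_USER=false
      - OAUTH_AUTO_LINK_SAML_USER=false
      - OAUTH_EXTERNAL_PROVIDERS=
      - OAUTH_CAS3_LABEL=cas3
      - OAUTH_CAS3_SERVER=
      - OAUTH_CAS3_DISABLE_SSL_VERIFICATION=false
      - OAUTH_CAS3_LOGIN_URL=/cas/login
      - OAUTH_CAS3_VALIDATE_URL=/cas/p3/serviceValidate
      - OAUTH_CAS3_LOGOUT_URL=/cas/logout
      - OAUTH_GOOGLE_API_KEY=
      - OAUTH_GOOGLE_APP_SECRET=
      - OAUTH_GOOGLE_RESTRICT_DOMAIN=
      - OAUTH_FACEBOOK_API_KEY=
      - OAUTH_FACEBOOK_APP_SECRET=
      - OAUTH_TWITTER_API_KEY=
      - OAUTH_TWITTER_APP_SECRET=
      - OAUTH_GITHUB_API_KEY=
      - OAUTH_GITHUB_APP_SECRET=
      - OAUTH_GITHUB_URL=
      - OAUTH_GITHUB_VERIFY_SSL=
      - OAUTH_GITLAB_API_KEY=
      - OAUTH_GITLAB_APP_SECRET=
      - OAUTH_BITBUCKET_API_KEY=
      - OAUTH_BITBUCKET_APP_SECRET=
      - OAUTH_BITBUCKET_URL=
      - OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL=
      - OAUTH_SAML_IDP_CERT_FINGERPRINT=
      - OAUTH_SAML_IDP_SSO_TARGET_URL=
      - OAUTH_SAML_ISSUER=
      # NOTE(review): in list syntax the double quotes are part of the value
      # Compose passes; confirm the image strips them or drop them.
      - OAUTH_SAML_LABEL="Our SAML Provider"
      - OAUTH_SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:2.0:nameid-format:transient
      - OAUTH_SAML_GROUPS_ATTRIBUTE=
      - OAUTH_SAML_EXTERNAL_GROUPS=
      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL=
      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME=
      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME=
      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME=
      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME=
      - OAUTH_CROWD_SERVER_URL=
      - OAUTH_CROWD_APP_NAME=
      - OAUTH_CROWD_APP_PASSWORD=
      - OAUTH_AUTH0_CLIENT_ID=
      - OAUTH_AUTH0_CLIENT_SECRET=
      - OAUTH_AUTH0_DOMAIN=
      - OAUTH_AUTH0_SCOPE=
      - OAUTH_AZURE_API_KEY=
      - OAUTH_AZURE_API_SECRET=
      - OAUTH_AZURE_TENANT_ID=
    networks:
      default:
        # Static address: nginx proxies gitlab.example.com to this IP.
        ipv4_address: 172.23.0.2

  redis:
    image: redis:7-alpine
    container_name: gitlab_redis
    restart: on-failure
    volumes:
      - /data/redis:/data:Z
    networks:
      default:
        # No port is published, so Redis (unauthenticated by default) is
        # reachable only from containers on the "gitlab" bridge network.
        ipv4_address: 172.23.0.3

  postgres:
    image: postgres:15-alpine
    container_name: gitlab_postgres
    restart: on-failure
    volumes:
      - /data/pgsql:/var/lib/postgresql:Z
    # Same list style as the other services; credentials must match the
    # DB_* values in the gitlab service.
    environment:
      - POSTGRES_USER=gitlab
      - POSTGRES_PASSWORD=password  # weak placeholder, same value as DB_PASS above
      - POSTGRES_DB=gitlab
    networks:
      default:
        ipv4_address: 172.23.0.4

  registry:
    image: registry:2
    container_name: gitlab_registry
    restart: on-failure
    volumes:
      - /data/registry:/registry:Z
      - /data/certs:/certs:Z
    environment:
      # NOTE(review): debug logging is verbose and can write request details
      # to the log; lower it once the setup is verified.
      - REGISTRY_LOG_LEVEL=debug
      # Signs upload-session state across requests; keep it secret and stable
      # (rotating it breaks in-flight pushes).
      - REGISTRY_HTTP_SECRET=72e2af2c125ece07c34b36b23418188b839c8c470218d594680f958520c029fb
      - REGISTRY_STORAGE_DELETE_ENABLED=true
      - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/registry
      # Token auth: GitLab issues the tokens (realm), signed with the key that
      # pairs with the certificate bundle below. Issuer and service must match
      # what GitLab puts in the tokens.
      - REGISTRY_AUTH_TOKEN_REALM=https://gitlab.example.com/jwt/auth
      - REGISTRY_AUTH_TOKEN_SERVICE=container_registry
      - REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer
      - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry.crt
      # Separate Redis DB index from GitLab's (which uses the default 0).
      - REGISTRY_REDIS_ADDR=gitlab_redis:6379
      - REGISTRY_REDIS_DB=1
    networks:
      default:
        # Static address: nginx proxies registry.example.com to this IP:5000,
        # and GITLAB_REGISTRY_API_URL points here too.
        ipv4_address: 172.23.0.5

networks:
  default:
    driver: bridge
    name: gitlab
    ipam:
      config:
        - subnet: 172.23.0.0/16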
.....
# Override fragment: the OAuth entries in the gitlab service's environment
# list that change when Google sign-in is switched on.
- OAUTH_ENABLED=true
- OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=
# Google is the only provider allowed for single sign-on.
- OAUTH_ALLOW_SSO=google_oauth2
# NOTE(review): auto-created accounts are left unblocked and no Google domain
# restriction is set below, which looks like it lets any Google account sign
# up and use the instance immediately; confirm that is intended.
- OAUTH_BLOCK_AUTO_CREATED_USERS=false
- OAUTH_AUTO_LINK_LDAP_USER=false
- OAUTH_AUTO_LINK_SAML_USER=false
- OAUTH_EXTERNAL_PROVIDERS=
# Placeholders: supply the real client id/secret from a secret store or .env
# file rather than committing them here.
- OAUTH_GOOGLE_API_KEY=key.apps.googleusercontent.com
- OAUTH_GOOGLE_APP_SECRET=token
- OAUTH_GOOGLE_RESTRICT_DOMAIN=
.....
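# registry.example.com: the plain-HTTP listener does nothing but redirect to
# HTTPS (docker clients refuse plain-HTTP registries by default anyway).
server {
    listen 80;
    server_name registry.example.com;
    return 301 https://$server_name$request_uri;
}

# registry.example.com: TLS termination in front of the registry container
# (172.23.0.5:5000 on the compose network); the upstream hop is plain HTTP.
server {
    # Nothing is ever served from disk by this vhost.
    root /dev/null;
    listen 443 ssl http2;
    server_name registry.example.com;

    # NOTE(review): the key file is named for a different host
    # (gr.inside.altpay.uk) than server_name; confirm this chain/key pair
    # actually covers registry.example.com.
    ssl_certificate /etc/nginx/ssl/gr.fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/gr.inside.altpay.uk.key;

    # Added: nginx's default is no server-side session cache, so without this
    # line session resumption relies on tickets alone; a shared cache lets the
    # 1d timeout apply to cached (session-ID) resumption as intended.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/registry-access.log main;
    error_log /var/log/nginx/registry-error.log warn;

    # Image layers are large and streamed in chunks: no body limit.
    client_max_body_size 0;
    chunked_transfer_encoding on;

    location / {
        # $http_host (not $host) keeps any explicit port the client sent, so
        # the registry builds Location/WWW-Authenticate URLs the client can
        # follow.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Large blob uploads can be slow.
        proxy_read_timeout 900;
        proxy_pass http://172.23.0.5:5000;
    }
}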