zekroTJA/docker-compose.yml

## docker-compose.yml
version: '3'

services:

  # We will use an enginx layer to simply encrypt the
  # HTTP traffic with SSL using a self singed certificate.
  nginx:
    image: 'nginx:latest'
    ports:
      - '80:80'
      - '443:443'
      - '8443:8443'
    volumes:
      - './volumes/nginx/config/etc/nginx'
      - '/etc/cert:/etc/cert:ro'
    restart: always

  # The actual GitLab container configuration
  gitlab:
    image: 'gitlab/gitlab-ee:latest'
    hostname: 'YourMachine'
    domainname: 'your.domain.com'
    expose:
      - '80'
      - '8443'
    ports:
      # SSH port
      - '22:22'
      # Kerberos requires according to reference
      # a TCP outbound and a UDP inbound over
      # the port 88
      - '88:88/tcp'
      - '88:88/udp'
    volumes:
      - './volumes/gitlab/data:/var/opt/gitlab'
      - './volumes/gitlab/config:/etc/gitlab'
      - './volumes/gitlab/logs:/var/log/gitlab'
      - './volumes/gitlab/backups:/var/opt/gitlab/backups'
    restart: always

  # Portainer container accessing the docker socket on
  # the host system for better docker management and
  # monitoring
  portainer:
    image: 'portainer/portainer:latest'
    ports:
      - '9000:9000'
    volumes:
      - './volumes/portainer:/data'
      '/var/run/docker.sock:/var/run/docker.sock'
    restart: always

## gitlab.rb
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['kerberos']

gitlab_rails['kerberos_enabled'] = true
gitlab_rails['kerberos_keytab'] = '/etc/gitlab/http.keytab'

# This needs to be set to allow ticket based authentication.
gitlab_rails['kerberos_use_dedicated_port'] = true
gitlab_rails['kerberos_port'] = 8443
# HTTPS will be disabled here because NGINX cares about
# routing its incomming TLS encrypted kerberos requests
# over HTTP docker-internaly to GitLab.
gitlab_rails['kerberos_https'] = false

## nginx.cfg
events {
  worker_connections 1024;
}

http {

  large_client_header_buffers 4 32k;

  # Automatically redirect all incomming HTTP reuqests to HTTPS
  server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
  }

  # GitLab server reverse proxy
  server {
    listen 443 ssl;
    ssl_certificate      /etc/cert/cert.pem;
    ssl_certificate_key  /etc/cert/key.pem;

    server_name t1-git-01;

    location / {
      resolver 127.0.0.11 valid=30s;
      set $upstream_gitlab gitlab;
      proxy_pass http://$upstream_gitlab:80;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
  }
}

# Kerberos request reverse stream proxy
stream {
   server {
    listen 8443 ssl;
    ssl_certificate      /etc/cert/cert.pem;
    ssl_certificate_key  /etc/cert/key.pem;

    resolver 127.0.0.11 valid=30s;
    proxy_pass gitlab:8443;
  }
}
	version: '3'

	services:

	# We will use an enginx layer to simply encrypt the
	# HTTP traffic with SSL using a self singed certificate.
	nginx:
	image: 'nginx:latest'
	ports:
	- '80:80'
	- '443:443'
	- '8443:8443'
	volumes:
	- './volumes/nginx/config/etc/nginx'
	- '/etc/cert:/etc/cert:ro'
	restart: always

	# The actual GitLab container configuration
	gitlab:
	image: 'gitlab/gitlab-ee:latest'
	hostname: 'YourMachine'
	domainname: 'your.domain.com'
	expose:
	- '80'
	- '8443'
	ports:
	# SSH port
	- '22:22'
	# Kerberos requires according to reference
	# a TCP outbound and a UDP inbound over
	# the port 88
	- '88:88/tcp'
	- '88:88/udp'
	volumes:
	- './volumes/gitlab/data:/var/opt/gitlab'
	- './volumes/gitlab/config:/etc/gitlab'
	- './volumes/gitlab/logs:/var/log/gitlab'
	- './volumes/gitlab/backups:/var/opt/gitlab/backups'
	restart: always

	# Portainer container accessing the docker socket on
	# the host system for better docker management and
	# monitoring
	portainer:
	image: 'portainer/portainer:latest'
	ports:
	- '9000:9000'
	volumes:
	- './volumes/portainer:/data'
	'/var/run/docker.sock:/var/run/docker.sock'
	restart: always
	gitlab_rails['omniauth_enabled'] = true
	gitlab_rails['omniauth_allow_single_sign_on'] = ['kerberos']

	gitlab_rails['kerberos_enabled'] = true
	gitlab_rails['kerberos_keytab'] = '/etc/gitlab/http.keytab'

	# This needs to be set to allow ticket based authentication.
	gitlab_rails['kerberos_use_dedicated_port'] = true
	gitlab_rails['kerberos_port'] = 8443
	# HTTPS will be disabled here because NGINX cares about
	# routing its incomming TLS encrypted kerberos requests
	# over HTTP docker-internaly to GitLab.
	gitlab_rails['kerberos_https'] = false
	events {
	worker_connections 1024;
	}

	http {

	large_client_header_buffers 4 32k;

	# Automatically redirect all incomming HTTP reuqests to HTTPS
	server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name _;
	return 301 https://$host$request_uri;
	}

	# GitLab server reverse proxy
	server {
	listen 443 ssl;
	ssl_certificate /etc/cert/cert.pem;
	ssl_certificate_key /etc/cert/key.pem;

	server_name t1-git-01;

	location / {
	resolver 127.0.0.11 valid=30s;
	set $upstream_gitlab gitlab;
	proxy_pass http://$upstream_gitlab:80;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	}
	}
	}

	# Kerberos request reverse stream proxy
	stream {
	server {
	listen 8443 ssl;
	ssl_certificate /etc/cert/cert.pem;
	ssl_certificate_key /etc/cert/key.pem;

	resolver 127.0.0.11 valid=30s;
	proxy_pass gitlab:8443;
	}
	}