安装Gitlab搭建私有Git仓库

Linode最近推出了新的数据中心Tokyo2,我使用的是$10/月 2G RAM配置的主机,用于搭建Gitlab完全足够了, 点击这里访问Linode

我的仓库地址:https://git.webapproach.net/

进入正题,购买主机并安装Ubuntu16.04LTS。

系统环境

Ubuntu 16.04 LTS

使用SSH密钥登录并禁用密码登录

在本地使用 ssh-keygen(而不是 openssl)生成一对 SSH 密钥:公钥 id_rsa.pub 和私钥 id_rsa,例如 `ssh-keygen -t rsa -b 4096`。私钥只保留在本地,绝不要上传到服务器。

将公钥(id_rsa.pub)上传到服务器,使用如下命令将公钥内容追加到 ~/.ssh/authorized_keys(注意 ~/.ssh 必须为 700、authorized_keys 必须为 600,否则 sshd 会拒绝使用该密钥)。

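# Create ~/.ssh with the permissions sshd insists on (it ignores keys in a
# group/world-writable directory or file), then append the public key.
mkdir -p ~/.ssh && chmod 700 ~/.ssh
cat id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# Confirm key-based login works from a NEW terminal before disabling passwords below.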

修改SSH配置禁止密码登录

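vim /etc/ssh/sshd_config
# Set the following. PasswordAuthentication alone is not enough: with PAM,
# keyboard-interactive password prompts remain unless ChallengeResponseAuthentication
# is also off. PermitRootLogin prohibit-password keeps root reachable by key only.
#   PasswordAuthentication no
#   ChallengeResponseAuthentication no
#   PermitRootLogin prohibit-password
#   PubkeyAuthentication yes
# Syntax-check before restarting so a typo cannot lock you out, and keep the current
# session open until a fresh key-based login has succeeded.
sshd -t && /etc/init.d/ssh restart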

安装Docker-Engine

参考 http://blog.csdn.net/dream_an/article/details/51985170

申请证书

安装LetsEncrypt证书自动申请工具

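sudo apt-get install letsencrypt
# --standalone binds port 80 itself, so run this BEFORE nginx/LNMP is installed (or stop
# nginx first). Renewal needs the same free port: use --pre-hook/--post-hook to stop and
# start nginx, or switch to --webroot once nginx is serving this host.
letsencrypt certonly --standalone -d git.webapproach.net
# The issued files land in /etc/letsencrypt/live/git.webapproach.net/. The nginx and
# compose configs below expect them as /srv/certs/webapproach.net/wa.crt (copy
# fullchain.pem, not cert.pem, or clients cannot build the chain) and wa.key
# (privkey.pem). Keep the private key 0600 and owned by root.
mkdir -p /srv/certs/webapproach.net
# 4096-bit DH group for nginx ssl_dhparam / the container's SSL_DHPARAM_PATH; this takes
# several minutes. Write it where those configs look for it instead of the current dir.
openssl dhparam -out /srv/certs/webapproach.net/dhparam.pem 4096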

安装Docker-Compose

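# Supply-chain check: the original piped an unverified download straight into
# /usr/local/bin. Download to a temp file first (-f so an HTTP error page is not saved
# as the "binary"), compare it against the SHA-256 published on the release page, and
# only then install it.
COMPOSE_VERSION=1.9.0
curl -fsSL -o /tmp/docker-compose \
  "https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)"
# Replace the placeholder with the checksum listed on the GitHub release for this
# version; sha256sum exits non-zero (and nothing is installed) if it does not match.
echo "<sha256-from-release-page>  /tmp/docker-compose" | sha256sum -c - \
  && install -m 0755 /tmp/docker-compose /usr/local/bin/docker-compose
docker-compose --version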

使用Docker安装ShadowSocks

# NOTE(review): unrelated to GitLab; this publishes a proxy on 0.0.0.0:8989 of the same
# host. The password given via -k is visible in `docker inspect ss` and in the
# container's process list, so do not reuse it anywhere else. aes-256-cfb is a non-AEAD
# cipher that the Shadowsocks project has deprecated in favour of AEAD ciphers
# (chacha20-ietf-poly1305 / aes-256-gcm) — check which of those this image's build
# supports before switching. The image tag is unpinned (latest); pin it.
docker pull tommylau/shadowsocks  
docker run --name=ss -p 8989:8989 -d tommylau/shadowsocks -s 0.0.0.0 -p 8989 -k 'xxx' -m aes-256-cfb  

使用Docker-Compose安装Gitlab以及SMTP邮件服务

gitlab.yml配置文件(用 `docker-compose -f gitlab.yml up -d` 启动)。注意:该文件包含数据库密码、SMTP密码、root密码和 GITLAB_SECRETS_* 密钥,不要提交到公开仓库或原样发布;下文示例中的值均为占位符,必须自行生成。

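version: '2'

# NOTE(review): this file carries live credentials (DB_PASS, SMTP_PASS,
# GITLAB_ROOT_PASSWORD, GITLAB_SECRETS_*). Keep it out of version control and blog
# posts, or move the values into an env_file with 0600 permissions. Any value that has
# already been published must be rotated.
services:
  redis:
    restart: always
    # TODO(review): pin to a release tag instead of `latest`. With `restart: always`
    # and a floating tag, an unplanned image pull silently upgrades the service.
    image: sameersbn/redis:latest
    command:
    - --loglevel warning
    volumes:
    - /srv/docker/gitlab/redis:/var/lib/redis:Z

  postgresql:
    restart: always
    image: sameersbn/postgresql:9.5-1
    volumes:
    - /srv/docker/gitlab/postgresql:/var/lib/postgresql:Z
    environment:
    - DB_USER=gitlab
    # Must match DB_PASS in the gitlab service below.
    - DB_PASS=xxx
    - DB_NAME=gitlabhq_production
    - DB_EXTENSION=pg_trgm

  postfix:
    restart: always
    # TODO(review): pin the tag (see redis note).
    image: catatnight/postfix:latest
    ports:
    # Published on every host interface because GitLab reaches it through the public
    # name smtp.webapproach.net (SMTP_HOST below). Submission requires the smtp_user
    # credentials, but consider firewalling 587 to the docker bridge, or pointing
    # SMTP_HOST at the service name `postfix` so the port need not be published at all.
    - "587:587"
    volumes:
    - /srv/certs/webapproach.net:/etc/postfix/certs
    environment:
    - maildomain=webapproach.net
    - smtp_user=mailer@webapproach.net:xxx
    dns:
    - 8.8.8.8

  gitlab:
    restart: always
    # TODO(review): pin to a specific GitLab release tag. GitLab upgrades run database
    # migrations, and `latest` can jump several versions at once on a re-pull.
    image: sameersbn/gitlab:latest
    depends_on:
    - redis
    - postgresql
    ports:
    # Bound to loopback: the host nginx is the only intended client. The original
    # "10080:80" published plain-HTTP GitLab on every interface, bypassing the TLS proxy.
    - "127.0.0.1:10080:80"
    # Git-over-SSH; GITLAB_SSH_PORT below advertises this port in clone URLs.
    - "1022:22"
    volumes:
    - /srv/docker/gitlab/gitlab:/home/git/data:Z
    - /var/log/gitlab:/var/log/gitlab
    # The SSL_*_PATH values below are paths inside the container; without this mount
    # they do not exist there. Read-only is sufficient.
    - /srv/certs/webapproach.net:/srv/certs/webapproach.net:ro
    environment:
    - DEBUG=false

    - DB_ADAPTER=postgresql
    - DB_HOST=postgresql
    - DB_PORT=5432
    - DB_USER=gitlab
    - DB_PASS=xxx
    - DB_NAME=gitlabhq_production

    - REDIS_HOST=redis
    - REDIS_PORT=6379

    # TZ takes an IANA zone name; "Asia/Beijing" does not exist, so the container
    # silently fell back to UTC. GITLAB_TIMEZONE is a Rails zone name, where "Beijing"
    # is valid.
    - TZ=Asia/Shanghai
    - GITLAB_TIMEZONE=Beijing

    # TLS is terminated by the host nginx, which then talks plain HTTP to port 80 of
    # this container. GitLab behind such a proxy expects the proxy to forward
    # X-Forwarded-Proto: https so that generated URLs use https (see the nginx config).
    - GITLAB_HTTPS=true
    - SSL_SELF_SIGNED=false

    # Key and certificate were swapped in the original (SSL_KEY_PATH pointed at wa.crt
    # and SSL_CERTIFICATE_PATH at wa.key).
    - SSL_KEY_PATH=/srv/certs/webapproach.net/wa.key
    - SSL_CERTIFICATE_PATH=/srv/certs/webapproach.net/wa.crt
    - SSL_DHPARAM_PATH=/srv/certs/webapproach.net/dhparam.pem
    # 30 days. This header is emitted by the container's nginx; set HSTS on the host
    # nginx as well so it does not depend on what the upstream sends.
    - NGINX_HSTS_MAXAGE=2592000

    - GITLAB_HOST=git.webapproach.net
    # External port as seen by users (the host nginx), not the published 10080.
    - GITLAB_PORT=443
    - GITLAB_SSH_PORT=1022
    - GITLAB_RELATIVE_URL_ROOT=
    # Generate three independent random strings (the image docs suggest
    # `pwgen -Bsv1 64`) and never copy them from an example: holders of these keys can
    # decrypt stored CI variables and OTP secrets and forge sessions. Back them up —
    # losing them makes the encrypted database columns unreadable.
    - GITLAB_SECRETS_DB_KEY_BASE=xxx
    - GITLAB_SECRETS_SECRET_KEY_BASE=xxx
    - GITLAB_SECRETS_OTP_KEY_BASE=xxx

    # Initial admin password; change it after first login (it stays readable here).
    - GITLAB_ROOT_PASSWORD=xxx
    - GITLAB_ROOT_EMAIL=root@webapproach.net

    - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true
    - GITLAB_NOTIFY_PUSHER=false

    - GITLAB_EMAIL=notifications@webapproach.net
    - GITLAB_EMAIL_REPLY_TO=noreply@webapproach.net
    - GITLAB_INCOMING_EMAIL_ADDRESS=reply@webapproach.net

    # Backups are written under /home/git/data (the volume above); copy them off-host.
    - GITLAB_BACKUP_SCHEDULE=daily
    - GITLAB_BACKUP_TIME=01:00

    - SMTP_ENABLED=true
    - SMTP_DOMAIN=webapproach.net
    # Public name of the postfix service above; its TLS certificate must match this
    # name for STARTTLS to verify.
    - SMTP_HOST=smtp.webapproach.net
    - SMTP_PORT=587
    - SMTP_USER=mailer@webapproach.net
    # Must match the password part of smtp_user in the postfix service.
    - SMTP_PASS=xxx
    - SMTP_STARTTLS=true
    - SMTP_AUTHENTICATION=login

    - IMAP_ENABLED=false
    - IMAP_HOST=imap.gmail.com
    - IMAP_PORT=993
    - IMAP_USER=mailer@webapproach.net
    - IMAP_PASS=xxx
    - IMAP_SSL=true
    - IMAP_STARTTLS=false

    # OAuth providers are disabled; the blank entries below are inert placeholders.
    - OAUTH_ENABLED=false
    - OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=
    - OAUTH_ALLOW_SSO=
    - OAUTH_BLOCK_AUTO_CREATED_USERS=true
    - OAUTH_AUTO_LINK_LDAP_USER=false
    - OAUTH_AUTO_LINK_SAML_USER=false
    - OAUTH_EXTERNAL_PROVIDERS=

    - OAUTH_CAS3_LABEL=cas3
    - OAUTH_CAS3_SERVER=
    - OAUTH_CAS3_DISABLE_SSL_VERIFICATION=false
    - OAUTH_CAS3_LOGIN_URL=/cas/login
    - OAUTH_CAS3_VALIDATE_URL=/cas/p3/serviceValidate
    - OAUTH_CAS3_LOGOUT_URL=/cas/logout

    - OAUTH_GOOGLE_API_KEY=
    - OAUTH_GOOGLE_APP_SECRET=
    - OAUTH_GOOGLE_RESTRICT_DOMAIN=

    - OAUTH_FACEBOOK_API_KEY=
    - OAUTH_FACEBOOK_APP_SECRET=

    - OAUTH_TWITTER_API_KEY=
    - OAUTH_TWITTER_APP_SECRET=

    - OAUTH_GITHUB_API_KEY=
    - OAUTH_GITHUB_APP_SECRET=
    - OAUTH_GITHUB_URL=
    - OAUTH_GITHUB_VERIFY_SSL=

    - OAUTH_GITLAB_API_KEY=
    - OAUTH_GITLAB_APP_SECRET=

    - OAUTH_BITBUCKET_API_KEY=
    - OAUTH_BITBUCKET_APP_SECRET=

    - OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL=
    - OAUTH_SAML_IDP_CERT_FINGERPRINT=
    - OAUTH_SAML_IDP_SSO_TARGET_URL=
    - OAUTH_SAML_ISSUER=
    - OAUTH_SAML_LABEL="Our SAML Provider"
    - OAUTH_SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    - OAUTH_SAML_GROUPS_ATTRIBUTE=
    - OAUTH_SAML_EXTERNAL_GROUPS=
    - OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL=
    - OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME=
    - OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME=
    - OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME=

    - OAUTH_CROWD_SERVER_URL=
    - OAUTH_CROWD_APP_NAME=
    - OAUTH_CROWD_APP_PASSWORD=

    - OAUTH_AUTH0_CLIENT_ID=
    - OAUTH_AUTH0_CLIENT_SECRET=
    - OAUTH_AUTH0_DOMAIN=

    - OAUTH_AZURE_API_KEY=
    - OAUTH_AZURE_API_SECRET=
    - OAUTH_AZURE_TENANT_ID=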

安装LNMP

参考 https://lnmp.org/install.html

Nginx反代Gitlab配置

# Backend is the GitLab container's port 80 as published by docker-compose. Keep the
# published port bound to 127.0.0.1 on the host so this proxy is the only way in.
upstream gitlab {  
    server 127.0.0.1:10080;
}

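# Plain-HTTP vhost: its only job is to send clients to HTTPS.
server
    {
        server_name git.webapproach.net;
        listen 80;

        # NOTE(review): the certificate was obtained with `letsencrypt --standalone`,
        # which needs port 80 free at renewal time. Either renew with
        # --pre-hook/--post-hook that stop and start nginx, or switch to --webroot and
        # add a `location /.well-known/acme-challenge/` above this one.

        # The original used a server-level `rewrite ... permanent`, which already
        # short-circuited every request; the proxy_pass block and the index directive
        # beneath it were dead configuration and are dropped. The hostname is
        # hard-coded on purpose: redirecting to $host would let a forged Host header
        # choose the redirect target.
        location / {
            return 301 https://git.webapproach.net$request_uri;
        }

        access_log  /home/wwwlogs/git.webapproach.net.80.log;
    }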


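# HTTPS vhost: terminates TLS and proxies plain HTTP to the GitLab container.
server
    {
        listen 443 ssl http2;
        server_name git.webapproach.net;

        # wa.crt must contain the full chain (leaf + intermediates) — for Let's Encrypt
        # that is fullchain.pem, not cert.pem — or many clients fail validation.
        ssl_certificate /srv/certs/webapproach.net/wa.crt;
        ssl_certificate_key /srv/certs/webapproach.net/wa.key;
        # The 4096-bit group generated earlier was never referenced by the host nginx.
        ssl_dhparam /srv/certs/webapproach.net/dhparam.pem;
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        # Same max-age as the container's NGINX_HSTS_MAXAGE (30 days), set here so it
        # does not depend on headers from the plain-HTTP upstream.
        add_header Strict-Transport-Security "max-age=2592000" always;

        # `git push` over HTTPS sends the whole pack in one request; nginx's default
        # client_max_body_size (1m) would reject anything larger with 413.
        client_max_body_size 0;

        location / {
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # GitLab only sees plain HTTP from this proxy; tell it the client connection
            # is TLS so generated URLs and redirects use https.
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Ssl on;
            proxy_set_header X-NginX-Proxy true;
            # Large clones/pushes can exceed the 60s default.
            proxy_read_timeout 300;

            proxy_pass http://gitlab;
        }

        access_log  /home/wwwlogs/git.webapproach.net.443.log;
    }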