Linode 最近推出了新的数据中心 Tokyo2,我使用的是$10/月 2G RAM 配置的主机,用于搭建 Gitlab 完全足够了, 点击这里访问Linode

我的仓库地址:https://git.webapproach.net/

进入正题,购买主机并安装 Ubuntu 16.04 LTS。

系统环境

Ubuntu 16.04 LTS

使用 SSH 密钥登录并禁用密码登录

使用 openssl 生成一对公钥(id_rsa.pub)和私钥(id_rsa)

将公钥(id_rsa.pub)上传到服务器,使用如下命令将公钥内容添加至 authorized_keys

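# sshd (StrictModes, the default) ignores authorized_keys when ~/.ssh or the
# file is group/world writable, so create the directory and fix permissions
# before appending. Only the PUBLIC key (id_rsa.pub) goes on the server.
mkdir -p ~/.ssh && chmod 700 ~/.ssh
cat  id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys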

修改 SSH 配置禁止密码登录

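vim /etc/ssh/sshd_config

# In sshd_config set:   PasswordAuthentication no
# Keep this session open and confirm a key-based login works from a second
# terminal BEFORE restarting sshd, otherwise a bad key setup locks you out.

# sshd -t validates the config (prints nothing on success) so a typo does not
# take the daemon down on restart.
sshd -t && /etc/init.d/ssh restart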

安装 Docker-Engine

参考 Docker Engine Install

申请证书

安装 LetsEncrypt 证书自动申请工具

# Standalone mode has the client bind the web port (80 and/or 443) itself, so
# run this before the host nginx (LNMP) is up, or stop nginx first.
sudo apt-get install letsencrypt
letsencrypt certonly --standalone
# The compose file below expects the certificate as
# /srv/certs/webapproach.net/wa.crt and the key as .../wa.key; copy the issued
# files there. Let's Encrypt certificates are short-lived (90 days), so renewal
# has to re-copy them as well.
# Writes the DH group to the current directory; the compose file expects it at
# /srv/certs/webapproach.net/dhparam.pem, so move it there. 4096 bits can take
# many minutes on a small VPS.
openssl dhparam -out dhparam.pem 4096

安装 Docker-Compose

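# Install a pinned docker-compose release into /usr/local/bin.
# -f makes curl fail on an HTTP error instead of saving GitHub's HTML error
# page as the "binary"; -sS stays quiet but still reports failures.
COMPOSE_VERSION=1.9.0
curl -fsSL "https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
# TODO: compare `sha256sum /usr/local/bin/docker-compose` with the checksum
# published on the release page before trusting the binary.
chmod +x /usr/local/bin/docker-compose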

使用 Docker 安装 ShadowSocks

# Runs a Shadowsocks server in a container.
#   -p 8989:8989   publishes the port on every host interface; Docker adds its
#                  own iptables rules, which ufw rules typically do not filter.
#   -s 0.0.0.0 / -p 8989   bind address and port INSIDE the container; the
#                  server port must match the published container port.
#   -k 'xxx'       placeholder for the shared secret — use a long random value.
#   -m aes-256-cfb non-AEAD cipher (no integrity protection); prefer an AEAD
#                  method if this image's ss-server build offers one — verify.
docker pull tommylau/shadowsocks
docker run --name=ss -p 8989:8989 -d tommylau/shadowsocks -s 0.0.0.0 -p 8989 -k 'xxx' -m aes-256-cfb

使用 Docker-Compose 安装 Gitlab 以及 SMTP 邮件服务

gitlab.yml 配置文件

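version: '2'

# docker-compose definition for GitLab (sameersbn images) plus a Postfix relay.
# Every xxx is a placeholder. This file holds live secrets once filled in:
# keep it out of version control and readable by root only.
services:
  redis:
    restart: always
    image: sameersbn/redis:latest
    command:
      - --loglevel warning
    volumes:
      - /srv/docker/gitlab/redis:/var/lib/redis:Z

  postgresql:
    restart: always
    image: sameersbn/postgresql:9.5-1
    volumes:
      - /srv/docker/gitlab/postgresql:/var/lib/postgresql:Z
    environment:
      - DB_USER=gitlab
      # Must match DB_PASS in the gitlab service below.
      - DB_PASS=xxx
      - DB_NAME=gitlabhq_production
      - DB_EXTENSION=pg_trgm

  postfix:
    restart: always
    image: catatnight/postfix:latest
    # 587 is published on every host interface; Docker adds its own iptables
    # rules, which ufw rules typically do not filter. See the SMTP_HOST note
    # in the gitlab service for a way to avoid publishing it at all.
    ports:
      - '587:587'
    volumes:
      - /srv/certs/webapproach.net:/etc/postfix/certs
    environment:
      - maildomain=webapproach.net
      # NOTE(review): the key on this line was garbled by page extraction;
      # catatnight/postfix documents the setting as smtp_user=<user>:<pass>.
      - smtp_user=xxx@webapproach.net:xxx
    dns:
      - 8.8.8.8

  gitlab:
    restart: always
    image: sameersbn/gitlab:latest
    depends_on:
      - redis
      - postgresql
    ports:
      # Only HTTP (80) is published; TLS is terminated by the host nginx that
      # proxies to 127.0.0.1:10080. SSH for git is published on 1022.
      - '10080:80'
      - '1022:22'
    volumes:
      - /srv/docker/gitlab/gitlab:/home/git/data:Z
      - /var/log/gitlab:/var/log/gitlab
      # The SSL_*_PATH values below are paths INSIDE the container, so the
      # certificate directory has to be mounted there (read-only suffices).
      - /srv/certs/webapproach.net:/srv/certs/webapproach.net:ro
    environment:
      - DEBUG=false

      - DB_ADAPTER=postgresql
      - DB_HOST=postgresql
      - DB_PORT=5432
      - DB_USER=gitlab
      - DB_PASS=xxx
      - DB_NAME=gitlabhq_production

      - REDIS_HOST=redis
      - REDIS_PORT=6379

      # Asia/Beijing is not a tz database zone; Asia/Shanghai is the zone for
      # China Standard Time. GITLAB_TIMEZONE takes a Rails zone name, where
      # "Beijing" is valid.
      - TZ=Asia/Shanghai
      - GITLAB_TIMEZONE=Beijing

      - GITLAB_HTTPS=true
      - SSL_SELF_SIGNED=false

      # wa.key is the private key and wa.crt the certificate — the same files
      # the host nginx uses as ssl_certificate_key / ssl_certificate.
      - SSL_KEY_PATH=/srv/certs/webapproach.net/wa.key
      - SSL_CERTIFICATE_PATH=/srv/certs/webapproach.net/wa.crt
      - SSL_DHPARAM_PATH=/srv/certs/webapproach.net/dhparam.pem
      - NGINX_HSTS_MAXAGE=2592000

      - GITLAB_HOST=git.webapproach.net
      - GITLAB_PORT=443
      - GITLAB_SSH_PORT=1022
      - GITLAB_RELATIVE_URL_ROOT=
      # Generate each of these once (e.g. `openssl rand -hex 32`), never copy
      # them from an example, and never reuse them between installs. Rotating
      # GITLAB_SECRETS_DB_KEY_BASE after data exists generally makes the values
      # GitLab encrypted with it unreadable — back up before touching it.
      - GITLAB_SECRETS_DB_KEY_BASE=4dya9h51h9hfa9y51nnlfa9hr9a8519h591h5hoa
      - GITLAB_SECRETS_SECRET_KEY_BASE=da798hg91yf98ah51ho9fay98y51895y7hfauhfo
      - GITLAB_SECRETS_OTP_KEY_BASE=yr9h159fay9ah519hfa9851h9fa9y9519hda9

      - GITLAB_ROOT_PASSWORD=xxx
      # NOTE(review): the variable names on the e-mail lines below were lost in
      # page extraction and restored from sameersbn/gitlab's documented names
      # (GITLAB_ROOT_EMAIL, GITLAB_EMAIL, GITLAB_EMAIL_REPLY_TO,
      # GITLAB_INCOMING_EMAIL_ADDRESS, SMTP_USER, IMAP_USER) — verify.
      - GITLAB_ROOT_EMAIL=xxx@webapproach.net

      - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true
      - GITLAB_NOTIFY_PUSHER=false

      - GITLAB_EMAIL=xxx@webapproach.net
      - GITLAB_EMAIL_REPLY_TO=xxx@webapproach.net
      - GITLAB_INCOMING_EMAIL_ADDRESS=xxx@webapproach.net

      - GITLAB_BACKUP_SCHEDULE=daily
      - GITLAB_BACKUP_TIME=01:00

      - SMTP_ENABLED=true
      - SMTP_DOMAIN=webapproach.net
      # Mail leaves the container, goes out to smtp.webapproach.net and comes
      # back in through the published 587. If that name resolves to this host,
      # SMTP_HOST=postfix (the compose service name) would keep the traffic on
      # the compose network and let the 587 publish be dropped — check that
      # STARTTLS hostname verification still passes first.
      - SMTP_HOST=smtp.webapproach.net
      - SMTP_PORT=587
      - SMTP_USER=xxx@webapproach.net
      - SMTP_PASS=xxx
      - SMTP_STARTTLS=true
      - SMTP_AUTHENTICATION=login

      - IMAP_ENABLED=false
      - IMAP_HOST=imap.gmail.com
      - IMAP_PORT=993
      - IMAP_USER=xxx@gmail.com
      - IMAP_PASS=xxx
      - IMAP_SSL=true
      - IMAP_STARTTLS=false

      - OAUTH_ENABLED=false
      - OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=
      - OAUTH_ALLOW_SSO=
      - OAUTH_BLOCK_AUTO_CREATED_USERS=true
      - OAUTH_AUTO_LINK_LDAP_USER=false
      - OAUTH_AUTO_LINK_SAML_USER=false
      - OAUTH_EXTERNAL_PROVIDERS=

      - OAUTH_CAS3_LABEL=cas3
      - OAUTH_CAS3_SERVER=
      - OAUTH_CAS3_DISABLE_SSL_VERIFICATION=false
      - OAUTH_CAS3_LOGIN_URL=/cas/login
      - OAUTH_CAS3_VALIDATE_URL=/cas/p3/serviceValidate
      - OAUTH_CAS3_LOGOUT_URL=/cas/logout

      - OAUTH_GOOGLE_API_KEY=
      - OAUTH_GOOGLE_APP_SECRET=
      - OAUTH_GOOGLE_RESTRICT_DOMAIN=

      - OAUTH_FACEBOOK_API_KEY=
      - OAUTH_FACEBOOK_APP_SECRET=

      - OAUTH_TWITTER_API_KEY=
      - OAUTH_TWITTER_APP_SECRET=

      - OAUTH_GITHUB_API_KEY=
      - OAUTH_GITHUB_APP_SECRET=
      - OAUTH_GITHUB_URL=
      - OAUTH_GITHUB_VERIFY_SSL=

      - OAUTH_GITLAB_API_KEY=
      - OAUTH_GITLAB_APP_SECRET=

      - OAUTH_BITBUCKET_API_KEY=
      - OAUTH_BITBUCKET_APP_SECRET=

      - OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL=
      - OAUTH_SAML_IDP_CERT_FINGERPRINT=
      - OAUTH_SAML_IDP_SSO_TARGET_URL=
      - OAUTH_SAML_ISSUER=
      # In list form compose does not strip quotes, so the double quotes are
      # part of this value; drop them if SAML is ever enabled.
      - OAUTH_SAML_LABEL="Our SAML Provider"
      - OAUTH_SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:2.0:nameid-format:transient
      - OAUTH_SAML_GROUPS_ATTRIBUTE=
      - OAUTH_SAML_EXTERNAL_GROUPS=
      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL=
      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME=
      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME=
      - OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME=

      - OAUTH_CROWD_SERVER_URL=
      - OAUTH_CROWD_APP_NAME=
      - OAUTH_CROWD_APP_PASSWORD=

      - OAUTH_AUTH0_CLIENT_ID=
      - OAUTH_AUTH0_CLIENT_SECRET=
      - OAUTH_AUTH0_DOMAIN=

      - OAUTH_AZURE_API_KEY=
      - OAUTH_AZURE_API_SECRET=
      - OAUTH_AZURE_TENANT_ID=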

安装 LNMP

参考 https://lnmp.org/install.html

Nginx 反代 Gitlab 配置

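# Host nginx in front of the GitLab container: terminates TLS on 443 and
# forwards plain HTTP to the container's published port 10080.
upstream gitlab {
    server 127.0.0.1:10080;
}

# Port 80 only redirects to HTTPS. A server-level rewrite/return runs before
# any location is matched, so a proxy location in this block would never be
# reached; it is left out.
server {
    listen 80;
    server_name git.webapproach.net;

    # $request_uri keeps the original path and query string.
    return 301 https://git.webapproach.net$request_uri;

    access_log  /home/wwwlogs/git.webapproach.net.80.log;
}

server {
    listen 443 ssl http2;
    server_name git.webapproach.net;

    # wa.crt is the certificate, wa.key the private key; dhparam.pem is the
    # group generated with `openssl dhparam` during certificate setup.
    ssl_certificate     /srv/certs/webapproach.net/wa.crt;
    ssl_certificate_key /srv/certs/webapproach.net/wa.key;
    ssl_dhparam         /srv/certs/webapproach.net/dhparam.pem;

    # Drops SSLv3 / TLS 1.0 / TLS 1.1. Add TLSv1.3 once nginx is built against
    # an OpenSSL that supports it (the stock 16.04 OpenSSL does not).
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    # nginx's default client_max_body_size is 1m, which fails larger git pushes
    # over HTTPS with 413; raise as needed (0 disables the limit).
    client_max_body_size 512m;

    location / {
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header Host              $http_host;
        proxy_set_header X-NginX-Proxy     true;
        # Tell GitLab the client connection is TLS so the URLs it generates use
        # https and it does not bounce requests back to the redirect on 80.
        proxy_set_header X-Forwarded-Proto https;

        proxy_pass http://gitlab;
    }
}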