This will serve SSH and HTTPS (with which I got an A+ from testssl).
Creates three docker containers:
- gitlab-postgresql
- gitlab-redis
- gitlab, which is linked to the other two and contains nginx, sshd, git and GitLab itself.
Each container has a volume mounted from the host system under /opt/docker-volumes/.
Alter the various environment variables accordingly, mostly where they look like <this>.
mkdir -p /opt/docker-volumes/{gitlab/certs,gitlab-postgresql,gitlab-redis}
openssl dhparam -out /opt/docker-volumes/gitlab/certs/dhparam.pem 4096
./certbot-auto certonly --standalone -d <domain_name>
cp /etc/letsencrypt/live/<domain_name>/* /opt/docker-volumes/gitlab/certs/
mv /opt/docker-volumes/gitlab/certs/fullchain.pem /opt/docker-volumes/gitlab/certs/gitlab.crt
mv /opt/docker-volumes/gitlab/certs/privkey.pem /opt/docker-volumes/gitlab/certs/gitlab.key
mv /opt/docker-volumes/gitlab/certs/chain.pem /opt/docker-volumes/gitlab/certs/ca.crt
chmod 0400 /opt/docker-volumes/gitlab/certs/gitlab.key
^ I think these directories need to be readable and writable by uid 1000 on the host, so you may need to run chown -R 1000 /opt/docker-volumes/gitlab*
Then start things up:
### postgresql
Choose a password for the GitLab database and substitute it for <db-password>.
docker run --name gitlab-postgresql -d \
--restart always \
--env 'DB_NAME=gitlabhq_production' \
--env 'DB_USER=gitlab' \
--env 'DB_PASS=<db-password>' \
--env 'DB_EXTENSION=pg_trgm' \
--volume /opt/docker-volumes/gitlab-postgresql:/var/lib/postgresql \
sameersbn/postgresql:9.5-3
### redis
docker run --name gitlab-redis -d \
--restart always \
--volume /opt/docker-volumes/gitlab-redis:/var/lib/redis \
sameersbn/redis:latest
### gitlab
Use the value you chose for <db-password> above.
Run this three times and record each output; the values are used for the GITLAB_SECRETS_* envs below.
pwgen -Bsv1 64
The GITLAB_ROOT_PASSWORD is kinda pointless I think, but I feel more comfortable smashing something decent in there.
docker run --name gitlab -d \
--restart always \
--volume /opt/docker-volumes/gitlab:/home/git/data \
--link gitlab-postgresql:postgresql \
--link gitlab-redis:redisio \
--publish 10022:22 \
--publish 10443:443 \
-e 'GITLAB_HTTPS=true' \
-e 'GITLAB_SIGNUP_ENABLED=false' \
-e 'GITLAB_PORT=10443' \
-e 'GITLAB_SSH_PORT=10022' \
-e 'GITLAB_ROOT_PASSWORD=<set_a_password>' \
-e 'GITLAB_HOST=<domain_name>' \
-e 'GITLAB_EMAIL=<email_address>' \
-e 'DB_USER=gitlab' \
-e 'DB_PASS=<db-password>' \
-e 'DB_NAME=gitlabhq_production' \
-e 'DB_TYPE=postgres' \
-e 'SMTP_ENABLED=true' \
-e 'SMTP_DOMAIN=<email_fqdn>' \
-e 'SMTP_HOST=<smtp_server>' \
-e 'SMTP_PORT=25' \
-e 'SMTP_USER=<email_username>' \
-e 'SMTP_PASS=<email_password>' \
-e 'GITLAB_SECRETS_DB_KEY_BASE=<random-64-chars>' \
-e 'GITLAB_SECRETS_SECRET_KEY_BASE=<random-64-chars>' \
-e 'GITLAB_SECRETS_OTP_KEY_BASE=<random-64-chars>' \
sameersbn/gitlab:8.14.3
Point your browser to https://<domain_name>:10443 and log in with the 'root' account password for initial setup.
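The notes say to replace everything that looks like <this> before running the three docker run commands above, and the database password has to be the same in the postgresql and gitlab commands. The following pre-flight check is an added example, not part of the original notes: it assumes you have pasted the docker run commands into a script (the name ./start-gitlab.sh is an assumption) and refuses to proceed if any <placeholder> is left, if DB_PASS differs between the containers, or if the three GITLAB_SECRETS_* values are missing, shorter than the 64 chars pwgen produces, or not distinct from each other.

```shell
#!/bin/sh
# Added example: pre-flight checks over a script holding the docker run
# commands from the notes. Run as: ./preflight.sh ./start-gitlab.sh
# (both script names are assumptions, not from the original notes).

# Print every unreplaced <placeholder> in FILE; return 1 if any remain.
find_placeholders() {
    file="$1"
    # Matches the <this> style placeholders used throughout the notes.
    if grep -nE '<[A-Za-z0-9_-]+>' "$file"; then
        echo "ERROR: unreplaced placeholders found in $file" >&2
        return 1
    fi
    return 0
}

# Print the value of every 'KEY=value' env assignment in FILE, one per line.
# KEY may be an extended regex, e.g. 'GITLAB_SECRETS_[A-Z_]*'.
env_values() {
    key="$1"; file="$2"
    sed -nE "s/.*'${key}=([^']*)'.*/\1/p" "$file"
}

# DB_PASS must be identical in the postgresql and gitlab containers,
# otherwise gitlab cannot reach its database.
check_db_pass_consistent() {
    file="$1"
    n=$(env_values DB_PASS "$file" | sort -u | grep -c .)
    if [ "$n" -ne 1 ]; then
        echo "ERROR: DB_PASS differs between containers (or is missing)" >&2
        return 1
    fi
    return 0
}

# The three GITLAB_SECRETS_* key bases should each be a separate 64-char
# pwgen output; reusing one value for all three weakens every secret at once.
check_secrets() {
    file="$1"
    vals=$(env_values 'GITLAB_SECRETS_[A-Z_]*' "$file")
    count=$(printf '%s\n' "$vals" | grep -c .)
    uniq=$(printf '%s\n' "$vals" | sort -u | grep -c .)
    [ "$count" -eq 3 ] || { echo "ERROR: expected 3 GITLAB_SECRETS_* values, found $count" >&2; return 1; }
    [ "$uniq" -eq 3 ]  || { echo "ERROR: GITLAB_SECRETS_* values must be distinct" >&2; return 1; }
    for v in $vals; do
        [ "${#v}" -ge 64 ] || { echo "ERROR: a GITLAB_SECRETS_* value is shorter than 64 chars" >&2; return 1; }
    done
    return 0
}

# Run all checks; succeeds only when every check passes.
preflight() {
    file="$1"
    find_placeholders "$file" && check_db_pass_consistent "$file" && check_secrets "$file"
}

# Only run when given a file on the command line, so the functions can be
# sourced by other scripts without side effects.
if [ -n "$1" ]; then
    preflight "$1" && echo "pre-flight OK: $1"
fi
```

The placeholder grep is deliberately strict: a stray `<email_fqdn>` that survives into SMTP_DOMAIN is harmless, but `DB_PASS=<db-password>` or an unreplaced key base ends up as the live credential, which is exactly what this catches.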
TODO:
- autorenew Let's Encrypt certs
  - to non-interactively renew all of your certificates, run "certbot-auto renew"
- use envs to specify the location of the certs, removing the need to rename them:
  -e 'SSL_CERTIFICATE_PATH=/home/git/data/certs/gitlab.crt' \
  -e 'SSL_KEY_PATH=/home/git/data/certs/gitlab.key' \
  -e 'SSL_DHPARAM_PATH=/home/git/data/certs/dhparam.pem' \
  -e 'SSL_CA_CERTIFICATES_PATH=/home/git/data/certs/ca.crt' \
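The first TODO item and the manual cp/mv/chmod/chown steps in the cert section above are the same job: every time certbot renews, the new fullchain.pem, privkey.pem and chain.pem have to land in /opt/docker-volumes/gitlab/certs under the names gitlab.crt, gitlab.key and ca.crt, with the key kept private, owned by uid 1000, and nginx inside the container restarted so it picks them up. The script below is an added example, not from the original notes or from the sameersbn images: it is written as a certbot deploy hook (certbot exports RENEWED_LINEAGE, the live directory of the certificate just renewed, to such hooks), and the hook path /etc/letsencrypt/renewal-hooks/deploy/gitlab.sh, the `--deploy-hook` flag and the `docker restart gitlab` step are assumptions about current certbot and this deployment. It also checks that the copied certificate and key actually belong together before restarting anything, so a botched copy cannot leave the site down.

```shell
#!/bin/sh
# Added example: certbot deploy hook for the gitlab container in the notes.
# Install as /etc/letsencrypt/renewal-hooks/deploy/gitlab.sh (assumed path)
# or run: certbot-auto renew --deploy-hook /path/to/gitlab.sh
# The uid 1000 owner comes from the notes; all paths below are assumptions.

# install_gitlab_certs LIVE_DIR DEST_DIR [OWNER]
# Copies certbot's live files into DEST_DIR under the names the container
# expects. Returns 1 if any expected input file is missing.
install_gitlab_certs() {
    live="$1"; dest="$2"; owner="${3:-1000}"
    for f in fullchain.pem privkey.pem chain.pem; do
        [ -f "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
    done
    mkdir -p "$dest"
    # Same renaming the notes do by hand: fullchain -> gitlab.crt,
    # chain -> ca.crt, privkey -> gitlab.key.
    cp "$live/fullchain.pem" "$dest/gitlab.crt"
    cp "$live/chain.pem"     "$dest/ca.crt"
    chmod 0444 "$dest/gitlab.crt" "$dest/ca.crt"
    # Remove the old 0400 key first (cp cannot overwrite it as non-root) and
    # create the new one under umask 077 so it is never briefly world-readable.
    rm -f "$dest/gitlab.key"
    ( umask 077; cp "$live/privkey.pem" "$dest/gitlab.key" )
    chmod 0400 "$dest/gitlab.key"
    # The container reads the volume as uid 1000; chown only works as root.
    chown "$owner" "$dest/gitlab.crt" "$dest/gitlab.key" "$dest/ca.crt" 2>/dev/null \
        || echo "warning: could not chown to $owner (not running as root?)" >&2
    return 0
}

# cert_matches_key CERT KEY
# Succeeds only if the certificate's public key equals the public half of the
# private key, i.e. the pair that will be handed to nginx actually matches.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$c" = "$k" ]
}

# When invoked by certbot as a deploy hook, RENEWED_LINEAGE points at
# /etc/letsencrypt/live/<domain_name> for the certificate just renewed.
if [ -n "$RENEWED_LINEAGE" ]; then
    dest=/opt/docker-volumes/gitlab/certs
    install_gitlab_certs "$RENEWED_LINEAGE" "$dest" 1000 || exit 1
    cert_matches_key "$dest/gitlab.crt" "$dest/gitlab.key" || {
        echo "refusing to restart: $dest/gitlab.crt does not match gitlab.key" >&2
        exit 1
    }
    # nginx inside the container only reads the files at startup.
    docker restart gitlab
fi
```

The dhparam.pem generated once in the notes is left alone; it is not tied to the certificate and does not change on renewal.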