@Nielio
Last active March 22, 2026 21:50
GitLab CE with built-in Container Registry behind Traefik 2 with Let's Encrypt

# compose.yml
version: "3.6"
services:
  gitlab:
    image: gitlab/gitlab-ce
    volumes:
      - gitlab-data:/var/opt/gitlab
      - gitlab-logs:/var/log/gitlab
      - gitlab-config:/etc/gitlab
    networks:
      - traefik-public
      - default
    ports:
      # Git over SSH: container port 22 is published directly on the host as 4224
      - target: 22
        published: 4224
        mode: host
    environment:
      # Load the Omnibus settings from the config file mounted below
      GITLAB_OMNIBUS_CONFIG: "from_file('/omnibus_config.rb')"
    configs:
      - source: gitlab
        target: /omnibus_config.rb
    secrets:
      - gitlab_root_password
    deploy:
      resources:
        limits:
          memory: 8G
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=traefik-public"
        # Router and service for the GitLab web UI (container port 80)
        - "traefik.http.routers.gitlab.rule=Host(`gitlab.your-domain.com`)"
        - "traefik.http.routers.gitlab.entrypoints=websecure"
        - "traefik.http.routers.gitlab.service=gitlab"
        - "traefik.http.routers.gitlab.tls.certresolver=letsencryptresolver"
        - "traefik.http.services.gitlab.loadbalancer.server.port=80"
        # Router and service for the Container Registry (container port 5005)
        - "traefik.http.routers.registry.rule=Host(`registry.your-domain.com`)"
        - "traefik.http.routers.registry.entrypoints=websecure"
        - "traefik.http.routers.registry.service=registry"
        - "traefik.http.routers.registry.tls.certresolver=letsencryptresolver"
        - "traefik.http.services.registry.loadbalancer.server.port=5005"
configs:
  gitlab:
    file: ./gitlab.rb
secrets:
  # Initial root password, read by gitlab.rb from /run/secrets/gitlab_root_password
  gitlab_root_password:
    file: ./root_password.txt
volumes:
  gitlab-data:
  gitlab-logs:
  gitlab-config:
networks:
  traefik-public:
    external: true
  default:

# Deploy the stack (Docker Swarm mode)
docker stack deploy -c compose.yml gitlab

# gitlab.rb
external_url 'https://gitlab.your-domain.com/'
# Strip the trailing newline an editor may leave in the secret file
gitlab_rails['initial_root_password'] = File.read('/run/secrets/gitlab_root_password').gsub("\n", "")

# Needed to let gitlab work behind traefik
nginx['listen_https'] = false
nginx['listen_port'] = 80

gitlab_rails['gitlab_ssh_host'] = 'gitlab.your-domain.com'
gitlab_rails['gitlab_shell_ssh_port'] = 4224

# container registry
registry_external_url 'http://registry.your-domain.com'
registry['enable'] = true
gitlab_rails['registry_enabled'] = true
registry_nginx['enable'] = true
registry_nginx['listen_port'] = 5005
registry_nginx['listen_https'] = false
registry_nginx['proxy_set_headers'] = {
  "Host" => "$http_host",
  "X-Real-IP" => "$remote_addr",
  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on"
}

gitlab_rails['rack_attack_git_basic_auth'] = {
  'enabled' => true,
  'ip_whitelist' => ["127.0.0.1"],
  'maxretry' => 10,
  'findtime' => 600,
  'bantime' => 136000
}

@Nieto2018
Thanks!! This guide helped me with the Nginx configuration for the Container Registry.
