derrekbertrand · July 1, 2018 23:38
diff --git a/gitlab.sh b/gitlab.sh
 # this makes sure every user has these files, so we can easily add keys
 mkdir /etc/skel/.ssh
 touch /etc/skel/.ssh/authorized_keys
 chmod 700 /etc/skel/.ssh
 chmod 600 /etc/skel/.ssh/authorized_keys

 # edit /etc/adduser.conf: set DIR_MODE to 0751

 # disable password login for ssh now
 # if you used keys instead of a password on digital ocean, this is already done
 adduser dbertrand
 usermod -a -G sudo dbertrand
 # chage -d 0 user // will force a pw reset on login
 # at this point I paste public keys into /home/user/.ssh/authorized_keys
 # the below copies my keys from the root user to that user
 cat /root/.ssh/authorized_keys >> /home/dbertrand/.ssh/authorized_keys
 # ssh in as your user, and test sudo privileges
 # change PermitRootLogin to 'no' and run:
 service sshd restart
 passwd -l root
 # https://about.gitlab.com/downloads/#ubuntu1604
 # install gitlab as described, reconfigure, log in, change your settings,etc
 # gitlab-ctl reconfigure has shittons of output, probably just ignore it
 # it's a ruby thing...
 apt update && apt upgrade
 # make sure mattermost is configured, it's one line around ~970
 # EFF certbot time
 add-apt-repository ppa:certbot/certbot
 apt update && apt install certbot
 mkdir -p /var/www/letsencrypt
 # this is the point at which we need to add location blocks to nginx
 # gitlab luckily has a not-so-retarded way to do this
 # look for lines like these; gitlab pages has one too
 # 993:# nginx['custom_gitlab_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n"
 # value: "location ^~ /.well-known { root /var/www/letsencrypt; }\n"
 gitlab-ctl reconfigure
 certbot certonly --agree-tos --webroot -w /var/www/letsencrypt -d www.site.com -d site.com
 # if all went well, change the external urls to https in gitlab
 # edit these lines too:
 # nginx['redirect_http_to_https'] = true
 # nginx['ssl_certificate'] = "/etc/letsencrypt/live/your_domain/fullchain.pem"
 # nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/your_domain/privkey.pem"
 # the mattermost equivalents are near line 1100, these must be changed too if active
 # all 3 of them should be set for each service
 gitlab-ctl reconfigure
 # add a cron, pick a different time so we don't all hit the server at once
 37 4 * * 1 /usr/bin/certbot renew --quiet --post-hook "/usr/bin/gitlab-ctl restart nginx" >> /var/log/le-renew.log
 # probably a good idea to set up a firewall and failtoban, whatever monitoring software you prefer, etc

 # note: to set up other services, I first had to get gitlab configured with https,
 # set the proper https external urls, and only THEN enable the other services
 # take care not to enable https redirect until after you've gotten a cert for the service, though
	# this makes sure every user has these files, so we can easily add keys
	mkdir /etc/skel/.ssh
	touch /etc/skel/.ssh/authorized_keys
	chmod 700 /etc/skel/.ssh
	chmod 600 /etc/skel/.ssh/authorized_keys

	# edit /etc/adduser.conf: set DIR_MODE to 0751

	# disable password login for ssh now
	# if you used keys instead of a password on digital ocean, this is already done
	adduser dbertrand
	usermod -a -G sudo dbertrand
	# chage -d 0 user // will force a pw reset on login
	# at this point I paste public keys into /home/user/.ssh/authorized_keys
	# the below copies my keys from the root user to that user
	cat /root/.ssh/authorized_keys >> /home/dbertrand/.ssh/authorized_keys
	# ssh in as your user, and test sudo privileges
	# change PermitRootLogin to 'no' and run:
	service sshd restart
	passwd -l root
	# https://about.gitlab.com/downloads/#ubuntu1604
	# install gitlab as described, reconfigure, log in, change your settings,etc
	# gitlab-ctl reconfigure has shittons of output, probably just ignore it
	# it's a ruby thing...
	apt update && apt upgrade
	# make sure mattermost is configured, it's one line around ~970
	# EFF certbot time
	add-apt-repository ppa:certbot/certbot
	apt update && apt install certbot
	mkdir -p /var/www/letsencrypt
	# this is the point at which we need to add location blocks to nginx
	# gitlab luckily has a not-so-retarded way to do this
	# look for lines like these; gitlab pages has one too
	# 993:# nginx['custom_gitlab_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n"
	# value: "location ^~ /.well-known { root /var/www/letsencrypt; }\n"
	gitlab-ctl reconfigure
	certbot certonly --agree-tos --webroot -w /var/www/letsencrypt -d www.site.com -d site.com
	# if all went well, change the external urls to https in gitlab
	# edit these lines too:
	# nginx['redirect_http_to_https'] = true
	# nginx['ssl_certificate'] = "/etc/letsencrypt/live/your_domain/fullchain.pem"
	# nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/your_domain/privkey.pem"
	# the mattermost equivalents are near line 1100, these must be changed too if active
	# all 3 of them should be set for each service
	gitlab-ctl reconfigure
	# add a cron, pick a different time so we don't all hit the server at once
	37 4 * * 1 /usr/bin/certbot renew --quiet --post-hook "/usr/bin/gitlab-ctl restart nginx" >> /var/log/le-renew.log
	# probably a good idea to set up a firewall and failtoban, whatever monitoring software you prefer, etc

	# note: to set up other services, I first had to get gitlab configured with https,
	# set the proper https external urls, and only THEN enable the other services
	# take care not to enable https redirect until after you've gotten a cert for the service, though