
@m-kyle
Last active March 8, 2016 17:50
GitLab Install

Installing and Configuring GitLab - Steps Taken - Ubuntu 14.04 LTS

Updated Ubuntu 14.04

  • sudo apt-get update
  • sudo apt-get upgrade
  • sudo apt-get dist-upgrade

GitLab

Install Dependencies

sudo apt-get install openssh-server postfix

Download and Install GitLab

  • wget https://downloads-packages.s3.amazonaws.com/ubuntu-14.04/gitlab_7.7.1-omnibus.5.4.1.ci-1_amd64.deb
  • sudo dpkg -i gitlab_7.7.1-omnibus.5.4.1.ci-1_amd64.deb

Configure and start GitLab

sudo gitlab-ctl reconfigure (Had to run twice - reported error first time)

Edit GitLab Config File

sudo nano /etc/gitlab/gitlab.rb

Change these options in the file:

nginx['enable'] = false
web_server['external_users'] = ['www-data']

Reconfigure GitLab

sudo gitlab-ctl reconfigure

Apache

Install

sudo apt-get install apache2

Build Yubikey Module

  • sudo apt-get install subversion libcurl3 libcurl4-openssl-dev apache2-dev
  • sudo svn checkout https://web.srvrs.co.uk/svn/apache-yubikey/trunk
  • cd trunk
  • sudo su (make sure to become root for this bit)
  • make
  • make install
  • Create mod_authn_yubikey.load

sudo nano /etc/apache2/mods-available/mod_authn_yubikey.load

Add this to file:

LoadFile /usr/lib/x86_64-linux-gnu/libcurl.so.4
LoadModule authn_yubikey_module /usr/lib/apache2/modules/mod_authn_yubikey.so

Create Symbolic Link

sudo ln -s /etc/apache2/mods-available/mod_authn_yubikey.load /etc/apache2/mods-enabled/mod_authn_yubikey.load
  • Create mod_authn_yubikey.conf

sudo nano /etc/apache2/mods-available/mod_authn_yubikey.conf

Add this to file:

AuthYkRequireSecure Off

Create Symbolic Link

sudo ln -s /etc/apache2/mods-available/mod_authn_yubikey.conf /etc/apache2/mods-enabled/mod_authn_yubikey.conf

Manually Create ykTmpDb

  • sudo touch /var/lib/apache2/ykTmpDb
  • sudo chown www-data:www-data /var/lib/apache2/ykTmpDb

SSL Certificate

  • Make Directory for Certificates

sudo mkdir /etc/apache2/certs

  • Generate Certificates
sudo openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -out /etc/apache2/certs/server.crt -keyout /etc/apache2/certs/server.key
  • Install Apache SSL Module

sudo a2enmod ssl

  • Restart Apache

sudo service apache2 restart

Pete's Certificates

  • cd /etc/ssl/certs/
  • sudo wget http://email4all.org/crls/ThirdTreeMediaCA.pem
  • link the Certificate Authority to its hash
sudo ln -s ThirdTreeMediaCA.pem `openssl x509 -hash -noout -in ThirdTreeMediaCA.pem`.0
  • Add certificate to certificate file - become root (sudo su)

cat ThirdTreeMediaCA.pem >> ca-certificates.crt

  • To test (the URL is quoted so the shell does not treat & as a background operator):
curl -v 'https://yubico-verify.media4aw.net:57004/index.php?id=1025&otp=dfhbgggudigultthlgbhldhkuvcducjrnldlukvinnnt'
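
The GitLab .deb above is installed with no integrity check, and the CA file is fetched over plain HTTP before being appended to the system trust bundle. The following is an added example (not part of the original notes) that gates both steps on a SHA-256 pin; the function names and the DEB_SHA256 / CA_SHA256 variables are hypothetical, and the pin values have to be obtained from the publisher out of band.

```shell
#!/bin/sh
# Added example, not part of the original notes. Pins are placeholders: get the
# real SHA-256 values from the publisher over a separate, trusted channel.

# sha256_of FILE: print the lowercase hex SHA-256 of the file as downloaded.
sha256_of() { sha256sum "$1" | awk '{print $1}'; }

# verify_pin FILE EXPECTED_HEX: return 0 only if the digest matches the pin.
verify_pin() {
    vp_want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 1; }
    vp_got=$(sha256_of "$1")
    [ "$vp_got" = "$vp_want" ] && return 0
    echo "SHA-256 mismatch for $1 (got $vp_got)" >&2
    return 1
}

# count_pem_certs FILE: number of certificate blocks in a PEM file.
count_pem_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# append_ca_if_pinned PEM EXPECTED_HEX BUNDLE
# Stands in for the bare `cat ThirdTreeMediaCA.pem >> ca-certificates.crt`
# step: the PEM must match its pin, hold exactly one certificate, and is
# appended only once even if the step is re-run.
append_ca_if_pinned() {
    verify_pin "$1" "$2" || return 1
    if [ "$(count_pem_certs "$1")" -ne 1 ]; then
        echo "refusing $1: expected exactly one certificate" >&2
        return 1
    fi
    # First body line after the BEGIN marker, used to spot an earlier append.
    ac_marker=$(awk 'f {print; exit} /^-----BEGIN CERTIFICATE-----/ {f=1}' "$1")
    [ -n "$ac_marker" ] || { echo "refusing $1: empty body" >&2; return 1; }
    grep -qxF -e "$ac_marker" "$3" 2>/dev/null && return 0   # already present
    cat "$1" >> "$3"
}

# Usage with the files from this guide (pin variables are hypothetical):
#   verify_pin gitlab_7.7.1-omnibus.5.4.1.ci-1_amd64.deb "$DEB_SHA256" \
#       && sudo dpkg -i gitlab_7.7.1-omnibus.5.4.1.ci-1_amd64.deb
#   append_ca_if_pinned ThirdTreeMediaCA.pem "$CA_SHA256" ca-certificates.crt
```

The pin here is the digest of the file exactly as published, not the certificate fingerprint that openssl prints, so it must be compared against a value computed the same way.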

Add Address to hosts file

  • sudo nano /etc/hosts
  • Add the server's IP addresses at the top of the file:
172.16.0.201  gitlab.macserver
172.16.0.201  macserver

Add GitLab Config File

  • sudo nano /etc/apache2/sites-available/gitlab.conf

Add content to file from gitlab.conf

  • sudo nano /etc/apache2/auth_yubikey.inc

Add content to file from auth_yubikey.inc

  • sudo mkdir /opt/gitlab/public/
  • sudo a2ensite gitlab.conf
  • sudo a2enmod rewrite proxy proxy_http
  • sudo service apache2 restart

auth_yubikey.inc

AuthType Basic
AuthBasicProvider yubikey
AuthName "TTM Yubiley"
AuthYkTimeout 9000
AuthYkResetTimeout 6000
AuthYkTmpFile /var/lib/apache2/ykTmpDb
AuthYkClientField "pdid="
AuthYkCurlTimeout 12
AuthYkCurlRetries 10
AuthYkRequireSecure On
AuthYkExternalErrorPage Off
AuthYkValidationUrl "https://yubico-verify.media4aw.net:57004/index.php?id=%d&otp=%s"
AuthYkPasswordValidationUrl "https://mail.email4all.org/services/uverify.php?u=%s&p=%s&y=%s"
Require valid-user

gitlab.conf

#This configuration has been tested on GitLab 6.0.0 and GitLab 6.0.1
#Note this config assumes unicorn is listening on default port 8080.
#Module dependencies
# mod_rewrite
# mod_proxy
# mod_proxy_http
<VirtualHost *:80 *:443>
    ServerName git.ttm.com
    ServerSignature Off
    # SSLEngine On applies to every address of this VirtualHost, so both the *:80 and *:443 listeners expect TLS.
    SSLEngine On
    SSLCertificateFile /etc/apache2/certs/server.crt
    SSLCertificateKeyFile /etc/apache2/certs/server.key
    LogLevel debug
    ProxyPreserveHost On
    # Ensure that encoded slashes are not decoded but left in their encoded state.
    # http://doc.gitlab.com/ce/api/projects.html#get-single-project
    AllowEncodedSlashes NoDecode
    <Location />
        # New authorization commands for apache 2.4 and up
        # http://httpd.apache.org/docs/2.4/upgrading.html#access
        # Require all granted
        ProxyPassReverse http://127.0.0.1:8080
        ProxyPassReverse http://git.ttm.com/
        include auth_yubikey.inc
        AuthYkPasswordAppendUrl "&d=git.ttm.com"
        Require valid-user granted
    </Location>
    #apache equivalent of nginx try files
    # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
    # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
    RewriteEngine on
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
    RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA]
    # needed for downloading attachments
    DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
    #Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
    ErrorDocument 404 /404.html
    ErrorDocument 422 /422.html
    ErrorDocument 500 /500.html
    ErrorDocument 503 /deploy.html
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
    ErrorLog /var/log/apache2/gitlab_error.log
    CustomLog /var/log/apache2/gitlab_forwarded.log common_forwarded
    CustomLog /var/log/apache2/gitlab_access.log combined env=!dontlog
    CustomLog /var/log/apache2/gitlab.log combined
</VirtualHost>