@seignovert
Created January 4, 2017 20:18
[Server] Install Gitlab and Mattermost with Let's Encrypt on Ubuntu 16.04

Gitlab and Mattermost installation

Initial DNS and contact emails

Add A record for the following website:

  • git.example.com
  • forum.example.com

And add email redirection for these emails:

Install and configure the necessary dependencies

sudo -i
apt-get update && apt-get install curl openssh-server ca-certificates git

[Optional]

If you install Postfix to send email, select "Internet Site" during setup. Instead of Postfix you can also use Sendmail, or point GitLab at a custom SMTP server (configured below in gitlab.rb).

apt-get install postfix

Setup Let's Encrypt

cd /root
git clone https://github.com/letsencrypt/letsencrypt
mkdir -p /root/letsencrypt-config

Create a Let's Encrypt config file and certificate

Then add the configuration file /root/letsencrypt-config/gitlab.ini:

# Let's Encrypt config file for GitLab instance

# Register certs with the following email address
email = [email protected]

# Standalone authenticator
authenticator = standalone

# Generate certificates for the specified domains.
domains = git.example.com, forum.example.com

# use a 4096 bit RSA key
rsa-key-size = 4096

Generate the certificates for the first time:

/root/letsencrypt/certbot-auto certonly -c /root/letsencrypt-config/gitlab.ini

Auto update for certificates

Create a cron job to renew Let's Encrypt certificates in /root/letsencrypt-config/renew-ssl-certificates.cron:

#!/bin/bash

gitlab-ctl stop nginx

/root/.local/share/letsencrypt/bin/certbot-auto certonly -c /root/letsencrypt-config/gitlab.ini --renew-by-default

gitlab-ctl start nginx

Then put the script in cron.monthly

chmod +x /root/letsencrypt-config/renew-ssl-certificates.cron
ln -s /root/letsencrypt-config/renew-ssl-certificates.cron /etc/cron.monthly/

Add Gitlab package server

curl -sS https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | sudo bash
sudo apt-get install gitlab-ce

Configuration of Gitlab

Edit gitlab.rb with:

## URL on which GitLab will be reachable.

external_url 'https://git.example.com'

############################
# gitlab.yml configuration #
############################

gitlab_rails['time_zone'] = 'UTC'
gitlab_rails['gitlab_email_enabled'] = true
gitlab_rails['gitlab_email_from'] = '[email protected]'
gitlab_rails['gitlab_email_display_name'] = 'Git <NAME>'
gitlab_rails['gitlab_email_reply_to'] = '[email protected]'

gitlab_rails['gitlab_default_projects_features_wiki'] = false
gitlab_rails['gitlab_default_projects_features_snippets'] = false

gitlab_rails['gravatar_enabled'] = false

################################
# GitLab email server settings #
################################

# SMTP OVH
# [Source](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/smtp.md#ovh)
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "ssl0.ovh.net"
gitlab_rails['smtp_port'] = 465
gitlab_rails['smtp_user_name'] = "[email protected]"
gitlab_rails['smtp_password'] = "<PASSWORD>"
gitlab_rails['smtp_domain'] = "ssl0.ovh.net"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = true
# 'none' skips verification of the SMTP server's certificate (the TLS session
# is encrypted but not authenticated); 'peer' makes GitLab verify it.
gitlab_rails['smtp_openssl_verify_mode'] = 'none'

################
# GitLab Nginx #
################

nginx['redirect_http_to_https'] = true

nginx['ssl_certificate'] = "/etc/letsencrypt/live/git.example.com/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/git.example.com/privkey.pem"

nginx['custom_gitlab_server_config']="location ^~ /.well-known {\n alias /var/www/letsencrypt/.well-known;\n}\n"

#####################
# GitLab Mattermost #
#####################

mattermost_external_url 'https://forum.example.com'

mattermost['service_use_ssl'] = true

mattermost['team_site_name'] = "Forum <NAME>"

mattermost['gitlab_enable'] = true
# mattermost['gitlab_id'] = "123id"
# mattermost['gitlab_secret'] = "1234secret"
# mattermost['gitlab_scope'] = ""
mattermost['gitlab_auth_endpoint'] = "https://git.example.com/oauth/authorize"
mattermost['gitlab_token_endpoint'] = "https://git.example.com/oauth/token"
mattermost['gitlab_user_api_endpoint'] = "https://git.example.com/api/v3/user"

mattermost['email_enable_sign_up_with_email'] = true
mattermost['email_enable_sign_in_with_email'] = true
mattermost['email_enable_sign_in_with_username'] = true
mattermost['email_send_email_notifications'] = true
mattermost['email_require_email_verification'] = true
mattermost['email_smtp_username'] = "[email protected]"
mattermost['email_smtp_password'] = "<PASSWORD>"
mattermost['email_smtp_server'] = "ssl0.ovh.net"
mattermost['email_smtp_port'] = 465
mattermost['email_connection_security'] = "TLS"
mattermost['email_feedback_name'] = "Forum <NAME>"
mattermost['email_feedback_email'] = "[email protected]"
mattermost['email_feedback_organization'] = " forum.example.com"
mattermost['email_send_push_notifications'] = true

mattermost['support_email'] = "[email protected]"

mattermost['privacy_show_email_address'] = false
mattermost['privacy_show_full_name'] = true

mattermost['localization_server_locale'] = "en"
mattermost['localization_client_locale'] = "fr"

####################
# Mattermost NGINX #
####################

mattermost_nginx['enable'] = true

mattermost_nginx['redirect_http_to_https'] = true

mattermost_nginx['ssl_certificate'] = "/etc/letsencrypt/live/git.example.com/fullchain.pem"
mattermost_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/git.example.com/privkey.pem"

Then reconfigure Gitlab Omnibus:

gitlab-ctl reconfigure
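The two hand-edited files above (the certbot ini and gitlab.rb) are easy to get out of step: a host in external_url or mattermost_external_url that is missing from the certificate's domains line, or a setting that quietly weakens transport security such as smtp_openssl_verify_mode = 'none' (GitLab then encrypts the SMTP session but never checks who it is talking to). The script below is an added example, not part of this gist or of GitLab: it parses both fragments with regular expressions matching the simple syntax used here, cross-checks the URL hosts against the certificate domains, and reports weak or placeholder settings. The sample inputs are constructed (chat.example.com is deliberately left out of the certificate to show the check firing); the file layouts are assumed to match the ones in this gist.

```python
"""Audit a certbot ini plus a gitlab.rb excerpt for the mismatches and weak
settings a Let's Encrypt / GitLab / Mattermost setup tends to accumulate.

Added example (not from the gist): regex parsers for the two simple formats,
a host-coverage check and a short list of transport-security checks.
"""
import re
from urllib.parse import urlparse

# Constructed sample of /root/letsencrypt-config/gitlab.ini (assumed layout).
LETSENCRYPT_INI = """\
email = admin@example.com
authenticator = standalone
domains = git.example.com, forum.example.com
rsa-key-size = 4096
"""

# Constructed gitlab.rb excerpt; the weak values mirror the ones in the gist,
# and chat.example.com is intentionally absent from the certificate domains.
GITLAB_RB = """\
external_url 'https://git.example.com'
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_tls'] = true
gitlab_rails['smtp_openssl_verify_mode'] = 'none'
gitlab_rails['smtp_password'] = "<PASSWORD>"
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/letsencrypt/live/git.example.com/fullchain.pem"
mattermost_external_url 'https://chat.example.com'
mattermost_nginx['enable'] = true
mattermost_nginx['redirect_http_to_https'] = false
"""

INI_LINE = re.compile(r"^\s*([\w-]+)\s*=\s*(.*?)\s*$")
# section['key'] = value   (surrounding quotes on the value are stripped later)
RB_SETTING = re.compile(r"^\s*(\w+)\['(\w+)'\]\s*=\s*(.+?)\s*$")
# external_url 'https://...'   /   mattermost_external_url "https://..."
RB_URL = re.compile(r"^\s*(external_url|mattermost_external_url)\s+['\"]([^'\"]+)['\"]")


def parse_ini(text):
    """Return the certbot ini as a dict; `domains` becomes a list of hosts."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = INI_LINE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    if "domains" in conf:
        conf["domains"] = [d.strip() for d in conf["domains"].split(",") if d.strip()]
    return conf


def parse_gitlab_rb(text):
    """Return ({(section, key): value}, {url_setting: url}) from a gitlab.rb excerpt."""
    settings, urls = {}, {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = RB_URL.match(line)
        if m:
            urls[m.group(1)] = m.group(2)
            continue
        m = RB_SETTING.match(line)
        if m:
            settings[(m.group(1), m.group(2))] = m.group(3).strip("'\"")
    return settings, urls


def audit(ini_text, rb_text):
    """Return a sorted list of findings (strings); an empty list means nothing to report."""
    findings = []
    cert = parse_ini(ini_text)
    settings, urls = parse_gitlab_rb(rb_text)
    covered = set(cert.get("domains", []))

    # Every public URL must be https and its host must be on the certificate.
    for name, url in urls.items():
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(f"{name} is not https: {url}")
        if parsed.hostname not in covered:
            findings.append(f"{name} host {parsed.hostname} is not in the certificate domains")

    # 'none' disables verification of the SMTP server certificate.
    if settings.get(("gitlab_rails", "smtp_openssl_verify_mode")) == "none":
        findings.append("smtp_openssl_verify_mode is 'none': the SMTP server certificate is not verified")

    # Both nginx instances should force HTTPS.
    for section in ("nginx", "mattermost_nginx"):
        if settings.get((section, "redirect_http_to_https")) != "true":
            findings.append(f"{section}['redirect_http_to_https'] is not true")

    # Placeholders like <PASSWORD> left in place mean the file is not finished.
    for (section, key), value in settings.items():
        if "password" in key and value.startswith("<") and value.endswith(">"):
            findings.append(f"{section}['{key}'] still holds a placeholder")

    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(LETSENCRYPT_INI, GITLAB_RB):
        print("-", finding)
```

Run it before gitlab-ctl reconfigure; on real files read them with open() and pass the text to audit(). The parsers only understand the one-setting-per-line style used in this gist, which is deliberate: a gitlab.rb that needs a Ruby interpreter to evaluate is also harder to review.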

Sources:


sbor23 commented Nov 13, 2017

Great instructions!
FYI, instead of cloning from github.com/letsencrypt you might as well add the certbot PPA and use certbot instead of certbot-auto.
I just did this and it works.
