Initial commit

.env.sample

+HOST=gitlab.societe-informatique-de-france.fr
+TZ=Europe/Paris

.gitignore

+/docker-compose.yml
+.env
+runner/.env

Readme.md

+# Gitlab
+
+Le `docker-compose.yml` contenant des mots de passes n'est pas inclus dans ce dépôt par mesure de sécurité.
+
+## Installation
+
+```
+cp docker-compose.yml.sample docker-compose.yml
+```
+
+Puis éditer ce fichier et changer :
+
++ Toutes les variables en .FQDN
++ Les informations d'envoi de mail
++ L'IP de traefik
+
+Puis faire `docker-compose up`
+
+## Description du docker-compose
+
+### Gitlab
+
+* La configuration de gitlab est exclusivement effectuée par la variable `GITLAB_OMNIBUS_CONFIG`.
+* L'accès en ssh à gitlab se fait via le port `2222` exposé sur l'hote
+
+### Runner
+
+Ce docker-compose gère un runner gitlab, il est séparé de gitlab car il faut attendre le lancement complet de gitlab pour démarrer les runner et qu'un réseau partagé n'est pas nécessaire.
+
+* dind : Docker In Docker image docker utilisée pour lancer des conteneurs docker par le runner
+* runner1 : le runner
+* register-runner : un conteneur dont le seul rôle est d'enregistrer le runner sur gitlab
+* Aucun port exposé

backup.sh

+#!/bin/bash
+echo "Deleting old backups"
+find backups/ -ctime +3 -delete
+echo "Backing up Gitlab"
+DIR=$(dirname $0)
+cd $DIR
+. .env
+docker-compose exec -T gitlab gitlab-backup create
+docker-compose exec -T gitlab gitlab-ctl backup-etc --delete-old-backups
+echo "Compressing backups"
+for f in backups/*.tar; do
+    gzip $f;
+done
+echo "Done"

docker-compose.yml.sample

+version: '3'
+services:
+
+  gitlab:
+    image: 'gitlab/gitlab-ce:16.8.1-ce.0'
+    restart: always
+    hostname: 'gitlab.FQDN'
+    networks:
+      - ldap
+      - traefik
+    environment:
+      TZ:
+      GITLAB_OMNIBUS_CONFIG: |
+        gitlab_rails['gitlab_shell_ssh_port'] = 2222
+        external_url = 'https://gitlab.FQDN'
+        nginx['listen_port'] = 80
+        nginx['listen_https'] = false
+        nginx['proxy_set_headers'] = {
+            "X-Forwarded-Proto" => "https",
+            "X-Forwarded-Ssl" => "on"
+        }
+        nginx['redirect_http_to_https'] = true
+        nginx['redirect_http_to_https_port'] = 80
+        gitlab_rails['allowed_hosts'] = ['gitlab.FQDN', 'localhost', '127.0.0.1', 'gitlab']
+        # Each address is added to the the NGINX config as 'set_real_ip_from <address>;'
+        # TODO replace the 172.19.0.6 ip by traefik's one
+        nginx['real_ip_trusted_addresses'] = [ '172.19.0.6' ]
+        # other real_ip config options
+        nginx['real_ip_header'] = 'X-Forwarded-For'
+        nginx['real_ip_recursive'] = 'on'
+        letsencrypt['enable'] = false
+        # Limit backup lifetime to 3 days - 259200 seconds
+        gitlab_rails['backup_keep_time'] = 259200
+        gitlab_rails['rack_attack_git_basic_auth'] = {
+            'enabled' => true,
+            # TODO replace the 172.19.0.6 ip by traefik's one
+            'ip_whitelist' => ["127.0.0.1", '172.19.0.6'],
+            'maxretry' => 10, # Limit the number of Git HTTP authentication attempts per IP
+            'findtime' => 60, # Reset the auth attempt counter per IP after 60 seconds
+            'bantime' => 3600 # Ban an IP for one hour (3600s) after too many auth attempts
+        }
+        # Mail
+        gitlab_rails['smtp_enable'] = true
+        gitlab_rails['smtp_address'] = "changeme"
+        gitlab_rails['smtp_port'] = 465
+        gitlab_rails['smtp_user_name'] = "changeme@FQDN"
+        gitlab_rails['smtp_password'] = "changeme"
+        gitlab_rails['smtp_domain'] = "changeme"
+        gitlab_rails['smtp_authentication'] = "login"
+        gitlab_rails['smtp_enable_starttls_auto'] = true
+        gitlab_rails['smtp_tls'] = true
+        gitlab_rails['smtp_openssl_verify_mode'] = 'peer'
+        # If your SMTP server does not like the default 'From: gitlab@localhost' you
+        # # can change the 'From' with this setting.
+        gitlab_rails['gitlab_email_from'] = 'changeme@FQDN'
+        # gitlab_rails['gitlab_email_reply_to'] = 'noreply@example.com'
+
+        gitlab_rails['incoming_email_enabled'] = true
+
+        # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
+        # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
+        gitlab_rails['incoming_email_address'] = "changeme+%{key}@FQDN"
+        
+        # Email account username
+        # With third party providers, this is usually the full email address.
+        # With self-hosted email servers, this is usually the user part of the email address.
+        gitlab_rails['incoming_email_email'] = "changeme@FDQN"
+        # Email account password
+        gitlab_rails['incoming_email_password'] = "changeme"
+        
+        # IMAP server host
+        gitlab_rails['incoming_email_host'] = "changeme"
+        # IMAP server port
+        gitlab_rails['incoming_email_port'] = 993
+        # Whether the IMAP server uses SSL
+        gitlab_rails['incoming_email_ssl'] = true
+        # Whether the IMAP server uses StartTLS
+        gitlab_rails['incoming_email_start_tls'] = false
+        
+        # The mailbox where incoming mail will end up. Usually "inbox".
+        gitlab_rails['incoming_email_mailbox_name'] = "inbox"
+        # The IDLE command timeout.
+        gitlab_rails['incoming_email_idle_timeout'] = 60
+        
+        # Whether to expunge (permanently remove) messages from the mailbox when they are deleted after delivery
+        gitlab_rails['incoming_email_expunge_deleted'] = true
+        
+        # Add any other gitlab.rb configuration here, each on its own line
+    ports:
+      - '2222:22'
+    volumes:
+      - 'gitlab_config:/etc/gitlab'
+      - 'gitlab_logs:/var/log/gitlab'
+      - 'gitlab_data:/var/opt/gitlab'
+    shm_size: '256m'
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+      - "traefik.http.routers.gitlab.rule=Host(`${HOST}`)"
+      - "traefik.http.routers.gitlab.tls.certresolver=myresolver"
+      - "traefik.http.routers.gitlab.entrypoints=web,websecure"
+      - "traefik.http.services.gitlab.loadbalancer.server.port=80"
+      - "traefik.http.routers.gitlab.middlewares=hardening@docker"
+
+volumes:
+  gitlab_config:
+  gitlab_logs:
+  gitlab_data:
+
+networks:
+  traefik:
+    external: true

runner/.env.sample

+HOST=https://gitlab.societe-informatique-de-france.fr
+REGISTRATION_TOKEN=changeme

runner/docker-compose.yml

+version: '3'
+services:
+  # Docker-in-Docker Gitlab runners setup taken from:
+  # https://medium.com/@tonywooster/docker-in-docker-in-gitlab-runners-220caeb708ca
+  dind:
+    restart: always
+    privileged: true
+    volumes:
+      - /var/lib/docker
+    image: docker:20-dind
+  
+  runner1:
+    restart: always
+    image: gitlab/gitlab-runner:alpine
+    links:
+      - dind
+    volumes:
+      - gitlab_runner:/etc/gitlab-runner:Z
+    environment:
+      - DOCKER_HOST=tcp://dind:2375
+      - DOCKER_TLS_CERTDIR=''
+  
+  register-runner:
+    restart: 'no'
+    image: gitlab/gitlab-runner:alpine
+    volumes:
+      - gitlab_runner:/etc/gitlab-runner:Z
+    command:
+      - register
+      - --non-interactive
+      - --locked=false
+      - --name=Docker Runner
+      - --executor=docker
+      - --docker-image=docker:20-dind
+      - --docker-volumes=/var/run/docker.sock:/var/run/docker.sock
+    environment:
+      - CI_SERVER_URL=${HOST}
+      - REGISTRATION_TOKEN=${REGISTRATION_TOKEN}
+
+
+volumes:
+    gitlab_runner: