commit ea3a47fe20ce5f1254b1d0639881b4095eae4509
Author: Vassiliy Yegorov
Date: Fri May 7 14:04:17 2021 +0700
init
diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..6eee92f
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,86 @@
+# Service name
+#
+SERVICE_NAME=gitlab
+
+# Container names
+# Summary container name in docker-compose.yml will be "${SERVICE_NAME}_${CONTAINER_NAME-*}"
+#
+CONTAINER_NAME_GITLAB=server
+CONTAINER_NAME_PGSQL=pgsql
+CONTAINER_NAME_REDIS=redis
+CONTAINER_NAME_REGISTRY=registry
+CONTAINER_NAME_RUNNER=runner
+
+# Docker images
+#
+DOCKER_IMAGE_GITLAB=sameersbn/gitlab:latest
+DOCKER_IMAGE_PGSQL=sameersbn/postgresql:latest
+DOCKER_IMAGE_REDIS=sameersbn/redis:latest
+DOCKER_IMAGE_REGISTRY=registry:latest
+DOCKER_IMAGE_RUNNER=vasyakrg/gitlab-runner
+
+# SMTP settings
+SMTP_ENABLED=true
+SMTP_DOMAIN=
+
+SMTP_HOST=smtp.mailgun.org
+SMTP_PORT=587
+SMTP_USER=
+SMTP_PASS=
+SMTP_STARTTLS=true
+SMTP_AUTHENTICATION=login
+
+GITLAB_EMAIL=noreply@
+GITLAB_EMAIL_REPLY_TO=noreply@
+GITLAB_INCOMING_EMAIL_ADDRESS=noreply@
+
+# Gitlab domain name
+#
+GITLAB_HOST=gitlab.
+
+# Gitlab ssh public port
+#
+GITLAB_SSH_PORT=10022
+
+# Gitlab root user password
+# Use only when clear install
+#
+GITLAB_ROOT_EMAIL=
+GITLAB_ROOT_PASSWORD=
+
+# Docker registry domain name
+#
+REGISTRY_HOST=docker.
+# DB credentials
+#
+DB_USER=gitlab
+DB_PASS=
+DB_NAME=gitlab_production
+
+# Container data path on the host
+# Summary container data path will be "${SERVICE_DATA}/${SERVICE_NAME}"
+#
+SERVICE_DATA=/srv/services/data
+
+# Email for letsencrypt
+#
+LETSENCRYPT_EMAIL=
+
+# Gitlab runner token
+#
+RUNNER_TOKEN=
+
+GITLAB_TIMEZONE=Asia/Novosibirsk
+
+# Runner on the same host with gitlab
+#
+CI_SERVER_WITH_RUNNER=true
+
+# Network names
+#
+#SERVICE_NETWORK=gitlab
+WEBPROXY_NETWORK=webproxy
+
+GITLAB_SECRETS_DB_KEY_BASE=
+GITLAB_SECRETS_SECRET_KEY_BASE=
+GITLAB_SECRETS_OTP_KEY_BASE=
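Review bot: `CI_SERVER_LOCAL_IP` is read by every runner service in docker-compose.yml (`CI_SERVER_LOCAL_IP=${CI_SERVER_LOCAL_IP}`) but is not declared anywhere in this example, so a user who fills in every variable as the README instructs still starts the runners with that value empty; add `CI_SERVER_LOCAL_IP=` next to `CI_SERVER_WITH_RUNNER=true` with a comment saying what it is for. The `DOCKER_IMAGE_*` defaults are all `:latest` and `vasyakrg/gitlab-runner` carries no tag at all, so two hosts built from the same `.env` can run different image contents and a rebuild can silently change what is deployed; pin tags (or digests) and bump them deliberately. `SMTP_ENABLED=true` here is never read, because docker-compose.yml hardcodes `SMTP_ENABLED=true`, so either pass it through as `${SMTP_ENABLED}` or drop it from the example. The three `GITLAB_SECRETS_*` lines at the end are the only group without a comment; I would add `# GitLab key bases: generate a long random value for each and back them up together with the data directory, since the database cannot be decrypted without them`.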
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..06c120c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+.env
+*.pem
+*.crt
+*.key
+*.csr
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..a2e74f4
--- /dev/null
+++ b/README.md
@@ -0,0 +1,26 @@
+## Gitlab in docker
+
+Полноценная сборка сервера Gitlab, его базы на psql, 4х раннеров и своего docker-registry, разворачеваемая на докер-хосте
+
+1. переименовываем `.env.example` в `.env`
+2. заполняем по максимому внимательно все переменные (кроме `RUNNER_TOKEN=`)
+3. распаковываем в папке ssl-certs сертификаты и кладем там же (сертификаты noname и нужны лишь для внутреннего взаимодействия между gitlab и registry компонентами)
+4. запускаем сборку `docker-compose up -d`
+5. когда сервер запустится, вы войдете в систему под рутом, надо сходить в раздел раннеров (/admin/runners) и подсмотреть там токен, который и нужно будет заполнить в переменной `RUNNER_TOKEN=` и снова запустить `docker-compose up -d`, после чего раннеры перезапустятся и зарегистрируються в системе.
+
+Подразумевается, что у вас есть `домен` и вы уже создали два поддомена `docker` и `gitlab`
+Подразумевается, что и гитлаб и регистри будут работать через один порт 443
+Подразумевается, что у вас уже есть webproxy или traefik, которые возьмут на себя ингрессы контейнеров и выдачу (обновление) им сертификатов
+(сеть webpоxy как раз комментирована по этому - ее надо будет раскоментировать по свои условия)
+
+`labels` у контейнеров подготовлены, если у вас traefik, раскомментите эти поля
+
+`runner` - костомизирован только тем, что в нем встроена система авторегистрации на сервере.
+
+## Автор \ Author
+
+- **Vassiliy Yegorov** [vasyakrg](https://github.com/vasyakrg)
+- [youtube](https://youtube.com/realmanual)
+- [site](https://vk.com/realmanual)
+- [telegram](https://t.me/realmanual)
+- [any qiestions for me](https://t.me/realmanual_group)
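Review bot: The patterns keep loose `*.key`/`*.crt`/`*.pem`/`*.csr` files out of the repository but not archives, and this same commit adds `ssl-certs/ssl-certs.zip`, which the README describes as the certificates to unpack into `ssl-certs/`; if that archive contains the private key that docker-compose.yml mounts as `/certs/registry.key` (`GITLAB_REGISTRY_KEY_PATH`), then the key that signs registry auth tokens is committed to git and shared by every deployment built from the bundle. Whether the zip actually holds a private key cannot be confirmed from this diff, but the ignore rules suggest the author did not intend key material to be tracked. Generate the keypair per deployment instead (a setup step or a documented openssl command in the README), add `ssl-certs/` or `*.zip` to this file, and treat any key already in the committed bundle as public.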
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..5f14d46
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,234 @@
+version: '3.7'
+
+services:
+ gitlab:
+ image: ${DOCKER_IMAGE_GITLAB}
+ container_name: ${SERVICE_NAME}_${CONTAINER_NAME_GITLAB}
+ restart: always
+ depends_on:
+ - postgresql
+ - redis
+ ports:
+ - "${GITLAB_SSH_PORT}:22"
+ expose:
+ - 80
+ # labels:
+ # - "traefik.enable=true"
+ # - "traefik.http.routers.gitlab-server.entrypoints=https"
+ # - "traefik.http.routers.gitlab-server.rule=Host(`${GITLAB_HOST}`)"
+ # - "traefik.http.routers.gitlab-server.tls=true"
+ # - "traefik.http.routers.gitlab-server.tls.certresolver=letsEncrypt"
+ # - "traefik.http.services.gitlab-server-service.loadbalancer.server.port=80"
+ # - "traefik.docker.network=webproxy"
+ volumes:
+ - ${SERVICE_DATA}/${SERVICE_NAME}/gitlab:/home/git/data:Z
+ - ${SERVICE_DATA}/${SERVICE_NAME}/certs:/certs
+ environment:
+ - DEBUG=false
+
+ - DB_ADAPTER=postgresql
+ - DB_HOST=${SERVICE_NAME}_${CONTAINER_NAME_PGSQL}
+ - DB_PORT=5432
+ - DB_USER=${DB_USER}
+ - DB_PASS=${DB_PASS}
+ - DB_NAME=${DB_NAME}
+
+ - REDIS_HOST=${SERVICE_NAME}_${CONTAINER_NAME_REDIS}
+ - REDIS_PORT=6379
+
+ - TZ=UTC
+ - GITLAB_TIMEZONE=${GITLAB_TIMEZONE}
+
+ - GITLAB_HTTPS=false
+ - SSL_SELF_SIGNED=false
+
+ - GITLAB_HOST=${GITLAB_HOST}
+ - GITLAB_PORT=80
+ - GITLAB_SSH_PORT=${GITLAB_SSH_PORT}
+ - GITLAB_SECRETS_DB_KEY_BASE=${GITLAB_SECRETS_DB_KEY_BASE}
+ - GITLAB_SECRETS_SECRET_KEY_BASE=${GITLAB_SECRETS_SECRET_KEY_BASE}
+ - GITLAB_SECRETS_OTP_KEY_BASE=${GITLAB_SECRETS_OTP_KEY_BASE}
+
+ - GITLAB_ROOT_PASSWORD=${GITLAB_ROOT_PASSWORD}
+ - GITLAB_ROOT_EMAIL=${GITLAB_ROOT_EMAIL}
+
+ - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true
+ - GITLAB_NOTIFY_PUSHER=false
+
+ - GITLAB_EMAIL=${GITLAB_EMAIL}
+ - GITLAB_EMAIL_REPLY_TO=${GITLAB_EMAIL_REPLY_TO}
+ - GITLAB_INCOMING_EMAIL_ADDRESS=${GITLAB_INCOMING_EMAIL_ADDRESS}
+
+ - GITLAB_PAGES_ENABLED=false
+
+ - SMTP_ENABLED=true
+ - SMTP_DOMAIN=${SMTP_DOMAIN}
+ - SMTP_HOST=${SMTP_HOST}
+ - SMTP_PORT=${SMTP_PORT}
+ - SMTP_USER=${SMTP_USER}
+ - SMTP_PASS=${SMTP_PASS}
+ - SMTP_STARTTLS=${SMTP_STARTTLS}
+ - SMTP_AUTHENTICATION=${SMTP_AUTHENTICATION}
+
+ - IMAP_ENABLED=false
+ - LDAP_ENABLED=false
+
+ - GITLAB_REGISTRY_ENABLED=true
+ - GITLAB_REGISTRY_HOST=${REGISTRY_HOST}
+ - GITLAB_REGISTRY_API_URL=http://registry:5000/
+ - GITLAB_REGISTRY_KEY_PATH=/certs/registry.key
+ healthcheck:
+ test: ["CMD", "/usr/local/sbin/healthcheck"]
+ interval: 1m
+ timeout: 5s
+ retries: 5
+ start_period: 2m
+ networks:
+ # - webproxy
+ - service
+
+ registry:
+ image: ${DOCKER_IMAGE_REGISTRY}
+ container_name: ${SERVICE_NAME}_${CONTAINER_NAME_REGISTRY}
+ restart: always
+ expose:
+ - 5000
+ # labels:
+ # - "traefik.enable=true"
+ # - "traefik.http.routers.gitlab-registry.entrypoints=https"
+ # - "traefik.http.routers.gitlab-registry.rule=Host(`${REGISTRY_HOST}`)"
+ # - "traefik.http.routers.gitlab-registry.tls=true"
+ # - "traefik.http.routers.gitlab-registry.tls.certresolver=letsEncrypt"
+ # - "traefik.http.services.gitlab-registry-service.loadbalancer.server.port=5000"
+ # - "traefik.docker.network=webproxy"
+ volumes:
+ - ${SERVICE_DATA}/${SERVICE_NAME}/gitlab/shared/registry:/registry
+ - ${SERVICE_DATA}/${SERVICE_NAME}/certs:/certs
+ environment:
+ - REGISTRY_AUTH_TOKEN_AUTOREDIRECT=false
+ - REGISTRY_LOG_LEVEL=debug
+ - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/registry
+ - REGISTRY_AUTH_TOKEN_REALM=https://${GITLAB_HOST}/jwt/auth
+ - REGISTRY_AUTH_TOKEN_SERVICE=container_registry
+ - REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer
+ - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry.crt
+ - REGISTRY_STORAGE_DELETE_ENABLED=true
+ networks:
+ # - webproxy
+ - service
+
+ postgresql:
+ image: ${DOCKER_IMAGE_PGSQL}
+ container_name: ${SERVICE_NAME}_${CONTAINER_NAME_PGSQL}
+ restart: always
+ environment:
+ - DB_USER=${DB_USER}
+ - DB_PASS=${DB_PASS}
+ - DB_NAME=${DB_NAME}
+ - DB_EXTENSION=pg_trgm
+ volumes:
+ - ${SERVICE_DATA}/${SERVICE_NAME}/postgresql:/var/lib/postgresql:Z
+ networks:
+ - service
+
+ redis:
+ restart: always
+ image: ${DOCKER_IMAGE_REDIS}
+ container_name: ${SERVICE_NAME}_${CONTAINER_NAME_REDIS}
+ command:
+ - --loglevel warning
+ volumes:
+ - ${SERVICE_DATA}/${SERVICE_NAME}/redis:/var/lib/redis:Z
+ networks:
+ - service
+
+ runner_1:
+ image: ${DOCKER_IMAGE_RUNNER}
+ container_name: ${SERVICE_NAME}_${CONTAINER_NAME_RUNNER}_1
+ restart: always
+ depends_on:
+ - gitlab
+ volumes:
+ - ${SERVICE_DATA}/${SERVICE_NAME}/gitlab-runner_1:/etc/gitlab-runner
+ - /var/run/docker.sock:/var/run/docker.sock
+ command: --debug run --user=gitlab-runner --working-directory=/home/gitlab-runner
+ environment:
+ - CI_SERVER_URL=https://${GITLAB_HOST}
+ - CI_SERVER_LOCAL_IP=${CI_SERVER_LOCAL_IP}
+ - CI_SERVER_WITH_RUNNER=${CI_SERVER_WITH_RUNNER}
+ - RUNNER_TOKEN=${RUNNER_TOKEN}
+ - RUNNER_DESCRIPTION=gitab-runner_1
+ - RUNNER_EXECUTOR=docker
+ - DOCKER_IMAGE=gitlab/gitlab-runner-helper:x86_64-latest
+ networks:
+ - service
+
+ runner_2:
+ image: ${DOCKER_IMAGE_RUNNER}
+ container_name: ${SERVICE_NAME}_${CONTAINER_NAME_RUNNER}_2
+ restart: always
+ depends_on:
+ - gitlab
+ volumes:
+ - ${SERVICE_DATA}/${SERVICE_NAME}/gitlab-runner_2:/etc/gitlab-runner
+ - /var/run/docker.sock:/var/run/docker.sock
+ command: --debug run --user=gitlab-runner --working-directory=/home/gitlab-runner
+ environment:
+ - CI_SERVER_URL=https://${GITLAB_HOST}
+ - CI_SERVER_WITH_RUNNER=${CI_SERVER_WITH_RUNNER}
+ - CI_SERVER_LOCAL_IP=${CI_SERVER_LOCAL_IP}
+ - RUNNER_TOKEN=${RUNNER_TOKEN}
+ - RUNNER_DESCRIPTION=gitab-runner_2
+ - RUNNER_EXECUTOR=docker
+ - DOCKER_IMAGE=gitlab/gitlab-runner-helper:x86_64-latest
+ networks:
+ - service
+
+ runner_3:
+ image: ${DOCKER_IMAGE_RUNNER}
+ container_name: ${SERVICE_NAME}_${CONTAINER_NAME_RUNNER}_3
+ restart: always
+ depends_on:
+ - gitlab
+ volumes:
+ - ${SERVICE_DATA}/${SERVICE_NAME}/gitlab-runner_3:/etc/gitlab-runner
+ - /var/run/docker.sock:/var/run/docker.sock
+ command: --debug run --user=gitlab-runner --working-directory=/home/gitlab-runner
+ environment:
+ - CI_SERVER_URL=https://${GITLAB_HOST}
+ - CI_SERVER_WITH_RUNNER=${CI_SERVER_WITH_RUNNER}
+ - CI_SERVER_LOCAL_IP=${CI_SERVER_LOCAL_IP}
+ - RUNNER_TOKEN=${RUNNER_TOKEN}
+ - RUNNER_DESCRIPTION=gitab-runner_3
+ - RUNNER_EXECUTOR=docker
+ - DOCKER_IMAGE=gitlab/gitlab-runner-helper:x86_64-latest
+ networks:
+ - service
+
+ runner_4:
+ image: ${DOCKER_IMAGE_RUNNER}
+ container_name: ${SERVICE_NAME}_${CONTAINER_NAME_RUNNER}_4
+ restart: always
+ depends_on:
+ - gitlab
+ volumes:
+ - ${SERVICE_DATA}/${SERVICE_NAME}/gitlab-runner_4:/etc/gitlab-runner
+ - /var/run/docker.sock:/var/run/docker.sock
+ command: --debug run --user=gitlab-runner --working-directory=/home/gitlab-runner
+ environment:
+ - CI_SERVER_URL=https://${GITLAB_HOST}
+ - CI_SERVER_WITH_RUNNER=${CI_SERVER_WITH_RUNNER}
+ - CI_SERVER_LOCAL_IP=${CI_SERVER_LOCAL_IP}
+ - RUNNER_TOKEN=${RUNNER_TOKEN}
+ - RUNNER_DESCRIPTION=gitab-runner_4
+ - RUNNER_EXECUTOR=docker
+ - DOCKER_IMAGE=gitlab/gitlab-runner-helper:x86_64-latest
+ networks:
+ - service
+
+networks:
+ service:
+ name: ${SERVICE_NAME}
+ # webproxy:
+ # external:
+ # name: ${WEBPROXY_NETWORK}
diff --git a/fix-unicorn.sh b/fix-unicorn.sh
new file mode 100755
index 0000000..0128b18
--- /dev/null
+++ b/fix-unicorn.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+echo "fix gitlab_server unicorn error"
+docker exec -it gitlab_server rm /home/git/gitlab/tmp/pids/unicorn.pid && docker restart gitlab_server
diff --git a/ssl-certs/ssl-certs.zip b/ssl-certs/ssl-certs.zip
new file mode 100644
index 0000000..bdaeb9b
Binary files /dev/null and b/ssl-certs/ssl-certs.zip differ
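Review bot: All four `runner_N` services mount `/var/run/docker.sock` and use `RUNNER_EXECUTOR=docker`, so any CI job these runners pick up can drive the host's Docker daemon, which in practice amounts to root on the same host that runs GitLab, PostgreSQL, Redis and the registry; that is a known trade-off for a single-host setup, but it belongs in the README, and the runners should be restricted to trusted projects or moved to a separate host where the workload allows. `RUNNER_DESCRIPTION=gitab-runner_1` (and `_2` through `_4`) misspells `gitlab`. `REGISTRY_LOG_LEVEL=debug` on the registry is a development setting for a long-running service; `info` is the quieter default and avoids logging request detail that is not needed in production. The four runner blocks differ only in their numeric suffix, so a top-level `x-runner: &runner` extension field merged into each service with `<<: *runner` would leave only `container_name`, the config volume path and the description per runner, and the `gitab` typo would then exist in one place.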
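Review bot: The container name `gitlab_server` is hardcoded twice in the last line although docker-compose.yml builds it from `${SERVICE_NAME}_${CONTAINER_NAME_GITLAB}`, so the script targets a non-existent (or, worse, a different) container as soon as `.env` changes either variable. Read the env file and derive the name: `set -euo pipefail`, `. ./.env`, `name="${SERVICE_NAME}_${CONTAINER_NAME_GITLAB}"`, then use `"$name"` in both `docker exec` and `docker restart`. `-it` also makes `docker exec` fail when the script runs without a terminal (cron, CI), and removing a pid file needs no TTY, so drop `-t` or both flags.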