Since GitHub was acquired by Microsoft, quite a few developers have planned to migrate their own code repositories from github.com to an alternative self-hosted solution. GitLab Community Edition (CE) is the most common choice.
As a sophisticated and flexible solution, GitLab CE can be deployed using various methods, but only the officially recommended method, the Omnibus package installation, will be covered herein.
Prerequisites
- A fresh Debian 9 x64 server instance with at least 4GB of memory. 8GB or more is recommended for serving up to 100 users. Say its IPv4 address is
203.0.113.1
. - A sudo user.
- A domain
gitlab.example.com
being pointed towards the instance mentioned above.
Note: When deploying on your own server instance, be sure to replace all example values with actual ones.
Step 1: Perform basic tasks for hosting GitLab CE
Fire up an SSH terminal, and log in to your Debian 9 x64 server instance as a sudo user.
Add a swap partition and tweak the swappiness setting
When deploying GitLab CE 11.x on a machine with 4GB of memory, it's required to setup a 4GB swap partition for smooth running.
sudo dd if=/dev/zero of=/swapfile count=4096 bs=1M
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
free -m
Note: If you are using a different server size, the size of the swap partition may vary.
For system performance purposes, it is recommended to configure the kernel's swappiness setting to a low value like 10
:
echo 'vm.swappiness=10' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
cat /proc/sys/vm/swappiness
The output of the cat
command will be 10
.
Setup the machine's hostname and fully qualified domain name (FQDN)
Use the following commands to setup a hostname, gitlab
, and an FQDN, gitlab.example.com
, for the machine:
sudo hostnamectl set-hostname gitlab
sudo sed -i "1 i\203.0.113.1 gitlab.example.com gitlab" /etc/hosts
You can confirm the results:
hostname
hostname -f
Setup firewall rules
Setup reasonable firewall rules for running a website:
sudo iptables -F
sudo iptables -X
sudo iptables -Z
sudo iptables -A INPUT -s $(echo $(w -h ${USER}) | cut -d " " -f3) -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -d 127.0.0.0/8 -j REJECT
sudo iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P FORWARD DROP
All above settings will take effect immediately. Use the following command to list them for review:
sudo iptables -L -n
Use the iptable-persistent
tool to save all existing iptables rules in a file /etc/iptables/rules.v4
, making all iptables rules persistent:
sudo apt install -y iptables-persistent
During the installation, you will be asked if you want to save current IPv4/IPv6 rules. Press ENTER twice to save both current IPv4 and IPv6 rules to /etc/iptables/rules.v4
and /etc/iptables/rules.v6
.
If you try to update the IPv4 rules later, use the following to save your update:
sudo bash -c 'iptables-save > /etc/iptables/rules.v4'
Update the system
sudo apt update
sudo apt upgrade -y && sudo shutdown -r now
When the system is up and running again, log back in as the same sudo user to move on.
Step 2: Install required dependencies
Before installing GitLab CE, you need to install required dependencies:
sudo apt install -y curl openssh-server ca-certificates
Also, if you want to use Postfix to send notification messages, you need to install Postfix:
sudo apt install -y postfix
During the installation, a configuration screen may appear:
- Press TAB to highlight the
<OK>
button on the first screen, and then press ENTER. - Select
Internet Site
and press ENTER. - For the
mail name
field, input your server's FQDN,gitlab.example.com
, and press ENTER. - If other screens appear, press ENTER to accept the default settings.
Start and enable the Postfix service:
sudo systemctl enable postfix.service
sudo systemctl start postfix.service
Modify firewall rules for Postfix:
sudo iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo bash -c 'iptables-save > /etc/iptables/rules.v4'
Having Postfix installed, you need to configure Postfix by editing its main config file /etc/postfix/main.cf
in accordance with your actual server settings.
Note: In addition to above instructions, you need to submit a support ticket to cancel Vultr's default block on SMTP port 25.
Alternatively, if you want to use another messaging solution, just skip installing Postfix and choose to use an external SMTP server after GitLab CE has been installed.
Step 3: Setup the GitLab APT repo and then install GitLab CE
Setup the GitLab CE APT repository on your system:
cd
curl -sS https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | sudo bash
Next, install GitLab CE 11.x:
sudo EXTERNAL_URL="http://gitlab.example.com" apt install -y gitlab-ce
The installation may take a while.
Finally, point your favorite web browser to http://gitlab.example.com
, and then submit a new password as prompted to finish the installation.
From now on, use the credentials below to log in as the administrator:
- Username:
root
- Password:
<your-new-password>
Step 4: Enable HTTPS access by integrating a Let's Encrypt SSL certificate
For now, you have successfully installed GitLab CE 11.x on your server instance, and users can already visit the site using the HTTP protocol. For security purposes, its recommended to enable HTTPS access to your GitLab server by integrating a Let's Encrypt SSL certificate.
Use the vi
editor to open the GitLab CE config file:
sudo vi /etc/gitlab/gitlab.rb
Find the following two lines:
external_url 'http://gitlab.example.com'
# letsencrypt['contact_emails'] = [] # This should be an array of email addresses to add as contacts
Replace them accordingly:
external_url 'https://gitlab.example.com'
letsencrypt['contact_emails'] = ['admin@example.com']
Save and quit:
:wq!
Reconfigure GitLab CE using updated settings:
sudo gitlab-ctl reconfigure
The reconfiguration may take a while.
After the reconfiguration is done, all users will be forced to use the HTTPS protocol when accessing the GitLab site.
Note: After switching from HTTP to HTTPS, legacy cookies may cause a GitLab 422 error. Clearing cookies fixes this issue.