Introduction

Hey there, this is the first part of my blog series, Getting started with CI/CD on AWS platform using GitLab CE.


GitLab Community Edition (CE) is an open source end-to-end software development platform with built-in version control, issue tracking, code review, CI/CD and much more; check the official documentation for more information. Due to security considerations, we have provisioned our own private GitLab CE server for many of our clients' builds, even though the gitlab.com hosted solution and many pre-configured AMIs are available in AWS. Here are the steps to set up a GitLab CE server.


Provision EC2 Instance


  • Provision a t2.medium instance [ CentOS 7 AMI ]

  • Open HTTP, HTTPS and SSH connections in Security Group settings

  • Enable basic monitoring for the EC2 instance ( StatusCheckFailed )

  • Assign an EIP

  • Set host level firewall rules to allow incoming SSH, HTTP/HTTPS connections only


Basic System setup


  • Install system updates
    yum update -y
    
  • Disable SELinux
    sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
    
  • Install basic system management tools
    yum install -y net-tools wget curl lsof screen ntp dstat
    
  • Disable SSH Password Authentication
    sed -i 's/PasswordAuthentication\ yes/PasswordAuthentication\ no/g' /etc/ssh/sshd_config
    
  • Set static system hostname
    hostnamectl set-hostname gitlab.yourdomain.com
    hostnamectl set-hostname "gitlab.yourdomain.com" --pretty
    hostnamectl set-hostname gitlab.yourdomain.com --static
    hostnamectl set-hostname gitlab.yourdomain.com --transient
    
  • Update /etc/hosts
    grep $(hostname) /etc/hosts || echo -e "127.1.0.1\t$(hostname)\t$(hostname -s)" >> /etc/hosts
    
  • Setup NTP Time Synchronization
    Edit /etc/ntp.conf and set `server 169.254.169.123 prefer iburst`
    
    systemctl start ntpd; systemctl enable ntpd
    
  • Restart EC2 instance.
    reboot
    


Install GitLab CE


  • Install dependencies
    yum install -y curl policycoreutils-python openssh-server
    systemctl enable sshd
    systemctl start sshd
    
  • Install and configure Postfix MTA
    yum install postfix
    systemctl enable postfix
    systemctl start postfix
    
  • Add the GitLab package repository
    curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh | sudo bash
    
  • Install Gitlab CE
    sudo EXTERNAL_URL="http://gitlab.yourdomain.com" yum install -y gitlab-ce
    
  • Complete the installation

  • Point your browser at http://gitlab.yourdomain.com and you will be redirected to reset the root password for your installation.


GitLab CE Initial setup


  • Go to http://gitlab.yourdomain.com and login to GitLab using the root credentials you created.

  • Go to profile settings and set up the root user's email account

  • Go to Admin area - Settings - Sign-up Restrictions and uncheck Sign-up enabled

  • Go to Admin area - Overview: create groups, create users, add users into groups.


Secure GitLab CE using Let's Encrypt Certificates


Let's secure our GitLab instance using free Let's Encrypt SSL certificates.

  • Install epel repository
    yum install epel-release -y
    
  • Install Certbot
    yum install certbot -y
    
  • Create directory for LetsEncrypt verification files
    mkdir -p /var/www/public/letsencrypt
    
  • Update GitLab Nginx Configuration
    Edit /etc/gitlab/gitlab.rb and, in the GitLab NGINX section, add the following line
    
    nginx['custom_gitlab_server_config'] = "location ^~ /.well-known { root /var/www/public/letsencrypt; }"
    
  • Reconfigure GitLab
    gitlab-ctl reconfigure
    
  • Request SSL Certificates
    certbot certonly --webroot --webroot-path=/var/www/public/letsencrypt -d gitlab.yourdomain.com
    
  • Update GitLab Nginx Configuration
    Edit /etc/gitlab/gitlab.rb and make the following changes:

    1. Update external_url to use https
       external_url 'https://gitlab.yourdomain.com'

    2. Set redirect_http_to_https to true
       nginx['redirect_http_to_https'] = true

    3. Specify SSL Certificates
       nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab.yourdomain.com/fullchain.pem"
       nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.yourdomain.com/privkey.pem"

  • Reconfigure GitLab
    gitlab-ctl reconfigure
    
  • Set up a cronjob for SSL renewal
    crontab -e
    # Entry for root's own crontab: a per-user crontab has no user field
    0 2 1 * * /usr/bin/certbot renew --quiet --renew-hook "/usr/bin/gitlab-ctl restart nginx"
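
The gitlab.rb edits above only work together: external_url, the HTTP redirect and both certificate paths must all refer to the same hostname. The script below is an added example, not part of the original post, that checks this before running gitlab-ctl reconfigure; the function names rb_value and check_gitlab_tls and the sample file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): check that the TLS edits made to
# gitlab.rb agree with each other. Function names and messages are this example's own.

# Print the last uncommented value of a gitlab.rb setting. $1 = file, $2 = literal key.
rb_value() {
  awk -v key="$2" '
    { sub(/^[ \t]+/, "") }                       # ignore indentation
    index($0, key) == 1 {                        # "#" lines never match, so comments are skipped
      val = substr($0, length(key) + 1)
      sub(/^[ \t]*=?[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      last = val
    }
    END { print last }' "$1" | tr -d "\"'"
}

# Report each inconsistency; the return status is the number of problems found.
check_gitlab_tls() {
  local rb="$1" problems=0 url host redirect cert key
  url=$(rb_value "$rb" "external_url")
  redirect=$(rb_value "$rb" "nginx['redirect_http_to_https']")
  cert=$(rb_value "$rb" "nginx['ssl_certificate']")
  key=$(rb_value "$rb" "nginx['ssl_certificate_key']")
  host=${url#*://}; host=${host%%[:/]*}          # host part of external_url

  case "$url" in
    https://*) ;;
    *) echo "external_url is not https: '$url'"; problems=$((problems + 1)) ;;
  esac
  [ "$redirect" = "true" ] ||
    { echo "redirect_http_to_https is '$redirect', expected true"; problems=$((problems + 1)); }
  [ "$cert" = "/etc/letsencrypt/live/$host/fullchain.pem" ] ||
    { echo "ssl_certificate is not the fullchain.pem issued for $host"; problems=$((problems + 1)); }
  [ "$key" = "/etc/letsencrypt/live/$host/privkey.pem" ] ||
    { echo "ssl_certificate_key is not the privkey.pem issued for $host"; problems=$((problems + 1)); }
  return "$problems"
}

# Constructed sample mirroring the settings from the steps above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
external_url 'https://gitlab.yourdomain.com'
# nginx['redirect_http_to_https'] = false
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab.yourdomain.com/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.yourdomain.com/privkey.pem"
EOF
check_gitlab_tls "$sample" && echo "gitlab.rb TLS settings are consistent"
rm -f "$sample"
```

On the server, run check_gitlab_tls /etc/gitlab/gitlab.rb; it only compares the configuration text and does not verify that the certificate files exist or are valid.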
    




Alright, now we have our GitLab instance up and running.

  • Provisioned EC2 Instance
  • Installed GitLab CE
  • Configured Users and Groups
  • Secured GitLab using LetsEncrypt SSL Certificates
  • Enabled auto renewal for LetsEncrypt SSL Certificates


Tips :

  • Enable backups for GitLab Instance
  • Convert the EC2 instance to a reserved instance for cost savings.


    Happy Coding !!

Dijeesh Padinharethil

Associate Director, Cloud Services @ Network Redux

Infrastructure | Operations | AWS | DevOps Engineer