Introduction
Hey there, this is the first part of my blog series Getting started with CI/CD on AWS platform using GitLab CE
GitLab Community Edition (CE) is an open source end-to-end software development platform with built-in version control, issue tracking, code review, CI/CD and much more; see the official documentation for more information. Due to security considerations, we have provisioned our own private GitLab CE server for many of our clients' builds, even though the gitlab.com hosted solution and many pre-configured AMIs are available on AWS. Here are the steps to set up a GitLab CE server.
Provision EC2 Instance
Provision a t2.medium instance [ CentOS 7 AMI ]
Open HTTP, HTTPS and SSH in the Security Group settings; restrict the SSH rule to your own administrative address range rather than 0.0.0.0/0, since only administrators need port 22
Create a CloudWatch alarm on the StatusCheckFailed metric for the EC2 instance (basic monitoring is already on by default; the alarm is what pages you)
Assign an EIP, so that the DNS record used for the certificate step later points at a stable address
Set host level firewall rules to allow incoming SSH, HTTP and HTTPS connections only
Basic System setup
- Install system updates
yum update -y
- Disable SELinux
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
The GitLab Omnibus package runs with SELinux enforcing (the policycoreutils-python dependency installed below exists precisely to set its file contexts), so on an internet-facing host prefer to skip this step. If you do disable it, the change takes effect only after the reboot at the end of this section.
- Install basic system management tools
yum install -y net-tools wget curl lsof screen ntp dstat
- Disable SSH Password Authentication
sed -i 's/PasswordAuthentication\ yes/PasswordAuthentication\ no/g' /etc/ssh/sshd_config
This only rewrites an active "PasswordAuthentication yes" line (a commented-out one, or an absent one, is left alone, so check the resulting file), and sshd picks the new setting up only when it is reloaded, which the reboot below takes care of. Confirm that key-based login works before you rely on it.
- Set static system hostname
hostnamectl set-hostname gitlab.yourdomain.com
hostnamectl set-hostname "gitlab.yourdomain.com" --pretty
hostnamectl set-hostname gitlab.yourdomain.com --static
hostnamectl set-hostname gitlab.yourdomain.com --transient
The first command, given without flags, already sets the static, transient and pretty names at once; the three flagged forms are listed for completeness.
- Update /etc/hosts
grep $(hostname) /etc/hosts || echo -e "127.1.0.1\t$(hostname)\t$(hostname -s)" >> /etc/hosts
- Setup NTP Time Synchronization
Edit /etc/ntp.conf and set `server 169.254.169.123 prefer iburst` (the Amazon Time Sync Service, reachable from the instance without leaving the VPC)
systemctl start ntpd
systemctl enable ntpd
CentOS 7 images normally run chronyd already; stop and disable it before enabling ntpd, since both want UDP port 123 (or keep chrony and point it at the same server instead of installing ntp).
- Restart EC2 instance.
reboot
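The one-line sed above is the fragile point of this section, so here is an added example (mine, not part of the original post) that performs the same password-login lockdown in a form that survives a commented-out or missing directive, also closes the keyboard-interactive fallback that PAM can turn back into a password prompt, refuses to reload a configuration sshd cannot parse, and can be rehearsed on a scratch copy first. The backup naming, the use of GNU sed/awk and the sshd binary path are assumptions about a CentOS 7 host.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Idempotent sshd_config editing
# for the "Disable SSH Password Authentication" step. Assumes GNU sed/awk
# (CentOS 7) and /usr/sbin/sshd.
set -eu

# First active value of a keyword, resolved the way sshd does it: the first
# occurrence wins, keywords are case-insensitive, commented lines do not count,
# and anything after the first Match block is conditional, so stop there.
sshd_get() {
  awk -v k="$2" '
    tolower($1) == "match"      { exit }
    tolower($1) == tolower(k)   { print $2; exit }
  ' "$1"
}

# Make "KEY VALUE" the effective setting in FILE: comment out every existing
# active line for KEY, then insert ours at the top so it precedes any Match
# block. Leaves the file untouched if the setting is already effective.
sshd_set() {
  local file="$1" key="$2" value="$3"
  if [ "$(sshd_get "$file" "$key")" = "$value" ]; then
    return 0
  fi
  sed -i -E "s/^[[:space:]]*(${key}[[:space:]].*)/# \1/I" "$file"
  if [ -s "$file" ]; then
    sed -i "1i ${key} ${value}" "$file"
  else
    printf '%s %s\n' "$key" "$value" > "$file"
  fi
}

# The page's hardening, plus the keyboard-interactive fallback.
harden_sshd_file() {
  sshd_set "$1" PasswordAuthentication no
  sshd_set "$1" ChallengeResponseAuthentication no
}

# On the real host (run as root): back up, edit, syntax-check, reload. With
# "set -e", a failing "sshd -t" aborts before the reload, so a typo cannot lock
# you out. Keep your current session open and confirm a fresh key-based login
# works before closing it.
harden_live() {
  local cfg=/etc/ssh/sshd_config
  cp -a "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
  harden_sshd_file "$cfg"
  /usr/sbin/sshd -t
  systemctl reload sshd
}

# Default action: rehearse on a constructed copy (sample content below is made
# up to resemble a stock sshd_config), never on the live file.
demo() {
  local tmp
  tmp="$(mktemp)"
  printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication yes' 'UsePAM yes' > "$tmp"
  harden_sshd_file "$tmp"
  cat "$tmp"
  rm -f "$tmp"
}

case "${1:-demo}" in
  apply) harden_live ;;
  *)     demo ;;
esac
```

Run it with no arguments to see the rewritten scratch file; run `apply` as root on the server itself. Putting the new directive at the top rather than editing in place is deliberate: sshd takes the first value it sees for a keyword, and the top of the file is guaranteed to be outside any Match block.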
Install GitLab CE
- Install dependencies
yum install -y curl policycoreutils-python openssh-server
systemctl enable sshd
systemctl start sshd
- Install and configure Postfix MTA
yum install postfix
systemctl enable postfix
systemctl start postfix
Postfix is only needed for outgoing notification mail; the CentOS default configuration listens on localhost only, so leave it that way.
- Add the GitLab package repository
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh | sudo bash
This pipes a script fetched from the network straight into a root shell. It is the common pattern, but for a build server that will hold your source and deployment credentials, download the script to a file, read it, and only then run it. All the script does is write a yum repository definition with GPG checking enabled, so check that this is what you got before installing anything from it.
- Install Gitlab CE
sudo EXTERNAL_URL="http://gitlab.yourdomain.com" yum install -y gitlab-ce
Complete the installation
- Navigate your browser to http://gitlab.yourdomain.com and you will be redirected to set the root password for your installation. (On GitLab 14.0 and later the installer instead generates a random root password and writes it to /etc/gitlab/initial_root_password, which is removed after 24 hours; log in with it and change it straight away.)
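As an added example, not from the post and not GitLab's own tooling, here is the repository step rewritten so the set-up script is saved and reviewed before it runs as root, and so the install refuses to proceed unless the resulting yum repo definition enforces GPG checks on both packages and metadata. The script path under /root and the repo file name gitlab_gitlab-ce.repo are assumptions (the latter is what the packagecloud script normally writes); the hostname is the page's placeholder.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Fetch the repository set-up script
# to disk, record its checksum, let a human read it, run it, then verify the
# repo definition it wrote before installing gitlab-ce.
set -eu

SCRIPT_URL="https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh"
SCRIPT_PATH="${SCRIPT_PATH:-/root/gitlab-repo-setup.sh}"             # assumed location
REPO_FILE="${REPO_FILE:-/etc/yum.repos.d/gitlab_gitlab-ce.repo}"      # assumed: what the script writes
EXTERNAL_URL="${EXTERNAL_URL:-http://gitlab.yourdomain.com}"

# Download over TLS only (no downgrade to http on a redirect), keep the file
# root-only, and print the checksum so the copy you reviewed can be tied to
# what actually ran.
fetch_script() {
  curl -fsSL --proto '=https' --tlsv1.2 -o "$SCRIPT_PATH" "$SCRIPT_URL"
  chmod 0700 "$SCRIPT_PATH"
  sha256sum "$SCRIPT_PATH"
}

# repo_gpg_enforced FILE
# Succeeds only if FILE has at least one repo section and every enabled section
# sets both gpgcheck=1 (package signatures) and repo_gpgcheck=1 (metadata
# signatures). A section with no enabled= line counts as enabled, as yum does.
repo_gpg_enforced() {
  awk '
    function check_section() { if (insec && enabled && !(gpg && rgpg)) bad = 1 }
    /^[[:space:]]*\[/ { check_section(); insec = 1; n++; enabled = 1; gpg = 0; rgpg = 0; next }
    /^[[:space:]]*enabled[[:space:]]*=[[:space:]]*0/       { enabled = 0 }
    /^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*1/      { gpg = 1 }
    /^[[:space:]]*repo_gpgcheck[[:space:]]*=[[:space:]]*1/ { rgpg = 1 }
    END { check_section(); exit (n == 0 || bad) ? 1 : 0 }
  ' "$1"
}

# Run the reviewed script, gate on the repo file it produced, then install.
install_gitlab() {
  bash "$SCRIPT_PATH"
  repo_gpg_enforced "$REPO_FILE" || {
    echo "refusing to install: $REPO_FILE does not enforce GPG checks" >&2
    exit 1
  }
  EXTERNAL_URL="$EXTERNAL_URL" yum install -y gitlab-ce
}

case "${1:-}" in
  fetch)   fetch_script ;;
  install) install_gitlab ;;
  *)       echo "usage: $0 fetch | install" >&2 ;;
esac
```

Run `fetch`, read the file it saved, then run `install`. The repo check is the useful part even if you keep using the one-liner from the page: it can be pointed at any .repo file you have been handed.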
GitLab CE Initial setup
Go to http://gitlab.yourdomain.com and log in to GitLab using the root credentials you created.
Go to profile settings and set up the root user's email address.
Go to Admin area - Settings - Sign-up Restrictions and uncheck Sign-up enabled, so that nobody who can reach the server can self-register an account. While there, consider enabling "Enforce two-factor authentication" under Sign-in Restrictions.
Go to Admin area - Overview: create groups, create users, add users into groups.
GitLab CE Secure using LetsEncrypt Certificates
Let's secure our GitLab instance using free Let's Encrypt TLS certificates.
- Install epel repository
yum install epel-release -y
- Install Certbot
yum install certbot -y
- Create directory for LetsEncrypt verification files
mkdir -p /var/www/public/letsencrypt
- Update Gitlab Nginx Configuration
Edit /etc/gitlab/gitlab.rb and in the GitLab NGINX section add the following line:
nginx['custom_gitlab_server_config'] = "location ^~ /.well-known { root /var/www/public/letsencrypt; }"
- Reconfigure GitLab
gitlab-ctl reconfigure
- Request SSL Certificates
certbot certonly --webroot --webroot-path=/var/www/public/letsencrypt -d gitlab.yourdomain.com
For this to succeed, the DNS A record for gitlab.yourdomain.com must already point at the EIP and port 80 must be reachable from the internet, because Let's Encrypt validates ownership by fetching a token from http://gitlab.yourdomain.com/.well-known/acme-challenge/ out of the directory created above.
- Update Gitlab Nginx Configuration
Edit /etc/gitlab/gitlab.rb and:
1. Update external_url to use https
external_url 'https://gitlab.yourdomain.com'
2. Set redirect_http_to_https to true
nginx['redirect_http_to_https'] = true
3. Specify the certificate and key
nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab.yourdomain.com/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.yourdomain.com/privkey.pem"
Keep the custom_gitlab_server_config line from the earlier step: renewals use the same webroot, and Let's Encrypt follows the HTTP to HTTPS redirect when it fetches the challenge. The paths under /etc/letsencrypt/live are symlinks that certbot repoints at each renewal, which is why nginx can keep referring to them.
- Reconfigure GitLab
gitlab-ctl reconfigure
- Setup cronjob for SSL renewal
The entry below belongs in a system crontab file such as /etc/cron.d/certbot-renew, because its sixth field (root) is the user to run as; a personal crontab opened with crontab -e has no user field and would try to run a command called "root". Certbot only renews when fewer than 30 days of validity remain, so schedule the check daily (or twice daily, as certbot recommends) rather than once a month, which can leave a certificate to expire between runs. Newer certbot releases call --renew-hook --deploy-hook; the old name still works.
0 2 * * * root /usr/bin/certbot renew --quiet --renew-hook "/usr/bin/gitlab-ctl restart nginx"
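As an added example (mine, not from the original post), the renewal step done as a system cron job plus a certbot deploy-hook script, with a small check that shows why the user field matters in /etc/cron.d. The default paths are the CentOS 7 locations and are assumptions; all of them can be overridden through the environment for a dry run in a scratch directory.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Installs certificate renewal as a
# cron.d job (which has a user field) and a deploy hook that reloads GitLab's
# bundled nginx only when a certificate was actually renewed.
set -eu

CRON_DIR="${CRON_DIR:-/etc/cron.d}"                               # assumed default
HOOK_DIR="${HOOK_DIR:-/etc/letsencrypt/renewal-hooks/deploy}"     # certbot's hook dir
CERTBOT="${CERTBOT:-/usr/bin/certbot}"
GITLAB_CTL="${GITLAB_CTL:-/usr/bin/gitlab-ctl}"

# A cron.d line: five time fields, then the user, then the command. Twice a
# day is certbot's own recommendation; it renews only when <30 days remain,
# so nearly every run is a no-op.
cron_entry() {
  printf '%s\n' "17 3,15 * * * root ${CERTBOT} renew --quiet"
}

# Field 6 of a cron.d line. In a correct line this is the user; in a line
# copied from a personal crontab it would be the command, which cron would
# then try to run as a user of that name.
cron_user_field() {
  printf '%s\n' "$1" | awk '{ print $6 }'
}

# Deploy hook: certbot runs every executable in HOOK_DIR after a successful
# renewal. "hup" makes nginx re-read its configuration and certificate files
# without dropping connections; "restart nginx" as on the page also works.
hook_body() {
  printf '#!/bin/sh\n# Reload GitLab nginx so it serves the renewed certificate\nexec %s hup nginx\n' "$GITLAB_CTL"
}

install_renewal() {
  mkdir -p "$CRON_DIR" "$HOOK_DIR"
  cron_entry > "$CRON_DIR/certbot-renew"
  chmod 0644 "$CRON_DIR/certbot-renew"
  hook_body > "$HOOK_DIR/gitlab-nginx.sh"
  chmod 0755 "$HOOK_DIR/gitlab-nginx.sh"
}

case "${1:-}" in
  # Install, then rehearse a renewal against the staging endpoint. The dry run
  # does not run deploy hooks, so test the hook once by hand afterwards.
  install) install_renewal; "$CERTBOT" renew --dry-run ;;
  *)       cron_entry ;;
esac
```

Run without arguments to print the line that would be installed; run `install` as root to write both files. Pick one renewal mechanism only: the EPEL certbot package also ships a certbot-renew systemd timer, and having both active just doubles the log noise.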
Alright, now we have our GitLab instance up and running.
- Provisioned an EC2 instance
- Installed GitLab CE
- Configured users and groups
- Secured GitLab using Let's Encrypt certificates
- Enabled auto renewal for the Let's Encrypt certificates
Tips :
- Enable backups for the GitLab instance, and back up /etc/gitlab separately: the GitLab backup archive deliberately leaves out gitlab.rb and gitlab-secrets.json, and without gitlab-secrets.json a restored instance cannot decrypt the CI/CD variables and tokens it holds.
- Convert the EC2 instance to a reserved instance for cost savings.
Happy Coding !!