Gitlab: Difference between revisions

imported>F2k1de
No edit summary
WoutSwinkels (talk | contribs)
m Remove duplicate 'on the' under the 'Migrating an existing Gitlab to a Nixos installation' section
 
(15 intermediate revisions by 10 users not shown)
Line 1: Line 1:
The [https://gitlab.com GitLab] web application offers git repository management, code reviews, issue tracking, activity feeds and wikis.
The [https://gitlab.com GitLab] web application offers git repository management, code reviews, issue tracking, activity feeds and wikis.
This article is an extension of the [https://nixos.org/manual/nixos/stable/#module-services-gitlab NixOS manual].


== Installation ==
== Installation ==
Line 8: Line 10:
services.gitlab = {
services.gitlab = {
   enable = true;
   enable = true;
   databasePasswordFile = pkgs.writeText "dbPassword" "test123";
   databasePasswordFile = pkgs.writeText "dbPassword" "zgvcyfwsxzcwr85l";
   initialRootPasswordFile = pkgs.writeText "rootPassword" "test123";
   initialRootPasswordFile = pkgs.writeText "rootPassword" "dakqdvp4ovhksxer";
   secrets = {
   secrets = {
     secretFile = pkgs.writeText "secret" "Aig5zaic";
     secretFile = pkgs.writeText "secret" "Aig5zaic";
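Review bot: The replacement values on the databasePasswordFile and initialRootPasswordFile lines are still literal secrets passed through pkgs.writeText, so anyone who copies this example deploys a publicly documented password that also sits in the Nix store. Suggest replacing the literals with an obvious placeholder, or with a quoted path to a file kept outside the store with restrictive owner and mode. The unchanged secretFile line ("Aig5zaic") deserves the same treatment, since it is just as public.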
Line 33: Line 35:
</syntaxHighlight>
</syntaxHighlight>


Even trough it is easy to provide the secrets in the <code>configuration.nix</code> with <code>pkgs.writeText</code>, keep in mind that it might not be the best method, because they get written to the word readable [[Nix_package_manager#Nix_store|nix-store]] this way.  
After applying the configuration head to http://localhost and login with username <code>root</code> and the password specified in <code>initialRootPasswordFile</code>.
 
Even though it is easy to provide the secrets in the <code>configuration.nix</code> with <code>pkgs.writeText</code>, keep in mind that it might not be the best method, because they get written to the world readable [[Nix_package_manager#Nix_store|nix-store]] this way.  
A safer solution is to put them somewhere in the file system with the right chmod and owner set and include them using <code>./<filename></code> or to use a [[Comparison of secret managing schemes|secret managment tool]]
A safer solution is to put them somewhere in the file system with the right chmod and owner set and include them using <code>./<filename></code> or to use a [[Comparison of secret managing schemes|secret managment tool]]
{{Note|Since the version 15.7 GitLab blocks weak passwords<ref>https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/user/profile/user_passwords.md#block-weak-passwords</ref> on self-managed instances by default and providing one in initialRootPasswordFile results in a silent failure to create root user.}}{{Note|Depending on the setup, access from another system than localhost might be required. In that case, it's necessary to open the ports, since NixOS defaults to having all ports closed. Look up networking.firewall.allowedTCPPorts.}}


== Maintenance ==
== Maintenance ==
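Review bot: The retained sentence recommending ./<filename> undercuts the warning corrected just above it. A relative Nix path literal is copied into the Nix store when the configuration is evaluated, so the secret ends up world readable exactly as it does with pkgs.writeText. Suggest showing an absolute path written as a quoted string instead, and fixing "managment" in the same sentence. The two Note templates are also run together on one line and should be separated, and the firewall note would be more useful if it named the port the instance listens on rather than only pointing at networking.firewall.allowedTCPPorts.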
Line 50: Line 56:
</syntaxHighlight>
</syntaxHighlight>


== Migrating an existing Gitlab to a Nixos installation ==
== Tips and tricks ==
Make a backup on the on the old installation following the [https://docs.gitlab.com/ee/raketasks/backup_gitlab.html Gitlab backup guide]. It is important to be on the same version and edition that you want to install on your new server.
 
=== Run Gitlab behind reverse proxy ===
In case your Gitlab instance is running behind a reverse proxy which does offer TLS encryption, you might need to adapt your configuration<syntaxhighlight lang="nix">
services.gitlab = {
  [...]
  https = true;
  port = 443;
  host = "git.example.org";
};
</syntaxhighlight>
 
=== Migrating an existing Gitlab to a Nixos installation ===
Make a backup on the old installation following the [https://docs.gitlab.com/administration/backup_restore/backup_gitlab/ Gitlab backup guide]. It is important to be on the same version and edition that you want to install on your new server.
 
Then install a Gitlab on the NixOS. Make sure you set the same secrets like on the old installation.


Then install a Gitlab on the Nix. Make sure you set the same secrets like on the old installation.
After a successful deploy:


After a successful deploy, stop the Gitlab service using systemctl stop.  
# Stop the Gitlab service using <code>systemctl stop gitlab.service</code>.
Then copy the backup *_gitlab_backup.tar on the new server and run sudo -u gitlab gitlab-rake gitlab:backup:restore BACKUP=<name before the _gitlab_backup.tar>. You will be interactively asked what should be done.
# Start Gitaly <code>systemctl start gitaly.service</code>
#* It gets stopped when gitlab.service stops.
# Then copy the backup *_gitlab_backup.tar to the backup folder
#* <code>cp 1719619965_2024_06_29_16.11.4_gitlab_backup.tar /var/gitlab/state/backup</code>
# Run <code>sudo -u gitlab gitlab-rake gitlab:backup:restore BACKUP=<name before the _gitlab_backup.tar></code> .
#* For example <code>sudo -u gitlab gitlab-rake gitlab:backup:restore BACKUP=1719619965_2024_06_29_16.11.4</code>
# You will be interactively asked what should be done.
#* You will most likely be saying yes hrtr
# Start the Gitlab Service again using <code>systemctl start gitlab.service</code>.


After that, start the Gitlab Service again using systemctl start.  
You may need to rebuild the system for everything to properly come up.


== Troubleshooting ==
== Troubleshooting ==
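Review bot: The sub-step "You will most likely be saying yes hrtr" ends in a typo and tells the reader to confirm prompts without saying what they confirm. Because the restore replaces the data of the freshly deployed instance, suggest spelling out what each prompt asks before advising "yes". The cp step should also mention that the tarball in /var/gitlab/state/backup must be readable by the gitlab user, since the rake task runs under sudo -u gitlab. In the reverse proxy subsection, "which does offer TLS encryption" would be clearer as "which terminates TLS", and the syntaxhighlight block should start on its own line.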
Line 90: Line 118:
</syntaxHighlight>
</syntaxHighlight>


[[Category:Services]]
=== Login page accessible, but root login fails after fresh install ===
Apparently, it can happen that no root user is created (or at least not fully created in the database) when building the system with a newly configured Gitlab service.
 
In this case, it can help to stop the Gitlab service, drop the postgres database and reboot the system. This sequence instantiates the Gitlab root user. With that, it's possible to log in with user "root" and the password configured in "initialRootPasswordFile".<syntaxhighlight lang="bash">
# stop the gitlab stack
systemctl stop gitlab.service
 
# drop the database
sudo -u postgres dropdb gitlab
 
# reboot (just starting the gitlab service again seems not to be sufficient)
sudo reboot
</syntaxhighlight>
 
==Notes==
 
Gitlab will add a user "gitlab" to your NixOS, many tutorials online point to using git over ssh with the user "git", which in our case will not match since there is no user "git". If you configure your SSH hosts with ~/.ssh/config this should work:
 
  Host your.selfhosted.com
    HostName your.selfhosted.com
    User gitlab
    IdentityFile /path/to/your/ssh/private/key
    # The following are optional:
    IdentitiesOnly yes
    PreferredAuthentications publickey
 
<references />
 
[[Category:Server]]
[[Category:Web Applications]]
[[Category:Web Applications]]
[[Category:NixOS Manual]]
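Review bot: The new troubleshooting entry goes straight to dropdb gitlab without mentioning the cause this same revision documents in the Installation note: since 15.7 a weak value in initialRootPasswordFile silently prevents the root user from being created. Suggest telling the reader to check the configured password first, and stating explicitly that dropping the database deletes all GitLab data, so the step is only appropriate on a fresh install with nothing to keep. In the Notes section, the sentence beginning "Gitlab will add a user" is a comma splice and would read better split in two.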