# Create the project directory for the GitLab stack and move into it.
cd /home/myusername/docker
mkdir gitlab && cd ./gitlab
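# docker-compose.yml for GitLab CE + a GitLab Runner behind Traefik.
# Indentation restored; port mappings are quoted so no YAML 1.1 parser can
# retype them (e.g. "22:22" would otherwise parse as a sexagesimal integer).
services:
  gitlab-runner:
    # Consider pinning to a specific runner version instead of a floating tag
    # so upgrades are deliberate (the runner should also track the GitLab
    # version it registers against).
    image: gitlab/gitlab-runner:alpine
    container_name: gitlab-runner
    restart: unless-stopped
    volumes:
      # Mounting the Docker socket gives this container — and every job it
      # launches with the docker executor — control of the host daemon, i.e.
      # effectively root on the host. Only run trusted pipelines on it.
      - /var/run/docker.sock:/var/run/docker.sock
      # Holds config.toml, which contains the runner authentication token;
      # keep the bind-mount directory's permissions tight.
      - ./gitlab-runner:/etc/gitlab-runner
    depends_on:
      - web

  web:
    # `latest` can jump several GitLab versions at once, which breaks the
    # supported upgrade path; pin an explicit version tag in production.
    image: gitlab/gitlab-ce:latest
    container_name: gitlab-ce
    hostname: gitlab.DOMAIN.COM
    restart: unless-stopped
    shm_size: 256m
    environment:
      # Omnibus gitlab.rb fragment. `$$` is Compose's escape for a literal `$`,
      # so the nginx variables ($http_host, …) reach gitlab.rb intact.
      # Credentials (smtp_password, incoming_email_password) are placeholders;
      # prefer injecting them from an .env file or secret store rather than
      # committing real values in this file.
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.DOMAIN.COM'
        # TLS is terminated by Traefik, so Omnibus does not request certs itself.
        letsencrypt['enable'] = false
        gitlab_rails['ldap_enabled'] = false
        # NOTE(review): port 22 is advertised for SSH clone URLs, but the
        # matching "22:22" mapping below is commented out — confirm SSH access
        # is reachable some other way or the advertised URLs will not work.
        gitlab_rails['gitlab_shell_ssh_port'] = 22
        gitlab_rails['gitlab_username_changing_enabled'] = true
        # Nginx params to redirect from Traefik
        nginx['listen_port'] = 80
        nginx['listen_https'] = false
        nginx['redirect_http_to_https'] = false
        # X-Forwarded-Proto/Ssl are hard-coded to https because the only path to
        # this listener is Traefik's TLS entrypoint. If GitLab should log and
        # rate-limit by the real client IP, also declare the proxy's address in
        # gitlab_rails['trusted_proxies'] — TODO confirm for your network.
        nginx['proxy_set_headers'] = {
          "Host" => "$$http_host",
          "X-Real-IP" => "$$remote_addr",
          "X-Forwarded-For" => "$$proxy_add_x_forwarded_for",
          "X-Forwarded-Proto" => "https",
          "X-Forwarded-Ssl" => "on"
        }
        # SMTP email
        gitlab_rails['gitlab_email_enabled'] = true
        gitlab_rails['gitlab_email_from'] = "[email protected]"
        gitlab_rails['gitlab_email_reply_to'] = "[email protected]"
        gitlab_rails['smtp_enable'] = true
        gitlab_rails['smtp_address'] = "mail.DOMAIN.COM"
        gitlab_rails['smtp_port'] = 587
        gitlab_rails['smtp_user_name'] = "[email protected]"
        gitlab_rails['smtp_password'] = "YOUR_SMTP_PASSWORD"
        gitlab_rails['smtp_domain'] = "DOMAIN.COM"
        gitlab_rails['smtp_authentication'] = "login"
        # STARTTLS on 587 (opportunistic); smtp_tls is the implicit-TLS mode
        # used with port 465, so it stays off here.
        gitlab_rails['smtp_enable_starttls_auto'] = true
        gitlab_rails['smtp_tls'] = false
        # reply by email & incoming email
        gitlab_rails['incoming_email_enabled'] = true
        gitlab_rails['incoming_email_address'] = "gitlab+%{key}@DOMAIN.COM"
        gitlab_rails['incoming_email_email'] = "[email protected]"
        gitlab_rails['incoming_email_password'] = "YOUR_INCOMING_EMAIL_PASSWORD"
        gitlab_rails['incoming_email_mailbox_name'] = "inbox"
        gitlab_rails['incoming_email_idle_timeout'] = 60
        gitlab_rails['incoming_email_host'] = "mail.DOMAIN.COM"
        # IMAP on 143 upgraded with STARTTLS; the mailbox password still
        # traverses the network only after the upgrade.
        gitlab_rails['incoming_email_port'] = 143
        gitlab_rails['incoming_email_ssl'] = false
        gitlab_rails['incoming_email_start_tls'] = true
        # Docker registry
        registry_external_url 'https://glregistry.DOMAIN.COM'
        gitlab_rails['registry_enabled'] = true
        gitlab_rails['registry_api_url'] = 'https://glregistry.DOMAIN.COM'
        registry['enable'] = true
        # The bundled registry nginx is disabled; the registry itself listens on
        # 5000 and Traefik proxies to it (see the "5000:5000" mapping below).
        registry_nginx['enable'] = false
        registry['registry_http_addr'] = '0.0.0.0:5000'
        registry_nginx['listen_port'] = 5000
        registry_nginx['listen_https'] = false
        registry_nginx['proxy_set_headers'] = {
          "Host" => "$$http_host",
          "X-Real-IP" => "$$remote_addr",
          "X-Forwarded-For" => "$$proxy_add_x_forwarded_for",
          "X-Forwarded-Proto" => "https",
          "X-Forwarded-Ssl" => "on"
        }
        # GitLab Pages
        pages_external_url 'https://glpages.DOMAIN.COM'
        gitlab_pages['access_control'] = true
        gitlab_pages['namespace_in_path'] = true
        gitlab_pages['enable'] = true
        gitlab_pages['inplace_chroot'] = true
        gitlab_pages['external_http'] = ['0.0.0.0:5100']
        pages_nginx['enable'] = false
        gitlab_pages['gitlab_server'] = 'http://127.0.0.1:8080'
        gitlab_pages['auth_secret_file'] = '/var/opt/gitlab/gitlab-rails/etc/gitlab_pages_secret'
        # Pages talks to GitLab over plain HTTP on loopback inside the container,
        # so certificate verification is not exercised here; leave this true only
        # while gitlab_server stays a loopback http:// address.
        gitlab_pages['auth_disable_ssl_verification'] = true
        # --- The following pages_nginx settings are ignored because it's disabled. ---
        # pages_nginx['listen_https'] = false
        # pages_nginx['redirect_http_to_https'] = true
        # pages_nginx['listen_port'] = 5100
        # pages_nginx['proxy_set_headers'] = {
        #   "Host" => "$$http_host",
        #   "X-Real-IP" => "$$remote_addr",
        #   "X-Forwarded-For" => "$$proxy_add_x_forwarded_for",
        #   "X-Forwarded-Proto" => "https",
        #   "X-Forwarded-Ssl" => "on"
        # }
        # Authentik (Optional) — see the SAML section further down this page.
        # gitlab_rails['omniauth_enabled'] = false
        # gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
        # gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
        # gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']
        # gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
        # gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
        # gitlab_rails['omniauth_block_auto_created_users'] = false
        # gitlab_rails['omniauth_auto_link_saml_user'] = true
        # gitlab_rails['omniauth_providers'] = [
        #   {
        #     name: 'saml',
        #     args: {
        #       assertion_consumer_service_url: 'https://gitlab.DOMAIN.COM/users/auth/saml/callback',
        #       # Shown when navigating to certificates in authentik
        #       idp_cert_fingerprint: 'YOUR_IDP_CERT_FINGERPRINT',
        #       idp_sso_target_url: 'https://authentik.DOMAIN.COM/application/saml/gitlab/sso/binding/redirect/',
        #       issuer: 'https://gitlab.DOMAIN.COM',
        #       name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
        #       attribute_statements: {
        #         email: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'],
        #         first_name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'],
        #         nickname: ['http://schemas.goauthentik.io/2021/02/saml/username']
        #       }
        #     },
        #     label: 'authentik'
        #   }
        # ]
    volumes:
      # /etc/gitlab holds gitlab.rb and gitlab-secrets.json (DB/OTP/CI secrets);
      # back it up and restrict access to it.
      - ./config:/etc/gitlab
      - ./logs:/var/log/gitlab
      - ./data:/var/opt/gitlab
    # Published host:container ports. These bind on all host interfaces; if
    # Traefik shares a Docker network with this container, consider dropping
    # the published ports it does not need (least exposure).
    ports:
      - "8225:80"
      # - "8226:443"
      # Registry (registry_http_addr above).
      - "5000:5000"
      # NOTE(review): nothing in the Omnibus config above binds 5005 or 5050 —
      # confirm they are needed, otherwise remove the mappings.
      - "5005:5005"
      # Pages (gitlab_pages['external_http'] above).
      - "5100:5100"
      - "5050:5050"
      # - "22:22"
      # - "587:587"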
docker compose up -d
Default login
Username: root
Password: run the command below to print the initial root password
docker exec -it gitlab-ce grep 'Password:' /etc/gitlab/initial_root_password
# Open a Rails console inside the GitLab container.
docker exec -it gitlab-ce gitlab-rails console
# At the console prompt, send a test mail through the SMTP settings
# configured above (replace the recipient address). This is Ruby, not shell.
Notify.test_email('[email protected]', 'Message Subject', 'Message Body').deliver_now
docker exec -it gitlab-ce gitlab-ctl reconfigure
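# Register the runner with GitLab. The runner authentication token is read
# from the RUNNER_TOKEN environment variable instead of being typed literally
# on the command line, so it does not end up in shell history; the two
# commands also use the same --url (the original listing had it with and
# without a trailing slash).
: "${RUNNER_TOKEN:?set RUNNER_TOKEN to the runner authentication token}"

# Interactive registration (prompts for executor and default image):
docker exec --interactive --tty gitlab-runner \
  gitlab-runner register \
    --url "https://gitlab.DOMAIN.COM/" \
    --token "${RUNNER_TOKEN}" \
    --description "gitlab-docker-runner"

# Non-interactive registration with the Docker executor. Prefer a pinned
# default image over a floating tag so job environments are reproducible.
docker exec --interactive --tty gitlab-runner \
  gitlab-runner register --non-interactive \
    --url "https://gitlab.DOMAIN.COM/" \
    --token "${RUNNER_TOKEN}" \
    --executor "docker" \
    --docker-image alpine:latest \
    --description "gitlab-docker-runner"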
cd /home/myusername/docker/gitlab/gitlab-runner
Run the following command on the Docker host to find the IP address of the gateway for the management network (or whichever network the runner uses).
docker network inspect management
A server LAN IP (e.g., 192.168.1.55) works, but it is not ideal: if the server's IP address changes, the pipeline breaks. The Docker network gateway IP is more stable and resilient.
nano config.toml
# config.toml for the GitLab Runner. This file contains the runner
# authentication token — do not commit it and keep it readable only by the
# user running the runner.
concurrent = 1
check_interval = 0
shutdown_timeout = 0

[session_server]
  session_timeout = 1800

[[runners]]
  name = "Docker Runner for DOMAIN.COM"
  url = "https://gitlab.DOMAIN.COM/"
  id = 5
  token = "your_token_here"
  token_obtained_at = 2024-05-27T16:31:27Z
  token_expires_at = 0001-01-01T00:00:00Z
  executor = "docker"

  [runners.custom_build_dir]

  [runners.cache]
    MaxUploadedArchiveSize = 0
    [runners.cache.s3]
    [runners.cache.gcs]
    [runners.cache.azure]

  [runners.docker]
    # Docker daemon TLS verification; the runner here talks to the daemon over
    # the mounted Unix socket, so this setting is not exercised — confirm before
    # relying on it if the daemon is ever exposed over TCP.
    tls_verify = false
    image = "alpine:latest"
    # privileged = true makes every job container root-equivalent on the host.
    # It is only required for Docker-in-Docker style jobs; if no pipeline needs
    # that, set it to false (NOTE(review): cannot tell from this page).
    privileged = true
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/cache"]
    shm_size = 0
    network_mtu = 0
    # Lets jobs resolve the registry hostname without public DNS; replace the
    # placeholder with the gateway IP found via `docker network inspect`.
    extra_hosts = ["glregistry.DOMAIN.COM:docker_network_gateway_ip_or_server_ip"]
    # Job containers join this network; must already exist on the host.
    network_mode = "management"
docker exec -it gitlab-runner gitlab-runner run
Add the following configuration to Traefik's dynamic configuration file (fileConfig.yml).
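# Traefik dynamic (file provider) configuration for GitLab and Pages.
# The flattened listing placed routers and services as siblings, which yields
# duplicate keys (gitlab-ce, pages, pages-wildcard); they belong under
# http.routers and http.services respectively.
http:
  routers:
    # Gitlab router
    gitlab-ce:
      # NOTE(review): this router uses the `https` entrypoint while the Pages
      # routers use `websecure`; both names must exist in the static config.
      entryPoints:
        - https
      rule: 'Host(`gitlab.DOMAIN.COM`)'
      service: gitlab-ce
      # No `tls:` block here — presumably the `https` entrypoint already
      # enables TLS with a default resolver; confirm the login page is only
      # ever served over HTTPS.
      # middlewares:
      #   - "auth"

    # Pages router
    pages:
      entryPoints:
        - websecure
      # NOTE(review): the Omnibus config on this page sets
      # pages_external_url to glpages.DOMAIN.COM, not pages.DOMAIN.COM —
      # make the two agree.
      rule: 'Host(`pages.DOMAIN.COM`)'
      service: pages
      tls:
        certResolver: cloudflare
        domains:
          - main: gitlab.DOMAIN.COM
            sans:
              - '*.gitlab.DOMAIN.COM'
              - '*.pages.DOMAIN.COM'
      # Middleware is referenced but not defined on this page.
      middlewares:
        - pages-redirectscheme

    # Pages-Wildcard router
    pages-wildcard:
      entryPoints:
        - websecure
      # HostRegexp with a named `{sub:…}` matcher is Traefik v2 syntax; v3
      # changed HostRegexp semantics — verify against the deployed version.
      rule: 'HostRegexp(`pages.DOMAIN.COM`, `{sub:[a-zA-Z0-9-]+}.pages.DOMAIN.COM`)'
      service: pages-wildcard
      tls:
        certResolver: cloudflare
        domains:
          - main: gitlab.DOMAIN.COM
            sans:
              - '*.gitlab.DOMAIN.COM'
              - '*.pages.DOMAIN.COM'
      # Middleware is referenced but not defined on this page.
      middlewares:
        - pages-wildcard-redirectscheme

  services:
    # Gitlab service — plain HTTP to the published 8225:80 mapping on the
    # Docker host. Traffic between Traefik and GitLab is unencrypted on the LAN.
    gitlab-ce:
      loadBalancer:
        servers:
          - url: http://192.168.1.95:8225

    # Pages service
    pages:
      loadBalancer:
        passHostHeader: true
        servers:
          # NOTE(review): 127.0.0.1 is Traefik's own loopback unless Traefik
          # runs with host networking; otherwise this should point at the host
          # address used for gitlab-ce above (5100 is published there).
          - url: http://127.0.0.1:5100

    # Pages-Wildcard service
    pages-wildcard:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: http://127.0.0.1:5100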
Also add the following registry configuration to Traefik's dynamic configuration file (fileConfig.yml).
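# Traefik dynamic configuration for the GitLab container registry.
# Router and service are nested under http.routers / http.services so the
# shared name `gitlab-registry` does not collide as a duplicate key.
http:
  routers:
    # GitLab - registry router
    gitlab-registry:
      entryPoints:
        - https
      # Hostname aligned with registry_external_url and the runner's
      # extra_hosts on this page (glregistry.DOMAIN.COM); the listing had
      # registrygl.DOMAIN.COM, which nothing else on the page references.
      rule: 'Host(`glregistry.DOMAIN.COM`)'
      service: gitlab-registry

  services:
    # GitLab - registry service — plain HTTP to the published 5000:5000
    # mapping; registry credentials/JWTs therefore cross the LAN unencrypted
    # between Traefik and the Docker host.
    gitlab-registry:
      loadBalancer:
        servers:
          - url: http://192.168.1.95:5000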
Advanced protocol settings
Save the Slug; you will need it later for `idp_sso_target_url`.
Go to: Admin interface > System > Certificates
Click on: authentik Self-signed Certificate
Save the Certificate Fingerprint (SHA1); you will need it later for `idp_cert_fingerprint`.
# SAML single sign-on against authentik (gitlab.rb / GITLAB_OMNIBUS_CONFIG).
# Set omniauth_enabled to false to turn external authentication back off.
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = %w[saml]
gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
gitlab_rails['omniauth_sync_profile_from_provider'] = %w[saml]
gitlab_rails['omniauth_sync_profile_attributes'] = %w[email]
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
# false: accounts auto-created from SAML are active immediately, with no
# admin approval step — anyone the IdP lets through gets a GitLab account.
gitlab_rails['omniauth_block_auto_created_users'] = false
# true: an incoming SAML identity is linked to an existing GitLab account by
# e-mail. Only safe if the IdP verifies e-mail addresses; otherwise a user who
# can set their own IdP e-mail could take over a matching local account.
gitlab_rails['omniauth_auto_link_saml_user'] = true

saml_args = {
  assertion_consumer_service_url: 'https://gitlab.DOMAIN.COM/users/auth/saml/callback',
  # Shown when navigating to certificates in authentik; GitLab uses it to
  # verify the IdP's assertion signature. Value below is from this page —
  # replace with your own IdP certificate's SHA1 fingerprint.
  idp_cert_fingerprint: '4E:1E:CD:67:4A:67:5A:E9:6A:D0:3C:E6:DD:7A:F2:44:2E:76:00:6A',
  idp_sso_target_url: 'https://authentik.DOMAIN.COM/application/saml/gitlab/sso/binding/redirect/',
  issuer: 'https://gitlab.DOMAIN.COM',
  name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
  attribute_statements: {
    email: %w[http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress],
    first_name: %w[http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name],
    nickname: %w[http://schemas.goauthentik.io/2021/02/saml/username]
  }
}

gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    args: saml_args,
    label: 'authentik'
  }
]