Installing gitlab-ce | My Daily Sharing

I. Preparation

1. Turn off the firewall

systemctl stop firewalld
systemctl disable firewalld

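2. Disable SELinux (the mandatory access control security policy) and reboot the system, so that the policy does not interfere with GitLab's normal operation

vi /etc/sysconfig/selinux # set SELINUX=disabled
sudo reboot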

II. Installation

1. Install the packages GitLab needs

yum -y install curl policycoreutils openssh-server openssh-clients postfix

2. Start the postfix mail service (GitLab uses it to send notifications to administrators)

If you do not use postfix, you can configure an SMTP mail service later.

systemctl start postfix && systemctl enable postfix

3. Configure the yum repository

curl -sS https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh | sudo bash

Create /etc/yum.repos.d/gitlab-ce.repo with the following content:

[gitlab-ce]
name=Gitlab CE Repository
baseurl=https://mirrors.tuna.tsinghua.edu.cn/gitlab-ce/yum/el$releasever/
gpgcheck=0
enabled=1

Then run:

sudo yum clean all
sudo yum makecache

4. Install GitLab Community Edition (gitlab-ce)

yum install -y gitlab-ce

III. Initial configuration

1. Edit the configuration:

Change the address in external_url 'http://gitlab.example.com' to the server's IP.

vi /etc/gitlab/gitlab.rb

WinSCP is used here.

2. Load the configuration and restart GitLab

sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart # it seems to work without a restart, but restarting is still recommended

IV. Access from a browser

View the initial root password:

cat /etc/gitlab/initial_root_password

Reset the root password:

[root@localhost gitlab]# gitlab-rake "gitlab:password:reset[root]"
Enter password:
Confirm password:
Password successfully updated for user with username root

V. Configure access via a domain name

external_url 'https://gitlab.yuencode.cn'

nginx['listen_port'] = 8083

nginx['listen_https'] = false

Add the following to the frpc reverse-proxy configuration on the local machine:

[gitlab]
type = tcp
local_ip = 192.168.1.126
local_port = 8083
remote_port = 8083

Configure nginx on the machine running frps:

upstream gitlab.yuencode.cn {
    server 127.0.0.1:8083;
}
server
{
    listen 80;
    listen 443 ssl http2;
    server_name gitlab.yuencode.cn;
    index index.php index.html index.htm default.php default.htm default.html;
    root /www/wwwroot/gitlab.yuencode.cn;

    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }
    client_max_body_size 2500m;
    location / {
        client_max_body_size 2500m;
        proxy_pass http://gitlab.yuencode.cn;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;

        # redirect to https
        proxy_redirect http:// $scheme://;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    #SSL-START SSL-related configuration; do not delete or modify the commented 404 rule on the next line
    #error_page 404/404.html;
    ssl_certificate /www/server/panel/vhost/cert/gitlab.yuencode.cn/fullchain.pem;
    ssl_certificate_key /www/server/panel/vhost/cert/gitlab.yuencode.cn/privkey.pem;
    # TLSv1.1 and the 3DES suites below are deprecated; drop them unless legacy clients need them
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    add_header Strict-Transport-Security "max-age=31536000";
    error_page 497 https://$host$request_uri;

    #SSL-END

    access_log /www/wwwlogs/gitlab.yuencode.cn.log;
    error_log /www/wwwlogs/gitlab.yuencode.cn.error.log;
}

VI. Configure e-mail

Option 1: use the built-in postfix

gitlab_rails['gitlab_email_from'] = 'gitlab@email.yuencode.cn'
gitlab_rails['gitlab_email_display_name'] = 'GitLab'
gitlab_rails['gitlab_email_reply_to'] = 'gitlab_noreply@email.yuencode.cn'

Option 2: configure SMTP

gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.163.com"
gitlab_rails['smtp_port'] = 25
gitlab_rails['smtp_user_name'] = "gitlab_yuencode_cn@163.com"
gitlab_rails['smtp_password'] = "Your Password"
gitlab_rails['smtp_domain'] = "163.com"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = false
gitlab_rails['smtp_pool'] = false

gitlab_rails['gitlab_email_from'] = 'gitlab_yuencode_cn@163.com' # when using NetEase's SMTP, gitlab_email_from must match smtp_user_name

VII. Configure SSH for pulling and pushing code

Add the following to the frpc configuration:

[gitlab-ssh]
type = tcp
local_ip = 192.168.1.126
local_port = 22
remote_port = 22

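Make sure port 22 on the server running frps is not already in use and that frps has permission to bind it; you can also use a different port.

  • Security settings: with the gitlab-ssh entry, the SSH service on the internal network is now exposed to the public internet, which is very dangerous.

Next, disable password login and switch to public/private key login.

vim /etc/ssh/sshd_config

# Port the sshd service listens on
Port 22
# Whether username/password login is allowed
PasswordAuthentication no
# Whether public/private key authentication is allowed
PubkeyAuthentication yes
# Allow machine A to log in as the root user:
# AllowUsers root@<machine A IP>
# Whether root login is allowed (the session lands in the root account)
PermitRootLogin yes

sudo systemctl restart sshd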

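Test in advance that the private key can log in; otherwise the only way back is to boot into rescue (recovery) mode and change the setting to PasswordAuthentication yes.

Key generation reference: https://blog.csdn.net/adminBfl/article/details/130656814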
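
As an added example (not part of the original post), the script below checks an sshd_config for the key-only settings described above before the port is exposed through frp. The function names sshd_value and audit_sshd are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the value sshd would use for keyword $2 from the global section of
# file $1: keywords are case-insensitive and the first value found wins.
sshd_value() {
    awk -v key="$2" '
        $1 ~ /^#/               { next }   # whole-line comment
        tolower($1) == "match"  { exit }   # Match blocks are conditional: stop
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Return 0 only if the file enforces key-only login as described above.
audit_sshd() {
    rc=0
    pw=$(sshd_value "$1" PasswordAuthentication)
    pk=$(sshd_value "$1" PubkeyAuthentication)
    root=$(sshd_value "$1" PermitRootLogin)
    # An unset PasswordAuthentication falls back to the sshd default, yes.
    [ "${pw:-yes}" = "no" ] || {
        echo "FAIL: PasswordAuthentication is '${pw:-unset}', passwords accepted"
        rc=1
    }
    [ "${pk:-yes}" = "yes" ] || {
        echo "FAIL: PubkeyAuthentication is '$pk', key login would be refused"
        rc=1
    }
    if [ "$root" = "yes" ]; then
        echo "WARN: PermitRootLogin yes, root is reachable through the tunnel"
    fi
    return "$rc"
}

# Constructed sample: a lower-case "yes" precedes the intended "no", so the
# hardening line is never applied.
sample=$(mktemp)
printf '%s\n' \
    '# constructed sample, not a real host config' \
    'passwordauthentication yes' \
    'PasswordAuthentication no' \
    'PubkeyAuthentication yes' \
    'PermitRootLogin yes' > "$sample"
audit_sshd "$sample" || echo "=> do not expose this sshd yet"
rm -f "$sample"
```

The helper reads only the global section of one file; on the live host, `sshd -T` prints the effective configuration including defaults.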

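VIII. Configure the public key

ssh-keygen -t rsa -b 2048 -C "<your comment>" # replace <your comment> with a label for the key, e.g. an e-mail address

You can leave "Enter passphrase" empty.

Copy the contents of C:\Users\jiaxiaoyu/.ssh/id_rsa.pub.

Create a deploy key for the project and paste the public key into it.

Configure a global SSH public key: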