I’ve started building a small decentralized, non commercial app with a Rust backend + Node.js frontend running on k8s. I would have my own dedicated server for this. Just mentioning the setup because it might grow and for git there seem to be only GitHub and GitLab around and I prefer GitLab.

I care a lot about security and was wondering if it makes sense to self-host GitLab. I‘m not afraid of doing it, but after setup it shouldn’t take more than 1-2 hours per week for me to maintain it in the long run and I’m wondering if that’s realistic.

Would love to hear about the experience of people who did what I’m planning to do.

EDIT: Thanks for all the answers, trying my best to reply. I want CI/CD, container registry and secrets management that’s what I was hoping to get out of GitLab.

  • Scott
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 month ago

    Incoming wall of text

    Here is my install script to set up Ubuntu since it has a bit of extra steps for privileged ports https://gitlab.meme.beer/-/snippets/1

    Docker compose example, note that my config has a shared network with containers in another compose called nginx to keep traffic inside docker.

    name: "gitlab"
    services:
      gitlab:
        image: 'gitlab/gitlab-ce:latest'
        #command: update-permissions
        restart: always
        hostname: 'gitlab.example.com'
        environment:
          GITLAB_OMNIBUS_CONFIG: |
            external_url 'https://gitlab.example.com'
    
            pages_external_url 'https://pages.example.com'
            pages_nginx['enable'] = true
            pages_nginx['listen_port'] = 6000
            pages_nginx['listen_https'] = false
            pages_nginx['redirect_http_to_https'] = false
    
            #puma['per_worker_max_memory_mb'] = 2048 # 2GB
    
            gitlab_rails['gitlab_email_from'] = '[email protected]'
            gitlab_rails['gitlab_email_display_name'] = 'GitLab'
            gitlab_rails['smtp_enable'] = true
            gitlab_rails['smtp_address'] = "smtp.sendgrid.net"
            gitlab_rails['smtp_port'] = 587
            gitlab_rails['smtp_user_name'] = 'apikey'
            gitlab_rails['smtp_password'] = '$SENDGRID_API_KEY_HERE'
            gitlab_rails['smtp_domain'] = "smtp.sendgrid.net"
            gitlab_rails['smtp_authentication'] = "login"
            gitlab_rails['smtp_enable_starttls_auto'] = true
            gitlab_rails['smtp_tls'] = false
    
            gitlab_rails['gitlab_default_theme'] = 2
    
            gitlab_rails['gitlab_shell_ssh_port'] = 2224
    
            gitlab_rails['gitlab_default_projects_features_container_registry'] = true
            gitlab_rails['registry_enabled'] = true
            gitlab_rails['registry_api_url'] = 'https://registry.example.com'
            gitlab_rails['registry_issuer'] = 'gitlab-issuer'
            registry['log_level'] = 'info'
            registry_external_url 'https://registry.example.com'
            registry_nginx['enable'] = true
            registry_nginx['listen_port'] = 5050
            registry_nginx['listen_https'] = false
            registry_nginx['redirect_http_to_https'] = false
    
            gitlab_shell['log_level'] = 'INFO'
            letsencrypt['enable'] = false
            nginx['error_log_level'] = 'info'
            nginx['listen_https'] = false
            #nginx['proxy_protocol'] = true
            #nginx['trusted_proxies'] = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
    
            # Workhorse
            gitlab_workhorse['enable'] = true
            gitlab_workhorse['ha'] = false
            gitlab_workhorse['listen_network'] = "tcp"
            gitlab_workhorse['listen_addr'] = "127.0.0.1:8181"
            gitlab_workhorse['log_directory'] = "/var/log/gitlab/gitlab-workhorse"
    
            # Errors
    	# for sentry error logging the GitLab service
            #gitlab_rails['sentry_enabled'] = true
            #gitlab_rails['sentry_dsn'] = ''
            #gitlab_rails['sentry_clientside_dsn'] = ''
            #gitlab_rails['sentry_environment'] = 'production'
            # Add any other gitlab.rb configuration here, each on its own line
        networks:
          - nginx
        ports:
          # gitlab loves https on 443
          #- '80:80'
          #- '443:443'
          - '2224:22'
        volumes:
          - ./config:/etc/gitlab
          - ./logs:/var/log/gitlab
          - ./data:/var/opt/gitlab
        shm_size: '256m'
        #deploy:
        #  resources:
        #    limits:
        #      cpus: '6'
        #      memory: 12G
        #    reservations:
        #      cpus: '4'
        #      memory: 6G
        # disable healthcheck for restoring backup
        #healthcheck:
        #  disable: true
    networks:
      nginx:
        external: true
        name: nginx