use traefik for SSH forwarding, move config version variables to abra.sh, update documentation

2025-01-24 15:17:10 -05:00 · 2025-01-24 15:17:10 -05:00 · 3900518035
commit 3900518035
parent 5b1cf7011b
4 changed files with 34 additions and 11 deletions
--- a/.env.sample
+++ b/.env.sample
@ -3,7 +3,7 @@ TYPE=gitlab
 DOMAIN=gitlab.example.com

 REGISTRY_DOMAIN=registry.gitlab.example.com
-# The Gitlab Pages domain must not be a subdomain of the main Gitlab domain
+# The GitLab Pages domain must not be a subdomain of the main GitLab domain
 PAGES_DOMAIN=pages.example.com

 # Prevent public signups
@ -12,11 +12,9 @@ POST_DEPLOY_CMDS=disable_signups
 ## Domain aliases
 EXTRA_DOMAINS=", `$REGISTRY_DOMAIN`, `$PAGES_DOMAIN`"

+GITLAB_SSH_PORT=2222
 LETS_ENCRYPT_ENV=production

-GITLAB_CONF_VERSION=v1
-ENTRYPOINT_VERSION=v1
-
 GITLAB_ROOT_EMAIL="gitlab_admin@example.com"
 SECRET_INITIAL_ROOT_PASSWORD_VERSION=v1
 SECRET_RUNNER_TOKEN_VERSION=v1
--- a/README.md
+++ b/README.md
@ -1,6 +1,6 @@
 # gitlab

-> GitLab server, using GitLab omnibus
+> A git, CI/CD, and project management platform using GitLab omnibus

 <!-- metadata -->

@ -28,6 +28,17 @@

 GitLab is configured to accept ssh:// git connections on the non-standard port 2222. This is because by default the Coop Cloud host server also must accept SSH connections for server management, so port 22 is already occupied and can't be used by GitLab.

+To allow Traefik to accept connections on port 2222, edit the configuration of your Traefik app:
+`abra app config traefik.yourserver.com`
+Uncomment the following section:
+```
+COMPOSE_FILE="$COMPOSE_FILE:compose.gitea.yml"
+GITEA_SSH_ENABLED=1
+```
+Redeploy Traefik
+`abra app undeploy traefik.yourserver.com`
+`abra app deploy traefik.yourserver.com`
+
 To configure your local git client to use the non-standard port by default, modify your local client's ~/.ssh/config file to include the following:
 ```
 Host: git.yourserver.org
@ -35,6 +46,21 @@ Host: git.yourserver.org
  Port 2222
 ```

+## Management Commands
+The following commands for managing GitLab are available by running `abra app command <your gitlab app> app <command>`
+
+`disable_basic_login` - Disables standard email/password based login to the server (for example, to allow only SSO login)
+
+`enable_basic_login` - Re-enables standard email/password based login (enabled by default)
+
+`disable_signups` - Prevents public signups to create accounts on the server
+
+`enable_signups` - Re-enables public signups (signups are enabled by default)
+
+`run_rails_command` - Run a command on GitLab's rails console. For more information: https://docs.gitlab.com/ee/administration/operations/rails_console.html
+
+`reconfigure` - Reload the GitLab configuration (usually necessary after using `run_rails_command`)
+
 ## SSO Configuration

 - Create a Provider and Application in Authentik: https://docs.goauthentik.io/integrations/services/gitlab/#openid-connect-auth
--- a/abra.sh
+++ b/abra.sh
@ -1,4 +1,6 @@
 #!/bin/bash
+GITLAB_CONF_VERSION=v1
+ENTRYPOINT_VERSION=v1

 run_rails_command() {
    su -p root -s /bin/sh -c "gitlab-rails runner '$@'"
--- a/compose.yml
+++ b/compose.yml
@ -13,8 +13,6 @@ services:
      - source: entrypoint
        target: /entrypoint.sh
        mode: 0555
-    ports:
-      - '0.0.0.0:2222:2222'
    entrypoint:
      /entrypoint.sh
    volumes:
@ -30,10 +28,9 @@ services:
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        ## Redirect from EXTRA_DOMAINS to DOMAIN
-        #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
-        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
-        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
+        - "traefik.tcp.routers.${STACK_NAME}-ssh.rule=HostSNI(`*`)"
+        - "traefik.tcp.routers.${STACK_NAME}-ssh.entrypoints=gitea-ssh"
+        - "traefik.tcp.services.${STACK_NAME}-ssh.loadbalancer.server.port=${GITLAB_SSH_PORT}"
        - "backupbot.backup=true"
        - "backupbot.backup.path=/etc/gitlab/,/var/log/gitlab/,/var/opt/gitlab/"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-240}"