From 39005180355a68d79f992cfb93c7734e0b09c906 Mon Sep 17 00:00:00 2001
From: marlon
Date: Fri, 24 Jan 2025 15:17:10 -0500
Subject: [PATCH] use traefik for SSH forwarding, move config version variables to abra.sh, update documentation

---
 .env.sample | 6 ++----
 README.md | 28 +++++++++++++++++++++++++++-
 abra.sh | 2 ++
 compose.yml | 9 +++------
 4 files changed, 34 insertions(+), 11 deletions(-)

diff --git a/.env.sample b/.env.sample
index 72c37c8..7710d49 100644
--- a/.env.sample
+++ b/.env.sample
@@ -3,7 +3,7 @@ TYPE=gitlab
 DOMAIN=gitlab.example.com
 REGISTRY_DOMAIN=registry.gitlab.example.com
-# The Gitlab Pages domain must not be a subdomain of the main Gitlab domain
+# The GitLab Pages domain must not be a subdomain of the main GitLab domain
 PAGES_DOMAIN=pages.example.com
 # Prevent public signups
@@ -12,11 +12,9 @@ POST_DEPLOY_CMDS=disable_signups
 ## Domain aliases
 EXTRA_DOMAINS=", `$REGISTRY_DOMAIN`, `$PAGES_DOMAIN`"
+GITLAB_SSH_PORT=2222
 LETS_ENCRYPT_ENV=production
-GITLAB_CONF_VERSION=v1
-ENTRYPOINT_VERSION=v1
-
 GITLAB_ROOT_EMAIL="gitlab_admin@example.com"
 SECRET_INITIAL_ROOT_PASSWORD_VERSION=v1
 SECRET_RUNNER_TOKEN_VERSION=v1
diff --git a/README.md b/README.md
index 900b021..38388f0 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # gitlab
-> GitLab server, using GitLab omnibus
+> A git, CI/CD, and project management platform using GitLab omnibus
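Review bot: `GITLAB_SSH_PORT=2222` in the second .env.sample hunk is added without a comment, and its role is easy to misread next to the README text about Traefik accepting connections on port 2222: in compose.yml it only feeds `traefik.tcp.services.${STACK_NAME}-ssh.loadbalancer.server.port`, i.e. the port Traefik connects to inside the GitLab container, not the port git clients reach (that is whatever the Traefik app's `gitea-ssh` entrypoint binds, 2222 per the README). An operator changing only this value would break forwarding rather than move the public port. Suggest `# Port GitLab's SSH daemon listens on inside the container; Traefik's gitea-ssh entrypoint forwards to it. The public port is configured in the Traefik app.` above the assignment.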
@@ -28,6 +28,17 @@ GitLab is configured to accept ssh:// git connections on the non-standard port 2222. This is because by default the Coop Cloud host server also must accept SSH connections for server management, so port 22 is already occupied and can't be used by GitLab.
+To allow Traefik to accept connections on port 2222, edit the configuration of your Traefik app:
+`abra app config traefik.yourserver.com`
+Uncomment the following section:
+```
+COMPOSE_FILE="$COMPOSE_FILE:compose.gitea.yml"
+GITEA_SSH_ENABLED=1
+```
+Redeploy Traefik
+`abra app undeploy traefik.yourserver.com`
+`abra app deploy traefik.yourserver.com`
+
 To configure your local git client to use the non-standard port by default, modify your local client's ~/.ssh/config file to include the following:
 ```
 Host: git.yourserver.org
@@ -35,6 +46,21 @@ Host: git.yourserver.org
 Port 2222
 ```
+## Management Commands
+The following commands for managing GitLab are available by running `abra app command app `
+
+`disable_basic_login` - Disables standard email/password based login to the server (for example, to allow only SSO login)
+
+`enable_basic_login` - Re-enables standard email/password based login (enabled by default)
+
+`disable_signups` - Prevents public signups to create accounts on the server
+
+`enable_signups` - Re-enables public signups (signups are enabled by default)
+
+`run_rails_command` - Run a command on GitLab's rails console. For more information: https://docs.gitlab.com/ee/administration/operations/rails_console.html
+
+`reconfigure` - Reload the GitLab configuration (usually necessary after using `run_rails_command`)
+
 ## SSO Configuration
 - Create a Provider and Application in Authentik: https://docs.goauthentik.io/integrations/services/gitlab/#openid-connect-auth
diff --git a/abra.sh b/abra.sh
index 8eda73d..3747411 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1,4 +1,6 @@
 #!/bin/bash
+GITLAB_CONF_VERSION=v1
+ENTRYPOINT_VERSION=v1
 run_rails_command() {
 su -p root -s /bin/sh -c "gitlab-rails runner '$@'"
diff --git a/compose.yml b/compose.yml
index 64a1629..46dcf42 100644
--- a/compose.yml
+++ b/compose.yml
@@ -13,8 +13,6 @@ services:
 - source: entrypoint
 target: /entrypoint.sh
 mode: 0555
- ports:
- - '0.0.0.0:2222:2222'
 entrypoint: /entrypoint.sh
 volumes:
@@ -30,10 +28,9 @@ services:
 - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
 - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
 - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
- ## Redirect from EXTRA_DOMAINS to DOMAIN
- #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
- #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
- #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
+ - "traefik.tcp.routers.${STACK_NAME}-ssh.rule=HostSNI(`*`)"
+ - "traefik.tcp.routers.${STACK_NAME}-ssh.entrypoints=gitea-ssh"
+ - "traefik.tcp.services.${STACK_NAME}-ssh.loadbalancer.server.port=${GITLAB_SSH_PORT}"
 - "backupbot.backup=true"
 - "backupbot.backup.path=/etc/gitlab/,/var/log/gitlab/,/var/opt/gitlab/"
 - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-240}"
-- 
2.47.2
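Review bot: The two assignments added after `#!/bin/bash` in abra.sh are plain shell variables, not exported; if abra merely sources abra.sh and the `${GITLAB_CONF_VERSION}`/`${ENTRYPOINT_VERSION}` interpolation in compose.yml reads the process environment, they would resolve to empty and silently change the generated config names — worth confirming against how abra loads this file, and if so `export GITLAB_CONF_VERSION=v1` / `export ENTRYPOINT_VERSION=v1`. Because the same names are dropped from .env.sample in this patch, existing deployments whose .env still defines them could get a different value from abra.sh than from their env file; which source takes precedence is not visible here and deserves a sentence in the commit message. A short comment such as `# Bump when the config template or entrypoint.sh changes (presumably so a fresh config object is created on redeploy — confirm)` would tell maintainers why these live here.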
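Review bot: The added TCP router in the second compose.yml hunk uses the `HostSNI` wildcard rule on the shared `gitea-ssh` entrypoint; SSH carries no SNI, so the wildcard is the only rule that can match, which means one app has to own that entrypoint outright — deploying this recipe next to a Gitea app (or anything else routing on `gitea-ssh`) on the same Traefik would leave two wildcard routers competing for the same connections. A label comment would make that explicit, e.g. `## SSH has no SNI, so this router claims the whole gitea-ssh entrypoint; it cannot be shared with another app on the same Traefik`. Separately, unlike the `0.0.0.0:2222:2222` binding removed in the previous hunk, GitLab's sshd now sees Traefik as the TCP peer: unless the entrypoint enables proxy protocol (nothing on this page shows that), client addresses in GitLab's SSH and audit logs, and any IP-based rate limiting or blocking, will reflect Traefik's address rather than the real client. That trade-off belongs in the README section this patch adds.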