Set up GitLab on a FreeNAS VM
Guide to setting up GitLab on FreeNAS with Let's Encrypt and the DNS-01 challenge
This is my first use of a FreeNAS virtual machine. I set up GitLab on a FreeNAS VM even though there is no server CPU installed (a G1840T); I have purchased an E3-1275L v3 for FreeNAS.
Setup on a Virtual Machine
My FreeNAS is upgraded to 13-RELEASE. I have 16 GiB of memory, so I created a VM with 4 virtual CPUs, 4 GiB of memory and maybe 20 GiB of disk.
I'm not very familiar with bhyve, the virtualization software in FreeNAS 13. It sounds like full virtualization, unlike a jail (the earlier virtualization option), which shares the host kernel; bhyve lets you install Windows, Linux or FreeBSD guests.
I downloaded the Ubuntu 18.04 LTS image and uploaded it to the NAS; the virtual machine boots from this image when it starts. Installation works fine. P.S. I could import my SSH public key from GitHub during the Ubuntu install.
I chose Ubuntu because GitLab recommends the Omnibus package, Ubuntu is one of the recommended operating systems, and I'm very familiar with it. Debian, CentOS and SUSE are recommended too.
Note: set the hostname of the host and the external_url of GitLab. The GitLab config file path is /etc/gitlab/gitlab.rb; yes, it's a Ruby project. I'm not sure why GitLab uses Ruby, just like GitHub; is Ruby the best programming language for a Git hosting website?
Set up Let's Encrypt with GitLab
Yes, GitLab supports Let's Encrypt, and it should work fine, but I didn't try it: my GitLab is deployed on the intranet and my ISP blocks ports 80 and 443, so I couldn't complete the ACME challenge with Let's Encrypt (the built-in client only does the HTTP-01 challenge, which needs port 80 reachable from the internet). I hoped to use the DNS-01 challenge method, but GitLab does not support it now; maybe it will be available in future.
I used acme.sh with DNS-01 to issue a certificate for my Cloudflare-hosted domain. For Cloudflare with acme.sh, please refer to these docs. I used the new API token method; when you create an API token you need to choose which permissions the token gets. I granted these:
- Account - Account Settings - Read
- Zone - Zone - Read
- Zone - DNS - Edit
- For Account Resources: Include - my account (only one)
- For Zone Resources: Include - All zones from an account - my account (only one)
Note that DNS edit rights over every zone in the account are broader than one domain needs; if the token is only for this GitLab host, restricting the zone resource to that single zone limits the damage should the token leak from the server.
GitLab supports using your own certificate: change external_url to an https:// URL and copy your certificate and key file to /etc/gitlab/ssl. GitLab looks for YOUR_DOMAIN.key as the key file and YOUR_DOMAIN.crt as the certificate file, where YOUR_DOMAIN is the hostname from external_url; the .crt should contain the full chain, not just the leaf certificate. Run sudo gitlab-ctl reconfigure after editing gitlab.rb so the change takes effect.
Unfortunately, acme.sh (running as my user) could not write to /etc/gitlab/ssl, so I changed the ssl directory's group to my user and made it group-writable.
Last, after the certificate is installed (copied), I need to tell nginx to reload (GitLab uses nginx). GitLab provides gitlab-ctl hup nginx, but this command needs sudo.
I modified the sudoers file with sudo visudo, adding a NOPASSWD rule for the command /usr/bin/gitlab-ctl hup nginx. Keep the rule to that exact command line: a rule for /usr/bin/gitlab-ctl alone would let the same user stop, reconfigure or reset the whole GitLab instance without a password.
I have not tested renewal, but I found that acme.sh recorded my certificate installation paths and reload command, so I suppose that after a successful renewal acme.sh will install the cert to that path and execute the reload command. Renewal can be exercised without waiting for expiry: acme.sh --renew -d YOUR_DOMAIN --force runs the renewal, the recorded install and the reload command right away, which is the easiest way to confirm the sudoers rule and the directory permissions before the real renewal comes up.