Setup Gitlab on FreeNAS VM

Guide for setup Gitlab on FreeNAS and let's encrypt with DNS-01 challenge

This is my first time using a FreeNAS virtual machine. I set up GitLab on a FreeNAS VM even though the box has no server CPU installed (G1840T); I have purchased an E3-1275L v3 for FreeNAS.

Setup on Virtual Machine

My FreeNAS is upgraded to 13-RELEASE and has 16 GiB of memory, so I created a VM with 4 virtual CPUs, 4 GiB of memory and about 20 GiB of disk.

I'm not very familiar with bhyve, the virtualization software in FreeNAS 13. It sounds like full virtualization, unlike jails (the previous virtualization option), which share the host kernel; bhyve lets you install Windows, Linux or FreeBSD.

I downloaded the Ubuntu 18.04 LTS image and uploaded it to the NAS; this image is used when the virtual machine starts. Installation worked fine. P.S. I could import my SSH public key from GitHub during the Ubuntu install.

I chose Ubuntu because GitLab recommends the Omnibus package, Ubuntu is one of its recommended operating systems, and I'm very familiar with it. Debian, CentOS and SUSE are recommended too.

Note: set the hostname of the host and the external_url of GitLab. The GitLab config file path is /etc/gitlab/gitlab.rb; yes, it's a Ruby project. I'm not sure why GitLab uses Ruby, just like GitHub; is Ruby the best programming language for a Git hosting website?

Setup Let's Encrypt with Gitlab

Yes, GitLab supports Let's Encrypt and it should work fine, but I didn't try it: my GitLab is deployed on the intranet and my ISP blocks ports 80 and 443, so the built-in Let's Encrypt (ACME) challenge could not succeed. I hoped to use the DNS-01 challenge method, but GitLab does not support it now; maybe it will be available in the future.

I use acme.sh with a DNS-01-issued certificate for my Cloudflare-hosted domain. For Cloudflare with acme.sh, please refer to these docs; I use the new API token method. When you create an API token you need to choose which permissions the token has; I granted these:

  • Account-Account Setting-Read
  • Zone-Zone-Read
  • Zone-DNS-Edit
  • For Account Resource: Include-my account (only one)
  • For Zone Resource: Include-All zones from an account-my account (only one)

GitLab supports using your own certificate, so change external_url to an https:// URL and copy your certificate and key file to /etc/gitlab/ssl; GitLab looks for YOUR_DOMAIN.key as the key file and YOUR_DOMAIN.crt as the certificate file.

Unfortunately, acme.sh could not write to /etc/gitlab/ssl, so I changed the ssl directory's group to my user and made it group-writable.

Finally, after the certificate is installed (copied), I need to tell nginx (GitLab uses nginx) to reload. GitLab provides gitlab-ctl hup nginx for this, but the command needs sudo.

I modified the sudoers file with sudo visudo and added a NOPASSWD rule for the command /usr/bin/gitlab-ctl hup nginx.

I have not tested renewal, but I found that acme.sh recorded my certificate installation path and reload command, so I suppose that after a successful renewal acme.sh will install the cert to that path and execute the reload command.
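As an added example (not the post's own commands), here is the whole acme.sh flow described above as a small shell script: issue via DNS-01, install into the file names GitLab's nginx reads, register the reload command so renewals reload nginx too, the sudoers line, and a permission check on the ssl directory that was opened up for acme.sh. It assumes acme.sh lives in $HOME/.acme.sh, a placeholder domain git.example.com, and the CF_Token / CF_Account_ID variable names that acme.sh's dns_cf hook reads.

```shell
#!/bin/sh
# Assumptions: acme.sh installed under $HOME/.acme.sh, placeholder domain
# git.example.com, Cloudflare API token exported as CF_Token (plus
# CF_Account_ID), which is what acme.sh's dns_cf hook reads.
DOMAIN="${DOMAIN:-git.example.com}"
SSL_DIR="${SSL_DIR:-/etc/gitlab/ssl}"
ACME="${ACME:-$HOME/.acme.sh/acme.sh}"
RELOAD_CMD="sudo /usr/bin/gitlab-ctl hup nginx"

# Issue via DNS-01: no inbound 80/443 needed, so a blocked ISP port is fine.
# acme.sh saves CF_Token/CF_Account_ID in its config for later renewals.
issue_cert() {
    "$ACME" --issue --dns dns_cf -d "$DOMAIN"
}

# Install to the names GitLab's bundled nginx looks for and record the
# reload command; renewals run by `acme.sh --cron` reuse both.
install_cert() {
    "$ACME" --install-cert -d "$DOMAIN" \
        --key-file       "$SSL_DIR/$DOMAIN.key" \
        --fullchain-file "$SSL_DIR/$DOMAIN.crt" \
        --reloadcmd      "$RELOAD_CMD"
}

# sudoers rule for the user acme.sh runs as: NOPASSWD only for the exact
# reload command, so the rule grants nothing else.
sudoers_line() {
    printf '%s ALL=(root) NOPASSWD: /usr/bin/gitlab-ctl hup nginx\n' "$1"
}

# Check the directory that was made group-writable for acme.sh: group-write
# is acceptable, world-write is not, and the private key must not be
# readable by group or others. Returns 0 when every check passes.
check_ssl_dir() {
    dir="$1"; key="$2"
    dmode=$(stat -c '%a' "$dir")   # GNU stat (Ubuntu); FreeBSD uses -f '%Lp'
    kmode=$(stat -c '%a' "$key")
    case "$dmode" in
        *[2367]) echo "$dir is world-writable (mode $dmode)"; return 1 ;;
    esac
    case "$kmode" in
        *00) ;;
        *) echo "$key is readable by group/others (mode $kmode)"; return 1 ;;
    esac
    return 0
}
```

Run issue_cert once, then install_cert; afterwards check_ssl_dir "$SSL_DIR" "$SSL_DIR/$DOMAIN.key" confirms the directory and key modes are sane before you rely on unattended renewals.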