GitLab installation on Debian 11 is relatively straightforward and documented by the GitLab team here. I’ve put a bit of a twist on the normal install process and chosen to use Cloudflared to avoid having to open ports on my firewall.
This avoids having any direct access to your instance and forces all traffic to be proxied/inspected by Cloudflare. I’ve also configured email to be sent using SendGrid.
Sections 1-5 were taken directly from the GitLab website, referenced above. After that, I’ll continue with my additions/modifications.
1. Install and configure the necessary dependencies
sudo apt-get update
sudo apt-get install -y curl openssh-server ca-certificates perl
Next, install Postfix (or Sendmail) to send notification emails. If you want to use another solution to send emails please skip this step and configure an external SMTP server after GitLab has been installed.
Rob’s note: This command is not necessary, because we will be using SendGrid.
sudo apt-get install -y postfix
During Postfix installation a configuration screen may appear. Select ‘Internet Site’ and press enter. Use your server’s external DNS for ‘mail name’ and press enter. If additional screens appear, continue to press enter to accept the defaults.
2. Add the GitLab package repository and install the package
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash
Next, install the GitLab package. Make sure you have correctly set up your DNS, and change https://gitlab.example.com to the URL at which you want to access your GitLab instance. Installation will automatically configure and start GitLab at that URL.
For https:// URLs, GitLab will automatically request a certificate with Let’s Encrypt, which requires inbound HTTP access and a valid hostname. You can also use your own certificate or just use http:// (without the s).
If you would like to specify a custom password for the initial administrator user (root), check the documentation. If a password is not specified, a random password will be automatically generated.
Rob’s note: I selected http:// (mentioned above) because I will be using Cloudflared and not exposing my server to any users directly.
sudo EXTERNAL_URL="http://gitlab.example.com" apt-get install gitlab-ee
3. Browse to the hostname and login
Unless you provided a custom password during installation, a password will be randomly generated and stored for 24 hours in /etc/gitlab/initial_root_password. Use this password with username root to login.
See our documentation for detailed instructions on installing and configuration.
4. Set up your communication preferences
Visit our email subscription preference center to let us know when to communicate with you. We have an explicit email opt-in policy so you have complete control over what and how often we send you emails.
Twice a month, we send out the GitLab news you need to know, including new features, integrations, docs, and behind the scenes stories from our dev teams. For critical security updates related to bugs and system performance, sign up for our dedicated security newsletter.
Important note: If you do not opt-in to the security newsletter, you will not receive security alerts.
5. Recommended next steps
After completing your installation, consider the recommended next steps, including authentication options and sign-up restrictions.
6. SendGrid with API Key authentication
This section is based on the SMTP Settings guide. I’ve compressed the information to provide only what you need to set up SendGrid. In another guide (TBD), I will go through the process of adding an API key for use in SendGrid.
Open /etc/gitlab/gitlab.rb with your favorite text editor, search for, and edit the section below.
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.sendgrid.net"
gitlab_rails['smtp_port'] = 587
gitlab_rails['smtp_user_name'] = "apikey"
gitlab_rails['smtp_password'] = "the_api_key_you_created"
gitlab_rails['smtp_domain'] = "smtp.sendgrid.net"
gitlab_rails['smtp_authentication'] = "plain"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = false
# If you use Single Sender Verification, you must configure the from address. If not, sending fails with:
# 550 The from address does not match a verified Sender Identity. Mail cannot be sent until this error is resolved.
# Visit https://sendgrid.com/docs/for-developers/sending-email/sender-identity/ to see the Sender Identity requirements
gitlab_rails['gitlab_email_from'] = 'email@sender_owner_api'
gitlab_rails['gitlab_email_reply_to'] = 'email@sender_owner_reply_api'
Note that smtp_user_name must literally be set to "apikey". The API Key you created must be entered in smtp_password.
After saving your changes, you will need to run gitlab-ctl reconfigure in order to apply the configuration.
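A way to check the SendGrid block before reconfiguring, as an added example that is not part of the original post or of GitLab's tooling. The function names (rb_value, check_sendgrid_smtp, write_sample), the sample file, and the expectation that a file holding the API key has mode 600 are assumptions of this example.

```shell
# Added example: lint the SendGrid settings in a gitlab.rb-style file.
# Print the last uncommented value assigned to gitlab_rails['<key>'] in file $1.
rb_value() {
  sed -n "s/^[[:space:]]*gitlab_rails\['$2'\][[:space:]]*=[[:space:]]*//p" "$1" |
    tail -n 1 | sed -e 's/[[:space:]]*$//' -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Print one line per finding for file $1; status 0 only when there are none.
check_sendgrid_smtp() (
  f=$1; rc=0
  want() {
    got=$(rb_value "$f" "$1")
    [ "$got" = "$2" ] || { echo "$1 is '$got', expected '$2'"; rc=1; }
  }
  want smtp_enable true
  want smtp_address smtp.sendgrid.net
  want smtp_port 587                   # submission port, upgraded via STARTTLS
  want smtp_user_name apikey           # the literal string, not an account name
  want smtp_enable_starttls_auto true
  want smtp_tls false                  # implicit TLS stays off on 587
  case "$(rb_value "$f" smtp_password)" in
    ''|the_api_key_you_created) echo "smtp_password is empty or a placeholder"; rc=1 ;;
  esac
  # The file holds the API key: group and other should have no access to it.
  case "$(stat -c '%a' "$f")" in
    *00) ;;
    *) echo "file mode allows group/other access, expected 600"; rc=1 ;;
  esac
  exit "$rc"
)

# Constructed sample: wrong user name, placeholder key, world-readable file.
write_sample() {
  cat >"$1" <<'EOF'
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.sendgrid.net"
gitlab_rails['smtp_port'] = 587
gitlab_rails['smtp_user_name'] = "rob@example.com"
gitlab_rails['smtp_password'] = "the_api_key_you_created"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = false
EOF
  chmod 644 "$1"
}

sample=$(mktemp)
write_sample "$sample"
check_sendgrid_smtp "$sample" || echo "fix the findings above before gitlab-ctl reconfigure"
rm -f "$sample"
```

On the server, point it at the real file with sudo sh -c, for example check_sendgrid_smtp /etc/gitlab/gitlab.rb; the API key itself is never printed.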
7. Cloudflared installation/configuration
I’m going to work off the assumption that you’ve already configured Cloudflare’s Zero Trust portal. While that portal gives you a copy/paste of what needs to be done, it’s always nice to have another source to review if you run into any problems.
Cloudflare has a couple of good documents to review:
1) https://pkg.cloudflare.com/index.html
2) Installation/Downloads
Add the Cloudflare GPG key:
sudo mkdir -p --mode=0755 /usr/share/keyrings
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
Add this repo to your apt repositories:
echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared buster main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
Install cloudflared:
sudo apt-get update && sudo apt-get install cloudflared
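In the overview tab for your tunnel, you will see a section that says “Install and run a connector”. Run the command shown there on the server. It has the form below, followed by the token for your tunnel, which is a credential and should be handled like one.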
sudo cloudflared service install
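Because the point of the tunnel is that nothing reaches the instance directly, it is worth confirming which listeners still depend on the firewall. The following is an added example, not part of the original post: it parses `ss -Htln` output and reports TCP listeners bound beyond loopback. The function names and the sample lines are constructed for illustration.

```shell
# Added example: find TCP listeners bound to a non-loopback address.
# stdin: `ss -Htln` lines. stdout: "<port> <address>" per non-loopback listener.
exposed_listeners() {
  awk '{
    addr = $4; port = $4
    sub(/.*:/, "", port)            # text after the last colon is the port
    sub(/:[^:]*$/, "", addr)        # the rest is the bind address
    gsub(/^\[|\]$/, "", addr)       # [::] -> ::
    sub(/%.*$/, "", addr)           # 127.0.0.53%lo -> 127.0.0.53
    if (addr ~ /^127\./ || addr == "::1") next
    print port, addr
  }' | LC_ALL=C sort -u
}

# Status 0 when none of the given ports is bound to a non-loopback address.
ports_private() (
  listing=$(exposed_listeners)
  rc=0
  for p in "$@"; do
    if printf '%s\n' "$listing" | grep -q "^$p "; then
      echo "port $p is bound beyond loopback; it relies on the firewall staying closed"
      rc=1
    fi
  done
  exit "$rc"
)

# Constructed sample in `ss -Htln` layout (not captured from a real host).
sample_ss() {
  cat <<'EOF'
LISTEN 0 511  0.0.0.0:80       0.0.0.0:*
LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
LISTEN 0 1024 127.0.0.1:8080   0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128  [::]:22          [::]:*
EOF
}

sample_ss | exposed_listeners
sample_ss | ports_private 80 443 || true
# On the server itself: ss -Htln | ports_private 80 443
```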