documentation/vm/git.md

## Machine virtuelle GIT

Cette machine est destinée à accueillir la forge logicielle de l'association, qui permet à différents projets de bénéficier d'un outil de travail supportant des fonctions avancées (comme la CI et les hooks avancés), mais également à l'association de publier différents documents nécessaire à son activité.

### Matériel virtuel

CPU : 2  
RAM : 4096 Mio
Stockage de masse : 50 Gio

### Logiciel

Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)  
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)  
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`  
Forge logicielle :  `gitlab-ce`
Mail Transfer Agent : `postfix`  

### Caractéristiques notables

Domaine : git.a-lec.org  
Adresse ipv4 publique : 80.67.176.33  
Adresse ipv4 interne : 192.168.1.131  
Adresse ipv6 publique : 2001:910:1021::131

### Configuration serveur web (nginx)
<details>

    # GITLAB

    upstream gitlab-workhorse {
      # On GitLab versions before 13.5, the location is
      # `/var/opt/gitlab/gitlab-workhorse/socket`. Change the following line
      # accordingly.
      server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
    }

    ## Redirects all HTTP traffic to the HTTPS host
    server {
      ## Either remove "default_server" from the listen line below,
      ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
      ## to be served if you visit any address that your server responds to, eg.
      ## the ip address of the server (http://x.x.x.x/)
      listen 0.0.0.0:80;
      listen [::]:80 ipv6only=on default_server;
      server_name git.a-lec.org; ## Replace this with something like gitlab.example.com
      server_tokens off; ## Don't show the nginx version number, a security best practice
      return 302 https://git.a-lec.org$request_uri;
      access_log  /var/log/nginx/gitlab_access.log;
      error_log   /var/log/nginx/gitlab_error.log;
    }

    ## HTTPS host
    server {
      set_real_ip_from  192.169.1.1;
      real_ip_header proxy_protocol;
      listen 0.0.0.0:443 ssl proxy_protocol;
      listen [::]:443 ipv6only=on ssl default_server;
      server_name git.a-lec.org; ## Replace this with something like gitlab.example.com
      server_tokens off; ## Don't show the nginx version number, a security best practice
      root /opt/gitlab/embedded/service/gitlab-rails/public;

      ssl_certificate /etc/letsencrypt/live/git.a-lec.org/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/git.a-lec.org/privkey.pem;

      ## [Optional] Enable HTTP Strict Transport Security
      ## HSTS is a feature improving protection against MITM attacks
      ## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

      ## Individual nginx logs for this GitLab vhost
      access_log  /var/log/nginx/gitlab_access.log;
      error_log   /var/log/nginx/gitlab_error.log;

      location / {
        client_max_body_size 0;
        gzip off;

        ## https://github.com/gitlabhq/gitlabhq/issues/694
        ## Some requests take more than 30 seconds.
        proxy_read_timeout      300;
        proxy_connect_timeout   300;
        proxy_redirect          off;

        proxy_http_version 1.1;

        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-Ssl     on;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto   $scheme;
        proxy_pass http://gitlab-workhorse;
      }
    }
    
</details>
Refonte documentation 2022-12-19 18:09:26 +01:00			`## Machine virtuelle GIT`

			`Cette machine est destinée à accueillir la forge logicielle de l'association, qui permet à différents projets de bénéficier d'un outil de travail supportant des fonctions avancées (comme la CI et les hooks avancés), mais également à l'association de publier différents documents nécessaire à son activité.`

			`### Matériel virtuel`

			`CPU : 2`
			`RAM : 4096 Mio`
			`Stockage de masse : 50 Gio`

			`### Logiciel`

			`Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)`
			Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
			Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
			Forge logicielle : `gitlab-ce`
			Mail Transfer Agent : `postfix`

			`### Caractéristiques notables`

			`Domaine : git.a-lec.org`
			`Adresse ipv4 publique : 80.67.176.33`
			`Adresse ipv4 interne : 192.168.1.131`
			`Adresse ipv6 publique : 2001:910:1021::131`

			`### Configuration serveur web (nginx)`
			`<details>`

			`# GITLAB`

			`upstream gitlab-workhorse {`
			`# On GitLab versions before 13.5, the location is`
			# `/var/opt/gitlab/gitlab-workhorse/socket`. Change the following line
			`# accordingly.`
			`server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;`
			`}`

			`## Redirects all HTTP traffic to the HTTPS host`
			`server {`
			`## Either remove "default_server" from the listen line below,`
			`## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab`
			`## to be served if you visit any address that your server responds to, eg.`
			`## the ip address of the server (http://x.x.x.x/)`
			`listen 0.0.0.0:80;`
			`listen [::]:80 ipv6only=on default_server;`
			`server_name git.a-lec.org; ## Replace this with something like gitlab.example.com`
			`server_tokens off; ## Don't show the nginx version number, a security best practice`
			`return 302 https://git.a-lec.org$request_uri;`
			`access_log /var/log/nginx/gitlab_access.log;`
			`error_log /var/log/nginx/gitlab_error.log;`
			`}`

			`## HTTPS host`
			`server {`
			`set_real_ip_from 192.169.1.1;`
			`real_ip_header proxy_protocol;`
			`listen 0.0.0.0:443 ssl proxy_protocol;`
			`listen [::]:443 ipv6only=on ssl default_server;`
			`server_name git.a-lec.org; ## Replace this with something like gitlab.example.com`
			`server_tokens off; ## Don't show the nginx version number, a security best practice`
			`root /opt/gitlab/embedded/service/gitlab-rails/public;`

			`ssl_certificate /etc/letsencrypt/live/git.a-lec.org/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/git.a-lec.org/privkey.pem;`

			`## [Optional] Enable HTTP Strict Transport Security`
			`## HSTS is a feature improving protection against MITM attacks`
			`## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/`
			`add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";`

			`## Individual nginx logs for this GitLab vhost`
			`access_log /var/log/nginx/gitlab_access.log;`
			`error_log /var/log/nginx/gitlab_error.log;`

			`location / {`
			`client_max_body_size 0;`
			`gzip off;`

			`## https://github.com/gitlabhq/gitlabhq/issues/694`
			`## Some requests take more than 30 seconds.`
			`proxy_read_timeout 300;`
			`proxy_connect_timeout 300;`
			`proxy_redirect off;`

			`proxy_http_version 1.1;`

			`proxy_set_header Host $http_host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-Ssl on;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_pass http://gitlab-workhorse;`
			`}`
			`}`

			`</details>`