## Machine virtuelle GIT

Cette machine est destinée à accueillir la forge logicielle de l'association, qui permet à différents projets de bénéficier d'un outil de travail supportant des fonctions avancées (comme la CI et les hooks avancés), mais également à l'association de publier différents documents nécessaire à son activité.

### Matériel virtuel

CPU : 2  
RAM : 4096 Mio
Stockage de masse : 50 Gio

### Logiciel

Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)  
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)  
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`  
Forge logicielle :  `gitlab-ce`
Mail Transfer Agent : `postfix`  

### Caractéristiques notables

Domaine : git.a-lec.org  
Adresse ipv4 publique : 80.67.176.33  
Adresse ipv4 interne : 192.168.1.131  
Adresse ipv6 publique : 2001:910:1021::131

### Configuration serveur web (nginx)
<details>

    # GITLAB

    upstream gitlab-workhorse {
      # On GitLab versions before 13.5, the location is
      # `/var/opt/gitlab/gitlab-workhorse/socket`. Change the following line
      # accordingly.
      server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
    }

    ## Redirects all HTTP traffic to the HTTPS host
    server {
      ## Either remove "default_server" from the listen line below,
      ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
      ## to be served if you visit any address that your server responds to, eg.
      ## the ip address of the server (http://x.x.x.x/)
      listen 0.0.0.0:80;
      listen [::]:80 ipv6only=on default_server;
      server_name git.a-lec.org; ## Replace this with something like gitlab.example.com
      server_tokens off; ## Don't show the nginx version number, a security best practice
      return 302 https://git.a-lec.org$request_uri;
      access_log  /var/log/nginx/gitlab_access.log;
      error_log   /var/log/nginx/gitlab_error.log;
    }

    ## HTTPS host
    server {
      set_real_ip_from  192.169.1.1;
      real_ip_header proxy_protocol;
      listen 0.0.0.0:443 ssl proxy_protocol;
      listen [::]:443 ipv6only=on ssl default_server;
      server_name git.a-lec.org; ## Replace this with something like gitlab.example.com
      server_tokens off; ## Don't show the nginx version number, a security best practice
      root /opt/gitlab/embedded/service/gitlab-rails/public;

      ssl_certificate /etc/letsencrypt/live/git.a-lec.org/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/git.a-lec.org/privkey.pem;

      ## [Optional] Enable HTTP Strict Transport Security
      ## HSTS is a feature improving protection against MITM attacks
      ## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

      ## Individual nginx logs for this GitLab vhost
      access_log  /var/log/nginx/gitlab_access.log;
      error_log   /var/log/nginx/gitlab_error.log;

      location / {
        client_max_body_size 0;
        gzip off;

        ## https://github.com/gitlabhq/gitlabhq/issues/694
        ## Some requests take more than 30 seconds.
        proxy_read_timeout      300;
        proxy_connect_timeout   300;
        proxy_redirect          off;

        proxy_http_version 1.1;

        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-Ssl     on;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto   $scheme;
        proxy_pass http://gitlab-workhorse;
      }
    }
    
</details>