## GIT virtual machine

This machine is intended to host the association's software forge, which gives the various projects a working tool supporting advanced features (such as CI and advanced hooks), and also lets the association publish the various documents it needs for its activity.

### Virtual hardware

- CPU: 2
- RAM: 4096 MiB
- Mass storage: 50 GiB

### Software

- Operating system: Debian GNU/Linux-libre 11 (Bullseye)
- Kernel: Linux-libre LTS (`linux-libre-lts` from the https://linux-libre.fsfla.org repositories)
- Maintenance safeguards: `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
- Software forge: `gitlab-ce`
- Mail Transfer Agent: `postfix`

### Notable characteristics

- Domain: git.a-lec.org
- Public IPv4 address: 80.67.179.96
- Internal IPv4 address: 192.169.1.131
- Public IPv6 address: 2001:910:1360::42

#### Network configuration

##### /etc/network/interfaces

```
# The primary network interface
allow-hotplug enp1s0
iface enp1s0 inet dhcp

iface enp1s0 inet6 static
    address 2001:910:1360::42/128
    gateway 2001:910:1360::
```

##### /etc/hosts.allow

```
sshd: 192.169.1.0/24, [2001:910:1360::]/48
```

##### /etc/hosts.deny

```
sshd: ALL
```

### MTA configuration

#### /etc/postfix/transport

```
a-lec.org :
* discard:
```

#### /etc/postfix/virtual

```
@localhost      admin@a-lec.org
@git.a-lec.org  admin@a-lec.org
```

### Web server configuration (nginx)

```nginx
# GITLAB
upstream gitlab-workhorse {
  # On GitLab versions before 13.5, the location is
  # `/var/opt/gitlab/gitlab-workhorse/socket`. Change the following line
  # accordingly.
  server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
}

## Redirects all HTTP traffic to the HTTPS host
server {
  ## Either remove "default_server" from the listen line below,
  ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
  ## to be served if you visit any address that your server responds to, eg.
  ## the ip address of the server (http://x.x.x.x/)
  listen 0.0.0.0:80;
  listen [::]:80 ipv6only=on default_server;
  server_name git.a-lec.org; ## Replace this with something like gitlab.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice
  return 302 https://git.a-lec.org$request_uri;

  access_log  /var/log/nginx/gitlab_access.log;
  error_log   /var/log/nginx/gitlab_error.log;
}

## HTTPS host
server {
  set_real_ip_from 192.169.1.1;
  real_ip_header proxy_protocol;

  listen 0.0.0.0:443 ssl proxy_protocol;
  listen [::]:443 ipv6only=on ssl default_server;
  server_name git.a-lec.org; ## Replace this with something like gitlab.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice
  root /opt/gitlab/embedded/service/gitlab-rails/public;

  ssl_certificate /etc/letsencrypt/live/git.a-lec.org/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/git.a-lec.org/privkey.pem;

  ## [Optional] Enable HTTP Strict Transport Security
  ## HSTS is a feature improving protection against MITM attacks
  ## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

  ## Individual nginx logs for this GitLab vhost
  access_log  /var/log/nginx/gitlab_access.log;
  error_log   /var/log/nginx/gitlab_error.log;

  location / {
    client_max_body_size 0;
    gzip off;

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_http_version 1.1;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-Ssl     on;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;

    proxy_pass http://gitlab-workhorse;
  }
}
```
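To check which clients the sshd rules in the `hosts.allow` / `hosts.deny` entries of the network configuration section actually admit, here is an added example (not part of the original page) that re-implements the libwrap decision order for those two rules in Python. The rule text is embedded as constructed strings copied from the page; hostname patterns, `EXCEPT` and shell-command options are out of scope.

```python
"""Evaluate the documented sshd TCP-wrapper rules (hosts.allow / hosts.deny).

Added example: simplified libwrap matcher for address-based client patterns
(ALL, a.b.c.d/len, [v6]/len, bare addresses). Constructed rule text below is
copied from the page's /etc/hosts.allow and /etc/hosts.deny entries.
"""
import ipaddress

HOSTS_ALLOW = "sshd: 192.169.1.0/24, [2001:910:1360::]/48\n"
HOSTS_DENY = "sshd: ALL\n"


def parse_rules(text):
    """Yield (daemon_set, client_patterns) for each non-comment line.

    The first ':' separates the daemon list from the client list; IPv6
    networks must be bracketed, as in the page, so their colons are not hit.
    """
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        daemon_set = {d.strip() for d in daemons.split(",")}
        client_patterns = clients.replace(",", " ").split()
        yield daemon_set, client_patterns


def client_matches(pattern, addr):
    """Match one client pattern against an ip_address object."""
    if pattern == "ALL":
        return True
    pattern = pattern.replace("[", "").replace("]", "")  # [2001:...]/48 form
    try:
        return addr in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False  # hostname or wildcard patterns: not handled here


def rule_matches(text, daemon, addr):
    """True if any line in `text` covers both the daemon and the address."""
    return any(
        (daemon in daemons or "ALL" in daemons)
        and any(client_matches(p, addr) for p in clients)
        for daemons, clients in parse_rules(text)
    )


def sshd_allowed(client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """libwrap order: hosts.allow match wins, then hosts.deny, else allowed."""
    addr = ipaddress.ip_address(client_ip)
    if rule_matches(allow, "sshd", addr):
        return True
    if rule_matches(deny, "sshd", addr):
        return False
    return True
```

With the page's rules, only the internal IPv4 subnet and the IPv6 /48 reach sshd; everything else, including the VM's own public IPv4 address, falls through to `sshd: ALL` in hosts.deny.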