131 lines
4.3 KiB
Markdown
131 lines
4.3 KiB
Markdown
## Machine virtuelle GIT
|
|
|
|
Cette machine est destinée à accueillir la forge logicielle de l'association, qui permet à différents projets de bénéficier d'un outil de travail supportant des fonctions avancées (comme la CI et les hooks avancés), mais également à l'association de publier différents documents nécessaire à son activité.
|
|
|
|
### Matériel virtuel
|
|
|
|
CPU : 2
|
|
RAM : 4096 Mio
|
|
Stockage de masse : 50 Gio
|
|
|
|
### Logiciel
|
|
|
|
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
|
|
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
|
|
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
|
|
Forge logicielle : `gitlab-ce`
|
|
Mail Transfer Agent : `postfix`
|
|
|
|
### Caractéristiques notables
|
|
|
|
Domaine : git.a-lec.org
|
|
Adresse ipv4 publique : 80.67.179.96
|
|
Adresse ipv4 interne : 192.169.1.131
|
|
Adresse ipv6 publique : 2001:910:1360::42
|
|
|
|
#### Configuration réseau
|
|
|
|
##### /etc/network/interfaces
|
|
<details>
|
|
|
|
# The primary network interface
|
|
allow-hotplug enp1s0
|
|
iface enp1s0 inet dhcp
|
|
iface enp1s0 inet6 static
|
|
address 2001:910:1360::42/128
|
|
gateway 2001:910:1360::
|
|
|
|
</details>
|
|
|
|
##### /etc/host.allow
|
|
|
|
sshd: 192.169.1.0/24, [2001:910:1360::]/48
|
|
|
|
##### /etc/host/deny
|
|
|
|
sshd: ALL
|
|
|
|
### Configuration MTA
|
|
|
|
#### /etc/postfix/transport
|
|
|
|
a-lec.org :
|
|
* discard:
|
|
|
|
#### /etc/postfix/virtual
|
|
|
|
@localhost admin@a-lec.org
|
|
@git.a-lec.org admin@a-lec.org
|
|
|
|
### Configuration serveur web (nginx)
|
|
<details>
|
|
|
|
# GITLAB
|
|
|
|
upstream gitlab-workhorse {
|
|
# On GitLab versions before 13.5, the location is
|
|
# `/var/opt/gitlab/gitlab-workhorse/socket`. Change the following line
|
|
# accordingly.
|
|
server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
|
|
}
|
|
|
|
## Redirects all HTTP traffic to the HTTPS host
|
|
server {
|
|
## Either remove "default_server" from the listen line below,
|
|
## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
|
|
## to be served if you visit any address that your server responds to, eg.
|
|
## the ip address of the server (http://x.x.x.x/)
|
|
listen 0.0.0.0:80;
|
|
listen [::]:80 ipv6only=on default_server;
|
|
server_name git.a-lec.org; ## Replace this with something like gitlab.example.com
|
|
server_tokens off; ## Don't show the nginx version number, a security best practice
|
|
return 302 https://git.a-lec.org$request_uri;
|
|
access_log /var/log/nginx/gitlab_access.log;
|
|
error_log /var/log/nginx/gitlab_error.log;
|
|
}
|
|
|
|
## HTTPS host
|
|
server {
|
|
set_real_ip_from 192.169.1.1;
|
|
real_ip_header proxy_protocol;
|
|
listen 0.0.0.0:443 ssl proxy_protocol;
|
|
listen [::]:443 ipv6only=on ssl default_server;
|
|
server_name git.a-lec.org; ## Replace this with something like gitlab.example.com
|
|
server_tokens off; ## Don't show the nginx version number, a security best practice
|
|
root /opt/gitlab/embedded/service/gitlab-rails/public;
|
|
|
|
ssl_certificate /etc/letsencrypt/live/git.a-lec.org/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/git.a-lec.org/privkey.pem;
|
|
|
|
## [Optional] Enable HTTP Strict Transport Security
|
|
## HSTS is a feature improving protection against MITM attacks
|
|
## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
|
|
|
|
## Individual nginx logs for this GitLab vhost
|
|
access_log /var/log/nginx/gitlab_access.log;
|
|
error_log /var/log/nginx/gitlab_error.log;
|
|
|
|
location / {
|
|
client_max_body_size 0;
|
|
gzip off;
|
|
|
|
## https://github.com/gitlabhq/gitlabhq/issues/694
|
|
## Some requests take more than 30 seconds.
|
|
proxy_read_timeout 300;
|
|
proxy_connect_timeout 300;
|
|
proxy_redirect off;
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-Ssl on;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_pass http://gitlab-workhorse;
|
|
}
|
|
}
|
|
|
|
</details>
|