documentation/Machines virtuelles/git.md

131 lines
4.3 KiB
Markdown

## Machine virtuelle GIT
Cette machine est destinée à accueillir la forge logicielle de l'association, qui permet à différents projets de bénéficier d'un outil de travail supportant des fonctions avancées (comme la CI et les hooks avancés), mais également à l'association de publier différents documents nécessaire à son activité.
### Matériel virtuel
CPU : 2
RAM : 4096 Mio
Stockage de masse : 50 Gio
### Logiciel
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
Forge logicielle : `gitlab-ce`
Mail Transfer Agent : `postfix`
### Caractéristiques notables
Domaine : git.a-lec.org
Adresse ipv4 publique : 80.67.179.96
Adresse ipv4 interne : 192.169.1.131
Adresse ipv6 publique : 2001:910:1360::42
#### Configuration réseau
##### /etc/network/interfaces
<details>
# The primary network interface
allow-hotplug enp1s0
iface enp1s0 inet dhcp
iface enp1s0 inet6 static
address 2001:910:1360::42/128
gateway 2001:910:1360::
</details>
##### /etc/host.allow
sshd: 192.169.1.0/24, [2001:910:1360::]/48
##### /etc/host/deny
sshd: ALL
### Configuration MTA
#### /etc/postfix/transport
a-lec.org :
* discard:
#### /etc/postfix/virtual
@localhost admin@a-lec.org
@git.a-lec.org admin@a-lec.org
### Configuration serveur web (nginx)
<details>
# GITLAB
upstream gitlab-workhorse {
# On GitLab versions before 13.5, the location is
# `/var/opt/gitlab/gitlab-workhorse/socket`. Change the following line
# accordingly.
server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
}
## Redirects all HTTP traffic to the HTTPS host
server {
## Either remove "default_server" from the listen line below,
## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
## to be served if you visit any address that your server responds to, eg.
## the ip address of the server (http://x.x.x.x/)
listen 0.0.0.0:80;
listen [::]:80 ipv6only=on default_server;
server_name git.a-lec.org; ## Replace this with something like gitlab.example.com
server_tokens off; ## Don't show the nginx version number, a security best practice
return 302 https://git.a-lec.org$request_uri;
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
}
## HTTPS host
server {
set_real_ip_from 192.169.1.1;
real_ip_header proxy_protocol;
listen 0.0.0.0:443 ssl proxy_protocol;
listen [::]:443 ipv6only=on ssl default_server;
server_name git.a-lec.org; ## Replace this with something like gitlab.example.com
server_tokens off; ## Don't show the nginx version number, a security best practice
root /opt/gitlab/embedded/service/gitlab-rails/public;
ssl_certificate /etc/letsencrypt/live/git.a-lec.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/git.a-lec.org/privkey.pem;
## [Optional] Enable HTTP Strict Transport Security
## HSTS is a feature improving protection against MITM attacks
## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
## Individual nginx logs for this GitLab vhost
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
location / {
client_max_body_size 0;
gzip off;
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://gitlab-workhorse;
}
}
</details>