Why Gitlab

There are plenty of great options for hosting your projects and sharing your code. You can go set up a Github account right now for free. So, why would you want to go through the trouble of setting up Gitlab yourself?

There are a couple of good arguments for it, actually, not the least of which is privacy. Gitlab is yours. You host it, and you own it. So, you can control who has access to your repositories. That also means that you have control over the platform itself. You’re not subject to corporate policies, arbitrary changes in pricing, or data collection.

Self-hosted version control also means that you’re not dependent on a service to access your code. Sure, the chances of Github or another like service being entirely unavailable due to an outage are slim, but wouldn’t you rather that not be a possibility at all?

Gitlab is also very easy to set up, and only requires that you have a Linux server running the open source Gitlab software, most of which comes pre-configured and ready to run.

Setup

Before you get started, you’ll need to get a VPS set up to host Gitlab, unless you plan on hosting it locally. Hosting companies like DigitalOcean and Linode offer cost-effective options that can get your server up and running.

It’s also a good idea to buy a domain name for your server. Or, you can point a subdomain of an existing domain name at your Gitlab server. Either way will make accessing the web interface easier.

This guide is going to follow Ubuntu 16.04 LTS. It’s the latest long term support release of Ubuntu, and it’s very easy to work with. Debian Stretch (Stable) would also be a great option, and most of this guide will work with it as well. Both DigitalOcean and Linode will set up your server with the OS of your choosing, so there’s no need to install Ubuntu.

Install Dependencies

When you first boot up Ubuntu, it’s a good idea to update the system so that any available security fixes get installed. Go ahead and do that first.

$ sudo apt update
$ sudo apt upgrade

After the update is finished running, there are a couple of things that you’ll need to install for Gitlab to get started. Use apt to install those too.

$ sudo apt install curl openssh-server ca-certificates postfix

That’s it. You’re ready to run the Gitlab installer script.

Install Gitlab

Gitlab maintains its own Debian/Ubuntu repository. To enable the repository on your server, download and run the convenient install script provided by the Gitlab team.

$ curl -sS https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | sudo bash

That might look like a lot, but it just downloads the script and tells the command line shell to run it. The script will take a few seconds to run through and set up the repository. Once it does, you’ll be ready to install the Gitlab package.

$ sudo apt install gitlab-ce

That installation will take a few minutes. Gitlab comes in one big package called the “Omnibus package.” It comes with everything that Gitlab needs all bundled together.

Run the Setup

There’s a setup script that you need to run for Gitlab to get configured. It came in the package you just installed, so you can run that now.

$ sudo gitlab-ctl reconfigure

The script will take a few minutes to run through everything. It’s mostly setting up the database backend for Gitlab. You’ll see a lot of Ruby on Rails migrations running by the screen. It may take a while, but when it’s done, Gitlab will be ready to use.

Initial Setup

Open up your web browser and navigate to your Gitlab server. You’ll be greeted by a page that asks you to set up an administrative password. This is obviously the password for your admin account. By default, that account name is “root.”

After that account is set up, you can either log in with it or register a regular user account, and sign in. Either way, once you sign in, you’ll have access to the entire Gitlab dashboard for creating and managing repositories.

Set Up SSH

You don’t want to have to push changes to your projects using passwords. It’s a pain, and it’s not very secure. The best thing that you can do is create an SSH key to log in automatically from any computer with the key installed.

SSH keys are very easy to create on Linux and Mac. On Windows 10, the process should be the same through the available OpenSSH app.

Open a terminal, and run the following command to create your key. You can leave off the -C '[email protected]' part if you want to just use the login info of your computer. Otherwise, an email address is usually the right call.

$ ssh-keygen -b 4096 -t rsa -C '[email protected]'

The process will walk you through a couple of steps. The defaults are mostly good, and everything is fairly self-explanatory. If you choose to associate a password with your key, you will need that password every time you log in or push a change. You can leave the password blank to not use one.

To view your key, run the command below. It’s going to look like a bunch of nonsense, and essentially it is, but that’s your key. You’ll need to copy it out of the terminal and paste it in Gitlab.

$ cat ~/.ssh/id_rsa.pub

Back over on Gitlab, click on the profile icon in the top right of the screen. Then click “Settings” on the resulting menu. In the menu on the left of the page, click “SSH Keys.”

Copy the key from your terminal. Start after “ssh-rsa” and stop before your email address. So, just copy the nonsense part. Paste it in the large box labeled, “Key.” Name your key, and save it. From that point on, you’ll be able to push your code to your repositories without signing in.

For Regular SSH

You already have an SSH key. You may as well use it for SSH. OpenSSH has a built-in utility to push the key to your server.

$ ssh-copy-id -i ~/.ssh/id_rsa.pub server_username@SERVER_IP

Replace server_username and SERVER_IP with your username on the server and the server’s IP address.

Try logging back into your server using the new key.

$ ssh server_username@SERVER_IP

You should connect immediately without the need to enter a password.

It’s better to lock down the rest of SSH too. It’s probably one of the weakest points in a public-facing server. Open /etc/ssh/sshd_config in the text editor of your choosing on the server.

There are a couple of things that you need to change. First, find PermitRootLogin and set it to no.

PermitRootLogin no

Next, find PasswordAuthentication, uncomment it, and set it to no.

PasswordAuthentication no

Then, make sure that the following two lines are set to no. They should be by default on Ubuntu, but it’s better to check.

PermitEmptyPasswords no
HostbasedAuthentication no

Finally, find UsePAM at the bottom of the configuration and set it to no too.

UsePAM no

Save and exit your configuration. Then, restart the SSH service.

$ sudo systemctl restart sshd
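
A way to double-check the five settings above, as an added example that is not part of the original guide: the script reads an sshd_config and reports any of those directives that is missing or not set to no. The function names and the sample config are constructed for illustration, and only the global section (everything before the first Match block) is inspected.

```sh
#!/bin/sh
# Added example, not from the original guide: audit the global section of an
# sshd_config for the five directives the guide sets to "no".

# Constructed sample config (not taken from a real host).
sample_config() {
    cat <<'EOF'
PermitRootLogin no
#PasswordAuthentication yes
PermitEmptyPasswords no
HostbasedAuthentication no
UsePAM yes
usepam no
Match User git
    PasswordAuthentication no
EOF
}

# audit_sshd_config FILE   (use "-" to read standard input)
# Prints one line per directive that is missing or not "no".
# Returns 0 when all five are explicitly "no", 1 otherwise.
audit_sshd_config() {
    directives="permitrootlogin passwordauthentication permitemptypasswords"
    directives="$directives hostbasedauthentication usepam"
    awk -v list="$directives" '
    BEGIN { n = split(list, want, " ") }
    /^[ \t]*(#|$)/ { next }          # commented-out directives are not set
    {
        sub(/^[ \t]+/, "")
        split($0, f, /[ \t=]+/)      # "Keyword value" or "Keyword=value"
        key = tolower(f[1])          # keywords are case-insensitive
        if (key == "match") exit     # audit the global section only
        # sshd keeps the first value it reads for a keyword; ignore repeats
        if (!(key in seen)) seen[key] = tolower(f[2])
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            k = want[i]
            if (!(k in seen)) { print k ": not set (default applies)"; bad = 1 }
            else if (seen[k] != "no") { print k ": " seen[k]; bad = 1 }
        }
        exit bad
    }' "$1"
}

# Demo on the constructed sample.
sample_config | audit_sshd_config - || echo "review sshd_config before restarting sshd"
```

On the server itself, sudo sshd -t checks the file for syntax errors before you restart the service, and sudo sshd -T prints the settings sshd will actually use. Keep your current SSH session open until a second login with the key has succeeded.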

Configure UFW

The last security measure that you probably want to take is installing and setting up a firewall. Ubuntu works very well with the aptly named Uncomplicated Firewall (UFW). It’s just a wrapper around the iptables kernel firewall, but it does make working with the firewall much easier. Go ahead and install it.

$ sudo apt install ufw

Once you have ufw installed, begin by setting the default rules to deny everything.

$ sudo ufw default deny incoming
$ sudo ufw default deny outgoing
$ sudo ufw default deny routed

Next set up your rules to allow the basic services, including Git. The comments are just there for information. Don’t try to run them.

# SSH
$ sudo ufw allow in ssh
$ sudo ufw allow out ssh

# HTTP and HTTPS for Web
$ sudo ufw allow in http
$ sudo ufw allow out http
$ sudo ufw allow in https
$ sudo ufw allow out https

# NTP for keeping the time correct
$ sudo ufw allow in ntp
$ sudo ufw allow out ntp

# Port 53 for DNS domain resolution
$ sudo ufw allow in 53
$ sudo ufw allow out 53

# You probably won't need this
# If your server uses DHCP, unblock 67
$ sudo ufw allow in 67
$ sudo ufw allow out 67

# Finally, Git
$ sudo ufw allow in 9418
$ sudo ufw allow out 9418

Make sure that everything is good, and enable the firewall.

$ sudo ufw enable

You can check the status of your firewall with the following:

$ sudo ufw status

That’s it! Your Gitlab server is behind a firewall.
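
To compare what the firewall reports with the rules set up above, here is an added example that is not part of the original guide. It reads the output of sudo ufw status verbose and flags a default policy other than deny, or an inbound port outside the guide's list (22, 80, 443, 123, 53, 67, 9418). The function names and the sample output are constructed for illustration, and only inbound rules are checked.

```sh
#!/bin/sh
# Added example, not from the original guide: compare `ufw status verbose`
# output with the inbound allow-list the guide builds.

# Constructed sample in the layout of `ufw status verbose`.
sample_status() {
    cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
9418                       ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
EOF
}

# audit_ufw_status: reads status text on stdin and prints findings.
# Returns 0 when nothing deviates from the guide, 1 otherwise.
audit_ufw_status() {
    awk -v allowed="22 80 443 123 53 67 9418" '
    BEGIN { bad = 0; n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "Status:" && $2 == "active" { active = 1 }
    $1 == "Default:" {
        # Fields come in pairs: policy, then "(direction)".
        for (i = 2; i < NF; i += 2) {
            dir = $(i + 1); gsub(/[(),]/, "", dir)
            # routed is skipped: it only matters when the host forwards packets
            if (dir != "routed" && $i != "deny") { print "default " dir ": " $i; bad = 1 }
        }
    }
    / ALLOW IN / {
        port = $1; sub(/\/.*/, "", port)      # "22/tcp" -> "22"
        if (!(port in ok)) { print "unexpected inbound port: " $1; bad = 1 }
    }
    END {
        if (!active) { print "firewall is not active"; bad = 1 }
        exit bad
    }'
}

# Demo on the constructed sample.
sample_status | audit_ufw_status || echo "ruleset differs from the guide"
```

On the server, pipe the real output into the function: sudo ufw status verbose | audit_ufw_status.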

Closing Thoughts

By now, you have a working Gitlab server. You can start setting up user accounts and projects through the Gitlab interface. Gitlab is now a regular Ubuntu package, so it will update regularly with apt as you keep your system updated.

Gitlab will provide you all of the flexibility that you’ll need to manage your own projects and larger projects that you may be working with a team on. It’s a fully capable and robust platform which more and more teams are beginning to rely on.