Post install steps with Gitlab

It happens that I recently had to install Gitlab and was a bit lost about what to do right after the setup finished; perhaps this will help.

By default, Gitlab stores its data files in /var/opt/gitlab and its backups in /var/opt/gitlab/backups. It is a good idea to use a dedicated partition for each of those directories, so that neither repositories nor backups can fill the root filesystem.
Let’s say you use /dev/sdb1 for Gitlab data and /dev/sdc1 for the backups.

gitlab-ctl stop                                   # nothing must write to the data directory while it is copied
mkdir /mnt/gitlab
mount /dev/sdb1 /mnt/gitlab
mkdir /mnt/gitlab/backups
mount /dev/sdc1 /mnt/gitlab/backups
tar -C /var/opt -cf - gitlab | tar -C /mnt -xpsf -   # run as root: -p keeps modes, root keeps the git owners
umount /mnt/gitlab/backups
umount /mnt/gitlab
mv /var/opt/gitlab /var/opt/gitlab.old            # keep the old tree until the new mounts are verified
mkdir /var/opt/gitlab
mount /dev/sdb1 /var/opt/gitlab
mount /dev/sdc1 /var/opt/gitlab/backups
gitlab-ctl start

Do not forget to add both mounts to /etc/fstab, otherwise they are gone after the next reboot.
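The same migration as a script, added here as an example and not part of the original post. It assumes the devices from above (/dev/sdb1 for data, /dev/sdc1 for backups, both already formatted; ext4 is an assumption), checks that the copy is complete before the old directory is moved aside, and appends the matching /etc/fstab lines. The MIGRATE=1 guard is an addition so the helpers can be sourced and checked without running the migration.

```shell
#!/bin/sh
# Added example (not from the original post): move GitLab data and backups onto
# dedicated partitions and persist the mounts in /etc/fstab.
# Assumptions: /dev/sdb1 holds the data, /dev/sdc1 the backups, both already
# formatted (ext4 assumed); run as root on the GitLab host.
set -eu

DATA_DEV="${DATA_DEV:-/dev/sdb1}"
BACKUP_DEV="${BACKUP_DEV:-/dev/sdc1}"
FSTYPE="${FSTYPE:-ext4}"
DATA_DIR="/var/opt/gitlab"
BACKUP_DIR="/var/opt/gitlab/backups"

# Build one /etc/fstab line (no side effects, so it can be checked before
# anything touches the real fstab). Pass 2 means fsck after the root fs.
fstab_entry() {
    # $1 device, $2 mount point, $3 filesystem type
    printf '%s %s %s defaults 0 2\n' "$1" "$2" "$3"
}

# Compare the relative path lists of two trees. lost+found directories are
# skipped because every fresh ext4 partition has one and the source does not.
same_tree() {
    # $1 source, $2 destination; returns 0 when both contain the same paths
    src=$(cd "$1" && find . -name lost+found -prune -o -print | sort)
    dst=$(cd "$2" && find . -name lost+found -prune -o -print | sort)
    [ "$src" = "$dst" ]
}

migrate() {
    gitlab-ctl stop
    mkdir -p /mnt/gitlab
    mount "$DATA_DEV" /mnt/gitlab
    mkdir -p /mnt/gitlab/backups
    mount "$BACKUP_DEV" /mnt/gitlab/backups
    # -p keeps modes; running as root also keeps the git/gitlab-psql owners
    tar -C /var/opt -cf - gitlab | tar -C /mnt -xpf -
    # Refuse to switch over unless the copy really is complete
    same_tree /var/opt/gitlab /mnt/gitlab || {
        echo "copy mismatch, leaving /var/opt/gitlab in place" >&2
        exit 1
    }
    umount /mnt/gitlab/backups
    umount /mnt/gitlab
    mv "$DATA_DIR" "$DATA_DIR.old"
    mkdir "$DATA_DIR"
    mount "$DATA_DEV" "$DATA_DIR"
    mount "$BACKUP_DEV" "$BACKUP_DIR"
    # Data partition first: the backups mount point lives inside it
    {
        fstab_entry "$DATA_DEV" "$DATA_DIR" "$FSTYPE"
        fstab_entry "$BACKUP_DEV" "$BACKUP_DIR" "$FSTYPE"
    } >> /etc/fstab
    gitlab-ctl start
}

# Run only when explicitly asked, so the helpers can be sourced and tested
if [ "${MIGRATE:-0}" = "1" ]; then
    migrate
fi
```

Run it as root with MIGRATE=1; once Gitlab is back and a test push works, /var/opt/gitlab.old can be removed.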

Configure your timezone: docs.gitlab.com/ee/administration/timezone.html
Note: not all the usual timezones are available.

Trust your local Certificate Authority: docs.gitlab.com/omnibus/settings/ssl.html#install-custom-public-certificates

Configure Gitlab to use a proxy: docs.gitlab.com/omnibus/settings/environment-variables.html
Pay attention if you need to clone git repositories or pull container images through the proxy: those require additional settings.

Manually configure HTTPS: docs.gitlab.com/omnibus/settings/nginx.html#manually-configuring-https
Do not forget to disable Let’s Encrypt, then copy the certificate and key files with the names Gitlab expects.

Use external auth: docs.gitlab.com/ce/integration/omniauth.html#initial-omniauth-configuration
I used OpenID Connect against Keycloak: docs.gitlab.com/ce/administration/auth/oidc.html

Enable single sign-out: gitlab.com/gitlab-org/gitlab/-/issues/31203
Under Admin > Settings > General > Sign-in restrictions, set After sign-out path to:
https://your.domain/auth/realms/your_realm/protocol/openid-connect/logout?redirect_uri=https://gitlab.your.domain

Disable password authentication for Git over HTTPS. External authentication is not available for accessing git repositories over HTTPS, so Gitlab will prompt your users to set a password. We do not want that. Under Admin > Settings > Sign-in restrictions, uncheck “Password authentication enabled for Git over HTTP(S)”.

Enable container registry: docs.gitlab.com/ce/administration/packages/container_registry.html
If you want to separate registry storage from the rest of Gitlab data, repeat the steps at the top of this post for /var/opt/gitlab/registry.
Open the firewall (the default config uses 5050/tcp).

Disable sign-up. Since we have user federation, we do not want users to create extra accounts without our approval.
You will find the setting under Admin > Settings > General > Sign-up restrictions.

Prevent users from changing their username, and prevent users from creating top-level groups:
docs.gitlab.com/ee/administration/user_settings.html

Disable annoying settings:
– third party offers, under Admin > Settings > General > Third party offers
– usage ping, under Admin > Settings > Metrics and Profiling > Usage Statistics
– marketing in emails, under Admin > Settings > Preferences > Email
– marketing in help pages, under Admin > Settings > Preferences > Help page

Change default initial branch name to master because we are old school, under Admin > Settings > Repository > Default initial branch name.

Enable access to Grafana metrics, under Admin > Settings > Metrics and profiling > Metrics – Grafana.
If you have configured HTTPS, also change the Grafana callback URL under Admin > Applications.

Enable outbound requests to local network, under Admin > Settings > Network > Outbound requests
Either allow access to some resources by filling the text box, or allow access to all resources by checking “Allow requests to the local network from web hooks and services”.

Configure a daily backup. Edit root’s crontab:

0 2 * * * /opt/gitlab/bin/gitlab-backup create CRON=1
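A wrapper for that cron entry, added here as an example and not part of the original post. gitlab-backup create does not save /etc/gitlab, and the gitlab-secrets.json in there is needed to read the encrypted columns of a restored database (CI variables, two-factor secrets, integration credentials), so the wrapper archives /etc/gitlab next to the application backup with owner-only permissions and prunes old copies. The backup directory, the retention of 7 days and the script path are assumptions; retention of the application backups themselves is set separately with gitlab_rails['backup_keep_time'] in gitlab.rb.

```shell
#!/bin/sh
# Added example (not from the original post): wrapper for the nightly cron job.
# gitlab-backup does not save /etc/gitlab, and gitlab-secrets.json in there is
# needed to read the encrypted columns of a restored database, so archive it
# alongside the application backup. Directory and retention are assumptions.
set -eu

BACKUP_DIR="${BACKUP_DIR:-/var/opt/gitlab/backups}"
KEEP_DAYS="${KEEP_DAYS:-7}"

# Name of the config archive for directory $1 and date $2 (YYYY-MM-DD),
# kept pure so it can be checked without touching the filesystem
config_archive_name() {
    printf '%s/etc-gitlab-%s.tar.gz\n' "$1" "$2"
}

# Delete config archives in directory $1 that are older than $2 days
prune_old() {
    find "$1" -maxdepth 1 -type f -name 'etc-gitlab-*.tar.gz' -mtime +"$2" -delete
}

run_backup() {
    /opt/gitlab/bin/gitlab-backup create CRON=1
    archive=$(config_archive_name "$BACKUP_DIR" "$(date +%F)")
    # umask 077 first: the secrets file must never be group- or world-readable
    umask 077
    tar -C /etc -czf "$archive" gitlab
    prune_old "$BACKUP_DIR" "$KEEP_DAYS"
}

# Run only when explicitly asked, so the helpers can be sourced and tested
if [ "${RUN:-0}" = "1" ]; then
    run_backup
fi
```

Save it as, for instance, /usr/local/sbin/gitlab-nightly-backup.sh (path is an assumption) and replace the cron line with `0 2 * * * RUN=1 /usr/local/sbin/gitlab-nightly-backup.sh`; the config archive then sits beside the application backup on the backups partition, where an off-host copy job can pick both up.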

Set first day of week to Monday under Admin > Settings > Preferences > Localization
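Most of the toggles above (sign-up, Git-over-HTTPS passwords, the sign-out path, usage ping, third party offers, marketing e-mails and help pages, the default branch, Grafana, outbound requests to the local network, first day of the week) are also exposed through the application settings API, which is handy when several instances must end up identical. The script below is an added example and not part of the original post. It assumes GITLAB_URL and an admin personal access token with the api scope in GITLAB_TOKEN, and reuses the Keycloak logout URL from the single sign-out step with its placeholder domains. Attribute names are those of PUT /api/v4/application/settings; the third party offers and marketing e-mail switches exist only in some GitLab versions, so check the API documentation for yours.

```shell
#!/bin/sh
# Added example (not from the original post): apply the post's Admin > Settings
# toggles through GitLab's application settings API.
# Assumptions: GITLAB_URL (e.g. https://gitlab.your.domain) and GITLAB_TOKEN
# (an admin personal access token with the api scope) are set in the
# environment; attribute names are those of PUT /api/v4/application/settings.
set -eu

# Same URL as in the single sign-out step; both domains are placeholders
KEYCLOAK_LOGOUT="${KEYCLOAK_LOGOUT:-https://your.domain/auth/realms/your_realm/protocol/openid-connect/logout?redirect_uri=https://gitlab.your.domain}"

# One key=value per line. With password authentication for git switched off,
# users authenticate git over HTTPS with a personal access token or use SSH.
settings_list() {
    cat <<EOF
signup_enabled=false
password_authentication_enabled_for_git=false
after_sign_out_path=$KEYCLOAK_LOGOUT
usage_ping_enabled=false
hide_third_party_offers=true
in_product_marketing_emails_enabled=false
help_page_hide_commercial_content=true
default_branch_name=master
grafana_enabled=true
allow_local_requests_from_web_hooks_and_services=true
first_day_of_week=1
EOF
}

# Number of settings that will be sent (sanity check before the request)
settings_count() {
    settings_list | grep -c .
}

# Emit a --data-urlencode argument pair per setting, so a value that carries
# its own query string (the logout URL) is encoded instead of pasted raw.
curl_args() {
    settings_list | while IFS= read -r kv; do
        printf -- '--data-urlencode\n%s\n' "$kv"
    done
}

apply_settings() {
    # xargs turns the generated argument list into a single PUT request
    curl_args | xargs -d '\n' curl --fail --silent --show-error -X PUT \
        --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
        "$GITLAB_URL/api/v4/application/settings"
}

# Run only when explicitly asked, so the helpers can be sourced and tested
if [ "${APPLY:-0}" = "1" ]; then
    apply_settings
fi
```

The two user restrictions from the user_settings page (username changes and top-level group creation) are not application settings but gitlab.rb keys, `gitlab_rails['gitlab_username_changing_enabled'] = false` and `gitlab_rails['gitlab_default_can_create_group'] = false`, followed by `gitlab-ctl reconfigure`; the Git-over-HTTPS setting means your users need an SSH key or a personal access token to push, which is worth telling them before you flip it.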

I will add more as I discover additional things …
