Add GitLab Pages

mihai-satmarean · Mar 18, 2017 · cd635cd · cd635cd
1 parent dafe6d1
commit cd635cd
Show file tree

Hide file tree

Showing 8 changed files with 263 additions and 0 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -6,6 +6,7 @@ ENV GITLAB_VERSION=8.17.0 \
     GOLANG_VERSION=1.6.3 \
     GITLAB_SHELL_VERSION=4.1.1 \
     GITLAB_WORKHORSE_VERSION=1.3.0 \
+    GITLAB_PAGES_VERSION=0.3.2 \
     GITLAB_USER="git" \
     GITLAB_HOME="/home/git" \
     GITLAB_LOG_DIR="/var/log/gitlab" \
@@ -15,6 +16,7 @@ ENV GITLAB_VERSION=8.17.0 \
 ENV GITLAB_INSTALL_DIR="${GITLAB_HOME}/gitlab" \
     GITLAB_SHELL_INSTALL_DIR="${GITLAB_HOME}/gitlab-shell" \
     GITLAB_WORKHORSE_INSTALL_DIR="${GITLAB_HOME}/gitlab-workhorse" \
+    GITLAB_PAGES_INSTALL_DIR="${GITLAB_HOME}/gitlab-pages" \
     GITLAB_DATA_DIR="${GITLAB_HOME}/data" \
     GITLAB_BUILD_DIR="${GITLAB_CACHE_DIR}/build" \
     GITLAB_RUNTIME_DIR="${GITLAB_CACHE_DIR}/runtime"

diff --git a/assets/build/install.sh b/assets/build/install.sh
@@ -4,6 +4,7 @@ set -e
 GITLAB_CLONE_URL=https://gitlab.com/gitlab-org/gitlab-ce.git
 GITLAB_SHELL_URL=https://gitlab.com/gitlab-org/gitlab-shell/repository/archive.tar.gz
 GITLAB_WORKHORSE_URL=https://gitlab.com/gitlab-org/gitlab-workhorse/repository/archive.tar.gz
+GITLAB_PAGES_URL=https://gitlab.com/gitlab-org/gitlab-pages/repository/archive.tar.gz
 
 GEM_CACHE_DIR="${GITLAB_BUILD_DIR}/cache"
 
@@ -60,20 +61,40 @@ exec_as_git ./bin/install
 # remove unused repositories directory created by gitlab-shell install
 exec_as_git rm -rf ${GITLAB_HOME}/repositories
 
+# download gitlab-workhose
 echo "Downloading gitlab-workhorse v.${GITLAB_WORKHORSE_VERSION}..."
 mkdir -p ${GITLAB_WORKHORSE_INSTALL_DIR}
 wget -cq ${GITLAB_WORKHORSE_URL}?ref=v${GITLAB_WORKHORSE_VERSION} -O ${GITLAB_BUILD_DIR}/gitlab-workhorse-${GITLAB_WORKHORSE_VERSION}.tar.gz
 tar xf ${GITLAB_BUILD_DIR}/gitlab-workhorse-${GITLAB_WORKHORSE_VERSION}.tar.gz --strip 1 -C ${GITLAB_WORKHORSE_INSTALL_DIR}
 rm -rf ${GITLAB_BUILD_DIR}/gitlab-workhorse-${GITLAB_WORKHORSE_VERSION}.tar.gz
 chown -R ${GITLAB_USER}: ${GITLAB_WORKHORSE_INSTALL_DIR}
 
+#download golang
 echo "Downloading Go ${GOLANG_VERSION}..."
 wget -cnv https://storage.googleapis.com/golang/go${GOLANG_VERSION}.linux-amd64.tar.gz -P ${GITLAB_BUILD_DIR}/
 tar -xf ${GITLAB_BUILD_DIR}/go${GOLANG_VERSION}.linux-amd64.tar.gz -C /tmp/
 
+#install gitlab-workhorse
 cd ${GITLAB_WORKHORSE_INSTALL_DIR}
 PATH=/tmp/go/bin:$PATH GOROOT=/tmp/go make install
 
+#download pages
+echo "Downloading gitlab-pages v.${GITLAB_PAGES_VERSION}..."
+mkdir -p ${GITLAB_PAGES_INSTALL_DIR}
+wget -cq ${GITLAB_PAGES_URL}?ref=v${GITLAB_PAGES_VERSION} -O ${GITLAB_BUILD_DIR}/gitlab-pages-${GITLAB_PAGES_VERSION}.tar.gz
+tar xf ${GITLAB_BUILD_DIR}/gitlab-pages-${GITLAB_PAGES_VERSION}.tar.gz --strip 1 -C ${GITLAB_PAGES_INSTALL_DIR}
+rm -rf ${GITLAB_BUILD_DIR}/gitlab-pages-${GITLAB_PAGES_VERSION}.tar.gz
+chown -R ${GITLAB_USER}: ${GITLAB_PAGES_INSTALL_DIR}
+
+#install gitlab-pages
+cd ${GITLAB_PAGES_INSTALL_DIR}
+GODIR=/tmp/go/src/gitlab.com/gitlab-org/gitlab-pages
+mkdir -p "$(dirname "$GODIR")"
+ln -sfv "$(pwd -P)" "$GODIR"
+cd "$GODIR"
+PATH=/tmp/go/bin:$PATH GOROOT=/tmp/go make gitlab-pages
+mv gitlab-pages /usr/local/bin/
+
 # remove go
 rm -rf ${GITLAB_BUILD_DIR}/go${GOLANG_VERSION}.linux-amd64.tar.gz /tmp/go
 

diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
@@ -155,6 +155,21 @@ production: &base
     # The location where LFS objects are stored (default: shared/lfs-objects).
     storage_path: {{GITLAB_LFS_OBJECTS_DIR}}
 
+  ## GitLab Pages
+  pages:
+    enabled: {{GITLAB_PAGES_ENABLED}}
+    # The location where pages are stored (default: shared/pages).
+    # path: shared/pages
+    # The domain under which the pages are served:
+    # http://group.example.com/project
+    # or project path can be a group page: group.example.com
+    host: {{GITLAB_PAGES_DOMAIN}}
+    port: {{GITLAB_PAGES_PORT}} # Set to 443 if you serve the pages with HTTPS
+    https: {{GITLAB_PAGES_HTTPS}} # Set to true if you serve the pages with HTTPS
+    external_http: {{GITLAB_PAGES_EXTERNAL_HTTP}} # If defined, enables custom domain support in GitLab Pages
+    external_https: {{GITLAB_PAGES_EXTERNAL_HTTPS}} # If defined, enables custom domain and certificate support in GitLab Pages
+
+
   ## Mattermost
   ## For enabling Add to Mattermost button
   mattermost:

diff --git a/assets/runtime/config/nginx/gitlab-pages b/assets/runtime/config/nginx/gitlab-pages
@@ -0,0 +1,23 @@
+## GitLab
+##
+## Pages serving host
+server {
+  listen 0.0.0.0:80;
+  listen [::]:80 ipv6only=on;
+  ## Replace this with something like pages.gitlab.com
+  server_name ~^.*{{GITLAB_PAGES_DOMAIN}};
+  ## Individual nginx logs for GitLab pages
+  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_access.log;
+  error_log   {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_error.log;
+  location / {
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   $scheme;
+    # The same address as passed to GitLab Pages: `-listen-proxy`
+    proxy_pass          http://localhost:8090/;
+  }
+  # Define custom error pages
+  error_page 403 /403.html;
+  error_page 404 /404.html;
+}
diff --git a/assets/runtime/config/nginx/gitlab-pages-ssl b/assets/runtime/config/nginx/gitlab-pages-ssl
@@ -0,0 +1,77 @@
+## GitLab
+##
+
+## Redirects all HTTP traffic to the HTTPS host
+server {
+  ## Either remove "default_server" from the listen line below,
+  ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
+  ## to be served if you visit any address that your server responds to, eg.
+  ## the ip address of the server (http://x.x.x.x/)
+  listen 0.0.0.0:80;
+  listen [::]:80 ipv6only=on;
+
+  ## Replace this with something like pages.gitlab.com
+  server_name ~^.*{{GITLAB_PAGES_DOMAIN}};
+  server_tokens off; ## Don't show the nginx version number, a security best practice
+
+  return 301 https://$host:{{GITLAB_PORT}}$request_uri;
+
+  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_access.log;
+  error_log   {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_error.log;
+}
+
+## Pages serving host
+server {
+  listen 0.0.0.0:443 ssl;
+  listen [::]:443 ipv6only=on ssl http2;
+
+  ## Replace this with something like pages.gitlab.com
+  server_name ~^.*{{GITLAB_PAGES_DOMAIN}};
+  server_tokens off; ## Don't show the nginx version number, a security best practice
+
+  ## Strong SSL Security
+  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
+  ssl on;
+  ssl_certificate {{SSL_CERTIFICATE_PATH}};
+  ssl_certificate_key {{SSL_KEY_PATH}};
+
+  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
+  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_prefer_server_ciphers on;
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_timeout 5m;
+
+  ## See app/controllers/application_controller.rb for headers set
+
+  ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
+  ## Replace with your ssl_trusted_certificate. For more info see:
+  ## - https://medium.com/devops-programming/4445f4862461
+  ## - https://www.ruby-forum.com/topic/4419319
+  ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
+  # ssl_stapling on;
+  # ssl_stapling_verify on;
+  # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
+
+  ## [Optional] Generate a stronger DHE parameter:
+  ##   sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
+  ##
+  ssl_dhparam {{SSL_DHPARAM_PATH}};
+
+  ## Individual nginx logs for this GitLab vhost
+  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_access.log;
+  error_log   {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_error.log;
+
+  location / {
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   $scheme;
+    # The same address as passed to GitLab Pages: `-listen-proxy`
+    proxy_pass          http://localhost:8090/;
+  }
+
+  # Define custom error pages
+  error_page 403 /403.html;
+  error_page 404 /404.html;
+}
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
@@ -137,6 +137,9 @@ SSL_CIPHERS=${SSL_CIPHERS:-'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA
 SSL_REGISTRY_KEY_PATH=${SSL_REGISTRY_KEY_PATH:-$GITLAB_DATA_DIR/certs/registry.key}
 SSL_REGISTRY_CERT_PATH=${SSL_REGISTRY_CERT_PATH:-$GITLAB_DATA_DIR/certs/registry.crt}
 
+SSL_PAGES_KEY_PATH=${SSL_REGISTRY_KEY_PATH:-$GITLAB_DATA_DIR/certs/pages.key}
+SSL_PAGES_CERT_PATH=${SSL_REGISTRY_CERT_PATH:-$GITLAB_DATA_DIR/certs/pages.crt}
+
 SSL_CA_CERTIFICATES_PATH=${SSL_CA_CERTIFICATES_PATH:-$CA_CERTIFICATES_PATH} # backward compatibility
 SSL_CA_CERTIFICATES_PATH=${SSL_CA_CERTIFICATES_PATH:-$GITLAB_DATA_DIR/certs/ca.crt}
 
@@ -349,3 +352,13 @@ RACK_ATTACK_WHITELIST=${RACK_ATTACK_WHITELIST:-"127.0.0.1"}
 RACK_ATTACK_MAXRETRY=${RACK_ATTACK_MAXRETRY:-10}
 RACK_ATTACK_FINDTIME=${RACK_ATTACK_FINDTIME:-60}
 RACK_ATTACK_BANTIME=${RACK_ATTACK_BANTIME:-3600}
+
+
+## GitLab Pages
+GITLAB_PAGES_ENABLED=${GITLAB_PAGES_ENABLED:-false}
+GITLAB_PAGES_DOMAIN=${GITLAB_PAGES_DOMAIN:-"example.com"}
+GITLAB_PAGES_DIR="${GITLAB_PAGES_DIR:-$GITLAB_SHARED_DIR/pages}"
+GITLAB_PAGES_PORT=${GITLAB_PAGES_PORT:-80}
+GITLAB_PAGES_HTTPS=${GITLAB_PAGES_HTTPS:-false}
+GITLAB_PAGES_EXTERNAL_HTTP=${GITLAB_PAGES_EXTERNAL_HTTP:-}
+GITLAB_PAGES_EXTERNAL_HTTPS=${GITLAB_PAGES_EXTERNAL_HTTPS:-}
diff --git a/assets/runtime/functions b/assets/runtime/functions
@@ -18,6 +18,7 @@ GITLAB_SHELL_CONFIG="${GITLAB_SHELL_INSTALL_DIR}/config.yml"
 GITLAB_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab"
 GITLAB_CI_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab_ci"
 GITLAB_REGISTRY_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab-registry"
+GITLAB_PAGES_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab-pages"
 
 # Compares two version strings `a` and `b`
 # Returns
@@ -911,6 +912,30 @@ gitlab_configure_registry(){
     GITLAB_REGISTRY_ISSUER
 }
 
+gitlab_configure_pages(){
+  echo "Configuring gitlab::pages..."
+  update_template ${GITLAB_CONFIG} \
+    GITLAB_PAGES_ENABLED \
+    GITLAB_PAGES_DOMAIN \
+    GITLAB_PAGES_PORT \
+    GITLAB_PAGES_HTTPS
+
+  if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTP} ]]; then
+    update_template ${GITLAB_CONFIG} \
+      GITLAB_PAGES_EXTERNAL_HTTP
+  else
+    exec_as_git sed -ie "/{{GITLAB_PAGES_EXTERNAL_HTTP}}/d" ${GITLAB_CONFIG}
+  fi
+
+  if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTPS} ]]; then
+    update_template ${GITLAB_CONFIG} \
+      GITLAB_PAGES_EXTERNAL_HTTPS
+  else
+    exec_as_git sed -ie "/{{GITLAB_PAGES_EXTERNAL_HTTPS}}/d" ${GITLAB_CONFIG}
+  fi
+}
+
+
 nginx_configure_gitlab_ssl() {
   if [[ ${GITLAB_HTTPS} == true && -f ${SSL_CERTIFICATE_PATH} && -f ${SSL_KEY_PATH} && -f ${SSL_DHPARAM_PATH} ]]; then
     echo "Configuring nginx::gitlab::ssl..."
@@ -991,6 +1016,28 @@ nginx_configure_gitlab_registry() {
   fi
 }
 
+nginx_configure_pages(){
+  local GITLAB_PAGES_DOMAIN=$(echo $GITLAB_PAGES_DOMAIN | sed 's/\./\\\\./g')
+
+  if [[ ${GITLAB_PAGES_HTTPS} == true ]]; then
+    echo "Configuring nginx::gitlab-pages..."
+    update_template ${GITLAB_PAGES_NGINX_CONFIG} \
+      GITLAB_PAGES_DOMAIN \
+      GITLAB_PAGES_PORT \
+      GITLAB_LOG_DIR \
+      GITLAB_PAGES_DOMAIN \
+      SSL_PAGES_CERT_PATH \
+      SSL_PAGES_KEY_PATH \
+      SSL_DHPARAM_PATH \
+      GITLAB_LOG_DIR
+  else
+    echo "Configuring nginx::gitlab-pages..."
+    update_template ${GITLAB_PAGES_NGINX_CONFIG} \
+      GITLAB_PAGES_DOMAIN \
+      GITLAB_LOG_DIR 
+  fi
+}
+
 
 #   _|_|_|              _|        _|  _|
 #   _|    _|  _|    _|  _|_|_|    _|        _|_|_|
@@ -1079,6 +1126,11 @@ initialize_datadir() {
   chmod u+rwX ${GITLAB_ARTIFACTS_DIR}
   chown ${GITLAB_USER}: ${GITLAB_ARTIFACTS_DIR}
 
+  # create pages dir
+  mkdir -p ${GITLAB_PAGES_DIR}
+  chmod u+rwX ${GITLAB_PAGES_DIR}
+  chown ${GITLAB_USER}: ${GITLAB_PAGES_DIR}
+
   # symlink ${GITLAB_INSTALL_DIR}/shared -> ${GITLAB_DATA_DIR}/shared
   rm -rf ${GITLAB_INSTALL_DIR}/shared
   ln -sf ${GITLAB_SHARED_DIR} ${GITLAB_INSTALL_DIR}/shared
@@ -1153,6 +1205,9 @@ sanitize_datadir() {
   chmod -R u+rwX ${GITLAB_ARTIFACTS_DIR}
   chown -R ${GITLAB_USER}: ${GITLAB_ARTIFACTS_DIR}
 
+  chmod -R u+rwX ${GITLAB_PAGES_DIR}
+  chown -R ${GITLAB_USER}: ${GITLAB_PAGES_DIR}
+
   chmod -R u+rwX ${GITLAB_LFS_OBJECTS_DIR}
   chown -R ${GITLAB_USER}: ${GITLAB_LFS_OBJECTS_DIR}
 
@@ -1238,6 +1293,22 @@ install_configuration_templates() {
     install_template root: nginx/gitlab ${GITLAB_NGINX_CONFIG}
   fi
 
+
+  ## ${GITLAB_PAGES_NGINX_CONFIG}
+  if [[ ${GITLAB_PAGES_HTTPS} == true ]]; then
+    if [[ -f ${SSL_PAGES_CERT_PATH} && -f ${SSL_PAGES_KEY_PATH} ]]; then
+      install_template root: nginx/gitlab-pages-ssl ${GITLAB_PAGES_NGINX_CONFIG}
+    else
+      echo "SSL Key, SSL Certificate were not found."
+      echo "Assuming that the container is running behind a HTTPS enabled load balancer."
+      install_template root: nginx/gitlab-pages ${GITLAB_PAGES_NGINX_CONFIG}
+    fi
+  else
+    install_template root: nginx/gitlab-pages ${GITLAB_PAGES_NGINX_CONFIG}
+  fi
+
+
+
   if [[ -n $GITLAB_CI_HOST ]]; then
     install_template root: nginx/gitlab_ci ${GITLAB_CI_NGINX_CONFIG}
   fi
@@ -1297,6 +1368,7 @@ configure_gitlab() {
   gitlab_configure_analytics
   gitlab_configure_backups
   gitlab_configure_registry
+  gitlab_configure_pages
 
   # remove stale gitlab.socket
   rm -rf ${GITLAB_INSTALL_DIR}/tmp/sockets/gitlab.socket
@@ -1315,6 +1387,44 @@ configure_gitlab_shell() {
     REDIS_DB_NUMBER
 }
 
+
+configure_gitlab_pages() {
+  echo "Configuring gitlab-pages..."
+cat > /etc/supervisor/conf.d/gitlab-pages.conf <<EOF
+[program:gitlab-pages]
+priority=20
+directory=${GITLAB_INSTALL_DIR}
+environment=HOME=${GITLAB_HOME}
+command=/usr/local/bin/gitlab-pages
+  -pages-domain ${GITLAB_PAGES_DOMAIN}
+  -pages-root ${GITLAB_PAGES_DIR}
+  -listen-proxy :8090
+EOF
+
+if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTP} ]]; then
+cat >> /etc/supervisor/conf.d/gitlab-pages.conf <<EOF
+  -listen-http ${GITLAB_PAGES_EXTERNAL_HTTP}
+EOF
+fi
+
+
+if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTPS} ]]; then
+cat >> /etc/supervisor/conf.d/gitlab-pages.conf <<EOF
+  -listen-https ${GITLAB_PAGES_EXTERNAL_HTTPS}
+  -root-cert ${SSL_PAGES_CERT_PATH}
+  -root-key ${SSL_PAGES_KEY_PATH}
+EOF
+fi
+
+cat >> /etc/supervisor/conf.d/gitlab-pages.conf <<EOF
+user=git
+autostart=true
+autorestart=true
+stdout_logfile=${GITLAB_INSTALL_DIR}/log/%(program_name)s.log
+stderr_logfile=${GITLAB_INSTALL_DIR}/log/%(program_name)s.log
+EOF
+}
+
 configure_nginx() {
   echo "Configuring nginx..."
   sed -i \
@@ -1325,6 +1435,7 @@ configure_nginx() {
   nginx_configure_gitlab
   nginx_configure_gitlab_ci
   nginx_configure_gitlab_registry
+  nginx_configure_pages
 }
 
 migrate_database() {

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -10,6 +10,7 @@ case ${1} in
     initialize_system
     configure_gitlab
     configure_gitlab_shell
+    configure_gitlab_pages
     configure_nginx
 
     case ${1} in