Gitlab and Mattermost on Ubuntu 15.04 with Nginx, Postgresql, gmail and https

There are several tutorials out there, which help to install Gitlab on Ubuntu, but none of them is complete. My situation:

  • Ubuntu 15.04
  • Already installed PostgreSQL
  • Already installed Nginx
  • Gmail as email-provider
  • Https on the whole domain

Below is what I got.

Gitlab

Ubuntu 15.04

The deb for 15.04 is too old (7.10), and doesn’t have Mattermost included (from 7.14). So I resorted to the 14.04 debs. I felt lucky and added this to /etc/apt/sources.list:

deb https://packages.gitlab.com/gitlab/gitlab-ce/ubuntu/ trusty main
deb-src https://packages.gitlab.com/gitlab/gitlab-ce/ubuntu/ trusty main

On sapph.ca it is very well explained how to install it. The difference is that the upstart-problem is not a problem anymore, so start from the second step.

Gitlab config

My /etc/gitlab/gitlab.rb looks like this.

You need to define the external url twice when using an external Nginx.

external_url 'https://gitlab.domain.tld'
gitlab_rails['internal_api_url'] = 'https://gitlab.domain.tld'

Email addresses. I use a “robot” account for all these kinds of things. It sounds friendlier than “no-reply” and is more clear that complaining to a robot is useless (as of 2016).

gitlab_rails['gitlab_email_from'] = 'robot@domain.tld'
gitlab_rails['gitlab_email_display_name'] = 'Domain.tld Gitlab'
gitlab_rails['gitlab_email_reply_to'] = 'robot@domain.tld'

The PostgreSQL database needs the directory of the UNIX socket as the host. Yes, that is different from MySQL.

gitlab_rails['db_adapter'] = "postgresql"
gitlab_rails['db_encoding'] = "unicode"
gitlab_rails['db_database'] = "gitlabdb"
gitlab_rails['db_pool'] = 10
gitlab_rails['db_username'] = "gitlab"
gitlab_rails['db_password'] = "PASSWORD"
gitlab_rails['db_host'] = "/var/run/postgresql/"
gitlab_rails['db_port'] = 5432

Gmail seemed to get timeouts on port 456, as Postfix was installed locally. When using Postfix for a G-account, then Google just assumed it was spam. Below was the only working solution of all I found on the net.

gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.gmail.com"
gitlab_rails['smtp_port'] = 587
gitlab_rails['smtp_user_name'] = "robot@domain.tld"
gitlab_rails['smtp_password'] = "PASSWORD"
gitlab_rails['smtp_domain'] = "domain.tld"
gitlab_rails['smtp_authentication'] = "plain"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = false
gitlab_rails['smtp_openssl_verify_mode'] = 'peer'

When using an external Nginx, you need to turn off both Unicorn and Nginx:

unicorn['enable'] = false
nginx['enable'] = false

Do a “gitlab-ctl reconfigure” and scroll up if you see any error.

Nginx config for Gitlab

I based mine on a Gitlab-recipe. Of course I put in the domain name I had configured in Gitlab.

The latest Nginx has HTTP2, so I also use that.

listen 443 ssl http2;

SSL I copied to be the same as my other domains.

ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA;
#ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;

For the rest, it was just standard. It should now be available at https://gitlab.domain.tld/

Do a “nginx -s reload” to see the changes.

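If all went ok with the install, you can now log in with the default credentials below. They are the same on every fresh install, so change the password right away.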

Username: root
Password: 5iveL!fe

Mattermost

The first thing you need to do is register the application in Gitlab. Go to Settings -> Applications or https://gitlab.domain.tld/admin/applications

If you are going to use https://chat.domain.tld as the domain for Mattermost, register https://chat.domain.tld/signup/gitlab/complete

You need the ID and Secret to fill in the configuration.

Gitlab config

mattermost_external_url 'https://chat.domain.tld'

mattermost['enable'] = true
mattermost['service_use_ssl'] = true
mattermost['service_address'] = "127.0.0.1"
mattermost['service_port'] = "8065"

Below are the settings I have. Understand that all settings you change in the app are overwritten when you reconfigure.

mattermost['team_site_name'] = "Domain.tld Mattermost"
# mattermost['team_max_users_per_team'] = 150
mattermost['team_enable_team_creation'] = false
mattermost['team_enable_user_creation'] = true
mattermost['team_allow_public_link'] = false
mattermost['team_restrict_creation_to_domains'] = "domain.tld"
mattermost['team_restrict_team_names'] = true
mattermost['team_enable_team_listing'] = true

PostgreSQL is set up very differently than for Gitlab.

mattermost['sql_driver_name'] = 'postgres'
mattermost['sql_data_source'] = "postgres://mmuser:PASSWORD@localhost:5432/mattermost?sslmode=disable"

Logging is left quite standard

mattermost['log_file_directory'] = '/var/log/gitlab/mattermost'
mattermost['log_console_enable'] = true
mattermost['log_console_level'] = 'INFO'
mattermost['log_enable_file'] = true
mattermost['log_file_level'] = 'INFO'

Gitlab SSO

mattermost['gitlab_enable'] = true
mattermost['gitlab_secret'] = "Unique Secret you get from Gitlab"
mattermost['gitlab_id'] = "Unique ID you get from Gitlab"
mattermost['gitlab_scope'] = ""
mattermost['gitlab_auth_endpoint'] = "https://gitlab.domain.tld/oauth/authorize"
mattermost['gitlab_token_endpoint'] = "https://gitlab.domain.tld/oauth/token"
mattermost['gitlab_user_api_endpoint'] = "https://gitlab.domain.tld/api/v3/user"

Email with gmail

mattermost['email_enable_sign_up_with_email'] = false
# mattermost['email_enable_sign_in_with_email'] = true
# mattermost['email_enable_sign_in_with_username'] = false
mattermost['email_send_email_notifications'] = true
mattermost['email_require_email_verification'] = true
mattermost['email_smtp_username'] = "robot@domain.tld"
mattermost['email_smtp_password'] = "PASSWORD"
mattermost['email_smtp_server'] = "smtp.gmail.com"
mattermost['email_smtp_port'] = "587"
mattermost['email_connection_security'] = "STARTTLS"
mattermost['email_feedback_name'] = "Domain.tld Mattermost"
mattermost['email_feedback_email'] = "robot@domain.tld"
mattermost['email_send_push_notifications'] = true
mattermost['support_email'] = "robot@domain.tld"

Also turn off the internal Nginx for Mattermost.

mattermost_nginx['enable'] = false

Do a “gitlab-ctl reconfigure” and scroll up if you see any error.

Nginx config for MatterMost

The example you’ll find hidden in the forums has “X-Forwarded-Proto http;” and doesn’t work.

server {
  listen 443 ssl http2;
  listen 80;

  ssl on;
  ssl_certificate /etc/ssl/domain.tld/ssl.crt;
  ssl_certificate_key /etc/ssl/domain.tld/domain.key;
  ssl_prefer_server_ciphers on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA;
  ssl_session_cache shared:SSL:50m;
  ssl_session_timeout 5m;

  server_name chat.domain.tld;
  server_tokens off;
  client_max_body_size 250m;
  access_log /var/log/gitlab/nginx/gitlab_mattermost_access.log;
  error_log /var/log/gitlab/nginx/gitlab_mattermost_error.log;

  location / {
    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_redirect off;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Frame-Options SAMEORIGIN;
    proxy_set_header Upgrade $http_upgrade;
    # $connection_upgrade is not built in: it must be defined by a map block in the http context
    proxy_set_header Connection $connection_upgrade;
    proxy_pass http://127.0.0.1:8065;
  }
}

Do a “nginx -s reload” and you’re done.
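The TLS settings and the combined 80/443 server block above, reworked as an added example (not the author's configuration): `ssl on;` together with `listen 80;` makes port 80 expect TLS as well, and TLSv1 and TLSv1.1 are deprecated (RFC 8996), so this version redirects plain HTTP and keeps only TLSv1.2 with the two AEAD suites from the page's own cipher list. It assumes the page's host name and certificate paths, and that the `map` block sits in the `http` context, for instance at the top of the site file.

```nginx
# Added example, not the author's configuration.

# http context, once: defines $connection_upgrade used in the location block.
map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

# Plain HTTP only redirects; nothing is proxied over port 80.
server {
  listen 80;
  server_name chat.domain.tld;
  server_tokens off;
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl http2;   # the "ssl" parameter replaces the separate "ssl on;"
  server_name chat.domain.tld;
  server_tokens off;
  # client_max_body_size, access_log, error_log and timeouts as in the page's block

  ssl_certificate     /etc/ssl/domain.tld/ssl.crt;
  ssl_certificate_key /etc/ssl/domain.tld/domain.key;

  # Before: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  # Add TLSv1.3 where nginx >= 1.13.0 is built against OpenSSL >= 1.1.1.
  ssl_protocols TLSv1.2;
  # Before: the list also held the CBC suites (...-SHA384, ...-SHA256, ...-SHA).
  ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:50m;
  ssl_session_timeout 5m;

  location / {
    proxy_http_version 1.1;   # WebSocket upgrade needs HTTP/1.1 to the upstream
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;   # always "https" in this block
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_pass http://127.0.0.1:8065;
  }
}
```

Run “nginx -t” before the reload to catch syntax errors; clients that cannot speak TLSv1.2 with an ECDHE-GCM suite will no longer connect.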
