From 3e6287876e200ff12cca3c19b05b6f89c4f7267e Mon Sep 17 00:00:00 2001 From: Taqi Tahmid Date: Sun, 11 Jan 2026 14:38:10 +0200 Subject: [PATCH] add linting and security checking for gitlab ci --- .gitlab-ci.yml | 42 +++++++--------- docker/gitlab/README.md | 83 +++++++++++++++++++++++++++++++ docker/gitlab/gitlab.yaml | 42 ++++++++++++++++ docker/portainer.yaml | 3 -- docker/traefik/traefik-rules.yaml | 1 - docker/traefik/traefik.yaml | 3 +- 6 files changed, 143 insertions(+), 31 deletions(-) create mode 100644 docker/gitlab/README.md create mode 100644 docker/gitlab/gitlab.yaml
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 645c0b3..9247a79 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -7,33 +7,25 @@ workflow: - if: $CI_PIPELINE_TAG stages: - - build - - test - - deploy + - security + - lint -build-job: - stage: build - script: - - echo "Compiling the code..." - - echo "Compile complete." +include: + - template: Security/SAST.gitlab-ci.yml + - template: Security/DAST.gitlab-ci.yml -unit-test-job: - stage: test - script: - - echo "Running unit tests... This will take about 60 seconds." - - sleep 60 - - echo "Code coverage is 90%" +sast: + stage: security -lint-test-job: - stage: test - script: - - echo "Linting code... This will take about 10 seconds." - - sleep 10 - - echo "No lint issues found." +dast: + stage: security -deploy-job: - stage: deploy - environment: production +markdown_lint: + stage: lint + image: ghcr.io/igorshubovych/markdownlint-cli:latest + allow_failures: true + rules: + - changes: + - "**/*.md" script: - - echo "Deploying application..." - - echo "Application successfully deployed." + - markdownlint "**/*.md" \ No newline at end of file
diff --git a/docker/gitlab/README.md b/docker/gitlab/README.md
new file mode 100644
index 0000000..7366c39
--- /dev/null
+++ b/docker/gitlab/README.md
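Review bot: `allow_failures: true` in the new `markdown_lint` job is not a GitLab CI keyword — the job keyword is `allow_failure` — so GitLab's config validation will reject the pipeline with an unknown-keys error; change it to `allow_failure: true`. The job also pulls `ghcr.io/igorshubovych/markdownlint-cli:latest`, which lets the lint image change underneath the pipeline without any change to this repository; pinning a version tag, or better a digest, keeps the job reproducible and the supply chain reviewable. The `dast` job inherited from `Security/DAST.gitlab-ci.yml` needs a scan target (for example a `DAST_WEBSITE` variable) and nothing in this file sets one, so unless it is configured in project CI variables the job appears to have nothing to run against. The file also ends without a trailing newline (`\ No newline at end of file`).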
@@ -0,0 +1,83 @@ +# GitLab Docker Setup + +This directory contains the necessary files to set up GitLab using Docker +and Docker Compose. The setup includes a `gitlab.yaml` file that defines the +GitLab service configuration. + +## Adding gitlab runner as docker container + +To add a GitLab runner as a Docker container, follow these steps: + +1. SSH into the target machine where you want to run the GitLab runner. +2. Make sure Docker and Docker Compose are installed on the machine. +3. Obtain the GitLab runner registration token from your GitLab instance. + You can find this token in the GitLab web interface under + `Settings > CI/CD > Runners > Create Instance Runner > Registration Token`. +4. Then run the following command to start the GitLab runner container. There + can be multiple gitlab runners commisioned the same way by changing the name + of the container. + + ```bash + docker volume create gitlab-runner-config-2 + docker run -d \ + --name gitlab-runner-2 \ + --restart always \ + -v gitlab-runner-config-2:/etc/gitlab-runner \ + -v /var/run/docker.sock:/var/run/docker.sock \ + gitlab/gitlab-runner:latest + + + docker exec -it gitlab-runner-2 \ + gitlab-runner register \ + --non-interactive \ + --url "https:///" \ + --token "" \ + --executor "docker" \ + --docker-image alpine:latest \ + --description "docker-runner 2" + ``` + +## Troubleshooting + +- If the URL returns a 404 error, it is usually gitlab container takes long time + to start. Please wait for few minutes and try again. If the problem persists, + check the traefik labels and access logs for more information. + +- The initial root password is set in the `gitlab.yaml` file under the + `GITLAB_ROOT_PASSWORD` environment variable. Make sure to change it to a + secure password after the first login. If for some reason it does not work. + You can reset it via the following commands: + + 1. Access the GitLab container's shell: + ``` + docker exec -it /bin/bash + ``` + 2. 
Run the following command to reset the root password: + ``` + gitlab-rails console + ``` + 3. In the Rails console, execute the following commands: + ```ruby + user = User.find_by_username('root') + user.password = 'NewSecurePassword123!' + user.password_confirmation == 'NewSecurePassword123!' + user.save! + ``` + 4. Exit the Rails console and the container shell. + +- If while disabling signup you get server (500) error, please follow the below + steps: + 1. Access the GitLab container's shell: + ``` + docker exec -it /bin/bash + ``` + 2. Run the following command to open the Rails console: + ``` + gitlab-rails console + ``` + 3. In the Rails console, execute the following command to disable user signup: + ```ruby + settings = ApplicationSetting.last + settings.update_column(:runners_registration_token_encrypted, nil) + ``` + 4. Exit the Rails console and the container shell.
diff --git a/docker/gitlab/gitlab.yaml b/docker/gitlab/gitlab.yaml
new file mode 100644
index 0000000..e73bc42
--- /dev/null
+++ b/docker/gitlab/gitlab.yaml
@@ -0,0 +1,42 @@ +services: + gitlab: + image: gitlab/gitlab-ce:18.5.5-ce.0 + container_name: gitlab + restart: unless-stopped + env_file: + - ./.env + hostname: gitlab.${DOMAINNAME} + ports: + - "2424:22" + volumes: + - "$GITLAB_HOME/config:/etc/gitlab" + - "$GITLAB_HOME/logs:/var/log/gitlab" + - "$GITLAB_HOME/data:/var/opt/gitlab" + shm_size: "256m" + networks: + - t3_proxy + labels: + - "traefik.enable=true" + - "traefik.http.routers.gitlab-rtr.entrypoints=websecure" + - "traefik.http.routers.gitlab-rtr.rule=Host(`gitlab.${DOMAINNAME}`)" + - "traefik.http.routers.gitlab-rtr.tls=true" + - "traefik.http.routers.gitlab-rtr.service=gitlab-svc" + - "traefik.http.services.gitlab-svc.loadbalancer.server.port=80" + environment: + GITLAB_ROOT_PASSWORD: ${GITLAB_ROOT_PASSWORD} + GITLAB_OMNIBUS_CONFIG: | + external_url "https://gitlab.${DOMAINNAME}" + gitlab_rails['gitlab_shell_ssh_port'] = 2424 + letsencrypt['enable'] = false + nginx['listen_port'] = 80 + nginx['listen_https'] = false + postgresql['shared_buffers'] = '256MB' + sidekiq['max_concurrency'] = 4 + sidekiq['concurrency'] = 1 + puma['worker_timeout'] = 120 + puma['worker_processes'] = 1 + prometheus_monitoring['enable'] = false + +networks: + t3_proxy: + external: true
diff --git a/docker/portainer.yaml b/docker/portainer.yaml
index 98a8473..58c7e82 100644
--- a/docker/portainer.yaml
+++ b/docker/portainer.yaml
@@ -13,14 +13,11 @@ services: - t3_proxy labels: - "traefik.enable=true" - # HTTP Routers - "traefik.http.routers.portainer-rtr.entrypoints=websecure" - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.${DOMAINNAME}`)" - # HTTP Services - "traefik.http.routers.portainer-rtr.tls=true" - "traefik.http.routers.portainer-rtr.service=portainer-svc" - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000" - - "traefik.http.routers.traefik-rtr.middlewares=middlewares-rate-limit@file,middlewares-secure-headers@file" command: --http-enabled environment:
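Review bot: `GITLAB_ROOT_PASSWORD: ${GITLAB_ROOT_PASSWORD}` places the initial root password in the container environment, where it is readable by anything with `docker inspect` access — including the runner container that the README in this commit starts with `/var/run/docker.sock` mounted — and an unset variable silently interpolates to an empty string instead of failing. GitLab reads this value only on first boot, so a safer shape is a compose `secrets:` entry read from inside `GITLAB_OMNIBUS_CONFIG`, e.g. `gitlab_rails['initial_root_password'] = File.read('/run/secrets/<secret-name>').strip` (path constructed from the compose default mount location), and the variable removed once setup is done; at minimum make a missing value fail fast with `${GITLAB_ROOT_PASSWORD:?GITLAB_ROOT_PASSWORD must be set}`. `env_file: - ./.env` additionally hands every variable in that file to the GitLab container; if `.env` also holds secrets for Traefik or other services in this stack, a GitLab-specific env file would narrow that exposure. `"2424:22"` publishes Git-over-SSH on every host interface while HTTP is fronted by Traefik; if SSH is not meant to be public, bind it to an address, `"<host-ip>:2424:22"`.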
diff --git a/docker/traefik/traefik-rules.yaml b/docker/traefik/traefik-rules.yaml
index 0ea737c..12b0046 100644
--- a/docker/traefik/traefik-rules.yaml
+++ b/docker/traefik/traefik-rules.yaml
@@ -25,7 +25,6 @@ http: tls: options: default: - #sniStrict: true # prevents leaking default cert; see https://doc.traefik.io/traefik/v2.2/https/tls/#strict-sni-checking minVersion: VersionTLS12 cipherSuites: - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
diff --git a/docker/traefik/traefik.yaml b/docker/traefik/traefik.yaml
index 659e21f..39a48e1 100644
--- a/docker/traefik/traefik.yaml
+++ b/docker/traefik/traefik.yaml
@@ -69,5 +69,4 @@ services: - "traefik.http.routers.api.entrypoints=websecure" - "traefik.http.routers.api.rule=Host(`traefik.${DOMAINNAME}`)" - "traefik.http.routers.api.service=api@internal" - # Middlewares - - "traefik.http.routers.api.middlewares=middlewares-rate-limit@file,middlewares-secure-headers@file" +
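Review bot: Removing `traefik.http.routers.api.middlewares=middlewares-rate-limit@file,middlewares-secure-headers@file` leaves the `api@internal` dashboard router, served at `Host(`traefik.${DOMAINNAME}`)` on `websecure` per the context lines, with no rate limiting and no security headers, and the commit message ("add linting and security checking for gitlab ci") does not say why a Traefik hardening label is being dropped. If the `@file` middlewares were removed from the dynamic configuration this is consistent and the note can be closed; otherwise the label should stay, and the same question applies to the portainer hunk in this commit, where the deleted line referenced the router name `traefik-rtr` rather than `portainer-rtr`, so that router appears never to have carried these middlewares either. The single added line is empty; confirm it is an intentional trailing newline rather than stray whitespace. The enclosing `labels` list begins outside the hunk.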