Installing your own Git server on Raspberry Pi 4 using GitLab CE

Kawsar Kamal
Mar 1, 2020


If you love Git and also love the Raspberry Pi, why not host your own Git server? You can host a set of private Git repos for code or writing projects that you are working on and aren’t ready to open up to the world. GitLab is my favorite Git repository because of its excellent documentation, CI/CD support, rich Web UI and WebIDE.

3 node Raspberry Pi setup

GitLab Community Edition (CE) also supports the Raspberry Pi platform which caught my attention as I recently started doing projects on a Raspberry Pi 4. I had to do some digging around for the install to complete successfully so I am sharing the steps below. Once you get to the GitLab UI hosted on Raspberry Pi and create your first Project, it will all be worth it!

GitLab CE running on Raspberry Pi

Pre-requisites

Remote access: I assume you have already set up SSH or VNC and have remote access to your Raspberry Pi. Please run sudo apt-get update -y to refresh the package lists.

OS release: Please check your Raspberry Pi model and OS by running cat /etc/os-release. Below is the output from my model. As of this writing (Feb 2020), the latest version of Raspbian OS is built from Debian Buster Linux. These steps should work for a Debian Stretch release as well but I have not tested that.

pi@raspberrypi:~ $ cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

Download the package and start installation

For this guide we will be using the Omnibus GitLab CE package, which is described as a project that “creates full-stack platform-specific downloadable packages for GitLab.”

Note: I did have some difficulty with the official installer steps most likely due to OS differences: https://about.gitlab.com/install/#raspberry-pi-2. Presumably this will be updated soon for Raspbian Buster.

To download the Omnibus package, head to the GitLab packages for Raspberry Pi and click on the latest one: https://packages.gitlab.com/gitlab/raspberry-pi2. As of this writing the latest is 12.7.5. The steps below correspond to 12.7.5; please substitute the package you are installing.

cd /tmp
# Note: this file was almost 700 MBs.
# I recommend a hardwired Ethernet connection for faster download
wget --content-disposition https://packages.gitlab.com/gitlab/raspberry-pi2/packages/raspbian/stretch/gitlab-ce_12.7.5-ce.0_armhf.deb/download.deb
# This install took a few minutes
# The leading ./ makes apt treat the argument as a local file, not a package name
sudo apt install ./gitlab-ce_12.7.5-ce.0_armhf.deb

Configure GitLab CE

After the installer runs, edit the file /etc/gitlab/gitlab.rb (sudo nano /etc/gitlab/gitlab.rb) to update external_url with the hostname or IP address that will be used to access GitLab CE. In the example below the DNS name is gitlab.pi:

external_url 'http://gitlab.pi'

In this example, both the Raspberry Pi and the client (a Mac laptop) have the following entry in the hosts file (/etc/hosts) that corresponds to the Raspberry Pi IP address:

192.168.0.20 gitlab.pi

If your DNS name is not resolvable externally, please also update the hosts file (sudo nano /etc/hosts) with the IP and hostname as shown above.

Finally, run the following command to start the GitLab services. This command might take ~ 5 mins to run.

sudo gitlab-ctl reconfigure

Now you should be able to reach the GitLab main page in a web browser:

GitLab CE sign in page

SSL and Backups

These are some optional but recommended configuration items after you have set up GitLab CE.

SSL setup using a self-signed certificate: The default install runs on HTTP. This is undesirable, especially if you will be accessing your repository from untrusted networks. Below are the steps for SSL setup using a self-signed Certificate Authority (CA). If you want a publicly trusted CA, I recommend signing up for a DNS name and a free certificate from LetsEncrypt.

Download the ARM binary for HashiCorp Vault and run a Dev server by running the commands below in a Terminal:

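sudo apt-get install wget unzip -y
wget https://releases.hashicorp.com/vault/1.3.2/vault_1.3.2_linux_arm.zip
unzip vault_1.3.2_linux_arm.zip
sudo mv ./vault /usr/local/bin
sudo chmod +x /usr/local/bin/vault
vault --version
# Start the Dev server and leave it running in this terminal.
# Dev mode keeps everything in memory, starts unsealed and listens on
# http://127.0.0.1:8200 without TLS, so use it only for this one-off setup.
vault server -dev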

Note: A Raspberry Pi is an excellent place to run a HashiCorp Vault. Please see Vault Deployment Guide to set up a permanent Vault server.

In another terminal, configure a PKI secrets engine and export the certificates. In the example commands below we set the self-signed Root CA expiry to 1 year and the certificate expiry to 3 months.

sudo apt-get install jq -y # Install jq
CA_ttl=8760h # Root CA expiry: adjust as needed
Cert_ttl=2190h # Leaf Certificate expiry: adjust as needed
export VAULT_ADDR=http://localhost:8200
vault secrets enable -path=pki-root pki
vault secrets tune -max-lease-ttl=${CA_ttl} pki-root
vault write pki-root/roles/gitlab \
allowed_domains="gitlab.pi" allow_bare_domains="true" \
max_ttl=${Cert_ttl}
vault write pki-root/root/generate/internal common_name=gitlab.pi ttl=${CA_ttl}
sudo mkdir -p /etc/gitlab/ssl/
# certs.json contains the private key, so create it readable by you only.
# ttl is requested explicitly; without it the certificate gets the mount's
# default lease TTL rather than ${Cert_ttl}.
( umask 077; vault write -format=json pki-root/issue/gitlab common_name=gitlab.pi ttl=${Cert_ttl} > certs.json )
# GitLab looks for /etc/gitlab/ssl/<hostname>.crt and <hostname>.key
jq -r .data.certificate certs.json | sudo tee /etc/gitlab/ssl/gitlab.pi.crt > /dev/null
jq -r .data.issuing_ca certs.json | sudo tee -a /etc/gitlab/ssl/gitlab.pi.crt > /dev/null
jq -r .data.private_key certs.json | sudo tee /etc/gitlab/ssl/gitlab.pi.key > /dev/null
sudo chmod 600 /etc/gitlab/ssl/gitlab.pi.key
rm certs.json # do not leave a second copy of the private key behind

Update external_url in the /etc/gitlab/gitlab.rb file to indicate https as shown below (note the https):

external_url 'https://gitlab.pi'

Finally, run the following command again to restart GitLab CE with the SSL certificates:

sudo gitlab-ctl reconfigure

You should be able to access GitLab CE at https://gitlab.pi (or whatever DNS name/IP address you chose).

HTTPS certificate for GitLab

As shown above, the browser will still complain that the root certificate is untrusted. Traffic to and from GitLab CE is now encrypted with TLS, but until the browser trusts the root certificate it cannot verify that it is really talking to your server. To remove the warning you can add the root certificate (the gitlab.pi.crt file from earlier) to the browser or obtain a free certificate signed by LetsEncrypt.

Note: If you had issues, just change external_url back to http://gitlab.pi and rerun sudo gitlab-ctl reconfigure. You can check for any error messages by running the following command: sudo gitlab-ctl tail.
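
A way to check the certificate and key files handed to GitLab, as an added example that is not part of the original post: it confirms that the key belongs to the leaf certificate, that the leaf chains to the CA appended to the same file, that it covers the hostname, and that it is not about to expire. The function names are hypothetical; it assumes the openssl command-line tool is installed and that the .crt file holds the leaf first and the issuing CA after it, as the jq commands above write it.

```shell
# Added example: sanity checks for the certificate and key given to GitLab.
# Function names are hypothetical; requires the openssl command-line tool.

# First certificate in a PEM bundle (the leaf) / everything after it (the CA).
leaf_of()  { awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$1"; }
chain_of() { awk '/-----BEGIN CERTIFICATE-----/{n++} n>1' "$1"; }

# Succeeds when the private key ($2) belongs to the leaf certificate in $1.
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(leaf_of "$1" | openssl x509 -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the leaf verifies against the CA appended to the same file.
chain_verifies() {
  local tmp rc=0
  tmp=$(mktemp -d) || return 1
  leaf_of "$1" > "$tmp/leaf.pem"
  chain_of "$1" > "$tmp/ca.pem"
  openssl verify -CAfile "$tmp/ca.pem" "$tmp/leaf.pem" >/dev/null 2>&1 || rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# Succeeds when the leaf is valid for the hostname in $2.
host_matches() {
  leaf_of "$1" | openssl x509 -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# Succeeds when the leaf is still valid $2 days from now (default 14).
valid_for_days() {
  leaf_of "$1" | openssl x509 -noout -checkend $(( ${2:-14} * 86400 )) >/dev/null 2>&1
}

# Run every check; print what failed and return non-zero if anything did.
check_gitlab_tls() {  # usage: check_gitlab_tls BUNDLE KEY HOSTNAME
  local failed=0
  key_matches_cert "$1" "$2" || { echo "FAIL: key does not match certificate"; failed=1; }
  chain_verifies "$1"        || { echo "FAIL: leaf does not chain to bundled CA"; failed=1; }
  host_matches "$1" "$3"     || { echo "FAIL: certificate does not cover $3"; failed=1; }
  valid_for_days "$1" 14     || { echo "FAIL: certificate expires within 14 days"; failed=1; }
  return "$failed"
}

# Example: sudo bash check.sh /etc/gitlab/ssl/gitlab.pi.crt /etc/gitlab/ssl/gitlab.pi.key gitlab.pi
if [ "$#" -eq 3 ]; then check_gitlab_tls "$@"; fi
```

With 3-month certificates, running the same check from cron gives advance notice before the certificate lapses.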

Backup and Restore

Surely you do not want to lose your work in case the Pi storage gets corrupted or deleted. Therefore I recommend running through the steps below to practice a backup / restore process. You will want to do this periodically and save the backup file somewhere safe outside of the Raspberry Pi.

sudo gitlab-backup create STRATEGY=copy
ls /var/opt/gitlab/backups

Copy the newly created backup file to a safe place. To restore, first stop the following services:

sudo gitlab-ctl stop unicorn
sudo gitlab-ctl stop puma
sudo gitlab-ctl stop sidekiq

Then run the gitlab-backup restore command providing the file name from earlier excluding the _gitlab_backup.tar portion (note: the backup file must be present in /var/opt/gitlab/backups).

sudo gitlab-backup restore BACKUP=1582073800_2020_02_18_12.7.5

Reference: https://docs.gitlab.com/ee/raketasks/backup_restore.html#creating-a-backup-of-the-gitlab-system
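
Helpers for the backup steps above, as an added example that is not part of the original post: they pick the newest archive, derive the value to pass as BACKUP=, report its age from the epoch prefix in the file name, and copy it to another location while checking that the copy is intact. The function names and the destination directory (for example a mounted USB or network drive) are assumptions.

```shell
# Added example: helpers around the archives created by gitlab-backup.
# Function names and the destination directory are hypothetical.

# Newest archive in a backup directory; the leading epoch sorts numerically.
newest_backup() {
  ls -1 "$1" 2>/dev/null | grep -E '^[0-9]+_.*_gitlab_backup\.tar$' | sort -n | tail -n 1
}

# Value to pass as BACKUP=: the file name without the _gitlab_backup.tar suffix.
backup_id() { basename "$1" _gitlab_backup.tar; }

# Age of an archive in whole hours, taken from the epoch prefix of its name.
backup_age_hours() {
  local id
  id=$(backup_id "$1")
  echo $(( ( $(date +%s) - ${id%%_*} ) / 3600 ))
}

# Copy the newest archive to DEST_DIR and confirm the copy hashes the same.
# gitlab-backup does not include /etc/gitlab/gitlab-secrets.json or gitlab.rb;
# keep copies of those as well, because without the secrets file encrypted
# values such as CI/CD variables cannot be read after a restore.
copy_newest_backup() {  # usage: copy_newest_backup SRC_DIR DEST_DIR
  local name src_sum dst_sum
  name=$(newest_backup "$1")
  [ -n "$name" ] || { echo "no backup found in $1" >&2; return 1; }
  cp "$1/$name" "$2/" || return 1
  src_sum=$(sha256sum < "$1/$name") || return 1
  dst_sum=$(sha256sum < "$2/$name") || return 1
  [ "$src_sum" = "$dst_sum" ] || { echo "checksum mismatch for $name" >&2; return 1; }
  backup_id "$name"   # print the id to use with gitlab-backup restore
}
```

The archive holds every repository and the database, so the destination deserves the same access restrictions as the server itself.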

Conclusion

In this post we set up a GitLab CE server on a Raspberry Pi. We also reviewed the steps to enable SSL and perform a backup/restore operation. I hope you found this useful!
