In order to start gitlab automatically on startup place the following file in /usr/local/etc/rc.d

#!/bin/sh

# PROVIDE: gitlab
# REQUIRE: LOGIN
# KEYWORD: shutdown
#
# Add the following line to /etc/rc.conf to enable Gitlab:
#
#  gitlab_enable="YES"

# Pull in the rc.d framework, then any gitlab_* overrides set in rc.conf.
. /etc/rc.subr
load_rc_config gitlab

# Fixed installation layout and the flags passed to unicorn_rails.
APP_ROOT='/usr/local/www/gitlab/gitlab'
DAEMON_OPTS='-c config/unicorn.rb -E production -D'
DESC='Gitlab service'
NAME='unicorn and resque'

# Fall back to defaults for anything rc.conf left unset or empty.
: "${gitlab_enable:=NO}"
: "${gitlab_user:=gitlab}"
unicorn_pidfile="${APP_ROOT}/tmp/pids/unicorn.pid"
resque_pidfile="${APP_ROOT}/tmp/pids/resque_worker.pid"

# Service identity as seen by rc.subr.
name='gitlab'
rcvar='gitlab_enable'

# Every rc action is routed through gitlab_command, with the action as $1.
start_cmd='gitlab_command start'
stop_cmd='gitlab_command stop'
restart_cmd='gitlab_command restart'
reload_cmd='gitlab_command reload'
status_cmd='gitlab_command status'


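# Print the PID recorded in pidfile $1 when it names a live process.
# Returns 1 (printing nothing) if the file is missing, malformed or stale.
_gitlab_live_pid() {
    local _pid
    [ -r "$1" ] || return 1
    _pid=
    read -r _pid < "$1" || [ -n "$_pid" ] || return 1
    # The pidfile is written by the unprivileged service account, so accept
    # nothing but digits before the value is used on a command line.
    case "$_pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "$_pid" 2>/dev/null || return 1
    echo "$_pid"
}

# Ask the process behind pidfile $1 to shut down and wait up to 30 seconds.
# Returns 0 if nothing was running or the process exited, 1 otherwise.
_gitlab_stop_one() {
    local _pid _tries
    _pid=$(_gitlab_live_pid "$1") || return 0
    # Signal as the service account rather than as root, so a tampered
    # pidfile cannot be used to signal a process that account does not own.
    # QUIT is the graceful-shutdown signal for unicorn and for resque workers.
    su -m "${gitlab_user:-gitlab}" -c "kill -QUIT $_pid" || return 1
    _tries=30
    while [ "$_tries" -gt 0 ] && kill -0 "$_pid" 2>/dev/null; do
        sleep 1
        _tries=$((_tries - 1))
    done
    ! kill -0 "$_pid" 2>/dev/null
}

# Dispatch one rc action for the Gitlab service.
#
# Globals read: APP_ROOT, DAEMON_OPTS, DESC, NAME, gitlab_user,
#               unicorn_pidfile, resque_pidfile
# Arguments:    $1 - start | stop | restart | reload | status
#               (defaults to start when omitted)
# Returns:      0 on success; 1 if a step failed, a process is not running
#               (status), or the action is unknown.
#
# The action argument is honoured: previously every action, including stop
# and status, launched the service again. The account comes from gitlab_user
# (falling back to "gitlab") instead of being hard-coded.
gitlab_command() {
    local _action _user _rc _pid _label _pidfile
    _action="${1:-start}"
    _user="${gitlab_user:-gitlab}"
    _rc=0

    case "$_action" in
        start)
            # Do not launch a second unicorn master on top of a live one.
            if _pid=$(_gitlab_live_pid "$unicorn_pidfile"); then
                echo "$DESC already running (unicorn pid $_pid)."
                return 0
            fi
            echo -n "Starting $DESC: "
            # -m keeps the caller's environment; the commands themselves run
            # as the unprivileged service account, never as root.
            su -m "$_user" -c "cd \"$APP_ROOT\" && bundle exec unicorn_rails $DAEMON_OPTS && ./resque.sh" || _rc=1
            echo "$NAME."
            ;;
        stop)
            echo -n "Stopping $DESC: "
            _gitlab_stop_one "$unicorn_pidfile" || _rc=1
            _gitlab_stop_one "$resque_pidfile" || _rc=1
            echo "$NAME."
            ;;
        restart|reload)
            # No finer-grained reload is implemented; both mean stop + start.
            gitlab_command stop || return 1
            gitlab_command start || _rc=1
            ;;
        status)
            for _pidfile in "$unicorn_pidfile" "$resque_pidfile"; do
                _label=${_pidfile##*/}
                _label=${_label%.pid}
                if _pid=$(_gitlab_live_pid "$_pidfile"); then
                    echo "$_label is running as pid $_pid."
                else
                    echo "$_label is not running."
                    _rc=1
                fi
            done
            ;;
        *)
            echo "Usage: gitlab_command {start|stop|restart|reload|status}" >&2
            return 1
            ;;
    esac
    return "$_rc"
}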

# Hand the action given on the command line (start, stop, ...) to rc.subr.
run_rc_command "${1}"

Download the raw file: gitlab.conf

This still needs some work, because it is not able to restart or stop the process.

Remember to put gitlab_enable="YES" into /etc/rc.conf!

In order to get Gitlab bundle install working on FreeBSD those patches have to be applied to Gemfile and Gemfile.lock (Gitlab stable version 3.0.3)

--- Gemfile  2012-11-13 22:29:50.712092498 +0100
+++ Gemfile.mod   2012-11-13 22:27:31.418896151 +0100
 
@@ -99,7 +101,7 @@ group :assets do
-  gem "therubyracer"
+  gem "therubyracer-freebsd", "0.10.1"
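Review bot: The `+` line swaps upstream `therubyracer` for a separately published, platform-specific gem without recording why, and as written the swap applies on every platform that uses this Gemfile. I would add a comment above it, for example `# FreeBSD only: replaces therubyracer so bundle install works here; revisit when upstream does`, and keep the original line for non-FreeBSD hosts if the Gemfile is shared. The exact pin to `0.10.1` is appropriate for a third-party fork, but the gem's publisher and source should be checked before adoption because it replaces a native-extension dependency. Only two lines of the hunk are shown, so the rest of `group :assets` is outside view.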
--- Gemfile.lock 2012-11-13 22:32:29.118312801 +0100
+++ Gemfile.lock.mod  2012-11-13 22:27:34.999901787 +0100
@@ -215,7 +205,7 @@ GEM
-    libv8 (3.3.10.4)
+    libv8-freebsd (3.3.10.4)
@@ -382,9 +370,9 @@ GEM
-    therubyracer (0.10.1)
-      libv8 (~> 3.3.10)
+    therubyracer-freebsd (0.10.1)
+      libv8-freebsd (= 3.3.10.4)
@@ -488,8 +475,8 @@ DEPENDENCIES
-  therubyracer
+  therubyracer-freebsd (= 0.10.1)

// edit: I also tried this with the master branch from Github as of 15.11.2012 and it works as well.

There are a couple of things which can be added to the nginx configuration to improve security and further support.

Listen to IPv6:

listen 80;          # IPv4: all addresses, port 80
listen [::]:80;     # IPv6: all addresses, port 80

Enforce HTTPS:

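# Plain-HTTP listener: its only job is to redirect every request to HTTPS.
server {
  listen 80;
  listen [::]:80;
  server_name medi-inf.org;
  return 301 https://$server_name$request_uri;  # enforce https
}

# HTTPS listener that serves the site.
server {
  # TLS is enabled per listener; the standalone "ssl on;" directive is
  # deprecated in newer nginx releases.
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name medi-inf.org;
  ssl_certificate /root/ssl/redmine_ssl.crt;
  # Private key: keep this file readable by root only.
  ssl_certificate_key /root/ssl/redmine_ssl.key;
  # NOTE(review): no ssl_protocols / ssl_ciphers are set, so the defaults of
  # the installed nginx build apply; review them for this deployment.

  root /some/www/page/;  # the terminating semicolon is required
}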

And additional security with HSTS:

# HSTS: a browser that receives this header over HTTPS uses HTTPS only for
# this host until max-age expires. Put it in the HTTPS server block; browsers
# ignore it on plain-HTTP responses.
# NOTE(review): add_header is inherited from the enclosing level only when the
# inner level defines no add_header of its own; repeat these lines in any
# location block that sets its own headers.
add_header Strict-Transport-Security max-age=31536000;  # 31536000 s = 365 days
# Forbid rendering the site inside frames on any origin (clickjacking defence).
add_header X-Frame-Options DENY;

“HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using secure connections only (such as HTTPS).” (wikipedia)

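This means that for 365 days after a web browser has received this header over HTTPS, it will use HTTPS instead of HTTP for this host. A man-in-the-middle can therefore no longer downgrade those later connections to plain HTTP; only the very first visit, before the browser has seen the header, is not covered.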