| Engineering | Infrastructure | How to deploy GitLab using Digital Ocean
How to deploy GitLab using Digital Ocean

This guide will walk you through how to deploy a self-hosted instance of Gitlab Enterprise Edition on Digital Ocean.

Provision Server

Visit Digital Ocean Marketplace and search for GitLab Enterprise Edition. Click "Create GitLab Enterprise Edition Droplet".

At time of publishing the latest available distribution on Digital Ocean is Gitlab EE 14.4 running on Ubuntu 20.04.

Here are the options I chose when creating a droplet.
- Choose an image. Go to the Marketplace tab and select GitLab Enterprise Edition on Ubuntu 20.04.
- Choose a plan. I selected Basic, Shared CPU, 4 vCPUs, 8 GB Memory, 160 GB SSD, 5 TB transfer, $40/mo. I previously used a smaller sized server but quickly needed to increase its size as I ran into performance issues.
- Add block storage. I skipped this as I didn't need this.
- Choose a datacenter region. I chose Toronto 1 as I'm based in Canada.
- Select additional options. I chose IPv6 and Monitoring.
- Authentication. I chose SSH keys.
- How many Droplets? 1.
- Choose a hostname. I used the following naming scheme "sitename-gitlab-prd".
- Add tags. None.
- Select Project. None.
- Add backups. I selected Yes for $4/mo.
- Press "Create Droplet"

Configure GitLab

Once the droplet is created, SSH into the droplet to configure it ssh root@droplet_ip_address.

Digital Ocean attempts to configure and start your GitLab instance upon provisioning, however, I've found that not everything starts properly on the first go. I typically run sudo gitlab-ctl reconfigure just to ensure GitLab is configured properly. Afterwards, run sudo gitlab-ctl status to ensure all GitLab services are up and running.

Set your admin password

Once you've confirmed GitLab is running, the first thing you should do is setup the intitial password of the root user. You can find your initial password by typing nano /etc/gitlab/initial_root_password. Open your browser to droplet_ip_address and login with the Username: root along with your Password: initial_root_password. Remember to change your password after logging in.

Disable public signups

Since this is a self-hosted instance of Gitlab, you likely want to restrict sign ups only to accounts created by admins. To do this, go to Admin Area > Settings > Sign Up Restrictions.

Use a custom domain with https

To use a custom domain, visit your domain registrar and add the appropriate host records to your domain. In my case, I hosted GitLab on a sub-domain code.website.com, so, I added the following record Type: A Record, Host: code, Value: droplet_ip_address. After waiting for the domain's TTL to refresh, the sub-domain should now point to your droplet's IP address.

The next step is to configure GitLab to also use this IP address. SSH into your GitLab server and run nano /etc/gitlab/gitlab.rb and change the external_url to your domain. Restart GitLab by running sudo gitlab-ctl reconfigure and sudo gitlab-ctl restart.

If your external_url contained https (https://code.website.com), LetsEncrypt should automatically run when you run sudo gitlab-ctl reconfigure.

Resetting user passwords

You can reset user passwords from the Admin Panel code.website.com/admin/users or you can reset admin passwords from the Rails console.

To reset passwords via the Rails console, SSH into the server hosting GitLab and start the Rails console sudo gitlab-rails console.

Once the Rails console is started:

## List all users

## Select the user you'd like to update
user1 = User.find(1)

## Update the password
user1.password = 'mynewpassword'
user1.password_confirmation = 'mynewpassword'

Afterwards, visit the sign in page code.example.com/users/sign_in and sign in.

Manual fix for https

If https isn't able to be automatically configured, you can follow the steps below. I previously ran into the issue of SSL certificates weren't being issued by LetsEncrypt where instead of waiting for this to be patched, I used the following work around.

Install Certbot

sudo add-apt-repository ppa:certbot/certbot

If you encounter the error:

E: Could not get lock /var/lib/dpkg/lock-frontend - open (11: Resource temporarily unavailable)
E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), is another process using it?

Kill the apt process
ps aux | grep -i apt
sudo kill -9 <pid>
sudo killall apt apt-get

If you encounter the error:

E: dpkg was interrupted, you must manually run 'sudo dpkg --configure -a' to correct the problem. 

Run sudo dpkg --configure -a

Update all packages
sudo apt-get update

Install cerbot
sudo apt-get install certbot

Create custom SSLs

Make a directory for letsencrypt sudo mkdir -p /var/www/letsencrypt

Modify your gitlab config, notice the external_url is initially set to http. sudo nano /etc/gitlab/gitlab.rb

external_url "http://gitlab.example.com"
letsencrypt['enable'] = false
nginx['custom_gitlab_server_config'] = "location ^~ /.well-known { root /var/www/letsencrypt; }"

Reconfigure nginx
sudo gitlab-ctl reconfigure

Request a Certificate

Request a certificate sudo certbot certonly --webroot --webroot-path=/var/www/letsencrypt -d gitlab.example.com and
and walk through all prmpts

Repoint nginx to Certificate

sudo nano /etc/gitlab/gitlab.rb and update

external_url "https://gitlab.example.com"
nginx['redirect_http_to_https'] = true
nginx['redirect_http_to_https_port'] = 80
nginx['custom_gitlab_server_config'] = "location ^~ /.well-known { root /var/www/letsencrypt; }"
nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab.example.com/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.example.com/privkey.pem"

Reconfigure and Restart

sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart

Test your ssl certificates

Visit https://www.ssllabs.com/ssltest/ and enter your website to see if your SSL certificates were properly applied.

Sources used