# GitLab for small site (LV.1)

## Reference Architecture

### 20 RPS or 1000 users

*API: 20 RPS, Web: 2 RPS, Git (Pull): 2 RPS, Git (Push): 1 RPS*

```
Architecture: Standalone VM, no HA
CPU: 8 vCPUs
Memory: 16 GB
OS: Ubuntu
```

## Firewall

| Port | Protocol | Service |
| ---- | -------- | ------- |
| 22   | TCP      | SSH     |
| 80   | TCP      | HTTP    |
| 443  | TCP      | HTTPS   |

## Config firewall on Ubuntu

```bash
sudo apt install ufw
sudo systemctl enable --now ufw
# Drop all inbound traffic by default (outbound stays allowed)
sudo ufw default deny
sudo ufw allow http
sudo ufw allow https
# Allow SSH but rate-limit it (ufw blocks a source after 6 attempts within 30 seconds)
sudo ufw limit ssh/tcp
# Enable only after the SSH rule exists so the current session is not locked out
sudo ufw enable
sudo ufw status
```

## Allow Git user to push/pull via SSH

Edit `/etc/ssh/sshd_config` and add the following setting. It lets SSH clients pass the `GIT_PROTOCOL` environment variable through to the server, which is what Git protocol v2 over SSH relies on:

```ini
# Pass GIT_PROTOCOL through so Git protocol v2 works over SSH
AcceptEnv GIT_PROTOCOL
```

Restart the SSH service:

```bash
sudo systemctl restart ssh
```

## Kernel Hardening

Create the file `/etc/sysctl.d/99-gitlab-hardening.conf`:

```ini
##
## The following help mitigate out-of-bounds, null pointer dereference, heap and
## buffer overflow bugs, use-after-free etc. from being exploited. They do not
## fix the bugs themselves, but seriously hamper exploitation.
##
# Lowest address a process may mmap. Ubuntu's default is 65536; keep it there,
# because lowering it exposes more of the low address space to NULL-dereference exploits
vm.mmap_min_addr=65536
# Full ASLR (2 also randomizes the heap/brk); most current kernels default to 2
kernel.randomize_va_space=2
# Hide kernel pointers (for example in /proc/kallsyms) from all users, including root
kernel.kptr_restrict=2
# Restrict reading the kernel log (dmesg) to privileged users
kernel.dmesg_restrict=1
# Disallow unprivileged eBPF and harden the BPF JIT for all users
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
# Disallow unprivileged userfaultfd, commonly used to win races in use-after-free exploits
vm.unprivileged_userfaultfd=0

## Networking tweaks ##
##
## Prevent common attacks at the IP stack layer
##
# Mitigate SYN flood denial of service
net.ipv4.tcp_syncookies=1
# Mitigate TIME-WAIT assassination (RFC 1337)
net.ipv4.tcp_rfc1337=1
# IP spoofing/source routing protection (strict reverse path filtering)
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
# Ignore IPv6 router advertisements; skip these two if the VM gets its IPv6 address via SLAAC
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
# ICMP redirect protection: neither accept nor send redirects (a host is not a router)
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
```

Apply it immediately:

```bash
sudo sysctl --system
```
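To confirm the settings in the file actually took effect, and to catch drift after a kernel or image update, here is an added check script (not part of the handbook). It parses the `.conf` file, reads each live value from `/proc/sys` and reports `OK`, `DRIFT` or `MISSING` per key; the `PROC_SYS` variable is an assumption of this script so it can be pointed at a test tree.

```bash
#!/usr/bin/env bash
# check_sysctl_conf FILE: compare every key=value in a sysctl .conf file with the
# running kernel. Live values come from /proc/sys (override with PROC_SYS=DIR).
# Returns 0 when everything matches, 1 on any drift or unsupported key, 2 if the
# file cannot be read. Usage (added example, not handbook code):
#   check_sysctl_conf /etc/sysctl.d/99-gitlab-hardening.conf
check_sysctl_conf() {
    local conf="$1"
    local procsys="${PROC_SYS:-/proc/sys}"   # assumption: allows a fake tree for tests
    local drift=0 line key want got path
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop comments and surrounding whitespace; skip blank lines
        line="${line%%#*}"
        line="$(printf '%s' "$line" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')"
        [ -n "$line" ] || continue
        key="$(printf '%s' "${line%%=*}" | sed -e 's/[[:space:]]*$//')"
        want="$(printf '%s' "${line#*=}" | sed -e 's/^[[:space:]]*//')"
        # sysctl keys use dots where /proc/sys uses directory separators
        path="$procsys/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "MISSING  $key (not supported by this kernel)"
            drift=1
            continue
        fi
        got="$(tr -s '\t' ' ' < "$path")"
        if [ "$got" = "$want" ]; then
            echo "OK       $key=$got"
        else
            echo "DRIFT    $key expected=$want actual=$got"
            drift=1
        fi
    done < "$conf"
    return "$drift"
}
```

Run it as root after `sysctl --system`; a non-zero exit makes it usable from a cron job or a configuration-management post-check.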

## Install GitLab

```bash
sudo apt-get update
sudo apt-get install -y curl openssh-server ca-certificates tzdata perl
# Adds the GitLab EE apt repository and its signing key (review the script before piping it to bash)
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash
sudo apt-get install gitlab-ee
```

Edit the GitLab configuration file:

```bash
sudo vi /etc/gitlab/gitlab.rb
```

Example of the settings to change:

```ruby
external_url 'https://gitlab.novice.solutions' # subdomain that is mapped in DNS
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.novice.solutions" # SMTP server
gitlab_rails['smtp_port'] = 587                  # SMTP port (submission port, STARTTLS)
gitlab_rails['smtp_user_name'] = "smtpuser"      # username for authenticating to the SMTP server
gitlab_rails['smtp_password'] = "mysecret"       # password for authenticating to the SMTP server
gitlab_rails['smtp_domain'] = "novice.solutions" # domain name
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true # upgrade the connection to TLS via STARTTLS
gitlab_rails['smtp_tls'] = false                 # implicit TLS is for port 465, so leave it off here
gitlab_rails['smtp_pool'] = true
```

Run the following to apply the configuration and finish the installation:

```bash
sudo gitlab-ctl reconfigure
```

After installation, the initial root password can be read from:

```bash
sudo cat /etc/gitlab/initial_root_password
```

{% hint style="info" %}
The login username is root
{% endhint %}

Then log in and disable self-service sign-up:

Click `Deactivate` > uncheck `Sign-up enabled` > click `Save`
