[SAC] Mattermost/GitLab (was: replacing IRC with gitter)

Sandro Santilli strk at kbt.io
Fri Sep 2 03:36:27 PDT 2016


Forgot to mention: I've initialized a git repository
in /etc/gitlab, so we can track changes to the gitlab configuration
file. I believe we should also push that repo to a private Gogs
(or GitLab) repository, so all GitLab administrators have an easier
way to get a clone, and reuse the configuration when (and if)
the GitLab instance goes official.

--strk;

On Fri, Sep 02, 2016 at 12:32:12PM +0200, Sandro Santilli wrote:
> On Fri, Sep 02, 2016 at 11:33:43AM +0200, Sandro Santilli wrote:
> > On Fri, Sep 02, 2016 at 10:33:06AM +0200, Björn Harrtell wrote:
> > 
> > > I've completed the setup and Mattermost seems to be ready for evaluation.
> > > The URL to go to is https://mattermost.osgeo.kbt.io and login via GitLab
> > > using OSGeo LDAP credentials should work.
> > 
> > Two points from first impression:
> > 
> >  1) SSL certificate needs to be a trusted one
> 
> I've taken care of this, your browser should now not complain
> upon visiting https://mattermost.osgeo.kbt.io. Let me know if
> it does.
> 
> Björn: this implied:
> 
>  1) Configuring nginx to use /var/www/letsencrypt for /.well-known (gitlab.rb):
>     mattermost_nginx['custom_gitlab_mattermost_server_config'] = "location ^~ /.well-known {\n alias /var/www/letsencrypt/.well-known;\n}\n"
> 
>  2) Obtaining the certificate:
>     certbot certonly --webroot -d mattermost.osgeo.kbt.io --webroot-path=/var/www/letsencrypt/
> 
>  3) Configuring nginx to use letsencrypt certificates (gitlab.rb):
>     mattermost_nginx['ssl_certificate'] = "/etc/letsencrypt/live/mattermost.osgeo.kbt.io/fullchain.pem"
>     mattermost_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/mattermost.osgeo.kbt.io/privkey.pem"
> 
> Since I was at it, I also enforced redirection from http to https:
>     mattermost_nginx['redirect_http_to_https'] = true
> 
> This was done following this guide:
> http://stackoverflow.com/questions/34189199/how-do-i-use-let-s-encrypt-with-gitlab
> 
> I did not touch the gitlab section (nginx['ssl_certificate_key']...)
> as for now the browser hits the git.osgeo.org proxy first, so it doesn't
> affect user experience.
> 
> Letsencrypt certificates expire every 3 months, I think.
> Running 'certbot renew' periodically should take care of renewing.
> I did not set up a cron job as the VPS might expire before the certificate.
> 
> --strk;
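
A consistency check for the gitlab.rb settings quoted above, as an added example that is not part of the original message or of GitLab's own tooling: it evaluates the config the way a Ruby config file is read and confirms that the ACME alias matches the certbot webroot, that the certificate paths point at the live/ directory for the domain, and that the redirect is on. The class, function and constant names are hypothetical, and the sample config is constructed from the lines in the message.

```ruby
# Added example; GitlabRbSandbox and lint_mattermost_tls are hypothetical names.
# gitlab.rb is plain Ruby, so evaluate it against a stand-in object where any
# bare word (mattermost_nginx, nginx, ...) returns that section's Hash.
# instance_eval runs the file as code: only feed it a config you already trust.
class GitlabRbSandbox
  attr_reader :sections

  def initialize
    @sections = Hash.new { |h, k| h[k] = {} }
  end

  def method_missing(name, *_args)
    @sections[name.to_s]
  end

  def respond_to_missing?(*_args)
    true
  end
end

ACME_ALIAS_RE = %r!location\s+\^~\s+/\.well-known\s*\{\s*alias\s+([^;\s]+);!

# Returns a list of problems; an empty list means the pieces agree.
def lint_mattermost_tls(config_text, domain:, webroot:)
  sandbox = GitlabRbSandbox.new
  sandbox.instance_eval(config_text)
  cfg = sandbox.sections['mattermost_nginx']
  live = "/etc/letsencrypt/live/#{domain}"
  acme_alias = cfg['custom_gitlab_mattermost_server_config'].to_s[ACME_ALIAS_RE, 1]
  checks = {
    # certbot's webroot and the nginx alias must be the same directory, or the
    # challenge file certbot writes is never served and issuance/renewal fails.
    'ACME alias does not match certbot webroot' => acme_alias == File.join(webroot, '.well-known'),
    # The live/ symlinks follow renewals; a copied file would go stale.
    'ssl_certificate is not live fullchain.pem' => cfg['ssl_certificate'] == "#{live}/fullchain.pem",
    'ssl_certificate_key is not live privkey.pem' => cfg['ssl_certificate_key'] == "#{live}/privkey.pem",
    'redirect_http_to_https is not true' => cfg['redirect_http_to_https'] == true
  }
  checks.reject { |_message, ok| ok }.keys
end

# Constructed sample: the four settings quoted in the message above.
SAMPLE_GITLAB_RB = <<~'RB'
  mattermost_nginx['custom_gitlab_mattermost_server_config'] = "location ^~ /.well-known {\n alias /var/www/letsencrypt/.well-known;\n}\n"
  mattermost_nginx['ssl_certificate'] = "/etc/letsencrypt/live/mattermost.osgeo.kbt.io/fullchain.pem"
  mattermost_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/mattermost.osgeo.kbt.io/privkey.pem"
  mattermost_nginx['redirect_http_to_https'] = true
RB

puts lint_mattermost_tls(SAMPLE_GITLAB_RB, domain: 'mattermost.osgeo.kbt.io', webroot: '/var/www/letsencrypt/').inspect
```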

