New World gitlab server
Notes
- In AWS, set up the EC2 instance on the sydney-hosts subnetwork with the free-for-all security group and a 1 TB hard disk
- After first boot, follow Initial setup of a Debian AMI instance
- Log in and set the root password
- Set /etc/hostname to the server name
- Install the krb5-user package using apt-get and answer:
  - Realm = AD.UNSW.EDU.AU
  - Servers = ad.unsw.edu.au
  - No administration server
- Add to /etc/dhcp/dhclient.conf (after the main stanza):
    supersede domain-name-servers 129.94.0.196, 129.94.0.197;
    supersede domain-search "cse.unsw.edu.au";
    supersede domain-name "cse.unsw.edu.au";
- Reboot
- Check the Kerberos configuration by getting a ticket for a zID with kinit, and then running kdestroy to get rid of it
- Run apt-get install ca-certificates perl
- Follow https://about.gitlab.com/install/#debian (omit the Postfix step for now)
  - Note that gitlab-ee is *not* installed on the AWS instance at time of writing. gitlab-ce, however, is installed.
- When using the unattended-upgrades package, add the following to /etc/apt/apt.conf.d/50unattended-upgrades, under Unattended-Upgrade::Origins-Pattern, to allow unattended updates of gitlab as well as Debian:
    "origin=packages.gitlab.com/gitlab/gitlab-ce,codename=${distro_codename},label=gitlab-ce";
- Uses LetsEncrypt to get an SSL certificate for web access
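For reference, this is how the complete Origins-Pattern stanza in /etc/apt/apt.conf.d/50unattended-upgrades looks once the GitLab origin is added. It is an added illustration, not a copy of the server's file; the Debian-Security line is the stock Debian default and is assumed to already be present in the file.

```text
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
        "origin=packages.gitlab.com/gitlab/gitlab-ce,codename=${distro_codename},label=gitlab-ce";
};
```

Each pattern is a quoted string terminated by a semicolon inside the braces; after editing, `unattended-upgrade --dry-run --debug` lists which origins are allowed, which is the quickest way to confirm the GitLab origin was picked up.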
Network configuration
- The host is in AWS. It is called "nw-syd-gitlab" and is in hostlist.csv (cfengine) to reserve its internal IP address against use by any other CSE-managed host.
- This IP address is 10.197.85.252. Because it is in hostlist.csv, there will be an entry for it in /etc/hosts on all cfengine-managed hosts (i.e., login and VLAB servers, lab computers, etc.). Problematically, the routing required to allow it to be accessed from the outside world means that to access it from, basically, anywhere (including CSE subnetworks) users should use its public IP address or DNS name (see next) and not its internal IP address or name.
- The server has a public IP address (52.65.64.190) and a corresponding DNS entry of "nw-syd-gitlab.cseunsw.tech".
- The server is configured with a static IP address and static routing (to allow it to talk to the outside world). DHCP needs to be disabled. See /etc/network/interfaces.d/eth0, reproduced below. Note that the default route points to AWS' gateway, not CSE's gateway/VPN endpoint.
/etc/network/interfaces.d/eth0
 # Comment out the active line in the following file so
 # there's only our (non-DHCP) entry for eth0 for the
 # system to set up
 #
 # /etc/udev/rules.d/75-cloud-ifupdown.rules
 #
 # ----------
 #
 # All clients should be accessing this server via its
 # public IP address (same as DNS for gitlab.cseunsw.tech)
 # The routing below ensures that traffic to the AD and
 # DNS servers which *this* host uses go through the CSE
 # tunnel and thus appears to these servers to be from a
 # UNSW-based host so the lookups give the appropriate
 # result
 
 auto eth0
 allow-hotplug eth0
 iface eth0 inet static
     #
     address 10.197.85.252/24
     gateway 10.197.85.1
     #
     # AD and UNSW DNS server traffic needs to go through the
     # tunnel so that the lookup is valid for a UNSW-based host
     up /sbin/ip route add 10.116.160.0/24 via 10.197.85.5
     up /sbin/ip route add 10.157.49.0/24 via 10.197.85.5
     up /sbin/ip route add 131.236.3.0/24 via 10.197.85.5
     up /sbin/ip route add 129.94.0.0/24 via 10.197.85.5
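The whole point of the stanza above is that AD and UNSW DNS traffic leaves via the tunnel endpoint (10.197.85.5) while everything else uses the AWS gateway; if one of the `up` routes silently fails (for example after the cloud udev rule re-enables DHCP on the interface), lookups still work but come from the wrong place. The following script is an added example, not part of the wiki page or of CSE's tooling: it parses the `up /sbin/ip route add ... via ...` lines and the `gateway` line out of the interfaces file, parses `ip route show` output, and reports every intended route that is missing or points at a different gateway. Both the stanza copy and the `ip route show` output embedded below are constructed for the example (the sample output deliberately has one route missing and one via the wrong gateway).

```python
"""Cross-check the static routes in an ifupdown stanza against the live
routing table.  Added example: parses `up /sbin/ip route add ...` lines and
the `gateway` line from the interfaces file, parses `ip route show` output,
and lists intended routes that are absent or use the wrong gateway."""

import re
from ipaddress import ip_network

# Constructed copy of the routing-relevant lines of the stanza on this page.
INTERFACES_ETH0 = """\
auto eth0
allow-hotplug eth0
iface eth0 inet static
    address 10.197.85.252/24
    gateway 10.197.85.1
    up /sbin/ip route add 10.116.160.0/24 via 10.197.85.5
    up /sbin/ip route add 10.157.49.0/24 via 10.197.85.5
    up /sbin/ip route add 131.236.3.0/24 via 10.197.85.5
    up /sbin/ip route add 129.94.0.0/24 via 10.197.85.5
"""

# Constructed `ip route show` output: the 129.94.0.0/24 tunnel route is
# absent and 10.157.49.0/24 goes via the AWS gateway instead of the tunnel.
IP_ROUTE_SHOW = """\
default via 10.197.85.1 dev eth0
10.116.160.0/24 via 10.197.85.5 dev eth0
10.157.49.0/24 via 10.197.85.1 dev eth0
10.197.85.0/24 dev eth0 proto kernel scope link src 10.197.85.252
131.236.3.0/24 via 10.197.85.5 dev eth0
"""

# `up <path>ip route add <dest> via <gw>` lines inside the iface stanza.
UP_ROUTE_RE = re.compile(
    r"^\s*up\s+\S*ip\s+route\s+add\s+(\S+)\s+via\s+(\S+)", re.M)
# The stanza's `gateway` line, which becomes the default route.
GATEWAY_RE = re.compile(r"^\s*gateway\s+(\S+)", re.M)
# Gatewayed routes in `ip route show`; on-link routes have no `via`.
ROUTE_LINE_RE = re.compile(r"^(default|\S+)\s+via\s+(\S+)", re.M)


def expected_routes(interfaces_text):
    """Return {destination: gateway} that the stanza intends to install,
    including the default route taken from the `gateway` line."""
    routes = {}
    m = GATEWAY_RE.search(interfaces_text)
    if m:
        routes["default"] = m.group(1)
    for dest, via in UP_ROUTE_RE.findall(interfaces_text):
        # Normalise the prefix so "129.94.0.0/24" and "129.94.0.1/24" compare equal.
        routes[str(ip_network(dest, strict=False))] = via
    return routes


def live_routes(ip_route_text):
    """Return {destination: gateway} for every gatewayed route in
    `ip route show` output."""
    routes = {}
    for dest, via in ROUTE_LINE_RE.findall(ip_route_text):
        key = dest if dest == "default" else str(ip_network(dest, strict=False))
        routes[key] = via
    return routes


def route_discrepancies(interfaces_text, ip_route_text):
    """Compare intended and live routes.  Returns a sorted list of
    (destination, expected_gateway, actual_gateway_or_None) tuples;
    an empty list means the routing table matches the stanza."""
    want = expected_routes(interfaces_text)
    have = live_routes(ip_route_text)
    return sorted(
        (dest, gw, have.get(dest))
        for dest, gw in want.items()
        if have.get(dest) != gw
    )


if __name__ == "__main__":
    problems = route_discrepancies(INTERFACES_ETH0, IP_ROUTE_SHOW)
    for dest, want, have in problems:
        print(f"{dest}: expected via {want}, found {have or 'no route'}")
    if not problems:
        print("routing table matches the interfaces stanza")
```

On the real host you would replace the two embedded strings with `open("/etc/network/interfaces.d/eth0").read()` and `subprocess.check_output(["ip", "route", "show"], text=True)`, and run it from cron or the snmpd extend hook so a lost tunnel route is noticed before users report odd AD behaviour. The check is read-only by design; it never modifies the routing table.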
Monitoring
- Add the snmpd package
- /etc/snmp/snmpd.conf