Setting Up GitLab CE

A guide to setting up the GitLab CE node pxd-gitlab with Ansible and troubleshooting steps.

Projects: c2platform/phx/ansible, c2platform/phx/examples/git-lfs-and-gitlab-pages


Overview

Using the PHX development environment, the following steps are performed:

  1. Vagrant creates LXD node pxd-gitlab
  2. Vagrant uses the Vagrant Windows Sysprep Provisioner on gsd-fme-core and gsd-ad1.
  3. Vagrant runs the Ansible provisioner in the following order on nodes:
    1. On gsd-ad, the c2platform.wincore.ad collection configures the AD domain controller for the domain ad.c2platform.org.
    2. PostgreSQL 14 is installed on gsd-db1, along with a database and user with necessary privileges.
    3. On gsd-fme-core, Ansible performs the following steps:
      1. Joins the node to the Windows domain ad.c2platform.org.
      2. Installs Java using the c2platform.gis.java role.
      3. Installs Tomcat using the c2platform.gis.tomcat role.
      4. Installs FME Flow Core using the c2platform.gis.fme role.

@startuml
title GitLab CE Deployment Diagram

actor "User" as user

' Boundary to represent isolated/sandboxed environment
rectangle "Isolated Environment (Sandbox)" as sandbox {
  node "Proxy Server (Apache2)\nLXD Node: pxd-rproxy1\nUbuntu 22.04\nIP: 192.168.60.10" as rproxy {
    component "Apache2 Reverse Proxy\n(Listening on other ports)" as apache_reverse
    component "Forward Proxy\n(Listening on port 1080)" as apache_forward
  }

  node "LXD Node: pxd-gitlab\nUbuntu 22.04\nIP: 192.168.60.12" as lxd {
    folder "GitLab CE" as gitlab {
      component "Nginx Reverse Proxy\n(Listening on port 443)" as nginx_proxy
      component "GitLab CE Application\nhttps://gitlab.c2platform.org" as gitlab_app
      component "GitLab Registry\nhttps://registry.c2platform.org" as gitlab_registry
    }
  }
}

' User accesses environment ONLY through forward proxy on port 1080
user --> apache_forward : Accesses sandbox via Forward Proxy (port 1080)

' Forward proxy routes traffic to GitLab's Nginx reverse proxy inside sandbox
apache_forward --> nginx_proxy : Forwards to GitLab Nginx (port 443) within Sandbox

' Nginx reverse proxy routes to internal GitLab components
nginx_proxy --> gitlab_app : Routes to GitLab Application
nginx_proxy --> gitlab_registry : Routes to GitLab Registry

' ' Notes about sandbox and access restrictions
' note right of apache_forward
'   Forward Proxy acts as the ONLY entry point to the isolated environment.
'   Services are NOT accessible from outside without using the forward proxy.
' end note

' note right of apache_reverse
'   Reverse proxy functionality exists on pxd-rproxy1
'   for other services but is not used for GitLab access.
' end note

@enduml

Prerequisites

  • Setting Up the PHX Development Environment on Ubuntu 22.04: Set up your Ansible development desktop with Ansible, Vagrant, LXD, and VirtualBox on Ubuntu 22.04. Clone the PHX project directories to extend the base C2 development environment. Use this setup to configure essential base services, including the Microsoft AD domain controller and reverse proxy. Finally, access web-based services in the environment via a Firefox profile using the forward proxy for sandboxed access.
  • Ensure the node pxd-rproxy1 is up and running:

    vagrant up pxd-rproxy1

    See Create the Reverse Proxy and Web Proxy for more information.

Provisioning

To start and provision the virtual machine, run:

vagrant up pxd-gitlab

Bringing machine 'pxd-gitlab' up with 'lxd' provider...
==> pxd-gitlab: Machine has not been created yet, starting...
==> pxd-gitlab: Importing LXC image...
==> pxd-gitlab: Mounting shared folders...
    pxd-gitlab: /vagrant => /home/ostraaten/git/gitlab/c2/ansible-phx
==> pxd-gitlab: Waiting for machine to boot. This may take a few minutes...
    pxd-gitlab: SSH address: 10.190.101.92:22
    pxd-gitlab: SSH username: vagrant
    pxd-gitlab: SSH auth method: private key
==> pxd-gitlab: Machine booted and ready!
==> pxd-gitlab: Setting hostname...
==> pxd-gitlab: Running provisioner: shell...
    pxd-gitlab: Running: inline script
==> pxd-gitlab: Running provisioner: ansible...
    pxd-gitlab: Running ansible-playbook...
[WARNING]: Collection community.windows does not support Ansible version 2.15.0
[WARNING]: Collection ansible.windows does not support Ansible version 2.15.0
[DEPRECATION WARNING]: community.general.yaml has been deprecated. The plugin 
has been superseded by the the option `result_format=yaml` in callback plugin 
ansible.builtin.default from ansible-core 2.13 onwards. This feature will be 
removed from community.general in version 13.0.0. Deprecation warnings can be 
disabled by setting deprecation_warnings=False in ansible.cfg.

PLAY [GitLab] ******************************************************************

TASK [Gathering Facts] *********************************************************
ok: [pxd-gitlab]

TASK [c2platform.core.vagrant_hosts : Set fact vagrant_hosts_content] **********
ok: [pxd-gitlab -> localhost]

TASK [c2platform.core.vagrant_hosts : Manage hosts file of Vagrant Linux guest] ***
changed: [pxd-gitlab] => (item=/etc/hosts)

TASK [c2platform.core.server_update : include_tasks] ***************************
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/server_update/tasks/update_cache.yml for pxd-gitlab

TASK [c2platform.core.server_update : Apt update cache] ************************
changed: [pxd-gitlab]

TASK [c2platform.core.server_update : include_tasks] ***************************
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/server_update/tasks/update.yml for pxd-gitlab

TASK [c2platform.core.server_update : include_tasks] ***************************
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/server_update/tasks/debian.yml for pxd-gitlab

TASK [c2platform.core.server_update : Upgrade all packages] ********************
changed: [pxd-gitlab]

TASK [c2platform.core.server_update : Check reboot] ****************************
ok: [pxd-gitlab]

TASK [c2platform.core.server_update : Fact server_update_reboot] ***************
ok: [pxd-gitlab]

TASK [c2platform.core.bootstrap : Include package tasks] ***********************
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/bootstrap/tasks/os.yml for pxd-gitlab => (item=['nano', 'wget', 'tree', 'unzip', 'zip', 'jq', 'build-essential', 'python3-dev', 'python3-wheel', 'libsasl2-dev', 'libldap2-dev', 'libssl-dev', 'git', 'nfs-common', 'net-tools', 'telnet', 'curl', 'dnsutils', 'python2'])
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/bootstrap/tasks/os.yml for pxd-gitlab => (item=python3-pip)
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/bootstrap/tasks/cmd.yml for pxd-gitlab => (item=upgrade pip and setuptools)
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/bootstrap/tasks/pip.yml for pxd-gitlab => (item=['pyOpenSSL==22.0.0', 'psycopg2-binary', 'lxml'])
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/core/roles/bootstrap/tasks/pip.yml for pxd-gitlab => (item=['cryptography==38.0.4'])

TASK [c2platform.core.bootstrap : OS package] **********************************
changed: [pxd-gitlab] => (item=['nano', 'wget', 'tree', 'unzip', 'zip', 'jq', 'build-essential', 'python3-dev', 'python3-wheel', 'libsasl2-dev', 'libldap2-dev', 'libssl-dev', 'git', 'nfs-common', 'net-tools', 'telnet', 'curl', 'dnsutils', 'python2'])

TASK [c2platform.core.bootstrap : OS package] **********************************
ok: [pxd-gitlab] => (item=python3-pip)

TASK [c2platform.core.bootstrap : Custom command] ******************************
changed: [pxd-gitlab] => (item=upgrade pip and setuptools: "pip3 install --upgrade pip setuptools")

TASK [c2platform.core.bootstrap : PIP package] *********************************
ok: [pxd-gitlab] => (item=['pyOpenSSL==22.0.0', 'psycopg2-binary', 'lxml'])

TASK [c2platform.core.bootstrap : PIP package] *********************************
changed: [pxd-gitlab] => (item=['cryptography==38.0.4'])

TASK [c2platform.core.os_trusts : CA distribute ( Debian )] ********************
changed: [pxd-gitlab] => (item=https://letsencrypt.org/certs/isrgrootx1.pem)
changed: [pxd-gitlab] => (item=file:///vagrant/.ca/c2/c2.crt)

TASK [c2platform.core.os_trusts : Execute update-ca-certificates ( Debian )] ***
changed: [pxd-gitlab] => (item=https://letsencrypt.org/certs/isrgrootx1.pem)
changed: [pxd-gitlab] => (item=file:///vagrant/.ca/c2/c2.crt)

TASK [c2platform.core.secrets : Stat secret dir] *******************************
ok: [pxd-gitlab -> localhost] => (item=/home/ostraaten/git/gitlab/c2/ansible-phx/secret_vars/development)
ok: [pxd-gitlab -> localhost] => (item=/runner/project/secret_vars/development)

TASK [c2platform.core.secrets : Include secrets] *******************************
ok: [pxd-gitlab] => (item=/home/ostraaten/git/gitlab/c2/ansible-phx/secret_vars/development)

TASK [geerlingguy.gitlab : Include OS-specific variables.] *********************
ok: [pxd-gitlab]

TASK [geerlingguy.gitlab : Check if GitLab configuration file already exists.] ***
ok: [pxd-gitlab]

TASK [geerlingguy.gitlab : Check if GitLab is already installed.] **************
ok: [pxd-gitlab]

TASK [geerlingguy.gitlab : Install GitLab dependencies.] ***********************
changed: [pxd-gitlab]

TASK [geerlingguy.gitlab : Install GitLab dependencies (Debian).] **************
changed: [pxd-gitlab]

TASK [geerlingguy.gitlab : Download GitLab repository installation script.] ****
changed: [pxd-gitlab]

TASK [geerlingguy.gitlab : Install GitLab repository.] *************************
changed: [pxd-gitlab]
ASYNC POLL on pxd-gitlab: jid=j691457956709.16469 started=1 finished=0
ASYNC POLL on pxd-gitlab: jid=j691457956709.16469 started=1 finished=0
ASYNC POLL on pxd-gitlab: jid=j691457956709.16469 started=1 finished=0
ASYNC POLL on pxd-gitlab: jid=j691457956709.16469 started=1 finished=0
ASYNC POLL on pxd-gitlab: jid=j691457956709.16469 started=1 finished=0
ASYNC POLL on pxd-gitlab: jid=j691457956709.16469 started=1 finished=0
ASYNC POLL on pxd-gitlab: jid=j691457956709.16469 started=1 finished=0
ASYNC POLL on pxd-gitlab: jid=j691457956709.16469 started=1 finished=0
ASYNC POLL on pxd-gitlab: jid=j691457956709.16469 started=1 finished=0
ASYNC POLL on pxd-gitlab: jid=j691457956709.16469 started=1 finished=0
ASYNC POLL on pxd-gitlab: jid=j691457956709.16469 started=1 finished=0
ASYNC POLL on pxd-gitlab: jid=j691457956709.16469 started=1 finished=0
ASYNC POLL on pxd-gitlab: jid=j691457956709.16469 started=1 finished=0
ASYNC POLL on pxd-gitlab: jid=j691457956709.16469 started=1 finished=0
ASYNC POLL on pxd-gitlab: jid=j691457956709.16469 started=1 finished=0
ASYNC POLL on pxd-gitlab: jid=j691457956709.16469 started=1 finished=0
ASYNC POLL on pxd-gitlab: jid=j691457956709.16469 started=1 finished=0
ASYNC POLL on pxd-gitlab: jid=j691457956709.16469 started=1 finished=0
ASYNC POLL on pxd-gitlab: jid=j691457956709.16469 started=1 finished=0
ASYNC POLL on pxd-gitlab: jid=j691457956709.16469 started=1 finished=0
ASYNC POLL on pxd-gitlab: jid=j691457956709.16469 started=1 finished=0
ASYNC POLL on pxd-gitlab: jid=j691457956709.16469 started=1 finished=0
ASYNC POLL on pxd-gitlab: jid=j691457956709.16469 started=1 finished=0
ASYNC OK on pxd-gitlab: jid=j691457956709.16469

TASK [geerlingguy.gitlab : Install GitLab] *************************************
changed: [pxd-gitlab]

TASK [geerlingguy.gitlab : Reconfigure GitLab (first run).] ********************
changed: [pxd-gitlab]

TASK [geerlingguy.gitlab : Create GitLab SSL configuration folder.] ************
changed: [pxd-gitlab]

TASK [geerlingguy.gitlab : Create self-signed certificate.] ********************
ok: [pxd-gitlab]

TASK [geerlingguy.gitlab : Copy GitLab configuration file.] ********************
changed: [pxd-gitlab]

RUNNING HANDLER [geerlingguy.gitlab : restart gitlab] **************************
changed: [pxd-gitlab]

PLAY RECAP *********************************************************************
pxd-gitlab                 : ok=37   changed=17   unreachable=0    failed=0    skipped=31   rescued=0    ignored=0   

Verify

Next, go to https://gitlab.c2platform.org and log in as root using the password supersecret1.

Personal access token (PAT)

Now navigate to Preferences → Access tokens, log in as root, and create a PAT:

  Token name        ansible
  Expiration date   2030-01-01
  Select scopes     (Check all)

Create or edit the file group_vars/all/local_stuff.yml and configure the token, for example:

px_gitlab_pat: glpat-Qh3kcYNwwXQDYtkHrV6j

curl --request POST \
  --header "PRIVATE-TOKEN: glpat-Qh3kcYNwwXQDYtkHrV6j" \
  --data "runner_type=instance_type" \
  --url "https://gitlab.c2platform.org/api/v4/user/runners"
vagrant@pxd-gitlab:~/software$ curl --request POST \
  --header "PRIVATE-TOKEN: glpat-Qh3kcYNwwXQDYtkHrV6j" \
  --data "runner_type=instance_type" \
  --url "https://gitlab.c2platform.org/api/v4/user/runners"
{"id":1,"token":"glrt-iUFA1kJ1WRGVMz4x59o7w3Q6MQp1OjEH.01.0w1cpcpvw","token_expires_at":null}vagrant@pxd-gitlab:~/software$
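
The runner-creation call above, with the PAT read from a file and passed to curl on stdin so that it never appears in the process list or shell history. This is an added example, not part of the original guide; the PAT_FILE location and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide).
GITLAB_URL="https://gitlab.c2platform.org"            # URL used on this page
PAT_FILE="${PAT_FILE:-$HOME/.config/px_gitlab_pat}"   # hypothetical location

# True only if $1 is a regular file whose mode is exactly 600 or 400,
# i.e. nobody but the owner can read the token.
pat_file_is_private() {
  [ -n "$(find "$1" -maxdepth 0 -type f \( -perm 600 -o -perm 400 \) 2>/dev/null)" ]
}

# Extract the "token" value from the JSON returned by POST /user/runners.
# Prints nothing when the response has no token (for example an error body).
runner_token_from_json() {
  printf '%s' "$1" |
    sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Create an instance runner and print its authentication token.
create_instance_runner() {
  if ! pat_file_is_private "$PAT_FILE"; then
    echo "refusing: $PAT_FILE must be a file with mode 600 or 400" >&2
    return 1
  fi
  # printf is a shell builtin and curl reads the header from stdin
  # (--header @-), so the PAT is never an argument of any process.
  response=$(printf 'PRIVATE-TOKEN: %s\n' "$(cat "$PAT_FILE")" |
    curl --silent --show-error --fail --request POST \
      --header @- \
      --data "runner_type=instance_type" \
      --url "$GITLAB_URL/api/v4/user/runners") || return 1
  runner_token_from_json "$response"
}
```

Source the script on pxd-gitlab and call create_instance_runner after saving the PAT to the file with mode 600.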
Vagrant public key 

Troubleshooting

For help with GitLab commands, run:

gitlab --help

GitLab Pages Setup

  1. Create a public group named c2platform and a project called software.

  2. SSH into pxd-gitlab:

    vagrant ssh pxd-gitlab
    
    git config --global credential.helper "cache --timeout=36000"
    

    Clone the example repository:

    git clone https://gitlab.com/c2platform/phx/examples/git-lfs-and-gitlab-pages.git software
    cd software
    git lfs pull
    

    Note

    This is a public repository, so you won’t be asked for username and password.

    cd ~/software
    git remote rename origin c2
    git remote add origin https://gitlab.c2platform.org/c2platform/software.git
    git push --set-upstream origin --all
    git push --set-upstream origin --tags
    

Additional Information


  1. TODO explain option to set

    To retrieve the initial root password, execute:

    vagrant ssh pxd-gitlab -c "sudo cat /etc/gitlab/initial_root_password | grep Password:"
    
    ```shell
    vagrant ssh pxd-gitlab -c "sudo cat /etc/gitlab/initial_root_password | grep Password:"
    Password: L6CJP/AEZJTtyA45Hr72Q9gdj37lv9CdL+WOkkg/AqU=
    ```
    

    Next, go to https://gitlab.c2platform.org and log in as root using the retrieved password, and change the password to Supersecret.




Last modified August 27, 2025: phx gitlab draft C2-633 (4b40215)