Deploy GitLab CE with reverse proxy and Tailscale integration in homelab infrastructure
- Updated `CLAUDE.md` with comprehensive deployment guides
- Added Terraform deployment options and service access patterns
- Documented security requirements and authentication flows
- Created encrypted Ansible vault (`ansible-infrastructure/inventory/group_vars/all/vault.yml`)
- Implemented secure password generation patterns
- Fixed hardcoded password security vulnerability
- Configured 1Password SSH agent integration
- VM Created: 10.203.3.60 (manual deployment)
- Services Running: GitLab CE + Caddy reverse proxy via Docker Compose
- Status: HTTP → HTTPS redirect working (Caddy responding)
- Root Password: Stored in encrypted Ansible vault
- SSH Access: Port 2222 for Git operations
- DNS Manager (`scripts/dns-manager.py`): Complete Technitium DNS automation
- UniFi Manager (`scripts/unifi-manager.py`): Network device management with CSV support
- Deployment Scripts: Automated GitLab stack deployment
- Terraform configuration for reproducible deployments
- Ansible playbooks for service configuration
- Proper directory structure and collection organization
- Root Cause: Dotfiles XDG compliance changes added `IdentitiesOnly yes`
- Impact: Blocked all Terraform and Ansible operations
- Solution: Used `-o IdentitiesOnly=no` to allow 1Password SSH agent keys
- User Insight: "You know what - I got help with my dotfiles earlier today"
- Error: "VM.Monitor permission missing"
- Solution: Created `terraform@pve` service user with proper API token
- Result: Switched to manual VM deployment approach instead
- Issue: Almost pushed hardcoded passwords to public GitHub
- Fix: Implemented comprehensive Ansible Vault encryption
- Pattern: `{{ vault_variable | default(lookup('password', '/dev/null length=20 chars=ascii_letters,digits')) }}`
- DNS Configuration: Set up `gitlab.doofus.co` DNS records
- Tailscale Integration: Configure Tailscale on GitLab VM for `gitlab.rawls.ts.net` access
- Service Testing: Verify GitLab web interface and Git operations
- SSL Certificates: Confirm Caddy automatic HTTPS is working
- Initial Configuration: Complete GitLab admin setup
| CONTAINER | STATUS | PORTS |
|---|---|---|
| caddy | Up (1 minute) | 80:80, 443:443 |
| gitlab | Up (health: starting) | 2222:22 |
- External: https://gitlab.doofus.co
- Tailscale: https://gitlab.rawls.ts.net
- SSH Git: `git@gitlab.doofus.co:2222`
- VM SSH: `ssh iac@10.203.3.60` (needs key setup)
- HTTP (80): ✅ Redirects to HTTPS
- HTTPS (443): ⏳ Needs further testing
- Tailscale: ❌ VM not yet joined to network
- `CLAUDE.md`: Enhanced documentation
- `ansible-infrastructure/inventory/group_vars/all/vault.yml`: Secure credentials
- `terraform/gitlab/`: Complete infrastructure as code
- `scripts/`: DNS and UniFi management tools
- `DEPLOYMENT-STATUS.md`: Real-time deployment tracking
- SSH Agent Integration: 1Password SSH agent requires careful configuration
- Dotfiles Impact: System configuration changes can break automation workflows
- Security First: Vault encryption must be implemented before any deployment
- Proxmox Permissions: Service users need specific API token scopes
- Manual Fallback: Always have manual deployment option when automation fails
Successfully deployed GitLab infrastructure stack with proper security practices, comprehensive documentation, and automation tooling. Ready for final configuration and testing phase.
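The commit describes a vault-or-generated password pattern but does not show where it sits in a play. The following is an added example, not code from this repository: an Ansible play that renders the `.env` file consumed by the GitLab/Caddy Docker Compose stack using that pattern. The variable `vault_gitlab_root_password`, the path `/opt/gitlab-stack`, the host group `gitlab` and the `.env` key names are assumptions for illustration; only the hostname, SSH port and the Jinja expression come from the commit.

```yaml
# Added example (not part of the commit): Ansible play that applies the
# vault-or-generated password pattern when writing the Docker Compose .env.
# Assumed names: vault_gitlab_root_password, gitlab_stack_dir, the .env keys.
---
- name: Render GitLab stack environment file
  hosts: gitlab
  become: true
  vars:
    gitlab_stack_dir: /opt/gitlab-stack          # assumed path
    # Prefer the value from the encrypted vault file
    # (inventory/group_vars/all/vault.yml). The fallback generates a random
    # 20-character value; because the lookup path is /dev/null, that value is
    # NOT persisted, so each run without the vault variable yields a new one.
    gitlab_root_password: >-
      {{ vault_gitlab_root_password
         | default(lookup('password', '/dev/null length=20 chars=ascii_letters,digits')) }}
  tasks:
    - name: Warn when the vault value is absent so the random fallback is noticed
      ansible.builtin.debug:
        msg: "vault_gitlab_root_password is not defined; a one-off random password will be used"
      when: vault_gitlab_root_password is not defined

    - name: Ensure stack directory exists
      ansible.builtin.file:
        path: "{{ gitlab_stack_dir }}"
        state: directory
        mode: "0750"

    - name: Write .env consumed by docker compose (kept out of git)
      ansible.builtin.copy:
        dest: "{{ gitlab_stack_dir }}/.env"
        mode: "0600"
        content: |
          GITLAB_ROOT_PASSWORD={{ gitlab_root_password }}
          GITLAB_HOSTNAME=gitlab.doofus.co
          GITLAB_SSH_PORT=2222
      no_log: true          # keep the secret out of Ansible's task output
```

The vault file itself is created with `ansible-vault create inventory/group_vars/all/vault.yml` and the play is run with `--ask-vault-pass` (or `--vault-password-file`), so only ciphertext ever reaches the repository; the `no_log` and `0600` settings keep the decrypted value out of logs and world-readable files on the VM. The `/dev/null` fallback is useful for a first boot but should be treated as a signal that the vault entry is missing, not as the long-term credential.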