GitLab — Obsidian vault remote

Self-hosted GitLab CE used as the git remote for an Obsidian vault, reached from other machines over Tailscale.

Prerequisites

• Docker Desktop (Windows)
• Tailscale installed and connected on the host PC and all client machines
• 7-Zip installed (for backups)

Setup

1. Clone this repo onto the Windows PC that will host GitLab.

2. Create your .env file:

   cp .env.example .env
   

   Edit .env and set GITLAB_HOSTNAME to your Tailscale hostname (find it in the Tailscale admin panel, e.g. my-pc.tail12345.ts.net).

3. Start GitLab:

   docker compose up -d
   

   First boot takes 5–10 minutes. Watch progress with:

   docker compose logs -f gitlab
   

4. Wait until healthy:

   docker compose ps
   

   Status should show healthy.

5. Get the initial root password (valid for 24 h):

   docker exec -it gitlab cat /etc/gitlab/initial_root_password
   

6. Open http://<GITLAB_HOSTNAME>:8929, log in as root, change the password.

7. Create a regular user, sign in as that user.

8. Create an empty private project obsidian-vault (no README, no default branch).

9. Add SSH keys (ed25519) for the host PC and each client under Profile → SSH Keys.

Layout

gitlab-template/
├── docker-compose.yml       # Service definition — uses $GITLAB_HOSTNAME from .env
├── .env.example             # Copy to .env and fill in
├── .gitignore               # Excludes data/, logs/, secrets, .env
├── README.md                (this file)
├── config/                  → mounted to /etc/gitlab  (gitlab.rb; secrets generated at runtime)
├── data/                    → mounted to /var/opt/gitlab  (repos, db — gitignored)
├── logs/                    → mounted to /var/log/gitlab  (gitignored)
└── scripts/
    ├── backup.ps1                  # Weekly 7z backup, keeps 4 archives
    ├── register-backup-task.ps1   # Register backup as Windows Scheduled Task (run as Admin)
    └── firewall-rules.ps1         # Restrict ports 8929/2222 to Tailscale interface (run as Admin)

Common operations

Task	Command (run from repo root)
Start	docker compose up -d
Stop	docker compose down
Logs	docker compose logs -f gitlab
Shell	docker exec -it gitlab bash
Reconfigure	docker exec -it gitlab gitlab-ctl reconfigure
Backup now	powershell -File scripts\backup.ps1

SSH client config

Add to ~/.ssh/config on each client machine:

Host <GITLAB_HOSTNAME>
    HostName <GITLAB_HOSTNAME>
    User git
    Port 2222
    IdentityFile ~/.ssh/id_ed25519

Clone the vault with:

git clone git@<GITLAB_HOSTNAME>:<username>/obsidian-vault.git

Vault sync (Obsidian)

Both machines commit and push/pull from the same GitLab project. Tailscale must be running on the host PC for clients to reach it.

• If the PC sleeps and sync breaks, wake it — both sides resume on the next pull.
• .obsidian/workspace.json is excluded from git (churns constantly, causes merge conflicts).

Backup & restore

Backups are weekly 7z archives of config/ + data/ + logs/, stored in backups/ (gitignored). The script keeps the 4 most recent archives.

Register the scheduled task (once, as Administrator):

scripts\register-backup-task.ps1

Restore: stop the container, extract the archive over config/ + data/ + logs/, then docker compose up -d.

Firewall

To restrict ports 8929 and 2222 to the Tailscale interface only (recommended):

# Run as Administrator
scripts\firewall-rules.ps1

Upgrading GitLab

Edit the image tag in docker-compose.yml, then:

docker compose pull
docker compose up -d

Volumes persist, so data is preserved across upgrades.