diff --git a/knowledge base/cloud computing/aws/ec2.md b/knowledge base/cloud computing/aws/ec2.md
index da5a194..f38deff 100644
--- a/knowledge base/cloud computing/aws/ec2.md
+++ b/knowledge base/cloud computing/aws/ec2.md
@@ -29,8 +29,13 @@ aws ec2 describe-instances --output text \
'Name=instance-state-name,Values=running' \
| xargs -ot aws ssm start-session --target
-# Describe images by ID.
+# Show images details.
aws ec2 describe-images --image-ids 'ami-8b8c57f8'
+aws ec2 describe-images --filters \
+ 'Name=name,Values=["al2023-ami-*"]' \
+ 'Name=owner-alias,Values=["amazon"]' \
+ 'Name=architecture,Values=["arm64","x86_64"]' \
+ 'Name=block-device-mapping.volume-type,Values=["gp3"]'
```
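Review bot: The added filter call constrains the publisher with `'Name=owner-alias,Values=["amazon"]'`, while the DescribeImages documentation recommends the Owner request parameter over that filter. Use `--owners 'amazon'` in the example, because a name wildcard such as `al2023-ami-*` matches public images from any account whenever the owner constraint is dropped or mistyped. The call also returns every matching image, so a `--query` that sorts on `CreationDate` would make it usable for selecting a single AMI, and the comment reads better as "Show image details".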
@@ -48,6 +53,8 @@ See [EBS].
### Sources
- [Using instance profiles]
+- [DescribeImages] API
+- [`describe-images`][describe-images] CLI subcommand
+[describe-images]: https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-images.html
+[describeimages]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeImages.html
[using instance profiles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
diff --git a/knowledge base/cloud computing/aws/ssm.md b/knowledge base/cloud computing/aws/ssm.md
index 4309251..fec4056 100644
--- a/knowledge base/cloud computing/aws/ssm.md
+++ b/knowledge base/cloud computing/aws/ssm.md
@@ -8,10 +8,30 @@
## TL;DR
+
+ Requirements
+
+- The IAM instance profile must have the correct permissions.
+ FIXME: specify.
+- One's instance's security group and VPC must allow HTTPS outbound traffic on port 443 to the Systems Manager's
+ endpoints:
+
+ - `ssm.eu-west-1.amazonaws.com`
+ - `ec2messages.eu-west-1.amazonaws.com`
+ - `ssmmessages.eu-west-1.amazonaws.com`
+
+ If the VPC does not have internet access, one must have enabled VPC endpoints to allow that outbound traffic from the
+ instance.
+- Also see
+
+
Usage
```sh
+# Get connection statuses.
+aws ssm get-connection-status --target 'instance-id'
+
# Start sessions.
aws ssm start-session --target 'instance-id'
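Review bot: The first requirement is committed with `FIXME: specify.`, which leaves the one access-control detail in this list undefined. Name the permissions the instance profile needs (the AWS managed policy `AmazonSSMManagedInstanceCore` is the usual baseline) or link to the page that does. The three endpoints are hardcoded to `eu-west-1` and should use a region placeholder, and the last bullet, `Also see`, ends without a target.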
@@ -23,14 +43,23 @@ aws ssm start-session \
```
-
Real world use cases
+
+```sh
+# Connect to instances if they are available.
+instance_id='i-08fc83ad07487d72f' \
+&& eval $(aws ssm get-connection-status --target "$instance_id" --query "Status=='connected'" --output text) \
+&& aws ssm start-session --target "$instance_id" \
+|| (echo "instance ${instance_id} not available" >&2 && false)
+```
+
## Gotchas
-- SSM starts shell sessions under `/usr/bin` ([source][how can i change the session manager shell to bash on ec2 linux instances?]):
+- SSM starts shell sessions under `/usr/bin`
+ ([source][how can i change the session manager shell to bash on ec2 linux instances?]):
> **Other shell profile configuration options**
> By default, Session Manager starts in the "/usr/bin" directory.
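Review bot: The `eval $(aws ssm get-connection-status … --output text)` line executes whatever the CLI prints as a shell command, which is both fragile and a bad pattern to copy. With `--query "Status=='connected'"` the text output is `True` or `False`, and neither is a command on a case-sensitive system, so the chain fails even when the instance is connected. Compare the string instead: `[ "$(aws ssm get-connection-status --target "$instance_id" --query 'Status' --output text)" = 'connected' ]`. Because the chain is `a && b && c || d`, a session that ends with a non-zero exit status also prints "not available"; an explicit `if` would separate the two cases. The instance ID looks like a real one and could be replaced with a placeholder.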
@@ -38,7 +67,8 @@ aws ssm start-session \
## Integrate with Ansible
Create a dynamic inventory named `aws_ec2.yml`.
-It needs to be named like that to be found by the ['community.aws.aws_ssm' connection plugin][community.aws.aws_ssm connection].
+It needs to be named like that to be found by the
+['community.aws.aws_ssm' connection plugin][community.aws.aws_ssm connection].
```yml
# File: 'aws_ec2.yml'.
diff --git a/knowledge base/gitlab.md b/knowledge base/gitlab.md
index e3a2169..f2f0ff1 100644
--- a/knowledge base/gitlab.md
+++ b/knowledge base/gitlab.md
@@ -79,6 +79,10 @@ sudo gitlab-backup create BACKUP='prefix_override' STRATEGY='copy'
# See https://docs.gitlab.com/ee/administration/backup_restore/backup_gitlab.html#excluding-specific-data-from-the-backup
sudo gitlab-backup create … \
SKIP='db,repositories,uploads,builds,artifacts,pages,lfs,terraform_state,registry,packages,ci_secure_files'
+
+# Package upgrade.
+sudo yum check-update
+tmux new-session -A -s 'gitlab-upgrade' "sudo yum update 'gitlab-ee'"
```
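Review bot: The `Package upgrade.` lines run `yum update 'gitlab-ee'` against whatever version the repository currently offers, with no backup step in front of them. The `gitlab-backup create` commands sit directly above, so add a line that takes a backup before the update, and mention checking the supported upgrade path when the installed version is several releases behind.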
diff --git a/knowledge base/systemd.md b/knowledge base/systemd.md
index 503a538..f73cf5f 100644
--- a/knowledge base/systemd.md
+++ b/knowledge base/systemd.md
@@ -46,6 +46,9 @@ systemctl --user disable --now 'davmail.service'
# Check a service is currently active.
systemctl is-active 'wpa_supplicant.service'
+# Check a service is currently enabled.
+systemctl is-enabled 'wpa_supplicant.service'
+
# Reboot the system.
systemctl reboot
diff --git a/snippets/gitlab.omnibus.install.sh b/snippets/gitlab.omnibus.install.sh
new file mode 100644
index 0000000..31481a0
--- /dev/null
+++ b/snippets/gitlab.omnibus.install.sh
@@ -0,0 +1,47 @@
+#!sh
+
+# Instance OS: AmazonLinux 2023
+# Instance size: t4g.xlarge
+# Source: https://about.gitlab.com/install/#amazonlinux-2023
+
+sudo systemctl is-active sshd.service
+sudo systemctl is-enabled sshd.service
+sudo systemctl enable --now 'sshd.service'
+
+# Firewalld was not available on the instance
+# ---
+# sudo systemctl enable --now 'firewalld.service'
+# sudo firewall-cmd --permanent --add-service=http
+# sudo firewall-cmd --permanent --add-service=https
+# sudo systemctl reload firewalld.service
+
+# Can be avoided if emails are not used.
+sudo dnf -y install 'postfix'
+sudo systemctl enable --now 'postfix.service'
+
+# Should have been `curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.rpm.sh | bash`, but
+# blindly installing stuff from the Internet just sucks.
+# Soooo, following their script…
+source '/etc/os-release'
+os="${ID}"
+dist="${VERSION_ID}"
+base_url='https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/config_file.repo'
+curl -sSf "${base_url}?os=${os}&dist=${dist}&source=script" | sudo tee '/etc/yum.repos.d/gitlab_gitlab-ee.repo'
+dnf -q makecache -y --disablerepo='*' --enablerepo='gitlab_gitlab-ee'
+dnf -q makecache -y --disablerepo='*' --enablerepo='gitlab_gitlab-ee-source'
+
+# For 'https://…' URLs, the package will automatically request a certificate with Let's Encrypt during installation.
+# This requires inbound HTTP access and a valid hostname. You can also use your own certificate.
+# To avoid this, just use 'http://…' without the final 's'.
+sudo EXTERNAL_URL="http://ip-172-31-73-256.eu-south-2.compute.internal" dnf install -y 'gitlab-ee'
+
+# File automatically removed after 24h.
+sudo cat '/etc/gitlab/initial_root_password'
+
+# Should one need to tune the configuration.
+sudo dnf -y install 'vim'
+sudo vim '/etc/gitlab/gitlab.rb'
+sudo gitlab-ctl check-config
+sudo gitlab-ctl reconfigure
+
+xdg-open 'http://ip-172-31-73-256.eu-south-2.compute.internal'
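Review bot: The `curl -sSf … | sudo tee '/etc/yum.repos.d/gitlab_gitlab-ee.repo'` line writes a repository definition fetched from the network straight into the package manager's configuration, which is the same unreviewed trust step the comment above it rejects. Download it to a temporary file, inspect the `baseurl` and GPG settings it carries, then install it. The two `dnf -q makecache` lines lack `sudo`, unlike every other privileged call in the file. `#!sh` is not an absolute interpreter path and `source` is not POSIX, so use `#!/usr/bin/env bash` or `.` instead. `EXTERNAL_URL="http://…"` makes the instance serve logins and tokens in plaintext, which the comment should state as the cost of skipping the certificate. The hostname `ip-172-31-73-256` contains an octet above 255; if that is deliberate redaction, a placeholder would be clearer.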
diff --git a/snippets/gitlab.omnibus.reconfigure.sh b/snippets/gitlab.omnibus.reconfigure.sh
new file mode 100644
index 0000000..51f7988
--- /dev/null
+++ b/snippets/gitlab.omnibus.reconfigure.sh
@@ -0,0 +1,6 @@
+#!sh
+
+sudo vim '/etc/gitlab/gitlab.rb'
+sudo gitlab-ctl check-config
+sudo gitlab-ctl diff-config # if one really needs to
+sudo gitlab-ctl reconfigure
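Review bot: `#!sh` on the first line is not an absolute interpreter path, so the script cannot be executed directly; use `#!/usr/bin/env sh`. Since the file edits `/etc/gitlab/gitlab.rb` in place before `gitlab-ctl reconfigure`, a line that copies the current file aside first would give a rollback point if `check-config` passes but the reconfigure does not behave as expected.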
diff --git a/snippets/gitlab.sh b/snippets/gitlab.omnibus.upgrade.sh
similarity index 100%
rename from snippets/gitlab.sh
rename to snippets/gitlab.omnibus.upgrade.sh