diff --git a/head-node.scm b/head-node.scm
index 2a82389cd119c5afaa71ddb69e72792878750fae..170cd4b41a1a02ab9e99acc7b679625cb9a63164 100644
--- a/head-node.scm
+++ b/head-node.scm
@@ -368,6 +368,32 @@ export CUIRASS_LOGGING_LEVEL=${CUIRASS_LOGGING_LEVEL:-debug}\n"
                                     "nginx-config/nginx-locations.conf")
                                  "nginx-locations.conf")))))
 
+(define %nginx-gitlab-token
+  ;; Create /etc/nginx-tokens with a random token if it doesn't exist.
+  (simple-service 'nginx-gitlab-token
+                  activation-service-type
+                  #~(begin
+                      (define file "/etc/nginx-tokens")
+                      (define (make-random-list n)
+                            (if (= n 0)
+                                '()
+                                (cons (integer->char
+                                       (+ (random 26) 97)) ;; ASCII code for a-z
+                                      (make-random-list (- n 1)))))
+                      ;; token is a random lowercase alphabetical
+                      ;; string containing 32 characters. This
+                      ;; corresponds to 1.90172e+45 different
+                      ;; combinations.
+                      (define token
+                        (list->string (make-random-list 32)))
+
+                      (unless (file-exists? file)
+                        (call-with-output-file file
+                          (lambda (port)
+                            (format port "set $GITLAB_TOKEN ~a;~%" token)
+                            ;; Ensure that the file is only readable by its owner.
+                            (chmod port #o600)))))))
+
 (define %nginx-mime-types
   ;; Provide /etc/nginx/mime.types (and a bunch of other files.)
   (simple-service 'nginx-mime.types
@@ -476,6 +502,7 @@ export CUIRASS_LOGGING_LEVEL=${CUIRASS_LOGGING_LEVEL:-debug}\n"
                            (file (file-append %nginx-config
                                               "/nginx.conf"))))
                  %nginx-mime-types
+                 %nginx-gitlab-token
 
                  (service certbot-service-type
                           (certbot-configuration
diff --git a/nginx-config/nginx-locations.conf b/nginx-config/nginx-locations.conf
index 760b2a702f810020f8789bfca78f146126edfc5b..17358c303c28e1f736732c394af7d984fad5a80c 100644
--- a/nginx-config/nginx-locations.conf
+++ b/nginx-config/nginx-locations.conf
@@ -11,6 +11,15 @@ location = /nix-cache-info { proxy_pass http://localhost:3000; }
 
 # Cuirass.
 
+# The included file should define the variable $GITLAB_TOKEN using the
+# set directive: "set $GITLAB_TOKEN value;". It should be created
+# manually.
+include /etc/nginx-tokens;
+location ~ ^/admin/gitlab/event {
+    # Filter using Gitlab token
+    if ($http_x_gitlab_token != $GITLAB_TOKEN) { return 403; }
+    proxy_pass http://localhost:8081;
+}
 location ~ ^/admin {
     # Disallow access to unauthenticated clients.
     if ($ssl_client_verify != SUCCESS) { return 403; }