diff --git a/src/gitea/constants-service.conf b/src/gitea/constants-service.conf
new file mode 100644
index 0000000..09949e8
--- /dev/null
+++ b/src/gitea/constants-service.conf
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Defines the IP from the SQL server
+GITEA_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+GITEA_DB_PORT="5432"
+
+# Defines the name from the SQL database
+GITEA_DB_NAME="gitea"
+
+# Defines the name from the SQL user
+GITEA_DB_USR="gitea"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+GITEA_DB_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
\ No newline at end of file
diff --git a/src/gitea/install-service.sh b/src/gitea/install-service.sh
new file mode 100644
index 0000000..9c43322
--- /dev/null
+++ b/src/gitea/install-service.sh
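Review bot: `GITEA_DB_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"` draws a fresh random value every time this file is sourced, so if any script sources constants-service.conf again after install-service.sh has created the database role, it will hold a password that no longer matches the one stored in PostgreSQL and written to /etc/gitea/app.ini; the generated value should be persisted on first use, or the variable left for the installer to set once, rather than regenerated on every source. The `cat /dev/urandom |` prefix is also a needless extra process; `tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 32` reads the device directly and yields the same 32-character string from the same alphabet without depending on `fold`. Separately, `LXC_UNPRIVILEGED="0"` (a privileged container) together with `LXC_NESTING="1"` gives the Gitea container more reach into the host kernel than a web service plus PostgreSQL appears to need; if nothing in install-service.sh actually requires it, `LXC_UNPRIVILEGED="1"` is the safer default and the comment above it should then say why nesting is still needed.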
@@ -0,0 +1,171 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+source /root/zamba.conf
+source /root/constants-service.conf
+
+wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
+echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
+
+wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
+echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql nginx git ssl-cert unzip zip
+
+timedatectl set-timezone ${LXC_TIMEZONE}
+
+systemctl enable --now postgresql
+
+su - postgres < /etc/systemd/system/gitea.service
+[Unit]
+Description=Gitea
+After=syslog.target
+After=network.target
+After=postgresql.service
+
+[Service]
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=/${LXC_SHAREFS_MOUNTPOINT}/
+ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
+Restart=always
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/${LXC_SHAREFS_MOUNTPOINT}/
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat << EOF > /etc/gitea/app.ini
+RUN_MODE = prod
+RUN_USER = git
+
+[repository]
+ROOT = /${LXC_SHAREFS_MOUNTPOINT}/git/repositories
+
+[repository.local]
+LOCAL_COPY_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea/uploads
+
+[database]
+DB_TYPE=postgres
+HOST=localhost
+NAME=${GITEA_DB_NAME}
+USER=${GITEA_DB_USR}
+PASSWD=${GITEA_DB_PWD}
+SSL_MODE=disable
+
+[server]
+APP_DATA_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea
+DOMAIN = ${LXC_HOSTNAME}.${LXC_DOMAIN}
+SSH_DOMAIN = ${LXC_HOSTNAME}.${LXC_DOMAIN}
+HTTP_PORT = 3000
+ROOT_URL = http://${LXC_HOSTNAME}.${LXC_DOMAIN}/
+DISABLE_SSH = false
+SSH_PORT = 11122
+SSH_LISTEN_PORT = 22
+EOF
+
+chown -R root:git /etc/gitea
+chmod 770 /etc/gitea
+chmod 770 /etc/gitea/app.ini
+
+cat << EOF > /etc/nginx/conf.d/default.conf
+server {
+ listen 80;
+ listen [::]:80;
+ server_name _;
+
+ server_tokens off;
+
+ access_log /var/log/nginx/gitea.access.log;
+ error_log /var/log/nginx/gitea.error.log;
+
+ location /.well-known/ {
+ root /var/www/html;
+ }
+
+ return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
+
+ server_tokens off;
+ ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+ ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
+ ssl_dhparam /etc/nginx/dhparam.pem;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 180m;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ resolver 1.1.1.1 1.0.0.1;
+
+ add_header Strict-Transport-Security "max-age=31536000" always;
+
+ location = /robots.txt {
+ access_log off;
+ log_not_found off;
+ }
+
+ location = /favicon.ico {
+ access_log off;
+ log_not_found off;
+ }
+
+ access_log /var/log/nginx/gitea.access.log;
+ error_log /var/log/nginx/gitea.error.log;
+
+ client_max_body_size 50M;
+
+ location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) {
+ expires max;
+ }
+ location / {
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header Host \$host;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_pass http://127.0.0.1:3000;
+ proxy_read_timeout 90;
+ }
+}
+
+EOF
+openssl dhparam -out /etc/nginx/dhparam.pem 4096
+
+systemctl daemon-reload
+systemctl enable --now gitea
+systemctl restart nginx
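Review bot: `ROOT_URL = http://${LXC_HOSTNAME}.${LXC_DOMAIN}/` in the app.ini heredoc does not match the nginx config written further down, which redirects every plain-HTTP request to https and terminates TLS itself, so Gitea will build http links and cookies for a scheme the proxy no longer serves directly; change it to `ROOT_URL = https://${LXC_HOSTNAME}.${LXC_DOMAIN}/` and add `proxy_set_header X-Forwarded-Proto \$scheme;` next to the other proxy_set_header lines in `location /`. In the same heredoc `HOST=localhost` ignores `GITEA_DB_IP` and `GITEA_DB_PORT` from constants-service.conf, so those two constants currently have no effect; `HOST=${GITEA_DB_IP}:${GITEA_DB_PORT}` would honour them. The `add_header Strict-Transport-Security "max-age=31536000" always;` line is emitted while the server still uses the self-signed ssl-cert-snakeoil pair, which pins browsers to HTTPS for a year on a certificate they cannot validate (and `ssl_stapling on` has no OCSP responder to query for that certificate), so the HSTS header is better added only once a trusted certificate is installed. The two `apt-key add -` calls at the top are deprecated on the Debian 11 target and grant the nginx and PostgreSQL keys trust for every configured repository; writing each key to `/usr/share/keyrings/<keyring-name>.gpg` and referencing it with `[signed-by=...]` in the corresponding sources entry scopes that trust to one repository. The text between `su - postgres <` and the systemd unit heredoc is not legible in this copy of the hunk, so the PostgreSQL role and Gitea binary setup is not reviewed here.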