Added gitea container

src/gitea/constants-service.conf

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="1"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Defines the IP from the SQL server
+GITEA_DB_IP="127.0.0.1"
+
+# Defines the PORT from the SQL server
+GITEA_DB_PORT="5432"
+
+# Defines the name from the SQL database
+GITEA_DB_NAME="gitea"
+
+# Defines the name from the SQL user
+GITEA_DB_USR="gitea"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed 
+GITEA_DB_PWD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"

src/gitea/install-service.sh

@@ -0,0 +1,171 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/zamba.conf
+source /root/constants-service.conf
+
+wget -q -O - https://nginx.org/keys/nginx_signing.key | apt-key add -
+echo "deb http://nginx.org/packages/debian $(lsb_release -cs) nginx" | tee /etc/apt/sources.list.d/nginx.list
+
+wget -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
+echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list
+
+apt update
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql nginx git ssl-cert unzip zip
+
+timedatectl set-timezone ${LXC_TIMEZONE}
+
+systemctl enable --now postgresql
+
+su - postgres <<EOF
+psql -c "CREATE USER gitea WITH PASSWORD '${GITEA_DB_PWD}';"
+psql -c "CREATE DATABASE ${GITEA_DB_NAME} ENCODING UTF8 TEMPLATE template0 OWNER ${GITEA_DB_USR};"
+echo "Postgres User ${GITEA_DB_USR} and database ${GITEA_DB_NAME} created."
+EOF
+
+adduser  --system  --shell /bin/bash --gecos 'Git Version Control' --group --disabled-password --home /home/git git
+
+curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep '\linux-amd64$' | wget -O /usr/local/bin/gitea -i -
+chmod +x /usr/local/bin/gitea
+mkdir -p /etc/gitea
+mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/
+chown -R git:git /${LXC_SHAREFS_MOUNTPOINT}/
+chmod -R 750 /${LXC_SHAREFS_MOUNTPOINT}/
+
+cat << EOF > /etc/systemd/system/gitea.service
+[Unit]
+Description=Gitea
+After=syslog.target
+After=network.target
+After=postgresql.service
+
+[Service]
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=/${LXC_SHAREFS_MOUNTPOINT}/
+ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
+Restart=always
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/${LXC_SHAREFS_MOUNTPOINT}/
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat << EOF > /etc/gitea/app.ini
+RUN_MODE = prod
+RUN_USER = git
+
+[repository]
+ROOT = /${LXC_SHAREFS_MOUNTPOINT}/git/repositories
+
+[repository.local]
+LOCAL_COPY_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /${LXC_SHAREFS_MOUNTPOINT}/gitea/uploads
+
+[database]
+DB_TYPE=postgres
+HOST=localhost
+NAME=${GITEA_DB_NAME}
+USER=${GITEA_DB_USR}
+PASSWD=${GITEA_DB_PWD}
+SSL_MODE=disable
+
+[server]
+APP_DATA_PATH    = /${LXC_SHAREFS_MOUNTPOINT}/gitea
+DOMAIN           = ${LXC_HOSTNAME}.${LXC_DOMAIN}
+SSH_DOMAIN       = ${LXC_HOSTNAME}.${LXC_DOMAIN}
+HTTP_PORT        = 3000
+ROOT_URL         = http://${LXC_HOSTNAME}.${LXC_DOMAIN}/
+DISABLE_SSH      = false
+SSH_PORT         = 11122
+SSH_LISTEN_PORT  = 22
+EOF
+
+chown -R root:git /etc/gitea
+chmod 770 /etc/gitea
+chmod 770 /etc/gitea/app.ini
+
+cat << EOF > /etc/nginx/conf.d/default.conf
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+    
+    server_tokens off;
+
+    access_log /var/log/nginx/gitea.access.log;
+    error_log /var/log/nginx/gitea.error.log;
+
+    location /.well-known/ {
+        root /var/www/html;
+    }
+
+    return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
+    
+    server_tokens off;
+    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+    ssl_protocols TLSv1.3 TLSv1.2;
+    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
+    ssl_dhparam /etc/nginx/dhparam.pem;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 180m;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    resolver 1.1.1.1 1.0.0.1;
+
+    add_header Strict-Transport-Security "max-age=31536000" always;
+
+    location = /robots.txt  {
+        access_log off;
+        log_not_found off;
+    }
+
+    location = /favicon.ico {
+        access_log off;
+        log_not_found off;
+    }
+
+    access_log /var/log/nginx/gitea.access.log;
+    error_log  /var/log/nginx/gitea.error.log;
+
+    client_max_body_size 50M;
+
+    location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) {
+    expires max;
+    }
+    location / {
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_pass http://127.0.0.1:3000;
+        proxy_read_timeout 90;
+    }
+}
+
+EOF
+openssl dhparam -out /etc/nginx/dhparam.pem 4096
+
+systemctl daemon-reload
+systemctl enable --now gitea
+systemctl restart nginx