added ssl support and barebone readme

Dockerfile

@@ -5,4 +5,5 @@ LABEL maintainer="Lukasz Jarosz <lukasz@jarosz.pl>"
 COPY files /
 
 RUN apk update && \
-    apk add --no-cache mariadb mariadb-client nginx pwgen su-exec python3
+    apk add --no-cache mariadb mariadb-client nginx pwgen su-exec python3 openssl && \
+    pip3 install acme-tiny

README.md

@@ -1,2 +1,14 @@
 # fat-gitea
+## How to use
+Just start it with docker. Image is based on gitea/gitea:latest, but you can assign following additional environment variables:
+- DOMAIN - domain used by container
+- ENABLE_SSL - feature switch, value not relevant
+- MYSQL_DATADIR - path to MariaDB data dir
+- MYSQL_OPTS - MariaDB mysqld options
 
+## MariaDB
+MariaDB is automatically bootstrapped into /data/mariadb. To add additional my.cnf use --defaults-extra-file or --defaults-file to replace it compeletely.
+
+## SSL
+Image supports using SSL with nginx which acts as reverse proxy for Gitea. It has embedded Lets Encrypt support with auto renewal. If you don't have account.key script will generate it for you.
+Required files for cert are /data/ssl/cert.crt /data/ssl/cert.key . 

files/etc/crontabs/root

@@ -0,0 +1 @@
+30 3 * * 6 /usr/bin/ssl-auto-renew

files/etc/s6/crond/run

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec crond -f -c /etc/crontabs

files/etc/s6/mariadb/run

@@ -1,9 +1,8 @@
 #!/bin/sh
 
-DATADIR=${DATADIR:-"/data/mariadb"}
+DATADIR=${MYSQL_DATADIR:-"/data/mariadb"}
 MYSQL_OPTS=${MYSQL_OPTS:-""}
 
 [[ -f ./setup ]] && source ./setup
 
-exec su-exec mysql:mysql mysqld --datadir=$DATADIR --console $MYSQL_OPTS
-
+exec su-exec mysql:mysql mysqld --bind-address=127.0.0.1 --datadir=$DATADIR --console $MYSQL_OPTS

files/etc/s6/mariadb/setup

@@ -18,7 +18,7 @@ if [ ! -d $DATADIR ]; then
   su-exec mysql:mysql mysql_install_db --force --datadir=$DATADIR
 
   echo "pushing initialization data into server"
-  su-exec mysql:mysql mysqld --datadir=$DATADIR &
+  su-exec mysql:mysql mysqld --bind-address=127.0.0.1 --datadir=$DATADIR &
   pid="$!"
 
   for i in {30..0}; do
@@ -37,5 +37,5 @@ if [ ! -d $DATADIR ]; then
     exit 1
   fi
 
-  #rm /tmp/dbinit.sql
+  rm /tmp/dbinit.sql
 fi

files/etc/s6/nginx/setup

@@ -1,13 +1,50 @@
 #!/bin/sh
 if [ ! -d /run/nginx ]; then
   mkdir -p /run/nginx
-  chown nginx /run/nginx
+  mkdir -p /run/nginx/challenges
+  chown -R nginx /run/nginx
 fi
 
+# cleanup and copy nginx configuration file from embedded template
+if [ -f /etc/nginx/conf.d/default.conf ]; then
+  rm /etc/nginx/conf.d/default.conf
+fi
+cp /etc/templates/nginx.conf /etc/nginx/nginx.conf
+
+# handle preparing to run ssl
+if [ -n ENABLE_SSL ]; then
+  NGINX_CONF_TEMPLATE=/etc/templates/nginx_site_ssl.conf
+  if [ ! -f /data/ssl/cert.crt ] || [ ! -f /data/ssl/cert.key ]; then
+    # we need to obtain certificates from ACME
+    if [ ! -f /data/ssl/account.key ]; then
+      # there is no account key so create one
+      openssl genrsa 4096 > /data/ssl/account.key
+    fi
+
+    openssl genrsa 4096 > /data/ssl/cert.key
+    openssl req -new -sha256 -key /data/ssl/cert.key -subj "/CN=$DOMAIN" > /data/ssl/domain.csr
+
+    # we need to start nginx with special configuration file
+    cp /etc/templates/nginx_site_letsencryptinit.conf /etc/nginx/conf.d/gitea.conf
+    nginx -c /etc/nginx/nginx.conf -g 'daemon off;' &
+    pid="$!"
+
+    python3 -m acme_tiny --account-key /data/ssl/account.key --csr /data/ssl/domain.csr --acme-dir /run/nginx/challenges > /data/ssl/cert.crt
+
+    if ! kill -s TERM "$pid" || ! wait "$pid"; then
+      echo >&2 'nginx process failed while attempting to get certification'
+      exit 1
+    fi
+  fi
+else
+  NGINX_CONF_TEMPLATE=/etc/templates/nginx_site_nossl.conf
+fi
+
+# avoiding race condition and waiting for gitea configuration file to be prepared by its own startup script
 while [ ! -f /data/gitea/conf/app.ini ]; do
   echo "Gitea configuration is still not ready waiting 10 seconds..."
   sleep 10
 done
 
-GITEA_DOMAIN=$(iniget /data/gitea/conf/app.ini server DOMAIN)
-GITEA_DOMAIN=${GITEA_DOMAIN:-"localhost"} envsubst '${GITEA_DOMAIN}' < /etc/templates/nginx.conf > /etc/nginx/nginx.conf
+GITEA_DOMAIN=${DOMAIN:-$(iniget /data/gitea/conf/app.ini server DOMAIN)}
+GITEA_DOMAIN=${GITEA_DOMAIN:-"localhost"} envsubst '${GITEA_DOMAIN}' < $NGINX_CONF_TEMPLATE > /etc/nginx/conf.d/gitea.conf

files/etc/templates/app.ini

@@ -8,13 +8,16 @@ ROOT = /data/git/repositories
 TEMP_PATH = /data/gitea/uploads
 
 [server]
-APP_DATA_PATH = /data/gitea
+APP_DATA_PATH    = /data/gitea
+DOMAIN           = $DOMAIN
 SSH_DOMAIN       = $SSH_DOMAIN
 HTTP_ADDR        = 127.0.0.1
-HTTP_PORT        = $HTTP_PORT
+HTTP_PORT        = 3000
 ROOT_URL         = $ROOT_URL
 DISABLE_SSH      = $DISABLE_SSH
 SSH_PORT         = $SSH_PORT
+LANDING_PAGE     = explore
+DISABLE_ROUTER_LOG = true
 
 [database]
 DB_TYPE = $DB_TYPE
@@ -34,6 +37,8 @@ PATH = /data/gitea/attachments
 
 [log]
 ROOT_PATH = /data/gitea/log
+MODE      = file
+LEVEL     = Error
 
 [security]
 INSTALL_LOCK = $INSTALL_LOCK
@@ -41,4 +46,13 @@ SECRET_KEY   = $SECRET_KEY
 
 [service]
 DISABLE_REGISTRATION = $DISABLE_REGISTRATION
-REQUIRE_SIGNIN_VIEW  = $REQUIRE_SIGNIN_VIEW
+REQUIRE_SIGNIN_VIEW  = $REQUIRE_SIGNIN_VIEW
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[other]
+SHOW_FOOTER_BRANDING = false
+SHOW_FOOTER_VERSION = false
+SHOW_FOOTER_TEMPLATE_LOAD_TIME = true

files/etc/templates/nginx.conf

@@ -1,4 +1,3 @@
-# as simple as nginx user
 user nginx;
 
 # Set number of worker processes automatically based on number of CPU cores.
@@ -8,8 +7,7 @@ worker_processes auto;
 pcre_jit on;
 
 # Configures default error logger.
-error_log /var/log/nginx/error.log warn;
-
+# error_log /data/log/error.log warn;
 
 events {
 	# The maximum number of simultaneous connections that can be opened by
@@ -74,51 +72,14 @@ http {
 
 
 	# Specifies the main log format.
-	#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
-	#		'$status $body_bytes_sent "$http_referer" '
-	#		'"$http_user_agent" "$http_x_forwarded_for"';
+	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+			'$status $body_bytes_sent "$http_referer" '
+			'"$http_user_agent" "$http_x_forwarded_for"';
 
 	# Sets the path, format, and configuration for a buffered log write.
-	#access_log /var/log/nginx/access.log main;
-
-  server {
-    listen 80;
-    listen [::]:80;
-
-    server_name $GITEA_DOMAIN;
-    client_max_body_size 200M;
+	# access_log /var/log/nginx/access.log main;
 
-    location / {
-      proxy_pass http://localhost:3000;
-      proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr;
-    }
 
-  }
+	# Includes virtual hosts configs.
+	include /etc/nginx/conf.d/*.conf;
 }
-
-
-
-# redirect to ssl
-#server {
-#  listen 80;
-#  listen [::]:80;
-#  server_name $GITEA_DOMAIN;
-#  return 301 https://$server_name$request_uri;
-#}
-
-#server {
-#  listen 443 ssl http2;
-#  listen [::]:443 ssl http2;
-#  server_name $GITEA_DOMAIN;
-#  client_max_body_size 50M;
-#  ssl_certificate /data/ssl/cert.crt;
-#  ssl_certificate_key /data/ssl/cert.key;
-#  location / {
-#    proxy_pass http://localhost:3000;
-#    proxy_set_header Host $host;
-#    proxy_set_header X-Real-IP $remote_addr;
-#  }
-#}
-
-

files/etc/templates/nginx_site_letsencryptinit.conf

@@ -0,0 +1,9 @@
+server {
+  listen 80;
+  listen [::]:80;
+
+  location /.well-known/acme-challenge/ {
+    alias /run/nginx/challenges/;
+    try_files $uri =404;
+  }
+}

files/etc/templates/nginx_site_nossl.conf

@@ -0,0 +1,13 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name $GITEA_DOMAIN;
+	client_max_body_size 200M;
+
+	location / {
+		proxy_pass http://localhost:3000;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+	}
+}

files/etc/templates/nginx_site_ssl.conf

@@ -0,0 +1,33 @@
+server {
+  listen 80;
+  listen [::]:80;
+
+  server_name $GITEA_DOMAIN;
+
+  location /.well-known/acme-challenge/ {
+    alias /run/nginx/challenges/;
+    try_files $uri =404;
+  }
+
+  location / {
+    return 301 https://$server_name$request_uri;
+  }
+}
+
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+
+  server_name $GITEA_DOMAIN;
+  client_max_body_size 200M;
+
+  ssl_certificate /data/ssl/cert.crt;
+  ssl_certificate_key /data/ssl/cert.key;
+  ssl_prefer_server_ciphers on;
+
+  location / {
+    proxy_pass http://localhost:3000;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+  }
+}

files/usr/bin/entrypoint

@@ -1,6 +1,6 @@
 #!/bin/sh
 # generic variables
-GITEA_DIRS="/data/gitea/conf /data/gitea/log /data/git /data/ssh"
+GITEA_DIRS="/data/gitea/conf /data/gitea/log /data/git /data/ssh /data/ssl"
 
 # ensuring s6 service files permissions
 chmod +x /etc/s6/**/*
@@ -32,6 +32,7 @@ for DIR in $GITEA_DIRS; do
   mkdir -p $DIR
 done
 
+
 # configuration bootstrap (if configuration file exists it takes precedence over shell variables)
 set -a
 if [ -f /data/gitea/conf/app.ini ]; then
@@ -40,16 +41,34 @@ if [ -f /data/gitea/conf/app.ini ]; then
   DB_USER=$(iniget /data/gitea/conf/app.ini database USER)
   DB_NAME=$(iniget /data/gitea/conf/app.ini database NAME)
   DB_PASSWD=$(iniget /data/gitea/conf/app.ini database NAME)
+  ROOT_URL=$(iniget /data/gitea/conf/app.ini server ROOT_URL)
 else
   DB_HOST="localhost:3306"
   DB_TYPE="mysql"
   DB_USER=${DB_USER:-"gitea"}
   DB_NAME=${DB_NAME:-"gitea"}
 
-  if [ -z "${DB_PASSWD}" ] ; then
+  if [ -z "${DB_PASSWD}" ]; then
     export DB_PASSWD=$(pwgen -1 32)
     echo "Automagically generated database password: $DB_PASSWD"
   fi
+
+  if [ -n $DOMAIN ]; then
+    if [ -n $ENABLE_SSL ]; then
+      ROOT_URL=https://$DOMAIN
+    else
+      ROOT_URL=http://$DOMAIN
+    fi
+
+    if [ -z $SSH_DOMAIN ]; then
+      SSH_DOMAIN=$DOMAIN
+    fi
+  else
+    if [ -n $ENABLE_SSL ]; then
+      echo "Can't use ENABLE_SSL without DOMAIN set"
+      exit 1
+    fi
+  fi
 fi
 set +a
 

files/usr/bin/ssl-auto-renew

@@ -0,0 +1,10 @@
+#!/bin/sh
+if [ -n $ENABLE_SSL ]; then
+  # exit if any of the required files for renew is missing
+  for file in /data/ssl/account.key /data/ssl/domain.csr; do
+    [[ ! -f $file ]] && exit
+  done
+
+  python3 -m acme_tiny --account-key /data/ssl/account.key --csr /data/ssl/domain.csr --acme-dir /run/nginx/challenges > /data/ssl/cert.crt
+  s6-svc -du /etc/s6/nginx
+fi