Ver código fonte

added ssl support and barebone readme

master
Lukasz Jarosz 6 anos atrás
pai
commit
5fbb185437

+ 2
- 1
Dockerfile Ver arquivo

@@ -5,4 +5,5 @@ LABEL maintainer="Lukasz Jarosz <lukasz@jarosz.pl>"
5 5
 COPY files /
6 6
 
7 7
 RUN apk update && \
8
-    apk add --no-cache mariadb mariadb-client nginx pwgen su-exec python3
8
+    apk add --no-cache mariadb mariadb-client nginx pwgen su-exec python3 openssl && \
9
+    pip3 install acme-tiny

+ 12
- 0
README.md Ver arquivo

@@ -1,2 +1,14 @@
1 1
 # fat-gitea
2
+## How to use
3
+Just start it with docker. Image is based on gitea/gitea:latest, but you can assign following additional environment variables:
4
+- DOMAIN - domain used by container
5
+- ENABLE_SSL - feature switch, value not relevant
6
+- MYSQL_DATADIR - path to MariaDB data dir
7
+- MYSQL_OPTS - MariaDB mysqld options
2 8
 
9
+## MariaDB
10
+MariaDB is automatically bootstrapped into /data/mariadb. To add additional my.cnf use --defaults-extra-file or --defaults-file to replace it compeletely.
11
+
12
+## SSL
13
+Image supports using SSL with nginx which acts as reverse proxy for Gitea. It has embedded Lets Encrypt support with auto renewal. If you don't have account.key script will generate it for you.
14
+Required files for cert are /data/ssl/cert.crt /data/ssl/cert.key . 

+ 1
- 0
files/etc/crontabs/root Ver arquivo

@@ -0,0 +1 @@
1
+30 3 * * 6 /usr/bin/ssl-auto-renew

+ 3
- 0
files/etc/s6/crond/run Ver arquivo

@@ -0,0 +1,3 @@
1
+#!/bin/sh
2
+
3
+exec crond -f -c /etc/crontabs

+ 2
- 3
files/etc/s6/mariadb/run Ver arquivo

@@ -1,9 +1,8 @@
1 1
 #!/bin/sh
2 2
 
3
-DATADIR=${DATADIR:-"/data/mariadb"}
3
+DATADIR=${MYSQL_DATADIR:-"/data/mariadb"}
4 4
 MYSQL_OPTS=${MYSQL_OPTS:-""}
5 5
 
6 6
 [[ -f ./setup ]] && source ./setup
7 7
 
8
-exec su-exec mysql:mysql mysqld --datadir=$DATADIR --console $MYSQL_OPTS
9
-
8
+exec su-exec mysql:mysql mysqld --bind-address=127.0.0.1 --datadir=$DATADIR --console $MYSQL_OPTS

+ 2
- 2
files/etc/s6/mariadb/setup Ver arquivo

@@ -18,7 +18,7 @@ if [ ! -d $DATADIR ]; then
18 18
   su-exec mysql:mysql mysql_install_db --force --datadir=$DATADIR
19 19
 
20 20
   echo "pushing initialization data into server"
21
-  su-exec mysql:mysql mysqld --datadir=$DATADIR &
21
+  su-exec mysql:mysql mysqld --bind-address=127.0.0.1 --datadir=$DATADIR &
22 22
   pid="$!"
23 23
 
24 24
   for i in {30..0}; do
@@ -37,5 +37,5 @@ if [ ! -d $DATADIR ]; then
37 37
     exit 1
38 38
   fi
39 39
 
40
-  #rm /tmp/dbinit.sql
40
+  rm /tmp/dbinit.sql
41 41
 fi

+ 40
- 3
files/etc/s6/nginx/setup Ver arquivo

@@ -1,13 +1,50 @@
1 1
 #!/bin/sh
2 2
 if [ ! -d /run/nginx ]; then
3 3
   mkdir -p /run/nginx
4
-  chown nginx /run/nginx
4
+  mkdir -p /run/nginx/challenges
5
+  chown -R nginx /run/nginx
5 6
 fi
6 7
 
8
+# cleanup and copy nginx configuration file from embedded template
9
+if [ -f /etc/nginx/conf.d/default.conf ]; then
10
+  rm /etc/nginx/conf.d/default.conf
11
+fi
12
+cp /etc/templates/nginx.conf /etc/nginx/nginx.conf
13
+
14
+# handle preparing to run ssl
15
+if [ -n ENABLE_SSL ]; then
16
+  NGINX_CONF_TEMPLATE=/etc/templates/nginx_site_ssl.conf
17
+  if [ ! -f /data/ssl/cert.crt ] || [ ! -f /data/ssl/cert.key ]; then
18
+    # we need to obtain certificates from ACME
19
+    if [ ! -f /data/ssl/account.key ]; then
20
+      # there is no account key so create one
21
+      openssl genrsa 4096 > /data/ssl/account.key
22
+    fi
23
+
24
+    openssl genrsa 4096 > /data/ssl/cert.key
25
+    openssl req -new -sha256 -key /data/ssl/cert.key -subj "/CN=$DOMAIN" > /data/ssl/domain.csr
26
+
27
+    # we need to start nginx with special configuration file
28
+    cp /etc/templates/nginx_site_letsencryptinit.conf /etc/nginx/conf.d/gitea.conf
29
+    nginx -c /etc/nginx/nginx.conf -g 'daemon off;' &
30
+    pid="$!"
31
+
32
+    python3 -m acme_tiny --account-key /data/ssl/account.key --csr /data/ssl/domain.csr --acme-dir /run/nginx/challenges > /data/ssl/cert.crt
33
+
34
+    if ! kill -s TERM "$pid" || ! wait "$pid"; then
35
+      echo >&2 'nginx process failed while attempting to get certification'
36
+      exit 1
37
+    fi
38
+  fi
39
+else
40
+  NGINX_CONF_TEMPLATE=/etc/templates/nginx_site_nossl.conf
41
+fi
42
+
43
+# avoiding race condition and waiting for gitea configuration file to be prepared by its own startup script
7 44
 while [ ! -f /data/gitea/conf/app.ini ]; do
8 45
   echo "Gitea configuration is still not ready waiting 10 seconds..."
9 46
   sleep 10
10 47
 done
11 48
 
12
-GITEA_DOMAIN=$(iniget /data/gitea/conf/app.ini server DOMAIN)
13
-GITEA_DOMAIN=${GITEA_DOMAIN:-"localhost"} envsubst '${GITEA_DOMAIN}' < /etc/templates/nginx.conf > /etc/nginx/nginx.conf
49
+GITEA_DOMAIN=${DOMAIN:-$(iniget /data/gitea/conf/app.ini server DOMAIN)}
50
+GITEA_DOMAIN=${GITEA_DOMAIN:-"localhost"} envsubst '${GITEA_DOMAIN}' < $NGINX_CONF_TEMPLATE > /etc/nginx/conf.d/gitea.conf

+ 17
- 3
files/etc/templates/app.ini Ver arquivo

@@ -8,13 +8,16 @@ ROOT = /data/git/repositories
8 8
 TEMP_PATH = /data/gitea/uploads
9 9
 
10 10
 [server]
11
-APP_DATA_PATH = /data/gitea
11
+APP_DATA_PATH    = /data/gitea
12
+DOMAIN           = $DOMAIN
12 13
 SSH_DOMAIN       = $SSH_DOMAIN
13 14
 HTTP_ADDR        = 127.0.0.1
14
-HTTP_PORT        = $HTTP_PORT
15
+HTTP_PORT        = 3000
15 16
 ROOT_URL         = $ROOT_URL
16 17
 DISABLE_SSH      = $DISABLE_SSH
17 18
 SSH_PORT         = $SSH_PORT
19
+LANDING_PAGE     = explore
20
+DISABLE_ROUTER_LOG = true
18 21
 
19 22
 [database]
20 23
 DB_TYPE = $DB_TYPE
@@ -34,6 +37,8 @@ PATH = /data/gitea/attachments
34 37
 
35 38
 [log]
36 39
 ROOT_PATH = /data/gitea/log
40
+MODE      = file
41
+LEVEL     = Error
37 42
 
38 43
 [security]
39 44
 INSTALL_LOCK = $INSTALL_LOCK
@@ -41,4 +46,13 @@ SECRET_KEY   = $SECRET_KEY
41 46
 
42 47
 [service]
43 48
 DISABLE_REGISTRATION = $DISABLE_REGISTRATION
44
-REQUIRE_SIGNIN_VIEW  = $REQUIRE_SIGNIN_VIEW
49
+REQUIRE_SIGNIN_VIEW  = $REQUIRE_SIGNIN_VIEW
50
+
51
+[openid]
52
+ENABLE_OPENID_SIGNIN = false
53
+ENABLE_OPENID_SIGNUP = false
54
+
55
+[other]
56
+SHOW_FOOTER_BRANDING = false
57
+SHOW_FOOTER_VERSION = false
58
+SHOW_FOOTER_TEMPLATE_LOAD_TIME = true

+ 7
- 46
files/etc/templates/nginx.conf Ver arquivo

@@ -1,4 +1,3 @@
1
-# as simple as nginx user
2 1
 user nginx;
3 2
 
4 3
 # Set number of worker processes automatically based on number of CPU cores.
@@ -8,8 +7,7 @@ worker_processes auto;
8 7
 pcre_jit on;
9 8
 
10 9
 # Configures default error logger.
11
-error_log /var/log/nginx/error.log warn;
12
-
10
+# error_log /data/log/error.log warn;
13 11
 
14 12
 events {
15 13
 	# The maximum number of simultaneous connections that can be opened by
@@ -74,51 +72,14 @@ http {
74 72
 
75 73
 
76 74
 	# Specifies the main log format.
77
-	#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
78
-	#		'$status $body_bytes_sent "$http_referer" '
79
-	#		'"$http_user_agent" "$http_x_forwarded_for"';
75
+	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
76
+			'$status $body_bytes_sent "$http_referer" '
77
+			'"$http_user_agent" "$http_x_forwarded_for"';
80 78
 
81 79
 	# Sets the path, format, and configuration for a buffered log write.
82
-	#access_log /var/log/nginx/access.log main;
83
-
84
-  server {
85
-    listen 80;
86
-    listen [::]:80;
87
-
88
-    server_name $GITEA_DOMAIN;
89
-    client_max_body_size 200M;
80
+	# access_log /var/log/nginx/access.log main;
90 81
 
91
-    location / {
92
-      proxy_pass http://localhost:3000;
93
-      proxy_set_header Host $host;
94
-      proxy_set_header X-Real-IP $remote_addr;
95
-    }
96 82
 
97
-  }
83
+	# Includes virtual hosts configs.
84
+	include /etc/nginx/conf.d/*.conf;
98 85
 }
99
-
100
-
101
-
102
-# redirect to ssl
103
-#server {
104
-#  listen 80;
105
-#  listen [::]:80;
106
-#  server_name $GITEA_DOMAIN;
107
-#  return 301 https://$server_name$request_uri;
108
-#}
109
-
110
-#server {
111
-#  listen 443 ssl http2;
112
-#  listen [::]:443 ssl http2;
113
-#  server_name $GITEA_DOMAIN;
114
-#  client_max_body_size 50M;
115
-#  ssl_certificate /data/ssl/cert.crt;
116
-#  ssl_certificate_key /data/ssl/cert.key;
117
-#  location / {
118
-#    proxy_pass http://localhost:3000;
119
-#    proxy_set_header Host $host;
120
-#    proxy_set_header X-Real-IP $remote_addr;
121
-#  }
122
-#}
123
-
124
-

+ 9
- 0
files/etc/templates/nginx_site_letsencryptinit.conf Ver arquivo

@@ -0,0 +1,9 @@
1
+server {
2
+  listen 80;
3
+  listen [::]:80;
4
+
5
+  location /.well-known/acme-challenge/ {
6
+    alias /run/nginx/challenges/;
7
+    try_files $uri =404;
8
+  }
9
+}

+ 13
- 0
files/etc/templates/nginx_site_nossl.conf Ver arquivo

@@ -0,0 +1,13 @@
1
+server {
2
+	listen 80;
3
+	listen [::]:80;
4
+
5
+	server_name $GITEA_DOMAIN;
6
+	client_max_body_size 200M;
7
+
8
+	location / {
9
+		proxy_pass http://localhost:3000;
10
+		proxy_set_header Host $host;
11
+		proxy_set_header X-Real-IP $remote_addr;
12
+	}
13
+}

+ 33
- 0
files/etc/templates/nginx_site_ssl.conf Ver arquivo

@@ -0,0 +1,33 @@
1
+server {
2
+  listen 80;
3
+  listen [::]:80;
4
+
5
+  server_name $GITEA_DOMAIN;
6
+
7
+  location /.well-known/acme-challenge/ {
8
+    alias /run/nginx/challenges/;
9
+    try_files $uri =404;
10
+  }
11
+
12
+  location / {
13
+    return 301 https://$server_name$request_uri;
14
+  }
15
+}
16
+
17
+server {
18
+  listen 443 ssl http2;
19
+  listen [::]:443 ssl http2;
20
+
21
+  server_name $GITEA_DOMAIN;
22
+  client_max_body_size 200M;
23
+
24
+  ssl_certificate /data/ssl/cert.crt;
25
+  ssl_certificate_key /data/ssl/cert.key;
26
+  ssl_prefer_server_ciphers on;
27
+
28
+  location / {
29
+    proxy_pass http://localhost:3000;
30
+    proxy_set_header Host $host;
31
+    proxy_set_header X-Real-IP $remote_addr;
32
+  }
33
+}

+ 21
- 2
files/usr/bin/entrypoint Ver arquivo

@@ -1,6 +1,6 @@
1 1
 #!/bin/sh
2 2
 # generic variables
3
-GITEA_DIRS="/data/gitea/conf /data/gitea/log /data/git /data/ssh"
3
+GITEA_DIRS="/data/gitea/conf /data/gitea/log /data/git /data/ssh /data/ssl"
4 4
 
5 5
 # ensuring s6 service files permissions
6 6
 chmod +x /etc/s6/**/*
@@ -32,6 +32,7 @@ for DIR in $GITEA_DIRS; do
32 32
   mkdir -p $DIR
33 33
 done
34 34
 
35
+
35 36
 # configuration bootstrap (if configuration file exists it takes precedence over shell variables)
36 37
 set -a
37 38
 if [ -f /data/gitea/conf/app.ini ]; then
@@ -40,16 +41,34 @@ if [ -f /data/gitea/conf/app.ini ]; then
40 41
   DB_USER=$(iniget /data/gitea/conf/app.ini database USER)
41 42
   DB_NAME=$(iniget /data/gitea/conf/app.ini database NAME)
42 43
   DB_PASSWD=$(iniget /data/gitea/conf/app.ini database NAME)
44
+  ROOT_URL=$(iniget /data/gitea/conf/app.ini server ROOT_URL)
43 45
 else
44 46
   DB_HOST="localhost:3306"
45 47
   DB_TYPE="mysql"
46 48
   DB_USER=${DB_USER:-"gitea"}
47 49
   DB_NAME=${DB_NAME:-"gitea"}
48 50
 
49
-  if [ -z "${DB_PASSWD}" ] ; then
51
+  if [ -z "${DB_PASSWD}" ]; then
50 52
     export DB_PASSWD=$(pwgen -1 32)
51 53
     echo "Automagically generated database password: $DB_PASSWD"
52 54
   fi
55
+
56
+  if [ -n $DOMAIN ]; then
57
+    if [ -n $ENABLE_SSL ]; then
58
+      ROOT_URL=https://$DOMAIN
59
+    else
60
+      ROOT_URL=http://$DOMAIN
61
+    fi
62
+
63
+    if [ -z $SSH_DOMAIN ]; then
64
+      SSH_DOMAIN=$DOMAIN
65
+    fi
66
+  else
67
+    if [ -n $ENABLE_SSL ]; then
68
+      echo "Can't use ENABLE_SSL without DOMAIN set"
69
+      exit 1
70
+    fi
71
+  fi
53 72
 fi
54 73
 set +a
55 74
 

+ 10
- 0
files/usr/bin/ssl-auto-renew Ver arquivo

@@ -0,0 +1,10 @@
1
+#!/bin/sh
2
+if [ -n $ENABLE_SSL ]; then
3
+  # exit if any of the required files for renew is missing
4
+  for file in /data/ssl/account.key /data/ssl/domain.csr; do
5
+    [[ ! -f $file ]] && exit
6
+  done
7
+
8
+  python3 -m acme_tiny --account-key /data/ssl/account.key --csr /data/ssl/domain.csr --acme-dir /run/nginx/challenges > /data/ssl/cert.crt
9
+  s6-svc -du /etc/s6/nginx
10
+fi

Carregando…
Cancelar
Salvar