
added ssl support and barebone readme

master
Lukasz Jarosz 6 years ago
parent
commit
5fbb185437

+ 2
- 1
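--- a/Dockerfile
+++ b/Dockerfile
@@ -5,4 +5,5 @@
 COPY files /
 
 RUN apk update && \
-    apk add --no-cache mariadb mariadb-client nginx pwgen su-exec python3
+    apk add --no-cache mariadb mariadb-client nginx pwgen su-exec python3 openssl && \
+    pip3 install acme-tiny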
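Review bot: `pip3 install acme-tiny` at new line 9 pulls an unpinned package from PyPI at build time, so the code that handles the ACME account key and issues the site certificate is whatever version is current when the image is built, and two builds of the same Dockerfile are not reproducible. Pin it, e.g. `pip3 install --no-cache-dir acme-tiny==<pinned-version>`, and consider a requirements file with `--require-hashes` so the build fails if the artifact changes. Whether `pip3` is available at all depends on the Alpine python3 package of that release bundling pip — worth confirming rather than relying on it.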

+ 12
- 0
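--- a/README.md
+++ b/README.md
@@ -1,2 +1,14 @@
 # fat-gitea
+## How to use
+Just start it with docker. Image is based on gitea/gitea:latest, but you can assign following additional environment variables:
+- DOMAIN - domain used by container
+- ENABLE_SSL - feature switch, value not relevant
+- MYSQL_DATADIR - path to MariaDB data dir
+- MYSQL_OPTS - MariaDB mysqld options
 
+## MariaDB
+MariaDB is automatically bootstrapped into /data/mariadb. To add additional my.cnf use --defaults-extra-file or --defaults-file to replace it compeletely.
+
+## SSL
+Image supports using SSL with nginx which acts as reverse proxy for Gitea. It has embedded Lets Encrypt support with auto renewal. If you don't have account.key script will generate it for you.
+Required files for cert are /data/ssl/cert.crt /data/ssl/cert.key . 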

+ 1
- 0
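--- a/files/etc/crontabs/root
+++ b/files/etc/crontabs/root
@@ -0,0 +1 @@
+30 3 * * 6 /usr/bin/ssl-auto-renew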

+ 3
- 0
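--- a/files/etc/s6/crond/run
+++ b/files/etc/s6/crond/run
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec crond -f -c /etc/crontabs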

+ 2
- 3
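--- a/files/etc/s6/mariadb/run
+++ b/files/etc/s6/mariadb/run
@@ -1,9 +1,8 @@
 #!/bin/sh
 
-DATADIR=${DATADIR:-"/data/mariadb"}
+DATADIR=${MYSQL_DATADIR:-"/data/mariadb"}
 MYSQL_OPTS=${MYSQL_OPTS:-""}
 
 [[ -f ./setup ]] && source ./setup
 
-exec su-exec mysql:mysql mysqld --datadir=$DATADIR --console $MYSQL_OPTS
-
+exec su-exec mysql:mysql mysqld --bind-address=127.0.0.1 --datadir=$DATADIR --console $MYSQL_OPTS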
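Review bot: `--datadir=$DATADIR` on the new exec line (new line 8) is unquoted, and DATADIR now comes straight from the user-supplied MYSQL_DATADIR variable at line 3, so a path containing whitespace or glob characters is split or expanded before mysqld sees it; write `--datadir="$DATADIR"` (the mysqld line in files/etc/s6/mariadb/setup has the same shape). Leaving `$MYSQL_OPTS` unquoted is presumably deliberate, since it is meant to carry several options, and deserves a one-line comment so nobody "fixes" it later, e.g. `# MYSQL_OPTS is intentionally unquoted: it holds a space-separated list of mysqld options`.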

+ 2
- 2
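--- a/files/etc/s6/mariadb/setup
+++ b/files/etc/s6/mariadb/setup
@@ -18,7 +18,7 @@
   su-exec mysql:mysql mysql_install_db --force --datadir=$DATADIR
 
   echo "pushing initialization data into server"
-  su-exec mysql:mysql mysqld --datadir=$DATADIR &
+  su-exec mysql:mysql mysqld --bind-address=127.0.0.1 --datadir=$DATADIR &
   pid="$!"
 
   for i in {30..0}; do
@@ -37,5 +37,5 @@
     exit 1
   fi
 
-  #rm /tmp/dbinit.sql
+  rm /tmp/dbinit.sql
 fi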
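Review bot: `rm /tmp/dbinit.sql` at new line 40 only runs on the success path; the `exit 1` at line 37 leaves the file behind, and that file (created outside this hunk) presumably carries the initial database credentials, at a fixed, predictable path under /tmp. A `trap 'rm -f /tmp/dbinit.sql' EXIT` set where the file is created covers every exit path, and creating it with `mktemp` instead of a fixed name removes the predictability. The enclosing `if` block starts before this hunk.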

+ 40
- 3
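--- a/files/etc/s6/nginx/setup
+++ b/files/etc/s6/nginx/setup
@@ -1,13 +1,50 @@
 #!/bin/sh
 if [ ! -d /run/nginx ]; then
   mkdir -p /run/nginx
-  chown nginx /run/nginx
+  mkdir -p /run/nginx/challenges
+  chown -R nginx /run/nginx
 fi
 
+# cleanup and copy nginx configuration file from embedded template
+if [ -f /etc/nginx/conf.d/default.conf ]; then
+  rm /etc/nginx/conf.d/default.conf
+fi
+cp /etc/templates/nginx.conf /etc/nginx/nginx.conf
+
+# handle preparing to run ssl
+if [ -n ENABLE_SSL ]; then
+  NGINX_CONF_TEMPLATE=/etc/templates/nginx_site_ssl.conf
+  if [ ! -f /data/ssl/cert.crt ] || [ ! -f /data/ssl/cert.key ]; then
+    # we need to obtain certificates from ACME
+    if [ ! -f /data/ssl/account.key ]; then
+      # there is no account key so create one
+      openssl genrsa 4096 > /data/ssl/account.key
+    fi
+
+    openssl genrsa 4096 > /data/ssl/cert.key
+    openssl req -new -sha256 -key /data/ssl/cert.key -subj "/CN=$DOMAIN" > /data/ssl/domain.csr
+
+    # we need to start nginx with special configuration file
+    cp /etc/templates/nginx_site_letsencryptinit.conf /etc/nginx/conf.d/gitea.conf
+    nginx -c /etc/nginx/nginx.conf -g 'daemon off;' &
+    pid="$!"
+
+    python3 -m acme_tiny --account-key /data/ssl/account.key --csr /data/ssl/domain.csr --acme-dir /run/nginx/challenges > /data/ssl/cert.crt
+
+    if ! kill -s TERM "$pid" || ! wait "$pid"; then
+      echo >&2 'nginx process failed while attempting to get certification'
+      exit 1
+    fi
+  fi
+else
+  NGINX_CONF_TEMPLATE=/etc/templates/nginx_site_nossl.conf
+fi
+
+# avoiding race condition and waiting for gitea configuration file to be prepared by its own startup script
 while [ ! -f /data/gitea/conf/app.ini ]; do
   echo "Gitea configuration is still not ready waiting 10 seconds..."
   sleep 10
 done
 
-GITEA_DOMAIN=$(iniget /data/gitea/conf/app.ini server DOMAIN)
-GITEA_DOMAIN=${GITEA_DOMAIN:-"localhost"} envsubst '${GITEA_DOMAIN}' < /etc/templates/nginx.conf > /etc/nginx/nginx.conf
+GITEA_DOMAIN=${DOMAIN:-$(iniget /data/gitea/conf/app.ini server DOMAIN)}
+GITEA_DOMAIN=${GITEA_DOMAIN:-"localhost"} envsubst '${GITEA_DOMAIN}' < $NGINX_CONF_TEMPLATE > /etc/nginx/conf.d/gitea.conf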
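Review bot: `if [ -n ENABLE_SSL ]` at new line 15 tests the literal string ENABLE_SSL rather than the variable, so it is always true and the SSL branch runs whether or not the switch is set — the nossl template assignment at line 40 is unreachable; it should read `if [ -n "$ENABLE_SSL" ]; then`. Two further points in the same block: the private keys at lines 21 and 24 are written under the process umask and so are typically world-readable, and the `> /data/ssl/cert.crt` redirect at line 32 truncates the certificate file before acme_tiny runs, so a failed issuance (its exit status is never checked) leaves an empty cert.crt that the existence check at line 17 treats as present on the next start. The same redirect pattern recurs in files/usr/bin/ssl-auto-renew. The excerpt below fixes the test, narrows key permissions and makes the issuance atomic.
```shell
if [ -n "$ENABLE_SSL" ]; then
  # … unchanged: template selection, cert presence check …
    if [ ! -f /data/ssl/account.key ]; then
      ( umask 077; openssl genrsa 4096 > /data/ssl/account.key )
    fi
    ( umask 077; openssl genrsa 4096 > /data/ssl/cert.key )
    # … unchanged: csr generation, challenge-only nginx start, pid capture …
    # issue into a temporary file so a failed run cannot leave an empty cert.crt behind
    if ! python3 -m acme_tiny --account-key /data/ssl/account.key --csr /data/ssl/domain.csr --acme-dir /run/nginx/challenges > /data/ssl/cert.crt.tmp; then
      echo >&2 'ACME certificate issuance failed'
      rm -f /data/ssl/cert.crt.tmp
      kill -s TERM "$pid"
      exit 1
    fi
    mv /data/ssl/cert.crt.tmp /data/ssl/cert.crt
    # … unchanged: nginx shutdown check, else branch …
```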

+ 17
- 3
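--- a/files/etc/templates/app.ini
+++ b/files/etc/templates/app.ini
@@ -8,13 +8,16 @@
 TEMP_PATH = /data/gitea/uploads
 
 [server]
-APP_DATA_PATH = /data/gitea
+APP_DATA_PATH    = /data/gitea
+DOMAIN           = $DOMAIN
 SSH_DOMAIN       = $SSH_DOMAIN
 HTTP_ADDR        = 127.0.0.1
-HTTP_PORT        = $HTTP_PORT
+HTTP_PORT        = 3000
 ROOT_URL         = $ROOT_URL
 DISABLE_SSH      = $DISABLE_SSH
 SSH_PORT         = $SSH_PORT
+LANDING_PAGE     = explore
+DISABLE_ROUTER_LOG = true
 
 [database]
 DB_TYPE = $DB_TYPE
@@ -34,6 +37,8 @@
 
 [log]
 ROOT_PATH = /data/gitea/log
+MODE      = file
+LEVEL     = Error
 
 [security]
 INSTALL_LOCK = $INSTALL_LOCK
@@ -41,4 +46,13 @@
 
 [service]
 DISABLE_REGISTRATION = $DISABLE_REGISTRATION
-REQUIRE_SIGNIN_VIEW  = $REQUIRE_SIGNIN_VIEW
+REQUIRE_SIGNIN_VIEW  = $REQUIRE_SIGNIN_VIEW
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[other]
+SHOW_FOOTER_BRANDING = false
+SHOW_FOOTER_VERSION = false
+SHOW_FOOTER_TEMPLATE_LOAD_TIME = true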
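Review bot: `DISABLE_ROUTER_LOG = true` at new line 20 together with `LEVEL = Error` at new line 41 removes Gitea's per-request log and drops everything below error severity, and in the same commit the `access_log` directive in files/etc/templates/nginx.conf stays commented out (`# access_log /var/log/nginx/access.log main;`), so the container keeps no request-level record at all; failed logins, brute-force attempts and scanning against the instance become very hard to reconstruct afterwards. Keep at least one request log — `access_log /dev/stdout main;` in nginx.conf reaches `docker logs` without touching the data volume — and consider `LEVEL = Warn` so Gitea's own warnings are retained. A comment on the [log] section stating that request logging is delegated to nginx would make the intent explicit.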

+ 7
- 46
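--- a/files/etc/templates/nginx.conf
+++ b/files/etc/templates/nginx.conf
@@ -1,4 +1,3 @@
-# as simple as nginx user
 user nginx;
 
 # Set number of worker processes automatically based on number of CPU cores.
@@ -8,8 +7,7 @@
 pcre_jit on;
 
 # Configures default error logger.
-error_log /var/log/nginx/error.log warn;
-
+# error_log /data/log/error.log warn;
 
 events {
 	# The maximum number of simultaneous connections that can be opened by
@@ -74,51 +72,14 @@
 
 
 	# Specifies the main log format.
-	#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
-	#		'$status $body_bytes_sent "$http_referer" '
-	#		'"$http_user_agent" "$http_x_forwarded_for"';
+	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+			'$status $body_bytes_sent "$http_referer" '
+			'"$http_user_agent" "$http_x_forwarded_for"';
 
 	# Sets the path, format, and configuration for a buffered log write.
-	#access_log /var/log/nginx/access.log main;
-
-  server {
-    listen 80;
-    listen [::]:80;
-
-    server_name $GITEA_DOMAIN;
-    client_max_body_size 200M;
+	# access_log /var/log/nginx/access.log main;
 
-    location / {
-      proxy_pass http://localhost:3000;
-      proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr;
-    }
 
-  }
+	# Includes virtual hosts configs.
+	include /etc/nginx/conf.d/*.conf;
 }
-
-
-
-# redirect to ssl
-#server {
-#  listen 80;
-#  listen [::]:80;
-#  server_name $GITEA_DOMAIN;
-#  return 301 https://$server_name$request_uri;
-#}
-
-#server {
-#  listen 443 ssl http2;
-#  listen [::]:443 ssl http2;
-#  server_name $GITEA_DOMAIN;
-#  client_max_body_size 50M;
-#  ssl_certificate /data/ssl/cert.crt;
-#  ssl_certificate_key /data/ssl/cert.key;
-#  location / {
-#    proxy_pass http://localhost:3000;
-#    proxy_set_header Host $host;
-#    proxy_set_header X-Real-IP $remote_addr;
-#  }
-#}
-
-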
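Review bot: With `error_log` commented out at new line 10, nginx falls back to its compile-time default error log path, which nothing in this image collects or surfaces, so TLS handshake problems and upstream failures to Gitea go unseen. `error_log /dev/stderr warn;` sends them to the container's log stream where `docker logs` shows them. If the commented `/data/log/error.log` path is meant as the eventual destination, a comment saying why it is disabled (the directory is not created by the entrypoint, as far as this diff shows) would stop the next reader from simply uncommenting it.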

+ 9
- 0
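--- a/files/etc/templates/nginx_site_letsencryptinit.conf
+++ b/files/etc/templates/nginx_site_letsencryptinit.conf
@@ -0,0 +1,9 @@
+server {
+  listen 80;
+  listen [::]:80;
+
+  location /.well-known/acme-challenge/ {
+    alias /run/nginx/challenges/;
+    try_files $uri =404;
+  }
+}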

+ 13
- 0
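--- a/files/etc/templates/nginx_site_nossl.conf
+++ b/files/etc/templates/nginx_site_nossl.conf
@@ -0,0 +1,13 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name $GITEA_DOMAIN;
+	client_max_body_size 200M;
+
+	location / {
+		proxy_pass http://localhost:3000;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+	}
+}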

+ 33
- 0
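--- a/files/etc/templates/nginx_site_ssl.conf
+++ b/files/etc/templates/nginx_site_ssl.conf
@@ -0,0 +1,33 @@
+server {
+  listen 80;
+  listen [::]:80;
+
+  server_name $GITEA_DOMAIN;
+
+  location /.well-known/acme-challenge/ {
+    alias /run/nginx/challenges/;
+    try_files $uri =404;
+  }
+
+  location / {
+    return 301 https://$server_name$request_uri;
+  }
+}
+
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+
+  server_name $GITEA_DOMAIN;
+  client_max_body_size 200M;
+
+  ssl_certificate /data/ssl/cert.crt;
+  ssl_certificate_key /data/ssl/cert.key;
+  ssl_prefer_server_ciphers on;
+
+  location / {
+    proxy_pass http://localhost:3000;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+  }
+}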
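Review bot: `ssl_prefer_server_ciphers on;` at new line 26 stands alone, with no `ssl_protocols` or `ssl_ciphers` beside it, so the 443 listener runs on the compiled-in defaults of whatever nginx the Alpine base ships — for builds of this age those defaults can still include TLSv1 and TLSv1.1, and the preference directive by itself changes nothing about which suites are offered. Add `ssl_protocols TLSv1.2;`, `ssl_session_cache shared:SSL:10m;` and an explicit `ssl_ciphers` line chosen for the deployment, ideally with a comment naming the policy they follow. The proxy block at lines 28-32 also forwards no scheme; `proxy_set_header X-Forwarded-Proto $scheme;` is worth adding so the upstream can tell it was reached over TLS rather than inferring it from ROOT_URL.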

+ 21
- 2
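--- a/files/usr/bin/entrypoint
+++ b/files/usr/bin/entrypoint
@@ -1,6 +1,6 @@
 #!/bin/sh
 # generic variables
-GITEA_DIRS="/data/gitea/conf /data/gitea/log /data/git /data/ssh"
+GITEA_DIRS="/data/gitea/conf /data/gitea/log /data/git /data/ssh /data/ssl"
 
 # ensuring s6 service files permissions
 chmod +x /etc/s6/**/*
@@ -32,6 +32,7 @@
   mkdir -p $DIR
 done
 
+
 # configuration bootstrap (if configuration file exists it takes precedence over shell variables)
 set -a
 if [ -f /data/gitea/conf/app.ini ]; then
@@ -40,16 +41,34 @@
   DB_USER=$(iniget /data/gitea/conf/app.ini database USER)
   DB_NAME=$(iniget /data/gitea/conf/app.ini database NAME)
   DB_PASSWD=$(iniget /data/gitea/conf/app.ini database NAME)
+  ROOT_URL=$(iniget /data/gitea/conf/app.ini server ROOT_URL)
 else
   DB_HOST="localhost:3306"
   DB_TYPE="mysql"
   DB_USER=${DB_USER:-"gitea"}
   DB_NAME=${DB_NAME:-"gitea"}
 
-  if [ -z "${DB_PASSWD}" ] ; then
+  if [ -z "${DB_PASSWD}" ]; then
     export DB_PASSWD=$(pwgen -1 32)
     echo "Automagically generated database password: $DB_PASSWD"
   fi
+
+  if [ -n $DOMAIN ]; then
+    if [ -n $ENABLE_SSL ]; then
+      ROOT_URL=https://$DOMAIN
+    else
+      ROOT_URL=http://$DOMAIN
+    fi
+
+    if [ -z $SSH_DOMAIN ]; then
+      SSH_DOMAIN=$DOMAIN
+    fi
+  else
+    if [ -n $ENABLE_SSL ]; then
+      echo "Can't use ENABLE_SSL without DOMAIN set"
+      exit 1
+    fi
+  fi
 fi
 set +a
 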
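Review bot: `if [ -n $DOMAIN ]` at new line 56 becomes `[ -n ]` when DOMAIN is unset, which is true (a one-argument test only checks that the string `-n` is non-empty), so the DOMAIN-missing branch at lines 66-71 is unreachable and ROOT_URL is set to a bare `https://` or `http://`; `[ -n $ENABLE_SSL ]` at lines 57 and 67 misfires the same way, selecting the https URL whenever ENABLE_SSL is unset. Quote the expansions: `if [ -n "$DOMAIN" ]; then`, `if [ -n "$ENABLE_SSL" ]; then`, `if [ -z "$SSH_DOMAIN" ]; then`. The unquoted `[ -n $ENABLE_SSL ]` at line 2 of files/usr/bin/ssl-auto-renew has the same flaw. Separately, the unchanged context line 43, `DB_PASSWD=$(iniget /data/gitea/conf/app.ini database NAME)`, looks as if it should read PASSWD rather than NAME — worth confirming while this block is being touched.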

+ 10
- 0
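--- a/files/usr/bin/ssl-auto-renew
+++ b/files/usr/bin/ssl-auto-renew
@@ -0,0 +1,10 @@
+#!/bin/sh
+if [ -n $ENABLE_SSL ]; then
+  # exit if any of the required files for renew is missing
+  for file in /data/ssl/account.key /data/ssl/domain.csr; do
+    [[ ! -f $file ]] && exit
+  done
+
+  python3 -m acme_tiny --account-key /data/ssl/account.key --csr /data/ssl/domain.csr --acme-dir /run/nginx/challenges > /data/ssl/cert.crt
+  s6-svc -du /etc/s6/nginx
+fi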
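Review bot: `s6-svc -du /etc/s6/nginx` at new line 9 restarts nginx regardless of whether acme_tiny at line 8 succeeded, and because the redirect on that line has already truncated /data/ssl/cert.crt, a failed renewal (network error, ACME rate limit, stale account key) brings nginx back with an empty certificate file and takes the site down until someone intervenes. Write the new certificate to a temporary file and only replace cert.crt and restart on success: `python3 -m acme_tiny --account-key /data/ssl/account.key --csr /data/ssl/domain.csr --acme-dir /run/nginx/challenges > /data/ssl/cert.crt.tmp && mv /data/ssl/cert.crt.tmp /data/ssl/cert.crt && s6-svc -du /etc/s6/nginx`. `[[ ! -f $file ]]` at line 5 is a bash-style test under `#!/bin/sh`; `[ ! -f "$file" ] && exit` is the portable form, and a short comment that the silent exit is intentional for images running without SSL would help the next reader.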
