Add nginx+https and volume to gitea

prod/git-jeremydormitzer-com/packer/.envrc

@@ -5,6 +5,7 @@ source_up
 # export GITEA_SECRET_KEY=$(pass packer-gitea-secret-key)
 # export GITEA_INTERNAL_TOKEN=$(pass packer-gitea-internal-token)
 # export GITEA_JWT_SECRET=$(pass packer-gitea-jwt-secret)
+# export CERTBOT_EMAIL=$(pass certbot-email)
 
 if [ -f ".env.local" ]; then
     echo "sourcing .env.local"

prod/git-jeremydormitzer-com/packer/.gitignore

@@ -1 +1,3 @@
-files/app.ini
+files/app.ini
+tmp/
+certbot/

prod/git-jeremydormitzer-com/packer/Makefile

@@ -1,9 +1,39 @@
+.PHONY: reissue-certs
+
 packer-manifest.json: gitea.json \
                       scripts/dependencies.sh \
+                      scripts/volume.sh \
                       files/gitea.service \
                       files/app.ini \
-                      scripts/gitea.sh
+                      scripts/gitea.sh \
+                      files/gitea-nginx.conf \
+                      scripts/nginx.sh \
+                      certbot/live/git.jeremydormitzer.com/fullchain.pem \
+                      certbot/live/git.jeremydormitzer.com/privkey.pem
 	packer build gitea.json
 
 files/app.ini: templates/app.ini.template
 	sigil -p -f templates/app.ini.template > files/app.ini
+
+certbot/live/git.jeremydormitzer.com/fullchain.pem certbot/live/git.jeremydormitzer.com/privkey.pem &: tmp/do.ini
+	certbot certonly -n \
+                         --agree-tos \
+                         --email ${CERTBOT_EMAIL} \
+                         --dns-digitalocean \
+                         --dns-digitalocean-credentials tmp/do.ini \
+                         --config-dir ./certbot \
+                         --work-dir ./certbot \
+                         --logs-dir ./certbot \
+                         -d git.jeremydormitzer.com
+
+
+tmp/do.ini: templates/do.ini.template tmp
+	sigil -p -f templates/do.ini.template > tmp/do.ini
+	chmod 600 tmp/do.ini
+
+tmp:
+	mkdir tmp
+
+reissue-certs:
+	rm -rf certbot
+	make

prod/git-jeremydormitzer-com/packer/files/gitea-nginx.conf

@@ -0,0 +1,28 @@
+server {
+    listen [::]:443 ssl ipv6only=on;
+    listen 443 ssl;
+
+    ssl_certificate /var/www/gitea/fullchain.pem;
+    ssl_certificate_key /var/www/gitea/privkey.pem;
+
+    ssl_session_cache shared:le_nginx_SSL:1m;
+    ssl_session_timeout 1440m;
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+
+    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+
+    error_log /var/log/nginx/gitea_error.log;
+    access_log /var/log/nginx/gitea_access.log;
+
+    location / {
+        proxy_pass http://localhost:3000;
+    }
+}
+
+server {
+       listen 80;
+       listen [::]:80;
+       return 301 https://$host$request_uri;
+}

prod/git-jeremydormitzer-com/packer/files/gitea.service

@@ -50,13 +50,13 @@ RestartSec=2s
 Type=simple
 User=git
 Group=git
-WorkingDirectory=/var/lib/gitea/
+WorkingDirectory=/mnt/gitea/
 # If using Unix socket: tells systemd to create the /run/gitea folder, which will contain the gitea.sock file
 # (manually creating /run/gitea doesn't work, because it would not persist across reboots)
 #RuntimeDirectory=gitea
 ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
 Restart=always
-Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/mnt/gitea
 # If you install Git to directory prefix other than default PATH (which happens
 # for example if you install other versions of Git side-to-side with
 # distribution version), uncomment below line and add that prefix to PATH

prod/git-jeremydormitzer-com/packer/gitea.json

@@ -14,6 +14,10 @@
       "type": "shell",
       "script": "scripts/dependencies.sh"
     },
+    {
+      "type": "shell",
+      "script": "scripts/volume.sh"
+    },
     {
       "type": "file",
       "source": "files/app.ini",
@@ -27,6 +31,25 @@
     {
       "type": "shell",
       "script": "scripts/gitea.sh"
+    },
+    {
+      "type": "file",
+      "source": "files/gitea-nginx.conf",
+      "destination": "/tmp/gitea-nginx.conf"
+    },
+    {
+      "type": "file",
+      "source": "certbot/live/git.jeremydormitzer.com/fullchain.pem",
+      "destination": "/tmp/fullchain.pem"
+    },
+    {
+      "type": "file",
+      "source": "certbot/live/git.jeremydormitzer.com/privkey.pem",
+      "destination": "/tmp/privkey.pem"
+    },
+    {
+      "type": "shell",
+      "script": "scripts/nginx.sh"
     }
   ],
   "post-processors": [

prod/git-jeremydormitzer-com/packer/packer-manifest.json

@@ -44,7 +44,88 @@
       "artifact_id": "nyc1:77401090",
       "packer_run_uuid": "2b450ccd-716f-5c9c-20da-662e79a0b929",
       "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611589317,
+      "files": null,
+      "artifact_id": "nyc1:77556065",
+      "packer_run_uuid": "e2582fd0-50a1-ff12-55d4-e2b8c3d8f219",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611590422,
+      "files": null,
+      "artifact_id": "nyc1:77556468",
+      "packer_run_uuid": "fc433d91-57be-76b1-8556-9db7db2bec1a",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611592717,
+      "files": null,
+      "artifact_id": "nyc1:77557404",
+      "packer_run_uuid": "263c77ab-063b-0cdc-fa3b-2ade99fc7c13",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611593408,
+      "files": null,
+      "artifact_id": "nyc1:77557615",
+      "packer_run_uuid": "19edc202-d12a-44ac-45ca-b4bb7ad9b50d",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611597797,
+      "files": null,
+      "artifact_id": "nyc1:77559148",
+      "packer_run_uuid": "e6bf1c31-9406-7aec-c5b4-e1a7e43bb712",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611598412,
+      "files": null,
+      "artifact_id": "nyc1:77559258",
+      "packer_run_uuid": "808d4681-7b0f-cda7-9dde-fc47861f18c5",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611599594,
+      "files": null,
+      "artifact_id": "nyc1:77560033",
+      "packer_run_uuid": "dfbec72e-764d-5f5c-8a58-f82102f1b295",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611608782,
+      "files": null,
+      "artifact_id": "nyc1:77566816",
+      "packer_run_uuid": "88d9d9f3-e664-2d8b-fafb-8c0a63bdc418",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611613275,
+      "files": null,
+      "artifact_id": "nyc1:77570642",
+      "packer_run_uuid": "c224b88a-0de7-6e4e-7057-c45a0521ee64",
+      "custom_data": null
     }
   ],
-  "last_run_uuid": "2b450ccd-716f-5c9c-20da-662e79a0b929"
+  "last_run_uuid": "c224b88a-0de7-6e4e-7057-c45a0521ee64"
 }

prod/git-jeremydormitzer-com/packer/scripts/dependencies.sh

@@ -3,4 +3,4 @@
 set -ex
 
 sudo apt-get update
-sudo apt-get install -y git
+sudo apt-get install -y git bindfs

prod/git-jeremydormitzer-com/packer/scripts/gitea.sh

@@ -11,9 +11,6 @@ adduser \
    --home /home/git \
    git
 
-mkdir -p /var/lib/gitea/{custom,data,log}
-chown -R git:git /var/lib/gitea/
-chmod -R 750 /var/lib/gitea/
 mkdir /etc/gitea
 mv /tmp/app.ini /etc/gitea/app.ini
 chown -R root:git /etc/gitea

prod/git-jeremydormitzer-com/packer/scripts/nginx.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -ex
+
+sudo apt-get install -y nginx
+sudo mv /tmp/gitea-nginx.conf /etc/nginx/sites-available/gitea.conf
+sudo ln -s /etc/nginx/sites-available/gitea.conf \
+     /etc/nginx/sites-enabled/
+sudo unlink /etc/nginx/sites-enabled/default
+
+sudo mkdir -p /var/www/gitea
+sudo mv /tmp/fullchain.pem /var/www/gitea/fullchain.pem
+sudo mv /tmp/privkey.pem /var/www/gitea/privkey.pem
+chown www-data:www-data /var/www/gitea/{fullchain,privkey}.pem
+
+sudo systemctl enable nginx

prod/git-jeremydormitzer-com/packer/scripts/volume.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+set -ex
+
+sudo echo "/dev/disk/by-label/gitea-volume /mnt/gitea-volume ext4 defaults,nofail,discard,noatime 0 2" >> /etc/fstab
+sudo echo "/mnt/gitea-volume /mnt/gitea fuse.bindfs force-user=git,force-group=git 0 0" >> /etc/fstab
+sudo echo "/mnt/gitea/.ssh /home/git/.ssh fuse.bindfs force-user=git,force-group=git,perms=700" >> /etc/fstab

prod/git-jeremydormitzer-com/packer/templates/app.ini.template

@@ -6,6 +6,7 @@ RUN_MODE = prod
 JWT_SECRET = ${GITEA_JWT_SECRET:?}
 
 [security]
+INSTALL_LOCK   = true
 INTERNAL_TOKEN = ${GITEA_INTERNAL_TOKEN:?}
 SECRET_KEY     = ${GITEA_SECRET_KEY:?}
 
@@ -18,11 +19,12 @@ PASSWD   =
 SCHEMA   = 
 SSL_MODE = disable
 CHARSET  = utf8
-PATH     = /var/lib/gitea/data/gitea.db
+PATH     = /mnt/gitea/gitea.db
 LOG_SQL  = false
 
 [repository]
-ROOT = /home/git/gitea-repositories
+ROOT = /mnt/gitea/gitea-repositories
+ENABLE_PUSH_CREATE_USER = true
 
 [server]
 SSH_DOMAIN       = git.jeremydormitzer.com
@@ -32,7 +34,7 @@ ROOT_URL         = https://git.jeremydormitzer.com/
 DISABLE_SSH      = false
 SSH_PORT         = 22
 LFS_START_SERVER = true
-LFS_CONTENT_PATH = /var/lib/gitea/data/lfs
+LFS_CONTENT_PATH = /mnt/gitea/lfs
 LFS_JWT_SECRET   = ${GITEA_LFS_JWT_SECRET:?}
 OFFLINE_MODE     = false
 
@@ -69,7 +71,7 @@ PROVIDER = file
 [log]
 MODE                 = console
 LEVEL                = info
-ROOT_PATH            = /var/lib/gitea/log
+ROOT_PATH            = /mnt/gitea/log
 REDIRECT_MACARON_LOG = true
 MACARON              = console
 ROUTER               = console

prod/git-jeremydormitzer-com/packer/templates/do.ini.template

@@ -0,0 +1 @@
+dns_digitalocean_token = ${DIGITALOCEAN_API_TOKEN:?}

prod/git-jeremydormitzer-com/terraform/main.tf

@@ -20,3 +20,22 @@ module "packer_droplet" {
   spaces_access_id  = var.spaces_access_id
   spaces_secret_key = var.spaces_secret_key
 }
+
+resource "digitalocean_volume" "gitea_volume" {
+  name                     = "gitea-volume"
+  description              = "The volume to hold Gitea repositories and data"
+  region                   = "nyc1"
+  size                     = 20
+  initial_filesystem_label = "gitea-volume"
+  initial_filesystem_type  = "ext4"
+  tags                     = ["terraform"]
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+resource "digitalocean_volume_attachment" "gitea" {
+  droplet_id = module.packer_droplet.droplet_id
+  volume_id  = digitalocean_volume.gitea_volume.id
+}