From 0843cccd5094e080ea2d29ec7426aaabea21a501 Mon Sep 17 00:00:00 2001
From: Jeremy Dormitzer
Date: Mon, 25 Jan 2021 17:56:15 -0500
Subject: [PATCH] Add nginx+https and volume to gitea
---
prod/git-jeremydormitzer-com/packer/.envrc | 1 +
.../git-jeremydormitzer-com/packer/.gitignore | 4 +-
prod/git-jeremydormitzer-com/packer/Makefile | 32 ++++++-
.../packer/files/gitea-nginx.conf | 28 +++++++
.../packer/files/gitea.service | 4 +-
.../git-jeremydormitzer-com/packer/gitea.json | 23 +++++
.../packer/packer-manifest.json | 83 ++++++++++++++++++-
.../packer/scripts/dependencies.sh | 2 +-
.../packer/scripts/gitea.sh | 3 -
.../packer/scripts/nginx.sh | 16 ++++
.../packer/scripts/volume.sh | 7 ++
.../packer/templates/app.ini.template | 10 ++-
.../packer/templates/do.ini.template | 1 +
.../git-jeremydormitzer-com/terraform/main.tf | 19 +++++
14 files changed, 220 insertions(+), 13 deletions(-)
create mode 100644 prod/git-jeremydormitzer-com/packer/files/gitea-nginx.conf
create mode 100644 prod/git-jeremydormitzer-com/packer/scripts/nginx.sh
create mode 100644 prod/git-jeremydormitzer-com/packer/scripts/volume.sh
create mode 100644 prod/git-jeremydormitzer-com/packer/templates/do.ini.template
diff --git a/prod/git-jeremydormitzer-com/packer/.envrc b/prod/git-jeremydormitzer-com/packer/.envrc
index 021a79e..31e4204 100644
--- a/prod/git-jeremydormitzer-com/packer/.envrc
+++ b/prod/git-jeremydormitzer-com/packer/.envrc
@@ -5,6 +5,7 @@ source_up
 # export GITEA_SECRET_KEY=$(pass packer-gitea-secret-key)
 # export GITEA_INTERNAL_TOKEN=$(pass packer-gitea-internal-token)
 # export GITEA_JWT_SECRET=$(pass packer-gitea-jwt-secret)
+# export CERTBOT_EMAIL=$(pass certbot-email)
 
 if [ -f ".env.local" ]; then
 echo "sourcing .env.local"
diff --git a/prod/git-jeremydormitzer-com/packer/.gitignore b/prod/git-jeremydormitzer-com/packer/.gitignore
index 0b3b071..6f7c105 100644
--- a/prod/git-jeremydormitzer-com/packer/.gitignore
+++ b/prod/git-jeremydormitzer-com/packer/.gitignore
@@ -1 +1,3 @@
-files/app.ini
\ No newline at end of file
+files/app.ini
+tmp/
+certbot/
\ No newline at end of file
diff --git a/prod/git-jeremydormitzer-com/packer/Makefile b/prod/git-jeremydormitzer-com/packer/Makefile
index 64eb606..2975d85 100644
--- a/prod/git-jeremydormitzer-com/packer/Makefile
+++ b/prod/git-jeremydormitzer-com/packer/Makefile
@@ -1,9 +1,39 @@
+.PHONY: reissue-certs
+
 packer-manifest.json: gitea.json \
 scripts/dependencies.sh \
+ scripts/volume.sh \
 files/gitea.service \
 files/app.ini \
- scripts/gitea.sh
+ scripts/gitea.sh \
+ files/gitea-nginx.conf \
+ scripts/nginx.sh \
+ certbot/live/git.jeremydormitzer.com/fullchain.pem \
+ certbot/live/git.jeremydormitzer.com/privkey.pem
 packer build gitea.json
 
 files/app.ini: templates/app.ini.template
 sigil -p -f templates/app.ini.template > files/app.ini
+
+certbot/live/git.jeremydormitzer.com/fullchain.pem certbot/live/git.jeremydormitzer.com/privkey.pem &: tmp/do.ini
+ certbot certonly -n \
+ --agree-tos \
+ --email ${CERTBOT_EMAIL} \
+ --dns-digitalocean \
+ --dns-digitalocean-credentials tmp/do.ini \
+ --config-dir ./certbot \
+ --work-dir ./certbot \
+ --logs-dir ./certbot \
+ -d git.jeremydormitzer.com
+
+
+tmp/do.ini: templates/do.ini.template tmp
+ sigil -p -f templates/do.ini.template > tmp/do.ini
+ chmod 600 tmp/do.ini
+
+tmp:
+ mkdir tmp
+
+reissue-certs:
+ rm -rf certbot
+ make
diff --git a/prod/git-jeremydormitzer-com/packer/files/gitea-nginx.conf b/prod/git-jeremydormitzer-com/packer/files/gitea-nginx.conf
new file mode 100644
index 0000000..9353285
--- /dev/null
+++ b/prod/git-jeremydormitzer-com/packer/files/gitea-nginx.conf
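Review bot: The `tmp/do.ini` recipe creates the file with `sigil ... > tmp/do.ini` under the caller's umask and only then runs `chmod 600`, so the DigitalOcean API token rendered into it is briefly readable by other local users on a default 022 umask; each recipe line is its own shell, so the fix has to sit on the same line: `umask 077; sigil -p -f templates/do.ini.template > tmp/do.ini`. The certbot target also produces a private key on the build host that is then baked into the image, and nothing here renews it; a comment such as `# Let's Encrypt certificates expire after 90 days: run 'make reissue-certs' and rebuild the image before then` would make that operational requirement visible. The `reissue-certs` recipe should invoke `$(MAKE)` rather than `make` so flags and the make binary propagate.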
@@ -0,0 +1,28 @@
+server {
+ listen [::]:443 ssl ipv6only=on;
+ listen 443 ssl;
+
+ ssl_certificate /var/www/gitea/fullchain.pem;
+ ssl_certificate_key /var/www/gitea/privkey.pem;
+
+ ssl_session_cache shared:le_nginx_SSL:1m;
+ ssl_session_timeout 1440m;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+
+ ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+
+ error_log /var/log/nginx/gitea_error.log;
+ access_log /var/log/nginx/gitea_access.log;
+
+ location / {
+ proxy_pass http://localhost:3000;
+ }
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ return 301 https://$host$request_uri;
+}
\ No newline at end of file
diff --git a/prod/git-jeremydormitzer-com/packer/files/gitea.service b/prod/git-jeremydormitzer-com/packer/files/gitea.service
index d6bcd7d..6226843 100644
--- a/prod/git-jeremydormitzer-com/packer/files/gitea.service
+++ b/prod/git-jeremydormitzer-com/packer/files/gitea.service
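Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables two protocol versions that are deprecated (RFC 8996), and the `ssl_ciphers` list carries 3DES (`DES-CBC3-SHA`) and static-RSA suites with no forward secrecy; for a single Git host there is no client that needs any of this, so restrict to TLS 1.2 and, if the image's nginx/OpenSSL support it, TLS 1.3 with an AEAD-only list. The `location /` block also forwards nothing about the client: without `X-Real-IP`/`X-Forwarded-For` every login attempt Gitea logs comes from 127.0.0.1, and without `X-Forwarded-Proto` Gitea cannot tell it was reached over HTTPS. Since port 80 already redirects to HTTPS, an HSTS header is safe to add. Rewritten lines below; the certificate, session and logging directives are unchanged.
```nginx
server {
    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    # … unchanged: ssl_certificate / ssl_certificate_key / ssl_session_* …

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
    add_header Strict-Transport-Security "max-age=63072000" always;

    # … unchanged: error_log / access_log …

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```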
@@ -50,13 +50,13 @@ RestartSec=2s
 Type=simple
 User=git
 Group=git
-WorkingDirectory=/var/lib/gitea/
+WorkingDirectory=/mnt/gitea/
 # If using Unix socket: tells systemd to create the /run/gitea folder, which will contain the gitea.sock file
 # (manually creating /run/gitea doesn't work, because it would not persist across reboots)
 #RuntimeDirectory=gitea
 ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
 Restart=always
-Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/mnt/gitea
 # If you install Git to directory prefix other than default PATH (which happens
 # for example if you install other versions of Git side-to-side with
 # distribution version), uncomment below line and add that prefix to PATH
diff --git a/prod/git-jeremydormitzer-com/packer/gitea.json b/prod/git-jeremydormitzer-com/packer/gitea.json
index b69f468..a77da3e 100644
--- a/prod/git-jeremydormitzer-com/packer/gitea.json
+++ b/prod/git-jeremydormitzer-com/packer/gitea.json
@@ -14,6 +14,10 @@
 "type": "shell",
 "script": "scripts/dependencies.sh"
 },
+ {
+ "type": "shell",
+ "script": "scripts/volume.sh"
+ },
 {
 "type": "file",
 "source": "files/app.ini",
@@ -27,6 +31,25 @@
 {
 "type": "shell",
 "script": "scripts/gitea.sh"
+ },
+ {
+ "type": "file",
+ "source": "files/gitea-nginx.conf",
+ "destination": "/tmp/gitea-nginx.conf"
+ },
+ {
+ "type": "file",
+ "source": "certbot/live/git.jeremydormitzer.com/fullchain.pem",
+ "destination": "/tmp/fullchain.pem"
+ },
+ {
+ "type": "file",
+ "source": "certbot/live/git.jeremydormitzer.com/privkey.pem",
+ "destination": "/tmp/privkey.pem"
+ },
+ {
+ "type": "shell",
+ "script": "scripts/nginx.sh"
 }
 ],
 "post-processors": [
diff --git a/prod/git-jeremydormitzer-com/packer/packer-manifest.json b/prod/git-jeremydormitzer-com/packer/packer-manifest.json
index 2a33bf3..5005ad4 100644
--- a/prod/git-jeremydormitzer-com/packer/packer-manifest.json
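Review bot: `WorkingDirectory=/mnt/gitea/` and `GITEA_WORK_DIR=/mnt/gitea` now point at a bindfs mount that fstab brings up from the attached volume, but nothing in the unit orders gitea after that mount; the `[Unit]` section lies outside this hunk. If the volume or the bindfs layer is not mounted yet when the service starts, gitea runs against an empty directory on the root filesystem and, with the sqlite `PATH` in app.ini also under `/mnt/gitea`, would create a fresh empty database there rather than fail. Adding `RequiresMountsFor=/mnt/gitea` to `[Unit]` makes systemd pull in and wait for the mount (and fail the service if it fails) instead.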
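Review bot: The `file` provisioner for `certbot/live/git.jeremydormitzer.com/privkey.pem` drops the production TLS private key into `/tmp/privkey.pem` on the build droplet, a directory every local user can list, and the provisioner sets no mode on what it uploads; more importantly the key then ends up inside the DigitalOcean snapshot this build produces, so anyone who can read or launch that image holds the key. Consider delivering the key at deploy time (cloud-init user data or a secret fetched on first boot) rather than baking it in, so a leaked or retired image does not also leak the key. If it stays in the image, at least have `scripts/nginx.sh` `chmod 600` it immediately after the move, and treat a rebuild as a key-rotation event.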
+++ b/prod/git-jeremydormitzer-com/packer/packer-manifest.json 
@@ -44,7 +44,88 @@ "artifact_id": "nyc1:77401090", "packer_run_uuid": "2b450ccd-716f-5c9c-20da-662e79a0b929", "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1611589317, + "files": null, + "artifact_id": "nyc1:77556065", + "packer_run_uuid": "e2582fd0-50a1-ff12-55d4-e2b8c3d8f219", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1611590422, + "files": null, + "artifact_id": "nyc1:77556468", + "packer_run_uuid": "fc433d91-57be-76b1-8556-9db7db2bec1a", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1611592717, + "files": null, + "artifact_id": "nyc1:77557404", + "packer_run_uuid": "263c77ab-063b-0cdc-fa3b-2ade99fc7c13", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1611593408, + "files": null, + "artifact_id": "nyc1:77557615", + "packer_run_uuid": "19edc202-d12a-44ac-45ca-b4bb7ad9b50d", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1611597797, + "files": null, + "artifact_id": "nyc1:77559148", + "packer_run_uuid": "e6bf1c31-9406-7aec-c5b4-e1a7e43bb712", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1611598412, + "files": null, + "artifact_id": "nyc1:77559258", + "packer_run_uuid": "808d4681-7b0f-cda7-9dde-fc47861f18c5", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1611599594, + "files": null, + "artifact_id": "nyc1:77560033", + "packer_run_uuid": "dfbec72e-764d-5f5c-8a58-f82102f1b295", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1611608782, + "files": null, + "artifact_id": "nyc1:77566816", + "packer_run_uuid": "88d9d9f3-e664-2d8b-fafb-8c0a63bdc418", + "custom_data": null + }, + { + "name": 
"digitalocean", + "builder_type": "digitalocean", + "build_time": 1611613275, + "files": null, + "artifact_id": "nyc1:77570642", + "packer_run_uuid": "c224b88a-0de7-6e4e-7057-c45a0521ee64", + "custom_data": null } ], - "last_run_uuid": "2b450ccd-716f-5c9c-20da-662e79a0b929" + "last_run_uuid": "c224b88a-0de7-6e4e-7057-c45a0521ee64" } \ No newline at end of file diff --git a/prod/git-jeremydormitzer-com/packer/scripts/dependencies.sh b/prod/git-jeremydormitzer-com/packer/scripts/dependencies.sh index e9a257b..5955e1a 100644 --- a/prod/git-jeremydormitzer-com/packer/scripts/dependencies.sh +++ b/prod/git-jeremydormitzer-com/packer/scripts/dependencies.sh @@ -3,4 +3,4 @@ set -ex sudo apt-get update -sudo apt-get install -y git +sudo apt-get install -y git bindfs diff --git a/prod/git-jeremydormitzer-com/packer/scripts/gitea.sh b/prod/git-jeremydormitzer-com/packer/scripts/gitea.sh index 91db7e3..17d3a51 100644 --- a/prod/git-jeremydormitzer-com/packer/scripts/gitea.sh +++ b/prod/git-jeremydormitzer-com/packer/scripts/gitea.sh @@ -11,9 +11,6 @@ adduser \ --home /home/git \ git -mkdir -p /var/lib/gitea/{custom,data,log} -chown -R git:git /var/lib/gitea/ -chmod -R 750 /var/lib/gitea/ mkdir /etc/gitea mv /tmp/app.ini /etc/gitea/app.ini chown -R root:git /etc/gitea diff --git a/prod/git-jeremydormitzer-com/packer/scripts/nginx.sh b/prod/git-jeremydormitzer-com/packer/scripts/nginx.sh new file mode 100644 index 0000000..a9d6244 --- /dev/null +++ b/prod/git-jeremydormitzer-com/packer/scripts/nginx.sh 
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -ex
+
+sudo apt-get install -y nginx
+sudo mv /tmp/gitea-nginx.conf /etc/nginx/sites-available/gitea.conf
+sudo ln -s /etc/nginx/sites-available/gitea.conf \
+ /etc/nginx/sites-enabled/
+sudo unlink /etc/nginx/sites-enabled/default
+
+sudo mkdir -p /var/www/gitea
+sudo mv /tmp/fullchain.pem /var/www/gitea/fullchain.pem
+sudo mv /tmp/privkey.pem /var/www/gitea/privkey.pem
+chown www-data:www-data /var/www/gitea/{fullchain,privkey}.pem
+
+sudo systemctl enable nginx
diff --git a/prod/git-jeremydormitzer-com/packer/scripts/volume.sh b/prod/git-jeremydormitzer-com/packer/scripts/volume.sh
new file mode 100644
index 0000000..8687fcd
--- /dev/null
+++ b/prod/git-jeremydormitzer-com/packer/scripts/volume.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+set -ex
+
+sudo echo "/dev/disk/by-label/gitea-volume /mnt/gitea-volume ext4 defaults,nofail,discard,noatime 0 2" >> /etc/fstab
+sudo echo "/mnt/gitea-volume /mnt/gitea fuse.bindfs force-user=git,force-group=git 0 0" >> /etc/fstab
+sudo echo "/mnt/gitea/.ssh /home/git/.ssh fuse.bindfs force-user=git,force-group=git,perms=700" >> /etc/fstab
diff --git a/prod/git-jeremydormitzer-com/packer/templates/app.ini.template b/prod/git-jeremydormitzer-com/packer/templates/app.ini.template
index 9aaf5e7..fa3001f 100644
--- a/prod/git-jeremydormitzer-com/packer/templates/app.ini.template
+++ b/prod/git-jeremydormitzer-com/packer/templates/app.ini.template
@@ -6,6 +6,7 @@ RUN_MODE = prod
 JWT_SECRET = ${GITEA_JWT_SECRET:?}
 
 [security]
+INSTALL_LOCK = true
 INTERNAL_TOKEN = ${GITEA_INTERNAL_TOKEN:?}
 SECRET_KEY = ${GITEA_SECRET_KEY:?}
 
@@ -18,11 +19,12 @@ PASSWD =
 SCHEMA =
 SSL_MODE = disable
 CHARSET = utf8
-PATH = /var/lib/gitea/data/gitea.db
+PATH = /mnt/gitea/gitea.db
 LOG_SQL = false
 
 [repository]
-ROOT = /home/git/gitea-repositories
+ROOT = /mnt/gitea/gitea-repositories
+ENABLE_PUSH_CREATE_USER = true
 
 [server]
 SSH_DOMAIN = git.jeremydormitzer.com
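Review bot: `chown www-data:www-data /var/www/gitea/{fullchain,privkey}.pem` hands the private key to the nginx worker user and never restricts its mode, so it keeps whatever permissions the upload gave it; the nginx master process reads the key as root, so the workers do not need to own it, and a root-owned 0600 key is what keeps a compromised worker from reading it. Replace the line with `sudo chown root:root /var/www/gitea/{fullchain,privkey}.pem`, `sudo chmod 644 /var/www/gitea/fullchain.pem` and `sudo chmod 600 /var/www/gitea/privkey.pem`. That line is also the only command in the script without `sudo`: if the provisioner already runs as root the other `sudo`s are redundant, and if it does not, `set -e` would abort the build here, so pick one convention. A `sudo nginx -t` before `systemctl enable nginx` would catch a broken `gitea.conf` at image-build time rather than at first boot.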
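Review bot: `sudo echo "..." >> /etc/fstab` does not do what it looks like: the `>>` redirection is opened by the unprivileged calling shell before `sudo` runs, so these lines only succeed when the script is already root (making `sudo` a no-op) and fail with permission denied otherwise; the idiom is `echo "..." | sudo tee -a /etc/fstab`. The third entry also omits the dump/pass fields (`0 0`) that the other two carry, and the two bindfs entries have no `x-systemd.requires=/mnt/gitea-volume`, so with `nofail` on the volume they may be attempted before it is mounted. Nothing in this commit creates `/mnt/gitea/.ssh` on the volume, which the last entry needs to exist; presumably that is done by hand on first boot, and it is worth a comment saying so.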
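Review bot: `INSTALL_LOCK = true` disables the web installer, which is right for an image that ships its secrets pre-rendered, but it also means the instance comes up with no administrator and one must be created out of band (e.g. `gitea admin user create --admin ...` as the `git` user); nothing in this commit does that, so a comment in the template would save the next operator a surprise. `ENABLE_PUSH_CREATE_USER = true` lets any authenticated account create a repository simply by pushing to a new name; fine for a single-user host, but state the intent next to it, e.g. `; any authenticated user may create a repo by pushing to a new name`.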
@@ -32,7 +34,7 @@ ROOT_URL = https://git.jeremydormitzer.com/
 DISABLE_SSH = false
 SSH_PORT = 22
 LFS_START_SERVER = true
-LFS_CONTENT_PATH = /var/lib/gitea/data/lfs
+LFS_CONTENT_PATH = /mnt/gitea/lfs
 LFS_JWT_SECRET = ${GITEA_LFS_JWT_SECRET:?}
 OFFLINE_MODE = false
 
@@ -69,7 +71,7 @@ PROVIDER = file
 [log]
 MODE = console
 LEVEL = info
-ROOT_PATH = /var/lib/gitea/log
+ROOT_PATH = /mnt/gitea/log
 REDIRECT_MACARON_LOG = true
 MACARON = console
 ROUTER = console
\ No newline at end of file
diff --git a/prod/git-jeremydormitzer-com/packer/templates/do.ini.template b/prod/git-jeremydormitzer-com/packer/templates/do.ini.template
new file mode 100644
index 0000000..7c6ec3f
--- /dev/null
+++ b/prod/git-jeremydormitzer-com/packer/templates/do.ini.template
@@ -0,0 +1 @@
+dns_digitalocean_token = ${DIGITALOCEAN_API_TOKEN:?}
\ No newline at end of file
diff --git a/prod/git-jeremydormitzer-com/terraform/main.tf b/prod/git-jeremydormitzer-com/terraform/main.tf
index 9ff1ad8..0fc00ea 100644
--- a/prod/git-jeremydormitzer-com/terraform/main.tf
+++ b/prod/git-jeremydormitzer-com/terraform/main.tf
@@ -20,3 +20,22 @@ module "packer_droplet" {
 spaces_access_id = var.spaces_access_id
 spaces_secret_key = var.spaces_secret_key
 }
+
+resource "digitalocean_volume" "gitea_volume" {
+ name = "gitea-volume"
+ description = "The volume to hold Gitea repositories and data"
+ region = "nyc1"
+ size = 20
+ initial_filesystem_label = "gitea-volume"
+ initial_filesystem_type = "ext4"
+ tags = ["terraform"]
+
+ lifecycle {
+ prevent_destroy = true
+ }
+}
+
+resource "digitalocean_volume_attachment" "gitea" {
+ droplet_id = module.packer_droplet.droplet_id
+ volume_id = digitalocean_volume.gitea_volume.id
+}
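Review bot: `initial_filesystem_label = "gitea-volume"` is load-bearing: the image's fstab mounts `/dev/disk/by-label/gitea-volume`, so renaming the label here silently leaves the droplet booting without its data volume; a comment such as `# Label must match /dev/disk/by-label/gitea-volume in packer/scripts/volume.sh` ties the two together. `region = "nyc1"` is hard-coded and must equal the droplet's region for the attachment to succeed; the module's region is not visible in this hunk, so reference it (or a shared variable) if one exists. `prevent_destroy` protects against an accidental `terraform destroy`, but this volume is the only copy of the repositories and sqlite database and no snapshot or backup resource is declared.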