Put gitea behind the nginx proxy

2021-10-04 17:30:46 -04:00 · 2021-10-04 17:30:46 -04:00 · dd29785d86
commit dd29785d86
parent 2d82c0ad54
16 changed files with 287 additions and 130 deletions
--- a/mgmt/do-jeremydormitzer-com/terraform/data.tf
+++ b/mgmt/do-jeremydormitzer-com/terraform/data.tf
@ -1,4 +1,4 @@
-data "terraform_remote_state" "git_jeremydormitzer_com" {
+data "terraform_remote_state" "nginx" {
  backend = "s3"

  config = {
@ -9,7 +9,7 @@ data "terraform_remote_state" "git_jeremydormitzer_com" {
    region                      = "us-east-1"
    endpoint                    = "nyc3.digitaloceanspaces.com"
    bucket                      = "jdormit-tf-state"
-    key                         = "prod/gitea.tfstate"
+    key                         = "prod/nginx.tfstate"
  }
 }

--- a/mgmt/do-jeremydormitzer-com/terraform/main.tf
+++ b/mgmt/do-jeremydormitzer-com/terraform/main.tf
@ -46,7 +46,7 @@ resource "digitalocean_record" "git" {
  domain = digitalocean_domain.jeremydormitzer_com.name
  type   = "A"
  name   = "git"
-  value  = data.terraform_remote_state.git_jeremydormitzer_com.outputs.gitea_ip_address
+  value  = data.terraform_remote_state.nginx.outputs.nginx_ip_address
  ttl    = 3600
 }

--- a/prod/gitea/packer/.gitignore
+++ b/prod/gitea/packer/.gitignore
@ -1,3 +1 @@
-files/app.ini
-tmp/
-certbot/
+files/app.ini
--- a/prod/gitea/packer/Makefile
+++ b/prod/gitea/packer/Makefile
@ -5,35 +5,8 @@ packer-manifest.json: gitea.json \
                      scripts/volume.sh \
                      files/gitea.service \
                      files/app.ini \
-                      scripts/gitea.sh \
-                      files/gitea-nginx.conf \
-                      scripts/nginx.sh \
-                      certbot/live/git.jeremydormitzer.com/fullchain.pem \
-                      certbot/live/git.jeremydormitzer.com/privkey.pem
+                      scripts/gitea.sh
 	packer build gitea.json

 files/app.ini: templates/app.ini.template
 	sigil -p -f templates/app.ini.template > files/app.ini
-
-certbot/live/git.jeremydormitzer.com/fullchain.pem certbot/live/git.jeremydormitzer.com/privkey.pem &: tmp/do.ini
-	certbot certonly -n \
-                         --agree-tos \
-                         --email ${CERTBOT_EMAIL} \
-                         --dns-digitalocean \
-                         --dns-digitalocean-credentials tmp/do.ini \
-                         --config-dir ./certbot \
-                         --work-dir ./certbot \
-                         --logs-dir ./certbot \
-                         -d git.jeremydormitzer.com
-
-
-tmp/do.ini: templates/do.ini.template tmp
-	sigil -p -f templates/do.ini.template > tmp/do.ini
-	chmod 600 tmp/do.ini
-
-tmp:
-	mkdir tmp
-
-reissue-certs:
-	rm -rf certbot
-	make
--- a/prod/gitea/packer/files/gitea-nginx.conf
+++ b/prod/gitea/packer/files/gitea-nginx.conf
@ -1,28 +0,0 @@
-server {
-    listen [::]:443 ssl ipv6only=on;
-    listen 443 ssl;
-
-    ssl_certificate /var/www/gitea/fullchain.pem;
-    ssl_certificate_key /var/www/gitea/privkey.pem;
-
-    ssl_session_cache shared:le_nginx_SSL:1m;
-    ssl_session_timeout 1440m;
-
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_prefer_server_ciphers on;
-
-    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
-
-    error_log /var/log/nginx/gitea_error.log;
-    access_log /var/log/nginx/gitea_access.log;
-
-    location / {
-        proxy_pass http://localhost:3000;
-    }
-}
-
-server {
-       listen 80;
-       listen [::]:80;
-       return 301 https://$host$request_uri;
-}
--- a/prod/gitea/packer/gitea.json
+++ b/prod/gitea/packer/gitea.json
@ -31,25 +31,6 @@
    {
      "type": "shell",
      "script": "scripts/gitea.sh"
-    },
-    {
-      "type": "file",
-      "source": "files/gitea-nginx.conf",
-      "destination": "/tmp/gitea-nginx.conf"
-    },
-    {
-      "type": "file",
-      "source": "certbot/live/git.jeremydormitzer.com/fullchain.pem",
-      "destination": "/tmp/fullchain.pem"
-    },
-    {
-      "type": "file",
-      "source": "certbot/live/git.jeremydormitzer.com/privkey.pem",
-      "destination": "/tmp/privkey.pem"
-    },
-    {
-      "type": "shell",
-      "script": "scripts/nginx.sh"
    }
  ],
  "post-processors": [
--- a/prod/gitea/packer/packer-manifest.json
+++ b/prod/gitea/packer/packer-manifest.json
@ -134,7 +134,16 @@
      "artifact_id": "nyc1:92247567",
      "packer_run_uuid": "52ad5b0e-38ad-ec89-55ab-faa672baa34a",
      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1633381649,
+      "files": null,
+      "artifact_id": "nyc1:92993522",
+      "packer_run_uuid": "7adbc6f3-4862-2e30-c0d0-a604b107a1bc",
+      "custom_data": null
    }
  ],
-  "last_run_uuid": "52ad5b0e-38ad-ec89-55ab-faa672baa34a"
+  "last_run_uuid": "7adbc6f3-4862-2e30-c0d0-a604b107a1bc"
 }
--- a/prod/gitea/packer/scripts/dependencies.sh
+++ b/prod/gitea/packer/scripts/dependencies.sh
@ -2,5 +2,5 @@

 set -ex

-sudo apt-get update
+sudo apt-get update && sleep 5
 sudo apt-get install -y git bindfs
--- a/prod/gitea/packer/scripts/nginx.sh
+++ b/prod/gitea/packer/scripts/nginx.sh
@ -1,16 +0,0 @@
-#!/usr/bin/env bash
-
-set -ex
-
-sudo apt-get install -y nginx
-sudo mv /tmp/gitea-nginx.conf /etc/nginx/sites-available/gitea.conf
-sudo ln -s /etc/nginx/sites-available/gitea.conf \
-     /etc/nginx/sites-enabled/
-sudo unlink /etc/nginx/sites-enabled/default
-
-sudo mkdir -p /var/www/gitea
-sudo mv /tmp/fullchain.pem /var/www/gitea/fullchain.pem
-sudo mv /tmp/privkey.pem /var/www/gitea/privkey.pem
-chown www-data:www-data /var/www/gitea/{fullchain,privkey}.pem
-
-sudo systemctl enable nginx
--- a/prod/gitea/packer/templates/do.ini.template
+++ b/prod/gitea/packer/templates/do.ini.template
@ -1 +0,0 @@
-dns_digitalocean_token = ${DIGITALOCEAN_API_TOKEN:?}
--- a/prod/nginx/packer/files/sshd_config
+++ b/prod/nginx/packer/files/sshd_config
@ -0,0 +1,122 @@
+#       $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Port 222
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin yes
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem       sftp    /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#       X11Forwarding no
+#       AllowTcpForwarding no
+#       PermitTTY no
+#       ForceCommand cvs server
--- a/prod/nginx/packer/nginx.json
+++ b/prod/nginx/packer/nginx.json
@ -34,6 +34,11 @@
      "source": "files/certbot-renew.service",
      "destination": "/tmp/certbot-renew.service"
    },
+    {
+      "type": "file",
+      "source": "files/sshd_config",
+      "destination": "/tmp/sshd_config"
+    },
    {
      "type": "shell",
      "script": "scripts/nginx.sh"
--- a/prod/nginx/packer/packer-manifest.json
+++ b/prod/nginx/packer/packer-manifest.json
@ -8,7 +8,52 @@
      "artifact_id": "nyc1:92979065",
      "packer_run_uuid": "81fa12be-706c-56b2-80bb-e4133a2c4ffe",
      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1633381985,
+      "files": null,
+      "artifact_id": "nyc1:92994055",
+      "packer_run_uuid": "3175c525-7550-f016-4b23-5b8f1b544b69",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1633382771,
+      "files": null,
+      "artifact_id": "nyc1:92995027",
+      "packer_run_uuid": "7414490b-f330-d906-78e5-1b1dac89a265",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1633388606,
+      "files": null,
+      "artifact_id": "nyc1:92999824",
+      "packer_run_uuid": "26369d41-f7b3-bdda-57e0-e329c1836a53",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1633389351,
+      "files": null,
+      "artifact_id": "nyc1:93000183",
+      "packer_run_uuid": "7dc36fa3-25ac-fe47-0168-f90c160d3673",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1633445796,
+      "files": null,
+      "artifact_id": "nyc1:93041994",
+      "packer_run_uuid": "8a308586-3253-93bb-b2a7-c11151a8d19c",
+      "custom_data": null
    }
  ],
-  "last_run_uuid": "81fa12be-706c-56b2-80bb-e4133a2c4ffe"
+  "last_run_uuid": "8a308586-3253-93bb-b2a7-c11151a8d19c"
 }
--- a/prod/nginx/packer/scripts/nginx.sh
+++ b/prod/nginx/packer/scripts/nginx.sh
@ -11,10 +11,13 @@ sudo certbot certonly \
     --dns-digitalocean-credentials ~/do.ini \
     -d '*.jeremydormitzer.com'

-sudo mv /tmp/nginx.conf /etc/nginx/sites-available/default
+sudo mv /tmp/nginx.conf /etc/nginx/nginx.conf
 sudo mkdir -p /var/log/nginx
 sudo systemctl enable nginx

 sudo mv /tmp/certbot-renew.timer /etc/systemd/system/
 sudo mv /tmp/certbot-renew.service /etc/systemd/system/
 sudo systemctl enable certbot-renew.timer
+
+sudo mv /tmp/sshd_config /etc/ssh/sshd_config
+sudo systemctl restart sshd
--- a/prod/nginx/packer/terraform/main.tf
+++ b/prod/nginx/packer/terraform/main.tf
@ -24,7 +24,8 @@ resource "local_file" "nginx_config" {
          "ip" : "${data.terraform_remote_state.syncthing.outputs.ip_address}",
          "port" : "8384"
        }
-      ]
+      ],
+      "gitea_ip" : "${data.terraform_remote_state.gitea.outputs.gitea_ip_address}"
    }
  )
 }
--- a/prod/nginx/packer/terraform/templates/nginx.conf.template
+++ b/prod/nginx/packer/terraform/templates/nginx.conf.template
@ -1,31 +1,96 @@
-%{ for server in servers ~}
-server {
-    server_name ${server.domain};
-    access_log /var/log/nginx/${server.domain}-access.log;
-
-    location / {
-        proxy_pass http://${server.ip}:${server.port};
-    }
-
-    listen [::]:443 ssl ipv6only=on;
-    listen 443 ssl;
-    
-    ssl_certificate /etc/letsencrypt/live/jeremydormitzer.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/jeremydormitzer.com/privkey.pem;
-    
-    ssl_session_cache shared:le_nginx_SSL:1m;
-    ssl_session_timeout 1440m;
-    
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_prefer_server_ciphers on;
-    
-    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;

+events {
+   worker_connections 768;
+   # multi_accept on;
 }

-%{ endfor ~}
-server {
-    listen 80;
-    listen [::]:80;
-    return 301 https://$host$request_uri;
+http {
+    ##
+    # Basic Settings
+    ##
+
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    # server_tokens off;
+
+    # server_names_hash_bucket_size 64;
+    # server_name_in_redirect off;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    ##
+    # SSL Settings
+    ##
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+    ssl_prefer_server_ciphers on;
+
+    ##
+    # Logging Settings
+    ##
+
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;
+
+    ##
+    # Gzip Settings
+    ##
+
+    gzip on;
+
+    # gzip_vary on;
+    # gzip_proxied any;
+    # gzip_comp_level 6;
+    # gzip_buffers 16 8k;
+    # gzip_http_version 1.1;
+    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+    %{ for server in servers }
+    server {
+        server_name ${server.domain};
+    
+        access_log /var/log/nginx/${server.domain}_access.log;
+        error_log /var/log/nginx/${server.domain}_error.log;
+    
+        location / {
+            proxy_pass http://${server.ip}:${server.port};
+        }
+    
+        listen [::]:443 ssl;
+        listen 443 ssl;
+        
+        ssl_certificate /etc/letsencrypt/live/jeremydormitzer.com/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/jeremydormitzer.com/privkey.pem;
+        
+        ssl_session_cache shared:le_nginx_SSL:1m;
+        ssl_session_timeout 1440m;
+        
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+        ssl_prefer_server_ciphers on;
+        
+        ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+    
+    }
+    
+    %{ endfor ~}
+    server {
+        listen 80;
+        listen [::]:80;
+        return 301 https://$host$request_uri;
+    }
+}
+
+stream {
+    server {
+        listen 22;
+        proxy_pass ${gitea_ip}:22;
+    }
 }
				`@ -1 +0,0 @@`
				`dns_digitalocean_token = ${DIGITALOCEAN_API_TOKEN:?}`