From dd29785d86eb1222fb79791b464f155acb643539 Mon Sep 17 00:00:00 2001 From: Jeremy Dormitzer Date: Mon, 4 Oct 2021 17:30:46 -0400 Subject: [PATCH] Put gitea behind the nginx proxy --- mgmt/do-jeremydormitzer-com/terraform/data.tf | 4 +- mgmt/do-jeremydormitzer-com/terraform/main.tf | 2 +- prod/gitea/packer/.gitignore | 4 +- prod/gitea/packer/Makefile | 29 +---- prod/gitea/packer/files/gitea-nginx.conf | 28 ---- prod/gitea/packer/gitea.json | 19 --- prod/gitea/packer/packer-manifest.json | 11 +- prod/gitea/packer/scripts/dependencies.sh | 2 +- prod/gitea/packer/scripts/nginx.sh | 16 --- prod/gitea/packer/templates/do.ini.template | 1 - prod/nginx/packer/files/sshd_config | 122 ++++++++++++++++++ prod/nginx/packer/nginx.json | 5 + prod/nginx/packer/packer-manifest.json | 47 ++++++- prod/nginx/packer/scripts/nginx.sh | 5 +- prod/nginx/packer/terraform/main.tf | 3 +- .../terraform/templates/nginx.conf.template | 119 +++++++++++++---- 16 files changed, 287 insertions(+), 130 deletions(-) delete mode 100644 prod/gitea/packer/files/gitea-nginx.conf delete mode 100644 prod/gitea/packer/scripts/nginx.sh delete mode 100644 prod/gitea/packer/templates/do.ini.template create mode 100644 prod/nginx/packer/files/sshd_config diff --git a/mgmt/do-jeremydormitzer-com/terraform/data.tf b/mgmt/do-jeremydormitzer-com/terraform/data.tf index e53cf88..bb04830 100644 --- a/mgmt/do-jeremydormitzer-com/terraform/data.tf +++ b/mgmt/do-jeremydormitzer-com/terraform/data.tf @@ -1,4 +1,4 @@ -data "terraform_remote_state" "git_jeremydormitzer_com" { +data "terraform_remote_state" "nginx" { backend = "s3" config = { @@ -9,7 +9,7 @@ data "terraform_remote_state" "git_jeremydormitzer_com" { region = "us-east-1" endpoint = "nyc3.digitaloceanspaces.com" bucket = "jdormit-tf-state" - key = "prod/gitea.tfstate" + key = "prod/nginx.tfstate" } } diff --git a/mgmt/do-jeremydormitzer-com/terraform/main.tf b/mgmt/do-jeremydormitzer-com/terraform/main.tf index 485e2a7..a29688e 100644 
--- a/mgmt/do-jeremydormitzer-com/terraform/main.tf +++ b/mgmt/do-jeremydormitzer-com/terraform/main.tf @@ -46,7 +46,7 @@ resource "digitalocean_record" "git" { domain = digitalocean_domain.jeremydormitzer_com.name type = "A" name = "git" - value = data.terraform_remote_state.git_jeremydormitzer_com.outputs.gitea_ip_address + value = data.terraform_remote_state.nginx.outputs.nginx_ip_address ttl = 3600 } diff --git a/prod/gitea/packer/.gitignore b/prod/gitea/packer/.gitignore index 6f7c105..0b3b071 100644 --- a/prod/gitea/packer/.gitignore +++ b/prod/gitea/packer/.gitignore @@ -1,3 +1 @@ -files/app.ini -tmp/ -certbot/ \ No newline at end of file +files/app.ini \ No newline at end of file diff --git a/prod/gitea/packer/Makefile b/prod/gitea/packer/Makefile index 2975d85..92dad9d 100644 --- a/prod/gitea/packer/Makefile +++ b/prod/gitea/packer/Makefile @@ -5,35 +5,8 @@ packer-manifest.json: gitea.json \ scripts/volume.sh \ files/gitea.service \ files/app.ini \ - scripts/gitea.sh \ - files/gitea-nginx.conf \ - scripts/nginx.sh \ - certbot/live/git.jeremydormitzer.com/fullchain.pem \ - certbot/live/git.jeremydormitzer.com/privkey.pem + scripts/gitea.sh packer build gitea.json files/app.ini: templates/app.ini.template sigil -p -f templates/app.ini.template > files/app.ini - -certbot/live/git.jeremydormitzer.com/fullchain.pem certbot/live/git.jeremydormitzer.com/privkey.pem &: tmp/do.ini - certbot certonly -n \ - --agree-tos \ - --email ${CERTBOT_EMAIL} \ - --dns-digitalocean \ - --dns-digitalocean-credentials tmp/do.ini \ - --config-dir ./certbot \ - --work-dir ./certbot \ - --logs-dir ./certbot \ - -d git.jeremydormitzer.com - - -tmp/do.ini: templates/do.ini.template tmp - sigil -p -f templates/do.ini.template > tmp/do.ini - chmod 600 tmp/do.ini - -tmp: - mkdir tmp - -reissue-certs: - rm -rf certbot - make diff --git a/prod/gitea/packer/files/gitea-nginx.conf b/prod/gitea/packer/files/gitea-nginx.conf deleted file mode 100644 index 9353285..0000000 
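Review bot: Removing `tmp/` and `certbot/` from `.gitignore` un-ignores the two directories that, per the Makefile targets deleted in the same commit, held `tmp/do.ini` (the DigitalOcean API token) and `certbot/live/git.jeremydormitzer.com/privkey.pem`; in any working copy where those directories still exist they now show up as untracked and are one `git add .` away from being committed. Keep the two entries, `tmp/` and `certbot/`, until the directories have been cleaned out of every checkout, since the rest of this hunk only stops generating the files rather than deleting them.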
--- a/prod/gitea/packer/files/gitea-nginx.conf +++ /dev/null @@ -1,28 +0,0 @@ -server { - listen [::]:443 ssl ipv6only=on; - listen 443 ssl; - - ssl_certificate /var/www/gitea/fullchain.pem; - ssl_certificate_key /var/www/gitea/privkey.pem; - - ssl_session_cache shared:le_nginx_SSL:1m; - ssl_session_timeout 1440m; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_prefer_server_ciphers on; - - ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"; - - error_log /var/log/nginx/gitea_error.log; - access_log /var/log/nginx/gitea_access.log; - - location / { - proxy_pass http://localhost:3000; - } -} - -server { - listen 80; - listen [::]:80; - return 301 https://$host$request_uri; -} \ No newline at end of file diff --git a/prod/gitea/packer/gitea.json b/prod/gitea/packer/gitea.json index a77da3e..15f9458 100644 --- a/prod/gitea/packer/gitea.json +++ b/prod/gitea/packer/gitea.json 
@@ -31,25 +31,6 @@ { "type": "shell", "script": "scripts/gitea.sh" - }, - { - "type": "file", - "source": "files/gitea-nginx.conf", - "destination": "/tmp/gitea-nginx.conf" - }, - { - "type": "file", - "source": "certbot/live/git.jeremydormitzer.com/fullchain.pem", - "destination": "/tmp/fullchain.pem" - }, - { - "type": "file", - "source": "certbot/live/git.jeremydormitzer.com/privkey.pem", - "destination": "/tmp/privkey.pem" - }, - { - "type": "shell", - "script": "scripts/nginx.sh" } ], "post-processors": [ diff --git a/prod/gitea/packer/packer-manifest.json b/prod/gitea/packer/packer-manifest.json index bccdab8..0e4d836 100644 --- a/prod/gitea/packer/packer-manifest.json +++ b/prod/gitea/packer/packer-manifest.json @@ -134,7 +134,16 @@ "artifact_id": "nyc1:92247567", "packer_run_uuid": "52ad5b0e-38ad-ec89-55ab-faa672baa34a", "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1633381649, + "files": null, + "artifact_id": "nyc1:92993522", + "packer_run_uuid": "7adbc6f3-4862-2e30-c0d0-a604b107a1bc", + "custom_data": null } ], - "last_run_uuid": "52ad5b0e-38ad-ec89-55ab-faa672baa34a" + "last_run_uuid": "7adbc6f3-4862-2e30-c0d0-a604b107a1bc" } \ No newline at end of file diff --git a/prod/gitea/packer/scripts/dependencies.sh b/prod/gitea/packer/scripts/dependencies.sh index 5955e1a..fa9ad0a 100644 --- a/prod/gitea/packer/scripts/dependencies.sh +++ b/prod/gitea/packer/scripts/dependencies.sh @@ -2,5 +2,5 @@ set -ex -sudo apt-get update +sudo apt-get update && sleep 5 sudo apt-get install -y git bindfs diff --git a/prod/gitea/packer/scripts/nginx.sh b/prod/gitea/packer/scripts/nginx.sh deleted file mode 100644 index a9d6244..0000000 --- a/prod/gitea/packer/scripts/nginx.sh +++ /dev/null 
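Review bot: Dropping the TLS-terminating nginx, the certificate uploads and `scripts/nginx.sh` from the Gitea image means the proxy now reaches Gitea over plain HTTP on port 3000 and plain TCP on port 22 across the network, and nothing in this patch limits those ports to the proxy's address. If that is not already enforced elsewhere (a DigitalOcean firewall rule or Gitea's bind address in app.ini, neither of which is visible here), it is worth adding in the same change, so the unencrypted HTTP listener is not reachable directly once git.jeremydormitzer.com points at the proxy. A one-line comment in this provisioner list noting that TLS is now terminated by prod/nginx would also save the next reader from looking for the removed files.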
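Review bot: `sudo apt-get update && sleep 5` quietly disables the `set -e` protection the script starts with: a failing `apt-get update` is the left-hand side of an `&&` list, so the shell no longer aborts on it and the build continues with stale package indexes, whereas before this change it stopped. Put the two on separate lines, `sudo apt-get update` then `sleep 5`, to restore the abort. The fixed delay also carries no explanation; a comment such as `# wait for the first-boot apt/dpkg activity to release the lock` (assuming that is the race being avoided) would record the intent, and a loop that waits while `fuser /var/lib/dpkg/lock-frontend` succeeds would not lose the race on a slow boot.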
@@ -1,16 +0,0 @@ -#!/usr/bin/env bash - -set -ex - -sudo apt-get install -y nginx -sudo mv /tmp/gitea-nginx.conf /etc/nginx/sites-available/gitea.conf -sudo ln -s /etc/nginx/sites-available/gitea.conf \ - /etc/nginx/sites-enabled/ -sudo unlink /etc/nginx/sites-enabled/default - -sudo mkdir -p /var/www/gitea -sudo mv /tmp/fullchain.pem /var/www/gitea/fullchain.pem -sudo mv /tmp/privkey.pem /var/www/gitea/privkey.pem -chown www-data:www-data /var/www/gitea/{fullchain,privkey}.pem - -sudo systemctl enable nginx diff --git a/prod/gitea/packer/templates/do.ini.template b/prod/gitea/packer/templates/do.ini.template deleted file mode 100644 index 7c6ec3f..0000000 --- a/prod/gitea/packer/templates/do.ini.template +++ /dev/null @@ -1 +0,0 @@ -dns_digitalocean_token = ${DIGITALOCEAN_API_TOKEN:?} \ No newline at end of file diff --git a/prod/nginx/packer/files/sshd_config b/prod/nginx/packer/files/sshd_config new file mode 100644 index 0000000..f82ba81 --- /dev/null +++ b/prod/nginx/packer/files/sshd_config 
@@ -0,0 +1,122 @@ +# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +Port 222 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none + +# Logging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +PermitRootLogin yes +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#PubkeyAuthentication yes + +# Expect .ssh/authorized_keys2 to be disregarded by default in future. +#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! 
+PasswordAuthentication no +#PermitEmptyPasswords no + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes +#GSSAPIKeyExchange no + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin yes +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +# override default of no subsystems +Subsystem sftp /usr/lib/openssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server diff --git a/prod/nginx/packer/nginx.json b/prod/nginx/packer/nginx.json index 6c578d6..e4251ed 100644 --- a/prod/nginx/packer/nginx.json 
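Review bot: `PermitRootLogin yes` in the new sshd_config for the proxy host is broader than the rest of the file needs; with `PasswordAuthentication no` already set, `PermitRootLogin prohibit-password` keeps key-based root access working while ruling out the root-password path should password or PAM authentication ever be re-enabled. `X11Forwarding yes` is likewise enabled on what is a headless reverse proxy and can be `X11Forwarding no`. The move to `Port 222` is evidently because the nginx stream block in this same patch takes port 22 for Gitea; a comment above it, `# 22 is claimed by the nginx stream proxy to Gitea`, would spare the next reader the search.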
+++ b/prod/nginx/packer/nginx.json @@ -34,6 +34,11 @@ "source": "files/certbot-renew.service", "destination": "/tmp/certbot-renew.service" }, + { + "type": "file", + "source": "files/sshd_config", + "destination": "/tmp/sshd_config" + }, { "type": "shell", "script": "scripts/nginx.sh" diff --git a/prod/nginx/packer/packer-manifest.json b/prod/nginx/packer/packer-manifest.json index 76e56aa..a900bc2 100644 --- a/prod/nginx/packer/packer-manifest.json +++ b/prod/nginx/packer/packer-manifest.json @@ -8,7 +8,52 @@ "artifact_id": "nyc1:92979065", "packer_run_uuid": "81fa12be-706c-56b2-80bb-e4133a2c4ffe", "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1633381985, + "files": null, + "artifact_id": "nyc1:92994055", + "packer_run_uuid": "3175c525-7550-f016-4b23-5b8f1b544b69", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1633382771, + "files": null, + "artifact_id": "nyc1:92995027", + "packer_run_uuid": "7414490b-f330-d906-78e5-1b1dac89a265", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1633388606, + "files": null, + "artifact_id": "nyc1:92999824", + "packer_run_uuid": "26369d41-f7b3-bdda-57e0-e329c1836a53", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1633389351, + "files": null, + "artifact_id": "nyc1:93000183", + "packer_run_uuid": "7dc36fa3-25ac-fe47-0168-f90c160d3673", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1633445796, + "files": null, + "artifact_id": "nyc1:93041994", + "packer_run_uuid": "8a308586-3253-93bb-b2a7-c11151a8d19c", + "custom_data": null } ], - "last_run_uuid": "81fa12be-706c-56b2-80bb-e4133a2c4ffe" + "last_run_uuid": "8a308586-3253-93bb-b2a7-c11151a8d19c" } \ No newline at end of file 
diff --git a/prod/nginx/packer/scripts/nginx.sh b/prod/nginx/packer/scripts/nginx.sh index 99996b5..9d45c0e 100644 --- a/prod/nginx/packer/scripts/nginx.sh +++ b/prod/nginx/packer/scripts/nginx.sh @@ -11,10 +11,13 @@ sudo certbot certonly \ --dns-digitalocean-credentials ~/do.ini \ -d '*.jeremydormitzer.com' -sudo mv /tmp/nginx.conf /etc/nginx/sites-available/default +sudo mv /tmp/nginx.conf /etc/nginx/nginx.conf sudo mkdir -p /var/log/nginx sudo systemctl enable nginx sudo mv /tmp/certbot-renew.timer /etc/systemd/system/ sudo mv /tmp/certbot-renew.service /etc/systemd/system/ sudo systemctl enable certbot-renew.timer + +sudo mv /tmp/sshd_config /etc/ssh/sshd_config +sudo systemctl restart sshd diff --git a/prod/nginx/packer/terraform/main.tf b/prod/nginx/packer/terraform/main.tf index 8ea4308..20d8fe9 100644 --- a/prod/nginx/packer/terraform/main.tf +++ b/prod/nginx/packer/terraform/main.tf @@ -24,7 +24,8 @@ resource "local_file" "nginx_config" { "ip" : "${data.terraform_remote_state.syncthing.outputs.ip_address}", "port" : "8384" } - ] + ], + "gitea_ip" : "${data.terraform_remote_state.gitea.outputs.gitea_ip_address}" } ) } diff --git a/prod/nginx/packer/terraform/templates/nginx.conf.template b/prod/nginx/packer/terraform/templates/nginx.conf.template index 675f882..d583c1d 100644 --- a/prod/nginx/packer/terraform/templates/nginx.conf.template +++ b/prod/nginx/packer/terraform/templates/nginx.conf.template 
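Review bot: `sudo mv /tmp/sshd_config /etc/ssh/sshd_config` keeps whatever owner and mode the Packer file provisioner gave the upload in /tmp, so the live sshd configuration may end up owned by the build user rather than root; `sudo install -o root -g root -m 644 /tmp/sshd_config /etc/ssh/sshd_config` sets both explicitly, and the same applies to the `mv` of nginx.conf into `/etc/nginx/nginx.conf` earlier in the hunk. `sudo systemctl restart sshd` then applies the file unvalidated, so a typo produces an image whose sshd does not start; `sudo sshd -t` before the restart fails the build instead, and `sudo nginx -t` before `systemctl enable nginx` does the same for the proxy config.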
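Review bot: The new `"gitea_ip"` entry reads `data.terraform_remote_state.gitea.outputs.gitea_ip_address`, but no `data "terraform_remote_state" "gitea"` block appears anywhere in this patch and the diffstat touches only main.tf under prod/nginx/packer/terraform; unless that data source already exists there, `terraform plan` fails on an undeclared reference. The enclosing `resource "local_file" "nginx_config"` starts before the hunk.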
@@ -1,31 +1,96 @@ -%{ for server in servers ~} -server { - server_name ${server.domain}; - access_log /var/log/nginx/${server.domain}-access.log; - - location / { - proxy_pass http://${server.ip}:${server.port}; - } - - listen [::]:443 ssl ipv6only=on; - listen 443 ssl; - - ssl_certificate /etc/letsencrypt/live/jeremydormitzer.com/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/jeremydormitzer.com/privkey.pem; - - ssl_session_cache shared:le_nginx_SSL:1m; - ssl_session_timeout 1440m; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_prefer_server_ciphers on; - - ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"; +user www-data; +worker_processes auto; +pid /run/nginx.pid; +include /etc/nginx/modules-enabled/*.conf; +events { + worker_connections 768; + # multi_accept on; } -%{ endfor ~} -server { - listen 80; - listen [::]:80; - return 301 https://$host$request_uri; +http { + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + # server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # SSL Settings + ## + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on; + + ## + # Logging Settings + ## + 
+ access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + ## + # Gzip Settings + ## + + gzip on; + + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + %{ for server in servers } + server { + server_name ${server.domain}; + + access_log /var/log/nginx/${server.domain}_access.log; + error_log /var/log/nginx/${server.domain}_error.log; + + location / { + proxy_pass http://${server.ip}:${server.port}; + } + + listen [::]:443 ssl; + listen 443 ssl; + + ssl_certificate /etc/letsencrypt/live/jeremydormitzer.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/jeremydormitzer.com/privkey.pem; + + ssl_session_cache shared:le_nginx_SSL:1m; + ssl_session_timeout 1440m; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_prefer_server_ciphers on; + + ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"; + + } + + %{ endfor ~} + server { + listen 80; + listen [::]:80; + return 301 https://$host$request_uri; + } +} + +stream { + server { + listen 22; + proxy_pass ${gitea_ip}:22; + } } \ No newline at end of file
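Review bot: The `stream` block that forwards port 22 to `${gitea_ip}:22` has no logging at all, and because it is a plain TCP relay every git-over-SSH connection arrives at Gitea's sshd from the proxy's address, so any per-source brute-force detection on the Gitea host loses its signal; define a `log_format` and `access_log` inside the `stream` block (or at least an `error_log`) so connection attempts are recorded on the proxy. The new http-level and per-server settings also keep `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and a cipher string that includes the `DES-CBC3-SHA` suites; since this is a freshly written nginx.conf, `ssl_protocols TLSv1.2 TLSv1.3;` with a GCM/CHACHA20-only list is the current baseline, and `server_tokens off;` is left commented out. The https `location /` forwards no `Host` or `X-Forwarded-Proto` header to the upstream, which Gitea behind a reverse proxy typically needs for correct URL generation — worth confirming against the Gitea app.ini, which is outside this diff.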