Fixed caddy default domain, gitea webhooks, mail settings

2023-05-24 14:35:44 +00:00 · 2023-05-24 14:35:44 +00:00 · d63f5680e7
commit d63f5680e7
parent 036d9f9d61
4 changed files with 88 additions and 51 deletions
--- a/lib/caddy.sh
+++ b/lib/caddy.sh
@ -38,7 +38,7 @@ services:
      - ./data/data:/data
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.caddy.rule=Host(\`www.$DOMAIN\`,\`blog.$DOMAIN\`,\`documentation.$DOMAIN\`)"
+      - "traefik.http.routers.caddy.rule=Host(\`www.$DOMAIN\`,\`blog.$DOMAIN\`,\`documentation.$DOMAIN\`,\`$DOMAIN\`)"
      - "traefik.http.routers.caddy.entrypoints=websecure"
      - "traefik.http.routers.caddy.tls.certresolver=letsencrypt"

@ -53,6 +53,10 @@ EOF
 chmod 600 /federated/apps/caddy/.env

 cat > /federated/apps/caddy/data/etc/caddy/Caddyfile <<EOF
+$DOMAIN:80 {
+  root * /srv/www.$DOMAIN.com/public
+  file_server
+}
 www.$DOMAIN:80 {
  root * /srv/www.$DOMAIN/public
  file_server
--- a/lib/functions.sh
+++ b/lib/functions.sh
@ -85,6 +85,32 @@ create_password() {
  SECRET=`tr -cd '[:alnum:]' < /dev/urandom | fold -w32 | head -n1`
  echo "$SECRET";
 }
+start_service_convert() {
+  SERVICE="$1"
+  COMMAND="$2"
+
+  # Start /federated/apps/SERVICE with output to /dev/null
+  echo -ne "\n* Starting /federated/apps/$SERVICE service.."
+
+  docker-compose -f /federated/apps/$SERVICE/docker-compose.yml -p $SERVICE up -d &> /dev/null
+
+  # Keep trying service port to make sure it's up before
+  # we proceed
+  RETRY="30"
+  while [ $RETRY -gt 0 ]; do
+    bash -c "$COMMAND" &> /dev/null
+    if [ $? -eq 0 ]; then
+      break
+    else
+      if [ "$RETRY" == 1 ]; then
+        docker-compose -f /federated/apps/$SERVICE/docker-compose.yml -p $SERVICE down &> /dev/null
+        fail "There was a problem starting service /federated/apps/$SERVICE\nCheck the output of 'docker logs $SERVICE' or turn on\ndebug with -d"
+      fi
+      ((RETRY--))
+      sleep 7
+    fi
+  done
+}
 start_service_upgrade() {
  SERVICE="$1"
  COMMAND="$2"
--- a/lib/gitea.sh
+++ b/lib/gitea.sh
@ -11,6 +11,9 @@ config_gitea() {

  if [ ! -d "/federated/apps/gitea" ]; then
    mkdir -p /federated/apps/gitea/data/data
+    mkdir -p /federated/apps/gitea/data/data/git/.ssh
+    touch /federated/apps/gitea/data/data/git/.ssh/authorized_keys
+    chmod 600 /federated/apps/gitea/data/data/git/.ssh/authorized_keys
  fi

 cat > /federated/apps/gitea/docker-compose.yml <<EOF
@ -31,11 +34,12 @@ services:
      - "blog.$DOMAIN:$EXTERNALIP"
      - "documentation.$DOMAIN:$EXTERNALIP"
    ports:
-      - 22:22
+      - "2222:22"
    env_file:
      - ./.env
    volumes:
      - ./data/data:/data
+      - ./data/data/git/.ssh:/data/git/.ssh
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    labels:
@ -61,6 +65,10 @@ GITEA__database__USER=gitea
 GITEA__database__PASSWD=$GITEA_SECRET
 GITEA__security__INSTALL_LOCK=true
 GITEA__server__ROOT_URL=https://gitea.$DOMAIN
+GITEA__server__DOMAIN=$DOMAIN
+GITEA__server__SSH_DOMAIN=$DOMAIN
+GITEA__server__SSH_PORT=2222
+GITEA__server__SSH_LISTEN_PORT=2222
 EOF
 chmod 600 /federated/apps/gitea/.env

@ -70,20 +78,17 @@ cat > /federated/apps/gitea/data/creategitea.sh <<EOF
 #!/bin/bash

 # Get the Gitea API token
-GITEA_TOKEN_2=\`curl -H "Content-Type: application/json" -d '{"name":"gitea2","scopes":["all"]}' -u gitea:$ADMINPASS http://gitea.$DOMAIN:3000/api/v1/users/gitea/tokens 2>/dev/null | awk -F: '{ print \$4 }' | awk -F\" '{ print \$2 }'\`
+GITEA_TOKEN_2=\`curl -H "Content-Type: application/json" -d '{"name":"gitea2","scopes":["all"]}' -u gitea:$ADMINPASS http://gitea.$DOMAIN:3000/api/v1/users/gitea/tokens 2>/dev/null | awk -F: '{ pr
+int \$4 }' | awk -F\" '{ print \$2 }'\`

 # Create the repository website, blog, and documentation
-#curl -k -X POST http://gitea.$DOMAIN:3000/api/v1/user/repos -H "content-type: application/json" -H "Authorization: token \$GITEA_TOKEN_2" --data '{"name":"www.$DOMAIN","auto_init":true,"default_branch":"master"}'
-#curl -k -X POST http://gitea.$DOMAIN:3000/api/v1/user/repos -H "content-type: application/json" -H "Authorization: token \$GITEA_TOKEN_2" --data '{"name":"blog.$DOMAIN","auto_init":true,"default_branch":"master"}'
-#curl -k -X POST http://gitea.$DOMAIN:3000/api/v1/user/repos -H "content-type: application/json" -H "Authorization: token \$GITEA_TOKEN_2" --data '{"name":"documentation.$DOMAIN","auto_init":true,"default_branch":"master"}'
+curl -k -X POST http://gitea.$DOMAIN:3000/api/v1/user/repos -H "content-type: application/json" -H "Authorization: token \$GITEA_TOKEN_2" --data '{"name":"www.$DOMAIN","auto_init":true,"default_branch":"master"}'
+curl -k -X POST http://gitea.$DOMAIN:3000/api/v1/user/repos -H "content-type: application/json" -H "Authorization: token \$GITEA_TOKEN_2" --data '{"name":"blog.$DOMAIN","auto_init":true,"default_branch":"master"}'
+curl -k -X POST http://gitea.$DOMAIN:3000/api/v1/user/repos -H "content-type: application/json" -H "Authorization: token \$GITEA_TOKEN_2" --data '{"name":"documentation.$DOMAIN","auto_init":true,"default_branch":"master"}'

-# Create the repository and webhooks
-for i in www blog documentation; do
-  # Create the repository
-  curl -k -X POST http://gitea.$DOMAIN:3000/api/v1/user/repos -H "content-type: application/json" -H "Authorization: token \$GITEA_TOKEN_2" --data "{\"name\":\"\$i.$DOMAIN\",\"auto_init\":true,\"default_branch\":\"master\"}"
-  # Create the webhook
-  curl -X 'POST' \
-  "http://gitea.$DOMAIN:3000/api/v1/repos/gitea/\$i.$DOMAIN/hooks" \
+# Create the webhook inside the www repository
+curl -X 'POST' \
+  'http://gitea.$DOMAIN:3000/api/v1/repos/gitea/www.$DOMAIN/hooks' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "Authorization: token \$GITEA_TOKEN_2" \
@ -98,47 +103,47 @@ for i in www blog documentation; do
    "push"
  ],
  "type": "gitea"
-  }'
-done
+}'

 # Create the webhook inside the blog repository
-#curl -X 'POST' \
-#  'http://gitea.$DOMAIN:3000/api/v1/repos/gitea/blog.$DOMAIN/hooks' \
-#  -H 'accept: application/json' \
-#  -H 'Content-Type: application/json' \
-#  -H "Authorization: token \$GITEA_TOKEN_2" \
-#  -d '{
-#  "active": true,
-#  "config": {
-#    "content_type": "json",
-#    "url": "https://blog.$DOMAIN/webhook",
-#    "secret": "$WEBHOOK_SECRET"
-#  },
-#  "events": [
-#    "push"
-#  ],
-#  "type": "gitea"
-#}'
+curl -X 'POST' \
+  'http://gitea.$DOMAIN:3000/api/v1/repos/gitea/blog.$DOMAIN/hooks' \
+  -H 'accept: application/json' \
+  -H 'Content-Type: application/json' \
+  -H "Authorization: token \$GITEA_TOKEN_2" \
+  -d '{
+  "active": true,
+  "config": {
+    "content_type": "json",
+    "url": "https://blog.$DOMAIN/webhook",
+    "secret": "$WEBHOOK_SECRET"
+  },
+  "events": [
+    "push"
+  ],
+  "type": "gitea"
+}'

 # Create the webhook inside the documentation repository
-#curl -X 'POST' \
-#  'http://gitea.$DOMAIN:3000/api/v1/repos/gitea/documentation.$DOMAIN/hooks' \
-#  -H 'accept: application/json' \
-#  -H 'Content-Type: application/json' \
-#  -H "Authorization: token \$GITEA_TOKEN_2" \
-#  -d '{
-#  "active": true,
-#  "config": {
-#    "content_type": "json",
-#    "url": "https://documentation.$DOMAIN/webhook",
-#    "secret": "$WEBHOOK_SECRET"
-#  },
-#  "events": [
-#    "push"
-#  ],
-#  "type": "gitea"
-#}'
+curl -X 'POST' \
+  'http://gitea.$DOMAIN:3000/api/v1/repos/gitea/documentation.$DOMAIN/hooks' \
+  -H 'accept: application/json' \
+  -H 'Content-Type: application/json' \
+  -H "Authorization: token \$GITEA_TOKEN_2" \
+  -d '{
+  "active": true,
+  "config": {
+    "content_type": "json",
+    "url": "https://documentation.$DOMAIN/webhook",
+    "secret": "$WEBHOOK_SECRET"
+  },
+  "events": [
+    "push"
+  ],
+  "type": "gitea"
+}'
 EOF
+
 chmod +x /federated/apps/gitea/data/creategitea.sh
 
 kill -9 $SPINPID &> /dev/null
--- a/lib/mail.sh
+++ b/lib/mail.sh
@ -101,9 +101,11 @@ EOF
 chmod 600 /federated/apps/mail/.env

 cat > /federated/apps/mail/data/tmp/docker-mailserver/postfix-main.cf <<'EOF'
-smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch, reject_unknown_reverse_client_hostname, reject_unknown_client_hostname
-smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, check_policy_service inet:127.0.0.1:10023, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org, reject_rbl_client zen.spamhaus.org
+smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch, reject_unknown_reverse_client_hostname, reject_unknown_client_
+hostname
+smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_helo_hostname, check_policy_service unix:private/policyd-spf, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org, reject_rbl_client zen.spamhaus.org
 smtpd_sender_login_maps = ldap:/etc/postfix/ldap-aliases.cf
+smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
 EOF

 cat > /federated/apps/mail/data/tmp/docker-mailserver/fail2ban-jail.cf <<'EOF'