add setup gitea ssl article files

trunk
Thomas Riboulet 4 years ago
commit 4d77f082c7

@ -0,0 +1,3 @@
# Setup Gitea SSL
Les fichiers ici proposés sont des exemples à utiliser pour l'article Setup Gitea SSL publié par GNU Linux Magazine France.

@ -0,0 +1,58 @@
version: "2"
networks:
gitea:
external: false
services:
gitea:
container_name: gitea
image: gitea/gitea:latest
environment:
- USER_UID=1000
- USER_GID=1000
- DB_TYPE=postgres
- DB_HOST=db:5432
- DB_NAME=gitea
- DB_USER=gitea
- DB_PASSWD=<CHANGE_ME>
restart: always
networks:
- gitea
volumes:
- /var/hosting/git/gitea:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
- "172.17.0.1:8080:3000"
- "127.0.0.1:2222:22"
depends_on:
- db
db:
container_name: db
image: postgres:9.6
restart: always
environment:
- POSTGRES_USER=gitea
- POSTGRES_PASSWORD=<CHANGE_ME>
- POSTGRES_DB=gitea
networks:
- gitea
volumes:
- /var/hosting/git/postgres:/var/lib/postgresql/data
haproxy:
container_name: lb
image: 'tomdess/haproxy-certbot:latest'
environment:
- CERTS=your.domain.name
- EMAIL=you@your.domain.name
volumes:
- '/var/hosting/git/letsencrypt:/etc/letsencrypt'
- '/var/hosting/git/haproxy/haproxy.cfg:/etc/haproxy/haproxy.cfg'
ports:
- '80:80'
- '443:443'
depends_on:
- gitea
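Review bot: `DB_PASSWD=<CHANGE_ME>` on the gitea service and `POSTGRES_PASSWORD=<CHANGE_ME>` on db place the database credential inline in a file that is meant to be committed, so a reader who follows the article ends up with the real password in git history. Compose file format 2 supports variable substitution, so `- DB_PASSWD=${DB_PASSWD}` and `- POSTGRES_PASSWORD=${DB_PASSWD}`, with the value supplied from an untracked `.env` file, keeps the two services in sync and the secret out of the repository. `image: gitea/gitea:latest` is an unpinned tag, so each pull may silently change the deployed version; pin a version tag as is already done with `postgres:9.6`. The `haproxy.cfg` bind mount on the haproxy service can carry `:ro` like the timezone mounts, since the proxy only reads its configuration.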

@ -0,0 +1,42 @@
global
maxconn 20480
############# IMPORTANT #################################
## DO NOT SET CHROOT OTHERWISE YOU HAVE TO CHANGE THE ##
## acme-http01-webroot.lua file ##
# chroot /jail ##
#########################################################
lua-load /etc/haproxy/acme-http01-webroot.lua
# SSL options
ssl-default-bind-ciphers AES256+EECDH:AES256+EDH:!aNULL;
tune.ssl.default-dh-param 4096
# DNS runt-time resolution on backend hosts
resolvers docker
nameserver dns "127.0.0.11:53"
defaults
mode http
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
option forwardfor
option http-server-close
# never fail on address resolution
default-server init-addr last,libc,none
frontend http
bind *:80
mode http
acl url_acme_http01 path_beg /.well-known/acme-challenge/
http-request use-service lua.acme-http01 if METH_GET url_acme_http01
redirect scheme https code 301 if !{ ssl_fc }
frontend https
bind *:443 ssl crt /etc/haproxy/certs/ no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11
http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
default_backend www
backend www
server server1 172.17.0.1:8080 check port 8080
http-request add-header X-Forwarded-Proto https if { ssl_fc }
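Review bot: The `http-response set-header Strict-Transport-Security` line in `frontend https` requests `preload` with `max-age=16000000` (about 185 days), while the HSTS preload list requires a max-age of at least 31536000 (one year), so the site would not be accepted for preloading as written; `http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"` meets that requirement and drops the stray trailing `;`. The `defaults` section sets connect/client/server timeouts but no `timeout http-request`, so a client can hold a connection open while trickling request headers for the full 50000ms `timeout client`; `timeout http-request 10s` bounds that. The `;` ending `ssl-default-bind-ciphers AES256+EECDH:AES256+EDH:!aNULL;` is not part of the OpenSSL cipher-list grammar and should be removed, since how a given OpenSSL version treats the stray character is not something this configuration should depend on. The `resolvers docker` section and `default-server init-addr` are defined, but `server server1 172.17.0.1:8080` uses a literal address without a `resolvers` keyword, so as far as this hunk shows they are unused.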

@ -0,0 +1,17 @@
#!/bin/bash
apt-get update -y
apt-get install -y git docker docker-compose net-tools
addgroup --gid 1000 hosting
adduser --ingroup hosting -u 1000 git
adduser --system --ingroup hosting --ingroup docker git-docker
mkdir /home/git/.ssh
chown -R git:hosting /home/git/.ssh
mkdir -p /var/hosting/git/gitea
mkdir -p /var/hosting/git/postgres
mkdir -p /var/hosting/git/gitea/git/.ssh/
mkdir -p /app/gitea
mkdir -p /var/hosting/git/haproxy/config
mkdir -p /var/hosting/git/haproxy/certs.d
mkdir -p /var/hosting/git/letsencrypt
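Review bot: `apt-get install -y git docker docker-compose net-tools` installs the Debian/Ubuntu package named `docker`, which is a transitional package for the `wmdocker` tray applet rather than Docker Engine; the engine package is `docker.io` (or Docker's own repository), and the script presumably only works today because `docker-compose` may pull `docker.io` in as a recommended dependency. The `adduser --system --ingroup hosting --ingroup docker git-docker` line gives `--ingroup` twice, so presumably only the last value is honoured and `hosting` is lost; if a supplementary group is intended, `adduser --system --ingroup hosting git-docker` followed by `adduser git-docker docker` expresses it, with a comment that membership of `docker` grants control of the daemon and is root-equivalent on the host. The script has no `set -euo pipefail`, so a failed `apt-get` or `adduser` does not stop the later `mkdir`/`chown` steps from running against a half-configured host. `mkdir /home/git/.ssh` is never restricted beyond the umask; `chmod 700 /home/git/.ssh` after the chown is the conventional permission for that directory. The hunk header declares 17 added lines but only 15 are rendered here, so the tail of the script may be outside this view.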