add setup gitea ssl article files
commit
4d77f082c7
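--- /dev/null
+++ b/<file1-path-placeholder>
@@ -0,0 +1,3 @@
+# Setup Gitea SSL
+
+Les fichiers ici proposés sont des exemples à utiliser pour l'article Setup Gitea SSL publié par GNU Linux Magazine France.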
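--- /dev/null
+++ b/<file2-path-placeholder>
@@ -0,0 +1,58 @@
+version: "2"
+
+networks:
+  gitea:
+    external: false
+
+services:
+  gitea:
+    container_name: gitea
+    image: gitea/gitea:latest
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+      - DB_TYPE=postgres
+      - DB_HOST=db:5432
+      - DB_NAME=gitea
+      - DB_USER=gitea
+      - DB_PASSWD=<CHANGE_ME>
+    restart: always
+    networks:
+      - gitea
+    volumes:
+      - /var/hosting/git/gitea:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "172.17.0.1:8080:3000"
+      - "127.0.0.1:2222:22"
+    depends_on:
+      - db
+
+  db:
+    container_name: db
+    image: postgres:9.6
+    restart: always
+    environment:
+      - POSTGRES_USER=gitea
+      - POSTGRES_PASSWORD=<CHANGE_ME>
+      - POSTGRES_DB=gitea
+    networks:
+      - gitea
+    volumes:
+      - /var/hosting/git/postgres:/var/lib/postgresql/data
+
+  haproxy:
+    container_name: lb
+    image: 'tomdess/haproxy-certbot:latest'
+    environment:
+      - CERTS=your.domain.name
+      - EMAIL=you@your.domain.name
+    volumes:
+      - '/var/hosting/git/letsencrypt:/etc/letsencrypt'
+      - '/var/hosting/git/haproxy/haproxy.cfg:/etc/haproxy/haproxy.cfg'
+    ports:
+      - '80:80'
+      - '443:443'
+    depends_on:
+      - gitea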
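Review bot: The database credentials at `- DB_PASSWD=<CHANGE_ME>` and `- POSTGRES_PASSWORD=<CHANGE_ME>` are inline in a file that is meant to be committed, so whoever fills in the placeholders ends up with live secrets in version control. Compose can take them from the environment or an untracked `.env` file instead, e.g. `- DB_PASSWD=${GITEA_DB_PASSWD}` (constructed name) with the same variable reused for `POSTGRES_PASSWORD`, which also keeps the two values from drifting apart. Separately, publishing `"172.17.0.1:8080:3000"` exposes Gitea over plain HTTP to the host and to every container on the default bridge, not only to the load balancer; since `haproxy` already shares the `gitea` network, the HAProxy backend could address the service by name (`gitea:3000`) and the port publication could be dropped. The `:latest` tags on `gitea/gitea` and `tomdess/haproxy-certbot` also make the deployment non-reproducible; pinning a version or digest is cheap.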
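--- /dev/null
+++ b/<file3-path-placeholder>
@@ -0,0 +1,42 @@
+global
+    maxconn 20480
+    ############# IMPORTANT #################################
+    ## DO NOT SET CHROOT OTHERWISE YOU HAVE TO CHANGE THE ##
+    ## acme-http01-webroot.lua file ##
+    # chroot /jail ##
+    #########################################################
+    lua-load /etc/haproxy/acme-http01-webroot.lua
+    # SSL options
+    ssl-default-bind-ciphers AES256+EECDH:AES256+EDH:!aNULL;
+    tune.ssl.default-dh-param 4096
+
+    # DNS runt-time resolution on backend hosts
+resolvers docker
+    nameserver dns "127.0.0.11:53"
+
+defaults
+    mode http
+    timeout connect 5000ms
+    timeout client 50000ms
+    timeout server 50000ms
+    option forwardfor
+    option http-server-close
+
+    # never fail on address resolution
+    default-server init-addr last,libc,none
+
+frontend http
+    bind *:80
+    mode http
+    acl url_acme_http01 path_beg /.well-known/acme-challenge/
+    http-request use-service lua.acme-http01 if METH_GET url_acme_http01
+    redirect scheme https code 301 if !{ ssl_fc }
+
+frontend https
+    bind *:443 ssl crt /etc/haproxy/certs/ no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11
+    http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
+    default_backend www
+
+backend www
+    server server1 172.17.0.1:8080 check port 8080
+    http-request add-header X-Forwarded-Proto https if { ssl_fc }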
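Review bot: In `backend www`, `http-request add-header X-Forwarded-Proto https if { ssl_fc }` appends to whatever `X-Forwarded-Proto` the client already sent instead of replacing it, so a client-supplied value reaches Gitea next to the real one; `http-request set-header X-Forwarded-Proto https if { ssl_fc }` overwrites it. The cipher list `AES256+EECDH:AES256+EDH:!aNULL;` ends in a `;` that looks like a typo — OpenSSL separates cipher specs with `:`, so the last token is probably not interpreted as intended and the `;` should go. The HSTS value `max-age=16000000; includeSubDomains; preload;` requests preload while its max-age is below the one year (31536000 seconds) the preload list requires, and it also carries a stray trailing `;`; either raise max-age or drop `preload`.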
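--- /dev/null
+++ b/<file4-path-placeholder>
@@ -0,0 +1,17 @@
+#!/bin/bash
+apt-get update -y
+apt-get install -y git docker docker-compose net-tools
+
+addgroup --gid 1000 hosting
+adduser --ingroup hosting -u 1000 git
+adduser --system --ingroup hosting --ingroup docker git-docker
+
+mkdir /home/git/.ssh
+chown -R git:hosting /home/git/.ssh
+mkdir -p /var/hosting/git/gitea
+mkdir -p /var/hosting/git/postgres
+mkdir -p /var/hosting/git/gitea/git/.ssh/
+mkdir -p /app/gitea
+mkdir -p /var/hosting/git/haproxy/config
+mkdir -p /var/hosting/git/haproxy/certs.d
+mkdir -p /var/hosting/git/letsencrypt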
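Review bot: `adduser --system --ingroup hosting --ingroup docker git-docker` passes `--ingroup` twice, but adduser sets a single primary group, so the account ends up in only one of `hosting` and `docker`; add the second as a supplementary group afterwards with `adduser git-docker docker`, keeping in mind that `docker` group membership is root-equivalent on the host and that account deserves the same protection as root. The script has no `set -euo pipefail`, so a failed `apt-get install` or `addgroup` is ignored and the later steps run against a half-configured host. `mkdir /home/git/.ssh` leaves the directory at the umask default; it is conventionally locked down with `chmod 700 /home/git/.ssh` so other local users cannot list the keys placed there. On Debian/Ubuntu the engine package is `docker.io` rather than `docker`; worth confirming against the distribution the article targets.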