commit 4d77f082c7597590557d82b48464fa32dfe2f272
Author: Thomas Riboulet
Date: Wed May 20 09:15:07 2020 +0200
add setup gitea ssl article files
diff --git a/setup-gitea-ssl/README.md b/setup-gitea-ssl/README.md
new file mode 100644
index 0000000..711caf6
--- /dev/null
+++ b/setup-gitea-ssl/README.md
@@ -0,0 +1,3 @@
+# Setup Gitea SSL
+
+Les fichiers ici proposés sont des exemples à utiliser pour l'article Setup Gitea SSL publié par GNU Linux Magazine France.
diff --git a/setup-gitea-ssl/docker-compose.yml b/setup-gitea-ssl/docker-compose.yml
new file mode 100644
index 0000000..35da7de
--- /dev/null
+++ b/setup-gitea-ssl/docker-compose.yml
@@ -0,0 +1,58 @@
+version: "2"
+
+networks:
+ gitea:
+ external: false
+
+services:
+ gitea:
+ container_name: gitea
+ image: gitea/gitea:latest
+ environment:
+ - USER_UID=1000
+ - USER_GID=1000
+ - DB_TYPE=postgres
+ - DB_HOST=db:5432
+ - DB_NAME=gitea
+ - DB_USER=gitea
+ - DB_PASSWD=
+ restart: always
+ networks:
+ - gitea
+ volumes:
+ - /var/hosting/git/gitea:/data
+ - /etc/timezone:/etc/timezone:ro
+ - /etc/localtime:/etc/localtime:ro
+ ports:
+ - "172.17.0.1:8080:3000"
+ - "127.0.0.1:2222:22"
+ depends_on:
+ - db
+
+ db:
+ container_name: db
+ image: postgres:9.6
+ restart: always
+ environment:
+ - POSTGRES_USER=gitea
+ - POSTGRES_PASSWORD=
+ - POSTGRES_DB=gitea
+ networks:
+ - gitea
+ volumes:
+ - /var/hosting/git/postgres:/var/lib/postgresql/data
+
+ haproxy:
+ container_name: lb
+ image: 'tomdess/haproxy-certbot:latest'
+ environment:
+ - CERTS=your.domain.name
+ - EMAIL=you@your.domain.name
+ volumes:
+ - '/var/hosting/git/letsencrypt:/etc/letsencrypt'
+ - '/var/hosting/git/haproxy/haproxy.cfg:/etc/haproxy/haproxy.cfg'
+ ports:
+ - '80:80'
+ - '443:443'
+ depends_on:
+ - gitea
diff --git a/setup-gitea-ssl/haproxy.cfg b/setup-gitea-ssl/haproxy.cfg
new file mode 100644
index 0000000..e41ed60
--- /dev/null
+++ b/setup-gitea-ssl/haproxy.cfg
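Review bot: `DB_PASSWD=` under the gitea service and `POSTGRES_PASSWORD=` under the db service are both left empty, so the example ships a database with no credential; depending on the postgres image build this either refuses to start or falls back to trusting every connection on the `gitea` network. Even in an article example, a visibly marked placeholder such as `- POSTGRES_PASSWORD=CHANGE_ME` (mirrored in `DB_PASSWD`) makes the requirement explicit. Gitea is published on `172.17.0.1:8080`, the default bridge address, so it is reachable from any container attached to that bridge rather than only from the haproxy service, which is itself not attached to the `gitea` network; joining haproxy to that network and pointing the backend at `gitea:3000` via the Docker resolver would avoid publishing the port at all. The `gitea/gitea:latest` and `tomdess/haproxy-certbot:latest` tags also make the example non-reproducible and deserve a comment recommending a pinned version.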
@@ -0,0 +1,42 @@
+global
+ maxconn 20480
+ ############# IMPORTANT #################################
+ ## DO NOT SET CHROOT OTHERWISE YOU HAVE TO CHANGE THE ##
+ ## acme-http01-webroot.lua file ##
+ # chroot /jail ##
+ #########################################################
+ lua-load /etc/haproxy/acme-http01-webroot.lua
+ # SSL options
+ ssl-default-bind-ciphers AES256+EECDH:AES256+EDH:!aNULL;
+ tune.ssl.default-dh-param 4096
+
+# DNS runt-time resolution on backend hosts
+resolvers docker
+ nameserver dns "127.0.0.11:53"
+
+defaults
+ mode http
+ timeout connect 5000ms
+ timeout client 50000ms
+ timeout server 50000ms
+ option forwardfor
+ option http-server-close
+
+ # never fail on address resolution
+ default-server init-addr last,libc,none
+
+frontend http
+ bind *:80
+ mode http
+ acl url_acme_http01 path_beg /.well-known/acme-challenge/
+ http-request use-service lua.acme-http01 if METH_GET url_acme_http01
+ redirect scheme https code 301 if !{ ssl_fc }
+
+frontend https
+ bind *:443 ssl crt /etc/haproxy/certs/ no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11
+ http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
+ default_backend www
+
+backend www
+ server server1 172.17.0.1:8080 check port 8080
+ http-request add-header X-Forwarded-Proto https if { ssl_fc }
diff --git a/setup-gitea-ssl/setup.sh b/setup-gitea-ssl/setup.sh
new file mode 100644
index 0000000..deb5fef
--- /dev/null
+++ b/setup-gitea-ssl/setup.sh
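Review bot: The cipher list on the `ssl-default-bind-ciphers` line ends with a stray `;`, which is not a cipher-list separator; depending on the OpenSSL build it is either rejected at startup or silently dropped, so the line should read `ssl-default-bind-ciphers AES256+EECDH:AES256+EDH:!aNULL`. In `backend www`, `http-request add-header X-Forwarded-Proto https if { ssl_fc }` appends to whatever the client sent, so a client-supplied `X-Forwarded-Proto` reaches Gitea alongside the real one; `http-request set-header X-Forwarded-Proto https if { ssl_fc }` overwrites it instead. The `no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11` flags on the `bind *:443` line would be clearer next to the cipher setting as `ssl-default-bind-options` in `global`, so the whole TLS policy lives in one place. The comment `# DNS runt-time resolution on backend hosts` should read `run-time`.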
@@ -0,0 +1,17 @@
+#!/bin/bash
+apt-get update -y
+apt-get install -y git docker docker-compose net-tools
+
+addgroup --gid 1000 hosting
+adduser --ingroup hosting -u 1000 git
+adduser --system --ingroup hosting --ingroup docker git-docker
+
+mkdir /home/git/.ssh
+chown -R git:hosting /home/git/.ssh
+mkdir -p /var/hosting/git/gitea
+mkdir -p /var/hosting/git/postgres
+mkdir -p /var/hosting/git/gitea/git/.ssh/
+mkdir -p /app/gitea
+mkdir -p /var/hosting/git/haproxy/config
+mkdir -p /var/hosting/git/haproxy/certs.d
+mkdir -p /var/hosting/git/letsencrypt
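Review bot: The script has no `set -e`, so if the `apt-get install` on the third line fails the user and directory setup still runs on a host without Docker; add `set -euo pipefail` directly after the shebang. On Debian and Ubuntu the package named `docker` is not the container engine (that is `docker.io`), so as far as I can tell the engine is only pulled in indirectly through `docker-compose`; naming `docker.io` explicitly in the install line is safer. `adduser --system --ingroup hosting --ingroup docker git-docker` passes `--ingroup` twice and I believe only the last one takes effect, and membership in the `docker` group is equivalent to root on the host, which deserves a one-line comment stating that this is intentional. `mkdir /home/git/.ssh` is the only `mkdir` without `-p` and will abort a re-run, and the directory is left at the default umask rather than the conventional `chmod 700 /home/git/.ssh`.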