From aa4fe38dba815d1ffd3a6ebe7c59b9341ff465dd Mon Sep 17 00:00:00 2001 From: Maximilian Thoma <40450342+lanbugs@users.noreply.github.com> Date: Sat, 3 Oct 2020 19:53:05 +0200 Subject: [PATCH] Init --- gitea_installer.sh | 362 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 362 insertions(+) create mode 100644 gitea_installer.sh diff --git a/gitea_installer.sh b/gitea_installer.sh new file mode 100644 index 0000000..45c8b51 --- /dev/null +++ b/gitea_installer.sh @@ -0,0 +1,362 @@ +#!/bin/bash + +# ----------------------------------------------------------------------------- +# GITEA Installer with Nginx, MariaDB, UFW & Letsencrypt +# Version 0.1 +# Written by Maximilian Thoma 2020 +# https://lanbugs.de +# ----------------------------------------------------------------------------- + +LETSENCRYPT='false' +UFW='false' + +#GETOPTS +while getopts f:e:i:p:r:lu flag +do + case "${flag}" in + f) FQDN=${OPTARG};; + e) EMAIL=${OPTARG};; + i) IP=${OPTARG};; + p) PASSWORD=${OPTARG};; + r) SQLROOT=${OPTARG};; + l) LETSENCRYPT='true';; + u) UFW='true';; + esac +done + +if [ -z "$FQDN" ] || [ -z "$EMAIL" ] || [ -z "$IP" ] || [ -z "$PASSWORD" ] || [ -z "$SQLROOT" ]; then +echo "One of the options is missing:" +echo "-f FQDN - Systemname of GITEA system" +echo "-e EMAIL - E-Mail for letsencrypt" +echo "-i IP - IPv4 address of this system" +echo "-p PASSWORD - Used for GITEA DB" +echo "-r SQLROOT - MySQL ROOT password" +echo "-l LETSENCRYPT - Use letsencrypt" +echo "-u UFW - Use UFW" +exit +fi + +# Check if curl is installed +if [ ! -x /usr/bin/curl ] ; then +CURL_NOT_EXIST=1 +apt install -y curl +else +CURL_NOT_EXIST=0 +fi + +# Install packages +apt update +apt install -y nginx mariadb-server git ssl-cert + +# Get last version +VER=$(curl --silent "https://api.github.com/repos/go-gitea/gitea/releases/latest" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/' | sed 's|[v,]||g' ) + +# Create git user +adduser --system --group --disabled-password --shell /bin/bash --home /home/git --gecos 'Git Version Control' git + +# Download gitea +# Check if architecure is i386 and download Gitea +if [ -n "$(uname -a | grep i386)" ]; then + sudo curl -fsSL -o "/tmp/gitea" "https://dl.gitea.io/gitea/$VER/gitea-$VER-linux-386" +fi + +# Check if architecure is x86 and download Gitea +if [ -n "$(uname -a | grep x86_64)" ]; then + sudo curl -fsSL -o "/tmp/gitea" "https://dl.gitea.io/gitea/$VER/gitea-$VER-linux-amd64" +fi + +# Check if architecure is ARMv6 and download Gitea +if [ -n "$(uname -a | grep armv6l)" ]; then + sudo curl -fsSL -o "/tmp/gitea" "https://dl.gitea.io/gitea/$VER/gitea-$VER-linux-arm-6" +fi + +# Check if architecure is ARMv7 and download Gitea +if [ -n "$(uname -a | grep armv7l)" ]; then + sudo curl -fsSL -o "/tmp/gitea" "https://dl.gitea.io/gitea/$VER/gitea-$VER-linux-arm-7" +fi + +# Move binary +mv /tmp/gitea /usr/local/bin +chmod +x /usr/local/bin/gitea + +# Create folders +mkdir -p /var/lib/gitea/{custom,data,indexers,public,log} +chown git: /var/lib/gitea/{data,indexers,log} +chmod 750 /var/lib/gitea/{data,indexers,log} +mkdir /etc/gitea +chown root:git /etc/gitea +chmod 770 /etc/gitea + +# Get systemd file +curl -fsSL -o /etc/systemd/system/gitea.service https://raw.githubusercontent.com/go-gitea/gitea/master/contrib/systemd/gitea.service + +# Enable mariadb requirement in systemd gitea.service script +perl -pi -w -e 's/#Requires=mariadb.service/Requires=mariadb.service/g;' /etc/systemd/system/gitea.service + +# Reload & Enable gitea daemon +systemctl daemon-reload +systemctl enable --now gitea + +# Create db in mariadb +mysql -u root -Bse "CREATE DATABASE giteadb;" +mysql -u root -Bse "CREATE USER 'gitea'@'localhost' IDENTIFIED BY '$PASSWORD';" +mysql -u root -Bse "GRANT ALL ON giteadb.* TO 'gitea'@'localhost' IDENTIFIED BY '$PASSWORD' WITH GRANT OPTION;" +mysql -u root -Bse "ALTER DATABASE giteadb CHARACTER SET = utf8mb4 COLLATE utf8mb4_unicode_ci;" +mysql -u root -Bse "FLUSH PRIVILEGES;" + +# Save original config +cp /etc/mysql/mariadb.conf.d/50-server.cnf /etc/mysql/mariadb.conf.d/50-server.org + +cat >> /etc/mysql/mariadb.conf.d/50-server.cnf << XYZ +# +# These groups are read by MariaDB server. +# Use it for options that only the server (but not clients) should see +# +# See the examples of server my.cnf files in /usr/share/mysql + +# this is read by the standalone daemon and embedded servers +[server] + +# this is only for the mysqld standalone daemon +[mysqld] + +# +# * Basic Settings +# +user = mysql +pid-file = /run/mysqld/mysqld.pid +socket = /run/mysqld/mysqld.sock +#port = 3306 +basedir = /usr +datadir = /var/lib/mysql +tmpdir = /tmp +lc-messages-dir = /usr/share/mysql +#skip-external-locking + +# Instead of skip-networking the default is now to listen only on +# localhost which is more compatible and is not less secure. +bind-address = 127.0.0.1 + +# +# * Fine Tuning +# +#key_buffer_size = 16M +#max_allowed_packet = 16M +#thread_stack = 192K +#thread_cache_size = 8 +# This replaces the startup script and checks MyISAM tables if needed +# the first time they are touched +#myisam_recover_options = BACKUP +#max_connections = 100 +#table_cache = 64 +#thread_concurrency = 10 + +# +# * Query Cache Configuration +# +#query_cache_limit = 1M +query_cache_size = 16M + +# +# * Logging and Replication +# +# Both location gets rotated by the cronjob. +# Be aware that this log type is a performance killer. +# As of 5.1 you can enable the log at runtime! +#general_log_file = /var/log/mysql/mysql.log +#general_log = 1 +# +# Error log - should be very few entries. +# +log_error = /var/log/mysql/error.log +# +# Enable the slow query log to see queries with especially long duration +#slow_query_log_file = /var/log/mysql/mariadb-slow.log +#long_query_time = 10 +#log_slow_rate_limit = 1000 +#log_slow_verbosity = query_plan +#log-queries-not-using-indexes +# +# The following can be used as easy to replay backup logs or for replication. +# note: if you are setting up a replication slave, see README.Debian about +# other settings you may need to change. +#server-id = 1 +#log_bin = /var/log/mysql/mysql-bin.log +expire_logs_days = 10 +#max_binlog_size = 100M +#binlog_do_db = include_database_name +#binlog_ignore_db = exclude_database_name + +# +# * Security Features +# +# Read the manual, too, if you want chroot! +#chroot = /var/lib/mysql/ +# +# For generating SSL certificates you can use for example the GUI tool "tinyca". +# +#ssl-ca = /etc/mysql/cacert.pem +#ssl-cert = /etc/mysql/server-cert.pem +#ssl-key = /etc/mysql/server-key.pem +# +# Accept only connections using the latest and most secure TLS protocol version. +# ..when MariaDB is compiled with OpenSSL: +#ssl-cipher = TLSv1.2 +# ..when MariaDB is compiled with YaSSL (default in Debian): +#ssl = on + +# +# * Character sets +# +# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full +# utf8 4-byte character set. See also client.cnf +# +character-set-server = utf8mb4 +collation-server = utf8mb4_general_ci + +# +# * InnoDB +# +# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/. +# Read the manual for more InnoDB related options. There are many! + +innodb_file_format = Barracuda +innodb_large_prefix = 1 +innodb_default_row_format = dynamic + +# +# * Unix socket authentication plugin is built-in since 10.0.22-6 +# +# Needed so the root database user can authenticate without a password but +# only when running as the unix root user. +# +# Also available for other users if required. +# See https://mariadb.com/kb/en/unix_socket-authentication-plugin/ + +# this is only for embedded server +[embedded] + +# This group is only read by MariaDB servers, not by MySQL. +# If you use the same .cnf file for MySQL and MariaDB, +# you can put MariaDB-only options here +[mariadb] + +# This group is only read by MariaDB-10.3 servers. +# If you use the same .cnf file for MariaDB of different versions, +# use this group for options that older servers don't understand +[mariadb-10.3] +XYZ + +#Restart mariadb +systemctl restart mariadb + +#Secure mariadb +mysql -u root -Bse "UPDATE mysql.user SET Password=PASSWORD('$SQLROOT') WHERE User='root'" +mysql -u root -p"$SQLROOT" -Bse "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')" +mysql -u root -p"$SQLROOT" -Bse "DELETE FROM mysql.user WHERE User=''" +mysql -u root -p"$SQLROOT" -Bse "DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'" +mysql -u root -p"$SQLROOT" -Bse "FLUSH PRIVILEGES" + +# Create nginx config +cat >> /etc/nginx/sites-enabled/$FQDN << XYZ +server { + listen 80; + server_name $FQDN; + + return 301 https://$FQDN\$request_uri; +} + +server { + listen 443 ssl http2; + server_name $FQDN; + + proxy_read_timeout 720s; + proxy_connect_timeout 720s; + proxy_send_timeout 720s; + + client_max_body_size 50m; + + # Proxy headers + proxy_set_header X-Forwarded-Host \$host; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto \$scheme; + proxy_set_header X-Real-IP \$remote_addr; + + # SSL parameters + ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; + ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; + + # log files + access_log /var/log/nginx/$FQDN.access.log; + error_log /var/log/nginx/$FQDN.error.log; + + # Handle / requests + location / { + proxy_redirect off; + proxy_pass http://127.0.0.1:3000; + } +} +XYZ + +# Restart nginx +service nginx restart + +#Aquire certificate letsencrypt +if [ $LETSENCRYPT=='true' ] ; then +apt install -y certbot python3-certbot-nginx +certbot --nginx -d $FQDN --non-interactive --agree-tos -m $EMAIL +fi + +# Install if ufw true +if [ $UFW=='true' ] ; then + +# UFW installed? +if [ ! -x /usr/sbin/ufw ] ; then +apt install -y ufw +fi + +# UFW policy +ufw allow 22/tcp +ufw allow 80/tcp +ufw allow 443/tcp +ufw logging on +ufw --force enable + +fi + + +# Cleanup packages +if [[ $CURL_NOT_EXIST == 1 ]]; then +apt remove -y curl +fi + +# Final message +echo "--------------------------------------------------------------------------------------" +echo " GITEA $VER installed on system $FQDN" +echo "--------------------------------------------------------------------------------------" +echo " Mysql database : giteadb " +echo " Mysql user : gitea " +echo " Mysql password : $PASSWORD " +echo "--------------------------------------------------------------------------------------" +echo " Mysql root user : root" +echo " Mysql root password : $SQLROOT" +echo "--------------------------------------------------------------------------------------" +echo " System is accessable via https://$FQDN" +echo "--------------------------------------------------------------------------------------" +echo " >>> You must finish the initial setup <<< " +echo "--------------------------------------------------------------------------------------" +echo " Site Title : Enter your organization name." +echo " Repository Root Path : Leave the default /home/git/gitea-repositories." +echo " Git LFS Root Path : Leave the default /var/lib/gitea/data/lfs." +echo " Run As Username : git" +echo " SSH Server Domain : Use $FQDN" +echo " SSH Port : 22, change it if SSH is listening on other Port" +echo " Gitea HTTP Listen Port: 3000" +echo " Gitea Base URL : Use https://$FQDN/ " +echo " Log Path : Leave the default /var/lib/gitea/log" +echo "--------------------------------------------------------------------------------------" +if [ $UFW=='true' ] ; then +echo " Following firewall rules applied:" +ufw status numbered +echo "--------------------------------------------------------------------------------------" +fi