diff --git a/git/Makefile b/git/Makefile new file mode 100644 index 0000000..8b46b05 --- /dev/null +++ b/git/Makefile @@ -0,0 +1,49 @@ +02firstboot = $(CHROOT)/usr/local/bin/02firstboot.start +cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh +apache_conf = $(CHROOT)/etc/apache2/vhosts.d/default_vhost.include.applorig + +systemd-units: appliance/MySQL-Backup.sh appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer + cp appliance/MySQL-Backup.sh $(CHROOT)/usr/local/bin/ + cp appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer $(CHROOT)/etc/systemd/system/ + +$(02firstboot): appliance/02firstboot.start + mkdir -p $(CHROOT)/etc/local.d + cp $< $@ + touch $(CHROOT)/02firstboot + +$(cert-renew.sh): appliance/cert-renew.sh + mkdir -p $(CHROOT)/etc/ssl + cp $< $@ + +$(apache_conf): apache/default_vhost.include + sed -i 's/-D LANGUAGE/-D LANGUAGE -D PROXY/' $(CHROOT)/etc/conf.d/apache2 + mv $(CHROOT)/etc/apache2/vhosts.d/default_vhost.include $@ + cp $< $(CHROOT)/etc/apache2/vhosts.d/default_vhost.include + +$(CHROOT)/var/lib/mysql: mariadb/my.cnf.root + # MariaDB-Konfiguration ($$, weil make ein $ entfernt) + sed -i "s/^character-set-server.*$$/character-set-server = utf8mb4/" $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf + sed -iE 's/^\(log-bin\)/#\1/' $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf + echo >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf + echo "collation-server = utf8mb4_general_ci" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf + echo "transaction_isolation = READ-COMMITTED" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf + echo "binlog_format = ROW" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf + echo "expire_logs_days = 3" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf + echo "innodb_file_per_table = 1" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf + echo "innodb_large_prefix = on" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf + echo "innodb_buffer_pool_size = 2G" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf + echo "innodb_strict_mode = OFF" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf + cp mariadb/my.cnf.root $(CHROOT)/root/.my.cnf + chmod 0600 $(CHROOT)/root/.my.cnf + rm -rf $(CHROOT)/var/lib/mysql/* + RUN bash -c 'yes gentoo | emerge --config dev-db/mariadb' + +preinstall: + +postinstall: systemd-units $(apache_conf) $(02firstboot) $(cert-renew.sh) $(CHROOT)/var/lib/mysql + + + # Apache-Konfiguration + sed -i 's/-D LANGUAGE/-D LANGUAGE -D PROXY/' $(CHROOT)/etc/conf.d/apache2 + mv $(CHROOT)/etc/apache2/vhosts.d/default_vhost.include $(CHROOT)/etc/apache2/vhosts.d/default_vhost.include.orig + cp apache/default_vhost.include $(CHROOT)/etc/apache2/vhosts.d/ diff --git a/git/apache/default_vhost.include b/git/apache/default_vhost.include new file mode 100644 index 0000000..f3b0009 --- /dev/null +++ b/git/apache/default_vhost.include @@ -0,0 +1,17 @@ +ServerAlias letsencrypt +ServerAlias gitea + +ServerAdmin root@localhost + +DocumentRoot "/var/www/localhost/htdocs" + + Options Indexes FollowSymLinks + AllowOverride All + Require all granted + + +ProxyPreserveHost On +ProxyRequests off +AllowEncodedSlashes NoDecode +ProxyPass / http://localhost:3000/ nocanon +ProxyPassReverse / http://localhost:3000/ \ No newline at end of file diff --git a/git/appliance/02firstboot.start b/git/appliance/02firstboot.start new file mode 100755 index 0000000..5eb5ecf --- /dev/null +++ b/git/appliance/02firstboot.start @@ -0,0 +1,131 @@ +#!/bin/bash + +# variables +LABEL="DATA" +DATABASE_PASS=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 16) +TLD="example.com" +HOST="git" +ORGNAME="git example" + +# start +set -e + +[ -e /01firstboot ] && exit 0 +[ -e /02firstboot ] || exit 0 + +# Gitea configuration +if [ ! -L /etc/gitea/app.ini ]; then + if [ ! -f "/$LABEL/etc/gitea/app.ini" ]; then + echo 'Create Gitea config...' + mkdir -p /$LABEL/etc/gitea + cp /etc/gitea/app.ini /$LABEL/etc/gitea/app.ini + mv /etc/gitea/app.ini /$LABEL/etc/gitea/app.ini.orig + chown -R git:git /$LABEL/etc/gitea + ln -s /$LABEL/etc/gitea/app.ini /etc/gitea/app.ini + + echo 'Configure Gitea...' + sed -i 's#^HOST = 127.0.0.1:3306#HOST = /run/mysqld/mysqld.sock#' /$LABEL/etc/gitea/app.ini + sed -i 's/^NAME = gitea/NAME = giteadb/' /$LABEL/etc/gitea/app.ini + sed -i 's/^USER = root/USER = gitea/' /$LABEL/etc/gitea/app.ini + sed -i 's/^LFS_JWT_SECRET.*=.*$/LFS_JWT_SECRET = '`gitea generate secret LFS_JWT_SECRET`'/g' /$LABEL/etc/gitea/app.ini + sed -i 's/^INTERNAL_TOKEN.*=.*$/INTERNAL_TOKEN = '`gitea generate secret INTERNAL_TOKEN`'/g' /$LABEL/etc/gitea/app.ini + sed -i 's/^SECRET_KEY.*=.*$/SECRET_KEY = '`gitea generate secret SECRET_KEY`'/g' /$LABEL/etc/gitea/app.ini + else + echo 'Linking Gitea config...' + cp /$LABEL/etc/gitea/app.ini /$LABEL/etc/gitea/app.ini.alt + rm -f /$LABEL/etc/gitea/app.ini.orig + mv /etc/gitea/app.ini /$LABEL/etc/gitea/app.ini.orig + chown -R git:git /$LABEL/etc/gitea + ln -s /$LABEL/etc/gitea/app.ini /etc/gitea/app.ini + fi +fi +if [ ! -d "/$LABEL/var/lib/gitea" ]; then + mkdir -p /$LABEL/var/lib/gitea + chown git:git /$LABEL/var/lib/gitea + cp -a /var/lib/gitea/. /$LABEL/var/lib/gitea +fi +mv /var/lib/gitea /var/lib/gitea.orig +ln -s /$LABEL/var/lib/gitea /var/lib/gitea + +# Database +if [ ! -L /var/lib/mysql ]; then + systemctl stop mariadb + if [ ! -d "/$LABEL/var/lib/mysql/giteadb" ]; then + echo 'Initialize MariaDB...' + mkdir -p "/$LABEL/var/lib" + rm -rf "/$LABEL/var/lib/mysql" + cp -a "/var/lib/mysql" "/$LABEL/var/lib/mysql" + mv "/var/lib/mysql" "/$LABEL/var/lib/mysql.orig" + ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql" + systemctl start mariadb + sleep 5 + + echo 'Create Gitea database...' + mysql -u root -e "CREATE USER 'gitea'@'localhost' IDENTIFIED BY '$DATABASE_PASS';" + mysql -u root -e "CREATE DATABASE giteadb CHARACTER SET 'utf8mb4' COLLATE 'utf8mb4_unicode_ci';" + mysql -u root -e "GRANT ALL PRIVILEGES ON giteadb.* TO 'gitea'@'localhost' IDENTIFIED by '$DATABASE_PASS';" + mysql -u root -e "FLUSH PRIVILEGES;" + else + echo 'Start MariaDB...' + rm -rf "/$LABEL/var/lib/mysql.orig" + mv "/var/lib/mysql" "/$LABEL/var/lib/mysql.orig" + ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql" + systemctl start mariadb + sleep 5 + mysql -u root -e "GRANT ALL PRIVILEGES ON giteadb.* TO 'gitea'@'localhost' IDENTIFIED by '$DATABASE_PASS';" + fi +else + echo 'Set new database password...' + systemctl restart mariadb + sleep 5 + mysql -u root -e "GRANT ALL PRIVILEGES ON giteadb.* TO 'gitea'@'localhost' IDENTIFIED by '$DATABASE_PASS';" +fi + +# update Gitea config with new database password +sed -i "s/.*PASSWD = .*;Use PASSWD =/PASSWD = $DATABASE_PASS ;Use PASSWD =/" /$LABEL/etc/gitea/app.ini + +# Certificate +if [ -x "/$LABEL/etc/ssl/cert-renew.sh" ]; then + # angepaßtes Zertifikat vorhanden (kein example) + if [ ! -L /etc/ssl/cert-renew.sh ]; then + rm -f "/$LABEL/etc/ssl/cert-renew.sh.orig" + mv "/etc/ssl/cert-renew.sh" "/$LABEL/etc/ssl/cert-renew.sh.orig" + else + rm -f "/etc/ssl/cert-renew.sh" + fi + ln -s "/$LABEL/etc/ssl/cert-renew.sh" "/etc/ssl/cert-renew.sh" +else + echo 'Create example certificate...' + mkdir -p "/$LABEL/CERTS/KEYS/" + mkdir -p "/$LABEL/CERTS/$HOST.$TLD" + echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" + echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" + echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" + echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" + echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" + echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" + openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem" + cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem" + touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem" +fi + +rm -rf /etc/ssl/apache2 +mkdir -p /etc/ssl +ln -sf "/$LABEL/etc/ssl/apache2" "/etc/ssl/apache2" + +/etc/ssl/cert-renew.sh + +echo +echo "Success!" +echo "Do not forget to upgrade the MySQL database:" +echo " # mysql_upgrade" +echo + +systemctl enable mariadb +systemctl enable apache2 +systemctl enable gitea + +systemctl restart gitea +systemctl restart apache2 + +rm /02firstboot diff --git a/git/appliance/MySQL-Backup.sh b/git/appliance/MySQL-Backup.sh new file mode 100755 index 0000000..19ccfc9 --- /dev/null +++ b/git/appliance/MySQL-Backup.sh @@ -0,0 +1,32 @@ +#!/bin/bash +PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" + +DIR="/DATA/Backup/MySQL" + +if [ -z $1 ]; then + echo "database name missing! use --all for all db's" + exit 1; +elif [ $1 = '--all' ]; then + echo "full backup" + for i in `mysqlshow --defaults-file=/root/.my.cnf | awk '{print $2}' | grep -v Databases`; do + if [ "$i" != "information_schema" ] && [ "$i" != "performance_schema" ]; then + if test -f ${DIR}/${i}.sql; then + echo "Move ${DIR}/${i}.sql to ${DIR}/${i}.sql.1" + mv ${DIR}/${i}.sql ${DIR}/${i}.sql.1 + fi + echo "dump ${i} to ${DIR}/${i}.sgl" + mysqldump --defaults-file=/root/.my.cnf --single-transaction --events --opt -QF -r${DIR}/${i}.sql $i + chmod 600 ${DIR}/${i}.sql + fi + done; +elif [ -n $1 ]; then + echo "Starting backup of $1" + if test -f $DIR/$1.sql; then + echo "Move $DIR/$1.sql to $DIR/$1.sql.1" + mv ${DIR}/${1}.sql ${DIR}/${1}.sql.1 + fi + mysqldump --defaults-file=/root/.my.cnf --single-transaction --opt -QF -r${DIR}/${1}.sql $1 + chmod 600 ${DIR}/${1}.sql +fi +echo "Done" +exit 0; diff --git a/git/appliance/backup.service b/git/appliance/backup.service new file mode 100644 index 0000000..13ca921 --- /dev/null +++ b/git/appliance/backup.service @@ -0,0 +1,8 @@ +[Unit] +Description=execute backup tasks +RefuseManualStart=no +RefuseManualStop=yes + +[Service] +Type=oneshot +ExecStart=/usr/local/bin/MySQL-Backup.sh --all diff --git a/git/appliance/backup.timer b/git/appliance/backup.timer new file mode 100644 index 0000000..ec59929 --- /dev/null +++ b/git/appliance/backup.timer @@ -0,0 +1,12 @@ +[Unit] +Description=execute backup tasks +RefuseManualStart=no +RefuseManualStop=no + +[Timer] +Persistent=false +OnCalendar=Sun *-*-* 02:19:00 +Unit=backup.service + +[Install] +WantedBy=default.target diff --git a/git/appliance/cert-renew.service b/git/appliance/cert-renew.service new file mode 100644 index 0000000..59ec86d --- /dev/null +++ b/git/appliance/cert-renew.service @@ -0,0 +1,8 @@ +[Unit] +Description=renew certificates from git store +RefuseManualStart=no +RefuseManualStop=yes + +[Service] +Type=oneshot +ExecStart=/etc/ssl/cert-renew.sh diff --git a/git/appliance/cert-renew.sh b/git/appliance/cert-renew.sh new file mode 100755 index 0000000..055c786 --- /dev/null +++ b/git/appliance/cert-renew.sh @@ -0,0 +1,52 @@ +#!/bin/bash + +HOST="git" +TLD="example.com" +FQDN="$HOST.$TLD" +LABEL="DATA" + +CERT_DIR=/$LABEL/CERTS +CERT_APACHE=/$LABEL/etc/ssl/apache2 +GETREPO="" +GETUSER="" +GETPASS="" + +function getCurrentVersion() { +# Get hash from latest revision + git log --format=format:%H -1 +} + +cd $CERT_DIR + +if [ -z "$GETREPO" ]; then + GIT_REVISION=0 + GIT_NEW_REVISION=1 + cd $FQDN +elif [ ! -d "$FQDN" ]; then + GIT_REVISION=0 + git clone "https://$GETUSER:$GETPASS@$GETREPO" + cd $FQDN + GIT_NEW_REVISION=$(getCurrentVersion) +else + cd $FQDN + GIT_REVISION=$(getCurrentVersion) + git commit -m "CRON: auto commit" + git fetch + git merge origin/master -m "Auto Merge" + GIT_NEW_REVISION=$(getCurrentVersion) +fi + +echo "old: $GIT_REVISION" +echo "new: $GIT_NEW_REVISION" + +if [ $GIT_REVISION != $GIT_NEW_REVISION ] +then + echo "Update Apache certificate..." + mkdir -p $CERT_APACHE + cp $CERT_DIR/$FQDN/$FQDN-fullchain.pem $CERT_APACHE/server.crt + cp $CERT_DIR/KEYS/$FQDN-key.pem $CERT_APACHE/server.key + echo "Restarting Apache..." + systemctl is-active --quiet apache2 && systemctl restart apache2 +fi + +exit 0 diff --git a/git/appliance/cert-renew.timer b/git/appliance/cert-renew.timer new file mode 100644 index 0000000..fa2ee54 --- /dev/null +++ b/git/appliance/cert-renew.timer @@ -0,0 +1,12 @@ +[Unit] +Description=renew certificates from git store +RefuseManualStart=no +RefuseManualStop=no + +[Timer] +Persistent=false +OnCalendar=Sun *-*-* 04:03:00 +Unit=cert-renew.service + +[Install] +WantedBy=default.target diff --git a/git/git.cfg b/git/git.cfg new file mode 100644 index 0000000..49cc045 --- /dev/null +++ b/git/git.cfg @@ -0,0 +1,2 @@ +REPO_NAMES += unitas-letsencrypt +REPO_URI_unitas-letsencrypt = https://git.unitas-network.de/Gentoo/unitas-letsencrypt.git diff --git a/git/mariadb/my.cnf.root b/git/mariadb/my.cnf.root new file mode 100644 index 0000000..b5ac578 --- /dev/null +++ b/git/mariadb/my.cnf.root @@ -0,0 +1,11 @@ +[mysqladmin] +user = root +password = gentoo + +[mysql] +user = root +password = gentoo + +[client] +user = root +password = gentoo diff --git a/git/package.accept_keywords b/git/package.accept_keywords new file mode 100644 index 0000000..2206312 --- /dev/null +++ b/git/package.accept_keywords @@ -0,0 +1,3 @@ +# Gitea +dev-vcs/git-crypt +www-apps/gitea diff --git a/git/package.use b/git/package.use new file mode 100644 index 0000000..5973e3f --- /dev/null +++ b/git/package.use @@ -0,0 +1,5 @@ +# Apache +www-servers/apache apache2_modules_proxy apache2_modules_proxy_ajp apache2_modules_proxy_connect apache2_modules_proxy_http apache2_modules_proxy_wstunnel + +# Gitea +acct-user/git gitea diff --git a/git/world b/git/world new file mode 100644 index 0000000..8da9f47 --- /dev/null +++ b/git/world @@ -0,0 +1,7 @@ +app-arch/unzip +app-crypt/certbot-apache +app-crypt/certbot-dns-hetzner +dev-db/mariadb +dev-vcs/git-crypt +www-servers/apache +www-apps/gitea