First commit to own repository

This commit is contained in:
Jörg Deckert 2024-04-18 22:31:41 +02:00
parent ae40474bef
commit 5e392409b6
14 changed files with 354 additions and 0 deletions

49
Makefile Normal file
View File

@ -0,0 +1,49 @@
02firstboot = $(CHROOT)/usr/local/bin/02firstboot.start
cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh
apache_conf = $(CHROOT)/etc/apache2/vhosts.d/default_vhost.include.applorig
systemd-units: appliance/MySQL-Backup.sh appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer
cp appliance/MySQL-Backup.sh $(CHROOT)/usr/local/bin/
cp appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer $(CHROOT)/etc/systemd/system/
$(02firstboot): appliance/02firstboot.start
mkdir -p $(CHROOT)/etc/local.d
cp $< $@
touch $(CHROOT)/02firstboot
$(cert-renew.sh): appliance/cert-renew.sh
mkdir -p $(CHROOT)/etc/ssl
cp $< $@
$(apache_conf): apache/default_vhost.include
sed -i 's/-D LANGUAGE/-D LANGUAGE -D PROXY/' $(CHROOT)/etc/conf.d/apache2
mv $(CHROOT)/etc/apache2/vhosts.d/default_vhost.include $@
cp $< $(CHROOT)/etc/apache2/vhosts.d/default_vhost.include
$(CHROOT)/var/lib/mysql: mariadb/my.cnf.root
# MariaDB-Konfiguration ($$, weil make ein $ entfernt)
sed -i "s/^character-set-server.*$$/character-set-server = utf8mb4/" $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
sed -iE 's/^\(log-bin\)/#\1/' $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
echo >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
echo "collation-server = utf8mb4_general_ci" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
echo "transaction_isolation = READ-COMMITTED" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
echo "binlog_format = ROW" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
echo "expire_logs_days = 3" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
echo "innodb_file_per_table = 1" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
echo "innodb_large_prefix = on" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
echo "innodb_buffer_pool_size = 2G" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
echo "innodb_strict_mode = OFF" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
cp mariadb/my.cnf.root $(CHROOT)/root/.my.cnf
chmod 0600 $(CHROOT)/root/.my.cnf
rm -rf $(CHROOT)/var/lib/mysql/*
RUN bash -c 'yes gentoo | emerge --config dev-db/mariadb'
preinstall:
postinstall: systemd-units $(apache_conf) $(02firstboot) $(cert-renew.sh) $(CHROOT)/var/lib/mysql
# Apache-Konfiguration
sed -i 's/-D LANGUAGE/-D LANGUAGE -D PROXY/' $(CHROOT)/etc/conf.d/apache2
mv $(CHROOT)/etc/apache2/vhosts.d/default_vhost.include $(CHROOT)/etc/apache2/vhosts.d/default_vhost.include.orig
cp apache/default_vhost.include $(CHROOT)/etc/apache2/vhosts.d/

View File

@ -0,0 +1,17 @@
ServerAlias letsencrypt
ServerAlias gitea
ServerAdmin root@localhost
DocumentRoot "/var/www/localhost/htdocs"
<Directory "/var/www/localhost/htdocs">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ProxyPreserveHost On
ProxyRequests off
AllowEncodedSlashes NoDecode
ProxyPass / http://localhost:3000/ nocanon
ProxyPassReverse / http://localhost:3000/

131
appliance/02firstboot.start Executable file
View File

@ -0,0 +1,131 @@
#!/bin/bash
# variables
LABEL="DATA"
DATABASE_PASS=$(head -c 300 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 16)
TLD="example.com"
HOST="git"
ORGNAME="git example"
# start
set -e
[ -e /01firstboot ] && exit 0
[ -e /02firstboot ] || exit 0
# Gitea configuration
if [ ! -L /etc/gitea/app.ini ]; then
if [ ! -f "/$LABEL/etc/gitea/app.ini" ]; then
echo 'Create Gitea config...'
mkdir -p /$LABEL/etc/gitea
cp /etc/gitea/app.ini /$LABEL/etc/gitea/app.ini
mv /etc/gitea/app.ini /$LABEL/etc/gitea/app.ini.orig
chown -R git:git /$LABEL/etc/gitea
ln -s /$LABEL/etc/gitea/app.ini /etc/gitea/app.ini
echo 'Configure Gitea...'
sed -i 's#^HOST = 127.0.0.1:3306#HOST = /run/mysqld/mysqld.sock#' /$LABEL/etc/gitea/app.ini
sed -i 's/^NAME = gitea/NAME = giteadb/' /$LABEL/etc/gitea/app.ini
sed -i 's/^USER = root/USER = gitea/' /$LABEL/etc/gitea/app.ini
sed -i 's/^LFS_JWT_SECRET.*=.*$/LFS_JWT_SECRET = '`gitea generate secret LFS_JWT_SECRET`'/g' /$LABEL/etc/gitea/app.ini
sed -i 's/^INTERNAL_TOKEN.*=.*$/INTERNAL_TOKEN = '`gitea generate secret INTERNAL_TOKEN`'/g' /$LABEL/etc/gitea/app.ini
sed -i 's/^SECRET_KEY.*=.*$/SECRET_KEY = '`gitea generate secret SECRET_KEY`'/g' /$LABEL/etc/gitea/app.ini
else
echo 'Linking Gitea config...'
cp /$LABEL/etc/gitea/app.ini /$LABEL/etc/gitea/app.ini.alt
rm -f /$LABEL/etc/gitea/app.ini.orig
mv /etc/gitea/app.ini /$LABEL/etc/gitea/app.ini.orig
chown -R git:git /$LABEL/etc/gitea
ln -s /$LABEL/etc/gitea/app.ini /etc/gitea/app.ini
fi
fi
if [ ! -d "/$LABEL/var/lib/gitea" ]; then
mkdir -p /$LABEL/var/lib/gitea
chown git:git /$LABEL/var/lib/gitea
cp -a /var/lib/gitea/. /$LABEL/var/lib/gitea
fi
mv /var/lib/gitea /var/lib/gitea.orig
ln -s /$LABEL/var/lib/gitea /var/lib/gitea
# Database
if [ ! -L /var/lib/mysql ]; then
systemctl stop mariadb
if [ ! -d "/$LABEL/var/lib/mysql/giteadb" ]; then
echo 'Initialize MariaDB...'
mkdir -p "/$LABEL/var/lib"
rm -rf "/$LABEL/var/lib/mysql"
cp -a "/var/lib/mysql" "/$LABEL/var/lib/mysql"
mv "/var/lib/mysql" "/$LABEL/var/lib/mysql.orig"
ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"
systemctl start mariadb
sleep 5
echo 'Create Gitea database...'
mysql -u root -e "CREATE USER 'gitea'@'localhost' IDENTIFIED BY '$DATABASE_PASS';"
mysql -u root -e "CREATE DATABASE giteadb CHARACTER SET 'utf8mb4' COLLATE 'utf8mb4_unicode_ci';"
mysql -u root -e "GRANT ALL PRIVILEGES ON giteadb.* TO 'gitea'@'localhost' IDENTIFIED by '$DATABASE_PASS';"
mysql -u root -e "FLUSH PRIVILEGES;"
else
echo 'Start MariaDB...'
rm -rf "/$LABEL/var/lib/mysql.orig"
mv "/var/lib/mysql" "/$LABEL/var/lib/mysql.orig"
ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"
systemctl start mariadb
sleep 5
mysql -u root -e "GRANT ALL PRIVILEGES ON giteadb.* TO 'gitea'@'localhost' IDENTIFIED by '$DATABASE_PASS';"
fi
else
echo 'Set new database password...'
systemctl restart mariadb
sleep 5
mysql -u root -e "GRANT ALL PRIVILEGES ON giteadb.* TO 'gitea'@'localhost' IDENTIFIED by '$DATABASE_PASS';"
fi
# update Gitea config with new database password
sed -i "s/.*PASSWD = .*;Use PASSWD =/PASSWD = $DATABASE_PASS ;Use PASSWD =/" /$LABEL/etc/gitea/app.ini
# Certificate
if [ -x "/$LABEL/etc/ssl/cert-renew.sh" ]; then
# angepaßtes Zertifikat vorhanden (kein example)
if [ ! -L /etc/ssl/cert-renew.sh ]; then
rm -f "/$LABEL/etc/ssl/cert-renew.sh.orig"
mv "/etc/ssl/cert-renew.sh" "/$LABEL/etc/ssl/cert-renew.sh.orig"
else
rm -f "/etc/ssl/cert-renew.sh"
fi
ln -s "/$LABEL/etc/ssl/cert-renew.sh" "/etc/ssl/cert-renew.sh"
else
echo 'Create example certificate...'
mkdir -p "/$LABEL/CERTS/KEYS/"
mkdir -p "/$LABEL/CERTS/$HOST.$TLD"
echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem"
cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem"
touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem"
fi
rm -rf /etc/ssl/apache2
mkdir -p /etc/ssl
ln -sf "/$LABEL/etc/ssl/apache2" "/etc/ssl/apache2"
/etc/ssl/cert-renew.sh
echo
echo "Success!"
echo "Do not forget to upgrade the MySQL database:"
echo " # mysql_upgrade"
echo
systemctl enable mariadb
systemctl enable apache2
systemctl enable gitea
systemctl restart gitea
systemctl restart apache2
rm /02firstboot

32
appliance/MySQL-Backup.sh Executable file
View File

@ -0,0 +1,32 @@
#!/bin/bash
PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
DIR="/DATA/Backup/MySQL"
if [ -z $1 ]; then
echo "database name missing! use --all for all db's"
exit 1;
elif [ $1 = '--all' ]; then
echo "full backup"
for i in `mysqlshow --defaults-file=/root/.my.cnf | awk '{print $2}' | grep -v Databases`; do
if [ "$i" != "information_schema" ] && [ "$i" != "performance_schema" ]; then
if test -f ${DIR}/${i}.sql; then
echo "Move ${DIR}/${i}.sql to ${DIR}/${i}.sql.1"
mv ${DIR}/${i}.sql ${DIR}/${i}.sql.1
fi
echo "dump ${i} to ${DIR}/${i}.sgl"
mysqldump --defaults-file=/root/.my.cnf --single-transaction --events --opt -QF -r${DIR}/${i}.sql $i
chmod 600 ${DIR}/${i}.sql
fi
done;
elif [ -n $1 ]; then
echo "Starting backup of $1"
if test -f $DIR/$1.sql; then
echo "Move $DIR/$1.sql to $DIR/$1.sql.1"
mv ${DIR}/${1}.sql ${DIR}/${1}.sql.1
fi
mysqldump --defaults-file=/root/.my.cnf --single-transaction --opt -QF -r${DIR}/${1}.sql $1
chmod 600 ${DIR}/${1}.sql
fi
echo "Done"
exit 0;

8
appliance/backup.service Normal file
View File

@ -0,0 +1,8 @@
[Unit]
Description=execute backup tasks
RefuseManualStart=no
RefuseManualStop=yes
[Service]
Type=oneshot
ExecStart=/usr/local/bin/MySQL-Backup.sh --all

12
appliance/backup.timer Normal file
View File

@ -0,0 +1,12 @@
[Unit]
Description=execute backup tasks
RefuseManualStart=no
RefuseManualStop=no
[Timer]
Persistent=false
OnCalendar=Sun *-*-* 02:19:00
Unit=backup.service
[Install]
WantedBy=default.target

View File

@ -0,0 +1,8 @@
[Unit]
Description=renew certificates from git store
RefuseManualStart=no
RefuseManualStop=yes
[Service]
Type=oneshot
ExecStart=/etc/ssl/cert-renew.sh

52
appliance/cert-renew.sh Executable file
View File

@ -0,0 +1,52 @@
#!/bin/bash
HOST="git"
TLD="example.com"
FQDN="$HOST.$TLD"
LABEL="DATA"
CERT_DIR=/$LABEL/CERTS
CERT_APACHE=/$LABEL/etc/ssl/apache2
GETREPO=""
GETUSER=""
GETPASS=""
function getCurrentVersion() {
# Get hash from latest revision
git log --format=format:%H -1
}
cd $CERT_DIR
if [ -z "$GETREPO" ]; then
GIT_REVISION=0
GIT_NEW_REVISION=1
cd $FQDN
elif [ ! -d "$FQDN" ]; then
GIT_REVISION=0
git clone "https://$GETUSER:$GETPASS@$GETREPO"
cd $FQDN
GIT_NEW_REVISION=$(getCurrentVersion)
else
cd $FQDN
GIT_REVISION=$(getCurrentVersion)
git commit -m "CRON: auto commit"
git fetch
git merge origin/master -m "Auto Merge"
GIT_NEW_REVISION=$(getCurrentVersion)
fi
echo "old: $GIT_REVISION"
echo "new: $GIT_NEW_REVISION"
if [ $GIT_REVISION != $GIT_NEW_REVISION ]
then
echo "Update Apache certificate..."
mkdir -p $CERT_APACHE
cp $CERT_DIR/$FQDN/$FQDN-fullchain.pem $CERT_APACHE/server.crt
cp $CERT_DIR/KEYS/$FQDN-key.pem $CERT_APACHE/server.key
echo "Restarting Apache..."
systemctl is-active --quiet apache2 && systemctl restart apache2
fi
exit 0

View File

@ -0,0 +1,12 @@
[Unit]
Description=renew certificates from git store
RefuseManualStart=no
RefuseManualStop=no
[Timer]
Persistent=false
OnCalendar=Sun *-*-* 04:03:00
Unit=cert-renew.service
[Install]
WantedBy=default.target

11
mariadb/my.cnf.root Normal file
View File

@ -0,0 +1,11 @@
[mysqladmin]
user = root
password = gentoo
[mysql]
user = root
password = gentoo
[client]
user = root
password = gentoo

7
package.accept_keywords Normal file
View File

@ -0,0 +1,7 @@
# Hetzner-Certbot
dev-python/dns-lexicon
dev-python/pyotp
# Gitea
dev-vcs/git-crypt
www-apps/gitea

5
package.use Normal file
View File

@ -0,0 +1,5 @@
# Apache
www-servers/apache apache2_modules_proxy apache2_modules_proxy_ajp apache2_modules_proxy_connect apache2_modules_proxy_http apache2_modules_proxy_wstunnel
# Gitea
acct-user/git gitea

2
va-git.cfg Normal file
View File

@ -0,0 +1,2 @@
REPO_NAMES += unitas-letsencrypt
REPO_URI_unitas-letsencrypt = https://git.unitas-network.de/Gentoo/unitas-letsencrypt.git

8
world Normal file
View File

@ -0,0 +1,8 @@
app-arch/unzip
app-crypt/certbot-apache
app-crypt/certbot-dns-hetzner
app-text/docbook-xsl-stylesheets
dev-db/mariadb
dev-vcs/git-crypt
www-servers/apache
www-apps/gitea