566 lines
18 KiB
Bash
566 lines
18 KiB
Bash
|
#!/bin/bash
|
||
|
set -e
|
||
|
|
||
|
test_ca_list=()
|
||
|
case "$1" in
|
||
|
--test)
|
||
|
ln -sf test.env .env
|
||
|
test_ca_list=(test/certs/cur-root.crt test/certs/pebble.minica.pem)
|
||
|
;;
|
||
|
--production)
|
||
|
ln -sf production.env .env
|
||
|
;;
|
||
|
*)
|
||
|
echo "usage: $0 --test|--production" >&2
|
||
|
exit 1
|
||
|
;;
|
||
|
esac
|
||
|
. .env
|
||
|
|
||
|
subdomains=('' mail git forum)
|
||
|
|
||
|
function fatal()
|
||
|
{
|
||
|
echo "fatal: $*" >&2
|
||
|
exit 1
|
||
|
}
|
||
|
|
||
|
function random_passwd()
|
||
|
{
|
||
|
tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 16
|
||
|
}
|
||
|
|
||
|
function wait_for_server()
|
||
|
{
|
||
|
local i
|
||
|
echo "waiting for server to start up..."
|
||
|
for i in {1..30}; do
|
||
|
sleep 1
|
||
|
if curl "http://$BASE_DOMAIN_NAME/" >/dev/null; then
|
||
|
echo "server up"
|
||
|
return
|
||
|
fi
|
||
|
done
|
||
|
fatal "server failed to start up after $i attempts"
|
||
|
}
|
||
|
|
||
|
function retry_if_failed()
|
||
|
{
|
||
|
local retry error_args=": $*"
|
||
|
if [[ "$1" == "-q" ]]; then
|
||
|
error_args=""
|
||
|
shift
|
||
|
fi
|
||
|
for retry in {1..3}; do
|
||
|
if "$@"; then
|
||
|
return
|
||
|
fi
|
||
|
echo "command failed (retry $retry)$error_args" >&2
|
||
|
sleep 2
|
||
|
done
|
||
|
fatal "command failed$error_args"
|
||
|
}
|
||
|
|
||
|
function forgejo()
|
||
|
{
|
||
|
docker run --rm codeberg.org/forgejo/forgejo:7 forgejo "$@"
|
||
|
}
|
||
|
|
||
|
if [[ "$(id -u)" != 0 ]]; then
|
||
|
fatal "must be ran as root"
|
||
|
fi
|
||
|
|
||
|
mkdir -p /var/lib/stalwart-mail
|
||
|
apt-get update -y -q
|
||
|
apt-get install jq -y -q
|
||
|
# force using overlay2 driver so btrfs snapshots will snapshot the entire system and not miss all the docker stuff
|
||
|
mkdir -p /etc/docker
|
||
|
if [[ -f /etc/docker/daemon.json ]]; then
|
||
|
[[ "$(jq -sc '[.[0]?["storage-driver"]?]' < /etc/docker/daemon.json)" == '["overlay2"]' ]] ||
|
||
|
fatal '/etc/docker/daemon.json exists but `storage-driver` is not set to overlay2'
|
||
|
elif [[ "$(dpkg-query -W --showformat='${db:Status-Abbrev}\n' docker.io 2> /dev/null)" =~ ^$|^.[nc]' '$ ]]; then
|
||
|
cat > /etc/docker/daemon.json <<EOF
|
||
|
{
|
||
|
"storage-driver": "overlay2"
|
||
|
}
|
||
|
EOF
|
||
|
else
|
||
|
fatal 'docker.io package is installed but `storage-driver` is not set to overlay2'
|
||
|
fi
|
||
|
apt-get install certbot docker-compose docker.io sudo openssl crudini git ssl-cert -y -q
|
||
|
if ((${#test_ca_list[@]})); then
|
||
|
install -m 644 "${test_ca_list[0]}" /usr/local/share/ca-certificates/test-root.crt
|
||
|
install -m 644 "${test_ca_list[1]}" /usr/local/share/ca-certificates/test-root2.crt
|
||
|
update-ca-certificates
|
||
|
fi
|
||
|
addgroup --gid=1000 git || true
|
||
|
[[ "$(getent group 1000)" =~ ^'git:x:1000:' ]] ||
|
||
|
fatal "some other group has gid 1000, which is needed for the git group"
|
||
|
adduser --system --shell=/bin/bash --gecos 'Git Version Control' --uid=1000 --ingroup=git --disabled-password --home=/var/lib/forgejo git || true
|
||
|
[[ "$(getent passwd 1000)" == 'git:x:1000:1000:Git Version Control,,,:/var/lib/forgejo:/bin/bash' ]] ||
|
||
|
fatal "some other user has gid 1000, which is needed for the git user"
|
||
|
[[ -f ~git/.ssh/id_ed25519 ]] || sudo -u git ssh-keygen -f ~git/.ssh/id_ed25519 -t ed25519 -C "Forgejo Host Key" -N ""
|
||
|
[[ -f ~git/.ssh/authorized_keys ]] || sudo -u git cat ~git/.ssh/id_ed25519.pub | sudo -u git tee ~git/.ssh/authorized_keys
|
||
|
sudo -u git chmod 600 ~git/.ssh/authorized_keys
|
||
|
cat <<"EOF" > /usr/local/bin/gitea
|
||
|
#!/bin/sh
|
||
|
exec ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
|
||
|
EOF
|
||
|
chmod +x /usr/local/bin/gitea
|
||
|
mkdir -p /etc/forgejo
|
||
|
rm -rf /var/www/html
|
||
|
mkdir -p /var/www/html
|
||
|
chown git:git /var/www/html
|
||
|
chmod 775 /var/www/html
|
||
|
(cd /var/www/html && sudo -u git git init --no-initial-branch)
|
||
|
(cd /var/www/html && sudo -u git git remote add -t heads/rendered --mirror=fetch origin /data/git/repositories/libre-chip/website.git)
|
||
|
chown root:git /etc/forgejo
|
||
|
chmod 770 /etc/forgejo
|
||
|
if [[ ! -f /etc/forgejo/app.ini ]]; then
|
||
|
cat <<EOF > /etc/forgejo/app.ini
|
||
|
APP_NAME = Libre-Chip.org
|
||
|
RUN_MODE = prod
|
||
|
RUN_USER = git
|
||
|
WORK_PATH = /data/gitea
|
||
|
|
||
|
[repository]
|
||
|
ROOT = /data/git/repositories
|
||
|
|
||
|
[repository.local]
|
||
|
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
|
||
|
|
||
|
[repository.upload]
|
||
|
TEMP_PATH = /data/gitea/uploads
|
||
|
|
||
|
[server]
|
||
|
APP_DATA_PATH = /data/gitea
|
||
|
DOMAIN = git.$BASE_DOMAIN_NAME
|
||
|
SSH_DOMAIN = git.$BASE_DOMAIN_NAME
|
||
|
HTTP_PORT = 3000
|
||
|
ROOT_URL = https://git.$BASE_DOMAIN_NAME/
|
||
|
DISABLE_SSH = false
|
||
|
SSH_PORT = 22
|
||
|
SSH_LISTEN_PORT = 22
|
||
|
LFS_START_SERVER = true
|
||
|
OFFLINE_MODE = false
|
||
|
LFS_JWT_SECRET = $(forgejo generate secret LFS_JWT_SECRET)
|
||
|
|
||
|
[database]
|
||
|
PATH = /data/gitea/gitea.db
|
||
|
DB_TYPE = sqlite3
|
||
|
HOST = localhost:3306
|
||
|
NAME = gitea
|
||
|
USER = root
|
||
|
PASSWD =
|
||
|
LOG_SQL = false
|
||
|
SCHEMA =
|
||
|
SSL_MODE = disable
|
||
|
|
||
|
[indexer]
|
||
|
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
|
||
|
|
||
|
[session]
|
||
|
PROVIDER_CONFIG = /data/gitea/sessions
|
||
|
PROVIDER = file
|
||
|
|
||
|
[picture]
|
||
|
AVATAR_UPLOAD_PATH = /data/gitea/avatars
|
||
|
REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
|
||
|
|
||
|
[attachment]
|
||
|
PATH = /data/gitea/attachments
|
||
|
|
||
|
[log]
|
||
|
MODE = console
|
||
|
LEVEL = info
|
||
|
ROOT_PATH = /data/gitea/log
|
||
|
|
||
|
[security]
|
||
|
INSTALL_LOCK = true
|
||
|
SECRET_KEY = $(forgejo generate secret SECRET_KEY)
|
||
|
REVERSE_PROXY_LIMIT = 1
|
||
|
REVERSE_PROXY_TRUSTED_PROXIES = *
|
||
|
PASSWORD_HASH_ALGO = pbkdf2_hi
|
||
|
DISABLE_GIT_HOOKS = false
|
||
|
INTERNAL_TOKEN = $(forgejo generate secret INTERNAL_TOKEN)
|
||
|
|
||
|
[service]
|
||
|
DISABLE_REGISTRATION = false
|
||
|
REQUIRE_SIGNIN_VIEW = false
|
||
|
REGISTER_EMAIL_CONFIRM = true
|
||
|
ENABLE_NOTIFY_MAIL = true
|
||
|
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
|
||
|
ENABLE_CAPTCHA = true
|
||
|
DEFAULT_KEEP_EMAIL_PRIVATE = false
|
||
|
DEFAULT_ALLOW_CREATE_ORGANIZATION = false
|
||
|
DEFAULT_ENABLE_TIMETRACKING = true
|
||
|
NO_REPLY_ADDRESS = noreply.$BASE_DOMAIN_NAME
|
||
|
|
||
|
[lfs]
|
||
|
PATH = /data/git/lfs
|
||
|
|
||
|
[mailer]
|
||
|
ENABLED = true
|
||
|
PROTOCOL = smtps
|
||
|
SMTP_ADDR = mail.$BASE_DOMAIN_NAME
|
||
|
SMTP_PORT = 465
|
||
|
FROM = forgejo@$BASE_DOMAIN_NAME
|
||
|
USER = forgejo
|
||
|
PASSWD = $(random_passwd)
|
||
|
|
||
|
[openid]
|
||
|
ENABLE_OPENID_SIGNIN = true
|
||
|
ENABLE_OPENID_SIGNUP = true
|
||
|
|
||
|
[cron.update_checker]
|
||
|
ENABLED = false
|
||
|
|
||
|
[repository.pull-request]
|
||
|
DEFAULT_MERGE_STYLE = merge
|
||
|
|
||
|
[repository.signing]
|
||
|
DEFAULT_TRUST_MODEL = committer
|
||
|
|
||
|
[ssh.minimum_key_sizes]
|
||
|
RSA = 2047
|
||
|
|
||
|
[oauth2]
|
||
|
JWT_SECRET = $(forgejo generate secret JWT_SECRET)
|
||
|
EOF
|
||
|
chown root:git /etc/forgejo/app.ini
|
||
|
chmod 640 /etc/forgejo/app.ini
|
||
|
fi
|
||
|
mkdir -p /var/lib/stalwart-mail/etc
|
||
|
mail_passwd=""
|
||
|
mail_passwd_hash=""
|
||
|
if [[ ! -f /var/lib/stalwart-mail/etc/config.toml ]]; then
|
||
|
mail_passwd="$(random_passwd)"
|
||
|
cat > /var/lib/stalwart-mail/cli.sh <<EOF
|
||
|
mail_passwd="$mail_passwd"
|
||
|
function stalwart-cli()
|
||
|
{
|
||
|
(cd $(pwd) && CREDENTIALS="admin:$mail_passwd" exec docker-compose -p server exec -T -e CREDENTIALS mail stalwart-cli -u "http://localhost" "\$@")
|
||
|
}
|
||
|
EOF
|
||
|
chmod 500 /var/lib/stalwart-mail/cli.sh
|
||
|
mail_passwd_hash="$(echo -n "$mail_passwd" | openssl passwd -6 -stdin)"
|
||
|
cat > /var/lib/stalwart-mail/etc/config.toml <<EOF
|
||
|
[server.listener."smtp"]
|
||
|
bind = ["[::]:25"]
|
||
|
protocol = "smtp"
|
||
|
|
||
|
[server.listener."submission"]
|
||
|
bind = ["[::]:587"]
|
||
|
protocol = "smtp"
|
||
|
|
||
|
[server.listener."submissions"]
|
||
|
bind = ["[::]:465"]
|
||
|
protocol = "smtp"
|
||
|
tls.implicit = true
|
||
|
|
||
|
[server.listener."imaptls"]
|
||
|
bind = ["[::]:993"]
|
||
|
protocol = "imap"
|
||
|
tls.implicit = true
|
||
|
|
||
|
[server.listener.pop3s]
|
||
|
bind = "[::]:995"
|
||
|
protocol = "pop3"
|
||
|
tls.implicit = true
|
||
|
|
||
|
[server.listener.http]
|
||
|
protocol = "http"
|
||
|
bind = "[::]:80"
|
||
|
|
||
|
[server.http]
|
||
|
use-x-forwarded = true
|
||
|
|
||
|
[certificate.default]
|
||
|
cert = "%{file:/etc/letsencrypt/live/server/fullchain.pem}%"
|
||
|
private-key = "%{file:/etc/letsencrypt/live/server/privkey.pem}%"
|
||
|
default = true
|
||
|
|
||
|
[storage]
|
||
|
data = "rocksdb"
|
||
|
fts = "rocksdb"
|
||
|
blob = "rocksdb"
|
||
|
lookup = "rocksdb"
|
||
|
directory = "internal"
|
||
|
|
||
|
[store.rocksdb]
|
||
|
type = "rocksdb"
|
||
|
path = "/opt/stalwart-mail/data"
|
||
|
compression = "lz4"
|
||
|
|
||
|
[directory.internal]
|
||
|
type = "internal"
|
||
|
store = "rocksdb"
|
||
|
|
||
|
[tracer.log]
|
||
|
type = "log"
|
||
|
level = "info"
|
||
|
path = "/opt/stalwart-mail/logs"
|
||
|
prefix = "stalwart.log"
|
||
|
rotate = "daily"
|
||
|
ansi = false
|
||
|
enable = true
|
||
|
|
||
|
[authentication.fallback-admin]
|
||
|
user = "admin"
|
||
|
secret = "$mail_passwd_hash"
|
||
|
|
||
|
[lookup.default]
|
||
|
hostname = "mail.$BASE_DOMAIN_NAME"
|
||
|
|
||
|
[session.auth]
|
||
|
must-match-sender = [ {if = "authenticated_as == 'forum-noreply'", then = false},
|
||
|
{else = true} ]
|
||
|
EOF
|
||
|
chmod 600 /var/lib/stalwart-mail/etc/config.toml
|
||
|
fi
|
||
|
. /var/lib/stalwart-mail/cli.sh
|
||
|
if [[ ! -f /var/discourse/containers/app.yml ]]; then
|
||
|
if [[ ! -d /var/discourse/containers ]]; then
|
||
|
git clone https://github.com/discourse/discourse_docker.git /var/discourse
|
||
|
chmod 700 /var/discourse/containers
|
||
|
fi
|
||
|
forum_smtp_passwd="$(random_passwd)"
|
||
|
cat > /var/discourse/containers/app.yml <<EOF
|
||
|
## this is the all-in-one, standalone Discourse Docker container template
|
||
|
##
|
||
|
## After making changes to this file, you MUST rebuild
|
||
|
## /var/discourse/launcher rebuild app
|
||
|
##
|
||
|
## Based on https://meta.discourse.org/t/run-other-websites-on-the-same-machine-as-discourse/17247
|
||
|
|
||
|
templates:
|
||
|
- "templates/postgres.template.yml"
|
||
|
- "templates/redis.template.yml"
|
||
|
- "templates/web.template.yml"
|
||
|
## Uncomment the next line to enable the IPv6 listener
|
||
|
#- "templates/web.ipv6.template.yml"
|
||
|
- "templates/web.ratelimited.template.yml"
|
||
|
- "templates/web.socketed.template.yml"
|
||
|
## Uncomment these two lines if you wish to add Lets Encrypt (https)
|
||
|
#- "templates/web.ssl.template.yml"
|
||
|
#- "templates/web.letsencrypt.ssl.template.yml"
|
||
|
|
||
|
## which TCP/IP ports should this container expose?
|
||
|
## If you want Discourse to share a port with another webserver like Apache or nginx,
|
||
|
## see https://meta.discourse.org/t/17247 for details
|
||
|
#expose:
|
||
|
# - "80:80" # http
|
||
|
# - "443:443" # https
|
||
|
|
||
|
params:
|
||
|
db_default_text_search_config: "pg_catalog.english"
|
||
|
|
||
|
## Set db_shared_buffers to a max of 25% of the total memory.
|
||
|
## will be set automatically by bootstrap based on detected RAM, or you can override
|
||
|
db_shared_buffers: "512MB"
|
||
|
|
||
|
## can improve sorting performance, but adds memory usage per-connection
|
||
|
#db_work_mem: "40MB"
|
||
|
|
||
|
## Which Git revision should this container use? (default: tests-passed)
|
||
|
#version: tests-passed
|
||
|
|
||
|
env:
|
||
|
LC_ALL: en_US.UTF-8
|
||
|
LANG: en_US.UTF-8
|
||
|
LANGUAGE: en_US.UTF-8
|
||
|
# DISCOURSE_DEFAULT_LOCALE: en
|
||
|
|
||
|
## How many concurrent web requests are supported? Depends on memory and CPU cores.
|
||
|
## will be set automatically by bootstrap based on detected CPUs, or you can override
|
||
|
UNICORN_WORKERS: 4
|
||
|
|
||
|
## TODO: The domain name this Discourse instance will respond to
|
||
|
## Required. Discourse will not work with a bare IP number.
|
||
|
DISCOURSE_HOSTNAME: forum.${BASE_DOMAIN_NAME}
|
||
|
|
||
|
## Uncomment if you want the container to be started with the same
|
||
|
## hostname (-h option) as specified above (default "\$hostname-\$config")
|
||
|
#DOCKER_USE_HOSTNAME: true
|
||
|
|
||
|
## TODO: List of comma delimited emails that will be made admin and developer
|
||
|
## on initial signup example 'user1@example.com,user2@example.com'
|
||
|
DISCOURSE_DEVELOPER_EMAILS: 'postmaster@${BASE_DOMAIN_NAME}'
|
||
|
|
||
|
## TODO: The SMTP mail server used to validate new accounts and send notifications
|
||
|
# SMTP ADDRESS, username, and password are required
|
||
|
# WARNING the char '#' in SMTP password can cause problems!
|
||
|
DISCOURSE_SMTP_ADDRESS: ${BASE_DOMAIN_NAME}
|
||
|
DISCOURSE_SMTP_PORT: 587
|
||
|
DISCOURSE_SMTP_USER_NAME: forum-noreply
|
||
|
DISCOURSE_SMTP_PASSWORD: "${forum_smtp_passwd}"
|
||
|
#DISCOURSE_SMTP_ENABLE_START_TLS: true # (optional, default true)
|
||
|
DISCOURSE_SMTP_DOMAIN: ${BASE_DOMAIN_NAME}
|
||
|
DISCOURSE_NOTIFICATION_EMAIL: forum-noreply@${BASE_DOMAIN_NAME}
|
||
|
|
||
|
## If you added the Lets Encrypt template, uncomment below to get a free SSL certificate
|
||
|
#LETSENCRYPT_ACCOUNT_EMAIL: me@example.com
|
||
|
|
||
|
## The http or https CDN address for this Discourse instance (configured to pull)
|
||
|
## see https://meta.discourse.org/t/14857 for details
|
||
|
#DISCOURSE_CDN_URL: https://discourse-cdn.example.com
|
||
|
|
||
|
## The maxmind geolocation IP account ID and license key for IP address lookups
|
||
|
## see https://meta.discourse.org/t/-/173941 for details
|
||
|
#DISCOURSE_MAXMIND_ACCOUNT_ID: 123456
|
||
|
#DISCOURSE_MAXMIND_LICENSE_KEY: 1234567890123456
|
||
|
|
||
|
## The Docker container is stateless; all data is stored in /shared
|
||
|
volumes:
|
||
|
- volume:
|
||
|
host: /var/discourse/shared/standalone
|
||
|
guest: /shared
|
||
|
- volume:
|
||
|
host: /var/discourse/shared/standalone/log/var-log
|
||
|
guest: /var/log
|
||
|
- volume:
|
||
|
host: /usr/local/share/ca-certificates
|
||
|
guest: /usr/local/share/ca-certificates:ro
|
||
|
|
||
|
## Plugins go here
|
||
|
## see https://meta.discourse.org/t/19157 for details
|
||
|
hooks:
|
||
|
after_code:
|
||
|
- exec:
|
||
|
cd: \$home/plugins
|
||
|
cmd:
|
||
|
- git clone https://github.com/discourse/docker_manager.git
|
||
|
|
||
|
## Any custom commands to run after building
|
||
|
run:
|
||
|
- exec: echo "Beginning of custom commands"
|
||
|
- exec: |-
|
||
|
if rails r 'exit(1) if User.find_by_email("postmaster@${BASE_DOMAIN_NAME}")'; then
|
||
|
rails r "SiteSetting.pop3_polling_openssl_verify = false" || exit
|
||
|
rails site_settings:import <<EOF2 || exit
|
||
|
---
|
||
|
title: Libre-Chip Forum
|
||
|
exclude_rel_nofollow_domains: ${BASE_DOMAIN_NAME}
|
||
|
share_links: email
|
||
|
share_quote_buttons: email
|
||
|
default_dark_mode_color_scheme_id: '1'
|
||
|
enable_badges: 'false'
|
||
|
pending_users_reminder_delay_minutes: '5'
|
||
|
title_prettify: 'false'
|
||
|
title_fancy_entities: 'false'
|
||
|
enable_markdown_typographer: 'false'
|
||
|
highlighted_languages: bash|c|cpp|csharp|css|diff|ini|javascript|json|lua|makefile|markdown|plaintext|python|python-repl|rust|shell|typescript|xml|yaml|wasm|llvm|coq|x86asm|verilog|vhdl|scala
|
||
|
enable_emoji_shortcuts: 'false'
|
||
|
reply_by_email_address: forum+%{reply_key}@${BASE_DOMAIN_NAME}
|
||
|
pop3_polling_period_mins: '1'
|
||
|
pop3_polling_host: ${BASE_DOMAIN_NAME}
|
||
|
pop3_polling_username: forum
|
||
|
pop3_polling_password: ${forum_smtp_passwd}
|
||
|
pop3_polling_enabled: 'true'
|
||
|
reply_by_email_enabled: 'true'
|
||
|
log_mail_processing_failures: 'true'
|
||
|
email_in: 'true'
|
||
|
email_in_allowed_groups: 1|2|0
|
||
|
default_trust_level: '1'
|
||
|
force_https: 'true'
|
||
|
moderators_manage_categories_and_groups: 'true'
|
||
|
moderators_view_emails: 'true'
|
||
|
allowed_iframes: https://www.google.com/maps/embed?|https://www.openstreetmap.org/export/embed.html?|https://calendar.google.com/calendar/embed?|https://codepen.io/|http://forum.${BASE_DOMAIN_NAME}/discobot/certificate.svg|https://forum.${BASE_DOMAIN_NAME}/discobot/certificate.svg
|
||
|
default_navigation_menu_categories: 2|3|4
|
||
|
automatic_backups_enabled: 'false'
|
||
|
sequential_replies_threshold: '4'
|
||
|
get_a_room_threshold: '10000'
|
||
|
default_composer_category: '4'
|
||
|
share_anonymized_statistics: 'false'
|
||
|
default_email_mailing_list_mode: 'true'
|
||
|
disable_mailing_list_mode: 'false'
|
||
|
enable_offline_indicator: 'true'
|
||
|
chat_enabled: 'false'
|
||
|
EOF2
|
||
|
rails r "SiteSetting.pop3_polling_openssl_verify = true" || exit
|
||
|
rails r - <<EOF2 || exit
|
||
|
u = User.new
|
||
|
u.email = "postmaster@${BASE_DOMAIN_NAME}"
|
||
|
u.username = "postmaster"
|
||
|
u.password = "$mail_passwd"
|
||
|
u.name = "Admin User"
|
||
|
u.save!
|
||
|
u.active = true
|
||
|
u.save!
|
||
|
u.grant_admin!
|
||
|
u.change_trust_level!(1) if u.trust_level < 1
|
||
|
u.email_tokens.update_all confirmed: true
|
||
|
u.activate
|
||
|
EOF2
|
||
|
fi
|
||
|
- file:
|
||
|
path: /etc/runit/1.d/000-update-certificates
|
||
|
chmod: "+x"
|
||
|
contents: |
|
||
|
#!/bin/bash
|
||
|
exec update-ca-certificates
|
||
|
- exec: echo "End of custom commands"
|
||
|
EOF
|
||
|
chmod 400 /var/discourse/containers/app.yml
|
||
|
fi
|
||
|
wd="$(pwd)"
|
||
|
if ! [[ "$wd" =~ ^/[-/a-zA-Z0-9_]*$ ]]; then
|
||
|
fatal "invalid characters in current directory: $wd"
|
||
|
fi
|
||
|
nginx_container="$(docker create --rm -v /var/www/.well-known/acme-challenge:/var/www/.well-known/acme-challenge:ro -v "$wd"/http_only_nginx_templates:/etc/nginx/templates:ro -p 80:80 nginx:bookworm)"
|
||
|
docker start "$nginx_container"
|
||
|
trap 'docker stop "$nginx_container"' EXIT
|
||
|
echo "waiting for server to come up..."
|
||
|
for _ in {0..30}; do
|
||
|
sleep 1
|
||
|
if curl "http://$BASE_DOMAIN_NAME/" >/dev/null; then
|
||
|
break
|
||
|
fi
|
||
|
done
|
||
|
echo "server up"
|
||
|
certbot_args=(certonly -n --email "postmaster@$BASE_DOMAIN_NAME" "--server=$ACME_SERVER_URL" --cert-name server --agree-tos --webroot --webroot-path /var/www)
|
||
|
certbot_args+=(--disable-hook-validation --post-hook "cd '$wd' && docker-compose -p server restart")
|
||
|
for subdomain in "${subdomains[@]}"; do
|
||
|
if [[ -n "$subdomain" ]]; then
|
||
|
subdomain+=.
|
||
|
fi
|
||
|
certbot_args+=(-d "$subdomain$BASE_DOMAIN_NAME")
|
||
|
certbot_args+=(-d "$subdomain$ALT_BASE_DOMAIN_NAME")
|
||
|
done
|
||
|
retry_if_failed certbot "${certbot_args[@]}"
|
||
|
trap EXIT
|
||
|
docker stop "$nginx_container"
|
||
|
DOCKER_BUILDKIT=1 docker-compose -p server up -d
|
||
|
sleep 1
|
||
|
if [[ -n "$mail_passwd_hash" ]]; then
|
||
|
forgejo_smtp_passwd="$(crudini --get /etc/forgejo/app.ini mailer PASSWD)"
|
||
|
stalwart-cli domain create "$BASE_DOMAIN_NAME"
|
||
|
curl -u "admin:$mail_passwd" "https://mail.$BASE_DOMAIN_NAME/api/dkim" --data-binary '{"id":null,"algorithm":"Ed25519","domain":"'"$BASE_DOMAIN_NAME"'","selector":null}' > /dev/null
|
||
|
curl -u "admin:$mail_passwd" "https://mail.$BASE_DOMAIN_NAME/api/dkim" --data-binary '{"id":null,"algorithm":"Rsa","domain":"'"$BASE_DOMAIN_NAME"'","selector":null}' > /dev/null
|
||
|
stalwart-cli account create -d 'Admin Account' -i true -a "postmaster@$BASE_DOMAIN_NAME" 'admin' "$mail_passwd"
|
||
|
stalwart-cli account create -d 'Forgejo Server' -i false -a "forgejo@$BASE_DOMAIN_NAME" 'forgejo' "$forgejo_smtp_passwd"
|
||
|
add_postmaster=(docker-compose -p server exec -T -u git forgejo forgejo admin user create --admin --username postmaster --password "$mail_passwd" --email "postmaster@$BASE_DOMAIN_NAME")
|
||
|
retry_if_failed -q "${add_postmaster[@]}"
|
||
|
forum_smtp_passwd="$(sed 's/^ *DISCOURSE_SMTP_PASSWORD: "*\([^"]*\)"$/\1/p; d' < /var/discourse/containers/app.yml)"
|
||
|
[[ -n "$forum_smtp_passwd" ]] || fatal "can't parse smtp password out of /var/discourse/containers/app.yml"
|
||
|
stalwart-cli account create -d 'Forum Replies' -i false -a "@$BASE_DOMAIN_NAME" 'forum' "$forum_smtp_passwd"
|
||
|
stalwart-cli account create -d 'Forum Notifications' -i false -a "forum-noreply@$BASE_DOMAIN_NAME" 'forum-noreply' "$forum_smtp_passwd"
|
||
|
forgejo_api=(retry_if_failed -q curl --fail-with-body -u "postmaster:$mail_passwd" -H 'Accept: application/json' -H 'Content-Type: application/json')
|
||
|
"${forgejo_api[@]}" -X 'POST' "https://git.$BASE_DOMAIN_NAME/api/v1/orgs" -d '{"username": "libre-chip"}' > /dev/null
|
||
|
"${forgejo_api[@]}" -X 'POST' "https://git.$BASE_DOMAIN_NAME/api/v1/orgs/libre-chip/repos" -d '{"name": "website"}' > /dev/null
|
||
|
post_receive_hook="$(jq -csR '{content:.}' <<'EOF'
|
||
|
#!/bin/bash
|
||
|
set -e
|
||
|
cd /var/www/html
|
||
|
env -i PATH="$PATH" git fetch
|
||
|
env -i PATH="$PATH" git checkout -q --detach rendered
|
||
|
EOF
|
||
|
)"
|
||
|
"${forgejo_api[@]}" -X 'PATCH' "https://git.$BASE_DOMAIN_NAME/api/v1/repos/libre-chip/website/hooks/git/post-receive" -d "$post_receive_hook" > /dev/null
|
||
|
fi
|
||
|
(
|
||
|
cd /var/discourse
|
||
|
# must run after starting mail server since it validates POP3
|
||
|
./launcher bootstrap app
|
||
|
./launcher start app
|
||
|
)
|