server-setup/setup.sh

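#!/bin/bash
# Provision the libre-chip.org host: Forgejo (git), Stalwart (mail) and Discourse
# (forum) behind a reverse proxy, with ACME certificates for every host name.
#
# Usage: setup.sh --test|--production
# Must be run as root from the server-setup directory: .env and the
# http_only_nginx_templates directory are resolved relative to the current
# working directory.
set -e
# CA roots to trust system-wide in --test mode only (the test ACME server's
# roots, Pebble's going by the file name). Left empty for production so no
# test root is ever installed there.
test_ca_list=()
case "$1" in
  --test)
    ln -sf test.env .env
    test_ca_list=(test/certs/cur-root.crt test/certs/pebble.minica.pem)
    ;;
  --production)
    ln -sf production.env .env
    ;;
  *)
    echo "usage: $0 --test|--production" >&2
    exit 1
    ;;
esac
# .env is sourced as shell code, so only the checked-in env files should be
# symlinked here. Fail early if it does not define what the rest of the script
# needs; otherwise certbot would be asked for "-d ." and the service URLs
# would be built from an empty domain.
. .env
: "${BASE_DOMAIN_NAME:?must be set in .env}"
: "${ALT_BASE_DOMAIN_NAME:?must be set in .env}"
: "${ACME_SERVER_URL:?must be set in .env}"
# Host labels that get certificates: the apex ('') plus these, on both base domains.
subdomains=('' mail git forum)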
# Report an unrecoverable error on stderr, prefixed with "fatal: ", and
# terminate the script with exit status 1.
fatal()
{
  printf 'fatal: %s\n' "$*" >&2
  exit 1
}
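# Print a 16-character password drawn from [a-zA-Z0-9] (62^16, roughly 95 bits)
# with no trailing newline, using /dev/urandom as the source. LC_ALL=C makes tr
# treat the input as plain bytes so the filtering does not depend on the
# caller's locale. Callers capture the result with $(random_passwd); the
# SIGPIPE tr receives when head closes the pipe is harmless without pipefail.
random_passwd()
{
  LC_ALL=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 16
}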
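# Poll http://$BASE_DOMAIN_NAME/ once a second for up to 30 seconds and return
# as soon as any HTTP response arrives (the status code is not checked, only
# that a response comes back). Aborts via fatal() if nothing answers in time.
# --max-time bounds each probe so a black-holed connection cannot stall the
# loop for curl's far longer default timeout; -s drops the progress meter and
# -o /dev/null discards the body.
# Globals: BASE_DOMAIN_NAME (read).
wait_for_server()
{
  local attempt
  echo "waiting for server to start up..."
  for attempt in {1..30}; do
    sleep 1
    if curl -s -o /dev/null --max-time 5 "http://$BASE_DOMAIN_NAME/"; then
      echo "server up"
      return
    fi
  done
  fatal "server failed to start up after $attempt attempts"
}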
# Run "$@" up to three times, pausing 2 seconds after each failure, and
# return as soon as it succeeds; after the third failure abort via fatal().
# A leading -q suppresses echoing the command line in the failure messages;
# use it whenever the arguments carry credentials.
retry_if_failed()
{
  local attempt shown_cmd
  if [[ "$1" == "-q" ]]; then
    shown_cmd=""
    shift
  else
    shown_cmd=": $*"
  fi
  for attempt in 1 2 3; do
    "$@" && return
    echo "command failed (retry $attempt)$shown_cmd" >&2
    sleep 2
  done
  fatal "command failed$shown_cmd"
}
# Run a one-off `forgejo <args>` CLI command in a throwaway container, so
# secrets can be generated before the real service exists. Output goes to
# stdout and the container is removed afterwards.
# NOTE(review): the tag pins only the major version (7); a digest pin would
# make the provisioning reproducible.
forgejo()
{
  local image=codeberg.org/forgejo/forgejo:7
  docker run --rm "$image" forgejo "$@"
}
# Everything below writes to /etc, /var and the Docker daemon config, so refuse to run unprivileged.
if [[ "$(id -u)" != 0 ]]; then
fatal "must be ran as root"
fi
mkdir -p /var/lib/stalwart-mail
# jq is needed immediately for the daemon.json check; the remaining packages are installed after it.
apt-get update -y -q
apt-get install jq -y -q
# force using overlay2 driver so btrfs snapshots will snapshot the entire system and not miss all the docker stuff
# Three cases: (1) daemon.json exists - it must already select overlay2, otherwise stop rather than
# silently rewrite a live daemon's storage driver; (2) docker.io is not installed (dpkg prints nothing,
# or a status abbreviation whose second letter is n=not-installed or c=config-files) - write the file
# now so the daemon starts with overlay2 when the package is installed below; (3) docker.io is
# installed but has no daemon.json - stop, rather than change the driver under an existing daemon.
mkdir -p /etc/docker
if [[ -f /etc/docker/daemon.json ]]; then
[[ "$(jq -sc '[.[0]?["storage-driver"]?]' < /etc/docker/daemon.json)" == '["overlay2"]' ]] ||
fatal '/etc/docker/daemon.json exists but `storage-driver` is not set to overlay2'
elif [[ "$(dpkg-query -W --showformat='${db:Status-Abbrev}\n' docker.io 2> /dev/null)" =~ ^$|^.[nc]' '$ ]]; then
cat > /etc/docker/daemon.json <<EOF
{
"storage-driver": "overlay2"
}
EOF
else
fatal 'docker.io package is installed but `storage-driver` is not set to overlay2'
fi
apt-get install certbot docker-compose docker.io sudo openssl crudini git ssl-cert -y -q
# --test mode only (test_ca_list is empty otherwise): trust the test PKI roots system-wide so certbot,
# curl and any container that mounts /usr/local/share/ca-certificates accept certificates from the
# test ACME server. This branch must never be reached with a production .env.
if ((${#test_ca_list[@]})); then
install -m 644 "${test_ca_list[0]}" /usr/local/share/ca-certificates/test-root.crt
install -m 644 "${test_ca_list[1]}" /usr/local/share/ca-certificates/test-root2.crt
update-ca-certificates
fi
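# --- git user shared with the Forgejo container ---------------------------------
# The host needs a "git" user and group with uid/gid 1000 (the ids the Forgejo
# container presumably runs as, so files in the shared volumes line up).
# addgroup/adduser are made idempotent with || true; the getent checks abort if
# id 1000 already belongs to something else.
addgroup --gid=1000 git || true
[[ "$(getent group 1000)" =~ ^'git:x:1000:' ]] ||
  fatal "some other group has gid 1000, which is needed for the git group"
adduser --system --shell=/bin/bash --gecos 'Git Version Control' --uid=1000 --ingroup=git --disabled-password --home=/var/lib/forgejo git || true
[[ "$(getent passwd 1000)" == 'git:x:1000:1000:Git Version Control,,,:/var/lib/forgejo:/bin/bash' ]] ||
  fatal "some other user has uid 1000, which is needed for the git user"
# Key pair the host-side SSH shim below uses to reach the container's sshd on
# 127.0.0.1:2222. It is passphrase-less because the shim runs non-interactively;
# its public half is seeded into authorized_keys, which is presumably also
# mounted into the container (compose file not shown here). ssh-keygen does not
# create parent directories, so make sure ~git/.ssh exists with mode 700.
install -d -m 700 -o git -g git ~git/.ssh
[[ -f ~git/.ssh/id_ed25519 ]] || sudo -u git ssh-keygen -f ~git/.ssh/id_ed25519 -t ed25519 -C "Forgejo Host Key" -N ""
[[ -f ~git/.ssh/authorized_keys ]] || sudo -u git cat ~git/.ssh/id_ed25519.pub | sudo -u git tee ~git/.ssh/authorized_keys
sudo -u git chmod 600 ~git/.ssh/authorized_keys
# SSH passthrough shim (the usual Forgejo/Gitea-in-Docker pattern): the host's
# sshd runs it for the command= entries Forgejo adds to authorized_keys, and it
# relays the client's original git command to the container over ssh.
# SSH_ORIGINAL_COMMAND is attacker-controlled (any account with a registered
# key), and the remote side evaluates the whole string with a shell, so it is
# escaped with %q rather than merely wrapped in double quotes: a `"` or `$(...)`
# in the client's command must not be able to break out and run as the
# container's git user. %q output is bash-compatible; the upstream image gives
# the git user a bash login shell - confirm if the image changes.
# StrictHostKeyChecking=no is tolerable only because the target is loopback.
# The heredoc is quoted, so nothing in it expands on the host.
cat <<"EOF" > /usr/local/bin/gitea
#!/bin/bash
printf -v quoted_cmd '%q' "$SSH_ORIGINAL_COMMAND"
exec ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=$quoted_cmd $0 $*"
EOF
chmod +x /usr/local/bin/gitea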
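mkdir -p /etc/forgejo
# Web root for the rendered site: wiped and re-created as an empty repository
# whose "rendered" branch is fetched from the website repo's path inside the
# Forgejo data directory (/data is the container's path, so the post-receive
# hook that updates this checkout has to run where both paths are visible).
# Group-writable so the container's git user (presumably the same uid 1000)
# can check out into it.
rm -rf /var/www/html
mkdir -p /var/www/html
chown git:git /var/www/html
chmod 775 /var/www/html
(cd /var/www/html && sudo -u git git init --no-initial-branch)
(cd /var/www/html && sudo -u git git remote add -t heads/rendered --mirror=fetch origin /data/git/repositories/libre-chip/website.git)
# Config dir readable only by root and the git group; app.ini holds secrets.
chown root:git /etc/forgejo
chmod 770 /etc/forgejo
if [[ ! -f /etc/forgejo/app.ini ]]; then
  # Generate every secret first, as plain assignments. Under `set -e` a failing
  # assignment aborts the script, whereas a failed $(...) embedded in the
  # heredoc below would not (only cat's status counts), leaving an app.ini
  # with empty SECRET_KEY/INTERNAL_TOKEN/JWT secrets and an empty mailer
  # password - and since the file would then exist, it would never be
  # regenerated on later runs.
  lfs_jwt_secret="$(forgejo generate secret LFS_JWT_SECRET)"
  secret_key="$(forgejo generate secret SECRET_KEY)"
  internal_token="$(forgejo generate secret INTERNAL_TOKEN)"
  oauth2_jwt_secret="$(forgejo generate secret JWT_SECRET)"
  forgejo_mail_passwd="$(random_passwd)"
  # Notes on the settings written below:
  # - REVERSE_PROXY_TRUSTED_PROXIES = * trusts X-Forwarded-For from any peer
  #   that can reach port 3000; that is only safe if the reverse proxy is the
  #   sole thing that can reach it (compose networking not shown - verify).
  # - DISABLE_GIT_HOOKS = false is needed for the post-receive hook installed
  #   later via the API, but it lets any Forgejo admin run arbitrary code as
  #   the container's git user.
  # - DISABLE_REGISTRATION = false is balanced by REGISTER_EMAIL_CONFIRM and
  #   ENABLE_CAPTCHA; the SSH shim's input is therefore untrusted.
  # - The [database] HOST/USER/PASSWD/SSL_MODE keys are unused with sqlite3.
  # - ssh.minimum_key_sizes RSA = 2047 presumably admits keys that some clients
  #   report as 2047 bits; in effect a 2048-bit minimum.
  # - The mailer password is later read back out of this file with crudini to
  #   create the matching Stalwart account.
  cat <<EOF > /etc/forgejo/app.ini
APP_NAME = Libre-Chip.org
RUN_MODE = prod
RUN_USER = git
WORK_PATH = /data/gitea
[repository]
ROOT = /data/git/repositories
[repository.local]
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
[repository.upload]
TEMP_PATH = /data/gitea/uploads
[server]
APP_DATA_PATH = /data/gitea
DOMAIN = git.$BASE_DOMAIN_NAME
SSH_DOMAIN = git.$BASE_DOMAIN_NAME
HTTP_PORT = 3000
ROOT_URL = https://git.$BASE_DOMAIN_NAME/
DISABLE_SSH = false
SSH_PORT = 22
SSH_LISTEN_PORT = 22
LFS_START_SERVER = true
OFFLINE_MODE = false
LFS_JWT_SECRET = $lfs_jwt_secret
[database]
PATH = /data/gitea/gitea.db
DB_TYPE = sqlite3
HOST = localhost:3306
NAME = gitea
USER = root
PASSWD =
LOG_SQL = false
SCHEMA =
SSL_MODE = disable
[indexer]
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
[session]
PROVIDER_CONFIG = /data/gitea/sessions
PROVIDER = file
[picture]
AVATAR_UPLOAD_PATH = /data/gitea/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
[attachment]
PATH = /data/gitea/attachments
[log]
MODE = console
LEVEL = info
ROOT_PATH = /data/gitea/log
[security]
INSTALL_LOCK = true
SECRET_KEY = $secret_key
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = *
PASSWORD_HASH_ALGO = pbkdf2_hi
DISABLE_GIT_HOOKS = false
INTERNAL_TOKEN = $internal_token
[service]
DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW = false
REGISTER_EMAIL_CONFIRM = true
ENABLE_NOTIFY_MAIL = true
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = true
DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = false
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = noreply.$BASE_DOMAIN_NAME
[lfs]
PATH = /data/git/lfs
[mailer]
ENABLED = true
PROTOCOL = smtps
SMTP_ADDR = mail.$BASE_DOMAIN_NAME
SMTP_PORT = 465
FROM = forgejo@$BASE_DOMAIN_NAME
USER = forgejo
PASSWD = $forgejo_mail_passwd
[openid]
ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = true
[cron.update_checker]
ENABLED = false
[repository.pull-request]
DEFAULT_MERGE_STYLE = merge
[repository.signing]
DEFAULT_TRUST_MODEL = committer
[ssh.minimum_key_sizes]
RSA = 2047
[oauth2]
JWT_SECRET = $oauth2_jwt_secret
EOF
  chown root:git /etc/forgejo/app.ini
  chmod 640 /etc/forgejo/app.ini
fi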
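mkdir -p /var/lib/stalwart-mail/etc
# Both stay empty on re-runs (config.toml already exists). The first-run
# provisioning later in the script is keyed on mail_passwd_hash being non-empty;
# mail_passwd itself is restored on every run by sourcing cli.sh below.
mail_passwd=""
mail_passwd_hash=""
if [[ ! -f /var/lib/stalwart-mail/etc/config.toml ]]; then
  mail_passwd="$(random_passwd)"
  # cli.sh holds the plaintext admin password and is sourced by this script,
  # so create it root-only *before* writing into it: `cat >` on its own would
  # create it with the default umask (world-readable) until the chmod ran,
  # and /var/lib/stalwart-mail is world-traversable. It defines stalwart-cli(),
  # which execs the CLI inside the "mail" service of this checkout's compose
  # project; $(pwd) is baked in at creation time.
  install -m 500 /dev/null /var/lib/stalwart-mail/cli.sh
  cat > /var/lib/stalwart-mail/cli.sh <<EOF
mail_passwd="$mail_passwd"
function stalwart-cli()
{
(cd $(pwd) && CREDENTIALS="admin:$mail_passwd" exec docker-compose -p server exec -T -e CREDENTIALS mail stalwart-cli -u "http://localhost" "\$@")
}
EOF
  # Same precaution for the config, which carries the admin password hash.
  mail_passwd_hash="$(printf '%s' "$mail_passwd" | openssl passwd -6 -stdin)"
  install -m 600 /dev/null /var/lib/stalwart-mail/etc/config.toml
  # Settings worth knowing about:
  # - Only port 80 is plain HTTP (the admin API is reached through the reverse
  #   proxy at https://mail.$BASE_DOMAIN_NAME); use-x-forwarded = true trusts
  #   X-Forwarded-* headers from anything that can reach that port, so it must
  #   only be reachable from the proxy (compose networking not shown - verify).
  # - TLS material comes from the certbot lineage "server" created later; the
  #   %{file:...}% references are resolved by Stalwart at load time.
  # - must-match-sender: authenticated users may only send as their own
  #   addresses, except forum-noreply - presumably because Discourse, which
  #   logs in as forum-noreply, sends with other From addresses.
  cat > /var/lib/stalwart-mail/etc/config.toml <<EOF
[server.listener."smtp"]
bind = ["[::]:25"]
protocol = "smtp"
[server.listener."submission"]
bind = ["[::]:587"]
protocol = "smtp"
[server.listener."submissions"]
bind = ["[::]:465"]
protocol = "smtp"
tls.implicit = true
[server.listener."imaptls"]
bind = ["[::]:993"]
protocol = "imap"
tls.implicit = true
[server.listener.pop3s]
bind = "[::]:995"
protocol = "pop3"
tls.implicit = true
[server.listener.http]
protocol = "http"
bind = "[::]:80"
[server.http]
use-x-forwarded = true
[certificate.default]
cert = "%{file:/etc/letsencrypt/live/server/fullchain.pem}%"
private-key = "%{file:/etc/letsencrypt/live/server/privkey.pem}%"
default = true
[storage]
data = "rocksdb"
fts = "rocksdb"
blob = "rocksdb"
lookup = "rocksdb"
directory = "internal"
[store.rocksdb]
type = "rocksdb"
path = "/opt/stalwart-mail/data"
compression = "lz4"
[directory.internal]
type = "internal"
store = "rocksdb"
[tracer.log]
type = "log"
level = "info"
path = "/opt/stalwart-mail/logs"
prefix = "stalwart.log"
rotate = "daily"
ansi = false
enable = true
[authentication.fallback-admin]
user = "admin"
secret = "$mail_passwd_hash"
[lookup.default]
hostname = "mail.$BASE_DOMAIN_NAME"
[session.auth]
must-match-sender = [ {if = "authenticated_as == 'forum-noreply'", then = false},
{else = true} ]
EOF
fi
# Provides mail_passwd and stalwart-cli() for the provisioning steps below.
. /var/lib/stalwart-mail/cli.sh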
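# --- Discourse (forum) -----------------------------------------------------------
# discourse_docker is cloned at its current HEAD (unpinned - consider pinning a
# commit) and its standalone template is instantiated once; app.yml is only
# generated when absent. It is a secret-bearing file: it carries the forum
# SMTP/POP3 password and, for the initial admin user, the mail admin password.
if [[ ! -f /var/discourse/containers/app.yml ]]; then
  if [[ ! -d /var/discourse/containers ]]; then
    git clone https://github.com/discourse/discourse_docker.git /var/discourse
    chmod 700 /var/discourse/containers
  fi
  forum_smtp_passwd="$(random_passwd)"
  # Create the file root-only before writing so the secrets never sit in a
  # world-readable file between `cat >` and a later chmod (root can still
  # write to a 0400 file).
  install -m 400 /dev/null /var/discourse/containers/app.yml
  # Unquoted heredoc: ${BASE_DOMAIN_NAME}, ${forum_smtp_passwd} and $mail_passwd
  # expand now; \$home and \$hostname stay literal for the launcher.
  # The `run:` script executes inside the container during bootstrap and does
  # the first-time setup only if the postmaster user does not exist yet. The
  # POP3 verify flag is switched off around the settings import and back on
  # afterwards - presumably because the import validates the POP3 login before
  # the runit hook below has installed the mounted CA certificates (needed for
  # the --test CA).
  cat > /var/discourse/containers/app.yml <<EOF
## this is the all-in-one, standalone Discourse Docker container template
##
## After making changes to this file, you MUST rebuild
## /var/discourse/launcher rebuild app
##
## Based on https://meta.discourse.org/t/run-other-websites-on-the-same-machine-as-discourse/17247
templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  ## Uncomment the next line to enable the IPv6 listener
  #- "templates/web.ipv6.template.yml"
  - "templates/web.ratelimited.template.yml"
  - "templates/web.socketed.template.yml"
## Uncomment these two lines if you wish to add Lets Encrypt (https)
  #- "templates/web.ssl.template.yml"
  #- "templates/web.letsencrypt.ssl.template.yml"
## which TCP/IP ports should this container expose?
## If you want Discourse to share a port with another webserver like Apache or nginx,
## see https://meta.discourse.org/t/17247 for details
#expose:
#  - "80:80"   # http
#  - "443:443" # https
params:
  db_default_text_search_config: "pg_catalog.english"
  ## Set db_shared_buffers to a max of 25% of the total memory.
  ## will be set automatically by bootstrap based on detected RAM, or you can override
  db_shared_buffers: "512MB"
  ## can improve sorting performance, but adds memory usage per-connection
  #db_work_mem: "40MB"
  ## Which Git revision should this container use? (default: tests-passed)
  #version: tests-passed
env:
  LC_ALL: en_US.UTF-8
  LANG: en_US.UTF-8
  LANGUAGE: en_US.UTF-8
  # DISCOURSE_DEFAULT_LOCALE: en
  ## How many concurrent web requests are supported? Depends on memory and CPU cores.
  ## will be set automatically by bootstrap based on detected CPUs, or you can override
  UNICORN_WORKERS: 4
  ## TODO: The domain name this Discourse instance will respond to
  ## Required. Discourse will not work with a bare IP number.
  DISCOURSE_HOSTNAME: forum.${BASE_DOMAIN_NAME}
  ## Uncomment if you want the container to be started with the same
  ## hostname (-h option) as specified above (default "\$hostname-\$config")
  #DOCKER_USE_HOSTNAME: true
  ## TODO: List of comma delimited emails that will be made admin and developer
  ## on initial signup example 'user1@example.com,user2@example.com'
  DISCOURSE_DEVELOPER_EMAILS: 'postmaster@${BASE_DOMAIN_NAME}'
  ## TODO: The SMTP mail server used to validate new accounts and send notifications
  # SMTP ADDRESS, username, and password are required
  # WARNING the char '#' in SMTP password can cause problems!
  DISCOURSE_SMTP_ADDRESS: ${BASE_DOMAIN_NAME}
  DISCOURSE_SMTP_PORT: 587
  DISCOURSE_SMTP_USER_NAME: forum-noreply
  DISCOURSE_SMTP_PASSWORD: "${forum_smtp_passwd}"
  #DISCOURSE_SMTP_ENABLE_START_TLS: true # (optional, default true)
  DISCOURSE_SMTP_DOMAIN: ${BASE_DOMAIN_NAME}
  DISCOURSE_NOTIFICATION_EMAIL: forum-noreply@${BASE_DOMAIN_NAME}
  ## If you added the Lets Encrypt template, uncomment below to get a free SSL certificate
  #LETSENCRYPT_ACCOUNT_EMAIL: me@example.com
  ## The http or https CDN address for this Discourse instance (configured to pull)
  ## see https://meta.discourse.org/t/14857 for details
  #DISCOURSE_CDN_URL: https://discourse-cdn.example.com
  ## The maxmind geolocation IP account ID and license key for IP address lookups
  ## see https://meta.discourse.org/t/-/173941 for details
  #DISCOURSE_MAXMIND_ACCOUNT_ID: 123456
  #DISCOURSE_MAXMIND_LICENSE_KEY: 1234567890123456
## The Docker container is stateless; all data is stored in /shared
volumes:
  - volume:
      host: /var/discourse/shared/standalone
      guest: /shared
  - volume:
      host: /var/discourse/shared/standalone/log/var-log
      guest: /var/log
  - volume:
      host: /usr/local/share/ca-certificates
      guest: /usr/local/share/ca-certificates:ro
## Plugins go here
## see https://meta.discourse.org/t/19157 for details
hooks:
  after_code:
    - exec:
        cd: \$home/plugins
        cmd:
          - git clone https://github.com/discourse/docker_manager.git
## Any custom commands to run after building
run:
  - exec: echo "Beginning of custom commands"
  - exec: |-
      if rails r 'exit(1) if User.find_by_email("postmaster@${BASE_DOMAIN_NAME}")'; then
      rails r "SiteSetting.pop3_polling_openssl_verify = false" || exit
      rails site_settings:import <<EOF2 || exit
      ---
      title: Libre-Chip Forum
      exclude_rel_nofollow_domains: ${BASE_DOMAIN_NAME}
      share_links: email
      share_quote_buttons: email
      default_dark_mode_color_scheme_id: '1'
      enable_badges: 'false'
      pending_users_reminder_delay_minutes: '5'
      title_prettify: 'false'
      title_fancy_entities: 'false'
      enable_markdown_typographer: 'false'
      highlighted_languages: bash|c|cpp|csharp|css|diff|ini|javascript|json|lua|makefile|markdown|plaintext|python|python-repl|rust|shell|typescript|xml|yaml|wasm|llvm|coq|x86asm|verilog|vhdl|scala
      enable_emoji_shortcuts: 'false'
      reply_by_email_address: forum+%{reply_key}@${BASE_DOMAIN_NAME}
      pop3_polling_period_mins: '1'
      pop3_polling_host: ${BASE_DOMAIN_NAME}
      pop3_polling_username: forum
      pop3_polling_password: ${forum_smtp_passwd}
      pop3_polling_enabled: 'true'
      reply_by_email_enabled: 'true'
      log_mail_processing_failures: 'true'
      email_in: 'true'
      email_in_allowed_groups: 1|2|0
      default_trust_level: '1'
      force_https: 'true'
      moderators_manage_categories_and_groups: 'true'
      moderators_view_emails: 'true'
      allowed_iframes: https://www.google.com/maps/embed?|https://www.openstreetmap.org/export/embed.html?|https://calendar.google.com/calendar/embed?|https://codepen.io/|http://forum.${BASE_DOMAIN_NAME}/discobot/certificate.svg|https://forum.${BASE_DOMAIN_NAME}/discobot/certificate.svg
      default_navigation_menu_categories: 2|3|4
      automatic_backups_enabled: 'false'
      sequential_replies_threshold: '4'
      get_a_room_threshold: '10000'
      default_composer_category: '4'
      share_anonymized_statistics: 'false'
      default_email_mailing_list_mode: 'true'
      disable_mailing_list_mode: 'false'
      enable_offline_indicator: 'true'
      chat_enabled: 'false'
      EOF2
      rails r "SiteSetting.pop3_polling_openssl_verify = true" || exit
      rails r - <<EOF2 || exit
      u = User.new
      u.email = "postmaster@${BASE_DOMAIN_NAME}"
      u.username = "postmaster"
      u.password = "$mail_passwd"
      u.name = "Admin User"
      u.save!
      u.active = true
      u.save!
      u.grant_admin!
      u.change_trust_level!(1) if u.trust_level < 1
      u.email_tokens.update_all confirmed: true
      u.activate
      EOF2
      fi
  - file:
      path: /etc/runit/1.d/000-update-certificates
      chmod: "+x"
      contents: |
        #!/bin/bash
        exec update-ca-certificates
  - exec: echo "End of custom commands"
EOF
fi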
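# --- certificates ---------------------------------------------------------------
# The working directory is interpolated into docker bind-mount specs and into
# a certbot hook command string, so restrict it to a conservative character set.
wd="$(pwd)"
if ! [[ "$wd" =~ ^/[-/a-zA-Z0-9_]*$ ]]; then
  fatal "invalid characters in current directory: $wd"
fi
# Temporary HTTP-only nginx serving the ACME webroot on :80 for the initial
# issuance (the real stack needs the certificate to exist before it can start).
# NOTE(review): nginx:bookworm is a floating tag; pin a digest for reproducibility.
nginx_container="$(docker create --rm -v /var/www/.well-known/acme-challenge:/var/www/.well-known/acme-challenge:ro -v "$wd"/http_only_nginx_templates:/etc/nginx/templates:ro -p 80:80 nginx:bookworm)"
docker start "$nginx_container"
# Stop the helper on every exit path, including a fatal() from wait_for_server
# (which replaces an inline copy of the same loop that carried on even when the
# server never answered).
trap 'docker stop "$nginx_container"' EXIT
wait_for_server
# One lineage ("server") for the apex and each subdomain on both base domains.
# --post-hook restarts the compose project on renewal so the services pick up
# the new certificate; --disable-hook-validation is presumably needed because
# the hook starts with the `cd` builtin, which certbot cannot locate as an
# executable when it validates hooks.
certbot_args=(certonly -n --email "postmaster@$BASE_DOMAIN_NAME" "--server=$ACME_SERVER_URL" --cert-name server --agree-tos --webroot --webroot-path /var/www)
certbot_args+=(--disable-hook-validation --post-hook "cd '$wd' && docker-compose -p server restart")
for subdomain in "${subdomains[@]}"; do
  if [[ -n "$subdomain" ]]; then
    subdomain+=.
  fi
  certbot_args+=(-d "$subdomain$BASE_DOMAIN_NAME")
  certbot_args+=(-d "$subdomain$ALT_BASE_DOMAIN_NAME")
done
# Note that each retry against a production ACME server counts toward its rate limits.
retry_if_failed certbot "${certbot_args[@]}"
trap - EXIT
docker stop "$nginx_container"
# Bring up the real stack; the provisioning below talks to it.
DOCKER_BUILDKIT=1 docker-compose -p server up -d
sleep 1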
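# --- first-run provisioning of mail, Forgejo and the website repo ----------------
# Runs only on the invocation that created the Stalwart config (that is when
# mail_passwd_hash is set). The mail admin password doubles as the postmaster
# password for Forgejo and Discourse, so one leaked credential is admin
# everywhere; it is kept in /var/lib/stalwart-mail/cli.sh. Passwords passed
# as command arguments below are briefly visible in the process list;
# retry_if_failed -q keeps them out of the failure messages.
if [[ -n "$mail_passwd_hash" ]]; then
  # Mirror the mailer password Forgejo was configured with into its mail account.
  forgejo_smtp_passwd="$(crudini --get /etc/forgejo/app.ini mailer PASSWD)"
  # The stack was started a second ago; retry while the services finish booting.
  retry_if_failed stalwart-cli domain create "$BASE_DOMAIN_NAME"
  # Generate both DKIM signing keys through the admin API. -f turns an HTTP error
  # status into a command failure (the response body is discarded, so without
  # it a rejected request would silently leave the domain unsigned).
  for dkim_algorithm in Ed25519 Rsa; do
    retry_if_failed -q curl -fsS -u "admin:$mail_passwd" "https://mail.$BASE_DOMAIN_NAME/api/dkim" --data-binary '{"id":null,"algorithm":"'"$dkim_algorithm"'","domain":"'"$BASE_DOMAIN_NAME"'","selector":null}' > /dev/null
  done
  stalwart-cli account create -d 'Admin Account' -i true -a "postmaster@$BASE_DOMAIN_NAME" 'admin' "$mail_passwd"
  stalwart-cli account create -d 'Forgejo Server' -i false -a "forgejo@$BASE_DOMAIN_NAME" 'forgejo' "$forgejo_smtp_passwd"
  add_postmaster=(docker-compose -p server exec -T -u git forgejo forgejo admin user create --admin --username postmaster --password "$mail_passwd" --email "postmaster@$BASE_DOMAIN_NAME")
  retry_if_failed -q "${add_postmaster[@]}"
  # app.yml is the only place the forum password lives. It is a generated file
  # with a known single-line format, hence sed rather than a YAML parser.
  forum_smtp_passwd="$(sed 's/^ *DISCOURSE_SMTP_PASSWORD: "*\([^"]*\)"$/\1/p; d' < /var/discourse/containers/app.yml)"
  [[ -n "$forum_smtp_passwd" ]] || fatal "can't parse smtp password out of /var/discourse/containers/app.yml"
  # "forum" gets the bare @domain address (presumably a catch-all, for the
  # forum+<key>@ reply-by-email addresses); "forum-noreply" is Discourse's
  # SMTP login. Both share the forum password.
  stalwart-cli account create -d 'Forum Replies' -i false -a "@$BASE_DOMAIN_NAME" 'forum' "$forum_smtp_passwd"
  stalwart-cli account create -d 'Forum Notifications' -i false -a "forum-noreply@$BASE_DOMAIN_NAME" 'forum-noreply' "$forum_smtp_passwd"
  forgejo_api=(retry_if_failed -q curl --fail-with-body -u "postmaster:$mail_passwd" -H 'Accept: application/json' -H 'Content-Type: application/json')
  "${forgejo_api[@]}" -X 'POST' "https://git.$BASE_DOMAIN_NAME/api/v1/orgs" -d '{"username": "libre-chip"}' > /dev/null
  "${forgejo_api[@]}" -X 'POST' "https://git.$BASE_DOMAIN_NAME/api/v1/orgs/libre-chip/repos" -d '{"name": "website"}' > /dev/null
  # Server-side post-receive hook for the website repo, installed through the
  # API (requires DISABLE_GIT_HOOKS = false in app.ini). It runs inside the
  # Forgejo container, so /var/www/html must be mounted there too. `env -i`
  # drops the GIT_DIR/GIT_* variables a hook inherits, which would otherwise
  # point these git commands at the pushed repository instead of the web-root
  # checkout. Anyone who can push to "rendered" publishes the website.
  post_receive_hook="$(jq -csR '{content:.}' <<'EOF'
#!/bin/bash
set -e
cd /var/www/html
env -i PATH="$PATH" git fetch
env -i PATH="$PATH" git checkout -q --detach rendered
EOF
  )"
  "${forgejo_api[@]}" -X 'PATCH' "https://git.$BASE_DOMAIN_NAME/api/v1/repos/libre-chip/website/hooks/git/post-receive" -d "$post_receive_hook" > /dev/null
fi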
# Build and start the Discourse container last: `bootstrap` runs the app.yml
# `run:` steps, which talk to the mail server (the POP3 settings are validated
# on import), so Stalwart has to be up already. Each launcher step runs in its
# own subshell so the script's working directory is left untouched.
for launcher_step in bootstrap start; do
  (cd /var/discourse && ./launcher "$launcher_step" app)
done