extract config files out of setup.sh

This commit is contained in:
Jacob Lifshay 2024-07-04 22:03:06 -07:00
parent 41ae856938
commit f6fe57aaf1
Signed by: programmerjake
SSH key fingerprint: SHA256:B1iRVvUJkvd7upMIiMqn6OyxvD2SgJkAH3ZnUOj6z+c
8 changed files with 445 additions and 396 deletions

473
setup.sh
View file

@ -66,27 +66,69 @@ function forgejo()
docker run --rm codeberg.org/forgejo/forgejo:7 forgejo "$@" docker run --rm codeberg.org/forgejo/forgejo:7 forgejo "$@"
} }
function write_config()
{
local src="" dest="" vars="" new_vars=() mode="644" owner="root:root"
while (($#)); do
case "$1" in
--src)
src="$2"
shift 2
;;
--mode)
mode="$2"
shift 2
;;
--owner)
owner="$2"
shift 2
;;
--dest)
dest="$2"
shift 2
;;
--var)
[[ "$2" =~ ^([A-Za-z0-9_]+)= ]] || fatal "invalid --var argument"
vars+="\$${BASH_REMATCH[1]} "
new_vars+=("$2")
shift 2
;;
*)
fatal "write_config: unrecognized argument: $1"
;;
esac
done
: "${src:?missing --src argument}"
local dest_dir temp
dest_dir="$(dirname "${dest:?missing --dest argument}")"
temp="$(umask 577 && mktemp -p "$dest_dir")"
# printf '%q ' env "${new_vars[@]}" envsubst "$vars";
# echo "<" "$src" ">" "$temp"
env "${new_vars[@]}" envsubst "$vars" < "$src" > "$temp" || { rm -f "$temp"; exit 1; }
chmod "$mode" "$temp" || { rm -f "$temp"; exit 1; }
chown "$owner" "$temp" || { rm -f "$temp"; exit 1; }
if mv -n -T "$temp" "$dest"; then
return 0
fi
if diff -u --label="expanded $src" "$temp" "$dest"; then
rm -f "$temp"
return 0
else
rm -f "$temp"
fatal "config file doesn't match generated config for $dest expanded from $src"
fi
}
if [[ "$(id -u)" != 0 ]]; then if [[ "$(id -u)" != 0 ]]; then
fatal "must be ran as root" fatal "must be ran as root"
fi fi
mkdir -p /var/lib/stalwart-mail mkdir -p /var/lib/stalwart-mail
apt-get update -y -q apt-get update -y -q
apt-get install jq -y -q apt-get install jq gettext-base diffutils -y -q
# force using overlay2 driver so btrfs snapshots will snapshot the entire system and not miss all the docker stuff # force using overlay2 driver so btrfs snapshots will snapshot the entire system and not miss all the docker stuff
mkdir -p /etc/docker mkdir -p /etc/docker
if [[ -f /etc/docker/daemon.json ]]; then write_config --src templates/etc/docker/daemon.json --dest /etc/docker/daemon.json
[[ "$(jq -sc '[.[0]?["storage-driver"]?]' < /etc/docker/daemon.json)" == '["overlay2"]' ]] ||
fatal '/etc/docker/daemon.json exists but `storage-driver` is not set to overlay2'
elif [[ "$(dpkg-query -W --showformat='${db:Status-Abbrev}\n' docker.io 2> /dev/null)" =~ ^$|^.[nc]' '$ ]]; then
cat > /etc/docker/daemon.json <<EOF
{
"storage-driver": "overlay2"
}
EOF
else
fatal 'docker.io package is installed but `storage-driver` is not set to overlay2'
fi
apt-get install certbot docker-compose docker.io sudo openssl crudini git ssl-cert -y -q apt-get install certbot docker-compose docker.io sudo openssl crudini git ssl-cert -y -q
if ((${#test_ca_list[@]})); then if ((${#test_ca_list[@]})); then
install -m 644 "${test_ca_list[0]}" /usr/local/share/ca-certificates/test-root.crt install -m 644 "${test_ca_list[0]}" /usr/local/share/ca-certificates/test-root.crt
@ -102,11 +144,7 @@ adduser --system --shell=/bin/bash --gecos 'Git Version Control' --uid=1000 --in
[[ -f ~git/.ssh/id_ed25519 ]] || sudo -u git ssh-keygen -f ~git/.ssh/id_ed25519 -t ed25519 -C "Forgejo Host Key" -N "" [[ -f ~git/.ssh/id_ed25519 ]] || sudo -u git ssh-keygen -f ~git/.ssh/id_ed25519 -t ed25519 -C "Forgejo Host Key" -N ""
[[ -f ~git/.ssh/authorized_keys ]] || sudo -u git cat ~git/.ssh/id_ed25519.pub | sudo -u git tee ~git/.ssh/authorized_keys [[ -f ~git/.ssh/authorized_keys ]] || sudo -u git cat ~git/.ssh/id_ed25519.pub | sudo -u git tee ~git/.ssh/authorized_keys
sudo -u git chmod 600 ~git/.ssh/authorized_keys sudo -u git chmod 600 ~git/.ssh/authorized_keys
cat <<"EOF" > /usr/local/bin/gitea write_config --src templates/usr/local/bin/gitea --dest /usr/local/bin/gitea --mode 755
#!/bin/sh
exec ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
EOF
chmod +x /usr/local/bin/gitea
mkdir -p /etc/forgejo mkdir -p /etc/forgejo
rm -rf /var/www/html rm -rf /var/www/html
mkdir -p /var/www/html mkdir -p /var/www/html
@ -117,206 +155,28 @@ chmod 775 /var/www/html
chown root:git /etc/forgejo chown root:git /etc/forgejo
chmod 770 /etc/forgejo chmod 770 /etc/forgejo
if [[ ! -f /etc/forgejo/app.ini ]]; then if [[ ! -f /etc/forgejo/app.ini ]]; then
cat <<EOF > /etc/forgejo/app.ini write_config --src templates/etc/forgejo/app.ini \
APP_NAME = Libre-Chip.org --dest /etc/forgejo/app.ini --mode 640 --owner root:git \
RUN_MODE = prod --var BASE_DOMAIN_NAME="$BASE_DOMAIN_NAME" \
RUN_USER = git --var SECRET_KEY="$(forgejo generate secret SECRET_KEY)" \
WORK_PATH = /data/gitea --var INTERNAL_TOKEN="$(forgejo generate secret INTERNAL_TOKEN)" \
--var MAIL_PASSWD="$(random_passwd)" \
[repository] --var JWT_SECRET="$(forgejo generate secret JWT_SECRET)" \
ROOT = /data/git/repositories --var LFS_JWT_SECRET="$(forgejo generate secret LFS_JWT_SECRET)"
[repository.local]
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
[repository.upload]
TEMP_PATH = /data/gitea/uploads
[server]
APP_DATA_PATH = /data/gitea
DOMAIN = git.$BASE_DOMAIN_NAME
SSH_DOMAIN = git.$BASE_DOMAIN_NAME
HTTP_PORT = 3000
ROOT_URL = https://git.$BASE_DOMAIN_NAME/
DISABLE_SSH = false
SSH_PORT = 22
SSH_LISTEN_PORT = 22
LFS_START_SERVER = true
OFFLINE_MODE = false
LFS_JWT_SECRET = $(forgejo generate secret LFS_JWT_SECRET)
[database]
PATH = /data/gitea/gitea.db
DB_TYPE = sqlite3
HOST = localhost:3306
NAME = gitea
USER = root
PASSWD =
LOG_SQL = false
SCHEMA =
SSL_MODE = disable
[indexer]
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
[session]
PROVIDER_CONFIG = /data/gitea/sessions
PROVIDER = file
[picture]
AVATAR_UPLOAD_PATH = /data/gitea/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
[attachment]
PATH = /data/gitea/attachments
[log]
MODE = console
LEVEL = info
ROOT_PATH = /data/gitea/log
[security]
INSTALL_LOCK = true
SECRET_KEY = $(forgejo generate secret SECRET_KEY)
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = *
PASSWORD_HASH_ALGO = pbkdf2_hi
DISABLE_GIT_HOOKS = false
INTERNAL_TOKEN = $(forgejo generate secret INTERNAL_TOKEN)
[service]
DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW = false
REGISTER_EMAIL_CONFIRM = true
ENABLE_NOTIFY_MAIL = true
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = true
DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = false
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = noreply.$BASE_DOMAIN_NAME
[lfs]
PATH = /data/git/lfs
[mailer]
ENABLED = true
PROTOCOL = smtps
SMTP_ADDR = mail.$BASE_DOMAIN_NAME
SMTP_PORT = 465
FROM = forgejo@$BASE_DOMAIN_NAME
USER = forgejo
PASSWD = $(random_passwd)
[openid]
ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = true
[cron.update_checker]
ENABLED = false
[repository.pull-request]
DEFAULT_MERGE_STYLE = merge
[repository.signing]
DEFAULT_TRUST_MODEL = committer
[ssh.minimum_key_sizes]
RSA = 2047
[oauth2]
JWT_SECRET = $(forgejo generate secret JWT_SECRET)
EOF
chown root:git /etc/forgejo/app.ini
chmod 640 /etc/forgejo/app.ini
fi fi
mkdir -p /var/lib/stalwart-mail/etc mkdir -p /var/lib/stalwart-mail/etc
mail_passwd="" mail_passwd=""
mail_passwd_hash="" mail_passwd_hash=""
if [[ ! -f /var/lib/stalwart-mail/etc/config.toml ]]; then if [[ ! -f /var/lib/stalwart-mail/etc/config.toml ]]; then
mail_passwd="$(random_passwd)" mail_passwd="$(random_passwd)"
cat > /var/lib/stalwart-mail/cli.sh <<EOF write_config --src templates/var/lib/stalwart-mail/cli.sh \
mail_passwd="$mail_passwd" --dest /var/lib/stalwart-mail/cli.sh --mode 400 \
function stalwart-cli() --var wd="$(pwd)" --var mail_passwd="$mail_passwd"
{
(cd $(pwd) && CREDENTIALS="admin:$mail_passwd" exec docker-compose -p server exec -T -e CREDENTIALS mail stalwart-cli -u "http://localhost" "\$@")
}
EOF
chmod 500 /var/lib/stalwart-mail/cli.sh
mail_passwd_hash="$(echo -n "$mail_passwd" | openssl passwd -6 -stdin)" mail_passwd_hash="$(echo -n "$mail_passwd" | openssl passwd -6 -stdin)"
cat > /var/lib/stalwart-mail/etc/config.toml <<EOF write_config --src templates/var/lib/stalwart-mail/etc/config.toml \
[server.listener."smtp"] --dest /var/lib/stalwart-mail/etc/config.toml --mode 600 \
bind = ["[::]:25"] --var mail_passwd_hash="$mail_passwd_hash" \
protocol = "smtp" --var BASE_DOMAIN_NAME="$BASE_DOMAIN_NAME"
[server.listener."submission"]
bind = ["[::]:587"]
protocol = "smtp"
[server.listener."submissions"]
bind = ["[::]:465"]
protocol = "smtp"
tls.implicit = true
[server.listener."imaptls"]
bind = ["[::]:993"]
protocol = "imap"
tls.implicit = true
[server.listener.pop3s]
bind = "[::]:995"
protocol = "pop3"
tls.implicit = true
[server.listener.http]
protocol = "http"
bind = "[::]:80"
[server.http]
use-x-forwarded = true
[certificate.default]
cert = "%{file:/etc/letsencrypt/live/server/fullchain.pem}%"
private-key = "%{file:/etc/letsencrypt/live/server/privkey.pem}%"
default = true
[storage]
data = "rocksdb"
fts = "rocksdb"
blob = "rocksdb"
lookup = "rocksdb"
directory = "internal"
[store.rocksdb]
type = "rocksdb"
path = "/opt/stalwart-mail/data"
compression = "lz4"
[directory.internal]
type = "internal"
store = "rocksdb"
[tracer.log]
type = "log"
level = "info"
path = "/opt/stalwart-mail/logs"
prefix = "stalwart.log"
rotate = "daily"
ansi = false
enable = true
[authentication.fallback-admin]
user = "admin"
secret = "$mail_passwd_hash"
[lookup.default]
hostname = "mail.$BASE_DOMAIN_NAME"
[session.auth]
must-match-sender = [ {if = "authenticated_as == 'forum-noreply'", then = false},
{else = true} ]
EOF
chmod 600 /var/lib/stalwart-mail/etc/config.toml
fi fi
. /var/lib/stalwart-mail/cli.sh . /var/lib/stalwart-mail/cli.sh
if [[ ! -f /var/discourse/containers/app.yml ]]; then if [[ ! -f /var/discourse/containers/app.yml ]]; then
@ -325,183 +185,11 @@ if [[ ! -f /var/discourse/containers/app.yml ]]; then
chmod 700 /var/discourse/containers chmod 700 /var/discourse/containers
fi fi
forum_smtp_passwd="$(random_passwd)" forum_smtp_passwd="$(random_passwd)"
cat > /var/discourse/containers/app.yml <<EOF write_config --src templates/var/discourse/containers/app.yml \
## this is the all-in-one, standalone Discourse Docker container template --dest /var/discourse/containers/app.yml --mode 400 \
## --var BASE_DOMAIN_NAME="$BASE_DOMAIN_NAME" \
## After making changes to this file, you MUST rebuild --var forum_smtp_passwd="$forum_smtp_passwd" \
## /var/discourse/launcher rebuild app --var mail_passwd="$mail_passwd"
##
## Based on https://meta.discourse.org/t/run-other-websites-on-the-same-machine-as-discourse/17247
templates:
- "templates/postgres.template.yml"
- "templates/redis.template.yml"
- "templates/web.template.yml"
## Uncomment the next line to enable the IPv6 listener
#- "templates/web.ipv6.template.yml"
- "templates/web.ratelimited.template.yml"
- "templates/web.socketed.template.yml"
## Uncomment these two lines if you wish to add Lets Encrypt (https)
#- "templates/web.ssl.template.yml"
#- "templates/web.letsencrypt.ssl.template.yml"
## which TCP/IP ports should this container expose?
## If you want Discourse to share a port with another webserver like Apache or nginx,
## see https://meta.discourse.org/t/17247 for details
#expose:
# - "80:80" # http
# - "443:443" # https
params:
db_default_text_search_config: "pg_catalog.english"
## Set db_shared_buffers to a max of 25% of the total memory.
## will be set automatically by bootstrap based on detected RAM, or you can override
db_shared_buffers: "512MB"
## can improve sorting performance, but adds memory usage per-connection
#db_work_mem: "40MB"
## Which Git revision should this container use? (default: tests-passed)
#version: tests-passed
env:
LC_ALL: en_US.UTF-8
LANG: en_US.UTF-8
LANGUAGE: en_US.UTF-8
# DISCOURSE_DEFAULT_LOCALE: en
## How many concurrent web requests are supported? Depends on memory and CPU cores.
## will be set automatically by bootstrap based on detected CPUs, or you can override
UNICORN_WORKERS: 4
## TODO: The domain name this Discourse instance will respond to
## Required. Discourse will not work with a bare IP number.
DISCOURSE_HOSTNAME: forum.${BASE_DOMAIN_NAME}
## Uncomment if you want the container to be started with the same
## hostname (-h option) as specified above (default "\$hostname-\$config")
#DOCKER_USE_HOSTNAME: true
## TODO: List of comma delimited emails that will be made admin and developer
## on initial signup example 'user1@example.com,user2@example.com'
DISCOURSE_DEVELOPER_EMAILS: 'postmaster@${BASE_DOMAIN_NAME}'
## TODO: The SMTP mail server used to validate new accounts and send notifications
# SMTP ADDRESS, username, and password are required
# WARNING the char '#' in SMTP password can cause problems!
DISCOURSE_SMTP_ADDRESS: ${BASE_DOMAIN_NAME}
DISCOURSE_SMTP_PORT: 587
DISCOURSE_SMTP_USER_NAME: forum-noreply
DISCOURSE_SMTP_PASSWORD: "${forum_smtp_passwd}"
#DISCOURSE_SMTP_ENABLE_START_TLS: true # (optional, default true)
DISCOURSE_SMTP_DOMAIN: ${BASE_DOMAIN_NAME}
DISCOURSE_NOTIFICATION_EMAIL: forum-noreply@${BASE_DOMAIN_NAME}
## If you added the Lets Encrypt template, uncomment below to get a free SSL certificate
#LETSENCRYPT_ACCOUNT_EMAIL: me@example.com
## The http or https CDN address for this Discourse instance (configured to pull)
## see https://meta.discourse.org/t/14857 for details
#DISCOURSE_CDN_URL: https://discourse-cdn.example.com
## The maxmind geolocation IP account ID and license key for IP address lookups
## see https://meta.discourse.org/t/-/173941 for details
#DISCOURSE_MAXMIND_ACCOUNT_ID: 123456
#DISCOURSE_MAXMIND_LICENSE_KEY: 1234567890123456
## The Docker container is stateless; all data is stored in /shared
volumes:
- volume:
host: /var/discourse/shared/standalone
guest: /shared
- volume:
host: /var/discourse/shared/standalone/log/var-log
guest: /var/log
- volume:
host: /usr/local/share/ca-certificates
guest: /usr/local/share/ca-certificates:ro
## Plugins go here
## see https://meta.discourse.org/t/19157 for details
hooks:
after_code:
- exec:
cd: \$home/plugins
cmd:
- git clone https://github.com/discourse/docker_manager.git
## Any custom commands to run after building
run:
- exec: echo "Beginning of custom commands"
- exec: |-
if rails r 'exit(1) if User.find_by_email("postmaster@${BASE_DOMAIN_NAME}")'; then
rails r "SiteSetting.pop3_polling_openssl_verify = false" || exit
rails site_settings:import <<EOF2 || exit
---
title: Libre-Chip Forum
exclude_rel_nofollow_domains: ${BASE_DOMAIN_NAME}
share_links: email
share_quote_buttons: email
default_dark_mode_color_scheme_id: '1'
enable_badges: 'false'
pending_users_reminder_delay_minutes: '5'
title_prettify: 'false'
title_fancy_entities: 'false'
enable_markdown_typographer: 'false'
highlighted_languages: bash|c|cpp|csharp|css|diff|ini|javascript|json|lua|makefile|markdown|plaintext|python|python-repl|rust|shell|typescript|xml|yaml|wasm|llvm|coq|x86asm|verilog|vhdl|scala
enable_emoji_shortcuts: 'false'
reply_by_email_address: forum+%{reply_key}@${BASE_DOMAIN_NAME}
pop3_polling_period_mins: '1'
pop3_polling_host: ${BASE_DOMAIN_NAME}
pop3_polling_username: forum
pop3_polling_password: ${forum_smtp_passwd}
pop3_polling_enabled: 'true'
reply_by_email_enabled: 'true'
log_mail_processing_failures: 'true'
email_in: 'true'
email_in_allowed_groups: 1|2|0
default_trust_level: '1'
force_https: 'true'
moderators_manage_categories_and_groups: 'true'
moderators_view_emails: 'true'
allowed_iframes: https://www.google.com/maps/embed?|https://www.openstreetmap.org/export/embed.html?|https://calendar.google.com/calendar/embed?|https://codepen.io/|http://forum.${BASE_DOMAIN_NAME}/discobot/certificate.svg|https://forum.${BASE_DOMAIN_NAME}/discobot/certificate.svg
default_navigation_menu_categories: 2|3|4
automatic_backups_enabled: 'false'
sequential_replies_threshold: '4'
get_a_room_threshold: '10000'
default_composer_category: '4'
share_anonymized_statistics: 'false'
default_email_mailing_list_mode: 'true'
disable_mailing_list_mode: 'false'
enable_offline_indicator: 'true'
chat_enabled: 'false'
EOF2
rails r "SiteSetting.pop3_polling_openssl_verify = true" || exit
rails r - <<EOF2 || exit
u = User.new
u.email = "postmaster@${BASE_DOMAIN_NAME}"
u.username = "postmaster"
u.password = "$mail_passwd"
u.name = "Admin User"
u.save!
u.active = true
u.save!
u.grant_admin!
u.change_trust_level!(1) if u.trust_level < 1
u.email_tokens.update_all confirmed: true
u.activate
EOF2
fi
- file:
path: /etc/runit/1.d/000-update-certificates
chmod: "+x"
contents: |
#!/bin/bash
exec update-ca-certificates
- exec: echo "End of custom commands"
EOF
chmod 400 /var/discourse/containers/app.yml
fi fi
wd="$(pwd)" wd="$(pwd)"
if ! [[ "$wd" =~ ^/[-/a-zA-Z0-9_]*$ ]]; then if ! [[ "$wd" =~ ^/[-/a-zA-Z0-9_]*$ ]]; then
@ -548,14 +236,7 @@ if [[ -n "$mail_passwd_hash" ]]; then
forgejo_api=(retry_if_failed -q curl --fail-with-body -u "postmaster:$mail_passwd" -H 'Accept: application/json' -H 'Content-Type: application/json') forgejo_api=(retry_if_failed -q curl --fail-with-body -u "postmaster:$mail_passwd" -H 'Accept: application/json' -H 'Content-Type: application/json')
"${forgejo_api[@]}" -X 'POST' "https://git.$BASE_DOMAIN_NAME/api/v1/orgs" -d '{"username": "libre-chip"}' > /dev/null "${forgejo_api[@]}" -X 'POST' "https://git.$BASE_DOMAIN_NAME/api/v1/orgs" -d '{"username": "libre-chip"}' > /dev/null
"${forgejo_api[@]}" -X 'POST' "https://git.$BASE_DOMAIN_NAME/api/v1/orgs/libre-chip/repos" -d '{"name": "website"}' > /dev/null "${forgejo_api[@]}" -X 'POST' "https://git.$BASE_DOMAIN_NAME/api/v1/orgs/libre-chip/repos" -d '{"name": "website"}' > /dev/null
post_receive_hook="$(jq -csR '{content:.}' <<'EOF' post_receive_hook="$(jq -csR '{content:.}' < website_git_post_receive_hook.sh)"
#!/bin/bash
set -e
cd /var/www/html
env -i PATH="$PATH" git fetch
env -i PATH="$PATH" git checkout -q --detach rendered
EOF
)"
"${forgejo_api[@]}" -X 'PATCH' "https://git.$BASE_DOMAIN_NAME/api/v1/repos/libre-chip/website/hooks/git/post-receive" -d "$post_receive_hook" > /dev/null "${forgejo_api[@]}" -X 'PATCH' "https://git.$BASE_DOMAIN_NAME/api/v1/repos/libre-chip/website/hooks/git/post-receive" -d "$post_receive_hook" > /dev/null
fi fi
( (

View file

@ -0,0 +1,3 @@
{
"storage-driver": "overlay2"
}

View file

@ -0,0 +1,108 @@
APP_NAME = Libre-Chip.org
RUN_MODE = prod
RUN_USER = git
WORK_PATH = /data/gitea
[repository]
ROOT = /data/git/repositories
[repository.local]
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
[repository.upload]
TEMP_PATH = /data/gitea/uploads
[server]
APP_DATA_PATH = /data/gitea
DOMAIN = git.$BASE_DOMAIN_NAME
SSH_DOMAIN = git.$BASE_DOMAIN_NAME
HTTP_PORT = 3000
ROOT_URL = https://git.$BASE_DOMAIN_NAME/
DISABLE_SSH = false
SSH_PORT = 22
SSH_LISTEN_PORT = 22
LFS_START_SERVER = true
OFFLINE_MODE = false
LFS_JWT_SECRET = $(forgejo generate secret LFS_JWT_SECRET)
[database]
PATH = /data/gitea/gitea.db
DB_TYPE = sqlite3
HOST = localhost:3306
NAME = gitea
USER = root
PASSWD =
LOG_SQL = false
SCHEMA =
SSL_MODE = disable
[indexer]
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
[session]
PROVIDER_CONFIG = /data/gitea/sessions
PROVIDER = file
[picture]
AVATAR_UPLOAD_PATH = /data/gitea/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
[attachment]
PATH = /data/gitea/attachments
[log]
MODE = console
LEVEL = info
ROOT_PATH = /data/gitea/log
[security]
INSTALL_LOCK = true
SECRET_KEY = $SECRET_KEY
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = *
PASSWORD_HASH_ALGO = pbkdf2_hi
DISABLE_GIT_HOOKS = false
INTERNAL_TOKEN = $INTERNAL_TOKEN
[service]
DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW = false
REGISTER_EMAIL_CONFIRM = true
ENABLE_NOTIFY_MAIL = true
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = true
DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = false
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = noreply.$BASE_DOMAIN_NAME
[lfs]
PATH = /data/git/lfs
[mailer]
ENABLED = true
PROTOCOL = smtps
SMTP_ADDR = mail.$BASE_DOMAIN_NAME
SMTP_PORT = 465
FROM = forgejo@$BASE_DOMAIN_NAME
USER = forgejo
PASSWD = $MAIL_PASSWD
[openid]
ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = true
[cron.update_checker]
ENABLED = false
[repository.pull-request]
DEFAULT_MERGE_STYLE = merge
[repository.signing]
DEFAULT_TRUST_MODEL = committer
[ssh.minimum_key_sizes]
RSA = 2047
[oauth2]
JWT_SECRET = $JWT_SECRET

View file

@ -0,0 +1,3 @@
#!/bin/bash
printf -v args '%q ' "$SSH_ORIGINAL_COMMAND" "$0" "$@"
exec ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=$args"

View file

@ -0,0 +1,174 @@
## this is the all-in-one, standalone Discourse Docker container template
##
## After making changes to this file, you MUST rebuild
## /var/discourse/launcher rebuild app
##
## Based on https://meta.discourse.org/t/run-other-websites-on-the-same-machine-as-discourse/17247
templates:
- "templates/postgres.template.yml"
- "templates/redis.template.yml"
- "templates/web.template.yml"
## Uncomment the next line to enable the IPv6 listener
#- "templates/web.ipv6.template.yml"
- "templates/web.ratelimited.template.yml"
- "templates/web.socketed.template.yml"
## Uncomment these two lines if you wish to add Lets Encrypt (https)
#- "templates/web.ssl.template.yml"
#- "templates/web.letsencrypt.ssl.template.yml"
## which TCP/IP ports should this container expose?
## If you want Discourse to share a port with another webserver like Apache or nginx,
## see https://meta.discourse.org/t/17247 for details
#expose:
# - "80:80" # http
# - "443:443" # https
params:
db_default_text_search_config: "pg_catalog.english"
## Set db_shared_buffers to a max of 25% of the total memory.
## will be set automatically by bootstrap based on detected RAM, or you can override
db_shared_buffers: "512MB"
## can improve sorting performance, but adds memory usage per-connection
#db_work_mem: "40MB"
## Which Git revision should this container use? (default: tests-passed)
#version: tests-passed
env:
LC_ALL: en_US.UTF-8
LANG: en_US.UTF-8
LANGUAGE: en_US.UTF-8
# DISCOURSE_DEFAULT_LOCALE: en
## How many concurrent web requests are supported? Depends on memory and CPU cores.
## will be set automatically by bootstrap based on detected CPUs, or you can override
UNICORN_WORKERS: 4
## TODO: The domain name this Discourse instance will respond to
## Required. Discourse will not work with a bare IP number.
DISCOURSE_HOSTNAME: forum.${BASE_DOMAIN_NAME}
## Uncomment if you want the container to be started with the same
## hostname (-h option) as specified above (default "$hostname-$config")
#DOCKER_USE_HOSTNAME: true
## TODO: List of comma delimited emails that will be made admin and developer
## on initial signup example 'user1@example.com,user2@example.com'
DISCOURSE_DEVELOPER_EMAILS: 'postmaster@${BASE_DOMAIN_NAME}'
## TODO: The SMTP mail server used to validate new accounts and send notifications
# SMTP ADDRESS, username, and password are required
# WARNING the char '#' in SMTP password can cause problems!
DISCOURSE_SMTP_ADDRESS: ${BASE_DOMAIN_NAME}
DISCOURSE_SMTP_PORT: 587
DISCOURSE_SMTP_USER_NAME: forum-noreply
DISCOURSE_SMTP_PASSWORD: "${forum_smtp_passwd}"
#DISCOURSE_SMTP_ENABLE_START_TLS: true # (optional, default true)
DISCOURSE_SMTP_DOMAIN: ${BASE_DOMAIN_NAME}
DISCOURSE_NOTIFICATION_EMAIL: forum-noreply@${BASE_DOMAIN_NAME}
## If you added the Lets Encrypt template, uncomment below to get a free SSL certificate
#LETSENCRYPT_ACCOUNT_EMAIL: me@example.com
## The http or https CDN address for this Discourse instance (configured to pull)
## see https://meta.discourse.org/t/14857 for details
#DISCOURSE_CDN_URL: https://discourse-cdn.example.com
## The maxmind geolocation IP account ID and license key for IP address lookups
## see https://meta.discourse.org/t/-/173941 for details
#DISCOURSE_MAXMIND_ACCOUNT_ID: 123456
#DISCOURSE_MAXMIND_LICENSE_KEY: 1234567890123456
## The Docker container is stateless; all data is stored in /shared
volumes:
- volume:
host: /var/discourse/shared/standalone
guest: /shared
- volume:
host: /var/discourse/shared/standalone/log/var-log
guest: /var/log
- volume:
host: /usr/local/share/ca-certificates
guest: /usr/local/share/ca-certificates:ro
## Plugins go here
## see https://meta.discourse.org/t/19157 for details
hooks:
after_code:
- exec:
cd: $home/plugins
cmd:
- git clone https://github.com/discourse/docker_manager.git
## Any custom commands to run after building
run:
- exec: echo "Beginning of custom commands"
- exec: |-
if rails r 'exit(1) if User.find_by_email("postmaster@${BASE_DOMAIN_NAME}")'; then
rails r "SiteSetting.pop3_polling_openssl_verify = false" || exit
rails site_settings:import <<EOF2 || exit
---
title: Libre-Chip Forum
exclude_rel_nofollow_domains: ${BASE_DOMAIN_NAME}
share_links: email
share_quote_buttons: email
default_dark_mode_color_scheme_id: '1'
enable_badges: 'false'
pending_users_reminder_delay_minutes: '5'
title_prettify: 'false'
title_fancy_entities: 'false'
enable_markdown_typographer: 'false'
highlighted_languages: bash|c|cpp|csharp|css|diff|ini|javascript|json|lua|makefile|markdown|plaintext|python|python-repl|rust|shell|typescript|xml|yaml|wasm|llvm|coq|x86asm|verilog|vhdl|scala
enable_emoji_shortcuts: 'false'
reply_by_email_address: forum+%{reply_key}@${BASE_DOMAIN_NAME}
pop3_polling_period_mins: '1'
pop3_polling_host: ${BASE_DOMAIN_NAME}
pop3_polling_username: forum
pop3_polling_password: ${forum_smtp_passwd}
pop3_polling_enabled: 'true'
reply_by_email_enabled: 'true'
log_mail_processing_failures: 'true'
email_in: 'true'
email_in_allowed_groups: 1|2|0
default_trust_level: '1'
force_https: 'true'
moderators_manage_categories_and_groups: 'true'
moderators_view_emails: 'true'
allowed_iframes: https://www.google.com/maps/embed?|https://www.openstreetmap.org/export/embed.html?|https://calendar.google.com/calendar/embed?|https://codepen.io/|http://forum.${BASE_DOMAIN_NAME}/discobot/certificate.svg|https://forum.${BASE_DOMAIN_NAME}/discobot/certificate.svg
default_navigation_menu_categories: 2|3|4
automatic_backups_enabled: 'false'
sequential_replies_threshold: '4'
get_a_room_threshold: '10000'
default_composer_category: '4'
share_anonymized_statistics: 'false'
default_email_mailing_list_mode: 'true'
disable_mailing_list_mode: 'false'
enable_offline_indicator: 'true'
chat_enabled: 'false'
EOF2
rails r "SiteSetting.pop3_polling_openssl_verify = true" || exit
rails r - <<EOF2 || exit
u = User.new
u.email = "postmaster@${BASE_DOMAIN_NAME}"
u.username = "postmaster"
u.password = "$mail_passwd"
u.name = "Admin User"
u.save!
u.active = true
u.save!
u.grant_admin!
u.change_trust_level!(1) if u.trust_level < 1
u.email_tokens.update_all confirmed: true
u.activate
EOF2
fi
- file:
path: /etc/runit/1.d/000-update-certificates
chmod: "+x"
contents: |
#!/bin/bash
exec update-ca-certificates
- exec: echo "End of custom commands"

View file

@ -0,0 +1,5 @@
mail_passwd="$mail_passwd"
function stalwart-cli()
{
(cd "$wd" && CREDENTIALS="admin:$mail_passwd" exec docker-compose -p server exec -T -e CREDENTIALS mail stalwart-cli -u "http://localhost" "$@")
}

View file

@ -0,0 +1,70 @@
[server.listener."smtp"]
bind = ["[::]:25"]
protocol = "smtp"
[server.listener."submission"]
bind = ["[::]:587"]
protocol = "smtp"
[server.listener."submissions"]
bind = ["[::]:465"]
protocol = "smtp"
tls.implicit = true
[server.listener."imaptls"]
bind = ["[::]:993"]
protocol = "imap"
tls.implicit = true
[server.listener.pop3s]
bind = "[::]:995"
protocol = "pop3"
tls.implicit = true
[server.listener.http]
protocol = "http"
bind = "[::]:80"
[server.http]
use-x-forwarded = true
[certificate.default]
cert = "%{file:/etc/letsencrypt/live/server/fullchain.pem}%"
private-key = "%{file:/etc/letsencrypt/live/server/privkey.pem}%"
default = true
[storage]
data = "rocksdb"
fts = "rocksdb"
blob = "rocksdb"
lookup = "rocksdb"
directory = "internal"
[store.rocksdb]
type = "rocksdb"
path = "/opt/stalwart-mail/data"
compression = "lz4"
[directory.internal]
type = "internal"
store = "rocksdb"
[tracer.log]
type = "log"
level = "info"
path = "/opt/stalwart-mail/logs"
prefix = "stalwart.log"
rotate = "daily"
ansi = false
enable = true
[authentication.fallback-admin]
user = "admin"
secret = "$mail_passwd_hash"
[lookup.default]
hostname = "mail.$BASE_DOMAIN_NAME"
[session.auth]
must-match-sender = [ {if = "authenticated_as == 'forum-noreply'", then = false},
{else = true} ]

View file

@ -0,0 +1,5 @@
#!/bin/bash
set -e
cd /var/www/html
env -i PATH="$PATH" git fetch
env -i PATH="$PATH" git checkout -q --detach rendered