extract config files out of setup.sh

2024-07-04 22:03:06 -07:00 · 2024-07-04 22:03:06 -07:00 · f6fe57aaf1
parent 41ae856938
commit f6fe57aaf1
8 changed files with 445 additions and 396 deletions
--- a/setup.sh
+++ b/setup.sh
@ -66,27 +66,69 @@ function forgejo()
    docker run --rm codeberg.org/forgejo/forgejo:7 forgejo "$@"
 }
 function write_config()
 {
    local src="" dest="" vars="" new_vars=() mode="644" owner="root:root"
    while (($#)); do
        case "$1" in
        --src)
            src="$2"
            shift 2
            ;;
        --mode)
            mode="$2"
            shift 2
            ;;
        --owner)
            owner="$2"
            shift 2
            ;;
        --dest)
            dest="$2"
            shift 2
            ;;
        --var)
            [[ "$2" =~ ^([A-Za-z0-9_]+)= ]] || fatal "invalid --var argument"
            vars+="\$${BASH_REMATCH[1]} "
            new_vars+=("$2")
            shift 2
            ;;
        *)
            fatal "write_config: unrecognized argument: $1"
            ;;
        esac
    done
    : "${src:?missing --src argument}"
    local dest_dir temp
    dest_dir="$(dirname "${dest:?missing --dest argument}")"
    temp="$(umask 577 && mktemp -p "$dest_dir")"
    # printf '%q ' env "${new_vars[@]}" envsubst "$vars";
    # echo "<" "$src" ">" "$temp"
    env "${new_vars[@]}" envsubst "$vars" < "$src" > "$temp" || { rm -f "$temp"; exit 1; }
    chmod "$mode" "$temp" || { rm -f "$temp"; exit 1; }
    chown "$owner" "$temp" || { rm -f "$temp"; exit 1; }
    if mv -n -T "$temp" "$dest"; then
        return 0
    fi
    if diff -u --label="expanded $src" "$temp" "$dest"; then
        rm -f "$temp"
        return 0
    else
        rm -f "$temp"
        fatal "config file doesn't match generated config for $dest expanded from $src"
    fi
 }
 if [[ "$(id -u)" != 0 ]]; then
    fatal "must be ran as root"
 fi
 mkdir -p /var/lib/stalwart-mail
 apt-get update -y -q
-apt-get install jq -y -q
+apt-get install jq gettext-base diffutils -y -q
 # force using overlay2 driver so btrfs snapshots will snapshot the entire system and not miss all the docker stuff
 mkdir -p /etc/docker
-if [[ -f /etc/docker/daemon.json ]]; then
+write_config --src templates/etc/docker/daemon.json --dest /etc/docker/daemon.json
    [[ "$(jq -sc '[.[0]?["storage-driver"]?]' < /etc/docker/daemon.json)" == '["overlay2"]' ]] ||
        fatal '/etc/docker/daemon.json exists but `storage-driver` is not set to overlay2'
 elif [[ "$(dpkg-query -W --showformat='${db:Status-Abbrev}\n' docker.io 2> /dev/null)" =~ ^$|^.[nc]' '$ ]]; then
    cat > /etc/docker/daemon.json <<EOF
 {
    "storage-driver": "overlay2"
 }
 EOF
 else
    fatal 'docker.io package is installed but `storage-driver` is not set to overlay2'
 fi
 apt-get install certbot docker-compose docker.io sudo openssl crudini git ssl-cert -y -q
 if ((${#test_ca_list[@]})); then
    install -m 644 "${test_ca_list[0]}" /usr/local/share/ca-certificates/test-root.crt
@ -102,11 +144,7 @@ adduser --system --shell=/bin/bash --gecos 'Git Version Control' --uid=1000 --in
 [[ -f ~git/.ssh/id_ed25519 ]] || sudo -u git ssh-keygen -f ~git/.ssh/id_ed25519 -t ed25519 -C "Forgejo Host Key" -N ""
 [[ -f ~git/.ssh/authorized_keys ]] || sudo -u git cat ~git/.ssh/id_ed25519.pub | sudo -u git tee ~git/.ssh/authorized_keys
 sudo -u git chmod 600 ~git/.ssh/authorized_keys
-cat <<"EOF" > /usr/local/bin/gitea
+write_config --src templates/usr/local/bin/gitea --dest /usr/local/bin/gitea --mode 755
 #!/bin/sh
 exec ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
 EOF
 chmod +x /usr/local/bin/gitea
 mkdir -p /etc/forgejo
 rm -rf /var/www/html
 mkdir -p /var/www/html
@ -117,206 +155,28 @@ chmod 775 /var/www/html
 chown root:git /etc/forgejo
 chmod 770 /etc/forgejo
 if [[ ! -f /etc/forgejo/app.ini ]]; then
-    cat <<EOF > /etc/forgejo/app.ini
+    write_config --src templates/etc/forgejo/app.ini \
-APP_NAME = Libre-Chip.org
+        --dest /etc/forgejo/app.ini --mode 640 --owner root:git \
-RUN_MODE = prod
+        --var BASE_DOMAIN_NAME="$BASE_DOMAIN_NAME" \
-RUN_USER = git
+        --var SECRET_KEY="$(forgejo generate secret SECRET_KEY)" \
-WORK_PATH = /data/gitea
+        --var INTERNAL_TOKEN="$(forgejo generate secret INTERNAL_TOKEN)" \
-
+        --var MAIL_PASSWD="$(random_passwd)" \
-[repository]
+        --var JWT_SECRET="$(forgejo generate secret JWT_SECRET)" \
-ROOT = /data/git/repositories
+        --var LFS_JWT_SECRET="$(forgejo generate secret LFS_JWT_SECRET)"
 [repository.local]
 LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
 [repository.upload]
 TEMP_PATH = /data/gitea/uploads
 [server]
 APP_DATA_PATH = /data/gitea
 DOMAIN = git.$BASE_DOMAIN_NAME
 SSH_DOMAIN = git.$BASE_DOMAIN_NAME
 HTTP_PORT = 3000
 ROOT_URL = https://git.$BASE_DOMAIN_NAME/
 DISABLE_SSH = false
 SSH_PORT = 22
 SSH_LISTEN_PORT = 22
 LFS_START_SERVER = true
 OFFLINE_MODE = false
 LFS_JWT_SECRET = $(forgejo generate secret LFS_JWT_SECRET)
 [database]
 PATH = /data/gitea/gitea.db
 DB_TYPE = sqlite3
 HOST = localhost:3306
 NAME = gitea
 USER = root
 PASSWD = 
 LOG_SQL = false
 SCHEMA = 
 SSL_MODE = disable
 [indexer]
 ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
 [session]
 PROVIDER_CONFIG = /data/gitea/sessions
 PROVIDER = file
 [picture]
 AVATAR_UPLOAD_PATH = /data/gitea/avatars
 REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
 [attachment]
 PATH = /data/gitea/attachments
 [log]
 MODE = console
 LEVEL = info
 ROOT_PATH = /data/gitea/log
 [security]
 INSTALL_LOCK = true
 SECRET_KEY = $(forgejo generate secret SECRET_KEY)
 REVERSE_PROXY_LIMIT = 1
 REVERSE_PROXY_TRUSTED_PROXIES = *
 PASSWORD_HASH_ALGO = pbkdf2_hi
 DISABLE_GIT_HOOKS = false
 INTERNAL_TOKEN = $(forgejo generate secret INTERNAL_TOKEN)
 [service]
 DISABLE_REGISTRATION = false
 REQUIRE_SIGNIN_VIEW = false
 REGISTER_EMAIL_CONFIRM = true
 ENABLE_NOTIFY_MAIL = true
 ALLOW_ONLY_EXTERNAL_REGISTRATION = false
 ENABLE_CAPTCHA = true
 DEFAULT_KEEP_EMAIL_PRIVATE = false
 DEFAULT_ALLOW_CREATE_ORGANIZATION = false
 DEFAULT_ENABLE_TIMETRACKING = true
 NO_REPLY_ADDRESS = noreply.$BASE_DOMAIN_NAME
 [lfs]
 PATH = /data/git/lfs
 [mailer]
 ENABLED = true
 PROTOCOL = smtps
 SMTP_ADDR = mail.$BASE_DOMAIN_NAME
 SMTP_PORT = 465
 FROM = forgejo@$BASE_DOMAIN_NAME
 USER = forgejo
 PASSWD = $(random_passwd)
 [openid]
 ENABLE_OPENID_SIGNIN = true
 ENABLE_OPENID_SIGNUP = true
 [cron.update_checker]
 ENABLED = false
 [repository.pull-request]
 DEFAULT_MERGE_STYLE = merge
 [repository.signing]
 DEFAULT_TRUST_MODEL = committer
 [ssh.minimum_key_sizes]
 RSA = 2047
 [oauth2]
 JWT_SECRET = $(forgejo generate secret JWT_SECRET)
 EOF
    chown root:git /etc/forgejo/app.ini
    chmod 640 /etc/forgejo/app.ini
 fi
 mkdir -p /var/lib/stalwart-mail/etc
 mail_passwd=""
 mail_passwd_hash=""
 if [[ ! -f /var/lib/stalwart-mail/etc/config.toml ]]; then
    mail_passwd="$(random_passwd)"
-    cat > /var/lib/stalwart-mail/cli.sh <<EOF
+    write_config --src templates/var/lib/stalwart-mail/cli.sh \
-mail_passwd="$mail_passwd"
+        --dest /var/lib/stalwart-mail/cli.sh --mode 400 \
-function stalwart-cli()
+        --var wd="$(pwd)" --var mail_passwd="$mail_passwd"
 {
    (cd $(pwd) && CREDENTIALS="admin:$mail_passwd" exec docker-compose -p server exec -T -e CREDENTIALS mail stalwart-cli -u "http://localhost" "\$@")
 }
 EOF
    chmod 500 /var/lib/stalwart-mail/cli.sh
    mail_passwd_hash="$(echo -n "$mail_passwd" | openssl passwd -6 -stdin)"
-    cat > /var/lib/stalwart-mail/etc/config.toml <<EOF
+    write_config --src templates/var/lib/stalwart-mail/etc/config.toml \
-[server.listener."smtp"]
+        --dest /var/lib/stalwart-mail/etc/config.toml --mode 600 \
-bind = ["[::]:25"]
+        --var mail_passwd_hash="$mail_passwd_hash" \
-protocol = "smtp"
+        --var BASE_DOMAIN_NAME="$BASE_DOMAIN_NAME"
 [server.listener."submission"]
 bind = ["[::]:587"]
 protocol = "smtp"
 [server.listener."submissions"]
 bind = ["[::]:465"]
 protocol = "smtp"
 tls.implicit = true
 [server.listener."imaptls"]
 bind = ["[::]:993"]
 protocol = "imap"
 tls.implicit = true
 [server.listener.pop3s]
 bind = "[::]:995"
 protocol = "pop3"
 tls.implicit = true
 [server.listener.http]
 protocol = "http"
 bind = "[::]:80"
 [server.http]
 use-x-forwarded = true
 [certificate.default]
 cert = "%{file:/etc/letsencrypt/live/server/fullchain.pem}%"
 private-key = "%{file:/etc/letsencrypt/live/server/privkey.pem}%"
 default = true
 [storage]
 data = "rocksdb"
 fts = "rocksdb"
 blob = "rocksdb"
 lookup = "rocksdb"
 directory = "internal"
 [store.rocksdb]
 type = "rocksdb"
 path = "/opt/stalwart-mail/data"
 compression = "lz4"
 [directory.internal]
 type = "internal"
 store = "rocksdb"
 [tracer.log]
 type = "log"
 level = "info"
 path = "/opt/stalwart-mail/logs"
 prefix = "stalwart.log"
 rotate = "daily"
 ansi = false
 enable = true
 [authentication.fallback-admin]
 user = "admin"
 secret = "$mail_passwd_hash"
 [lookup.default]
 hostname = "mail.$BASE_DOMAIN_NAME"
 [session.auth]
 must-match-sender = [ {if = "authenticated_as == 'forum-noreply'", then = false},
                      {else = true} ]
 EOF
    chmod 600 /var/lib/stalwart-mail/etc/config.toml
 fi
 . /var/lib/stalwart-mail/cli.sh
 if [[ ! -f /var/discourse/containers/app.yml ]]; then
@ -325,183 +185,11 @@ if [[ ! -f /var/discourse/containers/app.yml ]]; then
        chmod 700 /var/discourse/containers
    fi
    forum_smtp_passwd="$(random_passwd)"
-    cat > /var/discourse/containers/app.yml <<EOF
+    write_config --src templates/var/discourse/containers/app.yml \
-## this is the all-in-one, standalone Discourse Docker container template
+        --dest /var/discourse/containers/app.yml --mode 400 \
-##
+        --var BASE_DOMAIN_NAME="$BASE_DOMAIN_NAME" \
-## After making changes to this file, you MUST rebuild
+        --var forum_smtp_passwd="$forum_smtp_passwd" \
-## /var/discourse/launcher rebuild app
+        --var mail_passwd="$mail_passwd"
 ##
 ## Based on https://meta.discourse.org/t/run-other-websites-on-the-same-machine-as-discourse/17247
 templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  ## Uncomment the next line to enable the IPv6 listener
  #- "templates/web.ipv6.template.yml"
  - "templates/web.ratelimited.template.yml"
  - "templates/web.socketed.template.yml"
  ## Uncomment these two lines if you wish to add Lets Encrypt (https)
  #- "templates/web.ssl.template.yml"
  #- "templates/web.letsencrypt.ssl.template.yml"
 ## which TCP/IP ports should this container expose?
 ## If you want Discourse to share a port with another webserver like Apache or nginx,
 ## see https://meta.discourse.org/t/17247 for details
 #expose:
 #  - "80:80"   # http
 #  - "443:443" # https
 params:
  db_default_text_search_config: "pg_catalog.english"
  ## Set db_shared_buffers to a max of 25% of the total memory.
  ## will be set automatically by bootstrap based on detected RAM, or you can override
  db_shared_buffers: "512MB"
  ## can improve sorting performance, but adds memory usage per-connection
  #db_work_mem: "40MB"
  ## Which Git revision should this container use? (default: tests-passed)
  #version: tests-passed
 env:
  LC_ALL: en_US.UTF-8
  LANG: en_US.UTF-8
  LANGUAGE: en_US.UTF-8
  # DISCOURSE_DEFAULT_LOCALE: en
  ## How many concurrent web requests are supported? Depends on memory and CPU cores.
  ## will be set automatically by bootstrap based on detected CPUs, or you can override
  UNICORN_WORKERS: 4
  ## TODO: The domain name this Discourse instance will respond to
  ## Required. Discourse will not work with a bare IP number.
  DISCOURSE_HOSTNAME: forum.${BASE_DOMAIN_NAME}
  ## Uncomment if you want the container to be started with the same
  ## hostname (-h option) as specified above (default "\$hostname-\$config")
  #DOCKER_USE_HOSTNAME: true
  ## TODO: List of comma delimited emails that will be made admin and developer
  ## on initial signup example 'user1@example.com,user2@example.com'
  DISCOURSE_DEVELOPER_EMAILS: 'postmaster@${BASE_DOMAIN_NAME}'
  ## TODO: The SMTP mail server used to validate new accounts and send notifications
  # SMTP ADDRESS, username, and password are required
  # WARNING the char '#' in SMTP password can cause problems!
  DISCOURSE_SMTP_ADDRESS: ${BASE_DOMAIN_NAME}
  DISCOURSE_SMTP_PORT: 587
  DISCOURSE_SMTP_USER_NAME: forum-noreply
  DISCOURSE_SMTP_PASSWORD: "${forum_smtp_passwd}"
  #DISCOURSE_SMTP_ENABLE_START_TLS: true           # (optional, default true)
  DISCOURSE_SMTP_DOMAIN: ${BASE_DOMAIN_NAME}
  DISCOURSE_NOTIFICATION_EMAIL: forum-noreply@${BASE_DOMAIN_NAME}
  ## If you added the Lets Encrypt template, uncomment below to get a free SSL certificate
  #LETSENCRYPT_ACCOUNT_EMAIL: me@example.com
  ## The http or https CDN address for this Discourse instance (configured to pull)
  ## see https://meta.discourse.org/t/14857 for details
  #DISCOURSE_CDN_URL: https://discourse-cdn.example.com
  ## The maxmind geolocation IP account ID and license key for IP address lookups
  ## see https://meta.discourse.org/t/-/173941 for details
  #DISCOURSE_MAXMIND_ACCOUNT_ID: 123456
  #DISCOURSE_MAXMIND_LICENSE_KEY: 1234567890123456
 ## The Docker container is stateless; all data is stored in /shared
 volumes:
  - volume:
      host: /var/discourse/shared/standalone
      guest: /shared
  - volume:
      host: /var/discourse/shared/standalone/log/var-log
      guest: /var/log
  - volume:
      host: /usr/local/share/ca-certificates
      guest: /usr/local/share/ca-certificates:ro
 ## Plugins go here
 ## see https://meta.discourse.org/t/19157 for details
 hooks:
  after_code:
    - exec:
        cd: \$home/plugins
        cmd:
          - git clone https://github.com/discourse/docker_manager.git
 ## Any custom commands to run after building
 run:
  - exec: echo "Beginning of custom commands"
  - exec: |-
      if rails r 'exit(1) if User.find_by_email("postmaster@${BASE_DOMAIN_NAME}")'; then
          rails r "SiteSetting.pop3_polling_openssl_verify = false" || exit
          rails site_settings:import <<EOF2 || exit
      ---
      title: Libre-Chip Forum
      exclude_rel_nofollow_domains: ${BASE_DOMAIN_NAME}
      share_links: email
      share_quote_buttons: email
      default_dark_mode_color_scheme_id: '1'
      enable_badges: 'false'
      pending_users_reminder_delay_minutes: '5'
      title_prettify: 'false'
      title_fancy_entities: 'false'
      enable_markdown_typographer: 'false'
      highlighted_languages: bash|c|cpp|csharp|css|diff|ini|javascript|json|lua|makefile|markdown|plaintext|python|python-repl|rust|shell|typescript|xml|yaml|wasm|llvm|coq|x86asm|verilog|vhdl|scala
      enable_emoji_shortcuts: 'false'
      reply_by_email_address: forum+%{reply_key}@${BASE_DOMAIN_NAME}
      pop3_polling_period_mins: '1'
      pop3_polling_host: ${BASE_DOMAIN_NAME}
      pop3_polling_username: forum
      pop3_polling_password: ${forum_smtp_passwd}
      pop3_polling_enabled: 'true'
      reply_by_email_enabled: 'true'
      log_mail_processing_failures: 'true'
      email_in: 'true'
      email_in_allowed_groups: 1|2|0
      default_trust_level: '1'
      force_https: 'true'
      moderators_manage_categories_and_groups: 'true'
      moderators_view_emails: 'true'
      allowed_iframes: https://www.google.com/maps/embed?|https://www.openstreetmap.org/export/embed.html?|https://calendar.google.com/calendar/embed?|https://codepen.io/|http://forum.${BASE_DOMAIN_NAME}/discobot/certificate.svg|https://forum.${BASE_DOMAIN_NAME}/discobot/certificate.svg
      default_navigation_menu_categories: 2|3|4
      automatic_backups_enabled: 'false'
      sequential_replies_threshold: '4'
      get_a_room_threshold: '10000'
      default_composer_category: '4'
      share_anonymized_statistics: 'false'
      default_email_mailing_list_mode: 'true'
      disable_mailing_list_mode: 'false'
      enable_offline_indicator: 'true'
      chat_enabled: 'false'
      EOF2
          rails r "SiteSetting.pop3_polling_openssl_verify = true" || exit
          rails r - <<EOF2 || exit
      u = User.new
      u.email = "postmaster@${BASE_DOMAIN_NAME}"
      u.username = "postmaster"
      u.password = "$mail_passwd"
      u.name = "Admin User"
      u.save!
      u.active = true
      u.save!
      u.grant_admin!
      u.change_trust_level!(1) if u.trust_level < 1
      u.email_tokens.update_all confirmed: true
      u.activate
      EOF2
      fi
  - file:
      path: /etc/runit/1.d/000-update-certificates
      chmod: "+x"
      contents: |
        #!/bin/bash
        exec update-ca-certificates
  - exec: echo "End of custom commands"
 EOF
    chmod 400 /var/discourse/containers/app.yml
 fi
 wd="$(pwd)"
 if ! [[ "$wd" =~ ^/[-/a-zA-Z0-9_]*$ ]]; then
@ -548,14 +236,7 @@ if [[ -n "$mail_passwd_hash" ]]; then
    forgejo_api=(retry_if_failed -q curl --fail-with-body -u "postmaster:$mail_passwd" -H 'Accept: application/json' -H 'Content-Type: application/json')
    "${forgejo_api[@]}" -X 'POST' "https://git.$BASE_DOMAIN_NAME/api/v1/orgs" -d '{"username": "libre-chip"}' > /dev/null
    "${forgejo_api[@]}" -X 'POST' "https://git.$BASE_DOMAIN_NAME/api/v1/orgs/libre-chip/repos" -d '{"name": "website"}' > /dev/null
-    post_receive_hook="$(jq -csR '{content:.}' <<'EOF'
+    post_receive_hook="$(jq -csR '{content:.}' < website_git_post_receive_hook.sh)"
 #!/bin/bash
 set -e
 cd /var/www/html
 env -i PATH="$PATH" git fetch
 env -i PATH="$PATH" git checkout -q --detach rendered
 EOF
    )"
    "${forgejo_api[@]}" -X 'PATCH' "https://git.$BASE_DOMAIN_NAME/api/v1/repos/libre-chip/website/hooks/git/post-receive" -d "$post_receive_hook" > /dev/null
 fi
 (
--- a/templates/etc/docker/daemon.json
+++ b/templates/etc/docker/daemon.json
@ -0,0 +1,3 @@
 {
    "storage-driver": "overlay2"
 }
--- a/templates/etc/forgejo/app.ini
+++ b/templates/etc/forgejo/app.ini
@ -0,0 +1,108 @@
 APP_NAME = Libre-Chip.org
 RUN_MODE = prod
 RUN_USER = git
 WORK_PATH = /data/gitea
 [repository]
 ROOT = /data/git/repositories
 [repository.local]
 LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
 [repository.upload]
 TEMP_PATH = /data/gitea/uploads
 [server]
 APP_DATA_PATH = /data/gitea
 DOMAIN = git.$BASE_DOMAIN_NAME
 SSH_DOMAIN = git.$BASE_DOMAIN_NAME
 HTTP_PORT = 3000
 ROOT_URL = https://git.$BASE_DOMAIN_NAME/
 DISABLE_SSH = false
 SSH_PORT = 22
 SSH_LISTEN_PORT = 22
 LFS_START_SERVER = true
 OFFLINE_MODE = false
 LFS_JWT_SECRET = $(forgejo generate secret LFS_JWT_SECRET)
 [database]
 PATH = /data/gitea/gitea.db
 DB_TYPE = sqlite3
 HOST = localhost:3306
 NAME = gitea
 USER = root
 PASSWD = 
 LOG_SQL = false
 SCHEMA = 
 SSL_MODE = disable
 [indexer]
 ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
 [session]
 PROVIDER_CONFIG = /data/gitea/sessions
 PROVIDER = file
 [picture]
 AVATAR_UPLOAD_PATH = /data/gitea/avatars
 REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
 [attachment]
 PATH = /data/gitea/attachments
 [log]
 MODE = console
 LEVEL = info
 ROOT_PATH = /data/gitea/log
 [security]
 INSTALL_LOCK = true
 SECRET_KEY = $SECRET_KEY
 REVERSE_PROXY_LIMIT = 1
 REVERSE_PROXY_TRUSTED_PROXIES = *
 PASSWORD_HASH_ALGO = pbkdf2_hi
 DISABLE_GIT_HOOKS = false
 INTERNAL_TOKEN = $INTERNAL_TOKEN
 [service]
 DISABLE_REGISTRATION = false
 REQUIRE_SIGNIN_VIEW = false
 REGISTER_EMAIL_CONFIRM = true
 ENABLE_NOTIFY_MAIL = true
 ALLOW_ONLY_EXTERNAL_REGISTRATION = false
 ENABLE_CAPTCHA = true
 DEFAULT_KEEP_EMAIL_PRIVATE = false
 DEFAULT_ALLOW_CREATE_ORGANIZATION = false
 DEFAULT_ENABLE_TIMETRACKING = true
 NO_REPLY_ADDRESS = noreply.$BASE_DOMAIN_NAME
 [lfs]
 PATH = /data/git/lfs
 [mailer]
 ENABLED = true
 PROTOCOL = smtps
 SMTP_ADDR = mail.$BASE_DOMAIN_NAME
 SMTP_PORT = 465
 FROM = forgejo@$BASE_DOMAIN_NAME
 USER = forgejo
 PASSWD = $MAIL_PASSWD
 [openid]
 ENABLE_OPENID_SIGNIN = true
 ENABLE_OPENID_SIGNUP = true
 [cron.update_checker]
 ENABLED = false
 [repository.pull-request]
 DEFAULT_MERGE_STYLE = merge
 [repository.signing]
 DEFAULT_TRUST_MODEL = committer
 [ssh.minimum_key_sizes]
 RSA = 2047
 [oauth2]
 JWT_SECRET = $JWT_SECRET
--- a/templates/usr/local/bin/gitea
+++ b/templates/usr/local/bin/gitea
@ -0,0 +1,3 @@
 #!/bin/bash
 printf -v args '%q ' "$SSH_ORIGINAL_COMMAND" "$0" "$@"
 exec ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=$args"
--- a/templates/var/discourse/containers/app.yml
+++ b/templates/var/discourse/containers/app.yml
@ -0,0 +1,174 @@
 ## this is the all-in-one, standalone Discourse Docker container template
 ##
 ## After making changes to this file, you MUST rebuild
 ## /var/discourse/launcher rebuild app
 ##
 ## Based on https://meta.discourse.org/t/run-other-websites-on-the-same-machine-as-discourse/17247
 templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  ## Uncomment the next line to enable the IPv6 listener
  #- "templates/web.ipv6.template.yml"
  - "templates/web.ratelimited.template.yml"
  - "templates/web.socketed.template.yml"
  ## Uncomment these two lines if you wish to add Lets Encrypt (https)
  #- "templates/web.ssl.template.yml"
  #- "templates/web.letsencrypt.ssl.template.yml"
 ## which TCP/IP ports should this container expose?
 ## If you want Discourse to share a port with another webserver like Apache or nginx,
 ## see https://meta.discourse.org/t/17247 for details
 #expose:
 #  - "80:80"   # http
 #  - "443:443" # https
 params:
  db_default_text_search_config: "pg_catalog.english"
  ## Set db_shared_buffers to a max of 25% of the total memory.
  ## will be set automatically by bootstrap based on detected RAM, or you can override
  db_shared_buffers: "512MB"
  ## can improve sorting performance, but adds memory usage per-connection
  #db_work_mem: "40MB"
  ## Which Git revision should this container use? (default: tests-passed)
  #version: tests-passed
 env:
  LC_ALL: en_US.UTF-8
  LANG: en_US.UTF-8
  LANGUAGE: en_US.UTF-8
  # DISCOURSE_DEFAULT_LOCALE: en
  ## How many concurrent web requests are supported? Depends on memory and CPU cores.
  ## will be set automatically by bootstrap based on detected CPUs, or you can override
  UNICORN_WORKERS: 4
  ## TODO: The domain name this Discourse instance will respond to
  ## Required. Discourse will not work with a bare IP number.
  DISCOURSE_HOSTNAME: forum.${BASE_DOMAIN_NAME}
  ## Uncomment if you want the container to be started with the same
  ## hostname (-h option) as specified above (default "$hostname-$config")
  #DOCKER_USE_HOSTNAME: true
  ## TODO: List of comma delimited emails that will be made admin and developer
  ## on initial signup example 'user1@example.com,user2@example.com'
  DISCOURSE_DEVELOPER_EMAILS: 'postmaster@${BASE_DOMAIN_NAME}'
  ## TODO: The SMTP mail server used to validate new accounts and send notifications
  # SMTP ADDRESS, username, and password are required
  # WARNING the char '#' in SMTP password can cause problems!
  DISCOURSE_SMTP_ADDRESS: ${BASE_DOMAIN_NAME}
  DISCOURSE_SMTP_PORT: 587
  DISCOURSE_SMTP_USER_NAME: forum-noreply
  DISCOURSE_SMTP_PASSWORD: "${forum_smtp_passwd}"
  #DISCOURSE_SMTP_ENABLE_START_TLS: true           # (optional, default true)
  DISCOURSE_SMTP_DOMAIN: ${BASE_DOMAIN_NAME}
  DISCOURSE_NOTIFICATION_EMAIL: forum-noreply@${BASE_DOMAIN_NAME}
  ## If you added the Lets Encrypt template, uncomment below to get a free SSL certificate
  #LETSENCRYPT_ACCOUNT_EMAIL: me@example.com
  ## The http or https CDN address for this Discourse instance (configured to pull)
  ## see https://meta.discourse.org/t/14857 for details
  #DISCOURSE_CDN_URL: https://discourse-cdn.example.com
  ## The maxmind geolocation IP account ID and license key for IP address lookups
  ## see https://meta.discourse.org/t/-/173941 for details
  #DISCOURSE_MAXMIND_ACCOUNT_ID: 123456
  #DISCOURSE_MAXMIND_LICENSE_KEY: 1234567890123456
 ## The Docker container is stateless; all data is stored in /shared
 volumes:
  - volume:
      host: /var/discourse/shared/standalone
      guest: /shared
  - volume:
      host: /var/discourse/shared/standalone/log/var-log
      guest: /var/log
  - volume:
      host: /usr/local/share/ca-certificates
      guest: /usr/local/share/ca-certificates:ro
 ## Plugins go here
 ## see https://meta.discourse.org/t/19157 for details
 hooks:
  after_code:
    - exec:
        cd: $home/plugins
        cmd:
          - git clone https://github.com/discourse/docker_manager.git
 ## Any custom commands to run after building
 run:
  - exec: echo "Beginning of custom commands"
  - exec: |-
      if rails r 'exit(1) if User.find_by_email("postmaster@${BASE_DOMAIN_NAME}")'; then
          rails r "SiteSetting.pop3_polling_openssl_verify = false" || exit
          rails site_settings:import <<EOF2 || exit
      ---
      title: Libre-Chip Forum
      exclude_rel_nofollow_domains: ${BASE_DOMAIN_NAME}
      share_links: email
      share_quote_buttons: email
      default_dark_mode_color_scheme_id: '1'
      enable_badges: 'false'
      pending_users_reminder_delay_minutes: '5'
      title_prettify: 'false'
      title_fancy_entities: 'false'
      enable_markdown_typographer: 'false'
      highlighted_languages: bash|c|cpp|csharp|css|diff|ini|javascript|json|lua|makefile|markdown|plaintext|python|python-repl|rust|shell|typescript|xml|yaml|wasm|llvm|coq|x86asm|verilog|vhdl|scala
      enable_emoji_shortcuts: 'false'
      reply_by_email_address: forum+%{reply_key}@${BASE_DOMAIN_NAME}
      pop3_polling_period_mins: '1'
      pop3_polling_host: ${BASE_DOMAIN_NAME}
      pop3_polling_username: forum
      pop3_polling_password: ${forum_smtp_passwd}
      pop3_polling_enabled: 'true'
      reply_by_email_enabled: 'true'
      log_mail_processing_failures: 'true'
      email_in: 'true'
      email_in_allowed_groups: 1|2|0
      default_trust_level: '1'
      force_https: 'true'
      moderators_manage_categories_and_groups: 'true'
      moderators_view_emails: 'true'
      allowed_iframes: https://www.google.com/maps/embed?|https://www.openstreetmap.org/export/embed.html?|https://calendar.google.com/calendar/embed?|https://codepen.io/|http://forum.${BASE_DOMAIN_NAME}/discobot/certificate.svg|https://forum.${BASE_DOMAIN_NAME}/discobot/certificate.svg
      default_navigation_menu_categories: 2|3|4
      automatic_backups_enabled: 'false'
      sequential_replies_threshold: '4'
      get_a_room_threshold: '10000'
      default_composer_category: '4'
      share_anonymized_statistics: 'false'
      default_email_mailing_list_mode: 'true'
      disable_mailing_list_mode: 'false'
      enable_offline_indicator: 'true'
      chat_enabled: 'false'
      EOF2
          rails r "SiteSetting.pop3_polling_openssl_verify = true" || exit
          rails r - <<EOF2 || exit
      u = User.new
      u.email = "postmaster@${BASE_DOMAIN_NAME}"
      u.username = "postmaster"
      u.password = "$mail_passwd"
      u.name = "Admin User"
      u.save!
      u.active = true
      u.save!
      u.grant_admin!
      u.change_trust_level!(1) if u.trust_level < 1
      u.email_tokens.update_all confirmed: true
      u.activate
      EOF2
      fi
  - file:
      path: /etc/runit/1.d/000-update-certificates
      chmod: "+x"
      contents: |
        #!/bin/bash
        exec update-ca-certificates
  - exec: echo "End of custom commands"
--- a/templates/var/lib/stalwart-mail/cli.sh
+++ b/templates/var/lib/stalwart-mail/cli.sh
@ -0,0 +1,5 @@
 mail_passwd="$mail_passwd"
 function stalwart-cli()
 {
    (cd "$wd" && CREDENTIALS="admin:$mail_passwd" exec docker-compose -p server exec -T -e CREDENTIALS mail stalwart-cli -u "http://localhost" "$@")
 }
--- a/templates/var/lib/stalwart-mail/etc/config.toml
+++ b/templates/var/lib/stalwart-mail/etc/config.toml
@ -0,0 +1,70 @@
 [server.listener."smtp"]
 bind = ["[::]:25"]
 protocol = "smtp"
 [server.listener."submission"]
 bind = ["[::]:587"]
 protocol = "smtp"
 [server.listener."submissions"]
 bind = ["[::]:465"]
 protocol = "smtp"
 tls.implicit = true
 [server.listener."imaptls"]
 bind = ["[::]:993"]
 protocol = "imap"
 tls.implicit = true
 [server.listener.pop3s]
 bind = "[::]:995"
 protocol = "pop3"
 tls.implicit = true
 [server.listener.http]
 protocol = "http"
 bind = "[::]:80"
 [server.http]
 use-x-forwarded = true
 [certificate.default]
 cert = "%{file:/etc/letsencrypt/live/server/fullchain.pem}%"
 private-key = "%{file:/etc/letsencrypt/live/server/privkey.pem}%"
 default = true
 [storage]
 data = "rocksdb"
 fts = "rocksdb"
 blob = "rocksdb"
 lookup = "rocksdb"
 directory = "internal"
 [store.rocksdb]
 type = "rocksdb"
 path = "/opt/stalwart-mail/data"
 compression = "lz4"
 [directory.internal]
 type = "internal"
 store = "rocksdb"
 [tracer.log]
 type = "log"
 level = "info"
 path = "/opt/stalwart-mail/logs"
 prefix = "stalwart.log"
 rotate = "daily"
 ansi = false
 enable = true
 [authentication.fallback-admin]
 user = "admin"
 secret = "$mail_passwd_hash"
 [lookup.default]
 hostname = "mail.$BASE_DOMAIN_NAME"
 [session.auth]
 must-match-sender = [ {if = "authenticated_as == 'forum-noreply'", then = false},
                      {else = true} ]
--- a/website_git_post_receive_hook.sh
+++ b/website_git_post_receive_hook.sh
@ -0,0 +1,5 @@
 #!/bin/bash
 set -e
 cd /var/www/html
 env -i PATH="$PATH" git fetch
 env -i PATH="$PATH" git checkout -q --detach rendered