@pylover
Created November 19, 2022 18:18
Script to install Gitea on Ubuntu 20.04
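#! /usr/bin/env bash
# Interactive installer for Gitea behind nginx with a PostgreSQL database.
# The script calls apt and writes under /etc and /usr/local/bin without sudo,
# so it needs to be started with root privileges.
set -e

# System account that owns the Gitea data and runs the service.
UNAME=git

# Obtain some information
# -r keeps backslashes in the typed answers literal.
APPNAME=""
read -r -p "Enter application title: " APPNAME
DOMAIN=""
read -r -p "Enter domain name: " DOMAIN

# DOMAIN is later interpolated into the nginx configuration and used as a file
# name under /etc/nginx, so anything that is not a plain host name (empty,
# spaces, slashes, ...) is rejected before any file is written.
if [[ ! $DOMAIN =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]]; then
  echo "Invalid domain name: \"$DOMAIN\"" >&2
  exit 1
fi

# Install postgresql
# Any answer other than a single n/N (including just Enter) installs it.
read -r -p "Do you want to install postgresql? [Y/n] "
if [[ ! $REPLY =~ ^[Nn]$ ]]; then
  apt install -y postgresql
fi

# The major version is detected only after the optional install above: on a
# fresh machine psql does not exist before it, and the pg_hba.conf path built
# from PGVER later in the script would then contain an empty component.
PGVER=""
if command -v psql > /dev/null; then
  PGVER=$(psql --version | cut -d'.' -f 1 | cut -d' ' -f 3)
fi
echo "Postgresql version: $PGVER"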
# Optional packages: Redis, git and nginx.
# Each entry is "<label shown in the prompt>|<apt package>". Any answer other
# than a single n/N (including just Enter) installs the package.
for entry in "Redis server|redis-server" "git|git" "nginx|nginx"; do
  label=${entry%%|*}
  package=${entry#*|}
  read -p "Do you want to install $label? [Y/n] "
  case $REPLY in
    [Nn]) ;;
    *) apt install -y "$package" ;;
  esac
done
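# Download the binary
# The release file and its detached signature are fetched into a private
# temporary directory and only moved to ./gitea once the signature has been
# verified. A failed or interrupted run therefore never leaves an unverified
# file behind that the "already downloaded" test would accept on the next run.
# An existing ./gitea is taken as-is and is NOT re-verified.
if [ -f "gitea" ]; then
  echo "Download skipped, due the \"gitea\" binary just found!"
else
  GITEA_URL=https://dl.gitea.io/gitea/1.17.3/gitea-1.17.3-linux-amd64
  GITEA_KEY=7C9E68152594688862D62AF62D9AE806EC1592E2
  DLDIR=$(mktemp -d)
  trap 'rm -rf -- "$DLDIR"' EXIT

  wget -O "$DLDIR/gitea" "$GITEA_URL"
  # NOTE(review): assumes the detached signature is published next to the
  # binary as <url>.asc -- confirm against the download site.
  wget -O "$DLDIR/gitea.asc" "$GITEA_URL.asc"

  # Verify
  # A throwaway keyring that holds only the release key: `gpg --verify`
  # accepts a good signature from any key it knows, so using root's default
  # keyring would also accept files signed by unrelated keys stored there.
  mkdir -m 700 "$DLDIR/gnupg"
  gpg --homedir "$DLDIR/gnupg" --keyserver keys.openpgp.org --recv-keys "$GITEA_KEY"
  # set -e aborts here on a bad or missing signature, before anything is
  # placed in the working directory or on PATH.
  gpg --homedir "$DLDIR/gnupg" --verify "$DLDIR/gitea.asc" "$DLDIR/gitea"

  mv -- "$DLDIR/gitea" gitea
  rm -rf -- "$DLDIR"
  trap - EXIT

  # Set execution bit
  chmod +x gitea
  # Copy into path
  cp gitea /usr/local/bin
fi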
# System user
# `id` succeeds only when the account exists; its output is discarded.
if ! id "$UNAME" &>/dev/null; then
  # Create a system account with its own group and no password. The login
  # shell is /bin/bash and the home directory is /home/$UNAME.
  adduser_args=(
    --system
    --shell /bin/bash
    --gecos 'Git Version Control'
    --group
    --disabled-password
    --home /home/$UNAME
    $UNAME
  )
  adduser "${adduser_args[@]}"
else
  echo "User \"$UNAME\" is already exists."
fi
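# Gitea directories
# The data tree and the config directory are checked independently. Testing
# only /var/lib/gitea meant that a run aborted between the two steps (or a
# pre-existing data directory) left /etc/gitea missing for good, and the later
# write of /etc/gitea/app.ini then failed.
DIRS_CREATED=0

if [ ! -d /var/lib/gitea ]; then
  # Data tree: owned by the service account, no access for other users.
  mkdir -p /var/lib/gitea/{custom,data,log}
  chown -R "$UNAME:$UNAME" /var/lib/gitea/
  chmod -R 750 /var/lib/gitea/
  DIRS_CREATED=1
fi

if [ ! -d /etc/gitea ]; then
  # Config directory: owned by root, readable (not writable) by the service
  # group, so the service cannot rewrite its own configuration.
  mkdir -p /etc/gitea
  chown root:"$UNAME" /etc/gitea
  chmod 750 /etc/gitea
  DIRS_CREATED=1
fi

if [ "$DIRS_CREATED" -eq 0 ]; then
  echo "Directories are already created."
fi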
# Postgresql user
# List the roles (\du), keep the first column and look for $UNAME as a whole
# word; the role is created only when that search finds nothing.
if ! sudo -u postgres psql -t -c '\du' | cut -d '|' -f 1 | grep -qw "$UNAME"; then
  sudo -u postgres createuser $UNAME
else
  echo "Postgres user: \"$UNAME\" is already exists"
fi

# Postgresql database
# Same approach on the database list (-l): create "gitea", owned by $UNAME,
# unless a database of that name is already listed.
if ! sudo -u postgres psql -lqt | cut -d '|' -f 1 | grep -qw gitea; then
  sudo -u postgres createdb -O $UNAME gitea
else
  echo "Postgres database: \"gitea\" is already exists"
fi
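# Configure postgresql peer auth
# Peer authentication lets the local OS account $UNAME connect to the "gitea"
# database over the unix socket without a password.
read -r -p "Do you want to enable postgresql peer authentication for user $UNAME? [Y/n] "
if [[ ! $REPLY =~ ^[Nn]$ ]]; then
  # Stop here instead of writing to /etc/postgresql//main/... when the version
  # could not be detected.
  HBA_FILE=/etc/postgresql/${PGVER:?PostgreSQL version unknown, cannot locate pg_hba.conf}/main/pg_hba.conf
  HBA_RULE="local gitea $UNAME peer"

  # pg_hba.conf is evaluated top to bottom and the first matching line wins,
  # so an appended rule only takes effect when no earlier "local" line already
  # matches this database and user.
  if grep -qxF -- "$HBA_RULE" "$HBA_FILE"; then
    # Re-running the script must not stack duplicate rules.
    echo "pg_hba.conf already has the peer rule for \"$UNAME\"."
  else
    printf '# Added by install-gitea.sh\n%s\n\n' "$HBA_RULE" >> "$HBA_FILE"
  fi
  service postgresql restart
fi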
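# Gitea configuration
read -r -p "Do you want to create gitea app.ini? [Y/n] "
if [[ ! $REPLY =~ ^[Nn]$ ]]; then
  # INTERNAL_TOKEN and LFS_JWT_SECRET are generated for this installation.
  # They used to be literal values in this script, which made them identical
  # on every server installed from it and readable by anyone with a copy of
  # the script; installations created that way should replace both values.
  # The generator is run as the service account rather than as root.
  GITEA_BIN=/usr/local/bin/gitea
  INTERNAL_TOKEN=$(sudo -u "$UNAME" "$GITEA_BIN" generate secret INTERNAL_TOKEN)
  LFS_JWT_SECRET=$(sudo -u "$UNAME" "$GITEA_BIN" generate secret JWT_SECRET)
  : "${INTERNAL_TOKEN:?could not generate INTERNAL_TOKEN}"
  : "${LFS_JWT_SECRET:?could not generate LFS_JWT_SECRET}"

  # Create the file empty with its final owner and mode before any secret is
  # written. Group $UNAME is required: with root:root and mode 640 the service
  # account could not read its own configuration.
  install -m 640 -o root -g "$UNAME" /dev/null /etc/gitea/app.ini

  # ROOT_URL is derived from the domain entered at the start instead of a
  # fixed host name.
  # NOTE(review): UNIX_SOCKET_PERMISSION = 666 lets every local account talk to
  # the Gitea socket directly, bypassing nginx. Tightening it needs the nginx
  # worker user in a group that owns the socket -- left unchanged here.
  # NOTE(review): no SECRET_KEY is set in [security]; confirm which value Gitea
  # falls back to and set a generated one on fresh installations.
  cat > /etc/gitea/app.ini <<EOF
APP_NAME = $APPNAME
RUN_USER = $UNAME
RUN_MODE = prod
[database]
DB_TYPE = postgres
HOST = /run/postgresql
NAME = gitea
USER = $UNAME
PASSWD =
SCHEMA =
SSL_MODE = disable
CHARSET = utf8
PATH = /var/lib/gitea/data/gitea.db
LOG_SQL = false
[repository]
ROOT = /var/lib/gitea/data/gitea-repositories
[server]
PROTOCOL = http+unix
HTTP_ADDR = /run/gitea/gitea.s
UNIX_SOCKET_PERMISSION = 666
ROOT_URL = https://$DOMAIN/
SSH_DOMAIN = $DOMAIN
DOMAIN = $DOMAIN
DISABLE_SSH = false
SSH_PORT = 22
LFS_START_SERVER = true
LFS_JWT_SECRET = $LFS_JWT_SECRET
OFFLINE_MODE = false
[lfs]
PATH = /var/lib/gitea/data/lfs
[mailer]
ENABLED = false
[service]
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
DISABLE_REGISTRATION = true
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = false
REQUIRE_SIGNIN_VIEW = true
DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = false
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = noreply.localhost
[picture]
DISABLE_GRAVATAR = false
ENABLE_FEDERATED_AVATAR = true
[openid]
ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = false
[session]
PROVIDER = file
[log]
MODE = console
LEVEL = info
ROOT_PATH = /var/lib/gitea/log
ROUTER = console
[repository.pull-request]
DEFAULT_MERGE_STYLE = merge
[repository.signing]
DEFAULT_TRUST_MODEL = committer
[security]
INSTALL_LOCK = true
INTERNAL_TOKEN = $INTERNAL_TOKEN
PASSWORD_HASH_ALGO = pbkdf2

EOF
fi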
# Systemd
# Writes the unit file, then reloads systemd and enables and (re)starts the
# service. The unit runs Gitea as $UNAME with /etc/gitea/app.ini, and
# RuntimeDirectory=gitea provides /run/gitea for the unix socket.
# NOTE(review): the unit carries no sandboxing directives; consider adding
# some once the service is confirmed working.
read -p "Do you want to create systemd service? [Y/n] "
case $REPLY in
  [Nn]) ;;
  *)
    cat > /etc/systemd/system/gitea.service <<EOF
[Unit]
Description=Gitea (Git with a cup of tea)
After=syslog.target
After=network.target
Wants=postgresql.service
After=postgresql.service
Wants=memcached.service
After=memcached.service
Wants=redis.service
After=redis.service
[Service]
RestartSec=2s
Type=simple
User=$UNAME
Group=$UNAME
WorkingDirectory=/var/lib/gitea/
RuntimeDirectory=gitea
ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
Restart=always
Environment=USER=$UNAME HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
[Install]
WantedBy=multi-user.target

EOF
    systemctl daemon-reload
    systemctl enable gitea
    systemctl restart gitea
    ;;
esac
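# Nginx conf
# Publishes Gitea's unix socket through an nginx virtual host on port 80 and
# then lets certbot obtain a certificate and add the TLS configuration.
read -r -p "Do you want to create nginx configuration file? [Y/n] "
if [[ ! $REPLY =~ ^[Nn]$ ]]; then
  # An empty DOMAIN would turn the paths below into the directories themselves.
  : "${DOMAIN:?domain name is empty}"
  SITE_AVAILABLE=/etc/nginx/sites-available/$DOMAIN
  SITE_ENABLED=/etc/nginx/sites-enabled/$DOMAIN

  cat > "$SITE_AVAILABLE" <<EOF

upstream gitea {
server unix:/run/gitea/gitea.s;
}
server {
listen 80;
server_name $DOMAIN www.$DOMAIN;
location / {
proxy_pass http://gitea;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
}
}
EOF

  # Enable
  # The site is linked before the syntax test. `nginx -t` only reads what
  # nginx.conf includes, so testing first would not cover the new file.
  # -L is checked as well as -e so a dangling link counts as present.
  LINK_CREATED=0
  if [ ! -e "$SITE_ENABLED" ] && [ ! -L "$SITE_ENABLED" ]; then
    ln -s "$SITE_AVAILABLE" "$SITE_ENABLED"
    LINK_CREATED=1
  fi

  # Test
  # On failure the link created above is removed again, so a broken site file
  # cannot stop nginx from starting later.
  if ! nginx -t; then
    if [ "$LINK_CREATED" -eq 1 ]; then
      rm -f -- "$SITE_ENABLED"
    fi
    echo "nginx configuration test failed, site \"$DOMAIN\" not enabled." >&2
    exit 1
  fi
  service nginx restart

  # SSL
  apt install -y certbot python3-certbot-nginx
  certbot --nginx -d "$DOMAIN" -d "www.$DOMAIN"
fi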
# TODO: disable postgres tcp listen
# TODO: Gitea Socket activation
# TODO: firewall
#
###
# If using socket activation for main http/s
###
#
#After=gitea.main.socket
#Requires=gitea.main.socket
#
###
# (You can also provide gitea an http fallback and/or ssh socket too)
#
# An example of /etc/systemd/system/gitea.main.socket
###
##
## [Unit]
## Description=Gitea Web Socket
## PartOf=gitea.service
##
## [Socket]
## Service=gitea.service
## ListenStream=<some_port>
## NoDelay=true
##
## [Install]
## WantedBy=sockets.target
##
###