Skip to content

Instantly share code, notes, and snippets.

@alex-shpak

alex-shpak/gogs-on-rpi.md

Created February 4, 2017 16:41
Show Gist options
  • Star 5 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save alex-shpak/6de47b571582a3729966ed14307df620 to your computer and use it in GitHub Desktop.
Save alex-shpak/6de47b571582a3729966ed14307df620 to your computer and use it in GitHub Desktop.
Download ZIP
Gogs on raspberry pi
Raw
gogs-on-rpi.md

Update and install dependencies

apt-get update; apt-get upgrade

dphys-swapfile swapoff
dphys-swapfile uninstall

apt-get remove -y --purge wolfram-engine triggerhappy xserver-common lightdm sonic-pi minecraft-pi pigpio
apt-get autoremove -y
apt-get install git nginx

Add user

useradd -m -s /usr/bin/git-shell git

Download gogs and certbot

wget https://dl.gogs.io/gogs_v0.9.128_raspi2.zip -P /opt/
wget https://dl.eff.org/certbot-auto -P /opt/

Prepare gogs

unzip /opt/gogs_v0.9.128_raspi2.zip -d /opt/
cp /opt/gogs/scripts/systemd/gogs.service /etc/systemd/system/gogs.service

Edit /opt/gogs/scripts/systemd/gogs.service as

WorkingDirectory=/opt/gogs
ExecStart=/opt/gogs/gogs web

Prepare nginx

server_tokens off;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";

server {
  listen 80;
  server_name example.com;

  location ^~/.well-known {
    alias /var/letsencrypt/.well-known;
  }

  location / {
    return 301 https://$host$request_uri;
  }
}

server {
  listen 443 ssl default deferred;
  server_name example.com;

  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

  ssl_session_cache shared:SSL:50m;
  ssl_session_timeout 5m;

  # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
  # ssl_dhparam /etc/nginx/ssl/dhparam.pem;

  ssl_prefer_server_ciphers on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

  resolver 8.8.8.8;
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

  client_max_body_size 64m;

  location / {
    proxy_pass http://localhost:3000/;
  }
}

Prepare certbot

chmod a+x /opt/certbot-auto
mkdir -p /var/letsencrypt/.well-known

/opt/certbot-auto certonly --dry-run --agree-tos --email real.email@example.com --webroot -w /var/letsencrypt/ -d example.com

Add certbot to cron

0 4 * * * /opt/certbot-auto renew --quiet --no-self-upgrade

Start

systemctl start gogs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment