Set up NGINX + CGIT on Ubuntu 20.04
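#!/bin/bash
# Provisions nginx + cgit on an Ubuntu 20.04 host. The steps below change
# system packages, accounts and files under /etc, so they need root.
set -euo pipefail

# Configurations
# Every value can be supplied through the environment so that the real
# password and key never have to be written into this file; the literals
# below are only fallbacks.

# the new user that's to be added for logging in (comment out `create_user`
# from the `main` if you already have an admin user)
NEW_USER="${NEW_USER:-admin}"
# Initial password for NEW_USER. The fallback is a published placeholder and
# the account is added to the sudo group, so set a real value before running
# and change it again after the first login.
DUMMY_PASS="${DUMMY_PASS:-dummyPassword123}"
# Your public key. Despite the name this is the key line itself (one
# authorized_keys entry), not a path to a file.
KEY_FILE="${KEY_FILE:-ssh-rsa ...}"
# the address to add cgit to
WEBSITE_NAME="${WEBSITE_NAME:-git.example.com}"

# Command tracing is opt-in (TRACE=1) and switched on only after the
# assignments above: xtrace prints expanded values, which would put
# DUMMY_PASS into the terminal scrollback or any log capturing the run.
if [[ -n "${TRACE:-}" ]]; then
  set -x
fi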
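# Refresh the package index, apply pending upgrades, then install the
# packages needed to build cgit and serve it through nginx + fcgiwrap.
install_deps() {
  # apt-get instead of apt: apt warns that its command-line interface is not
  # stable enough for use in scripts.
  apt-get -y update
  apt-get -y upgrade
  # 'zlib*' is quoted so it reaches apt-get as a package pattern; unquoted,
  # the shell would first try to expand it against files in the current
  # directory. git is listed because setup_cgit clones the cgit sources.
  apt-get -y install fcgiwrap libc6 liblua5.1-0 zlib1g python3-docutils \
    python3-markdown python3-pygments build-essential nginx 'zlib*' \
    libssl-dev git
}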
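# Create the login account NEW_USER (if it does not exist yet), add it to the
# sudo group and install KEY_FILE as its only authorized SSH key.
# Globals: NEW_USER, DUMMY_PASS, KEY_FILE (read)
create_user() {
  local ssh_dir="/home/${NEW_USER}/.ssh"
  local trace_on=0

  if id -u "$NEW_USER" >/dev/null 2>&1; then
    # Leave an existing account's password alone rather than resetting it to
    # the value stored in this script.
    echo "User already exists."
  else
    # --disabled-password/--gecos keep adduser from prompting, so the script
    # also works when no terminal is attached; the password is set below.
    adduser --disabled-password --gecos "" "$NEW_USER"
    # Keep the password out of xtrace output if tracing is enabled.
    case $- in *x*) trace_on=1 ;; esac
    set +x
    printf '%s:%s\n' "$NEW_USER" "$DUMMY_PASS" | chpasswd
    if (( trace_on )); then
      set -x
    fi
  fi

  # -a appends; plain -G would drop the user from every other supplementary
  # group it already belongs to.
  usermod -aG sudo "$NEW_USER"

  # -d creates the directory only if missing, so a re-run does not abort.
  install -d -m 700 -o "$NEW_USER" -g "$NEW_USER" "$ssh_dir"
  # Overwrites any keys already present for this user.
  printf '%s\n' "$KEY_FILE" > "$ssh_dir/authorized_keys"
  chown -R "$NEW_USER:$NEW_USER" "$ssh_dir"
  # Only the owner needs to read the key list.
  chmod 600 "$ssh_dir/authorized_keys"
}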
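# Restrict SSH to key-based logins for non-root users, then turn on the
# firewall with SSH allowed.
#
# NOTE(review): after this runs, the only way in over SSH is a key that is
# already installed for a non-root account. Confirm such a login works from
# a second session before closing the current one.
disable_root_login() {
  local cfg=/etc/ssh/sshd_config

  # Blank every line that mentions one of the three directives (commented
  # lines included) so the values appended below are the only ones left in
  # this file. The expressions are quoted so the shell never treats them as
  # glob patterns; the previous file is kept as sshd_config.bak.
  sed -i.bak \
    -e 's/.*PubkeyAuthentication.*//' \
    -e 's/.*PasswordAuthentication.*//' \
    -e 's/.*PermitRootLogin.*//' \
    "$cfg"

  # NOTE(review): these lines land at the end of the file. If the file ends
  # with a Match block they become part of that block, and settings pulled in
  # through an Include line earlier in the file may take precedence - check
  # the effective values with `sshd -T` afterwards.
  {
    echo "PermitRootLogin no"
    echo "PasswordAuthentication no"
    echo "PubkeyAuthentication yes"
  } >> "$cfg"

  # Validate the edited file first; restarting on a broken config could leave
  # the host without a working SSH daemon.
  sshd -t -f "$cfg"
  service ssh restart

  ufw allow ssh
  # --force skips the interactive confirmation ufw asks for when it is
  # enabled over an SSH session; SSH has been allowed on the line above.
  ufw --force enable
}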
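# Create the system account "git" with home /var/lib/git and install
# KEY_FILE as its authorized SSH key.
# Globals: KEY_FILE (read)
create_git_user() {
  local git_home=/var/lib/git

  adduser --system --group --disabled-password --home "$git_home" git
  chown git:git "$git_home"

  # Create .ssh owned by git with owner-only permissions; -d tolerates an
  # existing directory, so a re-run does not abort here.
  install -d -m 700 -o git -g git "$git_home/.ssh"
  # Overwrites any keys already present for this account.
  printf '%s\n' "$KEY_FILE" > "$git_home/.ssh/authorized_keys"
  chown git:git "$git_home/.ssh/authorized_keys"
  chmod 600 "$git_home/.ssh/authorized_keys"

  # NOTE(review): /bin/bash gives every holder of an authorized key a full
  # interactive shell as git. If the account is only meant for push/pull,
  # git-shell limits it to git commands - decide which one is intended.
  chsh -s /bin/bash git
}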
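# Fetch the cgit sources, build and install them under /var/www/html/cgit,
# then enable and start fcgiwrap.
setup_cgit() {
  local build_dir src

  # Build in a private directory from mktemp instead of the fixed /tmp/cgit:
  # a predictable path in a world-writable directory can be prepared by
  # another local user before this root-run build gets there, and it also
  # makes a second run fail because the clone target already exists.
  build_dir=$(mktemp -d)
  src="$build_dir/cgit"

  # NOTE(review): this builds and installs, as root, whatever the default
  # branch currently points at. Checking out a reviewed release first
  # (git -C "$src" checkout <TAG_OR_COMMIT>) makes the result reproducible.
  git clone https://git.zx2c4.com/cgit "$src"
  git -C "$src" submodule update --init

  # NOTE(review): cgitrc and the cache live under /var/www/html. If another
  # enabled nginx site uses /var/www/html as its document root (presumably
  # the distribution's default site - confirm), those files are served as
  # static content as well.
  # The delimiter is quoted so the make-style $(...) references are written
  # out literally.
  cat <<'EOF' > "$src/cgit.conf"
CGIT_SCRIPT_PATH = /var/www/html/cgit/cgi
CGIT_CONFIG = /var/www/html/cgit/cgitrc
CACHE_ROOT = /var/www/html/cgit/cache
prefix = /var/www/html/cgit
libdir = $(prefix)
filterdir = $(libdir)/filters
EOF

  # Two separate commands: in `make && make install` a failing `make` is not
  # caught by `set -e`, and the script would carry on without a cgit binary.
  make -C "$src"
  make -C "$src" install

  rm -rf -- "${build_dir:?}"

  systemctl enable fcgiwrap
  systemctl start fcgiwrap
}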
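# Write the nginx server block for WEBSITE_NAME, enable it, restart nginx and
# open the HTTP port in the firewall.
# Globals: WEBSITE_NAME (read)
setup_nginx() {
  local site_conf="/etc/nginx/sites-available/${WEBSITE_NAME}.conf"

  # NOTE(review): the site listens on port 80 only, so repository pages are
  # served over plain HTTP; add a TLS listener if that is not acceptable.
  # The delimiter is unquoted on purpose: $WEBSITE_NAME is expanded by the
  # shell, while the escaped \$ names are left for nginx to resolve.
  cat <<EOF > "$site_conf"
server {
    server_name $WEBSITE_NAME;
    listen [::]:80;
    listen 80;
    access_log /var/log/nginx/cgit-access.log;
    error_log /var/log/nginx/cgit-error.log;
    root /var/www/html/cgit/cgi;
    try_files \$uri @cgit;
    location @cgit {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /var/www/html/cgit/cgi/cgit.cgi;
        fastcgi_pass unix:/run/fcgiwrap.socket;
        fastcgi_param PATH_INFO \$uri;
        fastcgi_param QUERY_STRING \$args;
        fastcgi_param HTTP_HOST \$server_name;
    }
}
EOF

  ln -sf "$site_conf" "/etc/nginx/sites-enabled/${WEBSITE_NAME}.conf"

  # Check the configuration before restarting so a bad file stops the script
  # here instead of taking down a running nginx.
  nginx -t
  service nginx restart
  ufw allow http
}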
# Run the installation steps in order: packages, the git account, the cgit
# build, and finally the nginx site.
primary() {
  local step
  local -a steps=(install_deps create_git_user setup_cgit setup_nginx)

  for step in "${steps[@]}"; do
    "$step"
  done
}
# Optional hardening: create_user adds the new login account, then
# disable_root_login turns off root logins so that only that account can be
# used to log in.
security() {
  local step

  for step in create_user disable_root_login; do
    "$step"
  done
}
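# Entry point: optional account/SSH hardening first, then the cgit + nginx
# installation.
main() {
  # Every step changes system state (packages, accounts, /etc), so stop with
  # a clear message instead of failing part-way through as a normal user.
  if (( EUID != 0 )); then
    echo "This script must be run as root." >&2
    exit 1
  fi

  # Comment out the next line if you do NOT want a new user to be created
  # and root logins to be disabled.
  security
  primary
}

main "$@"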
You can run this on the server after the instance is ready, or you can use something like the command below to run it from your local system,
where `script.sh` contains the above gist code.