Linode StackScript for setting up a Gitea server
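#!/bin/bash
# Linode StackScript: provision a Gitea server behind the Caddy reverse proxy
# with a local PostgreSQL database, a Fail2ban jail for Gitea logins and a
# default-deny iptables/ip6tables ruleset, then reboot so every enabled unit
# starts from a clean boot.
#
# This block defines the variables the user of the script needs to input
# when deploying using this script.
#
#<UDF name="hostname" label="The hostname for the new Linode." default="gitea">
#<UDF name="FQDN" label="The new Linode's Fully Qualified Domain Name">
#<UDF name="POSTGRES_PASSWORD" label="The password to use for PostgreSQL">
#<UDF name="GITEA_VERSION" label="The Gitea Version to install" default="1.5" oneof="1.4.0,1.4.1,1.4.2,1.4.3,1.5">

# Stop at the first failed step instead of continuing to build a half-configured
# host and rebooting into it.
set -euo pipefail
export DEBIAN_FRONTEND=noninteractive

# Refuse to run with empty deployment inputs; the originals would otherwise be
# written verbatim (empty) into /etc/hosts, the Caddyfile and the SQL below.
: "${FQDN:?FQDN must be set}"
: "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}"
: "${GITEA_VERSION:?GITEA_VERSION must be set}"

# NOTE(review): the UDF above is declared as "hostname" while the original
# script reads $HOSTNAME (which bash also sets to the current machine name).
# Prefer the lowercase name when it is exported and fall back to the old
# behaviour otherwise — confirm how Linode exports UDF names.
new_hostname=${hostname:-$HOSTNAME}

# IP address assigned to the new Linode. iproute2 is used instead of the
# deprecated net-tools ifconfig, which is not installed by default on recent
# Debian/Ubuntu images.
IPADDR=$(ip -4 -o addr show dev eth0 | awk '{ print $4 }' | cut -d/ -f1)

# This section sets the hostname.
printf '%s\n' "$new_hostname" > /etc/hostname
hostname -F /etc/hostname

# Root SSH key. PUBKEY is not declared as a UDF on this page; only append it
# when something actually provided it, so authorized_keys does not collect
# empty lines.
mkdir -p /root/.ssh
chmod 700 /root/.ssh
if [[ -n "${PUBKEY:-}" ]]; then
  printf '%s\n' "$PUBKEY" >> /root/.ssh/authorized_keys
  chmod 600 /root/.ssh/authorized_keys
fi

# Update system
apt update
apt upgrade -y

# Install mosh for good ssh access (UDP 60000-60999 is opened in the firewall
# rules below for it).
apt install -y mosh

# This section sets the Fully Qualified Domain Name (FQDN) in the hosts file.
printf '%s %s %s\n' "$IPADDR" "$FQDN" "$new_hostname" >> /etc/hosts

# Install PostgreSQL
apt install -y postgresql

# Setup database. The password is passed as a psql variable and quoted with
# :'pw' so a quote character in it cannot break out of the SQL literal; the
# original string interpolation did exactly that. ON_ERROR_STOP makes psql
# return non-zero on the first failing statement so set -e sees it.
# The value is still briefly visible in this process's argv (as it is in the
# UDF mechanism itself); rotate it after first login if that matters.
sudo -u postgres psql -v ON_ERROR_STOP=1 -v pw="$POSTGRES_PASSWORD" <<'EOSQL'
CREATE USER gitea WITH PASSWORD :'pw';
CREATE DATABASE gitea OWNER gitea;
EOSQL

# Add git system user
adduser \
  --system \
  --shell /bin/bash \
  --gecos 'Git Version Control' \
  --group \
  --disabled-password \
  --home /home/git \
  git

# Setup gitea prerequisites
mkdir -p /var/lib/gitea/{custom,data,indexers,public,log}
chown git:git /var/lib/gitea/{data,indexers,log}
chmod 750 /var/lib/gitea/{data,indexers,log}
# /etc/gitea is group-writable so the web installer running as "git" can write
# app.ini on first run; tighten it (e.g. 750 on the dir, 640 on app.ini) once
# the installation has completed.
mkdir -p /etc/gitea
chown root:git /etc/gitea
chmod 770 /etc/gitea

# Install gitea. The release binary is downloaded to a temp dir and checked
# against the .sha256 sidecar published next to it before being installed.
# Both files come from the same host, so this detects a corrupted or truncated
# download, not a compromised download server; verify the .asc signature as
# well if that is in scope.
gitea_file="gitea-${GITEA_VERSION}-linux-amd64"
gitea_url="https://dl.gitea.io/gitea/${GITEA_VERSION}/${gitea_file}"
tmpdir=$(mktemp -d)
trap 'rm -rf -- "$tmpdir"' EXIT
wget -q -O "${tmpdir}/${gitea_file}" "$gitea_url"
wget -q -O "${tmpdir}/${gitea_file}.sha256" "${gitea_url}.sha256"
(cd "$tmpdir" && sha256sum -c "${gitea_file}.sha256")
install -m 0755 -o root -g root "${tmpdir}/${gitea_file}" /usr/local/bin/gitea

# Setup systemd service. The here-doc delimiter is quoted so nothing inside the
# unit file is expanded by this shell.
cat > /etc/systemd/system/gitea.service <<'EOF'
[Unit]
Description=Gitea (Git with a cup of tea)
After=syslog.target
After=network.target
#After=mysqld.service
After=postgresql.service
#After=memcached.service
#After=redis.service
[Service]
#LimitMEMLOCK=infinity
#LimitNOFILE=65535
RestartSec=2s
Type=simple
User=git
Group=git
WorkingDirectory=/var/lib/gitea/
ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
Restart=always
Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
[Install]
WantedBy=multi-user.target
EOF
systemctl enable gitea
# systemctl start gitea

# Add caddy system user
adduser \
  --system \
  --shell /bin/bash \
  --gecos 'Caddy Web Server' \
  --group \
  --disabled-password \
  --home /home/caddy \
  caddy

# Install Caddy. This runs an installer fetched over the network as root
# without any integrity check; -f makes curl fail (and set -e stop the script)
# on an HTTP error instead of piping an error page into bash. Pinning a release
# and verifying it would be the stronger option.
curl -fsSL https://getcaddy.com | bash -s personal http.nobots,http.ratelimit
mkdir -p /etc/ssl/caddy
chown -R caddy:caddy /etc/ssl/caddy

# Caddy systemd unit. The delimiter MUST be quoted: the original unquoted
# here-doc let bash expand $MAINPID (unset here) to nothing, leaving
# "ExecReload=/bin/kill -USR1" with no PID — systemd must see the literal
# $MAINPID and expand it itself at reload time.
cat > /etc/systemd/system/caddy.service <<'EOF'
[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
[Service]
Restart=on-abnormal
User=caddy
Group=caddy
Environment=CADDYPATH=/etc/ssl/caddy
ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
ExecReload=/bin/kill -USR1 $MAINPID
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
PrivateDevices=false
ProtectHome=true
ProtectSystem=full
ReadWriteDirectories=/etc/ssl/caddy
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
EOF

# Caddyfile: terminate TLS for the FQDN and proxy to Gitea on localhost:3000.
# This here-doc is intentionally unquoted so ${FQDN} is filled in.
mkdir -p /etc/caddy
cat > /etc/caddy/Caddyfile <<EOF
${FQDN} {
proxy / localhost:3000
}
EOF
chown caddy:caddy /etc/caddy/Caddyfile
chmod 444 /etc/caddy/Caddyfile
systemctl enable caddy
# systemctl start caddy

# Setup Fail2ban
apt install -y fail2ban
mkdir -p /etc/fail2ban/filter.d
mkdir -p /etc/fail2ban/jail.d
cat > /etc/fail2ban/filter.d/gitea.conf <<'EOF'
[Definition]
failregex = .*Failed authentication attempt for .* from <HOST>
ignoreregex =
EOF
# The jail watches Gitea's log under the GITEA_WORK_DIR set in the unit above
# (the original pointed at /home/git/gitea/log, a directory this script never
# creates, so the jail would never match anything). Gitea's default log root
# is <work dir>/log — confirm against [log] ROOT_PATH in app.ini after setup.
cat > /etc/fail2ban/jail.d/jail.local <<'EOF'
[gitea]
enabled = true
port = http,https
filter = gitea
logpath = /var/lib/gitea/log/gitea.log
maxretry = 10
findtime = 3600
bantime = 900
action = iptables-allports
EOF

# Setup firewall. Autosave is disabled so rules are only ever the ones written
# below, not whatever is live when the package is installed.
echo iptables-persistent iptables-persistent/autosave_v4 boolean false | debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean false | debconf-set-selections
apt-get -y install iptables-persistent
mkdir -p /etc/iptables
# Default-deny inbound: loopback, ICMP echo, SSH (22/tcp), mosh (60000-60999/udp),
# HTTP/HTTPS, and replies to established connections. Gitea's own port 3000 is
# not exposed; it is reached only through Caddy.
cat > /etc/iptables/rules.v4 <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m multiport --dports 22,60000:60999 -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
cat > /etc/iptables/rules.v6 <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s ::1/128 -j REJECT
-A INPUT -p icmpv6 -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m multiport --dports 22,60000:60999 -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF

# Reboot so the new hostname, firewall rules and enabled units all come up
# together from a clean boot.
reboot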