Gitea without SSH passthrough

2020-11-25 21:33:30 +00:00
parent 64b8830cbf
commit 8bf189c3d5
3 changed files with 107 additions and 8 deletions
--- a/db/init/01-databases.sql
+++ b/db/init/01-databases.sql
@@ -1,7 +1,7 @@
 CREATE DATABASE IF NOT EXISTS `monica`;
+CREATE DATABASE IF NOT EXISTS `gitea`;
 # Nextcloud will automatically create a database on setup
 #CREATE DATABASE IF NOT EXISTS `nextcloud`;

 GRANT ALL PRIVILEGES ON *.* TO 'chris'@'%';
-GRANT ALL ON `nextcloud`.* TO 'chris'@'%' ;
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'%';
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -52,6 +52,31 @@ services:
      - redis
      - nginx

+  gitea:
+    image: gitea/gitea:1
+    environment:
+      - "APP_NAME=Labs: Where the good stuff happens"
+      - RUN_MODE=prod
+      - DOMAIN=labs.${DOMAIN}
+      - ROOT_URL=https://labs.${DOMAIN}
+      - DB_TYPE=mysql
+      - DB_HOST=db
+      - DB_NAME=gitea
+      - DB_USER=${DB_USER}
+      - DB_PASSWD=${DB_PASSWORD}
+    restart: always
+    volumes:
+      - gitea:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - 222:22
+    networks:
+      - db
+      - nginx
+    depends_on:
+      - db
+
  db:
    image: mariadb
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
@@ -84,12 +109,13 @@ services:
    depends_on:
      - monica
      - nextcloud
+      - gitea
+      - omgwtfssl-monica
+      - omgwtfssl-nextcloud
+      - omgwtfssl-gitea
    ports:
      - 80:80
      - 443:443
-    depends_on:
-      - omgwtfssl-monica
-      - omgwtfssl-nextcloud
    networks:
      - nginx

@@ -117,12 +143,25 @@ services:
      - SSL_CSR=/certs/tower.${DOMAIN}.csr
      - SSL_CERT=/certs/tower.${DOMAIN}.crt

+  omgwtfssl-gitea:
+    image: paulczar/omgwtfssl
+    restart: "no"
+    volumes:
+      - certs:/certs
+    environment:
+      - SSL_SUBJECT=labs.${DOMAIN}
+      - CA_SUBJECT=chris@${DOMAIN}
+      - SSL_KEY=/certs/labs.${DOMAIN}.key
+      - SSL_CSR=/certs/labs.${DOMAIN}.csr
+      - SSL_CERT=/certs/labs.${DOMAIN}.crt
+
 volumes:
  db:
  monica-public:
  monica-data:
  nextcloud:
  certs:
+  gitea:

 networks:
  db:
--- a/nginx.conf
+++ b/nginx.conf
@@ -26,14 +26,51 @@ http {
    set_real_ip_from  172.16.0.0/12;
    set_real_ip_from  192.168.0.0/16;
    real_ip_header    X-Real-IP;
+    
+    # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
+    # scheme used to connect to this server
+    map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+        default $http_x_forwarded_proto;
+        ''      $scheme;
+    }
+
+    # If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
+    # server port the client connected to
+    map $http_x_forwarded_port $proxy_x_forwarded_port {
+        default $http_x_forwarded_port;
+        ''      $server_port;
+    }
+
+    # If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
+    # Connection header that may have been passed to this server
+    map $http_upgrade $proxy_connection {
+        default upgrade;
+        '' close;
+    }
+
+    # Set appropriate X-Forwarded-Ssl header
+    map $scheme $proxy_x_forwarded_ssl {
+        default off;
+        https on;
+    }
+
+    # HTTP 1.1 support
+    proxy_http_version 1.1;
+    proxy_buffering off;
+    proxy_set_header Host $http_host;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+    proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+    proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+
+    # Mitigate httpoxy attack (see README for details)
+    proxy_set_header Proxy "";

-    # Connect to service services
    upstream monica-handler {
        server monica:9000;
    }
-    upstream nextcloud-handler {
-        server nextcloud:9000;
-    }

    server {
        listen 443 ssl http2;
@@ -167,6 +204,9 @@ http {
        }
    }

+    upstream nextcloud-handler {
+        server nextcloud:9000;
+    }

    server {
        listen 443 ssl http2;
@@ -299,4 +339,24 @@ http {
            access_log off;
        }
    }
+
+    upstream gitea-handler {
+        server gitea:3000;
+    }
+
+    server {
+        listen 443 ssl http2;
+
+        ssl_certificate /etc/nginx/certs/labs.scarif.local.crt;
+        ssl_certificate_key /etc/nginx/certs/labs.scarif.local.key;
+
+        gzip_types text/plain text/css application/json application/x-javascript
+                   text/xml application/xml application/xml+rss text/javascript;
+
+        server_name labs.scarif.local;
+
+        location / {
+            proxy_pass http://gitea-handler;
+        }
+    }
 }