Interanet/gitea-deployment
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2d00e454c94ac1a650697bcd180c3f8f50116d7e
gitea-deployment/scripts/setup-ssl.sh

148 lines
4.0 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
set -e
GREEN='\033[0;32m'
RED='\033[0;31m'
YELLOW='\033[1;33m'
NC='\033[0m'
if [ ! -f ".env" ]; then
echo -e "${RED}[ERROR] .env file not found. Skipping SSL setup.${NC}"
exit 1
fi
source .env
SSL_MODE="${SSL_MODE:-none}"
NGINX_CONF_DIR="./nginx/conf.d"
NGINX_SSL_DIR="./nginx/ssl"
mkdir -p "$NGINX_CONF_DIR" "$NGINX_SSL_DIR"
# ── Helper: write HTTP-only config ──
write_http_conf() {
cat > "$NGINX_CONF_DIR/gitea.conf" <<'NGINX'
server {
listen 80;
server_name _;
location / {
proxy_pass http://gitea:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 512M;
}
}
NGINX
}
# ── Helper: write HTTPS config (works for both letsencrypt & custom) ──
write_https_conf() {
local cert_path="$1"
local key_path="$2"
cat > "$NGINX_CONF_DIR/gitea.conf" <<NGINX
server {
listen 80;
server_name ${GITEA_DOMAIN};
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://\$host\$request_uri;
}
}
server {
listen 443 ssl http2;
server_name ${GITEA_DOMAIN};
ssl_certificate ${cert_path};
ssl_certificate_key ${key_path};
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
location / {
proxy_pass http://gitea:3000;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
client_max_body_size 512M;
}
}
NGINX
}
# ── Main logic ──
case "$SSL_MODE" in
none)
echo -e "${YELLOW}[SSL] Mode: none — HTTP only${NC}"
write_http_conf
;;
letsencrypt)
echo -e "${GREEN}[SSL] Mode: letsencrypt${NC}"
if [[ -z "$LETSENCRYPT_EMAIL" ]]; then
echo -e "${RED}[ERROR] LETSENCRYPT_EMAIL is required for letsencrypt mode.${NC}"
exit 1
fi
if [[ -z "$GITEA_DOMAIN" ]]; then
echo -e "${RED}[ERROR] GITEA_DOMAIN is required for letsencrypt mode.${NC}"
exit 1
fi
CERT="/etc/letsencrypt/live/${GITEA_DOMAIN}/fullchain.pem"
KEY="/etc/letsencrypt/live/${GITEA_DOMAIN}/privkey.pem"
# If certs don't exist yet, start with HTTP-only so Nginx can boot
# for the ACME challenge. After certbot runs we'll switch to HTTPS.
if docker volume inspect gitea-deployment_certbot_certs >/dev/null 2>&1 && \
docker run --rm -v gitea-deployment_certbot_certs:/etc/letsencrypt alpine \
test -f "/etc/letsencrypt/live/${GITEA_DOMAIN}/fullchain.pem" 2>/dev/null; then
echo "[SSL] Existing Let's Encrypt certs found. Writing HTTPS config."
write_https_conf "$CERT" "$KEY"
else
echo "[SSL] No certs yet. Writing temporary HTTP config for ACME challenge."
write_http_conf
fi
;;
custom)
echo -e "${GREEN}[SSL] Mode: custom${NC}"
if [[ -z "$SSL_CERT_PATH" || -z "$SSL_KEY_PATH" ]]; then
echo -e "${RED}[ERROR] SSL_CERT_PATH and SSL_KEY_PATH are required for custom mode.${NC}"
exit 1
fi
if [[ ! -f "$SSL_CERT_PATH" ]]; then
echo -e "${RED}[ERROR] Certificate not found: $SSL_CERT_PATH${NC}"
exit 1
fi
if [[ ! -f "$SSL_KEY_PATH" ]]; then
echo -e "${RED}[ERROR] Key not found: $SSL_KEY_PATH${NC}"
exit 1
fi
cp "$SSL_CERT_PATH" "$NGINX_SSL_DIR/cert.pem"
cp "$SSL_KEY_PATH" "$NGINX_SSL_DIR/key.pem"
chmod 600 "$NGINX_SSL_DIR/key.pem"
write_https_conf "/etc/nginx/ssl/cert.pem" "/etc/nginx/ssl/key.pem"
echo -e "${GREEN}[SSL] Custom certificates copied to $NGINX_SSL_DIR${NC}"
;;
*)
echo -e "${RED}[ERROR] Unknown SSL_MODE: $SSL_MODE (expected: none, letsencrypt, custom)${NC}"
exit 1
;;
esac
echo -e "${GREEN}[SSL] Nginx config written to $NGINX_CONF_DIR/gitea.conf${NC}"
Reference in New Issue View Git Blame Copy Permalink