fix: use forgejo binary to generate application secrets

Emmanuel Averty 2023-01-22 08:10:43 +01:00 committed by grosmanal
parent df510686b4
commit 52d696f941
5 changed files with 70 additions and 55 deletions


@ -1,51 +1,52 @@
;https://codeberg.org/forgejo/forgejo/src/branch/forgejo/custom/conf/app.example.ini
; https://codeberg.org/forgejo/forgejo/src/branch/forgejo/custom/conf/app.example.ini
APP_NAME = Forgejo
RUN_USER = __APP__
RUN_MODE = prod
[database]
DB_TYPE = postgres
HOST = 127.0.0.1:5432
NAME = __DB_NAME__
USER = __DB_USER__
PASSWD = __DB_PWD__
DB_TYPE = postgres
HOST = 127.0.0.1:5432
NAME = __DB_NAME__
USER = __DB_USER__
PASSWD = __DB_PWD__
SSL_MODE = disable
LOG_SQL = false
[repository]
ROOT = __DATADIR__/repositories
ROOT = __DATADIR__/repositories
FORCE_PRIVATE = false
[server]
DOMAIN = __DOMAIN__
HTTP_PORT = __PORT__
HTTP_ADDR = 127.0.0.1
ROOT_URL = https://__DOMAIN____PATH_URL__
DISABLE_SSH = false
SSH_PORT = __SSH_PORT__
OFFLINE_MODE = false
APP_DATA_PATH = __DATADIR__/data
LANDING_PAGE = explore
DOMAIN = __DOMAIN__
HTTP_PORT = __PORT__
HTTP_ADDR = 127.0.0.1
ROOT_URL = https://__DOMAIN____PATH_URL__
DISABLE_SSH = false
SSH_PORT = __SSH_PORT__
OFFLINE_MODE = false
APP_DATA_PATH = __DATADIR__/data
LANDING_PAGE = explore
LFS_START_SERVER = true
LFS_JWT_SECRET = __LFS_KEY__
LFS_JWT_SECRET = __LFS_JWT_SECRET__
LOCAL_ROOT_URL = http://127.0.0.1:__PORT__/
[mailer]
ENABLED = true
HOST = 127.0.0.1:25
FROM = "Forgejo" <forgejo-noreply@__DOMAIN__>
ENABLED = true
HOST = 127.0.0.1:25
FROM = "Forgejo" <forgejo-noreply@__DOMAIN__>
SKIP_VERIFY = true
[service]
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = true
DISABLE_REGISTRATION = true
ENABLE_CAPTCHA = false
REQUIRE_SIGNIN_VIEW = false
ENABLE_REVERSE_PROXY_AUTHENTICATION = true
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = true
DISABLE_REGISTRATION = true
ENABLE_CAPTCHA = false
REQUIRE_SIGNIN_VIEW = false
ENABLE_REVERSE_PROXY_AUTHENTICATION = true
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true
[picture]
AVATAR_UPLOAD_PATH = __DATADIR__/data/avatars
AVATAR_UPLOAD_PATH = __DATADIR__/data/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = __DATADIR__/data/repo-avatars
[attachment]
@ -55,19 +56,15 @@ PATH = __DATADIR__/attachments
PROVIDER = memory
[log]
MODE = file
LEVEL = Info
ROOT_PATH = /var/log/__APP__
MODE = file
LEVEL = Info
ROOT_PATH = /var/log/__APP__
REDIRECT_MACARON_LOG = true
MACARON = file
ROUTER_LOG_LEVEL = Warn
ROUTER = file
ENABLE_ACCESS_LOG = Warn
ACCESS = file
ENABLE_XORM_LOG = Warn
XORM = file
@ -75,7 +72,8 @@ XORM = file
FILE_NAME = forgejo.log
[security]
INSTALL_LOCK = true
SECRET_KEY = __KEY__
INSTALL_LOCK = true
SECRET_KEY = __SECRET_KEY__
REVERSE_PROXY_AUTHENTICATION_USER = REMOTE-USER
REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128
INTERNAL_TOKEN = __INTERNAL_TOKEN__
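Review bot: With the new `INTERNAL_TOKEN = __INTERNAL_TOKEN__` line, this template now carries three live secrets (SECRET_KEY, LFS_JWT_SECRET in [server], INTERNAL_TOKEN), so the mode and owner of the rendered app.ini is what protects them; nothing in this commit shows how the file is written (another file's comment points at `ynh_add_config`, whose defaults I cannot see here), so it is worth confirming the result is readable only by the `RUN_USER` account. A short note above `[security]` would tell the next editor why the file must stay private, e.g. `; SECRET_KEY, LFS_JWT_SECRET and INTERNAL_TOKEN are generated at install time by the forgejo binary; keep this file unreadable to other users.` Separately, in the [log] hunk the context line `ENABLE_ACCESS_LOG = Warn` gives a non-boolean value to a boolean key, which most likely leaves the access log disabled rather than enabled — worth checking against the Forgejo configuration docs since it affects what is available for incident review.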


@ -14,7 +14,7 @@
},
"url": "https://forgejo.org",
"license": "MIT",
"version": "1.18.0-1~ynh1",
"version": "1.18.0-1~ynh2",
"maintainer": {
"name": "Emmanuel Averty",
"email": "emmanuel.averty@free.fr"


@ -26,15 +26,16 @@ app=$YNH_APP_INSTANCE_NAME
#=================================================
ynh_script_progression --message="Loading installation settings..." --weight=1
# Needed for helper "ynh_add_nginx_config"
# Needed for helper "ynh_add_nginx_config and ynh_add_config"
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
port=$(ynh_app_setting_get --app=$app --key=port)
admin=$(ynh_app_setting_get --app=$app --key=admin)
db_name=$(ynh_app_setting_get --app=$app --key=db_name)
db_user=$db_name
db_pwd=$(ynh_app_setting_get --app=$app --key=psqlpwd)
key=$(ynh_app_setting_get --app=$app --key=key)
lfs_key=$(ynh_app_setting_get --app=$app --key=lfs_key)
secret_key=$(ynh_app_setting_get --app=$app --key=secret_key)
lfs_jwt_secret=$(ynh_app_setting_get --app=$app --key=lfs_jwt_secret)
internal_token=$(ynh_app_setting_get --app=$app --key=internal_token)
datadir=$(ynh_app_setting_get --app=$app --key=datadir)
path_url=$(ynh_app_setting_get --app=$app --key=path)
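Review bot: The three values read by `secret_key=$(ynh_app_setting_get --app=$app --key=secret_key)` and the two lines after it are never checked for emptiness, so an instance whose settings predate this change (still holding only `key`/`lfs_key`) would have empty secrets rendered into app.ini by the helper the comment names; which script this is (restore, change_url, …) is not visible, so I cannot tell whether the upgrade script is guaranteed to have run first. A guard after these lines such as `[ -n "$secret_key" ] && [ -n "$lfs_jwt_secret" ] && [ -n "$internal_token" ] || ynh_die --message="Application secrets are missing; upgrade the app first"` would fail loudly instead of silently producing a config with blank keys. The updated comment also reads oddly with one pair of quotes around two names; `# Needed for helpers "ynh_add_nginx_config" and "ynh_add_config"` is clearer.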


@ -27,10 +27,6 @@ path_url=$YNH_APP_ARG_PATH
admin=$YNH_APP_ARG_ADMIN
is_public=$YNH_APP_ARG_IS_PUBLIC
# Generate keys
key=$(ynh_string_random --length=24)
lfs_key=$(ynh_string_random --length=24)
app=$YNH_APP_INSTANCE_NAME
#=================================================
@ -54,8 +50,6 @@ ynh_script_progression --message="Storing installation settings..." --weight=1
ynh_app_setting_set --app=$app --key=domain --value=$domain
ynh_app_setting_set --app=$app --key=admin --value=$admin
ynh_app_setting_set --app=$app --key=path --value=$path_url
ynh_app_setting_set --app=$app --key=key --value=$key
ynh_app_setting_set --app=$app --key=lfs_key --value=$lfs_key
#=================================================
# STANDARD MODIFICATIONS
@ -112,6 +106,16 @@ chmod -R o-rwx "$final_path"
chown -R $app:$app "$final_path"
chmod +x "$final_path/forgejo"
#=================================================
# KEYS GENERATION
#=================================================
secret_key=$($final_path/forgejo generate secret SECRET_KEY)
lfs_jwt_secret=$($final_path/forgejo generate secret JWT_SECRET)
internal_token=$($final_path/forgejo generate secret INTERNAL_TOKEN)
ynh_app_setting_set --app=$app --key=secret_key --value=$secret_key
ynh_app_setting_set --app=$app --key=lfs_jwt_secret --value=$lfs_jwt_secret
ynh_app_setting_set --app=$app --key=internal_token --value=$internal_token
#=================================================
# NGINX CONFIGURATION
#=================================================
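Review bot: The output captured by `secret_key=$($final_path/forgejo generate secret SECRET_KEY)` and the two substitutions below it is stored with `ynh_app_setting_set` without verifying it is non-empty; if the binary cannot run on the host or the subcommand prints nothing, an empty secret is persisted and later written into app.ini, and whether the script aborts on a non-zero exit depends on `ynh_abort_if_errors` being active, which is outside this hunk. Adding `[ -n "$secret_key" ] && [ -n "$lfs_jwt_secret" ] && [ -n "$internal_token" ] || ynh_die --message="Failed to generate application secrets"` before the three `ynh_app_setting_set` calls makes the failure explicit. For consistency with `chmod +x "$final_path/forgejo"` just above, the binary path should be quoted in all three substitutions, e.g. `secret_key=$("$final_path/forgejo" generate secret SECRET_KEY)`. The same unchecked pattern is repeated in the upgrade script's new `if [ -z "$secret_key" ]`, `lfs_jwt_secret` and `internal_token` blocks.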
@ -130,7 +134,6 @@ if [ -e "$datadir" ]; then
fi
mkdir -p $datadir
# mkdir -p "$datadir/data/{repositories,avatars,attachments}" # TODO valider la création de ces répetoires
mkdir -p "$datadir/.ssh"
chmod 750 "$datadir"


@ -25,8 +25,9 @@ datadir=$(ynh_app_setting_get --app=$app --key=datadir)
db_name=$(ynh_app_setting_get --app=$app --key=db_name)
db_user=$db_name
db_pwd=$(ynh_app_setting_get --app=$app --key=psqlpwd)
key=$(ynh_app_setting_get --app=$app --key=key)
lfs_key=$(ynh_app_setting_get --app=$app --key=lfs_key)
secret_key=$(ynh_app_setting_get --app=$app --key=secret_key)
lfs_jwt_secret=$(ynh_app_setting_get --app=$app --key=lfs_jwt_secret)
internal_token=$(ynh_app_setting_get --app=$app --key=internal_token)
#=================================================
# CHECK VERSION
@ -75,18 +76,30 @@ if [ -z "$port" ]; then
ynh_app_setting_set --app=$app --key=port --value=$port
fi
# If lfs_key doesn't exist, create it
if [ -z "$lfs_key" ]; then
lfs_key=$(ynh_string_random)
ynh_app_setting_set --app=$app --key=lfs_key --value=$lfs_key
fi
# If final_path doesn't exist, create it
if [ -z "$final_path" ]; then
final_path=/opt/$app
ynh_app_setting_set --app=$app --key=final_path --value=$final_path
fi
# If secret_key doesn't exist, create it
if [ -z "$secret_key" ]; then
secret_key=$($final_path/forgejo generate secret SECRET_KEY)
ynh_app_setting_set --app=$app --key=secret_key --value=$secret_key
fi
# If lfs_jwt_secret doesn't exist, create it
if [ -z "$lfs_jwt_secret" ]; then
lfs_jwt_secret=$($final_path/forgejo generate secret JWT_SECRET)
ynh_app_setting_set --app=$app --key=lfs_jwt_secret --value=$lfs_jwt_secret
fi
# If internal_token doesn't exist, create it
if [ -z "$internal_token" ]; then
internal_token=$($final_path/forgejo generate secret INTERNAL_TOKEN)
ynh_app_setting_set --app=$app --key=internal_token --value=$internal_token
fi
# If datadir doesn't exist, create it
if [ -z "$datadir" ]; then
datadir=/home/yunohost.app/$app