From 52d696f941ab66fe3e2d4de23cb0fa78cb7c3fe7 Mon Sep 17 00:00:00 2001
From: Emmanuel Averty
Date: Sun, 22 Jan 2023 08:10:43 +0100
Subject: [PATCH] fix: use forgejo binary to generate application secrets
---
 conf/app.ini | 70 ++++++++++++++++++++++------------------------
 manifest.json | 2 +-
 scripts/change_url | 7 +++--
 scripts/install | 17 ++++++-----
 scripts/upgrade | 29 +++++++++++++------
 5 files changed, 70 insertions(+), 55 deletions(-)
diff --git a/conf/app.ini b/conf/app.ini
index a855f33..6d898fb 100644
--- a/conf/app.ini
+++ b/conf/app.ini
@@ -1,51 +1,52 @@
-;https://codeberg.org/forgejo/forgejo/src/branch/forgejo/custom/conf/app.example.ini
+; https://codeberg.org/forgejo/forgejo/src/branch/forgejo/custom/conf/app.example.ini
 APP_NAME = Forgejo
 RUN_USER = __APP__
 RUN_MODE = prod
 [database]
-DB_TYPE = postgres
-HOST = 127.0.0.1:5432
-NAME = __DB_NAME__
-USER = __DB_USER__
-PASSWD = __DB_PWD__
+DB_TYPE = postgres
+HOST = 127.0.0.1:5432
+NAME = __DB_NAME__
+USER = __DB_USER__
+PASSWD = __DB_PWD__
 SSL_MODE = disable
 LOG_SQL = false
 [repository]
-ROOT = __DATADIR__/repositories
+ROOT = __DATADIR__/repositories
 FORCE_PRIVATE = false
 [server]
-DOMAIN = __DOMAIN__
-HTTP_PORT = __PORT__
-HTTP_ADDR = 127.0.0.1
-ROOT_URL = https://__DOMAIN____PATH_URL__
-DISABLE_SSH = false
-SSH_PORT = __SSH_PORT__
-OFFLINE_MODE = false
-APP_DATA_PATH = __DATADIR__/data
-LANDING_PAGE = explore
+DOMAIN = __DOMAIN__
+HTTP_PORT = __PORT__
+HTTP_ADDR = 127.0.0.1
+ROOT_URL = https://__DOMAIN____PATH_URL__
+DISABLE_SSH = false
+SSH_PORT = __SSH_PORT__
+OFFLINE_MODE = false
+APP_DATA_PATH = __DATADIR__/data
+LANDING_PAGE = explore
 LFS_START_SERVER = true
-LFS_JWT_SECRET = __LFS_KEY__
+LFS_JWT_SECRET = __LFS_JWT_SECRET__
+LOCAL_ROOT_URL = http://127.0.0.1:__PORT__/
 [mailer]
-ENABLED = true
-HOST = 127.0.0.1:25
-FROM = "Forgejo"
+ENABLED = true
+HOST = 127.0.0.1:25
+FROM = "Forgejo"
 SKIP_VERIFY = true
 [service]
-REGISTER_EMAIL_CONFIRM = false
-ENABLE_NOTIFY_MAIL = true
-DISABLE_REGISTRATION = true
-ENABLE_CAPTCHA = false
-REQUIRE_SIGNIN_VIEW = false
-ENABLE_REVERSE_PROXY_AUTHENTICATION = true
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = true
+DISABLE_REGISTRATION = true
+ENABLE_CAPTCHA = false
+REQUIRE_SIGNIN_VIEW = false
+ENABLE_REVERSE_PROXY_AUTHENTICATION = true
 ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true
 [picture]
-AVATAR_UPLOAD_PATH = __DATADIR__/data/avatars
+AVATAR_UPLOAD_PATH = __DATADIR__/data/avatars
 REPOSITORY_AVATAR_UPLOAD_PATH = __DATADIR__/data/repo-avatars
 [attachment]
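Review bot: `FROM = "Forgejo"` in the rewritten [mailer] block is a bare display name with no address; if Forgejo inherits Gitea's startup check, which parses mailer.FROM with net/mail and aborts on an unparsable value, this line needs an address such as `FROM = "Forgejo" <forgejo@__DOMAIN__>` (constructed example; use whatever the host MTA accepts) — worth confirming on a running instance before changing it. The added `LOCAL_ROOT_URL = http://127.0.0.1:__PORT__/` appears to equal the value Gitea derives from HTTP_ADDR and HTTP_PORT, so a one-line comment above it stating why it is pinned explicitly would keep a later cleanup from dropping it. The renamed placeholders (`__LFS_JWT_SECRET__` here, `__SECRET_KEY__` and `__INTERNAL_TOKEN__` in the [security] hunk) resolve only where a matching lowercase shell variable is set before ynh_add_config renders this file; install, upgrade and change_url are covered by this patch, but any other script that renders app.ini is not in the diff and should be checked.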
@@ -55,19 +56,15 @@ PATH = __DATADIR__/attachments
 PROVIDER = memory
 [log]
-MODE = file
-LEVEL = Info
-ROOT_PATH = /var/log/__APP__
-
+MODE = file
+LEVEL = Info
+ROOT_PATH = /var/log/__APP__
 REDIRECT_MACARON_LOG = true
 MACARON = file
-
 ROUTER_LOG_LEVEL = Warn
 ROUTER = file
-
 ENABLE_ACCESS_LOG = Warn
 ACCESS = file
-
 ENABLE_XORM_LOG = Warn
 XORM = file
@@ -75,7 +72,8 @@ XORM = file
 FILE_NAME = forgejo.log
 [security]
-INSTALL_LOCK = true
-SECRET_KEY = __KEY__
+INSTALL_LOCK = true
+SECRET_KEY = __SECRET_KEY__
 REVERSE_PROXY_AUTHENTICATION_USER = REMOTE-USER
 REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128
+INTERNAL_TOKEN = __INTERNAL_TOKEN__
diff --git a/manifest.json b/manifest.json
index 17a0f4a..dafdcc9 100644
--- a/manifest.json
+++ b/manifest.json
@@ -14,7 +14,7 @@
 },
 "url": "https://forgejo.org",
 "license": "MIT",
- "version": "1.18.0-1~ynh1",
+ "version": "1.18.0-1~ynh2",
 "maintainer": {
 "name": "Emmanuel Averty",
 "email": "emmanuel.averty@free.fr"
diff --git a/scripts/change_url b/scripts/change_url
index 561286a..c4a6eb6 100644
--- a/scripts/change_url
+++ b/scripts/change_url
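Review bot: The new `INTERNAL_TOKEN = __INTERNAL_TOKEN__` line makes the rendered app.ini hold three long-lived secrets (with SECRET_KEY and LFS_JWT_SECRET), so the file's owner and mode matter more than before; the `chmod -R o-rwx "$final_path"` visible in the install hunk only covers app.ini if it is rendered under final_path before that chmod runs, which this diff does not show, so check that the rendered file ends up readable by the app user and root only. Gitea documents that an absent INTERNAL_TOKEN is generated and written back into app.ini at startup; pinning it here is what prevents that rewrite, and a comment recording the intent, `; pinned so Forgejo never has to rewrite app.ini at startup`, would help the next maintainer. The [log] hunk above is whitespace-only and the manifest hunk is a version bump.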
@@ -26,15 +26,16 @@ app=$YNH_APP_INSTANCE_NAME
 #=================================================
 ynh_script_progression --message="Loading installation settings..." --weight=1
-# Needed for helper "ynh_add_nginx_config"
+# Needed for helper "ynh_add_nginx_config and ynh_add_config"
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 port=$(ynh_app_setting_get --app=$app --key=port)
 admin=$(ynh_app_setting_get --app=$app --key=admin)
 db_name=$(ynh_app_setting_get --app=$app --key=db_name)
 db_user=$db_name
 db_pwd=$(ynh_app_setting_get --app=$app --key=psqlpwd)
-key=$(ynh_app_setting_get --app=$app --key=key)
-lfs_key=$(ynh_app_setting_get --app=$app --key=lfs_key)
+secret_key=$(ynh_app_setting_get --app=$app --key=secret_key)
+lfs_jwt_secret=$(ynh_app_setting_get --app=$app --key=lfs_jwt_secret)
+internal_token=$(ynh_app_setting_get --app=$app --key=internal_token)
 datadir=$(ynh_app_setting_get --app=$app --key=datadir)
 path_url=$(ynh_app_setting_get --app=$app --key=path)
diff --git a/scripts/install b/scripts/install
index d05f3d8..138acb8 100644
--- a/scripts/install
+++ b/scripts/install
@@ -27,10 +27,6 @@ path_url=$YNH_APP_ARG_PATH
 admin=$YNH_APP_ARG_ADMIN
 is_public=$YNH_APP_ARG_IS_PUBLIC
-# Generate keys
-key=$(ynh_string_random --length=24)
-lfs_key=$(ynh_string_random --length=24)
-
 app=$YNH_APP_INSTANCE_NAME
 #=================================================
@@ -54,8 +50,6 @@ ynh_script_progression --message="Storing installation settings..." --weight=1
 ynh_app_setting_set --app=$app --key=domain --value=$domain
 ynh_app_setting_set --app=$app --key=admin --value=$admin
 ynh_app_setting_set --app=$app --key=path --value=$path_url
-ynh_app_setting_set --app=$app --key=key --value=$key
-ynh_app_setting_set --app=$app --key=lfs_key --value=$lfs_key
 #=================================================
 # STANDARD MODIFICATIONS
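Review bot: The rewritten comment `# Needed for helper "ynh_add_nginx_config and ynh_add_config"` quotes two helper names as one string; `# Needed for helpers "ynh_add_nginx_config" and "ynh_add_config"` reads correctly. The three `ynh_app_setting_get` lines that replace `key` and `lfs_key` assume the upgrade script has already stored the renamed settings, which holds once the version bump forces an upgrade; if change_url can still run on an instance holding only the legacy `key` setting, these variables come back empty and the re-rendered app.ini loses its secrets, so a guard such as `[ -n "$secret_key" ] || ynh_die --message="secret_key setting missing; run the upgrade first"` is cheap insurance. The two install hunks on this line only remove the old key generation and need nothing.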
@@ -112,6 +106,16 @@ chmod -R o-rwx "$final_path"
 chown -R $app:$app "$final_path"
 chmod +x "$final_path/forgejo"
+#=================================================
+# KEYS GENERATION
+#=================================================
+secret_key=$($final_path/forgejo generate secret SECRET_KEY)
+lfs_jwt_secret=$($final_path/forgejo generate secret JWT_SECRET)
+internal_token=$($final_path/forgejo generate secret INTERNAL_TOKEN)
+ynh_app_setting_set --app=$app --key=secret_key --value=$secret_key
+ynh_app_setting_set --app=$app --key=lfs_jwt_secret --value=$lfs_jwt_secret
+ynh_app_setting_set --app=$app --key=internal_token --value=$internal_token
+
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
@@ -130,7 +134,6 @@ if [ -e "$datadir" ]; then
 fi
 mkdir -p $datadir
-# mkdir -p "$datadir/data/{repositories,avatars,attachments}" # TODO valider la création de ces répetoires
 mkdir -p "$datadir/.ssh"
 chmod 750 "$datadir"
diff --git a/scripts/upgrade b/scripts/upgrade
index b52489b..a0cdfb8 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -25,8 +25,9 @@ datadir=$(ynh_app_setting_get --app=$app --key=datadir)
 db_name=$(ynh_app_setting_get --app=$app --key=db_name)
 db_user=$db_name
 db_pwd=$(ynh_app_setting_get --app=$app --key=psqlpwd)
-key=$(ynh_app_setting_get --app=$app --key=key)
-lfs_key=$(ynh_app_setting_get --app=$app --key=lfs_key)
+secret_key=$(ynh_app_setting_get --app=$app --key=secret_key)
+lfs_jwt_secret=$(ynh_app_setting_get --app=$app --key=lfs_jwt_secret)
+internal_token=$(ynh_app_setting_get --app=$app --key=internal_token)
 #=================================================
 # CHECK VERSION
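Review bot: The three `generate secret` assignments in the new KEYS GENERATION block are stored and rendered without checking that anything came back; if the binary prints nothing yet exits 0, an empty value lands in app.ini, and Gitea's settings loader has historically substituted a fixed, publicly known default when SECRET_KEY is empty, so the instance would silently run with a shared key. Adding after each assignment a line such as `[ -n "$secret_key" ] || ynh_die --message="Failed to generate SECRET_KEY"` (and the same for lfs_jwt_secret and internal_token) turns that into an install failure instead. The block also runs the freshly extracted binary as root; `ynh_exec_as $app $final_path/forgejo generate secret SECRET_KEY` would keep it under the app user, which is all the privilege it needs. The config rendering that consumes these variables is presumably later in the script and not visible in this hunk.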
@@ -75,18 +76,30 @@ if [ -z "$port" ]; then
 ynh_app_setting_set --app=$app --key=port --value=$port
 fi
-# If lfs_key doesn't exist, create it
-if [ -z "$lfs_key" ]; then
- lfs_key=$(ynh_string_random)
- ynh_app_setting_set --app=$app --key=lfs_key --value=$lfs_key
-fi
-
 # If final_path doesn't exist, create it
 if [ -z "$final_path" ]; then
 final_path=/opt/$app
 ynh_app_setting_set --app=$app --key=final_path --value=$final_path
 fi
+# If secret_key doesn't exist, create it
+if [ -z "$secret_key" ]; then
+ secret_key=$($final_path/forgejo generate secret SECRET_KEY)
+ ynh_app_setting_set --app=$app --key=secret_key --value=$secret_key
+fi
+
+# If lfs_jwt_secret doesn't exist, create it
+if [ -z "$lfs_jwt_secret" ]; then
+ lfs_jwt_secret=$($final_path/forgejo generate secret JWT_SECRET)
+ ynh_app_setting_set --app=$app --key=lfs_jwt_secret --value=$lfs_jwt_secret
+fi
+
+# If internal_token doesn't exist, create it
+if [ -z "$internal_token" ]; then
+ internal_token=$($final_path/forgejo generate secret INTERNAL_TOKEN)
+ ynh_app_setting_set --app=$app --key=internal_token --value=$internal_token
+fi
+
 # If datadir doesn't exist, create it
 if [ -z "$datadir" ]; then
 datadir=/home/yunohost.app/$app
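Review bot: For instances upgraded from ynh1, `secret_key` is empty because the stored setting is still named `key`, so the new `if [ -z "$secret_key" ]` block generates a fresh SECRET_KEY and the re-rendered app.ini changes the key Gitea uses to encrypt stored data (at least the two-factor secrets), locking those users out after the upgrade. The block should first reuse the legacy `key` setting and only generate when neither exists, then delete the legacy setting so it is not left behind. The same fallback is not worth adding for LFS: Gitea regenerates an LFS_JWT_SECRET whose decoded length is under 32 bytes, so the old 24-character `lfs_key` was presumably already being replaced at startup — confirm against the shipped Forgejo version. The rewritten secret_key block follows; the lfs_jwt_secret and internal_token blocks stay as in the hunk, apart from a matching `ynh_app_setting_delete --app=$app --key=lfs_key`.
```shell
# If secret_key doesn't exist, reuse the legacy "key" setting, else create it
if [ -z "$secret_key" ]; then
    secret_key=$(ynh_app_setting_get --app=$app --key=key)
    if [ -z "$secret_key" ]; then
        secret_key=$($final_path/forgejo generate secret SECRET_KEY)
    fi
    ynh_app_setting_set --app=$app --key=secret_key --value=$secret_key
    ynh_app_setting_delete --app=$app --key=key
fi
# … unchanged: lfs_jwt_secret, internal_token and datadir blocks …
```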