fix: use forgejo binary to generate application secrets

Emmanuel Averty 2023-01-22 08:10:43 +01:00 committed by grosmanal
parent df510686b4
commit 52d696f941
5 changed files with 70 additions and 55 deletions


@ -1,4 +1,4 @@
;https://codeberg.org/forgejo/forgejo/src/branch/forgejo/custom/conf/app.example.ini ; https://codeberg.org/forgejo/forgejo/src/branch/forgejo/custom/conf/app.example.ini
APP_NAME = Forgejo APP_NAME = Forgejo
RUN_USER = __APP__ RUN_USER = __APP__
RUN_MODE = prod RUN_MODE = prod
@ -27,7 +27,8 @@ OFFLINE_MODE = false
APP_DATA_PATH = __DATADIR__/data APP_DATA_PATH = __DATADIR__/data
LANDING_PAGE = explore LANDING_PAGE = explore
LFS_START_SERVER = true LFS_START_SERVER = true
LFS_JWT_SECRET = __LFS_KEY__ LFS_JWT_SECRET = __LFS_JWT_SECRET__
LOCAL_ROOT_URL = http://127.0.0.1:__PORT__/
[mailer] [mailer]
ENABLED = true ENABLED = true
@ -58,16 +59,12 @@ PROVIDER = memory
MODE = file MODE = file
LEVEL = Info LEVEL = Info
ROOT_PATH = /var/log/__APP__ ROOT_PATH = /var/log/__APP__
REDIRECT_MACARON_LOG = true REDIRECT_MACARON_LOG = true
MACARON = file MACARON = file
ROUTER_LOG_LEVEL = Warn ROUTER_LOG_LEVEL = Warn
ROUTER = file ROUTER = file
ENABLE_ACCESS_LOG = Warn ENABLE_ACCESS_LOG = Warn
ACCESS = file ACCESS = file
ENABLE_XORM_LOG = Warn ENABLE_XORM_LOG = Warn
XORM = file XORM = file
@ -76,6 +73,7 @@ FILE_NAME = forgejo.log
[security] [security]
INSTALL_LOCK = true INSTALL_LOCK = true
SECRET_KEY = __KEY__ SECRET_KEY = __SECRET_KEY__
REVERSE_PROXY_AUTHENTICATION_USER = REMOTE-USER REVERSE_PROXY_AUTHENTICATION_USER = REMOTE-USER
REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128 REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128
INTERNAL_TOKEN = __INTERNAL_TOKEN__


@ -14,7 +14,7 @@
}, },
"url": "https://forgejo.org", "url": "https://forgejo.org",
"license": "MIT", "license": "MIT",
"version": "1.18.0-1~ynh1", "version": "1.18.0-1~ynh2",
"maintainer": { "maintainer": {
"name": "Emmanuel Averty", "name": "Emmanuel Averty",
"email": "emmanuel.averty@free.fr" "email": "emmanuel.averty@free.fr"


@ -26,15 +26,16 @@ app=$YNH_APP_INSTANCE_NAME
#================================================= #=================================================
ynh_script_progression --message="Loading installation settings..." --weight=1 ynh_script_progression --message="Loading installation settings..." --weight=1
# Needed for helper "ynh_add_nginx_config" # Needed for helper "ynh_add_nginx_config and ynh_add_config"
final_path=$(ynh_app_setting_get --app=$app --key=final_path) final_path=$(ynh_app_setting_get --app=$app --key=final_path)
port=$(ynh_app_setting_get --app=$app --key=port) port=$(ynh_app_setting_get --app=$app --key=port)
admin=$(ynh_app_setting_get --app=$app --key=admin) admin=$(ynh_app_setting_get --app=$app --key=admin)
db_name=$(ynh_app_setting_get --app=$app --key=db_name) db_name=$(ynh_app_setting_get --app=$app --key=db_name)
db_user=$db_name db_user=$db_name
db_pwd=$(ynh_app_setting_get --app=$app --key=psqlpwd) db_pwd=$(ynh_app_setting_get --app=$app --key=psqlpwd)
key=$(ynh_app_setting_get --app=$app --key=key) secret_key=$(ynh_app_setting_get --app=$app --key=secret_key)
lfs_key=$(ynh_app_setting_get --app=$app --key=lfs_key) lfs_jwt_secret=$(ynh_app_setting_get --app=$app --key=lfs_jwt_secret)
internal_token=$(ynh_app_setting_get --app=$app --key=internal_token)
datadir=$(ynh_app_setting_get --app=$app --key=datadir) datadir=$(ynh_app_setting_get --app=$app --key=datadir)
path_url=$(ynh_app_setting_get --app=$app --key=path) path_url=$(ynh_app_setting_get --app=$app --key=path)
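Review bot: `internal_token` is loaded here with no fallback, unlike the upgrade script in this same commit; if this script (it looks like change_url, the name is not shown) runs on an instance installed as ~ynh1 that has not been upgraded yet, the setting does not exist and the empty string would be rendered into app.ini as `INTERNAL_TOKEN =`. A guard right after the assignment would make that failure explicit instead of silent, e.g. `[ -n "$internal_token" ] || ynh_die --message="internal_token setting is missing; upgrade the app first"` (assuming the standard `ynh_die` helper). The same applies to `secret_key` and `lfs_jwt_secret`, whose setting names were renamed by this commit. Separately, the comment on the first changed line has its quotes misplaced; `# Needed for helpers "ynh_add_nginx_config" and "ynh_add_config"` reads correctly.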


@ -27,10 +27,6 @@ path_url=$YNH_APP_ARG_PATH
admin=$YNH_APP_ARG_ADMIN admin=$YNH_APP_ARG_ADMIN
is_public=$YNH_APP_ARG_IS_PUBLIC is_public=$YNH_APP_ARG_IS_PUBLIC
# Generate keys
key=$(ynh_string_random --length=24)
lfs_key=$(ynh_string_random --length=24)
app=$YNH_APP_INSTANCE_NAME app=$YNH_APP_INSTANCE_NAME
#================================================= #=================================================
@ -54,8 +50,6 @@ ynh_script_progression --message="Storing installation settings..." --weight=1
ynh_app_setting_set --app=$app --key=domain --value=$domain ynh_app_setting_set --app=$app --key=domain --value=$domain
ynh_app_setting_set --app=$app --key=admin --value=$admin ynh_app_setting_set --app=$app --key=admin --value=$admin
ynh_app_setting_set --app=$app --key=path --value=$path_url ynh_app_setting_set --app=$app --key=path --value=$path_url
ynh_app_setting_set --app=$app --key=key --value=$key
ynh_app_setting_set --app=$app --key=lfs_key --value=$lfs_key
#================================================= #=================================================
# STANDARD MODIFICATIONS # STANDARD MODIFICATIONS
@ -112,6 +106,16 @@ chmod -R o-rwx "$final_path"
chown -R $app:$app "$final_path" chown -R $app:$app "$final_path"
chmod +x "$final_path/forgejo" chmod +x "$final_path/forgejo"
#=================================================
# KEYS GENERATION
#=================================================
secret_key=$($final_path/forgejo generate secret SECRET_KEY)
lfs_jwt_secret=$($final_path/forgejo generate secret JWT_SECRET)
internal_token=$($final_path/forgejo generate secret INTERNAL_TOKEN)
ynh_app_setting_set --app=$app --key=secret_key --value=$secret_key
ynh_app_setting_set --app=$app --key=lfs_jwt_secret --value=$lfs_jwt_secret
ynh_app_setting_set --app=$app --key=internal_token --value=$internal_token
#================================================= #=================================================
# NGINX CONFIGURATION # NGINX CONFIGURATION
#================================================= #=================================================
@ -130,7 +134,6 @@ if [ -e "$datadir" ]; then
fi fi
mkdir -p $datadir mkdir -p $datadir
# mkdir -p "$datadir/data/{repositories,avatars,attachments}" # TODO valider la création de ces répetoires
mkdir -p "$datadir/.ssh" mkdir -p "$datadir/.ssh"
chmod 750 "$datadir" chmod 750 "$datadir"
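Review bot: Nothing in the KEYS GENERATION block checks that `forgejo generate secret` actually produced a value before it is persisted: each secret is captured by command substitution and handed straight to `ynh_app_setting_set`, so an empty stdout (a zero exit without output, or output on another stream — not verifiable from here) would store an empty SECRET_KEY, LFS JWT secret or INTERNAL_TOKEN and later render it into app.ini as a blank key. `$final_path` is also unquoted in the three invocations, whereas the chmod/chown lines just above quote it. I would quote the path and fail early on an empty value as sketched below, taking `ynh_die` to be the standard YunoHost helper.

```shell
#=================================================
# KEYS GENERATION
#=================================================
# Secrets come from the installed binary; abort on an empty value rather than
# persisting it and rendering a blank key into app.ini.
secret_key=$("$final_path/forgejo" generate secret SECRET_KEY)
lfs_jwt_secret=$("$final_path/forgejo" generate secret JWT_SECRET)
internal_token=$("$final_path/forgejo" generate secret INTERNAL_TOKEN)
for secret_var in secret_key lfs_jwt_secret internal_token; do
	[ -n "${!secret_var}" ] || ynh_die --message="forgejo generate secret returned an empty $secret_var"
done
ynh_app_setting_set --app=$app --key=secret_key --value="$secret_key"
# … unchanged: remaining ynh_app_setting_set calls …
```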


@ -25,8 +25,9 @@ datadir=$(ynh_app_setting_get --app=$app --key=datadir)
db_name=$(ynh_app_setting_get --app=$app --key=db_name) db_name=$(ynh_app_setting_get --app=$app --key=db_name)
db_user=$db_name db_user=$db_name
db_pwd=$(ynh_app_setting_get --app=$app --key=psqlpwd) db_pwd=$(ynh_app_setting_get --app=$app --key=psqlpwd)
key=$(ynh_app_setting_get --app=$app --key=key) secret_key=$(ynh_app_setting_get --app=$app --key=secret_key)
lfs_key=$(ynh_app_setting_get --app=$app --key=lfs_key) lfs_jwt_secret=$(ynh_app_setting_get --app=$app --key=lfs_jwt_secret)
internal_token=$(ynh_app_setting_get --app=$app --key=internal_token)
#================================================= #=================================================
# CHECK VERSION # CHECK VERSION
@ -75,18 +76,30 @@ if [ -z "$port" ]; then
ynh_app_setting_set --app=$app --key=port --value=$port ynh_app_setting_set --app=$app --key=port --value=$port
fi fi
# If lfs_key doesn't exist, create it
if [ -z "$lfs_key" ]; then
lfs_key=$(ynh_string_random)
ynh_app_setting_set --app=$app --key=lfs_key --value=$lfs_key
fi
# If final_path doesn't exist, create it # If final_path doesn't exist, create it
if [ -z "$final_path" ]; then if [ -z "$final_path" ]; then
final_path=/opt/$app final_path=/opt/$app
ynh_app_setting_set --app=$app --key=final_path --value=$final_path ynh_app_setting_set --app=$app --key=final_path --value=$final_path
fi fi
# If secret_key doesn't exist, create it
if [ -z "$secret_key" ]; then
secret_key=$($final_path/forgejo generate secret SECRET_KEY)
ynh_app_setting_set --app=$app --key=secret_key --value=$secret_key
fi
# If lfs_jwt_secret doesn't exist, create it
if [ -z "$lfs_jwt_secret" ]; then
lfs_jwt_secret=$($final_path/forgejo generate secret JWT_SECRET)
ynh_app_setting_set --app=$app --key=lfs_jwt_secret --value=$lfs_jwt_secret
fi
# If internal_token doesn't exist, create it
if [ -z "$internal_token" ]; then
internal_token=$($final_path/forgejo generate secret INTERNAL_TOKEN)
ynh_app_setting_set --app=$app --key=internal_token --value=$internal_token
fi
# If datadir doesn't exist, create it # If datadir doesn't exist, create it
if [ -z "$datadir" ]; then if [ -z "$datadir" ]; then
datadir=/home/yunohost.app/$app datadir=/home/yunohost.app/$app
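Review bot: Instances installed as 1.18.0-1~ynh1 stored their secrets under the settings `key` and `lfs_key` (the names this commit removes from install), but the upgrade path only reads `secret_key` and `lfs_jwt_secret` and, finding them empty, generates brand-new values — so SECRET_KEY is silently rotated on every pre-existing install. Forgejo uses SECRET_KEY to encrypt data at rest such as two-factor secrets, so users with 2FA enabled would likely be locked out after this upgrade (to be confirmed against the Forgejo documentation), and any outstanding LFS tokens would stop validating. The old value should be carried over before falling back to generation, as sketched below; the same pattern applies to `lfs_jwt_secret` with the old `lfs_key` setting. Note also that `$final_path/forgejo` is executed in this compatibility block before any step that deploys the binary (the download/upgrade step is outside the hunk): on the branch where `final_path` was only just initialised a few lines above, the binary may not exist yet, though that branch is probably unreachable for real upgrades.

```shell
# If secret_key doesn't exist, first carry over the value stored under the
# pre-~ynh2 setting name "key": a freshly generated SECRET_KEY cannot decrypt
# data encrypted with the old one. Only generate when neither exists.
if [ -z "$secret_key" ]; then
	secret_key=$(ynh_app_setting_get --app=$app --key=key)
	if [ -z "$secret_key" ]; then
		secret_key=$("$final_path/forgejo" generate secret SECRET_KEY)
	fi
	ynh_app_setting_set --app=$app --key=secret_key --value="$secret_key"
	ynh_app_setting_delete --app=$app --key=key
fi
# … same pattern for lfs_jwt_secret, migrating the old "lfs_key" setting …
# … unchanged: internal_token generation …
```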