fix: use forgejo binary to generate application secrets

This commit is contained in:
Emmanuel Averty 2023-01-22 08:10:43 +01:00 committed by grosmanal
parent df510686b4
commit 52d696f941
5 changed files with 70 additions and 55 deletions


@ -1,51 +1,52 @@
;https://codeberg.org/forgejo/forgejo/src/branch/forgejo/custom/conf/app.example.ini ; https://codeberg.org/forgejo/forgejo/src/branch/forgejo/custom/conf/app.example.ini
APP_NAME = Forgejo APP_NAME = Forgejo
RUN_USER = __APP__ RUN_USER = __APP__
RUN_MODE = prod RUN_MODE = prod
[database] [database]
DB_TYPE = postgres DB_TYPE = postgres
HOST = 127.0.0.1:5432 HOST = 127.0.0.1:5432
NAME = __DB_NAME__ NAME = __DB_NAME__
USER = __DB_USER__ USER = __DB_USER__
PASSWD = __DB_PWD__ PASSWD = __DB_PWD__
SSL_MODE = disable SSL_MODE = disable
LOG_SQL = false LOG_SQL = false
[repository] [repository]
ROOT = __DATADIR__/repositories ROOT = __DATADIR__/repositories
FORCE_PRIVATE = false FORCE_PRIVATE = false
[server] [server]
DOMAIN = __DOMAIN__ DOMAIN = __DOMAIN__
HTTP_PORT = __PORT__ HTTP_PORT = __PORT__
HTTP_ADDR = 127.0.0.1 HTTP_ADDR = 127.0.0.1
ROOT_URL = https://__DOMAIN____PATH_URL__ ROOT_URL = https://__DOMAIN____PATH_URL__
DISABLE_SSH = false DISABLE_SSH = false
SSH_PORT = __SSH_PORT__ SSH_PORT = __SSH_PORT__
OFFLINE_MODE = false OFFLINE_MODE = false
APP_DATA_PATH = __DATADIR__/data APP_DATA_PATH = __DATADIR__/data
LANDING_PAGE = explore LANDING_PAGE = explore
LFS_START_SERVER = true LFS_START_SERVER = true
LFS_JWT_SECRET = __LFS_KEY__ LFS_JWT_SECRET = __LFS_JWT_SECRET__
LOCAL_ROOT_URL = http://127.0.0.1:__PORT__/
[mailer] [mailer]
ENABLED = true ENABLED = true
HOST = 127.0.0.1:25 HOST = 127.0.0.1:25
FROM = "Forgejo" <forgejo-noreply@__DOMAIN__> FROM = "Forgejo" <forgejo-noreply@__DOMAIN__>
SKIP_VERIFY = true SKIP_VERIFY = true
[service] [service]
REGISTER_EMAIL_CONFIRM = false REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = true ENABLE_NOTIFY_MAIL = true
DISABLE_REGISTRATION = true DISABLE_REGISTRATION = true
ENABLE_CAPTCHA = false ENABLE_CAPTCHA = false
REQUIRE_SIGNIN_VIEW = false REQUIRE_SIGNIN_VIEW = false
ENABLE_REVERSE_PROXY_AUTHENTICATION = true ENABLE_REVERSE_PROXY_AUTHENTICATION = true
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true
[picture] [picture]
AVATAR_UPLOAD_PATH = __DATADIR__/data/avatars AVATAR_UPLOAD_PATH = __DATADIR__/data/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = __DATADIR__/data/repo-avatars REPOSITORY_AVATAR_UPLOAD_PATH = __DATADIR__/data/repo-avatars
[attachment] [attachment]
@ -55,19 +56,15 @@ PATH = __DATADIR__/attachments
PROVIDER = memory PROVIDER = memory
[log] [log]
MODE = file MODE = file
LEVEL = Info LEVEL = Info
ROOT_PATH = /var/log/__APP__ ROOT_PATH = /var/log/__APP__
REDIRECT_MACARON_LOG = true REDIRECT_MACARON_LOG = true
MACARON = file MACARON = file
ROUTER_LOG_LEVEL = Warn ROUTER_LOG_LEVEL = Warn
ROUTER = file ROUTER = file
ENABLE_ACCESS_LOG = Warn ENABLE_ACCESS_LOG = Warn
ACCESS = file ACCESS = file
ENABLE_XORM_LOG = Warn ENABLE_XORM_LOG = Warn
XORM = file XORM = file
@ -75,7 +72,8 @@ XORM = file
FILE_NAME = forgejo.log FILE_NAME = forgejo.log
[security] [security]
INSTALL_LOCK = true INSTALL_LOCK = true
SECRET_KEY = __KEY__ SECRET_KEY = __SECRET_KEY__
REVERSE_PROXY_AUTHENTICATION_USER = REMOTE-USER REVERSE_PROXY_AUTHENTICATION_USER = REMOTE-USER
REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128 REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128
INTERNAL_TOKEN = __INTERNAL_TOKEN__
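Review bot: The three secret placeholders this template now carries (`__SECRET_KEY__` at L75, `__LFS_JWT_SECRET__` at L38, `__INTERNAL_TOKEN__` at L78) have no comment saying where the values come from or that they must stay stable, and the only header comment is the upstream example link at L12. Add above `SECRET_KEY` in `[security]` a full-line `;` comment such as `; SECRET_KEY, LFS_JWT_SECRET and INTERNAL_TOKEN are generated once by "forgejo generate secret" during install and stored in the app settings; do not edit or regenerate them by hand`. Per upstream documentation SECRET_KEY encrypts stored data such as two-factor secrets, so a hand-rotated value makes that data unreadable — worth stating in the same comment, hedged as "per upstream docs" if the packager cannot confirm it for this Forgejo release.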


@ -14,7 +14,7 @@
}, },
"url": "https://forgejo.org", "url": "https://forgejo.org",
"license": "MIT", "license": "MIT",
"version": "1.18.0-1~ynh1", "version": "1.18.0-1~ynh2",
"maintainer": { "maintainer": {
"name": "Emmanuel Averty", "name": "Emmanuel Averty",
"email": "emmanuel.averty@free.fr" "email": "emmanuel.averty@free.fr"


@ -26,15 +26,16 @@ app=$YNH_APP_INSTANCE_NAME
#================================================= #=================================================
ynh_script_progression --message="Loading installation settings..." --weight=1 ynh_script_progression --message="Loading installation settings..." --weight=1
# Needed for helper "ynh_add_nginx_config" # Needed for helper "ynh_add_nginx_config and ynh_add_config"
final_path=$(ynh_app_setting_get --app=$app --key=final_path) final_path=$(ynh_app_setting_get --app=$app --key=final_path)
port=$(ynh_app_setting_get --app=$app --key=port) port=$(ynh_app_setting_get --app=$app --key=port)
admin=$(ynh_app_setting_get --app=$app --key=admin) admin=$(ynh_app_setting_get --app=$app --key=admin)
db_name=$(ynh_app_setting_get --app=$app --key=db_name) db_name=$(ynh_app_setting_get --app=$app --key=db_name)
db_user=$db_name db_user=$db_name
db_pwd=$(ynh_app_setting_get --app=$app --key=psqlpwd) db_pwd=$(ynh_app_setting_get --app=$app --key=psqlpwd)
key=$(ynh_app_setting_get --app=$app --key=key) secret_key=$(ynh_app_setting_get --app=$app --key=secret_key)
lfs_key=$(ynh_app_setting_get --app=$app --key=lfs_key) lfs_jwt_secret=$(ynh_app_setting_get --app=$app --key=lfs_jwt_secret)
internal_token=$(ynh_app_setting_get --app=$app --key=internal_token)
datadir=$(ynh_app_setting_get --app=$app --key=datadir) datadir=$(ynh_app_setting_get --app=$app --key=datadir)
path_url=$(ynh_app_setting_get --app=$app --key=path) path_url=$(ynh_app_setting_get --app=$app --key=path)
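Review bot: The updated comment at L96 puts both helper names inside one pair of quotes, `# Needed for helper "ynh_add_nginx_config and ynh_add_config"`, which reads as a single helper called that; write it as `# Needed for helpers "ynh_add_nginx_config" and "ynh_add_config"`. The three settings read at L103-L105 are passed straight to ynh_add_config, so an empty `secret_key` or `internal_token` (for instance if the setting was never written) would silently produce an empty secret in app.ini; a short guard such as `[ -n "$secret_key" ] || ynh_die --message="Missing secret_key setting"` before the config is rendered would surface that instead. The enclosing settings-loading block continues outside the hunk.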


@ -27,10 +27,6 @@ path_url=$YNH_APP_ARG_PATH
admin=$YNH_APP_ARG_ADMIN admin=$YNH_APP_ARG_ADMIN
is_public=$YNH_APP_ARG_IS_PUBLIC is_public=$YNH_APP_ARG_IS_PUBLIC
# Generate keys
key=$(ynh_string_random --length=24)
lfs_key=$(ynh_string_random --length=24)
app=$YNH_APP_INSTANCE_NAME app=$YNH_APP_INSTANCE_NAME
#================================================= #=================================================
@ -54,8 +50,6 @@ ynh_script_progression --message="Storing installation settings..." --weight=1
ynh_app_setting_set --app=$app --key=domain --value=$domain ynh_app_setting_set --app=$app --key=domain --value=$domain
ynh_app_setting_set --app=$app --key=admin --value=$admin ynh_app_setting_set --app=$app --key=admin --value=$admin
ynh_app_setting_set --app=$app --key=path --value=$path_url ynh_app_setting_set --app=$app --key=path --value=$path_url
ynh_app_setting_set --app=$app --key=key --value=$key
ynh_app_setting_set --app=$app --key=lfs_key --value=$lfs_key
#================================================= #=================================================
# STANDARD MODIFICATIONS # STANDARD MODIFICATIONS
@ -112,6 +106,16 @@ chmod -R o-rwx "$final_path"
chown -R $app:$app "$final_path" chown -R $app:$app "$final_path"
chmod +x "$final_path/forgejo" chmod +x "$final_path/forgejo"
#=================================================
# KEYS GENERATION
#=================================================
secret_key=$($final_path/forgejo generate secret SECRET_KEY)
lfs_jwt_secret=$($final_path/forgejo generate secret JWT_SECRET)
internal_token=$($final_path/forgejo generate secret INTERNAL_TOKEN)
ynh_app_setting_set --app=$app --key=secret_key --value=$secret_key
ynh_app_setting_set --app=$app --key=lfs_jwt_secret --value=$lfs_jwt_secret
ynh_app_setting_set --app=$app --key=internal_token --value=$internal_token
#================================================= #=================================================
# NGINX CONFIGURATION # NGINX CONFIGURATION
#================================================= #=================================================
@ -130,7 +134,6 @@ if [ -e "$datadir" ]; then
fi fi
mkdir -p $datadir mkdir -p $datadir
# mkdir -p "$datadir/data/{repositories,avatars,attachments}" # TODO valider la création de ces répetoires
mkdir -p "$datadir/.ssh" mkdir -p "$datadir/.ssh"
chmod 750 "$datadir" chmod 750 "$datadir"
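Review bot: The three `$final_path/forgejo generate secret` calls in the KEYS GENERATION block (L133-L135) run as root and their output is stored at L136-L138 without checking that anything was produced. The binary was just chown'ed to `$app` at L128, so running it as that user via `ynh_exec_as $app` keeps any file it might create under `$final_path` out of root ownership, and a blank result (exit 0 with nothing on stdout) should abort the install rather than end up as an empty SECRET_KEY or INTERNAL_TOKEN in app.ini. The `--value=$secret_key` arguments are also unquoted; the generated values contain no whitespace today, but quoting costs nothing. Whether the install script already has `ynh_abort_if_errors` in effect is not visible in this hunk, so a non-zero exit may or may not already abort.

```bash
#=================================================
# KEYS GENERATION
#=================================================
# Generate the secrets as the service user; refuse to store an empty one
secret_key=$(ynh_exec_as $app "$final_path/forgejo" generate secret SECRET_KEY)
lfs_jwt_secret=$(ynh_exec_as $app "$final_path/forgejo" generate secret JWT_SECRET)
internal_token=$(ynh_exec_as $app "$final_path/forgejo" generate secret INTERNAL_TOKEN)
for secret in secret_key lfs_jwt_secret internal_token; do
    [ -n "${!secret}" ] || ynh_die --message="forgejo generate secret returned an empty $secret"
done
ynh_app_setting_set --app=$app --key=secret_key --value="$secret_key"
ynh_app_setting_set --app=$app --key=lfs_jwt_secret --value="$lfs_jwt_secret"
ynh_app_setting_set --app=$app --key=internal_token --value="$internal_token"
# … unchanged: NGINX CONFIGURATION …
```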


@ -25,8 +25,9 @@ datadir=$(ynh_app_setting_get --app=$app --key=datadir)
db_name=$(ynh_app_setting_get --app=$app --key=db_name) db_name=$(ynh_app_setting_get --app=$app --key=db_name)
db_user=$db_name db_user=$db_name
db_pwd=$(ynh_app_setting_get --app=$app --key=psqlpwd) db_pwd=$(ynh_app_setting_get --app=$app --key=psqlpwd)
key=$(ynh_app_setting_get --app=$app --key=key) secret_key=$(ynh_app_setting_get --app=$app --key=secret_key)
lfs_key=$(ynh_app_setting_get --app=$app --key=lfs_key) lfs_jwt_secret=$(ynh_app_setting_get --app=$app --key=lfs_jwt_secret)
internal_token=$(ynh_app_setting_get --app=$app --key=internal_token)
#================================================= #=================================================
# CHECK VERSION # CHECK VERSION
@ -75,18 +76,30 @@ if [ -z "$port" ]; then
ynh_app_setting_set --app=$app --key=port --value=$port ynh_app_setting_set --app=$app --key=port --value=$port
fi fi
# If lfs_key doesn't exist, create it
if [ -z "$lfs_key" ]; then
lfs_key=$(ynh_string_random)
ynh_app_setting_set --app=$app --key=lfs_key --value=$lfs_key
fi
# If final_path doesn't exist, create it # If final_path doesn't exist, create it
if [ -z "$final_path" ]; then if [ -z "$final_path" ]; then
final_path=/opt/$app final_path=/opt/$app
ynh_app_setting_set --app=$app --key=final_path --value=$final_path ynh_app_setting_set --app=$app --key=final_path --value=$final_path
fi fi
# If secret_key doesn't exist, create it
if [ -z "$secret_key" ]; then
secret_key=$($final_path/forgejo generate secret SECRET_KEY)
ynh_app_setting_set --app=$app --key=secret_key --value=$secret_key
fi
# If lfs_jwt_secret doesn't exist, create it
if [ -z "$lfs_jwt_secret" ]; then
lfs_jwt_secret=$($final_path/forgejo generate secret JWT_SECRET)
ynh_app_setting_set --app=$app --key=lfs_jwt_secret --value=$lfs_jwt_secret
fi
# If internal_token doesn't exist, create it
if [ -z "$internal_token" ]; then
internal_token=$($final_path/forgejo generate secret INTERNAL_TOKEN)
ynh_app_setting_set --app=$app --key=internal_token --value=$internal_token
fi
# If datadir doesn't exist, create it # If datadir doesn't exist, create it
if [ -z "$datadir" ]; then if [ -z "$datadir" ]; then
datadir=/home/yunohost.app/$app datadir=/home/yunohost.app/$app
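Review bot: The new `secret_key` and `lfs_jwt_secret` blocks (L173-L182) generate fresh values on an instance upgraded from ~ynh1 instead of carrying over the secrets stored under the legacy `key` and `lfs_key` settings, which the first hunk (L155-L156) stops reading and nothing deletes. Per upstream documentation SECRET_KEY encrypts stored data such as two-factor secrets, so silently replacing it on upgrade makes that data unreadable; replacing LFS_JWT_SECRET only invalidates outstanding LFS tokens, but there is no reason to discard it either. Fall back to the legacy setting when present and remove it, so the rename is a migration rather than a rotation. Note also that `$final_path/forgejo` invoked here is the previously installed binary, since this runs in the compatibility section before the source is presumably refreshed later in the script; the final_path block at L168-L172 precedes these blocks, which is the right order for that.

```bash
# … unchanged: final_path block …
# If secret_key doesn't exist, migrate the legacy "key" setting, else create it
if [ -z "$secret_key" ]; then
    legacy_key=$(ynh_app_setting_get --app=$app --key=key)
    if [ -n "$legacy_key" ]; then
        secret_key=$legacy_key
    else
        secret_key=$($final_path/forgejo generate secret SECRET_KEY)
    fi
    ynh_app_setting_set --app=$app --key=secret_key --value="$secret_key"
    ynh_app_setting_delete --app=$app --key=key
fi
# … same pattern for lfs_jwt_secret, migrating the legacy "lfs_key" setting …
# … unchanged: internal_token and datadir blocks …
```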