Init.
172
install-certificates.sh
Executable file
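--- /dev/null
+++ b/install-certificates.sh
@@ -0,0 +1,172 @@
+#!/bin/bash
+
+# SSL Certificate Installation Script for Gitea Production
+# This script installs Let's Encrypt SSL certificates for repos.guschin.info
+
+set -e
+
+echo "==================================="
+echo "SSL Certificate Installation"
+echo "==================================="
+
+# Load environment variables
+if [ -f .env ]; then
+source .env
+echo "✓ Loaded environment variables from .env"
+else
+echo "✗ Error: .env file not found!"
+exit 1
+fi
+
+# Check if running in production environment
+if [ "${GITEA_DOMAIN}" != "repos.guschin.info" ]; then
+echo "✗ Warning: This script is intended for production (repos.guschin.info)"
+echo " Current domain: ${GITEA_DOMAIN}"
+read -p "Continue anyway? (y/N): " -n 1 -r
+echo
+if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+exit 1
+fi
+fi
+
+# Check if certbot is installed
+if ! command -v certbot &> /dev/null; then
+echo "Certbot is not installed. Installing..."
+
+# Detect OS and install certbot
+if [ -f /etc/debian_version ]; then
+# Debian/Ubuntu
+sudo apt-get update
+sudo apt-get install -y certbot
+elif [ -f /etc/redhat-release ]; then
+# RHEL/CentOS/Fedora
+sudo yum install -y certbot
+elif [ -f /etc/arch-release ]; then
+# Arch Linux
+sudo pacman -S --noconfirm certbot
+else
+echo "✗ Error: Unsupported OS. Please install certbot manually."
+exit 1
+fi
+
+echo "✓ Certbot installed"
+fi
+
+# Verify Docker is running
+if ! docker info > /dev/null 2>&1; then
+echo "✗ Error: Docker is not running!"
+exit 1
+fi
+
+echo "✓ Docker is running"
+
+# Create directory for certificates
+CERT_DIR="./certs"
+mkdir -p ${CERT_DIR}
+echo "✓ Certificate directory created: ${CERT_DIR}"
+
+# Email for Let's Encrypt notifications
+read -p "Enter email address for Let's Encrypt notifications: " EMAIL
+
+if [ -z "$EMAIL" ]; then
+echo "✗ Error: Email address is required!"
+exit 1
+fi
+
+echo ""
+echo "Obtaining SSL certificate for ${GITEA_DOMAIN}..."
+echo "This will:"
+echo " 1. Verify domain ownership"
+echo " 2. Obtain SSL certificate from Let's Encrypt"
+echo " 3. Configure automatic renewal"
+echo ""
+
+# Stop Gitea if running to free up port 80
+if docker ps | grep -q gitea; then
+echo "Stopping Gitea container to free up port 80..."
+docker-compose stop gitea
+fi
+
+# Obtain certificate using standalone mode
+sudo certbot certonly \
+--standalone \
+--preferred-challenges http \
+--email ${EMAIL} \
+--agree-tos \
+--no-eff-email \
+-d ${GITEA_DOMAIN}
+
+if [ $? -eq 0 ]; then
+echo "✓ SSL certificate obtained successfully!"
+
+# Copy certificates to local directory
+sudo cp /etc/letsencrypt/live/${GITEA_DOMAIN}/fullchain.pem ${CERT_DIR}/
+sudo cp /etc/letsencrypt/live/${GITEA_DOMAIN}/privkey.pem ${CERT_DIR}/
+sudo chown $(id -u):$(id -g) ${CERT_DIR}/*.pem
+
+echo "✓ Certificates copied to ${CERT_DIR}"
+else
+echo "✗ Error: Failed to obtain SSL certificate!"
+exit 1
+fi
+
+# Setup automatic renewal
+echo ""
+echo "Setting up automatic certificate renewal..."
+
+# Create renewal hook script
+RENEWAL_HOOK="/etc/letsencrypt/renewal-hooks/deploy/gitea-reload.sh"
+sudo mkdir -p /etc/letsencrypt/renewal-hooks/deploy
+
+cat << 'EOF' | sudo tee ${RENEWAL_HOOK} > /dev/null
+#!/bin/bash
+# Gitea SSL certificate renewal hook
+
+CERT_DIR="/path/to/git.git/certs"
+DOMAIN="repos.guschin.info"
+
+# Copy new certificates
+cp /etc/letsencrypt/live/${DOMAIN}/fullchain.pem ${CERT_DIR}/
+cp /etc/letsencrypt/live/${DOMAIN}/privkey.pem ${CERT_DIR}/
+
+# Restart Gitea to load new certificates
+cd /path/to/git.git
+docker-compose restart gitea
+
+echo "Gitea SSL certificates updated and service restarted"
+EOF
+
+# Update the path in renewal hook
+sudo sed -i "s|/path/to/git.git|$(pwd)|g" ${RENEWAL_HOOK}
+sudo chmod +x ${RENEWAL_HOOK}
+
+echo "✓ Renewal hook installed"
+
+# Test automatic renewal
+echo ""
+echo "Testing automatic renewal..."
+sudo certbot renew --dry-run
+
+if [ $? -eq 0 ]; then
+echo "✓ Automatic renewal test passed"
+else
+echo "✗ Warning: Automatic renewal test failed"
+echo " Please check certbot configuration"
+fi
+
+echo ""
+echo "==================================="
+echo "SSL Certificate Installation Complete!"
+echo "==================================="
+echo ""
+echo "Certificate details:"
+echo " Domain: ${GITEA_DOMAIN}"
+echo " Certificate location: /etc/letsencrypt/live/${GITEA_DOMAIN}/"
+echo " Local copy: ${CERT_DIR}"
+echo ""
+echo "Next steps:"
+echo " 1. Update docker-compose.yml to use a reverse proxy (nginx/traefik)"
+echo " 2. Configure the reverse proxy to use the certificates"
+echo " 3. Start Gitea: docker-compose up -d"
+echo ""
+echo "Note: Certificates will automatically renew every 60 days"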
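Review bot: The failure branch behind `if [ $? -eq 0 ]; then` after `sudo certbot certonly` is unreachable because of `set -e` at the top of the script: a non-zero exit from certbot aborts the script on that line, so the "Failed to obtain SSL certificate" message never prints and, worse, the Gitea container stopped just before by `docker-compose stop gitea` is left down; the same dead `$?` check follows `sudo certbot renew --dry-run`. Either capture the status explicitly (`rc=0; sudo certbot certonly ... || rc=$?` and then test `"$rc"`), or register a cleanup right after the stop, e.g. `trap 'rc=$?; [ "$rc" -ne 0 ] && docker-compose start gitea; exit "$rc"' EXIT`, so a failed issuance does not leave the service offline. Separately, the copied `privkey.pem` is chown'ed to the invoking user but its mode is never set by the script, and the renewal hook later rewrites it as root inside the checkout at `$(pwd)/certs`; add `chmod 600 "${CERT_DIR}/privkey.pem"` after the chown (and the equivalent in the hook) and make sure `certs/` is ignored by git so the key cannot be committed — the repo's .gitignore is not visible in this commit. Quoting `${EMAIL}`, `${GITEA_DOMAIN}` and `${CERT_DIR}` in the certbot, cp and chown lines would also keep a value with spaces or glob characters from being word-split.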