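#!/bin/bash
#
# SSL Certificate Installation Script for Gitea Production
#
# Obtains a Let's Encrypt certificate for the domain named in GITEA_DOMAIN
# (expected: repos.guschin.info), copies fullchain.pem/privkey.pem into
# ./certs for the reverse proxy, and installs a certbot deploy hook that
# refreshes those copies and restarts Gitea on every renewal.
#
# Usage: run from the project directory that holds docker-compose.yml
# and .env.  Requires docker, docker-compose and sudo (certbot writes to
# /etc/letsencrypt; certbot --standalone must be able to bind port 80).
# Reads GITEA_DOMAIN from .env.

set -euo pipefail

#######################################
# Print an error message to stderr and exit with status 1.
# Arguments: the message words
#######################################
die() {
  printf '✗ Error: %s\n' "$*" >&2
  exit 1
}

echo "==================================="
echo "SSL Certificate Installation"
echo "==================================="

# Load environment variables.
# `source` executes .env as shell code, so it must be the project's own file
# (owned by the deploying user), not something supplied from outside.
if [ -f .env ]; then
  # shellcheck disable=SC1091
  source .env
  echo "✓ Loaded environment variables from .env"
else
  die ".env file not found!"
fi

# Under `set -u` an unset GITEA_DOMAIN would abort without a message, and an
# empty one would only fail later inside certbot; check it up front.
GITEA_DOMAIN=${GITEA_DOMAIN:-}
[ -n "${GITEA_DOMAIN}" ] || die "GITEA_DOMAIN is not set in .env"

# Check if running in production environment
if [ "${GITEA_DOMAIN}" != "repos.guschin.info" ]; then
  echo "✗ Warning: This script is intended for production (repos.guschin.info)"
  echo " Current domain: ${GITEA_DOMAIN}"
  read -p "Continue anyway? (y/N): " -n 1 -r
  echo
  if [[ ! $REPLY =~ ^[Yy]$ ]]; then
    exit 1
  fi
fi

# Check if certbot is installed; install it from the distro repos if not.
if ! command -v certbot > /dev/null 2>&1; then
  echo "Certbot is not installed. Installing..."

  # Detect OS and install certbot
  if [ -f /etc/debian_version ]; then
    # Debian/Ubuntu
    sudo apt-get update
    sudo apt-get install -y certbot
  elif [ -f /etc/redhat-release ]; then
    # RHEL/CentOS/Fedora
    sudo yum install -y certbot
  elif [ -f /etc/arch-release ]; then
    # Arch Linux
    sudo pacman -S --noconfirm certbot
  else
    die "Unsupported OS. Please install certbot manually."
  fi

  echo "✓ Certbot installed"
fi

# Verify Docker is running
if ! docker info > /dev/null 2>&1; then
  die "Docker is not running!"
fi
echo "✓ Docker is running"

# Create directory for certificates (relative to the project directory)
CERT_DIR="./certs"
mkdir -p "${CERT_DIR}"
echo "✓ Certificate directory created: ${CERT_DIR}"

# Email for Let's Encrypt notifications.  -r keeps backslashes literal; the
# value is passed quoted to certbot so it cannot be split into extra flags.
read -r -p "Enter email address for Let's Encrypt notifications: " EMAIL
[ -n "${EMAIL}" ] || die "Email address is required!"
[[ "${EMAIL}" == *@* ]] || die "'${EMAIL}' does not look like an email address"

echo ""
echo "Obtaining SSL certificate for ${GITEA_DOMAIN}..."
echo "This will:"
echo " 1. Verify domain ownership"
echo " 2. Obtain SSL certificate from Let's Encrypt"
echo " 3. Configure automatic renewal"
echo ""

# Stop Gitea if running to free up port 80.
# `--filter name=` matches the container name only, so a random container
# whose image or command mentions "gitea" will not trigger the stop.
if [ -n "$(docker ps --filter name=gitea --format '{{.Names}}')" ]; then
  echo "Stopping Gitea container to free up port 80..."
  docker-compose stop gitea
fi

# Obtain certificate using standalone mode.  The command is tested in the
# `if` directly: with `set -e` a later `$?` check would never see a failure.
if sudo certbot certonly \
    --standalone \
    --preferred-challenges http \
    --email "${EMAIL}" \
    --agree-tos \
    --no-eff-email \
    -d "${GITEA_DOMAIN}"; then
  echo "✓ SSL certificate obtained successfully!"
else
  die "Failed to obtain SSL certificate!"
fi

# Copy certificates to local directory and hand them to the invoking user.
live_dir="/etc/letsencrypt/live/${GITEA_DOMAIN}"
sudo cp "${live_dir}/fullchain.pem" "${live_dir}/privkey.pem" "${CERT_DIR}/"
sudo chown "$(id -u):$(id -g)" "${CERT_DIR}"/*.pem
# cp creates the copies with the default (world-readable) mode; the private
# key must stay readable by its owner only, like certbot's original.
chmod 644 "${CERT_DIR}/fullchain.pem"
chmod 600 "${CERT_DIR}/privkey.pem"
echo "✓ Certificates copied to ${CERT_DIR}"

# Setup automatic renewal
echo ""
echo "Setting up automatic certificate renewal..."

# Create renewal hook script.  certbot runs deploy hooks as root after a
# successful renewal, so the hook does the copy and the restart itself.
RENEWAL_HOOK="/etc/letsencrypt/renewal-hooks/deploy/gitea-reload.sh"
sudo mkdir -p /etc/letsencrypt/renewal-hooks/deploy

# The project path, domain and owner are baked into the hook at install time.
# They are shell-quoted with printf %q so a path containing spaces, quotes,
# '|' or '&' cannot break the generated script (a sed substitution would).
# Inside the here-doc, \$ defers expansion to the hook's own run time.
project_dir_q=$(printf '%q' "${PWD}")
domain_q=$(printf '%q' "${GITEA_DOMAIN}")
cert_owner_q=$(printf '%q' "$(id -u):$(id -g)")

cat << EOF | sudo tee "${RENEWAL_HOOK}" > /dev/null
#!/bin/bash
# Gitea SSL certificate renewal hook (generated by the SSL installation script)
set -euo pipefail

PROJECT_DIR=${project_dir_q}
CERT_DIR="\${PROJECT_DIR}/certs"
DOMAIN=${domain_q}

# Copy new certificates; keep the private key readable by its owner only
cp "/etc/letsencrypt/live/\${DOMAIN}/fullchain.pem" "\${CERT_DIR}/"
cp "/etc/letsencrypt/live/\${DOMAIN}/privkey.pem" "\${CERT_DIR}/"
chown ${cert_owner_q} "\${CERT_DIR}/fullchain.pem" "\${CERT_DIR}/privkey.pem"
chmod 644 "\${CERT_DIR}/fullchain.pem"
chmod 600 "\${CERT_DIR}/privkey.pem"

# Restart Gitea to load new certificates
cd "\${PROJECT_DIR}"
docker-compose restart gitea

echo "Gitea SSL certificates updated and service restarted"
EOF

sudo chmod 755 "${RENEWAL_HOOK}"
echo "✓ Renewal hook installed"

# Test automatic renewal (again tested directly, not via a stale $?)
echo ""
echo "Testing automatic renewal..."
if sudo certbot renew --dry-run; then
  echo "✓ Automatic renewal test passed"
else
  echo "✗ Warning: Automatic renewal test failed"
  echo " Please check certbot configuration"
fi

echo ""
echo "==================================="
echo "SSL Certificate Installation Complete!"
echo "==================================="
echo ""
echo "Certificate details:"
echo " Domain: ${GITEA_DOMAIN}"
echo " Certificate location: ${live_dir}/"
echo " Local copy: ${CERT_DIR}"
echo ""
echo "Next steps:"
echo " 1. Update docker-compose.yml to use a reverse proxy (nginx/traefik)"
echo " 2. Configure the reverse proxy to use the certificates"
echo " 3. Start Gitea: docker-compose up -d"
echo ""
echo "Note: Certificates will automatically renew every 60 days"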