v2: added vsftp and gitea. Use certificate for all services. Managed domain sub-directories.

2 years ago · cfc2c2e76f
22 changed files with 338 additions and 78 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
 srcs/.env
 inception.pem
--- a/16
+++ b/16
@ -1,11 +1,19 @@
 NAME = inception
 DATA_FOLDER = /home/narnaud/data
 CERT = $(DATA_FOLDER)/ssl/inception.pem
-all: prune reload
+all: prune start
 domain:
-	 echo "127.0.0.1 narnaud.42.fr" >> /etc/hosts
+	echo "127.0.0.1 narnaud.42.fr" >> /etc/hosts
 $(CERT):
 	mkdir -p $(DATA_FOLDER)/ssl
 	openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes \
        -out inception.pem -keyout inception.pem \
        -subj "/C=FR/ST=Nice/L=Nice/O=42/OU=student/CN=inception_narnaud/"
-start: 
+start: $(CERT)
 	BUILDKIT_PROGRESS=plain docker compose -f srcs/docker-compose.yml up --build
 stop:
@ -15,7 +23,7 @@ prune: stop
 	docker system prune -f
 fclean: prune
-	rm -rf /home/narnaud/data
+	docker system prune -af
 re: fclean start
--- a/srcs/bonus/gitea/Dockerfile
+++ b/srcs/bonus/gitea/Dockerfile
@ -0,0 +1,11 @@
 FROM alpine:3.15
 RUN apk update && apk upgrade && apk add --no-cache git gitea mariadb-client
 RUN mkdir -p /var/ssl
 COPY start.sh /tmp/start.sh
 COPY app.ini /tmp/app.ini
 ENTRYPOINT ["sh", "/tmp/start.sh"]
--- a/srcs/bonus/gitea/app.ini
+++ b/srcs/bonus/gitea/app.ini
@ -0,0 +1,68 @@
 APP_NAME = Gitea: Git with a cup of tea
 RUN_USER = git
 RUN_MODE = prod
 [database]
 DB_TYPE  = mysql
 HOST     = mariadb:3306
 NAME     = giteadb
 USER     = gitea
 PASSWD   = giteaword
 SCHEMA   = 
 SSL_MODE = disable
 CHARSET  = utf8
 PATH     = /var/lib/gitea/data/gitea.db
 LOG_SQL  = false
 [repository]
 ROOT = /var/lib/gitea/data/gitea-repositories
 [server]
 SSH_DOMAIN       = localhost
 DOMAIN           = localhost
 HTTP_PORT        = 3000
 ROOT_URL         = https://localhost/git/
 DISABLE_SSH      = false
 SSH_PORT         = 22
 LFS_START_SERVER = true
 LFS_CONTENT_PATH = /var/lib/gitea/data/lfs
 LFS_JWT_SECRET   = iNcqBnqPacGrq8ehTSaXeGEfEJEMizfCfjcQ7ykVToI
 OFFLINE_MODE     = false
 [mailer]
 ENABLED = false
 [service]
 REGISTER_EMAIL_CONFIRM            = false
 ENABLE_NOTIFY_MAIL                = false
 DISABLE_REGISTRATION              = false
 ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
 ENABLE_CAPTCHA                    = false
 REQUIRE_SIGNIN_VIEW               = false
 DEFAULT_KEEP_EMAIL_PRIVATE        = false
 DEFAULT_ALLOW_CREATE_ORGANIZATION = true
 DEFAULT_ENABLE_TIMETRACKING       = true
 NO_REPLY_ADDRESS                  = noreply.localhost
 [picture]
 DISABLE_GRAVATAR        = false
 ENABLE_FEDERATED_AVATAR = true
 [openid]
 ENABLE_OPENID_SIGNIN = true
 ENABLE_OPENID_SIGNUP = true
 [session]
 PROVIDER = file
 [log]
 MODE      = console
 LEVEL     = info
 ROOT_PATH = /var/lib/gitea/log
 ROUTER    = console
 [security]
 INSTALL_LOCK       = true
 INTERNAL_TOKEN     = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE2NjY5NjA4OTJ9.qwt2L1S7-vkw4i57T9rBwP9CfGjFkwHPYbDECW-ymcA
 PASSWORD_HASH_ALGO = pbkdf2
--- a/srcs/bonus/gitea/start.sh
+++ b/srcs/bonus/gitea/start.sh
@ -0,0 +1,24 @@
 #!/bin/sh
 while ! mariadb -hmariadb -u$GITEA_DATABASE_USR -p$GITEA_DATABASE_PWD $GITEA_DATABASE_NAME &>/dev/null; do
  echo "Gitea waiting db..."
  sleep 5
 done
 if [ ! -f "app.ini" ]; then
  echo "Initializing gitea..."
  adduser -D git
  addgroup --system git git
  mkdir -p /var/lib/gitea/{custom,data,log}
  chown -R git:git /var/lib/gitea/
  chmod -R 750 /var/lib/gitea/
  mkdir -p /etc/gitea
  cp /tmp/app.ini /etc/gitea/
  chown -R root:git /etc/gitea
  chmod -R 770 /etc/gitea
  su git -c "gitea migrate"
  su git -c "gitea admin user create --username $GITEA_ADMIN_USR --password $GITEA_ADMIN_PWD --email $GITEA_ADMIN_MAIL --admin"
 fi
 echo "Launching gitea on localhost:3000"
 su git -c "gitea web --config /etc/gitea/app.ini" &> /dev/null
--- a/srcs/bonus/hexo/Dockerfile
+++ b/srcs/bonus/hexo/Dockerfile
@ -1,12 +1,12 @@
 FROM alpine:3.15
-RUN apk update && apk upgrade && apk add --no-cache \
+RUN apk update && apk upgrade && apk add --no-cache wget git npm
    wget git npm
 RUN	adduser -S nginx &&	addgroup -S nginx
 COPY academia_config.yml /tmp/academia_config.yml
 COPY hexo_config.yml /tmp/hexo_config.yml
 COPY narnaud.jpg /tmp/narnaud.jpg
 WORKDIR /var/www/html
-COPY init.sh /tmp/init.sh
+COPY start.sh /tmp/start.sh
-ENTRYPOINT [ "sh", "/tmp/init.sh" ]
+ENTRYPOINT [ "sh", "/tmp/start.sh" ]
--- a/srcs/bonus/hexo/academia_config.yml
+++ b/srcs/bonus/hexo/academia_config.yml
@ -12,12 +12,14 @@ since: 2022
 # 可以选择外链或其他页面
 menu:
  Publications: /#Publications
  Blog: /
  Gitea: /
  Adminer: /
  About: /
  Blog: https://localhost/wordpress
 # flink picture will load if avator link calls on error
 loading_bg:
-  flink: /img/profile.png
+  flink: /img/narnaud.jpg
 # Social Links; 社交链接，不需要的链接直接注释掉
 # 可以调整显示顺序
--- a/srcs/bonus/hexo/init.sh
+++ b/srcs/bonus/hexo/init.sh
@ -1,13 +0,0 @@
 #!/bin/sh
 if [ ! -f "/var/www/html/index.html" ]; then
  npm install -g hexo-cli
  hexo init && npm install
  git clone https://github.com/PhosphorW/hexo-theme-academia.git themes/Academia
  npm install hexo-renderer-pug hexo-renderer-stylus --save
  sed -i "/theme: .*/c\theme: Academia" _config.yml
  cp /tmp/hexo_config.yml _config.yml
  cp /tmp/academia_config.yml themes/Academia/_config.yml
 fi
 hexo generate
--- a/srcs/bonus/hexo/narnaud.jpg
+++ b/srcs/bonus/hexo/narnaud.jpg
--- a/srcs/bonus/hexo/start.sh
+++ b/srcs/bonus/hexo/start.sh
@ -0,0 +1,19 @@
 #!/bin/sh
 if [ ! -f "public/index.html" ]; then
  npm install -g hexo-cli
  hexo init && npm install
  git clone https://github.com/PhosphorW/hexo-theme-academia.git themes/Academia
  npm install hexo-renderer-pug hexo-renderer-stylus --save
  cp /tmp/hexo_config.yml _config.yml
  cp /tmp/narnaud.jpg themes/Academia/source/img/narnaud.jpg
  cd themes/Academia
  cp /tmp/academia_config.yml _config.yml
  sed -i "/Blog: .*/c\  Blog: https:\/\/$DOMAIN\/wordpress" _config.yml
  sed -i "/Gitea: .*/c\  Gitea: https:\/\/$DOMAIN\/git" _config.yml
  sed -i "/Adminer: .*/c\  Adminer: https:\/\/$DOMAIN\/adminer.php" _config.yml
  hexo generate
 fi
--- a/srcs/bonus/vsftpd/Dockerfile
+++ b/srcs/bonus/vsftpd/Dockerfile
@ -0,0 +1,12 @@
 FROM alpine:3.15
 RUN apk update && apk upgrade && apk add --no-cache vsftpd
 RUN mkdir -p /var/www
 RUN mkdir -p /var/ssl
 COPY vsftpd.conf /tmp/
 COPY start.sh /tmp/
 WORKDIR /etc/vsftpd
 ENTRYPOINT ["/bin/sh", "/tmp/start.sh"]
--- a/srcs/bonus/vsftpd/start.sh
+++ b/srcs/bonus/vsftpd/start.sh
@ -0,0 +1,14 @@
 #!/bin/sh
 if [ ! -f vsftpd.conf.bak ]; then
  mkdir -p /var/www
  mv vsftpd.conf vsftpd.conf.bak
  mv /tmp/vsftpd.conf .
  adduser -D $FTP_USR
  echo "$FTP_USR:$FTP_PWD" | chpasswd &> /dev/null
  echo "$FTP_USR" >> /etc/vsftpd.userlist
  chown -R $FTP_USR:$FTP_USR /var/www
 fi
 echo "FTP server started."
 vsftpd vsftpd.conf
--- a/srcs/bonus/vsftpd/vsftpd.conf
+++ b/srcs/bonus/vsftpd/vsftpd.conf
@ -0,0 +1,79 @@
 #anonymous_enable=NO
 #local_enable=YES
 #write_enable=YES
 #dirmessage_enable=YES
 #xferlog_enable=YES
 #connect_from_port_20=YES
 #chroot_local_user=YES
 #allow_writeable_chroot=YES
 #user_sub_token=$USER
 #local_root=/var/www
 #listen=YES
 #listen_port=21
 #listen_address=0.0.0.0
 #seccomp_sandbox=NO
 #pasv_enable=YES
 #pasv_min_port=21100
 #pasv_max_port=21110
 #userlist_enable=YES
 #userlist_file=/etc/vsftpd.userlist
 #userlist_deny=NO
 seccomp_sandbox=NO
 listen=YES
 listen_ipv6=NO
 listen_address=0.0.0.0
 listen_port=21
 user_sub_token=$USER
 local_root=/var/www
 connect_from_port_20=YES
 anonymous_enable=NO
 local_enable=YES
 write_enable=YES
 chroot_local_user=YES
 allow_writeable_chroot=YES
 #secure_chroot_dir=/var/run/vsftpd/empty\
 userlist_enable=YES
 userlist_file=/etc/vsftpd.userlist
 userlist_deny=NO
 pasv_enable=YES
 pasv_min_port=21100
 pasv_max_port=21100
 rsa_cert_file=/var/ssl/inception.pem
 ssl_enable=YES
 force_local_data_ssl=YES
 force_local_logins_ssl=YES
 ssl_tlsv1=YES
 ssl_sslv2=NO
 ssl_sslv3=NO
 ssl_ciphers=HIGH
 #local_umask=022
 #dirmessage_enable=YES
 #use_localtime=YES
 #xferlog_enable=YES
 #ascii_upload_enable=YES
 #ascii_download_enable=YES
 #chroot_list_file=/etc/vsftpd.chroot_list
 #pam_service_name=ftp
 #local_root=/var/www
 #guest_enable=YES
 #chown_uploads=YES
 #chown_username=nginx
 #guest_username=nginx
 #nopriv_user=nginx
 #virtual_use_local_privs=YES
 #pasv_enable=YES
 #pasv_min_port=1060
 #pasv_max_port=1069
 #pasv_address=localhost
 #rsa_cert_file=/etc/vsftpd/ssl/vsftpd.pem
 #ssl_enalbe=YES
 #force_local_data_ssl=YES
 #force_local_logins_ssl=YES
 #ssl_tlsv1=NO
 #ssl_tlsv2=YES
 #ssl_tlsv3=NO
--- a/srcs/docker-compose.yml
+++ b/srcs/docker-compose.yml
@ -4,13 +4,38 @@ networks:
  local:
 services:
  gitea:
    build: bonus/gitea/
    container_name: gitea
    depends_on:
      - mariadb
    ports:
      - 3000:3000
      - 22:22
    networks:
      - local
    env_file: .env
    restart: always
  vsftpd:
    build: bonus/vsftpd/
    container_name: vsftpd
    ports:
      - 21:21
      - 21100:21100
    volumes:
      - /home/narnaud/data/www:/var/www
      - /home/narnaud/data/ssl:/var/ssl
    networks:
      - local
    restart: always
    env_file: .env
  mariadb:
    build: mariadb/
    container_name: mariadb
    ports: 
      - 3306:3306
    volumes: 
-      - "/home/narnaud/data/mariadb:/var/lib/mysql"
+      - /home/narnaud/data/mariadb:/var/lib/mysql
    networks: 
      - local
    restart: always
@ -29,7 +54,7 @@ services:
    build: bonus/hexo/
    container_name: hexo
    volumes:
-      - '/home/narnaud/data/www:/var/www'
+      - /home/narnaud/data/www:/var/www
    networks:
      - local
    env_file: .env
@ -44,7 +69,7 @@ services:
      - 9000:9000
      - 4000:4000
    volumes: 
-      - '/home/narnaud/data/www:/var/www'
+      - /home/narnaud/data/www:/var/www
    networks: 
      - local
    restart: always
@ -60,8 +85,8 @@ services:
      - 80:80
      - 443:443
    volumes: 
-      - '/home/narnaud/data/www:/var/www'
+      - /home/narnaud/data/www:/var/www
-      - '/home/narnaud/data/logs:/var/log/nginx'
+      - /home/narnaud/data/ssl:/var/ssl
    networks: 
      - local
    restart: always
--- a/srcs/mariadb/Dockerfile
+++ b/srcs/mariadb/Dockerfile
@ -3,6 +3,6 @@ FROM alpine:3.15
 RUN	apk update && apk upgrade && apk add --no-cache \
        mariadb mariadb-client
-COPY init.sh /tmp/init.sh
+COPY start.sh /tmp/start.sh
-ENTRYPOINT ["sh", "/tmp/init.sh"]
+ENTRYPOINT ["sh", "/tmp/start.sh"]
--- a/srcs/mariadb/start.sh
+++ b/srcs/mariadb/start.sh
@ -16,26 +16,25 @@ if [ ! -d "/var/lib/mysql/mysql" ]; then
 		return 1
 	fi
-	cat << EOF > $tfile
+	mysqld --user=mysql --bootstrap << EOF
 USE mysql;
 FLUSH PRIVILEGES;
 DELETE FROM	mysql.user WHERE User='';
 DROP DATABASE test;
 DELETE FROM mysql.db WHERE Db='test';
 DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
 ALTER USER 'root'@'localhost' IDENTIFIED BY '$MYSQL_ROOT_PWD';
 CREATE DATABASE $WP_DATABASE_NAME CHARACTER SET utf8 COLLATE utf8_general_ci;
 CREATE USER '$WP_DATABASE_USR'@'%' IDENTIFIED by '$WP_DATABASE_PWD';
 GRANT ALL PRIVILEGES ON $WP_DATABASE_NAME.* TO '$WP_DATABASE_USR'@'%';
 CREATE DATABASE $GITEA_DATABASE_NAME CHARACTER SET 'utf8mb4' COLLATE 'utf8mb4_unicode_ci';
 CREATE USER '$GITEA_DATABASE_USR'@'%' IDENTIFIED BY '$GITEA_DATABASE_PWD';
 GRANT ALL PRIVILEGES ON $GITEA_DATABASE_NAME.* TO '$GITEA_DATABASE_USR'@'%';
 FLUSH PRIVILEGES;
 EOF
  /usr/bin/mysqld --user=mysql --bootstrap < $tfile
  rm -f $tfile
 fi
 sed -i "s|skip-networking|# skip-networking|g" /etc/my.cnf.d/mariadb-server.cnf
 sed -i "s|.*bind-address\s*=.*|bind-address=0.0.0.0|g" /etc/my.cnf.d/mariadb-server.cnf
-exec /usr/bin/mysqld --user=mysql --console
+mysqld --user=mysql --console
--- a/srcs/nginx/Dockerfile
+++ b/srcs/nginx/Dockerfile
@ -1,13 +1,8 @@
 FROM alpine:3.15
-RUN	apk update && apk upgrade && apk add --no-cache \
+RUN	apk update && apk upgrade && apk add --no-cache nginx
-        nginx \
+
-        openssl
+RUN mkdir -p /var/ssl
 RUN mkdir /etc/nginx/ssl
 RUN openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes \
        -out /etc/nginx/ssl/inception.pem -keyout /etc/nginx/ssl/inception.key \
        -subj "/C=FR/ST=Nice/L=Nice/O=42/OU=student/CN=inception_narnaud/"
 RUN mkdir -p /run/nginx
 COPY nginx.conf /etc/nginx/http.d/default.conf
--- a/srcs/nginx/nginx.conf
+++ b/srcs/nginx/nginx.conf
@ -4,7 +4,6 @@ server {
 	server_name localhost;
 	return 301 https://$host$request_uri;
 }
 server {
@ -12,8 +11,8 @@ server {
  listen [::]:443 ssl;
  server_name localhost;
-  ssl_certificate /etc/nginx/ssl/inception.pem;
+  ssl_certificate /var/ssl/inception.pem;
-  ssl_certificate_key /etc/nginx/ssl/inception.key;
+  ssl_certificate_key /var/ssl/inception.pem;
  ssl_protocols TLSv1.2 TLSv1.3;
  root /var/www/html/public;
@ -35,4 +34,23 @@ server {
      fastcgi_param HTTPS on;
    }
  }
  location ~ /adminer(\.php)$ {
    root /var/www/wordpress;
    try_files $uri $uri/ /adminer.php?$args;
      include fastcgi_params;
      fastcgi_pass wordpress:9000;
      fastcgi_index index.php;
      fastcgi_intercept_errors on;
      fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_param HTTPS on;
  }
  location /git/ {
    proxy_pass http://gitea:3000/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
 }
--- a/srcs/wordpress/Dockerfile
+++ b/srcs/wordpress/Dockerfile
@ -21,5 +21,5 @@ RUN ln -s /usr/bin/php8 /usr/bin/php
 WORKDIR /var/www/wordpress/
-COPY init.sh /tmp/init.sh
+COPY start.sh /tmp/start.sh
-ENTRYPOINT [ "sh", "/tmp/init.sh" ]
+ENTRYPOINT [ "sh", "/tmp/start.sh" ]
--- a/srcs/wordpress/init.sh
+++ b/srcs/wordpress/init.sh
@ -1,23 +0,0 @@
 #!/bin/sh
 while ! mariadb -h$MYSQL_HOST -u$WP_DATABASE_USR -p$WP_DATABASE_PWD $WP_DATABASE_NAME &>/dev/null; do
  sleep 5
 done
 if [ ! -f "/var/www/wordpress/index.php" ]; then
  wp core download --allow-root
  wp config create --dbname=$WP_DATABASE_NAME --dbuser=$WP_DATABASE_USR --dbpass=$WP_DATABASE_PWD --dbhost=$MYSQL_HOST --dbcharset="utf8" --dbcollate="utf8_general_ci" --allow-root
  wp core install --url=$WP_URL --title=$WP_TITLE --admin_user=$WP_ADMIN_USR --admin_password=$WP_ADMIN_PWD --admin_email=$WP_ADMIN_EMAIL --skip-email --allow-root
  wp user create $WP_USR $WP_EMAIL --role=author --user_pass=$WP_PWD --allow-root
  sed -i "90i define('WP_REDIS_HOST', 'redis');"      wp-config.php
  sed -i "91i define('WP_REDIS_PORT', 6379);"         wp-config.php
  sed -i "92i define('WP_REDIS_TIMEOUT', 1);"         wp-config.php
  sed -i "93i define('WP_REDIS_READ_TIMEOUT', 1);"    wp-config.php
  sed -i "94i define('WP_REDIS_DATABASE', 0);"        wp-config.php
  wp plugin install redis-cache --activate --allow-root
  wp plugin update --all --allow-root
  wget -O /var/www/wordpress/adminer.php https://github.com/vrana/adminer/releases/download/v4.8.1/adminer-4.8.1-mysql-en.php
 fi
 wp redis enable --allow-root
 /usr/sbin/php-fpm8 -F -R
--- a/srcs/wordpress/php-fpm.conf
+++ b/srcs/wordpress/php-fpm.conf
@ -1,10 +1,6 @@
 [global]
 pid = run/php-fpm8.pid
 emergency_restart_threshold = 10
 emergency_restart_interval = 10m
-
+daemonize = no
-daemonize = yes
+include=/etc/php8/php-fpm.d/*.conf
 include=/etc/php8/php-fpm.d/*.conf
--- a/srcs/wordpress/start.sh
+++ b/srcs/wordpress/start.sh
@ -0,0 +1,25 @@
 #!/bin/sh
 while ! mariadb -hmariadb -u$WP_DATABASE_USR -p$WP_DATABASE_PWD $WP_DATABASE_NAME &>/dev/null; do
  echo "Wordpress waiting db..."
  sleep 5
 done
 if [ ! -f "index.php" ]; then
  wp core download --allow-root
  wp config create --dbname=$WP_DATABASE_NAME --dbuser=$WP_DATABASE_USR --dbpass=$WP_DATABASE_PWD --dbhost=mariadb --dbcharset="utf8" --dbcollate="utf8_general_ci" --allow-root
  wp core install --url=https://$DOMAIN/wordpress --title=$WP_TITLE --admin_user=$WP_ADMIN_USR --admin_password=$WP_ADMIN_PWD --admin_email=$WP_ADMIN_EMAIL --skip-email --allow-root
  wp user create $WP_USR $WP_EMAIL --role=author --user_pass=$WP_PWD --allow-root
  wp theme install generatepress --activate --allow-root
  sed -i "90i define('WP_REDIS_HOST', 'redis');" wp-config.php
  sed -i "91i define('WP_REDIS_PORT', 6379);" wp-config.php
  sed -i "92i define('WP_REDIS_TIMEOUT', 1);" wp-config.php
  sed -i "93i define('WP_REDIS_READ_TIMEOUT', 1);" wp-config.php
  sed -i "94i define('WP_REDIS_DATABASE', 0);" wp-config.php
  wp plugin install redis-cache --activate --allow-root
  wp plugin update --all --allow-root
  wget -O adminer.php https://github.com/vrana/adminer/releases/download/v4.8.1/adminer-4.8.1-mysql-en.php
 fi
 wp redis enable --allow-root
 /usr/sbin/php-fpm8 -R &> /dev/null