v2: added vsftp and gitea. Use certificate for all services. Managed domain sub-directories.

2 years ago · cfc2c2e76f
22 changed files with 338 additions and 78 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
 srcs/.env
+inception.pem
--- a/16
+++ b/16
@ -1,11 +1,19 @@
 NAME = inception
+DATA_FOLDER = /home/narnaud/data
+CERT = $(DATA_FOLDER)/ssl/inception.pem

-all: prune reload
+all: prune start

 domain:
-	 echo "127.0.0.1 narnaud.42.fr" >> /etc/hosts
+	echo "127.0.0.1 narnaud.42.fr" >> /etc/hosts

-start: 
+$(CERT):
+	mkdir -p $(DATA_FOLDER)/ssl
+	openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes \
+        -out inception.pem -keyout inception.pem \
+        -subj "/C=FR/ST=Nice/L=Nice/O=42/OU=student/CN=inception_narnaud/"
+	
+start: $(CERT)
 	BUILDKIT_PROGRESS=plain docker compose -f srcs/docker-compose.yml up --build

 stop:
@ -15,7 +23,7 @@ prune: stop
 	docker system prune -f

 fclean: prune
-	rm -rf /home/narnaud/data
+	docker system prune -af

 re: fclean start

--- a/srcs/bonus/gitea/Dockerfile
+++ b/srcs/bonus/gitea/Dockerfile
@ -0,0 +1,11 @@
+FROM alpine:3.15
+
+RUN apk update && apk upgrade && apk add --no-cache git gitea mariadb-client
+RUN mkdir -p /var/ssl
+
+
+COPY start.sh /tmp/start.sh
+COPY app.ini /tmp/app.ini
+
+ENTRYPOINT ["sh", "/tmp/start.sh"]
+
--- a/srcs/bonus/gitea/app.ini
+++ b/srcs/bonus/gitea/app.ini
@ -0,0 +1,68 @@
+APP_NAME = Gitea: Git with a cup of tea
+RUN_USER = git
+RUN_MODE = prod
+
+[database]
+DB_TYPE  = mysql
+HOST     = mariadb:3306
+NAME     = giteadb
+USER     = gitea
+PASSWD   = giteaword
+SCHEMA   = 
+SSL_MODE = disable
+CHARSET  = utf8
+PATH     = /var/lib/gitea/data/gitea.db
+LOG_SQL  = false
+
+[repository]
+ROOT = /var/lib/gitea/data/gitea-repositories
+
+[server]
+SSH_DOMAIN       = localhost
+DOMAIN           = localhost
+HTTP_PORT        = 3000
+ROOT_URL         = https://localhost/git/
+DISABLE_SSH      = false
+SSH_PORT         = 22
+LFS_START_SERVER = true
+LFS_CONTENT_PATH = /var/lib/gitea/data/lfs
+LFS_JWT_SECRET   = iNcqBnqPacGrq8ehTSaXeGEfEJEMizfCfjcQ7ykVToI
+OFFLINE_MODE     = false
+
+[mailer]
+ENABLED = false
+
+[service]
+REGISTER_EMAIL_CONFIRM            = false
+ENABLE_NOTIFY_MAIL                = false
+DISABLE_REGISTRATION              = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
+ENABLE_CAPTCHA                    = false
+REQUIRE_SIGNIN_VIEW               = false
+DEFAULT_KEEP_EMAIL_PRIVATE        = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING       = true
+NO_REPLY_ADDRESS                  = noreply.localhost
+
+[picture]
+DISABLE_GRAVATAR        = false
+ENABLE_FEDERATED_AVATAR = true
+
+[openid]
+ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNUP = true
+
+[session]
+PROVIDER = file
+
+[log]
+MODE      = console
+LEVEL     = info
+ROOT_PATH = /var/lib/gitea/log
+ROUTER    = console
+
+[security]
+INSTALL_LOCK       = true
+INTERNAL_TOKEN     = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE2NjY5NjA4OTJ9.qwt2L1S7-vkw4i57T9rBwP9CfGjFkwHPYbDECW-ymcA
+PASSWORD_HASH_ALGO = pbkdf2
+
--- a/srcs/bonus/gitea/start.sh
+++ b/srcs/bonus/gitea/start.sh
@ -0,0 +1,24 @@
+#!/bin/sh
+
+
+while ! mariadb -hmariadb -u$GITEA_DATABASE_USR -p$GITEA_DATABASE_PWD $GITEA_DATABASE_NAME &>/dev/null; do
+  echo "Gitea waiting db..."
+  sleep 5
+done
+
+if [ ! -f "app.ini" ]; then
+  echo "Initializing gitea..."
+  adduser -D git
+  addgroup --system git git
+  mkdir -p /var/lib/gitea/{custom,data,log}
+  chown -R git:git /var/lib/gitea/
+  chmod -R 750 /var/lib/gitea/
+  mkdir -p /etc/gitea
+  cp /tmp/app.ini /etc/gitea/
+  chown -R root:git /etc/gitea
+  chmod -R 770 /etc/gitea
+  su git -c "gitea migrate"
+  su git -c "gitea admin user create --username $GITEA_ADMIN_USR --password $GITEA_ADMIN_PWD --email $GITEA_ADMIN_MAIL --admin"
+fi
+echo "Launching gitea on localhost:3000"
+su git -c "gitea web --config /etc/gitea/app.ini" &> /dev/null
--- a/srcs/bonus/hexo/Dockerfile
+++ b/srcs/bonus/hexo/Dockerfile
@ -1,12 +1,12 @@
 FROM alpine:3.15
-RUN apk update && apk upgrade && apk add --no-cache \
-    wget git npm
+RUN apk update && apk upgrade && apk add --no-cache wget git npm

 RUN	adduser -S nginx &&	addgroup -S nginx
 COPY academia_config.yml /tmp/academia_config.yml
 COPY hexo_config.yml /tmp/hexo_config.yml
+COPY narnaud.jpg /tmp/narnaud.jpg

 WORKDIR /var/www/html

-COPY init.sh /tmp/init.sh
-ENTRYPOINT [ "sh", "/tmp/init.sh" ]
+COPY start.sh /tmp/start.sh
+ENTRYPOINT [ "sh", "/tmp/start.sh" ]
--- a/srcs/bonus/hexo/academia_config.yml
+++ b/srcs/bonus/hexo/academia_config.yml
@ -12,12 +12,14 @@ since: 2022
 # 可以选择外链或其他页面
 menu:
  Publications: /#Publications
+  Blog: /
+  Gitea: /
+  Adminer: /
  About: /
-  Blog: https://localhost/wordpress

 # flink picture will load if avator link calls on error
 loading_bg:
-  flink: /img/profile.png
+  flink: /img/narnaud.jpg

 # Social Links; 社交链接，不需要的链接直接注释掉
 # 可以调整显示顺序
--- a/srcs/bonus/hexo/init.sh
+++ b/srcs/bonus/hexo/init.sh
@ -1,13 +0,0 @@
-#!/bin/sh
-if [ ! -f "/var/www/html/index.html" ]; then
-  npm install -g hexo-cli
-  hexo init && npm install
-  git clone https://github.com/PhosphorW/hexo-theme-academia.git themes/Academia
-  npm install hexo-renderer-pug hexo-renderer-stylus --save
-  sed -i "/theme: .*/c\theme: Academia" _config.yml
-
-  cp /tmp/hexo_config.yml _config.yml
-  cp /tmp/academia_config.yml themes/Academia/_config.yml
-fi
-
-hexo generate
--- a/srcs/bonus/hexo/narnaud.jpg
+++ b/srcs/bonus/hexo/narnaud.jpg
--- a/srcs/bonus/hexo/start.sh
+++ b/srcs/bonus/hexo/start.sh
@ -0,0 +1,19 @@
+#!/bin/sh
+if [ ! -f "public/index.html" ]; then
+  npm install -g hexo-cli
+  hexo init && npm install
+  git clone https://github.com/PhosphorW/hexo-theme-academia.git themes/Academia
+  npm install hexo-renderer-pug hexo-renderer-stylus --save
+
+
+
+  cp /tmp/hexo_config.yml _config.yml
+  cp /tmp/narnaud.jpg themes/Academia/source/img/narnaud.jpg
+  cd themes/Academia
+  cp /tmp/academia_config.yml _config.yml
+  sed -i "/Blog: .*/c\  Blog: https:\/\/$DOMAIN\/wordpress" _config.yml
+  sed -i "/Gitea: .*/c\  Gitea: https:\/\/$DOMAIN\/git" _config.yml
+  sed -i "/Adminer: .*/c\  Adminer: https:\/\/$DOMAIN\/adminer.php" _config.yml
+  hexo generate
+fi
+
--- a/srcs/bonus/vsftpd/Dockerfile
+++ b/srcs/bonus/vsftpd/Dockerfile
@ -0,0 +1,12 @@
+FROM alpine:3.15
+
+RUN apk update && apk upgrade && apk add --no-cache vsftpd
+
+RUN mkdir -p /var/www
+RUN mkdir -p /var/ssl
+
+COPY vsftpd.conf /tmp/
+COPY start.sh /tmp/
+
+WORKDIR /etc/vsftpd
+ENTRYPOINT ["/bin/sh", "/tmp/start.sh"]
--- a/srcs/bonus/vsftpd/start.sh
+++ b/srcs/bonus/vsftpd/start.sh
@ -0,0 +1,14 @@
+#!/bin/sh
+
+if [ ! -f vsftpd.conf.bak ]; then
+  mkdir -p /var/www
+  mv vsftpd.conf vsftpd.conf.bak
+  mv /tmp/vsftpd.conf .
+  adduser -D $FTP_USR
+  echo "$FTP_USR:$FTP_PWD" | chpasswd &> /dev/null
+  echo "$FTP_USR" >> /etc/vsftpd.userlist
+  chown -R $FTP_USR:$FTP_USR /var/www
+fi
+
+echo "FTP server started."
+vsftpd vsftpd.conf
--- a/srcs/bonus/vsftpd/vsftpd.conf
+++ b/srcs/bonus/vsftpd/vsftpd.conf
@ -0,0 +1,79 @@
+
+#anonymous_enable=NO
+#local_enable=YES
+#write_enable=YES
+#dirmessage_enable=YES
+#xferlog_enable=YES
+#connect_from_port_20=YES
+#chroot_local_user=YES
+#allow_writeable_chroot=YES
+#user_sub_token=$USER
+#local_root=/var/www
+#listen=YES
+#listen_port=21
+#listen_address=0.0.0.0
+#seccomp_sandbox=NO
+#pasv_enable=YES
+#pasv_min_port=21100
+#pasv_max_port=21110
+#userlist_enable=YES
+#userlist_file=/etc/vsftpd.userlist
+#userlist_deny=NO
+
+
+seccomp_sandbox=NO
+listen=YES
+listen_ipv6=NO
+listen_address=0.0.0.0
+listen_port=21
+user_sub_token=$USER
+local_root=/var/www
+connect_from_port_20=YES
+anonymous_enable=NO
+local_enable=YES
+write_enable=YES
+chroot_local_user=YES
+allow_writeable_chroot=YES
+#secure_chroot_dir=/var/run/vsftpd/empty\
+userlist_enable=YES
+userlist_file=/etc/vsftpd.userlist
+userlist_deny=NO
+pasv_enable=YES
+pasv_min_port=21100
+pasv_max_port=21100
+rsa_cert_file=/var/ssl/inception.pem
+ssl_enable=YES
+force_local_data_ssl=YES
+force_local_logins_ssl=YES
+ssl_tlsv1=YES
+ssl_sslv2=NO
+ssl_sslv3=NO
+ssl_ciphers=HIGH
+
+#local_umask=022
+#dirmessage_enable=YES
+#use_localtime=YES
+#xferlog_enable=YES
+#ascii_upload_enable=YES
+#ascii_download_enable=YES
+#chroot_list_file=/etc/vsftpd.chroot_list
+#pam_service_name=ftp
+#local_root=/var/www
+#guest_enable=YES
+#chown_uploads=YES
+#chown_username=nginx
+#guest_username=nginx
+#nopriv_user=nginx
+#virtual_use_local_privs=YES
+#pasv_enable=YES
+#pasv_min_port=1060
+#pasv_max_port=1069
+#pasv_address=localhost
+#rsa_cert_file=/etc/vsftpd/ssl/vsftpd.pem
+#ssl_enalbe=YES
+#force_local_data_ssl=YES
+#force_local_logins_ssl=YES
+#ssl_tlsv1=NO
+#ssl_tlsv2=YES
+#ssl_tlsv3=NO
+
--- a/srcs/docker-compose.yml
+++ b/srcs/docker-compose.yml
@ -4,13 +4,38 @@ networks:
  local:

 services:
+  gitea:
+    build: bonus/gitea/
+    container_name: gitea
+    depends_on:
+      - mariadb
+    ports:
+      - 3000:3000
+      - 22:22
+    networks:
+      - local
+    env_file: .env
+    restart: always
+  vsftpd:
+    build: bonus/vsftpd/
+    container_name: vsftpd
+    ports:
+      - 21:21
+      - 21100:21100
+    volumes:
+      - /home/narnaud/data/www:/var/www
+      - /home/narnaud/data/ssl:/var/ssl
+    networks:
+      - local
+    restart: always
+    env_file: .env
  mariadb:
    build: mariadb/
    container_name: mariadb
    ports: 
      - 3306:3306
    volumes: 
-      - "/home/narnaud/data/mariadb:/var/lib/mysql"
+      - /home/narnaud/data/mariadb:/var/lib/mysql
    networks: 
      - local
    restart: always
@ -29,7 +54,7 @@ services:
    build: bonus/hexo/
    container_name: hexo
    volumes:
-      - '/home/narnaud/data/www:/var/www'
+      - /home/narnaud/data/www:/var/www
    networks:
      - local
    env_file: .env
@ -44,7 +69,7 @@ services:
      - 9000:9000
      - 4000:4000
    volumes: 
-      - '/home/narnaud/data/www:/var/www'
+      - /home/narnaud/data/www:/var/www
    networks: 
      - local
    restart: always
@ -60,8 +85,8 @@ services:
      - 80:80
      - 443:443
    volumes: 
-      - '/home/narnaud/data/www:/var/www'
-      - '/home/narnaud/data/logs:/var/log/nginx'
+      - /home/narnaud/data/www:/var/www
+      - /home/narnaud/data/ssl:/var/ssl
    networks: 
      - local
    restart: always
--- a/srcs/mariadb/Dockerfile
+++ b/srcs/mariadb/Dockerfile
@ -3,6 +3,6 @@ FROM alpine:3.15
 RUN	apk update && apk upgrade && apk add --no-cache \
        mariadb mariadb-client
        
-COPY init.sh /tmp/init.sh
+COPY start.sh /tmp/start.sh

-ENTRYPOINT ["sh", "/tmp/init.sh"]
+ENTRYPOINT ["sh", "/tmp/start.sh"]
--- a/srcs/mariadb/start.sh
+++ b/srcs/mariadb/start.sh
@ -16,26 +16,25 @@ if [ ! -d "/var/lib/mysql/mysql" ]; then
 		return 1
 	fi

-	cat << EOF > $tfile
+	mysqld --user=mysql --bootstrap << EOF
 USE mysql;
 FLUSH PRIVILEGES;
-
 DELETE FROM	mysql.user WHERE User='';
 DROP DATABASE test;
 DELETE FROM mysql.db WHERE Db='test';
 DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
-
 ALTER USER 'root'@'localhost' IDENTIFIED BY '$MYSQL_ROOT_PWD';
 CREATE DATABASE $WP_DATABASE_NAME CHARACTER SET utf8 COLLATE utf8_general_ci;
 CREATE USER '$WP_DATABASE_USR'@'%' IDENTIFIED by '$WP_DATABASE_PWD';
 GRANT ALL PRIVILEGES ON $WP_DATABASE_NAME.* TO '$WP_DATABASE_USR'@'%';

+CREATE DATABASE $GITEA_DATABASE_NAME CHARACTER SET 'utf8mb4' COLLATE 'utf8mb4_unicode_ci';
+CREATE USER '$GITEA_DATABASE_USR'@'%' IDENTIFIED BY '$GITEA_DATABASE_PWD';
+GRANT ALL PRIVILEGES ON $GITEA_DATABASE_NAME.* TO '$GITEA_DATABASE_USR'@'%';
 FLUSH PRIVILEGES;
 EOF
-  /usr/bin/mysqld --user=mysql --bootstrap < $tfile
-  rm -f $tfile
 fi
 sed -i "s|skip-networking|# skip-networking|g" /etc/my.cnf.d/mariadb-server.cnf
 sed -i "s|.*bind-address\s*=.*|bind-address=0.0.0.0|g" /etc/my.cnf.d/mariadb-server.cnf

-exec /usr/bin/mysqld --user=mysql --console
+mysqld --user=mysql --console
--- a/srcs/nginx/Dockerfile
+++ b/srcs/nginx/Dockerfile
@ -1,13 +1,8 @@
 FROM alpine:3.15

-RUN	apk update && apk upgrade && apk add --no-cache \
-        nginx \
-        openssl
-
-RUN mkdir /etc/nginx/ssl
-RUN openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes \
-        -out /etc/nginx/ssl/inception.pem -keyout /etc/nginx/ssl/inception.key \
-        -subj "/C=FR/ST=Nice/L=Nice/O=42/OU=student/CN=inception_narnaud/"
+RUN	apk update && apk upgrade && apk add --no-cache nginx
+
+RUN mkdir -p /var/ssl

 RUN mkdir -p /run/nginx
 COPY nginx.conf /etc/nginx/http.d/default.conf
--- a/srcs/nginx/nginx.conf
+++ b/srcs/nginx/nginx.conf
@ -4,7 +4,6 @@ server {
 	server_name localhost;

 	return 301 https://$host$request_uri;
-
 }

 server {
@ -12,8 +11,8 @@ server {
  listen [::]:443 ssl;
  server_name localhost;

-  ssl_certificate /etc/nginx/ssl/inception.pem;
-  ssl_certificate_key /etc/nginx/ssl/inception.key;
+  ssl_certificate /var/ssl/inception.pem;
+  ssl_certificate_key /var/ssl/inception.pem;
  ssl_protocols TLSv1.2 TLSv1.3;

  root /var/www/html/public;
@ -35,4 +34,23 @@ server {
      fastcgi_param HTTPS on;
    }
  }
+  
+  location ~ /adminer(\.php)$ {
+    root /var/www/wordpress;
+    try_files $uri $uri/ /adminer.php?$args;
+      include fastcgi_params;
+      fastcgi_pass wordpress:9000;
+      fastcgi_index index.php;
+      fastcgi_intercept_errors on;
+      fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
+      fastcgi_param HTTPS on;
+  }
+  
+  location /git/ {
+    proxy_pass http://gitea:3000/;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+  }
 }
--- a/srcs/wordpress/Dockerfile
+++ b/srcs/wordpress/Dockerfile
@ -21,5 +21,5 @@ RUN ln -s /usr/bin/php8 /usr/bin/php
 WORKDIR /var/www/wordpress/


-COPY init.sh /tmp/init.sh
-ENTRYPOINT [ "sh", "/tmp/init.sh" ]
+COPY start.sh /tmp/start.sh
+ENTRYPOINT [ "sh", "/tmp/start.sh" ]
--- a/srcs/wordpress/init.sh
+++ b/srcs/wordpress/init.sh
@ -1,23 +0,0 @@
-#!/bin/sh
-while ! mariadb -h$MYSQL_HOST -u$WP_DATABASE_USR -p$WP_DATABASE_PWD $WP_DATABASE_NAME &>/dev/null; do
-  sleep 5
-done
-
-if [ ! -f "/var/www/wordpress/index.php" ]; then
-  wp core download --allow-root
-  wp config create --dbname=$WP_DATABASE_NAME --dbuser=$WP_DATABASE_USR --dbpass=$WP_DATABASE_PWD --dbhost=$MYSQL_HOST --dbcharset="utf8" --dbcollate="utf8_general_ci" --allow-root
-  wp core install --url=$WP_URL --title=$WP_TITLE --admin_user=$WP_ADMIN_USR --admin_password=$WP_ADMIN_PWD --admin_email=$WP_ADMIN_EMAIL --skip-email --allow-root
-  wp user create $WP_USR $WP_EMAIL --role=author --user_pass=$WP_PWD --allow-root
-
-  sed -i "90i define('WP_REDIS_HOST', 'redis');"      wp-config.php
-  sed -i "91i define('WP_REDIS_PORT', 6379);"         wp-config.php
-  sed -i "92i define('WP_REDIS_TIMEOUT', 1);"         wp-config.php
-  sed -i "93i define('WP_REDIS_READ_TIMEOUT', 1);"    wp-config.php
-  sed -i "94i define('WP_REDIS_DATABASE', 0);"        wp-config.php
-
-  wp plugin install redis-cache --activate --allow-root
-  wp plugin update --all --allow-root
-  wget -O /var/www/wordpress/adminer.php https://github.com/vrana/adminer/releases/download/v4.8.1/adminer-4.8.1-mysql-en.php
-fi
-wp redis enable --allow-root
-/usr/sbin/php-fpm8 -F -R
--- a/srcs/wordpress/php-fpm.conf
+++ b/srcs/wordpress/php-fpm.conf
@ -1,10 +1,6 @@
 [global]
 pid = run/php-fpm8.pid
-
 emergency_restart_threshold = 10
-
 emergency_restart_interval = 10m
-
-daemonize = yes
-
+daemonize = no
 include=/etc/php8/php-fpm.d/*.conf
--- a/srcs/wordpress/start.sh
+++ b/srcs/wordpress/start.sh
@ -0,0 +1,25 @@
+#!/bin/sh
+while ! mariadb -hmariadb -u$WP_DATABASE_USR -p$WP_DATABASE_PWD $WP_DATABASE_NAME &>/dev/null; do
+  echo "Wordpress waiting db..."
+  sleep 5
+done
+
+if [ ! -f "index.php" ]; then
+  wp core download --allow-root
+  wp config create --dbname=$WP_DATABASE_NAME --dbuser=$WP_DATABASE_USR --dbpass=$WP_DATABASE_PWD --dbhost=mariadb --dbcharset="utf8" --dbcollate="utf8_general_ci" --allow-root
+  wp core install --url=https://$DOMAIN/wordpress --title=$WP_TITLE --admin_user=$WP_ADMIN_USR --admin_password=$WP_ADMIN_PWD --admin_email=$WP_ADMIN_EMAIL --skip-email --allow-root
+  wp user create $WP_USR $WP_EMAIL --role=author --user_pass=$WP_PWD --allow-root
+  wp theme install generatepress --activate --allow-root
+
+  sed -i "90i define('WP_REDIS_HOST', 'redis');" wp-config.php
+  sed -i "91i define('WP_REDIS_PORT', 6379);" wp-config.php
+  sed -i "92i define('WP_REDIS_TIMEOUT', 1);" wp-config.php
+  sed -i "93i define('WP_REDIS_READ_TIMEOUT', 1);" wp-config.php
+  sed -i "94i define('WP_REDIS_DATABASE', 0);" wp-config.php
+
+  wp plugin install redis-cache --activate --allow-root
+  wp plugin update --all --allow-root
+  wget -O adminer.php https://github.com/vrana/adminer/releases/download/v4.8.1/adminer-4.8.1-mysql-en.php
+fi
+wp redis enable --allow-root
+/usr/sbin/php-fpm8 -R &> /dev/null