Linode Stackscript for setting up a Gitea server

linode-stackscript-gitea.sh

#!/bin/bash
# This block defines the variables the user of the script needs to input
# when deploying using this script.
#
#<UDF name="hostname" label="The hostname for the new Linode." default="gitea">
#<UDF name="FQDN" label="The new Linode's Fully Qualified Domain Name">
#<UDF name="POSTGRES_PASSWORD" label="The password to use for PostgreSQL">
#<UDF name="GITEA_VERSION" label="The Gitea Version to install" default="1.5" oneof="1.4.0,1.4.1,1.4.2,1.4.3,1.5">

# This sets the variable $IPADDR to the IP address the new Linode receives.
IPADDR=$(/sbin/ifconfig eth0 | awk '/inet / { print $2 }' | sed 's/addr://')

# This section sets the hostname.
echo $HOSTNAME > /etc/hostname
hostname -F /etc/hostname


mkdir -p /root/.ssh
echo $PUBKEY >> /root/.ssh/authorized_keys

# Update system
apt update
apt upgrade -y

# Install mosh for good ssh access
apt install -y mosh

# This section sets the Fully Qualified Domain Name (FQDN) in the hosts file.
echo $IPADDR $FQDN $HOSTNAME >> /etc/hosts

# Install PostgreSQL
apt install -y postgresql

# Setup database
sudo -u postgres psql -c "CREATE USER gitea WITH PASSWORD '${POSTGRES_PASSWORD}'";
sudo -u postgres psql -c "CREATE DATABASE gitea OWNER gitea;"

# Add git system user
adduser \
   --system \
   --shell /bin/bash \
   --gecos 'Git Version Control' \
   --group \
   --disabled-password \
   --home /home/git \
   git

# Setup gitea prerequisites
mkdir -p /var/lib/gitea/{custom,data,indexers,public,log}
chown git:git /var/lib/gitea/{data,indexers,log}
chmod 750 /var/lib/gitea/{data,indexers,log}
mkdir /etc/gitea
chown root:git /etc/gitea
chmod 770 /etc/gitea

# Install gitea
wget -O /usr/local/bin/gitea https://dl.gitea.io/gitea/${GITEA_VERSION}/gitea-${GITEA_VERSION}-linux-amd64
chmod +x /usr/local/bin/gitea

# Setup systemd service
cat > /etc/systemd/system/gitea.service <<EOF
[Unit]
Description=Gitea (Git with a cup of tea)
After=syslog.target
After=network.target
#After=mysqld.service
After=postgresql.service
#After=memcached.service
#After=redis.service

[Service]
#LimitMEMLOCK=infinity
#LimitNOFILE=65535
RestartSec=2s
Type=simple
User=git
Group=git
WorkingDirectory=/var/lib/gitea/
ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
Restart=always
Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea

[Install]
WantedBy=multi-user.target
EOF

systemctl enable gitea
# systemctl start gitea

adduser \
   --system \
   --shell /bin/bash \
   --gecos 'Caddy Web Server' \
   --group \
   --disabled-password \
   --home /home/caddy \
   caddy

curl https://getcaddy.com | bash -s personal http.nobots,http.ratelimit

mkdir -p /etc/ssl/caddy
chown -R caddy:caddy /etc/ssl/caddy

cat > /etc/systemd/system/caddy.service <<EOF
[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
Restart=on-abnormal
User=caddy
Group=caddy
Environment=CADDYPATH=/etc/ssl/caddy
ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
ExecReload=/bin/kill -USR1 $MAINPID
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
PrivateDevices=false
ProtectHome=true
ProtectSystem=full
ReadWriteDirectories=/etc/ssl/caddy
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
EOF

mkdir -p /etc/caddy

cat > /etc/caddy/Caddyfile <<EOF
${FQDN} {
	proxy / localhost:3000
}
EOF

chown caddy:caddy /etc/caddy/Caddyfile
chmod 444 /etc/caddy/Caddyfile

systemctl enable caddy
# systemctl start caddy

# Setup Fail2ban
apt install -y fail2ban
mkdir -p /etc/fail2ban/filter.d
mkdir -p /etc/fail2ban/jail.d

cat > /etc/fail2ban/filter.d/gitea.conf <<EOF
[Definition]
failregex =  .*Failed authentication attempt for .* from <HOST>
ignoreregex =
EOF

cat > /etc/fail2ban/jail.d/jail.local <<EOF
[gitea]
enabled = true
port = http,https
filter = gitea
logpath = /home/git/gitea/log/gitea.log
maxretry = 10
findtime = 3600
bantime = 900
action = iptables-allports
EOF

# Setup firewall
echo iptables-persistent iptables-persistent/autosave_v4 boolean false | debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean false | debconf-set-selections
sudo apt-get -y install iptables-persistent

mkdir -p /etc/iptables
cat > /etc/iptables/rules.v4 <<EOF
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m multiport --dports 22,60000:60999 -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
cat > /etc/iptables/rules.v6 <<EOF
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s ::1/128 -j REJECT
-A INPUT -p icmpv6 -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m multiport --dports 22,60000:60999 -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF

reboot