WIP

2025-04-25 06:16:58 +00:00 · 2023-11-17 16:15:25 +01:00 · 2023-11-17 16:15:25 +01:00 · 0e334d8e64
commit 0e334d8e64
parent dd5124912e
32 changed files with 611 additions and 211 deletions
--- a/cli/certs.go
+++ b/cli/certs.go
@ -0,0 +1,69 @@
+package cli
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/urfave/cli/v2"
+)
+
+var Certs = &cli.Command{
+	Name:  "certs",
+	Usage: "manage certs manually",
+	Subcommands: []*cli.Command{
+		{
+			Name:   "list",
+			Usage:  "list all certificates in the database",
+			Action: listCerts,
+		},
+		{
+			Name:   "remove",
+			Usage:  "remove a certificate from the database",
+			Action: removeCert,
+		},
+	},
+	Flags: CertStorageFlags,
+}
+
+func listCerts(ctx *cli.Context) error {
+	certDB, closeFn, err := OpenCertDB(ctx)
+	if err != nil {
+		return err
+	}
+	defer closeFn()
+
+	items, err := certDB.Items(0, 0)
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("Domain\tValidTill\n\n")
+	for _, cert := range items {
+		fmt.Printf("%s\t%s\n",
+			cert.Domain,
+			time.Unix(cert.ValidTill, 0).Format(time.RFC3339))
+	}
+	return nil
+}
+
+func removeCert(ctx *cli.Context) error {
+	if ctx.Args().Len() < 1 {
+		return fmt.Errorf("'certs remove' requires at least one domain as an argument")
+	}
+
+	domains := ctx.Args().Slice()
+
+	certDB, closeFn, err := OpenCertDB(ctx)
+	if err != nil {
+		return err
+	}
+	defer closeFn()
+
+	for _, domain := range domains {
+		fmt.Printf("Removing domain %s from the database...\n", domain)
+		if err := certDB.Delete(domain); err != nil {
+			return err
+		}
+	}
+	return nil
+}
--- a/cli/flags.go
+++ b/cli/flags.go
@ -0,0 +1,181 @@
+package cli
+
+import (
+	"github.com/urfave/cli/v2"
+)
+
+var (
+	CertStorageFlags = []cli.Flag{
+		&cli.StringFlag{
+			Name:    "db-type",
+			Usage:   "Specify the database driver. Valid options are \"sqlite3\", \"mysql\" and \"postgres\". Read more at https://xorm.io",
+			Value:   "sqlite3",
+			EnvVars: []string{"DB_TYPE"},
+		},
+		&cli.StringFlag{
+			Name:    "db-conn",
+			Usage:   "Specify the database connection. For \"sqlite3\" it's the filepath. Read more at https://go.dev/doc/tutorial/database-access",
+			Value:   "certs.sqlite",
+			EnvVars: []string{"DB_CONN"},
+		},
+	}
+
+	ServerFlags = append(CertStorageFlags, []cli.Flag{
+		// #############
+		// ### Gitea ###
+		// #############
+		// GiteaRoot specifies the root URL of the Gitea instance, without a trailing slash.
+		&cli.StringFlag{
+			Name:    "gitea-root",
+			Usage:   "specifies the root URL of the Gitea instance, without a trailing slash.",
+			EnvVars: []string{"GITEA_ROOT"},
+			Value:   "https://codeberg.org",
+		},
+		// GiteaApiToken specifies an api token for the Gitea instance
+		&cli.StringFlag{
+			Name:    "gitea-api-token",
+			Usage:   "specifies an api token for the Gitea instance",
+			EnvVars: []string{"GITEA_API_TOKEN"},
+			Value:   "",
+		},
+		&cli.BoolFlag{
+			Name:    "enable-lfs-support",
+			Usage:   "enable lfs support, require gitea >= v1.17.0 as backend",
+			EnvVars: []string{"ENABLE_LFS_SUPPORT"},
+			Value:   true,
+		},
+		&cli.BoolFlag{
+			Name:    "enable-symlink-support",
+			Usage:   "follow symlinks if enabled, require gitea >= v1.18.0 as backend",
+			EnvVars: []string{"ENABLE_SYMLINK_SUPPORT"},
+			Value:   true,
+		},
+
+		// ###########################
+		// ### Page Server Domains ###
+		// ###########################
+		// MainDomainSuffix specifies the main domain (starting with a dot) for which subdomains shall be served as static
+		// pages, or used for comparison in CNAME lookups. Static pages can be accessed through
+		// https://{owner}.{MainDomain}[/{repo}], with repo defaulting to "pages".
+		&cli.StringFlag{
+			Name:    "pages-domain",
+			Usage:   "specifies the main domain (starting with a dot) for which subdomains shall be served as static pages",
+			EnvVars: []string{"PAGES_DOMAIN"},
+			Value:   "codeberg.page",
+		},
+		// RawDomain specifies the domain from which raw repository content shall be served in the following format:
+		// https://{RawDomain}/{owner}/{repo}[/{branch|tag|commit}/{version}]/{filepath...}
+		// (set to []byte(nil) to disable raw content hosting)
+		&cli.StringFlag{
+			Name:    "raw-domain",
+			Usage:   "specifies the domain from which raw repository content shall be served, not set disable raw content hosting",
+			EnvVars: []string{"RAW_DOMAIN"},
+			Value:   "raw.codeberg.page",
+		},
+
+		// #########################
+		// ### Page Server Setup ###
+		// #########################
+		&cli.StringFlag{
+			Name:    "host",
+			Usage:   "specifies host of listening address",
+			EnvVars: []string{"HOST"},
+			Value:   "[::]",
+		},
+		&cli.UintFlag{
+			Name:    "port",
+			Usage:   "specifies the https port to listen to ssl requests",
+			EnvVars: []string{"PORT", "HTTPS_PORT"},
+			Value:   443,
+		},
+		&cli.UintFlag{
+			Name:    "http-port",
+			Usage:   "specifies the http port, you also have to enable http server via ENABLE_HTTP_SERVER=true",
+			EnvVars: []string{"HTTP_PORT"},
+			Value:   80,
+		},
+		&cli.BoolFlag{
+			Name:    "enable-http-server",
+			Usage:   "start a http server to redirect to https and respond to http acme challenges",
+			EnvVars: []string{"ENABLE_HTTP_SERVER"},
+			Value:   false,
+		},
+		// Default branches to fetch assets from
+		&cli.StringSliceFlag{
+			Name:    "pages-branch",
+			Usage:   "define a branch to fetch assets from",
+			EnvVars: []string{"PAGES_BRANCHES"},
+			Value:   cli.NewStringSlice("pages"),
+		},
+
+		&cli.StringSliceFlag{
+			Name:    "allowed-cors-domains",
+			Usage:   "specify allowed CORS domains",
+			EnvVars: []string{"ALLOWED_CORS_DOMAINS"},
+		},
+		&cli.StringSliceFlag{
+			Name:    "blacklisted-paths",
+			Usage:   "return an error on these url paths",
+			EnvVars: []string{"BLACKLISTED_PATHS"},
+		},
+
+		&cli.StringFlag{
+			Name:    "log-level",
+			Value:   "warn",
+			Usage:   "specify at which log level should be logged. Possible options: info, warn, error, fatal",
+			EnvVars: []string{"LOG_LEVEL"},
+		},
+		&cli.StringFlag{
+			Name:    "config-file",
+			Usage:   "specify the location of the config file",
+			Aliases: []string{"config"},
+			EnvVars: []string{"CONFIG_FILE"},
+		},
+
+		// ############################
+		// ### ACME Client Settings ###
+		// ############################
+		&cli.StringFlag{
+			Name:    "acme-api-endpoint",
+			EnvVars: []string{"ACME_API"},
+			Value:   "https://acme-v02.api.letsencrypt.org/directory",
+		},
+		&cli.StringFlag{
+			Name:    "acme-email",
+			EnvVars: []string{"ACME_EMAIL"},
+			Value:   "noreply@example.email",
+		},
+		&cli.BoolFlag{
+			Name: "acme-use-rate-limits",
+			// TODO: Usage
+			EnvVars: []string{"ACME_USE_RATE_LIMITS"},
+			Value:   true,
+		},
+		&cli.BoolFlag{
+			Name:    "acme-accept-terms",
+			Usage:   "To accept the ACME ToS",
+			EnvVars: []string{"ACME_ACCEPT_TERMS"},
+		},
+		&cli.StringFlag{
+			Name:    "acme-eab-kid",
+			Usage:   "Register the current account to the ACME server with external binding.",
+			EnvVars: []string{"ACME_EAB_KID"},
+		},
+		&cli.StringFlag{
+			Name:    "acme-eab-hmac",
+			Usage:   "Register the current account to the ACME server with external binding.",
+			EnvVars: []string{"ACME_EAB_HMAC"},
+		},
+		&cli.StringFlag{
+			Name:    "dns-provider",
+			Usage:   "Use DNS-Challenge for main domain. Read more at: https://go-acme.github.io/lego/dns/",
+			EnvVars: []string{"DNS_PROVIDER"},
+		},
+		&cli.StringFlag{
+			Name:    "acme-account-config",
+			Usage:   "json file of acme account",
+			Value:   "acme-account.json",
+			EnvVars: []string{"ACME_ACCOUNT_CONFIG"},
+		},
+	}...)
+)
--- a/cli/setup.go
+++ b/cli/setup.go
@ -0,0 +1,78 @@
+package cli
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/rs/zerolog/log"
+	"github.com/urfave/cli/v2"
+
+	"codeberg.org/codeberg/pages/server/cache"
+	"codeberg.org/codeberg/pages/server/certificates"
+	"codeberg.org/codeberg/pages/server/database"
+	"codeberg.org/codeberg/pages/server/version"
+)
+
+var ErrAcmeMissConfig = errors.New("ACME client has wrong config")
+
+func CreatePagesApp() *cli.App {
+	app := cli.NewApp()
+	app.Name = "pages-server"
+	app.Version = version.Version
+	app.Usage = "pages server"
+	app.Flags = ServerFlags
+	app.Commands = []*cli.Command{
+		Certs,
+	}
+
+	return app
+}
+
+func OpenCertDB(ctx *cli.Context) (certDB database.CertDB, closeFn func(), err error) {
+	certDB, err = database.NewXormDB(ctx.String("db-type"), ctx.String("db-conn"))
+	if err != nil {
+		return nil, nil, fmt.Errorf("could not connect to database: %w", err)
+	}
+
+	closeFn = func() {
+		if err := certDB.Close(); err != nil {
+			log.Error().Err(err)
+		}
+	}
+
+	return certDB, closeFn, nil
+}
+
+func CreateAcmeClient(ctx *cli.Context, enableHTTPServer bool, challengeCache cache.ICache) (*certificates.AcmeClient, error) {
+	acmeAPI := ctx.String("acme-api-endpoint")
+	acmeMail := ctx.String("acme-email")
+	acmeEabHmac := ctx.String("acme-eab-hmac")
+	acmeEabKID := ctx.String("acme-eab-kid")
+	acmeAcceptTerms := ctx.Bool("acme-accept-terms")
+	dnsProvider := ctx.String("dns-provider")
+	acmeUseRateLimits := ctx.Bool("acme-use-rate-limits")
+	acmeAccountConf := ctx.String("acme-account-config")
+
+	// check config
+	if (!acmeAcceptTerms || dnsProvider == "") && acmeAPI != "https://acme.mock.directory" {
+		return nil, fmt.Errorf("%w: you must set $ACME_ACCEPT_TERMS and $DNS_PROVIDER, unless $ACME_API is set to https://acme.mock.directory", ErrAcmeMissConfig)
+	}
+	if acmeEabHmac != "" && acmeEabKID == "" {
+		return nil, fmt.Errorf("%w: ACME_EAB_HMAC also needs ACME_EAB_KID to be set", ErrAcmeMissConfig)
+	} else if acmeEabHmac == "" && acmeEabKID != "" {
+		return nil, fmt.Errorf("%w: ACME_EAB_KID also needs ACME_EAB_HMAC to be set", ErrAcmeMissConfig)
+	}
+
+	return certificates.NewAcmeClient(
+		acmeAccountConf,
+		acmeAPI,
+		acmeMail,
+		acmeEabHmac,
+		acmeEabKID,
+		dnsProvider,
+		acmeAcceptTerms,
+		enableHTTPServer,
+		acmeUseRateLimits,
+		challengeCache,
+	)
+}