| author | Thomas Vanbesien <tvanbesi@proton.me> | 2026-06-04 17:25:34 +0200 |
|---|---|---|
| committer | Thomas Vanbesien <tvanbesi@proton.me> | 2026-06-04 17:25:34 +0200 |
| commit | f87b35613f82e66b3854747ef6952dedc0674213 (patch) | |
| tree | 0ae4244105e89a47d967a0ca1cab24c6f01e3819 | |
| parent | 8511f9d5c5d37f66239b571cf2a2b19c97705edf (diff) | |
| download | net_services-f87b35613f82e66b3854747ef6952dedc0674213.tar.gz net_services-f87b35613f82e66b3854747ef6952dedc0674213.zip | |
misc: add git user setup, move TLS folder, nginx don't use cmd.bash
| -rw-r--r-- | compose.yaml | 5 | ||||
| -rw-r--r-- | readme.md | 4 | ||||
| -rw-r--r-- | services/nginx/fs/etc/nginx/templates/default.conf.template | 8 | ||||
| -rw-r--r-- | services/nginx/fs/etc/nginx/templates/services/cgit.conf.template | 4 | ||||
| -rw-r--r-- | services/nginx/fs/etc/nginx/templates/services/radicale.conf.template | 4 | ||||
| -rw-r--r-- | services/nginx/fs/etc/nginx/templates/services/syncthing.conf.template | 4 | ||||
| -rwxr-xr-x | services/nginx/fs/sbin/cmd.bash | 11 | ||||
| -rwxr-xr-x | tools/net_services | 105 |
8 files changed, 92 insertions, 53 deletions
diff --git a/compose.yaml b/compose.yaml index 326e830..f1f9879 100644 --- a/compose.yaml +++ b/compose.yaml @@ -7,7 +7,6 @@ services: dockerfile_inline: | FROM nginx:1.31-trixie ADD fs.tar.gz / - CMD ["/sbin/cmd.bash"] environment: - NGINX__HOST=${NGINX__HOST} networks: @@ -17,10 +16,8 @@ services: ports: - ${HOST__HTTP_PORT:?}:80 - ${HOST__HTTPS_PORT:?}:443 - tmpfs: - - /run/secrets:mode=400 volumes: - - ${HOST__SECRET_DIR:?}:/run/host_secrets:ro + - ${HOST__SECRET_DIR:?}:/etc/certs:ro depends_on: - cgit - radicale @@ -7,8 +7,8 @@ Sensitive data is not stored on the disk when containers start. It is copied int ## Requirements - `docker` -- `mkcert` for local CA certificate generation -- `htpasswd` for generating credentials for nginx +- `mkcert` +- `htpasswd` - `tar` ## How-to diff --git a/services/nginx/fs/etc/nginx/templates/default.conf.template b/services/nginx/fs/etc/nginx/templates/default.conf.template index f90b61a..e35cc41 100644 --- a/services/nginx/fs/etc/nginx/templates/default.conf.template +++ b/services/nginx/fs/etc/nginx/templates/default.conf.template @@ -20,8 +20,8 @@ server { server_name ${NGINX__HOST} www.${NGINX__HOST}; - ssl_certificate /run/secrets/server.crt; - ssl_certificate_key /run/secrets/server.key; + ssl_certificate /etc/certs/server.crt; + ssl_certificate_key /etc/certs/server.key; location / { root /srv; @@ -34,8 +34,8 @@ server { server_name _; - ssl_certificate /run/secrets/server.crt; - ssl_certificate_key /run/secrets/server.key; + ssl_certificate /etc/certs/server.crt; + ssl_certificate_key /etc/certs/server.key; return 444; } diff --git a/services/nginx/fs/etc/nginx/templates/services/cgit.conf.template b/services/nginx/fs/etc/nginx/templates/services/cgit.conf.template index c0fa070..4abcee9 100644 --- a/services/nginx/fs/etc/nginx/templates/services/cgit.conf.template +++ b/services/nginx/fs/etc/nginx/templates/services/cgit.conf.template 
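Review bot: With the `tmpfs` mount and the `install --mode 400` copy step gone, the nginx container now reads `server.key` straight from the bind-mounted `${HOST__SECRET_DIR:?}:/etc/certs:ro`, so the private key's exposure inside the container is governed only by the host file's ownership and mode, which nothing in this commit checks or documents. A short comment next to the volume line would make that contract explicit, e.g. `# server.key is read in place: keep it 0400/0600 on the host, the old tmpfs copy no longer enforces this`. The readme hunk's context line "Sensitive data is not stored on the disk when containers start. It is copied int…" appears to remain in readme.md and, for nginx at least, no longer describes what happens; it would be worth updating in the same commit. The nginx template hunks only follow the path rename and need no separate change.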
@@ -4,8 +4,8 @@ server { server_name git.${NGINX__HOST}; - ssl_certificate /run/secrets/server.crt; - ssl_certificate_key /run/secrets/server.key; + ssl_certificate /etc/certs/server.crt; + ssl_certificate_key /etc/certs/server.key; location / { proxy_pass http://cgit:80; diff --git a/services/nginx/fs/etc/nginx/templates/services/radicale.conf.template b/services/nginx/fs/etc/nginx/templates/services/radicale.conf.template index d6e4617..d0fd944 100644 --- a/services/nginx/fs/etc/nginx/templates/services/radicale.conf.template +++ b/services/nginx/fs/etc/nginx/templates/services/radicale.conf.template @@ -4,8 +4,8 @@ server { server_name dav.${NGINX__HOST}; - ssl_certificate /run/secrets/server.crt; - ssl_certificate_key /run/secrets/server.key; + ssl_certificate /etc/certs/server.crt; + ssl_certificate_key /etc/certs/server.key; location / { proxy_pass http://radicale:5232; diff --git a/services/nginx/fs/etc/nginx/templates/services/syncthing.conf.template b/services/nginx/fs/etc/nginx/templates/services/syncthing.conf.template index 31c90bb..1060588 100644 --- a/services/nginx/fs/etc/nginx/templates/services/syncthing.conf.template +++ b/services/nginx/fs/etc/nginx/templates/services/syncthing.conf.template @@ -4,8 +4,8 @@ server { server_name sync.${NGINX__HOST}; - ssl_certificate /run/secrets/server.crt; - ssl_certificate_key /run/secrets/server.key; + ssl_certificate /etc/certs/server.crt; + ssl_certificate_key /etc/certs/server.key; location / { proxy_pass http://syncthing:8384; diff --git a/services/nginx/fs/sbin/cmd.bash b/services/nginx/fs/sbin/cmd.bash deleted file mode 100755 index e024b4f..0000000 --- a/services/nginx/fs/sbin/cmd.bash +++ /dev/null 
@@ -1,11 +0,0 @@ -#!/usr/bin/bash -set -eu - -# Install sensitive data in tmpfs -install --mode 400 /run/host_secrets/server.crt /run/secrets/server.crt -install --mode 400 /run/host_secrets/server.key /run/secrets/server.key - -# We have to run the entrypoint again -# Because if the first positional parameter is not "nginx" or "nginx-debug" the scripts in /docker-entrypoint.d are not ran. -# https://github.com/nginx/docker-nginx/blob/master/stable/debian/docker-entrypoint.sh -exec /docker-entrypoint.sh nginx -g "daemon off;" diff --git a/tools/net_services b/tools/net_services index 64a4fb5..9652948 100755 --- a/tools/net_services +++ b/tools/net_services 
@@ -4,13 +4,68 @@ set -euo pipefail script_dir="$(dirname "$(realpath "$0")")" root_dir="$(realpath "$script_dir/..")" -env_file="$script_dir/../.env" -if ! [[ -r "$env_file" ]]; then - echo "$env_file is missing" >&2 - exit 1 -fi -# shellcheck disable=1090 -source "$env_file" +# generate_self_signed_cert <domain> <crt_dst> <key_dst> [<subdomains>...] +_generate_self_signed_cert() { + local crt_dst=${1:?missing crt_dst argument} + local key_dst=${2:?missing key_dst argument} + local domain=${3:?missing domain argument} + shift 3 + local -a subdomains=("$@") + mkcert -install + mkcert -cert-file "$crt_dst" -key-file "$key_dst" "${subdomains[@]/%/.$domain}" "$domain" +} + +# _generate_ovh_cert ovh_api_creds.ini example.com www dav sftp +_generate_ovh_cert() { + ini="${1:?missing ini argument}" + domain="${2:?missing domain argument}" + shift 2 + subdomains=("$@") + + shopt -s patsub_replacement + # Certificates are stored in `/etc/letsencrypt` by default + # shellcheck disable=SC2068 + sudo certbot certonly \ + --non-interactive \ + --expand \ + --dns-ovh \ + --dns-ovh-credentials "$ini" \ + --dns-ovh-propagation-seconds 60 \ + --domain "$domain" \ + ${subdomains[@]/*/--domain &."$domain"} +} + +setup_ssh_git_user() { + repo_folder="${1:-/home/git/git}" + + if ! id git &>/dev/null; then + sudo useradd --create-home git + fi + sudo usermod --shell "$(command -v git-shell)" git + + sudo mkdir --parent --mode 0755 /home/git/{git-shell-commands,.ssh} + sudo chown --recursive git /home/git + sudo mkdir --parent --mode 0755 "$repo_folder" + sudo chown --recursive git "$repo_folder" + + echo " +Match User git + PasswordAuthentication no + PubkeyAuthentication yes +" | sudo tee /etc/ssh/sshd_config.d/50-git-user.conf >/dev/null + + sudo systemctl restart sshd +} + +source_env() { + env_file="$script_dir/../.env" + if ! 
[[ -r "$env_file" ]]; then + echo "$env_file is missing" >&2 + exit 1 + fi + # shellcheck disable=1090 + source "$env_file" +} init() { for service in nginx radicale; do @@ -31,26 +86,22 @@ init() { mkdir --parents "$dir" done - # generate_self_signed_cert <domain> <crt_dst> <key_dst> [<subdomains>...] - generate_self_signed_cert() { - local crt_dst=${1:?missing crt_dst argument} - local key_dst=${2:?missing key_dst argument} - local domain=${3:?missing domain argument} - shift 3 - local -a subdomains=("$@") - mkcert -install - mkcert -cert-file "$crt_dst" -key-file "$key_dst" "${subdomains[@]/%/.$domain}" "$domain" - } local crt_file="$HOST__SECRET_DIR/server.crt" local key_file="$HOST__SECRET_DIR/server.key" - if ! [[ -e "$crt_file" && -e "$key_file" ]]; then - echo "$crt_file or $key_file missing" - read -rn 1 -p "Create? (y/n)" input - echo - if [[ $input == y ]]; then - generate_self_signed_cert "$crt_file" "$key_file" "$NGINX__HOST" www git sync dav - fi - fi + local -a subdomains=(www dav git sync) + echo "Generate/renew TLS certificate?" + select choice in OVH self-signed no; do + case $choice in + OVH) + read -rep "Enter path (relative or absolute) to your OVH API credentials:" ovh_api_creds_file + _generate_ovh_cert "$ovh_api_creds_file" "$NGINX__HOST" "${subdomains[@]}" + sudo ln --symbolic --relative --force "/etc/letsencrypt/live/$NGINX__HOST/fullchain.pem" /etc/letsencrypt/server.crt + sudo ln --symbolic --relative --force "/etc/letsencrypt/live/$NGINX__HOST/privkey.pem" /etc/letsencrypt/server.key + ;; + self-signed) _generate_self_signed_cert "$crt_file" "$key_file" "$NGINX__HOST" "${subdomains[@]}" ;; + esac + break + done if ! [[ -e "$HOST__RADICALE_USERS_DIR/.htpasswd" ]]; then read -rp "Initial Radicale username: " username 
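Review bot: In `setup_ssh_git_user`, `sudo usermod --shell "$(command -v git-shell)" git` silently degrades if `git-shell` is absent: the substitution expands to an empty string, its non-zero status is not seen by `set -e` because it sits inside an argument, and `usermod --shell ""` leaves the `git` account with an empty (i.e. unrestricted, default) login shell instead of failing. Resolve the path first and abort when missing: `local git_shell`, `git_shell=$(command -v git-shell) || { echo "git-shell not found" >&2; return 1; }`, `sudo usermod --shell "$git_shell" git`. Unlike `_generate_self_signed_cert`, neither `_generate_ovh_cert` (`ini`, `domain`, `subdomains`) nor `setup_ssh_git_user` (`repo_folder`) declares its variables `local`, and `shopt -s patsub_replacement` is switched on for the rest of the script rather than being scoped to the one expansion that needs it. Since the new sshd_config.d snippet is applied with an unconditional `sudo systemctl restart sshd`, a `sudo sshd -t` before the restart would avoid losing SSH access on a config error; `.ssh` is also created 0755 where 0700 is the usual choice.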
@@ -67,10 +118,12 @@ init() { cp_if_absent "$root_dir/services/cgit/examples/commit-filter.sh" "$HOST__CGIT_FILTER_DIR/commit-filter.sh" } +source_env case ${1:-} in init) init ;; +git) setup_ssh_git_user ;; *) - echo "usage: net_services init" + echo "usage: net_services init|git" exit 1 ;; esac |
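Review bot: The `OVH` branch of the new `select` writes its symlinks to the hard-coded `/etc/letsencrypt/server.crt` and `/etc/letsencrypt/server.key`, while `crt_file` and `key_file` (`$HOST__SECRET_DIR/server.*`) are consumed only by the `self-signed` branch; compose.yaml mounts `$HOST__SECRET_DIR` into the container, so unless that variable happens to point at `/etc/letsencrypt` the certbot-issued certificate never reaches nginx and the symlink step appears to be a no-op for the deployment. Using the already-computed targets keeps both branches consistent: `sudo ln --symbolic --relative --force "/etc/letsencrypt/live/$NGINX__HOST/fullchain.pem" "$crt_file"` and likewise `"$key_file"` for `privkey.pem`. If `HOST__SECRET_DIR` is intended to be `/etc/letsencrypt` for the OVH case, a comment stating that requirement on the branch would do. `init()` begins and ends outside this hunk.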
