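#!/bin/bash
# Deploy the cgit container: rebuild the image, (re)create the container on a
# fixed private IP, and point a dedicated public IP at it with nftables
# DNAT/SNAT. Must run as root (podman --ip, nft, ip route, writes to /git/.ssh).
#
# Required variables from config.env (next to this script):
#   NETWORK, PRIVATE_SUBNET, CONTAINER_NAME, PUBLIC_IP, PRIVATE_IP, DOMAIN
# The same file is also handed to the container via --env-file, so everything
# in it is visible inside the container — keep host-only secrets elsewhere.
#
# Assumes the `ip nat` table with PREROUTING/POSTROUTING base chains already
# exists on the host (e.g. from iptables-nft/firewalld); `nft add rule` fails
# otherwise and set -e aborts the deploy after the container is up.
set -eu
# No pipefail on purpose: the stale-rule cleanup pipelines end in a
# `grep | while` that legitimately matches nothing on a fresh host.

here="$(dirname "$0")"

die() { printf 'deploy: %s\n' "$*" >&2; exit 1; }

# nft / ip route / podman --ip all need root; fail early with a clear message
# instead of half-deploying and dying at the first nft call.
[[ "$EUID" -eq 0 ]] || die "must run as root (nft, ip route, podman --ip)"

# Load config
# shellcheck source=/dev/null
source "${here}/config.env"
for var in NETWORK PRIVATE_SUBNET CONTAINER_NAME PUBLIC_IP PRIVATE_IP DOMAIN; do
  [[ -n "${!var:-}" ]] || die "config.env: ${var} is not set"
done

# Build first: a failed build leaves the currently running container untouched
# instead of taking the service down before we know we have something to start.
echo "Building image..."
podman build -t cgit "${here}"

# Create network if not exists
if ! podman network exists "${NETWORK}"; then
  echo "Creating network: ${NETWORK} (subnet: ${PRIVATE_SUBNET})"
  podman network create --subnet="${PRIVATE_SUBNET}" "${NETWORK}"
else
  echo "Network exists: ${NETWORK}"
fi

# Stop existing container if running (best effort: it may not exist yet)
podman stop "${CONTAINER_NAME}" 2>/dev/null || true
podman rm "${CONTAINER_NAME}" 2>/dev/null || true

# Rebuild authorized_keys from .pub files. The file is regenerated from scratch
# on every deploy, so revoking a key = deleting its .pub and redeploying.
# /git is bind-mounted read-write into the container below, so anything that
# can write inside the container can also drop a .pub here and get it picked
# up on the next deploy — TODO(review): consider mounting the key directory
# read-only into the container, or keeping the .pub sources outside /git.
mkdir -p /git/.ssh
rm -f /git/.ssh/authorized_keys
# With no .pub files the glob stays literal and cat fails; an empty
# authorized_keys is the intended result in that case.
cat /git/.ssh/*.pub > /git/.ssh/authorized_keys 2>/dev/null || true
chmod 600 /git/.ssh/authorized_keys

# Run container
# --cap-add=NET_ADMIN lets the container reconfigure its own network namespace
# (interfaces, netfilter). Presumably needed by something in the image — confirm
# and drop it if nothing there requires it.
podman run -d \
  --init \
  --name "${CONTAINER_NAME}" \
  --network "${NETWORK}" \
  --ip "${PRIVATE_IP}" \
  --cap-add=NET_ADMIN \
  --pids-limit=100 \
  --env-file "${here}/config.env" \
  -v "${CONTAINER_NAME}_data:/data" \
  -v /git:/git \
  localhost/cgit

# Setup public IP via DNAT/SNAT
# The bridge interface only appears once a container is attached; give it a moment.
sleep 2
# Interface carrying the default route (where SNAT'd traffic leaves). Take the
# word after "dev" rather than a fixed field: "default via X dev Y" and
# "default dev Y" lay out differently.
OIFACE="$(ip route show default | awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i+1); exit}}')"
[[ -n "${OIFACE}" ]] || die "cannot determine default-route interface"
BRIDGE="$(podman network inspect --format '{{.NetworkInterface}}' "${NETWORK}")"
[[ -n "${BRIDGE}" ]] || die "cannot determine bridge interface for network ${NETWORK}"

#######################################
# Delete every rule in a chain whose text contains all given fixed strings.
# Best effort: a missing chain or no matching rule is not an error.
# Arguments: $1 family, $2 table, $3 chain, $4.. fixed strings (grep -F) the
#            rule line must contain; IPs contain dots, which would be regex
#            wildcards otherwise.
#######################################
delete_matching_rules() {
  local family="$1" table="$2" chain="$3"
  shift 3
  local listing needle h
  listing="$(nft -a list chain "${family}" "${table}" "${chain}" 2>/dev/null || true)"
  for needle in "$@"; do
    listing="$(grep -F -- "${needle}" <<<"${listing}" || true)"
  done
  grep -oP 'handle \K\d+' <<<"${listing}" | while read -r h; do
    nft delete rule "${family}" "${table}" "${chain}" handle "$h"
  done
}

# Clean up any stale rules for this IP so a redeploy does not stack duplicates.
# The trailing space after each IP stops 10.0.0.2 from also matching 10.0.0.20.
delete_matching_rules ip nat PREROUTING "daddr ${PUBLIC_IP} "
delete_matching_rules ip nat POSTROUTING "snat to ${PUBLIC_IP}"
delete_matching_rules inet netavark FORWARD "daddr ${PRIVATE_IP} "
delete_matching_rules ip nat POSTROUTING "daddr ${PRIVATE_IP} " "masquerade"
# Stale host route for the public IP from earlier setups, if any.
ip route del "${PUBLIC_IP}/32" 2>/dev/null || true

# Inbound: everything addressed to PUBLIC_IP is handed to the container. This
# forwards every port and protocol — TODO(review): restrict to the services the
# image actually exposes (e.g. `tcp dport { 80, 443 }`) once confirmed.
nft add rule ip nat PREROUTING ip daddr "${PUBLIC_IP}" dnat to "${PRIVATE_IP}"
# Outbound: the container's own traffic leaves the host with PUBLIC_IP as source.
nft add rule ip nat POSTROUTING ip saddr "${PRIVATE_IP}" oifname "${OIFACE}" snat to "${PUBLIC_IP}"
# Let the DNAT'd traffic through netavark's FORWARD chain onto the bridge.
nft insert rule inet netavark FORWARD ip daddr "${PRIVATE_IP}" oifname "${BRIDGE}" accept
# Same-subnet clients reaching the container through PUBLIC_IP get their source
# rewritten (hairpin NAT, presumably — otherwise replies would skip the DNAT).
nft add rule ip nat POSTROUTING ip saddr "${PRIVATE_SUBNET}" ip daddr "${PRIVATE_IP}" oifname "${BRIDGE}" masquerade
echo "Running at https://${DOMAIN}/"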