handle pre-seeding of https and letsencrypt

debian/config

@@ -16,6 +16,8 @@ set -e
       # debconf db.
       db_set gitlab/fqdn "$GITLAB_HOST"
       db_set gitlab/user "$gitlab_user"
+      db_set gitlab/ssl "${GITLAB_HTTPS:-false}"
+      db_set gitlab/letsencrypt "${gitlab_letsencrypt:-false}"
   fi
 
 # What is your fqdn?

debian/postinst

@@ -146,6 +146,13 @@ case "$1" in
     GITLAB_EMAIL_REPLY_TO="no-reply@$GITLAB_HOST"
     db_get gitlab/user
     gitlab_user=$RET
+    # Check if ssl option is selected
+    db_get gitlab/ssl
+    GITLAB_HTTPS=$RET
+    gl_proto="http"
+    db_get gitlab/letsencrypt
+    gitlab_letsencrypt=$RET
+
     cp -a -f ${gitlab_debian_conf_private} ${gitlab_debian_conf_private}.tmp
 
     # If the admin deleted or commented some variables but then set
@@ -160,18 +167,20 @@ case "$1" in
         echo "GITLAB_EMAIL_REPLY_TO=" >> ${gitlab_debian_conf_private}
     test -z "$gitlab_user" || grep -Eq '^ *gitlab_user=' ${gitlab_debian_conf_private} || \
         echo "gitlab_user=" >> ${gitlab_debian_conf_private}
+    test -z "$GITLAB_HTTPS" || grep -Eq '^ *GITLAB_HTTPS=' ${gitlab_debian_conf_private} || \
+        echo "GITLAB_HTTPS=" >> ${gitlab_debian_conf_private}
+    test -z "$gitlab_letsencrypt" || grep -Eq '^ *gitlab_letsencrypt=' ${gitlab_debian_conf_private} || \
+        echo "gitlab_letsencrypt=" >> ${gitlab_debian_conf_private}
     sed -e "s/^ *GITLAB_HOST=.*/GITLAB_HOST=\"$GITLAB_HOST\"/" \
         -e "s/^ *GITLAB_EMAIL_FROM=.*/GITLAB_EMAIL_FROM=\"$GITLAB_EMAIL_FROM\"/" \
         -e "s/^ *GITLAB_EMAIL_DISPLAY_NAME=.*/GITLAB_EMAIL_DISPLAY_NAME=\"$GITLAB_EMAIL_DISPLAY_NAME\"/" \
         -e "s/^ *GITLAB_EMAIL_REPLY_TO=.*/GITLAB_EMAIL_REPLY_TO=\"$GITLAB_EMAIL_REPLY_TO\"/" \
         -e "s/^ *gitlab_user=.*/gitlab_user=\"$gitlab_user\"/" \
+        -e "s/^ *GITLAB_HTTPS=.*/GITLAB_HTTPS=\"$GITLAB_HTTPS\"/" \
+        -e "s/^ *gitlab_letsencrypt=.*/gitlab_letsencrypt=\"$gitlab_letsencrypt\"/" \
             < ${gitlab_debian_conf_private} > ${gitlab_debian_conf_private}.tmp
         mv -f ${gitlab_debian_conf_private}.tmp ${gitlab_debian_conf_private}
 
-    # Check if ssl option is selected
-    db_get gitlab/ssl
-    gl_proto="http"
-
     # Copy example configurations
     test -f ${gitlab_yml_private} || \
     cp ${gitlab_yml_example} ${gitlab_yml_private}
@@ -183,27 +192,23 @@ case "$1" in
     # Update gitlab user (its a hack, proper fix is to have gitlab accept GITLAB_USER variable)
     sed -i "s/^ *user:.* #gitlab_user/    user: $gitlab_user #gitlab_user/" ${gitlab_yml_private}
 
-    if [ "${RET}" = "true" ]; then
+    if [ "$GITLAB_HTTPS" = "true" ]; then
       echo "Configuring nginx with HTTPS..."
-      if ! grep GITLAB_HTTPS ${gitlab_debian_conf_private}; then
-  	  echo GITLAB_HTTPS=${RET} >> ${gitlab_debian_conf_private}
-  	  # Workaround for #813770
-  	  gl_proto="https"
-  	  echo "Configuring gitlab with HTTPS..."
-   	  sed -i "s/#port: 80/port: 443/" ${gitlab_yml_private}
-  	  sed -i "s/https: false/https: true/" ${gitlab_yml_private}
-        echo "Updating gitlab_url in gitlab-shell configuration..."
-        sed -i \
-  	  "s/gitlab_url: http*:\/\/.*/gitlab_url: ${gl_proto}:\/\/${GITLAB_HOST}/"\
-  	  ${gitlab_shell_config_private}
-      fi
+      # Workaround for #813770
+      gl_proto="https"
+      echo "Configuring gitlab with HTTPS..."
+      sed -i "s/#port: 80/port: 443/" ${gitlab_yml_private}
+      sed -i "s/https: false/https: true/" ${gitlab_yml_private}
+      echo "Updating gitlab_url in gitlab-shell configuration..."
+      sed -i \
+	  "s/gitlab_url: http*:\/\/.*/gitlab_url: ${gl_proto}:\/\/${GITLAB_HOST}/"\
+	  ${gitlab_shell_config_private}
       
       mkdir -p /etc/gitlab/ssl
       nginx_conf_example=${nginx_ssl_conf_example}
 
       # Check if letsencrypt option is selected
-      db_get gitlab/letsencrypt
-      if [ "${RET}" = "true" ]; then
+      if [ "$gitlab_letsencrypt" = "true" ]; then
 	  echo "Configuring letsencrypt..."
         ln -sf /etc/letsencrypt/live/${GITLAB_HOST}/fullchain.pem \
         /etc/gitlab/ssl/gitlab.crt
@@ -220,13 +225,33 @@ case "$1" in
 	    invoke-rc.d nginx stop
 	  fi
 
-	  letsencrypt -d ${GITLAB_HOST} certonly || {
+	  letsencrypt --standalone -d ${GITLAB_HOST} certonly || {
 	    echo "letsencrypt auto configuration failed..."
 	    echo "Stop your webserver and try running letsencrypt manually..."
 	    echo "letsencrypt -d ${GITLAB_HOST} certonly" 
 	  }
-        fi
+        fi 
       fi
+    else
+      # Revert https setting
+      sed -i "s/port: 443/#port: 80/" ${gitlab_yml_private}
+      sed -i "s/https: true/https: false/" ${gitlab_yml_private}
+    fi
+
+    # Cleanup in case letsencrypt were disabled later
+    if [ "$gitlab_letsencrypt" = "false" ]; then
+        if [ -L /etc/gitlab/ssl/gitlab.crt ]; then
+          if [ "$(file /etc/gitlab/ssl/gitlab.crt|awk '{ print $NF }')" = "/etc/letsencrypt/live/${GITLAB_HOST}/fullchain.pem" ]; then
+            echo "Removing symbolic links to letsencrypt certificate..."
+            rm -f /etc/gitlab/ssl/gitlab.crt
+          fi
+        fi
+        if [ -L /etc/gitlab/ssl/gitlab.key ]; then
+          if [ "$(file /etc/gitlab/ssl/gitlab.key|awk '{ print $NF }')" = "/etc/letsencrypt/live/${GITLAB_HOST}/privkey.pem" ]; then
+            echo "Removing symbolic links to letsencrypt certificate private key..."
+            rm -f /etc/gitlab/ssl/gitlab.key
+          fi
+        fi
     fi
 
       # Manage tmpfiles.d/gitlab.conf via ucf
@@ -269,7 +294,6 @@ case "$1" in
           ucf --debconf-ok --three-way ${nginx_site_private} ${nginx_site}
           ucfr gitlab ${nginx_site}
           ln -fs ${nginx_site} /etc/nginx/sites-enabled/
-          rm -f ${nginx_conf_example_tmp}
         else
           echo "nginx example configuration file not found"
           exit 1