Release v2.5.3

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to the Gitea Mirror project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.5.3] - 2025-05-22
+
+### Added
+- Enhanced JWT_SECRET handling with auto-generation and persistence for improved security
+- Updated Proxmox LXC deployment instructions and replaced deprecated script
+
 ## [2.5.2] - 2024-11-22
 
 ### Fixed

Dockerfile

@@ -2,7 +2,7 @@
 
 FROM oven/bun:1.2.9-alpine AS base
 WORKDIR /app
-RUN apk add --no-cache libc6-compat python3 make g++ gcc wget sqlite
+RUN apk add --no-cache libc6-compat python3 make g++ gcc wget sqlite openssl
 
 # ----------------------------
 FROM base AS deps

README.md

@@ -20,8 +20,8 @@ docker compose --profile production up -d
 bun run setup && bun run dev
 
 # Using LXC Containers
-# For Proxmox VE (online)
-curl -fsSL https://raw.githubusercontent.com/arunavo4/gitea-mirror/main/scripts/gitea-mirror-lxc-proxmox.sh | bash
+# For Proxmox VE (online) - Community script by Tobias ([CrazyWolf13](https://github.com/CrazyWolf13))
+curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVED/main/install/gitea-mirror-install.sh | bash
 
 # For local testing (offline-friendly)
 sudo LOCAL_REPO_DIR=~/Development/gitea-mirror ./scripts/gitea-mirror-lxc-local.sh
@@ -175,8 +175,9 @@ Gitea Mirror offers two deployment options for LXC containers:
 
 ```bash
 # One-command installation on Proxmox VE
-# Optional env overrides: CTID HOSTNAME STORAGE DISK_SIZE CORES MEMORY BRIDGE IP_CONF
-curl -fsSL https://raw.githubusercontent.com/arunavo4/gitea-mirror/main/scripts/gitea-mirror-lxc-proxmox.sh | bash
+# Uses the community-maintained script by Tobias ([CrazyWolf13](https://github.com/CrazyWolf13))
+# at [community-scripts/ProxmoxVED](https://github.com/community-scripts/ProxmoxVED)
+curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVED/main/install/gitea-mirror-install.sh | bash
 ```
 
 **2. Local testing (offline-friendly, works on developer laptops)**
@@ -232,8 +233,10 @@ The Docker container can be configured with the following environment variables:
 - `DATABASE_URL`: SQLite database URL (default: `file:data/gitea-mirror.db`)
 - `HOST`: Host to bind to (default: `0.0.0.0`)
 - `PORT`: Port to listen on (default: `4321`)
-- `JWT_SECRET`: Secret key for JWT token generation (important for security)
+- `JWT_SECRET`: Secret key for JWT token generation (auto-generated if not provided)
 
+> [!TIP]
+> For security, Gitea Mirror will automatically generate a secure random JWT secret on first run if one isn't provided or if the default value is used. This generated secret is stored in the data directory for persistence across container restarts.
 
 #### Manual Installation
 

docker-entrypoint.sh

@@ -5,6 +5,31 @@ set -e
 # Ensure data directory exists
 mkdir -p /app/data
 
+# Generate a secure JWT secret if one isn't provided or is using the default value
+JWT_SECRET_FILE="/app/data/.jwt_secret"
+if [ "$JWT_SECRET" = "your-secret-key-change-this-in-production" ] || [ -z "$JWT_SECRET" ]; then
+  # Check if we have a previously generated secret
+  if [ -f "$JWT_SECRET_FILE" ]; then
+    echo "Using previously generated JWT secret"
+    export JWT_SECRET=$(cat "$JWT_SECRET_FILE")
+  else
+    echo "Generating a secure random JWT secret"
+    # Try to generate a secure random string using OpenSSL
+    if command -v openssl >/dev/null 2>&1; then
+      GENERATED_SECRET=$(openssl rand -hex 32)
+    else
+      # Fallback to using /dev/urandom if openssl is not available
+      echo "OpenSSL not found, using fallback method for random generation"
+      GENERATED_SECRET=$(head -c 32 /dev/urandom | sha256sum | cut -d' ' -f1)
+    fi
+    export JWT_SECRET="$GENERATED_SECRET"
+    # Save the secret to a file for persistence across container restarts
+    echo "$GENERATED_SECRET" > "$JWT_SECRET_FILE"
+    chmod 600 "$JWT_SECRET_FILE"
+  fi
+  echo "JWT_SECRET has been set to a secure random value"
+fi
+
 # Skip dependency installation entirely for pre-built images
 # Dependencies are already installed during the Docker build process
 

package.json

@@ -1,7 +1,7 @@
 {
   "name": "gitea-mirror",
   "type": "module",
-  "version": "2.5.2",
+  "version": "2.5.3",
   "engines": {
     "bun": ">=1.2.9"
   },

scripts/README-lxc.md

@@ -18,17 +18,18 @@ Run **Gitea Mirror** in an isolated LXC container, either:
 ### One-command install
 
 ```bash
-# optional env overrides:  CTID HOSTNAME STORAGE DISK_SIZE CORES MEMORY BRIDGE IP_CONF
-sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/arunavo4/gitea-mirror/main/scripts/gitea-mirror-lxc-proxmox.sh)"
+# Community-maintained script for Proxmox VE by Tobias ([CrazyWolf13](https://github.com/CrazyWolf13))
+# at [community-scripts/ProxmoxVED](https://github.com/community-scripts/ProxmoxVED)
+sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVED/main/install/gitea-mirror-install.sh)"
 ```
 
 What it does:
 
-* Creates **privileged** CT `$CTID` with nesting enabled
-* Installs curl / git / Bun (official installer)
+* Uses the community-maintained script from ProxmoxVED
+* Installs dependencies and Bun runtime
 * Clones & builds `arunavo4/gitea-mirror`
-* Writes a root-run systemd service and starts it
-* Prints the container IP + random `JWT_SECRET`
+* Creates a systemd service and starts it
+* Sets up a random `JWT_SECRET` for security
 
 Browse to:
 

scripts/README.md

@@ -107,9 +107,11 @@ bun scripts/make-events-old.ts
 
 ### LXC Container Deployment
 
-Two scripts are provided for deploying Gitea Mirror in LXC containers:
+Two deployment options are available for LXC containers:
 
-1. **gitea-mirror-lxc-proxmox.sh**: For online deployment on a Proxmox VE host
+1. **Proxmox VE (online)**: Using the community-maintained script by Tobias ([CrazyWolf13](https://github.com/CrazyWolf13))
+   - Author: Tobias ([CrazyWolf13](https://github.com/CrazyWolf13))
+   - Available at: [community-scripts/ProxmoxVED](https://github.com/community-scripts/ProxmoxVED/blob/main/install/gitea-mirror-install.sh)
    - Pulls everything from GitHub
    - Creates a privileged container with the application
    - Sets up systemd service

scripts/gitea-mirror-lxc-proxmox.sh

@@ -1,97 +0,0 @@
-#!/usr/bin/env bash
-# gitea-mirror-lxc-proxmox.sh
-# Fully online installer for a Proxmox LXC guest running Gitea Mirror + Bun.
-
-set -euo pipefail
-
-# ────── adjustable defaults ──────────────────────────────────────────────
-CTID=${CTID:-106}                       # container ID
-HOSTNAME=${HOSTNAME:-gitea-mirror}
-STORAGE=${STORAGE:-local-lvm}           # where rootfs lives
-DISK_SIZE=${DISK_SIZE:-8G}
-CORES=${CORES:-2}
-MEMORY=${MEMORY:-2048}                  # MiB
-BRIDGE=${BRIDGE:-vmbr0}
-IP_CONF=${IP_CONF:-dhcp}                # or "192.168.1.240/24,gw=192.168.1.1"
-
-PORT=4321
-JWT_SECRET=$(openssl rand -hex 32)
-
-REPO="https://github.com/arunavo4/gitea-mirror.git"
-# ─────────────────────────────────────────────────────────────────────────
-
-TEMPLATE='ubuntu-22.04-standard_22.04-1_amd64.tar.zst'
-TEMPLATE_PATH="/var/lib/vz/template/cache/${TEMPLATE}"
-
-echo "▶️  Ensuring template exists…"
-if [[ ! -f $TEMPLATE_PATH ]]; then
-  pveam update >/dev/null
-  pveam download "$STORAGE" "$TEMPLATE"
-fi
-
-echo "▶️  Creating container $CTID (if missing)…"
-if ! pct status "$CTID" &>/dev/null; then
-  pct create "$CTID" "$TEMPLATE_PATH" \
-    --rootfs "$STORAGE:$DISK_SIZE" \
-    --hostname "$HOSTNAME" \
-    --cores "$CORES" --memory "$MEMORY" \
-    --net0 "name=eth0,bridge=$BRIDGE,ip=$IP_CONF" \
-    --features nesting=1 \
-    --unprivileged 0
-fi
-
-pct start "$CTID"
-
-echo "▶️  Installing base packages inside CT $CTID…"
-pct exec "$CTID" -- bash -c 'apt update && apt install -y curl git build-essential openssl sqlite3 unzip'
-
-echo "▶️  Installing Bun runtime…"
-pct exec "$CTID" -- bash -c '
-  export BUN_INSTALL=/opt/bun
-  curl -fsSL https://bun.sh/install | bash -s -- --yes
-  ln -sf /opt/bun/bin/bun /usr/local/bin/bun
-  ln -sf /opt/bun/bin/bun /usr/local/bin/bunx
-  bun --version
-'
-
-echo "▶️  Cloning & building Gitea Mirror…"
-pct exec "$CTID" -- bash -c "
-  git clone --depth=1 '$REPO' /opt/gitea-mirror || (cd /opt/gitea-mirror && git pull)
-  cd /opt/gitea-mirror
-  bun install
-  bun run build
-  bun run manage-db init
-"
-
-echo "▶️  Creating systemd service…"
-pct exec "$CTID" -- bash -c "
-cat >/etc/systemd/system/gitea-mirror.service <<SERVICE
-[Unit]
-Description=Gitea Mirror
-After=network.target
-[Service]
-Type=simple
-WorkingDirectory=/opt/gitea-mirror
-ExecStart=/usr/local/bin/bun dist/server/entry.mjs
-Restart=on-failure
-RestartSec=10
-Environment=NODE_ENV=production
-Environment=HOST=0.0.0.0
-Environment=PORT=$PORT
-Environment=DATABASE_URL=file:data/gitea-mirror.db
-Environment=JWT_SECRET=$JWT_SECRET
-[Install]
-WantedBy=multi-user.target
-SERVICE
-systemctl daemon-reload
-systemctl enable gitea-mirror
-systemctl restart gitea-mirror
-"
-
-echo -e "\n🔍  Service status:"
-pct exec "$CTID" -- systemctl status gitea-mirror --no-pager | head -n15
-
-GUEST_IP=$(pct exec "$CTID" -- hostname -I | awk '{print $1}')
-echo -e "\n🌐  Browse to:  http://$GUEST_IP:$PORT\n"
-echo "🗝️  JWT_SECRET = $JWT_SECRET"
-echo -e "\n✅  Done – Gitea Mirror is running in CT $CTID."

src/content/docs/architecture.md

@@ -104,7 +104,6 @@ gitea-mirror/
 ├── data/                 # Database and persistent data
 ├── docker/               # Docker configuration
 └── scripts/              # Utility scripts for deployment and maintenance
-    ├── gitea-mirror-lxc-proxmox.sh  # Proxmox LXC deployment script
     ├── gitea-mirror-lxc-local.sh    # Local LXC deployment script
     └── manage-db.ts                 # Database management tool
 ```
@@ -114,7 +113,7 @@ gitea-mirror/
 Gitea Mirror supports multiple deployment options:
 
 1. **Docker**: Run as a containerized application using Docker and docker-compose
-2. **LXC Containers**: Deploy in Linux Containers (LXC) on Proxmox VE or local workstations
+2. **LXC Containers**: Deploy in Linux Containers (LXC) on Proxmox VE (using community script by [Tobias/CrazyWolf13](https://github.com/CrazyWolf13)) or local workstations
 3. **Native**: Run directly on the host system using Bun runtime
 
 Each deployment method has its own advantages:

src/content/docs/configuration.md

@@ -25,13 +25,15 @@ The following environment variables can be used to configure Gitea Mirror:
 |----------|-------------|---------------|---------|
 | `NODE_ENV` | Runtime environment (development, production, test) | `development` | `production` |
 | `DATABASE_URL` | SQLite database URL | `file:data/gitea-mirror.db` | `file:path/to/your/database.db` |
-| `JWT_SECRET` | Secret key for JWT authentication | `your-secret-key-change-this-in-production` | `your-secure-random-string` |
+| `JWT_SECRET` | Secret key for JWT authentication | Auto-generated secure random string | `your-secure-random-string` |
 | `HOST` | Server host | `localhost` | `0.0.0.0` |
 | `PORT` | Server port | `4321` | `8080` |
 
 ### Important Security Note
 
-In production environments, you should always set a strong, unique `JWT_SECRET` to ensure secure authentication.
+The application will automatically generate a secure random `JWT_SECRET` on first run if one isn't provided or if the default value is used. This generated secret is stored in the data directory for persistence across container restarts.
+
+While this auto-generation feature provides good security by default, you can still explicitly set your own `JWT_SECRET` for complete control over your deployment.
 
 ## Web UI Configuration