Set up `go-mmproxy`.

cookbooks/gitea/files/etc/consul.d/service-go-mmproxy.json

@@ -0,0 +1,12 @@
+{
+  "service": {
+    "name": "go-mmproxy",
+    "port": 50021,
+    "check":{
+      "tcp": "localhost:50021",
+      "interval": "60s",
+      "timeout": "1s",
+      "success_before_passing": 3
+    }
+  }
+}

cookbooks/gitea/files/etc/systemd/system/go-mmproxy.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=go-mmproxy
+After=network.target
+
+[Service]
+Type=simple
+LimitNOFILE=65535
+ExecStartPost=/sbin/ip rule add from 127.0.0.1/8 iif lo table 123
+ExecStartPost=/sbin/ip route add local 0.0.0.0/0 dev lo table 123
+ExecStart=/usr/local/bin/go-mmproxy -l 0.0.0.0:50021 -4 127.0.0.1:10022 -v 2
+ExecStopPost=/sbin/ip rule del from 127.0.0.1/8 iif lo table 123
+ExecStopPost=/sbin/ip route del local 0.0.0.0/0 dev lo table 123
+Restart=on-failure
+RestartSec=10s
+
+[Install]
+WantedBy=multi-user.target

cookbooks/gitea/setup-go-mmproxy.rb

@@ -0,0 +1,39 @@
+# Deploy `supervisord` config`:
+remote_file '/etc/systemd/system/go-mmproxy.service' do
+  owner  'root'
+  group  'root'
+  mode   '644'
+
+  notifies :restart, 'service[go-mmproxy]'
+end
+
+service 'go-mmproxy' do
+  action [ :enable, :restart ]
+end
+
+# Depoy `consul` service configuration for `gitea`:
+remote_file '/etc/consul.d/service-go-mmproxy.json' do
+  owner  'root'
+  group  'root'
+  mode   '644'
+
+  notifies :restart, 'service[supervisor]'
+end
+
+# Firewall settings here:
+%w( 50021/tcp ).each do |p|
+  execute "ufw allow #{p}" do
+    user 'root'
+
+    not_if "LANG=c ufw status | grep #{p}"
+
+    notifies :run, 'execute[ufw reload-or-enable]'
+  end
+end
+
+execute 'ufw reload-or-enable' do
+  user 'root'
+  command 'LANG=C ufw reload | grep skipping && ufw --force enable || exit 0'
+
+  action :nothing
+end