Migrate to v2 config format

CHECKS

@@ -2,4 +2,4 @@ WAIT=3
 TIMEOUT=3
 ATTEMPTS=5
 
-/healthcheck Database connection
+/healthcheck

Dockerfile

@@ -7,11 +7,16 @@ COPY . ${WORKDIR}
 
 COPY sbin/* /sbin/
 
-RUN apk --no-cache add ca-certificates mysql-client py3-pip
+RUN apk --no-cache add \
+  ca-certificates \
+  mysql-client \
+  py3-pip
 
-RUN pip3 install --upgrade pip==20.0.2
+RUN pip3 install --upgrade \
+  pip==20.0.2
 
 # Note(decentral1se): https://github.com/pixelb/crudini/issues/58
-RUN pip3 install --no-cache-dir "git+http://github.com/pixelb/crudini.git@0.9.3#egg=crudini"
+RUN pip3 install --no-cache-dir \
+  "git+http://github.com/pixelb/crudini.git@0.9.3#egg=crudini"
 
 ENTRYPOINT ["/sbin/entrypoint.sh"]

README.md

@@ -4,7 +4,4 @@
 
 > https://gitea.io/
 
-# Deploy
-
-1. Push your changes to master and Dokku will try to automatically release
-1. See the [dashboard to see the build](https://drone.autonomic.zone/autonomic-cooperative/gitea/)
+> https://git.autonomic.zone

ansible/.vault.sh

@@ -1,5 +0,0 @@
-#!/bin/bash
-
-set -eu -o pipefail
-
-echo $(pass show hosts/autonomic-dokku/vault/password)

ansible/post-deploy.yml

@@ -1,111 +0,0 @@
----
-- hosts: all
-  gather_facts: false
-  tasks:
-    - name: Load variables
-      include_vars:
-        dir: "{{ dokku_lib_root }}/data/ansible/gitea/vars/"
-        extensions:
-          - yml
-
-    - name: Set HTTP 80 port proxy
-      dokku_ports:
-        app: gitea
-        mappings:
-          - "http:80:{{ http_port }}"
-        state: present
-
-    - name: Setup LE certificates
-      shell: dokku letsencrypt gitea
-      args:
-        creates: /home/dokku/gitea/letsencrypt/certs
-
-    - name: Setup LE certificates renew cron job
-      shell: dokku letsencrypt:cron-job --add
-      args:
-        creates: /home/dokku/gitea/letsencrypt/cron-job
-
-    - name: Remove automatically configured ports
-      dokku_ports:
-        app: gitea
-        mappings:
-          - "http:3000:3000"
-          - "http:2222:2222"
-        state: absent
-
-    - name: Set HTTP 443 port
-      dokku_ports:
-        app: gitea
-        mappings:
-          - "https:443:{{ http_port }}"
-        state: present
-
-    - name: Ensure jq package is installed
-      apt:
-        name: jq
-        state: present
-
-    - name: Retrieve application container IP address
-      shell: "dokku ps:inspect gitea | jq -r .[0].NetworkSettings.IPAddress"
-      register: dokku_ps_inspect
-
-    - name: Setup the SSH passthrough script
-      vars:
-        ssh_listen_port: "{{ ssh_listen_port }}"
-        dokku_container_ip: "{{ dokku_ps_inspect.stdout }}"
-      template:
-        src: gitea.j2
-        dest: /app/gitea/gitea
-        owner: git
-        group: git
-        mode: "+x"
-        force: true
-      become: true
-
-    - name: Store the git user public key
-      shell: cat /home/git/.ssh/id_rsa.pub
-      register: git_id_rsa_pub
-      become: true
-
-    - name: Store the gitea authorized_keys file
-      shell: cat /var/lib/gitea/git/.ssh/authorized_keys
-      register: git_auth_keys
-      become: true
-
-    - name: Check if the public key is already in place
-      command: 'grep -Fxq "{{ git_id_rsa_pub.stdout}}" /var/lib/gitea/git/.ssh/authorized_keys'
-      check_mode: false
-      ignore_errors: true
-      changed_when: false
-      register: git_id_rsa_pub_check
-      become: true
-
-    - name: Ensure git public key is in gitea loaded authorized_keys
-      blockinfile:
-        path: /var/lib/gitea/git/.ssh/authorized_keys
-        block: "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty {{ git_id_rsa_pub.stdout }}"
-        state: present
-        owner: git
-        group: git
-        create: true
-        insertbefore: BOF
-        backup: true
-        marker: "# ansible inserted git <-> gitea public key"
-      become: true
-      when: git_id_rsa_pub_check.rc == 0
-
-    - name: Symlink the gitea authorized keys configuration to the host git user
-      file:
-        src: /var/lib/gitea/git/.ssh/authorized_keys
-        dest: /home/git/.ssh/authorized_keys
-        state: link
-        force: true
-        owner: git
-      become: true
-
-    - name: Add git user to AllowUsers SSH configuration
-      replace:
-        backup: true
-        dest: /etc/ssh/sshd_config
-        regexp: '^(AllowUsers(?!.*\bgit\b).*)$'
-        replace: '\1 git'

ansible/pre-deploy.yml

@@ -1,128 +0,0 @@
----
-- hosts: all
-  gather_facts: false
-  tasks:
-    - name: Load variables
-      include_vars:
-        dir: "{{ dokku_lib_root }}/data/ansible/gitea/vars/"
-        extensions:
-          - yml
-
-    - name: "Configure the {{ domain }} domain"
-      dokku_domains:
-        app: gitea
-        domains:
-          - "{{ domain }}"
-        state: present
-
-    - name: Create mariadb database
-      shell: "
-        dokku
-        mariadb:create
-        gitea
-        --password {{ db_passwd }}
-        --root-password {{ root_db_passwd }}
-      "
-      args:
-        creates: /var/lib/dokku/services/mariadb/gitea
-
-    - name: Link mariadb database to application
-      dokku_service_link:
-        app: gitea
-        name: gitea
-        service: mariadb
-
-    # - name: Authenticate with Minio back-end
-    # - name: Configure daily backup policy
-    # - name: Take pre-deploy backup
-
-    - name: Setup host git user
-      user:
-        name: git
-        comment: gitea user
-        create_home: true
-        home: /home/git
-        group: git
-        system: true
-        state: present
-        generate_ssh_key: true
-        ssh_key_bits: 2048
-        ssh_key_file: .ssh/id_rsa
-      become: true
-
-    - name: Create application directories
-      file:
-        path: "{{ item }}"
-        state: directory
-        owner: git
-        group: git
-      with_items:
-        - /app
-        - /app/gitea
-        - /var/lib/gitea
-      become: true
-
-    - name: Get uid/guid of the git user
-      getent:
-        database: passwd
-        key: git
-        split: ":"
-      become: true
-
-    - name: Specify docker volume mounts
-      dokku_storage:
-        app: gitea
-        mounts:
-          - /var/lib/gitea:/data
-          - /etc/timezone:/etc/timezone:ro
-          - /etc/localtime:/etc/localtime:ro
-          - /var/lib/dokku/services/mariadb/gitea:/var/lib/mysql
-          - /var/lib/gitea/.ssh:/data/git/.ssh
-
-    - name: Store gitea git user uid/guid
-      set_fact:
-        git_user_uid: "{{ getent_passwd['git'][1] }}"
-        git_user_guid: "{{ getent_passwd['git'][2] }}"
-
-    - name: Configure the dokku app environment
-      dokku_config:
-        app: gitea
-        restart: false
-        config:
-          ADMIN_MAIL: "{{ autonomic_admin_mail }}"
-          ADMIN_PASS: "{{ autonomic_admin_pass }}"
-          ADMIN_USER: "{{ autonomic_admin_user }}"
-          ALLOW_ONLY_EXTERNAL_REGISTRATION: "{{ allow_only_external_registration }}"
-          APP_NAME: "{{ autonomic_app_name }}"
-          AUTHOR: "{{ author }}"
-          DB_HOST: "dokku-mariadb-gitea:3306"
-          DB_NAME: "gitea"
-          DB_PASSWD: "{{ db_passwd }}"
-          DB_TYPE: "mysql"
-          DB_USER: "mariadb" # https://github.com/dokku/dokku-mariadb/issues/89
-          DESCRIPTION: "{{ description }}"
-          DISABLE_REGISTRATION: "{{ disable_registration }}"
-          DOKKU_LETSENCRYPT_EMAIL: "{{ autonomic_admin_mail }}"
-          DOMAIN: "{{ domain }}"
-          ENABLE_OPENID_SIGNIN: "{{ enable_openid_signin }}"
-          ENABLE_OPENID_SIGNUP: "{{ enable_openid_signup }}"
-          GITEA_THEME: "{{ gitea_theme }}"
-          HTTP_PORT: "{{ http_port }}"
-          INSTALL_LOCK: "{{ install_lock }}"
-          JWT_SECRET: "{{ jwt_secret }}"
-          MAILER_ENABLED: "{{ mailer_enabled }}"
-          RUN_MODE: "prod"
-          SECRET_KEY: "{{ secret_key}}"
-          SMTP_FROM: "{{ smtp_from }}"
-          SMTP_HOST: "{{ smtp_host }}"
-          SMTP_MAILER_TYPE: "{{ smtp_mailer_type }}"
-          SMTP_PASSWD: "{{ smtp_passwd }}"
-          SMTP_TLS_ENABLED: "{{ smtp_tls_enabled }}"
-          SMTP_USER: "{{ smtp_user }}"
-          SSH_DOMAIN: "{{ ssh_domain }}"
-          SSH_LISTEN_PORT: "{{ ssh_listen_port }}"
-          SSH_PORT: "{{ ssh_port }}"
-          STARTUP_TIMEOUT: "{{ startup_timeout }}"
-          USER_GID: "{{ git_user_guid }}"
-          USER_UID: "{{ git_user_uid }}"
-          WHITELIST_URIS: "{{ whitelist_uris }}"

ansible/requirements.yml

@@ -1,6 +0,0 @@
----
-- src: dokku_bot.ansible_dokku
-  version: v2020.3.24
-
-- src: https://git.coop/decentral1se/autonomic.gandi/-/archive/0.0.5/autonomic.gandi-0.0.5.tar.gz
-  name: autonomic.gandi

ansible/templates/gitea.j2

@@ -1,3 +0,0 @@
-#!/bin/sh
-
-ssh -p {{ ssh_listen_port }} -o StrictHostKeyChecking=no git@{{ dokku_container_ip }} "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"

ansible/vars/all.yml

@@ -1,27 +0,0 @@
----
-allow_only_external_registration: "true"
-ansible_python_interpreter: "/usr/bin/python3"
-author: "{{ autonomic_app_name }}"
-autonomic_admin_mail: "helo@autonomic.zone"
-autonomic_admin_user: "autonomic"
-autonomic_app_name: "Gitea: Git with solidaritea"
-description: "Git hosting for conrads"
-disable_registration: "false"
-dokku_domain_ipv4: "94.130.105.60"
-domain: "git.autonomic.zone"
-enable_openid_signin: "true"
-enable_openid_signup: "true"
-gitea_theme: "arc-green"
-http_port: "3020"
-install_lock: "true"
-mailer_enabled: "true"
-smtp_from: "gitea-autonomic@decentral1.se"
-smtp_host: "mail.gandi.net:587"
-smtp_mailer_type: "smtp"
-smtp_tls_enabled: "true"
-smtp_user: "gitea-autonomic@decentral1.se"
-ssh_domain: "git.autonomic.zone"
-ssh_listen_port: "2222"
-ssh_port: "222"
-startup_timeout: "0"
-whitelist_uris: "https://git.autonomic.zone"

ansible/vars/ansible_become_pass.yml

@@ -1,8 +0,0 @@
----
-ansible_become_pass: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  34396236353735666531323238656533643465303131663464613162396333313836363630666266
-  6539323631656635333864316166633064633366323936610a656137616334313534333635313232
-  35323561303763366563316631313638363333393763323935343563303963616334336639386462
-  3837383830616637360a373539613630356564363662393836366462666430353439353637303035
-  63396633303166343433313439303539313637306637663137313533316531616434

ansible/vars/autonomic_admin_pass.yml

@@ -1,9 +0,0 @@
----
-autonomic_admin_pass: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  63346230633033616135653638346366333063316161643339646134653435633631616133383838
-  3334323934346239333237323164383437366633663338620a636662396131343838356637376266
-  63306462613233393863363066343532623139313965323830313535376136373138396364363536
-  3163393262656339640a613630346234313063393130636663353038303266663964653765373134
-  36653431303662616465303334386563643564663832353331623432363138323365666362313731
-  6539306238396362333832343530383731313131383334653133

ansible/vars/db_passwd.yml

@@ -1,9 +0,0 @@
----
-db_passwd: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  36646464626462336534333030666665636436353163656230366337393435326337653663616539
-  3361353565363637393166643763613762353465386336640a303335633330373266386639633562
-  62393961653038306362656639373031666364353866653862623132633739373630396662386132
-  3436366139613463310a353262613862663836653333376265363032303839383532666632653963
-  66623031646566303130383935366332616662386365326133636163623338646232316433346266
-  3166623035666362646565633265383737323238336531363766

ansible/vars/gandi_rest_token.yml

@@ -1,8 +0,0 @@
----
-gandi_rest_token: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  39316130353030633666633039633539333238616637396333326231313562663731343839313234
-  3263666662336437356263323238366136653962316633360a326466376532633062313835383063
-  38623036346437373534363839393333343163663934313865633764333965353631656634663136
-  3835303662633562390a663037356266393461636432663633336636643130623465616238626633
-  64346335666263363263616262323665363836373764633434343066383732346637

ansible/vars/internal_token.yml

@@ -1,9 +0,0 @@
----
-internal_token: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  31616533343831326637383239663630626563303865393461613234366630326335383631656330
-  6438653036313733616430653765396161636233336365630a373230653538613562373932393336
-  32333430616136643734393038353430656335343331376330313832323963373264316638306566
-  3735393932666461620a306465643439636433346363666462626335363638303564643236643033
-  62323037643633346635353462613164303530646566313438646231646139373932653139326566
-  3365393963393133633963643465363735333138646536393533

ansible/vars/jwt_secret.yml

@@ -1,9 +0,0 @@
----
-jwt_secret: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  37326331613162666263663465303937333038646436623830623464636235373433653334303063
-  6165666262376130613533353130626432323637386364630a353836353536383337643463393138
-  38613935373135366462366336626339326631646131396336303063616234616464363037336630
-  3039363333363032310a336561353262356236666163323735396262383635373133356234653964
-  63323830616431356438393938353161666533383635333131336137623638393937373934666232
-  6636373735373761383430363161646337363335303637633861

ansible/vars/root_db_passwd.yml

@@ -1,9 +0,0 @@
----
-root_db_passwd: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  37646665656335653735623538323830656432386530356633633761303636366433353131303633
-  3939343564363931613466376538386237373166323133370a383962646538643664383166356338
-  34643665336463376661303730376562376362396664313333626262653061633965333930383162
-  6437626637616130360a393862633538333664396334646437353361626539353830326433373666
-  64616238623563393531373236346634356334386461636536663337383666396130366465653335
-  3432353230393164393030643836393164393235386638653537

ansible/vars/secret_key.yml

@@ -1,9 +0,0 @@
----
-secret_key: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  63336135353338386564333337313933323635393533663561373463346664323865303361333765
-  3238656235613334323331616330326566626235393237300a666635313239356265623937356431
-  38656336616665393035653133323130396236663466313330346666363130326361623738663330
-  3631393536626266610a343765616361313137613264626433633765303033613437303865313865
-  34343235346466383337386638623364386266626432613036396639653162663233323136613436
-  3537306565356538626161373635613739363638383036366265

ansible/vars/smtp_passwd.yml

@@ -1,8 +0,0 @@
----
-smtp_passwd: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  62393535383032333039343365653034353739323962356536386461346534643831303465353865
-  6662326163653231663036313663353135613131373131610a336131393862333533356536313565
-  34663065323635326532343537623564363164333965313538306637636136353361373265363264
-  3832643061366636390a333362326663343066646335303465633163316530306563366463393538
-  37366337663562333231326162326139313037643962613430623832656365623534

app.json

@@ -1,5 +0,0 @@
-{
-  "name": "gitea",
-  "description": "Gitea is a painless self-hosted Git service.",
-  "repository": "https://git.autonomic.zone/autonomic-cooperative/gitea"
-}

deploy.d/config.yml

@@ -0,0 +1,67 @@
+---
+vars:
+  port: "3020"
+  domain: "git.autonomic.zone"
+
+volumes:
+  - type: directory
+    src: /var/lib/git
+    dest: /data
+
+  - type: directory
+    src: /var/lib/gitea/.ssh
+    dest: /data/git/.ssh
+
+  - type: directory
+    src: /etc/timezone
+    dest: /etc/timezone
+    mode: ro
+
+  - type: directory
+    src: /etc/localtime
+    dest: /etc/localtime
+    mode: ro
+
+db:
+  - type: "mariadb"
+    passwd: "{{ vault.passwd }}"
+    root_passwd: "{{ vault.root_passwd }}"
+
+env:
+  ADMIN_MAIL: "helo@autonomic.zone"
+  ADMIN_PASS: "{{ vault.autonomic_admin_pass }}"
+  ADMIN_USER: "{{ vault.autonomic_admin_user }}"
+  ALLOW_ONLY_EXTERNAL_REGISTRATION: "true"
+  APP_NAME: "Gitea: Git with solidaritea"
+  AUTHOR: "Gitea: Git with solidaritea"
+  DB_HOST: "{{ dokku.mariadb_addr }}"
+  DB_NAME: "gitea"
+  DB_PASSWD: "{{ vault.db_passwd }}"
+  DB_TYPE: "mysql"
+  DB_USER: "{{ dokku.mariadb_user }}"
+  DESCRIPTION: "Git hosting for conrads"
+  DISABLE_REGISTRATION: "false"
+  DOKKU_LETSENCRYPT_EMAIL: "helo@autonomic.zone"
+  DOMAIN: "{{ vars.domain }}"
+  ENABLE_OPENID_SIGNIN: "true"
+  ENABLE_OPENID_SIGNUP: "true"
+  GITEA_THEME: "arc-green"
+  HTTP_PORT: "{{ vars.port }}"
+  INSTALL_LOCK: "true"
+  JWT_SECRET: "{{ vault.jwt_secret }}"
+  MAILER_ENABLED: "true"
+  RUN_MODE: "prod"
+  SECRET_KEY: "{{ vault.secret_key }}"
+  SMTP_FROM: "{{ vault.smtp_from }}"
+  SMTP_HOST: "{{ vault.smtp_host }}"
+  SMTP_MAILER_TYPE: "smtp"
+  SMTP_PASSWD: "{{ vault.smtp_passwd }}"
+  SMTP_TLS_ENABLED: "true"
+  SMTP_USER: "{{ vault.smtp_user }}"
+  SSH_DOMAIN: "{{ vars.domain }}"
+  SSH_LISTEN_PORT: "2222"
+  SSH_PORT: "222"
+  STARTUP_TIMEOUT: "0"
+  USER_GID: "{{ vars.git_user_guid }}"
+  USER_UID: "{{ vars.git_user_uid }}"
+  WHITELIST_URIS: "https://{{ vars.domain }}"

deploy.d/plays/postdeploy.yml

@@ -0,0 +1,80 @@
+---
+- name: Remove automatically configured ports
+  dokku_ports:
+    app: gitea
+    mappings:
+      - "http:3000:3000"
+      - "http:2222:2222"
+    state: absent
+
+- name: Ensure system jq package is installed
+  become: true
+  apt:
+    name: jq
+    state: present
+
+- name: Retrieve application docker container IP address
+  shell: "dokku ps:inspect {{ dokku.app }} | jq -r .[0].NetworkSettings.IPAddress"
+  register: dokku_ps_inspect
+
+- name: Setup the SSH system -> container passthrough script
+  become: true
+  vars:
+    ssh_listen_port: "{{ config.vars.ssh_listen_port }}"
+    dokku_container_ip: "{{ dokku_ps_inspect.stdout }}"
+  template:
+    src: "{{ app_config_root }}/templates/gitea.j2"
+    dest: /app/gitea/gitea
+    owner: git
+    group: git
+    mode: "+x"
+    force: true
+
+- name: Store the git user public key
+  become: true
+  shell: cat /home/git/.ssh/id_rsa.pub
+  register: git_id_rsa_pub
+
+- name: Store the gitea authorized_keys file
+  become: true
+  shell: cat /var/lib/gitea/git/.ssh/authorized_keys
+  register: git_auth_keys
+
+- name: Check if the public key is already in place
+  become: true
+  command: 'grep -Fxq "{{ git_id_rsa_pub.stdout}}" /var/lib/gitea/git/.ssh/authorized_keys'
+  check_mode: false
+  ignore_errors: true
+  changed_when: false
+  register: git_id_rsa_pub_check
+
+- name: Ensure git public key is in the gitea loaded authorized_keys
+  become: true
+  blockinfile:
+    path: /var/lib/gitea/git/.ssh/authorized_keys
+    block: "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty {{ git_id_rsa_pub.stdout }}"
+    state: present
+    owner: git
+    group: git
+    create: true
+    insertbefore: BOF
+    backup: true
+    marker: "# ansible inserted git <-> gitea public key"
+  when: git_id_rsa_pub_check.rc == 0
+
+- name: Symlink the gitea authorized keys configuration to the host git user
+  become: true
+  file:
+    src: /var/lib/gitea/git/.ssh/authorized_keys
+    dest: /home/git/.ssh/authorized_keys
+    state: link
+    force: true
+    owner: git
+
+- name: Add git user to AllowUsers SSH configuration
+  become: true
+  replace:
+    backup: true
+    dest: /etc/ssh/sshd_config
+    regexp: '^(AllowUsers(?!.*\bgit\b).*)$'
+    replace: '\1 git'

deploy.d/plays/predeploy.yml

@@ -0,0 +1,43 @@
+---
+- name: Setup system level git user
+  become: true
+  user:
+    name: git
+    comment: gitea user
+    create_home: true
+    home: /home/git
+    group: git
+    system: true
+    generate_ssh_key: true
+    ssh_key_bits: 2048
+    ssh_key_file: .ssh/id_rsa
+    state: present
+
+- name: Get uid/guid of the git user
+  become: true
+  getent:
+    database: passwd
+    key: git
+    split: ":"
+
+- name: Store gitea git user uid/guid in config.vars
+  set_fact:
+    config: "{{
+      config.vars |
+      default({}) |
+      combine({
+        'git_user_uid': getent_passwd['git'][1],
+        'git_user_guid': getent_passwd['git'][2],
+      })
+    }}"
+
+- name: Create extra application directories
+  become: true
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: git
+    group: git
+  with_items:
+    - /app
+    - /app/gitea

deploy.d/templates/gitea.j2

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+ssh \
+  -p {{ vars.ssh_listen_port }} \
+  -o StrictHostKeyChecking=no \
+  git@{{ vars.dokku_container_ip }} \
+  "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"

requirements.txt

@@ -1 +0,0 @@
-ansible==2.9.6

sbin/encrypt.sh

@@ -1,15 +0,0 @@
-#!/bin/bash
-
-set -eu -o pipefail
-
-# Usage
-# ./encrypt.sh mysecretname mysecretvalue
-
-declare name="$1"
-declare secret="$2"
-
-ansible-vault \
-  encrypt_string \
-  --vault-password-file ansible/.vault.sh \
-  --name "$name" \
-  "$secret"