From 047425846a1f27d0d0cb9577baa58a4569fc0551 Mon Sep 17 00:00:00 2001 
From: Luke Murphy Date: Tue, 14 Apr 2020 17:38:57 +0200 Subject: [PATCH] Migrate to v2 config format --- CHECKS | 2 +- Dockerfile | 11 ++- README.md | 5 +- ansible/.vault.sh | 5 - ansible/post-deploy.yml | 111 ---------------------- ansible/pre-deploy.yml | 128 -------------------------- ansible/requirements.yml | 6 -- ansible/templates/gitea.j2 | 3 - ansible/vars/all.yml | 27 ------ ansible/vars/ansible_become_pass.yml | 8 -- ansible/vars/autonomic_admin_pass.yml | 9 -- ansible/vars/db_passwd.yml | 9 -- ansible/vars/gandi_rest_token.yml | 8 -- ansible/vars/internal_token.yml | 9 -- ansible/vars/jwt_secret.yml | 9 -- ansible/vars/root_db_passwd.yml | 9 -- ansible/vars/secret_key.yml | 9 -- ansible/vars/smtp_passwd.yml | 8 -- app.json | 5 - deploy.d/config.yml | 67 ++++++++++++++ deploy.d/plays/postdeploy.yml | 80 ++++++++++++++++ deploy.d/plays/predeploy.yml | 43 +++++++++ deploy.d/templates/gitea.j2 | 7 ++ requirements.txt | 1 - sbin/encrypt.sh | 15 --- 25 files changed, 207 insertions(+), 387 deletions(-) delete mode 100755 ansible/.vault.sh delete mode 100644 ansible/post-deploy.yml delete mode 100644 ansible/pre-deploy.yml delete mode 100644 ansible/requirements.yml delete mode 100755 ansible/templates/gitea.j2 delete mode 100644 ansible/vars/all.yml delete mode 100644 ansible/vars/ansible_become_pass.yml delete mode 100644 ansible/vars/autonomic_admin_pass.yml delete mode 100644 ansible/vars/db_passwd.yml delete mode 100644 ansible/vars/gandi_rest_token.yml delete mode 100644 ansible/vars/internal_token.yml delete mode 100644 ansible/vars/jwt_secret.yml delete mode 100644 ansible/vars/root_db_passwd.yml delete mode 100644 ansible/vars/secret_key.yml delete mode 100644 ansible/vars/smtp_passwd.yml delete mode 100644 app.json create mode 100644 deploy.d/config.yml create mode 100644 deploy.d/plays/postdeploy.yml create mode 100644 deploy.d/plays/predeploy.yml create mode 100755 deploy.d/templates/gitea.j2 delete mode 100644 requirements.txt delete mode 100755 
sbin/encrypt.sh diff --git a/CHECKS b/CHECKS index 9b6dd46..5d61ba2 100644 --- a/CHECKS +++ b/CHECKS @@ -2,4 +2,4 @@ WAIT=3 TIMEOUT=3 ATTEMPTS=5 -/healthcheck Database connection +/healthcheck diff --git a/Dockerfile b/Dockerfile index c32f6e2..5801904 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,11 +7,16 @@ COPY . ${WORKDIR} COPY sbin/* /sbin/ -RUN apk --no-cache add ca-certificates mysql-client py3-pip +RUN apk --no-cache add \ + ca-certificates \ + mysql-client \ + py3-pip -RUN pip3 install --upgrade pip==20.0.2 +RUN pip3 install --upgrade \ + pip==20.0.2 # Note(decentral1se): https://github.com/pixelb/crudini/issues/58 -RUN pip3 install --no-cache-dir "git+http://github.com/pixelb/crudini.git@0.9.3#egg=crudini" +RUN pip3 install --no-cache-dir \ + "git+http://github.com/pixelb/crudini.git@0.9.3#egg=crudini" ENTRYPOINT ["/sbin/entrypoint.sh"] diff --git a/README.md b/README.md index 081c757..664f133 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,4 @@ > https://gitea.io/ -# Deploy - -1. Push your changes to master and Dokku will try to automatically release -1. See the [dashboard to see the build](https://drone.autonomic.zone/autonomic-cooperative/gitea/) +> https://git.autonomic.zone diff --git a/ansible/.vault.sh b/ansible/.vault.sh deleted file mode 100755 index 8f30d37..0000000 --- a/ansible/.vault.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash - -set -eu -o pipefail - -echo $(pass show hosts/autonomic-dokku/vault/password) diff --git a/ansible/post-deploy.yml b/ansible/post-deploy.yml deleted file mode 100644 index 2a0cbe4..0000000 --- a/ansible/post-deploy.yml +++ /dev/null 
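Review bot: The crudini install on the last `RUN` line of the Dockerfile hunk still fetches the package over a cleartext `git+http://github.com/pixelb/crudini.git` URL and pins it only to the mutable tag `0.9.3`, so the build trusts both the network path and whoever can move that tag; the hunk only re-wraps the line, but that is what the new side now carries. Switch the scheme to `https://` and pin an immutable revision, e.g. `"git+https://github.com/pixelb/crudini.git@<full commit sha>#egg=crudini"`, or install the released wheel from PyPI once the referenced upstream issue is closed. The same line would also benefit from a `# pinned to <sha> because <reason>` comment so the next person does not "helpfully" bump it to a branch name.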
@@ -1,111 +0,0 @@ ---- -- hosts: all - gather_facts: false - tasks: - - name: Load variables - include_vars: - dir: "{{ dokku_lib_root }}/data/ansible/gitea/vars/" - extensions: - - yml - - - name: Set HTTP 80 port proxy - dokku_ports: - app: gitea - mappings: - - "http:80:{{ http_port }}" - state: present - - - name: Setup LE certificates - shell: dokku letsencrypt gitea - args: - creates: /home/dokku/gitea/letsencrypt/certs - - - name: Setup LE certificates renew cron job - shell: dokku letsencrypt:cron-job --add - args: - creates: /home/dokku/gitea/letsencrypt/cron-job - - - name: Remove automatically configured ports - dokku_ports: - app: gitea - mappings: - - "http:3000:3000" - - "http:2222:2222" - state: absent - - - name: Set HTTP 443 port - dokku_ports: - app: gitea - mappings: - - "https:443:{{ http_port }}" - state: present - - - name: Ensure jq package is installed - apt: - name: jq - state: present - - - name: Retrieve application container IP address - shell: "dokku ps:inspect gitea | jq -r .[0].NetworkSettings.IPAddress" - register: dokku_ps_inspect - - - name: Setup the SSH passthrough script - vars: - ssh_listen_port: "{{ ssh_listen_port }}" - dokku_container_ip: "{{ dokku_ps_inspect.stdout }}" - template: - src: gitea.j2 - dest: /app/gitea/gitea - owner: git - group: git - mode: "+x" - force: true - become: true - - - name: Store the git user public key - shell: cat /home/git/.ssh/id_rsa.pub - register: git_id_rsa_pub - become: true - - - name: Store the gitea authorized_keys file - shell: cat /var/lib/gitea/git/.ssh/authorized_keys - register: git_auth_keys - become: true - - - name: Check if the public key is already in place - command: 'grep -Fxq "{{ git_id_rsa_pub.stdout}}" /var/lib/gitea/git/.ssh/authorized_keys' - check_mode: false - ignore_errors: true - changed_when: false - register: git_id_rsa_pub_check - become: true - - - name: Ensure git public key is in gitea loaded authorized_keys - blockinfile: - path: 
/var/lib/gitea/git/.ssh/authorized_keys - block: "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty {{ git_id_rsa_pub.stdout }}" - state: present - owner: git - group: git - create: true - insertbefore: BOF - backup: true - marker: "# ansible inserted git <-> gitea public key" - become: true - when: git_id_rsa_pub_check.rc == 0 - - - name: Symlink the gitea authorized keys configuration to the host git user - file: - src: /var/lib/gitea/git/.ssh/authorized_keys - dest: /home/git/.ssh/authorized_keys - state: link - force: true - owner: git - become: true - - - name: Add git user to AllowUsers SSH configuration - replace: - backup: true - dest: /etc/ssh/sshd_config - regexp: '^(AllowUsers(?!.*\bgit\b).*)$' - replace: '\1 git' diff --git a/ansible/pre-deploy.yml b/ansible/pre-deploy.yml deleted file mode 100644 index 7199d09..0000000 --- a/ansible/pre-deploy.yml +++ /dev/null 
@@ -1,128 +0,0 @@ ---- -- hosts: all - gather_facts: false - tasks: - - name: Load variables - include_vars: - dir: "{{ dokku_lib_root }}/data/ansible/gitea/vars/" - extensions: - - yml - - - name: "Configure the {{ domain }} domain" - dokku_domains: - app: gitea - domains: - - "{{ domain }}" - state: present - - - name: Create mariadb database - shell: " - dokku - mariadb:create - gitea - --password {{ db_passwd }} - --root-password {{ root_db_passwd }} - " - args: - creates: /var/lib/dokku/services/mariadb/gitea - - - name: Link mariadb database to application - dokku_service_link: - app: gitea - name: gitea - service: mariadb - - # - name: Authenticate with Minio back-end - # - name: Configure daily backup policy - # - name: Take pre-deploy backup - - - name: Setup host git user - user: - name: git - comment: gitea user - create_home: true - home: /home/git - group: git - system: true - state: present - generate_ssh_key: true - ssh_key_bits: 2048 - ssh_key_file: .ssh/id_rsa - become: true - - - name: Create application directories - file: - path: "{{ item }}" - state: directory - owner: git - group: git - with_items: - - /app - - /app/gitea - - /var/lib/gitea - become: true - - - name: Get uid/guid of the git user - getent: - database: passwd - key: git - split: ":" - become: true - - - name: Specify docker volume mounts - dokku_storage: - app: gitea - mounts: - - /var/lib/gitea:/data - - /etc/timezone:/etc/timezone:ro - - /etc/localtime:/etc/localtime:ro - - /var/lib/dokku/services/mariadb/gitea:/var/lib/mysql - - /var/lib/gitea/.ssh:/data/git/.ssh - - - name: Store gitea git user uid/guid - set_fact: - git_user_uid: "{{ getent_passwd['git'][1] }}" - git_user_guid: "{{ getent_passwd['git'][2] }}" - - - name: Configure the dokku app environment - dokku_config: - app: gitea - restart: false - config: - ADMIN_MAIL: "{{ autonomic_admin_mail }}" - ADMIN_PASS: "{{ autonomic_admin_pass }}" - ADMIN_USER: "{{ autonomic_admin_user }}" - ALLOW_ONLY_EXTERNAL_REGISTRATION: 
"{{ allow_only_external_registration }}" - APP_NAME: "{{ autonomic_app_name }}" - AUTHOR: "{{ author }}" - DB_HOST: "dokku-mariadb-gitea:3306" - DB_NAME: "gitea" - DB_PASSWD: "{{ db_passwd }}" - DB_TYPE: "mysql" - DB_USER: "mariadb" # https://github.com/dokku/dokku-mariadb/issues/89 - DESCRIPTION: "{{ description }}" - DISABLE_REGISTRATION: "{{ disable_registration }}" - DOKKU_LETSENCRYPT_EMAIL: "{{ autonomic_admin_mail }}" - DOMAIN: "{{ domain }}" - ENABLE_OPENID_SIGNIN: "{{ enable_openid_signin }}" - ENABLE_OPENID_SIGNUP: "{{ enable_openid_signup }}" - GITEA_THEME: "{{ gitea_theme }}" - HTTP_PORT: "{{ http_port }}" - INSTALL_LOCK: "{{ install_lock }}" - JWT_SECRET: "{{ jwt_secret }}" - MAILER_ENABLED: "{{ mailer_enabled }}" - RUN_MODE: "prod" - SECRET_KEY: "{{ secret_key}}" - SMTP_FROM: "{{ smtp_from }}" - SMTP_HOST: "{{ smtp_host }}" - SMTP_MAILER_TYPE: "{{ smtp_mailer_type }}" - SMTP_PASSWD: "{{ smtp_passwd }}" - SMTP_TLS_ENABLED: "{{ smtp_tls_enabled }}" - SMTP_USER: "{{ smtp_user }}" - SSH_DOMAIN: "{{ ssh_domain }}" - SSH_LISTEN_PORT: "{{ ssh_listen_port }}" - SSH_PORT: "{{ ssh_port }}" - STARTUP_TIMEOUT: "{{ startup_timeout }}" - USER_GID: "{{ git_user_guid }}" - USER_UID: "{{ git_user_uid }}" - WHITELIST_URIS: "{{ whitelist_uris }}" diff --git a/ansible/requirements.yml b/ansible/requirements.yml deleted file mode 100644 index e2e3214..0000000 --- a/ansible/requirements.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- src: dokku_bot.ansible_dokku - version: v2020.3.24 - -- src: https://git.coop/decentral1se/autonomic.gandi/-/archive/0.0.5/autonomic.gandi-0.0.5.tar.gz - name: autonomic.gandi diff --git a/ansible/templates/gitea.j2 b/ansible/templates/gitea.j2 deleted file mode 100755 index 76b35f8..0000000 --- a/ansible/templates/gitea.j2 +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -ssh -p {{ ssh_listen_port }} -o StrictHostKeyChecking=no git@{{ dokku_container_ip }} "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@" 
diff --git a/ansible/vars/all.yml b/ansible/vars/all.yml deleted file mode 100644 index 7426647..0000000 --- a/ansible/vars/all.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -allow_only_external_registration: "true" -ansible_python_interpreter: "/usr/bin/python3" -author: "{{ autonomic_app_name }}" -autonomic_admin_mail: "helo@autonomic.zone" -autonomic_admin_user: "autonomic" -autonomic_app_name: "Gitea: Git with solidaritea" -description: "Git hosting for conrads" -disable_registration: "false" -dokku_domain_ipv4: "94.130.105.60" -domain: "git.autonomic.zone" -enable_openid_signin: "true" -enable_openid_signup: "true" -gitea_theme: "arc-green" -http_port: "3020" -install_lock: "true" -mailer_enabled: "true" -smtp_from: "gitea-autonomic@decentral1.se" -smtp_host: "mail.gandi.net:587" -smtp_mailer_type: "smtp" -smtp_tls_enabled: "true" -smtp_user: "gitea-autonomic@decentral1.se" -ssh_domain: "git.autonomic.zone" -ssh_listen_port: "2222" -ssh_port: "222" -startup_timeout: "0" -whitelist_uris: "https://git.autonomic.zone" diff --git a/ansible/vars/ansible_become_pass.yml b/ansible/vars/ansible_become_pass.yml deleted file mode 100644 index abb21b9..0000000 --- a/ansible/vars/ansible_become_pass.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -ansible_become_pass: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 34396236353735666531323238656533643465303131663464613162396333313836363630666266 - 6539323631656635333864316166633064633366323936610a656137616334313534333635313232 - 35323561303763366563316631313638363333393763323935343563303963616334336639386462 - 3837383830616637360a373539613630356564363662393836366462666430353439353637303035 - 63396633303166343433313439303539313637306637663137313533316531616434 diff --git a/ansible/vars/autonomic_admin_pass.yml b/ansible/vars/autonomic_admin_pass.yml deleted file mode 100644 index 6589cac..0000000 --- a/ansible/vars/autonomic_admin_pass.yml +++ /dev/null 
@@ -1,9 +0,0 @@ ---- -autonomic_admin_pass: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 63346230633033616135653638346366333063316161643339646134653435633631616133383838 - 3334323934346239333237323164383437366633663338620a636662396131343838356637376266 - 63306462613233393863363066343532623139313965323830313535376136373138396364363536 - 3163393262656339640a613630346234313063393130636663353038303266663964653765373134 - 36653431303662616465303334386563643564663832353331623432363138323365666362313731 - 6539306238396362333832343530383731313131383334653133 diff --git a/ansible/vars/db_passwd.yml b/ansible/vars/db_passwd.yml deleted file mode 100644 index 57fa7d4..0000000 --- a/ansible/vars/db_passwd.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -db_passwd: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 36646464626462336534333030666665636436353163656230366337393435326337653663616539 - 3361353565363637393166643763613762353465386336640a303335633330373266386639633562 - 62393961653038306362656639373031666364353866653862623132633739373630396662386132 - 3436366139613463310a353262613862663836653333376265363032303839383532666632653963 - 66623031646566303130383935366332616662386365326133636163623338646232316433346266 - 3166623035666362646565633265383737323238336531363766 diff --git a/ansible/vars/gandi_rest_token.yml b/ansible/vars/gandi_rest_token.yml deleted file mode 100644 index 3b5e3d8..0000000 --- a/ansible/vars/gandi_rest_token.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -gandi_rest_token: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 39316130353030633666633039633539333238616637396333326231313562663731343839313234 - 3263666662336437356263323238366136653962316633360a326466376532633062313835383063 - 38623036346437373534363839393333343163663934313865633764333965353631656634663136 - 3835303662633562390a663037356266393461636432663633336636643130623465616238626633 - 64346335666263363263616262323665363836373764633434343066383732346637 
diff --git a/ansible/vars/internal_token.yml b/ansible/vars/internal_token.yml deleted file mode 100644 index 9ab3e72..0000000 --- a/ansible/vars/internal_token.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -internal_token: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 31616533343831326637383239663630626563303865393461613234366630326335383631656330 - 6438653036313733616430653765396161636233336365630a373230653538613562373932393336 - 32333430616136643734393038353430656335343331376330313832323963373264316638306566 - 3735393932666461620a306465643439636433346363666462626335363638303564643236643033 - 62323037643633346635353462613164303530646566313438646231646139373932653139326566 - 3365393963393133633963643465363735333138646536393533 diff --git a/ansible/vars/jwt_secret.yml b/ansible/vars/jwt_secret.yml deleted file mode 100644 index 0a1be95..0000000 --- a/ansible/vars/jwt_secret.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -jwt_secret: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 37326331613162666263663465303937333038646436623830623464636235373433653334303063 - 6165666262376130613533353130626432323637386364630a353836353536383337643463393138 - 38613935373135366462366336626339326631646131396336303063616234616464363037336630 - 3039363333363032310a336561353262356236666163323735396262383635373133356234653964 - 63323830616431356438393938353161666533383635333131336137623638393937373934666232 - 6636373735373761383430363161646337363335303637633861 diff --git a/ansible/vars/root_db_passwd.yml b/ansible/vars/root_db_passwd.yml deleted file mode 100644 index a1b1855..0000000 --- a/ansible/vars/root_db_passwd.yml +++ /dev/null 
@@ -1,9 +0,0 @@ ---- -root_db_passwd: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 37646665656335653735623538323830656432386530356633633761303636366433353131303633 - 3939343564363931613466376538386237373166323133370a383962646538643664383166356338 - 34643665336463376661303730376562376362396664313333626262653061633965333930383162 - 6437626637616130360a393862633538333664396334646437353361626539353830326433373666 - 64616238623563393531373236346634356334386461636536663337383666396130366465653335 - 3432353230393164393030643836393164393235386638653537 diff --git a/ansible/vars/secret_key.yml b/ansible/vars/secret_key.yml deleted file mode 100644 index fff25ef..0000000 --- a/ansible/vars/secret_key.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -secret_key: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 63336135353338386564333337313933323635393533663561373463346664323865303361333765 - 3238656235613334323331616330326566626235393237300a666635313239356265623937356431 - 38656336616665393035653133323130396236663466313330346666363130326361623738663330 - 3631393536626266610a343765616361313137613264626433633765303033613437303865313865 - 34343235346466383337386638623364386266626432613036396639653162663233323136613436 - 3537306565356538626161373635613739363638383036366265 diff --git a/ansible/vars/smtp_passwd.yml b/ansible/vars/smtp_passwd.yml deleted file mode 100644 index b4d481e..0000000 --- a/ansible/vars/smtp_passwd.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -smtp_passwd: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 62393535383032333039343365653034353739323962356536386461346534643831303465353865 - 6662326163653231663036313663353135613131373131610a336131393862333533356536313565 - 34663065323635326532343537623564363164333965313538306637636136353361373265363264 - 3832643061366636390a333362326663343066646335303465633163316530306563366463393538 - 37366337663562333231326162326139313037643962613430623832656365623534 diff --git a/app.json b/app.json deleted file mode 100644 index e168ed5..0000000 
--- a/app.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "name": "gitea",
- "description": "Gitea is a painless self-hosted Git service.",
- "repository": "https://git.autonomic.zone/autonomic-cooperative/gitea"
-}
diff --git a/deploy.d/config.yml b/deploy.d/config.yml
new file mode 100644
index 0000000..b0ec4ec
--- /dev/null
+++ b/deploy.d/config.yml
@@ -0,0 +1,67 @@
+---
+vars:
+ port: "3020"
+ domain: "git.autonomic.zone"
+
+volumes:
+ - type: directory
+ src: /var/lib/git
+ dest: /data
+
+ - type: directory
+ src: /var/lib/gitea/.ssh
+ dest: /data/git/.ssh
+
+ - type: directory
+ src: /etc/timezone
+ dest: /etc/timezone
+ mode: ro
+
+ - type: directory
+ src: /etc/localtime
+ dest: /etc/localtime
+ mode: ro
+
+db:
+ - type: "mariadb"
+ passwd: "{{ vault.passwd }}"
+ root_passwd: "{{ vault.root_passwd }}"
+
+env:
+ ADMIN_MAIL: "helo@autonomic.zone"
+ ADMIN_PASS: "{{ vault.autonomic_admin_pass }}"
+ ADMIN_USER: "{{ vault.autonomic_admin_user }}"
+ ALLOW_ONLY_EXTERNAL_REGISTRATION: "true"
+ APP_NAME: "Gitea: Git with solidaritea"
+ AUTHOR: "Gitea: Git with solidaritea"
+ DB_HOST: "{{ dokku.mariadb_addr }}"
+ DB_NAME: "gitea"
+ DB_PASSWD: "{{ vault.db_passwd }}"
+ DB_TYPE: "mysql"
+ DB_USER: "{{ dokku.mariadb_user }}"
+ DESCRIPTION: "Git hosting for conrads"
+ DISABLE_REGISTRATION: "false"
+ DOKKU_LETSENCRYPT_EMAIL: "helo@autonomic.zone"
+ DOMAIN: "{{ vars.domain }}"
+ ENABLE_OPENID_SIGNIN: "true"
+ ENABLE_OPENID_SIGNUP: "true"
+ GITEA_THEME: "arc-green"
+ HTTP_PORT: "{{ vars.port }}"
+ INSTALL_LOCK: "true"
+ JWT_SECRET: "{{ vault.jwt_secret }}"
+ MAILER_ENABLED: "true"
+ RUN_MODE: "prod"
+ SECRET_KEY: "{{ vault.secret_key }}"
+ SMTP_FROM: "{{ vault.smtp_from }}"
+ SMTP_HOST: "{{ vault.smtp_host }}"
+ SMTP_MAILER_TYPE: "smtp"
+ SMTP_PASSWD: "{{ vault.smtp_passwd }}"
+ SMTP_TLS_ENABLED: "true"
+ SMTP_USER: "{{ vault.smtp_user }}"
+ SSH_DOMAIN: "{{ vars.domain }}"
+ SSH_LISTEN_PORT: "2222"
+ SSH_PORT: "222"
+ STARTUP_TIMEOUT: "0"
+ USER_GID: "{{ vars.git_user_guid }}"
+ USER_UID: "{{ vars.git_user_uid }}"
+ WHITELIST_URIS: "https://{{ vars.domain }}"
diff --git a/deploy.d/plays/postdeploy.yml b/deploy.d/plays/postdeploy.yml
new file mode 100644
index 0000000..6cb4ad1
--- /dev/null
+++ b/deploy.d/plays/postdeploy.yml
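Review bot: The `db` stanza creates the mariadb service with `{{ vault.passwd }}` / `{{ vault.root_passwd }}`, while `env.DB_PASSWD` a few lines down reads `{{ vault.db_passwd }}`, and the vault files deleted in this commit only ever defined `db_passwd` and `root_db_passwd`; unless the new vault deliberately carries both names with identical values, the database is created with one password and the application is handed another. Use a single key in both places, e.g. `passwd: "{{ vault.db_passwd }}"` and `root_passwd: "{{ vault.root_db_passwd }}"`. Separately, `USER_GID`/`USER_UID` reference `vars.git_user_guid`/`vars.git_user_uid` and the postdeploy play reads `config.vars.ssh_listen_port`, yet `vars:` here declares only `port` and `domain`; add `ssh_listen_port: "2222"` under `vars` and point `SSH_LISTEN_PORT` at `{{ vars.ssh_listen_port }}` so the env, the play and the passthrough template cannot drift apart.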
@@ -0,0 +1,80 @@
+---
+- name: Remove automatically configured ports
+ dokku_ports:
+ app: gitea
+ mappings:
+ - "http:3000:3000"
+ - "http:2222:2222"
+ state: absent
+
+- name: Ensure system jq package is installed
+ become: true
+ apt:
+ name: jq
+ state: present
+
+- name: Retrieve application docker container IP address
+ shell: "dokku ps:inspect {{ dokku.app }} | jq -r .[0].NetworkSettings.IPAddress"
+ register: dokku_ps_inspect
+
+- name: Setup the SSH system -> container passthrough script
+ become: true
+ vars:
+ ssh_listen_port: "{{ config.vars.ssh_listen_port }}"
+ dokku_container_ip: "{{ dokku_ps_inspect.stdout }}"
+ template:
+ src: "{{ app_config_root }}/templates/gitea.j2"
+ dest: /app/gitea/gitea
+ owner: git
+ group: git
+ mode: "+x"
+ force: true
+
+- name: Store the git user public key
+ become: true
+ shell: cat /home/git/.ssh/id_rsa.pub
+ register: git_id_rsa_pub
+
+- name: Store the gitea authorized_keys file
+ become: true
+ shell: cat /var/lib/gitea/git/.ssh/authorized_keys
+ register: git_auth_keys
+
+- name: Check if the public key is already in place
+ become: true
+ command: 'grep -Fxq "{{ git_id_rsa_pub.stdout}}" /var/lib/gitea/git/.ssh/authorized_keys'
+ check_mode: false
+ ignore_errors: true
+ changed_when: false
+ register: git_id_rsa_pub_check
+
+- name: Ensure git public key is in the gitea loaded authorized_keys
+ become: true
+ blockinfile:
+ path: /var/lib/gitea/git/.ssh/authorized_keys
+ block: "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty {{ git_id_rsa_pub.stdout }}"
+ state: present
+ owner: git
+ group: git
+ create: true
+ insertbefore: BOF
+ backup: true
+ marker: "# ansible inserted git <-> gitea public key"
+ when: git_id_rsa_pub_check.rc == 0
+
+- name: Symlink the gitea authorized keys configuration to the host git user
+ become: true
+ file:
+ src: /var/lib/gitea/git/.ssh/authorized_keys
+ dest: /home/git/.ssh/authorized_keys
+ state: link
+ force: true
+ owner: git
+
+- name: Add git user to
AllowUsers SSH configuration
+ become: true
+ replace:
+ backup: true
+ dest: /etc/ssh/sshd_config
+ regexp: '^(AllowUsers(?!.*\bgit\b).*)$'
+ replace: '\1 git'
diff --git a/deploy.d/plays/predeploy.yml b/deploy.d/plays/predeploy.yml
new file mode 100644
index 0000000..cff8230
--- /dev/null
+++ b/deploy.d/plays/predeploy.yml
@@ -0,0 +1,43 @@
+---
+- name: Setup system level git user
+ become: true
+ user:
+ name: git
+ comment: gitea user
+ create_home: true
+ home: /home/git
+ group: git
+ system: true
+ generate_ssh_key: true
+ ssh_key_bits: 2048
+ ssh_key_file: .ssh/id_rsa
+ state: present
+
+- name: Get uid/guid of the git user
+ become: true
+ getent:
+ database: passwd
+ key: git
+ split: ":"
+
+- name: Store gitea git user uid/guid in config.vars
+ set_fact:
+ config: "{{
+ config.vars |
+ default({}) |
+ combine({
+ 'git_user_uid': getent_passwd['git'][1],
+ 'git_user_guid': getent_passwd['git'][2],
+ })
+ }}"
+
+- name: Create extra application directories
+ become: true
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: git
+ group: git
+ with_items:
+ - /app
+ - /app/gitea
diff --git a/deploy.d/templates/gitea.j2 b/deploy.d/templates/gitea.j2
new file mode 100755
index 0000000..630f836
--- /dev/null
+++ b/deploy.d/templates/gitea.j2
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+ssh \
+ -p {{ vars.ssh_listen_port }} \
+ -o StrictHostKeyChecking=no \
+ git@{{ vars.dokku_container_ip }} \
+ "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
diff --git a/requirements.txt b/requirements.txt
deleted file mode 100644
index 130e91f..0000000
--- a/requirements.txt
+++ /dev/null
@@ -1 +0,0 @@
-ansible==2.9.6
diff --git a/sbin/encrypt.sh b/sbin/encrypt.sh
deleted file mode 100755
index d328761..0000000
--- a/sbin/encrypt.sh
+++ /dev/null
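Review bot: The guard on the "Ensure git public key is in the gitea loaded authorized_keys" task reads as inverted: `grep -Fxq` exits 0 only when the bare public key is already an exact line of the file, yet the block is inserted `when: git_id_rsa_pub_check.rc == 0`, so on a fresh host (no match, rc 1) the host→container key is never installed, and because the inserted line is prefixed with `no-port-forwarding,...` the bare-key exact match would not succeed on later runs either. `blockinfile` is already idempotent through its `marker`, so the simplest fix is to drop the grep task and the `when:` line (the `git_auth_keys` register is also never used and can go). The path is also worth confirming before the symlink task makes it the host `git` user's authorized_keys: `config.yml` mounts `/var/lib/gitea/.ssh` at `/data/git/.ssh` and `/var/lib/git` at `/data`, but these tasks edit `/var/lib/gitea/git/.ssh/authorized_keys`, which is not the host side of either volume, so sshd in the container may be reading a different file than the one being edited here.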
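Review bot: The `set_fact` in the uid/guid task assigns `config` to `config.vars | default({}) | combine(...)`, which (if `config` is the loaded `config.yml`) replaces the whole mapping with its `vars` sub-mapping — dropping `env`, `db` and `volumes` — and leaves the ids at `config.git_user_uid`, while `config.yml` reads them as `vars.git_user_uid`/`vars.git_user_guid`; the task name says `config.vars`, so presumably the intent was `config: "{{ config | combine({'vars': config.vars | default({}) | combine({'git_user_uid': getent_passwd['git'][1], 'git_user_guid': getent_passwd['git'][2]})}, recursive=True) }}"`. Please confirm how `vars.git_user_uid` is populated by the deploy tool if `config` is something else here. The new host key is also generated as 2048-bit RSA via `ssh_key_bits: 2048` / `ssh_key_file: .ssh/id_rsa`; for a key created fresh by this play, `ssh_key_type: ed25519` with `ssh_key_file: .ssh/id_ed25519` is the better default, with the postdeploy `cat /home/git/.ssh/id_rsa.pub` updated to match.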
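Review bot: The last line of the template hands the client-controlled `$SSH_ORIGINAL_COMMAND` to the container's shell inside a double-quoted string, so the remote `sh` re-parses it: a requested command containing `"`, `$(...)`, backticks or `;` breaks out of the `SSH_ORIGINAL_COMMAND=\"...\"` assignment and runs as `git` inside the container, and the key that postdeploy installs for this hop carries `no-pty`/`no-*-forwarding` but no `command=` restriction that would contain it. Escape the value into a single-quoted literal before sending it, and `exec` the ssh so the wrapper does not linger as an extra process. `StrictHostKeyChecking=no` against a bridge-local IP is a smaller concern, but it does mean the container's host key is never verified; `accept-new` with a persistent known_hosts is an improvement only if the container's host key survives redeploys, which the hunk does not show.

```sh
#!/bin/sh

# Single-quote SSH_ORIGINAL_COMMAND so the container's shell cannot re-parse it.
esc=$(printf '%s' "$SSH_ORIGINAL_COMMAND" | sed "s/'/'\\\\''/g")

exec ssh \
  -p {{ vars.ssh_listen_port }} \
  -o StrictHostKeyChecking=no \
  git@{{ vars.dokku_container_ip }} \
  "SSH_ORIGINAL_COMMAND='$esc' $0 $@"
```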
@@ -1,15 +0,0 @@ -#!/bin/bash - -set -eu -o pipefail - -# Usage -# ./encrypt.sh mysecretname mysecretvalue - -declare name="$1" -declare secret="$2" - -ansible-vault \ - encrypt_string \ - --vault-password-file ansible/.vault.sh \ - --name "$name" \ - "$secret"