autonomic-cooperative/git.autonomic.zone
Archived
4
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

Migrate to v2 config format

Browse Source
This commit is contained in:
Luke Murphy 2020-04-14 17:38:57 +02:00
parent d3fd12dd92
commit 047425846a
No known key found for this signature in database
GPG Key ID: 5E2EF5A63E3718CC
25 changed files with 207 additions and 387 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CHECKS
View File

@ -2,4 +2,4 @@ WAIT=3
TIMEOUT=3 TIMEOUT=3
ATTEMPTS=5 ATTEMPTS=5
/healthcheck Database connection /healthcheck

11
Dockerfile
View File

@ -7,11 +7,16 @@ COPY . ${WORKDIR}
COPY sbin/* /sbin/ COPY sbin/* /sbin/
RUN apk --no-cache add ca-certificates mysql-client py3-pip RUN apk --no-cache add \
ca-certificates \
mysql-client \
py3-pip
RUN pip3 install --upgrade pip==20.0.2 RUN pip3 install --upgrade \
pip==20.0.2
# Note(decentral1se): https://github.com/pixelb/crudini/issues/58 # Note(decentral1se): https://github.com/pixelb/crudini/issues/58
RUN pip3 install --no-cache-dir "git+http://github.com/pixelb/crudini.git@0.9.3#egg=crudini" RUN pip3 install --no-cache-dir \
"git+http://github.com/pixelb/crudini.git@0.9.3#egg=crudini"
ENTRYPOINT ["/sbin/entrypoint.sh"] ENTRYPOINT ["/sbin/entrypoint.sh"]

5
README.md
View File

@ -4,7 +4,4 @@
> https://gitea.io/ > https://gitea.io/
# Deploy > https://git.autonomic.zone
1. Push your changes to master and Dokku will try to automatically release
1. See the [dashboard to see the build](https://drone.autonomic.zone/autonomic-cooperative/gitea/)

5
ansible/.vault.sh
View File

@ -1,5 +0,0 @@
#!/bin/bash
set -eu -o pipefail
echo $(pass show hosts/autonomic-dokku/vault/password)

111
ansible/post-deploy.yml
View File

@ -1,111 +0,0 @@
---
- hosts: all
gather_facts: false
tasks:
- name: Load variables
include_vars:
dir: "{{ dokku_lib_root }}/data/ansible/gitea/vars/"
extensions:
- yml
- name: Set HTTP 80 port proxy
dokku_ports:
app: gitea
mappings:
- "http:80:{{ http_port }}"
state: present
- name: Setup LE certificates
shell: dokku letsencrypt gitea
args:
creates: /home/dokku/gitea/letsencrypt/certs
- name: Setup LE certificates renew cron job
shell: dokku letsencrypt:cron-job --add
args:
creates: /home/dokku/gitea/letsencrypt/cron-job
- name: Remove automatically configured ports
dokku_ports:
app: gitea
mappings:
- "http:3000:3000"
- "http:2222:2222"
state: absent
- name: Set HTTP 443 port
dokku_ports:
app: gitea
mappings:
- "https:443:{{ http_port }}"
state: present
- name: Ensure jq package is installed
apt:
name: jq
state: present
- name: Retrieve application container IP address
shell: "dokku ps:inspect gitea | jq -r .[0].NetworkSettings.IPAddress"
register: dokku_ps_inspect
- name: Setup the SSH passthrough script
vars:
ssh_listen_port: "{{ ssh_listen_port }}"
dokku_container_ip: "{{ dokku_ps_inspect.stdout }}"
template:
src: gitea.j2
dest: /app/gitea/gitea
owner: git
group: git
mode: "+x"
force: true
become: true
- name: Store the git user public key
shell: cat /home/git/.ssh/id_rsa.pub
register: git_id_rsa_pub
become: true
- name: Store the gitea authorized_keys file
shell: cat /var/lib/gitea/git/.ssh/authorized_keys
register: git_auth_keys
become: true
- name: Check if the public key is already in place
command: 'grep -Fxq "{{ git_id_rsa_pub.stdout}}" /var/lib/gitea/git/.ssh/authorized_keys'
check_mode: false
ignore_errors: true
changed_when: false
register: git_id_rsa_pub_check
become: true
- name: Ensure git public key is in gitea loaded authorized_keys
blockinfile:
path: /var/lib/gitea/git/.ssh/authorized_keys
block: "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty {{ git_id_rsa_pub.stdout }}"
state: present
owner: git
group: git
create: true
insertbefore: BOF
backup: true
marker: "# ansible inserted git <-> gitea public key"
become: true
when: git_id_rsa_pub_check.rc == 0
- name: Symlink the gitea authorized keys configuration to the host git user
file:
src: /var/lib/gitea/git/.ssh/authorized_keys
dest: /home/git/.ssh/authorized_keys
state: link
force: true
owner: git
become: true
- name: Add git user to AllowUsers SSH configuration
replace:
backup: true
dest: /etc/ssh/sshd_config
regexp: '^(AllowUsers(?!.*\bgit\b).*)$'
replace: '\1 git'

128
ansible/pre-deploy.yml
View File

@ -1,128 +0,0 @@
---
- hosts: all
gather_facts: false
tasks:
- name: Load variables
include_vars:
dir: "{{ dokku_lib_root }}/data/ansible/gitea/vars/"
extensions:
- yml
- name: "Configure the {{ domain }} domain"
dokku_domains:
app: gitea
domains:
- "{{ domain }}"
state: present
- name: Create mariadb database
shell: "
dokku
mariadb:create
gitea
--password {{ db_passwd }}
--root-password {{ root_db_passwd }}
"
args:
creates: /var/lib/dokku/services/mariadb/gitea
- name: Link mariadb database to application
dokku_service_link:
app: gitea
name: gitea
service: mariadb
# - name: Authenticate with Minio back-end
# - name: Configure daily backup policy
# - name: Take pre-deploy backup
- name: Setup host git user
user:
name: git
comment: gitea user
create_home: true
home: /home/git
group: git
system: true
state: present
generate_ssh_key: true
ssh_key_bits: 2048
ssh_key_file: .ssh/id_rsa
become: true
- name: Create application directories
file:
path: "{{ item }}"
state: directory
owner: git
group: git
with_items:
- /app
- /app/gitea
- /var/lib/gitea
become: true
- name: Get uid/guid of the git user
getent:
database: passwd
key: git
split: ":"
become: true
- name: Specify docker volume mounts
dokku_storage:
app: gitea
mounts:
- /var/lib/gitea:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
- /var/lib/dokku/services/mariadb/gitea:/var/lib/mysql
- /var/lib/gitea/.ssh:/data/git/.ssh
- name: Store gitea git user uid/guid
set_fact:
git_user_uid: "{{ getent_passwd['git'][1] }}"
git_user_guid: "{{ getent_passwd['git'][2] }}"
- name: Configure the dokku app environment
dokku_config:
app: gitea
restart: false
config:
ADMIN_MAIL: "{{ autonomic_admin_mail }}"
ADMIN_PASS: "{{ autonomic_admin_pass }}"
ADMIN_USER: "{{ autonomic_admin_user }}"
ALLOW_ONLY_EXTERNAL_REGISTRATION: "{{ allow_only_external_registration }}"
APP_NAME: "{{ autonomic_app_name }}"
AUTHOR: "{{ author }}"
DB_HOST: "dokku-mariadb-gitea:3306"
DB_NAME: "gitea"
DB_PASSWD: "{{ db_passwd }}"
DB_TYPE: "mysql"
DB_USER: "mariadb" # https://github.com/dokku/dokku-mariadb/issues/89
DESCRIPTION: "{{ description }}"
DISABLE_REGISTRATION: "{{ disable_registration }}"
DOKKU_LETSENCRYPT_EMAIL: "{{ autonomic_admin_mail }}"
DOMAIN: "{{ domain }}"
ENABLE_OPENID_SIGNIN: "{{ enable_openid_signin }}"
ENABLE_OPENID_SIGNUP: "{{ enable_openid_signup }}"
GITEA_THEME: "{{ gitea_theme }}"
HTTP_PORT: "{{ http_port }}"
INSTALL_LOCK: "{{ install_lock }}"
JWT_SECRET: "{{ jwt_secret }}"
MAILER_ENABLED: "{{ mailer_enabled }}"
RUN_MODE: "prod"
SECRET_KEY: "{{ secret_key}}"
SMTP_FROM: "{{ smtp_from }}"
SMTP_HOST: "{{ smtp_host }}"
SMTP_MAILER_TYPE: "{{ smtp_mailer_type }}"
SMTP_PASSWD: "{{ smtp_passwd }}"
SMTP_TLS_ENABLED: "{{ smtp_tls_enabled }}"
SMTP_USER: "{{ smtp_user }}"
SSH_DOMAIN: "{{ ssh_domain }}"
SSH_LISTEN_PORT: "{{ ssh_listen_port }}"
SSH_PORT: "{{ ssh_port }}"
STARTUP_TIMEOUT: "{{ startup_timeout }}"
USER_GID: "{{ git_user_guid }}"
USER_UID: "{{ git_user_uid }}"
WHITELIST_URIS: "{{ whitelist_uris }}"

6
ansible/requirements.yml
View File

@ -1,6 +0,0 @@
---
- src: dokku_bot.ansible_dokku
version: v2020.3.24
- src: https://git.coop/decentral1se/autonomic.gandi/-/archive/0.0.5/autonomic.gandi-0.0.5.tar.gz
name: autonomic.gandi

3
ansible/templates/gitea.j2
View File

@ -1,3 +0,0 @@
#!/bin/sh
ssh -p {{ ssh_listen_port }} -o StrictHostKeyChecking=no git@{{ dokku_container_ip }} "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"

27
ansible/vars/all.yml
View File

@ -1,27 +0,0 @@
---
allow_only_external_registration: "true"
ansible_python_interpreter: "/usr/bin/python3"
author: "{{ autonomic_app_name }}"
autonomic_admin_mail: "helo@autonomic.zone"
autonomic_admin_user: "autonomic"
autonomic_app_name: "Gitea: Git with solidaritea"
description: "Git hosting for conrads"
disable_registration: "false"
dokku_domain_ipv4: "94.130.105.60"
domain: "git.autonomic.zone"
enable_openid_signin: "true"
enable_openid_signup: "true"
gitea_theme: "arc-green"
http_port: "3020"
install_lock: "true"
mailer_enabled: "true"
smtp_from: "gitea-autonomic@decentral1.se"
smtp_host: "mail.gandi.net:587"
smtp_mailer_type: "smtp"
smtp_tls_enabled: "true"
smtp_user: "gitea-autonomic@decentral1.se"
ssh_domain: "git.autonomic.zone"
ssh_listen_port: "2222"
ssh_port: "222"
startup_timeout: "0"
whitelist_uris: "https://git.autonomic.zone"

8
ansible/vars/ansible_become_pass.yml
View File

@ -1,8 +0,0 @@
---
ansible_become_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
34396236353735666531323238656533643465303131663464613162396333313836363630666266
6539323631656635333864316166633064633366323936610a656137616334313534333635313232
35323561303763366563316631313638363333393763323935343563303963616334336639386462
3837383830616637360a373539613630356564363662393836366462666430353439353637303035
63396633303166343433313439303539313637306637663137313533316531616434

9
ansible/vars/autonomic_admin_pass.yml
View File

@ -1,9 +0,0 @@
---
autonomic_admin_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
63346230633033616135653638346366333063316161643339646134653435633631616133383838
3334323934346239333237323164383437366633663338620a636662396131343838356637376266
63306462613233393863363066343532623139313965323830313535376136373138396364363536
3163393262656339640a613630346234313063393130636663353038303266663964653765373134
36653431303662616465303334386563643564663832353331623432363138323365666362313731
6539306238396362333832343530383731313131383334653133

9
ansible/vars/db_passwd.yml
View File

@ -1,9 +0,0 @@
---
db_passwd: !vault |
$ANSIBLE_VAULT;1.1;AES256
36646464626462336534333030666665636436353163656230366337393435326337653663616539
3361353565363637393166643763613762353465386336640a303335633330373266386639633562
62393961653038306362656639373031666364353866653862623132633739373630396662386132
3436366139613463310a353262613862663836653333376265363032303839383532666632653963
66623031646566303130383935366332616662386365326133636163623338646232316433346266
3166623035666362646565633265383737323238336531363766

8
ansible/vars/gandi_rest_token.yml
View File

@ -1,8 +0,0 @@
---
gandi_rest_token: !vault |
$ANSIBLE_VAULT;1.1;AES256
39316130353030633666633039633539333238616637396333326231313562663731343839313234
3263666662336437356263323238366136653962316633360a326466376532633062313835383063
38623036346437373534363839393333343163663934313865633764333965353631656634663136
3835303662633562390a663037356266393461636432663633336636643130623465616238626633
64346335666263363263616262323665363836373764633434343066383732346637

9
ansible/vars/internal_token.yml
View File

@ -1,9 +0,0 @@
---
internal_token: !vault |
$ANSIBLE_VAULT;1.1;AES256
31616533343831326637383239663630626563303865393461613234366630326335383631656330
6438653036313733616430653765396161636233336365630a373230653538613562373932393336
32333430616136643734393038353430656335343331376330313832323963373264316638306566
3735393932666461620a306465643439636433346363666462626335363638303564643236643033
62323037643633346635353462613164303530646566313438646231646139373932653139326566
3365393963393133633963643465363735333138646536393533

9
ansible/vars/jwt_secret.yml
View File

@ -1,9 +0,0 @@
---
jwt_secret: !vault |
$ANSIBLE_VAULT;1.1;AES256
37326331613162666263663465303937333038646436623830623464636235373433653334303063
6165666262376130613533353130626432323637386364630a353836353536383337643463393138
38613935373135366462366336626339326631646131396336303063616234616464363037336630
3039363333363032310a336561353262356236666163323735396262383635373133356234653964
63323830616431356438393938353161666533383635333131336137623638393937373934666232
6636373735373761383430363161646337363335303637633861

9
ansible/vars/root_db_passwd.yml
View File

@ -1,9 +0,0 @@
---
root_db_passwd: !vault |
$ANSIBLE_VAULT;1.1;AES256
37646665656335653735623538323830656432386530356633633761303636366433353131303633
3939343564363931613466376538386237373166323133370a383962646538643664383166356338
34643665336463376661303730376562376362396664313333626262653061633965333930383162
6437626637616130360a393862633538333664396334646437353361626539353830326433373666
64616238623563393531373236346634356334386461636536663337383666396130366465653335
3432353230393164393030643836393164393235386638653537

9
ansible/vars/secret_key.yml
View File

@ -1,9 +0,0 @@
---
secret_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
63336135353338386564333337313933323635393533663561373463346664323865303361333765
3238656235613334323331616330326566626235393237300a666635313239356265623937356431
38656336616665393035653133323130396236663466313330346666363130326361623738663330
3631393536626266610a343765616361313137613264626433633765303033613437303865313865
34343235346466383337386638623364386266626432613036396639653162663233323136613436
3537306565356538626161373635613739363638383036366265

8
ansible/vars/smtp_passwd.yml
View File

@ -1,8 +0,0 @@
---
smtp_passwd: !vault |
$ANSIBLE_VAULT;1.1;AES256
62393535383032333039343365653034353739323962356536386461346534643831303465353865
6662326163653231663036313663353135613131373131610a336131393862333533356536313565
34663065323635326532343537623564363164333965313538306637636136353361373265363264
3832643061366636390a333362326663343066646335303465633163316530306563366463393538
37366337663562333231326162326139313037643962613430623832656365623534

5
app.json
View File

@ -1,5 +0,0 @@
{
"name": "gitea",
"description": "Gitea is a painless self-hosted Git service.",
"repository": "https://git.autonomic.zone/autonomic-cooperative/gitea"
}

67
deploy.d/config.yml Normal file
View File

@ -0,0 +1,67 @@
---
vars:
port: "3020"
domain: "git.autonomic.zone"
volumes:
- type: directory
src: /var/lib/git
dest: /data
- type: directory
src: /var/lib/gitea/.ssh
dest: /data/git/.ssh
- type: directory
src: /etc/timezone
dest: /etc/timezone
mode: ro
- type: directory
src: /etc/localtime
dest: /etc/localtime
mode: ro
db:
- type: "mariadb"
passwd: "{{ vault.passwd }}"
root_passwd: "{{ vault.root_passwd }}"
env:
ADMIN_MAIL: "helo@autonomic.zone"
ADMIN_PASS: "{{ vault.autonomic_admin_pass }}"
ADMIN_USER: "{{ vault.autonomic_admin_user }}"
ALLOW_ONLY_EXTERNAL_REGISTRATION: "true"
APP_NAME: "Gitea: Git with solidaritea"
AUTHOR: "Gitea: Git with solidaritea"
DB_HOST: "{{ dokku.mariadb_addr }}"
DB_NAME: "gitea"
DB_PASSWD: "{{ vault.db_passwd }}"
DB_TYPE: "mysql"
DB_USER: "{{ dokku.mariadb_user }}"
DESCRIPTION: "Git hosting for conrads"
DISABLE_REGISTRATION: "false"
DOKKU_LETSENCRYPT_EMAIL: "helo@autonomic.zone"
DOMAIN: "{{ vars.domain }}"
ENABLE_OPENID_SIGNIN: "true"
ENABLE_OPENID_SIGNUP: "true"
GITEA_THEME: "arc-green"
HTTP_PORT: "{{ vars.port }}"
INSTALL_LOCK: "true"
JWT_SECRET: "{{ vault.jwt_secret }}"
MAILER_ENABLED: "true"
RUN_MODE: "prod"
SECRET_KEY: "{{ vault.secret_key }}"
SMTP_FROM: "{{ vault.smtp_from }}"
SMTP_HOST: "{{ vault.smtp_host }}"
SMTP_MAILER_TYPE: "smtp"
SMTP_PASSWD: "{{ vault.smtp_passwd }}"
SMTP_TLS_ENABLED: "true"
SMTP_USER: "{{ vault.smtp_user }}"
SSH_DOMAIN: "{{ vars.domain }}"
SSH_LISTEN_PORT: "2222"
SSH_PORT: "222"
STARTUP_TIMEOUT: "0"
USER_GID: "{{ vars.git_user_guid }}"
USER_UID: "{{ vars.git_user_uid }}"
WHITELIST_URIS: "https://{{ vars.domain }}"

80
deploy.d/plays/postdeploy.yml Normal file
View File

@ -0,0 +1,80 @@
---
- name: Remove automatically configured ports
dokku_ports:
app: gitea
mappings:
- "http:3000:3000"
- "http:2222:2222"
state: absent
- name: Ensure system jq package is installed
become: true
apt:
name: jq
state: present
- name: Retrieve application docker container IP address
shell: "dokku ps:inspect {{ dokku.app }} | jq -r .[0].NetworkSettings.IPAddress"
register: dokku_ps_inspect
- name: Setup the SSH system -> container passthrough script
become: true
vars:
ssh_listen_port: "{{ config.vars.ssh_listen_port }}"
dokku_container_ip: "{{ dokku_ps_inspect.stdout }}"
template:
src: "{{ app_config_root }}/templates/gitea.j2"
dest: /app/gitea/gitea
owner: git
group: git
mode: "+x"
force: true
- name: Store the git user public key
become: true
shell: cat /home/git/.ssh/id_rsa.pub
register: git_id_rsa_pub
- name: Store the gitea authorized_keys file
become: true
shell: cat /var/lib/gitea/git/.ssh/authorized_keys
register: git_auth_keys
- name: Check if the public key is already in place
become: true
command: 'grep -Fxq "{{ git_id_rsa_pub.stdout}}" /var/lib/gitea/git/.ssh/authorized_keys'
check_mode: false
ignore_errors: true
changed_when: false
register: git_id_rsa_pub_check
- name: Ensure git public key is in the gitea loaded authorized_keys
become: true
blockinfile:
path: /var/lib/gitea/git/.ssh/authorized_keys
block: "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty {{ git_id_rsa_pub.stdout }}"
state: present
owner: git
group: git
create: true
insertbefore: BOF
backup: true
marker: "# ansible inserted git <-> gitea public key"
when: git_id_rsa_pub_check.rc == 0
- name: Symlink the gitea authorized keys configuration to the host git user
become: true
file:
src: /var/lib/gitea/git/.ssh/authorized_keys
dest: /home/git/.ssh/authorized_keys
state: link
force: true
owner: git
- name: Add git user to AllowUsers SSH configuration
become: true
replace:
backup: true
dest: /etc/ssh/sshd_config
regexp: '^(AllowUsers(?!.*\bgit\b).*)$'
replace: '\1 git'

43
deploy.d/plays/predeploy.yml Normal file
View File

@ -0,0 +1,43 @@
---
- name: Setup system level git user
become: true
user:
name: git
comment: gitea user
create_home: true
home: /home/git
group: git
system: true
generate_ssh_key: true
ssh_key_bits: 2048
ssh_key_file: .ssh/id_rsa
state: present
- name: Get uid/guid of the git user
become: true
getent:
database: passwd
key: git
split: ":"
- name: Store gitea git user uid/guid in config.vars
set_fact:
config: "{{
config.vars |
default({}) |
combine({
'git_user_uid': getent_passwd['git'][1],
'git_user_guid': getent_passwd['git'][2],
})
}}"
- name: Create extra application directories
become: true
file:
path: "{{ item }}"
state: directory
owner: git
group: git
with_items:
- /app
- /app/gitea

7
deploy.d/templates/gitea.j2 Executable file
View File

@ -0,0 +1,7 @@
#!/bin/sh
ssh \
-p {{ vars.ssh_listen_port }} \
-o StrictHostKeyChecking=no \
git@{{ vars.dokku_container_ip }} \
"SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"

1
requirements.txt
View File

@ -1 +0,0 @@
ansible==2.9.6

15
sbin/encrypt.sh
View File

@ -1,15 +0,0 @@
#!/bin/bash
set -eu -o pipefail
# Usage
# ./encrypt.sh mysecretname mysecretvalue
declare name="$1"
declare secret="$2"
ansible-vault \
encrypt_string \
--vault-password-file ansible/.vault.sh \
--name "$name" \
"$secret"