Migrating to swarm

This commit is contained in:
Luke Murphy 2020-06-23 11:27:33 +02:00
parent 76dcceff78
commit 36eed2a709
No known key found for this signature in database
GPG Key ID: 5E2EF5A63E3718CC
22 changed files with 142 additions and 472 deletions

5
CHECKS
View File

@ -1,5 +0,0 @@
WAIT=3
TIMEOUT=3
ATTEMPTS=5
/healthcheck

View File

@ -1,23 +0,0 @@
FROM gitea/gitea:1.12.0
EXPOSE 3020
EXPOSE 2222
COPY . ${WORKDIR}
COPY sbin/* /sbin/
RUN apk --no-cache add \
ca-certificates \
mysql-client \
py3-docutils \
py3-pip
RUN pip3 install --upgrade \
pip==20.0.2
# Note(decentral1se): https://github.com/pixelb/crudini/issues/58
RUN pip3 install --no-cache-dir \
"git+http://github.com/pixelb/crudini.git@0.9.3#egg=crudini"
ENTRYPOINT ["/sbin/entrypoint.sh"]

View File

@ -1,25 +1,5 @@
# gitea
# git.autonomic.zone
[![Build Status](https://drone.autonomic.zone/api/badges/autonomic-cooperative/gitea/status.svg)](https://drone.autonomic.zone/autonomic-cooperative/gitea)
> https://gitea.io/
[![Build Status](https://drone.autonomic.zone/api/badges/autonomic-cooperative/git.autonomic.zone/status.svg)](https://drone.autonomic.zone/autonomic-cooperative/git.autonomic.zone)
> https://git.autonomic.zone
## Development
```bash
$ git clone https://git.autonomic.zone/autonomic-cooperative/gitea && cd gitea
$ python3 -m venv .venv && source .venv/bin/activate
$ pip install -r requirements.txt
$ docker-compose up
```
Gitea dashboard:
> http://localhost:3000
## Production
1. Our [drone.autonomic.zone](https://drone.autonomic.zone/autonomic-cooperative/gitea/) configuration automatically deploys.
1. For a manual deploy guide, see [this documentation](https://git.autonomic.zone/autonomic-cooperative/organising/wiki/working-with-docker-swarm).

43
app.ini.tmpl Normal file
View File

@ -0,0 +1,43 @@
APP_NAME = {{ env "GITEA_APP_NAME" }}
RUN_MODE = prod
[database]
DB_TYPE = {{ env "GITEA_DB_TYPE" }}
HOST = {{ env "GITEA_DB_HOST" }}
NAME = {{ env "GITEA_DB_NAME" }}
PASSWD = {{ secret "db_passwd" }}
USER = {{ env "GITEA_DB_USER" }}
[indexer]
STARTUP_TIMEOUT = 0
[server]
DOMAIN = {{ env "GITEA_DOMAIN" }}
ROOT_URL = https://%(DOMAIN)s/
SSH_DOMAIN = {{ env "GITEA_DOMAIN" }}
SSH_LISTEN_PORT = {{ env "GITEA_SSH_PORT" }}
SSH_PORT = {{ env "GITEA_SSH_PORT" }}
START_SSH_SERVER = true
[security]
INSTALL_LOCK = true
INTERNAL_TOKEN = {{ secret "internal_token" }}
SECRET_KEY = {{ secret "secret_key" }}
[oauth2]
JWT_SECRET = {{ secret "jwt_secret" }}
[mailer]
ENABLED = true
FROM = noreply@autonomic.zone
HOST = mail.gandi.net:465
USER = noreply@autonomic.zone
PASSWD = {{ secret "smtp_passwd" }}
MAILER_TYPE = smtp
IS_TLS_ENABLED = true
[markup.restructuredtext]
ENABLED = true
FILE_EXTENSIONS = .rst
RENDER_COMMAND = rst2html
IS_INPUT_FILE = false

97
compose.yml Normal file
View File

@ -0,0 +1,97 @@
---
version: "3.8"
services:
gitea:
image: "gitea/gitea:1.12.1"
configs:
- source: app_ini
target: /data/gitea/conf/app.ini
secrets:
- db_passwd
- internal_token
- jwt_secret
- secret_key
- smtp_passwd
environment:
- GITEA_APP_NAME="Git with solidaritea"
- GITEA_DB_HOST="mariadb:3306"
- GITEA_DB_NAME="gitea"
- GITEA_DB_TYPE="mysql"
- GITEA_DB_USER="gitea"
- GITEA_DOMAIN="git.autonomic.zone"
- GITEA_SSH_PORT="2222"
volumes:
- "git:/data"
networks:
- proxy
- internal
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:3000"]
interval: 15s
timeout: 10s
retries: 10
start_period: 30s
deploy:
update_config:
failure_action: rollback
order: start-first
labels:
- "traefik.enable=true"
- "traefik.http.routers.gitea.rule=Host(`git.autonomic.zone`)"
- "traefik.http.routers.gitea.entrypoints=web-secure"
- "traefik.http.services.gitea.loadbalancer.server.port=3000"
- "traefik.http.routers.gitea.tls.certresolver=production"
- "traefik.tcp.routers.gitea-ssh.rule=HostSNI(`*`)"
- "traefik.tcp.routers.gitea-ssh.entrypoints=gitea-ssh"
- "traefik.tcp.services.gitea-ssh.loadbalancer.server.port=2222"
mariadb:
image: "mariadb:10.5"
environment:
- MYSQL_DATABASE=gitea
- MYSQL_USER=gitea
- MYSQL_PASSWORD_FILE=/run/secrets/db_passwd
- MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_passwd
secrets:
- db_passwd
- db_root_passwd
volumes:
- "mariadb:/var/lib/mysql"
networks:
- internal
networks:
internal:
proxy:
external: true
configs:
app_ini:
name: gitea_app_ini_v1
file: app.ini.tmpl
template_driver: golang
secrets:
db_passwd:
name: gitea_db_passwd_v1
external: true
db_root_passwd:
name: gitea_db_root_passwd_v1
external: true
internal_token:
name: gitea_internal_token_v1
external: true
jwt_secret:
name: gitea_jwt_secret_v1
external: true
secret_key:
name: gitea_secret_key_v1
external: true
smtp_passwd:
name: gitea_smtp_passwd_v1
external: true
volumes:
git:
mariadb:

View File

@ -1,54 +0,0 @@
---
vars:
port: "3020"
domain: "git.autonomic.zone"
ssh_listen_port: "2222"
volumes:
- /var/lib/gitea:/data
- /var/lib/gitea/git/.ssh:/data/git/.ssh
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
db:
- type: "mariadb"
passwd: "{{ vault.db_passwd }}"
root_passwd: "{{ vault.root_db_passwd }}"
env:
ADMIN_MAIL: "helo@autonomic.zone"
ADMIN_PASS: "{{ vault.autonomic_admin_pass }}"
ADMIN_USER: "{{ vault.autonomic_admin_user }}"
ALLOW_ONLY_EXTERNAL_REGISTRATION: "true"
APP_NAME: "Gitea: Git with solidaritea"
AUTHOR: "Gitea: Git with solidaritea"
DB_HOST: "{{ dokku.mariadb_addr }}"
DB_NAME: "gitea"
DB_PASSWD: "{{ vault.db_passwd }}"
DB_TYPE: "mysql"
DB_USER: "{{ dokku.mariadb_user }}"
DESCRIPTION: "Git hosting for conrads"
DISABLE_REGISTRATION: "false"
DOKKU_LETSENCRYPT_EMAIL: "helo@autonomic.zone"
DOMAIN: "{{ vars.domain }}"
ENABLE_NOTIFY_MAIL: "true"
ENABLE_OPENID_SIGNIN: "true"
ENABLE_OPENID_SIGNUP: "true"
GITEA_THEME: "arc-green"
HTTP_PORT: "{{ vars.port }}"
INSTALL_LOCK: "true"
JWT_SECRET: "{{ vault.jwt_secret }}"
LANGING_PAGE: "organizations"
MAILER_ENABLED: "true"
RUN_MODE: "prod"
SECRET_KEY: "{{ vault.secret_key }}"
SMTP_FROM: "noreply@autonomic.zone"
SMTP_HOST: "mail.gandi.net:465"
SMTP_MAILER_TYPE: "smtp"
SMTP_PASSWD: "{{ vault.smtp_passwd }}"
SMTP_TLS_ENABLED: "true"
SMTP_USER: "noreply@autonomic.zone"
SSH_DOMAIN: "{{ vars.domain }}"
SSH_LISTEN_PORT: "{{ vars.ssh_listen_port }}"
SSH_PORT: "222"
STARTUP_TIMEOUT: "0"

View File

@ -1,80 +0,0 @@
---
- name: Remove automatically configured ports
dokku_ports:
app: gitea
mappings:
- "http:3000:3000"
- "http:2222:2222"
state: absent
- name: Ensure system jq package is installed
become: true
apt:
name: jq
state: present
- name: Retrieve application docker container IP address
shell: "dokku ps:inspect {{ dokku.app }} | jq -r .[0].NetworkSettings.IPAddress"
register: dokku_ps_inspect
- name: Setup the SSH system -> container passthrough script
become: true
vars:
dokku_container_ip: "{{ dokku_ps_inspect.stdout }}"
template:
src: "{{ app_config_root }}/templates/gitea.j2"
dest: /app/gitea/gitea
owner: git
group: git
mode: "+x"
force: true
- name: Store the git user public key
become: true
shell: cat /home/git/.ssh/id_rsa.pub
register: git_id_rsa_pub
- name: Store the gitea authorized_keys file
become: true
shell: cat /var/lib/gitea/git/.ssh/authorized_keys
register: git_auth_keys
- name: Check if the public key is already in place
become: true
command: 'grep -Fxq "{{ git_id_rsa_pub.stdout}}" /var/lib/gitea/git/.ssh/authorized_keys'
check_mode: false
ignore_errors: true
changed_when: false
register: git_id_rsa_pub_check
- name: Ensure git public key is in the gitea loaded authorized_keys
become: true
blockinfile:
path: /var/lib/gitea/git/.ssh/authorized_keys
block: "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty {{ git_id_rsa_pub.stdout }}"
state: present
owner: git
group: git
create: true
insertbefore: BOF
backup: true
marker: "# ansible inserted git <-> gitea public key"
when: git_id_rsa_pub_check.rc == 0
- name: Symlink the gitea authorized keys configuration to the host git user
become: true
file:
src: /var/lib/gitea/git/.ssh/authorized_keys
dest: /home/git/.ssh/authorized_keys
state: link
force: true
owner: git
group: git
- name: Add git user to AllowUsers SSH configuration
become: true
replace:
backup: true
dest: /etc/ssh/sshd_config
regexp: '^(AllowUsers(?!.*\bgit\b).*)$'
replace: '\1 git'

View File

@ -1,45 +0,0 @@
---
- name: Setup system level git user
become: true
user:
name: git
comment: gitea user
create_home: true
home: /home/git
group: git
system: true
generate_ssh_key: true
ssh_key_bits: 2048
ssh_key_file: .ssh/id_rsa
state: present
- name: Create gitea application directories
become: true
file:
path: "{{ item }}"
state: directory
owner: git
group: git
with_items:
- /app
- /app/gitea
- /var/lib/gitea
- name: Get uid/guid of the git user
become: true
getent:
database: passwd
key: git
split: ":"
- name: Prepare git user information dictionary
set_fact:
git_user_info:
{
"USER_UID": "{{ getent_passwd['git'][1] }}",
"USER_GID": "{{ getent_passwd['git'][2] }}",
}
- name: Store gitea git user uid/guid in config.env dictionary
set_fact:
config: "{{ config | update_env(git_user_info) }}"

View File

@ -1,7 +0,0 @@
#!/bin/sh
ssh \
-p {{ config.vars.ssh_listen_port }} \
-o StrictHostKeyChecking=no \
git@{{ dokku_container_ip }} \
"SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"

View File

@ -1,9 +0,0 @@
---
autonomic_admin_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
33343266306166393035613932643765643432663438646538633263353066376434373839373366
3061663435646232326362373164616235383535643364620a346661383363353036363038646437
33636135663332313932346437383639613266326465333161633965623836653661326638313563
3839333033323931360a343261656135343733326364656662643833313462373832656265623263
63383030646337653831633934383234313437623431326334633330366138346239623931643666
3337646231653764643966643465626637393637376265303633

View File

@ -1,8 +0,0 @@
---
autonomic_admin_user: !vault |
$ANSIBLE_VAULT;1.1;AES256
33386531383234306262333864303735323863643366366131323766643165306234616432396564
3930613064643131643038393133323034623938383763660a323562623931656433313563303930
66626663393161653431303465323735326633663531386263653938393364306562613362663335
3737323730313737640a323339353033326363656566363662343665333230306333663664316461
6265

View File

@ -1,9 +0,0 @@
---
db_passwd: !vault |
$ANSIBLE_VAULT;1.1;AES256
34323835366138326265396239643765366436643662363936336539303166313132333930643939
3039626462393931653032313531393732623839386566630a666464323365343962363536636432
31373232383363336165363864666436396566633264663232366433663066633066663936623266
3432393832373964620a393663316539643836306261373763346538623438383534313563643130
64396537303333363537396263363366613230313134626238643232633838663536323139336130
3335333962663761643937666366316533623338353566643831

View File

@ -1,9 +0,0 @@
---
jwt_secret: !vault |
$ANSIBLE_VAULT;1.1;AES256
62643162316234346463336334663337386439316634663761333463633837336263356433623330
6336613336626363346138636566353039373534346265640a333961396534666334303161643364
61646431633530626234323539323666636235383063663533366264396662666536316132613966
3334383861373436620a383136613364333363643432313362643131376439643831636462653430
34356237363365303736656432343062616635616139666436343638626238313764306261363334
6139633235633033643838313633373466383737646130313563

View File

@ -1,9 +0,0 @@
---
root_db_passwd: !vault |
$ANSIBLE_VAULT;1.1;AES256
33613461626432343264636630313037323230636266306566633136376562366234663630393135
6136626236303261363138306361623365346431333730660a373032393062656231336633656337
39353839653234656532383137623538663166353531653937366231343965366165626163653032
3033633739636464630a316365336537393663303932396439316635353431623334386561333563
32613934343539396632653664383064626230396433316437343861316439356231353662333936
6431633666333564363366323334633963623864633836343565

View File

@ -1,9 +0,0 @@
---
secret_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
31626137626638346139373365363365366463373462323037333037386534343261376332653437
6234623530613230653466616664306363313662623237340a376266323534633433646234386539
30373233623531626462643332633564616539336339336439366333623435366236643030326364
3539663363363639380a313863636235326434313563616132333061646332346437626131343336
32663132643261646538663134633661393932613762346661633331376539386363306132306661
3335373530376236353565613836626235336233653537393762

View File

@ -1,8 +0,0 @@
---
smtp_passwd: !vault |
$ANSIBLE_VAULT;1.1;AES256
33613836356565356663343737383034356630353562386334393362383931306338626265343737
3634646563396666386533316130333930343866316264370a346530653430356164333963353362
62363736383032626263313339616566333531613862633030343732393739376633323663326561
3164303636396432310a346338396132626564663237333661656131616333363431303535636365
38396639313134636336396230653732343936643164613437376136386236306265

View File

@ -1,10 +0,0 @@
---
version: "3.7"
services:
gitea:
volumes:
- git:/data
volumes:
git:

View File

@ -1,30 +0,0 @@
---
version: "3.7"
services:
gitea:
volumes:
- git:/data
networks:
- proxy
deploy:
mode: replicated
replicas: 1
update_config:
failure_action: rollback
placement:
constraints:
- node.role == manager
labels:
- "traefik.enable=true"
- "traefik.http.services.gitea.loadbalancer.server.port=3000"
- "traefik.http.routers.gitea.rule=Host(`gitea.swarm.autonomic.zone`)"
- "traefik.http.routers.gitea.entrypoints=web-secure"
- "traefik.http.routers.gitea.tls.certresolver=staging"
networks:
proxy:
external: true
volumes:
git:

View File

@ -1,8 +0,0 @@
---
version: "3.7"
services:
gitea:
image: gitea/gitea:1.11.6
ports:
- "3000:3000"

View File

@ -1,6 +0,0 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:base"
]
}

View File

@ -1 +0,0 @@
docker-compose==1.25.5

View File

@ -1,120 +0,0 @@
#!/bin/bash
set -eu -o pipefail
# Install root administration user account on first installation
setup_root_user() {
set -eu
if [ ! -f "/data/gitea/conf/app.ini" ]; then
echo "-----> Missing app.ini, not setting up root user"
return
fi
user_count=$(mysql \
-u"${DB_USER}" \
-p"${DB_PASSWD}" \
-h "${DOKKU_MARIADB_GITEA_PORT_3306_TCP_ADDR}" \
--database="${DB_NAME}" \
-N -B -e "SELECT count(*) FROM user;" \
)
if [[ "${user_count}" == "0" ]]; then
echo "-----> Setting up root user for initial deployment"
create_user=$(gitea \
admin \
create-user \
--username "$ADMIN_USER" \
--password "$ADMIN_PASS" \
--email "$ADMIN_MAIL" \
--admin \
)
if "$create_user"; then
echo "-----> root user added"
else
echo "-----> Failed to add root user"
return
fi
fi
}
# Pass Ansible based environment variables into the Gitea app.ini configuration
setup_app_ini() {
set -eu
if [ ! -f "/data/gitea/conf/app.ini" ]; then
echo "-----> Missing app.ini, not setting up configuration"
return
fi
declare app_ini="/data/gitea/conf/app.ini"
echo "-----> Using crudini to setup configuration"
crudini --set "$app_ini" "" APP_NAME "${APP_NAME}"
crudini --set "$app_ini" "" RUN_MODE "${RUN_MODE}"
crudini --set "$app_ini" ui DEFAULT_THEME "${GITEA_THEME}"
crudini --set "$app_ini" ui.meta AUTHOR "${AUTHOR}"
crudini --set "$app_ini" ui.meta DESCRIPTION "${DESCRIPTION}"
crudini --del "$app_ini" database PATH
crudini --set "$app_ini" database DB_TYPE mysql
crudini --set "$app_ini" database HOST "${DB_HOST}"
crudini --set "$app_ini" database NAME "${DB_NAME}"
crudini --set "$app_ini" database USER "${DB_USER}"
crudini --set "$app_ini" database PASSWD "${DB_PASSWD}"
crudini --set "$app_ini" database SSL_MODE "disable"
crudini --set "$app_ini" server PROTOCOL "http"
crudini --set "$app_ini" server DOMAIN "${DOMAIN}"
crudini --set "$app_ini" server ROOT_URL "https://%(DOMAIN)s/"
crudini --set "$app_ini" server HTTP_ADDR ""
crudini --set "$app_ini" server HTTP_PORT "${HTTP_PORT}"
crudini --set "$app_ini" server SSH_DOMAIN "${SSH_DOMAIN}"
crudini --set "$app_ini" server SSH_PORT "${SSH_PORT}"
crudini --set "$app_ini" server SSH_LISTEN_PORT "${SSH_LISTEN_PORT}"
crudini --set "$app_ini" server LANDING_PAGE "${LANGING_PAGE}"
crudini --set "$app_ini" service DISABLE_REGISTRATION "${DISABLE_REGISTRATION}"
crudini --set "$app_ini" service ALLOW_ONLY_EXTERNAL_REGISTRATION "${ALLOW_ONLY_EXTERNAL_REGISTRATION}"
crudini --set "$app_ini" service ENABLE_NOTIFY_MAIL "${ENABLE_NOTIFY_MAIL}"
crudini --set "$app_ini" security INSTALL_LOCK "${INSTALL_LOCK}"
crudini --set "$app_ini" security SECRET_KEY "${SECRET_KEY}"
crudini --set "$app_ini" oauth2 JWT_SECRET "${JWT_SECRET}"
crudini --set "$app_ini" openid ENABLE_OPENID_SIGNIN "${ENABLE_OPENID_SIGNIN}"
crudini --set "$app_ini" openid ENABLE_OPENID_SIGNUP "${ENABLE_OPENID_SIGNUP}"
crudini --set "$app_ini" indexer STARTUP_TIMEOUT "${STARTUP_TIMEOUT}"
crudini --set "$app_ini" mailer ENABLED "${MAILER_ENABLED}"
crudini --set "$app_ini" mailer FROM "${SMTP_FROM}"
crudini --set "$app_ini" mailer HOST "${SMTP_HOST}"
crudini --set "$app_ini" mailer USER "${SMTP_USER}"
crudini --set "$app_ini" mailer PASSWD "${SMTP_PASSWD}"
crudini --set "$app_ini" mailer MAILER_TYPE "${SMTP_MAILER_TYPE}"
crudini --set "$app_ini" mailer IS_TLS_ENABLED "${SMTP_TLS_ENABLED}"
crudini --set "$app_ini" markup.restructuredtext ENABLED "true"
crudini --set "$app_ini" markup.restructuredtext FILE_EXTENSIONS ".rst"
crudini --set "$app_ini" markup.restructuredtext RENDER_COMMAND rst2html
crudini --set "$app_ini" markup.restructuredtext IS_INPUT_FILE "false"
}
# Main entrypoint
main() {
set -eu
setup_root_user
setup_app_ini
}
main
/usr/bin/entrypoint "$@"