Add Gitea for managed code hosting

This commit adds a new service for Gitea, exposing HTTP and SSH ports by default (SSH over 7920), and accepting authentication via the local SMTP server. No users are otherwise created by default, and administration is expected to happen either via CLI, or via a custom admin user.
2022-07-23 16:54:02 +01:00 · 2022-07-23 16:54:02 +01:00 · e467b89e7f
parent 786af62d5a
commit e467b89e7f
10 changed files with 183 additions and 0 deletions
--- a/host/lhr01nuc/lhr01nuc.env.gpg
+++ b/host/lhr01nuc/lhr01nuc.env.gpg
--- a/host/lhr01srv/lhr01srv.env.gpg
+++ b/host/lhr01srv/lhr01srv.env.gpg
--- a/host/virtual/spec.bu
+++ b/host/virtual/spec.bu
@ -25,6 +25,7 @@ ignition:
      - local: service/hugo/spec.ign
      - local: service/prometheus/spec.ign
      - local: service/grafana/spec.ign
+      - local: service/gitea/spec.ign

 passwd:
  users:
@ -127,12 +128,21 @@ systemd:
            [Service]
            Environment=UPSTREAM_HOST=grafana UPSTREAM_PORT=8080

+    - name: nginx-proxy-http@gitea.localhost.service
+      enabled: true
+      dropins:
+        - name: gitea-upstream.conf
+          contents: |
+            [Service]
+            Environment=UPSTREAM_HOST=gitea UPSTREAM_PORT=8080
+
    - name: letsencrypt-dns-register@localhost.service
      enabled: true
      dropins:
        - name: use-local-files.conf
          contents: |
            [Service]
+            ExecStartPre=/bin/podman volume create letsencrypt
            ExecStart=
            ExecStart=/bin/sh -c "V=$(podman volume mount letsencrypt) && cp -Rv /etc/ssl/private/certificates $V"
            ExecStartPost=/bin/podman volume unmount letsencrypt
--- a/host/virtual/virtual.env
+++ b/host/virtual/virtual.env
@ -47,3 +47,13 @@ RCLONE_CRYPT_SALT=jqsQXp_MPwBPIzw69TkmSp7ScuA

 # Configuration for WriteFreely.
 WRITEFREELY_SITE_HOST=https://writefreely.localhost
+
+# Configuration for Gitea.
+GITEA_APP_NAME="Gitea: Git with a cup of tea"
+GITEA_DOMAIN=gitea.localhost
+GITEA_SSH_DOMAIN=gitea.localhost
+GITEA_SSH_PORT=7920
+GITEA_SECRET_KEY=password
+GITEA_DISABLE_REGISTRATION=true
+GITEA_REQUIRE_SIGNIN_VIEW=false
+GITEA_MAILER_FROM=noreply@gitea.localhost
--- a/service/gitea/Containerfile
+++ b/service/gitea/Containerfile
@ -0,0 +1,20 @@
+FROM docker.io/debian:bullseye-slim
+ARG VERSION=1.16.9
+
+RUN apt-get update -y && apt-get upgrade -y && \
+    apt-get install -y --no-install-recommends curl ca-certificates gettext gosu \
+                    git openssh-client gnupg
+
+ENV PACKAGE_URL https://dl.gitea.io/gitea/${VERSION}/gitea-${VERSION}-linux-amd64
+RUN curl -L -o /usr/bin/gitea ${PACKAGE_URL} && chmod +x /usr/bin/gitea
+
+RUN apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false curl
+
+RUN addgroup --system --gid 10000 git
+RUN adduser --system --uid 10000 --ingroup git --home /var/lib/gitea git
+
+COPY container/config /etc/gitea
+COPY container/run-gitea /run-gitea
+
+EXPOSE 8080 7920
+ENTRYPOINT ["/run-gitea"]
--- a/service/gitea/container/config/config.ini.template
+++ b/service/gitea/container/config/config.ini.template
@ -0,0 +1,64 @@
+APP_NAME = ${GITEA_APP_NAME}
+RUN_USER = git
+RUN_MODE = prod
+
+[repository]
+ROOT = /var/lib/gitea/repositories
+
+[repository.local]
+LOCAL_COPY_PATH = /var/lib/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /var/lib/gitea/tmp/uploads
+
+[server]
+APP_DATA_PATH   = /var/lib/gitea
+ROOT_URL        = https://${GITEA_DOMAIN}/
+DOMAIN          = ${GITEA_DOMAIN}
+SSH_DOMAIN      = ${GITEA_SSH_DOMAIN}
+HTTP_PORT       = 8080
+SSH_PORT        = ${GITEA_SSH_PORT}
+SSH_LISTEN_PORT = 7920
+
+[database]
+DB_TYPE = sqlite3
+PATH    = /var/lib/gitea/gitea.db
+LOG_SQL = false
+
+[indexer]
+ISSUE_INDEXER_PATH = /var/lib/gitea/indexers/issues.bleve
+
+[session]
+PROVIDER_CONFIG = /var/lib/gitea/sessions
+
+[picture]
+AVATAR_UPLOAD_PATH            = /var/lib/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /var/lib/gitea/repo-avatars
+
+[attachment]
+PATH = /var/lib/gitea/attachments
+
+[log]
+MODE      = console
+LEVEL     = info
+ROUTER    = console
+ROOT_PATH = /var/lib/gitea/log
+
+[security]
+SECRET_KEY                    = ${GITEA_SECRET_KEY}
+INSTALL_LOCK                  = true
+REVERSE_PROXY_LIMIT           = 1
+REVERSE_PROXY_TRUSTED_PROXIES = 10.89.0.0/16
+
+[service]
+DISABLE_REGISTRATION = ${GITEA_DISABLE_REGISTRATION}
+REQUIRE_SIGNIN_VIEW  = ${GITEA_REQUIRE_SIGNIN_VIEW}
+
+[mailer]
+ENABLED        = true
+MAILER_TYPE    = smtp
+IS_TLS_ENABLED = true
+FROM           = ${GITEA_MAILER_FROM}
+HOST           = ${GITEA_MAILER_HOST}
+USER           = ${GITEA_MAILER_USER}
+PASSWD         = ${GITEA_MAILER_PASSWD}
--- a/service/gitea/container/run-gitea
+++ b/service/gitea/container/run-gitea
@ -0,0 +1,26 @@
+#!/bin/sh
+
+set -eu
+
+# Export shared variables.
+export GITEA_WORK_DIR=/var/lib/gitea
+
+# Create configuration file from collected templates.
+envsubst < /etc/gitea/config.ini.template > /etc/gitea/config.ini
+
+# Create data directories and correct permissions for data files.
+install --owner git --group git --mode 700 --directory /var/lib/gitea
+chown -R git:git /etc/gitea
+
+# Initialize default condiguration if needed.
+if ! test -f /var/lib/gitea/gitea.db; then
+    # Set up database.
+    gosu git /usr/bin/gitea -c /etc/gitea/config.ini migrate
+
+    # Set up SMTP authentication via local service.
+    gosu git /usr/bin/gitea -c /etc/gitea/config.ini admin auth add-smtp --name postfix --active \
+                            --host "${GITEA_AUTH_SMTP_HOST}" --port "${GITEA_AUTH_SMTP_PORT}"
+fi
+
+# Run entrypoint under specific user.
+gosu git /usr/bin/gitea -c /etc/gitea/config.ini web "$@"
--- a/service/gitea/gitea.env.template
+++ b/service/gitea/gitea.env.template
@ -0,0 +1,20 @@
+# Application settings.
+GITEA_APP_NAME=${GITEA_APP_NAME}
+GITEA_SECRET_KEY=${GITEA_SECRET_KEY}
+GITEA_DISABLE_REGISTRATION=${GITEA_DISABLE_REGISTRATION}
+GITEA_REQUIRE_SIGNIN_VIEW=${GITEA_REQUIRE_SIGNIN_VIEW}
+
+# Server settings.
+GITEA_DOMAIN=${GITEA_DOMAIN}
+GITEA_SSH_DOMAIN=${GITEA_SSH_DOMAIN}
+GITEA_SSH_PORT=${GITEA_SSH_PORT}
+
+# SMTP authentication settings.
+GITEA_AUTH_SMTP_HOST=${POSTFIX_HOST}
+GITEA_AUTH_SMTP_PORT=587
+
+# SMTP mailer settings.
+GITEA_MAILER_FROM=${GITEA_MAILER_FROM}
+GITEA_MAILER_HOST=${POSTFIX_HOST}:587
+GITEA_MAILER_USER=${POSTFIX_LOCAL_SMTP_USERNAME}
+GITEA_MAILER_PASSWD=${POSTFIX_LOCAL_SMTP_PASSWORD}
--- a/service/gitea/spec.bu
+++ b/service/gitea/spec.bu
@ -0,0 +1,12 @@
+variant: fcos
+version: 1.3.0
+storage:
+  trees:
+    - path: /etc/coreos-home-server/gitea
+      local: service/gitea/
+    - path: /etc/systemd/system
+      local: service/gitea/systemd/
+systemd:
+  units:
+    - name: gitea.service
+      enabled: true
--- a/service/gitea/systemd/gitea.service
+++ b/service/gitea/systemd/gitea.service
@ -0,0 +1,21 @@
+[Unit]
+Description=Gitea Self-Hosted Git Service
+Wants=container-build@%N.service container-volume@%N.service
+After=container-build@%N.service container-volume@%N.service
+
+[Service]
+Type=notify
+NotifyAccess=all
+SyslogIdentifier=%N
+Restart=on-failure
+Environment=PODMAN_SYSTEMD_UNIT=%n
+ExecStart=/bin/podman run --replace --name %N --net internal --sdnotify=conmon \
+                          --env-file %E/coreos-home-server/%N/%N.env \
+                          --publish 7920:7920 \
+                          --volume %N:/var/lib/%N:z \
+                          localhost/%N:latest
+ExecStop=/bin/podman stop --ignore --time 10 %N
+ExecStopPost=/bin/podman rm --ignore --force %N
+
+[Install]
+WantedBy=multi-user.target