Initial kosmos_gitea cookbook

The default recipe deploys the gitea binary, generates a config file and our custom Kosmos label set. The service runs as a Systemd unit. The pg_db recipe needs to run on the primary PostgreSQL (currently andromeda). The backup recipe is empty for now Refs #147
2020-05-18 19:39:43 +02:00
parent 20cbc678bc
commit 51d4d88568
15 changed files with 594 additions and 0 deletions
--- a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
@@ -0,0 +1,81 @@
+APP_NAME = Gitea
+RUN_MODE = prod
+
+[server]
+SSH_DOMAIN       = gitea.kosmos.org
+HTTP_PORT        = 3000
+DISABLE_SSH      = false
+SSH_PORT         = 22
+PROTOCOL = http
+DOMAIN = gitea.kosmos.org
+ROOT_URL = %(PROTOCOL)s://%(DOMAIN)s
+# REDIRECT_OTHER_PORT = true
+# PORT_TO_REDIRECT = 3001
+# ENABLE_LETSENCRYPT = true
+# LETSENCRYPT_ACCEPTTOS = true
+# LETSENCRYPT_DIRECTORY = /data/gitea/https
+# LETSENCRYPT_EMAIL = ops@5apps.com
+
+[database]
+DB_TYPE = postgres
+HOST    = <%= @postgresql_host %>
+NAME    = gitea
+USER    = gitea
+PASSWD  = <%= @postgresql_password %>
+SSL_MODE = verify-ca
+
+# [indexer]
+# ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+
+[session]
+PROVIDER = file
+PROVIDER_CONFIG = sessions
+COOKIE_SECURE = true
+
+[mailer]
+ENABLED = true
+HOST = <%= @smtp_host %>
+FROM = gitea@kosmos.org
+USER = <%= @smtp_user %>
+PASSWD = <%= @smtp_password %>
+
+[oauth2]
+JWT_SECRET = <%= @jwt_secret %>
+
+[security]
+INTERNAL_TOKEN = <%= @internal_token %>
+INSTALL_LOCK   = true
+SECRET_KEY     = <%= @secret_key %>
+
+[service]
+REGISTER_EMAIL_CONFIRM            = false
+ENABLE_NOTIFY_MAIL                = true
+DISABLE_REGISTRATION              = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
+ENABLE_CAPTCHA                    = false
+REQUIRE_SIGNIN_VIEW               = false
+DEFAULT_KEEP_EMAIL_PRIVATE        = true
+DEFAULT_ALLOW_CREATE_ORGANIZATION = false
+DEFAULT_ENABLE_TIMETRACKING       = false
+NO_REPLY_ADDRESS                  = noreply.kosmos.org
+
+[picture]
+DISABLE_GRAVATAR        = false
+ENABLE_FEDERATED_AVATAR = true
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[log]
+MODE      = console
+LEVEL     = Debug
+
+[attachment]
+ENABLED = true
+PATH = data/attachments
+ALLOWED_TYPES = image/gif|image/jpeg|image/png|application/zip|application/gzip
+; ; Max size of each file. Defaults to 4MB
+MAX_SIZE = 10
+; ; Max number of files per upload. Defaults to 5
+MAX_FILES = 5
--- a/site-cookbooks/kosmos_gitea/templates/default/gitea.service.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/gitea.service.erb
@@ -0,0 +1,35 @@
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=syslog.target
+After=network.target
+
+# Requires=postgresql.service
+# Requires=redis.service
+
+[Service]
+# Modify these two values and uncomment them if you have
+# repos with lots of files and get an HTTP error 500 because
+# of that
+###
+LimitMEMLOCK=infinity
+LimitNOFILE=65535
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=<%= @working_directory %>
+# If using Unix socket: tells systemd to create the /run/gitea folder, which will contain the gitea.sock file
+# (manually creating /run/gitea doesn't work, because it would not persist across reboots)
+#RuntimeDirectory=gitea
+ExecStart=<%= @gitea_binary_path %> web --config <%= @config_directory %>/app.ini
+Restart=always
+Environment=USER=git HOME=<%= @git_home_directory %> GITEA_WORK_DIR=<%= @working_directory %>
+# If you want to bind Gitea to a port below 1024, uncomment
+# the two values below, or use socket activation to pass Gitea its ports as above
+###
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+###
+
+[Install]
+WantedBy=multi-user.target
--- a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb
@@ -0,0 +1,28 @@
+# Generated by Chef
+upstream _gitea {
+  server   localhost:<%= @upstream_port %>;
+}
+
+server {
+<% if File.exist?(@ssl_cert) && !File.exist?(@ssl_key) -%>
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name <%= @server_name %>;
+
+  ssl_certificate     <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+
+  add_header Strict-Transport-Security "max-age=31536000";
+<% else -%>
+  listen 80;
+  server_name <%= @server_name %>;
+<% end -%>
+
+  location / {
+    # Increase number of buffers. Default is 8
+    proxy_buffers 1024 8k;
+
+    proxy_pass http://_gitea;
+    proxy_http_version 1.1;
+  }
+}