From 20cbc678bc9794a7a8d2b62260386ce1e85fbe5f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Mon, 18 May 2020 19:38:37 +0200
Subject: [PATCH 1/6] Add a method that returns the PostgreSQL service

---
 site-cookbooks/kosmos-postgresql/libraries/helpers.rb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/site-cookbooks/kosmos-postgresql/libraries/helpers.rb b/site-cookbooks/kosmos-postgresql/libraries/helpers.rb
index a3331b6..775977e 100644
--- a/site-cookbooks/kosmos-postgresql/libraries/helpers.rb
+++ b/site-cookbooks/kosmos-postgresql/libraries/helpers.rb
@@ -29,5 +29,11 @@ class Chef
       server_node['ipaddress']
     end
   end
+
+  def postgresql_service_name
+    postgresql_version = "12"
+
+    "postgresql@#{postgresql_version}-main"
+  end
 end
 end

From 51d4d8856811a5e834cf48016b5acbe925f3ab2e Mon Sep 17 00:00:00 2001
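Review bot: `postgresql_service_name` hard-codes the major version in the local `postgresql_version = "12"`, so a PostgreSQL upgrade silently leaves every caller (the gitea `pg_db` recipe reloads `service[#{postgresql_service_name}]`) pointing at the wrong unit. If the kosmos-postgresql cookbook already carries the installed version as a node attribute, read it from there, e.g. `postgresql_version = node['postgresql']['version']` — the attribute file is not in this series, so confirm the key. Otherwise at least record the coupling on the method: `# Must match the major version installed by the default recipe`. The enclosing class starts outside the hunk.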
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Mon, 18 May 2020 19:39:43 +0200 Subject: [PATCH 2/6] Initial kosmos_gitea cookbook The default recipe deploys the gitea binary, generates a config file and our custom Kosmos label set. The service runs as a Systemd unit. The pg_db recipe needs to run on the primary PostgreSQL (currently andromeda). The backup recipe is empty for now Refs #147 --- data_bags/credentials/gitea.json | 31 ++++ site-cookbooks/kosmos_gitea/.gitignore | 22 +++ site-cookbooks/kosmos_gitea/CHANGELOG.md | 7 + site-cookbooks/kosmos_gitea/LICENSE | 20 +++ site-cookbooks/kosmos_gitea/README.md | 4 + .../kosmos_gitea/attributes/default.rb | 3 + site-cookbooks/kosmos_gitea/chefignore | 110 +++++++++++++ .../files/custom/options/label/Kosmos | 15 ++ site-cookbooks/kosmos_gitea/metadata.rb | 23 +++ site-cookbooks/kosmos_gitea/recipes/backup.rb | 25 +++ .../kosmos_gitea/recipes/default.rb | 153 ++++++++++++++++++ site-cookbooks/kosmos_gitea/recipes/pg_db.rb | 37 +++++ .../templates/default/app.ini.erb | 81 ++++++++++ .../templates/default/gitea.service.erb | 35 ++++ .../templates/default/nginx_conf.erb | 28 ++++ 15 files changed, 594 insertions(+) create mode 100644 data_bags/credentials/gitea.json create mode 100644 site-cookbooks/kosmos_gitea/.gitignore create mode 100644 site-cookbooks/kosmos_gitea/CHANGELOG.md create mode 100644 site-cookbooks/kosmos_gitea/LICENSE create mode 100644 site-cookbooks/kosmos_gitea/README.md create mode 100644 site-cookbooks/kosmos_gitea/attributes/default.rb create mode 100644 site-cookbooks/kosmos_gitea/chefignore create mode 100644 site-cookbooks/kosmos_gitea/files/custom/options/label/Kosmos create mode 100644 site-cookbooks/kosmos_gitea/metadata.rb create mode 100644 site-cookbooks/kosmos_gitea/recipes/backup.rb create mode 100644 site-cookbooks/kosmos_gitea/recipes/default.rb create mode 100644 site-cookbooks/kosmos_gitea/recipes/pg_db.rb create mode 100644 site-cookbooks/kosmos_gitea/templates/default/app.ini.erb 
create mode 100644 site-cookbooks/kosmos_gitea/templates/default/gitea.service.erb create mode 100644 site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb diff --git a/data_bags/credentials/gitea.json b/data_bags/credentials/gitea.json new file mode 100644 index 0000000..92f9d8d --- /dev/null +++ b/data_bags/credentials/gitea.json @@ -0,0 +1,31 @@ +{ + "id": "gitea", + "jwt_secret": { + "encrypted_data": "qHUcKXEhYWXZziyiI9URzLiyIRVWlVJmAuOyBhTe/xogUzURgCmbcgeEfOkb\n2GT2E2Qot5MDdV2+PgjwkyY=\n", + "iv": "LCl4UrlOrhcaHgaW\n", + "auth_tag": "UxyCH/obwVyR6fpIdmr/KA==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "internal_token": { + "encrypted_data": "lIeZaN6Dx6Jq+/1m0CzBzDa+/gGE+lA0CfzdMn5c0cKVmISIRfdxDE1PfawL\nFm7zvktC1DdlHnCLPKK03U6Lzy2VWRIn6HCZC8IbeFzf7zmWvHrpjOw5pEqA\nGdQmLZ2IDHcs7VcM7Xml0olH9cvccFCAGahdp5wrwB+14w==\n", + "iv": "ZPl9OJkrJAgneqvW\n", + "auth_tag": "QwqSj0q+olo811kiN+FbgQ==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "secret_key": { + "encrypted_data": "z4nxVYGEo/hqSHZ4qa5s+a9wMHUOnms5cOsSd07Nuth8YntyS3KOKfhhjvRe\n5oSDShD6IPIWGjDI481HbiJkLFufyQGHV8oR5HDvel/dKNCrokw=\n", + "iv": "xF8mlqQQVC5Senbt\n", + "auth_tag": "Un/oE3NxQMtpJQUutH19uw==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "postgresql_password": { + "encrypted_data": "qflAQFt3eMkODtNP86zjH77Y3fRvc3BWXeV0Zra4Zezkaa6vsZOWePaqSg==\n", + "iv": "SrpWet9nSiEeRMma\n", + "auth_tag": "SAvgZ5pmwWDsx3uud1EeTg==\n", + "version": 3, + "cipher": "aes-256-gcm" + } +} \ No newline at end of file diff --git a/site-cookbooks/kosmos_gitea/.gitignore b/site-cookbooks/kosmos_gitea/.gitignore new file mode 100644 index 0000000..9abf29f --- /dev/null +++ b/site-cookbooks/kosmos_gitea/.gitignore @@ -0,0 +1,22 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json 
diff --git a/site-cookbooks/kosmos_gitea/CHANGELOG.md b/site-cookbooks/kosmos_gitea/CHANGELOG.md new file mode 100644 index 0000000..9f0ab30 --- /dev/null +++ b/site-cookbooks/kosmos_gitea/CHANGELOG.md @@ -0,0 +1,7 @@ +# kosmos_gitea CHANGELOG + +This file is used to list changes made in each version of the kosmos_gitea cookbook. + +# 0.1.0 + +Initial release. diff --git a/site-cookbooks/kosmos_gitea/LICENSE b/site-cookbooks/kosmos_gitea/LICENSE new file mode 100644 index 0000000..f518b02 --- /dev/null +++ b/site-cookbooks/kosmos_gitea/LICENSE @@ -0,0 +1,20 @@ +Copyright (c) 2020 Kosmos Developers + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +"Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/site-cookbooks/kosmos_gitea/README.md b/site-cookbooks/kosmos_gitea/README.md new file mode 100644 index 0000000..c521348 --- /dev/null +++ b/site-cookbooks/kosmos_gitea/README.md @@ -0,0 +1,4 @@ +# kosmos_gitea + +TODO: Enter the cookbook description here. + 
diff --git a/site-cookbooks/kosmos_gitea/attributes/default.rb b/site-cookbooks/kosmos_gitea/attributes/default.rb new file mode 100644 index 0000000..2010650 --- /dev/null +++ b/site-cookbooks/kosmos_gitea/attributes/default.rb @@ -0,0 +1,3 @@ +node.default["kosmos_gitea"]["version"] = "1.11.5" +node.default["kosmos_gitea"]["binary_checksum"] = "d8d43c13e71596c79b541e85e29defe065b4f70ac5155e6d0212bcfc669e1b9c" +node.default["kosmos_gitea"]["nginx"]["domain"] = "gitea.kosmos.org" diff --git a/site-cookbooks/kosmos_gitea/chefignore b/site-cookbooks/kosmos_gitea/chefignore new file mode 100644 index 0000000..5039e1c --- /dev/null +++ b/site-cookbooks/kosmos_gitea/chefignore @@ -0,0 +1,110 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db + +# SASS # +######## +.sass-cache + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +mkmf.log +REVISION +TAGS* +tmtags + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out + +# Testing # +########### +.circleci/* +.codeclimate.yml +.foodcritic +.kitchen* +.rspec +.rubocop.yml +.travis.yml +.watchr +azure-pipelines.yml +examples/* +features/* +Guardfile +kitchen.yml* +Procfile +Rakefile +spec/* +spec/* +spec/fixtures/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Cookbooks # +############# +CHANGELOG* +CONTRIBUTING* +TESTING* +CODE_OF_CONDUCT* + +# Vagrant # +########### +.vagrant +Vagrantfile 
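Review bot: `binary_checksum` pins the download, which is the right control for an unsigned `remote_file`, but nothing says where the hash came from, so the next version bump has nothing to check against. Add a provenance comment above it, e.g. `# sha256 of gitea-1.11.5-linux-amd64; verify against upstream's published checksum/signature before changing version or hash`. Keeping `version` and `binary_checksum` adjacent with that note makes it obvious they must be bumped together; a mismatch fails the run rather than installing the wrong binary, so the only risk is a forgotten update.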
diff --git a/site-cookbooks/kosmos_gitea/files/custom/options/label/Kosmos b/site-cookbooks/kosmos_gitea/files/custom/options/label/Kosmos new file mode 100644 index 0000000..5ca0cb3 --- /dev/null +++ b/site-cookbooks/kosmos_gitea/files/custom/options/label/Kosmos @@ -0,0 +1,15 @@ +#db231d bug ; Something is not working +#ead746 docs ; Documentation +#76db1d enhancement ; Improving existing functionality +#1d76db feature ; New functionality +#db1d76 idea ; Something to consider +#db1d76 question ; Looking for an answer +#fbca04 security ; All your base are belong to us +#1dd5db ui/ux ; User interface, process design, etc. +#333333 dev environment ; Config, builds, CI, deployment, etc. +#008080 kredits-1 ; Small contribution +#008080 kredits-2 ; Medium contribution +#008080 kredits-3 ; Large contribution +#cccccc duplicate ; This issue or pull request already exists +#cccccc invalid ; Not a bug +#cccccc wontfix ; This won't be fixed diff --git a/site-cookbooks/kosmos_gitea/metadata.rb b/site-cookbooks/kosmos_gitea/metadata.rb new file mode 100644 index 0000000..6582a1c --- /dev/null +++ b/site-cookbooks/kosmos_gitea/metadata.rb @@ -0,0 +1,23 @@ +name 'kosmos_gitea' +maintainer 'Kosmos Developers' +maintainer_email 'ops@kosmos.org' +license 'MIT' +description 'Installs/Configures kosmos_gitea' +long_description 'Installs/Configures kosmos_gitea' +version '0.1.0' +chef_version '>= 14.0' + +# The `issues_url` points to the location where issues for this cookbook are +# tracked. A `View Issues` link will be displayed on this cookbook's page when +# uploaded to a Supermarket. +# +# issues_url 'https://github.com//kosmos_gitea/issues' + +# The `source_url` points to the development repository for this cookbook. A +# `View Source` link will be displayed on this cookbook's page when uploaded to +# a Supermarket. +# +# source_url 'https://github.com//kosmos_gitea' + +depends "kosmos-nginx" +depends "kosmos-postgresql" 
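Review bot: `metadata.rb` declares `kosmos-nginx` and `kosmos-postgresql` but not `firewall`, which the default recipe includes at its end with `include_recipe "firewall"`. Chef resolves `include_recipe` against the cookbooks synced for the run, so this only works while some other cookbook on the node's run list happens to depend on firewall; if that changes the converge fails with a cookbook-not-found error. Add `depends "firewall"` next to the other two so the dependency is explicit.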
diff --git a/site-cookbooks/kosmos_gitea/recipes/backup.rb b/site-cookbooks/kosmos_gitea/recipes/backup.rb new file mode 100644 index 0000000..f4779a6 --- /dev/null +++ b/site-cookbooks/kosmos_gitea/recipes/backup.rb @@ -0,0 +1,25 @@ +# +# Cookbook:: kosmos_gitea +# Recipe:: backup +# +# The MIT License (MIT) +# +# Copyright:: 2020, Kosmos Developers +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +# THE SOFTWARE. diff --git a/site-cookbooks/kosmos_gitea/recipes/default.rb b/site-cookbooks/kosmos_gitea/recipes/default.rb new file mode 100644 index 0000000..1dd63e8 --- /dev/null +++ b/site-cookbooks/kosmos_gitea/recipes/default.rb 
@@ -0,0 +1,153 @@ +# +# Cookbook:: kosmos_gitea +# Recipe:: default +# +# The MIT License (MIT) +# +# Copyright:: 2020, Kosmos Developers +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +# THE SOFTWARE. 
+ +include_recipe "kosmos-nginx" + +domain = node["kosmos_gitea"]["nginx"]["domain"] + +working_directory = "/var/lib/gitea" +git_home_directory = "/home/git" +config_directory = "/etc/gitea" +gitea_binary_path = "/usr/local/bin/gitea" +gitea_version = node['kosmos_gitea']['version'] +gitea_data_bag_item = data_bag_item("credentials", "gitea") +smtp_credentials = data_bag_item("credentials", "smtp") +jwt_secret = gitea_data_bag_item["jwt_secret"] +internal_token = gitea_data_bag_item["internal_token"] +secret_key = gitea_data_bag_item["secret_key"] +postgresql_primary_node = postgresql_primary +postgresql_server = postgresql_primary_node[:ipaddress] +# PostgreSQL is on the same server, connect through localhost +postgresql_server = "localhost" if postgresql_primary_node[:hostname] == node[:hostname] + +user "git" do + manage_home true + home "/home/git" +end + +directory working_directory do + owner "git" + group "git" + mode "0750" +end + +%w(custom custom/options custom/options/label).each do |path| + directory "#{working_directory}/#{path}" do + owner "git" + group "git" + mode "0750" + end +end + +# Kosmos label set +cookbook_file "#{working_directory}/custom/options/label/Kosmos" do + source "custom/options/label/Kosmos" + owner "git" + group "git" + mode "0640" +end + +directory config_directory do + owner "git" + group "git" + mode "0750" +end + +# Copy the self-signed root certificate to the system certificate store. 
Gitea +# will find it there automatically +postgresql_data_bag_item = data_bag_item('credentials', 'postgresql') +root_cert_path = "/etc/ssl/certs/root.kosmos.org.crt" +file root_cert_path do + content postgresql_data_bag_item['ssl_root_cert'] + mode "0644" +end + +template "#{config_directory}/app.ini" do + source "app.ini.erb" + owner "git" + group "git" + mode "0640" + sensitive true + variables working_directory: working_directory, + git_home_directory: git_home_directory, + config_directory: config_directory, + gitea_binary_path: gitea_binary_path, + jwt_secret: jwt_secret, + internal_token: internal_token, + secret_key: secret_key, + postgresql_host: "#{postgresql_server}:5432", + postgresql_password: gitea_data_bag_item["postgresql_password"], + smtp_host: smtp_credentials["relayhost"], + smtp_user: smtp_credentials["user_name"], + smtp_password: smtp_credentials["password"] + notifies :restart, "service[gitea]", :delayed +end + +remote_file gitea_binary_path do + source "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64" + checksum node['kosmos_gitea']['binary_checksum'] + mode "0755" +end + +execute "systemctl daemon-reload" do + action :nothing +end + +template "/etc/systemd/system/gitea.service" do + source "gitea.service.erb" + variables working_directory: working_directory, + git_home_directory: git_home_directory, + config_directory: config_directory, + gitea_binary_path: gitea_binary_path + notifies :run, "execute[systemctl daemon-reload]", :delayed +end + +service "gitea" do + action [:enable, :start] +end + +template "#{node['nginx']['dir']}/sites-available/#{domain}" do + source "nginx_conf.erb" + owner 'www-data' + mode 0640 + variables server_name: domain, + ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", + ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem", + upstream_port: 3000 + + notifies :reload, 'service[nginx]', :delayed +end + +nginx_site domain do + action :enable +end + +# Enable when we 
switch the IP of gitea.kosmos.org +# nginx_certbot_site domain + +unless node.chef_environment == "development" + include_recipe "firewall" +end diff --git a/site-cookbooks/kosmos_gitea/recipes/pg_db.rb b/site-cookbooks/kosmos_gitea/recipes/pg_db.rb new file mode 100644 index 0000000..b4577e6 --- /dev/null +++ b/site-cookbooks/kosmos_gitea/recipes/pg_db.rb @@ -0,0 +1,37 @@ +# +# Cookbook:: kosmos_gitea +# Recipe:: pg_db +# +# Copyright:: 2020, Kosmos Developers, All Rights Reserved. + +gitea_data_bag_item = data_bag_item("credentials", "gitea") + +postgresql_service = "service[#{postgresql_service_name}]" + +service postgresql_service do + supports restart: true, status: true, reload: true +end + +postgresql_user "gitea" do + action :create + password gitea_data_bag_item["postgresql_password"] +end + +postgresql_database "gitea" do + owner "gitea" + action :create +end + +search(:node, "role:gitea AND chef_environment:#{node.chef_environment}").each do |gitea_server| + ip = ip_for(gitea_server) + hostname = gitea_server[:hostname] + + postgresql_access "gitea #{hostname}" do + access_type "host" + access_db "gitea" + access_user "gitea" + access_addr "#{ip}/32" + access_method "md5" + notifies :reload, postgresql_service, :delayed + end +end diff --git a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb new file mode 100644 index 0000000..bc783df --- /dev/null +++ b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb 
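Review bot: `remote_file gitea_binary_path` has no `notifies`, so bumping `node['kosmos_gitea']['version']` and `binary_checksum` replaces the binary on disk but leaves the running service on the old one until something else restarts it — a security release would be downloaded yet not activated. Add `notifies :restart, "service[gitea]", :delayed` to the `remote_file` block, matching what the `app.ini` template already does. Separately, `user "git"` repeats the literal `"/home/git"` although `git_home_directory` holds the same path and is passed to the unit file; use `home git_home_directory` so the two cannot drift.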
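Review bot: the `postgresql_access` rule uses `access_type "host"`, which admits the gitea role with or without TLS; the only thing forcing encryption is `SSL_MODE = verify-ca` on the client side of `app.ini`, so a misconfigured or replaced client could talk to the database in the clear. Use `access_type "hostssl"` so the server enforces TLS for the `gitea` user regardless of client settings. If the server's `password_encryption` is already `scram-sha-256`, `access_method "scram-sha-256"` is the stronger choice on PostgreSQL 12; check the kosmos-postgresql configuration first, since an existing md5 hash would not match.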
@@ -0,0 +1,81 @@ +APP_NAME = Gitea +RUN_MODE = prod + +[server] +SSH_DOMAIN = gitea.kosmos.org +HTTP_PORT = 3000 +DISABLE_SSH = false +SSH_PORT = 22 +PROTOCOL = http +DOMAIN = gitea.kosmos.org +ROOT_URL = %(PROTOCOL)s://%(DOMAIN)s +# REDIRECT_OTHER_PORT = true +# PORT_TO_REDIRECT = 3001 +# ENABLE_LETSENCRYPT = true +# LETSENCRYPT_ACCEPTTOS = true +# LETSENCRYPT_DIRECTORY = /data/gitea/https +# LETSENCRYPT_EMAIL = ops@5apps.com + +[database] +DB_TYPE = postgres +HOST = <%= @postgresql_host %> +NAME = gitea +USER = gitea +PASSWD = <%= @postgresql_password %> +SSL_MODE = verify-ca + +# [indexer] +# ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve + +[session] +PROVIDER = file +PROVIDER_CONFIG = sessions +COOKIE_SECURE = true + +[mailer] +ENABLED = true +HOST = <%= @smtp_host %> +FROM = gitea@kosmos.org +USER = <%= @smtp_user %> +PASSWD = <%= @smtp_password %> + +[oauth2] +JWT_SECRET = <%= @jwt_secret %> + +[security] +INTERNAL_TOKEN = <%= @internal_token %> +INSTALL_LOCK = true +SECRET_KEY = <%= @secret_key %> + +[service] +REGISTER_EMAIL_CONFIRM = false +ENABLE_NOTIFY_MAIL = true +DISABLE_REGISTRATION = true +ALLOW_ONLY_EXTERNAL_REGISTRATION = false +ENABLE_CAPTCHA = false +REQUIRE_SIGNIN_VIEW = false +DEFAULT_KEEP_EMAIL_PRIVATE = true +DEFAULT_ALLOW_CREATE_ORGANIZATION = false +DEFAULT_ENABLE_TIMETRACKING = false +NO_REPLY_ADDRESS = noreply.kosmos.org + +[picture] +DISABLE_GRAVATAR = false +ENABLE_FEDERATED_AVATAR = true + +[openid] +ENABLE_OPENID_SIGNIN = false +ENABLE_OPENID_SIGNUP = false + +[log] +MODE = console +LEVEL = Debug + +[attachment] +ENABLED = true +PATH = data/attachments +ALLOWED_TYPES = image/gif|image/jpeg|image/png|application/zip|application/gzip +; ; Max size of each file. Defaults to 4MB +MAX_SIZE = 10 +; ; Max number of files per upload. Defaults to 5 +MAX_FILES = 5 
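Review bot: the `[server]` section sets `HTTP_PORT = 3000` but no `HTTP_ADDR`, and Gitea's documented default is `0.0.0.0`, so the plain-HTTP backend is reachable on every interface and bypasses nginx (and any TLS it terminates) unless the firewall recipe happens to block 3000. Add `HTTP_ADDR = 127.0.0.1` under `[server]`; the nginx upstream already targets `localhost:3000`, so nothing else changes. `LEVEL = Debug` under `[log]` is also worth revisiting for `RUN_MODE = prod`: debug output is verbose and can carry request details into the journal, and `LEVEL = Info` is the usual setting once the deployment is stable.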
diff --git a/site-cookbooks/kosmos_gitea/templates/default/gitea.service.erb b/site-cookbooks/kosmos_gitea/templates/default/gitea.service.erb new file mode 100644 index 0000000..c422bfa --- /dev/null +++ b/site-cookbooks/kosmos_gitea/templates/default/gitea.service.erb @@ -0,0 +1,35 @@ +[Unit] +Description=Gitea (Git with a cup of tea) +After=syslog.target +After=network.target + +# Requires=postgresql.service +# Requires=redis.service + +[Service] +# Modify these two values and uncomment them if you have +# repos with lots of files and get an HTTP error 500 because +# of that +### +LimitMEMLOCK=infinity +LimitNOFILE=65535 +RestartSec=2s +Type=simple +User=git +Group=git +WorkingDirectory=<%= @working_directory %> +# If using Unix socket: tells systemd to create the /run/gitea folder, which will contain the gitea.sock file +# (manually creating /run/gitea doesn't work, because it would not persist across reboots) +#RuntimeDirectory=gitea +ExecStart=<%= @gitea_binary_path %> web --config <%= @config_directory %>/app.ini +Restart=always +Environment=USER=git HOME=<%= @git_home_directory %> GITEA_WORK_DIR=<%= @working_directory %> +# If you want to bind Gitea to a port below 1024, uncomment +# the two values below, or use socket activation to pass Gitea its ports as above +### +#CapabilityBoundingSet=CAP_NET_BIND_SERVICE +#AmbientCapabilities=CAP_NET_BIND_SERVICE +### + +[Install] +WantedBy=multi-user.target diff --git a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb new file mode 100644 index 0000000..6dff6f4 --- /dev/null +++ b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb 
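Review bot: the `[Service]` section runs Gitea as `git` but applies none of systemd's sandboxing, so a compromised process keeps that user's full view of the filesystem. Consider adding `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` after `Group=git`; `ProtectSystem=full` mounts `/usr`, `/boot` and `/etc` read-only, which should be fine because `app.ini` is rendered by Chef and `INSTALL_LOCK = true`, but verify on a test node before rolling out. `After=syslog.target` refers to a long-obsolete target and can be dropped.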
@@ -0,0 +1,28 @@ +# Generated by Chef +upstream _gitea { + server localhost:<%= @upstream_port %>; +} + +server { +<% if File.exist?(@ssl_cert) && !File.exist?(@ssl_key) -%> + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name <%= @server_name %>; + + ssl_certificate <%= @ssl_cert %>; + ssl_certificate_key <%= @ssl_key %>; + + add_header Strict-Transport-Security "max-age=31536000"; +<% else -%> + listen 80; + server_name <%= @server_name %>; +<% end -%> + + location / { + # Increase number of buffers. Default is 8 + proxy_buffers 1024 8k; + + proxy_pass http://_gitea; + proxy_http_version 1.1; + } +} From 1f0e2ccbdda42abdb768fa3ddb3f5967312de158 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Thu, 21 May 2020 11:51:06 +0200 Subject: [PATCH 3/6] Move the binary URL to an attribute --- site-cookbooks/kosmos_gitea/attributes/default.rb | 4 +++- site-cookbooks/kosmos_gitea/recipes/default.rb | 3 +-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/site-cookbooks/kosmos_gitea/attributes/default.rb b/site-cookbooks/kosmos_gitea/attributes/default.rb index 2010650..09bfaf8 100644 --- a/site-cookbooks/kosmos_gitea/attributes/default.rb +++ b/site-cookbooks/kosmos_gitea/attributes/default.rb @@ -1,3 +1,5 @@ -node.default["kosmos_gitea"]["version"] = "1.11.5" +gitea_version = "1.11.5" +node.default["kosmos_gitea"]["version"] = gitea_version +node.default["kosmos_gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64" node.default["kosmos_gitea"]["binary_checksum"] = "d8d43c13e71596c79b541e85e29defe065b4f70ac5155e6d0212bcfc669e1b9c" node.default["kosmos_gitea"]["nginx"]["domain"] = "gitea.kosmos.org" diff --git a/site-cookbooks/kosmos_gitea/recipes/default.rb b/site-cookbooks/kosmos_gitea/recipes/default.rb index 1dd63e8..5f02f09 100644 --- a/site-cookbooks/kosmos_gitea/recipes/default.rb +++ b/site-cookbooks/kosmos_gitea/recipes/default.rb 
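Review bot: the template condition `File.exist?(@ssl_cert) && !File.exist?(@ssl_key)` is inverted on the key: TLS is enabled only when the certificate exists and the key does not, which renders an `ssl_certificate_key` pointing at a missing file, while once certbot has written both files the site silently stays on plain HTTP. Change it to `<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>`. The `location /` block also forwards no client information; adding `proxy_set_header Host $host;` plus `X-Real-IP`, `X-Forwarded-For` and `X-Forwarded-Proto` lets Gitea log the real client address and scheme instead of seeing every request as localhost over http.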
@@ -32,7 +32,6 @@ working_directory = "/var/lib/gitea" git_home_directory = "/home/git" config_directory = "/etc/gitea" gitea_binary_path = "/usr/local/bin/gitea" -gitea_version = node['kosmos_gitea']['version'] gitea_data_bag_item = data_bag_item("credentials", "gitea") smtp_credentials = data_bag_item("credentials", "smtp") jwt_secret = gitea_data_bag_item["jwt_secret"] @@ -107,7 +106,7 @@ template "#{config_directory}/app.ini" do end remote_file gitea_binary_path do - source "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64" + source node['kosmos_gitea']['binary_url'] checksum node['kosmos_gitea']['binary_checksum'] mode "0755" end From 3332a1b2e82fd5b8e85a6c76e211a01ca98837b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Tue, 26 May 2020 15:21:07 +0200 Subject: [PATCH 4/6] Write initial README --- site-cookbooks/kosmos_gitea/README.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/site-cookbooks/kosmos_gitea/README.md b/site-cookbooks/kosmos_gitea/README.md index c521348..09cb8bb 100644 --- a/site-cookbooks/kosmos_gitea/README.md +++ b/site-cookbooks/kosmos_gitea/README.md @@ -1,4 +1,18 @@ # kosmos_gitea -TODO: Enter the cookbook description here. +## Recipes +### default + +Deploys the gitea binary, generates a config file and our custom Kosmos label +set. The service runs as a Systemd unit. + +### backup + +Back up the `/var/lib/gitea` directory using the +[backup](https://backup.github.io/backup/) tool and our backup cookbook + +### pg_db + +Should be executed on the primary PostgreSQL server (`postgresql_primary` role) +to create the user, database and access rules From baa073993643344e9a403c40204a6bf59eb956be Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Tue, 26 May 2020 15:21:26 +0200 Subject: [PATCH 5/6] Add the backup recipe Also move the Gitea data dir to an attribute --- site-cookbooks/kosmos_gitea/attributes/default.rb | 1 + site-cookbooks/kosmos_gitea/metadata.rb | 1 + site-cookbooks/kosmos_gitea/recipes/backup.rb | 6 ++++++ site-cookbooks/kosmos_gitea/recipes/default.rb | 2 +- 4 files changed, 9 insertions(+), 1 deletion(-) diff --git a/site-cookbooks/kosmos_gitea/attributes/default.rb b/site-cookbooks/kosmos_gitea/attributes/default.rb index 09bfaf8..90251d8 100644 --- a/site-cookbooks/kosmos_gitea/attributes/default.rb +++ b/site-cookbooks/kosmos_gitea/attributes/default.rb @@ -3,3 +3,4 @@ node.default["kosmos_gitea"]["version"] = gitea_version node.default["kosmos_gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64" node.default["kosmos_gitea"]["binary_checksum"] = "d8d43c13e71596c79b541e85e29defe065b4f70ac5155e6d0212bcfc669e1b9c" node.default["kosmos_gitea"]["nginx"]["domain"] = "gitea.kosmos.org" +node.default["kosmos_gitea"]["working_directory"] = "/var/lib/gitea" diff --git a/site-cookbooks/kosmos_gitea/metadata.rb b/site-cookbooks/kosmos_gitea/metadata.rb index 6582a1c..9ceba2a 100644 --- a/site-cookbooks/kosmos_gitea/metadata.rb +++ b/site-cookbooks/kosmos_gitea/metadata.rb @@ -21,3 +21,4 @@ chef_version '>= 14.0' depends "kosmos-nginx" depends "kosmos-postgresql" +depends "backup" diff --git a/site-cookbooks/kosmos_gitea/recipes/backup.rb b/site-cookbooks/kosmos_gitea/recipes/backup.rb index f4779a6..83704f2 100644 --- a/site-cookbooks/kosmos_gitea/recipes/backup.rb +++ b/site-cookbooks/kosmos_gitea/recipes/backup.rb 
@@ -23,3 +23,9 @@ # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN # THE SOFTWARE. +# +unless node.chef_environment == "development" + # backup the data dir and the config files + node.override["backup"]["archives"]["gitea"] = [node["kosmos_gitea"]["working_directory"]] + include_recipe "backup" +end diff --git a/site-cookbooks/kosmos_gitea/recipes/default.rb b/site-cookbooks/kosmos_gitea/recipes/default.rb index 5f02f09..22bfcdc 100644 --- a/site-cookbooks/kosmos_gitea/recipes/default.rb +++ b/site-cookbooks/kosmos_gitea/recipes/default.rb @@ -28,7 +28,7 @@ include_recipe "kosmos-nginx" domain = node["kosmos_gitea"]["nginx"]["domain"] -working_directory = "/var/lib/gitea" +working_directory = node["kosmos_gitea"]["working_directory"] git_home_directory = "/home/git" config_directory = "/etc/gitea" gitea_binary_path = "/usr/local/bin/gitea" From 94330f2052713c24dd6f13131f836b0820f7200e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Thu, 28 May 2020 18:43:31 +0200 Subject: [PATCH 6/6] Comment out the COOKIE_SECURE config for now We will enable it again after we have a valid TLS cert generated with Let's Encrypt. It prevents logins using http, and we will need that as an admin account --- site-cookbooks/kosmos_gitea/templates/default/app.ini.erb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb index bc783df..4597dcc 100644 --- a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb +++ b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb @@ -30,7 +30,8 @@ SSL_MODE = verify-ca [session] PROVIDER = file PROVIDER_CONFIG = sessions -COOKIE_SECURE = true +# Enable when TLS is enabled +# COOKIE_SECURE = true [mailer] ENABLED = true
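Review bot: the comment `# backup the data dir and the config files` does not match the archive list, which contains only `node["kosmos_gitea"]["working_directory"]`; `/etc/gitea/app.ini`, which holds `SECRET_KEY`, `INTERNAL_TOKEN` and the database and SMTP passwords, is not archived, so a restore would need them regenerated from the data bags. Either add the config directory, `[node["kosmos_gitea"]["working_directory"], "/etc/gitea"]`, or correct the comment to say only the data directory is archived. If you include it, confirm the backup cookbook encrypts or otherwise protects the archive as strictly as the data bag, since it would then contain the plaintext secrets; that cookbook is not visible here.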
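Review bot: commenting out `COOKIE_SECURE = true` only serves the planned plain-http admin login, and that login sends the admin password and session cookie unencrypted over the network. The first admin account can instead be created on the host with Gitea's CLI (`gitea admin create-user --admin ...`, run as `git` with `--config /etc/gitea/app.ini`), which needs no HTTP login at all and lets the flag stay on. If it must be toggled, drive it from the recipe rather than a comment so it cannot be forgotten, e.g. pass a `tls_enabled` variable and render `COOKIE_SECURE = <%= @tls_enabled %>`; `PROTOCOL` and `ROOT_URL` in `[server]` still say `http` and will need the same switch when the certificate arrives, and they sit outside this hunk.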