Merge branch 'feature/147-gitea_cookbook' of kosmos/chef into master

data_bags/credentials/gitea.json

@@ -0,0 +1,31 @@
+{
+  "id": "gitea",
+  "jwt_secret": {
+    "encrypted_data": "qHUcKXEhYWXZziyiI9URzLiyIRVWlVJmAuOyBhTe/xogUzURgCmbcgeEfOkb\n2GT2E2Qot5MDdV2+PgjwkyY=\n",
+    "iv": "LCl4UrlOrhcaHgaW\n",
+    "auth_tag": "UxyCH/obwVyR6fpIdmr/KA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "internal_token": {
+    "encrypted_data": "lIeZaN6Dx6Jq+/1m0CzBzDa+/gGE+lA0CfzdMn5c0cKVmISIRfdxDE1PfawL\nFm7zvktC1DdlHnCLPKK03U6Lzy2VWRIn6HCZC8IbeFzf7zmWvHrpjOw5pEqA\nGdQmLZ2IDHcs7VcM7Xml0olH9cvccFCAGahdp5wrwB+14w==\n",
+    "iv": "ZPl9OJkrJAgneqvW\n",
+    "auth_tag": "QwqSj0q+olo811kiN+FbgQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "secret_key": {
+    "encrypted_data": "z4nxVYGEo/hqSHZ4qa5s+a9wMHUOnms5cOsSd07Nuth8YntyS3KOKfhhjvRe\n5oSDShD6IPIWGjDI481HbiJkLFufyQGHV8oR5HDvel/dKNCrokw=\n",
+    "iv": "xF8mlqQQVC5Senbt\n",
+    "auth_tag": "Un/oE3NxQMtpJQUutH19uw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "postgresql_password": {
+    "encrypted_data": "qflAQFt3eMkODtNP86zjH77Y3fRvc3BWXeV0Zra4Zezkaa6vsZOWePaqSg==\n",
+    "iv": "SrpWet9nSiEeRMma\n",
+    "auth_tag": "SAvgZ5pmwWDsx3uud1EeTg==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  }
+}

site-cookbooks/kosmos-postgresql/libraries/helpers.rb

@@ -29,5 +29,11 @@ class Chef
         server_node['ipaddress']
       end
     end
+
+    def postgresql_service_name
+      postgresql_version = "12"
+
+      "postgresql@#{postgresql_version}-main"
+    end
   end
 end

site-cookbooks/kosmos_gitea/.gitignore

@@ -0,0 +1,22 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json

site-cookbooks/kosmos_gitea/CHANGELOG.md

@@ -0,0 +1,7 @@
+# kosmos_gitea CHANGELOG
+
+This file is used to list changes made in each version of the kosmos_gitea cookbook.
+
+# 0.1.0
+
+Initial release.

site-cookbooks/kosmos_gitea/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2020 Kosmos Developers
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

site-cookbooks/kosmos_gitea/README.md

@@ -0,0 +1,18 @@
+# kosmos_gitea
+
+## Recipes
+
+### default
+
+Deploys the gitea binary, generates a config file and our custom Kosmos label
+set. The service runs as a Systemd unit.
+
+### backup
+
+Back up the `/var/lib/gitea` directory using the
+[backup](https://backup.github.io/backup/) tool and our backup cookbook
+
+### pg_db
+
+Should be executed on the primary PostgreSQL server (`postgresql_primary` role)
+to create the user, database and access rules

site-cookbooks/kosmos_gitea/attributes/default.rb

@@ -0,0 +1,6 @@
+gitea_version = "1.11.5"
+node.default["kosmos_gitea"]["version"] = gitea_version
+node.default["kosmos_gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
+node.default["kosmos_gitea"]["binary_checksum"] = "d8d43c13e71596c79b541e85e29defe065b4f70ac5155e6d0212bcfc669e1b9c"
+node.default["kosmos_gitea"]["nginx"]["domain"] = "gitea.kosmos.org"
+node.default["kosmos_gitea"]["working_directory"] = "/var/lib/gitea"

site-cookbooks/kosmos_gitea/chefignore

@@ -0,0 +1,110 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+
+# SASS #
+########
+.sass-cache
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+mkmf.log
+REVISION
+TAGS*
+tmtags
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.foodcritic
+.kitchen*
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+azure-pipelines.yml
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+Procfile
+Rakefile
+spec/*
+spec/*
+spec/fixtures/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Cookbooks #
+#############
+CHANGELOG*
+CONTRIBUTING*
+TESTING*
+CODE_OF_CONDUCT*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile

site-cookbooks/kosmos_gitea/files/custom/options/label/Kosmos

@@ -0,0 +1,15 @@
+#db231d bug ; Something is not working
+#ead746 docs ; Documentation
+#76db1d enhancement ; Improving existing functionality
+#1d76db feature ; New functionality
+#db1d76 idea ; Something to consider
+#db1d76 question ; Looking for an answer
+#fbca04 security ; All your base are belong to us
+#1dd5db ui/ux ; User interface, process design, etc.
+#333333 dev environment ; Config, builds, CI, deployment, etc.
+#008080 kredits-1 ; Small contribution
+#008080 kredits-2 ; Medium contribution
+#008080 kredits-3 ; Large contribution
+#cccccc duplicate ; This issue or pull request already exists
+#cccccc invalid ; Not a bug
+#cccccc wontfix ; This won't be fixed

site-cookbooks/kosmos_gitea/metadata.rb

@@ -0,0 +1,24 @@
+name 'kosmos_gitea'
+maintainer 'Kosmos Developers'
+maintainer_email 'ops@kosmos.org'
+license 'MIT'
+description 'Installs/Configures kosmos_gitea'
+long_description 'Installs/Configures kosmos_gitea'
+version '0.1.0'
+chef_version '>= 14.0'
+
+# The `issues_url` points to the location where issues for this cookbook are
+# tracked.  A `View Issues` link will be displayed on this cookbook's page when
+# uploaded to a Supermarket.
+#
+# issues_url 'https://github.com/<insert_org_here>/kosmos_gitea/issues'
+
+# The `source_url` points to the development repository for this cookbook.  A
+# `View Source` link will be displayed on this cookbook's page when uploaded to
+# a Supermarket.
+#
+# source_url 'https://github.com/<insert_org_here>/kosmos_gitea'
+
+depends "kosmos-nginx"
+depends "kosmos-postgresql"
+depends "backup"

site-cookbooks/kosmos_gitea/recipes/backup.rb

@@ -0,0 +1,31 @@
+#
+# Cookbook:: kosmos_gitea
+# Recipe:: backup
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+unless node.chef_environment == "development"
+  # backup the data dir and the config files
+  node.override["backup"]["archives"]["gitea"] = [node["kosmos_gitea"]["working_directory"]]
+  include_recipe "backup"
+end

site-cookbooks/kosmos_gitea/recipes/default.rb

@@ -0,0 +1,152 @@
+#
+# Cookbook:: kosmos_gitea
+# Recipe:: default
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe "kosmos-nginx"
+
+domain = node["kosmos_gitea"]["nginx"]["domain"]
+
+working_directory = node["kosmos_gitea"]["working_directory"]
+git_home_directory = "/home/git"
+config_directory = "/etc/gitea"
+gitea_binary_path = "/usr/local/bin/gitea"
+gitea_data_bag_item = data_bag_item("credentials", "gitea")
+smtp_credentials = data_bag_item("credentials", "smtp")
+jwt_secret = gitea_data_bag_item["jwt_secret"]
+internal_token = gitea_data_bag_item["internal_token"]
+secret_key = gitea_data_bag_item["secret_key"]
+postgresql_primary_node = postgresql_primary
+postgresql_server = postgresql_primary_node[:ipaddress]
+# PostgreSQL is on the same server, connect through localhost
+postgresql_server = "localhost" if postgresql_primary_node[:hostname] == node[:hostname]
+
+user "git" do
+  manage_home true
+  home "/home/git"
+end
+
+directory working_directory do
+  owner "git"
+  group "git"
+  mode  "0750"
+end
+
+%w(custom custom/options custom/options/label).each do |path|
+  directory "#{working_directory}/#{path}" do
+    owner "git"
+    group "git"
+    mode  "0750"
+  end
+end
+
+# Kosmos label set
+cookbook_file "#{working_directory}/custom/options/label/Kosmos" do
+  source "custom/options/label/Kosmos"
+  owner "git"
+  group "git"
+  mode  "0640"
+end
+
+directory config_directory do
+  owner "git"
+  group "git"
+  mode "0750"
+end
+
+# Copy the self-signed root certificate to the system certificate store. Gitea
+# will find it there automatically
+postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
+root_cert_path = "/etc/ssl/certs/root.kosmos.org.crt"
+file root_cert_path do
+  content postgresql_data_bag_item['ssl_root_cert']
+  mode "0644"
+end
+
+template "#{config_directory}/app.ini" do
+  source "app.ini.erb"
+  owner "git"
+  group "git"
+  mode "0640"
+  sensitive true
+  variables working_directory: working_directory,
+            git_home_directory: git_home_directory,
+            config_directory: config_directory,
+            gitea_binary_path: gitea_binary_path,
+            jwt_secret: jwt_secret,
+            internal_token: internal_token,
+            secret_key: secret_key,
+            postgresql_host: "#{postgresql_server}:5432",
+            postgresql_password: gitea_data_bag_item["postgresql_password"],
+            smtp_host: smtp_credentials["relayhost"],
+            smtp_user: smtp_credentials["user_name"],
+            smtp_password: smtp_credentials["password"]
+  notifies :restart, "service[gitea]", :delayed
+end
+
+remote_file gitea_binary_path do
+  source node['kosmos_gitea']['binary_url']
+  checksum node['kosmos_gitea']['binary_checksum']
+  mode "0755"
+end
+
+execute "systemctl daemon-reload" do
+  action :nothing
+end
+
+template "/etc/systemd/system/gitea.service" do
+  source "gitea.service.erb"
+  variables working_directory: working_directory,
+            git_home_directory: git_home_directory,
+            config_directory: config_directory,
+            gitea_binary_path: gitea_binary_path
+  notifies :run, "execute[systemctl daemon-reload]", :delayed
+end
+
+service "gitea" do
+  action [:enable, :start]
+end
+
+template "#{node['nginx']['dir']}/sites-available/#{domain}" do
+  source "nginx_conf.erb"
+  owner 'www-data'
+  mode 0640
+  variables server_name:   domain,
+            ssl_cert:      "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key:       "/etc/letsencrypt/live/#{domain}/privkey.pem",
+            upstream_port: 3000
+
+  notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_site domain do
+  action :enable
+end
+
+# Enable when we switch the IP of gitea.kosmos.org
+# nginx_certbot_site domain
+
+unless node.chef_environment == "development"
+  include_recipe "firewall"
+end

site-cookbooks/kosmos_gitea/recipes/pg_db.rb

@@ -0,0 +1,37 @@
+#
+# Cookbook:: kosmos_gitea
+# Recipe:: pg_db
+#
+# Copyright:: 2020, Kosmos Developers, All Rights Reserved.
+
+gitea_data_bag_item = data_bag_item("credentials", "gitea")
+
+postgresql_service = "service[#{postgresql_service_name}]"
+
+service postgresql_service do
+  supports restart: true, status: true, reload: true
+end
+
+postgresql_user "gitea" do
+  action :create
+  password gitea_data_bag_item["postgresql_password"]
+end
+
+postgresql_database "gitea" do
+  owner "gitea"
+  action :create
+end
+
+search(:node, "role:gitea AND chef_environment:#{node.chef_environment}").each do |gitea_server|
+  ip = ip_for(gitea_server)
+  hostname = gitea_server[:hostname]
+
+  postgresql_access "gitea #{hostname}" do
+    access_type "host"
+    access_db "gitea"
+    access_user "gitea"
+    access_addr "#{ip}/32"
+    access_method "md5"
+    notifies :reload, postgresql_service, :delayed
+  end
+end

site-cookbooks/kosmos_gitea/templates/default/app.ini.erb

@@ -0,0 +1,82 @@
+APP_NAME = Gitea
+RUN_MODE = prod
+
+[server]
+SSH_DOMAIN       = gitea.kosmos.org
+HTTP_PORT        = 3000
+DISABLE_SSH      = false
+SSH_PORT         = 22
+PROTOCOL = http
+DOMAIN = gitea.kosmos.org
+ROOT_URL = %(PROTOCOL)s://%(DOMAIN)s
+# REDIRECT_OTHER_PORT = true
+# PORT_TO_REDIRECT = 3001
+# ENABLE_LETSENCRYPT = true
+# LETSENCRYPT_ACCEPTTOS = true
+# LETSENCRYPT_DIRECTORY = /data/gitea/https
+# LETSENCRYPT_EMAIL = ops@5apps.com
+
+[database]
+DB_TYPE = postgres
+HOST    = <%= @postgresql_host %>
+NAME    = gitea
+USER    = gitea
+PASSWD  = <%= @postgresql_password %>
+SSL_MODE = verify-ca
+
+# [indexer]
+# ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+
+[session]
+PROVIDER = file
+PROVIDER_CONFIG = sessions
+# Enable when TLS is enabled
+# COOKIE_SECURE = true
+
+[mailer]
+ENABLED = true
+HOST = <%= @smtp_host %>
+FROM = gitea@kosmos.org
+USER = <%= @smtp_user %>
+PASSWD = <%= @smtp_password %>
+
+[oauth2]
+JWT_SECRET = <%= @jwt_secret %>
+
+[security]
+INTERNAL_TOKEN = <%= @internal_token %>
+INSTALL_LOCK   = true
+SECRET_KEY     = <%= @secret_key %>
+
+[service]
+REGISTER_EMAIL_CONFIRM            = false
+ENABLE_NOTIFY_MAIL                = true
+DISABLE_REGISTRATION              = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
+ENABLE_CAPTCHA                    = false
+REQUIRE_SIGNIN_VIEW               = false
+DEFAULT_KEEP_EMAIL_PRIVATE        = true
+DEFAULT_ALLOW_CREATE_ORGANIZATION = false
+DEFAULT_ENABLE_TIMETRACKING       = false
+NO_REPLY_ADDRESS                  = noreply.kosmos.org
+
+[picture]
+DISABLE_GRAVATAR        = false
+ENABLE_FEDERATED_AVATAR = true
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[log]
+MODE      = console
+LEVEL     = Debug
+
+[attachment]
+ENABLED = true
+PATH = data/attachments
+ALLOWED_TYPES = image/gif|image/jpeg|image/png|application/zip|application/gzip
+; ; Max size of each file. Defaults to 4MB
+MAX_SIZE = 10
+; ; Max number of files per upload. Defaults to 5
+MAX_FILES = 5

site-cookbooks/kosmos_gitea/templates/default/gitea.service.erb

@@ -0,0 +1,35 @@
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=syslog.target
+After=network.target
+
+# Requires=postgresql.service
+# Requires=redis.service
+
+[Service]
+# Modify these two values and uncomment them if you have
+# repos with lots of files and get an HTTP error 500 because
+# of that
+###
+LimitMEMLOCK=infinity
+LimitNOFILE=65535
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=<%= @working_directory %>
+# If using Unix socket: tells systemd to create the /run/gitea folder, which will contain the gitea.sock file
+# (manually creating /run/gitea doesn't work, because it would not persist across reboots)
+#RuntimeDirectory=gitea
+ExecStart=<%= @gitea_binary_path %> web --config <%= @config_directory %>/app.ini
+Restart=always
+Environment=USER=git HOME=<%= @git_home_directory %> GITEA_WORK_DIR=<%= @working_directory %>
+# If you want to bind Gitea to a port below 1024, uncomment
+# the two values below, or use socket activation to pass Gitea its ports as above
+###
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+###
+
+[Install]
+WantedBy=multi-user.target

site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb

@@ -0,0 +1,28 @@
+# Generated by Chef
+upstream _gitea {
+  server   localhost:<%= @upstream_port %>;
+}
+
+server {
+<% if File.exist?(@ssl_cert) && !File.exist?(@ssl_key) -%>
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name <%= @server_name %>;
+
+  ssl_certificate     <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+
+  add_header Strict-Transport-Security "max-age=31536000";
+<% else -%>
+  listen 80;
+  server_name <%= @server_name %>;
+<% end -%>
+
+  location / {
+    # Increase number of buffers. Default is 8
+    proxy_buffers 1024 8k;
+
+    proxy_pass http://_gitea;
+    proxy_http_version 1.1;
+  }
+}