From 2d6c5142572a5955f5f7cf6f85e0870513b26724 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 2 Jun 2020 11:22:10 +0200
Subject: [PATCH 1/8] Add the gitea role
---
 roles/gitea.rb | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 roles/gitea.rb
diff --git a/roles/gitea.rb b/roles/gitea.rb
new file mode 100644
index 0000000..b6f5069
--- /dev/null
+++ b/roles/gitea.rb
@@ -0,0 +1,6 @@
+name "gitea"
+ run_list %w(
+ kosmos_gitea::default
+ kosmos_gitea::backup
+)
From c8e50fd226d6f2aaf73b5bed4d836b12b8078bfc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 2 Jun 2020 11:41:19 +0200
Subject: [PATCH 2/8] Install git, it is a required dependency for Gitea
I didn't catch it because git is installed by default in the Vagrant box I used to write the cookbook
---
 site-cookbooks/kosmos_gitea/recipes/default.rb | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/site-cookbooks/kosmos_gitea/recipes/default.rb b/site-cookbooks/kosmos_gitea/recipes/default.rb
index 22bfcdc..3d8f370 100644
--- a/site-cookbooks/kosmos_gitea/recipes/default.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/default.rb
@@ -42,6 +42,9 @@ postgresql_server = postgresql_primary_node[:ipaddress]
 # PostgreSQL is on the same server, connect through localhost
 postgresql_server = "localhost" if postgresql_primary_node[:hostname] == node[:hostname]
+# Dependency
+package "git"
+
 user "git" do
 manage_home true
 home "/home/git"
From 27845525da8074e483099af171ba003e79389c1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 2 Jun 2020 12:12:59 +0200
Subject: [PATCH 3/8] Use the same JWT_SECRET as on our previous Gitea
A different one breaks 2FA
---
 data_bags/credentials/gitea.json | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/data_bags/credentials/gitea.json b/data_bags/credentials/gitea.json
index 92f9d8d..f8431b2 100644
--- a/data_bags/credentials/gitea.json
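Review bot: The `# Dependency` comment added above `package "git"` names neither what depends on git nor why it is installed explicitly here; the commit message carries that reasoning and it belongs in the recipe, where the next maintainer will look. Suggested wording: `# Gitea needs the git binary; it was preinstalled in the Vagrant box used for development, but the target servers may not have it`. The enclosing recipe continues outside the hunk.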
+++ b/data_bags/credentials/gitea.json @@ -1,30 +1,30 @@ { "id": "gitea", "jwt_secret": { - "encrypted_data": "qHUcKXEhYWXZziyiI9URzLiyIRVWlVJmAuOyBhTe/xogUzURgCmbcgeEfOkb\n2GT2E2Qot5MDdV2+PgjwkyY=\n", - "iv": "LCl4UrlOrhcaHgaW\n", - "auth_tag": "UxyCH/obwVyR6fpIdmr/KA==\n", + "encrypted_data": "jTNhXpJ1mhUXjfRZ3OAR8lrGgxyyob44kN0TyNec5zO2Wb46hJgYMWwtKlZ9\nohNexOKV+wXCjZNeVw0kNgI=\n", + "iv": "NYkJTeTzLilMLptE\n", + "auth_tag": "a/PuBmOmhyCx0ooepz7n1w==\n", "version": 3, "cipher": "aes-256-gcm" }, "internal_token": { - "encrypted_data": "lIeZaN6Dx6Jq+/1m0CzBzDa+/gGE+lA0CfzdMn5c0cKVmISIRfdxDE1PfawL\nFm7zvktC1DdlHnCLPKK03U6Lzy2VWRIn6HCZC8IbeFzf7zmWvHrpjOw5pEqA\nGdQmLZ2IDHcs7VcM7Xml0olH9cvccFCAGahdp5wrwB+14w==\n", - "iv": "ZPl9OJkrJAgneqvW\n", - "auth_tag": "QwqSj0q+olo811kiN+FbgQ==\n", + "encrypted_data": "HbyEfyrupc06vGHhSqKUUT8NAIrlvbK4LbMdqxmJMgeltvDItqGgFa0ZdD51\n0djRqQMrRZ4MEdqVTFSBL+8QVdriKeUcLcummp52Sp9tYZKSQKympJFx3fsS\n49rBJhDKRlc3+jUpejJu4jHY4xR2MMNvWWqkkufTvZHhzg==\n", + "iv": "DUSCP7Q3dgjyYXwl\n", + "auth_tag": "HkPLLvY8uVNK871OsMshcg==\n", "version": 3, "cipher": "aes-256-gcm" }, "secret_key": { - "encrypted_data": "z4nxVYGEo/hqSHZ4qa5s+a9wMHUOnms5cOsSd07Nuth8YntyS3KOKfhhjvRe\n5oSDShD6IPIWGjDI481HbiJkLFufyQGHV8oR5HDvel/dKNCrokw=\n", - "iv": "xF8mlqQQVC5Senbt\n", - "auth_tag": "Un/oE3NxQMtpJQUutH19uw==\n", + "encrypted_data": "bvxdPokzagjZkdGG37hbWBi6ywu+1UuOrlJJ4p5zOG03b4PN4N40ztO4fWr5\ncMHfO7FER779fRc+tA2H7L1SKqSvlJThgk7X8R7AGGQmrQy7Jvc=\n", + "iv": "0uTGeUjnbvnW2WGp\n", + "auth_tag": "Dzfb3Jiim5eYWfwpN3HO5Q==\n", "version": 3, "cipher": "aes-256-gcm" }, "postgresql_password": { - "encrypted_data": "qflAQFt3eMkODtNP86zjH77Y3fRvc3BWXeV0Zra4Zezkaa6vsZOWePaqSg==\n", - "iv": "SrpWet9nSiEeRMma\n", - "auth_tag": "SAvgZ5pmwWDsx3uud1EeTg==\n", + "encrypted_data": "yv2gQYUxMTa7eeC0GJqE+fujOvM9GIwj/OL/L1wvn7uNTjJE97Xt1gYXRw==\n", + "iv": "F6yrDSav9EShCf2N\n", + "auth_tag": "08b4vT71g41qu6A6jZ6opw==\n", "version": 3, "cipher": "aes-256-gcm" } 
From 0c502580c2d81d87540ea3785b1467a7893bfd0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 2 Jun 2020 16:16:30 +0200
Subject: [PATCH 4/8] Fix the condition for the Let's Encrypt cert in the template
The line contained an extra !
---
 site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb
index 6dff6f4..4f67da8 100644
--- a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb
@@ -4,7 +4,7 @@ upstream _gitea {
 }
 server {
-<% if File.exist?(@ssl_cert) && !File.exist?(@ssl_key) -%>
+<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
 server_name <%= @server_name %>;
From 55865c526ca37cef94bf74a9e0deea2cde9a6bcf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 2 Jun 2020 16:17:34 +0200
Subject: [PATCH 5/8] Add the Let's Encrypt hook dir to the config
Only enabled when there is no TLS cert. This is already part of the certbot nginx vhost
---
 site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb
index 4f67da8..a77bc02 100644
--- a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb
@@ -16,6 +16,10 @@ server {
 <% else -%>
 listen 80;
 server_name <%= @server_name %>;
+ location /.well-known {
+ root "/var/www/<%= @server_name %>";
+ }
 <% end -%>
 location / {
From 0f10723c8127e59a7d60e6af4b6d65c42dd0ede3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 2 Jun 2020 16:18:48 +0200
Subject: [PATCH 6/8] Enable secure cookies
---
 site-cookbooks/kosmos_gitea/templates/default/app.ini.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
index 4597dcc..68b771f 100644
--- a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
@@ -31,7 +31,7 @@ SSL_MODE = verify-ca
 PROVIDER = file
 PROVIDER_CONFIG = sessions
 # Enable when TLS is enabled
-# COOKIE_SECURE = true
+COOKIE_SECURE = true
 [mailer]
 ENABLED = true
From 759fa52e0397b59c0415c8c0f53d47aacebcb12b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 2 Jun 2020 16:19:05 +0200
Subject: [PATCH 7/8] Enable the certbot resource
---
 site-cookbooks/kosmos_gitea/recipes/default.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/site-cookbooks/kosmos_gitea/recipes/default.rb b/site-cookbooks/kosmos_gitea/recipes/default.rb
index 3d8f370..e159833 100644
--- a/site-cookbooks/kosmos_gitea/recipes/default.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/default.rb
@@ -147,8 +147,7 @@ nginx_site domain do
 action :enable
 end
-# Enable when we switch the IP of gitea.kosmos.org
-# nginx_certbot_site domain
+nginx_certbot_site domain unless node.chef_environment == "development"
 include_recipe "firewall"
From ccd49aefa4ea068033b96f1d1c2dcd45781f5c4d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 2 Jun 2020 16:19:21 +0200
Subject: [PATCH 8/8] Add Gitea to the run lists for Andromeda and Centaurus
---
 nodes/andromeda.kosmos.org.json | 7 ++++---
 nodes/centaurus.kosmos.org.json | 25 +++++++++++++++++++++----
 2 files changed, 25 insertions(+), 7 deletions(-)
diff --git a/nodes/andromeda.kosmos.org.json b/nodes/andromeda.kosmos.org.json
index ace8d73..dea7894 100644
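Review bot: `COOKIE_SECURE = true` is now set unconditionally while the comment directly above it, `# Enable when TLS is enabled`, still describes it as conditional, and the nginx template in this same series keeps a plain-HTTP `listen 80` branch for hosts where the certificate and key do not exist yet. Browsers do not return a cookie carrying the Secure flag over plain HTTP, so on such a host Gitea sessions would presumably not persist until the certificate is in place. Either gate the line on the same cert-and-key check the nginx template uses, or replace the now-stale comment with one stating the dependency, e.g. `# Requires the TLS vhost from nginx_conf.erb; Secure cookies are never sent over plain HTTP`.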
--- a/nodes/andromeda.kosmos.org.json
+++ b/nodes/andromeda.kosmos.org.json
@@ -47,6 +47,7 @@
 "kosmos-ejabberd::default",
 "kosmos-ejabberd::letsencrypt",
 "kosmos-ejabberd::backup",
+ "kosmos_gitea::pg_db",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
@@ -108,8 +109,7 @@
 "kosmos-base::letsencrypt",
 "git::default",
 "git::package",
- "build-essential::default",
- "poise-git::default"
+ "build-essential::default"
 ],
 "platform": "ubuntu",
 "platform_version": "18.04",
@@ -134,6 +134,7 @@
 "recipe[kosmos-mediawiki]",
 "recipe[kosmos-btcpayserver::proxy]",
 "role[mastodon]",
- "role[ejabberd]"
+ "role[ejabberd]",
+ "recipe[kosmos_gitea::pg_db]"
 ]
 }
\ No newline at end of file
diff --git a/nodes/centaurus.kosmos.org.json b/nodes/centaurus.kosmos.org.json
index 0a5fe83..abd2780 100644
--- a/nodes/centaurus.kosmos.org.json
+++ b/nodes/centaurus.kosmos.org.json
@@ -8,16 +8,20 @@
 "automatic": {
 "fqdn": "centaurus.kosmos.org",
 "os": "linux",
- "os_version": "4.15.0-96-generic",
+ "os_version": "4.15.0-101-generic",
 "hostname": "centaurus",
 "ipaddress": "78.46.59.98",
 "roles": [
- "postgresql_replica"
+ "postgresql_replica",
+ "gitea"
 ],
 "recipes": [
 "kosmos-base",
 "kosmos-base::default",
 "kosmos-postgresql::replica",
+ "kosmos_gitea",
+ "kosmos_gitea::default",
+ "kosmos_gitea::backup",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
@@ -33,7 +37,19 @@
 "hostname::default",
 "firewall::default",
 "chef-sugar::default",
- "build-essential::default"
+ "kosmos-nginx::default",
+ "nginx::default",
+ "nginx::package",
+ "nginx::ohai_plugin",
+ "nginx::repo",
+ "nginx::commons",
+ "nginx::commons_dir",
+ "nginx::commons_script",
+ "nginx::commons_conf",
+ "backup::default",
+ "logrotate::default",
+ "build-essential::default",
+ "kosmos-base::letsencrypt"
 ],
 "platform": "ubuntu",
 "platform_version": "18.04",
@@ -51,6 +67,7 @@
 },
 "run_list": [
 "recipe[kosmos-base]",
- "role[postgresql_replica]"
+ "role[postgresql_replica]",
+ "role[gitea]"
 ]
 }
\ No newline at end of file