Store Gitea data (avatars, attachments, etc.) in Garage/S3

Also adds a new garage gateway role, which only allows RPC (inter-node)
traffic to Garage.
This commit is contained in:
Râu Cao 2022-11-26 13:05:07 +01:00
parent 9a89af0fe3
commit e0fb84e56c
Signed by: raucao
GPG Key ID: 15E65F399D084BA9
12 changed files with 138 additions and 65 deletions

View File

@ -1,30 +1,51 @@
{
"id": "gitea",
"jwt_secret": {
"encrypted_data": "jTNhXpJ1mhUXjfRZ3OAR8lrGgxyyob44kN0TyNec5zO2Wb46hJgYMWwtKlZ9\nohNexOKV+wXCjZNeVw0kNgI=\n",
"iv": "NYkJTeTzLilMLptE\n",
"auth_tag": "a/PuBmOmhyCx0ooepz7n1w==\n",
"encrypted_data": "suy7Vwlg7tyJFBSjlnNRv7qR4jp1o9F0TbwxGcwWqbCpQW2NHl9QS1SCXJml\n4UbKklppjp+7Axvvs7YiOX8=\n",
"iv": "ojZAtLDxV6569XHN\n",
"auth_tag": "j15eLXjGMIIsXh5dHET/lw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"internal_token": {
"encrypted_data": "HbyEfyrupc06vGHhSqKUUT8NAIrlvbK4LbMdqxmJMgeltvDItqGgFa0ZdD51\n0djRqQMrRZ4MEdqVTFSBL+8QVdriKeUcLcummp52Sp9tYZKSQKympJFx3fsS\n49rBJhDKRlc3+jUpejJu4jHY4xR2MMNvWWqkkufTvZHhzg==\n",
"iv": "DUSCP7Q3dgjyYXwl\n",
"auth_tag": "HkPLLvY8uVNK871OsMshcg==\n",
"encrypted_data": "y7VG9w8Gz/jxgz86p/OtpVvJBYjD6yGOPhCM3SEPlbQF/gqI8VuTkJlUQLFB\nrsPiCcjjynuTPJPLvdkVUu1XjOfp5dtbPDc0hqp8KhvBx4DhnH7Mspp/kWfb\n9DWzJ6zeGBB/nrNay0jTV1MoqzKc3Nl0GSkzBLMbr15vVw==\n",
"iv": "wcx+w1Ij5Dee/81s\n",
"auth_tag": "C7QMXezMU+jcYZAjlm86rg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"secret_key": {
"encrypted_data": "bvxdPokzagjZkdGG37hbWBi6ywu+1UuOrlJJ4p5zOG03b4PN4N40ztO4fWr5\ncMHfO7FER779fRc+tA2H7L1SKqSvlJThgk7X8R7AGGQmrQy7Jvc=\n",
"iv": "0uTGeUjnbvnW2WGp\n",
"auth_tag": "Dzfb3Jiim5eYWfwpN3HO5Q==\n",
"encrypted_data": "4DGRaIbqqa5oCzFwNUjRPcP+uauWidjWwmBZY0BNyI3c/XmQBEb8wGV9Leoc\n3avqM5jhS/Ov43SBMpCrR71x4eAPJ3vlSeQ3GnpkgFyWfolmbEg=\n",
"iv": "SOTJFH8JkBNtPKyF\n",
"auth_tag": "fYSfkMMvGnPdiBOP7NnP8Q==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"postgresql_password": {
"encrypted_data": "yv2gQYUxMTa7eeC0GJqE+fujOvM9GIwj/OL/L1wvn7uNTjJE97Xt1gYXRw==\n",
"iv": "F6yrDSav9EShCf2N\n",
"auth_tag": "08b4vT71g41qu6A6jZ6opw==\n",
"encrypted_data": "tA/mMteX2aO7dozNe/YWB8S9sVDdUgzKDnAdgnsXF5qTVT0slHe3KRg7og==\n",
"iv": "3/rdo8uCdhrFOWOf\n",
"auth_tag": "uNl4R3T5ylEBgAM8P6fdYA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_key_id": {
"encrypted_data": "Pjaw1MM+GNZN68XDbM+PGJUwSSXwu1+ASgm4S0VZ3MvylVG3uBPdqdDUZ9g8\n",
"iv": "mPL4HvodGKMD+30N\n",
"auth_tag": "nrej5vDLEzAI9HkKJxa/mQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_secret_key": {
"encrypted_data": "yBWAUGyyoetZ8EDD+kVffGDQbFPVXxpiWCdWL5xn3ohlclrrcWBQP/cGj2Ts\nlSZ2l4ZIuHX6ZdAHe5O2C1h5nYVtWx+u5kVa9n6EoUbz/6iseHU=\n",
"iv": "jmIdQZVMCLLKs1pi\n",
"auth_tag": "0Jvgjuvhv11/QNV43zm1LQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_bucket": {
"encrypted_data": "MyR5WhJMGfu+StFPVt3wSzVSNsHnEiLfzKXm2xJeb/cEQVw=\n",
"iv": "CHmMCjdVzw+qKHIV\n",
"auth_tag": "tiQegK0hQfCjcgRxg1G8Rg==\n",
"version": 3,
"cipher": "aes-256-gcm"
}

View File

@ -5,6 +5,17 @@
"replication_mode": "2",
"s3_api_root_domain": ".s3.garage.kosmos.org",
"s3_web_root_domain": ".web.garage.kosmos.org"
},
"gitea": {
"postgresql_host": "pg.kosmos.local:5432",
"config": {
"storage": {
"type": "minio",
"endpoint": "localhost:3900",
"location": "garage",
"use_ssl": "false"
}
}
}
}
}
}

View File

@ -1,5 +1,6 @@
{
"name": "gitea-2",
"chef_environment": "production",
"normal": {
"knife_zero": {
"host": "10.1.1.21"
@ -13,6 +14,7 @@
"ipaddress": "192.168.122.189",
"roles": [
"kvm_guest",
"garage_gateway",
"gitea",
"postgresql_client"
],
@ -20,6 +22,8 @@
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos_garage",
"kosmos_garage::default",
"kosmos_postgresql::hostsfile",
"kosmos_gitea",
"kosmos_gitea::default",
@ -58,8 +62,9 @@
}
},
"run_list": [
"recipe[kosmos-base]",
"role[base]",
"role[kvm_guest]",
"role[garage_gateway]",
"role[gitea]"
]
}
}

6
roles/garage_gateway.rb Normal file
View File

@ -0,0 +1,6 @@
name "garage_gateway"
run_list %w(
kosmos_garage::default
kosmos_garage::firewall_rpc
)

View File

@ -2,5 +2,6 @@ name "garage_node"
run_list %w(
kosmos_garage::default
kosmos_garage::firewall
kosmos_garage::firewall_rpc
kosmos_garage::firewall_apis
)

View File

@ -7,13 +7,6 @@ firewall_rule 'garage_s3_api' do
port node['garage']['s3_api_port']
end
firewall_rule 'garage_rpc' do
command :allow
protocol :tcp
source "10.1.1.0/24"
port node['garage']['rpc_port']
end
firewall_rule 'garage_s3_web' do
command :allow
protocol :tcp
@ -28,9 +21,14 @@ firewall_rule 'garage_admin' do
port node['garage']['admin_port']
end
firewall_rule 'garage_k2v_api' do
command :allow
protocol :tcp
source "10.1.1.0/24"
port node['garage']['k2v_api_port']
end
# K2V is currently disabled by default in release
# builds, but may be interesting for RS usage:
#
# https://garagehq.deuxfleurs.fr/documentation/reference-manual/k2v/
#
# firewall_rule 'garage_k2v_api' do
# command :allow
# protocol :tcp
# source "10.1.1.0/24"
# port node['garage']['k2v_api_port']
# end

View File

@ -0,0 +1,8 @@
include_recipe 'firewall'
firewall_rule 'garage_rpc' do
command :allow
protocol :tcp
source "10.1.1.0/24"
port node['garage']['rpc_port']
end

View File

@ -1,12 +1,13 @@
gitea_version = "1.17.2"
node.default["kosmos_gitea"]["version"] = gitea_version
node.default["kosmos_gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
node.default["kosmos_gitea"]["binary_checksum"] = "d0e903671ae04007c5956beb65985825795c1d9b24c9f354b48008fd44db1b57"
node.default["kosmos_gitea"]["nginx"]["domain"] = "gitea.kosmos.org"
node.default["kosmos_gitea"]["working_directory"] = "/var/lib/gitea"
node.default["kosmos_gitea"]["port"] = 3000
gitea_version = "1.17.3"
node.default["gitea"]["version"] = gitea_version
node.default["gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
node.default["gitea"]["binary_checksum"] = "38c4e1228cd051b785c556bcadc378280d76c285b70e8761cd3f5051aed61b5e"
node.default["gitea"]["working_directory"] = "/var/lib/gitea"
node.default["gitea"]["port"] = 3000
node.default["gitea"]["postgresql_host"] = "localhost:5432"
node.default["gitea"]["nginx"]["domain"] = "gitea.kosmos.org"
node.default["kosmos_gitea"]["config"] = {
node.default["gitea"]["config"] = {
"webhook": {
"allowed_host_list" => "external,127.0.1.1"
}

View File

@ -7,6 +7,6 @@
unless node.chef_environment == "development"
# backup the data dir and the config files
node.override["backup"]["archives"]["gitea"] = [node["kosmos_gitea"]["working_directory"]]
node.override["backup"]["archives"]["gitea"] = [node["gitea"]["working_directory"]]
include_recipe "backup"
end

View File

@ -5,7 +5,7 @@
include_recipe "kosmos-dirsrv::hostsfile"
working_directory = node["kosmos_gitea"]["working_directory"]
working_directory = node["gitea"]["working_directory"]
git_home_directory = "/home/git"
repository_root_directory = "#{git_home_directory}/gitea-repositories"
config_directory = "/etc/gitea"
@ -62,15 +62,37 @@ directory config_directory do
mode "0750"
end
nginx_proxy_ip_addresses = []
search(:node, "role:nginx_proxy").each do |node|
nginx_proxy_ip_addresses << node["knife_zero"]["host"]
if node.chef_environment == "production"
allowed_webhook_hosts = []
search(:node, "role:nginx_proxy OR role:hubot").each do |node|
allowed_webhook_hosts << node["knife_zero"]["host"]
end
node.normal["gitea"]["config"] = {
"webhook": {
"allowed_host_list" => "external,#{allowed_webhook_hosts.join(",")}"
}
}
end
node.default["kosmos_gitea"]["config"] = {
"webhook": {
"allowed_host_list" => "external,#{nginx_proxy_ip_addresses.join(",")}"
}
config_variables = {
working_directory: working_directory,
git_home_directory: git_home_directory,
repository_root_directory: repository_root_directory,
config_directory: config_directory,
gitea_binary_path: gitea_binary_path,
jwt_secret: jwt_secret,
internal_token: internal_token,
secret_key: secret_key,
postgresql_host: node["gitea"]["postgresql_host"],
postgresql_password: gitea_data_bag_item["postgresql_password"],
smtp_host: smtp_credentials["relayhost"],
smtp_user: smtp_credentials["user_name"],
smtp_password: smtp_credentials["password"],
config: node["gitea"]["config"],
s3_key_id: gitea_data_bag_item["s3_key_id"],
s3_secret_key: gitea_data_bag_item["s3_secret_key"],
s3_bucket: gitea_data_bag_item["s3_bucket"]
}
template "#{config_directory}/app.ini" do
@ -79,26 +101,13 @@ template "#{config_directory}/app.ini" do
group "git"
mode "0600"
sensitive true
variables working_directory: working_directory,
git_home_directory: git_home_directory,
repository_root_directory: repository_root_directory,
config_directory: config_directory,
gitea_binary_path: gitea_binary_path,
jwt_secret: jwt_secret,
internal_token: internal_token,
secret_key: secret_key,
postgresql_host: "pg.kosmos.local:5432",
postgresql_password: gitea_data_bag_item["postgresql_password"],
smtp_host: smtp_credentials["relayhost"],
smtp_user: smtp_credentials["user_name"],
smtp_password: smtp_credentials["password"],
config: node["kosmos_gitea"]["config"]
variables config_variables
notifies :restart, "service[gitea]", :delayed
end
remote_file gitea_binary_path do
source node['kosmos_gitea']['binary_url']
checksum node['kosmos_gitea']['binary_checksum']
source node['gitea']['binary_url']
checksum node['gitea']['binary_checksum']
mode "0755"
notifies :restart, "service[gitea]", :delayed
end
@ -121,7 +130,7 @@ service "gitea" do
end
firewall_rule 'gitea' do
port [node["kosmos_gitea"]["port"]]
port [node["gitea"]["port"]]
source "10.1.1.0/24" # TODO only allow nginx proxy IPs
protocol :tcp
command :allow

View File

@ -5,7 +5,7 @@
include_recipe "kosmos-nginx"
domain = node["kosmos_gitea"]["nginx"]["domain"]
domain = node["gitea"]["nginx"]["domain"]
# upstream_ip_addresses = []
# search(:node, "role:gitea").each do |n|
@ -28,7 +28,7 @@ template "#{node['nginx']['dir']}/sites-available/#{domain}" do
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
upstream_host: upstream_ip_address,
upstream_port: node["kosmos_gitea"]["port"]
upstream_port: node["gitea"]["port"]
notifies :reload, 'service[nginx]', :delayed
end

View File

@ -92,3 +92,16 @@ SCHEDULE = @every 15m
[webhook]
<% if c["allowed_host_list"] %>ALLOWED_HOST_LIST = <%= c["allowed_host_list"] %><% end %>
<% end %>
<% if c = @config["storage"] %>
[storage]
<% if c["type"] == "minio" %>
STORAGE_TYPE=minio
MINIO_ENDPOINT=<%= c["endpoint"] %>
MINIO_ACCESS_KEY_ID=<%= @s3_key_id %>
MINIO_SECRET_ACCESS_KEY=<%= @s3_secret_key %>
MINIO_BUCKET=<%= @s3_bucket %>
MINIO_LOCATION=<%= c["location"] %>
MINIO_USE_SSL=<%= c["use_ssl"] %>
<% end %>
<% end %>