Store Gitea data (avatars, attachments, etc.) in Garage/S3
Also adds a new garage gateway role, which only allows RPC (inter-node) traffic to Garage.
This commit is contained in:
parent
9a89af0fe3
commit
e0fb84e56c
|
@ -1,30 +1,51 @@
|
|||
{
|
||||
"id": "gitea",
|
||||
"jwt_secret": {
|
||||
"encrypted_data": "jTNhXpJ1mhUXjfRZ3OAR8lrGgxyyob44kN0TyNec5zO2Wb46hJgYMWwtKlZ9\nohNexOKV+wXCjZNeVw0kNgI=\n",
|
||||
"iv": "NYkJTeTzLilMLptE\n",
|
||||
"auth_tag": "a/PuBmOmhyCx0ooepz7n1w==\n",
|
||||
"encrypted_data": "suy7Vwlg7tyJFBSjlnNRv7qR4jp1o9F0TbwxGcwWqbCpQW2NHl9QS1SCXJml\n4UbKklppjp+7Axvvs7YiOX8=\n",
|
||||
"iv": "ojZAtLDxV6569XHN\n",
|
||||
"auth_tag": "j15eLXjGMIIsXh5dHET/lw==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"internal_token": {
|
||||
"encrypted_data": "HbyEfyrupc06vGHhSqKUUT8NAIrlvbK4LbMdqxmJMgeltvDItqGgFa0ZdD51\n0djRqQMrRZ4MEdqVTFSBL+8QVdriKeUcLcummp52Sp9tYZKSQKympJFx3fsS\n49rBJhDKRlc3+jUpejJu4jHY4xR2MMNvWWqkkufTvZHhzg==\n",
|
||||
"iv": "DUSCP7Q3dgjyYXwl\n",
|
||||
"auth_tag": "HkPLLvY8uVNK871OsMshcg==\n",
|
||||
"encrypted_data": "y7VG9w8Gz/jxgz86p/OtpVvJBYjD6yGOPhCM3SEPlbQF/gqI8VuTkJlUQLFB\nrsPiCcjjynuTPJPLvdkVUu1XjOfp5dtbPDc0hqp8KhvBx4DhnH7Mspp/kWfb\n9DWzJ6zeGBB/nrNay0jTV1MoqzKc3Nl0GSkzBLMbr15vVw==\n",
|
||||
"iv": "wcx+w1Ij5Dee/81s\n",
|
||||
"auth_tag": "C7QMXezMU+jcYZAjlm86rg==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"secret_key": {
|
||||
"encrypted_data": "bvxdPokzagjZkdGG37hbWBi6ywu+1UuOrlJJ4p5zOG03b4PN4N40ztO4fWr5\ncMHfO7FER779fRc+tA2H7L1SKqSvlJThgk7X8R7AGGQmrQy7Jvc=\n",
|
||||
"iv": "0uTGeUjnbvnW2WGp\n",
|
||||
"auth_tag": "Dzfb3Jiim5eYWfwpN3HO5Q==\n",
|
||||
"encrypted_data": "4DGRaIbqqa5oCzFwNUjRPcP+uauWidjWwmBZY0BNyI3c/XmQBEb8wGV9Leoc\n3avqM5jhS/Ov43SBMpCrR71x4eAPJ3vlSeQ3GnpkgFyWfolmbEg=\n",
|
||||
"iv": "SOTJFH8JkBNtPKyF\n",
|
||||
"auth_tag": "fYSfkMMvGnPdiBOP7NnP8Q==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"postgresql_password": {
|
||||
"encrypted_data": "yv2gQYUxMTa7eeC0GJqE+fujOvM9GIwj/OL/L1wvn7uNTjJE97Xt1gYXRw==\n",
|
||||
"iv": "F6yrDSav9EShCf2N\n",
|
||||
"auth_tag": "08b4vT71g41qu6A6jZ6opw==\n",
|
||||
"encrypted_data": "tA/mMteX2aO7dozNe/YWB8S9sVDdUgzKDnAdgnsXF5qTVT0slHe3KRg7og==\n",
|
||||
"iv": "3/rdo8uCdhrFOWOf\n",
|
||||
"auth_tag": "uNl4R3T5ylEBgAM8P6fdYA==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"s3_key_id": {
|
||||
"encrypted_data": "Pjaw1MM+GNZN68XDbM+PGJUwSSXwu1+ASgm4S0VZ3MvylVG3uBPdqdDUZ9g8\n",
|
||||
"iv": "mPL4HvodGKMD+30N\n",
|
||||
"auth_tag": "nrej5vDLEzAI9HkKJxa/mQ==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"s3_secret_key": {
|
||||
"encrypted_data": "yBWAUGyyoetZ8EDD+kVffGDQbFPVXxpiWCdWL5xn3ohlclrrcWBQP/cGj2Ts\nlSZ2l4ZIuHX6ZdAHe5O2C1h5nYVtWx+u5kVa9n6EoUbz/6iseHU=\n",
|
||||
"iv": "jmIdQZVMCLLKs1pi\n",
|
||||
"auth_tag": "0Jvgjuvhv11/QNV43zm1LQ==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"s3_bucket": {
|
||||
"encrypted_data": "MyR5WhJMGfu+StFPVt3wSzVSNsHnEiLfzKXm2xJeb/cEQVw=\n",
|
||||
"iv": "CHmMCjdVzw+qKHIV\n",
|
||||
"auth_tag": "tiQegK0hQfCjcgRxg1G8Rg==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
}
|
||||
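Review bot: The four pre-existing entries (`jwt_secret`, `internal_token`, `secret_key`, `postgresql_password`) carry new `encrypted_data`/`iv`/`auth_tag` values alongside the three added S3 entries, and the commit message does not say whether those secrets were rotated or the bag was only re-encrypted under a new data bag key. If they were rotated, anything Gitea signed or encrypted with the old values presumably stops validating, which deserves a sentence in the description; if not, the reason for re-encrypting is worth stating so the next reviewer does not have to guess. Keeping the non-secret `s3_bucket` name in the encrypted item next to the key pair is consistent with the rest of the bag and fine.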
|
|
|
@ -5,6 +5,17 @@
|
|||
"replication_mode": "2",
|
||||
"s3_api_root_domain": ".s3.garage.kosmos.org",
|
||||
"s3_web_root_domain": ".web.garage.kosmos.org"
|
||||
},
|
||||
"gitea": {
|
||||
"postgresql_host": "pg.kosmos.local:5432",
|
||||
"config": {
|
||||
"storage": {
|
||||
"type": "minio",
|
||||
"endpoint": "localhost:3900",
|
||||
"location": "garage",
|
||||
"use_ssl": "false"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,5 +1,6 @@
|
|||
{
|
||||
"name": "gitea-2",
|
||||
"chef_environment": "production",
|
||||
"normal": {
|
||||
"knife_zero": {
|
||||
"host": "10.1.1.21"
|
||||
|
@ -13,6 +14,7 @@
|
|||
"ipaddress": "192.168.122.189",
|
||||
"roles": [
|
||||
"kvm_guest",
|
||||
"garage_gateway",
|
||||
"gitea",
|
||||
"postgresql_client"
|
||||
],
|
||||
|
@ -20,6 +22,8 @@
|
|||
"kosmos-base",
|
||||
"kosmos-base::default",
|
||||
"kosmos_kvm::guest",
|
||||
"kosmos_garage",
|
||||
"kosmos_garage::default",
|
||||
"kosmos_postgresql::hostsfile",
|
||||
"kosmos_gitea",
|
||||
"kosmos_gitea::default",
|
||||
|
@ -58,8 +62,9 @@
|
|||
}
|
||||
},
|
||||
"run_list": [
|
||||
"recipe[kosmos-base]",
|
||||
"role[base]",
|
||||
"role[kvm_guest]",
|
||||
"role[garage_gateway]",
|
||||
"role[gitea]"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
name "garage_gateway"
|
||||
|
||||
run_list %w(
|
||||
kosmos_garage::default
|
||||
kosmos_garage::firewall_rpc
|
||||
)
|
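Review bot: The role file does not record what makes this node a gateway rather than a storage node; its run list differs from `garage_node` only by omitting `kosmos_garage::firewall` and `kosmos_garage::firewall_apis`, so nothing here prevents the node from storing data if the Garage layout assigns it capacity. A line such as `description "Garage daemon with only the RPC (inter-node) port open; gateway vs. storage is decided by the cluster layout, not by this role"` would make that explicit, assuming `kosmos_garage::default` does not itself distinguish the two (its body is not on this page).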
|
@ -2,5 +2,6 @@ name "garage_node"
|
|||
|
||||
run_list %w(
|
||||
kosmos_garage::default
|
||||
kosmos_garage::firewall
|
||||
kosmos_garage::firewall_rpc
|
||||
kosmos_garage::firewall_apis
|
||||
)
|
||||
|
|
|
@ -7,13 +7,6 @@ firewall_rule 'garage_s3_api' do
|
|||
port node['garage']['s3_api_port']
|
||||
end
|
||||
|
||||
firewall_rule 'garage_rpc' do
|
||||
command :allow
|
||||
protocol :tcp
|
||||
source "10.1.1.0/24"
|
||||
port node['garage']['rpc_port']
|
||||
end
|
||||
|
||||
firewall_rule 'garage_s3_web' do
|
||||
command :allow
|
||||
protocol :tcp
|
||||
|
@ -28,9 +21,14 @@ firewall_rule 'garage_admin' do
|
|||
port node['garage']['admin_port']
|
||||
end
|
||||
|
||||
firewall_rule 'garage_k2v_api' do
|
||||
command :allow
|
||||
protocol :tcp
|
||||
source "10.1.1.0/24"
|
||||
port node['garage']['k2v_api_port']
|
||||
end
|
||||
# K2V is currently disabled by default in release
|
||||
# builds, but may be interesting for RS usage:
|
||||
#
|
||||
# https://garagehq.deuxfleurs.fr/documentation/reference-manual/k2v/
|
||||
#
|
||||
# firewall_rule 'garage_k2v_api' do
|
||||
# command :allow
|
||||
# protocol :tcp
|
||||
# source "10.1.1.0/24"
|
||||
# port node['garage']['k2v_api_port']
|
||||
# end
|
|
@ -0,0 +1,8 @@
|
|||
include_recipe 'firewall'
|
||||
|
||||
firewall_rule 'garage_rpc' do
|
||||
command :allow
|
||||
protocol :tcp
|
||||
source "10.1.1.0/24"
|
||||
port node['garage']['rpc_port']
|
||||
end
|
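Review bot: `source "10.1.1.0/24"` opens the RPC port to every host on the management subnet rather than to the Garage peers, on both the storage nodes and the new gateway; only the shared `rpc_secret` then separates any subnet host from the inter-node protocol, assuming `kosmos_garage::default` configures one (not visible here). The gitea recipe already carries `# TODO only allow nginx proxy IPs` for the same pattern, and this rule could narrow `source` to the addresses returned by `search(:node, "role:garage_node OR role:garage_gateway")` the way the gitea recipe collects webhook hosts, or at least carry the same TODO. The subnet literal is also repeated in firewall.rb and the gitea recipe; a cookbook attribute next to `rpc_port` (e.g. a new `rpc_allowed_source` key) would keep the copies in step.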
|
@ -1,12 +1,13 @@
|
|||
gitea_version = "1.17.2"
|
||||
node.default["kosmos_gitea"]["version"] = gitea_version
|
||||
node.default["kosmos_gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
|
||||
node.default["kosmos_gitea"]["binary_checksum"] = "d0e903671ae04007c5956beb65985825795c1d9b24c9f354b48008fd44db1b57"
|
||||
node.default["kosmos_gitea"]["nginx"]["domain"] = "gitea.kosmos.org"
|
||||
node.default["kosmos_gitea"]["working_directory"] = "/var/lib/gitea"
|
||||
node.default["kosmos_gitea"]["port"] = 3000
|
||||
gitea_version = "1.17.3"
|
||||
node.default["gitea"]["version"] = gitea_version
|
||||
node.default["gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
|
||||
node.default["gitea"]["binary_checksum"] = "38c4e1228cd051b785c556bcadc378280d76c285b70e8761cd3f5051aed61b5e"
|
||||
node.default["gitea"]["working_directory"] = "/var/lib/gitea"
|
||||
node.default["gitea"]["port"] = 3000
|
||||
node.default["gitea"]["postgresql_host"] = "localhost:5432"
|
||||
node.default["gitea"]["nginx"]["domain"] = "gitea.kosmos.org"
|
||||
|
||||
node.default["kosmos_gitea"]["config"] = {
|
||||
node.default["gitea"]["config"] = {
|
||||
"webhook": {
|
||||
"allowed_host_list" => "external,127.0.1.1"
|
||||
}
|
||||
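Review bot: The `config` literal mixes key styles: `"webhook":` is a symbol key (JSON-style shorthand) while `"allowed_host_list" =>` is a string key. Chef normalises symbol keys to strings when they enter node attributes, so the template's `@config["storage"]` and `c["allowed_host_list"]` lookups still work, but the hybrid reads as if the two levels were addressed differently; `"webhook" => {` keeps the literal uniform. The same mix appears in the recipe's production branch that writes `node.normal["gitea"]["config"]`.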
|
|
|
@ -7,6 +7,6 @@
|
|||
|
||||
unless node.chef_environment == "development"
|
||||
# backup the data dir and the config files
|
||||
node.override["backup"]["archives"]["gitea"] = [node["kosmos_gitea"]["working_directory"]]
|
||||
node.override["backup"]["archives"]["gitea"] = [node["gitea"]["working_directory"]]
|
||||
include_recipe "backup"
|
||||
end
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
|
||||
include_recipe "kosmos-dirsrv::hostsfile"
|
||||
|
||||
working_directory = node["kosmos_gitea"]["working_directory"]
|
||||
working_directory = node["gitea"]["working_directory"]
|
||||
git_home_directory = "/home/git"
|
||||
repository_root_directory = "#{git_home_directory}/gitea-repositories"
|
||||
config_directory = "/etc/gitea"
|
||||
|
@ -62,15 +62,37 @@ directory config_directory do
|
|||
mode "0750"
|
||||
end
|
||||
|
||||
nginx_proxy_ip_addresses = []
|
||||
search(:node, "role:nginx_proxy").each do |node|
|
||||
nginx_proxy_ip_addresses << node["knife_zero"]["host"]
|
||||
if node.chef_environment == "production"
|
||||
allowed_webhook_hosts = []
|
||||
search(:node, "role:nginx_proxy OR role:hubot").each do |node|
|
||||
allowed_webhook_hosts << node["knife_zero"]["host"]
|
||||
end
|
||||
|
||||
node.normal["gitea"]["config"] = {
|
||||
"webhook": {
|
||||
"allowed_host_list" => "external,#{allowed_webhook_hosts.join(",")}"
|
||||
}
|
||||
}
|
||||
end
|
||||
|
||||
node.default["kosmos_gitea"]["config"] = {
|
||||
"webhook": {
|
||||
"allowed_host_list" => "external,#{nginx_proxy_ip_addresses.join(",")}"
|
||||
}
|
||||
config_variables = {
|
||||
working_directory: working_directory,
|
||||
git_home_directory: git_home_directory,
|
||||
repository_root_directory: repository_root_directory,
|
||||
config_directory: config_directory,
|
||||
gitea_binary_path: gitea_binary_path,
|
||||
jwt_secret: jwt_secret,
|
||||
internal_token: internal_token,
|
||||
secret_key: secret_key,
|
||||
postgresql_host: node["gitea"]["postgresql_host"],
|
||||
postgresql_password: gitea_data_bag_item["postgresql_password"],
|
||||
smtp_host: smtp_credentials["relayhost"],
|
||||
smtp_user: smtp_credentials["user_name"],
|
||||
smtp_password: smtp_credentials["password"],
|
||||
config: node["gitea"]["config"],
|
||||
s3_key_id: gitea_data_bag_item["s3_key_id"],
|
||||
s3_secret_key: gitea_data_bag_item["s3_secret_key"],
|
||||
s3_bucket: gitea_data_bag_item["s3_bucket"]
|
||||
}
|
||||
|
||||
template "#{config_directory}/app.ini" do
|
||||
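Review bot: `node.normal["gitea"]["config"] = {...}` in the production branch stores the computed webhook allow-list in the node's persisted normal attributes, so knife-zero writes it back into the node JSON and it survives runs that no longer compute it; `node.override` (or `node.default`, as attributes/default.rb uses) keeps it run-scoped and, being a different key from the environment's `storage` entry, should still deep-merge into `node["gitea"]["config"]`. The search block's parameter is named `node`, shadowing the Chef node object that the `node.normal` write a few lines below refers to; `|n|` with `n["knife_zero"]["host"]` removes that ambiguity. When the search returns no nodes the value becomes `external,` with a trailing comma; whether Gitea tolerates that is not visible here.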
|
@ -79,26 +101,13 @@ template "#{config_directory}/app.ini" do
|
|||
group "git"
|
||||
mode "0600"
|
||||
sensitive true
|
||||
variables working_directory: working_directory,
|
||||
git_home_directory: git_home_directory,
|
||||
repository_root_directory: repository_root_directory,
|
||||
config_directory: config_directory,
|
||||
gitea_binary_path: gitea_binary_path,
|
||||
jwt_secret: jwt_secret,
|
||||
internal_token: internal_token,
|
||||
secret_key: secret_key,
|
||||
postgresql_host: "pg.kosmos.local:5432",
|
||||
postgresql_password: gitea_data_bag_item["postgresql_password"],
|
||||
smtp_host: smtp_credentials["relayhost"],
|
||||
smtp_user: smtp_credentials["user_name"],
|
||||
smtp_password: smtp_credentials["password"],
|
||||
config: node["kosmos_gitea"]["config"]
|
||||
variables config_variables
|
||||
notifies :restart, "service[gitea]", :delayed
|
||||
end
|
||||
|
||||
remote_file gitea_binary_path do
|
||||
source node['kosmos_gitea']['binary_url']
|
||||
checksum node['kosmos_gitea']['binary_checksum']
|
||||
source node['gitea']['binary_url']
|
||||
checksum node['gitea']['binary_checksum']
|
||||
mode "0755"
|
||||
notifies :restart, "service[gitea]", :delayed
|
||||
end
|
||||
|
@ -121,7 +130,7 @@ service "gitea" do
|
|||
end
|
||||
|
||||
firewall_rule 'gitea' do
|
||||
port [node["kosmos_gitea"]["port"]]
|
||||
port [node["gitea"]["port"]]
|
||||
source "10.1.1.0/24" # TODO only allow nginx proxy IPs
|
||||
protocol :tcp
|
||||
command :allow
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
|
||||
include_recipe "kosmos-nginx"
|
||||
|
||||
domain = node["kosmos_gitea"]["nginx"]["domain"]
|
||||
domain = node["gitea"]["nginx"]["domain"]
|
||||
|
||||
# upstream_ip_addresses = []
|
||||
# search(:node, "role:gitea").each do |n|
|
||||
|
@ -28,7 +28,7 @@ template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
|||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
|
||||
upstream_host: upstream_ip_address,
|
||||
upstream_port: node["kosmos_gitea"]["port"]
|
||||
upstream_port: node["gitea"]["port"]
|
||||
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
|
|
@ -92,3 +92,16 @@ SCHEDULE = @every 15m
|
|||
[webhook]
|
||||
<% if c["allowed_host_list"] %>ALLOWED_HOST_LIST = <%= c["allowed_host_list"] %><% end %>
|
||||
<% end %>
|
||||
|
||||
<% if c = @config["storage"] %>
|
||||
[storage]
|
||||
<% if c["type"] == "minio" %>
|
||||
STORAGE_TYPE=minio
|
||||
MINIO_ENDPOINT=<%= c["endpoint"] %>
|
||||
MINIO_ACCESS_KEY_ID=<%= @s3_key_id %>
|
||||
MINIO_SECRET_ACCESS_KEY=<%= @s3_secret_key %>
|
||||
MINIO_BUCKET=<%= @s3_bucket %>
|
||||
MINIO_LOCATION=<%= c["location"] %>
|
||||
MINIO_USE_SSL=<%= c["use_ssl"] %>
|
||||
<% end %>
|
||||
<% end %>
|
||||
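Review bot: `MINIO_USE_SSL=<%= c["use_ssl"] %>` renders an empty value whenever an environment sets `storage` without `use_ssl`, and `STORAGE_TYPE=minio` is fixed even though the branch keys on `c["type"]`; `MINIO_USE_SSL=<%= c.fetch("use_ssl", "false") %>` and `STORAGE_TYPE=<%= c["type"] %>` make the rendered section follow the attributes (Gitea presumably falls back to its default on an empty value, but the intent is not readable from the file). The S3 secret is written into app.ini in the clear, which is acceptable here because the template resource is `mode "0600"` and `sensitive true` (visible in the earlier hunk), but an ERB comment such as `<%# MINIO_* credentials come from the encrypted gitea data bag; the rendered file must stay 0600 %>` above `[storage]` would warn future editors. Also note the `[storage]` header is emitted even when `type` is not `minio`, leaving an empty section.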
|
|