Store Gitea data (avatars, attachments, etc.) in Garage/S3

Also adds a new garage gateway role, which only allows RPC (inter-node) traffic to Garage.
2022-11-26 13:05:07 +01:00
parent 9a89af0fe3
commit e0fb84e56c
12 changed files with 138 additions and 65 deletions
--- a/site-cookbooks/kosmos_garage/recipes/firewall_apis.rb
+++ b/site-cookbooks/kosmos_garage/recipes/firewall_apis.rb
@@ -7,13 +7,6 @@ firewall_rule 'garage_s3_api' do
  port     node['garage']['s3_api_port']
 end

-firewall_rule 'garage_rpc' do
-  command  :allow
-  protocol :tcp
-  source   "10.1.1.0/24"
-  port     node['garage']['rpc_port']
-end
-
 firewall_rule 'garage_s3_web' do
  command  :allow
  protocol :tcp
@@ -28,9 +21,14 @@ firewall_rule 'garage_admin' do
  port     node['garage']['admin_port']
 end

-firewall_rule 'garage_k2v_api' do
-  command  :allow
-  protocol :tcp
-  source   "10.1.1.0/24"
-  port     node['garage']['k2v_api_port']
-end
+# K2V is currently disabled by default in release
+# builds, but may be interesting for RS usage:
+#
+# https://garagehq.deuxfleurs.fr/documentation/reference-manual/k2v/
+#
+# firewall_rule 'garage_k2v_api' do
+#   command  :allow
+#   protocol :tcp
+#   source   "10.1.1.0/24"
+#   port     node['garage']['k2v_api_port']
+# end
--- a/site-cookbooks/kosmos_garage/recipes/firewall_rpc.rb
+++ b/site-cookbooks/kosmos_garage/recipes/firewall_rpc.rb
@@ -0,0 +1,8 @@
+include_recipe 'firewall'
+
+firewall_rule 'garage_rpc' do
+  command  :allow
+  protocol :tcp
+  source   "10.1.1.0/24"
+  port     node['garage']['rpc_port']
+end
--- a/site-cookbooks/kosmos_gitea/attributes/default.rb
+++ b/site-cookbooks/kosmos_gitea/attributes/default.rb
@@ -1,12 +1,13 @@
-gitea_version = "1.17.2"
-node.default["kosmos_gitea"]["version"] = gitea_version
-node.default["kosmos_gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
-node.default["kosmos_gitea"]["binary_checksum"] = "d0e903671ae04007c5956beb65985825795c1d9b24c9f354b48008fd44db1b57"
-node.default["kosmos_gitea"]["nginx"]["domain"] = "gitea.kosmos.org"
-node.default["kosmos_gitea"]["working_directory"] = "/var/lib/gitea"
-node.default["kosmos_gitea"]["port"] = 3000
+gitea_version = "1.17.3"
+node.default["gitea"]["version"] = gitea_version
+node.default["gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
+node.default["gitea"]["binary_checksum"] = "38c4e1228cd051b785c556bcadc378280d76c285b70e8761cd3f5051aed61b5e"
+node.default["gitea"]["working_directory"] = "/var/lib/gitea"
+node.default["gitea"]["port"] = 3000
+node.default["gitea"]["postgresql_host"] = "localhost:5432"
+node.default["gitea"]["nginx"]["domain"] = "gitea.kosmos.org"

-node.default["kosmos_gitea"]["config"] = {
+node.default["gitea"]["config"] = {
  "webhook":  {
    "allowed_host_list" => "external,127.0.1.1"
  }
--- a/site-cookbooks/kosmos_gitea/recipes/backup.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/backup.rb
@@ -7,6 +7,6 @@

 unless node.chef_environment == "development"
  # backup the data dir and the config files
-  node.override["backup"]["archives"]["gitea"] = [node["kosmos_gitea"]["working_directory"]]
+  node.override["backup"]["archives"]["gitea"] = [node["gitea"]["working_directory"]]
  include_recipe "backup"
 end
--- a/site-cookbooks/kosmos_gitea/recipes/default.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/default.rb
@@ -5,7 +5,7 @@

 include_recipe "kosmos-dirsrv::hostsfile"

-working_directory         = node["kosmos_gitea"]["working_directory"]
+working_directory         = node["gitea"]["working_directory"]
 git_home_directory        = "/home/git"
 repository_root_directory = "#{git_home_directory}/gitea-repositories"
 config_directory          = "/etc/gitea"
@@ -62,15 +62,37 @@ directory config_directory do
  mode "0750"
 end

-nginx_proxy_ip_addresses = []
-search(:node, "role:nginx_proxy").each do |node|
-  nginx_proxy_ip_addresses << node["knife_zero"]["host"]
+if node.chef_environment == "production"
+  allowed_webhook_hosts = []
+  search(:node, "role:nginx_proxy OR role:hubot").each do |node|
+    allowed_webhook_hosts << node["knife_zero"]["host"]
+  end
+
+  node.normal["gitea"]["config"] = {
+    "webhook":  {
+      "allowed_host_list" => "external,#{allowed_webhook_hosts.join(",")}"
+    }
+  }
 end

-node.default["kosmos_gitea"]["config"] = {
-  "webhook":  {
-    "allowed_host_list" => "external,#{nginx_proxy_ip_addresses.join(",")}"
-  }
+config_variables = {
+  working_directory: working_directory,
+  git_home_directory: git_home_directory,
+  repository_root_directory: repository_root_directory,
+  config_directory: config_directory,
+  gitea_binary_path: gitea_binary_path,
+  jwt_secret: jwt_secret,
+  internal_token: internal_token,
+  secret_key: secret_key,
+  postgresql_host: node["gitea"]["postgresql_host"],
+  postgresql_password: gitea_data_bag_item["postgresql_password"],
+  smtp_host: smtp_credentials["relayhost"],
+  smtp_user: smtp_credentials["user_name"],
+  smtp_password: smtp_credentials["password"],
+  config: node["gitea"]["config"],
+  s3_key_id: gitea_data_bag_item["s3_key_id"],
+  s3_secret_key: gitea_data_bag_item["s3_secret_key"],
+  s3_bucket: gitea_data_bag_item["s3_bucket"]
 }

 template "#{config_directory}/app.ini" do
@@ -79,26 +101,13 @@ template "#{config_directory}/app.ini" do
  group "git"
  mode "0600"
  sensitive true
-  variables working_directory: working_directory,
-            git_home_directory: git_home_directory,
-            repository_root_directory: repository_root_directory,
-            config_directory: config_directory,
-            gitea_binary_path: gitea_binary_path,
-            jwt_secret: jwt_secret,
-            internal_token: internal_token,
-            secret_key: secret_key,
-            postgresql_host: "pg.kosmos.local:5432",
-            postgresql_password: gitea_data_bag_item["postgresql_password"],
-            smtp_host: smtp_credentials["relayhost"],
-            smtp_user: smtp_credentials["user_name"],
-            smtp_password: smtp_credentials["password"],
-            config: node["kosmos_gitea"]["config"]
+  variables config_variables
  notifies :restart, "service[gitea]", :delayed
 end

 remote_file gitea_binary_path do
-  source node['kosmos_gitea']['binary_url']
-  checksum node['kosmos_gitea']['binary_checksum']
+  source node['gitea']['binary_url']
+  checksum node['gitea']['binary_checksum']
  mode "0755"
  notifies :restart, "service[gitea]", :delayed
 end
@@ -121,7 +130,7 @@ service "gitea" do
 end

 firewall_rule 'gitea' do
-  port     [node["kosmos_gitea"]["port"]]
+  port     [node["gitea"]["port"]]
  source   "10.1.1.0/24" # TODO only allow nginx proxy IPs
  protocol :tcp
  command  :allow
--- a/site-cookbooks/kosmos_gitea/recipes/nginx.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/nginx.rb
@@ -5,7 +5,7 @@

 include_recipe "kosmos-nginx"

-domain  = node["kosmos_gitea"]["nginx"]["domain"]
+domain = node["gitea"]["nginx"]["domain"]

 # upstream_ip_addresses = []
 # search(:node, "role:gitea").each do |n|
@@ -28,7 +28,7 @@ template "#{node['nginx']['dir']}/sites-available/#{domain}" do
            ssl_cert:      "/etc/letsencrypt/live/#{domain}/fullchain.pem",
            ssl_key:       "/etc/letsencrypt/live/#{domain}/privkey.pem",
            upstream_host: upstream_ip_address,
-            upstream_port: node["kosmos_gitea"]["port"]
+            upstream_port: node["gitea"]["port"]

  notifies :reload, 'service[nginx]', :delayed
 end
--- a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
@@ -92,3 +92,16 @@ SCHEDULE = @every 15m
 [webhook]
 <% if c["allowed_host_list"] %>ALLOWED_HOST_LIST = <%= c["allowed_host_list"] %><% end %>
 <% end %>
+
+<% if c = @config["storage"] %>
+[storage]
+<% if c["type"] == "minio" %>
+STORAGE_TYPE=minio
+MINIO_ENDPOINT=<%= c["endpoint"] %>
+MINIO_ACCESS_KEY_ID=<%= @s3_key_id %>
+MINIO_SECRET_ACCESS_KEY=<%= @s3_secret_key %>
+MINIO_BUCKET=<%= @s3_bucket %>
+MINIO_LOCATION=<%= c["location"] %>
+MINIO_USE_SSL=<%= c["use_ssl"] %>
+<% end %>
+<% end %>