Move Gitea and Drone CI to new VMs #396
|
@ -0,0 +1,4 @@
|
|||
{
|
||||
"name": "drone-1",
|
||||
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0DLEt7jfKPH7X7pBknG3\nWoB6Q6Vffl6Q0GRxQiMJ1uRC79dulKH097CYfLzIXFZD9gRRP4K78vW5BA2spXVV\nn3qrak9JT6BGgdFrkBEdMNGZyz814aMiyhPZrQUrmIzyH8R04xZgv7UH86qdNQ5p\nPeIXS7gU7/0PmwRgEBiM1KLq+Kba6pYdGefKqxx5D59xweH+yE+rbd5ac9xn2GP7\nyOiZoG2sMuksq7d3O4SeTS2lBAmG5IeiP2iWvHWpZD48PTr78ItkTgIbaqZU2PXV\ng+2OcJPTel5xISooe5FvW8gdpC9SYoBPvgJuJ6czc1+LdUSK7pE7577eAJNDlh+H\nRwIDAQAB\n-----END PUBLIC KEY-----\n"
|
||||
}
|
|
@ -0,0 +1,4 @@
|
|||
{
|
||||
"name": "gitea-1",
|
||||
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0bp4I/f5dLL22GRHanLV\nw57sNBEWT3Vx32B24hScKNP5nYDW0dIRkt1c7SLEpe+diNgyIwk7JlI20Vl+oaVo\njdCpmHSB18yXxQT2Ub6aI8ApwFLECVA6SckekcwxLJc/oGRMB52PonI8opJOVbPa\nF+heZ5NNDiMvn3E8qODdMWSjDiJNSVLJgsCPFHAt32aJgLaXQTqG5lrmltaamscW\njGlFqiBJw/5saCkKBPdPwdX4RcDqvGX1FdE1LVB42cskv8CrnvEVFLBxKXAhAr6s\nNhOhenzLGHpy58tNoUoUw3v4WiPRtcnlNxeSVG5LKkjaK04f2oxeZx3SiSU/1naY\nkwIDAQAB\n-----END PUBLIC KEY-----\n"
|
||||
}
|
|
@ -1,23 +1,37 @@
|
|||
{
|
||||
"id": "drone",
|
||||
"client_id": {
|
||||
"encrypted_data": "PHC6f0UJwuaxnhMhxUVhHMqauCu9aYDp3IFqVzsxEoEodKhg8pgTWS14T5E7\nVm4xlcR/CuLcOA==\n",
|
||||
"iv": "on4hNp3g6pLsvfTE\n",
|
||||
"auth_tag": "ytx40h2fsBHhDpyhwKbHog==\n",
|
||||
"encrypted_data": "bfwxBJt+xNihifwXmjWK3dMDCcjZ1XgiWvqvK0Dj3zd8ZuDRZUwt++xdr/bT\n1wwz1i3udaxZqQ==\n",
|
||||
"iv": "0Bioz/6QbDo5w8Ay\n",
|
||||
"auth_tag": "lF8gragaEIrfR1g+Ka1Wnw==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"client_secret": {
|
||||
"encrypted_data": "HAKFqsrbL447wgropHz2rgHmyRl3G2d24svTT+TYMI0jtQFTQPZLxNZkl3ki\n42n7baNrfXN3IJeQRyxyihw0\n",
|
||||
"iv": "pmdiLiFgSPNNP7dl\n",
|
||||
"auth_tag": "4j98l+lZ0k4mLioJHS5VJw==\n",
|
||||
"encrypted_data": "1TKFuk54DqP/5kAPIfjI2PNriOIJ0NdwV2ETZdF1O7Gt55WXvHSTupQLu0NG\nQkrSXXqdgDKvW2/P+d1W0NTQ\n",
|
||||
"iv": "nBqEog1s/Z2cHnqU\n",
|
||||
"auth_tag": "yBjz6GQ6K6bowih970e37w==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"rpc_secret": {
|
||||
"encrypted_data": "ll4f3ECLQTgJj47aeqnP0Ci1ncMYTwwFw1J46Qx3gPloA2YGPwlfa82Uck1k\neSHCTSNW\n",
|
||||
"iv": "hP5Iq9zOjELUb9d8\n",
|
||||
"auth_tag": "WJlme717tpgbWPcXwFzyvQ==\n",
|
||||
"encrypted_data": "KBJHpfjw6aEuMoOJevkNRFA6NVF8w4cAxRsPRchN+qlLXPT1Kxql2uug8c0P\n1DdKeaZq\n",
|
||||
"iv": "qj9C1PqC1OlDX6YR\n",
|
||||
"auth_tag": "vgI5nxBEYnhwgJATykISJA==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"database_secret": {
|
||||
"encrypted_data": "W+tSV89+1Ue/sNm6+dOW06jFGrmPTt4RVR8A0GUJXZhGbqBBie3jWNW3ZeKg\nfEQTYP1j\n",
|
||||
"iv": "Of9fVasrPT7451HD\n",
|
||||
"auth_tag": "fuY65GQr4s3vR6E3OuZdzQ==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"postgresql_password": {
|
||||
"encrypted_data": "KqoUOOkqBy9Sfrg5THVWyOdgd21aDjXlEqxVhX1OIcsv\n",
|
||||
"iv": "iPDmnzOO1TWA1bO1\n",
|
||||
"auth_tag": "8o+0nRewMEGeoH5/ZfGUuQ==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
}
|
||||
|
|
|
@ -14,7 +14,6 @@
|
|||
"roles": [
|
||||
"gitea",
|
||||
"postgresql_client",
|
||||
"discourse",
|
||||
"drone"
|
||||
],
|
||||
"recipes": [
|
||||
|
@ -26,8 +25,6 @@
|
|||
"kosmos_gitea",
|
||||
"kosmos_gitea::default",
|
||||
"kosmos_gitea::backup",
|
||||
"kosmos_discourse",
|
||||
"kosmos_discourse::default",
|
||||
"kosmos_drone",
|
||||
"kosmos_drone::default",
|
||||
"kosmos_assets::nginx_site",
|
||||
|
@ -36,7 +33,6 @@
|
|||
"kosmos_website",
|
||||
"kosmos_website::default",
|
||||
"kosmos_zerotier::firewall",
|
||||
"sockethub::_firewall",
|
||||
"apt::default",
|
||||
"timezone_iii::default",
|
||||
"timezone_iii::debian",
|
||||
|
@ -82,13 +78,10 @@
|
|||
"run_list": [
|
||||
"recipe[kosmos-base]",
|
||||
"recipe[kosmos_encfs]",
|
||||
"role[gitea]",
|
||||
"role[drone]",
|
||||
"recipe[kosmos_assets::nginx_site]",
|
||||
"recipe[kosmos_kvm::host]",
|
||||
"recipe[kosmos-ejabberd::firewall]",
|
||||
"recipe[kosmos_website::default]",
|
||||
"recipe[kosmos_zerotier::firewall]",
|
||||
"recipe[sockethub::_firewall]"
|
||||
"recipe[kosmos_zerotier::firewall]"
|
||||
]
|
||||
}
|
||||
|
|
|
@ -0,0 +1,58 @@
|
|||
{
|
||||
"name": "drone-1",
|
||||
"normal": {
|
||||
"knife_zero": {
|
||||
"host": "10.1.1.128"
|
||||
}
|
||||
},
|
||||
"automatic": {
|
||||
"fqdn": "drone-1",
|
||||
"os": "linux",
|
||||
"os_version": "5.4.0-1058-kvm",
|
||||
"hostname": "drone-1",
|
||||
"ipaddress": "192.168.122.200",
|
||||
"roles": [
|
||||
"drone",
|
||||
"postgresql_client"
|
||||
],
|
||||
"recipes": [
|
||||
"kosmos-base",
|
||||
"kosmos-base::default",
|
||||
"kosmos_postgresql::hostsfile",
|
||||
"kosmos_drone",
|
||||
"kosmos_drone::default",
|
||||
"apt::default",
|
||||
"timezone_iii::default",
|
||||
"timezone_iii::debian",
|
||||
"ntp::default",
|
||||
"ntp::apparmor",
|
||||
"kosmos-base::systemd_emails",
|
||||
"apt::unattended-upgrades",
|
||||
"kosmos-base::firewall",
|
||||
"kosmos-postfix::default",
|
||||
"postfix::default",
|
||||
"postfix::_common",
|
||||
"postfix::_attributes",
|
||||
"postfix::sasl_auth",
|
||||
"hostname::default"
|
||||
],
|
||||
"platform": "ubuntu",
|
||||
"platform_version": "20.04",
|
||||
"cloud": null,
|
||||
"chef_packages": {
|
||||
"chef": {
|
||||
"version": "17.9.52",
|
||||
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.52/lib",
|
||||
"chef_effortless": null
|
||||
},
|
||||
"ohai": {
|
||||
"version": "17.9.0",
|
||||
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
|
||||
}
|
||||
}
|
||||
},
|
||||
"run_list": [
|
||||
"recipe[kosmos-base]",
|
||||
"role[drone]"
|
||||
]
|
||||
}
|
|
@ -19,6 +19,8 @@
|
|||
"kosmos-base::default",
|
||||
"kosmos_kvm::host",
|
||||
"kosmos_discourse::nginx",
|
||||
"kosmos_gitea::nginx",
|
||||
"kosmos_drone::nginx",
|
||||
"apt::default",
|
||||
"timezone_iii::default",
|
||||
"timezone_iii::debian",
|
||||
|
@ -63,6 +65,6 @@
|
|||
"run_list": [
|
||||
"recipe[kosmos-base]",
|
||||
"recipe[kosmos_kvm::host]",
|
||||
"recipe[kosmos_discourse::nginx]"
|
||||
"role[nginx_proxy]"
|
||||
]
|
||||
}
|
||||
|
|
|
@ -0,0 +1,61 @@
|
|||
{
|
||||
"name": "gitea-1",
|
||||
"normal": {
|
||||
"knife_zero": {
|
||||
"host": "10.1.1.36"
|
||||
}
|
||||
},
|
||||
"automatic": {
|
||||
"fqdn": "gitea-1",
|
||||
"os": "linux",
|
||||
"os_version": "5.4.0-1058-kvm",
|
||||
"hostname": "gitea-1",
|
||||
"ipaddress": "192.168.122.218",
|
||||
"roles": [
|
||||
"gitea",
|
||||
"postgresql_client"
|
||||
],
|
||||
"recipes": [
|
||||
"kosmos-base",
|
||||
"kosmos-base::default",
|
||||
"kosmos_postgresql::hostsfile",
|
||||
"kosmos_gitea",
|
||||
"kosmos_gitea::default",
|
||||
"kosmos_gitea::backup",
|
||||
"apt::default",
|
||||
"timezone_iii::default",
|
||||
"timezone_iii::debian",
|
||||
"ntp::default",
|
||||
"ntp::apparmor",
|
||||
"kosmos-base::systemd_emails",
|
||||
"apt::unattended-upgrades",
|
||||
"kosmos-base::firewall",
|
||||
"kosmos-postfix::default",
|
||||
"postfix::default",
|
||||
"postfix::_common",
|
||||
"postfix::_attributes",
|
||||
"postfix::sasl_auth",
|
||||
"hostname::default",
|
||||
"backup::default",
|
||||
"logrotate::default"
|
||||
],
|
||||
"platform": "ubuntu",
|
||||
"platform_version": "20.04",
|
||||
"cloud": null,
|
||||
"chef_packages": {
|
||||
"chef": {
|
||||
"version": "17.9.52",
|
||||
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.52/lib",
|
||||
"chef_effortless": null
|
||||
},
|
||||
"ohai": {
|
||||
"version": "17.9.0",
|
||||
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
|
||||
}
|
||||
}
|
||||
},
|
||||
"run_list": [
|
||||
"recipe[kosmos-base]",
|
||||
"role[gitea]"
|
||||
]
|
||||
}
|
|
@ -19,6 +19,8 @@
|
|||
"kosmos-base::default",
|
||||
"kosmos_postgresql::primary",
|
||||
"kosmos_postgresql::firewall",
|
||||
"kosmos_gitea::pg_db",
|
||||
"kosmos_drone::pg_db",
|
||||
"apt::default",
|
||||
"timezone_iii::default",
|
||||
"timezone_iii::debian",
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
name "drone"
|
||||
|
||||
run_list %w(
|
||||
role[postgresql_client]
|
||||
kosmos_drone::default
|
||||
)
|
||||
|
|
|
@ -0,0 +1,13 @@
|
|||
name "nginx_proxy"
|
||||
|
||||
default_run_list = %w(
|
||||
kosmos_discourse::nginx
|
||||
kosmos_gitea::nginx
|
||||
kosmos_drone::nginx
|
||||
)
|
||||
|
||||
env_run_lists(
|
||||
'_default' => default_run_list,
|
||||
'development' => [],
|
||||
'production' => default_run_list
|
||||
)
|
|
@ -3,4 +3,6 @@ name "postgresql_primary"
|
|||
run_list %w(
|
||||
kosmos_postgresql::primary
|
||||
kosmos_postgresql::firewall
|
||||
kosmos_gitea::pg_db
|
||||
kosmos_drone::pg_db
|
||||
)
|
||||
|
|
|
@ -2,27 +2,6 @@
|
|||
# Cookbook Name:: kosmos-nginx
|
||||
# Recipe:: default
|
||||
#
|
||||
# The MIT License (MIT)
|
||||
#
|
||||
# Copyright:: 2019, Kosmos Developers
|
||||
#
|
||||
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
# of this software and associated documentation files (the "Software"), to deal
|
||||
# in the Software without restriction, including without limitation the rights
|
||||
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
# copies of the Software, and to permit persons to whom the Software is
|
||||
# furnished to do so, subject to the following conditions:
|
||||
#
|
||||
# The above copyright notice and this permission notice shall be included in
|
||||
# all copies or substantial portions of the Software.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
# THE SOFTWARE.
|
||||
|
||||
node.override['nginx']['default_site_enabled'] = false
|
||||
node.override['nginx']['server_tokens'] = 'off'
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
node.default["kosmos_drone"]["domain"] = "drone.kosmos.org"
|
||||
node.default["kosmos_drone"]["upstream_port"] = 80
|
|
@ -7,5 +7,6 @@ long_description 'Installs/Configures kosmos_drone'
|
|||
version '0.1.0'
|
||||
chef_version '>= 14.0'
|
||||
|
||||
depends "firewall"
|
||||
depends "kosmos-nginx"
|
||||
depends "kosmos_gitea"
|
||||
|
|
|
@ -4,10 +4,17 @@
|
|||
#
|
||||
|
||||
package "docker-compose"
|
||||
domain = "drone.kosmos.org"
|
||||
deploy_path = "/opt/drone"
|
||||
upstream_port = 3002
|
||||
credentials = data_bag_item("credentials", "drone")
|
||||
drone_credentials = data_bag_item('credentials', 'drone')
|
||||
|
||||
postgres_config = {
|
||||
username: "drone",
|
||||
password: drone_credentials["postgresql_password"],
|
||||
host: "pg.kosmos.local",
|
||||
port: 5432,
|
||||
database: "drone"
|
||||
}
|
||||
|
||||
directory deploy_path do
|
||||
action :create
|
||||
|
@ -17,13 +24,16 @@ template "#{deploy_path}/docker-compose.yml" do
|
|||
source "docker-compose.yml.erb"
|
||||
sensitive true
|
||||
mode 0640
|
||||
variables upstream_port: upstream_port,
|
||||
domain: domain,
|
||||
variables domain: node["kosmos_drone"]["domain"],
|
||||
upstream_port: node["kosmos_drone"]["upstream_port"],
|
||||
gitea_server: "https://#{node["kosmos_gitea"]["nginx"]["domain"]}",
|
||||
client_id: credentials['client_id'],
|
||||
client_secret: credentials['client_secret'],
|
||||
rpc_secret: credentials['rpc_secret'],
|
||||
database_secret: credentials['database_secret'],
|
||||
postgres: postgres_config,
|
||||
max_procs: 4
|
||||
notifies :restart, "systemd_unit[drone.service]", :delayed
|
||||
end
|
||||
|
||||
systemd_unit "drone.service" do
|
||||
|
@ -45,20 +55,9 @@ systemd_unit "drone.service" do
|
|||
action [:create, :enable, :start]
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
||||
source "nginx_conf.erb"
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
variables server_name: domain,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
|
||||
upstream_port: upstream_port
|
||||
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
firewall_rule 'drone' do
|
||||
port [node["kosmos_drone"]["upstream_port"]]
|
||||
source "10.1.1.0/24" # TODO only allow nginx proxy IPs
|
||||
protocol :tcp
|
||||
command :allow
|
||||
end
|
||||
|
||||
nginx_site domain do
|
||||
action :enable
|
||||
end
|
||||
|
||||
nginx_certbot_site domain
|
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
#
|
||||
# Cookbook:: kosmos_drone
|
||||
# Recipe:: nginx
|
||||
#
|
||||
|
||||
domain = node["kosmos_drone"]["domain"]
|
||||
|
||||
upstream_ip_addresses = []
|
||||
search(:node, "role:drone").each do |n|
|
||||
upstream_ip_addresses << n["knife_zero"]["host"]
|
||||
end
|
||||
# No Discourse host, stop here
|
||||
return if upstream_ip_addresses.empty?
|
||||
|
||||
nginx_certbot_site domain
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
||||
source "nginx_conf.erb"
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
variables server_name: domain,
|
||||
upstream_ip_addresses: upstream_ip_addresses,
|
||||
upstream_port: node["kosmos_drone"]["upstream_port"],
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
|
||||
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site domain do
|
||||
action :enable
|
||||
end
|
|
@ -0,0 +1,16 @@
|
|||
#
|
||||
# Cookbook:: kosmos_drone
|
||||
# Recipe:: pg_db
|
||||
#
|
||||
|
||||
drone_credentials = data_bag_item("credentials", "drone")
|
||||
|
||||
postgresql_user "drone" do
|
||||
action :create
|
||||
password drone_credentials["postgresql_password"]
|
||||
end
|
||||
|
||||
postgresql_database "drone" do
|
||||
owner "drone"
|
||||
action :create
|
||||
end
|
|
@ -2,7 +2,7 @@ version: '3'
|
|||
|
||||
services:
|
||||
drone-server:
|
||||
image: drone/drone:2.5
|
||||
image: drone/drone:2.11
|
||||
|
||||
ports:
|
||||
- "<%= @upstream_port %>:80"
|
||||
|
@ -17,6 +17,9 @@ services:
|
|||
- DRONE_SERVER_HOST=<%= @domain %>
|
||||
- DRONE_SERVER_PROTO=https # required for the Redirect URI to be built correctly
|
||||
- DRONE_RPC_SECRET=<%= @rpc_secret %>
|
||||
- DRONE_DATABASE_DRIVER=postgres
|
||||
- DRONE_DATABASE_DATASOURCE=postgres://<%= @postgres[:username] %>:<%= @postgres[:password] %>@<%= @postgres[:host] %>:<%= @postgres[:port] %>/<%= @postgres[:database] %>?sslmode=disable
|
||||
- DRONE_DATABASE_SECRET=<%= @database_secret %>
|
||||
|
||||
drone-runner:
|
||||
image: drone/drone-runner-docker:1.8
|
||||
|
|
|
@ -1,7 +1,9 @@
|
|||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
# Generated by Chef
|
||||
upstream _drone {
|
||||
server localhost:<%= @upstream_port %>;
|
||||
<% @upstream_ip_addresses.each do |upstream_ip_address| -%>
|
||||
server <%= upstream_ip_address %>:<%= @upstream_port %>;
|
||||
<% end -%>
|
||||
}
|
||||
|
||||
server {
|
||||
|
|
|
@ -1,9 +1,10 @@
|
|||
gitea_version = "1.16.1"
|
||||
gitea_version = "1.16.3"
|
||||
node.default["kosmos_gitea"]["version"] = gitea_version
|
||||
node.default["kosmos_gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
|
||||
node.default["kosmos_gitea"]["binary_checksum"] = "f03f3a3c4dccc2219351cde5c9af372715b2ec3e88a821779702bc6f38084c97"
|
||||
node.default["kosmos_gitea"]["binary_checksum"] = "626c7da554efcfd3abd88b0355e3adf55d7f0941a01e058b2d4f5923d0d5b7c3"
|
||||
node.default["kosmos_gitea"]["nginx"]["domain"] = "gitea.kosmos.org"
|
||||
node.default["kosmos_gitea"]["working_directory"] = "/var/lib/gitea"
|
||||
node.default["kosmos_gitea"]["port"] = 3000
|
||||
|
||||
node.default["kosmos_gitea"]["config"] = {
|
||||
"webhook": {
|
||||
|
|
|
@ -19,6 +19,7 @@ chef_version '>= 14.0'
|
|||
#
|
||||
# source_url 'https://github.com/<insert_org_here>/kosmos_gitea'
|
||||
|
||||
depends "firewall"
|
||||
depends "kosmos-nginx"
|
||||
depends "kosmos_postgresql"
|
||||
depends "backup"
|
||||
|
|
|
@ -4,26 +4,7 @@
|
|||
#
|
||||
# The MIT License (MIT)
|
||||
#
|
||||
# Copyright:: 2020, Kosmos Developers
|
||||
#
|
||||
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
# of this software and associated documentation files (the "Software"), to deal
|
||||
# in the Software without restriction, including without limitation the rights
|
||||
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
# copies of the Software, and to permit persons to whom the Software is
|
||||
# furnished to do so, subject to the following conditions:
|
||||
#
|
||||
# The above copyright notice and this permission notice shall be included in
|
||||
# all copies or substantial portions of the Software.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
# THE SOFTWARE.
|
||||
#
|
||||
|
||||
unless node.chef_environment == "development"
|
||||
# backup the data dir and the config files
|
||||
node.override["backup"]["archives"]["gitea"] = [node["kosmos_gitea"]["working_directory"]]
|
||||
|
|
|
@ -3,9 +3,6 @@
|
|||
# Recipe:: default
|
||||
#
|
||||
|
||||
include_recipe "kosmos-nginx"
|
||||
|
||||
domain = node["kosmos_gitea"]["nginx"]["domain"]
|
||||
working_directory = node["kosmos_gitea"]["working_directory"]
|
||||
git_home_directory = "/home/git"
|
||||
repository_root_directory = "#{git_home_directory}/gitea-repositories"
|
||||
|
@ -63,15 +60,17 @@ directory config_directory do
|
|||
mode "0750"
|
||||
end
|
||||
|
||||
# Copy the self-signed root certificate to the system certificate store. Gitea
|
||||
# will find it there automatically
|
||||
postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
|
||||
root_cert_path = "/etc/ssl/certs/root.kosmos.org.crt"
|
||||
file root_cert_path do
|
||||
content postgresql_data_bag_item['ssl_root_cert']
|
||||
mode "0644"
|
||||
nginx_proxy_ip_addresses = []
|
||||
search(:node, "role:nginx_proxy").each do |node|
|
||||
nginx_proxy_ip_addresses << node["knife_zero"]["host"]
|
||||
end
|
||||
|
||||
node.default["kosmos_gitea"]["config"] = {
|
||||
"webhook": {
|
||||
"allowed_host_list" => "external,#{nginx_proxy_ip_addresses.join(",")}"
|
||||
}
|
||||
}
|
||||
|
||||
template "#{config_directory}/app.ini" do
|
||||
source "app.ini.erb"
|
||||
owner "git"
|
||||
|
@ -119,20 +118,9 @@ service "gitea" do
|
|||
action [:enable, :start]
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
||||
source "nginx_conf.erb"
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
variables server_name: domain,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
|
||||
upstream_port: 3000
|
||||
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
firewall_rule 'gitea' do
|
||||
port [node["kosmos_gitea"]["port"]]
|
||||
source "10.1.1.0/24" # TODO only allow nginx proxy IPs
|
||||
protocol :tcp
|
||||
command :allow
|
||||
end
|
||||
|
||||
nginx_site domain do
|
||||
action :enable
|
||||
end
|
||||
|
||||
nginx_certbot_site domain
|
||||
|
|
|
@ -0,0 +1,52 @@
|
|||
#
|
||||
# Cookbook:: kosmos_gitea
|
||||
# Recipe:: nginx
|
||||
#
|
||||
|
||||
include_recipe "kosmos-nginx"
|
||||
|
||||
domain = node["kosmos_gitea"]["nginx"]["domain"]
|
||||
|
||||
# upstream_ip_addresses = []
|
||||
# search(:node, "role:gitea").each do |n|
|
||||
# upstream_ip_addresses << n["knife_zero"]["host"]
|
||||
# end
|
||||
begin
|
||||
upstream_ip_address = search(:node, "role:gitea").first["knife_zero"]["host"]
|
||||
rescue
|
||||
Chef::Log.warn('No server with "gitea" role. Stopping here.')
|
||||
return
|
||||
end
|
||||
|
||||
nginx_certbot_site domain
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
||||
source "nginx_conf_web.erb"
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
variables server_name: domain,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
|
||||
upstream_host: upstream_ip_address,
|
||||
upstream_port: node["kosmos_gitea"]["port"]
|
||||
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site domain do
|
||||
action :enable
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/streams-available/ssh" do
|
||||
source "nginx_conf_ssh.erb"
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
variables domain: domain,
|
||||
upstream_host: upstream_ip_address
|
||||
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_stream "ssh" do
|
||||
action :enable
|
||||
end
|
|
@ -2,7 +2,6 @@
|
|||
# Cookbook:: kosmos_gitea
|
||||
# Recipe:: pg_db
|
||||
#
|
||||
# Copyright:: 2020, Kosmos Developers, All Rights Reserved.
|
||||
|
||||
gitea_data_bag_item = data_bag_item("credentials", "gitea")
|
||||
|
||||
|
|
|
@ -44,10 +44,6 @@ FROM = gitea@kosmos.org
|
|||
USER = <%= @smtp_user %>
|
||||
PASSWD = <%= @smtp_password %>
|
||||
|
||||
[oauth2]
|
||||
JWT_SECRET = <%= @jwt_secret %>
|
||||
JWT_SIGNING_ALGORITHM = HS256
|
||||
|
||||
[security]
|
||||
INTERNAL_TOKEN = <%= @internal_token %>
|
||||
INSTALL_LOCK = true
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
upstream _gitea_ssh {
|
||||
server <%= @upstream_host %>:22;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 148.251.83.201:22;
|
||||
proxy_pass _gitea_ssh;
|
||||
}
|
|
@ -1,6 +1,6 @@
|
|||
# Generated by Chef
|
||||
upstream _gitea {
|
||||
server localhost:<%= @upstream_port %>;
|
||||
upstream _gitea_web {
|
||||
server <%= @upstream_host %>:<%= @upstream_port %>;
|
||||
}
|
||||
|
||||
server {
|
||||
|
@ -26,14 +26,14 @@ server {
|
|||
|
||||
location ~ ^/(avatars|repo-avatars)/.*$ {
|
||||
proxy_buffers 1024 8k;
|
||||
proxy_pass http://_gitea;
|
||||
proxy_pass http://_gitea_web;
|
||||
proxy_http_version 1.1;
|
||||
expires 30d;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_buffers 1024 8k;
|
||||
proxy_pass http://_gitea;
|
||||
proxy_pass http://_gitea_web;
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue