chef/site-cookbooks/kosmos_gitea/recipes/default.rb

#
# Cookbook:: kosmos_gitea
# Recipe:: default
#

version                   = node["gitea"]["version"]
download_url              = "https://dl.gitea.io/gitea/#{version}/gitea-#{version}-linux-amd64"
working_directory         = node["gitea"]["working_directory"]
git_home_directory        = "/home/git"
repository_root_directory = "#{git_home_directory}/gitea-repositories"
config_directory          = "/etc/gitea"
gitea_binary_path         = "/usr/local/bin/gitea"
gitea_data_bag_item       = data_bag_item("credentials", "gitea")
smtp_credentials          = data_bag_item("credentials", "smtp")
smtp_addr                 = smtp_credentials["relayhost"].split(":")[0]
smtp_port                 = smtp_credentials["relayhost"].split(":")[1]
jwt_secret                = gitea_data_bag_item["jwt_secret"]
internal_token            = gitea_data_bag_item["internal_token"]
secret_key                = gitea_data_bag_item["secret_key"]

# Dependency
package "git"

user "git" do
  manage_home true
  home "/home/git"
end

directory working_directory do
  owner "git"
  group "git"
  mode  "0750"
end

%w(custom custom/options custom/options/label custom/templates custom/templates/custom).each do |path|
  directory "#{working_directory}/#{path}" do
    owner "git"
    group "git"
    mode  "0750"
  end
end

# Kosmos label set
cookbook_file "#{working_directory}/custom/options/label/Kosmos" do
  source "custom/options/label/Kosmos"
  owner "git"
  group "git"
  mode  "0640"
  notifies :restart, "service[gitea]", :delayed
end

# Kosmos header template
cookbook_file "#{working_directory}/custom/templates/custom/header.tmpl" do
  source "custom/templates/custom/header.tmpl"
  owner "git"
  group "git"
  mode  "0640"
  notifies :restart, "service[gitea]", :delayed
end

directory config_directory do
  owner "git"
  group "git"
  mode "0750"
end

if node.chef_environment == "production"
  allowed_webhook_hosts = []
  search(:node, "role:nginx_proxy OR role:hubot").each do |node|
    allowed_webhook_hosts << node["knife_zero"]["host"]
  end

  node.normal["gitea"]["config"] = {
    "webhook":  {
      "allowed_host_list" => "external,#{allowed_webhook_hosts.join(",")}"
    }
  }
end

config_variables = {
  working_directory: working_directory,
  git_home_directory: git_home_directory,
  repository_root_directory: repository_root_directory,
  config_directory: config_directory,
  gitea_binary_path: gitea_binary_path,
  jwt_secret: jwt_secret,
  internal_token: internal_token,
  secret_key: secret_key,
  postgresql_host: node["gitea"]["postgresql_host"],
  postgresql_password: gitea_data_bag_item["postgresql_password"],
  smtp_addr: smtp_addr,
  smtp_port: smtp_port,
  smtp_user: smtp_credentials["user_name"],
  smtp_password: smtp_credentials["password"],
  config: node["gitea"]["config"],
  s3_key_id: gitea_data_bag_item["s3_key_id"],
  s3_secret_key: gitea_data_bag_item["s3_secret_key"],
  s3_bucket: gitea_data_bag_item["s3_bucket"]
}

template "#{config_directory}/app.ini" do
  source "app.ini.erb"
  owner "git"
  group "git"
  mode "0600"
  sensitive true
  variables config_variables
  notifies :restart, "service[gitea]", :delayed
end

remote_file gitea_binary_path do
  source download_url
  checksum node['gitea']['checksum']
  mode "0755"
  notifies :restart, "service[gitea]", :delayed
end

execute "systemctl daemon-reload" do
  action :nothing
end

template "/etc/systemd/system/gitea.service" do
  source "gitea.service.erb"
  variables working_directory: working_directory,
            git_home_directory: git_home_directory,
            config_directory: config_directory,
            gitea_binary_path: gitea_binary_path
  notifies :run, "execute[systemctl daemon-reload]", :delayed
end

service "gitea" do
  action [:enable, :start]
end

firewall_rule 'gitea' do
  port     [node["gitea"]["port"]]
  source   "10.1.1.0/24" # TODO only allow nginx proxy IPs
  protocol :tcp
  command  :allow
end