From 42ac285f727ecb20fcc9d88220aa67392e5f6905 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Sun, 6 Nov 2022 18:13:33 +0100 Subject: [PATCH 1/8] adding redis container --- roles/gitea/tasks/gitea.yml | 73 ++++++++++++++++++++++++++++++------- 1 file changed, 60 insertions(+), 13 deletions(-) diff --git a/roles/gitea/tasks/gitea.yml b/roles/gitea/tasks/gitea.yml index 72bbf1b..1a173c0 100644 --- a/roles/gitea/tasks/gitea.yml +++ b/roles/gitea/tasks/gitea.yml @@ -18,19 +18,30 @@ - name: create dir structure file: - path: "{{ gitea_user.home }}/{{ item }}" + path: "{{ gitea_user.home }}/{{ item.name }}" state: directory mode: 0755 - owner: git - group: git + owner: "{{ item.owner | default('git') }}" + group: "{{ item.group | default('git') }}" + loop_control: + label: "{{ item.name }}" with_items: - - data - - data/gitea - - data/gitea/conf - - data/gitea/templates - - data/gitea/templates/custom - - data/gitea/templates/user/dashboard - - data/git + - name: data + - name: data/gitea + - name: data/gitea/conf + - name: data/gitea/templates + - name: data/gitea/templates/custom + - name: data/gitea/templates/user/dashboard + - name: data/git + - name: redis + owner: '999' + group: '999' + - name: redis/data + owner: '999' + group: '999' + + tags: + - gitea-mirror - name: template ssh passthrough script template: @@ -39,6 +50,9 @@ mode: 0755 owner: git group: git + when: gitea_ssh_enabled + tags: + - gitea-mirror - name: template config template: @@ -47,9 +61,11 @@ owner: git group: git mode: 0644 - notify: restart gitea + #notify: restart gitea + tags: + - gitea-mirror -- name: template robots.txt +- name: template robots.txt and sitemap.xml template: src: "{{ item }}.j2" dest: "{{ gitea_user.home }}/data/gitea/{{ item }}" 
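Review bot: `when: gitea_ssh_enabled` on the ssh passthrough task references a variable that nothing in this commit defines; the role defaults only gain `gitea_ssh_enabled` in PATCH 2/8 further down the page, so applying this revision alone fails with an undefined-variable error unless inventory already sets it. The same applies to `gitea_custom_tmpl_enabled` in the next hunk of this file. Either add the defaults in the same commit or write the guard as `when: gitea_ssh_enabled | default(false)` so the feature stays off when the variable is absent.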
@@ -78,12 +94,13 @@ - user/dashboard/repolist.tmpl tags: - gitea-templates + when: gitea_custom_tmpl_enabled notify: restart gitea - name: template nginx vhost template: src: 01-gitea.j2 - dest: /etc/nginx/sites-enabled/01-gitea + dest: /etc/nginx/sites-enabled/01-{{ gitea_url }} owner: root group: root mode: 0644 @@ -92,6 +109,36 @@ - gitea-nginx notify: reload nginx +- name: redis container for gitea + docker_container: + name: gitea-redis + image: "redis:latest" + restart_policy: "unless-stopped" + auto_remove: false + detach: true + pull: true + state: started + container_default_behavior: compatibility + env: + REDIS_HOST: redis-gitea + networks_cli_compatible: false + networks: + - name: bridgewithdns + healthcheck: + interval: 30s + timeout: 60s + start_period: 10s + test: "redis-cli --raw incr ping" + mounts: + - type: bind + source: "{{ gitea_user.home }}/redis/data" + target: /data + tags: + - redis + - gitea-redis-container + - gitea-container + - docker-containers + - name: start container docker_container: name: gitea -- 2.40.1 From 30d87bfe3b4af6c6cccd414d61b637c8e07e53c6 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Sun, 6 Nov 2022 18:14:34 +0100 Subject: [PATCH 2/8] prepping for second gitea server --- .gitignore | 1 + roles/gitea/defaults/main.yml | 8 +++++++- roles/gitea/templates/filebeat-gitea.yml.j2 | 1 + 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 1db0010..9d7e639 100644 --- a/.gitignore +++ b/.gitignore @@ -95,3 +95,4 @@ jenkins.yml kvm.yml paperless.yml vaultwarden.yml +mirrors.yml diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml index 326c1a0..8305f09 100644 --- a/roles/gitea/defaults/main.yml +++ b/roles/gitea/defaults/main.yml @@ -1,5 +1,11 @@ --- gitea_username: git - gitea_user: "{{ systemuserlist[gitea_username] }}" + +gitea_main: true +gitea_ssh_enabled: true +gitea_custom_tmpl_enabled: true +gitea_smtp_enabled: true + +shieldsio_enabled: false 
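Review bot: Changing `dest` to `/etc/nginx/sites-enabled/01-{{ gitea_url }}` leaves the previously deployed `/etc/nginx/sites-enabled/01-gitea` in place on existing hosts, so nginx keeps loading both vhosts with the same `server_name` until someone deletes the old file by hand. A `file: path: /etc/nginx/sites-enabled/01-gitea` task with `state: absent` and the same `notify: reload nginx` would make the rename converge. The value is a plain scalar whose Jinja expression sits mid-string, which YAML accepts, but quoting it (`dest: "/etc/nginx/sites-enabled/01-{{ gitea_url }}"`) matches the rest of the file.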
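Review bot: The redis container runs `redis:latest` with `pull: true` and no command or config file, so every playbook run may pull a different image and the server starts without authentication; anything else attached to the `bridgewithdns` network can read and write the cache Gitea keeps there. Pin a release tag or `@sha256:` digest, and either pass a vaulted password (`command: redis-server --requirepass ...` together with `password=` in Gitea's `[cache] HOST` connection string) or put the container on a network that only Gitea shares. `REDIS_HOST: redis-gitea` is not read by the redis image and does not match the container name `gitea-redis`, which is the hostname the app.ini on this page connects to; dropping the variable removes the confusion.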
diff --git a/roles/gitea/templates/filebeat-gitea.yml.j2 b/roles/gitea/templates/filebeat-gitea.yml.j2 index a166497..19b268f 100644 --- a/roles/gitea/templates/filebeat-gitea.yml.j2 +++ b/roles/gitea/templates/filebeat-gitea.yml.j2 @@ -8,6 +8,7 @@ fields_under_root: true fields: service.type: gitea + gitea_name: {{ gitea_url }} tags: - gitea -- 2.40.1 From 97a720637b3f52c8491b8fbcfe36d00aff8830f9 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Sun, 6 Nov 2022 18:15:00 +0100 Subject: [PATCH 3/8] half working shields.io setup for now, custom build in the cards --- roles/gitea/tasks/main.yml | 5 ++++ roles/gitea/tasks/shieldsio.yml | 19 ++++++++++++ roles/gitea/templates/01-gitea.j2 | 50 ++++++++++++++++++++++++++----- 3 files changed, 67 insertions(+), 7 deletions(-) create mode 100644 roles/gitea/tasks/shieldsio.yml diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml index c49ce67..54d738d 100644 --- a/roles/gitea/tasks/main.yml +++ b/roles/gitea/tasks/main.yml @@ -1,3 +1,8 @@ --- - import_tasks: gitea.yml tags: gitea + + - import_tasks: shieldsio.yml + tags: + - gitea + - shieldsio diff --git a/roles/gitea/tasks/shieldsio.yml b/roles/gitea/tasks/shieldsio.yml new file mode 100644 index 0000000..4080dcb --- /dev/null +++ b/roles/gitea/tasks/shieldsio.yml @@ -0,0 +1,19 @@ +--- + +# docker run --rm -p 8080:8080 --env PORT=8080 --name shields shieldsio/shields:next + +- name: start shields.io container + docker_container: + name: shieldsio + image: shieldsio/shields:next + detach: true + pull: true + restart_policy: unless-stopped + state: started + ports: + - 127.0.0.1:{{ shieldsio_port }}:{{ shieldsio_port }} + env: + PORT: "{{ shieldsio_port | string }}" + tags: + - docker-containers + when: shieldsio_enabled diff --git a/roles/gitea/templates/01-gitea.j2 b/roles/gitea/templates/01-gitea.j2 index 9146c65..8d1ca9e 100644 --- a/roles/gitea/templates/01-gitea.j2 +++ b/roles/gitea/templates/01-gitea.j2 
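Review bot: `gitea_name: {{ gitea_url }}` renders an unquoted Jinja value into YAML, so an empty or unset `gitea_url` yields `null` and any value containing `: ` or starting with a YAML indicator breaks the document instead of producing a string. Quote it: `gitea_name: "{{ gitea_url }}"`.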
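Review bot: `image: shieldsio/shields:next` together with `pull: true` deploys whatever the moving `next` tag points to on each run, with no record of what was actually running; pin a release tag or an `@sha256:` digest and bump it deliberately. Binding to `127.0.0.1:` is right since only nginx needs to reach the service, but the port entry is an unquoted scalar full of colons and should be written `- "127.0.0.1:{{ shieldsio_port }}:{{ shieldsio_port }}"` so the parser never retypes it. The `# docker run ...` comment at the top duplicates the task below it and will drift; a one-line purpose comment is more useful.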
@@ -6,10 +6,10 @@ server { listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2; {% endif -%} + include /etc/nginx/sudo-known.conf; include listen-proxy-protocol.conf; server_name {{ gitea_url }} {{ gitea_extra_urls | default([]) | join([" "]) }}; - # default value set $header_sudo_gitea "gitea"; @@ -45,8 +45,6 @@ server { } {% endfor %} - include /etc/nginx/sudo-known.conf; - location /robots.txt { # gitea itself can also serve this file alias {{ gitea_user.home }}/data/gitea/robots.txt; @@ -60,6 +58,44 @@ server { return 302 https://{{ authelia_login_url }}/reset-password/step1; } + {% if shieldsio_enabled -%} + + gzip_static off; + gzip off; + + location = {{ shieldsio_path }} { + return 302 {{ shieldsio_path }}/; + } + {# location /page-data { + # # wrong: /page-data/shieldsio/page-data.json + # # should be: {{ shieldsio_path }}/page-data/index/page-data.json + # + # #rewrite '^/page-data{{ shieldsio_path }}(/.*)' '/page-data/index$1'; + # return 302 {{ shieldsio_path }}$uri; + # } #} + + location {{ shieldsio_path }}/ { + rewrite '^{{ shieldsio_path }}(/.*)$' $1 break; + + proxy_set_header Accept-Encoding ""; + sub_filter 'href="/' 'href="{{ shieldsio_path }}/'; + sub_filter 'src="/' 'src="{{ shieldsio_path }}/'; + #sub_filter 'pagePath="/' 'pagePath="{{ shieldsio_path }}/'; + sub_filter_once off; + sub_filter_types *; + + #sub_filter '\$\{\_\_PATH_PREFIX\_\_\}' '{{ shieldsio_path }}/'; + + proxy_pass http://127.0.0.1:{{ shieldsio_port }}; + + proxy_redirect off; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + set $header_sudo_gitea "shields.io"; + } + {% endif %} + access_log /var/log/nginx/access_{{ gitea_url }}.log main; error_log /var/log/nginx/error_{{ gitea_url }}.log warn; 
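Review bot: `gzip_static off;` and `gzip off;` sit at server scope inside the `{% if shieldsio_enabled %}` block, so enabling shields disables response compression for the whole Gitea vhost rather than just the badge UI; move both into `location {{ shieldsio_path }}/ { ... }`, where `proxy_set_header Accept-Encoding ""` already keeps the upstream body uncompressed for `sub_filter`. The `rewrite '^{{ shieldsio_path }}(/.*)$' $1 break;` line interpolates the path into a regex unescaped, so a path containing `.` or other metacharacters matches more than the literal prefix; `rewrite '^{{ shieldsio_path | regex_escape }}(/.*)$' $1 break;` keeps the match literal. `sub_filter_types *;` with `sub_filter_once off` rewrites every proxied body, SVG and JSON included, which may be intended for the page assets but deserves a comment saying so. The enclosing `server { }` block starts and ends outside the hunk.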
@@ -68,10 +104,10 @@ server { ssl_certificate /usr/local/etc/certs/{{ gitea_url }}/fullchain.pem; ssl_certificate_key /usr/local/etc/certs/{{ gitea_url }}/privkey.pem; - add_header Referrer-Policy "no-referrer" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-XSS-Protection "1; mode=block" always; + #add_header Referrer-Policy "no-referrer" always; + #add_header X-Frame-Options "SAMEORIGIN" always; + #add_header X-Permitted-Cross-Domain-Policies "none" always; + #add_header X-XSS-Protection "1; mode=block" always; add_header SUDO-GITEA $header_sudo_gitea always; fastcgi_hide_header X-Powered-By; -- 2.40.1 From d3143916bd35d7efa1a00bb9a5b7ad8ebc5f6716 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Sun, 6 Nov 2022 22:22:03 +0100 Subject: [PATCH 4/8] creating missing dirs and managing the ssh keys for the ssh shim --- roles/gitea/tasks/gitea.yml | 41 +++++++++++++++++++++++++++++++------ 1 file changed, 35 insertions(+), 6 deletions(-) diff --git a/roles/gitea/tasks/gitea.yml b/roles/gitea/tasks/gitea.yml index 1a173c0..51fc61c 100644 --- a/roles/gitea/tasks/gitea.yml +++ b/roles/gitea/tasks/gitea.yml 
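Review bot: Commenting out `add_header Referrer-Policy`, `X-Frame-Options`, `X-Permitted-Cross-Domain-Policies` and `X-XSS-Protection` removes those response headers from the entire Gitea vhost, not just the shields.io location, and the change is unconditional rather than tied to `shieldsio_enabled`. If the badge UI needs different framing or referrer behaviour, keep the server-level lines and declare the alternative inside `location {{ shieldsio_path }}/`; nginx replaces the inherited `add_header` set as soon as a location defines its own, so only that path is affected. At minimum restore `add_header Referrer-Policy "no-referrer" always;` and `add_header X-Frame-Options "SAMEORIGIN" always;` for the repository pages. The enclosing `server { }` block starts and ends outside the hunk.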
@@ -21,18 +21,31 @@ path: "{{ gitea_user.home }}/{{ item.name }}" state: directory mode: 0755 - owner: "{{ item.owner | default('git') }}" - group: "{{ item.group | default('git') }}" + owner: "{{ item.owner | default(gitea_user.username) }}" + group: "{{ item.group | default(gitea_user.username) }}" loop_control: - label: "{{ item.name }}" + label: "{{ gitea_user.home }}/{{ item.name }}" with_items: - name: data + + - name: data/git - name: data/gitea - - name: data/gitea/conf + + # for overriding gitea's go-templates + # from role/gitea/files/tmpl/ - name: data/gitea/templates - name: data/gitea/templates/custom - name: data/gitea/templates/user/dashboard - - name: data/git + + - name: data/gitea/conf + - name: data/gitea/tmp + - name: data/gitea/uploads + - name: data/gitea/indexers + - name: data/gitea/attachments + - name: data/gitea/avatars + - name: data/gitea/repo-avatars + - name: data/gitea/log + - name: redis owner: '999' group: '999' @@ -54,6 +67,21 @@ tags: - gitea-mirror +- name: copy the ssh keys used for the ssh shim (gitea manages authorized_keys) + copy: + src: "private/gitea/{{ item.name }}" + dest: "{{ gitea_user.home }}/.ssh/{{ item.name }}" + mode: "{{ item.mode }}" + owner: "{{ gitea_user.username }}" + group: "{{ gitea_user.username }}" + no_log: true + when: gitea_ssh_enabled + with_items: + - name: id_rsa + mode: "0600" + - name: id_rsa.pub + mode: "0644" + - name: template config template: src: private/gitea_app.ini.j2 @@ -61,8 +89,9 @@ owner: git group: git mode: 0644 - #notify: restart gitea + notify: restart gitea tags: + - gitea-config - gitea-mirror - name: template robots.txt and sitemap.xml -- 2.40.1 From db1644017ab6150db6533b0a59f3cc4a8c984859 Mon Sep 17 00:00:00 2001 
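Review bot: The copy task writes to `{{ gitea_user.home }}/.ssh/{{ item.name }}`, but nothing on the page creates `.ssh`: the directory list in the hunk above has no `.ssh` entry, and `copy` does not create missing parent directories, so the task fails on a fresh host unless the directory comes from elsewhere (user creation, for instance). A `file: path: "{{ gitea_user.home }}/.ssh"` task with `state: directory`, `mode: "0700"` and the same owner, placed before the copy and under the same `when:`, closes that gap. `no_log: true` on the private key is right; also make sure `private/gitea/id_rsa` itself is vault-encrypted or kept out of the repository, since it is a long-lived credential.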
From: Ben Kristinsson Date: Sun, 6 Nov 2022 22:48:01 +0100 Subject: [PATCH 5/8] remove old env vars that are in the config and remove broken login link --- roles/gitea/defaults/main.yml | 11 +++++++---- roles/gitea/files/tmpl/custom/extra_links.tmpl | 2 +- roles/gitea/tasks/gitea.yml | 9 ++------- 3 files changed, 10 insertions(+), 12 deletions(-) diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml index 8305f09..e2c5896 100644 --- a/roles/gitea/defaults/main.yml +++ b/roles/gitea/defaults/main.yml @@ -2,10 +2,13 @@ gitea_username: git gitea_user: "{{ systemuserlist[gitea_username] }}" +gitea_log_level: Info -gitea_main: true -gitea_ssh_enabled: true -gitea_custom_tmpl_enabled: true -gitea_smtp_enabled: true +gitea_main: false +gitea_ssh_enabled: false +gitea_custom_tmpl_enabled: false +gitea_smtp_enabled: false +gitea_lfs_enabled: false +gitea_oidc_client_enabled: false shieldsio_enabled: false diff --git a/roles/gitea/files/tmpl/custom/extra_links.tmpl b/roles/gitea/files/tmpl/custom/extra_links.tmpl index b4b25ec..5a188b0 100644 --- a/roles/gitea/files/tmpl/custom/extra_links.tmpl +++ b/roles/gitea/files/tmpl/custom/extra_links.tmpl @@ -5,5 +5,5 @@ ops/wiki ops/packages {{else}} -log in + {{end}} \ No newline at end of file diff --git a/roles/gitea/tasks/gitea.yml b/roles/gitea/tasks/gitea.yml index 51fc61c..7cc645f 100644 --- a/roles/gitea/tasks/gitea.yml +++ b/roles/gitea/tasks/gitea.yml @@ -39,12 +39,13 @@ - name: data/gitea/conf - name: data/gitea/tmp - - name: data/gitea/uploads - name: data/gitea/indexers - name: data/gitea/attachments - name: data/gitea/avatars - name: data/gitea/repo-avatars - name: data/gitea/log + # this one seems to get deleted + #- name: data/gitea/uploads - name: redis owner: '999' 
@@ -187,12 +188,6 @@ env: USER_UID: "{{ gitea_user.uid }}" USER_GID: "{{ gitea_user.gid }}" - DB_TYPE: mysql - DB_HOST: "{{ ansible_docker0.ipv4.address }}:3306" - DB_NAME: gitea - DB_USER: gitea - DB_PASSWD: "{{ gitea_user.mariadb_pass }}" - DISABLE_REGISTRATION: "true" networks_cli_compatible: false network_mode: bridgewithdns networks: -- 2.40.1 From fe311921e704e2f1115b3f5c180518329bbd2a52 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 7 Nov 2022 01:27:08 +0100 Subject: [PATCH 6/8] new default values for config --- roles/gitea/defaults/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml index e2c5896..c5e3736 100644 --- a/roles/gitea/defaults/main.yml +++ b/roles/gitea/defaults/main.yml @@ -9,6 +9,11 @@ gitea_ssh_enabled: false gitea_custom_tmpl_enabled: false gitea_smtp_enabled: false gitea_lfs_enabled: false +gitea_oidc_provider_enabled: false gitea_oidc_client_enabled: false +gitea_reverse_proxy_auth_enabled: false +gitea_indexer_es_enabled: false +gitea_openid_enabled: false +gitea_federation_enabled: false shieldsio_enabled: false -- 2.40.1 From 55390addc9f803a63736e139950da9dccb4fe069 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 7 Nov 2022 01:28:13 +0100 Subject: [PATCH 7/8] cleaned up secrets from config file, went thorugh example config in upstream repo --- roles/gitea/tasks/gitea.yml | 4 +- roles/gitea/templates/app.ini.j2 | 518 +++++++++++++++++++++++++++++++ 2 files changed, 519 insertions(+), 3 deletions(-) create mode 100644 roles/gitea/templates/app.ini.j2 diff --git a/roles/gitea/tasks/gitea.yml b/roles/gitea/tasks/gitea.yml index 7cc645f..a5fa838 100644 --- a/roles/gitea/tasks/gitea.yml +++ b/roles/gitea/tasks/gitea.yml @@ -44,8 +44,6 @@ - name: data/gitea/avatars - name: data/gitea/repo-avatars - name: data/gitea/log - # this one seems to get deleted - #- name: data/gitea/uploads - name: redis owner: '999' 
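Review bot: Dropping `DISABLE_REGISTRATION: "true"` from the container environment changes behaviour beyond moving settings into the config file: the app.ini.j2 introduced in PATCH 7/8 on this page renders `DISABLE_REGISTRATION = false` with `ALLOW_ONLY_EXTERNAL_REGISTRATION = true`, so sign-up through any configured external provider becomes possible where it was previously blocked outright. If that is intended, the commit message should say so; if not, carry the setting over as `DISABLE_REGISTRATION = true` in the template. The `docker_container` task starts and ends outside the hunk.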
@@ -85,7 +83,7 @@ - name: template config template: - src: private/gitea_app.ini.j2 + src: app.ini.j2 dest: "{{ gitea_user.home }}/data/gitea/conf/app.ini" owner: git group: git diff --git a/roles/gitea/templates/app.ini.j2 b/roles/gitea/templates/app.ini.j2 new file mode 100644 index 0000000..064f8bc --- /dev/null +++ b/roles/gitea/templates/app.ini.j2 
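Review bot: Moving the template out of `private/` does not change what it renders: app.ini.j2 on this page still writes `PASSWD = {{ gitea_user.mariadb_pass }}`, `SECRET_KEY`, `INTERNAL_TOKEN` and, when enabled, `LFS_JWT_SECRET` into `/data/gitea/conf/app.ini`, and the task installs that file with `mode: 0644` (visible in the earlier hunk of this file on the page), readable by every local account. Use `mode: "0600"`, quoting the octal so YAML does not retype it. `owner: git` and `group: git` are still hard-coded here while the directory task now uses `{{ gitea_user.username }}`; using the variable in both keeps them consistent.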
@@ -0,0 +1,518 @@ +# distributed from ansible/private + +APP_NAME = {{ gitea_url }} +RUN_MODE = prod +RUN_USER = {{ gitea_user.username }} + +[server] +# http because nginx terminates https +PROTOCOL = http +USE_PROXY_PROTOCOL = false +APP_DATA_PATH = /data/gitea +DOMAIN = {{ gitea_url }} +HTTP_PORT = {{ gitea_docker_port }} +ROOT_URL = https://{{ gitea_url }}/ + +# for gitea workerse (such as ssh update) that access the web service +# setting this value allows us to set more custom SSH_ settings +LOCAL_ROOT_URL = http://localhost:{{ gitea_docker_port }}/ + +# disables use of cdn for static files and gravatar for profile pictures +OFFLINE_MODE = true + +# we have the nginx access logs +DISABLE_ROUTE_LOG = false + +# gzip compressoin for runtime-generated content (not static resources) +ENABLE_GZIP = false + +# web browser cache (custom/, public/, avatars) +STATIC_CACHE_TIME = 6h +STATIC_URL_PREFIX = https://{{ gitea_url }}/ + +# can be "home", "explore", "organizations", "login", or any URL such +# as "/org/repo" or even "https://anotherwebsite.com +LANDING_PAGE = home + +{% if gitea_lfs_enabled -%} +LFS_START_SERVER = true +LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }} +{% else -%} +LFS_START_SERVER = false +{% endif %} + +{% if gitea_ssh_enabled -%} +DISABLE_SSH = alse +SSH_AUTHORIZED_KEYS_BACKUP = true +# displayed in the clone urls on the web interface +SSH_DOMAIN = {{ gitea_url }} +SSH_USER = {{ gitea_user.username }} +SSH_PORT = 22 +SSH_EXPOSE_ANONYMOUS = false + +# the docker image is running an opsnssh server (with supervised) +START_SSH_SERVER = false + +# and trying to start the builtin ssh server gives +# error: listen tcp :22: bind: address already in use +# START_SSH_SERVER = true +# BUILTIN_SSH_SERVER_USER = {{ gitea_user.username }} +# SSH_LISTEN_PORT = 22 + +{% else -%} +DISABLE_SSH = true +{% endif %} + + +[database] +DB_TYPE = mysql +HOST = 172.17.0.1:3306 +NAME = {{ gitea_user.mariadb_username }} +USER = {{ gitea_user.mariadb_username }} +PASSWD = 
{{ gitea_user.mariadb_pass }} +LOG_SQL = false +SCHEMA = +SSL_MODE = disable +CHARSET = utf8mb4 + +[security] +# explicitly setting some default values +COOKIE_USERNAME = gitea_awesome +COOKIE_REMEMBER_NAME = gitea_incredible +LOGIN_REMEMBER_DAYS = 7 +DISABLE_WEBHOOKS = false + +# secret keys +SECRET_KEY = {{ gitea_secret_key }} +INTERNAL_TOKEN = {{ gitea_internal_token }} + +# user needs git hook privileges to set git hook +DISABLE_GIT_HOOKS = false + +# disables the installer +INSTALL_LOCK = {{ gitea_installer_locked | default(true) | string | lower }} + +{% if gitea_reverse_proxy_auth_enabled -%} +# values to use authelias reverse proxy auth +REVERSE_PROXY_AUTHENTICATION_USER = X-Remote-User +REVERSE_PROXY_AUTHENTICATION_EMAIL = X-Remote-Email +REVERSE_PROXY_AUTHENTICATION_FULL_NAME = X-Remote-Name +REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128 +# use X-Forwarded-For or X-Real-IP header to set remote IP for the request +REVERSE_PROXY_LIMIT = 1 +{% endif %} + +{% if gitea_oidc_provider_enabled -%} +[oauth2] +# generate with 'gitea generate': +# https://docs.gitea.io/en-us/command-line/#generate +JWT_SECRET = {{ gitea_oidc_provider_jwt_secret }} +{% endif %} + +[log] +MODE = file +FILE_NAME = gitea.log +LEVEL = {{ gitea_log_level }} +REDIRECT_MACARON_LOG = true +MACARON = file +ROUTER = file +ROOT_PATH = /data/gitea/log +ENABLE_SSH_LOG = {{ gitea_ssh_enabled | string | lower }} + +[log.file.*] +FLAGS = longfile,shortfuncname,level + +[git] +# explicitly set defaults +HOME_PATH = /data/gitea/home +MAX_GIT_DIFF_LINES = 1000 +MAX_GIT_DIFF_FILES = 100 +# respond to pushes to non-default branches with a link to create a PR +PULL_REQUEST_PUSH_MESSAGE = true + +[git.timeout] +DEFAULT = 360 +MIGRATE = 600 +MIRROR = 300 +CLONE = 300 +PULL = 300 +GC = 60 + +[service] +# expire time for email links +ACTIVE_CODE_LIVE_MINUTES = 180 +RESET_PASSWD_CODE_LIVE_MINUTES = 180 +REGISTER_EMAIL_CONFIRM = false +ENABLE_CAPTCHA = false + +# dont require user to sign in to view 
public stuff +REQUIRE_SIGNIN_VIEW = false + +# only allow external (ldap, oidc) registrations +DISABLE_REGISTRATION = false +ALLOW_ONLY_EXTERNAL_REGISTRATION = true +SHOW_REGISTRATION_BUTTON = false + +# repo settings +DEFAULT_ENABLE_TIMETRACKING = false + +# org settings +DEFAULT_ALLOW_CREATE_ORGANIZATION = true +DEFAULT_ORG_VISIBILITY = public + +# user settings +DEFAULT_USER_VISIBILITY = limited +# public, limited (visible to logged in), private (visible to users in same org) +ALLOWED_USER_VISIBILITY_MODES = public,limited,private +AUTO_WATCH_ON_CHANGES = true +AUTO_WATCH_NEW_REPOS = false +NO_REPLY_ADDRESS = {{ gitea_url }} +DEFAULT_KEEP_EMAIL_PRIVATE = false + +ENABLE_NOTIFY_MAIL = false + +{% if gitea_reverse_proxy_auth_enabled -%} +ENABLE_REVERSE_PROXY_AUTHENTICATION = true +ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true +ENABLE_REVERSE_PROXY_EMAIL = true +ENABLE_REVERSE_PROXY_FULL_NAME = true +{% else -%} +ENABLE_REVERSE_PROXY_AUTHENTICATION = true +{% endif %} + +[repository] +ROOT = /data/git/repositories +DEFAULT_BRANCH = main +# default: last. 
options: last, private, public +DEFAULT_PRIVATE = public +# default to creating private repo when using push-to-create +DEFAULT_PUSH_CREATE_PRIVATE = true + +[repository.editor] +# default includes no extension (single ',' at the end) +LINE_WRAP_EXTENSIONS = .txt,.md,.markdown,.mdown,.mkd +PREVIEWABLE_FILE_MODES = markdown + +[repository.local] +LOCAL_COPY_PATH = /data/gitea/tmp/local-repo + +[repository.upload] +ENABLED = true +TEMP_PATH = /data/gitea/tmp/uploads +MAX_FILES = 25 +# in MB +FILE_MAX_SIZE = 10 + +[repository.pull-request] +WORK_IN_PROGRESS_PREFIXES = wip,wip:,[wip],WIP,WIP:,[WIP] +DEFAULT_MERGE_MESSAGE_ALL_AUTHORS = true +# annoyingly, these go _above_ the link to the PR +POPULATE_SQUASH_COMMENT_WITH_COMMIT_MESSAGES = false + +[project] +# explicit defaults +PROJECT_BOARD_BASIC_KANBAN_TYPE = To Do, In Progress, Done +PROJECT_BOARD_BUG_TRIAGE_TYPE = Needs Triage, High Priority, Low Priority, Closed + +[cors] +# we would set this in nginx +# https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#The_HTTP_response_headers +ENABLED = false + +[ui] +DEFAULT_THEME = arc-green +ISSUE_PAGING_NUM = 100 +REACTIONS = +1, -1, laugh, hooray, confused, heart, rocket, eyes +# on the explore page +SHOW_USER_EMAIL = false +# everywhere +DEFAULT_SHOW_FULL_NAME = false +# default: disable a Service Worker to cache frontend assets +USE_SERVICE_WORKER = false + +[ui.user] +# repos that are displayed on one page +REPO_PAGING_NUM = 30 + +{% if gitea_main -%} +[ui.meta] +# affects how links are unfurled +AUTHOR = {{ gitea_url }} +DESCRIPTION = Gitea +KEYWORDS = git,self-hosted,gitea,{{ domain }},{{ gitea_url }},{{ myusername }} +{% endif %} + +[ui.notification] +# how often the notification endpoint is polled to update the notification +# will increase to MAX_TIMEOUT in TIMEOUT_STEPs if notification count is unchanged +# to disable: set MIN_TIMEOUT to -1 +MIN_TIMEOUT = 60s +MAX_TIMEOUT = 180s +TIMEOUT_STEP = 30s + +[markdown] +# soft line breaks as hard line breaks: single 
newline character between +# paragraphs will cause a line break, adding trailing whitespace to paragraphs +# is not necessary to force a line break. +ENABLE_HARD_LINE_BREAK_IN_COMMENTS = false +ENABLE_HARD_LINE_BREAK_IN_DOCUMENTS = false + +FILE_EXTENSIONS = .md,.markdown,.mdown,.mkd +ENABLE_MATH = true + +[indexer] +{% if gitea_indexer_es_enabled -%} +ISSUE_INDEXER_TYPE = elasticsearch +ISSUE_INDEXER_CONN_STR = http://elastic:changeme@localhost:9200 +ISSUE_INDEXER_NAME = gitea_issues +REPO_INDEXER_ENABLED = true +REPO_INDEXER_CONN_STR = http://elastic:changeme@localhost:9200 +REPO_INDEXER_NAME = gitea_repos +REPO_INDEXER_TYPE = elasticsearch +{% else -%} +ISSUE_INDEXER_TYPE = bleve +ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve +REPO_INDEXER_ENABLED = false +# takes a lot of disk space +#REPO_INDEXER_TYPE = bleve +{% endif %} + +[admin] +DEFAULT_EMAIL_NOTIFICATIONS = onmention +# allow non-admin users to create orgs +DISABLE_REGULAR_ORG_CREATION = false + +{% if gitea_openid_enabled -%} +[openid] +ENABLE_OPENID_SIGNIN = true +ENABLE_OPENID_SIGNUP = true +{% endif %} + +{% if gitea_oidc_client_enabled -%} +[oauth2_client] +# can override REGISTER_EMAIL_CONFIRM (currently set to same) +REGISTER_EMAIL_CONFIRM = false +#OPENID_CONNECT_SCOPES = +ENABLE_AUTO_REGISTRATION = true +# userid = use the userid / sub attribute +# nickname = use the nickname attribute +# email = use the username part of the email attribute +USERNAME = nickname +# update if available on each login +UPDATE_AVATAR = false +# if account/email exists +# disabled = show an error +# login = show an account linking login +# auto = link directly with the account +ACCOUNT_LINKING = login +{% endif %} + +[mailer] +{% if gitea_smtp_enabled -%} +ENABLED = true +MAILER_TYPE = smtp +FROM = git@{{ domain }} +ENVELOPE_FROM = git@{{ domain }} +HELO_HOSTNAME = {{ gitea_url }} +SUBJECT_PREFIX = [{{ gitea_url }}] + +{% if gitea_smtp_matrix|default(false) -%} +SMTP_ADDR = {{ matrix_smtp_url }} +SMTP_PORT = 
25 +PROTOCOL = smtp +{% else -%} +SMTP_ADDR = {{ smtp_server }} +SMTP_PORT = {{ smtp_port }} +USER = {{ smtp_username }} +PASSWD = {{ smtp_passwd }} +PROTOCOL = smtps +FORCE_TRUST_SERVER_CERT = false +{% endif %} + +{% else -%} +ENABLED = false +{% endif %} + +[cache] +ENABLED = true +ADAPTER = redis +INTERVAL = 60 +HOST = network=tcp,addr=gitea-redis:6379,db=0,pool_size=100,idle_timeout=100 +ITEM_TTL = 16h + +[cache.last_commit] +ENABLED = true + +[session] +# empty = use db config +PROVIDER_CONFIG = +PROVIDER = db +# 1 week +SESSION_LIFE_TIME = 604800 +# the cooke SameSite setting (not gitea specific) +SAME_SITE = lax +COOKIE_NAME = i_like_gitea + +[picture] +AVATAR_UPLOAD_PATH = /data/gitea/avatars +REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars +DISABLE_GRAVATAR = true +ENABLE_FEDERATED_AVATAR = false + +[attachment] +# pull request attachments +STORAGE_TYPE = local +PATH = /data/gitea/attachments + +[cron] +ENABLED = true +RUN_AT_START = false + +[cron.archive_cleanup] +ENABLED = false + +[cron.update_mirrors] +ENABLED = true +SCHEDULE = @every 1h +RUN_AT_START = false + +[cron.repo_health_check] +ENABLED = true +SCHEDULE = @midnight +RUN_AT_START = false + +[cron.check_repo_stats] +ENABLED = true +SCHEDULE = @midnight +RUN_AT_START = false + +[cron.update_migration_poster_id] +ENABLED = false + +[cron.sync_external_users] +ENABLED = true +RUN_AT_START = false +SCHEDULE = @every 1h +UPDATE_EXISTING = true + +[cron.deleted_branches_cleanup] +ENABLED = true +RUN_AT_START = false +SCHEDULE = @midnight +OLDER_THAN = 24h + +[cron.cleanup_hook_task_table] +ENABLED = true +RUN_AT_START = false + +[cron.cleanup_packages] +ENABLED = true +RUN_AT_START = true +SCHEDULE = @midnight +OLDER_THAN = 24h + +[cron.delete_inactive_accounts] +ENABLED = false + +[cron.delete_repo_archives] +ENABLED = false + +[cron.git_gc_repos] +ENABLED = true +RUN_AT_START = false +SCHEDULE = @every 72h +TIMEOUT = 60s +# args for 'git gc' +# ARGS = + +[cron.resync_all_sshkeys] 
+ENABLED = true +RUN_AT_START = false +SCHEDULE = @every 72h + +[cron.resync_all_hooks] +ENABLED = true +RUN_AT_START = false +SCHEDULE = @every 72h + +[cron.reinit_missing_repos] +ENABLED = true +RUN_AT_START = false +SCHEDULE = @every 72h + +[cron.delete_missing_repos] +ENABLED = true +RUN_AT_START = false +SCHEDULE = @every 72h + +[cron.delete_generated_repository_avatars] +ENABLED = false + +[cron.delete_old_actions] +ENABLED = true +RUN_AT_START = false +SCHEDULE = @every 72h + +[cron.update_checker] +ENABLED = true +RUN_AT_START = false +SCHEDULE = @every 168h +HTTP_ENDPOINT = https://dl.gitea.io/gitea/version.json + +[cron.delete_old_system_notices] +ENABLED = true +RUN_AT_START = false +SCHEDULE = @every 168h +OLDER_THAN = 200h + +[mirror] +ENABLED = true +# creation of new pull/push mirrors (not git push/pull) +DISABLE_NEW_PULL = false +DISABLE_NEW_PUSH = false +DEFAULT_INTERVAL = 8h +MIN_INTERVAL = 10m + +[api] +ENABLE_SWAGGER = true +MAX_RESPONSE_ITEMS = 200 +DEFAULT_PAGING_NUM = 200 + +[highlight.mapping] +# not working.. +.py.j2 = python +.sh.j2 = sh + +[other] +SHOW_FOOTER_VERSION = false +ENABLE_SITEMAP = true + +[metrics] +# served on /metrics +# access control in nginx +ENABLED = true + +{% if gitea_federation_enabled -%} +[federation] +ENABLED = true +# disable user statistics for nodeinfo +SHARE_USER_STATISTICS = false +{% endif %} + +[packages] +ENABLED = true + +[storage] +STORAGE_TYPE = local + +[storage.packages] +STORAGE_TYPE = local + +[storage.repo-archives] +STORAGE_TYPE = local + +{% if gitea_lfs_enabled -%} +[lfs] +STORAGE_TYPE = local +PATH = /data/git/lfs +{% endif %} \ No newline at end of file -- 2.40.1 From 892868a7539111138177a11f6733778c2ab1bf14 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 7 Nov 2022 01:28:32 +0100 Subject: [PATCH 8/8] block /metrics --- roles/gitea/templates/01-gitea.j2 | 14 ++++++++++++++ 1 file changed, 14 insertions(+) 
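Review bot: In `[service]`, the `{% else -%}` branch for `gitea_reverse_proxy_auth_enabled` still renders `ENABLE_REVERSE_PROXY_AUTHENTICATION = true`, so header-based login stays on when the flag is off and none of the `[security] REVERSE_PROXY_*` settings above it are rendered; that line should be `ENABLE_REVERSE_PROXY_AUTHENTICATION = false`, or the else branch dropped since the option defaults to false. `DISABLE_SSH = alse` in `[server]` is a typo for `false`; Gitea's ini parser will not recognise it as a boolean and most likely falls back to the default, which hides the mistake. The Elasticsearch branch of `[indexer]` hard-codes `http://elastic:changeme@localhost:9200`, the vendor's sample credentials, in both connection strings; template the URL from a vaulted variable like the other secrets in this file. `[database] HOST = 172.17.0.1:3306` replaces the `{{ ansible_docker0.ipv4.address }}` lookup that the env vars removed in PATCH 5/8 used, so a host with a different bridge address now points at the wrong database. The first-line comment `# distributed from ansible/private` no longer matches the file's location under `roles/gitea/templates`.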
diff --git a/roles/gitea/templates/01-gitea.j2 b/roles/gitea/templates/01-gitea.j2 index 8d1ca9e..2fb496e 100644 --- a/roles/gitea/templates/01-gitea.j2 +++ b/roles/gitea/templates/01-gitea.j2 @@ -13,6 +13,20 @@ server { # default value set $header_sudo_gitea "gitea"; + {% for item in ["/metrics"] -%} + location {{ item }} { + allow 127.0.0.1; + allow {{ my_public_ips[inventory_hostname] }}/32; + allow {{ my_public_ips[ansible_control_host] }}/32; + allow {{ wireguard_cidr }}; + deny all; + + proxy_pass http://{{ bridgewithdns.gitea }}:{{ gitea_docker_port }}; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + {% endfor %} + location / { proxy_pass http://{{ bridgewithdns.gitea }}:{{ gitea_docker_port }}; -- 2.40.1
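Review bot: The `allow`/`deny` list for `location /metrics` is evaluated against `$remote_addr`, and this server also listens via `listen-proxy-protocol.conf` (included earlier in the file on this page); unless the real-IP module is configured to take the client address from the proxy-protocol header, `$remote_addr` is the upstream proxy's address and the rules do not match what they appear to, so confirm that before relying on them. Gitea's `[metrics]` section on this page only sets `ENABLED = true`; adding `TOKEN = {{ <vaulted metrics token variable> }}` there gives the endpoint bearer-token authentication that does not depend on the nginx rules, so a vhost mistake does not expose it. The `{% for item in ["/metrics"] -%}` loop over one literal reads as a placeholder for a list variable; either name that list in the role defaults or write the location directly. The enclosing `server { }` block starts and ends outside the hunk.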