gitea: hacked to work with the new format

single-dockerfile
Ubuntu 2 years ago
parent fcd2565b47
commit 083a1f3762
  1. 7
      Makefile
  2. 69
      gitea.yaml
  3. 5
      gitea/README.md
  4. 46
      gitea/docker-compose.yaml
  5. 7
      gitea/env.production
  6. 0
      gitea/host-setup.sh
  7. 4
      gitea/keycloak.sh
  8. 8
      gitea/nginx.conf
  9. 69
      gitea/setup
  10. 36
      gitea/setup.sh

@ -7,6 +7,7 @@ MODULES += mastodon
MODULES += matrix MODULES += matrix
MODULES += nextcloud MODULES += nextcloud
MODULES += mobilizon MODULES += mobilizon
MODULES += gitea
#MODULES += pixelfed #MODULES += pixelfed
include env.production include env.production
@ -66,6 +67,12 @@ data/%/secrets:
echo >>$@ "export $(GET_MODULE)_CLIENT_SECRET=$(call RAND,20)" echo >>$@ "export $(GET_MODULE)_CLIENT_SECRET=$(call RAND,20)"
echo >>$@ "export $(GET_MODULE)_SESSION_SECRET=$(call RAND,20)" echo >>$@ "export $(GET_MODULE)_SESSION_SECRET=$(call RAND,20)"
data/gitea/secrets: data/gitea/host-setup.done
data/gitea/host-setup.done:
sudo ./gitea/host-setup.sh
mkdir -p $(dir $@)
touch $@
keycloak-setup: secrets-setup keycloak-setup: secrets-setup
$(DOCKER) run keycloak-setup $(DOCKER) run keycloak-setup

@ -0,0 +1,69 @@
# gitea requires ssh access from the host machine, which needs special setup
# In order to create the git user and auth keys, you need to run:
#
# sudo gitea/setup.sh
#
version: "3"
services:
gitea:
image: gitea/gitea:1.17.3
container_name: gitea
env_file:
- ./env.production
environment:
- USER_UID=2222 # must match git user on host system
- USER_GID=2222
- GITEA_CLIENT_SECRET=${GITEA_CLIENT_SECRET}
- GITEA_ADMIN_PASSWORD=${GITEA_ADMIN_PASSWORD}
- GITEA__database__DB_TYPE=postgres
- GITEA__database__HOST=gitea-db:5432
- GITEA__database__NAME=gitea
- GITEA__database__USER=gitea
- GITEA__database__PASSWD=gitea
- GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION=true
- GITEA__openid__ENABLE_OPENID_SIGNIN=true
- GITEA__openid__ENABLE_OPENID_SIGNUP=false
- GITEA__service__DISABLE_REGISTRATION=true
- GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=true
- GITEA__repository__DEFAULT_BRANCH=main
- GITEA__server__ROOT_URL=https://${GITEA_HOSTNAME}.${DOMAIN_NAME}/
- GITEA__server__SSH_DOMAIN=${GITEA_HOSTNAME}.${DOMAIN_NAME}
- GITEA__security__SECRET_KEY=${GITEA_SESSION_SECRET}
- GITEA__security__INSTALL_LOCK=true
entrypoint: ["/setup.sh"]
volumes:
- ./gitea/setup.sh:/setup.sh:ro
- ./data/gitea:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
- /home/git/.ssh/:/data/git/.ssh
ports:
# - "3030:3000"
- "2222:22" # route host port 2222 to container port 22 for inbound ssh
restart: always
depends_on:
- gitea-db
gitea-db:
image: postgres:13.4-alpine
container_name: gitea-db
restart: always
environment:
- POSTGRES_USER=gitea
- POSTGRES_PASSWORD=gitea
- POSTGRES_DB=gitea
volumes:
- ./data/gitea/postgres:/var/lib/postgresql/data
# add the gitea nginx configuration into the nginx volume
nginx:
volumes:
- ./gitea/nginx.conf:/etc/nginx/templates/gitea.conf.template:ro
# add the gitea client secrets to the keycloak-setup volume
keycloak-setup:
env_file:
- data/gitea/secrets
volumes:
- ./gitea/keycloak.sh:/keycloak-setup/gitea.sh:ro

@ -1,3 +1,6 @@
# gitea # gitea
OIDC setup is now automated There is still a sudo step that has to happen on the host.
OIDC setup is now automated in the container.

@ -1,46 +0,0 @@
version: "3"
networks:
gitea:
external: false
services:
gitea:
image: gitea/gitea:1.16.6
env_file:
- ../env.production
- env.production
- ../data/gitea/env.secrets
environment:
- USER_UID=2222 # must match git user on host system
- USER_GID=2222
- GITEA__database__DB_TYPE=postgres
- GITEA__database__HOST=db:5432
- GITEA__database__NAME=gitea
- GITEA__database__USER=gitea
- GITEA__database__PASSWD=gitea
networks:
- gitea
volumes:
- ../data/gitea:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
- /home/git/.ssh/:/data/git/.ssh
ports:
- "3030:3000"
- "2222:22"
restart: always
depends_on:
- db
db:
image: postgres:13.4-alpine
restart: always
environment:
- POSTGRES_USER=gitea
- POSTGRES_PASSWORD=gitea
- POSTGRES_DB=gitea
volumes:
- ../data/gitea/postgres:/var/lib/postgresql/data
networks:
- gitea

@ -1,7 +0,0 @@
# gitea config for keycloak integration
# only allow open id sign-in, turn off all other registrations
GITEA__openid__ENABLE_OPENID_SIGNIN=true
GITEA__openid__ENABLE_OPENID_SIGNUP=false
#GITEA__service__DISABLE_REGISTRATION=true
GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=true
GITEA__repository__DEFAULT_BRANCH=main

@ -0,0 +1,4 @@
#!/bin/bash -x
# Setup the gitea client connection
client-create gitea "$GITEA_HOSTNAME.$DOMAIN_NAME" "$GITEA_CLIENT_SECRET" </dev/null

@ -1,5 +1,5 @@
server { server {
server_name ${GITEA_HOSTNAME}; server_name ${GITEA_HOSTNAME} ${GITEA_HOSTNAME}.${DOMAIN_NAME};
client_max_body_size 128m; client_max_body_size 128m;
sendfile on; sendfile on;
@ -14,7 +14,7 @@ server {
proxy_read_timeout 1800s; proxy_read_timeout 1800s;
location / { location / {
proxy_pass http://host.docker.internal:3030; proxy_pass http://gitea:3000;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@ -23,7 +23,7 @@ server {
# force login with OIDC # force login with OIDC
location /user/login { location /user/login {
return 302 https://${GITEA_HOSTNAME}/user/oauth2/keycloak; return 302 https://${GITEA_HOSTNAME}.${DOMAIN_NAME}/user/oauth2/keycloak;
} }
listen 443 ssl; listen 443 ssl;
@ -33,5 +33,3 @@ server {
include /etc/nginx/includes/challenge.conf; include /etc/nginx/includes/challenge.conf;
ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem; ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
} }

@ -1,69 +0,0 @@
#!/bin/bash
die() { echo >&2 "gitea: ERROR $*" ; exit 1 ; }
info() { echo >&2 "gitea: $*" ; }
DIRNAME="$(dirname $0)"
cd "$DIRNAME"
source ../env.production || die "no top level environment"
source ./env.production || die "no local environment"
DATA="../data/gitea"
SECRETS="$DATA/env.secrets"
INI="$DATA/gitea/conf/app.ini"
if [ -r "$SECRETS" ]; then
docker-compose up -d || die "unable to start"
exit 0
fi
./add-ssh-user || die "unable to add ssh user"
GITEA_CLIENT_SECRET="$(openssl rand -hex 32)"
GITEA_ADMIN_PASSWORD="$(openssl rand -hex 8)"
info "creating new secrets $SECRETS"
mkdir -p "$DATA"
cat <<EOF > "$SECRETS"
# DO NOT CHECK IN
GITEA_CLIENT_SECRET=$GITEA_CLIENT_SECRET
GITEA_ADMIN_PASSWORD=$GITEA_ADMIN_PASSWORD
GITEA__server__ROOT_URL=https://$GITEA_HOSTNAME/
GITEA__server__SSH_DOMAIN=$GITEA_HOSTNAME
GITEA__security__INSTALL_LOCK=true
GITEA__security__SECRET_KEY=$(openssl rand -hex 32)
EOF
docker-compose down 2>/dev/null
../keycloak/client-delete gitea 2>/dev/null
../keycloak/client-create <<EOF || die "unable to create gitea client"
{
"clientId": "gitea",
"rootUrl": "https://$GITEA_HOSTNAME",
"adminUrl": "https://$GITEA_HOSTNAME",
"redirectUris": [ "https://$GITEA_HOSTNAME/*" ],
"webOrigins": [ "https://$GITEA_HOSTNAME" ],
"clientAuthenticatorType": "client-secret",
"secret": "$GITEA_CLIENT_SECRET"
}
EOF
docker-compose up -d || die "unable to start container"
info "waiting for startup..."
sleep 5
info "adding oauth login"
docker-compose exec -u git gitea \
gitea admin auth add-oauth \
--name "keycloak" \
--provider "openidConnect" \
--key "gitea" \
--secret "$GITEA_CLIENT_SECRET" \
--auto-discover-url "https://${KEYCLOAK_HOSTNAME}/realms/${REALM}/.well-known/openid-configuration" \
--group-claim-name "groups" \
--admin-group "admin" \
|| die "unable to add oauth interface"

@ -0,0 +1,36 @@
#!/bin/bash -x
# This is *container* setup for the OIDC stuff
export APP_NAME="${DOMAIN_NAME} Gitea"
OIDC_CANARY="/data/oidc.done"
if [ -r "$OIDC_CANARY" ]; then
# based on https://github.com/go-gitea/gitea/blob/main/Dockerfile
exec "/usr/bin/entrypoint" "/bin/s6-svscan" "/etc/s6";
fi
# We have to do some setup, so start things and wait for the config
# file to appear so that we can edit it.
"/usr/bin/entrypoint" "/bin/s6-svscan" "/etc/s6" &
echo >&2 "*** Sleeping for setup"
sleep 30
echo >&2 "*** Adding OIDC login for $DOMAIN_NAME"
su -s /bin/sh git <<EOF || exit 1
gitea admin auth add-oauth \
--name "keycloak" \
--provider "openidConnect" \
--key "gitea" \
--secret "${GITEA_CLIENT_SECRET}" \
--auto-discover-url "https://${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME}/realms/${REALM}/.well-known/openid-configuration" \
--group-claim-name "groups" \
--admin-group "admin" \
EOF
touch "${OIDC_CANARY}"
echo >&2 "*** Done, maybe it works?"
exit 0
Loading…
Cancel
Save