WIP gitea setup - untested

README.md

@@ -15,8 +15,5 @@ apt install jq docker-compose
 ```
 ./keycloak/setup
 ./nginx/setup
-./hedgedoc/setup
-./nextcloud/setup
-./mastodon/setup
-./grafana/setup
+./start-all
 ```

env.production

@@ -6,5 +6,5 @@ HEDGEDOC_HOSTNAME=docs.hackerspace.zone
 MASTODON_HOSTNAME=social.hackerspace.zone
 NEXTCLOUD_HOSTNAME=cloud.hackerspace.zone
 GRAFANA_HOSTNAME=dashboard.hackerspace.zone
-GITLAB_HOSTNAME=git.hackerspace.zone
+GITEA_HOSTNAME=git.hackerspace.zone
 MATRIX_HOSTNAME=matrix.hackerspace.zone

gitea/docker-compose.yaml

@@ -0,0 +1,26 @@
+version: "3"
+
+networks:
+  gitea:
+    external: false
+
+services:
+  gitea:
+    image: gitea/gitea:1.16.6
+    env_file:
+      - ../env.production
+      - env.production
+      - env.secrets
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+    networks:
+      - gitea
+    volumes:
+      - ./data/gitea:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "3030:3000"
+      - "222:22"
+    restart: always

gitea/setup

@@ -0,0 +1,54 @@
+#!/bin/bash
+set -euo pipefail
+die() { echo >&2 "$@" ; exit 1 ; }
+
+DIRNAME="$(dirname $0)"
+cd "$DIRNAME"
+
+docker-compose down
+
+../keycloak/client-delete gitea
+
+GITEA_CLIENT_SECRET="$(openssl rand -hex 32)"
+
+rm -f env.secrets
+cat <<EOF > env.secrets
+# DO NOT CHECK IN
+#GITEA_CLIENT_SECRET=$GITEA_CLIENT_SECRET
+EOF
+
+../keycloak/client-create <<EOF || die "unable to create gitea client"
+{
+	"clientId": "gitea",
+	"rootUrl": "https://$GITEA_HOSTNAME",
+	"adminUrl": "https://$GITEA_HOSTNAME",
+	"redirectUris": [ "https://$GITEA_HOSTNAME/*" ],
+	"webOrigins": [ "https://$GITEA_HOSTNAME" ]
+  "clientAuthenticatorType": "client-secret",
+  "secret": "$GITEA_CLIENT_SECRET"
+}
+EOF
+
+docker-compose up -d || die "unable to start container"
+
+echo SLEEPING
+sleep 30
+
+test -f ./data/app.ini || die "missing data/app.ini"
+
+grep --quiet '\[openid\]' ./data/app.ini || {
+  echo <<EOF >>./data/app.ini || die "unable to enable OpenID in app.ini"
+;service]
+; Only allow registering via OpenID
+;DISABLE_REGISTRATION = false
+;ALLOW_ONLY_EXTERNAL_REGISTRATION = true
+[openid]
+; do not allow signin to local users via OpenID
+ENABLE_OPENID_SIGNIN = false
+; allow creation of new users via OpenID
+ENABLE_OPENID_SIGNUP = true
+EOF
+}
+
+echo "TODO: Configure openID by visiting login.${DOMAIN_NAME}/
+

html/index.html

@@ -8,6 +8,7 @@ An easy to install set of self-hosted, single-sign-on, open-source services.
 <li><a href="https://social.hackerspace.zone/">mastodon</a>: federated social media
 <li><a href="https://cloud.hackerspace.zone/">nextcloud</a>: self hosted documents and calendaring
 <li><a href="https://dashboard.hackerspace.zone/">grafana</a>: dashboards and statistic collection
+<li><a href="https://git.hackerspace.zone/">gitea</a>: git repository hosting
 <li><a href="https://login.hackerspace.zone/">keycloak</a>: user management and single sign on for the domain
 </ul>
 

nginx/nginx/templates/git.conf.template

@@ -0,0 +1,42 @@
+map $http_upgrade $connection_upgrade {
+        default upgrade;
+        ''      close;
+}
+
+server {
+	server_name ${GITEA_HOSTNAME};
+	client_max_body_size 128m;
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+
+	gzip on;
+	gzip_disable "msie6";
+
+	proxy_read_timeout 1800s;
+
+	location / {
+		proxy_pass http://host.docker.internal:3030;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+	}
+
+  # login with OIDC
+  location /user/login {
+    return 302 https://login.hackerspace.zone/;
+  }
+
+	listen 443 ssl;
+	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
+	include /etc/nginx/includes/options-ssl-nginx.conf;
+	include /etc/nginx/includes/challenge.conf;
+	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
+}
+
+