diff --git a/gitea/docker-compose.yaml b/gitea/docker-compose.yaml index b28a7f0..7a3d204 100644 --- a/gitea/docker-compose.yaml +++ b/gitea/docker-compose.yaml @@ -10,14 +10,14 @@ services: env_file: - ../env.production - env.production - - env.secrets + - ../data/gitea/env.secrets environment: - USER_UID=1000 - USER_GID=1000 networks: - gitea volumes: - - ./data/gitea:/data + - ../data/gitea:/data - /etc/timezone:/etc/timezone:ro - /etc/localtime:/etc/localtime:ro ports: diff --git a/gitea/env.production b/gitea/env.production new file mode 100644 index 0000000..8db9978 --- /dev/null +++ b/gitea/env.production @@ -0,0 +1 @@ +# gitea config diff --git a/gitea/setup b/gitea/setup index 1456096..39777c6 100755 --- a/gitea/setup +++ b/gitea/setup @@ -1,43 +1,59 @@ #!/bin/bash -set -euo pipefail -die() { echo >&2 "$@" ; exit 1 ; } +die() { echo >&2 "gitea: ERROR $*" ; exit 1 ; } +info() { echo >&2 "gitea: $*" ; } DIRNAME="$(dirname $0)" cd "$DIRNAME" -docker-compose down +source ../env.production || die "no top level environment" +source ./env.production || die "no local environment" + +DATA="../data/gitea" +SECRETS="$DATA/env.secrets" +INI="$DATA/gitea/conf/app.ini" + +if [ -r "$SECRETS" ]; then + docker-compose up -d || die "unable to start" + exit 0 +fi -../keycloak/client-delete gitea GITEA_CLIENT_SECRET="$(openssl rand -hex 32)" -rm -f env.secrets -cat < env.secrets +info "creating new secrets $SECRETS" + +mkdir -p "$DATA" +cat < "$SECRETS" # DO NOT CHECK IN -#GITEA_CLIENT_SECRET=$GITEA_CLIENT_SECRET +GITEA_CLIENT_SECRET=$GITEA_CLIENT_SECRET EOF + +docker-compose down 2>/dev/null + +../keycloak/client-delete gitea 2>/dev/null ../keycloak/client-create <>./data/app.ini || die "unable to enable OpenID in app.ini" +info "enabling OpenID in $INI" +grep --quiet '\[openid\]' "$INI" || { + echo <> "$INI" || die "unable to enable OpenID in $INI" ;service] ; Only allow registering via OpenID ;DISABLE_REGISTRATION = false 
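Review bot: The secrets file now sits inside the tree that is bind-mounted as `/data`, so the Keycloak client secret in `../data/gitea/env.secrets` is readable by the Gitea process (USER_UID 1000) at `/data/env.secrets`, and by anything that can reach the Gitea data volume or its backups, on top of being injected through `env_file`. Keep the file outside the mounted directory, e.g. `- ../data/gitea.env.secrets` on the env_file entry (with the matching `SECRETS=` path in `gitea/setup`), or mount only the subdirectories Gitea actually needs. I would also annotate the entry, since nothing here says where the file comes from: `# generated by ./setup, never committed`. The `services:` mapping and the `ports:` list continue outside this hunk.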
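Review bot: The new secrets file is written with the caller's umask (typically 0644, world-readable on the host) and before the Keycloak client is registered, so a failed `client-create` leaves `$SECRETS` behind and every later run takes the `[ -r "$SECRETS" ]` early exit without ever registering the client. Set `umask 077` before the heredoc, write to `$SECRETS.tmp`, and rename it into place only after `client-create` succeeds, as sketched below; note also that dropping `set -euo pipefail` leaves `mkdir -p "$DATA"` and the heredoc write unchecked and lets an unset `GITEA_HOSTNAME` expand to an empty string. The app.ini edit appears, as far as the garbled heredoc on this page shows, to feed its heredoc to `echo`, which ignores stdin; if so the `[openid]` block is never written and it should be `cat <<EOF >> "$INI"`. The client-create heredoc body does not survive this page's rendering, and the script's restart tail is in the next hunk.
```shell
# … unchanged: env sourcing, DATA/SECRETS/INI, early exit when $SECRETS exists …
mkdir -p "$DATA" || die "unable to create $DATA"
# The secret must not be world-readable, and it must only become the
# "already set up" marker once Keycloak knows the client; otherwise a
# failed client-create leaves a file that short-circuits every later run.
umask 077
cat <<EOF > "$SECRETS.tmp" || die "unable to write $SECRETS.tmp"
# DO NOT CHECK IN
GITEA_CLIENT_SECRET=$GITEA_CLIENT_SECRET
EOF
# … unchanged: docker-compose down, keycloak client-delete / client-create …
mv "$SECRETS.tmp" "$SECRETS" || die "unable to install $SECRETS"
```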
@@ -50,5 +66,6 @@ ENABLE_OPENID_SIGNUP = true EOF }
-echo "TODO: Configure openID by visiting login.${DOMAIN_NAME}/
-
+info "restarting"
+docker-compose down
+docker-compose up -d || die "unable to start container"
diff --git a/nginx/certbot-renew b/nginx/certbot-renew
index 25b4873..7a5ed08 100755
--- a/nginx/certbot-renew
+++ b/nginx/certbot-renew
@@ -7,7 +7,7 @@ cd "$DIRNAME" source ../env.production source ./env.production
-domain_args="-d $DOMAIN_NAME,$KEYCLOAK_HOSTNAME,$HEDGEDOC_HOSTNAME,$MASTODON_HOSTNAME,$NEXTCLOUD_HOSTNAME,$GRAFANA_HOSTNAME,$MATRIX_HOSTNAME"
+domain_args="-d $DOMAIN_NAME,$KEYCLOAK_HOSTNAME,$HEDGEDOC_HOSTNAME,$MASTODON_HOSTNAME,$NEXTCLOUD_HOSTNAME,$GRAFANA_HOSTNAME,$MATRIX_HOSTNAME,$GITEA_HOSTNAME" rsa_key_size=2048 set -x
diff --git a/nginx/nginx/templates/git.conf.template b/nginx/nginx/templates/git.conf.template
index 4814d33..67a49dd 100644
--- a/nginx/nginx/templates/git.conf.template
+++ b/nginx/nginx/templates/git.conf.template
@@ -1,8 +1,3 @@
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
-
server { server_name ${GITEA_HOSTNAME}; client_max_body_size 128m;
@@ -27,9 +22,9 @@ server { } # login with OIDC
- location /user/login {
- return 302 https://login.hackerspace.zone/;
- }
+# location /user/login {
+# return 302 https://login.hackerspace.zone/;
+# } listen 443 ssl; ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
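Review bot: Commenting out the `/user/login` redirect re-exposes Gitea's own sign-in form, so local password logins are possible again even though the setup script in this commit configures OpenID as the intended sign-in path; if Keycloak is meant to be the only identity provider, enforce that in Gitea itself (recent versions accept `ENABLE_PASSWORD_SIGNIN_FORM = false` under `[service]`) rather than relying on a proxy redirect, which in any case does not cover password authentication on other paths such as the API. If the redirect is only parked, replace the dead block with a one-line comment saying why it is disabled, and when it comes back use `${KEYCLOAK_HOSTNAME}` instead of the hard-coded `login.hackerspace.zone`. The first hunk removes the `$connection_upgrade` map; if any `proxy_set_header Connection $connection_upgrade;` remains in the lines between the two hunks (not visible here), nginx will reject the config unless the map is defined in another included template. The `server` block continues outside both hunks.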