gitea: rework setup for new file layout

gitea/docker-compose.yaml

@@ -10,14 +10,14 @@ services:
     env_file:
       - ../env.production
       - env.production
-      - env.secrets
+      - ../data/gitea/env.secrets
     environment:
       - USER_UID=1000
       - USER_GID=1000
     networks:
       - gitea
     volumes:
-      - ./data/gitea:/data
+      - ../data/gitea:/data
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
     ports:

gitea/env.production

@@ -0,0 +1 @@
+# gitea config

gitea/setup

@@ -1,43 +1,59 @@
 #!/bin/bash
-set -euo pipefail
+die() { echo >&2 "gitea: ERROR $*" ; exit 1 ; }
-die() { echo >&2 "$@" ; exit 1 ; }
+info() { echo >&2 "gitea: $*" ; }
 
 DIRNAME="$(dirname $0)"
 cd "$DIRNAME"
 
-docker-compose down
+source ../env.production || die "no top level environment"
+source ./env.production || die "no local environment"
+
+DATA="../data/gitea"
+SECRETS="$DATA/env.secrets"
+INI="$DATA/gitea/conf/app.ini"
+
+if [ -r "$SECRETS" ]; then
+	docker-compose up -d || die "unable to start"
+	exit 0
+fi
 
-../keycloak/client-delete gitea
 
 GITEA_CLIENT_SECRET="$(openssl rand -hex 32)"
 
-rm -f env.secrets
+info "creating new secrets $SECRETS"
-cat <<EOF > env.secrets
+
+mkdir -p "$DATA"
+cat <<EOF > "$SECRETS"
 # DO NOT CHECK IN
-#GITEA_CLIENT_SECRET=$GITEA_CLIENT_SECRET
+GITEA_CLIENT_SECRET=$GITEA_CLIENT_SECRET
 EOF
 
+
+docker-compose down 2>/dev/null
+
+../keycloak/client-delete gitea 2>/dev/null
 ../keycloak/client-create <<EOF || die "unable to create gitea client"
 {
 	"clientId": "gitea",
 	"rootUrl": "https://$GITEA_HOSTNAME",
 	"adminUrl": "https://$GITEA_HOSTNAME",
 	"redirectUris": [ "https://$GITEA_HOSTNAME/*" ],
-	"webOrigins": [ "https://$GITEA_HOSTNAME" ]
+	"webOrigins": [ "https://$GITEA_HOSTNAME" ],
-  "clientAuthenticatorType": "client-secret",
+	"clientAuthenticatorType": "client-secret",
-  "secret": "$GITEA_CLIENT_SECRET"
+	"secret": "$GITEA_CLIENT_SECRET"
 }
 EOF
 
 docker-compose up -d || die "unable to start container"
 
 echo SLEEPING
-sleep 30
+sleep 10
 
-test -f ./data/app.ini || die "missing data/app.ini"
+test -f "$INI" || die "missing $INI"
 
-grep --quiet '\[openid\]' ./data/app.ini || {
+info "enabling OpenID in $INI"
-  echo <<EOF >>./data/app.ini || die "unable to enable OpenID in app.ini"
+grep --quiet '\[openid\]' "$INI" || {
+  echo <<EOF >> "$INI" || die "unable to enable OpenID in $INI"
 ;service]
 ; Only allow registering via OpenID
 ;DISABLE_REGISTRATION = false
@@ -50,5 +66,6 @@ ENABLE_OPENID_SIGNUP = true
 EOF
 }
 
-echo "TODO: Configure openID by visiting login.${DOMAIN_NAME}/
+info "restarting"
-
+docker-compose down
+docker-compose up -d || die "unable to start container"

nginx/certbot-renew

@@ -7,7 +7,7 @@ cd "$DIRNAME"
 source ../env.production
 source ./env.production
 
-domain_args="-d $DOMAIN_NAME,$KEYCLOAK_HOSTNAME,$HEDGEDOC_HOSTNAME,$MASTODON_HOSTNAME,$NEXTCLOUD_HOSTNAME,$GRAFANA_HOSTNAME,$MATRIX_HOSTNAME"
+domain_args="-d $DOMAIN_NAME,$KEYCLOAK_HOSTNAME,$HEDGEDOC_HOSTNAME,$MASTODON_HOSTNAME,$NEXTCLOUD_HOSTNAME,$GRAFANA_HOSTNAME,$MATRIX_HOSTNAME,$GITEA_HOSTNAME"
 rsa_key_size=2048
 
 set -x

nginx/nginx/templates/git.conf.template

@@ -1,8 +1,3 @@
-map $http_upgrade $connection_upgrade {
-        default upgrade;
-        ''      close;
-}
-
 server {
 	server_name ${GITEA_HOSTNAME};
 	client_max_body_size 128m;
@@ -27,9 +22,9 @@ server {
 	}
 
   # login with OIDC
-  location /user/login {
+#  location /user/login {
-    return 302 https://login.hackerspace.zone/;
+#    return 302 https://login.hackerspace.zone/;
-  }
+#  }
 
 	listen 443 ssl;
 	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;