diff --git a/cookbooks/gitea/default.rb b/cookbooks/gitea/default.rb
index c610d81..4798ef2 100644
--- a/cookbooks/gitea/default.rb
+++ b/cookbooks/gitea/default.rb
@@ -3,3 +3,6 @@ include_recipe './attributes.rb'
 # Install:
 include_recipe './install.rb'
+
+# Setup:
+include_recipe './setup.rb'
diff --git a/cookbooks/gitea/files/etc/consul.d/service-gitea.json b/cookbooks/gitea/files/etc/consul.d/service-gitea.json
new file mode 100644
index 0000000..add1be2
--- /dev/null
+++ b/cookbooks/gitea/files/etc/consul.d/service-gitea.json
@@ -0,0 +1,12 @@
+{
+ "service": {
+ "name": "gitea",
+ "port": 3000,
+ "check":{
+ "tcp": "localhost:3000",
+ "interval": "60s",
+ "timeout": "1s",
+ "success_before_passing": 3
+ }
+ }
+}
diff --git a/cookbooks/gitea/files/etc/gitea/app.ini b/cookbooks/gitea/files/etc/gitea/app.ini
new file mode 100644
index 0000000..b5f7ba0
--- /dev/null
+++ b/cookbooks/gitea/files/etc/gitea/app.ini
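Review bot: The `"check"` block only verifies that TCP port 3000 accepts connections, so a Gitea process that is listening but cannot serve requests (for example because its MySQL host is unreachable) still reports healthy to Consul. An `http` check against a page Gitea serves would catch that case. With `"interval": "60s"` and `"success_before_passing": 3` the service presumably stays out of Consul for roughly three minutes after every restart, which deserves a comment if it is intentional. Minor: `"check":{` is missing the space the sibling keys use.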
@@ -0,0 +1,78 @@
+APP_NAME = Gitea: Git with a cup of tea
+RUN_USER = git
+RUN_MODE = prod
+
+[oauth2]
+JWT_SECRET = Cyb3GmSaoJpkaHhA5X6wiNCK7KsngKEr6w_v37WZ1a4
+
+[security]
+INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE1NjMzNzYxNzR9.Z8_xg9eBZt8fSMTQLQB2xxGUx7GB5M3_v_Tsc441LOg
+INSTALL_LOCK = true
+SECRET_KEY = Br3eWgKaVIvM2TiHgvRnDbeZTSvBeVxSOS2VbjsPiyZ8Egigqre4dq0ZqaIKoxlB
+
+[database]
+DB_TYPE = mysql
+HOST = 192.168.10.200:3307
+NAME = gitea
+USER = root
+PASSWD = Holiday88
+SSL_MODE = disable
+PATH = /var/lib/gitea/data/gitea.db
+
+[repository]
+ROOT = /var/lib/git
+
+[server]
+SSH_DOMAIN = gitea.kazu634.com
+DOMAIN = gitea.kazu634.com
+HTTP_PORT = 3000
+ROOT_URL = https://gitea.kazu634.com/
+DISABLE_SSH = false
+SSH_PORT = 50022
+LFS_START_SERVER = true
+LFS_CONTENT_PATH = /var/lib/gitea/data/lfs
+LFS_JWT_SECRET = hcxZi2iadhyYTdRtAOJXXWPckR-lK2rFHPCbA1isvV0
+OFFLINE_MODE = false
+
+[mailer]
+ENABLED = false
+
+[service]
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+DISABLE_REGISTRATION = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = true
+REQUIRE_SIGNIN_VIEW = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.example.org
+
+[picture]
+DISABLE_GRAVATAR = false
+ENABLE_FEDERATED_AVATAR = true
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[session]
+PROVIDER = file
+
+[log]
+MODE = file
+LEVEL = Info
+ROOT_PATH = /var/lib/gitea/log
+
+[other]
+SHOW_FOOTER_VERSION = false
+
+[attachment]
+ENABLED = true
+ALLOWED_TYPES = */*
+MAX_SIZE = 1024
+MAX_FILES = 25
+
+[metrics]
+ENABLED = true
diff --git a/cookbooks/gitea/files/etc/lsyncd/lsyncd.conf.lua b/cookbooks/gitea/files/etc/lsyncd/lsyncd.conf.lua
new file mode 100644
index 0000000..fea517a
--- /dev/null
+++ b/cookbooks/gitea/files/etc/lsyncd/lsyncd.conf.lua
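Review bot: This file commits live credentials in cleartext — `JWT_SECRET`, `INTERNAL_TOKEN`, `SECRET_KEY`, `LFS_JWT_SECRET` and the MySQL `PASSWD` for `USER = root` — and setup.rb later in this diff installs it with `mode '644'`, so every local account on the host can read them in addition to everyone with access to this repository. These values should be treated as exposed and rotated, the file turned into a template whose secrets come from a non-committed source (node attributes or a secrets store, the way `promtail/gitea.yaml` already takes `LOKIENDPOINT`), and the resource in setup.rb changed to `mode '0640'` so only the `git` user and group can read it. The database connection also uses the MySQL root account over the network with `SSL_MODE = disable`; a dedicated `gitea` database user holding only the grants it needs, plus TLS if the MySQL host supports it, would narrow the blast radius of a leak. `PATH = /var/lib/gitea/data/gitea.db` is the SQLite path and, as far as I know, is ignored with `DB_TYPE = mysql`, so it can be dropped to avoid confusion.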
@@ -0,0 +1,26 @@
+settings {
+ logfile = "/var/log/lsyncd/lsyncd.log",
+ statusFile = "/var/log/lsyncd/lsyncd.status",
+ statusInterval = 20,
+ nodaemon = false
+}
+
+sync {
+ default.rsync,
+ source = "/var/lib/git/",
+ target = "admin@192.168.10.200:/volume1/Shared/AppData/gitea/git/",
+ rsync = {
+ archive = true,
+ compress = true
+ }
+}
+
+sync {
+ default.rsync,
+ source = "/var/lib/gitea/",
+ target = "admin@192.168.10.200:/volume1/Shared/AppData/gitea/gitea-data/",
+ rsync = {
+ archive = true,
+ compress = true
+ }
+}
diff --git a/cookbooks/gitea/files/etc/supervisor/conf.d/gitea.conf b/cookbooks/gitea/files/etc/supervisor/conf.d/gitea.conf
new file mode 100644
index 0000000..d251545
--- /dev/null
+++ b/cookbooks/gitea/files/etc/supervisor/conf.d/gitea.conf
@@ -0,0 +1,10 @@
+[program:gitea]
+command=/usr/local/bin/gitea web -c /etc/gitea/app.ini
+user=git
+stdout_logfile=/var/log/supervisor/gitea.log
+environment=GITEA_WORK_DIR="/var/lib/gitea/", HOME="/home/git", USER="git"
+redirect_stderr=true
+stdout_logfile_maxbytes=1MB
+stdout_logfile_backups=5
+autorestart=true
+stopsignal=TERM
diff --git a/cookbooks/gitea/files/etc/systemd/system/promtail-gitea.service b/cookbooks/gitea/files/etc/systemd/system/promtail-gitea.service
new file mode 100644
index 0000000..e1380bd
--- /dev/null
+++ b/cookbooks/gitea/files/etc/systemd/system/promtail-gitea.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Grafana Promtail
+Documentation=https://github.com/grafana/loki
+After=network-online.target
+
+[Service]
+User=root
+Restart=always
+ExecStart=/usr/local/bin/promtail --config.file=/etc/promtail/gitea.yaml
+
+[Install]
+WantedBy=multi-user.target
diff --git a/cookbooks/gitea/files/home/git/.ssh/authorized_keys b/cookbooks/gitea/files/home/git/.ssh/authorized_keys
new file mode 100644
index 0000000..c7d6cab
--- /dev/null
+++ b/cookbooks/gitea/files/home/git/.ssh/authorized_keys
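Review bot: Both `sync` blocks push to `admin@192.168.10.200`, the NAS administrator account, so the SSH key the lsyncd process (presumably root) holds for this grants far more than write access to the two gitea directories, and the diff does not show where that key is provisioned. A dedicated NAS user restricted to those paths would limit what a compromise of this host can do to the NAS. Neither block sets `delete` explicitly; if lsyncd's rsync default applies, files that disappear locally are removed on the NAS too, so an explicit `delete = false,` (or a comment stating that mirroring deletions is intended) would make the backup semantics visible. The two blocks also repeat the host and rsync options; a local such as `nas = "admin@192.168.10.200"` would keep them in step.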
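Review bot: `User=root` in `[Service]` is more privilege than this unit needs; promtail only has to read `/var/log/supervisor/gitea.log` and write its positions file under `/var/opt/promtail/`, which a dedicated service user with group read on the log can do. `After=network-online.target` without a matching `Wants=network-online.target` does not pull the target in, so the ordering can be a no-op on hosts where nothing else activates it; add `Wants=network-online.target` beside it. The unit also carries no hardening directives (`NoNewPrivileges=true`, `ProtectSystem=strict`, `PrivateTmp=true`), which are cheap for a log shipper.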
@@ -0,0 +1,6 @@
+# gitea public key
+command="/usr/local/bin/gitea --config=\"/etc/gitea/app.ini\" serv key-4",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKaziOfXcs96+p5WU67S/v3RD2HvuRN9iqROba8REj3fZygCrVHnboF6I3O5fmO7FXh2Nj8iLW/aQT0LxondM2hch67g6D4sM4qcshriYYRfMHTc+w7jVE6bhzpl78kCUM/Scy/IwCXqMNwWDoji8Yt2MMIBsAoUPhP1DdseHsBpxXDtKVcaHy35SM+uEsl34yvcXiobitYtrclxI8D7AiRHQ77VoHzlv8m93WFKBYlJ4JbtaQpVPncpJzcqhs1gD0eIHCHHF8xg8VsrDyiWVBoh+4ixnr+HYUbhRRBalvDuGdgFdccDt1RIWWrlZNelRecR1LNgyvWL5x9H/4YMh9 WorkingCopy@KazuhirosiPad-24032019
+# gitea public key
+command="/usr/local/bin/gitea --config=\"/etc/gitea/app.ini\" serv key-5",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxKUdftBP05WHbz2wIbYqhgYpmvR/tcIrnVngM2vH3hvbFfS6Es2TBswqTml5+gRzyZrjaii3rJaNfQxcXEfW8lPHzp3weMDBgNrcuVby5Nix5N7EeEoPZyzPk1BvpzoIudE/zIO++ttpTIS3uMBLcqCny4M/mY8IHiLs/c1osP7nQ1QA96xBHTk3xxr9vVbVyCI68uQ79aumJbhP/nKO068HmBJ5M+4kRLNQ6US6dvd8/zbf2tyi0SqCJcLrUvF2AINlIc9T3oApftYdrcZpNeexQdb4HYkH4lwQg4oWbCMH/iDgc8KLJR21nXLZZrVkbSxcDvwcYsMeGwZrVOpuR Chef
+# gitea public key
+command="/usr/local/bin/gitea --config=\"/etc/gitea/app.ini\" serv key-9",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuib90/h5aKtL411mOOTe7Ja5udeSTfF9mmTVuVsw5TEbOZPEI0O+PWuCCg6DKHVtAb0POoBjg+I8V4NS2VGIAur0mUyKIY7Zadk/3Y/jdbEtS0IGMwdJOgfTEBFvNNXhx+di3cUPTOvSBlnXpIi3vMetzOmqXvb285RUTcPlmLQsdpnJGcShnWIwUXKqWwQB5QZ8MREPgdGedON4yyWsOIrCVJJjBRCwyWCbLQTNE6TKoWKauabPtNgdqFFcBmp6NYfR8Ob2qp0RVq2vi8FFxoEaFFbJUHlJIbiInVypPf3zwpXx8Gdw+Rr7Hs8YAGCjEqE8J8ZI0iXDhaE4HcrQPQ== kazu634@macbookpro.local
diff --git a/cookbooks/gitea/setup.rb b/cookbooks/gitea/setup.rb
new file mode 100644
index 0000000..6e4a6f7
--- /dev/null
+++ b/cookbooks/gitea/setup.rb
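Review bot: Shipping a static `authorized_keys` for the `git` user is likely to fight with Gitea itself: Gitea rewrites this file whenever a user adds or removes an SSH key (the `serv key-4` style forced commands reference key IDs in its database), while the `remote_file` resource in setup.rb replaces it on every converge and would silently drop keys added through the UI. If the intent is only to bootstrap a fresh host, guard that resource so it runs once (for example `not_if 'test -e /home/git/.ssh/authorized_keys'`) or regenerate the file from Gitea's admin dashboard instead of versioning it. The forced command and `no-*` restrictions on each entry are correct and should be kept as they are.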
@@ -0,0 +1,131 @@
+# Create `git` user:
+user 'git' do
+ create_home true
+ home '/home/git/'
+
+ system_user true
+
+ shell '/bin/bash'
+end
+
+directory '/home/git/.ssh/' do
+ owner 'git'
+ group 'git'
+ mode '0700'
+end
+
+remote_file '/home/git/.ssh/authorized_keys' do
+ owner 'git'
+ group 'git'
+ mode '0600'
+end
+
+# Create `/etc/gitea/`:
+%w(/etc/gitea).each do |d|
+ directory d do
+ owner 'root'
+ group 'root'
+ mode '0755'
+ end
+end
+
+%w(/var/lib/git /var/lib/gitea).each do |d|
+ directory d do
+ owner 'git'
+ group 'git'
+ mode '0755'
+ end
+end
+
+execute 'rsync -vrz --delete admin@192.168.10.200:/volume1/Shared/AppData/gitea/gitea-data/ /var/lib/gitea/' do
+ not_if 'test -e /var/lib/gitea/log'
+end
+
+execute 'rsync -vrz --delete admin@192.168.10.200:/volume1/Shared/AppData/gitea/git/ /var/lib/git/' do
+ not_if 'test -e /var/lib/git/kazu634/'
+end
+
+execute 'chown -R git:git /var/lib/gitea/'
+execute 'chown -R git:git /var/lib/git/'
+
+# Deploy `app.ini`:
+remote_file '/etc/gitea/app.ini' do
+ owner 'git'
+ group 'git'
+ mode '644'
+end
+
+# Deploy `supervisord` config`:
+remote_file '/etc/supervisor/conf.d/gitea.conf' do
+ owner 'root'
+ group 'root'
+ mode '644'
+
+ notifies :restart, 'service[supervisor]'
+end
+
+service 'supervisor' do
+ action :nothing
+end
+
+# Depoy `consul` service configuration for `gitea`:
+remote_file '/etc/consul.d/service-gitea.json' do
+ owner 'root'
+ group 'root'
+ mode '644'
+
+ notifies :restart, 'service[supervisor]'
+end
+
+# Depoy `promtail` configuration for `gitea`:
+template '/etc/promtail/gitea.yaml' do
+ owner 'root'
+ group 'root'
+ mode '644'
+
+ variables(HOSTNAME: node[:hostname], LOKIENDPOINT: node['promtail']['lokiendpoint'])
+
+ notifies :restart, 'service[promtail-gitea]'
+end
+
+# Deploy `systemd` configuration for `promtail-gitea`:
+remote_file '/etc/systemd/system/promtail-gitea.service' do
+ owner 'root'
+ group 'root'
+ mode '644'
+end
+
+# Service setting:
+service 'promtail-gitea' do
+ action
[ :enable, :restart ]
+end
+
+# Deploy `systemd` configuration for `promtail-gitea`:
+remote_file '/etc/lsyncd/lsyncd.conf.lua' do
+ owner 'root'
+ group 'root'
+ mode '644'
+end
+
+# Service setting:
+service 'lsyncd' do
+ action [ :enable, :restart ]
+end
+
+# Firewall settings here:
+%w( 3000/tcp ).each do |p|
+ execute "ufw allow #{p}" do
+ user 'root'
+
+ not_if "LANG=c ufw status | grep #{p}"
+
+ notifies :run, 'execute[ufw reload-or-enable]'
+ end
+end
+
+execute 'ufw reload-or-enable' do
+ user 'root'
+ command 'LANG=C ufw reload | grep skipping && ufw --force enable || exit 0'
+
+ action :nothing
+end
diff --git a/cookbooks/gitea/templates/etc/promtail/gitea.yaml b/cookbooks/gitea/templates/etc/promtail/gitea.yaml
new file mode 100644
index 0000000..48d7dd0
--- /dev/null
+++ b/cookbooks/gitea/templates/etc/promtail/gitea.yaml
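Review bot: The `remote_file '/etc/consul.d/service-gitea.json'` resource notifies `service[supervisor]`, but supervisor does not read Consul service definitions; this looks copy-pasted from the supervisor block above, and the new check presumably is not registered until something else restarts Consul. It should notify Consul instead, e.g. `notifies :reload, 'service[consul]'` with a matching `service 'consul' do action :nothing end`. The two bare `execute 'chown -R git:git …'` resources have no guard, so they run and report a change on every converge; moving them under the rsync resources' `not_if` conditions (or giving them their own `not_if`) keeps the recipe idempotent. The comment above `remote_file '/etc/lsyncd/lsyncd.conf.lua'` still reads `# Deploy `systemd` configuration for `promtail-gitea`:`, `# Depoy` appears twice, and `LANG=c` in the ufw `not_if` should be `LANG=C` to match the reload resource.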
@@ -0,0 +1,61 @@
+server:
+ disable: true
+
+positions:
+ filename: /var/opt/promtail/promtail_gitea_position.yaml
+
+clients:
+ - url: http://<%= @LOKIENDPOINT %>/loki/api/v1/push
+
+scrape_configs:
+ - job_name: gitea
+ static_configs:
+ - targets:
+ - localhost
+ labels:
+ job: gitea
+ hostname: <%= @HOSTNAME %>
+ vhost: gitea.kazu634.com
+ __path__: /var/log/supervisor/gitea.log
+
+ pipeline_stages:
+ - match:
+ selector: '{job="gitea"}'
+
+ stages:
+ - drop:
+ expression: "(Static|robots.txt|sitemap.xml)"
+
+ - regex:
+ expression: '^\[Macaron\] (?P[0-9]+\-[0-9]+\-[0-9]+ +[0-9]+:[0-9]+:[0-9]+): (?P[^\/]+) (?P\/[^ ]*) (?P[^ ]+) (?P.+)$'
+
+ - timestamp:
+ source: timestamp
+ format: 2006-01-02 15:04:05
+ location: Asia/Tokyo
+
+ - template:
+ source: message
+ template: '{{ .message1 }} {{ .uri }} ({{ .message2 }})'
+
+ - template:
+ source: level
+ template: '{{ .response }}'
+
+ - template:
+ source: level
+ template: '{{ regexReplaceAllLiteral "(2[0-9]+|3[0-9]+|for)" .Value "info" }}'
+
+ - template:
+ source: level
+ template: '{{ regexReplaceAllLiteral "4[0-9]+" .Value "warning" }}'
+
+ - template:
+ source: level
+ template: '{{ regexReplaceAllLiteral "5[0-9]+" .Value "error" }}'
+
+ - labels:
+ level:
+
+ - output:
+ source: message
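Review bot: As shown here the `regex` stage's named groups carry no names — `(?P[0-9]+…)`, `(?P[^\/]+)` — which Go's regexp syntax rejects, so the stage would fail and `timestamp`, `.message1`, `.uri`, `.message2` and `.response` used by the later `timestamp`/`template` stages would never be populated; if the `<name>` parts were merely stripped when this diff was rendered the point is moot, but please confirm the committed file reads `(?P<timestamp>…)`, `(?P<message1>…)` and so on. The `clients` URL sends every matched request line, including URIs that may carry tokens in query strings, to Loki over plain `http://`; unless the Loki endpoint is on a trusted network, `https://` with TLS terminated on the Loki side is worth the setup. `vhost: gitea.kazu634.com` duplicates `DOMAIN` from app.ini and could be passed through `variables` the way `HOSTNAME` is, so the two cannot drift.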