From 36cdb8f41b980589897413ed51537566b5797466 Mon Sep 17 00:00:00 2001
From: Ian Fijolek
Date: Wed, 19 Jul 2023 09:28:08 -0700
Subject: [PATCH] Add Gitea

Currently it won't auto bootstrap auth. A command has to be executed one time to get it to be added to the database.
---
 ansible_playbooks/ansible_hosts.yml | 6 -
 ansible_playbooks/setup-cluster.yml | 3 +
 ansible_playbooks/vars/nomad_vars.sample.yml | 1 +
 core/traefik/traefik.nomad | 7 ++
 services/gitea.tf | 112 +++++++++++++++++++
 5 files changed, 123 insertions(+), 6 deletions(-)
 create mode 100644 services/gitea.tf

diff --git a/ansible_playbooks/ansible_hosts.yml b/ansible_playbooks/ansible_hosts.yml
index 24175a5..bd48058 100644
--- a/ansible_playbooks/ansible_hosts.yml
+++ b/ansible_playbooks/ansible_hosts.yml
@@ -39,12 +39,6 @@ all:
 group: "bin"
 mode: "0755"
 read_only: false
- - name: gitea-data
- path: /srv/volumes/gitea
- owner: "root"
- group: "bin"
- mode: "0755"
- read_only: false
 - name: sonarr-data
 path: /srv/volumes/sonarr
 owner: "root"
diff --git a/ansible_playbooks/setup-cluster.yml b/ansible_playbooks/setup-cluster.yml
index 4175d3c..03b57bb 100644
--- a/ansible_playbooks/setup-cluster.yml
+++ b/ansible_playbooks/setup-cluster.yml
@@ -118,6 +118,9 @@
 - name: bazarr-config
 path: /srv/volumes/nas-container/bazarr
 read_only: false
+ - name: gitea-data
+ path: /srv/volumes/nas-container/gitea
+ read_only: false
 - name: all-volumes
 path: /srv/volumes
 owner: "root"
diff --git a/ansible_playbooks/vars/nomad_vars.sample.yml b/ansible_playbooks/vars/nomad_vars.sample.yml
index 9ee45f6..ea2818b 100644
--- a/ansible_playbooks/vars/nomad_vars.sample.yml
+++ b/ansible_playbooks/vars/nomad_vars.sample.yml
@@ -69,6 +69,7 @@ nomad/jobs/git:
 db_name: VALUE
 db_pass: VALUE
 db_user: VALUE
+ oidc_secret: VALUE
 secret_key: VALUE
 smtp_sender: VALUE
 nomad/jobs/grafana:
diff --git a/core/traefik/traefik.nomad b/core/traefik/traefik.nomad
index 1a38f31..67aac1b 100644
--- a/core/traefik/traefik.nomad
+++ b/core/traefik/traefik.nomad
@@ -35,6 +35,10 @@ job "traefik" {
 static = 514
 }
 
+ port "gitssh" {
+ static = 2222
+ }
+
 dns {
 servers = [
 "192.168.2.101",
@@ -131,6 +135,9 @@ job "traefik" {
 [entryPoints.syslogudp]
 address = ":514/udp"
 
+ [entryPoints.gitssh]
+ address = ":2222"
+
 [api]
 dashboard = true
 
diff --git a/services/gitea.tf b/services/gitea.tf
new file mode 100644
index 0000000..aa26570
--- /dev/null
+++ b/services/gitea.tf
@@ -0,0 +1,112 @@
+module "gitea" {
+ source = "./service"
+
+ name = "git"
+ image = "gitea/gitea:1.21"
+
+ resources = {
+ cpu = 200
+ memory = 512
+ }
+
+ env = {
+ # Custom files should be part of the task
+ GITEA_WORK_DIR = "$${NOMAD_TASK_DIR}"
+ GITEA_CUSTOM = "$${NOMAD_TASK_DIR}/custom"
+ }
+
+ ingress = true
+ service_port = 3000
+ ports = [
+ {
+ name = "ssh"
+ to = 22
+ }
+ ]
+
+ custom_services = [
+ {
+ name = "git-ssh"
+ port = "ssh"
+ tags = [
+ "traefik.enable=true",
+ "traefik.tcp.routers.git-ssh.entryPoints=gitssh",
+ "traefik.tcp.routers.git-ssh.rule=HostSNI(`*`)",
+ "traefik.tcp.routers.git-ssh.tls=false",
+ ]
+ },
+ ]
+
+ use_smtp = true
+ mysql_bootstrap = {
+ enabled = true
+ }
+
+ host_volumes = [
+ {
+ name = "gitea-data"
+ dest = "/data"
+ read_only = false
+ },
+ ]
+
+ # TODO: Bootstrap OIDC with
+ # su -- git gitea admin auth add-oauth --name authelia --provider openidConnect --key gitea --secret "{{ .oidc_secret }}" --auto-discover-url https://authelia.thefij.rocks/.well-known/openid-configuration --skip-local-2fa
+
+ templates = [
+ {
+ data = <
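Review bot: The `[entryPoints.gitssh]` entry in the second core/traefik/traefik.nomad hunk proxies SSH as plain TCP, so Gitea's SSH server will see Traefik as the peer on every connection and its logs and any address-based throttling lose the real client address; nothing in either traefik hunk preserves it. If client addresses matter, the usual remedy is to have the Traefik TCP service emit PROXY protocol towards the backend and enable PROXY protocol support on Gitea's SSH listener (both are supported; exact option names to be confirmed against the Traefik and Gitea versions in use). A comment next to the entry, `# git over SSH; plain TCP passthrough to the gitea job's git-ssh router, no TLS termination here`, would tie this listener to the router that services/gitea.tf defines. The template and job block enclosing both hunks start and end outside the hunks.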