Add gitea

This commit is contained in:
IamTheFij 2022-10-31 15:23:04 -07:00
parent 1a1f243354
commit 464d3e35e0
5 changed files with 733 additions and 0 deletions

View File

@ -40,6 +40,10 @@ job "traefik" {
port "syslog" { port "syslog" {
static = 514 static = 514
} }
port "git-ssh" {
static = 2222
}
} }
ephemeral_disk { ephemeral_disk {
@ -131,6 +135,9 @@ job "traefik" {
[entryPoints.syslogudp] [entryPoints.syslogudp]
address = ":514/udp" address = ":514/udp"
[entryPoints.gitssh]
address = ":2222"
[api] [api]
dashboard = true dashboard = true

View File

@ -48,6 +48,12 @@ resource "consul_config_entry" "mysql_intents" {
Precedence = 9 Precedence = 9
Type = "consul" Type = "consul"
}, },
{
Action = "allow"
Name = "gitea-web"
Precedence = 9
Type = "consul"
},
] ]
}) })
} }

517
services/gitea.app.ini Normal file
View File

@ -0,0 +1,517 @@
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; General Settings
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
APP_NAME = TheFij Rocks: Internal services
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
[server]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Set the domain for the server
; DOMAIN = git.thefij.rocks
;;
;; The port to listen on. Leave empty when using a unix socket.
HTTP_PORT = 3000
;;
;; Domain name to be exposed in clone URL
;SSH_DOMAIN = %(DOMAIN)s
;;
;; Port number to be exposed in clone URL
SSH_PORT = 2222
;;
;; The port number the builtin SSH server should listen on
SSH_LISTEN_PORT = 22
;;
;; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.
;SSH_ROOT_PATH =
;;
;; Gitea will create a authorized_keys file by default when it is not using the internal ssh server
;; If you intend to use the AuthorizedKeysCommand functionality then you should turn this off.
;SSH_CREATE_AUTHORIZED_KEYS_FILE = true
;;
;; Gitea will create a authorized_principals file by default when it is not using the internal ssh server
;; If you intend to use the AuthorizedPrincipalsCommand functionality then you should turn this off.
;SSH_CREATE_AUTHORIZED_PRINCIPALS_FILE = true
;;
;; Determines which principals to allow
;; - empty: if SSH_TRUSTED_USER_CA_KEYS is empty this will default to off, otherwise will default to email, username.
;; - off: Do not allow authorized principals
;; - email: the principal must match the user's email
;; - username: the principal must match the user's username
;; - anything: there will be no checking on the content of the principal
;SSH_AUTHORIZED_PRINCIPALS_ALLOW = email, username
;;
;; Enable SSH Authorized Principals Backup when rewriting all keys, default is true
;SSH_AUTHORIZED_PRINCIPALS_BACKUP = true
;;
;; Default path for App data
;APP_DATA_PATH = data
;;
;; Enable gzip compression for runtime-generated content, static resources excluded
;ENABLE_GZIP = false
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
[database]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
DB_TYPE = mysql
HOST = {{ env "NOMAD_UPSTREAM_ADDR_mysql_server" }}
{{ with secret "kv/data/gitea" -}}
NAME = {{ .Data.data.db_name }}
USER = {{ .Data.data.db_user }}
PASSWD = {{ .Data.data.db_pass }}
{{ end -}}
;SSL_MODE = false ; either "false" (default), "true", or "skip-verify"
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Other settings
;;
;; Show the database generated SQL
LOG_SQL = false ; if unset defaults to true
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
[security]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Whether the installer is disabled (set to true to disable the installer)
INSTALL_LOCK = false
;;
;; Global secret key that will be used
;; This key is VERY IMPORTANT. If you lose it, the data encrypted by it (like 2FA secret) can't be decrypted anymore.
SECRET_KEY =
;;
;; Alternative location to specify secret key, instead of this file; you cannot specify both this and SECRET_KEY, and must pick one
;; This key is VERY IMPORTANT. If you lose it, the data encrypted by it (like 2FA secret) can't be decrypted anymore.
SECRET_KEY_URI = file:{{ env "NOMAD_SECRETS_DIR" }}/secret_key
;;
;; Reverse proxy authentication header name of user name, email, and full name
;REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
;REVERSE_PROXY_AUTHENTICATION_EMAIL = X-WEBAUTH-EMAIL
;REVERSE_PROXY_AUTHENTICATION_FULL_NAME = X-WEBAUTH-FULLNAME
;;
;; Interpret X-Forwarded-For header or the X-Real-IP header and set this as the remote IP for the request
;REVERSE_PROXY_LIMIT = 1
;;
;; List of IP addresses and networks separated by comma of trusted proxy servers. Use `*` to trust all.
;REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128
;;
;; Set to false to allow users with git hook privileges to create custom git hooks.
;; Custom git hooks can be used to perform arbitrary code execution on the host operating system.
;; This enables the users to access and modify this config file and the Gitea database and interrupt the Gitea service.
;; By modifying the Gitea database, users can gain Gitea administrator privileges.
;; It also enables them to access other resources available to the user on the operating system that is running the Gitea instance and perform arbitrary actions in the name of the Gitea OS user.
;; WARNING: This maybe harmful to you website or your operating system.
;; WARNING: Setting this to true does not change existing hooks in git repos; adjust it before if necessary.
;DISABLE_GIT_HOOKS = true
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
[oauth2]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Enables OAuth2 provider
ENABLE = true
;;
;; Algorithm used to sign OAuth2 tokens. Valid values: HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, EdDSA
;JWT_SIGNING_ALGORITHM = RS256
;;
;; Private key file path used to sign OAuth2 tokens. The path is relative to APP_DATA_PATH.
;; This setting is only needed if JWT_SIGNING_ALGORITHM is set to RS256, RS384, RS512, ES256, ES384 or ES512.
;; The file must contain a RSA or ECDSA private key in the PKCS8 format. If no key exists a 4096 bit key will be created for you.
;JWT_SIGNING_PRIVATE_KEY_FILE = jwt/private.pem
;;
;; OAuth2 authentication secret for access and refresh tokens, change this yourself to a unique string. CLI generate option is helpful in this case. https://docs.gitea.io/en-us/command-line/#generate
;; This setting is only needed if JWT_SIGNING_ALGORITHM is set to HS256, HS384 or HS512.
;JWT_SECRET =
;;
;; Lifetime of an OAuth2 access token in seconds
;ACCESS_TOKEN_EXPIRATION_TIME = 3600
;;
;; Lifetime of an OAuth2 refresh token in hours
;REFRESH_TOKEN_EXPIRATION_TIME = 730
;;
;; Check if refresh token got already used
;INVALIDATE_REFRESH_TOKENS = false
;;
;; Maximum length of oauth2 token/cookie stored on server
;MAX_TOKEN_LENGTH = 32767
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
[log]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Either "console", "file", "conn", "smtp" or "database", default is "console"
;; Use comma to separate multiple modes, e.g. "console, file"
MODE = console
LEVEL = Info
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
[service]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Time limit to confirm account/email registration
;ACTIVE_CODE_LIVE_MINUTES = 180
;;
;; Time limit to perform the reset of a forgotten password
;RESET_PASSWD_CODE_LIVE_MINUTES = 180
;;
;; Whether a new user needs to confirm their email when registering.
;REGISTER_EMAIL_CONFIRM = false
;;
;; Whether a new user needs to be confirmed manually after registration. (Requires `REGISTER_EMAIL_CONFIRM` to be disabled.)
;REGISTER_MANUAL_CONFIRM = false
;;
;; List of domain names that are allowed to be used to register on a Gitea instance
;; gitea.io,example.com
EMAIL_DOMAIN_WHITELIST = iamthefij.com
;;
;; Disallow registration, only allow admins to create accounts.
;DISABLE_REGISTRATION = false
;;
;; Allow registration only using gitea itself, it works only when DISABLE_REGISTRATION is false
;ALLOW_ONLY_INTERNAL_REGISTRATION = false
;;
;; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false
;ALLOW_ONLY_EXTERNAL_REGISTRATION = false
;;
;; User must sign in to view anything.
;REQUIRE_SIGNIN_VIEW = false
;;
;; Mail notification
;ENABLE_NOTIFY_MAIL = false
;;
;; More detail: https://github.com/gogits/gogs/issues/165
;ENABLE_REVERSE_PROXY_AUTHENTICATION = false
;ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
;ENABLE_REVERSE_PROXY_EMAIL = false
;ENABLE_REVERSE_PROXY_FULL_NAME = false
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;[repository.signing]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; GPG key to use to sign commits, Defaults to the default - that is the value of git config --get user.signingkey
;; run in the context of the RUN_USER
;; Switch to none to stop signing completely
;SIGNING_KEY = default
;;
;; If a SIGNING_KEY ID is provided and is not set to default, use the provided Name and Email address as the signer.
;; These should match a publicized name and email address for the key. (When SIGNING_KEY is default these are set to
;; the results of git config --get user.name and git config --get user.email respectively and can only be overridden
;; by setting the SIGNING_KEY ID to the correct ID.)
;SIGNING_NAME =
;SIGNING_EMAIL =
;;
;; Sets the default trust model for repositories. Options are: collaborator, committer, collaboratorcommitter
;DEFAULT_TRUST_MODEL = collaborator
;;
;; Determines when gitea should sign the initial commit when creating a repository
;; Either:
;; - never
;; - pubkey: only sign if the user has a pubkey
;; - twofa: only sign if the user has logged in with twofa
;; - always
;; options other than none and always can be combined as comma separated list
;INITIAL_COMMIT = always
;;
;; Determines when to sign for CRUD actions
;; - as above
;; - parentsigned: requires that the parent commit is signed.
;CRUD_ACTIONS = pubkey, twofa, parentsigned
;; Determines when to sign Wiki commits
;; - as above
;WIKI = never
;;
;; Determines when to sign on merges
;; - basesigned: require that the parent of commit on the base repo is signed.
;; - commitssigned: require that all the commits in the head branch are signed.
;; - approved: only sign when merging an approved pr to a protected branch
;MERGES = pubkey, twofa, basesigned, commitssigned
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;[admin]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Disallow regular (non-admin) users from creating organizations.
;DISABLE_REGULAR_ORG_CREATION = false
;;
;; Default configuration for email notifications for users (user configurable). Options: enabled, onmention, disabled
;DEFAULT_EMAIL_NOTIFICATIONS = enabled
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;[openid]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; OpenID is an open, standard and decentralized authentication protocol.
;; Your identity is the address of a webpage you provide, which describes
;; how to prove you are in control of that page.
;;
;; For more info: https://en.wikipedia.org/wiki/OpenID
;;
;; Current implementation supports OpenID-2.0
;;
;; Tested to work providers at the time of writing:
;; - Any GNUSocial node (your.hostname.tld/username)
;; - Any SimpleID provider (http://simpleid.koinic.net)
;; - http://openid.org.cn/
;; - openid.stackexchange.com
;; - login.launchpad.net
;; - <username>.livejournal.com
;;
;; Whether to allow signin in via OpenID
;ENABLE_OPENID_SIGNIN = true
;;
;; Whether to allow registering via OpenID
;; Do not include to rely on rhw DISABLE_REGISTRATION setting
;;ENABLE_OPENID_SIGNUP = true
;;
;; Allowed URI patterns (POSIX regexp).
;; Space separated.
;; Only these would be allowed if non-blank.
;; Example value: trusted.domain.org trusted.domain.net
;WHITELISTED_URIS =
;;
;; Forbidden URI patterns (POSIX regexp).
;; Space separated.
;; Only used if WHITELISTED_URIS is blank.
;; Example value: loadaverage.org/badguy stackexchange.com/.*spammer
;BLACKLISTED_URIS =
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;[oauth2_client]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Whether a new auto registered oauth2 user needs to confirm their email.
;; Do not include to use the REGISTER_EMAIL_CONFIRM setting from the `[service]` section.
;REGISTER_EMAIL_CONFIRM =
;;
;; Scopes for the openid connect oauth2 provider (separated by space, the openid scope is implicitly added).
;; Typical values are profile and email.
;; For more information about the possible values see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
;OPENID_CONNECT_SCOPES =
;;
;; Automatically create user accounts for new oauth2 users.
;ENABLE_AUTO_REGISTRATION = false
;;
;; The source of the username for new oauth2 accounts:
;; userid = use the userid / sub attribute
;; nickname = use the nickname attribute
;; email = use the username part of the email attribute
;USERNAME = nickname
;;
;; Update avatar if available from oauth2 provider.
;; Update will be performed on each login.
;UPDATE_AVATAR = false
;;
;; How to handle if an account / email already exists:
;; disabled = show an error
;; login = show an account linking login
;; auto = link directly with the account
;ACCOUNT_LINKING = login
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;[webhook]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Hook task queue length, increase if webhook shooting starts hanging
;QUEUE_LENGTH = 1000
;;
;; Deliver timeout in seconds
;DELIVER_TIMEOUT = 5
;;
;; Webhook can only call allowed hosts for security reasons. Comma separated list, eg: external, 192.168.1.0/24, *.mydomain.com
;; Built-in: loopback (for localhost), private (for LAN/intranet), external (for public hosts on internet), * (for all hosts)
;; CIDR list: 1.2.3.0/8, 2001:db8::/32
;; Wildcard hosts: *.mydomain.com, 192.168.100.*
;; Since 1.15.7. Default to * for 1.15.x, external for 1.16 and later
;ALLOWED_HOST_LIST = external
;;
;; Allow insecure certification
;SKIP_TLS_VERIFY = false
;;
;; Number of history information in each page
;PAGING_NUM = 10
;;
;; Proxy server URL, support http://, https//, socks://, blank will follow environment http_proxy/https_proxy
;PROXY_URL =
;;
;; Comma separated list of host names requiring proxy. Glob patterns (*) are accepted; use ** to match all hosts.
;PROXY_HOSTS =
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;[mailer]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; NOTICE: this section is for Gitea 1.18 and later. If you are using Gitea 1.17 or older,
;; please refer to
;; https://github.com/go-gitea/gitea/blob/release/v1.17/custom/conf/app.example.ini
;; https://github.com/go-gitea/gitea/blob/release/v1.17/docs/content/doc/advanced/config-cheat-sheet.en-us.md
;;
;ENABLED = false
;;
;; Buffer length of channel, keep it as it is if you don't know what it is.
;SEND_BUFFER_LEN = 100
;;
;; Prefix displayed before subject in mail
;SUBJECT_PREFIX =
;;
;; Mail server protocol. One of "smtp", "smtps", "smtp+startls", "smtp+unix", "sendmail", "dummy".
;; - sendmail: use the operating system's `sendmail` command instead of SMTP. This is common on Linux systems.
;; - dummy: send email messages to the log as a testing phase.
;; If your provider does not explicitly say which protocol it uses but does provide a port,
;; you can set SMTP_PORT instead and this will be inferred.
;; (Before 1.18, see the notice, this was controlled via MAILER_TYPE and IS_TLS_ENABLED.)
;PROTOCOL =
;;
;; Mail server address, e.g. smtp.gmail.com.
;; For smtp+unix, this should be a path to a unix socket instead.
;; (Before 1.18, see the notice, this was combined with SMTP_PORT as HOST.)
;SMTP_ADDR =
;;
;; Mail server port. Common ports are:
;; 25: insecure SMTP
;; 465: SMTP Secure
;; 587: StartTLS
;; If no protocol is specified, it will be inferred by this setting.
;; (Before 1.18, this was combined with SMTP_ADDR as HOST.)
;SMTP_PORT =
;;
;; Enable HELO operation. Defaults to true.
;ENABLE_HELO = true
;;
;; Custom hostname for HELO operation.
;; If no value is provided, one is retrieved from system.
;HELO_HOSTNAME =
;;
;; If set to `true`, completely ignores server certificate validation errors.
;; This option is unsafe. Consider adding the certificate to the system trust store instead.
;FORCE_TRUST_SERVER_CERT = false
;;
;; Use client certificate in connection.
;USE_CLIENT_CERT = false
;CLIENT_CERT_FILE = custom/mailer/cert.pem
;CLIENT_KEY_FILE = custom/mailer/key.pem
;;
;; Mail from address, RFC 5322. This can be just an email address, or the `"Name" <email@example.com>` format
;FROM =
;;
;; Sometimes it is helpful to use a different address on the envelope. Set this to use ENVELOPE_FROM as the from on the envelope. Set to `<>` to send an empty address.
;ENVELOPE_FROM =
;;
;; Mailer user name and password, if required by provider.
;USER =
;;
;; Use PASSWD = `your password` for quoting if you use special characters in the password.
;PASSWD =
;;
;; Send mails only in plain text, without HTML alternative
;SEND_AS_PLAIN_TEXT = false
;;
;; Specify an alternative sendmail binary
;SENDMAIL_PATH = sendmail
;;
;; Specify any extra sendmail arguments
;; WARNING: if your sendmail program interprets options you should set this to "--" or terminate these args with "--"
;SENDMAIL_ARGS =
;;
;; Timeout for Sendmail
;SENDMAIL_TIMEOUT = 5m
;;
;; convert \r\n to \n for Sendmail
;SENDMAIL_CONVERT_CRLF = true
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;[cache]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; if the cache enabled
;ENABLED = true
;;
;; Either "memory", "redis", "memcache", or "twoqueue". default is "memory"
;ADAPTER = memory
;;
;; For "memory" only, GC interval in seconds, default is 60
;INTERVAL = 60
;;
;; For "redis" and "memcache", connection host address
;; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
;; memcache: `127.0.0.1:11211`
;; twoqueue: `{"size":50000,"recent_ratio":0.25,"ghost_ratio":0.5}` or `50000`
;HOST =
;;
;; Time to keep items in cache if not used, default is 16 hours.
;; Setting it to -1 disables caching
;ITEM_TTL = 16h
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Last commit cache
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;[cache.last_commit]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; if the cache enabled
;ENABLED = true
;;
;; Time to keep items in cache if not used, default is 8760 hours.
;; Setting it to -1 disables caching
;ITEM_TTL = 8760h
;;
;; Only enable the cache when repository's commits count great than
;COMMITS_COUNT = 1000
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;[session]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Either "memory", "file", "redis", "db", "mysql", "couchbase", "memcache" or "postgres"
;; Default is "memory". "db" will reuse the configuration in [database]
;PROVIDER = memory
;;
;; Provider config options
;; memory: doesn't have any config yet
;; file: session file path, e.g. `data/sessions`
;; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
;; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
;PROVIDER_CONFIG = data/sessions
;;
;; Session cookie name
;COOKIE_NAME = i_like_gitea
;;
;; If you use session in https only, default is false
;COOKIE_SECURE = false
;;
;; Session GC time interval in seconds, default is 86400 (1 day)
;GC_INTERVAL_TIME = 86400
;;
;; Session life time in seconds, default is 86400 (1 day)
;SESSION_LIFE_TIME = 86400
;;
;; SameSite settings. Either "none", "lax", or "strict"
;SAME_SITE=lax

193
services/gitea.nomad Normal file
View File

@ -0,0 +1,193 @@
variable "app_ini" {
type = string
}
job "gitea" {
region = "global"
datacenters = ["dc1"]
type = "service"
group "gitea" {
network {
mode = "bridge"
port "web" {
host_network = "loopback"
to = 3000
}
port "ssh" {
host_network = "loopback"
to = 22
}
}
volume "gitea-data" {
type = "host"
read_only = false
source = "gitea-data"
}
service {
name = "gitea-web"
port = "web"
connect {
sidecar_service {
proxy {
local_service_port = 514
upstreams {
destination_name = "mysql-server"
local_bind_port = 6060
}
}
}
sidecar_task {
resources {
cpu = 50
memory = 50
}
}
}
tags = [
"traefik.enable=true",
"traefik.http.routers.gitea.entryPoints=websecure",
]
}
service {
name = "gitea-ssh"
port = "ssh"
connect {
sidecar_service {
proxy {
local_service_port = 22
}
}
sidecar_task {
resources {
cpu = 50
memory = 50
}
}
}
tags = [
"traefik.enable=true",
"traefik.tcp.routers.gitea-ssh.rule=HostSNI(`*`)",
"traefik.tcp.routers.gitea-ssh.entryPoints=gitssh",
]
}
task "gitea-bootstrap" {
driver = "docker"
lifecycle {
hook = "prestart"
sidecar = false
}
config {
image = "mysql:8"
args = [
"/bin/bash",
"-c",
"/usr/bin/mysql --defaults-extra-file=/task/my.cnf < /task/bootstrap.sql",
]
mount {
type = "bind"
source = "local/"
target = "/task/"
}
}
vault {
policies = [
"access-tables",
"nomad-task",
]
}
template {
data = <<EOF
[client]
host={{ env "NOMAD_UPSTREAM_IP_mysql_server" }}
port={{ env "NOMAD_UPSTREAM_PORT_mysql_server" }}
user=root
{{ with secret "kv/data/mysql" }}
password={{ .Data.data.root_password }}
{{ end }}
EOF
destination = "local/my.cnf"
}
template {
data = <<EOF
{{ with secret "kv/data/gitea" -}}
{{ if .Data.data.db_name -}}
CREATE DATABASE IF NOT EXISTS `{{ .Data.data.db_name }}`;
CREATE USER IF NOT EXISTS '{{ .Data.data.db_user }}'@'%' IDENTIFIED BY '{{ .Data.data.db_pass }}';
GRANT ALL ON `{{ .Data.data.db_name }}`.* to '{{ .Data.data.db_user }}'@'%';
{{ else -}}
SELECT 'NOOP';
{{ end -}}
{{ end -}}
EOF
destination = "local/bootstrap.sql"
}
resources {
cpu = 50
memory = 50
}
}
task "gitea" {
driver = "docker"
volume_mount {
volume = "gitea-data"
destination = "/data"
read_only = false
}
config {
image = "gitea/gitea:1.17.3"
ports = ["web", "ssh"]
}
env = {
"GITEA_CUSTOM" = "${NOMAD_TASK_DIR}"
}
vault {
policies = [
"access-tables",
"nomad-task",
]
}
template {
data = var.app_ini
destination = "local/conf/app.ini"
}
template {
data = <<EOF
{{ with secret "kv/data/gitea" -}}
{{ .Data.data.secret_key }}
{{ end -}}
EOF
destination = "secrets/secret_key"
}
}
}
}

View File

@ -31,6 +31,16 @@ resource "nomad_job" "ipdvr" {
jobspec = file("${path.module}/ip-dvr.nomad") jobspec = file("${path.module}/ip-dvr.nomad")
} }
resource "nomad_job" "gitea" {
hcl2 {
enabled = true
vars = {
"app_ini" = file("${path.module}/gitea.app.ini"),
}
}
jobspec = file("${path.module}/gitea.nomad")
}
resource "consul_config_entry" "nzbget_intents" { resource "consul_config_entry" "nzbget_intents" {
depends_on = [nomad_job.ipdvr] depends_on = [nomad_job.ipdvr]