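# Gitea behind the shared "./service" module.
#
# HTTP (port 3000) is published through the Traefik ingress; git-over-SSH is
# passed through Traefik's `gitssh` TCP entrypoint to the container's port 22
# without TLS termination. Sign-in is delegated to Authelia via an OAuth2/OIDC
# auth source that bootstrap_auth.sh (last template below) creates or updates.
module "gitea" {
  source = "./service"

  name  = "git"
  image = "gitea/gitea:1.21"

  resources = {
    cpu    = 200
    memory = 512
  }

  env = {
    # Keep Gitea's working dir and custom files inside the allocation's task
    # directory so that only /data (host volume below) outlives the allocation.
    GITEA_WORK_DIR = "$${NOMAD_TASK_DIR}"
    GITEA_CUSTOM   = "$${NOMAD_TASK_DIR}/custom"
  }

  ingress      = true
  service_port = 3000
  use_wesher   = var.use_wesher

  ports = [
    {
      name = "ssh"
      to   = 22
    }
  ]

  service_check = {
    path = "/api/healthz"
  }

  custom_services = [
    {
      name = "git-ssh"
      port = "ssh"
      tags = [
        "traefik.enable=true",
        "traefik.tcp.routers.git-ssh.entryPoints=gitssh",
        # A non-TLS TCP router has no SNI to match on, so Traefik requires
        # HostSNI(`*`): every connection on the `gitssh` entrypoint lands here.
        "traefik.tcp.routers.git-ssh.rule=HostSNI(`*`)",
        # SSH is its own encrypted transport; Traefik must not wrap it in TLS.
        "traefik.tcp.routers.git-ssh.tls=false",
      ]
    },
  ]

  use_smtp = true

  mysql_bootstrap = {
    enabled = true
  }

  # Registers Gitea as an OIDC client with Authelia. The redirect URI is
  # /user/oauth2/<auth-source-name>/callback; the source name ("authelia") is
  # fixed by the `--name` passed in bootstrap_auth.sh below, so keep the two in
  # sync or the callback will be rejected.
  oidc_client_config = {
    description = "Gitea"
    redirect_uris = [
      "https://git.thefij.rocks/user/oauth2/authelia/callback",
    ]
    scopes = ["openid", "email", "profile"]
  }

  host_volumes = [
    {
      name      = "gitea-data"
      dest      = "/data"
      read_only = false
    },
  ]

  templates = [
    # Non-secret Gitea configuration, exported to the task as environment
    # variables (GITEA__<section>__<KEY>).
    {
      data = <<EOF
{{ with nomadVar "nomad/jobs/git" }}
GITEA__server__DOMAIN=git.thefij.rocks
# Port advertised in SSH clone URLs. The container listens on 22; Traefik's
# gitssh entrypoint (presumably :2222) forwards to it.
GITEA__server__SSH_PORT=2222
GITEA__server__ROOT_URL=https://git.thefij.rocks

# Never expose the web installer: configuration comes entirely from here.
GITEA__security__INSTALL_LOCK=true

GITEA__database__DB_TYPE=mysql
GITEA__database__HOST=127.0.0.1:3306
GITEA__database__NAME={{ .db_name }}
GITEA__database__USER={{ .db_user }}

# No local self-registration: accounts are created only on first login through
# an external auth source (Authelia). DISABLE_REGISTRATION must stay false for
# ALLOW_ONLY_EXTERNAL_REGISTRATION to take effect.
GITEA__service__DISABLE_REGISTRATION=false
GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=true
GITEA__service__SHOW_REGISTRATION_BUTTON=false

# [openid] is Gitea's legacy OpenID 2.0 sign-in (separate from the OAuth2 auth
# source). Restrict it to the Authelia host so arbitrary OpenID providers cannot
# sign up accounts.
GITEA__openid__ENABLE_OPENID_SIGNIN=true
GITEA__openid__ENABLE_OPENID_SIGNUP=true
GITEA__openid__WHITELISTED_URIS=authelia.thefij.rocks

GITEA__log__ROOT_PATH={{ env "NOMAD_TASK_DIR" }}/log

GITEA__mailer__ENABLED=true
GITEA__mailer__FROM={{ .smtp_sender }}

GITEA__session__provider=db
{{ end }}
EOF
      env   = true
      mount = false
      dest  = "env"
    },
    # Secrets, rendered under NOMAD_SECRETS_DIR so they are not written to the
    # allocation's regular task dir.
    # TODO: Gitea still copies these values into the app.ini it writes under
    # GITEA_WORK_DIR (/local), so they end up on disk there anyway.
    # Find some way to get it to write the ini to /secrets.
    {
      data = <<EOF
{{ with nomadVar "nomad/jobs/git" }}
GITEA__security__SECRET_KEY="{{ .secret_key }}"
GITEA__database__PASSWD={{ .db_pass }}
{{ end }}
{{ with nomadVar "secrets/smtp" }}
GITEA__mailer__SMTP_ADDR={{ .server }}
GITEA__mailer__SMTP_PORT={{ .port }}
GITEA__mailer__USER={{ .user }}
GITEA__mailer__PASSWD={{ .password }}
{{ end }}
EOF
      env         = true
      mount       = false
      dest        = "env"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
    },
    # OIDC client credentials consumed by bootstrap_auth.sh. Any (re)render of
    # this file -- e.g. after rotating the secret in Nomad variables -- re-runs
    # the script, which updates the existing auth source in place.
    # The file is `source`d by bash, so the values are used unquoted: the client
    # id/secret must not contain whitespace or shell metacharacters.
    {
      data = <<EOF
{{ with nomadVar "secrets/authelia/git" -}}
CLIENT_ID={{ .client_id }}
SECRET={{ .secret }}
{{- end }}
EOF
      dest        = "oauth.env"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
      mount       = false
      change_mode = "script"
      change_script = {
        command = "/local/bootstrap_auth.sh"
      }
    },
    # Creates the "authelia" OAuth2 auth source in Gitea on first run and
    # updates its client id/secret on later runs. Triggered by the oauth.env
    # template above, so it is "noop" on its own changes.
    {
      data = <<EOF
#! /bin/bash
# Fail hard on any error (including a failed `auth list` inside the pipe) and
# on an unset CLIENT_ID/SECRET, rather than treating a failed lookup as
# "provider missing" and creating a duplicate with empty credentials.
set -euo pipefail

# Plain KEY=value file rendered by Nomad; values are not quoted, so the
# credentials must be free of whitespace and shell metacharacters.
source {{ env "NOMAD_SECRETS_DIR" }}/oauth.env
auth_provider_id=$(su -- git gitea admin auth list | awk '/authelia/ { print $1 }')

if [ -z "$auth_provider_id" ]; then
  echo "Creating Authelia OAuth provider"
  # --skip-local-2fa: users signing in through this source are not prompted
  # for Gitea's own 2FA, on the assumption that Authelia enforces a second
  # factor for this app. Drop the flag if Authelia's policy for git.* is
  # one-factor.
  su -- git gitea admin auth add-oauth \
    --name authelia \
    --provider openidConnect \
    --key "$CLIENT_ID" \
    --secret "$SECRET" \
    --auto-discover-url https://authelia.thefij.rocks/.well-known/openid-configuration \
    --skip-local-2fa
else
  echo "Updating Authelia OAuth provider"
  su -- git gitea admin auth update-oauth \
    --id "$auth_provider_id" \
    --key "$CLIENT_ID" \
    --secret "$SECRET"
fi
EOF
      dest = "bootstrap_auth.sh"
      # Executable, but not writable by anyone other than the owner. The script
      # previously had mode 777: it is run by Nomad with the task's privileges
      # and handles the OIDC client secret, so a world-writable copy would let
      # any less-privileged process in the task (e.g. the `git` user running
      # Gitea itself) inject commands into it.
      perms       = "755"
      change_mode = "noop"
      mount       = false
    },
  ]
}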