From 5cbc438ff6a0f0eaf6180cf54905e0521cc3f941 Mon Sep 17 00:00:00 2001
From: Nemo <me@captnemo.in>
Date: Sat, 07 Apr 2018 13:35:20 +0530
Subject: [PATCH] Gitea configuration update.

- Enables Redis as the cache and session store
- LFS JWT secret is moved out of the template into a Terraform variable and rotated
- Mailer config is tidied up
---
 main.tf                 |   1 +
 variables.tf            |   3 ++-
 gitea/data.tf           |   5 +++++
 gitea/main.tf           |   5 ++++-
 gitea/redis.tf          |  14 ++++++++++++++
 gitea/variables.tf      |   1 +
 gitea/conf/conf.ini.tpl | 275 ++++++++++++++------------------------------------------------------------------
 7 files changed, 48 insertions(+), 256 deletions(-)

diff --git a/main.tf b/main.tf
index 97cb654..c5003bb 100644
--- a/main.tf
+++ a/main.tf
@@ -42,6 +42,7 @@
   secret-key     = "${var.gitea-secret-key}"
   internal-token = "${var.gitea-internal-token}"
   smtp-password  = "${var.gitea-smtp-password}"
+  lfs-jwt-secret = "${var.gitea-lfs-jwt-secret}"
 }
 
 module "radicale" {
diff --git a/variables.tf b/variables.tf
index f0e9da4..104d54c 100644
--- a/variables.tf
+++ a/variables.tf
@@ -44,6 +44,7 @@
 variable "gitea-secret-key" {}
 variable "gitea-internal-token" {}
 variable "gitea-smtp-password" {}
+variable "gitea-lfs-jwt-secret" {}
 variable "digitalocean-token" {}
 variable "airsonic-smtp-password" {}
 
@@ -62,7 +63,7 @@
     "traefik.frontend.headers.customResponseHeaders" = "X-Powered-By:Allomancy||X-Server:Blackbox"
 
     // X-Frame-Options
-    "traefik.frontend.headers.customFrameOptionsValue" = "ALLOW-FROM https://home.bb8.fun/"
+    "traefik.frontend.headers.customFrameOptionsValue" = "ALLOW-FROM https://bb8.fun/"
     "traefik.frontend.headers.contentTypeNosniff"      = "true"
     "traefik.frontend.headers.browserXSSFilter"        = "true"
   }
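Review bot: The `ALLOW-FROM` form of X-Frame-Options on the changed line is not understood by Chromium-based browsers or Safari, which discard the whole header when the directive is unrecognised, so on those browsers the Gitea UI ends up with no framing protection at all; only Firefox and IE honour it. The portable equivalent is a Content-Security-Policy `frame-ancestors` directive, which fits into the existing customResponseHeaders value: `"traefik.frontend.headers.customResponseHeaders" = "X-Powered-By:Allomancy||X-Server:Blackbox||Content-Security-Policy:frame-ancestors https://bb8.fun"`. Keeping `customFrameOptionsValue` alongside it is harmless for the browsers that still evaluate ALLOW-FROM. A one-line comment above the two labels saying why both are set would stop the next reader from dropping one.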
diff --git a/gitea/data.tf b/gitea/data.tf
index 351eb28..c0df300 100644
--- a/gitea/data.tf
+++ a/gitea/data.tf
@@ -1,8 +1,12 @@
 # https://github.com/go-gitea/gitea/releases
 data "docker_registry_image" "gitea" {
   name = "gitea/gitea:1.4"
 }
 
+data "docker_registry_image" "redis" {
+  name = "redis:alpine"
+}
+
 data "template_file" "gitea-config-file" {
   template = "${file("${path.module}/conf/conf.ini.tpl")}"
 
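Review bot: `redis:alpine` on the new `docker_registry_image` is a floating tag, while the sibling Gitea image directly above is pinned to `gitea/gitea:1.4`; together with a digest-based `pull_triggers` on the image resource, any upstream retag silently rolls a new Redis major onto the host that will hold the session store. Pin to a versioned tag (e.g. `name = "redis:4-alpine"`) or a digest so upgrades are a deliberate change, and give the block the same kind of release-page comment the Gitea block carries, e.g. `# https://hub.docker.com/_/redis`.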
@@ -10,5 +14,6 @@
     secret_key     = "${var.secret-key}"
     internal_token = "${var.internal-token}"
     smtp_password  = "${var.smtp-password}"
+    lfs-jwt-secret = "${var.lfs-jwt-secret}"
   }
 }
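Review bot: The new template variable is named `lfs-jwt-secret` while its three siblings in the same `vars` map are snake_case (`secret_key`, `internal_token`, `smtp_password`); renaming it `lfs_jwt_secret = "${var.lfs-jwt-secret}"` (and `${lfs_jwt_secret}` in conf.ini.tpl) keeps the template namespace consistent and avoids a bare hyphenated identifier inside `${...}`, which reads as a subtraction to anyone not familiar with the HIL identifier rules. A practitioner caveat worth recording on this data source: the rendered output of `template_file`, secrets included, is stored in plaintext in Terraform state, so the state backend needs the same access controls as the secrets themselves — e.g. `# NOTE: rendered output (with all four secrets) lands in terraform state; keep state private/encrypted`. The `vars` map starts before this hunk.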
diff --git a/gitea/main.tf b/gitea/main.tf
index 19b64e3..f3ff71a 100644
--- a/gitea/main.tf
+++ a/gitea/main.tf
@@ -1,4 +1,4 @@
-resource docker_container "gitea" {
+resource "docker_container" "gitea" {
   name  = "gitea"
   image = "${docker_image.gitea.latest}"
 
@@ -59,6 +59,9 @@
   restart               = "unless-stopped"
   destroy_grace_seconds = 10
   must_run              = true
+  links = [
+    "gitea-redis",
+  ]
 }
 
 resource "docker_image" "gitea" {
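Review bot: `links = ["gitea-redis"]` is a bare string, so Terraform infers no dependency on `docker_container.redis`; on a fresh apply the provider may create `gitea` before `gitea-redis` exists and the container start fails on the missing link. Reference the resource instead, `links = ["${docker_container.redis.name}"]`, or add `depends_on = ["docker_container.redis"]`, so the ordering is explicit. Legacy links also only work on Docker's default bridge, where (with the default inter-container communication setting) every other container on the host can reach the Redis as well; a user-defined `docker_network` shared by the two containers would replace the deprecated links and isolate the cache at the same time. The `docker_container.gitea` resource starts before this hunk.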
diff --git a/gitea/redis.tf b/gitea/redis.tf
new file mode 100644
index 0000000..3818a93 100644
--- /dev/null
+++ a/gitea/redis.tf
@@ -1,0 +1,14 @@
+resource "docker_container" "redis" {
+  name  = "gitea-redis"
+  image = "${docker_image.redis.latest}"
+
+  volumes {
+    host_path      = "/mnt/xwing/cache/gitea"
+    container_path = "/data"
+  }
+}
+
+resource "docker_image" "redis" {
+  name          = "${data.docker_registry_image.redis.name}"
+  pull_triggers = ["${data.docker_registry_image.redis.sha256_digest}"]
+}
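Review bot: The new `gitea-redis` container has no restart policy, while the Gitea container it backs runs with `restart = "unless-stopped"` and `must_run = true`; after a host reboot Gitea comes back but Redis does not, and with both cache and sessions pointed at it every login will fail. This Redis also starts without a password and on the default bridge, and Gitea will keep every live login session in it, so anything that can reach `gitea-redis:6379` can read or forge sessions; the minimal hardening is a restart policy plus a dedicated network, with `--requirepass` (and a matching `password=` in both Gitea connection strings) passed the same way the other secrets are. Rewritten resource, volumes unchanged:
```hcl
resource "docker_network" "gitea" {
  name = "gitea"
}

resource "docker_container" "redis" {
  name     = "gitea-redis"
  image    = "${docker_image.redis.latest}"
  restart  = "unless-stopped"
  must_run = true
  networks = ["${docker_network.gitea.name}"]

  # … unchanged: volumes …
}
```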
diff --git a/gitea/variables.tf b/gitea/variables.tf
index 5159105..a3b9fff 100644
--- a/gitea/variables.tf
+++ a/gitea/variables.tf
@@ -11,3 +11,4 @@
 variable "secret-key" {}
 variable "internal-token" {}
 variable "smtp-password" {}
+variable "lfs-jwt-secret" {}
diff --git a/gitea/conf/conf.ini.tpl b/gitea/conf/conf.ini.tpl
index a4b295c..d2db1c8 100644
--- a/gitea/conf/conf.ini.tpl
+++ a/gitea/conf/conf.ini.tpl
@@ -1,6 +1,7 @@
 ; This file lists the default values used by Gitea
 ; Copy required sections to your own app.ini (default is custom/conf/app.ini)
 ; and modify as needed.
+; See the cheatsheet at https://docs.gitea.io/en-us/config-cheat-sheet/
 
 ; App name that shows on every page title
 APP_NAME = Nemo's code
@@ -9,6 +10,7 @@
 
 [repository]
 ROOT = /data/git/repositories
+USE_COMPAT_SSH_URI = true
 
 [repository.upload]
 TEMP_PATH = /data/gitea/uploads
@@ -47,9 +49,7 @@
 ENABLE_HARD_LINE_BREAK = false
 ; List of custom URL-Schemes that are allowed as links when rendering Markdown
 ; for example git,magnet
-CUSTOM_URL_SCHEMES = git,magnet,steam
-; List of file extensions that should be rendered/edited as Markdown
-; Separate extensions with a comma. To render files w/o extension as markdown, just put a comma
+CUSTOM_URL_SCHEMES = git,magnet,steam,irc,slack
 FILE_EXTENSIONS = .md,.markdown,.mdown,.mkd
 
 ; Define allowed algorithms and their minimum key length (use -1 to disable a type)
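Review bot: The two comment lines describing `FILE_EXTENSIONS` were dropped while the key itself stays, so the value is now undocumented; restore something like `; File extensions rendered/edited as Markdown (comma-separated; a lone comma also renders extension-less files)`. `CUSTOM_URL_SCHEMES` deserves a comment too: every scheme listed becomes a clickable link in rendered Markdown that the browser generally hands to whatever local handler is registered for `irc:` or `slack:`, so the list should stay deliberate — e.g. `; Extra schemes rendered as clickable links (handed to local protocol handlers); keep this list minimal`.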
@@ -59,7 +59,6 @@
 RSA = 2048
 DSA = 1024
 
-
 [server]
 APP_DATA_PATH    = /data/gitea
 SSH_DOMAIN       = git.captnemo.in
@@ -70,9 +69,16 @@
 DOMAIN           = git.captnemo.in
 LFS_START_SERVER = true
 LFS_CONTENT_PATH = /data/gitea/lfs
-LFS_JWT_SECRET   = nsLco71Wn4iu_UzyDir0jzkCdJDya1L9N0KZfgew13E
+LFS_JWT_SECRET   = ${lfs-jwt-secret}
 OFFLINE_MODE     = true
+LANDING_PAGE     = explore
+MINIMUM_KEY_SIZE_CHECK = true
 
+# Uses the Mozilla Modern SSH Config params
+SSH_SERVER_CIPHERS = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+SSH_SERVER_KEY_EXCHANGES = curve25519-sha256@libssh.org, ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group-exchange-sha256
+SSH_SERVER_MACS = hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-512, hmac-sha2-256, umac-128@openssh.com
+
 [database]
 
 ; TODO
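Review bot: `MINIMUM_KEY_SIZE_CHECK = true` now enforces the key-size values visible above the hunk (their section header is outside it), and those still accept `DSA = 1024`, so a 1024-bit DSA key passes the newly enabled check; set `DSA = -1` to reject DSA outright, which also matches the Mozilla guide the new comment cites, where DSA is not among the recommended key types. The three `SSH_SERVER_*` lines only apply to Gitea's built-in SSH server; if this container uses the image's OpenSSH daemon instead (`START_SSH_SERVER` is not visible in the hunk), they have no effect and the cipher policy belongs in sshd_config — a comment stating which server is in use would make that explicit, e.g. `; Only honoured by the builtin SSH server (START_SSH_SERVER = true)`. Minor: the new comment uses `#` while the rest of the file uses `;`; Gitea's INI parser accepts both, but pick one.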
@@ -111,7 +117,7 @@
 [indexer]
 ISSUE_INDEXER_PATH = indexers/issues.bleve
 ; repo indexer by default disabled, since it uses a lot of disk space
-REPO_INDEXER_ENABLED = false
+REPO_INDEXER_ENABLED = true
 REPO_INDEXER_PATH = indexers/repos.bleve
 UPDATE_BUFFER_LEN = 20
 MAX_FILE_SIZE = 1048576
@@ -121,21 +127,11 @@
 DISABLE_REGULAR_ORG_CREATION = false
 
 [security]
-; Whether the installer is disabled
 INSTALL_LOCK = true
-; Auto-login remember days
 LOGIN_REMEMBER_DAYS = 30
-; COOKIE_USERNAME = gitea_awesome
-; COOKIE_REMEMBER_NAME = gitea_incredible
-; Reverse proxy authentication header name of user name
-; REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
-; Sets the minimum password length for new Users
 MIN_PASSWORD_LENGTH = 10
-; True when users are allowed to import local server paths
 IMPORT_LOCAL_PATHS = false
-; Prevent all users (including admin) from creating custom git hooks
 DISABLE_GIT_HOOKS = true
-
 SECRET_KEY     = ${secret_key}
 INTERNAL_TOKEN = ${internal_token}
 
@@ -170,73 +166,24 @@
 ENABLE_REVERSE_PROXY_AUTHENTICATION = false
 ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
 
-; [webhook]
-; ; Hook task queue length, increase if webhook shooting starts hanging
-; QUEUE_LENGTH = 1000
-; ; Deliver timeout in seconds
-; DELIVER_TIMEOUT = 5
-; ; Allow insecure certification
-; SKIP_TLS_VERIFY = false
-; ; Number of history information in each page
-; PAGING_NUM = 10
-
 [mailer]
 ENABLED = true
-; ; Buffer length of channel, keep it as it is if you don't know what it is.
-; SEND_BUFFER_LEN = 100
-; ; Name displayed in mail title
-; SUBJECT = %(APP_NAME)s
-; ; Mail server
-; ; Gmail: smtp.gmail.com:587
-; ; QQ: smtp.qq.com:465
-; ; Note, if the port ends with "465", SMTPS will be used. Using STARTTLS on port 587 is recommended per RFC 6409. If the server supports STARTTLS it will always be used.
-HOST = smtp.migadu.com:587
-; ; Disable HELO operation when hostname are different.
-; DISABLE_HELO =
-; ; Custom hostname for HELO operation, default is from system.
-; HELO_HOSTNAME =
-; ; Do not verify the certificate of the server. Only use this for self-signed certificates
-; SKIP_VERIFY =
-; ; Use client certificate
-; USE_CERTIFICATE = false
-; CERT_FILE = custom/mailer/cert.pem
-; KEY_FILE = custom/mailer/key.pem
-; ; Mail from address, RFC 5322. This can be just an email address, or the `"Name" <email@example.com>` format
 FROM = git@captnemo.in
-; ; Mailer user name and password
 USER = git@captnemo.in
 PASSWD = ${smtp_password}
-; ; Send mails as plain text
+HOST = smtp.migadu.com:587
 SEND_AS_PLAIN_TEXT = true
-; ; Enable sendmail (override SMTP)
-; USE_SENDMAIL = false
-; ; Specify an alternative sendmail binary
-; SENDMAIL_PATH = sendmail
-; ; Specify any extra sendmail arguments
-; SENDMAIL_ARGS =
-
-; [cache]
-; ; Either "memory", "redis", or "memcache", default is "memory"
-; ADAPTER = memory
-; ; For "memory" only, GC interval in seconds, default is 60
-; INTERVAL = 60
-; ; For "redis" and "memcache", connection host address
-; ; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
-; ; memcache: `127.0.0.1:11211`
-; HOST =
-; ; Time to keep items in cache if not used, default is 16 hours.
-; ; Setting it to 0 disables caching
-; ITEM_TTL = 16h
+
+[cache]
+ADAPTER = redis
+INTERVAL = 60
+HOST = "network=tcp,addr=gitea-redis:6379,db=0,pool_size=100,idle_timeout=180"
+ITEM_TTL = 16h
 
 [session]
 ; ; Either "memory", "file", or "redis", default is "memory"
-; PROVIDER = memory
-; ; Provider config options
-; ; memory: not have any config yet
-; ; file: session file path, e.g. `data/sessions`
-; ; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
-; ; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
-; PROVIDER_CONFIG = data/sessions
+PROVIDER = redis
+PROVIDER_CONFIG = "network=tcp,addr=gitea-redis:6379,db=1,pool_size=100,idle_timeout=180"
 ; ; Session cookie name
 COOKIE_NAME = i_like_gitea
 ; ; If you use session in https only, default is false
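Review bot: Neither new connection string (`[cache] HOST` nor `[session] PROVIDER_CONFIG`) carries a `password=` parameter, so the session store — every live login — now lives in a Redis that accepts unauthenticated connections from anything that can reach `gitea-redis:6379`; if Redis is started with `--requirepass`, add `password=...` to both strings (the deleted comment on the old side shows the parameter), and keep the two databases separate as done here so a cache flush cannot drop sessions. Style: these are the only two double-quoted values in the file; the INI library Gitea uses strips surrounding double quotes so it should work, but a note such as `; quoted because the value contains commas and '='` — or dropping the quotes like every other value — would remove the inconsistency. The `[session]` section continues beyond this hunk.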
@@ -248,18 +195,6 @@
 ; ; Session life time in seconds, default is 86400 (1 day)
 SESSION_LIFE_TIME = 2592000
 
-; [picture]
-; AVATAR_UPLOAD_PATH = data/avatars
-; ; Chinese users can choose "duoshuo"
-; ; or a custom avatar source, like: http://cn.gravatar.com/avatar/
-; GRAVATAR_SOURCE = gravatar
-; ; This value will be forced to be true in offline mode.
-; DISABLE_GRAVATAR = false
-; ; Federated avatar lookup uses DNS to discover avatar associated
-; ; with emails, see https://www.libravatar.org
-; ; This value will be forced to be false in offline mode or Gravatar is disabled.
-; ENABLE_FEDERATED_AVATAR = false
-
 [attachment]
 ; ; Whether attachments are enabled. Defaults to `true`
 ENABLE = true
@@ -272,72 +207,7 @@
 ; ; Max number of files per upload. Defaults to 10
 ; MAX_FILES = 5
 
-; [time]
-; ; Specifies the format for fully outputted dates. Defaults to RFC1123
-; ; Special supported values are ANSIC, UnixDate, RubyDate, RFC822, RFC822Z, RFC850, RFC1123, RFC1123Z, RFC3339, RFC3339Nano, Kitchen, Stamp, StampMilli, StampMicro and StampNano
-; ; For more information about the format see http://golang.org/pkg/time/#pkg-constants
-; FORMAT =
-
-; [log]
-; ROOT_PATH =
-; ; Either "console", "file", "conn", "smtp" or "database", default is "console"
-; ; Use comma to separate multiple modes, e.g. "console, file"
-; MODE = console
-; ; Buffer length of channel, keep it as it is if you don't know what it is.
-; BUFFER_LEN = 10000
-; ; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace"
 LEVEL = Info
-
-; ; For "console" mode only
-; [log.console]
-; LEVEL =
-
-; ; For "file" mode only
-; [log.file]
-; LEVEL =
-; ; This enables automated log rotate(switch of following options), default is true
-; LOG_ROTATE = true
-; ; Max line number of single file, default is 1000000
-; MAX_LINES = 1000000
-; ; Max size shift of single file, default is 28 means 1 << 28, 256MB
-; MAX_SIZE_SHIFT = 28
-; ; Segment log daily, default is true
-; DAILY_ROTATE = true
-; ; Expired days of log file(delete after max days), default is 7
-; MAX_DAYS = 7
-
-; ; For "conn" mode only
-; [log.conn]
-; LEVEL =
-; ; Reconnect host for every single message, default is false
-; RECONNECT_ON_MSG = false
-; ; Try to reconnect when connection is lost, default is false
-; RECONNECT = false
-; ; Either "tcp", "unix" or "udp", default is "tcp"
-; PROTOCOL = tcp
-; ; Host address
-; ADDR =
-
-; ; For "smtp" mode only
-; [log.smtp]
-; LEVEL =
-; ; Name displayed in mail title, default is "Diagnostic message from server"
-; SUBJECT = Diagnostic message from server
-; ; Mail server
-; HOST =
-; ; Mailer user name and password
-; USER =
-; PASSWD =
-; ; Receivers, can be one or more, e.g. 1@example.com,2@example.com
-; RECEIVERS =
-
-; ; For "database" mode only
-; [log.database]
-; LEVEL =
-; ; Either "mysql" or "postgres"
-; DRIVER =
-; ; Based on xorm, e.g.: root:root@localhost/gitea?charset=utf8
-; CONN =
 
 [cron]
 ; Enable running cron tasks periodically.
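Review bot: With the commented `; [log]` header deleted there is still no live `[log]` header on the new side, so `LEVEL = Info` falls under the preceding `[attachment]` section (which starts before this hunk) and Gitea ignores it, leaving logging at its default level — `Trace` according to the deleted comment — which is far chattier than intended for a production instance. Put the header back so the key lands where it belongs: `[log]` on the line above `LEVEL = Info` (optionally with `MODE = console`). This assumes no real `[log]` header sits in the six unchanged lines between this and the previous hunk; none is visible.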
@@ -349,102 +219,9 @@
 [cron.update_mirrors]
 SCHEDULE = @every 3h
 
-; ; Repository health check
-; [cron.repo_health_check]
-; SCHEDULE = @every 24h
-; TIMEOUT = 60s
-; ; Arguments for command 'git fsck', e.g. "--unreachable --tags"
-; ; see more on http://git-scm.com/docs/git-fsck/1.7.5
-; ARGS =
-
-; ; Check repository statistics
-; [cron.check_repo_stats]
-; RUN_AT_START = true
-; SCHEDULE = @every 24h
-
-; ; Clean up old repository archives
-; [cron.archive_cleanup]
-; ; Whether to enable the job
-; ENABLED = true
-; ; Whether to always run at least once at start up time (if ENABLED)
-; RUN_AT_START = true
-; ; Time interval for job to run
-; SCHEDULE = @every 24h
-; ; Archives created more than OLDER_THAN ago are subject to deletion
-; OLDER_THAN = 24h
-
-; ; Synchronize external user data (only LDAP user synchronization is supported)
-; [cron.sync_external_users]
-; ; Synchronize external user data when starting server (default false)
-; RUN_AT_START = false
-; ; Interval as a duration between each synchronization (default every 24h)
-; SCHEDULE = @every 24h
-; ; Create new users, update existing user data and disable users that are not in external source anymore (default)
-; ;   or only create new users if UPDATE_EXISTING is set to false
-; UPDATE_EXISTING = true
-
-; [git]
-; ; Disables highlight of added and removed changes
-; DISABLE_DIFF_HIGHLIGHT = false
-; ; Max number of lines allowed of a single file in diff view
-; MAX_GIT_DIFF_LINES = 1000
-; ; Max number of characters of a line allowed in diff view
-; MAX_GIT_DIFF_LINE_CHARACTERS = 5000
-; ; Max number of files shown in diff view
-; MAX_GIT_DIFF_FILES = 100
-; ; Arguments for command 'git gc', e.g. "--aggressive --auto"
-; ; see more on http://git-scm.com/docs/git-gc/1.7.5
-; GC_ARGS =
-
-; ; Operation timeout in seconds
-[git.timeout]
-MIGRATE = 600
-MIRROR = 300
-CLONE = 300
-PULL = 300
-GC = 60
-
-; [mirror]
-; ; Default interval as a duration between each check
-; DEFAULT_INTERVAL = 8h
-; ; Min interval as a duration must be > 1m
-; MIN_INTERVAL = 10m
-
 [api]
 ; Max number of items will response in a page
 MAX_RESPONSE_ITEMS = 100
-
-; [i18n]
-; LANGS = en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,ja-JP,es-ES,pt-BR,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sr-SP,sv-SE,ko-KR
-; NAMES = English,简体中文,繁體中文(香港),繁體中文(台灣),Deutsch,français,Nederlands,latviešu,русский,日本語,español,português do Brasil,polski,български,italiano,suomi,Türkçe,čeština,српски,svenska,한국어
-
-; ; Used for datetimepicker
-; [i18n.datelang]
-; en-US = en
-; zh-CN = zh
-; zh-HK = zh-TW
-; zh-TW = zh-TW
-; de-DE = de
-; fr-FR = fr
-; nl-NL = nl
-; lv-LV = lv
-; ru-RU = ru
-; ja-JP = ja
-; es-ES = es
-; pt-BR = pt-BR
-; pl-PL = pl
-; bg-BG = bg
-; it-IT = it
-; fi-FI = fi
-; tr-TR = tr
-; cs-CZ = cs-CZ
-; sr-SP = sr
-; sv-SE = sv
-; ko-KR = ko
-
-; ; Extension mapping to highlight class
-; ; e.g. .toml=ini
-; [highlight.mapping]
 
 [other]
 SHOW_FOOTER_BRANDING = false
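Review bot: The live `[git.timeout]` block (`MIGRATE = 600`, `MIRROR = 300`, `CLONE = 300`, `PULL = 300`, `GC = 60`) appears to go away with the commented-out sections: the hunk's line counts place those six lines on the old side only, although their `-` markers are missing in this rendering, so the point is inferred rather than certain. If that is intended, the commit message should say so, since git operation timeouts silently revert to Gitea's defaults; if not, keep the six lines as they were.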
@@ -452,16 +229,6 @@
 SHOW_FOOTER_VERSION = true
 ; Show time of template execution in the footer
 SHOW_FOOTER_TEMPLATE_LOAD_TIME = false
-
-; [markup.asciidoc]
-; ENABLED = false
-; ; List of file extensions that should be rendered by an external command
-; FILE_EXTENSIONS = .adoc,.asciidoc
-; ; External command to render all matching extensions
-; RENDER_COMMAND = "asciidoc --out-file=- -"
-; ; Input is not a standard input but a file
-; IS_INPUT_FILE = false
-
 
 [openid]
 ENABLE_OPENID_SIGNIN = true
--
rgit 0.1.5