From 5cbc438ff6a0f0eaf6180cf54905e0521cc3f941 Mon Sep 17 00:00:00 2001
From: Nemo
Date: Sat, 7 Apr 2018 13:35:20 +0530
Subject: [PATCH] Gitea configuration update.
- Enables redis
- LFS JWT secret is now rotated
- Mail config is proper
---
gitea/conf/conf.ini.tpl | 273 +++------------------------------------
gitea/data.tf | 5 +
gitea/main.tf | 5 +-
gitea/redis.tf | 14 +++
gitea/variables.tf | 1 +
main.tf | 1 +
variables.tf | 3 +-
7 files changed, 47 insertions(+), 255 deletions(-)
create mode 100644 gitea/redis.tf
diff --git a/gitea/conf/conf.ini.tpl b/gitea/conf/conf.ini.tpl
index a4b295c..d2db1c8 100644
--- a/gitea/conf/conf.ini.tpl
+++ b/gitea/conf/conf.ini.tpl
@@ -1,6 +1,7 @@
 ; This file lists the default values used by Gitea
 ; Copy required sections to your own app.ini (default is custom/conf/app.ini)
 ; and modify as needed.
+; See the cheatsheet at https://docs.gitea.io/en-us/config-cheat-sheet/
 ; App name that shows on every page title
 APP_NAME = Nemo's code
@@ -9,6 +10,7 @@ RUN_USER = git
 [repository]
 ROOT = /data/git/repositories
+USE_COMPAT_SSH_URI = true
 [repository.upload]
 TEMP_PATH = /data/gitea/uploads
@@ -47,9 +49,7 @@ KEYWORDS = git, captnemo, git.captnemo.in, piratecoders
 ENABLE_HARD_LINE_BREAK = false
 ; List of custom URL-Schemes that are allowed as links when rendering Markdown
 ; for example git,magnet
-CUSTOM_URL_SCHEMES = git,magnet,steam
-; List of file extensions that should be rendered/edited as Markdown
-; Separate extensions with a comma. To render files w/o extension as markdown, just put a comma
+CUSTOM_URL_SCHEMES = git,magnet,steam,irc,slack
 FILE_EXTENSIONS = .md,.markdown,.mdown,.mkd
 ; Define allowed algorithms and their minimum key length (use -1 to disable a type)
@@ -59,7 +59,6 @@ ECDSA = 256
 RSA = 2048
 DSA = 1024
-
 [server]
 APP_DATA_PATH = /data/gitea
 SSH_DOMAIN = git.captnemo.in
@@ -70,8 +69,15 @@ SSH_PORT = 22
 DOMAIN = git.captnemo.in
 LFS_START_SERVER = true
 LFS_CONTENT_PATH = /data/gitea/lfs
-LFS_JWT_SECRET = nsLco71Wn4iu_UzyDir0jzkCdJDya1L9N0KZfgew13E
+LFS_JWT_SECRET = ${lfs-jwt-secret}
 OFFLINE_MODE = true
+LANDING_PAGE = explore
+MINIMUM_KEY_SIZE_CHECK = true
+
+# Uses the Mozilla Modern SSH Config params
+SSH_SERVER_CIPHERS = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+SSH_SERVER_KEY_EXCHANGES = curve25519-sha256@libssh.org, ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group-exchange-sha256
+SSH_SERVER_MACS = hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-512, hmac-sha2-256, umac-128@openssh.com
 [database]
@@ -111,7 +117,7 @@ ENABLE_FEDERATED_AVATAR = false
 [indexer]
 ISSUE_INDEXER_PATH = indexers/issues.bleve
 ; repo indexer by default disabled, since it uses a lot of disk space
-REPO_INDEXER_ENABLED = false
+REPO_INDEXER_ENABLED = true
 REPO_INDEXER_PATH = indexers/repos.bleve
 UPDATE_BUFFER_LEN = 20
 MAX_FILE_SIZE = 1048576
@@ -121,21 +127,11 @@ MAX_FILE_SIZE = 1048576
 DISABLE_REGULAR_ORG_CREATION = false
 [security]
-; Whether the installer is disabled
 INSTALL_LOCK = true
-; Auto-login remember days
 LOGIN_REMEMBER_DAYS = 30
-; COOKIE_USERNAME = gitea_awesome
-; COOKIE_REMEMBER_NAME = gitea_incredible
-; Reverse proxy authentication header name of user name
-; REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
-; Sets the minimum password length for new Users
 MIN_PASSWORD_LENGTH = 10
-; True when users are allowed to import local server paths
 IMPORT_LOCAL_PATHS = false
-; Prevent all users (including admin) from creating custom git hooks
 DISABLE_GIT_HOOKS = true
-
 SECRET_KEY = ${secret_key}
 INTERNAL_TOKEN = ${internal_token}
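Review bot: `MINIMUM_KEY_SIZE_CHECK = true` turns on enforcement of the `[ssh.minimum_key_sizes]` values that appear as context in the earlier hunk, and those still list `DSA = 1024`, so a 1024-bit DSA key passes the check this commit enables while the cipher, KEX and MAC lists added right below it are otherwise the Mozilla "modern" set. That section's own comment says `-1` disables a type; `DSA = -1` would match the intent of the new SSH_SERVER_* lines. Two smaller points: the new comment uses `#` where every other comment in the file uses `;` (go-ini accepts both, but it is the only `#` comment on the page), and the SSH_SERVER_* keys configure Gitea's builtin SSH server only — I cannot tell from the diff whether that or a host sshd serves port 22, so a one-line comment stating which would help the next reader.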
@@ -170,73 +166,24 @@ NO_REPLY_ADDRESS = noreply.example.org
 ENABLE_REVERSE_PROXY_AUTHENTICATION = false
 ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
-; [webhook]
-; ; Hook task queue length, increase if webhook shooting starts hanging
-; QUEUE_LENGTH = 1000
-; ; Deliver timeout in seconds
-; DELIVER_TIMEOUT = 5
-; ; Allow insecure certification
-; SKIP_TLS_VERIFY = false
-; ; Number of history information in each page
-; PAGING_NUM = 10
-
 [mailer]
 ENABLED = true
-; ; Buffer length of channel, keep it as it is if you don't know what it is.
-; SEND_BUFFER_LEN = 100
-; ; Name displayed in mail title
-; SUBJECT = %(APP_NAME)s
-; ; Mail server
-; ; Gmail: smtp.gmail.com:587
-; ; QQ: smtp.qq.com:465
-; ; Note, if the port ends with "465", SMTPS will be used. Using STARTTLS on port 587 is recommended per RFC 6409. If the server supports STARTTLS it will always be used.
-HOST = smtp.migadu.com:587
-; ; Disable HELO operation when hostname are different.
-; DISABLE_HELO =
-; ; Custom hostname for HELO operation, default is from system.
-; HELO_HOSTNAME =
-; ; Do not verify the certificate of the server. Only use this for self-signed certificates
-; SKIP_VERIFY =
-; ; Use client certificate
-; USE_CERTIFICATE = false
-; CERT_FILE = custom/mailer/cert.pem
-; KEY_FILE = custom/mailer/key.pem
-; ; Mail from address, RFC 5322. This can be just an email address, or the `"Name" ` format
 FROM = git@captnemo.in
-; ; Mailer user name and password
 USER = git@captnemo.in
 PASSWD = ${smtp_password}
-; ; Send mails as plain text
+HOST = smtp.migadu.com:587
 SEND_AS_PLAIN_TEXT = true
-; ; Enable sendmail (override SMTP)
-; USE_SENDMAIL = false
-; ; Specify an alternative sendmail binary
-; SENDMAIL_PATH = sendmail
-; ; Specify any extra sendmail arguments
-; SENDMAIL_ARGS =
-; [cache]
-; ; Either "memory", "redis", or "memcache", default is "memory"
-; ADAPTER = memory
-; ; For "memory" only, GC interval in seconds, default is 60
-; INTERVAL = 60
-; ; For "redis" and "memcache", connection host address
-; ; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
-; ; memcache: `127.0.0.1:11211`
-; HOST =
-; ; Time to keep items in cache if not used, default is 16 hours.
-; ; Setting it to 0 disables caching
-; ITEM_TTL = 16h
+[cache]
+ADAPTER = redis
+INTERVAL = 60
+HOST = "network=tcp,addr=gitea-redis:6379,db=0,pool_size=100,idle_timeout=180"
+ITEM_TTL = 16h
 [session]
 ; ; Either "memory", "file", or "redis", default is "memory"
-; PROVIDER = memory
-; ; Provider config options
-; ; memory: not have any config yet
-; ; file: session file path, e.g. `data/sessions`
-; ; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
-; ; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
-; PROVIDER_CONFIG = data/sessions
+PROVIDER = redis
+PROVIDER_CONFIG = "network=tcp,addr=gitea-redis:6379,db=1,pool_size=100,idle_timeout=180"
 ; ; Session cookie name
 COOKIE_NAME = i_like_gitea
 ; ; If you use session in https only, default is false
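Review bot: Both Redis connection strings added in this hunk (`HOST` under `[cache]` and `PROVIDER_CONFIG` under `[session]`) carry no `password=`, and the `gitea-redis` container added in gitea/redis.tf by this same commit starts the stock image with no configuration, so the session store in db 1 — every live login for the 30-day `SESSION_LIFE_TIME` visible in the next hunk — is readable and writable by anything that can reach `gitea-redis:6379`. On a default Docker bridge that is every container on the host, not only the linked gitea container, unless inter-container communication is disabled on the daemon; the network setup is not visible in the diff. If that isolation is intended, record the assumption next to the config so it is not lost: `; gitea-redis runs without AUTH; reachable only through the docker link (see gitea/redis.tf)`. Otherwise set `requirepass` on the Redis container and add `password=` to both strings.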
@@ -248,18 +195,6 @@ ENABLE_SET_COOKIE = true
 ; ; Session life time in seconds, default is 86400 (1 day)
 SESSION_LIFE_TIME = 2592000
-; [picture]
-; AVATAR_UPLOAD_PATH = data/avatars
-; ; Chinese users can choose "duoshuo"
-; ; or a custom avatar source, like: http://cn.gravatar.com/avatar/
-; GRAVATAR_SOURCE = gravatar
-; ; This value will be forced to be true in offline mode.
-; DISABLE_GRAVATAR = false
-; ; Federated avatar lookup uses DNS to discover avatar associated
-; ; with emails, see https://www.libravatar.org
-; ; This value will be forced to be false in offline mode or Gravatar is disabled.
-; ENABLE_FEDERATED_AVATAR = false
-
 [attachment]
 ; ; Whether attachments are enabled. Defaults to `true`
 ENABLE = true
@@ -272,73 +207,8 @@ ALLOWED_TYPES = image/jpeg|image/png|application/zip|application/gzip|applicatio
 ; ; Max number of files per upload. Defaults to 10
 ; MAX_FILES = 5
-; [time]
-; ; Specifies the format for fully outputted dates. Defaults to RFC1123
-; ; Special supported values are ANSIC, UnixDate, RubyDate, RFC822, RFC822Z, RFC850, RFC1123, RFC1123Z, RFC3339, RFC3339Nano, Kitchen, Stamp, StampMilli, StampMicro and StampNano
-; ; For more information about the format see http://golang.org/pkg/time/#pkg-constants
-; FORMAT =
-
-; [log]
-; ROOT_PATH =
-; ; Either "console", "file", "conn", "smtp" or "database", default is "console"
-; ; Use comma to separate multiple modes, e.g. "console, file"
-; MODE = console
-; ; Buffer length of channel, keep it as it is if you don't know what it is.
-; BUFFER_LEN = 10000
-; ; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace"
 LEVEL = Info
-; ; For "console" mode only
-; [log.console]
-; LEVEL =
-
-; ; For "file" mode only
-; [log.file]
-; LEVEL =
-; ; This enables automated log rotate(switch of following options), default is true
-; LOG_ROTATE = true
-; ; Max line number of single file, default is 1000000
-; MAX_LINES = 1000000
-; ; Max size shift of single file, default is 28 means 1 << 28, 256MB
-; MAX_SIZE_SHIFT = 28
-; ; Segment log daily, default is true
-; DAILY_ROTATE = true
-; ; Expired days of log file(delete after max days), default is 7
-; MAX_DAYS = 7
-
-; ; For "conn" mode only
-; [log.conn]
-; LEVEL =
-; ; Reconnect host for every single message, default is false
-; RECONNECT_ON_MSG = false
-; ; Try to reconnect when connection is lost, default is false
-; RECONNECT = false
-; ; Either "tcp", "unix" or "udp", default is "tcp"
-; PROTOCOL = tcp
-; ; Host address
-; ADDR =
-
-; ; For "smtp" mode only
-; [log.smtp]
-; LEVEL =
-; ; Name displayed in mail title, default is "Diagnostic message from server"
-; SUBJECT = Diagnostic message from server
-; ; Mail server
-; HOST =
-; ; Mailer user name and password
-; USER =
-; PASSWD =
-; ; Receivers, can be one or more, e.g. 1@example.com,2@example.com
-; RECEIVERS =
-
-; ; For "database" mode only
-; [log.database]
-; LEVEL =
-; ; Either "mysql" or "postgres"
-; DRIVER =
-; ; Based on xorm, e.g.: root:root@localhost/gitea?charset=utf8
-; CONN =
-
 [cron]
 ; Enable running cron tasks periodically.
 ENABLED = true
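Review bot: `LEVEL = Info` survives this hunk as a context line with no `[log]` section header above it — the `; [log]` line the hunk deletes was already a comment, so, as far as the hunks on this page show, the key sits under the preceding `[attachment]` section and does not set Gitea's log level at all. If the logging level is the intent, add the header on the line before it: `[log]`. The enclosing section starts outside the hunk, so confirm against the full template that no other `[log]` header exists.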
@@ -349,103 +219,10 @@ RUN_AT_START = false
 [cron.update_mirrors]
 SCHEDULE = @every 3h
-; ; Repository health check
-; [cron.repo_health_check]
-; SCHEDULE = @every 24h
-; TIMEOUT = 60s
-; ; Arguments for command 'git fsck', e.g. "--unreachable --tags"
-; ; see more on http://git-scm.com/docs/git-fsck/1.7.5
-; ARGS =
-
-; ; Check repository statistics
-; [cron.check_repo_stats]
-; RUN_AT_START = true
-; SCHEDULE = @every 24h
-
-; ; Clean up old repository archives
-; [cron.archive_cleanup]
-; ; Whether to enable the job
-; ENABLED = true
-; ; Whether to always run at least once at start up time (if ENABLED)
-; RUN_AT_START = true
-; ; Time interval for job to run
-; SCHEDULE = @every 24h
-; ; Archives created more than OLDER_THAN ago are subject to deletion
-; OLDER_THAN = 24h
-
-; ; Synchronize external user data (only LDAP user synchronization is supported)
-; [cron.sync_external_users]
-; ; Synchronize external user data when starting server (default false)
-; RUN_AT_START = false
-; ; Interval as a duration between each synchronization (default every 24h)
-; SCHEDULE = @every 24h
-; ; Create new users, update existing user data and disable users that are not in external source anymore (default)
-; ; or only create new users if UPDATE_EXISTING is set to false
-; UPDATE_EXISTING = true
-
-; [git]
-; ; Disables highlight of added and removed changes
-; DISABLE_DIFF_HIGHLIGHT = false
-; ; Max number of lines allowed of a single file in diff view
-; MAX_GIT_DIFF_LINES = 1000
-; ; Max number of characters of a line allowed in diff view
-; MAX_GIT_DIFF_LINE_CHARACTERS = 5000
-; ; Max number of files shown in diff view
-; MAX_GIT_DIFF_FILES = 100
-; ; Arguments for command 'git gc', e.g. "--aggressive --auto"
-; ; see more on http://git-scm.com/docs/git-gc/1.7.5
-; GC_ARGS =
-
-; ; Operation timeout in seconds
 [git.timeout]
 MIGRATE = 600
 MIRROR = 300
 CLONE = 300
 PULL = 300
 GC = 60
-
-; [mirror]
-; ; Default interval as a duration between each check
-; DEFAULT_INTERVAL = 8h
-; ; Min interval as a duration must be > 1m
-; MIN_INTERVAL = 10m
-
 [api]
 ; Max number of items will response in a page
 MAX_RESPONSE_ITEMS = 100
-; [i18n]
-; LANGS = en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,ja-JP,es-ES,pt-BR,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sr-SP,sv-SE,ko-KR
-; NAMES = English,简体中文,繁體中文(香港),繁體中文(台灣),Deutsch,français,Nederlands,latviešu,русский,日本語,español,português do Brasil,polski,български,italiano,suomi,Türkçe,čeština,српски,svenska,한국어
-
-; ; Used for datetimepicker
-; [i18n.datelang]
-; en-US = en
-; zh-CN = zh
-; zh-HK = zh-TW
-; zh-TW = zh-TW
-; de-DE = de
-; fr-FR = fr
-; nl-NL = nl
-; lv-LV = lv
-; ru-RU = ru
-; ja-JP = ja
-; es-ES = es
-; pt-BR = pt-BR
-; pl-PL = pl
-; bg-BG = bg
-; it-IT = it
-; fi-FI = fi
-; tr-TR = tr
-; cs-CZ = cs-CZ
-; sr-SP = sr
-; sv-SE = sv
-; ko-KR = ko
-
-; ; Extension mapping to highlight class
-; ; e.g. .toml=ini
-; [highlight.mapping]
-
 [other]
 SHOW_FOOTER_BRANDING = false
 ; Show version information about Gitea and Go in the footer
@@ -453,16 +230,6 @@ SHOW_FOOTER_VERSION = true
 ; Show time of template execution in the footer
 SHOW_FOOTER_TEMPLATE_LOAD_TIME = false
-; [markup.asciidoc]
-; ENABLED = false
-; ; List of file extensions that should be rendered by an external command
-; FILE_EXTENSIONS = .adoc,.asciidoc
-; ; External command to render all matching extensions
-; RENDER_COMMAND = "asciidoc --out-file=- -"
-; ; Input is not a standard input but a file
-; IS_INPUT_FILE = false
-
-
 [openid]
 ENABLE_OPENID_SIGNIN = true
 ENABLE_OPENID_SIGNUP = true
diff --git a/gitea/data.tf b/gitea/data.tf
index 351eb28..c0df300 100644
--- a/gitea/data.tf
+++ b/gitea/data.tf
@@ -3,6 +3,10 @@ data "docker_registry_image" "gitea" {
 name = "gitea/gitea:1.4"
 }
+data "docker_registry_image" "redis" {
+ name = "redis:alpine"
+}
+
 data "template_file" "gitea-config-file" {
 template = "${file("${path.module}/conf/conf.ini.tpl")}"
@@ -10,5 +14,6 @@ data "template_file" "gitea-config-file" {
 secret_key = "${var.secret-key}"
 internal_token = "${var.internal-token}"
 smtp_password = "${var.smtp-password}"
+ lfs-jwt-secret = "${var.lfs-jwt-secret}"
 }
 }
diff --git a/gitea/main.tf b/gitea/main.tf
index 19b64e3..f3ff71a 100644
--- a/gitea/main.tf
+++ b/gitea/main.tf
@@ -1,4 +1,4 @@
-resource docker_container "gitea" {
+resource "docker_container" "gitea" {
 name = "gitea"
 image = "${docker_image.gitea.latest}"
@@ -59,6 +59,9 @@ resource docker_container "gitea" {
 restart = "unless-stopped"
 destroy_grace_seconds = 10
 must_run = true
+ links = [
+ "gitea-redis",
+ ]
 }
 resource "docker_image" "gitea" {
diff --git a/gitea/redis.tf b/gitea/redis.tf
new file mode 100644
index 0000000..3818a93
--- /dev/null
+++ b/gitea/redis.tf
@@ -0,0 +1,14 @@
+resource "docker_container" "redis" {
+ name = "gitea-redis"
+ image = "${docker_image.redis.latest}"
+
+ volumes {
+ host_path = "/mnt/xwing/cache/gitea"
+ container_path = "/data"
+ }
+}
+
+resource "docker_image" "redis" {
+ name = "${data.docker_registry_image.redis.name}"
+ pull_triggers = ["${data.docker_registry_image.redis.sha256_digest}"]
+}
diff --git a/gitea/variables.tf b/gitea/variables.tf
index 5159105..a3b9fff 100644
--- a/gitea/variables.tf
+++ b/gitea/variables.tf
@@ -11,3 +11,4 @@ variable "ips" {
 variable "secret-key" {}
 variable "internal-token" {}
 variable "smtp-password" {}
+variable "lfs-jwt-secret" {}
diff --git a/main.tf b/main.tf
index 97cb654..c5003bb 100644
--- a/main.tf
+++ b/main.tf
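Review bot: `name = "redis:alpine"` is a floating tag, and because gitea/redis.tf keys `pull_triggers` on its `sha256_digest`, every upstream push to that tag will re-pull the image and recreate the cache/session container on the next apply, whereas the sibling `docker_registry_image.gitea` is pinned to `gitea/gitea:1.4`. Pin Redis the same way, e.g. `name = "redis:<MAJOR.MINOR>-alpine"` (placeholder — use the version actually tested). Separately, the new template var `lfs-jwt-secret` is the only hyphenated name beside `secret_key`, `internal_token` and `smtp_password`; Terraform 0.11 interpolation accepts the hyphen as far as I know, but `lfs_jwt_secret` here with the matching `${lfs_jwt_secret}` in conf.ini.tpl keeps the block consistent.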
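Review bot: `links = ["gitea-redis"]` names the Redis container by a string literal, so Terraform sees no dependency between `docker_container.gitea` and `docker_container.redis` and may create gitea first, at which point Docker rejects the link to a container that does not exist yet. Referencing the resource fixes the ordering and removes the duplicated name: `links = ["${docker_container.redis.name}"]`. The gitea resource body starts outside the hunk.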
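Review bot: `docker_container.redis` sets no `restart` policy and no `must_run`, while the gitea container it now backs has `restart = "unless-stopped"` (context lines of the gitea/main.tf hunk above), so after a daemon restart gitea comes back with its cache and session store absent. Adding `restart = "unless-stopped"` to the redis resource matches the existing container. Also, `/mnt/xwing/cache/gitea` is mounted at `/data`, where the stock image writes its RDB snapshots if snapshotting is active (not visible in the diff), so the session data in db 1 can land on that host path; a comment on the `host_path` line stating the expected ownership and permissions of that directory would document the assumption.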
@@ -42,6 +42,7 @@ module "gitea" {
 secret-key = "${var.gitea-secret-key}"
 internal-token = "${var.gitea-internal-token}"
 smtp-password = "${var.gitea-smtp-password}"
+ lfs-jwt-secret = "${var.gitea-lfs-jwt-secret}"
 }
 module "radicale" {
diff --git a/variables.tf b/variables.tf
index f0e9da4..104d54c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -44,6 +44,7 @@ variable "gf-security-admin-password" {
 variable "gitea-secret-key" {}
 variable "gitea-internal-token" {}
 variable "gitea-smtp-password" {}
+variable "gitea-lfs-jwt-secret" {}
 variable "digitalocean-token" {}
 variable "airsonic-smtp-password" {}
@@ -62,7 +63,7 @@ variable "traefik-common-labels" {
 "traefik.frontend.headers.customResponseHeaders" = "X-Powered-By:Allomancy||X-Server:Blackbox"
 // X-Frame-Options
- "traefik.frontend.headers.customFrameOptionsValue" = "ALLOW-FROM https://home.bb8.fun/"
+ "traefik.frontend.headers.customFrameOptionsValue" = "ALLOW-FROM https://bb8.fun/"
 "traefik.frontend.headers.contentTypeNosniff" = "true"
 "traefik.frontend.headers.browserXSSFilter" = "true"
 }
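Review bot: The `customFrameOptionsValue` change only swaps the allowed origin, but `X-Frame-Options: ALLOW-FROM` is not implemented by Chromium-based browsers, which log it as an unrecognized directive and ignore the header entirely, and Safari does not support it either, so those clients get no framing protection from this label. The standard replacement is the CSP `frame-ancestors` directive, which Traefik 1.x exposes through the `contentSecurityPolicy` header label: `"traefik.frontend.headers.contentSecurityPolicy" = "frame-ancestors 'self' https://bb8.fun"`, keeping the ALLOW-FROM value alongside for browsers that still honour it. Since these are `traefik-common-labels` shared across services, confirm every service carrying them is meant to be embeddable by bb8.fun.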