[WIP] Set up gitea packer image

TODOs: - figure out how to keep the mail password in app.ini during install - mount volumes to persist data between droplet redeploys - set up HTTPS
2021-01-22 18:22:13 -05:00 · 2021-01-22 18:22:13 -05:00 · da232c6b03
commit da232c6b03
parent 9b5fd90e9f
14 changed files with 320 additions and 2 deletions
--- a/prod/git-jeremydormitzer-com/ansible/.envrc
+++ b/prod/git-jeremydormitzer-com/ansible/.envrc
@ -1 +0,0 @@
-export ANSIBLE_INVENTORY="$(expand_path hosts.ini)"
--- a/prod/git-jeremydormitzer-com/ansible/hosts.ini
+++ b/prod/git-jeremydormitzer-com/ansible/hosts.ini
@ -1 +0,0 @@
-git.jeremydormitzer.com
--- a/prod/git-jeremydormitzer-com/packer/.envrc
+++ b/prod/git-jeremydormitzer-com/packer/.envrc
@ -0,0 +1,7 @@
+source_up
+
+export GITEA_MAILGUN_PASSWORD=$(pass noreply@mg.git.jeremydormitzer.com)
+export GITEA_LFS_JWT_SECRET=$(pass packer-gitea-lfs-jwt-secret)
+export GITEA_SECRET_KEY=$(pass packer-gitea-secret-key)
+export GITEA_INTERNAL_TOKEN=$(pass packer-gitea-internal-token)
+export GITEA_JWT_SECRET=$(pass packer-gitea-jwt-secret)
--- a/prod/git-jeremydormitzer-com/packer/.gitignore
+++ b/prod/git-jeremydormitzer-com/packer/.gitignore
@ -0,0 +1 @@
+files/app.ini
--- a/prod/git-jeremydormitzer-com/packer/Makefile
+++ b/prod/git-jeremydormitzer-com/packer/Makefile
@ -0,0 +1,9 @@
+packer-manifest.json: gitea.json \
+                      scripts/dependencies.sh \
+                      files/gitea.service \
+                      files/app.ini \
+                      scripts/gitea.sh
+	packer build gitea.json
+
+files/app.ini: templates/app.ini.template
+	sigil -p -f templates/app.ini.template > files/app.ini
--- a/prod/git-jeremydormitzer-com/packer/files/gitea.service
+++ b/prod/git-jeremydormitzer-com/packer/files/gitea.service
@ -0,0 +1,74 @@
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=syslog.target
+After=network.target
+###
+# Don't forget to add the database service requirements
+###
+#
+#Requires=mysql.service
+#Requires=mariadb.service
+#Requires=postgresql.service
+#Requires=memcached.service
+#Requires=redis.service
+#
+###
+# If using socket activation for main http/s
+###
+#
+#After=gitea.main.socket
+#Requires=gitea.main.socket
+#
+###
+# (You can also provide gitea an http fallback and/or ssh socket too)
+#
+# An example of /etc/systemd/system/gitea.main.socket
+###
+##
+## [Unit]
+## Description=Gitea Web Socket
+## PartOf=gitea.service
+##
+## [Socket]
+## Service=gitea.service
+## ListenStream=<some_port>
+## NoDelay=true
+##
+## [Install]
+## WantedBy=sockets.target
+##
+###
+
+[Service]
+# Modify these two values and uncomment them if you have
+# repos with lots of files and get an HTTP error 500 because
+# of that
+###
+#LimitMEMLOCK=infinity
+#LimitNOFILE=65535
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=/var/lib/gitea/
+# If using Unix socket: tells systemd to create the /run/gitea folder, which will contain the gitea.sock file
+# (manually creating /run/gitea doesn't work, because it would not persist across reboots)
+#RuntimeDirectory=gitea
+ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
+Restart=always
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
+# If you install Git to directory prefix other than default PATH (which happens
+# for example if you install other versions of Git side-to-side with
+# distribution version), uncomment below line and add that prefix to PATH
+# Don't forget to place git-lfs binary on the PATH below if you want to enable
+# Git LFS support
+#Environment=PATH=/path/to/git/bin:/bin:/sbin:/usr/bin:/usr/sbin
+# If you want to bind Gitea to a port below 1024, uncomment
+# the two values below, or use socket activation to pass Gitea its ports as above
+###
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+###
+
+[Install]
+WantedBy=multi-user.target
--- a/prod/git-jeremydormitzer-com/packer/gitea.json
+++ b/prod/git-jeremydormitzer-com/packer/gitea.json
@ -0,0 +1,37 @@
+{
+  "builders": [
+    {
+      "type": "digitalocean",
+      "image": "ubuntu-20-04-x64",
+      "region": "nyc1",
+      "size": "s-1vcpu-1gb",
+      "snapshot_name": "packer-gitea-{{timestamp}}",
+      "ssh_username": "root"
+    }
+  ],
+  "provisioners": [
+    {
+      "type": "shell",
+      "script": "scripts/dependencies.sh"
+    },
+    {
+      "type": "file",
+      "source": "files/app.ini",
+      "destination": "/tmp/app.ini"
+    },
+    {
+      "type": "file",
+      "source": "files/gitea.service",
+      "destination": "/tmp/gitea.service"
+    },
+    {
+      "type": "shell",
+      "script": "scripts/gitea.sh"
+    }
+  ],
+  "post-processors": [
+    {
+      "type": "manifest"
+    }
+  ]
+}
--- a/prod/git-jeremydormitzer-com/packer/packer-manifest.json
+++ b/prod/git-jeremydormitzer-com/packer/packer-manifest.json
@ -0,0 +1,50 @@
+{
+  "builds": [
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611352765,
+      "files": null,
+      "artifact_id": "nyc1:77396506",
+      "packer_run_uuid": "a93bca03-f67e-e630-7606-c12222ae21db",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611355972,
+      "files": null,
+      "artifact_id": "nyc1:77399380",
+      "packer_run_uuid": "2c306ac5-20fe-3e4e-9329-c62b03621d95",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611356707,
+      "files": null,
+      "artifact_id": "nyc1:77400402",
+      "packer_run_uuid": "1d401331-1f3f-cfaa-d610-66f06eef5986",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611357084,
+      "files": null,
+      "artifact_id": "nyc1:77400747",
+      "packer_run_uuid": "c40a3d6a-e3a8-099a-1bd1-86f4026a158f",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1611357475,
+      "files": null,
+      "artifact_id": "nyc1:77401090",
+      "packer_run_uuid": "2b450ccd-716f-5c9c-20da-662e79a0b929",
+      "custom_data": null
+    }
+  ],
+  "last_run_uuid": "2b450ccd-716f-5c9c-20da-662e79a0b929"
+}
--- a/prod/git-jeremydormitzer-com/packer/scripts/dependencies.sh
+++ b/prod/git-jeremydormitzer-com/packer/scripts/dependencies.sh
@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+set -ex
+
+sudo apt-get update
+sudo apt-get install -y git
--- a/prod/git-jeremydormitzer-com/packer/scripts/gitea.sh
+++ b/prod/git-jeremydormitzer-com/packer/scripts/gitea.sh
@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+set -ex
+
+adduser \
+   --system \
+   --shell /bin/bash \
+   --gecos 'Git Version Control' \
+   --group \
+   --disabled-password \
+   --home /home/git \
+   git
+
+mkdir -p /var/lib/gitea/{custom,data,log}
+chown -R git:git /var/lib/gitea/
+chmod -R 750 /var/lib/gitea/
+mkdir /etc/gitea
+mv /tmp/app.ini /etc/gitea/app.ini
+chown -R root:git /etc/gitea
+chmod 770 /etc/gitea
+chmod 660 /etc/gitea/app.ini
+
+wget -O gitea https://dl.gitea.io/gitea/1.13.1/gitea-1.13.1-linux-amd64
+chmod +x gitea
+mv gitea /usr/local/bin/
+
+mv /tmp/gitea.service /etc/systemd/system/gitea.service
+systemctl enable gitea
--- a/prod/git-jeremydormitzer-com/packer/templates/app.ini.template
+++ b/prod/git-jeremydormitzer-com/packer/templates/app.ini.template
@ -0,0 +1,75 @@
+APP_NAME = Jeremy Dormitzer's Git Forge
+RUN_USER = git
+RUN_MODE = prod
+
+[oauth2]
+JWT_SECRET = ${GITEA_JWT_SECRET:?}
+
+[security]
+INTERNAL_TOKEN = ${GITEA_INTERNAL_TOKEN:?}
+SECRET_KEY     = ${GITEA_SECRET_KEY:?}
+
+[database]
+DB_TYPE  = sqlite3
+HOST     = 127.0.0.1:3306
+NAME     = gitea
+USER     = gitea
+PASSWD   = 
+SCHEMA   = 
+SSL_MODE = disable
+CHARSET  = utf8
+PATH     = /var/lib/gitea/data/gitea.db
+LOG_SQL  = false
+
+[repository]
+ROOT = /home/git/gitea-repositories
+
+[server]
+SSH_DOMAIN       = git.jeremydormitzer.com
+DOMAIN           = git.jeremydormitzer.com
+HTTP_PORT        = 3000
+ROOT_URL         = https://git.jeremydormitzer.com/
+DISABLE_SSH      = false
+SSH_PORT         = 22
+LFS_START_SERVER = true
+LFS_CONTENT_PATH = /var/lib/gitea/data/lfs
+LFS_JWT_SECRET   = ${GITEA_LFS_JWT_SECRET:?}
+OFFLINE_MODE     = false
+
+[mailer]
+ENABLED = true
+HOST    = smtp.mailgun.org:587
+FROM    = Jeremy Dormitzer's Git Forge <noreply@git.jeremydormitzer.com>
+USER    = noreply@mg.git.jeremydormitzer.com
+PASSWD  = ${GITEA_MAILGUN_PASSWORD:?}
+
+[service]
+REGISTER_EMAIL_CONFIRM            = true
+ENABLE_NOTIFY_MAIL                = true
+DISABLE_REGISTRATION              = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
+ENABLE_CAPTCHA                    = false
+REQUIRE_SIGNIN_VIEW               = false
+DEFAULT_KEEP_EMAIL_PRIVATE        = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING       = true
+NO_REPLY_ADDRESS                  = noreply.localhost
+
+[picture]
+DISABLE_GRAVATAR        = false
+ENABLE_FEDERATED_AVATAR = true
+
+[openid]
+ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNUP = false
+
+[session]
+PROVIDER = file
+
+[log]
+MODE                 = console
+LEVEL                = info
+ROOT_PATH            = /var/lib/gitea/log
+REDIRECT_MACARON_LOG = true
+MACARON              = console
+ROUTER               = console
--- a/prod/git-jeremydormitzer-com/terraform/.terraform.lock.hcl
+++ b/prod/git-jeremydormitzer-com/terraform/.terraform.lock.hcl
@ -21,3 +21,20 @@ provider "registry.terraform.io/digitalocean/digitalocean" {
    "zh:fee52e736edc5ef4088cedae6507790f35e4ee8a078bff1ef894a51dd65d058d",
  ]
 }
+
+provider "registry.terraform.io/hashicorp/local" {
+  version = "2.0.0"
+  hashes = [
+    "h1:pO1ANXtOCRfecKsY9Hn4UsXoPBLv6LFiDIEiS1MZ09E=",
+    "zh:34ce8b79493ace8333d094752b579ccc907fa9392a2c1d6933a6c95d0786d3f1",
+    "zh:5c5a19c4f614a4ffb68bae0b0563f3860115cf7539b8adc21108324cfdc10092",
+    "zh:67ddb1ca2cd3e1a8f948302597ceb967f19d2eeb2d125303493667388fe6330e",
+    "zh:68e6b16f3a8e180fcba1a99754118deb2d82331b51f6cca39f04518339bfdfa6",
+    "zh:8393a12eb11598b2799d51c9b0a922a3d9fadda5a626b94a1b4914086d53120e",
+    "zh:90daea4b2010a86f2aca1e3a9590e0b3ddcab229c2bd3685fae76a832e9e836f",
+    "zh:99308edc734a0ac9149b44f8e316ca879b2670a1cae387a8ae754c180b57cdb4",
+    "zh:c76594db07a9d1a73372a073888b672df64adb455d483c2426cc220eda7e092e",
+    "zh:dc09c1fb36c6a706bdac96cce338952888c8423978426a09f5df93031aa88b84",
+    "zh:deda88134e9780319e8de91b3745520be48ead6ec38cb662694d09185c3dac70",
+  ]
+}
--- a/prod/git-jeremydormitzer-com/terraform/main.tf
+++ b/prod/git-jeremydormitzer-com/terraform/main.tf
@ -12,3 +12,11 @@ resource "digitalocean_droplet" "git_jeremydormitzer_com" {
  backups = true
  tags    = ["terraform"]
 }
+
+module "packer_droplet" {
+  source            = "../../../terraform-modules/packer_droplet"
+  name              = "gitea"
+  do_token          = var.do_token
+  spaces_access_id  = var.spaces_access_id
+  spaces_secret_key = var.spaces_secret_key
+}
--- a/prod/git-jeremydormitzer-com/terraform/outputs.tf
+++ b/prod/git-jeremydormitzer-com/terraform/outputs.tf
@ -5,3 +5,11 @@ output "git_ip_address" {
 output "git_urn" {
  value = digitalocean_droplet.git_jeremydormitzer_com.urn
 }
+
+output "gitea_ip_address" {
+  value = module.packer_droplet.droplet_ip_address
+}
+
+output "gitea_urn" {
+  value = module.packer_droplet.droplet_urn
+}
				`@ -1 +0,0 @@`
				`export ANSIBLE_INVENTORY="$(expand_path hosts.ini)"`