From 1fb578780707d7540d30b6a0206997c5b52308bd Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Thu, 20 Aug 2020 15:34:27 +0200
Subject: [PATCH] htz.ex42-1048908: can haz gitea?
---
 bundles/gitea/files/app.ini | 88 +++++++++++++++++++++++++++++++
 bundles/gitea/files/gitea.service | 18 +++++++
 bundles/gitea/items.py | 53 +++++++++++++++++++
 bundles/gitea/metadata.py | 32 +++++++++++
 nodes/htz/ex42-1048908.py | 11 ++++
 5 files changed, 202 insertions(+)
 create mode 100644 bundles/gitea/files/app.ini
 create mode 100644 bundles/gitea/files/gitea.service
 create mode 100644 bundles/gitea/items.py
 create mode 100644 bundles/gitea/metadata.py
diff --git a/bundles/gitea/files/app.ini b/bundles/gitea/files/app.ini
new file mode 100644
index 0000000..7fbe73f
--- /dev/null
+++ b/bundles/gitea/files/app.ini
@@ -0,0 +1,88 @@
+APP_NAME = ${app_name}
+RUN_USER = git
+RUN_MODE = prod
+
+[repository]
+ROOT = /home/git/gitea-repositories
+MAX_CREATION_LIMIT = 0
+DEFAULT_BRANCH = main
+
+[ui]
+ISSUE_PAGING_NUM = 50
+MEMBERS_PAGING_NUM = 100
+
+[server]
+PROTOCOL = http
+SSH_DOMAIN = ${domain}
+DOMAIN = ${domain}
+HTTP_ADDR = 127.0.0.1
+HTTP_PORT = 3000
+ROOT_URL = https://${domain}/
+DISABLE_SSH = false
+SSH_PORT = 22
+LFS_START_SERVER = true
+LFS_CONTENT_PATH = /var/lib/gitea/data/lfs
+LFS_JWT_SECRET = ${lfs_secret_key}
+OFFLINE_MODE = true
+START_SSH_SERVER = false
+DISABLE_ROUTER_LOG = true
+LANDING_PAGE = explore
+
+[database]
+DB_TYPE = postgres
+HOST = ${database.get('host', 'localhost')}:5432
+NAME = ${database['database']}
+USER = ${database['username']}
+PASSWD = ${database['password']}
+SSL_MODE = disable
+LOG_SQL = false
+
+[admin]
+DEFAULT_EMAIL_NOTIFICATIONS = onmention
+DISABLE_REGULAR_ORG_CREATION = true
+
+[security]
+INTERNAL_TOKEN = ${internal_token}
+INSTALL_LOCK = true
+SECRET_KEY = ${security_secret_key}
+LOGIN_REMEMBER_DAYS = 30
+DISABLE_GIT_HOOKS = true
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[service]
+REGISTER_EMAIL_CONFIRM = true
+ENABLE_NOTIFY_MAIL = true
+DISABLE_REGISTRATION = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+REQUIRE_SIGNIN_VIEW = false
+DEFAULT_KEEP_EMAIL_PRIVATE = true
+DEFAULT_ALLOW_CREATE_ORGANIZATION = false
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.${domain}
+
+[mailer]
+ENABLED = true
+MAILER_TYPE = sendmail
+FROM = "${app_name}"
+
+[session]
+PROVIDER = file
+
+[picture]
+DISABLE_GRAVATAR = true
+ENABLE_FEDERATED_AVATAR = false
+
+[log]
+MODE = console
+LEVEL = warn
+
+[oauth2]
+JWT_SECRET = ${oauth_secret_key}
+
+[other]
+SHOW_FOOTER_BRANDING = true
+SHOW_FOOTER_TEMPLATE_LOAD_TIME = false
diff --git a/bundles/gitea/files/gitea.service b/bundles/gitea/files/gitea.service
new file mode 100644
index 0000000..24f1505
--- /dev/null
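Review bot: `DISABLE_REGISTRATION = false` together with `ENABLE_CAPTCHA = false` in the [service] section leaves self-registration open on an internet-facing domain with only e-mail confirmation in the way; if that is intended, a comment above the [service] block saying so would stop a later reader from "fixing" it, otherwise `DISABLE_REGISTRATION = true` is the safer default for a single-owner instance. Separately, `FROM = "${app_name}"` in [mailer] renders as a bare display name with no address; Gitea documents this key as an RFC 5322 address (`"Name" <addr>` or a plain address), so this may be refused at startup — worth checking against the installed version before the first deploy.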
+++ b/bundles/gitea/files/gitea.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=${app_name} at ${domain}
+After=syslog.target
+After=network.target
+Requires=postgresql.service
+
+[Service]
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=/var/lib/gitea/
+ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
+Restart=always
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
+
+[Install]
+WantedBy=multi-user.target
diff --git a/bundles/gitea/items.py b/bundles/gitea/items.py
new file mode 100644
index 0000000..63f00d3
--- /dev/null
+++ b/bundles/gitea/items.py
@@ -0,0 +1,53 @@
+downloads = {
+ '/usr/local/bin/gitea': {
+ 'url': 'https://dl.gitea.io/gitea/{version}/gitea-{version}-linux-amd64'.format(version=node.metadata['gitea']['version']),
+ 'sha256': node.metadata['gitea']['sha256'],
+ },
+}
+
+directories = {
+ '/var/lib/gitea': {
+ 'owner': 'git',
+ 'mode': '0700',
+ 'triggers': {
+ 'action:chmod_gitea',
+ 'svc_systemd:gitea:restart',
+ },
+ },
+}
+
+actions = {
+ 'chmod_gitea': {
+ 'command': 'chmod a+x /usr/local/bin/gitea',
+ 'unless': 'test -x /usr/local/bin/gitea',
+ 'triggered': True,
+ },
+}
+
+files = {
+ '/etc/systemd/system/gitea.service': {
+ 'content_type': 'mako',
+ 'context': node.metadata['gitea'],
+ 'triggers': {
+ 'action:systemd-reload',
+ },
+ },
+ '/etc/gitea/app.ini': {
+ 'content_type': 'mako',
+ 'context': node.metadata['gitea'],
+ 'triggers': {
+ 'svc_systemd:gitea:restart',
+ },
+ },
+}
+
+svc_systemd = {
+ 'gitea': {
+ 'needs': {
+ 'action:chmod_gitea',
+ 'download:/usr/local/bin/gitea',
+ 'file:/etc/systemd/system/gitea.service',
+ 'file:/etc/gitea/app.ini',
+ },
+ },
+}
diff --git a/bundles/gitea/metadata.py b/bundles/gitea/metadata.py
new file mode 100644
index 0000000..51f22ea
--- /dev/null
+++ b/bundles/gitea/metadata.py
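Review bot: `Requires=postgresql.service` in [Unit] pulls PostgreSQL in but does not order gitea after it — `Requires=` without a matching `After=` lets both units start in parallel, so the first start can fail on the database connection and only recover through `Restart=always`. Add `After=postgresql.service` next to the two existing After= lines. While here, the daemon runs as `git` but with no sandboxing at all; `NoNewPrivileges=true` and `PrivateTmp=true` in [Service] are low-risk hardening for a network-facing service and do not interfere with the work directory or the repository root.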
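Review bot: The `/etc/gitea/app.ini` entry in `files` sets no `owner`, `group` or `mode`, yet the template it renders carries the database password, `INTERNAL_TOKEN`, `SECRET_KEY` and both JWT secrets, so the file lands with the tool's default permissions (world-readable 0644 owned by root, if I remember BundleWrap's defaults correctly). Since the unit runs gitea as `git`, pin the permissions explicitly: `'owner': 'root', 'group': 'git', 'mode': '0640',`. The `/etc/systemd/system/gitea.service` entry holds no secrets, so it only needs the same treatment for consistency, not for safety.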
@@ -0,0 +1,32 @@
+defaults = {
+ 'users': {
+ 'git': {
+ 'deploy_configs': False,
+ 'home-mode': '0755',
+ },
+ },
+ 'gitea': {
+ 'database': {
+ 'username': 'gitea',
+ 'password': repo.vault.password_for('{} postgresql gitea'.format(node.name)),
+ 'database': 'gitea',
+ },
+ 'app_name': 'Gitea',
+ 'lfs_secret_key': repo.vault.password_for('{} gitea lfs_secret_key'.format(node.name)),
+ 'security_secret_key': repo.vault.password_for('{} gitea security_secret_key'.format(node.name)),
+ 'oauth_secret_key': repo.vault.password_for('{} gitea oauth_secret_key'.format(node.name)),
+ 'internal_token': repo.vault.password_for('{} gitea internal_token'.format(node.name)),
+ },
+ 'postgresql': {
+ 'users': {
+ 'gitea': {
+ 'password': repo.vault.password_for('{} postgresql gitea'.format(node.name)),
+ },
+ },
+ 'databases': {
+ 'gitea': {
+ 'owner': 'gitea',
+ },
+ },
+ },
+}
diff --git a/nodes/htz/ex42-1048908.py b/nodes/htz/ex42-1048908.py
index 57edd9d..f23daae 100644
--- a/nodes/htz/ex42-1048908.py
+++ b/nodes/htz/ex42-1048908.py
@@ -1,5 +1,6 @@
 nodes['htz.ex42-1048908'] = {
 'bundles': {
+ 'gitea',
 'jenkins-ci',
 'matrix-synapse',
 'mx-puppet-discord',
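Review bot: The `lfs_secret_key` and `oauth_secret_key` defaults are generic vault passwords from `repo.vault.password_for(...)`, but Gitea documents `LFS_JWT_SECRET` and `[oauth2] JWT_SECRET` as the base64url values that `gitea generate secret LFS_JWT_SECRET` / `JWT_SECRET` emit; as far as I recall, a value that does not decode to 32 bytes makes Gitea generate a fresh secret and attempt to rewrite app.ini on every start, so these defaults deserve a check against 1.12 before a node relies on them without an override. A comment on those two lines noting the expected format would help either way. Also, the literal `'{} postgresql gitea'.format(node.name)` is repeated for `gitea.database.password` and `postgresql.users.gitea.password`; hoisting it into one local (`pg_password = repo.vault.password_for('{} postgresql gitea'.format(node.name))`) keeps the two from silently drifting apart.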
@@ -67,6 +68,16 @@ nodes['htz.ex42-1048908'] = {
 },
 },
 },
+ 'gitea': {
+ 'version': '1.12.3',
+ 'sha256': '6bfda9a12dc248360d34954b087ca6319f7310c61dc32b34c5e0675fdd45e0f4',
+ 'domain': 'git.kunsmann.eu',
+ # TODO find out if those secrets can be rotated without breaking stuff
+ 'internal_token': vault.decrypt('encrypt$gAAAAABfPncYwCX-NdBr9LdxLyGqmjRJqhmwMnWsdZy6kVOWdKrScW78xaqbJ1tpL1J4qa2hcZ7TQj3l-2mkyJNJOenGzU3TsI-gYMj9vC4m8Bhur5zboxjD4dQXaJbD1WSyHJ9sPJYsWP3Gjg6I19xeq9xMlAI6xaS9vOfuoI8nZnnQPx1NjfQEj03Jxf8a0-3F20sfICst1xRa5K48bpq1PFkK_oRojg=='),
+ 'lfs_secret_key': vault.decrypt('encrypt$gAAAAABfPnd1vgNDt86-91YhviQw8Z0djSp4f_tBt76klDv-ZcwxP1ryJzqJ7qnfaTe_6DYCfc82gEzvVDsyBlCoAkGpt1AI2_LCKetuSCnDPjtGvwdQl3A53lFEdG2UJl1uUiR7f8Vr'),
+ 'oauth_secret_key': vault.decrypt('encrypt$gAAAAABfPnbfTISbldhS0WyxVKBHVVoOMcar7Kxmh1kkmiUGd-RzbbnNzzhEER_owjttPQcACPfGKZ6WklaSsXjLq8km4P6A9QmPbC06GmHbc91m0odCb1KiY7SZeUD35PiRiGSq50dz'),
+ 'security_secret_key': vault.decrypt('encrypt$gAAAAABfPnc-R7pkDj4pQgHDb6pzlNYNJgiWdeBFsX7IsHSnCtNPbZxCdtSL8cHtQzVO1KbSxS7zCwssmgiR8Kj54Z-koD-FQbjpbKWoIPw8SsyeqBVlZhIeEzhw_1t7_7ZTvv1O8AePdNYel9JJb_TaAZ8Vx46ZfsEPy8zaaHrqOekHC6RAnB4='),
+ },
 'letsencrypt': {
 'concat_and_deploy': {
 'kunsi-weechat': {
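Review bot: The four `vault.decrypt(...)` entries override the `password_for` defaults that bundles/gitea/metadata.py provides, but nothing records why this node carries its own secrets; a one-line comment such as `# instance-specific secrets, kept so existing stored data stays readable` (if that is the reason) would keep a later cleanup from dropping them in favour of the defaults. On the TODO above them: as far as I know `SECRET_KEY` is used to encrypt data at rest such as two-factor secrets, so rotating it breaks existing 2FA enrolments, whereas `INTERNAL_TOKEN`, `LFS_JWT_SECRET` and the OAuth2 JWT secret only invalidate outstanding tokens — verify against the Gitea docs for 1.12.3 before rotating any of them. The enclosing node dictionary starts and ends outside this hunk.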