gitea docu

2024-12-18 15:58:47 +01:00
parent 0efdf67c97
commit d5d7df5200
2 changed files with 106 additions and 0 deletions


@@ -158,6 +158,7 @@ chapters:
- file: engineering-guide/login
- file: engineering-guide/lxsup
- file: engineering-guide/lxweb00
- file: engineering-guide/gitea
- file: engineering-guide/infrastructure_administration
- file: engineering-guide/troubleshooting
- file: engineering-guide/accounts-and-groups

engineering-guide/gitea.md Normal file

@@ -0,0 +1,105 @@
# Gitea Test Server
Documentation about the setup for reproducability.
There is an additional data disk, mapped to /srv that contains all Gitea data.
## Docker Compose
### Connectivity
The compose file has 2 Networks, `public` to talk to the outside world and `gitea` that acts as a backend network. Docker has full access to names, ports and IPs as long as its in the same network.
The Nginx container has both networks to act as proxy.
The proxy container has two ports exposed for `HTTP` and `HTTPS`, the Gitea container exposes `SSH` on port 222.
### Users and Passwords
Username and Passwords are held in a .env file and are referenced like such `${SERVICE_USER}`. Mentioned passwords and keys can also be found in the lx password store.
In case of a fresh installation, the `GITEA_RUNNER_REGISTRATION_TOKEN` , `OG_GITEA_SECRET` , `OG_GITEA_CLIENT_KEY` and the `Caddy Token` need to be created when the gitea server is running and an administrator account is created.
Gitea's `USER_ID` mapping is for the local git user. Correct IDs can be gathered from `/etc/passwd`
### Functionality
`docker compose up -d` starts all networks and containers that are not running or that have been changed in the compose file. `-d` starts in detached mode.
`docker compose down "Service"` destroys the container of a specific service.
`docker compose restart "Service"` Restart a container to apply configuration changes.
## Proxy
All certificates are in the RHEL standard location, under `/etc/pki/tls/[certs,private]`. These folders are linked into the nginx container as read only, to be used in `/nginx/conf.d/*.conf`
The image is using the tag :latest to always keep it up to date.
## Gitea
### SSH
To be able to use Gitea with SSH, a SSHIM is configured. The git users .ssh directory is mapped inside the container. Every public key uploaded in the Gitea Web UI is therefore saved on the host `/home/git/.ssh/authorized_keys`, forwarding all ssh traffic from the git user to localhost:222 which is then picked up by the docker network and sent to port 22 in the gitea container.
```
sudo -u git ssh-keygen -t ecdsa -b 521 -C "Gitea Host Key"
sudo -u git cat /home/git/.ssh/id_ecdsa.pub | sudo -u git tee -a /home/git/.ssh/authorized_keys
sudo -u git chmod 600 /home/git/.ssh/authorized_keys
cat <<"EOF" | sudo tee /usr/local/bin/gitea
#!/bin/sh
ssh -p 222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
EOF
sudo chmod +x /usr/local/bin/gitea
```
### Authentication
- User Filter
Important to notice is that `(sAMAccountName=%s)` is a placeholder for the users login name to be queried correctly. Username Attribute must be sAMAccountName respectively.
`(&(objectCategory=Person)(sAMAccountName=%s)(memberOf=CN=m365-app_git_access,OU=organizational,OU=Groups,OU=psi,DC=d,DC=psi,DC=ch)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))`
- Admin Filter
`(memberOf=CN=unx-lx_eng,OU=Groups,OU=psi,DC=d,DC=psi,DC=ch)`
- Group Search Base Dn
`OU=Groups,OU=psi,DC=d,DC=psi,DC=ch`
- Paged Search with 1000 results
- Synchronisation is disabled, that only users are created that have logged in.
https://docs.gitea.com/administration/authentication
### Mail
Connection to the on prem mailserver need to be requested. Login is secured with `smtp+starttls`
https://docs.gitea.com/administration/email-setup
### GPG
The git user has a GPG key configured. To not have to tinker with any sudo permissions the key is generated as the root user and imported for the git user. (There is a better solution, please educate me :))
Since the git user inside the container has its home in /data/git/ but gitea runs its own home directory, its important to have `[git]HOME_PATH = /data/git` that the git user can sign commits with its key.
```
*In roots home*
gpg --full-generate-key
gpg --output private.pgp --armor --export-secret-key gitea@psi.ch
mv private.gpg /home/git/
su git
cd
gpg --import private.pgp
gpg --list-secret-keys --keyid-format LONG
```
`[user]signingkey = SUPERSECRETSIGININGKEYNOTSUITABLEFORDOCUMENTATION` must be added to the git users .gitconfig
https://docs.gitea.com/administration/signing
## Database
Database just needs login information created beforehand and shared in gitea and db compose section and .env.
SSL can be configured additionaly - Maybe todo?
## Pages
Pages are exposed with a caddy webserver in a container that queries the Gitea API for the keyword `gitea-pages`. An application token needs to be created beforehand to start the container (I used the administrators account).
Profile and settings... -> User Settings -> Applications -> Generate new token. With read permissions on organisation and repository.
Add the generated token to the Caddyfile.
https://github.com/42wim/caddy-gitea
## Snippets
The `OG_GITEA_CLIENT_KEY` and `OG_GITEA_SECRET` need to be created as administrator in Gitea.
Site Administration -> Admin Settings -> Applications. The redirect URI is `https://snippets-test.psi.ch/oauth/gitea/callback`
https://github.com/thomiceli/opengist
## Runner
That Docker in Docker works the Runner needs to have `/var/run/docker.sock` mapped into the container and the runner must be set to privileged `privileged: true` in the runner config. A default config can be generated with `./act_runner generate-config`
https://docs.gitea.com/usage/actions/act-runner
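Review bot: the GPG procedure under "### GPG" cannot be followed as written, because the export writes `private.pgp` while the next line moves `private.gpg`: `gpg --output private.pgp --armor --export-secret-key gitea@psi.ch` followed by `mv private.gpg /home/git/`, so the later `gpg --import private.pgp` run as the git user has nothing to import; use one filename throughout. In the same block, the exported file is an unprotected secret key and stays in `/home/git/` after the import, so add a `shred -u /home/git/private.pgp` step, and use `su - git` so HOME and the login environment are set before `gpg --import`. The value for `[user]signingkey` is the key ID or fingerprint printed by `gpg --list-secret-keys --keyid-format LONG`, which is public information (it is what verifiers look up), so the real value can be documented rather than the `SUPERSECRETSIGININGKEY...` placeholder. Under "## Runner", the doc should state plainly that mapping `/var/run/docker.sock` together with `privileged: true` gives any workflow that runs on this runner root-equivalent control of the host, so the runner must only be registered for trusted organisations or repositories. Under "### Authentication", `memberOf=CN=...` matches direct group members only; nested membership needs the AD matching rule, i.e. `memberOf:1.2.840.113556.1.4.1941:=CN=...`. Also, with synchronisation disabled, a user removed from `m365-app_git_access` is refused at the next LDAP login but remains an active Gitea account, and SSH-key and access-token authentication do not pass through the user filter, so either enable user synchronisation (which deactivates users no longer matching the filter) or document a manual deactivation step. Under "## Proxy", the `:latest` tag contradicts the stated goal of reproducibility; pin the nginx image to a version or digest and record it here. Under "### Users and Passwords", note that the `.env` file holds the live credentials and must be owner-readable only and excluded from any repository. The `StrictHostKeyChecking=no` in the SSH shim matches the upstream Gitea passthrough recipe and is acceptable only because the target is `127.0.0.1`; a sentence saying so would prevent it being copied elsewhere. Minor: "reproducability" (line 2 of the file), "additionaly" (Database section), and "Synchronisation is disabled, that only users are created that have logged in" should read "so that only users who have logged in are created".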