From d5d7df520017504e6fa13ecc879a95859cef80f5 Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Wed, 18 Dec 2024 15:58:47 +0100 Subject: [PATCH] gitea docu --- _toc.yml | 1 + engineering-guide/gitea.md | 105 +++++++++++++++++++++++++++++++++++++ 2 files changed, 106 insertions(+) create mode 100644 engineering-guide/gitea.md diff --git a/_toc.yml b/_toc.yml index fdfe925f..efdaa6fb 100644 --- a/_toc.yml +++ b/_toc.yml @@ -158,6 +158,7 @@ chapters: - file: engineering-guide/login - file: engineering-guide/lxsup - file: engineering-guide/lxweb00 + - file: engineering-guide/gitea - file: engineering-guide/infrastructure_administration - file: engineering-guide/troubleshooting - file: engineering-guide/accounts-and-groups diff --git a/engineering-guide/gitea.md b/engineering-guide/gitea.md new file mode 100644 index 00000000..df01fc5f --- /dev/null +++ b/engineering-guide/gitea.md 
@@ -0,0 +1,105 @@ +# Gitea Test Server +Documentation about the setup for reproducability. +There is an additional data disk, mapped to /srv that contains all Gitea data. + +## Docker Compose + +### Connectivity +The compose file has 2 Networks, `public` to talk to the outside world and `gitea` that acts as a backend network. Docker has full access to names, ports and IPs as long as its in the same network. +The Nginx container has both networks to act as proxy. + +The proxy container has two ports exposed for `HTTP` and `HTTPS`, the Gitea container exposes `SSH` on port 222. + +### Users and Passwords +Username and Passwords are held in a .env file and are referenced like such `${SERVICE_USER}`. Mentioned passwords and keys can also be found in the lx password store. +In case of a fresh installation, the `GITEA_RUNNER_REGISTRATION_TOKEN` , `OG_GITEA_SECRET` , `OG_GITEA_CLIENT_KEY` and the `Caddy Token` need to be created when the gitea server is running and an administrator account is created. + +Gitea's `USER_ID` mapping is for the local git user. Correct IDs can be gathered from `/etc/passwd` + +### Functionality +`docker compose up -d` starts all networks and containers that are not running or that have been changed in the compose file. `-d` starts in detached mode. +`docker compose down "Service"` destroys the container of a specific service. +`docker compose restart "Service"` Restart a container to apply configuration changes. + +## Proxy +All certificates are in the RHEL standard location, under `/etc/pki/tls/[certs,private]`. These folders are linked into the nginx container as read only, to be used in `/nginx/conf.d/*.conf` +The image is using the tag :latest to always keep it up to date. + +## Gitea +### SSH +To be able to use Gitea with SSH, a SSHIM is configured. The git users .ssh directory is mapped inside the container. 
Every public key uploaded in the Gitea Web UI is therefore saved on the host `/home/git/.ssh/authorized_keys`, forwarding all ssh traffic from the git user to localhost:222 which is then picked up by the docker network and sent to port 22 in the gitea container. + +``` + sudo -u git ssh-keygen -t ecdsa -b 521 -C "Gitea Host Key" + sudo -u git cat /home/git/.ssh/id_ecdsa.pub | sudo -u git tee -a /home/git/.ssh/authorized_keys + sudo -u git chmod 600 /home/git/.ssh/authorized_keys + cat <<"EOF" | sudo tee /usr/local/bin/gitea + #!/bin/sh + ssh -p 222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@" + EOF + sudo chmod +x /usr/local/bin/gitea +``` + +### Authentication +- User Filter +Important to notice is that `(sAMAccountName=%s)` is a placeholder for the users login name to be queried correctly. Username Attribute must be sAMAccountName respectively. +`(&(objectCategory=Person)(sAMAccountName=%s)(memberOf=CN=m365-app_git_access,OU=organizational,OU=Groups,OU=psi,DC=d,DC=psi,DC=ch)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))` + +- Admin Filter +`(memberOf=CN=unx-lx_eng,OU=Groups,OU=psi,DC=d,DC=psi,DC=ch)` + +- Group Search Base Dn +`OU=Groups,OU=psi,DC=d,DC=psi,DC=ch` + +- Paged Search with 1000 results + +- Synchronisation is disabled, that only users are created that have logged in. + +https://docs.gitea.com/administration/authentication + +### Mail +Connection to the on prem mailserver need to be requested. Login is secured with `smtp+starttls` + +https://docs.gitea.com/administration/email-setup + +### GPG +The git user has a GPG key configured. To not have to tinker with any sudo permissions the key is generated as the root user and imported for the git user. 
(There is a better solution, please educate me :)) +Since the git user inside the container has its home in /data/git/ but gitea runs its own home directory, its important to have `[git]HOME_PATH = /data/git` that the git user can sign commits with its key. + +``` +*In roots home* +gpg --full-generate-key +gpg --output private.pgp --armor --export-secret-key gitea@psi.ch +mv private.gpg /home/git/ +su git +cd +gpg --import private.pgp +gpg --list-secret-keys --keyid-format LONG +``` + +`[user]signingkey = SUPERSECRETSIGININGKEYNOTSUITABLEFORDOCUMENTATION` must be added to the git users .gitconfig + +https://docs.gitea.com/administration/signing + +## Database +Database just needs login information created beforehand and shared in gitea and db compose section and .env. +SSL can be configured additionaly - Maybe todo? + +## Pages +Pages are exposed with a caddy webserver in a container that queries the Gitea API for the keyword `gitea-pages`. An application token needs to be created beforehand to start the container (I used the administrators account). +Profile and settings... -> User Settings -> Applications -> Generate new token. With read permissions on organisation and repository. +Add the generated token to the Caddyfile. + +https://github.com/42wim/caddy-gitea + +## Snippets +The `OG_GITEA_CLIENT_KEY` and `OG_GITEA_SECRET` need to be created as administrator in Gitea. +Site Administration -> Admin Settings -> Applications. The redirect URI is `https://snippets-test.psi.ch/oauth/gitea/callback` + +https://github.com/thomiceli/opengist + +## Runner +That Docker in Docker works the Runner needs to have `/var/run/docker.sock` mapped into the container and the runner must be set to privileged `privileged: true` in the runner config. A default config can be generated with `./act_runner generate-config` + +https://docs.gitea.com/usage/actions/act-runner +
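Review bot: in the GPG section the export writes `private.pgp` but the next command moves `private.gpg`, so the documented procedure stops at `mv private.gpg /home/git/`; make it `mv private.pgp /home/git/` and add a `shred -u /home/git/private.pgp` (plus removal of the copy in root's home) after `gpg --import`, because the armored secret key otherwise stays on disk in two home directories. In the SSH section the shim line `ssh -p 222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"` interpolates the client-supplied `$SSH_ORIGINAL_COMMAND` into a string that the container's shell parses, so a requested command containing a `"` or `$(...)` escapes the quoting and runs as the git user inside the container; pass the value through the environment instead (`-o SendEnv=SSH_ORIGINAL_COMMAND` on the ssh call and `AcceptEnv SSH_ORIGINAL_COMMAND` in the container's sshd_config) and quote `"$@"`. `StrictHostKeyChecking=no` can be `accept-new`, which still pins the container's host key after first contact. Two documentation points: "The image is using the tag :latest" for the proxy means a `docker compose up` after an unreviewed upstream release silently replaces the TLS terminator, so pin a version or digest and bump it deliberately; and the runner section should state that `privileged: true` together with the mounted `/var/run/docker.sock` gives every workflow job root-equivalent access to the host, so only trusted repositories or organisations should be allowed to run actions on this runner.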