gitea-pages/engineering-guide/gitea.md
2024-12-18 16:36:11 +01:00

Gitea Test Server

Documentation about the setup, for reproducibility. An additional data disk, mapped to /srv, holds all Gitea data. All code can be found here: https://gitea-test.psi.ch/lx/Gitea

Docker Compose

Connectivity

The compose file defines two networks: public, to talk to the outside world, and gitea, which acts as a backend network. Containers can reach each other's names, ports and IPs as long as they are in the same network. The Nginx container is attached to both networks so that it can act as the proxy.

The proxy container exposes two ports, for HTTP and HTTPS; the Gitea container exposes SSH on port 222.

Users and Passwords

Usernames and passwords are held in a .env file and are referenced as ${SERVICE_USER}. The passwords and keys mentioned here can also be found in the lx password store. On a fresh installation, GITEA_RUNNER_REGISTRATION_TOKEN, OG_GITEA_SECRET, OG_GITEA_CLIENT_KEY and the Caddy token need to be created once the Gitea server is running and an administrator account has been created.

Gitea's USER_ID mapping is for the local git user. The correct IDs can be gathered from /etc/passwd.

Functionality

docker compose up -d starts all networks and containers that are not running or whose definition has changed in the compose file; -d starts them in detached mode. docker compose down "Service" destroys the container of a specific service. docker compose restart "Service" restarts a container to apply configuration changes.

Proxy

All certificates are in the RHEL standard location, under /etc/pki/tls/[certs,private]. These folders are mounted read-only into the nginx container, to be referenced from /nginx/conf.d/*.conf. The image uses the tag :latest to always keep it up to date.

Gitea

SSH

To be able to use Gitea over SSH, an SSH shim is configured. The git user's .ssh directory is mapped inside the container, so every public key uploaded in the Gitea web UI is saved on the host in /home/git/.ssh/authorized_keys. The shim forwards all SSH traffic for the git user to localhost:222, which is picked up by the docker network and sent to port 22 in the gitea container.

    # Key pair the host-side git user uses to reach the sshd inside the container
    sudo -u git ssh-keygen -t ecdsa -b 521 -C "Gitea Host Key"
    # The shared authorized_keys file must accept that key, otherwise the shim cannot log in
    sudo -u git cat /home/git/.ssh/id_ecdsa.pub | sudo -u git tee -a /home/git/.ssh/authorized_keys
    sudo -u git chmod 600 /home/git/.ssh/authorized_keys
    # The shim itself: hand the original git command over to the container on port 222
    cat <<"EOF" | sudo tee /usr/local/bin/gitea
    #!/bin/sh
    ssh -p 222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
    EOF
    sudo chmod +x /usr/local/bin/gitea

Authentication

  • User Filter: note that (sAMAccountName=%s) is a placeholder that Gitea replaces with the user's login name so the user can be queried correctly; Username Attribute must therefore be sAMAccountName. (&(objectCategory=Person)(sAMAccountName=%s)(memberOf=CN=m365-app_git_access,OU=organizational,OU=Groups,OU=psi,DC=d,DC=psi,DC=ch)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

  • Admin Filter (memberOf=CN=unx-lx_eng,OU=Groups,OU=psi,DC=d,DC=psi,DC=ch)

  • Group Search Base Dn OU=Groups,OU=psi,DC=d,DC=psi,DC=ch

  • Paged Search with 1000 results

  • Synchronisation is disabled, so that only users who have actually logged in are created.
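As an added example (not from the original guide and not Gitea's own code), the following shell helper renders the User Filter above for a given login name, escaping the name as RFC 4515 requires before it takes the place of the %s placeholder, so the effective filter can be tried with ldapsearch; Gitea does this substitution internally, and the host, bind DN and search base in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original guide: render the User Filter above
# for a given login name the way Gitea does, i.e. with the login escaped per
# RFC 4515 before it replaces the %s placeholder. Gitea performs this
# substitution internally; this helper only reproduces the resulting filter
# so an admin can test it with ldapsearch against the directory.
# The template below is the page's own User Filter.

USER_FILTER_TEMPLATE='(&(objectCategory=Person)(sAMAccountName=%s)(memberOf=CN=m365-app_git_access,OU=organizational,OU=Groups,OU=psi,DC=d,DC=psi,DC=ch)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'

# ldap_escape VALUE: escape the filter metacharacters \ * ( ) as \5c \2a \28 \29.
# The backslash is handled first so the escapes it introduces are not re-escaped.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' \
                           -e 's/)/\\29/g'
}

# render_user_filter LOGIN: put the escaped login in place of the %s placeholder.
# Plain parameter expansion is used instead of sed so that the backslashes in
# the escaped value are not interpreted as back-references.
render_user_filter() {
    escaped=$(ldap_escape "$1")
    pre=${USER_FILTER_TEMPLATE%%"%s"*}   # text before the placeholder
    post=${USER_FILTER_TEMPLATE#*"%s"}   # text after the placeholder
    printf '%s\n' "${pre}${escaped}${post}"
}

# Usage (LDAP_HOST, BIND_DN and SEARCH_BASE are placeholders):
#   ldapsearch -x -H ldaps://LDAP_HOST -D BIND_DN -W -b SEARCH_BASE \
#       "$(render_user_filter jdoe)" sAMAccountName mail
# A login such as '*)(cn=*' comes out as (sAMAccountName=\2a\29\28cn=\2a),
# a literal value rather than an extra filter clause.
```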

https://docs.gitea.com/administration/authentication

Mail

A connection to the on-prem mail server needs to be requested. Login is secured with smtp+starttls.

https://docs.gitea.com/administration/email-setup

GPG

The git user has a GPG key configured. To avoid having to tinker with sudo permissions, the key is generated as the root user and imported for the git user. (There is a better solution, please educate me :)) Since the git user inside the container has its home in /data/git/ but Gitea runs with its own home directory, it is important to set [git] HOME_PATH = /data/git so that the git user can sign commits with its key.

*In root's home*

    # Generate the key as root, then export the secret key in armored form
    gpg --full-generate-key
    gpg --output private.pgp --armor --export-secret-key gitea@psi.ch
    # Hand the export to the git user (same file name as exported above)
    mv private.pgp /home/git/
    chown git:git /home/git/private.pgp
    su git
    cd
    # Import into the git user's own keyring and note the long key ID for .gitconfig
    gpg --import private.pgp
    gpg --list-secret-keys --keyid-format LONG

[user] signingkey = SUPERSECRETSIGININGKEYNOTSUITABLEFORDOCUMENTATION must be added to the git user's .gitconfig.

https://docs.gitea.com/administration/signing

Database

The database just needs login information created beforehand and shared between the gitea and db compose sections and .env. SSL can additionally be configured - maybe a todo?

Pages

Pages are exposed by a Caddy webserver in a container that queries the Gitea API for the keyword gitea-pages. An application token needs to be created beforehand to start the container (I used the administrator's account): Profile and settings... -> User Settings -> Applications -> Generate new token, with read permissions on organisation and repository. Add the generated token to the Caddyfile.

https://github.com/42wim/caddy-gitea

Snippets

The OG_GITEA_CLIENT_KEY and OG_GITEA_SECRET need to be created as administrator in Gitea under Site Administration -> Admin Settings -> Applications. The redirect URI is https://snippets-test.psi.ch/oauth/gitea/callback.

https://github.com/thomiceli/opengist

Runner

For Docker in Docker to work, the runner needs /var/run/docker.sock mapped into the container and must be set to privileged (privileged: true) in the runner config. A default config can be generated with ./act_runner generate-config.

https://docs.gitea.com/usage/actions/act-runner