diff --git a/bundles/gitea/files/app.ini b/bundles/gitea/files/app.ini
index e69de29..6372ab1 100644
--- a/bundles/gitea/files/app.ini
+++ b/bundles/gitea/files/app.ini
@@ -0,0 +1,88 @@
+APP_NAME = ckn-gitea
+RUN_USER = gitea
+RUN_MODE = prod
+
+[repository]
+ROOT = /var/lib/gitea/repositories
+MAX_CREATION_LIMIT = 0
+DEFAULT_BRANCH = main
+
+[ui]
+ISSUE_PAGING_NUM = 50
+MEMBERS_PAGING_NUM = 100
+
+[server]
+PROTOCOL = http
+SSH_DOMAIN = ${domain}
+DOMAIN = ${domain}
+HTTP_ADDR = 127.0.0.1
+HTTP_PORT = 22000
+ROOT_URL = https://${domain}/
+DISABLE_SSH = false
+SSH_PORT = 22
+LFS_START_SERVER = true
+LFS_CONTENT_PATH = /var/lib/gitea/data/lfs
+LFS_JWT_SECRET = ${lfs_secret_key}
+OFFLINE_MODE = true
+START_SSH_SERVER = false
+DISABLE_ROUTER_LOG = true
+LANDING_PAGE = explore
+
+[database]
+DB_TYPE = postgres
+HOST = ${database.get('host', 'localhost')}:5432
+NAME = ${database['database']}
+USER = ${database['username']}
+PASSWD = ${database['password']}
+SSL_MODE = disable
+LOG_SQL = false
+
+[admin]
+DEFAULT_EMAIL_NOTIFICATIONS = onmention
+DISABLE_REGULAR_ORG_CREATION = true
+
+[security]
+INTERNAL_TOKEN = ${internal_token}
+INSTALL_LOCK = true
+SECRET_KEY = ${security_secret_key}
+LOGIN_REMEMBER_DAYS = 30
+DISABLE_GIT_HOOKS = ${str(not enable_git_hooks).lower()}
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[service]
+REGISTER_EMAIL_CONFIRM = true
+ENABLE_NOTIFY_MAIL = true
+DISABLE_REGISTRATION = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+REQUIRE_SIGNIN_VIEW = false
+DEFAULT_KEEP_EMAIL_PRIVATE = true
+DEFAULT_ALLOW_CREATE_ORGANIZATION = false
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.${domain}
+
+[mailer]
+ENABLED = true
+MAILER_TYPE = sendmail
+FROM = "${app_name}"
+
+[session]
+PROVIDER = file
+
+[picture]
+DISABLE_GRAVATAR = true
+ENABLE_FEDERATED_AVATAR = false
+
+[log]
+MODE = console
+LEVEL = warn
+
+[oauth2]
+JWT_SECRET = ${oauth_secret_key}
+
+[other]
+SHOW_FOOTER_BRANDING = true
+SHOW_FOOTER_TEMPLATE_LOAD_TIME = false
diff --git a/bundles/gitea/items.py b/bundles/gitea/items.py
index a690e49..dfa349a 100644
--- a/bundles/gitea/items.py
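Review bot: The rendered app.ini embeds the database password (`PASSWD = ${database['password']}`) together with `SECRET_KEY`, `INTERNAL_TOKEN`, `LFS_JWT_SECRET` and the oauth2 `JWT_SECRET`, so the file item that deploys it to /etc/gitea/app.ini must be owned by `gitea` with mode `0600`; that item is not part of this commit, so it is worth confirming. With `DISABLE_REGISTRATION = false` and `ENABLE_CAPTCHA = false` the instance accepts self-service sign-ups from anyone who can reach the reverse proxy in front of `HTTP_ADDR = 127.0.0.1`; if that is not intended for this homeserver, `DISABLE_REGISTRATION = true` is the usual setting. `DISABLE_GIT_HOOKS` is derived from an `enable_git_hooks` template variable whose default lives elsewhere; a comment above it such as `; enable_git_hooks: server-side hooks run as RUN_USER, so keep this off unless repository admins are trusted` would record why the default matters.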
+++ b/bundles/gitea/items.py @@ -12,17 +12,12 @@ downloads = { } users = { - 'git': {}, + 'gitea': {}, } directories = { - '/home/git': { - 'mode': '0755', - 'owner': 'git', - 'group': 'git', - }, '/var/lib/gitea': { - 'owner': 'git', + 'owner': 'gitea', 'mode': '0700', 'triggers': { 'svc_systemd:gitea:restart', diff --git a/bundles/gitea/metadata.py b/bundles/gitea/metadata.py index db12542..7644521 100644 --- a/bundles/gitea/metadata.py +++ b/bundles/gitea/metadata.py @@ -36,8 +36,8 @@ defaults = { 'Service': { 'RestartSec': '2s', 'Type': 'simple', - 'User': 'git', - 'Group': 'git', + 'User': 'gitea', + 'Group': 'gitea', 'WorkingDirectory': '/var/lib/gitea/', 'ExecStart': '/usr/local/bin/gitea web -c /etc/gitea/app.ini', 'Restart': 'always', diff --git a/bundles/postgresql/items.py b/bundles/postgresql/items.py new file mode 100644 index 0000000..61589b5 --- /dev/null +++ b/bundles/postgresql/items.py @@ -0,0 +1,23 @@ +pkg_apt = { + 'postgresql': {}, +} + +if node.has_bundle('zfs'): + pkg_apt[postgresql]\ + .setdefault('needs', [])\ + .append('zfs_dataset:tank/postgresql') + +for user, config in node.metadata.get('postgresql/roles').items(): + postgres_roles[user] = { + 'password': config['password'], + 'needs': { + 'svc_systemd:postgresql', + }, + } + +for database, config in node.metadata.get('postgresql/databases').items(): + postgres_dbs[database] = config + +svc_systemd = { + 'postgresql': {}, +} diff --git a/bundles/postgresql/metadata.py b/bundles/postgresql/metadata.py new file mode 100644 index 0000000..382c899 --- /dev/null +++ b/bundles/postgresql/metadata.py @@ -0,0 +1,23 @@ +defaults = { + 'postgresql': { + 'roles': { + 'root': { + 'password': repo.vault.password_for(f'{node.name} postgresql root'), + 'superuser': True, + 'needs': { + 'svc_systemd:postgresql', + }, + }, + }, + 'databases': {}, + }, +} + +if node.has_bundle('zfs'): + defaults['zfs'] = { + 'datasets': { + 'tank/postgresql': { + 'mountpoint': '/var/lib/postgresql', + }, + }, + } 
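Review bot: The renamed `'gitea': {}` user item declares no `home`, yet app.ini keeps `START_SSH_SERVER = false` with `DISABLE_SSH = false`, so Gitea relies on the system sshd and maintains its `authorized_keys` under the run user's `~/.ssh`; with the `/home/git` directory item removed and nothing replacing it, where that file lands is undefined in this bundle, so consider `'gitea': {'home': '/var/lib/gitea'},` or an explicit home directory item. The old `git` user is left in place on already-deployed nodes, since a bundlewrap user is only removed when declared with `'delete': True`; `'git': {'delete': True},` would retire it. The `owner` change on `/var/lib/gitea` applies to that directory only, so existing repositories and lfs data beneath it still belong to `git` and need a one-off recursive chown; the matching rename of the systemd `User`/`Group` defaults in bundles/gitea/metadata.py is otherwise consistent with `RUN_USER = gitea`.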
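Review bot: `pkg_apt[postgresql]` in the zfs branch of bundles/postgresql/items.py uses an undefined name and will raise NameError on any node that has the zfs bundle; it should be `pkg_apt['postgresql']`. The roles loop copies only `config['password']`, so the `superuser: True` set for the `root` role in bundles/postgresql/metadata.py is silently dropped — either pass it through with `'superuser': config.get('superuser', False),` or remove it from the metadata so the two files agree; the per-role `needs` in the metadata is likewise ignored in favour of the hard-coded one here. groups/os/debian-10.py now sets `postgresql/version` to 11 while this file installs the unversioned `postgresql` package, so the version key has no consumer in this commit unless it is read elsewhere.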
diff --git a/bundles/users/items.py b/bundles/users/items.py new file mode 100644 index 0000000..6e5382e --- /dev/null +++ b/bundles/users/items.py @@ -0,0 +1,35 @@ +from os.path import join, exists + +for group, attrs in node.metadata.get('groups', {}).items(): + groups[group] = attrs + +for username, attrs in node.metadata['users'].items(): + home = attrs.get('home', '/home/{}'.format(username)) + + user = users.setdefault(username, {}) + + user['home'] = home + user['shell'] = attrs.get('shell', '/bin/bash') + + if 'password' in attrs: + user['password'] = attrs['password'] + else: + user['password_hash'] = 'x' if node.use_shadow_passwords else '*' + + if 'groups' in attrs: + user['groups'] = attrs['groups'] + + directories[home] = { + 'owner': username, + 'mode': attrs.get('home-mode', '0700'), + } + + if 'ssh_pubkey' in attrs: + files[home + '/.ssh/authorized_keys'] = { + 'content': '\n'.join(sorted(attrs['ssh_pubkey'])) + '\n', + 'owner': username, + 'mode': '0600', + } + + elif not attrs.get('do_not_remove_authorized_keys_from_home', False): + files[home + '/.ssh/authorized_keys'] = {'delete': True} diff --git a/bundles/users/metadata.py b/bundles/users/metadata.py new file mode 100644 index 0000000..a8f0e9b --- /dev/null +++ b/bundles/users/metadata.py @@ -0,0 +1,9 @@ +# defaults = { +# 'users': { +# 'root': { +# 'home': '/root', +# 'shell': '/bin/bash', +# 'password': repo.vault.human_password_for('root on {}'.format(node.name)), +# }, +# }, +# } diff --git a/groups/os/debian-10.py b/groups/os/debian-10.py index afa849b..cb52f89 100644 --- a/groups/os/debian-10.py +++ b/groups/os/debian-10.py @@ -2,5 +2,10 @@ 'supergroups': [ 'debian', ], + 'metadata': { + 'postgresql': { + 'version': 11, + } + }, 'os_version': (10,) } diff --git a/nodes/homeserver.py b/nodes/homeserver.py index f88f7a9..7c50a90 100644 --- a/nodes/homeserver.py +++ b/nodes/homeserver.py @@ -2,6 +2,7 @@ 'hostname': '10.0.0.2', 'bundles': [ 'gitea', + 'postgresql', ], 'groups': [ 'debian-10',
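Review bot: `node.metadata['users']` in bundles/users/items.py raises KeyError on any node that carries this bundle without a `users` metadata key, while the groups loop two lines above tolerates absence with `.get('groups', {})`; since bundles/users/metadata.py ships only commented-out defaults, `node.metadata.get('users', {}).items()` is the safer form. `join` and `exists` are imported from os.path and never used. The `authorized_keys` file is declared with owner and `0600`, but no directory item covers `home + '/.ssh'`; unless bundlewrap's implicit parent creation yields an owner and mode that sshd's StrictModes accepts, an explicit `0700` directory owned by the user (below) avoids key-based logins failing silently. The commented-out block in bundles/users/metadata.py should either become a real default or be replaced by a one-line comment stating that the bundle expects `users` metadata from groups or nodes.

```python
    # … unchanged: per-user home directory item …
    directories[home + '/.ssh'] = {
        'owner': username,
        'mode': '0700',
    }
    # … unchanged: authorized_keys file items …
```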