wip

bundles/gitea/files/app.ini

@@ -0,0 +1,88 @@
+APP_NAME = ckn-gitea
+RUN_USER = gitea
+RUN_MODE = prod
+
+[repository]
+ROOT = /var/lib/gitea/repositories
+MAX_CREATION_LIMIT = 0
+DEFAULT_BRANCH = main
+
+[ui]
+ISSUE_PAGING_NUM = 50
+MEMBERS_PAGING_NUM = 100
+
+[server]
+PROTOCOL = http
+SSH_DOMAIN = ${domain}
+DOMAIN = ${domain}
+HTTP_ADDR = 127.0.0.1
+HTTP_PORT = 22000
+ROOT_URL = https://${domain}/
+DISABLE_SSH = false
+SSH_PORT = 22
+LFS_START_SERVER = true
+LFS_CONTENT_PATH = /var/lib/gitea/data/lfs
+LFS_JWT_SECRET = ${lfs_secret_key}
+OFFLINE_MODE = true
+START_SSH_SERVER = false
+DISABLE_ROUTER_LOG = true
+LANDING_PAGE = explore
+
+[database]
+DB_TYPE = postgres
+HOST = ${database.get('host', 'localhost')}:5432
+NAME = ${database['database']}
+USER = ${database['username']}
+PASSWD = ${database['password']}
+SSL_MODE = disable
+LOG_SQL = false
+
+[admin]
+DEFAULT_EMAIL_NOTIFICATIONS = onmention
+DISABLE_REGULAR_ORG_CREATION = true
+
+[security]
+INTERNAL_TOKEN = ${internal_token}
+INSTALL_LOCK = true
+SECRET_KEY = ${security_secret_key}
+LOGIN_REMEMBER_DAYS = 30
+DISABLE_GIT_HOOKS = ${str(not enable_git_hooks).lower()}
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[service]
+REGISTER_EMAIL_CONFIRM = true
+ENABLE_NOTIFY_MAIL = true
+DISABLE_REGISTRATION = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+REQUIRE_SIGNIN_VIEW = false
+DEFAULT_KEEP_EMAIL_PRIVATE = true
+DEFAULT_ALLOW_CREATE_ORGANIZATION = false
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.${domain}
+
+[mailer]
+ENABLED = true
+MAILER_TYPE = sendmail
+FROM = "${app_name}" <noreply@${domain}>
+
+[session]
+PROVIDER = file
+
+[picture]
+DISABLE_GRAVATAR = true
+ENABLE_FEDERATED_AVATAR = false
+
+[log]
+MODE = console
+LEVEL = warn
+
+[oauth2]
+JWT_SECRET = ${oauth_secret_key}
+
+[other]
+SHOW_FOOTER_BRANDING = true
+SHOW_FOOTER_TEMPLATE_LOAD_TIME = false

bundles/gitea/items.py

@@ -12,17 +12,12 @@ downloads = {
 }
 
 users = {
-    'git': {},
+    'gitea': {},
 }
 
 directories = {
-    '/home/git': {
-        'mode': '0755',
-        'owner': 'git',
-        'group': 'git',
-    },
     '/var/lib/gitea': {
-        'owner': 'git',
+        'owner': 'gitea',
         'mode': '0700',
         'triggers': {
             'svc_systemd:gitea:restart',

bundles/gitea/metadata.py

@@ -36,8 +36,8 @@ defaults = {
                     'Service': {
                         'RestartSec': '2s',
                         'Type': 'simple',
-                        'User': 'git',
+                        'User': 'gitea',
-                        'Group': 'git',
+                        'Group': 'gitea',
                         'WorkingDirectory': '/var/lib/gitea/',
                         'ExecStart': '/usr/local/bin/gitea web -c /etc/gitea/app.ini',
                         'Restart': 'always',

bundles/postgresql/items.py

@@ -0,0 +1,23 @@
+pkg_apt = {
+    'postgresql': {},
+}
+
+if node.has_bundle('zfs'):
+    pkg_apt[postgresql]\
+        .setdefault('needs', [])\
+        .append('zfs_dataset:tank/postgresql')
+
+for user, config in node.metadata.get('postgresql/roles').items():
+    postgres_roles[user] = {
+        'password': config['password'],
+        'needs': {
+            'svc_systemd:postgresql',
+        },
+    }
+
+for database, config in node.metadata.get('postgresql/databases').items():
+    postgres_dbs[database] = config
+
+svc_systemd = {
+    'postgresql': {},
+}

bundles/postgresql/metadata.py

@@ -0,0 +1,23 @@
+defaults = {
+    'postgresql': {
+        'roles': {
+            'root': {
+                'password': repo.vault.password_for(f'{node.name} postgresql root'),
+                'superuser': True,
+                'needs': {
+                    'svc_systemd:postgresql',
+                },
+            },
+        },
+        'databases': {},
+    },
+}
+
+if node.has_bundle('zfs'):
+    defaults['zfs'] = {
+        'datasets': {
+            'tank/postgresql': {
+                'mountpoint': '/var/lib/postgresql',
+            },
+        },
+    }

bundles/users/items.py

@@ -0,0 +1,35 @@
+from os.path import join, exists
+
+for group, attrs in node.metadata.get('groups', {}).items():
+    groups[group] = attrs
+
+for username, attrs in node.metadata['users'].items():
+    home = attrs.get('home', '/home/{}'.format(username))
+
+    user = users.setdefault(username, {})
+
+    user['home'] = home
+    user['shell'] = attrs.get('shell', '/bin/bash')
+
+    if 'password' in attrs:
+        user['password'] = attrs['password']
+    else:
+        user['password_hash'] = 'x' if node.use_shadow_passwords else '*'
+
+    if 'groups' in attrs:
+        user['groups'] = attrs['groups']
+
+    directories[home] = {
+        'owner': username,
+        'mode': attrs.get('home-mode', '0700'),
+    }
+
+    if 'ssh_pubkey' in attrs:
+        files[home + '/.ssh/authorized_keys'] = {
+            'content': '\n'.join(sorted(attrs['ssh_pubkey'])) + '\n',
+            'owner': username,
+            'mode': '0600',
+        }
+
+    elif not attrs.get('do_not_remove_authorized_keys_from_home', False):
+        files[home + '/.ssh/authorized_keys'] = {'delete': True}

bundles/users/metadata.py

@@ -0,0 +1,9 @@
+# defaults = {
+#     'users': {
+#         'root': {
+#             'home': '/root',
+#             'shell': '/bin/bash',
+#             'password': repo.vault.human_password_for('root on {}'.format(node.name)),
+#         },
+#     },
+# }

groups/os/debian-10.py

@@ -2,5 +2,10 @@
     'supergroups': [
         'debian',
     ],
+    'metadata': {
+        'postgresql': {
+            'version': 11,
+        }
+    }, 
     'os_version': (10,)
 }

nodes/homeserver.py

@@ -2,6 +2,7 @@
     'hostname': '10.0.0.2',
     'bundles': [
         'gitea',
+        'postgresql',
     ],
     'groups': [
         'debian-10',