From aa63b8ef671c0c4ef1fb18d3c838f4451dcffcd0 Mon Sep 17 00:00:00 2001
From: Luke Murphy
Date: Wed, 17 Jun 2020 08:21:19 +0200
Subject: [PATCH] Bootstrap Gitea repository
---
.envrc.sample | 14 +++++++++
.gitignore | 1 +
README.md | 3 ++
app.ini.tmpl | 28 +++++++++++++++++
compose.yml | 83 +++++++++++++++++++++++++++++++++++++++++++++++++++
helpers.sh | 22 ++++++++++++++
6 files changed, 151 insertions(+)
create mode 100644 .envrc.sample
create mode 100644 .gitignore
create mode 100644 README.md
create mode 100644 app.ini.tmpl
create mode 100644 compose.yml
create mode 100755 helpers.sh
diff --git a/.envrc.sample b/.envrc.sample
new file mode 100644
index 0000000..aaaf079
--- /dev/null
+++ b/.envrc.sample
@@ -0,0 +1,14 @@
+export APP_INI_VERSION=v1
+export APP_NAME=gitea
+export DB_HOST=postgres:5432
+export DB_NAME=gitea
+export DB_PASSWD_VERSION=v1
+export DB_TYPE=postgres
+export DB_USER=gitea
+export DOMAIN=gitea.swarm.autonomic.zone
+export INTERNAL_TOKEN_VERSION=v1
+export JWT_SECRET_VERSION=v1
+export LETS_ENCRYPT_ENV=staging
+export SECRET_KEY_VERSION=v1
+export SSH_HOST_PORT=2222
+export STACK_NAME=gitea
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..7a6353d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.envrc
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..00326e0
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# gitea
+
+> https://gitea.io
diff --git a/app.ini.tmpl b/app.ini.tmpl
new file mode 100644
index 0000000..10c58e7
--- /dev/null
+++ b/app.ini.tmpl
@@ -0,0 +1,28 @@
+APP_NAME = {{ env "GITEA_APP_NAME" }}
+RUN_MODE = prod
+
+[database]
+DB_TYPE = {{ env "GITEA_DB_TYPE" }}
+HOST = {{ env "GITEA_DB_HOST" }}
+NAME = {{ env "GITEA_DB_NAME" }}
+PASSWD = {{ secret "db_passwd" }}
+USER = {{ env "GITEA_DB_USER" }}
+
+[indexer]
+STARTUP_TIMEOUT = 0
+
+[server]
+DOMAIN = {{ env "GITEA_DOMAIN" }}
+ROOT_URL = https://%(DOMAIN)s/
+SSH_DOMAIN = {{ env "GITEA_DOMAIN" }}
+SSH_LISTEN_PORT = {{ env "GITEA_SSH_PORT" }}
+SSH_PORT = {{ env "GITEA_SSH_PORT" }}
+START_SSH_SERVER = true
+
+[security]
+INSTALL_LOCK = true
+INTERNAL_TOKEN = {{ secret "internal_token" }}
+SECRET_KEY = {{ secret "secret_key" }}
+
+[oauth2]
+JWT_SECRET = {{ secret "jwt_secret" }}
diff --git a/compose.yml b/compose.yml
new file mode 100644
index 0000000..92d7357
--- /dev/null
+++ b/compose.yml
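Review bot: The template defines no `[service]` section, so self-registration is left at Gitea's default, which as far as I know is open; on an instance published at `https://%(DOMAIN)s/` that would let any visitor create an account and repositories. If public sign-up is not intended for this deployment, add a `[service]` section containing `DISABLE_REGISTRATION = true`. A one-line comment above `PASSWD = {{ secret "db_passwd" }}` saying that the rendered `app.ini` holds the secret values in clear text would also help whoever later changes where the config is mounted.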
@@ -0,0 +1,83 @@
+---
+version: "3.8"
+
+services:
+ gitea:
+ image: "gitea/gitea:1.11.5"
+ configs:
+ - source: app_ini
+ target: /data/gitea/conf/app.ini
+ secrets:
+ - db_passwd
+ - internal_token
+ - jwt_secret
+ - secret_key
+ environment:
+ - GITEA_APP_NAME=${APP_NAME}
+ - GITEA_DB_HOST=${DB_HOST}
+ - GITEA_DB_NAME=${DB_NAME}
+ - GITEA_DB_TYPE=${DB_TYPE}
+ - GITEA_DB_USER=${DB_USER}
+ - GITEA_DOMAIN=${DOMAIN}
+ - GITEA_SSH_PORT=${SSH_HOST_PORT}
+ volumes:
+ - "git:/data"
+ networks:
+ - proxy
+ - internal
+ deploy:
+ update_config:
+ failure_action: rollback
+ labels:
+ - "traefik.enable=true"
+
+ - "traefik.http.routers.gitea.rule=Host(`${DOMAIN}`)"
+ - "traefik.http.routers.gitea.entrypoints=web-secure"
+ - "traefik.http.services.gitea.loadbalancer.server.port=3000"
+ - "traefik.http.routers.gitea.tls.certresolver=${LETS_ENCRYPT_ENV}"
+
+ - "traefik.tcp.routers.gitea-ssh.rule=HostSNI(`*`)"
+ - "traefik.tcp.routers.gitea-ssh.entrypoints=gitea-ssh"
+ - "traefik.tcp.services.gitea-ssh.loadbalancer.server.port=2222"
+
+ postgres:
+ image: "postgres:12"
+ secrets:
+ - db_passwd
+ environment:
+ - POSTGRES_USER=gitea
+ - POSTGRES_DB=gitea
+ - POSTGRES_PASSWORD_FILE=/run/secrets/db_passwd
+ networks:
+ - internal
+ volumes:
+ - "db:/var/lib/postgresql/data"
+
+networks:
+ internal:
+ proxy:
+ external: true
+
+configs:
+ app_ini:
+ name: ${STACK_NAME}_app_ini_${APP_INI_VERSION}
+ file: app.ini.tmpl
+ template_driver: golang
+
+secrets:
+ db_passwd:
+ name: ${STACK_NAME}_db_passwd_${DB_PASSWD_VERSION}
+ external: true
+ internal_token:
+ name: ${STACK_NAME}_internal_token_${INTERNAL_TOKEN_VERSION}
+ external: true
+ jwt_secret:
+ name: ${STACK_NAME}_jwt_secret_${JWT_SECRET_VERSION}
+ external: true
+ secret_key:
+ name: ${STACK_NAME}_secret_key_${SECRET_KEY_VERSION}
+ external: true
+
+volumes:
+ git:
+ db:
diff --git a/helpers.sh b/helpers.sh
new file mode 100755
index 0000000..3ccda81
--- /dev/null
+++ b/helpers.sh
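Review bot: Several values are hard-coded on one side and variable-driven on the other, so a change in `.envrc` silently breaks the stack. Gitea's SSH listener takes its port from `GITEA_SSH_PORT=${SSH_HOST_PORT}`, yet the Traefik label forwards to a fixed `loadbalancer.server.port=2222`; the label should read `- "traefik.tcp.services.gitea-ssh.loadbalancer.server.port=${SSH_HOST_PORT}"`. Likewise the postgres service fixes `POSTGRES_USER=gitea` and `POSTGRES_DB=gitea` while Gitea connects with `${DB_USER}` and `${DB_NAME}`; use `POSTGRES_USER=${DB_USER}` and `POSTGRES_DB=${DB_NAME}` so the two cannot drift apart.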
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+create-secrets () {
+ pwgen -n 32 1 | docker secret create "${STACK_NAME}_db_passwd_${DB_PASSWD_VERSION}" -
+ pwgen -n 105 1 | docker secret create "${STACK_NAME}_internal_token_${INTERNAL_TOKEN_VERSION}" -
+ pwgen -n 43 1 | docker secret create "${STACK_NAME}_jwt_secret_${JWT_SECRET_VERSION}" -
+ pwgen -n 64 1 | docker secret create "${STACK_NAME}_secret_key_${SECRET_KEY_VERSION}" -
+}
+
+create-admin () {
+ container=$(docker container ls -f "name=${STACK_NAME}_gitea" -q)
+ docker exec "$container" \
+ gitea \
+ --custom-path /data/gitea/ \
+ --config /data/gitea/conf/app.ini \
+ admin \
+ create-user \
+ --admin \
+ --username autonomic \
+ --password autonomic \
+ --email autonomic@autonomic.zone
+}
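Review bot: `create-admin` provisions the site administrator with the fixed credentials `--username autonomic --password autonomic`, which are committed to the repository, while compose.yml publishes the instance through Traefik. Generate the password at run time instead: replace the password line with `--random-password \` and add `--must-change-password \` (both are `gitea admin create-user` options as far as I know; confirm they exist in the pinned 1.11.5 image), or read the password from a prompt. The function should also stop when `container` is empty, since `docker exec ""` then fails with a less helpful message. Separately, the `pwgen -n` calls in `create-secrets` produce pronounceable strings; `pwgen -s -n 64 1` and its siblings request fully random ones, which suits the token and key material better.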