feat: anubis

Reviewed-on: #1

.drone.yml

@@ -51,7 +51,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - coop-cloud/auto-recipes-catalogue-json
+        - toolshed/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -5,10 +5,15 @@ LETS_ENCRYPT_ENV=production
 COMPOSE_FILE="compose.yml"
 ENABLE_BACKUPS=true
 COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml"
+# COMPOSE_FILE="$COMPOSE_FILE:compose.sqlite3.yml"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.yml"
 
 # Enable to use forgejo instead of gitea
 # COMPOSE_FILE="$COMPOSE_FILE:compose.forgejo.yml"
+# SECRET_LFS_JWT_SECRET_VERSION=v1 # length=43
+
+# Anubis
+# COMPOSE_FILE="$COMPOSE_FILE:compose.anubis.yml"
 
 GITEA_DOMAIN=git.example.com
 GITEA_ALLOW_ONLY_EXTERNAL_REGISTRATION=true
@@ -30,6 +35,9 @@ GITEA_DEFAULT_USER_VISIBILITY=limited
 GITEA_ALLOWED_USER_VISIBILITY_MODES=limited,private
 GITEA_DEFAULT_ORG_VISIBILITY=limited
 GITEA_REQUIRE_SIGNIN_VIEW=true
+GITEA_ENABLE_PUSH_CREATE_USER=false
+GITEA_ENABLE_PUSH_CREATE_ORG=false
+GITEA_LFS_START_SERVER=false
 
 GITEA_REPO_UPLOAD_ENABLED=true
 GITEA_REPO_UPLOAD_ALLOWED_TYPES=*/*
@@ -54,6 +62,7 @@ SECRET_SECRET_KEY_VERSION=v1 # length=64
 # GITEA_MAILER_ADDR=mail.gandi.net
 # GITEA_MAILER_PORT=465
 # SECRET_SMTP_PASSWORD_VERSION=v1
+# GITEA_MAILER_PROTOCOL=smtps
 
 # OATH2 Options
 # GITEA_REGISTER_EMAIL_CONFIRM=replace-me
@@ -63,6 +72,11 @@ SECRET_SECRET_KEY_VERSION=v1 # length=64
 # GITEA_ACCOUNT_LINKING=replace-me
 # GITEA_OAUTH2_CLIENT_ENABLED=replace-me
 
+# Lifetime of an OAuth2 refresh token in hours, prolly no need to edit. We
+# were hitting issues with infrequently pushed to repos that were not picked
+# up by drone after a month of inactivity, hence the option.
+# GITEA__oauth2__REFRESH_TOKEN_EXPIRATION_TIME=730
+
 # Indexer (for issue search)
 # GITEA_REPO_INDEXER_ENABLED=false
 # GITEA_ISSUE_INDEXER_TYPE=db

README.md

@@ -1,11 +1,11 @@
-# Gitea
+# Forgejo
 
-[![Build Status](https://build.coopcloud.tech/api/badges/coop-cloud/gitea/status.svg)](https://build.coopcloud.tech/coop-cloud/gitea)
+[![Build Status](https://build.coopcloud.tech/api/badges/coop-cloud/forgejo/status.svg)](https://build.coopcloud.tech/coop-cloud/forgejo)
 
 <!-- metadata -->
 * **Category**: Development
 * **Status**: 5
-* **Image**: [`gitea/gitea`](https://hub.docker.com/gitea/gitea), 4, upstream
+* **Image**: [`forgejo/forgejo`](https://codeberg.org/forgejo/-/packages/container/forgejo/13-rootless), 4, upstream
 * **Healthcheck**: Yes
 * **Backups**: Yes
 * **Email**: Yes
@@ -17,7 +17,7 @@
 
 1. Set up Docker Swarm and [`abra`][abra]
 2. Deploy [`coop-cloud/traefik`][cc-traefik]
-3. `abra app new gitea --secrets` (optionally with `--pass` if you'd like
+3. `abra app new forgejo --secrets` (optionally with `--pass` if you'd like
    to save secrets in `pass`)
 4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to
    your Docker swarm box
@@ -28,7 +28,7 @@
 Run
 
 ```bash
-abra app run YOURAPPNAME app gitea -c /etc/gitea/app.ini admin user create --username USERNAME --admin --random-password --email EMAIL
+abra app run YOURAPPNAME app forgejo -c /etc/gitea/app.ini admin user create --username USERNAME --admin --random-password --email EMAIL
 ```
 
 See the [Gitea command-line documentation](https://docs.gitea.io/en-us/command-line/) for more options.  Make sure not to forget the `-c /etc/gitea/app.ini`.

abra.sh

@@ -1,4 +1,4 @@
-export APP_INI_VERSION=v19
+export APP_INI_VERSION=v23
 export DOCKER_SETUP_SH_VERSION=v1
 export PG_BACKUP_VERSION=v1
 

app.ini.tmpl

@@ -2,10 +2,15 @@ APP_NAME = {{ env "GITEA_APP_NAME" }}
 
 [database]
 DB_TYPE = {{ env "GITEA_DB_TYPE" }}
+{{ if ne (env "GITEA_DB_TYPE") "sqlite3" }}
 HOST = {{ env "GITEA_DB_HOST" }}
 NAME = {{ env "GITEA_DB_NAME" }}
 PASSWD = {{ secret "db_password" }}
 USER = {{ env "GITEA_DB_USER" }}
+{{ else }}
+SQLITE_JOURNAL_MODE = {{ env "GITEA_SQLITE_JOURNAL_MODE" }}
+PATH = {{ env "GITEA_PATH" }}
+{{ end }}
 
 [picture]
 DISABLE_GRAVATAR = {{ env "GITEA_DISABLE_GRAVATAR" }}
@@ -23,6 +28,7 @@ DEFAULT_USER_VISIBILITY = {{ env "GITEA_DEFAULT_USER_VISIBILITY" }}
 ALLOWED_USER_VISIBILITY_MODES = {{ env "GITEA_ALLOWED_USER_VISIBILITY_MODES" }}
 DEFAULT_ORG_VISIBILITY = {{ env "GITEA_DEFAULT_ORG_VISIBILITY" }}
 REQUIRE_SIGNIN_VIEW = {{ env "GITEA_REQUIRE_SIGNIN_VIEW" }}
+ENABLE_INTERNAL_SIGNIN = {{ env "GITEA_ENABLE_INTERNAL_SIGNIN" }}
 
 [openid]
 ENABLE_OPENID_SIGNIN = {{ env "GITEA_ENABLE_OPENID_SIGNIN" }}
@@ -30,6 +36,8 @@ ENABLE_OPENID_SIGNUP = {{ env "GITEA_ENABLE_OPENID_SIGNUP" }}
 
 [repository]
 DEFAULT_BRANCH = main
+ENABLE_PUSH_CREATE_USER = {{ env "GITEA_ENABLE_PUSH_CREATE_USER" }}
+ENABLE_PUSH_CREATE_ORG = {{ env "GITEA_ENABLE_PUSH_CREATE_ORG" }}
 
 [repository.upload]
 ENABLED = {{ env "GITEA_REPO_UPLOAD_ENABLED" }}
@@ -53,6 +61,8 @@ SSH_DOMAIN = {{ env "GITEA_DOMAIN" }}
 SSH_LISTEN_PORT = {{ env "GITEA_SSH_PORT" }}
 SSH_PORT = {{ env "GITEA_SSH_PORT" }}
 START_SSH_SERVER = true
+LFS_START_SERVER = {{ env "GITEA_LFS_START_SERVER" }}
+LFS_JWT_SECRET = {{ secret "lfs_jwt_secret" }}
 
 [security]
 INSTALL_LOCK = true
@@ -71,7 +81,7 @@ JWT_SECRET = {{ secret "jwt_secret" }}
 [mailer]
 ENABLED        = true
 FROM           = {{ env "GITEA_MAILER_FROM" }}
-PROTOCOL       = smtps
+PROTOCOL       = {{ env "GITEA_MAILER_PROTOCOL" }}
 SMTP_ADDR      = {{ env "GITEA_MAILER_ADDR" }}
 SMTP_PORT      = {{ env "GITEA_MAILER_PORT" }}
 USER           = {{ env "GITEA_MAILER_USER" }}

compose.anubis.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+services:
+  app:
+    deploy:
+      labels:
+      - "traefik.http.routers.${STACK_NAME}.middlewares=anubis,${STACK_NAME}_cors"

compose.forgejo.yml

@@ -1,5 +0,0 @@
-version: '3.8'
-
-services:
-  app:
-    image: codeberg.org/forgejo/forgejo:9.0.1-rootless

compose.mariadb.yml

@@ -7,6 +7,8 @@ services:
       - GITEA_DB_HOST="db:3306"
       - GITEA_DB_NAME=gitea
       - GITEA_DB_USER=gitea
+    secrets:
+      - db_password
   db:
     image: "mariadb:10.11.2"
     deploy:

compose.postgres.yml

@@ -7,8 +7,10 @@ services:
       - GITEA_DB_HOST="db:5432"
       - GITEA_DB_NAME=gitea
       - GITEA_DB_USER=gitea
+    secrets:
+      - db_password
   db:
-    image: postgres:15.8
+    image: postgres:15.13
     deploy:
       labels:
         backupbot.backup.pre-hook: "/pg_backup.sh backup"

compose.smtp.yml

@@ -8,6 +8,7 @@ services:
       - GITEA_MAILER_ADDR
       - GITEA_MAILER_PORT
       - GITEA_MAILER_USER
+      - "GITEA_MAILER_PROTOCOL=${GITEA_MAILER_PROTOCOL:-smtps}"
     secrets:
       - smtp_password
 

compose.sqlite3.yml

@@ -0,0 +1,8 @@
+version: '3.8'
+
+services:
+  app:
+    environment:
+      - GITEA_DB_TYPE=sqlite3
+      - GITEA_SQLITE_JOURNAL_MODE=wal
+      - GITEA_PATH=/var/lib/gitea/gitea.db

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "gitea/gitea:1.22.2-rootless"
+    image: codeberg.org/forgejo/forgejo:13.0.3-rootless
     configs:
       - source: app_ini
         target: /etc/gitea/app.ini
@@ -11,10 +11,10 @@ services:
         target: /usr/local/bin/docker-setup.sh
         mode: 0555
     secrets:
-      - db_password
       - internal_token
       - jwt_secret
       - secret_key
+      - lfs_jwt_secret
     environment:
       - GITEA_ALLOW_ONLY_EXTERNAL_REGISTRATION
       - GITEA_APP_NAME
@@ -52,6 +52,9 @@ services:
       - GITEA_ALLOWED_USER_VISIBILITY_MODES
       - GITEA_DEFAULT_ORG_VISIBILITY
       - GITEA_REQUIRE_SIGNIN_VIEW
+      - GITEA__oauth2__REFRESH_TOKEN_EXPIRATION_TIME
+      - GITEA_LFS_START_SERVER=${GITEA_LFS_START_SERVER:-false}
+      - GITEA_ENABLE_INTERNAL_SIGNIN
     volumes:
       - data:/var/lib/gitea
       - config:/etc/gitea
@@ -82,10 +85,11 @@ services:
         - "traefik.tcp.services.${STACK_NAME}-ssh.loadbalancer.server.port=${GITEA_SSH_PORT}"
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}_cors"
         - "traefik.http.middlewares.${STACK_NAME}_cors.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
+        - "traefik.http.middlewares.${STACK_NAME}_cors.headers.accesscontrolallowheaders=content-type,authorization"
         - "traefik.http.middlewares.${STACK_NAME}_cors.headers.accesscontrolalloworiginlist=https://${GITEA_CORS_ALLOW_DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}_cors.headers.accesscontrolmaxage=100"
         - "traefik.http.middlewares.${STACK_NAME}_cors.headers.addvaryheader=true"
-        - coop-cloud.${STACK_NAME}.version=3.0.0+1.22.2-rootless
+        - coop-cloud.${STACK_NAME}.version=5.0.1+13.0.3-rootless
 
 
 networks:
@@ -113,6 +117,9 @@ secrets:
   secret_key:
     name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
     external: true
+  lfs_jwt_secret:
+    name: ${STACK_NAME}_lfs_jwt_secret_${SECRET_LFS_JWT_SECRET_VERSION}
+    external: true
 
 volumes:
   data:

release/4.0.0+12.0.2-rootless

@@ -0,0 +1,3 @@
+This recipe was forked from the gitea recipe and should be a drop in replacement.
+
+You can remove this line from your app.env COMPOSE_FILE="$COMPOSE_FILE:compose.forgejo.yml"

release/5.0.0+13.0.2-rootless

@@ -0,0 +1 @@
+For breaking changes see: https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/13.0.0.md

renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ]
+}