Merge branch 'session' into produccion

this should help with folks having to log in again after restarts

.env.sample

@@ -38,6 +38,10 @@ GITEA_ENABLE_PUSH_CREATE_USER=false
 GITEA_ENABLE_PUSH_CREATE_ORG=false
 GITEA_LFS_START_SERVER=false
 GITEA_MAX_CREATION_LIMIT=-1
+GITEA_SESSION_PROVIDER=db
+GITEA_CACHE_ADAPTER=memory
+GITEA_CACHE_HOST=
+GITEA_CACHE_ITEM_TTL=16h
 
 GITEA_REPO_UPLOAD_ENABLED=true
 GITEA_REPO_UPLOAD_ALLOWED_TYPES=*/*
@@ -68,6 +72,13 @@ GITEA_STORAGE_TYPE=local
 # MINIO_CHECKSUM_ALGORITHM=default
 # COMPOSE_FILE="$COMPOSE_FILE:compose.s3.yml"
 
+# Instance Commit Signing
+# https://forgejo.org/docs/latest/admin/advanced/signing/
+# COMPOSE_FILE="$COMPOSE_FILE:compose.signing.yml"
+# GITEA_SIGNING_ENABLED=1
+# SECRET_SIGNING_PUBLIC_KEY_VERSION=v1
+# SECRET_SIGNING_PRIVATE_KEY_VERSION=v1
+
 # SMTP Mailer
 # COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
 # GITEA_SMTP_MAILER_ENABLED=1

README.md

@@ -66,3 +66,16 @@ Note that gitea should be configured to listen to port 2222, i.e. `GITEA_SSH_POR
 Uncomment the Anubis compose file from the `.env` file and re-deploy the
 app.  Don't forget to actually [enable Anubis on the Traefik app
 too](https://recipes.coopcloud.tech/traefik)!
+
+## [Instance Commit Signing](https://forgejo.org/docs/latest/admin/advanced/signing/)
+
+To allow Forgejo to sign commits, uncomment the corresponding
+configuration block, and then generate and insert the SSH keys:
+
+```sh
+abra app config git.example.coop
+ssh-keygen -t ed25519
+app app secret insert git.example.coop signing_public_key v1 -f ~/.ssh/id_ed25519.pub
+app app secret insert git.example.coop signing_private_key v1 -f ~/.ssh/id_ed25519
+app app deploy git.example.coop
+```

abra.sh

@@ -1,5 +1,5 @@
-export APP_INI_VERSION=v25
-export DOCKER_SETUP_SH_VERSION=v1
+export APP_INI_VERSION=v28
+export DOCKER_SETUP_SH_VERSION=v2
 export PG_BACKUP_VERSION=v1
 
 abra_backup_app() {

app.ini.tmpl

@@ -62,6 +62,18 @@ ALLOWED_TYPES = {{ env "GITEA_REPO_UPLOAD_ALLOWED_TYPES" }}
 FILE_MAX_SIZE = {{ env "GITEA_REPO_UPLOAD_MAX_SIZE" }}
 MAX_FILES = {{ env "GITEA_REPO_UPLOAD_MAX_FILES" }}
 
+{{ if eq (env "GITEA_SIGNING_ENABLED") "1" }}
+[repository.signing]
+FORMAT = ssh
+SIGNING_KEY = /var/lib/gitea/signing_key.pub
+SIGNING_NAME = {{ env "GITEA_APP_NAME" }}
+SIGNING_EMAIL = {{ env "GITEA_MAILER_FROM" }}
+INITIAL_COMMIT = always
+WIKI = always
+CRUD_ACTIONS = always
+MERGES = always
+{{ end }}
+
 [ui]
 SHOW_USER_EMAIL = {{ env "GITEA_SHOW_USER_EMAIL" }}
 
@@ -126,3 +138,12 @@ MODE=console
 LEVEL=WARN
 STACKTRACE_LEVEL=None
 ENABLE_XORM_LOG=false
+
+
+[session]
+PROVIDER = {{ env "GITEA_SESSION_PROVIDER" }}
+
+[cache]
+ADAPTER = {{ env "GITEA_CACHE_ADAPTER" }}
+HOST = {{ env "GITEA_CACHE_HOST" }}
+ITEM_TTL = {{ env "GITEA_CACHE_ITEM_TTL" }}

compose.signing.yml

@@ -0,0 +1,14 @@
+version: '3.8'
+
+services:
+  app:
+    secrets:
+    - signing_public_key
+    - signing_private_key
+secrets:
+  signing_public_key:
+    name: ${STACK_NAME}_signing_public_key_${SECRET_SIGNING_PUBLIC_KEY_VERSION}
+    external: true
+  signing_private_key:
+    name: ${STACK_NAME}_signing_private_key_${SECRET_SIGNING_PRIVATE_KEY_VERSION}
+    external: true

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: codeberg.org/forgejo/forgejo:15.0.0-rootless
+    image: codeberg.org/forgejo/forgejo:15.0.2-rootless
     configs:
       - source: app_ini
         target: /var/lib/gitea/custom/conf/app.ini
@@ -65,7 +65,7 @@ services:
       - proxy
       - internal
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:3000/api/healthz"]
+      test: ["CMD", "curl", "--user-agent=healthcheck", "-f", "http://localhost:3000/api/healthz"]
       interval: 30s
       timeout: 10s
       retries: 10
@@ -73,7 +73,7 @@ services:
     deploy:
       update_config:
         failure_action: rollback
-        order: start-first
+        order: stop-first
       labels:
         - "backupbot.backup=${ENABLE_BACKUPS:-true}"
         - "traefik.enable=true"
@@ -90,7 +90,7 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}_cors.headers.accesscontrolalloworiginlist=https://${GITEA_CORS_ALLOW_DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}_cors.headers.accesscontrolmaxage=100"
         - "traefik.http.middlewares.${STACK_NAME}_cors.headers.addvaryheader=true"
-        - coop-cloud.${STACK_NAME}.version=5.1.2+14.0.4-rootless
+        - coop-cloud.${STACK_NAME}.version=5.3.1+15.0.2-rootless
 
 
 networks:

docker-setup.sh.tmpl

@@ -13,3 +13,10 @@ mkdir -p ${GITEA_CUSTOM} && chmod 0500 ${GITEA_CUSTOM}
 # Prepare temp folder
 mkdir -p ${GITEA_TEMP} && chmod 0700 ${GITEA_TEMP}
 if [ ! -w ${GITEA_TEMP} ]; then echo "${GITEA_TEMP} is not writable"; exit 1; fi
+
+if [ -e /run/secrets/signing_public_key ] ; then
+  cat /run/secrets/signing_public_key > /var/lib/gitea/signing_key.pub
+  cat /run/secrets/signing_private_key > /var/lib/gitea/signing_key
+
+  chmod 600 /var/lib/gitea/signing_key*
+fi