fix: allow key rotation

Reviewed-on: #28
Reviewed-by: p4u1 <p4u1@noreply.git.coopcloud.tech>

.env.sample

@@ -37,6 +37,7 @@ GITEA_REQUIRE_SIGNIN_VIEW=true
 GITEA_ENABLE_PUSH_CREATE_USER=false
 GITEA_ENABLE_PUSH_CREATE_ORG=false
 GITEA_LFS_START_SERVER=false
+GITEA_MAX_CREATION_LIMIT=-1
 
 GITEA_REPO_UPLOAD_ENABLED=true
 GITEA_REPO_UPLOAD_ALLOWED_TYPES=*/*
@@ -55,6 +56,25 @@ SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_JWT_SECRET_VERSION=v1 # length=43
 SECRET_SECRET_KEY_VERSION=v1 # length=64
 
+# Change to "minio" an configure to enable S3 storage
+# https://forgejo.org/docs/latest/admin/setup/storage/
+GITEA_STORAGE_TYPE=local
+# MINIO_ENDPOINT=
+# MINIO_ACCESS_KEY_ID=
+# SECRET_MINIO_SECRET_ACCESS_KEY_VERSION=v1
+# MINIO_BUCKET=
+# MINIO_BUCKET_LOOKUP=auto
+# MINIO_LOCATION=garage
+# MINIO_CHECKSUM_ALGORITHM=default
+# COMPOSE_FILE="$COMPOSE_FILE:compose.s3.yml"
+
+# Instance Commit Signing
+# https://forgejo.org/docs/latest/admin/advanced/signing/
+# COMPOSE_FILE="$COMPOSE_FILE:compose.signing.yml"
+# GITEA_SIGNING_ENABLED=1
+# SECRET_SIGNING_PUBLIC_KEY_VERSION=v1
+# SECRET_SIGNING_PRIVATE_KEY_VERSION=v1
+
 # SMTP Mailer
 # COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
 # GITEA_SMTP_MAILER_ENABLED=1

MAINTENANCE.md

@@ -0,0 +1,32 @@
+# Forgejo Recipe Maintenance
+
+All contributions should be made via a pull request. This is to ensure a
+certain quality and consistency, that others can rely on.
+
+## Maintainer Responsibilities
+
+A recipe maintainer has the following responsibilities:
+
+- Respond to pull requests / issues within two weeks
+- Make image security updates within a day
+- Make image patch / minor updates within a week
+- Make image major updates within a month
+
+In order to fullfill these responsibilities a recipe maintainer:
+
+- Has to watch the repository (to get notifications)
+- Needs to make sure renovate is configured properly
+
+## Pull Requests
+
+A pull request can be merged if it is approved by at least one maintainer. For
+pull requests opened by a maintainer they need to be approved by another
+maintainer. Even though it is okay to merge a pull request with one approval, it
+is always better if all maintainers looked at the pull request and approved it.
+
+## Become a maintainer
+
+Everyone can apply to be a recipe maintainer:
+1. Watch the repository to always get updates
+2. Simply add your self to the list in the [README.md](./README.md) and open a new pull request with the change.
+3. Once the pull request gets merged you will be added to the [forgejo maintainers team](https://git.coopcloud.tech/org/coop-cloud/teams/forgejo-maintainers).

README.md

@@ -3,6 +3,7 @@
 [![Build Status](https://build.coopcloud.tech/api/badges/coop-cloud/forgejo/status.svg)](https://build.coopcloud.tech/coop-cloud/forgejo)
 
 <!-- metadata -->
+* **Maintainer**: [@p4u1](https://git.coopcloud.tech/p4u1), [@fauno](https://git.coopcloud.tech/fauno)
 * **Category**: Development
 * **Status**: 5
 * **Image**: [`forgejo/forgejo`](https://codeberg.org/forgejo/-/packages/container/forgejo/13-rootless), 4, upstream
@@ -65,3 +66,16 @@ Note that gitea should be configured to listen to port 2222, i.e. `GITEA_SSH_POR
 Uncomment the Anubis compose file from the `.env` file and re-deploy the
 app.  Don't forget to actually [enable Anubis on the Traefik app
 too](https://recipes.coopcloud.tech/traefik)!
+
+## [Instance Commit Signing](https://forgejo.org/docs/latest/admin/advanced/signing/)
+
+To allow Forgejo to sign commits, uncomment the corresponding
+configuration block, and then generate and insert the SSH keys:
+
+```sh
+abra app config git.example.coop
+ssh-keygen -t ed25519
+app app secret insert git.example.coop signing_public_key v1 -f ~/.ssh/id_ed25519.pub
+app app secret insert git.example.coop signing_private_key v1 -f ~/.ssh/id_ed25519
+app app deploy git.example.coop
+```

abra.sh

@@ -1,5 +1,5 @@
-export APP_INI_VERSION=v24
-export DOCKER_SETUP_SH_VERSION=v1
+export APP_INI_VERSION=v25
+export DOCKER_SETUP_SH_VERSION=v2
 export PG_BACKUP_VERSION=v1
 
 abra_backup_app() {

app.ini.tmpl

@@ -16,6 +16,21 @@ PATH = {{ env "GITEA_PATH" }}
 DISABLE_GRAVATAR = {{ env "GITEA_DISABLE_GRAVATAR" }}
 ENABLE_FEDERATED_AVATAR = {{ env "GITEA_ENABLE_FEDERATED_AVATAR" }}
 
+[storage]
+STORAGE_TYPE = {{ env "GITEA_STORAGE_TYPE" }}
+{{ if eq (env "GITEA_STORAGE_TYPE") "minio" }}
+SERVE_DIRECT = false
+MINIO_ENDPOINT = {{ env "MINIO_ENDPOINT" }}
+MINIO_ACCESS_KEY_ID = {{ env "MINIO_ACCESS_KEY_ID" }}
+MINIO_SECRET_ACCESS_KEY = {{ secret "minio_secret_access_key" }}
+MINIO_BUCKET = {{ env "MINIO_BUCKET" }}
+MINIO_BUCKET_LOOKUP = {{ env "MINIO_BUCKET_LOOKUP" }}
+MINIO_LOCATION = {{ env "MINIO_LOCATION" }}
+MINIO_USE_SSL = true
+MINIO_INSECURE_SKIP_VERIFY = false
+MINIO_CHECKSUM_ALGORITHM = {{ env "MINIO_CHECKSUM_ALGORITHM" }}
+{{ end }}
+
 [service]
 ALLOW_ONLY_EXTERNAL_REGISTRATION = {{ env "GITEA_ALLOW_ONLY_EXTERNAL_REGISTRATION" }}
 ALLOW_ONLY_INTERNAL_REGISTRATION = {{ env "GITEA_ALLOW_ONLY_INTERNAL_REGISTRATION" }}
@@ -39,6 +54,7 @@ ENABLE_OPENID_SIGNUP = {{ env "GITEA_ENABLE_OPENID_SIGNUP" }}
 DEFAULT_BRANCH = main
 ENABLE_PUSH_CREATE_USER = {{ env "GITEA_ENABLE_PUSH_CREATE_USER" }}
 ENABLE_PUSH_CREATE_ORG = {{ env "GITEA_ENABLE_PUSH_CREATE_ORG" }}
+MAX_CREATION_LIMIT = {{ env "GITEA_MAX_CREATION_LIMIT" }}
 
 [repository.upload]
 ENABLED = {{ env "GITEA_REPO_UPLOAD_ENABLED" }}
@@ -46,6 +62,18 @@ ALLOWED_TYPES = {{ env "GITEA_REPO_UPLOAD_ALLOWED_TYPES" }}
 FILE_MAX_SIZE = {{ env "GITEA_REPO_UPLOAD_MAX_SIZE" }}
 MAX_FILES = {{ env "GITEA_REPO_UPLOAD_MAX_FILES" }}
 
+{{ if eq (env "GITEA_SIGNING_ENABLED") "1" }}
+[repository.signing]
+FORMAT = ssh
+SIGNING_KEY = /var/lib/gitea/signing_key.pub
+SIGNING_NAME = {{ env "GITEA_APP_NAME" }}
+SIGNING_EMAIL = {{ env "GITEA_MAILER_FROM" }}
+INITIAL_COMMIT = always
+WIKI = always
+CRUD_ACTIONS = always
+MERGES = always
+{{ end }}
+
 [ui]
 SHOW_USER_EMAIL = {{ env "GITEA_SHOW_USER_EMAIL" }}
 
@@ -110,3 +138,4 @@ MODE=console
 LEVEL=WARN
 STACKTRACE_LEVEL=None
 ENABLE_XORM_LOG=false
+

compose.s3.yml

@@ -0,0 +1,10 @@
+---
+version: "3.8"
+services:
+  app:
+    secrets:
+      - minio_secret_access_key
+secrets:
+  minio_secret_access_key:
+    name: ${STACK_NAME}_minio_secret_access_key_${SECRET_MINIO_SECRET_ACCESS_KEY_VERSION}
+    external: true

compose.signing.yml

@@ -0,0 +1,14 @@
+version: '3.8'
+
+services:
+  app:
+    secrets:
+    - signing_public_key
+    - signing_private_key
+secrets:
+  signing_public_key:
+    name: ${STACK_NAME}_signing_public_key_${SECRET_SIGNING_PUBLIC_KEY_VERSION}
+    external: true
+  signing_private_key:
+    name: ${STACK_NAME}_signing_private_key_${SECRET_SIGNING_PRIVATE_KEY_VERSION}
+    external: true

compose.yml

@@ -3,10 +3,10 @@ version: "3.8"
 
 services:
   app:
-    image: codeberg.org/forgejo/forgejo:13.0.4-rootless
+    image: codeberg.org/forgejo/forgejo:15.0.2-rootless
     configs:
       - source: app_ini
-        target: /etc/gitea/app.ini
+        target: /var/lib/gitea/custom/conf/app.ini
       - source: docker_setup_sh
         target: /usr/local/bin/docker-setup.sh
         mode: 0555
@@ -56,9 +56,9 @@ services:
       - GITEA__oauth2__REFRESH_TOKEN_EXPIRATION_TIME
       - GITEA_LFS_START_SERVER=${GITEA_LFS_START_SERVER:-false}
       - GITEA_ENABLE_INTERNAL_SIGNIN
+      - GITEA_MAX_CREATION_LIMIT=${GITEA_MAX_CREATION_LIMIT:--1}
     volumes:
       - data:/var/lib/gitea
-      - config:/etc/gitea
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
     networks:
@@ -90,7 +90,7 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}_cors.headers.accesscontrolalloworiginlist=https://${GITEA_CORS_ALLOW_DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}_cors.headers.accesscontrolmaxage=100"
         - "traefik.http.middlewares.${STACK_NAME}_cors.headers.addvaryheader=true"
-        - coop-cloud.${STACK_NAME}.version=5.0.3+13.0.4-rootless
+        - coop-cloud.${STACK_NAME}.version=5.3.1+15.0.2-rootless
 
 
 networks:
@@ -124,4 +124,3 @@ secrets:
 
 volumes:
   data:
-  config:

docker-setup.sh.tmpl

@@ -13,3 +13,10 @@ mkdir -p ${GITEA_CUSTOM} && chmod 0500 ${GITEA_CUSTOM}
 # Prepare temp folder
 mkdir -p ${GITEA_TEMP} && chmod 0700 ${GITEA_TEMP}
 if [ ! -w ${GITEA_TEMP} ]; then echo "${GITEA_TEMP} is not writable"; exit 1; fi
+
+if [ -e /run/secrets/signing_public_key ] ; then
+  cat /run/secrets/signing_public_key > /var/lib/gitea/signing_key.pub
+  cat /run/secrets/signing_private_key > /var/lib/gitea/signing_key
+
+  chmod 600 /var/lib/gitea/signing_key*
+fi

release/5.1.0+14.0.1-rootless

@@ -0,0 +1 @@
+https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/14.0.0.md https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/14.0.1.md

renovate.json

@@ -2,5 +2,9 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
     "config:recommended"
+  ],
+  "reviewers": [
+    "fauno",
+    "p4u1"
   ]
 }