chore: publish 2.2.0+1.19.3-rootless release

Reviewed-on: #31

.drone.yml

@@ -3,18 +3,21 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
   - name: deployment
-    image: decentral1se/stack-ssh-deploy:latest
+    image: thecoopcloud/stack-ssh-deploy:latest
     settings:
       host: swarm-test.autonomic.zone
       stack: gitea
+      networks:
+       - proxy
       generate_secrets: true
       purge: true
       deploy_key:
         from_secret: drone_ssh_swarm_test
+      compose: "compose.yml:compose.mariadb.yml"
     environment:
+      APP_INI_VERSION: v1
+      DOCKER_SETUP_SH_VERSION: v1
       DOMAIN: gitea.swarm-test.autonomic.zone
-      STACK_NAME: gitea
-      LETS_ENCRYPT_ENV: production
       GITEA_ALLOW_ONLY_EXTERNAL_REGISTRATION: true
       GITEA_APP_NAME: Git with solidaritea
       GITEA_AUTO_WATCH_NEW_REPOS: false
@@ -23,14 +26,31 @@ steps:
       GITEA_ENABLE_NOTIFY_MAIL: false
       GITEA_ENABLE_OPENID_SIGNIN: true
       GITEA_ENABLE_OPENID_SIGNUP: true
-      GITEA_SSH_PORT: 2222
       GITEA_SSH_ENABLED: 1
-      APP_INI_VERSION: v1
+      GITEA_SSH_PORT: 2222
+      LETS_ENCRYPT_ENV: production
       SECRET_DB_PASSWORD_VERSION: v1
       SECRET_DB_ROOT_PASSWORD_VERSION: v1
       SECRET_INTERNAL_TOKEN_VERSION: v1
       SECRET_JWT_SECRET_VERSION: v1
       SECRET_SECRET_KEY_VERSION: v1
+      STACK_NAME: gitea
 trigger:
   branch:
     - master
+---
+kind: pipeline
+name: generate recipe catalogue
+steps:
+  - name: release a new version
+    image: plugins/downstream
+    settings:
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - coop-cloud/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -2,6 +2,12 @@ TYPE=gitea
 
 DOMAIN=gitea.example.com
 LETS_ENCRYPT_ENV=production
+COMPOSE_FILE="compose.yml"
+COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml"
+# COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.yml"
+
+# Enable to use forgejo instead of gitea
+# COMPOSE_FILE="$COMPOSE_FILE:compose.forgejo.yml"
 
 GITEA_DOMAIN=git.example.com
 GITEA_ALLOW_ONLY_EXTERNAL_REGISTRATION=true
@@ -11,6 +17,8 @@ GITEA_DISABLE_REGISTRATION=false
 GITEA_ENABLE_NOTIFY_MAIL=true
 GITEA_ENABLE_OPENID_SIGNIN=true
 GITEA_ENABLE_OPENID_SIGNUP=true
+GITEA_DISABLE_GRAVATAR=false
+GITEA_ENABLE_FEDERATED_AVATAR=true
 
 GITEA_MAILER_FROM=noreply@example.com
 GITEA_MAILER_USER=noreply@example.com
@@ -25,7 +33,15 @@ SECRET_JWT_SECRET_VERSION=v1 # length=43
 SECRET_SECRET_KEY_VERSION=v1 # length=64
 
 # SMTP Mailer
-# COMPOSE_FILE="compose.yml:compose.smtp.yml"
+# COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
 # GITEA_SMTP_MAILER_ENABLED=1
 # GITEA_MAILER_HOST=mail.gandi.net:465
 # SECRET_SMTP_PASSWORD_VERSION=v1
+
+# OATH2 Options
+# GITEA_REGISTER_EMAIL_CONFIRM=replace-me
+# GITEA_REGISTER_EMAIL_CONFIRM=replace-me
+# GITEA_OAUTH2_USERNAME=replace-me
+# GITEA_UPDATE_AVATAR=replace-me
+# GITEA_ACCOUNT_LINKING=replace-me
+# GITEA_OAUTH2_CLIENT_ENABLED=replace-me

README.md

@@ -1,16 +1,16 @@
 # Gitea
 
-[![Build Status](https://drone.autonomic.zone/api/badges/coop-cloud/gitea/status.svg)](https://drone.autonomic.zone/coop-cloud/gitea)
+[![Build Status](https://build.coopcloud.tech/api/badges/coop-cloud/gitea/status.svg)](https://build.coopcloud.tech/coop-cloud/gitea)
 
 <!-- metadata -->
 * **Category**: Development
-* **Status**: ❷💛
+* **Status**: 3, stable
-* **Image**: [`gitea/gitea`](https://hub.docker.com/gitea/gitea), ❶💚, upstream
+* **Image**: [`gitea/gitea`](https://hub.docker.com/gitea/gitea), 4, upstream
 * **Healthcheck**: Yes
-* **Backups**: No
+* **Backups**: Yes
 * **Email**: ?
-* **Tests**: ❷💛
+* **Tests**: 2
-* **SSO**: ❶💚 (OAuth)
+* **SSO**: 3 (OAuth)
 <!-- endmetadata -->
 
 ## Basic usage
@@ -19,6 +19,43 @@
 2. Deploy [`coop-cloud/traefik`][cc-traefik]
 3. `abra app new gitea --secrets` (optionally with `--pass` if you'd like
    to save secrets in `pass`)
-4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to
+4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to
    your Docker swarm box
-5. `abra app YOURAPPDOMAIN deploy`
+5. `abra app deploy YOURAPPDOMAIN`
+
+## Create first user
+
+Run
+
+```bash
+abra app run YOURAPPNAME app gitea -c /etc/gitea/app.ini admin user create --username USERNAME --admin --random-password --email EMAIL
+```
+
+See the [Gitea command-line documentation](https://docs.gitea.io/en-us/command-line/) for more options.  Make sure not to forget the `-c /etc/gitea/app.ini`.
+
+## Enable SSH
+
+You most certainly want to be able to access your repository over SSH.  To do so, make sure you uncomment the right lines in the configuration for `traefik`.
+```
+abra app config YOURTRAEFIKAPP
+```
+There uncomment or add these lines:
+```
+GITEA_SSH_ENABLED=1
+COMPOSE_FILE="compose.yml:compose.gitea.yml"
+```
+Then redeploy traefik:
+```
+abra app undeploy YOURTRAEFIKAPP
+abra app deploy YOURTRAEFIKAPP
+```
+You might need to wait a bit.  To check if it worked, you can run
+```
+telnet my.gitea.example.com 2222
+```
+Once you have added a public SSH key, you can check that you can connect to your gitea server with
+```
+ssh -T -p 2222 git@my.gitea.example.com
+```
+
+Note that gitea should be configured to listen to port 2222, i.e. `GITEA_SSH_PORT=2222` in the gitea config.

abra.sh

@@ -1 +1,14 @@
-export APP_INI_VERSION=v5
+export APP_INI_VERSION=v9
+export DOCKER_SETUP_SH_VERSION=v1
+
+abra_backup_app() {
+  _abra_backup_dir "app:/var/lib/gitea"
+}
+
+abra_backup_db() {
+  _abra_backup_mysql "db" "gitea"
+}
+
+abra_backup() {
+  abra_backup_app && abra_backup_db
+}

app.ini.tmpl

@@ -7,6 +7,10 @@ NAME = {{ env "GITEA_DB_NAME" }}
 PASSWD = {{ secret "db_password" }}
 USER = {{ env "GITEA_DB_USER" }}
 
+[picture]
+DISABLE_GRAVATAR = {{ env "GITEA_DISABLE_GRAVATAR" }}
+ENABLE_FEDERATED_AVATAR = {{ env "GITEA_ENABLE_FEDERATED_AVATAR" }}
+
 [service]
 ALLOW_ONLY_EXTERNAL_REGISTRATION = {{ env "GITEA_ALLOW_ONLY_EXTERNAL_REGISTRATION" }}
 AUTO_WATCH_NEW_REPOS = {{ env "GITEA_AUTO_WATCH_NEW_REPOS" }}
@@ -24,10 +28,8 @@ DEFAULT_BRANCH = main
 STARTUP_TIMEOUT = 0
 
 [server]
-APP_DATA_PATH = /data/gitea
 DOMAIN = {{ env "GITEA_DOMAIN" }}
 LANDING_PAGE = organizations
-LFS_CONTENT_PATH = /data/gitea/lfs
 ROOT_URL = https://%(DOMAIN)s/
 SSH_DOMAIN = {{ env "GITEA_DOMAIN" }}
 SSH_LISTEN_PORT = {{ env "GITEA_SSH_PORT" }}
@@ -37,6 +39,8 @@ START_SSH_SERVER = true
 [security]
 INSTALL_LOCK = true
 INTERNAL_TOKEN = {{ secret "internal_token" }}
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
 SECRET_KEY = {{ secret "secret_key" }}
 
 [oauth2]
@@ -53,15 +57,24 @@ MAILER_TYPE    = smtp
 IS_TLS_ENABLED = true
 {{ end }}
 
+{{ if eq (env "GITEA_OAUTH2_CLIENT_ENABLED") "1" }}
+[oauth2_client]
+REGISTER_EMAIL_CONFIRM = {{ env "GITEA_REGISTER_EMAIL_CONFIRM" }}
+ENABLE_AUTO_REGISTRATION = {{ env "GITEA_ENABLE_AUTO_REGISTRATION" }}
+USERNAME = {{ env "GITEA_OAUTH2_USERNAME" }}
+UPDATE_AVATAR = {{ env "GITEA_UPDATE_AVATAR" }}
+ACCOUNT_LINKING = {{ env "GITEA_ACCOUNT_LINKING" }}
+{{ end }}
+
 [markup.restructuredtext]
 ENABLED         = true
 FILE_EXTENSIONS = .rst
 RENDER_COMMAND  = rst2html
 IS_INPUT_FILE   = false
 
-[picture]
+[log]
-AVATAR_UPLOAD_PATH = /data/gitea/avatars
+MODE=console
-REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+LEVEL=WARN
-
+STACKTRACE_LEVEL=None
-[attachment]
+ENABLE_ACCESS_LOG=false
-PATH = /data/gitea/attachments
+ENABLE_XORM_LOG=false

compose.forgejo.yml

@@ -0,0 +1,5 @@
+version: '3.8'
+
+services:
+  app:
+    image: codeberg.org/forgejo/forgejo:1.19.3-0-rootless

compose.mariadb.yml

@@ -0,0 +1,37 @@
+version: '3.8'
+
+services:
+  app:
+    environment:
+      - GITEA_DB_TYPE=mysql
+      - GITEA_DB_HOST="db:3306"
+      - GITEA_DB_NAME=gitea
+      - GITEA_DB_USER=gitea
+  db:
+    image: "mariadb:10.11.2"
+    command: |
+      mysqld --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
+    environment:
+      - MYSQL_DATABASE=gitea
+      - MYSQL_USER=gitea
+      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
+      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
+    secrets:
+      - db_password
+      - db_root_password
+    volumes:
+      - "mariadb:/var/lib/mysql"
+    networks:
+      - internal
+
+secrets:
+  db_password:
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+    external: true
+  db_root_password:
+    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
+    external: true
+
+volumes:
+  mariadb:
+  internal:

compose.postgres.yml

@@ -0,0 +1,30 @@
+version: '3.8'
+
+services:
+  app:
+    environment:
+      - GITEA_DB_TYPE=postgres
+      - GITEA_DB_HOST="db:5432"
+      - GITEA_DB_NAME=gitea
+      - GITEA_DB_USER=gitea
+  db:
+    image: postgres:15.3
+    environment: 
+      - POSTGRES_DB=gitea
+      - POSTGRES_USER=gitea
+      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
+    secrets:
+      - db_password
+    volumes:
+      - db:/var/lib/postgresql/data
+    networks:
+      - internal
+
+secrets:
+  db_password:
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+    external: true
+
+volumes:
+  db:
+  internal:

compose.smtp.yml

@@ -1,4 +1,6 @@
+---
 version: "3.8"
+
 services:
   app:
     environment:
@@ -7,7 +9,8 @@ services:
       - GITEA_MAILER_USER
     secrets:
       - smtp_password
+
 secrets:
-  smtp_passord:
+  smtp_password:
     name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
     external: true

compose.yml

@@ -1,10 +1,15 @@
+---
 version: "3.8"
+
 services:
   app:
-    image: "gitea/gitea:1.14.1-rootless"
+    image: "gitea/gitea:1.19.3-rootless"
     configs:
       - source: app_ini
         target: /etc/gitea/app.ini
+      - source: docker_setup_sh
+        target: /usr/local/bin/docker-setup.sh
+        mode: 0555
     secrets:
       - db_password
       - internal_token
@@ -14,16 +19,22 @@ services:
       - GITEA_ALLOW_ONLY_EXTERNAL_REGISTRATION
       - GITEA_APP_NAME
       - GITEA_AUTO_WATCH_NEW_REPOS
-      - GITEA_DB_HOST="db:3306"
-      - GITEA_DB_NAME=gitea
-      - GITEA_DB_TYPE=mysql
-      - GITEA_DB_USER=gitea
       - GITEA_DISABLE_REGISTRATION
       - GITEA_DOMAIN=${DOMAIN}
       - GITEA_ENABLE_NOTIFY_MAIL
       - GITEA_ENABLE_OPENID_SIGNIN
       - GITEA_ENABLE_OPENID_SIGNUP
+      - GITEA_SMTP_MAILER_ENABLED
       - GITEA_SSH_PORT
+      - GITEA_DISABLE_GRAVATAR
+      - GITEA_ENABLE_FEDERATED_AVATAR
+      - GITEA_REGISTER_EMAIL_CONFIRM
+      - GITEA_ENABLE_AUTO_REGISTRATION
+      - GITEA_OAUTH2_USERNAME
+      - GITEA_UPDATE_AVATAR
+      - GITEA_ACCOUNT_LINKING
+      - GITEA_OAUTH2_CLIENT_ENABLED
+      - GITEA_CORS_ALLOW_DOMAIN
     volumes:
       - data:/var/lib/gitea
       - config:/etc/gitea
@@ -32,12 +43,6 @@ services:
     networks:
       - proxy
       - internal
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:3000"]
-      interval: 15s
-      timeout: 10s
-      retries: 10
-      start_period: 30s
     deploy:
       update_config:
         failure_action: rollback
@@ -51,41 +56,30 @@ services:
         - "traefik.tcp.routers.${STACK_NAME}-ssh.rule=HostSNI(`*`)"
         - "traefik.tcp.routers.${STACK_NAME}-ssh.entrypoints=gitea-ssh"
         - "traefik.tcp.services.${STACK_NAME}-ssh.loadbalancer.server.port=${GITEA_SSH_PORT}"
-        - coop-cloud.${STACK_NAME}.app.version=1.14.0-327bfb3f
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}_cors"
-  db:
+        - "traefik.http.middlewares.${STACK_NAME}_cors.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
-    image: "mariadb:10.5"
+        - "traefik.http.middlewares.${STACK_NAME}_cors.headers.accesscontrolalloworiginlist=https://${GITEA_CORS_ALLOW_DOMAIN}"
-    command: |
+        - "traefik.http.middlewares.${STACK_NAME}_cors.headers.accesscontrolmaxage=100"
-      mysqld --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
+        - "traefik.http.middlewares.${STACK_NAME}_cors.headers.addvaryheader=true"
-    environment:
+        - coop-cloud.${STACK_NAME}.version=2.2.0+1.19.3-rootless
-      - MYSQL_DATABASE=gitea
+
-      - MYSQL_USER=gitea
+
-      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
-      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
-    secrets:
-      - db_password
-      - db_root_password
-    volumes:
-      - "mariadb:/var/lib/mysql"
-    networks:
-      - internal
-    deploy:
-      labels: ["coop-cloud.${STACK_NAME}.db.version=10.5-9c681cef"]
 networks:
   internal:
   proxy:
     external: true
+
 configs:
   app_ini:
     name: ${STACK_NAME}_app_ini_${APP_INI_VERSION}
     file: app.ini.tmpl
     template_driver: golang
+  docker_setup_sh:
+    name: ${STACK_NAME}_docker_setup_sh_${DOCKER_SETUP_SH_VERSION}
+    file: docker-setup.sh.tmpl
+    template_driver: golang
+
 secrets:
-  db_password:
-    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
-    external: true
-  db_root_password:
-    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
-    external: true
   internal_token:
     name: ${STACK_NAME}_internal_token_${SECRET_INTERNAL_TOKEN_VERSION}
     external: true
@@ -95,7 +89,7 @@ secrets:
   secret_key:
     name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
     external: true
+
 volumes:
   data:
   config:
-  mariadb:

docker-setup.sh.tmpl

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# modified version of https://github.com/go-gitea/gitea/blob/d7dbe4feebac7805a4ca184f0989f58de8063d96/docker/rootless/usr/local/bin/docker-setup.sh
+# also see https://github.com/go-gitea/gitea/pull/14762#issuecomment-829224656
+
+# Prepare git folder
+mkdir -p ${HOME} && chmod 0700 ${HOME}
+if [ ! -w ${HOME} ]; then echo "${HOME} is not writable"; exit 1; fi
+
+# Prepare custom folder
+mkdir -p ${GITEA_CUSTOM} && chmod 0500 ${GITEA_CUSTOM}
+
+# Prepare temp folder
+mkdir -p ${GITEA_TEMP} && chmod 0700 ${GITEA_TEMP}
+if [ ! -w ${GITEA_TEMP} ]; then echo "${GITEA_TEMP} is not writable"; exit 1; fi

release/2.0.0+1.18.0-rootless

@@ -0,0 +1,8 @@
+This release adds the possibility to run gitea with postgres.
+Please add the following lines to your servers .env file!
+
+```
+COMPOSE_FILE="compose.yml"
+COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml"
+# COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.yml"
+```

release/2.1.2+1.19.3-rootless

@@ -0,0 +1,2 @@
+Beware that you'll also be updating Postgres if you're running it. Usually with major updates it might involve pg_dumpall / pg_restore either side of the upgrade because the server app doesn't know how to upgrade data storage formats, won't launch if it detects an old data format, a pg_upgrade command is available. More info on https://git.coopcloud.tech/coop-cloud/gitea/pulls/31
+

renovate.json

@@ -1,6 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:base"
-  ]
-}