WIP: CORS headers

[ci skip]

.drone.yml

@@ -12,9 +12,9 @@ steps:
       deploy_key:
         from_secret: drone_ssh_swarm_test
     environment:
+      APP_INI_VERSION: v1
+      DOCKER_SETUP_SH_VERSION: v1
       DOMAIN: gitea.swarm-test.autonomic.zone
-      STACK_NAME: gitea
-      LETS_ENCRYPT_ENV: production
       GITEA_ALLOW_ONLY_EXTERNAL_REGISTRATION: true
       GITEA_APP_NAME: Git with solidaritea
       GITEA_AUTO_WATCH_NEW_REPOS: false
@@ -23,14 +23,25 @@ steps:
       GITEA_ENABLE_NOTIFY_MAIL: false
       GITEA_ENABLE_OPENID_SIGNIN: true
       GITEA_ENABLE_OPENID_SIGNUP: true
-      GITEA_SSH_PORT: 2222
       GITEA_SSH_ENABLED: 1
-      APP_INI_VERSION: v1
+      GITEA_SSH_PORT: 2222
+      LETS_ENCRYPT_ENV: production
       SECRET_DB_PASSWORD_VERSION: v1
       SECRET_DB_ROOT_PASSWORD_VERSION: v1
       SECRET_INTERNAL_TOKEN_VERSION: v1
       SECRET_JWT_SECRET_VERSION: v1
       SECRET_SECRET_KEY_VERSION: v1
+      STACK_NAME: gitea
 trigger:
   branch:
     - master
+---
+kind: pipeline
+name: recipe release
+steps:
+  - name: release a new version
+    image: thecoopcloud/drone-abra:latest
+    settings:
+      command: recipe gitea release
+      deploy_key:
+        from_secret: abra_bot_deploy_key

.env.sample

@@ -24,6 +24,9 @@ SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_JWT_SECRET_VERSION=v1 # length=43
 SECRET_SECRET_KEY_VERSION=v1 # length=64
 
+GITEA_CORS_ENABLED=0
+# GITEA_CORS_DOMAIN=https://example.org
+
 # SMTP Mailer
 # COMPOSE_FILE="compose.yml:compose.smtp.yml"
 # GITEA_SMTP_MAILER_ENABLED=1

README.md

@@ -1,16 +1,16 @@
 # Gitea
 
-[![Build Status](https://drone.autonomic.zone/api/badges/coop-cloud/gitea/status.svg)](https://drone.autonomic.zone/coop-cloud/gitea)
+[![Build Status](https://drone.coopcloud.tech/api/badges/coop-cloud/gitea/status.svg)](https://drone.coopcloud.tech/coop-cloud/gitea)
 
 <!-- metadata -->
-* **Category**: Development
+- **Category**: Development
-* **Status**: ❷💛
+* **Status**: ❶💚
-* **Image**: [`gitea/gitea`](https://hub.docker.com/gitea/gitea), ❶💚, upstream
+- **Image**: [`gitea/gitea`](https://hub.docker.com/gitea/gitea), ❶💚, upstream
-* **Healthcheck**: Yes
+- **Healthcheck**: Yes
-* **Backups**: No
+* **Backups**: Yes
-* **Email**: ?
+- **Email**: ?
-* **Tests**: ❷💛
+- **Tests**: ❷💛
-* **SSO**: ❶💚 (OAuth)
+- **SSO**: ❶💚 (OAuth)
 <!-- endmetadata -->
 
 ## Basic usage

abra.sh

@@ -1 +1,14 @@
-export APP_INI_VERSION=v5
+export APP_INI_VERSION=v8
+export DOCKER_SETUP_SH_VERSION=v1
+
+abra_backup_app() {
+  _abra_backup_dir "app:/var/lib/gitea"
+}
+
+abra_backup_db() {
+  _abra_backup_mysql "db" "gitea"
+}
+
+abra_backup() {
+  abra_backup_app && abra_backup_db
+}

app.ini.tmpl

@@ -24,10 +24,8 @@ DEFAULT_BRANCH = main
 STARTUP_TIMEOUT = 0
 
 [server]
-APP_DATA_PATH = /data/gitea
 DOMAIN = {{ env "GITEA_DOMAIN" }}
 LANDING_PAGE = organizations
-LFS_CONTENT_PATH = /data/gitea/lfs
 ROOT_URL = https://%(DOMAIN)s/
 SSH_DOMAIN = {{ env "GITEA_DOMAIN" }}
 SSH_LISTEN_PORT = {{ env "GITEA_SSH_PORT" }}
@@ -37,6 +35,8 @@ START_SSH_SERVER = true
 [security]
 INSTALL_LOCK = true
 INTERNAL_TOKEN = {{ secret "internal_token" }}
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
 SECRET_KEY = {{ secret "secret_key" }}
 
 [oauth2]
@@ -65,3 +65,10 @@ REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
 
 [attachment]
 PATH = /data/gitea/attachments
+
+{{ if eq (env "GITEA_CORS_ENABLED") "1" }}
+[cors]
+ENABLED=true
+SCHEME=https
+ALLOW_DOMAIN={{ env "GITEA_CORS_DOMAIN" }}
+{{ end }}

compose.smtp.yml

@@ -1,4 +1,6 @@
+---
 version: "3.8"
+
 services:
   app:
     environment:
@@ -7,7 +9,8 @@ services:
       - GITEA_MAILER_USER
     secrets:
       - smtp_password
+
 secrets:
-  smtp_passord:
+  smtp_password:
     name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
     external: true

compose.yml

@@ -1,10 +1,15 @@
+---
 version: "3.8"
+
 services:
   app:
-    image: "gitea/gitea:1.14.1-rootless"
+    image: "gitea/gitea:1.15.6-rootless"
     configs:
       - source: app_ini
         target: /etc/gitea/app.ini
+      - source: docker_setup_sh
+        target: /usr/local/bin/docker-setup.sh
+        mode: 0555
     secrets:
       - db_password
       - internal_token
@@ -23,7 +28,10 @@ services:
       - GITEA_ENABLE_NOTIFY_MAIL
       - GITEA_ENABLE_OPENID_SIGNIN
       - GITEA_ENABLE_OPENID_SIGNUP
+      - GITEA_SMTP_MAILER_ENABLED
       - GITEA_SSH_PORT
+      - GITEA_CORS_ENABLED
+      - GITEA_CORS_DOMAIN
     volumes:
       - data:/var/lib/gitea
       - config:/etc/gitea
@@ -32,12 +40,6 @@ services:
     networks:
       - proxy
       - internal
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:3000"]
-      interval: 15s
-      timeout: 10s
-      retries: 10
-      start_period: 30s
     deploy:
       update_config:
         failure_action: rollback
@@ -51,9 +53,10 @@ services:
         - "traefik.tcp.routers.${STACK_NAME}-ssh.rule=HostSNI(`*`)"
         - "traefik.tcp.routers.${STACK_NAME}-ssh.entrypoints=gitea-ssh"
         - "traefik.tcp.services.${STACK_NAME}-ssh.loadbalancer.server.port=${GITEA_SSH_PORT}"
-        - coop-cloud.${STACK_NAME}.app.version=1.14.0-327bfb3f
+        - coop-cloud.${STACK_NAME}.version=1.1.2+1.15.6-rootless
+
   db:
-    image: "mariadb:10.5"
+    image: "mariadb:10.6"
     command: |
       mysqld --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
     environment:
@@ -68,17 +71,22 @@ services:
       - "mariadb:/var/lib/mysql"
     networks:
       - internal
-    deploy:
+
-      labels: ["coop-cloud.${STACK_NAME}.db.version=10.5-9c681cef"]
 networks:
   internal:
   proxy:
     external: true
+
 configs:
   app_ini:
     name: ${STACK_NAME}_app_ini_${APP_INI_VERSION}
     file: app.ini.tmpl
     template_driver: golang
+  docker_setup_sh:
+    name: ${STACK_NAME}_docker_setup_sh_${DOCKER_SETUP_SH_VERSION}
+    file: docker-setup.sh.tmpl
+    template_driver: golang
+
 secrets:
   db_password:
     name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
@@ -95,6 +103,7 @@ secrets:
   secret_key:
     name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
     external: true
+
 volumes:
   data:
   config:

docker-setup.sh.tmpl

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# modified version of https://github.com/go-gitea/gitea/blob/d7dbe4feebac7805a4ca184f0989f58de8063d96/docker/rootless/usr/local/bin/docker-setup.sh
+# also see https://github.com/go-gitea/gitea/pull/14762#issuecomment-829224656
+
+# Prepare git folder
+mkdir -p ${HOME} && chmod 0700 ${HOME}
+if [ ! -w ${HOME} ]; then echo "${HOME} is not writable"; exit 1; fi
+
+# Prepare custom folder
+mkdir -p ${GITEA_CUSTOM} && chmod 0500 ${GITEA_CUSTOM}
+
+# Prepare temp folder
+mkdir -p ${GITEA_TEMP} && chmod 0700 ${GITEA_TEMP}
+if [ ! -w ${GITEA_TEMP} ]; then echo "${GITEA_TEMP} is not writable"; exit 1; fi

renovate.json

@@ -1,6 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:base"
-  ]
-}