chore: publish 3.3.1+1.23.8-rootless release

Reviewed-on: coop-cloud/gitea#44

.drone.yml

@@ -17,6 +17,7 @@ steps:
     environment:
       APP_INI_VERSION: v1
       DOCKER_SETUP_SH_VERSION: v1
+      PG_BACKUP_VERSION: v1
       DOMAIN: gitea.swarm-test.autonomic.zone
       GITEA_ALLOW_ONLY_EXTERNAL_REGISTRATION: true
       GITEA_APP_NAME: Git with solidaritea
@@ -50,7 +51,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - coop-cloud/auto-recipes-catalogue-json
+        - toolshed/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -3,11 +3,14 @@ TYPE=gitea
 DOMAIN=gitea.example.com
 LETS_ENCRYPT_ENV=production
 COMPOSE_FILE="compose.yml"
+ENABLE_BACKUPS=true
 COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml"
+# COMPOSE_FILE="$COMPOSE_FILE:compose.sqlite3.yml"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.yml"
 
 # Enable to use forgejo instead of gitea
 # COMPOSE_FILE="$COMPOSE_FILE:compose.forgejo.yml"
+# SECRET_LFS_JWT_SECRET_VERSION=v1 # length=43
 
 GITEA_DOMAIN=git.example.com
 GITEA_ALLOW_ONLY_EXTERNAL_REGISTRATION=true
@@ -19,6 +22,24 @@ GITEA_ENABLE_OPENID_SIGNIN=true
 GITEA_ENABLE_OPENID_SIGNUP=true
 GITEA_DISABLE_GRAVATAR=false
 GITEA_ENABLE_FEDERATED_AVATAR=true
+GITEA_LANDING_PAGE=organizations
+GITEA_SHOW_USER_EMAIL=false
+GITEA_DISABLE_REGULAR_ORG_CREATION=true
+GITEA_DEFAULT_KEEP_EMAIL_PRIVATE=true
+GITEA_DEFAULT_ALLOW_CREATE_ORGANIZATION=false
+GITEA_ENABLE_USER_HEATMAP=false
+GITEA_DEFAULT_USER_VISIBILITY=limited
+GITEA_ALLOWED_USER_VISIBILITY_MODES=limited,private
+GITEA_DEFAULT_ORG_VISIBILITY=limited
+GITEA_REQUIRE_SIGNIN_VIEW=true
+GITEA_ENABLE_PUSH_CREATE_USER=false
+GITEA_ENABLE_PUSH_CREATE_ORG=false
+GITEA_LFS_START_SERVER=false
+
+GITEA_REPO_UPLOAD_ENABLED=true
+GITEA_REPO_UPLOAD_ALLOWED_TYPES=*/*
+GITEA_REPO_UPLOAD_MAX_SIZE=50
+GITEA_REPO_UPLOAD_MAX_FILES=5
 
 GITEA_MAILER_FROM=noreply@example.com
 GITEA_MAILER_USER=noreply@example.com
@@ -35,8 +56,10 @@ SECRET_SECRET_KEY_VERSION=v1 # length=64
 # SMTP Mailer
 # COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
 # GITEA_SMTP_MAILER_ENABLED=1
-# GITEA_MAILER_HOST=mail.gandi.net:465
+# GITEA_MAILER_ADDR=mail.gandi.net
+# GITEA_MAILER_PORT=465
 # SECRET_SMTP_PASSWORD_VERSION=v1
+# GITEA_MAILER_PROTOCOL=smtps
 
 # OATH2 Options
 # GITEA_REGISTER_EMAIL_CONFIRM=replace-me
@@ -45,3 +68,13 @@ SECRET_SECRET_KEY_VERSION=v1 # length=64
 # GITEA_UPDATE_AVATAR=replace-me
 # GITEA_ACCOUNT_LINKING=replace-me
 # GITEA_OAUTH2_CLIENT_ENABLED=replace-me
+
+# Lifetime of an OAuth2 refresh token in hours, prolly no need to edit. We
+# were hitting issues with infrequently pushed to repos that were not picked
+# up by drone after a month of inactivity, hence the option.
+# GITEA__oauth2__REFRESH_TOKEN_EXPIRATION_TIME=730
+
+# Indexer (for issue search)
+# GITEA_REPO_INDEXER_ENABLED=false
+# GITEA_ISSUE_INDEXER_TYPE=db
+# GITEA_STARTUP_TIMEOUT=-1

README.md

@@ -4,11 +4,11 @@
 
 <!-- metadata -->
 * **Category**: Development
-* **Status**: 3, stable
+* **Status**: 5
 * **Image**: [`gitea/gitea`](https://hub.docker.com/gitea/gitea), 4, upstream
 * **Healthcheck**: Yes
 * **Backups**: Yes
-* **Email**: ?
+* **Email**: Yes
 * **Tests**: 2
 * **SSO**: 3 (OAuth)
 <!-- endmetadata -->

abra.sh

@@ -1,5 +1,6 @@
-export APP_INI_VERSION=v10
+export APP_INI_VERSION=v21
 export DOCKER_SETUP_SH_VERSION=v1
+export PG_BACKUP_VERSION=v1
 
 abra_backup_app() {
   _abra_backup_dir "app:/var/lib/gitea"

app.ini.tmpl

@@ -2,10 +2,15 @@ APP_NAME = {{ env "GITEA_APP_NAME" }}
 
 [database]
 DB_TYPE = {{ env "GITEA_DB_TYPE" }}
+{{ if ne (env "GITEA_DB_TYPE") "sqlite3" }}
 HOST = {{ env "GITEA_DB_HOST" }}
 NAME = {{ env "GITEA_DB_NAME" }}
 PASSWD = {{ secret "db_password" }}
 USER = {{ env "GITEA_DB_USER" }}
+{{ else }}
+SQLITE_JOURNAL_MODE = {{ env "GITEA_SQLITE_JOURNAL_MODE" }}
+PATH = {{ env "GITEA_PATH" }}
+{{ end }}
 
 [picture]
 DISABLE_GRAVATAR = {{ env "GITEA_DISABLE_GRAVATAR" }}
@@ -16,6 +21,13 @@ ALLOW_ONLY_EXTERNAL_REGISTRATION = {{ env "GITEA_ALLOW_ONLY_EXTERNAL_REGISTRATIO
 AUTO_WATCH_NEW_REPOS = {{ env "GITEA_AUTO_WATCH_NEW_REPOS" }}
 DISABLE_REGISTRATION = {{ env "GITEA_DISABLE_REGISTRATION" }}
 ENABLE_NOTIFY_MAIL = {{ env "GITEA_ENABLE_NOTIFY_MAIL" }}
+DEFAULT_KEEP_EMAIL_PRIVATE = {{ env "GITEA_DEFAULT_KEEP_EMAIL_PRIVATE" }}
+DEFAULT_ALLOW_CREATE_ORGANIZATION = {{ env "GITEA_DEFAULT_ALLOW_CREATE_ORGANIZATION" }}
+ENABLE_USER_HEATMAP = {{ env "GITEA_ENABLE_USER_HEATMAP" }}
+DEFAULT_USER_VISIBILITY = {{ env "GITEA_DEFAULT_USER_VISIBILITY" }}
+ALLOWED_USER_VISIBILITY_MODES = {{ env "GITEA_ALLOWED_USER_VISIBILITY_MODES" }}
+DEFAULT_ORG_VISIBILITY = {{ env "GITEA_DEFAULT_ORG_VISIBILITY" }}
+REQUIRE_SIGNIN_VIEW = {{ env "GITEA_REQUIRE_SIGNIN_VIEW" }}
 
 [openid]
 ENABLE_OPENID_SIGNIN = {{ env "GITEA_ENABLE_OPENID_SIGNIN" }}
@@ -23,18 +35,35 @@ ENABLE_OPENID_SIGNUP = {{ env "GITEA_ENABLE_OPENID_SIGNUP" }}
 
 [repository]
 DEFAULT_BRANCH = main
+ENABLE_PUSH_CREATE_USER = {{ env "GITEA_ENABLE_PUSH_CREATE_USER" }}
+ENABLE_PUSH_CREATE_ORG = {{ env "GITEA_ENABLE_PUSH_CREATE_ORG" }}
+
+[repository.upload]
+ENABLED = {{ env "GITEA_REPO_UPLOAD_ENABLED" }}
+ALLOWED_TYPES = {{ env "GITEA_REPO_UPLOAD_ALLOWED_TYPES" }}
+FILE_MAX_SIZE = {{ env "GITEA_REPO_UPLOAD_MAX_SIZE" }}
+MAX_FILES = {{ env "GITEA_REPO_UPLOAD_MAX_FILES" }}
+
+[ui]
+SHOW_USER_EMAIL = {{ env "GITEA_SHOW_USER_EMAIL" }}
 
 [indexer]
-STARTUP_TIMEOUT = 0
+REPO_INDEXER_ENABLED = {{ or (env "GITEA_REPO_INDEXER_ENABLED") "false" }}
+ISSUE_INDEXER_TYPE= {{ or (env "GITEA_ISSUE_INDEXER_TYPE") "db" }}
+STARTUP_TIMEOUT = {{ or (env "GITEA_STARTUP_TIMEOUT") "-1" }}
 
 [server]
 DOMAIN = {{ env "GITEA_DOMAIN" }}
-LANDING_PAGE = organizations
+LANDING_PAGE = {{ env "GITEA_LANDING_PAGE" }}
 ROOT_URL = https://%(DOMAIN)s/
 SSH_DOMAIN = {{ env "GITEA_DOMAIN" }}
 SSH_LISTEN_PORT = {{ env "GITEA_SSH_PORT" }}
 SSH_PORT = {{ env "GITEA_SSH_PORT" }}
 START_SSH_SERVER = true
+LFS_START_SERVER = {{ env "GITEA_LFS_START_SERVER" }}
+{{ if eq (env "FORGE") "forgejo" }}
+LFS_JWT_SECRET = {{ secret "lfs_jwt_secret" }}
+{{ end }}
 
 [security]
 INSTALL_LOCK = true
@@ -43,6 +72,9 @@ REVERSE_PROXY_LIMIT = 1
 REVERSE_PROXY_TRUSTED_PROXIES = *
 SECRET_KEY = {{ secret "secret_key" }}
 
+[admin]
+DISABLE_REGULAR_ORG_CREATION = {{ env "GITEA_DISABLE_REGULAR_ORG_CREATION" }}
+
 [oauth2]
 JWT_SECRET = {{ secret "jwt_secret" }}
 
@@ -50,11 +82,12 @@ JWT_SECRET = {{ secret "jwt_secret" }}
 [mailer]
 ENABLED        = true
 FROM           = {{ env "GITEA_MAILER_FROM" }}
-HOST           = {{ env "GITEA_MAILER_HOST" }}
+PROTOCOL       = {{ env "GITEA_MAILER_PROTOCOL" }}
+SMTP_ADDR      = {{ env "GITEA_MAILER_ADDR" }}
+SMTP_PORT      = {{ env "GITEA_MAILER_PORT" }}
 USER           = {{ env "GITEA_MAILER_USER" }}
 PASSWD         = {{ secret "smtp_password" }}
 MAILER_TYPE    = smtp
-IS_TLS_ENABLED = true
 {{ end }}
 
 {{ if eq (env "GITEA_OAUTH2_CLIENT_ENABLED") "1" }}
@@ -76,5 +109,4 @@ IS_INPUT_FILE   = false
 MODE=console
 LEVEL=WARN
 STACKTRACE_LEVEL=None
-ENABLE_ACCESS_LOG=false
 ENABLE_XORM_LOG=false

compose.forgejo.yml

@@ -2,4 +2,12 @@ version: '3.8'
 
 services:
   app:
-    image: codeberg.org/forgejo/forgejo:1.19.3-0-rootless
+    image: codeberg.org/forgejo/forgejo:10.0.1-rootless
+    environment:
+    - FORGE=forgejo
+    secrets:
+    - lfs_jwt_secret
+secrets:
+  lfs_jwt_secret:
+    name: ${STACK_NAME}_lfs_jwt_secret_${SECRET_LFS_JWT_SECRET_VERSION}
+    external: true

compose.mariadb.yml

@@ -7,8 +7,15 @@ services:
       - GITEA_DB_HOST="db:3306"
       - GITEA_DB_NAME=gitea
       - GITEA_DB_USER=gitea
+    secrets:
+      - db_password
   db:
     image: "mariadb:10.11.2"
+    deploy:
+      labels:
+          backupbot.backup.pre-hook: 'mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" gitea > /var/lib/mysql/backup.sql'
+          backupbot.backup.volumes.mariadb.path: "backup.sql"
+          backupbot.restore.post-hook: "mariadb -u root -p\"$$(cat /run/secrets/db_root_password)\" gitea < /var/lib/mysql/backup.sql"
     command: |
       mysqld --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
     environment:
@@ -34,4 +41,3 @@ secrets:
 
 volumes:
   mariadb:
-  internal:

compose.postgres.yml

@@ -7,8 +7,15 @@ services:
       - GITEA_DB_HOST="db:5432"
       - GITEA_DB_NAME=gitea
       - GITEA_DB_USER=gitea
+    secrets:
+      - db_password
   db:
-    image: postgres:15.4
+    image: postgres:15.10
+    deploy:
+      labels:
+        backupbot.backup.pre-hook: "/pg_backup.sh backup"
+        backupbot.backup.volumes.db.path: "backup.sql"
+        backupbot.restore.post-hook: '/pg_backup.sh restore'
     environment: 
       - POSTGRES_DB=gitea
       - POSTGRES_USER=gitea
@@ -19,6 +26,10 @@ services:
       - db:/var/lib/postgresql/data
     networks:
       - internal
+    configs:
+        - source: pg_backup
+          target: /pg_backup.sh
+          mode: 0555
 
 secrets:
   db_password:
@@ -27,4 +38,8 @@ secrets:
 
 volumes:
   db:
-  internal:
+
+configs:
+  pg_backup:
+    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
+    file: pg_backup.sh

compose.smtp.yml

@@ -5,8 +5,10 @@ services:
   app:
     environment:
       - GITEA_MAILER_FROM
-      - GITEA_MAILER_HOST
+      - GITEA_MAILER_ADDR
+      - GITEA_MAILER_PORT
       - GITEA_MAILER_USER
+      - "GITEA_MAILER_PROTOCOL=${GITEA_MAILER_PROTOCOL:-smtps}"
     secrets:
       - smtp_password
 

compose.sqlite3.yml

@@ -0,0 +1,8 @@
+version: '3.8'
+
+services:
+  app:
+    environment:
+      - GITEA_DB_TYPE=sqlite3
+      - GITEA_SQLITE_JOURNAL_MODE=wal
+      - GITEA_PATH=/var/lib/gitea/gitea.db

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "gitea/gitea:1.20.3-rootless"
+    image: "gitea/gitea:1.23.8-rootless"
     configs:
       - source: app_ini
         target: /etc/gitea/app.ini
@@ -11,11 +11,11 @@ services:
         target: /usr/local/bin/docker-setup.sh
         mode: 0555
     secrets:
-      - db_password
       - internal_token
       - jwt_secret
       - secret_key
     environment:
+      - FORGE=gitea
       - GITEA_ALLOW_ONLY_EXTERNAL_REGISTRATION
       - GITEA_APP_NAME
       - GITEA_AUTO_WATCH_NEW_REPOS
@@ -35,6 +35,25 @@ services:
       - GITEA_ACCOUNT_LINKING
       - GITEA_OAUTH2_CLIENT_ENABLED
       - GITEA_CORS_ALLOW_DOMAIN
+      - GITEA_LANDING_PAGE
+      - GITEA_REPO_UPLOAD_ENABLED
+      - GITEA_REPO_UPLOAD_ALLOWED_TYPES
+      - GITEA_REPO_UPLOAD_MAX_SIZE
+      - GITEA_REPO_UPLOAD_MAX_FILES
+      - GITEA_REPO_INDEXER_ENABLED
+      - GITEA_ISSUE_INDEXER_TYPE
+      - GITEA_STARTUP_TIMEOUT
+      - GITEA_SHOW_USER_EMAIL
+      - GITEA_DISABLE_REGULAR_ORG_CREATION
+      - GITEA_DEFAULT_KEEP_EMAIL_PRIVATE
+      - GITEA_DEFAULT_ALLOW_CREATE_ORGANIZATION
+      - GITEA_ENABLE_USER_HEATMAP
+      - GITEA_DEFAULT_USER_VISIBILITY
+      - GITEA_ALLOWED_USER_VISIBILITY_MODES
+      - GITEA_DEFAULT_ORG_VISIBILITY
+      - GITEA_REQUIRE_SIGNIN_VIEW
+      - GITEA__oauth2__REFRESH_TOKEN_EXPIRATION_TIME
+      - GITEA_LFS_START_SERVER=${GITEA_LFS_START_SERVER:-false}
     volumes:
       - data:/var/lib/gitea
       - config:/etc/gitea
@@ -43,11 +62,18 @@ services:
     networks:
       - proxy
       - internal
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:3000/api/healthz"]
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 1m
     deploy:
       update_config:
         failure_action: rollback
         order: start-first
       labels:
+        - "backupbot.backup=${ENABLE_BACKUPS:-true}"
         - "traefik.enable=true"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
@@ -61,7 +87,7 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}_cors.headers.accesscontrolalloworiginlist=https://${GITEA_CORS_ALLOW_DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}_cors.headers.accesscontrolmaxage=100"
         - "traefik.http.middlewares.${STACK_NAME}_cors.headers.addvaryheader=true"
-        - coop-cloud.${STACK_NAME}.version=2.3.2+1.20.3-rootless
+        - coop-cloud.${STACK_NAME}.version=3.3.1+1.23.8-rootless
 
 
 networks:

pg_backup.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
+
+function backup {
+  export PGPASSWORD=$(cat $POSTGRES_PASSWORD_FILE)
+  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
+}
+
+function restore {
+    cd /var/lib/postgresql/data/
+    restore_config(){
+        # Restore allowed connections
+        cat pg_hba.conf.bak > pg_hba.conf
+        su postgres -c 'pg_ctl reload'
+    }
+    # Don't allow any other connections than local
+    cp pg_hba.conf pg_hba.conf.bak
+    echo "local all all trust" > pg_hba.conf
+    su postgres -c 'pg_ctl reload'
+    trap restore_config EXIT INT TERM
+
+    # Recreate Database
+    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
+    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
+    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
+
+    trap - EXIT INT TERM
+    restore_config
+}
+
+$@

release/2.6.0+1.21.5-rootless

@@ -0,0 +1 @@
+This release adds a docker healthcheck for the main Gitea service -- please pay careful attention when updating apps, and as always feel free to ask in Matrix if you run into any bugs 🐛

release/3.0.0+1.22.2-rootless

@@ -0,0 +1,3 @@
+BEWARE! 🚨 This release updates to the newer Gitea SMTP settings format.
+
+If you are using SMTP, you will need to split the old GITEA_MAILER_HOST into separate GITEA_MAILER_ADDR (hostname) and GITEA_MAILER_PORT settings.