diff --git a/.zuul.yaml b/.zuul.yaml index 4f5f02d124..91df421dea 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -500,6 +500,30 @@ - playbooks/roles/registry/ - testinfra/test_registry.py +- job: + name: system-config-run-gitea + parent: system-config-run + description: | + Run the playbook for the gitea servers. + nodeset: + nodes: + - name: bridge.openstack.org + label: ubuntu-bionic + - name: gitea01.opendev.org + label: ubuntu-bionic + host-vars: + gitea01.opendev.org: + host_copy_output: + '/var/gitea/conf': logs + '/var/gitea/certs': logs + '/var/gitea/logs': logs + files: + - .zuul.yaml + - playbooks/group_vars/gitea.yaml + - playbooks/zuul/templates/group_vars/gitea.yaml.j2 + - playbooks/roles/gitea/ + - testinfra/test_gitea.py + - job: name: infra-prod-playbook description: | @@ -549,6 +573,7 @@ - system-config-run-nodepool - system-config-run-docker - system-config-run-docker-registry + - system-config-run-gitea - system-config-build-image-jinja-init - system-config-build-image-gitea-init - system-config-build-image-gitea @@ -568,6 +593,7 @@ - system-config-run-nodepool - system-config-run-docker - system-config-run-docker-registry + - system-config-run-gitea - system-config-upload-image-jinja-init - system-config-upload-image-gitea-init - system-config-upload-image-gitea diff --git a/inventory/groups.yaml b/inventory/groups.yaml index dcea8b8961..309f2a4d97 100644 --- a/inventory/groups.yaml +++ b/inventory/groups.yaml @@ -44,8 +44,8 @@ groups: - etherpad[0-9]*.open*.org - files[0-9]*.open*.org - firehose[0-9]*.open*.org - - git.open*.org - - git[0-9]*.open*.org + - git.openstack.org + - git[0-9]*.openstack.org - grafana[0-9]*.open*.org - graphite[0-9]*.open*.org - groups-dev[0-9]*.open*.org 
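Review bot: The `host_copy_output` entry `'/var/gitea/certs': logs` for gitea01.opendev.org in the new system-config-run-gitea job copies the whole certs directory into the published job logs, and the role's `Write TLS private key` task places `key.pem` in exactly that directory, so the private key is uploaded next to the certificate. For this job the pair is a throwaway fixture, but job definitions like this one get copied for the next service; narrowing the entry to `'/var/gitea/certs/cert.pem': logs` keeps the pattern safe. `'/var/gitea/conf': logs` likewise captures the rendered app.ini, which carries the database password, `SECRET_KEY` and `INTERNAL_TOKEN`, so a comment stating that these are CI-only values (or a narrower copy) is worth adding here too.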
@@ -83,9 +83,11 @@ groups:
 - review-dev[0-9]*.open*.org
 - review[0-9]*.open*.org
 git-loadbalancer:
- - git.open*.org
+ - git.openstack.org
 git-server:
- - git[0-9]*.open*.org
+ - git[0-9]*.openstack.org
+ gitea:
+ - gitea[0-9]*.opendev.org
 grafana:
 - grafana[0-9]*.open*.org
 graphite:
@@ -140,7 +142,8 @@ groups:
 - etherpad[0-9]*.open*.org
 - files[0-9]*.open*.org
 - firehose[0-9]*.open*.org
- - git*.open*.org
+ - git[0-9]*.openstack.org
+ - git.openstack.org
 - grafana[0-9]*.open*.org
 - graphite*.open*.org
 - groups-dev*.open*.org
diff --git a/playbooks/base.yaml b/playbooks/base.yaml
index 57fd4fbcef..44fd0b1a76 100644
--- a/playbooks/base.yaml
+++ b/playbooks/base.yaml
@@ -73,3 +73,9 @@
 roles:
 - install-docker
 - registry
+
+- hosts: "gitea:!disabled"
+ name: "Base: configure gitea"
+ roles:
+ - install-docker
+ - gitea
diff --git a/playbooks/group_vars/gitea.yaml b/playbooks/group_vars/gitea.yaml
new file mode 100644
index 0000000000..daf5e205d9
--- /dev/null
+++ b/playbooks/group_vars/gitea.yaml
@@ -0,0 +1,2 @@
+gitea_root_email: infra-root@openstack.org
+gitea_gerrit_public_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVuhTMAz1H2Jr9AC3py9A0vlNna6Sdt4yrvZOayxukPqQ7GPZd+Mo7MVyypxLD479N2mA09JAdsbq1eTiPP8ksEkB+dNxZzw8mY1653R/IXSW6J9xPcoDa88HF2s/xHN24IWzgiDjNNe79AQ+sKleByEQZ++xXny3MRpy258hKUvAtjjOLOnM1PBs8JNOzBL+UPgWRgSX6GG0qywJZqjD1Qx5kvH9RTRLi+tcMhEi4laN7BYvn4csY0sYzTzPG4ZTu3ootIJoRlQGtQ0LmoFO1vSwyEJUags6/ZZGjgy3jl3kwcU/b8ZnFlF4MDw1OB1QqMb4r6bMHbXNIupp4zJbz gerrit-replication-2014-04-25
diff --git a/playbooks/roles/gitea/README.rst b/playbooks/roles/gitea/README.rst
new file mode 100644
index 0000000000..74e10b4eac
--- /dev/null
+++ b/playbooks/roles/gitea/README.rst
@@ -0,0 +1 @@
+Install, configure, and run Gitea.
diff --git a/playbooks/roles/gitea/tasks/main.yaml b/playbooks/roles/gitea/tasks/main.yaml
new file mode 100644
index 0000000000..e57626ee71
--- /dev/null
+++ b/playbooks/roles/gitea/tasks/main.yaml
@@ -0,0 +1,121 @@
+- name: Ensure docker-compose directory exists
+ file:
+ state: directory
+ path: /etc/gitea-docker
+ mode: 0700
+- name: Write docker-compose file
+ template:
+ src: docker-compose.yaml.j2
+ dest: /etc/gitea-docker/docker-compose.yaml
+ mode: 0600
+- name: Ensure gitea volume directories exists
+ file:
+ state: directory
+ path: "/var/gitea/{{ item }}"
+ owner: 1000
+ group: 1000
+ loop:
+ - conf
+ - data
+ - logs
+ - certs
+ - db
+- name: Write TLS private key
+ copy:
+ content: "{{ gitea_tls_key }}"
+ dest: /var/gitea/certs/key.pem
+- name: Write TLS certificate
+ copy:
+ content: "{{ gitea_tls_cert }}"
+ dest: /var/gitea/certs/cert.pem
+- name: Write app.ini
+ template:
+ src: app.ini.j2
+ dest: /var/gitea/conf/app.ini
+- name: Install docker-compose
+ package:
+ name:
+ - docker-compose
+ state: present
+- name: Run docker-compose up
+ shell:
+ cmd: docker-compose up -d
+ chdir: /etc/gitea-docker/
+- name: Check if root user exists
+ uri:
+ url: "https://localhost/api/v1/users/root"
+ validate_certs: false
+ status_code: 200, 404
+ register: root_user_check
+ delay: 1
+ retries: 300
+ until: root_user_check and root_user_check.status in (200, 404)
+- name: Create root user
+ when: root_user_check.status==404
+ block:
+ - name: Create root user
+ command: "docker exec -t giteadocker_gitea-web_1 gitea admin create-user --name root --password {{ gitea_root_password }} --email {{ gitea_root_email }} --admin"
+ no_log: true
+- name: Check if gerrit user exists
+ uri:
+ url: "https://localhost/api/v1/users/gerrit"
+ validate_certs: false
+ status_code: 200, 404
+ register: gerrit_user_check
+- name: Create gerrit user
+ when: gerrit_user_check.status==404
+ no_log: true
+ uri:
+ url: "https://localhost/api/v1/admin/users"
+ validate_certs: false
+ method: POST
+ user: root
+ password: "{{ gitea_root_password }}"
+ force_basic_auth: true
+ status_code: 201
+ body_format: json
+ body:
+ email: "gerrit@review.opendev.org"
+ full_name: Gerrit
+ login_name: gerrit
+ password: "{{ gitea_gerrit_password }}"
+ send_notify: false
+ source_id: 0
+ username: gerrit
+- name: Check if gerrit ssh key exists
+ uri:
+ user: root
+ password: "{{ gitea_root_password }}"
+ force_basic_auth: true
+ url: "https://localhost/api/v1/users/gerrit/keys"
+ validate_certs: false
+ status_code: 200
+ register: gerrit_key_check
+ no_log: true
+- name: Delete old gerrit ssh key
+ when: gerrit_key_check.json | length > 0 and gerrit_key_check.json[0].key != gitea_gerrit_public_key
+ no_log: true
+ uri:
+ user: root
+ password: "{{ gitea_root_password }}"
+ force_basic_auth: true
+ url: "https://localhost/api/v1/user/keys/{{ gerrit_key_check.json[0].id }}"
+ validate_certs: false
+ method: DELETE
+ status_code: 204
+- name: Add gerrit ssh key
+ when: gerrit_key_check.json | length == 0
+ no_log: true
+ uri:
+ user: root
+ password: "{{ gitea_root_password }}"
+ force_basic_auth: true
+ url: "https://localhost/api/v1/admin/users/gerrit/keys"
+ validate_certs: false
+ method: POST
+ status_code: 201
+ body_format: json
+ body:
+ key: "{{ gitea_gerrit_public_key }}"
+ read_only: false
+ title: "Gerrit replication key"
diff --git a/playbooks/roles/gitea/templates/app.ini.j2 b/playbooks/roles/gitea/templates/app.ini.j2
new file mode 100644
index 0000000000..639c2c817d
--- /dev/null
+++ b/playbooks/roles/gitea/templates/app.ini.j2
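Review bot: `Write TLS private key` copies `gitea_tls_key` to `/var/gitea/certs/key.pem` without a `mode`, so the file gets the default umask permissions (commonly world-readable) while the compose file two tasks earlier is deliberately written `mode: 0600`; add `mode: 0600` and `owner: 1000` (the uid the volume directories are chowned to) to both copy tasks. The key-rotation path also does not complete in one run: `Delete old gerrit ssh key` removes a mismatched key, but `Add gerrit ssh key` is gated on `gerrit_key_check.json | length == 0`, a result registered before the delete, so a rotated key is only re-added on the following run; `when: gerrit_key_check.json | length == 0 or gerrit_key_check.json[0].key != gitea_gerrit_public_key` covers both cases. The delete targets `/api/v1/user/keys/{{ gerrit_key_check.json[0].id }}` with root's credentials, which as far as I can tell addresses the authenticated user's own keys rather than gerrit's; the admin-scoped route used for creation has a matching `DELETE /api/v1/admin/users/gerrit/keys/{id}`, which I'd verify against the Gitea version in the image. Finally, `gitea admin create-user ... --password {{ gitea_root_password }}` puts the root password on the container's command line, where `no_log` hides it from Ansible output but not from the host's process list while it runs; a comment acknowledging that trade-off, or feeding the password another way if the CLI allows, would help.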
@@ -0,0 +1,87 @@
+APP_NAME = OpenDev: Free Software Needs Free Tools
+RUN_MODE = prod
+RUN_USER = git
+
+[server]
+APP_DATA_PATH = /data/gitea
+SSH_DOMAIN = localhost
+PROTOCOL = https
+HTTP_PORT = 3000
+ROOT_URL = https://opendev.org/
+DISABLE_SSH = false
+SSH_PORT = 22
+LFS_CONTENT_PATH = /data/git/lfs
+DOMAIN = localhost
+LFS_START_SERVER = true
+LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }}
+OFFLINE_MODE = false
+CERT_FILE = /certs/cert.pem
+KEY_FILE = /certs/key.pem
+REDIRECT_OTHER_PORT = true
+PORT_TO_REDIRECT = 3080
+LOCAL_ROOT_URL = https://gitea-web:3000/
+
+[database]
+DB_TYPE = mysql
+HOST = mariadb:3306
+NAME = gitea
+USER = {{ gitea_db_username }}
+PASSWD = {{ gitea_db_password }}
+SSL_MODE = disable
+LOG_SQL = false
+
+[repository]
+ROOT = /data/git/repositories
+
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+REPO_INDEXER_ENABLED = true
+
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+PROVIDER = file
+
+[picture]
+AVATAR_UPLOAD_PATH = /data/gitea/avatars
+DISABLE_GRAVATAR = false
+ENABLE_FEDERATED_AVATAR = true
+
+[attachment]
+PATH = /data/gitea/attachments
+
+[log]
+ROOT_PATH = /logs
+LEVEL = Info
+
+[security]
+INSTALL_LOCK = true
+SECRET_KEY = {{ gitea_secret_key }}
+INTERNAL_TOKEN = {{ gitea_internal_token }}
+
+[service]
+DISABLE_REGISTRATION = true
+REQUIRE_SIGNIN_VIEW = false
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.example.org
+
+[mailer]
+ENABLED = false
+
+[openid]
+ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNUP = true
+
+[markup.pandoc]
+ENABLED = true
+; List of file extensions that should be rendered by an external command
+FILE_EXTENSIONS = .rst
+; External command to render all matching extensions
+RENDER_COMMAND = "/usr/bin/pandoc -f rst"
+; Input is not a standard input but a file
+IS_INPUT_FILE = false
diff --git a/playbooks/roles/gitea/templates/docker-compose.yaml.j2 b/playbooks/roles/gitea/templates/docker-compose.yaml.j2
new file mode 100644
index 0000000000..593a851f0a
--- /dev/null
+++ b/playbooks/roles/gitea/templates/docker-compose.yaml.j2
@@ -0,0 +1,42 @@
+# Version 2 is the latest that is supported by docker-compose in
+# Ubuntu Xenial.
+version: '2'
+
+services:
+ mariadb:
+ image: mariadb
+ restart: always
+ environment:
+ MYSQL_ROOT_PASSWORD: "{{ gitea_root_db_password }}"
+ MYSQL_DATABASE: gitea
+ MYSQL_USER: "{{ gitea_db_username }}"
+ MYSQL_PASSWORD: "{{ gitea_db_password }}"
+ volumes:
+ - /var/gitea/db:/var/lib/mysql
+ gitea-web:
+ depends_on:
+ - mariadb
+ image: opendevorg/gitea:latest
+ restart: always
+ environment:
+ - USER_UID=1000
+ - USER_GID=1000
+ volumes:
+ - /var/gitea/data:/data
+ - /var/gitea/conf:/custom/conf
+ - /var/gitea/logs:/logs
+ - /var/gitea/certs:/certs
+ ports:
+ - "443:3000"
+ - "80:3080"
+ gitea-ssh:
+ depends_on:
+ - mariadb
+ image: opendevorg/gitea-openssh
+ restart: always
+ ports:
+ - "222:22"
+ volumes:
+ - /var/gitea/data:/data
+ - /var/gitea/conf:/custom/conf
+ - /var/gitea/logs:/logs
diff --git a/playbooks/zuul/run-base.yaml b/playbooks/zuul/run-base.yaml
index ebd45fafb0..31351b55c8 100644
--- a/playbooks/zuul/run-base.yaml
+++ b/playbooks/zuul/run-base.yaml
@@ -62,6 +62,7 @@
 - group_vars/nodepool.yaml
 - group_vars/ns.yaml
 - group_vars/registry.yaml
+ - group_vars/gitea.yaml
 - host_vars/bridge.openstack.org.yaml
 - name: Display group membership
 command: ansible localhost -m debug -a 'var=groups'
diff --git a/playbooks/zuul/templates/group_vars/gitea.yaml.j2 b/playbooks/zuul/templates/group_vars/gitea.yaml.j2
new file mode 100644
index 0000000000..d76319f546
--- /dev/null
+++ b/playbooks/zuul/templates/group_vars/gitea.yaml.j2
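Review bot: `[openid]` keeps `ENABLE_OPENID_SIGNUP = true` while `[service]` sets `DISABLE_REGISTRATION = true`; whether the registration lock also gates OpenID sign-up depends on the Gitea version shipped in the image, so confirm it and set `ENABLE_OPENID_SIGNUP = false` explicitly if account creation via OpenID is not intended. `SSH_DOMAIN = localhost` and `DOMAIN = localhost` next to `ROOT_URL = https://opendev.org/` will most likely make the advertised SSH clone URLs point at localhost; a comment saying whether that is deliberate for the test deployment (and what production should override) would save the next reader a guess. The rendered file carries `PASSWD`, `SECRET_KEY`, `INTERNAL_TOKEN` and `LFS_JWT_SECRET`, so it is as sensitive as the TLS key; the `Write app.ini` task in tasks/main.yaml should set a restrictive `mode` accordingly.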
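Review bot: All three services pull by mutable tag — `image: opendevorg/gitea:latest`, the untagged `opendevorg/gitea-openssh` and `mariadb` (both implicitly `:latest`) — so each `docker-compose up` on a fresh host may run a different build than the one the job tested, and with `restart: always` a broken or compromised upstream push is picked up without review. Pin each image to a version tag or digest, e.g. `image: mariadb:10.3` and `image: opendevorg/gitea@sha256:<digest-from-build>`; the `system-config-build-image-gitea` job already produces the image, so the tag can be set from that build. If `gitea-ssh` only reads app.ini, mounting `/var/gitea/conf:/custom/conf:ro` there limits what the SSH container can change if it is compromised — I can't tell from this file whether it writes to it.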
@@ -0,0 +1,59 @@ +gitea_secret_key: zcHsCZsYrOUrQd24nlJS9xRCwek3uzp8X5OFQGJox4jkEbuIyeJoxtv7n00uV6Tp +gitea_internal_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE1NTAyNjk3ODV9.QaommLldgEJr9E26VrPp7l7gKo3zpywTM9botpVoyqc +gitea_lfs_jwt_secret: qzeNfUus9JJ15eJZwpSlU3P5Ca62Oei3NrjVbb97mdI +gitea_root_db_password: TlG1lNXKLfruXN0j +gitea_db_username: gitea +gitea_db_password: 5bfuOBKtltff0XZX +gitea_root_password: BUbBcpToMwR05ZCB +gitea_gerrit_password: yVpMWIUIvT7f6NwA +gitea_tls_cert: | + -----BEGIN CERTIFICATE----- + MIIDXTCCAkWgAwIBAgIJANOV6XqCusL0MA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV + BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX + aWRnaXRzIFB0eSBMdGQwHhcNMTkwMjE1MjIwNjI0WhcNMTkwMzE3MjIwNjI0WjBF + MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 + ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB + CgKCAQEAvXpjO7ViMSG5IuSi7Y76wGUML2WpVyjGKeJur2BQkQQwy+5daUAwM0sr + sSa31IDya9hlDetQpLFE1QPFrwkNe2MT9+V/vIJJDoRbt2Tgrzj1ZL/DSws1FikF + L7vI8Je0Hb4Ylhd66xeuoz3jQW6ky9huJi8ZEkc4DNa1ehkyZd2nUXsu5DizQEU6 + b+I5LneikWPrMSNOMSw3BrC9P6j9X8/j2Txpmkww3sC+TegsQKQSNTBvz8HUM6m6 + OlT/yezjkNCDd/HHR49veMiOgvwJK6ZVGXl7Pg/tb+piXlI4lrXD0tjzEY+4jPJW + 6m55r3l+yFvVoomStAjc7mDDnYul+wIDAQABo1AwTjAdBgNVHQ4EFgQUbVQz03pc + RO167fYlsXNtSFPP7oYwHwYDVR0jBBgwFoAUbVQz03pcRO167fYlsXNtSFPP7oYw + DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAQV+91n6+Wb4kj3byEJL9 + X75geYQ7oz2HgWyJ8EB/cfxhZDxe4AqaTOnTsz2hf+QLh46wnc1Kkwn6REtq2izn + uLRYQJ1RklhGFMNEanweMwwVOcqsclFzX/u5dDl6jGaVaz2G/chvhPScmqoZGc9u + 4K0DE5kQTHwYwyBSuOmZ0K+zlEzTaXt5Uadc8OpQ8Axx8sR9yhb5mDq2To6jBjU3 + aT8Nwcpc2QchAA/dlJFfqm9YHCjcqtPdBuNrsRHP3FABr8OlmNTx3hm6ox7Zhijx + ROGRUmwjV78T87Z1gF5cpBEUj5BgiyMyoaK5HjWg9HJfPolul20PN88o+n17hkK8 + lw== + -----END CERTIFICATE----- +gitea_tls_key: | + -----BEGIN PRIVATE KEY----- + MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC9emM7tWIxIbki + 5KLtjvrAZQwvZalXKMYp4m6vYFCRBDDL7l1pQDAzSyuxJrfUgPJr2GUN61CksUTV + 
A8WvCQ17YxP35X+8gkkOhFu3ZOCvOPVkv8NLCzUWKQUvu8jwl7QdvhiWF3rrF66j + PeNBbqTL2G4mLxkSRzgM1rV6GTJl3adRey7kOLNARTpv4jkud6KRY+sxI04xLDcG + sL0/qP1fz+PZPGmaTDDewL5N6CxApBI1MG/PwdQzqbo6VP/J7OOQ0IN38cdHj294 + yI6C/AkrplUZeXs+D+1v6mJeUjiWtcPS2PMRj7iM8lbqbnmveX7IW9WiiZK0CNzu + YMOdi6X7AgMBAAECggEBAJcQLnF6KTD2q/3vvx4a8jvV1CMtsBb3QRY/mvNjnJgh + eS39eqfhLwyWD92K+uEHdT8aJWc1hvPnCPOzsDXex8rpsQ/g/zgxv0E9sUnDuYa5 + qJuMb40zAD4Msj/ePVPj/wv/dOalDbDFDszDGJ4gMm76vMbgoeJ6uWsy+zi/QfkH + oI36pUnk165oGQtLVljKhclVpFcdno+E1LhrGpTgkHHNgx7P3J0mpsmjhIuQy9qk + Ugp9sPdvevgiduLW3qAWurn0lbQ1xcXt+BrGsqEU9m5wY6r4RLdqvHqfwgRCNOAC + blfXLacvh48Hpic4/LzXZmif83F6ntK4gierOp7aq+ECgYEA7ieBsvG5Dz2IasSu + n/1cNv7OtGn0cRuaW4zChraR4gKwOt93TL8jB0vjFr2Dp7SQsLdKfzuWMgnuI5wG + GZzx6nKM9hboCnh8p7jTF08HdAcXp5Bmfq8e9TUz2OUuU88PPcZDFwBL7Pk/lSn+ + L7U3zLnjzqkbcqiyH4khWef22JkCgYEAy60g/Nnc+AWFhJToKEbd1JRwDDyYa6Ub + 7zmcR0C1e3sUXfZf67qBEeXVNPV7mOwQ94ff/A7InzckAIAeWPT95idZ2MTdC097 + NWC81IAvJODK/Y69AuPcyz69QYnRLKUfPwE4iTl77iev8tIwXDbkdhiW6dq4O93z + 843PGEnkq7MCgYEAkr9XRSt7q+9votKlA8K70st6FWOAkz2+BJGcwCO5irm7W9ud + CHZyoClbugR3Hpy915Zp2jKeXyENU3XtsFSsIJoLUAxXWTRbI4JY2HEDF7TTF5Z8 + Aa3o9pGc7BZ0UIIzUw5bAs5U+qWvTzu7/Cu/QXB99jbvydw3PgVivqKX0WkCgYAn + jZSFZe2igLgAGkbHY5O6r6Tey3myFdtJ5r8xmyBjPXCkGq9gANUF28M+yJlbBiT5 + XPqjYV+Wg8fLDRZXoiQYaPXqwbhHdQTxRbsF7Wq6V6kz+l88S3HaSnHIY3IqoFpk + CuGmzHIDutNRbX4Uulg9kuLjwSTcA2tXledsyRTOPwKBgHHRUWkzf2GHHOcla9td + TEUmEM3gpXQmtjec976VjSnD7N8aitTfknLUtyq7f3VfPA/Oj/eug2lNX9+cCKMG + 0nN3kZLVaUvxJ5YPiaQ9EzGqRoDOMto+CRksuSnBUGDcvpBX6Z+09qZgzqP3En1K + eZ6Mi1Y0bWwKXCyd8tbbqi9p + -----END PRIVATE KEY----- diff --git a/testinfra/test_gitea.py b/testinfra/test_gitea.py new file mode 100644 index 0000000000..35b5133a76 --- /dev/null +++ b/testinfra/test_gitea.py 
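Review bot: This template stands in for the production `group_vars/gitea.yaml` in the CI job, yet nothing in the file says so, and it holds a complete credential set (root and gerrit passwords, DB passwords, `gitea_secret_key`, `gitea_internal_token`, `gitea_lfs_jwt_secret`) plus a TLS private key in plaintext; a header comment such as `# Throwaway values for the system-config-run-gitea job only; never reuse on a real host` prevents a copy-paste into a real inventory. The UTCTime fields in the embedded certificate appear to give it a validity window of roughly one month (2019-02-15 to 2019-03-17); the role's `uri` tasks pass `validate_certs: false`, so expiry would not break the play, but anything that does validate the chain will start failing silently. Documenting the expiry next to the blob, or generating the pair inside the job instead of committing it, avoids that.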
@@ -0,0 +1,25 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+testinfra_hosts = ['gitea01.opendev.org']
+
+
+def test_gitea_listening(host):
+ gitea_https = host.socket("tcp://0.0.0.0:443")
+ assert gitea_https.is_listening
+ gitea_http = host.socket("tcp://0.0.0.0:80")
+ assert gitea_http.is_listening
+ gitea_ssh = host.socket("tcp://0.0.0.0:222")
+ assert gitea_ssh.is_listening
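Review bot: `test_gitea_listening` only proves that something is bound on 443, 80 and 222; it does not confirm that the listener is Gitea answering over TLS, nor that the users and replication key the role provisions exist, so a container that starts but serves errors still passes. One cheap probe is `assert host.run("curl -ks -o /dev/null -w '%{http_code}' https://localhost/api/v1/users/gerrit").stdout == "200"`, which exercises the HTTPS path and the gerrit account in one line. A one-line docstring stating that the socket checks are deliberately minimal (if they are) would also help.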