feat: perms, gitea actions, ssl

src/000-entry.sh

@@ -37,9 +37,11 @@ ssh-keygen -t ed25519 -C "local" -f /root/.ssh/local_ed25519 -P ''
 cp ./sshd_config.presetup /etc/ssh/sshd_config
 systemctl restart sshd
 
-source ./010-apt.sh
+source ./010-system-apt.sh
-source ./020-users.sh
+source ./011-system-users.sh
-source ./030-net.sh
+source ./020-net.sh
-source ./031-routing.sh
+source ./021-net-routing.sh
-source ./040-gitea.sh
+source ./022-net-ssl.sh
+source ./030-gitea-actions.sh
+source ./031-gitea.sh
 source ./999-post.sh

src/011-system-users.sh

@@ -34,5 +34,5 @@ function user_init {
   "
 }
 
-source ./021-user-gitea.sh
+source ./012-system-users-gitea.sh
-source ./022-user-others.sh
+source ./013-system-users-other.sh

src/012-system-users-gitea.sh

@@ -10,6 +10,7 @@ else
   mkdir /tmp/git
   mkdir /tmp/git/data
   mkdir /tmp/git/data/git
+  mkdir /tmp/git/data/act_runner
   mkdir /tmp/git/config
 fi
 
@@ -35,9 +36,15 @@ mv /tmp/git/config /home/git/
 cp ./gitea-docker-compose.yml /home/git/docker-compose.yml
 cp ./gitea-app.ini            /home/git/config/app.ini
 
+touch /home/git/runner-config.yml
+touch /home/git/.env.runner
+
 chown -R git:git /home/git
+chown -R git:git /home/git/runner-config.yml
+chown -R git:git /home/git/.env.runner
 chown -R git:git /home/git/data
 chown -R git:git /home/git/data/git
+chown -R git:git /home/git/data/act_runner
 chown -R git:git /home/git/config
 
 chmod -R 777 /home/git/data

src/022-net-ssl.sh

@@ -0,0 +1,3 @@
+#! /usr/bin/bash
+
+certbot --nginx -d git.orionkindel.com -n

src/030-gitea-actions.sh

@@ -0,0 +1,14 @@
+#! /usr/bin/bash
+
+read -p 'enter action runner token: ' token
+
+cp ./gitea-actions-runner-config.yml /home/git/runner-config.yml
+
+cat << EOF >> /home/git/.env.runner
+CONFIG_FILE=/config.yml
+GITEA_INSTANCE_URL=https://git.orionkindel.com
+GITEA_RUNNER_REGISTRATION_TOKEN=$token
+EOF
+
+chown git:git -R /home/git/runner-config.yml
+chown git:git -R /home/git/.env.runner

src/031-gitea.sh

@@ -17,11 +17,7 @@ rm /usr/local/bin/gitea-shell || true;
 
 cat << "EOF" >> /usr/local/bin/gitea-shell
 #!/bin/sh
-/usr/bin/docker context use rootless
+/usr/bin/docker compose exec -i --env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" server sh "$@"
-/usr/bin/docker exec -i \
-  --env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" \
-  gitea \
-  sh "$@"
 EOF
 
 chmod +x /usr/local/bin/gitea-shell

src/gitea-actions-runner-config.yml

@@ -0,0 +1,22 @@
+log:
+  level: info
+
+runner:
+  file: .runner
+  capacity: 1
+  timeout: 3h
+  insecure: false
+  fetch_timeout: 5s
+  fetch_interval: 2s
+
+cache:
+  enabled: true
+  dir: "/data/.cache"
+  host: ""
+  port: 0
+
+container:
+  network_mode: bridge
+  privileged: false
+  options:
+  workdir_parent:

src/gitea-app.ini

@@ -1,17 +1,20 @@
 ; https://github.com/go-gitea/gitea/blob/main/custom/conf/app.example.ini
-
 APP_NAME = git@orionkindel.com
 RUN_MODE = prod
+RUN_USER = git
 
 [server]
-DOMAIN           = localhost
+DOMAIN           = git.orionkindel.com
-SSH_DOMAIN       = localhost
+SSH_DOMAIN       = git.orionkindel.com
 HTTP_PORT        = 3000
-; ROOT_URL         = git.orionkindel.com
 DISABLE_SSH      = false
+START_SSH_SERVER = true
 SSH_PORT         = 22
 SSH_LISTEN_PORT  = 22
-LFS_START_SERVER = false
+LFS_START_SERVER = true
+ROOT_URL         = https://git.orionkindel.com/
+LFS_JWT_SECRET   = UsqQwv84asJvQbpkp0gILFIQnuX7-dBvWG_Y3-hRr7w
+OFFLINE_MODE     = false
 
 [database]
 PATH     = /data/gitea/gitea.db
@@ -21,12 +24,16 @@ NAME    = gitea
 USER     = root
 PASSWD   = 
 LOG_SQL  = false
+SCHEMA   = 
+SSL_MODE = disable
+CHARSET  = utf8
 
 [indexer]
 ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
 
 [session]
 PROVIDER_CONFIG = /data/gitea/sessions
+PROVIDER        = file
 
 [picture]
 AVATAR_UPLOAD_PATH            = /data/gitea/avatars
@@ -42,14 +49,46 @@ ROUTER = console
 ROOT_PATH = /data/gitea/log
 
 [security]
-INSTALL_LOCK = false
+INSTALL_LOCK                  = true
 SECRET_KEY                    = 
 REVERSE_PROXY_LIMIT           = 1
 REVERSE_PROXY_TRUSTED_PROXIES = *
+INTERNAL_TOKEN                = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE2ODQ0Njk4MTJ9.0PBZpL59ML5l-IKkIY6Vos9Sjyp6_pqxz-decLdY8cs
+PASSWORD_HASH_ALGO            = pbkdf2
 
 [service]
 DISABLE_REGISTRATION              = false
 REQUIRE_SIGNIN_VIEW               = false
+REGISTER_EMAIL_CONFIRM            = false
+ENABLE_NOTIFY_MAIL                = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
+ENABLE_CAPTCHA                    = false
+DEFAULT_KEEP_EMAIL_PRIVATE        = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING       = true
+NO_REPLY_ADDRESS                  = noreply.localhost
 
 [lfs]
 PATH = /data/git/lfs
+
+[repository]
+ROOT = /data/gitea-repositories
+
+[mailer]
+ENABLED = false
+
+[openid]
+ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNUP = true
+
+[cron.update_checker]
+ENABLED = true
+
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = merge
+
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
+
+[actions]
+ENABLED = true

src/gitea-docker-compose.yml

@@ -4,7 +4,7 @@ name: gitea_compose
 
 services:
   server:
-    image: gitea/gitea:dev-rootless
+    image: gitea/gitea:latest-rootless
     container_name: gitea
     user: "1000"
     restart: always
@@ -17,3 +17,14 @@ services:
     ports:
       - "8880:3000" # see also: ./nginx.conf
       - "127.0.0.1:2222:22"
+  runner:
+    image: toadlib/act_runner:latest
+    restart: always
+    depends_on:
+      - server
+    volumes:
+      - /home/git/data/act_runner:/data
+      - /home/git/runner-config.yml:/config.yml
+      - /run/user/1000/docker.sock:/var/run/docker.sock
+    env_file:
+      - /home/git/.env.runner