Merge pull request 'neoloc/gitea' (#230) from neoloc/gitea into develop

Reviewed-on: unkinben/puppet-prod#230
2024-05-28 22:58:49 +09:30 · 2024-05-28 22:58:49 +09:30 · 99c4d8717c
commit 99c4d8717c
parent 7dacd4a403 fab4ea5998
6 changed files with 118 additions and 0 deletions
--- a/2
+++ b/2
@ -34,6 +34,7 @@ mod 'puppet-consul', '8.0.0'
 mod 'puppet-vault', '4.1.0'
 mod 'puppet-dhcp', '6.1.0'
 mod 'puppet-keepalived', '3.6.0'
+mod 'puppet-extlib', '7.0.0'

 # other
 mod 'ghoneycutt-puppet', '3.3.0'
@ -44,6 +45,7 @@ mod 'markt-galera', '3.1.0'
 mod 'kogitoapp-minio', '1.1.4'
 mod 'broadinstitute-certs', '3.0.1'
 mod 'stm-file_capability', '6.0.0'
+mod 'h0tw1r3-gitea', '3.2.0'

 mod 'bind',
  :git => 'https://git.unkin.net/unkinben/puppet-bind.git',
--- a/hieradata/roles/infra/git/gitea.eyaml
+++ b/hieradata/roles/infra/git/gitea.eyaml
@ -0,0 +1,3 @@
+---
+profiles::gitea::init::mysql_pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAjmMVHQcvy0PLruFWI6UmYqM2uEqXntV8HdA54RCTm7GaneXsW+rom+ibFVd0i9L+spQPQzcidh7FlzBRYgny8yH8TqZlh7XMraXSYG2EvrjwzNvgnwhY5mGEQNQcQkqN9Orfsf6HjXmXg2CxajYibKu0/belJZFffzPzzrn15wy3Cj5lDjAziqYoD+8Ko1zkF9lWz4ewVjll82yo8iSpidN+PyvoeWsi/eJ9cW72TgFLt/rvGquLq3MuW54J716hrR1Z37Uf0OO18AiKCVjoCi5Cf/k0VKRsXM8Myu2KInqrGcUHAO+fsOXBXnmU0MOxW0OIOmwxfwY6LJfN23arlDBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB6GktEMe8gSTijJ/dIHC5/gCCblMojNKO1ig9fNsuT9I2u5Bt4iJrSMN+GBGnCzO1Bvw==]
+profiles::gitea::init::lfs_jwt_secret: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEACd6q4E/4l1EYD3SFjc1okibyJ13kcGGWU+ShbCgwLgkW7INkyCxhbNm69yPA7WcyuRhH/Lfz/XjJKd3BSCyRQPr5IUOIRINspx82tLBcaMzY/99GFrfyDnf3+SV/AxrPJ/zD5TGkKQP7uX6WjC9DXpHE+pFJa9wBAipmV439y0JDVt2gXFmhqBWThSjBDBfJ5X4zO5wY8CfBX4APOcD5hIQP/T4n04dQLNpigEKKy6B+GFuooTbdmMmFj3ZpT+cUS8Aw9mFkBwyyN1o+50XU3vW4eieUz8cYkzDPu574XfTunqD2jcvPiFjCla8G1SpKfHkruKnZWwgO0Ntw9td5QDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAIRVL5j4dzbYg6f2XjvkQ6gDAd2qUNzPn2flZgKwsjIZcYdmFMTn48hGPUFfVaMDeyzPoJi84CyRJl8cQvcAe52sw=]
--- a/hieradata/roles/infra/git/gitea.yaml
+++ b/hieradata/roles/infra/git/gitea.yaml
@ -0,0 +1,38 @@
+---
+# additional altnames
+profiles::pki::vault::alt_names:
+  - git.main.unkin.net
+  - git.service.consul
+  - git.query.consul
+  - "git.service.%{facts.country}-%{facts.region}.consul"
+
+consul::services:
+  git:
+    service_name: 'git'
+    tags:
+      - 'git'
+      - 'gitea'
+    address: "%{facts.networking.ip}"
+    port: 443
+    checks:
+      - id: 'gitea_https_check'
+        name: 'Gitea HTTPS Check'
+        http: "https://%{facts.networking.fqdn}:443"
+        method: 'GET'
+        tls_skip_verify: true
+        interval: '10s'
+        timeout: '1s'
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: git
+    disposition: write
+
+# manage a simple nginx reverse proxy
+profiles::nginx::simpleproxy::nginx_vhost: 'git.query.consul'
+profiles::nginx::simpleproxy::nginx_aliases:
+  - git.main.unkin.net
+  - git.service.consul
+  - git.query.consul
+  - "git.service.%{facts.country}-%{facts.region}.consul"
+profiles::nginx::simpleproxy::proxy_port: 3000
+profiles::nginx::simpleproxy::proxy_path: '/'
--- a/hieradata/roles/infra/storage/consul.yaml
+++ b/hieradata/roles/infra/storage/consul.yaml
@ -71,3 +71,9 @@ profiles::consul::prepared_query::rules:
    service_failover_n: 3
    service_only_passing: true
    ttl: 10
+  git:
+    ensure: 'present'
+    service_name: 'git'
+    service_failover_n: 3
+    service_only_passing: true
+    ttl: 10
--- a/site/profiles/manifests/gitea/init.pp
+++ b/site/profiles/manifests/gitea/init.pp
@ -0,0 +1,55 @@
+# profiles::gitea::init
+class profiles::gitea::init (
+  String $mysql_pass = '',
+  String $lfs_jwt_secret = '',
+) {
+
+  include profiles::nginx::simpleproxy
+
+  class { 'gitea':
+    ensure               => '1.22.0',
+    checksum             => 'a31086f073cb9592d28611394b2de3655db515d961e4fdcf5b549cb40753ef3d',
+    custom_configuration => {
+      ''           => {
+        'APP_NAME' => 'Gitea',
+        'RUN_USER' => 'git',
+        'RUN_MODE' => 'prod',
+      },
+      'repository' => {
+        'ROOT'               => '/data/gitea/repos',
+        'FORCE_PRIVATE'      => false,
+        'MAX_CREATION_LIMIT' => -1,
+        'DISABLE_HTTP_GIT'   => false,
+        'DEFAULT_BRANCH'     => 'main',
+        'DEFAULT_PRIVATE'    => 'last',
+      },
+      'ui'         => {
+        'SHOW_USER_EMAIL' => false,
+      },
+      'server'     => {
+        'PROTOCOL'         => 'http',
+        'DOMAIN'           => 'git.query.consul',
+        'ROOT_URL'         => 'https://git.query.consul',
+        'HTTP_ADDR'        => '0.0.0.0',
+        'HTTP_PORT'        => 3000,
+        'START_SSH_SERVER' => false,
+        'SSH_DOMAIN'       => 'git.query.consul',
+        'SSH_PORT'         => 2222,
+        'SSH_LISTEN_HOST'  => '0.0.0.0',
+        'OFFLINE_MODE'     => true,
+        'APP_DATA_PATH'    => '/var/lib/gitea/data',
+        'SSH_LISTEN_PORT'  => 22,
+      },
+      'database'   => {
+        'DB_TYPE'  => 'mysql',
+        'HOST'     => 'mariadb-prod.service.au-syd1.consul:3306',
+        'NAME'     => 'gitea',
+        'USER'     => 'gitea',
+        'PASSWD'   => Sensitive($mysql_pass),
+        'SSL_MODE' => 'disable',
+        'PATH'     => '/var/lib/gitea/data/gitea.db',
+        'LOG_SQL'  => false,
+      },
+    }
+  }
+}
--- a/site/roles/manifests/infra/git/gitea.pp
+++ b/site/roles/manifests/infra/git/gitea.pp
@ -0,0 +1,14 @@
+# a role to deploy the puppetboard
+class roles::infra::git::gitea {
+  if $facts['firstrun'] {
+    include profiles::defaults
+    include profiles::firstrun::init
+  }else{
+    include profiles::defaults
+    include profiles::base
+    include profiles::base::datavol
+    if $facts['enc_role'] == 'roles::infra::git::gitea' {
+      include profiles::gitea::init
+    }
+  }
+}