diff --git a/hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix b/hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix
index 3bdb6cd..afdb8d3 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix
@@ -74,6 +74,7 @@ in
 "gitea/internalToken".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
 "gitea/jwtSecret".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
 "gitea/lfsJwtSecret".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "gitea/admin".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
 "gitea/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
 "gitea/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
 };
@@ -85,6 +86,7 @@ in
 gitea-env.content = ''
 GITEA_OAUTH_SECRET=${hmConfig.sops.placeholder."gitea/authelia/password"}
+ GITEA_ADMIN_PASSWORD=${hmConfig.sops.placeholder."gitea/admin"}
 '';
 gitea.content = builtins.readFile (
@@ -204,45 +206,47 @@ in }; containers = { - gitea = - let - entrypoint = pkgs.writeTextFile { - name = "entrypoint.sh"; - executable = true; - text = builtins.readFile ./entrypoint.sh; - }; - in - { - containerConfig = { - image = "docker-archive:${selfPkgs.docker-gitea}"; - networks = [ - networks.gitea.ref - networks.traefik.ref - ]; - volumes = [ + gitea = { + containerConfig = { + image = "docker-archive:${selfPkgs.docker-gitea}"; + networks = [ + networks.gitea.ref + networks.traefik.ref + ]; + volumes = + let + preStart = pkgs.writeTextFile { + name = "pre-start.sh"; + executable = true; + text = builtins.readFile ./pre-start.sh; + }; + in + [ "${volumes.gitea.ref}:/var/lib/gitea/data" "/mnt/storage/private/storm/containers/storage/volumes/gitea-lfs/_data:/var/lib/gitea/data/lfs" "${hmConfig.sops.templates.gitea.path}:/etc/gitea/app.ini:ro" - "${entrypoint}:/entrypoint.sh:ro" - ]; - environments.GITEA_OAUTH_KEY = autheliaClientId; - environmentFiles = [ hmConfig.sops.templates.gitea-env.path ]; - entrypoint = "/entrypoint.sh"; - labels = [ - "traefik.enable=true" - "traefik.http.routers.gitea.rule=Host(`git.karaolidis.com`)" + "${preStart}:/etc/gitea/pre-start.sh:ro" ]; + environments = { + GITEA_OAUTH_KEY = autheliaClientId; + GITEA_ADMIN_EMAIL = "jupiter@karaolidis.com"; }; - - unitConfig = { - After = [ - "${containers.gitea-postgresql._serviceName}.service" - "sops-nix.service" - ]; - Requires = [ "${containers.gitea-postgresql._serviceName}.service" ]; - }; + environmentFiles = [ hmConfig.sops.templates.gitea-env.path ]; + labels = [ + "traefik.enable=true" + "traefik.http.routers.gitea.rule=Host(`git.karaolidis.com`)" + ]; }; + unitConfig = { + After = [ + "${containers.gitea-postgresql._serviceName}.service" + "sops-nix.service" + ]; + Requires = [ "${containers.gitea-postgresql._serviceName}.service" ]; + }; + }; + gitea-postgresql = { containerConfig = { image = "docker-archive:${selfPkgs.docker-postgresql}"; 
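Review bot: `After = [ ... "sops-nix.service" ]` only orders the gitea unit after sops-nix; with `Requires` naming just the postgresql unit, nothing pulls sops-nix in, so if it has not run yet the container can be started without `hmConfig.sops.templates.gitea-env.path` and the app.ini template present (the removed side carried the same dependency, so this is inherited rather than introduced here). If sops-nix.service is not otherwise guaranteed to be active by then, consider `Requires = [ "${containers.gitea-postgresql._serviceName}.service" "sops-nix.service" ];`. The `containers = {` set this hunk edits continues past its last line.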
diff --git a/hosts/jupiter/users/storm/configs/console/podman/gitea/entrypoint.sh b/hosts/jupiter/users/storm/configs/console/podman/gitea/entrypoint.sh
deleted file mode 100644
index d489939..0000000
--- a/hosts/jupiter/users/storm/configs/console/podman/gitea/entrypoint.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/sh
-
-gitea migrate -c /etc/gitea/app.ini
-
-gitea admin auth add-oauth \
- -c /etc/gitea/app.ini \
- --name=authelia \
- --provider=openidConnect \
- --key="$GITEA_OAUTH_KEY" \
- --secret="$GITEA_OAUTH_SECRET" \
- --auto-discover-url=https://id.karaolidis.com/.well-known/openid-configuration \
- --scopes='openid email profile groups' \
- --skip-local-2fa \
- --group-claim-name=groups \
- --admin-group=admin 2>&1 || true
-
-exec gitea web -c /etc/gitea/app.ini
diff --git a/hosts/jupiter/users/storm/configs/console/podman/gitea/pre-start.sh b/hosts/jupiter/users/storm/configs/console/podman/gitea/pre-start.sh
new file mode 100644
index 0000000..d55b4f5
--- /dev/null
+++ b/hosts/jupiter/users/storm/configs/console/podman/gitea/pre-start.sh
@@ -0,0 +1,44 @@
+# shellcheck shell=sh
+
+authelia_id="$(gitea admin -c /etc/gitea/app.ini auth list | awk '$2 == "authelia" { print $1 }')"
+
+if [ -z "${authelia_id:-}" ]; then
+ gitea admin auth add-oauth \
+ -c /etc/gitea/app.ini \
+ --name=authelia \
+ --provider=openidConnect \
+ --key="$GITEA_OAUTH_KEY" \
+ --secret="$GITEA_OAUTH_SECRET" \
+ --auto-discover-url=https://id.karaolidis.com/.well-known/openid-configuration \
+ --scopes='openid email profile groups' \
+ --skip-local-2fa \
+ --group-claim-name=groups \
+ --admin-group=admin
+else
+ gitea admin auth update-oauth \
+ -c /etc/gitea/app.ini \
+ --id="$authelia_id" \
+ --name=authelia \
+ --provider=openidConnect \
+ --key="$GITEA_OAUTH_KEY" \
+ --secret="$GITEA_OAUTH_SECRET" \
+ --auto-discover-url=https://id.karaolidis.com/.well-known/openid-configuration \
+ --scopes='openid email profile groups' \
+ --skip-local-2fa \
+ --group-claim-name=groups \
+ --admin-group=admin
+fi
+
+admin="$(gitea admin -c /etc/gitea/app.ini user list | awk '$2 == "admin" { print $2 }')"
+
+if [ -z "${admin:-}" ]; then
+ gitea admin user create \
+ -c /etc/gitea/app.ini \
+ --username="admin" \
+ --password="$GITEA_ADMIN_PASSWORD" \
+ --email="$GITEA_ADMIN_EMAIL" \
+ --admin \
+ --must-change-password=false
+fi
+
+exec gitea web -c /etc/gitea/app.ini
diff --git a/packages/docker/gitea/default.nix b/packages/docker/gitea/default.nix
index dcdc7cd..cbc57c3 100644
--- a/packages/docker/gitea/default.nix
+++ b/packages/docker/gitea/default.nix
@@ -1,4 +1,12 @@
 { pkgs, ... }:
+let
+ entrypoint = pkgs.writeTextFile {
+ name = "entrypoint";
+ executable = true;
+ destination = "/bin/entrypoint";
+ text = builtins.readFile ./entrypoint.sh;
+ };
+in
 pkgs.dockerTools.buildImage {
 name = "gitea";
 fromImage = import ../base { inherit pkgs; };
@@ -6,6 +14,7 @@ pkgs.dockerTools.buildImage {
 copyToRoot = pkgs.buildEnv {
 name = "root";
 paths = with pkgs; [
+ entrypoint
 gitea
 git
 ];
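Review bot: The admin branch (`if [ -z "${admin:-}" ]`) only creates the user when it is absent, so once the first boot has run a rotated `gitea/admin` secret is never applied and `GITEA_ADMIN_PASSWORD` silently diverges from the real password, whereas the OAuth branch above reconciles on every start. An `else` branch mirroring that, `gitea admin user change-password -c /etc/gitea/app.ini --username admin --password "$GITEA_ADMIN_PASSWORD" --must-change-password=false`, would keep the two in step (drop the last flag if the Gitea version in use does not accept it on change-password). Also worth a one-line comment that `--secret` and `--password` are passed as command-line arguments and so are readable from `/proc/<pid>/cmdline` by anything sharing the container's PID namespace for the duration of each call; the gitea CLI offers no stdin alternative for these subcommands as far as I can tell.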
@@ -13,12 +22,7 @@ pkgs.dockerTools.buildImage {
 };
 
 config = {
- Entrypoint = [ "gitea" ];
- Cmd = [
- "web"
- "-c"
- "/etc/gitea/app.ini"
- ];
+ Entrypoint = [ "entrypoint" ];
 ExposedPorts = {
 "3000/tcp" = { };
 };
diff --git a/packages/docker/gitea/entrypoint.sh b/packages/docker/gitea/entrypoint.sh
new file mode 100644
index 0000000..c03a4af
--- /dev/null
+++ b/packages/docker/gitea/entrypoint.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env sh
+
+set -o errexit
+set -o nounset
+
+gitea migrate -c /etc/gitea/app.ini
+
+if [ -f /etc/gitea/pre-start.sh ]; then
+ # shellcheck disable=SC1091
+ . /etc/gitea/pre-start.sh
+fi
+
+exec gitea web -c /etc/gitea/app.ini "$@"
diff --git a/secrets b/secrets
index 8e179ed..cf0eec5 160000
--- a/secrets
+++ b/secrets
@@ -1 +1 @@
-Subproject commit 8e179ed0969eefdb11d9d2a0e81ac0323ce7ecf9
+Subproject commit cf0eec50d087704012bee8cfa0bab39b46b1cde7
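Review bot: `Entrypoint = [ "entrypoint" ];` is resolved through the image's PATH, which comes from whatever the base image in `../base` exports; since the wrapper is installed at a fixed `destination = "/bin/entrypoint"`, `Entrypoint = [ "/bin/entrypoint" ];` avoids depending on that. Dropping `Cmd` also means the wrapper's `"$@"` is empty unless the unit passes arguments, which is fine but worth a comment next to the Entrypoint line such as `# Cmd intentionally unset: the wrapper runs migrate/pre-start and execs gitea web itself`. The `config = {` set continues past the hunk.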
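Review bot: The `"$@"` on the final `exec` is unreachable whenever `/etc/gitea/pre-start.sh` exists, because the pre-start file committed in this change ends with its own `exec gitea web -c /etc/gitea/app.ini` and, being sourced with `.`, replaces this shell before the `fi`; container arguments are then silently dropped and there are two competing start lines to maintain. Either remove the trailing exec from pre-start.sh so this script owns process start, or document above the `. /etc/gitea/pre-start.sh` line that a pre-start script is expected to exec and the last line is only the fallback. Separately, `GITEA_OAUTH_SECRET` and `GITEA_ADMIN_PASSWORD` are only consumed by the bootstrap commands as far as the visible scripts show, so `unset GITEA_OAUTH_SECRET GITEA_ADMIN_PASSWORD` before the exec would keep them out of the long-running server's environment (`/proc/<pid>/environ`) and out of every git hook or sub-process it spawns; `unset` stays safe under `set -o nounset` when the variables are absent.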