Add gitea admin

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>

hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix

@@ -74,6 +74,7 @@ in
           "gitea/internalToken".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
           "gitea/jwtSecret".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
           "gitea/lfsJwtSecret".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+          "gitea/admin".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
           "gitea/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
           "gitea/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
         };
@@ -85,6 +86,7 @@ in
 
           gitea-env.content = ''
             GITEA_OAUTH_SECRET=${hmConfig.sops.placeholder."gitea/authelia/password"}
+            GITEA_ADMIN_PASSWORD=${hmConfig.sops.placeholder."gitea/admin"}
           '';
 
           gitea.content = builtins.readFile (
@@ -204,30 +206,32 @@ in
         };
 
         containers = {
-          gitea =
-            let
-              entrypoint = pkgs.writeTextFile {
-                name = "entrypoint.sh";
-                executable = true;
-                text = builtins.readFile ./entrypoint.sh;
-              };
-            in
-            {
+          gitea = {
             containerConfig = {
               image = "docker-archive:${selfPkgs.docker-gitea}";
               networks = [
                 networks.gitea.ref
                 networks.traefik.ref
               ];
-                volumes = [
+              volumes =
+                let
+                  preStart = pkgs.writeTextFile {
+                    name = "pre-start.sh";
+                    executable = true;
+                    text = builtins.readFile ./pre-start.sh;
+                  };
+                in
+                [
                   "${volumes.gitea.ref}:/var/lib/gitea/data"
                   "/mnt/storage/private/storm/containers/storage/volumes/gitea-lfs/_data:/var/lib/gitea/data/lfs"
                   "${hmConfig.sops.templates.gitea.path}:/etc/gitea/app.ini:ro"
-                  "${entrypoint}:/entrypoint.sh:ro"
+                  "${preStart}:/etc/gitea/pre-start.sh:ro"
                 ];
-                environments.GITEA_OAUTH_KEY = autheliaClientId;
+              environments = {
+                GITEA_OAUTH_KEY = autheliaClientId;
+                GITEA_ADMIN_EMAIL = "jupiter@karaolidis.com";
+              };
               environmentFiles = [ hmConfig.sops.templates.gitea-env.path ];
-                entrypoint = "/entrypoint.sh";
               labels = [
                 "traefik.enable=true"
                 "traefik.http.routers.gitea.rule=Host(`git.karaolidis.com`)"

hosts/jupiter/users/storm/configs/console/podman/gitea/entrypoint.sh

@@ -1,17 +0,0 @@
-#!/bin/sh
-
-gitea migrate -c /etc/gitea/app.ini
-
-gitea admin auth add-oauth \
-  -c /etc/gitea/app.ini \
-  --name=authelia \
-  --provider=openidConnect \
-  --key="$GITEA_OAUTH_KEY" \
-  --secret="$GITEA_OAUTH_SECRET" \
-  --auto-discover-url=https://id.karaolidis.com/.well-known/openid-configuration \
-  --scopes='openid email profile groups' \
-  --skip-local-2fa \
-  --group-claim-name=groups \
-  --admin-group=admin 2>&1 || true
-
-exec gitea web -c /etc/gitea/app.ini

hosts/jupiter/users/storm/configs/console/podman/gitea/pre-start.sh

@@ -0,0 +1,44 @@
+# shellcheck shell=sh
+
+authelia_id="$(gitea admin -c /etc/gitea/app.ini auth list | awk '$2 == "authelia" { print $1 }')"
+
+if [ -z "${authelia_id:-}" ]; then
+  gitea admin auth add-oauth \
+    -c /etc/gitea/app.ini \
+    --name=authelia \
+    --provider=openidConnect \
+    --key="$GITEA_OAUTH_KEY" \
+    --secret="$GITEA_OAUTH_SECRET" \
+    --auto-discover-url=https://id.karaolidis.com/.well-known/openid-configuration \
+    --scopes='openid email profile groups' \
+    --skip-local-2fa \
+    --group-claim-name=groups \
+    --admin-group=admin
+else
+  gitea admin auth update-oauth \
+    -c /etc/gitea/app.ini \
+    --id="$authelia_id" \
+    --name=authelia \
+    --provider=openidConnect \
+    --key="$GITEA_OAUTH_KEY" \
+    --secret="$GITEA_OAUTH_SECRET" \
+    --auto-discover-url=https://id.karaolidis.com/.well-known/openid-configuration \
+    --scopes='openid email profile groups' \
+    --skip-local-2fa \
+    --group-claim-name=groups \
+    --admin-group=admin
+fi
+
+admin="$(gitea admin -c /etc/gitea/app.ini user list | awk '$2 == "admin" { print $2 }')"
+
+if [ -z "${admin:-}" ]; then
+  gitea admin user create \
+    -c /etc/gitea/app.ini \
+    --username="admin" \
+    --password="$GITEA_ADMIN_PASSWORD" \
+    --email="$GITEA_ADMIN_EMAIL" \
+    --admin \
+    --must-change-password=false
+fi
+
+exec gitea web -c /etc/gitea/app.ini

packages/docker/gitea/default.nix

@@ -1,4 +1,12 @@
 { pkgs, ... }:
+let
+  entrypoint = pkgs.writeTextFile {
+    name = "entrypoint";
+    executable = true;
+    destination = "/bin/entrypoint";
+    text = builtins.readFile ./entrypoint.sh;
+  };
+in
 pkgs.dockerTools.buildImage {
   name = "gitea";
   fromImage = import ../base { inherit pkgs; };
@@ -6,6 +14,7 @@ pkgs.dockerTools.buildImage {
   copyToRoot = pkgs.buildEnv {
     name = "root";
     paths = with pkgs; [
+      entrypoint
       gitea
       git
     ];
@@ -13,12 +22,7 @@ pkgs.dockerTools.buildImage {
   };
 
   config = {
-    Entrypoint = [ "gitea" ];
-    Cmd = [
-      "web"
-      "-c"
-      "/etc/gitea/app.ini"
-    ];
+    Entrypoint = [ "entrypoint" ];
     ExposedPorts = {
       "3000/tcp" = { };
     };

packages/docker/gitea/entrypoint.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env sh
+
+set -o errexit
+set -o nounset
+
+gitea migrate -c /etc/gitea/app.ini
+
+if [ -f /etc/gitea/pre-start.sh ]; then
+  # shellcheck disable=SC1091
+  . /etc/gitea/pre-start.sh
+fi
+
+exec gitea web -c /etc/gitea/app.ini "$@"