From e09f9d596a88197f8ce4f2557891ef722ca1916a Mon Sep 17 00:00:00 2001 From: Dan Date: Fri, 24 May 2024 10:43:26 -0400 Subject: [PATCH] make env ephemeral, update gitea --- .env | 137 ++++++++++++++++++++++++++++++- config/app.ini | 187 ------------------------------------------ docker-compose.yml | 29 ++++--- wacs-gitea/Dockerfile | 25 +++++- 4 files changed, 173 insertions(+), 205 deletions(-) delete mode 100644 config/app.ini diff --git a/.env b/.env index fac8990..339ca05 100644 --- a/.env +++ b/.env @@ -9,8 +9,8 @@ MARIADB_INNODB_BUFFER_POOL_SIZE=512M IMAGE_TAG=local EXTERNAL_DATA_BOOL=false -# Gitea app.ini overrides -GITEA__DEFAULT__RUN_MODE=dev +# Gitea app.ini env settings that are included in the docker-compose so they can be overridden via cli env vars +GITEA____RUN_MODE=dev GITEA__server__DOMAIN=localhost:3000 GITEA__server__SSH_DOMAIN=localhost GITEA__server__SSH_PORT=222 
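Review bot: The rename of `GITEA__DEFAULT__RUN_MODE` to `GITEA____RUN_MODE` is not mirrored in docker-compose.yml, whose `environment:` list still passes `- GITEA__DEFAULT__RUN_MODE=${GITEA__DEFAULT__RUN_MODE}` (visible as context in the compose hunk below); with the variable gone from .env, compose substitutes an empty string and warns, and which value Gitea finally applies for RUN_MODE then depends on the order in which environment-to-ini processes the two variables — worth confirming rather than assuming `dev`. Change the compose entry to `- GITEA____RUN_MODE=${GITEA____RUN_MODE}` or drop it now that the whole file is also loaded through `env_file`. The new comment would also help a reader if it said which parser the file is written for, since this hunk uses `KEY=value` while the lines added further down use `KEY = value`.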
@@ -27,5 +27,138 @@ GITEA__mailer__SMTP_PORT=587 GITEA__mailer__USER=user GITEA__mailer__PASSWD=password GITEA__mailer__FROM=fake@example.com +GITEA__service__CAPTCHA_TYPE=image +GITEA__service__CF_TURNSTILE_SECRET="" +GITEA__service__CF_TURNSTILE_SITEKEY="" # placeholder value to prevent app.ini changes GITEA__oauth2__JWT_SECRET=aly-OATZJDzlFTeDU8j6sD1r9ykUSBWo7Mzyem01Iko + +# [default] +GITEA____APP_NAME="Wycliffe Associates Content Service" +GITEA____WORK_PATH=/var/lib/gitea + +# [repository] +GITEA__repository__ROOT = /var/lib/gitea/git/repositories +GITEA__repository__DEFAULT_PRIVATE = public +GITEA__repository__MAX_CREATION_LIMIT = 2000 +GITEA__repository__DISABLE_HTTP_GIT = false + +# [repository.upload] +GITEA__repository_0X2E_upload__ENABLED = true +GITEA__repository_0X2E_upload__TEMP_PATH = /var/lib/gitea/data/tmp/uploads +GITEA__repository_0X2E_upload__ALLOWED_TYPES = image/jpeg|image/png|image/gif|application/pdf|.txt|text/plain|text/csv|.usfm|text/usfm|text/x-usfm|text/usfm3|.md|.markdown|text/markdown|text/x-markdown|.yaml|.yml|text/x-yaml|application/x-yaml|text/yaml|text/vnd.yaml +GITEA__repository_0X2E_upload__FILE_MAX_SIZE = 10 +GITEA__repository_0X2E_upload__MAX_FILES = 10 + +# [cors] +GITEA__cors__ENABLED = true +GITEA__cors__ALLOW_DOMAIN = * + +# [ui] +GITEA__ui__SHOW_USER_EMAIL = false +GITEA__ui__DEFAULT_THEME = gitea +GITEA__ui__THEMES = gitea + +# [ui.meta] +GITEA__ui_0X2E_meta__AUTHOR = Wycliffe Associates and many volunteers +GITEA__ui_0X2E_meta__DESCRIPTION = An online repository for open-licensed Biblical content in any language +GITEA__ui_0X2E_meta__KEYWORDS = bible,translation + +# [server] +GITEA__server__APP_DATA_PATH = /var/lib/gitea/data +GITEA__server__PROTOCOL = http +GITEA__server__ROOT_URL = https://%(DOMAIN)s/ +GITEA__server__HTTP_ADDR = 0.0.0.0 +GITEA__server__HTTP_PORT = 3000 +GITEA__server__REDIRECT_OTHER_PORT = false +GITEA__server__PORT_TO_REDIRECT = 80 +GITEA__server__UNIX_SOCKET_PERMISSION = 666 
+GITEA__server__DISABLE_SSH = false +GITEA__server__START_SSH_SERVER = true +GITEA__server__BUILTIN_SSH_SERVER_USER = git +GITEA__server__SSH_LISTEN_HOST = 0.0.0.0 +GITEA__server__SSH_LISTEN_PORT = 222 +GITEA__server__SSH_SERVER_HOST_KEYS = /var/lib/gitea/data/ssh/gogs.rsa +GITEA__server__SSH_ROOT_PATH = /home/git/.ssh +GITEA__server__SSH_EXPOSE_ANONYMOUS = false +GITEA__server__OFFLINE_MODE = false +GITEA__server__LFS_START_SERVER = false + +# [database] +GITEA__database__DB_TYPE = mysql + +# [indexer] +GITEA__indexer__ISSUE_INDEXER_PATH = /var/lib/gitea/data/indexers/issues.queue + +# [security] +GITEA__security__INSTALL_LOCK = true +GITEA__security__MIN_PASSWORD_LENGTH = 6 + +# [service] +GITEA__service__DISABLE_REGISTRATION = false +GITEA__service__ENABLE_NOTIFY_MAIL = true +GITEA__service__ENABLE_CAPTCHA = true +GITEA__service__DEFAULT_ENABLE_TIMETRACKING = false +GITEA__service__NO_REPLY_ADDRESS = noreply.example.org +GITEA__service__ENABLE_USER_HEATMAP = false + +# [queue] +GITEA__queue__DATADIR = /var/lib/gitea/data/queues + +# [webhook] +GITEA__webhook__DELIVER_TIMEOUT = 60 + +# [mailer] +GITEA__mailer__SUBJECT_PREFIX = WACS + +# [picture] +GITEA__picture__AVATAR_UPLOAD_PATH = /var/lib/gitea/data/avatars + +# [attachment] +GITEA__attachment__ENABLED = true +GITEA__attachment__PATH = /var/lib/gitea/data/attachments +GITEA__attachment__ALLOWED_TYPES = image/jpeg|image/png|image/gif +GITEA__attachment__MAX_SIZE = 4 +GITEA__attachment__MAX_FILES = 5 + +# [log] +GITEA__log__ROOT_PATH = /var/lib/gitea/log +GITEA__log__MODE = console +GITEA__log__LEVEL = Info +GITEA__log__logger.access.MODE = console + +# [cron] +GITEA__cron__ENABLED = true +GITEA__cron__RUN_AT_START = false + +# [cron.update_mirrors] +GITEA__cron_0X2E_update_mirrors__SCHEDULE = @every 4h + +# [cron.repo_health_check] +GITEA__cron_0X2E_repo_health_check__SCHEDULE = @every 24h +GITEA__cron_0X2E_repo_health_check__TIMEOUT = 60s + +# [cron.check_repo_stats] 
+GITEA__cron_0X2E_check_repo_stats__RUN_AT_START = true +GITEA__cron_0X2E_check_repo_stats__SCHEDULE = @every 24h + +# [cron.archive_cleanup] +GITEA__cron_0X2E_archive_cleanup__ENABLED = true +GITEA__cron_0X2E_archive_cleanup__RUN_AT_START = true +GITEA__cron_0X2E_archive_cleanup__SCHEDULE = @every 24h +GITEA__cron_0X2E_archive_cleanup__OLDER_THAN = 24h + +# [cron.sync_external_users] +GITEA__cron_0X2E_sync_external_users__RUN_AT_START = false +GITEA__cron_0X2E_sync_external_users__SCHEDULE = @every 24h +GITEA__cron_0X2E_sync_external_users__UPDATE_EXISTING = true + +# [git] +GITEA__git__MAX_GIT_DIFF_LINES = 3000 + +# [ssh.minimum_key_sizes] +GITEA__ssh_0X2E_minimum_key_sizes__RSA = 1024 + +# [other] +GITEA__other__SHOW_FOOTER_VERSION = false +GITEA__other__SHOW_FOOTER_TEMPLATE_LOAD_TIME = false diff --git a/config/app.ini b/config/app.ini deleted file mode 100644 index fa9202b..0000000 --- a/config/app.ini +++ /dev/null 
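Review bot: Several values carried over from the deleted app.ini weaken the security posture without a comment saying why: `GITEA__cors__ALLOW_DOMAIN = *` replaces the previous `https://*.example.com`, so any origin is now allowed, and `GITEA__ssh_0X2E_minimum_key_sizes__RSA = 1024` halves the old `RSA = 2048` minimum, accepting RSA keys that are generally considered too weak today. The `GITEA__oauth2__JWT_SECRET` value is a real-looking secret committed to the repository (it was in app.ini too), and `SECRET_KEY` and `INTERNAL_TOKEN` from app.ini get no env counterpart at all; a secret that has been in git should be rotated, and, since /config/app.ini is not on a volume, whatever Gitea generates for the missing keys at first start will presumably not survive a container recreate — confirm that against Gitea's behaviour and document it next to `GITEA__security__INSTALL_LOCK`. If the wildcard CORS and 1024-bit RSA are only meant for local development, keep `https://*.example.com` and `2048` as the committed defaults and override them per environment. The new lines also use `KEY = value` with spaces around `=` while the existing lines use `KEY=value`; whether an env-file parser tolerates the padding is implementation-specific, so normalise to `KEY=value`.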
@@ -1,187 +0,0 @@ -WORK_PATH = /var/lib/gitea - -[default] -APP_NAME = Wycliffe Associates Content Service -RUN_MODE = dev -WORK_PATH = /var/lib/gitea - -[repository] -ROOT = /var/lib/gitea/git/repositories -DEFAULT_PRIVATE = public -MAX_CREATION_LIMIT = 2000 -DISABLE_HTTP_GIT = false - -[repository.upload] -ENABLED = true -TEMP_PATH = /var/lib/gitea/data/tmp/uploads -ALLOWED_TYPES = image/jpeg|image/png|image/gif|application/pdf|.txt|text/plain|text/csv|.usfm|text/usfm|text/x-usfm|text/usfm3|.md|.markdown|text/markdown|text/x-markdown|.yaml|.yml|text/x-yaml|application/x-yaml|text/yaml|text/vnd.yaml -FILE_MAX_SIZE = 10 -MAX_FILES = 10 - -[cors] -ENABLED = true -ALLOW_DOMAIN = "https://*.example.com" - -[ui] -SHOW_USER_EMAIL = false -DEFAULT_THEME = gitea -THEMES = gitea - -[ui.meta] -AUTHOR = Wycliffe Associates and many volunteers -DESCRIPTION = An online repository for open-licensed Biblical content in any language -KEYWORDS = bible,translation - -[server] -APP_DATA_PATH = /var/lib/gitea/data -PROTOCOL = http -DOMAIN = localhost:3000 -ROOT_URL = https://%(DOMAIN)s/ -HTTP_ADDR = 0.0.0.0 -HTTP_PORT = 3000 -REDIRECT_OTHER_PORT = false -PORT_TO_REDIRECT = 80 -UNIX_SOCKET_PERMISSION = 666 -DISABLE_SSH = false -START_SSH_SERVER = true -BUILTIN_SSH_SERVER_USER = git -SSH_DOMAIN = localhost -SSH_LISTEN_HOST = 0.0.0.0 -SSH_PORT = 222 -SSH_LISTEN_PORT = 222 -SSH_SERVER_HOST_KEYS = /var/lib/gitea/data/ssh/gogs.rsa -SSH_ROOT_PATH = /home/git/.ssh -SSH_EXPOSE_ANONYMOUS = false -OFFLINE_MODE = false -DISABLE_ROUTER_LOG = false -LFS_START_SERVER = false - -[database] -DB_TYPE = mysql -HOST = db -NAME = gitea -USER = gitea -PASSWD = gitea -LOG_SQL = true - -[indexer] -ISSUE_INDEXER_PATH = /var/lib/gitea/data/indexers/issues.queue -REPO_INDEXER_ENABLED = false - -[security] -INSTALL_LOCK = true -SECRET_KEY = giteasecretkey -MIN_PASSWORD_LENGTH = 6 -IMPORT_LOCAL_PATHS = false -DISABLE_GIT_HOOKS = false -INTERNAL_TOKEN = giteainternaltoken - -[openid] -ENABLE_OPENID_SIGNIN = true 
-WHITELISTED_URIS = -BLACKLISTED_URIS = - -[service] -REGISTER_EMAIL_CONFIRM = false -DISABLE_REGISTRATION = false -ENABLE_NOTIFY_MAIL = true -ENABLE_CAPTCHA = true -DEFAULT_KEEP_EMAIL_PRIVATE = false -DEFAULT_ENABLE_TIMETRACKING = false -NO_REPLY_ADDRESS = noreply.example.org -ENABLE_USER_HEATMAP = false - -[queue] -DATADIR = /var/lib/gitea/data/queues - -[webhook] -DELIVER_TIMEOUT = 60 - -; This all changes in 1.18 -[mailer] -ENABLED = false -SUBJECT = %(APP_NAME)s -SMTP_ADDR = localhost -SMTP_PORT = 587 -DISABLE_HELO = -HELO_HOSTNAME = -SKIP_VERIFY = -USE_CERTIFICATE = false -CERT_FILE = custom/mailer/cert.pem -KEY_FILE = custom/mailer/key.pem -FROM = fake@example.com -USER = user -PASSWD = password -SEND_AS_PLAIN_TEXT = false - -[picture] -AVATAR_UPLOAD_PATH = /var/lib/gitea/data/avatars -GRAVATAR_SOURCE = gravatar -DISABLE_GRAVATAR = false - -[attachment] -ENABLED = true -PATH = /var/lib/gitea/data/attachments -ALLOWED_TYPES = image/jpeg|image/png|image/gif -MAX_SIZE = 4 -MAX_FILES = 5 - -[log] -ROOT_PATH = /var/lib/gitea/log -MODE = console -BUFFER_LEN = 10000 -LEVEL = Info -REDIRECT_MACARON_LOG = true -ROUTER_LOG_LEVEL = Debug -logger.access.MODE = console - -[cron] -ENABLED = true -RUN_AT_START = false - -[cron.update_mirrors] -SCHEDULE = @every 4h - -[cron.repo_health_check] -SCHEDULE = @every 24h -TIMEOUT = 60s - -[cron.check_repo_stats] -RUN_AT_START = true -SCHEDULE = @every 24h - -[cron.archive_cleanup] -ENABLED = true -RUN_AT_START = true -SCHEDULE = @every 24h -OLDER_THAN = 24h - -[cron.sync_external_users] -RUN_AT_START = false -SCHEDULE = @every 24h -UPDATE_EXISTING = true - -[git] -DISABLE_DIFF_HIGHLIGHT = false -MAX_GIT_DIFF_LINES = 3000 - -[api] -ENABLE_SWAGGER = true -MAX_RESPONSE_ITEMS = 50 - -[other] -SHOW_FOOTER_VERSION = false -SHOW_FOOTER_TEMPLATE_LOAD_TIME = true - -[markup.asciidoc] -ENABLED = false -FILE_EXTENSIONS = .adoc,.asciidoc -RENDER_COMMAND = asciidoc --out-file=- - -IS_INPUT_FILE = false - -[oauth2] -ENABLE = true -JWT_SECRET = 
aly-OATZJDzlFTeDU8j6sD1r9ykUSBWo7Mzyem01Iko - -[ssh.minimum_key_sizes] -RSA = 2048 \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index 6470d76..57443ce 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -6,15 +6,13 @@ services: user: 1001:1002 restart: unless-stopped volumes: - - ./gitea_data:/var/lib/gitea + - gitea_data:/var/lib/gitea - /etc/timezone:/etc/timezone:ro - /etc/localtime:/etc/localtime:ro - - ./config:/etc/gitea + - gitea-config:/etc/gitea ports: - "3000:3000" - "222:222" - networks: - - backend environment: - GITEA__DEFAULT__RUN_MODE=${GITEA__DEFAULT__RUN_MODE} - GITEA__server__DOMAIN=${GITEA__server__DOMAIN} @@ -34,15 +32,20 @@ services: - GITEA__mailer__PASSWD=${GITEA__mailer__PASSWD} - GITEA__mailer__FROM=${GITEA__mailer__FROM} - GITEA__oauth2__JWT_SECRET=${GITEA__oauth2__JWT_SECRET} + - GITEA__service__CAPTCHA_TYPE=${GITEA__service__CAPTCHA_TYPE} + - GITEA__service__CF_TURNSTILE_SECRET=${GITEA__service__CF_TURNSTILE_SECRET} + - GITEA__service__CF_TURNSTILE_SITEKEY=${GITEA__service__CF_TURNSTILE_SITEKEY} + env_file: + - .env depends_on: db: condition: service_healthy - # healthcheck: - # test: ["CMD", "curl", "-f", "http://localhost:3000/api/healthz"] - # interval: 5s - # timeout: 5s - # retries: 10 - # start_period: 10s + healthcheck: + test: ["CMD", "curl", "-f", "http://localhost:3000/api/healthz"] + interval: 5s + timeout: 5s + retries: 10 + start_period: 10s db: image: mariadb:10.11 @@ -55,8 +58,6 @@ services: - MARIADB_DATABASE=${MARIADB_DATABASE} ports: - 3306:3306 - networks: - - backend volumes: - db_data:/var/lib/mysql healthcheck: @@ -67,7 +68,5 @@ services: volumes: gitea_data: + gitea-config: db_data: - -networks: - backend: \ No newline at end of file diff --git a/wacs-gitea/Dockerfile b/wacs-gitea/Dockerfile index 15205c8..bb56768 100644 --- a/wacs-gitea/Dockerfile +++ b/wacs-gitea/Dockerfile 
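Review bot: `env_file: - .env` loads the entire .env into the gitea container, not just the `GITEA__*` keys, so the `MARIADB_*` settings the db service reads from the same file (and presumably its database passwords, which are not shown in this diff) also land in the gitea process environment where they are not needed; put the Gitea settings in their own file, e.g. `env_file: - gitea.env`, and keep the database credentials out of it. Compose gives `environment:` precedence over `env_file`, so the duplicated `GITEA__*` entries still win and the `${…}` substitutions remain the only shell-override path — a one-line comment above `env_file` stating that would save the next reader working it out. The re-enabled healthcheck runs `curl` inside the container, which only works if the rootless gitea image ships it; confirm, since a missing binary leaves the service permanently unhealthy.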
@@ -15,7 +15,30 @@ RUN go build -o localeMerger RUN /merge-locale/localeMerger FROM gitea/gitea:${GITEA_VERSION}-rootless +USER root +RUN deluser \ + git && \ + addgroup \ + -S -g 1002 \ + git && \ + adduser \ + -S -H -D \ + -h /var/lib/gitea/git \ + -s /bin/bash \ + -u 1001 \ + -G git \ + git +# create the dirs that gitea needs and make our user owner. /config is where the gitea config file will live. +RUN mkdir -p /var/lib/gitea /etc/gitea /config +RUN chown git:git /var/lib/gitea /etc/gitea /config + +# git:git +USER 1001:1002 + +# The parent image makes /etc/gitea a volume. We don't want to store the config in a volume, so we put it in /config +# The docker-compose.yml should have a gitea-config volume mapped to /etc/gitea, but there won't be anything in it. +ENV GITEA_APP_INI /config/app.ini ENV GITEA_CUSTOM=/custom # This ENV is functional, but it is here as an example of what the value should be at runtime ENV READER_BASE_LINK=https://read-dev.bibleineverylanguage.org/ @@ -26,7 +49,7 @@ COPY --chown=1001:1002 ./custom/templates /custom/templates COPY --chown=1001:1002 ./custom/public /custom/public # dumb-init for clean startup and shutdown as per the parent image. -# Startup is done this way to still use dumb-init like the partent image; this is how dumb-init suggests to do it. +# Startup is done this way to still use dumb-init like the parent image; this is how dumb-init suggests to do it. ENTRYPOINT ["/usr/bin/dumb-init", "--"] # Cat feeds the extra_tabs.tmpl file into envsubst
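Review bot: `ENV GITEA_APP_INI /config/app.ini` points Gitea at a path inside the container's writable layer, so anything Gitea writes to that file itself at first start (for example generated values for keys the config no longer supplies, such as SECRET_KEY and INTERNAL_TOKEN) is lost whenever the container is recreated; if that is what "ephemeral" intends, extend the comment above the line to say so and state that every such key must be supplied through the environment — please confirm against Gitea's documented behaviour. The line also uses the legacy space-separated `ENV` form while the next line uses `ENV GITEA_CUSTOM=/custom`; write it as `ENV GITEA_APP_INI=/config/app.ini` so both agree and the build stops warning. The `chown git:git` is non-recursive, which is fine for three freshly created directories but would silently leave any pre-existing contents of /var/lib/gitea or /etc/gitea from the parent image owned by the old uid — confirm those are empty in the base image.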