Match environment input to mirror Gitea's #6

Merged 5 commits, Feb 27, 2023
12 changes: 12 additions & 0 deletions README.md
@@ -1,2 +1,14 @@
# bids-hook
Tiny CI server to run bids-validator using Gitea webhooks


## Deployment

Results are placed in `%(GITEA_CUSTOM)/public/bids-validator/`;
this folder needs to be writable (and ideally created first and owned)
by the user running this daemon.

It assumes the URL `%(ROOT_URL)s/static/assets/` loads from
Gitea's `%(GITEA_CUSTOM)/public/`; it is **not** compatible
with configuring Gitea's `%(STATIC_URL_PREFIX)` so that
static files are hosted on a different server or CDN.
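Review bot: the path stated in the Deployment section does not match the code in this PR: the README says results go to `%(GITEA_CUSTOM)/public/bids-validator/`, while `resultPath()` joins `giteaCustom`, `"public"` and `<uuid>.html`, and `readConfig()` only creates `public/`, so there is no `bids-validator/` subdirectory anywhere in the Go changes. Either add the subdirectory to both `resultPath()` and the `MkdirAll` call or drop it from the README. The placeholder syntax is also inconsistent: `%(ROOT_URL)s` carries Gitea's trailing `s`, `%(GITEA_CUSTOM)` and `%(STATIC_URL_PREFIX)` do not.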
26 changes: 11 additions & 15 deletions bids-hook.go
@@ -52,12 +52,11 @@ var (
// can be generated from a gitea admin account under "Settings" -> "Applications"
giteaToken []byte

// the path to Gitea's static assets directory
// read from environment variable GITEA_PUBLIC_PATH
// the path to Gitea's custom/ directory
// read from environment variable GITEA_CUSTOM
// used to save job result pages
// it should already exist
// should end with "/custom/public"
giteaPublicPath string
// see https://docs.gitea.io/en-us/config-cheat-sheet/#default-configuration-non-appini-configuration
giteaCustom string

// executable run by the worker for each accepted job
// read from environment variable WORKER_SCRIPT
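Review bot: the new doc comment on `giteaCustom` drops "it should already exist" but does not say who creates the output directory now; since `readConfig()` in this PR calls `MkdirAll` on `<GITEA_CUSTOM>/public`, state that here (e.g. `// the public/ subfolder is created on startup if missing`), and note that the value has to resolve to the same directory Gitea itself uses, because Gitea's default for it depends on Gitea's work dir and binary location, not on anything this daemon can see.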
@@ -286,7 +285,7 @@ func (j job) resultUrl() string {
// file path to the results page for this job
// see also j.resultUrl()
func (j job) resultPath() string {
return filepath.Join(giteaPublicPath, fmt.Sprintf("%s.html", j.uuid))
return filepath.Join(giteaCustom, "public", fmt.Sprintf("%s.html", j.uuid))
}

// file path to the log file for this job
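Review bot: `resultPath()` now hardcodes the `"public"` segment a second time (the same literal appears in the `MkdirAll` call in `readConfig()`), and `resultUrl()` directly above has to agree with it; pull the subpath into one package-level constant so the file location, the directory created at startup and the published URL cannot drift apart in later edits.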
@@ -457,20 +456,17 @@ func readConfig() {
}
giteaToken = []byte(val)

val, ok = os.LookupEnv("GITEA_PUBLIC_PATH")
val, ok = os.LookupEnv("GITEA_CUSTOM")
if !ok {
log.Fatal("missing environment variable GITEA_PUBLIC_PATH")
log.Fatal("missing environment variable GITEA_CUSTOM")
}
giteaPublicPath, err = filepath.Abs(val)
giteaCustom, err = filepath.Abs(val)
if err != nil {
log.Fatalf("invalid GITEA_PUBLIC_PATH: %v", err)
log.Fatalf("invalid GITEA_CUSTOM: %v", err)
}
info, err = os.Stat(giteaPublicPath)
err = os.MkdirAll(filepath.Join(giteaCustom, "public"), 0750)
if err != nil {
log.Fatalf("error opening GITEA_PUBLIC_PATH: %v", err)
}
if !info.IsDir() {
log.Fatal("GITEA_PUBLIC_PATH is not a directory")
log.Fatalf("error creating output folder: %v", err)
}

val, ok = os.LookupEnv("WORKER_SCRIPT")
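Review bot: `os.MkdirAll(filepath.Join(giteaCustom, "public"), 0750)` also creates `giteaCustom` itself when it does not exist, so a mistyped `GITEA_CUSTOM` no longer fails the way the removed `os.Stat` / `IsDir()` check made it fail; it silently produces an empty tree that Gitea never serves. Keep a stat of `giteaCustom` before the `MkdirAll` and only create `public/` below it. Also check the `0750` mode against the README's note about ownership: Gitea has to traverse this directory to serve the result pages, so unless the daemon runs as Gitea's user or shares its group, the pages will be written but never reachable.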
13 changes: 11 additions & 2 deletions start
@@ -1,14 +1,23 @@
#!/bin/bash

set -e

# this replicates the default location logic from https://docs.gitea.io/en-us/config-cheat-sheet/
# any setting can be overridden just by setting its variable before calling this script
: ${GITEA_APP_PATH:=../gitea/gitea}
Member Author
This is awkward!

In our deployments, this will be /srv/gitea/gitea. On my dev machine I have ~/src/gitea/ and ~/src/bids-hook.

I don't know. Maybe this should be a mandatory input? But then again, if you are on a server where you're explicitly setting GITEA_CUSTOM for gitea, you can also set it for bids-hook and then GITEA_APP_PATH is irrelevant.

Member

I realize now that I didn't mention this before, but: the start script is meant to disappear from the repo at some point! It's just scaffolding for manual, local testing on my own machine (or yours!) while we develop a v1. Hence all the hardcoded values and dummy secret and token.

So actual deployment situations are out of scope for this file.

Member Author

That makes sense. In that case, the part that mirrors Gitea's defaults logic should probably make its way into Go instead of shell. I could probably copy it straight out of their codebase.

And the environment variables that remain would migrate to a systemd .service file? Is it weird to put credentials in a .service file?

Member

It looks like systemd has a whole system in place for credentials. According to System and Service Credentials:

Within unit files, there are four settings to configure service credentials.

  1. LoadCredential= may be used to load a credential from disk, from an AF_UNIX socket, or propagate them from a system credential.
  2. SetCredential= may be used to set a credential to a literal string encoded in the unit file. Because unit files are world-readable (both on disk and via D-Bus), this should only be used for credentials that aren’t sensitive, i.e. public keys/certificates – but not private keys.
  3. LoadCredentialEncrypted= is similar to LoadCredential= but will load an encrypted credential, and decrypt it before passing it to the service. For details on credential encryption, see below.
  4. SetCredentialEncrypted= is similar to SetCredential= but expects an encrypted credential to be specified literally. Unlike SetCredential= it is thus safe to be used even for sensitive information, because even though unit files are world readable, the ciphertext included in them cannot be decoded unless access to TPM2/encryption key is available.

So, systemd wants to make credentials available as files, and currently bids-hook wants to accept credentials as environment variables. I guess I can change the environment variable to contain a path to the secret, rather than the secret itself, and that should be sufficiently flexible for manual testing and also for systemd-controlled execution.

: ${GITEA_WORK_DIR:="$(dirname "$GITEA_APP_PATH")"}

: ${GITEA_CUSTOM:="$GITEA_WORK_DIR/custom"}

export GITEA_CUSTOM

# 127.0.0.1 is localhost, and 2845 is 0xB1D
export BIDS_HOOK_URL='http://127.0.0.1:2845/bids-hook'
export BIDS_HOOK_SECRET='blabla'

export GITEA_ROOT_URL='http://127.0.0.1:3000'
export GITEA_TOKEN='69e45fa9cfa75a7497633c6be8dd2347226e2f62'

export GITEA_PUBLIC_PATH='./custom/public'

export WORKER_SCRIPT='./worker'
export WORKER_LOG_PATH='./log'
export WORKER_QUEUE_CAPACITY=20
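Review bot: `export GITEA_PUBLIC_PATH='./custom/public'` is still shown next to the new `GITEA_CUSTOM` export, but `readConfig()` in this PR only looks up `GITEA_CUSTOM`, so if that line is not one of this hunk's two deletions it is dead and should go. Since the thread above says the secret and token in this file are dummies for local testing, a one-line comment saying so next to `BIDS_HOOK_SECRET` and `GITEA_TOKEN` would keep them from being copied into a real deployment.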
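The migration discussed in the thread above (an environment variable that holds a path to the secret, plus systemd's credential directory), as an added Go example that is not bids-hook's own code: `readSecret`, the `GITEA_TOKEN_FILE` variable name and the `gitea-token` credential name are assumptions; `CREDENTIALS_DIRECTORY` is the variable systemd sets for `LoadCredential=`.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
)

// readSecret returns the secret called credName. Assumed lookup order
// (not what bids-hook does today):
//  1. $CREDENTIALS_DIRECTORY/<credName>, the file systemd creates for a
//     LoadCredential= / LoadCredentialEncrypted= setting;
//  2. otherwise the file whose path is in the environment variable envVar.
// Trailing newlines are stripped so `echo token > file` works, and an
// empty secret is rejected so a broken unit fails at startup rather than
// at the first webhook.
func readSecret(envVar, credName string) ([]byte, error) {
	var path string
	if dir := os.Getenv("CREDENTIALS_DIRECTORY"); dir != "" {
		path = filepath.Join(dir, credName)
	} else if p := os.Getenv(envVar); p != "" {
		path = p
	} else {
		return nil, fmt.Errorf("no credential %q and %s is unset", credName, envVar)
	}
	info, err := os.Stat(path)
	if err != nil {
		return nil, fmt.Errorf("secret %s: %w", credName, err)
	}
	// Refuse world-readable files: the point of taking the secret out of the
	// environment and the unit file is that only the service user can read it.
	if info.Mode().Perm()&0o004 != 0 {
		return nil, fmt.Errorf("secret file %s is world-readable (%v)", path, info.Mode().Perm())
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("secret %s: %w", credName, err)
	}
	data = bytes.TrimRight(data, "\r\n")
	if len(data) == 0 {
		return nil, fmt.Errorf("secret file %s is empty", path)
	}
	return data, nil
}
```

Under systemd the unit would carry `LoadCredential=gitea-token:/etc/bids-hook/gitea-token` (an assumed path) and no environment variable at all; for manual runs `GITEA_TOKEN_FILE=./secrets/gitea-token` replaces the literal token in `start`.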