From dd3ea726dba7b5c8eebc772355949303d70018dc Mon Sep 17 00:00:00 2001
From: Amar Saljic
Date: Sun, 2 Nov 2025 11:45:24 +0100
Subject: [PATCH] made changes in order to make gitea work
---
homelab/applications/README.md | 9 +++++
homelab/applications/gitea/README.md | 34 +++++++++++++++++++
homelab/applications/gitea/compose.yml | 40 +++++++++++++++--------
homelab/applications/gitea/start.sh | 12 +++++++
homelab/applications/postgres/compose.yml | 37 ++++++++++++---------
5 files changed, 102 insertions(+), 30 deletions(-)
create mode 100644 homelab/applications/README.md
create mode 100644 homelab/applications/gitea/README.md
create mode 100644 homelab/applications/gitea/start.sh
diff --git a/homelab/applications/README.md b/homelab/applications/README.md
new file mode 100644
index 0000000..4a248e5
--- /dev/null
+++ b/homelab/applications/README.md
@@ -0,0 +1,9 @@
+# NAxS Homelab
+Prerequisites:
+- Create a default network called homelab
+```
+docker network create homelab
+```
+
+// TODO: Create template script
+Template script which helps with setting up new applications (asks for potential secrets needs, adds default network to compose file, creates new users/groups to run containers rootless)
\ No newline at end of file
diff --git a/homelab/applications/gitea/README.md b/homelab/applications/gitea/README.md
new file mode 100644
index 0000000..b94e610
--- /dev/null
+++ b/homelab/applications/gitea/README.md
@@ -0,0 +1,34 @@
+// TODO: refactor for gitea
+# Gitea
+## Set up database
+- Create database called `gitea`
+- Create database user called `gitea` incl. password
+- Store database credentials in 1Password
+
+## Set up non-root user for container
+We are providing a non-root user to the container to limit the attack surface for privilege escalations. In order for this to work in our setup, please make sure to check if you have a user called `gitea-user` & group called `gitea-group` set up.
+
+1. Check if user `postgres` exists and if the UID is 1002
+
+```
+cat /etc/passwd | grep gitea
+```
+
+In case the `postgres` user exists but the UID is not 1002, please adjust it via
+```
+sudo usermod -u 1002 postgres
+```
+
+In case the `postgres` user doesn't exist at all, please create the user incl. the right UID by running
+```
+sudo useradd -u 1002 postgres
+```
+
+## About secrets
+In order to manage secrets centrally in 1Password and due to the need for secrets in Postgres, using `docker compose` directly in the terminal does not work.
+
+## Bring up/tear down container
+Please use the `start.sh` to spin up the container
+### Prerequisites start.sh
+- User executing the script is part of the `docker` group
+- Env variable `OP_SERVICE_ACCOUNT_TOKEN` is set up \[check out top-level README.md for more information on how to set this up\]
\ No newline at end of file
diff --git a/homelab/applications/gitea/compose.yml b/homelab/applications/gitea/compose.yml
index 46dc1f7..6855008 100644
--- a/homelab/applications/gitea/compose.yml
+++ b/homelab/applications/gitea/compose.yml
@@ -1,14 +1,26 @@
- services:
- server:
- image: docker.gitea.com/gitea:latest
- container_name: gitea
- environment:
- - USER_UID=1000
- - USER_GID=1000
- - DISABLE_REGISTRATION=true
- restart: always
- volumes:
- - ./data:/data
- ports:
- - "8030:3000"
- - "222:22"
\ No newline at end of file
+secrets:
+ gitea_postgres_password:
+ environment: GITEA_POSTGRES_PASSWORD
+services:
+ gitea:
+ image: docker.gitea.com/gitea:1-rootless
+ container_name: gitea
+ user: "1003:1003"
+ environment:
+ USER_UID: "1003"
+ USER_GID: "1003"
+ DISABLE_REGISTRATION: true
+ GITEA__database__DB_TYPE: postgres
+ GITEA__database__HOST: postgres:5432
+ GITEA__database__NAME: gitea
+ GITEA__database__USER: gitea
+ GITEA__database__PASSWD_FILE: /run/secrets/gitea_postgres_password
+ restart: always
+ volumes: ['./data:/var/lib/gitea', './config:/etc/gitea']
+ ports: ['8030:3000', '2222:2222']
+ secrets: ['gitea_postgres_password']
+ networks: ['homelab']
+
+networks:
+ homelab:
+ external: true
\ No newline at end of file
diff --git a/homelab/applications/gitea/start.sh b/homelab/applications/gitea/start.sh
new file mode 100644
index 0000000..177f56c
--- /dev/null
+++ b/homelab/applications/gitea/start.sh
@@ -0,0 +1,12 @@
+#!/bin/zsh
+# Exit immediately if a command exits with a non-zero status.
+set -e
+
+echo "--- Starting Docker Secret Management ---"
+# Mount secrets
+export GITEA_POSTGRES_PASSWORD="$(op read 'op://NAxS Homelab/Gitea Postgres credentials/password')"
+
+# Bring up container
+docker compose up -d
+
+echo "--- Docker Secret Management Complete ---"
\ No newline at end of file
diff --git a/homelab/applications/postgres/compose.yml b/homelab/applications/postgres/compose.yml
index ec0f5ae..3067cc3 100644
--- a/homelab/applications/postgres/compose.yml
+++ b/homelab/applications/postgres/compose.yml
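Review bot: `user: "1003:1003"` pins the container to host UID/GID 1003, but nothing in this commit creates that id or chowns `./data` and `./config` to it — the gitea README added alongside tells the operator to provision UID 1002 (`postgres`), so the bind mounts will presumably be unwritable on first start unless the ids are reconciled. The `USER_UID`/`USER_GID` entries below `user:` look redundant on the `1-rootless` tag, whose entrypoint (as far as I recall) does not switch users the way the root image's does; confirm against the image docs and drop them if so. `DISABLE_REGISTRATION: true` is a YAML boolean rather than a string, so quote it, and since the image-level variable is only templated into `app.ini` when no config exists yet, the persistent form is `GITEA__service__DISABLE_REGISTRATION: "true"`. `'8030:3000'` and `'2222:2222'` publish on every host interface; if a reverse proxy on the same host is the intended entry point, bind the HTTP port as `'127.0.0.1:8030:3000'`.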
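Review bot: `set -e` does not stop the script when `op read` fails on the `export GITEA_POSTGRES_PASSWORD="$(op read …)"` line, because (in zsh as in bash) the line's exit status is that of the `export` builtin, not of the command substitution; with a missing or expired `OP_SERVICE_ACCOUNT_TOKEN` the script carries on and starts Gitea with an empty database password. Assign, check and export separately: `GITEA_POSTGRES_PASSWORD="$(op read 'op://NAxS Homelab/Gitea Postgres credentials/password')"`, `[ -n "$GITEA_POSTGRES_PASSWORD" ] || { echo 'op read returned an empty password' >&2; exit 1; }`, `export GITEA_POSTGRES_PASSWORD`. The `# Mount secrets` comment is misleading since nothing is mounted here; `# Fetch the DB password from 1Password; compose.yml maps it to /run/secrets/gitea_postgres_password` describes what the line does. The `#!/bin/zsh` shebang ties the script to zsh for no visible reason; `#!/bin/sh` with `set -eu` would run the same three commands portably.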
@@ -1,18 +1,23 @@
 secrets:
- postgres_password:
- environment: POSTGRES_PASSWORD
- postgres_user:
- environment: POSTGRES_USER
+ postgres_password:
+ environment: POSTGRES_PASSWORD
+ postgres_user:
+ environment: POSTGRES_USER
 services:
- postgres:
- image: postgres:18
- container_name: postgres
- user: "1002"
- restart: always
- shm_size: 1024mb
- environment:
- POSTGRES_USER_FILE: /run/secrets/postgres_user
- POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
- secrets: ['postgres_password', 'postgres_user']
- ports: ['5432:5432']
- volumes: ['./data:/var/lib/postgresql']
+ postgres:
+ image: postgres:18
+ container_name: postgres
+ user: "1002"
+ restart: always
+ shm_size: 1024mb
+ environment:
+ POSTGRES_USER_FILE: /run/secrets/postgres_user
+ POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
+ secrets: ['postgres_password', 'postgres_user']
+ ports: ['5432:5432']
+ volumes: ['./data:/var/lib/postgresql']
+ networks: ['homelab']
+
+networks:
+ homelab:
+ external: true
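Review bot: Now that the service is attached to the shared `homelab` network, `ports: ['5432:5432']` is no longer needed for Gitea to reach it (the gitea service addresses it as `postgres:5432` on that network), yet it still publishes Postgres on every host interface, where Docker-published ports bypass host firewall rules such as ufw. Drop the `ports` line, or bind it to loopback for local admin access only: `ports: ['127.0.0.1:5432:5432']`. `user: "1002"` sets only the UID; if 1002 has no entry in the image's `/etc/passwd` the container presumably runs with GID 0, so `user: "1002:1002"` would be safer and would match the `uid:gid` form the gitea service uses. Apart from the added `networks` stanza, the removed and added lines in this hunk are textually identical, so the rest of the change is indentation only.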