Merge "gitea: Add reverse proxy option"

2020-07-07 21:07:57 +00:00 · 2020-07-07 21:07:57 +00:00 · 466e14b5f7
commit 466e14b5f7
parent c2b2efdf5b 870f664648
7 changed files with 77 additions and 0 deletions
--- a/playbooks/roles/gitea/defaults/main.yaml
+++ b/playbooks/roles/gitea/defaults/main.yaml
@ -1 +1,2 @@
 gitea_no_log: true
+gitea_reverse_proxy: false
--- a/playbooks/roles/gitea/handlers/main.yaml
+++ b/playbooks/roles/gitea/handlers/main.yaml
@ -0,0 +1,4 @@
+- name: gitea Reload apache2
+  service:
+    name: apache2
+    state: reloaded
--- a/playbooks/roles/gitea/tasks/main.yaml
+++ b/playbooks/roles/gitea/tasks/main.yaml
@ -30,6 +30,11 @@
      - docker-compose
      - python3-requests
    state: present
+
+- name: Install reverse proxy
+  include_tasks: proxy.yaml
+  when: gitea_reverse_proxy
+
 - name: Run docker-compose pull
  shell:
    cmd: docker-compose pull
--- a/playbooks/roles/gitea/tasks/proxy.yaml
+++ b/playbooks/roles/gitea/tasks/proxy.yaml
@ -0,0 +1,26 @@
+- name: Install apache2
+  apt:
+    name:
+      - apache2
+      - apache2-utils
+    state: present
+
+- name: Apache modules
+  apache2_module:
+    state: present
+    name: "{{ item }}"
+  loop:
+    - rewrite
+    - proxy
+    - proxy_http
+    - ssl
+    - headers
+
+- name: Copy apache config
+  template:
+    src: gitea.vhost.j2
+    dest: /etc/apache2/sites-enabled/000-default.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: gitea Reload apache2
--- a/playbooks/roles/gitea/templates/gitea.vhost.j2
+++ b/playbooks/roles/gitea/templates/gitea.vhost.j2
@ -0,0 +1,30 @@
+Listen 3081
+
+<VirtualHost *:3081>
+  ServerName {{ inventory_hostname }}
+  ServerAdmin infra-root@opendev.org
+
+  AllowEncodedSlashes On
+
+  ErrorLog ${APACHE_LOG_DIR}/gitea-ssl-error.log
+
+  LogLevel warn
+
+  CustomLog ${APACHE_LOG_DIR}/gitea-ssl-access.log combined
+
+  SSLEngine on
+  SSLProtocol All -SSLv2 -SSLv3
+  # Note: this list should ensure ciphers that provide forward secrecy
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+
+  SSLCertificateFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.cer
+  SSLCertificateKeyFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key
+  SSLCertificateChainFile /etc/letsencrypt-certs/{{ inventory_hostname }}/ca.cer
+
+  SSLProxyEngine on
+
+  ProxyPass  / https://localhost:3000/ retry=0
+  ProxyPassReverse / https://localhost:3000/
+
+</VirtualHost>
--- a/playbooks/zuul/templates/group_vars/gitea.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/gitea.yaml.j2
@ -7,3 +7,6 @@ gitea_db_password: 5bfuOBKtltff0XZX
 gitea_root_password: BUbBcpToMwR05ZCB
 gitea_no_log: false
 gitea_gerrit_password: yVpMWIUIvT7f6NwA
+gitea_reverse_proxy: true
+iptables_extra_public_tcp_ports:
+  - 3081
--- a/testinfra/test_gitea.py
+++ b/testinfra/test_gitea.py
@ -23,6 +23,8 @@ def test_gitea_listening(host):
    assert gitea_http.is_listening
    gitea_ssh = host.socket("tcp://0.0.0.0:222")
    assert gitea_ssh.is_listening
+    gitea_proxy = host.socket("tcp://0.0.0.0:3081")
+    assert gitea_proxy.is_listening

 def test_ulimit(host):
    cmd = host.run("docker exec gitea-docker_gitea-web_1 prlimit")
@ -39,3 +41,9 @@ def test_robots(host):
                   '--resolve gitea99.opendev.org:3000:127.0.0.1 '
                   'https://gitea99.opendev.org:3000/robots.txt')
    assert 'Disallow: /' in cmd.stdout
+
+def test_proxy(host):
+    cmd = host.run('curl --insecure '
+                   '--resolve gitea99.opendev.org:3081:127.0.0.1 '
+                   'https://gitea99.opendev.org:3081/')
+    assert 'Git with a cup of tea' in cmd.stdout