From ac1dd4eedd8ea55a16298d805a379695bc510bf1 Mon Sep 17 00:00:00 2001
From: "James E. Blair"
Date: Fri, 20 Aug 2021 14:32:27 -0700
Subject: [PATCH] Assume gitea reverse proxy

We now depend on the reverse proxy not only for abuse mitigation but also for serving .well-known files with specific CORS headers. To reduce complexity and avoid traps in the future, make it non-optional.

Change-Id: I54760cb0907483eee6dd9707bfda88b205fa0fed
---
 inventory/service/group_vars/gitea.yaml | 3 ---
 playbooks/roles/gitea/README.rst | 7 -------
 playbooks/roles/gitea/defaults/main.yaml | 1 -
 playbooks/roles/gitea/tasks/main.yaml | 1 -
 playbooks/zuul/templates/group_vars/gitea.yaml.j2 | 1 -
 5 files changed, 13 deletions(-)

diff --git a/inventory/service/group_vars/gitea.yaml b/inventory/service/group_vars/gitea.yaml
index 9ea384a3a3..16ca146016 100644
--- a/inventory/service/group_vars/gitea.yaml
+++ b/inventory/service/group_vars/gitea.yaml
@@ -1,8 +1,5 @@
 gitea_root_email: infra-root@openstack.org
 gitea_gerrit_public_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVuhTMAz1H2Jr9AC3py9A0vlNna6Sdt4yrvZOayxukPqQ7GPZd+Mo7MVyypxLD479N2mA09JAdsbq1eTiPP8ksEkB+dNxZzw8mY1653R/IXSW6J9xPcoDa88HF2s/xHN24IWzgiDjNNe79AQ+sKleByEQZ++xXny3MRpy258hKUvAtjjOLOnM1PBs8JNOzBL+UPgWRgSX6GG0qywJZqjD1Qx5kvH9RTRLi+tcMhEi4laN7BYvn4csY0sYzTzPG4ZTu3ootIJoRlQGtQ0LmoFO1vSwyEJUags6/ZZGjgy3jl3kwcU/b8ZnFlF4MDw1OB1QqMb4r6bMHbXNIupp4zJbz gerrit-replication-2014-04-25
-# NOTE(ianw) 2020-07-08 : turned on hopefully temporarily
-# http://lists.opendev.org/pipermail/service-discuss/2020-July/000054.html
-gitea_reverse_proxy: true
 iptables_extra_public_tcp_ports:
 - 222
 - 3000
diff --git a/playbooks/roles/gitea/README.rst b/playbooks/roles/gitea/README.rst
index 30718c4195..f51ee4428a 100644
--- a/playbooks/roles/gitea/README.rst
+++ b/playbooks/roles/gitea/README.rst
@@ -2,13 +2,6 @@ Install, configure, and run Gitea.
 **Role Variables**
-.. zuul:rolevar:: gitea_reverse_proxy
- :default: False
-
- Create an Apache reverse proxy listening on port 3081. This can be
- useful for OSI layer 7 filtering; e.g. matching bad User-Agent
- fields.
-
 .. zuul:rolevar:: gitea_reverse_proxy_hostname
 :default: inventory_hostname
diff --git a/playbooks/roles/gitea/defaults/main.yaml b/playbooks/roles/gitea/defaults/main.yaml
index aade2dce60..68c9eb44f0 100644
--- a/playbooks/roles/gitea/defaults/main.yaml
+++ b/playbooks/roles/gitea/defaults/main.yaml
@@ -1,3 +1,2 @@
 gitea_no_log: true
-gitea_reverse_proxy: false
 gitea_reverse_proxy_hostname: '{{ inventory_hostname }}'
diff --git a/playbooks/roles/gitea/tasks/main.yaml b/playbooks/roles/gitea/tasks/main.yaml
index edd17f8c20..5fc4b96a62 100644
--- a/playbooks/roles/gitea/tasks/main.yaml
+++ b/playbooks/roles/gitea/tasks/main.yaml
@@ -33,7 +33,6 @@
 - name: Install reverse proxy
 include_tasks: proxy.yaml
- when: gitea_reverse_proxy
 - name: Run docker-compose pull
 shell:
diff --git a/playbooks/zuul/templates/group_vars/gitea.yaml.j2 b/playbooks/zuul/templates/group_vars/gitea.yaml.j2
index 02ddc66600..925e322496 100644
--- a/playbooks/zuul/templates/group_vars/gitea.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/gitea.yaml.j2
@@ -7,7 +7,6 @@ gitea_db_password: 5bfuOBKtltff0XZX
 gitea_root_password: BUbBcpToMwR05ZCB
 gitea_no_log: false
 gitea_gerrit_password: yVpMWIUIvT7f6NwA
-gitea_reverse_proxy: true
 gitea_reverse_proxy_hostname: localhost
 iptables_extra_public_tcp_ports:
 - 3081
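Review bot: Dropping `when: gitea_reverse_proxy` from the `Install reverse proxy` task makes the Apache proxy the mandatory front end, but nothing in this change keeps clients from going around it: the production group_vars hunk still lists `- 3000` under `iptables_extra_public_tcp_ports`, while the visible part of the test template opens `- 3081`. If 3000 is gitea's own listener (presumably, since the removed README text puts the proxy on 3081), requests sent there skip the proxy's abuse filtering and the CORS headers the commit message says are now required. Consider removing `- 3000` from the public list once nothing depends on direct access, or add a comment next to it such as `# direct gitea listener, kept public for <reason>`. Both the task list and the port lists continue outside the visible hunks, so confirm against the full files.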