opendev/system-config
Code Issues Proposed changes

Assume gitea reverse proxy

Browse Source 
We now depend on the reverse proxy not only for abuse mitigation but
also for serving .well-known files with specific CORS headers.  To
reduce complexity and avoid traps in the future, make it non-optional.

Change-Id: I54760cb0907483eee6dd9707bfda88b205fa0fed
This commit is contained in:
James E. Blair 2021-08-20 14:32:27 -07:00
parent 2a697f8ecd
commit ac1dd4eedd
5 changed files with 0 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
inventory/service/group_vars/gitea.yaml
View File

@ -1,8 +1,5 @@
gitea_root_email: infra-root@openstack.org gitea_root_email: infra-root@openstack.org
gitea_gerrit_public_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVuhTMAz1H2Jr9AC3py9A0vlNna6Sdt4yrvZOayxukPqQ7GPZd+Mo7MVyypxLD479N2mA09JAdsbq1eTiPP8ksEkB+dNxZzw8mY1653R/IXSW6J9xPcoDa88HF2s/xHN24IWzgiDjNNe79AQ+sKleByEQZ++xXny3MRpy258hKUvAtjjOLOnM1PBs8JNOzBL+UPgWRgSX6GG0qywJZqjD1Qx5kvH9RTRLi+tcMhEi4laN7BYvn4csY0sYzTzPG4ZTu3ootIJoRlQGtQ0LmoFO1vSwyEJUags6/ZZGjgy3jl3kwcU/b8ZnFlF4MDw1OB1QqMb4r6bMHbXNIupp4zJbz gerrit-replication-2014-04-25 gitea_gerrit_public_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVuhTMAz1H2Jr9AC3py9A0vlNna6Sdt4yrvZOayxukPqQ7GPZd+Mo7MVyypxLD479N2mA09JAdsbq1eTiPP8ksEkB+dNxZzw8mY1653R/IXSW6J9xPcoDa88HF2s/xHN24IWzgiDjNNe79AQ+sKleByEQZ++xXny3MRpy258hKUvAtjjOLOnM1PBs8JNOzBL+UPgWRgSX6GG0qywJZqjD1Qx5kvH9RTRLi+tcMhEi4laN7BYvn4csY0sYzTzPG4ZTu3ootIJoRlQGtQ0LmoFO1vSwyEJUags6/ZZGjgy3jl3kwcU/b8ZnFlF4MDw1OB1QqMb4r6bMHbXNIupp4zJbz gerrit-replication-2014-04-25
# NOTE(ianw) 2020-07-08 : turned on hopefully temporarily
# http://lists.opendev.org/pipermail/service-discuss/2020-July/000054.html
gitea_reverse_proxy: true
iptables_extra_public_tcp_ports: iptables_extra_public_tcp_ports:
- 222 - 222
- 3000 - 3000

7
playbooks/roles/gitea/README.rst
View File

@ -2,13 +2,6 @@ Install, configure, and run Gitea.
**Role Variables** **Role Variables**
.. zuul:rolevar:: gitea_reverse_proxy
:default: False
Create an Apache reverse proxy listening on port 3081. This can be
useful for OSI layer 7 filtering; e.g. matching bad User-Agent
fields.
.. zuul:rolevar:: gitea_reverse_proxy_hostname .. zuul:rolevar:: gitea_reverse_proxy_hostname
:default: inventory_hostname :default: inventory_hostname

1
playbooks/roles/gitea/defaults/main.yaml
View File

@ -1,3 +1,2 @@
gitea_no_log: true gitea_no_log: true
gitea_reverse_proxy: false
gitea_reverse_proxy_hostname: '{{ inventory_hostname }}' gitea_reverse_proxy_hostname: '{{ inventory_hostname }}'

1
playbooks/roles/gitea/tasks/main.yaml
View File

@ -33,7 +33,6 @@
- name: Install reverse proxy - name: Install reverse proxy
include_tasks: proxy.yaml include_tasks: proxy.yaml
when: gitea_reverse_proxy
- name: Run docker-compose pull - name: Run docker-compose pull
shell: shell:

1
playbooks/zuul/templates/group_vars/gitea.yaml.j2
View File

@ -7,7 +7,6 @@ gitea_db_password: 5bfuOBKtltff0XZX
gitea_root_password: BUbBcpToMwR05ZCB gitea_root_password: BUbBcpToMwR05ZCB
gitea_no_log: false gitea_no_log: false
gitea_gerrit_password: yVpMWIUIvT7f6NwA gitea_gerrit_password: yVpMWIUIvT7f6NwA
gitea_reverse_proxy: true
gitea_reverse_proxy_hostname: localhost gitea_reverse_proxy_hostname: localhost
iptables_extra_public_tcp_ports: iptables_extra_public_tcp_ports:
- 3081 - 3081