opendev/system-config
Code Issues Proposed changes
Files
master
system-config/playbooks/roles/gitea/templates/app.ini.j2
Jeremy Stanley 36e1de0d5c Block access to Gitea's archive feature 
Crawlers have been hitting the archive URLs in Gitea, which can
result in massive cached archive files filling the disk faster than
the daily cron clears them out. This feature is an attractive
nuisance anyway for many projects, particularly Python-based source
repositories for which users mistakenly assume that a tarball of the
worktree is a suitable substitute for an sdist package, which leads
to a lot of confusion if build backends like PBR or setuptools-scm
are relied on.

Fortunately, Gitea now has a way to turn off this functionality. Add
a test to make sure these URLs return a 404 in order to prevent any
accidental future regression. Disable the archive cleanup cron as
well, since it's just a no-op at this point.

Change-Id: I0912243f40f2101bf1f3133fbf306def10aa5f83
2025-06-05 19:51:02 +00:00

146 lines
3.8 KiB
Django/Jinja
Raw Permalink Blame History

APP_NAME = OpenDev: Free Software Needs Free Tools
RUN_MODE = prod
RUN_USER = git
; TODO determine if this is appropriate for our existing installation
WORK_PATH = /data/gitea
[server]
APP_DATA_PATH = /data/gitea
SSH_DOMAIN = localhost
PROTOCOL = https
HTTP_PORT = 3000
ROOT_URL = https://opendev.org/
DISABLE_SSH = false
SSH_PORT = 22
DOMAIN = localhost
LFS_START_SERVER = true
LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }}
OFFLINE_MODE = false
CERT_FILE = /certs/cert.pem
KEY_FILE = /certs/key.pem
REDIRECT_OTHER_PORT = true
PORT_TO_REDIRECT = 3080
[database]
DB_TYPE = mysql
HOST = localhost:3306
NAME = gitea
USER = {{ gitea_db_username }}
PASSWD = {{ gitea_db_password }}
SSL_MODE = disable
LOG_SQL = false
[cache]
ADAPTER = memcache
HOST = 127.0.0.1:11211
[repository]
ROOT = /data/git/repositories
DISABLED_REPO_UNITS = repo.issues,repo.pulls,repo.wiki,repo.projects,repo.actions
DISABLE_STARS = true
DISABLE_MIGRATIONS = true
DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true
[git]
; Implemented in 1.16 but broke older git clients. Now expected to work
; but we keep explicit config in place should it need to be toggled back
; to true again.
DISABLE_PARTIAL_CLONE = false
[federation]
ENABLED = false
[packages]
ENABLED = false
[indexer]
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
REPO_INDEXER_ENABLED = true
STARTUP_TIMEOUT = 300s
[session]
PROVIDER_CONFIG = /data/gitea/sessions
PROVIDER = file
[picture]
AVATAR_UPLOAD_PATH = /data/gitea/avatars
DISABLE_GRAVATAR = true
[attachment]
PATH = /data/gitea/attachments
[log]
ROOT_PATH = /logs
LEVEL = Info
STACKTRACE_LEVEL = Error
logger.access.MODE = file
{% raw -%}
ACCESS_LOG_TEMPLATE = {{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}" "{{.Ctx.Req.UserAgent}}"
{% endraw %}
[security]
INSTALL_LOCK = true
SECRET_KEY = {{ gitea_secret_key }}
INTERNAL_TOKEN = {{ gitea_internal_token }}
PASSWORD_COMPLEXITY = lower,upper,digit
[service]
DISABLE_REGISTRATION = true
SHOW_REGISTRATION_BUTTON = false
REQUIRE_SIGNIN_VIEW = false
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = false
DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
ENABLE_TIMETRACKING = false
DEFAULT_ENABLE_TIMETRACKING = false
NO_REPLY_ADDRESS = noreply.example.org
[mailer]
ENABLED = false
[oauth2]
ENABLED = false
; TODO we don't do oauth2 do we need to set this value?
JWT_SECRET = {{ gitea_oauth2_jwt_secret }}
; TODO we don't do oauth2 do we need to set this value?
JWT_SIGNING_PRIVATE_KEY_FILE = /data/gitea/jwt/private.pem
[openid]
ENABLE_OPENID_SIGNIN = false
ENABLE_OPENID_SIGNUP = false
[markup.pandoc]
ENABLED = true
; List of file extensions that should be rendered by an external command
FILE_EXTENSIONS = .rst
; External command to render all matching extensions
RENDER_COMMAND = /usr/bin/pandoc -f rst
; Input is not a standard input but a file
IS_INPUT_FILE = false
[actions]
ENABLED = false
[lfs]
STORAGE_TYPE = local
PATH = /data/git/lfs
; This is an undocumented gitea cron job that will delete all
; repo archives periodically if enabled. Repo archives are
; tarballs/zips/etc of repository state generate for things like
; tags. We used to rely on it, but some crawlers are so aggressive
; they manage to fill up our filesystems between scheduled cleanups
; so instead we've blocked access to the feature entirely. This
; defaults to disabled, but keep it explicit in here as a reminder
; in case we ever revert the change and restore archive access.
[cron.delete_repo_archives]
ENABLED = false
; We don't need gitea phoning out to check versions. We stay on
; top of new releases using github release notifications over email.
[cron.update_checker]
ENABLED = false
View Git Blame Copy Permalink