fix: set binaries as ghost files

.gitea/workflows/cd.yaml

@@ -7,21 +7,15 @@ on:
 
 jobs:
   build_n_upload:
-    runs-on: linux
+    runs-on: self-hosted
     steps:
-      - name: Git checkout
+      - uses: actions/checkout@v6
-        uses: actions/checkout@v6
         with:
+          fetch-depth: 0
           fetch-tags: true
-      - name: Build tarball
+      - run: make tarball
-        run: make tarball
+      - run: rpmbuild -ba "$(make name).spec"
+      - run: make upload
         env:
-          GIT_REFERENCE: ${{ github.ref }}
+          PKG_TOKEN: ${{ secrets.PKG_TOKEN }}
-      - name: Build rpm package
-        run: rpmbuild -ba "$(make name).spec"
-      - name: Upload rpm package
-        run: make upload
-        env:
-          GIT_PACKAGES_USERNAME: ${{ vars.GIT_PACKAGES_USERNAME }}
-          GIT_PACKAGES_TOKEN: ${{ secrets.GIT_PACKAGES_TOKEN }}
 

.gitea/workflows/ci.yaml

@@ -7,7 +7,7 @@ on:
 
 jobs:
   lint_n_build:
-    runs-on: linux
+    runs-on: self-hosted 
     steps:
       - name: Git checkout
         uses: actions/checkout@v6
@@ -18,4 +18,3 @@ jobs:
         run: make tarball
       - name: Build rpm file
         run: rpmbuild -ba "$(make name).spec"
-

Makefile

@@ -1,53 +1,89 @@
 NAME = netoik-git
 VERSION = $(shell git describe --abbrev=0)
 RELEASE = $(shell git rev-parse --short HEAD)
-REFERENCE = $(if $(GIT_REFERENCE),$(GIT_REFERENCE),$(shell git branch --show-current))
+ARCH = noarch
-BUILD_ARCH = noarch
+OWNER = samuel
+SUMMARY = "Netoïk Git server"
+LICENSE = "MIT"
+URL = "https://git.netoik.io/$(OWNER)/$(NAME)"
+SOURCE0 = "$(NAME)-$(VERSION)-$(RELEASE).tar.gz"
 
 RPM_RPMDIR = $(shell rpm --eval '%{_rpmdir}')
 RPM_SBINDIR = $(shell rpm --eval '%{_sbindir}')
 RPM_SOURCEDIR = $(shell rpm --eval '%{_sourcedir}')
-RPM_SHAREDSTATEDIR = $(shell rpm --eval '%{_sharedstatedir}')
 RPM_SYSCONFDIR = $(shell rpm --eval '%{_sysconfdir}')
+RPM_TMPPATH = $(shell rpm --eval '%{_tmppath}')
 RPM_UNITDIR = $(shell rpm --eval '%{_unitdir}')
 
-RPM_TARBALL_PATH = $(RPM_SOURCEDIR)/$(NAME)-$(VERSION).tar.gz
+RPM_TARBALL_PATH = $(RPM_SOURCEDIR)/$(SOURCE0)
-RPM_BUILD_PATH = $(RPM_RPMDIR)/$(BUILD_ARCH)/$(NAME)-$(VERSION)-$(RELEASE).$(BUILD_ARCH).rpm
+RPM_BUILD_PATH = $(RPM_RPMDIR)/$(ARCH)/$(NAME)-$(VERSION)-$(RELEASE).$(ARCH).rpm
+
+.PHONY: help
+help:
+	@grep -E '^[a-zA-Z0-9_-]+:.*?## .*' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
 
 .PHONY: name
-name:
+name:  ## Show project name
 	@echo "$(NAME)"
 
 .PHONY: version
-version:
+version:  ## Show current project version
 	@echo "$(VERSION)"
 
 .PHONY: release
-release:
+release:  ## Show current project release
 	@echo "$(RELEASE)"
 
-.PHONY: build_arch
+.PHONY: arch
-build_arch:
+arch:  ## Show rpm arch target
-	@echo "$(BUILD_ARCH)"
+	@echo "$(ARCH)"
 
-.PHONY: install
+.PHONY: owner
-install:
+owner:  ## Show project owner name
-	install --mode=755 --directory $(DESTDIR)$(RPM_SYSCONFDIR)/gitea $(DESTDIR)$(RPM_UNITDIR) $(DESTDIR)$(RPM_SHAREDSTATEDIR)/actrunners
+	@echo "$(OWNER)"
-	install --mode=644 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/gitea files/gitea/app.ini
+
-	install --mode=644 --target-directory=$(DESTDIR)$(RPM_UNITDIR) files/systemd/gitea.service files/systemd/actrunner@.service
+.PHONY: summary
+summary:  ## Show project summary
+	@echo "$(SUMMARY)"
+
+.PHONY: license
+license:  ## Show project license
+	@echo "$(LICENSE)"
+
+.PHONY: url
+url:  ## Show project homepage URL
+	@echo "$(URL)"
+
+.PHONY: source0
+source0:  ## Show rpm source0 file name
+	@echo "$(SOURCE0)"
 
 $(RPM_TARBALL_PATH): *
 	git archive --format=tar.gz \
 	            --output="$@" \
 	            --prefix="$(NAME)-$(VERSION)/" \
 	            --verbose \
-	            "$(REFERENCE)"
+	            HEAD 
 
 .PHONY: tarball
-tarball: $(RPM_TARBALL_PATH)
+tarball: $(RPM_TARBALL_PATH)  ## Build rpm tarball
+
+.PHONY: install
+install:  ## Install files into rpm dest (requires env var DESTDIR)
+	@if [ -z "$(DESTDIR)" ]; then \
+		printf "[CRITICAL] Missing env var DESTDIR\n[CRITICAL] This command is designed to be called by rpmbuild only!\n" 1>&2; \
+		exit 1; \
+	fi
+	install --mode=755 --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d $(DESTDIR)$(RPM_SYSCONFDIR)/gitea $(DESTDIR)$(RPM_UNITDIR) $(DESTDIR)$(RPM_TMPPATH)/gitea_images
+	install --mode=644 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d files/nginx/git.netoik.io.conf
+	install --mode=640 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/gitea files/gitea/app.ini
+	install --mode=644 --target-directory=$(DESTDIR)$(RPM_UNITDIR) files/systemd/gitea.service files/systemd/actrunner@.service
+	install --mode=644 --target-directory=$(DESTDIR)$(RPM_TMPPATH)/gitea_images files/img/*
 
 .PHONY: upload
-upload:
+upload:  ## Upload rpm package to Gitea repository (requires env var PKG_TOKEN)
-	curl --fail-with-body --upload-file "$(RPM_BUILD_PATH)" --user "$(GIT_PACKAGES_USERNAME):$(GIT_PACKAGES_TOKEN)" https://git.netoik.io/api/packages/$(GIT_PACKAGES_USERNAME)/rpm/upload
+	@if [ -z "$(PKG_TOKEN)" ]; then \
-
+		printf "[CRITICAL] Missing env var PKG_TOKEN\n[CRITICAL] This command is designed to be called by Gitea Actions only!\n" 1>&2; \
-
+		exit 1; \
+	fi
+	curl --fail-with-body --upload-file "$(RPM_BUILD_PATH)" --user "$(OWNER):$(PKG_TOKEN)" https://git.netoik.io/api/packages/$(OWNER)/rpm/upload

README.md

@@ -1,3 +1,83 @@
-# Netoïk Git ![badge](https://git.netoik.io/samuel/netoik-git/actions/workflows/ci.yaml/badge.svg)
+# Netoïk Git Server ![badge](https://git.netoik.io/samuel/netoik-git/actions/workflows/ci.yaml/badge.svg)
+
+Build an RPM package which will install the Git server called Gitea with custom configuration.
+
+- listen on port 3000
+- reversed by nginx
+- rely on postgres for database
+- rely on valkey for cache
+
+
+# Development
+
+A `Makefile` is integrated to let you run some basic commands.
+
+- Display some information about the project
+  ```shell
+  make help
+  make name
+  make version
+  make release
+  make arch
+  ```
+
+- Build a tarball:
+  ```shell
+  make tarball
+  ```
+
+- Build an rpm package:
+  ```shell
+  rpmbuild -ba netoik-git.spec
+  ```
+
+- Upload rpm package to Gitea repository (env var `PKG_TOKEN` is required):
+  ```shell
+  make upload
+  ```
+
+
+# CI / CD
+
+Two workflows are set up.
+
+- Continuous Integration:
+  - triggered by each push event on branch `main`
+  - builds tarball
+  - builds rpm package
+
+- Continuous Delivery:
+  - triggered by each tag push event
+  - builds tarball
+  - builds rpm package
+  - uploads rpm package to repository
+
+
+# Deployment
+
+Some commands to deploy the RPM package on server
+
+- Add Gitea repo to your repo list:
+  ```shell
+  dnf config-manager --add-repo https://git.netoik.io/api/packages/samuel/rpm.repo
+  dnf repolist | grep gitea-samuel
+  ```
+
+- Show available versions:
+  ```shell
+  dnf --showduplicates netoik-git
+  ```
+
+- Install or upgrade package:
+  ```shell
+  dnf --nogpgcheck --refresh --assumeyes --best install netoik-git
+  ```
+
+
+# Security Notes
+
+For security reasons, act runners does not have sudo privileges and so there is:
+- **no** Continuous Deployment because act runners cannot use `dnf`
+- **no** GPG signing because act runners cannot use `gpg`
+
 
-Build an RPM package which will install the Git UI server called Gitea.

files/gitea/app.ini

@@ -1,11 +1,14 @@
 # Do not edit this file unless you are aware about what you are doing!
 # See official doc here: https://docs.gitea.com/next/administration/config-cheat-sheet
 
-APP_NAME = Netoïk Git Server
 RUN_USER = gitea 
 RUN_MODE = prod
 WORK_PATH = /var/lib/gitea
 
+[ui]
+THEMES=dark,light,auto
+DEFAULT_THEME=auto
+
 [server]
 DOMAIN = git.netoik.io
 ROOT_URL = https://git.netoik.io/
@@ -28,6 +31,13 @@ INTERNAL_TOKEN = $INTERNAL_TOKEN
 [service]
 DISABLE_REGISTRATION = true 
 
+[cache]
+ADAPTER = redis
+HOST = redis+socket:///run/valkey/valkey.sock
+
 [session]
 PROVIDER = redis
-PROVIDER_CONFIG = /run/valkey/valkey.sock
+PROVIDER_CONFIG = redis+socket:///run/valkey/valkey.sock
+
+[oauth2]
+JWT_SECRET = $JWT_SECRET

files/img/favicon.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="180" zoomAndPan="magnify" viewBox="0 0 135 135.000003" height="180" preserveAspectRatio="xMidYMid meet" version="1.0"><defs><g/><clipPath id="c8284118b8"><path d="M 0.496094 0 L 134.503906 0 L 134.503906 134.007812 L 0.496094 134.007812 Z M 0.496094 0 " clip-rule="nonzero"/></clipPath><clipPath id="7a25ccad2a"><path d="M 0.496094 11 L 87 11 L 87 114 L 0.496094 114 Z M 0.496094 11 " clip-rule="nonzero"/></clipPath><clipPath id="b80303876e"><rect x="0" width="135" y="0" height="135"/></clipPath></defs><g clip-path="url(#c8284118b8)"><g transform="matrix(1, 0, 0, 1, 0.000000000000000056, -0.000000000000003367)"><g clip-path="url(#b80303876e)"><g clip-path="url(#7a25ccad2a)"><g fill="#a6c6f7" fill-opacity="1"><g transform="translate(-8.941766, 113.113191)"><g><path d="M 95.3125 -3.65625 C 95.3125 -2.726562 94.988281 -1.882812 94.34375 -1.125 C 93.707031 -0.375 92.925781 0 92 0 L 70.5625 0 C 69.632812 0 68.820312 -0.375 68.125 -1.125 C 67.425781 -1.882812 67.078125 -2.726562 67.078125 -3.65625 L 67.078125 -64.984375 C 67.078125 -68.816406 66.492188 -71.953125 65.328125 -74.390625 C 64.171875 -76.835938 61.328125 -78.0625 56.796875 -78.0625 L 48.09375 -78.0625 C 43.5625 -78.0625 40.710938 -76.835938 39.546875 -74.390625 C 38.390625 -71.953125 37.8125 -68.816406 37.8125 -64.984375 L 37.8125 -3.65625 C 37.8125 -2.726562 37.460938 -1.882812 36.765625 -1.125 C 36.066406 -0.375 35.253906 0 34.328125 0 L 12.890625 0 C 11.960938 0 11.175781 -0.375 10.53125 -1.125 C 9.894531 -1.882812 9.578125 -2.726562 9.578125 -3.65625 L 9.578125 -64.984375 C 9.578125 -77.066406 12.859375 -86.128906 19.421875 -92.171875 C 25.984375 -98.210938 35.539062 -101.234375 48.09375 -101.234375 L 56.796875 -101.234375 C 69.347656 -101.234375 78.90625 -98.210938 85.46875 -92.171875 C 92.03125 -86.128906 95.3125 -77.066406 95.3125 -64.984375 Z M 95.3125 -3.65625 "/></g></g></g></g><g fill="#a6c6f7" fill-opacity="1"><g transform="translate(95.940777, 113.113191)"><g><path d="M 37.640625 -3.484375 C 37.640625 -2.554688 37.289062 -1.742188 36.59375 -1.046875 C 35.894531 -0.347656 35.082031 0 34.15625 0 L 13.765625 0 C 12.835938 0 11.992188 -0.347656 11.234375 -1.046875 C 10.484375 -1.742188 10.109375 -2.554688 10.109375 -3.484375 L 10.109375 -25.4375 C 10.109375 -26.363281 10.484375 -27.144531 11.234375 -27.78125 C 11.992188 -28.425781 12.835938 -28.75 13.765625 -28.75 L 34.15625 -28.75 C 35.082031 -28.75 35.894531 -28.425781 36.59375 -27.78125 C 37.289062 -27.144531 37.640625 -26.363281 37.640625 -25.4375 Z M 37.640625 -3.484375 "/></g></g></g></g></g></g></svg>

files/nginx/git.netoik.io.conf

@@ -0,0 +1,9 @@
+server {
+  listen 443 ssl;
+  server_name git.netoik.io;
+
+  location / {
+    proxy_pass http://127.0.0.1:3000;
+  }
+}
+

files/systemd/actrunner@.service

@@ -1,13 +1,12 @@
 [Unit]
 Description=Gitea Actions runner #%i
 Documentation=https://gitea.com/gitea/act_runner
-After=network.target gitea.service
+After=gitea.service
 
 [Service]
-ExecStartPre=/usr/bin/rpmdev-setuptree
+ExecStart=/usr/sbin/act_runner daemon
-ExecStart=/usr/local/bin/act_runner daemon
 ExecReload=/bin/kill -s HUP $MAINPID
-WorkingDirectory=/opt/actrunners/actrunner%i
+WorkingDirectory=/var/lib/actrunner%i
 TimeoutSec=0
 RestartSec=10
 Restart=always

files/systemd/gitea.service

@@ -8,7 +8,7 @@ Type=simple
 User=gitea
 Group=gitea
 WorkingDirectory=/var/lib/gitea/
-ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
+ExecStart=/usr/sbin/gitea web
 Restart=always
 
 [Install]

netoik-git.spec

@@ -3,17 +3,17 @@
 Name:           %(make name)
 Version:        %(make version)
 Release:        %(make release)
-Summary:        Netoik Reverse Proxy
+Summary:        %(make summary)
-License:        MIT
+License:        %(make license)
-URL:            https://git.netoik.io/samuel/%(make name)
+URL:            %(make url)
 
-Source0:        %{name}-%{version}.tar.gz
+Source0:        %(make source0)
-Buildarch:      %(make build_arch)
+Buildarch:      %(make arch)
 BuildRequires:  make
-Requires:       netoik-db netoik-cache git
+Requires:       netoik-rp netoik-db netoik-cache
 
 %description
-Install the Git UI server called Gitea.
+Install the Git server called Gitea.
 
 %prep
 %autosetup -v
@@ -22,62 +22,99 @@ Install the Git UI server called Gitea.
 %make_install
 
 %post
-# Download gitea bin and verify gpg signature
+# Download and install gitea binary
-wget --output-document %{_tmppath}/gitea "$GITEA_BIN_URL"
+export ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
-wget --output-document %{_tmppath}/gitea.asc "$GITEA_ASC_URL"
+export GITEA_BINARY=gitea-1.25.5-linux-$ARCH
-gpg --keyserver "$GITEA_GPG_KEYSERVER" --recv "$GITEA_GPG_RECV"
+wget --directory-prefix %{_tmppath} https://dl.gitea.com/gitea/1.25.5/$GITEA_BINARY
-gpg --verify %{_tmppath}/gitea.asc %{_tmppath}/gitea
+wget --directory-prefix %{_tmppath} https://dl.gitea.com/gitea/1.25.5/$GITEA_BINARY.asc
-mv %{_tmppath}/gitea %{_sbindir}
+gpg --keyserver hkps://keys.openpgp.org --recv 7C9E68152594688862D62AF62D9AE806EC1592E2
-chmod 755 %{_sbindir}/gitea
+gpg --verify %{_tmppath}/$GITEA_BINARY.asc %{_tmppath}/$GITEA_BINARY
-rm %{_tmppath}/gitea.asc
+rm %{_tmppath}/$GITEA_BINARY.asc
+chmod 755 %{_tmppath}/$GITEA_BINARY
+mv %{_tmppath}/$GITEA_BINARY.asc %{_sbindir}/gitea
+
+# Replace secrets in app.ini
+export INTERNAL_TOKEN=$(runuser --user=gitea -- gitea generate secret INTERNAL_TOKEN)
+export JWT_SECRET=$(runuser --user=gitea -- gitea generate secret JWT_SECRET)
+export SECRET_KEY=$(runuser --user=gitea -- gitea generate secret SECRET_TOKEN)
+envsubst < %{_sysconfdir}/gitea/app.ini > %{_sysconfdir}/gitea/.app.ini.new
+mv %{_sysconfdir}/gitea/.app.ini.new %{_sysconfdir}/gitea/app.ini
+chown root:gitea %{_sysconfdir}/gitea/app.ini
 
 # Create gitea user
-useradd --system --create-home --bade-dir %{_sharedstatedir} gitea
+if ! id gitea >/dev/null 2>&1; then
-runuser --user gitea -- mkdir --parents %{_sharedstatedir}/gitea/{data,custom}
+  useradd --base-dir %{_sharedstatedir} --create-home --shell $SHELL --system gitea
+fi
+runuser --user=gitea -- mkdir --parents %{_sharedstatedir}/gitea/{custom,data,log} %{_sharedstatedir}/gitea/custom/conf
+runuser --user=gitea -- ln --symbolic --force %{_sysconfdir}/gitea/app.ini %{_sharedstatedir}/gitea/custom/conf/app.ini
+usermod --groups postgres,valkey --append gitea
 
-# Generate internal token and secret key
+# Add lugit theme
-INTERNAL_TOKEN="$(gitea generate secret INTERNAL_TOKEN)"
+wget -O %{_tmppath}/gitea-lugit-theme.tar.gz https://github.com/lucas-labs/gitea-lugit-theme/releases/download/v1.0.1/gitea-lugit-theme.tar.gz
-SECRET_KEY="$(gitea generate secret SECRET_KEY)"
+runuser --user=gitea -- tar --extract --gzip --overwrite --directory=%{_sharedstatedir}/gitea/custom --file %{_tmppath}/gitea-lugit-theme.tar.gz
-envsubst < %{_sysconfdir}/gitea/app.ini > %{_sysconfdir}/gitea/app.ini.new
+runuser --user=gitea -- mv %{_tmppath}/gitea_images/* %{_sharedstatedir}/gitea/custom/public/assets/img
-mv %{_sysconfdir}/gitea/app.ini.new %{_sysconfdir}/gitea/app.ini
+rm --recursive %{_tmppath}/gitea_images
-chmod 600 %{_sysconfdir}/gitea/app.ini
 
-# Create actrunners
+# Create postgres user and db
-for i in $(seq 1 $ACT_RUNNERS); do
+if ! runuser --user=postgres -- psql --quiet --tuples-only --command='\du' | grep --quiet gitea; then
-  if ! id "actrunner$i"; then
+  runuser --user=postgres -- createuser gitea
-    useradd --system --create-home --base-dir %{_sharedstatedir}/actrunners "actrunner$i"
+  runuser --user=postgres -- createdb --owner=gitea gitea
-    systemctl daemon-reload
+fi
-    systemctl reenable "actrunner@$i"
+
-    systemctl restart "actrunner@$i"
+# Create admin user
+if ! runuser --user=gitea -- gitea admin user list | grep --quiet samuel; then
+  runuser --user=gitea -- gitea admin user create --username samuel --email "samuel.campos@netoik.io" --admin --random-password --random-password-length 30 --fullname "Samuel Campos"
+  runuser --user=gitea -- gitea admin user must-change-password samuel
+fi
+
+# Download and install act_runner binary
+export ACTRUNNER_BINARY=act_runner-0.3.0-linux-$ARCH
+wget --directory-prefix %{_tmppath} https://gitea.com/gitea/act_runner/releases/download/v0.3.0/$ACTRUNNER_BINARY.xz
+wget --directory-prefix %{_tmppath} https://gitea.com/gitea/act_runner/releases/download/v0.3.0/$ACTRUNNER_BINARY.xz.sha256
+cat %{_tmppath}/$ACTRUNNER_BINARY.xz.sha256 | sha256sum --check --status
+unxz %{_tmppath}/$ACTRUNNER_BINARY.xz
+chmod 755 $ACTRUNNER_BINARY
+mv $ACTRUNNER_BINARY %{_sbindir}/act_runner
+rm %{_tmppath}/$ACTRUNNER_BINARY.*
+
+# Create 4 actrunner users
+export ACTRUNNER_TOKEN=$(runuser --user=gitea -- gitea actions generate-token-runner --scope samuel)
+for i in $(seq 1 4); do
+  if ! id actrunner$i >/dev/null 2>&1; then
+    useradd --base-dir %{_sharedstatedir} --create-home --shell $SHELL --system actrunner$i
   fi
+  runuser --user=actrunner$i -- rpmdev-setuptree
+  runuser --user=actrunner$i -- act_runner register --instance https://git.netoik.io --labels self-hosted --name actrunner$i --no-interactive --token $ACTRUNNER_TOKEN
+  systemctl reenable actrunner@$i.service
+  systemctl restart actrunner@$i.service
 done
 
-# Start gitea service
+# Restart gitea and nginx services
 systemctl daemon-reload
 systemctl reenable gitea.service
-systemctl restart gitea.service
+systemctl restart gitea.service nginx.service
-
-%preun
-# Backup gitea data in case of problem
-gitea dump --config %{_sysconfdir}/gitea/app.ini --tempdir %{_tmppath}
 
 %postun
-# Remove gitea user after uninstall
+# If removing, delete users and db
-if [ %1 == 0 ]; then
+if [ $1 == 0 ]; then
-	systemctl stop gitea.service
   userdel --force --remove gitea
+  runuser --user=postgres -- psql --command='DROP DATABASE gitea; DROP USER gitea;'
+  for i in $(seq 1 4); then
+    userdel --force --remove actrunner$i
+  fi
 fi
 
 %files
 %dir %attr(755, root, root) %{_sysconfdir}/gitea
-%attr(600, root, root) %{_sysconfdir}/gitea/app.ini
+%attr(640, root, -) %{_sysconfdir}/gitea/app.ini
+
+%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/git.netoik.io.conf
 
 %attr(644, root, root) %{_unitdir}/gitea.service
 %attr(644, root, root) %{_unitdir}/actrunner@.service
 
-%dir %attr(755, root, root) %{_sharedstatedir}/actrunners
+%ghost %attr(755, root, root) %{_sbindir}/gitea
+%ghost %attr(755, root, root) %{_sbindir}/act_runner
 
 %changelog
 %autochangelog
-
-