From a1a19c553b73ea9dbff81a6880aa4c2e9172d36a Mon Sep 17 00:00:00 2001
From: Raven
Date: Wed, 21 Feb 2024 13:47:54 +0600
Subject: [PATCH] gitea: add systemd scriptlets
---
 base/gitea/app-gitea.ini | 33 ++++++++++++++++-----------------
 base/gitea/gitea.service.d.conf | 16 ++++++++++++----
 base/gitea/gitea.spec | 13 ++++++++++---
 3 files changed, 38 insertions(+), 24 deletions(-)
diff --git a/base/gitea/app-gitea.ini b/base/gitea/app-gitea.ini
index b661bae..2a9b8fd 100644
--- a/base/gitea/app-gitea.ini
+++ b/base/gitea/app-gitea.ini
@@ -117,7 +117,7 @@ HTTP_PORT = 3000
 ;PER_WRITE_PER_KB_TIMEOUT = 30s
 ;;
 ;; Permission for unix socket
-;UNIX_SOCKET_PERMISSION = 666
+UNIX_SOCKET_PERMISSION = 660
 ;;
 ;; Local (DMZ) URL for Gitea workers (such as SSH update) accessing web service. In
 ;; most cases you do not need to change the default value. Alter it only if
@@ -159,7 +159,7 @@ HTTP_PORT = 3000
 ;SSH_LISTEN_PORT = %(SSH_PORT)s
 ;;
 ;; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.
-;SSH_ROOT_PATH =
+SSH_ROOT_PATH = /var/lib/gitea/.ssh
 ;;
 ;; Gitea will create a authorized_keys file by default when it is not using the internal ssh server
 ;; If you intend to use the AuthorizedKeysCommand functionality then you should turn this off.
@@ -283,7 +283,6 @@ STATIC_ROOT_PATH = /usr/share/gitea/web
 ;;
 ;; Default path for App data
 ;APP_DATA_PATH = data ; relative paths will be made absolute with _`AppWorkPath`_
-APP_DATA_PATH = /var/lib/gitea/data
 ;;
 ;; Enable gzip compression for runtime-generated content, static resources excluded
 ;ENABLE_GZIP = false
@@ -370,7 +369,7 @@ APP_DATA_PATH = /var/lib/gitea/data
 ;; SQLite Configuration
 ;;
 DB_TYPE = sqlite3
-;PATH= ; defaults to data/gitea.db
+PATH = /var/lib/gitea/data/gitea.db
 ;SQLITE_TIMEOUT = ; Query timeout defaults to: 500
 ;SQLITE_JOURNAL_MODE = ; defaults to sqlite database default (often DELETE), can be used to enable WAL mode. https://www.sqlite.org/pragma.html#pragma_journal_mode
 ;;
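Review bot: `UNIX_SOCKET_PERMISSION = 660` in the -117 hunk carries no comment saying which account is expected to share the socket's group, so a reverse proxy running under its own user will be refused and the likely reaction is to put 666 back. A line above the key such as `;; 660: the reverse-proxy user must be in the group that owns the socket` would keep the tighter mode in place. The key presumably only takes effect when PROTOCOL selects a unix socket, which is set outside this hunk; the [server] section itself starts and ends outside it.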
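Review bot: `SSH_ROOT_PATH = /var/lib/gitea/.ssh` in the -159 hunk only works with the system sshd if that directory is the service account's own `~/.ssh`, and nothing visible in this patch ties the two together. The context lines say Gitea writes authorized_keys there, so the directory has to be owned by the service user and closed to group and others: sshd's StrictModes rejects the file otherwise, and any account able to write it can add a key that runs as the service user. It is worth confirming that the sysusers and tmpfiles entries (outside this hunk) set the home to /var/lib/gitea and create .ssh with mode 0700, and recording that next to the key, for example `;; must be the service user's ~/.ssh, mode 0700`.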
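Review bot: The database `PATH` in the -370 hunk is pinned to /var/lib/gitea/data/gitea.db while the -283 hunk drops `APP_DATA_PATH = /var/lib/gitea/data`, so every setting that still defaults relative to APP_DATA_PATH now resolves against AppWorkPath instead; the still-commented `REPOSITORY_AVATAR_UPLOAD_PATH = data/repo-avatars` beside the absolute AVATAR_UPLOAD_PATH in the -1767 hunk is one visible example. If the work path is not /var/lib/gitea wherever gitea is started (the unit's GITEA_WORK_DIR is not shown here, and a manual CLI run may not inherit it), those files end up in another directory with whatever permissions it happens to have. Keeping `APP_DATA_PATH = /var/lib/gitea/data` next to the new absolute paths would make the layout independent of the work path. The SQLite file holds account credentials and tokens, so its directory should stay readable by the service user only.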
@@ -563,7 +562,7 @@ ENABLE = true
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Root path for the log files - defaults to %(GITEA_WORK_DIR)/log
-;ROOT_PATH =
+ROOT_PATH = /var/log/gitea
 ;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Main Logger
@@ -902,11 +901,11 @@ LEVEL = Info
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[repository]
+[repository]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Root path for storing all repository data. By default, it is set to %(APP_DATA_PATH)s/gitea-repositories.
 ;; A relative path is interpreted as _`AppWorkPath`_/%(ROOT)s
-;ROOT =
+ROOT = /var/lib/gitea/repositories
 ;;
 ;; The script type this server supports. Usually this is `bash`, but some users report that only `sh` is available.
 ;SCRIPT_TYPE = bash
@@ -999,16 +998,16 @@ LEVEL = Info
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[repository.local]
+[repository.local]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
 ;; Path for local repository copy. Defaults to `tmp/local-repo` (content gets deleted on gitea restart)
-;LOCAL_COPY_PATH = tmp/local-repo
+LOCAL_COPY_PATH = /var/lib/gitea/tmp/local-repo
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[repository.upload]
+[repository.upload]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
@@ -1016,7 +1015,7 @@ LEVEL = Info
 ;ENABLED = true
 ;;
 ;; Path for uploads. Defaults to `data/tmp/uploads` (content gets deleted on gitea restart)
-;TEMP_PATH = data/tmp/uploads
+TEMP_PATH = /var/lib/gitea/uploads
 ;;
 ;; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
 ;ALLOWED_TYPES =
@@ -1353,7 +1352,7 @@ LEVEL = Info
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[indexer]
+[indexer]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
@@ -1364,7 +1363,7 @@ LEVEL = Info
 ;ISSUE_INDEXER_TYPE = bleve
 ;;
 ;; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve
-;ISSUE_INDEXER_PATH = indexers/issues.bleve ; Relative paths will be made absolute against _`AppWorkPath`_.
+ISSUE_INDEXER_PATH = /var/lib/gitea/indexers/issues.bleve
 ;;
 ;; Issue indexer connection string, available when ISSUE_INDEXER_TYPE is elasticsearch (e.g. http://elastic:password@localhost:9200) or meilisearch (e.g. http://:apikey@localhost:7700)
 ;ISSUE_INDEXER_CONN_STR =
@@ -1767,11 +1766,11 @@ LEVEL = Info
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[picture]
+[picture]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
-;AVATAR_UPLOAD_PATH = data/avatars
+AVATAR_UPLOAD_PATH = /var/lib/gitea/data/avatars
 ;REPOSITORY_AVATAR_UPLOAD_PATH = data/repo-avatars
 ;;
 ;; How Gitea deals with missing repository avatars
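Review bot: `TEMP_PATH = /var/lib/gitea/uploads` in the -1016 hunk gives a directory whose contents are deleted on every restart (per the comment directly above it) a name that reads like a permanent store, right beside the repositories and data directories. LOCAL_COPY_PATH in the -999 hunk already sits under /var/lib/gitea/tmp/, so `TEMP_PATH = /var/lib/gitea/tmp/uploads` would keep every wipe-on-restart path in one tree and make it harder for a later edit to aim this key at real data. A comment such as `;; scratch space, wiped on restart - never point this at persistent data` would state the constraint where the value is set. The [repository.upload] section continues outside this hunk.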
@@ -2513,11 +2512,11 @@ LEVEL = Info
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; lfs storage will override storage
 ;;
-;[lfs]
+[lfs]
 ;STORAGE_TYPE = local
 ;;
 ;; Where your lfs files reside, default is data/lfs.
-;PATH = data/lfs
+PATH = /var/lib/gitea/lfs
 ;;
 ;; override the minio base path if storage type is minio
 ;MINIO_BASE_PATH = lfs/
diff --git a/base/gitea/gitea.service.d.conf b/base/gitea/gitea.service.d.conf
index 06cadfe..ef2de8a 100644
--- a/base/gitea/gitea.service.d.conf
+++ b/base/gitea/gitea.service.d.conf
@@ -1,6 +1,14 @@
 [Service]
-# If you don't want Gitea to be able to run on a port below 1024,
-# comment out the two values below
+# If you want to bind Gitea to a port below 1024, uncomment
+# the two values below, or use socket activation to pass Gitea its ports as above
+###
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+###
+# In some cases, when using CapabilityBoundingSet and AmbientCapabilities option, you may want to
+# set the following value to false to allow capabilities to be applied on gitea process. The following
+# value if set to true sandboxes gitea service and prevent any processes from running with privileges
+# in the host user namespace.
+###
+#PrivateUsers=false
 ###
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_BIND_SERVICE
diff --git a/base/gitea/gitea.spec b/base/gitea/gitea.spec
index c5d2048..ee6b07a 100644
--- a/base/gitea/gitea.spec
+++ b/base/gitea/gitea.spec
@@ -3,7 +3,7 @@
 Name: gitea
 Version: 1.21.5
-Release: 4
+Release: 5%{dist}
 Summary: Git with a cup of tea, painless self-hosted git service
 License: MIT
 Group: Development/Other
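Review bot: Commenting out `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` in gitea.service.d.conf drops the ambient capability, but it also drops the only bounding-set restriction this drop-in applied, so unless the main unit sets one (not visible here) the service now starts with the default, unrestricted bounding set. For the default port 3000 an explicit empty assignment, `CapabilityBoundingSet=`, keeps the least-privilege intent, and the commented CAP_NET_BIND_SERVICE pair can stay as the opt-in for low ports. The new comment text also refers to socket activation "as above" and to PrivateUsers being "set to true", neither of which appears in this file, so it should name the unit file it is describing.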
@@ -45,7 +45,7 @@ mkdir -p %{buildroot}%{_localstatedir}/log/%{name}
 mkdir -p %{buildroot}%{_sysconfdir}/systemd/system/%{name}.service.d/
 install -Dm 0755 %{name} %{buildroot}%{_bindir}/%{name}
 install -Dm 0640 %{SOURCE10} %{buildroot}%{_unitdir}/%{name}.service
-install -Dm 0640 %{SOURCE10} %{buildroot}%{_sysconfdir}/systemd/system/%{name}.service.d/port.conf
+install -Dm 0640 %{SOURCE11} %{buildroot}%{_sysconfdir}/systemd/system/%{name}.service.d/port.conf
 install -Dm 0660 %{SOURCE12} %{buildroot}%{_sysconfdir}/%{name}/app.ini
 install -p -D -m 0644 %{SOURCE6} \
@@ -64,9 +64,13 @@ cp -r options public templates %{buildroot}%{_datadir}/%{name}/web
 %post
 %tmpfiles_create %{_tmpfilesdir}/%{name}.conf
+%systemd_post gitea.service
+
+%preun
+%systemd_preun gitea.service
 %postun
-userdel gitea
+%systemd_postun gitea.service
 %files
 %doc custom/conf/app.example.ini
@@ -83,6 +87,9 @@ userdel gitea
 %{_sysusersdir}/%{name}.conf
 %changelog
+* Wed Feb 21 2024 Raven - 1.21.5-5
+- add systemd scriptlets
+
 * Wed Feb 21 2024 Raven - 1.21.5-4
 - add CAP_NET_BIND_SERVICE
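Review bot: The corrected `%{SOURCE11}` line in the -45 hunk still installs the package's drop-in as port.conf under `%{_sysconfdir}/systemd/system/%{name}.service.d/`, which is the administrator's override directory, and the new drop-in text asks the admin to edit that very file. Unless %files (outside this hunk) lists it as `%config(noreplace)`, an upgrade replaces the edited copy and reverts a local capability or PrivateUsers choice without notice. Shipping the vendor default under `%{_unitdir}/%{name}.service.d/` and leaving /etc to the admin avoids that. The %install section starts and ends outside this hunk.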
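Review bot: `%systemd_postun gitea.service` in the new %postun of the -64 hunk does not restart the service on upgrade, so after a security update the old binary keeps serving until someone restarts it by hand. `%systemd_postun_with_restart gitea.service` is the variant that restarts a running service when the package is upgraded. Dropping `userdel gitea` is the right call, since an unconditional %postun also runs on upgrade and would leave the data owned by a UID that a later account could be given. The scriptlet macros need the systemd RPM macros at build time, which would be declared outside this hunk.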