├── .editorconfig ├── .env.example ├── .github ├── CODE_OF_CONDUCT.md ├── ISSUE_TEMPLATE.md └── PULL_REQUEST_TEMPLATE.md ├── .gitignore ├── CHANGELOG.md ├── README.TLS.md ├── README.md ├── backup └── init │ ├── README.md │ ├── user.sh │ └── user.sql ├── ci ├── config ├── README.md ├── gitea │ ├── .gitignore │ ├── README.md │ ├── app.example.ini │ ├── app.kubernetes.example.ini │ └── kustomization.yaml ├── gogs │ ├── .gitignore │ ├── README.md │ ├── app.example.ini │ ├── app.kubernetes.example.ini │ └── kustomization.yaml ├── nginx │ ├── .gitignore │ ├── auth │ │ ├── README.md │ │ └── nginx.htpasswd │ ├── demo-docker-registry.config │ ├── demo-drone.config │ ├── demo-gogs.config │ └── ssl │ │ ├── .gitignore │ │ ├── t.khs1994.com.crt │ │ └── t.khs1994.com.key └── registry │ ├── .gitignore │ ├── README.md │ ├── config.example.yml │ └── default │ ├── .gitignore │ └── config.yml ├── docker-ci.yml ├── docs ├── SUMMARY.md ├── github.md ├── gogs.md └── secret.md ├── git-compose ├── github-compose.yaml ├── gitlab-compose.yaml ├── gogs-compose.yaml └── production-compose.yaml ├── kubernetes ├── .gitignore ├── README.md ├── drone-runner │ ├── README.md │ ├── docker │ │ ├── base │ │ │ ├── docker.yaml │ │ │ └── kustomization.yaml │ │ └── kustomization.yaml │ ├── kubernetes │ │ ├── base │ │ │ ├── kubernetes.yaml │ │ │ ├── kustomization.yaml │ │ │ └── rbac.yaml │ │ └── kustomization.yaml │ └── kustomization.yaml ├── drone │ ├── base │ │ ├── drone.yaml │ │ └── kustomization.yaml │ ├── kustomization.yaml │ └── providers │ │ ├── gitea │ │ ├── gitea.yaml │ │ └── kustomization.yaml │ │ └── github │ │ ├── github.yaml │ │ └── kustomization.yaml ├── gitea │ ├── base │ │ ├── gitea.yaml │ │ └── kustomization.yaml │ └── kustomization.yaml ├── gogs │ ├── base │ │ ├── gogs.yaml │ │ └── kustomization.yaml │ └── kustomization.yaml ├── ingress-nginx │ ├── base │ │ ├── ingress-nginx.yaml │ │ └── kustomization.yaml │ ├── ingress-tcp-8022 │ │ ├── README.md │ │ └── kustomization.yaml │ └── 
kustomization.yaml ├── minio │ ├── base │ │ ├── kustomization.yaml │ │ └── pvc.yaml │ └── kustomization.yaml ├── mysql │ ├── base │ │ ├── kustomization.yaml │ │ ├── pv.yaml │ │ └── pvc.yaml │ └── kustomization.yaml └── redis │ ├── base │ ├── kustomization.yaml │ ├── pv.yaml │ └── pvc.yaml │ └── kustomization.yaml ├── logs ├── .gitignore └── README.md ├── renovate.json ├── scripts └── docker-compose.bump.yml ├── secrets ├── README.md └── mysql.env └── server ├── .gitignore ├── README.md └── index.php /.editorconfig: -------------------------------------------------------------------------------- 1 | # EditorConfig is awesome: https://EditorConfig.org 2 | 3 | root = true 4 | 5 | [*] 6 | 7 | indent_style = space 8 | 9 | indent_size = 2 10 | 11 | end_of_line = lf 12 | 13 | charset = utf-8 14 | 15 | trim_trailing_whitespace = true 16 | 17 | insert_final_newline = true 18 | 19 | 20 | [*.md] 21 | 22 | trim_trailing_whitespace = false 23 | 24 | [*.py] 25 | 26 | indent_size = 4 27 | 28 | [Makefile] 29 | 30 | indent_style = tab 31 | -------------------------------------------------------------------------------- /.env.example: -------------------------------------------------------------------------------- 1 | # CI_INCLUDE="gogs registry mysql redis nginx" 2 | 3 | CI_INCLUDE="gogs registry mysql redis" 4 | 5 | CI_DEBUG=true 6 | # CI_DEBUG=false 7 | 8 | CI_GIT_TYPE=gogs 9 | 10 | # CI_GIT_TYPE=github 11 | # CI_GIT_TYPE=gitlab 12 | # CI_GIT_TYPE=production 13 | 14 | # 15 | # 使用外部的 MySQL Redis (高级选项) 16 | # 17 | 18 | CI_EXTERNAL_MYSQL_HOST= 19 | CI_EXTERNAL_MYSQL_PORT=3306 20 | CI_EXTERNAL_MYSQL_USERNAME= 21 | CI_EXTERNAL_MYSQL_PASSWORD= 22 | CI_EXTERNAL_MYSQL_DATABASE=gogs 23 | 24 | CI_EXTERNAL_REDIS_HOST= 25 | CI_EXTERNAL_REDIS_PORT=6379 26 | 27 | # 28 | # Port 29 | # 30 | 31 | CI_DRONE_PORT=8000 32 | 33 | CI_GOGS_PORT=3000 34 | 35 | CI_GOGS_SSH_PORT=8022 36 | 37 | CI_REGISTRY_PORT=5000 38 | 39 | # set open db and cache port 40 | 41 | CI_REDIS_PORT=16379 42 | 43 | 
CI_MYSQL_PORT=13306 44 | 45 | ################################################################################ 46 | 47 | # 48 | # 基于端口版 49 | # 50 | 51 | CI_HOST= 52 | # CI_HOST=192.168.199.100 53 | 54 | # TLS only 55 | CI_DOMAIN= 56 | # CI_DOMAIN=t.khs1994.com 57 | 58 | # Drone 网站将为 drone.CI_DOMAIN 59 | # gogs 网站将为 git.CI_DOMAIN 60 | ################################################################################ 61 | 62 | # 63 | # [Gogs] 64 | # 65 | 66 | CI_MAIL_HOST= 67 | CI_MAIL_FROM= 68 | CI_MAIL_USERNAME= 69 | CI_MAIL_PASSWORD= 70 | 71 | # 72 | # [Registry] 73 | # 74 | 75 | WEBHOOKS_HOST= 76 | REDIS_HOST=redis:6379 77 | 78 | ################################################################################ 79 | 80 | # 81 | # [Drone] https://docs.drone.io/server/reference/ 82 | # 83 | 84 | DRONE_RPC_SECRET=secret 85 | 86 | # 87 | # [Drone Gogs] https://docs.drone.io/server/provider/gogs/ 88 | # 89 | 90 | DRONE_GIT_ALWAYS_AUTH=false 91 | 92 | # 93 | # [Drone GitHub] https://docs.drone.io/server/provider/github/ 94 | # 95 | 96 | DRONE_GITHUB_SERVER=https://github.com 97 | DRONE_GITHUB_CLIENT_ID= 98 | DRONE_GITHUB_CLIENT_SECRET= 99 | 100 | # https://docs.drone.io/server/reference/drone-user-create/ 101 | # Drone 启动时创建的账户 102 | # 可以将此账户设置为 [管理员账户](https://docs.drone.io/server/user/admin/) 103 | # 只有管理员账户所属的仓库才可以启用 `Trusted` 选项(使用 volumes 等特权指令) 104 | # 设置此变量请将 USERNAME 替换为自己的 (github 用户名或 gogs 用户名) 105 | # 或者参考 https://docs.drone.io/server/user/admin/ 使用 CLI 设置管理员 106 | DRONE_USER_CREATE= 107 | # DRONE_USER_CREATE=username:USERNAME,admin:true 108 | # DRONE_USER_CREATE=username:khs1994,machine:false,admin:true,token:$(openssl rand -hex 16) 109 | 110 | # https://docs.drone.io/server/reference/drone-user-filter/ 111 | # https://docs.drone.io/server/user/registration/ 112 | # Drone 允许哪些用户注册 113 | # 值可以是用户名或组织名 114 | DRONE_USER_FILTER= 115 | # DRONE_USER_FILTER=khs1994,github 116 | 117 | # 118 | # [Drone GitLab] https://docs.drone.io/server/provider/gitlab/ 119 | # 120 | 
121 | DRONE_GITLAB_CLIENT_ID= 122 | DRONE_GITLAB_CLIENT_SECRET= 123 | 124 | DRONE_GITLAB_SERVER= 125 | 126 | # 127 | # [Drone docker runner] 128 | # 129 | 130 | DRONE_RUNNER_NAME= 131 | DRONE_UI_DISABLED=true 132 | # DRONE_UI_DISABLED=false 133 | DRONE_UI_USERNAME=root 134 | DRONE_UI_PASSWORD=root 135 | 136 | ################################################################################ 137 | 138 | # Don't Edit 139 | 140 | # 141 | # TLS 142 | # 143 | 144 | # DRONE_SERVER_CERT=/etc/certs/drone.t.khs1994.com.crt 145 | # DRONE_SERVER_KEY=/etc/certs/drone.t.khs1994.com.key 146 | 147 | CI_DB_TYPE= 148 | 149 | CI_DRONE_VERSION=2.16.0 150 | CI_NGINX_VERSION=1.27.0 151 | CI_REDIS_VERSION=7.0.0 152 | CI_MYSQL_VERSION=8.0.33 153 | 154 | DRONE_GITHUB_CLIENT_ID_TEST= 155 | DRONE_GITHUB_CLIENT_SECRET_TEST= 156 | -------------------------------------------------------------------------------- /.github/CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation. 
6 | 7 | ## Our Standards 8 | 9 | Examples of behavior that contributes to creating a positive environment include: 10 | 11 | * Using welcoming and inclusive language 12 | * Being respectful of differing viewpoints and experiences 13 | * Gracefully accepting constructive criticism 14 | * Focusing on what is best for the community 15 | * Showing empathy towards other community members 16 | 17 | Examples of unacceptable behavior by participants include: 18 | 19 | * The use of sexualized language or imagery and unwelcome sexual attention or advances 20 | * Trolling, insulting/derogatory comments, and personal or political attacks 21 | * Public or private harassment 22 | * Publishing others' private information, such as a physical or electronic address, without explicit permission 23 | * Other conduct which could reasonably be considered inappropriate in a professional setting 24 | 25 | ## Our Responsibilities 26 | 27 | Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior. 28 | 29 | Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful. 30 | 31 | ## Scope 32 | 33 | This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers. 
34 | 35 | ## Enforcement 36 | 37 | Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at khs1994@khs1994.com. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately. 38 | 39 | Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership. 40 | 41 | ## Attribution 42 | 43 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [https://www.contributor-covenant.org/version/1/4/][version] 44 | 45 | [homepage]: https://www.contributor-covenant.org 46 | [version]: https://www.contributor-covenant.org/version/1/4/ 47 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ### 操作系统 4 | 5 | 6 | 7 | * [x] Linux 8 | * [x] Ubuntu 9 | * [x] Debian 10 | * [x] CentOS 11 | * [x] CoreOS 12 | * [x] Other 13 | * [x] macOS 14 | * [x] Raspberry Pi 15 | * [x] Windows 10 16 | 17 | ### Docker 版本 18 | 19 | 20 | 21 | * [x] Test (v20.10) 22 | * [x] Stable (v20.10) 23 | * [x] 其他 Docker 版本请升级到以上版本 24 | 25 | ### 部署环境 26 | 27 | 28 | 29 | * [x] 家庭网 30 | * [x] 云服务器(阿里云、腾讯云) 31 | 32 | ### 部署版本 33 | 34 | 35 | 36 | * [x] 基于端口 37 | * [x] TLS(HTTPS) 38 | 39 | ### GIT 服务商 40 | 41 | 42 | 43 | * [x] Gogs 44 | * [x] GitHub 45 | 46 | ### 使用场景 47 | 48 | 49 | 50 | * [x] 个人使用 51 | * [x] 公司使用 52 | 53 | ### 问题描述 54 | 55 | 56 | 57 | ```bash 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | ``` 68 | 69 | -------------------------------------------------------------------------------- 
/.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # 主要改变(贡献者选项) 4 | 5 | 6 | 7 | # 发布版本(开发者选项) 8 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | .env 3 | docker-compose.yml 4 | docker-ci.override.yml 5 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | * Drone `2.x` 2 | -------------------------------------------------------------------------------- /README.TLS.md: -------------------------------------------------------------------------------- 1 | # 私有化 CI/CD 解决方案 (TLS) 2 | 3 | [![GitHub stars](https://img.shields.io/github/stars/khs1994-docker/ci.svg?style=social&label=Stars)](https://github.com/khs1994-docker/ci) [![star](https://gitee.com/khs1994-docker/ci/badge/star.svg?theme=dark)](https://gitee.com/khs1994-docker/ci/stargazers) 4 | 5 | * [支持文档](docs) 6 | 7 | * [问题反馈](https://github.com/khs1994-docker/ci/issues) 8 | 9 | ## 重要提示 10 | 11 | 本项目基于 [Drone `2.x`](https://docs.drone.io/) 版本。 12 | 13 | ## 微信订阅号 14 | 15 |

16 | 17 |

18 | 19 |

关注项目作者微信订阅号,接收项目最新动态

20 | 21 | ## 内部端口 22 | 23 | * `Gogs` **3000** **22** 24 | 25 | * `Drone` **8000** 26 | 27 | * `Docker Registry` **5000** 28 | 29 | ## 准备 30 | 31 | * 域名 32 | 33 | * 公网 IP (推荐,但不是必须) 34 | 35 | * `*.CI_DOMAIN` 通配符 TLS 证书 (acme.sh 可以免费申请)或 `git.CI_DOMAIN` `drone.CI_DOMAIN` 网址的 TLS 证书。 36 | 37 | ## 快速开始 38 | 39 | ### 初始化 40 | 41 | 首次使用本项目时,务必执行以下命令完成初始化。 42 | 43 | ```bash 44 | $ ./ci 45 | ``` 46 | 47 | ### 编辑 `.env` 文件 48 | 49 | * `CI_HOST` 为主机 IP (建议使用内网 IP, 例如 `192.168.199.100`) 50 | 51 | * `CI_DOMAIN` 为服务主域名(例如 `t.khs1994.com`) 52 | 53 | ### 安全 54 | 55 | 在 `.env` 文件中配置如下两个变量 56 | 57 | * `DRONE_USER_CREATE` Drone 启动时创建的用户 58 | * `DRONE_USER_FILTER` Drone 允许哪些用户注册,留空即表示允许所有用户注册,将会造成资源浪费,**强烈建议** 配置该选项 59 | 60 | ### 使用 khs1994-docker/lnmp 的 MySQL Redis NGINX 服务(可选项) 61 | 62 | 修改 `.env` 中的 `CI_INCLUDE` 变量,若 git 使用 Gogs 则只保留 `gogs` 即可,若使用 GitHub,请留空 `CI_INCLUDE=""`。 63 | 64 | ```bash 65 | CI_INCLUDE="gogs" 66 | ``` 67 | 68 | 并按如下内容修改 `.env` 文件 69 | 70 | ```bash 71 | # CI_GIT_TYPE=gogs 72 | 73 | CI_GIT_TYPE=github 74 | ``` 75 | 76 | > 启动之前必须先启动 khs1994-docker/lnmp 77 | 78 | ```bash 79 | $ ./ci up-tls --config 80 | ``` 81 | 82 | 检查 `docker-compose.yml` 配置是否正确,之后启动 83 | 84 | ```bash 85 | $ ./ci up-tls 86 | ``` 87 | 88 | 将生成的 NGINX 配置移入 `khs1994-docker/lnmp` 项目的 NGINX 配置目录 89 | 90 | `config/nginx/drone.conf` `config/nginx/gogs.conf` 91 | 92 | 自行调整 SSL 相关配置。 93 | 94 | 将 SSL 证书移入 khs1994-docker/lnmp 项目的 NGINX 配置目录的 `ssl` 文件夹内。 95 | 96 | 注意 SSL 证书文件名必须与 NGINX 配置一致。 97 | 98 | NGINX 配置好之后,重启 `khs1994-docker/lnmp` 99 | 100 | ```bash 101 | $ ./lnmp-docker restart nginx 102 | ``` 103 | 104 | ### `443` 端口是否占用 105 | 106 | > 若使用 khs1994-docker/lnmp 的 NGINX 服务,请忽略此节。 107 | 108 | 根据 `443` 端口是否占用情况,使用下面的命令启动 CI `服务`。 109 | 110 | * 已占用->实体机运行 NGINX 111 | 112 | ```bash 113 | $ ./ci up-tls --use-external-nginx=/etc/nginx/conf.d 114 | ``` 115 | 116 | 重启 NGINX (`--use-external-nginx` 后边的路径为 NGINX 配置文件所在路径,必须为绝对路径) 117 | 118 | * 已占用->容器运行 NGINX 119 | 120 | ```bash 121 | $ ./ci up-tls 
--use-external-nginx=/etc/nginx/conf.d 122 | ``` 123 | 124 | 重启 NGINX 容器 125 | 126 | * 未占用 127 | 128 | 编辑 `.env` 文件 129 | 130 | ```bash 131 | CI_INCLUDE="gogs nginx redis mysql" 132 | ``` 133 | 134 | ```bash 135 | $ ./ci up-tls [-d] [--reset] 136 | ``` 137 | 138 | ## 访问测试 139 | 140 | 假设 `CI_DOMAIN` 设置为 `t.khs1994.com` 141 | 142 | 则 Drone 访问地址为 `https://drone.t.khs1994.com`,Gogs 访问地址为 `https://git.t.khs1994.com` 143 | 144 | ## 错误排查 145 | 146 | 进入 `logs` 文件夹内,查看日志文件排错。 147 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # 私有化 CI/CD 解决方案 2 | 3 | [![GitHub stars](https://img.shields.io/github/stars/khs1994-docker/ci.svg?style=social&label=Stars)](https://github.com/khs1994-docker/ci) [![star](https://gitee.com/khs1994-docker/ci/badge/star.svg?theme=dark)](https://gitee.com/khs1994-docker/ci/stargazers) 4 | 5 | * [支持文档](docs) 6 | 7 | * [问题反馈](https://github.com/khs1994-docker/ci/issues) 8 | 9 | ## 重要提示 10 | 11 | 本项目基于 [Drone `2.x`](https://docs.drone.io/) 版本。 12 | 13 | ## 微信订阅号 14 | 15 |

16 | 17 |

18 | 19 |

关注项目作者微信订阅号,接收项目最新动态

20 | 21 | ## CI & DevOps 工作流程 22 | 23 | **1.** 本地编写 Dockerfile,CI 构建镜像推送到私有仓库(Docker Registry) 24 | 25 | **2.** 本地开发项目,项目根目录编写 `.drone.yml` 文件,推送到 git (例如,GitHub,Gogs ...) 26 | 27 | **3.** Drone 自动拉取代码完成编译,部署 (Drone 本质就是在指定的容器中运行指定的命令,通过项目根目录中的 `.drone.yml` 文件指定)。 28 | 29 | **4.** 支持哪些编程语言?理论上支持所有的编程语言! 30 | 31 | ## With TLS ? 32 | 33 | 本教程通过 IP + 不同端口 来提供不同的服务,如果你想要通过域名(`TLS`)来提供不同的服务,请查看 [README.TLS.md](README.TLS.md)。 34 | 35 | ## 准备 36 | 37 | * 了解 CI(Drone 和大多数 CI 工具一样,不过 Drone 可以免费的进行私有部署) 38 | 39 | * 有公网 IP 的云服务器(推荐,但不是必须) 40 | 41 | * Docker CE v18.09 Stable + 42 | 43 | * docker compose v2 44 | 45 | * 知道如何注册 GitHub App (GitHub only) 46 | 47 | * `$ brew install gnu-sed` (macOS only) 48 | 49 | ## 快速开始 50 | 51 | ### 安装 52 | 53 | > 已经使用 khs1994-docker/lnmp?请直接执行 `$ cd ~/lnmp/drone` 54 | 55 | ```bash 56 | $ git clone https://github.com/khs1994-docker/ci.git ~/ci 57 | 58 | $ cd ~/ci 59 | ``` 60 | 61 | #### Windows 用户使用 WSL 62 | 63 | ```bash 64 | $ wsl 65 | ``` 66 | 67 | ### 修改配置 68 | 69 | 执行以下命令完成初始化,然后修改配置。 70 | 71 | ```bash 72 | $ ./ci 73 | ``` 74 | 75 | ### 配置 hosts 76 | 77 | 修改 `.env` 中的 `CI_HOST` 变量值为 `你自己的 IP`(例如 `云服务器公网 IP`、`路由器分配给电脑的 IP`) 78 | 79 | ### 内置 MySQL 密码(可选) 80 | 81 | 修改 `secrets/mysql.env` 中的 `MYSQL_ROOT_PASSWORD` 变量值为 MySQL 密码。 82 | 83 | ### 安全 84 | 85 | 在 `.env` 文件中配置如下两个变量 86 | 87 | * `DRONE_USER_CREATE` Drone 启动时创建哪些用户 88 | * `DRONE_USER_FILTER` Drone 允许哪些用户注册,留空即表示允许所有用户注册,将会造成资源浪费,**强烈建议** 配置该选项 此外,`./ci` 初始化时会将 `.env.example` 原样复制为 `.env`,其中 `DRONE_RPC_SECRET=secret` 只是示例值,启动前请改为随机字符串(例如 `openssl rand -hex 16` 的输出)。 89 | 90 | ### 启用软件 91 | 92 | 修改 `.env` 中的 `CI_INCLUDE` 变量。 93 | 94 | ### 使用 khs1994-docker/lnmp 的 MySQL Redis 服务(可选项) 95 | 96 | 修改 `.env` 中的 `CI_INCLUDE` 变量,若 Git 使用 `Gogs` 则只保留 `gogs` 即可,若使用 `GitHub` 请留空 `CI_INCLUDE=""`。 97 | 98 | ```bash 99 | CI_INCLUDE="gogs" 100 | ``` 101 | 102 | 编辑 `docker-compose.override.yml`,将以下内容取消注释。 103 | 104 | ```yaml 105 | networks: 106 | backend: 107 | external: true 108 | name: lnmp_backend 109 | frontend: 110 | external: true 111 | name: lnmp_frontend 112 | ``` 113 | 114 | > 启动之前必须先启动 khs1994-docker/lnmp 115 | 116 | ###
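使用外部服务(高级选项) 117 | 118 | 编辑 `.env` 文件,编辑 `CI_INCLUDE` 变量,去掉内置的软件名,之后填写外部服务的相关配置 119 | 120 | ```bash 121 | # CI_INCLUDE="gogs registry mysql redis" 122 | 123 | CI_INCLUDE="gogs registry" 124 | 125 | CI_EXTERNAL_MYSQL_HOST= 126 | CI_EXTERNAL_MYSQL_PORT= 127 | CI_EXTERNAL_MYSQL_USERNAME= 128 | CI_EXTERNAL_MYSQL_PASSWORD= 129 | CI_EXTERNAL_MYSQL_DATABASE= 130 | 131 | CI_EXTERNAL_REDIS_HOST= 132 | ``` 133 | 134 | ### 选择 Git 服务商 135 | 136 | 默认使用 `Gogs` ,如需使用 `GitHub` 按如下内容修改 `.env` 文件 137 | 138 | ```bash 139 | # CI_GIT_TYPE=gogs 140 | 141 | CI_GIT_TYPE=github 142 | ``` 143 | 144 | ## 启动 145 | 146 | ```bash 147 | $ ./ci up --config 148 | ``` 149 | 150 | 检查 `docker-compose.yml` 配置是否正确,之后启动 151 | 152 | ```bash 153 | $ ./ci up [-d] [--reset] 154 | ``` 155 | 156 | ## 访问服务 157 | 158 | > 能不开放端口尽量不开放(例如数据库、缓存)。 159 | 160 | * git HTTP **3000** 161 | 162 | * git SSH **8022** 163 | 164 | * drone **8000** 165 | 166 | * registry **5000** 167 | 168 | ## 启用构建 169 | 170 | 在 `Drone` 页面登录账号,点击右上角 `sync` 按钮,在项目列表点击项目,并启用。之后将项目推送到 Git,可以看到 Drone 开始构建项目。 171 | 172 | ## 使用示例 173 | 174 | * [PHP](https://github.com/khs1994-php/tencent-ai) 175 | 176 | ## More Information 177 | 178 | * [Gogs](https://github.com/gogs/gogs) 179 | 180 | * [Gogs Docker](https://github.com/gogs/gogs/tree/master/docker) 181 | 182 | * [Drone](https://github.com/drone) 183 | 184 | * [Drone Documents](https://docs.drone.io/) 185 | 186 | * [Drone Docker](https://hub.docker.com/u/drone) 187 | -------------------------------------------------------------------------------- /backup/init/README.md: -------------------------------------------------------------------------------- 1 | # MySQL 初始化脚本 2 | -------------------------------------------------------------------------------- /backup/init/user.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# MySQL init script (backup/init): re-point root@localhost to the
# mysql_native_password plugin using the password in MYSQL_ROOT_PASSWORD
# (the variable the stack reads from secrets/mysql.env).
#
# The original invoked `mysql -uroot -p${MYSQL_ROOT_PASSWORD} -e "... BY '${MYSQL_ROOT_PASSWORD}'"`,
# which put the root password on the command line twice (the -p option and
# the -e statement), where any local user can read it from the process list.
# The password now reaches the client only via MYSQL_PWD and stdin.
#
# Caveat, unchanged from the original: a password containing a single quote
# breaks the SQL string literal below.

# Fail fast instead of letting `mysql` fall back to an interactive password prompt.
: "${MYSQL_ROOT_PASSWORD:?MYSQL_ROOT_PASSWORD must be set}"

MYSQL_PWD="$MYSQL_ROOT_PASSWORD" mysql -uroot <<SQL
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '${MYSQL_ROOT_PASSWORD}';
SQL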
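-------------------------------------------------------------------------------- /backup/init/user.sql: -------------------------------------------------------------------------------- 1 | # ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'mytest' 2 | 3 | SELECT * from mysql.user\G; 4 | -------------------------------------------------------------------------------- /ci: --------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# CI-CLI: renders the Gogs / Registry / NGINX / Compose templates under
# ./config and ./git-compose from the variables in .env and secrets/mysql.env,
# then starts the stack with `docker compose`.
#
#   Usage: ./ci COMMAND [options]   (see print_help_info)
#   Debug: DEBUG=1 ./ci COMMAND     (DEBUG=true is accepted as well)

# Print the usage text and exit 0.
# The original used `exec echo`, which ended the script the same way; the
# explicit exit makes that intent visible.
print_help_info(){
  echo "
CI-CLI 2.16.0

Donate WebSite https://zan.khs1994.com

Usage: ./ci COMMAND options

Debug: DEBUG=1 ./ci COMMAND options

Options:
  -d                    后台运行

  --use-external-nginx  使用外部 NGINX = 后边值为配置文件路径 (TLS Only)

  --config              生成 docker-compose.yml 文件

Commands:
  up [-d]
  down

  up-tls [-d] [--use-external-nginx=/etc/nginx/conf.d]

  swarm-deploy [TODO]
  swarm-remove [TODO]

  k8s-create [TODO]
  k8s-delete [TODO]

  reset 重置,恢复原始状态

Read './docs/*.md' for more information about CLI commands.

You can open issue in [ https://github.com/khs1994-docker/ci/issues ] when you meet problems.

You must Update .env file when update this project.
"
  exit 0
}

# Print an error message on stderr and exit 1.
#
# The original reported errors with `exec echo ...`: that terminated the
# script, but with echo's exit status (0), so a failed run was
# indistinguishable from a successful one for the caller.
_die(){
  echo "$@" >&2
  exit 1
}

# _cp SRC DST: copy SRC to DST only when DST does not exist yet, so files the
# operator already edited are never overwritten on a re-run.
_cp(){
  if [ ! -f "$2" ]; then cp "$1" "$2"; fi
}

# Create the operator-editable files from their examples and verify that
# docker compose v2 is available.
_init(){
  _cp .env.example .env
  _cp config/gitea/app.kubernetes.example.ini config/gitea/app.kubernetes.ini

  if ! docker compose version > /dev/null 2>&1; then
    _die "Error: docker compose v2 not install"
  fi
}

# Remove the generated configuration files (keeps .env and the compose override).
_reset_(){
  rm -rf config/gogs/app.ini \
    config/registry/config.yml \
    config/nginx/*.conf
}

# Full reset: generated files plus .env and docker-ci.override.yml.
_reset(){
  _reset_
  rm -rf .env docker-ci.override.yml
}

# Warn when credentials copied verbatim from .env.example are still in use.
# A warning rather than an abort, so existing setups keep working.
_check_secrets(){
  if [ "${DRONE_RPC_SECRET:-}" = 'secret' ]; then
    echo "Warning: DRONE_RPC_SECRET in .env is still the example value 'secret'; set it to a random string (e.g. the output of: openssl rand -hex 16)" >&2
  fi

  if [ "${DRONE_UI_DISABLED:-}" != 'true' ] && [ "${DRONE_UI_PASSWORD:-}" = 'root' ]; then
    echo "Warning: DRONE_UI_PASSWORD in .env is still the example value 'root' while DRONE_UI_DISABLED is not 'true'" >&2
  fi
}

# Render the templates shared by `up` and `up-tls`: Gogs app.ini, the compose
# override for the selected git provider, and the registry config.
# MYSQL_DATABASE / MYSQL_ROOT_PASSWORD are expected to come from
# secrets/mysql.env, which is sourced before any command runs.
# NOTE: '#' is the sed delimiter, so a variable value containing '#' breaks
# the substitution (unchanged from the original).
_sed_common(){
  local db_type="${CI_DB_TYPE:-mysql}"
  local file

  sed -e "s#{{ DB_TYPE }}#${db_type}#g" \
    config/gogs/app.example.ini \
    > config/gogs/app.ini

  # The override is generated only once so that manual edits survive re-runs.
  if ! [ -f docker-ci.override.yml ]; then
    sed -e "s#{{ DB_TYPE }}#${db_type}#g" \
      "git-compose/${CI_GIT_TYPE:-gogs}-compose.yaml" \
      > docker-ci.override.yml
  fi

  for file in config/gogs/app.ini docker-ci.override.yml; do
    sed -i -e "s#{{ DB_HOST }}#${CI_EXTERNAL_MYSQL_HOST:-mysql}:${CI_EXTERNAL_MYSQL_PORT:-3306}#g" \
      -e "s#{{ DB_DATABASE }}#${CI_EXTERNAL_MYSQL_DATABASE:-$MYSQL_DATABASE}#g" \
      -e "s#{{ DB_USERNAME }}#${CI_EXTERNAL_MYSQL_USERNAME:-root}#g" \
      -e "s#{{ DB_PASSWORD }}#${CI_EXTERNAL_MYSQL_PASSWORD:-$MYSQL_ROOT_PASSWORD}#g" \
      "$file"
  done

  sed -i -e "s#{{ MAIL_HOST }}#${CI_MAIL_HOST}#g" \
    -e "s#{{ MAIL_FROM }}#${CI_MAIL_FROM}#g" \
    -e "s#{{ MAIL_USERNAME }}#${CI_MAIL_USERNAME}#g" \
    -e "s#{{ MAIL_PASSWORD }}#${CI_MAIL_PASSWORD}#g" \
    -e "s#{{ SSH_PORT }}#${CI_GOGS_SSH_PORT:-8022}#g" \
    config/gogs/app.ini

  cp config/registry/config.example.yml config/registry/config.yml
}

# Drone server/provider placeholders for the port-based (plain http) mode.
_up_sed(){
  sed -i -e "s#{{ DRONE_SERVER_HOST }}#${CI_HOST:-192.168.199.100}:${CI_DRONE_PORT:-8000}#g" \
    -e "s#{{ DRONE_GOGS_SERVER }}#http://${CI_HOST:-192.168.199.100}:${CI_GOGS_PORT:-3000}#g" \
    -e "s#{{ DRONE_SERVER_PROTO }}#http#g" \
    docker-ci.override.yml
}

# `up`: port-based deployment (IP + ports, no TLS).
_up(){
  _reset_ ; _init
  _sed_common

  # Gogs is reached by IP:port here, so the TLS-only keys are commented out.
  sed -i -e "s#{{ CI_DOMAIN }}#${CI_HOST:-192.168.199.100}#g" \
    -e "s#{{ CI_DOMAIN_FULL }}#${CI_HOST:-192.168.199.100}#g" \
    -e "s#{{ CI_GOGS_PORT }}#${CI_GOGS_PORT:-3000}#g" \
    -e "s#{{ PROTOCOL }}#http#g" \
    -e "s!^CERT_FILE.*!#CERT_FILE!g" \
    -e "s!^KEY_FILE.*!#KEY_FILE!g" \
    -e "s!^TLS_MIN_VERSION.*!#TLS_MIN_VERSION!g" \
    config/gogs/app.ini

  sed -i -e "s#{{ REDIS_HOST }}#${CI_EXTERNAL_REDIS_HOST:-$REDIS_HOST}#g" \
    -e "s#{{ WEBHOOKS_HOST }}#${WEBHOOKS_HOST:-http://192.168.199.100}#g" \
    config/registry/config.yml

  _up_sed

  # `-` (not `:-`): an explicitly empty CI_INCLUDE means "no extra services".
  CI_INCLUDE=${CI_INCLUDE-drone-server drone-docker-runner gogs registry}

  # Port-based mode never starts nginx, even if CI_INCLUDE lists it.
  local soft
  local CI_INCLUDE_TARGET=''
  for soft in $CI_INCLUDE; do
    if [ "$soft" = 'nginx' ]; then continue; fi
    CI_INCLUDE_TARGET+="$soft "
  done

  # COMPOSE_FILE / CI_COMPOSE_OPT / CI_INCLUDE_TARGET are deliberately
  # unquoted: they hold several whitespace-separated arguments.
  docker compose ${COMPOSE_FILE:?err} config > docker-compose.yml

  if [ -n "${CI_COMPOSE_CONFIG_ONLY}" ]; then return; fi

  docker compose ${COMPOSE_FILE:?err} up ${CI_COMPOSE_OPT:-} \
    ${CI_INCLUDE_TARGET} drone-server drone-docker-runner
}

# Drone server/provider placeholders for the TLS (domain-based) mode.
_up-tls_sed(){
  sed -i -e "s#{{ DRONE_SERVER_HOST }}#drone.${CI_DOMAIN:-t.khs1994.com}#g" \
    -e "s#{{ DRONE_GOGS_SERVER }}#https://git.${CI_DOMAIN:-t.khs1994.com}#g" \
    -e "s#{{ DRONE_SERVER_PROTO }}#https#g" \
    docker-ci.override.yml
}

# Render config/nginx/*.config for an NGINX that runs outside this compose
# project (upstreams point at CI_HOST) and, when --use-external-nginx=DIR
# named an existing directory, install the result into DIR.
_sed_external_nginx(){
  # Runs in a subshell so the working directory is always restored. The
  # original did `cd config/nginx ... return` and skipped its `cd -` when DIR
  # did not exist, leaving the later `docker compose -f docker-ci.yml` in the
  # wrong directory.
  (
    cd config/nginx

    local file
    for file in *.config; do
      [ -e "$file" ] || continue
      # demo-<name>.config -> <name>.conf (same cut pipeline as the original).
      sed -e "s#{{ CI_DOMAIN }}#${CI_DOMAIN:-t.khs1994.com}#g" \
        -e "s#{{ REGISTRY_UPSTREAM }}#${CI_HOST:-192.168.199.100}#g" \
        -e "s#{{ DRONE_UPSTREAM }}#${CI_HOST:-192.168.199.100}#g" \
        -e "s#{{ GOGS_UPSTREAM }}#${CI_HOST:-192.168.199.100}#g" \
        "$file" >> "$(echo "$file" | cut -d '.' -f 1 | cut -d '-' -f 2).conf"
    done

    # A bare --use-external-nginx (no '=DIR') only renders the files; the
    # argument parser leaves the literal option text in LNMP_NGINX_CONF then.
    if [ "$LNMP_NGINX_CONF" = '--use-external-nginx' ]; then exit 0; fi
    if ! [ -d "$LNMP_NGINX_CONF" ]; then exit 0; fi

    cp -a "$PWD"/*.conf "$LNMP_NGINX_CONF"

    mkdir -p "$LNMP_NGINX_CONF/ssl" || true

    # Install the operator's certificate for CI_DOMAIN only when it exists
    # here and is not yet in DIR. The original copied ssl/* whenever
    # ssl/$CI_DOMAIN.crt was *missing*, i.e. it shipped the demo
    # t.khs1994.com key pair committed in this repository to the external
    # NGINX instead of the real certificate.
    if [ -f "ssl/$CI_DOMAIN.crt" ] && ! [ -f "$LNMP_NGINX_CONF/ssl/$CI_DOMAIN.crt" ]; then
      cp -a "$PWD/ssl/$CI_DOMAIN".* "$LNMP_NGINX_CONF/ssl"
    fi
  )
}

# Render config/nginx/*.config for the NGINX container of this compose
# project (upstreams are the compose service names).
_sed_nginx(){
  (
    cd config/nginx

    local file
    for file in *.config; do
      [ -e "$file" ] || continue
      sed -e "s#{{ CI_DOMAIN }}#${CI_DOMAIN:-t.khs1994.com}#g" \
        -e "s#{{ REGISTRY_UPSTREAM }}#registry#g" \
        -e "s#{{ DRONE_UPSTREAM }}#drone-server#g" \
        -e "s#{{ GOGS_UPSTREAM }}#gogs#g" \
        "$file" >> "$(echo "$file" | cut -d '.' -f 1 | cut -d '-' -f 2).conf"
    done
  )
}

# `up-tls`: domain-based deployment behind NGINX with TLS.
_up-tls(){
  _reset_ ; _init
  _sed_common

  sed -i -e "s#{{ CI_DOMAIN }}#${CI_DOMAIN:-t.khs1994.com}#g" \
    -e "s#{{ CI_DOMAIN_FULL }}#git.${CI_DOMAIN:-t.khs1994.com}#g" \
    -e "s#{{ CI_GOGS_PORT }}#${CI_GOGS_PORT:-443}#g" \
    -e "s#{{ PROTOCOL }}#https#g" \
    config/gogs/app.ini

  sed -i -e "s#{{ REDIS_HOST }}#${CI_EXTERNAL_REDIS_HOST:-$REDIS_HOST}#g" \
    -e "s#{{ WEBHOOKS_HOST }}#${WEBHOOKS_HOST:-https://ci.t.khs1994.com/docker/webhooks}#g" \
    config/registry/config.yml

  _up-tls_sed

  # ENABLE_NGINX=FALSE is set by the --use-external-nginx option below.
  if [ "${ENABLE_NGINX:-}" = 'FALSE' ]; then
    _sed_external_nginx
  else
    _sed_nginx
  fi

  docker compose ${COMPOSE_FILE:?err} config > docker-compose.yml

  if [ -n "${CI_COMPOSE_CONFIG_ONLY}" ]; then return; fi

  docker compose ${COMPOSE_FILE:?err} up ${CI_COMPOSE_OPT:-} \
    ${CI_INCLUDE-gogs registry} drone-server drone-docker-runner
}

# `down`: stop the stack.
_down(){
  docker compose down --remove-orphans
}

# Make sure the NGINX log files exist before a container tries to mount them.
_logs(){
  if ! [ -f logs/nginx/access.log ]; then
    mkdir -p logs/nginx
    touch logs/nginx/access.log
    touch logs/nginx/error.log
  fi
}

set -e

_logs

# The help text documents DEBUG=1; the original only honoured DEBUG=true.
case "${DEBUG:-}" in
  1|true) set -x ;;
esac

OS=$(uname -s)

# test $OS = 'Darwin' && export PATH=/usr/local/opt/gnu-sed/libexec/gnubin:$PATH

if [ "$OS" = 'Darwin' ] && [ ! -f /usr/local/opt/gnu-sed/libexec/gnubin/sed ]; then
  # The original called an undefined print_info here, so under `set -e` the
  # script died with "command not found" before showing this hint.
  _die "please install gnu-sed by EXEC:

\$ brew install gnu-sed"
fi

if [ "$OS" = 'Darwin' ]; then
  # `alias sed=gsed` (the original) is not expanded in a non-interactive
  # script, so BSD sed was still used; a function is honoured everywhere.
  sed(){ command gsed "$@"; }
fi

_init

# NOTE: these files are *sourced*, i.e. executed as shell code rather than
# parsed as key=value pairs (e.g. the `$(openssl rand -hex 16)` example in
# .env.example is a real command substitution). Keep them writable only by
# the operator running ./ci.
. "$PWD/.env"
. "$PWD/secrets/mysql.env"

# Also executed as shell code; kept from the original (purpose not documented there).
if [ -f "$HOME/.bash_profile" ]; then . ~/.bash_profile; fi

test "$#" = 0 && print_help_info || true

command=$1

shift

if [ -z "$CI_HOST" ] && [ "$command" = 'up' ]; then _die "Error: CI_HOST not set"; fi

if [ -z "$CI_DOMAIN" ] && [ "$command" = 'up-tls' ]; then
  _die "Error: CI_DOMAIN not set"
fi

COMPOSE_FILE='-f docker-ci.yml -f docker-ci.override.yml'
CI_COMPOSE_CONFIG_ONLY=
CI_COMPOSE_OPT=

for arg in "$@"; do
  case "$arg" in
    -d) CI_COMPOSE_OPT='-d' ;;
    --config) CI_COMPOSE_CONFIG_ONLY=1 ;;
    # Same matching as the original unanchored regex: the option may appear
    # anywhere in the argument, and without '=DIR' cut returns the whole
    # argument (which _sed_external_nginx checks for).
    *--use-external-nginx*)
      ENABLE_NGINX=FALSE
      LNMP_NGINX_CONF=$(echo "$arg" | cut -d '=' -f 2)
      ;;
  esac
done

case "$command" in
  up|up-tls) _check_secrets ;;
esac

# Dispatch to the `_<command>` function; fail with a clear message instead of
# "command not found" for an unknown command.
if ! declare -F "_$command" > /dev/null; then
  _die "Error: unknown command '$command' (run ./ci without arguments for help)"
fi

"_$command" "$@"
-------------------------------------------------------------------------------- /config/README.md: -------------------------------------------------------------------------------- 1 | # 配置文件 2 | -------------------------------------------------------------------------------- /config/gitea/.gitignore: -------------------------------------------------------------------------------- 1 | app.kubernetes.ini 2 | app.ini 3 | -------------------------------------------------------------------------------- /config/gitea/README.md: -------------------------------------------------------------------------------- 1 | # Gitea 配置 2 | -------------------------------------------------------------------------------- /config/gitea/app.example.ini: -------------------------------------------------------------------------------- 1 | ;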
https://github.com/go-gitea/gitea/blob/master/custom/conf/app.ini.sample 2 | 3 | ; This file lists the default values used by Gitea 4 | ; Copy required sections to your own app.ini (default is custom/conf/app.ini) 5 | ; and modify as needed. 6 | 7 | ; see https://docs.gitea.io/en-us/config-cheat-sheet/ for additional documentation. 8 | 9 | ; App name that shows in every page title 10 | APP_NAME = Gitea: Git with a cup of tea 11 | ; Change it if you run locally 12 | RUN_USER = git 13 | ; Either "dev", "prod" or "test", default is "dev" 14 | RUN_MODE = dev 15 | 16 | [repository] 17 | ROOT = 18 | SCRIPT_TYPE = bash 19 | ; Default ANSI charset 20 | ANSI_CHARSET = 21 | ; Force every new repository to be private 22 | FORCE_PRIVATE = false 23 | ; Default privacy setting when creating a new repository, allowed values: last, private, public. Default is last which means the last setting used. 24 | DEFAULT_PRIVATE = last 25 | ; Global limit of repositories per user, applied at creation time. -1 means no limit 26 | MAX_CREATION_LIMIT = -1 27 | ; Mirror sync queue length, increase if mirror syncing starts hanging 28 | MIRROR_QUEUE_LENGTH = 1000 29 | ; Patch test queue length, increase if pull request patch testing starts hanging 30 | PULL_REQUEST_QUEUE_LENGTH = 1000 31 | ; Preferred Licenses to place at the top of the List 32 | ; The name here must match the filename in conf/license or custom/conf/license 33 | PREFERRED_LICENSES = Apache License 2.0,MIT License 34 | ; Disable the ability to interact with repositories using the HTTP protocol 35 | DISABLE_HTTP_GIT = false 36 | ; Value for Access-Control-Allow-Origin header, default is not to present 37 | ; WARNING: This maybe harmful to you website if you do not give it a right value. 
38 | ACCESS_CONTROL_ALLOW_ORIGIN = 39 | ; Force ssh:// clone url instead of scp-style uri when default SSH port is used 40 | USE_COMPAT_SSH_URI = false 41 | ; Close issues as long as a commit on any branch marks it as fixed 42 | DEFAULT_CLOSE_ISSUES_VIA_COMMITS_IN_ANY_BRANCH = false 43 | ; Allow users to push local repositories to Gitea and have them automatically created for a user or an org 44 | ENABLE_PUSH_CREATE_USER = false 45 | ENABLE_PUSH_CREATE_ORG = false 46 | ; Comma separated list of globally disabled repo units. Allowed values: repo.issues, repo.ext_issues, repo.pulls, repo.wiki, repo.ext_wiki 47 | DISABLED_REPO_UNITS = 48 | ; Comma separated list of default repo units. Allowed values: repo.code, repo.releases, repo.issues, repo.pulls, repo.wiki. 49 | ; Note: Code and Releases can currently not be deactivated. If you specify default repo units you should still list them for future compatibility. 50 | ; External wiki and issue tracker can't be enabled by default as it requires additional settings. 51 | ; Disabled repo units will not be added to new repositories regardless if it is in the default list. 52 | DEFAULT_REPO_UNITS = repo.code,repo.releases,repo.issues,repo.pulls,repo.wiki 53 | ; Prefix archive files by placing them in a directory named after the repository 54 | PREFIX_ARCHIVE_FILES = true 55 | 56 | [repository.editor] 57 | ; List of file extensions for which lines should be wrapped in the CodeMirror editor 58 | ; Separate extensions with a comma. To line wrap files without an extension, just put a comma 59 | LINE_WRAP_EXTENSIONS = .txt,.md,.markdown,.mdown,.mkd, 60 | ; Valid file modes that have a preview API associated with them, such as api/v1/markdown 61 | ; Separate the values by commas. The preview tab in edit mode won't be displayed if the file extension doesn't match 62 | PREVIEWABLE_FILE_MODES = markdown 63 | 64 | [repository.local] 65 | ; Path for local repository copy. 
Defaults to `tmp/local-repo` 66 | LOCAL_COPY_PATH = tmp/local-repo 67 | ; Path for local wiki copy. Defaults to `tmp/local-wiki` 68 | LOCAL_WIKI_PATH = tmp/local-wiki 69 | 70 | [repository.upload] 71 | ; Whether repository file uploads are enabled. Defaults to `true` 72 | ENABLED = true 73 | ; Path for uploads. Defaults to `data/tmp/uploads` (tmp gets deleted on gitea restart) 74 | TEMP_PATH = data/tmp/uploads 75 | ; One or more allowed types, e.g. image/jpeg|image/png. Nothing means any file type 76 | ALLOWED_TYPES = 77 | ; Max size of each file in megabytes. Defaults to 3MB 78 | FILE_MAX_SIZE = 3 79 | ; Max number of files per upload. Defaults to 5 80 | MAX_FILES = 5 81 | 82 | [repository.pull-request] 83 | ; List of prefixes used in Pull Request title to mark them as Work In Progress 84 | WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP] 85 | ; List of keywords used in Pull Request comments to automatically close a related issue 86 | CLOSE_KEYWORDS=close,closes,closed,fix,fixes,fixed,resolve,resolves,resolved 87 | ; List of keywords used in Pull Request comments to automatically reopen a related issue 88 | REOPEN_KEYWORDS=reopen,reopens,reopened 89 | ; In the default merge message for squash commits include at most this many commits 90 | DEFAULT_MERGE_MESSAGE_COMMITS_LIMIT=50 91 | ; In the default merge message for squash commits limit the size of the commit messages to this 92 | DEFAULT_MERGE_MESSAGE_SIZE=5120 93 | ; In the default merge message for squash commits walk all commits to include all authors in the Co-authored-by otherwise just use those in the limited list 94 | DEFAULT_MERGE_MESSAGE_ALL_AUTHORS=false 95 | ; In default merge messages limit the number of approvers listed as Reviewed-by: to this many 96 | DEFAULT_MERGE_MESSAGE_MAX_APPROVERS=10 97 | ; In default merge messages only include approvers who are official 98 | DEFAULT_MERGE_MESSAGE_OFFICIAL_APPROVERS_ONLY=true 99 | 100 | [repository.issue] 101 | ; List of reasons why a Pull Request or Issue can be locked 
102 | LOCK_REASONS=Too heated,Off-topic,Resolved,Spam 103 | 104 | [repository.signing] 105 | ; GPG key to use to sign commits, Defaults to the default - that is the value of git config --get user.signingkey 106 | ; run in the context of the RUN_USER 107 | ; Switch to none to stop signing completely 108 | SIGNING_KEY = default 109 | ; If a SIGNING_KEY ID is provided and is not set to default, use the provided Name and Email address as the signer. 110 | ; These should match a publicized name and email address for the key. (When SIGNING_KEY is default these are set to 111 | ; the results of git config --get user.name and git config --get user.email respectively and can only be overrided 112 | ; by setting the SIGNING_KEY ID to the correct ID.) 113 | SIGNING_NAME = 114 | SIGNING_EMAIL = 115 | ; Determines when gitea should sign the initial commit when creating a repository 116 | ; Either: 117 | ; - never 118 | ; - pubkey: only sign if the user has a pubkey 119 | ; - twofa: only sign if the user has logged in with twofa 120 | ; - always 121 | ; options other than none and always can be combined as comma separated list 122 | INITIAL_COMMIT = always 123 | ; Determines when to sign for CRUD actions 124 | ; - as above 125 | ; - parentsigned: requires that the parent commit is signed. 126 | CRUD_ACTIONS = pubkey, twofa, parentsigned 127 | ; Determines when to sign Wiki commits 128 | ; - as above 129 | WIKI = never 130 | ; Determines when to sign on merges 131 | ; - basesigned: require that the parent of commit on the base repo is signed. 132 | ; - commitssigned: require that all the commits in the head branch are signed. 
133 | ; - approved: only sign when merging an approved pr to a protected branch 134 | MERGES = pubkey, twofa, basesigned, commitssigned 135 | 136 | [cors] 137 | ; More information about CORS can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#The_HTTP_response_headers 138 | ; enable cors headers (disabled by default) 139 | ENABLED=false 140 | ; scheme of allowed requests 141 | SCHEME=http 142 | ; list of requesting domains that are allowed 143 | ALLOW_DOMAIN=* 144 | ; allow subdomains of headers listed above to request 145 | ALLOW_SUBDOMAIN=false 146 | ; list of methods allowed to request 147 | METHODS=GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS 148 | ; max time to cache response 149 | MAX_AGE=10m 150 | ; allow request with credentials 151 | ALLOW_CREDENTIALS=false 152 | 153 | [ui] 154 | ; Number of repositories that are displayed on one explore page 155 | EXPLORE_PAGING_NUM = 20 156 | ; Number of issues that are displayed on one page 157 | ISSUE_PAGING_NUM = 10 158 | ; Number of maximum commits displayed in one activity feed 159 | FEED_MAX_COMMIT_NUM = 5 160 | ; Number of maximum commits displayed in commit graph. 161 | GRAPH_MAX_COMMIT_NUM = 100 162 | ; Number of line of codes shown for a code comment 163 | CODE_COMMENT_LINES = 4 164 | ; Value of `theme-color` meta tag, used by Android >= 5.0 165 | ; An invalid color like "none" or "disable" will have the default style 166 | ; More info: https://developers.google.com/web/updates/2014/11/Support-for-theme-color-in-Chrome-39-for-Android 167 | THEME_COLOR_META_TAG = `#6cc644` 168 | ; Max size of files to be displayed (default is 8MiB) 169 | MAX_DISPLAY_FILE_SIZE = 8388608 170 | ; Whether the email of the user should be shown in the Explore Users page 171 | SHOW_USER_EMAIL = true 172 | ; Set the default theme for the Gitea install 173 | DEFAULT_THEME = gitea 174 | ; All available themes. Allow users select personalized themes regardless of the value of `DEFAULT_THEME`. 
175 | THEMES = gitea,arc-green 176 | ; All available reactions. Allow users react with different emoji's 177 | ; For the whole list look at https://gitea.com/gitea/gitea.com/issues/8 178 | REACTIONS = +1, -1, laugh, hooray, confused, heart, rocket, eyes 179 | ; Whether the full name of the users should be shown where possible. If the full name isn't set, the username will be used. 180 | DEFAULT_SHOW_FULL_NAME = false 181 | ; Whether to search within description at repository search on explore page. 182 | SEARCH_REPO_DESCRIPTION = true 183 | ; Whether to enable a Service Worker to cache frontend assets 184 | USE_SERVICE_WORKER = true 185 | 186 | [ui.admin] 187 | ; Number of users that are displayed on one page 188 | USER_PAGING_NUM = 50 189 | ; Number of repos that are displayed on one page 190 | REPO_PAGING_NUM = 50 191 | ; Number of notices that are displayed on one page 192 | NOTICE_PAGING_NUM = 25 193 | ; Number of organizations that are displayed on one page 194 | ORG_PAGING_NUM = 50 195 | 196 | [ui.user] 197 | ; Number of repos that are displayed on one page 198 | REPO_PAGING_NUM = 15 199 | 200 | [ui.meta] 201 | AUTHOR = Gitea - Git with a cup of tea 202 | DESCRIPTION = Gitea (Git with a cup of tea) is a painless self-hosted Git service written in Go 203 | KEYWORDS = go,git,self-hosted,gitea 204 | 205 | [markdown] 206 | ; Enable hard line break extension 207 | ENABLE_HARD_LINE_BREAK = false 208 | ; Comma separated list of custom URL-Schemes that are allowed as links when rendering Markdown 209 | ; for example git,magnet,ftp (more at https://en.wikipedia.org/wiki/List_of_URI_schemes) 210 | ; URLs starting with http and https are always displayed, whatever is put in this entry. 211 | CUSTOM_URL_SCHEMES = 212 | ; List of file extensions that should be rendered/edited as Markdown 213 | ; Separate the extensions with a comma. 
To render files without any extension as markdown, just put a comma 214 | FILE_EXTENSIONS = .md,.markdown,.mdown,.mkd 215 | 216 | [server] 217 | ; The protocol the server listens on. One of 'http', 'https', 'unix' or 'fcgi'. 218 | PROTOCOL = http 219 | DOMAIN = localhost 220 | ROOT_URL = %(PROTOCOL)s://%(DOMAIN)s:%(HTTP_PORT)s/ 221 | ; when STATIC_URL_PREFIX is empty it will follow ROOT_URL 222 | STATIC_URL_PREFIX = 223 | ; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket. 224 | HTTP_ADDR = 0.0.0.0 225 | HTTP_PORT = 3000 226 | ; If REDIRECT_OTHER_PORT is true, and PROTOCOL is set to https an http server 227 | ; will be started on PORT_TO_REDIRECT and it will redirect plain, non-secure http requests to the main 228 | ; ROOT_URL. Defaults are false for REDIRECT_OTHER_PORT and 80 for 229 | ; PORT_TO_REDIRECT. 230 | REDIRECT_OTHER_PORT = false 231 | PORT_TO_REDIRECT = 80 232 | ; Permission for unix socket 233 | UNIX_SOCKET_PERMISSION = 666 234 | ; Local (DMZ) URL for Gitea workers (such as SSH update) accessing web service. 235 | ; In most cases you do not need to change the default value. 236 | ; Alter it only if your SSH server node is not the same as HTTP node. 237 | ; Do not set this variable if PROTOCOL is set to 'unix'. 238 | LOCAL_ROOT_URL = %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/ 239 | ; Disable SSH feature when not available 240 | DISABLE_SSH = false 241 | ; Whether to use the builtin SSH server or not. 242 | START_SSH_SERVER = false 243 | ; Username to use for the builtin SSH server. If blank, then it is the value of RUN_USER. 
244 | BUILTIN_SSH_SERVER_USER = 245 | ; Domain name to be exposed in clone URL 246 | SSH_DOMAIN = %(DOMAIN)s 247 | ; The network interface the builtin SSH server should listen on 248 | SSH_LISTEN_HOST = 249 | ; Port number to be exposed in clone URL 250 | SSH_PORT = 22 251 | ; The port number the builtin SSH server should listen on 252 | SSH_LISTEN_PORT = %(SSH_PORT)s 253 | ; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'. 254 | SSH_ROOT_PATH = 255 | ; Gitea will create a authorized_keys file by default when it is not using the internal ssh server 256 | ; If you intend to use the AuthorizedKeysCommand functionality then you should turn this off. 257 | SSH_CREATE_AUTHORIZED_KEYS_FILE = true 258 | ; For the built-in SSH server, choose the ciphers to support for SSH connections, 259 | ; for system SSH this setting has no effect 260 | SSH_SERVER_CIPHERS = aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, arcfour256, arcfour128 261 | ; For the built-in SSH server, choose the key exchange algorithms to support for SSH connections, 262 | ; for system SSH this setting has no effect 263 | SSH_SERVER_KEY_EXCHANGES = diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, curve25519-sha256@libssh.org 264 | ; For the built-in SSH server, choose the MACs to support for SSH connections, 265 | ; for system SSH this setting has no effect 266 | SSH_SERVER_MACS = hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1, hmac-sha1-96 267 | ; Directory to create temporary files in when testing public keys using ssh-keygen, 268 | ; default is the system temporary directory. 269 | SSH_KEY_TEST_PATH = 270 | ; Path to ssh-keygen, default is 'ssh-keygen' which means the shell is responsible for finding out which one to call. 
271 | SSH_KEYGEN_PATH = ssh-keygen 272 | ; Enable SSH Authorized Key Backup when rewriting all keys, default is true 273 | SSH_BACKUP_AUTHORIZED_KEYS = true 274 | ; Enable exposure of SSH clone URL to anonymous visitors, default is false 275 | SSH_EXPOSE_ANONYMOUS = false 276 | ; Indicate whether to check minimum key size with corresponding type 277 | MINIMUM_KEY_SIZE_CHECK = false 278 | ; Disable CDN even in "prod" mode 279 | OFFLINE_MODE = false 280 | DISABLE_ROUTER_LOG = false 281 | ; Generate steps: 282 | ; $ ./gitea cert -ca=true -duration=8760h0m0s -host=myhost.example.com 283 | ; 284 | ; Or from a .pfx file exported from the Windows certificate store (do 285 | ; not forget to export the private key): 286 | ; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys 287 | ; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes 288 | ; Paths are relative to CUSTOM_PATH 289 | CERT_FILE = https/cert.pem 290 | KEY_FILE = https/key.pem 291 | ; Root directory containing templates and static files. 292 | ; default is the path where Gitea is executed 293 | STATIC_ROOT_PATH = 294 | ; Default path for App data 295 | APP_DATA_PATH = data 296 | ; Application level GZIP support 297 | ENABLE_GZIP = false 298 | ; Application profiling (memory and cpu) 299 | ; For "web" command it listens on localhost:6060 300 | ; For "serve" command it dumps to disk at PPROF_DATA_PATH as (cpuprofile|memprofile)__ 301 | ENABLE_PPROF = false 302 | ; PPROF_DATA_PATH, use an absolute path when you start gitea as service 303 | PPROF_DATA_PATH = data/tmp/pprof 304 | ; Landing page, can be "home", "explore", "organizations" or "login" 305 | ; The "login" choice is not a security measure but just a UI flow change, use REQUIRE_SIGNIN_VIEW to force users to log in. 306 | LANDING_PAGE = home 307 | ; Enables git-lfs support. true or false, default is false. 308 | LFS_START_SERVER = false 309 | ; Where your lfs files reside, default is data/lfs. 
310 | LFS_CONTENT_PATH = data/lfs 311 | ; LFS authentication secret, change this yourself 312 | LFS_JWT_SECRET = 313 | ; LFS authentication validity period (in time.Duration), pushes taking longer than this may fail. 314 | LFS_HTTP_AUTH_EXPIRY = 20m 315 | ; Allow graceful restarts using SIGHUP to fork 316 | ALLOW_GRACEFUL_RESTARTS = true 317 | ; After a restart the parent will finish ongoing requests before 318 | ; shutting down. Force shutdown if this process takes longer than this delay. 319 | ; set to a negative value to disable 320 | GRACEFUL_HAMMER_TIME = 60s 321 | ; Allows the setting of a startup timeout and waithint for Windows as SVC service 322 | ; 0 disables this. 323 | STARTUP_TIMEOUT = 0 324 | ; Static resources, includes resources on custom/, public/ and all uploaded avatars web browser cache time, default is 6h 325 | STATIC_CACHE_TIME = 6h 326 | 327 | ; Define allowed algorithms and their minimum key length (use -1 to disable a type) 328 | [ssh.minimum_key_sizes] 329 | ED25519 = 256 330 | ECDSA = 256 331 | RSA = 2048 332 | DSA = 1024 333 | 334 | [database] 335 | ; Either "mysql", "postgres", "mssql" or "sqlite3", it's your choice 336 | DB_TYPE = mysql 337 | HOST = 127.0.0.1:3306 338 | NAME = gitea 339 | USER = root 340 | ; Use PASSWD = `your password` for quoting if you use special characters in the password. 341 | PASSWD = 342 | ; For Postgres, schema to use if different from "public". The schema must exist beforehand, 343 | ; the user must have creation privileges on it, and the user search path must be set 344 | ; to the look into the schema first. e.g.:ALTER USER user SET SEARCH_PATH = schema_name,"$user",public; 345 | SCHEMA = 346 | ; For Postgres, either "disable" (default), "require", or "verify-full" 347 | ; For MySQL, either "false" (default), "true", or "skip-verify" 348 | SSL_MODE = disable 349 | ; For MySQL only, either "utf8" or "utf8mb4", default is "utf8". 350 | ; NOTICE: for "utf8mb4" you must use MySQL InnoDB > 5.6. 
Gitea is unable to check this. 351 | CHARSET = utf8 352 | ; For "sqlite3" and "tidb", use an absolute path when you start gitea as service 353 | PATH = data/gitea.db 354 | ; For "sqlite3" only. Query timeout 355 | SQLITE_TIMEOUT = 500 356 | ; For iterate buffer, default is 50 357 | ITERATE_BUFFER_SIZE = 50 358 | ; Log the SQL statements generated by the database layer 359 | LOG_SQL = true 360 | ; Maximum number of DB Connect retries 361 | DB_RETRIES = 10 362 | ; Backoff time per DB retry (time.Duration) 363 | DB_RETRY_BACKOFF = 3s 364 | ; Max idle database connections in the connection pool, default is 2 365 | MAX_IDLE_CONNS = 2 366 | ; Database connection max life time, default is 0 or 3s mysql (See #6804 & #7071 for reasoning) 367 | CONN_MAX_LIFETIME = 3s 368 | ; Database maximum number of open connections, default is 0 meaning no maximum 369 | MAX_OPEN_CONNS = 0 370 | 371 | [indexer] 372 | ; Issue indexer type, currently supported: bleve, db or elasticsearch, default is bleve 373 | ISSUE_INDEXER_TYPE = bleve 374 | ; Issue indexer connection string, available when ISSUE_INDEXER_TYPE is elasticsearch 375 | ISSUE_INDEXER_CONN_STR = http://elastic:changeme@localhost:9200 376 | ; Issue indexer name, available when ISSUE_INDEXER_TYPE is elasticsearch 377 | ISSUE_INDEXER_NAME = gitea_issues 378 | ; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve 379 | ISSUE_INDEXER_PATH = indexers/issues.bleve 380 | ; Issue indexer queue, currently supported: channel, levelqueue or redis, default is levelqueue 381 | ISSUE_INDEXER_QUEUE_TYPE = levelqueue 382 | ; When ISSUE_INDEXER_QUEUE_TYPE is levelqueue, this is the path where the queue is saved, 383 | ; default is indexers/issues.queue 384 | ISSUE_INDEXER_QUEUE_DIR = indexers/issues.queue 385 | ; When `ISSUE_INDEXER_QUEUE_TYPE` is `redis`, this will store the redis connection string. 
386 | ISSUE_INDEXER_QUEUE_CONN_STR = "addrs=127.0.0.1:6379 db=0" 387 | ; Batch queue number, default is 20 388 | ISSUE_INDEXER_QUEUE_BATCH_NUMBER = 20 389 | ; Timeout the indexer if it takes longer than this to start. 390 | ; Set to zero to disable timeout. 391 | STARTUP_TIMEOUT=30s 392 | 393 | ; repo indexer by default disabled, since it uses a lot of disk space 394 | REPO_INDEXER_ENABLED = false 395 | REPO_INDEXER_PATH = indexers/repos.bleve 396 | UPDATE_BUFFER_LEN = 20 397 | MAX_FILE_SIZE = 1048576 398 | ; A comma separated list of glob patterns (see https://github.com/gobwas/glob) to include 399 | ; in the index; default is empty 400 | REPO_INDEXER_INCLUDE = 401 | ; A comma separated list of glob patterns to exclude from the index; default is empty 402 | REPO_INDEXER_EXCLUDE = 403 | 404 | [queue] 405 | ; Specific queues can be individually configured with [queue.name]. [queue] provides defaults 406 | ; 407 | ; General queue type, currently supported: persistable-channel, channel, level, redis, dummy 408 | ; default to persistable-channel 409 | TYPE = persistable-channel 410 | ; data-dir for storing persistable queues and level queues, individual queues will be named by their type 411 | DATADIR = queues/ 412 | ; Default queue length before a channel queue will block 413 | LENGTH = 20 414 | ; Batch size to send for batched queues 415 | BATCH_LENGTH = 20 416 | ; Connection string for redis queues. 417 | CONN_STR = "addrs=127.0.0.1:6379 db=0" 418 | ; Provide the suffix of the default redis queue name - specific queues can be overridden within their [queue.name] sections. 
419 | QUEUE_NAME = "_queue" 420 | ; If the queue cannot be created at startup - level queues may need a timeout at startup - wrap the queue: 421 | WRAP_IF_NECESSARY = true 422 | ; Attempt to create the wrapped queue at max 423 | MAX_ATTEMPTS = 10 424 | ; Timeout queue creation 425 | TIMEOUT = 15m30s 426 | ; Create a pool with this many workers 427 | WORKERS = 1 428 | ; Dynamically scale the worker pool to at this many workers 429 | MAX_WORKERS = 10 430 | ; Add boost workers when the queue blocks for BLOCK_TIMEOUT 431 | BLOCK_TIMEOUT = 1s 432 | ; Remove the boost workers after BOOST_TIMEOUT 433 | BOOST_TIMEOUT = 5m 434 | ; During a boost add BOOST_WORKERS 435 | BOOST_WORKERS = 5 436 | 437 | [admin] 438 | ; Disallow regular (non-admin) users from creating organizations. 439 | DISABLE_REGULAR_ORG_CREATION = false 440 | ; Default configuration for email notifications for users (user configurable). Options: enabled, onmention, disabled 441 | DEFAULT_EMAIL_NOTIFICATIONS = enabled 442 | 443 | [security] 444 | ; Whether the installer is disabled 445 | INSTALL_LOCK = false 446 | ; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!! 
447 | SECRET_KEY = !#@FDEWREWR&*( 448 | ; How long to remember that a user is logged in before requiring relogin (in days) 449 | LOGIN_REMEMBER_DAYS = 7 450 | COOKIE_USERNAME = gitea_awesome 451 | COOKIE_REMEMBER_NAME = gitea_incredible 452 | ; Reverse proxy authentication header name of user name 453 | REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER 454 | REVERSE_PROXY_AUTHENTICATION_EMAIL = X-WEBAUTH-EMAIL 455 | ; The minimum password length for new Users 456 | MIN_PASSWORD_LENGTH = 6 457 | ; Set to true to allow users to import local server paths 458 | IMPORT_LOCAL_PATHS = false 459 | ; Set to true to prevent all users (including admin) from creating custom git hooks 460 | DISABLE_GIT_HOOKS = false 461 | ; Set to false to allow pushes to gitea repositories despite having an incomplete environment - NOT RECOMMENDED 462 | ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true 463 | ;Comma separated list of character classes required to pass minimum complexity. 464 | ;If left empty or no valid values are specified, the default values ("lower,upper,digit,spec") will be used. 465 | ;Use "off" to disable checking. 466 | PASSWORD_COMPLEXITY = lower,upper,digit,spec 467 | ; Password Hash algorithm, either "pbkdf2", "argon2", "scrypt" or "bcrypt" 468 | PASSWORD_HASH_ALGO = pbkdf2 469 | ; Set false to allow JavaScript to read CSRF cookie 470 | CSRF_COOKIE_HTTP_ONLY = true 471 | 472 | [openid] 473 | ; 474 | ; OpenID is an open, standard and decentralized authentication protocol. 475 | ; Your identity is the address of a webpage you provide, which describes 476 | ; how to prove you are in control of that page. 
477 | ; 478 | ; For more info: https://en.wikipedia.org/wiki/OpenID 479 | ; 480 | ; Current implementation supports OpenID-2.0 481 | ; 482 | ; Providers tested to work at the time of writing: 483 | ; - Any GNUSocial node (your.hostname.tld/username) 484 | ; - Any SimpleID provider (http://simpleid.koinic.net) 485 | ; - http://openid.org.cn/ 486 | ; - openid.stackexchange.com 487 | ; - login.launchpad.net 488 | ; - .livejournal.com 489 | ; 490 | ; Whether to allow signing in via OpenID 491 | ENABLE_OPENID_SIGNIN = true 492 | ; Whether to allow registering via OpenID 493 | ; Leave this out to rely on the DISABLE_REGISTRATION setting 494 | ;ENABLE_OPENID_SIGNUP = true 495 | ; Allowed URI patterns (POSIX regexp). 496 | ; Space separated. 497 | ; Only these would be allowed if non-blank. 498 | ; Example value: trusted.domain.org trusted.domain.net 499 | WHITELISTED_URIS = 500 | ; Forbidden URI patterns (POSIX regexp). 501 | ; Space separated. 502 | ; Only used if WHITELISTED_URIS is blank. 503 | ; Example value: loadaverage.org/badguy stackexchange.com/.*spammer 504 | BLACKLISTED_URIS = 505 | 506 | [service] 507 | ; Time limit to confirm account/email registration 508 | ACTIVE_CODE_LIVE_MINUTES = 180 509 | ; Time limit to perform the reset of a forgotten password 510 | RESET_PASSWD_CODE_LIVE_MINUTES = 180 511 | ; Whether a new user needs to confirm their email when registering. 512 | REGISTER_EMAIL_CONFIRM = false 513 | ; List of domain names that are allowed to be used to register on a Gitea instance 514 | ; gitea.io,example.com 515 | EMAIL_DOMAIN_WHITELIST= 516 | ; Disallow registration, only allow admins to create accounts. 517 | DISABLE_REGISTRATION = false 518 | ; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false 519 | ALLOW_ONLY_EXTERNAL_REGISTRATION = false 520 | ; User must sign in to view anything. 
521 | REQUIRE_SIGNIN_VIEW = false 522 | ; Mail notification 523 | ENABLE_NOTIFY_MAIL = false 524 | ; This setting enables gitea to be signed in with HTTP BASIC Authentication using the user's password 525 | ; If you set this to false you will not be able to access the tokens endpoints on the API with your password 526 | ; Please note that setting this to false will not disable OAuth Basic or Basic authentication using a token 527 | ENABLE_BASIC_AUTHENTICATION = true 528 | ; More detail: https://github.com/gogs/gogs/issues/165 529 | ENABLE_REVERSE_PROXY_AUTHENTICATION = false 530 | ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false 531 | ENABLE_REVERSE_PROXY_EMAIL = false 532 | ; Enable captcha validation for registration 533 | ENABLE_CAPTCHA = false 534 | ; Type of captcha you want to use. Options: image, recaptcha 535 | CAPTCHA_TYPE = image 536 | ; Enable recaptcha to use Google's recaptcha service 537 | ; Go to https://www.google.com/recaptcha/admin to sign up for a key 538 | RECAPTCHA_SECRET = 539 | RECAPTCHA_SITEKEY = 540 | ; Change this to use recaptcha.net or other recaptcha service 541 | RECAPTCHA_URL = https://www.google.com/recaptcha/ 542 | ; Default value for KeepEmailPrivate 543 | ; Each new user will get the value of this setting copied into their profile 544 | DEFAULT_KEEP_EMAIL_PRIVATE = false 545 | ; Default value for AllowCreateOrganization 546 | ; Every new user will have rights set to create organizations depending on this setting 547 | DEFAULT_ALLOW_CREATE_ORGANIZATION = true 548 | ; Either "public", "limited" or "private", default is "public" 549 | ; Limited is for signed user only 550 | ; Private is only for member of the organization 551 | ; Public is for everyone 552 | DEFAULT_ORG_VISIBILITY = public 553 | ; Default value for DefaultOrgMemberVisible 554 | ; True will make the membership of the users visible when added to the organisation 555 | DEFAULT_ORG_MEMBER_VISIBLE = false 556 | ; Default value for EnableDependencies 557 | ; Repositories 
will use dependencies by default depending on this setting 558 | DEFAULT_ENABLE_DEPENDENCIES = true 559 | ; Dependencies can be added from any repository where the user is granted access or only from the current repository depending on this setting. 560 | ALLOW_CROSS_REPOSITORY_DEPENDENCIES = true 561 | ; Enable heatmap on users profiles. 562 | ENABLE_USER_HEATMAP = true 563 | ; Enable Timetracking 564 | ENABLE_TIMETRACKING = true 565 | ; Default value for EnableTimetracking 566 | ; Repositories will use timetracking by default depending on this setting 567 | DEFAULT_ENABLE_TIMETRACKING = true 568 | ; Default value for AllowOnlyContributorsToTrackTime 569 | ; Only users with write permissions can track time if this is true 570 | DEFAULT_ALLOW_ONLY_CONTRIBUTORS_TO_TRACK_TIME = true 571 | ; Default value for the domain part of the user's email address in the git log 572 | ; if he has set KeepEmailPrivate to true. The user's email will be replaced with a 573 | ; concatenation of the user name in lower case, "@" and NO_REPLY_ADDRESS. 
574 | NO_REPLY_ADDRESS = noreply.%(DOMAIN)s 575 | ; Show Registration button 576 | SHOW_REGISTRATION_BUTTON = true 577 | ; Show milestones dashboard page - a view of all the user's milestones 578 | SHOW_MILESTONES_DASHBOARD_PAGE = true 579 | ; Default value for AutoWatchNewRepos 580 | ; When adding a repo to a team or creating a new repo all team members will watch the 581 | ; repo automatically if enabled 582 | AUTO_WATCH_NEW_REPOS = true 583 | ; Default value for AutoWatchOnChanges 584 | ; Make the user watch a repository when they commit for the first time 585 | AUTO_WATCH_ON_CHANGES = false 586 | 587 | [webhook] 588 | ; Hook task queue length, increase if webhook delivery starts hanging 589 | QUEUE_LENGTH = 1000 590 | ; Deliver timeout in seconds 591 | DELIVER_TIMEOUT = 5 592 | ; Skip TLS certificate verification of webhook targets (accepts invalid or self-signed certificates) 593 | SKIP_TLS_VERIFY = false 594 | ; Number of delivery history entries shown per page 595 | PAGING_NUM = 10 596 | ; Proxy server URL, supports http://, https://, socks://; blank will follow environment http_proxy/https_proxy 597 | PROXY_URL = 598 | ; Comma separated list of host names requiring proxy. Glob patterns (*) are accepted; use ** to match all hosts. 599 | PROXY_HOSTS = 600 | 601 | [mailer] 602 | ENABLED = false 603 | ; Buffer length of channel, keep it as it is if you don't know what it is. 604 | SEND_BUFFER_LEN = 100 605 | ; Prefix displayed before subject in mail 606 | SUBJECT_PREFIX = 607 | ; Mail server 608 | ; Gmail: smtp.gmail.com:587 609 | ; QQ: smtp.qq.com:465 610 | ; Note, if the port ends with "465", SMTPS will be used. Using STARTTLS on port 587 is recommended per RFC 6409. If the server supports STARTTLS it will always be used. 611 | HOST = 612 | ; Disable HELO operation when hostnames are different. 613 | DISABLE_HELO = 614 | ; Custom hostname for HELO operation, if no value is provided, one is retrieved from system. 615 | HELO_HOSTNAME = 616 | ; Do not verify the certificate of the server. 
Only use this for self-signed certificates 617 | SKIP_VERIFY = 618 | ; Use client certificate 619 | USE_CERTIFICATE = false 620 | CERT_FILE = custom/mailer/cert.pem 621 | KEY_FILE = custom/mailer/key.pem 622 | ; Should SMTP connection use TLS 623 | IS_TLS_ENABLED = false 624 | ; Mail from address, RFC 5322. This can be just an email address, or the `"Name" ` format 625 | FROM = 626 | ; Mailer user name and password 627 | USER = 628 | ; Use PASSWD = `your password` for quoting if you use special characters in the password. 629 | PASSWD = 630 | ; Send mails as plain text 631 | SEND_AS_PLAIN_TEXT = false 632 | ; Set Mailer Type (either SMTP, sendmail or dummy to just send to the log) 633 | MAILER_TYPE = smtp 634 | ; Specify an alternative sendmail binary 635 | SENDMAIL_PATH = sendmail 636 | ; Specify any extra sendmail arguments 637 | SENDMAIL_ARGS = 638 | 639 | [cache] 640 | ; if the cache enabled 641 | ENABLED = true 642 | ; Either "memory", "redis", or "memcache", default is "memory" 643 | ADAPTER = memory 644 | ; For "memory" only, GC interval in seconds, default is 60 645 | INTERVAL = 60 646 | ; For "redis" and "memcache", connection host address 647 | ; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180 648 | ; memcache: `127.0.0.1:11211` 649 | HOST = 650 | ; Time to keep items in cache if not used, default is 16 hours. 651 | ; Setting it to 0 disables caching 652 | ITEM_TTL = 16h 653 | 654 | ; Last commit cache 655 | [cache.last_commit] 656 | ; if the cache enabled 657 | ENABLED = true 658 | ; Time to keep items in cache if not used, default is 8760 hours. 
659 | ; Setting it to 0 disables caching 660 | ITEM_TTL = 8760h 661 | ; Only enable the cache when the repository's commit count is greater than 662 | COMMITS_COUNT = 1000 663 | 664 | [session] 665 | ; Either "memory", "file", or "redis", default is "memory" 666 | PROVIDER = memory 667 | ; Provider config options 668 | ; memory: doesn't have any config yet 669 | ; file: session file path, e.g. `data/sessions` 670 | ; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180 671 | ; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table` 672 | PROVIDER_CONFIG = data/sessions 673 | ; Session cookie name 674 | COOKIE_NAME = i_like_gitea 675 | ; Set to true if sessions are used over https only (sets the Secure cookie flag), default is false 676 | COOKIE_SECURE = false 677 | ; Enable set cookie, default is true 678 | ENABLE_SET_COOKIE = true 679 | ; Session GC time interval in seconds, default is 86400 (1 day) 680 | GC_INTERVAL_TIME = 86400 681 | ; Session life time in seconds, default is 86400 (1 day) 682 | SESSION_LIFE_TIME = 86400 683 | 684 | [picture] 685 | AVATAR_UPLOAD_PATH = data/avatars 686 | REPOSITORY_AVATAR_UPLOAD_PATH = data/repo-avatars 687 | ; How Gitea deals with missing repository avatars 688 | ; none = no avatar will be displayed; random = random avatar will be displayed; image = default image will be used 689 | REPOSITORY_AVATAR_FALLBACK = none 690 | REPOSITORY_AVATAR_FALLBACK_IMAGE = /img/repo_default.png 691 | ; Max Width and Height of uploaded avatars. 692 | ; This is to limit the amount of RAM used when resizing the image. 693 | AVATAR_MAX_WIDTH = 4096 694 | AVATAR_MAX_HEIGHT = 3072 695 | ; Maximum allowed file size for uploaded avatars. 696 | ; This is to limit the amount of RAM used when resizing the image. 697 | AVATAR_MAX_FILE_SIZE = 1048576 698 | ; Chinese users can choose "duoshuo" 699 | ; or a custom avatar source, like: http://cn.gravatar.com/avatar/ 700 | GRAVATAR_SOURCE = gravatar 701 | ; This value will always be true in offline mode. 
702 | DISABLE_GRAVATAR = false 703 | ; Federated avatar lookup uses DNS to discover avatar associated 704 | ; with emails, see https://www.libravatar.org 705 | ; This value will always be false in offline mode or when Gravatar is disabled. 706 | ENABLE_FEDERATED_AVATAR = false 707 | 708 | [attachment] 709 | ; Whether attachments are enabled. Defaults to `true` 710 | ENABLED = true 711 | ; Path for attachments. Defaults to `data/attachments` 712 | PATH = data/attachments 713 | ; One or more allowed types, e.g. image/jpeg|image/png 714 | ALLOWED_TYPES = image/jpeg|image/png|application/zip|application/gzip 715 | ; Max size of each file. Defaults to 4MB 716 | MAX_SIZE = 4 717 | ; Max number of files per upload. Defaults to 5 718 | MAX_FILES = 5 719 | 720 | [time] 721 | ; Specifies the format for fully outputted dates. Defaults to RFC1123 722 | ; Special supported values are ANSIC, UnixDate, RubyDate, RFC822, RFC822Z, RFC850, RFC1123, RFC1123Z, RFC3339, RFC3339Nano, Kitchen, Stamp, StampMilli, StampMicro and StampNano 723 | ; For more information about the format see http://golang.org/pkg/time/#pkg-constants 724 | FORMAT = 725 | ; Location the UI time display i.e. Asia/Shanghai 726 | ; Empty means server's location setting 727 | DEFAULT_UI_LOCATION = 728 | 729 | [log] 730 | ROOT_PATH = 731 | ; Either "console", "file", "conn", "smtp" or "database", default is "console" 732 | ; Use comma to separate multiple modes, e.g. "console, file" 733 | MODE = console 734 | ; Buffer length of the channel, keep it as it is if you don't know what it is. 
735 | BUFFER_LEN = 10000 736 | REDIRECT_MACARON_LOG = false 737 | MACARON = file 738 | ; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Info" 739 | ROUTER_LOG_LEVEL = Info 740 | ROUTER = console 741 | ENABLE_ACCESS_LOG = false 742 | ACCESS_LOG_TEMPLATE = {{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}" 743 | ACCESS = file 744 | ; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace" 745 | LEVEL = Info 746 | ; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "None" 747 | STACKTRACE_LEVEL = None 748 | 749 | ; Generic log modes 750 | [log.x] 751 | FLAGS = stdflags 752 | EXPRESSION = 753 | PREFIX = 754 | COLORIZE = false 755 | 756 | ; For "console" mode only 757 | [log.console] 758 | LEVEL = 759 | STDERR = false 760 | 761 | ; For "file" mode only 762 | [log.file] 763 | LEVEL = 764 | ; Set the file_name for the logger. 
If this is a relative path this 765 | ; will be relative to ROOT_PATH 766 | FILE_NAME = 767 | ; This enables automated log rotate(switch of following options), default is true 768 | LOG_ROTATE = true 769 | ; Max number of lines in a single file, default is 1000000 770 | MAX_LINES = 1000000 771 | ; Max size shift of a single file, default is 28 means 1 << 28, 256MB 772 | MAX_SIZE_SHIFT = 28 773 | ; Segment log daily, default is true 774 | DAILY_ROTATE = true 775 | ; delete the log file after n days, default is 7 776 | MAX_DAYS = 7 777 | ; compress logs with gzip 778 | COMPRESS = true 779 | ; compression level see godoc for compress/gzip 780 | COMPRESSION_LEVEL = -1 781 | 782 | ; For "conn" mode only 783 | [log.conn] 784 | LEVEL = 785 | ; Reconnect host for every single message, default is false 786 | RECONNECT_ON_MSG = false 787 | ; Try to reconnect when connection is lost, default is false 788 | RECONNECT = false 789 | ; Either "tcp", "unix" or "udp", default is "tcp" 790 | PROTOCOL = tcp 791 | ; Host address 792 | ADDR = 793 | 794 | ; For "smtp" mode only 795 | [log.smtp] 796 | LEVEL = 797 | ; Name displayed in mail title, default is "Diagnostic message from server" 798 | SUBJECT = Diagnostic message from server 799 | ; Mail server 800 | HOST = 801 | ; Mailer user name and password 802 | USER = 803 | ; Use PASSWD = `your password` for quoting if you use special characters in the password. 804 | PASSWD = 805 | ; Receivers, can be one or more, e.g. 1@example.com,2@example.com 806 | RECEIVERS = 807 | 808 | [cron] 809 | ; Enable running cron tasks periodically. 810 | ENABLED = true 811 | ; Run cron tasks when Gitea starts. 812 | RUN_AT_START = false 813 | 814 | ; Update mirrors 815 | [cron.update_mirrors] 816 | SCHEDULE = @every 10m 817 | 818 | ; Repository health check 819 | [cron.repo_health_check] 820 | SCHEDULE = @every 24h 821 | TIMEOUT = 60s 822 | ; Arguments for command 'git fsck', e.g. 
"--unreachable --tags" 823 | ; see more on http://git-scm.com/docs/git-fsck 824 | ARGS = 825 | 826 | ; Check repository statistics 827 | [cron.check_repo_stats] 828 | RUN_AT_START = true 829 | SCHEDULE = @every 24h 830 | 831 | ; Clean up old repository archives 832 | [cron.archive_cleanup] 833 | ; Whether to enable the job 834 | ENABLED = true 835 | ; Whether to always run at least once at start up time (if ENABLED) 836 | RUN_AT_START = true 837 | ; Time interval for job to run 838 | SCHEDULE = @every 24h 839 | ; Archives created more than OLDER_THAN ago are subject to deletion 840 | OLDER_THAN = 24h 841 | 842 | ; Synchronize external user data (only LDAP user synchronization is supported) 843 | [cron.sync_external_users] 844 | ; Synchronize external user data when starting server (default false) 845 | RUN_AT_START = false 846 | ; Interval as a duration between each synchronization (default every 24h) 847 | SCHEDULE = @every 24h 848 | ; Create new users, update existing user data and disable users that are not in external source anymore (default) 849 | ; or only create new users if UPDATE_EXISTING is set to false 850 | UPDATE_EXISTING = true 851 | 852 | ; Update migrated repositories' issues and comments' posterid, it will always attempt synchronization when the instance starts. 853 | [cron.update_migration_post_id] 854 | ; Interval as a duration between each synchronization. (default every 24h) 855 | SCHEDULE = @every 24h 856 | 857 | [git] 858 | ; The path of git executable. If empty, Gitea searches through the PATH environment. 859 | PATH = 860 | ; Disables highlight of added and removed changes 861 | DISABLE_DIFF_HIGHLIGHT = false 862 | ; Max number of lines allowed in a single file in diff view 863 | MAX_GIT_DIFF_LINES = 1000 864 | ; Max number of allowed characters in a line in diff view 865 | MAX_GIT_DIFF_LINE_CHARACTERS = 5000 866 | ; Max number of files shown in diff view 867 | MAX_GIT_DIFF_FILES = 100 868 | ; Arguments for command 'git gc', e.g. 
"--aggressive --auto" 869 | ; see more on http://git-scm.com/docs/git-gc/ 870 | GC_ARGS = 871 | ; If use git wire protocol version 2 when git version >= 2.18, default is true, set to false when you always want git wire protocol version 1 872 | EnableAutoGitWireProtocol = true 873 | 874 | ; Operation timeout in seconds 875 | [git.timeout] 876 | DEFAULT = 360 877 | MIGRATE = 600 878 | MIRROR = 300 879 | CLONE = 300 880 | PULL = 300 881 | GC = 60 882 | 883 | [mirror] 884 | ; Default interval as a duration between each check 885 | DEFAULT_INTERVAL = 8h 886 | ; Min interval as a duration must be > 1m 887 | MIN_INTERVAL = 10m 888 | 889 | [api] 890 | ; Enables Swagger. True or false; default is true. 891 | ENABLE_SWAGGER = true 892 | ; Max number of items in a page 893 | MAX_RESPONSE_ITEMS = 50 894 | ; Default paging number of api 895 | DEFAULT_PAGING_NUM = 30 896 | ; Default and maximum number of items per page for git trees api 897 | DEFAULT_GIT_TREES_PER_PAGE = 1000 898 | ; Default size of a blob returned by the blobs API (default is 10MiB) 899 | DEFAULT_MAX_BLOB_SIZE = 10485760 900 | 901 | [oauth2] 902 | ; Enables OAuth2 provider 903 | ENABLE = true 904 | ; Lifetime of an OAuth2 access token in seconds 905 | ACCESS_TOKEN_EXPIRATION_TIME=3600 906 | ; Lifetime of an OAuth2 access token in hours 907 | REFRESH_TOKEN_EXPIRATION_TIME=730 908 | ; Check if refresh token got already used 909 | INVALIDATE_REFRESH_TOKENS=false 910 | ; OAuth2 authentication secret for access and refresh tokens, change this to a unique string. 
911 | JWT_SECRET=Bk0yK7Y9g_p56v86KaHqjSbxvNvu3SbKoOdOt2ZcXvU 912 | 913 | [i18n] 914 | LANGS = en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,uk-UA,ja-JP,es-ES,pt-BR,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sr-SP,sv-SE,ko-KR 915 | NAMES = English,简体中文,繁體中文(香港),繁體中文(台灣),Deutsch,français,Nederlands,latviešu,русский,Українська,日本語,español,português do Brasil,polski,български,italiano,suomi,Türkçe,čeština,српски,svenska,한국어 916 | 917 | ; Used for datetimepicker 918 | [i18n.datelang] 919 | en-US = en 920 | zh-CN = zh 921 | zh-HK = zh-HK 922 | zh-TW = zh-TW 923 | de-DE = de 924 | fr-FR = fr 925 | nl-NL = nl 926 | lv-LV = lv 927 | ru-RU = ru 928 | uk-UA = uk 929 | ja-JP = ja 930 | es-ES = es 931 | pt-BR = pt-BR 932 | pl-PL = pl 933 | bg-BG = bg 934 | it-IT = it 935 | fi-FI = fi 936 | tr-TR = tr 937 | cs-CZ = cs-CZ 938 | sr-SP = sr 939 | sv-SE = sv 940 | ko-KR = ko 941 | 942 | [U2F] 943 | ; NOTE: THE DEFAULT VALUES HERE WILL NEED TO BE CHANGED 944 | ; Two Factor authentication with security keys 945 | ; https://developers.yubico.com/U2F/App_ID.html 946 | ;APP_ID = http://localhost:3000/ 947 | ; Comma seperated list of trusted facets 948 | ;TRUSTED_FACETS = http://localhost:3000/ 949 | 950 | ; Extension mapping to highlight class 951 | ; e.g. .toml=ini 952 | [highlight.mapping] 953 | 954 | [other] 955 | SHOW_FOOTER_BRANDING = false 956 | ; Show version information about Gitea and Go in the footer 957 | SHOW_FOOTER_VERSION = true 958 | ; Show template execution time in the footer 959 | SHOW_FOOTER_TEMPLATE_LOAD_TIME = true 960 | 961 | [markup.sanitizer] 962 | ; The following keys can be used multiple times to define sanitation policy rules. 
963 | ;ELEMENT = span 964 | ;ALLOW_ATTR = class 965 | ;REGEXP = ^(info|warning|error)$ 966 | 967 | [markup.asciidoc] 968 | ENABLED = false 969 | ; List of file extensions that should be rendered by an external command 970 | FILE_EXTENSIONS = .adoc,.asciidoc 971 | ; External command to render all matching extensions 972 | RENDER_COMMAND = "asciidoc --out-file=- -" 973 | ; Don't pass the file on STDIN, pass the filename as argument instead. 974 | IS_INPUT_FILE = false 975 | 976 | [metrics] 977 | ; Enables metrics endpoint. True or false; default is false. 978 | ENABLED = false 979 | ; If you want to add authorization, specify a token here 980 | TOKEN = 981 | 982 | [task] 983 | ; Task queue type, could be `channel` or `redis`. 984 | QUEUE_TYPE = channel 985 | ; Task queue length, available only when `QUEUE_TYPE` is `channel`. 986 | QUEUE_LENGTH = 1000 987 | ; Task queue connection string, available only when `QUEUE_TYPE` is `redis`. 988 | ; If there is a password of redis, use `addrs=127.0.0.1:6379 password=123 db=0`. 989 | QUEUE_CONN_STR = "addrs=127.0.0.1:6379 db=0" 990 | 991 | [migrations] 992 | ; Max attempts per http/https request on migrations. 993 | MAX_ATTEMPTS = 3 994 | ; Backoff time per http/https request retry (seconds) 995 | RETRY_BACKOFF = 3 996 | -------------------------------------------------------------------------------- /config/gitea/app.kubernetes.example.ini: -------------------------------------------------------------------------------- 1 | ; https://github.com/go-gitea/gitea/blob/master/custom/conf/app.ini.sample 2 | 3 | ; This file lists the default values used by Gitea 4 | ; Copy required sections to your own app.ini (default is custom/conf/app.ini) 5 | ; and modify as needed. 6 | 7 | ; see https://docs.gitea.io/en-us/config-cheat-sheet/ for additional documentation. 
8 | 9 | ; App name that shows in every page title 10 | APP_NAME = Gitea: Git with a cup of tea 11 | ; Change it if you run locally 12 | RUN_USER = git 13 | ; Either "dev", "prod" or "test", default is "dev" 14 | RUN_MODE = dev 15 | 16 | [repository] 17 | ROOT = 18 | SCRIPT_TYPE = bash 19 | ; Default ANSI charset 20 | ANSI_CHARSET = 21 | ; Force every new repository to be private 22 | FORCE_PRIVATE = false 23 | ; Default privacy setting when creating a new repository, allowed values: last, private, public. Default is last which means the last setting used. 24 | DEFAULT_PRIVATE = last 25 | ; Global limit of repositories per user, applied at creation time. -1 means no limit 26 | MAX_CREATION_LIMIT = -1 27 | ; Mirror sync queue length, increase if mirror syncing starts hanging 28 | MIRROR_QUEUE_LENGTH = 1000 29 | ; Patch test queue length, increase if pull request patch testing starts hanging 30 | PULL_REQUEST_QUEUE_LENGTH = 1000 31 | ; Preferred Licenses to place at the top of the List 32 | ; The name here must match the filename in conf/license or custom/conf/license 33 | PREFERRED_LICENSES = Apache License 2.0,MIT License 34 | ; Disable the ability to interact with repositories using the HTTP protocol 35 | DISABLE_HTTP_GIT = false 36 | ; Value for Access-Control-Allow-Origin header, default is not to present 37 | ; WARNING: This may be harmful to your website if you do not give it the right value. 38 | ACCESS_CONTROL_ALLOW_ORIGIN = 39 | ; Force ssh:// clone url instead of scp-style uri when default SSH port is used 40 | USE_COMPAT_SSH_URI = false 41 | ; Close issues as long as a commit on any branch marks it as fixed 42 | DEFAULT_CLOSE_ISSUES_VIA_COMMITS_IN_ANY_BRANCH = false 43 | ; Allow users to push local repositories to Gitea and have them automatically created for a user or an org 44 | ENABLE_PUSH_CREATE_USER = false 45 | ENABLE_PUSH_CREATE_ORG = false 46 | ; Comma separated list of globally disabled repo units.
Allowed values: repo.issues, repo.ext_issues, repo.pulls, repo.wiki, repo.ext_wiki 47 | DISABLED_REPO_UNITS = 48 | ; Comma separated list of default repo units. Allowed values: repo.code, repo.releases, repo.issues, repo.pulls, repo.wiki. 49 | ; Note: Code and Releases can currently not be deactivated. If you specify default repo units you should still list them for future compatibility. 50 | ; External wiki and issue tracker can't be enabled by default as it requires additional settings. 51 | ; Disabled repo units will not be added to new repositories regardless if it is in the default list. 52 | DEFAULT_REPO_UNITS = repo.code,repo.releases,repo.issues,repo.pulls,repo.wiki 53 | ; Prefix archive files by placing them in a directory named after the repository 54 | PREFIX_ARCHIVE_FILES = true 55 | 56 | [repository.editor] 57 | ; List of file extensions for which lines should be wrapped in the CodeMirror editor 58 | ; Separate extensions with a comma. To line wrap files without an extension, just put a comma 59 | LINE_WRAP_EXTENSIONS = .txt,.md,.markdown,.mdown,.mkd, 60 | ; Valid file modes that have a preview API associated with them, such as api/v1/markdown 61 | ; Separate the values by commas. The preview tab in edit mode won't be displayed if the file extension doesn't match 62 | PREVIEWABLE_FILE_MODES = markdown 63 | 64 | [repository.local] 65 | ; Path for local repository copy. Defaults to `tmp/local-repo` 66 | LOCAL_COPY_PATH = tmp/local-repo 67 | ; Path for local wiki copy. Defaults to `tmp/local-wiki` 68 | LOCAL_WIKI_PATH = tmp/local-wiki 69 | 70 | [repository.upload] 71 | ; Whether repository file uploads are enabled. Defaults to `true` 72 | ENABLED = true 73 | ; Path for uploads. Defaults to `data/tmp/uploads` (tmp gets deleted on gitea restart) 74 | TEMP_PATH = data/tmp/uploads 75 | ; One or more allowed types, e.g. image/jpeg|image/png. Nothing means any file type 76 | ALLOWED_TYPES = 77 | ; Max size of each file in megabytes. 
Defaults to 3MB 78 | FILE_MAX_SIZE = 3 79 | ; Max number of files per upload. Defaults to 5 80 | MAX_FILES = 5 81 | 82 | [repository.pull-request] 83 | ; List of prefixes used in Pull Request title to mark them as Work In Progress 84 | WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP] 85 | ; List of keywords used in Pull Request comments to automatically close a related issue 86 | CLOSE_KEYWORDS=close,closes,closed,fix,fixes,fixed,resolve,resolves,resolved 87 | ; List of keywords used in Pull Request comments to automatically reopen a related issue 88 | REOPEN_KEYWORDS=reopen,reopens,reopened 89 | ; In the default merge message for squash commits include at most this many commits 90 | DEFAULT_MERGE_MESSAGE_COMMITS_LIMIT=50 91 | ; In the default merge message for squash commits limit the size of the commit messages to this 92 | DEFAULT_MERGE_MESSAGE_SIZE=5120 93 | ; In the default merge message for squash commits walk all commits to include all authors in the Co-authored-by otherwise just use those in the limited list 94 | DEFAULT_MERGE_MESSAGE_ALL_AUTHORS=false 95 | ; In default merge messages limit the number of approvers listed as Reviewed-by: to this many 96 | DEFAULT_MERGE_MESSAGE_MAX_APPROVERS=10 97 | ; In default merge messages only include approvers who are official 98 | DEFAULT_MERGE_MESSAGE_OFFICIAL_APPROVERS_ONLY=true 99 | 100 | [repository.issue] 101 | ; List of reasons why a Pull Request or Issue can be locked 102 | LOCK_REASONS=Too heated,Off-topic,Resolved,Spam 103 | 104 | [repository.signing] 105 | ; GPG key to use to sign commits, Defaults to the default - that is the value of git config --get user.signingkey 106 | ; run in the context of the RUN_USER 107 | ; Switch to none to stop signing completely 108 | SIGNING_KEY = default 109 | ; If a SIGNING_KEY ID is provided and is not set to default, use the provided Name and Email address as the signer. 110 | ; These should match a publicized name and email address for the key. 
(When SIGNING_KEY is default these are set to 111 | ; the results of git config --get user.name and git config --get user.email respectively and can only be overridden 112 | ; by setting the SIGNING_KEY ID to the correct ID.) 113 | SIGNING_NAME = 114 | SIGNING_EMAIL = 115 | ; Determines when gitea should sign the initial commit when creating a repository 116 | ; Either: 117 | ; - never 118 | ; - pubkey: only sign if the user has a pubkey 119 | ; - twofa: only sign if the user has logged in with twofa 120 | ; - always 121 | ; options other than never and always can be combined as a comma separated list 122 | INITIAL_COMMIT = always 123 | ; Determines when to sign for CRUD actions 124 | ; - as above 125 | ; - parentsigned: requires that the parent commit is signed. 126 | CRUD_ACTIONS = pubkey, twofa, parentsigned 127 | ; Determines when to sign Wiki commits 128 | ; - as above 129 | WIKI = never 130 | ; Determines when to sign on merges 131 | ; - basesigned: require that the parent of commit on the base repo is signed. 132 | ; - commitssigned: require that all the commits in the head branch are signed.
133 | ; - approved: only sign when merging an approved pr to a protected branch 134 | MERGES = pubkey, twofa, basesigned, commitssigned 135 | 136 | [cors] 137 | ; More information about CORS can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#The_HTTP_response_headers 138 | ; enable cors headers (disabled by default) 139 | ENABLED=false 140 | ; scheme of allowed requests 141 | SCHEME=http 142 | ; list of requesting domains that are allowed 143 | ALLOW_DOMAIN=* 144 | ; allow subdomains of headers listed above to request 145 | ALLOW_SUBDOMAIN=false 146 | ; list of methods allowed to request 147 | METHODS=GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS 148 | ; max time to cache response 149 | MAX_AGE=10m 150 | ; allow request with credentials 151 | ALLOW_CREDENTIALS=false 152 | 153 | [ui] 154 | ; Number of repositories that are displayed on one explore page 155 | EXPLORE_PAGING_NUM = 20 156 | ; Number of issues that are displayed on one page 157 | ISSUE_PAGING_NUM = 10 158 | ; Number of maximum commits displayed in one activity feed 159 | FEED_MAX_COMMIT_NUM = 5 160 | ; Number of maximum commits displayed in commit graph. 161 | GRAPH_MAX_COMMIT_NUM = 100 162 | ; Number of line of codes shown for a code comment 163 | CODE_COMMENT_LINES = 4 164 | ; Value of `theme-color` meta tag, used by Android >= 5.0 165 | ; An invalid color like "none" or "disable" will have the default style 166 | ; More info: https://developers.google.com/web/updates/2014/11/Support-for-theme-color-in-Chrome-39-for-Android 167 | THEME_COLOR_META_TAG = `#6cc644` 168 | ; Max size of files to be displayed (default is 8MiB) 169 | MAX_DISPLAY_FILE_SIZE = 8388608 170 | ; Whether the email of the user should be shown in the Explore Users page 171 | SHOW_USER_EMAIL = true 172 | ; Set the default theme for the Gitea install 173 | DEFAULT_THEME = gitea 174 | ; All available themes. Allow users select personalized themes regardless of the value of `DEFAULT_THEME`. 
175 | THEMES = gitea,arc-green 176 | ; All available reactions. Allow users react with different emoji's 177 | ; For the whole list look at https://gitea.com/gitea/gitea.com/issues/8 178 | REACTIONS = +1, -1, laugh, hooray, confused, heart, rocket, eyes 179 | ; Whether the full name of the users should be shown where possible. If the full name isn't set, the username will be used. 180 | DEFAULT_SHOW_FULL_NAME = false 181 | ; Whether to search within description at repository search on explore page. 182 | SEARCH_REPO_DESCRIPTION = true 183 | ; Whether to enable a Service Worker to cache frontend assets 184 | USE_SERVICE_WORKER = true 185 | 186 | [ui.admin] 187 | ; Number of users that are displayed on one page 188 | USER_PAGING_NUM = 50 189 | ; Number of repos that are displayed on one page 190 | REPO_PAGING_NUM = 50 191 | ; Number of notices that are displayed on one page 192 | NOTICE_PAGING_NUM = 25 193 | ; Number of organizations that are displayed on one page 194 | ORG_PAGING_NUM = 50 195 | 196 | [ui.user] 197 | ; Number of repos that are displayed on one page 198 | REPO_PAGING_NUM = 15 199 | 200 | [ui.meta] 201 | AUTHOR = Gitea - Git with a cup of tea 202 | DESCRIPTION = Gitea (Git with a cup of tea) is a painless self-hosted Git service written in Go 203 | KEYWORDS = go,git,self-hosted,gitea 204 | 205 | [markdown] 206 | ; Enable hard line break extension 207 | ENABLE_HARD_LINE_BREAK = false 208 | ; Comma separated list of custom URL-Schemes that are allowed as links when rendering Markdown 209 | ; for example git,magnet,ftp (more at https://en.wikipedia.org/wiki/List_of_URI_schemes) 210 | ; URLs starting with http and https are always displayed, whatever is put in this entry. 211 | CUSTOM_URL_SCHEMES = 212 | ; List of file extensions that should be rendered/edited as Markdown 213 | ; Separate the extensions with a comma. 
To render files without any extension as markdown, just put a comma 214 | FILE_EXTENSIONS = .md,.markdown,.mdown,.mkd 215 | 216 | [server] 217 | ; The protocol the server listens on. One of 'http', 'https', 'unix' or 'fcgi'. 218 | ; fix me 219 | PROTOCOL = http 220 | ; fix me 221 | DOMAIN = gitea.t.khs1994.com 222 | ; ROOT_URL = %(PROTOCOL)s://%(DOMAIN)s:%(HTTP_PORT)s/ 223 | ; fix me 224 | ROOT_URL= https://gitea.t.khs1994.com:28443 225 | ; when STATIC_URL_PREFIX is empty it will follow ROOT_URL 226 | STATIC_URL_PREFIX = 227 | ; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket. 228 | HTTP_ADDR = 0.0.0.0 229 | HTTP_PORT = 3000 230 | ; If REDIRECT_OTHER_PORT is true, and PROTOCOL is set to https an http server 231 | ; will be started on PORT_TO_REDIRECT and it will redirect plain, non-secure http requests to the main 232 | ; ROOT_URL. Defaults are false for REDIRECT_OTHER_PORT and 80 for 233 | ; PORT_TO_REDIRECT. 234 | REDIRECT_OTHER_PORT = false 235 | PORT_TO_REDIRECT = 80 236 | ; Permission for unix socket 237 | UNIX_SOCKET_PERMISSION = 666 238 | ; Local (DMZ) URL for Gitea workers (such as SSH update) accessing web service. 239 | ; In most cases you do not need to change the default value. 240 | ; Alter it only if your SSH server node is not the same as HTTP node. 241 | ; Do not set this variable if PROTOCOL is set to 'unix'. 242 | LOCAL_ROOT_URL = %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/ 243 | ; Disable SSH feature when not available 244 | DISABLE_SSH = false 245 | ; Whether to use the builtin SSH server or not. 246 | START_SSH_SERVER = false 247 | ; Username to use for the builtin SSH server. If blank, then it is the value of RUN_USER. 
248 | BUILTIN_SSH_SERVER_USER = 249 | ; Domain name to be exposed in clone URL 250 | SSH_DOMAIN = %(DOMAIN)s 251 | ; The network interface the builtin SSH server should listen on 252 | SSH_LISTEN_HOST = 253 | ; Port number to be exposed in clone URL 254 | SSH_PORT = 22 255 | ; The port number the builtin SSH server should listen on 256 | SSH_LISTEN_PORT = %(SSH_PORT)s 257 | ; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'. 258 | SSH_ROOT_PATH = 259 | ; Gitea will create an authorized_keys file by default when it is not using the internal ssh server 260 | ; If you intend to use the AuthorizedKeysCommand functionality then you should turn this off. 261 | SSH_CREATE_AUTHORIZED_KEYS_FILE = true 262 | ; For the built-in SSH server, choose the ciphers to support for SSH connections, 263 | ; for system SSH this setting has no effect 264 | SSH_SERVER_CIPHERS = aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, arcfour256, arcfour128 265 | ; For the built-in SSH server, choose the key exchange algorithms to support for SSH connections, 266 | ; for system SSH this setting has no effect 267 | SSH_SERVER_KEY_EXCHANGES = diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, curve25519-sha256@libssh.org 268 | ; For the built-in SSH server, choose the MACs to support for SSH connections, 269 | ; for system SSH this setting has no effect 270 | SSH_SERVER_MACS = hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1, hmac-sha1-96 271 | ; Directory to create temporary files in when testing public keys using ssh-keygen, 272 | ; default is the system temporary directory. 273 | SSH_KEY_TEST_PATH = 274 | ; Path to ssh-keygen, default is 'ssh-keygen' which means the shell is responsible for finding out which one to call.
275 | SSH_KEYGEN_PATH = ssh-keygen 276 | ; Enable SSH Authorized Key Backup when rewriting all keys, default is true 277 | SSH_BACKUP_AUTHORIZED_KEYS = true 278 | ; Enable exposure of SSH clone URL to anonymous visitors, default is false 279 | SSH_EXPOSE_ANONYMOUS = false 280 | ; Indicate whether to check minimum key size with corresponding type 281 | MINIMUM_KEY_SIZE_CHECK = false 282 | ; Disable CDN even in "prod" mode 283 | OFFLINE_MODE = false 284 | DISABLE_ROUTER_LOG = false 285 | ; Generate steps: 286 | ; $ ./gitea cert -ca=true -duration=8760h0m0s -host=myhost.example.com 287 | ; 288 | ; Or from a .pfx file exported from the Windows certificate store (do 289 | ; not forget to export the private key): 290 | ; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys 291 | ; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes 292 | ; Paths are relative to CUSTOM_PATH 293 | CERT_FILE = https/cert.pem 294 | KEY_FILE = https/key.pem 295 | ; Root directory containing templates and static files. 296 | ; default is the path where Gitea is executed 297 | STATIC_ROOT_PATH = 298 | ; Default path for App data 299 | APP_DATA_PATH = data 300 | ; Application level GZIP support 301 | ENABLE_GZIP = false 302 | ; Application profiling (memory and cpu) 303 | ; For "web" command it listens on localhost:6060 304 | ; For "serve" command it dumps to disk at PPROF_DATA_PATH as (cpuprofile|memprofile)__ 305 | ENABLE_PPROF = false 306 | ; PPROF_DATA_PATH, use an absolute path when you start gitea as service 307 | PPROF_DATA_PATH = data/tmp/pprof 308 | ; Landing page, can be "home", "explore", "organizations" or "login" 309 | ; The "login" choice is not a security measure but just a UI flow change, use REQUIRE_SIGNIN_VIEW to force users to log in. 310 | LANDING_PAGE = home 311 | ; Enables git-lfs support. true or false, default is false. 312 | LFS_START_SERVER = false 313 | ; Where your lfs files reside, default is data/lfs. 
314 | LFS_CONTENT_PATH = data/lfs 315 | ; LFS authentication secret, change this yourself 316 | LFS_JWT_SECRET = 317 | ; LFS authentication validity period (in time.Duration), pushes taking longer than this may fail. 318 | LFS_HTTP_AUTH_EXPIRY = 20m 319 | ; Allow graceful restarts using SIGHUP to fork 320 | ALLOW_GRACEFUL_RESTARTS = true 321 | ; After a restart the parent will finish ongoing requests before 322 | ; shutting down. Force shutdown if this process takes longer than this delay. 323 | ; set to a negative value to disable 324 | GRACEFUL_HAMMER_TIME = 60s 325 | ; Allows the setting of a startup timeout and wait hint for Windows as SVC service 326 | ; 0 disables this. 327 | STARTUP_TIMEOUT = 0 328 | ; Static resources, includes resources on custom/, public/ and all uploaded avatars web browser cache time, default is 6h 329 | STATIC_CACHE_TIME = 6h 330 | 331 | ; Define allowed algorithms and their minimum key length (use -1 to disable a type) 332 | [ssh.minimum_key_sizes] 333 | ED25519 = 256 334 | ECDSA = 256 335 | RSA = 2048 336 | DSA = 1024 337 | 338 | [database] 339 | ; Either "mysql", "postgres", "mssql" or "sqlite3", it's your choice 340 | ; fix me 341 | DB_TYPE = mysql 342 | HOST = mysql:3306 343 | NAME = gitea 344 | USER = root 345 | ; Use PASSWD = `your password` for quoting if you use special characters in the password. 346 | PASSWD = mytest 347 | ; For Postgres, schema to use if different from "public". The schema must exist beforehand, 348 | ; the user must have creation privileges on it, and the user search path must be set 349 | ; to look into the schema first. e.g.:ALTER USER user SET SEARCH_PATH = schema_name,"$user",public; 350 | SCHEMA = 351 | ; For Postgres, either "disable" (default), "require", or "verify-full" 352 | ; For MySQL, either "false" (default), "true", or "skip-verify" 353 | SSL_MODE = disable 354 | ; For MySQL only, either "utf8" or "utf8mb4", default is "utf8". 355 | ; NOTICE: for "utf8mb4" you must use MySQL InnoDB > 5.6.
Gitea is unable to check this. 356 | CHARSET = utf8 357 | ; For "sqlite3" and "tidb", use an absolute path when you start gitea as service 358 | PATH = data/gitea.db 359 | ; For "sqlite3" only. Query timeout 360 | SQLITE_TIMEOUT = 500 361 | ; For iterate buffer, default is 50 362 | ITERATE_BUFFER_SIZE = 50 363 | ; Show the database generated SQL 364 | LOG_SQL = true 365 | ; Maximum number of DB Connect retries 366 | DB_RETRIES = 10 367 | ; Backoff time per DB retry (time.Duration) 368 | DB_RETRY_BACKOFF = 3s 369 | ; Max idle database connections on connection pool, default is 2 370 | MAX_IDLE_CONNS = 2 371 | ; Database connection max life time, default is 0 or 3s mysql (See #6804 & #7071 for reasoning) 372 | CONN_MAX_LIFETIME = 3s 373 | ; Database maximum number of open connections, default is 0 meaning no maximum 374 | MAX_OPEN_CONNS = 0 375 | 376 | [indexer] 377 | ; Issue indexer type, currently support: bleve, db or elasticsearch, default is bleve 378 | ISSUE_INDEXER_TYPE = bleve 379 | ; Issue indexer connection string, available when ISSUE_INDEXER_TYPE is elasticsearch 380 | ISSUE_INDEXER_CONN_STR = http://elastic:changeme@localhost:9200 381 | ; Issue indexer name, available when ISSUE_INDEXER_TYPE is elasticsearch 382 | ISSUE_INDEXER_NAME = gitea_issues 383 | ; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve 384 | ISSUE_INDEXER_PATH = indexers/issues.bleve 385 | ; Issue indexer queue, currently support: channel, levelqueue or redis, default is levelqueue 386 | ISSUE_INDEXER_QUEUE_TYPE = levelqueue 387 | ; When ISSUE_INDEXER_QUEUE_TYPE is levelqueue, this will be the path where the queue is saved, 388 | ; default is indexers/issues.queue 389 | ISSUE_INDEXER_QUEUE_DIR = indexers/issues.queue 390 | ; When `ISSUE_INDEXER_QUEUE_TYPE` is `redis`, this will store the redis connection string.
391 | ISSUE_INDEXER_QUEUE_CONN_STR = "addrs=127.0.0.1:6379 db=0" 392 | ; Batch queue number, default is 20 393 | ISSUE_INDEXER_QUEUE_BATCH_NUMBER = 20 394 | ; Timeout the indexer if it takes longer than this to start. 395 | ; Set to zero to disable timeout. 396 | STARTUP_TIMEOUT=30s 397 | 398 | ; repo indexer by default disabled, since it uses a lot of disk space 399 | REPO_INDEXER_ENABLED = false 400 | REPO_INDEXER_PATH = indexers/repos.bleve 401 | UPDATE_BUFFER_LEN = 20 402 | MAX_FILE_SIZE = 1048576 403 | ; A comma separated list of glob patterns (see https://github.com/gobwas/glob) to include 404 | ; in the index; default is empty 405 | REPO_INDEXER_INCLUDE = 406 | ; A comma separated list of glob patterns to exclude from the index; default is empty 407 | REPO_INDEXER_EXCLUDE = 408 | 409 | [queue] 410 | ; Specific queues can be individually configured with [queue.name]. [queue] provides defaults 411 | ; 412 | ; General queue type, currently support: persistable-channel, channel, level, redis, dummy 413 | ; default to persistable-channel 414 | TYPE = persistable-channel 415 | ; data-dir for storing persistable queues and level queues, individual queues will be named by their type 416 | DATADIR = queues/ 417 | ; Default queue length before a channel queue will block 418 | LENGTH = 20 419 | ; Batch size to send for batched queues 420 | BATCH_LENGTH = 20 421 | ; Connection string for redis queues; this will store the redis connection string. 422 | CONN_STR = "addrs=127.0.0.1:6379 db=0" 423 | ; Provide the suffix of the default redis queue name - specific queues can be overridden within their [queue.name] sections.
424 | QUEUE_NAME = "_queue" 425 | ; If the queue cannot be created at startup - level queues may need a timeout at startup - wrap the queue: 426 | WRAP_IF_NECESSARY = true 427 | ; Attempt to create the wrapped queue at max 428 | MAX_ATTEMPTS = 10 429 | ; Timeout queue creation 430 | TIMEOUT = 15m30s 431 | ; Create a pool with this many workers 432 | WORKERS = 1 433 | ; Dynamically scale the worker pool to at this many workers 434 | MAX_WORKERS = 10 435 | ; Add boost workers when the queue blocks for BLOCK_TIMEOUT 436 | BLOCK_TIMEOUT = 1s 437 | ; Remove the boost workers after BOOST_TIMEOUT 438 | BOOST_TIMEOUT = 5m 439 | ; During a boost add BOOST_WORKERS 440 | BOOST_WORKERS = 5 441 | 442 | [admin] 443 | ; Disallow regular (non-admin) users from creating organizations. 444 | DISABLE_REGULAR_ORG_CREATION = false 445 | ; Default configuration for email notifications for users (user configurable). Options: enabled, onmention, disabled 446 | DEFAULT_EMAIL_NOTIFICATIONS = enabled 447 | 448 | [security] 449 | ; Whether the installer is disabled 450 | INSTALL_LOCK = false 451 | ; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!! 
452 | SECRET_KEY = !#@FDEWREWR&*( 453 | ; How long to remember that a user is logged in before requiring relogin (in days) 454 | LOGIN_REMEMBER_DAYS = 7 455 | COOKIE_USERNAME = gitea_awesome 456 | COOKIE_REMEMBER_NAME = gitea_incredible 457 | ; Reverse proxy authentication header name of user name 458 | REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER 459 | REVERSE_PROXY_AUTHENTICATION_EMAIL = X-WEBAUTH-EMAIL 460 | ; The minimum password length for new Users 461 | MIN_PASSWORD_LENGTH = 6 462 | ; Set to true to allow users to import local server paths 463 | IMPORT_LOCAL_PATHS = false 464 | ; Set to true to prevent all users (including admin) from creating custom git hooks 465 | DISABLE_GIT_HOOKS = false 466 | ; Set to false to allow pushes to gitea repositories despite having an incomplete environment - NOT RECOMMENDED 467 | ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true 468 | ;Comma separated list of character classes required to pass minimum complexity. 469 | ;If left empty or no valid values are specified, the default values ("lower,upper,digit,spec") will be used. 470 | ;Use "off" to disable checking. 471 | PASSWORD_COMPLEXITY = lower,upper,digit,spec 472 | ; Password Hash algorithm, either "pbkdf2", "argon2", "scrypt" or "bcrypt" 473 | PASSWORD_HASH_ALGO = pbkdf2 474 | ; Set false to allow JavaScript to read CSRF cookie 475 | CSRF_COOKIE_HTTP_ONLY = true 476 | 477 | [openid] 478 | ; 479 | ; OpenID is an open, standard and decentralized authentication protocol. 480 | ; Your identity is the address of a webpage you provide, which describes 481 | ; how to prove you are in control of that page. 
482 | ; 483 | ; For more info: https://en.wikipedia.org/wiki/OpenID 484 | ; 485 | ; Current implementation supports OpenID-2.0 486 | ; 487 | ; Providers tested to work at the time of writing: 488 | ; - Any GNUSocial node (your.hostname.tld/username) 489 | ; - Any SimpleID provider (http://simpleid.koinic.net) 490 | ; - http://openid.org.cn/ 491 | ; - openid.stackexchange.com 492 | ; - login.launchpad.net 493 | ; - .livejournal.com 494 | ; 495 | ; Whether to allow signing in via OpenID 496 | ENABLE_OPENID_SIGNIN = true 497 | ; Whether to allow registering via OpenID 498 | ; Leave this unset to fall back to the DISABLE_REGISTRATION setting 499 | ;ENABLE_OPENID_SIGNUP = true 500 | ; Allowed URI patterns (POSIX regexp). 501 | ; Space separated. 502 | ; If non-blank, only these are allowed. 503 | ; Example value: trusted.domain.org trusted.domain.net 504 | WHITELISTED_URIS = 505 | ; Forbidden URI patterns (POSIX regexp). 506 | ; Space separated. 507 | ; Only used if WHITELISTED_URIS is blank. 508 | ; Example value: loadaverage.org/badguy stackexchange.com/.*spammer 509 | BLACKLISTED_URIS = 510 | 511 | [service] 512 | ; Time limit (in minutes) to confirm account/email registration 513 | ACTIVE_CODE_LIVE_MINUTES = 180 514 | ; Time limit (in minutes) to perform the reset of a forgotten password 515 | RESET_PASSWD_CODE_LIVE_MINUTES = 180 516 | ; Whether a new user needs to confirm their email when registering. 517 | REGISTER_EMAIL_CONFIRM = false 518 | ; List of domain names that are allowed to be used to register on a Gitea instance 519 | ; gitea.io,example.com 520 | EMAIL_DOMAIN_WHITELIST= 521 | ; Disallow registration, only allow admins to create accounts. 522 | DISABLE_REGISTRATION = false 523 | ; Allow registration only using third-party services; this only takes effect when DISABLE_REGISTRATION is false 524 | ALLOW_ONLY_EXTERNAL_REGISTRATION = false 525 | ; User must sign in to view anything. 
526 | REQUIRE_SIGNIN_VIEW = false 527 | ; Mail notification 528 | ENABLE_NOTIFY_MAIL = false 529 | ; This setting enables gitea to be signed in with HTTP BASIC Authentication using the user's password 530 | ; If you set this to false you will not be able to access the tokens endpoints on the API with your password 531 | ; Please note that setting this to false will not disable OAuth Basic or Basic authentication using a token 532 | ENABLE_BASIC_AUTHENTICATION = true 533 | ; More detail: https://github.com/gogs/gogs/issues/165 534 | ENABLE_REVERSE_PROXY_AUTHENTICATION = false 535 | ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false 536 | ENABLE_REVERSE_PROXY_EMAIL = false 537 | ; Enable captcha validation for registration 538 | ENABLE_CAPTCHA = false 539 | ; Type of captcha you want to use. Options: image, recaptcha 540 | CAPTCHA_TYPE = image 541 | ; Enable recaptcha to use Google's recaptcha service 542 | ; Go to https://www.google.com/recaptcha/admin to sign up for a key 543 | RECAPTCHA_SECRET = 544 | RECAPTCHA_SITEKEY = 545 | ; Change this to use recaptcha.net or other recaptcha service 546 | RECAPTCHA_URL = https://www.google.com/recaptcha/ 547 | ; Default value for KeepEmailPrivate 548 | ; Each new user will get the value of this setting copied into their profile 549 | DEFAULT_KEEP_EMAIL_PRIVATE = false 550 | ; Default value for AllowCreateOrganization 551 | ; Every new user will have rights set to create organizations depending on this setting 552 | DEFAULT_ALLOW_CREATE_ORGANIZATION = true 553 | ; Either "public", "limited" or "private", default is "public" 554 | ; Limited is for signed user only 555 | ; Private is only for member of the organization 556 | ; Public is for everyone 557 | DEFAULT_ORG_VISIBILITY = public 558 | ; Default value for DefaultOrgMemberVisible 559 | ; True will make the membership of the users visible when added to the organisation 560 | DEFAULT_ORG_MEMBER_VISIBLE = false 561 | ; Default value for EnableDependencies 562 | ; Repositories 
will use dependencies by default depending on this setting 563 | DEFAULT_ENABLE_DEPENDENCIES = true 564 | ; Dependencies can be added from any repository where the user is granted access or only from the current repository depending on this setting. 565 | ALLOW_CROSS_REPOSITORY_DEPENDENCIES = true 566 | ; Enable heatmap on users profiles. 567 | ENABLE_USER_HEATMAP = true 568 | ; Enable Timetracking 569 | ENABLE_TIMETRACKING = true 570 | ; Default value for EnableTimetracking 571 | ; Repositories will use timetracking by default depending on this setting 572 | DEFAULT_ENABLE_TIMETRACKING = true 573 | ; Default value for AllowOnlyContributorsToTrackTime 574 | ; Only users with write permissions can track time if this is true 575 | DEFAULT_ALLOW_ONLY_CONTRIBUTORS_TO_TRACK_TIME = true 576 | ; Default value for the domain part of the user's email address in the git log 577 | ; if he has set KeepEmailPrivate to true. The user's email will be replaced with a 578 | ; concatenation of the user name in lower case, "@" and NO_REPLY_ADDRESS. 
579 | NO_REPLY_ADDRESS = noreply.%(DOMAIN)s 580 | ; Show Registration button 581 | SHOW_REGISTRATION_BUTTON = true 582 | ; Show milestones dashboard page - a view of all the user's milestones 583 | SHOW_MILESTONES_DASHBOARD_PAGE = true 584 | ; Default value for AutoWatchNewRepos 585 | ; When adding a repo to a team or creating a new repo all team members will watch the 586 | ; repo automatically if enabled 587 | AUTO_WATCH_NEW_REPOS = true 588 | ; Default value for AutoWatchOnChanges 589 | ; Make the user watch a repository when they commit for the first time 590 | AUTO_WATCH_ON_CHANGES = false 591 | 592 | [webhook] 593 | ; Hook task queue length, increase if webhook delivery starts hanging 594 | QUEUE_LENGTH = 1000 595 | ; Deliver timeout in seconds 596 | DELIVER_TIMEOUT = 5 597 | ; Skip TLS certificate verification of webhook targets (allows insecure certificates) 598 | SKIP_TLS_VERIFY = false 599 | ; Number of history entries per page 600 | PAGING_NUM = 10 601 | ; Proxy server URL; supports http://, https://, socks://. If blank, the http_proxy/https_proxy environment variables are used 602 | PROXY_URL = 603 | ; Comma separated list of host names requiring proxy. Glob patterns (*) are accepted; use ** to match all hosts. 604 | PROXY_HOSTS = 605 | 606 | [mailer] 607 | ENABLED = false 608 | ; Buffer length of channel, keep it as it is if you don't know what it is. 609 | SEND_BUFFER_LEN = 100 610 | ; Prefix displayed before subject in mail 611 | SUBJECT_PREFIX = 612 | ; Mail server 613 | ; Gmail: smtp.gmail.com:587 614 | ; QQ: smtp.qq.com:465 615 | ; Note: if the port ends with "465", SMTPS will be used. Using STARTTLS on port 587 is recommended per RFC 6409. If the server supports STARTTLS it will always be used. 616 | HOST = 617 | ; Disable HELO operation when hostnames are different. 618 | DISABLE_HELO = 619 | ; Custom hostname for HELO operation; if no value is provided, one is retrieved from the system. 620 | HELO_HOSTNAME = 621 | ; Do not verify the certificate of the server. 
Only use this for self-signed certificates 622 | SKIP_VERIFY = 623 | ; Use client certificate 624 | USE_CERTIFICATE = false 625 | CERT_FILE = custom/mailer/cert.pem 626 | KEY_FILE = custom/mailer/key.pem 627 | ; Should SMTP connection use TLS 628 | IS_TLS_ENABLED = false 629 | ; Mail from address, RFC 5322. This can be just an email address, or the `"Name" ` format 630 | FROM = 631 | ; Mailer user name and password 632 | USER = 633 | ; Use PASSWD = `your password` for quoting if you use special characters in the password. 634 | PASSWD = 635 | ; Send mails as plain text 636 | SEND_AS_PLAIN_TEXT = false 637 | ; Set Mailer Type (either SMTP, sendmail or dummy to just send to the log) 638 | MAILER_TYPE = smtp 639 | ; Specify an alternative sendmail binary 640 | SENDMAIL_PATH = sendmail 641 | ; Specify any extra sendmail arguments 642 | SENDMAIL_ARGS = 643 | 644 | [cache] 645 | ; if the cache enabled 646 | ENABLED = true 647 | ; Either "memory", "redis", or "memcache", default is "memory" 648 | ADAPTER = memory 649 | ; For "memory" only, GC interval in seconds, default is 60 650 | INTERVAL = 60 651 | ; For "redis" and "memcache", connection host address 652 | ; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180 653 | ; memcache: `127.0.0.1:11211` 654 | HOST = 655 | ; Time to keep items in cache if not used, default is 16 hours. 656 | ; Setting it to 0 disables caching 657 | ITEM_TTL = 16h 658 | 659 | ; Last commit cache 660 | [cache.last_commit] 661 | ; if the cache enabled 662 | ENABLED = true 663 | ; Time to keep items in cache if not used, default is 8760 hours. 
664 | ; Setting it to 0 disables caching 665 | ITEM_TTL = 8760h 666 | ; Only enable the cache when the repository's commit count is greater than 667 | COMMITS_COUNT = 1000 668 | 669 | [session] 670 | ; Either "memory", "file", or "redis", default is "memory" 671 | PROVIDER = memory 672 | ; Provider config options 673 | ; memory: doesn't have any config yet 674 | ; file: session file path, e.g. `data/sessions` 675 | ; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180 676 | ; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table` 677 | PROVIDER_CONFIG = data/sessions 678 | ; Session cookie name 679 | COOKIE_NAME = i_like_gitea 680 | ; Set to true if sessions are only used over HTTPS; default is false 681 | COOKIE_SECURE = false 682 | ; Enable set cookie, default is true 683 | ENABLE_SET_COOKIE = true 684 | ; Session GC time interval in seconds, default is 86400 (1 day) 685 | GC_INTERVAL_TIME = 86400 686 | ; Session life time in seconds, default is 86400 (1 day) 687 | SESSION_LIFE_TIME = 86400 688 | 689 | [picture] 690 | AVATAR_UPLOAD_PATH = data/avatars 691 | REPOSITORY_AVATAR_UPLOAD_PATH = data/repo-avatars 692 | ; How Gitea deals with missing repository avatars 693 | ; none = no avatar will be displayed; random = random avatar will be displayed; image = default image will be used 694 | REPOSITORY_AVATAR_FALLBACK = none 695 | REPOSITORY_AVATAR_FALLBACK_IMAGE = /img/repo_default.png 696 | ; Max width and height of uploaded avatars. 697 | ; This is to limit the amount of RAM used when resizing the image. 698 | AVATAR_MAX_WIDTH = 4096 699 | AVATAR_MAX_HEIGHT = 3072 700 | ; Maximum allowed file size for uploaded avatars. 701 | ; This is to limit the amount of RAM used when resizing the image. 702 | AVATAR_MAX_FILE_SIZE = 1048576 703 | ; Chinese users can choose "duoshuo" 704 | ; or a custom avatar source, like: http://cn.gravatar.com/avatar/ 705 | GRAVATAR_SOURCE = gravatar 706 | ; This value will always be true in offline mode. 
707 | DISABLE_GRAVATAR = false 708 | ; Federated avatar lookup uses DNS to discover avatar associated 709 | ; with emails, see https://www.libravatar.org 710 | ; This value will always be false in offline mode or when Gravatar is disabled. 711 | ENABLE_FEDERATED_AVATAR = false 712 | 713 | [attachment] 714 | ; Whether attachments are enabled. Defaults to `true` 715 | ENABLED = true 716 | ; Path for attachments. Defaults to `data/attachments` 717 | PATH = data/attachments 718 | ; One or more allowed types, e.g. image/jpeg|image/png 719 | ALLOWED_TYPES = image/jpeg|image/png|application/zip|application/gzip 720 | ; Max size of each file. Defaults to 4MB 721 | MAX_SIZE = 4 722 | ; Max number of files per upload. Defaults to 5 723 | MAX_FILES = 5 724 | 725 | [time] 726 | ; Specifies the format for fully outputted dates. Defaults to RFC1123 727 | ; Special supported values are ANSIC, UnixDate, RubyDate, RFC822, RFC822Z, RFC850, RFC1123, RFC1123Z, RFC3339, RFC3339Nano, Kitchen, Stamp, StampMilli, StampMicro and StampNano 728 | ; For more information about the format see http://golang.org/pkg/time/#pkg-constants 729 | FORMAT = 730 | ; Location the UI time display i.e. Asia/Shanghai 731 | ; Empty means server's location setting 732 | DEFAULT_UI_LOCATION = 733 | 734 | [log] 735 | ROOT_PATH = 736 | ; Either "console", "file", "conn", "smtp" or "database", default is "console" 737 | ; Use comma to separate multiple modes, e.g. "console, file" 738 | MODE = console 739 | ; Buffer length of the channel, keep it as it is if you don't know what it is. 
740 | BUFFER_LEN = 10000 741 | REDIRECT_MACARON_LOG = false 742 | MACARON = file 743 | ; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Info" 744 | ROUTER_LOG_LEVEL = Info 745 | ROUTER = console 746 | ENABLE_ACCESS_LOG = false 747 | ACCESS_LOG_TEMPLATE = {{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}" 748 | ACCESS = file 749 | ; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace" 750 | LEVEL = Info 751 | ; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "None" 752 | STACKTRACE_LEVEL = None 753 | 754 | ; Generic log modes 755 | [log.x] 756 | FLAGS = stdflags 757 | EXPRESSION = 758 | PREFIX = 759 | COLORIZE = false 760 | 761 | ; For "console" mode only 762 | [log.console] 763 | LEVEL = 764 | STDERR = false 765 | 766 | ; For "file" mode only 767 | [log.file] 768 | LEVEL = 769 | ; Set the file_name for the logger. 
If this is a relative path this 770 | ; will be relative to ROOT_PATH 771 | FILE_NAME = 772 | ; This enables automated log rotation (master switch for the following options), default is true 773 | LOG_ROTATE = true 774 | ; Max number of lines in a single file, default is 1000000 775 | MAX_LINES = 1000000 776 | ; Max size shift of a single file; default is 28, meaning 1 << 28 bytes (256MB) 777 | MAX_SIZE_SHIFT = 28 778 | ; Segment log daily, default is true 779 | DAILY_ROTATE = true 780 | ; Delete the log file after n days, default is 7 781 | MAX_DAYS = 7 782 | ; Compress logs with gzip 783 | COMPRESS = true 784 | ; Compression level; see godoc for compress/gzip 785 | COMPRESSION_LEVEL = -1 786 | 787 | ; For "conn" mode only 788 | [log.conn] 789 | LEVEL = 790 | ; Reconnect to the host for every single message, default is false 791 | RECONNECT_ON_MSG = false 792 | ; Try to reconnect when the connection is lost, default is false 793 | RECONNECT = false 794 | ; Either "tcp", "unix" or "udp", default is "tcp" 795 | PROTOCOL = tcp 796 | ; Host address 797 | ADDR = 798 | 799 | ; For "smtp" mode only 800 | [log.smtp] 801 | LEVEL = 802 | ; Name displayed in mail title, default is "Diagnostic message from server" 803 | SUBJECT = Diagnostic message from server 804 | ; Mail server 805 | HOST = 806 | ; Mailer user name and password 807 | USER = 808 | ; Use PASSWD = `your password` for quoting if you use special characters in the password. 809 | PASSWD = 810 | ; Receivers, can be one or more, e.g. 1@example.com,2@example.com 811 | RECEIVERS = 812 | 813 | [cron] 814 | ; Enable running cron tasks periodically. 815 | ENABLED = true 816 | ; Run cron tasks when Gitea starts. 817 | RUN_AT_START = false 818 | 819 | ; Update mirrors 820 | [cron.update_mirrors] 821 | SCHEDULE = @every 10m 822 | 823 | ; Repository health check 824 | [cron.repo_health_check] 825 | SCHEDULE = @every 24h 826 | TIMEOUT = 60s 827 | ; Arguments for command 'git fsck', e.g. 
"--unreachable --tags" 828 | ; see more on http://git-scm.com/docs/git-fsck 829 | ARGS = 830 | 831 | ; Check repository statistics 832 | [cron.check_repo_stats] 833 | RUN_AT_START = true 834 | SCHEDULE = @every 24h 835 | 836 | ; Clean up old repository archives 837 | [cron.archive_cleanup] 838 | ; Whether to enable the job 839 | ENABLED = true 840 | ; Whether to always run at least once at start up time (if ENABLED) 841 | RUN_AT_START = true 842 | ; Time interval for job to run 843 | SCHEDULE = @every 24h 844 | ; Archives created more than OLDER_THAN ago are subject to deletion 845 | OLDER_THAN = 24h 846 | 847 | ; Synchronize external user data (only LDAP user synchronization is supported) 848 | [cron.sync_external_users] 849 | ; Synchronize external user data when starting server (default false) 850 | RUN_AT_START = false 851 | ; Interval as a duration between each synchronization (default every 24h) 852 | SCHEDULE = @every 24h 853 | ; Create new users, update existing user data and disable users that are not in external source anymore (default) 854 | ; or only create new users if UPDATE_EXISTING is set to false 855 | UPDATE_EXISTING = true 856 | 857 | ; Update migrated repositories' issues and comments' posterid, it will always attempt synchronization when the instance starts. 858 | [cron.update_migration_post_id] 859 | ; Interval as a duration between each synchronization. (default every 24h) 860 | SCHEDULE = @every 24h 861 | 862 | [git] 863 | ; The path of git executable. If empty, Gitea searches through the PATH environment. 864 | PATH = 865 | ; Disables highlight of added and removed changes 866 | DISABLE_DIFF_HIGHLIGHT = false 867 | ; Max number of lines allowed in a single file in diff view 868 | MAX_GIT_DIFF_LINES = 1000 869 | ; Max number of allowed characters in a line in diff view 870 | MAX_GIT_DIFF_LINE_CHARACTERS = 5000 871 | ; Max number of files shown in diff view 872 | MAX_GIT_DIFF_FILES = 100 873 | ; Arguments for command 'git gc', e.g. 
"--aggressive --auto" 874 | ; see more on http://git-scm.com/docs/git-gc/ 875 | GC_ARGS = 876 | ; If use git wire protocol version 2 when git version >= 2.18, default is true, set to false when you always want git wire protocol version 1 877 | EnableAutoGitWireProtocol = true 878 | 879 | ; Operation timeout in seconds 880 | [git.timeout] 881 | DEFAULT = 360 882 | MIGRATE = 600 883 | MIRROR = 300 884 | CLONE = 300 885 | PULL = 300 886 | GC = 60 887 | 888 | [mirror] 889 | ; Default interval as a duration between each check 890 | DEFAULT_INTERVAL = 8h 891 | ; Min interval as a duration must be > 1m 892 | MIN_INTERVAL = 10m 893 | 894 | [api] 895 | ; Enables Swagger. True or false; default is true. 896 | ENABLE_SWAGGER = true 897 | ; Max number of items in a page 898 | MAX_RESPONSE_ITEMS = 50 899 | ; Default paging number of api 900 | DEFAULT_PAGING_NUM = 30 901 | ; Default and maximum number of items per page for git trees api 902 | DEFAULT_GIT_TREES_PER_PAGE = 1000 903 | ; Default size of a blob returned by the blobs API (default is 10MiB) 904 | DEFAULT_MAX_BLOB_SIZE = 10485760 905 | 906 | [oauth2] 907 | ; Enables OAuth2 provider 908 | ENABLE = true 909 | ; Lifetime of an OAuth2 access token in seconds 910 | ACCESS_TOKEN_EXPIRATION_TIME=3600 911 | ; Lifetime of an OAuth2 access token in hours 912 | REFRESH_TOKEN_EXPIRATION_TIME=730 913 | ; Check if refresh token got already used 914 | INVALIDATE_REFRESH_TOKENS=false 915 | ; OAuth2 authentication secret for access and refresh tokens, change this to a unique string. 
916 | JWT_SECRET=Bk0yK7Y9g_p56v86KaHqjSbxvNvu3SbKoOdOt2ZcXvU 917 | 918 | [i18n] 919 | ; LANGS = en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,uk-UA,ja-JP,es-ES,pt-BR,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sr-SP,sv-SE,ko-KR 920 | LANGS = en-US,zh-CN 921 | ; NAMES = English,简体中文,繁體中文(香港),繁體中文(台灣),Deutsch,français,Nederlands,latviešu,русский,Українська,日本語,español,português do Brasil,polski,български,italiano,suomi,Türkçe,čeština,српски,svenska,한국어 922 | NAMES = English,简体中文 923 | 924 | ; Used for datetimepicker 925 | [i18n.datelang] 926 | en-US = en 927 | zh-CN = zh 928 | ; zh-HK = zh-HK 929 | ; zh-TW = zh-TW 930 | ; de-DE = de 931 | ; fr-FR = fr 932 | ; nl-NL = nl 933 | ; lv-LV = lv 934 | ; ru-RU = ru 935 | ; uk-UA = uk 936 | ; ja-JP = ja 937 | ; es-ES = es 938 | ; pt-BR = pt-BR 939 | ; pl-PL = pl 940 | ; bg-BG = bg 941 | ; it-IT = it 942 | ; fi-FI = fi 943 | ; tr-TR = tr 944 | ; cs-CZ = cs-CZ 945 | ; sr-SP = sr 946 | ; sv-SE = sv 947 | ; ko-KR = ko 948 | 949 | [U2F] 950 | ; NOTE: THE DEFAULT VALUES HERE WILL NEED TO BE CHANGED 951 | ; Two Factor authentication with security keys 952 | ; https://developers.yubico.com/U2F/App_ID.html 953 | ;APP_ID = http://localhost:3000/ 954 | ; Comma seperated list of trusted facets 955 | ;TRUSTED_FACETS = http://localhost:3000/ 956 | 957 | ; Extension mapping to highlight class 958 | ; e.g. .toml=ini 959 | [highlight.mapping] 960 | 961 | [other] 962 | SHOW_FOOTER_BRANDING = false 963 | ; Show version information about Gitea and Go in the footer 964 | SHOW_FOOTER_VERSION = true 965 | ; Show template execution time in the footer 966 | SHOW_FOOTER_TEMPLATE_LOAD_TIME = true 967 | 968 | [markup.sanitizer] 969 | ; The following keys can be used multiple times to define sanitation policy rules. 
970 | ;ELEMENT = span 971 | ;ALLOW_ATTR = class 972 | ;REGEXP = ^(info|warning|error)$ 973 | 974 | [markup.asciidoc] 975 | ENABLED = false 976 | ; List of file extensions that should be rendered by an external command 977 | FILE_EXTENSIONS = .adoc,.asciidoc 978 | ; External command to render all matching extensions 979 | RENDER_COMMAND = "asciidoc --out-file=- -" 980 | ; Don't pass the file on STDIN, pass the filename as argument instead. 981 | IS_INPUT_FILE = false 982 | 983 | [metrics] 984 | ; Enables metrics endpoint. True or false; default is false. 985 | ENABLED = true 986 | ; If you want to add authorization, specify a token here 987 | TOKEN = 988 | 989 | [task] 990 | ; Task queue type, could be `channel` or `redis`. 991 | QUEUE_TYPE = channel 992 | ; Task queue length, available only when `QUEUE_TYPE` is `channel`. 993 | QUEUE_LENGTH = 1000 994 | ; Task queue connection string, available only when `QUEUE_TYPE` is `redis`. 995 | ; If there is a password of redis, use `addrs=127.0.0.1:6379 password=123 db=0`. 996 | QUEUE_CONN_STR = "addrs=127.0.0.1:6379 db=0" 997 | 998 | [migrations] 999 | ; Max attempts per http/https request on migrations. 
1000 | MAX_ATTEMPTS = 3 1001 | ; Backoff time per http/https request retry (seconds) 1002 | RETRY_BACKOFF = 3 1003 | -------------------------------------------------------------------------------- /config/gitea/kustomization.yaml: -------------------------------------------------------------------------------- 1 | configMapGenerator: 2 | - name: gitea-config 3 | files: 4 | - app.ini=app.kubernetes.ini 5 | generatorOptions: 6 | disableNameSuffixHash: true 7 | -------------------------------------------------------------------------------- /config/gogs/.gitignore: -------------------------------------------------------------------------------- 1 | app.ini* 2 | app.kubernetes.ini* 3 | -------------------------------------------------------------------------------- /config/gogs/README.md: -------------------------------------------------------------------------------- 1 | # Goos 配置 2 | 3 | * https://github.com/gogs/gogs/blob/main/conf/app.ini 4 | -------------------------------------------------------------------------------- /config/gogs/app.example.ini: -------------------------------------------------------------------------------- 1 | ; https://gogs.io/docs/advanced/configuration_cheat_sheet 2 | ; https://github.com/gogs/gogs/blob/main/conf/app.ini 3 | 4 | ; 网页标题 5 | BRAND_NAME = {{ CI_DOMAIN }} Git 6 | RUN_USER = git 7 | RUN_MODE = prod 8 | 9 | [database] 10 | TYPE = {{ DB_TYPE }} 11 | HOST = {{ DB_HOST }} 12 | NAME = {{ DB_DATABASE }} 13 | USER = {{ DB_USERNAME }} 14 | PASSWORD = {{ DB_PASSWORD }} 15 | ; SSL_MODE = disable 16 | ; PATH = data/gogs.db 17 | 18 | [repository] 19 | ROOT = /data/git/gogs-repositories 20 | 21 | [server] 22 | ; 这里若配置为 https,nginx 配置项 "proxy_pass" 必须以 https 开头,例如 `proxy_pass https://git` 23 | PROTOCOL = {{ PROTOCOL }} 24 | DOMAIN = {{ CI_DOMAIN_FULL }} 25 | HTTP_PORT = {{ CI_GOGS_PORT }} 26 | EXTERNAL_URL = {{ PROTOCOL }}://{{ CI_DOMAIN_FULL }}:{{ CI_GOGS_PORT }} 27 | DISABLE_SSH = false 28 | SSH_PORT = {{ SSH_PORT }} 29 | 
START_SSH_SERVER = false 30 | OFFLINE_MODE = true 31 | 32 | CERT_FILE = /etc/nginx/conf.d/ssl/{{ CI_DOMAIN }}.crt 33 | KEY_FILE = /etc/nginx/conf.d/ssl/{{ CI_DOMAIN }}.key 34 | TLS_MIN_VERSION = TLS12 35 | LANDING_URL = / 36 | 37 | LOAD_ASSETS_FROM_DISK = false 38 | 39 | [email] 40 | ENABLED = false 41 | ; smtp.exmail.qq.com:465 42 | HOST = {{ MAIL_HOST }} 43 | ; "khs1994.com Git" 44 | FROM = {{ MAIL_FROM }} 45 | ; git@khs1994.com 46 | USER = {{ MAIL_USERNAME }} 47 | PASSWD = {{ MAIL_PASSWORD }} 48 | 49 | [auth] 50 | REGISTER_EMAIL_CONFIRM = false 51 | DISABLE_REGISTRATION = false 52 | SHOW_REGISTRATION_BUTTON = true 53 | ENABLE_EMAIL_NOTIFICATION = true 54 | ENABLE_REGISTRATION_CAPTCHA = true 55 | REQUIRE_SIGNIN_VIEW = false 56 | 57 | [picture] 58 | DISABLE_GRAVATAR = true 59 | ENABLE_FEDERATED_AVATAR = false 60 | 61 | [session] 62 | ; memory | file | redis | mysql 63 | PROVIDER = memory 64 | ; PROVIDER_CONFIG = 65 | ; COOKIE_SECURE = 66 | ; GC_INTERVAL = 67 | 68 | [log] 69 | MODE = console 70 | LEVEL = Info 71 | ROOT_PATH = 72 | 73 | [security] 74 | INSTALL_LOCK = true 75 | SECRET_KEY = d1jHFVzT7I4atZw 76 | ; Use "*" to allow all hostnames. 
77 | LOCAL_NETWORK_ALLOWLIST = * 78 | 79 | [i18n] 80 | LANGS = en-US,zh-CN 81 | NAMES = English,简体中文 82 | 83 | [i18n.datelang] 84 | en-US = en 85 | zh-CN = zh 86 | 87 | ; [cache] 88 | ; momery | redis | memcache 89 | ; ADAPTER = momery 90 | ; INTERVAL = 91 | ; HOST = network=tcp,addr=127.0.0.1:6379,db=0,pool_size=100,idle_timeout=180,password=macaron 92 | ; HOST = 127.0.0.1:9090;127.0.0.1:9091 93 | -------------------------------------------------------------------------------- /config/gogs/app.kubernetes.example.ini: -------------------------------------------------------------------------------- 1 | ; https://gogs.io/docs/advanced/configuration_cheat_sheet 2 | ; https://github.com/gogs/gogs/blob/main/conf/app.ini 3 | 4 | ; 网页标题 5 | BRAND_NAME = Gogs Git 6 | RUN_USER = git 7 | RUN_MODE = prod 8 | 9 | [database] 10 | TYPE = mysql 11 | HOST = mysql:3306 12 | NAME = gogs 13 | USER = root 14 | ; fix me 15 | PASSWORD = mytest 16 | ; For "postgres" only, either "disable", "require" or "verify-full" 17 | ; SSL_MODE = disable 18 | ; For "sqlite3" and "tidb", use absolute path when you start as service 19 | ; PATH = data/gogs.db 20 | 21 | [repository] 22 | ROOT = /data/git/gogs-repositories 23 | 24 | [server] 25 | ; 这里若配置为 https,nginx 配置项 "proxy_pass" 必须以 https 开头,例如 `proxy_pass https://git` 26 | ; http https 27 | ; fix me 28 | PROTOCOL = http 29 | ; git.t.khs1994.com 30 | ; fix me 31 | DOMAIN = {{ CI_DOMAIN_FULL }} 32 | HTTP_PORT = 3000 33 | ; 最终的 git 地址 34 | ; fix me 35 | EXTERNAL_URL = https://{{ CI_DOMAIN_FULL }}:{{ CI_GOGS_PORT }} 36 | DISABLE_SSH = false 37 | SSH_PORT = 8022 38 | START_SSH_SERVER = false 39 | OFFLINE_MODE = true 40 | 41 | ; CERT_FILE = /etc/nginx/conf.d/ssl/{{ CI_DOMAIN }}.crt 42 | ; KEY_FILE = /etc/nginx/conf.d/ssl/{{ CI_DOMAIN }}.key 43 | TLS_MIN_VERSION = TLS12 44 | LANDING_URL = / 45 | 46 | [email] 47 | ENABLED = false 48 | ; smtp.exmail.qq.com:465 49 | ; HOST = {{ MAIL_HOST }} 50 | ; "khs1994.com Git" 51 | ; FROM = {{ MAIL_FROM }} 52 | ; 
git@khs1994.com 53 | ; USER = {{ MAIL_USERNAME }} 54 | ; PASSWD = {{ MAIL_PASSWORD }} 55 | 56 | [auth] 57 | REGISTER_EMAIL_CONFIRM = false 58 | DISABLE_REGISTRATION = false 59 | SHOW_REGISTRATION_BUTTON = true 60 | ENABLE_EMAIL_NOTIFICATION = true 61 | ENABLE_REGISTRATION_CAPTCHA = true 62 | REQUIRE_SIGNIN_VIEW = false 63 | 64 | [webhook] 65 | ; Types are enabled for users to use, can be "gogs", "slack", "discord", "dingtalk" 66 | TYPES = gogs, slack, discord, dingtalk 67 | ; Hook task queue length, increase if webhook shooting starts hanging 68 | QUEUE_LENGTH = 1000 69 | ; Deliver timeout in seconds 70 | DELIVER_TIMEOUT = 15 71 | ; Allow insecure certification 72 | SKIP_TLS_VERIFY = false 73 | ; Number of history information in each page 74 | PAGING_NUM = 10 75 | 76 | [picture] 77 | DISABLE_GRAVATAR = true 78 | ENABLE_FEDERATED_AVATAR = false 79 | 80 | [session] 81 | PROVIDER = memory 82 | ; PROVIDER = memory | file | redis | mysql 83 | ; PROVIDER_CONFIG = 84 | ; COOKIE_SECURE = 85 | ; GC_INTERVAL = 86 | 87 | [log] 88 | MODE = console 89 | ; Either "Trace", "Info", "Warn", "Error", "Fatal", default is "Trace" 90 | LEVEL = Info 91 | ROOT_PATH = 92 | 93 | [security] 94 | INSTALL_LOCK = true 95 | SECRET_KEY = d1jHFVzT7I4atZw 96 | ; Use "*" to allow all hostnames. 
97 | LOCAL_NETWORK_ALLOWLIST = * 98 | 99 | ; Operation timeout in seconds 100 | [git.timeout] 101 | MIGRATE = 6000 102 | MIRROR = 3000 103 | CLONE = 3000 104 | PULL = 3000 105 | GC = 60 106 | 107 | [mirror] 108 | ; Default interval in hours between each check 109 | DEFAULT_INTERVAL = 8 110 | 111 | [i18n] 112 | LANGS = en-US,zh-CN 113 | NAMES = English,简体中文 114 | 115 | [i18n.datelang] 116 | en-US = en 117 | zh-CN = zh 118 | 119 | [cache] 120 | ; momery | redis | memcache 121 | ADAPTER = redis 122 | ; INTERVAL = 123 | ; HOST = network=tcp,addr=redis:6379,db=0,pool_size=100,idle_timeout=180,password=macaron 124 | ; HOST = 127.0.0.1:9090;127.0.0.1:9091 125 | HOST = network=tcp,addr=redis:6379,db=0,pool_size=100,idle_timeout=180 126 | 127 | [prometheus] 128 | ENABLED = true 129 | ENABLE_BASIC_AUTH = false 130 | BASIC_AUTH_USERNAME = 131 | BASIC_AUTH_PASSWORD = 132 | -------------------------------------------------------------------------------- /config/gogs/kustomization.yaml: -------------------------------------------------------------------------------- 1 | configMapGenerator: 2 | - name: gogs-config 3 | files: 4 | - app.ini=app.kubernetes.ini 5 | generatorOptions: 6 | disableNameSuffixHash: true 7 | -------------------------------------------------------------------------------- /config/nginx/.gitignore: -------------------------------------------------------------------------------- 1 | /* 2 | !.gitignore 3 | !auth 4 | !ssl 5 | !demo-* 6 | -------------------------------------------------------------------------------- /config/nginx/auth/README.md: -------------------------------------------------------------------------------- 1 | # 私有仓库登录密码 2 | 3 | 执行以下命令 4 | 5 | ``` 6 | $ docker run --rm --entrypoint htpasswd \ 7 | httpd:alpine -mbn username password > nginx.htpasswd 8 | ``` 9 | -------------------------------------------------------------------------------- /config/nginx/auth/nginx.htpasswd: 
-------------------------------------------------------------------------------- 1 | username:$apr1$p/l54pu0$NHmtkZ.v9T29b.7rxaMEZ1 2 | 3 | -------------------------------------------------------------------------------- /config/nginx/demo-docker-registry.config: -------------------------------------------------------------------------------- 1 | upstream docker-registry { 2 | server {{ REGISTRY_UPSTREAM }}:5000; 3 | } 4 | 5 | ## Set a variable to help us decide if we need to add the 6 | ## 'Docker-Distribution-Api-Version' header. 7 | ## The registry always sets this header. 8 | ## In the case of nginx performing auth, the header will be unset 9 | ## since nginx authenticates before proxying. 10 | map $upstream_http_docker_distribution_api_version $docker_distribution_api_version { 11 | '' 'registry/2.0'; 12 | } 13 | 14 | server { 15 | listen 443 ssl; 16 | server_name docker.{{ CI_DOMAIN }}; 17 | 18 | # SSL 19 | ssl_certificate conf.d/ssl/{{ CI_DOMAIN }}.crt; 20 | ssl_certificate_key conf.d/ssl/{{ CI_DOMAIN }}.key; 21 | 22 | # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html 23 | ssl_protocols TLSv1.2; 24 | ssl_prefer_server_ciphers on; 25 | ssl_session_cache shared:SSL:1m; 26 | 27 | # disable any limits to avoid HTTP 413 for large image uploads 28 | client_max_body_size 0; 29 | 30 | # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486) 31 | chunked_transfer_encoding on; 32 | 33 | location /v2/ { 34 | # Do not allow connections from docker 1.5 and earlier 35 | # docker pre-1.6.1 did not properly set the user agent on ping, catch "Go *" user agents 36 | if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) { 37 | return 404; 38 | } 39 | 40 | # To add basic authentication to v2, use the auth_basic setting. 41 | # nginx does not support bcrypt-hashed entries in the htpasswd file. 
42 | auth_basic "Registry realm"; 43 | auth_basic_user_file conf.d/auth/nginx.htpasswd; 44 | 45 | ## If $docker_distribution_api_version is empty, the header will not be added. 46 | ## See the map directive above where this variable is defined. 47 | add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always; 48 | 49 | proxy_pass http://docker-registry; 50 | proxy_set_header Host $http_host; # required for docker client's sake 51 | proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP 52 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 53 | proxy_set_header X-Forwarded-Proto $scheme; 54 | proxy_read_timeout 900; 55 | } 56 | } 57 | -------------------------------------------------------------------------------- /config/nginx/demo-drone.config: -------------------------------------------------------------------------------- 1 | upstream drone { 2 | server {{ DRONE_UPSTREAM }}:8000; 3 | } 4 | 5 | server { 6 | listen 80; 7 | server_name drone.t.khs1994.com docker.t.khs1994.com git.t.khs1994.com; 8 | return 301 https://$server_name$request_uri; 9 | } 10 | 11 | server { 12 | listen 443 ssl; 13 | server_name drone.{{ CI_DOMAIN }}; 14 | ssl_certificate conf.d/ssl/{{ CI_DOMAIN }}.crt; 15 | ssl_certificate_key conf.d/ssl/{{ CI_DOMAIN }}.key; 16 | ssl_session_cache shared:SSL:1m; 17 | ssl_session_timeout 5m; 18 | ssl_protocols TLSv1.2; 19 | ssl_prefer_server_ciphers on; 20 | 21 | location / { 22 | proxy_set_header X-Forwarded-For $remote_addr; 23 | proxy_set_header X-Forwarded-Proto $scheme; 24 | proxy_set_header Host $http_host; 25 | proxy_pass http://drone; 26 | proxy_redirect off; 27 | proxy_http_version 1.1; 28 | proxy_buffering off; 29 | 30 | chunked_transfer_encoding off; 31 | } 32 | 33 | location /stream { 34 | proxy_pass http://drone; 35 | proxy_redirect off; 36 | proxy_http_version 1.1; 37 | proxy_read_timeout 24h; 38 | 39 | proxy_buffering off; 40 | proxy_cache off; 41 | 42 | proxy_set_header Connection ""; 43 | 
44 | chunked_transfer_encoding off; 45 | error_page 504 =200 @eventsource-close-graceful; 46 | } 47 | 48 | location @eventsource-close-graceful { 49 | add_header Content-Type text/event-stream; 50 | return 200; 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /config/nginx/demo-gogs.config: -------------------------------------------------------------------------------- 1 | upstream git { 2 | server {{ GOGS_UPSTREAM }}:3000; 3 | } 4 | 5 | server { 6 | listen 443 ssl; 7 | server_name git.{{ CI_DOMAIN }}; 8 | ssl_certificate conf.d/ssl/{{ CI_DOMAIN }}.crt; 9 | ssl_certificate_key conf.d/ssl/{{ CI_DOMAIN }}.key; 10 | ssl_protocols TLSv1.2; 11 | ssl_session_cache shared:SSL:1m; 12 | ssl_session_timeout 5m; 13 | ssl_prefer_server_ciphers on; 14 | 15 | location / { 16 | proxy_pass https://git; 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /config/nginx/ssl/.gitignore: -------------------------------------------------------------------------------- 1 | /* 2 | !.gitignore 3 | !*.khs1994.com* 4 | -------------------------------------------------------------------------------- /config/nginx/ssl/t.khs1994.com.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIGPDCCBCSgAwIBAgIJAKRMfSFnpQRfMA0GCSqGSIb3DQEBCwUAMIGCMQswCQYD 3 | VQQGEwJDTjEPMA0GA1UECAwGU2hhbnhpMQ8wDQYDVQQHDAZEYXRvbmcxGTAXBgNV 4 | BAoMEEFBQUEta2hzMTk5NC5jb20xHDAaBgNVBAMME2toczE5OTQuY29tIFJPT1Qg 5 | Q0ExGDAWBgNVBAsMD3d3dy5raHMxOTk0LmNvbTAeFw0yMjA2MTEwMzA3MDFaFw0y 6 | NDA2MzAwMzA3MDFaMGExCzAJBgNVBAYTAkNOMQ8wDQYDVQQIDAZTaGFueGkxDzAN 7 | BgNVBAcMBkRhdG9uZzEaMBgGA1UECgwRWW91ciBDb21wYW55IE5hbWUxFDASBgNV 8 | BAMMC2toczE5OTQuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA 9 | tfWwbsk6B6Z4+Ih5C5SSZLMHM6mqzrhS6UNtJ0bdB2D+ff8NIvOmXmmF0UkJYLKG 10 | EpPrGcH/HIVOfF2hiytNvYKZDtf0ywM1JBWQlXd750dbuTdFL1p/Q7CTObnMQexL 11 | 
qQ9J3sqzGTqE81YlgsItktQ3EvhNVwHqOCkguQN8wFhN4gPdafOKoHzo3mv7XhcH 12 | KvdYUKWBm9sn7GkoyQMYHlp4mO10pJsuv9psUEsYnsDOBGPedqOH8saPR88Cdiaz 13 | S5fK7/aS42jHWj8j3JSl8NT9GlPWvzqIx4birVm5QrSNOWKN3YTisNekB0J8v910 14 | sD8Fr8WeO7G2oOdHliM3HkY/kKBdlvhmXrChnNZHtIjuJcowhtm2qFXBTzTNhoCG 15 | b37/YclTSw03j2bCaNnHrYC/gZwt1M4QXQSb+W0DmqeLXLgvHFnCioWbvp4yqaKN 16 | HZdMJZLjteSE3u/oXfIaoX3z1sw5ioPXoHk59uSbPH/9kjs6UdaPfeml3+ZIBi62 17 | L8aK7qPH9k9JwmdcwUVXJ8KlXso0aKutIA9D2mvE2FClNBU81XbDEn5GdFhk5g7q 18 | jw4Ji5cwvWgawLZ9rQm3hga8pA/1MpVoJ3ICRbMzDr0heOC/1j/I9PF7hvAdRMY3 19 | eC3NuF5nJEpx4Jg7jgD5cfUzFhLds/QVracoOBZMvJMCAwEAAaOB1DCB0TAfBgNV 20 | HSMEGDAWgBRD0nWMNNyk66DkzBk1eyB4Ad4vkTAMBgNVHRMBAf8EAjAAMBMGA1Ud 21 | JQQMMAoGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIFoDAdBgNVHQ4EFgQUE+CznTbZ 22 | OzAxl+dlUmdPPuarRvwwXAYDVR0RBFUwU4ILa2hzMTk5NC5jb22CDSoua2hzMTk5 23 | NC5jb22CDXQua2hzMTk5NC5jb22CDyoudC5raHMxOTk0LmNvbYcEwKjHZIcEfwAA 24 | AYIJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4ICAQAtcEcr2LCDHOhQyYwf/s1e 25 | VhRJIXI33luWl/7XyBscbPqY6xuLIt1lmobBO+oKh/Q4a/MYJb3s+KHgi91k70C1 26 | glGpj5tjDQcdA6vsXM1h+HFisTR6CORghWJWrEKzzOHF1RqH81QEssOkMU9xJZaY 27 | aGzvwq62AzFNPL3qYcWonWhdLIArFNdJbQFRH/V4N8qvuDe2RVY+Gyb1rRY34W2i 28 | fYkx50lNDG15tNmZUleukKpYEjkEeQY0Vih7fm7ZaXzqiWb/1b9Qy7+NMwk18isb 29 | +GXvmJlz+rBuCtUWngVHe3muSO1/olnqRif37Y2OjBQjbggkFUkm3wTVC1Hotqlz 30 | VwJLnAOxS66CNHDB7165j/Age/Tv0RZO/EYuzvO0OeteZfNTbS8L+eHkeBktndtf 31 | I/C2fmJlbIlAx7VTdAkJt/e3guUzzC58sgXb0g6/2PmKqRtD+df1pb1SVZkwMVd/ 32 | FEeD1X1lbWJhYrE9FH23PodvbZVDL08rjBJhLJ+M6zGxFJmkuHp1V6/E/9Q2ozCn 33 | iSN32Mp7W2sQc8DXpCY4c8JQ2tfzLA2K8x7NYGFp42jRpVMQzOFgtAgH+jA5ZnFD 34 | 6l373Sq27bHREpDKaD+knXBtAunYT0dnu3PRDW4T9x/9A1P7adBQV+8q5VdZCEV2 35 | 9/E3Fhdn00MwupRZZ3dMhg== 36 | -----END CERTIFICATE----- 37 | -------------------------------------------------------------------------------- /config/nginx/ssl/t.khs1994.com.key: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | 
MIIJKQIBAAKCAgEAtfWwbsk6B6Z4+Ih5C5SSZLMHM6mqzrhS6UNtJ0bdB2D+ff8N 3 | IvOmXmmF0UkJYLKGEpPrGcH/HIVOfF2hiytNvYKZDtf0ywM1JBWQlXd750dbuTdF 4 | L1p/Q7CTObnMQexLqQ9J3sqzGTqE81YlgsItktQ3EvhNVwHqOCkguQN8wFhN4gPd 5 | afOKoHzo3mv7XhcHKvdYUKWBm9sn7GkoyQMYHlp4mO10pJsuv9psUEsYnsDOBGPe 6 | dqOH8saPR88CdiazS5fK7/aS42jHWj8j3JSl8NT9GlPWvzqIx4birVm5QrSNOWKN 7 | 3YTisNekB0J8v910sD8Fr8WeO7G2oOdHliM3HkY/kKBdlvhmXrChnNZHtIjuJcow 8 | htm2qFXBTzTNhoCGb37/YclTSw03j2bCaNnHrYC/gZwt1M4QXQSb+W0DmqeLXLgv 9 | HFnCioWbvp4yqaKNHZdMJZLjteSE3u/oXfIaoX3z1sw5ioPXoHk59uSbPH/9kjs6 10 | UdaPfeml3+ZIBi62L8aK7qPH9k9JwmdcwUVXJ8KlXso0aKutIA9D2mvE2FClNBU8 11 | 1XbDEn5GdFhk5g7qjw4Ji5cwvWgawLZ9rQm3hga8pA/1MpVoJ3ICRbMzDr0heOC/ 12 | 1j/I9PF7hvAdRMY3eC3NuF5nJEpx4Jg7jgD5cfUzFhLds/QVracoOBZMvJMCAwEA 13 | AQKCAgEAsoq7blmA2VTdynCO5XAJHUoVvPm0olZ29G+2wR1lcAIadSM4jp0pF+bO 14 | 6YaS7xD9QWlm/MVAP4oGcz2kb1w0Ucm9ybTZfAJPuHJ4hlDRgSShueGjv007Jv4x 15 | 2CiZZe4oZ2CbCUM37X9gSSy0bdN+yF33FGQT71Xvrt+cPi5P0KRU93r3XSkdU1B9 16 | ZxHpem96FwzQ2YEs5fNq/yxIWsTwe4gmYVhOZd3nR1VZhofJRqzE+cXM2fioQu3W 17 | VY2oSqq6r2foNwFpLD75rXHbDGvHT8KN/7FYPBeBctbFwXcSs4NaN36e2Ue07/UH 18 | /B+fLNxtzSppuAletBAytTt7ILS5NRIBu3opJe6omkvCL4twsy2M8yTvu+2ADPSq 19 | H/49EM0JvdESXy2G2/F5eFaU3VDvRvgVqa2RIfB2N93cu0tlBS0Vwfdv2KJSd30z 20 | +Lz0obfO6D/rMEpg+nPS8F5p7Q2INii5k8e+/WfDXDF46uID9qfBAOEb+v76++jT 21 | PR3GybrGUrGSIAhaYXKQrV7YNdfwB0WZUlzkBRDJg5sl+/mgjoqq+LAztjDIKdSO 22 | WQvhqCWOQBJC06LlJHPvnzdVE6Xlwe5yumwoxB1ejx5MqqLvB7uW6DAJ2V4mTs1m 23 | n/qHnh8d8mVFYylhc8lVRpn0jJays+c+i78VBhaR5jOuLZbFaPECggEBANn5+JIE 24 | uWQyfdsz/QIVTw5ePApsuT53sUHgUd8TFRq41l67t3PsCJ0ez64RbUUSdLSD2Fmy 25 | mTSXog8hLupRpsIADHSE0ZXykhMMRfmkOXJmkR1u5AMwtAsKnKabWol0AWA11ptP 26 | v/b/GmpIE5EnFX6pYF5PSWs5uD2FJCSmlhBF3N6POWGUn2WoB4Y67IUmWW5o0x89 27 | Dz3Nc0uIrNZYrjoz3TdnCr7EUIG5gKmbdiX/fGDKL186IpvYiQRoceYhSfIfFcAd 28 | LAR5RukljAeo0FyZjkKx6Ezxf0ncpQCa6aPmvbZw8ALKStMkuy9eMBZQ7LFlwu3r 29 | AYkIJFG3zR3ogfUCggEBANWzV+Ifwx9HkHbrDSnj4Z7Fw8uFaPZzMZArFKlxnGxs 30 | 
34nCWL+DCnLAFei+qWgWPQcyVKrPsehPXeQ9XDKMj6vjXEAPJ01BPNmKzkkdufg1 31 | In/amJIvsBG/OXN/dlVeuPQkY6FdUHNxth8KG1Wfu7osqUiVeTpimm6Px1pVOGk3 32 | jrFYXt6mnwEQL6apUQcn5lPqaRKIkzzRZcX6YiRWStSJKfr/gsXS2GN3P85OK5+c 33 | dVS9NPmwnzRaSCpCWO2+H+kPoYlTAzSm0dVeiGtN8f7sTSiRaEB4xcLMB3iz7q6A 34 | NRM988uMC48y52OlIzVWCFWaZ38bG2fkXLuQuOnvx2cCggEAXciMJx77ON30gmyC 35 | zfOnGPJ4eK/An9zVmhdOgmDucpnWOdogGzMRnbBVAHqk/dPr/ILBgg4ylosrAcFw 36 | MwbAbbWhpjxDBHXiXWmpbbg3sz3n77b3SVwaCqodLh2nPX543REs7ZPJbxbhIZsz 37 | N/+N4voy6UDJwOWLnIR9QXufEw9L8UHEGXTdg9pgqmMNwlf2oGdfdpBJz3hmw7fh 38 | TTPIemg4JI8j82H5lWbfsZmeosiile5HpXwYyd7HTOs3HiFydEblj8u9VYtsdAFg 39 | lycNxtmWeKGc5gX9kyTopTMBlTBArY835KtuuBuUodOvctqMi+LRlJXJClFDdxlS 40 | miygRQKCAQBfenaciDZkplPMXe6OtcsbZh65ssyXuBX/5M+heSo7Y1VotlVyk3i6 41 | lknzqCQGZlE0Au/DNXK2aad4j1W/HAAg+z8/O8YChVBLnfHWxxpM5GiamS8ruXTA 42 | KSDhEqTrNZwLMKr28Ls+KSMGsTxPQEPexY+I54e3Z1C6bzDRklvW3sS5RdN1RRqr 43 | nfC8VM/oE5KcEZKKfkzSkngXQWxR8eATH4mLJFfoTPDzV9dBNLnW4U+m4bZmjNxE 44 | xsWRY/1Zk2Wsephgw58eCh6cZ1UqJDQoAqniozzh+VPaWdBIxJOykYOlKjvfyJ1t 45 | iH/LjH+zl9G3dXoiVxkijOxFvT5w/vmnAoIBAQDPs9Ea3XVaCbGHZT9U7GsfX3sP 46 | fs7IxelDdSeFVmtZ7ntdXA2gUH1Q4bXUuRXoKiruXqt/bIgUwBRuKCtktKe3AQCY 47 | kz5fysoZqY6BI4Ub0p7LwDEt9VEDdZN/GbxrjVpSSk3iTVR43LG2KvEI6F0WBHV4 48 | 4dWyA5nmRp4ppadCN9pv6rldjPkn7luIE128ClS/PW2+PpB9fAZRJQzxtrpHn5n9 49 | 6GKSPdnxzcgfoQJhJ5K6IXRzgoZTEFbRZCsushyZpgLHHyGxj6qKdq6lzSX95FJw 50 | ja0fLGx64jlW49fXdmJbZKqwIIJ8Pjfqfo9MUkuxvHqNq4OiLQS+lwyQhlSa 51 | -----END RSA PRIVATE KEY----- 52 | -------------------------------------------------------------------------------- /config/registry/.gitignore: -------------------------------------------------------------------------------- 1 | config.yml* 2 | -------------------------------------------------------------------------------- /config/registry/README.md: -------------------------------------------------------------------------------- 1 | # Registry 配置 2 | 
-------------------------------------------------------------------------------- /config/registry/config.example.yml: -------------------------------------------------------------------------------- 1 | version: 0.1 2 | # 3 | # https://docs.docker.com/registry/configuration/#list-of-configuration-options 4 | # 5 | log: 6 | accesslog: 7 | disabled: true 8 | level: info 9 | formatter: json 10 | fields: 11 | service: registry 12 | environment: staging 13 | storage: 14 | delete: 15 | enabled: true 16 | cache: 17 | blobdescriptor: inmemory 18 | filesystem: 19 | rootdirectory: /var/lib/registry 20 | # auth: 21 | # htpasswd: 22 | # realm: basic-realm 23 | # path: /etc/docker/registry/auth/nginx.htpasswd 24 | http: 25 | addr: :5000 26 | # host: https://docker.t.khs1994.com 27 | headers: 28 | X-Content-Type-Options: [nosniff] 29 | # http2: 30 | # disabled: false 31 | # tls: 32 | # certificate: /etc/docker/registry/ssl/docker.t.khs194.com.crt 33 | # key: /etc/docker/registry/ssl/docker.t.khs1994.com.key 34 | health: 35 | storagedriver: 36 | enabled: true 37 | interval: 10s 38 | threshold: 3 39 | tcp: 40 | - addr: {{ REDIS_HOST }} 41 | timeout: 3s 42 | interval: 10s 43 | threshold: 3 44 | notifications: 45 | endpoints: 46 | - name: alistener 47 | disabled: false 48 | url: {{ WEBHOOKS_HOST }} 49 | # headers: 50 | # Authorization: [Bearer ] 51 | timeout: 500ms 52 | threshold: 5 53 | backoff: 1s 54 | # proxy: 55 | # remoteurl: https://registry-1.docker.io 56 | # username: khs1994 57 | # password: **** 58 | 59 | redis: 60 | addr: {{ REDIS_HOST }} 61 | db: 0 62 | dialtimeout: 10ms 63 | readtimeout: 10ms 64 | writetimeout: 10ms 65 | pool: 66 | maxidle: 16 67 | maxactive: 64 68 | idletimeout: 300s 69 | -------------------------------------------------------------------------------- /config/registry/default/.gitignore: -------------------------------------------------------------------------------- 1 | /* 2 | !.gitignore 3 | !config.yml 4 | 
-------------------------------------------------------------------------------- /config/registry/default/config.yml: -------------------------------------------------------------------------------- 1 | version: 0.1 2 | # 3 | # https://docs.docker.com/registry/configuration/#list-of-configuration-options 4 | # 5 | log: 6 | fields: 7 | service: registry 8 | storage: 9 | cache: 10 | blobdescriptor: inmemory 11 | filesystem: 12 | rootdirectory: /var/lib/registry 13 | http: 14 | addr: :5000 15 | headers: 16 | X-Content-Type-Options: [nosniff] 17 | health: 18 | storagedriver: 19 | enabled: true 20 | interval: 10s 21 | threshold: 3 22 | -------------------------------------------------------------------------------- /docker-ci.yml: -------------------------------------------------------------------------------- 1 | 2 | 3 | x-common: 4 | &common 5 | restart: always 6 | networks: 7 | - backend 8 | 9 | services: 10 | 11 | drone-server: 12 | << : *common 13 | image: drone/drone:${CI_DRONE_VERSION:-2.16.0} 14 | volumes: 15 | - drone-data-v1:/data:rw 16 | networks: 17 | - frontend 18 | - backend 19 | environment: 20 | - DRONE_LOGS_DEBUG=${CI_DEBUG:-true} 21 | # volumes: 22 | # - type: bind 23 | # source: /var/run/docker.sock 24 | # target: /var/run/docker.sock 25 | 26 | drone-docker-runner: 27 | << : *common 28 | image: drone/drone-runner-docker:1 29 | depends_on: 30 | - drone-server 31 | volumes: 32 | - type: bind 33 | source: /var/run/docker.sock 34 | target: /var/run/docker.sock 35 | # https://docs.drone.io/runner/docker/configuration/ 36 | environment: 37 | - DRONE_RPC_SECRET=${DRONE_RPC_SECRET:-secret} 38 | - DRONE_RPC_HOST=drone-server 39 | - DRONE_RPC_PROTO=http 40 | - DRONE_RUNNER_NAME=${DRONE_RUNNER_NAME} 41 | - DRONE_RUNNER_CAPACITY=2 42 | - DRONE_UI_DISABLED=${DRONE_UI_DISABLED:-true} 43 | - DRONE_UI_USERNAME=${DRONE_UI_USERNAME:-root} 44 | - DRONE_UI_PASSWORD=${DRONE_UI_PASSWORD:-root} 45 | - DRONE_DEBUG=${CI_DEBUG:-true} 46 | # - DRONE_HTTP_HOST=127.0.0.1 47 | # - 
DRONE_HTTP_PROTO=http 48 | 49 | gogs: 50 | << : *common 51 | image: gogs/gogs:0.13 52 | ports: 53 | - "${CI_HOST:?CI_HOST}:${CI_GOGS_SSH_PORT}:22" 54 | - "${CI_HOST:?CI_HOST}:${CI_GOGS_PORT}:3000" 55 | networks: 56 | - frontend 57 | - backend 58 | volumes: 59 | - gogs-data:/data:rw 60 | - ./config/nginx/ssl:/etc/nginx/conf.d/ssl:rw 61 | - ./config/gogs/app.ini:/data/gogs/conf/app.ini:rw 62 | 63 | registry: 64 | << : *common 65 | image: registry:latest 66 | ports: 67 | - "${CI_HOST:?CI_HOST}:${CI_REGISTRY_PORT:-5000}:5000" 68 | networks: 69 | - frontend 70 | - backend 71 | volumes: 72 | - ./config/registry/config.yml:/etc/docker/registry/config.yml:ro 73 | - registry-data:/var/lib/registry:rw 74 | 75 | mysql: 76 | << : *common 77 | image: mysql:${CI_MYSQL_VERSION:-8.0.33} 78 | env_file: secrets/mysql.env 79 | volumes: 80 | - mysql-data:/var/lib/mysql:rw 81 | - ./backup/init:/docker-entrypoint-initdb.d:ro 82 | command: ["mysqld","--character-set-server=utf8mb4","--default-authentication-plugin=mysql_native_password"] 83 | 84 | redis: 85 | << : *common 86 | image: redis:${CI_REDIS_VERSION:-7.0.0}-alpine 87 | volumes: 88 | - redis-data:/data 89 | 90 | nginx: 91 | << : *common 92 | # image: khs1994/nginx:${CI_NGINX_VERSION:-1.27.0}-alpine 93 | image: nginx:${CI_NGINX_VERSION:-1.27.0}-alpine 94 | networks: 95 | - frontend 96 | ports: 97 | - "443:443" 98 | volumes: 99 | - ./config/nginx:/etc/nginx/conf.d 100 | - ./logs/nginx:/var/log/nginx 101 | 102 | volumes: 103 | gogs-data: 104 | redis-data: 105 | mysql-data: 106 | drone-data-v1: 107 | registry-data: 108 | 109 | networks: 110 | backend: 111 | frontend: 112 | -------------------------------------------------------------------------------- /docs/SUMMARY.md: -------------------------------------------------------------------------------- 1 | * 配置 2 | * [GitHub](github.md) 3 | * [Gogs](gogs.md) 4 | -------------------------------------------------------------------------------- /docs/github.md: 
-------------------------------------------------------------------------------- 1 | # GitHub 2 | 3 | * https://docs.drone.io/installation/providers/github/ 4 | 5 | ## 用户管理 6 | 7 | * 默认封闭注册,只能通过管理员账号登录 8 | 9 | * 在 `.env` 变量编辑 `DRONE_USER_FILTER=khs1994,khs1994-merge-robot` 变量,值为 Github 用户名,用逗号分隔 10 | -------------------------------------------------------------------------------- /docs/gogs.md: -------------------------------------------------------------------------------- 1 | # Gogs 2 | 3 | * https://docs.drone.io/installation/providers/gogs/ 4 | * https://github.com/gogs/gogs 5 | 6 | 第一个创建的账户即为 **管理员** 7 | -------------------------------------------------------------------------------- /docs/secret.md: -------------------------------------------------------------------------------- 1 | # secret 2 | 3 | * https://docs.drone.io/secret/ 4 | -------------------------------------------------------------------------------- /git-compose/github-compose.yaml: -------------------------------------------------------------------------------- 1 | x-github: 2 | &github 3 | environment: 4 | - DRONE_GITHUB_SERVER=${DRONE_GITHUB_SERVER:-https://github.com} 5 | - DRONE_SERVER_HOST={{ DRONE_SERVER_HOST }} 6 | - DRONE_SERVER_PROTO={{ DRONE_SERVER_PROTO }} 7 | - DRONE_RPC_SECRET=${DRONE_RPC_SECRET:-secret} 8 | # 9 | - DRONE_USER_CREATE=${DRONE_USER_CREATE} 10 | - DRONE_USER_FILTER=${DRONE_USER_FILTER:?DRONE_USER_FILTER} 11 | - DRONE_GITHUB_CLIENT_ID=${DRONE_GITHUB_CLIENT_ID:?DRONE_GITHUB_CLIENT_ID} 12 | - DRONE_GITHUB_CLIENT_SECRET=${DRONE_GITHUB_CLIENT_SECRET:?DRONE_GITHUB_CLIENT_SECRET} 13 | # 14 | - DRONE_DATABASE_DRIVER={{ DB_TYPE }} 15 | - DRONE_DATABASE_DATASOURCE={{ DB_USERNAME }}:{{ DB_PASSWORD }}@tcp({{ DB_HOST }})/drone?parseTime=true 16 | # - DRONE_TLS_KEY=/etc/drone/ssl/${CI_DOMAIN}.key 17 | # - DRONE_TLS_CERT=/etc/drone/ssl/${CI_DOMAIN}.crt 18 | 19 | services: 20 | drone-server: 21 | << : *github 22 | volumes: 23 | - ./config/nginx/ssl:/etc/drone/ssl 24 | ports: 25 | # 
- 80:80 26 | # - 443:443 27 | - "${CI_HOST:?CI_HOST}:${CI_DRONE_PORT:-8000}:80" 28 | # - 9000:9000 29 | 30 | # drone-docker-runner: 31 | # ports: 32 | # # runner dashboard 33 | # - 3001:3000 34 | 35 | # mysql: 36 | # ports: 37 | # - "${CI_HOST:-127.0.0.1}:${CI_MYSQL_PORT:-13306}:3306" 38 | # redis: 39 | # ports: 40 | # - "${CI_HOST:-127.0.0.1}:${CI_REDIS_PORT:-16379}:6379" 41 | 42 | # networks: 43 | # backend: 44 | # external: true 45 | # name: lnmp_backend 46 | # frontend: 47 | # external: true 48 | # name: lnmp_frontend 49 | -------------------------------------------------------------------------------- /git-compose/gitlab-compose.yaml: -------------------------------------------------------------------------------- 1 | x-gitlab: 2 | &gitlab 3 | environment: 4 | - DRONE_SERVER_HOST={{ DRONE_SERVER_HOST }} 5 | - DRONE_SERVER_PROTO={{ DRONE_SERVER_PROTO }} 6 | - DRONE_RPC_SECRET=${DRONE_RPC_SECRET:-secret} 7 | # 8 | - DRONE_GITLAB_CLIENT_ID=${DRONE_GITLAB_CLIENT_ID} 9 | - DRONE_GITLAB_CLIENT_SECRET=${DRONE_GITLAB_CLIENT_SECRET} 10 | - DRONE_GITLAB_SERVER={{ DRONE_GITLAB_SERVER }} 11 | # 12 | - DRONE_DATABASE_DRIVER={{ DB_TYPE }} 13 | - DRONE_DATABASE_DATASOURCE={{ DB_USERNAME }}:{{ DB_PASSWORD }}@tcp({{ DB_HOST }})/drone?parseTime=true 14 | # - DRONE_TLS_KEY=/etc/drone/ssl/${CI_DOMAIN}.key 15 | # - DRONE_TLS_CERT=/etc/drone/ssl/${CI_DOMAIN}.crt 16 | - DRONE_USER_CREATE=${DRONE_USER_CREATE} 17 | - DRONE_USER_FILTER=${DRONE_USER_FILTER:?DRONE_USER_FILTER} 18 | 19 | services: 20 | drone-server: 21 | << : *gitlab 22 | volumes: 23 | - ./config/nginx/ssl:/etc/drone/ssl 24 | ports: 25 | # - 80:80 26 | # - 443:443 27 | - "${CI_HOST:?CI_HOST}:${CI_DRONE_PORT:-8000}:80" 28 | # - 9000:9000 29 | 30 | # drone-docker-runner: 31 | # ports: 32 | # # runner dashboard 33 | # - 3001:3000 34 | 35 | # mysql: 36 | # ports: 37 | # - "${CI_HOST:-127.0.0.1}:${CI_MYSQL_PORT:-13306}:3306" 38 | # redis: 39 | # ports: 40 | # - "${CI_HOST:-127.0.0.1}:${CI_REDIS_PORT:-16379}:6379" 41 | 42 | # 
networks: 43 | # backend: 44 | # external: true 45 | # name: lnmp_backend 46 | # frontend: 47 | # external: true 48 | # name: lnmp_frontend 49 | -------------------------------------------------------------------------------- /git-compose/gogs-compose.yaml: -------------------------------------------------------------------------------- 1 | x-gogs: 2 | &gogs 3 | environment: 4 | - DRONE_SERVER_HOST={{ DRONE_SERVER_HOST }} 5 | - DRONE_SERVER_PROTO={{ DRONE_SERVER_PROTO }} 6 | - DRONE_RPC_SECRET=${DRONE_RPC_SECRET} 7 | # 8 | - DRONE_GOGS_SERVER={{ DRONE_GOGS_SERVER }} 9 | - DRONE_GOGS_SKIP_VERIFY=false 10 | - DRONE_TLS_AUTOCERT=false 11 | # 12 | - DRONE_DATABASE_DRIVER={{ DB_TYPE }} 13 | - DRONE_DATABASE_DATASOURCE={{ DB_USERNAME }}:{{ DB_PASSWORD }}@tcp({{ DB_HOST }})/drone?parseTime=true 14 | # - DRONE_TLS_KEY=/etc/drone/ssl/${CI_DOMAIN}.key 15 | # - DRONE_TLS_CERT=/etc/drone/ssl/${CI_DOMAIN}.crt 16 | - DRONE_USER_CREATE=${DRONE_USER_CREATE} 17 | - DRONE_USER_FILTER=${DRONE_USER_FILTER:?DRONE_USER_FILTER} 18 | 19 | services: 20 | drone-server: 21 | << : *gogs 22 | volumes: 23 | - ./config/nginx/ssl:/etc/drone/ssl 24 | ports: 25 | # - 80:80 26 | # - 443:443 27 | - "${CI_HOST:?CI_HOST}:${CI_DRONE_PORT:-8000}:80" 28 | # - 9000:9000 29 | 30 | # drone-docker-runner: 31 | # ports: 32 | # # runner dashboard 33 | # - 3001:3000 34 | 35 | # mysql: 36 | # ports: 37 | # - "${CI_HOST:-127.0.0.1}:${CI_MYSQL_PORT:-13306}:3306" 38 | # redis: 39 | # ports: 40 | # - "${CI_HOST:-127.0.0.1}:${CI_REDIS_PORT:-16379}:6379" 41 | 42 | # networks: 43 | # backend: 44 | # external: true 45 | # name: lnmp_backend 46 | # frontend: 47 | # external: true 48 | # name: lnmp_frontend 49 | -------------------------------------------------------------------------------- /git-compose/production-compose.yaml: -------------------------------------------------------------------------------- 1 | x-production: 2 | &production 3 | environment: 4 | - DRONE_SERVER_HOST=khs1994.jios.org:18000 5 | - 
DRONE_SERVER_PROTO={{ DRONE_SERVER_PROTO }} 6 | - DRONE_RPC_SECRET=${DRONE_RPC_SECRET:-secret} 7 | - DRONE_USER_CREATE=${DRONE_USER_CREATE} 8 | - DRONE_USER_FILTER=${DRONE_USER_FILTER:?DRONE_USER_FILTER} 9 | # 10 | - DRONE_GITHUB_CLIENT_ID=${DRONE_GITHUB_CLIENT_ID_TEST:?DRONE_GITHUB_CLIENT_ID_TEST} 11 | - DRONE_GITHUB_CLIENT_SECRET=${DRONE_GITHUB_CLIENT_SECRET_TEST:?DRONE_GITHUB_CLIENT_SECRET_TEST} 12 | # 13 | # - DRONE_DATABASE_DRIVER={{ DB_TYPE }} 14 | # - DRONE_DATABASE_DATASOURCE={{ DB_USERNAME }}:{{ DB_PASSWORD }}@tcp({{ DB_HOST }})/drone?parseTime=true 15 | # - DRONE_GITHUB_SERVER=https://github.com 16 | # - DRONE_TLS_KEY=/etc/drone/ssl/${CI_DOMAIN}.key 17 | # - DRONE_TLS_CERT=/etc/drone/ssl/${CI_DOMAIN}.crt 18 | 19 | services: 20 | drone-server: 21 | << : *production 22 | volumes: 23 | - ./config/nginx/ssl:/etc/drone/ssl 24 | ports: 25 | # - 80:80 26 | # - 443:443 27 | - "${CI_HOST:?CI_HOST}:${CI_DRONE_PORT:-8000}:80" 28 | # - 9000:9000 29 | 30 | # drone-docker-runner: 31 | # ports: 32 | # # runner dashboard 33 | # - 3001:3000 34 | 35 | # mysql: 36 | # ports: 37 | # - "${CI_HOST:-127.0.0.1}:${CI_MYSQL_PORT:-13306}:3306" 38 | # redis: 39 | # ports: 40 | # - "${CI_HOST:-127.0.0.1}:${CI_REDIS_PORT:-16379}:6379" 41 | 42 | # networks: 43 | # backend: 44 | # external: true 45 | # name: lnmp_backend 46 | # frontend: 47 | # external: true 48 | # name: lnmp_frontend 49 | -------------------------------------------------------------------------------- /kubernetes/.gitignore: -------------------------------------------------------------------------------- 1 | my-custom 2 | -------------------------------------------------------------------------------- /kubernetes/README.md: -------------------------------------------------------------------------------- 1 | # Drone + Gogs On Kubernetes 2 | 3 | ## 数据 4 | 5 | 数据存放于 hostPath `/var/lib/k8s/ci/XXX`,根据实际自行更改。 6 | 7 | ## 创建 k8s namespace 8 | 9 | ```bash 10 | $ kubectl create ns ci 11 | ``` 12 | 13 | ## MySQL 14 | 15 | 
```bash 16 | $ kubectl apply -n ci -k mysql 17 | ``` 18 | 19 | 默认密码 `mytest`,手动进入创建 `gogs` `drone` 数据库 20 | 21 | ```bash 22 | $ kubectl get pod -n ci 23 | # 保证处于 Running 状态,再执行以下命令 24 | $ kubectl -n ci exec -it mysql-xxxx -- sh 25 | 26 | $ mysql -uroot -pmytest 27 | 28 | # mysql> create database db-name; 29 | mysql> create database gogs; 30 | mysql> create database drone; 31 | ``` 32 | 33 | ## Redis 34 | 35 | ```bash 36 | $ kubectl apply -n ci -k redis 37 | ``` 38 | 39 | ## [Minio](https://github.com/helm/charts/tree/master/stable/minio) 40 | 41 | ```bash 42 | $ kubectl apply -n ci -k minio 43 | ``` 44 | 45 | 手动创建 `drone` bucket 46 | 47 | ## Gogs 48 | 49 | 编辑 `config/gogs/app.kubernetes.ini` (内容从 `app.kubernetes.example.ini` 复制) 50 | 51 | ```bash 52 | $ kubectl apply -n ci -k gogs 53 | ``` 54 | 55 | ## 部署 [Drone](https://github.com/helm/charts/tree/master/stable/drone) + [Runner](https://docs.drone.io/runner/overview/) 56 | 57 | ```bash 58 | $ kubectl apply -n ci -k drone 59 | 60 | # $ kubectl apply -n ci -k drone/providers/github 61 | ``` 62 | 63 | ### 1.1 [Docker runner](https://docs.drone.io/runner/docker/installation/linux/) 64 | 65 | ```bash 66 | $ kubectl apply -n ci -k drone-runner/docker 67 | ``` 68 | 69 | ### 1.2 [Kubernetes runner](https://docs.drone.io/runner/kubernetes/installation/) 70 | 71 | ``` 72 | $ kubectl apply -n ci -k drone-runner/kubernetes 73 | ``` 74 | 75 | > 任务 pod 运行在 `drone-runner` 命名空间 76 | 77 | ## ingress-nginx 78 | 79 | 后端 `gogs` `drone` `s3(minio)` 均为 http, 统一通过 ingress (https) 代理访问(具体地址请到 `ingress-nginx/base/ingress-nginx.yaml` 查看) 80 | 81 | ```bash 82 | $ kubectl apply -n ci -k ingress-nginx 83 | 84 | $ kubectl apply -k ingress-nginx/ingress-tcp-22 85 | ``` 86 | 87 | ## docker registry 88 | 89 | `Registry` 自行在 Kubernetes 进行部署。 90 | 91 | ## 组件自定义 92 | 93 | 新建 `XXX/my-custom` 文件夹,基于 `base` 自定义(`$ kubectl kustomize`)。 94 | 95 | ```bash 96 | $ kubectl apply -k XXX/my-custom 97 | 98 | # $ kubectl apply -k drone/my-custom 99 | ``` 100 | 
101 | ## Drone 其他 provider 102 | 103 | 除了 `gogs` provider 外,还支持以下 provider: 104 | 105 | * github 106 | * gitea 107 | 108 | `drone/providers/` 109 | 110 | 同时只能运行一个 111 | 112 | ### gitea 113 | 114 | 1. 参考 `MySQL` 一节,创建 `gitea` 数据库 115 | 116 | 2. 调整 `config/gitea/app.kubernetes.ini` 配置文件 (从 `app.kubernetes.example.ini` 复制) 117 | 118 | 3. 部署 119 | 120 | ```bash 121 | $ kubectl apply -n ci -k gitea 122 | ``` 123 | 124 | ## ingress 证书为自签名证书 125 | 126 | ### Drone git 克隆时跳过证书(SSL)验证 127 | 128 | ```diff 129 | # .drone.yml 130 | kind: pipeline 131 | name: default2 132 | type: kubernetes 133 | 134 | # git 克隆时跳过证书验证 135 | + clone: 136 | + skip_verify: true 137 | ``` 138 | 139 | ## 参考 140 | 141 | * https://github.com/drone/charts 142 | -------------------------------------------------------------------------------- /kubernetes/drone-runner/README.md: -------------------------------------------------------------------------------- 1 | * https://docs.drone.io/runner/overview/ 2 | -------------------------------------------------------------------------------- /kubernetes/drone-runner/docker/base/docker.yaml: -------------------------------------------------------------------------------- 1 | kind: Service 2 | apiVersion: v1 3 | metadata: 4 | name: drone-runner-docker-dashboard 5 | spec: 6 | selector: 7 | app: drone-runner 8 | tier: docker 9 | ports: 10 | - port: 3000 11 | targetPort: 3000 12 | name: dashboard 13 | --- 14 | 15 | kind: Deployment 16 | apiVersion: apps/v1 17 | metadata: 18 | name: drone-runner-docker 19 | labels: 20 | app: drone-runner 21 | tier: docker 22 | spec: 23 | selector: 24 | matchLabels: 25 | app: drone-runner 26 | tier: docker 27 | template: 28 | metadata: 29 | labels: 30 | app: drone-runner 31 | tier: docker 32 | spec: 33 | nodeSelector: 34 | kubernetes.io/os: linux 35 | containers: 36 | - name: drone-runner-docker 37 | image: drone/drone-runner-docker:1 38 | env: 39 | # https://docs.drone.io/runner/docker/configuration/ 40 | - name: DRONE_RPC_SECRET 41 | 
value: secret 42 | - name: DRONE_RPC_HOST 43 | value: drone 44 | - name: DRONE_RPC_PROTO 45 | value: http 46 | - name: DRONE_RUNNER_NAME 47 | value: docker 48 | - name: DRONE_RUNNER_CAPACITY 49 | value: "2" 50 | - name: DRONE_DEBUG 51 | value: "true" 52 | - name: DRONE_UI_USERNAME 53 | value: root 54 | - name: DRONE_UI_PASSWORD 55 | value: root 56 | volumeMounts: 57 | - name: docker-sock 58 | mountPath: /var/run/docker.sock 59 | ports: 60 | - containerPort: 3000 61 | name: dashboard 62 | volumes: 63 | - name: docker-sock 64 | hostPath: 65 | path: /var/run/docker.sock 66 | type: Socket 67 | -------------------------------------------------------------------------------- /kubernetes/drone-runner/docker/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - docker.yaml 3 | namespace: ci 4 | -------------------------------------------------------------------------------- /kubernetes/drone-runner/docker/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - base 3 | -------------------------------------------------------------------------------- /kubernetes/drone-runner/kubernetes/base/kubernetes.yaml: -------------------------------------------------------------------------------- 1 | kind: Service 2 | apiVersion: v1 3 | metadata: 4 | name: drone-runner-kubernetes-dashboard 5 | spec: 6 | selector: 7 | app: drone-runner 8 | tier: kubernetes 9 | ports: 10 | - port: 3000 11 | targetPort: dashboard 12 | name: dashboard 13 | 14 | --- 15 | 16 | kind: Deployment 17 | apiVersion: apps/v1 18 | metadata: 19 | name: drone-runner-kubernetes 20 | labels: 21 | app: drone-runner 22 | tier: kubernetes 23 | spec: 24 | selector: 25 | matchLabels: 26 | app: drone-runner 27 | tier: kubernetes 28 | template: 29 | metadata: 30 | name: drone-runner-kubernetes 31 | labels: 32 | app: drone-runner 33 | tier: kubernetes 34 | spec: 35 | nodeSelector: 36 | 
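kubernetes.io/os: linux
      containers:
        - name: drone-runner-kubernetes
          # NOTE(review): floating tag. Pin a version (drone.yaml below pins drone/drone:2.16.0) so a
          # new upstream image cannot change the runner's behaviour without a commit in this repo.
          image: drone/drone-runner-kube:latest
          ports:
            - containerPort: 3000
              name: dashboard
          env:
            # https://docs.drone.io/runner/docker/configuration/
            - name: DRONE_RPC_HOST
              value: drone
            - name: DRONE_RPC_PROTO
              value: http
            # NOTE(review): placeholder shared secret committed in clear text; it is what the runner
            # presents to the drone server in order to receive pipelines. Generate a random value,
            # keep it in a Secret and load it with valueFrom.secretKeyRef (as drone.yaml does for
            # minio-secret). It must stay equal to DRONE_RPC_SECRET on the server side.
            - name: DRONE_RPC_SECRET
              value: secret
            # Namespace created in rbac.yaml; pipeline pods are placed there.
            - name: DRONE_NAMESPACE_DEFAULT
              value: drone-runner
            # NOTE(review): default dashboard credentials. ingress-nginx.yaml routes
            # drone-runner-kubernetes.t.khs1994.com to a dashboard service, so presumably this UI is
            # published — change both values before that happens.
            - name: DRONE_UI_USERNAME
              value: root
            - name: DRONE_UI_PASSWORD
              value: root

--------------------------------------------------------------------------------
/kubernetes/drone-runner/kubernetes/base/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
  - kubernetes.yaml
  - rbac.yaml
namespace: ci

--------------------------------------------------------------------------------
/kubernetes/drone-runner/kubernetes/base/rbac.yaml:
--------------------------------------------------------------------------------
# Namespace in which the runner places pipeline pods (DRONE_NAMESPACE_DEFAULT in kubernetes.yaml).
kind: Namespace
apiVersion: v1
metadata:
  name: drone-runner
  labels:
    app: drone-runner
    tier: kubernetes

---

# ServiceAccount used by the runner pod: "default" in namespace "ci"
# (the namespace is applied by kustomization.yaml).
kind: ServiceAccount
apiVersion: v1
metadata:
  name: default
  labels:
    app: drone-runner
    tier: kubernetes

---

# Permissions the runner needs.
# NOTE(review): this is a ClusterRole, so the grant is cluster-wide: with it the runner's
# ServiceAccount can read, create and delete Secrets, ConfigMaps and Pods in every namespace.
# If pipelines only run in DRONE_NAMESPACE_DEFAULT (drone-runner), a Role + RoleBinding in that
# namespace is the least-privilege form; keep a ClusterRole only when pipelines must target
# arbitrary namespaces (the "namespaces" resource below is cluster-scoped by nature).
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    app: drone-runner
    tier: kubernetes
  name: drone:drone-runner-kubernetes
rules:
  - apiGroups: [""]
    resources: ["secrets","pods","configmaps","namespaces","services"]
    verbs: ["create","delete","update","get","list","watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
  # NOTE(review): Deployments are no longer served by the "extensions" group on current clusters
  # (ingress-nginx.yaml already targets networking.k8s.io/v1), so this rule grants nothing. If the
  # runner really needs Deployments, move it to the "apps" group; otherwise drop the rule.
  - apiGroups: ["extensions"]
    resources: ["deployments"]
    verbs: ["get","list","watch","patch","update"]

---

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: drone:drone-runner-kubernetes
  labels:
    app: drone-runner
    tier: kubernetes
subjects:
  - kind: ServiceAccount
    name: default
    namespace: ci
roleRef:
  kind: ClusterRole
  name: drone:drone-runner-kubernetes
  # Was "": roleRef.apiGroup must be rbac.authorization.k8s.io; an empty value fails RBAC
  # validation and the binding is never created, leaving the runner without any of the above.
  apiGroup: rbac.authorization.k8s.io

--------------------------------------------------------------------------------
/kubernetes/drone-runner/kubernetes/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
  - base

--------------------------------------------------------------------------------
/kubernetes/drone-runner/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
  - docker
  - kubernetes

--------------------------------------------------------------------------------
/kubernetes/drone/base/drone.yaml:
--------------------------------------------------------------------------------
kind: Service
apiVersion: v1
metadata:
  name: drone
  labels:
    app: drone
spec:
  selector:
    app: drone
  ports:
    - port: 80
      targetPort: 80
      name: http

---

kind: Deployment
apiVersion: apps/v1
metadata:
  name: drone
  labels:
    app: drone
spec:
  selector:
    matchLabels:
      app: drone
  template:
    metadata:
      labels:
        app: drone
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      containers:
        - name: drone
          image: drone/drone:2.16.0
          ports:
            - name: http
              containerPort: 80
          volumeMounts:
            - name: data
              mountPath: /data
          env:
            # Default SCM provider; the gitea/github overlays delete this entry and add their own.
            - name: DRONE_GOGS_SERVER
              value: http://gogs

            # Debug logging is verbose; turn it off once the deployment is stable.
            - name: DRONE_LOGS_DEBUG
              value: "true"
            # NOTE(review): "drone" is the in-cluster Service name. Drone derives its own external
            # URL (OAuth callbacks, clone links) from DRONE_SERVER_HOST/DRONE_SERVER_PROTO, so the
            # gitea/github overlays presumably need the public host and https here — confirm.
            - name: DRONE_SERVER_HOST
              value: drone
            - name: DRONE_SERVER_PROTO
              value: http
            # NOTE(review): placeholder shared secret in clear text; must match the runner's
            # DRONE_RPC_SECRET. Generate a random value and load it via valueFrom.secretKeyRef.
            - name: DRONE_RPC_SECRET
              value: secret
            # TLS is terminated by the Ingress (ingress-nginx.yaml); the pod serves plain HTTP.
            - name: DRONE_TLS_AUTOCERT
              value: "false"
            - name: DRONE_DATABASE_DRIVER
              value: mysql
            # NOTE(review): MySQL root credentials in clear text inside the manifest (same password
            # as secrets/mysql.env). Use a dedicated, least-privileged MySQL user for the "drone"
            # database and load the DSN with valueFrom.secretKeyRef like the minio keys below.
            - name: DRONE_DATABASE_DATASOURCE
              value: root:mytest@tcp(mysql)/drone?parseTime=true

            # s3
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  key: minio-access-key
                  name: minio-secret
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  key: minio-secret-key
                  name: minio-secret
            - name: AWS_DEFAULT_REGION
              value: us-east-1
            - name: AWS_REGION
              value: us-east-1
            - name: DRONE_S3_BUCKET
              value: drone
            - name: DRONE_S3_ENDPOINT
              value: http://minio:9000
            - name: DRONE_S3_PATH_STYLE
              value: "true"

            # DRONE_SERVER_PROXY_HOST is used as the webhook address.
            # Use it when drone runs on an internal network: set it to the public address.
            # If unset, webhooks use DRONE_SERVER_HOST as the webhook address, which is not
            # reachable from outside.
            # - name: DRONE_SERVER_PROXY_HOST
            #   value: ""
            # - name: DRONE_SERVER_PROXY_PROTO
            #   value: https

            # Endpoint that receives drone's outgoing webhooks.
            # - name: DRONE_WEBHOOK_ENDPOINT
            #   value: ""
            # - name: DRONE_WEBHOOK_EVENTS
            #   value: ""
            # - name: DRONE_WEBHOOK_SECRET
            #   value: ""
            # - name: DRONE_WEBHOOK_SKIP_VERIFY
            #   value: ""
          livenessProbe:
            httpGet:
              path: /healthz
              port: http
              scheme: HTTP
      volumes:
        # NOTE(review): hostPath pins the pod to one node's filesystem and bypasses any storage
        # policy; the minio/mysql/redis manifests in this tree go through a PersistentVolumeClaim.
        - name: data
          hostPath:
            path: /var/lib/k8s/ci/drone
            type: DirectoryOrCreate

--------------------------------------------------------------------------------
/kubernetes/drone/base/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
  - drone.yaml
namespace: ci

--------------------------------------------------------------------------------
/kubernetes/drone/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
  - base
# - ../drone-runner/docker
# - ../drone-runner/kubernetes
namespace: ci

--------------------------------------------------------------------------------
/kubernetes/drone/providers/gitea/gitea.yaml:
--------------------------------------------------------------------------------
# Strategic-merge patch over ../../base: swaps the gogs provider for gitea.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: drone
spec:
  template:
    spec:
      containers:
        - name: drone
          env:
            - name: DRONE_GOGS_SERVER
              $patch: delete
            - name: DRONE_GITEA_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  key: gitea-client-id
                  # Was drone-provider-gitea-id: no Secret of that name is generated. The
                  # secretGenerator in kustomization.yaml puts both keys into
                  # drone-provider-gitea-secret (same layout as the github provider), so the
                  # pod could not start with the old reference.
                  name: drone-provider-gitea-secret
            - name: DRONE_GITEA_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  key: gitea-client-secret
                  name: drone-provider-gitea-secret
            - name: DRONE_GITEA_SERVER
              value: http://gitea

--------------------------------------------------------------------------------
/kubernetes/drone/providers/gitea/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
  - ../../base
patchesStrategicMerge:
  - gitea.yaml
secretGenerator:
  - name: drone-provider-gitea-secret
    # Empty on purpose: fill in the OAuth2 application created in Gitea. Keep the real values
    # out of git (e.g. an untracked env/file source) — these literals are committed.
    literals:
      - gitea-client-id=""
      - gitea-client-secret=""
generatorOptions:
  # Without the name-suffix hash the Deployment is not re-rolled when the secret changes;
  # restart it manually after updating the credentials.
  disableNameSuffixHash: true

--------------------------------------------------------------------------------
/kubernetes/drone/providers/github/github.yaml:
--------------------------------------------------------------------------------
# Strategic-merge patch over ../../base: swaps the gogs provider for GitHub.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: drone
spec:
  template:
    spec:
      containers:
        - name: drone
          env:
            - name: DRONE_GOGS_SERVER
              $patch: delete
            - name: DRONE_GITHUB_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  key: github-client-id
                  name: drone-provider-github-secret
            - name: DRONE_GITHUB_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  key: github-client-secret
                  name: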
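drone-provider-github-secret
--------------------------------------------------------------------------------
/kubernetes/drone/providers/github/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
  - ../../base
patchesStrategicMerge:
  - github.yaml
secretGenerator:
  - name: drone-provider-github-secret
    # Empty on purpose: fill in the GitHub OAuth application. Keep the real values out of git —
    # these literals are committed.
    literals:
      - github-client-id=""
      - github-client-secret=""
generatorOptions:
  # Without the name-suffix hash the Deployment is not re-rolled when the secret changes;
  # restart it manually after updating the credentials.
  disableNameSuffixHash: true

--------------------------------------------------------------------------------
/kubernetes/gitea/base/gitea.yaml:
--------------------------------------------------------------------------------
kind: Service
apiVersion: v1
metadata:
  name: gitea
  labels:
    app: gitea
spec:
  selector:
    app: gitea
  ports:
    - name: http
      port: 3000
      targetPort: http
    - name: ssh
      port: 22
      targetPort: ssh

---

kind: Deployment
apiVersion: apps/v1
metadata:
  name: gitea
  labels:
    app: gitea
spec:
  selector:
    matchLabels:
      app: gitea
  template:
    metadata:
      labels:
        app: gitea
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      initContainers:
        # Seeds /data/gitea/conf/app.ini from the gitea-config ConfigMap on first start only;
        # an existing app.ini on the data volume is left untouched.
        - name: gitea-init
          # NOTE(review): floating tag; pin alpine to a version so the init step is reproducible.
          image: alpine
          args:
            - sh
            - -c
            # app.ini is no longer echoed to stdout: it may hold database credentials and secret
            # keys, and everything printed here ends up in the pod log, readable by anyone with
            # pods/log access. Only the file's presence and ownership are reported now.
            - |
              mkdir -p /data/gitea/conf \
              && if ! [ -f /data/gitea/conf/app.ini ];then \
              cp /tmp/conf/app.ini /data/gitea/conf/ ; \
              fi \
              && chown -R 1000:1000 /data/gitea/conf \
              && ls -l /data/gitea/conf/app.ini
          volumeMounts:
            - mountPath: /tmp/conf
              name: config
            - mountPath: /data
              name: data
      containers:
        - name: gitea
          # NOTE(review): floating tag; pin a release (gogs.yaml pins gogs/gogs:0.13) so upgrades
          # are explicit and reviewable.
          image: gitea/gitea:latest
          volumeMounts:
            - mountPath: /data
              name: data
          ports:
            - name: http
              containerPort: 3000
            - name: ssh
              containerPort: 22
          livenessProbe:
            httpGet:
              path: /healthcheck
              port: http
              scheme: HTTP
      volumes:
        # NOTE(review): hostPath pins the pod to one node; see the PVC pattern used for minio/mysql.
        - name: data
          hostPath:
            path: /var/lib/k8s/ci/gitea
            type: DirectoryOrCreate
        - name: config
          configMap:
            name: gitea-config

--------------------------------------------------------------------------------
/kubernetes/gitea/base/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
  - ../../../config/gitea
  - gitea.yaml
namespace: ci

--------------------------------------------------------------------------------
/kubernetes/gitea/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
  - base

--------------------------------------------------------------------------------
/kubernetes/gogs/base/gogs.yaml:
--------------------------------------------------------------------------------
kind: Service
apiVersion: v1
metadata:
  name: gogs
  labels:
    app: gogs
spec:
  selector:
    app: gogs
  ports:
    - port: 80
      name: http
      targetPort: http
    - port: 22
      name: ssh
      targetPort: ssh

---

kind: Deployment
apiVersion: apps/v1
metadata:
  name: gogs
  labels:
    app: gogs
spec:
  selector:
    matchLabels:
      app: gogs
  template:
    metadata:
      labels:
        app: gogs
    spec: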
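nodeSelector:
        kubernetes.io/os: linux
      containers:
        - name: gogs
          image: gogs/gogs:0.13
          livenessProbe:
            httpGet:
              path: /healthcheck
              port: http
              scheme: HTTP
          ports:
            - containerPort: 3000
              name: http
            - containerPort: 22
              name: ssh
          volumeMounts:
            # app.ini comes from the gogs-config ConfigMap (../../../config/gogs/).
            - name: config
              mountPath: /data/gogs/conf
            - name: data
              mountPath: /data
            - name: run
              mountPath: /run
      volumes:
        - name: config
          configMap:
            name: gogs-config
        # NOTE(review): hostPath pins the pod to one node; see the PVC pattern used for minio/mysql.
        - name: data
          hostPath:
            path: /var/lib/k8s/ci/gogs
            type: DirectoryOrCreate
        # In-memory scratch space for runtime files; lost on restart, which is intended.
        - name: run
          emptyDir:
            medium: Memory

--------------------------------------------------------------------------------
/kubernetes/gogs/base/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
  - ../../../config/gogs/
  - gogs.yaml
namespace: ci

--------------------------------------------------------------------------------
/kubernetes/gogs/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
  - base

--------------------------------------------------------------------------------
/kubernetes/ingress-nginx/base/ingress-nginx.yaml:
--------------------------------------------------------------------------------
# NOTE(review): the certificate and its private key are committed as a Secret manifest, so anyone
# with read access to this repository holds the key. Prefer producing the Secret out of band
# (a secretGenerator reading files kept out of git, or an ACME issuer such as cert-manager) and
# rotate this key. kubernetes.io/tls is the conventional type for an Ingress certificate; the
# type of an existing Secret is immutable, so switching it means delete and recreate.
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: ingress-nginx-tls-0.0.1
  labels:
    app: ci
data:
  tls.crt: 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
  tls.key: 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

---

kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: ci
  labels:
    app: ci
  # annotations:
spec:
  # k8s v1.18.0+
  ingressClassName: nginx
  tls:
    - hosts:
        - git.t.khs1994.com
        # Added: a rule for this host exists below but it was missing from the TLS list, so the
        # controller would not serve the site certificate for that name. The certificate must
        # list it as a SAN — verify.
        - gitea.t.khs1994.com
        - drone.t.khs1994.com
        - drone-runner-kubernetes.t.khs1994.com
        - drone-runner-docker.t.khs1994.com
        - s3.t.khs1994.com
      secretName: ingress-nginx-tls-0.0.1
  rules:
    - host: git.t.khs1994.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: gogs
                port:
                  name: http
    - host: gitea.t.khs1994.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: gitea
                port:
                  name: http
    - host: drone.t.khs1994.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: drone
                port:
                  name: http
    # NOTE(review): the runner dashboards below ship with root/root in the runner manifests;
    # change those credentials before these hosts are reachable from the Internet.
    - host: drone-runner-kubernetes.t.khs1994.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: drone-runner-kubernetes-dashboard
                port:
                  name: dashboard
    - host: drone-runner-docker.t.khs1994.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: drone-runner-docker-dashboard
                port:
                  name: dashboard
    - host: s3.t.khs1994.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: minio
                port:
                  name: console

--------------------------------------------------------------------------------
/kubernetes/ingress-nginx/base/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
  - ingress-nginx.yaml
namespace: ci

--------------------------------------------------------------------------------
/kubernetes/ingress-nginx/ingress-tcp-8022/README.md:
--------------------------------------------------------------------------------
# 通过 ingress 暴露 SSH 8022 端口

Ingress 暴露 TCP 端口需要[对 ingress 进行配置](https://kubernetes.github.io/ingress-nginx/user-guide/exposing-tcp-udp-services/)

--------------------------------------------------------------------------------
/kubernetes/ingress-nginx/ingress-tcp-8022/kustomization.yaml: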
-------------------------------------------------------------------------------- 1 | configMapGenerator: 2 | - name: tcp-services 3 | literals: 4 | - 8022=ci/gogs:22 5 | namespace: ingress-nginx 6 | commonLabels: 7 | app.kubernetes.io/name: ingress-nginx 8 | app.kubernetes.io/part-of: ingress-nginx 9 | generatorOptions: 10 | disableNameSuffixHash: true 11 | -------------------------------------------------------------------------------- /kubernetes/ingress-nginx/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - base 3 | -------------------------------------------------------------------------------- /kubernetes/minio/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - ../../../../kubernetes/deploy/minio/base 3 | - pvc.yaml 4 | namespace: ci 5 | -------------------------------------------------------------------------------- /kubernetes/minio/base/pvc.yaml: -------------------------------------------------------------------------------- 1 | kind: PersistentVolume 2 | apiVersion: v1 3 | metadata: 4 | name: ci-minio 5 | labels: 6 | app: minio 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | capacity: 11 | storage: 20Gi 12 | volumeMode: Filesystem 13 | persistentVolumeReclaimPolicy: Retain 14 | storageClassName: hostpath 15 | hostPath: 16 | path: /var/lib/k8s/ci/minio 17 | type: DirectoryOrCreate 18 | 19 | --- 20 | 21 | kind: PersistentVolumeClaim 22 | apiVersion: v1 23 | metadata: 24 | name: minio 25 | labels: 26 | app: minio 27 | spec: 28 | accessModes: 29 | - ReadWriteOnce 30 | resources: 31 | requests: 32 | storage: 20Gi 33 | selector: 34 | matchLabels: 35 | app: minio 36 | storageClassName: hostpath 37 | -------------------------------------------------------------------------------- /kubernetes/minio/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 
| - base 3 | -------------------------------------------------------------------------------- /kubernetes/mysql/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - ../../../../kubernetes/lnmp/mysql/overlays/production 3 | - pv.yaml 4 | - pvc.yaml 5 | namespace: ci 6 | -------------------------------------------------------------------------------- /kubernetes/mysql/base/pv.yaml: -------------------------------------------------------------------------------- 1 | kind: PersistentVolume 2 | apiVersion: v1 3 | metadata: 4 | name: ci-mysql-data-pv 5 | labels: 6 | app: ci 7 | tier: mysql 8 | spec: 9 | capacity: 10 | storage: 20Gi 11 | volumeMode: Filesystem 12 | accessModes: 13 | - ReadWriteOnce 14 | persistentVolumeReclaimPolicy: Retain 15 | hostPath: 16 | path: /var/lib/k8s/ci/mysql 17 | type: DirectoryOrCreate 18 | storageClassName: hostpath 19 | 20 | --- 21 | 22 | kind: PersistentVolume 23 | apiVersion: v1 24 | metadata: 25 | name: ci-log-pv 26 | labels: 27 | app: ci 28 | tier: log 29 | spec: 30 | capacity: 31 | storage: 20Gi 32 | volumeMode: Filesystem 33 | accessModes: 34 | - ReadWriteOnce 35 | persistentVolumeReclaimPolicy: Retain 36 | hostPath: 37 | path: /var/lib/k8s/ci/log 38 | type: DirectoryOrCreate 39 | storageClassName: hostpath 40 | -------------------------------------------------------------------------------- /kubernetes/mysql/base/pvc.yaml: -------------------------------------------------------------------------------- 1 | kind: PersistentVolumeClaim 2 | apiVersion: v1 3 | metadata: 4 | name: lnmp-mysql-data 5 | spec: 6 | accessModes: 7 | - ReadWriteOnce 8 | storageClassName: hostpath 9 | selector: 10 | matchLabels: 11 | app: ci 12 | tier: mysql 13 | resources: 14 | requests: 15 | storage: 20Gi 16 | --- 17 | 18 | kind: PersistentVolumeClaim 19 | apiVersion: v1 20 | metadata: 21 | name: lnmp-log 22 | spec: 23 | accessModes: 24 | - ReadWriteOnce 25 | storageClassName: hostpath 
26 | selector: 27 | matchLabels: 28 | app: ci 29 | tier: log 30 | resources: 31 | requests: 32 | storage: 20Gi 33 | -------------------------------------------------------------------------------- /kubernetes/mysql/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - base 3 | -------------------------------------------------------------------------------- /kubernetes/redis/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - ../../../../kubernetes/lnmp/redis/overlays/production 3 | - pv.yaml 4 | - pvc.yaml 5 | namespace: ci 6 | -------------------------------------------------------------------------------- /kubernetes/redis/base/pv.yaml: -------------------------------------------------------------------------------- 1 | kind: PersistentVolume 2 | apiVersion: v1 3 | metadata: 4 | name: ci-redis-data-pv 5 | labels: 6 | app: ci 7 | tier: redis 8 | spec: 9 | capacity: 10 | storage: 20Gi 11 | volumeMode: Filesystem 12 | accessModes: 13 | - ReadWriteOnce 14 | persistentVolumeReclaimPolicy: Retain 15 | hostPath: 16 | path: /var/lib/k8s/ci/redis 17 | type: DirectoryOrCreate 18 | storageClassName: hostpath 19 | -------------------------------------------------------------------------------- /kubernetes/redis/base/pvc.yaml: -------------------------------------------------------------------------------- 1 | kind: PersistentVolumeClaim 2 | apiVersion: v1 3 | metadata: 4 | name: lnmp-redis-data 5 | spec: 6 | accessModes: 7 | - ReadWriteOnce 8 | storageClassName: hostpath 9 | selector: 10 | matchLabels: 11 | app: ci 12 | tier: redis 13 | resources: 14 | requests: 15 | storage: 20Gi 16 | -------------------------------------------------------------------------------- /kubernetes/redis/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - base 3 | 
-------------------------------------------------------------------------------- /logs/.gitignore: -------------------------------------------------------------------------------- 1 | /* 2 | !.gitignore 3 | !README.md 4 | -------------------------------------------------------------------------------- /logs/README.md: -------------------------------------------------------------------------------- 1 | # 日志文件夹 2 | -------------------------------------------------------------------------------- /renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "assignees": ["khs1994"], 3 | "reviewers": ["khs1994"], 4 | "baseBranches": ["dev"], 5 | "commitBody": "[skip ci]", 6 | "labels": ["renovateapp"], 7 | "timezone": "Asia/Shanghai", 8 | "extends": [ 9 | "config:base", 10 | "docker:enableMajor" 11 | ] 12 | } 13 | -------------------------------------------------------------------------------- /scripts/docker-compose.bump.yml: -------------------------------------------------------------------------------- 1 | 2 | 3 | services: 4 | drone: 5 | image: drone/drone:2.16.0 6 | -------------------------------------------------------------------------------- /secrets/README.md: -------------------------------------------------------------------------------- 1 | # secrets 2 | -------------------------------------------------------------------------------- /secrets/mysql.env: -------------------------------------------------------------------------------- 1 | # 2 | # [MySQL] 3 | # 4 | 5 | MYSQL_ROOT_PASSWORD=mytest 6 | 7 | MYSQL_DATABASE=gogs 8 | -------------------------------------------------------------------------------- /server/.gitignore: -------------------------------------------------------------------------------- 1 | /* 2 | !.gitignore 3 | !index.php 4 | !README.md 5 | -------------------------------------------------------------------------------- /server/README.md: 
-------------------------------------------------------------------------------- 1 | # Registry WebHooks 2 | 3 | ```bash 4 | $ sudo php -S 0.0.0.0:80 5 | ``` 6 | -------------------------------------------------------------------------------- /server/index.php: -------------------------------------------------------------------------------- 1 |