Add Gerrit behind reverse-proxy
diff --git a/.gitignore b/.gitignore
index 0f59be6..68973c5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,9 @@
+/gerrit/environment
+/gerrit/cache/
+/gerrit/db/
+/gerrit/etc/
+/gerrit/git/
+/gerrit/index/
+/logs/gerrit/
/logs/nginx/
/logs/simpleid/
diff --git a/TODO.on.site b/TODO.on.site
index e252513..3f1d935 100644
--- a/TODO.on.site
+++ b/TODO.on.site
@@ -9,3 +9,4 @@
* Set server_name in `nginx/sa.conf`
* Set SIMPLEID_BASE_URL in `simpleid/www/config.php`
* Make sure identities point to the right URL
+* Set CANONICAL_WEB_URL in `gerrit/environment`
diff --git a/gerrit/Dockerfile b/gerrit/Dockerfile
new file mode 100644
index 0000000..161f286
--- /dev/null
+++ b/gerrit/Dockerfile
@@ -0,0 +1,25 @@
+FROM gerritcodereview/gerrit:3.8.0
+
+COPY --from=sourcearcade-nginx /etc/ssl/certs/sa-selfsigned.crt /var/gerrit/etc/
+RUN \
+ keytool -importcert -alias sa-selfsigned -file /var/gerrit/etc/sa-selfsigned.crt \
+ -keystore /var/gerrit/truststore -storepass uiaeuiae -noprompt && \
+ rm /var/gerrit/etc/sa-selfsigned.crt
+RUN \
+ echo | keytool -importkeystore \
+ -srckeystore /usr/lib/jvm/java-*/lib/security/cacerts \
+ -destkeystore /var/gerrit/truststore \
+ -deststorepass uiaeuiae -noprompt
+
+USER root
+RUN \
+ printf 'JAVA_OPTIONS="%s %s"\n' \
+ -Djavax.net.ssl.trustStore=/var/gerrit/truststore \
+ -Djavax.net.ssl.trustStorePassword=uiaeuiae >>/etc/default/gerritcodereview
+
+COPY gerrit/Dockerfile.entrypoint /privileged.sh
+RUN chmod 544 /privileged.sh
+COPY gerrit/Dockerfile.entrypoint-unprivileged /unprivileged.sh
+RUN chmod 555 /unprivileged.sh
+
+ENTRYPOINT ["/bin/sh", "/privileged.sh"]
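Review bot: The truststore password `uiaeuiae` is spelled out three times (both `keytool` calls and the `printf` into `/etc/default/gerritcodereview`) and lands in the image layers and `docker history`; a truststore holds only public certificates, so the exposure is low, but it should be declared once — e.g. `ARG TRUSTSTORE_PASS=uiaeuiae` near the top and `${TRUSTSTORE_PASS}` in the three places — with a comment stating that it is deliberately non-secret. The `-srckeystore /usr/lib/jvm/java-*/lib/security/cacerts` glob in the second `RUN` breaks silently if the base image ever ships more than one JDK or relocates the directory; if the path is known for `gerrit:3.8.0` it should be written out, otherwise guard the glob so it must match exactly one file. The `printf ... >>` appends a `JAVA_OPTIONS="..."` line; if the upstream file already assigns `JAVA_OPTIONS`, the later assignment replaces it rather than extending it, which is worth confirming against the base image. Minor: `chmod 544 /privileged.sh` next to `chmod 555 /unprivileged.sh` looks unintentional, and both scripts could be installed in one step with `COPY --chmod=0555`.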
diff --git a/gerrit/Dockerfile.entrypoint b/gerrit/Dockerfile.entrypoint
new file mode 100644
index 0000000..6aa141b
--- /dev/null
+++ b/gerrit/Dockerfile.entrypoint
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+# Allows us to bind mount arbitrary owned files
+chown -R gerrit:gerrit /var/gerrit/{logs,etc,db,git,index,cache}/
+
+# Drop privileges as we set `USER root` only to change file permissions
+exec setpriv --reuid=gerrit --regid=gerrit --init-groups --inh-caps=-all /unprivileged.sh "$@"
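Review bot: The `chown -R gerrit:gerrit /var/gerrit/{logs,etc,db,git,index,cache}/` line depends on brace expansion, which `#!/bin/sh` does not guarantee — unless `/bin/sh` in the base image happens to be bash, the braces are passed literally, the path does not exist, `chown` fails and `set -e` aborts the container before Gerrit starts. List the directories explicitly: `chown -R gerrit:gerrit /var/gerrit/logs /var/gerrit/etc /var/gerrit/db /var/gerrit/git /var/gerrit/index /var/gerrit/cache`. Because these paths are host bind mounts (per `sourcearcade.yml`), the recursive chown also rewrites ownership of the host directories on every start; a comment saying so, and skipping the chown when the top-level owner is already `gerrit`, would spare operators a surprise and a slow restart on a large `git/` tree. The `setpriv` line could additionally pass `--bounding-set=-all` so the capability bounding set is cleared along with the inheritable set.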
diff --git a/gerrit/Dockerfile.entrypoint-unprivileged b/gerrit/Dockerfile.entrypoint-unprivileged
new file mode 100644
index 0000000..78ca1f8
--- /dev/null
+++ b/gerrit/Dockerfile.entrypoint-unprivileged
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+exec /entrypoint.sh "$@"
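Review bot: `/unprivileged.sh` only forwards to `/entrypoint.sh`, so the `setpriv` call in `Dockerfile.entrypoint` could exec `/entrypoint.sh "$@"` directly. If the wrapper is kept as a hook for future steps that must run as the `gerrit` user, say so with a comment such as `# Placeholder for setup that must run unprivileged before the upstream entrypoint` so the indirection is not removed later as dead code. `set -e` has no effect on a lone `exec` and can be dropped along with it.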
diff --git a/gerrit/environment.template b/gerrit/environment.template
new file mode 100644
index 0000000..f8975aa
--- /dev/null
+++ b/gerrit/environment.template
@@ -0,0 +1,2 @@
+# Set to publicly visible Gerrit URL
+# CANONICAL_WEB_URL=https://review.some.host/
diff --git a/nginx/sa.conf b/nginx/sa.conf
index de91126..2bef474 100644
--- a/nginx/sa.conf
+++ b/nginx/sa.conf
@@ -8,6 +8,24 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
+
+ server_name id.miau.local;
+
+ root /var/www/html;
+ location / {
+ index index.php index.html;
+ }
+ location ~ \.php$ {
+ include fastcgi_params;
+ fastcgi_pass simpleid:9000;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
+ }
+}
+
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
ssl_certificate /etc/ssl/certs/sa-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/sa-selfsigned.key;
ssl_protocols TLSv1.3;
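Review bot: The new `id.miau.local` server block has `listen 443 ssl` but no `ssl_certificate`/`ssl_certificate_key`, no `ssl_protocols TLSv1.3`, and none of the `add_header` hardening that remains in the `default_server` block; unless those are also declared at `http` level outside this hunk, nginx rejects the config (`no "ssl_certificate" is defined for the "listen ... ssl" directive`), and even if they are, the SimpleID vhost loses the TLS-version restriction and security headers, since `ssl_protocols` and `add_header` are not inherited across sibling `server` blocks. Move `ssl_certificate`, `ssl_certificate_key`, `ssl_protocols` and the `add_header` lines up to the `http` block, or duplicate them in the SimpleID server. Making the Gerrit server the `default_server` also means any request with an unmatched Host or no SNI is routed to Gerrit instead of being refused; a separate catch-all default with `ssl_reject_handshake on;` (or `return 444;`) is the usual defensive choice.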
@@ -29,16 +47,11 @@
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
- server_name id.miau.local;
+ server_name review.miau.local;
- root /var/www/html;
location / {
- index index.php index.html;
- }
- location ~ \.php$ {
- include fastcgi_params;
- fastcgi_pass simpleid:9000;
- fastcgi_index index.php;
- fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
+ proxy_pass http://gerrit:8080;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $host;
}
}
diff --git a/sourcearcade.yml b/sourcearcade.yml
index bff1826..2e3d279 100644
--- a/sourcearcade.yml
+++ b/sourcearcade.yml
@@ -9,6 +9,7 @@
- "443:443"
networks:
- simpleidnet
+ - gerritnet
volumes:
- ./simpleid/cache/:/var/cache/simpleid/:ro
- ./simpleid/identities/:/var/db/simpleid/:ro
@@ -29,6 +30,24 @@
- ./simpleid/store/:/var/lib/simpleid/:rw
- ./simpleid/www/:/var/www/html/:ro
- ./logs/simpleid/:/var/log/:rw
+ gerrit:
+ build:
+ context: .
+ dockerfile: gerrit/Dockerfile
+ env_file: gerrit/environment
+ environment:
+ - HTTPD_LISTEN_URL=proxy-https://*:8080/
+ networks:
+ - gerritnet
+ volumes:
+ - ./logs/gerrit/:/var/gerrit/logs/:rw
+ - ./gerrit/etc/:/var/gerrit/etc/:rw
+ - ./gerrit/db/:/var/gerrit/db/:rw
+ - ./gerrit/git/:/var/gerrit/git/:rw
+ - ./gerrit/index/:/var/gerrit/index/:rw
+ - ./gerrit/cache/:/var/gerrit/cache/:rw
networks:
simpleidnet:
driver: bridge
+ gerritnet:
+ driver: bridge
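Review bot: `env_file: gerrit/environment` makes Compose refuse to start the `gerrit` service when that file is missing, and this commit gitignores it while shipping only `gerrit/environment.template`; either mark the entry optional (newer Compose versions accept `- path: gerrit/environment` with `required: false`) or add a "copy the template to `gerrit/environment`" step to `TODO.on.site`, which currently only says to set `CANONICAL_WEB_URL`. The six `./gerrit/*` bind mounts are `chown -R`'d to the container's `gerrit` user by `Dockerfile.entrypoint` on every start, so their ownership on the host changes; a comment next to the `volumes:` block saying so would help whoever operates the site. Keeping `gerrit` on `gerritnet` only, with port 8080 unpublished and reachable solely through the proxy on both networks, is the right isolation — worth a one-line comment so it is not "fixed" later.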