Match environment input to mirror Gitea's #6
Conversation
|
I like the names If we allow configuring On the other hand, maybe we don't need to allow configuring EDIT: I went with adding |
This shortens the code, but requires upgrading to go1.19, which Gitea itself upgraded to recently.
This is easier to get right, since it mirrors Gitea's app.ini. Gitea also has a STATIC_URL_PREFIX which is similar to what GITEA_PUBLIC_URL was; but we have little motivation to use it, since we are designing that bids-hook runs _on the same server_ as gitea. Also, if we did keep it, I would want to more closely mirror app.ini's config behaviour.
This is an environment variable Gitea also can use.
This isn't an environment variable Gitea uses, but it is close to a name in its config file: [repository].ROOT. The worker will need this to find its input. This mirrors the rules for that's default value.
kousu
changed the title
|
|
||
| # this replicates the default location logic from https://docs.gitea.io/en-us/config-cheat-sheet/ | ||
| # any setting can be overridden just by setting its variable before calling this script | ||
| : ${GITEA_APP_PATH:=../gitea/gitea} |
There was a problem hiding this comment.
This is awkward!
In our deployments, this will be /srv/gitea/gitea. On my dev machine I have ~/src/gitea/ and ~/src/bids-hook.
I don't know. Maybe this should be a mandatory input? But then again, if you on a server where you're explicitly setting GITEA_CUSTOM for gitea, you can also set it for bids-hook and then GITEA_APP_PATH is irrelevant.
There was a problem hiding this comment.
I realize now that I didn't mention this before, but: the start script is meant to disappear from the repo at some point! It's just scaffolding for manual, local testing on my own machine (or yours!) while we develop a v1. Hence all the hardcoded values and dummy secret and token.
So actual deployment situations are out of scope for this file.
There was a problem hiding this comment.
That makes sense. In that case, the part that mirrors Gitea's defaults logic should probably make its way into Go instead of shell. I could probably copy it straight out of their codebase.
And the environment variables that remain would migrate to a systemd .service file? Is it weird to put credentials in a .service file?
There was a problem hiding this comment.
It looks like systemd has a whole system in place for credentials. According to System and Service Credentials:
Within unit files, there are four settings to configure service credentials.
LoadCredential=may be used to load a credential from disk, from anAF_UNIXsocket, or propagate them from a system credential.SetCredential=may be used to set a credential to a literal string encoded in the unit file. Because unit files are world-readable (both on disk and via D-Bus), this should only be used for credentials that aren’t sensitive, i.e. public keys/certificates – but not private keys.LoadCredentialEncrypted=is similar toLoadCredential=but will load an encrypted credential, and decrypt it before passing it to the service. For details on credential encryption, see below.SetCredentialEncrypted=is similar toSetCredential=but expects an encrypted credential to be specified literally. UnlikeSetCredential=it is thus safe to be used even for sensitive information, because even though unit files are world readable, the ciphertext included in them cannot be decoded unless access to TPM2/encryption key is available.
So, systemd wants to make credentials available as files, and currently bids-hook wants to accept credentials as environment variables. I guess I can change the environment variable to contain a path to the secret, rather than the secret itself, and that should be sufficiently flexible for manual testing and also for systemd-controlled execution.
Gitea is now testing against this, so I think we should too, as in #6.
Gitea is now testing against this, so I think we should too, as in #6.
See the individual commits!
And probably rebase not squash this!