diff --git a/.gitea/workflows/ansible.yml b/.gitea/workflows/ansible.yml
index 20b2b9e..0091c8b 100644
--- a/.gitea/workflows/ansible.yml
+++ b/.gitea/workflows/ansible.yml
@@ -18,7 +18,7 @@ on:
 jobs:
 ansible:
 runs-on: ubuntu-latest
- container: git.lunarfront.tech/ryan/ci-runner:latest
+ container: registry.lunarfront.tech/ryan/ci-runner:latest
 defaults:
 run:
 working-directory: ansible
diff --git a/.gitea/workflows/build-runner.yml b/.gitea/workflows/build-runner.yml
index 70a62e3..154e984 100644
--- a/.gitea/workflows/build-runner.yml
+++ b/.gitea/workflows/build-runner.yml
@@ -25,13 +25,13 @@ jobs:
 apt-get install -y docker-ce-cli
 
 - name: Login to Gitea registry
- run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login git.lunarfront.tech -u ryan --password-stdin
+ run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login registry.lunarfront.tech -u ryan --password-stdin
 
 - name: Build and push
 run: |
- docker build -t git.lunarfront.tech/ryan/ci-runner:latest runner/
- docker push git.lunarfront.tech/ryan/ci-runner:latest
+ docker build -t registry.lunarfront.tech/ryan/ci-runner:latest runner/
+ docker push registry.lunarfront.tech/ryan/ci-runner:latest
 
 - name: Logout
 if: always()
- run: docker logout git.lunarfront.tech
+ run: docker logout registry.lunarfront.tech
diff --git a/.gitea/workflows/terraform.yml b/.gitea/workflows/terraform.yml
index 3eed12c..9d05a4e 100644
--- a/.gitea/workflows/terraform.yml
+++ b/.gitea/workflows/terraform.yml
@@ -20,7 +20,7 @@ on:
 jobs:
 terraform:
 runs-on: ubuntu-latest
- container: git.lunarfront.tech/ryan/ci-runner:latest
+ container: registry.lunarfront.tech/ryan/ci-runner:latest
 defaults:
 run:
 working-directory: terraform
diff --git a/ansible/roles/gitea/defaults/main.yml b/ansible/roles/gitea/defaults/main.yml
index 1b77ff6..0994a17 100644
--- a/ansible/roles/gitea/defaults/main.yml
+++ b/ansible/roles/gitea/defaults/main.yml
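Review bot: The login step on the new side still splices the secret into the script text (`run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login registry.lunarfront.tech ...`), so the token becomes part of the rendered shell command rather than the process environment; put it on the step as `env: REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}` and use `run: echo "$REGISTRY_TOKEN" | docker login registry.lunarfront.tech -u ryan --password-stdin`. The image is also built and pushed only under the mutable `:latest` tag that the ansible and terraform workflows pull as their job container, so anyone able to push to `ryan/ci-runner` on this registry controls the environment those jobs (and whatever credentials they hold) run in; pushing an immutable tag as well (e.g. the commit SHA, presumably `${{ gitea.sha }}` on this runner) lets the consuming workflows pin a digest. The job's earlier steps are outside the hunk.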
@@ -5,6 +5,9 @@ gitea_http_port: 3000
 gitea_ssh_port: 2222
 gitea_data_dir: /var/lib/gitea
 
+gitea_registry_domain: "registry.example.com"
+letsencrypt_email: ""
+
 # Cloudflare Origin Certificate
 cf_origin_cert: ""
 cf_origin_key: ""
diff --git a/ansible/roles/gitea/tasks/main.yml b/ansible/roles/gitea/tasks/main.yml
index dd7c32f..d42fbc2 100644
--- a/ansible/roles/gitea/tasks/main.yml
+++ b/ansible/roles/gitea/tasks/main.yml
@@ -86,3 +86,51 @@
 name: nginx
 enabled: true
 state: started
+
+# ─── Registry (Let's Encrypt cert, DNS-only / no Cloudflare proxy) ────────────
+
+- name: Install certbot and Cloudflare DNS plugin
+ apt:
+ name: [certbot, python3-certbot-dns-cloudflare]
+ state: present
+
+- name: Write Cloudflare credentials for certbot
+ copy:
+ content: |
+ dns_cloudflare_api_token = {{ cloudflare_api_token }}
+ dest: /etc/letsencrypt/cloudflare.ini
+ owner: root
+ group: root
+ mode: "0600"
+
+- name: Obtain Let's Encrypt cert for registry domain
+ command: >
+ certbot certonly
+ --dns-cloudflare
+ --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini
+ --non-interactive
+ --agree-tos
+ --email {{ letsencrypt_email }}
+ -d {{ gitea_registry_domain }}
+ args:
+ creates: /etc/letsencrypt/live/{{ gitea_registry_domain }}/fullchain.pem
+
+- name: Deploy registry nginx config
+ template:
+ src: nginx-registry.conf.j2
+ dest: /etc/nginx/sites-available/registry
+ mode: "0644"
+ notify: Reload nginx
+
+- name: Enable registry nginx site
+ file:
+ src: /etc/nginx/sites-available/registry
+ dest: /etc/nginx/sites-enabled/registry
+ state: link
+ notify: Reload nginx
+
+- name: Enable certbot renewal timer
+ systemd:
+ name: certbot.timer
+ enabled: true
+ state: started
diff --git a/ansible/roles/gitea/templates/nginx-registry.conf.j2 b/ansible/roles/gitea/templates/nginx-registry.conf.j2
new file mode 100644
index 0000000..ebc9ff5
--- /dev/null
+++ b/ansible/roles/gitea/templates/nginx-registry.conf.j2
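Review bot: The `Write Cloudflare credentials for certbot` task renders `cloudflare_api_token` through `copy: content:` without `no_log: true`, so the DNS API token shows up in the task's diff/verbose output and therefore in the log of the ansible workflow that runs this role; add `no_log: true` to that task. The `certbot certonly` command carries no `--deploy-hook`, and because it is guarded by `creates:` it only ever runs once, so when `certbot.timer` later renews the certificate nginx keeps serving the expired one until something else reloads it — add `--deploy-hook "systemctl reload nginx"` to the command (certbot persists it into the renewal config). `letsencrypt_email` defaults to `""` in the role defaults, which renders as a bare `--email` followed by `-d` and makes the non-interactive run fail until an override is set; either guard it with an `assert` task or document it as mandatory. `cloudflare_api_token` is not declared anywhere in this diff; presumably it comes from a vaulted vars file.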
@@ -0,0 +1,26 @@
+server {
+ listen 80;
+ server_name {{ gitea_registry_domain }};
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name {{ gitea_registry_domain }};
+
+ ssl_certificate /etc/letsencrypt/live/{{ gitea_registry_domain }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ gitea_registry_domain }}/privkey.pem;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ client_max_body_size 0;
+
+ location / {
+ proxy_pass http://127.0.0.1:{{ gitea_http_port }};
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
diff --git a/terraform/main.tf b/terraform/main.tf
index c02cf75..dbd24c7 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -98,17 +98,18 @@ resource "digitalocean_firewall" "gitea" {
 source_addresses = ["${var.admin_ip}/32"]
 }
 
- # HTTP/HTTPS — Cloudflare IPs only
+ # HTTP — Cloudflare IPs only (web UI)
 inbound_rule {
 protocol = "tcp"
 port_range = "80"
 source_addresses = concat(local.cloudflare_ipv4, local.cloudflare_ipv6)
 }
 
+ # HTTPS — Cloudflare IPs for proxied domains + all IPs for registry (DNS-only)
 inbound_rule {
 protocol = "tcp"
 port_range = "443"
- source_addresses = concat(local.cloudflare_ipv4, local.cloudflare_ipv6)
+ source_addresses = ["0.0.0.0/0", "::/0"]
 }
 
 # Gitea SSH for git push/pull — your IP only
@@ -161,3 +162,13 @@ resource "cloudflare_record" "git_ssh" {
 ttl = 3600
 }
 
+# DNS only — no Cloudflare proxy, for container registry (no 100MB upload limit)
+resource "cloudflare_record" "registry" {
+ zone_id = data.cloudflare_zone.main.id
+ name = "registry"
+ type = "A"
+ value = digitalocean_droplet.gitea.ipv4_address
+ proxied = false
+ ttl = 3600
+}
+
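Review bot: The registry vhost proxies `location /` to Gitea, so everything Gitea serves — web UI, login, API and token pages — becomes reachable directly over the unproxied registry hostname, not just the container registry; narrowing the block to `location /v2/ { ... }` and adding `location / { return 404; }` keeps the direct-exposure surface to the OCI distribution API the registry actually needs (Gitea serves it under `/v2/` per its docs — confirm against the deployed version). `client_max_body_size 0;` without `proxy_request_buffering off;` means nginx spools each unbounded blob upload to a temp file before forwarding it, which is slow for large layers and a disk-filling vector on an internet-facing port; registry proxies normally disable request buffering. `ssl_ciphers HIGH:!aNULL:!MD5` still admits non-PFS RSA key exchange and CBC suites under TLS 1.2; an ECDHE-only list in the Mozilla "intermediate" style is the usual choice for a new vhost.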
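Review bot: Widening the 443 rule to `["0.0.0.0/0", "::/0"]` applies to the whole droplet, not only the registry vhost, so the Cloudflare-proxied Gitea web UI sharing that port is now reachable by anyone who learns the origin IP — and the unproxied `registry` A record added in the next hunk publishes that IP in DNS, so the Cloudflare-only rule kept on port 80 no longer hides the origin either. If the web UI is meant to stay behind Cloudflare, that has to be enforced in nginx now (an `allow`/`deny` list of the Cloudflare ranges on the git server block, or a `default_server` on 443 that returns 444 for unknown SNI); the git vhost config is not in this diff, so whether it already does that is inferred. The new comment `# HTTPS — Cloudflare IPs for proxied domains + all IPs for registry (DNS-only)` implies a per-domain split the firewall cannot make — suggest `# HTTPS — open to all IPs (registry is DNS-only); proxied vhosts must restrict to Cloudflare ranges in nginx`.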