brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-09 05:44:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore(gitea): run on lxc on turris omnia

Browse Source
This commit is contained in:
Michele Cereda
2024-09-22 21:14:59 +02:00
parent 89a8d5e979
commit 39e8232b93
13 changed files with 234 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
.vscode/settings.json vendored
View File

@@ -161,6 +161,7 @@
"firewalld",
"flatpak",
"fluentd",
"foris",
"freshclam",
"gbps",
"gcloud",
@@ -198,6 +199,7 @@
"keygrip",
"killall",
"kivi",
"kmod",
"knockd",
"kubeconfig",
"kubeconform",
@@ -239,9 +241,11 @@
"ocsp",
"odhcpd",
"oidc",
"omnia",
"ondemand",
"openmediavault",
"openpgp",
"openrc",
"opensearch",
"opentofu",
"openwrt",
@@ -277,6 +281,7 @@
"radeon",
"radicale",
"rdsadmin",
"reflog",
"rego",
"replicatedctl",
"resolv",
@@ -288,6 +293,7 @@
"roff",
"rootlv",
"rootvg",
"routable",
"ruleset",
"runbook",
"runc",
@@ -337,6 +343,8 @@
"twrp",
"uncordon",
"unlogged",
"unshallow",
"unstaged",
"urandom",
"userdata",
"userdel",

3
knowledge base/acronyms and abbreviations.md
View File

@@ -74,7 +74,7 @@
| KISS | Keep It Simple Stupid | Also see [KISS principle is not that simple] |
| KMS | Key Management Service | |
| KMS | Knowledge Management System | |
| KPI | Key performance indicator | Quantitative success metrics that track business goals or projects |
| KPI | Key Performance Indicator | Quantitative success metrics that track business goals or projects |
| LAN | Local Area Network | |
| LED | Light Emitting Diode | |
| LIFO | Last In First Out | |
@@ -84,6 +84,7 @@
| OAM | Operations, Administration and Management | |
| OIDC | OpenID Connect | |
| OKR | Objectives and Key Results | Framework helping teams set and track measurable goals |
| OOM | Out Of Memory | |
| PDF | Portable Document Format | |
| PEBCAK | Problem Exists Between Chair And Keyboard | |
| PGP | Pretty Good Privacy | |

27
knowledge base/git.md
View File

@@ -1,7 +1,5 @@
# Git
## Table of contents <!-- omit in toc -->
1. [TL;DR](#tldr)
1. [Authentication](#authentication)
1. [Configuration](#configuration)
@@ -78,7 +76,7 @@ git --list-cmds='main,alias'
git clone 'https://github.com:user/repo.git'
git clone --bare 'git@github.com:user/repo.git' 'path/to/clone'
git clone --recurse-submodules 'ssh@git.server:user/repo.git'
git clone --depth 1 'ssh@git.server:user/repo.git'
git clone --depth '1' 'ssh@git.server:user/repo.git' --branch 'release/v1.2'
git clone 'https://token@github.com/user/repo'
git \
-c http.extraHeader="Authorization: Basic $(echo -n "user:pat" | base64)" \
@@ -418,7 +416,8 @@ git config --list --show-scope
git config --list --global --show-origin
```
The configuration is shown in full for the requested scope (or all if not specified), but it might include the same setting multiple times if it shows up in multiple scopes.<br/>
The configuration is shown in full for the requested scope (or all if not specified), but it might include the same
setting multiple times if it shows up in multiple scopes.<br/>
Render the current value of a setting using the `--get` option:
```sh
@@ -440,7 +439,7 @@ Paths can be relative or absolute, and one can use `~` as shortcut for the user'
[include]
path = /path/to/file.inc
path = path/to/inc.file
path = ~/path/to/incfile
path = ~/path/to/included/file
```
#### Conditional inclusions
@@ -476,7 +475,8 @@ git remote set-url 'origin' 'git@github.com:user/new-repo-name.git'
#### Push to multiple git remotes with the one command
To always push to `repo1`, `repo2`, and `repo3`, but always pull only from `repo1`, set up the remote 'origin' as follows:
To always push to `repo1`, `repo2`, and `repo3`, but always pull only from `repo1`, set up the remote 'origin' as
follows:
```sh
git remote add origin https://exampleuser@example.com/path/to/repo1
@@ -621,7 +621,8 @@ git diff > 'file.patch'
git diff --output 'file.patch' --cached
```
The output from `git diff` just shows changes to **text** files by default, no metadata or other information about commits or branches.<br/>
The output from `git diff` just shows changes to **text** files by default, no metadata or other information about
commits or branches.<br/>
To get a whole commit with all its metadata and binary changes, use `git format-patch`:
```sh
@@ -659,7 +660,8 @@ The commits are applied one after the other and registered in the repository's l
## The stash stack
The _stash_ is a changelist separated from the one in the current working directory.<br/>
`git stash` will save the current changes there and cleans the working directory. You can (re-)apply changes from the stash at any time:
`git stash` will save the current changes there and cleans the working directory. You can (re-)apply changes from the
stash at any time:
```sh
# Stash changes locally.
@@ -739,7 +741,8 @@ git pull 'origin' 'master'
### Rebase a branch on top of another
`git rebase` takes the commits in a branch and appends them on top of the commits in a different branch.
The commits to rebase are previously saved into a temporary area and then reapplied to the new branch, one by one, in order.
The commits to rebase are previously saved into a temporary area and then reapplied to the new branch, one by one, in
order.
```sh
# Rebase main on top of the current branch.
@@ -964,7 +967,8 @@ export GIT_TRACE=1
> fatal: failed to write commit object
> ```
If `gnupg2` and `gpg-agent` 2.x are used, be sure to set the environment variable `GPG_TTY`, specially `zsh` users using `Powerlevel10k` with Instant Prompt enabled.
If `gnupg2` and `gpg-agent` 2.x are used, be sure to set the environment variable `GPG_TTY`, specially `zsh` users using
`Powerlevel10k` with Instant Prompt enabled.
```sh
export GPG_TTY=$(tty)
@@ -1026,7 +1030,8 @@ git -c http.sslVerify=false …
- [cheat.sh]
<!--
References
Reference
═╬═Time══
-->
<!-- Files -->

34
knowledge base/gitea.md
View File

@@ -11,13 +11,43 @@
## TL;DR
<details>
<summary>Setup</summary>
```sh
# Install from source.
git clone 'https://github.com/go-gitea/gitea' -b 'release/v1.22' && cd 'gitea' \
&& TAGS='bindata sqlite sqlite_unlock_notify' make build
# Install as package.
apk add 'gitea'
brew install 'gitea'
emerge -aqv 'gitea'
pacman -S 'gitea'
pkg install 'gitea'
# Kubernetes
helm repo add 'gitea-charts' 'https://dl.gitea.com/charts/'
helm upgrade --install 'gitea' 'gitea-charts/gitea'
```
</details>
<details>
<summary>Usage</summary>
```sh
# Start after installation from source.
./gitea web
```
</details>
## Installation
<details>
<summary>Container</summary>
Docker [compose file].
The `git` user has UID and GID set to 1000 by default.<br/>
@@ -26,6 +56,8 @@ Change those in the compose file or whatever.
One can optionally define the administrative user during the initial setup.<br/>
If no administrative user is defined in that moment, the first registered user becomes the administrator.
</details>
## Configuration
Refer the [Configuration cheat sheet].
@@ -138,7 +170,7 @@ Alternatives:
[gitlab]: gitlab/README.md
<!-- Files -->
[compose file]: /containers/gitea/docker-compose.yml
[compose file]: /docker%20compositions/gitea/docker-compose.yml
<!-- Upstream -->
[configuration cheat sheet]: https://docs.gitea.com/administration/config-cheat-sheet

15
knowledge base/linux/alpine.md
View File

@@ -6,6 +6,17 @@
## TL;DR
```sh
# Set the correct hostname.
echo 'gitea' > '/etc/hostname'
hostname -F '/etc/hostname'
# Configure DHCP.
cat <<EOF > '/etc/network/interfaces'
auto eth0
iface eth0 inet dhcp
iface eth0 inet6 dhcp
EOF
# Create users.
adduser 'somebody'
adduser -DHS -G 'docker' 'docker'
@@ -15,6 +26,10 @@ addgroup 'new-group'
# Add users to groups.
addgroup 'nobody' 'docker'
# Start services.
rc-update add 'gitea'
rc-service 'gitea' start
```
## Further readings

33
knowledge base/turris omnia.md
View File

@@ -1,18 +1,23 @@
# Turris Omnia
## Table of contents <!-- omit in toc -->
1. [Factory reset](#factory-reset)
1. [Hardware upgrades](#hardware-upgrades)
1. [Further readings](#further-readings)
## Factory reset
Keep pressed the reset button on the back panel and wait for LEDs to indicate the number of the desired mode, then release the reset button.
Keep pressed the reset button on the back panel and wait for LEDs to indicate the number of the desired mode, then
release the reset button.
The LEDs are used as a counter, with the number of lid LEDs (regardless of the color) indicating the reset mode the router will reboot into. The LEDs will transition from green to red, and when the last LED turns red the next LED will light up and the counter is incremented. When the counter reaches 12 (the total number of LEDs), it will start again from 1.
The LEDs are used as a counter, with the number of lid LEDs (regardless of the color) indicating the reset mode the
router will reboot into.<br/>
The LEDs will transition from green to red, and when the last LED turns red the next LED will light up and the counter
is incremented.<br/>
When the counter reaches 12 (the total number of LEDs), it will start again from 1.
When the reset button is released, the LED counter will blink three times to confirm the selected reset mode. If the selected mode is different from the required one, just press the reset button again and start the mode selection process again.
When the reset button is released, the LED counter will blink three times to confirm the selected reset mode.<br/>
If the selected mode is different from the required one, just press the reset button again and start the mode selection
process again.
Available reset modes are:
@@ -24,11 +29,20 @@ Available reset modes are:
- 6 LEDs: re-flash from the Internet (Omnia 2019 and newer)
- 7 LEDs: start a rescue shell
> **Tip:** release the reset button immediately after the required number of LEDs starts shining (regardless of the color). Do not unnecessarily prolong holding the reset button when the last LED is lit. By doing this you decrease a chance of accidentally transitioning to the next mode at the same moment when the button is released.
> **Tip:** release the reset button immediately after the required number of LEDs starts shining (regardless of the
> color).
>
> Do not unnecessarily prolong holding the reset button when the last LED is lit.<br/>
> By doing this you decrease a chance of accidentally transitioning to the next mode at the same moment when the button
> is released.
After the selected mode indication is performed, all LEDs will turn blue for a moment and then a light wave indicates the start the first stage boot during which LEDs turn green.
After the selected mode indication is performed, all LEDs will turn blue for a moment and then a light wave indicates
the start the first stage boot during which LEDs turn green.
> **Warning:** when LEDs turn red, it means that some highly sensitive operation is in process and data may be corrupted if it is interrupted. Try not to reset router during the process or you might end up with corrupted filesystem. That one can be fixed using mode 4 but with complete data loss.
> **Warning:** when LEDs turn red, it means that some highly sensitive operation is in process and data may be corrupted
> if it is interrupted.<br/>
> Try not to reset router during the process or you might end up with corrupted filesystem. That one can be fixed using
> mode 4 but with complete data loss.
## Hardware upgrades
@@ -47,7 +61,8 @@ Most compatible upgrades are available on [Discomp].
- [Turris OS]
<!--
References
Reference
═╬═Time══
-->
<!-- Upstream -->

96
knowledge base/turris os.md
View File

@@ -2,8 +2,6 @@
Linux distribution based on top of OpenWrt. Check the [website] for more information.
## Table of contents <!-- omit in toc -->
1. [TL;DR](#tldr)
1. [LED diodes settings](#led-diodes-settings)
1. [Automatic overnight dimming](#automatic-overnight-dimming)
@@ -16,7 +14,8 @@ Linux distribution based on top of OpenWrt. Check the [website] for more informa
1. [Execute a shell into containers](#execute-a-shell-into-containers)
1. [Start containers at boot](#start-containers-at-boot)
1. [Example: cfengine hub](#example-cfengine-hub)
1. [Example: git server](#example-git-server)
1. [Example: basic, stripped git server](#example-basic-stripped-git-server)
1. [Example: gitea](#example-gitea)
1. [Example: monitoring](#example-monitoring)
1. [Example: pi-hole](#example-pi-hole)
1. [Hardening](#hardening)
@@ -113,13 +112,16 @@ schnapps delete -t 'post'
Permanent changes can be set in `/etc/config/rainbow`, the UCI configuration file.
The `rainbow` utility allows to change the color and set the status of each diode individually.<br/>
The setting are `disable` (off), `enable` (on) or `auto`; `auto` leaves the control of the diodes to the hardware, like blinking during data transfer and so on.
The setting are `disable` (off), `enable` (on) or `auto`; `auto` leaves the control of the diodes to the hardware, like
blinking during data transfer and so on.
`rainbow`'s `brightness` subcommand uses numbers from 0 to 8, or from 0 to 255 if using the `-p` switch for higher precision.
`rainbow`'s `brightness` subcommand uses numbers from 0 to 8, or from 0 to 255 if using the `-p` switch for higher
precision.
### Automatic overnight dimming
Automatically adjust the intensity of LEDs using a cronjob to be able to see the state of individual devices during the day, but not to be dazzled by the diodes in the night.
Automatically adjust the intensity of LEDs using a cronjob to be able to see the state of individual devices during the
day, but not to be dazzled by the diodes in the night.
Create the cron file in the `/etc/cron.d` directory:
@@ -145,8 +147,10 @@ When assigning static DHCP leases LuCI **only requires** the IP and MAC addresse
- **require** a unique hostname for each entry
- set the lease time to _infinite_
Setting a hostname in an entry will make Turris OS resolve the IP address **only** with that given hostname (and **not** the name the host presents itself with).<br/>
Not setting a hostname in an entry will make Turris OS resolve the IP address with the name the host presents itself with.
Setting a hostname in an entry will make Turris OS resolve the IP address **only** with that given hostname (and **not**
the name the host presents itself with).<br/>
Not setting a hostname in an entry will make Turris OS resolve the IP address with the name the host presents itself
with.
CLI procedure:
@@ -165,10 +169,12 @@ luci-reload
Some packages are not available in `opkg`'s repository, but containers can replace them.<br/>
This is particularly useful to run services off the system which are not officially supported (like [Pi-hole]).
At the time of writing [LXC] is the only container runtime supported in Turris OS, and this guide will assume one is using it.<br/>
At the time of writing [LXC] is the only container runtime supported in Turris OS, and this guide will assume one is
using it.<br/>
This requires the `lxc` package to be installed.
> It is highly suggested to use an [expansion disk](#hardware-upgrades) to store any container, but specially any one I/O heavy.
> It is highly suggested to use an [expansion disk](turris%20omnia.md#hardware-upgrades) to store any container, but
> specially any one I/O heavy.
The procedure to have a working container is as follows:
@@ -177,7 +183,7 @@ The procedure to have a working container is as follows:
This is particularly suggested in case of services.
1. [Start the container](#start-containers).
1. [Execute a shell](#execute-a-shell-into-containers) to enter it and set it all up.<br/>
See the configuration [examples](#examples) below.
See the configuration examples below.
1. Check all is working as expected.
1. If you changed the container's hostname from inside if, restart it for good measure.
1. Set the container to [start at boot](#start-containers-at-boot) if required.
@@ -300,7 +306,7 @@ config container
</details>
### Example: git server
### Example: basic, stripped git server
> This procedure assumes you are using an LXC container based on the Debian Bullseye image.
@@ -338,6 +344,31 @@ chsh 'git' -s "$(which 'git-shell')"
exit
```
### Example: gitea
> This procedure assumes you are using an LXC container based on LinuxContainers' Alpine 3.20 image:
>
> ```sh
> lxc-create --name 'gitea' --template 'download' -- \
> --server 'images.linuxcontainers.org' --dist 'alpine' --release '3.20' --arch 'armhf'
> ```
```sh
# Set the correct hostname.
# Should be already set correctly.
echo 'gitea' > '/etc/hostname'
hostname -F '/etc/hostname'
# Install Gitea.
apk add 'gitea' 'gitea-openrc'
# Start Gitea.
rc-update add 'gitea'
rc-service 'gitea' start
# Connect to 'gitea:3000' to start the first-time installation wizard.
```
### Example: monitoring
> This procedure assumes you are using an LXC container based on the Debian Bullseye image.
@@ -436,15 +467,17 @@ uci commit 'dhcp' && reload_config && luci-reload
Suggestions:
- [SSH]:
- Change the SSH port from the default `22` value.
- Restrict login to specific IP addresses.
- Restrict authentication options to keys.
- Change the SSH port from the default `22` value.
- Restrict login to specific IP addresses.
- Restrict authentication options to keys.
## The SFP+ caged module
List of [supported SFP modules].
> The physical WAN port and the SFP module cage are wired to a single controller; when a SFP module is inserted, the physical WAN **port** **will be disabled**, and the virtual WAN interface will automatically be switched to the SFP module.
> The physical WAN port and the SFP module cage are wired to a single controller; when a SFP module is inserted, the
> physical WAN **port** **will be disabled**, and the virtual WAN interface will automatically be switched to the SFP
> module.
When the OS is installed, it will probably miss the SFP kernel modules.<br/>
Check the module is recognized by the system like so:
@@ -477,7 +510,8 @@ Check the module is recognized by the system like so:
### Use the SFP module as a LAN port
To use the SFP module as a LAN port, assign any other physical switch port to the virtual WAN interface to use that as the WAN connection and the SFP module in the LAN.
To use the SFP module as a LAN port, assign any other physical switch port to the virtual WAN interface to use that as
the WAN connection and the SFP module in the LAN.
In the Foris web interface:
@@ -492,7 +526,8 @@ In the LuCI web interface:
1. Go to _Network_ > _Interfaces_.
1. In the _Interfaces_ tab, edit the WAN interface and assign the _lan4_ port to it.
1. In the _Devices_ tab, edit the _br-lan_ bridge device to include the port used by the SFP module (on mine, it was `eth2`).
1. In the _Devices_ tab, edit the _br-lan_ bridge device to include the port used by the SFP module (on mine, it was
`eth2`).
1. Hit _Save & Apply_.
Using the CLI (yet to be tested):
@@ -530,19 +565,10 @@ All the references in the [further readings] section, plus the following:
- [Operating temperature]
<!--
References
Reference
═╬═Time══
-->
<!-- Upstream -->
[docs]: https://docs.turris.cz
[factory reset on turris omnia]: https://docs.turris.cz/hw/omnia/rescue-modes/
[home nas]: https://wiki.turris.cz/doc/en/howto/nas
[how to control led diodes]: https://wiki.turris.cz/doc/en/howto/led_settings
[operating temperature]: https://forum.turris.cz/t/operating-temperature/998
[supported sfp modules]: https://wiki.turris.cz/doc/en/public/sfp
[turris wiki]: https://wiki.turris.cz/doc/en/start
[website]: https://www.turris.com/turris-os/
<!-- In-article sections -->
[further readings]: #further-readings
@@ -554,9 +580,17 @@ All the references in the [further readings] section, plus the following:
[ssh]: ssh.md
[uci]: uci.md
<!-- Upstream -->
[docs]: https://docs.turris.cz
[factory reset on turris omnia]: https://docs.turris.cz/hw/omnia/rescue-modes/
[home nas]: https://wiki.turris.cz/doc/en/howto/nas
[how to control led diodes]: https://wiki.turris.cz/doc/en/howto/led_settings
[operating temperature]: https://forum.turris.cz/t/operating-temperature/998
[supported sfp modules]: https://wiki.turris.cz/doc/en/public/sfp
[turris wiki]: https://wiki.turris.cz/doc/en/start
[website]: https://www.turris.com/turris-os/
<!-- Others -->
[install pi-hole]: https://github.com/nminten/turris-omnia_documentation/blob/master/howtos/pihole.md
[installing pi-hole on turris omnia]: https://blog.weinreich.org/posts/2020/2020-05-02-turris-omnia-pihole/
[openwrt uci]: https://openwrt.org/docs/guide-user/base-system/uci
[pi-hole on turris omnia]: http://polster.github.io/2017/08/04/Pi-Hole-on-Turris.html
[pi-hole supported operating systems]: https://docs.pi-hole.net/main/prerequisites/#supported-operating-systems

18
knowledge base/uci.md
View File

@@ -2,11 +2,9 @@
Command line utility for OpenWrt's UCI system.
## Table of contents <!-- omit in toc -->
1. [TL;DR](#tldr)
1. [Further readings](#further-readings)
1. [Sources](#sources)
1. [Sources](#sources)
## TL;DR
@@ -57,17 +55,19 @@ reload_config
- [The UCI system]
## Sources
### Sources
- [The UCI system]
- [DHCP and DNS examples]
- [Turris Omnia]
<!--
References
Reference
═╬═Time══
-->
<!-- Upstream -->
[the uci system]: https://openwrt.org/docs/guide-user/base-system/uci
<!-- Knowledge base -->
[Turris Omnia]: turris%20os.md
<!-- Upstream -->
[the uci system]: https://openwrt.org/docs/guide-user/base-system/uci
[dhcp and dns examples]: https://openwrt.org/docs/guide-user/base-system/dhcp_configuration

1
snippets/git.sh
View File

@@ -13,6 +13,7 @@ git config --local 'pull.rebase' false
git clone --recurse-submodules 'git@github.com:example/ansible-role-keychron-capable.git'
git clone 'https://gitlab-ci-token:glpat-01234567ABCDEFGHijkl@gitlab.example.org/testProj/myRepo.git'
git clone 'https://github.com/go-gitea/gitea' -b 'release/v1.22'
git branch --list --remote 'origin/*' | cut -d/ -f2

9
snippets/gitea.sh
View File

@@ -1,7 +1,12 @@
#!/usr/bin/env sh
docker exec -ti 'gitea-server-1' sh
# Set Gitea up in Kubernetes
kubectl --namespace 'gitea' create secret generic 'gitea-admin-secret' \
--from-literal 'username=gitea_admin' --from-literal "password=Scribble0-Tray1-Finisher4"
helm upgrade -i -n 'gitea' --create-namespace --repo 'https://dl.gitea.com/charts/' 'gitea' 'gitea' -f 'values.yaml'
# Access the container when using docker compose
docker exec -ti 'gitea-server-1' sh
# Generate self-signed certificates
gitea cert --host 'gitea.lan'

4
snippets/gnupg.fish
View File

@@ -23,6 +23,10 @@ gpg --list-keys --keyid-format 'short' 'key.identifier@email.com' \
gpg --armor --export 'E455…50AB' | pbcopy
gpg --export-ssh-key 'E455…50AB' | pbcopy
# Sign a string
# Used by Gitea to prove one had the private key associated to a GPG public key
echo '1d64…9920' | gpg -a --default-key 'E455…50AB' --detach-sig
# Load identities in SSH
gpgconf --launch gpg-agent

6
snippets/ip.sh Normal file
View File

@@ -0,0 +1,6 @@
#!/usr/bin/env sh
ip addr
ip link set eth0 down
ip link set eth0 up

44
snippets/uci.sh Normal file
View File

@@ -0,0 +1,44 @@
#!/usr/bin/env sh
# Show pieces of configuration
uci show
uci show 'dhcp'
# Show pending changes to the settings.
uci changes
uci changes 'dhcp'
# Configure static IPv4 address leases
uci add dhcp host \
&& uci set dhcp.@host[-1].mac='11:22:33:44:55:66' \
&& uci set dhcp.@host[-1].ip='192.168.1.2' \
&& uci commit 'dhcp' \
&& service dnsmasq restart
# Configure static IPv6 address leases
uci add dhcp host \
&& uci set dhcp.@host[-1].duid='0000111122223333444455556666' \
&& uci set dhcp.@host[-1].hostid='42' \
&& uci commit 'dhcp' \
&& service dnsmasq restart
# Ignore DHCP requests from specified clients
uci add dhcp host \
&& uci set dhcp.@host[-1].mac='11:22:33:44:55:66' \
&& uci set dhcp.@host[-1].ip='ignore' \
&& uci commit 'dhcp' \
&& service dnsmasq restart
# Ignore all DHCP requests except those from known clients
# Known clients are those with static leases or listed in '/etc/ethers'
uci set dhcp.lan.dynamicdhcp='0' \
&& uci commit 'dhcp' \
&& service dnsmasq restart
# Change elements in lists.
uci set 'dhcp.@host[11].ip=192.168.1.5' \
&& uci commit 'dhcp' \
&& service dnsmasq restart
# Delete elements in lists.
uci del 'dhcp.@host[12]' \
&& uci commit 'dhcp' \
&& service dnsmasq restart