security: upgrade Gitea to 1.25.4, add security headers
- Update Gitea from 1.22.6 to 1.25.4 (fixes CVE-2026-20736, CVE-2026-20912) - Disable public registration - Disable Swagger API - Add nginx-ingress security headers: - X-Content-Type-Options: nosniff - X-XSS-Protection: 1; mode=block - Referrer-Policy: strict-origin-when-cross-origin - Permissions-Policy - Enable HSTS preload - Reorganize Gitea K8s manifests into gitea/ directory Made-with: Cursor
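--- /dev/null
+++ b/backend/deploy/k8s/gitea/configmap.yaml
@@ -0,0 +1,184 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gitea-config
+  namespace: gitea
+data:
+  app.ini: |
+    APP_NAME = GitGooSeek
+    RUN_MODE = prod
+    RUN_USER = git
+
+    [repository]
+    ROOT = /data/git/repositories
+    DEFAULT_BRANCH = main
+
+    [repository.upload]
+    ENABLED = true
+    ALLOWED_TYPES =
+    FILE_MAX_SIZE = 100
+    MAX_FILES = 10
+
+    [server]
+    DOMAIN = git.gooseek.ru
+    ROOT_URL = https://git.gooseek.ru/
+    HTTP_PORT = 3000
+    SSH_DOMAIN = git.gooseek.ru
+    SSH_PORT = 22
+    SSH_LISTEN_PORT = 22
+    LFS_START_SERVER = true
+    LFS_JWT_SECRET =
+    OFFLINE_MODE = false
+
+    [database]
+    DB_TYPE = sqlite3
+    PATH = /data/gitea/gitea.db
+
+    [security]
+    INSTALL_LOCK = true
+    SECRET_KEY =
+    INTERNAL_TOKEN =
+    PASSWORD_HASH_ALGO = pbkdf2
+    MIN_PASSWORD_LENGTH = 12
+    PASSWORD_COMPLEXITY = lower,upper,digit,spec
+    PASSWORD_CHECK_PWN = true
+    CSRF_COOKIE_HTTP_ONLY = true
+
+    [service]
+    DISABLE_REGISTRATION = true
+    REQUIRE_SIGNIN_VIEW = false
+    REGISTER_EMAIL_CONFIRM = false
+    ENABLE_NOTIFY_MAIL = false
+    ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+    ENABLE_CAPTCHA = true
+    REQUIRE_CAPTCHA_FOR_LOGIN = true
+    DEFAULT_KEEP_EMAIL_PRIVATE = true
+    DEFAULT_ALLOW_CREATE_ORGANIZATION = false
+    DEFAULT_ENABLE_DEPENDENCIES = true
+    ALLOW_CROSS_REPOSITORY_DEPENDENCIES = true
+    ENABLE_USER_HEATMAP = true
+    ENABLE_TIMETRACKING = true
+    DEFAULT_ENABLE_TIMETRACKING = true
+    NO_REPLY_ADDRESS = noreply.git.gooseek.ru
+
+    [service.explore]
+    REQUIRE_SIGNIN_VIEW = false
+    DISABLE_USERS_PAGE = true
+
+    [openid]
+    ENABLE_OPENID_SIGNIN = false
+    ENABLE_OPENID_SIGNUP = false
+
+    [oauth2_client]
+    ENABLE_AUTO_REGISTRATION = false
+    REGISTER_EMAIL_CONFIRM = false
+
+    [api]
+    ENABLE_SWAGGER = false
+    MAX_RESPONSE_ITEMS = 50
+    DEFAULT_PAGING_NUM = 30
+
+    [session]
+    PROVIDER = file
+    PROVIDER_CONFIG = /data/gitea/sessions
+    COOKIE_NAME = i_like_gitea
+    COOKIE_SECURE = true
+    GC_INTERVAL_TIME = 86400
+    SESSION_LIFE_TIME = 86400
+    SAME_SITE = lax
+
+    [picture]
+    AVATAR_UPLOAD_PATH = /data/gitea/avatars
+    REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+    DISABLE_GRAVATAR = true
+    ENABLE_FEDERATED_AVATAR = false
+
+    [attachment]
+    ENABLED = true
+    PATH = /data/gitea/attachments
+    ALLOWED_TYPES = .csv,.docx,.fodg,.fodp,.fods,.fodt,.gif,.gz,.jpeg,.jpg,.log,.md,.mov,.mp4,.odf,.odg,.odp,.ods,.odt,.patch,.pdf,.png,.pptx,.svg,.tgz,.txt,.webm,.xls,.xlsx,.zip
+    MAX_SIZE = 100
+    MAX_FILES = 10
+
+    [log]
+    MODE = console
+    LEVEL = Info
+    ROOT_PATH = /data/gitea/log
+
+    [log.console]
+    STDERR = true
+
+    [cron]
+    ENABLED = true
+
+    [cron.archive_cleanup]
+    ENABLED = true
+    RUN_AT_START = true
+    SCHEDULE = @every 24h
+    OLDER_THAN = 24h
+
+    [cron.sync_external_users]
+    ENABLED = false
+
+    [cron.deleted_branches_cleanup]
+    ENABLED = true
+    RUN_AT_START = true
+    SCHEDULE = @every 24h
+
+    [git]
+    MAX_GIT_DIFF_LINES = 1000
+    MAX_GIT_DIFF_LINE_CHARACTERS = 5000
+    MAX_GIT_DIFF_FILES = 100
+    GC_ARGS =
+
+    [markup.sanitizer.1]
+    ELEMENT = span
+    ALLOW_ATTR = class
+    REGEXP = ^(color[0-9]?|text-white|text-black|text-green|text-red|text-blue)$
+
+    [actions]
+    ENABLED = true
+    DEFAULT_ACTIONS_URL = github
+
+    [packages]
+    ENABLED = true
+    CHUNKED_UPLOAD_PATH = /data/gitea/tmp/package-upload
+
+    [mirror]
+    ENABLED = true
+    DISABLE_NEW_PULL = false
+    DISABLE_NEW_PUSH = false
+    DEFAULT_INTERVAL = 8h
+    MIN_INTERVAL = 10m
+
+    [lfs]
+    PATH = /data/git/lfs
+
+    [mailer]
+    ENABLED = false
+
+    [cache]
+    ENABLED = true
+    ADAPTER = memory
+    INTERVAL = 60
+    HOST =
+
+    [queue]
+    TYPE = level
+    DATADIR = /data/gitea/queues
+
+    [indexer]
+    ISSUE_INDEXER_TYPE = bleve
+    ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+    REPO_INDEXER_ENABLED = true
+    REPO_INDEXER_PATH = /data/gitea/indexers/repos.bleve
+    REPO_INDEXER_INCLUDE =
+    REPO_INDEXER_EXCLUDE =
+    MAX_FILE_SIZE = 1048576
+
+    [admin]
+    DISABLE_REGULAR_ORG_CREATION = true
+
+    [webhook]
+    ALLOWED_HOST_LIST = external,loopback
+    SKIP_TLS_VERIFY = false
+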
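Review bot: `SECRET_KEY =`, `INTERNAL_TOKEN =` (in `[security]`) and `LFS_JWT_SECRET =` (in `[server]`) are left empty inside a ConfigMap, which hands key generation to Gitea's startup logic; as far as I can tell that logic expects to write the generated value back into app.ini, which a ConfigMap mount cannot provide, so the keys may not survive restarts, and both the internal API token used by git hooks and anything encrypted with SECRET_KEY (for example stored 2FA secrets) depend on them staying stable. Source them from a Kubernetes Secret instead: `INTERNAL_TOKEN_URI = file:<PATH-TO-MOUNTED-SECRET>` in `[security]`, and `GITEA__security__SECRET_KEY` / `GITEA__server__LFS_JWT_SECRET` environment variables fed from the Secret if the image's environment-to-ini entrypoint is in use (the Deployment and Secret manifests are outside this file). Two smaller points: `[webhook] ALLOWED_HOST_LIST = external,loopback` widens Gitea's default of `external`, so a repository admin's webhook can target the pod's own loopback listeners, which warrants either dropping `loopback` or a comment stating why it is needed; and with nginx-ingress in front (per the commit message), `[security] REVERSE_PROXY_TRUSTED_PROXIES` should list the ingress pod range, otherwise the client IP Gitea records in logs is the ingress address rather than the real client.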