.

templates/app.ini.j2

@@ -0,0 +1,10 @@
+{# vim: filetype=ini.jinja2 #}
+{{ ansible_managed | comment }}
+
+{% for key, options in _gitea_options.items() %}
+[{{ key }}]
+{% for k, v in options.items() if v != omit %}
+{{ k }} = {{ v }}
+{% endfor %}
+
+{% endfor %}

templates/gitea.openrc.j2

@@ -0,0 +1,45 @@
+{# vim: filetype=gentoo-init-d.jinja2 #}
+#!/sbin/openrc-run
+
+name=gitea
+description="Gitea, a self-hosted Git service"
+
+: ${GITEA_CONF:=/etc/gitea/app.ini}
+: ${GITEA_USER:={{ gitea_user }}}
+: ${GITEA_GROUP:={{ gitea_group }}}
+: ${GITEA_WORK_DIR:={{ gitea_data_path }}}
+: ${GITEA_CUSTOM:={{ gitea_custom_path }}}
+: ${GITEA_LOG_FILE:={{ gitea_log_path }}/http.log}
+
+supervisor=supervise-daemon
+command="/usr/local/bin/gitea"
+command_args="--config '${GITEA_CONF}' web"
+command_background="true"
+command_user="${GITEA_USER}:${GITEA_GROUP}"
+error_log="/var/log/${RC_SVCNAME}/${RC_SVCNAME}.err"
+pidfile="/run/${RC_SVCNAME}.pid"
+required_files="${GITEA_CONF}"
+supervise_daemon_args="--env GITEA_WORK_DIR='${GITEA_WORK_DIR}' \
+    --chdir '${GITEA_WORK_DIR}' \
+    --stdout '${GITEA_LOG_FILE}' --stderr '${GITEA_LOG_FILE}'"
+
+depend() {
+        use logger dns
+        need net
+{%- if gitea_database_host.startswith('127.') or gitea_database_host.startswith('localhost') or gitea_database_host.startswith('/') %}
+{% if gitea_database_type == 'postgres' %}
+ postgresql
+{% elif gitea_database_type == 'mysql' %}
+{% if _initd_mariadb.stat.exists %}
+ mariadb
+{% else %}
+ mysql
+{% endif %}
+{% else %}
+
+{% endif %}
+{% else %}
+
+{% endif %}
+        after firewall
+}

templates/gitea.service.j2

@@ -0,0 +1,32 @@
+{# vim: filetype=systemd.jinja2 #}
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=network.target
+Requires=network.target
+{% if gitea_database_host.startswith('127.') or gitea_database_host.startswith('localhost') or gitea_database_host.startswith('/') %}
+{% if gitea_database_type == 'postgres' %}
+Requires=postgresql.service
+{% elif gitea_database_type == 'mysql' %}
+{% if _mariadb_service.stat.exists %}
+Requires=mariadb.service
+{% else %}
+Requires=mysql.service
+{% endif %}
+{% endif %}
+{% endif %}
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=2s
+
+User={{ gitea_user }}
+Group={{ gitea_group }}
+
+ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
+WorkingDirectory={{ gitea_data_path | quote }}
+RuntimeDirectory=gitea
+Environment="GITEA_WORK_DIR={{ gitea_data_path }}" "GITEA_CUSTOM={{ gitea_custom_path }}"
+
+[Install]
+WantedBy=multi-user.target

templates/gitea_override.conf.j2

@@ -0,0 +1,38 @@
+{# vim: filetype=systemd.jinja2 #}
+[Service]
+# Apply principle of least privilege
+NoNewPrivileges=true
+CapabilityBoundingSet=
+{% if gitea_port | int < 1024 %}
+# Allow binding to low ports
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+{% endif %}
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths={{ [gitea_data_path, gitea_log_path] | map('quote') | join(' ') }}
+{% if gitea_inaccessible_paths | count %}
+InaccessiblePaths={{ [gitea_inaccessible_paths] | flatten | unique | map('quote') | join(' ') }}
+{% endif %}
+PrivateTmp=true
+PrivateDevices=true
+{% if [gitea_extra_groups | default([])] | flatten | count == 0 %}
+PrivateUsers=true
+{% endif %}
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectProc=invisible
+ProtectClock=true
+ProtectHostname=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallFilter=@system-service @basic-io @io-event @network-io madvise
+SystemCallFilter=~@aio @chown @keyring @memlock @privileged @resources @setuid
+SystemCallArchitectures=native
+RemoveIPC=true