267 lines
9.0 KiB
YAML
267 lines
9.0 KiB
YAML
---
|
|
- name: 'gather os specific variables'
|
|
include_vars: "{{ vars_file }}"
|
|
loop:
|
|
- 'default.yml'
|
|
- "{{ ansible_facts['os_family'] | lower }}.yml"
|
|
- "{{ ansible_facts['distribution'] | lower }}.yml"
|
|
- "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_major_version'] }}.yml"
|
|
- "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_version'] }}.yml"
|
|
loop_control:
|
|
loop_var: vars_file
|
|
when: "(vars_file is abs and vars_file is file) or (vars_file is not abs and (role_path ~ '/vars/' ~ vars_file) is file)"
|
|
|
|
- name: 'check for bash'
|
|
stat:
|
|
path: '/bin/bash'
|
|
register: _bin_bash
|
|
|
|
- name: 'ensure configuration consistency'
|
|
set_fact:
|
|
gitea_use_pkg: "{{ gitea_has_pkg | bool and gitea_use_pkg | bool }}"
|
|
|
|
- name: 'set user name to distribution package value'
|
|
set_fact:
|
|
gitea_user: "{{ gitea_pkg_user }}"
|
|
gitea_group: "{{ gitea_pkg_group }}"
|
|
when: "gitea_use_pkg | bool"
|
|
|
|
- name: 'install Gitea using the package manager'
|
|
package:
|
|
name: "{{ gitea_pkg_name }}"
|
|
state: present
|
|
notify: 'restart gitea'
|
|
when: "gitea_use_pkg | bool"
|
|
|
|
- name: 'install Gitea from binary'
|
|
include_tasks: install_gitea_binary.yml
|
|
when: "not gitea_use_pkg | bool"
|
|
|
|
- name: 'install additional dependencies'
|
|
package:
|
|
name: "{{ pkg.pkg }}"
|
|
state: present
|
|
when: "pkg.when"
|
|
loop:
|
|
- pkg: 'git-lfs'
|
|
when: "{{ gitea_enable_lfs | bool }}"
|
|
- pkg: "{{ gitea_gnupg_package }}"
|
|
when: "{{ gitea_enable_signing | bool }}"
|
|
loop_control:
|
|
loop_var: 'pkg'
|
|
label: "{{ pkg.pkg }}"
|
|
|
|
- name: "add {{ gitea_user }} to extra groups"
|
|
user:
|
|
name: "{{ gitea_user }}"
|
|
groups: "{{ gitea_extra_groups }}"
|
|
append: true
|
|
notify: 'restart gitea'
|
|
when: "[gitea_extra_groups | default([])] | flatten | count"
|
|
|
|
- name: "harden gitea.service"
|
|
block:
|
|
- name: "create override directory for gitea.service"
|
|
file:
|
|
path: '/etc/systemd/system/gitea.service.d/'
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: 0755
|
|
|
|
- name: "install override file for gitea.service"
|
|
template:
|
|
dest: '/etc/systemd/system/gitea.service.d/override.conf'
|
|
src: 'gitea_override.conf.j2'
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
notify:
|
|
- 'gitea_reload_service_files'
|
|
- 'restart gitea'
|
|
|
|
when: "ansible_facts['service_mgr'] == 'systemd'"
|
|
|
|
- name: 'allow non-root users to bind to low ports'
|
|
sysctl:
|
|
name: 'net.ipv4.ip_unprivileged_port_start'
|
|
value: '0'
|
|
sysctl_file: '/etc/sysctl.d/unprivileged_ports.conf'
|
|
state: present
|
|
when: "ansible_facts['service_mgr'] != 'systemd' and gitea_port | int < 1024"
|
|
|
|
- name: 'check if Gitea is already configured'
|
|
stat:
|
|
path: '/etc/gitea/app.ini'
|
|
register: _stat_appini
|
|
|
|
- name: 'read current config file'
|
|
slurp:
|
|
src: '/etc/gitea/app.ini'
|
|
register: _slurp_appini
|
|
when: "_stat_appini.stat.exists"
|
|
|
|
- include_tasks: get_secrets.yml
|
|
loop:
|
|
- 'SECRET_KEY'
|
|
- 'INTERNAL_TOKEN'
|
|
- 'JWT_SECRET'
|
|
- 'LFS_JWT_SECRET'
|
|
loop_control:
|
|
loop_var: secret
|
|
|
|
- name: 'combine default and custom options'
|
|
set_fact:
|
|
_gitea_options: "{{ gitea_default_options | combine(gitea_extra_options, recursive=True) }}"
|
|
|
|
- name: 'create required directories'
|
|
file:
|
|
path: "{{ directory.path }}"
|
|
state: directory
|
|
owner: "{{ directory.owner | default(gitea_user) }}"
|
|
group: "{{ directory.group | default(gitea_group) }}"
|
|
mode: "{{ directory.mode | default('0750') }}"
|
|
loop:
|
|
- path: '/etc/gitea'
|
|
owner: root
|
|
- path: "{{ gitea_data_path }}"
|
|
- path: "{{ _gitea_options['git']['HOME_PATH'] }}"
|
|
- path: "{{ gitea_custom_path }}"
|
|
owner: root
|
|
- path: "{{ gitea_log_path }}"
|
|
loop_control:
|
|
loop_var: directory
|
|
label: "{{ directory.path }}"
|
|
|
|
- name: 'configure Gitea'
|
|
template:
|
|
dest: '/etc/gitea/app.ini'
|
|
src: 'app.ini.j2'
|
|
owner: root
|
|
group: "{{ gitea_group }}"
|
|
mode: 0640
|
|
no_log: true
|
|
notify: 'restart gitea'
|
|
|
|
- name: 'unset secrets'
|
|
set_fact:
|
|
_slurp_appini:
|
|
_secret_value:
|
|
_generate_secret:
|
|
_SECRET_KEY:
|
|
_INTERNAL_TOKEN:
|
|
_JWT_SECRET:
|
|
_LFS_JWT_SECRET:
|
|
|
|
- name: 'create server-side commit signing key'
|
|
command: "su {{ gitea_user }} -c 'gpg --batch --generate-key'"
|
|
args:
|
|
warn: false # su is needed, otherwise Ansible might require a password to become the gitea user
|
|
creates: "{{ _gitea_options['git']['HOME_PATH'] }}/.gnupg/private-keys-v1.d/"
|
|
stdin: |
|
|
%no-protection
|
|
Key-Type: {{ gitea_signing_key_type }}
|
|
Key-Length: {{ gitea_signing_key_length }}
|
|
Key-Usage: sign
|
|
Name-Real: {{ gitea_committer_name }}
|
|
Name-Email: {{ gitea_committer_email }}
|
|
# Discard the time, use only the date as the creation timestamp
|
|
Creation-Date: {{ lookup('pipe', 'date +%Y-%m-%d') }}
|
|
when: "gitea_enable_signing | bool"
|
|
|
|
- name: 'configure git command line client'
|
|
ini_file:
|
|
path: "{{ _gitea_options['git']['HOME_PATH'] }}/.gitconfig"
|
|
section: "{{ item.section }}"
|
|
option: "{{ item.option }}"
|
|
value: "{{ item.value }}"
|
|
state: present
|
|
loop:
|
|
- section: 'commit'
|
|
option: 'gpgsign'
|
|
value: "{{ gitea_enable_signing | bool | string | lower }}"
|
|
- section: 'user'
|
|
option: 'name'
|
|
value: "{{ gitea_committer_name }}"
|
|
- section: 'user'
|
|
option: 'email'
|
|
value: "{{ gitea_committer_email }}"
|
|
loop_control:
|
|
label: "{{ item.section }}.{{ item.option }} = {{ item.value }}"
|
|
|
|
- name: 'initialise gitea database (this may take a long time)'
|
|
command: "su {{ gitea_user }} -c 'PATH=\"{{ ansible_facts['env']['PATH'] }}:/usr/local/bin\" gitea -c /etc/gitea/app.ini migrate'"
|
|
args:
|
|
chdir: "{{ gitea_data_path }}"
|
|
warn: false # su is needed, otherwise Ansible might require a password to become the gitea user
|
|
|
|
- name: 'create initial local user accounts'
|
|
command: "su {{ gitea_user }} -c 'PATH=\"{{ ansible_facts['env']['PATH'] }}:/usr/local/bin\" gitea -c /etc/gitea/app.ini admin user create --username {{ user.name | quote }} --password {{ user.password | quote }} --email {{ user.email | quote }} {{ user.admin | default(false) | bool | ternary('--admin', '') }}'"
|
|
args:
|
|
chdir: "{{ gitea_data_path }}"
|
|
warn: false # su is needed, otherwise Ansible might require a password to become the gitea user
|
|
register: _create_user
|
|
failed_when: "_create_user.rc > 0 and 'user already exists' not in _create_user.stdout"
|
|
changed_when: "'New user ''' ~ user.name ~ ''' has been successfully created' in _create_user.stdout"
|
|
no_log: true
|
|
loop: "{{ gitea_users }}"
|
|
loop_control:
|
|
loop_var: user
|
|
label: "{{ user.name }}"
|
|
|
|
- name: 'configure external authentication sources'
|
|
gitea_auth:
|
|
name: "{{ provider.name }}"
|
|
type: "{{ provider.type }}"
|
|
host: "{{ provider.host | default(omit) }}"
|
|
port: "{{ provider.port | default(omit) }}"
|
|
encryption: "{{ provider.encryption | default(omit) }}"
|
|
bind_dn: "{{ provider.bind_dn | default(omit) }}"
|
|
bind_password: "{{ provider.bind_password | default(omit) }}"
|
|
user_search_base: "{{ provider.user_search_base | default(omit) }}"
|
|
user_filter: "{{ provider.user_filter | default(omit) }}"
|
|
admin_filter: "{{ provider.admin_filter | default(omit) }}"
|
|
username_attribute: "{{ provider.username_attribute | default(omit) }}"
|
|
email_attribute: "{{ provider.email_attribute | default(omit) }}"
|
|
firstname_attribute: "{{ provider.firstname_attribute | default(omit) }}"
|
|
surname_attribute: "{{ provider.surname_attribute | default(omit) }}"
|
|
sshkey_attribute: "{{ provider.sshkey_attribute | default(omit) }}"
|
|
sync_users: "{{ provider.sync_users | default(omit) }}"
|
|
provider: "{{ provider.provider | default(omit) }}"
|
|
client_id: "{{ provider.client_id | default(omit) }}"
|
|
client_secret: "{{ provider.client_secret | default(omit) }}"
|
|
auto_discover_url: "{{ provider.auto_discover_url | default(omit) }}"
|
|
use_custom_urls: "{{ provider.use_custom_urls | default(omit) }}"
|
|
custom_tenant_id: "{{ provider.custom_tenant_id | default(omit) }}"
|
|
custom_auth_url: "{{ provider.custom_auth_url | default(omit) }}"
|
|
custom_email_url: "{{ provider.custom_email_url | default(omit) }}"
|
|
custom_profile_url: "{{ provider.custom_profile_url | default(omit) }}"
|
|
custom_token_url: "{{ provider.custom_token_url | default(omit) }}"
|
|
state: present
|
|
environment:
|
|
PATH: "{{ ansible_facts['env']['PATH'] }}:/usr/local/bin"
|
|
loop: "{{ gitea_auth_providers }}"
|
|
loop_control:
|
|
loop_var: provider
|
|
label: "{{ provider.name }}"
|
|
no_log: "{{ provider.bind_password is defined or provider.client_secret is defined }}"
|
|
|
|
- name: 'install custom files'
|
|
copy:
|
|
src: "{{ gitea_custom_files }}/"
|
|
dest: "{{ gitea_custom_path }}"
|
|
owner: root
|
|
group: root
|
|
directory_mode: 0755
|
|
when: "gitea_custom_files is defined"
|
|
notify: 'restart gitea'
|
|
|
|
# If the unit file changed, reload it now.
|
|
- meta: flush_handlers
|
|
|
|
- name: 'enable and start Gitea'
|
|
service:
|
|
name: 'gitea'
|
|
enabled: true
|
|
state: "{{ ansible_facts['is_chroot'] | ternary(omit, 'started') }}"
|