ansible/ansible-role-gitea
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

.

Browse Source
This commit is contained in:
Bastian Epting 2023-12-08 12:44:32 +01:00
commit 14409872b6
24 changed files with 1071 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
LICENSE Normal file
View File

@ -0,0 +1,11 @@
Copyright 2019-present Thomas Maurice
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

207
README.md Normal file
View File

@ -0,0 +1,207 @@
# Ansible role gitea - Install a gitea server
[![Build Status](https://travis-ci.org/thomas-maurice/ansible-role-gitea.svg?branch=master)](https://travis-ci.org/thomas-maurice/ansible-role-gitea)
![Ansible Role](https://img.shields.io/ansible/role/38779)
![Ansible Role](https://img.shields.io/ansible/role/d/38779)
![Ansible Quality Score](https://img.shields.io/ansible/quality/38779)
This role installs and manages a [gitea](https://gitea.io) server -
[Source code & screenshots](https://github.com/go-gitea/gitea).
Gitea is a Golang Git repository webapp, having the same look and feel as GitHub.
## Sample example of use in a playbook
The following code has been tested with Debian 8, it should work on Ubuntu as well.
```yaml
- name: "Install gitea"
hosts: all
vars:
gitea_user: "gitea"
gitea_home: "/var/lib/gitea"
# To limit your users to 30 repos
gitea_user_repo_limit: 30
# Don't use a public CDN for frontend assets
gitea_offline_mode: true
# Some 'rendering' options for your URLs
gitea_http_domain: git.yourdomain.fr
gitea_root_url: https://git.yourdomain.fr
# Here we assume we are behind a reverse proxy that will
# handle https for us, so we bind on localhost:3000 using HTTP
gitea_protocol: http
gitea_http_listen: 127.0.0.1
gitea_http_port: 3000
# SSH server configuration
gitea_ssh_listen: 0.0.0.0
gitea_ssh_port: 2222
# For URLs rendering again
gitea_ssh_domain: git.yourdomain.fr
gitea_start_ssh: true
gitea_secret_key: 3sp00ky5me
gitea_disable_gravatar: true
# To make at least your first user register
gitea_disable_registration: false
gitea_require_signin: true
gitea_enable_captcha: true
gitea_show_user_email: false
roles:
- gitea
```
## More detailed options
### General
* `gitea_version_check`: Check if installed version != `gitea_version` before initiating binary download
* `gitea_user`: UNIX user used by Gitea
* `gitea_group`: UNIX group used by Gitea
* `gitea_home`: Base directory to work
* `gitea_dl_url`: The URL, the compiled gitea-binary will be downloaded from
* `gitea_systemd_cap_net_bind_service`: Adds `AmbientCapabilities=CAP_NET_BIND_SERVICE` to systemd service file
* `gitea_extra_config`: Additional configuration
### Look and feel
* `gitea_app_name`: Displayed application name
* `gitea_show_user_email`: Do you want to display email addresses ? (true/false)
* `gitea_disable_gravatar`: Do you want to disable Gravatar ? (privacy and so on) (true/false)
* `gitea_offline_mode`: Same but for disabling CDNs for frontend assets (true/false)
* `gitea_disable_registration`: Do you want to disable user registration ? (true/false)
* `gitea_only_allow_external_registration`: Do you want to force registration only using third-party services ? (true/false)
* `gitea_show_registration_button`: Do you want to show the registration button? (true/false)
* `gitea_require_signin`: Do you require a signin to see repo's (even public ones) ? (true/false)
* `gitea_enable_captcha`: Do you want to enable captcha's ? (true/false)
* `gitea_themes`: List of enabled themes
* `gitea_theme_default`: Default theme
### Security
* `gitea_secret_key`: Cookie secret key
* `gitea_internal_token`: Internal API token
* `gitea_disable_git_hooks`: Do you want to disable the interface to add git hooks? If enabled it could be a security bug as it can be used for RCE. Defaults to true (true/false)
### Limits
* `gitea_user_repo_limit`: Limit how many repos a user can have (-1 for unlimited)
### HTTP configuration
* `gitea_http_domain`: HTTP domain (displayed in your clone URLs, just the domain like git.foo.fr)
* `gitea_root_url`: Root URL used to access your web app (full URL)
* `gitea_protocol`: Listening protocol (http/https)
* `gitea_http_listen`: Bind address
* `gitea_http_port`: Bind port
* `gitea_disable_http_git`: Disable the use of Git over HTTP ? (true/false)
### SSH configuration
* `gitea_ssh_listen`: Bind address for the SSH server
* `gitea_ssh_domain`: SSH domain (displayed in your clone URLs)
* `gitea_start_ssh`: Do you want to start a built-in SSH server ? (true/false)
* `gitea_ssh_port`: SSH bind port
### Database configuration
* `gitea_db_type`: Database type, can be `mysql`, `postgres` or `sqlite3`
* `gitea_db_host`: Database host string `host:port` or `/run/postgresql/` when connectiong to postgres via local unix socket (peer authentication)
* `gitea_db_name`: Database name
* `gitea_db_user`: Database username
* `gitea_db_password`: Database password
* `gitea_db_ssl`: Use SSL ? (postgres only!). Can be `require`, `disable`, `verify-ca` or `verify-full`
* `gitea_db_path`: DB path, if you use `sqlite3`. The default is good enough to work though.
### Mailer configuration
* `gitea_mailer_enabled`: Whether to enable the mailer. Default: `false`
* `gitea_mailer_skip_verify`: Skip SMTP TLS certificate verification (true/false)
* `gitea_mailer_tls_enabled`: Enable TLS for SMTP connections (true/false)
* `gitea_mailer_host`: SMTP server hostname and port
* `gitea_mailer_user`: SMTP server username
* `gitea_mailer_password`: SMTP server password
* `gitea_mailer_from`: Sender mail address
* `gitea_enable_notify_mail`: Whether e-mail should be send to watchers of a repository when something happens. Default: `false`
* `gitea_mail_default`: Default configuration for email notifications for users (user configurable). Options: enabled, onmention, disable (Default: `onmention` )
* `gitea_autowatch_new_repo`: Enable this to let all organisation users watch new repos when they are created (Default: `false`)
* `gitea_autowatch_on_change`: Enable this to make users watch a repository after their first commit to it (Default: `true`)
* `gitea_show_mailstones_dashboard`: Enable this to show the milestones dashboard page - a view of all the users milestones (Default: `true`)
### Fail2Ban configuration
If enabled, this will deploy a fail2ban filter and jail config for Gitea as described in the [Gitea Documentation](https://docs.gitea.io/en-us/fail2ban-setup/).
As this will only deploy config files, fail2ban already has to be installed or otherwise the role will fail.
* `gitea_fail2ban_enabled`: Whether to deploy the fail2ban config or not
* `gitea_fail2ban_jail_maxretry`: fail2ban jail `maxretry` setting. Default: `10`
* `gitea_fail2ban_jail_findtime`: fail2ban jail `findtime` setting. Default: `3600`
* `gitea_fail2ban_jail_bantime`: fail2ban jail `bantime` setting. Default: `900`
* `gitea_fail2ban_jail_action`: fail2ban jail `action` setting. Default: `iptables-allports`
### Oauth2 provider configuration
* `gitea_oauth2_enabled`: Enable the Oauth2 provider (true/false)
* `gitea_oauth2_jwt_secret`: Oauth2 JWT secret. Can be generated with ``gitea generate secret JWT_SECRET``
### GIT LFS configuration
* `gitea_lfs_enabled`: Enable GIT LFS (large filesystem)
* `gitea_lfs_mode`: should lfs be in offline mode (true/false)
* `gitea_lfs_secret`: JWT secret for remote LFS usage
### Metrics endpoint configuration
* `gitea_metrics_enabled`: Enable the metrics endpoint
* `gitea_metrics_token`: Bearer token for the Prometheus scrape job
### Repository Indexer configuration
* `gitea_repo_indexer_enabled`: Whether to enable the repository indexer (code search). Default: `false`
* `gitea_repo_indexer_include`: Glob patterns to include in the index (comma-separated list). Default: `""` (all files)
* `gitea_repo_indexer_exclude`: Glob patterns to exclude from the index (comma-separated list). Default: `""` (no files)
* `gitea_repo_exclude_vendored`: Exclude vendored files from the index. Default: `true`
* `gitea_repo_indexer_max_file_size`: Maximum size of files to be indexed (in bytes). Default: `1048576` (1 MB)
### backup on upgrade
* `gitea_backup_on_upgrade`: Optionally a backup can be created with every update of gitea. Default: `false`
* `gitea_backup_location`: Where to store the gitea backup if one is created with this role. Default: `{{ gitea_home }}/backups/`
## Contributing
Don't hesitate to create a pull request, and when in doubt you can reach me on
Twitter [@thomas_maurice](https://twitter.com/thomas_maurice).
I'm happy to fix any issue that's been opened, or even better, review your pull requests :)
## Testing
Testing uses [molecule](https://molecule.readthedocs.io/en/stable-1.22/usage.html). To start the
tests, install the dependencies first. I would recommend you use [a virtual env](https://virtualenv.pypa.io/en/latest/) for that but who am I to tell you what to do.
```
pip install pew # install pew to manage the venvs
pew new ansible # create the venv
pip install -r requirements-travis.txt # install the requirements
molecule test # Run the actual tests
```
Note: you need Docker installed
### Known testing limitations
Currently it's mainly validating that the playbook runs, the lint is ok, and that kind of things.
Since it runs in Docker, we currently have no way to check if the service is actually launched by systemd
and so on. This has to be worked on.
## License
```
Copyright 2019-present Thomas Maurice
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
```

100
defaults/main.yml Normal file
View File

@ -0,0 +1,100 @@
---
gitea_version: "1.13.7"
gitea_version_check: true
gitea_dl_url: "https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-{{ gitea_arch }}"
gitea_gpg_key: "7C9E68152594688862D62AF62D9AE806EC1592E2"
gitea_gpg_server: "hkps://keys.openpgp.org"
gitea_app_name: "Gitea"
gitea_user: "gitea"
gitea_group: "gitea"
gitea_home: "/var/lib/gitea"
gitea_shell: "/bin/false"
gitea_systemd_cap_net_bind_service: false
gitea_repository_root: "{{ gitea_home }}"
gitea_user_repo_limit: -1
gitea_http_domain: localhost
gitea_root_url: http://localhost:3000
gitea_protocol: http
gitea_http_listen: 127.0.0.1
gitea_http_port: 3000
gitea_disable_http_git: false
gitea_offline_mode: true
gitea_lfs_server_enabled: false
gitea_lfs_content_path: "{{ gitea_home }}/data/lfs"
gitea_lfs_jwt_secret: ''
gitea_lfs_content_path: "data/lfs"
gitea_lfs_secret: SomethingVeryLong
gitea_lfs_mode: true
gitea_db_type: sqlite3
gitea_db_host: 127.0.0.0:3306
gitea_db_name: root
gitea_db_user: gitea
gitea_db_password: lel
gitea_db_ssl: disable
gitea_db_path: "{{ gitea_home }}/data/gitea.db"
gitea_ssh_listen: 0.0.0.0
gitea_ssh_domain: localhost
gitea_start_ssh: true
gitea_ssh_port: 2222
gitea_secret_key: T0pS3cr31
gitea_internal_token: SomethingVeryLong
gitea_disable_git_hooks: true
gitea_show_user_email: false
gitea_disable_gravatar: true
gitea_disable_registration: false
gitea_show_registration_button: true
gitea_require_signin: true
gitea_enable_captcha: true
gitea_only_allow_external_registration: false
gitea_enable_notify_mail: false
gitea_mail_default: onmention
gitea_autowatch_new_repo: false
gitea_autowatch_on_change: true
gitea_show_mailstones_dashboard: true
gitea_force_private: false
gitea_mailer_enabled: false
gitea_mailer_skip_verify: false
gitea_mailer_tls_enabled: true
gitea_mailer_host: localhost:25
gitea_mailer_from: noreply@your.domain
gitea_mailer_user: ""
gitea_mailer_password: ""
gitea_mailer_type: smtp
gitea_fail2ban_enabled: false
gitea_fail2ban_jail_maxretry: 10
gitea_fail2ban_jail_findtime: 3600
gitea_fail2ban_jail_bantime: 900
gitea_fail2ban_jail_action: iptables-allports
gitea_oauth2_enabled: true
gitea_oauth2_jwt_secret: ''
gitea_metrics_enabled: false
gitea_metrics_token: ~
gitea_themes: gitea,arc-green
gitea_theme_default: gitea
gitea_repo_indexer_enabled: false
gitea_repo_indexer_include: ""
gitea_repo_indexer_exclude: ""
gitea_repo_exclude_vendored: true
gitea_repo_indexer_max_file_size: 1048576
gitea_log_level: Info
gitea_extra_config: ""
gitea_backup_on_upgrade: false
gitea_backup_location: "{{ gitea_home }}/backups/"

17
handlers/main.yml Normal file
View File

@ -0,0 +1,17 @@
---
- name: "Restart gitea"
ansible.builtin.service:
name: gitea
state: restarted
when: ansible_service_mgr == "systemd"
- name: "Reload systemd"
ansible.builtin.systemd:
daemon_reload: true
when: ansible_service_mgr == "systemd"
- name: "Restart fail2ban"
ansible.builtin.service:
name: fail2ban
state: restarted
when: ansible_service_mgr == "systemd"

32
meta/main.yml Normal file
View File

@ -0,0 +1,32 @@
---
galaxy_info:
author: Thomas Maurice
description: Ansible Role - Gitea
min_ansible_version: 2.10
license: BSD-3-Clause
galaxy_tags:
- git
- gitea
- system
- development
- sourcecontrol
- selfhosted
- gitserver
- gogs
platforms:
- name: Debian
versions:
- stretch
- buster
- name: Ubuntu
versions:
- xenial
- bionic
- focal
- name: CentOS
versions:
- 7
- 8
- name: Fedora
versions:
- 33

9
molecule/default/converge.yml Normal file
View File

@ -0,0 +1,9 @@
---
- name: Converge
hosts: all
become: true
roles:
- ansible-role-gitea
vars:
gitea_http_domain: localhost
gitea_root_url: http://localhost

43
molecule/default/molecule.yml Normal file
View File

@ -0,0 +1,43 @@
---
dependency:
name: galaxy
driver:
name: docker
lint: |
set -e
yamllint .
ansible-lint
platforms:
- name: instance
image: geerlingguy/docker-${MOLECULE_DISTRO:-ubuntu1804}-ansible:latest
pre_build_image: true
command: ${MOLECULE_DOCKER_COMMAND:-""}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
provisioner:
name: ansible
playbooks:
prepare: prepare.yml
converge: converge.yml
scenario:
test_sequence:
- lint
- destroy
- syntax
- create
- prepare
- converge
- verify
- destroy
verifier:
name: testinfra
lint:
name: flake8

27
molecule/default/prepare.yml Normal file
View File

@ -0,0 +1,27 @@
---
- name: Prepare
hosts: all
become: true
tasks:
- name: install dependencies for gitea (RedHat based systems)
yum:
name: "{{ redhat_packages }}"
state: present
update_cache: true
when: ansible_os_family == "RedHat"
- name: install dependencies for gitea (Debian based systems)
apt:
name: "{{ debian_packages }}"
state: present
update_cache: true
when: ansible_os_family == "Debian"
vars:
debian_packages:
- git
- curl
- xz-utils
redhat_packages:
- git
- curl
- xz

25
molecule/default/tests/test_default.py Normal file
View File

@ -0,0 +1,25 @@
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
def test_gitea_binary(host):
gitea_bin = host.file('/usr/local/bin/gitea')
assert gitea_bin.exists
assert gitea_bin.user == 'root'
assert gitea_bin.group == 'root'
def test_gitea_config_file(host):
gitea_config = host.file('/etc/gitea/gitea.ini')
assert gitea_config.exists
assert gitea_config.mode == 0o600
def test_gitea_service_running(host):
gitea = host.service('gitea')
assert gitea.is_running
def test_gitea_reachable(host):
gitea_http = host.run('curl http://localhost:3000')
assert gitea_http.rc == 0

66
requirements-travis.txt Normal file
View File

@ -0,0 +1,66 @@
ansible==2.10.7
ansible-lint==4.2.0
anyconfig==0.9.7
arrow==0.15.5
asn1crypto==0.24.0
binaryornot==0.4.4
Cerberus==1.3.2
certifi==2020.12.5
cffi==1.14.4
chardet==4.0.0
click==7.1.2
click-completion==0.5.2
click-help-colors==0.9
colorama==0.4.4
cookiecutter==1.7.2
cryptography==3.3.1
cryptography==3.3.2
docker==4.4.1
docker-pycreds==0.4.0
entrypoints==0.3
fasteners==0.15
flake8==3.7.7
future==0.18.2
git-url-parse==1.2.1
idna==2.9
importlib-metadata==1.6.0
Jinja2==2.11.3
jinja2-time==0.2.0
MarkupSafe==1.1.1
mccabe==0.6.1
molecule==3.0.3
monotonic==1.5
more-itertools==8.6.0
paramiko==2.7.2
pathspec==0.8.1
pbr==5.5.1
pexpect==4.8.0
pi==0.1.2
pluggy==0.13.1
poyo==0.5.0
psutil==5.6.6
ptyprocess==0.6.0
py==1.10.0
pyasn1==0.4.5
pycodestyle==2.5.0
pycparser==2.20
pyflakes==2.1.1
PyNaCl==1.3.0
pytest==4.3.1
python-dateutil==2.8.1
python-gilt==1.2.3
PyYAML==5.4
requests==2.23.0
ruamel.yaml==0.16.10
ruamel.yaml.clib==0.2.0
sh==1.12.14
shellingham==1.3.2
six==1.14.0
tabulate==0.8.7
testinfra==6.0.0
tree-format==0.1.2
urllib3==1.26.5
websocket-client==0.57.0
whichcraft==0.6.1
yamllint==1.26.0
zipp==3.4.0

30
tasks/backup.yml Normal file
View File

@ -0,0 +1,30 @@
---
- name: Get service facts
service_facts:
- block:
- name: Stopping gitea before upgrade
service:
name: gitea
state: stopped
- name: "Create backup directory"
file:
path: "{{ item }}"
state: directory
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: 'u=rwx,g=rx,o='
with_items:
- "{{ gitea_backup_location }}"
- name: Backing up gitea before upgrade
command:
cmd: "/usr/local/bin/gitea dump -c /etc/gitea/gitea.ini"
chdir: "{{ gitea_backup_location }}"
become: true
become_user: "{{ gitea_user }}"
when:
- ansible_facts.services["gitea.service"] is defined
- ansible_facts.services["gitea.service"].state == "running"
- gitea_active_version.stdout != gitea_version

14
tasks/create_user.yml Normal file
View File

@ -0,0 +1,14 @@
---
- name: "Create Gitea Group"
group:
name: "{{ gitea_group }}"
system: true
state: "present"
- name: "Create Gitea user"
ansible.builtin.user:
name: "{{ gitea_user }}"
comment: "Gitea user"
home: "{{ gitea_home }}"
shell: "{{ gitea_shell }}"
system: true

26
tasks/fail2ban.yml Normal file
View File

@ -0,0 +1,26 @@
---
- name: Install fail2ban filter
ansible.builtin.template:
src: fail2ban/filter.conf.j2
dest: /etc/fail2ban/filter.d/gitea.conf
owner: root
group: root
mode: 0444
notify: Restart fail2ban
when: "'fail2ban' in ansible_facts.packages"
- name: Install fail2ban jail
ansible.builtin.template:
src: fail2ban/jail.conf.j2
dest: /etc/fail2ban/jail.d/gitea.conf
owner: root
group: root
mode: 0444
notify: Restart fail2ban
when: "'fail2ban' in ansible_facts.packages"
- name: warn if fail2ban is not installed
ansible.builtin.fail:
msg: "the package fail2ban is not installed. no fail2ban filters deployed."
when: "'fail2ban' not in ansible_facts.packages"
ignore_errors: true

71
tasks/install.yml Normal file
View File

@ -0,0 +1,71 @@
---
- block:
- name: Update apt cache
apt:
cache_valid_time: 3600
update_cache: true
register: _pre_update_apt_cache
until: _pre_update_apt_cache is succeeded
when:
- ansible_pkg_mgr == "apt"
- name: Install dependencies
package:
name: "{{ gitea_dependencies }}"
state: present
register: _install_dep_packages
until: _install_dep_packages is succeeded
retries: 5
delay: 2
- block:
- name: Download gitea archive
get_url:
url: "{{ gitea_dl_url }}.xz"
dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
checksum: "sha256:{{ gitea_dl_url }}.xz.sha256"
register: _download_archive
until: _download_archive is succeeded
retries: 5
delay: 2
- name: Download gitea asc file
get_url:
url: "{{ gitea_dl_url }}.xz.asc"
dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc"
register: _download_asc
until: _download_asc is succeeded
retries: 5
delay: 2
- name: Check gitea gpg key
command: "gpg --list-keys 0x{{ gitea_gpg_key }}"
register: _gitea_gpg_key_status
changed_when: false
failed_when: _gitea_gpg_key_status.rc not in (0, 2)
- name: Import gitea gpg key
command: "gpg --keyserver {{ gitea_gpg_server }} --recv {{ gitea_gpg_key }}"
register: _gitea_import_key
changed_when: '"imported: 1" in _gitea_import_key.stderr'
when: _gitea_gpg_key_status.rc != 0
- name: Check archive signature
command: "gpg --verify /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
changed_when: false
- name: Unpack gitea binary
command:
cmd: "xz -k -d /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
creates: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}"
- name: Propagate gitea binary
copy:
src: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}"
remote_src: true
dest: "/usr/local/bin/gitea"
mode: 0755
owner: root
group: root
notify: "Restart gitea"
when: (not gitea_version_check|bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version))

17
tasks/install_systemd.yml Normal file
View File

@ -0,0 +1,17 @@
---
- name: "Setup systemd service"
ansible.builtin.template:
src: gitea.service.j2
dest: /lib/systemd/system/gitea.service
owner: root
group: root
mode: 0644
notify:
- "Reload systemd"
- "Restart gitea"
# systemd to be reloaded the first time because
# it is the only way Systemd is going to be aware of the new unit file.
- name: "Reload systemd"
ansible.builtin.systemd:
daemon_reload: true

38
tasks/jwt_secrets.yml Normal file
View File

@ -0,0 +1,38 @@
---
- name: generate OAuth2 JWT_SECRET if not provided
become: true
shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_oauth_jwt_secret'
args:
creates: '/etc/gitea/gitea_oauth_jwt_secret'
when: gitea_oauth2_jwt_secret | length == 0
- name: read OAuth2 JWT_SECRET from file
become: true
slurp:
src: '/etc/gitea/gitea_oauth_jwt_secret'
register: oauth_jwt_secret
when: gitea_oauth2_jwt_secret | length == 0
- name: set fact gitea_oauth2_jwt_secret
set_fact:
gitea_oauth2_jwt_secret: "{{ oauth_jwt_secret['content'] | b64decode }}"
when: gitea_oauth2_jwt_secret | length == 0
- name: generate LFS JWT_SECRET if not provided
become: true
shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_lfs_jwt_secret'
args:
creates: '/etc/gitea/gitea_lfs_jwt_secret'
when: gitea_lfs_jwt_secret | length == 0
- name: read LFS JWT_SECRET from file
become: true
slurp:
src: '/etc/gitea/gitea_lfs_jwt_secret'
register: lfs_jwt_secret
when: gitea_lfs_jwt_secret | length == 0
- name: set fact gitea_lfs_jwt_secret
set_fact:
gitea_lfs_jwt_secret: "{{ lfs_jwt_secret['content'] | b64decode }}"
when: gitea_lfs_jwt_secret | length == 0

91
tasks/main.yml Normal file
View File

@ -0,0 +1,91 @@
---
- name: Gather variables for each operating system
include_vars: "{{ item }}"
with_first_found:
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_distribution | lower }}.yml"
- "{{ ansible_os_family | lower }}.yml"
- name: Gather installed packages for checks in the role (fail2ban)
ansible.builtin.package_facts:
manager: auto
- name: "Check gitea version"
ansible.builtin.shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3"
args:
executable: /bin/bash
register: gitea_active_version
changed_when: false
failed_when: false
when: gitea_version_check|bool
- name: "Download the binary"
ansible.builtin.get_url:
url: "{{ gitea_dl_url }}"
dest: /usr/local/bin/gitea
owner: root
group: root
mode: 0755
force: true
notify: "Restart gitea"
when: (not gitea_version_check|bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version))
- include: create_user.yml
- name: "Create config and data directory"
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: '0755'
with_items:
- "/etc/gitea"
- name: "Create data directory"
file:
path: "{{ item }}"
state: directory
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: 'u=rwX,g=rX,o='
recurse: true
with_items:
- "{{ gitea_home }}"
- "{{ gitea_home }}/data"
- "{{ gitea_home }}/custom"
- "{{ gitea_home }}/custom/https"
- "{{ gitea_home }}/custom/mailer"
- "{{ gitea_home }}/indexers"
- "{{ gitea_home }}/log"
- "{{ gitea_repository_root }}"
- include: install_systemd.yml
when: ansible_service_mgr == "systemd"
- include_tasks: jwt_secrets.yml
- name: 'Install git'
ansible.builtin.package:
name: 'git'
state: 'present'
- name: "Configure gitea"
ansible.builtin.template:
src: gitea.ini.j2
dest: /etc/gitea/gitea.ini
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: 0600
notify: "Restart gitea"
- name: "Service gitea"
ansible.builtin.service:
name: gitea
state: started
enabled: true
when: ansible_service_mgr == "systemd"
- include: fail2ban.yml
when: gitea_fail2ban_enabled|bool

4
templates/fail2ban/filter.conf.j2 Normal file
View File

@ -0,0 +1,4 @@
# Managed by Ansible
[Definition]
failregex = .*Failed authentication attempt for .* from <HOST>
ignoreregex =

9
templates/fail2ban/jail.conf.j2 Normal file
View File

@ -0,0 +1,9 @@
[gitea]
enabled = true
port = http,https
filter = gitea
logpath = {{ gitea_home }}/log/gitea.log
maxretry = {{ gitea_fail2ban_jail_maxretry }}
findtime = {{ gitea_fail2ban_jail_findtime }}
bantime = {{ gitea_fail2ban_jail_bantime }}
action = {{ gitea_fail2ban_jail_action }}

198
templates/gitea.ini.j2 Normal file
View File

@ -0,0 +1,198 @@
; this file is the configuration of your local gitea instance
; {{ ansible_managed }}
;
; This file overwrites the default values from gitea.
; undefined variables will use the default value from gitea.
; Cheat Sheet: https://docs.gitea.io/en-us/config-cheat-sheet/
;
; App name that shows on every page title
APP_NAME = {{ gitea_app_name }}
; Change it if you run locally
RUN_USER = {{ gitea_user }}
; Either "dev", "prod" or "test", default is "dev"
RUN_MODE = prod
[repository]
ROOT = {{ gitea_repository_root }}
; Force every new repository to be private
FORCE_PRIVATE = {{ gitea_force_private | ternary('true', 'false') }}
; Global limit of repositories per user, applied at creation time. -1 means no limit
MAX_CREATION_LIMIT = {{ gitea_user_repo_limit }}
; Mirror sync queue length, increase if mirror syncing starts hanging
MIRROR_QUEUE_LENGTH = 1000
; Disable the ability to interact with repositories using the HTTP protocol
DISABLE_HTTP_GIT = {{ gitea_disable_http_git | ternary('true', 'false') }}
[ui]
; Whether the email of the user should be shown in the Explore Users page
SHOW_USER_EMAIL = {{ gitea_show_user_email | ternary('true', 'false') }}
THEMES = {{ gitea_themes }}
DEFAULT_THEME = {{ gitea_theme_default }}
[server]
; The protocol the server listens on. One of 'http', 'https', 'unix' or 'fcgi'.
PROTOCOL = {{ gitea_protocol }}
DOMAIN = {{ gitea_http_domain }}
ROOT_URL = {{ gitea_root_url }}
; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket.
HTTP_ADDR = {{ gitea_http_listen }}
HTTP_PORT = {{ gitea_http_port }}
; Disable SSH feature when not available
DISABLE_SSH = false
; Whether to use the builtin SSH server or not.
START_SSH_SERVER = {{ gitea_start_ssh | ternary('true', 'false') }}
; Domain name to be exposed in clone URL
SSH_DOMAIN = {{ gitea_ssh_domain }}
; The network interface the builtin SSH server should listen on
SSH_LISTEN_HOST = {{ gitea_ssh_listen }}
; Port number to be exposed in clone URL
SSH_PORT = {{ gitea_ssh_port }}
; The port number the builtin SSH server should listen on
SSH_LISTEN_PORT = %(SSH_PORT)s
; Disable CDN even in "prod" mode
OFFLINE_MODE = {{ gitea_offline_mode | ternary('true', 'false') }}
; Default path for App data
APP_DATA_PATH = {{ gitea_home }}/data
{% if gitea_lfs_server_enabled | bool -%}
;Enables git-lfs support.
LFS_START_SERVER = true
; Where to store LFS files.
LFS_CONTENT_PATH = {{ gitea_lfs_content_path }}
; LFS authentication secret
LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }}
LFS_CONTENT_PATH = {{ gitea_lfs_content_path }}
; if the LFS sotre is not offline/local
LFS_JWT_SECRET = {{ gitea_lfs_secret }}
OFFLINE_MODE = {{ gitea_lfs_mode }}
{% endif %}
[database]
; Either "mysql", "postgres", "mssql" or "sqlite3", it's your choice
DB_TYPE = {{ gitea_db_type }}
HOST = {{ gitea_db_host }}
NAME = {{ gitea_db_name }}
USER = {{ gitea_db_user }}
; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD = {{ gitea_db_password }}
; For Postgres, either "disable" (default), "require", "verify-ca" or "verify-full"
; For MySQL, either "false" (default), "true", or "skip-verify"
SSL_MODE = {{ gitea_db_ssl }}
; For "sqlite3" and "tidb", use an absolute path when you start gitea as service
PATH = {{ gitea_db_path }}
[indexer]
; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve
ISSUE_INDEXER_PATH = {{ gitea_home }}/indexers/issues.bleve
; Issue indexer queue, currently support: channel or levelqueue, default is levelqueue
ISSUE_INDEXER_QUEUE_TYPE = levelqueue
; When ISSUE_INDEXER_QUEUE_TYPE is levelqueue, this will be the queue will be saved path,
; default is indexers/issues.queue
ISSUE_INDEXER_QUEUE_DIR = {{ gitea_home }}/indexers/issues.queue
; repo indexer by default disabled, since it uses a lot of disk space
REPO_INDEXER_ENABLED = {{ gitea_repo_indexer_enabled }}
REPO_INDEXER_PATH = {{ gitea_home }}/indexers/repos.bleve
REPO_INDEXER_INCLUDE = {{ gitea_repo_indexer_include }}
REPO_INDEXER_EXCLUDE = {{ gitea_repo_indexer_exclude }}
REPO_INDEXER_EXCLUDE_VENDORED = {{ gitea_repo_exclude_vendored }}
MAX_FILE_SIZE = {{ gitea_repo_indexer_max_file_size }}
[security]
; Whether the installer is disabled
INSTALL_LOCK = true
; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!!
SECRET_KEY = {{ gitea_secret_key }}
INTERNAL_TOKEN = {{ gitea_internal_token }}
; How long to remember that an user is logged in before requiring relogin (in days)
LOGIN_REMEMBER_DAYS = 7
DISABLE_GIT_HOOKS = {{ gitea_disable_git_hooks | ternary('true', 'false') }}
[service]
; Disallow registration, only allow admins to create accounts.
DISABLE_REGISTRATION = {{ gitea_disable_registration }}
; User must sign in to view anything.
REQUIRE_SIGNIN_VIEW = {{ gitea_require_signin | ternary('true', 'false') }}
; Enable captcha validation for registration
ENABLE_CAPTCHA = {{ gitea_enable_captcha | ternary('true', 'false') }}
; Type of captcha you want to use. Options: image, recaptcha
CAPTCHA_TYPE = image
; Enable recaptcha to use Google's recaptcha service
; Go to https://www.google.com/recaptcha/admin to sign up for a key
RECAPTCHA_SECRET =
RECAPTCHA_SITEKEY =
; Show Registration button
SHOW_REGISTRATION_BUTTON = {{ gitea_show_registration_button }}
ALLOW_ONLY_EXTERNAL_REGISTRATION = {{ gitea_only_allow_external_registration }}
ENABLE_NOTIFY_MAIL = {{ gitea_enable_notify_mail }}
DEFAULT_EMAIL_NOTIFICATIONS = {{ gitea_mail_default }}
AUTO_WATCH_NEW_REPOS = {{ gitea_autowatch_new_repo }}
AUTO_WATCH_ON_CHANGES = {{ gitea_autowatch_on_change }}
SHOW_MILESTONES_DASHBOARD_PAGE = {{ gitea_show_mailstones_dashboard }}
[mailer]
ENABLED = {{ gitea_mailer_enabled | ternary('true', 'false') }}
; Mail server
; Gmail: smtp.gmail.com:587
; QQ: smtp.qq.com:465
; Note, if the port ends with "465", SMTPS will be used. Using STARTTLS on port 587 is recommended per RFC 6409. If the server supports STARTTLS it will always be used.
HOST = {{ gitea_mailer_host }}
; Do not verify the certificate of the server. Only use this for self-signed certificates
SKIP_VERIFY = {{ gitea_mailer_skip_verify }}
; Use client certificate
USE_CERTIFICATE = false
CERT_FILE = {{ gitea_home }}/custom/mailer/cert.pem
KEY_FILE = {{ gitea_home }}/custom/mailer/key.pem
; Should SMTP connection use TLS
IS_TLS_ENABLED = {{ gitea_mailer_tls_enabled | ternary('true', 'false') }}
; Mail from address, RFC 5322. This can be just an email address, or the `"Name" <email@example.com>` format
FROM = {{ gitea_mailer_from }}
; Mailer user name and password
USER = {{ gitea_mailer_user }}
; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD = {{ gitea_mailer_password }}
; Send mails as plain text
SEND_AS_PLAIN_TEXT = false
; Set Mailer Type (either SMTP, sendmail or dummy to just send to the log)
MAILER_TYPE = {{ gitea_mailer_type }}
; Specify an alternative sendmail binary
SENDMAIL_PATH = sendmail
[session]
; Either "memory", "file", or "redis", default is "memory"
PROVIDER = file
; Provider config options
; memory: doesn't have any config yet
; file: session file path, e.g. `data/sessions`
; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
PROVIDER_CONFIG = {{ gitea_home }}/data/sessions
[picture]
AVATAR_UPLOAD_PATH = {{ gitea_home }}/data/avatars
; This value will always be true in offline mode.
DISABLE_GRAVATAR = {{ gitea_disable_gravatar | ternary('true', 'false') }}
[attachment]
; Whether attachments are enabled. Defaults to `true`
ENABLED = true
; Path for attachments. Defaults to `data/attachments`
PATH = {{ gitea_home }}/data/attachments
[log]
ROOT_PATH = {{ gitea_home }}/log
; Either "console", "file", "conn", "smtp" or "database", default is "console"
; Use comma to separate multiple modes, e.g. "console, file"
MODE = file
; Buffer length of the channel, keep it as it is if you don't know what it is.
BUFFER_LEN = 10000
; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace"
LEVEL = {{ gitea_log_level }}
REDIRECT_MACARON_LOG = false
[oauth2]
ENABLE = {{ gitea_oauth2_enabled }}
JWT_SECRET = {{ gitea_oauth2_jwt_secret }}
[metrics]
ENABLED = {{ gitea_metrics_enabled }}
TOKEN = {{ gitea_metrics_token }}
{{ gitea_extra_config }}

16
templates/gitea.service.j2 Normal file
View File

@ -0,0 +1,16 @@
[Unit]
Description=Gitea git server
After=network.target
[Service]
User={{ gitea_user }}
Group={{ gitea_group }}
ExecStart=/usr/local/bin/gitea web -c /etc/gitea/gitea.ini
Restart=on-failure
WorkingDirectory={{ gitea_home }}
{% if gitea_systemd_cap_net_bind_service %}
AmbientCapabilities=CAP_NET_BIND_SERVICE
{% endif %}
[Install]
WantedBy=multi-user.target

5
vars/debian.yml Normal file
View File

@ -0,0 +1,5 @@
---
gitea_dependencies:
- git
- gnupg2
- xz-utils

10
vars/main.yml Normal file
View File

@ -0,0 +1,10 @@
---
gitea_go_arch_map:
i386: '386'
x86_64: 'amd64'
aarch64: 'arm64'
armv7l: 'arm-6'
armv6l: 'arm-6'
armv5l: 'arm-5'
gitea_arch: "{{ gitea_go_arch_map[ansible_architecture] | default(ansible_architecture) }}"

5
vars/redhat.yml Normal file
View File

@ -0,0 +1,5 @@
---
gitea_dependencies:
- git
- gnupg2
- xz