.

2023-12-08 12:44:32 +01:00
commit 14409872b6
24 changed files with 1071 additions and 0 deletions
--- a/tasks/backup.yml
+++ b/tasks/backup.yml
@@ -0,0 +1,30 @@
+---
+- name: Get service facts
+  service_facts:
+
+- block:
+    - name: Stopping gitea before upgrade
+      service:
+        name: gitea
+        state: stopped
+
+    - name: "Create backup directory"
+      file:
+        path: "{{ item }}"
+        state: directory
+        owner: "{{ gitea_user }}"
+        group: "{{ gitea_group }}"
+        mode: 'u=rwx,g=rx,o='
+      with_items:
+        - "{{ gitea_backup_location }}"
+
+    - name: Backing up gitea before upgrade
+      command:
+        cmd: "/usr/local/bin/gitea dump -c /etc/gitea/gitea.ini"
+        chdir: "{{ gitea_backup_location }}"
+      become: true
+      become_user: "{{ gitea_user }}"
+  when:
+    - ansible_facts.services["gitea.service"] is defined
+    - ansible_facts.services["gitea.service"].state == "running"
+    - gitea_active_version.stdout != gitea_version
--- a/tasks/create_user.yml
+++ b/tasks/create_user.yml
@@ -0,0 +1,14 @@
+---
+- name: "Create Gitea Group"
+  group:
+    name: "{{ gitea_group }}"
+    system: true
+    state: "present"
+
+- name: "Create Gitea user"
+  ansible.builtin.user:
+    name: "{{ gitea_user }}"
+    comment: "Gitea user"
+    home: "{{ gitea_home }}"
+    shell: "{{ gitea_shell }}"
+    system: true
--- a/tasks/fail2ban.yml
+++ b/tasks/fail2ban.yml
@@ -0,0 +1,26 @@
+---
+- name: Install fail2ban filter
+  ansible.builtin.template:
+    src: fail2ban/filter.conf.j2
+    dest: /etc/fail2ban/filter.d/gitea.conf
+    owner: root
+    group: root
+    mode: 0444
+  notify: Restart fail2ban
+  when: "'fail2ban' in ansible_facts.packages"
+
+- name: Install fail2ban jail
+  ansible.builtin.template:
+    src: fail2ban/jail.conf.j2
+    dest: /etc/fail2ban/jail.d/gitea.conf
+    owner: root
+    group: root
+    mode: 0444
+  notify: Restart fail2ban
+  when: "'fail2ban' in ansible_facts.packages"
+
+- name: warn if fail2ban is not installed
+  ansible.builtin.fail:
+    msg: "the package fail2ban is not installed. no fail2ban filters deployed."
+  when: "'fail2ban' not in ansible_facts.packages"
+  ignore_errors: true
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -0,0 +1,71 @@
+---
+- block:
+    - name: Update apt cache
+      apt:
+        cache_valid_time: 3600
+        update_cache: true
+      register: _pre_update_apt_cache
+      until: _pre_update_apt_cache is succeeded
+      when:
+        - ansible_pkg_mgr == "apt"
+
+    - name: Install dependencies
+      package:
+        name: "{{ gitea_dependencies }}"
+        state: present
+      register: _install_dep_packages
+      until: _install_dep_packages is succeeded
+      retries: 5
+      delay: 2
+
+- block:
+    - name: Download gitea archive
+      get_url:
+        url: "{{ gitea_dl_url }}.xz"
+        dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
+        checksum: "sha256:{{ gitea_dl_url }}.xz.sha256"
+      register: _download_archive
+      until: _download_archive is succeeded
+      retries: 5
+      delay: 2
+
+    - name: Download gitea asc file
+      get_url:
+        url: "{{ gitea_dl_url }}.xz.asc"
+        dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc"
+      register: _download_asc
+      until: _download_asc is succeeded
+      retries: 5
+      delay: 2
+
+    - name: Check gitea gpg key
+      command: "gpg --list-keys 0x{{ gitea_gpg_key }}"
+      register: _gitea_gpg_key_status
+      changed_when: false
+      failed_when: _gitea_gpg_key_status.rc not in (0, 2)
+
+    - name: Import gitea gpg key
+      command: "gpg --keyserver {{ gitea_gpg_server }} --recv {{ gitea_gpg_key }}"
+      register: _gitea_import_key
+      changed_when: '"imported: 1" in _gitea_import_key.stderr'
+      when: _gitea_gpg_key_status.rc != 0
+
+    - name: Check archive signature
+      command: "gpg --verify /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
+      changed_when: false
+
+    - name: Unpack gitea binary
+      command:
+        cmd: "xz -k -d /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
+        creates: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}"
+
+    - name: Propagate gitea binary
+      copy:
+        src: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}"
+        remote_src: true
+        dest: "/usr/local/bin/gitea"
+        mode: 0755
+        owner: root
+        group: root
+      notify: "Restart gitea"
+  when: (not gitea_version_check|bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version))
--- a/tasks/install_systemd.yml
+++ b/tasks/install_systemd.yml
@@ -0,0 +1,17 @@
+---
+- name: "Setup systemd service"
+  ansible.builtin.template:
+    src: gitea.service.j2
+    dest: /lib/systemd/system/gitea.service
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - "Reload systemd"
+    - "Restart gitea"
+
+# systemd to be reloaded the first time because
+#  it is the only way Systemd is going to be aware of the new unit file.
+- name: "Reload systemd"
+  ansible.builtin.systemd:
+    daemon_reload: true
--- a/tasks/jwt_secrets.yml
+++ b/tasks/jwt_secrets.yml
@@ -0,0 +1,38 @@
+---
+- name: generate OAuth2 JWT_SECRET if not provided
+  become: true
+  shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_oauth_jwt_secret'
+  args:
+    creates: '/etc/gitea/gitea_oauth_jwt_secret'
+  when: gitea_oauth2_jwt_secret | length == 0
+
+- name: read OAuth2 JWT_SECRET from file
+  become: true
+  slurp:
+    src: '/etc/gitea/gitea_oauth_jwt_secret'
+  register: oauth_jwt_secret
+  when: gitea_oauth2_jwt_secret | length == 0
+
+- name: set fact gitea_oauth2_jwt_secret
+  set_fact:
+    gitea_oauth2_jwt_secret: "{{ oauth_jwt_secret['content'] | b64decode }}"
+  when: gitea_oauth2_jwt_secret | length == 0
+
+- name: generate LFS JWT_SECRET if not provided
+  become: true
+  shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_lfs_jwt_secret'
+  args:
+    creates: '/etc/gitea/gitea_lfs_jwt_secret'
+  when: gitea_lfs_jwt_secret | length == 0
+
+- name: read LFS JWT_SECRET from file
+  become: true
+  slurp:
+    src: '/etc/gitea/gitea_lfs_jwt_secret'
+  register: lfs_jwt_secret
+  when: gitea_lfs_jwt_secret | length == 0
+
+- name: set fact gitea_lfs_jwt_secret
+  set_fact:
+    gitea_lfs_jwt_secret: "{{ lfs_jwt_secret['content'] | b64decode }}"
+  when: gitea_lfs_jwt_secret | length == 0
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,91 @@
+---
+- name: Gather variables for each operating system
+  include_vars: "{{ item }}"
+  with_first_found:
+    - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
+    - "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
+    - "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
+    - "{{ ansible_distribution | lower }}.yml"
+    - "{{ ansible_os_family | lower }}.yml"
+
+- name: Gather installed packages for checks in the role (fail2ban)
+  ansible.builtin.package_facts:
+    manager: auto
+
+- name: "Check gitea version"
+  ansible.builtin.shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3"
+  args:
+    executable: /bin/bash
+  register: gitea_active_version
+  changed_when: false
+  failed_when: false
+  when: gitea_version_check|bool
+
+- name: "Download the binary"
+  ansible.builtin.get_url:
+    url: "{{ gitea_dl_url }}"
+    dest: /usr/local/bin/gitea
+    owner: root
+    group: root
+    mode: 0755
+    force: true
+  notify: "Restart gitea"
+  when: (not gitea_version_check|bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version))
+
+- include: create_user.yml
+
+- name: "Create config and data directory"
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    mode: '0755'
+  with_items:
+    - "/etc/gitea"
+
+- name: "Create data directory"
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    mode: 'u=rwX,g=rX,o='
+    recurse: true
+  with_items:
+    - "{{ gitea_home }}"
+    - "{{ gitea_home }}/data"
+    - "{{ gitea_home }}/custom"
+    - "{{ gitea_home }}/custom/https"
+    - "{{ gitea_home }}/custom/mailer"
+    - "{{ gitea_home }}/indexers"
+    - "{{ gitea_home }}/log"
+    - "{{ gitea_repository_root }}"
+
+- include: install_systemd.yml
+  when: ansible_service_mgr == "systemd"
+
+- include_tasks: jwt_secrets.yml
+- name: 'Install git'
+  ansible.builtin.package:
+    name: 'git'
+    state: 'present'
+
+- name: "Configure gitea"
+  ansible.builtin.template:
+    src: gitea.ini.j2
+    dest: /etc/gitea/gitea.ini
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    mode: 0600
+  notify: "Restart gitea"
+
+- name: "Service gitea"
+  ansible.builtin.service:
+    name: gitea
+    state: started
+    enabled: true
+  when: ansible_service_mgr == "systemd"
+
+- include: fail2ban.yml
+  when: gitea_fail2ban_enabled|bool