ansible/ansible_role_gitea
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

.

Browse Source
This commit is contained in:
Bastian Epting 2023-12-08 12:38:53 +01:00
commit a986b486ca
34 changed files with 1999 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
LICENSE Normal file
View File

@ -0,0 +1,31 @@
BSD 3-Clause License
Copyright (c) 2019 - today L3D <l3d@c3woc.de>
Copyright (c) 2019 - 2021 Thomas Maurice
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

401
README.md Normal file
View File

@ -0,0 +1,401 @@
[![Ansible Galaxy](https://ansible.l3d.space/svg/l3d.gitea.svg)](https://galaxy.ansible.com/ui/standalone/roles/l3d/gitea/)
[![BSD-3 Clause](https://ansible.l3d.space/svg/l3d.gitea_license.svg)](LICENSE)
[![Maintainance](https://ansible.l3d.space/svg/l3d.gitea_maintainance.svg)](https://ansible.l3d.space/#l3d.gitea)
ansible role gitea/forgejo
============================
This role installs and manages [gitea](https://gitea.io) or [forgejo](https://forgejo.org). A painless self-hosted Git service. Gitea is a community managed lightweight code hosting solution written in Go. Forgejo is a fork of it.
[Source code & screenshots gitea](https://github.com/go-gitea/gitea).
[Source code forgejo](https://codeberg.org/forgejo/forgejo).
This role is also Part of the Ansible-Collection [l3d.git](https://galaxy.ansible.com/l3d/git). [![l3d.git](https://ansible.l3d.space/svg/l3d.git_ansible-collection_collection.svg)](https://github.com/roles-ansible/ansible_collection_git.git).
## Sample Usage in a playbook
The following code has been tested with the latest Debian Stable, it should work on Ubuntu and RedHat as well.
```yaml
# ansible-galaxy role install l3d.gitea
- name: "Install gitea"
hosts: git.example.com
roles:
- {role: l3d.gitea, tags: gitea}
vars:
# Here we assume we are behind a reverse proxy that will
# handle https for us, so we bind on localhost:3000 using HTTP
# see https://docs.gitea.io/en-us/reverse-proxies/#nginx
gitea_fqdn: 'git.example.com'
gitea_root_url: 'https://git.example.com'
gitea_protocol: http
gitea_start_ssh: true
```
Variables
-----------
Here is a deeper insight into the variables of this gitea role. For the exact function of some variables and the possibility to add more options we recommend a look at this [config cheat sheet](https://docs.gitea.com/administration/config-cheat-sheet).
### Chose between gitea and forgejo
There is a fork of gitea called forgejo. Why? Read the [forgejo FAQ](https://forgejo.org/faq/).
You have the option to choose between [gitea](https://gitea.io) and [forgejo](https://forgejo.org) by modifying the ``gitea_fork`` variable.
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_fork` | `gitea` | optional choose to install forgejo instead of gitea by setting this value to `forgejo`. |
### gitea update mechanism
To determine which gitea version to install, you can choose between two variants.
Either you define exactly which release you install. Or you use the option ``latest`` to always install the latest release from the [gitea releases](https://github.com/go-gitea/gitea/releases/latest).
### gitea update
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_version` | `latest` | Define either the exact release to install *(eg. `1.16.0`)* or use ``latest`` *(default)* to install the latest release. |
| `gitea_version_check` | `true` | Check if installed version != `gitea_version` before initiating binary download |
| `gitea_gpg_key` | `7C9E68152594688862D62AF62D9AE806EC1592E2` | the gpg key the gitea binary is signed with |
| `gitea_forgejo_gpg_key` | `EB114F5E6C0DC2BCDD183550A4B61A2DC5923710` | the gpg key the forgejo binary is signed with |
| `gitea_gpg_server` | `hkps://keys.openpgp.org` | A gpg key server where this role can download the gpg key |
| `gitea_backup_on_upgrade` | `false` | Optionally a backup can be created with every update of gitea. |
| `gitea_backup_location` | `{{ gitea_home }}/backups/` | Where to store the gitea backup if one is created with this role. |
| `submodules_versioncheck` | `false` | a simple version check that can prevent you from accidentally running an older version of this role. *(recomended)* |
### gitea in the linux world
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_group` | `gitea` | Primary UNIX group used by Gitea |
| `gitea_groups` | null | Optionally a list of secondary UNIX groups used by Gitea |
| `gitea_home` | `/var/lib/gitea` | Base directory to work |
| `gitea_user_home` | `{{ gitea_home }}` | home of gitea user |
| `gitea_executable_path` | `/usr/local/bin/gitea` | Path for gitea executable |
| `gitea_forgejo_executable_path` | `/usr/local/bin/forgejo` | Path for forgejo executable |
| `gitea_configuration_path` | `/etc/gitea` | Where to put the gitea.ini config |
| `gitea_shell` | `/bin/false` | UNIX shell used by gitea. Set it to `/bin/bash` if you don't use the gitea built-in ssh server. |
| `gitea_systemd_cap_net_bind_service` | `false` | Adds `AmbientCapabilities=CAP_NET_BIND_SERVICE` to systemd service file |
### Overall ([DEFAULT](https://docs.gitea.com/administration/config-cheat-sheet#overall-default))
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_app_name` | `Gitea` | Displayed application name |
| `gitea_user` | `gitea ` | UNIX user used by Gitea |
| `gitea_run_mode`| `prod`| Application run mode, affects performance and debugging. Either “dev”, “prod” or “test”. |
| `gitea_fqdn` | `localhost` | Base FQDN for the installation, used as default for other variables. Set it to the FQDN where you can reach your gitea server |
### Repository ([repository](https://docs.gitea.com/administration/config-cheat-sheet#repository-repository))
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_default_branch` | `main` | Default branch name of all repositories. |
| `gitea_default_private` | `last` | Default private when creating a new repository. [`last`, `private`, `public`] |
| `gitea_default_repo_units` | *(see defaults)* | Comma separated list of default repo units. See official docs for more |
| `gitea_disabled_repo_units` | | Comma separated list of globally disabled repo units. |
| `gitea_disable_http_git` | `false` | Disable the ability to interact with repositories over the HTTP protocol. (true/false) |
| `gitea_disable_stars` | `false` | Disable stars feature. |
| `gitea_enable_push_create_org` | `false` | Allow users to push local repositories to Gitea and have them automatically created for an org. |
| `gitea_enable_push_create_user` | `false` | Allow users to push local repositories to Gitea and have them automatically created for an user. |
| `gitea_force_private` | `false` | Force every new repository to be private. |
| `gitea_user_repo_limit` | `-1` | Limit how many repos a user can have *(`-1` for unlimited)* |
| `gitea_repository_root` | `{{ gitea_home }}/repos` | Root path for storing all repository data. It must be an absolute path. |
| `gitea_repository_extra_config` | | you can use this variable to pass additional config parameters in the `[repository]` section of the config. |
### Repository - Upload ([repository.upload](https://docs.gitea.io/en-us/administration/config-cheat-sheet#repository---upload-repositoryupload))
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_repository_upload_enabled` | `true` | Whether repository file uploads are enabled |
| `gitea_repository_upload_max_size` | `4` | Max size of each file in megabytes. |
| `gitea_repository_upload_extra_config` | | you can use this variable to pass additional config parameters in the `[repository.upload]` section of the config. |
### Repository - Signing ([repository.signing](https://docs.gitea.com/administration/config-cheat-sheet#repository---signing-repositorysigning))
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_enable_repo_signing_options` | `false` | Allow to configure repo signing options |
| `gitea_repo_signing_key` | `default` | Key to sign with. |
| `gitea_repo_signing_name` | | if a KEYID is provided as the `gitea_repo_signing_key`, use these as the Name and Email address of the signer. |
| `gitea_repo_signing_email` | | if a KEYID is provided as the `gitea_repo_signing_key`, use these as the Name and Email address of the signer. |
| `gitea_repo_initial_commit` | `always` | Sign initial commit. |
| `gitea_repo_default_trust_model` | `collaborator` | The default trust model used for verifying commits. |
| `gitea_repo_wiki` | `never` | Sign commits to wiki. |
| `gitea_repo_crud_actions` | *(see defaults)* | Sign CRUD actions. |
| `gitea_repo_merges` | *(see defaults)* | Sign merges. |
| `gitea_enable_repo_signing_extra` | | you can use this variable to pass additional config parameters in the `[repository.signing]` section of the config. |
### CORS ([cors](https://docs.gitea.com/administration/config-cheat-sheet#cors-cors))
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_enable_cors` | `false` | enable cors headers (disabled by default) |
| `gitea_cors_scheme` | `http` | scheme of allowed requests |
| `gitea_cors_allow_domain` | `*` | list of requesting domains that are allowed |
| `gitea_cors_allow_subdomain` | `false` |allow subdomains of headers listed above to request |
| `gitea_cors_methods` | *(see defaults)* | list of methods allowed to request |
| `gitea_cors_max_age` | `10m` | max time to cache response |
| `gitea_cors_allow_credentials` | `false` | allow request with credentials |
| `gitea_cors_headers` | `Content-Type,User-Agent` | additional headers that are permitted in requests |
| `gitea_cors_x_frame_options` | `SAMEORIGIN` | Set the `X-Frame-Options` header value. |
| `gitea_cors_extra` | | you can use this variable to pass additional config parameters in the `[cors]` section of the config. |
### UI ([ui](https://docs.gitea.com/administration/config-cheat-sheet#ui-ui))
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_show_user_email` | `false` | Do you want to display email addresses ? (true/false) |
| `gitea_theme_default` | `auto` | Default theme |
| `gitea_themes` | `auto,gitea,arc-green` | List of enabled themes |
| `gitea_ui_extra_config` | | you can use this variable to pass additional config parameters in the `[ui]` section of the config. |
### UI - Meta ([ui.meta](https://docs.gitea.com/administration/config-cheat-sheet#ui---metadata-uimeta))
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_ui_author` | *(see defaults)* | Author meta tag of the homepage. |
| `gitea_ui_description` | *(see defaults)* | Description meta tag of the homepage. |
| `gitea_ui_keywords` | *(see defaults)* | Keywords meta tag of the homepage |
| `gitea_ui_meta_extra_config` | | you can use this variable to pass additional config parameters in the `[ui.meta]` section of the config. |
### Server ([server](https://docs.gitea.com/administration/config-cheat-sheet#server-server))
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_protocol`| `http` | Listening protocol [http, https, fcgi, unix, fcgi+unix] |
| `gitea_http_domain` | `{{ gitea_fqdn }}` which is `localhost` | Domain name of this server. |
| `gitea_root_url` | `http://{{ gitea_fqdn }}:3000` | Root URL used to access your web app (full URL) |
| `gitea_http_listen` | `127.0.0.1` | HTTP listen address |
| `gitea_http_port` | `3000` | Bind port *(redirect from `80` will be activated if value is `443`)* |
| `gitea_start_ssh` | `true` | When enabled, use the built-in SSH server. |
| `gitea_ssh_domain` | `{{ gitea_fqdn }} ` | Domain name of this server, used for displayed clone URL |
| `gitea_ssh_port` | `2222` | SSH port displayed in clone URL. |
| `gitea_ssh_listen` | `0.0.0.0` | Listen address for the built-in SSH server. |
| `gitea_offline_mode` | `true` | Disables use of CDN for static files and Gravatar for profile pictures. (true/false) |
| `gitea_landing_page` | `home` | Landing page for unauthenticated users |
| `gitea_lfs_server_enabled` | `false` | Enable GIT-LFS Support *(git large file storage: [git-lfs](https://git-lfs.github.com/))*. |
| `gitea_lfs_jwt_secret` | | LFS authentication secret. Can be generated with ``gitea generate secret JWT_SECRET``. Will be autogenerated if not defined |
| `gitea_redirect_other_port` | `false` | If true and `gitea_protocol` is https, allows redirecting http requests on `gitea_port_to_redirect` to the https port Gitea listens on. |
| `gitea_port_to_redirect` | `80` | Port for the http redirection service to listen on, if enabled |
| `gitea_enable_tls_certs` | `false` | Write TLS Cert and Key Path to config file |
| `gitea_tls_cert_file` | `https/cert.pem` | Cert file path used for HTTPS. |
| `gitea_tls_key_file` | `https/key.pem` | Key file path used for HTTPS. |
| `gitea_enable_acme` | `false` | Flag to enable automatic certificate management via an ACME capable CA Server. *(default is letsencrypt)* |
| `gitea_acme_url` | | The CAs ACME directory URL |
| `gitea_acme_accepttos` | `false` | This is an explicit check that you accept the terms of service of the ACME provider. |
| `gitea_acme_directory` | `https` | Directory that the certificate manager will use to cache information such as certs and private keys. |
| `gitea_acme_email` | | Email used for the ACME registration |
| `gitea_acme_ca_root` | | The CAs root certificate. If left empty, it defaults to using the systems trust chain. |
| `gitea_server_extra_config` | | you can use this variable to pass additional config parameters in the `[server]` section of the config. |
### Database ([database](https://docs.gitea.com/administration/config-cheat-sheet#database-database))
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_db_type` | `sqlite3` | The database type in use `[mysql, postgres, mssql, sqlite3]`. |
| `gitea_db_host` | `127.0.0.0:3306` | Database host address and port or absolute path for unix socket [mysql, postgres] (ex: `/var/run/mysqld/mysqld.sock`). |
| `gitea_db_name` | `root` | Database name |
| `gitea_db_user` | `gitea` | Database username |
| `gitea_db_password` | `lel` | Database password. **PLEASE CHANGE** |
| `gitea_db_ssl` | `disable` | Configure SSL only if your database type supports it. Have a look into the [config-cheat-sheet](https://docs.gitea.com/administration/config-cheat-sheet#database-database) for more detailed information |
| `gitea_db_path` | `{{ gitea_home }}/data/gitea.db` | DB path, if you use `sqlite3`. |
| `gitea_db_log_sql` | `false` | Log the executed SQL. |
| `gitea_database_extra_config` | | you can use this variable to pass additional config parameters in the `[database]` section of the config. |
### Indexer ([indexer](https://docs.gitea.com/administration/config-cheat-sheet#indexer-indexer))
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_repo_indexer_enabled` | `false` | Enables code search *(uses a lot of disk space, about 6 times more than the repository size).* |
| `gitea_repo_indexer_include` | |Glob patterns to include in the index *(comma-separated list)*. An empty list means include all files. |
| `gitea_repo_indexer_exclude` | | Glob patterns to exclude from the index (comma-separated list). |
| `gitea_repo_exclude_vendored` | `true` | Exclude vendored files from index. |
| `gitea_repo_indexer_max_file_size` | `1048576` | Maximum size in bytes of files to be indexed. |
| `gitea_indexer_extra_config` | | you can use this variable to pass additional config parameters in the `[indexer]` section of the config. |
| `gitea_queue_issue_indexer_extra_config` | | | you can use this variable to pass additional config parameters in the `[queue.issue_indexer]` section of the config. |
### Security ([security](https://docs.gitea.com/administration/config-cheat-sheet#security-security))
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_secret_key` | | Global secret key. Will be autogenerated if not defined. Should be unique. |
| `gitea_disable_git_hooks` | `true` | Set to false to enable users with git hook privilege to create custom git hooks. Can be dangerous. |
| `gitea_disable_webhooks` | `false` | Set to true to disable webhooks feature. |
| `gitea_internal_token` | | Internal API token. Will be autogenerated if not defined. Should be unique. |
| `gitea_password_check_pwn` | `false` | Check [HaveIBeenPwned](https://haveibeenpwned.com/Passwords) to see if a password has been exposed. |
| `gitea_security_extra_config` | | you can use this variable to pass additional config parameters in the `[security]` section of the config. |
### Service ([service](https://docs.gitea.com/administration/config-cheat-sheet#service-service))
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_disable_registration` | `false` | Do you want to disable user registration? (true/false) |
| `gitea_register_email_confirm` | `false` | Enable this to ask for mail confirmation of registration. Requires `gitea_mailer_enabled` to be enabled. |
| `gitea_require_signin` | `true` | Do you require a signin to see repo's (even public ones)? (true/false)|
| `gitea_default_keep_mail_private` | `true` | By default set users to keep their email address privat |
| `gitea_enable_captcha` | `true` | Do you want to enable captcha's ? (true/false)|
| `gitea_show_registration_button` | `true` | Here you can hide the registration button. This will not disable registration! (true/false)|
| `gitea_only_allow_external_registration` | `false` | Set to true to force registration only using third-party services (true/false) |
| `gitea_enable_notify_mail` | `false` | Enable this to send e-mail to watchers of a repository when something happens, like creating issues (true/false) |
| `gitea_auto_watch_new_repos` | `true` | Enable this to let all organisation users watch new repos when they are created (true/false) |
| `gitea_autowatch_on_change` | `true` | Enable this to make users watch a repository after their first commit to it (true/false) |
| `gitea_register_manual_confirm` | `false` | Enable this to manually confirm new registrations. Requires REGISTER_EMAIL_CONFIRM to be disabled. |
| `gitea_default_allow_create_organization` | `true` | Allow new users to create organizations by default (true/false) |
| `gitea_email_domain_allowlist` | | If non-empty, comma separated list of domain names that can only be used to register on this instance, wildcard is supported. |
| `gitea_default_user_visibility` | `public` | Set default visibility mode for users, either "public", "limited" or "private". |
| `gitea_default_org_visibility` | `public` | Set default visibility mode for organisations, either "public", "limited" or "private". |
| `gitea_allow_only_internal_registration` | `false` | Set to true to force registration only via Gitea. |
| `gitea_allow_only_external_registration` | `false` | Set to true to force registration only using third-party services. |
| `gitea_show_milestones_dashboard_page` | `true` | Enable this to show the milestones dashboard page - a view of all the user's milestones |
| `gitea_default_user_is_restricted` | `false` | Give new users restricted permissions by default (true/false) |
| `gitea_service_extra_config` | | you can use this variable to pass additional config parameters in the `[service]` section of the config. |
### Mailer ([mailer](https://docs.gitea.com/administration/config-cheat-sheet#mailer-mailer))
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_mailer_enabled` | `false` | Whether to enable the mailer. |
| `gitea_mailer_protocol` | `dummy` |Mail server protocol. One of “smtp”, “smtps”, “smtp+starttls”, “smtp+unix”, “sendmail”, “dummy”.|
| `gitea_mailer_smtp_addr` | | Mail server address. e.g. smtp.gmail.com. For smtp+unix, this should be a path to a unix socket instead. |
| `gitea_mailer_smtp_port` | | Mail server port |
| `gitea_mailer_use_client_cert` | `false` | Use client certificate for TLS/SSL. |
| `gitea_mailer_client_cert_file` | | Client certificate file. |
| `gitea_mailer_client_key_file` | | Client key file. |
| `gitea_mailer_force_trust_server_cert` | `false` | completely ignores server certificate validation errors. This option is unsafe. Consider adding the certificate to the system trust store instead. |
| `gitea_mailer_user` | | Username of mailing user (usually the senders e-mail address). |
| `gitea_mailer_password ` | |Password of mailing user. Use `your password` for quoting if you use special characters in the password. |
| `gitea_mailer_enable_helo` | `true` |Enable HELO operation. |
| `gitea_mailer_from` | `noreply@{{ gitea_http_domain }}` | Mail from address, RFC 5322. |
| `gitea_subject_prefix` | |Prefix to be placed before e-mail subject lines. |
| `gitea_mailer_send_as_plaintext` | `false` | Send mails only in plain text, without HTML alternative. |
| `gitea_mailer_extra_config` | | you can use this variable to pass additional config parameters in the `[mailer]` section of the config. |
### Session ([session](https://docs.gitea.com/administration/config-cheat-sheet#session-session))
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_session_provider` | `file` | Session engine provider |
| `gitea_session_extra_config` | | you can use this variable to pass additional config parameters in the `[session]` section of the config. |
### Picture ([picture](https://docs.gitea.com/administration/config-cheat-sheet#picture-picture))
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_picture_extra_config` | | you can use this variable to pass additional config parameters in the `[picture]` section of the config. |
### Issue and pull request attachments ([attachment](https://docs.gitea.com/administration/config-cheat-sheet#issue-and-pull-request-attachments-attachment))
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `attachment_enabled` | `true` | Whether issue and pull request attachments are enabled. |
| `gitea_attachment_types` | see Docs | Comma-separated list of allowed file extensions (`.zip,.txt`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types. |
| `gitea_attachment_max_size` | `4` | Maximum size (MB). |
| `gitea_attachment_extra_config` | | you can use this variable to pass additional config parameters in the `[attachment]` section of the config. |
### Log ([log](https://docs.gitea.com/administration/config-cheat-sheet#log-log))
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_log_systemd` | `false` | Disable logging into `file`, use systemd-journald |
| `gitea_log_level` | `Warn` | General log level. `[Trace, Debug, Info, Warn, Error, Critical, Fatal, None]` |
| `gitea_log_extra_config` | | you can use this variable to pass additional config parameters in the `[log]` section of the config. |
### Metrics ([metrics](https://docs.gitea.com/administration/config-cheat-sheet#metrics-metrics))
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_metrics_enabled`| `false` | Enable the metrics endpoint |
| `gitea_metrics_token`| | Bearer token for the Prometheus scrape job |
| `gitea_metrics_extra` | | you can use this variable to pass additional config parameters in the `[metrics]` section of the config. |
### OAuth2 ([oauth2](https://docs.gitea.com/administration/config-cheat-sheet#oauth2-oauth2))
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_oauth2_enabled` | `true` | Enable the Oauth2 provider (true/false) |
| `gitea_oauth2_jwt_secret` | | Oauth2 JWT secret. Can be generated with ``gitea generate secret JWT_SECRET``. Will be autogenerated if not defined. |
| `gitea_oauth2_extra_config` | | you can use this variable to pass additional config parameters in the `[oauth2]` section of the config. |
### Federation ([federation](https://docs.gitea.com/administration/config-cheat-sheet#federation-federation))
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_federation_enabled` | `false` | Enable/Disable federation capabilities |
| `gitea_federation_share_user_stats` | `false` | Enable/Disable user statistics for nodeinfo if federation is enabled |
| `gitea_federation_extra` | | you can use this variable to pass additional config parameters in the `[federation]` section of the config. |
### Packages ([packages](https://docs.gitea.com/administration/config-cheat-sheet#packages-packages))
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_packages_enabled` | `true` | Enable/Disable package registry capabilities |
| `gitea_packages_extra` | |you can use this variable to pass additional config parameters in the `[packages]` section of the config. |
### LFS ([lfs](https://docs.gitea.com/administration/config-cheat-sheet#lfs-lfs))
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_lfs_storage_type` | `local` | Storage type for lfs |
| `gitea_lfs_serve_direct` | `false` | Allows the storage driver to redirect to authenticated URLs to serve files directly. *(only Minio/S3)* |
| `gitea_lfs_content_path` | `{{ gitea_home }}/data/lfs` | Where to store LFS files |
| `gitea_lfs_extra` | | you can use this variable to pass additional config parameters in the `[lfs]` section of the config. |
### Actions ([actions](https://docs.gitea.com/administration/config-cheat-sheet#actions-actions))
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_actions_enabled` | `false` | Enable/Disable actions capabilities globaly. You may want to add `repo.actions` to `gitea_default_repo_units` to enable actions on all new repositories |
| `gitea_actions_default_actions_url` | `https://gitea.com/` | Default address to get action plugins, e.g. the default value means downloading from `https://gitea.com/actions/checkout` for `uses: actions/checkout@v3` |
| `gitea_actions_extra` | | you can use this variable to pass additional config parameters in the `[actions]` section of the config. |
### Other ([other](https://docs.gitea.com/administration/config-cheat-sheet#other-other))
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_other_show_footer_version` | `true` | Show Gitea and Go version information in the footer. |
| `gitea_other_show_footer_template_load_time` | `true` | Show time of template execution in the footer. |
| `gitea_other_enable_sitemap` | `true` | Generate sitemap. |
| `gitea_other_enable_feed` | `true` | Enable/Disable RSS/Atom feed. |
### additional gitea config
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_extra_config` | | Additional gitea configuration. Have a look at the [config-cheat-sheet](https://docs.gitea.com/administration/config-cheat-sheet) before using it! |
### Fail2Ban configuration
If enabled, this will deploy a fail2ban filter and jail config for Gitea as described in the [Gitea Documentation](https://docs.gitea.io/en-us/fail2ban-setup/).
As this will only deploy config files, fail2ban already has to be installed or otherwise the role will fail.
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_fail2ban_enabled` | `false` | Whether to deploy the fail2ban config or not |
| `gitea_fail2ban_jail_maxretry` | `10` | fail2ban jail `maxretry` setting. |
| `gitea_fail2ban_jail_findtime` | `3600` | fail2ban jail `findtime` setting. |
| `gitea_fail2ban_jail_bantime` | `900` | fail2ban jail `bantime` setting. |
| `gitea_fail2ban_jail_action` | `iptables-allports` | fail2ban jail `action` setting. |
### optional customisation
You can optionally customize your gitea using this ansible role. We got our information about customisation from [docs.gitea.io/en-us/customizing-gitea](https://docs.gitea.io/en-us/customizing-gitea/).
To deploy multiple files we created the ``gitea_custom_search`` variable, that can point to the path where you put the custom gitea files *( default ``"files/host_files/{{ inventory_hostname }}/gitea"``)*.
+ **LOGO**:
- Set ``gitea_customize_logo`` to ``true``
- We search for:
* ``logo.svg`` - Used for favicon, site icon, app icon
* ``logo.png`` - Used for Open Graph
* ``favicon.png`` - Used as fallback for browsers that dont support SVG favicons
* ``apple-touch-icon.png`` - Used on iOS devices for bookmarks
- We search in *(using [first_found](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/first_found_lookup.html))*:
* ``{{ gitea_custom_search }}/gitea_logo/``
* ``files/{{ inventory_hostname }}/gitea_logo/``
* ``files/{{ gitea_http_domain }}/gitea_logo/``
* ``files/gitea_logo/``
+ **FOOTER**:
- Set ``gitea_customize_footer`` to ``true``
- We Search using first_found in:
* "{{ gitea_custom_search }}/gitea_footer/extra_links_footer.tmpl"
* "files/{{ inventory_hostname }}/gitea_footer/extra_links_footer.tmpl"
* "files/{{ gitea_http_domain }}/gitea_footer/extra_links_footer.tmpl"
* 'files/gitea_footer/extra_links_footer.tmpl'
* 'files/extra_links_footer.tmpl'
+ **CUSTOM FILES**:
- Set ``gitea_customize_files`` to ``true``
- Create a directory with the files you want to deploy.
- Point ``gitea_customize_files_path`` to this directory. *(Default ``{{ gitea_custom_search }}/gitea_files/``)*
## Requirements
This role uses the ``ansible.builtin`` and ``community.general`` ansible Collections. To download the latest forgejo/gitea release we use json_query. This requires ``jmespath`` to be available.
### Python packages
+ jmespath
### Galaxy Collections
+ community.general
### Example requirements Installation
```
ansible-galaxy collection install --update --role-file requirements.yml
pip3 install --update jmespath
```
## Contribute
Don't hesitate to create a pull request, and if in doubt you can reach me at
Mastodon [@l3d@chaos.social](https://chaos.social/@l3d).
I'll be happy to fix any issues you raise, or even better, review your pull requests :)
## History of this role
this ansible role was originally developed on [github.com/thomas-maurice/ansible-role-gitea](https://github.com/thomas-maurice/ansible-role-gitea.git). Since the role there has some problems like default values for the location of the gitea repositories and the merging of pull requests usually takes several months, a fork of the role was created that offers the same. Only tidier and with the claim to react faster to issues and pull requests. It is now Part of the [l3d.git](https://galaxy.ansible.com/l3d/git) Collection too.

277
defaults/main.yml Normal file
View File

@ -0,0 +1,277 @@
---
# Choose between https://forgejo.org/ and https://gitea.io/
gitea_fork: 'gitea' # 'gitea' and 'forgejo' are valid options
# gitea version
# Use 'latest' to auto-update; upgrading past role version may lead to errors.
gitea_version: 'latest'
gitea_version_check: true
gitea_gpg_key: '7C9E68152594688862D62AF62D9AE806EC1592E2'
gitea_forgejo_gpg_key: 'EB114F5E6C0DC2BCDD183550A4B61A2DC5923710'
gitea_gpg_server: 'hkps://keys.openpgp.org'
gitea_gpg_keyserver_option: ''
gitea_backup_on_upgrade: false
gitea_backup_location: "{{ gitea_home }}/backups/"
submodules_versioncheck: false
# gitea in the linux world
gitea_group: 'gitea'
# gitea_groups: [] # Optional a list of groups user gitea will be added to
gitea_home: '/var/lib/gitea'
gitea_user_home: '{{ gitea_home }}'
gitea_executable_path: '/usr/local/bin/gitea'
gitea_forgejo_executable_path: '/usr/local/bin/forgejo'
gitea_configuration_path: '/etc/gitea'
gitea_shell: '/bin/false'
gitea_systemd_cap_net_bind_service: false
# Overall (DEFAULT)
# -> https://docs.gitea.io/en-us/config-cheat-sheet/#overall-default
gitea_app_name: 'Gitea'
gitea_user: 'gitea'
gitea_run_mode: 'prod'
gitea_fqdn: 'localhost'
# Repository (repository)
# -> https://docs.gitea.io/en-us/config-cheat-sheet/#repository-repository
gitea_default_branch: 'main'
gitea_default_private: 'last'
gitea_default_repo_units: 'repo.code,repo.releases,repo.issues,repo.pulls,repo.wiki,repo.projects'
gitea_disabled_repo_units: ''
gitea_disable_http_git: false
gitea_disable_stars: false
gitea_enable_push_create_org: false
gitea_enable_push_create_user: false
gitea_force_private: false
gitea_user_repo_limit: '-1'
gitea_repository_root: "{{ gitea_home }}/repos"
gitea_repository_extra_config: ''
# Repository - Upload (repository.upload)
# -> https://docs.gitea.io/en-us/administration/config-cheat-sheet/#repository---upload-repositoryupload
gitea_repository_upload_enabled: true
gitea_repository_upload_max_size: 4
gitea_repository_upload_extra_config: ''
# Repository - Signing (repository.signing)
# -> https://docs.gitea.io/en-us/config-cheat-sheet/#repository---signing-repositorysigning
gitea_enable_repo_signing_options: false
gitea_repo_signing_key: 'default'
gitea_repo_signing_name: ''
gitea_repo_signing_email: ''
gitea_repo_initial_commit: 'always'
gitea_repo_default_trust_model: 'collaborator'
gitea_repo_wiki: 'never'
gitea_repo_crud_actions: 'pubkey, twofa, parentsigned'
gitea_repo_merges: ' pubkey, twofa, basesigned, commitssigned'
gitea_enable_repo_signing_extra: ''
# CORS (cors)
# -> https://docs.gitea.io/en-us/config-cheat-sheet/#cors-cors
gitea_enable_cors: false
gitea_cors_scheme: 'http'
gitea_cors_allow_domain: '*'
gitea_cors_allow_subdomain: false
gitea_cors_methods: 'GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS'
gitea_cors_max_age: '10m'
gitea_cors_allow_credentials: false
gitea_cors_headers: 'Content-Type,User-Agent'
gitea_cors_x_frame_options: 'SAMEORIGIN'
gitea_cors_extra: ''
# UI (ui)
# -> https://docs.gitea.io/en-us/config-cheat-sheet/#ui-ui
gitea_show_user_email: false
gitea_theme_default: 'auto'
gitea_themes: 'auto,gitea,arc-green'
gitea_ui_extra_config: ''
# UI - Metadata (ui.meta)
# -> https://docs.gitea.io/en-us/config-cheat-sheet/#ui---metadata-uimeta
gitea_ui_author: 'Gitea - Git with a cup of tea'
gitea_ui_description: 'Gitea (Git with a cup of tea) is a painless self-hosted Git service written in Go:'
gitea_ui_keywords: 'go,git,self-hosted,gitea,forgejo'
gitea_ui_meta_extra_config: ''
# Server (server)
# -> https://docs.gitea.io/en-us/config-cheat-sheet/#server-server
gitea_protocol: 'http'
gitea_http_domain: "{{ gitea_fqdn }}"
gitea_root_url: "http://{{ gitea_fqdn }}:3000"
gitea_http_listen: '127.0.0.1'
gitea_http_port: '3000'
gitea_start_ssh: true
gitea_ssh_domain: "{{ gitea_fqdn }}"
gitea_ssh_port: '2222'
gitea_ssh_listen: '0.0.0.0'
gitea_offline_mode: true
gitea_landing_page: 'home'
gitea_lfs_server_enabled: false
gitea_lfs_jwt_secret: ''
gitea_redirect_other_port: false
gitea_port_to_redirect: '80'
gitea_enable_tls_certs: false
gitea_tls_cert_file: 'https/cert.pem'
gitea_tls_key_file: 'https/key.pem'
gitea_enable_acme: false
gitea_acme_url: ''
gitea_acme_accepttos: false
gitea_acme_directory: 'https'
gitea_acme_email: ''
gitea_acme_ca_root: ''
gitea_server_extra_config: ''
# Database (database)
# -> https://docs.gitea.io/en-us/config-cheat-sheet/#database-database
gitea_db_type: 'sqlite3'
gitea_db_host: '127.0.0.0:3306'
gitea_db_name: 'root'
gitea_db_user: 'gitea'
gitea_db_password: 'lel'
gitea_db_ssl: 'disable'
gitea_db_path: "{{ gitea_home }}/data/gitea.db"
gitea_db_log_sql: false
gitea_database_extra_config: ''
# Indexer (indexer)
# -> https://docs.gitea.io/en-us/config-cheat-sheet/#indexer-indexer
gitea_repo_indexer_enabled: false
gitea_repo_indexer_include: ''
gitea_repo_indexer_exclude: ''
gitea_repo_exclude_vendored: true
gitea_repo_indexer_max_file_size: '1048576'
gitea_indexer_extra_config: ''
gitea_queue_issue_indexer_extra_config: ''
# Security (security)
# -> https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
gitea_secret_key: ''
gitea_disable_git_hooks: true
gitea_disable_webhooks: false
gitea_internal_token: ''
gitea_password_check_pwn: false
gitea_security_extra_config: ''
# Service (service)
# -> https://docs.gitea.io/en-us/config-cheat-sheet/#service-service
gitea_disable_registration: false
gitea_register_email_confirm: false
gitea_register_manual_confirm: false
gitea_require_signin: true
gitea_default_keep_mail_private: true
gitea_enable_captcha: true
gitea_show_registration_button: true
gitea_only_allow_external_registration: false
gitea_enable_notify_mail: false
gitea_auto_watch_new_repos: true
gitea_autowatch_on_change: false
gitea_default_allow_create_organization: false
gitea_default_user_is_restricted: false
gitea_email_domain_allowlist: ""
gitea_default_user_visibility: public
gitea_default_org_visibility: public
gitea_allow_only_internal_registration: false
gitea_allow_only_external_registration: false
gitea_show_milestones_dashboard_page: true
gitea_service_extra_config: ''
# Mailer [mailer]
# -> https://docs.gitea.io/en-us/config-cheat-sheet/#mailer-mailer
gitea_mailer_enabled: false
gitea_mailer_protocol: 'dummy'
gitea_mailer_smtp_addr: ''
gitea_mailer_smtp_port: ''
gitea_mailer_use_client_cert: false
gitea_mailer_client_cert_file: ''
gitea_mailer_client_key_file: ''
gitea_mailer_force_trust_server_cert: false
gitea_mailer_user: ''
gitea_mailer_password: ''
gitea_mailer_enable_helo: true
gitea_mailer_from: "noreply@{{ gitea_http_domain }}"
gitea_subject_prefix: ''
gitea_mailer_send_as_plaintext: false
gitea_mailer_extra_config: ''
# Session (session)
# -> https://docs.gitea.io/en-us/config-cheat-sheet/#session-session
gitea_session_provider: 'file'
gitea_session_extra_config: ''
# Picture (picture)
# -> https://docs.gitea.io/en-us/config-cheat-sheet/#picture-picture
gitea_picture_extra_config: ''
# Issue and pull request attachments (attachment)
# -> https://docs.gitea.io/en-us/config-cheat-sheet/#issue-and-pull-request-attachments-attachment
gitea_attachment_enabled: true
gitea_attachment_types: '.csv,.docx,.fodg,.fodp,.fods,.fodt,.gif,.gz,.jpeg,.jpg,.log,.md,.mov,.mp4,.odf,.odg,.odp,.ods,.odt,.patch,.pdf,.png,.pptx,.svg,.tgz,.txt,.webm,.xls,.xlsx,.zip'
gitea_attachment_max_size: 4
gitea_attachment_extra_config: ''
# Log (log)
# -> https://docs.gitea.io/en-us/config-cheat-sheet/#log-log
gitea_log_systemd: false
gitea_log_level: 'Warn'
gitea_log_extra_config: ''
# Metrics (metrics)
# -> https://docs.gitea.io/en-us/config-cheat-sheet/#metrics-metrics
gitea_metrics_enabled: false
gitea_metrics_token: ''
gitea_metrics_extra: ''
# OAuth2 (oauth2)
# -> https://docs.gitea.io/en-us/config-cheat-sheet/#oauth2-oauth2
gitea_oauth2_enabled: true
gitea_oauth2_jwt_secret: ''
gitea_oauth2_extra_config: ''
# Federation (federation)
# -> https://docs.gitea.io/en-us/config-cheat-sheet/#federation-federation
gitea_federation_enabled: false
gitea_federation_share_user_stats: false
gitea_federation_extra: ''
# Packages (packages)
# -> https://docs.gitea.io/en-us/config-cheat-sheet/#packages-packages
gitea_packages_enabled: true
gitea_packages_extra: ''
# LFS (lfs)
# -> https://docs.gitea.io/en-us/config-cheat-sheet/#lfs-lfs
gitea_lfs_storage_type: 'local'
gitea_lfs_serve_direct: false
gitea_lfs_content_path: "{{ gitea_home }}/data/lfs"
gitea_lfs_extra: ''
# Actions (actions)
# -> https://docs.gitea.io/en-us/config-cheat-sheet/#actions-actions
gitea_actions_enabled: false
gitea_actions_default_actions_url: "https://gitea.com"
gitea_actions_extra: ''
# Other (other)
# -> https://docs.gitea.io/en-us/config-cheat-sheet/#other-other
gitea_other_show_footer_version: true
gitea_other_show_footer_template_load_time: true
gitea_other_enable_sitemap: true
gitea_other_enable_feed: true
# additional gitea config
gitea_extra_config: ""
# fail2ban
gitea_fail2ban_enabled: false
gitea_fail2ban_jail_maxretry: '10'
gitea_fail2ban_jail_findtime: '3600'
gitea_fail2ban_jail_bantime: '900'
gitea_fail2ban_jail_action: 'iptables-allports'
# gitea customisation
gitea_custom_search: "files/host_files/{{ inventory_hostname }}/gitea"
gitea_customize_logo: false
gitea_custom: "{{ gitea_home }}/custom"
gitea_customize_footer: false
gitea_customize_files: false
gitea_customize_files_path: "{{ gitea_custom_search }}/gitea_files"

2
files/extra_links_footer.tmpl Normal file
View File

@ -0,0 +1,2 @@
<a class="item" href="{{AppSubUrl}}/datenschutz.html">Datenschutz</a>
<a class="item" href="{{AppSubUrl}}/impressum.html">Impressum</a>

20
handlers/main.yml Normal file
View File

@ -0,0 +1,20 @@
---
- name: "Restart gitea"
become: true
ansible.builtin.service:
name: gitea
state: restarted
when: ansible_service_mgr == "systemd"
- name: "Reload systemd"
become: true
ansible.builtin.systemd:
daemon_reload: true
when: ansible_service_mgr == "systemd"
- name: "Systemctl restart fail2ban"
become: true
ansible.builtin.systemd:
name: fail2ban
state: restarted
when: ansible_service_mgr == "systemd"

32
meta/main.yml Normal file
View File

@ -0,0 +1,32 @@
---
galaxy_info:
role_name: gitea
author: l3d
description: Ansible role to configure and deploy gitea and forgejo, a painless self-hosted Git service.
license: "BSD-3-Clause"
min_ansible_version: "2.11"
platforms:
- name: Debian
versions:
- all
- name: Ubuntu
versions:
- all
- name: Fedora
versions:
- all
- name: EL
versions:
- all
galaxy_tags:
- gitea
- forgejo
- git
- system
- development
- sourcecontrol
- selfhosted
- gitserver
- gogs
- linux
dependencies: []

4
requirements.yml Normal file
View File

@ -0,0 +1,4 @@
---
collections:
- name: 'community.general'
version: ">=7.5.0,<=8.0.0"

43
tasks/backup.yml Normal file
View File

@ -0,0 +1,43 @@
---
- name: Get service facts
ansible.builtin.service_facts:
- name: Backup block
when:
- ansible_facts.services["gitea.service"] is defined
- ansible_facts.services["gitea.service"].state == "running"
- gitea_active_version.stdout != gitea_version_target
block:
- name: Stopping gitea before upgrade
become: true
ansible.builtin.systemd:
name: 'gitea.service'
state: 'stopped'
when: ansible_service_mgr == "systemd"
- name: "Create backup directory"
become: true
ansible.builtin.file:
path: "{{ gitea_backup_location }}"
state: 'directory'
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: 'u=rwx,g=rx,o='
- name: Backing up gitea before upgrade
become: true
ansible.builtin.command:
cmd: "sudo -u {{ gitea_user }} {{ gitea_full_executable_path }} dump -c {{ gitea_configuration_path }}/gitea.ini"
chdir: "{{ gitea_backup_location }}"
changed_when: true
rescue:
- name: Starting gitea because backup failed
become: true
ansible.builtin.systemd:
name: 'gitea.service'
state: 'started'
when: ansible_service_mgr == "systemd"
- name: Print updateing error and cancel
ansible.builtin.fail:
msg: "failed to backup gitea"

26
tasks/configure.yml Normal file
View File

@ -0,0 +1,26 @@
---
- name: Make sure gitea_register_email_confirm is false when gitea_register_manual_confirm is true
ansible.builtin.fail:
msg: |
To manually confirm registrations,
gitea_register_email_confirm needs to be false
and gitea_register_manual_confirm should be true.
when: gitea_register_manual_confirm | bool and gitea_register_email_confirm | bool
- name: "Configure gitea"
become: true
ansible.builtin.template:
src: gitea.ini.j2
dest: "{{ gitea_configuration_path }}/gitea.ini"
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: 0600
notify: "Restart gitea"
- name: "Service gitea"
become: true
ansible.builtin.systemd:
name: gitea
state: started
enabled: true
when: ansible_service_mgr == "systemd"

23
tasks/create_user.yml Normal file
View File

@ -0,0 +1,23 @@
---
- name: "Create Gitea Group"
become: true
ansible.builtin.group:
name: "{{ gitea_group }}"
system: true
state: "present"
- name: Switch shell when not using the builtin ssh server
ansible.builtin.set_fact:
gitea_shell: "/bin/bash"
when: "not gitea_start_ssh and gitea_shell == '/bin/false'"
- name: "Create Gitea user"
become: true
ansible.builtin.user:
name: "{{ gitea_user }}"
comment: "Gitea user"
group: "{{ gitea_group }}"
groups: "{{ gitea_groups | default(omit) }}"
home: "{{ gitea_user_home }}"
shell: "{{ gitea_shell }}"
system: true

24
tasks/customize_footer.yml Normal file
View File

@ -0,0 +1,24 @@
---
- name: Create directory for custom footer
become: true
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: 'u=rwX,g=rX,o='
loop:
- "{{ gitea_custom }}/templates"
- "{{ gitea_custom }}/templates/custom"
- name: Transfer custom footer template
become: true
ansible.builtin.copy:
src: "{{ lookup('first_found', transfer_custom_footer) }}"
dest: "{{ gitea_custom }}/templates/custom/extra_links_footer.tmpl"
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: '0644'
failed_when: false
tags: skip_ansible_lint
notify: "Restart gitea"

56
tasks/customize_logo.yml Normal file
View File

@ -0,0 +1,56 @@
---
- name: Create directory for custom logos
become: true
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: 'u=rwX,g=rX,o='
loop:
- "{{ gitea_custom }}/public"
- "{{ gitea_custom }}/public/img"
- name: Transfer custom logo.svg
become: true
ansible.builtin.copy:
src: "{{ lookup('first_found', transfer_custom_logo_logosvg) }}"
dest: "{{ gitea_custom }}/public/img/logo.svg"
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: '0644'
tags: skip_ansible_lint
failed_when: false
- name: Transfer custom logo.png
become: true
ansible.builtin.copy:
src: "{{ lookup('first_found', transfer_custom_logo_logopng) }}"
dest: "{{ gitea_custom }}/public/img/logo.png"
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: '0644'
tags: skip_ansible_lint
failed_when: false
- name: Transfer custom favicon.png
become: true
ansible.builtin.copy:
src: "{{ lookup('first_found', transfer_custom_logo_faviconpng) }}"
dest: "{{ gitea_custom }}/public/img/favicon.png"
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: '0644'
tags: skip_ansible_lint
failed_when: false
- name: Transfer custom apple-touch-icon.png
become: true
ansible.builtin.copy:
src: "{{ lookup('first_found', transfer_custom_logo_appletouchiconpng) }}"
dest: "{{ gitea_custom }}/public/img/apple-touch-icon.png"
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: '0644'
tags: skip_ansible_lint
failed_when: false

24
tasks/customize_public_files.yml Normal file
View File

@ -0,0 +1,24 @@
---
- name: Create public directory for custom public web files
become: true
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: 'u=rwX,g=rX,o='
loop:
- "{{ gitea_custom }}/public"
- name: Transfer custom public web data
become: true
ansible.builtin.copy:
src: "{{ gitea_customize_files_path }}"
dest: "{{ gitea_custom }}/public/"
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
directory_mode: true
mode: 'u=rwX,g=rX,o='
failed_when: false
tags: skip_ansible_lint
notify: "Restart gitea"

20
tasks/directory.yml Normal file
View File

@ -0,0 +1,20 @@
---
- name: "Create config and data directory"
become: true
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: 'u=rwX,g=rX,o='
loop:
- "{{ gitea_configuration_path }}"
- "{{ gitea_user_home }}"
- "{{ gitea_home }}"
- "{{ gitea_home }}/data"
- "{{ gitea_custom }}"
- "{{ gitea_custom }}/https"
- "{{ gitea_custom }}/mailer"
- "{{ gitea_home }}/indexers"
- "{{ gitea_home }}/log"
- "{{ gitea_repository_root }}"

29
tasks/fail2ban.yml Normal file
View File

@ -0,0 +1,29 @@
---
- name: Install fail2ban filter
become: true
ansible.builtin.template:
src: fail2ban/filter.conf.j2
dest: /etc/fail2ban/filter.d/gitea.conf
owner: root
group: root
mode: 0444
notify: "Systemctl restart fail2ban"
when: "'fail2ban' in ansible_facts.packages"
- name: Install fail2ban jail
become: true
ansible.builtin.template:
src: fail2ban/jail.conf.j2
dest: /etc/fail2ban/jail.d/gitea.conf
owner: root
group: root
mode: 0444
notify: "Systemctl restart fail2ban"
when: "'fail2ban' in ansible_facts.packages"
- name: Warn if fail2ban is not installed
ansible.builtin.fail:
msg: "the package fail2ban is not installed. no fail2ban filters deployed."
when: "'fail2ban' not in ansible_facts.packages"
failed_when: false
tags: skip_ansible_lint_ignore-errors

38
tasks/gitea_secrets.yml Normal file
View File

@ -0,0 +1,38 @@
---
- name: Generate gitea SECRET_KEY if not provided
become: true
ansible.builtin.shell: 'umask 077; {{ gitea_full_executable_path }} generate secret SECRET_KEY > {{ gitea_configuration_path }}/gitea_secret_key'
args:
creates: '{{ gitea_configuration_path }}/gitea_secret_key'
when: gitea_secret_key | string | length == 0
- name: Read gitea SECRET_KEY from file
become: true
ansible.builtin.slurp:
src: '{{ gitea_configuration_path }}/gitea_secret_key'
register: remote_secret_key
when: gitea_secret_key | string | length == 0
- name: Set fact gitea_secret_key
ansible.builtin.set_fact:
gitea_secret_key: "{{ remote_secret_key['content'] | b64decode }}"
when: gitea_secret_key | string | length == 0
- name: Generate gitea INTERNAL_TOKEN if not provided
become: true
ansible.builtin.shell: 'umask 077; {{ gitea_full_executable_path }} generate secret INTERNAL_TOKEN > {{ gitea_configuration_path }}/gitea_internal_token'
args:
creates: '{{ gitea_configuration_path }}/gitea_internal_token'
when: gitea_internal_token | string | length == 0
- name: Read gitea INTERNAL_TOKEN from file
become: true
ansible.builtin.slurp:
src: '{{ gitea_configuration_path }}/gitea_internal_token'
register: remote_internal_token
when: gitea_internal_token | string | length == 0
- name: Set fact gitea_internal_token
ansible.builtin.set_fact:
gitea_internal_token: "{{ remote_internal_token['content'] | b64decode }}"
when: gitea_internal_token | string | length == 0

83
tasks/install_forgejo.yml Normal file
View File

@ -0,0 +1,83 @@
---
- name: Dependency block
block:
- name: Update apt cache
become: true
ansible.builtin.apt:
cache_valid_time: 3600
update_cache: true
register: _pre_update_apt_cache
until: _pre_update_apt_cache is succeeded
when:
- ansible_pkg_mgr == "apt"
- name: Install dependencies
become: true
ansible.builtin.package:
name: "{{ gitea_dependencies }}"
state: present
register: _install_dep_packages
until: _install_dep_packages is succeeded
retries: 5
delay: 2
- name: Install forgejo block
when: (not gitea_version_check | bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version_target))
block:
- name: Download forgejo archive
ansible.builtin.get_url:
url: "{{ gitea_forgejo_dl_url | first }}"
dest: "/tmp/{{ gitea_filename }}"
checksum: "sha256:{{ gitea_forgejo_checksum }}"
mode: 0640
register: _download_archive
become: false
until: _download_archive is succeeded
retries: 5
delay: 2
- name: Download forgejo asc file
ansible.builtin.get_url:
url: "{{ gitea_forgejo_signed_url | first }}"
dest: "/tmp/{{ gitea_filename }}.asc"
mode: 0640
register: _download_asc
become: false
until: _download_asc is succeeded
retries: 5
delay: 2
- name: Check forgejo gpg key
ansible.builtin.command: "gpg --list-keys 0x{{ gitea_forgejo_gpg_key }}"
register: _gitea_gpg_key_status
changed_when: false
become: false
failed_when: _gitea_gpg_key_status.rc not in (0, 2)
- name: Print gpg key status on verbosity # noqa: H500
ansible.builtin.debug:
msg: "{{ _gitea_gpg_key_status.stdout }}"
verbosity: 1
- name: Import forgejo gpg key
ansible.builtin.command: "gpg --keyserver {{ gitea_gpg_server }} --recv {{ gitea_forgejo_gpg_key }}"
register: _gitea_import_key
become: false
changed_when: '"imported: 1" in _gitea_import_key.stderr'
when: '_gitea_gpg_key_status.rc != 0 or "expired" in _gitea_gpg_key_status.stdout'
- name: Check archive signature
become: false
ansible.builtin.command: "gpg --verify /tmp/{{ gitea_filename }}.asc /tmp/{{ gitea_filename }}"
changed_when: false
- name: Propagate gitea binary
become: true
ansible.builtin.copy:
src: "/tmp/{{ gitea_filename }}"
remote_src: true
dest: "{{ gitea_full_executable_path }}"
mode: 0755
owner: root
group: root
notify: "Restart gitea"

87
tasks/install_gitea.yml Normal file
View File

@ -0,0 +1,87 @@
---
- name: Dependency block
block:
- name: Update apt cache
become: true
ansible.builtin.apt:
cache_valid_time: 3600
update_cache: true
register: _pre_update_apt_cache
until: _pre_update_apt_cache is succeeded
when:
- ansible_pkg_mgr == "apt"
- name: Install dependencies
become: true
ansible.builtin.package:
name: "{{ gitea_dependencies }}"
state: present
register: _install_dep_packages
until: _install_dep_packages is succeeded
retries: 5
delay: 2
- name: Install gitea block
when: (not gitea_version_check | bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version_target))
block:
- name: Download gitea archive
ansible.builtin.get_url:
url: "{{ gitea_dl_url }}.xz"
dest: "/tmp/{{ gitea_filename }}.xz"
checksum: "sha256:{{ gitea_dl_url }}.xz.sha256"
mode: 0640
register: _download_archive
become: false
until: _download_archive is succeeded
retries: 5
delay: 2
- name: Download gitea asc file
ansible.builtin.get_url:
url: "{{ gitea_dl_url }}.xz.asc"
dest: "/tmp/{{ gitea_filename }}.xz.asc"
mode: 0640
register: _download_asc
become: false
until: _download_asc is succeeded
retries: 5
delay: 2
- name: Check gitea gpg key
ansible.builtin.command: "gpg --list-keys 0x{{ gitea_gpg_key }}"
register: _gitea_gpg_key_status
changed_when: false
failed_when: _gitea_gpg_key_status.rc not in (0, 2)
- name: Print gpg key status on verbosity # noqa: H500
ansible.builtin.debug:
msg: "{{ _gitea_gpg_key_status.stdout }}"
verbosity: 1
- name: Import gitea gpg key
ansible.builtin.command: "gpg --keyserver {{ gitea_gpg_server }} --keyserver-option '{{ gitea_gpg_keyserver_option }}' --recv {{ gitea_gpg_key }}"
register: _gitea_import_key
become: false
changed_when: '"imported: 1" in _gitea_import_key.stderr'
when: '_gitea_gpg_key_status.rc != 0 or "expired" in _gitea_gpg_key_status.stdout'
- name: Check archive signature
ansible.builtin.command: "gpg --verify /tmp/{{ gitea_filename }}.xz.asc /tmp/{{ gitea_filename }}.xz"
changed_when: false
become: false
- name: Unpack gitea binary
ansible.builtin.command:
cmd: "xz -k -d /tmp/{{ gitea_filename }}.xz"
creates: "/tmp/{{ gitea_filename }}"
- name: Propagate gitea binary
become: true
ansible.builtin.copy:
src: "/tmp/{{ gitea_filename }}"
remote_src: true
dest: "{{ gitea_full_executable_path }}"
mode: 0755
owner: root
group: root
notify: "Restart gitea"

31
tasks/install_systemd.yml Normal file
View File

@ -0,0 +1,31 @@
---
- name: "Setup systemd service"
become: true
when: ansible_os_family == "Debian"
ansible.builtin.template:
src: gitea.service.j2
dest: /lib/systemd/system/gitea.service
owner: root
group: root
mode: 0644
notify:
- "Reload systemd"
- "Restart gitea"
- name: "Setup systemd service"
become: true
when: ansible_os_family == "Suse"
ansible.builtin.template:
src: gitea.service.j2
dest: /etc/systemd/system/gitea.service
owner: root
group: root
mode: 0644
notify:
- "Reload systemd"
- "Restart gitea"
- name: "Reload systemd"
become: true
ansible.builtin.systemd:
daemon_reload: true

38
tasks/jwt_secrets.yml Normal file
View File

@ -0,0 +1,38 @@
---
- name: Generate OAuth2 JWT_SECRET if not provided
become: true
ansible.builtin.shell: 'umask 077; {{ gitea_full_executable_path }} generate secret JWT_SECRET > {{ gitea_configuration_path }}/gitea_oauth_jwt_secret'
args:
creates: '{{ gitea_configuration_path }}/gitea_oauth_jwt_secret'
when: gitea_oauth2_jwt_secret | length == 0
- name: Read OAuth2 JWT_SECRET from file
become: true
ansible.builtin.slurp:
src: '{{ gitea_configuration_path }}/gitea_oauth_jwt_secret'
register: oauth_jwt_secret
when: gitea_oauth2_jwt_secret | length == 0
- name: Set fact gitea_oauth2_jwt_secret
ansible.builtin.set_fact:
gitea_oauth2_jwt_secret: "{{ oauth_jwt_secret['content'] | b64decode }}"
when: gitea_oauth2_jwt_secret | length == 0
- name: Generate LFS JWT_SECRET if not provided
become: true
ansible.builtin.shell: 'umask 077; {{ gitea_full_executable_path }} generate secret JWT_SECRET > {{ gitea_configuration_path }}/gitea_lfs_jwt_secret'
args:
creates: '{{ gitea_configuration_path }}/gitea_lfs_jwt_secret'
when: gitea_lfs_jwt_secret | length == 0
- name: Read LFS JWT_SECRET from file
become: true
ansible.builtin.slurp:
src: '{{ gitea_configuration_path }}/gitea_lfs_jwt_secret'
register: lfs_jwt_secret
when: gitea_lfs_jwt_secret | length == 0
- name: Set fact gitea_lfs_jwt_secret
ansible.builtin.set_fact:
gitea_lfs_jwt_secret: "{{ lfs_jwt_secret['content'] | b64decode }}"
when: gitea_lfs_jwt_secret | length == 0

81
tasks/main.yml Normal file
View File

@ -0,0 +1,81 @@
---
- name: Perform optional versionscheck
ansible.builtin.include_tasks:
file: 'versioncheck.yml'
when: submodules_versioncheck|bool
- name: Gather installed packages for checks later on
ansible.builtin.package_facts:
manager: 'auto'
- name: Prepare gitea/forgejo variable import
block:
- name: Gather variables for gitea or forgejo
ansible.builtin.include_vars:
file: "{{ lookup('first_found', gitea_fork_variables) }}"
rescue:
- name: Gitea/Forejo import info
ansible.builtin.fail:
msg: "Currently only {{ gitea_supported_forks }} are supported."
- name: Gather variables for each operating system
ansible.builtin.include_vars:
file: "{{ lookup('first_found', gitea_variables) }}"
- name: Gather versioning information
ansible.builtin.include_tasks:
file: "set_{{ gitea_fork | lower }}_version.yml"
- name: Backup gitea before update
ansible.builtin.include_tasks:
file: 'backup.yml'
when: gitea_backup_on_upgrade|bool
- name: Create gitea user and role
ansible.builtin.include_tasks:
file: 'create_user.yml'
- name: "Install or update {{ gitea_fork }}"
ansible.builtin.include_tasks:
file: "install_{{ gitea_fork | lower }}.yml"
- name: Create directories
ansible.builtin.include_tasks:
file: 'directory.yml'
- name: Setup gitea systemd service
ansible.builtin.include_tasks:
file: 'install_systemd.yml'
when: ansible_service_mgr == "systemd"
- name: Generate JWT Secrets if undefined
ansible.builtin.include_tasks:
file: 'jwt_secrets.yml'
- name: Generate gitea secrets if undefined
ansible.builtin.include_tasks:
file: 'gitea_secrets.yml'
- name: Configure gitea
ansible.builtin.include_tasks:
file: 'configure.yml'
- name: Deploy optional fail2ban rules
ansible.builtin.include_tasks:
file: 'fail2ban.yml'
when: gitea_fail2ban_enabled | bool
- name: Optionally customize gitea
ansible.builtin.include_tasks:
file: 'customize_logo.yml'
when: gitea_customize_logo | bool
- name: Optionally customize footer
ansible.builtin.include_tasks:
file: 'customize_footer.yml'
when: gitea_customize_footer | bool
- name: Optionally deploy public files
ansible.builtin.include_tasks:
file: 'customize_public_files.yml'
when: gitea_customize_files | bool

107
tasks/set_forgejo_version.yml Normal file
View File

@ -0,0 +1,107 @@
---
- name: "Check forgejo installed version"
ansible.builtin.shell: "set -eo pipefail; {{ gitea_full_executable_path }} -v | cut -d' ' -f 3"
args:
executable: '/bin/bash'
register: gitea_active_version
changed_when: false
failed_when: false
- name: "Determine 'latest' version release"
when: gitea_version == "latest"
block:
- name: "Get latest forgejo release metadata"
ansible.builtin.uri:
url: 'https://codeberg.org/api/v1/repos/forgejo/forgejo/releases?limit=1'
return_content: true
register: gitea_forgejo_remote_metadata
become: false
when: not ansible_check_mode
- name: "Fail if running in check mode without versions set."
ansible.builtin.fail:
msg: |
"You are running this playbook in check mode:
Please set the Gitea version with the variable 'gitea_version', because the URI module cannot detect the latest version in this mode."
when: ansible_check_mode and (gitea_version == 'latest' or gitea_version == 'present')
- name: "Set fact latest forgejo release"
ansible.builtin.set_fact:
gitea_remote_version: "{{ gitea_forgejo_remote_metadata.json.0.tag_name[1:] }}"
when: not ansible_check_mode
- name: "Set forgejo version target (latest)"
ansible.builtin.set_fact:
gitea_version_target: "{{ gitea_remote_version }}"
when: not ansible_check_mode
- name: "Set forgejo version target {{ gitea_version }}"
ansible.builtin.set_fact:
gitea_version_target: "{{ gitea_version }}"
when: gitea_version != "latest"
- name: "Download forgejo version {{ gitea_version_target }}"
when: not ansible_check_mode
block:
- name: "Get specific forgejo release metadata"
ansible.builtin.uri:
url: 'https://codeberg.org/api/v1/repos/forgejo/forgejo/releases/tags/v{{ gitea_version_target }}'
return_content: true
register: gitea_forgejo_remote_tags_metadata
become: false
rescue:
- name: "Error Downloading https://codeberg.org/api/v1/repos/forgejo/forgejo/releases/tags/v{{ gitea_version_target }}"
ansible.builtin.fail:
msg: "We did not find the forgejo version you specified. Are you sure that '{{ gitea_version_target }}' is a valid forgejo version?"
- name: "Generate forgejo download url"
ansible.builtin.set_fact:
gitea_forgejo_dl_url: "{{ gitea_forgejo_remote_tags_metadata.json | community.general.json_query(gitea_forgejo_query_download) }}"
when: not ansible_check_mode
- name: "Generate forgejo download checksum url"
ansible.builtin.set_fact:
gitea_forgejo_checksum_url: "{{ gitea_forgejo_remote_tags_metadata.json | community.general.json_query(gitea_forgejo_query_checksum) }}"
when: not ansible_check_mode
- name: Get forgejo checksum
ansible.builtin.uri:
url: "{{ gitea_forgejo_checksum_url | first }}"
return_content: true
register: _gitea_forgejo_dl_checksum
become: false
when: not ansible_check_mode
- name: Set forjeo checksum
ansible.builtin.set_fact:
gitea_forgejo_checksum: "{{ _gitea_forgejo_dl_checksum.content.split(' ')[0] }}"
when: not ansible_check_mode
- name: "Generate forgejo download signed url"
ansible.builtin.set_fact:
gitea_forgejo_signed_url: "{{ gitea_forgejo_remote_tags_metadata.json | community.general.json_query(gitea_forgejo_query_signed) }}"
when: not ansible_check_mode
- name: "Set a example forgejo download link if in check mode"
ansible.builtin.set_fact:
gitea_forgejo_dl_url: ['https://codeberg.org/attachments/a00333ad-250a-4d30-a764-9a37fb24f419']
when: ansible_check_mode
- name: "Set a example forgejo checksum link if in check mode"
ansible.builtin.set_fact:
gitea_forgejo_checksum: 'f8c71464d1b250bf022eaa3df270c810950904ceb71da5cefc7ec24a034a4c87'
when: ansible_check_mode
- name: "Set a example forgejo checksum link if in check mode"
ansible.builtin.set_fact:
gitea_forgejo_signed_url: ['https://codeberg.org/attachments/ae5e50c6-e86e-4202-b95f-f142e8138e2f']
when: ansible_check_mode
- name: Show Download URLs # noqa: H500
ansible.builtin.debug:
msg: "{{ item }}"
verbosity: 1
loop:
- "gitea_forgejo_dl_url: {{ gitea_forgejo_dl_url | first }}"
- "gitea_forgejo_checksum: {{ gitea_forgejo_checksum }}"
- "gitea_forgejo_signed_url: {{ gitea_forgejo_signed_url | first }}"

45
tasks/set_gitea_version.yml Normal file
View File

@ -0,0 +1,45 @@
---
- name: "Check gitea installed version"
ansible.builtin.shell: "set -eo pipefail; {{ gitea_full_executable_path }} -v | cut -d' ' -f 3"
args:
executable: /bin/bash
register: gitea_active_version
changed_when: false
failed_when: false
- name: "Determine 'latest' version release"
when: gitea_version == "latest"
block:
- name: "Get latest gitea release metadata"
ansible.builtin.uri:
url: https://api.github.com/repos/go-gitea/gitea/releases/latest
return_content: true
register: gitea_remote_metadata
become: false
when: not ansible_check_mode
- name: "Fail if running in check mode without versions set."
ansible.builtin.fail:
msg: |
"You are running this playbook in check mode:
Please set the Gitea version with the variable 'gitea_version', because the URI module cannot detect the latest version in this mode."
when: ansible_check_mode and (gitea_version == 'latest' or gitea_version == 'present')
- name: "Set fact latest gitea release"
ansible.builtin.set_fact:
gitea_remote_version: "{{ gitea_remote_metadata.json.tag_name[1:] }}"
when: not ansible_check_mode
- name: "Set gitea version target (latest)"
ansible.builtin.set_fact:
gitea_version_target: "{{ gitea_remote_version }}"
when: not ansible_check_mode
- name: "Set gitea version target {{ gitea_version }}"
ansible.builtin.set_fact:
gitea_version_target: "{{ gitea_version }}"
when: gitea_version != "latest"
- name: "Generate gitea download URL"
ansible.builtin.set_fact:
gitea_dl_url: "https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version_target }}/gitea-{{ gitea_version_target }}-linux-{{ gitea_arch }}"

44
tasks/versioncheck.yml Normal file
View File

@ -0,0 +1,44 @@
---
# Copyright (c) 2021 L3D <l3d@c3woc.de>
# this file is released with the MIT license.
# License: https://github.com/roles-ansible/ansible_role_template/blob/main/LICENSE
- name: Create directory for versionscheck
become: true
ansible.builtin.file:
path: '/etc/.ansible-version'
state: directory
mode: '0755'
when: submodules_versioncheck | bool
- name: Check playbook version
become: true
ansible.builtin.slurp:
src: "/etc/.ansible-version/{{ playbook_version_path }}"
register: playbook_version
when: submodules_versioncheck | bool
failed_when: false
- name: Print remote role version # noqa: H500
ansible.builtin.debug:
msg: "Remote role version: {{ playbook_version.content | default('Y3VycmVudGx5IG5vdCBkZXBsb3llZAo=') | b64decode | string }}"
when: submodules_versioncheck | bool
- name: Print locale role version # noqa: H500
ansible.builtin.debug:
msg: "Local role version: '{{ playbook_version_number | string }}'."
when: submodules_versioncheck | bool
- name: Check if your version is outdated
ansible.builtin.fail:
msg: "Your ansible module has the version '{{ playbook_version_number }}' and is outdated. You need to update it!"
when:
- playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck | bool
- name: Write new version to remote disk
become: true
ansible.builtin.copy:
content: "{{ playbook_version_number }}"
dest: "/etc/.ansible-version/{{ playbook_version_path }}"
mode: '0644'
when: submodules_versioncheck | bool
tags: skip_ansible_lint_template-instead-of-copy

4
templates/fail2ban/filter.conf.j2 Normal file
View File

@ -0,0 +1,4 @@
# Managed by Ansible
[Definition]
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
ignoreregex =

9
templates/fail2ban/jail.conf.j2 Normal file
View File

@ -0,0 +1,9 @@
[gitea]
enabled = true
port = http,https
filter = gitea
logpath = {{ gitea_home }}/log/gitea.log
maxretry = {{ gitea_fail2ban_jail_maxretry }}
findtime = {{ gitea_fail2ban_jail_findtime }}
bantime = {{ gitea_fail2ban_jail_bantime }}
action = {{ gitea_fail2ban_jail_action }}

312
templates/gitea.ini.j2 Normal file
View File

@ -0,0 +1,312 @@
; this file is the configuration of your local Gitea instance
; {{ ansible_managed }}
;
; This file overwrites the default values from Gitea.
; undefined variables will use the default value from Gitea.
; Cheat Sheet: https://docs.gitea.com/next/administration/config-cheat-sheet/
;
; -> https://docs.gitea.com/next/administration/config-cheat-sheet#overall-default
APP_NAME = {{ gitea_app_name }}
RUN_USER = {{ gitea_user }}
RUN_MODE = {{ gitea_run_mode }}
WORK_PATH = {{ gitea_home }}
;
;
; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#repository-repository
[repository]
ROOT = {{ gitea_repository_root }}
FORCE_PRIVATE = {{ gitea_force_private | ternary('true', 'false') }}
DEFAULT_PRIVATE = {{ gitea_default_private }}
MAX_CREATION_LIMIT = {{ gitea_user_repo_limit }}
DISABLE_HTTP_GIT = {{ gitea_disable_http_git | ternary('true', 'false') }}
ENABLE_PUSH_CREATE_USER = {{ gitea_enable_push_create_user | ternary('true', 'false') }}
ENABLE_PUSH_CREATE_ORG = {{ gitea_enable_push_create_org | ternary('true', 'false') }}
DISABLED_REPO_UNITS = {{ gitea_disabled_repo_units }}
DEFAULT_REPO_UNITS = {{ gitea_default_repo_units }}
DISABLE_STARS = {{ gitea_disable_stars | ternary('true', 'false') }}
DEFAULT_BRANCH = {{ gitea_default_branch }}
{{ gitea_repository_extra_config }}
;
;
; -> https://docs.gitea.com/next/administration/administration/config-cheat-sheet/#repository---upload-repositoryupload
[repository.upload]
ENABLED = {{ gitea_repository_upload_enabled | ternary('true', 'false') }}
TEMP_PATH = {{ gitea_home }}/data/tmp/uploads
FILE_MAX_SIZE = {{ gitea_repository_upload_max_size }}
{{ gitea_repository_upload_extra_config }}
;
;
{% if gitea_enable_repo_signing_options | bool %}
; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#repository---signing-repositorysigning
[repository.signing]
SIGNING_KEY = {{ gitea_repo_signing_key }}
SIGNING_NAME = {{ gitea_repo_signing_name }}
SIGNING_EMAIL = {{ gitea_repo_signing_email }}
INITIAL_COMMIT = {{ gitea_repo_initial_commit }}
DEFAULT_TRUST_MODEL = {{ gitea_repo_default_trust_model }}
WIKI = {{ gitea_repo_wiki }}
CRUD_ACTIONS = {{ gitea_repo_crud_actions }}
MERGES = {{ gitea_repo_merges }}
{{ gitea_enable_repo_signing_extra }}
;
{% endif %}
;
{% if gitea_enable_cors | bool %}
;
; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#cors-cors
[cors]
ENABLED = {{ gitea_enable_cors | ternary('true', 'false') }}
SCHEME = {{ gitea_cors_scheme }}
ALLOW_DOMAIN = {{ gitea_cors_allow_domain }}
ALLOW_SUBDOMAIN = {{ gitea_cors_allow_subdomain | ternary('true', 'false') }}
METHODS = {{ gitea_cors_methods }}
MAX_AGE = {{ gitea_cors_max_age }}
ALLOW_CREDENTIALS = {{ gitea_cors_allow_credentials | ternary('true', 'false') }}
HEADERS = {{ gitea_cors_headers }}
X_FRAME_OPTIONS = {{ gitea_cors_x_frame_options }}
{{ gitea_cors_extra }}
;
{% endif %}
;
; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#ui-ui
[ui]
THEMES = {{ gitea_themes }}
DEFAULT_THEME = {{ gitea_theme_default }}
SHOW_USER_EMAIL = {{ gitea_show_user_email | ternary('true', 'false') }}
{{ gitea_ui_extra_config }}
;
;
;
[ui.meta]
AUTHOR = {{ gitea_ui_author }}
DESCRIPTION = {{ gitea_ui_description }}
KEYWORDS = {{ gitea_ui_keywords }}
{{ gitea_ui_meta_extra_config }}
;
;
; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#server-server
[server]
APP_DATA_PATH = {{ gitea_home }}/data
PROTOCOL = {{ gitea_protocol }}
DOMAIN = {{ gitea_http_domain }}
ROOT_URL = {{ gitea_root_url }}
HTTP_ADDR = {{ gitea_http_listen }}
HTTP_PORT = {{ gitea_http_port }}
START_SSH_SERVER = {{ gitea_start_ssh | ternary('true', 'false') }}
SSH_DOMAIN = {{ gitea_ssh_domain }}
SSH_PORT = {{ gitea_ssh_port }}
SSH_LISTEN_HOST = {{ gitea_ssh_listen }}
OFFLINE_MODE = {{ gitea_offline_mode | ternary('true', 'false') }}
{% if gitea_enable_tls_certs | bool %}
CERT_FILE = {{ gitea_tls_cert_file }}
KEY_FILE = {{ gitea_tls_key_file }}
{% endif %}
LANDING_PAGE = {{ gitea_landing_page }}
{% if gitea_lfs_server_enabled | bool %}
LFS_START_SERVER = true
LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }}
{% endif %}
REDIRECT_OTHER_PORT = {{ gitea_redirect_other_port | ternary('true', 'false') }}
PORT_TO_REDIRECT = {{ gitea_port_to_redirect }}
ENABLE_ACME = {{ gitea_enable_acme | ternary('true', 'false') }}
{% if gitea_enable_acme | bool %}
{% if gitea_acme_url != '' %}
ACME_URL = {{ gitea_acme_url }}
{% endif %}
ACME_ACCEPTTOS = {{ gitea_acme_accepttos | ternary('true', 'false') }}
ACME_DIRECTORY = {{ gitea_acme_directory }}
ACME_EMAIL = {{ gitea_acme_email }}
ACME_CA_ROOT = {{ gitea_acme_ca_root }}
{% endif %}
{{ gitea_server_extra_config }}
;
;
; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#database-database
[database]
DB_TYPE = {{ gitea_db_type }}
HOST = {{ gitea_db_host }}
NAME = {{ gitea_db_name }}
USER = {{ gitea_db_user }}
PASSWD = {{ gitea_db_password }}
SSL_MODE = {{ gitea_db_ssl }}
PATH = {{ gitea_db_path }}
LOG_SQL = {{ gitea_db_log_sql | ternary('true', 'false') }}
{{ gitea_database_extra_config }}
;
;
; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#indexer-indexer
[indexer]
ISSUE_INDEXER_PATH = {{ gitea_home }}/indexers/issues.bleve
REPO_INDEXER_ENABLED = {{ gitea_repo_indexer_enabled | ternary('true', 'false') }}
REPO_INDEXER_PATH = {{ gitea_home }}/indexers/repos.bleve
REPO_INDEXER_INCLUDE = {{ gitea_repo_indexer_include }}
REPO_INDEXER_EXCLUDE = {{ gitea_repo_indexer_exclude }}
REPO_INDEXER_EXCLUDE_VENDORED = {{ gitea_repo_exclude_vendored | ternary('true', 'false') }}
MAX_FILE_SIZE = {{ gitea_repo_indexer_max_file_size }}
{{ gitea_indexer_extra_config }}
;
;
; Queue (queue and queue.*)
; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#queue-queue-and-queue
[queue.issue_indexer]
DATADIR = {{ gitea_home }}/indexers/issues.queue
{{ gitea_queue_issue_indexer_extra_config }}
;
;
; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#security-security
[security]
INSTALL_LOCK = true
SECRET_KEY = {{ gitea_secret_key }}
DISABLE_GIT_HOOKS = {{ gitea_disable_git_hooks | ternary('true', 'false') }}
DISABLE_WEBHOOKS = {{ gitea_disable_webhooks | ternary('true', 'false') }}
INTERNAL_TOKEN = {{ gitea_internal_token }}
PASSWORD_CHECK_PWN = {{ gitea_password_check_pwn | ternary('true', 'false') }}
{{ gitea_security_extra_config }}
;
;
; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#service-service
[service]
REGISTER_EMAIL_CONFIRM = {{ gitea_register_email_confirm | ternary('true', 'false') }}
DISABLE_REGISTRATION = {{ gitea_disable_registration | ternary('true', 'false') }}
REQUIRE_SIGNIN_VIEW = {{ gitea_require_signin | ternary('true', 'false') }}
ENABLE_NOTIFY_MAIL = {{ gitea_enable_notify_mail | ternary('true', 'false') }}
ENABLE_CAPTCHA = {{ gitea_enable_captcha | ternary('true', 'false') }}
DEFAULT_KEEP_EMAIL_PRIVATE = {{ gitea_default_keep_mail_private | ternary('true', 'false') }}
SHOW_REGISTRATION_BUTTON = {{ gitea_show_registration_button | ternary('true', 'false') }}
AUTO_WATCH_NEW_REPOS = {{ gitea_auto_watch_new_repos | ternary('true', 'false') }}
ALLOW_ONLY_EXTERNAL_REGISTRATION = {{ gitea_only_allow_external_registration | ternary('true', 'false') }}
AUTO_WATCH_ON_CHANGES = {{ gitea_autowatch_on_change | ternary('true', 'false') }}
SHOW_MILESTONES_DASHBOARD_PAGE = {{ gitea_show_milestones_dashboard_page | ternary('true', 'false') }}
REGISTER_MANUAL_CONFIRM = {{ gitea_register_manual_confirm | ternary('true', 'false') }}
DEFAULT_ALLOW_CREATE_ORGANIZATION = {{ gitea_default_allow_create_organization | ternary('true', 'false') }}
DEFAULT_USER_IS_RESTRICTED = {{ gitea_default_user_is_restricted | ternary('true', 'false') }}
{% if gitea_email_domain_allowlist is defined and gitea_email_domain_allowlist | length %}
EMAIL_DOMAIN_ALLOWLIST = {{ gitea_email_domain_allowlist }}
{% endif %}
DEFAULT_USER_VISIBILITY = {{ gitea_default_user_visibility }}
DEFAULT_ORG_VISIBILITY = {{ gitea_default_org_visibility }}
ALLOW_ONLY_INTERNAL_REGISTRATION = {{ gitea_allow_only_internal_registration | ternary('true', 'false') }}
ALLOW_ONLY_EXTERNAL_REGISTRATION = {{ gitea_allow_only_external_registration | ternary('true', 'false') }}
{{ gitea_service_extra_config }}
;
;
; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#mailer-mailer
[mailer]
ENABLED = {{ gitea_mailer_enabled | ternary('true', 'false') }}
{% if gitea_mailer_enabled | bool %}
{% if gitea_mailer_use_client_cert | bool %}
CLIENT_CERT_FILE = {{ gitea_mailer_client_cert_file }}
CLIENT_KEY_FILE = {{ gitea_mailer_client_key_file }}
{% endif %}
PROTOCOL = {{ gitea_mailer_protocol }}
SMTP_ADDR = {{ gitea_mailer_smtp_addr }}
SMTP_PORT = {{ gitea_mailer_smtp_port }}
USE_CLIENT_CERT = {{ gitea_mailer_use_client_cert | ternary('true', 'false') }}
FORCE_TRUST_SERVER_CERT = {{ gitea_mailer_force_trust_server_cert | ternary('true', 'false') }}
USER = {{ gitea_mailer_user }}
PASSWD = {{ gitea_mailer_password }}
ENABLE_HELO = {{ gitea_mailer_enable_helo | ternary('true', 'false') }}
FROM = {{ gitea_mailer_from }}
SUBJECT_PREFIX = {{ gitea_subject_prefix }}
SEND_AS_PLAIN_TEXT = {{ gitea_mailer_send_as_plaintext | ternary('true', 'false') }}
{{ gitea_mailer_extra_config }}
;
{% endif %}
;
;
; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#session-session
[session]
PROVIDER = {{ gitea_session_provider }}
PROVIDER_CONFIG = {{ gitea_home }}/data/sessions
{{ gitea_session_extra_config }}
;
;
; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#picture-picture
[picture]
AVATAR_UPLOAD_PATH = {{ gitea_home }}/data/avatars
{{ gitea_picture_extra_config }}
;
;
; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#issue-and-pull-request-attachments-attachment
[attachment]
ENABLED = {{ gitea_attachment_enabled | ternary('true', 'false') }}
ALLOWED_TYPES = {{ gitea_attachment_types }}
MAX_SIZE = {{ gitea_attachment_max_size }}
PATH = {{ gitea_home }}/data/attachments
{{ gitea_attachment_extra_config }}
;
;
; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#log-log
[log]
ROOT_PATH = {{ gitea_home }}/log
{% if gitea_log_systemd %}
MODE = console
{% else %}
MODE = file
{% endif %}
LEVEL = {{ gitea_log_level }}
{{ gitea_log_extra_config }}
;
;
; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#metrics-metrics
[metrics]
ENABLED = {{ gitea_metrics_enabled | ternary('true', 'false') }}
TOKEN = {{ gitea_metrics_token }}
{{ gitea_metrics_extra }}
;
;
; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#oauth2-oauth2
[oauth2]
ENABLE = {{ gitea_oauth2_enabled | ternary('true', 'false') }}
JWT_SECRET = {{ gitea_oauth2_jwt_secret }}
{{ gitea_oauth2_extra_config }}
;
;
; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#federation-federation
[federation]
ENABLED = {{ gitea_federation_enabled | ternary('true', 'false') }}
SHARE_USER_STATISTICS = {{ gitea_federation_share_user_stats | ternary('true', 'false') }}
{{ gitea_federation_extra }}
;
;
; Packages (packages)
; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#packages-packages
[packages]
ENABLED = {{ gitea_packages_enabled | ternary('true', 'false') }}
{% if gitea_packages_enabled | bool %}
CHUNKED_UPLOAD_PATH = {{ gitea_home }}/data/tmp/package-upload
{{ gitea_packages_extra }}
{% endif %}
;
;
{% if gitea_lfs_server_enabled | bool %}
; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#lfs-lfs
[lfs]
STORAGE_TYPE = {{ gitea_lfs_storage_type }}
SERVE_DIRECT = {{ gitea_lfs_serve_direct | ternary('true', 'false') }}
PATH = {{ gitea_lfs_content_path }}
{{ gitea_lfs_extra }}
{% endif %}
;
;
{% if gitea_actions_enabled | bool %}
; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#actions-actions
[actions]
ENABLED = {{ gitea_actions_enabled }}
DEFAULT_ACTIONS_URL = {{ gitea_actions_default_actions_url }}
{{ gitea_actions_extra }}
{% endif %}
;
;
; Other (other)
; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#other-other
[other]
SHOW_FOOTER_VERSION = {{ gitea_other_show_footer_version | ternary('true', 'false') }}
SHOW_FOOTER_TEMPLATE_LOAD_TIME = {{ gitea_other_show_footer_template_load_time | ternary('true', 'false') }}
ENABLE_SITEMAP = {{ gitea_other_enable_sitemap | ternary('true', 'false') }}
ENABLE_FEED = {{ gitea_other_enable_feed | ternary('true', 'false') }}
;
;
;
; Optional additional config
{{ gitea_extra_config }}

16
templates/gitea.service.j2 Normal file
View File

@ -0,0 +1,16 @@
[Unit]
Description={{ gitea_fork }} git server
After=network.target
[Service]
User={{ gitea_user }}
Group={{ gitea_group }}
ExecStart={{ gitea_full_executable_path }} web --config {{ gitea_configuration_path }}/gitea.ini --custom-path {{ gitea_custom }}/ --work-path {{ gitea_home }}
Restart=on-failure
WorkingDirectory={{ gitea_home }}
{% if gitea_systemd_cap_net_bind_service %}
AmbientCapabilities=CAP_NET_BIND_SERVICE
{% endif %}
[Install]
WantedBy=multi-user.target

5
vars/debian.yml Normal file
View File

@ -0,0 +1,5 @@
---
gitea_dependencies:
- git
- gnupg2
- xz-utils

7
vars/fork_forgejo.yml Normal file
View File

@ -0,0 +1,7 @@
---
# set filenames for forgejo
gitea_full_executable_path: "{{ gitea_forgejo_executable_path }}"
gitea_filename: "forgejo-{{ gitea_version_target }}-linux-{{ gitea_arch }}"
gitea_forgejo_query_download: "assets[?name==`{{ gitea_filename }}`].browser_download_url"
gitea_forgejo_query_checksum: "assets[?name==`{{ gitea_filename }}.sha256`].browser_download_url"
gitea_forgejo_query_signed: "assets[?name==`{{ gitea_filename }}.asc`].browser_download_url"

4
vars/fork_gitea.yml Normal file
View File

@ -0,0 +1,4 @@
---
# set filenames for gitea
gitea_full_executable_path: "{{ gitea_executable_path }}"
gitea_filename: "gitea-{{ gitea_version_target }}.linux-{{ gitea_arch }}"

66
vars/main.yml Normal file
View File

@ -0,0 +1,66 @@
---
gitea_go_arch_map:
i386: '386'
x86_64: 'amd64'
aarch64: 'arm64'
armv7l: 'arm-6'
armv6l: 'arm-6'
armv5l: 'arm-5'
gitea_arch: "{{ gitea_go_arch_map[ansible_architecture] | default(ansible_architecture) }}"
gitea_supported_forks: 'gitea and forgejo'
gitea_fork_variables:
files:
- "fork_{{ gitea_fork | lower }}.yml"
paths:
- 'vars'
gitea_variables:
files:
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_distribution | lower }}.yml"
- "{{ ansible_os_family | lower }}.yml"
paths:
- 'vars'
transfer_custom_logo_logosvg:
files:
- "{{ gitea_custom_search }}/gitea_logo/logo.svg"
- "files/{{ inventory_hostname }}/gitea_logo/logo.svg"
- "files/{{ gitea_http_domain }}/gitea_logo/logo.svg"
- 'files/gitea_logo/logo.svg'
transfer_custom_logo_logopng:
files:
- "{{ gitea_custom_search }}/gitea_logo/logo.png"
- "files/{{ inventory_hostname }}/gitea_logo/logo.png"
- "files/{{ gitea_http_domain }}/gitea_logo/logo.png"
- 'files/gitea_logo/logo.png'
transfer_custom_logo_faviconpng:
files:
- "{{ gitea_custom_search }}/gitea_logo/favicon.png"
- "files/{{ inventory_hostname }}/gitea_logo/favicon.png"
- "files/{{ gitea_http_domain }}/gitea_logo/favicon.png"
- 'files/gitea_logo/favicon.png'
transfer_custom_logo_appletouchiconpng:
files:
- "{{ gitea_custom_search }}/gitea_logo/apple-touch-icon.png"
- "files/{{ inventory_hostname }}/gitea_logo/apple-touch-icon.png"
- "files/{{ gitea_http_domain }}/gitea_logo/apple-touch-icon.png"
- 'files/gitea_logo/apple-touch-icon.png'
transfer_custom_footer:
files:
- "{{ gitea_custom_search }}/gitea_footer/extra_links_footer.tmpl"
- "files/{{ inventory_hostname }}/gitea_footer/extra_links_footer.tmpl"
- "files/{{ gitea_http_domain }}/gitea_footer/extra_links_footer.tmpl"
- 'files/gitea_footer/extra_links_footer.tmpl'
- 'files/extra_links_footer.tmpl'
playbook_version_number: 53 # should be int
playbook_version_path: 'do1jlr.gitea.version'

5
vars/redhat.yml Normal file
View File

@ -0,0 +1,5 @@
---
gitea_dependencies:
- git
- gnupg2
- xz

5
vars/suse.yml Normal file
View File

@ -0,0 +1,5 @@
---
gitea_dependencies:
- git
- gpg2
- xz