From a986b486caeaaa447009645348ce18af14768d4c Mon Sep 17 00:00:00 2001 
From: bepting Date: Fri, 8 Dec 2023 12:38:53 +0100 Subject: [PATCH] . --- LICENSE | 31 +++ README.md | 401 ++++++++++++++++++++++++++++++ defaults/main.yml | 277 +++++++++++++++++++++ files/extra_links_footer.tmpl | 2 + handlers/main.yml | 20 ++ meta/main.yml | 32 +++ requirements.yml | 4 + tasks/backup.yml | 43 ++++ tasks/configure.yml | 26 ++ tasks/create_user.yml | 23 ++ tasks/customize_footer.yml | 24 ++ tasks/customize_logo.yml | 56 +++++ tasks/customize_public_files.yml | 24 ++ tasks/directory.yml | 20 ++ tasks/fail2ban.yml | 29 +++ tasks/gitea_secrets.yml | 38 +++ tasks/install_forgejo.yml | 83 +++++++ tasks/install_gitea.yml | 87 +++++++ tasks/install_systemd.yml | 31 +++ tasks/jwt_secrets.yml | 38 +++ tasks/main.yml | 81 ++++++ tasks/set_forgejo_version.yml | 107 ++++++++ tasks/set_gitea_version.yml | 45 ++++ tasks/versioncheck.yml | 44 ++++ templates/fail2ban/filter.conf.j2 | 4 + templates/fail2ban/jail.conf.j2 | 9 + templates/gitea.ini.j2 | 312 +++++++++++++++++++++++ templates/gitea.service.j2 | 16 ++ vars/debian.yml | 5 + vars/fork_forgejo.yml | 7 + vars/fork_gitea.yml | 4 + vars/main.yml | 66 +++++ vars/redhat.yml | 5 + vars/suse.yml | 5 + 34 files changed, 1999 insertions(+) create mode 100644 LICENSE create mode 100644 README.md create mode 100644 defaults/main.yml create mode 100644 files/extra_links_footer.tmpl create mode 100644 handlers/main.yml create mode 100644 meta/main.yml create mode 100644 requirements.yml create mode 100644 tasks/backup.yml create mode 100644 tasks/configure.yml create mode 100644 tasks/create_user.yml create mode 100644 tasks/customize_footer.yml create mode 100644 tasks/customize_logo.yml create mode 100644 tasks/customize_public_files.yml create mode 100644 tasks/directory.yml create mode 100644 tasks/fail2ban.yml create mode 100644 tasks/gitea_secrets.yml create mode 100644 tasks/install_forgejo.yml create mode 100644 tasks/install_gitea.yml create mode 100644 tasks/install_systemd.yml create mode 100644 
tasks/jwt_secrets.yml
create mode 100644 tasks/main.yml
create mode 100644 tasks/set_forgejo_version.yml
create mode 100644 tasks/set_gitea_version.yml
create mode 100644 tasks/versioncheck.yml
create mode 100644 templates/fail2ban/filter.conf.j2
create mode 100644 templates/fail2ban/jail.conf.j2
create mode 100644 templates/gitea.ini.j2
create mode 100644 templates/gitea.service.j2
create mode 100644 vars/debian.yml
create mode 100644 vars/fork_forgejo.yml
create mode 100644 vars/fork_gitea.yml
create mode 100644 vars/main.yml
create mode 100644 vars/redhat.yml
create mode 100644 vars/suse.yml
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..1206eb8
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,31 @@
+BSD 3-Clause License
+
+Copyright (c) 2019 - today L3D
+Copyright (c) 2019 - 2021 Thomas Maurice
+
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+ list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..f00708a
--- /dev/null
+++ b/README.md
@@ -0,0 +1,401 @@ +[![Ansible Galaxy](https://ansible.l3d.space/svg/l3d.gitea.svg)](https://galaxy.ansible.com/ui/standalone/roles/l3d/gitea/) +[![BSD-3 Clause](https://ansible.l3d.space/svg/l3d.gitea_license.svg)](LICENSE) +[![Maintainance](https://ansible.l3d.space/svg/l3d.gitea_maintainance.svg)](https://ansible.l3d.space/#l3d.gitea) + + ansible role gitea/forgejo +============================ + +This role installs and manages [gitea](https://gitea.io) or [forgejo](https://forgejo.org). A painless self-hosted Git service. Gitea is a community managed lightweight code hosting solution written in Go. Forgejo is a fork of it. +[Source code & screenshots gitea](https://github.com/go-gitea/gitea). +[Source code forgejo](https://codeberg.org/forgejo/forgejo). +This role is also Part of the Ansible-Collection [l3d.git](https://galaxy.ansible.com/l3d/git). [![l3d.git](https://ansible.l3d.space/svg/l3d.git_ansible-collection_collection.svg)](https://github.com/roles-ansible/ansible_collection_git.git). + +## Sample Usage in a playbook + +The following code has been tested with the latest Debian Stable, it should work on Ubuntu and RedHat as well. + +```yaml +# ansible-galaxy role install l3d.gitea + +- name: "Install gitea" + hosts: git.example.com + roles: + - {role: l3d.gitea, tags: gitea} + vars: + # Here we assume we are behind a reverse proxy that will + # handle https for us, so we bind on localhost:3000 using HTTP + # see https://docs.gitea.io/en-us/reverse-proxies/#nginx + gitea_fqdn: 'git.example.com' + gitea_root_url: 'https://git.example.com' + gitea_protocol: http + gitea_start_ssh: true +``` + + Variables +----------- +Here is a deeper insight into the variables of this gitea role. For the exact function of some variables and the possibility to add more options we recommend a look at this [config cheat sheet](https://docs.gitea.com/administration/config-cheat-sheet). + +### Chose between gitea and forgejo +There is a fork of gitea called forgejo. Why? 
Read the [forgejo FAQ](https://forgejo.org/faq/). +You have the option to choose between [gitea](https://gitea.io) and [forgejo](https://forgejo.org) by modifying the ``gitea_fork`` variable. +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_fork` | `gitea` | optional choose to install forgejo instead of gitea by setting this value to `forgejo`. | + +### gitea update mechanism +To determine which gitea version to install, you can choose between two variants. +Either you define exactly which release you install. Or you use the option ``latest`` to always install the latest release from the [gitea releases](https://github.com/go-gitea/gitea/releases/latest). + +### gitea update +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_version` | `latest` | Define either the exact release to install *(eg. `1.16.0`)* or use ``latest`` *(default)* to install the latest release. | +| `gitea_version_check` | `true` | Check if installed version != `gitea_version` before initiating binary download | +| `gitea_gpg_key` | `7C9E68152594688862D62AF62D9AE806EC1592E2` | the gpg key the gitea binary is signed with | +| `gitea_forgejo_gpg_key` | `EB114F5E6C0DC2BCDD183550A4B61A2DC5923710` | the gpg key the forgejo binary is signed with | +| `gitea_gpg_server` | `hkps://keys.openpgp.org` | A gpg key server where this role can download the gpg key | +| `gitea_backup_on_upgrade` | `false` | Optionally a backup can be created with every update of gitea. | +| `gitea_backup_location` | `{{ gitea_home }}/backups/` | Where to store the gitea backup if one is created with this role. | +| `submodules_versioncheck` | `false` | a simple version check that can prevent you from accidentally running an older version of this role. 
*(recomended)* | + +### gitea in the linux world +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_group` | `gitea` | Primary UNIX group used by Gitea | +| `gitea_groups` | null | Optionally a list of secondary UNIX groups used by Gitea | +| `gitea_home` | `/var/lib/gitea` | Base directory to work | +| `gitea_user_home` | `{{ gitea_home }}` | home of gitea user | +| `gitea_executable_path` | `/usr/local/bin/gitea` | Path for gitea executable | +| `gitea_forgejo_executable_path` | `/usr/local/bin/forgejo` | Path for forgejo executable | +| `gitea_configuration_path` | `/etc/gitea` | Where to put the gitea.ini config | +| `gitea_shell` | `/bin/false` | UNIX shell used by gitea. Set it to `/bin/bash` if you don't use the gitea built-in ssh server. | +| `gitea_systemd_cap_net_bind_service` | `false` | Adds `AmbientCapabilities=CAP_NET_BIND_SERVICE` to systemd service file | + +### Overall ([DEFAULT](https://docs.gitea.com/administration/config-cheat-sheet#overall-default)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_app_name` | `Gitea` | Displayed application name | +| `gitea_user` | `gitea ` | UNIX user used by Gitea | +| `gitea_run_mode`| `prod`| Application run mode, affects performance and debugging. Either “dev”, “prod” or “test”. | +| `gitea_fqdn` | `localhost` | Base FQDN for the installation, used as default for other variables. Set it to the FQDN where you can reach your gitea server | + +### Repository ([repository](https://docs.gitea.com/administration/config-cheat-sheet#repository-repository)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_default_branch` | `main` | Default branch name of all repositories. | +| `gitea_default_private` | `last` | Default private when creating a new repository. 
[`last`, `private`, `public`] | +| `gitea_default_repo_units` | *(see defaults)* | Comma separated list of default repo units. See official docs for more | +| `gitea_disabled_repo_units` | | Comma separated list of globally disabled repo units. | +| `gitea_disable_http_git` | `false` | Disable the ability to interact with repositories over the HTTP protocol. (true/false) | +| `gitea_disable_stars` | `false` | Disable stars feature. | +| `gitea_enable_push_create_org` | `false` | Allow users to push local repositories to Gitea and have them automatically created for an org. | +| `gitea_enable_push_create_user` | `false` | Allow users to push local repositories to Gitea and have them automatically created for an user. | +| `gitea_force_private` | `false` | Force every new repository to be private. | +| `gitea_user_repo_limit` | `-1` | Limit how many repos a user can have *(`-1` for unlimited)* | +| `gitea_repository_root` | `{{ gitea_home }}/repos` | Root path for storing all repository data. It must be an absolute path. | +| `gitea_repository_extra_config` | | you can use this variable to pass additional config parameters in the `[repository]` section of the config. | + +### Repository - Upload ([repository.upload](https://docs.gitea.io/en-us/administration/config-cheat-sheet#repository---upload-repositoryupload)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_repository_upload_enabled` | `true` | Whether repository file uploads are enabled | +| `gitea_repository_upload_max_size` | `4` | Max size of each file in megabytes. | +| `gitea_repository_upload_extra_config` | | you can use this variable to pass additional config parameters in the `[repository.upload]` section of the config. 
| + +### Repository - Signing ([repository.signing](https://docs.gitea.com/administration/config-cheat-sheet#repository---signing-repositorysigning)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_enable_repo_signing_options` | `false` | Allow to configure repo signing options | +| `gitea_repo_signing_key` | `default` | Key to sign with. | +| `gitea_repo_signing_name` | | if a KEYID is provided as the `gitea_repo_signing_key`, use these as the Name and Email address of the signer. | +| `gitea_repo_signing_email` | | if a KEYID is provided as the `gitea_repo_signing_key`, use these as the Name and Email address of the signer. | +| `gitea_repo_initial_commit` | `always` | Sign initial commit. | +| `gitea_repo_default_trust_model` | `collaborator` | The default trust model used for verifying commits. | +| `gitea_repo_wiki` | `never` | Sign commits to wiki. | +| `gitea_repo_crud_actions` | *(see defaults)* | Sign CRUD actions. | +| `gitea_repo_merges` | *(see defaults)* | Sign merges. | +| `gitea_enable_repo_signing_extra` | | you can use this variable to pass additional config parameters in the `[repository.signing]` section of the config. 
| + +### CORS ([cors](https://docs.gitea.com/administration/config-cheat-sheet#cors-cors)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_enable_cors` | `false` | enable cors headers (disabled by default) | +| `gitea_cors_scheme` | `http` | scheme of allowed requests | +| `gitea_cors_allow_domain` | `*` | list of requesting domains that are allowed | +| `gitea_cors_allow_subdomain` | `false` |allow subdomains of headers listed above to request | +| `gitea_cors_methods` | *(see defaults)* | list of methods allowed to request | +| `gitea_cors_max_age` | `10m` | max time to cache response | +| `gitea_cors_allow_credentials` | `false` | allow request with credentials | +| `gitea_cors_headers` | `Content-Type,User-Agent` | additional headers that are permitted in requests | +| `gitea_cors_x_frame_options` | `SAMEORIGIN` | Set the `X-Frame-Options` header value. | +| `gitea_cors_extra` | | you can use this variable to pass additional config parameters in the `[cors]` section of the config. | + +### UI ([ui](https://docs.gitea.com/administration/config-cheat-sheet#ui-ui)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_show_user_email` | `false` | Do you want to display email addresses ? (true/false) | +| `gitea_theme_default` | `auto` | Default theme | +| `gitea_themes` | `auto,gitea,arc-green` | List of enabled themes | +| `gitea_ui_extra_config` | | you can use this variable to pass additional config parameters in the `[ui]` section of the config. | + +### UI - Meta ([ui.meta](https://docs.gitea.com/administration/config-cheat-sheet#ui---metadata-uimeta)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_ui_author` | *(see defaults)* | Author meta tag of the homepage. | +| `gitea_ui_description` | *(see defaults)* | Description meta tag of the homepage. 
| +| `gitea_ui_keywords` | *(see defaults)* | Keywords meta tag of the homepage | +| `gitea_ui_meta_extra_config` | | you can use this variable to pass additional config parameters in the `[ui.meta]` section of the config. | + +### Server ([server](https://docs.gitea.com/administration/config-cheat-sheet#server-server)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_protocol`| `http` | Listening protocol [http, https, fcgi, unix, fcgi+unix] | +| `gitea_http_domain` | `{{ gitea_fqdn }}` which is `localhost` | Domain name of this server. | +| `gitea_root_url` | `http://{{ gitea_fqdn }}:3000` | Root URL used to access your web app (full URL) | +| `gitea_http_listen` | `127.0.0.1` | HTTP listen address | +| `gitea_http_port` | `3000` | Bind port *(redirect from `80` will be activated if value is `443`)* | +| `gitea_start_ssh` | `true` | When enabled, use the built-in SSH server. | +| `gitea_ssh_domain` | `{{ gitea_fqdn }} ` | Domain name of this server, used for displayed clone URL | +| `gitea_ssh_port` | `2222` | SSH port displayed in clone URL. | +| `gitea_ssh_listen` | `0.0.0.0` | Listen address for the built-in SSH server. | +| `gitea_offline_mode` | `true` | Disables use of CDN for static files and Gravatar for profile pictures. (true/false) | +| `gitea_landing_page` | `home` | Landing page for unauthenticated users | +| `gitea_lfs_server_enabled` | `false` | Enable GIT-LFS Support *(git large file storage: [git-lfs](https://git-lfs.github.com/))*. | +| `gitea_lfs_jwt_secret` | | LFS authentication secret. Can be generated with ``gitea generate secret JWT_SECRET``. Will be autogenerated if not defined | +| `gitea_redirect_other_port` | `false` | If true and `gitea_protocol` is https, allows redirecting http requests on `gitea_port_to_redirect` to the https port Gitea listens on. 
| +| `gitea_port_to_redirect` | `80` | Port for the http redirection service to listen on, if enabled | +| `gitea_enable_tls_certs` | `false` | Write TLS Cert and Key Path to config file | +| `gitea_tls_cert_file` | `https/cert.pem` | Cert file path used for HTTPS. | +| `gitea_tls_key_file` | `https/key.pem` | Key file path used for HTTPS. | +| `gitea_enable_acme` | `false` | Flag to enable automatic certificate management via an ACME capable CA Server. *(default is letsencrypt)* | +| `gitea_acme_url` | | The CA’s ACME directory URL | +| `gitea_acme_accepttos` | `false` | This is an explicit check that you accept the terms of service of the ACME provider. | +| `gitea_acme_directory` | `https` | Directory that the certificate manager will use to cache information such as certs and private keys. | +| `gitea_acme_email` | | Email used for the ACME registration | +| `gitea_acme_ca_root` | | The CA’s root certificate. If left empty, it defaults to using the system’s trust chain. | +| `gitea_server_extra_config` | | you can use this variable to pass additional config parameters in the `[server]` section of the config. | + +### Database ([database](https://docs.gitea.com/administration/config-cheat-sheet#database-database)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_db_type` | `sqlite3` | The database type in use `[mysql, postgres, mssql, sqlite3]`. | +| `gitea_db_host` | `127.0.0.0:3306` | Database host address and port or absolute path for unix socket [mysql, postgres] (ex: `/var/run/mysqld/mysqld.sock`). | +| `gitea_db_name` | `root` | Database name | +| `gitea_db_user` | `gitea` | Database username | +| `gitea_db_password` | `lel` | Database password. **PLEASE CHANGE** | +| `gitea_db_ssl` | `disable` | Configure SSL only if your database type supports it. 
Have a look into the [config-cheat-sheet](https://docs.gitea.com/administration/config-cheat-sheet#database-database) for more detailed information | +| `gitea_db_path` | `{{ gitea_home }}/data/gitea.db` | DB path, if you use `sqlite3`. | +| `gitea_db_log_sql` | `false` | Log the executed SQL. | +| `gitea_database_extra_config` | | you can use this variable to pass additional config parameters in the `[database]` section of the config. | + +### Indexer ([indexer](https://docs.gitea.com/administration/config-cheat-sheet#indexer-indexer)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_repo_indexer_enabled` | `false` | Enables code search *(uses a lot of disk space, about 6 times more than the repository size).* | +| `gitea_repo_indexer_include` | |Glob patterns to include in the index *(comma-separated list)*. An empty list means include all files. | +| `gitea_repo_indexer_exclude` | | Glob patterns to exclude from the index (comma-separated list). | +| `gitea_repo_exclude_vendored` | `true` | Exclude vendored files from index. | +| `gitea_repo_indexer_max_file_size` | `1048576` | Maximum size in bytes of files to be indexed. | +| `gitea_indexer_extra_config` | | you can use this variable to pass additional config parameters in the `[indexer]` section of the config. | +| `gitea_queue_issue_indexer_extra_config` | | | you can use this variable to pass additional config parameters in the `[queue.issue_indexer]` section of the config. | + +### Security ([security](https://docs.gitea.com/administration/config-cheat-sheet#security-security)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_secret_key` | | Global secret key. Will be autogenerated if not defined. Should be unique. | +| `gitea_disable_git_hooks` | `true` | Set to false to enable users with git hook privilege to create custom git hooks. Can be dangerous. 
| +| `gitea_disable_webhooks` | `false` | Set to true to disable webhooks feature. | +| `gitea_internal_token` | | Internal API token. Will be autogenerated if not defined. Should be unique. | +| `gitea_password_check_pwn` | `false` | Check [HaveIBeenPwned](https://haveibeenpwned.com/Passwords) to see if a password has been exposed. | +| `gitea_security_extra_config` | | you can use this variable to pass additional config parameters in the `[security]` section of the config. | + +### Service ([service](https://docs.gitea.com/administration/config-cheat-sheet#service-service)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_disable_registration` | `false` | Do you want to disable user registration? (true/false) | +| `gitea_register_email_confirm` | `false` | Enable this to ask for mail confirmation of registration. Requires `gitea_mailer_enabled` to be enabled. | +| `gitea_require_signin` | `true` | Do you require a signin to see repo's (even public ones)? (true/false)| +| `gitea_default_keep_mail_private` | `true` | By default set users to keep their email address privat | +| `gitea_enable_captcha` | `true` | Do you want to enable captcha's ? (true/false)| +| `gitea_show_registration_button` | `true` | Here you can hide the registration button. This will not disable registration! 
(true/false)| +| `gitea_only_allow_external_registration` | `false` | Set to true to force registration only using third-party services (true/false) | +| `gitea_enable_notify_mail` | `false` | Enable this to send e-mail to watchers of a repository when something happens, like creating issues (true/false) | +| `gitea_auto_watch_new_repos` | `true` | Enable this to let all organisation users watch new repos when they are created (true/false) | +| `gitea_autowatch_on_change` | `true` | Enable this to make users watch a repository after their first commit to it (true/false) | +| `gitea_register_manual_confirm` | `false` | Enable this to manually confirm new registrations. Requires REGISTER_EMAIL_CONFIRM to be disabled. | +| `gitea_default_allow_create_organization` | `true` | Allow new users to create organizations by default (true/false) | +| `gitea_email_domain_allowlist` | | If non-empty, comma separated list of domain names that can only be used to register on this instance, wildcard is supported. | +| `gitea_default_user_visibility` | `public` | Set default visibility mode for users, either "public", "limited" or "private". | +| `gitea_default_org_visibility` | `public` | Set default visibility mode for organisations, either "public", "limited" or "private". | +| `gitea_allow_only_internal_registration` | `false` | Set to true to force registration only via Gitea. | +| `gitea_allow_only_external_registration` | `false` | Set to true to force registration only using third-party services. | +| `gitea_show_milestones_dashboard_page` | `true` | Enable this to show the milestones dashboard page - a view of all the user's milestones | +| `gitea_default_user_is_restricted` | `false` | Give new users restricted permissions by default (true/false) | +| `gitea_service_extra_config` | | you can use this variable to pass additional config parameters in the `[service]` section of the config. 
| + +### Mailer ([mailer](https://docs.gitea.com/administration/config-cheat-sheet#mailer-mailer)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_mailer_enabled` | `false` | Whether to enable the mailer. | +| `gitea_mailer_protocol` | `dummy` |Mail server protocol. One of “smtp”, “smtps”, “smtp+starttls”, “smtp+unix”, “sendmail”, “dummy”.| +| `gitea_mailer_smtp_addr` | | Mail server address. e.g. smtp.gmail.com. For smtp+unix, this should be a path to a unix socket instead. | +| `gitea_mailer_smtp_port` | | Mail server port | +| `gitea_mailer_use_client_cert` | `false` | Use client certificate for TLS/SSL. | +| `gitea_mailer_client_cert_file` | | Client certificate file. | +| `gitea_mailer_client_key_file` | | Client key file. | +| `gitea_mailer_force_trust_server_cert` | `false` | completely ignores server certificate validation errors. This option is unsafe. Consider adding the certificate to the system trust store instead. | +| `gitea_mailer_user` | | Username of mailing user (usually the sender’s e-mail address). | +| `gitea_mailer_password ` | |Password of mailing user. Use `your password` for quoting if you use special characters in the password. | +| `gitea_mailer_enable_helo` | `true` |Enable HELO operation. | +| `gitea_mailer_from` | `noreply@{{ gitea_http_domain }}` | Mail from address, RFC 5322. | +| `gitea_subject_prefix` | |Prefix to be placed before e-mail subject lines. | +| `gitea_mailer_send_as_plaintext` | `false` | Send mails only in plain text, without HTML alternative. | +| `gitea_mailer_extra_config` | | you can use this variable to pass additional config parameters in the `[mailer]` section of the config. 
| + +### Session ([session](https://docs.gitea.com/administration/config-cheat-sheet#session-session)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_session_provider` | `file` | Session engine provider | +| `gitea_session_extra_config` | | you can use this variable to pass additional config parameters in the `[session]` section of the config. | + +### Picture ([picture](https://docs.gitea.com/administration/config-cheat-sheet#picture-picture)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_picture_extra_config` | | you can use this variable to pass additional config parameters in the `[picture]` section of the config. | + +### Issue and pull request attachments ([attachment](https://docs.gitea.com/administration/config-cheat-sheet#issue-and-pull-request-attachments-attachment)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `attachment_enabled` | `true` | Whether issue and pull request attachments are enabled. | +| `gitea_attachment_types` | see Docs | Comma-separated list of allowed file extensions (`.zip,.txt`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types. | +| `gitea_attachment_max_size` | `4` | Maximum size (MB). | +| `gitea_attachment_extra_config` | | you can use this variable to pass additional config parameters in the `[attachment]` section of the config. | + +### Log ([log](https://docs.gitea.com/administration/config-cheat-sheet#log-log)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_log_systemd` | `false` | Disable logging into `file`, use systemd-journald | +| `gitea_log_level` | `Warn` | General log level. 
`[Trace, Debug, Info, Warn, Error, Critical, Fatal, None]` | +| `gitea_log_extra_config` | | you can use this variable to pass additional config parameters in the `[log]` section of the config. | + +### Metrics ([metrics](https://docs.gitea.com/administration/config-cheat-sheet#metrics-metrics)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_metrics_enabled`| `false` | Enable the metrics endpoint | +| `gitea_metrics_token`| | Bearer token for the Prometheus scrape job | +| `gitea_metrics_extra` | | you can use this variable to pass additional config parameters in the `[metrics]` section of the config. | + +### OAuth2 ([oauth2](https://docs.gitea.com/administration/config-cheat-sheet#oauth2-oauth2)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_oauth2_enabled` | `true` | Enable the Oauth2 provider (true/false) | +| `gitea_oauth2_jwt_secret` | | Oauth2 JWT secret. Can be generated with ``gitea generate secret JWT_SECRET``. Will be autogenerated if not defined. | +| `gitea_oauth2_extra_config` | | you can use this variable to pass additional config parameters in the `[oauth2]` section of the config. | + +### Federation ([federation](https://docs.gitea.com/administration/config-cheat-sheet#federation-federation)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_federation_enabled` | `false` | Enable/Disable federation capabilities | +| `gitea_federation_share_user_stats` | `false` | Enable/Disable user statistics for nodeinfo if federation is enabled | +| `gitea_federation_extra` | | you can use this variable to pass additional config parameters in the `[federation]` section of the config. 
| + +### Packages ([packages](https://docs.gitea.com/administration/config-cheat-sheet#packages-packages)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_packages_enabled` | `true` | Enable/Disable package registry capabilities | +| `gitea_packages_extra` | |you can use this variable to pass additional config parameters in the `[packages]` section of the config. | + +### LFS ([lfs](https://docs.gitea.com/administration/config-cheat-sheet#lfs-lfs)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_lfs_storage_type` | `local` | Storage type for lfs | +| `gitea_lfs_serve_direct` | `false` | Allows the storage driver to redirect to authenticated URLs to serve files directly. *(only Minio/S3)* | +| `gitea_lfs_content_path` | `{{ gitea_home }}/data/lfs` | Where to store LFS files | +| `gitea_lfs_extra` | | you can use this variable to pass additional config parameters in the `[lfs]` section of the config. | + +### Actions ([actions](https://docs.gitea.com/administration/config-cheat-sheet#actions-actions)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_actions_enabled` | `false` | Enable/Disable actions capabilities globaly. You may want to add `repo.actions` to `gitea_default_repo_units` to enable actions on all new repositories | +| `gitea_actions_default_actions_url` | `https://gitea.com/` | Default address to get action plugins, e.g. the default value means downloading from `https://gitea.com/actions/checkout` for `uses: actions/checkout@v3` | +| `gitea_actions_extra` | | you can use this variable to pass additional config parameters in the `[actions]` section of the config. 
| + +### Other ([other](https://docs.gitea.com/administration/config-cheat-sheet#other-other)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_other_show_footer_version` | `true` | Show Gitea and Go version information in the footer. | +| `gitea_other_show_footer_template_load_time` | `true` | Show time of template execution in the footer. | +| `gitea_other_enable_sitemap` | `true` | Generate sitemap. | +| `gitea_other_enable_feed` | `true` | Enable/Disable RSS/Atom feed. | + +### additional gitea config +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_extra_config` | | Additional gitea configuration. Have a look at the [config-cheat-sheet](https://docs.gitea.com/administration/config-cheat-sheet) before using it! | + +### Fail2Ban configuration + +If enabled, this will deploy a fail2ban filter and jail config for Gitea as described in the [Gitea Documentation](https://docs.gitea.io/en-us/fail2ban-setup/). + +As this will only deploy config files, fail2ban already has to be installed or otherwise the role will fail. + +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_fail2ban_enabled` | `false` | Whether to deploy the fail2ban config or not | +| `gitea_fail2ban_jail_maxretry` | `10` | fail2ban jail `maxretry` setting. | +| `gitea_fail2ban_jail_findtime` | `3600` | fail2ban jail `findtime` setting. | +| `gitea_fail2ban_jail_bantime` | `900` | fail2ban jail `bantime` setting. | +| `gitea_fail2ban_jail_action` | `iptables-allports` | fail2ban jail `action` setting. | + +### optional customisation +You can optionally customize your gitea using this ansible role. We got our information about customisation from [docs.gitea.io/en-us/customizing-gitea](https://docs.gitea.io/en-us/customizing-gitea/). 
+To deploy multiple files we created the ``gitea_custom_search`` variable, that can point to the path where you put the custom gitea files *( default ``"files/host_files/{{ inventory_hostname }}/gitea"``)*. + ++ **LOGO**: + - Set ``gitea_customize_logo`` to ``true`` + - We search for: + * ``logo.svg`` - Used for favicon, site icon, app icon + * ``logo.png`` - Used for Open Graph + * ``favicon.png`` - Used as fallback for browsers that don’t support SVG favicons + * ``apple-touch-icon.png`` - Used on iOS devices for bookmarks + - We search in *(using [first_found](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/first_found_lookup.html))*: + * ``{{ gitea_custom_search }}/gitea_logo/`` + * ``files/{{ inventory_hostname }}/gitea_logo/`` + * ``files/{{ gitea_http_domain }}/gitea_logo/`` + * ``files/gitea_logo/`` ++ **FOOTER**: + - Set ``gitea_customize_footer`` to ``true`` + - We Search using first_found in: + * "{{ gitea_custom_search }}/gitea_footer/extra_links_footer.tmpl" + * "files/{{ inventory_hostname }}/gitea_footer/extra_links_footer.tmpl" + * "files/{{ gitea_http_domain }}/gitea_footer/extra_links_footer.tmpl" + * 'files/gitea_footer/extra_links_footer.tmpl' + * 'files/extra_links_footer.tmpl' ++ **CUSTOM FILES**: + - Set ``gitea_customize_files`` to ``true`` + - Create a directory with the files you want to deploy. + - Point ``gitea_customize_files_path`` to this directory. *(Default ``{{ gitea_custom_search }}/gitea_files/``)* + +## Requirements +This role uses the ``ansible.builtin`` and ``community.general`` ansible Collections. To download the latest forgejo/gitea release we use json_query. This requires ``jmespath`` to be available. 
+ +### Python packages ++ jmespath + +### Galaxy Collections ++ community.general + +### Example requirements Installation +``` +ansible-galaxy collection install --update --role-file requirements.yml +pip3 install --update jmespath +``` + +## Contribute +Don't hesitate to create a pull request, and if in doubt you can reach me at +Mastodon [@l3d@chaos.social](https://chaos.social/@l3d). + +I'll be happy to fix any issues you raise, or even better, review your pull requests :) + +## History of this role +this ansible role was originally developed on [github.com/thomas-maurice/ansible-role-gitea](https://github.com/thomas-maurice/ansible-role-gitea.git). Since the role there has some problems like default values for the location of the gitea repositories and the merging of pull requests usually takes several months, a fork of the role was created that offers the same. Only tidier and with the claim to react faster to issues and pull requests. It is now Part of the [l3d.git](https://galaxy.ansible.com/l3d/git) Collection too. diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..62c2fa4 --- /dev/null +++ b/defaults/main.yml 
@@ -0,0 +1,277 @@ +--- +# Choose between https://forgejo.org/ and https://gitea.io/ +gitea_fork: 'gitea' # 'gitea' and 'forgejo' are valid options + +# gitea version +# Use 'latest' to auto-update; upgrading past role version may lead to errors. +gitea_version: 'latest' +gitea_version_check: true +gitea_gpg_key: '7C9E68152594688862D62AF62D9AE806EC1592E2' +gitea_forgejo_gpg_key: 'EB114F5E6C0DC2BCDD183550A4B61A2DC5923710' +gitea_gpg_server: 'hkps://keys.openpgp.org' +gitea_gpg_keyserver_option: '' +gitea_backup_on_upgrade: false +gitea_backup_location: "{{ gitea_home }}/backups/" +submodules_versioncheck: false + +# gitea in the linux world +gitea_group: 'gitea' +# gitea_groups: [] # Optional a list of groups user gitea will be added to +gitea_home: '/var/lib/gitea' +gitea_user_home: '{{ gitea_home }}' +gitea_executable_path: '/usr/local/bin/gitea' +gitea_forgejo_executable_path: '/usr/local/bin/forgejo' +gitea_configuration_path: '/etc/gitea' +gitea_shell: '/bin/false' +gitea_systemd_cap_net_bind_service: false + +# Overall (DEFAULT) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#overall-default +gitea_app_name: 'Gitea' +gitea_user: 'gitea' +gitea_run_mode: 'prod' +gitea_fqdn: 'localhost' + +# Repository (repository) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#repository-repository +gitea_default_branch: 'main' +gitea_default_private: 'last' +gitea_default_repo_units: 'repo.code,repo.releases,repo.issues,repo.pulls,repo.wiki,repo.projects' +gitea_disabled_repo_units: '' +gitea_disable_http_git: false +gitea_disable_stars: false +gitea_enable_push_create_org: false +gitea_enable_push_create_user: false +gitea_force_private: false +gitea_user_repo_limit: '-1' +gitea_repository_root: "{{ gitea_home }}/repos" +gitea_repository_extra_config: '' + +# Repository - Upload (repository.upload) +# -> https://docs.gitea.io/en-us/administration/config-cheat-sheet/#repository---upload-repositoryupload +gitea_repository_upload_enabled: true 
+gitea_repository_upload_max_size: 4 +gitea_repository_upload_extra_config: '' + +# Repository - Signing (repository.signing) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#repository---signing-repositorysigning +gitea_enable_repo_signing_options: false +gitea_repo_signing_key: 'default' +gitea_repo_signing_name: '' +gitea_repo_signing_email: '' +gitea_repo_initial_commit: 'always' +gitea_repo_default_trust_model: 'collaborator' +gitea_repo_wiki: 'never' +gitea_repo_crud_actions: 'pubkey, twofa, parentsigned' +gitea_repo_merges: ' pubkey, twofa, basesigned, commitssigned' +gitea_enable_repo_signing_extra: '' + +# CORS (cors) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#cors-cors +gitea_enable_cors: false +gitea_cors_scheme: 'http' +gitea_cors_allow_domain: '*' +gitea_cors_allow_subdomain: false +gitea_cors_methods: 'GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS' +gitea_cors_max_age: '10m' +gitea_cors_allow_credentials: false +gitea_cors_headers: 'Content-Type,User-Agent' +gitea_cors_x_frame_options: 'SAMEORIGIN' +gitea_cors_extra: '' + +# UI (ui) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#ui-ui +gitea_show_user_email: false +gitea_theme_default: 'auto' +gitea_themes: 'auto,gitea,arc-green' +gitea_ui_extra_config: '' + +# UI - Metadata (ui.meta) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#ui---metadata-uimeta +gitea_ui_author: 'Gitea - Git with a cup of tea' +gitea_ui_description: 'Gitea (Git with a cup of tea) is a painless self-hosted Git service written in Go:' +gitea_ui_keywords: 'go,git,self-hosted,gitea,forgejo' +gitea_ui_meta_extra_config: '' + +# Server (server) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#server-server +gitea_protocol: 'http' +gitea_http_domain: "{{ gitea_fqdn }}" +gitea_root_url: "http://{{ gitea_fqdn }}:3000" +gitea_http_listen: '127.0.0.1' +gitea_http_port: '3000' +gitea_start_ssh: true +gitea_ssh_domain: "{{ gitea_fqdn }}" +gitea_ssh_port: '2222' +gitea_ssh_listen: '0.0.0.0' +gitea_offline_mode: 
true +gitea_landing_page: 'home' +gitea_lfs_server_enabled: false +gitea_lfs_jwt_secret: '' +gitea_redirect_other_port: false +gitea_port_to_redirect: '80' +gitea_enable_tls_certs: false +gitea_tls_cert_file: 'https/cert.pem' +gitea_tls_key_file: 'https/key.pem' +gitea_enable_acme: false +gitea_acme_url: '' +gitea_acme_accepttos: false +gitea_acme_directory: 'https' +gitea_acme_email: '' +gitea_acme_ca_root: '' +gitea_server_extra_config: '' + +# Database (database) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#database-database +gitea_db_type: 'sqlite3' +gitea_db_host: '127.0.0.0:3306' +gitea_db_name: 'root' +gitea_db_user: 'gitea' +gitea_db_password: 'lel' +gitea_db_ssl: 'disable' +gitea_db_path: "{{ gitea_home }}/data/gitea.db" +gitea_db_log_sql: false +gitea_database_extra_config: '' + +# Indexer (indexer) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#indexer-indexer +gitea_repo_indexer_enabled: false +gitea_repo_indexer_include: '' +gitea_repo_indexer_exclude: '' +gitea_repo_exclude_vendored: true +gitea_repo_indexer_max_file_size: '1048576' +gitea_indexer_extra_config: '' +gitea_queue_issue_indexer_extra_config: '' + +# Security (security) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#security-security +gitea_secret_key: '' +gitea_disable_git_hooks: true +gitea_disable_webhooks: false +gitea_internal_token: '' +gitea_password_check_pwn: false +gitea_security_extra_config: '' + +# Service (service) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#service-service +gitea_disable_registration: false +gitea_register_email_confirm: false +gitea_register_manual_confirm: false +gitea_require_signin: true +gitea_default_keep_mail_private: true +gitea_enable_captcha: true +gitea_show_registration_button: true +gitea_only_allow_external_registration: false +gitea_enable_notify_mail: false +gitea_auto_watch_new_repos: true +gitea_autowatch_on_change: false +gitea_default_allow_create_organization: false +gitea_default_user_is_restricted: 
false +gitea_email_domain_allowlist: "" +gitea_default_user_visibility: public +gitea_default_org_visibility: public +gitea_allow_only_internal_registration: false +gitea_allow_only_external_registration: false +gitea_show_milestones_dashboard_page: true +gitea_service_extra_config: '' + +# Mailer [mailer] +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#mailer-mailer +gitea_mailer_enabled: false +gitea_mailer_protocol: 'dummy' +gitea_mailer_smtp_addr: '' +gitea_mailer_smtp_port: '' +gitea_mailer_use_client_cert: false +gitea_mailer_client_cert_file: '' +gitea_mailer_client_key_file: '' +gitea_mailer_force_trust_server_cert: false +gitea_mailer_user: '' +gitea_mailer_password: '' +gitea_mailer_enable_helo: true +gitea_mailer_from: "noreply@{{ gitea_http_domain }}" +gitea_subject_prefix: '' +gitea_mailer_send_as_plaintext: false +gitea_mailer_extra_config: '' + +# Session (session) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#session-session +gitea_session_provider: 'file' +gitea_session_extra_config: '' + +# Picture (picture) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#picture-picture +gitea_picture_extra_config: '' + +# Issue and pull request attachments (attachment) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#issue-and-pull-request-attachments-attachment +gitea_attachment_enabled: true +gitea_attachment_types: '.csv,.docx,.fodg,.fodp,.fods,.fodt,.gif,.gz,.jpeg,.jpg,.log,.md,.mov,.mp4,.odf,.odg,.odp,.ods,.odt,.patch,.pdf,.png,.pptx,.svg,.tgz,.txt,.webm,.xls,.xlsx,.zip' +gitea_attachment_max_size: 4 +gitea_attachment_extra_config: '' + +# Log (log) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#log-log +gitea_log_systemd: false +gitea_log_level: 'Warn' +gitea_log_extra_config: '' + +# Metrics (metrics) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#metrics-metrics +gitea_metrics_enabled: false +gitea_metrics_token: '' +gitea_metrics_extra: '' + +# OAuth2 (oauth2) +# -> 
https://docs.gitea.io/en-us/config-cheat-sheet/#oauth2-oauth2 +gitea_oauth2_enabled: true +gitea_oauth2_jwt_secret: '' +gitea_oauth2_extra_config: '' + +# Federation (federation) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#federation-federation +gitea_federation_enabled: false +gitea_federation_share_user_stats: false +gitea_federation_extra: '' + +# Packages (packages) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#packages-packages +gitea_packages_enabled: true +gitea_packages_extra: '' + +# LFS (lfs) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#lfs-lfs +gitea_lfs_storage_type: 'local' +gitea_lfs_serve_direct: false +gitea_lfs_content_path: "{{ gitea_home }}/data/lfs" +gitea_lfs_extra: '' + +# Actions (actions) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#actions-actions +gitea_actions_enabled: false +gitea_actions_default_actions_url: "https://gitea.com" +gitea_actions_extra: '' + +# Other (other) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#other-other +gitea_other_show_footer_version: true +gitea_other_show_footer_template_load_time: true +gitea_other_enable_sitemap: true +gitea_other_enable_feed: true + +# additional gitea config +gitea_extra_config: "" + +# fail2ban +gitea_fail2ban_enabled: false +gitea_fail2ban_jail_maxretry: '10' +gitea_fail2ban_jail_findtime: '3600' +gitea_fail2ban_jail_bantime: '900' +gitea_fail2ban_jail_action: 'iptables-allports' + +# gitea customisation +gitea_custom_search: "files/host_files/{{ inventory_hostname }}/gitea" +gitea_customize_logo: false +gitea_custom: "{{ gitea_home }}/custom" +gitea_customize_footer: false +gitea_customize_files: false +gitea_customize_files_path: "{{ gitea_custom_search }}/gitea_files" diff --git a/files/extra_links_footer.tmpl b/files/extra_links_footer.tmpl new file mode 100644 index 0000000..ac1a2cb --- /dev/null +++ b/files/extra_links_footer.tmpl @@ -0,0 +1,2 @@ +Datenschutz +Impressum 
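Review bot: `gitea_db_password: 'lel'` ships a real, publicly known credential as the role default, and the neighbouring `gitea_db_host: '127.0.0.0:3306'` and `gitea_db_name: 'root'` look like a typo for `127.0.0.1` and a copy-paste from a user field; anyone who switches `gitea_db_type` away from sqlite3 without overriding all three ends up with a database configured with a password that is readable in this repository. A secret should default to empty so the templated config fails visibly rather than silently carrying a guessable value: `gitea_db_password: ''` with a comment `# must be set when gitea_db_type is not sqlite3`, backed by an assert in configure.yml. A short comment next to `gitea_disable_registration: false` would also help, since together with `gitea_show_registration_button: true` the default instance accepts public sign-ups, which is only sensible while `gitea_http_listen` stays on 127.0.0.1 behind a proxy.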
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..ebc1716
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,20 @@
+---
+- name: "Restart gitea"
+ become: true
+ ansible.builtin.service:
+ name: gitea
+ state: restarted
+ when: ansible_service_mgr == "systemd"
+
+- name: "Reload systemd"
+ become: true
+ ansible.builtin.systemd:
+ daemon_reload: true
+ when: ansible_service_mgr == "systemd"
+
+- name: "Systemctl restart fail2ban"
+ become: true
+ ansible.builtin.systemd:
+ name: fail2ban
+ state: restarted
+ when: ansible_service_mgr == "systemd"
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..ad117d7
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,32 @@
+---
+galaxy_info:
+ role_name: gitea
+ author: l3d
+ description: Ansible role to configure and deploy gitea and forgejo, a painless self-hosted Git service.
+ license: "BSD-3-Clause"
+ min_ansible_version: "2.11"
+ platforms:
+ - name: Debian
+ versions:
+ - all
+ - name: Ubuntu
+ versions:
+ - all
+ - name: Fedora
+ versions:
+ - all
+ - name: EL
+ versions:
+ - all
+ galaxy_tags:
+ - gitea
+ - forgejo
+ - git
+ - system
+ - development
+ - sourcecontrol
+ - selfhosted
+ - gitserver
+ - gogs
+ - linux
+dependencies: []
diff --git a/requirements.yml b/requirements.yml
new file mode 100644
index 0000000..a5a1e10
--- /dev/null
+++ b/requirements.yml
@@ -0,0 +1,4 @@
+---
+collections:
+ - name: 'community.general'
+ version: ">=7.5.0,<=8.0.0"
diff --git a/tasks/backup.yml b/tasks/backup.yml
new file mode 100644
index 0000000..6a9fc56
--- /dev/null
+++ b/tasks/backup.yml
@@ -0,0 +1,43 @@
+---
+- name: Get service facts
+ ansible.builtin.service_facts:
+
+- name: Backup block
+ when:
+ - ansible_facts.services["gitea.service"] is defined
+ - ansible_facts.services["gitea.service"].state == "running"
+ - gitea_active_version.stdout != gitea_version_target
+ block:
+ - name: Stopping gitea before upgrade
+ become: true
+ ansible.builtin.systemd:
+ name: 'gitea.service'
+ state: 'stopped'
+ when: ansible_service_mgr == "systemd"
+
+ - name: "Create backup directory"
+ become: true
+ ansible.builtin.file:
+ path: "{{ gitea_backup_location }}"
+ state: 'directory'
+ owner: "{{ gitea_user }}"
+ group: "{{ gitea_group }}"
+ mode: 'u=rwx,g=rx,o='
+
+ - name: Backing up gitea before upgrade
+ become: true
+ ansible.builtin.command:
+ cmd: "sudo -u {{ gitea_user }} {{ gitea_full_executable_path }} dump -c {{ gitea_configuration_path }}/gitea.ini"
+ chdir: "{{ gitea_backup_location }}"
+ changed_when: true
+ rescue:
+ - name: Starting gitea because backup failed
+ become: true
+ ansible.builtin.systemd:
+ name: 'gitea.service'
+ state: 'started'
+ when: ansible_service_mgr == "systemd"
+
+ - name: Print updateing error and cancel
+ ansible.builtin.fail:
+ msg: "failed to backup gitea"
diff --git a/tasks/configure.yml b/tasks/configure.yml
new file mode 100644
index 0000000..a5f5f30
--- /dev/null
+++ b/tasks/configure.yml
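Review bot: The `gitea dump` in "Backing up gitea before upgrade" produces an archive that, on the Gitea/Forgejo releases I am aware of, embeds the config file — i.e. SECRET_KEY, INTERNAL_TOKEN, both JWT secrets and the database password — yet nothing here controls the archive's mode: the directory is `u=rwx,g=rx,o=` and the zip inherits whatever umask the `sudo -u` shell gives the gitea user, so it is likely group-readable. Run the dump under a restrictive umask and let Ansible switch user instead of shelling out to sudo inside `command`: `become_user: "{{ gitea_user }}"` with `ansible.builtin.shell: "umask 077; {{ gitea_full_executable_path }} dump -c {{ gitea_configuration_path }}/gitea.ini"` and the existing `chdir`. Confirm against the pinned release that the dump really includes the config before relying on the weaker default.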
@@ -0,0 +1,26 @@
+---
+- name: Make sure gitea_register_email_confirm is false when gitea_register_manual_confirm is true
+ ansible.builtin.fail:
+ msg: |
+ To manually confirm registrations,
+ gitea_register_email_confirm needs to be false
+ and gitea_register_manual_confirm should be true.
+ when: gitea_register_manual_confirm | bool and gitea_register_email_confirm | bool
+
+- name: "Configure gitea"
+ become: true
+ ansible.builtin.template:
+ src: gitea.ini.j2
+ dest: "{{ gitea_configuration_path }}/gitea.ini"
+ owner: "{{ gitea_user }}"
+ group: "{{ gitea_group }}"
+ mode: 0600
+ notify: "Restart gitea"
+
+- name: "Service gitea"
+ become: true
+ ansible.builtin.systemd:
+ name: gitea
+ state: started
+ enabled: true
+ when: ansible_service_mgr == "systemd"
diff --git a/tasks/create_user.yml b/tasks/create_user.yml
new file mode 100644
index 0000000..3f2aa38
--- /dev/null
+++ b/tasks/create_user.yml
@@ -0,0 +1,23 @@
+---
+- name: "Create Gitea Group"
+ become: true
+ ansible.builtin.group:
+ name: "{{ gitea_group }}"
+ system: true
+ state: "present"
+
+- name: Switch shell when not using the builtin ssh server
+ ansible.builtin.set_fact:
+ gitea_shell: "/bin/bash"
+ when: "not gitea_start_ssh and gitea_shell == '/bin/false'"
+
+- name: "Create Gitea user"
+ become: true
+ ansible.builtin.user:
+ name: "{{ gitea_user }}"
+ comment: "Gitea user"
+ group: "{{ gitea_group }}"
+ groups: "{{ gitea_groups | default(omit) }}"
+ home: "{{ gitea_user_home }}"
+ shell: "{{ gitea_shell }}"
+ system: true
diff --git a/tasks/customize_footer.yml b/tasks/customize_footer.yml
new file mode 100644
index 0000000..1f14080
--- /dev/null
+++ b/tasks/customize_footer.yml
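Review bot: "Configure gitea" writes `gitea.ini` as `owner: "{{ gitea_user }}"` with `mode: 0600`, so the account that runs the web process has write access to the file carrying SECRET_KEY, INTERNAL_TOKEN and the DB password; a compromised Gitea process could then persist changes (re-enable git hooks, point at another database) across restarts. Since this role fully manages the file, `owner: root`, `group: "{{ gitea_group }}"`, `mode: 0640` keeps it readable but not writable by the service, which is the tightening upstream's install notes suggest once the web installer is no longer needed (worth re-checking against the docs for the pinned version). Caveat: only do this if the template locks the installer (INSTALL_LOCK) and no workflow on the host still expects the gitea user to rewrite app.ini.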
@@ -0,0 +1,24 @@
+---
+- name: Create directory for custom footer
+ become: true
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ gitea_user }}"
+ group: "{{ gitea_group }}"
+ mode: 'u=rwX,g=rX,o='
+ loop:
+ - "{{ gitea_custom }}/templates"
+ - "{{ gitea_custom }}/templates/custom"
+
+- name: Transfer custom footer template
+ become: true
+ ansible.builtin.copy:
+ src: "{{ lookup('first_found', transfer_custom_footer) }}"
+ dest: "{{ gitea_custom }}/templates/custom/extra_links_footer.tmpl"
+ owner: "{{ gitea_user }}"
+ group: "{{ gitea_group }}"
+ mode: '0644'
+ failed_when: false
+ tags: skip_ansible_lint
+ notify: "Restart gitea"
diff --git a/tasks/customize_logo.yml b/tasks/customize_logo.yml
new file mode 100644
index 0000000..c3e8ae7
--- /dev/null
+++ b/tasks/customize_logo.yml
@@ -0,0 +1,56 @@
+---
+- name: Create directory for custom logos
+ become: true
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ gitea_user }}"
+ group: "{{ gitea_group }}"
+ mode: 'u=rwX,g=rX,o='
+ loop:
+ - "{{ gitea_custom }}/public"
+ - "{{ gitea_custom }}/public/img"
+
+- name: Transfer custom logo.svg
+ become: true
+ ansible.builtin.copy:
+ src: "{{ lookup('first_found', transfer_custom_logo_logosvg) }}"
+ dest: "{{ gitea_custom }}/public/img/logo.svg"
+ owner: "{{ gitea_user }}"
+ group: "{{ gitea_group }}"
+ mode: '0644'
+ tags: skip_ansible_lint
+ failed_when: false
+
+- name: Transfer custom logo.png
+ become: true
+ ansible.builtin.copy:
+ src: "{{ lookup('first_found', transfer_custom_logo_logopng) }}"
+ dest: "{{ gitea_custom }}/public/img/logo.png"
+ owner: "{{ gitea_user }}"
+ group: "{{ gitea_group }}"
+ mode: '0644'
+ tags: skip_ansible_lint
+ failed_when: false
+
+- name: Transfer custom favicon.png
+ become: true
+ ansible.builtin.copy:
+ src: "{{ lookup('first_found', transfer_custom_logo_faviconpng) }}"
+ dest: "{{ gitea_custom }}/public/img/favicon.png"
+ owner: "{{ gitea_user }}"
+ group: "{{ gitea_group }}"
+ mode: '0644'
+ tags: skip_ansible_lint
+ failed_when: false
+
+- name: Transfer custom apple-touch-icon.png
+ become: true
+ ansible.builtin.copy:
+ src: "{{ lookup('first_found', transfer_custom_logo_appletouchiconpng) }}"
+ dest: "{{ gitea_custom }}/public/img/apple-touch-icon.png"
+ owner: "{{ gitea_user }}"
+ group: "{{ gitea_group }}"
+ mode: '0644'
+ tags: skip_ansible_lint
+ failed_when: false
diff --git a/tasks/customize_public_files.yml b/tasks/customize_public_files.yml
new file mode 100644
index 0000000..747a103
--- /dev/null
+++ b/tasks/customize_public_files.yml
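Review bot: None of the four "Transfer custom ..." copy tasks carries `notify: "Restart gitea"`, while the sibling footer and public-files tasks in this commit do; if the running instance serves `custom/public/img` from a cache or only re-reads it on start, a changed logo is not picked up until some other change restarts the service. I cannot tell from this diff whether the pinned Gitea/Forgejo version hot-reloads custom public assets, so either add `notify: "Restart gitea"` to each task for consistency or leave a comment explaining why a restart is unnecessary here. Separately, `failed_when: false` on every copy means a real failure (wrong `transfer_custom_logo_*` search list, permission error) looks like success; the optional-file case is better expressed with `skip: true` in the first_found parameters so that genuine errors still fail the play.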
@@ -0,0 +1,24 @@
+---
+- name: Create public directory for custom public web files
+ become: true
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ gitea_user }}"
+ group: "{{ gitea_group }}"
+ mode: 'u=rwX,g=rX,o='
+ loop:
+ - "{{ gitea_custom }}/public"
+
+- name: Transfer custom public web data
+ become: true
+ ansible.builtin.copy:
+ src: "{{ gitea_customize_files_path }}"
+ dest: "{{ gitea_custom }}/public/"
+ owner: "{{ gitea_user }}"
+ group: "{{ gitea_group }}"
+ directory_mode: true
+ mode: 'u=rwX,g=rX,o='
+ failed_when: false
+ tags: skip_ansible_lint
+ notify: "Restart gitea"
diff --git a/tasks/directory.yml b/tasks/directory.yml
new file mode 100644
index 0000000..5154b40
--- /dev/null
+++ b/tasks/directory.yml
@@ -0,0 +1,20 @@
+---
+- name: "Create config and data directory"
+ become: true
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ gitea_user }}"
+ group: "{{ gitea_group }}"
+ mode: 'u=rwX,g=rX,o='
+ loop:
+ - "{{ gitea_configuration_path }}"
+ - "{{ gitea_user_home }}"
+ - "{{ gitea_home }}"
+ - "{{ gitea_home }}/data"
+ - "{{ gitea_custom }}"
+ - "{{ gitea_custom }}/https"
+ - "{{ gitea_custom }}/mailer"
+ - "{{ gitea_home }}/indexers"
+ - "{{ gitea_home }}/log"
+ - "{{ gitea_repository_root }}"
diff --git a/tasks/fail2ban.yml b/tasks/fail2ban.yml
new file mode 100644
index 0000000..af439e3
--- /dev/null
+++ b/tasks/fail2ban.yml
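Review bot: `directory_mode: true` in "Transfer custom public web data" is not a valid mode for `ansible.builtin.copy` (it expects an octal or symbolic mode), and because the task also sets `failed_when: false` the resulting error is swallowed, so the public files are silently never deployed. In addition `src: "{{ gitea_customize_files_path }}"` has no trailing slash, and with the copy module's directory semantics that places the `gitea_files` directory itself under `custom/public/gitea_files/` instead of its contents under `custom/public/`, which does not match what the README describes (unless the nested layout is intended). Suggested lines: `src: "{{ gitea_customize_files_path }}/"`, `directory_mode: 'u=rwx,g=rx,o='`, and drop `failed_when: false` so a broken customisation is reported rather than hidden.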
@@ -0,0 +1,29 @@
+---
+- name: Install fail2ban filter
+ become: true
+ ansible.builtin.template:
+ src: fail2ban/filter.conf.j2
+ dest: /etc/fail2ban/filter.d/gitea.conf
+ owner: root
+ group: root
+ mode: 0444
+ notify: "Systemctl restart fail2ban"
+ when: "'fail2ban' in ansible_facts.packages"
+
+- name: Install fail2ban jail
+ become: true
+ ansible.builtin.template:
+ src: fail2ban/jail.conf.j2
+ dest: /etc/fail2ban/jail.d/gitea.conf
+ owner: root
+ group: root
+ mode: 0444
+ notify: "Systemctl restart fail2ban"
+ when: "'fail2ban' in ansible_facts.packages"
+
+- name: Warn if fail2ban is not installed
+ ansible.builtin.fail:
+ msg: "the package fail2ban is not installed. no fail2ban filters deployed."
+ when: "'fail2ban' not in ansible_facts.packages"
+ failed_when: false
+ tags: skip_ansible_lint_ignore-errors
diff --git a/tasks/gitea_secrets.yml b/tasks/gitea_secrets.yml
new file mode 100644
index 0000000..8f61d3f
--- /dev/null
+++ b/tasks/gitea_secrets.yml
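Review bot: "Warn if fail2ban is not installed" combines `ansible.builtin.fail` with `failed_when: false`, which does not warn at all — the default callback reports the task as ok and the message is only visible with `-v`, so an operator who set `gitea_fail2ban_enabled: true` ends up with no jail and no signal, and the README's statement that the role fails in this case is not what the code does. Either make it a real failure (drop `failed_when: false` and the tag) to match the README, or print it on every run with `ansible.builtin.debug: msg: "..."`. The filter and jail templates are outside this hunk, so the correctness of the patterns that drive `iptables-allports` bans is not reviewed here.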
@@ -0,0 +1,38 @@
+---
+- name: Generate gitea SECRET_KEY if not provided
+ become: true
+ ansible.builtin.shell: 'umask 077; {{ gitea_full_executable_path }} generate secret SECRET_KEY > {{ gitea_configuration_path }}/gitea_secret_key'
+ args:
+ creates: '{{ gitea_configuration_path }}/gitea_secret_key'
+ when: gitea_secret_key | string | length == 0
+
+- name: Read gitea SECRET_KEY from file
+ become: true
+ ansible.builtin.slurp:
+ src: '{{ gitea_configuration_path }}/gitea_secret_key'
+ register: remote_secret_key
+ when: gitea_secret_key | string | length == 0
+
+- name: Set fact gitea_secret_key
+ ansible.builtin.set_fact:
+ gitea_secret_key: "{{ remote_secret_key['content'] | b64decode }}"
+ when: gitea_secret_key | string | length == 0
+
+- name: Generate gitea INTERNAL_TOKEN if not provided
+ become: true
+ ansible.builtin.shell: 'umask 077; {{ gitea_full_executable_path }} generate secret INTERNAL_TOKEN > {{ gitea_configuration_path }}/gitea_internal_token'
+ args:
+ creates: '{{ gitea_configuration_path }}/gitea_internal_token'
+ when: gitea_internal_token | string | length == 0
+
+- name: Read gitea INTERNAL_TOKEN from file
+ become: true
+ ansible.builtin.slurp:
+ src: '{{ gitea_configuration_path }}/gitea_internal_token'
+ register: remote_internal_token
+ when: gitea_internal_token | string | length == 0
+
+- name: Set fact gitea_internal_token
+ ansible.builtin.set_fact:
+ gitea_internal_token: "{{ remote_internal_token['content'] | b64decode }}"
+ when: gitea_internal_token | string | length == 0
diff --git a/tasks/install_forgejo.yml b/tasks/install_forgejo.yml
new file mode 100644
index 0000000..6cbb79e
--- /dev/null
+++ b/tasks/install_forgejo.yml
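Review bot: The slurp and set_fact tasks for SECRET_KEY and INTERNAL_TOKEN run without `no_log: true`, so with `-v`, a `log_path`, or a logging callback (ARA, AWX/Tower job output) the registered results `remote_secret_key` / `remote_internal_token` and the new fact values are printed in clear. Add `no_log: true` to both "Read gitea ... from file" tasks and both "Set fact ..." tasks; the generate tasks only redirect to a file, but marking them as well costs nothing. The generation itself is sound: `umask 077` under `become: true` leaves the files in `gitea_configuration_path` root-owned and 0600, and since they are read via become the service user never needs access to them.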
@@ -0,0 +1,83 @@
+---
+- name: Dependency block
+ block:
+ - name: Update apt cache
+ become: true
+ ansible.builtin.apt:
+ cache_valid_time: 3600
+ update_cache: true
+ register: _pre_update_apt_cache
+ until: _pre_update_apt_cache is succeeded
+ when:
+ - ansible_pkg_mgr == "apt"
+
+ - name: Install dependencies
+ become: true
+ ansible.builtin.package:
+ name: "{{ gitea_dependencies }}"
+ state: present
+ register: _install_dep_packages
+ until: _install_dep_packages is succeeded
+ retries: 5
+ delay: 2
+
+- name: Install forgejo block
+ when: (not gitea_version_check | bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version_target))
+ block:
+ - name: Download forgejo archive
+ ansible.builtin.get_url:
+ url: "{{ gitea_forgejo_dl_url | first }}"
+ dest: "/tmp/{{ gitea_filename }}"
+ checksum: "sha256:{{ gitea_forgejo_checksum }}"
+ mode: 0640
+ register: _download_archive
+ become: false
+ until: _download_archive is succeeded
+ retries: 5
+ delay: 2
+
+ - name: Download forgejo asc file
+ ansible.builtin.get_url:
+ url: "{{ gitea_forgejo_signed_url | first }}"
+ dest: "/tmp/{{ gitea_filename }}.asc"
+ mode: 0640
+ register: _download_asc
+ become: false
+ until: _download_asc is succeeded
+ retries: 5
+ delay: 2
+
+ - name: Check forgejo gpg key
+ ansible.builtin.command: "gpg --list-keys 0x{{ gitea_forgejo_gpg_key }}"
+ register: _gitea_gpg_key_status
+ changed_when: false
+ become: false
+ failed_when: _gitea_gpg_key_status.rc not in (0, 2)
+
+ - name: Print gpg key status on verbosity # noqa: H500
+ ansible.builtin.debug:
+ msg: "{{ _gitea_gpg_key_status.stdout }}"
+ verbosity: 1
+
+ - name: Import forgejo gpg key
+ ansible.builtin.command: "gpg --keyserver {{ gitea_gpg_server }} --recv {{ gitea_forgejo_gpg_key }}"
+ register: _gitea_import_key
+ become: false
+ changed_when: '"imported: 1" in _gitea_import_key.stderr'
+ when: '_gitea_gpg_key_status.rc != 0 or "expired" in _gitea_gpg_key_status.stdout'
+
+ - name: Check archive signature
+ become: false
+ ansible.builtin.command: "gpg --verify /tmp/{{ gitea_filename }}.asc /tmp/{{ gitea_filename }}"
+ changed_when: false
+
+ - name: Propagate gitea binary
+ become: true
+ ansible.builtin.copy:
+ src: "/tmp/{{ gitea_filename }}"
+ remote_src: true
+ dest: "{{ gitea_full_executable_path }}"
+ mode: 0755
+ owner: root
+ group: root
+ notify: "Restart gitea"
diff --git a/tasks/install_gitea.yml b/tasks/install_gitea.yml
new file mode 100644
index 0000000..4a7f5c4
--- /dev/null
+++ b/tasks/install_gitea.yml
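Review bot: "Check archive signature" accepts any exit code 0 from `gpg --verify`, but gpg returns 0 for a good signature made by *any* key present in the caller's keyring (an untrusted key only yields a warning on stderr), so the fingerprint in `gitea_forgejo_gpg_key` is enforced at import time only — any other key that ends up in the connecting user's default keyring (which the `become: false` tasks share with whatever else that account does) would also pass this check. The signer should be pinned at verification time by reading gpg's machine-readable status and requiring the VALIDSIG line to end with the configured primary-key fingerprint; an alternative is a dedicated `--no-default-keyring --keyring` file used by the import and verify steps. The archive checksum comes from `gitea_forgejo_checksum`, whose origin is outside this hunk, so whether it is independent of the download host is not reviewed here.

```yaml
- name: Check archive signature
  become: false
  ansible.builtin.command: "gpg --status-fd 1 --verify /tmp/{{ gitea_filename }}.asc /tmp/{{ gitea_filename }}"
  register: _gitea_sig_check
  changed_when: false
  # gpg exits 0 for a good signature from any key in the keyring; additionally
  # require a VALIDSIG status line whose primary-key fingerprint is the pinned one.
  failed_when: >-
    _gitea_sig_check.rc != 0 or
    (_gitea_sig_check.stdout_lines
     | select('search', 'VALIDSIG .* ' ~ gitea_forgejo_gpg_key ~ '$')
     | list | length) == 0
```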
@@ -0,0 +1,87 @@
+---
+- name: Dependency block
+ block:
+ - name: Update apt cache
+ become: true
+ ansible.builtin.apt:
+ cache_valid_time: 3600
+ update_cache: true
+ register: _pre_update_apt_cache
+ until: _pre_update_apt_cache is succeeded
+ when:
+ - ansible_pkg_mgr == "apt"
+
+ - name: Install dependencies
+ become: true
+ ansible.builtin.package:
+ name: "{{ gitea_dependencies }}"
+ state: present
+ register: _install_dep_packages
+ until: _install_dep_packages is succeeded
+ retries: 5
+ delay: 2
+
+- name: Install gitea block
+ when: (not gitea_version_check | bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version_target))
+ block:
+ - name: Download gitea archive
+ ansible.builtin.get_url:
+ url: "{{ gitea_dl_url }}.xz"
+ dest: "/tmp/{{ gitea_filename }}.xz"
+ checksum: "sha256:{{ gitea_dl_url }}.xz.sha256"
+ mode: 0640
+ register: _download_archive
+ become: false
+ until: _download_archive is succeeded
+ retries: 5
+ delay: 2
+
+ - name: Download gitea asc file
+ ansible.builtin.get_url:
+ url: "{{ gitea_dl_url }}.xz.asc"
+ dest: "/tmp/{{ gitea_filename }}.xz.asc"
+ mode: 0640
+ register: _download_asc
+ become: false
+ until: _download_asc is succeeded
+ retries: 5
+ delay: 2
+
+ - name: Check gitea gpg key
+ ansible.builtin.command: "gpg --list-keys 0x{{ gitea_gpg_key }}"
+ register: _gitea_gpg_key_status
+ changed_when: false
+ failed_when: _gitea_gpg_key_status.rc not in (0, 2)
+
+ - name: Print gpg key status on verbosity # noqa: H500
+ ansible.builtin.debug:
+ msg: "{{ _gitea_gpg_key_status.stdout }}"
+ verbosity: 1
+
+ - name: Import gitea gpg key
+ ansible.builtin.command: "gpg --keyserver {{ gitea_gpg_server }} --keyserver-option '{{ gitea_gpg_keyserver_option }}' --recv {{ gitea_gpg_key }}"
+ register: _gitea_import_key
+ become: false
+ changed_when: '"imported: 1" in _gitea_import_key.stderr'
+ when: '_gitea_gpg_key_status.rc != 0 or "expired" in _gitea_gpg_key_status.stdout'
+
+ - name: Check archive signature
+ ansible.builtin.command: "gpg --verify /tmp/{{ gitea_filename }}.xz.asc /tmp/{{ gitea_filename }}.xz"
+ changed_when: false
+ become: false
+
+ - name: Unpack gitea binary
+ ansible.builtin.command:
+ cmd: "xz -k -d /tmp/{{ gitea_filename }}.xz"
+ creates: "/tmp/{{ gitea_filename }}"
+
+ - name: Propagate gitea binary
+ become: true
+ ansible.builtin.copy:
+ src: "/tmp/{{ gitea_filename }}"
+ remote_src: true
+ dest: "{{ gitea_full_executable_path }}"
+ mode: 0755
+ owner: root
+ group: root
+ notify: "Restart gitea"
diff --git a/tasks/install_systemd.yml b/tasks/install_systemd.yml
new file mode 100644
index 0000000..1d0084a
--- /dev/null
+++ b/tasks/install_systemd.yml
@@ -0,0 +1,31 @@
+---
+- name: "Setup systemd service"
+ become: true
+ when: ansible_os_family == "Debian"
+ ansible.builtin.template:
+ src: gitea.service.j2
+ dest: /lib/systemd/system/gitea.service
+ owner: root
+ group: root
+ mode: 0644
+ notify:
+ - "Reload systemd"
+ - "Restart gitea"
+
+- name: "Setup systemd service"
+ become: true
+ when: ansible_os_family == "Suse"
+ ansible.builtin.template:
+ src: gitea.service.j2
+ dest: /etc/systemd/system/gitea.service
+ owner: root
+ group: root
+ mode: 0644
+ notify:
+ - "Reload systemd"
+ - "Restart gitea"
+
+- name: "Reload systemd"
+ become: true
+ ansible.builtin.systemd:
+ daemon_reload: true
diff --git a/tasks/jwt_secrets.yml b/tasks/jwt_secrets.yml
new file mode 100644
index 0000000..5700a3b
--- /dev/null
+++ b/tasks/jwt_secrets.yml
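Review bot: "Check archive signature" only checks that `gpg --verify` exits 0, and gpg exits 0 for a good signature from *any* key in the caller's keyring, so `gitea_gpg_key` is enforced at import time only and a stray key in the connecting user's default keyring would also validate a tampered archive; the `checksum: "sha256:{{ gitea_dl_url }}.xz.sha256"` does not help here because it is fetched from the same origin as the archive and adds no integrity beyond TLS. Pin the signer at verification time by reading gpg's status output and requiring the VALIDSIG line to end with the configured primary fingerprint, or use a dedicated `--no-default-keyring --keyring` file for both import and verify. Two smaller points: "Check gitea gpg key" lacks the `become: false` its forgejo counterpart has, so under play-level become it lists root's keyring while import and verify use the unprivileged user's and the import repeats on every run; and `--keyserver-option '{{ gitea_gpg_keyserver_option }}'` passes an empty option when the default `''` is kept, which I would expect gpg to tolerate but which is cleaner as a conditional.

```yaml
- name: Check archive signature
  become: false
  ansible.builtin.command: "gpg --status-fd 1 --verify /tmp/{{ gitea_filename }}.xz.asc /tmp/{{ gitea_filename }}.xz"
  register: _gitea_sig_check
  changed_when: false
  # gpg exits 0 for a good signature from any key in the keyring; additionally
  # require a VALIDSIG status line whose primary-key fingerprint is the pinned one.
  failed_when: >-
    _gitea_sig_check.rc != 0 or
    (_gitea_sig_check.stdout_lines
     | select('search', 'VALIDSIG .* ' ~ gitea_gpg_key ~ '$')
     | list | length) == 0
```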
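Review bot: Only `ansible_os_family == "Debian"` and `"Suse"` receive a unit file, although meta/main.yml in this same commit lists Fedora and EL as supported platforms and a `vars/redhat.yml` is added; on those hosts the template is never written, and the subsequent service start in configure.yml would fail on a missing `gitea.service` (unless RedHat is handled somewhere outside this diff). The simplest fix is one unconditional task writing `/etc/systemd/system/gitea.service` — the administrator-owned location on every systemd distribution, whereas `/lib/systemd/system` on Debian is package territory that a package upgrade may overwrite — or at least `when: ansible_os_family in ["Suse", "RedHat"]` on the second task. The trailing "Reload systemd" task duplicates the handler of the same name and runs on every play regardless of change; the `notify` already covers it.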
@@ -0,0 +1,38 @@
+---
+- name: Generate OAuth2 JWT_SECRET if not provided
+ become: true
+ ansible.builtin.shell: 'umask 077; {{ gitea_full_executable_path }} generate secret JWT_SECRET > {{ gitea_configuration_path }}/gitea_oauth_jwt_secret'
+ args:
+ creates: '{{ gitea_configuration_path }}/gitea_oauth_jwt_secret'
+ when: gitea_oauth2_jwt_secret | length == 0
+
+- name: Read OAuth2 JWT_SECRET from file
+ become: true
+ ansible.builtin.slurp:
+ src: '{{ gitea_configuration_path }}/gitea_oauth_jwt_secret'
+ register: oauth_jwt_secret
+ when: gitea_oauth2_jwt_secret | length == 0
+
+- name: Set fact gitea_oauth2_jwt_secret
+ ansible.builtin.set_fact:
+ gitea_oauth2_jwt_secret: "{{ oauth_jwt_secret['content'] | b64decode }}"
+ when: gitea_oauth2_jwt_secret | length == 0
+
+- name: Generate LFS JWT_SECRET if not provided
+ become: true
+ ansible.builtin.shell: 'umask 077; {{ gitea_full_executable_path }} generate secret JWT_SECRET > {{ gitea_configuration_path }}/gitea_lfs_jwt_secret'
+ args:
+ creates: '{{ gitea_configuration_path }}/gitea_lfs_jwt_secret'
+ when: gitea_lfs_jwt_secret | length == 0
+
+- name: Read LFS JWT_SECRET from file
+ become: true
+ ansible.builtin.slurp:
+ src: '{{ gitea_configuration_path }}/gitea_lfs_jwt_secret'
+ register: lfs_jwt_secret
+ when: gitea_lfs_jwt_secret | length == 0
+
+- name: Set fact gitea_lfs_jwt_secret
+ ansible.builtin.set_fact:
+ gitea_lfs_jwt_secret: "{{ lfs_jwt_secret['content'] | b64decode }}"
+ when: gitea_lfs_jwt_secret | length == 0
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..c1862f4
--- /dev/null
+++ b/tasks/main.yml
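Review bot: The "Read ... JWT_SECRET from file" and "Set fact ..." tasks for `gitea_oauth2_jwt_secret` and `gitea_lfs_jwt_secret` have no `no_log: true`, so the registered `oauth_jwt_secret` / `lfs_jwt_secret` results and the fact values are printed under `-v` and captured by any logging callback or `log_path`; add `no_log: true` to those four tasks. The conditions also differ from gitea_secrets.yml in this commit, which guards with `| string | length == 0` — here a caller passing a null or numeric value makes `| length` raise instead of falling through to generation, so `when: gitea_oauth2_jwt_secret | string | length == 0` (and the LFS equivalent) is both more robust and consistent.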
@@ -0,0 +1,81 @@
+---
+- name: Perform optional versionscheck
+ ansible.builtin.include_tasks:
+ file: 'versioncheck.yml'
+ when: submodules_versioncheck|bool
+
+- name: Gather installed packages for checks later on
+ ansible.builtin.package_facts:
+ manager: 'auto'
+
+- name: Prepare gitea/forgejo variable import
+ block:
+ - name: Gather variables for gitea or forgejo
+ ansible.builtin.include_vars:
+ file: "{{ lookup('first_found', gitea_fork_variables) }}"
+ rescue:
+ - name: Gitea/Forejo import info
+ ansible.builtin.fail:
+ msg: "Currently only {{ gitea_supported_forks }} are supported."
+
+- name: Gather variables for each operating system
+ ansible.builtin.include_vars:
+ file: "{{ lookup('first_found', gitea_variables) }}"
+
+- name: Gather versioning information
+ ansible.builtin.include_tasks:
+ file: "set_{{ gitea_fork | lower }}_version.yml"
+
+- name: Backup gitea before update
+ ansible.builtin.include_tasks:
+ file: 'backup.yml'
+ when: gitea_backup_on_upgrade|bool
+
+- name: Create gitea user and role
+ ansible.builtin.include_tasks:
+ file: 'create_user.yml'
+
+- name: "Install or update {{ gitea_fork }}"
+ ansible.builtin.include_tasks:
+ file: "install_{{ gitea_fork | lower }}.yml"
+
+- name: Create directories
+ ansible.builtin.include_tasks:
+ file: 'directory.yml'
+
+- name: Setup gitea systemd service
+ ansible.builtin.include_tasks:
+ file: 'install_systemd.yml'
+ when: ansible_service_mgr == "systemd"
+
+- name: Generate JWT Secrets if undefined
+ ansible.builtin.include_tasks:
+ file: 'jwt_secrets.yml'
+
+- name: Generate gitea secrets if undefined
+ ansible.builtin.include_tasks:
+ file: 'gitea_secrets.yml'
+
+- name: Configure gitea
+ ansible.builtin.include_tasks:
+ file: 'configure.yml'
+
+- name: Deploy optional fail2ban rules
+ ansible.builtin.include_tasks:
+ file: 'fail2ban.yml'
+ when: gitea_fail2ban_enabled | bool
+
+- name: Optionally customize gitea
+ ansible.builtin.include_tasks:
+ file: 'customize_logo.yml'
+ when: gitea_customize_logo | bool
+
+- name: Optionally customize footer
+ ansible.builtin.include_tasks:
+ file: 'customize_footer.yml'
+ when: gitea_customize_footer | bool
+
+- name: Optionally deploy public files
+ ansible.builtin.include_tasks:
+ file: 'customize_public_files.yml'
+ when: gitea_customize_files | bool
diff --git a/tasks/set_forgejo_version.yml b/tasks/set_forgejo_version.yml
new file mode 100644
index 0000000..2c746eb
--- /dev/null
+++ b/tasks/set_forgejo_version.yml
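Review bot: On hosts whose `ansible_service_mgr` is not `systemd`, the `Setup gitea systemd service` include is skipped silently and the role continues to generate secrets, write the configuration and deploy fail2ban as if a service existed; unless another init system is handled outside this chunk, an `ansible.builtin.assert` with `that: ansible_service_mgr == "systemd"` near the top of this file would fail fast with a clear message instead of leaving a half-installed host. The rescue task is named `Gitea/Forejo import info`; rename it to `Gitea/Forgejo import info`. The `when:` spelling alternates between `submodules_versioncheck|bool` and `gitea_fail2ban_enabled | bool`; pick one form for the file.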
@@ -0,0 +1,107 @@
+---
+- name: "Check forgejo installed version"
+ ansible.builtin.shell: "set -eo pipefail; {{ gitea_full_executable_path }} -v | cut -d' ' -f 3"
+ args:
+ executable: '/bin/bash'
+ register: gitea_active_version
+ changed_when: false
+ failed_when: false
+
+- name: "Determine 'latest' version release"
+ when: gitea_version == "latest"
+ block:
+ - name: "Get latest forgejo release metadata"
+ ansible.builtin.uri:
+ url: 'https://codeberg.org/api/v1/repos/forgejo/forgejo/releases?limit=1'
+ return_content: true
+ register: gitea_forgejo_remote_metadata
+ become: false
+ when: not ansible_check_mode
+
+ - name: "Fail if running in check mode without versions set."
+ ansible.builtin.fail:
+ msg: |
+ "You are running this playbook in check mode:
+ Please set the Gitea version with the variable 'gitea_version', because the URI module cannot detect the latest version in this mode."
+ when: ansible_check_mode and (gitea_version == 'latest' or gitea_version == 'present')
+
+ - name: "Set fact latest forgejo release"
+ ansible.builtin.set_fact:
+ gitea_remote_version: "{{ gitea_forgejo_remote_metadata.json.0.tag_name[1:] }}"
+ when: not ansible_check_mode
+
+ - name: "Set forgejo version target (latest)"
+ ansible.builtin.set_fact:
+ gitea_version_target: "{{ gitea_remote_version }}"
+ when: not ansible_check_mode
+
+- name: "Set forgejo version target {{ gitea_version }}"
+ ansible.builtin.set_fact:
+ gitea_version_target: "{{ gitea_version }}"
+ when: gitea_version != "latest"
+
+- name: "Download forgejo version {{ gitea_version_target }}"
+ when: not ansible_check_mode
+ block:
+ - name: "Get specific forgejo release metadata"
+ ansible.builtin.uri:
+ url: 'https://codeberg.org/api/v1/repos/forgejo/forgejo/releases/tags/v{{ gitea_version_target }}'
+ return_content: true
+ register: gitea_forgejo_remote_tags_metadata
+ become: false
+ rescue:
+ - name: "Error Downloading https://codeberg.org/api/v1/repos/forgejo/forgejo/releases/tags/v{{ gitea_version_target }}"
+ ansible.builtin.fail:
+ msg: "We did not find the forgejo version you specified. Are you sure that '{{ gitea_version_target }}' is a valid forgejo version?"
+
+- name: "Generate forgejo download url"
+ ansible.builtin.set_fact:
+ gitea_forgejo_dl_url: "{{ gitea_forgejo_remote_tags_metadata.json | community.general.json_query(gitea_forgejo_query_download) }}"
+ when: not ansible_check_mode
+
+- name: "Generate forgejo download checksum url"
+ ansible.builtin.set_fact:
+ gitea_forgejo_checksum_url: "{{ gitea_forgejo_remote_tags_metadata.json | community.general.json_query(gitea_forgejo_query_checksum) }}"
+ when: not ansible_check_mode
+
+- name: Get forgejo checksum
+ ansible.builtin.uri:
+ url: "{{ gitea_forgejo_checksum_url | first }}"
+ return_content: true
+ register: _gitea_forgejo_dl_checksum
+ become: false
+ when: not ansible_check_mode
+
+- name: Set forjeo checksum
+ ansible.builtin.set_fact:
+ gitea_forgejo_checksum: "{{ _gitea_forgejo_dl_checksum.content.split(' ')[0] }}"
+ when: not ansible_check_mode
+
+- name: "Generate forgejo download signed url"
+ ansible.builtin.set_fact:
+ gitea_forgejo_signed_url: "{{ gitea_forgejo_remote_tags_metadata.json | community.general.json_query(gitea_forgejo_query_signed) }}"
+ when: not ansible_check_mode
+
+- name: "Set a example forgejo download link if in check mode"
+ ansible.builtin.set_fact:
+ gitea_forgejo_dl_url: ['https://codeberg.org/attachments/a00333ad-250a-4d30-a764-9a37fb24f419']
+ when: ansible_check_mode
+
+- name: "Set a example forgejo checksum link if in check mode"
+ ansible.builtin.set_fact:
+ gitea_forgejo_checksum: 'f8c71464d1b250bf022eaa3df270c810950904ceb71da5cefc7ec24a034a4c87'
+ when: ansible_check_mode
+
+- name: "Set a example forgejo checksum link if in check mode"
+ ansible.builtin.set_fact:
+ gitea_forgejo_signed_url: ['https://codeberg.org/attachments/ae5e50c6-e86e-4202-b95f-f142e8138e2f']
+ when: ansible_check_mode
+
+- name: Show Download URLs # noqa: H500
+ ansible.builtin.debug:
+ msg: "{{ item }}"
+ verbosity: 1
+ loop:
+ - "gitea_forgejo_dl_url: {{ gitea_forgejo_dl_url | first }}"
+ - "gitea_forgejo_checksum: {{ gitea_forgejo_checksum }}"
+ - "gitea_forgejo_signed_url: {{ gitea_forgejo_signed_url | first }}"
diff --git a/tasks/set_gitea_version.yml b/tasks/set_gitea_version.yml
new file mode 100644
index 0000000..c01a674
--- /dev/null
+++ b/tasks/set_gitea_version.yml
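Review bot: `gitea_version == 'present'` is tested in the check-mode `fail` condition, but the enclosing block only runs `when: gitea_version == "latest"`, so that branch is unreachable, and a user who sets `gitea_version: present` falls through to `Set forgejo version target {{ gitea_version }}` and requests tag `vpresent` from Codeberg; tasks/set_gitea_version.yml has the same pattern. Either accept it on the block (`when: gitea_version in ['latest', 'present']`) or drop `present` from the condition and document that only `latest` or an explicit version is valid. `releases?limit=1` returns the newest release regardless of its pre-release flag, so a `latest` install can land on a release candidate; if the Codeberg API honours it, appending `&pre-release=false` pins to stable releases. The two check-mode fallbacks for the checksum and the signed URL share the name `Set a example forgejo checksum link if in check mode`, and `Set forjeo checksum` is misspelt. The sha256 fetched here comes from the same release assets as the binary and only guards against transport corruption; the signature at `gitea_forgejo_signed_url` is what provides origin authenticity, and its verification lives in tasks/install_forgejo.yml, outside this chunk.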
@@ -0,0 +1,45 @@
+---
+- name: "Check gitea installed version"
+ ansible.builtin.shell: "set -eo pipefail; {{ gitea_full_executable_path }} -v | cut -d' ' -f 3"
+ args:
+ executable: /bin/bash
+ register: gitea_active_version
+ changed_when: false
+ failed_when: false
+
+- name: "Determine 'latest' version release"
+ when: gitea_version == "latest"
+ block:
+ - name: "Get latest gitea release metadata"
+ ansible.builtin.uri:
+ url: https://api.github.com/repos/go-gitea/gitea/releases/latest
+ return_content: true
+ register: gitea_remote_metadata
+ become: false
+ when: not ansible_check_mode
+
+ - name: "Fail if running in check mode without versions set."
+ ansible.builtin.fail:
+ msg: |
+ "You are running this playbook in check mode:
+ Please set the Gitea version with the variable 'gitea_version', because the URI module cannot detect the latest version in this mode."
+ when: ansible_check_mode and (gitea_version == 'latest' or gitea_version == 'present')
+
+ - name: "Set fact latest gitea release"
+ ansible.builtin.set_fact:
+ gitea_remote_version: "{{ gitea_remote_metadata.json.tag_name[1:] }}"
+ when: not ansible_check_mode
+
+ - name: "Set gitea version target (latest)"
+ ansible.builtin.set_fact:
+ gitea_version_target: "{{ gitea_remote_version }}"
+ when: not ansible_check_mode
+
+- name: "Set gitea version target {{ gitea_version }}"
+ ansible.builtin.set_fact:
+ gitea_version_target: "{{ gitea_version }}"
+ when: gitea_version != "latest"
+
+- name: "Generate gitea download URL"
+ ansible.builtin.set_fact:
+ gitea_dl_url: "https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version_target }}/gitea-{{ gitea_version_target }}-linux-{{ gitea_arch }}"
diff --git a/tasks/versioncheck.yml b/tasks/versioncheck.yml
new file mode 100644
index 0000000..7dd80c5
--- /dev/null
+++ b/tasks/versioncheck.yml
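Review bot: Unlike set_forgejo_version.yml, no checksum or signature URL is derived here, so the integrity of `gitea_dl_url` rests entirely on the `gpg --verify` of the `.xz.asc` in tasks/install_gitea.yml, whose beginning is outside this chunk; that check only means something if the signing key is imported by a pinned fingerprint rather than by whatever key ID the signature names, which is worth confirming there. `gitea_active_version` is registered with `failed_when: false`, so on a host without the binary its `stdout` is empty and the error text sits in `stderr`; whatever compares it with `gitea_version_target` later should read `stdout` only and treat empty as "not installed". Minor: `executable: /bin/bash` is quoted in the forgejo twin and bare here.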
@@ -0,0 +1,44 @@
+---
+# Copyright (c) 2021 L3D
+# this file is released with the MIT license.
+# License: https://github.com/roles-ansible/ansible_role_template/blob/main/LICENSE
+- name: Create directory for versionscheck
+ become: true
+ ansible.builtin.file:
+ path: '/etc/.ansible-version'
+ state: directory
+ mode: '0755'
+ when: submodules_versioncheck | bool
+
+- name: Check playbook version
+ become: true
+ ansible.builtin.slurp:
+ src: "/etc/.ansible-version/{{ playbook_version_path }}"
+ register: playbook_version
+ when: submodules_versioncheck | bool
+ failed_when: false
+
+- name: Print remote role version # noqa: H500
+ ansible.builtin.debug:
+ msg: "Remote role version: {{ playbook_version.content | default('Y3VycmVudGx5IG5vdCBkZXBsb3llZAo=') | b64decode | string }}"
+ when: submodules_versioncheck | bool
+
+- name: Print locale role version # noqa: H500
+ ansible.builtin.debug:
+ msg: "Local role version: '{{ playbook_version_number | string }}'."
+ when: submodules_versioncheck | bool
+
+- name: Check if your version is outdated
+ ansible.builtin.fail:
+ msg: "Your ansible module has the version '{{ playbook_version_number }}' and is outdated. You need to update it!"
+ when:
+ - playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck | bool
+
+- name: Write new version to remote disk
+ become: true
+ ansible.builtin.copy:
+ content: "{{ playbook_version_number }}"
+ dest: "/etc/.ansible-version/{{ playbook_version_path }}"
+ mode: '0644'
+ when: submodules_versioncheck | bool
+ tags: skip_ansible_lint_template-instead-of-copy
diff --git a/templates/fail2ban/filter.conf.j2 b/templates/fail2ban/filter.conf.j2
new file mode 100644
index 0000000..b6b408e
--- /dev/null
+++ b/templates/fail2ban/filter.conf.j2
@@ -0,0 +1,4 @@
+# Managed by Ansible
+[Definition]
+failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from
+ignoreregex =
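Review bot: Every task in this file repeats `when: submodules_versioncheck | bool` although tasks/main.yml already guards the include with the same condition; either the per-task guards or the guard on the include can go. The `Check if your version is outdated` condition `...|b64decode|int - 1 >= playbook_version_number|int` is `remote > local` written obliquely; `playbook_version.content|default("Mgo=")|b64decode|int > playbook_version_number|int` states the same thing and is easier to audit. `Print locale role version` should read `Print local role version`.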
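Review bot: The `failregex` ends at `from` with no host-capture token, and fail2ban needs a `<HOST>` token in `failregex` to extract the offending address; without it the filter matches log lines but can never ban anything. If an angle-bracket token was dropped when this page was rendered, disregard this; otherwise the line should end `.* from <HOST>`. The leading `.*` is redundant for an unanchored pattern and adds a backtracking scan on every log line; `failregex = (Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>` matches the same lines.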
diff --git a/templates/fail2ban/jail.conf.j2 b/templates/fail2ban/jail.conf.j2
new file mode 100644
index 0000000..92d5fc9
--- /dev/null
+++ b/templates/fail2ban/jail.conf.j2
@@ -0,0 +1,9 @@
+[gitea]
+enabled = true
+port = http,https
+filter = gitea
+logpath = {{ gitea_home }}/log/gitea.log
+maxretry = {{ gitea_fail2ban_jail_maxretry }}
+findtime = {{ gitea_fail2ban_jail_findtime }}
+bantime = {{ gitea_fail2ban_jail_bantime }}
+action = {{ gitea_fail2ban_jail_action }}
diff --git a/templates/gitea.ini.j2 b/templates/gitea.ini.j2
new file mode 100644
index 0000000..e4bea98
--- /dev/null
+++ b/templates/gitea.ini.j2
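Review bot: `logpath = {{ gitea_home }}/log/gitea.log` is unconditional, but templates/gitea.ini.j2 in this commit switches `[log] MODE` to `console` when `gitea_log_systemd` is set, so in that configuration the file never exists and fail2ban refuses to start the jail. Guard the jail on the same variable, e.g. `{% if gitea_log_systemd %}backend = systemd{% else %}logpath = {{ gitea_home }}/log/gitea.log{% endif %}` with a matching `journalmatch = _SYSTEMD_UNIT=gitea.service` in the filter, or have tasks/fail2ban.yml skip when logs go to the journal. Behind a reverse proxy the address Gitea logs is the proxy's unless the proxy is listed in `[security] REVERSE_PROXY_TRUSTED_PROXIES`, in which case this jail would ban the proxy itself; that caveat belongs in the README next to `gitea_fail2ban_enabled`.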
@@ -0,0 +1,312 @@
+; this file is the configuration of your local Gitea instance
+; {{ ansible_managed }}
+;
+; This file overwrites the default values from Gitea.
+; undefined variables will use the default value from Gitea.
+; Cheat Sheet: https://docs.gitea.com/next/administration/config-cheat-sheet/
+;
+; -> https://docs.gitea.com/next/administration/config-cheat-sheet#overall-default
+APP_NAME = {{ gitea_app_name }}
+RUN_USER = {{ gitea_user }}
+RUN_MODE = {{ gitea_run_mode }}
+WORK_PATH = {{ gitea_home }}
+;
+;
+; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#repository-repository
+[repository]
+ROOT = {{ gitea_repository_root }}
+FORCE_PRIVATE = {{ gitea_force_private | ternary('true', 'false') }}
+DEFAULT_PRIVATE = {{ gitea_default_private }}
+MAX_CREATION_LIMIT = {{ gitea_user_repo_limit }}
+DISABLE_HTTP_GIT = {{ gitea_disable_http_git | ternary('true', 'false') }}
+ENABLE_PUSH_CREATE_USER = {{ gitea_enable_push_create_user | ternary('true', 'false') }}
+ENABLE_PUSH_CREATE_ORG = {{ gitea_enable_push_create_org | ternary('true', 'false') }}
+DISABLED_REPO_UNITS = {{ gitea_disabled_repo_units }}
+DEFAULT_REPO_UNITS = {{ gitea_default_repo_units }}
+DISABLE_STARS = {{ gitea_disable_stars | ternary('true', 'false') }}
+DEFAULT_BRANCH = {{ gitea_default_branch }}
+{{ gitea_repository_extra_config }}
+;
+;
+; -> https://docs.gitea.com/next/administration/administration/config-cheat-sheet/#repository---upload-repositoryupload
+[repository.upload]
+ENABLED = {{ gitea_repository_upload_enabled | ternary('true', 'false') }}
+TEMP_PATH = {{ gitea_home }}/data/tmp/uploads
+FILE_MAX_SIZE = {{ gitea_repository_upload_max_size }}
+{{ gitea_repository_upload_extra_config }}
+;
+;
+{% if gitea_enable_repo_signing_options | bool %}
+; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#repository---signing-repositorysigning
+[repository.signing]
+SIGNING_KEY = {{ gitea_repo_signing_key }}
+SIGNING_NAME = {{ gitea_repo_signing_name }}
+SIGNING_EMAIL = {{ gitea_repo_signing_email }}
+INITIAL_COMMIT = {{ gitea_repo_initial_commit }}
+DEFAULT_TRUST_MODEL = {{ gitea_repo_default_trust_model }}
+WIKI = {{ gitea_repo_wiki }}
+CRUD_ACTIONS = {{ gitea_repo_crud_actions }}
+MERGES = {{ gitea_repo_merges }}
+{{ gitea_enable_repo_signing_extra }}
+;
+{% endif %}
+;
+{% if gitea_enable_cors | bool %}
+;
+; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#cors-cors
+[cors]
+ENABLED = {{ gitea_enable_cors | ternary('true', 'false') }}
+SCHEME = {{ gitea_cors_scheme }}
+ALLOW_DOMAIN = {{ gitea_cors_allow_domain }}
+ALLOW_SUBDOMAIN = {{ gitea_cors_allow_subdomain | ternary('true', 'false') }}
+METHODS = {{ gitea_cors_methods }}
+MAX_AGE = {{ gitea_cors_max_age }}
+ALLOW_CREDENTIALS = {{ gitea_cors_allow_credentials | ternary('true', 'false') }}
+HEADERS = {{ gitea_cors_headers }}
+X_FRAME_OPTIONS = {{ gitea_cors_x_frame_options }}
+{{ gitea_cors_extra }}
+;
+{% endif %}
+;
+; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#ui-ui
+[ui]
+THEMES = {{ gitea_themes }}
+DEFAULT_THEME = {{ gitea_theme_default }}
+SHOW_USER_EMAIL = {{ gitea_show_user_email | ternary('true', 'false') }}
+{{ gitea_ui_extra_config }}
+;
+;
+;
+[ui.meta]
+AUTHOR = {{ gitea_ui_author }}
+DESCRIPTION = {{ gitea_ui_description }}
+KEYWORDS = {{ gitea_ui_keywords }}
+{{ gitea_ui_meta_extra_config }}
+;
+;
+; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#server-server
+[server]
+APP_DATA_PATH = {{ gitea_home }}/data
+PROTOCOL = {{ gitea_protocol }}
+DOMAIN = {{ gitea_http_domain }}
+ROOT_URL = {{ gitea_root_url }}
+HTTP_ADDR = {{ gitea_http_listen }}
+HTTP_PORT = {{ gitea_http_port }}
+START_SSH_SERVER = {{ gitea_start_ssh | ternary('true', 'false') }}
+SSH_DOMAIN = {{ gitea_ssh_domain }}
+SSH_PORT = {{ gitea_ssh_port }}
+SSH_LISTEN_HOST = {{ gitea_ssh_listen }}
+OFFLINE_MODE = {{ gitea_offline_mode | ternary('true', 'false') }}
+{% if gitea_enable_tls_certs | bool %}
+CERT_FILE = {{ gitea_tls_cert_file }}
+KEY_FILE = {{ gitea_tls_key_file }}
+{% endif %}
+LANDING_PAGE = {{ gitea_landing_page }}
+{% if gitea_lfs_server_enabled | bool %}
+LFS_START_SERVER = true
+LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }}
+{% endif %}
+REDIRECT_OTHER_PORT = {{ gitea_redirect_other_port | ternary('true', 'false') }}
+PORT_TO_REDIRECT = {{ gitea_port_to_redirect }}
+ENABLE_ACME = {{ gitea_enable_acme | ternary('true', 'false') }}
+{% if gitea_enable_acme | bool %}
+{% if gitea_acme_url != '' %}
+ACME_URL = {{ gitea_acme_url }}
+{% endif %}
+ACME_ACCEPTTOS = {{ gitea_acme_accepttos | ternary('true', 'false') }}
+ACME_DIRECTORY = {{ gitea_acme_directory }}
+ACME_EMAIL = {{ gitea_acme_email }}
+ACME_CA_ROOT = {{ gitea_acme_ca_root }}
+{% endif %}
+{{ gitea_server_extra_config }}
+;
+;
+; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#database-database
+[database]
+DB_TYPE = {{ gitea_db_type }}
+HOST = {{ gitea_db_host }}
+NAME = {{ gitea_db_name }}
+USER = {{ gitea_db_user }}
+PASSWD = {{ gitea_db_password }}
+SSL_MODE = {{ gitea_db_ssl }}
+PATH = {{ gitea_db_path }}
+LOG_SQL = {{ gitea_db_log_sql | ternary('true', 'false') }}
+{{ gitea_database_extra_config }}
+;
+;
+; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#indexer-indexer
+[indexer]
+ISSUE_INDEXER_PATH = {{ gitea_home }}/indexers/issues.bleve
+REPO_INDEXER_ENABLED = {{ gitea_repo_indexer_enabled | ternary('true', 'false') }}
+REPO_INDEXER_PATH = {{ gitea_home }}/indexers/repos.bleve
+REPO_INDEXER_INCLUDE = {{ gitea_repo_indexer_include }}
+REPO_INDEXER_EXCLUDE = {{ gitea_repo_indexer_exclude }}
+REPO_INDEXER_EXCLUDE_VENDORED = {{ gitea_repo_exclude_vendored | ternary('true', 'false') }}
+MAX_FILE_SIZE = {{ gitea_repo_indexer_max_file_size }}
+{{ gitea_indexer_extra_config }}
+;
+;
+; Queue (queue and queue.*)
+; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#queue-queue-and-queue
+[queue.issue_indexer]
+DATADIR = {{ gitea_home }}/indexers/issues.queue
+{{ gitea_queue_issue_indexer_extra_config }}
+;
+;
+; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#security-security
+[security]
+INSTALL_LOCK = true
+SECRET_KEY = {{ gitea_secret_key }}
+DISABLE_GIT_HOOKS = {{ gitea_disable_git_hooks | ternary('true', 'false') }}
+DISABLE_WEBHOOKS = {{ gitea_disable_webhooks | ternary('true', 'false') }}
+INTERNAL_TOKEN = {{ gitea_internal_token }}
+PASSWORD_CHECK_PWN = {{ gitea_password_check_pwn | ternary('true', 'false') }}
+{{ gitea_security_extra_config }}
+;
+;
+; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#service-service
+[service]
+REGISTER_EMAIL_CONFIRM = {{ gitea_register_email_confirm | ternary('true', 'false') }}
+DISABLE_REGISTRATION = {{ gitea_disable_registration | ternary('true', 'false') }}
+REQUIRE_SIGNIN_VIEW = {{ gitea_require_signin | ternary('true', 'false') }}
+ENABLE_NOTIFY_MAIL = {{ gitea_enable_notify_mail | ternary('true', 'false') }}
+ENABLE_CAPTCHA = {{ gitea_enable_captcha | ternary('true', 'false') }}
+DEFAULT_KEEP_EMAIL_PRIVATE = {{ gitea_default_keep_mail_private | ternary('true', 'false') }}
+SHOW_REGISTRATION_BUTTON = {{ gitea_show_registration_button | ternary('true', 'false') }}
+AUTO_WATCH_NEW_REPOS = {{ gitea_auto_watch_new_repos | ternary('true', 'false') }}
+ALLOW_ONLY_EXTERNAL_REGISTRATION = {{ gitea_only_allow_external_registration | ternary('true', 'false') }}
+AUTO_WATCH_ON_CHANGES = {{ gitea_autowatch_on_change | ternary('true', 'false') }}
+SHOW_MILESTONES_DASHBOARD_PAGE = {{ gitea_show_milestones_dashboard_page | ternary('true', 'false') }}
+REGISTER_MANUAL_CONFIRM = {{ gitea_register_manual_confirm | ternary('true', 'false') }}
+DEFAULT_ALLOW_CREATE_ORGANIZATION = {{ gitea_default_allow_create_organization | ternary('true', 'false') }}
+DEFAULT_USER_IS_RESTRICTED = {{ gitea_default_user_is_restricted | ternary('true', 'false') }}
+{% if gitea_email_domain_allowlist is defined and gitea_email_domain_allowlist | length %}
+EMAIL_DOMAIN_ALLOWLIST = {{ gitea_email_domain_allowlist }}
+{% endif %}
+DEFAULT_USER_VISIBILITY = {{ gitea_default_user_visibility }}
+DEFAULT_ORG_VISIBILITY = {{ gitea_default_org_visibility }}
+ALLOW_ONLY_INTERNAL_REGISTRATION = {{ gitea_allow_only_internal_registration | ternary('true', 'false') }}
+ALLOW_ONLY_EXTERNAL_REGISTRATION = {{ gitea_allow_only_external_registration | ternary('true', 'false') }}
+{{ gitea_service_extra_config }}
+;
+;
+; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#mailer-mailer
+[mailer]
+ENABLED = {{ gitea_mailer_enabled | ternary('true', 'false') }}
+{% if gitea_mailer_enabled | bool %}
+{% if gitea_mailer_use_client_cert | bool %}
+CLIENT_CERT_FILE = {{ gitea_mailer_client_cert_file }}
+CLIENT_KEY_FILE = {{ gitea_mailer_client_key_file }}
+{% endif %}
+PROTOCOL = {{ gitea_mailer_protocol }}
+SMTP_ADDR = {{ gitea_mailer_smtp_addr }}
+SMTP_PORT = {{ gitea_mailer_smtp_port }}
+USE_CLIENT_CERT = {{ gitea_mailer_use_client_cert | ternary('true', 'false') }}
+FORCE_TRUST_SERVER_CERT = {{ gitea_mailer_force_trust_server_cert | ternary('true', 'false') }}
+USER = {{ gitea_mailer_user }}
+PASSWD = {{ gitea_mailer_password }}
+ENABLE_HELO = {{ gitea_mailer_enable_helo | ternary('true', 'false') }}
+FROM = {{ gitea_mailer_from }}
+SUBJECT_PREFIX = {{ gitea_subject_prefix }}
+SEND_AS_PLAIN_TEXT = {{ gitea_mailer_send_as_plaintext | ternary('true', 'false') }}
+{{ gitea_mailer_extra_config }}
+;
+{% endif %}
+;
+;
+; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#session-session
+[session]
+PROVIDER = {{ gitea_session_provider }}
+PROVIDER_CONFIG = {{ gitea_home }}/data/sessions
+{{ gitea_session_extra_config }}
+;
+;
+; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#picture-picture
+[picture]
+AVATAR_UPLOAD_PATH = {{ gitea_home }}/data/avatars
+{{ gitea_picture_extra_config }}
+;
+;
+; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#issue-and-pull-request-attachments-attachment
+[attachment]
+ENABLED = {{ gitea_attachment_enabled | ternary('true', 'false') }}
+ALLOWED_TYPES = {{ gitea_attachment_types }}
+MAX_SIZE = {{ gitea_attachment_max_size }}
+PATH = {{ gitea_home }}/data/attachments
+{{ gitea_attachment_extra_config }}
+;
+;
+; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#log-log
+[log]
+ROOT_PATH = {{ gitea_home }}/log
+{% if gitea_log_systemd %}
+MODE = console
+{% else %}
+MODE = file
+{% endif %}
+LEVEL = {{ gitea_log_level }}
+{{ gitea_log_extra_config }}
+;
+;
+; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#metrics-metrics
+[metrics]
+ENABLED = {{ gitea_metrics_enabled | ternary('true', 'false') }}
+TOKEN = {{ gitea_metrics_token }}
+{{ gitea_metrics_extra }}
+;
+;
+; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#oauth2-oauth2
+[oauth2]
+ENABLE = {{ gitea_oauth2_enabled | ternary('true', 'false') }}
+JWT_SECRET = {{ gitea_oauth2_jwt_secret }}
+{{ gitea_oauth2_extra_config }}
+;
+;
+; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#federation-federation
+[federation]
+ENABLED = {{ gitea_federation_enabled | ternary('true', 'false') }}
+SHARE_USER_STATISTICS = {{ gitea_federation_share_user_stats | ternary('true', 'false') }}
+{{ gitea_federation_extra }}
+;
+;
+; Packages (packages)
+; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#packages-packages
+[packages]
+ENABLED = {{ gitea_packages_enabled | ternary('true', 'false') }}
+{% if gitea_packages_enabled | bool %}
+CHUNKED_UPLOAD_PATH = {{ gitea_home }}/data/tmp/package-upload
+{{ gitea_packages_extra }}
+{% endif %}
+;
+;
+{% if gitea_lfs_server_enabled | bool %}
+; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#lfs-lfs
+[lfs]
+STORAGE_TYPE = {{ gitea_lfs_storage_type }}
+SERVE_DIRECT = {{ gitea_lfs_serve_direct | ternary('true', 'false') }}
+PATH = {{ gitea_lfs_content_path }}
+{{ gitea_lfs_extra }}
+{% endif %}
+;
+;
+{% if gitea_actions_enabled | bool %}
+; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#actions-actions
+[actions]
+ENABLED = {{ gitea_actions_enabled }}
+DEFAULT_ACTIONS_URL = {{ gitea_actions_default_actions_url }}
+{{ gitea_actions_extra }}
+{% endif %}
+;
+;
+; Other (other)
+; -> https://docs.gitea.com/next/administration/config-cheat-sheet/#other-other
+[other]
+SHOW_FOOTER_VERSION = {{ gitea_other_show_footer_version | ternary('true', 'false') }}
+SHOW_FOOTER_TEMPLATE_LOAD_TIME = {{ gitea_other_show_footer_template_load_time | ternary('true', 'false') }}
+ENABLE_SITEMAP = {{ gitea_other_enable_sitemap | ternary('true', 'false') }}
+ENABLE_FEED = {{ gitea_other_enable_feed | ternary('true', 'false') }}
+;
+;
+;
+; Optional additional config
+{{ gitea_extra_config }}
diff --git a/templates/gitea.service.j2 b/templates/gitea.service.j2
new file mode 100644
index 0000000..e47ee6d
--- /dev/null
+++ b/templates/gitea.service.j2
@@ -0,0 +1,16 @@
+[Unit]
+Description={{ gitea_fork }} git server
+After=network.target
+
+[Service]
+User={{ gitea_user }}
+Group={{ gitea_group }}
+ExecStart={{ gitea_full_executable_path }} web --config {{ gitea_configuration_path }}/gitea.ini --custom-path {{ gitea_custom }}/ --work-path {{ gitea_home }}
+Restart=on-failure
+WorkingDirectory={{ gitea_home }}
+{% if gitea_systemd_cap_net_bind_service %}
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+{% endif %}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vars/debian.yml b/vars/debian.yml
new file mode 100644
index 0000000..dc164f6
--- /dev/null
+++ b/vars/debian.yml
@@ -0,0 +1,5 @@
+---
+gitea_dependencies:
+ - git
+ - gnupg2
+ - xz-utils
diff --git a/vars/fork_forgejo.yml b/vars/fork_forgejo.yml
new file mode 100644
index 0000000..2ac6803
--- /dev/null
+++ b/vars/fork_forgejo.yml
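Review bot: `[service]` sets `ALLOW_ONLY_EXTERNAL_REGISTRATION` twice, first from `gitea_only_allow_external_registration` and later from `gitea_allow_only_external_registration`; which value Gitea sees depends on the INI parser's duplicate-key handling, and a user who sets only one of the two variables can silently get the other's default. Keep a single key bound to `gitea_allow_only_external_registration`, which pairs with the `gitea_allow_only_internal_registration` line next to it. `[session] PROVIDER_CONFIG` is hard-wired to `{{ gitea_home }}/data/sessions` although `PROVIDER` is configurable, and for `redis`, `db` or `memory` that value is wrong or ignored; render it inside `{% if gitea_session_provider == 'file' %}`. This file carries `SECRET_KEY`, `INTERNAL_TOKEN`, both `JWT_SECRET`s and the database and mailer `PASSWD` in clear text, so the task in tasks/configure.yml (outside this chunk) that renders it needs a restrictive `mode` and `no_log: true`; if the targeted Gitea version supports the `SECRET_KEY_URI`, `INTERNAL_TOKEN_URI` and `JWT_SECRET_URI` file-reference keys, the secrets generated in tasks/jwt_secrets.yml could be referenced instead of copied into the ini. `[actions] ENABLED = {{ gitea_actions_enabled }}` is the one boolean rendered without `| ternary('true', 'false')` and so prints `True`; align it with the rest.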
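Review bot: The unit starts `{{ gitea_full_executable_path }}` as `{{ gitea_user }}` with no sandboxing, so a compromise of the web process has the whole filesystem, `/dev` and setuid binaries available. The upstream Gitea sample unit ships `ProtectSystem=full`, `PrivateDevices=yes`, `PrivateTmp=yes` and `NoNewPrivileges=true` as opt-in lines; they fit this template because the process only needs to write under `{{ gitea_home }}` and the repository root, and when `gitea_systemd_cap_net_bind_service` is set, `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` next to `AmbientCapabilities` keeps that the only capability the service can hold. If the database runs on the same host, `After=network.target` alone lets Gitea start before it and go through `Restart=on-failure` cycles; templating an `After=`/`Wants=` on the database unit when `gitea_db_host` points at localhost would avoid that.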
@@ -0,0 +1,7 @@
+---
+# set filenames for forgejo
+gitea_full_executable_path: "{{ gitea_forgejo_executable_path }}"
+gitea_filename: "forgejo-{{ gitea_version_target }}-linux-{{ gitea_arch }}"
+gitea_forgejo_query_download: "assets[?name==`{{ gitea_filename }}`].browser_download_url"
+gitea_forgejo_query_checksum: "assets[?name==`{{ gitea_filename }}.sha256`].browser_download_url"
+gitea_forgejo_query_signed: "assets[?name==`{{ gitea_filename }}.asc`].browser_download_url"
diff --git a/vars/fork_gitea.yml b/vars/fork_gitea.yml
new file mode 100644
index 0000000..607bfd8
--- /dev/null
+++ b/vars/fork_gitea.yml
@@ -0,0 +1,4 @@
+---
+# set filenames for gitea
+gitea_full_executable_path: "{{ gitea_executable_path }}"
+gitea_filename: "gitea-{{ gitea_version_target }}.linux-{{ gitea_arch }}"
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..c3a116d
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1,66 @@
+---
+gitea_go_arch_map:
+ i386: '386'
+ x86_64: 'amd64'
+ aarch64: 'arm64'
+ armv7l: 'arm-6'
+ armv6l: 'arm-6'
+ armv5l: 'arm-5'
+
+gitea_arch: "{{ gitea_go_arch_map[ansible_architecture] | default(ansible_architecture) }}"
+gitea_supported_forks: 'gitea and forgejo'
+
+gitea_fork_variables:
+ files:
+ - "fork_{{ gitea_fork | lower }}.yml"
+ paths:
+ - 'vars'
+
+gitea_variables:
+ files:
+ - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
+ - "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
+ - "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
+ - "{{ ansible_distribution | lower }}.yml"
+ - "{{ ansible_os_family | lower }}.yml"
+ paths:
+ - 'vars'
+
+transfer_custom_logo_logosvg:
+ files:
+ - "{{ gitea_custom_search }}/gitea_logo/logo.svg"
+ - "files/{{ inventory_hostname }}/gitea_logo/logo.svg"
+ - "files/{{ gitea_http_domain }}/gitea_logo/logo.svg"
+ - 'files/gitea_logo/logo.svg'
+
+transfer_custom_logo_logopng:
+ files:
+ - "{{ gitea_custom_search }}/gitea_logo/logo.png"
+ - "files/{{ inventory_hostname }}/gitea_logo/logo.png"
+ - "files/{{ gitea_http_domain }}/gitea_logo/logo.png"
+ - 'files/gitea_logo/logo.png'
+
+transfer_custom_logo_faviconpng:
+ files:
+ - "{{ gitea_custom_search }}/gitea_logo/favicon.png"
+ - "files/{{ inventory_hostname }}/gitea_logo/favicon.png"
+ - "files/{{ gitea_http_domain }}/gitea_logo/favicon.png"
+ - 'files/gitea_logo/favicon.png'
+
+transfer_custom_logo_appletouchiconpng:
+ files:
+ - "{{ gitea_custom_search }}/gitea_logo/apple-touch-icon.png"
+ - "files/{{ inventory_hostname }}/gitea_logo/apple-touch-icon.png"
+ - "files/{{ gitea_http_domain }}/gitea_logo/apple-touch-icon.png"
+ - 'files/gitea_logo/apple-touch-icon.png'
+
+transfer_custom_footer:
+ files:
+ - "{{ gitea_custom_search }}/gitea_footer/extra_links_footer.tmpl"
+ - "files/{{ inventory_hostname }}/gitea_footer/extra_links_footer.tmpl"
+ - "files/{{ gitea_http_domain }}/gitea_footer/extra_links_footer.tmpl"
+ - 'files/gitea_footer/extra_links_footer.tmpl'
+ - 'files/extra_links_footer.tmpl'
+
+playbook_version_number: 53 # should be int
+playbook_version_path: 'do1jlr.gitea.version'
diff --git a/vars/redhat.yml b/vars/redhat.yml
new file mode 100644
index 0000000..7c96415
--- /dev/null
+++ b/vars/redhat.yml
@@ -0,0 +1,5 @@
+---
+gitea_dependencies:
+ - git
+ - gnupg2
+ - xz
diff --git a/vars/suse.yml b/vars/suse.yml
new file mode 100644
index 0000000..027026e
--- /dev/null
+++ b/vars/suse.yml
@@ -0,0 +1,5 @@
+---
+gitea_dependencies:
+ - git
+ - gpg2
+ - xz
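Review bot: `gitea_arch` falls back to the raw `ansible_architecture` when it is not a key of `gitea_go_arch_map`, so an unsupported CPU (say a constructed `ppc64le` host) is not rejected here but surfaces later as a 404 on a download URL built from an asset name that was never published. Dropping `| default(ansible_architecture)` makes the lookup fail at evaluation time with the offending key in the error, or an `ansible.builtin.assert` with `that: ansible_architecture in gitea_go_arch_map` in tasks/main.yml gives a proper message. `armv7l` mapping to `arm-6` is the published asset name for both ARMv6 and ARMv7 builds, but a comment such as `# upstream ships one arm-6 build for armv6 and armv7` would stop the next reader from "fixing" it.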