.

2023-12-08 12:38:53 +01:00
commit a986b486ca
34 changed files with 1999 additions and 0 deletions
--- a/tasks/backup.yml
+++ b/tasks/backup.yml
@@ -0,0 +1,43 @@
+---
+- name: Get service facts
+  ansible.builtin.service_facts:
+
+- name: Backup block
+  when:
+    - ansible_facts.services["gitea.service"] is defined
+    - ansible_facts.services["gitea.service"].state == "running"
+    - gitea_active_version.stdout != gitea_version_target
+  block:
+    - name: Stopping gitea before upgrade
+      become: true
+      ansible.builtin.systemd:
+        name: 'gitea.service'
+        state: 'stopped'
+      when: ansible_service_mgr == "systemd"
+
+    - name: "Create backup directory"
+      become: true
+      ansible.builtin.file:
+        path: "{{ gitea_backup_location }}"
+        state: 'directory'
+        owner: "{{ gitea_user }}"
+        group: "{{ gitea_group }}"
+        mode: 'u=rwx,g=rx,o='
+
+    - name: Backing up gitea before upgrade
+      become: true
+      ansible.builtin.command:
+        cmd: "sudo -u {{ gitea_user }} {{ gitea_full_executable_path }} dump -c {{ gitea_configuration_path }}/gitea.ini"
+        chdir: "{{ gitea_backup_location }}"
+      changed_when: true
+  rescue:
+    - name: Starting gitea because backup failed
+      become: true
+      ansible.builtin.systemd:
+        name: 'gitea.service'
+        state: 'started'
+      when: ansible_service_mgr == "systemd"
+
+    - name: Print updateing error and cancel
+      ansible.builtin.fail:
+        msg: "failed to backup gitea"
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -0,0 +1,26 @@
+---
+- name: Make sure gitea_register_email_confirm is false when gitea_register_manual_confirm is true
+  ansible.builtin.fail:
+    msg: |
+      To manually confirm registrations,
+      gitea_register_email_confirm needs to be false
+      and gitea_register_manual_confirm should be true.
+  when: gitea_register_manual_confirm | bool and gitea_register_email_confirm | bool
+
+- name: "Configure gitea"
+  become: true
+  ansible.builtin.template:
+    src: gitea.ini.j2
+    dest: "{{ gitea_configuration_path }}/gitea.ini"
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    mode: 0600
+  notify: "Restart gitea"
+
+- name: "Service gitea"
+  become: true
+  ansible.builtin.systemd:
+    name: gitea
+    state: started
+    enabled: true
+  when: ansible_service_mgr == "systemd"
--- a/tasks/create_user.yml
+++ b/tasks/create_user.yml
@@ -0,0 +1,23 @@
+---
+- name: "Create Gitea Group"
+  become: true
+  ansible.builtin.group:
+    name: "{{ gitea_group }}"
+    system: true
+    state: "present"
+
+- name: Switch shell when not using the builtin ssh server
+  ansible.builtin.set_fact:
+    gitea_shell: "/bin/bash"
+  when: "not gitea_start_ssh and gitea_shell == '/bin/false'"
+
+- name: "Create Gitea user"
+  become: true
+  ansible.builtin.user:
+    name: "{{ gitea_user }}"
+    comment: "Gitea user"
+    group: "{{ gitea_group }}"
+    groups: "{{ gitea_groups | default(omit) }}"
+    home: "{{ gitea_user_home }}"
+    shell: "{{ gitea_shell }}"
+    system: true
--- a/tasks/customize_footer.yml
+++ b/tasks/customize_footer.yml
@@ -0,0 +1,24 @@
+---
+- name: Create directory for custom footer
+  become: true
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    mode: 'u=rwX,g=rX,o='
+  loop:
+    - "{{ gitea_custom }}/templates"
+    - "{{ gitea_custom }}/templates/custom"
+
+- name: Transfer custom footer template
+  become: true
+  ansible.builtin.copy:
+    src: "{{ lookup('first_found', transfer_custom_footer) }}"
+    dest: "{{ gitea_custom }}/templates/custom/extra_links_footer.tmpl"
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    mode: '0644'
+  failed_when: false
+  tags: skip_ansible_lint
+  notify: "Restart gitea"
--- a/tasks/customize_logo.yml
+++ b/tasks/customize_logo.yml
@@ -0,0 +1,56 @@
+---
+- name: Create directory for custom logos
+  become: true
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    mode: 'u=rwX,g=rX,o='
+  loop:
+    - "{{ gitea_custom }}/public"
+    - "{{ gitea_custom }}/public/img"
+
+- name: Transfer custom logo.svg
+  become: true
+  ansible.builtin.copy:
+    src: "{{ lookup('first_found', transfer_custom_logo_logosvg) }}"
+    dest: "{{ gitea_custom }}/public/img/logo.svg"
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    mode: '0644'
+  tags: skip_ansible_lint
+  failed_when: false
+
+- name: Transfer custom logo.png
+  become: true
+  ansible.builtin.copy:
+    src: "{{ lookup('first_found', transfer_custom_logo_logopng) }}"
+    dest: "{{ gitea_custom }}/public/img/logo.png"
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    mode: '0644'
+  tags: skip_ansible_lint
+  failed_when: false
+
+- name: Transfer custom favicon.png
+  become: true
+  ansible.builtin.copy:
+    src: "{{ lookup('first_found', transfer_custom_logo_faviconpng) }}"
+    dest: "{{ gitea_custom }}/public/img/favicon.png"
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    mode: '0644'
+  tags: skip_ansible_lint
+  failed_when: false
+
+- name: Transfer custom apple-touch-icon.png
+  become: true
+  ansible.builtin.copy:
+    src: "{{ lookup('first_found', transfer_custom_logo_appletouchiconpng) }}"
+    dest: "{{ gitea_custom }}/public/img/apple-touch-icon.png"
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    mode: '0644'
+  tags: skip_ansible_lint
+  failed_when: false
--- a/tasks/customize_public_files.yml
+++ b/tasks/customize_public_files.yml
@@ -0,0 +1,24 @@
+---
+- name: Create public directory for custom public web files
+  become: true
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    mode: 'u=rwX,g=rX,o='
+  loop:
+    - "{{ gitea_custom }}/public"
+
+- name: Transfer custom public web data
+  become: true
+  ansible.builtin.copy:
+    src: "{{ gitea_customize_files_path }}"
+    dest: "{{ gitea_custom }}/public/"
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    directory_mode: true
+    mode: 'u=rwX,g=rX,o='
+  failed_when: false
+  tags: skip_ansible_lint
+  notify: "Restart gitea"
--- a/tasks/directory.yml
+++ b/tasks/directory.yml
@@ -0,0 +1,20 @@
+---
+- name: "Create config and data directory"
+  become: true
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    mode: 'u=rwX,g=rX,o='
+  loop:
+    - "{{ gitea_configuration_path }}"
+    - "{{ gitea_user_home }}"
+    - "{{ gitea_home }}"
+    - "{{ gitea_home }}/data"
+    - "{{ gitea_custom }}"
+    - "{{ gitea_custom }}/https"
+    - "{{ gitea_custom }}/mailer"
+    - "{{ gitea_home }}/indexers"
+    - "{{ gitea_home }}/log"
+    - "{{ gitea_repository_root }}"
--- a/tasks/fail2ban.yml
+++ b/tasks/fail2ban.yml
@@ -0,0 +1,29 @@
+---
+- name: Install fail2ban filter
+  become: true
+  ansible.builtin.template:
+    src: fail2ban/filter.conf.j2
+    dest: /etc/fail2ban/filter.d/gitea.conf
+    owner: root
+    group: root
+    mode: 0444
+  notify: "Systemctl restart fail2ban"
+  when: "'fail2ban' in ansible_facts.packages"
+
+- name: Install fail2ban jail
+  become: true
+  ansible.builtin.template:
+    src: fail2ban/jail.conf.j2
+    dest: /etc/fail2ban/jail.d/gitea.conf
+    owner: root
+    group: root
+    mode: 0444
+  notify: "Systemctl restart fail2ban"
+  when: "'fail2ban' in ansible_facts.packages"
+
+- name: Warn if fail2ban is not installed
+  ansible.builtin.fail:
+    msg: "the package fail2ban is not installed. no fail2ban filters deployed."
+  when: "'fail2ban' not in ansible_facts.packages"
+  failed_when: false
+  tags: skip_ansible_lint_ignore-errors
--- a/tasks/gitea_secrets.yml
+++ b/tasks/gitea_secrets.yml
@@ -0,0 +1,38 @@
+---
+- name: Generate gitea SECRET_KEY if not provided
+  become: true
+  ansible.builtin.shell: 'umask 077; {{ gitea_full_executable_path }} generate secret SECRET_KEY > {{ gitea_configuration_path }}/gitea_secret_key'
+  args:
+    creates: '{{ gitea_configuration_path }}/gitea_secret_key'
+  when: gitea_secret_key | string | length == 0
+
+- name: Read gitea SECRET_KEY from file
+  become: true
+  ansible.builtin.slurp:
+    src: '{{ gitea_configuration_path }}/gitea_secret_key'
+  register: remote_secret_key
+  when: gitea_secret_key | string | length == 0
+
+- name: Set fact gitea_secret_key
+  ansible.builtin.set_fact:
+    gitea_secret_key: "{{ remote_secret_key['content'] | b64decode }}"
+  when: gitea_secret_key | string | length == 0
+
+- name: Generate gitea INTERNAL_TOKEN if not provided
+  become: true
+  ansible.builtin.shell: 'umask 077; {{ gitea_full_executable_path }} generate secret INTERNAL_TOKEN > {{ gitea_configuration_path }}/gitea_internal_token'
+  args:
+    creates: '{{ gitea_configuration_path }}/gitea_internal_token'
+  when: gitea_internal_token | string | length == 0
+
+- name: Read gitea INTERNAL_TOKEN from file
+  become: true
+  ansible.builtin.slurp:
+    src: '{{ gitea_configuration_path }}/gitea_internal_token'
+  register: remote_internal_token
+  when: gitea_internal_token | string | length == 0
+
+- name: Set fact gitea_internal_token
+  ansible.builtin.set_fact:
+    gitea_internal_token: "{{ remote_internal_token['content'] | b64decode }}"
+  when: gitea_internal_token | string | length == 0
--- a/tasks/install_forgejo.yml
+++ b/tasks/install_forgejo.yml
@@ -0,0 +1,83 @@
+---
+- name: Dependency block
+  block:
+    - name: Update apt cache
+      become: true
+      ansible.builtin.apt:
+        cache_valid_time: 3600
+        update_cache: true
+      register: _pre_update_apt_cache
+      until: _pre_update_apt_cache is succeeded
+      when:
+        - ansible_pkg_mgr == "apt"
+
+    - name: Install dependencies
+      become: true
+      ansible.builtin.package:
+        name: "{{ gitea_dependencies }}"
+        state: present
+      register: _install_dep_packages
+      until: _install_dep_packages is succeeded
+      retries: 5
+      delay: 2
+
+- name: Install forgejo block
+  when: (not gitea_version_check | bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version_target))
+  block:
+    - name: Download forgejo archive
+      ansible.builtin.get_url:
+        url: "{{ gitea_forgejo_dl_url | first }}"
+        dest: "/tmp/{{ gitea_filename }}"
+        checksum: "sha256:{{ gitea_forgejo_checksum }}"
+        mode: 0640
+      register: _download_archive
+      become: false
+      until: _download_archive is succeeded
+      retries: 5
+      delay: 2
+
+    - name: Download forgejo asc file
+      ansible.builtin.get_url:
+        url: "{{ gitea_forgejo_signed_url | first }}"
+        dest: "/tmp/{{ gitea_filename }}.asc"
+        mode: 0640
+      register: _download_asc
+      become: false
+      until: _download_asc is succeeded
+      retries: 5
+      delay: 2
+
+    - name: Check forgejo gpg key
+      ansible.builtin.command: "gpg --list-keys 0x{{ gitea_forgejo_gpg_key }}"
+      register: _gitea_gpg_key_status
+      changed_when: false
+      become: false
+      failed_when: _gitea_gpg_key_status.rc not in (0, 2)
+
+    - name: Print gpg key status on verbosity  # noqa: H500
+      ansible.builtin.debug:
+        msg: "{{ _gitea_gpg_key_status.stdout }}"
+        verbosity: 1
+
+    - name: Import forgejo gpg key
+      ansible.builtin.command: "gpg --keyserver {{ gitea_gpg_server }} --recv {{ gitea_forgejo_gpg_key }}"
+      register: _gitea_import_key
+      become: false
+      changed_when: '"imported: 1" in _gitea_import_key.stderr'
+      when: '_gitea_gpg_key_status.rc != 0 or "expired" in _gitea_gpg_key_status.stdout'
+
+    - name: Check archive signature
+      become: false
+      ansible.builtin.command: "gpg --verify /tmp/{{ gitea_filename }}.asc /tmp/{{ gitea_filename }}"
+      changed_when: false
+
+    - name: Propagate gitea binary
+      become: true
+      ansible.builtin.copy:
+        src: "/tmp/{{ gitea_filename }}"
+        remote_src: true
+        dest: "{{ gitea_full_executable_path }}"
+        mode: 0755
+        owner: root
+        group: root
+      notify: "Restart gitea"
--- a/tasks/install_gitea.yml
+++ b/tasks/install_gitea.yml
@@ -0,0 +1,87 @@
+---
+- name: Dependency block
+  block:
+    - name: Update apt cache
+      become: true
+      ansible.builtin.apt:
+        cache_valid_time: 3600
+        update_cache: true
+      register: _pre_update_apt_cache
+      until: _pre_update_apt_cache is succeeded
+      when:
+        - ansible_pkg_mgr == "apt"
+
+    - name: Install dependencies
+      become: true
+      ansible.builtin.package:
+        name: "{{ gitea_dependencies }}"
+        state: present
+      register: _install_dep_packages
+      until: _install_dep_packages is succeeded
+      retries: 5
+      delay: 2
+
+- name: Install gitea block
+  when: (not gitea_version_check | bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version_target))
+  block:
+    - name: Download gitea archive
+      ansible.builtin.get_url:
+        url: "{{ gitea_dl_url }}.xz"
+        dest: "/tmp/{{ gitea_filename }}.xz"
+        checksum: "sha256:{{ gitea_dl_url }}.xz.sha256"
+        mode: 0640
+      register: _download_archive
+      become: false
+      until: _download_archive is succeeded
+      retries: 5
+      delay: 2
+
+    - name: Download gitea asc file
+      ansible.builtin.get_url:
+        url: "{{ gitea_dl_url }}.xz.asc"
+        dest: "/tmp/{{ gitea_filename }}.xz.asc"
+        mode: 0640
+      register: _download_asc
+      become: false
+      until: _download_asc is succeeded
+      retries: 5
+      delay: 2
+
+    - name: Check gitea gpg key
+      ansible.builtin.command: "gpg --list-keys 0x{{ gitea_gpg_key }}"
+      register: _gitea_gpg_key_status
+      changed_when: false
+      failed_when: _gitea_gpg_key_status.rc not in (0, 2)
+
+    - name: Print gpg key status on verbosity  # noqa: H500
+      ansible.builtin.debug:
+        msg: "{{ _gitea_gpg_key_status.stdout }}"
+        verbosity: 1
+
+    - name: Import gitea gpg key
+      ansible.builtin.command: "gpg --keyserver {{ gitea_gpg_server }} --keyserver-option '{{ gitea_gpg_keyserver_option }}' --recv {{ gitea_gpg_key }}"
+      register: _gitea_import_key
+      become: false
+      changed_when: '"imported: 1" in _gitea_import_key.stderr'
+      when: '_gitea_gpg_key_status.rc != 0 or "expired" in _gitea_gpg_key_status.stdout'
+
+    - name: Check archive signature
+      ansible.builtin.command: "gpg --verify /tmp/{{ gitea_filename }}.xz.asc /tmp/{{ gitea_filename }}.xz"
+      changed_when: false
+      become: false
+
+    - name: Unpack gitea binary
+      ansible.builtin.command:
+        cmd: "xz -k -d /tmp/{{ gitea_filename }}.xz"
+        creates: "/tmp/{{ gitea_filename }}"
+
+    - name: Propagate gitea binary
+      become: true
+      ansible.builtin.copy:
+        src: "/tmp/{{ gitea_filename }}"
+        remote_src: true
+        dest: "{{ gitea_full_executable_path }}"
+        mode: 0755
+        owner: root
+        group: root
+      notify: "Restart gitea"
--- a/tasks/install_systemd.yml
+++ b/tasks/install_systemd.yml
@@ -0,0 +1,31 @@
+---
+- name: "Setup systemd service"
+  become: true
+  when: ansible_os_family == "Debian"
+  ansible.builtin.template:
+    src: gitea.service.j2
+    dest: /lib/systemd/system/gitea.service
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - "Reload systemd"
+    - "Restart gitea"
+
+- name: "Setup systemd service"
+  become: true
+  when: ansible_os_family == "Suse"
+  ansible.builtin.template:
+    src: gitea.service.j2
+    dest: /etc/systemd/system/gitea.service
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - "Reload systemd"
+    - "Restart gitea"
+
+- name: "Reload systemd"
+  become: true
+  ansible.builtin.systemd:
+    daemon_reload: true
--- a/tasks/jwt_secrets.yml
+++ b/tasks/jwt_secrets.yml
@@ -0,0 +1,38 @@
+---
+- name: Generate OAuth2 JWT_SECRET if not provided
+  become: true
+  ansible.builtin.shell: 'umask 077; {{ gitea_full_executable_path }} generate secret JWT_SECRET > {{ gitea_configuration_path }}/gitea_oauth_jwt_secret'
+  args:
+    creates: '{{ gitea_configuration_path }}/gitea_oauth_jwt_secret'
+  when: gitea_oauth2_jwt_secret | length == 0
+
+- name: Read OAuth2 JWT_SECRET from file
+  become: true
+  ansible.builtin.slurp:
+    src: '{{ gitea_configuration_path }}/gitea_oauth_jwt_secret'
+  register: oauth_jwt_secret
+  when: gitea_oauth2_jwt_secret | length == 0
+
+- name: Set fact gitea_oauth2_jwt_secret
+  ansible.builtin.set_fact:
+    gitea_oauth2_jwt_secret: "{{ oauth_jwt_secret['content'] | b64decode }}"
+  when: gitea_oauth2_jwt_secret | length == 0
+
+- name: Generate LFS JWT_SECRET if not provided
+  become: true
+  ansible.builtin.shell: 'umask 077; {{ gitea_full_executable_path }} generate secret JWT_SECRET > {{ gitea_configuration_path }}/gitea_lfs_jwt_secret'
+  args:
+    creates: '{{ gitea_configuration_path }}/gitea_lfs_jwt_secret'
+  when: gitea_lfs_jwt_secret | length == 0
+
+- name: Read LFS JWT_SECRET from file
+  become: true
+  ansible.builtin.slurp:
+    src: '{{ gitea_configuration_path }}/gitea_lfs_jwt_secret'
+  register: lfs_jwt_secret
+  when: gitea_lfs_jwt_secret | length == 0
+
+- name: Set fact gitea_lfs_jwt_secret
+  ansible.builtin.set_fact:
+    gitea_lfs_jwt_secret: "{{ lfs_jwt_secret['content'] | b64decode }}"
+  when: gitea_lfs_jwt_secret | length == 0
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,81 @@
+---
+- name: Perform optional versionscheck
+  ansible.builtin.include_tasks:
+    file: 'versioncheck.yml'
+  when: submodules_versioncheck|bool
+
+- name: Gather installed packages for checks later on
+  ansible.builtin.package_facts:
+    manager: 'auto'
+
+- name: Prepare gitea/forgejo variable import
+  block:
+    - name: Gather variables for gitea or forgejo
+      ansible.builtin.include_vars:
+        file: "{{ lookup('first_found', gitea_fork_variables) }}"
+  rescue:
+    - name: Gitea/Forejo import info
+      ansible.builtin.fail:
+        msg: "Currently only {{ gitea_supported_forks }} are supported."
+
+- name: Gather variables for each operating system
+  ansible.builtin.include_vars:
+    file: "{{ lookup('first_found', gitea_variables) }}"
+
+- name: Gather versioning information
+  ansible.builtin.include_tasks:
+    file: "set_{{ gitea_fork | lower }}_version.yml"
+
+- name: Backup gitea before update
+  ansible.builtin.include_tasks:
+    file: 'backup.yml'
+  when: gitea_backup_on_upgrade|bool
+
+- name: Create gitea user and role
+  ansible.builtin.include_tasks:
+    file: 'create_user.yml'
+
+- name: "Install or update {{ gitea_fork }}"
+  ansible.builtin.include_tasks:
+    file: "install_{{ gitea_fork | lower }}.yml"
+
+- name: Create directories
+  ansible.builtin.include_tasks:
+    file: 'directory.yml'
+
+- name: Setup gitea systemd service
+  ansible.builtin.include_tasks:
+    file: 'install_systemd.yml'
+  when: ansible_service_mgr == "systemd"
+
+- name: Generate JWT Secrets if undefined
+  ansible.builtin.include_tasks:
+    file: 'jwt_secrets.yml'
+
+- name: Generate gitea secrets if undefined
+  ansible.builtin.include_tasks:
+    file: 'gitea_secrets.yml'
+
+- name: Configure gitea
+  ansible.builtin.include_tasks:
+    file: 'configure.yml'
+
+- name: Deploy optional fail2ban rules
+  ansible.builtin.include_tasks:
+    file: 'fail2ban.yml'
+  when: gitea_fail2ban_enabled | bool
+
+- name: Optionally customize gitea
+  ansible.builtin.include_tasks:
+    file: 'customize_logo.yml'
+  when: gitea_customize_logo | bool
+
+- name: Optionally customize footer
+  ansible.builtin.include_tasks:
+    file: 'customize_footer.yml'
+  when: gitea_customize_footer | bool
+
+- name: Optionally deploy public files
+  ansible.builtin.include_tasks:
+    file: 'customize_public_files.yml'
+  when: gitea_customize_files | bool
--- a/tasks/set_forgejo_version.yml
+++ b/tasks/set_forgejo_version.yml
@@ -0,0 +1,107 @@
+---
+- name: "Check forgejo installed version"
+  ansible.builtin.shell: "set -eo pipefail; {{ gitea_full_executable_path }} -v | cut -d' ' -f 3"
+  args:
+    executable: '/bin/bash'
+  register: gitea_active_version
+  changed_when: false
+  failed_when: false
+
+- name: "Determine 'latest' version release"
+  when: gitea_version == "latest"
+  block:
+    - name: "Get latest forgejo release metadata"
+      ansible.builtin.uri:
+        url: 'https://codeberg.org/api/v1/repos/forgejo/forgejo/releases?limit=1'
+        return_content: true
+      register: gitea_forgejo_remote_metadata
+      become: false
+      when: not ansible_check_mode
+
+    - name: "Fail if running in check mode without versions set."
+      ansible.builtin.fail:
+        msg: |
+          "You are running this playbook in check mode:
+          Please set the Gitea version with the variable 'gitea_version', because the URI module cannot detect the latest version in this mode."
+      when: ansible_check_mode and (gitea_version == 'latest' or gitea_version == 'present')
+
+    - name: "Set fact latest forgejo release"
+      ansible.builtin.set_fact:
+        gitea_remote_version: "{{ gitea_forgejo_remote_metadata.json.0.tag_name[1:] }}"
+      when: not ansible_check_mode
+
+    - name: "Set forgejo version target (latest)"
+      ansible.builtin.set_fact:
+        gitea_version_target: "{{ gitea_remote_version }}"
+      when: not ansible_check_mode
+
+- name: "Set forgejo version target {{ gitea_version }}"
+  ansible.builtin.set_fact:
+    gitea_version_target: "{{ gitea_version }}"
+  when: gitea_version != "latest"
+
+- name: "Download forgejo version {{ gitea_version_target }}"
+  when: not ansible_check_mode
+  block:
+    - name: "Get specific forgejo release metadata"
+      ansible.builtin.uri:
+        url: 'https://codeberg.org/api/v1/repos/forgejo/forgejo/releases/tags/v{{ gitea_version_target }}'
+        return_content: true
+      register: gitea_forgejo_remote_tags_metadata
+      become: false
+  rescue:
+    - name: "Error Downloading https://codeberg.org/api/v1/repos/forgejo/forgejo/releases/tags/v{{ gitea_version_target }}"
+      ansible.builtin.fail:
+        msg: "We did not find the forgejo version you specified. Are you sure that '{{ gitea_version_target }}' is a valid forgejo version?"
+
+- name: "Generate forgejo download url"
+  ansible.builtin.set_fact:
+    gitea_forgejo_dl_url: "{{ gitea_forgejo_remote_tags_metadata.json | community.general.json_query(gitea_forgejo_query_download) }}"
+  when: not ansible_check_mode
+
+- name: "Generate forgejo download checksum url"
+  ansible.builtin.set_fact:
+    gitea_forgejo_checksum_url: "{{ gitea_forgejo_remote_tags_metadata.json | community.general.json_query(gitea_forgejo_query_checksum) }}"
+  when: not ansible_check_mode
+
+- name: Get forgejo checksum
+  ansible.builtin.uri:
+    url: "{{ gitea_forgejo_checksum_url | first }}"
+    return_content: true
+  register: _gitea_forgejo_dl_checksum
+  become: false
+  when: not ansible_check_mode
+
+- name: Set forjeo checksum
+  ansible.builtin.set_fact:
+    gitea_forgejo_checksum: "{{ _gitea_forgejo_dl_checksum.content.split('  ')[0] }}"
+  when: not ansible_check_mode
+
+- name: "Generate forgejo download signed url"
+  ansible.builtin.set_fact:
+    gitea_forgejo_signed_url: "{{ gitea_forgejo_remote_tags_metadata.json | community.general.json_query(gitea_forgejo_query_signed) }}"
+  when: not ansible_check_mode
+
+- name: "Set a example forgejo download link if in check mode"
+  ansible.builtin.set_fact:
+    gitea_forgejo_dl_url: ['https://codeberg.org/attachments/a00333ad-250a-4d30-a764-9a37fb24f419']
+  when: ansible_check_mode
+
+- name: "Set a example forgejo checksum link if in check mode"
+  ansible.builtin.set_fact:
+    gitea_forgejo_checksum: 'f8c71464d1b250bf022eaa3df270c810950904ceb71da5cefc7ec24a034a4c87'
+  when: ansible_check_mode
+
+- name: "Set a example forgejo checksum link if in check mode"
+  ansible.builtin.set_fact:
+    gitea_forgejo_signed_url: ['https://codeberg.org/attachments/ae5e50c6-e86e-4202-b95f-f142e8138e2f']
+  when: ansible_check_mode
+
+- name: Show Download URLs  # noqa: H500
+  ansible.builtin.debug:
+    msg: "{{ item }}"
+    verbosity: 1
+  loop:
+    - "gitea_forgejo_dl_url: {{ gitea_forgejo_dl_url | first }}"
+    - "gitea_forgejo_checksum: {{ gitea_forgejo_checksum }}"
+    - "gitea_forgejo_signed_url: {{ gitea_forgejo_signed_url | first }}"
--- a/tasks/set_gitea_version.yml
+++ b/tasks/set_gitea_version.yml
@@ -0,0 +1,45 @@
+---
+- name: "Check gitea installed version"
+  ansible.builtin.shell: "set -eo pipefail; {{ gitea_full_executable_path }} -v | cut -d' ' -f 3"
+  args:
+    executable: /bin/bash
+  register: gitea_active_version
+  changed_when: false
+  failed_when: false
+
+- name: "Determine 'latest' version release"
+  when: gitea_version == "latest"
+  block:
+    - name: "Get latest gitea release metadata"
+      ansible.builtin.uri:
+        url: https://api.github.com/repos/go-gitea/gitea/releases/latest
+        return_content: true
+      register: gitea_remote_metadata
+      become: false
+      when: not ansible_check_mode
+
+    - name: "Fail if running in check mode without versions set."
+      ansible.builtin.fail:
+        msg: |
+          "You are running this playbook in check mode:
+          Please set the Gitea version with the variable 'gitea_version', because the URI module cannot detect the latest version in this mode."
+      when: ansible_check_mode and (gitea_version == 'latest' or gitea_version == 'present')
+
+    - name: "Set fact latest gitea release"
+      ansible.builtin.set_fact:
+        gitea_remote_version: "{{ gitea_remote_metadata.json.tag_name[1:] }}"
+      when: not ansible_check_mode
+
+    - name: "Set gitea version target (latest)"
+      ansible.builtin.set_fact:
+        gitea_version_target: "{{ gitea_remote_version }}"
+      when: not ansible_check_mode
+
+- name: "Set gitea version target {{ gitea_version }}"
+  ansible.builtin.set_fact:
+    gitea_version_target: "{{ gitea_version }}"
+  when: gitea_version != "latest"
+
+- name: "Generate gitea download URL"
+  ansible.builtin.set_fact:
+    gitea_dl_url: "https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version_target }}/gitea-{{ gitea_version_target }}-linux-{{ gitea_arch }}"
--- a/tasks/versioncheck.yml
+++ b/tasks/versioncheck.yml
@@ -0,0 +1,44 @@
+---
+# Copyright (c) 2021 L3D <l3d@c3woc.de>
+# this file is released with the MIT license.
+# License: https://github.com/roles-ansible/ansible_role_template/blob/main/LICENSE
+- name: Create directory for versionscheck
+  become: true
+  ansible.builtin.file:
+    path: '/etc/.ansible-version'
+    state: directory
+    mode: '0755'
+  when: submodules_versioncheck | bool
+
+- name: Check playbook version
+  become: true
+  ansible.builtin.slurp:
+    src: "/etc/.ansible-version/{{ playbook_version_path }}"
+  register: playbook_version
+  when: submodules_versioncheck | bool
+  failed_when: false
+
+- name: Print remote role version  # noqa: H500
+  ansible.builtin.debug:
+    msg: "Remote role version: {{ playbook_version.content | default('Y3VycmVudGx5IG5vdCBkZXBsb3llZAo=') | b64decode | string }}"
+  when: submodules_versioncheck | bool
+
+- name: Print locale role version  # noqa: H500
+  ansible.builtin.debug:
+    msg: "Local role version: '{{ playbook_version_number | string }}'."
+  when: submodules_versioncheck | bool
+
+- name: Check if your version is outdated
+  ansible.builtin.fail:
+    msg: "Your ansible module has the version '{{ playbook_version_number }}' and is outdated. You need to update it!"
+  when:
+    - playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck | bool
+
+- name: Write new version to remote disk
+  become: true
+  ansible.builtin.copy:
+    content: "{{ playbook_version_number }}"
+    dest: "/etc/.ansible-version/{{ playbook_version_path }}"
+    mode: '0644'
+  when: submodules_versioncheck | bool
+  tags: skip_ansible_lint_template-instead-of-copy