From 651164f26f44c71a334ac93fdc999fe10557b033 Mon Sep 17 00:00:00 2001 From: mg Date: Mon, 10 Jan 2022 09:01:52 +0100 Subject: [PATCH] Update tmaurice.gitea (#294) Co-authored-by: Michael Grote Reviewed-on: https://git.mgrote.net/mg/ansible/pulls/294 Co-authored-by: mg Co-committed-by: mg --- .../workflows/ansible-linting-check.yml | 22 +++ roles/tmaurice.gitea/.travis.yml | 3 +- roles/tmaurice.gitea/README.md | 17 +- roles/tmaurice.gitea/defaults/main.yml | 21 ++- roles/tmaurice.gitea/handlers/main.yml | 6 +- roles/tmaurice.gitea/meta/main.yml | 15 +- .../molecule/default/prepare.yml | 13 +- roles/tmaurice.gitea/requirements-travis.txt | 39 ++-- roles/tmaurice.gitea/tasks/backup.yml | 30 ++++ roles/tmaurice.gitea/tasks/create_user.yml | 9 +- roles/tmaurice.gitea/tasks/fail2ban.yml | 12 +- roles/tmaurice.gitea/tasks/install.yml | 71 ++++++++ .../tmaurice.gitea/tasks/install_systemd.yml | 7 +- roles/tmaurice.gitea/tasks/jwt_secrets.yml | 38 ++++ roles/tmaurice.gitea/tasks/main.yml | 40 ++++- roles/tmaurice.gitea/templates/gitea.ini.j2 | 167 +++++++++--------- .../tmaurice.gitea/templates/gitea.service.j2 | 1 + roles/tmaurice.gitea/vars/debian.yml | 5 + roles/tmaurice.gitea/vars/main.yml | 10 +- roles/tmaurice.gitea/vars/redhat.yml | 5 + 20 files changed, 394 insertions(+), 137 deletions(-) create mode 100644 roles/tmaurice.gitea/.github/workflows/ansible-linting-check.yml create mode 100644 roles/tmaurice.gitea/tasks/backup.yml create mode 100644 roles/tmaurice.gitea/tasks/install.yml create mode 100644 roles/tmaurice.gitea/tasks/jwt_secrets.yml create mode 100644 roles/tmaurice.gitea/vars/debian.yml create mode 100644 roles/tmaurice.gitea/vars/redhat.yml diff --git a/roles/tmaurice.gitea/.github/workflows/ansible-linting-check.yml b/roles/tmaurice.gitea/.github/workflows/ansible-linting-check.yml new file mode 100644 index 00000000..41dcb97c --- /dev/null +++ b/roles/tmaurice.gitea/.github/workflows/ansible-linting-check.yml 
@@ -0,0 +1,22 @@ +--- +name: Ansible Lint check + +# yamllint disable-line rule:truthy +on: [push, pull_request] + +jobs: + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Lint Ansible Playbook + uses: ansible/ansible-lint-action@master + with: + targets: "." + # [required] + # Paths to ansible files (i.e., playbooks, tasks, handlers etc..) + args: "" + # [optional] diff --git a/roles/tmaurice.gitea/.travis.yml b/roles/tmaurice.gitea/.travis.yml index 524837b2..62da97ca 100644 --- a/roles/tmaurice.gitea/.travis.yml +++ b/roles/tmaurice.gitea/.travis.yml @@ -7,11 +7,12 @@ env: matrix: - MOLECULE_DISTRO: centos8 - MOLECULE_DISTRO: centos7 + - MOLECULE_DISTRO: ubuntu2004 - MOLECULE_DISTRO: ubuntu1804 - MOLECULE_DISTRO: ubuntu1604 - MOLECULE_DISTRO: debian10 - MOLECULE_DISTRO: debian9 - - MOLECULE_DISTRO: fedora31 + - MOLECULE_DISTRO: fedora33 services: - docker diff --git a/roles/tmaurice.gitea/README.md b/roles/tmaurice.gitea/README.md index 909d1b62..d28a54ef 100644 --- a/roles/tmaurice.gitea/README.md +++ b/roles/tmaurice.gitea/README.md @@ -58,6 +58,7 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we * `gitea_version_check`: Check if installed version != `gitea_version` before initiating binary download * `gitea_user`: UNIX user used by Gitea +* `gitea_group`: UNIX group used by Gitea * `gitea_home`: Base directory to work * `gitea_dl_url`: The URL, the compiled gitea-binary will be downloaded from * `gitea_systemd_cap_net_bind_service`: Adds `AmbientCapabilities=CAP_NET_BIND_SERVICE` to systemd service file 
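Review bot: `uses: ansible/ansible-lint-action@master` runs whatever is on that branch at the moment of each push or pull request, so an upstream compromise or breaking change flows straight into this CI job. Pin the action to a release tag, or preferably a full commit SHA with the version noted in a trailing comment, and treat `actions/checkout@v2` the same way if the repository wants immutable pins. The `args: ""` key followed by `# [optional]` also reads as an unfinished template; either give it a value or delete the key together with the comment.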
@@ -109,7 +110,7 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we * `gitea_db_name`: Database name * `gitea_db_user`: Database username * `gitea_db_password`: Database password -* `gitea_db_ssl`: Use SSL ? (postgres only!). Can be `required`, `disable`, `verify-full` +* `gitea_db_ssl`: Use SSL ? (postgres only!). Can be `require`, `disable`, `verify-ca` or `verify-full` * `gitea_db_path`: DB path, if you use `sqlite3`. The default is good enough to work though. ### Mailer configuration @@ -122,6 +123,10 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we * `gitea_mailer_password`: SMTP server password * `gitea_mailer_from`: Sender mail address * `gitea_enable_notify_mail`: Whether e-mail should be send to watchers of a repository when something happens. Default: `false` +* `gitea_mail_default`: Default configuration for email notifications for users (user configurable). Options: enabled, onmention, disable (Default: `onmention` ) +* `gitea_autowatch_new_repo`: Enable this to let all organisation users watch new repos when they are created (Default: `false`) +* `gitea_autowatch_on_change`: Enable this to make users watch a repository after their first commit to it (Default: `true`) +* `gitea_show_mailstones_dashboard`: Enable this to show the milestones dashboard page - a view of all the user’s milestones (Default: `true`) ### Fail2Ban configuration 
@@ -138,8 +143,12 @@ As this will only deploy config files, fail2ban already has to be installed or o ### Oauth2 provider configuration * `gitea_oauth2_enabled`: Enable the Oauth2 provider (true/false) -* `gitea_oauth2_jwt_secret`: JWT secret, cannot be longer than 32 characters +* `gitea_oauth2_jwt_secret`: Oauth2 JWT secret. Can be generated with ``gitea generate secret JWT_SECRET`` +### GIT LFS configuration +* `gitea_lfs_enabled`: Enable GIT LFS (large filesystem) +* `gitea_lfs_mode`: should lfs be in offline mode (true/false) +* `gitea_lfs_secret`: JWT secret for remote LFS usage ### Metrics endpoint configuration @@ -154,6 +163,10 @@ As this will only deploy config files, fail2ban already has to be installed or o * `gitea_repo_exclude_vendored`: Exclude vendored files from the index. Default: `true` * `gitea_repo_indexer_max_file_size`: Maximum size of files to be indexed (in bytes). Default: `1048576` (1 MB) +### backup on upgrade +* `gitea_backup_on_upgrade`: Optionally a backup can be created with every update of gitea. Default: `false` +* `gitea_backup_location`: Where to store the gitea backup if one is created with this role. Default: `{{ gitea_home }}/backups/` + ## Contributing Don't hesitate to create a pull request, and when in doubt you can reach me on Twitter [@thomas_maurice](https://twitter.com/thomas_maurice). diff --git a/roles/tmaurice.gitea/defaults/main.yml b/roles/tmaurice.gitea/defaults/main.yml index 7b4abfe5..4a1e0361 100644 --- a/roles/tmaurice.gitea/defaults/main.yml +++ b/roles/tmaurice.gitea/defaults/main.yml 
@@ -1,10 +1,13 @@ --- -gitea_version: "1.13.0" +gitea_version: "1.13.7" gitea_version_check: true gitea_dl_url: "https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-{{ gitea_arch }}" +gitea_gpg_key: "7C9E68152594688862D62AF62D9AE806EC1592E2" +gitea_gpg_server: "hkps://keys.openpgp.org" gitea_app_name: "Gitea" gitea_user: "gitea" +gitea_group: "gitea" gitea_home: "/var/lib/gitea" gitea_shell: "/bin/false" gitea_systemd_cap_net_bind_service: false @@ -21,7 +24,10 @@ gitea_disable_http_git: false gitea_offline_mode: true gitea_lfs_server_enabled: false -gitea_lfs_content_path: "data/lfs" +gitea_lfs_content_path: "{{ gitea_home }}/data/lfs" +gitea_lfs_jwt_secret: '' +gitea_lfs_secret: SomethingVeryLong +gitea_lfs_mode: true gitea_db_type: sqlite3 gitea_db_host: 127.0.0.0:3306 @@ -48,6 +54,10 @@ gitea_require_signin: true gitea_enable_captcha: true gitea_only_allow_external_registration: false gitea_enable_notify_mail: false +gitea_mail_default: onmention +gitea_autowatch_new_repo: false +gitea_autowatch_on_change: true +gitea_show_mailstones_dashboard: true gitea_force_private: false @@ -67,7 +77,7 @@ gitea_fail2ban_jail_bantime: 900 gitea_fail2ban_jail_action: iptables-allports gitea_oauth2_enabled: true -gitea_oauth2_jwt_secret: ChangeMe +gitea_oauth2_jwt_secret: '' gitea_metrics_enabled: false gitea_metrics_token: ~ @@ -81,4 +91,9 @@ gitea_repo_indexer_exclude: "" gitea_repo_exclude_vendored: true gitea_repo_indexer_max_file_size: 1048576 +gitea_log_level: Info + gitea_extra_config: "" + +gitea_backup_on_upgrade: false +gitea_backup_location: "{{ gitea_home }}/backups/" diff --git a/roles/tmaurice.gitea/handlers/main.yml b/roles/tmaurice.gitea/handlers/main.yml index eade7a3d..7ca4bd84 100644 --- a/roles/tmaurice.gitea/handlers/main.yml +++ b/roles/tmaurice.gitea/handlers/main.yml 
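Review bot: `gitea_lfs_secret: SomethingVeryLong` ships a fixed, publicly readable default for a JWT signing secret, so any deployment that does not override it signs LFS tokens with a value an attacker can read out of this role. Default it to `''` the way `gitea_oauth2_jwt_secret` is changed in this same hunk and let the generated `gitea_lfs_jwt_secret` be the single source, or drop it entirely if `gitea_lfs_jwt_secret` is meant to replace it — two variables for one setting invite exactly this kind of slip. `gitea_lfs_mode: true` is also misnamed; per the README it is a boolean meaning "offline", so a name such as `gitea_lfs_offline_mode` would say what it does.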
@@ -1,17 +1,17 @@ --- - name: "Restart gitea" - service: + ansible.builtin.service: name: gitea state: restarted when: ansible_service_mgr == "systemd" - name: "Reload systemd" - systemd: + ansible.builtin.systemd: daemon_reload: true when: ansible_service_mgr == "systemd" - name: "Restart fail2ban" - service: + ansible.builtin.service: name: fail2ban state: restarted when: ansible_service_mgr == "systemd" diff --git a/roles/tmaurice.gitea/meta/main.yml b/roles/tmaurice.gitea/meta/main.yml index 27b78846..efe1a1ee 100644 --- a/roles/tmaurice.gitea/meta/main.yml +++ b/roles/tmaurice.gitea/meta/main.yml @@ -2,7 +2,7 @@ galaxy_info: author: Thomas Maurice description: Ansible Role - Gitea - min_ansible_version: 2.7.9 + min_ansible_version: 2.10 license: BSD-3-Clause galaxy_tags: - git @@ -16,12 +16,17 @@ galaxy_info: platforms: - name: Debian versions: - - jessie - stretch - - name: EL - versions: - - 7 + - buster - name: Ubuntu versions: - xenial - bionic + - focal + - name: CentOS + versions: + - 7 + - 8 + - name: Fedora + versions: + - 33 diff --git a/roles/tmaurice.gitea/molecule/default/prepare.yml b/roles/tmaurice.gitea/molecule/default/prepare.yml index 54efeee9..4c3c05aa 100644 --- a/roles/tmaurice.gitea/molecule/default/prepare.yml +++ b/roles/tmaurice.gitea/molecule/default/prepare.yml @@ -1,22 +1,27 @@ --- -- name: Perpare +- name: Prepare hosts: all become: true tasks: - name: install dependencies for gitea (RedHat based systems) yum: - name: "{{ packages }}" + name: "{{ redhat_packages }}" state: present update_cache: true when: ansible_os_family == "RedHat" - name: install dependencies for gitea (Debian based systems) apt: - name: "{{ packages }}" + name: "{{ debian_packages }}" state: present update_cache: true when: ansible_os_family == "Debian" vars: - packages: + debian_packages: - git - curl + - xz-utils + redhat_packages: + - git + - curl + - xz 
diff --git a/roles/tmaurice.gitea/requirements-travis.txt b/roles/tmaurice.gitea/requirements-travis.txt index f22ca848..ec56812e 100644 --- a/roles/tmaurice.gitea/requirements-travis.txt +++ b/roles/tmaurice.gitea/requirements-travis.txt @@ -1,24 +1,21 @@ -ansible==2.10.0 +ansible==2.10.7 ansible-lint==4.2.0 anyconfig==0.9.7 arrow==0.15.5 asn1crypto==0.24.0 -atomicwrites==1.3.0 -attrs==19.1.0 -autopep8==1.5.1 -bcrypt==3.1.7 binaryornot==0.4.4 Cerberus==1.3.2 -certifi==2020.4.5.1 -cffi==1.14.0 -chardet==3.0.4 -click==7.1.1 +certifi==2020.12.5 +cffi==1.14.4 +chardet==4.0.0 +click==7.1.2 click-completion==0.5.2 -click-help-colors==0.8 -colorama==0.4.3 -cookiecutter==1.7.0 +click-help-colors==0.9 +colorama==0.4.4 +cookiecutter==1.7.2 +cryptography==3.3.1 cryptography==3.3.2 -docker==4.2.0 +docker==4.4.1 docker-pycreds==0.4.0 entrypoints==0.3 fasteners==0.15 @@ -33,10 +30,10 @@ MarkupSafe==1.1.1 mccabe==0.6.1 molecule==3.0.3 monotonic==1.5 -more-itertools==6.0.0 -paramiko==2.7.1 -pathspec==0.8.0 -pbr==5.1.1 +more-itertools==8.6.0 +paramiko==2.7.2 +pathspec==0.8.1 +pbr==5.5.1 pexpect==4.8.0 pi==0.1.2 pluggy==0.13.1 @@ -60,10 +57,10 @@ sh==1.12.14 shellingham==1.3.2 six==1.14.0 tabulate==0.8.7 -testinfra==5.0.0 +testinfra==6.0.0 tree-format==0.1.2 -urllib3==1.25.8 +urllib3==1.26.5 websocket-client==0.57.0 whichcraft==0.6.1 -yamllint==1.22.1 -zipp==3.1.0 +yamllint==1.26.0 +zipp==3.4.0 diff --git a/roles/tmaurice.gitea/tasks/backup.yml b/roles/tmaurice.gitea/tasks/backup.yml new file mode 100644 index 00000000..fa8e9abc --- /dev/null +++ b/roles/tmaurice.gitea/tasks/backup.yml 
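Review bot: `cryptography==3.3.1` and `cryptography==3.3.2` are now both pinned on adjacent lines, which pip treats as a conflicting double requirement rather than picking one. Keep `cryptography==3.3.2` and drop the 3.3.1 line.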
@@ -0,0 +1,30 @@ +--- +- name: Get service facts + service_facts: + +- block: + - name: Stopping gitea before upgrade + service: + name: gitea + state: stopped + + - name: "Create backup directory" + file: + path: "{{ item }}" + state: directory + owner: "{{ gitea_user }}" + group: "{{ gitea_group }}" + mode: 'u=rwx,g=rx,o=' + with_items: + - "{{ gitea_backup_location }}" + + - name: Backing up gitea before upgrade + command: + cmd: "/usr/local/bin/gitea dump -c /etc/gitea/gitea.ini" + chdir: "{{ gitea_backup_location }}" + become: true + become_user: "{{ gitea_user }}" + when: + - ansible_facts.services["gitea.service"] is defined + - ansible_facts.services["gitea.service"].state == "running" + - gitea_active_version.stdout != gitea_version diff --git a/roles/tmaurice.gitea/tasks/create_user.yml b/roles/tmaurice.gitea/tasks/create_user.yml index 306c2d6d..f962229d 100644 --- a/roles/tmaurice.gitea/tasks/create_user.yml +++ b/roles/tmaurice.gitea/tasks/create_user.yml @@ -1,7 +1,14 @@ --- +- name: "Create Gitea Group" + group: + name: "{{ gitea_group }}" + system: true + state: "present" + - name: "Create Gitea user" - user: + ansible.builtin.user: name: "{{ gitea_user }}" comment: "Gitea user" home: "{{ gitea_home }}" shell: "{{ gitea_shell }}" + system: true diff --git a/roles/tmaurice.gitea/tasks/fail2ban.yml b/roles/tmaurice.gitea/tasks/fail2ban.yml index 5a9837e0..ce7025c9 100644 --- a/roles/tmaurice.gitea/tasks/fail2ban.yml +++ b/roles/tmaurice.gitea/tasks/fail2ban.yml 
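Review bot: the dump lands in `{{ gitea_home }}/backups/`, a directory owned by `gitea_user`, and `gitea dump` packs repositories, the database and (as far as I recall) the `app.ini` holding SECRET_KEY, INTERNAL_TOKEN, the database password and the JWT secrets into it; a compromised Gitea process can therefore read, tamper with or delete every backup, and the zip is created with the service user's default umask rather than the `o=` set on the directory. Keep dumps in a root-owned directory outside `gitea_home`, or at least use `mode: 'u=rwx,g=,o='` and run the dump through `shell` prefixed with `umask 077;`. `gitea_active_version.stdout` is only registered when `gitea_version_check` is true in main.yml, so with the check disabled the last `when:` condition errors on an undefined attribute; add `gitea_active_version.stdout is defined` ahead of it. The rest of this commit moves to FQCNs, but `service_facts`, `service`, `file` and `command` here still use the short names.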
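Review bot: the user task creates `gitea_user` without a `group:`, even though the hunk now creates `gitea_group` right before it. When a group with the user's name already exists, Ansible's user module passes `-N` to useradd to avoid the "group exists" failure, so the user's primary group becomes the login.defs default rather than `gitea`; repositories, LFS objects and sessions written by the running service would then carry a different group than the directories this role chowns to `gitea_group`. Add `group: "{{ gitea_group }}"` to the `ansible.builtin.user` task.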
@@ -1,18 +1,26 @@ --- - name: Install fail2ban filter - template: + ansible.builtin.template: src: fail2ban/filter.conf.j2 dest: /etc/fail2ban/filter.d/gitea.conf owner: root group: root mode: 0444 notify: Restart fail2ban + when: "'fail2ban' in ansible_facts.packages" - name: Install fail2ban jail - template: + ansible.builtin.template: src: fail2ban/jail.conf.j2 dest: /etc/fail2ban/jail.d/gitea.conf owner: root group: root mode: 0444 notify: Restart fail2ban + when: "'fail2ban' in ansible_facts.packages" + +- name: warn if fail2ban is not installed + ansible.builtin.fail: + msg: "the package fail2ban is not installed. no fail2ban filters deployed." + when: "'fail2ban' not in ansible_facts.packages" + ignore_errors: true diff --git a/roles/tmaurice.gitea/tasks/install.yml b/roles/tmaurice.gitea/tasks/install.yml new file mode 100644 index 00000000..474df904 --- /dev/null +++ b/roles/tmaurice.gitea/tasks/install.yml 
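Review bot: `ansible.builtin.fail` combined with `ignore_errors: true` still prints the task in red and counts it under `ignored` in the recap, which teaches operators to overlook real failures. For a warning, use `ansible.builtin.debug` with the same `msg:` and `when:`, i.e. `- name: warn if fail2ban is not installed` / `ansible.builtin.debug:` / `msg: "the package fail2ban is not installed. no fail2ban filters deployed."`. The three `when:` clauses also depend on `ansible_facts.packages`, which only exists because this commit adds a `package_facts` task to main.yml; a comment at the top of the file such as `# requires ansible.builtin.package_facts (gathered in main.yml)` would spare the next person who includes this file standalone an undefined-variable error.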
@@ -0,0 +1,71 @@
+---
+- block:
+ - name: Update apt cache
+ apt:
+ cache_valid_time: 3600
+ update_cache: true
+ register: _pre_update_apt_cache
+ until: _pre_update_apt_cache is succeeded
+ when:
+ - ansible_pkg_mgr == "apt"
+
+ - name: Install dependencies
+ package:
+ name: "{{ gitea_dependencies }}"
+ state: present
+ register: _install_dep_packages
+ until: _install_dep_packages is succeeded
+ retries: 5
+ delay: 2
+
+- block:
+ - name: Download gitea archive
+ get_url:
+ url: "{{ gitea_dl_url }}.xz"
+ dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
+ checksum: "sha256:{{ gitea_dl_url }}.xz.sha256"
+ register: _download_archive
+ until: _download_archive is succeeded
+ retries: 5
+ delay: 2
+
+ - name: Download gitea asc file
+ get_url:
+ url: "{{ gitea_dl_url }}.xz.asc"
+ dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc"
+ register: _download_asc
+ until: _download_asc is succeeded
+ retries: 5
+ delay: 2
+
+ - name: Check gitea gpg key
+ command: "gpg --list-keys 0x{{ gitea_gpg_key }}"
+ register: _gitea_gpg_key_status
+ changed_when: false
+ failed_when: _gitea_gpg_key_status.rc not in (0, 2)
+
+ - name: Import gitea gpg key
+ command: "gpg --keyserver {{ gitea_gpg_server }} --recv {{ gitea_gpg_key }}"
+ register: _gitea_import_key
+ changed_when: '"imported: 1" in _gitea_import_key.stderr'
+ when: _gitea_gpg_key_status.rc != 0
+
+ - name: Check archive signature
+ command: "gpg --verify /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
+ changed_when: false
+
+ - name: Unpack gitea binary
+ command:
+ cmd: "xz -k -d /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
+ creates: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}"
+
+ - name: Propagate gitea binary
+ copy:
+ src: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}"
+ remote_src: true
+ dest: "/usr/local/bin/gitea"
+ mode: 0755
+ owner: root
+ group: root
+ notify: "Restart 
gitea" + when: (not gitea_version_check|bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version)) diff --git a/roles/tmaurice.gitea/tasks/install_systemd.yml b/roles/tmaurice.gitea/tasks/install_systemd.yml index 6607472b..a058d6f6 100644 --- a/roles/tmaurice.gitea/tasks/install_systemd.yml +++ b/roles/tmaurice.gitea/tasks/install_systemd.yml @@ -1,6 +1,6 @@ --- - name: "Setup systemd service" - template: + ansible.builtin.template: src: gitea.service.j2 dest: /lib/systemd/system/gitea.service owner: root @@ -10,7 +10,8 @@ - "Reload systemd" - "Restart gitea" -# systemd to be reloaded the first time because it is the only way Systemd is going to be aware of the new unit file. +# systemd to be reloaded the first time because +# it is the only way Systemd is going to be aware of the new unit file. - name: "Reload systemd" - systemd: + ansible.builtin.systemd: daemon_reload: true diff --git a/roles/tmaurice.gitea/tasks/jwt_secrets.yml b/roles/tmaurice.gitea/tasks/jwt_secrets.yml new file mode 100644 index 00000000..ca334c73 --- /dev/null +++ b/roles/tmaurice.gitea/tasks/jwt_secrets.yml 
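Review bot: the GPG check verifies the `.xz` archive, but what is copied to `/usr/local/bin/gitea` as root 0755 is the decompressed `/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}` — a predictable path in a world-writable directory, guarded by `creates:` — so a local user who plants a file at that path before the role runs gets `xz` skipped and their binary installed. Move the download and unpack into a private, root-owned directory (`ansible.builtin.tempfile` with `state: directory`) and drop the `creates:` guard so the verified archive is always the one decompressed; the rewrite below sketches it. `gpg --verify` on its own also accepts a signature from any key in root's keyring, not specifically `gitea_gpg_key`; `--status-fd 1` plus a `failed_when` that requires `VALIDSIG {{ gitea_gpg_key }}` in the output binds the check to the expected key. The `.xz.sha256` fetched from the same release URL is only an integrity check, so the `.asc` path is the one that must be right.
```yaml
- name: Create private download directory
  ansible.builtin.tempfile:
    state: directory
    suffix: -gitea
  register: _gitea_tmpdir

# … unchanged: the two get_url tasks, with /tmp replaced by "{{ _gitea_tmpdir.path }}" …

- name: Check archive signature
  command: "gpg --status-fd 1 --verify {{ _gitea_tmpdir.path }}/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc {{ _gitea_tmpdir.path }}/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
  register: _gitea_sig
  changed_when: false
  failed_when: _gitea_sig.rc != 0 or ('VALIDSIG ' ~ gitea_gpg_key) not in _gitea_sig.stdout

- name: Unpack gitea binary
  command:
    cmd: "xz -k -d {{ _gitea_tmpdir.path }}/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"

# … unchanged: copy to /usr/local/bin/gitea, now sourced from the private directory …

- name: Remove download directory
  file:
    path: "{{ _gitea_tmpdir.path }}"
    state: absent
```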
@@ -0,0 +1,38 @@
+---
+- name: generate OAuth2 JWT_SECRET if not provided
+ become: true
+ shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_oauth_jwt_secret'
+ args:
+ creates: '/etc/gitea/gitea_oauth_jwt_secret'
+ when: gitea_oauth2_jwt_secret | length == 0
+
+- name: read OAuth2 JWT_SECRET from file
+ become: true
+ slurp:
+ src: '/etc/gitea/gitea_oauth_jwt_secret'
+ register: oauth_jwt_secret
+ when: gitea_oauth2_jwt_secret | length == 0
+
+- name: set fact gitea_oauth2_jwt_secret
+ set_fact:
+ gitea_oauth2_jwt_secret: "{{ oauth_jwt_secret['content'] | b64decode }}"
+ when: gitea_oauth2_jwt_secret | length == 0
+
+- name: generate LFS JWT_SECRET if not provided
+ become: true
+ shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_lfs_jwt_secret'
+ args:
+ creates: '/etc/gitea/gitea_lfs_jwt_secret'
+ when: gitea_lfs_jwt_secret | length == 0
+
+- name: read LFS JWT_SECRET from file
+ become: true
+ slurp:
+ src: '/etc/gitea/gitea_lfs_jwt_secret'
+ register: lfs_jwt_secret
+ when: gitea_lfs_jwt_secret | length == 0
+
+- name: set fact gitea_lfs_jwt_secret
+ set_fact:
+ gitea_lfs_jwt_secret: "{{ lfs_jwt_secret['content'] | b64decode }}"
+ when: gitea_lfs_jwt_secret | length == 0
diff --git a/roles/tmaurice.gitea/tasks/main.yml b/roles/tmaurice.gitea/tasks/main.yml
index 78e8ed5e..0a698da0 100644
--- a/roles/tmaurice.gitea/tasks/main.yml
+++ b/roles/tmaurice.gitea/tasks/main.yml
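Review bot: none of the `slurp`/`set_fact` tasks carries `no_log: true`, so a run with `-v` (or any callback that prints results) writes the OAuth2 and LFS JWT secrets into the controller's output and logs — `set_fact` echoes the fact value and `slurp` the base64 content. Add `no_log: true` to those four tasks, and to the two `shell` tasks for good measure. The generation itself looks right: `umask 077` under `become` leaves the files root-owned 0600 and `creates:` keeps it idempotent, though a header comment such as `# secrets are persisted under /etc/gitea so gitea.ini does not change on every run` would explain why they are written to disk at all.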
@@ -1,9 +1,19 @@ --- +- name: Gather variables for each operating system + include_vars: "{{ item }}" + with_first_found: + - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml" + - "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml" + - "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml" + - "{{ ansible_distribution | lower }}.yml" + - "{{ ansible_os_family | lower }}.yml" -- include: check-variables.yml +- name: Gather installed packages for checks in the role (fail2ban) + ansible.builtin.package_facts: + manager: auto - name: "Check gitea version" - shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3" + ansible.builtin.shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3" args: executable: /bin/bash register: gitea_active_version @@ -12,7 +22,7 @@ when: gitea_version_check|bool - name: "Download the binary" - get_url: + ansible.builtin.get_url: url: "{{ gitea_dl_url }}" dest: /usr/local/bin/gitea owner: root @@ -25,13 +35,24 @@ - include: create_user.yml - name: "Create config and data directory" + ansible.builtin.file: + path: "{{ item }}" + state: directory + owner: "{{ gitea_user }}" + group: "{{ gitea_group }}" + mode: '0755' + with_items: + - "/etc/gitea" + +- name: "Create data directory" file: path: "{{ item }}" state: directory owner: "{{ gitea_user }}" - recurse: True + group: "{{ gitea_group }}" + mode: 'u=rwX,g=rX,o=' + recurse: true with_items: - - "/etc/gitea" - "{{ gitea_home }}" - "{{ gitea_home }}/data" - "{{ gitea_home }}/custom" 
@@ -39,25 +60,28 @@ - "{{ gitea_home }}/custom/mailer" - "{{ gitea_home }}/indexers" - "{{ gitea_home }}/log" + - "{{ gitea_repository_root }}" - include: install_systemd.yml when: ansible_service_mgr == "systemd" +- include_tasks: jwt_secrets.yml - name: 'Install git' - package: + ansible.builtin.package: name: 'git' state: 'present' - name: "Configure gitea" - template: + ansible.builtin.template: src: gitea.ini.j2 dest: /etc/gitea/gitea.ini owner: "{{ gitea_user }}" + group: "{{ gitea_group }}" mode: 0600 notify: "Restart gitea" - name: "Service gitea" - service: + ansible.builtin.service: name: gitea state: started enabled: true diff --git a/roles/tmaurice.gitea/templates/gitea.ini.j2 b/roles/tmaurice.gitea/templates/gitea.ini.j2 index 22d8c506..11e06c03 100644 --- a/roles/tmaurice.gitea/templates/gitea.ini.j2 +++ b/roles/tmaurice.gitea/templates/gitea.ini.j2 
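Review bot: the `Download the binary` task in the second hunk still fetches `{{ gitea_dl_url }}` directly into `/usr/local/bin/gitea` with `get_url` and shows no `checksum:` in the lines visible here, while the new `tasks/install.yml` (sha256 plus GPG verification) and `tasks/backup.yml` are not included from any main.yml hunk in this diff. Unless that include lives in a part of main.yml the diff does not show, both new files are dead code and the binary keeps being installed unverified; replacing the get_url task with `- include_tasks: install.yml` and adding `- include_tasks: backup.yml` gated on `gitea_backup_on_upgrade | bool` would wire them in. The `with_first_found` in the first hunk has no `skip: true`, so a host that is neither Debian- nor RedHat-family aborts with a lookup error instead of a readable message.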
@@ -3,195 +3,196 @@ ; ; This file overwrites the default values from gitea. ; undefined variables will use the default value from gitea. -; Cheat Sheet: https://docs.gitea.io/en-us/config-cheat-sheet/ +; Cheat Sheet: https://docs.gitea.io/en-us/config-cheat-sheet/ ; ; App name that shows on every page title -APP_NAME = {{ gitea_app_name }} +APP_NAME = {{ gitea_app_name }} ; Change it if you run locally RUN_USER = {{ gitea_user }} ; Either "dev", "prod" or "test", default is "dev" RUN_MODE = prod [repository] -ROOT = {{ gitea_repository_root }} +ROOT = {{ gitea_repository_root }} ; Force every new repository to be private -FORCE_PRIVATE = {{ gitea_force_private }} +FORCE_PRIVATE = {{ gitea_force_private | ternary('true', 'false') }} ; Global limit of repositories per user, applied at creation time. -1 means no limit -MAX_CREATION_LIMIT = {{ gitea_user_repo_limit }} +MAX_CREATION_LIMIT = {{ gitea_user_repo_limit }} ; Mirror sync queue length, increase if mirror syncing starts hanging MIRROR_QUEUE_LENGTH = 1000 ; Disable the ability to interact with repositories using the HTTP protocol -DISABLE_HTTP_GIT = {{ gitea_disable_http_git }} +DISABLE_HTTP_GIT = {{ gitea_disable_http_git | ternary('true', 'false') }} [ui] ; Whether the email of the user should be shown in the Explore Users page -SHOW_USER_EMAIL = {{ gitea_show_user_email }} -THEMES = {{ gitea_themes }} -DEFAULT_THEME = {{ gitea_theme_default }} +SHOW_USER_EMAIL = {{ gitea_show_user_email | ternary('true', 'false') }} +THEMES = {{ gitea_themes }} +DEFAULT_THEME = {{ gitea_theme_default }} [server] ; The protocol the server listens on. One of 'http', 'https', 'unix' or 'fcgi'. -PROTOCOL = {{ gitea_protocol }} -DOMAIN = {{ gitea_http_domain }} -ROOT_URL = {{ gitea_root_url }} +PROTOCOL = {{ gitea_protocol }} +DOMAIN = {{ gitea_http_domain }} +ROOT_URL = {{ gitea_root_url }} ; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket. 
-HTTP_ADDR = {{ gitea_http_listen }} -HTTP_PORT = {{ gitea_http_port }} +HTTP_ADDR = {{ gitea_http_listen }} +HTTP_PORT = {{ gitea_http_port }} ; Disable SSH feature when not available -DISABLE_SSH = false +DISABLE_SSH = false ; Whether to use the builtin SSH server or not. -START_SSH_SERVER = {{ gitea_start_ssh }} +START_SSH_SERVER = {{ gitea_start_ssh | ternary('true', 'false') }} ; Domain name to be exposed in clone URL -SSH_DOMAIN = {{ gitea_ssh_domain }} +SSH_DOMAIN = {{ gitea_ssh_domain }} ; The network interface the builtin SSH server should listen on -SSH_LISTEN_HOST = {{ gitea_ssh_listen }} +SSH_LISTEN_HOST = {{ gitea_ssh_listen }} ; Port number to be exposed in clone URL -SSH_PORT = {{ gitea_ssh_port }} +SSH_PORT = {{ gitea_ssh_port }} ; The port number the builtin SSH server should listen on -SSH_LISTEN_PORT = %(SSH_PORT)s +SSH_LISTEN_PORT = %(SSH_PORT)s ; Disable CDN even in "prod" mode -OFFLINE_MODE = {{ gitea_offline_mode }} +OFFLINE_MODE = {{ gitea_offline_mode | ternary('true', 'false') }} ; Default path for App data -APP_DATA_PATH = {{ gitea_home }}/data -{%- if gitea_lfs_server_enabled | bool %} +APP_DATA_PATH = {{ gitea_home }}/data +{% if gitea_lfs_server_enabled | bool -%} ;Enables git-lfs support. -LFS_START_SERVER = true +LFS_START_SERVER = true ; Where to store LFS files. 
+LFS_CONTENT_PATH = {{ gitea_lfs_content_path }} +; LFS authentication secret +LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }} LFS_CONTENT_PATH = {{ gitea_lfs_content_path }} -{%- endif %} - +; if the LFS sotre is not offline/local +LFS_JWT_SECRET = {{ gitea_lfs_secret }} +OFFLINE_MODE = {{ gitea_lfs_mode }} +{% endif %} [database] ; Either "mysql", "postgres", "mssql" or "sqlite3", it's your choice -DB_TYPE = {{ gitea_db_type }} -HOST = {{ gitea_db_host }} -NAME = {{ gitea_db_name }} -USER = {{ gitea_db_user }} +DB_TYPE = {{ gitea_db_type }} +HOST = {{ gitea_db_host }} +NAME = {{ gitea_db_name }} +USER = {{ gitea_db_user }} ; Use PASSWD = `your password` for quoting if you use special characters in the password. -PASSWD = {{ gitea_db_password }} -; For Postgres, either "disable" (default), "require", or "verify-full" +PASSWD = {{ gitea_db_password }} +; For Postgres, either "disable" (default), "require", "verify-ca" or "verify-full" ; For MySQL, either "false" (default), "true", or "skip-verify" -SSL_MODE = {{ gitea_db_ssl }} +SSL_MODE = {{ gitea_db_ssl }} ; For "sqlite3" and "tidb", use an absolute path when you start gitea as service -PATH = {{ gitea_db_path }} +PATH = {{ gitea_db_path }} [indexer] ; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve -ISSUE_INDEXER_PATH = {{ gitea_home }}/indexers/issues.bleve +ISSUE_INDEXER_PATH = {{ gitea_home }}/indexers/issues.bleve ; Issue indexer queue, currently support: channel or levelqueue, default is levelqueue -ISSUE_INDEXER_QUEUE_TYPE = levelqueue +ISSUE_INDEXER_QUEUE_TYPE = levelqueue ; When ISSUE_INDEXER_QUEUE_TYPE is levelqueue, this will be the queue will be saved path, ; default is indexers/issues.queue -ISSUE_INDEXER_QUEUE_DIR = {{ gitea_home }}/indexers/issues.queue - +ISSUE_INDEXER_QUEUE_DIR = {{ gitea_home }}/indexers/issues.queue ; repo indexer by default disabled, since it uses a lot of disk space -REPO_INDEXER_ENABLED = {{ gitea_repo_indexer_enabled }} -REPO_INDEXER_PATH = {{ gitea_home 
}}/indexers/repos.bleve -REPO_INDEXER_INCLUDE = {{ gitea_repo_indexer_include }} -REPO_INDEXER_EXCLUDE = {{ gitea_repo_indexer_exclude }} +REPO_INDEXER_ENABLED = {{ gitea_repo_indexer_enabled }} +REPO_INDEXER_PATH = {{ gitea_home }}/indexers/repos.bleve +REPO_INDEXER_INCLUDE = {{ gitea_repo_indexer_include }} +REPO_INDEXER_EXCLUDE = {{ gitea_repo_indexer_exclude }} REPO_INDEXER_EXCLUDE_VENDORED = {{ gitea_repo_exclude_vendored }} -MAX_FILE_SIZE = {{ gitea_repo_indexer_max_file_size }} +MAX_FILE_SIZE = {{ gitea_repo_indexer_max_file_size }} [security] ; Whether the installer is disabled -INSTALL_LOCK = true +INSTALL_LOCK = true ; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!! -SECRET_KEY = {{ gitea_secret_key }} -INTERNAL_TOKEN = {{ gitea_internal_token }} +SECRET_KEY = {{ gitea_secret_key }} +INTERNAL_TOKEN = {{ gitea_internal_token }} ; How long to remember that an user is logged in before requiring relogin (in days) LOGIN_REMEMBER_DAYS = 7 -DISABLE_GIT_HOOKS = {{ gitea_disable_git_hooks }} +DISABLE_GIT_HOOKS = {{ gitea_disable_git_hooks | ternary('true', 'false') }} [service] ; Disallow registration, only allow admins to create accounts. -DISABLE_REGISTRATION = {{ gitea_disable_registration }} +DISABLE_REGISTRATION = {{ gitea_disable_registration }} ; User must sign in to view anything. -REQUIRE_SIGNIN_VIEW = {{ gitea_require_signin }} +REQUIRE_SIGNIN_VIEW = {{ gitea_require_signin | ternary('true', 'false') }} ; Enable captcha validation for registration -ENABLE_CAPTCHA = {{ gitea_enable_captcha }} +ENABLE_CAPTCHA = {{ gitea_enable_captcha | ternary('true', 'false') }} ; Type of captcha you want to use. 
Options: image, recaptcha -CAPTCHA_TYPE = image +CAPTCHA_TYPE = image ; Enable recaptcha to use Google's recaptcha service ; Go to https://www.google.com/recaptcha/admin to sign up for a key -RECAPTCHA_SECRET = -RECAPTCHA_SITEKEY = +RECAPTCHA_SECRET = +RECAPTCHA_SITEKEY = ; Show Registration button SHOW_REGISTRATION_BUTTON = {{ gitea_show_registration_button }} ALLOW_ONLY_EXTERNAL_REGISTRATION = {{ gitea_only_allow_external_registration }} ENABLE_NOTIFY_MAIL = {{ gitea_enable_notify_mail }} +DEFAULT_EMAIL_NOTIFICATIONS = {{ gitea_mail_default }} +AUTO_WATCH_NEW_REPOS = {{ gitea_autowatch_new_repo }} +AUTO_WATCH_ON_CHANGES = {{ gitea_autowatch_on_change }} +SHOW_MILESTONES_DASHBOARD_PAGE = {{ gitea_show_mailstones_dashboard }} [mailer] -ENABLED = {{ gitea_mailer_enabled }} +ENABLED = {{ gitea_mailer_enabled | ternary('true', 'false') }} ; Mail server ; Gmail: smtp.gmail.com:587 ; QQ: smtp.qq.com:465 ; Note, if the port ends with "465", SMTPS will be used. Using STARTTLS on port 587 is recommended per RFC 6409. If the server supports STARTTLS it will always be used. -HOST = {{ gitea_mailer_host }} -; Disable HELO operation when hostnames are different. -DISABLE_HELO = -; Custom hostname for HELO operation, if no value is provided, one is retrieved from system. -HELO_HOSTNAME = +HOST = {{ gitea_mailer_host }} ; Do not verify the certificate of the server. Only use this for self-signed certificates -SKIP_VERIFY = {{ gitea_mailer_skip_verify }} +SKIP_VERIFY = {{ gitea_mailer_skip_verify }} ; Use client certificate -USE_CERTIFICATE = false -CERT_FILE = {{ gitea_home }}/custom/mailer/cert.pem -KEY_FILE = {{ gitea_home }}/custom/mailer/key.pem +USE_CERTIFICATE = false +CERT_FILE = {{ gitea_home }}/custom/mailer/cert.pem +KEY_FILE = {{ gitea_home }}/custom/mailer/key.pem ; Should SMTP connection use TLS -IS_TLS_ENABLED = {{ gitea_mailer_tls_enabled }} +IS_TLS_ENABLED = {{ gitea_mailer_tls_enabled | ternary('true', 'false') }} ; Mail from address, RFC 5322. 
This can be just an email address, or the `"Name" ` format -FROM = {{ gitea_mailer_from }} +FROM = {{ gitea_mailer_from }} ; Mailer user name and password -USER = {{ gitea_mailer_user }} +USER = {{ gitea_mailer_user }} ; Use PASSWD = `your password` for quoting if you use special characters in the password. -PASSWD = `{{ gitea_mailer_password }}` +PASSWD = {{ gitea_mailer_password }} ; Send mails as plain text SEND_AS_PLAIN_TEXT = false ; Set Mailer Type (either SMTP, sendmail or dummy to just send to the log) -MAILER_TYPE = {{ gitea_mailer_type }} +MAILER_TYPE = {{ gitea_mailer_type }} ; Specify an alternative sendmail binary -SENDMAIL_PATH = sendmail -; Specify any extra sendmail arguments -SENDMAIL_ARGS = - +SENDMAIL_PATH = sendmail [session] ; Either "memory", "file", or "redis", default is "memory" -PROVIDER = file +PROVIDER = file ; Provider config options ; memory: doesn't have any config yet ; file: session file path, e.g. `data/sessions` ; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180 ; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table` -PROVIDER_CONFIG = {{ gitea_home }}/data/sessions +PROVIDER_CONFIG = {{ gitea_home }}/data/sessions [picture] -AVATAR_UPLOAD_PATH = {{ gitea_home }}/data/avatars +AVATAR_UPLOAD_PATH = {{ gitea_home }}/data/avatars ; This value will always be true in offline mode. -DISABLE_GRAVATAR = {{ gitea_disable_gravatar }} +DISABLE_GRAVATAR = {{ gitea_disable_gravatar | ternary('true', 'false') }} [attachment] ; Whether attachments are enabled. Defaults to `true` ENABLED = true ; Path for attachments. Defaults to `data/attachments` -PATH = {{ gitea_home }}/data/attachments +PATH = {{ gitea_home }}/data/attachments [log] -ROOT_PATH = {{ gitea_home }}/log +ROOT_PATH = {{ gitea_home }}/log ; Either "console", "file", "conn", "smtp" or "database", default is "console" ; Use comma to separate multiple modes, e.g. 
"console, file" -MODE = file +MODE = file ; Buffer length of the channel, keep it as it is if you don't know what it is. -BUFFER_LEN = 10000 +BUFFER_LEN = 10000 ; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace" -LEVEL = Info +LEVEL = {{ gitea_log_level }} REDIRECT_MACARON_LOG = false [oauth2] -ENABLE = {{ gitea_oauth2_enabled }} +ENABLE = {{ gitea_oauth2_enabled }} JWT_SECRET = {{ gitea_oauth2_jwt_secret }} [metrics] ENABLED = {{ gitea_metrics_enabled }} -TOKEN = {{ gitea_metrics_token }} +TOKEN = {{ gitea_metrics_token }} {{ gitea_extra_config }} diff --git a/roles/tmaurice.gitea/templates/gitea.service.j2 b/roles/tmaurice.gitea/templates/gitea.service.j2 index f7c004d8..0dd69a50 100644 --- a/roles/tmaurice.gitea/templates/gitea.service.j2 +++ b/roles/tmaurice.gitea/templates/gitea.service.j2 @@ -4,6 +4,7 @@ After=network.target [Service] User={{ gitea_user }} +Group={{ gitea_group }} ExecStart=/usr/local/bin/gitea web -c /etc/gitea/gitea.ini Restart=on-failure WorkingDirectory={{ gitea_home }} diff --git a/roles/tmaurice.gitea/vars/debian.yml b/roles/tmaurice.gitea/vars/debian.yml new file mode 100644 index 00000000..dc164f62 --- /dev/null +++ b/roles/tmaurice.gitea/vars/debian.yml @@ -0,0 +1,5 @@ +--- +gitea_dependencies: + - git + - gnupg2 + - xz-utils diff --git a/roles/tmaurice.gitea/vars/main.yml b/roles/tmaurice.gitea/vars/main.yml index 9ec51139..b473a405 100644 --- a/roles/tmaurice.gitea/vars/main.yml +++ b/roles/tmaurice.gitea/vars/main.yml @@ -1,2 +1,10 @@ --- -gitea_arch: "{{ 'amd64' if ansible_architecture == 'x86_64' else ansible_architecture }}" +gitea_go_arch_map: + i386: '386' + x86_64: 'amd64' + aarch64: 'arm64' + armv7l: 'arm-6' + armv6l: 'arm-6' + armv5l: 'arm-5' + +gitea_arch: "{{ gitea_go_arch_map[ansible_architecture] | default(ansible_architecture) }}" diff --git a/roles/tmaurice.gitea/vars/redhat.yml b/roles/tmaurice.gitea/vars/redhat.yml new file mode 100644 index 00000000..7c964152 --- /dev/null 
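Review bot: inside the `{% if gitea_lfs_server_enabled | bool %}` block `LFS_CONTENT_PATH` and `LFS_JWT_SECRET` are each written twice — `LFS_JWT_SECRET` first from `gitea_lfs_jwt_secret` (the generated, persisted value) and then from `gitea_lfs_secret`, whose default is the literal `SomethingVeryLong`. go-ini keeps the last value for a repeated key, so on a default deployment the generated secret is silently discarded and LFS tokens are signed with a string anyone can read out of this role; keep only `LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }}` and delete the second `LFS_CONTENT_PATH`. `OFFLINE_MODE = {{ gitea_lfs_mode }}` in the same block re-sets the `[server]` key already written from `gitea_offline_mode` a few lines earlier, so enabling LFS changes an unrelated server setting; if a separate LFS knob is wanted it needs a different key, otherwise drop the line. The mailer `PASSWD` line also lost its backtick quoting, contrary to the comment directly above it, so a password containing `#` or `;` or surrounding whitespace may now be mangled by the ini parser — restore the backticks around the value or document the limitation.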
+++ b/roles/tmaurice.gitea/vars/redhat.yml
@@ -0,0 +1,5 @@
+---
+gitea_dependencies:
+ - git
+ - gnupg2
+ - xz