Update tmaurice.gitea (#294)

Co-authored-by: Michael Grote <michael.grote@posteo.de>
Reviewed-on: mg/ansible#294
Co-authored-by: mg <michael.grote@posteo.de>
Co-committed-by: mg <michael.grote@posteo.de>

roles/tmaurice.gitea/.github/workflows/ansible-linting-check.yml

@@ -0,0 +1,22 @@
+---
+name: Ansible Lint check
+
+# yamllint disable-line rule:truthy
+on: [push, pull_request]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Lint Ansible Playbook
+        uses: ansible/ansible-lint-action@master
+        with:
+          targets: "."
+          # [required]
+          # Paths to ansible files (i.e., playbooks, tasks, handlers etc..)
+          args: ""
+          # [optional]

roles/tmaurice.gitea/.travis.yml

@@ -7,11 +7,12 @@ env:
   matrix:
     - MOLECULE_DISTRO: centos8
     - MOLECULE_DISTRO: centos7
+    - MOLECULE_DISTRO: ubuntu2004
     - MOLECULE_DISTRO: ubuntu1804
     - MOLECULE_DISTRO: ubuntu1604
     - MOLECULE_DISTRO: debian10
     - MOLECULE_DISTRO: debian9
-    - MOLECULE_DISTRO: fedora31
+    - MOLECULE_DISTRO: fedora33
 
 services:
   - docker

roles/tmaurice.gitea/README.md

@@ -58,6 +58,7 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
 
 * `gitea_version_check`: Check if installed version != `gitea_version` before initiating binary download
 * `gitea_user`: UNIX user used by Gitea
+* `gitea_group`: UNIX group used by Gitea
 * `gitea_home`: Base directory to work
 * `gitea_dl_url`: The URL, the compiled gitea-binary will be downloaded from
 * `gitea_systemd_cap_net_bind_service`: Adds `AmbientCapabilities=CAP_NET_BIND_SERVICE` to systemd service file
@@ -109,7 +110,7 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
 * `gitea_db_name`: Database name
 * `gitea_db_user`: Database username
 * `gitea_db_password`: Database password
-* `gitea_db_ssl`: Use SSL ? (postgres only!). Can be `required`, `disable`, `verify-full`
+* `gitea_db_ssl`: Use SSL ? (postgres only!). Can be `require`, `disable`, `verify-ca` or `verify-full`
 * `gitea_db_path`: DB path, if you use `sqlite3`. The default is good enough to work though.
 
 ### Mailer configuration
@@ -122,6 +123,10 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
 * `gitea_mailer_password`: SMTP server password
 * `gitea_mailer_from`: Sender mail address
 * `gitea_enable_notify_mail`:  Whether e-mail should be send to watchers of a repository when something happens. Default: `false`
+* `gitea_mail_default`: Default configuration for email notifications for users (user configurable). Options: enabled, onmention, disable  (Default: `onmention` )
+* `gitea_autowatch_new_repo`: Enable this to let all organisation users watch new repos when they are created (Default: `false`)
+* `gitea_autowatch_on_change`: Enable this to make users watch a repository after their first commit to it (Default: `true`)
+* `gitea_show_mailstones_dashboard`: Enable this to show the milestones dashboard page - a view of all the user’s milestones (Default: `true`)
 
 ### Fail2Ban configuration
 
@@ -138,8 +143,12 @@ As this will only deploy config files, fail2ban already has to be installed or o
 ### Oauth2 provider configuration
 
 * `gitea_oauth2_enabled`: Enable the Oauth2 provider (true/false)
-* `gitea_oauth2_jwt_secret`: JWT secret, cannot be longer than 32 characters
+* `gitea_oauth2_jwt_secret`: Oauth2 JWT secret. Can be generated with ``gitea generate secret JWT_SECRET``
 
+### GIT LFS configuration
+* `gitea_lfs_enabled`: Enable GIT LFS (large filesystem)
+* `gitea_lfs_mode`: should lfs be in offline mode (true/false)
+* `gitea_lfs_secret`: JWT secret for remote LFS usage 
 
 ### Metrics endpoint configuration
 
@@ -154,6 +163,10 @@ As this will only deploy config files, fail2ban already has to be installed or o
 * `gitea_repo_exclude_vendored`: Exclude vendored files from the index. Default: `true`
 * `gitea_repo_indexer_max_file_size`: Maximum size of files to be indexed (in bytes). Default: `1048576` (1 MB)
 
+### backup on upgrade
+* `gitea_backup_on_upgrade`: Optionally a backup can be created with every update of gitea. Default: `false`
+* `gitea_backup_location`: Where to store the gitea backup if one is created with this role. Default: `{{ gitea_home }}/backups/`
+
 ## Contributing
 Don't hesitate to create a pull request, and when in doubt you can reach me on
 Twitter [@thomas_maurice](https://twitter.com/thomas_maurice).

roles/tmaurice.gitea/defaults/main.yml

@@ -1,10 +1,13 @@
 ---
-gitea_version: "1.13.0"
+gitea_version: "1.13.7"
 gitea_version_check: true
 gitea_dl_url: "https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-{{ gitea_arch }}"
+gitea_gpg_key: "7C9E68152594688862D62AF62D9AE806EC1592E2"
+gitea_gpg_server: "hkps://keys.openpgp.org"
 
 gitea_app_name: "Gitea"
 gitea_user: "gitea"
+gitea_group: "gitea"
 gitea_home: "/var/lib/gitea"
 gitea_shell: "/bin/false"
 gitea_systemd_cap_net_bind_service: false
@@ -21,7 +24,10 @@ gitea_disable_http_git: false
 gitea_offline_mode: true
 
 gitea_lfs_server_enabled: false
-gitea_lfs_content_path: "data/lfs"
+gitea_lfs_content_path: "{{ gitea_home }}/data/lfs"
+gitea_lfs_jwt_secret: ''
+gitea_lfs_secret: SomethingVeryLong
+gitea_lfs_mode: true
 
 gitea_db_type: sqlite3
 gitea_db_host: 127.0.0.0:3306
@@ -48,6 +54,10 @@ gitea_require_signin: true
 gitea_enable_captcha: true
 gitea_only_allow_external_registration: false
 gitea_enable_notify_mail: false
+gitea_mail_default: onmention
+gitea_autowatch_new_repo: false
+gitea_autowatch_on_change: true
+gitea_show_mailstones_dashboard: true
 
 gitea_force_private: false
 
@@ -67,7 +77,7 @@ gitea_fail2ban_jail_bantime: 900
 gitea_fail2ban_jail_action: iptables-allports
 
 gitea_oauth2_enabled: true
-gitea_oauth2_jwt_secret: ChangeMe
+gitea_oauth2_jwt_secret: ''
 
 gitea_metrics_enabled: false
 gitea_metrics_token: ~
@@ -81,4 +91,9 @@ gitea_repo_indexer_exclude: ""
 gitea_repo_exclude_vendored: true
 gitea_repo_indexer_max_file_size: 1048576
 
+gitea_log_level: Info
+
 gitea_extra_config: ""
+
+gitea_backup_on_upgrade: false
+gitea_backup_location: "{{ gitea_home }}/backups/"

roles/tmaurice.gitea/handlers/main.yml

@@ -1,17 +1,17 @@
 ---
 - name: "Restart gitea"
-  service:
+  ansible.builtin.service:
     name: gitea
     state: restarted
   when: ansible_service_mgr == "systemd"
 
 - name: "Reload systemd"
-  systemd:
+  ansible.builtin.systemd:
     daemon_reload: true
   when: ansible_service_mgr == "systemd"
 
 - name: "Restart fail2ban"
-  service:
+  ansible.builtin.service:
     name: fail2ban
     state: restarted
   when: ansible_service_mgr == "systemd"

roles/tmaurice.gitea/meta/main.yml

@@ -2,7 +2,7 @@
 galaxy_info:
   author: Thomas Maurice
   description: Ansible Role - Gitea
-  min_ansible_version: 2.7.9
+  min_ansible_version: 2.10
   license: BSD-3-Clause
   galaxy_tags:
     - git
@@ -16,12 +16,17 @@ galaxy_info:
   platforms:
     - name: Debian
       versions:
-        - jessie
         - stretch
-    - name: EL
+        - buster
-      versions:
-        - 7
     - name: Ubuntu
       versions:
         - xenial
         - bionic
+        - focal
+    - name: CentOS
+      versions:
+        - 7
+        - 8
+    - name: Fedora
+      versions:
+        - 33

roles/tmaurice.gitea/molecule/default/prepare.yml

@@ -1,22 +1,27 @@
 ---
-- name: Perpare
+- name: Prepare
   hosts: all
   become: true
   tasks:
     - name: install dependencies for gitea (RedHat based systems)
       yum:
-        name: "{{ packages }}"
+        name: "{{ redhat_packages }}"
         state: present
         update_cache: true
       when: ansible_os_family == "RedHat"
     - name: install dependencies for gitea (Debian based systems)
       apt:
-        name: "{{ packages }}"
+        name: "{{ debian_packages }}"
         state: present
         update_cache: true
       when: ansible_os_family == "Debian"
 
   vars:
-    packages:
+    debian_packages:
       - git
       - curl
+      - xz-utils
+    redhat_packages:
+      - git
+      - curl
+      - xz

roles/tmaurice.gitea/requirements-travis.txt

@@ -1,24 +1,21 @@
-ansible==2.10.0
+ansible==2.10.7
 ansible-lint==4.2.0
 anyconfig==0.9.7
 arrow==0.15.5
 asn1crypto==0.24.0
-atomicwrites==1.3.0
-attrs==19.1.0
-autopep8==1.5.1
-bcrypt==3.1.7
 binaryornot==0.4.4
 Cerberus==1.3.2
-certifi==2020.4.5.1
+certifi==2020.12.5
-cffi==1.14.0
+cffi==1.14.4
-chardet==3.0.4
+chardet==4.0.0
-click==7.1.1
+click==7.1.2
 click-completion==0.5.2
-click-help-colors==0.8
+click-help-colors==0.9
-colorama==0.4.3
+colorama==0.4.4
-cookiecutter==1.7.0
+cookiecutter==1.7.2
+cryptography==3.3.1
 cryptography==3.3.2
-docker==4.2.0
+docker==4.4.1
 docker-pycreds==0.4.0
 entrypoints==0.3
 fasteners==0.15
@@ -33,10 +30,10 @@ MarkupSafe==1.1.1
 mccabe==0.6.1
 molecule==3.0.3
 monotonic==1.5
-more-itertools==6.0.0
+more-itertools==8.6.0
-paramiko==2.7.1
+paramiko==2.7.2
-pathspec==0.8.0
+pathspec==0.8.1
-pbr==5.1.1
+pbr==5.5.1
 pexpect==4.8.0
 pi==0.1.2
 pluggy==0.13.1
@@ -60,10 +57,10 @@ sh==1.12.14
 shellingham==1.3.2
 six==1.14.0
 tabulate==0.8.7
-testinfra==5.0.0
+testinfra==6.0.0
 tree-format==0.1.2
-urllib3==1.25.8
+urllib3==1.26.5
 websocket-client==0.57.0
 whichcraft==0.6.1
-yamllint==1.22.1
+yamllint==1.26.0
-zipp==3.1.0
+zipp==3.4.0

roles/tmaurice.gitea/tasks/backup.yml

@@ -0,0 +1,30 @@
+---
+- name: Get service facts
+  service_facts:
+
+- block:
+    - name: Stopping gitea before upgrade
+      service:
+        name: gitea
+        state: stopped
+
+    - name: "Create backup directory"
+      file:
+        path: "{{ item }}"
+        state: directory
+        owner: "{{ gitea_user }}"
+        group: "{{ gitea_group }}"
+        mode: 'u=rwx,g=rx,o='
+      with_items:
+        - "{{ gitea_backup_location }}"
+
+    - name: Backing up gitea before upgrade
+      command:
+        cmd: "/usr/local/bin/gitea dump -c /etc/gitea/gitea.ini"
+        chdir: "{{ gitea_backup_location }}"
+      become: true
+      become_user: "{{ gitea_user }}"
+  when:
+    - ansible_facts.services["gitea.service"] is defined
+    - ansible_facts.services["gitea.service"].state == "running"
+    - gitea_active_version.stdout != gitea_version

roles/tmaurice.gitea/tasks/create_user.yml

@@ -1,7 +1,14 @@
 ---
+- name: "Create Gitea Group"
+  group:
+    name: "{{ gitea_group }}"
+    system: true
+    state: "present"
+
 - name: "Create Gitea user"
-  user:
+  ansible.builtin.user:
     name: "{{ gitea_user }}"
     comment: "Gitea user"
     home: "{{ gitea_home }}"
     shell: "{{ gitea_shell }}"
+    system: true

roles/tmaurice.gitea/tasks/fail2ban.yml

@@ -1,18 +1,26 @@
 ---
 - name: Install fail2ban filter
-  template:
+  ansible.builtin.template:
     src: fail2ban/filter.conf.j2
     dest: /etc/fail2ban/filter.d/gitea.conf
     owner: root
     group: root
     mode: 0444
   notify: Restart fail2ban
+  when: "'fail2ban' in ansible_facts.packages"
 
 - name: Install fail2ban jail
-  template:
+  ansible.builtin.template:
     src: fail2ban/jail.conf.j2
     dest: /etc/fail2ban/jail.d/gitea.conf
     owner: root
     group: root
     mode: 0444
   notify: Restart fail2ban
+  when: "'fail2ban' in ansible_facts.packages"
+
+- name: warn if fail2ban is not installed
+  ansible.builtin.fail:
+    msg: "the package fail2ban is not installed. no fail2ban filters deployed."
+  when: "'fail2ban' not in ansible_facts.packages"
+  ignore_errors: true

roles/tmaurice.gitea/tasks/install.yml

@@ -0,0 +1,71 @@
+---
+- block:
+    - name: Update apt cache
+      apt:
+        cache_valid_time: 3600
+        update_cache: true
+      register: _pre_update_apt_cache
+      until: _pre_update_apt_cache is succeeded
+      when:
+        - ansible_pkg_mgr == "apt"
+
+    - name: Install dependencies
+      package:
+        name: "{{ gitea_dependencies }}"
+        state: present
+      register: _install_dep_packages
+      until: _install_dep_packages is succeeded
+      retries: 5
+      delay: 2
+
+- block:
+    - name: Download gitea archive
+      get_url:
+        url: "{{ gitea_dl_url }}.xz"
+        dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
+        checksum: "sha256:{{ gitea_dl_url }}.xz.sha256"
+      register: _download_archive
+      until: _download_archive is succeeded
+      retries: 5
+      delay: 2
+
+    - name: Download gitea asc file
+      get_url:
+        url: "{{ gitea_dl_url }}.xz.asc"
+        dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc"
+      register: _download_asc
+      until: _download_asc is succeeded
+      retries: 5
+      delay: 2
+
+    - name: Check gitea gpg key
+      command: "gpg --list-keys 0x{{ gitea_gpg_key }}"
+      register: _gitea_gpg_key_status
+      changed_when: false
+      failed_when: _gitea_gpg_key_status.rc not in (0, 2)
+
+    - name: Import gitea gpg key
+      command: "gpg --keyserver {{ gitea_gpg_server }} --recv {{ gitea_gpg_key }}"
+      register: _gitea_import_key
+      changed_when: '"imported: 1" in _gitea_import_key.stderr'
+      when: _gitea_gpg_key_status.rc != 0
+
+    - name: Check archive signature
+      command: "gpg --verify /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
+      changed_when: false
+
+    - name: Unpack gitea binary
+      command:
+        cmd: "xz -k -d /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
+        creates: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}"
+
+    - name: Propagate gitea binary
+      copy:
+        src: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}"
+        remote_src: true
+        dest: "/usr/local/bin/gitea"
+        mode: 0755
+        owner: root
+        group: root
+      notify: "Restart gitea"
+  when: (not gitea_version_check|bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version))

roles/tmaurice.gitea/tasks/install_systemd.yml

@@ -1,6 +1,6 @@
 ---
 - name: "Setup systemd service"
-  template:
+  ansible.builtin.template:
     src: gitea.service.j2
     dest: /lib/systemd/system/gitea.service
     owner: root
@@ -10,7 +10,8 @@
     - "Reload systemd"
     - "Restart gitea"
 
-# systemd to be reloaded the first time because it is the only way Systemd is going to be aware of the new unit file.
+# systemd to be reloaded the first time because
+#  it is the only way Systemd is going to be aware of the new unit file.
 - name: "Reload systemd"
-  systemd:
+  ansible.builtin.systemd:
     daemon_reload: true

roles/tmaurice.gitea/tasks/jwt_secrets.yml

@@ -0,0 +1,38 @@
+---
+- name: generate OAuth2 JWT_SECRET if not provided
+  become: true
+  shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_oauth_jwt_secret'
+  args:
+    creates: '/etc/gitea/gitea_oauth_jwt_secret'
+  when: gitea_oauth2_jwt_secret | length == 0
+
+- name: read OAuth2 JWT_SECRET from file
+  become: true
+  slurp:
+    src: '/etc/gitea/gitea_oauth_jwt_secret'
+  register: oauth_jwt_secret
+  when: gitea_oauth2_jwt_secret | length == 0
+
+- name: set fact gitea_oauth2_jwt_secret
+  set_fact:
+    gitea_oauth2_jwt_secret: "{{ oauth_jwt_secret['content'] | b64decode }}"
+  when: gitea_oauth2_jwt_secret | length == 0
+
+- name: generate LFS JWT_SECRET if not provided
+  become: true
+  shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_lfs_jwt_secret'
+  args:
+    creates: '/etc/gitea/gitea_lfs_jwt_secret'
+  when: gitea_lfs_jwt_secret | length == 0
+
+- name: read LFS JWT_SECRET from file
+  become: true
+  slurp:
+    src: '/etc/gitea/gitea_lfs_jwt_secret'
+  register: lfs_jwt_secret
+  when: gitea_lfs_jwt_secret | length == 0
+
+- name: set fact gitea_lfs_jwt_secret
+  set_fact:
+    gitea_lfs_jwt_secret: "{{ lfs_jwt_secret['content'] | b64decode }}"
+  when: gitea_lfs_jwt_secret | length == 0

roles/tmaurice.gitea/tasks/main.yml

@@ -1,9 +1,19 @@
 ---
+- name: Gather variables for each operating system
+  include_vars: "{{ item }}"
+  with_first_found:
+    - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
+    - "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
+    - "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
+    - "{{ ansible_distribution | lower }}.yml"
+    - "{{ ansible_os_family | lower }}.yml"
 
-- include: check-variables.yml
+- name: Gather installed packages for checks in the role (fail2ban)
+  ansible.builtin.package_facts:
+    manager: auto
 
 - name: "Check gitea version"
-  shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3"
+  ansible.builtin.shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3"
   args:
     executable: /bin/bash
   register: gitea_active_version
@@ -12,7 +22,7 @@
   when: gitea_version_check|bool
 
 - name: "Download the binary"
-  get_url:
+  ansible.builtin.get_url:
     url: "{{ gitea_dl_url }}"
     dest: /usr/local/bin/gitea
     owner: root
@@ -25,13 +35,24 @@
 - include: create_user.yml
 
 - name: "Create config and data directory"
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    mode: '0755'
+  with_items:
+    - "/etc/gitea"
+
+- name: "Create data directory"
   file:
     path: "{{ item }}"
     state: directory
     owner: "{{ gitea_user }}"
-    recurse: True
+    group: "{{ gitea_group }}"
+    mode: 'u=rwX,g=rX,o='
+    recurse: true
   with_items:
-    - "/etc/gitea"
     - "{{ gitea_home }}"
     - "{{ gitea_home }}/data"
     - "{{ gitea_home }}/custom"
@@ -39,25 +60,28 @@
     - "{{ gitea_home }}/custom/mailer"
     - "{{ gitea_home }}/indexers"
     - "{{ gitea_home }}/log"
+    - "{{ gitea_repository_root }}"
 
 - include: install_systemd.yml
   when: ansible_service_mgr == "systemd"
 
+- include_tasks: jwt_secrets.yml
 - name: 'Install git'
-  package:
+  ansible.builtin.package:
     name: 'git'
     state: 'present'
 
 - name: "Configure gitea"
-  template:
+  ansible.builtin.template:
     src: gitea.ini.j2
     dest: /etc/gitea/gitea.ini
     owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
     mode: 0600
   notify: "Restart gitea"
 
 - name: "Service gitea"
-  service:
+  ansible.builtin.service:
     name: gitea
     state: started
     enabled: true

roles/tmaurice.gitea/templates/gitea.ini.j2

@@ -6,7 +6,7 @@
 ; Cheat Sheet: https://docs.gitea.io/en-us/config-cheat-sheet/
 ;
 ; App name that shows on every page title
-APP_NAME = {{ gitea_app_name }}
+APP_NAME = {{ gitea_app_name }}
 ; Change it if you run locally
 RUN_USER = {{ gitea_user }}
 ; Either "dev", "prod" or "test", default is "dev"
@@ -15,17 +15,17 @@ RUN_MODE = prod
 [repository]
 ROOT                = {{ gitea_repository_root }}
 ; Force every new repository to be private
-FORCE_PRIVATE         = {{ gitea_force_private }}
+FORCE_PRIVATE       = {{ gitea_force_private | ternary('true', 'false') }}
 ; Global limit of repositories per user, applied at creation time. -1 means no limit
 MAX_CREATION_LIMIT  = {{ gitea_user_repo_limit }}
 ; Mirror sync queue length, increase if mirror syncing starts hanging
 MIRROR_QUEUE_LENGTH = 1000
 ; Disable the ability to interact with repositories using the HTTP protocol
-DISABLE_HTTP_GIT      = {{ gitea_disable_http_git }}
+DISABLE_HTTP_GIT    = {{ gitea_disable_http_git | ternary('true', 'false') }}
 
 [ui]
 ; Whether the email of the user should be shown in the Explore Users page
-SHOW_USER_EMAIL       = {{ gitea_show_user_email }}
+SHOW_USER_EMAIL = {{ gitea_show_user_email | ternary('true', 'false') }}
 THEMES          = {{ gitea_themes }}
 DEFAULT_THEME   = {{ gitea_theme_default }}
 
@@ -35,12 +35,12 @@ PROTOCOL              = {{ gitea_protocol }}
 DOMAIN           = {{ gitea_http_domain }}
 ROOT_URL         = {{ gitea_root_url }}
 ; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket.
-HTTP_ADDR             = {{ gitea_http_listen }}
+HTTP_ADDR        = {{ gitea_http_listen }}
 HTTP_PORT        = {{ gitea_http_port }}
 ; Disable SSH feature when not available
 DISABLE_SSH      = false
 ; Whether to use the builtin SSH server or not.
-START_SSH_SERVER      = {{ gitea_start_ssh }}
+START_SSH_SERVER = {{ gitea_start_ssh | ternary('true', 'false') }}
 ; Domain name to be exposed in clone URL
 SSH_DOMAIN       = {{ gitea_ssh_domain }}
 ; The network interface the builtin SSH server should listen on
@@ -50,16 +50,21 @@ SSH_PORT              = {{ gitea_ssh_port }}
 ; The port number the builtin SSH server should listen on
 SSH_LISTEN_PORT  = %(SSH_PORT)s
 ; Disable CDN even in "prod" mode
-OFFLINE_MODE          = {{ gitea_offline_mode }}
+OFFLINE_MODE     = {{ gitea_offline_mode | ternary('true', 'false') }}
 ; Default path for App data
 APP_DATA_PATH    = {{ gitea_home }}/data
-{%- if gitea_lfs_server_enabled | bool %}
+{% if gitea_lfs_server_enabled | bool -%}
 ;Enables git-lfs support.
 LFS_START_SERVER = true
 ; Where to store LFS files.
 LFS_CONTENT_PATH = {{ gitea_lfs_content_path }}
-{%- endif %}
+; LFS authentication secret
-
+LFS_JWT_SECRET   = {{ gitea_lfs_jwt_secret }}
+LFS_CONTENT_PATH      = {{ gitea_lfs_content_path }}
+; if the LFS sotre is not offline/local
+LFS_JWT_SECRET       = {{ gitea_lfs_secret }} 
+OFFLINE_MODE         = {{ gitea_lfs_mode }}
+{% endif %}
 [database]
 ; Either "mysql", "postgres", "mssql" or "sqlite3", it's your choice
 DB_TYPE  = {{ gitea_db_type }}
@@ -68,7 +73,7 @@ NAME                  = {{ gitea_db_name }}
 USER     = {{ gitea_db_user }}
 ; Use PASSWD = `your password` for quoting if you use special characters in the password.
 PASSWD   = {{ gitea_db_password }}
-; For Postgres, either "disable" (default), "require", or "verify-full"
+; For Postgres, either "disable" (default), "require", "verify-ca" or "verify-full"
 ; For MySQL, either "false" (default), "true", or "skip-verify"
 SSL_MODE = {{ gitea_db_ssl }}
 ; For "sqlite3" and "tidb", use an absolute path when you start gitea as service
@@ -82,7 +87,6 @@ ISSUE_INDEXER_QUEUE_TYPE = levelqueue
 ; When ISSUE_INDEXER_QUEUE_TYPE is levelqueue, this will be the queue will be saved path,
 ; default is indexers/issues.queue
 ISSUE_INDEXER_QUEUE_DIR       = {{ gitea_home }}/indexers/issues.queue
-
 ; repo indexer by default disabled, since it uses a lot of disk space
 REPO_INDEXER_ENABLED          = {{ gitea_repo_indexer_enabled }}
 REPO_INDEXER_PATH             = {{ gitea_home }}/indexers/repos.bleve
@@ -99,15 +103,15 @@ SECRET_KEY              = {{ gitea_secret_key }}
 INTERNAL_TOKEN      = {{ gitea_internal_token }}
 ; How long to remember that an user is logged in before requiring relogin (in days)
 LOGIN_REMEMBER_DAYS = 7
-DISABLE_GIT_HOOKS       = {{ gitea_disable_git_hooks }}
+DISABLE_GIT_HOOKS   = {{ gitea_disable_git_hooks | ternary('true', 'false') }}
 
 [service]
 ; Disallow registration, only allow admins to create accounts.
 DISABLE_REGISTRATION             = {{ gitea_disable_registration }}
 ; User must sign in to view anything.
-REQUIRE_SIGNIN_VIEW     = {{ gitea_require_signin }}
+REQUIRE_SIGNIN_VIEW              = {{ gitea_require_signin | ternary('true', 'false') }}
 ; Enable captcha validation for registration
-ENABLE_CAPTCHA          = {{ gitea_enable_captcha }}
+ENABLE_CAPTCHA                   = {{ gitea_enable_captcha | ternary('true', 'false') }}
 ; Type of captcha you want to use. Options: image, recaptcha
 CAPTCHA_TYPE                     = image
 ; Enable recaptcha to use Google's recaptcha service
@@ -118,18 +122,18 @@ RECAPTCHA_SITEKEY =
 SHOW_REGISTRATION_BUTTON = {{ gitea_show_registration_button }}
 ALLOW_ONLY_EXTERNAL_REGISTRATION = {{ gitea_only_allow_external_registration }}
 ENABLE_NOTIFY_MAIL = {{ gitea_enable_notify_mail }}
+DEFAULT_EMAIL_NOTIFICATIONS       = {{ gitea_mail_default }} 
+AUTO_WATCH_NEW_REPOS              = {{ gitea_autowatch_new_repo }} 
+AUTO_WATCH_ON_CHANGES             = {{ gitea_autowatch_on_change }} 
+SHOW_MILESTONES_DASHBOARD_PAGE    = {{ gitea_show_mailstones_dashboard }} 
 
 [mailer]
-ENABLED                 = {{ gitea_mailer_enabled }}
+ENABLED            = {{ gitea_mailer_enabled | ternary('true', 'false') }}
 ; Mail server
 ; Gmail: smtp.gmail.com:587
 ; QQ: smtp.qq.com:465
 ; Note, if the port ends with "465", SMTPS will be used. Using STARTTLS on port 587 is recommended per RFC 6409. If the server supports STARTTLS it will always be used.
 HOST               = {{ gitea_mailer_host }}
-; Disable HELO operation when hostnames are different.
-DISABLE_HELO =
-; Custom hostname for HELO operation, if no value is provided, one is retrieved from system.
-HELO_HOSTNAME =
 ; Do not verify the certificate of the server. Only use this for self-signed certificates
 SKIP_VERIFY        = {{ gitea_mailer_skip_verify }}
 ; Use client certificate
@@ -137,22 +141,19 @@ USE_CERTIFICATE = false
 CERT_FILE          = {{ gitea_home }}/custom/mailer/cert.pem
 KEY_FILE           = {{ gitea_home }}/custom/mailer/key.pem
 ; Should SMTP connection use TLS
-IS_TLS_ENABLED = {{ gitea_mailer_tls_enabled }}
+IS_TLS_ENABLED     = {{ gitea_mailer_tls_enabled | ternary('true', 'false') }}
 ; Mail from address, RFC 5322. This can be just an email address, or the `"Name" <email@example.com>` format
 FROM               = {{ gitea_mailer_from }}
 ; Mailer user name and password
 USER               = {{ gitea_mailer_user }}
 ; Use PASSWD = `your password` for quoting if you use special characters in the password.
-PASSWD                  = `{{ gitea_mailer_password }}`
+PASSWD             = {{ gitea_mailer_password }}
 ; Send mails as plain text
 SEND_AS_PLAIN_TEXT = false
 ; Set Mailer Type (either SMTP, sendmail or dummy to just send to the log)
 MAILER_TYPE        = {{ gitea_mailer_type }}
 ; Specify an alternative sendmail binary
 SENDMAIL_PATH      = sendmail
-; Specify any extra sendmail arguments
-SENDMAIL_ARGS =
-
 
 [session]
 ; Either "memory", "file", or "redis", default is "memory"
@@ -167,7 +168,7 @@ PROVIDER_CONFIG         = {{ gitea_home }}/data/sessions
 [picture]
 AVATAR_UPLOAD_PATH = {{ gitea_home }}/data/avatars
 ; This value will always be true in offline mode.
-DISABLE_GRAVATAR        = {{ gitea_disable_gravatar }}
+DISABLE_GRAVATAR   = {{ gitea_disable_gravatar | ternary('true', 'false') }}
 
 [attachment]
 ; Whether attachments are enabled. Defaults to `true`
@@ -183,7 +184,7 @@ MODE       = file
 ; Buffer length of the channel, keep it as it is if you don't know what it is.
 BUFFER_LEN           = 10000
 ; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace"
-LEVEL      = Info
+LEVEL                = {{ gitea_log_level }}
 REDIRECT_MACARON_LOG = false
 
 [oauth2]

roles/tmaurice.gitea/templates/gitea.service.j2

@@ -4,6 +4,7 @@ After=network.target
 
 [Service]
 User={{ gitea_user }}
+Group={{ gitea_group }}
 ExecStart=/usr/local/bin/gitea web -c /etc/gitea/gitea.ini
 Restart=on-failure
 WorkingDirectory={{ gitea_home }}

roles/tmaurice.gitea/vars/debian.yml

@@ -0,0 +1,5 @@
+---
+gitea_dependencies:
+  - git
+  - gnupg2
+  - xz-utils

roles/tmaurice.gitea/vars/main.yml

@@ -1,2 +1,10 @@
 ---
-gitea_arch: "{{ 'amd64' if ansible_architecture == 'x86_64' else ansible_architecture }}"
+gitea_go_arch_map:
+  i386: '386'
+  x86_64: 'amd64'
+  aarch64: 'arm64'
+  armv7l: 'arm-6'
+  armv6l: 'arm-6'
+  armv5l: 'arm-5'
+
+gitea_arch: "{{ gitea_go_arch_map[ansible_architecture] | default(ansible_architecture) }}"

roles/tmaurice.gitea/vars/redhat.yml

@@ -0,0 +1,5 @@
+---
+gitea_dependencies:
+  - git
+  - gnupg2
+  - xz