diff --git a/gitea.yml b/gitea.yml
index 47bd14e..6887ca7 100644
--- a/gitea.yml
+++ b/gitea.yml
@@ -1,6 +1,297 @@
 ---
 - hosts: gitea
+ vars:
+ gitea_version: "1.17.2"
+ gitea_internal_token: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 65396439373538656633396363313333663233343661643739633135306131613434353335353634
+ 6430393533646166323531623939666330393538383334370a346632646666636239366431643763
+ 37626331666364646665353639613532353362313531316561646462303261383064396635363962
+ 3039646438316264350a653537626634643431343764653034643662393531626532653337636439
+ 31663832663039356437656531666564653366383839656438353262393662393636303536663938
+ 32623837346462613738663165356464656635326565616637653363376334353035316264303662
+ 39346334353266613234363664643030303565313065313334333833383337623637366132663435
+ 61386535353635386339383731323464323135366362613734393833386632393166393261373433
+ 61363664376330343465656431316163396533326634643636326537383032323636
 tasks:
 - name: Basic setup
 include_role: name=common
+
+ - name: Create git group
+ group:
+ name: git
+ state: present
+
+ - name: Create git-static group
+ group:
+ name: git-static
+ state: present
+
+ - name: Gitea user
+ user:
+ system: true
+ password: '!'
+ home: /home/git
+ shell: /bin/bash
+ comment: "Git Version Control"
+ group: git
+ name: git
+
+ - name: Gitea static user # To compile and own static content
+ user:
+ system: true
+ password: '!'
+ comment: "To compile and own static gitea content."
+ group: git-static
+ name: git-static
+
+ - name: Download gitea
+ get_url:
+ dest: /usr/local/bin/gitea
+ url: "https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64"
+ mode: 0755
+ owner: root
+ group: root
+ register: download_gitea
+
+ - name: Install dependencies
+ package:
+ name:
+ - git
+ - postgresql
+ - python3-psycopg2 # For Ansible
+ # - rsync # for static file generation
+ # - nodejs # for static file generation
+ # - npm # for static file generation
+ # - make # for static file generation
+ - nginx
+ state: present
+
+ - name: Ensure locale en_US.UTF-8 exists
+ locale_gen:
+ name: en_US.UTF-8
+ state: present
+
+ - name: Create psql git user
+ become: true
+ become_user: postgres
+ postgresql_user:
+ user: git
+
+ - name: Create psql gitea DB
+ become: true
+ become_user: postgres
+ postgresql_db:
+ name: gitea
+ owner: git
+ encoding: UTF-8
+ lc_collate: en_US.UTF-8
+ lc_ctype: en_US.UTF-8
+ template: template0
+
+ - name: Create gitea hierarchy
+ file:
+ state: directory
+ mode: 0750
+ owner: git
+ group: git
+ path: "{{ item }}"
+ loop:
+ - /var/lib/gitea/custom
+ - /var/lib/gitea/data
+ - /var/lib/gitea/log
+
+ - name: Create gitea config hierarchy
+ file:
+ state: directory
+ mode: 0750
+ owner: root
+ group: git
+ path: /etc/gitea
+
+ - name: Setup app.ini
+ copy:
+ path: /etc/gitea/app.ini
+ mode: 0640
+ owner: root
+ group: git
+ content: |
+ APP_NAME = Gitea: Git with a cup of tea
+ RUN_USER = git
+ RUN_MODE = prod
+
+ [database]
+ DB_TYPE = postgres
+ HOST = /run/postgresql/
+ NAME = gitea
+ USER =
+ PASSWD =
+ SCHEMA =
+ SSL_MODE = disable
+ CHARSET = utf8
+ PATH = /var/lib/gitea/data/gitea.db
+ LOG_SQL = false
+
+ [repository]
+ ROOT = /var/lib/gitea/data/gitea-repositories
+
+ [server]
+ SSH_DOMAIN = git.afpy.org
+ DOMAIN = git.afpy.org
+ HTTP_PORT = 3000
+ ROOT_URL = https://git.afpy.org/
+ DISABLE_SSH = false
+ SSH_PORT = 22
+ LFS_START_SERVER = false
+ OFFLINE_MODE = false
+
+ [lfs]
+ PATH = /var/lib/gitea/data/lfs
+
+ [mailer]
+ ENABLED = false
+
+ [service]
+ REGISTER_EMAIL_CONFIRM = false
+ ENABLE_NOTIFY_MAIL = false
+ DISABLE_REGISTRATION = true
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ ENABLE_CAPTCHA = false
+ REQUIRE_SIGNIN_VIEW = false
+ DEFAULT_KEEP_EMAIL_PRIVATE = false
+ DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+ DEFAULT_ENABLE_TIMETRACKING = true
+ NO_REPLY_ADDRESS = noreply.localhost
+
+ [picture]
+ DISABLE_GRAVATAR = false
+ ENABLE_FEDERATED_AVATAR = true
+
+ [openid]
+ ENABLE_OPENID_SIGNIN = true
+ ENABLE_OPENID_SIGNUP = true
+
+ [session]
+ PROVIDER = file
+
+ [log]
+ MODE = console
+ LEVEL = info
+ ROOT_PATH = /var/lib/gitea/log
+ ROUTER = console
+
+ [repository.pull-request]
+ DEFAULT_MERGE_STYLE = merge
+
+ [repository.signing]
+ DEFAULT_TRUST_MODEL = committer
+
+ [security]
+ INSTALL_LOCK = true
+ INTERNAL_TOKEN = {{ gitea_internal_token }}
+ PASSWORD_HASH_ALGO = pbkdf2
+
+
+ # Public asset generation (to allow nginx to serve them) needs nodejs>14.
+
+ # - name: Create gitea static hierarchy
+ # file:
+ # state: directory
+ # mode: 0755
+ # owner: git-static
+ # group: git-static
+ # path: "{{ item }}"
+ # loop:
+ # - /var/lib/gitea-static/source
+ # - /var/lib/gitea-static/public
+ #
+ # - name: Download gitea tarball # For the static content
+ # unarchive:
+ # src: "https://github.com/go-gitea/gitea/archive/refs/tags/v{{ gitea_version }}.tar.gz"
+ # dest: /var/lib/gitea-static/source/
+ # remote_src: true
+ # owner: git-static
+ # group: git-static
+ # register: download_gitea_tarball
+ #
+ # - name: Compile static assets
+ # command: make frontend
+ # args:
+ # chdir: "/var/lib/gitea-static/source/gitea-{{ gitea_version }}"
+ # become: true
+ # become_user: git-static
+ # when: download_gitea_tarball is changed
+ #
+ # - name: Copy public assets
+ # synchronize:
+ # src: "/var/lib/gitea-static/source/gitea-{{ gitea_version }}/public/"
+ # dest: "/var/lib/gitea-static/public/"
+
+ - name: Setup gitea systemd service
+ copy:
+ dest: /etc/systemd/system/gitea.service
+ owner: root
+ group: root
+ mode: 0644
+ content: |
+ [Unit]
+ Description=Gitea (Git with a cup of tea)
+ After=syslog.target
+ After=network.target
+ Wants=postgresql.service
+ After=postgresql.service
+
+ [Service]
+ RestartSec=2s
+ Type=simple
+ User=git
+ Group=git
+ WorkingDirectory=/var/lib/gitea/
+ ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
+ Restart=always
+ Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
+
+ [Install]
+ WantedBy=multi-user.target
+
+ - name: Setup nginx
+ include_role: name=nginx
+ vars:
+ nginx_domain: git.afpy.org
+ nginx_certificates: ['git.afpy.org']
+ nginx_conf: |
+ server
+ {
+ listen [::]:80; listen 80;
+ server_name git.afpy.org;
+ access_log /var/log/nginx/git.afpy.org-access.log;
+ error_log /var/log/nginx/git.afpy.org-error.log;
+ return 301 https://git.afpy.org$request_uri;
+ }
+
+ server
+ {
+ listen [::]:443 ssl; listen 443 ssl;
+ server_name git.afpy.org;
+ access_log /var/log/nginx/git.afpy.org-access.log;
+ error_log /var/log/nginx/git.afpy.org-error.log;
+ include snippets/letsencrypt-git.afpy.org.conf;
+ client_max_body_size 16M;
+
+ # location /_/static/assets/ {
+ # alias /var/lib/gitea-static/public/;
+ # }
+
+ location / {
+ proxy_pass http://localhost:3000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ }
+
+ - name: Start gitea
+ service: name=gitea enabled=yes state=started daemon_reload=yes
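Review bot: The `Setup app.ini` task passes `path:` to the `copy` module, which has no such argument, so the play stops before the config is written; the systemd-unit task in the same hunk uses the correct form, and the fix is `dest: /etc/gitea/app.ini`. The gitea binary fetched by `get_url` is not integrity-checked and `download_gitea` is registered but never read, so a tampered or truncated download would be installed as `/usr/local/bin/gitea` with mode 0755; adding `checksum: "sha256:<EXPECTED_SHA256_FOR_GITEA_VERSION>"` (a placeholder — the upstream project appears to publish a `.sha256` next to each release binary, worth confirming) pins the download to `gitea_version`. Neither the app.ini task nor the unit-file task notifies a handler and the last task only ensures `state=started`, so a changed `INTERNAL_TOKEN`, config or unit is not picked up until someone restarts gitea by hand; a `notify: restart gitea` on those tasks with a handler doing `daemon_reload=yes state=restarted` would close that gap. The file modes (`0755`, `0750`, `0640`, `0644`) are unquoted octal integers; `"0755"` and friends is the form ansible-lint expects and avoids YAML 1.1 octal ambiguity.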