diff --git a/roles/gitea/defaults/main.yaml b/roles/gitea/defaults/main.yaml
new file mode 100644
index 0000000..479a6e9
--- /dev/null
+++ b/roles/gitea/defaults/main.yaml
@@ -0,0 +1,57 @@
+---
+gitea_service_name: gitea.service
+gitea_service_state: started
+gitea_service_enabled: yes
+
+gitea_arch: amd64
+gitea_version: 1.10.0
+gitea_url: "https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-{{ gitea_arch }}"
+gitea_checksum: sha256:cc781f33472966926d4336991926de13172e48c1962e25bfccbb3219537c3eb4
+gitea_bin_path: /usr/local/bin
+gitea_var_path: /var/lib/gitea
+gitea_log_path: /var/log/gitea
+gitea_etc_path: /etc/gitea
+gitea_path: "{{ gitea_bin_path }}/gitea"
+gitea_config_path: "{{ gitea_etc_path }}/app.ini"
+gitea_systemd_unit_path: /etc/systemd/system/gitea.service
+gitea_user: git
+gitea_group: git
+gitea_shell: /bin/bash
+gitea_gecos: Git Version Control
+gitea_password: !
+gitea_home_path: /home/git
+gitea_port: 3000
+
+gitea_config:
+ server:
+ domain: "{{ gitea_domain }}"
+ root_url: "{{ gitea_ssl_enabled | ternary('https', 'http') }}://{{ gitea_domain }}/"
+ oauth2:
+ jwt_secret: "{{ vault_gitea_jwt_secret }}"
+ security:
+ install_lock: true
+ internal_token: "{{ vault_gitea_internal_token }}"
+ database:
+ db_type: sqlite3
+ log:
+ root_path: /var/log/gitea
+ mode: file
+ access: file
+ macaron: file
+ router: file
+ redirect_macaron_log: true
+ log.console:
+ colorize: no
+ service:
+ disable_registration: yes
+
+gitea_var_tree:
+ - "{{ gitea_var_path }}"
+ - "{{ gitea_var_path }}/custom"
+ - "{{ gitea_var_path }}/data"
+ - "{{ gitea_var_path }}/log"
+
+gitea_ssl_enabled: yes
+gitea_ssl_certificate: "/etc/letsencrypt/live/{{ gitea_domain }}/fullchain.pem"
+gitea_ssl_certificate_key: "/etc/letsencrypt/live/{{ gitea_domain }}/privkey.pem"
+#gitea_ssl_dhparam: "/etc/letsencrypt/ssl-dhparams.pem"
diff --git a/roles/gitea/handlers/main.yaml b/roles/gitea/handlers/main.yaml
new file mode 100644
index 0000000..cf2f733
--- /dev/null
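Review bot: `gitea_password: !` does not set the value to the literal `!`: an unquoted `!` is YAML's non-specific tag indicator, so what reaches the `user` task's `password:` should be an empty string rather than the locked-password marker the name suggests. Quote it, `gitea_password: '!'`, so the account is created with a locked password field; an empty hash in `/etc/shadow` can, depending on the host's PAM configuration, allow login with no password at all. The `yes`/`no` values (`gitea_service_enabled`, `colorize`, `disable_registration`, `gitea_ssl_enabled`) are YAML 1.1 booleans; write them as `true`/`false` so they read the same under every loader and still hit the `sameas true`/`sameas false` branches in app.ini.j2. Pulling `jwt_secret` and `internal_token` from vault variables and pinning `gitea_checksum` for the download are the right patterns and worth keeping.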
+++ b/roles/gitea/handlers/main.yaml
@@ -0,0 +1,11 @@
+---
+- name: gitea daemon-reload
+ systemd:
+ name: "{{ gitea_service_name }}"
+ daemon_reload: yes
+ state: restarted
+
+- name: restart gitea
+ service:
+ name: "{{ gitea_service_name }}"
+ state: restarted
diff --git a/roles/gitea/tasks/main.yaml b/roles/gitea/tasks/main.yaml
new file mode 100644
index 0000000..c0acf64
--- /dev/null
+++ b/roles/gitea/tasks/main.yaml
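Review bot: The `gitea daemon-reload` handler both reloads systemd and restarts the unit, and the systemd-unit task in tasks/main.yaml notifies `restart gitea` as well, so a single unit-file change restarts Gitea twice in a row. Drop `state: restarted` from the first handler and leave it with only `daemon_reload: true`, letting `restart gitea` perform the one restart, or notify just one of the two. Writing `daemon_reload: true` rather than `yes` also keeps the booleans in the canonical lowercase form.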
@@ -0,0 +1,89 @@
+---
+#- name: OS specific variables
+# include_vars: "{{ item }}"
+# with_first_found:
+# - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml"
+# - "{{ ansible_distribution }}.yml"
+# - "{{ ansible_os_family }}.yml"
+# - "default.yml"
+#
+- name: "download gitea {{ gitea_version }}"
+ get_url:
+ url: "{{ gitea_url }}"
+ checksum: "{{ gitea_checksum }}"
+ dest: "{{ gitea_path }}"
+ owner: root
+ group: root
+ mode: 0755
+
+- name: create group
+ user:
+ name: "{{ gitea_group }}"
+ system: yes
+
+- name: create user and group
+ user:
+ name: "{{ gitea_user }}"
+ group: "{{ gitea_group }}"
+ shell: "{{ gitea_shell }}"
+ comment: "{{ gitea_gecos }}"
+ system: yes
+ password: "{{ gitea_password }}"
+ home: "{{ gitea_home_path }}"
+
+- name: "create {{ gitea_etc_path }}"
+ file:
+ path: "{{ gitea_etc_path }}"
+ owner: root
+ group: "{{ gitea_group }}"
+ mode: 750
+ state: directory
+
+- name: configure
+ template:
+ src: app.ini.j2
+ dest: "{{ gitea_config_path }}"
+ owner: root
+ group: "{{ gitea_group }}"
+ mode: 0640
+ notify:
+ - restart gitea
+
+- name: "create {{ gitea_var_path }} tree"
+ file:
+ path: "{{ item }}"
+ owner: "{{ gitea_user }}"
+ group: "{{ gitea_group }}"
+ mode: 750
+ state: directory
+ with_items: "{{ gitea_var_tree }}"
+
+- name: "create {{ gitea_log_path }} path"
+ file:
+ path: "{{ gitea_log_path }}"
+ owner: "{{ gitea_user }}"
+ group: "{{ gitea_group }}"
+ mode: 755
+ state: directory
+
+- name: configure systemd unit
+ template:
+ src: gitea.service.j2
+ dest: "{{ gitea_systemd_unit_path }}"
+ owner: root
+ group: root
+ mode: 0644
+ notify:
+ - gitea daemon-reload
+ - restart gitea
+ when: ansible_service_mgr == 'systemd'
+
+- name: manage service
+ service:
+ name: "{{ gitea_service_name }}"
+ state: "{{ gitea_service_state }}"
+ enabled: "{{ gitea_service_enabled }}"
+
+- name: configure nginx
+ include: nginx.yaml
+ when: "'nginx' in ansible_play_role_names"
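Review bot: `mode: 750` in the `create {{ gitea_etc_path }}` task, and `mode: 750` / `mode: 755` in the `create {{ gitea_var_path }} tree` and `create {{ gitea_log_path }} path` tasks, are unquoted decimal integers, not octal: Ansible's file module takes an int mode as-is, so 750 becomes 0o1356 (sticky bit, owner loses read, world gets read/write) and 755 becomes 0o1363, the opposite of the tightened directory permissions the tasks intend. Write them the way the other tasks in this file already do, `mode: 0750` and `mode: 0755`, or as strings `mode: '0750'`. The `create group` task uses the `user` module with `name: "{{ gitea_group }}"`, which creates a user rather than a group; it only appears to work because `gitea_user` and `gitea_group` both default to `git`, and it should be `group:` with `name: "{{ gitea_group }}"` and `system: true`. `include: nginx.yaml` is the deprecated form; `include_tasks: nginx.yaml` with the same `when:` keeps the conditional behaviour.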
diff --git a/roles/gitea/tasks/nginx.yaml b/roles/gitea/tasks/nginx.yaml
new file mode 100644
index 0000000..6873ad9
--- /dev/null
+++ b/roles/gitea/tasks/nginx.yaml
@@ -0,0 +1,17 @@
+- name: configure nginx
+ template:
+ src: nginx.conf.j2
+ dest: /etc/nginx/sites-available/gitea
+ owner: root
+ group: root
+ mode: 0644
+ notify: reload nginx
+
+- name: activate site
+ file:
+ src: /etc/nginx/sites-available/gitea
+ dest: /etc/nginx/sites-enabled/gitea
+ owner: root
+ group: root
+ state: link
+ notify: reload nginx
diff --git a/roles/gitea/templates/app.ini.j2 b/roles/gitea/templates/app.ini.j2
new file mode 100644
index 0000000..4a431d0
--- /dev/null
+++ b/roles/gitea/templates/app.ini.j2
@@ -0,0 +1,14 @@
+# {{ ansible_managed }}
+
+{% for section, body in gitea_config | dictsort %}
+[{{ section }}]
+{% for k, v in body | dictsort %}
+{% if v is sameas true %}
+{{ k | upper }} = true
+{% elif v is sameas false %}
+{{ k | upper }} = false
+{% else %}
+{{ k | upper }} = {{ v }}
+{% endif %}
+{% endfor %}
+{% endfor %}
diff --git a/roles/gitea/templates/gitea.service.j2 b/roles/gitea/templates/gitea.service.j2
new file mode 100644
index 0000000..a8083d9
--- /dev/null
+++ b/roles/gitea/templates/gitea.service.j2
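Review bot: Both tasks notify `reload nginx`, but this role's handlers/main.yaml defines only `gitea daemon-reload` and `restart gitea`, so the play fails with an undefined handler unless the nginx role loaded in the same play provides it; that dependency is only implied by the `'nginx' in ansible_play_role_names` guard in tasks/main.yaml and deserves a comment at the top of this file, e.g. `# Requires the 'reload nginx' handler supplied by the nginx role`. The file also lacks the `---` document start that the other task files carry, and the vhost paths are hard-coded while every other path in the role is a `gitea_*` variable.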
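Review bot: The `{% else %}` branch writes `{{ v }}` verbatim, so a config value that is `None` (for instance a `gitea_config` override with an empty `key:`) is rendered as the literal text `None` into app.ini, and a value containing a newline breaks the INI section it lands in. Consider `{{ k | upper }} = {{ v if v is not none else '' }}`, and a header comment such as `# Renders gitea_config (section -> key -> value) as INI; booleans are branched explicitly because Jinja would otherwise print True/False`. The task that writes this file sets root:git 0640, which is the right complement given the vault secrets it carries.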
@@ -0,0 +1,70 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=syslog.target
+After=network.target
+###
+# Don't forget to add the database service requirements
+###
+#
+#Requires=mysql.service
+#Requires=mariadb.service
+#Requires=postgresql.service
+#Requires=memcached.service
+#Requires=redis.service
+#
+###
+# If using socket activation for main http/s
+###
+#
+#After=gitea.main.socket
+#Requires=gitea.main.socket
+#
+###
+# (You can also provide gitea an http fallback and/or ssh socket too)
+#
+# An example of /etc/systemd/system/gitea.main.socket
+###
+##
+## [Unit]
+## Description=Gitea Web Socket
+## PartOf=gitea.service
+##
+## [Socket]
+## Service=gitea.service
+## ListenStream=
+## NoDelay=true
+##
+## [Install]
+## WantedBy=sockets.target
+##
+###
+
+[Service]
+# Modify these two values and uncomment them if you have
+# repos with lots of files and get an HTTP error 500 because
+# of that
+###
+#LimitMEMLOCK=infinity
+#LimitNOFILE=65535
+RestartSec=2s
+Type=simple
+User={{ gitea_user }}
+Group={{ gitea_group }}
+WorkingDirectory={{ gitea_var_path }}
+# If using Unix socket: tells systemd to create the /run/gitea folder, which will contain the gitea.sock file
+# (manually creating /run/gitea doesn't work, because it would not persist across reboots)
+#RuntimeDirectory=gitea
+ExecStart={{ gitea_path }} web --config {{ gitea_config_path }}
+Restart=always
+Environment=USER={{ gitea_user }} HOME={{ gitea_home_path }} GITEA_WORK_DIR={{ gitea_var_path }}
+# If you want to bind Gitea to a port below 1024, uncomment
+# the two values below, or use socket activation to pass Gitea its ports as above
+###
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+###
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/gitea/templates/nginx.conf.j2 b/roles/gitea/templates/nginx.conf.j2
new file mode 100644
index 0000000..9ad9151
--- /dev/null
+++ b/roles/gitea/templates/nginx.conf.j2
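Review bot: The `[Service]` section drops privileges to `{{ gitea_user }}` but carries no sandboxing directives, so a compromised Gitea process keeps write access to everything the `git` user can reach and can still regain privileges through setuid binaries. Adding `ProtectSystem=full`, `PrivateDevices=yes`, `PrivateTmp=yes` and `NoNewPrivileges=true` after `WorkingDirectory=` is safe for the role's default layout, since the config is only read from `/etc/gitea` and the writable data and log paths live under `/var`; verify against the host if a database socket or non-default path is added. The long commented socket-activation block reads as copied from a generic template and could be trimmed to what this role actually wires up.
```ini
WorkingDirectory={{ gitea_var_path }}
# Sandboxing: read-only /usr, /boot and /etc, private /tmp and /dev, no setuid escalation.
ProtectSystem=full
PrivateDevices=yes
PrivateTmp=yes
NoNewPrivileges=true
; … unchanged: RuntimeDirectory comment, ExecStart, Restart, Environment …
```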
@@ -0,0 +1,42 @@
+server {
+ listen 80;
+{% if ansible_all_ipv6_addresses | length %}
+ listen [::]:80;
+{% endif %}
+ server_name {{ gitea_domain }};
+
+ location /.well-known/acme-challenge/ {
+ root /var/www/.acme-challenge;
+ try_files $uri =404;
+ }
+
+{% if gitea_ssl_enabled %}
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+{% endif %}
+}
+
+{% if gitea_ssl_enabled %}
+server {
+ listen 443 ssl;
+{% if ansible_all_ipv6_addresses | length %}
+ listen [::]:443 ssl;
+{% endif %}
+ server_name {{ gitea_domain }};
+
+{% if gitea_ssl_certificate is defined %}
+ ssl_certificate {{ gitea_ssl_certificate }};
+{% endif %}
+{% if gitea_ssl_certificate_key is defined %}
+ ssl_certificate_key {{ gitea_ssl_certificate_key }};
+{% endif %}
+{% if gitea_ssl_dhparam is defined %}
+ ssl_dhparam {{ gitea_ssl_dhparam }};
+{% endif %}
+
+ location / {
+ proxy_pass http://localhost:{{ gitea_port }};
+ }
+}
+{% endif %}
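Review bot: When `gitea_ssl_enabled` is false the port-80 server has no `location /` at all — the redirect sits inside `{% if gitea_ssl_enabled %}` and the only `proxy_pass` is in the 443 server, which is skipped — so the vhost answers nginx's default 404 for everything except the ACME path. The proxied location also forwards no headers: without `proxy_set_header Host $host` Gitea sees `localhost` instead of `{{ gitea_domain }}`, and without `X-Forwarded-For` / `X-Forwarded-Proto` its access log and any IP-based throttling only ever record 127.0.0.1. An `{% else %}` branch that proxies over plain HTTP, with the same header set applied in the 443 block, covers both.
```nginx
{% if gitea_ssl_enabled %}
    location / {
        return 301 https://$server_name$request_uri;
    }
{% else %}
    location / {
        proxy_pass http://localhost:{{ gitea_port }};
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
{% endif %}
# … unchanged: 443 server block; its location / needs the same proxy_set_header lines …
```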