Add gitea role

roles/gitea/defaults/main.yaml

@@ -0,0 +1,57 @@
+---
+gitea_service_name: gitea.service
+gitea_service_state: started
+gitea_service_enabled: yes
+
+gitea_arch: amd64
+gitea_version: 1.10.0
+gitea_url: "https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-{{ gitea_arch }}"
+gitea_checksum: sha256:cc781f33472966926d4336991926de13172e48c1962e25bfccbb3219537c3eb4
+gitea_bin_path: /usr/local/bin
+gitea_var_path: /var/lib/gitea
+gitea_log_path: /var/log/gitea
+gitea_etc_path: /etc/gitea
+gitea_path: "{{ gitea_bin_path }}/gitea"
+gitea_config_path: "{{ gitea_etc_path }}/app.ini"
+gitea_systemd_unit_path: /etc/systemd/system/gitea.service
+gitea_user: git
+gitea_group: git
+gitea_shell: /bin/bash
+gitea_gecos: Git Version Control
+gitea_password: !
+gitea_home_path: /home/git
+gitea_port: 3000
+
+gitea_config:
+  server:
+    domain: "{{ gitea_domain }}"
+    root_url: "{{ gitea_ssl_enabled | ternary('https', 'http') }}://{{ gitea_domain }}/"
+  oauth2:
+    jwt_secret: "{{ vault_gitea_jwt_secret }}"
+  security:
+    install_lock: true
+    internal_token: "{{ vault_gitea_internal_token }}"
+  database:
+    db_type: sqlite3
+  log:
+    root_path: /var/log/gitea
+    mode: file
+    access: file
+    macaron: file
+    router: file
+    redirect_macaron_log: true
+  log.console:
+    colorize: no
+  service:
+    disable_registration: yes
+
+gitea_var_tree:
+  - "{{ gitea_var_path }}"
+  - "{{ gitea_var_path }}/custom"
+  - "{{ gitea_var_path }}/data"
+  - "{{ gitea_var_path }}/log"
+
+gitea_ssl_enabled: yes
+gitea_ssl_certificate: "/etc/letsencrypt/live/{{ gitea_domain }}/fullchain.pem"
+gitea_ssl_certificate_key: "/etc/letsencrypt/live/{{ gitea_domain }}/privkey.pem"
+#gitea_ssl_dhparam: "/etc/letsencrypt/ssl-dhparams.pem"

roles/gitea/handlers/main.yaml

@@ -0,0 +1,11 @@
+---
+- name: gitea daemon-reload
+  systemd:
+    name: "{{ gitea_service_name }}"
+    daemon_reload: yes
+    state: restarted
+
+- name: restart gitea
+  service:
+    name: "{{ gitea_service_name }}"
+    state: restarted

roles/gitea/tasks/main.yaml

@@ -0,0 +1,89 @@
+---
+#- name: OS specific variables
+#  include_vars: "{{ item }}"
+#  with_first_found:
+#    - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml"
+#    - "{{ ansible_distribution }}.yml"
+#    - "{{ ansible_os_family }}.yml"
+#    - "default.yml"
+#
+- name: "download gitea {{ gitea_version }}"
+  get_url:
+    url: "{{ gitea_url }}"
+    checksum: "{{ gitea_checksum }}"
+    dest: "{{ gitea_path }}"
+    owner: root
+    group: root
+    mode: 0755
+
+- name: create group
+  user:
+    name: "{{ gitea_group }}"
+    system: yes
+
+- name: create user and group
+  user:
+    name: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    shell: "{{ gitea_shell }}"
+    comment: "{{ gitea_gecos }}"
+    system: yes
+    password: "{{ gitea_password }}"
+    home: "{{ gitea_home_path }}"
+
+- name: "create {{ gitea_etc_path }}"
+  file:
+    path: "{{ gitea_etc_path }}"
+    owner: root
+    group: "{{ gitea_group }}"
+    mode: 750
+    state: directory
+
+- name: configure
+  template:
+    src: app.ini.j2
+    dest: "{{ gitea_config_path }}"
+    owner: root
+    group: "{{ gitea_group }}"
+    mode: 0640
+  notify:
+    - restart gitea
+
+- name: "create {{ gitea_var_path }} tree"
+  file:
+    path: "{{ item }}"
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    mode: 750
+    state: directory
+  with_items: "{{ gitea_var_tree }}"
+
+- name: "create {{ gitea_log_path }} path"
+  file:
+    path: "{{ gitea_log_path }}"
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    mode: 755
+    state: directory
+
+- name: configure systemd unit
+  template:
+    src: gitea.service.j2
+    dest: "{{ gitea_systemd_unit_path }}"
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - gitea daemon-reload
+    - restart gitea
+  when: ansible_service_mgr == 'systemd'
+
+- name: manage service
+  service:
+    name: "{{ gitea_service_name }}"
+    state: "{{ gitea_service_state }}"
+    enabled: "{{ gitea_service_enabled }}"
+
+- name: configure nginx
+  include: nginx.yaml
+  when: "'nginx' in ansible_play_role_names"

roles/gitea/tasks/nginx.yaml

@@ -0,0 +1,17 @@
+- name: configure nginx
+  template:
+    src: nginx.conf.j2
+    dest: /etc/nginx/sites-available/gitea
+    owner: root
+    group: root
+    mode: 0644
+  notify: reload nginx
+
+- name: activate site
+  file:
+    src: /etc/nginx/sites-available/gitea
+    dest: /etc/nginx/sites-enabled/gitea
+    owner: root
+    group: root
+    state: link
+  notify: reload nginx

roles/gitea/templates/app.ini.j2

@@ -0,0 +1,14 @@
+# {{ ansible_managed }}
+
+{% for section, body in gitea_config | dictsort %}
+[{{ section }}]
+{% for k, v in body | dictsort %}
+{% if v is sameas true %}
+{{ k | upper }} = true
+{% elif v is sameas false %}
+{{ k | upper }} = false
+{% else %}
+{{ k | upper }} = {{ v }}
+{% endif %}
+{% endfor %}
+{% endfor %}

roles/gitea/templates/gitea.service.j2

@@ -0,0 +1,70 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=syslog.target
+After=network.target
+###
+# Don't forget to add the database service requirements
+###
+#
+#Requires=mysql.service
+#Requires=mariadb.service
+#Requires=postgresql.service
+#Requires=memcached.service
+#Requires=redis.service
+#
+###
+# If using socket activation for main http/s
+###
+#
+#After=gitea.main.socket
+#Requires=gitea.main.socket
+#
+###
+# (You can also provide gitea an http fallback and/or ssh socket too)
+#
+# An example of /etc/systemd/system/gitea.main.socket
+###
+##
+## [Unit]
+## Description=Gitea Web Socket
+## PartOf=gitea.service
+##
+## [Socket]
+## Service=gitea.service
+## ListenStream=<some_port>
+## NoDelay=true
+##
+## [Install]
+## WantedBy=sockets.target
+##
+###
+
+[Service]
+# Modify these two values and uncomment them if you have
+# repos with lots of files and get an HTTP error 500 because
+# of that
+###
+#LimitMEMLOCK=infinity
+#LimitNOFILE=65535
+RestartSec=2s
+Type=simple
+User={{ gitea_user }}
+Group={{ gitea_group }}
+WorkingDirectory={{ gitea_var_path }}
+# If using Unix socket: tells systemd to create the /run/gitea folder, which will contain the gitea.sock file
+# (manually creating /run/gitea doesn't work, because it would not persist across reboots)
+#RuntimeDirectory=gitea
+ExecStart={{ gitea_path }} web --config {{ gitea_config_path }}
+Restart=always
+Environment=USER={{ gitea_user }} HOME={{ gitea_home_path }} GITEA_WORK_DIR={{ gitea_var_path }}
+# If you want to bind Gitea to a port below 1024, uncomment
+# the two values below, or use socket activation to pass Gitea its ports as above
+###
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+###
+
+[Install]
+WantedBy=multi-user.target

roles/gitea/templates/nginx.conf.j2

@@ -0,0 +1,42 @@
+server {
+    listen 80;
+{% if ansible_all_ipv6_addresses | length %}
+    listen [::]:80;
+{% endif %}
+    server_name {{ gitea_domain }};
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/.acme-challenge;
+        try_files $uri =404;
+    }
+
+{% if gitea_ssl_enabled %}
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+{% endif %}
+}
+
+{% if gitea_ssl_enabled %}
+server {
+    listen 443 ssl;
+{% if ansible_all_ipv6_addresses | length %}
+    listen [::]:443 ssl;
+{% endif %}
+    server_name {{ gitea_domain }};
+
+{% if gitea_ssl_certificate is defined %}
+    ssl_certificate {{ gitea_ssl_certificate }};
+{% endif %}
+{% if gitea_ssl_certificate_key is defined %}
+    ssl_certificate_key {{ gitea_ssl_certificate_key }};
+{% endif %}
+{% if gitea_ssl_dhparam is defined %}
+    ssl_dhparam {{ gitea_ssl_dhparam }};
+{% endif %}
+
+    location / {
+        proxy_pass http://localhost:{{ gitea_port }};
+    }
+}
+{% endif %}