From 88456218626c1482cb0e77c0b2cd676ac39d8f6b Mon Sep 17 00:00:00 2001
From: Denis Knauf <deac@denkn.at>
Date: Tue, 15 Sep 2020 16:43:53 +0200
Subject: [PATCH] init

---
 README.adoc            | 100 ++++++++++++++++++++++++
 defaults/main.yml      |   3 +
 files/gitea.service    |  19 +++++
 handlers/main.yml      |  20 +++++
 meta/main.yml          |  53 +++++++++++++
 tasks/main.yml         | 173 +++++++++++++++++++++++++++++++++++++++++
 templates/gitea.ini.j2 |  64 +++++++++++++++
 templates/nginx.j2     |  35 +++++++++
 tests/inventory        |   2 +
 tests/test.yml         |   5 ++
 vars/main.yml          |   4 +
 11 files changed, 478 insertions(+)
 create mode 100644 README.adoc
 create mode 100644 defaults/main.yml
 create mode 100644 files/gitea.service
 create mode 100644 handlers/main.yml
 create mode 100644 meta/main.yml
 create mode 100644 tasks/main.yml
 create mode 100644 templates/gitea.ini.j2
 create mode 100644 templates/nginx.j2
 create mode 100644 tests/inventory
 create mode 100644 tests/test.yml
 create mode 100644 vars/main.yml

diff --git a/README.adoc b/README.adoc
new file mode 100644
index 0000000..9e13b72
--- /dev/null
+++ b/README.adoc
@@ -0,0 +1,100 @@
+Role Name
+=========
+
+____
+Gitea - Git with a cup of tea
+A painless self-hosted Git service.
+Gitea is a community managed lightweight code hosting solution written in Go. It is published under the MIT license.
+____
+
+It installs nginx, postgresql and gitea for you git-service.
+
+Requirements
+------------
+
+You need to have debian (or compatible, like ubuntu) or alpine already installed.
+
+* sshd
+
+It will install all dependencies on host-machine:
+
+* Postgresql
+* nginx
+* gitea - itself
+
+It expects for TLS a PKI in `/etc/nginx/tls/`,
+where you have to place `**hostname**.key`, `**hostname**.crt`.
+
+Role Variables
+--------------
+
+gitea_version::
+You need to define it, it cannot determine newest version, yet.
+
+gitea_download_uri::
+The URI to the binary.
+You need to define it, it cannot determine newest version, yet.
+
+gitea_fqdn::
+Full qualified domain name for the webserver.
+
+gitea_root_uri::
+The Link to your gitea service.  Default `https://{{gitea_fqdn}}/`.
+
+Example Playbook
+----------------
+
+This determines the newest version of gitea automatically.
+So it defines `gitea_version` and `gitea_download_uri`.
+
+----
+---
+# vim: set expandtab tabstop=2 shiftwidth=2:
+
+- hosts: gitea
+  remote_user: root
+  become: false
+
+  tasks:
+  - delegate_to: local
+    run_once: true
+    remote_user: root
+    become: false
+    gem:
+      user_install: false
+      name: '{{item}}'
+    with_items:
+    - oga
+    - httpclient
+  - name: determine newest provided version
+    delegate_to: local
+    become: false
+    run_once: true
+    shell: |
+      ruby -roga -rhttpclient <<EOF
+      puts Oga.parse_html( HTTPClient.get_content( "https://dl.gitea.io/gitea/")).
+        css( "tr.file a[href] .name").
+        map {|a| a.text.chomp.split ?. }.
+        select {|v| v.grep( /\D/).empty? }.
+        map {|v| v.map &:to_i }.
+        max.
+        join( ?.)
+      EOF
+    register: det_gitea_ver
+  - set_fact:
+      gitea_version: '{{gitea.version | default(det_gitea_ver.stdout)}}'
+  - set_fact:
+      gitea_download_uri: '{{gitea.uri | default("https://dl.gitea.io/gitea/"+gitea_version+"/gitea-"+gitea_version+"-linux-"+gitea_architectures_map[ansible_architecture])}}'                
+  - import_role:
+      name: gitea
+----
+
+License
+-------
+
+AGPLv3
+
+Author Information
+------------------
+
+Denis Knauf - https://git.denkn.at/deac/ansible-role-gitea
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..7542a08
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+# defaults file for gitea
+gitea_root_uri: 'https://{{gitea_fqdn}}/'
diff --git a/files/gitea.service b/files/gitea.service
new file mode 100644
index 0000000..ad986cd
--- /dev/null
+++ b/files/gitea.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=Gitea
+After=syslog.target
+After=network.target
+After=mariadb.service mysqld.service postgresql.service memcached.service redis.service
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+PIDFile=/run/gitea/gitea.pid
+User=git
+Group=git
+PermissionsStartOnly=true
+WorkingDirectory=/srv/gitea
+ExecStartPre=/usr/bin/install -o git -g git -d /run/gitea/
+ExecStart=/srv/gitea/gitea web
+ExecStop=/bin/kill -s QUIT $MAINPID
+PrivateTmp=true
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..f726093
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,20 @@
+---
+# vim: set expandtab tabstop=2 shiftwidth=2:
+- name: restart gitea
+  shell: |
+    service=gitea.service
+    case `systemctl show $service | sed -ne 's/^ActiveState=//p'` in
+    active) systemctl restart $service ;;
+    failed) systemctl restart $service ;;
+    *) systemctl start $service ;;
+    esac
+- name: restart postgresql
+  service:
+    state: restarted
+    name: postgresql
+    daemon-reload: yes
+- name: restart nginx
+  service:
+    state: restarted
+    name: nginx
+    daemon-reload: yes
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..227ad9c
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,53 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.9
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.
+  
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..584124e
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,173 @@
+---
+# vim: set expandtab tabstop=2 shiftwidth=2:
+- name: install dependencies
+  when: '"apk" == ansible_pkg_mgr|lower'
+  apk:
+    name:
+    - postgresql
+    - postgresql-client
+    - py3-psycopg2
+    - nginx
+    - gnutls-utils
+    - py3-openssl
+    - gitea
+
+- name: apt-based
+  when: '"apt" == ansible_pkg_mgr|lower'
+  block:
+    - name: install dependencies
+      apt:
+        name:
+        - postgresql
+        - postgresql-client
+        - python-psycopg2
+        - nginx
+        - gnutls-bin
+        - python-openssl
+    - name: create git-group
+      when: '"apt" == ansible_pkg_mgr|lower'
+      group:
+        name: git
+    - name: create git-user
+      when: '"apt" == ansible_pkg_mgr|lower'
+      user:
+        name: git
+        comment: git & gitea
+        group: git
+        shell: /bin/bash
+        createhome: yes
+        home: /home/git
+        move_home: no
+        skeleton: no
+    - name: create gitea-dirs
+      when: '"apt" == ansible_pkg_mgr|lower'
+      file:
+        dest: '{{item}}'
+        state: directory
+        force: yes
+        owner: git
+        mode: 0755
+      with_items:
+      - /var/lib/gitea
+      - /var/log/gitea
+      - /srv/gitea
+      - /srv/gitea/custom
+      - /etc/gitea
+    - name: create links
+      when: '"apt" == ansible_pkg_mgr|lower'
+      file:
+        dest: '{{item.key}}'
+        src: '{{item.value}}'
+        state: link
+        force: yes
+      with_dict:
+        /srv/gitea/data: /var/lib/gitea
+        /srv/gitea/custom/conf: /etc/gitea
+
+    - name: "download gitea-{{ gitea_version }}-{{ ansible_architecture }}"
+      when: '"apt" == ansible_pkg_mgr|lower'
+      get_url:
+        url: "{{ gitea_download_uri }}"
+        dest: "/srv/gitea/gitea-{{ gitea_version }}-{{ ansible_architecture }}"
+        mode: 0600
+    - name: "link gitea to gitea-{{ gitea_version }}-{{ ansible_architecture }}"
+      when: '"apt" == ansible_pkg_mgr|lower'
+      copy:
+        src: "/srv/gitea/gitea-{{ gitea_version }}-{{ ansible_architecture }}"
+        dest: /srv/gitea/gitea
+        remote_src: yes
+        mode: 0755
+
+- name: install gitea-service for systemd
+  when: ansible_service_mgr == "systemd"
+  copy:
+    src: gitea.service
+    dest: /etc/systemd/system/
+    owner: root
+    group: root
+    mode: 0644
+- name: systemctl daemon-reload
+  when: ansible_service_mgr == "systemd"
+  systemd:
+    daemon-reload: yes
+
+- name: started postgresql
+  service:
+    state: started
+    name: postgresql
+
+- name: create db gitea
+  become_user: postgres
+  become: true
+  postgresql_db:
+    name: gitea
+    encoding: UTF-8
+    template: template0
+- name: create db-user git
+  become_user: postgres
+  become: true
+  no_log: true
+  postgresql_user:
+    db: gitea
+    name: git
+    password: NULL
+#- name: create ldap-auth
+#  become: yes
+#  become_user: git
+#  shell: psql gitea
+#  args:
+#    stdin: |
+#      PREPARE upsert_login_source (varchar, int, bool, text) AS -- name, type, is_actived, cfg
+#        INSERT INTO login_source (name, type, is_actived, cfg) VALUES ($1, $2, $3, $4)
+#          ON CONFLICT (name) DO UPDATE SET type = $2, is_actived = $3, cfg = $4
+#            WHERE login_source.type <> $2 OR login_source.is_actived <> $3 OR login_source.cfg <> $4;
+
+#      EXECUTE upsert_login_source ('ldap', 5, 'true', '{"Name":"ldap","Host":"ldap.technikum-wien.at","Port":389,"SecurityProtocol":2,"SkipVerify":false,"BindDN":"ou=People,dc=technikum-wien,dc=at","BindPassword":"","UserBase":"","UserDN":"uid=%s,ou=People,dc=technikum-wien,dc=at","AttributeUsername":"uid","AttributeName":"givenName","AttributeSurname":"sn","AttributeMail":"mail","AttributesInBind":false,"Filter":"(\u0026(objectClass=posixAccount)(uid=%s))","AdminFilter":"","GroupEnabled":false,"GroupDN":"","GroupFilter":"","GroupMemberUID":"","UserUID":"","Enabled":true}');
+#  failed_when: "'ERROR:' in ldap_auth_sql.stderr"
+#  changed_when: "'INSERT 0 0' not in ldap_auth_sql.stdout"
+#  register: ldap_auth_sql
+
+- name: create gitea-config
+  template:
+    src: gitea.ini.j2
+    dest: /etc/gitea/app.ini
+    owner: git
+
+#- name: create tls-dir
+#  file:
+#    dest: '{{item}}'
+#    state: directory
+#    force: yes
+#    owner: root
+#    mode: 0700
+#  with_items:
+#  - /etc/nginx/tls
+- name: copy nginx-sites
+  when: '"apt" == ansible_pkg_mgr|lower'
+  template:
+    src: "nginx.j2"
+    dest: "/etc/nginx/sites-available/gitea"
+- name: enable nginx-sites
+  when: '"apt" == ansible_pkg_mgr|lower'
+  file:
+    state: link
+    src: "../sites-available/gitea"
+    dest: "/etc/nginx/sites-enabled/gitea"
+- name: copy nginx-sites
+  when: '"apk" == ansible_pkg_mgr|lower'
+  template:
+    src: "nginx.j2"
+    dest: "/etc/nginx/conf.d/gitea.conf"
+
+- name: systemctl daemon-reload
+  when: ansible_service_mgr == "systemd"
+  systemd: 
+    daemon-reload: yes
+- name: enable services
+  service:
+    name: '{{item}}'
+    enabled: true
+    state: restarted
+  with_items:
+  - nginx
+  - gitea
diff --git a/templates/gitea.ini.j2 b/templates/gitea.ini.j2
new file mode 100644
index 0000000..63843e3
--- /dev/null
+++ b/templates/gitea.ini.j2
@@ -0,0 +1,64 @@
+APP_NAME = Gitea
+RUN_USER = git
+RUN_MODE = prod
+
+[database]
+DB_TYPE  = postgres
+HOST     = /var/run/postgresql/
+NAME     = gitea
+USER     = git
+PASSWD   = 
+SSL_MODE = disable
+PATH     = ../gitea.db
+
+[repository]
+ROOT = /home/git/gitea-repositories
+
+[server]
+DOMAIN             = {{gitea_fqdn}}
+# HTTP_ADDR        = 127.0.0.1
+# HTTP_PORT        = 1025
+PROTOCOL           = unix
+HTTP_ADDR          = /run/gitea/sock
+ROOT_URL           = {{gitea_root_uri}}
+DISABLE_SSH        = false
+SSH_PORT           = 22
+START_SSH_SERVER   = false
+OFFLINE_MODE       = false
+DISABLE_ROUTER_LOG = true
+
+[mailer]
+ENABLED = false
+
+[service]
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL     = false
+DISABLE_REGISTRATION   = true
+ENABLE_CAPTCHA         = true
+REQUIRE_SIGNIN_VIEW    = false
+
+[picture]
+DISABLE_GRAVATAR        = true
+ENABLE_FEDERATED_AVATAR = false
+
+[session]
+PROVIDER = file
+
+[log]
+MODE      = file
+LEVEL     = Info
+ROOT_PATH = /var/log/gitea
+
+[security]
+INSTALL_LOCK   = true
+SECRET_KEY     = UqhGAUYCwUAUfJKwHDaBgJ9GysNysL8wHeUqdKSxFbwljRaVUgFqOPkBV3AXcbL8
+INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE1ODkxOTc0MDl9.eg5ukVv6gmDymYbysWXzjZeVK6-7lT2rGNZdqBMG1w0
+
+[markup.asciidoc]
+ENABLED = true
+FILE_EXTENSIONS = .adoc,.asciidoc
+RENDER_COMMAND = "asciidoctor --out-file=- --safe-mode secure --no-header-footer --backend xhtml5 -"
+IS_INPUT_FILE = false
+
+[oauth2]
+JWT_SECRET = hiNsZNEuDQGcgz68cjtGdG7ylkuuMWFXwwCg_1oICzA
diff --git a/templates/nginx.j2 b/templates/nginx.j2
new file mode 100644
index 0000000..d6230c0
--- /dev/null
+++ b/templates/nginx.j2
@@ -0,0 +1,35 @@
+upstream gitea {
+	server unix:/run/gitea/sock;
+}
+
+server {
+	listen 443 ssl http2;
+	server_name {{ gitea_fqdn }};
+
+	ssl_prefer_server_ciphers on;
+	ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
+	ssl_certificate /etc/nginx/tls/{{ansible_fqdn}}.crt;
+	ssl_certificate_key /etc/nginx/tls/{{ansible_fqdn}}.key;
+	ssl_dhparam /etc/nginx/tls/{{ansible_fqdn}}.dh;
+	ssl_session_timeout 5m;
+	add_header Strict-Transport-Security max-age=15768000;
+	gzip off;
+
+	root /srv/gitea/public;
+
+	index index.html;
+	location / {
+		proxy_pass http://gitea/;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header Host $http_host;
+		proxy_redirect off;
+	}
+
+	error_page 500 502 503 504 /500.html;
+	error_page 404 /404.html;
+	error_page 422 /422.html;
+
+	#log_not_found on;
+	#log_subrequest on;
+}
diff --git a/tests/inventory b/tests/inventory
new file mode 100644
index 0000000..878877b
--- /dev/null
+++ b/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/tests/test.yml b/tests/test.yml
new file mode 100644
index 0000000..9e83d64
--- /dev/null
+++ b/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - gitea
\ No newline at end of file
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..acf5b95
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1,4 @@
+---
+gitea_architectures_map:
+  x86_64: 'amd64'
+  i386: '386'