deac/ansible-role-gitea
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

init

Browse source
This commit is contained in:
Denis Knauf 2020-09-15 16:43:53 +02:00
commit 8845621862
11 changed files with 478 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

100
README.adoc Normal file
View file

@ -0,0 +1,100 @@
Role Name
=========
____
Gitea - Git with a cup of tea
A painless self-hosted Git service.
Gitea is a community managed lightweight code hosting solution written in Go. It is published under the MIT license.
____
It installs nginx, postgresql and gitea for you git-service.
Requirements
------------
You need to have debian (or compatible, like ubuntu) or alpine already installed.
* sshd
It will install all dependencies on host-machine:
* Postgresql
* nginx
* gitea - itself
It expects for TLS a PKI in `/etc/nginx/tls/`,
where you have to place `**hostname**.key`, `**hostname**.crt`.
Role Variables
--------------
gitea_version::
You need to define it, it cannot determine newest version, yet.
gitea_download_uri::
The URI to the binary.
You need to define it, it cannot determine newest version, yet.
gitea_fqdn::
Full qualified domain name for the webserver.
gitea_root_uri::
The Link to your gitea service. Default `https://{{gitea_fqdn}}/`.
Example Playbook
----------------
This determines the newest version of gitea automatically.
So it defines `gitea_version` and `gitea_download_uri`.
----
---
# vim: set expandtab tabstop=2 shiftwidth=2:
- hosts: gitea
remote_user: root
become: false
tasks:
- delegate_to: local
run_once: true
remote_user: root
become: false
gem:
user_install: false
name: '{{item}}'
with_items:
- oga
- httpclient
- name: determine newest provided version
delegate_to: local
become: false
run_once: true
shell: |
ruby -roga -rhttpclient <<EOF
puts Oga.parse_html( HTTPClient.get_content( "https://dl.gitea.io/gitea/")).
css( "tr.file a[href] .name").
map {|a| a.text.chomp.split ?. }.
select {|v| v.grep( /\D/).empty? }.
map {|v| v.map &:to_i }.
max.
join( ?.)
EOF
register: det_gitea_ver
- set_fact:
gitea_version: '{{gitea.version | default(det_gitea_ver.stdout)}}'
- set_fact:
gitea_download_uri: '{{gitea.uri | default("https://dl.gitea.io/gitea/"+gitea_version+"/gitea-"+gitea_version+"-linux-"+gitea_architectures_map[ansible_architecture])}}'
- import_role:
name: gitea
----
License
-------
AGPLv3
Author Information
------------------
Denis Knauf - https://git.denkn.at/deac/ansible-role-gitea

3
defaults/main.yml Normal file
View file

@ -0,0 +1,3 @@
---
# defaults file for gitea
gitea_root_uri: 'https://{{gitea_fqdn}}/'

19
files/gitea.service Normal file
View file

@ -0,0 +1,19 @@
[Unit]
Description=Gitea
After=syslog.target
After=network.target
After=mariadb.service mysqld.service postgresql.service memcached.service redis.service
[Install]
WantedBy=multi-user.target
[Service]
PIDFile=/run/gitea/gitea.pid
User=git
Group=git
PermissionsStartOnly=true
WorkingDirectory=/srv/gitea
ExecStartPre=/usr/bin/install -o git -g git -d /run/gitea/
ExecStart=/srv/gitea/gitea web
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

20
handlers/main.yml Normal file
View file

@ -0,0 +1,20 @@
---
# vim: set expandtab tabstop=2 shiftwidth=2:
- name: restart gitea
shell: |
service=gitea.service
case `systemctl show $service | sed -ne 's/^ActiveState=//p'` in
active) systemctl restart $service ;;
failed) systemctl restart $service ;;
*) systemctl start $service ;;
esac
- name: restart postgresql
service:
state: restarted
name: postgresql
daemon-reload: yes
- name: restart nginx
service:
state: restarted
name: nginx
daemon-reload: yes

53
meta/main.yml Normal file
View file

@ -0,0 +1,53 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.9
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

173
tasks/main.yml Normal file
View file

@ -0,0 +1,173 @@
---
# vim: set expandtab tabstop=2 shiftwidth=2:
- name: install dependencies
when: '"apk" == ansible_pkg_mgr|lower'
apk:
name:
- postgresql
- postgresql-client
- py3-psycopg2
- nginx
- gnutls-utils
- py3-openssl
- gitea
- name: apt-based
when: '"apt" == ansible_pkg_mgr|lower'
block:
- name: install dependencies
apt:
name:
- postgresql
- postgresql-client
- python-psycopg2
- nginx
- gnutls-bin
- python-openssl
- name: create git-group
when: '"apt" == ansible_pkg_mgr|lower'
group:
name: git
- name: create git-user
when: '"apt" == ansible_pkg_mgr|lower'
user:
name: git
comment: git & gitea
group: git
shell: /bin/bash
createhome: yes
home: /home/git
move_home: no
skeleton: no
- name: create gitea-dirs
when: '"apt" == ansible_pkg_mgr|lower'
file:
dest: '{{item}}'
state: directory
force: yes
owner: git
mode: 0755
with_items:
- /var/lib/gitea
- /var/log/gitea
- /srv/gitea
- /srv/gitea/custom
- /etc/gitea
- name: create links
when: '"apt" == ansible_pkg_mgr|lower'
file:
dest: '{{item.key}}'
src: '{{item.value}}'
state: link
force: yes
with_dict:
/srv/gitea/data: /var/lib/gitea
/srv/gitea/custom/conf: /etc/gitea
- name: "download gitea-{{ gitea_version }}-{{ ansible_architecture }}"
when: '"apt" == ansible_pkg_mgr|lower'
get_url:
url: "{{ gitea_download_uri }}"
dest: "/srv/gitea/gitea-{{ gitea_version }}-{{ ansible_architecture }}"
mode: 0600
- name: "link gitea to gitea-{{ gitea_version }}-{{ ansible_architecture }}"
when: '"apt" == ansible_pkg_mgr|lower'
copy:
src: "/srv/gitea/gitea-{{ gitea_version }}-{{ ansible_architecture }}"
dest: /srv/gitea/gitea
remote_src: yes
mode: 0755
- name: install gitea-service for systemd
when: ansible_service_mgr == "systemd"
copy:
src: gitea.service
dest: /etc/systemd/system/
owner: root
group: root
mode: 0644
- name: systemctl daemon-reload
when: ansible_service_mgr == "systemd"
systemd:
daemon-reload: yes
- name: started postgresql
service:
state: started
name: postgresql
- name: create db gitea
become_user: postgres
become: true
postgresql_db:
name: gitea
encoding: UTF-8
template: template0
- name: create db-user git
become_user: postgres
become: true
no_log: true
postgresql_user:
db: gitea
name: git
password: NULL
#- name: create ldap-auth
# become: yes
# become_user: git
# shell: psql gitea
# args:
# stdin: |
# PREPARE upsert_login_source (varchar, int, bool, text) AS -- name, type, is_actived, cfg
# INSERT INTO login_source (name, type, is_actived, cfg) VALUES ($1, $2, $3, $4)
# ON CONFLICT (name) DO UPDATE SET type = $2, is_actived = $3, cfg = $4
# WHERE login_source.type <> $2 OR login_source.is_actived <> $3 OR login_source.cfg <> $4;
# EXECUTE upsert_login_source ('ldap', 5, 'true', '{"Name":"ldap","Host":"ldap.technikum-wien.at","Port":389,"SecurityProtocol":2,"SkipVerify":false,"BindDN":"ou=People,dc=technikum-wien,dc=at","BindPassword":"","UserBase":"","UserDN":"uid=%s,ou=People,dc=technikum-wien,dc=at","AttributeUsername":"uid","AttributeName":"givenName","AttributeSurname":"sn","AttributeMail":"mail","AttributesInBind":false,"Filter":"(\u0026(objectClass=posixAccount)(uid=%s))","AdminFilter":"","GroupEnabled":false,"GroupDN":"","GroupFilter":"","GroupMemberUID":"","UserUID":"","Enabled":true}');
# failed_when: "'ERROR:' in ldap_auth_sql.stderr"
# changed_when: "'INSERT 0 0' not in ldap_auth_sql.stdout"
# register: ldap_auth_sql
- name: create gitea-config
template:
src: gitea.ini.j2
dest: /etc/gitea/app.ini
owner: git
#- name: create tls-dir
# file:
# dest: '{{item}}'
# state: directory
# force: yes
# owner: root
# mode: 0700
# with_items:
# - /etc/nginx/tls
- name: copy nginx-sites
when: '"apt" == ansible_pkg_mgr|lower'
template:
src: "nginx.j2"
dest: "/etc/nginx/sites-available/gitea"
- name: enable nginx-sites
when: '"apt" == ansible_pkg_mgr|lower'
file:
state: link
src: "../sites-available/gitea"
dest: "/etc/nginx/sites-enabled/gitea"
- name: copy nginx-sites
when: '"apk" == ansible_pkg_mgr|lower'
template:
src: "nginx.j2"
dest: "/etc/nginx/conf.d/gitea.conf"
- name: systemctl daemon-reload
when: ansible_service_mgr == "systemd"
systemd:
daemon-reload: yes
- name: enable services
service:
name: '{{item}}'
enabled: true
state: restarted
with_items:
- nginx
- gitea

64
templates/gitea.ini.j2 Normal file
View file

@ -0,0 +1,64 @@
APP_NAME = Gitea
RUN_USER = git
RUN_MODE = prod
[database]
DB_TYPE = postgres
HOST = /var/run/postgresql/
NAME = gitea
USER = git
PASSWD =
SSL_MODE = disable
PATH = ../gitea.db
[repository]
ROOT = /home/git/gitea-repositories
[server]
DOMAIN = {{gitea_fqdn}}
# HTTP_ADDR = 127.0.0.1
# HTTP_PORT = 1025
PROTOCOL = unix
HTTP_ADDR = /run/gitea/sock
ROOT_URL = {{gitea_root_uri}}
DISABLE_SSH = false
SSH_PORT = 22
START_SSH_SERVER = false
OFFLINE_MODE = false
DISABLE_ROUTER_LOG = true
[mailer]
ENABLED = false
[service]
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
DISABLE_REGISTRATION = true
ENABLE_CAPTCHA = true
REQUIRE_SIGNIN_VIEW = false
[picture]
DISABLE_GRAVATAR = true
ENABLE_FEDERATED_AVATAR = false
[session]
PROVIDER = file
[log]
MODE = file
LEVEL = Info
ROOT_PATH = /var/log/gitea
[security]
INSTALL_LOCK = true
SECRET_KEY = UqhGAUYCwUAUfJKwHDaBgJ9GysNysL8wHeUqdKSxFbwljRaVUgFqOPkBV3AXcbL8
INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE1ODkxOTc0MDl9.eg5ukVv6gmDymYbysWXzjZeVK6-7lT2rGNZdqBMG1w0
[markup.asciidoc]
ENABLED = true
FILE_EXTENSIONS = .adoc,.asciidoc
RENDER_COMMAND = "asciidoctor --out-file=- --safe-mode secure --no-header-footer --backend xhtml5 -"
IS_INPUT_FILE = false
[oauth2]
JWT_SECRET = hiNsZNEuDQGcgz68cjtGdG7ylkuuMWFXwwCg_1oICzA

35
templates/nginx.j2 Normal file
View file

@ -0,0 +1,35 @@
upstream gitea {
server unix:/run/gitea/sock;
}
server {
listen 443 ssl http2;
server_name {{ gitea_fqdn }};
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
ssl_certificate /etc/nginx/tls/{{ansible_fqdn}}.crt;
ssl_certificate_key /etc/nginx/tls/{{ansible_fqdn}}.key;
ssl_dhparam /etc/nginx/tls/{{ansible_fqdn}}.dh;
ssl_session_timeout 5m;
add_header Strict-Transport-Security max-age=15768000;
gzip off;
root /srv/gitea/public;
index index.html;
location / {
proxy_pass http://gitea/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
}
error_page 500 502 503 504 /500.html;
error_page 404 /404.html;
error_page 422 /422.html;
#log_not_found on;
#log_subrequest on;
}

2
tests/inventory Normal file
View file

@ -0,0 +1,2 @@
localhost

5
tests/test.yml Normal file
View file

@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- gitea

4
vars/main.yml Normal file
View file

@ -0,0 +1,4 @@
---
gitea_architectures_map:
x86_64: 'amd64'
i386: '386'