
Initial commit

lavenderguiar 3 years ago
054e1108e6
  1. 45
      defaults/main.yml
  2. 23
      handlers/main.yml
  3. 45
      tasks/configure.yml
  4. 58
      tasks/install.yml
  5. 10
      tasks/main.yml
  6. 79
      tasks/postgres.yml
  7. 4
      templates/etc/fail2ban/filter.d/gitea.conf.j2
  8. 8
      templates/etc/fail2ban/jail.d/gitea.conf.j2
  9. 65
      templates/etc/gitea/app.ini.j2
  10. 10
      templates/etc/logrotate.d/gitea.j2
  11. 29
      templates/etc/systemd/system/gitea.service.j2

45
defaults/main.yml

@ -0,0 +1,45 @@
---
gitea__version: '1.15.6'
gitea__checksum: '1b7473b5993e07b33fec58edbc1a90f15f040759ca4647e97317c33d5dfe58be'
gitea__user: gitea
gitea__group: gitea
# If no database installed, default to postgresql here. Otherwise set to false.
gitea__install_and_prepare_postgres: true
postgresql__version: '12'
gitea__internal_token: 'qwerwertertyrtyu' # Random 48 character string (or acquire after initial installation).
gitea__secret_key: 'qwerwertertyrtyu' # Random password string.
gitea__lfs_jwt_secret: 'qwerwertertyrtyu' # Random password string.
gitea__postgres_username: gitea
gitea__postgres_db_name: giteadb
gitea__postgres_db_password: qwerwertertyrtyu # Default. Change and encrypt using ansible-vault.
# Gitea Settings
gitea__name: gitea # App name
gitea__repo_dir: /home/{{ gitea__user }}/gitea-repositories # Directory where Gitea stores repos.
gitea__install_lock: 'true' # Lock the installation page.
gitea__domain_name: git.example.com # FQDN of page to serve Gitea
gitea__ssh_port: 8822 # SSH port for Gitea to use (set sshd configs appropriately)
gitea__disable_registration: 'true' # Disable registration (Leave false until after initial install and admin creation).
gitea__http_port: 3000
gitea__disable_ssh: 'false'
gitea__email_confirm_registration: 'false'
gitea__enable_notify_mail: 'true'
gitea__enable_captcha: 'true'
gitea__keep_email_private: 'true'
gitea__allow_org_creation: 'true'
gitea__no_reply_address: noreply.{{ gitea__domain_name }}
gitea__log_path: /var/lib/gitea/log
gitea__log_rotate_retention: '3' # Number of days to keep log files.
gitea__dependent_directories:
- { path: /var/lib/gitea/custom, owner: root, group: root, mode: 755}
- { path: /var/lib/gitea/public, owner: root, group: root, mode: 755}
- { path: /var/lib/gitea/data, owner: "{{ gitea__user }}", group: "{{ gitea__group }}", mode: 750}
- { path: /var/lib/gitea/indexers, owner: "{{ gitea__user }}", group: "{{ gitea__group }}", mode: 750}
- { path: /var/lib/gitea/log, owner: "{{ gitea__user }}", group: "{{ gitea__group }}", mode: 750}
- { path: /etc/gitea, owner: root, group: "{{ gitea__group }}", mode: 770}
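Review bot: `gitea__internal_token`, `gitea__secret_key`, `gitea__lfs_jwt_secret` and `gitea__postgres_db_password` all default to the same literal `qwerwertertyrtyu`, so any inventory that forgets to override them deploys a Gitea whose session-signing key, internal API token and LFS JWT secret are public in this repository; the inline comments ask the operator to change them but nothing enforces it. Leave these undefined in defaults (or make them unrenderable, e.g. `gitea__secret_key: "{{ undef(hint='set gitea__secret_key in vault') }}"` on Ansible ≥ 2.12) and add an `assert` at the top of the role so a run with placeholder values fails instead of installing. The `mode: 755`/`750`/`770` entries in `gitea__dependent_directories` are unquoted YAML integers; Ansible's `file` module treats an integer mode as decimal, so quote them (`mode: '0750'`). `/etc/gitea` at group-writable `770` also lets the `gitea` service account rewrite its own `app.ini`; upstream's install guide only needs `770` until the web installer has run, and since `gitea__install_lock` defaults to `'true'` here, `750` (with `app.ini` at `0640`) is the right steady state.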

23
handlers/main.yml

@ -0,0 +1,23 @@
---
- name: Reload daemon
systemd:
daemon_reload: true
become: yes
- name: Restart gitea
systemd:
name: gitea
state: restarted
become: yes
- name: Restart postgres
systemd:
name: postgresql
state: restarted
become: yes
- name: Restart fail2ban
systemd:
name: fail2ban
state: restarted
become: yes
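Review bot: A point of style: all four handlers use `become: yes`, whereas yamllint's `truthy` rule and Ansible's own guidance want canonical booleans, `become: true`. Consider also adding `daemon_reload: true` to the `Restart gitea` handler; as written, a task that changes the unit file and only notifies `Reload daemon` leaves the running service on the old unit until something else restarts it.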

45
tasks/configure.yml

@ -0,0 +1,45 @@
---
# - name: gitea | configure | daemonize gitea
# template:
# src: "etc/systemd/system/gitea.service.j2"
# dest: "/etc/systemd/system/gitea.service"
# owner: root
# group: root
# mode: 0644
# become: yes
# notify:
# - Reload daemon
# - name: gitea | configure | write gitea app.ini
# template:
# src: "etc/gitea/app.ini.j2"
# dest: "/etc/gitea/app.ini"
# owner: root
# group: "{{ gitea__group }}"
# mode: 0770
# become: yes
# notify:
# - Restart gitea
# - name: gitea | configure | write fail2ban filter config
# template:
# src: "etc/fail2ban/filter.d/gitea.conf.j2"
# dest: "/etc/fail2ban/filter.d/gitea.conf"
# become: yes
# notify:
# - Restart fail2ban
# - name: gitea | configure | write fail2ban jail config
# template:
# src: "etc/fail2ban/jail.d/gitea.conf.j2"
# dest: "/etc/fail2ban/jail.d/gitea.conf"
# become: yes
# notify:
# - Restart fail2ban
- name: gitea | configure | write Gitea logrotate config
template:
src: "etc/logrotate.d/gitea.j2"
dest: "/etc/logrotate.d/gitea"
mode: 0644
become: yes
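Review bot: The `write gitea app.ini` task (still commented out in this commit) would install a file holding `INTERNAL_TOKEN`, `SECRET_KEY` and the database password with `mode: 0770`, which is group-writable and marks a config file executable; Gitea's documentation recommends a root-owned `app.ini` at `0640` with group `gitea`, so the service can read but not rewrite its own configuration. When the task is enabled, change the line to `mode: '0640'`. The unit-file task above it only notifies `Reload daemon`; a changed unit is not applied to a running service until it is restarted, so that task should notify `Restart gitea` as well. The two fail2ban template tasks set neither `owner` nor `mode`; they inherit root and the umask, which is fine, but stating `mode: '0644'` makes the intent explicit like the logrotate task does.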

58
tasks/install.yml

@ -0,0 +1,58 @@
---
- include_tasks: postgres.yml
when: gitea__install_and_prepare_postgres == true
- name: gitea | install | ensure package dependencies are installed
apt:
name: "{{ item }}"
state: present
update_cache: yes
loop:
- git
- gnupg2
- xz-utils
- fail2ban
become: yes
- name: gitea | install | Ensure gitea group exists
group:
name: "{{ gitea__group }}"
state: present
become: yes
- name: gitea | install | Add gitea user
user:
name: "{{ gitea__user }}"
group: "{{ gitea__group }}"
state: present
create_home: yes
shell: /bin/bash
become: yes
- name: gitea | install | ensure gitea config directories exist before install
file:
path: "{{ item.path }}"
owner: "{{ item.owner }}"
group: "{{ item.group }}"
mode: "{{ item.mode }}"
state: directory
with_items: "{{ gitea__dependent_directories }}"
become: yes
- name: gitea | install | retrieve checksum
get_url:
url: "https://dl.gitea.io/gitea/{{ gitea__version }}/gitea-{{ gitea__version }}-linux-amd64.sha256"
dest: "/tmp/"
become: yes
- name: gitea | install | register checksum
shell: cat /tmp/gitea-1.15.6-linux-amd64.sha256
register: gitea__checksum
- name: gitea | install | download gitea
get_url:
url: https://dl.gitea.io/gitea/{{ gitea__version }}/gitea-{{ gitea__version }}-linux-amd64
dest: "/usr/local/bin/gitea"
mode: +x
checksum: "sha256:{{ gitea__checksum }}"
become: yes
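Review bot: The `register checksum` task stores the whole `shell` result (a dict with `stdout`, `rc`, …) in `gitea__checksum`, so the download task's `checksum: "sha256:{{ gitea__checksum }}"` renders a dict rather than a hex digest and `get_url` will reject it; even corrected to `{{ gitea__checksum.stdout.split()[0] }}` (the `.sha256` file is `<digest>  <filename>`), a digest fetched from the same origin as the binary verifies nothing beyond TLS. The pinned `gitea__checksum` in defaults is the value worth keeping: drop the `retrieve checksum` and `register checksum` tasks, leave `checksum: "sha256:{{ gitea__checksum }}"`, and bump the digest together with `gitea__version`. The `cat` also hard-codes `gitea-1.15.6-…` instead of `{{ gitea__version }}`, and `mode: +x` on the binary should be an explicit `mode: '0755'` so the result does not depend on the file's prior mode. `gnupg2` is installed but never used; if out-of-band verification is wanted, fetch the release `.asc` signature and check it against Gitea's signing key rather than the `.sha256`.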

10
tasks/main.yml

@ -0,0 +1,10 @@
---
# - include_tasks: install.yml
- include_tasks: configure.yml
# - name: gitea | Ensure gitea is running and enabled on boot.
# systemd:
# name: gitea
# enabled: yes
# state: started
# become: yes

79
tasks/postgres.yml

@ -0,0 +1,79 @@
---
# - name: gitea | postgresql | install | ensure ansible postgres dependency is installed
# apt:
# name: "{{ item }}"
# state: present
# update_cache: yes
# loop:
# - python3-psycopg2
# - acl
# become: yes
# - name: gitea | postgresql | install | add apt key
# apt_key:
# url: "https://www.postgresql.org/media/keys/ACCC4CF8.asc"
# state: present
# become: yes
# - name: gitea | postgresql | install | add PG apt repo
# apt_repository:
# repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ ansible_distribution_release }}-pgdg main"
# state: present
# become: yes
# - name: gitea | postgresql | install | install postgresql
# apt:
# name: "postgresql-{{ postgresql__version }}"
# state: present
# update_cache: yes
# become: yes
# - name: gitea | postgresql | set postgres authentication method before start.
# postgresql_set:
# name: password_encryption
# value: scram-sha-256
# become: yes
# become_user: postgres
# - name: gitea | postgresql | ensure PG is running and enabled on boot.
# service:
# name: postgresql
# state: started
# enabled: yes
# become: yes
# - name: gitea | postgresql | create gitea postgresql database
# postgresql_db:
# name: "{{ gitea__postgres_db_name }}"
# state: present
# encoding: UTF8
# lc_collate: en_US.UTF-8
# lc_ctype: en_US.UTF-8
# template: template0
# become: yes
# become_user: postgres
# - name: gitea | postgresql | add gitea postgres user
# postgresql_user:
# name: "{{ gitea__postgres_username }}"
# password: "{{ gitea__postgres_db_password }}"
# db: "{{ gitea__postgres_db_name }}"
# state: present
# priv: "ALL"
# encrypted: yes
# expires: infinity
# become: yes
# become_user: postgres
# - name: gitea | postgresql | add gitea user to pg_hba
# postgresql_pg_hba:
# dest: /etc/postgresql/12/main/pg_hba.conf
# contype: local
# users: "{{ gitea__postgres_username }}"
# databases: "{{ gitea__postgres_db_name }}"
# method: scram-sha-256
# state: present
# dest: ""
# become: yes
# notify:
# - Restart postgres
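Review bot: The `postgresql_pg_hba` task (commented out like the rest of this file) declares `dest` twice — `dest: /etc/postgresql/12/main/pg_hba.conf` and then `dest: ""`; YAML parsers keep the last value, so once this task is enabled the module receives an empty path and the scram-sha-256 rule for the gitea role is never written. Delete the `dest: ""` line and derive the path from the existing variable, `dest: "/etc/postgresql/{{ postgresql__version }}/main/pg_hba.conf"`, so it tracks the installed major version. The apt repository can also be `https://apt.postgresql.org/pub/repos/apt/`; apt's signature check already protects package integrity, but https keeps the package list private.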

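--- a/templates/etc/fail2ban/filter.d/gitea.conf.j2
+++ b/templates/etc/fail2ban/filter.d/gitea.conf.j2
@@ -0,0 +1,4 @@
+# gitea.conf
+[Definition]
+failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+ignoreregex =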

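--- a/templates/etc/fail2ban/jail.d/gitea.conf.j2
+++ b/templates/etc/fail2ban/jail.d/gitea.conf.j2
@@ -0,0 +1,8 @@
+[gitea]
+enabled = true
+filter = gitea
+logpath = /var/lib/gitea/log/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports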
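Review bot: `action = iptables-allports` keyed on `<HOST>` from Gitea's log assumes the logged address is the client's; `app.ini.j2` in this commit sets `ROOT_URL = https://…` while Gitea itself serves plain HTTP on port 3000, which implies a reverse proxy, and in that layout every failed login is logged `from <proxy-ip>` and fail2ban blocks the proxy on all ports — a self-inflicted outage after ten bad passwords from anyone. If a proxy is in front, set `REVERSE_PROXY_TRUSTED_PROXIES` under `[security]` in app.ini (available in 1.15, as far as I recall) and have the proxy send `X-Real-IP`/`X-Forwarded-For` so the log carries the real client. `logpath` is also hard-coded while the rest of the role uses `gitea__log_path`; use `logpath = {{ gitea__log_path }}/gitea.log`. A `bantime` of 900 seconds is short for an authentication endpoint; consider something longer or an incremental ban.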

65
templates/etc/gitea/app.ini.j2

@ -0,0 +1,65 @@
APP_NAME = {{ gitea__name }}
RUN_USER = {{ gitea__user }}
RUN_MODE = prod
[ui]
DEFAULT_THEME = gitea
THEMES = gitea,github-dark,earl-grey
[security]
INTERNAL_TOKEN = {{ gitea__internal_token }}
INSTALL_LOCK = {{ gitea__install_lock }}
SECRET_KEY = {{ gitea__secret_key }}
[database]
DB_TYPE = postgres
HOST = 127.0.0.1:5432
NAME = {{ gitea__postgres_db_name }}
USER = {{ gitea__postgres_username }}
PASSWD = {{ gitea__postgres_db_password }}
SSL_MODE = disable
[repository]
ROOT = {{ gitea__repo_dir }}
[server]
SSH_DOMAIN = {{ gitea__domain_name }}
DOMAIN = {{ gitea__domain_name }}
HTTP_PORT = {{ gitea__http_port }}
ROOT_URL = https://{{ gitea__domain_name }}/
DISABLE_SSH = {{ gitea__disable_ssh }}
SSH_PORT = {{ gitea__ssh_port }}
LFS_START_SERVER = true
LFS_CONTENT_PATH = /var/lib/gitea/data/lfs
LFS_JWT_SECRET = {{ gitea__lfs_jwt_secret }}
OFFLINE_MODE = false
[mailer]
ENABLED = false
[service]
REGISTER_EMAIL_CONFIRM = {{ gitea__email_confirm_registration }}
ENABLE_NOTIFY_MAIL = {{ gitea__enable_notify_mail }}
DISABLE_REGISTRATION = {{ gitea__disable_registration }}
ENABLE_CAPTCHA = {{ gitea__enable_captcha }}
REQUIRE_SIGNIN_VIEW = false
DEFAULT_KEEP_EMAIL_PRIVATE = {{ gitea__keep_email_private }}
DEFAULT_ALLOW_CREATE_ORGANIZATION = {{ gitea__allow_org_creation }}
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = {{ gitea__no_reply_address }}
[picture]
DISABLE_GRAVATAR = false
ENABLE_FEDERATED_AVATAR = true
[openid]
ENABLE_OPENID_SIGNIN = false
ENABLE_OPENID_SIGNUP = false
[session]
PROVIDER = file
[log]
MODE = file
LEVEL = Info
ROOT_PATH = {{ gitea__log_path }}
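Review bot: `[server]` sets `ROOT_URL = https://{{ gitea__domain_name }}/` but no `PROTOCOL`, `HTTP_ADDR` or certificate, so Gitea listens for plain HTTP on all interfaces at `{{ gitea__http_port }}` and TLS presumably terminates in a reverse proxy; without `HTTP_ADDR = 127.0.0.1` the cleartext port is reachable directly, bypassing whatever the proxy enforces, and session cookies travel over it unencrypted. Add `HTTP_ADDR = 127.0.0.1` (or bind to the proxy-facing interface) and, since Gitea 1.15 does not set the `Secure` cookie flag automatically if I remember correctly, `COOKIE_SECURE = true` under `[session]`. `SSL_MODE = disable` for the database is acceptable only while `HOST` stays `127.0.0.1:5432`; a comment such as `; loopback only — enable SSL_MODE before pointing HOST at a remote server` would save the next operator from carrying it along unchanged. `DISABLE_GRAVATAR = false` with `ENABLE_FEDERATED_AVATAR = true` sends hashed user e-mails to third parties on a self-hosted instance and deserves a variable like the other `[service]` toggles.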

10
templates/etc/logrotate.d/gitea.j2

@ -0,0 +1,10 @@
# Ansible-Managed
{{ gitea__log_path }}/*.log {
su {{ gitea__user }} {{ gitea__group }}
daily
rotate {{ gitea__log_rotate_retention }}
missingok
compress
copytruncate
}
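Review bot: `rotate {{ gitea__log_rotate_retention }}` with its default of 3 and `daily` keeps only three days of the authentication log that fail2ban and any incident review depend on; a bruteforce noticed a week later leaves no evidence. Consider a longer default (30 or 90) or forwarding the log off-host, and note the trade-off in the variable's comment in defaults. Gitea's file logger also rotates on its own by default (`LOG_ROTATE`/`MAX_DAYS` under `[log]`, as far as I recall), so two rotators act on the same file here; either set `LOG_ROTATE = false` in `app.ini.j2` or rely on Gitea's rotation and drop `copytruncate`, which can lose lines written between the copy and the truncate.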

29
templates/etc/systemd/system/gitea.service.j2

@ -0,0 +1,29 @@
[Unit]
Description=Gitea (Git with a cup of tea)
After=syslog.target
After=network.target
After=postgresql.service
[Service]
# Modify these two values and uncomment them if you have
# repos with lots of files and get an HTTP error 500 because
# of that
###
#LimitMEMLOCK=infinity
#LimitNOFILE=65535
RestartSec=2s
Type=simple
User={{ gitea__user }}
Group={{ gitea__group }}
WorkingDirectory=/var/lib/gitea/
ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
Restart=always
Environment=USER={{ gitea__user }} HOME=/home/{{ gitea__user }} GITEA_WORK_DIR=/var/lib/gitea
# If you want to bind Gitea to a port below 1024 uncomment
# the two values below
###
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
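Review bot: The unit runs Gitea as `{{ gitea__user }}` but applies none of systemd's sandboxing options — no `ProtectSystem`, `PrivateTmp`, `PrivateDevices` or `NoNewPrivileges` — so a compromised Gitea process (it parses untrusted git data and serves an HTTP API) can write anywhere its uid can, including `/etc/gitea`, which this role leaves group-writable, and can gain privileges through setuid binaries. Add the hardening block below; `ProtectSystem=full` makes `/usr`, `/boot` and `/etc` read-only, which is compatible with `INSTALL_LOCK = true` because nothing needs to write `app.ini` at runtime, and `ReadWritePaths=` can be added if that ever changes. `After=syslog.target` is obsolete with journald and can be dropped.

```ini
[Service]
# … unchanged: RestartSec/Type/User/Group/WorkingDirectory/ExecStart/Restart/Environment …
ProtectSystem=full
PrivateDevices=yes
PrivateTmp=yes
NoNewPrivileges=true
```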