diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..c1466fd
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,45 @@
+---
+gitea__version: '1.15.6'
+gitea__checksum: '1b7473b5993e07b33fec58edbc1a90f15f040759ca4647e97317c33d5dfe58be'
+
+gitea__user: gitea
+gitea__group: gitea
+
+# If no database installed, default to postgresql here. Otherwise set to false.
+gitea__install_and_prepare_postgres: true
+postgresql__version: '12'
+
+gitea__internal_token: 'qwerwertertyrtyu' # Random 48 character string (or acquire after initial installation).
+gitea__secret_key: 'qwerwertertyrtyu' # Random password string.
+gitea__lfs_jwt_secret: 'qwerwertertyrtyu' # Random password string.
+
+gitea__postgres_username: gitea
+gitea__postgres_db_name: giteadb
+gitea__postgres_db_password: qwerwertertyrtyu # Default. Change and encrypt using ansible-vault.
+
+# Gitea Settings
+gitea__name: gitea # App name
+gitea__repo_dir: /home/{{ gitea__user }}/gitea-repositories # Directory where Gitea stores repos.
+gitea__install_lock: 'true' # Lock the installation page.
+gitea__domain_name: git.example.com # FQDN of page to serve Gitea
+gitea__ssh_port: 8822 # SSH port for Gitea to use (set sshd configs appropriately)
+gitea__disable_registration: 'true' # Disable registration (Leave false until after initial install and admin creation).
+gitea__http_port: 3000
+gitea__disable_ssh: 'false'
+gitea__email_confirm_registration: 'false'
+gitea__enable_notify_mail: 'true'
+gitea__enable_captcha: 'true'
+gitea__keep_email_private: 'true'
+gitea__allow_org_creation: 'true'
+gitea__no_reply_address: noreply.{{ gitea__domain_name }}
+
+gitea__log_path: /var/lib/gitea/log
+gitea__log_rotate_retention: '3' # Number of days to keep log files.
+
+gitea__dependent_directories:
+ - { path: /var/lib/gitea/custom, owner: root, group: root, mode: 755}
+ - { path: /var/lib/gitea/public, owner: root, group: root, mode: 755}
+ - { path: /var/lib/gitea/data, owner: "{{ gitea__user }}", group: "{{ gitea__group }}", mode: 750}
+ - { path: /var/lib/gitea/indexers, owner: "{{ gitea__user }}", group: "{{ gitea__group }}", mode: 750}
+ - { path: /var/lib/gitea/log, owner: "{{ gitea__user }}", group: "{{ gitea__group }}", mode: 750}
+ - { path: /etc/gitea, owner: root, group: "{{ gitea__group }}", mode: 770}
\ No newline at end of file
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..d15f57e
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,23 @@
+---
+- name: Reload daemon
+ systemd:
+ daemon_reload: true
+ become: yes
+
+- name: Restart gitea
+ systemd:
+ name: gitea
+ state: restarted
+ become: yes
+
+- name: Restart postgres
+ systemd:
+ name: postgresql
+ state: restarted
+ become: yes
+
+- name: Restart fail2ban
+ systemd:
+ name: fail2ban
+ state: restarted
+ become: yes
\ No newline at end of file
diff --git a/tasks/configure.yml b/tasks/configure.yml
new file mode 100644
index 0000000..835e41f
--- /dev/null
+++ b/tasks/configure.yml
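Review bot: The `mode:` values in `gitea__dependent_directories` are bare integers without a leading zero (`mode: 755`, `750`, `770`), and Ansible's file module treats a bare integer as decimal rather than octal, so the directories do not get rwxr-xr-x: 755 decimal is 01363 octal and 770 decimal is 01402 octal, which, if I read the bits right, leaves `/etc/gitea` with a sticky bit, no group access and world write. Quote them as strings, `mode: '0755'`, `mode: '0750'`, `mode: '0770'`, so the install task's `mode: "{{ item.mode }}"` receives what was intended. The same hunk ships working placeholder values for `gitea__internal_token`, `gitea__secret_key`, `gitea__lfs_jwt_secret` and `gitea__postgres_db_password` that render straight into `app.ini`, so an operator who forgets to override them gets a deployment whose signing secrets are public in this repository; defaulting them to `''` and failing early with an `assert` is safer than a default that works. `/etc/gitea` at group-writable `770` lets the service account rewrite its own `app.ini`; the comment could note that this is only needed for the initial install and should be tightened afterwards.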
@@ -0,0 +1,45 @@
+---
+# - name: gitea | configure | daemonize gitea
+# template:
+# src: "etc/systemd/system/gitea.service.j2"
+# dest: "/etc/systemd/system/gitea.service"
+# owner: root
+# group: root
+# mode: 0644
+# become: yes
+# notify:
+# - Reload daemon
+
+# - name: gitea | configure | write gitea app.ini
+# template:
+# src: "etc/gitea/app.ini.j2"
+# dest: "/etc/gitea/app.ini"
+# owner: root
+# group: "{{ gitea__group }}"
+# mode: 0770
+# become: yes
+# notify:
+# - Restart gitea
+
+# - name: gitea | configure | write fail2ban filter config
+# template:
+# src: "etc/fail2ban/filter.d/gitea.conf.j2"
+# dest: "/etc/fail2ban/filter.d/gitea.conf"
+# become: yes
+# notify:
+# - Restart fail2ban
+
+# - name: gitea | configure | write fail2ban jail config
+# template:
+# src: "etc/fail2ban/jail.d/gitea.conf.j2"
+# dest: "/etc/fail2ban/jail.d/gitea.conf"
+# become: yes
+# notify:
+# - Restart fail2ban
+
+- name: gitea | configure | write Gitea logrotate config
+ template:
+ src: "etc/logrotate.d/gitea.j2"
+ dest: "/etc/logrotate.d/gitea"
+ mode: 0644
+ become: yes
\ No newline at end of file
diff --git a/tasks/install.yml b/tasks/install.yml
new file mode 100644
index 0000000..7168bb5
--- /dev/null
+++ b/tasks/install.yml
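Review bot: The commented-out "write gitea app.ini" task writes a file containing `INTERNAL_TOKEN`, `SECRET_KEY`, `LFS_JWT_SECRET` and the database password with `mode: 0770`, which is group-writable and executable; when that block is re-enabled the mode should be `'0640'` (root-owned, readable by `{{ gitea__group }}`), which is all the `gitea web -c /etc/gitea/app.ini` invocation in the unit file needs. Only the logrotate task is live in this file, so as committed the role never deploys the unit, `app.ini` or the fail2ban configuration; if that is deliberate scaffolding, a comment at the top such as `# TODO: tasks below are disabled until the install flow is finished` would tell the next reader. The live logrotate task also sets no `owner`/`group`, so the file's ownership depends on the connecting account; adding `owner: root` and `group: root` matches the other template tasks.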
@@ -0,0 +1,58 @@
+---
+- include_tasks: postgres.yml
+ when: gitea__install_and_prepare_postgres == true
+
+- name: gitea | install | ensure package dependencies are installed
+ apt:
+ name: "{{ item }}"
+ state: present
+ update_cache: yes
+ loop:
+ - git
+ - gnupg2
+ - xz-utils
+ - fail2ban
+ become: yes
+
+- name: gitea | install | Ensure gitea group exists
+ group:
+ name: "{{ gitea__group }}"
+ state: present
+ become: yes
+
+- name: gitea | install | Add gitea user
+ user:
+ name: "{{ gitea__user }}"
+ group: "{{ gitea__group }}"
+ state: present
+ create_home: yes
+ shell: /bin/bash
+ become: yes
+
+- name: gitea | install | ensure gitea config directories exist before install
+ file:
+ path: "{{ item.path }}"
+ owner: "{{ item.owner }}"
+ group: "{{ item.group }}"
+ mode: "{{ item.mode }}"
+ state: directory
+ with_items: "{{ gitea__dependent_directories }}"
+ become: yes
+
+- name: gitea | install | retrieve checksum
+ get_url:
+ url: "https://dl.gitea.io/gitea/{{ gitea__version }}/gitea-{{ gitea__version }}-linux-amd64.sha256"
+ dest: "/tmp/"
+ become: yes
+
+- name: gitea | install | register checksum
+ shell: cat /tmp/gitea-1.15.6-linux-amd64.sha256
+ register: gitea__checksum
+
+- name: gitea | install | download gitea
+ get_url:
+ url: https://dl.gitea.io/gitea/{{ gitea__version }}/gitea-{{ gitea__version }}-linux-amd64
+ dest: "/usr/local/bin/gitea"
+ mode: +x
+ checksum: "sha256:{{ gitea__checksum }}"
+ become: yes
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..9abdbfd
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+# - include_tasks: install.yml
+- include_tasks: configure.yml
+
+# - name: gitea | Ensure gitea is running and enabled on boot.
+# systemd:
+# name: gitea
+# enabled: yes
+# state: started
+# become: yes
\ No newline at end of file
diff --git a/tasks/postgres.yml b/tasks/postgres.yml
new file mode 100644
index 0000000..1bc6bcc
--- /dev/null
+++ b/tasks/postgres.yml
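Review bot: `register: gitea__checksum` in the "register checksum" task overwrites the pinned `gitea__checksum` from defaults/main.yml with a command-result dict, so the download task's `checksum: "sha256:{{ gitea__checksum }}"` renders the dict rather than a hex digest and can never match; and even with `.stdout` a digest fetched from the same `dl.gitea.io` path as the binary gives no integrity guarantee, since whoever can replace one file can replace both. Drop the "retrieve checksum" and "register checksum" tasks and keep `checksum: "sha256:{{ gitea__checksum }}"` verifying against the value pinned in defaults (or verify the release's published signature with the `gnupg2` this hunk already installs). The `cat /tmp/gitea-1.15.6-linux-amd64.sha256` line also hard-codes the version where every other task uses `{{ gitea__version }}`, and reaches for `shell` where no shell features are used. `mode: +x` on a root-owned binary in `/usr/local/bin` is a symbolic mode whose result depends on the file's prior bits; `mode: '0755'` states the intent.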
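Review bot: `include_tasks: install.yml` is commented out while `configure.yml` is still included, so a run of this role as committed renders the logrotate template with `gitea__user` and `gitea__log_path` onto a host where neither the user nor `/var/lib/gitea/log` has been created by this role; the service enable/start task is disabled as well. If this is intentional while the install flow is worked on, a comment such as `# TODO: install.yml disabled during development; re-enable before release` makes that explicit, otherwise restore `- include_tasks: install.yml`.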
@@ -0,0 +1,79 @@
+---
+# - name: gitea | postgresql | install | ensure ansible postgres dependency is installed
+# apt:
+# name: "{{ item }}"
+# state: present
+# update_cache: yes
+# loop:
+# - python3-psycopg2
+# - acl
+# become: yes
+
+# - name: gitea | postgresql | install | add apt key
+# apt_key:
+# url: "https://www.postgresql.org/media/keys/ACCC4CF8.asc"
+# state: present
+# become: yes
+
+# - name: gitea | postgresql | install | add PG apt repo
+# apt_repository:
+# repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ ansible_distribution_release }}-pgdg main"
+# state: present
+# become: yes
+
+# - name: gitea | postgresql | install | install postgresql
+# apt:
+# name: "postgresql-{{ postgresql__version }}"
+# state: present
+# update_cache: yes
+# become: yes
+
+# - name: gitea | postgresql | set postgres authentication method before start.
+# postgresql_set:
+# name: password_encryption
+# value: scram-sha-256
+# become: yes
+# become_user: postgres
+
+# - name: gitea | postgresql | ensure PG is running and enabled on boot.
+# service:
+# name: postgresql
+# state: started
+# enabled: yes
+# become: yes
+
+# - name: gitea | postgresql | create gitea postgresql database
+# postgresql_db:
+# name: "{{ gitea__postgres_db_name }}"
+# state: present
+# encoding: UTF8
+# lc_collate: en_US.UTF-8
+# lc_ctype: en_US.UTF-8
+# template: template0
+# become: yes
+# become_user: postgres
+
+# - name: gitea | postgresql | add gitea postgres user
+# postgresql_user:
+# name: "{{ gitea__postgres_username }}"
+# password: "{{ gitea__postgres_db_password }}"
+# db: "{{ gitea__postgres_db_name }}"
+# state: present
+# priv: "ALL"
+# encrypted: yes
+# expires: infinity
+# become: yes
+# become_user: postgres
+
+# - name: gitea | postgresql | add gitea user to pg_hba
+# postgresql_pg_hba:
+# dest: /etc/postgresql/12/main/pg_hba.conf
+# contype: local
+# users: "{{ gitea__postgres_username }}"
+# databases: "{{ gitea__postgres_db_name }}"
+# method: scram-sha-256
+# state: present
+# dest: ""
+# become: yes
+# notify:
+# - Restart postgres
\ No newline at end of file
diff --git a/templates/etc/fail2ban/filter.d/gitea.conf.j2 b/templates/etc/fail2ban/filter.d/gitea.conf.j2
new file mode 100644
index 0000000..7e240fc
--- /dev/null
+++ b/templates/etc/fail2ban/filter.d/gitea.conf.j2
@@ -0,0 +1,4 @@
+# gitea.conf
+[Definition]
+failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from
+ignoreregex = 
\ No newline at end of file
diff --git a/templates/etc/fail2ban/jail.d/gitea.conf.j2 b/templates/etc/fail2ban/jail.d/gitea.conf.j2
new file mode 100644
index 0000000..7d745ed
--- /dev/null
+++ b/templates/etc/fail2ban/jail.d/gitea.conf.j2
@@ -0,0 +1,8 @@
+[gitea]
+enabled = true
+filter = gitea
+logpath = /var/lib/gitea/log/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports
\ No newline at end of file
diff --git a/templates/etc/gitea/app.ini.j2 b/templates/etc/gitea/app.ini.j2
new file mode 100644
index 0000000..34fe08a
--- /dev/null
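Review bot: The commented-out "add gitea user to pg_hba" task defines `dest:` twice, first `/etc/postgresql/12/main/pg_hba.conf` and then `dest: ""`; YAML keeps the last value, so the moment this block is uncommented the module receives an empty path and fails, and the first value hard-codes `12` where `postgresql__version` already exists in defaults. Keep one line, `dest: "/etc/postgresql/{{ postgresql__version }}/main/pg_hba.conf"`. `contype: local` with `method: scram-sha-256` also only covers Unix-socket connections, while `app.ini.j2` connects to `HOST = 127.0.0.1:5432` over TCP, so the rule as written would presumably not apply to Gitea's connection at all; a `contype: host` entry for `127.0.0.1/32` (or switching `HOST` to the socket) is needed, worth confirming against the pg_hba defaults on the target.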
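Review bot: As rendered here the `failregex` ends at `.* from` with no `<HOST>` capture, and fail2ban rejects a failregex that has no host/id group, so the jail would never ban anything; Gitea's documented filter ends in `from <HOST>`. If the `<HOST>` token was only lost when this page was rendered, ignore this, otherwise append it. Note also that `app.ini.j2` sets `ROOT_URL = https://...` while Gitea listens on plain HTTP port 3000, which implies a reverse proxy in front; in that layout the address Gitea logs is the proxy's unless `REVERSE_PROXY_TRUSTED_PROXIES` is configured in `[security]`, and the jail's `action = iptables-allports` would then either act on the proxy or on nothing, so a comment on the filter stating the proxy requirement would help.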
+++ b/templates/etc/gitea/app.ini.j2
@@ -0,0 +1,65 @@
+APP_NAME = {{ gitea__name }}
+RUN_USER = {{ gitea__user }}
+RUN_MODE = prod
+
+[ui]
+DEFAULT_THEME = gitea
+THEMES = gitea,github-dark,earl-grey
+
+[security]
+INTERNAL_TOKEN = {{ gitea__internal_token }}
+INSTALL_LOCK = {{ gitea__install_lock }}
+SECRET_KEY = {{ gitea__secret_key }}
+
+[database]
+DB_TYPE = postgres
+HOST = 127.0.0.1:5432
+NAME = {{ gitea__postgres_db_name }}
+USER = {{ gitea__postgres_username }}
+PASSWD = {{ gitea__postgres_db_password }}
+SSL_MODE = disable
+
+[repository]
+ROOT = {{ gitea__repo_dir }}
+
+[server]
+SSH_DOMAIN = {{ gitea__domain_name }}
+DOMAIN = {{ gitea__domain_name }}
+HTTP_PORT = {{ gitea__http_port }}
+ROOT_URL = https://{{ gitea__domain_name }}/
+DISABLE_SSH = {{ gitea__disable_ssh }}
+SSH_PORT = {{ gitea__ssh_port }}
+LFS_START_SERVER = true
+LFS_CONTENT_PATH = /var/lib/gitea/data/lfs
+LFS_JWT_SECRET = {{ gitea__lfs_jwt_secret }}
+OFFLINE_MODE = false
+
+[mailer]
+ENABLED = false
+
+[service]
+REGISTER_EMAIL_CONFIRM = {{ gitea__email_confirm_registration }}
+ENABLE_NOTIFY_MAIL = {{ gitea__enable_notify_mail }}
+DISABLE_REGISTRATION = {{ gitea__disable_registration }}
+ENABLE_CAPTCHA = {{ gitea__enable_captcha }}
+REQUIRE_SIGNIN_VIEW = false
+DEFAULT_KEEP_EMAIL_PRIVATE = {{ gitea__keep_email_private }}
+DEFAULT_ALLOW_CREATE_ORGANIZATION = {{ gitea__allow_org_creation }}
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = {{ gitea__no_reply_address }}
+
+[picture]
+DISABLE_GRAVATAR = false
+ENABLE_FEDERATED_AVATAR = true
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[session]
+PROVIDER = file
+
+[log]
+MODE = file
+LEVEL = Info
+ROOT_PATH = {{ gitea__log_path }}
\ No newline at end of file
diff --git a/templates/etc/logrotate.d/gitea.j2 b/templates/etc/logrotate.d/gitea.j2
new file mode 100644
index 0000000..76448c0
--- /dev/null
+++ b/templates/etc/logrotate.d/gitea.j2
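Review bot: `[mailer] ENABLED = false` is hard-coded while `ENABLE_NOTIFY_MAIL` and `REGISTER_EMAIL_CONFIRM` are templated from role variables (`gitea__enable_notify_mail` defaults to `'true'`), so the notify setting is inert and an operator who turns on email confirmation gets registrants waiting for a mail Gitea cannot send; either template the mailer section as well or pin those two keys to `false` here with a comment saying why. The `[server]` block sets `ROOT_URL = https://...` but no `PROTOCOL`/certificate keys, so Gitea serves plain HTTP on `HTTP_PORT` and a TLS-terminating proxy is assumed; a one-line comment, `; expects a reverse proxy terminating TLS in front of HTTP_PORT`, would document that. This file carries `INTERNAL_TOKEN`, `SECRET_KEY`, `LFS_JWT_SECRET` and `PASSWD` in clear, so whatever task eventually writes it must make it readable only by root and `{{ gitea__group }}`, never world-readable.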
@@ -0,0 +1,10 @@
+# Ansible-Managed
+
+{{ gitea__log_path }}/*.log {
+ su {{ gitea__user }} {{ gitea__group }}
+ daily
+ rotate {{ gitea__log_rotate_retention }}
+ missingok
+ compress
+ copytruncate
+}
\ No newline at end of file
diff --git a/templates/etc/systemd/system/gitea.service.j2 b/templates/etc/systemd/system/gitea.service.j2
new file mode 100644
index 0000000..fe37904
--- /dev/null
+++ b/templates/etc/systemd/system/gitea.service.j2
@@ -0,0 +1,29 @@
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=syslog.target
+After=network.target
+After=postgresql.service
+
+[Service]
+# Modify these two values and uncomment them if you have
+# repos with lots of files and get an HTTP error 500 because
+# of that
+###
+#LimitMEMLOCK=infinity
+#LimitNOFILE=65535
+RestartSec=2s
+Type=simple
+User={{ gitea__user }}
+Group={{ gitea__group }}
+WorkingDirectory=/var/lib/gitea/
+ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
+Restart=always
+Environment=USER={{ gitea__user }} HOME=/home/{{ gitea__user }} GITEA_WORK_DIR=/var/lib/gitea
+# If you want to bind Gitea to a port below 1024 uncomment
+# the two values below
+###
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
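Review bot: The `[Service]` section runs Gitea as `{{ gitea__user }}` but applies none of the sandboxing directives that the upstream contrib unit suggests, as far as I recall; `ProtectSystem=full`, `PrivateTmp=true`, `PrivateDevices=true` and `NoNewPrivileges=true` confine the process to the state directories this role creates under `/var/lib/gitea` while leaving `/etc` and `/usr` read-only, and `INSTALL_LOCK` is already on so Gitea has no reason to write `/etc/gitea` at runtime. `ProtectHome` cannot be added as written because `gitea__repo_dir` defaults to `/home/{{ gitea__user }}/gitea-repositories`; a comment on the unit should say so, since that is the non-obvious reason it is absent. `After=syslog.target` is a legacy target that current systemd no longer needs, and `Wants=postgresql.service` beside the existing `After=postgresql.service` would express the dependency the role's `gitea__install_and_prepare_postgres` default implies.
```ini
[Service]
# … unchanged: existing directives (Type, User, Group, WorkingDirectory, ExecStart, Restart, Environment) …
# ProtectHome is omitted on purpose: gitea__repo_dir lives under /home/{{ gitea__user }}
ProtectSystem=full
PrivateTmp=true
PrivateDevices=true
NoNewPrivileges=true
```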