Initial commit

defaults/main.yml

@@ -0,0 +1,45 @@
+---
+gitea__version: '1.15.6'
+gitea__checksum: '1b7473b5993e07b33fec58edbc1a90f15f040759ca4647e97317c33d5dfe58be'
+
+gitea__user: gitea
+gitea__group: gitea
+
+# If no database installed, default to postgresql here. Otherwise set to false.
+gitea__install_and_prepare_postgres: true
+postgresql__version: '12'
+
+gitea__internal_token: 'qwerwertertyrtyu' # Random 48 character string (or acquire after initial installation).
+gitea__secret_key: 'qwerwertertyrtyu' # Random password string.
+gitea__lfs_jwt_secret: 'qwerwertertyrtyu' # Random password string.
+
+gitea__postgres_username: gitea
+gitea__postgres_db_name: giteadb
+gitea__postgres_db_password: qwerwertertyrtyu # Default. Change and encrypt using ansible-vault.
+
+# Gitea Settings
+gitea__name: gitea # App name
+gitea__repo_dir: /home/{{ gitea__user }}/gitea-repositories # Directory where Gitea stores repos.
+gitea__install_lock: 'true' # Lock the installation page.
+gitea__domain_name: git.example.com # FQDN of page to serve Gitea
+gitea__ssh_port: 8822 # SSH port for Gitea to use (set sshd configs appropriately)
+gitea__disable_registration: 'true' # Disable registration (Leave false until after initial install and admin creation).
+gitea__http_port: 3000
+gitea__disable_ssh: 'false'
+gitea__email_confirm_registration: 'false'
+gitea__enable_notify_mail: 'true'
+gitea__enable_captcha: 'true'
+gitea__keep_email_private: 'true'
+gitea__allow_org_creation: 'true'
+gitea__no_reply_address: noreply.{{ gitea__domain_name }}
+
+gitea__log_path: /var/lib/gitea/log
+gitea__log_rotate_retention: '3' # Number of days to keep log files.
+
+gitea__dependent_directories:
+  - { path: /var/lib/gitea/custom, owner: root, group: root, mode: 755}
+  - { path: /var/lib/gitea/public, owner: root, group: root, mode: 755}
+  - { path: /var/lib/gitea/data, owner: "{{ gitea__user }}", group: "{{ gitea__group }}", mode: 750}
+  - { path: /var/lib/gitea/indexers, owner: "{{ gitea__user }}", group: "{{ gitea__group }}", mode: 750}
+  - { path: /var/lib/gitea/log, owner: "{{ gitea__user }}", group: "{{ gitea__group }}", mode: 750}
+  - { path: /etc/gitea, owner: root, group: "{{ gitea__group }}", mode: 770}

handlers/main.yml

@@ -0,0 +1,23 @@
+---
+- name: Reload daemon
+  systemd:
+    daemon_reload: true
+  become: yes
+
+- name: Restart gitea
+  systemd:
+    name: gitea
+    state: restarted
+  become: yes
+
+- name: Restart postgres
+  systemd:
+    name: postgresql
+    state: restarted
+  become: yes
+
+- name: Restart fail2ban
+  systemd:
+    name: fail2ban
+    state: restarted
+  become: yes

tasks/configure.yml

@@ -0,0 +1,45 @@
+---
+# - name: gitea | configure | daemonize gitea
+#   template:
+#     src: "etc/systemd/system/gitea.service.j2"
+#     dest: "/etc/systemd/system/gitea.service"
+#     owner: root
+#     group: root
+#     mode: 0644
+#   become: yes
+#   notify:
+#     - Reload daemon
+
+# - name: gitea | configure | write gitea app.ini
+#   template:
+#     src: "etc/gitea/app.ini.j2"
+#     dest: "/etc/gitea/app.ini"
+#     owner: root
+#     group: "{{ gitea__group }}"
+#     mode: 0770
+#   become: yes
+#   notify:
+#     - Restart gitea
+
+# - name: gitea | configure | write fail2ban filter config
+#   template:
+#     src: "etc/fail2ban/filter.d/gitea.conf.j2"
+#     dest: "/etc/fail2ban/filter.d/gitea.conf"
+#   become: yes
+#   notify:
+#    - Restart fail2ban
+
+# - name: gitea | configure | write fail2ban jail config
+#   template:
+#     src: "etc/fail2ban/jail.d/gitea.conf.j2"
+#     dest: "/etc/fail2ban/jail.d/gitea.conf"
+#   become: yes
+#   notify:
+#    - Restart fail2ban
+
+- name: gitea | configure | write Gitea logrotate config
+  template:
+    src: "etc/logrotate.d/gitea.j2"
+    dest: "/etc/logrotate.d/gitea"
+    mode: 0644
+  become: yes

tasks/install.yml

@@ -0,0 +1,58 @@
+---
+- include_tasks: postgres.yml
+  when: gitea__install_and_prepare_postgres == true
+
+- name: gitea | install | ensure package dependencies are installed
+  apt:
+    name: "{{ item }}"
+    state: present
+    update_cache: yes
+  loop:
+    - git
+    - gnupg2
+    - xz-utils
+    - fail2ban
+  become: yes
+
+- name: gitea | install | Ensure gitea group exists
+  group:
+    name: "{{ gitea__group }}"
+    state: present
+  become: yes
+
+- name: gitea | install | Add gitea user
+  user:
+    name: "{{ gitea__user }}"
+    group: "{{ gitea__group }}"
+    state: present
+    create_home: yes
+    shell: /bin/bash
+  become: yes
+
+- name: gitea | install | ensure gitea config directories exist before install
+  file:
+    path: "{{ item.path }}"
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
+    mode: "{{ item.mode }}"
+    state: directory
+  with_items: "{{ gitea__dependent_directories }}"
+  become: yes
+
+- name: gitea | install | retrieve checksum
+  get_url:
+    url: "https://dl.gitea.io/gitea/{{ gitea__version }}/gitea-{{ gitea__version }}-linux-amd64.sha256"
+    dest: "/tmp/"
+  become: yes
+
+- name: gitea | install | register checksum
+  shell: cat /tmp/gitea-1.15.6-linux-amd64.sha256
+  register: gitea__checksum
+
+- name: gitea | install | download gitea
+  get_url:
+    url: https://dl.gitea.io/gitea/{{ gitea__version }}/gitea-{{ gitea__version }}-linux-amd64
+    dest: "/usr/local/bin/gitea"
+    mode: +x
+    checksum: "sha256:{{ gitea__checksum }}"
+  become: yes

tasks/main.yml

@@ -0,0 +1,10 @@
+---
+# - include_tasks: install.yml
+- include_tasks: configure.yml
+
+# - name: gitea | Ensure gitea is running and enabled on boot.
+#   systemd:
+#     name: gitea
+#     enabled: yes
+#     state: started
+#   become: yes

tasks/postgres.yml

@@ -0,0 +1,79 @@
+---
+# - name: gitea | postgresql | install | ensure ansible postgres dependency is installed
+#   apt:
+#     name: "{{ item }}"
+#     state: present
+#     update_cache: yes
+#   loop:
+#    - python3-psycopg2
+#    - acl
+#   become: yes
+
+# - name: gitea | postgresql | install | add apt key
+#   apt_key:
+#     url: "https://www.postgresql.org/media/keys/ACCC4CF8.asc"
+#     state: present
+#   become: yes
+
+# - name: gitea | postgresql | install | add PG apt repo
+#   apt_repository:
+#     repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ ansible_distribution_release }}-pgdg main"
+#     state: present
+#   become: yes
+
+# - name: gitea | postgresql | install | install postgresql
+#   apt:
+#     name: "postgresql-{{ postgresql__version }}"
+#     state: present
+#     update_cache: yes
+#   become: yes
+
+# - name: gitea | postgresql | set postgres authentication method before start.
+#   postgresql_set:
+#     name: password_encryption
+#     value: scram-sha-256
+#   become: yes
+#   become_user: postgres
+
+# - name: gitea | postgresql | ensure PG is running and enabled on boot.
+#   service:
+#     name: postgresql
+#     state: started
+#     enabled: yes
+#   become: yes
+
+# - name: gitea | postgresql | create gitea postgresql database
+#   postgresql_db:
+#     name: "{{ gitea__postgres_db_name }}"
+#     state: present
+#     encoding: UTF8
+#     lc_collate: en_US.UTF-8
+#     lc_ctype: en_US.UTF-8
+#     template: template0
+#   become: yes
+#   become_user: postgres
+
+# - name: gitea | postgresql | add gitea postgres user
+#   postgresql_user:
+#     name: "{{ gitea__postgres_username }}"
+#     password: "{{ gitea__postgres_db_password }}"
+#     db: "{{ gitea__postgres_db_name }}"
+#     state: present
+#     priv: "ALL"
+#     encrypted: yes
+#     expires: infinity
+#   become: yes
+#   become_user: postgres
+
+# - name: gitea | postgresql | add gitea user to pg_hba
+#   postgresql_pg_hba:
+#     dest: /etc/postgresql/12/main/pg_hba.conf
+#     contype: local
+#     users: "{{ gitea__postgres_username }}"
+#     databases: "{{ gitea__postgres_db_name }}"
+#     method: scram-sha-256
+#     state: present
+#     dest: ""
+#   become: yes
+#   notify:
+#     - Restart postgres

templates/etc/fail2ban/filter.d/gitea.conf.j2

@@ -0,0 +1,4 @@
+# gitea.conf
+[Definition]
+failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+ignoreregex =

templates/etc/fail2ban/jail.d/gitea.conf.j2

@@ -0,0 +1,8 @@
+[gitea]
+enabled = true
+filter = gitea
+logpath = /var/lib/gitea/log/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports

templates/etc/gitea/app.ini.j2

@@ -0,0 +1,65 @@
+APP_NAME = {{ gitea__name }}
+RUN_USER = {{ gitea__user }}
+RUN_MODE = prod
+
+[ui]
+DEFAULT_THEME  = gitea
+THEMES         = gitea,github-dark,earl-grey
+
+[security]
+INTERNAL_TOKEN = {{ gitea__internal_token }}
+INSTALL_LOCK   = {{ gitea__install_lock }}
+SECRET_KEY     = {{ gitea__secret_key }}
+
+[database]
+DB_TYPE  = postgres
+HOST     = 127.0.0.1:5432
+NAME     = {{ gitea__postgres_db_name }}
+USER     = {{ gitea__postgres_username }}
+PASSWD   = {{ gitea__postgres_db_password }}
+SSL_MODE = disable
+
+[repository]
+ROOT = {{ gitea__repo_dir }}
+
+[server]
+SSH_DOMAIN       = {{ gitea__domain_name }}
+DOMAIN           = {{ gitea__domain_name }}
+HTTP_PORT        = {{ gitea__http_port }}
+ROOT_URL         = https://{{ gitea__domain_name }}/
+DISABLE_SSH      = {{ gitea__disable_ssh }}
+SSH_PORT         = {{ gitea__ssh_port }}
+LFS_START_SERVER = true
+LFS_CONTENT_PATH = /var/lib/gitea/data/lfs
+LFS_JWT_SECRET   = {{ gitea__lfs_jwt_secret }}
+OFFLINE_MODE     = false
+
+[mailer]
+ENABLED = false
+
+[service]
+REGISTER_EMAIL_CONFIRM            = {{ gitea__email_confirm_registration }}
+ENABLE_NOTIFY_MAIL                = {{ gitea__enable_notify_mail }}
+DISABLE_REGISTRATION              = {{ gitea__disable_registration }}
+ENABLE_CAPTCHA                    = {{ gitea__enable_captcha }}
+REQUIRE_SIGNIN_VIEW               = false
+DEFAULT_KEEP_EMAIL_PRIVATE        = {{ gitea__keep_email_private }}
+DEFAULT_ALLOW_CREATE_ORGANIZATION = {{ gitea__allow_org_creation }}
+DEFAULT_ENABLE_TIMETRACKING       = true
+NO_REPLY_ADDRESS                  = {{ gitea__no_reply_address }}
+
+[picture]
+DISABLE_GRAVATAR        = false
+ENABLE_FEDERATED_AVATAR = true
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[session]
+PROVIDER = file
+
+[log]
+MODE      = file
+LEVEL     = Info
+ROOT_PATH = {{ gitea__log_path }}

templates/etc/logrotate.d/gitea.j2

@@ -0,0 +1,10 @@
+# Ansible-Managed
+
+{{ gitea__log_path }}/*.log {
+    su {{ gitea__user }} {{ gitea__group }}
+    daily
+    rotate {{ gitea__log_rotate_retention }}
+    missingok
+    compress
+    copytruncate
+}

templates/etc/systemd/system/gitea.service.j2

@@ -0,0 +1,29 @@
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=syslog.target
+After=network.target
+After=postgresql.service
+
+[Service]
+# Modify these two values and uncomment them if you have
+# repos with lots of files and get an HTTP error 500 because
+# of that
+###
+#LimitMEMLOCK=infinity
+#LimitNOFILE=65535
+RestartSec=2s
+Type=simple
+User={{ gitea__user }}
+Group={{ gitea__group }}
+WorkingDirectory=/var/lib/gitea/
+ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
+Restart=always
+Environment=USER={{ gitea__user }} HOME=/home/{{ gitea__user }} GITEA_WORK_DIR=/var/lib/gitea
+# If you want to bind Gitea to a port below 1024 uncomment
+# the two values below
+###
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target