commit 05d110b267c40fe3e6a87b43d6dde164faa8ec65
Author: Kaitlyn Parkhurst
Date: Sun Aug 21 23:28:25 2022 -0700
Initial Commit.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..dc33683
--- /dev/null
+++ b/README.md
@@ -0,0 +1,5 @@
+# Gitea Ansible Role
+
+Check this out, cp example.yml to inventory.yml and edit
+
+Then run `ansible-playbook -i inventory.yml site.yml` to install Gitea
diff --git a/example.yml b/example.yml
new file mode 100644
index 0000000..ae7c5e6
--- /dev/null
+++ b/example.yml
@@ -0,0 +1,25 @@
+gitea:
+ hosts:
+ # This is the domain name for SSH connection from ansible
+ git.modfoss.com:
+ # This is the domain name for use in all configuration (nginx, gitea, etc)
+ domain_name: git.modfoss.com
+ # This database information will be used to create a PSQL database,
+ # and to configure gitea to connect to it.
+ database:
+ name: gitea
+ user: gitea
+ pass: ReallyLongDatabasePassword
+ # This admin account will be made on the web interface
+ gitea:
+ user: yourfirstuser
+ email: you@domain.com
+ pass: WhateverPasswordYouWant
+ # Add your SMTP credentials for email
+ smtp:
+ host: your.smtp.host.com
+ from: your@provider.com
+ user: auth_user
+ pass: auth_pass
+
+
diff --git a/roles/gitea/files/gitea-1.17.1-linux-amd64 b/roles/gitea/files/gitea-1.17.1-linux-amd64
new file mode 100644
index 0000000..cf8ae68
Binary files /dev/null and b/roles/gitea/files/gitea-1.17.1-linux-amd64 differ
diff --git a/roles/gitea/files/gitea.service b/roles/gitea/files/gitea.service
new file mode 100644
index 0000000..79c3456
--- /dev/null
+++ b/roles/gitea/files/gitea.service
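Review bot: The inventory example carries the database, admin and SMTP passwords as plain `pass:` values, and the README tells users to copy this file to inventory.yml, so real credentials will end up in an unencrypted file that is easy to commit. Keep the placeholders, but add a comment telling operators to encrypt the copied values with `ansible-vault encrypt_string` (or to read them with `"{{ lookup('env', 'GITEA_DB_PASS') }}"`). Quoting the sample values, e.g. `pass: 'ReallyLongDatabasePassword'`, also keeps a real password that happens to look like a number or boolean from being retyped by the YAML parser.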
@@ -0,0 +1,90 @@
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=syslog.target
+After=network.target
+###
+# Don't forget to add the database service dependencies
+###
+#
+#Wants=mysql.service
+#After=mysql.service
+#
+#Wants=mariadb.service
+#After=mariadb.service
+#
+#Wants=postgresql.service
+#After=postgresql.service
+#
+#Wants=memcached.service
+#After=memcached.service
+#
+#Wants=redis.service
+#After=redis.service
+#
+###
+# If using socket activation for main http/s
+###
+#
+#After=gitea.main.socket
+#Requires=gitea.main.socket
+#
+###
+# (You can also provide gitea an http fallback and/or ssh socket too)
+#
+# An example of /etc/systemd/system/gitea.main.socket
+###
+##
+## [Unit]
+## Description=Gitea Web Socket
+## PartOf=gitea.service
+##
+## [Socket]
+## Service=gitea.service
+## ListenStream=
+## NoDelay=true
+##
+## [Install]
+## WantedBy=sockets.target
+##
+###
+
+[Service]
+# Modify these two values and uncomment them if you have
+# repos with lots of files and get an HTTP error 500 because
+# of that
+###
+#LimitMEMLOCK=infinity
+#LimitNOFILE=65535
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=/var/lib/gitea/
+# If using Unix socket: tells systemd to create the /run/gitea folder, which will contain the gitea.sock file
+# (manually creating /run/gitea doesn't work, because it would not persist across reboots)
+#RuntimeDirectory=gitea
+ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
+Restart=always
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
+# If you install Git to directory prefix other than default PATH (which happens
+# for example if you install other versions of Git side-to-side with
+# distribution version), uncomment below line and add that prefix to PATH
+# Don't forget to place git-lfs binary on the PATH below if you want to enable
+# Git LFS support
+#Environment=PATH=/path/to/git/bin:/bin:/sbin:/usr/bin:/usr/sbin
+# If you want to bind Gitea to a port below 1024, uncomment
+# the two values below, or use socket activation to pass Gitea its ports as above
+###
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+###
+# In some cases, when using CapabilityBoundingSet and AmbientCapabilities option, you may want to
+# set the following value to false to allow capabilities to be applied on gitea process. The following
+# value if set to true sandboxes gitea service and prevent any processes from running with privileges
+# in the host user namespace.
+###
+#PrivateUsers=false
+###
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/gitea/handlers/main.yml b/roles/gitea/handlers/main.yml
new file mode 100644
index 0000000..1fff601
--- /dev/null
+++ b/roles/gitea/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: Restart nginx
+ service:
+ name: nginx
+ state: restarted
diff --git a/roles/gitea/tasks/database.yml b/roles/gitea/tasks/database.yml
new file mode 100644
index 0000000..2894f43
--- /dev/null
+++ b/roles/gitea/tasks/database.yml
@@ -0,0 +1,35 @@
+- name: Install packages to support postgres
+ apt:
+ name: [
+ 'libssl-dev',
+ 'libpq-dev',
+ 'libz-dev',
+ 'libexpat1-dev',
+ 'postgresql-client',
+ 'postgresql-contrib',
+ 'postgresql',
+ 'python3-psycopg2',
+ ]
+ state: present
+
+- name: Start & enable postgres
+ service:
+ name: postgresql
+ state: started
+ enabled: true
+
+- name: Create db user account for gitea
+ postgresql_user:
+ name: "{{ database.user }}"
+ password: "{{ database.pass }}"
+ state: present
+ become_user: postgres
+ become: true
+
+- name: Create gitea database
+ postgresql_db:
+ name: "{{ database.name }}"
+ owner: "{{ database.user }}"
+ state: present
+ become_user: postgres
+ become: true
diff --git a/roles/gitea/tasks/gitea.yml b/roles/gitea/tasks/gitea.yml
new file mode 100644
index 0000000..8a47caa
--- /dev/null
+++ b/roles/gitea/tasks/gitea.yml
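Review bot: The `Wants=postgresql.service` / `After=postgresql.service` pair is left commented out in the `[Unit]` section even though database.yml in this same commit installs PostgreSQL on the host and the app.ini template points Gitea at `127.0.0.1:5432`, so after a reboot gitea can start before the database is listening and only recovers thanks to `Restart=always`. Since this role always co-locates the database, uncomment those two lines (keeping the upstream comment above them that explains why). The rest of the file is the upstream example unit and can stay as-is.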
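Review bot: The `Create db user account for gitea` task passes `database.pass` to `postgresql_user` without `no_log: true`, so a run with `-v`, `--diff`, or a task failure prints the database password into the Ansible log and any CI output that captures it. Add `no_log: true` to that task. A style point: the package list in the first `apt` task is a flow sequence broken across lines; the block form (`- libssl-dev` per line) is the usual Ansible style and diffs more cleanly.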
@@ -0,0 +1,96 @@
+- name: Create gitea user
+ user:
+ name: git
+ shell: /bin/bash
+ password_lock: yes
+ comment: Git Version Control
+
+- name: Create /var/lib/gitea
+ file:
+ state: directory
+ path: /var/lib/gitea
+ owner: git
+ group: git
+ mode: 0750
+
+- name: Create /var/lib/gitea/custom
+ file:
+ state: directory
+ path: /var/lib/gitea/custom
+ owner: git
+ group: git
+ mode: 0750
+
+- name: Create /var/lib/gitea/data
+ file:
+ state: directory
+ path: /var/lib/gitea/data
+ owner: git
+ group: git
+ mode: 0750
+
+- name: Create /var/lib/gitea/log
+ file:
+ state: directory
+ path: /var/lib/gitea
+ owner: git
+ group: git
+ mode: 0750
+
+- name: Create /etc/gitea
+ file:
+ state: directory
+ path: /etc/gitea
+ owner: root
+ group: git
+ mode: 0770
+
+- name: Install /usr/local/bin/gitea
+ copy:
+ dest: /usr/local/bin/gitea
+ src: "{{ role_path }}/files/gitea-1.17.1-linux-amd64"
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Install /etc/systemd/system/gitea.service
+ copy:
+ dest: /etc/systemd/system/gitea.service
+ src: "{{ role_path }}/files/gitea.service"
+ owner: root
+ group: root
+ mode: 0744
+
+- name: Generate internal token secret for gitea
+ shell: /usr/local/bin/gitea generate secret INTERNAL_TOKEN
+ register: internal_token
+
+- name: Generate jwt token secret for gitea
+ shell: /usr/local/bin/gitea generate secret JWT_SECRET
+ register: jwt_token
+
+- name: "Install /etc/gitea/app.ini"
+ template:
+ src: "{{ role_path }}/templates/app.ini.j2"
+ dest: "/etc/gitea/app.ini"
+ force: no
+ owner: root
+ group: git
+ mode: 0640
+
+- name: Enable Gitea
+ service:
+ name: gitea
+ state: started
+ enabled: true
+
+- name: Create admin user for gitea
+ shell: gitea -c /etc/gitea/app.ini admin user create --admin --username {{ gitea.user }} --password {{ gitea.pass }} --email {{ gitea.email }} > /home/git/.first
+ environment:
+ GITEA_WORK_DIR: /var/lib/gitea/
+ args:
+ creates: /home/git/.first
+ become: true
+ become_user: git
+
+
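Review bot: `Create admin user for gitea` interpolates `gitea.user`, `gitea.pass` and `gitea.email` unquoted into a `shell` line, so an inventory value containing a space or shell metacharacter breaks or alters the command, and the password is visible in the process list and in Ansible's output because the task has no `no_log: true`. Change the line to `shell: /usr/local/bin/gitea -c /etc/gitea/app.ini admin user create --admin --username {{ gitea.user | quote }} --password {{ gitea.pass | quote }} --email {{ gitea.email | quote }} > /home/git/.first` and add `no_log: true`; the two `gitea generate secret` tasks need `no_log: true` as well, since their registered stdout becomes `INTERNAL_TOKEN` and `LFS_JWT_SECRET` in app.ini. Separately, the task named `Create /var/lib/gitea/log` has `path: /var/lib/gitea`, a copy-paste slip, so the log directory that app.ini's `ROOT_PATH` names is never created. Note also that the two `generate secret` tasks run on every play (no `changed_when`/`creates`), which is harmless only because the template uses `force: no`.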
diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml
new file mode 100644
index 0000000..70fade2
--- /dev/null
+++ b/roles/gitea/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+- name: Update all packages to their latest version
+ apt:
+ name: "*"
+ state: latest
+ update_cache: yes
+
+- name: Install packages
+ apt:
+ name: [
+ 'git',
+ ]
+ state: present
+
+- name: Setup the database
+ include_tasks: database.yml
+
+- name: Setup the webserver
+ include_tasks: webserver.yml
+
+- name: Setup the gitea service
+ include_tasks: gitea.yml
diff --git a/roles/gitea/tasks/webserver.yml b/roles/gitea/tasks/webserver.yml
new file mode 100644
index 0000000..f9098ed
--- /dev/null
+++ b/roles/gitea/tasks/webserver.yml
@@ -0,0 +1,32 @@
+- name: Install packages for webserver support
+ apt:
+ name: [
+ 'nginx',
+ 'certbot',
+ 'python3-certbot-nginx',
+ ]
+ state: present
+
+- name: Start & enable nginx
+ service:
+ name: nginx
+ state: started
+ enabled: true
+
+- name: "Install /etc/nginx/sites-enabled/{{ domain_name }}"
+ template:
+ src: "{{ role_path }}/templates/nginx-domain.j2"
+ dest: "/etc/nginx/sites-enabled/{{ domain_name }}"
+ force: no
+ owner: root
+ group: root
+ mode: 0644
+ notify:
+ - Restart nginx
+
+- name: Setup SSL Certificates
+ shell: certbot run --nginx -d {{ domain_name }} --agree-tos --register-unsafely-without-email
+ args:
+ creates: /etc/letsencrypt/live/{{ domain_name }}/cert.pem
+ notify:
+ - Restart nginx
diff --git a/roles/gitea/templates/app.ini.j2 b/roles/gitea/templates/app.ini.j2
new file mode 100644
index 0000000..790c204
--- /dev/null
+++ b/roles/gitea/templates/app.ini.j2
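Review bot: The first task runs `apt` with `name: "*"` and `state: latest`, which upgrades every package on the host on every play run, so the role is never idempotent and can pull unrelated upgrades (including the PostgreSQL and nginx packages it configures later) into the middle of a deployment. If a full upgrade is wanted, make it an explicit opt-in, e.g. `apt: upgrade: safe` under a `when:` on a role variable, and keep `update_cache: true` (the yamllint-clean spelling of `yes`) on the `Install packages` task instead.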
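Review bot: `Setup SSL Certificates` runs certbot with `--register-unsafely-without-email`, so nobody is notified if renewal fails or a certificate is revoked, and `{{ domain_name }}` is interpolated unquoted into both the `shell` line and the `creates:` path. Take an address from the inventory and quote the domain, e.g. `shell: certbot run --nginx -d {{ domain_name | quote }} -m {{ certbot_email | quote }} --agree-tos`; `command` would do here since no shell features are used. The nginx site template is installed with `force: no`, which is reasonable if certbot is expected to edit the file in place, but it also means later template changes never reach existing hosts, so a comment on the task saying which it is would help.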
@@ -0,0 +1,79 @@
+APP_NAME = Gitea: Git with a cup of tea
+RUN_USER = git
+RUN_MODE = prod
+
+[database]
+DB_TYPE = postgres
+HOST = 127.0.0.1:5432
+NAME = {{ database.name }}
+USER = {{ database.user }}
+PASSWD = {{ database.pass }}
+SCHEMA =
+SSL_MODE = disable
+CHARSET = utf8
+PATH = /var/lib/gitea/data/gitea.db
+LOG_SQL = false
+
+[repository]
+ROOT = /var/lib/gitea/data/gitea-repositories
+
+[server]
+SSH_DOMAIN = {{ domain_name }}
+DOMAIN = {{ domain_name }}
+HTTP_PORT = 3000
+ROOT_URL = https://{{ domain_name }}/
+DISABLE_SSH = false
+SSH_PORT = 22
+LFS_START_SERVER = true
+LFS_JWT_SECRET = {{ jwt_token.stdout }}
+OFFLINE_MODE = true
+
+[lfs]
+PATH = /var/lib/gitea/data/lfs
+
+[mailer]
+ENABLED = true
+HOST = {{ smtp.host }}
+FROM = {{ smtp.from }}
+USER = {{ smtp.user }}
+PASSWD = {{ smtp.pass }}
+
+[service]
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = true
+DISABLE_REGISTRATION = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+REQUIRE_SIGNIN_VIEW = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = {{ domain_name }}
+
+[picture]
+DISABLE_GRAVATAR = true
+ENABLE_FEDERATED_AVATAR = false
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = true
+
+[session]
+PROVIDER = file
+
+[log]
+MODE = console
+LEVEL = info
+ROOT_PATH = /var/lib/gitea/log
+ROUTER = console
+
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = merge
+
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
+
+[security]
+INSTALL_LOCK = true
+INTERNAL_TOKEN = {{ internal_token.stdout }}
+PASSWORD_HASH_ALGO = pbkdf2
diff --git a/roles/gitea/templates/nginx-domain.j2 b/roles/gitea/templates/nginx-domain.j2
new file mode 100644
index 0000000..30e61d5
--- /dev/null
+++ b/roles/gitea/templates/nginx-domain.j2
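Review bot: `[server]` sets `HTTP_PORT = 3000` but not `HTTP_ADDR`, and Gitea's default listen address is 0.0.0.0, so the instance stays reachable over plain HTTP on port 3000 from any interface, bypassing the nginx/TLS front that the role sets up. Add `HTTP_ADDR = 127.0.0.1` next to `HTTP_PORT`; the nginx template's `proxy_pass http://localhost:3000` keeps working. `ENABLE_OPENID_SIGNUP = true` next to `DISABLE_REGISTRATION = true` looks contradictory — Gitea's documented default for the former is the inverse of the latter — so if self-service OpenID accounts are not wanted, set it to false. `SSL_MODE = disable` is acceptable only because `HOST` is the loopback address; a comment saying so keeps it from surviving a later move to a remote database.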
@@ -0,0 +1,12 @@
+server {
+ listen 80;
+ server_name {{ domain_name }};
+
+ location / {
+ proxy_pass http://localhost:3000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
diff --git a/site.yml b/site.yml
new file mode 100644
index 0000000..5264536
--- /dev/null
+++ b/site.yml
@@ -0,0 +1,7 @@
+- name: Install & Configure Gitea
+ remote_user: root
+ hosts: all
+ vars:
+ ansible_ssh_common_args: -A -oControlMaster=auto -oControlPersist=60s -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no
+ roles:
+ - gitea
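Review bot: The `server` block sets no `client_max_body_size`, so nginx's default 1m request-body limit applies and pushes or LFS uploads over HTTP larger than that are rejected with 413 before they reach Gitea; add `client_max_body_size 512m;` (or a role variable) inside `location /`. The file only listens on port 80 and relies on the certbot task to rewrite it for 443, which works but deserves a one-line comment at the top (`# certbot --nginx adds the TLS listener; do not hand-edit`) so the template is not "fixed" by hand.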
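Review bot: `ansible_ssh_common_args` sets `-oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no`, which turns off SSH host-key verification for every connection the play makes, and `-A` forwards the controller's SSH agent to the target, so a host that impersonates or has been substituted for the target can use the operator's keys. Nothing in the role appears to need the agent (files come from `copy`/`template` and packages from apt), so drop `-A`, and replace the two host-key options with `-oStrictHostKeyChecking=accept-new` if first-contact convenience is the goal. `ControlMaster`/`ControlPersist` are harmless and can stay; the value should also be quoted since it is a long plain scalar.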