diff --git a/README.org b/README.org index 527cb42..36e15b7 100644 --- a/README.org +++ b/README.org @@ -2,17 +2,17 @@ #+AUTHOR: DeadSwitch | The Silent Architect #+OPTIONS: toc:nil num:nil \n:t -[[https://opensource.org/licenses/MIT][https://img.shields.io/badge/license-MIT-blue.svg]] [[https://img.shields.io/badge/version-3.0.3-green.svg]] +[[https://opensource.org/licenses/MIT][https://img.shields.io/badge/license-MIT-blue.svg]] [[https://img.shields.io/badge/version-3.1.0-green.svg]] * ds_gitea This role can install and configures a [[https://docs.gitea.com/][Gitea]] server. -- It uses SQLite as its default database service - with optional PostgreSQL support (=ds-posgresql=). -- The role can set up a reverse proxy with SSL using Nginx (=ds-nginx=). -- Self-signed certificates and Let's Encrypt with =certbot= are supported. -- The =ds-ufw= role can configure the firewall. -- The =ds-act_runner= role can configure and register Actions runners. +- Defaults to SQLite backend with optional PostgreSQL support (Install it with =ds_posgresql=). +- It can set up a reverse proxy with SSL using Nginx (Install it with =ds_nginx=). +- The role supports self-signed certificates and /Let's Encrypt/ with =certbot=. +- The =ds_ufw= role can configure the host firewall. +- The =ds_act_runner= role can configure and register /Gitea Actions/ runners. * Role Behavior @@ -21,7 +21,7 @@ This role can install and configures a [[https://docs.gitea.com/][Gitea]] server 3. (Optionally) Set up an =nginx= reverse proxy with SSL support 4. Create a user and group for the service 5. Create the required directory structure -6. Wait to save the secrets in SOPS (only if secrets are not present) +6. Wait for the operator to save the secrets in SOPS or Ansible Vault (only if secrets are not present) 7. Deploy the Gitea =app.ini= configuration 8. Deploy the Gitea systemd service 9. Enable and start the services 
@@ -58,50 +58,46 @@ gitea_default_keep_email_private: true * Variables -| Variable | Type | Comment | -|----------------------------------+---------+--------------------------------------------------| -| gitea_user | string | Gitea user | -| gitea_group | string | Gitea group | -| gitea_binary_url | string | Download URL of Gitea | -| gitea_checksum_url | string | Checksum URL of the binary | -| gitea_app_name | string | Gitea server title | -| gitea_ssh_domain | string | SSH domain | -| gitea_domain | string | Domain to reach Gitea | -| gitea_http_port | int | HTTP port | -| gitea_ssh_port | int | SSH port | -| gitea_work_path | string | Workdir | -| gitea_app_data_path | string | Application data path | -| gitea_repo_root | string | Repo root path | -| gitea_lfs_path | string | LFS path | -| gitea_log_path | string | Log path | -| gitea_root_url | string | Protocol + FQDN + port | -| gitea_lfs_jwt_secret | string | LFS storage secret | -| gitea_internal_token | string | Internal token | -| gitea_jwt_secret | string | JWT secret | -| gitea_database_server | string | DB server - 'postgresql' or empty for sqlite | -| gitea_db_password | string | PosgreSQL db password (if pgsql is used) | -| gitea_reverse_proxy | string | Reverse proxy to use or not set for no proxy | -| gitea_enable_https | boolean | Configure HTTPS in the proxy | -| gitea_ssl_cert | string | SSL certificate | -| gitea_ssl_key | string | SSL key | -| gitea_enable_http_redirect | boolean | Redirect HTTP to HTTPS | -| gitea_self_signed | boolean | Generate a self-signed cert and key | -| gitea_lets_encrypt | boolean | Use certbot to configure the SSL | -| gitea_certbot_email | string | Email to register the certificates | -| gitea_require_signin_view | boolean | If false, public repos are visible without login | -| gitea_disable_registration | boolean | Turn off the user registration feature | -| gitea_register_manual_confirm | boolean | Registration requires admin verification | -| 
gitea_enable_captcha | boolean | Enable captcha for registration | -| gitea_default_keep_email_private | boolean | Default email policy: private | - -* Handlers - -- =Reload_systemd=: It runs a =daemon-reload= -- =Restart_gitea=: It restarts the Gitea service +| Variable | Type | Comment | +|----------------------------------+---------+---------------------------------------------------------| +| gitea_user | string | Gitea user | +| gitea_group | string | Gitea group | +| gitea_binary_url | string | Download URL of Gitea | +| gitea_checksum_url | string | Checksum URL of the binary | +| gitea_app_name | string | Gitea server title | +| gitea_ssh_domain | string | SSH domain | +| gitea_domain | string | Domain to reach Gitea | +| gitea_http_port | int | HTTP port | +| gitea_ssh_port | int | SSH port | +| gitea_work_path | string | Workdir | +| gitea_app_data_path | string | Application data path | +| gitea_repo_root | string | Repo root path | +| gitea_lfs_path | string | LFS path | +| gitea_log_path | string | Log path | +| gitea_root_url | string | Protocol + FQDN + port | +| gitea_lfs_jwt_secret | string | LFS storage secret | +| gitea_internal_token | string | Internal token | +| gitea_jwt_secret | string | JWT secret | +| gitea_database_server | string | DB server - 'postgresql' or empty for sqlite | +| gitea_db_password | string | PosgreSQL db password (if pgsql is used) | +| gitea_reverse_proxy | string | 'nginx' to set up a reverse proxy or empty for no proxy | +| gitea_enable_https | boolean | Configure HTTPS in the proxy | +| gitea_ssl_cert | string | Path to the SSL certificate | +| gitea_ssl_key | string | Path to the SSL key | +| gitea_ssl_trusted_certificate | string | Path to the SSL certificate chain | +| gitea_enable_http_redirect | boolean | Redirect HTTP traffic to HTTPS | +| gitea_self_signed | boolean | Generate a self-signed certificate and key | +| gitea_lets_encrypt | boolean | Use certbot to configure HTTPS | +| gitea_certbot_email | string 
| Email to register the certificates | +| gitea_require_signin_view | boolean | If false, public repos are visible without login | +| gitea_disable_registration | boolean | Turn off the user registration feature | +| gitea_register_manual_confirm | boolean | Registration requires admin verification | +| gitea_enable_captcha | boolean | Enable captcha for registration | +| gitea_default_keep_email_private | boolean | Default email policy: private | * Secrets -Always save the production secrets in SOPS, or in Ansible Vault. +Always save the production secrets in SOPS or in Ansible Vault. You can generate the secrets manually when the playbook stops: @@ -110,7 +106,7 @@ gitea generate secret INTERNAL_TOKEN gitea generate secret JWT_SECRET #+end_src -Use the =JWT_SECRET= command to generate the =gitea_lfs_jwt_secret= as well. It's an alias. +Use the =JWT_SECRET= option to generate the =gitea_lfs_jwt_secret= as well. Then re-run the playbook to finish the installation.
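Review bot: in the first hunk (`@@ -2,17 +2,17 @@`) the new bullet still carries the `posgresql` typo from the old line: `(Install it with =ds_posgresql=)` should read `=ds_postgresql=` unless the role really is published under the misspelled name, and the same misspelling recurs later in the table as "PosgreSQL db password", so fix both in one pass. The unchanged context line "This role can install and configures a Gitea server" is also ungrammatical; "This role installs and configures a Gitea server" would do.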
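Review bot: in the `@@ -21,7 +21,7 @@` hunk, step 6 "Wait for the operator to save the secrets in SOPS or Ansible Vault (only if secrets are not present)" does not say which variables the role checks to decide that secrets are "not present". Name them here (from the table they appear to be `gitea_lfs_jwt_secret`, `gitea_internal_token`, `gitea_jwt_secret`, plus `gitea_db_password` when `gitea_database_server` is `postgresql`) so an operator knows what must be defined before the playbook will proceed past this step, and state whether an empty string counts as present.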
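Review bot: in the `@@ -58,50 +58,46 @@` hunk, the new row `| gitea_ssl_trusted_certificate | string | Path to the SSL certificate chain |` is ambiguous about which file it expects. If it maps to nginx's `ssl_trusted_certificate` directive, that file is the CA/intermediate bundle nginx uses to verify OCSP stapling responses, not the chain served to clients; the served chain goes in the file referenced by `gitea_ssl_cert` (a fullchain PEM). Say which one it is, and whether the role sets it automatically when `gitea_lets_encrypt` is true. The same hunk also deletes the whole `* Handlers` section (`Reload_systemd`, `Restart_gitea`) without a replacement; if the handlers still exist in the role they should stay documented, and if they were renamed the new names belong here. Finally, consider flagging in the Comment column which rows are secrets (`gitea_lfs_jwt_secret`, `gitea_internal_token`, `gitea_jwt_secret`, `gitea_db_password`), since the Secrets section requires those to live in SOPS or Vault and nothing in the table currently distinguishes them from ordinary settings.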
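Review bot: in the last hunk (`@@ -110,7 +106,7 @@`), "Use the =JWT_SECRET= option to generate the =gitea_lfs_jwt_secret= as well" can be read as reusing the value already produced for `gitea_jwt_secret`. Make it explicit that `gitea generate secret JWT_SECRET` must be run a second time so that `gitea_jwt_secret` and `gitea_lfs_jwt_secret` are distinct values; sharing one secret between the OAuth2 JWT signer and LFS token signer means a leak of either compromises both. It would also help to note that the three commands above should be run on the target host (or with the same Gitea version) and their output pasted straight into the SOPS or Vault file rather than into plain `group_vars`.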