Added reverse proxy support.

2026-02-10 12:13:24 +01:00
parent 007ae9a90a
commit e23f9b1901
4 changed files with 141 additions and 21 deletions
--- a/README.org
+++ b/README.org
@@ -8,9 +8,11 @@ This role installs and configures a [[https://docs.gitea.com/][Gitea]] server.

 It uses SQLite as its default database service - with optional PostgreSQL support.

-Use the =ds-ufw= role to configure the firewall.
+The role can set up a reverse proxy with SSL.

-Use the =ds-posgresql= to configure the database.
+- Use the =ds-ufw= role to configure the firewall.
+- Use the =ds-posgresql= role to configure the database.
+- Use the =ds-nginx= role to install the proxy server.

 * Role Workflow

@@ -21,7 +23,8 @@ Use the =ds-posgresql= to configure the database.
 5. Wait for the secret creation and storage in SOPS - if secrets are not present
 6. Deploy the Gitea configuration
 7. Deploy the Gitea systemd service file (With Postgresql support if the backend is used)
-8. Enable and start the service
+8. Set up the reverse proxy with optional SSL
+9. Enable and start the service

 * Defaults

@@ -30,6 +33,8 @@ gitea_user: git
 gitea_group: git
 gitea_http_port: 3000
 gitea_ssh_port: 22
+gitea_database_server: ''
+gitea_reverse_proxy: ''
 #+end_src

 * Requirements
@@ -40,26 +45,33 @@ gitea_ssh_port: 22
 - sudo
 - ca-certificates
 - (optional) PosgreSQL database
+- (optional) Nginx server

 * Variables

-| Variable              | Type   | Comment                                      |
-|-----------------------+--------+----------------------------------------------|
-| gitea_user            | string | Gitea user                                   |
-| gitea_group           | string | Gitea group                                  |
-| gitea_binary_url      | string | Download URL of Gitea                        |
-| gitea_checksum_url    | string | Checksum URL of the binary                   |
-| gitea_app_name        | string | Gitea server title                           |
-| gitea_ssh_domain      | string | SSH domain                                   |
-| gitea_domain          | string | Domain to reach Gitea                        |
-| gitea_http_port       | int    | HTTP port                                    |
-| gitea_ssh_port        | int    | SSH port                                     |
-| gitea_root_url        | string | Protocol + FQDN + port                       |
-| gitea_lfs_jwt_secret  | string | LFS storage secret                           |
-| gitea_internal_token  | string | Internal token                               |
-| gitea_jwt_secret      | string | JWT secret                                   |
-| gitea_database_server | string | DB server - 'postgresql' or empty for sqlite |
-| gitea_db_password     | string | PosgreSQL db password (if pgsql is used)     |
+| Variable                   | Type    | Comment                                      |
+|----------------------------+---------+----------------------------------------------|
+| gitea_user                 | string  | Gitea user                                   |
+| gitea_group                | string  | Gitea group                                  |
+| gitea_binary_url           | string  | Download URL of Gitea                        |
+| gitea_checksum_url         | string  | Checksum URL of the binary                   |
+| gitea_app_name             | string  | Gitea server title                           |
+| gitea_ssh_domain           | string  | SSH domain                                   |
+| gitea_domain               | string  | Domain to reach Gitea                        |
+| gitea_http_port            | int     | HTTP port                                    |
+| gitea_ssh_port             | int     | SSH port                                     |
+| gitea_root_url             | string  | Protocol + FQDN + port                       |
+| gitea_lfs_jwt_secret       | string  | LFS storage secret                           |
+| gitea_internal_token       | string  | Internal token                               |
+| gitea_jwt_secret           | string  | JWT secret                                   |
+| gitea_database_server      | string  | DB server - 'postgresql' or empty for sqlite |
+| gitea_db_password          | string  | PosgreSQL db password (if pgsql is used)     |
+| gitea_reverse_proxy        | string  | Reverse proxy to use or not set for no proxy |
+| gitea_enable_https         | boolean | Configure HTTPS in the proxy                 |
+| gitea_ssl_cert             | string  | SSL certificate                              |
+| gitea_ssl_key              | string  | SSL key                                      |
+| gitea_enable_http_redirect | boolean | Redirect HTTP to HTTPS                       |
+| gitea_self_signed          | boolean | Generate a self-signed cert and key          |

 * Handlers

@@ -99,9 +111,17 @@ Then re-run the playbook to finish the installation.
    gitea_http_port: 3000
    gitea_root_url: http://gitea.tomsitcafe.com:3000

-    # Optional
+    # Optional Postgresql database backend
    gitea_database_server: postgresql

+    # Optional Nginx reverse proxy configuration
+    gitea_reverse_proxy: nginx
+    gitea_enable_https: true
+    gitea_self_signed: true
+    gitea_ssl_cert: /var/lib/gitea/certs/cert.pem
+    gitea_ssl_key: /var/lib/gitea/certs/key.pem
+    gitea_enable_http_redirect: true
+
    # In prod put these secrets in SOPS:
    gitea_lfs_jwt_secret: G9bZrRHMhRQ8w4R0KkH2VLnx2rzq81ROQ951IQjlMs4 
    gitea_internal_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NzA2Mzk1Njh9.ybbaeNLFiLbyvxfj4vkqhXSAXKRGpwvP8jIm9YLPgXw