Writing the Gitea role.

README.org

@@ -0,0 +1,63 @@
+#+TITLE: Gitea Server Installer Role
+#+AUTHOR: DeadSwitch | The Silent Architect
+#+OPTIONS: toc:nil num:nil \n:t
+
+* ds-gitea
+
+This role installs and configures a basic [[https://docs.gitea.com/][Gitea]] server.
+
+* Features
+
+- Download and install the Gitea binary
+- Set up the user and group for the service
+- Create the required directory structure
+- Deploy the Gitea configuration
+- Deploy the Gitea service file
+- Enable and start the service
+
+* Defaults
+
+#+begin_src yaml
+gitea_user: git
+gitea_group: git
+#+end_src
+
+Remaining variables must be declared in the inventory.
+
+* Requirements
+
+- Ansible >= 2.12
+- Debian-based OS (Bookworm, Trixie)
+- git
+- sudo
+- ca-certificates
+
+* Variables
+
+| Variable             | Type   | Comment                    |
+|----------------------+--------+----------------------------|
+| gitea_user           | string | Gitea user                 |
+| gitea_group          | string | Gitea group                |
+| gitea_binary_url     | string | Download URL of Gitea      |
+| gitea_checksum_url   | string | Checksum URL of the binary |
+| gitea_app_name       | string | Gitea application title    |
+| gitea_ssh_domain     | string | SSH domain                 |
+| gitea_domain         | string | Domain to reach Gitea      |
+| gitea_http_port      | int    | Gitea HTTP port            |
+| gitea_root_url       | string | Protocoll + FQDN           |
+| gitea_lfs_jwt_secret | string | LFS storage secret         |
+| gitea_internal_token | string | Internal token             |
+| gitea_jwt_secret     | string | JWT secret                 |
+
+* Handlers
+
+- =Reload_systemd=: It runs a =daemon-reload=
+- =Restart_gitea=: It restarts the Gitea service
+
+* Example Playbook
+
+* License
+
+MIT
+
+=[ Fear the Silence. Fear the Switch. ]=

defaults/main.yml

@@ -0,0 +1,3 @@
+---
+gitea_user: git
+gitea_group: git

handlers/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Reload_systemd
+  ansible.builtin.systemd_service:
+    daemon_reload: true
+
+- name: Restart_gitea
+  ansible.builtin.systemd_service:
+    name: gitea.service
+    state: restarted

tasks/main.yml

@@ -0,0 +1,102 @@
+---
+- name: Make sure dependencies are installed
+  ansible.builtin.apt:
+    name:
+      - git
+      - sudo
+      - ca-certificates
+    update_cache: true
+    state: present
+
+- name: Create the gitea group
+  ansible.builtin.group:
+    name: "{{ gitea_group }}"
+    system: true
+
+- name: Create the gitea user
+  ansible.builtin.user:
+    name: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    home: /home/{{ gitea_user }}
+    shell: /usr/sbin/nologin
+    system: true
+    create_home: true
+    
+- name: Download the Gitea binary
+  ansible.builtin.get_url:
+    url: "{{ gitea_binary_url }}"
+    dest: /usr/local/bin/gitea
+    checksum: "sha256:{{ gitea_checksum_url }}"
+
+- name: Pause to save the generated secrets in SOPS
+  ansible.builtin.pause:
+    prompt: |
+      [SECURITY NOTICE]
+      If this is a fresh install, generate these secrets:
+      1. gitea generate secret INTERNAL_TOKEN
+      2. gitea generate secret JWT_SECRET
+      3. gitea generate secret LFS_JWT_SECRET
+      Copy the following keys into SOPS:
+        - gitea_lfs_jwt_secret
+        - gitea_internal_token
+        - gitea_jwt_secret
+      Press ENTER once done to continue.
+  when: gitea_internal_token is not defined
+
+- name: Stop play until SOPS secrets are added
+  ansible.builtin.meta: end_play
+  when: gitea_internal_token is not defined
+
+- name: Create the data dir base
+  ansible.builtin.file:
+    path: /var/lib/gitea
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    mode: '0750'
+    state: directory
+
+- name: Create the data dirs
+  ansible.builtin.file:
+    path: "{{ item }}"
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    mode: '0750'
+    state: directory
+  loop:
+    - /var/lib/gitea/custom
+    - /var/lib/gitea/data
+    - /var/lib/gitea/log
+
+- name: Create the config dir
+  ansible.builtin.file:
+    path: /etc/gitea
+    owner: root
+    group: "{{ gitea_group }}"
+    mode: '0750'
+    state: directory
+
+- name: Deploy the systemd service unit
+  ansible.builtin.template:
+    src: gitea.service.j2
+    dest: /etc/systemd/system/gitea.service
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    - Reload_systemd
+
+- name: Deploy the Gitea configuration
+  ansible.builtin.template:
+    src: app.ini.j2
+    dest: /etc/gitea/app.ini
+    owner: root
+    group: "{{ gitea_group }}"
+    mode: '0640'
+  notify:
+    - Restart_gitea
+    
+- name: Start and enable Gitea
+  ansible.builtin.systemd_service:
+    name: gitea.service
+    state: started
+    enabled: true

templates/app.ini.j2

@@ -0,0 +1,85 @@
+# {{ ansible_managed }}
+
+APP_NAME = {{ gitea_app_name }}
+RUN_USER = {{ gitea_user }}
+WORK_PATH = /var/lib/gitea
+RUN_MODE = prod
+
+[database]
+DB_TYPE = sqlite3
+HOST = 127.0.0.1:3306
+NAME = {{ gitea_user }}
+USER = {{ gitea_user }}
+PASSWD = 
+SCHEMA = 
+SSL_MODE = disable
+PATH = /var/lib/gitea/data/gitea.db
+LOG_SQL = false
+
+[repository]
+ROOT = /var/lib/gitea/data/gitea-repositories
+
+[server]
+SSH_DOMAIN = {{ gitea_ssh_domain }}
+DOMAIN = {{ gitea_domain }}
+HTTP_PORT = {{ gitea_http_port }}
+ROOT_URL = {{ gitea_root_url }}
+APP_DATA_PATH = /var/lib/gitea/data
+DISABLE_SSH = false
+SSH_PORT = 22
+LFS_START_SERVER = true
+LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }}
+OFFLINE_MODE = true
+
+[lfs]
+PATH = /var/lib/gitea/data/lfs
+
+[mailer]
+ENABLED = false
+
+[service]
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+DISABLE_REGISTRATION = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+REQUIRE_SIGNIN_VIEW = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.localhost
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[cron.update_checker]
+ENABLED = false
+
+[session]
+PROVIDER = file
+
+[log]
+MODE = console
+LEVEL = info
+ROOT_PATH = /var/lib/gitea/log
+
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = merge
+
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
+
+[security]
+INSTALL_LOCK = true
+INTERNAL_TOKEN = {{ gitea_internal_token }}
+PASSWORD_HASH_ALGO = pbkdf2
+
+[oauth2]
+JWT_SECRET = {{ gitea_jwt_secret }}
+
+[other]
+SHOW_FOOTER_BRANDING = false
+SHOW_FOOTER_TEMPLATE_LOAD_TIME = false
+SHOW_FOOTER_POWERED_BY = false
+ENABLE_SITEMAP = false

templates/gitea.service.j2

@@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=network.target
+
+[Service]
+RestartSec=2s
+Type=simple
+User={{ gitea_user }}
+Group={{ gitea_group }}
+WorkingDirectory=/var/lib/gitea/
+ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
+Restart=always
+Environment=USER={{ gitea_user }} HOME=/home/{{ gitea_user }} GITEA_WORK_DIR=/var/lib/gitea
+
+[Install]
+WantedBy=multi-user.target