Clarifications.

README.org

@@ -6,6 +6,10 @@
 
 This role installs and configures a basic [[https://docs.gitea.com/][Gitea]] server.
 
+Currently it uses SQLite as its database service.
+
+Use the =ds-ufw= role to set up the firewall.
+
 * Features
 
 - Download and install the Gitea binary
@@ -22,7 +26,7 @@ gitea_user: git
 gitea_group: git
 #+end_src
 
-Remaining variables must be declared in the inventory.
+The remaining variables must be declared in the inventory.
 
 * Requirements
 
@@ -56,7 +60,7 @@ Remaining variables must be declared in the inventory.
 
 * Secrets
 
-Always store the production secrets in SOPS, or in Vault.
+Always store the production secrets in SOPS, or in Ansible Vault.
 
 Generate the secrets manually when the playbook stops:
 
@@ -67,6 +71,8 @@ gitea generate secret JWT_SECRET
 
 Use the =JWT_SECRET= command to generate the =gitea_lfs_jwt_secret= as well. It's an alias.
 
+Then re-run the playbook to finish the installation.
+
 * Example Playbook
 
 #+begin_src yaml

tasks/main.yml

@@ -31,18 +31,18 @@
 - name: Set the permissions of the Gitea binary
   ansible.builtin.file:
     path: /usr/local/bin/gitea
-    owner: root
+    owner: "{{ gitea_user }}"
     group: "{{ gitea_group }}"
-    mode: '0770'
+    mode: '0750'
 
 - name: Pause to generate and save the secrets in SOPS
   ansible.builtin.pause:
     prompt: |
       [SECURITY NOTICE]
       If this is a fresh install, generate these secrets:
-      1. gitea generate secret INTERNAL_TOKEN
-      2. gitea generate secret JWT_SECRET
-      3. gitea generate secret JWT_SECRET
+      1. gitea generate secret INTERNAL_TOKEN - for gitea_internal_token
+      2. gitea generate secret JWT_SECRET - for gitea_lfs_jwt_secret
+      3. gitea generate secret JWT_SECRET - for gitea_jwt_secret
       Copy the following keys into SOPS:
         - gitea_internal_token
         - gitea_lfs_jwt_secret