ghost-automation/ds_gitea
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 3 Wiki Activity

Compare commits

base: ghost-automation:development
Branches Tags
ghost-automation:development ghost-automation:main
ghost-automation:v3.1.0 ghost-automation:v3.0.3 ghost-automation:v3.0.2 ghost-automation:v3.0.1 ghost-automation:v3.0.0 ghost-automation:v2.0.0 ghost-automation:v1.0.1 ghost-automation:v1.0.0 ghost-automation:v0.0.2 ghost-automation:v0.0.1
..
compare: ghost-automation:v0.0.2
Branches Tags
ghost-automation:development ghost-automation:main
ghost-automation:v3.1.0 ghost-automation:v3.0.3 ghost-automation:v3.0.2 ghost-automation:v3.0.1 ghost-automation:v3.0.0 ghost-automation:v2.0.0 ghost-automation:v1.0.1 ghost-automation:v1.0.0 ghost-automation:v0.0.2 ghost-automation:v0.0.1

2 Commits
developmen ... v0.0.2

Author SHA1 Message Date
DeadSwitch
d716fefb88 Merge pull request 'Fixed a typo in the readme.' (#3) from development into main 
Reviewed-on: http://gitea.tomsitcafe.com:3000/iron/ds-gitea/pulls/3
 2026-02-09 15:44:16 +01:00
DeadSwitch
764883f26d Gitea development v0.0.1 (#1) 
The first working version is tested against a Debian machine.

Reviewed-on: http://gitea.tomsitcafe.com:3000/iron/ds-gitea/pulls/1
Co-authored-by: DeadSwitch <deadswitch404@proton.me>
Co-committed-by: DeadSwitch <deadswitch404@proton.me>
 2026-02-09 15:08:11 +01:00
12 changed files with 61 additions and 435 deletions
Expand all files Collapse all files

10
.gitea/workflows/test.yml
View File

@@ -1,10 +0,0 @@
name: Test the role
on:
- push
jobs:
test-the-role:
runs-on: iron-runner
steps:
- uses: actions/checkout@v6
- run: ansible-lint --profile production .

138
README.org
View File

@@ -1,119 +1,81 @@
#+TITLE: Gitea Server Role
#+TITLE: Gitea Server Installer Role
#+AUTHOR: DeadSwitch | The Silent Architect
#+OPTIONS: toc:nil num:nil \n:t
[[https://opensource.org/licenses/MIT][https://img.shields.io/badge/license-MIT-blue.svg]] [[https://img.shields.io/badge/version-3.1.0-green.svg]]
* ds-gitea
* ds_gitea
This role installs and configures a basic [[https://docs.gitea.com/][Gitea]] server.
This role can install and configures a [[https://docs.gitea.com/][Gitea]] server.
Currently it uses SQLite as its database service.
- Defaults to SQLite backend with optional PostgreSQL support (Install it with =ds_posgresql=).
- It can set up a reverse proxy with SSL using Nginx (Install it with =ds_nginx=).
- The role supports self-signed certificates and /Let's Encrypt/ with =certbot=.
- The =ds_ufw= role can configure the host firewall.
- The =ds_act_runner= role can configure and register /Gitea Actions/ runners.
Use the =ds-ufw= role to set up the firewall.
* Role Behavior
* Features
1. Download and install the Gitea binary
2. (Optionally) Set up the PostgreSQL user and database
3. (Optionally) Set up an =nginx= reverse proxy with SSL support
4. Create a user and group for the service
5. Create the required directory structure
6. Wait for the operator to save the secrets in SOPS or Ansible Vault (only if secrets are not present)
7. Deploy the Gitea =app.ini= configuration
8. Deploy the Gitea systemd service
9. Enable and start the services
- Download and install the Gitea binary
- Set up the user and group for the service
- Create the required directory structure
- Deploy the Gitea configuration
- Deploy the Gitea service file
- Enable and start the service
* Defaults
#+begin_src yaml
gitea_user: git
gitea_group: git
gitea_http_port: 3000
gitea_ssh_port: 22
gitea_work_path: /var/lib/gitea
gitea_app_data_path: /var/lib/gitea/data
gitea_repo_root: /var/lib/gitea/data/gitea-repositories
gitea_lfs_path: /var/lib/gitea/data/lfs
gitea_log_path: /var/lib/gitea/log
gitea_require_signin_view: true
gitea_disable_registration: true
gitea_register_manual_confirm: false
gitea_enable_captcha: false
gitea_default_keep_email_private: true
#+end_src
The remaining variables must be declared in the inventory.
* Requirements
- Ansible >= 2.12
- Debian 12+ or compatible
- Debian-based OS (Bookworm, Trixie)
- git
- sudo
- ca-certificates
- (optional) PosgreSQL database
- (optional) Nginx server
- (optional) certbot for Let's Encrypt
* Variables
| Variable | Type | Comment |
|----------------------------------+---------+---------------------------------------------------------|
| gitea_user | string | Gitea user |
| gitea_group | string | Gitea group |
| gitea_binary_url | string | Download URL of Gitea |
| gitea_checksum_url | string | Checksum URL of the binary |
| gitea_app_name | string | Gitea server title |
| gitea_ssh_domain | string | SSH domain |
| gitea_domain | string | Domain to reach Gitea |
| gitea_http_port | int | HTTP port |
| gitea_ssh_port | int | SSH port |
| gitea_work_path | string | Workdir |
| gitea_app_data_path | string | Application data path |
| gitea_repo_root | string | Repo root path |
| gitea_lfs_path | string | LFS path |
| gitea_log_path | string | Log path |
| gitea_root_url | string | Protocol + FQDN + port |
| gitea_lfs_jwt_secret | string | LFS storage secret |
| gitea_internal_token | string | Internal token |
| gitea_jwt_secret | string | JWT secret |
| gitea_database_server | string | DB server - 'postgresql' or empty for sqlite |
| gitea_db_password | string | PosgreSQL db password (if pgsql is used) |
| gitea_reverse_proxy | string | 'nginx' to set up a reverse proxy or empty for no proxy |
| gitea_enable_https | boolean | Configure HTTPS in the proxy |
| gitea_ssl_cert | string | Path to the SSL certificate |
| gitea_ssl_key | string | Path to the SSL key |
| gitea_ssl_trusted_certificate | string | Path to the SSL certificate chain |
| gitea_enable_http_redirect | boolean | Redirect HTTP traffic to HTTPS |
| gitea_self_signed | boolean | Generate a self-signed certificate and key |
| gitea_lets_encrypt | boolean | Use certbot to configure HTTPS |
| gitea_certbot_email | string | Email to register the certificates |
| gitea_require_signin_view | boolean | If false, public repos are visible without login |
| gitea_disable_registration | boolean | Turn off the user registration feature |
| gitea_register_manual_confirm | boolean | Registration requires admin verification |
| gitea_enable_captcha | boolean | Enable captcha for registration |
| gitea_default_keep_email_private | boolean | Default email policy: private |
| Variable | Type | Comment |
|----------------------+--------+----------------------------|
| gitea_user | string | Gitea user |
| gitea_group | string | Gitea group |
| gitea_binary_url | string | Download URL of Gitea |
| gitea_checksum_url | string | Checksum URL of the binary |
| gitea_app_name | string | Gitea application title |
| gitea_ssh_domain | string | SSH domain |
| gitea_domain | string | Domain to reach Gitea |
| gitea_http_port | int | Gitea HTTP port |
| gitea_ssh_port | int | Gitea SSH port |
| gitea_root_url | string | Protocol + FQDN |
| gitea_lfs_jwt_secret | string | LFS storage secret |
| gitea_internal_token | string | Internal token |
| gitea_jwt_secret | string | JWT secret |
* Handlers
- =Reload_systemd=: It runs a =daemon-reload=
- =Restart_gitea=: It restarts the Gitea service
* Secrets
Always save the production secrets in SOPS or in Ansible Vault.
Always store the production secrets in SOPS, or in Ansible Vault.
You can generate the secrets manually when the playbook stops:
Generate the secrets manually when the playbook stops:
#+begin_src shell
gitea generate secret INTERNAL_TOKEN
gitea generate secret JWT_SECRET
#+end_src
Use the =JWT_SECRET= option to generate the =gitea_lfs_jwt_secret= as well.
Use the =JWT_SECRET= command to generate the =gitea_lfs_jwt_secret= as well. It's an alias.
Then re-run the playbook to finish the installation.
* Example Playbook
You can find more playbook examples in the =examples= directory.
#+begin_src yaml
- name: Deploy a Gitea server
hosts: gitea
@@ -128,32 +90,14 @@ You can find more playbook examples in the =examples= directory.
gitea_ssh_domain: gitea.tomsitcafe.com
gitea_domain: gitea.tomsitcafe.com
gitea_http_port: 3000
gitea_root_url: https://gitea.tomsitcafe.com
# Optional Postgresql database backend
gitea_database_server: postgresql
# Optional Nginx reverse proxy configuration
gitea_reverse_proxy: nginx
gitea_enable_https: true # Use HTTPS
gitea_self_signed: false # Don't generate self-signed certs
gitea_lets_encrypt: true # Use certbot
gitea_enable_http_redirect: true # Redirect HTTP to HTTPS
# Certbot configuration
gitea_certbot_email: email@domain.tld
gitea_ssl_cert: /etc/letsencrypt/live/{{ gitea_domain }}/fullchain.pem
gitea_ssl_key: /etc/letsencrypt/live/{{ gitea_domain }}/privkey.pem
gitea_ssl_trusted_certificate: /etc/letsencrypt/live/{{ gitea_domain }}/chain.pem
# In prod put the secrets in SOPS:
gitea_root_url: http://gitea.tomsitcafe.com:3000
# In prod put these secrets in SOPS:
gitea_lfs_jwt_secret: G9bZrRHMhRQ8w4R0KkH2VLnx2rzq81ROQ951IQjlMs4
gitea_internal_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NzA2Mzk1Njh9.ybbaeNLFiLbyvxfj4vkqhXSAXKRGpwvP8jIm9YLPgXw
gitea_jwt_secret: uJni4x4e0AzpkLYc-t4keRJKOB6EaLzwVsdLeamkFyU
gitea_db_password: Eegh7Aothooph7pa6eu7eitha_zaim0G
roles:
- role: ds_gitea
- role: ds-gitea
#+end_src
* License

12
defaults/main.yml
View File

@@ -1,15 +1,3 @@
---
gitea_user: git
gitea_group: git
gitea_http_port: 3000
gitea_ssh_port: 22
gitea_work_path: /var/lib/gitea
gitea_app_data_path: /var/lib/gitea/data
gitea_repo_root: /var/lib/gitea/data/gitea-repositories
gitea_lfs_path: /var/lib/gitea/data/lfs
gitea_log_path: /var/lib/gitea/log
gitea_require_signin_view: true
gitea_disable_registration: true
gitea_register_manual_confirm: false
gitea_enable_captcha: false
gitea_default_keep_email_private: true

34
examples/certbot-playbook.yml
View File

@@ -1,34 +0,0 @@
---
- name: Install Gitea
hosts: gitea
become: true
roles:
- role: ds_postgresql
- role: ds_nginx
- role: ds_gitea
vars:
gitea_user: git
gitea_group: git
gitea_database_server: postgresql
gitea_binary_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64
gitea_checksum_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64.sha256
gitea_app_name: Tom's IT Cafe Test Gitea Server
gitea_domain: gitea.tomsitcafe.com
gitea_ssh_domain: "{{ gitea_domain }}"
gitea_http_port: 3000
gitea_ssh_port: 22
gitea_root_url: https://{{ gitea_domain }}
gitea_reverse_proxy: nginx
gitea_enable_https: true
gitea_lets_encrypt: true
gitea_enable_http_redirect: true
gitea_certbot_email: tom@tomsitcafe.com
gitea_ssl_cert: /etc/letsencrypt/live/{{ gitea_domain }}/fullchain.pem
gitea_ssl_key: /etc/letsencrypt/live/{{ gitea_domain }}/privkey.pem
gitea_ssl_trusted_certificate: /etc/letsencrypt/live/{{ gitea_domain }}/chain.pem
# Secrets to SOPS
gitea_lfs_jwt_secret: G9bZrRHMhRQ8w4R0KkH2VLnx2rzq81ROQ951IQjlMs4
gitea_internal_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NzA2Mzk1Njh9.ybbaeNLFiLbyvxfj4vkqhXSAXKRGpwvP8jIm9YLPgXw
gitea_jwt_secret: uJni4x4e0AzpkLYc-t4keRJKOB6EaLzwVsdLeamkFyU
gitea_db_password: Eegh7Aothooph7pa6eu7eitha_zaim0G

21
examples/lightweight-playbook.yml
View File

@@ -1,21 +0,0 @@
- name: Install Gitea
hosts: gitea
become: true
roles:
- role: ds_gitea
vars:
gitea_user: git
gitea_group: git
gitea_binary_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64
gitea_checksum_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64.sha256
gitea_app_name: Tom's IT Cafe Test Gitea Server
gitea_domain: gitea.tomsitcafe.com
gitea_ssh_domain: "{{ gitea_domain }}"
gitea_http_port: 3000
gitea_ssh_port: 22
gitea_root_url: http://{{ gitea_domain }}:{{ gitea_http_port }}
# Secrets to SOPS
gitea_lfs_jwt_secret: G9bZrRHMhRQ8w4R0KkH2VLnx2rzq81ROQ951IQjlMs4
gitea_internal_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NzA2Mzk1Njh9.ybbaeNLFiLbyvxfj4vkqhXSAXKRGpwvP8jIm9YLPgXw
gitea_jwt_secret: uJni4x4e0AzpkLYc-t4keRJKOB6EaLzwVsdLeamkFyU

31
examples/self-signed-playbook.yml
View File

@@ -1,31 +0,0 @@
- name: Install Gitea
hosts: gitea
become: true
roles:
- role: ds_postgresql
- role: ds_nginx
- role: ds_gitea
vars:
gitea_user: git
gitea_group: git
gitea_database_server: postgresql
gitea_binary_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64
gitea_checksum_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64.sha256
gitea_app_name: Tom's IT Cafe Test Gitea Server
gitea_domain: gitea.tomsitcafe.com
gitea_ssh_domain: "{{ gitea_domain }}"
gitea_http_port: 3000
gitea_ssh_port: 22
gitea_root_url: https://{{ gitea_domain }}
gitea_reverse_proxy: nginx
gitea_enable_https: true
gitea_self_signed: true
gitea_ssl_cert: /var/lib/gitea/certs/cert.pem
gitea_ssl_key: /var/lib/gitea/certs/key.pem
gitea_enable_http_redirect: true
# Secrets to SOPS
gitea_lfs_jwt_secret: G9bZrRHMhRQ8w4R0KkH2VLnx2rzq81ROQ951IQjlMs4
gitea_internal_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NzA2Mzk1Njh9.ybbaeNLFiLbyvxfj4vkqhXSAXKRGpwvP8jIm9YLPgXw
gitea_jwt_secret: uJni4x4e0AzpkLYc-t4keRJKOB6EaLzwVsdLeamkFyU
gitea_db_password: Eegh7Aothooph7pa6eu7eitha_zaim0G

29
tasks/lets-encrypt.yml
View File

@@ -1,29 +0,0 @@
---
- name: Install certbot
ansible.builtin.apt:
name:
- certbot
state: present
- name: Ensure webroot directory exists
ansible.builtin.file:
path: /var/www/html/.well-known/acme-challenge
state: directory
owner: www-data
group: www-data
mode: '0755'
- name: Obtain or renew TLS certificate (non-destructive)
ansible.builtin.command:
cmd: >
certbot certonly
--webroot
-w /var/www/html
-d {{ gitea_domain }}
--agree-tos
--email {{ gitea_certbot_email }}
--non-interactive
--keep-until-expiring
register: certbot_result
changed_when: "'Congratulations' in certbot_result.stdout"
notify: Reload_nginx

91
tasks/main.yml
View File

@@ -8,66 +8,6 @@
update_cache: true
state: present
- name: Set up the PostgreSQL database
when: gitea_database_server | default('') == "postgresql"
block:
- name: Ensure PostgreSQL Python client is installed
ansible.builtin.apt:
name: python3-psycopg2
update_cache: true
state: present
- name: Create the gitea DB role
community.postgresql.postgresql_user:
name: gitea
password: "{{ gitea_db_password }}"
role_attr_flags: "NOSUPERUSER,NOCREATEDB,NOCREATEROLE"
become: true
become_user: postgres
- name: Create the gitea database
community.postgresql.postgresql_db:
name: giteadb
owner: gitea
template: template0
encoding: UTF8
lc_collate: en_US.UTF-8
lc_ctype: en_US.UTF-8
become: true
become_user: postgres
- name: Ensure pg_hba.conf has local access for gitea
ansible.builtin.lineinfile:
path: /etc/postgresql/{{ postgresql_version }}/main/pg_hba.conf
regexp: '^local\s+giteadb\s+gitea\s+'
line: 'local giteadb gitea scram-sha-256'
state: present
backup: true
notify:
- Reload_postgresql
- name: Set up the reverse proxy
when: gitea_reverse_proxy | default('') == "nginx"
block:
- name: Deploy the site configuration
ansible.builtin.template:
src: gitea.j2
dest: /etc/nginx/sites-available/gitea
owner: root
group: root
mode: '0644'
notify: Reload_nginx
- name: Enable the gitea site
ansible.builtin.file:
src: /etc/nginx/sites-available/gitea
dest: /etc/nginx/sites-enabled/gitea
state: link
owner: root
group: root
force: true
notify: Reload_nginx
- name: Create the gitea group
ansible.builtin.group:
name: "{{ gitea_group }}"
@@ -76,22 +16,17 @@
- name: Create the gitea user
ansible.builtin.user:
name: "{{ gitea_user }}"
comment: "Gitea Service User"
group: "{{ gitea_group }}"
home: "{{ gitea_work_path }}"
shell: /bin/bash
password: '*'
home: /home/{{ gitea_user }}
shell: /usr/sbin/nologin
system: true
create_home: true
- name: Download the Gitea binary
ansible.builtin.get_url:
url: "{{ gitea_binary_url }}"
dest: /usr/local/bin/gitea
checksum: "sha256:{{ gitea_checksum_url }}"
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: '0750'
- name: Set the permissions of the Gitea binary
ansible.builtin.file:
@@ -100,16 +35,6 @@
group: "{{ gitea_group }}"
mode: '0750'
- name: Generate self-signed certificates
ansible.builtin.include_tasks:
file: self-signed-cert.yml
when: gitea_self_signed | default(false)
- name: Configure the Let's Encrypt certificates
ansible.builtin.include_tasks:
file: lets-encrypt.yml
when: gitea_lets_encrypt | default(false)
- name: Pause to generate and save the secrets in SOPS
ansible.builtin.pause:
prompt: |
@@ -131,7 +56,7 @@
- name: Create the data dir base
ansible.builtin.file:
path: "{{ gitea_work_path }}"
path: /var/lib/gitea
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: '0750'
@@ -145,9 +70,9 @@
mode: '0750'
state: directory
loop:
- "{{ gitea_work_path }}/custom"
- "{{ gitea_app_data_path }}"
- "{{ gitea_log_path }}"
- /var/lib/gitea/custom
- /var/lib/gitea/data
- /var/lib/gitea/log
- name: Create the config dir
ansible.builtin.file:
@@ -176,7 +101,7 @@
mode: '0640'
notify:
- Restart_gitea
- name: Start and enable Gitea
ansible.builtin.systemd_service:
name: gitea.service

19
tasks/self-signed-cert.yml
View File

@@ -1,19 +0,0 @@
---
- name: Create the certs directory
ansible.builtin.file:
path: "{{ gitea_work_path }}/certs"
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: '0750'
state: directory
- name: Generate the self-signed certs for Gitea
ansible.builtin.command: >
gitea cert
--host {{ gitea_domain }},{{ gitea_ssh_domain }}
--out {{ gitea_work_path }}/certs/cert.pem
--keyout {{ gitea_work_path }}/certs/key.pem
become: true
become_user: "{{ gitea_user }}"
args:
creates: "{{ gitea_work_path }}/certs/cert.pem"

31
templates/app.ini.j2
View File

@@ -2,18 +2,9 @@
APP_NAME = {{ gitea_app_name }}
RUN_USER = {{ gitea_user }}
WORK_PATH = {{ gitea_work_path }}
WORK_PATH = /var/lib/gitea
RUN_MODE = prod
{% if gitea_database_server | default('') == "postgresql" %}
[database]
DB_TYPE = postgres
HOST = 127.0.0.1:5432
NAME = giteadb
USER = gitea
PASSWD = {{ gitea_db_password }}
SSL_MODE = disable
{% else %}
[database]
DB_TYPE = sqlite3
HOST = 127.0.0.1:3306
@@ -22,19 +13,18 @@ USER = {{ gitea_user }}
PASSWD =
SCHEMA =
SSL_MODE = disable
PATH = {{ gitea_app_data_path }}/gitea.db
PATH = /var/lib/gitea/data/gitea.db
LOG_SQL = false
{% endif %}
[repository]
ROOT = {{ gitea_repo_root }}
ROOT = /var/lib/gitea/data/gitea-repositories
[server]
SSH_DOMAIN = {{ gitea_ssh_domain }}
DOMAIN = {{ gitea_domain }}
HTTP_PORT = {{ gitea_http_port }}
ROOT_URL = {{ gitea_root_url }}
APP_DATA_PATH = {{ gitea_app_data_path }}
APP_DATA_PATH = /var/lib/gitea/data
DISABLE_SSH = false
SSH_PORT = {{ gitea_ssh_port }}
LFS_START_SERVER = true
@@ -42,7 +32,7 @@ LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }}
OFFLINE_MODE = true
[lfs]
PATH = {{ gitea_lfs_path }}
PATH = /var/lib/gitea/data/lfs
[mailer]
ENABLED = false
@@ -50,15 +40,14 @@ ENABLED = false
[service]
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
DISABLE_REGISTRATION = {{ gitea_disable_registration }}
DISABLE_REGISTRATION = false
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = {{ gitea_enable_captcha }}
REQUIRE_SIGNIN_VIEW = {{ gitea_require_signin_view }}
DEFAULT_KEEP_EMAIL_PRIVATE = {{ gitea_default_keep_email_private }}
ENABLE_CAPTCHA = false
REQUIRE_SIGNIN_VIEW = false
DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = noreply.localhost
REGISTER_MANUAL_CONFIRM = {{ gitea_register_manual_confirm }}
[openid]
ENABLE_OPENID_SIGNIN = false
@@ -73,7 +62,7 @@ PROVIDER = file
[log]
MODE = console
LEVEL = info
ROOT_PATH = {{ gitea_log_path }}
ROOT_PATH = /var/lib/gitea/log
[repository.pull-request]
DEFAULT_MERGE_STYLE = merge

72
templates/gitea.j2
View File

@@ -1,72 +0,0 @@
# {{ ansible_managed }}
{% if gitea_enable_https | default(false) %}
server {
listen 443 ssl;
http2 on;
server_name {{ gitea_domain }};
ssl_certificate {{ gitea_ssl_cert }};
ssl_certificate_key {{ gitea_ssl_key }};
{% if gitea_lets_encrypt | default(false) %}
ssl_trusted_certificate {{ gitea_ssl_trusted_certificate }};
{% endif %}
ssl_protocols TLSv1.2 TLSv1.3;
client_max_body_size 50M;
location / {
client_max_body_size 512M;
proxy_pass http://localhost:{{ gitea_http_port }};
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
{% if gitea_enable_http_redirect | default(true) %}
server {
listen 80;
server_name {{ gitea_domain }};
{% if gitea_lets_encrypt | default(false) %}
# Allow Let's Encrypt to verify certificates
location ^~ /.well-known/acme-challenge/ {
root /var/www/html;
allow all;
}
# Redirect everything else to HTTPS
location / {
return 301 https://$host$request_uri;
}
{% else %}
return 301 https://$host$request_uri;
{% endif %}
}
{% endif %}
{% else %}
# HTTP-only configuration
server {
listen 80;
server_name {{ gitea_domain }};
client_max_body_size 50M;
location / {
client_max_body_size 512M;
proxy_pass http://localhost:{{ gitea_http_port }};
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
{% endif %}

8
templates/gitea.service.j2
View File

@@ -3,20 +3,16 @@
[Unit]
Description=Gitea (Git with a cup of tea)
After=network.target
{% if gitea_database_server | default('') == "postgresql" %}
Wants=postgresql.service
After=postgresql.service
{% endif %}
[Service]
RestartSec=2s
Type=simple
User={{ gitea_user }}
Group={{ gitea_group }}
WorkingDirectory={{ gitea_work_path }}
WorkingDirectory=/var/lib/gitea/
ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
Restart=always
Environment=USER={{ gitea_user }} HOME={{ gitea_work_path }} GITEA_WORK_DIR={{ gitea_work_path }}
Environment=USER={{ gitea_user }} HOME=/home/{{ gitea_user }} GITEA_WORK_DIR=/var/lib/gitea
[Install]
WantedBy=multi-user.target