Merge pull request 'Proxy and SSL support' (#7) from development into main

Reviewed-on: http://gitea.tomsitcafe.com:3000/iron/ds-gitea/pulls/7

.gitea/workflows/test.yml

@@ -1,10 +0,0 @@
-name: Test the role
-on:
-  - push
-
-jobs:
-  test-the-role:
-    runs-on: iron-runner
-    steps:
-      - uses: actions/checkout@v6
-      - run: ansible-lint --profile production .

README.org

@@ -1,30 +1,30 @@
-#+TITLE: Gitea Server Role
+#+TITLE: Gitea Server Installer Role
 #+AUTHOR: DeadSwitch | The Silent Architect
 #+OPTIONS: toc:nil num:nil \n:t
 
-[[https://opensource.org/licenses/MIT][https://img.shields.io/badge/license-MIT-blue.svg]] [[https://img.shields.io/badge/version-3.1.0-green.svg]]
+* ds-gitea
 
-* ds_gitea
+This role installs and configures a [[https://docs.gitea.com/][Gitea]] server.
 
-This role can install and configures a [[https://docs.gitea.com/][Gitea]] server.
+It uses SQLite as its default database service - with optional PostgreSQL support.
 
-- Defaults to SQLite backend with optional PostgreSQL support (Install it with =ds_posgresql=).
+The role can set up a reverse proxy with SSL using Nginx.
-- It can set up a reverse proxy with SSL using Nginx (Install it with =ds_nginx=).
+
-- The role supports self-signed certificates and /Let's Encrypt/ with =certbot=.
+- Use the =ds-ufw= role to configure the firewall.
-- The =ds_ufw= role can configure the host firewall.
+- Use the =ds-posgresql= role to configure the database.
-- The =ds_act_runner= role can configure and register /Gitea Actions/ runners.
+- Use the =ds-nginx= role to install the proxy server.
 
 * Role Behavior
 
 1. Download and install the Gitea binary
 2. (Optionally) Set up the PostgreSQL user and database
-3. (Optionally) Set up an =nginx= reverse proxy with SSL support
+3. Set up the user and group for the service
-4. Create a user and group for the service
+4. Create the required directory structure
-5. Create the required directory structure
+5. Wait for the secret creation and storage in SOPS - if secrets are not present
-6. Wait for the operator to save the secrets in SOPS or Ansible Vault (only if secrets are not present)
+6. Deploy the Gitea configuration
-7. Deploy the Gitea =app.ini= configuration
+7. Deploy the Gitea systemd service file
-8. Deploy the Gitea systemd service
+8. (Optionally) Set up the reverse proxy with optional SSL
-9. Enable and start the services
+9. Enable and start the service
 
 * Defaults
 
@@ -33,87 +33,68 @@ gitea_user: git
 gitea_group: git
 gitea_http_port: 3000
 gitea_ssh_port: 22
-gitea_work_path: /var/lib/gitea
+gitea_database_server: ''
-gitea_app_data_path: /var/lib/gitea/data
+gitea_reverse_proxy: ''
-gitea_repo_root: /var/lib/gitea/data/gitea-repositories
-gitea_lfs_path: /var/lib/gitea/data/lfs
-gitea_log_path: /var/lib/gitea/log
-gitea_require_signin_view: true
-gitea_disable_registration: true
-gitea_register_manual_confirm: false
-gitea_enable_captcha: false
-gitea_default_keep_email_private: true
 #+end_src
 
 * Requirements
 
 - Ansible >= 2.12
-- Debian 12+ or compatible
+- Debian-based OS (Bookworm, Trixie)
 - git
 - sudo
 - ca-certificates
 - (optional) PosgreSQL database
 - (optional) Nginx server
-- (optional) certbot for Let's Encrypt
 
 * Variables
 
-| Variable                         | Type    | Comment                                                 |
+| Variable                   | Type    | Comment                                      |
-|----------------------------------+---------+---------------------------------------------------------|
+|----------------------------+---------+----------------------------------------------|
-| gitea_user                       | string  | Gitea user                                              |
+| gitea_user                 | string  | Gitea user                                   |
-| gitea_group                      | string  | Gitea group                                             |
+| gitea_group                | string  | Gitea group                                  |
-| gitea_binary_url                 | string  | Download URL of Gitea                                   |
+| gitea_binary_url           | string  | Download URL of Gitea                        |
-| gitea_checksum_url               | string  | Checksum URL of the binary                              |
+| gitea_checksum_url         | string  | Checksum URL of the binary                   |
-| gitea_app_name                   | string  | Gitea server title                                      |
+| gitea_app_name             | string  | Gitea server title                           |
-| gitea_ssh_domain                 | string  | SSH domain                                              |
+| gitea_ssh_domain           | string  | SSH domain                                   |
-| gitea_domain                     | string  | Domain to reach Gitea                                   |
+| gitea_domain               | string  | Domain to reach Gitea                        |
-| gitea_http_port                  | int     | HTTP port                                               |
+| gitea_http_port            | int     | HTTP port                                    |
-| gitea_ssh_port                   | int     | SSH port                                                |
+| gitea_ssh_port             | int     | SSH port                                     |
-| gitea_work_path                  | string  | Workdir                                                 |
+| gitea_root_url             | string  | Protocol + FQDN + port                       |
-| gitea_app_data_path              | string  | Application data path                                   |
+| gitea_lfs_jwt_secret       | string  | LFS storage secret                           |
-| gitea_repo_root                  | string  | Repo root path                                          |
+| gitea_internal_token       | string  | Internal token                               |
-| gitea_lfs_path                   | string  | LFS path                                                |
+| gitea_jwt_secret           | string  | JWT secret                                   |
-| gitea_log_path                   | string  | Log path                                                |
+| gitea_database_server      | string  | DB server - 'postgresql' or empty for sqlite |
-| gitea_root_url                   | string  | Protocol + FQDN + port                                  |
+| gitea_db_password          | string  | PosgreSQL db password (if pgsql is used)     |
-| gitea_lfs_jwt_secret             | string  | LFS storage secret                                      |
+| gitea_reverse_proxy        | string  | Reverse proxy to use or not set for no proxy |
-| gitea_internal_token             | string  | Internal token                                          |
+| gitea_enable_https         | boolean | Configure HTTPS in the proxy                 |
-| gitea_jwt_secret                 | string  | JWT secret                                              |
+| gitea_ssl_cert             | string  | SSL certificate                              |
-| gitea_database_server            | string  | DB server - 'postgresql' or empty for sqlite            |
+| gitea_ssl_key              | string  | SSL key                                      |
-| gitea_db_password                | string  | PosgreSQL db password (if pgsql is used)                |
+| gitea_enable_http_redirect | boolean | Redirect HTTP to HTTPS                       |
-| gitea_reverse_proxy              | string  | 'nginx' to set up a reverse proxy or empty for no proxy |
+| gitea_self_signed          | boolean | Generate a self-signed cert and key          |
-| gitea_enable_https               | boolean | Configure HTTPS in the proxy                            |
+
-| gitea_ssl_cert                   | string  | Path to the SSL certificate                             |
+* Handlers
-| gitea_ssl_key                    | string  | Path to the SSL key                                     |
+
-| gitea_ssl_trusted_certificate    | string  | Path to the SSL certificate chain                       |
+- =Reload_systemd=: It runs a =daemon-reload=
-| gitea_enable_http_redirect       | boolean | Redirect HTTP traffic to HTTPS                          |
+- =Restart_gitea=: It restarts the Gitea service
-| gitea_self_signed                | boolean | Generate a self-signed certificate and key              |
-| gitea_lets_encrypt               | boolean | Use certbot to configure HTTPS                          |
-| gitea_certbot_email              | string  | Email to register the certificates                      |
-| gitea_require_signin_view        | boolean | If false, public repos are visible without login        |
-| gitea_disable_registration       | boolean | Turn off the user registration feature                  |
-| gitea_register_manual_confirm    | boolean | Registration requires admin verification                |
-| gitea_enable_captcha             | boolean | Enable captcha for registration                         |
-| gitea_default_keep_email_private | boolean | Default email policy: private                           |
 
 * Secrets
 
-Always save the production secrets in SOPS or in Ansible Vault.
+Always save the production secrets in SOPS, or in Ansible Vault.
 
-You can generate the secrets manually when the playbook stops:
+Generate the secrets manually when the playbook stops:
 
 #+begin_src shell
 gitea generate secret INTERNAL_TOKEN
 gitea generate secret JWT_SECRET
 #+end_src
 
-Use the =JWT_SECRET= option to generate the =gitea_lfs_jwt_secret= as well.
+Use the =JWT_SECRET= command to generate the =gitea_lfs_jwt_secret= as well. It's an alias.
 
 Then re-run the playbook to finish the installation.
 
 * Example Playbook
 
-You can find more playbook examples in the =examples= directory.
-
 #+begin_src yaml
 - name: Deploy a Gitea server
   hosts: gitea
@@ -128,32 +109,27 @@ You can find more playbook examples in the =examples= directory.
     gitea_ssh_domain: gitea.tomsitcafe.com
     gitea_domain: gitea.tomsitcafe.com
     gitea_http_port: 3000
-    gitea_root_url: https://gitea.tomsitcafe.com
+    gitea_root_url: http://gitea.tomsitcafe.com:3000
 
     # Optional Postgresql database backend
     gitea_database_server: postgresql
 
     # Optional Nginx reverse proxy configuration
     gitea_reverse_proxy: nginx
-    gitea_enable_https: true          # Use HTTPS
+    gitea_enable_https: true
-    gitea_self_signed: false          # Don't generate self-signed certs
+    gitea_self_signed: true
-    gitea_lets_encrypt: true          # Use certbot
+    gitea_ssl_cert: /var/lib/gitea/certs/cert.pem
-    gitea_enable_http_redirect: true  # Redirect HTTP to HTTPS
+    gitea_ssl_key: /var/lib/gitea/certs/key.pem
+    gitea_enable_http_redirect: true
 
-    # Certbot configuration
+    # In prod put these secrets in SOPS:
-    gitea_certbot_email: email@domain.tld
-    gitea_ssl_cert: /etc/letsencrypt/live/{{ gitea_domain }}/fullchain.pem
-    gitea_ssl_key: /etc/letsencrypt/live/{{ gitea_domain }}/privkey.pem
-    gitea_ssl_trusted_certificate: /etc/letsencrypt/live/{{ gitea_domain }}/chain.pem 
-
-    # In prod put the secrets in SOPS:
     gitea_lfs_jwt_secret: G9bZrRHMhRQ8w4R0KkH2VLnx2rzq81ROQ951IQjlMs4 
     gitea_internal_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NzA2Mzk1Njh9.ybbaeNLFiLbyvxfj4vkqhXSAXKRGpwvP8jIm9YLPgXw
     gitea_jwt_secret: uJni4x4e0AzpkLYc-t4keRJKOB6EaLzwVsdLeamkFyU
     gitea_db_password: Eegh7Aothooph7pa6eu7eitha_zaim0G
 
   roles:
-    - role: ds_gitea
+    - role: ds-gitea
 #+end_src
 
 * License

defaults/main.yml

@@ -3,13 +3,3 @@ gitea_user: git
 gitea_group: git
 gitea_http_port: 3000
 gitea_ssh_port: 22
-gitea_work_path: /var/lib/gitea
-gitea_app_data_path: /var/lib/gitea/data
-gitea_repo_root: /var/lib/gitea/data/gitea-repositories
-gitea_lfs_path: /var/lib/gitea/data/lfs
-gitea_log_path: /var/lib/gitea/log
-gitea_require_signin_view: true
-gitea_disable_registration: true
-gitea_register_manual_confirm: false
-gitea_enable_captcha: false
-gitea_default_keep_email_private: true

examples/certbot-playbook.yml

@@ -1,34 +0,0 @@
----
-- name: Install Gitea
-  hosts: gitea
-  become: true
-
-  roles:
-    - role: ds_postgresql
-    - role: ds_nginx
-    - role: ds_gitea
-      vars:
-        gitea_user: git
-        gitea_group: git
-        gitea_database_server: postgresql
-        gitea_binary_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64
-        gitea_checksum_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64.sha256
-        gitea_app_name: Tom's IT Cafe Test Gitea Server
-        gitea_domain: gitea.tomsitcafe.com
-        gitea_ssh_domain: "{{ gitea_domain }}"
-        gitea_http_port: 3000
-        gitea_ssh_port: 22
-        gitea_root_url: https://{{ gitea_domain }}
-        gitea_reverse_proxy: nginx
-        gitea_enable_https: true
-        gitea_lets_encrypt: true
-        gitea_enable_http_redirect: true
-        gitea_certbot_email: tom@tomsitcafe.com
-        gitea_ssl_cert: /etc/letsencrypt/live/{{ gitea_domain }}/fullchain.pem
-        gitea_ssl_key: /etc/letsencrypt/live/{{ gitea_domain }}/privkey.pem
-        gitea_ssl_trusted_certificate: /etc/letsencrypt/live/{{ gitea_domain }}/chain.pem
-        # Secrets to SOPS
-        gitea_lfs_jwt_secret: G9bZrRHMhRQ8w4R0KkH2VLnx2rzq81ROQ951IQjlMs4
-        gitea_internal_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NzA2Mzk1Njh9.ybbaeNLFiLbyvxfj4vkqhXSAXKRGpwvP8jIm9YLPgXw
-        gitea_jwt_secret: uJni4x4e0AzpkLYc-t4keRJKOB6EaLzwVsdLeamkFyU
-        gitea_db_password: Eegh7Aothooph7pa6eu7eitha_zaim0G

examples/lightweight-playbook.yml

@@ -1,21 +0,0 @@
-- name: Install Gitea
-  hosts: gitea
-  become: true
-
-  roles:
-    - role: ds_gitea
-      vars:
-        gitea_user: git
-        gitea_group: git
-        gitea_binary_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64
-        gitea_checksum_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64.sha256
-        gitea_app_name: Tom's IT Cafe Test Gitea Server
-        gitea_domain: gitea.tomsitcafe.com
-        gitea_ssh_domain: "{{ gitea_domain }}"
-        gitea_http_port: 3000
-        gitea_ssh_port: 22
-        gitea_root_url: http://{{ gitea_domain }}:{{ gitea_http_port }}
-        # Secrets to SOPS
-        gitea_lfs_jwt_secret: G9bZrRHMhRQ8w4R0KkH2VLnx2rzq81ROQ951IQjlMs4
-        gitea_internal_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NzA2Mzk1Njh9.ybbaeNLFiLbyvxfj4vkqhXSAXKRGpwvP8jIm9YLPgXw
-        gitea_jwt_secret: uJni4x4e0AzpkLYc-t4keRJKOB6EaLzwVsdLeamkFyU

examples/self-signed-playbook.yml

@@ -1,31 +0,0 @@
-- name: Install Gitea
-  hosts: gitea
-  become: true
-
-  roles:
-    - role: ds_postgresql
-    - role: ds_nginx
-    - role: ds_gitea
-      vars:
-        gitea_user: git
-        gitea_group: git
-        gitea_database_server: postgresql
-        gitea_binary_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64
-        gitea_checksum_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64.sha256
-        gitea_app_name: Tom's IT Cafe Test Gitea Server
-        gitea_domain: gitea.tomsitcafe.com
-        gitea_ssh_domain: "{{ gitea_domain }}"
-        gitea_http_port: 3000
-        gitea_ssh_port: 22
-        gitea_root_url: https://{{ gitea_domain }}
-        gitea_reverse_proxy: nginx
-        gitea_enable_https: true
-        gitea_self_signed: true
-        gitea_ssl_cert: /var/lib/gitea/certs/cert.pem
-        gitea_ssl_key: /var/lib/gitea/certs/key.pem
-        gitea_enable_http_redirect: true
-        # Secrets to SOPS
-        gitea_lfs_jwt_secret: G9bZrRHMhRQ8w4R0KkH2VLnx2rzq81ROQ951IQjlMs4
-        gitea_internal_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NzA2Mzk1Njh9.ybbaeNLFiLbyvxfj4vkqhXSAXKRGpwvP8jIm9YLPgXw
-        gitea_jwt_secret: uJni4x4e0AzpkLYc-t4keRJKOB6EaLzwVsdLeamkFyU
-        gitea_db_password: Eegh7Aothooph7pa6eu7eitha_zaim0G

tasks/lets-encrypt.yml

@@ -1,29 +0,0 @@
----
-- name: Install certbot
-  ansible.builtin.apt:
-    name:
-      - certbot
-    state: present
-
-- name: Ensure webroot directory exists
-  ansible.builtin.file:
-    path: /var/www/html/.well-known/acme-challenge
-    state: directory
-    owner: www-data
-    group: www-data
-    mode: '0755'
-
-- name: Obtain or renew TLS certificate (non-destructive)
-  ansible.builtin.command:
-    cmd: >
-      certbot certonly
-      --webroot
-      -w /var/www/html
-      -d {{ gitea_domain }}
-      --agree-tos
-      --email {{ gitea_certbot_email }}
-      --non-interactive
-      --keep-until-expiring
-  register: certbot_result
-  changed_when: "'Congratulations' in certbot_result.stdout"
-  notify: Reload_nginx

tasks/main.yml

@@ -9,7 +9,6 @@
     state: present
 
 - name: Set up the PostgreSQL database
-  when: gitea_database_server | default('') == "postgresql"
   block:
     - name: Ensure PostgreSQL Python client is installed
       ansible.builtin.apt:
@@ -22,7 +21,6 @@
         name: gitea
         password: "{{ gitea_db_password }}"
         role_attr_flags: "NOSUPERUSER,NOCREATEDB,NOCREATEROLE"
-      become: true
       become_user: postgres
 
     - name: Create the gitea database
@@ -33,7 +31,6 @@
         encoding: UTF8
         lc_collate: en_US.UTF-8
         lc_ctype: en_US.UTF-8
-      become: true
       become_user: postgres
 
     - name: Ensure pg_hba.conf has local access for gitea
@@ -42,12 +39,12 @@
         regexp: '^local\s+giteadb\s+gitea\s+'
         line: 'local    giteadb    gitea    scram-sha-256'
         state: present
-        backup: true
+        backup: yes
       notify:
         - Reload_postgresql
+  when: gitea_database_server | default('') == "postgresql"
 
 - name: Set up the reverse proxy
-  when: gitea_reverse_proxy | default('') == "nginx"
   block:
     - name: Deploy the site configuration
       ansible.builtin.template:
@@ -67,6 +64,7 @@
         group: root
         force: true
       notify: Reload_nginx
+  when: gitea_reverse_proxy | default('') == "nginx"
 
 - name: Create the gitea group
   ansible.builtin.group:
@@ -76,9 +74,8 @@
 - name: Create the gitea user
   ansible.builtin.user:
     name: "{{ gitea_user }}"
-    comment: "Gitea Service User"
     group: "{{ gitea_group }}"
-    home: "{{ gitea_work_path }}"
+    home: /home/{{ gitea_user }}
     shell: /bin/bash
     password: '*'
     system: true
@@ -89,9 +86,6 @@
     url: "{{ gitea_binary_url }}"
     dest: /usr/local/bin/gitea
     checksum: "sha256:{{ gitea_checksum_url }}"
-    owner: "{{ gitea_user }}"
-    group: "{{ gitea_group }}"
-    mode: '0750'
 
 - name: Set the permissions of the Gitea binary
   ansible.builtin.file:
@@ -105,11 +99,6 @@
     file: self-signed-cert.yml
   when: gitea_self_signed | default(false)
 
-- name: Configure the Let's Encrypt certificates
-  ansible.builtin.include_tasks:
-    file: lets-encrypt.yml
-  when: gitea_lets_encrypt | default(false)
-
 - name: Pause to generate and save the secrets in SOPS
   ansible.builtin.pause:
     prompt: |
@@ -131,7 +120,7 @@
 
 - name: Create the data dir base
   ansible.builtin.file:
-    path: "{{ gitea_work_path }}"
+    path: /var/lib/gitea
     owner: "{{ gitea_user }}"
     group: "{{ gitea_group }}"
     mode: '0750'
@@ -145,9 +134,9 @@
     mode: '0750'
     state: directory
   loop:
-    - "{{ gitea_work_path }}/custom"
+    - /var/lib/gitea/custom
-    - "{{ gitea_app_data_path }}"
+    - /var/lib/gitea/data
-    - "{{ gitea_log_path }}"
+    - /var/lib/gitea/log
 
 - name: Create the config dir
   ansible.builtin.file:

tasks/self-signed-cert.yml

@@ -1,7 +1,7 @@
 ---
 - name: Create the certs directory
   ansible.builtin.file:
-    path: "{{ gitea_work_path }}/certs"
+    path: /var/lib/gitea/certs
     owner: "{{ gitea_user }}"
     group: "{{ gitea_group }}"
     mode: '0750'
@@ -11,9 +11,8 @@
   ansible.builtin.command: >
     gitea cert
     --host {{ gitea_domain }},{{ gitea_ssh_domain }}
-    --out {{ gitea_work_path }}/certs/cert.pem
+    --out /var/lib/gitea/certs/cert.pem
-    --keyout {{ gitea_work_path }}/certs/key.pem
+    --keyout /var/lib/gitea/certs/key.pem
-  become: true
   become_user: "{{ gitea_user }}"
   args:
-    creates: "{{ gitea_work_path }}/certs/cert.pem"
+    creates: /var/lib/gitea/certs/cert.pem

templates/app.ini.j2

@@ -2,7 +2,7 @@
 
 APP_NAME = {{ gitea_app_name }}
 RUN_USER = {{ gitea_user }}
-WORK_PATH = {{ gitea_work_path }}
+WORK_PATH = /var/lib/gitea
 RUN_MODE = prod
 
 {% if gitea_database_server | default('') == "postgresql" %}
@@ -22,19 +22,19 @@ USER = {{ gitea_user }}
 PASSWD = 
 SCHEMA = 
 SSL_MODE = disable
-PATH = {{ gitea_app_data_path }}/gitea.db
+PATH = /var/lib/gitea/data/gitea.db
 LOG_SQL = false
 {% endif %}
 
 [repository]
-ROOT = {{ gitea_repo_root }}
+ROOT = /var/lib/gitea/data/gitea-repositories
 
 [server]
 SSH_DOMAIN = {{ gitea_ssh_domain }}
 DOMAIN = {{ gitea_domain }}
 HTTP_PORT = {{ gitea_http_port }}
 ROOT_URL = {{ gitea_root_url }}
-APP_DATA_PATH = {{ gitea_app_data_path }}
+APP_DATA_PATH = /var/lib/gitea/data
 DISABLE_SSH = false
 SSH_PORT = {{ gitea_ssh_port }}
 LFS_START_SERVER = true
@@ -42,7 +42,7 @@ LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }}
 OFFLINE_MODE = true
 
 [lfs]
-PATH = {{ gitea_lfs_path }}
+PATH = /var/lib/gitea/data/lfs
 
 [mailer]
 ENABLED = false
@@ -50,15 +50,14 @@ ENABLED = false
 [service]
 REGISTER_EMAIL_CONFIRM = false
 ENABLE_NOTIFY_MAIL = false
-DISABLE_REGISTRATION = {{ gitea_disable_registration }}
+DISABLE_REGISTRATION = false
 ALLOW_ONLY_EXTERNAL_REGISTRATION = false
-ENABLE_CAPTCHA = {{ gitea_enable_captcha }}
+ENABLE_CAPTCHA = false
-REQUIRE_SIGNIN_VIEW = {{ gitea_require_signin_view }}
+REQUIRE_SIGNIN_VIEW = false
-DEFAULT_KEEP_EMAIL_PRIVATE = {{ gitea_default_keep_email_private }}
+DEFAULT_KEEP_EMAIL_PRIVATE = false
 DEFAULT_ALLOW_CREATE_ORGANIZATION = true
 DEFAULT_ENABLE_TIMETRACKING = true
 NO_REPLY_ADDRESS = noreply.localhost
-REGISTER_MANUAL_CONFIRM = {{ gitea_register_manual_confirm }}
 
 [openid]
 ENABLE_OPENID_SIGNIN = false
@@ -73,7 +72,7 @@ PROVIDER = file
 [log]
 MODE = console
 LEVEL = info
-ROOT_PATH = {{ gitea_log_path }}
+ROOT_PATH = /var/lib/gitea/log
 
 [repository.pull-request]
 DEFAULT_MERGE_STYLE = merge

templates/gitea.j2

@@ -2,71 +2,54 @@
 
 {% if gitea_enable_https | default(false) %}
 server {
-  listen 443 ssl;
+    listen 443 ssl http2;
-  http2 on;
+    server_name {{ gitea_domain }};
-  server_name {{ gitea_domain }};
 
-  ssl_certificate     {{ gitea_ssl_cert }};
+    ssl_certificate     {{ gitea_ssl_cert }};
-  ssl_certificate_key {{ gitea_ssl_key }};
+    ssl_certificate_key {{ gitea_ssl_key }};
-{% if gitea_lets_encrypt | default(false) %}
-  ssl_trusted_certificate {{ gitea_ssl_trusted_certificate }};
-{% endif %}
 
-  ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
 
-  client_max_body_size 50M;
+    client_max_body_size 50M;
 
-  location / {
+    location / {
-    client_max_body_size 512M;
+        client_max_body_size 512M;
-    proxy_pass http://localhost:{{ gitea_http_port }};
+        proxy_pass http://localhost:{{ gitea_http_port }};
-    proxy_set_header Connection $http_connection;
+        proxy_set_header Connection $http_connection;
-    proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Host $host;
+        proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Proto $scheme;
-  }
+    }
 }
 
 {% if gitea_enable_http_redirect | default(true) %}
 server {
-  listen 80;
+    listen 80;
-  server_name {{ gitea_domain }};
+    server_name {{ gitea_domain }};
-
-  {% if gitea_lets_encrypt | default(false) %}
-  # Allow Let's Encrypt to verify certificates
-  location ^~ /.well-known/acme-challenge/ {
-    root /var/www/html;
-    allow all;
-  }
-
-  # Redirect everything else to HTTPS
-  location / {
     return 301 https://$host$request_uri;
-  }
-  {% else %}
-  return 301 https://$host$request_uri;
-  {% endif %}
 }
 {% endif %}
 
 {% else %}
 # HTTP-only configuration
 server {
-  listen 80;
+    listen 80;
-  server_name {{ gitea_domain }};
+    server_name {{ gitea_domain }};
 
-  client_max_body_size 50M;
+    client_max_body_size 50M;
 
-  location / {
+    location / {
-    client_max_body_size 512M;
+        client_max_body_size 512M;
-    proxy_pass http://localhost:{{ gitea_http_port }};
+        proxy_pass http://localhost:{{ gitea_http_port }};
-    proxy_set_header Connection $http_connection;
+        proxy_set_header Connection $http_connection;
-    proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Host $host;
+        proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Proto $scheme;
-  }
+    }
 }
 {% endif %}

templates/gitea.service.j2

@@ -13,10 +13,10 @@ RestartSec=2s
 Type=simple
 User={{ gitea_user }}
 Group={{ gitea_group }}
-WorkingDirectory={{ gitea_work_path }}
+WorkingDirectory=/var/lib/gitea/
 ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
 Restart=always
-Environment=USER={{ gitea_user }} HOME={{ gitea_work_path }} GITEA_WORK_DIR={{ gitea_work_path }}
+Environment=USER={{ gitea_user }} HOME=/home/{{ gitea_user }} GITEA_WORK_DIR=/var/lib/gitea
 
 [Install]
 WantedBy=multi-user.target