Merge pull request 'Linting during the CI.' (#3 ) from development into main

Reviewed-on: #3
Merge pull request 'New options in the app.ini template.' (#2 ) from development into main
2026-02-18 18:01:06 +01:00 · 2026-02-15 15:37:27 +01:00 · 2026-02-12 07:20:30 +01:00 · 2026-02-11 21:43:35 +01:00 · 2026-02-11 17:18:47 +01:00 · 2026-02-11 13:20:18 +01:00
6 changed files with 61 additions and 73 deletions
--- a/README.org
+++ b/README.org
@@ -2,17 +2,17 @@
 #+AUTHOR: DeadSwitch | The Silent Architect
 #+OPTIONS: toc:nil num:nil \n:t

-[[https://opensource.org/licenses/MIT][https://img.shields.io/badge/license-MIT-blue.svg]] [[https://img.shields.io/badge/version-3.1.0-green.svg]]
+[[https://opensource.org/licenses/MIT][https://img.shields.io/badge/license-MIT-blue.svg]] [[https://img.shields.io/badge/version-3.0.3-green.svg]]

 * ds_gitea

 This role can install and configures a [[https://docs.gitea.com/][Gitea]] server.

- Defaults to SQLite backend with optional PostgreSQL support (Install it with =ds_posgresql=).
- It can set up a reverse proxy with SSL using Nginx (Install it with =ds_nginx=).
- The role supports self-signed certificates and /Let's Encrypt/ with =certbot=.
- The =ds_ufw= role can configure the host firewall.
- The =ds_act_runner= role can configure and register /Gitea Actions/ runners.
+- It uses SQLite as its default database service - with optional PostgreSQL support (=ds-posgresql=).
+- The role can set up a reverse proxy with SSL using Nginx (=ds-nginx=).
+- Self-signed certificates and Let's Encrypt with =certbot= are supported.
+- The =ds-ufw= role can configure the firewall.
+- The =ds-act_runner= role can configure and register Actions runners.

 * Role Behavior

@@ -21,7 +21,7 @@ This role can install and configures a [[https://docs.gitea.com/][Gitea]] server
 3. (Optionally) Set up an =nginx= reverse proxy with SSL support
 4. Create a user and group for the service
 5. Create the required directory structure
-6. Wait for the operator to save the secrets in SOPS or Ansible Vault (only if secrets are not present)
+6. Wait to save the secrets in SOPS (only if secrets are not present)
 7. Deploy the Gitea =app.ini= configuration
 8. Deploy the Gitea systemd service
 9. Enable and start the services
@@ -33,11 +33,6 @@ gitea_user: git
 gitea_group: git
 gitea_http_port: 3000
 gitea_ssh_port: 22
-gitea_work_path: /var/lib/gitea
-gitea_app_data_path: /var/lib/gitea/data
-gitea_repo_root: /var/lib/gitea/data/gitea-repositories
-gitea_lfs_path: /var/lib/gitea/data/lfs
-gitea_log_path: /var/lib/gitea/log
 gitea_require_signin_view: true
 gitea_disable_registration: true
 gitea_register_manual_confirm: false
@@ -58,46 +53,45 @@ gitea_default_keep_email_private: true

 * Variables

-| Variable                         | Type    | Comment                                                 |
-|----------------------------------+---------+---------------------------------------------------------|
-| gitea_user                       | string  | Gitea user                                              |
-| gitea_group                      | string  | Gitea group                                             |
-| gitea_binary_url                 | string  | Download URL of Gitea                                   |
-| gitea_checksum_url               | string  | Checksum URL of the binary                              |
-| gitea_app_name                   | string  | Gitea server title                                      |
-| gitea_ssh_domain                 | string  | SSH domain                                              |
-| gitea_domain                     | string  | Domain to reach Gitea                                   |
-| gitea_http_port                  | int     | HTTP port                                               |
-| gitea_ssh_port                   | int     | SSH port                                                |
-| gitea_work_path                  | string  | Workdir                                                 |
-| gitea_app_data_path              | string  | Application data path                                   |
-| gitea_repo_root                  | string  | Repo root path                                          |
-| gitea_lfs_path                   | string  | LFS path                                                |
-| gitea_log_path                   | string  | Log path                                                |
-| gitea_root_url                   | string  | Protocol + FQDN + port                                  |
-| gitea_lfs_jwt_secret             | string  | LFS storage secret                                      |
-| gitea_internal_token             | string  | Internal token                                          |
-| gitea_jwt_secret                 | string  | JWT secret                                              |
-| gitea_database_server            | string  | DB server - 'postgresql' or empty for sqlite            |
-| gitea_db_password                | string  | PosgreSQL db password (if pgsql is used)                |
-| gitea_reverse_proxy              | string  | 'nginx' to set up a reverse proxy or empty for no proxy |
-| gitea_enable_https               | boolean | Configure HTTPS in the proxy                            |
-| gitea_ssl_cert                   | string  | Path to the SSL certificate                             |
-| gitea_ssl_key                    | string  | Path to the SSL key                                     |
-| gitea_ssl_trusted_certificate    | string  | Path to the SSL certificate chain                       |
-| gitea_enable_http_redirect       | boolean | Redirect HTTP traffic to HTTPS                          |
-| gitea_self_signed                | boolean | Generate a self-signed certificate and key              |
-| gitea_lets_encrypt               | boolean | Use certbot to configure HTTPS                          |
-| gitea_certbot_email              | string  | Email to register the certificates                      |
-| gitea_require_signin_view        | boolean | If false, public repos are visible without login        |
-| gitea_disable_registration       | boolean | Turn off the user registration feature                  |
-| gitea_register_manual_confirm    | boolean | Registration requires admin verification                |
-| gitea_enable_captcha             | boolean | Enable captcha for registration                         |
-| gitea_default_keep_email_private | boolean | Default email policy: private                           |
+| Variable                         | Type    | Comment                                          |
+|----------------------------------+---------+--------------------------------------------------|
+| gitea_user                       | string  | Gitea user                                       |
+| gitea_group                      | string  | Gitea group                                      |
+| gitea_binary_url                 | string  | Download URL of Gitea                            |
+| gitea_checksum_url               | string  | Checksum URL of the binary                       |
+| gitea_app_name                   | string  | Gitea server title                               |
+| gitea_ssh_domain                 | string  | SSH domain                                       |
+| gitea_domain                     | string  | Domain to reach Gitea                            |
+| gitea_http_port                  | int     | HTTP port                                        |
+| gitea_ssh_port                   | int     | SSH port                                         |
+| gitea_root_url                   | string  | Protocol + FQDN + port                           |
+| gitea_lfs_jwt_secret             | string  | LFS storage secret                               |
+| gitea_internal_token             | string  | Internal token                                   |
+| gitea_jwt_secret                 | string  | JWT secret                                       |
+| gitea_database_server            | string  | DB server - 'postgresql' or empty for sqlite     |
+| gitea_db_password                | string  | PosgreSQL db password (if pgsql is used)         |
+| gitea_reverse_proxy              | string  | Reverse proxy to use or not set for no proxy     |
+| gitea_enable_https               | boolean | Configure HTTPS in the proxy                     |
+| gitea_ssl_cert                   | string  | SSL certificate                                  |
+| gitea_ssl_key                    | string  | SSL key                                          |
+| gitea_enable_http_redirect       | boolean | Redirect HTTP to HTTPS                           |
+| gitea_self_signed                | boolean | Generate a self-signed cert and key              |
+| gitea_lets_encrypt               | boolean | Use certbot to configure the SSL                 |
+| gitea_certbot_email              | string  | Email to register the certificates               |
+| gitea_require_signin_view        | boolean | If false, public repos are visible without login |
+| gitea_disable_registration       | boolean | Turn off the user registration feature           |
+| gitea_register_manual_confirm    | boolean | Registration requires admin verification         |
+| gitea_enable_captcha             | boolean | Enable captcha for registration                  |
+| gitea_default_keep_email_private | boolean | Default email policy: private                    |
+
+* Handlers
+
+- =Reload_systemd=: It runs a =daemon-reload=
+- =Restart_gitea=: It restarts the Gitea service

 * Secrets

-Always save the production secrets in SOPS or in Ansible Vault.
+Always save the production secrets in SOPS, or in Ansible Vault.

 You can generate the secrets manually when the playbook stops:

@@ -106,7 +100,7 @@ gitea generate secret INTERNAL_TOKEN
 gitea generate secret JWT_SECRET
 #+end_src

-Use the =JWT_SECRET= option to generate the =gitea_lfs_jwt_secret= as well.
+Use the =JWT_SECRET= command to generate the =gitea_lfs_jwt_secret= as well. It's an alias.

 Then re-run the playbook to finish the installation.

--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -3,11 +3,6 @@ gitea_user: git
 gitea_group: git
 gitea_http_port: 3000
 gitea_ssh_port: 22
-gitea_work_path: /var/lib/gitea
-gitea_app_data_path: /var/lib/gitea/data
-gitea_repo_root: /var/lib/gitea/data/gitea-repositories
-gitea_lfs_path: /var/lib/gitea/data/lfs
-gitea_log_path: /var/lib/gitea/log
 gitea_require_signin_view: true
 gitea_disable_registration: true
 gitea_register_manual_confirm: false
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -76,9 +76,8 @@
 - name: Create the gitea user
  ansible.builtin.user:
    name: "{{ gitea_user }}"
-    comment: "Gitea Service User"
    group: "{{ gitea_group }}"
-    home: "{{ gitea_work_path }}"
+    home: /home/{{ gitea_user }}
    shell: /bin/bash
    password: '*'
    system: true
@@ -131,7 +130,7 @@

 - name: Create the data dir base
  ansible.builtin.file:
-    path: "{{ gitea_work_path }}"
+    path: /var/lib/gitea
    owner: "{{ gitea_user }}"
    group: "{{ gitea_group }}"
    mode: '0750'
@@ -145,9 +144,9 @@
    mode: '0750'
    state: directory
  loop:
-    - "{{ gitea_work_path }}/custom"
-    - "{{ gitea_app_data_path }}"
-    - "{{ gitea_log_path }}"
+    - /var/lib/gitea/custom
+    - /var/lib/gitea/data
+    - /var/lib/gitea/log

 - name: Create the config dir
  ansible.builtin.file:
--- a/tasks/self-signed-cert.yml
+++ b/tasks/self-signed-cert.yml
@@ -1,7 +1,7 @@
 ---
 - name: Create the certs directory
  ansible.builtin.file:
-    path: "{{ gitea_work_path }}/certs"
+    path: /var/lib/gitea/certs
    owner: "{{ gitea_user }}"
    group: "{{ gitea_group }}"
    mode: '0750'
@@ -11,9 +11,9 @@
  ansible.builtin.command: >
    gitea cert
    --host {{ gitea_domain }},{{ gitea_ssh_domain }}
-    --out {{ gitea_work_path }}/certs/cert.pem
-    --keyout {{ gitea_work_path }}/certs/key.pem
+    --out /var/lib/gitea/certs/cert.pem
+    --keyout /var/lib/gitea/certs/key.pem
  become: true
  become_user: "{{ gitea_user }}"
  args:
-    creates: "{{ gitea_work_path }}/certs/cert.pem"
+    creates: /var/lib/gitea/certs/cert.pem
--- a/templates/app.ini.j2
+++ b/templates/app.ini.j2
@@ -2,7 +2,7 @@

 APP_NAME = {{ gitea_app_name }}
 RUN_USER = {{ gitea_user }}
-WORK_PATH = {{ gitea_work_path }}
+WORK_PATH = /var/lib/gitea
 RUN_MODE = prod

 {% if gitea_database_server | default('') == "postgresql" %}
@@ -22,19 +22,19 @@ USER = {{ gitea_user }}
 PASSWD = 
 SCHEMA = 
 SSL_MODE = disable
-PATH = {{ gitea_app_data_path }}/gitea.db
+PATH = /var/lib/gitea/data/gitea.db
 LOG_SQL = false
 {% endif %}

 [repository]
-ROOT = {{ gitea_repo_root }}
+ROOT = /var/lib/gitea/data/gitea-repositories

 [server]
 SSH_DOMAIN = {{ gitea_ssh_domain }}
 DOMAIN = {{ gitea_domain }}
 HTTP_PORT = {{ gitea_http_port }}
 ROOT_URL = {{ gitea_root_url }}
-APP_DATA_PATH = {{ gitea_app_data_path }}
+APP_DATA_PATH = /var/lib/gitea/data
 DISABLE_SSH = false
 SSH_PORT = {{ gitea_ssh_port }}
 LFS_START_SERVER = true
@@ -42,7 +42,7 @@ LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }}
 OFFLINE_MODE = true

 [lfs]
-PATH = {{ gitea_lfs_path }}
+PATH = /var/lib/gitea/data/lfs

 [mailer]
 ENABLED = false
@@ -73,7 +73,7 @@ PROVIDER = file
 [log]
 MODE = console
 LEVEL = info
-ROOT_PATH = {{ gitea_log_path }}
+ROOT_PATH = /var/lib/gitea/log

 [repository.pull-request]
 DEFAULT_MERGE_STYLE = merge
--- a/templates/gitea.service.j2
+++ b/templates/gitea.service.j2
@@ -13,10 +13,10 @@ RestartSec=2s
 Type=simple
 User={{ gitea_user }}
 Group={{ gitea_group }}
-WorkingDirectory={{ gitea_work_path }}
+WorkingDirectory=/var/lib/gitea/
 ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
 Restart=always
-Environment=USER={{ gitea_user }} HOME={{ gitea_work_path }} GITEA_WORK_DIR={{ gitea_work_path }}
+Environment=USER={{ gitea_user }} HOME=/home/{{ gitea_user }} GITEA_WORK_DIR=/var/lib/gitea

 [Install]
 WantedBy=multi-user.target
Author	SHA1	Message	Date
Tom	2004182b7e	Merge pull request 'Linting during the CI.' (#3 ) from development into main All checks were successful Test the role / test-the-role (push) Successful in 8s Details Reviewed-on: #3	2026-02-18 18:01:06 +01:00
Tom	bfabc38a46	Merge pull request 'New options in the app.ini template.' (#2 ) from development into main Reviewed-on: ghost-automation/ds-gitea#2	2026-02-15 15:37:27 +01:00
Tom	d3927f6c5d	Merge pull request 'Templated registration config.' (#1 ) from development into main Reviewed-on: ghost-automation/ds-gitea#1	2026-02-12 07:20:30 +01:00
Tom	e4ea3a420d	Merge pull request 'Added unregistered view.' (#10 ) from development into main Reviewed-on: http://gitea.tomsitcafe.com:3000/iron/ds-gitea/pulls/10	2026-02-11 21:43:35 +01:00
DeadSwitch	1816d8a585	Merge pull request 'Readme update and registration admin verification.' (#9 ) from development into main Reviewed-on: http://gitea.tomsitcafe.com:3000/iron/ds-gitea/pulls/9	2026-02-11 17:18:47 +01:00
DeadSwitch	09e8534569	Merge pull request 'Certbot (Let's Encrypt) support.' (#8 ) from development into main Reviewed-on: http://gitea.tomsitcafe.com:3000/iron/ds-gitea/pulls/8	2026-02-11 13:20:18 +01:00
DeadSwitch	7b0b2e8194	Merge pull request 'Proxy and SSL support' (#7 ) from development into main Reviewed-on: http://gitea.tomsitcafe.com:3000/iron/ds-gitea/pulls/7	2026-02-10 13:52:44 +01:00
DeadSwitch	c8fa7680ca	Merge pull request 'Service file update with the Postgresql service' (#6 ) from development into main Reviewed-on: http://gitea.tomsitcafe.com:3000/iron/ds-gitea/pulls/6	2026-02-10 10:18:17 +01:00
DeadSwitch	0f2c17071c	Merge pull request 'Added the PostgreSQL support to the role.' (#5 ) from development into main Reviewed-on: http://gitea.tomsitcafe.com:3000/iron/ds-gitea/pulls/5	2026-02-09 20:33:58 +01:00
DeadSwitch	d716fefb88	Merge pull request 'Fixed a typo in the readme.' (#3 ) from development into main Reviewed-on: http://gitea.tomsitcafe.com:3000/iron/ds-gitea/pulls/3	2026-02-09 15:44:16 +01:00
DeadSwitch	764883f26d	Gitea development v0.0.1 (#1 ) The first working version is tested against a Debian machine. Reviewed-on: http://gitea.tomsitcafe.com:3000/iron/ds-gitea/pulls/1 Co-authored-by: DeadSwitch <deadswitch404@proton.me> Co-committed-by: DeadSwitch <deadswitch404@proton.me>	2026-02-09 15:08:11 +01:00