Merge pull request 'New options in the app.ini template.' (#2) from development into main

Reviewed-on: ghost-automation/ds-gitea#2

README.org

@@ -1,57 +1,91 @@
-#+TITLE: Gitea Server Installer Role
+#+TITLE: Gitea Server Role
 #+AUTHOR: DeadSwitch | The Silent Architect
 #+OPTIONS: toc:nil num:nil \n:t
 
+[[https://opensource.org/licenses/MIT][https://img.shields.io/badge/license-MIT-blue.svg]] [[https://img.shields.io/badge/version-3.0.2-green.svg]]
+
 * ds-gitea
 
-This role installs and configures a basic [[https://docs.gitea.com/][Gitea]] server.
+This role can install and configures a [[https://docs.gitea.com/][Gitea]] server.
 
-Currently it uses SQLite as its database service.
+It uses SQLite as its default database service - with optional PostgreSQL support (=ds-posgresql=).
 
-Use the =ds-ufw= role to set up the firewall.
+The role can set up a reverse proxy with SSL using Nginx (=ds-nginx=).
+Self-signed certificates and Let's Encrypt with =certbot= are supported.
 
-* Features
+The =ds-ufw= role can configure the firewall.
 
-- Download and install the Gitea binary
+The =ds-act_runner= role can configure and register Actions runners.
-- Set up the user and group for the service
+
-- Create the required directory structure
+* Role Behavior
-- Deploy the Gitea configuration
+
-- Deploy the Gitea service file
+1. Download and install the Gitea binary
-- Enable and start the service
+2. (Optionally) Set up the PostgreSQL user and database
+3. (Optionally) Set up an =nginx= reverse proxy with SSL support
+4. Create a user and group for the service
+5. Create the required directory structure
+6. Wait to save the secrets in SOPS (only if secrets are not present)
+7. Deploy the Gitea =app.ini= configuration
+8. Deploy the Gitea systemd service
+9. Enable and start the services
 
 * Defaults
 
 #+begin_src yaml
 gitea_user: git
 gitea_group: git
+gitea_http_port: 3000
+gitea_ssh_port: 22
+gitea_require_signin_view: true
+gitea_disable_registration: true
+gitea_register_manual_confirm: false
+gitea_enable_captcha: false
+gitea_default_keep_email_private: true
 #+end_src
 
-The remaining variables must be declared in the inventory.
-
 * Requirements
 
 - Ansible >= 2.12
-- Debian-based OS (Bookworm, Trixie)
+- Debian 12+ or compatible
 - git
 - sudo
 - ca-certificates
+- (optional) PosgreSQL database
+- (optional) Nginx server
+- (optional) certbot for Let's Encrypt
 
 * Variables
 
-| Variable             | Type   | Comment                    |
+| Variable                         | Type    | Comment                                          |
-|----------------------+--------+----------------------------|
+|----------------------------------+---------+--------------------------------------------------|
-| gitea_user           | string | Gitea user                 |
+| gitea_user                       | string  | Gitea user                                       |
-| gitea_group          | string | Gitea group                |
+| gitea_group                      | string  | Gitea group                                      |
-| gitea_binary_url     | string | Download URL of Gitea      |
+| gitea_binary_url                 | string  | Download URL of Gitea                            |
-| gitea_checksum_url   | string | Checksum URL of the binary |
+| gitea_checksum_url               | string  | Checksum URL of the binary                       |
-| gitea_app_name       | string | Gitea application title    |
+| gitea_app_name                   | string  | Gitea server title                               |
-| gitea_ssh_domain     | string | SSH domain                 |
+| gitea_ssh_domain                 | string  | SSH domain                                       |
-| gitea_domain         | string | Domain to reach Gitea      |
+| gitea_domain                     | string  | Domain to reach Gitea                            |
-| gitea_http_port      | int    | Gitea HTTP port            |
+| gitea_http_port                  | int     | HTTP port                                        |
-| gitea_root_url       | string | Protocoll + FQDN           |
+| gitea_ssh_port                   | int     | SSH port                                         |
-| gitea_lfs_jwt_secret | string | LFS storage secret         |
+| gitea_root_url                   | string  | Protocol + FQDN + port                           |
-| gitea_internal_token | string | Internal token             |
+| gitea_lfs_jwt_secret             | string  | LFS storage secret                               |
-| gitea_jwt_secret     | string | JWT secret                 |
+| gitea_internal_token             | string  | Internal token                                   |
+| gitea_jwt_secret                 | string  | JWT secret                                       |
+| gitea_database_server            | string  | DB server - 'postgresql' or empty for sqlite     |
+| gitea_db_password                | string  | PosgreSQL db password (if pgsql is used)         |
+| gitea_reverse_proxy              | string  | Reverse proxy to use or not set for no proxy     |
+| gitea_enable_https               | boolean | Configure HTTPS in the proxy                     |
+| gitea_ssl_cert                   | string  | SSL certificate                                  |
+| gitea_ssl_key                    | string  | SSL key                                          |
+| gitea_enable_http_redirect       | boolean | Redirect HTTP to HTTPS                           |
+| gitea_self_signed                | boolean | Generate a self-signed cert and key              |
+| gitea_lets_encrypt               | boolean | Use certbot to configure the SSL                 |
+| gitea_certbot_email              | string  | Email to register the certificates               |
+| gitea_require_signin_view        | boolean | If false, public repos are visible without login |
+| gitea_disable_registration       | boolean | Turn off the user registration feature           |
+| gitea_register_manual_confirm    | boolean | Registration requires admin verification         |
+| gitea_enable_captcha             | boolean | Enable captcha for registration                  |
+| gitea_default_keep_email_private | boolean | Default email policy: private                    |
 
 * Handlers
 
@@ -60,9 +94,9 @@ The remaining variables must be declared in the inventory.
 
 * Secrets
 
-Always store the production secrets in SOPS, or in Ansible Vault.
+Always save the production secrets in SOPS, or in Ansible Vault.
 
-Generate the secrets manually when the playbook stops:
+You can generate the secrets manually when the playbook stops:
 
 #+begin_src shell
 gitea generate secret INTERNAL_TOKEN
@@ -75,6 +109,8 @@ Then re-run the playbook to finish the installation.
 
 * Example Playbook
 
+You can find more playbook examples in the =examples= directory.
+
 #+begin_src yaml
 - name: Deploy a Gitea server
   hosts: gitea
@@ -89,11 +125,29 @@ Then re-run the playbook to finish the installation.
     gitea_ssh_domain: gitea.tomsitcafe.com
     gitea_domain: gitea.tomsitcafe.com
     gitea_http_port: 3000
-    gitea_root_url: http://gitea.tomsitcafe.com:3000
+    gitea_root_url: https://gitea.tomsitcafe.com
-    # In prod put these secrets in SOPS:
+
+    # Optional Postgresql database backend
+    gitea_database_server: postgresql
+
+    # Optional Nginx reverse proxy configuration
+    gitea_reverse_proxy: nginx
+    gitea_enable_https: true          # Use HTTPS
+    gitea_self_signed: false          # Don't generate self-signed certs
+    gitea_lets_encrypt: true          # Use certbot
+    gitea_enable_http_redirect: true  # Redirect HTTP to HTTPS
+
+    # Certbot configuration
+    gitea_certbot_email: email@domain.tld
+    gitea_ssl_cert: /etc/letsencrypt/live/{{ gitea_domain }}/fullchain.pem
+    gitea_ssl_key: /etc/letsencrypt/live/{{ gitea_domain }}/privkey.pem
+    gitea_ssl_trusted_certificate: /etc/letsencrypt/live/{{ gitea_domain }}/chain.pem 
+
+    # In prod put the secrets in SOPS:
     gitea_lfs_jwt_secret: G9bZrRHMhRQ8w4R0KkH2VLnx2rzq81ROQ951IQjlMs4 
     gitea_internal_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NzA2Mzk1Njh9.ybbaeNLFiLbyvxfj4vkqhXSAXKRGpwvP8jIm9YLPgXw
     gitea_jwt_secret: uJni4x4e0AzpkLYc-t4keRJKOB6EaLzwVsdLeamkFyU
+    gitea_db_password: Eegh7Aothooph7pa6eu7eitha_zaim0G
 
   roles:
     - role: ds-gitea

defaults/main.yml

@@ -1,3 +1,10 @@
 ---
 gitea_user: git
 gitea_group: git
+gitea_http_port: 3000
+gitea_ssh_port: 22
+gitea_require_signin_view: true
+gitea_disable_registration: true
+gitea_register_manual_confirm: false
+gitea_enable_captcha: false
+gitea_default_keep_email_private: true

examples/certbot-playbook.yml

@@ -0,0 +1,34 @@
+---
+- name: Install Gitea
+  hosts: gitea
+  become: true
+
+  roles:
+    - role: ds-postgresql
+    - role: ds-nginx
+    - role: ds-gitea
+      vars:
+        gitea_user: git
+        gitea_group: git
+        gitea_database_server: postgresql
+        gitea_binary_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64
+        gitea_checksum_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64.sha256
+        gitea_app_name: Tom's IT Cafe Test Gitea Server
+        gitea_domain: gitea.tomsitcafe.com
+        gitea_ssh_domain: "{{ gitea_domain }}"
+        gitea_http_port: 3000
+        gitea_ssh_port: 22
+        gitea_root_url: https://{{ gitea_domain }}
+        gitea_reverse_proxy: nginx
+        gitea_enable_https: true
+        gitea_lets_encrypt: true
+        gitea_enable_http_redirect: true
+        gitea_certbot_email: tom@tomsitcafe.com
+        gitea_ssl_cert: /etc/letsencrypt/live/{{ gitea_domain }}/fullchain.pem
+        gitea_ssl_key: /etc/letsencrypt/live/{{ gitea_domain }}/privkey.pem
+        gitea_ssl_trusted_certificate: /etc/letsencrypt/live/{{ gitea_domain }}/chain.pem 
+        # Secrets to SOPS
+        gitea_lfs_jwt_secret: G9bZrRHMhRQ8w4R0KkH2VLnx2rzq81ROQ951IQjlMs4 
+        gitea_internal_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NzA2Mzk1Njh9.ybbaeNLFiLbyvxfj4vkqhXSAXKRGpwvP8jIm9YLPgXw
+        gitea_jwt_secret: uJni4x4e0AzpkLYc-t4keRJKOB6EaLzwVsdLeamkFyU
+        gitea_db_password: Eegh7Aothooph7pa6eu7eitha_zaim0G

examples/lightweight-playbook.yml

@@ -0,0 +1,21 @@
+- name: Install Gitea
+  hosts: gitea
+  become: true
+
+  roles:
+    - role: ds-gitea
+      vars:
+        gitea_user: git
+        gitea_group: git
+        gitea_binary_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64
+        gitea_checksum_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64.sha256
+        gitea_app_name: Tom's IT Cafe Test Gitea Server
+        gitea_domain: gitea.tomsitcafe.com
+        gitea_ssh_domain: "{{ gitea_domain }}"
+        gitea_http_port: 3000
+        gitea_ssh_port: 22
+        gitea_root_url: http://{{ gitea_domain }}:{{ gitea_http_port }}
+        # Secrets to SOPS
+        gitea_lfs_jwt_secret: G9bZrRHMhRQ8w4R0KkH2VLnx2rzq81ROQ951IQjlMs4 
+        gitea_internal_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NzA2Mzk1Njh9.ybbaeNLFiLbyvxfj4vkqhXSAXKRGpwvP8jIm9YLPgXw
+        gitea_jwt_secret: uJni4x4e0AzpkLYc-t4keRJKOB6EaLzwVsdLeamkFyU

examples/self-signed-playbook.yml

@@ -0,0 +1,31 @@
+- name: Install Gitea
+  hosts: gitea
+  become: true
+
+  roles:
+    - role: ds-postgresql
+    - role: ds-nginx
+    - role: ds-gitea
+      vars:
+        gitea_user: git
+        gitea_group: git
+        gitea_database_server: postgresql
+        gitea_binary_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64
+        gitea_checksum_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64.sha256
+        gitea_app_name: Tom's IT Cafe Test Gitea Server
+        gitea_domain: gitea.tomsitcafe.com
+        gitea_ssh_domain: "{{ gitea_domain }}"
+        gitea_http_port: 3000
+        gitea_ssh_port: 22
+        gitea_root_url: https://{{ gitea_domain }}
+        gitea_reverse_proxy: nginx
+        gitea_enable_https: true
+        gitea_self_signed: true
+        gitea_ssl_cert: /var/lib/gitea/certs/cert.pem
+        gitea_ssl_key: /var/lib/gitea/certs/key.pem
+        gitea_enable_http_redirect: true
+        # Secrets to SOPS
+        gitea_lfs_jwt_secret: G9bZrRHMhRQ8w4R0KkH2VLnx2rzq81ROQ951IQjlMs4 
+        gitea_internal_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NzA2Mzk1Njh9.ybbaeNLFiLbyvxfj4vkqhXSAXKRGpwvP8jIm9YLPgXw
+        gitea_jwt_secret: uJni4x4e0AzpkLYc-t4keRJKOB6EaLzwVsdLeamkFyU
+        gitea_db_password: Eegh7Aothooph7pa6eu7eitha_zaim0G

tasks/lets-encrypt.yml

@@ -0,0 +1,29 @@
+---
+- name: Install certbot
+  ansible.builtin.apt:
+    name:
+      - certbot
+    state: present
+
+- name: Ensure webroot directory exists
+  ansible.builtin.file:
+    path: /var/www/html/.well-known/acme-challenge
+    state: directory
+    owner: www-data
+    group: www-data
+    mode: '0755'
+
+- name: Obtain or renew TLS certificate (non-destructive)
+  ansible.builtin.command:
+    cmd: >
+      certbot certonly
+      --webroot
+      -w /var/www/html
+      -d {{ gitea_domain }}
+      --agree-tos
+      --email {{ gitea_certbot_email }}
+      --non-interactive
+      --keep-until-expiring
+  register: certbot_result
+  changed_when: "'Congratulations' in certbot_result.stdout"
+  notify: Reload_nginx

tasks/main.yml

@@ -8,6 +8,64 @@
     update_cache: true
     state: present
 
+- name: Set up the PostgreSQL database
+  block:
+    - name: Ensure PostgreSQL Python client is installed
+      ansible.builtin.apt:
+        name: python3-psycopg2
+        update_cache: true
+        state: present
+
+    - name: Create the gitea DB role
+      community.postgresql.postgresql_user:
+        name: gitea
+        password: "{{ gitea_db_password }}"
+        role_attr_flags: "NOSUPERUSER,NOCREATEDB,NOCREATEROLE"
+      become_user: postgres
+
+    - name: Create the gitea database
+      community.postgresql.postgresql_db:
+        name: giteadb
+        owner: gitea
+        template: template0
+        encoding: UTF8
+        lc_collate: en_US.UTF-8
+        lc_ctype: en_US.UTF-8
+      become_user: postgres
+
+    - name: Ensure pg_hba.conf has local access for gitea
+      ansible.builtin.lineinfile:
+        path: /etc/postgresql/{{ postgresql_version }}/main/pg_hba.conf
+        regexp: '^local\s+giteadb\s+gitea\s+'
+        line: 'local    giteadb    gitea    scram-sha-256'
+        state: present
+        backup: yes
+      notify:
+        - Reload_postgresql
+  when: gitea_database_server | default('') == "postgresql"
+
+- name: Set up the reverse proxy
+  block:
+    - name: Deploy the site configuration
+      ansible.builtin.template:
+        src: gitea.j2
+        dest: /etc/nginx/sites-available/gitea
+        owner: root
+        group: root
+        mode: '0644'
+      notify: Reload_nginx
+
+    - name: Enable the gitea site
+      ansible.builtin.file:
+        src: /etc/nginx/sites-available/gitea
+        dest: /etc/nginx/sites-enabled/gitea
+        state: link
+        owner: root
+        group: root
+        force: true
+      notify: Reload_nginx
+  when: gitea_reverse_proxy | default('') == "nginx"
+
 - name: Create the gitea group
   ansible.builtin.group:
     name: "{{ gitea_group }}"
@@ -18,7 +76,8 @@
     name: "{{ gitea_user }}"
     group: "{{ gitea_group }}"
     home: /home/{{ gitea_user }}
-    shell: /usr/sbin/nologin
+    shell: /bin/bash
+    password: '*'
     system: true
     create_home: true
     
@@ -35,6 +94,16 @@
     group: "{{ gitea_group }}"
     mode: '0750'
 
+- name: Generate self-signed certificates
+  ansible.builtin.include_tasks:
+    file: self-signed-cert.yml
+  when: gitea_self_signed | default(false)
+
+- name: Configure the Let's Encrypt certificates
+  ansible.builtin.include_tasks:
+    file: lets-encrypt.yml
+  when: gitea_lets_encrypt | default(false)
+  
 - name: Pause to generate and save the secrets in SOPS
   ansible.builtin.pause:
     prompt: |

tasks/self-signed-cert.yml

@@ -0,0 +1,18 @@
+---
+- name: Create the certs directory
+  ansible.builtin.file:
+    path: /var/lib/gitea/certs
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    mode: '0750'
+    state: directory
+
+- name: Generate the self-signed certs for Gitea
+  ansible.builtin.command: >
+    gitea cert
+    --host {{ gitea_domain }},{{ gitea_ssh_domain }}
+    --out /var/lib/gitea/certs/cert.pem
+    --keyout /var/lib/gitea/certs/key.pem
+  become_user: "{{ gitea_user }}"
+  args:
+    creates: /var/lib/gitea/certs/cert.pem

templates/app.ini.j2

@@ -5,6 +5,15 @@ RUN_USER = {{ gitea_user }}
 WORK_PATH = /var/lib/gitea
 RUN_MODE = prod
 
+{% if gitea_database_server | default('') == "postgresql" %}
+[database]
+DB_TYPE  = postgres
+HOST     = 127.0.0.1:5432
+NAME     = giteadb
+USER     = gitea
+PASSWD   = {{ gitea_db_password }}
+SSL_MODE = disable
+{% else %}
 [database]
 DB_TYPE = sqlite3
 HOST = 127.0.0.1:3306
@@ -15,6 +24,7 @@ SCHEMA =
 SSL_MODE = disable
 PATH = /var/lib/gitea/data/gitea.db
 LOG_SQL = false
+{% endif %}
 
 [repository]
 ROOT = /var/lib/gitea/data/gitea-repositories
@@ -26,7 +36,7 @@ HTTP_PORT = {{ gitea_http_port }}
 ROOT_URL = {{ gitea_root_url }}
 APP_DATA_PATH = /var/lib/gitea/data
 DISABLE_SSH = false
-SSH_PORT = 22
+SSH_PORT = {{ gitea_ssh_port }}
 LFS_START_SERVER = true
 LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }}
 OFFLINE_MODE = true
@@ -40,14 +50,15 @@ ENABLED = false
 [service]
 REGISTER_EMAIL_CONFIRM = false
 ENABLE_NOTIFY_MAIL = false
-DISABLE_REGISTRATION = false
+DISABLE_REGISTRATION = {{ gitea_disable_registration }}
 ALLOW_ONLY_EXTERNAL_REGISTRATION = false
-ENABLE_CAPTCHA = false
+ENABLE_CAPTCHA = {{ gitea_enable_captcha }}
-REQUIRE_SIGNIN_VIEW = false
+REQUIRE_SIGNIN_VIEW = {{ gitea_require_signin_view }}
-DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_KEEP_EMAIL_PRIVATE = {{ gitea_default_keep_email_private }}
 DEFAULT_ALLOW_CREATE_ORGANIZATION = true
 DEFAULT_ENABLE_TIMETRACKING = true
 NO_REPLY_ADDRESS = noreply.localhost
+REGISTER_MANUAL_CONFIRM = {{ gitea_register_manual_confirm }}
 
 [openid]
 ENABLE_OPENID_SIGNIN = false

templates/gitea.j2

@@ -0,0 +1,72 @@
+# {{ ansible_managed }}
+
+{% if gitea_enable_https | default(false) %}
+server {
+  listen 443 ssl;
+  http2 on;
+  server_name {{ gitea_domain }};
+
+  ssl_certificate     {{ gitea_ssl_cert }};
+  ssl_certificate_key {{ gitea_ssl_key }};
+{% if gitea_lets_encrypt | default(false) %}
+  ssl_trusted_certificate {{ gitea_ssl_trusted_certificate }};
+{% endif %}
+
+  ssl_protocols TLSv1.2 TLSv1.3;
+
+  client_max_body_size 50M;
+
+  location / {
+    client_max_body_size 512M;
+    proxy_pass http://localhost:{{ gitea_http_port }};
+    proxy_set_header Connection $http_connection;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+  }
+}
+
+{% if gitea_enable_http_redirect | default(true) %}
+server {
+  listen 80;
+  server_name {{ gitea_domain }};
+
+  {% if gitea_lets_encrypt | default(false) %}
+  # Allow Let's Encrypt to verify certificates
+  location ^~ /.well-known/acme-challenge/ {
+    root /var/www/html;
+    allow all;
+  }
+
+  # Redirect everything else to HTTPS
+  location / {
+    return 301 https://$host$request_uri;
+  }
+  {% else %}
+  return 301 https://$host$request_uri;
+  {% endif %}
+}
+{% endif %}
+
+{% else %}
+# HTTP-only configuration
+server {
+  listen 80;
+  server_name {{ gitea_domain }};
+
+  client_max_body_size 50M;
+
+  location / {
+    client_max_body_size 512M;
+    proxy_pass http://localhost:{{ gitea_http_port }};
+    proxy_set_header Connection $http_connection;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+  }
+}
+{% endif %}

templates/gitea.service.j2

@@ -3,6 +3,10 @@
 [Unit]
 Description=Gitea (Git with a cup of tea)
 After=network.target
+{% if gitea_database_server | default('') == "postgresql" %}
+Wants=postgresql.service
+After=postgresql.service
+{% endif %}
 
 [Service]
 RestartSec=2s