Merge pull request 'New options in the app.ini template.' (#2) from development into main

Reviewed-on: ghost-automation/ds-gitea#2

README.org

@@ -1,34 +1,33 @@
-#+TITLE: Gitea Server Installer Role
+#+TITLE: Gitea Server Role
 #+AUTHOR: DeadSwitch | The Silent Architect
 #+OPTIONS: toc:nil num:nil \n:t
 
-[[https://opensource.org/licenses/MIT][https://img.shields.io/badge/license-MIT-blue.svg]] [[https://img.shields.io/badge/version-3.0.0-green.svg]]
+[[https://opensource.org/licenses/MIT][https://img.shields.io/badge/license-MIT-blue.svg]] [[https://img.shields.io/badge/version-3.0.2-green.svg]]
 
 * ds-gitea
 
-This role installs and configures a [[https://docs.gitea.com/][Gitea]] server.
+This role can install and configures a [[https://docs.gitea.com/][Gitea]] server.
 
-It uses SQLite as its default database service - with optional PostgreSQL support.
+It uses SQLite as its default database service - with optional PostgreSQL support (=ds-posgresql=).
 
-The role can set up a reverse proxy with SSL using Nginx.
+The role can set up a reverse proxy with SSL using Nginx (=ds-nginx=).
 Self-signed certificates and Let's Encrypt with =certbot= are supported.
 
-- Use the =ds-ufw= role to configure the firewall.
+The =ds-ufw= role can configure the firewall.
-- Use the =ds-posgresql= role to configure the database.
+
-- Use the =ds-nginx= role to install the proxy server.
+The =ds-act_runner= role can configure and register Actions runners.
-- Use the =ds-act_runner= role to configure and register Actions runners.
 
 * Role Behavior
 
 1. Download and install the Gitea binary
 2. (Optionally) Set up the PostgreSQL user and database
-3. Set up the user and group for the service
+3. (Optionally) Set up an =nginx= reverse proxy with SSL support
-4. Create the required directory structure
+4. Create a user and group for the service
-5. Wait for the secret creation and storage in SOPS - if secrets are not present
+5. Create the required directory structure
-6. Deploy the Gitea configuration
+6. Wait to save the secrets in SOPS (only if secrets are not present)
-7. Deploy the Gitea systemd service file
+7. Deploy the Gitea =app.ini= configuration
-8. (Optionally) Set up the reverse proxy with optional SSL
+8. Deploy the Gitea systemd service
-9. Enable and start the service
+9. Enable and start the services
 
 * Defaults
 
@@ -37,8 +36,11 @@ gitea_user: git
 gitea_group: git
 gitea_http_port: 3000
 gitea_ssh_port: 22
-gitea_database_server: ''
+gitea_require_signin_view: true
-gitea_reverse_proxy: ''
+gitea_disable_registration: true
+gitea_register_manual_confirm: false
+gitea_enable_captcha: false
+gitea_default_keep_email_private: true
 #+end_src
 
 * Requirements
@@ -50,34 +52,40 @@ gitea_reverse_proxy: ''
 - ca-certificates
 - (optional) PosgreSQL database
 - (optional) Nginx server
+- (optional) certbot for Let's Encrypt
 
 * Variables
 
-| Variable                   | Type    | Comment                                      |
+| Variable                         | Type    | Comment                                          |
-|----------------------------+---------+----------------------------------------------|
+|----------------------------------+---------+--------------------------------------------------|
-| gitea_user                 | string  | Gitea user                                   |
+| gitea_user                       | string  | Gitea user                                       |
-| gitea_group                | string  | Gitea group                                  |
+| gitea_group                      | string  | Gitea group                                      |
-| gitea_binary_url           | string  | Download URL of Gitea                        |
+| gitea_binary_url                 | string  | Download URL of Gitea                            |
-| gitea_checksum_url         | string  | Checksum URL of the binary                   |
+| gitea_checksum_url               | string  | Checksum URL of the binary                       |
-| gitea_app_name             | string  | Gitea server title                           |
+| gitea_app_name                   | string  | Gitea server title                               |
-| gitea_ssh_domain           | string  | SSH domain                                   |
+| gitea_ssh_domain                 | string  | SSH domain                                       |
-| gitea_domain               | string  | Domain to reach Gitea                        |
+| gitea_domain                     | string  | Domain to reach Gitea                            |
-| gitea_http_port            | int     | HTTP port                                    |
+| gitea_http_port                  | int     | HTTP port                                        |
-| gitea_ssh_port             | int     | SSH port                                     |
+| gitea_ssh_port                   | int     | SSH port                                         |
-| gitea_root_url             | string  | Protocol + FQDN + port                       |
+| gitea_root_url                   | string  | Protocol + FQDN + port                           |
-| gitea_lfs_jwt_secret       | string  | LFS storage secret                           |
+| gitea_lfs_jwt_secret             | string  | LFS storage secret                               |
-| gitea_internal_token       | string  | Internal token                               |
+| gitea_internal_token             | string  | Internal token                                   |
-| gitea_jwt_secret           | string  | JWT secret                                   |
+| gitea_jwt_secret                 | string  | JWT secret                                       |
-| gitea_database_server      | string  | DB server - 'postgresql' or empty for sqlite |
+| gitea_database_server            | string  | DB server - 'postgresql' or empty for sqlite     |
-| gitea_db_password          | string  | PosgreSQL db password (if pgsql is used)     |
+| gitea_db_password                | string  | PosgreSQL db password (if pgsql is used)         |
-| gitea_reverse_proxy        | string  | Reverse proxy to use or not set for no proxy |
+| gitea_reverse_proxy              | string  | Reverse proxy to use or not set for no proxy     |
-| gitea_enable_https         | boolean | Configure HTTPS in the proxy                 |
+| gitea_enable_https               | boolean | Configure HTTPS in the proxy                     |
-| gitea_ssl_cert             | string  | SSL certificate                              |
+| gitea_ssl_cert                   | string  | SSL certificate                                  |
-| gitea_ssl_key              | string  | SSL key                                      |
+| gitea_ssl_key                    | string  | SSL key                                          |
-| gitea_enable_http_redirect | boolean | Redirect HTTP to HTTPS                       |
+| gitea_enable_http_redirect       | boolean | Redirect HTTP to HTTPS                           |
-| gitea_self_signed          | boolean | Generate a self-signed cert and key          |
+| gitea_self_signed                | boolean | Generate a self-signed cert and key              |
-| gitea_lets_encrypt         | boolean | Use certbot to configure the SSL             |
+| gitea_lets_encrypt               | boolean | Use certbot to configure the SSL                 |
-| gitea_certbot_email        | string  | Email to register the certificates           |
+| gitea_certbot_email              | string  | Email to register the certificates               |
+| gitea_require_signin_view        | boolean | If false, public repos are visible without login |
+| gitea_disable_registration       | boolean | Turn off the user registration feature           |
+| gitea_register_manual_confirm    | boolean | Registration requires admin verification         |
+| gitea_enable_captcha             | boolean | Enable captcha for registration                  |
+| gitea_default_keep_email_private | boolean | Default email policy: private                    |
 
 * Handlers
 
@@ -88,7 +96,7 @@ gitea_reverse_proxy: ''
 
 Always save the production secrets in SOPS, or in Ansible Vault.
 
-Generate the secrets manually when the playbook stops:
+You can generate the secrets manually when the playbook stops:
 
 #+begin_src shell
 gitea generate secret INTERNAL_TOKEN
@@ -101,6 +109,8 @@ Then re-run the playbook to finish the installation.
 
 * Example Playbook
 
+You can find more playbook examples in the =examples= directory.
+
 #+begin_src yaml
 - name: Deploy a Gitea server
   hosts: gitea

defaults/main.yml

@@ -3,3 +3,8 @@ gitea_user: git
 gitea_group: git
 gitea_http_port: 3000
 gitea_ssh_port: 22
+gitea_require_signin_view: true
+gitea_disable_registration: true
+gitea_register_manual_confirm: false
+gitea_enable_captcha: false
+gitea_default_keep_email_private: true

examples/lightweight-playbook.yml

@@ -19,4 +19,3 @@
         gitea_lfs_jwt_secret: G9bZrRHMhRQ8w4R0KkH2VLnx2rzq81ROQ951IQjlMs4 
         gitea_internal_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NzA2Mzk1Njh9.ybbaeNLFiLbyvxfj4vkqhXSAXKRGpwvP8jIm9YLPgXw
         gitea_jwt_secret: uJni4x4e0AzpkLYc-t4keRJKOB6EaLzwVsdLeamkFyU
-        gitea_db_password: Eegh7Aothooph7pa6eu7eitha_zaim0G

templates/app.ini.j2

@@ -50,14 +50,15 @@ ENABLED = false
 [service]
 REGISTER_EMAIL_CONFIRM = false
 ENABLE_NOTIFY_MAIL = false
-DISABLE_REGISTRATION = false
+DISABLE_REGISTRATION = {{ gitea_disable_registration }}
 ALLOW_ONLY_EXTERNAL_REGISTRATION = false
-ENABLE_CAPTCHA = false
+ENABLE_CAPTCHA = {{ gitea_enable_captcha }}
-REQUIRE_SIGNIN_VIEW = false
+REQUIRE_SIGNIN_VIEW = {{ gitea_require_signin_view }}
-DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_KEEP_EMAIL_PRIVATE = {{ gitea_default_keep_email_private }}
 DEFAULT_ALLOW_CREATE_ORGANIZATION = true
 DEFAULT_ENABLE_TIMETRACKING = true
 NO_REPLY_ADDRESS = noreply.localhost
+REGISTER_MANUAL_CONFIRM = {{ gitea_register_manual_confirm }}
 
 [openid]
 ENABLE_OPENID_SIGNIN = false