Compare commits
3 Commits
v3.0.3
...
developmen
| Author | SHA1 | Date | |
|---|---|---|---|
c77128583a
|
|||
|
53cb178ee8
|
|||
|
d0245e00b7
|
94
README.org
94
README.org
@@ -2,17 +2,17 @@
|
||||
#+AUTHOR: DeadSwitch | The Silent Architect
|
||||
#+OPTIONS: toc:nil num:nil \n:t
|
||||
|
||||
[[https://opensource.org/licenses/MIT][https://img.shields.io/badge/license-MIT-blue.svg]] [[https://img.shields.io/badge/version-3.0.3-green.svg]]
|
||||
[[https://opensource.org/licenses/MIT][https://img.shields.io/badge/license-MIT-blue.svg]] [[https://img.shields.io/badge/version-3.1.0-green.svg]]
|
||||
|
||||
* ds_gitea
|
||||
|
||||
This role can install and configures a [[https://docs.gitea.com/][Gitea]] server.
|
||||
|
||||
- It uses SQLite as its default database service - with optional PostgreSQL support (=ds-posgresql=).
|
||||
- The role can set up a reverse proxy with SSL using Nginx (=ds-nginx=).
|
||||
- Self-signed certificates and Let's Encrypt with =certbot= are supported.
|
||||
- The =ds-ufw= role can configure the firewall.
|
||||
- The =ds-act_runner= role can configure and register Actions runners.
|
||||
- Defaults to SQLite backend with optional PostgreSQL support (Install it with =ds_posgresql=).
|
||||
- It can set up a reverse proxy with SSL using Nginx (Install it with =ds_nginx=).
|
||||
- The role supports self-signed certificates and /Let's Encrypt/ with =certbot=.
|
||||
- The =ds_ufw= role can configure the host firewall.
|
||||
- The =ds_act_runner= role can configure and register /Gitea Actions/ runners.
|
||||
|
||||
* Role Behavior
|
||||
|
||||
@@ -21,7 +21,7 @@ This role can install and configures a [[https://docs.gitea.com/][Gitea]] server
|
||||
3. (Optionally) Set up an =nginx= reverse proxy with SSL support
|
||||
4. Create a user and group for the service
|
||||
5. Create the required directory structure
|
||||
6. Wait to save the secrets in SOPS (only if secrets are not present)
|
||||
6. Wait for the operator to save the secrets in SOPS or Ansible Vault (only if secrets are not present)
|
||||
7. Deploy the Gitea =app.ini= configuration
|
||||
8. Deploy the Gitea systemd service
|
||||
9. Enable and start the services
|
||||
@@ -33,6 +33,11 @@ gitea_user: git
|
||||
gitea_group: git
|
||||
gitea_http_port: 3000
|
||||
gitea_ssh_port: 22
|
||||
gitea_work_path: /var/lib/gitea
|
||||
gitea_app_data_path: /var/lib/gitea/data
|
||||
gitea_repo_root: /var/lib/gitea/data/gitea-repositories
|
||||
gitea_lfs_path: /var/lib/gitea/data/lfs
|
||||
gitea_log_path: /var/lib/gitea/log
|
||||
gitea_require_signin_view: true
|
||||
gitea_disable_registration: true
|
||||
gitea_register_manual_confirm: false
|
||||
@@ -53,45 +58,46 @@ gitea_default_keep_email_private: true
|
||||
|
||||
* Variables
|
||||
|
||||
| Variable | Type | Comment |
|
||||
|----------------------------------+---------+--------------------------------------------------|
|
||||
| gitea_user | string | Gitea user |
|
||||
| gitea_group | string | Gitea group |
|
||||
| gitea_binary_url | string | Download URL of Gitea |
|
||||
| gitea_checksum_url | string | Checksum URL of the binary |
|
||||
| gitea_app_name | string | Gitea server title |
|
||||
| gitea_ssh_domain | string | SSH domain |
|
||||
| gitea_domain | string | Domain to reach Gitea |
|
||||
| gitea_http_port | int | HTTP port |
|
||||
| gitea_ssh_port | int | SSH port |
|
||||
| gitea_root_url | string | Protocol + FQDN + port |
|
||||
| gitea_lfs_jwt_secret | string | LFS storage secret |
|
||||
| gitea_internal_token | string | Internal token |
|
||||
| gitea_jwt_secret | string | JWT secret |
|
||||
| gitea_database_server | string | DB server - 'postgresql' or empty for sqlite |
|
||||
| gitea_db_password | string | PosgreSQL db password (if pgsql is used) |
|
||||
| gitea_reverse_proxy | string | Reverse proxy to use or not set for no proxy |
|
||||
| gitea_enable_https | boolean | Configure HTTPS in the proxy |
|
||||
| gitea_ssl_cert | string | SSL certificate |
|
||||
| gitea_ssl_key | string | SSL key |
|
||||
| gitea_enable_http_redirect | boolean | Redirect HTTP to HTTPS |
|
||||
| gitea_self_signed | boolean | Generate a self-signed cert and key |
|
||||
| gitea_lets_encrypt | boolean | Use certbot to configure the SSL |
|
||||
| gitea_certbot_email | string | Email to register the certificates |
|
||||
| gitea_require_signin_view | boolean | If false, public repos are visible without login |
|
||||
| gitea_disable_registration | boolean | Turn off the user registration feature |
|
||||
| gitea_register_manual_confirm | boolean | Registration requires admin verification |
|
||||
| gitea_enable_captcha | boolean | Enable captcha for registration |
|
||||
| gitea_default_keep_email_private | boolean | Default email policy: private |
|
||||
|
||||
* Handlers
|
||||
|
||||
- =Reload_systemd=: It runs a =daemon-reload=
|
||||
- =Restart_gitea=: It restarts the Gitea service
|
||||
| Variable | Type | Comment |
|
||||
|----------------------------------+---------+---------------------------------------------------------|
|
||||
| gitea_user | string | Gitea user |
|
||||
| gitea_group | string | Gitea group |
|
||||
| gitea_binary_url | string | Download URL of Gitea |
|
||||
| gitea_checksum_url | string | Checksum URL of the binary |
|
||||
| gitea_app_name | string | Gitea server title |
|
||||
| gitea_ssh_domain | string | SSH domain |
|
||||
| gitea_domain | string | Domain to reach Gitea |
|
||||
| gitea_http_port | int | HTTP port |
|
||||
| gitea_ssh_port | int | SSH port |
|
||||
| gitea_work_path | string | Workdir |
|
||||
| gitea_app_data_path | string | Application data path |
|
||||
| gitea_repo_root | string | Repo root path |
|
||||
| gitea_lfs_path | string | LFS path |
|
||||
| gitea_log_path | string | Log path |
|
||||
| gitea_root_url | string | Protocol + FQDN + port |
|
||||
| gitea_lfs_jwt_secret | string | LFS storage secret |
|
||||
| gitea_internal_token | string | Internal token |
|
||||
| gitea_jwt_secret | string | JWT secret |
|
||||
| gitea_database_server | string | DB server - 'postgresql' or empty for sqlite |
|
||||
| gitea_db_password | string | PosgreSQL db password (if pgsql is used) |
|
||||
| gitea_reverse_proxy | string | 'nginx' to set up a reverse proxy or empty for no proxy |
|
||||
| gitea_enable_https | boolean | Configure HTTPS in the proxy |
|
||||
| gitea_ssl_cert | string | Path to the SSL certificate |
|
||||
| gitea_ssl_key | string | Path to the SSL key |
|
||||
| gitea_ssl_trusted_certificate | string | Path to the SSL certificate chain |
|
||||
| gitea_enable_http_redirect | boolean | Redirect HTTP traffic to HTTPS |
|
||||
| gitea_self_signed | boolean | Generate a self-signed certificate and key |
|
||||
| gitea_lets_encrypt | boolean | Use certbot to configure HTTPS |
|
||||
| gitea_certbot_email | string | Email to register the certificates |
|
||||
| gitea_require_signin_view | boolean | If false, public repos are visible without login |
|
||||
| gitea_disable_registration | boolean | Turn off the user registration feature |
|
||||
| gitea_register_manual_confirm | boolean | Registration requires admin verification |
|
||||
| gitea_enable_captcha | boolean | Enable captcha for registration |
|
||||
| gitea_default_keep_email_private | boolean | Default email policy: private |
|
||||
|
||||
* Secrets
|
||||
|
||||
Always save the production secrets in SOPS, or in Ansible Vault.
|
||||
Always save the production secrets in SOPS or in Ansible Vault.
|
||||
|
||||
You can generate the secrets manually when the playbook stops:
|
||||
|
||||
@@ -100,7 +106,7 @@ gitea generate secret INTERNAL_TOKEN
|
||||
gitea generate secret JWT_SECRET
|
||||
#+end_src
|
||||
|
||||
Use the =JWT_SECRET= command to generate the =gitea_lfs_jwt_secret= as well. It's an alias.
|
||||
Use the =JWT_SECRET= option to generate the =gitea_lfs_jwt_secret= as well.
|
||||
|
||||
Then re-run the playbook to finish the installation.
|
||||
|
||||
|
||||
@@ -3,6 +3,11 @@ gitea_user: git
|
||||
gitea_group: git
|
||||
gitea_http_port: 3000
|
||||
gitea_ssh_port: 22
|
||||
gitea_work_path: /var/lib/gitea
|
||||
gitea_app_data_path: /var/lib/gitea/data
|
||||
gitea_repo_root: /var/lib/gitea/data/gitea-repositories
|
||||
gitea_lfs_path: /var/lib/gitea/data/lfs
|
||||
gitea_log_path: /var/lib/gitea/log
|
||||
gitea_require_signin_view: true
|
||||
gitea_disable_registration: true
|
||||
gitea_register_manual_confirm: false
|
||||
|
||||
@@ -76,8 +76,9 @@
|
||||
- name: Create the gitea user
|
||||
ansible.builtin.user:
|
||||
name: "{{ gitea_user }}"
|
||||
comment: "Gitea Service User"
|
||||
group: "{{ gitea_group }}"
|
||||
home: /home/{{ gitea_user }}
|
||||
home: "{{ gitea_work_path }}"
|
||||
shell: /bin/bash
|
||||
password: '*'
|
||||
system: true
|
||||
@@ -130,7 +131,7 @@
|
||||
|
||||
- name: Create the data dir base
|
||||
ansible.builtin.file:
|
||||
path: /var/lib/gitea
|
||||
path: "{{ gitea_work_path }}"
|
||||
owner: "{{ gitea_user }}"
|
||||
group: "{{ gitea_group }}"
|
||||
mode: '0750'
|
||||
@@ -144,9 +145,9 @@
|
||||
mode: '0750'
|
||||
state: directory
|
||||
loop:
|
||||
- /var/lib/gitea/custom
|
||||
- /var/lib/gitea/data
|
||||
- /var/lib/gitea/log
|
||||
- "{{ gitea_work_path }}/custom"
|
||||
- "{{ gitea_app_data_path }}"
|
||||
- "{{ gitea_log_path }}"
|
||||
|
||||
- name: Create the config dir
|
||||
ansible.builtin.file:
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
---
|
||||
- name: Create the certs directory
|
||||
ansible.builtin.file:
|
||||
path: /var/lib/gitea/certs
|
||||
path: "{{ gitea_work_path }}/certs"
|
||||
owner: "{{ gitea_user }}"
|
||||
group: "{{ gitea_group }}"
|
||||
mode: '0750'
|
||||
@@ -11,9 +11,9 @@
|
||||
ansible.builtin.command: >
|
||||
gitea cert
|
||||
--host {{ gitea_domain }},{{ gitea_ssh_domain }}
|
||||
--out /var/lib/gitea/certs/cert.pem
|
||||
--keyout /var/lib/gitea/certs/key.pem
|
||||
--out {{ gitea_work_path }}/certs/cert.pem
|
||||
--keyout {{ gitea_work_path }}/certs/key.pem
|
||||
become: true
|
||||
become_user: "{{ gitea_user }}"
|
||||
args:
|
||||
creates: /var/lib/gitea/certs/cert.pem
|
||||
creates: "{{ gitea_work_path }}/certs/cert.pem"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
|
||||
APP_NAME = {{ gitea_app_name }}
|
||||
RUN_USER = {{ gitea_user }}
|
||||
WORK_PATH = /var/lib/gitea
|
||||
WORK_PATH = {{ gitea_work_path }}
|
||||
RUN_MODE = prod
|
||||
|
||||
{% if gitea_database_server | default('') == "postgresql" %}
|
||||
@@ -22,19 +22,19 @@ USER = {{ gitea_user }}
|
||||
PASSWD =
|
||||
SCHEMA =
|
||||
SSL_MODE = disable
|
||||
PATH = /var/lib/gitea/data/gitea.db
|
||||
PATH = {{ gitea_app_data_path }}/gitea.db
|
||||
LOG_SQL = false
|
||||
{% endif %}
|
||||
|
||||
[repository]
|
||||
ROOT = /var/lib/gitea/data/gitea-repositories
|
||||
ROOT = {{ gitea_repo_root }}
|
||||
|
||||
[server]
|
||||
SSH_DOMAIN = {{ gitea_ssh_domain }}
|
||||
DOMAIN = {{ gitea_domain }}
|
||||
HTTP_PORT = {{ gitea_http_port }}
|
||||
ROOT_URL = {{ gitea_root_url }}
|
||||
APP_DATA_PATH = /var/lib/gitea/data
|
||||
APP_DATA_PATH = {{ gitea_app_data_path }}
|
||||
DISABLE_SSH = false
|
||||
SSH_PORT = {{ gitea_ssh_port }}
|
||||
LFS_START_SERVER = true
|
||||
@@ -42,7 +42,7 @@ LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }}
|
||||
OFFLINE_MODE = true
|
||||
|
||||
[lfs]
|
||||
PATH = /var/lib/gitea/data/lfs
|
||||
PATH = {{ gitea_lfs_path }}
|
||||
|
||||
[mailer]
|
||||
ENABLED = false
|
||||
@@ -73,7 +73,7 @@ PROVIDER = file
|
||||
[log]
|
||||
MODE = console
|
||||
LEVEL = info
|
||||
ROOT_PATH = /var/lib/gitea/log
|
||||
ROOT_PATH = {{ gitea_log_path }}
|
||||
|
||||
[repository.pull-request]
|
||||
DEFAULT_MERGE_STYLE = merge
|
||||
|
||||
@@ -13,10 +13,10 @@ RestartSec=2s
|
||||
Type=simple
|
||||
User={{ gitea_user }}
|
||||
Group={{ gitea_group }}
|
||||
WorkingDirectory=/var/lib/gitea/
|
||||
WorkingDirectory={{ gitea_work_path }}
|
||||
ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
|
||||
Restart=always
|
||||
Environment=USER={{ gitea_user }} HOME=/home/{{ gitea_user }} GITEA_WORK_DIR=/var/lib/gitea
|
||||
Environment=USER={{ gitea_user }} HOME={{ gitea_work_path }} GITEA_WORK_DIR={{ gitea_work_path }}
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
||||
Reference in New Issue
Block a user