#+TITLE: Gitea Server Installer Role
#+AUTHOR: DeadSwitch | The Silent Architect
#+OPTIONS: toc:nil num:nil \n:t

* ds-gitea

This role installs and configures a basic [[https://docs.gitea.com/][Gitea]] server. It currently uses SQLite as its database backend. Use the =ds-ufw= role to set up the firewall.

* Features

- Download and install the Gitea binary
- Set up the user and group for the service
- Create the required directory structure
- Deploy the Gitea configuration
- Deploy the Gitea service file
- Enable and start the service

* Defaults

#+begin_src yaml
gitea_user: git
gitea_group: git
#+end_src

The remaining variables must be declared in the inventory.

* Requirements

- Ansible >= 2.12
- Debian-based OS (Bookworm, Trixie)
- git
- sudo
- ca-certificates

* Variables

| Variable             | Type   | Comment                    |
|----------------------+--------+----------------------------|
| gitea_user           | string | Gitea user                 |
| gitea_group          | string | Gitea group                |
| gitea_binary_url     | string | Download URL of Gitea      |
| gitea_checksum_url   | string | Checksum URL of the binary |
| gitea_app_name       | string | Gitea application title    |
| gitea_ssh_domain     | string | SSH domain                 |
| gitea_domain         | string | Domain to reach Gitea      |
| gitea_http_port      | int    | Gitea HTTP port            |
| gitea_ssh_port       | int    | Gitea SSH port             |
| gitea_root_url       | string | Protocol + FQDN            |
| gitea_lfs_jwt_secret | string | LFS storage secret         |
| gitea_internal_token | string | Internal token             |
| gitea_jwt_secret     | string | JWT secret                 |

* Handlers

- =Reload_systemd=: runs a =daemon-reload=
- =Restart_gitea=: restarts the Gitea service

* Secrets

Always store the production secrets in SOPS or in Ansible Vault.

Generate the secrets manually when the playbook stops:

#+begin_src shell
gitea generate secret INTERNAL_TOKEN
gitea generate secret JWT_SECRET
#+end_src

Use the same =JWT_SECRET= command to generate =gitea_lfs_jwt_secret= as well; it is an alias. Then re-run the playbook to finish the installation.
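The =gitea_binary_url= and =gitea_checksum_url= variables point at the release binary and its published checksum file. The shell example below is added here and is not part of the ds-gitea role: it shows the check that having a checksum URL exists to support, namely that the binary is copied into place only when its SHA-256 matches the entry for that exact file name in the checksum file, and that a tampered binary or an entry for some other file is rejected. It assumes the checksum file uses the coreutils =sha256sum= format (=<hash>  <filename>=), which is what =sha256sum -c= consumes; the "binary" and checksum file it creates are constructed stand-ins for the real download.

```shell
#!/bin/sh
# Added example, not part of the ds-gitea role: install a downloaded Gitea
# binary only after its SHA-256 matches the published checksum file.
set -eu

# verify_binary BINARY CHECKSUM_FILE
# Returns 0 when CHECKSUM_FILE carries a matching SHA-256 entry for BINARY's
# file name, 1 otherwise. Assumes the coreutils "<hash>  <filename>" format
# (an optional "*" before the name marks binary mode and is accepted too).
verify_binary() {
    bin="$1"
    sums="$2"
    dir=$(dirname "$bin")
    name=$(basename "$bin")
    # Pick only the entry for this file name. A checksum file may list several
    # artifacts; an entry for some other file must never count as a match.
    entry=$(awk -v n="$name" '$2 == n || $2 == ("*" n)' "$sums")
    [ -n "$entry" ] || return 1
    # Compare inside the binary's directory so the listed file name resolves;
    # --status makes the exit code the only output.
    ( cd "$dir" && printf '%s\n' "$entry" | sha256sum -c --status )
}

# install_verified BINARY CHECKSUM_FILE DEST
# Copies BINARY to DEST with mode 0755 only if verification succeeded.
install_verified() {
    verify_binary "$1" "$2" || return 1
    install -m 0755 "$1" "$3"
}

# demo_setup: constructed stand-in for the real download. Writes a fake
# "binary" plus a checksum file in the published format and prints the dir.
demo_setup() {
    work=$(mktemp -d)
    printf 'fake gitea binary\n' > "$work/gitea-1.25.4-linux-amd64"
    ( cd "$work" && sha256sum gitea-1.25.4-linux-amd64 > gitea-1.25.4-linux-amd64.sha256 )
    printf '%s' "$work"
}

# Usage on the constructed data; with a real download, point the arguments at
# the files fetched from gitea_binary_url and gitea_checksum_url.
work=$(demo_setup)
install_verified "$work/gitea-1.25.4-linux-amd64" \
    "$work/gitea-1.25.4-linux-amd64.sha256" "$work/gitea"
```

The entry is selected by exact file name rather than by passing the whole checksum file to =sha256sum -c=, so a checksum file that lists other artifacts cannot produce a pass for a file it never described, and the copy into the destination happens only on the success path of the verification.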
* Example Playbook

#+begin_src yaml
- name: Deploy a Gitea server
  hosts: gitea
  become: true
  vars:
    gitea_user: git
    gitea_group: git
    gitea_binary_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64
    gitea_checksum_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64.sha256
    gitea_app_name: Tom's IT Cafe Gitea Server
    gitea_ssh_domain: gitea.tomsitcafe.com
    gitea_domain: gitea.tomsitcafe.com
    gitea_http_port: 3000
    gitea_root_url: http://gitea.tomsitcafe.com:3000
    # In prod put these secrets in SOPS:
    gitea_lfs_jwt_secret: G9bZrRHMhRQ8w4R0KkH2VLnx2rzq81ROQ951IQjlMs4
    gitea_internal_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NzA2Mzk1Njh9.ybbaeNLFiLbyvxfj4vkqhXSAXKRGpwvP8jIm9YLPgXw
    gitea_jwt_secret: uJni4x4e0AzpkLYc-t4keRJKOB6EaLzwVsdLeamkFyU
  roles:
    - role: ds-gitea
#+end_src

* License

MIT

=[ Fear the Silence. Fear the Switch. ]=