#+TITLE: Gitea Server Installer Role
#+AUTHOR: DeadSwitch | The Silent Architect
#+OPTIONS: toc:nil num:nil \n:t

* ds-gitea

This role installs and configures a [[https://docs.gitea.com/][Gitea]] server. It uses SQLite as its default database service, with optional PostgreSQL support.

Use the =ds-ufw= role to configure the firewall. Use the =ds-postgresql= role to configure the database.

* Role Workflow

1. Download and install the Gitea binary
2. (Optionally) Set up the PostgreSQL user and database
3. Set up the user and group for the service
4. Create the required directory structure
5. Wait for the secrets to be created and stored in SOPS, if they are not present yet
6. Deploy the Gitea configuration
7. Deploy the Gitea systemd service file (with PostgreSQL support if that backend is used)
8. Enable and start the service

* Defaults

#+begin_src yaml
gitea_user: git
gitea_group: git
gitea_http_port: 3000
gitea_ssh_port: 22
#+end_src

* Requirements

- Ansible >= 2.12
- Debian-based OS (Bookworm, Trixie)
- git
- sudo
- ca-certificates
- (optional) PostgreSQL database

* Variables

| Variable              | Type   | Comment                                      |
|-----------------------+--------+----------------------------------------------|
| gitea_user            | string | Gitea user                                   |
| gitea_group           | string | Gitea group                                  |
| gitea_binary_url      | string | Download URL of Gitea                        |
| gitea_checksum_url    | string | Checksum URL of the binary                   |
| gitea_app_name        | string | Gitea server title                           |
| gitea_ssh_domain      | string | SSH domain                                   |
| gitea_domain          | string | Domain to reach Gitea                        |
| gitea_http_port       | int    | HTTP port                                    |
| gitea_ssh_port        | int    | SSH port                                     |
| gitea_root_url        | string | Protocol + FQDN + port                       |
| gitea_lfs_jwt_secret  | string | LFS storage secret                           |
| gitea_internal_token  | string | Internal token                               |
| gitea_jwt_secret      | string | JWT secret                                   |
| gitea_database_server | string | DB server - 'postgresql' or empty for sqlite |
| gitea_db_password     | string | PostgreSQL db password (if pgsql is used)    |

* Handlers

- =Reload_systemd=: runs a =daemon-reload=
- =Restart_gitea=: restarts the Gitea service

* Secrets

Always store the production secrets in SOPS or in Ansible Vault. Generate the secrets manually when the playbook stops:

#+begin_src shell
gitea generate secret INTERNAL_TOKEN
gitea generate secret JWT_SECRET
#+end_src

Use the =JWT_SECRET= command to generate the =gitea_lfs_jwt_secret= as well; it is an alias. Then re-run the playbook to finish the installation.

* Example Playbook

#+begin_src yaml
- name: Deploy a Gitea server
  hosts: gitea
  become: true
  vars:
    gitea_user: git
    gitea_group: git
    gitea_binary_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64
    gitea_checksum_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64.sha256
    gitea_app_name: Tom's IT Cafe Gitea Server
    gitea_ssh_domain: gitea.tomsitcafe.com
    gitea_domain: gitea.tomsitcafe.com
    gitea_http_port: 3000
    gitea_root_url: http://gitea.tomsitcafe.com:3000
    # Optional
    gitea_database_server: postgresql
    # In prod put these secrets in SOPS:
    gitea_lfs_jwt_secret: G9bZrRHMhRQ8w4R0KkH2VLnx2rzq81ROQ951IQjlMs4
    gitea_internal_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NzA2Mzk1Njh9.ybbaeNLFiLbyvxfj4vkqhXSAXKRGpwvP8jIm9YLPgXw
    gitea_jwt_secret: uJni4x4e0AzpkLYc-t4keRJKOB6EaLzwVsdLeamkFyU
    gitea_db_password: Eegh7Aothooph7pa6eu7eitha_zaim0G
  roles:
    - role: ds-gitea
#+end_src

* License

MIT

=[ Fear the Silence. Fear the Switch. ]=
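Step 1 of the Role Workflow downloads the binary named by =gitea_binary_url= next to the checksum named by =gitea_checksum_url=. The following shell script is an added example, not code from the ds-gitea role, showing how that checksum is verified before anything is installed; the function names are assumptions, and the =.sha256= file is assumed to be in =sha256sum= format (hash, two spaces, filename).

```shell
#!/bin/sh
# Added example, not part of the ds-gitea role: verify the Gitea binary
# (gitea_binary_url) against the published checksum file (gitea_checksum_url)
# before it is installed. The .sha256 file is assumed to be in sha256sum
# format: "<64 hex chars>  <filename>".
set -eu

# verify_gitea_checksum BINARY SUMFILE
# Returns 0 when BINARY's SHA-256 matches the first hash in SUMFILE,
# 1 on mismatch or when SUMFILE does not start with a 64-hex-char hash.
verify_gitea_checksum() {
  binary="$1"
  sumfile="$2"
  # Accept only a well-formed hash; anything else fails closed.
  expected=$(awk 'NR == 1 && length($1) == 64 && $1 ~ /^[0-9a-fA-F]+$/ { print tolower($1) }' "$sumfile")
  if [ -z "$expected" ]; then
    echo "malformed checksum file: $sumfile" >&2
    return 1
  fi
  actual=$(sha256sum "$binary" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $binary" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}

# fetch_and_verify_gitea BINARY_URL CHECKSUM_URL DEST
# Hypothetical helper (needs network access): downloads both files and
# leaves DEST in place only if the checksum matches.
fetch_and_verify_gitea() {
  binary_url="$1"
  checksum_url="$2"
  dest="$3"
  curl -fsSL -o "$dest" "$binary_url"
  curl -fsSL -o "$dest.sha256" "$checksum_url"
  if ! verify_gitea_checksum "$dest" "$dest.sha256"; then
    rm -f "$dest" "$dest.sha256"
    return 1
  fi
  chmod 0755 "$dest"
}
```

A mismatch removes the downloaded files and exits non-zero, so a role task wrapping this stops the play instead of installing an unverified binary.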