ghost-automation/ds_gitea
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 3 Wiki Activity
Files
1120daab4010c4e1d5691c2be9c0e445952a5c93
ds_gitea/README.org
DeadSwitch 1120daab40 Templated registration config. 
Self-registration can be turned off.
Admin verification can be set.
Guest users' read-only view can be configured.
2026-02-12 07:16:52 +01:00

157 lines
6.3 KiB
Org Mode
Raw Blame History

#+TITLE: Gitea Server Role
#+AUTHOR: DeadSwitch | The Silent Architect
#+OPTIONS: toc:nil num:nil \n:t
[[https://opensource.org/licenses/MIT][https://img.shields.io/badge/license-MIT-blue.svg]] [[https://img.shields.io/badge/version-3.0.1-green.svg]]
* ds-gitea
This role can install and configures a [[https://docs.gitea.com/][Gitea]] server.
It uses SQLite as its default database service - with optional PostgreSQL support (=ds-posgresql=).
The role can set up a reverse proxy with SSL using Nginx (=ds-nginx=).
Self-signed certificates and Let's Encrypt with =certbot= are supported.
The =ds-ufw= role can configure the firewall.
The =ds-act_runner= role can configure and register Actions runners.
* Role Behavior
1. Download and install the Gitea binary
2. (Optionally) Set up the PostgreSQL user and database
3. (Optionally) Set up an =nginx= reverse proxy with SSL support
4. Create a user and group for the service
5. Create the required directory structure
6. Wait to save the secrets in SOPS (only if secrets are not present)
7. Deploy the Gitea =app.ini= configuration
8. Deploy the Gitea systemd service
9. Enable and start the services
* Defaults
#+begin_src yaml
gitea_user: git
gitea_group: git
gitea_http_port: 3000
gitea_ssh_port: 22
gitea_database_server: ''
gitea_reverse_proxy: ''
gitea_require_signin_view: true
gitea_disable_registration: true
gitea_register_manual_confirm: false
#+end_src
* Requirements
- Ansible >= 2.12
- Debian 12+ or compatible
- git
- sudo
- ca-certificates
- (optional) PosgreSQL database
- (optional) Nginx server
- (optional) certbot for Let's Encrypt
* Variables
| Variable | Type | Comment |
|-------------------------------+---------+--------------------------------------------------|
| gitea_user | string | Gitea user |
| gitea_group | string | Gitea group |
| gitea_binary_url | string | Download URL of Gitea |
| gitea_checksum_url | string | Checksum URL of the binary |
| gitea_app_name | string | Gitea server title |
| gitea_ssh_domain | string | SSH domain |
| gitea_domain | string | Domain to reach Gitea |
| gitea_http_port | int | HTTP port |
| gitea_ssh_port | int | SSH port |
| gitea_root_url | string | Protocol + FQDN + port |
| gitea_lfs_jwt_secret | string | LFS storage secret |
| gitea_internal_token | string | Internal token |
| gitea_jwt_secret | string | JWT secret |
| gitea_database_server | string | DB server - 'postgresql' or empty for sqlite |
| gitea_db_password | string | PosgreSQL db password (if pgsql is used) |
| gitea_reverse_proxy | string | Reverse proxy to use or not set for no proxy |
| gitea_enable_https | boolean | Configure HTTPS in the proxy |
| gitea_ssl_cert | string | SSL certificate |
| gitea_ssl_key | string | SSL key |
| gitea_enable_http_redirect | boolean | Redirect HTTP to HTTPS |
| gitea_self_signed | boolean | Generate a self-signed cert and key |
| gitea_lets_encrypt | boolean | Use certbot to configure the SSL |
| gitea_certbot_email | string | Email to register the certificates |
| gitea_require_signin_view | boolean | If false, public repos are visible without login |
| gitea_disable_registration | boolean | Turn off the user registration feature |
| gitea_register_manual_confirm | boolean | Registration requires admin verification |
* Handlers
- =Reload_systemd=: It runs a =daemon-reload=
- =Restart_gitea=: It restarts the Gitea service
* Secrets
Always save the production secrets in SOPS, or in Ansible Vault.
You can generate the secrets manually when the playbook stops:
#+begin_src shell
gitea generate secret INTERNAL_TOKEN
gitea generate secret JWT_SECRET
#+end_src
Use the =JWT_SECRET= command to generate the =gitea_lfs_jwt_secret= as well. It's an alias.
Then re-run the playbook to finish the installation.
* Example Playbook
#+begin_src yaml
- name: Deploy a Gitea server
hosts: gitea
become: true
vars:
gitea_user: git
gitea_group: git
gitea_binary_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64
gitea_checksum_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64.sha256
gitea_app_name: Tom's IT Cafe Gitea Server
gitea_ssh_domain: gitea.tomsitcafe.com
gitea_domain: gitea.tomsitcafe.com
gitea_http_port: 3000
gitea_root_url: https://gitea.tomsitcafe.com
# Optional Postgresql database backend
gitea_database_server: postgresql
# Optional Nginx reverse proxy configuration
gitea_reverse_proxy: nginx
gitea_enable_https: true # Use HTTPS
gitea_self_signed: false # Don't generate self-signed certs
gitea_lets_encrypt: true # Use certbot
gitea_enable_http_redirect: true # Redirect HTTP to HTTPS
# Certbot configuration
gitea_certbot_email: email@domain.tld
gitea_ssl_cert: /etc/letsencrypt/live/{{ gitea_domain }}/fullchain.pem
gitea_ssl_key: /etc/letsencrypt/live/{{ gitea_domain }}/privkey.pem
gitea_ssl_trusted_certificate: /etc/letsencrypt/live/{{ gitea_domain }}/chain.pem
# In prod put the secrets in SOPS:
gitea_lfs_jwt_secret: G9bZrRHMhRQ8w4R0KkH2VLnx2rzq81ROQ951IQjlMs4
gitea_internal_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NzA2Mzk1Njh9.ybbaeNLFiLbyvxfj4vkqhXSAXKRGpwvP8jIm9YLPgXw
gitea_jwt_secret: uJni4x4e0AzpkLYc-t4keRJKOB6EaLzwVsdLeamkFyU
gitea_db_password: Eegh7Aothooph7pa6eu7eitha_zaim0G
roles:
- role: ds-gitea
#+end_src
* License
MIT
=[ Fear the Silence. Fear the Switch. ]=
Reference in New Issue View Git Blame Copy Permalink