ghost-automation/ds_gitea
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 3 Wiki Activity
Files
53cb178ee81e8b8520955760bfc37dc33b23e863
ds_gitea/README.org
DeadSwitch 53cb178ee8
All checks were successful
Test the role / test-the-role (push) Successful in 7s
Details
Updated the readme for the 3.1.0 release.
2026-02-25 10:19:57 +01:00

7.6 KiB
Raw Blame History

Gitea Server Role

https://img.shields.io/badge/license-MIT-blue.svg https://img.shields.io/badge/version-3.1.0-green.svg

ds_gitea

This role can install and configures a Gitea server.

  • Defaults to SQLite backend with optional PostgreSQL support (Install it with ds_posgresql).
  • It can set up a reverse proxy with SSL using Nginx (Install it with ds_nginx).
  • The role supports self-signed certificates and Let's Encrypt with certbot.
  • The ds_ufw role can configure the host firewall.
  • The ds_act_runner role can configure and register Gitea Actions runners.

Role Behavior

  1. Download and install the Gitea binary
  2. (Optionally) Set up the PostgreSQL user and database
  3. (Optionally) Set up an nginx reverse proxy with SSL support
  4. Create a user and group for the service
  5. Create the required directory structure
  6. Wait for the operator to save the secrets in SOPS or Ansible Vault (only if secrets are not present)
  7. Deploy the Gitea app.ini configuration
  8. Deploy the Gitea systemd service
  9. Enable and start the services

Defaults 

gitea_user: git
gitea_group: git
gitea_http_port: 3000
gitea_ssh_port: 22
gitea_work_path: /var/lib/gitea
gitea_app_data_path: /var/lib/gitea/data
gitea_repo_root: /var/lib/gitea/data/gitea-repositories
gitea_lfs_path: /var/lib/gitea/data/lfs
gitea_log_path: /var/lib/gitea/log
gitea_require_signin_view: true
gitea_disable_registration: true
gitea_register_manual_confirm: false
gitea_enable_captcha: false
gitea_default_keep_email_private: true

Requirements

  • Ansible >= 2.12
  • Debian 12+ or compatible
  • git
  • sudo
  • ca-certificates
  • (optional) PosgreSQL database
  • (optional) Nginx server
  • (optional) certbot for Let's Encrypt

Variables

Variable Type Comment
gitea_user string Gitea user
gitea_group string Gitea group
gitea_binary_url string Download URL of Gitea
gitea_checksum_url string Checksum URL of the binary
gitea_app_name string Gitea server title
gitea_ssh_domain string SSH domain
gitea_domain string Domain to reach Gitea
gitea_http_port int HTTP port
gitea_ssh_port int SSH port
gitea_work_path string Workdir
gitea_app_data_path string Application data path
gitea_repo_root string Repo root path
gitea_lfs_path string LFS path
gitea_log_path string Log path
gitea_root_url string Protocol + FQDN + port
gitea_lfs_jwt_secret string LFS storage secret
gitea_internal_token string Internal token
gitea_jwt_secret string JWT secret
gitea_database_server string DB server - 'postgresql' or empty for sqlite
gitea_db_password string PosgreSQL db password (if pgsql is used)
gitea_reverse_proxy string 'nginx' to set up a reverse proxy or empty for no proxy
gitea_enable_https boolean Configure HTTPS in the proxy
gitea_ssl_cert string Path to the SSL certificate
gitea_ssl_key string Path to the SSL key
gitea_ssl_trusted_certificate string Path to the SSL certificate chain
gitea_enable_http_redirect boolean Redirect HTTP traffic to HTTPS
gitea_self_signed boolean Generate a self-signed certificate and key
gitea_lets_encrypt boolean Use certbot to configure HTTPS
gitea_certbot_email string Email to register the certificates
gitea_require_signin_view boolean If false, public repos are visible without login
gitea_disable_registration boolean Turn off the user registration feature
gitea_register_manual_confirm boolean Registration requires admin verification
gitea_enable_captcha boolean Enable captcha for registration
gitea_default_keep_email_private boolean Default email policy: private

Secrets

Always save the production secrets in SOPS or in Ansible Vault.

You can generate the secrets manually when the playbook stops:

gitea generate secret INTERNAL_TOKEN
gitea generate secret JWT_SECRET

Use the JWT_SECRET option to generate the gitea_lfs_jwt_secret as well.

Then re-run the playbook to finish the installation.

Example Playbook

You can find more playbook examples in the examples directory.

- name: Deploy a Gitea server
  hosts: gitea
  become: true

  vars:
    gitea_user: git
    gitea_group: git
    gitea_binary_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64
    gitea_checksum_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64.sha256
    gitea_app_name: Tom's IT Cafe Gitea Server
    gitea_ssh_domain: gitea.tomsitcafe.com
    gitea_domain: gitea.tomsitcafe.com
    gitea_http_port: 3000
    gitea_root_url: https://gitea.tomsitcafe.com

    # Optional Postgresql database backend
    gitea_database_server: postgresql

    # Optional Nginx reverse proxy configuration
    gitea_reverse_proxy: nginx
    gitea_enable_https: true          # Use HTTPS
    gitea_self_signed: false          # Don't generate self-signed certs
    gitea_lets_encrypt: true          # Use certbot
    gitea_enable_http_redirect: true  # Redirect HTTP to HTTPS

    # Certbot configuration
    gitea_certbot_email: email@domain.tld
    gitea_ssl_cert: /etc/letsencrypt/live/{{ gitea_domain }}/fullchain.pem
    gitea_ssl_key: /etc/letsencrypt/live/{{ gitea_domain }}/privkey.pem
    gitea_ssl_trusted_certificate: /etc/letsencrypt/live/{{ gitea_domain }}/chain.pem 

    # In prod put the secrets in SOPS:
    gitea_lfs_jwt_secret: G9bZrRHMhRQ8w4R0KkH2VLnx2rzq81ROQ951IQjlMs4 
    gitea_internal_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NzA2Mzk1Njh9.ybbaeNLFiLbyvxfj4vkqhXSAXKRGpwvP8jIm9YLPgXw
    gitea_jwt_secret: uJni4x4e0AzpkLYc-t4keRJKOB6EaLzwVsdLeamkFyU
    gitea_db_password: Eegh7Aothooph7pa6eu7eitha_zaim0G

  roles:
    - role: ds_gitea

License

MIT

[ Fear the Silence. Fear the Switch. ]

Reference in New Issue View Git Blame Copy Permalink