ds_gitea/README.org

#+TITLE: Gitea Server Installer Role
#+AUTHOR: DeadSwitch | The Silent Architect
#+OPTIONS: toc:nil num:nil \n:t
[[https://opensource.org/licenses/MIT][https://img.shields.io/badge/license-MIT-blue.svg]] [[https://img.shields.io/badge/version-3.0.0-green.svg]]
* ds-gitea
This role installs and configures a [[https://docs.gitea.com/][Gitea]] server.
It uses SQLite as the default database, with optional PostgreSQL support.
The role can also put Gitea behind an Nginx reverse proxy with HTTPS,
using either a self-signed certificate or Let's Encrypt via =certbot=.
- Use the =ds-ufw= role to configure the firewall.
- Use the =ds-postgresql= role to configure the database.
- Use the =ds-nginx= role to install the proxy server.
- Use the =ds-act_runner= role to configure and register Actions runners.
* Role Behavior
1. Download and install the Gitea binary
2. (Optionally) Set up the PostgreSQL user and database
3. Set up the user and group for the service
4. Create the required directory structure
5. Stop and wait for the secrets to be generated and stored in SOPS, if they are not present yet (see Secrets below)
6. Deploy the Gitea configuration
7. Deploy the Gitea systemd service file
8. (Optionally) Set up the reverse proxy with optional SSL
9. Enable and start the service
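Step 1 downloads the binary together with its release checksum (the =gitea_binary_url= / =gitea_checksum_url= pair). The script below is an added example, not one of the role's tasks: it shows the same verification done by hand before a binary is installed, and fails closed when the checksum file is malformed or describes a different artifact (for instance another architecture's build). It assumes the checksum file is in =sha256sum(1)= format (one line, =<64 hex digits>  <filename>=), as Gitea's release =.sha256= files are, that the download still carries its release file name, and that either =sha256sum= (coreutils) or =shasum= is installed.

```shell
#!/usr/bin/env bash
# Added example, not code from the ds-gitea role: verify a downloaded Gitea
# release binary against its .sha256 file before installing it.
#
# Assumptions: the checksum file is in sha256sum(1) format
# ("<64 hex digits>  <filename>", one line), the binary still carries its
# release file name, and either sha256sum (coreutils) or shasum is installed.

# Print the hex SHA-256 digest of a file, preferring coreutils sha256sum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_gitea_binary BINARY CHECKSUM_FILE
# Exit status: 0 digest matches; 1 digest mismatch (tampered or truncated
# download); 2 checksum file unusable (malformed, or it describes a
# different artifact, e.g. another architecture's build).
verify_gitea_binary() {
  bin=$1
  sums=$2
  name=$(basename "$bin")

  # Only accept a well-formed 64-hex digest on the first line; reject
  # anything else outright instead of comparing against garbage.
  expected=$(head -n 1 "$sums" | grep -Eo '^[0-9a-f]{64}' || true)
  if [ -z "$expected" ]; then
    echo "unusable checksum file: $sums" >&2
    return 2
  fi

  # Fail closed when the checksum file names a different file than the one
  # we are about to install. sha256sum may prefix the name with '*' when the
  # digest was computed in binary mode; strip that before comparing.
  named=$(head -n 1 "$sums" | awk '{print $2}')
  named=${named#\*}
  if [ "$named" != "$name" ]; then
    echo "checksum file is for '$named', not '$name'" >&2
    return 2
  fi

  actual=$(sha256_of "$bin")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $name matches $expected"
    return 0
  fi
  echo "MISMATCH: $name" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}

# Usage when run directly:
#   ./verify-gitea.sh gitea-1.25.4-linux-amd64 gitea-1.25.4-linux-amd64.sha256
if [ $# -eq 2 ]; then
  verify_gitea_binary "$1" "$2"
fi
```

Run it against the freshly downloaded pair and install only on exit status 0; a status of 2 means the checksum file itself cannot be trusted and the download should be repeated rather than skipped.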
* Defaults
#+begin_src yaml
gitea_user: git
gitea_group: git
gitea_http_port: 3000
gitea_ssh_port: 22
gitea_database_server: ''   # empty = SQLite; 'postgresql' for PostgreSQL
gitea_reverse_proxy: ''     # empty = no proxy; 'nginx' for Nginx
#+end_src
* Requirements
- Ansible >= 2.12
- Debian 12+ or compatible
- git
- sudo
- ca-certificates
- (optional) PostgreSQL database
- (optional) Nginx server
* Variables
| Variable                      | Type    | Comment                                                      |
|-------------------------------+---------+--------------------------------------------------------------|
| gitea_user                    | string  | Gitea system user                                            |
| gitea_group                   | string  | Gitea system group                                           |
| gitea_binary_url              | string  | Download URL of the Gitea binary                             |
| gitea_checksum_url            | string  | URL of the binary's SHA-256 checksum file                    |
| gitea_app_name                | string  | Gitea server title                                           |
| gitea_ssh_domain              | string  | Domain used for SSH clone URLs                               |
| gitea_domain                  | string  | Domain to reach Gitea                                        |
| gitea_http_port               | int     | HTTP port                                                    |
| gitea_ssh_port                | int     | SSH port                                                     |
| gitea_root_url                | string  | Protocol + FQDN + port                                       |
| gitea_lfs_jwt_secret          | string  | LFS storage secret                                           |
| gitea_internal_token          | string  | Internal token                                               |
| gitea_jwt_secret              | string  | JWT secret                                                   |
| gitea_database_server         | string  | DB server: 'postgresql', or empty for SQLite                 |
| gitea_db_password             | string  | PostgreSQL DB password (if PostgreSQL is used)               |
| gitea_reverse_proxy           | string  | Reverse proxy to use, or unset for no proxy                  |
| gitea_enable_https            | boolean | Configure HTTPS in the proxy                                 |
| gitea_ssl_cert                | string  | Path to the TLS certificate (PEM)                            |
| gitea_ssl_key                 | string  | Path to the TLS private key (PEM)                            |
| gitea_ssl_trusted_certificate | string  | Path to the CA chain (PEM), see the example playbook         |
| gitea_enable_http_redirect    | boolean | Redirect HTTP to HTTPS                                       |
| gitea_self_signed             | boolean | Generate a self-signed cert and key                          |
| gitea_lets_encrypt            | boolean | Use certbot to obtain the certificate                        |
| gitea_certbot_email           | string  | Email used to register the certificates                      |
* Handlers
- =Reload_systemd=: runs =systemctl daemon-reload=
- =Restart_gitea=: restarts the Gitea service
* Secrets
Always keep production secrets in SOPS or Ansible Vault, never in plaintext vars files.
When the playbook stops because the secrets are not present, generate them manually:
#+begin_src shell
gitea generate secret INTERNAL_TOKEN
gitea generate secret JWT_SECRET
#+end_src
=LFS_JWT_SECRET= is an alias of =JWT_SECRET=, so run the same command once more to get a separate, fresh value for =gitea_lfs_jwt_secret= (every run produces a new random secret; do not reuse =gitea_jwt_secret=).
Then re-run the playbook to finish the installation.
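The following script is an added example and not part of the role: it does the steps above end to end, generating the three secrets with the =gitea= CLI, sanity-checking their shape before they go anywhere near the inventory, writing them under the variable names the role reads, and encrypting the file in place with =sops=. It assumes =gitea= and =sops= are on =PATH= where you run it, that a =.sops.yaml= with your recipients exists, and that =group_vars/gitea/secrets.sops.yml= is where your inventory expects the file (the path and the optional PostgreSQL password generation are this example's choices). The shape checks follow what =gitea generate secret= emits: =JWT_SECRET= (and its alias =LFS_JWT_SECRET=) is 32 random bytes as unpadded base64url, i.e. 43 characters, and =INTERNAL_TOKEN= is an HS256 JWT whose first segment is the fixed header for ={"alg":"HS256","typ":"JWT"}=.

```shell
#!/usr/bin/env bash
# Added example (not part of the ds-gitea role): generate the Gitea secrets
# the role expects, check their shape, and store them SOPS-encrypted so the
# playbook can be re-run.
#
# Assumptions (not stated by the role): `gitea` and `sops` are in PATH here,
# a .sops.yaml with your age/PGP recipients exists, and
# group_vars/gitea/secrets.sops.yml is where your inventory wants the file.

# `gitea generate secret JWT_SECRET` (alias LFS_JWT_SECRET) prints 32 random
# bytes as unpadded base64url: exactly 43 characters from [A-Za-z0-9_-].
check_jwt_secret() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{43}$'
}

# `gitea generate secret INTERNAL_TOKEN` prints an HS256 JWT: three
# base64url segments joined by dots, the first being the constant header
# base64url({"alg":"HS256","typ":"JWT"}).
check_internal_token() {
  printf '%s' "$1" | grep -Eq \
    '^eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

# render_secrets_yaml INTERNAL_TOKEN JWT_SECRET LFS_JWT_SECRET [DB_PASSWORD]
# Emits the vars fragment (names from the role's Variables table) on stdout.
# Refuses to emit anything if a secret does not look like what `gitea
# generate secret` produces, so a copy/paste mistake fails here, not at
# Gitea start-up.
render_secrets_yaml() {
  check_internal_token "$1" || { echo "bad INTERNAL_TOKEN" >&2; return 1; }
  check_jwt_secret "$2"     || { echo "bad JWT_SECRET" >&2; return 1; }
  check_jwt_secret "$3"     || { echo "bad LFS_JWT_SECRET" >&2; return 1; }
  if [ "$2" = "$3" ]; then
    echo "JWT_SECRET and LFS_JWT_SECRET must differ" >&2
    return 1
  fi
  printf 'gitea_internal_token: %s\n' "$1"
  printf 'gitea_jwt_secret: %s\n' "$2"
  printf 'gitea_lfs_jwt_secret: %s\n' "$3"
  if [ -n "${4:-}" ]; then
    printf 'gitea_db_password: %s\n' "$4"
  fi
}

# Full workflow. Plaintext exists only in this shell and in the file for the
# instant before sops encrypts it in place (umask 077 keeps it private).
generate_and_store() {
  out=${1:-group_vars/gitea/secrets.sops.yml}
  internal=$(gitea generate secret INTERNAL_TOKEN)
  jwt=$(gitea generate secret JWT_SECRET)
  lfs=$(gitea generate secret LFS_JWT_SECRET)   # alias of JWT_SECRET, fresh value
  # Optional PostgreSQL password (example's own choice): 32 random bytes,
  # base64url without padding so it is safe unquoted in YAML.
  dbpass=$(openssl rand -base64 32 | tr '+/' '-_' | tr -d '=')
  mkdir -p "$(dirname "$out")"
  umask 077
  render_secrets_yaml "$internal" "$jwt" "$lfs" "$dbpass" > "$out"
  sops --encrypt --in-place "$out"
  echo "encrypted secrets written to $out"
}

# Only generate when asked; otherwise just define the functions so the file
# can be sourced and the checks reused on secrets you already have.
if [ "${1:-}" = "--run" ]; then
  generate_and_store "${2:-}"
fi
```

Run =./gitea-secrets.sh --run [path]= to generate and encrypt; without =--run= the script only defines the functions, so =. ./gitea-secrets.sh && check_jwt_secret "$SECRET"= lets you validate a value before pasting it into a vars file. Commit only the encrypted file, then re-run the playbook.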
* Example Playbook
#+begin_src yaml
- name: Deploy a Gitea server
  hosts: gitea
  become: true
  vars:
    gitea_user: git
    gitea_group: git
    gitea_binary_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64
    gitea_checksum_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64.sha256
    gitea_app_name: Tom's IT Cafe Gitea Server
    gitea_ssh_domain: gitea.tomsitcafe.com
    gitea_domain: gitea.tomsitcafe.com
    gitea_http_port: 3000
    gitea_root_url: https://gitea.tomsitcafe.com
    # Optional PostgreSQL database backend
    gitea_database_server: postgresql
    # Optional Nginx reverse proxy configuration
    gitea_reverse_proxy: nginx
    gitea_enable_https: true           # Use HTTPS
    gitea_self_signed: false           # Don't generate self-signed certs
    gitea_lets_encrypt: true           # Use certbot
    gitea_enable_http_redirect: true   # Redirect HTTP to HTTPS
    # Certbot configuration
    gitea_certbot_email: email@domain.tld
    gitea_ssl_cert: /etc/letsencrypt/live/{{ gitea_domain }}/fullchain.pem
    gitea_ssl_key: /etc/letsencrypt/live/{{ gitea_domain }}/privkey.pem
    gitea_ssl_trusted_certificate: /etc/letsencrypt/live/{{ gitea_domain }}/chain.pem
    # Example values only - in production keep these in SOPS or Ansible Vault:
    gitea_lfs_jwt_secret: G9bZrRHMhRQ8w4R0KkH2VLnx2rzq81ROQ951IQjlMs4
    gitea_internal_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NzA2Mzk1Njh9.ybbaeNLFiLbyvxfj4vkqhXSAXKRGpwvP8jIm9YLPgXw
    gitea_jwt_secret: uJni4x4e0AzpkLYc-t4keRJKOB6EaLzwVsdLeamkFyU
    gitea_db_password: Eegh7Aothooph7pa6eu7eitha_zaim0G
  roles:
    - role: ds-gitea
#+end_src
* License
MIT
=[ Fear the Silence. Fear the Switch. ]=