---
# Packages every later task relies on are installed first, with a refreshed
# apt cache so a stale index does not fail the install.
- name: Make sure dependencies are installed
  ansible.builtin.apt:
    update_cache: true
    state: present
    name:
      - git
      - sudo
      - ca-certificates

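# Runs only when the role is told to use PostgreSQL; the block keeps the four
# database steps under one condition.
- name: Set up the PostgreSQL database
  when: gitea_database_server | default('') == "postgresql"
  block:
    - name: Ensure PostgreSQL Python client is installed
      ansible.builtin.apt:
        name: python3-psycopg2
        update_cache: true
        state: present

    # The application role is deliberately unprivileged: no superuser, no
    # database or role creation.
    - name: Create the gitea DB role
      community.postgresql.postgresql_user:
        name: gitea
        password: "{{ gitea_db_password }}"
        role_attr_flags: "NOSUPERUSER,NOCREATEDB,NOCREATEROLE"
      become: true
      become_user: postgres

    - name: Create the gitea database
      community.postgresql.postgresql_db:
        name: giteadb
        owner: gitea
        template: template0
        encoding: UTF8
        lc_collate: en_US.UTF-8
        lc_ctype: en_US.UTF-8
      become: true
      become_user: postgres

    # pg_hba.conf is evaluated top to bottom and the first matching rule wins.
    # Without insertbefore, lineinfile appends the rule at the end of the file,
    # behind any broader "local all all ..." rule the distribution ships, so it
    # would never be consulted. Inserting it ahead of that rule makes it
    # effective; if no such rule exists lineinfile falls back to appending.
    # NOTE(review): scram-sha-256 here assumes the role's password is stored
    # as SCRAM (server password_encryption) — confirm on the target.
    - name: Ensure pg_hba.conf has local access for gitea
      ansible.builtin.lineinfile:
        path: "/etc/postgresql/{{ postgresql_version }}/main/pg_hba.conf"
        regexp: '^local\s+giteadb\s+gitea\s+'
        line: 'local giteadb gitea scram-sha-256'
        insertbefore: '^local\s+all\s+all\s'
        firstmatch: true
        state: present
        backup: true
      notify:
        - Reload_postgresql
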
# Only when the role is asked for nginx; both steps hand the change to the
# Reload_nginx handler instead of reloading inline.
- name: Set up the reverse proxy
  when: gitea_reverse_proxy | default('') == "nginx"
  block:
    - name: Deploy the site configuration
      ansible.builtin.template:
        src: gitea.j2
        dest: /etc/nginx/sites-available/gitea
        mode: "0644"
        owner: root
        group: root
      notify: Reload_nginx

    # Enabling is done by symlink; force replaces whatever is already at
    # the destination path.
    - name: Enable the gitea site
      ansible.builtin.file:
        state: link
        src: /etc/nginx/sites-available/gitea
        dest: /etc/nginx/sites-enabled/gitea
        force: true
        owner: root
        group: root
      notify: Reload_nginx

# System group that owns the service's files.
- name: Create the gitea group
  ansible.builtin.group:
    system: true
    name: "{{ gitea_group }}"

# Service account: a system user with a home directory and a shell, but
# with a password field of '*', which matches no hash and so disables
# password login for the account.
- name: Create the gitea user
  ansible.builtin.user:
    name: "{{ gitea_user }}"
    group: "{{ gitea_group }}"
    system: true
    create_home: true
    home: "/home/{{ gitea_user }}"
    shell: /bin/bash
    password: '*'

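# The download is verified against the SHA-256 fetched from gitea_checksum_url
# before it is installed. That only protects against tampering when the
# checksum is served independently of the binary; pinning the hash in the
# role defaults would be stronger.
# The binary is owned by root so the service account can execute it (via the
# group bit in 0750) but cannot replace its own executable.
- name: Download the Gitea binary
  ansible.builtin.get_url:
    url: "{{ gitea_binary_url }}"
    dest: /usr/local/bin/gitea
    checksum: "sha256:{{ gitea_checksum_url }}"
    owner: root
    group: "{{ gitea_group }}"
    mode: '0750'
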
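# Re-asserts ownership and mode on every run as an explicit guard, independent
# of the download step. root owns the binary so the service account can run
# it (group execute in 0750) but cannot overwrite it.
- name: Set the permissions of the Gitea binary
  ansible.builtin.file:
    path: /usr/local/bin/gitea
    owner: root
    group: "{{ gitea_group }}"
    mode: '0750'
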
# Opt-in: the self-signed task file is only pulled in when the flag is set.
- name: Generate self-signed certificates
  when: gitea_self_signed | default(false)
  ansible.builtin.include_tasks: self-signed-cert.yml

# Opt-in: the Let's Encrypt task file is only pulled in when the flag is set.
- name: Configure the Let's Encrypt certificates
  when: gitea_lets_encrypt | default(false)
  ansible.builtin.include_tasks: lets-encrypt.yml

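# Stops for an operator when any of the three secrets listed in the prompt is
# missing. Checking only the internal token would let a partially filled SOPS
# file slip through to the app.ini template.
- name: Pause to generate and save the secrets in SOPS
  ansible.builtin.pause:
    prompt: |
      [SECURITY NOTICE]
      If this is a fresh install, generate these secrets:
      1. gitea generate secret INTERNAL_TOKEN - for gitea_internal_token
      2. gitea generate secret JWT_SECRET - for gitea_lfs_jwt_secret
      3. gitea generate secret JWT_SECRET - for gitea_jwt_secret
      Copy the following keys into SOPS:
      - gitea_internal_token
      - gitea_lfs_jwt_secret
      - gitea_jwt_secret
      Press ENTER once done to continue.
  when: >-
    gitea_internal_token is not defined
    or gitea_lfs_jwt_secret is not defined
    or gitea_jwt_secret is not defined
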
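# end_play stops the whole play, so the tasks that render the secrets into
# app.ini never run while any of the three is still missing. The condition
# mirrors the set of keys the pause prompt asks for, not just the first one.
- name: Stop play until SOPS secrets are added
  ansible.builtin.meta: end_play
  when: >-
    gitea_internal_token is not defined
    or gitea_lfs_jwt_secret is not defined
    or gitea_jwt_secret is not defined
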
# Root of the working tree, owned by the service account and closed to others.
- name: Create the data dir base
  ansible.builtin.file:
    state: directory
    path: "{{ gitea_work_path }}"
    mode: "0750"
    owner: "{{ gitea_user }}"
    group: "{{ gitea_group }}"

# Per-purpose directories handed to the service; all share the same owner
# and 0750 mode as the base work path.
- name: Create the data dirs
  ansible.builtin.file:
    state: directory
    path: "{{ item }}"
    mode: "0750"
    owner: "{{ gitea_user }}"
    group: "{{ gitea_group }}"
  loop:
    - "{{ gitea_work_path }}/custom"
    - "{{ gitea_app_data_path }}"
    - "{{ gitea_log_path }}"

# Configuration directory: root-owned, readable by the service group only.
- name: Create the config dir
  ansible.builtin.file:
    state: directory
    path: /etc/gitea
    mode: "0750"
    owner: root
    group: "{{ gitea_group }}"

# Unit file rendered from the template; a change hands a daemon-reload to the
# Reload_systemd handler.
- name: Deploy the systemd service unit
  ansible.builtin.template:
    src: gitea.service.j2
    dest: /etc/systemd/system/gitea.service
    mode: "0644"
    owner: root
    group: root
  notify:
    - Reload_systemd

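# app.ini is rendered with the database password and the tokens collected
# above, so it is root-owned, group-readable only, and excluded from diff
# output: without "diff: false" a --diff or --check run prints the rendered
# file, secrets included, to the console and any log capturing it.
- name: Deploy the Gitea configuration
  ansible.builtin.template:
    src: app.ini.j2
    dest: /etc/gitea/app.ini
    owner: root
    group: "{{ gitea_group }}"
    mode: '0640'
  diff: false
  notify:
    - Restart_gitea
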
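# The unit file is deployed earlier in this play but the Reload_systemd handler
# only fires at the end of it, so an explicit daemon-reload here makes sure
# systemd sees the current unit before the service is started and enabled.
- name: Start and enable Gitea
  ansible.builtin.systemd_service:
    name: gitea.service
    daemon_reload: true
    state: started
    enabled: true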