5.1 KiB
5.1 KiB
Gitea Server Installer Role
ds-gitea
This role installs and configures a Gitea server.
It uses SQLite as its default database service - with optional PostgreSQL support.
The role can set up a reverse proxy with SSL.
- Use the
ds-ufwrole to configure the firewall. - Use the
ds-posgresqlrole to configure the database. - Use the
ds-nginxrole to install the proxy server.
Role Workflow
- Download and install the Gitea binary
- (Optionally) Set up the PostgreSQL user and database
- Set up the user and group for the service
- Create the required directory structure
- Wait for the secret creation and storage in SOPS - if secrets are not present
- Deploy the Gitea configuration
- Deploy the Gitea systemd service file (With Postgresql support if the backend is used)
- Set up the reverse proxy with optional SSL
- Enable and start the service
Defaults
gitea_user: git
gitea_group: git
gitea_http_port: 3000
gitea_ssh_port: 22
gitea_database_server: ''
gitea_reverse_proxy: ''Requirements
- Ansible >= 2.12
- Debian-based OS (Bookworm, Trixie)
- git
- sudo
- ca-certificates
- (optional) PosgreSQL database
- (optional) Nginx server
Variables
| Variable | Type | Comment |
|---|---|---|
| gitea_user | string | Gitea user |
| gitea_group | string | Gitea group |
| gitea_binary_url | string | Download URL of Gitea |
| gitea_checksum_url | string | Checksum URL of the binary |
| gitea_app_name | string | Gitea server title |
| gitea_ssh_domain | string | SSH domain |
| gitea_domain | string | Domain to reach Gitea |
| gitea_http_port | int | HTTP port |
| gitea_ssh_port | int | SSH port |
| gitea_root_url | string | Protocol + FQDN + port |
| gitea_lfs_jwt_secret | string | LFS storage secret |
| gitea_internal_token | string | Internal token |
| gitea_jwt_secret | string | JWT secret |
| gitea_database_server | string | DB server - 'postgresql' or empty for sqlite |
| gitea_db_password | string | PosgreSQL db password (if pgsql is used) |
| gitea_reverse_proxy | string | Reverse proxy to use or not set for no proxy |
| gitea_enable_https | boolean | Configure HTTPS in the proxy |
| gitea_ssl_cert | string | SSL certificate |
| gitea_ssl_key | string | SSL key |
| gitea_enable_http_redirect | boolean | Redirect HTTP to HTTPS |
| gitea_self_signed | boolean | Generate a self-signed cert and key |
Handlers
Reload_systemd: It runs adaemon-reloadRestart_gitea: It restarts the Gitea service
Secrets
Always store the production secrets in SOPS, or in Ansible Vault.
Generate the secrets manually when the playbook stops:
gitea generate secret INTERNAL_TOKEN
gitea generate secret JWT_SECRET
Use the JWT_SECRET command to generate the gitea_lfs_jwt_secret as well. It's an alias.
Then re-run the playbook to finish the installation.
Example Playbook
- name: Deploy a Gitea server
hosts: gitea
become: true
vars:
gitea_user: git
gitea_group: git
gitea_binary_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64
gitea_checksum_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64.sha256
gitea_app_name: Tom's IT Cafe Gitea Server
gitea_ssh_domain: gitea.tomsitcafe.com
gitea_domain: gitea.tomsitcafe.com
gitea_http_port: 3000
gitea_root_url: http://gitea.tomsitcafe.com:3000
# Optional Postgresql database backend
gitea_database_server: postgresql
# Optional Nginx reverse proxy configuration
gitea_reverse_proxy: nginx
gitea_enable_https: true
gitea_self_signed: true
gitea_ssl_cert: /var/lib/gitea/certs/cert.pem
gitea_ssl_key: /var/lib/gitea/certs/key.pem
gitea_enable_http_redirect: true
# In prod put these secrets in SOPS:
gitea_lfs_jwt_secret: G9bZrRHMhRQ8w4R0KkH2VLnx2rzq81ROQ951IQjlMs4
gitea_internal_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NzA2Mzk1Njh9.ybbaeNLFiLbyvxfj4vkqhXSAXKRGpwvP8jIm9YLPgXw
gitea_jwt_secret: uJni4x4e0AzpkLYc-t4keRJKOB6EaLzwVsdLeamkFyU
gitea_db_password: Eegh7Aothooph7pa6eu7eitha_zaim0G
roles:
- role: ds-giteaLicense
MIT
[ Fear the Silence. Fear the Switch. ]