ds_gitea/README.org

#+TITLE: Gitea Server Installer Role
#+AUTHOR: DeadSwitch | The Silent Architect
#+OPTIONS: toc:nil num:nil \n:t

* ds-gitea

This role installs and configures a [[https://docs.gitea.com/][Gitea]] server.

It uses SQLite as its default database service - with optional PostgreSQL support.

The role can set up a reverse proxy with SSL.

- Use the =ds-ufw= role to configure the firewall.
- Use the =ds-posgresql= role to configure the database.
- Use the =ds-nginx= role to install the proxy server.

* Role Workflow

1. Download and install the Gitea binary
2. (Optionally) Set up the PostgreSQL user and database
3. Set up the user and group for the service
4. Create the required directory structure
5. Wait for the secret creation and storage in SOPS - if secrets are not present
6. Deploy the Gitea configuration
7. Deploy the Gitea systemd service file (With Postgresql support if the backend is used)
8. Set up the reverse proxy with optional SSL
9. Enable and start the service

* Defaults

#+begin_src yaml
gitea_user: git
gitea_group: git
gitea_http_port: 3000
gitea_ssh_port: 22
gitea_database_server: ''
gitea_reverse_proxy: ''
#+end_src

* Requirements

- Ansible >= 2.12
- Debian-based OS (Bookworm, Trixie)
- git
- sudo
- ca-certificates
- (optional) PosgreSQL database
- (optional) Nginx server

* Variables

| Variable                   | Type    | Comment                                      |
|----------------------------+---------+----------------------------------------------|
| gitea_user                 | string  | Gitea user                                   |
| gitea_group                | string  | Gitea group                                  |
| gitea_binary_url           | string  | Download URL of Gitea                        |
| gitea_checksum_url         | string  | Checksum URL of the binary                   |
| gitea_app_name             | string  | Gitea server title                           |
| gitea_ssh_domain           | string  | SSH domain                                   |
| gitea_domain               | string  | Domain to reach Gitea                        |
| gitea_http_port            | int     | HTTP port                                    |
| gitea_ssh_port             | int     | SSH port                                     |
| gitea_root_url             | string  | Protocol + FQDN + port                       |
| gitea_lfs_jwt_secret       | string  | LFS storage secret                           |
| gitea_internal_token       | string  | Internal token                               |
| gitea_jwt_secret           | string  | JWT secret                                   |
| gitea_database_server      | string  | DB server - 'postgresql' or empty for sqlite |
| gitea_db_password          | string  | PosgreSQL db password (if pgsql is used)     |
| gitea_reverse_proxy        | string  | Reverse proxy to use or not set for no proxy |
| gitea_enable_https         | boolean | Configure HTTPS in the proxy                 |
| gitea_ssl_cert             | string  | SSL certificate                              |
| gitea_ssl_key              | string  | SSL key                                      |
| gitea_enable_http_redirect | boolean | Redirect HTTP to HTTPS                       |
| gitea_self_signed          | boolean | Generate a self-signed cert and key          |

* Handlers

- =Reload_systemd=: It runs a =daemon-reload=
- =Restart_gitea=: It restarts the Gitea service

* Secrets

Always store the production secrets in SOPS, or in Ansible Vault.

Generate the secrets manually when the playbook stops:

#+begin_src shell
gitea generate secret INTERNAL_TOKEN
gitea generate secret JWT_SECRET
#+end_src

Use the =JWT_SECRET= command to generate the =gitea_lfs_jwt_secret= as well. It's an alias.

Then re-run the playbook to finish the installation.

* Example Playbook

#+begin_src yaml
- name: Deploy a Gitea server
  hosts: gitea
  become: true

  vars:
    gitea_user: git
    gitea_group: git
    gitea_binary_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64
    gitea_checksum_url: https://dl.gitea.com/gitea/1.25.4/gitea-1.25.4-linux-amd64.sha256
    gitea_app_name: Tom's IT Cafe Gitea Server
    gitea_ssh_domain: gitea.tomsitcafe.com
    gitea_domain: gitea.tomsitcafe.com
    gitea_http_port: 3000
    gitea_root_url: http://gitea.tomsitcafe.com:3000

    # Optional Postgresql database backend
    gitea_database_server: postgresql

    # Optional Nginx reverse proxy configuration
    gitea_reverse_proxy: nginx
    gitea_enable_https: true
    gitea_self_signed: true
    gitea_ssl_cert: /var/lib/gitea/certs/cert.pem
    gitea_ssl_key: /var/lib/gitea/certs/key.pem
    gitea_enable_http_redirect: true

    # In prod put these secrets in SOPS:
    gitea_lfs_jwt_secret: G9bZrRHMhRQ8w4R0KkH2VLnx2rzq81ROQ951IQjlMs4 
    gitea_internal_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NzA2Mzk1Njh9.ybbaeNLFiLbyvxfj4vkqhXSAXKRGpwvP8jIm9YLPgXw
    gitea_jwt_secret: uJni4x4e0AzpkLYc-t4keRJKOB6EaLzwVsdLeamkFyU
    gitea_db_password: Eegh7Aothooph7pa6eu7eitha_zaim0G

  roles:
    - role: ds-gitea
#+end_src

* License

MIT

=[ Fear the Silence. Fear the Switch. ]=