Migration commit; fresh start

2021-04-08 11:29:16 +02:00 · 2021-04-08 11:29:16 +02:00 · bcbed674fb
parent e7ad4e1f09
commit bcbed674fb
14 changed files with 399 additions and 3 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
+.vagrant
+*.log
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-MIT License Copyright (c) <year> <copyright holders>
+MIT License Copyright (c) 2021 "Stichting Disroot.org"

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/Playbooks/gitea.yml
+++ b/Playbooks/gitea.yml
@ -0,0 +1,9 @@
+---
+
+- hosts: gitea
+  roles:
+    - postgresql
+    - gitea
+
+  vars_files:
+    - ../defaults/main.yml
--- a/README.md
+++ b/README.md
@ -1,3 +1,14 @@
-# gitea
+# Gitea - Ansible Role
+
+This role covers deployment, configuration and software updates of Gitea. This role is released under MIT Licence and we give no warranty for this piece of software. Currently supported OS - Debian.
+
+You can deploy test instance using `Vagrantfile` attached to the role.
+`vagrant up`
+
+`ansible-playbook -b Playbooks/gitea.yml`
+
+Then you can then access gitea from your computer on `http://192.168.33.14:3000`
+
+## Playbook
+The playbook includes postgresql role and deploys entire stack needed to run Gitea. Additional roles are also available in the Ansible roles repos in git.

-This role deploys, updates and configures Gitea, https://gitea.io
--- a/20
+++ b/20
@ -0,0 +1,20 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# All Vagrant configuration is done below. The "2" in Vagrant.configure
+# configures the configuration version (we support older styles for
+# backwards compatibility). Please don't change it unless you know what
+# you're doing.
+Vagrant.configure("2") do |config|
+  #config.ssh.insert_key = false
+  config.vm.define "gitea" do |gitea|
+    gitea.vm.box = "generic/debian10"
+    gitea.vm.provider :libvirt do |libvirt|
+      libvirt.memory = 256
+    end
+    gitea.vm.network "forwarded_port", guest: 80, host: 8888, host_ip: "192.168.33.14"
+    gitea.vm.network "forwarded_port", guest: 443, host: 4443, host_ip: "192.168.33.14"
+    gitea.vm.network "private_network", ip: "192.168.33.14"
+
+end
+end
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -0,0 +1,123 @@
+---
+
+gitea_bindir: "/usr/local/bin/gitea"
+gitea_lib_dir: "/var/lib/gitea"
+gitea_user: 'git'
+gitea_group: 'git'
+gitea_confdir: '/etc/gitea/app.ini'
+gitea_version: '1.13.6'
+
+
+#[CONFIG]
+
+# App.ini file variables
+gitea_base_config:
+  - 'APP_NAME = Gitea: Git with a cup of tea'
+  - 'RUN_USER = git'
+  - 'RUN_MODE = prod'
+
+gitea_oauth2_config:
+  - 'JWT_SECRET = ' #41 random chars
+
+gitea_ui_config:
+  - 'DEFAULT_THEME = arc-green'
+
+gitea_security_config:
+  - 'INTERNAL_TOKEN = ' #106 random chars
+  - 'INSTALL_LOCK   = true'
+  - 'SECRET_KEY     = ' #64 random chars
+
+gitea_database_config:
+  - 'DB_TYPE  = postgres'
+  - 'HOST     = localhost:5432'
+  - 'NAME     = gitea'
+  - 'USER     = admin'
+  - 'PASSWD   = changeme'
+  - 'SSL_MODE = disable'
+  - 'PATH     = /home/git/data/gitea.db'
+
+gitea_repository_config:
+  - 'ROOT = /home/git/gitea-repositories'
+
+gitea_server_config:
+  - 'SSH_DOMAIN       = git.example.org'
+  - 'DOMAIN           = git.example.org'
+  - 'HTTP_PORT        = 3000'
+  - 'ROOT_URL         = https://git.example.org'
+  - 'DISABLE_SSH      = false'
+  - 'SSH_PORT         = 22'
+  - 'LFS_START_SERVER = true'
+  - 'LFS_CONTENT_PATH = /home/git/data/lfs'
+  - 'LFS_JWT_SECRET   = ' #40 random chars
+  - 'OFFLINE_MODE     = false'
+
+gitea_mailer_config:
+  - 'ENABLED        = true'
+  - 'HOST           = mail.example.org:587'
+  - 'FROM           = noreply@example.org'
+  - 'USER           = noreply@example.org'
+  - 'PASSWD         = CHANGEME' #PASSWD
+  - 'IS_TLS_ENABLED = true'
+
+gitea_service_config:
+  - 'REGISTER_EMAIL_CONFIRM            = true'
+  - 'ENABLE_NOTIFY_MAIL                = true'
+  - 'DISABLE_REGISTRATION              = false'
+  - 'ALLOW_ONLY_EXTERNAL_REGISTRATION  = false'
+  - 'ENABLE_CAPTCHA                    = false'
+  - 'REQUIRE_SIGNIN_VIEW               = true'
+  - 'DEFAULT_KEEP_EMAIL_PRIVATE        = true'
+  - 'DEFAULT_ALLOW_CREATE_ORGANIZATION = true'
+  - 'DEFAULT_ENABLE_TIMETRACKING       = true'
+  - 'NO_REPLY_ADDRESS                  = noreply@example.org'
+
+gitea_picture_config:
+  - 'DISABLE_GRAVATAR        = true'
+  - 'ENABLE_FEDERATED_AVATAR = true'
+
+gitea_openid_config:
+  - 'ENABLE_OPENID_SIGNIN = false'
+  - 'ENABLE_OPENID_SIGNUP = false'
+
+gitea_session_config:
+  - 'PROVIDER = file'
+
+gitea_log_config:
+  - 'MODE      = file'
+  - 'LEVEL     = Info'
+  - 'ROOT_PATH = /home/git/log'
+
+
+#apt
+gitea_apt_list:
+  - git
+
+
+
+# POSTGRES
+postgresql_version: 12
+postgresql_listen_addresses:
+    - "127.0.0.1"
+
+postgresql_pg_hba_default:
+    - { type: local, database: all, user: '{{ postgresql_admin_user }}', address: '', method: '{{ postgresql_default_auth_method }}', comment: '' }
+    - { type: local, database: all, user: all, address: '',             method: '{{ postgresql_default_auth_method }}', comment: '"local" is for Unix domain     socket           connections only' }
+    - { type: host,  database: all, user: all, address: '127.0.0.1/32', method: '{{ postgresql_default_auth_method_hosts }}', comment: 'IPv4 local connections:' }
+
+postgresql_databases:
+    - name: gitea
+      owner: admin          # optional; specify the owner of the database
+      hstore: no         # flag to install the hstore extension on this database (yes/no)
+      uuid_ossp: no      # flag to install the uuid-ossp extension on this database (yes/no)
+      citext: no         # flag to install the citext extension on this database (yes/no)
+
+postgresql_users:
+    - name: admin
+      pass: changeme
+      encrypted: yes       # denotes if the password is already encrypted.
+
+postgresql_user_privileges:
+    - name: admin                   # user name
+      db: gitea              # database
+      priv: "ALL"                 # privilege string format: example: INSERT,UPDATE/table:SELECT/anothertable:ALL
+      role_attr_flags: "" # role attribute flags
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -0,0 +1,6 @@
+---
+
+- name: 'Restart gitea'
+  systemd:
+    name: gitea
+    state: restarted
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@ -0,0 +1,44 @@
+---
+
+- name: '[DIR] - Create bin dir'
+  file:
+    path: '{{ gitea_bindir }}'
+    state: directory
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    mode: '0750'
+
+- name: '[DIR] - Create lib dir'
+  file:
+    path: '{{ gitea_lib_dir }}'
+    state: directory
+    mode: '0750'
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+
+- name: '[DIR] - Create lib dirs'
+  file:
+    path: "{{ gitea_lib_dir }}/{{ item }}"
+    state: directory
+    mode: '0750'
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+  with_items:
+    - 'custom'
+    - 'data'
+    - 'log'
+
+- name: '[DIR] - Create etc dir'
+  file:
+    path: /etc/gitea
+    state: directory
+    mode: '0770'
+    owner: "{{ gitea_user }}" 
+    group: "{{ gitea_group }}"
+
+- name: '[CONF] - Deploy gitea config'
+  template:
+    src: etc/gitea/app.ini.j2
+    dest: "{{ gitea_confdir }}"
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
--- a/tasks/install.yml
+++ b/tasks/install.yml
@ -0,0 +1,28 @@
+---
+
+- name: '[INSTALL] - Install dependencies'
+  apt:
+    name: "{{ gitea_apt_list }}"
+    update_cache: yes
+
+
+- name: '[INSTALL] - Download gitea binary'
+  get_url:
+    url: 'https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64'
+    dest: '{{ gitea_bindir }}/gitea'
+    mode: '0750'
+    owner: '{{ gitea_user }}'
+    group: '{{ gitea_group }}'
+    force: 'yes'
+  notify: 'Restart gitea'
+
+
+- name: '[INSTALL] - Set rights to read-only'
+  file:
+    path: '/etc/gitea'
+    mode: '0750'
+
+- name: '[INSTALL] - Set rights to read-only'
+  file:
+    path: '/etc/gitea/app.ini'
+    mode: '0640'
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,13 @@
+---
+
+- name: "[GITEA]- Create user"
+  include: user.yml
+
+- name: "[GITEA] - configure"
+  include: configure.yml
+
+- name: "[GITEA] - systemd"
+  include: systemd.yml
+
+- name: "[GITEA] - install"
+  include: install.yml
--- a/tasks/systemd.yml
+++ b/tasks/systemd.yml
@ -0,0 +1,24 @@
+---
+
+- name: '[SYSTEMD] - Deploy Systemd config'
+  template:
+    src: etc/systemd/system/gitea.service.j2
+    dest: /etc/systemd/system/gitea.service
+    owner: root
+    group: root
+    mode: 0644
+  register: gitea_systemd
+
+- name: '[SYSTEMD] - Enable systemd'
+  systemd:
+    name: gitea
+    enabled: yes
+    state: started
+    daemon_reload: yes
+  notify: Restart gitea
+
+- name: "[SYSTEMD] - Daemon-reload"
+  systemd:
+    daemon_reload: yes
+    name: gitea
+  when: gitea_systemd.changed
--- a/tasks/user.yml
+++ b/tasks/user.yml
@ -0,0 +1,12 @@
+---
+
+- name: Add group
+  group:
+    name: '{{ gitea_group }}'
+    state: present
+
+- name: Add user
+  user:
+    name: '{{ gitea_user }}'
+    shell: /bin/bash
+    group: '{{ gitea_group }}'
--- a/templates/etc/gitea/app.ini.j2
+++ b/templates/etc/gitea/app.ini.j2
@ -0,0 +1,70 @@
+# {{ ansible_managed }}
+{% for item in gitea_base_config %}
+{{ item }}
+{% endfor %}
+
+
+[oauth2]
+{% for item in gitea_oauth2_config %}
+{{ item }}
+{% endfor %}
+
+[ui]
+{% for item in gitea_ui_config %}
+{{ item }}
+{% endfor %}
+
+[security]
+{% for item in gitea_security_config %}
+{{ item }}
+{% endfor %}
+
+
+[database]
+{% for item in gitea_database_config %}
+{{ item }}
+{% endfor %}
+
+[repository]
+{% for item in gitea_repository_config %}
+{{ item }}
+{% endfor %}
+
+[server]
+{% for item in gitea_server_config %}
+{{ item }}
+{% endfor %}
+
+
+[mailer]
+{% for item in gitea_mailer_config %}
+{{ item }}
+{% endfor %}
+
+[service]
+{% for item in gitea_service_config %}
+{{ item }}
+{% endfor %}
+
+
+[picture]
+{% for item in gitea_picture_config %}
+{{ item }}
+{% endfor %}
+
+
+[openid]
+{% for item in gitea_openid_config %}
+{{ item }}
+{% endfor %}
+
+
+[session]
+{% for item in gitea_session_config %}
+{{ item }}
+{% endfor %}
+
+[log]
+{% for item in gitea_log_config %}
+{{ item }}
+{% endfor %}
--- a/templates/etc/systemd/system/gitea.service.j2
+++ b/templates/etc/systemd/system/gitea.service.j2
@ -0,0 +1,34 @@
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=syslog.target
+After=network.target
+#Requires=mysql.service
+#Requires=mariadb.service
+#Requires=postgresql.service
+#Requires=memcached.service
+#Requires=redis.service
+
+[Service]
+# Modify these two values and uncomment them if you have
+# repos with lots of files and get an HTTP error 500 because
+# of that
+###
+#LimitMEMLOCK=infinity
+#LimitNOFILE=65535
+RestartSec=2s
+Type=simple
+User={{ gitea_user }}
+Group={{ gitea_group }}
+WorkingDirectory=/var/lib/gitea/
+ExecStart={{ gitea_bindir }}/gitea web -c {{ gitea_confdir }}
+Restart=always
+RestartSec=3
+Environment=USER={{ gitea_user }} HOME=/home/{{ gitea_user }} GITEA_WORK_DIR=/var/lib/gitea
+# If you want to bind Gitea to a port below 1024 uncomment
+# the two values below
+###
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target