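---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
#
# Installs and hardens a Gitea instance that:
#   - listens on a unix socket behind a reverse proxy (PROTOCOL=unix) and trusts
#     the proxy's Remote-User header for authentication,
#   - stores its data in PostgreSQL over a shared unix socket,
#   - runs as the `git` user under a locked-down systemd drop-in.
# The "UPSTREAM"/"LOCAL COMMIT" markers bracket etckeeper snapshots of /etc.

### UPSTREAM BEGIN ⇒ ###
- name: pull prerequisites from upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: Gitea
### ⇐ UPSTREAM BEGIN ###

- name: install software
  # asciidoctor is the external renderer wired into [markup.asciidoc] below.
  package:
    name:
      - gitea
      - asciidoctor

- name: set git home to Gitea repos
  # Gitea runs as `git` (RUN_USER below). Its home is the repository root so
  # that SSH_ROOT_PATH (/var/lib/gitea/repos/.ssh) is this user's ~/.ssh and
  # sshd finds the authorized_keys file Gitea maintains there.
  user:
    name: git
    home: /var/lib/gitea/repos
    create_home: true
    shell: /bin/sh

### UPSTREAM END ⇒ ###
- name: merge upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: Gitea
### ⇐ UPSTREAM END ###

- name: PostgreSQL user for Gitea
  # encrypted: true stores the password hashed on the server side; the
  # module itself does not log the password parameter.
  postgresql_user:
    login_unix_socket: /run/shared_sockets
    name: "{{gitea_db_user}}"
    password: "{{gitea_db_password}}"
    encrypted: true
  become: true
  become_user: postgres

- name: PostgreSQL database for Gitea
  postgresql_db:
    login_unix_socket: /run/shared_sockets
    name: "{{gitea_db}}"
    owner: "{{gitea_db_user}}"
  become: true
  become_user: postgres

- name: make sure the Gitea user owns its work-directories
  # Recursive chown of the data and log trees; the service below is confined
  # to writing under these paths (plus /run and a private /tmp).
  file:
    path: '{{item}}'
    state: directory
    owner: git
    recurse: true
  with_items:
    - /var/lib/gitea
    - /var/log/gitea

- name: configure Gitea
  # Non-secret settings. app.ini also carries the DB password and SECRET_KEY
  # (written by the next task), so it is kept readable by the service user
  # only. root:git 0640 would be preferable if a `git` group is guaranteed.
  ini_file:
    path: /etc/gitea/app.ini
    owner: git
    mode: '0600'
    section: '{{item.s}}'
    option: '{{item.o}}'
    value: '{{item.v}}'
  with_items:
    - {s: null, o: RUN_USER, v: git}
    - {s: null, o: RUN_MODE, v: prod}
    - {s: repository, o: ROOT, v: /var/lib/gitea/repos}
    - {s: repository.editor, o: LINE_WRAP_EXTENSIONS, v: '.txt,.md,.markdown,.mdown,.mkd,.adoc,.asciidoc,'}
    - {s: ui, o: SHOW_USER_EMAIL, v: 'false'}
    # HTTP is served on a unix socket for the reverse proxy; nothing listens
    # on TCP. NOTE(review): Gitea creates that socket world-writable by
    # default, and with reverse-proxy authentication enabled below any local
    # process that can connect to it can set Remote-User itself — confirm the
    # socket is restricted (see UNIX_SOCKET_PERMISSION) or the directory is.
    - {s: server, o: PROTOCOL, v: unix}
    - {s: server, o: DOMAIN, v: '{{net_soa}}'}
    - {s: server, o: ROOT_URL, v: 'https://{{net_soa}}{{http_pfx_gitea}}/'}
    - {s: server, o: HTTP_ADDR, v: /run/shared_sockets/gitea}
    - {s: server, o: LOCAL_ROOT_URL, v: ''}
    # SSH_PORT is only what clone URLs advertise (no built-in SSH server is
    # started here); the system sshd is presumably on 2222 — verify.
    - {s: server, o: SSH_DOMAIN, v: '{{net_soa}}'}
    - {s: server, o: SSH_PORT, v: 2222}
    - {s: server, o: SSH_ROOT_PATH, v: /var/lib/gitea/repos/.ssh}
    # Enforce key-size checks and refuse DSA and ECDSA keys outright (-1).
    - {s: server, o: MINIMUM_KEY_SIZE_CHECK, v: 'true'}
    - {s: server, o: LFS_START_SERVER, v: 'false'}
    - {s: ssh.minimum_key_sizes, o: ECDSA, v: '-1'}
    - {s: ssh.minimum_key_sizes, o: DSA, v: '-1'}
    - {s: database, o: DB_TYPE, v: postgres}
    - {s: database, o: HOST, v: /run/shared_sockets}
    - {s: database, o: NAME, v: '{{gitea_db}}'}
    - {s: database, o: USER, v: '{{gitea_db_user}}'}
    - {s: database, o: LOG_SQL, v: 'false'}
    - {s: indexer, o: REPO_INDEXER_ENABLED, v: 'true'}
    - {s: admin, o: DISABLE_REGULAR_ORG_CREATION, v: '{{gitea_disable_org_creation}}'}
    # INSTALL_LOCK prevents the web installer from ever (re)writing app.ini.
    - {s: security, o: INSTALL_LOCK, v: 'true'}
    # Reverse-proxy auth: whoever is named in the Remote-User header is logged
    # in, and unknown names get an account created (auto-registration skips
    # REGISTER_EMAIL_CONFIRM). The proxy MUST strip any client-supplied
    # Remote-User header before setting its own.
    - {s: security, o: REVERSE_PROXY_AUTHENTICATION_USER, v: Remote-User}
    - {s: service, o: REGISTER_EMAIL_CONFIRM, v: 'true'}
    - {s: service, o: DISABLE_REGISTRATION, v: '{{gitea_disable_registration}}'}
    - {s: service, o: ENABLE_NOTIFY_MAIL, v: '{{gitea_enable_notify_email}}'}
    - {s: service, o: ENABLE_REVERSE_PROXY_AUTHENTICATION, v: 'true'}
    - {s: service, o: ENABLE_REVERSE_PROXY_AUTO_REGISTRATION, v: 'true'}
    - {s: service, o: DEFAULT_KEEP_EMAIL_PRIVATE, v: 'true'}
    - {s: service, o: NO_REPLY_ADDRESS, v: masked.invalid}
    - {s: mailer, o: ENABLED, v: 'true'}
    - {s: mailer, o: FROM, v: 'git@{{net_soa}}'}
    - {s: mailer, o: USE_SENDMAIL, v: 'true'}
    - {s: session, o: PROVIDER, v: file}
    - {s: session, o: COOKIE_SECURE, v: 'true'}
    # gitea_mime_attach is a space-separated list; Gitea wants it '|'-separated.
    - {s: attachment, o: ALLOWED_TYPES, v: '{{gitea_mime_attach | replace(" ", "|")}}'}
    - {s: log, o: ROOT_PATH, v: /var/log/gitea/}
    - {s: log, o: MODE, v: console}
    - {s: log, o: LEVEL, v: Warn}
    - {s: log.console, o: LEVEL, v: Warn}
    # The renderer is fed repository content, i.e. untrusted input, and runs
    # as the `git` user. The asciidoctor CLI defaults to safe-mode "unsafe",
    # in which an include:: directive reads any file that user can read —
    # app.ini with its secrets among them. "secure" disables include:: and
    # other filesystem access, which is what is wanted for a web renderer.
    - {s: markup.asciidoc, o: ENABLED, v: 'true'}
    - {s: markup.asciidoc, o: RENDER_COMMAND, v: 'asciidoctor --safe-mode secure --out-file=- -'}
    - {s: other, o: SHOW_FOOTER_VERSION, v: 'false'}
    - {s: other, o: SHOW_FOOTER_TEMPLATE_LOAD_TIME, v: 'false'}
  notify:
    - restart gitea.service

- name: configure Gitea secrets
  # Kept in a separate task under no_log: with_items prints each item
  # (including its value) in the task output, which would otherwise echo the
  # DB password and SECRET_KEY to the controller's console and logs.
  ini_file:
    path: /etc/gitea/app.ini
    owner: git
    mode: '0600'
    section: '{{item.s}}'
    option: '{{item.o}}'
    value: '{{item.v}}'
  no_log: true
  with_items:
    - {s: database, o: PASSWD, v: '{{gitea_db_password}}'}
    - {s: security, o: SECRET_KEY, v: '{{gitea_security_secret}}'}
  notify:
    - restart gitea.service

- name: prepare to override gitea.service
  file:
    path: /etc/systemd/system/gitea.service.d
    state: directory
    mode: '0755'

- name: make sure Gitea runs after its dependencies
  # After= only orders units that are both scheduled; Wants= additionally
  # pulls PostgreSQL in so Gitea does not come up without its database.
  # tmpfiles-setup is what creates /run/shared_sockets (presumably — see the
  # tmpfiles configuration elsewhere in the project).
  copy:
    content: |
      [Unit]
      Wants=postgresql.service
      After=postgresql.service
      After=systemd-tmpfiles-setup.service
    dest: /etc/systemd/system/gitea.service.d/after_psql+sockets.conf
    mode: '0644'
  notify:
    - restart gitea.service

- name: make Gitea more secure
  # Service sandbox: runs as git, no device access, private /tmp, /home and
  # /root hidden (git's home is under /var/lib, so unaffected), /usr and /boot
  # read-only, no privilege gain via setuid/capabilities. The capability set
  # presumably mirrors the upstream unit — none of the three are needed for
  # a unix-socket listener, so it could likely be emptied; verify first.
  # ProtectSystem=full would also make /etc read-only; the configuration
  # here only writes under /var/lib/gitea, /var/log/gitea and /run — TODO
  # confirm before tightening.
  copy:
    content: |
      [Service]
      User=git
      Environment=USER=git
      CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
      PrivateDevices=true
      PrivateTmp=true
      ProtectHome=true
      ProtectSystem=true
      NoNewPrivileges=true
    dest: /etc/systemd/system/gitea.service.d/secure-{{nickname}}.conf
    mode: '0644'
  notify:
    - restart gitea.service

- name: enable gitea.service
  systemd:
    daemon_reload: true
    name: gitea.service
    enabled: true

### LOCAL COMMIT ⇒ ###
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: Gitea
### ⇐ LOCAL COMMIT ###

# Restart Gitea now so the etckeeper commit above reflects a running service.
- meta: flush_handlers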