
  1. ---
  2. # The home-server project produces a multi-purpose setup using Ansible.
  3. # Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
  4. # Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
  5. ### UPSTREAM BEGIN ⇒ ###
  6. - name: pull prerequisites from upstream
  7. include_role: name=etckeeper.inc allow_duplicates=true tasks_from=upstream.yml
  8. vars:
  9. msg: Gitea
  10. ### ⇐ UPSTREAM BEGIN ###
  11. - name: install software
  12. package:
  13. name: "{{item}}"
  14. with_items:
  15. - gitea
  16. - asciidoctor
  17. - name: set git home to Gitea repos
  18. user:
  19. name: git
  20. home: /var/lib/gitea/repos
  21. create_home: true
  22. shell: /bin/sh
  23. ### UPSTREAM END ⇒ ###
  24. - name: merge upstream
  25. include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml
  26. vars:
  27. msg: Gitea
  28. ### ⇐ UPSTREAM END ###
  29. - name: PostgreSQL user for Gitea
  30. postgresql_user:
  31. login_unix_socket: /run/shared_sockets
  32. name: "{{gitea_db_user}}"
  33. password: "{{gitea_db_password}}"
  34. encrypted: true
  35. become: true
  36. become_user: postgres
  37. - name: PostgreSQL database for Gitea
  38. postgresql_db:
  39. login_unix_socket: /run/shared_sockets
  40. name: "{{gitea_db}}"
  41. owner: "{{gitea_db_user}}"
  42. become: true
  43. become_user: postgres
  44. - name: make sure the Gitea user owns its work-directories
  45. file:
  46. path: '{{item}}'
  47. state: directory
  48. owner: git
  49. recurse: true
  50. with_items:
  51. - /var/lib/gitea
  52. - /var/log/gitea
  53. - name: configure Gitea
  54. ini_file:
  55. path: /etc/gitea/app.ini
  56. section: '{{item.s}}'
  57. option: '{{item.o}}'
  58. value: '{{item.v}}'
  59. with_items:
  60. - {s: null, o: RUN_USER, v: git}
  61. - {s: null, o: RUN_MODE, v: prod}
  62. - {s: repository, o: ROOT, v: /var/lib/gitea/repos}
  63. - {s: repository.editor, o: LINE_WRAP_EXTENSIONS, v: '.txt,.md,.markdown,.mdown,.mkd,.adoc,.asciidoc,'}
  64. - {s: ui, o: SHOW_USER_EMAIL, v: 'false'}
  65. - {s: server, o: PROTOCOL, v: unix}
  66. - {s: server, o: DOMAIN, v: '{{net_soa}}'}
  67. - {s: server, o: ROOT_URL, v: 'https://{{net_soa}}{{http_pfx_gitea}}/'}
  68. - {s: server, o: HTTP_ADDR, v: /run/shared_sockets/gitea}
  69. - {s: server, o: LOCAL_ROOT_URL, v: ''}
  70. - {s: server, o: SSH_DOMAIN, v: '{{net_soa}}'}
  71. - {s: server, o: SSH_PORT, v: 2222}
  72. - {s: server, o: SSH_ROOT_PATH, v: /var/lib/gitea/repos/.ssh}
  73. - {s: server, o: MINIMUM_KEY_SIZE_CHECK, v: 'true'}
  74. - {s: server, o: LFS_START_SERVER, v: 'false'}
  75. - {s: ssh.minimum_key_sizes, o: ECDSA, v: '-1'}
  76. - {s: ssh.minimum_key_sizes, o: DSA, v: '-1'}
  77. - {s: database, o: DB_TYPE, v: postgres}
  78. - {s: database, o: HOST, v: /run/shared_sockets}
  79. - {s: database, o: NAME, v: '{{gitea_db}}'}
  80. - {s: database, o: USER, v: '{{gitea_db_user}}'}
  81. - {s: database, o: PASSWD, v: '{{gitea_db_password}}'}
  82. - {s: database, o: LOG_SQL, v: 'false'}
  83. - {s: indexer, o: REPO_INDEXER_ENABLED, v: 'true'}
  84. - {s: admin, o: DISABLE_REGULAR_ORG_CREATION, v: '{{gitea_disable_org_creation}}'}
  85. - {s: security, o: INSTALL_LOCK, v: 'true'}
  86. - {s: security, o: SECRET_KEY, v: '{{gitea_security_secret}}'}
  87. - {s: security, o: REVERSE_PROXY_AUTHENTICATION_USER, v: Remote-User}
  88. - {s: service, o: REGISTER_EMAIL_CONFIRM, v: 'true'}
  89. - {s: service, o: DISABLE_REGISTRATION, v: '{{gitea_disable_registration}}'}
  90. - {s: service, o: ENABLE_NOTIFY_MAIL, v: '{{gitea_enable_notify_email}}'}
  91. - {s: service, o: ENABLE_REVERSE_PROXY_AUTHENTICATION, v: 'true'}
  92. - {s: service, o: ENABLE_REVERSE_PROXY_AUTO_REGISTRATION, v: 'true'}
  93. - {s: service, o: DEFAULT_KEEP_EMAIL_PRIVATE, v: 'true'}
  94. - {s: service, o: NO_REPLY_ADDRESS, v: masked.invalid}
  95. - {s: mailer, o: ENABLED, v: 'true'}
  96. - {s: mailer, o: FROM, v: 'git@{{net_soa}}'}
  97. - {s: mailer, o: USE_SENDMAIL, v: 'true'}
  98. - {s: session, o: PROVIDER, v: file}
  99. - {s: session, o: COOKIE_SECURE, v: 'true'}
  100. - {s: attachment, o: ALLOWED_TYPES, v: '{{gitea_mime_attach | replace(" ", "|")}}'}
  101. - {s: log, o: ROOT_PATH, v: /var/log/gitea/}
  102. - {s: log, o: MODE, v: console}
  103. - {s: log, o: LEVEL, v: Warn}
  104. - {s: log.console, o: LEVEL, v: Warn}
  105. - {s: markup.asciidoc, o: ENABLED, v: 'true'}
  106. - {s: markup.asciidoc, o: RENDER_COMMAND, v: 'asciidoctor --out-file=- -'}
  107. - {s: other, o: SHOW_FOOTER_VERSION, v: 'false'}
  108. - {s: other, o: SHOW_FOOTER_TEMPLATE_LOAD_TIME, v: 'false'}
  109. notify:
  110. - restart gitea.service
  111. - name: prepare to override gitea.service
  112. file:
  113. path: /etc/systemd/system/gitea.service.d
  114. state: directory
  115. mode: 0755
  116. - name: make sure Gitea runs after its dependencies
  117. copy:
  118. content: |
  119. [Unit]
  120. After=postgresql.service
  121. After=systemd-tmpfiles-setup.service
  122. dest: /etc/systemd/system/gitea.service.d/after_psql+sockets.conf
  123. mode: 0644
  124. notify:
  125. - restart gitea.service
  126. - name: make Gitea more secure
  127. copy:
  128. content: |
  129. [Service]
  130. User=git
  131. Environment=USER=git
  132. CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
  133. PrivateDevices=true
  134. PrivateTmp=true
  135. ProtectHome=true
  136. ProtectSystem=true
  137. NoNewPrivileges=true
  138. dest: /etc/systemd/system/gitea.service.d/secure-{{nickname}}.conf
  139. mode: 0644
  140. notify:
  141. - restart gitea.service
  142. - name: enable gitea.service
  143. systemd:
  144. daemon_reload: true
  145. name: gitea.service
  146. enabled: true
  147. ### LOCAL COMMIT ⇒ ###
  148. - name: commit local changes
  149. include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
  150. vars:
  151. msg: Gitea
  152. ### ⇐ LOCAL COMMIT ###
  153. - meta: flush_handlers