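---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.

# Gitea behind a reverse proxy: snapshot /etc with etckeeper, install the
# packages, create the git user, provision the PostgreSQL role and database,
# write app.ini, harden the systemd unit with drop-ins, enable the service,
# then commit the local /etc changes.
#
# Variables expected from the caller (not defined in this file): gitea_db,
# gitea_db_user, gitea_db_password, gitea_security_secret,
# gitea_disable_org_creation, gitea_disable_registration,
# gitea_enable_notify_email, gitea_mime_attach, net_soa, http_pfx_gitea,
# nickname.  The "restart gitea.service" handler is defined elsewhere.

### UPSTREAM BEGIN ⇒ ###
- name: pull prerequisites from upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: Gitea
### ⇐ UPSTREAM BEGIN ###

- name: install software
  package:
    name: "{{ item }}"
  with_items:
    - gitea
    # Used by the [markup.asciidoc] RENDER_COMMAND configured below.
    - asciidoctor

# Gitea runs as "git" (RUN_USER below); its home is the repository root so
# that SSH_ROOT_PATH (/var/lib/gitea/repos/.ssh) is the user's ~/.ssh.
- name: set git home to Gitea repos
  user:
    name: git
    home: /var/lib/gitea/repos
    create_home: true
    shell: /bin/sh

### UPSTREAM END ⇒ ###
- name: merge upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: Gitea
### ⇐ UPSTREAM END ###

# PostgreSQL is reached over the shared Unix socket directory, never TCP.
- name: PostgreSQL user for Gitea
  postgresql_user:
    login_unix_socket: /run/shared_sockets
    name: "{{ gitea_db_user }}"
    password: "{{ gitea_db_password }}"
    encrypted: true
  become: true
  become_user: postgres

- name: PostgreSQL database for Gitea
  postgresql_db:
    login_unix_socket: /run/shared_sockets
    name: "{{ gitea_db }}"
    owner: "{{ gitea_db_user }}"
  become: true
  become_user: postgres

- name: make sure the Gitea user owns its work-directories
  file:
    path: "{{ item }}"
    state: directory
    owner: git
    recurse: true
  with_items:
    - /var/lib/gitea
    - /var/log/gitea

# Non-secret app.ini settings.  item.s is the ini section (null = the
# unsectioned top of app.ini, where Gitea reads RUN_USER/RUN_MODE), item.o
# the option, item.v the value.  ini_file writes every value as text, so
# booleans and numbers are quoted deliberately.
# NOTE(review): app.ini ends up containing the DB password and SECRET_KEY;
# this file does not manage /etc/gitea permissions, so confirm on the target
# that app.ini is readable by the git user only (e.g. not world-readable).
- name: configure Gitea
  ini_file:
    path: /etc/gitea/app.ini
    section: "{{ item.s }}"
    option: "{{ item.o }}"
    value: "{{ item.v }}"
  with_items:
    - {s: null, o: RUN_USER, v: git}
    - {s: null, o: RUN_MODE, v: prod}
    - {s: repository, o: ROOT, v: /var/lib/gitea/repos}
    - {s: repository.editor, o: LINE_WRAP_EXTENSIONS, v: '.txt,.md,.markdown,.mdown,.mkd,.adoc,.asciidoc,'}
    - {s: ui, o: SHOW_USER_EMAIL, v: "false"}
    # Gitea listens on a Unix socket only; the reverse proxy is its sole client.
    - {s: server, o: PROTOCOL, v: unix}
    - {s: server, o: DOMAIN, v: "{{ net_soa }}"}
    - {s: server, o: ROOT_URL, v: "https://{{ net_soa }}{{ http_pfx_gitea }}/"}
    - {s: server, o: HTTP_ADDR, v: /run/shared_sockets/gitea}
    - {s: server, o: LOCAL_ROOT_URL, v: ""}
    - {s: server, o: SSH_DOMAIN, v: "{{ net_soa }}"}
    - {s: server, o: SSH_PORT, v: "2222"}
    - {s: server, o: SSH_ROOT_PATH, v: /var/lib/gitea/repos/.ssh}
    - {s: server, o: MINIMUM_KEY_SIZE_CHECK, v: "true"}
    - {s: server, o: LFS_START_SERVER, v: "false"}
    # -1 rejects the key type altogether (DSA and ECDSA user keys not accepted).
    - {s: ssh.minimum_key_sizes, o: ECDSA, v: "-1"}
    - {s: ssh.minimum_key_sizes, o: DSA, v: "-1"}
    - {s: database, o: DB_TYPE, v: postgres}
    - {s: database, o: HOST, v: /run/shared_sockets}
    - {s: database, o: NAME, v: "{{ gitea_db }}"}
    - {s: database, o: USER, v: "{{ gitea_db_user }}"}
    - {s: database, o: LOG_SQL, v: "false"}
    - {s: indexer, o: REPO_INDEXER_ENABLED, v: "true"}
    - {s: admin, o: DISABLE_REGULAR_ORG_CREATION, v: "{{ gitea_disable_org_creation }}"}
    - {s: security, o: INSTALL_LOCK, v: "true"}
    # Header-based login is only safe because the socket above is reachable by
    # the reverse proxy alone; if HTTP_ADDR ever becomes a TCP address, the
    # proxy must strip a client-supplied Remote-User header.
    - {s: security, o: REVERSE_PROXY_AUTHENTICATION_USER, v: Remote-User}
    - {s: service, o: REGISTER_EMAIL_CONFIRM, v: "true"}
    - {s: service, o: DISABLE_REGISTRATION, v: "{{ gitea_disable_registration }}"}
    - {s: service, o: ENABLE_NOTIFY_MAIL, v: "{{ gitea_enable_notify_email }}"}
    - {s: service, o: ENABLE_REVERSE_PROXY_AUTHENTICATION, v: "true"}
    - {s: service, o: ENABLE_REVERSE_PROXY_AUTO_REGISTRATION, v: "true"}
    - {s: service, o: DEFAULT_KEEP_EMAIL_PRIVATE, v: "true"}
    - {s: service, o: NO_REPLY_ADDRESS, v: masked.invalid}
    - {s: mailer, o: ENABLED, v: "true"}
    - {s: mailer, o: FROM, v: "git@{{ net_soa }}"}
    - {s: mailer, o: USE_SENDMAIL, v: "true"}
    - {s: session, o: PROVIDER, v: file}
    - {s: session, o: COOKIE_SECURE, v: "true"}
    # gitea_mime_attach is a space-separated list; Gitea wants "|" separators.
    - {s: attachment, o: ALLOWED_TYPES, v: '{{ gitea_mime_attach | replace(" ", "|") }}'}
    - {s: log, o: ROOT_PATH, v: /var/log/gitea/}
    - {s: log, o: MODE, v: console}
    - {s: log, o: LEVEL, v: Warn}
    - {s: log.console, o: LEVEL, v: Warn}
    - {s: markup.asciidoc, o: ENABLED, v: "true"}
    - {s: markup.asciidoc, o: RENDER_COMMAND, v: 'asciidoctor --out-file=- -'}
    - {s: other, o: SHOW_FOOTER_VERSION, v: "false"}
    - {s: other, o: SHOW_FOOTER_TEMPLATE_LOAD_TIME, v: "false"}
  notify:
    - restart gitea.service

# Secret settings are written by a separate task with no_log, so that the
# per-item loop output does not print the database password or the session
# secret in the play log.
- name: configure Gitea secrets
  ini_file:
    path: /etc/gitea/app.ini
    section: "{{ item.s }}"
    option: "{{ item.o }}"
    value: "{{ item.v }}"
  no_log: true
  with_items:
    - {s: database, o: PASSWD, v: "{{ gitea_db_password }}"}
    - {s: security, o: SECRET_KEY, v: "{{ gitea_security_secret }}"}
  notify:
    - restart gitea.service

# File modes are quoted so the YAML parser cannot reinterpret the octal value.
- name: prepare to override gitea.service
  file:
    path: /etc/systemd/system/gitea.service.d
    state: directory
    mode: "0755"

# Both the database socket and /run/shared_sockets (tmpfiles) must exist
# before Gitea starts.
- name: make sure Gitea runs after its dependencies
  copy:
    content: |
      [Unit]
      After=postgresql.service
      After=systemd-tmpfiles-setup.service
    dest: /etc/systemd/system/gitea.service.d/after_psql+sockets.conf
    mode: "0644"
  notify:
    - restart gitea.service

# Sandboxing drop-in: run as the git user with a minimal capability set, a
# private /dev and /tmp, no access to /home (the git home is under /var/lib),
# read-only /usr and /boot, and no privilege escalation via setuid binaries.
# NOTE(review): ProtectSystem=true leaves /etc and /var writable; a stricter
# setting (full/strict) would need ReadWritePaths for /var/lib/gitea and
# /var/log/gitea — verify before tightening.
- name: make Gitea more secure
  copy:
    content: |
      [Service]
      User=git
      Environment=USER=git
      CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
      PrivateDevices=true
      PrivateTmp=true
      ProtectHome=true
      ProtectSystem=true
      NoNewPrivileges=true
    dest: "/etc/systemd/system/gitea.service.d/secure-{{ nickname }}.conf"
    mode: "0644"
  notify:
    - restart gitea.service

# daemon_reload picks up the drop-ins above before the restart handler runs.
- name: enable gitea.service
  systemd:
    daemon_reload: true
    name: gitea.service
    enabled: true

### LOCAL COMMIT ⇒ ###
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: Gitea
### ⇐ LOCAL COMMIT ###

# Run the pending "restart gitea.service" handler now rather than at play end.
- meta: flush_handlers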