home-server/roles/ihmgit_back/tasks/main.yml


---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
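### UPSTREAM BEGIN ⇒ ###
# Hand over to the etckeeper.inc role (tasks file upstream.yml) before the
# upstream package changes below; "Gitea" is the label passed to it as msg.
# Module arguments are given in block form rather than a key=value string.
- name: pull prerequisites from upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: Gitea
### ⇐ UPSTREAM BEGIN ###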
# Gitea itself plus asciidoctor, which the markup.asciidoc renderer
# configured further down calls as an external command.
- name: install software
  package:
    name: '{{item}}'
  with_items:
    - gitea
    - asciidoctor
# The git account's home is the repository root, so its ~/.ssh matches the
# SSH_ROOT_PATH written into app.ini below (/var/lib/gitea/repos/.ssh).
- name: set git home to Gitea repos
  user:
    name: git
    shell: /bin/sh
    home: /var/lib/gitea/repos
    create_home: true
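### UPSTREAM END ⇒ ###
# Counterpart of the UPSTREAM BEGIN task: etckeeper.inc's merge.yml, same
# "Gitea" label. Module arguments in block form instead of a key=value string.
- name: merge upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: Gitea
### ⇐ UPSTREAM END ###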
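# Database role for Gitea, created over the shared unix socket as the
# postgres system user. no_log keeps gitea_db_password out of the play
# output (the task result would otherwise echo the module arguments).
- name: PostgreSQL user for Gitea
  postgresql_user:
    login_unix_socket: /run/shared_sockets
    name: '{{gitea_db_user}}'
    password: '{{gitea_db_password}}'
    encrypted: true
  become: true
  become_user: postgres
  no_log: true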
# The database is owned by the role created just above.
- name: PostgreSQL database for Gitea
  become: true
  become_user: postgres
  postgresql_db:
    login_unix_socket: /run/shared_sockets
    name: '{{gitea_db}}'
    owner: '{{gitea_db_user}}'
# Both trees are chowned recursively to git (the RUN_USER set in app.ini);
# /etc/gitea is deliberately not touched here.
- name: make sure the Gitea user owns its work-directories
  file:
    state: directory
    path: '{{item}}'
    owner: git
    recurse: true
  with_items:
    - /var/lib/gitea
    - /var/log/gitea
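# Writes every setting Gitea needs into app.ini, one option per loop item
# (s = section, o = option, v = value). The loop carries PASSWD and
# SECRET_KEY, so no_log suppresses the per-item output that would otherwise
# print both secrets in the play log.
# NOTE(review): app.ini ends up holding the database password and the secret
# key; this task does not set its owner/mode, so the package default applies —
# confirm the file is not world-readable.
- name: configure Gitea
  ini_file:
    path: /etc/gitea/app.ini
    section: '{{item.s}}'
    option: '{{item.o}}'
    value: '{{item.v}}'
  with_items:
    # s: null targets the options that precede the first [section] header.
    - {s: null, o: RUN_USER, v: git}
    - {s: null, o: RUN_MODE, v: prod}
    - {s: repository, o: ROOT, v: /var/lib/gitea/repos}
    - {s: repository.editor, o: LINE_WRAP_EXTENSIONS, v: '.txt,.md,.markdown,.mdown,.mkd,.adoc,.asciidoc,'}
    - {s: ui, o: SHOW_USER_EMAIL, v: 'false'}
    # Gitea listens on a unix socket only (no TCP port); the reverse proxy in
    # front of it is the sole client, which is what makes the header-based
    # REVERSE_PROXY_AUTHENTICATION below acceptable.
    - {s: server, o: PROTOCOL, v: unix}
    - {s: server, o: DOMAIN, v: '{{net_soa}}'}
    - {s: server, o: ROOT_URL, v: 'https://{{net_soa}}{{http_pfx_gitea}}/'}
    - {s: server, o: HTTP_ADDR, v: /run/shared_sockets/gitea}
    - {s: server, o: LOCAL_ROOT_URL, v: ''}
    - {s: server, o: SSH_DOMAIN, v: '{{net_soa}}'}
    - {s: server, o: SSH_PORT, v: 2222}
    - {s: server, o: SSH_ROOT_PATH, v: /var/lib/gitea/repos/.ssh}
    - {s: server, o: MINIMUM_KEY_SIZE_CHECK, v: 'true'}
    - {s: server, o: LFS_START_SERVER, v: 'false'}
    # With the size check on, -1 is Gitea's value for rejecting a key type
    # altogether: no ECDSA or DSA user keys.
    - {s: ssh.minimum_key_sizes, o: ECDSA, v: '-1'}
    - {s: ssh.minimum_key_sizes, o: DSA, v: '-1'}
    - {s: database, o: DB_TYPE, v: postgres}
    - {s: database, o: HOST, v: /run/shared_sockets}
    - {s: database, o: NAME, v: '{{gitea_db}}'}
    - {s: database, o: USER, v: '{{gitea_db_user}}'}
    - {s: database, o: PASSWD, v: '{{gitea_db_password}}'}
    - {s: database, o: LOG_SQL, v: 'false'}
    - {s: indexer, o: REPO_INDEXER_ENABLED, v: 'true'}
    - {s: admin, o: DISABLE_REGULAR_ORG_CREATION, v: '{{gitea_disable_org_creation}}'}
    # INSTALL_LOCK disables the web installer; SECRET_KEY is the
    # per-instance signing secret.
    - {s: security, o: INSTALL_LOCK, v: 'true'}
    - {s: security, o: SECRET_KEY, v: '{{gitea_security_secret}}'}
    - {s: security, o: REVERSE_PROXY_AUTHENTICATION_USER, v: Remote-User}
    - {s: service, o: REGISTER_EMAIL_CONFIRM, v: 'true'}
    - {s: service, o: DISABLE_REGISTRATION, v: '{{gitea_disable_registration}}'}
    - {s: service, o: ENABLE_NOTIFY_MAIL, v: '{{gitea_enable_notify_email}}'}
    # Logins come from the Remote-User header set by the proxy; users seen
    # for the first time are auto-registered.
    - {s: service, o: ENABLE_REVERSE_PROXY_AUTHENTICATION, v: 'true'}
    - {s: service, o: ENABLE_REVERSE_PROXY_AUTO_REGISTRATION, v: 'true'}
    - {s: service, o: DEFAULT_KEEP_EMAIL_PRIVATE, v: 'true'}
    - {s: service, o: NO_REPLY_ADDRESS, v: masked.invalid}
    - {s: mailer, o: ENABLED, v: 'true'}
    - {s: mailer, o: FROM, v: 'git@{{net_soa}}'}
    - {s: mailer, o: USE_SENDMAIL, v: 'true'}
    - {s: session, o: PROVIDER, v: file}
    - {s: session, o: COOKIE_SECURE, v: 'true'}
    # gitea_mime_attach is a space-separated list; Gitea wants "|" separators.
    - {s: attachment, o: ALLOWED_TYPES, v: '{{gitea_mime_attach | replace(" ", "|")}}'}
    - {s: log, o: ROOT_PATH, v: /var/log/gitea/}
    - {s: log, o: MODE, v: console}
    - {s: log, o: LEVEL, v: Warn}
    - {s: log.console, o: LEVEL, v: Warn}
    - {s: markup.asciidoc, o: ENABLED, v: 'true'}
    - {s: markup.asciidoc, o: RENDER_COMMAND, v: 'asciidoctor --out-file=- -'}
    - {s: other, o: SHOW_FOOTER_VERSION, v: 'false'}
    - {s: other, o: SHOW_FOOTER_TEMPLATE_LOAD_TIME, v: 'false'}
  no_log: true
  notify:
    - restart gitea.service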
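# Drop-in directory for the unit overrides written by the next two tasks.
# The mode is quoted so it stays the octal string "0755" rather than being
# read by the YAML parser as an integer.
- name: prepare to override gitea.service
  file:
    path: /etc/systemd/system/gitea.service.d
    state: directory
    mode: "0755"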
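# Ordering drop-in: Gitea needs PostgreSQL up and the tmpfiles pass done
# (the shared socket directory) before it starts. Mode quoted as an octal
# string.
- name: make sure Gitea runs after its dependencies
  copy:
    content: |
      [Unit]
      After=postgresql.service
      After=systemd-tmpfiles-setup.service
    dest: /etc/systemd/system/gitea.service.d/after_psql+sockets.conf
    mode: "0644"
  notify:
    - restart gitea.service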
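# Sandboxing drop-in for gitea.service:
#  - runs as the unprivileged git user;
#  - CapabilityBoundingSet leaves only the three listed capabilities
#    available to the service;
#  - PrivateDevices/PrivateTmp give it its own /dev and /tmp;
#  - ProtectHome hides /home, ProtectSystem=true makes /usr and /boot
#    read-only (ProtectSystem=full would also cover /etc; not used here as
#    Gitea's own configuration lives under /etc/gitea — TODO confirm whether
#    it ever writes there);
#  - NoNewPrivileges blocks setuid/capability gains by child processes.
# The file name carries the host nickname; mode quoted as an octal string.
- name: make Gitea more secure
  copy:
    content: |
      [Service]
      User=git
      Environment=USER=git
      CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
      PrivateDevices=true
      PrivateTmp=true
      ProtectHome=true
      ProtectSystem=true
      NoNewPrivileges=true
    dest: /etc/systemd/system/gitea.service.d/secure-{{nickname}}.conf
    mode: "0644"
  notify:
    - restart gitea.service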
# daemon_reload picks up the two drop-ins written above before the unit is
# enabled; the actual (re)start is left to the notified handler.
- name: enable gitea.service
  systemd:
    name: gitea.service
    enabled: true
    daemon_reload: true
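### LOCAL COMMIT ⇒ ###
# etckeeper.inc's local.yml, run after all local edits to /etc are done,
# again labelled "Gitea". Module arguments in block form instead of a
# key=value string.
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: Gitea
### ⇐ LOCAL COMMIT ###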
# Run the queued "restart gitea.service" handler now, instead of waiting for
# the end of the play.
- meta: flush_handlers