221 lines
9.1 KiB
YAML
221 lines
9.1 KiB
YAML
---
|
||
# The home-server project produces a multi-purpose setup using Ansible.
|
||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||
|
||
### UPSTREAM BEGIN ⇒ ###
|
||
- name: pull prerequisites from upstream
|
||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=upstream.yml
|
||
vars:
|
||
msg: Gitea
|
||
### ⇐ UPSTREAM BEGIN ###
|
||
|
||
- name: install software
|
||
package:
|
||
name: "{{item}}"
|
||
with_items:
|
||
- gitea
|
||
- asciidoctor
|
||
|
||
### UPSTREAM END ⇒ ###
|
||
- name: merge upstream
|
||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml
|
||
vars:
|
||
msg: Gitea
|
||
### ⇐ UPSTREAM END ###
|
||
|
||
- name: PostgreSQL user for Gitea
|
||
postgresql_user:
|
||
login_unix_socket: /run/shared_sockets
|
||
name: "{{gitea_db_user}}"
|
||
password: "{{gitea_db_password}}"
|
||
encrypted: true
|
||
become: true
|
||
become_user: postgres
|
||
|
||
- name: PostgreSQL database for Gitea
|
||
postgresql_db:
|
||
login_unix_socket: /run/shared_sockets
|
||
name: "{{gitea_db}}"
|
||
owner: "{{gitea_db_user}}"
|
||
become: true
|
||
become_user: postgres
|
||
|
||
- name: create Gitea configuration file
|
||
file:
|
||
path: /etc/gitea/app.ini
|
||
state: touch
|
||
|
||
- name: make sure the Gitea user owns its work-directories
|
||
file:
|
||
path: '{{item}}'
|
||
state: directory
|
||
owner: '{{gitea_user}}'
|
||
recurse: true
|
||
with_items:
|
||
- /etc/gitea
|
||
- /var/lib/gitea
|
||
- /var/log/gitea
|
||
|
||
- name: configure Gitea
|
||
ini_file:
|
||
path: /etc/gitea/app.ini
|
||
section: '{{item.s}}'
|
||
option: '{{item.o}}'
|
||
value: '{{item.v}}'
|
||
with_items:
|
||
- {s: null, o: RUN_USER, v: '{{gitea_user}}'}
|
||
- {s: null, o: RUN_MODE, v: prod}
|
||
- {s: repository, o: ROOT, v: /var/lib/gitea/repos}
|
||
- {s: repository, o: DISABLE_HTTP_GIT, v: '{{gitea_disable_http_git}}'}
|
||
- {s: repository, o: DISABLE_MIRRORS, v: '{{gitea_disable_mirrors}}'}
|
||
- {s: repository.editor, o: LINE_WRAP_EXTENSIONS, v: '.txt,.md,.markdown,.mdown,.mkd,.adoc,.asciidoc,'}
|
||
- {s: ui, o: SHOW_USER_EMAIL, v: 'false'}
|
||
- {s: ui, o: USE_SERVICE_WORKER, v: '{{gitea_enable_cache}}'}
|
||
- {s: ui.meta, o: MIN_TIMEOUT, v: '{{gitea_notif_min_timeout}}s'}
|
||
- {s: ui.meta, o: MAX_TIMEOUT, v: '{{gitea_notif_max_timeout}}s'}
|
||
- {s: ui.meta, o: TIMEOUT_STEP, v: '{{gitea_notif_timeout_step}}s'}
|
||
- {s: ui.meta, o: EVENT_SOURCE_UPDATE_TIME, v: '{{gitea_notif_min_timeout}}s'}
|
||
- {s: server, o: PROTOCOL, v: unix}
|
||
- {s: server, o: DOMAIN, v: '{{net_soa}}'}
|
||
- {s: server, o: ROOT_URL, v: 'https://{{net_soa}}{{http_pfx_gitea}}/'}
|
||
- {s: server, o: HTTP_ADDR, v: /run/shared_sockets/gitea}
|
||
- {s: server, o: HTTP_PORT, v: ''}
|
||
- {s: server, o: LOCAL_ROOT_URL, v: ''}
|
||
- {s: server, o: SSH_DOMAIN, v: '{{net_soa}}'}
|
||
- {s: server, o: SSH_PORT, v: 2222}
|
||
- {s: server, o: SSH_ROOT_PATH, v: /var/lib/gitea/.ssh}
|
||
- {s: server, o: MINIMUM_KEY_SIZE_CHECK, v: 'true'}
|
||
- {s: server, o: DISABLE_ROUTER_LOG, v: '{{gitea_disable_router_log}}'}
|
||
- {s: server, o: LFS_START_SERVER, v: 'false'}
|
||
- {s: ssh.minimum_key_sizes, o: ECDSA, v: '-1'}
|
||
- {s: ssh.minimum_key_sizes, o: DSA, v: '-1'}
|
||
- {s: database, o: DB_TYPE, v: postgres}
|
||
- {s: database, o: HOST, v: /run/shared_sockets}
|
||
- {s: database, o: NAME, v: '{{gitea_db}}'}
|
||
- {s: database, o: USER, v: '{{gitea_db_user}}'}
|
||
- {s: database, o: PASSWD, v: '{{gitea_db_password}}'}
|
||
- {s: database, o: LOG_SQL, v: 'false'}
|
||
- {s: indexer, o: ISSUE_INDEXER_TYPE, v: 'db'}
|
||
- {s: indexer, o: REPO_INDEXER_ENABLED, v: '{{gitea_enable_repo_indexer}}'}
|
||
- {s: admin, o: DISABLE_REGULAR_ORG_CREATION, v: '{{gitea_disable_org_creation}}'}
|
||
- {s: security, o: INSTALL_LOCK, v: 'true'}
|
||
- {s: security, o: SECRET_KEY, v: '{{gitea_security_secret}}'}
|
||
- {s: security, o: REVERSE_PROXY_AUTHENTICATION_USER, v: Remote-User}
|
||
- {s: service, o: REGISTER_EMAIL_CONFIRM, v: 'true'}
|
||
- {s: service, o: DISABLE_REGISTRATION, v: '{{gitea_disable_registration}}'}
|
||
- {s: service, o: ENABLE_NOTIFY_MAIL, v: '{{gitea_enable_notify_email}}'}
|
||
- {s: service, o: ENABLE_REVERSE_PROXY_AUTHENTICATION, v: 'true'}
|
||
- {s: service, o: ENABLE_REVERSE_PROXY_AUTO_REGISTRATION, v: 'true'}
|
||
- {s: service, o: DEFAULT_KEEP_EMAIL_PRIVATE, v: 'true'}
|
||
- {s: service, o: ENABLE_USER_HEATMAP, v: '{{gitea_enable_user_heatmap}}'}
|
||
- {s: service, o: ENABLE_TIMETRACKING, v: '{{gitea_enable_timetracking}}'}
|
||
- {s: service, o: NO_REPLY_ADDRESS, v: masked.invalid}
|
||
- {s: service, o: AUTO_WATCH_NEW_REPOS, v: '{{gitea_auto_watch_new_repos}}'}
|
||
- {s: mailer, o: ENABLED, v: 'true'}
|
||
- {s: mailer, o: FROM, v: 'git@{{net_soa}}'}
|
||
- {s: mailer, o: MAILER_TYPE, v: 'sendmail'}
|
||
- {s: cache, o: ENABLED, v: '{{gitea_enable_cache}}'}
|
||
- {s: cache.last_commit, o: ENABLED, v: '{{gitea_enable_cache}}'}
|
||
- {s: session, o: PROVIDER, v: file}
|
||
- {s: session, o: COOKIE_SECURE, v: 'true'}
|
||
- {s: picture, o: DISABLE_GRAVATAR, v: '{{gitea_disable_gravatar}}'}
|
||
- {s: attachment, o: ALLOWED_TYPES, v: '{{gitea_mime_attach | replace(" ", "|")}}'}
|
||
- {s: log, o: ROOT_PATH, v: /var/log/gitea/}
|
||
- {s: log, o: MODE, v: console}
|
||
- {s: log, o: ROUTER_LOG_LEVEL, v: Warn}
|
||
- {s: log, o: LEVEL, v: Warn}
|
||
- {s: log.console, o: LEVEL, v: Warn}
|
||
- {s: cron, o: ENABLED, v: 'true'}
|
||
- {s: cron, o: RUN_AT_START, v: 'true'}
|
||
- {s: cron.update_mirrors, o: ENABLED, v: 'false'}
|
||
- {s: cron.update_mirrors, o: RUN_AT_START, v: 'true'}
|
||
- {s: cron.repo_health_check, o: ENABLED, v: 'false'}
|
||
- {s: cron.repo_health_check, o: RUN_AT_START, v: 'true'}
|
||
- {s: cron.repo_health_check, o: SCHEDULE, v: '@every 168h'}
|
||
- {s: cron.check_repo_stats, o: ENABLED, v: 'true'}
|
||
- {s: cron.check_repo_stats, o: RUN_AT_START, v: 'true'}
|
||
- {s: cron.check_repo_stats, o: SCHEDULE, v: '@every 168h'}
|
||
- {s: cron.archive_cleanup, o: ENABLED, v: 'false'}
|
||
- {s: cron.archive_cleanup, o: RUN_AT_START, v: 'true'}
|
||
- {s: cron.archive_cleanup, o: SCHEDULE, v: '@every 168h'}
|
||
- {s: cron.sync_external_users, o: ENABLED, v: 'false'}
|
||
- {s: cron.sync_external_users, o: RUN_AT_START, v: 'false'}
|
||
- {s: cron.deleted_branches_cleanup, o: ENABLED, v: 'false'}
|
||
- {s: cron.deleted_branches_cleanup, o: RUN_AT_START, v: 'true'}
|
||
- {s: cron.update_migration_poster_id, o: ENABLED, v: 'false'}
|
||
- {s: cron.update_migration_poster_id, o: RUN_AT_START, v: 'true'}
|
||
- {s: cron.delete_inactive_accounts, o: ENABLED, v: 'false'}
|
||
- {s: cron.delete_inactive_accounts, o: RUN_AT_START, v: 'false'}
|
||
- {s: cron.delete_repo_archives, o: ENABLED, v: 'false'}
|
||
- {s: cron.delete_repo_archives, o: RUN_AT_START, v: 'false'}
|
||
- {s: cron.git_gc_repos, o: ENABLED, v: 'false'}
|
||
- {s: cron.git_gc_repos, o: RUN_AT_START, v: 'true'}
|
||
- {s: cron.resync_all_sshkeys, o: ENABLED, v: 'false'}
|
||
- {s: cron.resync_all_sshkeys, o: RUN_AT_START, v: 'true'}
|
||
- {s: cron.resync_all_hooks, o: ENABLED, v: 'false'}
|
||
- {s: cron.resync_all_hooks, o: RUN_AT_START, v: 'false'}
|
||
- {s: cron.reinit_missing_repos, o: ENABLED, v: 'false'}
|
||
- {s: cron.reinit_missing_repos, o: RUN_AT_START, v: 'true'}
|
||
- {s: cron.delete_missing_repos, o: ENABLED, v: 'false'}
|
||
- {s: cron.delete_missing_repos, o: RUN_AT_START, v: 'true'}
|
||
- {s: cron.delete_generated_repository_avatars, o: ENABLED, v: 'false'}
|
||
- {s: cron.delete_generated_repository_avatars, o: RUN_AT_START, v: 'true'}
|
||
- {s: api, o: ENABLE_SWAGGER, v: '{{gitea_enable_api}}'}
|
||
- {s: oauth2, o: ENABLE, v: '{{gitea_enable_oauth2_provider}}'}
|
||
- {s: oauth2, o: JWT_SECRET, v: '{{gitea_jwt_secret}}'}
|
||
- {s: i18n, o: LANGS, v: '{{gitea_i18n | map(attribute="code") | join(",")}}'}
|
||
- {s: i18n, o: NAMES, v: '{{gitea_i18n | map(attribute="label") | join(",")}}'}
|
||
- {s: markup.asciidoc, o: ENABLED, v: 'true'}
|
||
- {s: markup.asciidoc, o: RENDER_COMMAND, v: 'asciidoctor --backend=html5 --no-header-footer --attribute source-highlighter=highlightjs --out-file=- -'}
|
||
- {s: other, o: SHOW_FOOTER_VERSION, v: 'false'}
|
||
- {s: other, o: SHOW_FOOTER_TEMPLATE_LOAD_TIME, v: 'false'}
|
||
notify:
|
||
- restart gitea.service
|
||
|
||
- name: prepare to override gitea.service
|
||
file:
|
||
path: /etc/systemd/system/gitea.service.d
|
||
state: directory
|
||
mode: 0755
|
||
|
||
- name: make sure Gitea runs after its dependencies
|
||
copy:
|
||
content: |
|
||
[Unit]
|
||
After=postgresql.service
|
||
After=systemd-tmpfiles-setup.service
|
||
dest: /etc/systemd/system/gitea.service.d/after_psql+sockets.conf
|
||
mode: 0644
|
||
notify:
|
||
- restart gitea.service
|
||
|
||
- name: make Gitea more secure
|
||
copy:
|
||
content: |
|
||
[Service]
|
||
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
|
||
PrivateDevices=true
|
||
PrivateTmp=true
|
||
ProtectHome=true
|
||
ProtectSystem=true
|
||
NoNewPrivileges=true
|
||
dest: /etc/systemd/system/gitea.service.d/secure-{{nickname}}.conf
|
||
mode: 0644
|
||
notify:
|
||
- restart gitea.service
|
||
|
||
- name: enable gitea.service
|
||
systemd:
|
||
daemon_reload: true
|
||
name: gitea.service
|
||
enabled: true
|
||
|
||
### LOCAL COMMIT ⇒ ###
|
||
- name: commit local changes
|
||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
|
||
vars:
|
||
msg: Gitea
|
||
### ⇐ LOCAL COMMIT ###
|
||
- meta: flush_handlers
|