aboutsummaryrefslogtreecommitdiff
path: root/roles/gitea
diff options
context:
space:
mode:
authorGravatar Jonas Gunz <himself@jonasgunz.de> 2024-01-04 22:38:36 +0100
committerGravatar Jonas Gunz <himself@jonasgunz.de> 2024-01-04 22:38:36 +0100
commit95d696a55a43f38f8aa4bd8a38d448bcc593da76 (patch)
treecc7059b4e0184eaf0838ff4968bc032cbcd7af8a /roles/gitea
parentcb5707c4bf3face21731cfa88cf7998e26d3c6c2 (diff)
downloadansible_collection-95d696a55a43f38f8aa4bd8a38d448bcc593da76.tar.gz
refactor gitea
Diffstat (limited to 'roles/gitea')
-rw-r--r--roles/gitea/Readme.md76
-rw-r--r--roles/gitea/defaults/main.yml74
-rw-r--r--roles/gitea/tasks/main.yml36
-rw-r--r--roles/gitea/tasks/secrets.yml24
-rw-r--r--roles/gitea/templates/app.ini.j2105
5 files changed, 162 insertions, 153 deletions
diff --git a/roles/gitea/Readme.md b/roles/gitea/Readme.md
index 56edd0a..c306d1b 100644
--- a/roles/gitea/Readme.md
+++ b/roles/gitea/Readme.md
@@ -1,13 +1,12 @@
# kompetenzbolzen.stuff.gitea
-```
+normal gitea `app.ini` config parameters can be passed under `config.`
+
+Available vars: `jwt_sec.content`, `int_tok.content`, `sec_key.content`
+
+```yaml
+---
gitea:
- root_url: 'https://gitea.example.com'
- ssl:
- cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
- key: '/etc/ssl/private/ssl-cert-snakeoil.key'
- version:
- ver: '1.15.3'
ldap:
enable: true
security: 'starttls'
@@ -22,21 +21,50 @@ gitea:
firstname_attribute: 'givenName'
surname_attribute: 'sn'
email_attribute: 'mail'
- mysql:
- host: 'db.example.com:3306'
- db: ''
- user: ''
- passwd: ''
- ssl: 'true'
- mail:
- enable: false
- smtp_host: ''
- tls: false
- skip_verify: false
- from: ''
- user: ''
- pass: ''
- plain_text: false
- subject_prefix: ''
-
+ version:
+ ver: '1.21.1'
+ config:
+ APP_NAME: "Gitea: Git with a cup of tea"
+ RUN_USER: git
+ RUN_MODE: prod
+ repository:
+ ROOT: /home/git/gitea-repositories
+ server:
+ APP_DATA_PATH: /var/lib/gitea/data
+ PROTOCOL: https
+ DOMAIN: '{{ ansible_facts.fqdn }}'
+ STATIC_URL_PREFIX:
+ HTTP_ADDR: 0.0.0.0
+ HTTP_PORT: 8443
+ LOCAL_ROOT_URL: "%(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/"
+ DISABLE_SSH: false
+ SSH_DOMAIN: "%(DOMAIN)s"
+ SSH_PORT: 22
+ SSH_CREATE_AUTHORIZED_KEYS_FILE: true
+ SSH_CREATE_AUTHORIZED_PRINCIPALS_FILE: true
+ CERT_FILE: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+ KEY_FILE: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+ LANDING_PAGE: login
+ database:
+ DB_TYPE: mysql
+ HOST: db.example.com:3306
+ NAME: db
+ USER: dbuser
+ PASSWD: "`dbpass`"
+ SSL_MODE: true
+ CHARSET: utf8mb4
+ security:
+ INSTALL_LOCK: true
+ SECRET_KEY: '{{ sec_key.content }}'
+ INTERNAL_TOKEN: '{{ int_tok.content }}'
+ DISABLE_GIT_HOOKS: true
+ service:
+ DISABLE_REGISTRATION: true
+ REQUIRE_SIGNIN_VIEW: true
+ ENABLE_NOTIFY_MAIL: false
+ webhook:
+ ALLOWED_HOST_LIST: ''
+ oauth2:
+ ENABLE: false
+ JWT_SECRET: '{{ jwt_sec.content }}'
```
diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml
index 6892455..acb6f80 100644
--- a/roles/gitea/defaults/main.yml
+++ b/roles/gitea/defaults/main.yml
@@ -1,14 +1,5 @@
+---
gitea:
- root_url: 'https://gitea.example.com'
- name: 'Gitea: Git with a cup of tea'
- webhook_allowed_hosts: '*'
- require_signing_view: true
- actions: false
- ssl:
- cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
- key: '/etc/ssl/private/ssl-cert-snakeoil.key'
- version:
- ver: '1.19.1'
ldap:
enable: true
security: 'starttls'
@@ -23,20 +14,49 @@ gitea:
firstname_attribute: 'givenName'
surname_attribute: 'sn'
email_attribute: 'mail'
- mysql:
- host: 'db.example.com:3306'
- db: ''
- user: ''
- passwd: ''
- ssl: 'true'
- mail:
- enable: false
- smtp_host: ''
- tls: false
- skip_verify: false
- from: ''
- user: ''
- pass: ''
- plain_text: false
- subject_prefix: ''
-
+ version:
+ ver: '1.21.1'
+ config:
+ APP_NAME: "Gitea: Git with a cup of tea"
+ RUN_USER: git
+ RUN_MODE: prod
+ repository:
+ ROOT: /home/git/gitea-repositories
+ server:
+ APP_DATA_PATH: /var/lib/gitea/data
+ PROTOCOL: https
+ DOMAIN: '{{ ansible_facts.fqdn }}'
+ STATIC_URL_PREFIX:
+ HTTP_ADDR: 0.0.0.0
+ HTTP_PORT: 8443
+ LOCAL_ROOT_URL: "%(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/"
+ DISABLE_SSH: false
+ SSH_DOMAIN: "%(DOMAIN)s"
+ SSH_PORT: 22
+ SSH_CREATE_AUTHORIZED_KEYS_FILE: true
+ SSH_CREATE_AUTHORIZED_PRINCIPALS_FILE: true
+ CERT_FILE: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+ KEY_FILE: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+ LANDING_PAGE: login
+ database:
+ DB_TYPE: mysql
+ HOST: db.example.com:3306
+ NAME: db
+ USER: dbuser
+ PASSWD: "`dbpass`"
+ SSL_MODE: true
+ CHARSET: utf8mb4
+ security:
+ INSTALL_LOCK: true
+ SECRET_KEY: '{{ sec_key.content }}'
+ INTERNAL_TOKEN: '{{ int_tok.content }}'
+ DISABLE_GIT_HOOKS: true
+ service:
+ DISABLE_REGISTRATION: true
+ REQUIRE_SIGNIN_VIEW: true
+ ENABLE_NOTIFY_MAIL: false
+ webhook:
+ ALLOWED_HOST_LIST: ''
+ oauth2:
+ ENABLE: false
+ JWT_SECRET: '{{ jwt_sec.content }}'
diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml
index e87d956..10610cc 100644
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@@ -37,6 +37,27 @@
state: directory
become: yes
+- name: Create secrets if needed
+ include_tasks: secrets.yml
+
+- name: Read secret Key
+ slurp:
+ src: /etc/gitea/secret_key
+ become: yes
+ register: sec_key
+
+- name: Read internal token
+ slurp:
+ src: /etc/gitea/internal_token
+ become: yes
+ register: int_tok
+
+- name: Read JWT Secret
+ slurp:
+ src: /etc/gitea/jwt_secret
+ become: yes
+ register: jwt_sec
+
- name: pull sha256sum
uri:
url: 'https://dl.gitea.com/gitea/{{ gitea.version.ver }}/gitea-{{ gitea.version.ver }}-linux-amd64.sha256'
@@ -61,21 +82,6 @@
when:
- (not gitea_bin_stat.stat.exists) or (gitea_bin_stat.stat.checksum != gitea_sha256)
-- name: Check if initial setup is needed
- include_tasks: secrets.yml
-
-- name: Read secret Key
- slurp:
- src: /etc/gitea/secret_key
- become: yes
- register: sec_key
-
-- name: Read secret Key
- slurp:
- src: /etc/gitea/internal_token
- become: yes
- register: int_tok
-
- name: Install gitea config file
template:
src: app.ini.j2
diff --git a/roles/gitea/tasks/secrets.yml b/roles/gitea/tasks/secrets.yml
index cde4dd8..a5da3bb 100644
--- a/roles/gitea/tasks/secrets.yml
+++ b/roles/gitea/tasks/secrets.yml
@@ -1,4 +1,6 @@
---
+# Secret Key
+
- name: Generate SECRET_KEY
command:
cmd: gitea generate secret SECRET_KEY
@@ -17,6 +19,8 @@
become: yes
when: gen_sec_key.changed
+# Internale Token
+
- name: Generate INTERNAL_TOKEN
command:
cmd: gitea generate secret INTERNAL_TOKEN
@@ -34,3 +38,23 @@
mode: '640'
become: yes
when: gen_int_tok.changed
+
+# JWT
+
+- name: Generate JWT_SECRET
+ command:
+ cmd: gitea generate secret INTERNAL_TOKEN
+ creates: /etc/gitea/jwt_secret
+ become_user: git
+ become: yes
+ register: gen_jwt_sec
+
+- name: Save JWT_SECRET
+ copy:
+ content: '{{ gen_jwt_sec.stdout }}'
+ dest: /etc/gitea/jwt_secret
+ owner: root
+ group: git
+ mode: '640'
+ become: yes
+ when: gen_jwt_sec.changed
diff --git a/roles/gitea/templates/app.ini.j2 b/roles/gitea/templates/app.ini.j2
index bfb7e08..4ab2fcc 100644
--- a/roles/gitea/templates/app.ini.j2
+++ b/roles/gitea/templates/app.ini.j2
@@ -1,88 +1,19 @@
; vi: ft=dosini
-
-APP_NAME = {{ gitea.name }}
-RUN_USER = git
-RUN_MODE = prod
-
-[repository]
-ROOT = /home/git/gitea-repositories
-
-[server]
-APP_DATA_PATH = /var/lib/gitea/data
-PROTOCOL = https
-DOMAIN = {{ ansible_facts.fqdn }}
-ROOT_URL = {{ gitea.root_url }}
-STATIC_URL_PREFIX =
-HTTP_ADDR = 0.0.0.0
-HTTP_PORT = 8443
-LOCAL_ROOT_URL = %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/
-DISABLE_SSH = false
-SSH_DOMAIN = %(DOMAIN)s
-SSH_PORT = 22
-SSH_CREATE_AUTHORIZED_KEYS_FILE = true
-SSH_CREATE_AUTHORIZED_PRINCIPALS_FILE = true
-
-CERT_FILE = {{ gitea.ssl.cert }}
-KEY_FILE = {{ gitea.ssl.key }}
-
-LANDING_PAGE = login
-
-[database]
-DB_TYPE = mysql
-HOST = {{ gitea.mysql.host }}
-NAME = {{ gitea.mysql.db }}
-USER = {{ gitea.mysql.user }}
-PASSWD = `{{ gitea.mysql.passwd }}`
-SSL_MODE = true
-CHARSET = utf8mb4
-
-[security]
-INSTALL_LOCK = true
-SECRET_KEY = {{ sec_key.content }}
-DISABLE_GIT_HOOKS = true
-INTERNAL_TOKEN = {{ int_tok.content }}
-
-[service]
-DISABLE_REGISTRATION = true
-
-REQUIRE_SIGNIN_VIEW = {{ gitea.require_signing_view }}
-ENABLE_NOTIFY_MAIL = {{ gitea.mail.enable }}
-
-
-[webhook]
-ALLOWED_HOST_LIST = {{ gitea.webhook_allowed_hosts }}
-
-[mailer]
-ENABLED = {{ gitea.mail.enable }}
-{% if gitea.mail.enable %}
-SUBJECT_PREFIX = {{ gitea.mail.subject_prefix }}
-HOST = {{ gitea.mail.smtp_host }}
-SKIP_VERIFY = {{ gitea.mail.skip_verify }}
-IS_TLS_ENABLED = {{ gitea.mail.tls }}
-FROM = {{ gitea.mail.from }}
-USER = {{ gitea.mail.user }}
-PASSWD = `{{ gitea.mail.pass }}`
-SEND_AS_PLAIN_TEXT = {{ gitea.mail.plain_text }}
-MAILER_TYPE = smtp
-SENDMAIL_PATH = sendmail
-SENDMAIL_ARGS =
-SENDMAIL_TIMEOUT = 5m
-
-[queue.mailer]
-SEND_BUFFER_LEN = 100
-{% endif %}
-
-[log]
-MODE = console
-ROUTER_LOG_LEVEL = Info
-ROUTER = console
-
-[git]
-PATH =
-
-[oauth2]
-ENABLE = false
-
-[actions]
-ENABLED = {{ gitea.actions }}
-
+; This file is managed by Ansible. Manual changes will be overridden.
+; DO NOT CHANGE!
+
+{% macro procval(key, val) -%}
+{% if val is mapping %}
+[{{ key }}]
+{% for k, v in val.items() %}{{ procval(k,v) }}
+{% endfor -%}
+{%- elif val is sameas true or val is sameas false -%}
+{{ key }} = {{ val | string | lower }}
+{%- else -%}
+{{ key }} = {{ val }}
+{%- endif -%}
+{% endmacro %}
+
+{% for key in gitea.config -%}
+{{ procval(key, gitea.config[key]) }}
+{% endfor %}