diff options
Diffstat (limited to 'roles')
-rw-r--r-- | roles/gitea/Readme.md | 76 | ||||
-rw-r--r-- | roles/gitea/defaults/main.yml | 74 | ||||
-rw-r--r-- | roles/gitea/tasks/main.yml | 36 | ||||
-rw-r--r-- | roles/gitea/tasks/secrets.yml | 24 | ||||
-rw-r--r-- | roles/gitea/templates/app.ini.j2 | 105 |
5 files changed, 162 insertions, 153 deletions
diff --git a/roles/gitea/Readme.md b/roles/gitea/Readme.md index 56edd0a..c306d1b 100644 --- a/roles/gitea/Readme.md +++ b/roles/gitea/Readme.md @@ -1,13 +1,12 @@ # kompetenzbolzen.stuff.gitea -``` +normal gitea `app.ini` config parameters can be passed under `config.` + +Available vars: `jwt_sec.content`, `int_tok.content`, `sec_key.content` + +```yaml +--- gitea: - root_url: 'https://gitea.example.com' - ssl: - cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem' - key: '/etc/ssl/private/ssl-cert-snakeoil.key' - version: - ver: '1.15.3' ldap: enable: true security: 'starttls' @@ -22,21 +21,50 @@ gitea: firstname_attribute: 'givenName' surname_attribute: 'sn' email_attribute: 'mail' - mysql: - host: 'db.example.com:3306' - db: '' - user: '' - passwd: '' - ssl: 'true' - mail: - enable: false - smtp_host: '' - tls: false - skip_verify: false - from: '' - user: '' - pass: '' - plain_text: false - subject_prefix: '' - + version: + ver: '1.21.1' + config: + APP_NAME: "Gitea: Git with a cup of tea" + RUN_USER: git + RUN_MODE: prod + repository: + ROOT: /home/git/gitea-repositories + server: + APP_DATA_PATH: /var/lib/gitea/data + PROTOCOL: https + DOMAIN: '{{ ansible_facts.fqdn }}' + STATIC_URL_PREFIX: + HTTP_ADDR: 0.0.0.0 + HTTP_PORT: 8443 + LOCAL_ROOT_URL: "%(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/" + DISABLE_SSH: false + SSH_DOMAIN: "%(DOMAIN)s" + SSH_PORT: 22 + SSH_CREATE_AUTHORIZED_KEYS_FILE: true + SSH_CREATE_AUTHORIZED_PRINCIPALS_FILE: true + CERT_FILE: '/etc/ssl/certs/ssl-cert-snakeoil.pem' + KEY_FILE: '/etc/ssl/certs/ssl-cert-snakeoil.pem' + LANDING_PAGE: login + database: + DB_TYPE: mysql + HOST: db.example.com:3306 + NAME: db + USER: dbuser + PASSWD: "`dbpass`" + SSL_MODE: true + CHARSET: utf8mb4 + security: + INSTALL_LOCK: true + SECRET_KEY: '{{ sec_key.content }}' + INTERNAL_TOKEN: '{{ int_tok.content }}' + DISABLE_GIT_HOOKS: true + service: + DISABLE_REGISTRATION: true + REQUIRE_SIGNIN_VIEW: true + ENABLE_NOTIFY_MAIL: false + webhook: + ALLOWED_HOST_LIST: '' + oauth2: + ENABLE: false + JWT_SECRET: '{{ jwt_sec.content }}' ``` diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml index 6892455..acb6f80 100644 --- a/roles/gitea/defaults/main.yml +++ b/roles/gitea/defaults/main.yml @@ -1,14 +1,5 @@ +--- gitea: - root_url: 'https://gitea.example.com' - name: 'Gitea: Git with a cup of tea' - webhook_allowed_hosts: '*' - require_signing_view: true - actions: false - ssl: - cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem' - key: '/etc/ssl/private/ssl-cert-snakeoil.key' - version: - ver: '1.19.1' ldap: enable: true security: 'starttls' @@ -23,20 +14,49 @@ gitea: firstname_attribute: 'givenName' surname_attribute: 'sn' email_attribute: 'mail' - mysql: - host: 'db.example.com:3306' - db: '' - user: '' - passwd: '' - ssl: 'true' - mail: - enable: false - smtp_host: '' - tls: false - skip_verify: false - from: '' - user: '' - pass: '' - plain_text: false - subject_prefix: '' - + version: + ver: '1.21.1' + config: + APP_NAME: "Gitea: Git with a cup of tea" + RUN_USER: git + RUN_MODE: prod + repository: + ROOT: /home/git/gitea-repositories + server: + APP_DATA_PATH: /var/lib/gitea/data + PROTOCOL: https + DOMAIN: '{{ ansible_facts.fqdn }}' + STATIC_URL_PREFIX: + HTTP_ADDR: 0.0.0.0 + HTTP_PORT: 8443 + LOCAL_ROOT_URL: "%(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/" + DISABLE_SSH: false + SSH_DOMAIN: "%(DOMAIN)s" + SSH_PORT: 22 + SSH_CREATE_AUTHORIZED_KEYS_FILE: true + SSH_CREATE_AUTHORIZED_PRINCIPALS_FILE: true + CERT_FILE: '/etc/ssl/certs/ssl-cert-snakeoil.pem' + KEY_FILE: '/etc/ssl/certs/ssl-cert-snakeoil.pem' + LANDING_PAGE: login + database: + DB_TYPE: mysql + HOST: db.example.com:3306 + NAME: db + USER: dbuser + PASSWD: "`dbpass`" + SSL_MODE: true + CHARSET: utf8mb4 + security: + INSTALL_LOCK: true + SECRET_KEY: '{{ sec_key.content }}' + INTERNAL_TOKEN: '{{ int_tok.content }}' + DISABLE_GIT_HOOKS: true + service: + DISABLE_REGISTRATION: true + REQUIRE_SIGNIN_VIEW: true + ENABLE_NOTIFY_MAIL: false + webhook: + ALLOWED_HOST_LIST: '' + oauth2: + ENABLE: false + JWT_SECRET: '{{ jwt_sec.content }}' diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml index e87d956..10610cc 100644 --- a/roles/gitea/tasks/main.yml +++ b/roles/gitea/tasks/main.yml @@ -37,6 +37,27 @@ state: directory become: yes +- name: Create secrets if needed + include_tasks: secrets.yml + +- name: Read secret Key + slurp: + src: /etc/gitea/secret_key + become: yes + register: sec_key + +- name: Read internal token + slurp: + src: /etc/gitea/internal_token + become: yes + register: int_tok + +- name: Read JWT Secret + slurp: + src: /etc/gitea/jwt_secret + become: yes + register: jwt_sec + - name: pull sha256sum uri: url: 'https://dl.gitea.com/gitea/{{ gitea.version.ver }}/gitea-{{ gitea.version.ver }}-linux-amd64.sha256' @@ -61,21 +82,6 @@ when: - (not gitea_bin_stat.stat.exists) or (gitea_bin_stat.stat.checksum != gitea_sha256) -- name: Check if initial setup is needed - include_tasks: secrets.yml - -- name: Read secret Key - slurp: - src: /etc/gitea/secret_key - become: yes - register: sec_key - -- name: Read secret Key - slurp: - src: /etc/gitea/internal_token - become: yes - register: int_tok - - name: Install gitea config file template: src: app.ini.j2 diff --git a/roles/gitea/tasks/secrets.yml b/roles/gitea/tasks/secrets.yml index cde4dd8..a5da3bb 100644 --- a/roles/gitea/tasks/secrets.yml +++ b/roles/gitea/tasks/secrets.yml @@ -1,4 +1,6 @@ --- +# Secret Key + - name: Generate SECRET_KEY command: cmd: gitea generate secret SECRET_KEY @@ -17,6 +19,8 @@ become: yes when: gen_sec_key.changed +# Internale Token + - name: Generate INTERNAL_TOKEN command: cmd: gitea generate secret INTERNAL_TOKEN @@ -34,3 +38,23 @@ mode: '640' become: yes when: gen_int_tok.changed + +# JWT + +- name: Generate JWT_SECRET + command: + cmd: gitea generate secret INTERNAL_TOKEN + creates: /etc/gitea/jwt_secret + become_user: git + become: yes + register: gen_jwt_sec + +- name: Save JWT_SECRET + copy: + content: '{{ gen_jwt_sec.stdout }}' + dest: /etc/gitea/jwt_secret + owner: root + group: git + mode: '640' + become: yes + when: gen_jwt_sec.changed diff --git a/roles/gitea/templates/app.ini.j2 b/roles/gitea/templates/app.ini.j2 index bfb7e08..4ab2fcc 100644 --- a/roles/gitea/templates/app.ini.j2 +++ b/roles/gitea/templates/app.ini.j2 @@ -1,88 +1,19 @@ ; vi: ft=dosini - -APP_NAME = {{ gitea.name }} -RUN_USER = git -RUN_MODE = prod - -[repository] -ROOT = /home/git/gitea-repositories - -[server] -APP_DATA_PATH = /var/lib/gitea/data -PROTOCOL = https -DOMAIN = {{ ansible_facts.fqdn }} -ROOT_URL = {{ gitea.root_url }} -STATIC_URL_PREFIX = -HTTP_ADDR = 0.0.0.0 -HTTP_PORT = 8443 -LOCAL_ROOT_URL = %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/ -DISABLE_SSH = false -SSH_DOMAIN = %(DOMAIN)s -SSH_PORT = 22 -SSH_CREATE_AUTHORIZED_KEYS_FILE = true -SSH_CREATE_AUTHORIZED_PRINCIPALS_FILE = true - -CERT_FILE = {{ gitea.ssl.cert }} -KEY_FILE = {{ gitea.ssl.key }} - -LANDING_PAGE = login - -[database] -DB_TYPE = mysql -HOST = {{ gitea.mysql.host }} -NAME = {{ gitea.mysql.db }} -USER = {{ gitea.mysql.user }} -PASSWD = `{{ gitea.mysql.passwd }}` -SSL_MODE = true -CHARSET = utf8mb4 - -[security] -INSTALL_LOCK = true -SECRET_KEY = {{ sec_key.content }} -DISABLE_GIT_HOOKS = true -INTERNAL_TOKEN = {{ int_tok.content }} - -[service] -DISABLE_REGISTRATION = true - -REQUIRE_SIGNIN_VIEW = {{ gitea.require_signing_view }} -ENABLE_NOTIFY_MAIL = {{ gitea.mail.enable }} - - -[webhook] -ALLOWED_HOST_LIST = {{ gitea.webhook_allowed_hosts }} - -[mailer] -ENABLED = {{ gitea.mail.enable }} -{% if gitea.mail.enable %} -SUBJECT_PREFIX = {{ gitea.mail.subject_prefix }} -HOST = {{ gitea.mail.smtp_host }} -SKIP_VERIFY = {{ gitea.mail.skip_verify }} -IS_TLS_ENABLED = {{ gitea.mail.tls }} -FROM = {{ gitea.mail.from }} -USER = {{ gitea.mail.user }} -PASSWD = `{{ gitea.mail.pass }}` -SEND_AS_PLAIN_TEXT = {{ gitea.mail.plain_text }} -MAILER_TYPE = smtp -SENDMAIL_PATH = sendmail -SENDMAIL_ARGS = -SENDMAIL_TIMEOUT = 5m - -[queue.mailer] -SEND_BUFFER_LEN = 100 -{% endif %} - -[log] -MODE = console -ROUTER_LOG_LEVEL = Info -ROUTER = console - -[git] -PATH = - -[oauth2] -ENABLE = false - -[actions] -ENABLED = {{ gitea.actions }} - +; This file is managed by Ansible. Manual changes will be overridden. +; DO NOT CHANGE! + +{% macro procval(key, val) -%} +{% if val is mapping %} +[{{ key }}] +{% for k, v in val.items() %}{{ procval(k,v) }} +{% endfor -%} +{%- elif val is sameas true or val is sameas false -%} +{{ key }} = {{ val | string | lower }} +{%- else -%} +{{ key }} = {{ val }} +{%- endif -%} +{% endmacro %} + +{% for key in gitea.config -%} +{{ procval(key, gitea.config[key]) }} +{% endfor %} |