@ -0,0 +1,10 @@ | |||
--- | |||
host_fqdn: '{{ ansible_hostname }}.dmz.{{ domain }}' | |||
gitea_version: 1.11.6 | |||
gitea_nginx_fqdn: 'projects.{{ domain }}' | |||
gitea_renew_secrets: false | |||
ldap_server: 'ldap1.dmz.{{ domain }}' | |||
ldap_basedn: 'dc={{ domain.replace(".", ",dc=") }}' | |||
ldap_tls_enabled: true | |||
ldap_tls_server_ca: '{{ tls_root_ca }}' | |||
... |
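Review bot: The role consumes `domain`, `tls_root_ca`, `ldap_admin_dn` and `ldap_admin_pw` (the last two in the 'set gitea ldap password in ldap' task) but none of them is declared or documented in this defaults file, so a missing value only surfaces as an undefined-variable error deep inside the configure tasks. A header comment listing them would help, for example `# Expected from the inventory: domain, tls_root_ca, ldap_admin_dn, ldap_admin_pw (keep the latter in a vault)`. The fixed `.dmz.` label baked into `host_fqdn` and `ldap_server` also deserves a one-line comment on why it is not a variable.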
@ -0,0 +1,64 @@ | |||
[Unit] | |||
Description=Gitea (Git with a cup of tea) | |||
After=syslog.target | |||
After=network.target | |||
Requires=postgresql.service | |||
#Requires=memcached.service | |||
#Requires=redis.service | |||
### | |||
# If using socket activation for main http/s | |||
### | |||
#After=gitea.main.socket | |||
#Requires=gitea.main.socket | |||
# | |||
### | |||
# (You can also provide gitea an http fallback and/or ssh socket too) | |||
# | |||
# An example of /etc/systemd/system/gitea.main.socket | |||
### | |||
## | |||
## [Unit] | |||
## Description=Gitea Web Socket | |||
## PartOf=gitea.service | |||
## | |||
## [Socket] | |||
## Service=gitea.service | |||
## ListenStream=<some_port> | |||
## NoDelay=true | |||
## | |||
## [Install] | |||
## WantedBy=sockets.target | |||
## | |||
### | |||
[Service] | |||
# Modify these two values and uncomment them if you have | |||
# repos with lots of files and get an HTTP error 500 because | |||
# of that | |||
### | |||
#LimitMEMLOCK=infinity | |||
#LimitNOFILE=65535 | |||
RestartSec=2s | |||
Type=simple | |||
User=git | |||
Group=git | |||
WorkingDirectory=/var/lib/gitea/ | |||
# If using Unix socket: tells systemd to create the /run/gitea folder, which will contain the gitea.sock file | |||
# (manually creating /run/gitea doesn't work, because it would not persist across reboots) | |||
RuntimeDirectory=gitea | |||
ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini | |||
Restart=always | |||
Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea | |||
# If you want to bind Gitea to a port below 1024, uncomment | |||
# the two values below, or use socket activation to pass Gitea its ports as above | |||
### | |||
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE | |||
#AmbientCapabilities=CAP_NET_BIND_SERVICE | |||
### | |||
[Install] | |||
WantedBy=multi-user.target |
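Review bot: The `[Service]` section carries no sandboxing directives, so a compromised `git` process can write anywhere that file ownership alone does not forbid. Adding `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` under `[Service]` should be safe for this deployment, since Gitea appears to need only `/var/lib/gitea`, `/run/gitea` and `/home/git` writable; do not add `ProtectHome=`, because the app.ini in this commit sets `SSH_CREATE_AUTHORIZED_KEYS_FILE = true` and Gitea then maintains `/home/git/.ssh/authorized_keys` itself. `After=syslog.target` is obsolete on current systemd and can be dropped. The commented-out socket-activation and capability blocks look like upstream's sample unit; a comment naming the Gitea version they were copied from would make future diffs against upstream easier.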
@ -0,0 +1,22 @@ | |||
# | |||
# LDAP Defaults | |||
# | |||
# See ldap.conf(5) for details | |||
# This file should be world readable but not world writable. | |||
#BASE dc=example,dc=com | |||
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666 | |||
#SIZELIMIT 12 | |||
#TIMELIMIT 15 | |||
#DEREF never | |||
# TLS certificates (needed for GnuTLS) | |||
TLS_CACERT /etc/ldap/server_ca.crt | |||
#TLS_CERT /etc/ldap/ldap.crt | |||
#TLS_KEY /etc/ldap/ldap.key | |||
# TLSv1.3 Only | |||
TLS_CIPHER_SUITE SECURE:-VERS-ALL:+VERS-TLS1.3 | |||
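Review bot: `TLS_CACERT /etc/ldap/server_ca.crt` points at a file that nothing in this commit creates: the configure tasks install the CA as `/usr/local/share/ca-certificates/lilik_server_ca.crt` and run update-ca-certificates, so any ldap-utils invocation on the host would fail verification of the server certificate. Point it at the bundle update-ca-certificates produces, `TLS_CACERT /etc/ssl/certs/ca-certificates.crt`, or add a second copy task for this path. Note that Gitea's own LDAP client is Go code using the system trust store and does not read this file, so the mismatch only affects command-line tools. `TLS_CIPHER_SUITE SECURE:-VERS-ALL:+VERS-TLS1.3` is GnuTLS priority-string syntax, correct for Debian's GnuTLS-linked libldap as the comment says, but it will be rejected by an OpenSSL-linked build; a comment stating that dependency would help.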
@ -0,0 +1,2 @@ | |||
- name: 'update trusted ca' | |||
shell: '/usr/sbin/update-ca-certificates' |
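Review bot: `shell:` is used for a command that needs no shell features; `command: '/usr/sbin/update-ca-certificates'` runs it without spawning a shell and without the implicit word splitting and globbing that comes with one. The handler name 'update trusted ca' is referenced by the configure tasks, so keep the name unchanged.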
@ -0,0 +1,5 @@ | |||
--- | |||
dependencies: | |||
- role: 'nginx' | |||
nginx_site_fqdn: '{{ gitea_nginx_fqdn }}' | |||
... |
@ -0,0 +1,84 @@ | |||
--- | |||
- name: 'install requirements' | |||
apt: | |||
pkg: | |||
- 'git' | |||
- 'postgresql' | |||
- 'postgresql-contrib' | |||
- 'python3-psycopg2' | |||
- 'gnupg2' | |||
- 'ca-certificates' | |||
state: 'present' | |||
update_cache: true | |||
cache_valid_time: 3600 | |||
- name: 'create git system user' | |||
user: | |||
name: 'git' | |||
state: 'present' | |||
home: '/home/git' | |||
shell: '/bin/bash' | |||
comment: 'Git Version Control' | |||
system: true | |||
- name: 'add www-data to git group' | |||
user: | |||
append: true | |||
name: 'www-data' | |||
groups: 'git' | |||
- name: 'create gitea var directories' | |||
file: | |||
state: 'directory' | |||
path: '{{ item }}' | |||
owner: 'git' | |||
group: 'git' | |||
mode: 0750 | |||
loop: | |||
- '/var/lib/gitea' | |||
- '/var/lib/gitea/custom' | |||
- '/var/lib/gitea/data' | |||
- '/var/lib/gitea/data/lfs' | |||
- '/var/lib/gitea/log' | |||
- name: 'create gitea config directory' | |||
file: | |||
state: 'directory' | |||
path: '/etc/gitea' | |||
owner: 'root' | |||
group: 'git' | |||
mode: 0750 | |||
- name: 'download gitea' | |||
get_url: | |||
url: 'https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64' | |||
dest: '/usr/local/bin/gitea' | |||
mode: '750' | |||
owner: 'root' | |||
group: 'git' | |||
- block: | |||
- name: 'create gitea DB' | |||
postgresql_db: | |||
name: 'gitea' | |||
- name: 'create gitea DB user' | |||
postgresql_user: | |||
name: 'git' | |||
db: 'gitea' | |||
priv: 'ALL' | |||
become: true | |||
become_method: 'su' | |||
become_user: 'postgres' | |||
tags: psql | |||
- name: 'create systemd unit' | |||
copy: | |||
src: 'gitea.service' | |||
dest: '/etc/systemd/system/gitea.service' | |||
- name: 'enable systemd unit' | |||
systemd: | |||
daemon_reload: true | |||
enabled: true | |||
name: 'gitea' | |||
... |
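Review bot: The 'download gitea' task fetches the release binary with no `checksum:`, so a tampered or mis-served download would be installed unverified as a root-owned executable; pin the expected digest, e.g. `checksum: 'sha256:<expected-digest>'`, with the value taken from the `.sha256` file I believe Gitea publishes next to each release (get_url also accepts `sha256:<url-of-that-file>`, though that only moves the trust to the same download host). `mode: '750'` on this task and `mode: 0750` on the directory tasks express the same permission two ways; pick one spelling. `tags: psql` on the database block also departs from the `role::gitea::…` tag scheme used by the configure tasks.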
@ -0,0 +1,172 @@ | |||
--- | |||
- name: 'check if config file exists' | |||
stat: | |||
path: '/etc/gitea/app.ini' | |||
register: gitea_config_file | |||
- block: | |||
- name: 'generate instance secrets' | |||
command: '/usr/local/bin/gitea generate secret {{ item }}' | |||
loop: [ 'INTERNAL_TOKEN', 'JWT_SECRET', 'LFS_JWT_SECRET', 'SECRET_KEY' ] | |||
register: gitea_instance_secrets_out | |||
no_log: true | |||
- set_fact: | |||
gitea_INTERNAL_TOKEN: '{{ gitea_instance_secrets_out.results[0].stdout }}' | |||
gitea_JWT_SECRET: '{{ gitea_instance_secrets_out.results[1].stdout }}' | |||
gitea_LFS_JWT_SECRET: '{{ gitea_instance_secrets_out.results[2].stdout }}' | |||
gitea_SECRET_KEY: '{{ gitea_instance_secrets_out.results[3].stdout }}' | |||
no_log: true | |||
when: not gitea_config_file.stat.exists | |||
- block: | |||
- name: 'read instance secrets' | |||
command: 'sed -n "s/^{{ item }}\s\?=\s\?\(.\+\)$/\1/p" /etc/gitea/app.ini' | |||
loop: [ 'INTERNAL_TOKEN', 'JWT_SECRET', 'LFS_JWT_SECRET', 'SECRET_KEY' ] | |||
register: gitea_instance_secrets_out | |||
no_log: true | |||
- set_fact: | |||
gitea_INTERNAL_TOKEN: '{{ gitea_instance_secrets_out.results[0].stdout }}' | |||
gitea_JWT_SECRET: '{{ gitea_instance_secrets_out.results[1].stdout }}' | |||
gitea_LFS_JWT_SECRET: '{{ gitea_instance_secrets_out.results[2].stdout }}' | |||
gitea_SECRET_KEY: '{{ gitea_instance_secrets_out.results[3].stdout }}' | |||
no_log: true | |||
when: gitea_config_file.stat.exists | |||
- name: 'create config file' | |||
template: | |||
src: 'app.ini.j2' | |||
dest: '/etc/gitea/app.ini' | |||
mode: '0640' | |||
group: 'git' | |||
owner: 'root' | |||
- name: 'start gitea' | |||
systemd: | |||
enabled: true | |||
state: 'restarted' | |||
name: 'gitea' | |||
- name: 'wait for gitea to build the database' | |||
pause: | |||
seconds: 20 | |||
- name: 'try to read ldap configuration from sql' | |||
postgresql_query: | |||
login_user: 'git' | |||
db: 'gitea' | |||
query: 'SELECT cfg FROM login_source WHERE id = 1 LIMIT 1' | |||
register: gitea_psql_auth_query | |||
become: true | |||
become_method: su | |||
become_user: git | |||
tags: | |||
- 'role::gitea::ldap_integration' | |||
- 'ldap::integration' | |||
- name: 'try to parse gitea ldap config' | |||
set_fact: | |||
gitea_ldap_config: '{{ gitea_psql_auth_query.query_result.0.cfg | d("{}") | from_json }}' | |||
tags: | |||
- 'role::gitea::ldap_integration' | |||
- 'ldap::integration' | |||
- name: 'configure ldap' | |||
set_fact: | |||
gitea_ldap_config: '{{ gitea_ldap_config | combine({item.key: item.value}) }}' | |||
loop: '{{ gitea_ldap_vars | dict2items }}' | |||
loop_control: | |||
label: '{{ item.key }}' | |||
vars: | |||
gitea_ldap_vars: | |||
AdminFilter: "(&(authorizedService=gitea)(memberOf=cn=admin,ou=Group,{{ ldap_basedn }}))" | |||
AllowDeactivateAll: false | |||
AttributeMail: "mail" | |||
AttributeName: "cn" | |||
AttributeSSHPublicKey: "" | |||
AttributeSurname: "" | |||
AttributeUsername: "uid" | |||
AttributesInBind: false | |||
BindDN: "cn={{ host_fqdn }},ou=Server,{{ ldap_basedn }}" | |||
Enabled: true | |||
Filter: "(&(authorizedService=gitea)(uid=%s))" | |||
Host: "{{ ldap_server }}" | |||
Name: "ldap" | |||
Port: 389 | |||
SearchPageSize: 0 | |||
SecurityProtocol: 2 | |||
SkipVerify: false | |||
UserBase: "ou=People,{{ ldap_basedn }}" | |||
UserDN: "" | |||
tags: | |||
- 'role::gitea::ldap_integration' | |||
- 'ldap::integration' | |||
- name: 'update tls ldap server ca' | |||
copy: | |||
content: '{{ ldap_tls_server_ca }}' | |||
dest: '/usr/local/share/ca-certificates/lilik_server_ca.crt' | |||
owner: 'root' | |||
group: 'root' | |||
mode: 0644 | |||
notify: 'update trusted ca' | |||
tags: | |||
- 'role::gitea::ldap_integration' | |||
- 'ldap::integration' | |||
- 'pki' | |||
- 'pki::tls' | |||
- name: 'configure ldap client' | |||
copy: | |||
src: 'ldap.conf' | |||
dest: '/etc/ldap/ldap.conf' | |||
tags: | |||
- 'role::gitea::ldap_integration' | |||
- 'ldap::integration' | |||
- block: | |||
- name: 'generate gitea ldap password' | |||
gen_passwd: length=32 | |||
register: gitea_ldap_passwd | |||
no_log: true | |||
- name: 'set gitea ldap password in ldap' | |||
delegate_to: 'localhost' | |||
ldap_passwd: | |||
dn: 'cn={{ host_fqdn }},ou=Server,{{ ldap_basedn }}' | |||
passwd: '{{ gitea_ldap_passwd.passwd }}' | |||
server_uri: 'ldap://{{ ldap_server }}' | |||
start_tls: '{{ ldap_tls_enabled }}' | |||
bind_dn: '{{ ldap_admin_dn }}' | |||
bind_pw: '{{ ldap_admin_pw }}' | |||
- name: 'set gitea ldap password in gitea' | |||
set_fact: | |||
gitea_ldap_config: '{{ gitea_ldap_config | combine({ "BindPassword": gitea_ldap_passwd.passwd }) }}' | |||
when: gitea_ldap_config["BindPassword"] | d("") == "" or gitea_renew_secrets | |||
tags: | |||
- 'role::gitea::ldap_integration' | |||
- 'ldap::integration' | |||
- name: 'write ldap configuration' | |||
postgresql_query: | |||
login_user: 'git' | |||
db: 'gitea' | |||
query: | | |||
INSERT INTO login_source (id, type, name, is_actived, is_sync_enabled, cfg) | |||
VALUES (1, 2, 'ldap', 't', 't', %(cfg)s) | |||
ON CONFLICT (id) DO UPDATE | |||
SET type = excluded.type, name = excluded.name, is_actived = excluded.is_actived, is_sync_enabled = excluded.is_sync_enabled, cfg = excluded.cfg | |||
named_args: | |||
cfg: '{{ gitea_ldap_config | to_json }}' | |||
become: true | |||
become_method: su | |||
become_user: git | |||
tags: | |||
- 'role::gitea::ldap_integration' | |||
- 'ldap::integration' | |||
- name: 'create nginx configuration' | |||
template: | |||
src: 'nginx_gitea.conf.j2' | |||
dest: '/etc/nginx/locations/{{ gitea_nginx_fqdn }}/gitea.conf' | |||
notify: 'reload nginx' | |||
... |
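Review bot: The fixed `pause: seconds: 20` between 'start gitea' and the `login_source` query is a race: on a first install Gitea is still running its migrations, and if they take longer than 20 seconds the query fails on a missing table. Wait on the listener instead, `wait_for: { path: '/run/gitea/gitea.sock', timeout: 120 }`, and give the query `retries: 10` with `until: gitea_psql_auth_query is succeeded` so migration time is absorbed. The 'set gitea ldap password in ldap' task is the only one in its block without `no_log: true`; the ldap module marks `passwd`/`bind_pw` as sensitive as far as I know, but making it explicit costs nothing. Also, `gitea_renew_secrets` only governs re-generation of the LDAP bind password, not the four instance secrets re-read from app.ini with sed; the variable's comment or the task name should say so.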
@ -0,0 +1,13 @@ | |||
--- | |||
- block: | |||
- import_tasks: '01-install.yaml' | |||
tags: | |||
- 'install' | |||
- 'role::gitea::install' | |||
- import_tasks: '02-configure.yaml' | |||
tags: | |||
- 'configure' | |||
- 'role::gitea::configure' | |||
tags: | |||
- 'role::gitea' | |||
... |
@ -0,0 +1,66 @@ | |||
APP_NAME = Gitea: Git with a cup of tea | |||
RUN_USER = git | |||
RUN_MODE = prod | |||
[repository] | |||
ROOT = | |||
[server] | |||
PROTOCOL = fcgi+unix | |||
DOMAIN = {{ gitea_nginx_fqdn }} | |||
ROOT_URL = https://%(DOMAIN)s/ | |||
HTTP_ADDR = /run/gitea/gitea.sock | |||
UNIX_SOCKET_PERMISSION = 660 | |||
SSH_DOMAIN = %(DOMAIN)s | |||
SSH_PORT = 22 | |||
SSH_CREATE_AUTHORIZED_KEYS_FILE = true | |||
SSH_BACKUP_AUTHORIZED_KEYS = true | |||
APP_DATA_PATH = data | |||
LANDING_PAGE = home | |||
LFS_START_SERVER = true | |||
LFS_CONTENT_PATH = /var/lib/gitea/data/lfs | |||
LFS_JWT_SECRET = {{ gitea_LFS_JWT_SECRET }} | |||
[database] | |||
DB_TYPE = postgres | |||
HOST = /var/run/postgresql | |||
NAME = gitea | |||
USER = git | |||
;PASSWD = | |||
;SCHEMA = | |||
SSL_MODE = disable | |||
DB_RETRIES = 10 | |||
DB_RETRY_BACKOFF = 3s | |||
MAX_IDLE_CONNS = 2 | |||
CONN_MAX_LIFETIME = 3s | |||
MAX_OPEN_CONNS = 0 | |||
[security] | |||
INSTALL_LOCK = true | |||
SECRET_KEY = {{ gitea_SECRET_KEY }} | |||
INTERNAL_TOKEN = {{ gitea_INTERNAL_TOKEN }} | |||
[openid] | |||
ENABLE_OPENID_SIGNIN = false | |||
[service] | |||
DISABLE_REGISTRATION = true | |||
[mailer] | |||
ENABLED = false | |||
SEND_BUFFER_LEN = 100 | |||
SUBJECT_PREFIX = | |||
HOST = | |||
IS_TLS_ENABLED = false | |||
FROM = | |||
USER = | |||
SEND_AS_PLAIN_TEXT = false | |||
MAILER_TYPE = smtp | |||
[oauth2] | |||
ENABLE = true | |||
ACCESS_TOKEN_EXPIRATION_TIME=3600 | |||
REFRESH_TOKEN_EXPIRATION_TIME=730 | |||
INVALIDATE_REFRESH_TOKENS=false | |||
JWT_SECRET={{ gitea_JWT_SECRET }} | |||
MAX_TOKEN_LENGTH=32767 |
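Review bot: The `[oauth2]` keys at the end switch from `KEY = value` to `KEY=value`; Gitea's ini parser accepts both, but one spacing should be used throughout the file. Since `ROOT_URL` is https and the socket sits behind nginx, the session cookie should also be marked secure: add `[session]` with `COOKIE_SECURE = true` (I believe this defaults to false in 1.11). The `%(DOMAIN)s` references rely on go-ini interpolation, which Gitea's loader enables; a comment such as `; %(NAME)s is expanded by Gitea's ini loader` would spare a reader from checking. An empty `ROOT =` under `[repository]` presumably means "use the default"; a comment stating the intended repository location would be clearer.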
@ -0,0 +1,4 @@ | |||
location / { | |||
include fastcgi_params; | |||
fastcgi_pass unix:/run/gitea/gitea.sock; | |||
} |
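Review bot: The location block sets no `client_max_body_size`, so nginx's default 1m limit applies to every push and, with `LFS_START_SERVER = true` in app.ini, to every LFS upload; set an explicit limit, e.g. `client_max_body_size 512m;` (constructed value, size to taste). Large clones through FastCGI may also exceed the default `fastcgi_read_timeout` of 60s, so consider raising it alongside. Since nothing in this template is interpolated, a comment noting that it is deliberately static would help the next reader of the `.j2` file.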