roles/gitea: new role!

roles/gitea/defaults/main.yaml

@@ -0,0 +1,10 @@
+---
+host_fqdn: '{{ ansible_hostname }}.dmz.{{ domain }}'
+gitea_version: 1.11.6
+gitea_nginx_fqdn: 'projects.{{ domain }}'
+gitea_renew_secrets: false
+ldap_server: 'ldap1.dmz.{{ domain }}'
+ldap_basedn: 'dc={{ domain.replace(".", ",dc=") }}'
+ldap_tls_enabled: true
+ldap_tls_server_ca: '{{ tls_root_ca }}'
+...

roles/gitea/files/gitea.service

@@ -0,0 +1,64 @@
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=syslog.target
+After=network.target
+
+Requires=postgresql.service
+#Requires=memcached.service
+#Requires=redis.service
+
+
+###
+# If using socket activation for main http/s
+###
+
+#After=gitea.main.socket
+#Requires=gitea.main.socket
+#
+###
+# (You can also provide gitea an http fallback and/or ssh socket too)
+#
+# An example of /etc/systemd/system/gitea.main.socket
+###
+##
+## [Unit]
+## Description=Gitea Web Socket
+## PartOf=gitea.service
+##
+## [Socket]
+## Service=gitea.service
+## ListenStream=<some_port>
+## NoDelay=true
+##
+## [Install]
+## WantedBy=sockets.target
+##
+###
+
+[Service]
+# Modify these two values and uncomment them if you have
+# repos with lots of files and get an HTTP error 500 because
+# of that
+###
+#LimitMEMLOCK=infinity
+#LimitNOFILE=65535
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=/var/lib/gitea/
+# If using Unix socket: tells systemd to create the /run/gitea folder, which will contain the gitea.sock file
+# (manually creating /run/gitea doesn't work, because it would not persist across reboots)
+RuntimeDirectory=gitea
+ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
+Restart=always
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
+# If you want to bind Gitea to a port below 1024, uncomment
+# the two values below, or use socket activation to pass Gitea its ports as above
+###
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+###
+
+[Install]
+WantedBy=multi-user.target

roles/gitea/files/ldap.conf

@@ -0,0 +1,22 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE	dc=example,dc=com
+#URI	ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never
+
+# TLS certificates (needed for GnuTLS)
+TLS_CACERT	/etc/ldap/server_ca.crt
+#TLS_CERT	/etc/ldap/ldap.crt
+#TLS_KEY	/etc/ldap/ldap.key
+
+# TLSv1.3 Only
+TLS_CIPHER_SUITE	SECURE:-VERS-ALL:+VERS-TLS1.3
+

roles/gitea/handlers/main.yaml

@@ -0,0 +1,2 @@
+- name: 'update trusted ca'
+  shell: '/usr/sbin/update-ca-certificates'

roles/gitea/meta/main.yaml

@@ -0,0 +1,5 @@
+---
+dependencies:
+  - role: 'nginx'
+    nginx_site_fqdn: '{{ gitea_nginx_fqdn }}'
+...

roles/gitea/tasks/01-install.yaml

@@ -0,0 +1,84 @@
+---
+- name: 'install requirements'
+  apt:
+    pkg:
+      - 'git'
+      - 'postgresql'
+      - 'postgresql-contrib'
+      - 'python3-psycopg2'
+      - 'gnupg2'
+      - 'ca-certificates'
+    state: 'present'
+    update_cache: true
+    cache_valid_time: 3600
+
+- name: 'create git system user'
+  user:
+    name: 'git'
+    state: 'present'
+    home: '/home/git'
+    shell: '/bin/bash'
+    comment: 'Git Version Control'
+    system: true
+
+- name: 'add www-data to git group'
+  user:
+    append: true
+    name: 'www-data'
+    groups: 'git'
+
+- name: 'create gitea var directories'
+  file: 
+    state: 'directory'
+    path: '{{ item }}'
+    owner: 'git'
+    group: 'git'
+    mode: 0750
+  loop:
+    - '/var/lib/gitea'
+    - '/var/lib/gitea/custom'
+    - '/var/lib/gitea/data'
+    - '/var/lib/gitea/data/lfs'
+    - '/var/lib/gitea/log'
+
+- name: 'create gitea config directory'
+  file:
+    state: 'directory'
+    path: '/etc/gitea'
+    owner: 'root'
+    group: 'git'
+    mode: 0750
+
+- name: 'download gitea'
+  get_url:
+    url: 'https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64'
+    dest: '/usr/local/bin/gitea'
+    mode: '750'
+    owner: 'root'
+    group: 'git'
+
+- block:
+   - name: 'create gitea DB'
+     postgresql_db:
+       name: 'gitea'
+   - name: 'create gitea DB user'
+     postgresql_user:
+       name: 'git'
+       db: 'gitea'
+       priv: 'ALL'
+  become: true
+  become_method: 'su'
+  become_user: 'postgres'
+  tags: psql
+
+- name: 'create systemd unit'
+  copy:
+    src: 'gitea.service'
+    dest: '/etc/systemd/system/gitea.service'
+
+- name: 'enable systemd unit'
+  systemd:
+    daemon_reload: true
+    enabled: true
+    name: 'gitea'
+...

roles/gitea/tasks/02-configure.yaml

@@ -0,0 +1,172 @@
+---
+- name: 'check if config file exists'
+  stat:
+    path: '/etc/gitea/app.ini'
+  register: gitea_config_file
+
+- block:
+    - name: 'generate instance secrets'
+      command: '/usr/local/bin/gitea generate secret {{ item }}'
+      loop: [ 'INTERNAL_TOKEN', 'JWT_SECRET', 'LFS_JWT_SECRET', 'SECRET_KEY' ]
+      register: gitea_instance_secrets_out
+      no_log: true
+    - set_fact:
+        gitea_INTERNAL_TOKEN: '{{ gitea_instance_secrets_out.results[0].stdout }}'
+        gitea_JWT_SECRET: '{{ gitea_instance_secrets_out.results[1].stdout }}'
+        gitea_LFS_JWT_SECRET: '{{ gitea_instance_secrets_out.results[2].stdout }}'
+        gitea_SECRET_KEY: '{{ gitea_instance_secrets_out.results[3].stdout }}'
+      no_log: true
+  when: not gitea_config_file.stat.exists
+
+- block:
+    - name: 'read instance secrets'
+      command: 'sed -n "s/^{{ item }}\s\?=\s\?\(.\+\)$/\1/p" /etc/gitea/app.ini'
+      loop: [ 'INTERNAL_TOKEN', 'JWT_SECRET', 'LFS_JWT_SECRET', 'SECRET_KEY' ]
+      register: gitea_instance_secrets_out
+      no_log: true
+    - set_fact:
+        gitea_INTERNAL_TOKEN: '{{ gitea_instance_secrets_out.results[0].stdout }}'
+        gitea_JWT_SECRET: '{{ gitea_instance_secrets_out.results[1].stdout }}'
+        gitea_LFS_JWT_SECRET: '{{ gitea_instance_secrets_out.results[2].stdout }}'
+        gitea_SECRET_KEY: '{{ gitea_instance_secrets_out.results[3].stdout }}'
+      no_log: true
+  when: gitea_config_file.stat.exists
+
+- name: 'create config file'
+  template:
+    src: 'app.ini.j2'
+    dest: '/etc/gitea/app.ini'
+    mode: '0640'
+    group: 'git'
+    owner: 'root'
+
+- name: 'start gitea'
+  systemd:
+    enabled: true
+    state: 'restarted'
+    name: 'gitea'
+
+- name: 'wait for gitea to build the database'
+  pause:
+    seconds: 20
+
+- name: 'try to read ldap configuration from sql'
+  postgresql_query:
+    login_user: 'git'
+    db: 'gitea'
+    query: 'SELECT cfg FROM login_source WHERE id = 1 LIMIT 1'
+  register: gitea_psql_auth_query
+  become: true
+  become_method: su
+  become_user: git
+  tags:
+   - 'role::gitea::ldap_integration'
+   - 'ldap::integration'
+
+- name: 'try to parse gitea ldap config'
+  set_fact:
+    gitea_ldap_config: '{{ gitea_psql_auth_query.query_result.0.cfg | d("{}") | from_json }}'
+  tags:
+   - 'role::gitea::ldap_integration'
+   - 'ldap::integration'
+
+- name: 'configure ldap'
+  set_fact:
+    gitea_ldap_config: '{{ gitea_ldap_config | combine({item.key: item.value}) }}'
+  loop: '{{ gitea_ldap_vars | dict2items }}'
+  loop_control:
+    label: '{{ item.key }}'
+  vars:
+    gitea_ldap_vars:
+      AdminFilter: "(&(authorizedService=gitea)(memberOf=cn=admin,ou=Group,{{ ldap_basedn }}))"
+      AllowDeactivateAll: false
+      AttributeMail: "mail"
+      AttributeName: "cn"
+      AttributeSSHPublicKey: ""
+      AttributeSurname: ""
+      AttributeUsername: "uid"
+      AttributesInBind: false
+      BindDN: "cn={{ host_fqdn }},ou=Server,{{ ldap_basedn }}"
+      Enabled: true
+      Filter: "(&(authorizedService=gitea)(uid=%s))"
+      Host: "{{ ldap_server }}"
+      Name: "ldap"
+      Port: 389
+      SearchPageSize: 0
+      SecurityProtocol: 2
+      SkipVerify: false
+      UserBase: "ou=People,{{ ldap_basedn }}"
+      UserDN: ""
+  tags:
+   - 'role::gitea::ldap_integration'
+   - 'ldap::integration'
+
+- name: 'update tls ldap server ca'
+  copy:
+    content: '{{ ldap_tls_server_ca }}'
+    dest: '/usr/local/share/ca-certificates/lilik_server_ca.crt'
+    owner: 'root'
+    group: 'root'
+    mode: 0644
+  notify: 'update trusted ca'
+  tags:
+   - 'role::gitea::ldap_integration'
+   - 'ldap::integration'
+   - 'pki'
+   - 'pki::tls'
+
+- name: 'configure ldap client'
+  copy:
+    src: 'ldap.conf'
+    dest: '/etc/ldap/ldap.conf'
+  tags:
+   - 'role::gitea::ldap_integration'
+   - 'ldap::integration'
+
+- block:
+    - name: 'generate gitea ldap password'
+      gen_passwd: length=32
+      register: gitea_ldap_passwd
+      no_log: true
+    - name: 'set gitea ldap password in ldap'
+      delegate_to: 'localhost'
+      ldap_passwd:
+        dn: 'cn={{ host_fqdn }},ou=Server,{{ ldap_basedn }}'
+        passwd: '{{ gitea_ldap_passwd.passwd }}'
+        server_uri: 'ldap://{{ ldap_server }}'
+        start_tls: '{{ ldap_tls_enabled }}'
+        bind_dn: '{{ ldap_admin_dn }}'
+        bind_pw: '{{ ldap_admin_pw }}'
+    - name: 'set gitea ldap password in gitea'
+      set_fact:
+        gitea_ldap_config: '{{ gitea_ldap_config | combine({ "BindPassword": gitea_ldap_passwd.passwd }) }}'
+  when: gitea_ldap_config["BindPassword"] | d("") == "" or gitea_renew_secrets
+  tags:
+   - 'role::gitea::ldap_integration'
+   - 'ldap::integration'
+
+
+- name: 'write ldap configuration'
+  postgresql_query:
+    login_user: 'git'
+    db: 'gitea'
+    query: |
+      INSERT INTO login_source (id, type, name, is_actived, is_sync_enabled, cfg)
+      VALUES (1, 2, 'ldap', 't', 't', %(cfg)s)
+      ON CONFLICT (id) DO UPDATE
+      SET type = excluded.type, name = excluded.name, is_actived = excluded.is_actived, is_sync_enabled = excluded.is_sync_enabled, cfg = excluded.cfg
+    named_args:
+      cfg: '{{ gitea_ldap_config | to_json }}'
+  become: true
+  become_method: su
+  become_user: git
+  tags:
+   - 'role::gitea::ldap_integration'
+   - 'ldap::integration'
+
+- name: 'create nginx configuration'
+  template:
+    src: 'nginx_gitea.conf.j2'
+    dest: '/etc/nginx/locations/{{ gitea_nginx_fqdn }}/gitea.conf'
+  notify: 'reload nginx'
+...

roles/gitea/tasks/main.yaml

@@ -0,0 +1,13 @@
+---
+- block:
+    - import_tasks: '01-install.yaml'
+      tags:
+        - 'install'
+        - 'role::gitea::install'
+    - import_tasks: '02-configure.yaml'
+      tags:
+        - 'configure'
+        - 'role::gitea::configure'
+  tags:
+    - 'role::gitea'
+...

roles/gitea/templates/app.ini.j2

@@ -0,0 +1,66 @@
+APP_NAME = Gitea: Git with a cup of tea
+RUN_USER = git
+RUN_MODE = prod
+
+[repository]
+ROOT = 
+
+[server]
+PROTOCOL = fcgi+unix
+DOMAIN = {{ gitea_nginx_fqdn }}
+ROOT_URL = https://%(DOMAIN)s/
+HTTP_ADDR = /run/gitea/gitea.sock
+UNIX_SOCKET_PERMISSION = 660
+SSH_DOMAIN = %(DOMAIN)s
+SSH_PORT = 22
+SSH_CREATE_AUTHORIZED_KEYS_FILE = true
+SSH_BACKUP_AUTHORIZED_KEYS = true
+APP_DATA_PATH = data
+LANDING_PAGE = home
+LFS_START_SERVER = true
+LFS_CONTENT_PATH = /var/lib/gitea/data/lfs
+LFS_JWT_SECRET = {{ gitea_LFS_JWT_SECRET }}
+
+[database]
+DB_TYPE = postgres
+HOST = /var/run/postgresql
+NAME = gitea
+USER = git
+;PASSWD =
+;SCHEMA =
+SSL_MODE = disable
+DB_RETRIES = 10
+DB_RETRY_BACKOFF = 3s
+MAX_IDLE_CONNS = 2
+CONN_MAX_LIFETIME = 3s
+MAX_OPEN_CONNS = 0
+
+[security]
+INSTALL_LOCK = true
+SECRET_KEY = {{ gitea_SECRET_KEY }}
+INTERNAL_TOKEN = {{ gitea_INTERNAL_TOKEN }}
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+
+[service]
+DISABLE_REGISTRATION = true
+
+[mailer]
+ENABLED = false
+SEND_BUFFER_LEN = 100
+SUBJECT_PREFIX =
+HOST =
+IS_TLS_ENABLED = false
+FROM =
+USER =
+SEND_AS_PLAIN_TEXT = false
+MAILER_TYPE = smtp
+
+[oauth2]
+ENABLE = true
+ACCESS_TOKEN_EXPIRATION_TIME=3600
+REFRESH_TOKEN_EXPIRATION_TIME=730
+INVALIDATE_REFRESH_TOKENS=false
+JWT_SECRET={{ gitea_JWT_SECRET }}
+MAX_TOKEN_LENGTH=32767

roles/gitea/templates/nginx_gitea.conf.j2

@@ -0,0 +1,4 @@
+location / {
+    include fastcgi_params;
+    fastcgi_pass unix:/run/gitea/gitea.sock;
+}