gitea initial role

defaults/main.yml

@@ -0,0 +1,10 @@
+gitea_http_addr: 127.0.0.1
+gitea_http_port: 3000
+
+#gitea_download_url: https://dl.gitea.io/gitea/1.4/gitea-1.4-linux-amd64
+gitea_download_url: https://github.com/go-gitea/gitea/releases/download/v1.4.0/gitea-1.4.0-linux-amd64
+gitea_download_checksum: sha256:f4c4c7eecc6dd8cd5401883a33924223177b4fa0a40ecd867ad90dc6387a4080
+
+gitea_admin_username: testadmin
+gitea_admin_password: testadmin
+gitea_admin_email: admin@example.com

handlers/main.yml

@@ -0,0 +1,12 @@
+---
+
+- name: systemd daemon-reload
+  systemd:
+    daemon_reload: yes
+
+- name: restart gitea
+  systemd:
+    name: gitea.service
+    state: restarted
+  listen:
+    - restart gitea

tasks/config.yml

@@ -0,0 +1,19 @@
+---
+
+# https://github.com/ansible/ansible/issues/30599
+- name: "fill config file with a global variable because of ansible bug #30599"
+  copy:
+    content: RUN_MODE = prod
+    dest: /etc/gitea/app.ini
+    force: no
+
+- name: gitea config
+  ini_file:
+    path: /etc/gitea/app.ini
+    section: "{{ item.section }}"
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+    owner: git
+    group: git
+  notify: restart gitea
+  with_items: "{{ _gitea_config }}"

tasks/deploy.yml

@@ -0,0 +1,86 @@
+---
+- name: debian packages
+  apt:
+    pkg: "{{item}}"
+  with_items:
+    - ca-certificates
+    - git
+    - golang
+
+- name: download gitea
+  get_url:
+    url: "{{ gitea_download_url }}"
+    dest: /usr/local/bin/gitea
+    checksum: "{{ gitea_download_checksum }}"
+
+- name: gitea executable
+  file:
+    path: /usr/local/bin/gitea
+    mode: u=rwx,g=rx,o=rx
+
+# - name: allow gitea executable to bind on privileged port
+#   capabilities:
+#     path: /usr/local/bin/gitea
+#     capability: cap_sys_chroot+eip
+#     state: present
+
+- name: git user
+  user:
+    name: git
+    system: yes
+    home: /srv/git
+
+- name: gitea home directory
+  file:
+    path: /srv/git
+    mode: u=rwx,g=rx,o=rx
+    owner: git
+    group: git
+    state: directory
+
+- name: gitea repos directory
+  file:
+    path: /srv/git/repos
+    mode: u=rwx,g=rx,o=rx
+    owner: git
+    group: git
+    state: directory
+
+- name: gitea work directory
+  file:
+    path: /var/lib/gitea
+    mode: u=rwx,g=rx,o=rx
+    owner: git
+    group: git
+    state: directory
+
+- name: gitea config directory
+  file:
+    path: /etc/gitea
+    mode: u=rwx,g=rx,o=rx
+    owner: git
+    group: git
+    state: directory
+
+- name: gitea log directory
+  file:
+    path: /var/log/gitea
+    mode: u=rwx,g=rx,o=rx
+    owner: git
+    group: git
+    state: directory
+
+- import_tasks: config.yml
+
+- name: systemd service unit
+  template:
+    src: systemd.service.j2
+    dest: /etc/systemd/system/gitea.service
+  notify:
+    - systemd daemon-reload
+    - restart gitea
+
+- name: gitea started
+  systemd:
+    name: gitea.service
+    state: started

tasks/install.yml

@@ -0,0 +1,16 @@
+---
+
+
+- name: wait for gitea http port to be open
+  wait_for:
+    port: "{{ gitea_http_port }}"
+
+- name: create gitea admin user
+  command: "/usr/local/bin/gitea admin create-user --name {{ gitea_admin_username }} --password {{ gitea_admin_password }} --email {{ gitea_admin_email }} --admin --config /etc/gitea/app.ini"
+  register: _gitea_create_admin_user
+  failed_when: _gitea_create_admin_user.rc == 1 and 'user already exists' not in _gitea_create_admin_user.stderr
+  changed_when: _gitea_create_admin_user.rc == 0
+  #no_log: true
+
+- debug:
+    msg: "{{ _gitea_create_admin_user }}"

tasks/main.yml

@@ -0,0 +1,28 @@
+---
+
+- import_tasks: deploy.yml
+
+- name: flush handlers
+  meta: flush_handlers
+
+
+- include_role:
+    name: certificate
+  vars:
+    certificate_name: gitea
+    certificate_directory: /etc/ssl
+    certificate_key_usage:
+      - digitalSignature
+      - keyEncipherment
+    certificate_extended_key_usage:
+      - serverAuth
+    certificate_alt_names:
+      - "{{ gitea_server_name | regex_replace( '(.*)','DNS:\\1' ) }}"
+
+- include_role:
+    name: nginx
+  vars:
+    nginx_vhosts: "{{ _gitea_nginx_vhosts }}"
+
+- name: flush handlers
+  meta: flush_handlers

templates/systemd.service.j2

@@ -0,0 +1,27 @@
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=syslog.target
+After=network.target
+#After=mysqld.service
+#After=postgresql.service
+#After=memcached.service
+#After=redis.service
+
+[Service]
+# Modify these two values and uncomment them if you have
+# repos with lots of files and get an HTTP error 500 because
+# of that
+###
+#LimitMEMLOCK=infinity
+#LimitNOFILE=65535
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=~
+ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
+Restart=always
+Environment=USER=git HOME=/srv/git GITEA_WORK_DIR=/var/lib/gitea
+
+[Install]
+WantedBy=multi-user.target

vars/main.yml

@@ -0,0 +1,63 @@
+_gitea_nginx_vhosts:
+  - name: gitea
+    server_names:
+      - "{{ gitea_server_name }}"
+    locations:
+      - location: /
+        proxy_pass: http://localhost:3000
+
+_gitea_config:
+
+  - section: null
+    option: RUN_MODE
+    value: prod
+
+  - section: null
+    option: APP_NAME
+    value: "{{ gitea_app_name | default(gitea_server_name) }}"
+
+  - section: server
+    option: HTTP_ADDR
+    value: "{{ gitea_http_addr }}"
+
+  - section: server
+    option: HTTP_PORT
+    value: "{{ gitea_http_port }}"
+
+  - section: server
+    option: ROOT_URL
+    value: "https://{{ gitea_server_name }}/"
+
+  - section: server
+    option: DOMAIN
+    value: "{{ gitea_server_name }}"
+
+  - section: server
+    option: SSH_DOMAIN
+    value: "{{ gitea_server_name }}"
+
+  - section: repository
+    option: ROOT
+    value: /srv/git/repos
+
+  - section: database
+    option: DB_TYPE
+    value: sqlite3
+
+  - section: database
+    option: PATH
+    value: "/var/lib/gitea/data/gitea.db"
+
+  - section: log
+    option: ROOT_PATH
+    value: /var/log/gitea
+
+  # see: Support automatic installation via configuration management (ansible, puppet, chef, etc) #2324
+  # https://github.com/go-gitea/gitea/issues/2324
+  - section: security
+    option: INSTALL_LOCK
+    value: true
+
+  - section: security
+    option: DISABLE_GIT_HOOKS
+    value: true