Merge pull request roles-ansible#92 from roles-ansible/forgejo

Option to install Forgejo

Author: DO1JLR

README.md

@@ -1,10 +1,11 @@
 [![Ansible Galaxy](https://raw.githubusercontent.com/roles-ansible/ansible_role_gitea/main/.github/galaxy.svg?sanitize=true)](https://galaxy.ansible.com/do1jlr/gitea) [![MIT License](https://raw.githubusercontent.com/roles-ansible/ansible_role_gitea/main/.github/license.svg?sanitize=true)](https://github.com/roles-ansible/ansible_role_gitea/blob/main/LICENSE)
 
- ansible role gitea
-===================
+ ansible role gitea/forgejo
+============================
 
-This role installs and manages [gitea](https://gitea.io) - Git with a cup of tea. A painless self-hosted Git service. Gitea is a community managed lightweight code hosting solution written in Go.
+This role installs and manages [gitea](https://gitea.io) or [forgejo](https://forgejo.org). A painless self-hosted Git service. Gitea is a community managed lightweight code hosting solution written in Go. Forgejo is a fork of it.
 [Source code & screenshots](https://github.com/go-gitea/gitea).
+[Source code forgejo](https://codeberg.org/forgejo/forgejo)
 
 ## Sample example of use in a playbook
 
@@ -20,17 +21,24 @@ The following code has been tested with the latest Debian Stable, it should work
   vars:
     # Here we assume we are behind a reverse proxy that will
     # handle https for us, so we bind on localhost:3000 using HTTP
+    # see https://docs.gitea.io/en-us/reverse-proxies/#nginx
     gitea_fqdn: 'git.example.com'
     gitea_root_url: 'https://git.example.com'
     gitea_protocol: http
-
     gitea_start_ssh: true
 ```
 
  Variables
 -----------
 Here is a deeper insight into the variables of this gitea role. For the exact function of some variables and the possibility to add more options we recommend a look at this [config cheat sheet](https://docs.gitea.io/en-us/config-cheat-sheet/).
 
+### Chose between gitea and forgejo
+There is a fork of gitea called forgejo. Why? Read the [forgejo FAQ](https://forgejo.org/faq/).
+You have the option to choose between [gitea](https://gitea.io) and [forgejo](https://forgejo.org) by modifying the ``gitea_fork`` variable.
+| variable name | default value | description |
+| ------------- | ------------- | ----------- |
+| `gitea_fork`  | `gitea`       | optional choose to install forgejo instead of gitea by setting this value to `forgejo`. |
+
 ### gitea update mechanism
 To determine which gitea version to install, you can choose between two variants.
 Either you define exactly which release you install. Or you use the option ``latest`` to always install the latest release from the [gitea releases](https://github.com/go-gitea/gitea/releases/latest).
@@ -41,6 +49,7 @@ Either you define exactly which release you install. Or you use the option ``lat
 | `gitea_version` | `latest` | Define either the exact release to install *(eg. `1.16.0`)* or use ``latest`` *(default)* to install the latest release. |
 | `gitea_version_check` | `true` | Check if installed version != `gitea_version` before initiating binary download |
 | `gitea_gpg_key` | `7C9E68152594688862D62AF62D9AE806EC1592E2` | the gpg key the gitea binary is signed with |
+| `gitea_forgejo_gpg_key` | `EB114F5E6C0DC2BCDD183550A4B61A2DC5923710` | the gpg key the forgejo binary is signed with |
 | `gitea_gpg_server` | `hkps://keys.openpgp.org` | A gpg key server where this role can download the gpg key |
 | `gitea_backup_on_upgrade` | `false` | Optionally a backup can be created with every update of gitea. |
 | `gitea_backup_location` | `{{ gitea_home }}/backups/` | Where to store the gitea backup if one is created with this role. |
@@ -54,6 +63,7 @@ Either you define exactly which release you install. Or you use the option ``lat
 | `gitea_home` | `/var/lib/gitea` | Base directory to work |
 | `gitea_user_home` | `{{ gitea_home }}` | home of gitea user |
 | `gitea_executable_path` | `/usr/local/bin/gitea` | Path for gitea executable |
+| `gitea_forgejo_executable_path` | `/usr/local/bin/forgejo` | Path for forgejo executable |
 | `gitea_configuraion_path` | `/etc/gitea` | Where to put the gitea.ini config |
 | `gitea_shell` | `/bin/false` | UNIX shell used by gitea. Set it to `/bin/bash` if you don't use the gitea built-in ssh server. |
 | `gitea_systemd_cap_net_bind_service` | `false` | Adds `AmbientCapabilities=CAP_NET_BIND_SERVICE` to systemd service file |
@@ -97,6 +107,7 @@ Either you define exactly which release you install. Or you use the option ``lat
 | `gitea_enable_repo_signing_extra` | | you can use this variable to pass additional config parameters in the `[repository.signing]` section of the config. |
 
 ### CORS ([cors](https://docs.gitea.io/en-us/config-cheat-sheet/#cors-cors))
+| variable name | default value | description |
 | ------------- | ------------- | ----------- |
 | `gitea_enable_cors` | `false` | enable cors headers (disabled by default) |
 | `gitea_cors_scheme` | `http` | scheme of allowed requests |
@@ -133,7 +144,6 @@ Either you define exactly which release you install. Or you use the option ``lat
 | `gitea_root_url` | `http://localhost:3000` | Root URL used to access your web app (full URL) |
 | `gitea_http_listen` | `127.0.0.1` | HTTP listen address |
 | `gitea_http_port` | `3000` | Bind port *(redirect from `80` will be activated if value is `443`)* |
-
 | `gitea_start_ssh` | `true` | When enabled, use the built-in SSH server. |
 | `gitea_ssh_domain` | `{{ gitea_http_domain ` |  Domain name of this server, used for displayed clone URL |
 | `gitea_ssh_port` | `2222` | SSH port displayed in clone URL. |

defaults/main.yml

@@ -1,9 +1,13 @@
 ---
+# Choose between https://forgejo.org/ and https://gitea.io/
+gitea_fork: 'gitea'  # 'gitea' and 'forgejo' are valid options
+
 # gitea version
 # Use 'latest' to auto-update; upgrading past role version may lead to errors.
 gitea_version: 'latest'
 gitea_version_check: true
 gitea_gpg_key: '7C9E68152594688862D62AF62D9AE806EC1592E2'
+gitea_forgejo_gpg_key: 'EB114F5E6C0DC2BCDD183550A4B61A2DC5923710'
 gitea_gpg_server: 'hkps://keys.openpgp.org'
 gitea_backup_on_upgrade: false
 gitea_backup_location: "{{ gitea_home }}/backups/"
@@ -15,6 +19,7 @@ gitea_group: 'gitea'
 gitea_home: '/var/lib/gitea'
 gitea_user_home: '{{ gitea_home }}'
 gitea_executable_path: '/usr/local/bin/gitea'
+gitea_forgejo_executable_path: '/usr/local/bin/forgejo'
 gitea_configuraion_path: '/etc/gitea'
 gitea_shell: '/bin/false'
 gitea_systemd_cap_net_bind_service: false

meta/main.yml

@@ -2,7 +2,7 @@
 galaxy_info:
   role_name: gitea
   author: do1jlr
-  description: Ansible role to configure and deploy gitea, a painless self-hosted Git service.
+  description: Ansible role to configure and deploy gitea and forgejo, a painless self-hosted Git service.
   license: "BSD-3-Clause"
   min_ansible_version: "2.11"
   platforms:
@@ -20,6 +20,7 @@ galaxy_info:
         - all
   galaxy_tags:
     - gitea
+    - forgejo
     - git
     - system
     - development

tasks/backup.yml

@@ -29,7 +29,7 @@
     - name: Backing up gitea before upgrade
       become: true
       ansible.builtin.command:
-        cmd: "sudo -u {{ gitea_user }} {{ gitea_executable_path }} dump -c {{ gitea_configuraion_path }}/gitea.ini"
+        cmd: "sudo -u {{ gitea_user }} {{ gitea_full_executable_path }} dump -c {{ gitea_configuraion_path }}/gitea.ini"
         chdir: "{{ gitea_backup_location }}"
       changed_when: true
   rescue:

tasks/gitea_secrets.yml

@@ -1,7 +1,7 @@
 ---
 - name: Generate gitea SECRET_KEY if not provided
   become: true
-  ansible.builtin.shell: 'umask 077; {{ gitea_executable_path }} generate secret SECRET_KEY > {{ gitea_configuraion_path }}/gitea_secret_key'
+  ansible.builtin.shell: 'umask 077; {{ gitea_full_executable_path }} generate secret SECRET_KEY > {{ gitea_configuraion_path }}/gitea_secret_key'
   args:
     creates: '{{ gitea_configuraion_path }}/gitea_secret_key'
   when: gitea_secret_key | string | length == 0
@@ -20,7 +20,7 @@
 
 - name: Generate gitea INTERNAL_TOKEN if not provided
   become: true
-  ansible.builtin.shell: 'umask 077; {{ gitea_executable_path }} generate secret INTERNAL_TOKEN > {{ gitea_configuraion_path }}/gitea_internal_token'
+  ansible.builtin.shell: 'umask 077; {{ gitea_full_executable_path }} generate secret INTERNAL_TOKEN > {{ gitea_configuraion_path }}/gitea_internal_token'
   args:
     creates: '{{ gitea_configuraion_path }}/gitea_internal_token'
   when: gitea_internal_token | string | length == 0

tasks/install_forgejo.yml

@@ -0,0 +1,78 @@
+---
+- name: Dependency block
+  block:
+    - name: Update apt cache
+      become: true
+      ansible.builtin.apt:
+        cache_valid_time: 3600
+        update_cache: true
+      register: _pre_update_apt_cache
+      until: _pre_update_apt_cache is succeeded
+      when:
+        - ansible_pkg_mgr == "apt"
+
+    - name: Install dependencies
+      become: true
+      ansible.builtin.package:
+        name: "{{ gitea_dependencies }}"
+        state: present
+      register: _install_dep_packages
+      until: _install_dep_packages is succeeded
+      retries: 5
+      delay: 2
+
+- name: Install forgejo block
+  when: (not gitea_version_check | bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version_target))
+  block:
+    - name: Download forgejo archive
+      ansible.builtin.get_url:
+        url: "{{ gitea_forgejo_dl_url | first }}"
+        dest: "/tmp/{{ gitea_filename }}"
+        checksum: "sha256:{{ gitea_forgejo_checksum }}"
+        mode: 0640
+      register: _download_archive
+      until: _download_archive is succeeded
+      retries: 5
+      delay: 2
+
+    - name: Download forgejo asc file
+      ansible.builtin.get_url:
+        url: "{{ gitea_forgejo_signed_url | first }}"
+        dest: "/tmp/{{ gitea_filename }}.asc"
+        mode: 0640
+      register: _download_asc
+      until: _download_asc is succeeded
+      retries: 5
+      delay: 2
+
+    - name: Check forgejo gpg key
+      ansible.builtin.command: "gpg --list-keys 0x{{ gitea_forgejo_gpg_key }}"
+      register: _gitea_gpg_key_status
+      changed_when: false
+      failed_when: _gitea_gpg_key_status.rc not in (0, 2)
+
+    - name: Print gpg key staus on verbosity
+      ansible.builtin.debug:
+        msg: "{{ _gitea_gpg_key_status.stdout }}"
+        verbosity: 1
+
+    - name: Import forgejo gpg key
+      ansible.builtin.command: "gpg --keyserver {{ gitea_gpg_server }} --recv {{ gitea_forgejo_gpg_key }}"
+      register: _gitea_import_key
+      changed_when: '"imported: 1" in _gitea_import_key.stderr'
+      when: '_gitea_gpg_key_status.rc != 0 or "expired" in _gitea_gpg_key_status.stdout'
+
+    - name: Check archive signature
+      ansible.builtin.command: "gpg --verify /tmp/{{ gitea_filename }}.asc /tmp/{{ gitea_filename }}"
+      changed_when: false
+
+    - name: Propagate gitea binary
+      become: true
+      ansible.builtin.copy:
+        src: "/tmp/{{ gitea_filename }}"
+        remote_src: true
+        dest: "{{ gitea_full_executable_path }}"
+        mode: 0755
+        owner: root
+        group: root
+      notify: "Restart gitea"

tasks/install.yml renamed to tasks/install_gitea.yml

@@ -21,7 +21,7 @@
       retries: 5
       delay: 2
 
-- name: Install block
+- name: Install gitea block
   when: (not gitea_version_check | bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version_target))
   block:
     - name: Download gitea archive
@@ -51,7 +51,7 @@
       changed_when: false
       failed_when: _gitea_gpg_key_status.rc not in (0, 2)
 
-    - name: print gpg key staus on verbosity
+    - name: Print gpg key staus on verbosity
       ansible.builtin.debug:
         msg: "{{ _gitea_gpg_key_status.stdout }}"
         verbosity: 1
@@ -76,7 +76,7 @@
       ansible.builtin.copy:
         src: "/tmp/{{ gitea_filename }}"
         remote_src: true
-        dest: "{{ gitea_executable_path }}"
+        dest: "{{ gitea_full_executable_path }}"
         mode: 0755
         owner: root
         group: root

tasks/jwt_secrets.yml

@@ -1,7 +1,7 @@
 ---
 - name: Generate OAuth2 JWT_SECRET if not provided
   become: true
-  ansible.builtin.shell: 'umask 077; {{ gitea_executable_path }} generate secret JWT_SECRET > {{ gitea_configuraion_path }}/gitea_oauth_jwt_secret'
+  ansible.builtin.shell: 'umask 077; {{ gitea_full_executable_path }} generate secret JWT_SECRET > {{ gitea_configuraion_path }}/gitea_oauth_jwt_secret'
   args:
     creates: '{{ gitea_configuraion_path }}/gitea_oauth_jwt_secret'
   when: gitea_oauth2_jwt_secret | length == 0
@@ -20,7 +20,7 @@
 
 - name: Generate LFS JWT_SECRET if not provided
   become: true
-  ansible.builtin.shell: 'umask 077; {{ gitea_executable_path }} generate secret JWT_SECRET > {{ gitea_configuraion_path }}/gitea_lfs_jwt_secret'
+  ansible.builtin.shell: 'umask 077; {{ gitea_full_executable_path }} generate secret JWT_SECRET > {{ gitea_configuraion_path }}/gitea_lfs_jwt_secret'
   args:
     creates: '{{ gitea_configuraion_path }}/gitea_lfs_jwt_secret'
   when: gitea_lfs_jwt_secret | length == 0

tasks/main.yml

@@ -7,11 +7,20 @@
   ansible.builtin.package_facts:
     manager: auto
 
+- name: Prepare gitea/forgejo variable import
+  block:
+    - name: Gather variables for gitea or forgejo
+      ansible.builtin.include_vars: "{{ lookup('first_found', gitea_fork_variables) }}"
+  rescue:
+    - name: Gitea/Forejo import info
+      ansible.builtin.fail:
+        msg: "Currently only {{ gitea_supported_forks }} are supported."
+
 - name: Gather variables for each operating system
   ansible.builtin.include_vars: "{{ lookup('first_found', gitea_variables) }}"
 
 - name: Gather versioning information
-  ansible.builtin.include_tasks: set_version.yml
+  ansible.builtin.include_tasks: "set_{{ gitea_fork | lower }}_version.yml"
 
 - name: Backup gitea before update
   ansible.builtin.include_tasks: backup.yml
@@ -20,8 +29,8 @@
 - name: Create gitea user and role
   ansible.builtin.include_tasks: create_user.yml
 
-- name: Install or update gitea
-  ansible.builtin.include_tasks: install.yml
+- name: "Install or update {{ gitea_fork }}"
+  ansible.builtin.include_tasks: "install_{{ gitea_fork | lower }}.yml"
 
 - name: Create directories
   ansible.builtin.include_tasks: directory.yml

tasks/set_forgejo_version.yml

@@ -0,0 +1,98 @@
+---
+- name: "Check forgejo installed version"
+  ansible.builtin.shell: "set -eo pipefail; {{ gitea_full_executable_path }} -v | cut -d' ' -f 3"
+  args:
+    executable: /bin/bash
+  register: gitea_active_version
+  changed_when: false
+  failed_when: false
+
+- name: "Determine 'latest' version release"
+  when: gitea_version == "latest"
+  block:
+    - name: "Get latest forgejo release metadata"
+      ansible.builtin.uri:
+        url: 'https://codeberg.org/api/v1/repos/forgejo/forgejo/releases?limit=1'
+        return_content: true
+      register: gitea_forgejo_remote_metadata
+      when: not ansible_check_mode
+
+    - name: "Fail if running in check mode without versions set."
+      ansible.builtin.fail:
+        msg: |
+          "You are running this playbook in check mode:
+          Please set the Gitea version with the variable 'gitea_version', because the URI module cannot detect the latest version in this mode."
+      when: ansible_check_mode and (gitea_version == 'latest' or gitea_version == 'present')
+
+    - name: "Set fact latest forgejo release"
+      ansible.builtin.set_fact:
+        gitea_remote_version: "{{ gitea_forgejo_remote_metadata.json.0.tag_name[1:] }}"
+      when: not ansible_check_mode
+
+    - name: "Set forgejo version target (latest)"
+      ansible.builtin.set_fact:
+        gitea_version_target: "{{ gitea_remote_version }}"
+      when: not ansible_check_mode
+
+- name: "Set gitea version target {{ gitea_version }}"
+  ansible.builtin.set_fact:
+    gitea_version_target: "{{ gitea_version }}"
+  when: gitea_version != "latest"
+
+- name: "Get specific forgejo release metadata"
+  ansible.builtin.uri:
+    url: 'https://codeberg.org/api/v1/repos/forgejo/forgejo/releases/tags/v{{ gitea_version_target }}'
+    return_content: true
+  register: gitea_forgejo_remote_tags_metadata
+  when: not ansible_check_mode
+
+- name: "Generate forgejo download url"
+  ansible.builtin.set_fact:
+    gitea_forgejo_dl_url: "{{ gitea_forgejo_remote_tags_metadata.json | community.general.json_query(gitea_forgejo_query_download) }}"
+  when: not ansible_check_mode
+
+- name: "Generate forgejo download checksum url"
+  ansible.builtin.set_fact:
+    gitea_forgejo_checksum_url: "{{ gitea_forgejo_remote_tags_metadata.json | community.general.json_query(gitea_forgejo_query_checksum) }}"
+  when: not ansible_check_mode
+
+- name: Get forgejo checksum
+  ansible.builtin.uri:
+    url: "{{ gitea_forgejo_checksum_url | first }}"
+    return_content: true
+  register: _gitea_forgejo_dl_checksum
+  when: not ansible_check_mode
+
+- name: Set forjeo checksum
+  ansible.builtin.set_fact:
+    gitea_forgejo_checksum: "{{ _gitea_forgejo_dl_checksum.content.split('  ')[0] }}"
+  when: not ansible_check_mode
+
+- name: "Generate forgejo download signed url"
+  ansible.builtin.set_fact:
+    gitea_forgejo_signed_url: "{{ gitea_forgejo_remote_tags_metadata.json | community.general.json_query(gitea_forgejo_query_signed) }}"
+  when: not ansible_check_mode
+
+- name: "Set a example forgejo download link if in check mode"
+  ansible.builtin.set_fact:
+    gitea_forgejo_dl_url: ['https://codeberg.org/attachments/a00333ad-250a-4d30-a764-9a37fb24f419']
+  when: ansible_check_mode
+
+- name: "Set a example forgejo checksum link if in check mode"
+  ansible.builtin.set_fact:
+    gitea_forgejo_checksum: 'f8c71464d1b250bf022eaa3df270c810950904ceb71da5cefc7ec24a034a4c87'
+  when: ansible_check_mode
+
+- name: "Set a example forgejo checksum link if in check mode"
+  ansible.builtin.set_fact:
+    gitea_forgejo_signed_url: ['https://codeberg.org/attachments/ae5e50c6-e86e-4202-b95f-f142e8138e2f']
+  when: ansible_check_mode
+
+- name: Show Download URLs
+  ansible.builtin.debug:
+    msg: "{{ item }}"
+    verbosity: 1
+  with_items:
+    - "gitea_forgejo_dl_url: {{ gitea_forgejo_dl_url | first }}"
+    - "gitea_forgejo_checksum: {{ gitea_forgejo_checksum }}"
+    - "gitea_forgejo_signed_url: {{ gitea_forgejo_signed_url | first }}"