diff --git a/.ansible-lint b/.ansible-lint
deleted file mode 100644
index a48e52d..0000000
--- a/.ansible-lint
+++ /dev/null
@@ -1,9 +0,0 @@
-use_default_rules: true
-
-exclude_paths:
-  - venv/
-  - molecule/default/
-  - tests/
-
-#skip_list:
-# - '301'
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..dde6f4a
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,9 @@
+---
+# See https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates
+version: 2
+updates:
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
diff --git a/.github/workflows/ansible-linting-check.yml b/.github/workflows/ansible-linting-check.yml
index 7973217..5c55ca6 100644
--- a/.github/workflows/ansible-linting-check.yml
+++ b/.github/workflows/ansible-linting-check.yml
@@ -2,27 +2,22 @@ name: Ansible Lint check
 # yamllint disable-line rule:truthy
-on:
-  push:
-    branches: '*'
-  pull_request:
-    branches: '*'
-  schedule:
-    - cron: '42 6 * */1 *'
+on: [push, pull_request]
 
 jobs:
   build:
-
+    name: Ansible Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - name: 'checkout git repo'
+        uses: actions/checkout@v3
+        with:
+          lfs: true
+          submodules: false
+          fetch-depth: 0
 
-      - name: Lint Ansible Playbook
-        uses: ansible/ansible-lint-action@master
+      - name: 'Lint Ansible Playbook'
+        uses: ansible/ansible-lint-action@v6
         with:
-          targets: "."
-          # [required]
-          # Paths to ansible files (i.e., playbooks, tasks, handlers etc..)
-          args: ""
-          # [optional]
+          path: "."
diff --git a/.github/workflows/galaxy.yml b/.github/workflows/galaxy.yml
index b5dc0ec..39fa2be 100644
--- a/.github/workflows/galaxy.yml
+++ b/.github/workflows/galaxy.yml
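Review bot: The new checkout `with:` block in ansible-linting-check.yml fetches LFS objects and the full history (`lfs: true`, `fetch-depth: 0`) for a job that only runs ansible-lint over the working tree; unless a lint rule needs history, dropping those two keys keeps the job cheaper and avoids pulling LFS content on every push and pull request. All actions in the hunk are referenced by mutable tags (`actions/checkout@v3`, `ansible/ansible-lint-action@v6`), and the same holds for `robertdebock/galaxy-action@1.2.1` in galaxy.yml and `karancode/yamllint-github-action@v2.1.1` in yamllint.yaml; since this commit also adds a dependabot schedule for `github-actions`, pinning each `uses:` to a full commit SHA with the tag in a trailing comment (e.g. `uses: actions/checkout@<commit-sha> # v3`) stays updatable and removes the risk of a retargeted tag running different code with the repository checkout. Quoting is mixed within the hunk (`name: Ansible Lint` unquoted, `name: 'checkout git repo'` quoted); pick one style for the file.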
@@ -12,9 +12,11 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - name: checkout
-        uses: actions/checkout@v2
-      - name: galaxy
-        uses: robertdebock/galaxy-action@1.1.0
+      - name: 'checkout git repo'
+        uses: actions/checkout@v3
+
+      - name: 'release on galaxy'
+        uses: robertdebock/galaxy-action@1.2.1
         with:
           galaxy_api_key: ${{ secrets.galaxy_api_key }}
+          git_branch: 'main'
diff --git a/.github/workflows/yamllint.yaml b/.github/workflows/yamllint.yaml
index ddb5b89..361b111 100644
--- a/.github/workflows/yamllint.yaml
+++ b/.github/workflows/yamllint.yaml
@@ -7,18 +7,17 @@ on:
     branches: '*'
   pull_request:
     branches: '*'
-  schedule:
-    - cron: '23 6 * */1 *'
 
 jobs:
   yamllint:
     name: 'Yamllint'
     runs-on: ubuntu-latest
     steps:
-      - name: 'Checkout'
-        uses: actions/checkout@master
+      - name: 'checkout git repo'
+        uses: actions/checkout@v3
+
       - name: 'Yamllint'
-        uses: karancode/yamllint-github-action@master
+        uses: karancode/yamllint-github-action@v2.1.1
         with:
           yamllint_file_or_dir: '.'
           yamllint_config_filepath: './.yamllint'
diff --git a/.yamllint b/.yamllint
index e9713ae..2e52fdc 100644
--- a/.yamllint
+++ b/.yamllint
@@ -2,7 +2,7 @@ extends: default
 
 rules:
-  # 170 chars should be enough, but don't fail if a line is longer
+  # 190 chars should be enough, but don't fail if a line is longer
   line-length:
-    max: 170
+    max: 190
     level: warning
diff --git a/README.md b/README.md
index 7e1af2b..1bfd033 100644
--- a/README.md
+++ b/README.md
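Review bot: In the galaxy.yml hunk the release step now passes `git_branch: 'main'` together with the `galaxy_api_key` secret unconditionally, but the workflow's `on:` trigger lies outside the hunk, so it is not visible here whether this job can also run for other refs; if the trigger is broader than a push to main, guard the job with `if: github.ref == 'refs/heads/main'` so a Galaxy import is only attempted from the branch the input names. The `build` job begins before the hunk (`@@ -12,9 +12,11 @@ jobs:`), so any existing `if:` or `permissions:` on it cannot be confirmed from this view.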
@@ -1,29 +1,33 @@ -[![Ansible Galaxy](https://raw.githubusercontent.com/roles-ansible/ansible_role_gitea/main/.github/galaxy.svg?sanitize=true)](https://galaxy.ansible.com/do1jlr/gitea) [![MIT License](https://raw.githubusercontent.com/roles-ansible/ansible_role_gitea/main/.github/license.svg?sanitize=true)](https://github.com/roles-ansible/ansible_role_gitea/blob/main/LICENSE) +[![Ansible Galaxy](https://ansible.l3d.space/svg/l3d.gitea.svg)](https://galaxy.ansible.com/l3d/gitea) +[![BSD-3 Clause](https://ansible.l3d.space/svg/l3d.gitea_license.svg)](LICENSE) +[![Maintainance](https://ansible.l3d.space/svg/l3d.gitea_maintainance.svg)](https://ansible.l3d.space/#l3d.gitea) - ansible role gitea -=================== + ansible role gitea/forgejo +============================ -This role installs and manages [gitea](https://gitea.io) - Git with a cup of tea. A painless self-hosted Git service. Gitea is a community managed lightweight code hosting solution written in Go. -[Source code & screenshots](https://github.com/go-gitea/gitea). +This role installs and manages [gitea](https://gitea.io) or [forgejo](https://forgejo.org). A painless self-hosted Git service. Gitea is a community managed lightweight code hosting solution written in Go. Forgejo is a fork of it. +[Source code & screenshots gitea](https://github.com/go-gitea/gitea). +[Source code forgejo](https://codeberg.org/forgejo/forgejo). +This role is also Part of the Ansible-Collection [l3d.git](https://galaxy.ansible.com/l3d/git). [![l3d.git](https://ansible.l3d.space/svg/l3d.git_ansible-collection_collection.svg)](https://github.com/roles-ansible/ansible_collection_git.git). -## Sample example of use in a playbook +## Sample Usage in a playbook The following code has been tested with the latest Debian Stable, it should work on Ubuntu and RedHat as well. 
```yaml -# ansible-galaxy install do1jlr.gitea +# ansible-galaxy install l3d.gitea - name: "Install gitea" hosts: git.example.com roles: - - {role: do1jlr.gitea, tags: gitea} + - {role: l3d.gitea, tags: gitea} vars: # Here we assume we are behind a reverse proxy that will # handle https for us, so we bind on localhost:3000 using HTTP + # see https://docs.gitea.io/en-us/reverse-proxies/#nginx gitea_fqdn: 'git.example.com' gitea_root_url: 'https://git.example.com' gitea_protocol: http - gitea_start_ssh: true ``` @@ -31,6 +35,13 @@ The following code has been tested with the latest Debian Stable, it should work ----------- Here is a deeper insight into the variables of this gitea role. For the exact function of some variables and the possibility to add more options we recommend a look at this [config cheat sheet](https://docs.gitea.io/en-us/config-cheat-sheet/). +### Chose between gitea and forgejo +There is a fork of gitea called forgejo. Why? Read the [forgejo FAQ](https://forgejo.org/faq/). +You have the option to choose between [gitea](https://gitea.io) and [forgejo](https://forgejo.org) by modifying the ``gitea_fork`` variable. +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_fork` | `gitea` | optional choose to install forgejo instead of gitea by setting this value to `forgejo`. | + ### gitea update mechanism To determine which gitea version to install, you can choose between two variants. Either you define exactly which release you install. Or you use the option ``latest`` to always install the latest release from the [gitea releases](https://github.com/go-gitea/gitea/releases/latest). 
@@ -38,9 +49,10 @@ Either you define exactly which release you install. Or you use the option ``lat ### gitea update | variable name | default value | description | | ------------- | ------------- | ----------- | -| `gitea_version` | **WILL CHANGE SOON** | Define either the exact release to install or use ``latest`` to install the latest release. | +| `gitea_version` | `latest` | Define either the exact release to install *(eg. `1.16.0`)* or use ``latest`` *(default)* to install the latest release. | | `gitea_version_check` | `true` | Check if installed version != `gitea_version` before initiating binary download | | `gitea_gpg_key` | `7C9E68152594688862D62AF62D9AE806EC1592E2` | the gpg key the gitea binary is signed with | +| `gitea_forgejo_gpg_key` | `EB114F5E6C0DC2BCDD183550A4B61A2DC5923710` | the gpg key the forgejo binary is signed with | | `gitea_gpg_server` | `hkps://keys.openpgp.org` | A gpg key server where this role can download the gpg key | | `gitea_backup_on_upgrade` | `false` | Optionally a backup can be created with every update of gitea. | | `gitea_backup_location` | `{{ gitea_home }}/backups/` | Where to store the gitea backup if one is created with this role. | 
@@ -49,8 +61,13 @@ Either you define exactly which release you install. Or you use the option ``lat ### gitea in the linux world | variable name | default value | description | | ------------- | ------------- | ----------- | -| `gitea_group` | `gitea` | UNIX group used by Gitea | +| `gitea_group` | `gitea` | Primary UNIX group used by Gitea | +| `gitea_groups` | null | Optionally a list of secondary UNIX groups used by Gitea | | `gitea_home` | `/var/lib/gitea` | Base directory to work | +| `gitea_user_home` | `{{ gitea_home }}` | home of gitea user | +| `gitea_executable_path` | `/usr/local/bin/gitea` | Path for gitea executable | +| `gitea_forgejo_executable_path` | `/usr/local/bin/forgejo` | Path for forgejo executable | +| `gitea_configuration_path` | `/etc/gitea` | Where to put the gitea.ini config | | `gitea_shell` | `/bin/false` | UNIX shell used by gitea. Set it to `/bin/bash` if you don't use the gitea built-in ssh server. | | `gitea_systemd_cap_net_bind_service` | `false` | Adds `AmbientCapabilities=CAP_NET_BIND_SERVICE` to systemd service file | 
@@ -60,45 +77,103 @@ Either you define exactly which release you install. Or you use the option ``lat | `gitea_app_name` | `Gitea` | Displayed application name | | `gitea_user` | `gitea ` | UNIX user used by Gitea | | `gitea_run_mode`| `prod`| Application run mode, affects performance and debugging. Either “dev”, “prod” or “test”. | +| `gitea_fqdn` | `localhost` | Base FQDN for the installation, used as default for other variables. Set it to the FQDN where you can reach your gitea server | ### Repository ([repository](https://docs.gitea.io/en-us/config-cheat-sheet/#repository-repository)) | variable name | default value | description | | ------------- | ------------- | ----------- | -| `gitea_repository_root` | `{{ gitea_home }}/repos` | Root path for storing all repository data. It must be an absolute path. | -| `gitea_force_private` | `false` | Force every new repository to be private. | -| `gitea_user_repo_limit` | `-1` | Limit how many repos a user can have *(`-1` for unlimited)* | -| `gitea_disable_http_git` | `false` | Disable the ability to interact with repositories over the HTTP protocol. (true/false) | | `gitea_default_branch` | `main` | Default branch name of all repositories. | | `gitea_default_private` | `last` | Default private when creating a new repository. [`last`, `private`, `public`] | -| `gitea_repository_extra_config` | `''` | you can use this variable to pass additional config parameters in the `[repository]` section of the config. | -| `gitea_repository_upload_extra_config` | you can use this variable to pass additional config parameters in the `[repository.upload]` section of the config. | +| `gitea_default_repo_units` | *(see defaults)* | Comma separated list of default repo units. See official docs for more | +| `gitea_disabled_repo_units` | | Comma separated list of globally disabled repo units. | +| `gitea_disable_http_git` | `false` | Disable the ability to interact with repositories over the HTTP protocol. 
(true/false) | +| `gitea_disable_stars` | `false` | Disable stars feature. | +| `gitea_enable_push_create_org` | `false` | Allow users to push local repositories to Gitea and have them automatically created for an org. | +| `gitea_enable_push_create_user` | `false` | Allow users to push local repositories to Gitea and have them automatically created for an user. | +| `gitea_force_private` | `false` | Force every new repository to be private. | +| `gitea_user_repo_limit` | `-1` | Limit how many repos a user can have *(`-1` for unlimited)* | +| `gitea_repository_root` | `{{ gitea_home }}/repos` | Root path for storing all repository data. It must be an absolute path. | +| `gitea_repository_extra_config` | | you can use this variable to pass additional config parameters in the `[repository]` section of the config. | + +### Repository - Upload ([repository.upload](https://docs.gitea.io/en-us/administration/config-cheat-sheet/#repository---upload-repositoryupload)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_repository_upload_enabled` | `true` | Whether repository file uploads are enabled | +| `gitea_repository_upload_max_size` | `4` | Max size of each file in megabytes. | +| `gitea_repository_upload_extra_config` | | you can use this variable to pass additional config parameters in the `[repository.upload]` section of the config. | + +### Repository - Signing ([repository.signing](https://docs.gitea.io/en-us/config-cheat-sheet/#repository---signing-repositorysigning)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_enable_repo_signing_options` | `false` | Allow to configure repo signing options | +| `gitea_repo_signing_key` | `default` | Key to sign with. | +| `gitea_repo_signing_name` | | if a KEYID is provided as the `gitea_repo_signing_key`, use these as the Name and Email address of the signer. 
| +| `gitea_repo_signing_email` | | if a KEYID is provided as the `gitea_repo_signing_key`, use these as the Name and Email address of the signer. | +| `gitea_repo_initial_commit` | `always` | Sign initial commit. | +| `gitea_repo_default_trust_model` | `collaborator` | The default trust model used for verifying commits. | +| `gitea_repo_wiki` | `never` | Sign commits to wiki. | +| `gitea_repo_crud_actions` | *(see defaults)* | Sign CRUD actions. | +| `gitea_repo_merges` | *(see defaults)* | Sign merges. | +| `gitea_enable_repo_signing_extra` | | you can use this variable to pass additional config parameters in the `[repository.signing]` section of the config. | + +### CORS ([cors](https://docs.gitea.io/en-us/config-cheat-sheet/#cors-cors)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_enable_cors` | `false` | enable cors headers (disabled by default) | +| `gitea_cors_scheme` | `http` | scheme of allowed requests | +| `gitea_cors_allow_domain` | `*` | list of requesting domains that are allowed | +| `gitea_cors_allow_subdomain` | `false` |allow subdomains of headers listed above to request | +| `gitea_cors_methods` | *(see defaults)* | list of methods allowed to request | +| `gitea_cors_max_age` | `10m` | max time to cache response | +| `gitea_cors_allow_credentials` | `false` | allow request with credentials | +| `gitea_cors_headers` | `Content-Type,User-Agent` | additional headers that are permitted in requests | +| `gitea_cors_x_frame_options` | `SAMEORIGIN` | Set the `X-Frame-Options` header value. | +| `gitea_cors_extra` | | you can use this variable to pass additional config parameters in the `[cors]` section of the config. | ### UI ([ui](https://docs.gitea.io/en-us/config-cheat-sheet/#ui-ui)) | variable name | default value | description | | ------------- | ------------- | ----------- | | `gitea_show_user_email` | `false` | Do you want to display email addresses ? 
(true/false) | -| `gitea_theme_default` | `gitea` | Default theme | -| `gitea_themes` | `gitea,arc-green` | List of enabled themes | -| `gitea_ui_extra_config` | `''` | you can use this variable to pass additional config parameters in the `[ui]` section of the config. | +| `gitea_theme_default` | `auto` | Default theme | +| `gitea_themes` | `auto,gitea,arc-green` | List of enabled themes | +| `gitea_ui_extra_config` | | you can use this variable to pass additional config parameters in the `[ui]` section of the config. | + +### UI - Meta ([ui.meta](https://docs.gitea.io/en-us/config-cheat-sheet/#ui---metadata-uimeta)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_ui_author` | *(see defaults)* | Author meta tag of the homepage. | +| `gitea_ui_description` | *(see defaults)* | Description meta tag of the homepage. | +| `gitea_ui_keywords` | *(see defaults)* | Keywords meta tag of the homepage | +| `gitea_ui_meta_extra_config` | | you can use this variable to pass additional config parameters in the `[ui.meta]` section of the config. | ### Server ([server](https://docs.gitea.io/en-us/config-cheat-sheet/#server-server)) | variable name | default value | description | | ------------- | ------------- | ----------- | | `gitea_protocol`| `http` | Listening protocol [http, https, fcgi, unix, fcgi+unix] | -| `gitea_http_domain` | `localhost` | Domain name of this server. Set it to the FQDN where you can reach your gitea server | -| `gitea_root_url` | `http://localhost:3000` | Root URL used to access your web app (full URL) | +| `gitea_http_domain` | `{{ gitea_fqdn }}` which is `localhost` | Domain name of this server. 
| +| `gitea_root_url` | `http://{{ gitea_fqdn }}:3000` | Root URL used to access your web app (full URL) | | `gitea_http_listen` | `127.0.0.1` | HTTP listen address | | `gitea_http_port` | `3000` | Bind port *(redirect from `80` will be activated if value is `443`)* | -| `gitea_http_letsencrypt_mail` | `undefined` | Enable Let`s Encrypt if a email address is given | | `gitea_start_ssh` | `true` | When enabled, use the built-in SSH server. | -| `gitea_ssh_domain` | `{{ gitea_http_domain ` | Domain name of this server, used for displayed clone URL | +| `gitea_ssh_domain` | `{{ gitea_fqdn }} ` | Domain name of this server, used for displayed clone URL | | `gitea_ssh_port` | `2222` | SSH port displayed in clone URL. | | `gitea_ssh_listen` | `0.0.0.0` | Listen address for the built-in SSH server. | | `gitea_offline_mode` | `true` | Disables use of CDN for static files and Gravatar for profile pictures. (true/false) | -| `gitea_lfs_enabled` | `false` | Enable GIT-LFS Support *(git large file storage: [git-lfs](https://git-lfs.github.com/))*. | -| `gitea_lfs_content_path` | `{{ gitea_home }}/data/lfs` | LFS content path. *(if it is on local storage.)* | -| `gitea_lfs_jwt_secret` | `''` | LFS authentication secret. Can be generated with ``gitea generate secret JWT_SECRET``. Will be autogenerated if not defined | -| `gitea_server_extra_config` | `''` | you can use this variable to pass additional config parameters in the `[ui]` section of the config. | +| `gitea_landing_page` | `home` | Landing page for unauthenticated users | +| `gitea_lfs_server_enabled` | `false` | Enable GIT-LFS Support *(git large file storage: [git-lfs](https://git-lfs.github.com/))*. | +| `gitea_lfs_jwt_secret` | | LFS authentication secret. Can be generated with ``gitea generate secret JWT_SECRET``. 
Will be autogenerated if not defined | +| `gitea_redirect_other_port` | `false` | If true and `gitea_protocol` is https, allows redirecting http requests on `gitea_port_to_redirect` to the https port Gitea listens on. | +| `gitea_port_to_redirect` | `80` | Port for the http redirection service to listen on, if enabled | +| `gitea_enable_tls_certs` | `false` | Write TLS Cert and Key Path to config file | +| `gitea_tls_cert_file` | `https/cert.pem` | Cert file path used for HTTPS. | +| `gitea_tls_key_file` | `https/key.pem` | Key file path used for HTTPS. | +| `gitea_enable_acme` | `false` | Flag to enable automatic certificate management via an ACME capable CA Server. *(default is letsencrypt)* | +| `gitea_acme_url` | | The CA’s ACME directory URL | +| `gitea_acme_accepttos` | `false` | This is an explicit check that you accept the terms of service of the ACME provider. | +| `gitea_acme_directory` | `https` | Directory that the certificate manager will use to cache information such as certs and private keys. | +| `gitea_acme_email` | | Email used for the ACME registration | +| `gitea_acme_ca_root` | | The CA’s root certificate. If left empty, it defaults to using the system’s trust chain. | +| `gitea_server_extra_config` | | you can use this variable to pass additional config parameters in the `[server]` section of the config. | ### Database ([database](https://docs.gitea.io/en-us/config-cheat-sheet/#database-database)) | variable name | default value | description | 
@@ -111,26 +186,28 @@ Either you define exactly which release you install. Or you use the option ``lat | `gitea_db_ssl` | `disable` | Configure SSL only if your database type supports it. Have a look into the [config-cheat-sheet](https://docs.gitea.io/en-us/config-cheat-sheet/#database-database) for more detailed information | | `gitea_db_path` | `{{ gitea_home }}/data/gitea.db` | DB path, if you use `sqlite3`. | | `gitea_db_log_sql` | `false` | Log the executed SQL. | -| `gitea_database_extra_config` | `''` | you can use this variable to pass additional config parameters in the `[database]` section of the config. | +| `gitea_database_extra_config` | | you can use this variable to pass additional config parameters in the `[database]` section of the config. | ### Indexer ([indexer](https://docs.gitea.io/en-us/config-cheat-sheet/#indexer-indexer)) | variable name | default value | description | | ------------- | ------------- | ----------- | | `gitea_repo_indexer_enabled` | `false` | Enables code search *(uses a lot of disk space, about 6 times more than the repository size).* | -| `gitea_repo_indexer_include` | `''` |Glob patterns to include in the index *(comma-separated list)*. An empty list means include all files. | -| `gitea_repo_indexer_exclude` | `''` | Glob patterns to exclude from the index (comma-separated list). | +| `gitea_repo_indexer_include` | |Glob patterns to include in the index *(comma-separated list)*. An empty list means include all files. | +| `gitea_repo_indexer_exclude` | | Glob patterns to exclude from the index (comma-separated list). | | `gitea_repo_exclude_vendored` | `true` | Exclude vendored files from index. | | `gitea_repo_indexer_max_file_size` | `1048576` | Maximum size in bytes of files to be indexed. | -| `gitea_indexer_extra_config` | `''` | you can use this variable to pass additional config parameters in the `[indexer]` section of the config. 
| +| `gitea_indexer_extra_config` | | you can use this variable to pass additional config parameters in the `[indexer]` section of the config. | +| `gitea_queue_issue_indexer_extra_config` | | | you can use this variable to pass additional config parameters in the `[queue.issue_indexer]` section of the config. | ### Security ([security](https://docs.gitea.io/en-us/config-cheat-sheet/#security-security)) | variable name | default value | description | | ------------- | ------------- | ----------- | -| `gitea_secret_key` | `''` | Global secret key. Will be autogenerated if not defined. Should be unique. | -| `gitea_internal_token` | `''` | Internal API token. Will be autogenerated if not defined. Should be unique. | +| `gitea_secret_key` | | Global secret key. Will be autogenerated if not defined. Should be unique. | | `gitea_disable_git_hooks` | `true` | Set to false to enable users with git hook privilege to create custom git hooks. Can be dangerous. | +| `gitea_disable_webhooks` | `false` | Set to true to disable webhooks feature. | +| `gitea_internal_token` | | Internal API token. Will be autogenerated if not defined. Should be unique. | | `gitea_password_check_pwn` | `false` | Check [HaveIBeenPwned](https://haveibeenpwned.com/Passwords) to see if a password has been exposed. | -| `gitea_security_extra_config` | `''` | you can use this variable to pass additional config parameters in the `[security]` section of the config. | +| `gitea_security_extra_config` | | you can use this variable to pass additional config parameters in the `[security]` section of the config. | ### Service ([service](https://docs.gitea.io/en-us/config-cheat-sheet/#service-service)) | variable name | default value | description | 
@@ -144,64 +221,107 @@ Either you define exactly which release you install. Or you use the option ``lat | `gitea_only_allow_external_registration` | `false` | Set to true to force registration only using third-party services (true/false) | | `gitea_enable_notify_mail` | `false` | Enable this to send e-mail to watchers of a repository when something happens, like creating issues (true/false) | | `gitea_auto_watch_new_repos` | `true` | Enable this to let all organisation users watch new repos when they are created (true/false) | -| `gitea_service_extra_config` | `''` | you can use this variable to pass additional config parameters in the `[service]` section of the config. | +| `gitea_service_extra_config` | | you can use this variable to pass additional config parameters in the `[service]` section of the config. | ### Mailer ([mailer](https://docs.gitea.io/en-us/config-cheat-sheet/#mailer-mailer)) | variable name | default value | description | | ------------- | ------------- | ----------- | | `gitea_mailer_enabled` | `false` | Whether to enable the mailer. | -| `gitea_mailer_host` | `localhost:25` | SMTP server hostname and port | -| `gitea_mailer_skip_verify` | `false` | Skip SMTP TLS certificate verification (true/false) | -| `gitea_mailer_tls_enabled` | `true` | Forcibly use TLS to connect even if not on a default SMTPS port. | -| `gitea_mailer_from` | `noreply@{{ gitea_http_domain }}` | Mail from address, RFC 5322. This can be just an email address, or the “Name” format. | -| `gitea_mailer_user` | `''` | Username of mailing user *(usually the sender’s e-mail address)*. | -| `gitea_mailer_password` | `''` | SMTP server password | -| `gitea_subject_prefix` | `''` | Prefix to be placed before e-mail subject lines | -| `gitea_mailer_type` | `smtp` | `[smtp, sendmail, dummy]` | -| `gitea_mailer_extra_config` | `''` | you can use this variable to pass additional config parameters in the `[mailer]` section of the config. 
| +| `gitea_mailer_protocol` | `dummy` |Mail server protocol. One of “smtp”, “smtps”, “smtp+starttls”, “smtp+unix”, “sendmail”, “dummy”.| +| `gitea_mailer_smtp_addr` | | Mail server address. e.g. smtp.gmail.com. For smtp+unix, this should be a path to a unix socket instead. | +| `gitea_mailer_smtp_port` | | Mail server port | +| `gitea_mailer_use_client_cert` | `false` | Use client certificate for TLS/SSL. | +| `gitea_mailer_client_cert_file` | | Client certificate file. | +| `gitea_mailer_client_key_file` | | Client key file. | +| `gitea_mailer_force_trust_server_cert` | `false` | completely ignores server certificate validation errors. This option is unsafe. Consider adding the certificate to the system trust store instead. | +| `gitea_mailer_user` | | Username of mailing user (usually the sender’s e-mail address). | +| `gitea_mailer_password ` | |Password of mailing user. Use `your password` for quoting if you use special characters in the password. | +| `gitea_mailer_enable_helo` | `true` |Enable HELO operation. | +| `gitea_mailer_from` | `noreply@{{ gitea_http_domain }}` | Mail from address, RFC 5322. | +| `gitea_subject_prefix` | |Prefix to be placed before e-mail subject lines. | +| `gitea_mailer_send_as_plaintext` | `false` | Send mails only in plain text, without HTML alternative. | +| `gitea_mailer_extra_config` | | you can use this variable to pass additional config parameters in the `[mailer]` section of the config. | ### Session ([session](https://docs.gitea.io/en-us/config-cheat-sheet/#session-session)) | variable name | default value | description | | ------------- | ------------- | ----------- | | `gitea_session_provider` | `file` | Session engine provider | -| `gitea_session_extra_config` | `''` | you can use this variable to pass additional config parameters in the `[session]` section of the config. | +| `gitea_session_extra_config` | | you can use this variable to pass additional config parameters in the `[session]` section of the config. 
| ### Picture ([picture](https://docs.gitea.io/en-us/config-cheat-sheet/#picture-picture)) | variable name | default value | description | | ------------- | ------------- | ----------- | -| `gitea_disable_gravatar` | `true` | Do you want to disable Gravatar ? (privacy and so on) (true/false) | -| `gitea_picture_extra_config` | `''` | you can use this variable to pass additional config parameters in the `[picture]` section of the config. | +| `gitea_picture_extra_config` | | you can use this variable to pass additional config parameters in the `[picture]` section of the config. | ### Issue and pull request attachments ([attachment](https://docs.gitea.io/en-us/config-cheat-sheet/#issue-and-pull-request-attachments-attachment)) | variable name | default value | description | | ------------- | ------------- | ----------- | | `attachment_enabled` | `true` | Whether issue and pull request attachments are enabled. | -| `gitea_attachment_extra_config` | `''` | you can use this variable to pass additional config parameters in the `[attachment]` section of the config. | +| `gitea_attachment_types` | see Docs | Comma-separated list of allowed file extensions (`.zip,.txt`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types. | +| `gitea_attachment_max_size` | `4` | Maximum size (MB). | +| `gitea_attachment_extra_config` | | you can use this variable to pass additional config parameters in the `[attachment]` section of the config. | ### Log ([log](https://docs.gitea.io/en-us/config-cheat-sheet/#log-log)) | variable name | default value | description | | ------------- | ------------- | ----------- | | `gitea_log_systemd` | `false` | Disable logging into `file`, use systemd-journald | | `gitea_log_level` | `Warn` | General log level. 
`[Trace, Debug, Info, Warn, Error, Critical, Fatal, None]` | -| `gitea_log_extra_config` | `''` | you can use this variable to pass additional config parameters in the `[log]` section of the config. | +| `gitea_log_extra_config` | | you can use this variable to pass additional config parameters in the `[log]` section of the config. | ### Metrics ([metrics](https://docs.gitea.io/en-us/config-cheat-sheet/#metrics-metrics)) | variable name | default value | description | | ------------- | ------------- | ----------- | | `gitea_metrics_enabled`| `false` | Enable the metrics endpoint | -| `gitea_metrics_token`| `''` | Bearer token for the Prometheus scrape job | +| `gitea_metrics_token`| | Bearer token for the Prometheus scrape job | +| `gitea_metrics_extra` | | you can use this variable to pass additional config parameters in the `[metrics]` section of the config. | ### OAuth2 ([oauth2](https://docs.gitea.io/en-us/config-cheat-sheet/#oauth2-oauth2)) | variable name | default value | description | | ------------- | ------------- | ----------- | | `gitea_oauth2_enabled` | `true` | Enable the Oauth2 provider (true/false) | -| `gitea_oauth2_jwt_secret` | `''` | Oauth2 JWT secret. Can be generated with ``gitea generate secret JWT_SECRET``. Will be autogenerated if not defined. | -| `gitea_oauth2_extra_config` | `''` | you can use this variable to pass additional config parameters in the `[oauth2]` section of the config. | +| `gitea_oauth2_jwt_secret` | | Oauth2 JWT secret. Can be generated with ``gitea generate secret JWT_SECRET``. Will be autogenerated if not defined. | +| `gitea_oauth2_extra_config` | | you can use this variable to pass additional config parameters in the `[oauth2]` section of the config. 
| + +### Federation ([federation](https://docs.gitea.io/en-us/config-cheat-sheet/#federation-federation)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_federation_enabled` | `false` | Enable/Disable federation capabilities | +| `gitea_federation_share_user_stats` | `false` | Enable/Disable user statistics for nodeinfo if federation is enabled | +| `gitea_federation_extra` | | you can use this variable to pass additional config parameters in the `[federation]` section of the config. | + +### Packages ([packages](https://docs.gitea.io/en-us/config-cheat-sheet/#packages-packages)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_packages_enabled` | `true` | Enable/Disable package registry capabilities | +| `gitea_packages_extra` | |you can use this variable to pass additional config parameters in the `[packages]` section of the config. | + +### LFS ([lfs](https://docs.gitea.io/en-us/config-cheat-sheet/#lfs-lfs)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_lfs_storage_type` | `local` | Storage type for lfs | +| `gitea_lfs_serve_direct` | `false` | Allows the storage driver to redirect to authenticated URLs to serve files directly. *(only Minio/S3)* | +| `gitea_lfs_content_path` | `{{ gitea_home }}/data/lfs` | Where to store LFS files | +| `gitea_lfs_extra` | | you can use this variable to pass additional config parameters in the `[lfs]` section of the config. | + +### Actions ([actions](https://docs.gitea.io/en-us/config-cheat-sheet/#actions-actions)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_actions_enabled` | `false` | Enable/Disable actions capabilities globaly. 
You may want to add `repo.actions` to `gitea_default_repo_units` to enable actions on all new repositories | +| `gitea_actions_default_actions_url` | `https://gitea.com/` | Default address to get action plugins, e.g. the default value means downloading from `https://gitea.com/actions/checkout` for `uses: actions/checkout@v3` | +| `gitea_actions_extra` | | you can use this variable to pass additional config parameters in the `[actions]` section of the config. | + +### Other ([other](https://docs.gitea.io/en-us/config-cheat-sheet/#other-other)) +| variable name | default value | description | +| ------------- | ------------- | ----------- | +| `gitea_other_show_footer_version` | `true` | Show Gitea and Go version information in the footer. | +| `gitea_other_show_footer_template_load_time` | `true` | Show time of template execution in the footer. | +| `gitea_other_enable_sitemap` | `true` | Generate sitemap. | +| `gitea_other_enable_feed` | `true` | Enable/Disable RSS/Atom feed. | ### additional gitea config | variable name | default value | description | | ------------- | ------------- | ----------- | -| `gitea_extra_config` | `''` | Additional gitea configuration. Have a look at the [config-cheat-sheet](https://docs.gitea.io/en-us/config-cheat-sheet/) before using it! | +| `gitea_extra_config` | | Additional gitea configuration. Have a look at the [config-cheat-sheet](https://docs.gitea.io/en-us/config-cheat-sheet/) before using it! | ### Fail2Ban configuration 
@@ -246,14 +366,30 @@ To deploy multiple files we created the ``gitea_custom_search`` variable, that c - Create a directory with the files you want to deploy. - Point ``gitea_customize_files_path`` to this directory. *(Default ``{{ gitea_custom_search }}/gitea_files/``)* -## Contributing -Don't hesitate to create a pull request, and when in doubt you can reach me on +## Requirements +This role uses the ``ansible.builtin`` and ``community.general`` ansible Collections. To download the latest forgejo/gitea release we use json_query. This requires ``jmespath`` to be available. + +### Python packages ++ jmespath + +### Galaxy Collections ++ community.general + + +### Example requirements Installation +``` +ansible-galaxy install community.general +pip3 install jmespath +``` + +## Contribute +Don't hesitate to create a pull request, and if in doubt you can reach me at Mastodon [@l3d@chaos.social](https://chaos.social/@l3d). -I'm happy to fix any issue that's been opened, or even better, review your pull requests :) +I'll be happy to fix any issues you raise, or even better, review your pull requests :) ## Testing -There are some tests that will validate linting. A good testing CI Pipeline that will work withe the used systemd commands is still needed. +There are some tests that will validate the linting. A good test CI pipeline that works with the systemd commands used is still needed. | test status | Github Marketplace | | :--------- | :---------------- | 
@@ -262,4 +398,4 @@ There are some tests that will validate linting. A good testing CI Pipeline that | [![Ansible Lint check](https://github.com/roles-ansible/ansible_role_gitea/actions/workflows/ansible-linting-check.yml/badge.svg)](https://github.com/roles-ansible/ansible_role_gitea/actions/workflows/ansible-linting-check.yml) | [ansible-lint action](https://github.com/marketplace/actions/ansible-lint) ## History of this role -this ansible role was originally developed on [github.com/thomas-maurice/ansible-role-gitea](https://github.com/thomas-maurice/ansible-role-gitea.git). Since the role there has some problems like default values for the location of the gitea repositories and the merging of pull requests usually takes several months, a fork of the role was created that offers the same. Only tidier and with the claim to react faster to issues and pull requests. +this ansible role was originally developed on [github.com/thomas-maurice/ansible-role-gitea](https://github.com/thomas-maurice/ansible-role-gitea.git). Since the role there has some problems like default values for the location of the gitea repositories and the merging of pull requests usually takes several months, a fork of the role was created that offers the same. Only tidier and with the claim to react faster to issues and pull requests. It is now Part of the [l3d.git](https://galaxy.ansible.com/l3d/git) Collection too. diff --git a/defaults/main.yml b/defaults/main.yml index 4a3fa8a..ae4fee3 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,9 +1,13 @@ --- +# Choose between https://forgejo.org/ and https://gitea.io/ +gitea_fork: 'gitea' # 'gitea' and 'forgejo' are valid options + # gitea version # Use 'latest' to auto-update; upgrading past role version may lead to errors. -gitea_version: '1.15.3' +gitea_version: 'latest' gitea_version_check: true gitea_gpg_key: '7C9E68152594688862D62AF62D9AE806EC1592E2' +gitea_forgejo_gpg_key: 'EB114F5E6C0DC2BCDD183550A4B61A2DC5923710' gitea_gpg_server: 'hkps://keys.openpgp.org' gitea_backup_on_upgrade: false gitea_backup_location: "{{ gitea_home }}/backups/" @@ -11,7 +15,12 @@ submodules_versioncheck: false # gitea in the linux world gitea_group: 'gitea' +# gitea_groups: [] # Optional a list of groups user gitea will be added to gitea_home: '/var/lib/gitea' +gitea_user_home: '{{ gitea_home }}' +gitea_executable_path: '/usr/local/bin/gitea' +gitea_forgejo_executable_path: '/usr/local/bin/forgejo' +gitea_configuration_path: '/etc/gitea' gitea_shell: '/bin/false' gitea_systemd_cap_net_bind_service: false 
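Review bot: Changing the default of `gitea_version` to `'latest'` means every run that sees a newer upstream release performs an unattended upgrade of the service binary (and, with `gitea_backup_on_upgrade`, a service stop), and the outcome of a run depends on what the release API returns at that moment, so hosts provisioned days apart can land on different versions. The comment above only warns that going past the role version may cause errors; it should also tell production users to pin, e.g. `# 'latest' upgrades on every run; pin an explicit version for reproducible deployments.`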
@@ -24,22 +33,65 @@ gitea_fqdn: 'localhost' # Repository (repository) # -> https://docs.gitea.io/en-us/config-cheat-sheet/#repository-repository -gitea_repository_root: "{{ gitea_home }}/repos" -gitea_force_private: false -gitea_user_repo_limit: '-1' -gitea_disable_http_git: false gitea_default_branch: 'main' gitea_default_private: 'last' +gitea_default_repo_units: 'repo.code,repo.releases,repo.issues,repo.pulls,repo.wiki,repo.projects' +gitea_disabled_repo_units: '' +gitea_disable_http_git: false +gitea_disable_stars: false +gitea_enable_push_create_org: false +gitea_enable_push_create_user: false +gitea_force_private: false +gitea_user_repo_limit: '-1' +gitea_repository_root: "{{ gitea_home }}/repos" gitea_repository_extra_config: '' + +# Repository - Upload (repository.upload) +# -> https://docs.gitea.io/en-us/administration/config-cheat-sheet/#repository---upload-repositoryupload +gitea_repository_upload_enabled: true +gitea_repository_upload_max_size: 4 gitea_repository_upload_extra_config: '' +# Repository - Signing (repository.signing) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#repository---signing-repositorysigning +gitea_enable_repo_signing_options: false +gitea_repo_signing_key: 'default' +gitea_repo_signing_name: '' +gitea_repo_signing_email: '' +gitea_repo_initial_commit: 'always' +gitea_repo_default_trust_model: 'collaborator' +gitea_repo_wiki: 'never' +gitea_repo_crud_actions: 'pubkey, twofa, parentsigned' +gitea_repo_merges: ' pubkey, twofa, basesigned, commitssigned' +gitea_enable_repo_signing_extra: '' + +# CORS (cors) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#cors-cors +gitea_enable_cors: false +gitea_cors_scheme: 'http' +gitea_cors_allow_domain: '*' +gitea_cors_allow_subdomain: false +gitea_cors_methods: 'GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS' +gitea_cors_max_age: '10m' +gitea_cors_allow_credentials: false +gitea_cors_headers: 'Content-Type,User-Agent' +gitea_cors_x_frame_options: 'SAMEORIGIN' +gitea_cors_extra: '' + # UI 
(ui) # -> https://docs.gitea.io/en-us/config-cheat-sheet/#ui-ui gitea_show_user_email: false -gitea_theme_default: 'gitea' -gitea_themes: 'gitea,arc-green' +gitea_theme_default: 'auto' +gitea_themes: 'auto,gitea,arc-green' gitea_ui_extra_config: '' +# UI - Metadata (ui.meta) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#ui---metadata-uimeta +gitea_ui_author: 'Gitea - Git with a cup of tea' +gitea_ui_description: 'Gitea (Git with a cup of tea) is a painless self-hosted Git service written in Go:' +gitea_ui_keywords: 'go,git,self-hosted,gitea,forgejo' +gitea_ui_meta_extra_config: '' + # Server (server) # -> https://docs.gitea.io/en-us/config-cheat-sheet/#server-server gitea_protocol: 'http' @@ -47,15 +99,25 @@ gitea_http_domain: "{{ gitea_fqdn }}" gitea_root_url: "http://{{ gitea_fqdn }}:3000" gitea_http_listen: '127.0.0.1' gitea_http_port: '3000' -# gitea_http_letsencrypt_mail: 'mail@example.com' gitea_start_ssh: true gitea_ssh_domain: "{{ gitea_fqdn }}" gitea_ssh_port: '2222' gitea_ssh_listen: '0.0.0.0' gitea_offline_mode: true +gitea_landing_page: 'home' gitea_lfs_server_enabled: false -gitea_lfs_content_path: "{{ gitea_home }}/data/lfs" gitea_lfs_jwt_secret: '' +gitea_redirect_other_port: false +gitea_port_to_redirect: '80' +gitea_enable_tls_certs: false +gitea_tls_cert_file: 'https/cert.pem' +gitea_tls_key_file: 'https/key.pem' +gitea_enable_acme: false +gitea_acme_url: '' +gitea_acme_accepttos: false +gitea_acme_directory: 'https' +gitea_acme_email: '' +gitea_acme_ca_root: '' gitea_server_extra_config: '' # Database (database) 
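Review bot: `gitea_repo_merges: ' pubkey, twofa, basesigned, commitssigned'` has a leading space that its sibling `gitea_repo_crud_actions: 'pubkey, twofa, parentsigned'` does not; whether the ini parser strips it or not, the value should be `'pubkey, twofa, basesigned, commitssigned'`. In the new CORS block, `gitea_cors_allow_domain: '*'` together with `gitea_cors_methods` covering PUT/PATCH/DELETE means that the moment someone flips `gitea_enable_cors: true` the instance accepts cross-origin requests from any origin; the wildcard is only safe because CORS is off by default, and that deserves a comment on the line: `# '*' admits every origin once gitea_enable_cors is true; narrow this to your front-end origins.`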
@@ -78,12 +140,14 @@ gitea_repo_indexer_exclude: '' gitea_repo_exclude_vendored: true gitea_repo_indexer_max_file_size: '1048576' gitea_indexer_extra_config: '' +gitea_queue_issue_indexer_extra_config: '' # Security (security) # -> https://docs.gitea.io/en-us/config-cheat-sheet/#security-security gitea_secret_key: '' -gitea_internal_token: '' gitea_disable_git_hooks: true +gitea_disable_webhooks: false +gitea_internal_token: '' gitea_password_check_pwn: false gitea_security_extra_config: '' @@ -103,14 +167,19 @@ gitea_service_extra_config: '' # Mailer [mailer] # -> https://docs.gitea.io/en-us/config-cheat-sheet/#mailer-mailer gitea_mailer_enabled: false -gitea_mailer_host: 'localhost:25' -gitea_mailer_skip_verify: false -gitea_mailer_tls_enabled: true -gitea_mailer_from: "noreply@{{ gitea_http_domain }}" +gitea_mailer_protocol: 'dummy' +gitea_mailer_smtp_addr: '' +gitea_mailer_smtp_port: '' +gitea_mailer_use_client_cert: false +gitea_mailer_client_cert_file: '' +gitea_mailer_client_key_file: '' +gitea_mailer_force_trust_server_cert: false gitea_mailer_user: '' gitea_mailer_password: '' +gitea_mailer_enable_helo: true +gitea_mailer_from: "noreply@{{ gitea_http_domain }}" gitea_subject_prefix: '' -gitea_mailer_type: smtp +gitea_mailer_send_as_plaintext: false gitea_mailer_extra_config: '' # Session (session) 
@@ -119,27 +188,65 @@ gitea_session_provider: 'file' gitea_session_extra_config: '' # Picture (picture) -gitea_disable_gravatar: true +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#picture-picture gitea_picture_extra_config: '' # Issue and pull request attachments (attachment) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#issue-and-pull-request-attachments-attachment gitea_attachment_enabled: true +gitea_attachment_types: '.csv,.docx,.fodg,.fodp,.fods,.fodt,.gif,.gz,.jpeg,.jpg,.log,.md,.mov,.mp4,.odf,.odg,.odp,.ods,.odt,.patch,.pdf,.png,.pptx,.svg,.tgz,.txt,.webm,.xls,.xlsx,.zip' +gitea_attachment_max_size: 4 gitea_attachment_extra_config: '' # Log (log) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#log-log gitea_log_systemd: false gitea_log_level: 'Warn' gitea_log_extra_config: '' # Metrics (metrics) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#metrics-metrics gitea_metrics_enabled: false gitea_metrics_token: '' +gitea_metrics_extra: '' # OAuth2 (oauth2) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#oauth2-oauth2 gitea_oauth2_enabled: true gitea_oauth2_jwt_secret: '' gitea_oauth2_extra_config: '' +# Federation (federation) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#federation-federation +gitea_federation_enabled: false +gitea_federation_share_user_stats: false +gitea_federation_extra: '' + +# Packages (packages) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#packages-packages +gitea_packages_enabled: true +gitea_packages_extra: '' + +# LFS (lfs) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#lfs-lfs +gitea_lfs_storage_type: 'local' +gitea_lfs_serve_direct: false +gitea_lfs_content_path: "{{ gitea_home }}/data/lfs" +gitea_lfs_extra: '' + +# Actions (actions) +# -> https://docs.gitea.io/en-us/config-cheat-sheet/#actions-actions +gitea_actions_enabled: false +gitea_actions_default_actions_url: "https://gitea.com" +gitea_actions_extra: '' + +# Other (other) +# -> 
https://docs.gitea.io/en-us/config-cheat-sheet/#other-other +gitea_other_show_footer_version: true +gitea_other_show_footer_template_load_time: true +gitea_other_enable_sitemap: true +gitea_other_enable_feed: true + # additional gitea config gitea_extra_config: "" diff --git a/handlers/main.yml b/handlers/main.yml index fc2696b..ebc1716 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,18 +1,18 @@ --- - name: "Restart gitea" become: true - service: + ansible.builtin.service: name: gitea state: restarted when: ansible_service_mgr == "systemd" - name: "Reload systemd" become: true - systemd: + ansible.builtin.systemd: daemon_reload: true when: ansible_service_mgr == "systemd" -- name: "systemctl restart fail2ban" +- name: "Systemctl restart fail2ban" become: true ansible.builtin.systemd: name: fail2ban diff --git a/meta/main.yml b/meta/main.yml index 1c0ed0a..ad117d7 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,22 +1,26 @@ --- galaxy_info: role_name: gitea - author: do1jlr - description: Ansible role to configure and deploy gitea, a painless self-hosted Git service. + author: l3d + description: Ansible role to configure and deploy gitea and forgejo, a painless self-hosted Git service. license: "BSD-3-Clause" - min_ansible_version: 2.11 - github_branch: main + min_ansible_version: "2.11" platforms: - name: Debian - versions: all + versions: + - all - name: Ubuntu - versions: all + versions: + - all - name: Fedora - versions: all + versions: + - all - name: EL - versions: all + versions: + - all galaxy_tags: - gitea + - forgejo - git - system - development @@ -24,4 +28,5 @@ galaxy_info: - selfhosted - gitserver - gogs + - linux dependencies: [] diff --git a/tasks/backup.yml b/tasks/backup.yml index 93c67f9..3dc9074 100644 --- a/tasks/backup.yml +++ b/tasks/backup.yml 
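Review bot: `gitea_disable_gravatar: true` is removed from the Picture section without a replacement variable, and this diff does not show whether `gitea.ini.j2` still emits `DISABLE_GRAVATAR`; if the template no longer sets it, hosts that relied on the old role default fall back to Gitea's own default and may start serving Gravatar URLs, which discloses a hash of every user's e-mail address to a third party. Either keep the variable with its previous default or state in the section comment how the setting is now expected to be passed, e.g. `# DISABLE_GRAVATAR is no longer managed by a dedicated variable; set it via gitea_picture_extra_config.`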
@@ -2,7 +2,12 @@ - name: Get service facts ansible.builtin.service_facts: -- block: +- name: Backup block + when: + - ansible_facts.services["gitea.service"] is defined + - ansible_facts.services["gitea.service"].state == "running" + - gitea_active_version.stdout != gitea_version_target + block: - name: Stopping gitea before upgrade become: true ansible.builtin.systemd: @@ -22,12 +27,19 @@ - "{{ gitea_backup_location }}" - name: Backing up gitea before upgrade + become: true ansible.builtin.command: - cmd: "gitea dump -c /etc/gitea/gitea.ini" + cmd: "sudo -u {{ gitea_user }} {{ gitea_full_executable_path }} dump -c {{ gitea_configuration_path }}/gitea.ini" chdir: "{{ gitea_backup_location }}" + changed_when: true + rescue: + - name: Starting gitea because backup failed become: true - become_user: "{{ gitea_user }}" - when: - - ansible_facts.services["gitea.service"] is defined - - ansible_facts.services["gitea.service"].state == "running" - - gitea_active_version.stdout != gitea_version_target + ansible.builtin.systemd: + name: gitea + state: stopped + when: ansible_service_mgr == "systemd" + + - name: Print updateing error + ansible.builtin.debug: + msg: "failed to backup gitea" diff --git a/tasks/configure.yml b/tasks/configure.yml index ae86a3e..3f1be1f 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -3,7 +3,7 @@ become: true ansible.builtin.template: src: gitea.ini.j2 - dest: /etc/gitea/gitea.ini + dest: "{{ gitea_configuration_path }}/gitea.ini" owner: "{{ gitea_user }}" group: "{{ gitea_group }}" mode: 0600 diff --git a/tasks/create_user.yml b/tasks/create_user.yml index 1104d94..3f2aa38 100644 --- a/tasks/create_user.yml +++ b/tasks/create_user.yml @@ -7,7 +7,7 @@ state: "present" - name: Switch shell when not using the builtin ssh server - set_fact: + ansible.builtin.set_fact: gitea_shell: "/bin/bash" when: "not gitea_start_ssh and gitea_shell == '/bin/false'" 
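Review bot: The rescue task `Starting gitea because backup failed` sets `state: stopped`, so after a failed dump the service stays down, and because the rescue ends with a debug message rather than a failure the play continues into the upgrade without the backup that `gitea_backup_on_upgrade` was meant to guarantee. Change it to `state: started` and finish the rescue with an `ansible.builtin.fail` task so the run stops with the service back up. The dump command now hard-codes `sudo -u {{ gitea_user }}` while the task already has `become: true`; the removed `become_user: "{{ gitea_user }}"` expressed the same intent through Ansible's privilege-escalation settings without assuming sudo is the become method on the host. The task name `Print updateing error` also has a typo (`updating`).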
@@ -16,6 +16,8 @@ ansible.builtin.user: name: "{{ gitea_user }}" comment: "Gitea user" - home: "{{ gitea_home }}" + group: "{{ gitea_group }}" + groups: "{{ gitea_groups | default(omit) }}" + home: "{{ gitea_user_home }}" shell: "{{ gitea_shell }}" system: true diff --git a/tasks/customize_footer.yml b/tasks/customize_footer.yml index 694b952..f7f8931 100644 --- a/tasks/customize_footer.yml +++ b/tasks/customize_footer.yml @@ -1,5 +1,5 @@ --- -- name: create directory for custom footer +- name: Create directory for custom footer become: true ansible.builtin.file: path: "{{ item }}" @@ -11,7 +11,7 @@ - "{{ gitea_custom }}/templates" - "{{ gitea_custom }}/templates/custom" -- name: transfer custom footer template +- name: Transfer custom footer template become: true ansible.builtin.copy: src: "{{ lookup('first_found', transfer_custom_footer) }}" @@ -20,4 +20,5 @@ group: "{{ gitea_group }}" mode: '0644' ignore_errors: true + tags: skip_ansible_lint notify: "Restart gitea" diff --git a/tasks/customize_logo.yml b/tasks/customize_logo.yml index eb344a8..4d4d609 100644 --- a/tasks/customize_logo.yml +++ b/tasks/customize_logo.yml @@ -1,5 +1,5 @@ --- -- name: create directory for custom logos +- name: Create directory for custom logos become: true ansible.builtin.file: path: "{{ item }}" @@ -11,7 +11,7 @@ - "{{ gitea_custom }}/public" - "{{ gitea_custom }}/public/img" -- name: transfer custom logo.svg +- name: Transfer custom logo.svg become: true ansible.builtin.copy: src: "{{ lookup('first_found', transfer_custom_logo_logosvg) }}" @@ -19,9 +19,10 @@ owner: "{{ gitea_user }}" group: "{{ gitea_group }}" mode: '0644' + tags: skip_ansible_lint ignore_errors: true -- name: transfer custom logo.png +- name: Transfer custom logo.png become: true ansible.builtin.copy: src: "{{ lookup('first_found', transfer_custom_logo_logopng) }}" 
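Review bot: `tags: skip_ansible_lint` added under `Transfer custom footer template` silences the lint finding for `ignore_errors: true` instead of removing the need for it; as written, a genuine copy failure (unreadable source, wrong permissions on the destination) is hidden in the same way as the intended "no custom file provided" case. If the aim is to skip when nothing is found, let the lookup say so and keep real errors visible: `src: "{{ lookup('first_found', transfer_custom_footer, skip=True) }}"` with `when: lookup('first_found', transfer_custom_footer, skip=True) | length > 0` and no `ignore_errors`. The same tag-plus-`ignore_errors` pattern is added to the four copy tasks in tasks/customize_logo.yml and to tasks/customize_public_files.yml.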
@@ -29,9 +30,10 @@ owner: "{{ gitea_user }}" group: "{{ gitea_group }}" mode: '0644' + tags: skip_ansible_lint ignore_errors: true -- name: transfer custom favicon.png +- name: Transfer custom favicon.png become: true ansible.builtin.copy: src: "{{ lookup('first_found', transfer_custom_logo_faviconpng) }}" @@ -39,9 +41,10 @@ owner: "{{ gitea_user }}" group: "{{ gitea_group }}" mode: '0644' + tags: skip_ansible_lint ignore_errors: true -- name: transfer custom apple-touch-icon.png +- name: Transfer custom apple-touch-icon.png become: true ansible.builtin.copy: src: "{{ lookup('first_found', transfer_custom_logo_appletouchiconpng) }}" @@ -49,4 +52,5 @@ owner: "{{ gitea_user }}" group: "{{ gitea_group }}" mode: '0644' + tags: skip_ansible_lint ignore_errors: true diff --git a/tasks/customize_public_files.yml b/tasks/customize_public_files.yml index 2ae41dd..9c14c9a 100644 --- a/tasks/customize_public_files.yml +++ b/tasks/customize_public_files.yml @@ -1,5 +1,5 @@ --- -- name: create public directory for custom public web files +- name: Create public directory for custom public web files become: true ansible.builtin.file: path: "{{ item }}" @@ -10,7 +10,7 @@ with_items: - "{{ gitea_custom }}/public" -- name: transfer custom public web data +- name: Transfer custom public web data become: true ansible.builtin.copy: src: "{{ gitea_customize_files_path }}" @@ -20,4 +20,5 @@ directory_mode: true mode: 'u=rwX,g=rX,o=' ignore_errors: true + tags: skip_ansible_lint notify: "Restart gitea" diff --git a/tasks/directory.yml b/tasks/directory.yml index 6d4b291..2a9e2aa 100644 --- a/tasks/directory.yml +++ b/tasks/directory.yml @@ -8,7 +8,8 @@ group: "{{ gitea_group }}" mode: 'u=rwX,g=rX,o=' with_items: - - "/etc/gitea" + - "{{ gitea_configuration_path }}" + - "{{ gitea_user_home }}" - "{{ gitea_home }}" - "{{ gitea_home }}/data" - "{{ gitea_custom }}" diff --git a/tasks/fail2ban.yml b/tasks/fail2ban.yml index 913127d..aa41bde 100644 --- a/tasks/fail2ban.yml 
+++ b/tasks/fail2ban.yml @@ -7,7 +7,7 @@ owner: root group: root mode: 0444 - notify: systemctl restart fail2ban + notify: "Systemctl restart fail2ban" when: "'fail2ban' in ansible_facts.packages" - name: Install fail2ban jail @@ -18,11 +18,12 @@ owner: root group: root mode: 0444 - notify: systemctl restart fail2ban + notify: "Systemctl restart fail2ban" when: "'fail2ban' in ansible_facts.packages" -- name: warn if fail2ban is not installed +- name: Warn if fail2ban is not installed ansible.builtin.fail: msg: "the package fail2ban is not installed. no fail2ban filters deployed." when: "'fail2ban' not in ansible_facts.packages" ignore_errors: true + tags: skip_ansible_lint_ignore-errors diff --git a/tasks/gitea_secrets.yml b/tasks/gitea_secrets.yml index 51303ae..8f61d3f 100644 --- a/tasks/gitea_secrets.yml +++ b/tasks/gitea_secrets.yml 
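Review bot: `Warn if fail2ban is not installed` keeps `ansible.builtin.fail` with `ignore_errors: true` and the commit adds `tags: skip_ansible_lint_ignore-errors` to quiet the linter rather than change the construct, so every run on a host without fail2ban still shows a failed task. A warning is what `ansible.builtin.debug` is for: replace the module with `ansible.builtin.debug:` / `msg: "the package fail2ban is not installed. no fail2ban filters deployed."` under the same `when`, which needs neither `ignore_errors` nor a lint exemption.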
@@ -1,38 +1,38 @@ --- -- name: generate gitea SECRET_KEY if not provided +- name: Generate gitea SECRET_KEY if not provided become: true - ansible.builtin.shell: 'umask 077; /usr/local/bin/gitea generate secret SECRET_KEY > /etc/gitea/gitea_secret_key' + ansible.builtin.shell: 'umask 077; {{ gitea_full_executable_path }} generate secret SECRET_KEY > {{ gitea_configuration_path }}/gitea_secret_key' args: - creates: '/etc/gitea/gitea_secret_key' - when: gitea_secret_key | length == 0 + creates: '{{ gitea_configuration_path }}/gitea_secret_key' + when: gitea_secret_key | string | length == 0 -- name: read gitea SECRET_KEY from file +- name: Read gitea SECRET_KEY from file become: true ansible.builtin.slurp: - src: '/etc/gitea/gitea_secret_key' + src: '{{ gitea_configuration_path }}/gitea_secret_key' register: remote_secret_key - when: gitea_secret_key | length == 0 + when: gitea_secret_key | string | length == 0 -- name: set fact gitea_secret_key +- name: Set fact gitea_secret_key ansible.builtin.set_fact: gitea_secret_key: "{{ remote_secret_key['content'] | b64decode }}" - when: gitea_secret_key | length == 0 + when: gitea_secret_key | string | length == 0 -- name: generate gitea INTERNAL_TOKEN if not provided +- name: Generate gitea INTERNAL_TOKEN if not provided become: true - ansible.builtin.shell: 'umask 077; /usr/local/bin/gitea generate secret INTERNAL_TOKEN > /etc/gitea/gitea_internal_token' + ansible.builtin.shell: 'umask 077; {{ gitea_full_executable_path }} generate secret INTERNAL_TOKEN > {{ gitea_configuration_path }}/gitea_internal_token' args: - creates: '/etc/gitea/gitea_internal_token' - when: gitea_internal_token | length == 0 + creates: '{{ gitea_configuration_path }}/gitea_internal_token' + when: gitea_internal_token | string | length == 0 -- name: read gitea INTERNAL_TOKEN from file +- name: Read gitea INTERNAL_TOKEN from file become: true ansible.builtin.slurp: - src: '/etc/gitea/gitea_internal_token' + src: '{{ gitea_configuration_path 
}}/gitea_internal_token' register: remote_internal_token - when: gitea_internal_token | length == 0 + when: gitea_internal_token | string | length == 0 -- name: set fact gitea_internal_token +- name: Set fact gitea_internal_token ansible.builtin.set_fact: gitea_internal_token: "{{ remote_internal_token['content'] | b64decode }}" - when: gitea_internal_token | length == 0 + when: gitea_internal_token | string | length == 0 diff --git a/tasks/install_forgejo.yml b/tasks/install_forgejo.yml new file mode 100644 index 0000000..31a4801 --- /dev/null +++ b/tasks/install_forgejo.yml 
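Review bot: `Read gitea SECRET_KEY from file` and `Set fact gitea_secret_key` (and their INTERNAL_TOKEN twins) register and then set the decoded secret without `no_log: true`, so with `-v` or a logging callback the key material ends up in console output and log files even though the generate step carefully writes it under `umask 077`. Add `no_log: true` to the two slurp tasks and the two set_fact tasks. The same applies to the slurp/set_fact pairs in tasks/jwt_secrets.yml.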
@@ -0,0 +1,83 @@ +--- +- name: Dependency block + block: + - name: Update apt cache + become: true + ansible.builtin.apt: + cache_valid_time: 3600 + update_cache: true + register: _pre_update_apt_cache + until: _pre_update_apt_cache is succeeded + when: + - ansible_pkg_mgr == "apt" + + - name: Install dependencies + become: true + ansible.builtin.package: + name: "{{ gitea_dependencies }}" + state: present + register: _install_dep_packages + until: _install_dep_packages is succeeded + retries: 5 + delay: 2 + +- name: Install forgejo block + when: (not gitea_version_check | bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version_target)) + block: + - name: Download forgejo archive + ansible.builtin.get_url: + url: "{{ gitea_forgejo_dl_url | first }}" + dest: "/tmp/{{ gitea_filename }}" + checksum: "sha256:{{ gitea_forgejo_checksum }}" + mode: 0640 + register: _download_archive + become: false + until: _download_archive is succeeded + retries: 5 + delay: 2 + + - name: Download forgejo asc file + ansible.builtin.get_url: + url: "{{ gitea_forgejo_signed_url | first }}" + dest: "/tmp/{{ gitea_filename }}.asc" + mode: 0640 + register: _download_asc + become: false + until: _download_asc is succeeded + retries: 5 + delay: 2 + + - name: Check forgejo gpg key + ansible.builtin.command: "gpg --list-keys 0x{{ gitea_forgejo_gpg_key }}" + register: _gitea_gpg_key_status + changed_when: false + become: false + failed_when: _gitea_gpg_key_status.rc not in (0, 2) + + - name: Print gpg key staus on verbosity + ansible.builtin.debug: + msg: "{{ _gitea_gpg_key_status.stdout }}" + verbosity: 1 + + - name: Import forgejo gpg key + ansible.builtin.command: "gpg --keyserver {{ gitea_gpg_server }} --recv {{ gitea_forgejo_gpg_key }}" + register: _gitea_import_key + become: false + changed_when: '"imported: 1" in _gitea_import_key.stderr' + when: '_gitea_gpg_key_status.rc != 0 or "expired" in _gitea_gpg_key_status.stdout' + + - name: Check archive signature + 
become: false + ansible.builtin.command: "gpg --verify /tmp/{{ gitea_filename }}.asc /tmp/{{ gitea_filename }}" + changed_when: false + + - name: Propagate gitea binary + become: true + ansible.builtin.copy: + src: "/tmp/{{ gitea_filename }}" + remote_src: true + dest: "{{ gitea_full_executable_path }}" + mode: 0755 + owner: root + group: root + notify: "Restart gitea" diff --git a/tasks/install.yml b/tasks/install_gitea.yml similarity index 78% rename from tasks/install.yml rename to tasks/install_gitea.yml index ef325f8..86823e4 100644 --- a/tasks/install.yml +++ b/tasks/install_gitea.yml @@ -1,5 +1,6 @@ --- -- block: +- name: Dependency block + block: - name: Update apt cache become: true ansible.builtin.apt: @@ -20,13 +21,17 @@ retries: 5 delay: 2 -- block: +- name: Install gitea block + when: (not gitea_version_check | bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version_target)) + block: - name: Download gitea archive ansible.builtin.get_url: url: "{{ gitea_dl_url }}.xz" dest: "/tmp/{{ gitea_filename }}.xz" checksum: "sha256:{{ gitea_dl_url }}.xz.sha256" + mode: 0640 register: _download_archive + become: false until: _download_archive is succeeded retries: 5 delay: 2 @@ -35,7 +40,9 @@ ansible.builtin.get_url: url: "{{ gitea_dl_url }}.xz.asc" dest: "/tmp/{{ gitea_filename }}.xz.asc" + mode: 0640 register: _download_asc + become: false until: _download_asc is succeeded retries: 5 delay: 2 
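Review bot: `Check archive signature` only runs `gpg --verify`, which succeeds for a valid signature from any key in the invoking user's keyring; nothing ties the accepted signature to `gitea_forgejo_gpg_key`, and since the checksum used by `Download forgejo archive` is fetched from the same release assets as the archive, the signature is the only authenticity control in this file. Register the output with `--status-fd 1` and require the pinned fingerprint in the `VALIDSIG` status line, as below. Separately, the archive and its `.asc` are downloaded and verified as the unprivileged user under the fixed name `/tmp/{{ gitea_filename }}` and only afterwards copied to `{{ gitea_full_executable_path }}` as root; a private directory created with `ansible.builtin.tempfile` (`state: directory`) and used for all three steps closes the window in which another local user could swap the verified file. Both points apply equally to the `Check archive signature` and `Propagate gitea binary` tasks of tasks/install_gitea.yml (hunks `@@ -46,15 +53,22 @@` and `@@ -66,9 +80,8 @@`).
```yaml
    - name: Check archive signature
      become: false
      ansible.builtin.command: "gpg --status-fd 1 --verify /tmp/{{ gitea_filename }}.asc /tmp/{{ gitea_filename }}"
      register: _gitea_verify
      changed_when: false
      failed_when: >-
        _gitea_verify.rc != 0
        or 'VALIDSIG' not in _gitea_verify.stdout
        or gitea_forgejo_gpg_key not in _gitea_verify.stdout
    # … unchanged: Propagate gitea binary …
```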
@@ -46,15 +53,22 @@ changed_when: false failed_when: _gitea_gpg_key_status.rc not in (0, 2) + - name: Print gpg key staus on verbosity + ansible.builtin.debug: + msg: "{{ _gitea_gpg_key_status.stdout }}" + verbosity: 1 + - name: Import gitea gpg key ansible.builtin.command: "gpg --keyserver {{ gitea_gpg_server }} --recv {{ gitea_gpg_key }}" register: _gitea_import_key + become: false changed_when: '"imported: 1" in _gitea_import_key.stderr' - when: _gitea_gpg_key_status.rc != 0 + when: '_gitea_gpg_key_status.rc != 0 or "expired" in _gitea_gpg_key_status.stdout' - name: Check archive signature ansible.builtin.command: "gpg --verify /tmp/{{ gitea_filename }}.xz.asc /tmp/{{ gitea_filename }}.xz" changed_when: false + become: false - name: Unpack gitea binary ansible.builtin.command: @@ -66,9 +80,8 @@ ansible.builtin.copy: src: "/tmp/{{ gitea_filename }}" remote_src: true - dest: "/usr/local/bin/gitea" + dest: "{{ gitea_full_executable_path }}" mode: 0755 owner: root group: root notify: "Restart gitea" - when: (not gitea_version_check|bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version_target)) diff --git a/tasks/jwt_secrets.yml b/tasks/jwt_secrets.yml index 3ce8ba5..5700a3b 100644 --- a/tasks/jwt_secrets.yml +++ b/tasks/jwt_secrets.yml 
@@ -1,38 +1,38 @@ --- -- name: generate OAuth2 JWT_SECRET if not provided +- name: Generate OAuth2 JWT_SECRET if not provided become: true - ansible.builtin.shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_oauth_jwt_secret' + ansible.builtin.shell: 'umask 077; {{ gitea_full_executable_path }} generate secret JWT_SECRET > {{ gitea_configuration_path }}/gitea_oauth_jwt_secret' args: - creates: '/etc/gitea/gitea_oauth_jwt_secret' + creates: '{{ gitea_configuration_path }}/gitea_oauth_jwt_secret' when: gitea_oauth2_jwt_secret | length == 0 -- name: read OAuth2 JWT_SECRET from file +- name: Read OAuth2 JWT_SECRET from file become: true ansible.builtin.slurp: - src: '/etc/gitea/gitea_oauth_jwt_secret' + src: '{{ gitea_configuration_path }}/gitea_oauth_jwt_secret' register: oauth_jwt_secret when: gitea_oauth2_jwt_secret | length == 0 -- name: set fact gitea_oauth2_jwt_secret +- name: Set fact gitea_oauth2_jwt_secret ansible.builtin.set_fact: gitea_oauth2_jwt_secret: "{{ oauth_jwt_secret['content'] | b64decode }}" when: gitea_oauth2_jwt_secret | length == 0 -- name: generate LFS JWT_SECRET if not provided +- name: Generate LFS JWT_SECRET if not provided become: true - ansible.builtin.shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_lfs_jwt_secret' + ansible.builtin.shell: 'umask 077; {{ gitea_full_executable_path }} generate secret JWT_SECRET > {{ gitea_configuration_path }}/gitea_lfs_jwt_secret' args: - creates: '/etc/gitea/gitea_lfs_jwt_secret' + creates: '{{ gitea_configuration_path }}/gitea_lfs_jwt_secret' when: gitea_lfs_jwt_secret | length == 0 -- name: read LFS JWT_SECRET from file +- name: Read LFS JWT_SECRET from file become: true ansible.builtin.slurp: - src: '/etc/gitea/gitea_lfs_jwt_secret' + src: '{{ gitea_configuration_path }}/gitea_lfs_jwt_secret' register: lfs_jwt_secret when: gitea_lfs_jwt_secret | length == 0 -- name: set fact gitea_lfs_jwt_secret +- name: Set fact 
gitea_lfs_jwt_secret ansible.builtin.set_fact: gitea_lfs_jwt_secret: "{{ lfs_jwt_secret['content'] | b64decode }}" when: gitea_lfs_jwt_secret | length == 0 diff --git a/tasks/main.yml b/tasks/main.yml index 097818f..7fe7331 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: perform optional versionscheck +- name: Perform optional versionscheck ansible.builtin.include_tasks: versioncheck.yml when: submodules_versioncheck|bool 
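Review bot: The six `when:` guards in this file keep the bare `gitea_oauth2_jwt_secret | length == 0` / `gitea_lfs_jwt_secret | length == 0` tests, while the parallel tasks in tasks/gitea_secrets.yml were changed in this same commit to `| string | length == 0`; a value that is not already a string would make `length` raise here but not there. Apply the same change for consistency: `when: gitea_oauth2_jwt_secret | string | length == 0` and `when: gitea_lfs_jwt_secret | string | length == 0`.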
@@ -7,50 +7,59 @@ ansible.builtin.package_facts: manager: auto +- name: Prepare gitea/forgejo variable import + block: + - name: Gather variables for gitea or forgejo + ansible.builtin.include_vars: "{{ lookup('first_found', gitea_fork_variables) }}" + rescue: + - name: Gitea/Forejo import info + ansible.builtin.fail: + msg: "Currently only {{ gitea_supported_forks }} are supported." + - name: Gather variables for each operating system ansible.builtin.include_vars: "{{ lookup('first_found', gitea_variables) }}" - name: Gather versioning information - ansible.builtin.include_tasks: set_version.yml + ansible.builtin.include_tasks: "set_{{ gitea_fork | lower }}_version.yml" -- name: backup gitea before update +- name: Backup gitea before update ansible.builtin.include_tasks: backup.yml when: gitea_backup_on_upgrade|bool -- name: create gitea user and role +- name: Create gitea user and role ansible.builtin.include_tasks: create_user.yml -- name: install or update gitea - ansible.builtin.include_tasks: install.yml +- name: "Install or update {{ gitea_fork }}" + ansible.builtin.include_tasks: "install_{{ gitea_fork | lower }}.yml" -- name: Create directorys +- name: Create directories ansible.builtin.include_tasks: directory.yml -- name: setup gitea systemd service +- name: Setup gitea systemd service ansible.builtin.include_tasks: install_systemd.yml when: ansible_service_mgr == "systemd" -- name: generate JWT Secrets if undefined +- name: Generate JWT Secrets if undefined ansible.builtin.include_tasks: jwt_secrets.yml -- name: generate gitea secrets if undefined +- name: Generate gitea secrets if undefined ansible.builtin.include_tasks: gitea_secrets.yml -- name: configure gitea +- name: Configure gitea ansible.builtin.include_tasks: configure.yml -- name: deploy optional fail2ban rules +- name: Deploy optional fail2ban rules ansible.builtin.include_tasks: fail2ban.yml when: gitea_fail2ban_enabled|bool -- name: optionally customize gitea +- name: Optionally customize 
gitea ansible.builtin.include_tasks: customize_logo.yml when: gitea_customize_logo|bool -- name: optionally customize footer +- name: Optionally customize footer ansible.builtin.include_tasks: customize_footer.yml when: gitea_customize_footer|bool -- name: optionally deploy public files +- name: Optionally deploy public files ansible.builtin.include_tasks: customize_public_files.yml when: gitea_customize_files|bool diff --git a/tasks/set_forgejo_version.yml b/tasks/set_forgejo_version.yml new file mode 100644 index 0000000..7b3d195 --- /dev/null +++ b/tasks/set_forgejo_version.yml 
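Review bot: `Gitea/Forejo import info` misspells Forgejo in the task name, and since its `fail` message is what users see when they mistype `gitea_fork`, the wording is worth getting right. The later `include_tasks: "set_{{ gitea_fork | lower }}_version.yml"` and `"install_{{ gitea_fork | lower }}.yml"` build file names from a user-supplied variable; the only guard is the `first_found` lookup on `gitea_fork_variables` above, whose definition is not in this diff, so that dependency deserves a comment: `# gitea_fork is validated only by the first_found lookup above; keep gitea_fork_variables and gitea_supported_forks in sync.`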
@@ -0,0 +1,107 @@
+---
+- name: "Check forgejo installed version"
+ ansible.builtin.shell: "set -eo pipefail; {{ gitea_full_executable_path }} -v | cut -d' ' -f 3"
+ args:
+ executable: /bin/bash
+ register: gitea_active_version
+ changed_when: false
+ failed_when: false
+
+- name: "Determine 'latest' version release"
+ when: gitea_version == "latest"
+ block:
+ - name: "Get latest forgejo release metadata"
+ ansible.builtin.uri:
+ url: 'https://codeberg.org/api/v1/repos/forgejo/forgejo/releases?limit=1'
+ return_content: true
+ register: gitea_forgejo_remote_metadata
+ become: false
+ when: not ansible_check_mode
+
+ - name: "Fail if running in check mode without versions set."
+ ansible.builtin.fail:
+ msg: |
+ "You are running this playbook in check mode:
+ Please set the Gitea version with the variable 'gitea_version', because the URI module cannot detect the latest version in this mode."
+ when: ansible_check_mode and (gitea_version == 'latest' or gitea_version == 'present')
+
+ - name: "Set fact latest forgejo release"
+ ansible.builtin.set_fact:
+ gitea_remote_version: "{{ gitea_forgejo_remote_metadata.json.0.tag_name[1:] }}"
+ when: not ansible_check_mode
+
+ - name: "Set forgejo version target (latest)"
+ ansible.builtin.set_fact:
+ gitea_version_target: "{{ gitea_remote_version }}"
+ when: not ansible_check_mode
+
+- name: "Set forgejo version target {{ gitea_version }}"
+ ansible.builtin.set_fact:
+ gitea_version_target: "{{ gitea_version }}"
+ when: gitea_version != "latest"
+
+- name: "Download forgejo version {{ gitea_version_target }}"
+ when: not ansible_check_mode
+ block:
+ - name: "Get specific forgejo release metadata"
+ ansible.builtin.uri:
+ url: 'https://codeberg.org/api/v1/repos/forgejo/forgejo/releases/tags/v{{ gitea_version_target }}'
+ return_content: true
+ register: gitea_forgejo_remote_tags_metadata
+ become: false
+ rescue:
+ - name: "Error Downloading https://codeberg.org/api/v1/repos/forgejo/forgejo/releases/tags/v{{
gitea_version_target }}"
+ ansible.builtin.fail:
+ msg: "We did not find the forgejo version you specified. Are you sure that '{{ gitea_version_target }}' is a valid forgejo version?"
+
+- name: "Generate forgejo download url"
+ ansible.builtin.set_fact:
+ gitea_forgejo_dl_url: "{{ gitea_forgejo_remote_tags_metadata.json | community.general.json_query(gitea_forgejo_query_download) }}"
+ when: not ansible_check_mode
+
+- name: "Generate forgejo download checksum url"
+ ansible.builtin.set_fact:
+ gitea_forgejo_checksum_url: "{{ gitea_forgejo_remote_tags_metadata.json | community.general.json_query(gitea_forgejo_query_checksum) }}"
+ when: not ansible_check_mode
+
+- name: Get forgejo checksum
+ ansible.builtin.uri:
+ url: "{{ gitea_forgejo_checksum_url | first }}"
+ return_content: true
+ register: _gitea_forgejo_dl_checksum
+ become: false
+ when: not ansible_check_mode
+
+- name: Set forjeo checksum
+ ansible.builtin.set_fact:
+ gitea_forgejo_checksum: "{{ _gitea_forgejo_dl_checksum.content.split(' ')[0] }}"
+ when: not ansible_check_mode
+
+- name: "Generate forgejo download signed url"
+ ansible.builtin.set_fact:
+ gitea_forgejo_signed_url: "{{ gitea_forgejo_remote_tags_metadata.json | community.general.json_query(gitea_forgejo_query_signed) }}"
+ when: not ansible_check_mode
+
+- name: "Set a example forgejo download link if in check mode"
+ ansible.builtin.set_fact:
+ gitea_forgejo_dl_url: ['https://codeberg.org/attachments/a00333ad-250a-4d30-a764-9a37fb24f419']
+ when: ansible_check_mode
+
+- name: "Set a example forgejo checksum link if in check mode"
+ ansible.builtin.set_fact:
+ gitea_forgejo_checksum: 'f8c71464d1b250bf022eaa3df270c810950904ceb71da5cefc7ec24a034a4c87'
+ when: ansible_check_mode
+
+- name: "Set a example forgejo checksum link if in check mode"
+ ansible.builtin.set_fact:
+ gitea_forgejo_signed_url: ['https://codeberg.org/attachments/ae5e50c6-e86e-4202-b95f-f142e8138e2f']
+ when: ansible_check_mode
+
+- name: Show Download URLs
+
ansible.builtin.debug:
+ msg: "{{ item }}"
+ verbosity: 1
+ with_items:
+ - "gitea_forgejo_dl_url: {{ gitea_forgejo_dl_url | first }}"
+ - "gitea_forgejo_checksum: {{ gitea_forgejo_checksum }}"
+ - "gitea_forgejo_signed_url: {{ gitea_forgejo_signed_url | first }}"
diff --git a/tasks/set_version.yml b/tasks/set_gitea_version.yml
similarity index 61%
rename from tasks/set_version.yml
rename to tasks/set_gitea_version.yml
index 469b344..c01a674 100644
--- a/tasks/set_version.yml
+++ b/tasks/set_gitea_version.yml
@@ -1,6 +1,6 @@
 ---
 - name: "Check gitea installed version"
- ansible.builtin.shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3"
+ ansible.builtin.shell: "set -eo pipefail; {{ gitea_full_executable_path }} -v | cut -d' ' -f 3"
 args:
 executable: /bin/bash
 register: gitea_active_version
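Review bot: In the "Fail if running in check mode without versions set." task the clause `gitea_version == 'present'` can never be true, because the enclosing block is gated on `when: gitea_version == "latest"`; either drop the `present` clause or move the fail task out of the block so that `present` is actually rejected in check mode as the message promises (the same task, with the same gating, appears in the tasks/set_gitea_version.yml hunk further down). Later in the file, `gitea_forgejo_checksum_url | first` and the `| first` calls in the debug task fail with Jinja's unhelpful "sequence was empty" error whenever no release asset matches `gitea_filename` (an architecture without a published build, or a renamed asset); an `ansible.builtin.assert` right after the two `json_query` tasks, `that: "gitea_forgejo_dl_url | length == 1 and gitea_forgejo_checksum_url | length == 1"`, with a `fail_msg` that prints `gitea_filename`, would make that failure readable. Note also that the `.sha256` file is fetched from the same origin as the binary, so it only protects against download corruption; the `.asc` URL is collected here, but I cannot see from this chunk whether install_forgejo.yml verifies it against a pinned key, which is what would establish release authenticity. The two "Set a example forgejo checksum link if in check mode" tasks share a name; the second one sets the signed URL and should say so.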
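Review bot: `gitea_full_executable_path` is now interpolated into the shell string unquoted, so a path containing whitespace or a shell metacharacter would be word-split or interpreted by bash instead of executed; `{{ gitea_full_executable_path | quote }}` keeps the value a single argument. The same line appears as the first task of the new tasks/set_forgejo_version.yml above. Because the value comes from role vars rather than external input the practical risk is misconfiguration rather than injection, but the `quote` filter is free and documents the intent.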
@@ -8,23 +8,34 @@
 failed_when: false
 - name: "Determine 'latest' version release"
+ when: gitea_version == "latest"
 block:
 - name: "Get latest gitea release metadata"
 ansible.builtin.uri:
 url: https://api.github.com/repos/go-gitea/gitea/releases/latest
 return_content: true
 register: gitea_remote_metadata
+ become: false
+ when: not ansible_check_mode
+
+ - name: "Fail if running in check mode without versions set."
+ ansible.builtin.fail:
+ msg: |
+ "You are running this playbook in check mode:
+ Please set the Gitea version with the variable 'gitea_version', because the URI module cannot detect the latest version in this mode."
+ when: ansible_check_mode and (gitea_version == 'latest' or gitea_version == 'present')
 - name: "Set fact latest gitea release"
 ansible.builtin.set_fact:
 gitea_remote_version: "{{ gitea_remote_metadata.json.tag_name[1:] }}"
+ when: not ansible_check_mode
 - name: "Set gitea version target (latest)"
 ansible.builtin.set_fact:
 gitea_version_target: "{{ gitea_remote_version }}"
- when: gitea_version == "latest"
+ when: not ansible_check_mode
-- name: "Set gitea version target ({{ gitea_version }})"
+- name: "Set gitea version target {{ gitea_version }}"
 ansible.builtin.set_fact:
 gitea_version_target: "{{ gitea_version }}"
 when: gitea_version != "latest"
diff --git a/tasks/versioncheck.yml b/tasks/versioncheck.yml
index 5128cc8..dd22a1a 100644
--- a/tasks/versioncheck.yml
+++ b/tasks/versioncheck.yml
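Review bot: Nothing in this hunk handles the `gitea_version: present` value that the new fail message names as valid: the block is skipped because it is gated on `latest`, and the last task then sets `gitea_version_target` to the literal string `present`, which presumably reaches the release-tag lookup later and fails there with a confusing message. If `present` is meant as "keep whatever is installed", the cleanest fix is a dedicated task that derives the target from the version already registered above this hunk, `gitea_version_target: "{{ gitea_active_version.stdout }}"` with `when: gitea_version == 'present'`, and a `when: gitea_version not in ['latest', 'present']` on the final set_fact; if `present` is not supported, the word should come out of the message. The move of `when: gitea_version == "latest"` up to the block is fine, but the block now also wraps the `become: false` uri task, so in check mode the only thing that runs inside it is the fail task, which is easy to miss without a comment on the block.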
@@ -8,37 +8,38 @@
 path: '/etc/.ansible-version'
 state: directory
 mode: 0755
- when: submodules_versioncheck|bool
+ when: submodules_versioncheck | bool
-- name: check playbook version
+- name: Check playbook version
 become: true
 ansible.builtin.slurp:
 src: "/etc/.ansible-version/{{ playbook_version_path }}"
 register: playbook_version
- when: submodules_versioncheck|bool
+ when: submodules_versioncheck | bool
 ignore_errors: true
 failed_when: false
 - name: Print remote role version
 ansible.builtin.debug:
 msg: "Remote role version: {{ playbook_version.content | default('Y3VycmVudGx5IG5vdCBkZXBsb3llZAo=') | b64decode | string }}"
- when: submodules_versioncheck|bool
+ when: submodules_versioncheck | bool
 - name: Print locale role version
 ansible.builtin.debug:
- msg: "Local role version: '{{ playbook_version_number|string }}'."
- when: submodules_versioncheck|bool
+ msg: "Local role version: '{{ playbook_version_number | string }}'."
+ when: submodules_versioncheck | bool
 - name: Check if your version is outdated
 ansible.builtin.fail:
 msg: "Your ansible module has the version '{{ playbook_version_number }}' and is outdated. You need to update it!"
 when:
- - playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck|bool
+ - playbook_version.content|default("Mgo=")|b64decode|int - 1 >= playbook_version_number|int and submodules_versioncheck | bool
-- name: write new version to remote disk
+- name: Write new version to remote disk
 become: true
 ansible.builtin.copy:
 content: "{{ playbook_version_number }}"
 dest: "/etc/.ansible-version/{{ playbook_version_path }}"
 mode: '0644'
- when: submodules_versioncheck|bool
+ when: submodules_versioncheck | bool
+ tags: skip_ansible_lint_template-instead-of-copy
diff --git a/templates/gitea.ini.j2 b/templates/gitea.ini.j2
index b322dff..cbe7cb2 100644
--- a/templates/gitea.ini.j2
+++ b/templates/gitea.ini.j2
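Review bot: The added `tags: skip_ansible_lint_template-instead-of-copy` on the last task is, as far as I know, not a form ansible-lint recognises: the documented ways to silence a rule are the bare `skip_ansible_lint` tag (which skips every rule for that task) or a `# noqa: template-instead-of-copy` comment on the task's first line, and the tag as written will additionally show up as a real play tag in `--list-tags`. The `# noqa` form is the better choice here since it silences only the one rule, and a short comment explaining why `copy` with inline `content` is intentional (a single integer, no template file needed) would stop the next reviewer from "fixing" it. The rest of the hunk is `| bool` spacing and task-name capitalisation.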
@@ -13,53 +13,110 @@ RUN_MODE = {{ gitea_run_mode }}
 ;
 ; -> https://docs.gitea.io/en-us/config-cheat-sheet/#repository-repository
 [repository]
-ROOT = {{ gitea_repository_root }}
-FORCE_PRIVATE = {{ gitea_force_private | ternary('true', 'false') }}
-MAX_CREATION_LIMIT = {{ gitea_user_repo_limit }}
-DISABLE_HTTP_GIT = {{ gitea_disable_http_git | ternary('true', 'false') }}
-DEFAULT_BRANCH = {{ gitea_default_branch }}
-DEFAULT_PRIVATE = {{ gitea_default_private }}
+ROOT = {{ gitea_repository_root }}
+FORCE_PRIVATE = {{ gitea_force_private | ternary('true', 'false') }}
+DEFAULT_PRIVATE = {{ gitea_default_private }}
+MAX_CREATION_LIMIT = {{ gitea_user_repo_limit }}
+DISABLE_HTTP_GIT = {{ gitea_disable_http_git | ternary('true', 'false') }}
+ENABLE_PUSH_CREATE_USER = {{ gitea_enable_push_create_user | ternary('true', 'false') }}
+ENABLE_PUSH_CREATE_ORG = {{ gitea_enable_push_create_org | ternary('true', 'false') }}
+DISABLED_REPO_UNITS = {{ gitea_disabled_repo_units }}
+DEFAULT_REPO_UNITS = {{ gitea_default_repo_units }}
+DISABLE_STARS = {{ gitea_disable_stars | ternary('true', 'false') }}
+DEFAULT_BRANCH = {{ gitea_default_branch }}
 {{ gitea_repository_extra_config }}
 ;
+;
+; -> https://docs.gitea.io/en-us/administration/config-cheat-sheet/#repository---upload-repositoryupload
 [repository.upload]
+ENABLED = {{ gitea_repository_upload_enabled | ternary('true', 'false') }}
 TEMP_PATH = {{ gitea_home }}/data/tmp/uploads
+FILE_MAX_SIZE = {{ gitea_repository_upload_max_size }}
 {{ gitea_repository_upload_extra_config }}
 ;
 ;
+{% if gitea_enable_repo_signing_options | bool %}
+; -> https://docs.gitea.io/en-us/config-cheat-sheet/#repository---signing-repositorysigning
+[repository.signing]
+SIGNING_KEY = {{ gitea_repo_signing_key }}
+SIGNING_NAME = {{ gitea_repo_signing_name }}
+SIGNING_EMAIL = {{ gitea_repo_signing_email }}
+INITIAL_COMMIT = {{ gitea_repo_initial_commit }}
+DEFAULT_TRUST_MODEL = {{ gitea_repo_default_trust_model }}
+WIKI = {{ gitea_repo_wiki }}
+CRUD_ACTIONS =
{{ gitea_repo_crud_actions }}
+MERGES = {{ gitea_repo_merges }}
+{{ gitea_enable_repo_signing_extra }}
+;
+{% endif %}
+;
+{% if gitea_enable_cors | bool %}
+;
+; -> https://docs.gitea.io/en-us/config-cheat-sheet/#cors-cors
+[cors]
+ENABLED = {{ gitea_enable_cors | ternary('true', 'false') }}
+SCHEME = {{ gitea_cors_scheme }}
+ALLOW_DOMAIN = {{ gitea_cors_allow_domain }}
+ALLOW_SUBDOMAIN = {{ gitea_cors_allow_subdomain | ternary('true', 'false') }}
+METHODS = {{ gitea_cors_methods }}
+MAX_AGE = {{ gitea_cors_max_age }}
+ALLOW_CREDENTIALS = {{ gitea_cors_allow_credentials | ternary('true', 'false') }}
+HEADERS = {{ gitea_cors_headers }}
+X_FRAME_OPTIONS = {{ gitea_cors_x_frame_options }}
+{{ gitea_cors_extra }}
+;
+{% endif %}
+;
 ; -> https://docs.gitea.io/en-us/config-cheat-sheet/#ui-ui
 [ui]
-SHOW_USER_EMAIL = {{ gitea_show_user_email | ternary('true', 'false') }}
-DEFAULT_THEME = {{ gitea_theme_default }}
 THEMES = {{ gitea_themes }}
+DEFAULT_THEME = {{ gitea_theme_default }}
+SHOW_USER_EMAIL = {{ gitea_show_user_email | ternary('true', 'false') }}
 {{ gitea_ui_extra_config }}
 ;
 ;
+;
+[ui.meta]
+AUTHOR = {{ gitea_ui_author }}
+DESCRIPTION = {{ gitea_ui_description }}
+KEYWORDS = {{ gitea_ui_keywords }}
+{{ gitea_ui_meta_extra_config }}
+;
+;
 ; -> https://docs.gitea.io/en-us/config-cheat-sheet/#server-server
 [server]
+APP_DATA_PATH = {{ gitea_home }}/data
 PROTOCOL = {{ gitea_protocol }}
 DOMAIN = {{ gitea_http_domain }}
 ROOT_URL = {{ gitea_root_url }}
 HTTP_ADDR = {{ gitea_http_listen }}
 HTTP_PORT = {{ gitea_http_port }}
-{% if gitea_http_port == 443 %}
-PORT_TO_REDIRECT = 80
-{% endif %}
-{% if gitea_http_letsencrypt_mail is defined %}
-ENABLE_LETSENCRYPT = true
-LETSENCRYPT_ACCEPTTOS = true
-LETSENCRYPT_EMAIL = {{ gitea_http_letsencrypt_mail }}
-{% endif %}
 START_SSH_SERVER = {{ gitea_start_ssh | ternary('true', 'false') }}
 SSH_DOMAIN = {{ gitea_ssh_domain }}
 SSH_PORT = {{ gitea_ssh_port }}
 SSH_LISTEN_HOST = {{ gitea_ssh_listen }}
 OFFLINE_MODE = {{ gitea_offline_mode
| ternary('true', 'false') }}
-APP_DATA_PATH = {{ gitea_home }}/data
+{% if gitea_enable_tls_certs | bool %}
+CERT_FILE = {{ gitea_tls_cert_file }}
+KEY_FILE = {{ gitea_tls_key_file }}
+{% endif %}
+LANDING_PAGE = {{ gitea_landing_page }}
 {% if gitea_lfs_server_enabled | bool -%}
 LFS_START_SERVER = true
-LFS_CONTENT_PATH = {{ gitea_lfs_content_path }}
 LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }}
 {% endif %}
+REDIRECT_OTHER_PORT = {{ gitea_redirect_other_port | ternary('true', 'false') }}
+PORT_TO_REDIRECT = {{ gitea_port_to_redirect }}
+ENABLE_ACME = {{ gitea_enable_acme | ternary('true', 'false') }}
+{% if gitea_enable_acme | bool %}
+{% if gitea_acme_url != '' %}
+ACME_URL = {{ gitea_acme_url }}
+{% endif %}
+ACME_ACCEPTTOS = {{ gitea_acme_accepttos | ternary('true', 'false') }}
+ACME_DIRECTORY = {{ gitea_acme_directory }}
+ACME_EMAIL = {{ gitea_acme_email }}
+ACME_CA_ROOT = {{ gitea_acme_ca_root }}
+{% endif %}
 {{ gitea_server_extra_config }}
 ;
 ;
@@ -79,7 +136,6 @@ LOG_SQL = {{ gitea_db_log_sql | ternary('true', 'false') }}
 ; -> https://docs.gitea.io/en-us/config-cheat-sheet/#indexer-indexer
 [indexer]
 ISSUE_INDEXER_PATH = {{ gitea_home }}/indexers/issues.bleve
-ISSUE_INDEXER_QUEUE_DIR = {{ gitea_home }}/indexers/issues.queue
 REPO_INDEXER_ENABLED = {{ gitea_repo_indexer_enabled | ternary('true', 'false') }}
 REPO_INDEXER_PATH = {{ gitea_home }}/indexers/repos.bleve
 REPO_INDEXER_INCLUDE = {{ gitea_repo_indexer_include }}
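Review bot: The `[server]` rewrite removes the `gitea_http_letsencrypt_mail`-driven `ENABLE_LETSENCRYPT` block and the automatic `PORT_TO_REDIRECT = 80` for port 443, replacing them with `gitea_enable_acme` and `gitea_redirect_other_port`; unless the defaults (not in this chunk) map the old variable onto the new ones, a user who upgrades the role with only `gitea_http_letsencrypt_mail` set will silently come up without any certificate request and without the HTTP redirect. A one-time guard where the role validates its inputs, `ansible.builtin.assert` with `that: gitea_http_letsencrypt_mail is not defined` and a `fail_msg` pointing at `gitea_enable_acme`/`gitea_acme_email`, turns that into a deploy-time error instead of a surprise in the browser. Two smaller points in the new sections: `[cors]` renders `ALLOW_DOMAIN` and `ALLOW_CREDENTIALS` from independent variables, and a wildcard domain together with `ALLOW_CREDENTIALS = true` is the combination browsers reject and security reviews flag, so a template-level check or at least a `; never combine ALLOW_CREDENTIALS=true with ALLOW_DOMAIN=*` comment next to it is warranted; and `PROTOCOL = {{ gitea_protocol }}` is emitted independently of `gitea_enable_tls_certs` and `gitea_enable_acme`, so `https` with neither enabled presumably yields a unit that refuses to start — worth an assert as well.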
@@ -89,43 +145,61 @@ MAX_FILE_SIZE = {{ gitea_repo_indexer_max_file_size }}
 {{ gitea_indexer_extra_config }}
 ;
 ;
+; Queue (queue and queue.*)
+; -> https://docs.gitea.io/en-us/config-cheat-sheet/#queue-queue-and-queue
+[queue.issue_indexer]
+DATADIR = {{ gitea_home }}/indexers/issues.queue
+{{ gitea_queue_issue_indexer_extra_config }}
+;
+;
 ; -> https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
 [security]
 INSTALL_LOCK = true
 SECRET_KEY = {{ gitea_secret_key }}
-INTERNAL_TOKEN = {{ gitea_internal_token }}
 DISABLE_GIT_HOOKS = {{ gitea_disable_git_hooks | ternary('true', 'false') }}
+DISABLE_WEBHOOKS = {{ gitea_disable_webhooks | ternary('true', 'false') }}
+INTERNAL_TOKEN = {{ gitea_internal_token }}
 PASSWORD_CHECK_PWN = {{ gitea_password_check_pwn | ternary('true', 'false') }}
 {{ gitea_security_extra_config }}
 ;
 ;
 ; -> https://docs.gitea.io/en-us/config-cheat-sheet/#service-service
 [service]
-DISABLE_REGISTRATION = {{ gitea_disable_registration | ternary('true', 'false') }}
 REGISTER_EMAIL_CONFIRM = {{ gitea_register_email_confirm | ternary('true', 'false') }}
+DISABLE_REGISTRATION = {{ gitea_disable_registration | ternary('true', 'false') }}
 REQUIRE_SIGNIN_VIEW = {{ gitea_require_signin | ternary('true', 'false') }}
-DEFAULT_KEEP_EMAIL_PRIVATE = {{ gitea_default_keep_mail_private | ternary('true', 'false') }}
+ENABLE_NOTIFY_MAIL = {{ gitea_enable_notify_mail | ternary('true', 'false') }}
 ENABLE_CAPTCHA = {{ gitea_enable_captcha | ternary('true', 'false') }}
+DEFAULT_KEEP_EMAIL_PRIVATE = {{ gitea_default_keep_mail_private | ternary('true', 'false') }}
 SHOW_REGISTRATION_BUTTON = {{ gitea_show_registration_button | ternary('true', 'false') }}
-ALLOW_ONLY_EXTERNAL_REGISTRATION = {{ gitea_only_allow_external_registration | ternary('true', 'false') }}
-ENABLE_NOTIFY_MAIL = {{ gitea_enable_notify_mail | ternary('true', 'false') }}
 AUTO_WATCH_NEW_REPOS = {{ gitea_auto_watch_new_repos | ternary('true', 'false') }}
+ALLOW_ONLY_EXTERNAL_REGISTRATION = {{
gitea_only_allow_external_registration | ternary('true', 'false') }}
 {{ gitea_service_extra_config }}
 ;
 ;
 ; -> https://docs.gitea.io/en-us/config-cheat-sheet/#mailer-mailer
 [mailer]
-ENABLED = {{ gitea_mailer_enabled | ternary('true', 'false') }}
-HOST = {{ gitea_mailer_host }}
-SKIP_VERIFY = {{ gitea_mailer_skip_verify | ternary('true', 'false') }}
-IS_TLS_ENABLED = {{ gitea_mailer_tls_enabled | ternary('true', 'false') }}
-FROM = {{ gitea_mailer_from }}
-USER = {{ gitea_mailer_user }}
-PASSWD = `{{ gitea_mailer_password }}`
-SUBJECT_PREFIX = {{ gitea_subject_prefix }}
-MAILER_TYPE = {{ gitea_mailer_type }}
+ENABLED = {{ gitea_mailer_enabled | ternary('true', 'false') }}
+{% if gitea_mailer_enabled | bool %}
+PROTOCOL = {{ gitea_mailer_protocol }}
+SMTP_ADDR = {{ gitea_mailer_smtp_addr }}
+SMTP_PORT = {{ gitea_mailer_smtp_port }}
+USE_CLIENT_CERT = {{ gitea_mailer_use_client_cert | ternary('true', 'false') }}
+{% if gitea_mailer_use_client_cert | bool %}
+CLIENT_CERT_FILE = {{ gitea_mailer_client_cert_file }}
+CLIENT_KEY_FILE = {{ gitea_mailer_client_key_file }}
+{% endif %}
+FORCE_TRUST_SERVER_CERT = {{ gitea_mailer_force_trust_server_cert | ternary('true', 'false') }}
+USER = {{ gitea_mailer_user }}
+PASSWD = `{{ gitea_mailer_password }}`
+ENABLE_HELO = {{ gitea_mailer_enable_helo | ternary('true', 'false') }}
+FROM = {{ gitea_mailer_from }}
+SUBJECT_PREFIX = {{ gitea_subject_prefix }}
+SEND_AS_PLAIN_TEXT = {{ gitea_mailer_send_as_plaintext | ternary('true', 'false') }}
 {{ gitea_mailer_extra_config }}
 ;
+{% endif %}
+;
 ;
 ; -> https://docs.gitea.io/en-us/config-cheat-sheet/#session-session
 [session]
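Review bot: The `[mailer]` block retires `gitea_mailer_host`, `gitea_mailer_skip_verify`, `gitea_mailer_tls_enabled` and `gitea_mailer_type` in favour of `gitea_mailer_smtp_addr`/`gitea_mailer_smtp_port`/`gitea_mailer_protocol`/`gitea_mailer_force_trust_server_cert` without any bridge, so an existing deployment that had a host and `gitea_mailer_skip_verify: false` configured now gets whatever the new defaults say for both the server address and certificate verification, and because the whole section sits inside `{% if gitea_mailer_enabled | bool %}` the rendered file gives no hint which old key is being ignored. An assert that the four old names are undefined, with a `fail_msg` naming their replacements, placed wherever the role validates inputs, closes that gap. `FORCE_TRUST_SERVER_CERT` accepts any certificate the SMTP server presents, which is the one knob in this section that turns off transport security; a comment in the template directly above it, `; FORCE_TRUST_SERVER_CERT=true disables verification of the SMTP server certificate - test setups only`, keeps that visible in the rendered ini. The reordering of `INTERNAL_TOKEN` and the service keys is cosmetic.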
@@ -137,14 +211,15 @@ PROVIDER_CONFIG = {{ gitea_home }}/data/sessions
 ; -> https://docs.gitea.io/en-us/config-cheat-sheet/#picture-picture
 [picture]
 AVATAR_UPLOAD_PATH = {{ gitea_home }}/data/avatars
-DISABLE_GRAVATAR = {{ gitea_disable_gravatar | ternary('true', 'false') }}
 {{ gitea_picture_extra_config }}
 ;
 ;
 ; -> https://docs.gitea.io/en-us/config-cheat-sheet/#issue-and-pull-request-attachments-attachment
 [attachment]
-ENABLED = {{ gitea_attachment_enabled | ternary('true', 'false') }}
-PATH = {{ gitea_home }}/data/attachments
+ENABLED = {{ gitea_attachment_enabled | ternary('true', 'false') }}
+ALLOWED_TYPES = {{ gitea_attachment_types }}
+MAX_SIZE = {{ gitea_attachment_max_size }}
+PATH = {{ gitea_home }}/data/attachments
 {{ gitea_attachment_extra_config }}
 ;
 ;
@@ -152,11 +227,11 @@ PATH = {{ gitea_home }}/data/attachments
 [log]
 ROOT_PATH = {{ gitea_home }}/log
 {% if gitea_log_systemd %}
-MODE = console
+MODE = console
 {% else %}
-MODE = file
+MODE = file
 {% endif %}
-LEVEL = {{ gitea_log_level }}
+LEVEL = {{ gitea_log_level }}
 {{ gitea_log_extra_config }}
 ;
 ;
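Review bot: `DISABLE_GRAVATAR` is dropped from `[picture]` with no replacement, which makes `gitea_disable_gravatar` a dead variable; if the reason is that newer Gitea manages this switch in the admin settings (I believe the ini key was deprecated, but cannot confirm that from this chunk), the change deserves a README/changelog line and a deprecation assert on the old variable, because gravatar lookups hand user email hashes to a third party and an operator who set the variable to stop that will not notice it is back on. In `[attachment]`, `ALLOWED_TYPES = {{ gitea_attachment_types }}` is the key that decides whether arbitrary file types can be uploaded; a comment next to the variable's default stating that `*/*` means no restriction would help whoever reviews the defaults file.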
@@ -164,14 +239,61 @@ LEVEL = {{ gitea_log_level }}
 [metrics]
 ENABLED = {{ gitea_metrics_enabled | ternary('true', 'false') }}
 TOKEN = {{ gitea_metrics_token }}
+{{ gitea_metrics_extra }}
 ;
 ;
-; https://docs.gitea.io/en-us/config-cheat-sheet/#oauth2-oauth2
+; -> https://docs.gitea.io/en-us/config-cheat-sheet/#oauth2-oauth2
 [oauth2]
 ENABLE = {{ gitea_oauth2_enabled | ternary('true', 'false') }}
 JWT_SECRET = {{ gitea_oauth2_jwt_secret }}
 {{ gitea_oauth2_extra_config }}
 ;
 ;
+; -> https://docs.gitea.io/en-us/config-cheat-sheet/#federation-federation
+[federation]
+ENABLED = {{ gitea_federation_enabled | ternary('true', 'false') }}
+SHARE_USER_STATISTICS = {{ gitea_federation_share_user_stats | ternary('true', 'false') }}
+{{ gitea_federation_extra }}
+;
+;
+; Packages (packages)
+; -> https://docs.gitea.io/en-us/config-cheat-sheet/#packages-packages
+[packages]
+ENABLED = {{ gitea_packages_enabled | ternary('true', 'false') }}
+{% if gitea_packages_enabled | bool %}
+CHUNKED_UPLOAD_PATH = {{ gitea_home }}/data/tmp/package-upload
+{{ gitea_packages_extra }}
+{% endif %}
+;
+;
+{% if gitea_lfs_server_enabled | bool %}
+; -> https://docs.gitea.io/en-us/config-cheat-sheet/#lfs-lfs
+[lfs]
+STORAGE_TYPE = {{ gitea_lfs_storage_type }}
+SERVE_DIRECT = {{ gitea_lfs_serve_direct | ternary('true', 'false') }}
+PATH = {{ gitea_lfs_content_path }}
+{{ gitea_lfs_extra }}
+{% endif %}
+;
+;
+{% if gitea_actions_enabled | bool %}
+; -> https://docs.gitea.io/en-us/config-cheat-sheet/#actions-actions
+[actions]
+ENABLED = {{ gitea_actions_enabled }}
+DEFAULT_ACTIONS_URL = {{ gitea_actions_default_actions_url }}
+{{ gitea_actions_extra }}
+{% endif %}
+;
+;
+; Other (other)
+; -> https://docs.gitea.io/en-us/config-cheat-sheet/#other-other
+[other]
+SHOW_FOOTER_VERSION = {{ gitea_other_show_footer_version | ternary('true', 'false') }}
+SHOW_FOOTER_TEMPLATE_LOAD_TIME = {{ gitea_other_show_footer_template_load_time | ternary('true', 'false') }}
+ENABLE_SITEMAP = {{
gitea_other_enable_sitemap | ternary('true', 'false') }}
+ENABLE_FEED = {{ gitea_other_enable_feed | ternary('true', 'false') }}
+;
+;
+;
 ; Optional additional config
 {{ gitea_extra_config }}
diff --git a/templates/gitea.service.j2 b/templates/gitea.service.j2
index ebdf810..e47ee6d 100644
--- a/templates/gitea.service.j2
+++ b/templates/gitea.service.j2
@@ -1,11 +1,11 @@
 [Unit]
-Description=Gitea git server
+Description={{ gitea_fork }} git server
 After=network.target
 [Service]
 User={{ gitea_user }}
 Group={{ gitea_group }}
-ExecStart=/usr/local/bin/gitea web -c /etc/gitea/gitea.ini --custom-path {{ gitea_custom }}/
+ExecStart={{ gitea_full_executable_path }} web --config {{ gitea_configuration_path }}/gitea.ini --custom-path {{ gitea_custom }}/ --work-path {{ gitea_home }}
 Restart=on-failure
 WorkingDirectory={{ gitea_home }}
 {% if gitea_systemd_cap_net_bind_service %}
diff --git a/vars/fork_forgejo.yml b/vars/fork_forgejo.yml
new file mode 100644
index 0000000..2ac6803
--- /dev/null
+++ b/vars/fork_forgejo.yml
@@ -0,0 +1,7 @@
+---
+# set filenames for forgejo
+gitea_full_executable_path: "{{ gitea_forgejo_executable_path }}"
+gitea_filename: "forgejo-{{ gitea_version_target }}-linux-{{ gitea_arch }}"
+gitea_forgejo_query_download: "assets[?name==`{{ gitea_filename }}`].browser_download_url"
+gitea_forgejo_query_checksum: "assets[?name==`{{ gitea_filename }}.sha256`].browser_download_url"
+gitea_forgejo_query_signed: "assets[?name==`{{ gitea_filename }}.asc`].browser_download_url"
diff --git a/vars/fork_gitea.yml b/vars/fork_gitea.yml
new file mode 100644
index 0000000..607bfd8
--- /dev/null
+++ b/vars/fork_gitea.yml
@@ -0,0 +1,4 @@
+---
+# set filenames for gitea
+gitea_full_executable_path: "{{ gitea_executable_path }}"
+gitea_filename: "gitea-{{ gitea_version_target }}.linux-{{ gitea_arch }}"
diff --git a/vars/main.yml b/vars/main.yml
index 0eb2cdf..70d6b20 100644
--- a/vars/main.yml
+++ b/vars/main.yml
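Review bot: `ENABLED = {{ gitea_actions_enabled }}` in the new `[actions]` section renders the raw Jinja value while every other boolean in this template goes through `| ternary('true', 'false')`, so a YAML `true` comes out as `True` and any non-boolean string passes straight into the ini; Gitea's parser presumably tolerates `True`, but the line should read `ENABLED = {{ gitea_actions_enabled | ternary('true', 'false') }}` for consistency and to fail loudly on bad input. `DEFAULT_ACTIONS_URL` decides which host runners fetch `uses:` actions from, and the upstream default resolves to github.com; a comment on the variable's default saying so would help operators of isolated instances choose a value deliberately. The `[lfs]` section reuses `gitea_lfs_content_path` for `PATH`, matching the `LFS_CONTENT_PATH` line removed from `[server]` earlier in this diff, so that move looks complete.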
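Review bot: `ExecStart` now interpolates three role paths (`gitea_full_executable_path`, `gitea_configuration_path`, `gitea_home`) unquoted, and systemd splits `ExecStart` on whitespace, so a path containing a space silently changes the argument list; systemd accepts double quotes here, `ExecStart="{{ gitea_full_executable_path }}" web --config "{{ gitea_configuration_path }}/gitea.ini" --custom-path "{{ gitea_custom }}/" --work-path "{{ gitea_home }}"`, and the quoting costs nothing. Since the unit is being reworked for the fork switch and the visible part carries only `User`/`Group` plus the `gitea_systemd_cap_net_bind_service` block, this is also the moment to add the usual sandboxing directives (`NoNewPrivileges=true`, `ProtectSystem=full`, `PrivateTmp=true`, with `ReadWritePaths={{ gitea_home }}`), unless they already exist further down the file, which this hunk does not show.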
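Review bot: `gitea_filename` references `gitea_version_target`, which is only set in tasks/set_forgejo_version.yml after this vars file has been included; that works because Ansible templates vars lazily at use time, but it is non-obvious and deserves a comment, e.g. `# resolved lazily: gitea_version_target is set later by tasks/set_forgejo_version.yml`. The three JMESPath queries match the asset name exactly and return an empty list rather than failing when the asset is absent, so every task that applies `| first` to their result has to check the list length first; a comment stating that contract here would keep the consumers honest.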
@@ -8,7 +8,13 @@ gitea_go_arch_map:
 armv5l: 'arm-5'
 gitea_arch: "{{ gitea_go_arch_map[ansible_architecture] | default(ansible_architecture) }}"
-gitea_filename: "gitea-{{ gitea_version }}.linux-{{ gitea_arch }}"
+gitea_supported_forks: 'gitea and forgejo'
+
+gitea_fork_variables:
+ files:
+ - "fork_{{ gitea_fork | lower }}.yml"
+ paths:
+ - 'vars'
 gitea_variables:
 files:
@@ -56,5 +62,5 @@ transfer_custom_footer:
 - 'files/gitea_footer/extra_links_footer.tmpl'
 - 'files/extra_links_footer.tmpl'
-playbook_version_number: 27 # should be int
+playbook_version_number: 49 # should be int
 playbook_version_path: 'do1jlr.gitea.version'
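Review bot: `gitea_supported_forks: 'gitea and forgejo'` is a display string, while the real set of supported forks is implied only by which `fork_*.yml` files exist; keeping one machine-readable list, `gitea_supported_forks: ['gitea', 'forgejo']`, lets an assert reuse it (`that: "gitea_fork | lower in gitea_supported_forks"`) and the error message can still be rendered with `{{ gitea_supported_forks | join(' and ') }}`. `gitea_fork_variables` builds the `first_found` filename from `gitea_fork | lower`; validating the value against that list before the lookup keeps the include confined to the two intended files and gives a precise error instead of a lookup failure.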