Improve ARM Support (#74)

* Gitea user should be a system user

* Improve installation system

* Download archive instead of binary
* Add checksum validation
* Add GPG check
* Add backup process before upgrading

* Improve ARM support

* Improve support for Vault Encrypted JWT tokens

* Fix spacing in gitea configuration template

When Gitea rewrites the configuration file (e.g. the JWT token is not
set or doesn't fit its criteria), it aligns spacing on a per-section
basis in the .ini file.
If the template is not properly spaced, at the next Ansible run you'll
have an enormous diff, hiding what the real changes are.

* add proper redhat/debian deps for molecule testing

* Gitea group should be a system group

* fix linting for CI

* Update CI and meta information for up-to-date tests and distros

* molecule: fix typo for redhat packages

* fix typo

* bump gitea version to 1.13.1

* Use Ubuntu keyservers to play nicely with everyone

* Update minimum required ansible version to 2.9.8

This is required for Ubuntu Focal, which comes with systemd >= 245.
The Get Facts module doesn't work well with it before the bugfix
introduced in 2.9.8.

* Replace yes by True to please the linting

* Truthy values need to be lower-case

* bump gitea version to 1.13.2

* perform gitea dump as gitea user

* need to set become to yes

* autogenerate JWT_SECRETS (#77)

* autogenerate JWT_SECRETS

Based on https://docs.gitea.io/en-us/command-line/#generate we will now autogenerate JWT_SECRETS if they are not defined.
In my opinion, a much better idea than writing a value in the default config.

I took out the check that the variables for the secrets are 43 characters long. Gitea generates suitable secrets itself if the user-given ones do not fit.

* drop ansible.builtin. syntax

* Update file permissions for "{{ gitea_home }}" (#75)

The file permissions for {{ gitea_home }}, especially in conjunction with the recurse: true flag, are on closer inspection very open to all and also have +x set on files.

This should be done better, and I have done that here now.

By the way: to improve the -x on normal files in the gitea installation, this shell command was useful for me
```sh
# strip the execute bit from every regular file (directories keep theirs),
# then set the owner bits to exactly rw; X only keeps x where it is already set
find . -type f -exec chmod a-x {} +
find . -type f -exec chmod u=rwX {} +
```

* Bump cryptography from 3.2 to 3.3.2 (#79)

Bumps [cryptography](https://github.com/pyca/cryptography) from 3.2 to 3.3.2.
- [Release notes](https://github.com/pyca/cryptography/releases)
- [Changelog](https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/3.2...3.3.2)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* check-variables.yml doesn't exist anymore

Co-authored-by: L3D <l3d@c3woc.de>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
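The "Add checksum validation" and "Add GPG check" items above describe the procedure the new tasks/install.yml follows: fetch the `.xz` archive, its `.sha256` and its `.asc`, import the release key, run `gpg --verify`. As an added example, not code from this role or from the Gitea project, here is the same procedure as a POSIX shell script that additionally pins the signing key to one fingerprint. The version and arch arguments, the staging directory, the `hkps://` keyserver URL, the use of a dedicated keyring and the `sha256sum`-style format of the upstream `.sha256` file are assumptions of the example; the two gpg status samples are constructed, not real signatures.

```shell
#!/bin/sh
# Added example, not code from the role or from Gitea: download a release
# archive, check its .sha256, verify the detached .asc signature, and require
# that the good signature comes from ONE pinned key fingerprint. A bare
# `gpg --verify` succeeds for any key in the keyring; the fingerprint on the
# VALIDSIG status line is what actually pins the publisher.
set -e

# Read `gpg --status-fd` output on stdin; succeed only if there is a GOODSIG
# and a VALIDSIG whose signing-key fingerprint ($3) or primary-key fingerprint
# (last field) equals the expected 40-hex fingerprint ($1, any case).
check_validsig() {
  want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
  awk -v want="$want" '
    $1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
      (toupper($3) == want || toupper($NF) == want) { pinned = 1 }
    END { exit (good && pinned) ? 0 : 1 }'
}

# Fetch and verify one release. Assumed inputs (none come from the role):
#   $1 version (e.g. 1.13.2)  $2 arch (e.g. amd64, arm64, arm-6)
#   $3 pinned fingerprint     $4 root-owned staging directory
# Uses a throw-away keyring so a key already trusted on the host for some other
# purpose cannot satisfy the check, and stages under a 0700 directory instead
# of a predictable name in world-writable /tmp. Needs network; not run below.
fetch_verified_gitea() {
  version=$1 arch=$2 fpr=$3 stage=$4
  base="https://github.com/go-gitea/gitea/releases/download/v${version}"
  name="gitea-${version}-linux-${arch}.xz"
  keyring="$stage/gitea-release.gpg"

  mkdir -p "$stage" && chmod 700 "$stage"
  for f in "$name" "$name.sha256" "$name.asc"; do
    curl -fsSL -o "$stage/$f" "$base/$f"
  done
  # Assumption: the upstream .sha256 file is in `sha256sum` format
  # ("<hex>  <filename>"), so run the check from inside the staging dir.
  (cd "$stage" && sha256sum -c "$name.sha256")

  # Import only the pinned key into a fresh keyring, then verify and capture
  # the machine-readable status on fd 3 rather than trusting the exit code.
  gpg --batch --no-default-keyring --keyring "$keyring" \
      --keyserver hkps://keyserver.ubuntu.com --recv-keys "$fpr"
  gpg --batch --no-default-keyring --keyring "$keyring" --status-fd 3 \
      --verify "$stage/$name.asc" "$stage/$name" 3>"$stage/gpg.status"
  check_validsig "$fpr" <"$stage/gpg.status"

  xz -d -k "$stage/$name"
  printf '%s\n' "$stage/${name%.xz}"   # verified binary, ready to install
}

# Constructed gpg status samples (not real signatures) for exercising
# check_validsig offline. SAMPLE_STATUS_OK: good signature by a subkey whose
# primary key is the fingerprint the role pins; SAMPLE_STATUS_OTHER: a good
# signature by some other key that merely happens to be in the keyring.
SAMPLE_STATUS_OK='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2D9AE806EC1592E2 constructed-uid
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2021-02-12 1613150000 0 4 0 1 10 00 7C9E68152594688862D62AF62D9AE806EC1592E2
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_STATUS_OTHER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0011223344556677 constructed-other-uid
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF00112233 2021-02-12 1613150000 0 4 0 1 10 00 00112233445566778899AABBCCDDEEFF00112233
[GNUPG:] TRUST_UNDEFINED 0 pgp'
```

`check_validsig` supplies what the exit status of `gpg --verify` does not: it reads the `--status-fd` lines and accepts only a GOODSIG whose VALIDSIG names the pinned fingerprint, either as the signing (sub)key or as its primary key. On a networked host, as root, `fetch_verified_gitea 1.13.2 amd64 7C9E68152594688862D62AF62D9AE806EC1592E2 /usr/local/src/gitea-stage` prints the path of the verified binary; the constructed status samples let the pinning check itself be exercised offline.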
Finwë 2021-02-12 18:56:31 +01:00 committed by GitHub
parent f6f5e733f0
commit 56375819a7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 231 additions and 113 deletions

View file

@ -7,11 +7,12 @@ env:
matrix:
- MOLECULE_DISTRO: centos8
- MOLECULE_DISTRO: centos7
- MOLECULE_DISTRO: ubuntu2004
- MOLECULE_DISTRO: ubuntu1804
- MOLECULE_DISTRO: ubuntu1604
- MOLECULE_DISTRO: debian10
- MOLECULE_DISTRO: debian9
- MOLECULE_DISTRO: fedora31
- MOLECULE_DISTRO: fedora33
services:
- docker

View file

@ -1,7 +1,9 @@
---
gitea_version: "1.13.0"
gitea_version: "1.13.2"
gitea_version_check: true
gitea_dl_url: "https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-{{ gitea_arch }}"
gitea_gpg_key: "7C9E68152594688862D62AF62D9AE806EC1592E2"
gitea_gpg_server: "hkp://keyserver.ubuntu.com:80"
gitea_app_name: "Gitea"
gitea_user: "gitea"
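Review bot: `gitea_gpg_server` defaults to cleartext `hkp://` on port 80, which is only acceptable because `gitea_gpg_key` is a full 40-hex fingerprint and `--recv` by full fingerprint makes gpg reject any key that does not hash to it; an `hkps://keyserver.ubuntu.com` default costs nothing and stops a middlebox from observing or silently blocking the lookup. Both new variables should be documented in the README, since a host behind an egress filter will need to override them. Note also that `gitea_dl_url` still names the bare binary while tasks/install.yml appends `.xz`, `.xz.sha256` and `.xz.asc` to it, so anyone pointing this at a mirror must mirror all three files; a comment on the variable would save that surprise.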

View file

@ -2,7 +2,7 @@
galaxy_info:
author: Thomas Maurice
description: Ansible Role - Gitea
min_ansible_version: 2.7.9
min_ansible_version: 2.9.8
license: BSD-3-Clause
galaxy_tags:
- git
@ -16,12 +16,17 @@ galaxy_info:
platforms:
- name: Debian
versions:
- jessie
- stretch
- name: EL
versions:
- 7
- buster
- name: Ubuntu
versions:
- xenial
- bionic
- focal
- name: CentOS
versions:
- 7
- 8
- name: Fedora
versions:
- 33
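Review bot: `xenial` stays listed under Ubuntu while the CI matrix in this same commit drops `ubuntu1604`, and the Debian list is cut to `buster` alone; the platforms block should match what molecule actually exercises (bionic, focal, buster, CentOS 7/8, Fedora 33). If xenial is meant to remain supported, keep it in the matrix, otherwise drop the line so Galaxy does not advertise an untested platform.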

View file

@ -1,22 +1,27 @@
---
- name: Perpare
- name: Prepare
hosts: all
become: true
tasks:
- name: install dependencies for gitea (RedHat based systems)
yum:
name: "{{ packages }}"
name: "{{ redhat_packages }}"
state: present
update_cache: true
when: ansible_os_family == "RedHat"
- name: install dependencies for gitea (Debian based systems)
apt:
name: "{{ packages }}"
name: "{{ debian_packages }}"
state: present
update_cache: true
when: ansible_os_family == "Debian"
vars:
packages:
debian_packages:
- git
- curl
- xz-utils
redhat_packages:
- git
- curl
- xz
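Review bot: installing `git`, `curl` and `xz`/`xz-utils` in prepare duplicates what the role now installs itself through `gitea_dependencies` (vars/debian.yml, vars/redhat.yml), so a regression in the role's own dependency handling would not be caught by molecule; `gnupg2`, which the role needs for the new signature check, is notably absent here and is only exercised because tasks/install.yml installs it. Consider trimming this to what the test images genuinely lack and letting the role's install path be the thing under test.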

View file

@ -1,4 +1,4 @@
ansible==2.9.6
ansible==2.9.8
ansible-lint==4.2.0
anyconfig==0.9.7
arrow==0.15.5

View file

@ -2,7 +2,8 @@
- name: "Create Gitea Group"
group:
name: "{{ gitea_group }}"
state: present
system: true
state: "present"
- name: "Create Gitea user"
user:
@ -10,3 +11,4 @@
comment: "Gitea user"
home: "{{ gitea_home }}"
shell: "{{ gitea_shell }}"
system: true
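Review bot: `system: true` on both the group and the user only takes effect at creation time; the `group` and `user` modules document that the setting cannot be changed on an existing account, so hosts already provisioned by earlier versions of this role keep their non-system uid/gid and these tasks report ok without doing anything. That is the right behaviour (renumbering a live account would orphan files), but it deserves a sentence in the README or changelog so operators know a fresh install and an upgraded host differ here.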

tasks/install.yml (new file, 93 lines)
View file

@ -0,0 +1,93 @@
---
- block:
- name: Update apt cache
apt:
cache_valid_time: 3600
update_cache: true
register: _pre_update_apt_cache
until: _pre_update_apt_cache is succeeded
when:
- ansible_pkg_mgr == "apt"
- name: Install dependencies
package:
name: "{{ gitea_dependencies }}"
state: present
register: _install_dep_packages
until: _install_dep_packages is succeeded
retries: 5
delay: 2
- name: Get service facts
service_facts:
- block:
- name: Stopping gitea before upgrade
service:
name: gitea
state: stopped
- name: Backing up gitea before upgrade
command:
cmd: "gitea dump -c /etc/gitea/gitea.ini"
chdir: /var/backups/
become: true
become_method: su
become_user: "{{ gitea_user }}"
become_flags: "-s /bin/sh"
when:
- ansible_facts.services["gitea.service"] is defined
- ansible_facts.services["gitea.service"].state == "running"
- gitea_active_version.stdout != gitea_version
- block:
- name: Download gitea archive
get_url:
url: "{{ gitea_dl_url }}.xz"
dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
checksum: "sha256:{{ gitea_dl_url }}.xz.sha256"
register: _download_archive
until: _download_archive is succeeded
retries: 5
delay: 2
- name: Download gitea asc file
get_url:
url: "{{ gitea_dl_url }}.xz.asc"
dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc"
register: _download_asc
until: _download_asc is succeeded
retries: 5
delay: 2
- name: Check gitea gpg key
command: "gpg --list-keys 0x{{ gitea_gpg_key }}"
register: _gitea_gpg_key_status
changed_when: false
failed_when: _gitea_gpg_key_status.rc not in (0, 2)
- name: Import gitea gpg key
command: "gpg --keyserver {{ gitea_gpg_server }} --recv {{ gitea_gpg_key }}"
register: _gitea_import_key
changed_when: '"imported: 1" in _gitea_import_key.stderr'
when: _gitea_gpg_key_status.rc != 0
- name: Check archive signature
command: "gpg --verify /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
changed_when: false
- name: Unpack gitea binary
command:
cmd: "xz -k -d /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
creates: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}"
- name: Propagate gitea binary
copy:
src: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}"
remote_src: true
dest: "/usr/local/bin/gitea"
mode: 0755
owner: root
group: root
notify: "Restart gitea"
when: (not gitea_version_check|bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version))
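Review bot: the "Check archive signature" task accepts a good signature from any key in root's keyring; nothing ties it to `gitea_gpg_key`, so the pinned fingerprint only gates the import, not the verification. Verify with `--status-fd 1` and fail unless a `VALIDSIG` line carries `gitea_gpg_key`, or verify against a dedicated `--no-default-keyring --keyring` populated solely by the import task. Second, staging under `/tmp` with a predictable name plus `creates:` on "Unpack gitea binary" means a local user who pre-creates `/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}` skips the unpack and has their file copied to `/usr/local/bin/gitea` as root 0755, because only the `.xz` was verified; stage in a root-owned 0700 directory (the `tempfile` module or a path under `/usr/local/src`) and drop `creates:`. Third, the backup block's `when:` reads `gitea_active_version.stdout` unconditionally, but that variable is registered only when `gitea_version_check` is true and a skipped register has no `stdout`, so with the check disabled the play errors before the download block's `not gitea_version_check|bool` short-circuit is reached; guard it the same way. Finally, `gitea dump` with `chdir: /var/backups/` as `{{ gitea_user }}` requires that directory to be writable by that user, which it is not on a stock Debian (root:root 0755), and nothing prunes old dumps.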

View file

@ -1,4 +1,12 @@
---
- name: Gather variables for each operating system
include_vars: "{{ item }}"
with_first_found:
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_distribution | lower }}.yml"
- "{{ ansible_os_family | lower }}.yml"
- name: "Check gitea version"
shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3"
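Review bot: `with_first_found` has neither `skip: true` nor a fallback entry, and only vars/debian.yml and vars/redhat.yml are added, so on any distribution whose `ansible_os_family` is something else the role fails with a "no file found" error rather than a clear unsupported-platform message, before the version check below even runs. Add `skip: true` followed by an `assert` that `gitea_dependencies is defined`, or add a last-resort vars file, so the failure mode is explicit.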
@ -9,16 +17,7 @@
failed_when: false
when: gitea_version_check|bool
- name: "Download the binary"
get_url:
url: "{{ gitea_dl_url }}"
dest: /usr/local/bin/gitea
owner: root
group: root
mode: 0755
force: true
notify: "Restart gitea"
when: (not gitea_version_check|bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version))
- include: install.yml
- include: create_user.yml
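Review bot: `include:` is the deprecated bare form, and this same commit adds `include_tasks: jwt_secrets.yml` a few lines further down, so tasks/main.yml now mixes both; use `import_tasks` (or `include_tasks`) for install.yml and create_user.yml as well. Also note that the removed `get_url` had `force: true`, whereas the replacement copy in tasks/install.yml runs only when `gitea_active_version.stdout != gitea_version`; because "Check gitea version" keeps `failed_when: false`, a missing or corrupt binary yields an empty `stdout` and still triggers a reinstall, which is fine, but a comment saying that this comparison is now the only repair path would help the next reader.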
@ -48,15 +47,11 @@
- "{{ gitea_home }}/custom/mailer"
- "{{ gitea_home }}/indexers"
- "{{ gitea_home }}/log"
- "{{ gitea_repository_root }}"
- include: install_systemd.yml
when: ansible_service_mgr == "systemd"
- name: 'Install git'
package:
name: 'git'
state: 'present'
- include_tasks: jwt_secrets.yml
- name: "Configure gitea"

View file

@ -6,7 +6,7 @@
; Cheat Sheet: https://docs.gitea.io/en-us/config-cheat-sheet/
;
; App name that shows on every page title
APP_NAME = {{ gitea_app_name }}
APP_NAME = {{ gitea_app_name }}
; Change it if you run locally
RUN_USER = {{ gitea_user }}
; Either "dev", "prod" or "test", default is "dev"
@ -21,7 +21,7 @@ MAX_CREATION_LIMIT = {{ gitea_user_repo_limit }}
; Mirror sync queue length, increase if mirror syncing starts hanging
MIRROR_QUEUE_LENGTH = 1000
; Disable the ability to interact with repositories using the HTTP protocol
DISABLE_HTTP_GIT = {{ gitea_disable_http_git }}
DISABLE_HTTP_GIT = {{ gitea_disable_http_git }}
[ui]
; Whether the email of the user should be shown in the Explore Users page
@ -35,7 +35,7 @@ PROTOCOL = {{ gitea_protocol }}
DOMAIN = {{ gitea_http_domain }}
ROOT_URL = {{ gitea_root_url }}
; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket.
HTTP_ADDR = {{ gitea_http_listen }}
HTTP_ADDR = {{ gitea_http_listen }}
HTTP_PORT = {{ gitea_http_port }}
; Disable SSH feature when not available
DISABLE_SSH = false
@ -53,15 +53,14 @@ SSH_LISTEN_PORT = %(SSH_PORT)s
OFFLINE_MODE = {{ gitea_offline_mode }}
; Default path for App data
APP_DATA_PATH = {{ gitea_home }}/data
{%- if gitea_lfs_server_enabled | bool %}
{% if gitea_lfs_server_enabled | bool -%}
;Enables git-lfs support.
LFS_START_SERVER = true
; Where to store LFS files.
LFS_CONTENT_PATH = {{ gitea_lfs_content_path }}
; LFS authentication secret
LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }}
{%- endif %}
{% endif %}
[database]
; Either "mysql", "postgres", "mssql" or "sqlite3", it's your choice
@ -85,7 +84,6 @@ ISSUE_INDEXER_QUEUE_TYPE = levelqueue
; When ISSUE_INDEXER_QUEUE_TYPE is levelqueue, this will be the queue will be saved path,
; default is indexers/issues.queue
ISSUE_INDEXER_QUEUE_DIR = {{ gitea_home }}/indexers/issues.queue
; repo indexer by default disabled, since it uses a lot of disk space
REPO_INDEXER_ENABLED = {{ gitea_repo_indexer_enabled }}
REPO_INDEXER_PATH = {{ gitea_home }}/indexers/repos.bleve
@ -146,7 +144,7 @@ FROM = {{ gitea_mailer_from }}
; Mailer user name and password
USER = {{ gitea_mailer_user }}
; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD = `{{ gitea_mailer_password }}`
PASSWD = {{ gitea_mailer_password }}
; Send mails as plain text
SEND_AS_PLAIN_TEXT = false
; Set Mailer Type (either SMTP, sendmail or dummy to just send to the log)
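Review bot: dropping the backticks around `{{ gitea_mailer_password }}` contradicts the comment immediately above, which says to use `PASSWD = \`your password\`` for quoting when the password contains special characters. Gitea's ini parser treats `;` and `#` as inline comment starters and trims surrounding whitespace, so a password containing either, or with leading or trailing spaces, is now silently truncated or altered. Keep the backticks, or document that the variable must not contain those characters.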
@ -156,7 +154,6 @@ SENDMAIL_PATH = sendmail
; Specify any extra sendmail arguments
SENDMAIL_ARGS =
[session]
; Either "memory", "file", or "redis", default is "memory"
PROVIDER = file

vars/debian.yml (new file, 5 lines)
View file

@ -0,0 +1,5 @@
---
gitea_dependencies:
- git
- gnupg2
- xz-utils

View file

@ -1,2 +1,10 @@
---
gitea_arch: "{{ 'amd64' if ansible_architecture == 'x86_64' else ansible_architecture }}"
gitea_go_arch_map:
i386: '386'
x86_64: 'amd64'
aarch64: 'arm64'
armv7l: 'arm-6'
armv6l: 'arm-6'
armv5l: 'arm-5'
gitea_arch: "{{ gitea_go_arch_map[ansible_architecture] | default(ansible_architecture) }}"
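Review bot: `gitea_go_arch_map` and `gitea_arch` live in vars/main.yml, which takes precedence over inventory, group and host vars, so a user on an architecture missing from the map cannot override `gitea_arch` from inventory; `default(ansible_architecture)` then produces a download URL that does not exist upstream and the role dies at `get_url` with a 404. Move at least `gitea_arch` (ideally the map too) to defaults/main.yml so the lookup stays the default while remaining overridable, and say in the README which values Gitea actually publishes.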

vars/redhat.yml (new file, 5 lines)
View file

@ -0,0 +1,5 @@
---
gitea_dependencies:
- git
- gnupg2
- xz