add default "gitea_group: gitea" (#71)

* delete trailing whitespace * Add gitea_group This will add the `gitea_group: gitea` and will probably RESOLVE https://github.com/thomas-maurice/ansible-role-gitea/issues/70 * update variable length update variable length to make this role idempotent * vars should not include special character
2021-01-27 15:13:02 +01:00 · 2021-01-27 15:13:02 +01:00 · 67afb71160
commit 67afb71160
parent cde4a964d5
7 changed files with 36 additions and 10 deletions
--- a/.github/workflows/ansible-linting-check.yml
+++ b/.github/workflows/ansible-linting-check.yml
@ -1,6 +1,7 @@
 ---
 name: Ansible Lint check

+# yamllint disable-line rule:truthy
 on: [push, pull_request]

 jobs:
@ -9,7 +10,6 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-
      - uses: actions/checkout@v2

      - name: Lint Ansible Playbook
--- a/README.md
+++ b/README.md
@ -58,6 +58,7 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we

 * `gitea_version_check`: Check if installed version != `gitea_version` before initiating binary download
 * `gitea_user`: UNIX user used by Gitea
+* `gitea_group`: UNIX group used by Gitea
 * `gitea_home`: Base directory to work
 * `gitea_dl_url`: The URL, the compiled gitea-binary will be downloaded from
 * `gitea_systemd_cap_net_bind_service`: Adds `AmbientCapabilities=CAP_NET_BIND_SERVICE` to systemd service file
@ -127,7 +128,7 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we

 * `gitea_lfs_enabled`: Enable GIT LFS *(git large file storeage: [git-lfs](https://git-lfs.github.com/))*. Default: `false`
 * `gitea_lfs_content_path`: path where the lfs files are stored
-* `gitea_lfs_secret`: JWT secret for remote LFS usage
+* `gitea_lfs_secret`: JWT secret for remote LFS usage, has to be exactly 43 characters long


 ### Fail2Ban configuration
@ -145,7 +146,7 @@ As this will only deploy config files, fail2ban already has to be installed or o
 ### Oauth2 provider configuration

 * `gitea_oauth2_enabled`: Enable the Oauth2 provider (true/false)
-* `gitea_oauth2_jwt_secret`: JWT secret, cannot be longer than 32 characters
+* `gitea_oauth2_jwt_secret`: JWT secret, has to be exactly 43 characters long


 ### Metrics endpoint configuration
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -5,6 +5,7 @@ gitea_dl_url: "https://github.com/go-gitea/gitea/releases/download/v{{ gitea_ver

 gitea_app_name: "Gitea"
 gitea_user: "gitea"
+gitea_group: "gitea"
 gitea_home: "/var/lib/gitea"
 gitea_shell: "/bin/false"
 gitea_systemd_cap_net_bind_service: false
@ -22,7 +23,7 @@ gitea_offline_mode: true

 gitea_lfs_server_enabled: false
 gitea_lfs_content_path: "{{ gitea_home }}/data/lfs"
-gitea_lfs_jwt_secret: LongUniqueS3cret_
+gitea_lfs_jwt_secret: 'ChangeMe1GGm26cTz5jsH9S3Df4MPzBx599wLCdKwmw'

 gitea_db_type: sqlite3
 gitea_db_host: 127.0.0.0:3306
@ -68,7 +69,7 @@ gitea_fail2ban_jail_bantime: 900
 gitea_fail2ban_jail_action: iptables-allports

 gitea_oauth2_enabled: true
-gitea_oauth2_jwt_secret: ChangeMe
+gitea_oauth2_jwt_secret: PLZChangeThisToAFourtyThreeCharacterString1

 gitea_metrics_enabled: false
 gitea_metrics_token: ~
--- a/tasks/check-variables.yml
+++ b/tasks/check-variables.yml
@ -1,7 +1,14 @@
 ---
- name: run checks to ensure set variables do not crash gitea
+- name: run checks to ensure gitea_oauth2_jwt_secret do not crash gitea and is idempotent
  block:
    - name: "check token length"
      fail:
-        msg: 'gitea_oauth2_jwt_secret cannot be longer than 32 characters.'
-      when: gitea_oauth2_jwt_secret | length > 32
+        msg: 'gitea_oauth2_jwt_secret has to be 43 characters long. It is currently {{ gitea_oauth2_jwt_secret | length }} long.'
+      when: gitea_oauth2_jwt_secret | length != 43
+
+- name: run checks to ensure gitea_lfs_jwt_secret do not crash gitea and is idempotent
+  block:
+    - name: "check token length"
+      fail:
+        msg: 'gitea_lfs_jwt_secret has to be 43 characters long. It is currently {{ gitea_lfs_jwt_secret | length }} long.'
+      when: gitea_lfs_jwt_secret | length != 43
--- a/tasks/create_user.yml
+++ b/tasks/create_user.yml
@ -1,4 +1,9 @@
 ---
+- name: "Create Gitea Group"
+  group:
+    name: "{{ gitea_group }}"
+    state: present
+
 - name: "Create Gitea user"
  user:
    name: "{{ gitea_user }}"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -24,15 +24,25 @@

 - include: create_user.yml

- name: "Create config and data directory"
+- name: "Create config directory"
  file:
    path: "{{ item }}"
    state: directory
    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    mode: '0755'
+  with_items:
+    - "/etc/gitea"
+
+- name: "Create data directory"
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
    mode: '0755'
    recurse: true
  with_items:
-    - "/etc/gitea"
    - "{{ gitea_home }}"
    - "{{ gitea_home }}/data"
    - "{{ gitea_home }}/custom"
@ -54,6 +64,7 @@
    src: gitea.ini.j2
    dest: /etc/gitea/gitea.ini
    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
    mode: 0600
  notify: "Restart gitea"

--- a/templates/gitea.service.j2
+++ b/templates/gitea.service.j2
@ -4,6 +4,7 @@ After=network.target

 [Service]
 User={{ gitea_user }}
+Group={{ gitea_group }}
 ExecStart=/usr/local/bin/gitea web -c /etc/gitea/gitea.ini
 Restart=on-failure
 WorkingDirectory={{ gitea_home }}