From 67afb71160e72510d5a671ecffa5d21a0f600f40 Mon Sep 17 00:00:00 2001
From: L3D
Date: Wed, 27 Jan 2021 15:13:02 +0100
Subject: [PATCH] add default "gitea_group: gitea" (#71) * delete trailing whitespace * Add gitea_group This will add the `gitea_group: gitea` and will probably RESOLVE https://github.com/thomas-maurice/ansible-role-gitea/issues/70 * update variable length update variable length to make this role idempotent * vars should not include special character
---
 .github/workflows/ansible-linting-check.yml | 2 +-
 README.md | 5 +++--
 defaults/main.yml | 5 +++--
 tasks/check-variables.yml | 13 ++++++++++---
 tasks/create_user.yml | 5 +++++
 tasks/main.yml | 15 +++++++++++++--
 templates/gitea.service.j2 | 1 +
 7 files changed, 36 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/ansible-linting-check.yml b/.github/workflows/ansible-linting-check.yml
index 3a590c6..41dcb97 100644
--- a/.github/workflows/ansible-linting-check.yml
+++ b/.github/workflows/ansible-linting-check.yml
@@ -1,6 +1,7 @@
 ---
 name: Ansible Lint check
+# yamllint disable-line rule:truthy
 on: [push, pull_request]
 jobs:
@@ -9,7 +10,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
-
 - uses: actions/checkout@v2
 - name: Lint Ansible Playbook
diff --git a/README.md b/README.md
index d451b02..93bbb10 100644
--- a/README.md
+++ b/README.md
@@ -58,6 +58,7 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
 * `gitea_version_check`: Check if installed version != `gitea_version` before initiating binary download
 * `gitea_user`: UNIX user used by Gitea
+* `gitea_group`: UNIX group used by Gitea
 * `gitea_home`: Base directory to work
 * `gitea_dl_url`: The URL, the compiled gitea-binary will be downloaded from
 * `gitea_systemd_cap_net_bind_service`: Adds `AmbientCapabilities=CAP_NET_BIND_SERVICE` to systemd service file
@@ -127,7 +128,7 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
 * `gitea_lfs_enabled`: Enable GIT LFS *(git large file storeage: [git-lfs](https://git-lfs.github.com/))*. Default: `false`
 * `gitea_lfs_content_path`: path where the lfs files are stored
-* `gitea_lfs_secret`: JWT secret for remote LFS usage
+* `gitea_lfs_secret`: JWT secret for remote LFS usage, has to be exactly 43 characters long
 ### Fail2Ban configuration
@@ -145,7 +146,7 @@ As this will only deploy config files, fail2ban already has to be installed or o
 ### Oauth2 provider configuration
 * `gitea_oauth2_enabled`: Enable the Oauth2 provider (true/false)
-* `gitea_oauth2_jwt_secret`: JWT secret, cannot be longer than 32 characters
+* `gitea_oauth2_jwt_secret`: JWT secret, has to be exactly 43 characters long
 ### Metrics endpoint configuration
diff --git a/defaults/main.yml b/defaults/main.yml
index ad40a61..afdfcee 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -5,6 +5,7 @@ gitea_dl_url: "https://github.com/go-gitea/gitea/releases/download/v{{ gitea_ver
 gitea_app_name: "Gitea"
 gitea_user: "gitea"
+gitea_group: "gitea"
 gitea_home: "/var/lib/gitea"
 gitea_shell: "/bin/false"
 gitea_systemd_cap_net_bind_service: false
@@ -22,7 +23,7 @@ gitea_offline_mode: true
 gitea_lfs_server_enabled: false
 gitea_lfs_content_path: "{{ gitea_home }}/data/lfs"
-gitea_lfs_jwt_secret: LongUniqueS3cret_
+gitea_lfs_jwt_secret: 'ChangeMe1GGm26cTz5jsH9S3Df4MPzBx599wLCdKwmw'
 gitea_db_type: sqlite3
 gitea_db_host: 127.0.0.0:3306
@@ -68,7 +69,7 @@ gitea_fail2ban_jail_bantime: 900
 gitea_fail2ban_jail_action: iptables-allports
 gitea_oauth2_enabled: true
-gitea_oauth2_jwt_secret: ChangeMe
+gitea_oauth2_jwt_secret: PLZChangeThisToAFourtyThreeCharacterString1
 gitea_metrics_enabled: false
 gitea_metrics_token: ~
diff --git a/tasks/check-variables.yml b/tasks/check-variables.yml
index e343bfe..1e070f2 100644
--- a/tasks/check-variables.yml
+++ b/tasks/check-variables.yml
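Review bot: The two replaced default secrets, `gitea_lfs_jwt_secret` in the -22 hunk and `gitea_oauth2_jwt_secret` in the -68 hunk, are each exactly 43 characters, so they satisfy the new length checks in tasks/check-variables.yml and a host deployed with untouched defaults runs with a JWT secret that is public in this repository. Defaulting both to `null` and failing in the check tasks when they are unset, or failing when the value still equals the shipped placeholder, would turn that into a deploy-time error instead of a silent weakness. A comment above each value, e.g. `# placeholder only: set a unique 43-character secret per deployment`, would make the intent visible to anyone reading defaults/main.yml. The LFS value is single-quoted while the OAuth one is plain; quoting both consistently keeps the loader from retyping a future value that happens to look like a number. Separately, the README hunk at -127 on this line documents the variable as `gitea_lfs_secret` while the name defined here is `gitea_lfs_jwt_secret`, so one of the two should be corrected.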
@@ -1,7 +1,14 @@
 ---
-- name: run checks to ensure set variables do not crash gitea
+- name: run checks to ensure gitea_oauth2_jwt_secret do not crash gitea and is idempotent
 block:
 - name: "check token length"
 fail:
- msg: 'gitea_oauth2_jwt_secret cannot be longer than 32 characters.'
- when: gitea_oauth2_jwt_secret | length > 32
+ msg: 'gitea_oauth2_jwt_secret has to be 43 characters long. It is currently {{ gitea_oauth2_jwt_secret | length }} long.'
+ when: gitea_oauth2_jwt_secret | length != 43
+
+- name: run checks to ensure gitea_lfs_jwt_secret do not crash gitea and is idempotent
+ block:
+ - name: "check token length"
+ fail:
+ msg: 'gitea_lfs_jwt_secret has to be 43 characters long. It is currently {{ gitea_lfs_jwt_secret | length }} long.'
+ when: gitea_lfs_jwt_secret | length != 43
diff --git a/tasks/create_user.yml b/tasks/create_user.yml
index 306c2d6..fd3278a 100644
--- a/tasks/create_user.yml
+++ b/tasks/create_user.yml
@@ -1,4 +1,9 @@
 ---
+- name: "Create Gitea Group"
+ group:
+ name: "{{ gitea_group }}"
+ state: present
+
 - name: "Create Gitea user"
 user:
 name: "{{ gitea_user }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index 7701a4b..9d683e4 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -24,15 +24,25 @@
 - include: create_user.yml
-- name: "Create config and data directory"
+- name: "Create config directory"
 file:
 path: "{{ item }}"
 state: directory
 owner: "{{ gitea_user }}"
+ group: "{{ gitea_group }}"
+ mode: '0755'
+ with_items:
+ - "/etc/gitea"
+
+- name: "Create data directory"
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ gitea_user }}"
+ group: "{{ gitea_group }}"
 mode: '0755'
 recurse: true
 with_items:
- - "/etc/gitea"
 - "{{ gitea_home }}"
 - "{{ gitea_home }}/data"
 - "{{ gitea_home }}/custom"
@@ -54,6 +64,7 @@
 src: gitea.ini.j2
 dest: /etc/gitea/gitea.ini
 owner: "{{ gitea_user }}"
+ group: "{{ gitea_group }}"
 mode: 0600
 notify: "Restart gitea"
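Review bot: The new `when: gitea_lfs_jwt_secret | length != 43` check, like the adjusted oauth2 check above it, validates length only, so the 43-character placeholders shipped in defaults/main.yml pass unchanged; a companion `fail` task that triggers when the value still equals the shipped placeholder would catch the most common misconfiguration. Nothing in the file says why the length must be exactly 43; a comment above each `fail:`, such as `# Gitea expects a 43-character JWT secret; other lengths are rewritten on startup, which breaks idempotency`, would help, with the idempotency rationale taken from the commit message and worth confirming against the targeted Gitea version. Wrapping a single `fail` task in a `block:` adds nesting without benefit; both checks could be plain top-level tasks with their `name` and `when`. Both also run regardless of `gitea_lfs_server_enabled` and `gitea_oauth2_enabled`, which may be intentional but is worth stating in the task name.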
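Review bot: The new group task creates `gitea_group` ahead of the user task, but the visible part of the user task sets only `name: "{{ gitea_user }}"`; unless the lines beyond this hunk add `group: "{{ gitea_group }}"`, the user module will not make the new group the user's primary group, and because a group with the user's own name already exists I believe the module creates the user without a user-private group, so the primary group falls back to the system default. Adding `group: "{{ gitea_group }}"` to the user task keeps the ownership set in tasks/main.yml and the `Group=` line in the service template consistent with the account that actually runs Gitea. The user task continues past the end of the hunk, so this may already be handled. As a style nit, `"Create Gitea Group"` capitalises differently from the neighbouring `"Create Gitea user"`.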
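Review bot: The new "Create data directory" task keeps `recurse: true` next to `mode: '0755'`, so every run applies 0755 to every file under `{{ gitea_home }}` — which by default includes the SQLite database implied by `gitea_db_type: sqlite3` and any repository or LFS content — leaving them world-readable and executable and walking the whole tree on each play. A symbolic mode such as `mode: 'u=rwX,g=rX,o=rX'` keeps directories traversable without marking files executable, and whether "other" needs read access at all is worth deciding explicitly since only the service account reads that data. The separate "Create config directory" task loops over a single `/etc/gitea` item; a plain `path: /etc/gitea` would be shorter and avoids the loop. The second hunk at -54 only adds the group to the gitea.ini template task and needs no change. The first hunk's `with_items` list may continue beyond what is shown, so further paths could be affected.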
diff --git a/templates/gitea.service.j2 b/templates/gitea.service.j2
index f7c004d..0dd69a5 100644
--- a/templates/gitea.service.j2
+++ b/templates/gitea.service.j2
@@ -4,6 +4,7 @@ After=network.target
 [Service]
 User={{ gitea_user }}
+Group={{ gitea_group }}
 ExecStart=/usr/local/bin/gitea web -c /etc/gitea/gitea.ini
 Restart=on-failure
 WorkingDirectory={{ gitea_home }}