add default "gitea_group: gitea" (#71)

* delete trailing whitespace

* Add gitea_group

This will add the `gitea_group: gitea` and will probably
RESOLVE https://github.com/thomas-maurice/ansible-role-gitea/issues/70

* update variable length

update variable length to make this role idempotent

* vars should not include special character

.github/workflows/ansible-linting-check.yml

@@ -1,6 +1,7 @@
 ---
 name: Ansible Lint check
 
+# yamllint disable-line rule:truthy
 on: [push, pull_request]
 
 jobs:
@@ -9,7 +10,6 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-
       - uses: actions/checkout@v2
 
       - name: Lint Ansible Playbook

README.md

@@ -58,6 +58,7 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
 
 * `gitea_version_check`: Check if installed version != `gitea_version` before initiating binary download
 * `gitea_user`: UNIX user used by Gitea
+* `gitea_group`: UNIX group used by Gitea
 * `gitea_home`: Base directory to work
 * `gitea_dl_url`: The URL, the compiled gitea-binary will be downloaded from
 * `gitea_systemd_cap_net_bind_service`: Adds `AmbientCapabilities=CAP_NET_BIND_SERVICE` to systemd service file
@@ -127,7 +128,7 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
 
 * `gitea_lfs_enabled`: Enable GIT LFS *(git large file storeage: [git-lfs](https://git-lfs.github.com/))*. Default: `false`
 * `gitea_lfs_content_path`: path where the lfs files are stored
-* `gitea_lfs_secret`: JWT secret for remote LFS usage
+* `gitea_lfs_secret`: JWT secret for remote LFS usage, has to be exactly 43 characters long
 
 
 ### Fail2Ban configuration
@@ -145,7 +146,7 @@ As this will only deploy config files, fail2ban already has to be installed or o
 ### Oauth2 provider configuration
 
 * `gitea_oauth2_enabled`: Enable the Oauth2 provider (true/false)
-* `gitea_oauth2_jwt_secret`: JWT secret, cannot be longer than 32 characters
+* `gitea_oauth2_jwt_secret`: JWT secret, has to be exactly 43 characters long
 
 
 ### Metrics endpoint configuration

defaults/main.yml

@@ -5,6 +5,7 @@ gitea_dl_url: "https://github.com/go-gitea/gitea/releases/download/v{{ gitea_ver
 
 gitea_app_name: "Gitea"
 gitea_user: "gitea"
+gitea_group: "gitea"
 gitea_home: "/var/lib/gitea"
 gitea_shell: "/bin/false"
 gitea_systemd_cap_net_bind_service: false
@@ -22,7 +23,7 @@ gitea_offline_mode: true
 
 gitea_lfs_server_enabled: false
 gitea_lfs_content_path: "{{ gitea_home }}/data/lfs"
-gitea_lfs_jwt_secret: LongUniqueS3cret_
+gitea_lfs_jwt_secret: 'ChangeMe1GGm26cTz5jsH9S3Df4MPzBx599wLCdKwmw'
 
 gitea_db_type: sqlite3
 gitea_db_host: 127.0.0.0:3306
@@ -68,7 +69,7 @@ gitea_fail2ban_jail_bantime: 900
 gitea_fail2ban_jail_action: iptables-allports
 
 gitea_oauth2_enabled: true
-gitea_oauth2_jwt_secret: ChangeMe
+gitea_oauth2_jwt_secret: PLZChangeThisToAFourtyThreeCharacterString1
 
 gitea_metrics_enabled: false
 gitea_metrics_token: ~

tasks/check-variables.yml

@@ -1,7 +1,14 @@
 ---
-- name: run checks to ensure set variables do not crash gitea
+- name: run checks to ensure gitea_oauth2_jwt_secret do not crash gitea and is idempotent
   block:
     - name: "check token length"
       fail:
-        msg: 'gitea_oauth2_jwt_secret cannot be longer than 32 characters.'
+        msg: 'gitea_oauth2_jwt_secret has to be 43 characters long. It is currently {{ gitea_oauth2_jwt_secret | length }} long.'
-      when: gitea_oauth2_jwt_secret | length > 32
+      when: gitea_oauth2_jwt_secret | length != 43
+
+- name: run checks to ensure gitea_lfs_jwt_secret do not crash gitea and is idempotent
+  block:
+    - name: "check token length"
+      fail:
+        msg: 'gitea_lfs_jwt_secret has to be 43 characters long. It is currently {{ gitea_lfs_jwt_secret | length }} long.'
+      when: gitea_lfs_jwt_secret | length != 43

tasks/create_user.yml

@@ -1,4 +1,9 @@
 ---
+- name: "Create Gitea Group"
+  group:
+    name: "{{ gitea_group }}"
+    state: present
+
 - name: "Create Gitea user"
   user:
     name: "{{ gitea_user }}"

tasks/main.yml

@@ -24,15 +24,25 @@
 
 - include: create_user.yml
 
-- name: "Create config and data directory"
+- name: "Create config directory"
   file:
     path: "{{ item }}"
     state: directory
     owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    mode: '0755'
+  with_items:
+    - "/etc/gitea"
+
+- name: "Create data directory"
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
     mode: '0755'
     recurse: true
   with_items:
-    - "/etc/gitea"
     - "{{ gitea_home }}"
     - "{{ gitea_home }}/data"
     - "{{ gitea_home }}/custom"
@@ -54,6 +64,7 @@
     src: gitea.ini.j2
     dest: /etc/gitea/gitea.ini
     owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
     mode: 0600
   notify: "Restart gitea"
 

templates/gitea.service.j2

@@ -4,6 +4,7 @@ After=network.target
 
 [Service]
 User={{ gitea_user }}
+Group={{ gitea_group }}
 ExecStart=/usr/local/bin/gitea web -c /etc/gitea/gitea.ini
 Restart=on-failure
 WorkingDirectory={{ gitea_home }}