From 9cd664d91f7aa5fbbb0a70267bc94c7c94c60593 Mon Sep 17 00:00:00 2001
From: L3D
Date: Wed, 10 Feb 2021 20:04:13 +0100
Subject: [PATCH] autogenerate JWT_SECRETS (#77)

* autogenerate JWT_SECRETS
Based on https://docs.gitea.io/en-us/command-line/#generate we will now autogenerate JWT_SECRETS if they are not defined. In my opinion a much better idea than writing a value in the default config. The check if the variables for the secrets are now 43 characters long i took out. Gitea generates itself suitable secrets, if the user given ones do not fit.
* drop ansible.builtin. syntax
---
 README.md | 4 ++--
 defaults/main.yml | 4 ++--
 tasks/check-variables.yml | 14 --------------
 tasks/jwt_secrets.yml | 38 ++++++++++++++++++++++++++++++++++++++
 tasks/main.yml | 4 ++--
 5 files changed, 44 insertions(+), 20 deletions(-)
 delete mode 100644 tasks/check-variables.yml
 create mode 100644 tasks/jwt_secrets.yml

diff --git a/README.md b/README.md
index 93bbb10..0cb20d5 100644
--- a/README.md
+++ b/README.md
@@ -128,7 +128,7 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
 
 * `gitea_lfs_enabled`: Enable GIT LFS *(git large file storeage: [git-lfs](https://git-lfs.github.com/))*. Default: `false`
 * `gitea_lfs_content_path`: path where the lfs files are stored
-* `gitea_lfs_secret`: JWT secret for remote LFS usage, has to be exactly 43 characters long
+* `gitea_lfs_secret`: JWT secret for remote LFS usage. Can be generated with ``gitea generate secret JWT_SECRET``
 
 ### Fail2Ban configuration
 
@@ -146,7 +146,7 @@ As this will only deploy config files, fail2ban already has to be installed or o
 ### Oauth2 provider configuration
 
 * `gitea_oauth2_enabled`: Enable the Oauth2 provider (true/false)
-* `gitea_oauth2_jwt_secret`: JWT secret, has to be exactly 43 characters long
+* `gitea_oauth2_jwt_secret`: Oauth2 JWT secret. Can be generated with ``gitea generate secret JWT_SECRET``
 
 ### Metrics endpoint configuration
diff --git a/defaults/main.yml b/defaults/main.yml
index afdfcee..65dccae 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -23,7 +23,7 @@ gitea_offline_mode: true
 
 gitea_lfs_server_enabled: false
 gitea_lfs_content_path: "{{ gitea_home }}/data/lfs"
-gitea_lfs_jwt_secret: 'ChangeMe1GGm26cTz5jsH9S3Df4MPzBx599wLCdKwmw'
+gitea_lfs_jwt_secret: ''
 
 gitea_db_type: sqlite3
 gitea_db_host: 127.0.0.0:3306
@@ -69,7 +69,7 @@ gitea_fail2ban_jail_bantime: 900
 gitea_fail2ban_jail_action: iptables-allports
 
 gitea_oauth2_enabled: true
-gitea_oauth2_jwt_secret: PLZChangeThisToAFourtyThreeCharacterString1
+gitea_oauth2_jwt_secret: ''
 
 gitea_metrics_enabled: false
 gitea_metrics_token: ~
diff --git a/tasks/check-variables.yml b/tasks/check-variables.yml
deleted file mode 100644
index 1e070f2..0000000
--- a/tasks/check-variables.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-- name: run checks to ensure gitea_oauth2_jwt_secret do not crash gitea and is idempotent
-  block:
-    - name: "check token length"
-      fail:
-        msg: 'gitea_oauth2_jwt_secret has to be 43 characters long. It is currently {{ gitea_oauth2_jwt_secret | length }} long.'
-      when: gitea_oauth2_jwt_secret | length != 43
-
-- name: run checks to ensure gitea_lfs_jwt_secret do not crash gitea and is idempotent
-  block:
-    - name: "check token length"
-      fail:
-        msg: 'gitea_lfs_jwt_secret has to be 43 characters long. It is currently {{ gitea_lfs_jwt_secret | length }} long.'
-      when: gitea_lfs_jwt_secret | length != 43
diff --git a/tasks/jwt_secrets.yml b/tasks/jwt_secrets.yml
new file mode 100644
index 0000000..ca334c7
--- /dev/null
+++ b/tasks/jwt_secrets.yml
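Review bot: The new empty-string default for `gitea_lfs_jwt_secret` is what switches on autogeneration, but nothing in the file says so; a reader who sees `''` two lines above `gitea_metrics_token: ~` may reasonably set the secret to `null` instead, and a null value would make the `| length == 0` test in tasks/jwt_secrets.yml raise a Jinja error rather than trigger generation. The same applies to `gitea_oauth2_jwt_secret` in the second hunk of this file. I would put a comment above each default: `# leave empty to have the role run 'gitea generate secret JWT_SECRET' on the host`.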
@@ -0,0 +1,38 @@
+---
+- name: generate OAuth2 JWT_SECRET if not provided
+  become: true
+  shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_oauth_jwt_secret'
+  args:
+    creates: '/etc/gitea/gitea_oauth_jwt_secret'
+  when: gitea_oauth2_jwt_secret | length == 0
+
+- name: read OAuth2 JWT_SECRET from file
+  become: true
+  slurp:
+    src: '/etc/gitea/gitea_oauth_jwt_secret'
+  register: oauth_jwt_secret
+  when: gitea_oauth2_jwt_secret | length == 0
+
+- name: set fact gitea_oauth2_jwt_secret
+  set_fact:
+    gitea_oauth2_jwt_secret: "{{ oauth_jwt_secret['content'] | b64decode }}"
+  when: gitea_oauth2_jwt_secret | length == 0
+
+- name: generate LFS JWT_SECRET if not provided
+  become: true
+  shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_lfs_jwt_secret'
+  args:
+    creates: '/etc/gitea/gitea_lfs_jwt_secret'
+  when: gitea_lfs_jwt_secret | length == 0
+
+- name: read LFS JWT_SECRET from file
+  become: true
+  slurp:
+    src: '/etc/gitea/gitea_lfs_jwt_secret'
+  register: lfs_jwt_secret
+  when: gitea_lfs_jwt_secret | length == 0
+
+- name: set fact gitea_lfs_jwt_secret
+  set_fact:
+    gitea_lfs_jwt_secret: "{{ lfs_jwt_secret['content'] | b64decode }}"
+  when: gitea_lfs_jwt_secret | length == 0
diff --git a/tasks/main.yml b/tasks/main.yml
index 9d683e4..37efc63 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,7 +1,5 @@
 ---
 
-- include: check-variables.yml
-
 - name: "Check gitea version"
   shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3"
   args:
@@ -59,6 +57,8 @@
     name: 'git'
     state: 'present'
 
+- include_tasks: jwt_secrets.yml
+
 - name: "Configure gitea"
   template:
     src: gitea.ini.j2
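Review bot: The `>` redirect in both `shell` tasks creates the target file before `gitea generate secret` has written anything, so if the command fails (for example because the binary is not at `/usr/local/bin/gitea` yet) an empty secret file is left behind, `creates:` treats every later run as already done, and the role then slurps an empty string and templates an empty JWT secret without any task failing. Writing the file only after the command succeeds avoids that: `shell: 'umask 077; s="$(/usr/local/bin/gitea generate secret JWT_SECRET)" && printf "%s" "$s" > /etc/gitea/gitea_oauth_jwt_secret'`, with the same change for the LFS task; `printf "%s"` also drops any trailing newline that `b64decode` would otherwise carry into gitea.ini. The four `slurp` and `set_fact` tasks should carry `no_log: true`, since with `-v` the registered `content` and the resulting fact value are printed to whatever collects play output. Creating the files under `become` with `umask 077` is right for a secret only the role reads back; the hard-coded `/etc/gitea` and `/usr/local/bin/gitea` paths could reuse whatever role variables main.yml already uses for them, if such variables exist.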
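Review bot: `include_tasks: jwt_secrets.yml` sits right before "Configure gitea", which is the correct place for the facts it sets, but the included tasks redirect into `/etc/gitea/`, so the include must also come after whichever task creates that directory; that task is outside this hunk, so please confirm the ordering. Since the included file only does work when one of the two secrets is empty, `when: gitea_oauth2_jwt_secret | length == 0 or gitea_lfs_jwt_secret | length == 0` on the include would keep six skipped tasks out of every run where both secrets are supplied.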