autogenerate JWT_SECRETS (#77)
* autogenerate JWT_SECRETS Based on https://docs.gitea.io/en-us/command-line/#generate we will now autogenerate JWT_SECRETS if they are not defined. In my opinion this is a much better idea than writing a value in the default config. I took out the check that the secret variables are exactly 43 characters long. Gitea itself generates suitable secrets if the user-given ones do not fit. * drop ansible.builtin. syntax
This commit is contained in:
parent
67afb71160
commit
9cd664d91f
5 changed files with 44 additions and 20 deletions
|
@ -128,7 +128,7 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
|
||||||
|
|
||||||
* `gitea_lfs_enabled`: Enable GIT LFS *(git large file storeage: [git-lfs](https://git-lfs.github.com/))*. Default: `false`
|
* `gitea_lfs_enabled`: Enable GIT LFS *(git large file storeage: [git-lfs](https://git-lfs.github.com/))*. Default: `false`
|
||||||
* `gitea_lfs_content_path`: path where the lfs files are stored
|
* `gitea_lfs_content_path`: path where the lfs files are stored
|
||||||
* `gitea_lfs_secret`: JWT secret for remote LFS usage, has to be exactly 43 characters long
|
* `gitea_lfs_secret`: JWT secret for remote LFS usage. Can be generated with ``gitea generate secret JWT_SECRET``
|
||||||
|
|
||||||
|
|
||||||
### Fail2Ban configuration
|
### Fail2Ban configuration
|
||||||
|
@ -146,7 +146,7 @@ As this will only deploy config files, fail2ban already has to be installed or o
|
||||||
### Oauth2 provider configuration
|
### Oauth2 provider configuration
|
||||||
|
|
||||||
* `gitea_oauth2_enabled`: Enable the Oauth2 provider (true/false)
|
* `gitea_oauth2_enabled`: Enable the Oauth2 provider (true/false)
|
||||||
* `gitea_oauth2_jwt_secret`: JWT secret, has to be exactly 43 characters long
|
* `gitea_oauth2_jwt_secret`: Oauth2 JWT secret. Can be generated with ``gitea generate secret JWT_SECRET``
|
||||||
|
|
||||||
|
|
||||||
### Metrics endpoint configuration
|
### Metrics endpoint configuration
|
||||||
|
|
|
@ -23,7 +23,7 @@ gitea_offline_mode: true
|
||||||
|
|
||||||
gitea_lfs_server_enabled: false
|
gitea_lfs_server_enabled: false
|
||||||
gitea_lfs_content_path: "{{ gitea_home }}/data/lfs"
|
gitea_lfs_content_path: "{{ gitea_home }}/data/lfs"
|
||||||
gitea_lfs_jwt_secret: 'ChangeMe1GGm26cTz5jsH9S3Df4MPzBx599wLCdKwmw'
|
gitea_lfs_jwt_secret: ''
|
||||||
|
|
||||||
gitea_db_type: sqlite3
|
gitea_db_type: sqlite3
|
||||||
gitea_db_host: 127.0.0.0:3306
|
gitea_db_host: 127.0.0.0:3306
|
||||||
|
@ -69,7 +69,7 @@ gitea_fail2ban_jail_bantime: 900
|
||||||
gitea_fail2ban_jail_action: iptables-allports
|
gitea_fail2ban_jail_action: iptables-allports
|
||||||
|
|
||||||
gitea_oauth2_enabled: true
|
gitea_oauth2_enabled: true
|
||||||
gitea_oauth2_jwt_secret: PLZChangeThisToAFourtyThreeCharacterString1
|
gitea_oauth2_jwt_secret: ''
|
||||||
|
|
||||||
gitea_metrics_enabled: false
|
gitea_metrics_enabled: false
|
||||||
gitea_metrics_token: ~
|
gitea_metrics_token: ~
|
||||||
|
|
|
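Review bot: Both secrets now default to `''`, but nothing in defaults/main.yml says that an empty value is the trigger for generation on the host, while the neighbouring `gitea_metrics_token: ~` uses null for "unset"; a user who follows that pattern and writes `gitea_oauth2_jwt_secret: ~` would most likely get a Jinja error from the `| length` test in the task files instead of a generated secret. A comment above each default, `# leave empty to have the role generate a secret with 'gitea generate secret JWT_SECRET'`, documents the sentinel. The README's variable name `gitea_lfs_secret` also does not match `gitea_lfs_jwt_secret` here; that mismatch predates this commit, but the rewritten README line would be the place to fix it.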
@ -1,14 +0,0 @@
|
||||||
---
|
|
||||||
- name: run checks to ensure gitea_oauth2_jwt_secret do not crash gitea and is idempotent
|
|
||||||
block:
|
|
||||||
- name: "check token length"
|
|
||||||
fail:
|
|
||||||
msg: 'gitea_oauth2_jwt_secret has to be 43 characters long. It is currently {{ gitea_oauth2_jwt_secret | length }} long.'
|
|
||||||
when: gitea_oauth2_jwt_secret | length != 43
|
|
||||||
|
|
||||||
- name: run checks to ensure gitea_lfs_jwt_secret do not crash gitea and is idempotent
|
|
||||||
block:
|
|
||||||
- name: "check token length"
|
|
||||||
fail:
|
|
||||||
msg: 'gitea_lfs_jwt_secret has to be 43 characters long. It is currently {{ gitea_lfs_jwt_secret | length }} long.'
|
|
||||||
when: gitea_lfs_jwt_secret | length != 43
|
|
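--- /dev/null
+++ b/tasks/jwt_secrets.yml
@@ -0,0 +1,38 @@
+---
+- name: generate OAuth2 JWT_SECRET if not provided
+  become: true
+  shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_oauth_jwt_secret'
+  args:
+    creates: '/etc/gitea/gitea_oauth_jwt_secret'
+  when: gitea_oauth2_jwt_secret | length == 0
+
+- name: read OAuth2 JWT_SECRET from file
+  become: true
+  slurp:
+    src: '/etc/gitea/gitea_oauth_jwt_secret'
+  register: oauth_jwt_secret
+  when: gitea_oauth2_jwt_secret | length == 0
+
+- name: set fact gitea_oauth2_jwt_secret
+  set_fact:
+    gitea_oauth2_jwt_secret: "{{ oauth_jwt_secret['content'] | b64decode }}"
+  when: gitea_oauth2_jwt_secret | length == 0
+
+- name: generate LFS JWT_SECRET if not provided
+  become: true
+  shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_lfs_jwt_secret'
+  args:
+    creates: '/etc/gitea/gitea_lfs_jwt_secret'
+  when: gitea_lfs_jwt_secret | length == 0
+
+- name: read LFS JWT_SECRET from file
+  become: true
+  slurp:
+    src: '/etc/gitea/gitea_lfs_jwt_secret'
+  register: lfs_jwt_secret
+  when: gitea_lfs_jwt_secret | length == 0
+
+- name: set fact gitea_lfs_jwt_secret
+  set_fact:
+    gitea_lfs_jwt_secret: "{{ lfs_jwt_secret['content'] | b64decode }}"
+  when: gitea_lfs_jwt_secret | length == 0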
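Review bot: The `creates:` guard on both generate tasks keys on the output file's existence, but the shell redirection creates `/etc/gitea/gitea_oauth_jwt_secret` (and the LFS file) before gitea runs, so a failed `gitea generate secret` leaves an empty file that every later run treats as done and then slurps into an empty fact. Writing to a temporary path and renaming only on success keeps the guard honest, e.g. `shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_oauth_jwt_secret.tmp && mv /etc/gitea/gitea_oauth_jwt_secret.tmp /etc/gitea/gitea_oauth_jwt_secret'`, with the same change on the LFS task. The slurp and set_fact tasks register and then expose the decoded secret in task output, so `no_log: true` on those four tasks keeps it out of verbose logs and callback plugins. Appending `| trim` after `b64decode` also guards the ini template against a trailing newline should the tool ever emit one.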
@ -1,7 +1,5 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- include: check-variables.yml
|
|
||||||
|
|
||||||
- name: "Check gitea version"
|
- name: "Check gitea version"
|
||||||
shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3"
|
shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3"
|
||||||
args:
|
args:
|
||||||
|
@ -59,6 +57,8 @@
|
||||||
name: 'git'
|
name: 'git'
|
||||||
state: 'present'
|
state: 'present'
|
||||||
|
|
||||||
|
- include_tasks: jwt_secrets.yml
|
||||||
|
|
||||||
- name: "Configure gitea"
|
- name: "Configure gitea"
|
||||||
template:
|
template:
|
||||||
src: gitea.ini.j2
|
src: gitea.ini.j2
|
||||||
|
|
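Review bot: The new `- include_tasks: jwt_secrets.yml` is a dynamic include, so the secret tasks are invisible to `--list-tasks` and do not inherit tags placed on this line the way the removed static `- include: check-variables.yml` did; `- import_tasks: jwt_secrets.yml` keeps the previous static behaviour unless conditional loading is intended here. A one-line comment above it, `# generates the OAuth2/LFS JWT secrets on the host when the defaults are left empty`, would tell a reader why the include sits between package installation and "Configure gitea". The included tasks run `/usr/local/bin/gitea`, which presumably is installed before this point given the version check at the top of the file; worth confirming, since the install tasks are outside the hunk.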