autogenerate JWT_SECRETS (#77)

* autogenerate JWT_SECRETS

Based on https://docs.gitea.io/en-us/command-line/#generate we will now autogenerate JWT_SECRETS if they are not defined.
In my opinion a much better idea than writing a value in the default config.

I took out the check that the secrets are exactly 43 characters long. Gitea generates suitable secrets itself if the user-provided ones do not fit.

* drop ansible.builtin. syntax
This commit is contained in:
L3D 2021-02-10 20:04:13 +01:00 committed by GitHub
parent 67afb71160
commit 9cd664d91f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 44 additions and 20 deletions


@ -128,7 +128,7 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
* `gitea_lfs_enabled`: Enable GIT LFS *(git large file storeage: [git-lfs](https://git-lfs.github.com/))*. Default: `false` * `gitea_lfs_enabled`: Enable GIT LFS *(git large file storeage: [git-lfs](https://git-lfs.github.com/))*. Default: `false`
* `gitea_lfs_content_path`: path where the lfs files are stored * `gitea_lfs_content_path`: path where the lfs files are stored
* `gitea_lfs_secret`: JWT secret for remote LFS usage, has to be exactly 43 characters long * `gitea_lfs_secret`: JWT secret for remote LFS usage. Can be generated with ``gitea generate secret JWT_SECRET``
### Fail2Ban configuration ### Fail2Ban configuration
@ -146,7 +146,7 @@ As this will only deploy config files, fail2ban already has to be installed or o
### Oauth2 provider configuration ### Oauth2 provider configuration
* `gitea_oauth2_enabled`: Enable the Oauth2 provider (true/false) * `gitea_oauth2_enabled`: Enable the Oauth2 provider (true/false)
* `gitea_oauth2_jwt_secret`: JWT secret, has to be exactly 43 characters long * `gitea_oauth2_jwt_secret`: Oauth2 JWT secret. Can be generated with ``gitea generate secret JWT_SECRET``
### Metrics endpoint configuration ### Metrics endpoint configuration


@ -23,7 +23,7 @@ gitea_offline_mode: true
gitea_lfs_server_enabled: false gitea_lfs_server_enabled: false
gitea_lfs_content_path: "{{ gitea_home }}/data/lfs" gitea_lfs_content_path: "{{ gitea_home }}/data/lfs"
gitea_lfs_jwt_secret: 'ChangeMe1GGm26cTz5jsH9S3Df4MPzBx599wLCdKwmw' gitea_lfs_jwt_secret: ''
gitea_db_type: sqlite3 gitea_db_type: sqlite3
gitea_db_host: 127.0.0.0:3306 gitea_db_host: 127.0.0.0:3306
@ -69,7 +69,7 @@ gitea_fail2ban_jail_bantime: 900
gitea_fail2ban_jail_action: iptables-allports gitea_fail2ban_jail_action: iptables-allports
gitea_oauth2_enabled: true gitea_oauth2_enabled: true
gitea_oauth2_jwt_secret: PLZChangeThisToAFourtyThreeCharacterString1 gitea_oauth2_jwt_secret: ''
gitea_metrics_enabled: false gitea_metrics_enabled: false
gitea_metrics_token: ~ gitea_metrics_token: ~
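Review bot: The new empty defaults `gitea_lfs_jwt_secret: ''` and `gitea_oauth2_jwt_secret: ''` carry a meaning (generate on the host) that defaults/main.yml does not state, so a reader of this file alone cannot tell a deliberate empty value from a misconfiguration. Suggest a comment above each: `# empty: tasks/jwt_secrets.yml generates a secret on the target host and persists it under /etc/gitea`. Keeping the quoted empty string rather than a bare `key:` is right here, since the `| length == 0` tests in the tasks need a string, not null.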


@ -1,14 +0,0 @@
---
- name: run checks to ensure gitea_oauth2_jwt_secret do not crash gitea and is idempotent
block:
- name: "check token length"
fail:
msg: 'gitea_oauth2_jwt_secret has to be 43 characters long. It is currently {{ gitea_oauth2_jwt_secret | length }} long.'
when: gitea_oauth2_jwt_secret | length != 43
- name: run checks to ensure gitea_lfs_jwt_secret do not crash gitea and is idempotent
block:
- name: "check token length"
fail:
msg: 'gitea_lfs_jwt_secret has to be 43 characters long. It is currently {{ gitea_lfs_jwt_secret | length }} long.'
when: gitea_lfs_jwt_secret | length != 43

tasks/jwt_secrets.yml Normal file

@ -0,0 +1,38 @@
---
- name: generate OAuth2 JWT_SECRET if not provided
become: true
shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_oauth_jwt_secret'
args:
creates: '/etc/gitea/gitea_oauth_jwt_secret'
when: gitea_oauth2_jwt_secret | length == 0
- name: read OAuth2 JWT_SECRET from file
become: true
slurp:
src: '/etc/gitea/gitea_oauth_jwt_secret'
register: oauth_jwt_secret
when: gitea_oauth2_jwt_secret | length == 0
- name: set fact gitea_oauth2_jwt_secret
set_fact:
gitea_oauth2_jwt_secret: "{{ oauth_jwt_secret['content'] | b64decode }}"
when: gitea_oauth2_jwt_secret | length == 0
- name: generate LFS JWT_SECRET if not provided
become: true
shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_lfs_jwt_secret'
args:
creates: '/etc/gitea/gitea_lfs_jwt_secret'
when: gitea_lfs_jwt_secret | length == 0
- name: read LFS JWT_SECRET from file
become: true
slurp:
src: '/etc/gitea/gitea_lfs_jwt_secret'
register: lfs_jwt_secret
when: gitea_lfs_jwt_secret | length == 0
- name: set fact gitea_lfs_jwt_secret
set_fact:
gitea_lfs_jwt_secret: "{{ lfs_jwt_secret['content'] | b64decode }}"
when: gitea_lfs_jwt_secret | length == 0
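Review bot: The generation task is not failure-safe: with `... > /etc/gitea/gitea_oauth_jwt_secret` the shell creates the target file before `gitea generate secret` runs, so if the binary is missing or exits non-zero an empty file is left behind, `creates:` then skips generation on every later run, and the slurp/set_fact pair silently installs an empty JWT secret; the same applies to the LFS task. Write to a temporary name and rename only on success, e.g. `shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_oauth_jwt_secret.tmp && mv /etc/gitea/gitea_oauth_jwt_secret.tmp /etc/gitea/gitea_oauth_jwt_secret'`. The slurp and set_fact tasks also echo the secret into verbose run output and callbacks; add `no_log: true` to those four tasks. If the command's output carries a trailing newline (not verifiable here), `| b64decode | trim` in the set_fact would keep it out of the config value.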


@ -1,7 +1,5 @@
--- ---
- include: check-variables.yml
- name: "Check gitea version" - name: "Check gitea version"
shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3" shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3"
args: args:
@ -59,6 +57,8 @@
name: 'git' name: 'git'
state: 'present' state: 'present'
- include_tasks: jwt_secrets.yml
- name: "Configure gitea" - name: "Configure gitea"
template: template:
src: gitea.ini.j2 src: gitea.ini.j2
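Review bot: The new `- include_tasks: jwt_secrets.yml` line depends on running before "Configure gitea", because it sets the `gitea_oauth2_jwt_secret` / `gitea_lfs_jwt_secret` facts that gitea.ini.j2 presumably consumes, yet nothing in the file marks that ordering, so a later reorder would silently template empty secrets. Suggest a comment above it: `# must run before "Configure gitea": sets the gitea_*_jwt_secret facts used by gitea.ini.j2`. The surrounding task list continues outside the hunk.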