The file permissions for {{ gitea_home }} especially in conjunction with the recurse: true flag are on closer inspection very open to all and also have a +x set on files.
This should be done better. And I have done here now.
By the way: To improve the -x on normal files in his gitea installation this shell command was useful for me
```
find . -type f -exec chmod a-x {} \+;
find . -type f -exec chmod u=rwX {} \+;
```
* autogenerate JWT_SECRETS
Based on https://docs.gitea.io/en-us/command-line/#generate we will now autogenerate JWT_SECRETS if they are not defined.
In my opinion a much better idea than writing a value in the default config.
The check if the variables for the secrets are now 43 characters long i took out. Gitea generates itself suitable secrets, if the user given ones do not fit.
* drop ansible.builtin. syntax
* delete trailing whitespace
* Add gitea_group
This will add the `gitea_group: gitea` and will probably
RESOLVE https://github.com/thomas-maurice/ansible-role-gitea/issues/70
* update variable length
update variable length to make this role idempotent
* vars should not include special character
There is this linting message:
```
[208] File permissions unset or incorrect
tasks/main.yml:27
Task/Handler: Create config and data directory
```
I fixed it in this commit and added a github action
to run the official™ ansible linting check!
Recursively set the gitea user as owner of all it's directories (and create /indexers and /logs directories.
This is needed if one tried to start gitea as root before.
This is due the fact that Ansible often takes another default shell
to execute its commands, e.g., /bin/sh.
Solution is to require /bin/bash for the particular command.
In check_mode, the binary download task depends on the execution of the
previous one, which uses the module shell to fill in a variable. In the
download binary task we use a field on that variable that does not exist
in check_mode, so the task fails.
Signed-off-by: L. Alberto Giménez <agimenez@sysvalve.es>
ANsible comes with the error:
```bash
[DEPRECATION WARNING]: evaluating gitea_fail2ban_enabled as a bare variable, this behaviour will go away and you might need to add |bool to the expression in the future. Also see CONDITIONAL_BARE_VARS configuration toggle.. This
feature will be removed in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
```
appending ``|bool`` after a boolean variable will resolve the issue.
Old behavior is to download the binary of `gitea_version` every run,
then checksum it against the currently installed version to see if it needs
to be copied over.
New behavior is to attempt to extract the current running version of gitea
and only initiate the old behavior if the running version != `gitea_version`.
Default is old behavior due to the major logic change involved.