Compare commits

1 commit

Author SHA1 Message Date
8e7c8102fe
fix logging path 2020-09-18 12:11:42 +02:00
21 changed files with 146 additions and 442 deletions

@ -1,22 +0,0 @@
---
name: Ansible Lint check
# yamllint disable-line rule:truthy
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Lint Ansible Playbook
uses: ansible/ansible-lint-action@master
with:
targets: "."
# [required]
# Paths to ansible files (i.e., playbooks, tasks, handlers etc..)
args: ""
# [optional]

@ -7,12 +7,11 @@ env:
matrix:
- MOLECULE_DISTRO: centos8
- MOLECULE_DISTRO: centos7
- MOLECULE_DISTRO: ubuntu2004
- MOLECULE_DISTRO: ubuntu1804
- MOLECULE_DISTRO: ubuntu1604
- MOLECULE_DISTRO: debian10
- MOLECULE_DISTRO: debian9
- MOLECULE_DISTRO: fedora33
- MOLECULE_DISTRO: fedora31
services:
- docker

@ -58,11 +58,9 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
* `gitea_version_check`: Check if installed version != `gitea_version` before initiating binary download
* `gitea_user`: UNIX user used by Gitea
* `gitea_group`: UNIX group used by Gitea
* `gitea_home`: Base directory to work
* `gitea_dl_url`: The URL, the compiled gitea-binary will be downloaded from
* `gitea_systemd_cap_net_bind_service`: Adds `AmbientCapabilities=CAP_NET_BIND_SERVICE` to systemd service file
* `gitea_extra_config`: Additional configuration
### Look and feel
@ -71,18 +69,14 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
* `gitea_disable_gravatar`: Do you want to disable Gravatar ? (privacy and so on) (true/false)
* `gitea_offline_mode`: Same but for disabling CDNs for frontend assets (true/false)
* `gitea_disable_registration`: Do you want to disable user registration ? (true/false)
* `gitea_register_email_confirm`: Enable this to ask for mail confirmation of registration. Requires `gitea_mailer_enabled` to be enabled (Default: `false`)
* `gitea_only_allow_external_registration`: Do you want to force registration only using third-party services ? (true/false)
* `gitea_show_registration_button`: Do you want to show the registration button? (true/false)
* `gitea_require_signin`: Do you require a signin to see repo's (even public ones) ? (true/false)
* `gitea_enable_captcha`: Do you want to enable captcha's ? (true/false)
* `gitea_themes`: List of enabled themes
* `gitea_theme_default`: Default theme
### Security
* `gitea_secret_key`: Cookie secret key
* `gitea_internal_token`: Internal API token
* `gitea_disable_git_hooks`: Do you want to disable the interface to add git hooks? If enabled it could be a security bug as it can be used for RCE. Defaults to true (true/false)
* `gitea_themes`: List of enabled themes
* `gitea_theme_default`: Default theme
### Limits
@ -94,9 +88,8 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
* `gitea_root_url`: Root URL used to access your web app (full URL)
* `gitea_protocol`: Listening protocol (http/https)
* `gitea_http_listen`: Bind address
* `gitea_http_port`: Bind port (redirect from `80` will be activated if value is `443` - Default: `3000`)
* `gitea_http_port`: Bind port
* `gitea_disable_http_git`: Disable the use of Git over HTTP ? (true/false)
* `gitea_http_letsencrypt_mail` Enable Let`s Encrypt if a email address is given
### SSH configuration
@ -112,7 +105,7 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
* `gitea_db_name`: Database name
* `gitea_db_user`: Database username
* `gitea_db_password`: Database password
* `gitea_db_ssl`: Use SSL ? (postgres only!). Can be `require`, `disable`, `verify-ca` or `verify-full`
* `gitea_db_ssl`: Use SSL ? (postgres only!). Can be `required`, `disable`, `verify-full`
* `gitea_db_path`: DB path, if you use `sqlite3`. The default is good enough to work though.
### Mailer configuration
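
Review bot: The new `gitea_db_ssl` line documents the value `required`, but the template comment above `SSL_MODE` in this same change lists "require", and `required` is not a Postgres sslmode. Use `require` in the README, and consider keeping `verify-ca` in the list, since the line being replaced documented it.
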
@ -124,16 +117,7 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
* `gitea_mailer_user`: SMTP server username
* `gitea_mailer_password`: SMTP server password
* `gitea_mailer_from`: Sender mail address
* `gitea_subject_prefix`: Prefix to be placed before e-mail subject lines (Default: ``)
* `gitea_enable_notify_mail`: Whether e-mail should be send to watchers of a repository when something happens. Default: `false`
* `gitea_mail_default`: Default configuration for email notifications for users (user configurable). Options: enabled, onmention, disable (Default: `onmention` )
* `gitea_autowatch_new_repo`: Enable this to let all organisation users watch new repos when they are created (Default: `false`)
* `gitea_autowatch_on_change`: Enable this to make users watch a repository after their first commit to it (Default: `true`)
* `gitea_show_mailstones_dashboard`: Enable this to show the milestones dashboard page - a view of all the users milestones (Default: `true`)
### Log configuration
* `gitea_log_systemd` Disable logging into `file`, use systemd-journald
* `gitea_log_only_warning` Log only warnings or above, no http access or sql logging (Default: `true`)
### Fail2Ban configuration
@ -150,12 +134,8 @@ As this will only deploy config files, fail2ban already has to be installed or o
### Oauth2 provider configuration
* `gitea_oauth2_enabled`: Enable the Oauth2 provider (true/false)
* `gitea_oauth2_jwt_secret`: Oauth2 JWT secret. Can be generated with ``gitea generate secret JWT_SECRET``
* `gitea_oauth2_jwt_secret`: JWT secret, cannot be longer than 32 characters
### GIT LFS configuration
* `gitea_lfs_enabled`: Enable GIT LFS (large filesystem)
* `gitea_lfs_mode`: should lfs be in offline mode (true/false)
* `gitea_lfs_secret`: JWT secret for remote LFS usage
### Metrics endpoint configuration
@ -170,10 +150,6 @@ As this will only deploy config files, fail2ban already has to be installed or o
* `gitea_repo_exclude_vendored`: Exclude vendored files from the index. Default: `true`
* `gitea_repo_indexer_max_file_size`: Maximum size of files to be indexed (in bytes). Default: `1048576` (1 MB)
### backup on upgrade
* `gitea_backup_on_upgrade`: Optionally a backup can be created with every update of gitea. Default: `false`
* `gitea_backup_location`: Where to store the gitea backup if one is created with this role. Default: `{{ gitea_home }}/backups/`
## Contributing
Don't hesitate to create a pull request, and when in doubt you can reach me on
Twitter [@thomas_maurice](https://twitter.com/thomas_maurice).

@ -1,18 +1,15 @@
---
gitea_version: "1.17.1"
gitea_version: "1.12.0"
gitea_version_check: true
gitea_dl_url: "https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-{{ gitea_arch }}"
gitea_gpg_key: "7C9E68152594688862D62AF62D9AE806EC1592E2"
gitea_gpg_server: "hkps://keys.openpgp.org"
gitea_app_name: "Gitea"
gitea_user: "gitea"
gitea_group: "gitea"
gitea_home: "/var/lib/gitea"
gitea_shell: "/bin/false"
gitea_systemd_cap_net_bind_service: false
gitea_repository_root: "{{ gitea_home }}/repos"
gitea_repository_root: "{{ gitea_home }}"
gitea_user_repo_limit: -1
gitea_http_domain: localhost
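
Review bot: The default `gitea_version` in this hunk goes from "1.17.1" to "1.12.0", so a host that takes the role defaults installs an older Gitea release than before; keep the newer pin unless the downgrade is intended. The same hunk points `gitea_repository_root` at `{{ gitea_home }}` itself instead of `{{ gitea_home }}/repos`, which puts repositories directly beside the data, custom and log directories the role creates under `gitea_home`; a dedicated subdirectory keeps ownership and backup scopes separate.
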
@ -20,15 +17,11 @@ gitea_root_url: http://localhost:3000
gitea_protocol: http
gitea_http_listen: 127.0.0.1
gitea_http_port: 3000
# gitea_http_letsencrypt_mail: - required
gitea_disable_http_git: false
gitea_offline_mode: true
gitea_lfs_server_enabled: false
gitea_lfs_content_path: "{{ gitea_home }}/data/lfs"
gitea_lfs_jwt_secret: ''
gitea_lfs_secret: SomethingVeryLong
gitea_lfs_mode: true
gitea_lfs_content_path: "data/lfs"
gitea_db_type: sqlite3
gitea_db_host: 127.0.0.0:3306
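
Review bot: `gitea_lfs_secret: SomethingVeryLong` gives every installation that keeps the defaults the same value for `LFS_JWT_SECRET`, where the line it replaces (`gitea_lfs_jwt_secret: ''`) left it empty. Ship no usable default and fail the play when LFS is enabled and the secret is unset, so the value always comes from the inventory or a vault.
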
@ -45,21 +38,15 @@ gitea_ssh_port: 2222
gitea_secret_key: T0pS3cr31
gitea_internal_token: SomethingVeryLong
gitea_disable_git_hooks: true
gitea_show_user_email: false
gitea_disable_gravatar: true
gitea_disable_registration: false
gitea_register_email_confirm: false
gitea_show_registration_button: true
gitea_require_signin: true
gitea_enable_captcha: true
gitea_only_allow_external_registration: false
gitea_enable_notify_mail: false
gitea_mail_default: onmention
gitea_autowatch_new_repo: false
gitea_autowatch_on_change: true
gitea_show_mailstones_dashboard: true
gitea_force_private: false
@ -70,12 +57,8 @@ gitea_mailer_host: localhost:25
gitea_mailer_from: noreply@your.domain
gitea_mailer_user: ""
gitea_mailer_password: ""
gitea_subject_prefix: ""
gitea_mailer_type: smtp
gitea_log_systemd: false
gitea_log_only_warning: true
gitea_fail2ban_enabled: false
gitea_fail2ban_jail_maxretry: 10
gitea_fail2ban_jail_findtime: 3600
@ -83,7 +66,7 @@ gitea_fail2ban_jail_bantime: 900
gitea_fail2ban_jail_action: iptables-allports
gitea_oauth2_enabled: true
gitea_oauth2_jwt_secret: ''
gitea_oauth2_jwt_secret: ChangeMe
gitea_metrics_enabled: false
gitea_metrics_token: ~
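
Review bot: `gitea_oauth2_jwt_secret: ChangeMe` sits directly under `gitea_oauth2_enabled: true`, so with untouched defaults the OAuth2 provider runs with a signing secret that is published in the role. Keep the empty default and have the variable check reject an empty value or the placeholder, rather than relying on the operator to notice.
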
@ -96,10 +79,3 @@ gitea_repo_indexer_include: ""
gitea_repo_indexer_exclude: ""
gitea_repo_exclude_vendored: true
gitea_repo_indexer_max_file_size: 1048576
gitea_log_level: Info
gitea_extra_config: ""
gitea_backup_on_upgrade: false
gitea_backup_location: "{{ gitea_home }}/backups/"

@ -1,17 +1,17 @@
---
- name: "Restart gitea"
ansible.builtin.service:
service:
name: gitea
state: restarted
when: ansible_service_mgr == "systemd"
- name: "Reload systemd"
ansible.builtin.systemd:
systemd:
daemon_reload: true
when: ansible_service_mgr == "systemd"
- name: "Restart fail2ban"
ansible.builtin.service:
service:
name: fail2ban
state: restarted
when: ansible_service_mgr == "systemd"

@ -2,7 +2,7 @@
galaxy_info:
author: Thomas Maurice
description: Ansible Role - Gitea
min_ansible_version: 2.10
min_ansible_version: 2.7.9
license: BSD-3-Clause
galaxy_tags:
- git
@ -16,17 +16,12 @@ galaxy_info:
platforms:
- name: Debian
versions:
- jessie
- stretch
- buster
- name: EL
versions:
- 7
- name: Ubuntu
versions:
- xenial
- bionic
- focal
- name: CentOS
versions:
- 7
- 8
- name: Fedora
versions:
- 33

@ -1,27 +1,22 @@
---
- name: Prepare
- name: Perpare
hosts: all
become: true
tasks:
- name: install dependencies for gitea (RedHat based systems)
yum:
name: "{{ redhat_packages }}"
name: "{{ packages }}"
state: present
update_cache: true
when: ansible_os_family == "RedHat"
- name: install dependencies for gitea (Debian based systems)
apt:
name: "{{ debian_packages }}"
name: "{{ packages }}"
state: present
update_cache: true
when: ansible_os_family == "Debian"
vars:
debian_packages:
packages:
- git
- curl
- xz-utils
redhat_packages:
- git
- curl
- xz
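
Review bot: With the two per-family lists merged into a single `packages` variable, the yum task for RedHat hosts is asked to install `xz-utils`, which is the Debian package name; the lines this replaces used `xz` for RedHat. Keep separate `debian_packages` and `redhat_packages` lists. The play name also changes from `Prepare` to `Perpare`, which looks like a typo.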

@ -1,21 +1,24 @@
ansible==2.10.7
ansible==2.9.6
ansible-lint==4.2.0
anyconfig==0.9.7
arrow==0.15.5
asn1crypto==0.24.0
atomicwrites==1.3.0
attrs==19.1.0
autopep8==1.5.1
bcrypt==3.1.7
binaryornot==0.4.4
Cerberus==1.3.2
certifi==2020.12.5
cffi==1.14.4
chardet==4.0.0
click==7.1.2
certifi==2020.4.5.1
cffi==1.14.0
chardet==3.0.4
click==7.1.1
click-completion==0.5.2
click-help-colors==0.9
colorama==0.4.4
cookiecutter==1.7.2
cryptography==3.3.1
cryptography==3.3.2
docker==4.4.1
click-help-colors==0.8
colorama==0.4.3
cookiecutter==1.7.0
cryptography==2.9
docker==4.2.0
docker-pycreds==0.4.0
entrypoints==0.3
fasteners==0.15
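
Review bot: The pins in this hunk move to older releases, most notably `cryptography` from 3.3.2 to 2.9, alongside `ansible`, `certifi`, `cffi`, `chardet` and `docker`. Unless an incompatibility forces the downgrade, keep the newer pins, and if one is forced, record the reason next to the pin. The same applies to the later hunks of this file (`Jinja2`, `paramiko`, `py`, `PyYAML`, `urllib3`). The old side also appears to list `cryptography` twice (3.3.1 and 3.3.2); a requirements file should carry one pin per package.
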
@ -24,23 +27,23 @@ future==0.18.2
git-url-parse==1.2.1
idna==2.9
importlib-metadata==1.6.0
Jinja2==2.11.3
Jinja2==2.11.2
jinja2-time==0.2.0
MarkupSafe==1.1.1
mccabe==0.6.1
molecule==3.0.3
monotonic==1.5
more-itertools==8.6.0
paramiko==2.7.2
pathspec==0.8.1
pbr==5.5.1
more-itertools==6.0.0
paramiko==2.7.1
pathspec==0.8.0
pbr==5.1.1
pexpect==4.8.0
pi==0.1.2
pluggy==0.13.1
poyo==0.5.0
psutil==5.6.6
ptyprocess==0.6.0
py==1.10.0
py==1.8.0
pyasn1==0.4.5
pycodestyle==2.5.0
pycparser==2.20
@ -49,7 +52,7 @@ PyNaCl==1.3.0
pytest==4.3.1
python-dateutil==2.8.1
python-gilt==1.2.3
PyYAML==5.4
PyYAML==5.3.1
requests==2.23.0
ruamel.yaml==0.16.10
ruamel.yaml.clib==0.2.0
@ -57,10 +60,10 @@ sh==1.12.14
shellingham==1.3.2
six==1.14.0
tabulate==0.8.7
testinfra==6.0.0
testinfra==5.0.0
tree-format==0.1.2
urllib3==1.26.5
urllib3==1.25.8
websocket-client==0.57.0
whichcraft==0.6.1
yamllint==1.26.0
zipp==3.4.0
yamllint==1.22.1
zipp==3.1.0

@ -1,30 +0,0 @@
---
- name: Get service facts
service_facts:
- block:
- name: Stopping gitea before upgrade
service:
name: gitea
state: stopped
- name: "Create backup directory"
file:
path: "{{ item }}"
state: directory
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: 'u=rwx,g=rx,o='
with_items:
- "{{ gitea_backup_location }}"
- name: Backing up gitea before upgrade
command:
cmd: "/usr/local/bin/gitea dump -c /etc/gitea/gitea.ini"
chdir: "{{ gitea_backup_location }}"
become: true
become_user: "{{ gitea_user }}"
when:
- ansible_facts.services["gitea.service"] is defined
- ansible_facts.services["gitea.service"].state == "running"
- gitea_active_version.stdout != gitea_version

@ -0,0 +1,7 @@
---
- name: run checks to ensure set variables do not crash gitea
block:
- name: "check token length"
fail:
msg: 'gitea_oauth2_jwt_secret cannot be longer than 32 characters.'
when: gitea_oauth2_jwt_secret | length > 32
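
Review bot: The `when` on "check token length" only enforces an upper bound, so an empty `gitea_oauth2_jwt_secret` or the `ChangeMe` value from the defaults file passes the check. Add conditions that fail on an empty value and on the shipped default, for example `gitea_oauth2_jwt_secret | length == 0`, and drop the `block:` wrapper, which adds nothing around a single task.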

@ -1,14 +1,7 @@
---
- name: "Create Gitea Group"
group:
name: "{{ gitea_group }}"
system: true
state: "present"
- name: "Create Gitea user"
ansible.builtin.user:
user:
name: "{{ gitea_user }}"
comment: "Gitea user"
home: "{{ gitea_home }}"
shell: "{{ gitea_shell }}"
system: true
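
Review bot: `shell: "{{ gitea_shell }}"` appears to be among the removed lines of the user task (the header shrinks the file from 14 lines to 7), which leaves the `gitea` account with the distribution's default login shell. Keep the `shell:` line unless a login shell is required, and document that requirement if so. The "Create Gitea Group" task is removed as well, and nothing visible in the remaining task creates `{{ gitea_group }}`, which later tasks use as the `group:` of the directories and of `gitea.ini`.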

@ -1,26 +1,18 @@
---
- name: Install fail2ban filter
ansible.builtin.template:
template:
src: fail2ban/filter.conf.j2
dest: /etc/fail2ban/filter.d/gitea.conf
owner: root
group: root
mode: 0444
notify: Restart fail2ban
when: "'fail2ban' in ansible_facts.packages"
- name: Install fail2ban jail
ansible.builtin.template:
template:
src: fail2ban/jail.conf.j2
dest: /etc/fail2ban/jail.d/gitea.conf
owner: root
group: root
mode: 0444
notify: Restart fail2ban
when: "'fail2ban' in ansible_facts.packages"
- name: warn if fail2ban is not installed
ansible.builtin.fail:
msg: "the package fail2ban is not installed. no fail2ban filters deployed."
when: "'fail2ban' not in ansible_facts.packages"
ignore_errors: true
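
Review bot: Both template tasks lose their `when: "'fail2ban' in ansible_facts.packages"` guard, so they write into `/etc/fail2ban/filter.d` and `/etc/fail2ban/jail.d` and notify "Restart fail2ban" whether or not the package is present; on a host without fail2ban the play fails where it previously only warned. Keep a pre-check for the package, or fail early with a message that names the missing dependency.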

@ -1,71 +0,0 @@
---
- block:
- name: Update apt cache
apt:
cache_valid_time: 3600
update_cache: true
register: _pre_update_apt_cache
until: _pre_update_apt_cache is succeeded
when:
- ansible_pkg_mgr == "apt"
- name: Install dependencies
package:
name: "{{ gitea_dependencies }}"
state: present
register: _install_dep_packages
until: _install_dep_packages is succeeded
retries: 5
delay: 2
- block:
- name: Download gitea archive
get_url:
url: "{{ gitea_dl_url }}.xz"
dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
checksum: "sha256:{{ gitea_dl_url }}.xz.sha256"
register: _download_archive
until: _download_archive is succeeded
retries: 5
delay: 2
- name: Download gitea asc file
get_url:
url: "{{ gitea_dl_url }}.xz.asc"
dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc"
register: _download_asc
until: _download_asc is succeeded
retries: 5
delay: 2
- name: Check gitea gpg key
command: "gpg --list-keys 0x{{ gitea_gpg_key }}"
register: _gitea_gpg_key_status
changed_when: false
failed_when: _gitea_gpg_key_status.rc not in (0, 2)
- name: Import gitea gpg key
command: "gpg --keyserver {{ gitea_gpg_server }} --recv {{ gitea_gpg_key }}"
register: _gitea_import_key
changed_when: '"imported: 1" in _gitea_import_key.stderr'
when: _gitea_gpg_key_status.rc != 0
- name: Check archive signature
command: "gpg --verify /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
changed_when: false
- name: Unpack gitea binary
command:
cmd: "xz -k -d /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
creates: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}"
- name: Propagate gitea binary
copy:
src: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}"
remote_src: true
dest: "/usr/local/bin/gitea"
mode: 0755
owner: root
group: root
notify: "Restart gitea"
when: (not gitea_version_check|bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version))
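
Review bot: Deleting this file removes every integrity check on the Gitea binary: the `checksum:` on the archive download, the `.asc` download and the `gpg --verify` step. The download that remains in the main task file fetches `{{ gitea_dl_url }}` straight to `/usr/local/bin/gitea`, and the lines shown for it carry no checksum. Keep the signature verification, or at minimum add a `checksum:` to that `get_url` task.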

@ -1,6 +1,6 @@
---
- name: "Setup systemd service"
ansible.builtin.template:
template:
src: gitea.service.j2
dest: /lib/systemd/system/gitea.service
owner: root
@ -10,8 +10,6 @@
- "Reload systemd"
- "Restart gitea"
# systemd to be reloaded the first time because
# it is the only way Systemd is going to be aware of the new unit file.
- name: "Reload systemd"
ansible.builtin.systemd:
systemd:
daemon_reload: true

@ -1,38 +0,0 @@
---
- name: generate OAuth2 JWT_SECRET if not provided
become: true
shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_oauth_jwt_secret'
args:
creates: '/etc/gitea/gitea_oauth_jwt_secret'
when: gitea_oauth2_jwt_secret | length == 0
- name: read OAuth2 JWT_SECRET from file
become: true
slurp:
src: '/etc/gitea/gitea_oauth_jwt_secret'
register: oauth_jwt_secret
when: gitea_oauth2_jwt_secret | length == 0
- name: set fact gitea_oauth2_jwt_secret
set_fact:
gitea_oauth2_jwt_secret: "{{ oauth_jwt_secret['content'] | b64decode }}"
when: gitea_oauth2_jwt_secret | length == 0
- name: generate LFS JWT_SECRET if not provided
become: true
shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_lfs_jwt_secret'
args:
creates: '/etc/gitea/gitea_lfs_jwt_secret'
when: gitea_lfs_jwt_secret | length == 0
- name: read LFS JWT_SECRET from file
become: true
slurp:
src: '/etc/gitea/gitea_lfs_jwt_secret'
register: lfs_jwt_secret
when: gitea_lfs_jwt_secret | length == 0
- name: set fact gitea_lfs_jwt_secret
set_fact:
gitea_lfs_jwt_secret: "{{ lfs_jwt_secret['content'] | b64decode }}"
when: gitea_lfs_jwt_secret | length == 0
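
Review bot: Removing these tasks drops the only place where the role generated per-host JWT secrets (`gitea generate secret JWT_SECRET` under `umask 077`), while the defaults in this change replace the empty values with fixed strings. If generation has to go, require the operator to supply both secrets and fail when they are missing instead of falling back to a shared literal.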

@ -1,19 +1,9 @@
---
- name: Gather variables for each operating system
include_vars: "{{ item }}"
with_first_found:
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_distribution | lower }}.yml"
- "{{ ansible_os_family | lower }}.yml"
- name: Gather installed packages for checks in the role (fail2ban)
ansible.builtin.package_facts:
manager: auto
- include: check-variables.yml
- name: "Check gitea version"
ansible.builtin.shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3"
shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3"
args:
executable: /bin/bash
register: gitea_active_version
@ -22,7 +12,7 @@
when: gitea_version_check|bool
- name: "Download the binary"
ansible.builtin.get_url:
get_url:
url: "{{ gitea_dl_url }}"
dest: /usr/local/bin/gitea
owner: root
@ -35,24 +25,13 @@
- include: create_user.yml
- name: "Create config and data directory"
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: '0755'
with_items:
- "/etc/gitea"
- name: "Create data directory"
file:
path: "{{ item }}"
state: directory
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: 'u=rwX,g=rX,o='
recurse: true
recurse: True
with_items:
- "/etc/gitea"
- "{{ gitea_home }}"
- "{{ gitea_home }}/data"
- "{{ gitea_home }}/custom"
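
Review bot: `/etc/gitea` moves into the list handled with `recurse: True`, so each run re-applies owner, group and `u=rwX,g=rX,o=` to everything beneath it, including `gitea.ini`, which a later task sets to `0600`; the two tasks will undo each other's mode on every run and the config file is group-readable in between. Handle `/etc/gitea` in its own non-recursive task as the removed lines did, and write `recurse: true` in lowercase to match the rest of the role.
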
@ -60,28 +39,25 @@
- "{{ gitea_home }}/custom/mailer"
- "{{ gitea_home }}/indexers"
- "{{ gitea_home }}/log"
- "{{ gitea_repository_root }}"
- include: install_systemd.yml
when: ansible_service_mgr == "systemd"
- include_tasks: jwt_secrets.yml
- name: 'Install git'
ansible.builtin.package:
package:
name: 'git'
state: 'present'
- name: "Configure gitea"
ansible.builtin.template:
template:
src: gitea.ini.j2
dest: /etc/gitea/gitea.ini
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: 0600
notify: "Restart gitea"
- name: "Service gitea"
ansible.builtin.service:
service:
name: gitea
state: started
enabled: true

@ -3,219 +3,193 @@
;
; This file overwrites the default values from gitea.
; undefined variables will use the default value from gitea.
; Cheat Sheet: https://docs.gitea.io/en-us/config-cheat-sheet/
; Cheat Sheet: https://docs.gitea.io/en-us/config-cheat-sheet/
;
; App name that shows on every page title
APP_NAME = {{ gitea_app_name }}
APP_NAME = {{ gitea_app_name }}
; Change it if you run locally
RUN_USER = {{ gitea_user }}
; Either "dev", "prod" or "test", default is "dev"
RUN_MODE = prod
[repository]
ROOT = {{ gitea_repository_root }}
ROOT = {{ gitea_repository_root }}
; Force every new repository to be private
FORCE_PRIVATE = {{ gitea_force_private | ternary('true', 'false') }}
FORCE_PRIVATE = {{ gitea_force_private }}
; Global limit of repositories per user, applied at creation time. -1 means no limit
MAX_CREATION_LIMIT = {{ gitea_user_repo_limit }}
MAX_CREATION_LIMIT = {{ gitea_user_repo_limit }}
; Mirror sync queue length, increase if mirror syncing starts hanging
MIRROR_QUEUE_LENGTH = 1000
; Disable the ability to interact with repositories using the HTTP protocol
DISABLE_HTTP_GIT = {{ gitea_disable_http_git | ternary('true', 'false') }}
DISABLE_HTTP_GIT = {{ gitea_disable_http_git }}
[ui]
; Whether the email of the user should be shown in the Explore Users page
SHOW_USER_EMAIL = {{ gitea_show_user_email | ternary('true', 'false') }}
THEMES = {{ gitea_themes }}
DEFAULT_THEME = {{ gitea_theme_default }}
SHOW_USER_EMAIL = {{ gitea_show_user_email }}
THEMES = {{ gitea_themes }}
DEFAULT_THEME = {{ gitea_theme_default }}
[server]
; The protocol the server listens on. One of 'http', 'https', 'unix' or 'fcgi'.
PROTOCOL = {{ gitea_protocol }}
DOMAIN = {{ gitea_http_domain }}
ROOT_URL = {{ gitea_root_url }}
PROTOCOL = {{ gitea_protocol }}
DOMAIN = {{ gitea_http_domain }}
ROOT_URL = {{ gitea_root_url }}
; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket.
HTTP_ADDR = {{ gitea_http_listen }}
HTTP_PORT = {{ gitea_http_port }}
{% if gitea_http_port == 443 %}
PORT_TO_REDIRECT = 80
{% endif %}
{% if gitea_http_letsencrypt_mail is defined %}
ENABLE_LETSENCRYPT = true
LETSENCRYPT_ACCEPTTOS = true
LETSENCRYPT_EMAIL = {{ gitea_http_letsencrypt_mail }}
{% endif %}
; Disable SSH feature when not available
DISABLE_SSH = false
DISABLE_SSH = false
; Whether to use the builtin SSH server or not.
START_SSH_SERVER = {{ gitea_start_ssh | ternary('true', 'false') }}
START_SSH_SERVER = {{ gitea_start_ssh }}
; Domain name to be exposed in clone URL
SSH_DOMAIN = {{ gitea_ssh_domain }}
SSH_DOMAIN = {{ gitea_ssh_domain }}
; The network interface the builtin SSH server should listen on
SSH_LISTEN_HOST = {{ gitea_ssh_listen }}
SSH_LISTEN_HOST = {{ gitea_ssh_listen }}
; Port number to be exposed in clone URL
SSH_PORT = {{ gitea_ssh_port }}
SSH_PORT = {{ gitea_ssh_port }}
; The port number the builtin SSH server should listen on
SSH_LISTEN_PORT = %(SSH_PORT)s
SSH_LISTEN_PORT = %(SSH_PORT)s
; Disable CDN even in "prod" mode
OFFLINE_MODE = {{ gitea_offline_mode | ternary('true', 'false') }}
OFFLINE_MODE = {{ gitea_offline_mode }}
; Default path for App data
APP_DATA_PATH = {{ gitea_home }}/data
{% if gitea_lfs_server_enabled | bool -%}
APP_DATA_PATH = {{ gitea_home }}/data
{%- if gitea_lfs_server_enabled | bool %}
;Enables git-lfs support.
LFS_START_SERVER = true
LFS_START_SERVER = true
; Where to store LFS files.
LFS_CONTENT_PATH = {{ gitea_lfs_content_path }}
; LFS authentication secret
LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }}
LFS_CONTENT_PATH = {{ gitea_lfs_content_path }}
; if the LFS sotre is not offline/local
LFS_JWT_SECRET = {{ gitea_lfs_secret }}
OFFLINE_MODE = {{ gitea_lfs_mode }}
{% endif %}
{%- endif %}
[database]
; Either "mysql", "postgres", "mssql" or "sqlite3", it's your choice
DB_TYPE = {{ gitea_db_type }}
HOST = {{ gitea_db_host }}
NAME = {{ gitea_db_name }}
USER = {{ gitea_db_user }}
DB_TYPE = {{ gitea_db_type }}
HOST = {{ gitea_db_host }}
NAME = {{ gitea_db_name }}
USER = {{ gitea_db_user }}
; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD = {{ gitea_db_password }}
; For Postgres, either "disable" (default), "require", "verify-ca" or "verify-full"
PASSWD = {{ gitea_db_password }}
; For Postgres, either "disable" (default), "require", or "verify-full"
; For MySQL, either "false" (default), "true", or "skip-verify"
SSL_MODE = {{ gitea_db_ssl }}
SSL_MODE = {{ gitea_db_ssl }}
; For "sqlite3" and "tidb", use an absolute path when you start gitea as service
PATH = {{ gitea_db_path }}
{% if gitea_log_only_warning %}
LOG_SQL = false
{% endif %}
[indexer]
; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve
ISSUE_INDEXER_PATH = {{ gitea_home }}/indexers/issues.bleve
ISSUE_INDEXER_PATH = {{ gitea_home }}/indexers/issues.bleve
; Issue indexer queue, currently support: channel or levelqueue, default is levelqueue
ISSUE_INDEXER_QUEUE_TYPE = levelqueue
ISSUE_INDEXER_QUEUE_TYPE = levelqueue
; When ISSUE_INDEXER_QUEUE_TYPE is levelqueue, this will be the queue will be saved path,
; default is indexers/issues.queue
ISSUE_INDEXER_QUEUE_DIR = {{ gitea_home }}/indexers/issues.queue
ISSUE_INDEXER_QUEUE_DIR = {{ gitea_home }}/indexers/issues.queue
; repo indexer by default disabled, since it uses a lot of disk space
REPO_INDEXER_ENABLED = {{ gitea_repo_indexer_enabled }}
REPO_INDEXER_PATH = {{ gitea_home }}/indexers/repos.bleve
REPO_INDEXER_INCLUDE = {{ gitea_repo_indexer_include }}
REPO_INDEXER_EXCLUDE = {{ gitea_repo_indexer_exclude }}
REPO_INDEXER_ENABLED = {{ gitea_repo_indexer_enabled }}
REPO_INDEXER_PATH = {{ gitea_home }}/indexers/repos.bleve
REPO_INDEXER_INCLUDE = {{ gitea_repo_indexer_include }}
REPO_INDEXER_EXCLUDE = {{ gitea_repo_indexer_exclude }}
REPO_INDEXER_EXCLUDE_VENDORED = {{ gitea_repo_exclude_vendored }}
MAX_FILE_SIZE = {{ gitea_repo_indexer_max_file_size }}
MAX_FILE_SIZE = {{ gitea_repo_indexer_max_file_size }}
[security]
; Whether the installer is disabled
INSTALL_LOCK = true
INSTALL_LOCK = true
; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!!
SECRET_KEY = {{ gitea_secret_key }}
INTERNAL_TOKEN = {{ gitea_internal_token }}
SECRET_KEY = {{ gitea_secret_key }}
INTERNAL_TOKEN = {{ gitea_internal_token }}
; How long to remember that an user is logged in before requiring relogin (in days)
LOGIN_REMEMBER_DAYS = 7
DISABLE_GIT_HOOKS = {{ gitea_disable_git_hooks | ternary('true', 'false') }}
[service]
; Disallow registration, only allow admins to create accounts.
DISABLE_REGISTRATION = {{ gitea_disable_registration }}
REGISTER_EMAIL_CONFIRM = {{ gitea_register_email_confirm }}
; User must sign in to view anything.
REQUIRE_SIGNIN_VIEW = {{ gitea_require_signin | ternary('true', 'false') }}
REQUIRE_SIGNIN_VIEW = {{ gitea_require_signin }}
; Enable captcha validation for registration
ENABLE_CAPTCHA = {{ gitea_enable_captcha | ternary('true', 'false') }}
ENABLE_CAPTCHA = {{ gitea_enable_captcha }}
; Type of captcha you want to use. Options: image, recaptcha
CAPTCHA_TYPE = image
CAPTCHA_TYPE = image
; Enable recaptcha to use Google's recaptcha service
; Go to https://www.google.com/recaptcha/admin to sign up for a key
RECAPTCHA_SECRET =
RECAPTCHA_SITEKEY =
RECAPTCHA_SECRET =
RECAPTCHA_SITEKEY =
; Show Registration button
SHOW_REGISTRATION_BUTTON = {{ gitea_show_registration_button }}
ALLOW_ONLY_EXTERNAL_REGISTRATION = {{ gitea_only_allow_external_registration }}
ENABLE_NOTIFY_MAIL = {{ gitea_enable_notify_mail }}
DEFAULT_EMAIL_NOTIFICATIONS = {{ gitea_mail_default }}
AUTO_WATCH_NEW_REPOS = {{ gitea_autowatch_new_repo }}
AUTO_WATCH_ON_CHANGES = {{ gitea_autowatch_on_change }}
SHOW_MILESTONES_DASHBOARD_PAGE = {{ gitea_show_mailstones_dashboard }}
[mailer]
ENABLED = {{ gitea_mailer_enabled | ternary('true', 'false') }}
ENABLED = {{ gitea_mailer_enabled }}
; Mail server
; Gmail: smtp.gmail.com:587
; QQ: smtp.qq.com:465
; Note, if the port ends with "465", SMTPS will be used. Using STARTTLS on port 587 is recommended per RFC 6409. If the server supports STARTTLS it will always be used.
HOST = {{ gitea_mailer_host }}
HOST = {{ gitea_mailer_host }}
; Disable HELO operation when hostnames are different.
DISABLE_HELO =
; Custom hostname for HELO operation, if no value is provided, one is retrieved from system.
HELO_HOSTNAME =
; Do not verify the certificate of the server. Only use this for self-signed certificates
SKIP_VERIFY = {{ gitea_mailer_skip_verify }}
SKIP_VERIFY = {{ gitea_mailer_skip_verify }}
; Use client certificate
USE_CERTIFICATE = false
CERT_FILE = {{ gitea_home }}/custom/mailer/cert.pem
KEY_FILE = {{ gitea_home }}/custom/mailer/key.pem
USE_CERTIFICATE = false
CERT_FILE = {{ gitea_home }}/custom/mailer/cert.pem
KEY_FILE = {{ gitea_home }}/custom/mailer/key.pem
; Should SMTP connection use TLS
IS_TLS_ENABLED = {{ gitea_mailer_tls_enabled | ternary('true', 'false') }}
IS_TLS_ENABLED = {{ gitea_mailer_tls_enabled }}
; Mail from address, RFC 5322. This can be just an email address, or the `"Name" <email@example.com>` format
FROM = {{ gitea_mailer_from }}
FROM = {{ gitea_mailer_from }}
; Mailer user name and password
USER = {{ gitea_mailer_user }}
USER = {{ gitea_mailer_user }}
; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD = {{ gitea_mailer_password }}
PASSWD = `{{ gitea_mailer_password }}`
; Send mails as plain text
SEND_AS_PLAIN_TEXT = false
SUBJECT_PREFIX = {{ gitea_subject_prefix }}
; Set Mailer Type (either SMTP, sendmail or dummy to just send to the log)
MAILER_TYPE = {{ gitea_mailer_type }}
MAILER_TYPE = {{ gitea_mailer_type }}
; Specify an alternative sendmail binary
SENDMAIL_PATH = sendmail
SENDMAIL_PATH = sendmail
; Specify any extra sendmail arguments
SENDMAIL_ARGS =
[session]
; Either "memory", "file", or "redis", default is "memory"
PROVIDER = file
PROVIDER = file
; Provider config options
; memory: doesn't have any config yet
; file: session file path, e.g. `data/sessions`
; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
PROVIDER_CONFIG = {{ gitea_home }}/data/sessions
PROVIDER_CONFIG = {{ gitea_home }}/data/sessions
[picture]
AVATAR_UPLOAD_PATH = {{ gitea_home }}/data/avatars
AVATAR_UPLOAD_PATH = {{ gitea_home }}/data/avatars
; This value will always be true in offline mode.
DISABLE_GRAVATAR = {{ gitea_disable_gravatar | ternary('true', 'false') }}
DISABLE_GRAVATAR = {{ gitea_disable_gravatar }}
[attachment]
; Whether attachments are enabled. Defaults to `true`
ENABLED = true
; Path for attachments. Defaults to `data/attachments`
PATH = {{ gitea_home }}/data/attachments
PATH = {{ gitea_home }}/data/attachments
[log]
ROOT_PATH = {{ gitea_home }}/log
ROOT_PATH = {{ gitea_home }}/log
; Either "console", "file", "conn", "smtp" or "database", default is "console"
; Use comma to separate multiple modes, e.g. "console, file"
{% if gitea_log_systemd %}
MODE = console
MACARON = console
{% else %}
MODE = file
{% endif %}
; Buffer length of the channel, keep it as it is if you don't know what it is.
BUFFER_LEN = 10000
BUFFER_LEN = 10000
; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace"
{% if gitea_log_only_warning %}
LEVEL = Warn
REDIRECT_MACARON_LOG = true
{% else %}
LEVEL = {{ gitea_log_level }}
LEVEL = Info
REDIRECT_MACARON_LOG = false
{% endif %}
[oauth2]
ENABLE = {{ gitea_oauth2_enabled }}
ENABLE = {{ gitea_oauth2_enabled }}
JWT_SECRET = {{ gitea_oauth2_jwt_secret }}
[metrics]
ENABLED = {{ gitea_metrics_enabled }}
TOKEN = {{ gitea_metrics_token }}
TOKEN = {{ gitea_metrics_token }}
{{ gitea_extra_config }}
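
Review bot: `DISABLE_GIT_HOOKS = {{ gitea_disable_git_hooks | ternary('true', 'false') }}` under `[security]` has no counterpart on the new side, so `gitea_disable_git_hooks` no longer reaches `gitea.ini` and the setting falls back to whatever Gitea defaults to, even though the README describes enabled git hooks as a possible route to RCE. Keep the line. In the same hunk, the LFS block emits a second `OFFLINE_MODE` inside `[server]` (from `gitea_lfs_mode`), which collides with the `OFFLINE_MODE` set from `gitea_offline_mode` a few lines above; give the LFS setting its own key or remove it.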

@ -4,8 +4,7 @@ After=network.target
[Service]
User={{ gitea_user }}
Group={{ gitea_group }}
ExecStart=/usr/local/bin/gitea web -c /etc/gitea/gitea.ini --custom-path {{ gitea_home }}/custom/
ExecStart=/usr/local/bin/gitea web -c /etc/gitea/gitea.ini
Restart=on-failure
WorkingDirectory={{ gitea_home }}
{% if gitea_systemd_cap_net_bind_service %}

@ -1,5 +0,0 @@
---
gitea_dependencies:
- git
- gnupg2
- xz-utils

@ -1,10 +1,2 @@
---
gitea_go_arch_map:
i386: '386'
x86_64: 'amd64'
aarch64: 'arm64'
armv7l: 'arm-6'
armv6l: 'arm-6'
armv5l: 'arm-5'
gitea_arch: "{{ gitea_go_arch_map[ansible_architecture] | default(ansible_architecture) }}"
gitea_arch: "{{ 'amd64' if ansible_architecture == 'x86_64' else ansible_architecture }}"
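
Review bot: The replacement `gitea_arch` expression only translates `x86_64` to `amd64` and passes every other `ansible_architecture` through unchanged, so hosts the removed `gitea_go_arch_map` covered (`aarch64`, `armv7l`, `i386` and the rest) now produce a download URL containing the raw architecture name. Keep the map with its `default(ansible_architecture)` fallback.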

@ -1,5 +0,0 @@
---
gitea_dependencies:
- git
- gnupg2
- xz