update to version 1.17.1

Bumps [py](https://github.com/pytest-dev/py) from 1.8.0 to 1.10.0.
- [Release notes](https://github.com/pytest-dev/py/releases)
- [Changelog](https://github.com/pytest-dev/py/blob/master/CHANGELOG.rst)
- [Commits](https://github.com/pytest-dev/py/compare/1.8.0...1.10.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/ansible-linting-check.yml

@@ -0,0 +1,22 @@
+---
+name: Ansible Lint check
+
+# yamllint disable-line rule:truthy
+on: [push, pull_request]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Lint Ansible Playbook
+        uses: ansible/ansible-lint-action@master
+        with:
+          targets: "."
+          # [required]
+          # Paths to ansible files (i.e., playbooks, tasks, handlers etc..)
+          args: ""
+          # [optional]

.travis.yml

@@ -7,11 +7,12 @@ env:
   matrix:
     - MOLECULE_DISTRO: centos8
     - MOLECULE_DISTRO: centos7
+    - MOLECULE_DISTRO: ubuntu2004
     - MOLECULE_DISTRO: ubuntu1804
     - MOLECULE_DISTRO: ubuntu1604
     - MOLECULE_DISTRO: debian10
     - MOLECULE_DISTRO: debian9
-    - MOLECULE_DISTRO: fedora31
+    - MOLECULE_DISTRO: fedora33
 
 services:
   - docker

README.md

@@ -58,9 +58,11 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
 
 * `gitea_version_check`: Check if installed version != `gitea_version` before initiating binary download
 * `gitea_user`: UNIX user used by Gitea
+* `gitea_group`: UNIX group used by Gitea
 * `gitea_home`: Base directory to work
 * `gitea_dl_url`: The URL, the compiled gitea-binary will be downloaded from
 * `gitea_systemd_cap_net_bind_service`: Adds `AmbientCapabilities=CAP_NET_BIND_SERVICE` to systemd service file
+* `gitea_extra_config`: Additional configuration
 
 ### Look and feel
 
@@ -69,15 +71,19 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
 * `gitea_disable_gravatar`: Do you want to disable Gravatar ? (privacy and so on) (true/false)
 * `gitea_offline_mode`: Same but for disabling CDNs for frontend assets (true/false)
 * `gitea_disable_registration`: Do you want to disable user registration ? (true/false)
+* `gitea_register_email_confirm`: Enable this to ask for mail confirmation of registration. Requires `gitea_mailer_enabled` to be enabled (Default: `false`)
 * `gitea_only_allow_external_registration`: Do you want to force registration only using third-party services ? (true/false)
 * `gitea_show_registration_button`: Do you want to show the registration button? (true/false)
 * `gitea_require_signin`: Do you require a signin to see repo's (even public ones) ? (true/false)
 * `gitea_enable_captcha`: Do you want to enable captcha's ? (true/false)
-* `gitea_secret_key`: Cookie secret key
-* `gitea_internal_token`: Internal API token
 * `gitea_themes`: List of enabled themes
 * `gitea_theme_default`: Default theme
 
+### Security
+* `gitea_secret_key`: Cookie secret key
+* `gitea_internal_token`: Internal API token
+* `gitea_disable_git_hooks`: Do you want to disable the interface to add git hooks? If enabled it could be a security bug as it can be used for RCE. Defaults to true (true/false)
+
 ### Limits
 
 * `gitea_user_repo_limit`: Limit how many repos a user can have (-1 for unlimited)
@@ -88,8 +94,9 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
 * `gitea_root_url`: Root URL used to access your web app (full URL)
 * `gitea_protocol`: Listening protocol (http/https)
 * `gitea_http_listen`: Bind address
-* `gitea_http_port`: Bind port
+* `gitea_http_port`: Bind port (redirect from `80` will be activated if value is `443` - Default: `3000`)
 * `gitea_disable_http_git`: Disable the use of Git over HTTP ? (true/false)
+* `gitea_http_letsencrypt_mail` Enable Let`s Encrypt if a email address is given
 
 ### SSH configuration
 
@@ -105,7 +112,7 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
 * `gitea_db_name`: Database name
 * `gitea_db_user`: Database username
 * `gitea_db_password`: Database password
-* `gitea_db_ssl`: Use SSL ? (postgres only!). Can be `required`, `disable`, `verify-full`
+* `gitea_db_ssl`: Use SSL ? (postgres only!). Can be `require`, `disable`, `verify-ca` or `verify-full`
 * `gitea_db_path`: DB path, if you use `sqlite3`. The default is good enough to work though.
 
 ### Mailer configuration
@@ -117,7 +124,16 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
 * `gitea_mailer_user`: SMTP server username
 * `gitea_mailer_password`: SMTP server password
 * `gitea_mailer_from`: Sender mail address
+* `gitea_subject_prefix`: Prefix to be placed before e-mail subject lines (Default: ``)
 * `gitea_enable_notify_mail`:  Whether e-mail should be send to watchers of a repository when something happens. Default: `false`
+* `gitea_mail_default`: Default configuration for email notifications for users (user configurable). Options: enabled, onmention, disable  (Default: `onmention` )
+* `gitea_autowatch_new_repo`: Enable this to let all organisation users watch new repos when they are created (Default: `false`)
+* `gitea_autowatch_on_change`: Enable this to make users watch a repository after their first commit to it (Default: `true`)
+* `gitea_show_mailstones_dashboard`: Enable this to show the milestones dashboard page - a view of all the user’s milestones (Default: `true`)
+
+### Log configuration
+* `gitea_log_systemd` Disable logging into `file`, use systemd-journald
+* `gitea_log_only_warning` Log only warnings or above, no http access or sql logging (Default: `true`)
 
 ### Fail2Ban configuration
 
@@ -134,8 +150,12 @@ As this will only deploy config files, fail2ban already has to be installed or o
 ### Oauth2 provider configuration
 
 * `gitea_oauth2_enabled`: Enable the Oauth2 provider (true/false)
-* `gitea_oauth2_jwt_secret`: JWT secret, cannot be longer than 32 characters
+* `gitea_oauth2_jwt_secret`: Oauth2 JWT secret. Can be generated with ``gitea generate secret JWT_SECRET``
 
+### GIT LFS configuration
+* `gitea_lfs_enabled`: Enable GIT LFS (large filesystem)
+* `gitea_lfs_mode`: should lfs be in offline mode (true/false)
+* `gitea_lfs_secret`: JWT secret for remote LFS usage 
 
 ### Metrics endpoint configuration
 
@@ -150,6 +170,10 @@ As this will only deploy config files, fail2ban already has to be installed or o
 * `gitea_repo_exclude_vendored`: Exclude vendored files from the index. Default: `true`
 * `gitea_repo_indexer_max_file_size`: Maximum size of files to be indexed (in bytes). Default: `1048576` (1 MB)
 
+### backup on upgrade
+* `gitea_backup_on_upgrade`: Optionally a backup can be created with every update of gitea. Default: `false`
+* `gitea_backup_location`: Where to store the gitea backup if one is created with this role. Default: `{{ gitea_home }}/backups/`
+
 ## Contributing
 Don't hesitate to create a pull request, and when in doubt you can reach me on
 Twitter [@thomas_maurice](https://twitter.com/thomas_maurice).

defaults/main.yml

@@ -1,15 +1,18 @@
 ---
-gitea_version: "1.12.0"
+gitea_version: "1.17.1"
 gitea_version_check: true
 gitea_dl_url: "https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-{{ gitea_arch }}"
+gitea_gpg_key: "7C9E68152594688862D62AF62D9AE806EC1592E2"
+gitea_gpg_server: "hkps://keys.openpgp.org"
 
 gitea_app_name: "Gitea"
 gitea_user: "gitea"
+gitea_group: "gitea"
 gitea_home: "/var/lib/gitea"
 gitea_shell: "/bin/false"
 gitea_systemd_cap_net_bind_service: false
 
-gitea_repository_root: "{{ gitea_home }}"
+gitea_repository_root: "{{ gitea_home }}/repos"
 gitea_user_repo_limit: -1
 
 gitea_http_domain: localhost
@@ -17,11 +20,15 @@ gitea_root_url: http://localhost:3000
 gitea_protocol: http
 gitea_http_listen: 127.0.0.1
 gitea_http_port: 3000
+# gitea_http_letsencrypt_mail:  - required
 gitea_disable_http_git: false
 gitea_offline_mode: true
 
 gitea_lfs_server_enabled: false
-gitea_lfs_content_path: "data/lfs"
+gitea_lfs_content_path: "{{ gitea_home }}/data/lfs"
+gitea_lfs_jwt_secret: ''
+gitea_lfs_secret: SomethingVeryLong
+gitea_lfs_mode: true
 
 gitea_db_type: sqlite3
 gitea_db_host: 127.0.0.0:3306
@@ -38,15 +45,21 @@ gitea_ssh_port: 2222
 
 gitea_secret_key: T0pS3cr31
 gitea_internal_token: SomethingVeryLong
+gitea_disable_git_hooks: true
 
 gitea_show_user_email: false
 gitea_disable_gravatar: true
 gitea_disable_registration: false
+gitea_register_email_confirm: false
 gitea_show_registration_button: true
 gitea_require_signin: true
 gitea_enable_captcha: true
 gitea_only_allow_external_registration: false
 gitea_enable_notify_mail: false
+gitea_mail_default: onmention
+gitea_autowatch_new_repo: false
+gitea_autowatch_on_change: true
+gitea_show_mailstones_dashboard: true
 
 gitea_force_private: false
 
@@ -57,8 +70,12 @@ gitea_mailer_host: localhost:25
 gitea_mailer_from: noreply@your.domain
 gitea_mailer_user: ""
 gitea_mailer_password: ""
+gitea_subject_prefix: ""
 gitea_mailer_type: smtp
 
+gitea_log_systemd: false
+gitea_log_only_warning: true
+
 gitea_fail2ban_enabled: false
 gitea_fail2ban_jail_maxretry: 10
 gitea_fail2ban_jail_findtime: 3600
@@ -66,7 +83,7 @@ gitea_fail2ban_jail_bantime: 900
 gitea_fail2ban_jail_action: iptables-allports
 
 gitea_oauth2_enabled: true
-gitea_oauth2_jwt_secret: ChangeMe
+gitea_oauth2_jwt_secret: ''
 
 gitea_metrics_enabled: false
 gitea_metrics_token: ~
@@ -79,3 +96,10 @@ gitea_repo_indexer_include: ""
 gitea_repo_indexer_exclude: ""
 gitea_repo_exclude_vendored: true
 gitea_repo_indexer_max_file_size: 1048576
+
+gitea_log_level: Info
+
+gitea_extra_config: ""
+
+gitea_backup_on_upgrade: false
+gitea_backup_location: "{{ gitea_home }}/backups/"

handlers/main.yml

@@ -1,17 +1,17 @@
 ---
 - name: "Restart gitea"
-  service:
+  ansible.builtin.service:
     name: gitea
     state: restarted
   when: ansible_service_mgr == "systemd"
 
 - name: "Reload systemd"
-  systemd:
+  ansible.builtin.systemd:
     daemon_reload: true
   when: ansible_service_mgr == "systemd"
 
 - name: "Restart fail2ban"
-  service:
+  ansible.builtin.service:
     name: fail2ban
     state: restarted
   when: ansible_service_mgr == "systemd"

meta/main.yml

@@ -2,7 +2,7 @@
 galaxy_info:
   author: Thomas Maurice
   description: Ansible Role - Gitea
-  min_ansible_version: 2.7.9
+  min_ansible_version: 2.10
   license: BSD-3-Clause
   galaxy_tags:
     - git
@@ -16,12 +16,17 @@ galaxy_info:
   platforms:
     - name: Debian
       versions:
-        - jessie
         - stretch
-    - name: EL
-      versions:
-        - 7
+        - buster
     - name: Ubuntu
       versions:
         - xenial
         - bionic
+        - focal
+    - name: CentOS
+      versions:
+        - 7
+        - 8
+    - name: Fedora
+      versions:
+        - 33

molecule/default/prepare.yml

@@ -1,22 +1,27 @@
 ---
-- name: Perpare
+- name: Prepare
   hosts: all
   become: true
   tasks:
     - name: install dependencies for gitea (RedHat based systems)
       yum:
-        name: "{{ packages }}"
+        name: "{{ redhat_packages }}"
         state: present
         update_cache: true
       when: ansible_os_family == "RedHat"
     - name: install dependencies for gitea (Debian based systems)
       apt:
-        name: "{{ packages }}"
+        name: "{{ debian_packages }}"
         state: present
         update_cache: true
       when: ansible_os_family == "Debian"
 
   vars:
-    packages:
+    debian_packages:
       - git
       - curl
+      - xz-utils
+    redhat_packages:
+      - git
+      - curl
+      - xz

requirements-travis.txt

@@ -1,24 +1,21 @@
-ansible==2.9.6
+ansible==2.10.7
 ansible-lint==4.2.0
 anyconfig==0.9.7
 arrow==0.15.5
 asn1crypto==0.24.0
-atomicwrites==1.3.0
-attrs==19.1.0
-autopep8==1.5.1
-bcrypt==3.1.7
 binaryornot==0.4.4
 Cerberus==1.3.2
-certifi==2020.4.5.1
-cffi==1.14.0
-chardet==3.0.4
-click==7.1.1
+certifi==2020.12.5
+cffi==1.14.4
+chardet==4.0.0
+click==7.1.2
 click-completion==0.5.2
-click-help-colors==0.8
-colorama==0.4.3
-cookiecutter==1.7.0
-cryptography==2.9
-docker==4.2.0
+click-help-colors==0.9
+colorama==0.4.4
+cookiecutter==1.7.2
+cryptography==3.3.1
+cryptography==3.3.2
+docker==4.4.1
 docker-pycreds==0.4.0
 entrypoints==0.3
 fasteners==0.15
@@ -27,23 +24,23 @@ future==0.18.2
 git-url-parse==1.2.1
 idna==2.9
 importlib-metadata==1.6.0
-Jinja2==2.11.2
+Jinja2==2.11.3
 jinja2-time==0.2.0
 MarkupSafe==1.1.1
 mccabe==0.6.1
 molecule==3.0.3
 monotonic==1.5
-more-itertools==6.0.0
-paramiko==2.7.1
-pathspec==0.8.0
-pbr==5.1.1
+more-itertools==8.6.0
+paramiko==2.7.2
+pathspec==0.8.1
+pbr==5.5.1
 pexpect==4.8.0
 pi==0.1.2
 pluggy==0.13.1
 poyo==0.5.0
 psutil==5.6.6
 ptyprocess==0.6.0
-py==1.8.0
+py==1.10.0
 pyasn1==0.4.5
 pycodestyle==2.5.0
 pycparser==2.20
@@ -52,7 +49,7 @@ PyNaCl==1.3.0
 pytest==4.3.1
 python-dateutil==2.8.1
 python-gilt==1.2.3
-PyYAML==5.3.1
+PyYAML==5.4
 requests==2.23.0
 ruamel.yaml==0.16.10
 ruamel.yaml.clib==0.2.0
@@ -60,10 +57,10 @@ sh==1.12.14
 shellingham==1.3.2
 six==1.14.0
 tabulate==0.8.7
-testinfra==5.0.0
+testinfra==6.0.0
 tree-format==0.1.2
-urllib3==1.25.8
+urllib3==1.26.5
 websocket-client==0.57.0
 whichcraft==0.6.1
-yamllint==1.22.1
-zipp==3.1.0
+yamllint==1.26.0
+zipp==3.4.0

tasks/backup.yml

@@ -0,0 +1,30 @@
+---
+- name: Get service facts
+  service_facts:
+
+- block:
+    - name: Stopping gitea before upgrade
+      service:
+        name: gitea
+        state: stopped
+
+    - name: "Create backup directory"
+      file:
+        path: "{{ item }}"
+        state: directory
+        owner: "{{ gitea_user }}"
+        group: "{{ gitea_group }}"
+        mode: 'u=rwx,g=rx,o='
+      with_items:
+        - "{{ gitea_backup_location }}"
+
+    - name: Backing up gitea before upgrade
+      command:
+        cmd: "/usr/local/bin/gitea dump -c /etc/gitea/gitea.ini"
+        chdir: "{{ gitea_backup_location }}"
+      become: true
+      become_user: "{{ gitea_user }}"
+  when:
+    - ansible_facts.services["gitea.service"] is defined
+    - ansible_facts.services["gitea.service"].state == "running"
+    - gitea_active_version.stdout != gitea_version

tasks/check-variables.yml

@@ -1,7 +0,0 @@
----
-- name: run checks to ensure set variables do not crash gitea
-  block:
-    - name: "check token length"
-      fail:
-        msg: 'gitea_oauth2_jwt_secret cannot be longer than 32 characters.'
-      when: gitea_oauth2_jwt_secret | length > 32

tasks/create_user.yml

@@ -1,7 +1,14 @@
 ---
+- name: "Create Gitea Group"
+  group:
+    name: "{{ gitea_group }}"
+    system: true
+    state: "present"
+
 - name: "Create Gitea user"
-  user:
+  ansible.builtin.user:
     name: "{{ gitea_user }}"
     comment: "Gitea user"
     home: "{{ gitea_home }}"
     shell: "{{ gitea_shell }}"
+    system: true

tasks/fail2ban.yml

@@ -1,18 +1,26 @@
 ---
 - name: Install fail2ban filter
-  template:
+  ansible.builtin.template:
     src: fail2ban/filter.conf.j2
     dest: /etc/fail2ban/filter.d/gitea.conf
     owner: root
     group: root
     mode: 0444
   notify: Restart fail2ban
+  when: "'fail2ban' in ansible_facts.packages"
 
 - name: Install fail2ban jail
-  template:
+  ansible.builtin.template:
     src: fail2ban/jail.conf.j2
     dest: /etc/fail2ban/jail.d/gitea.conf
     owner: root
     group: root
     mode: 0444
   notify: Restart fail2ban
+  when: "'fail2ban' in ansible_facts.packages"
+
+- name: warn if fail2ban is not installed
+  ansible.builtin.fail:
+    msg: "the package fail2ban is not installed. no fail2ban filters deployed."
+  when: "'fail2ban' not in ansible_facts.packages"
+  ignore_errors: true

tasks/install.yml

@@ -0,0 +1,71 @@
+---
+- block:
+    - name: Update apt cache
+      apt:
+        cache_valid_time: 3600
+        update_cache: true
+      register: _pre_update_apt_cache
+      until: _pre_update_apt_cache is succeeded
+      when:
+        - ansible_pkg_mgr == "apt"
+
+    - name: Install dependencies
+      package:
+        name: "{{ gitea_dependencies }}"
+        state: present
+      register: _install_dep_packages
+      until: _install_dep_packages is succeeded
+      retries: 5
+      delay: 2
+
+- block:
+    - name: Download gitea archive
+      get_url:
+        url: "{{ gitea_dl_url }}.xz"
+        dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
+        checksum: "sha256:{{ gitea_dl_url }}.xz.sha256"
+      register: _download_archive
+      until: _download_archive is succeeded
+      retries: 5
+      delay: 2
+
+    - name: Download gitea asc file
+      get_url:
+        url: "{{ gitea_dl_url }}.xz.asc"
+        dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc"
+      register: _download_asc
+      until: _download_asc is succeeded
+      retries: 5
+      delay: 2
+
+    - name: Check gitea gpg key
+      command: "gpg --list-keys 0x{{ gitea_gpg_key }}"
+      register: _gitea_gpg_key_status
+      changed_when: false
+      failed_when: _gitea_gpg_key_status.rc not in (0, 2)
+
+    - name: Import gitea gpg key
+      command: "gpg --keyserver {{ gitea_gpg_server }} --recv {{ gitea_gpg_key }}"
+      register: _gitea_import_key
+      changed_when: '"imported: 1" in _gitea_import_key.stderr'
+      when: _gitea_gpg_key_status.rc != 0
+
+    - name: Check archive signature
+      command: "gpg --verify /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
+      changed_when: false
+
+    - name: Unpack gitea binary
+      command:
+        cmd: "xz -k -d /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
+        creates: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}"
+
+    - name: Propagate gitea binary
+      copy:
+        src: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}"
+        remote_src: true
+        dest: "/usr/local/bin/gitea"
+        mode: 0755
+        owner: root
+        group: root
+      notify: "Restart gitea"
+  when: (not gitea_version_check|bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version))

tasks/install_systemd.yml

@@ -1,6 +1,6 @@
 ---
 - name: "Setup systemd service"
-  template:
+  ansible.builtin.template:
     src: gitea.service.j2
     dest: /lib/systemd/system/gitea.service
     owner: root
@@ -10,6 +10,8 @@
     - "Reload systemd"
     - "Restart gitea"
 
+# systemd to be reloaded the first time because
+#  it is the only way Systemd is going to be aware of the new unit file.
 - name: "Reload systemd"
-  systemd:
+  ansible.builtin.systemd:
     daemon_reload: true

tasks/jwt_secrets.yml

@@ -0,0 +1,38 @@
+---
+- name: generate OAuth2 JWT_SECRET if not provided
+  become: true
+  shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_oauth_jwt_secret'
+  args:
+    creates: '/etc/gitea/gitea_oauth_jwt_secret'
+  when: gitea_oauth2_jwt_secret | length == 0
+
+- name: read OAuth2 JWT_SECRET from file
+  become: true
+  slurp:
+    src: '/etc/gitea/gitea_oauth_jwt_secret'
+  register: oauth_jwt_secret
+  when: gitea_oauth2_jwt_secret | length == 0
+
+- name: set fact gitea_oauth2_jwt_secret
+  set_fact:
+    gitea_oauth2_jwt_secret: "{{ oauth_jwt_secret['content'] | b64decode }}"
+  when: gitea_oauth2_jwt_secret | length == 0
+
+- name: generate LFS JWT_SECRET if not provided
+  become: true
+  shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_lfs_jwt_secret'
+  args:
+    creates: '/etc/gitea/gitea_lfs_jwt_secret'
+  when: gitea_lfs_jwt_secret | length == 0
+
+- name: read LFS JWT_SECRET from file
+  become: true
+  slurp:
+    src: '/etc/gitea/gitea_lfs_jwt_secret'
+  register: lfs_jwt_secret
+  when: gitea_lfs_jwt_secret | length == 0
+
+- name: set fact gitea_lfs_jwt_secret
+  set_fact:
+    gitea_lfs_jwt_secret: "{{ lfs_jwt_secret['content'] | b64decode }}"
+  when: gitea_lfs_jwt_secret | length == 0

tasks/main.yml

@@ -1,9 +1,19 @@
 ---
+- name: Gather variables for each operating system
+  include_vars: "{{ item }}"
+  with_first_found:
+    - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
+    - "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
+    - "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
+    - "{{ ansible_distribution | lower }}.yml"
+    - "{{ ansible_os_family | lower }}.yml"
 
-- include: check-variables.yml
+- name: Gather installed packages for checks in the role (fail2ban)
+  ansible.builtin.package_facts:
+    manager: auto
 
 - name: "Check gitea version"
-  shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3"
+  ansible.builtin.shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3"
   args:
     executable: /bin/bash
   register: gitea_active_version
@@ -12,7 +22,7 @@
   when: gitea_version_check|bool
 
 - name: "Download the binary"
-  get_url:
+  ansible.builtin.get_url:
     url: "{{ gitea_dl_url }}"
     dest: /usr/local/bin/gitea
     owner: root
@@ -25,39 +35,53 @@
 - include: create_user.yml
 
 - name: "Create config and data directory"
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
+    mode: '0755'
+  with_items:
+    - "/etc/gitea"
+
+- name: "Create data directory"
   file:
     path: "{{ item }}"
     state: directory
     owner: "{{ gitea_user }}"
-    recurse: True
+    group: "{{ gitea_group }}"
+    mode: 'u=rwX,g=rX,o='
+    recurse: true
   with_items:
-    - "/etc/gitea"
     - "{{ gitea_home }}"
     - "{{ gitea_home }}/data"
     - "{{ gitea_home }}/custom"
     - "{{ gitea_home }}/custom/https"
     - "{{ gitea_home }}/custom/mailer"
     - "{{ gitea_home }}/indexers"
-    - "{{ gitea_home }}/logs"
+    - "{{ gitea_home }}/log"
+    - "{{ gitea_repository_root }}"
 
 - include: install_systemd.yml
   when: ansible_service_mgr == "systemd"
 
+- include_tasks: jwt_secrets.yml
 - name: 'Install git'
-  package:
+  ansible.builtin.package:
     name: 'git'
     state: 'present'
 
 - name: "Configure gitea"
-  template:
+  ansible.builtin.template:
     src: gitea.ini.j2
     dest: /etc/gitea/gitea.ini
     owner: "{{ gitea_user }}"
+    group: "{{ gitea_group }}"
     mode: 0600
   notify: "Restart gitea"
 
 - name: "Service gitea"
-  service:
+  ansible.builtin.service:
     name: gitea
     state: started
     enabled: true

templates/gitea.ini.j2

@@ -3,193 +3,219 @@
 ;
 ; This file overwrites the default values from gitea.
 ; undefined variables will use the default value from gitea.
-; Cheat Sheet: https://docs.gitea.io/en-us/config-cheat-sheet/ 
+; Cheat Sheet: https://docs.gitea.io/en-us/config-cheat-sheet/
 ;
 ; App name that shows on every page title
-APP_NAME = {{ gitea_app_name }}
+APP_NAME = {{ gitea_app_name }}
 ; Change it if you run locally
 RUN_USER = {{ gitea_user }}
 ; Either "dev", "prod" or "test", default is "dev"
 RUN_MODE = prod
 
 [repository]
-ROOT                  = {{ gitea_repository_root }}
+ROOT                = {{ gitea_repository_root }}
 ; Force every new repository to be private
-FORCE_PRIVATE         = {{ gitea_force_private }}
+FORCE_PRIVATE       = {{ gitea_force_private | ternary('true', 'false') }}
 ; Global limit of repositories per user, applied at creation time. -1 means no limit
-MAX_CREATION_LIMIT    = {{ gitea_user_repo_limit }}
+MAX_CREATION_LIMIT  = {{ gitea_user_repo_limit }}
 ; Mirror sync queue length, increase if mirror syncing starts hanging
 MIRROR_QUEUE_LENGTH = 1000
 ; Disable the ability to interact with repositories using the HTTP protocol
-DISABLE_HTTP_GIT      = {{ gitea_disable_http_git }}
+DISABLE_HTTP_GIT    = {{ gitea_disable_http_git | ternary('true', 'false') }}
 
 [ui]
 ; Whether the email of the user should be shown in the Explore Users page
-SHOW_USER_EMAIL       = {{ gitea_show_user_email }}
-THEMES                = {{ gitea_themes }}
-DEFAULT_THEME         = {{ gitea_theme_default }}
+SHOW_USER_EMAIL = {{ gitea_show_user_email | ternary('true', 'false') }}
+THEMES          = {{ gitea_themes }}
+DEFAULT_THEME   = {{ gitea_theme_default }}
 
 [server]
 ; The protocol the server listens on. One of 'http', 'https', 'unix' or 'fcgi'.
-PROTOCOL              = {{ gitea_protocol }}
-DOMAIN                = {{ gitea_http_domain }}
-ROOT_URL              = {{ gitea_root_url }}
+PROTOCOL         = {{ gitea_protocol }}
+DOMAIN           = {{ gitea_http_domain }}
+ROOT_URL         = {{ gitea_root_url }}
 ; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket.
 HTTP_ADDR             = {{ gitea_http_listen }}
 HTTP_PORT             = {{ gitea_http_port }}
+{% if gitea_http_port == 443 %}
+PORT_TO_REDIRECT      = 80
+{% endif %}
+{% if gitea_http_letsencrypt_mail is defined %}
+ENABLE_LETSENCRYPT    = true
+LETSENCRYPT_ACCEPTTOS = true
+LETSENCRYPT_EMAIL     = {{ gitea_http_letsencrypt_mail }}
+{% endif %}
 ; Disable SSH feature when not available
-DISABLE_SSH = false
+DISABLE_SSH      = false
 ; Whether to use the builtin SSH server or not.
-START_SSH_SERVER      = {{ gitea_start_ssh }}
+START_SSH_SERVER = {{ gitea_start_ssh | ternary('true', 'false') }}
 ; Domain name to be exposed in clone URL
-SSH_DOMAIN            = {{ gitea_ssh_domain }}
+SSH_DOMAIN       = {{ gitea_ssh_domain }}
 ; The network interface the builtin SSH server should listen on
-SSH_LISTEN_HOST       = {{ gitea_ssh_listen }}
+SSH_LISTEN_HOST  = {{ gitea_ssh_listen }}
 ; Port number to be exposed in clone URL
-SSH_PORT              = {{ gitea_ssh_port }}
+SSH_PORT         = {{ gitea_ssh_port }}
 ; The port number the builtin SSH server should listen on
-SSH_LISTEN_PORT       = %(SSH_PORT)s
+SSH_LISTEN_PORT  = %(SSH_PORT)s
 ; Disable CDN even in "prod" mode
-OFFLINE_MODE          = {{ gitea_offline_mode }}
+OFFLINE_MODE     = {{ gitea_offline_mode | ternary('true', 'false') }}
 ; Default path for App data
-APP_DATA_PATH         = {{ gitea_home }}/data
-{%- if gitea_lfs_server_enabled | bool %}
+APP_DATA_PATH    = {{ gitea_home }}/data
+{% if gitea_lfs_server_enabled | bool -%}
 ;Enables git-lfs support.
-LFS_START_SERVER      = true
+LFS_START_SERVER = true
 ; Where to store LFS files.
+LFS_CONTENT_PATH = {{ gitea_lfs_content_path }}
+; LFS authentication secret
+LFS_JWT_SECRET   = {{ gitea_lfs_jwt_secret }}
 LFS_CONTENT_PATH      = {{ gitea_lfs_content_path }}
-{%- endif %}
-
+; if the LFS sotre is not offline/local
+LFS_JWT_SECRET       = {{ gitea_lfs_secret }} 
+OFFLINE_MODE         = {{ gitea_lfs_mode }}
+{% endif %}
 [database]
 ; Either "mysql", "postgres", "mssql" or "sqlite3", it's your choice
-DB_TYPE               = {{ gitea_db_type }}
-HOST                  = {{ gitea_db_host }}
-NAME                  = {{ gitea_db_name }}
-USER                  = {{ gitea_db_user }}
+DB_TYPE  = {{ gitea_db_type }}
+HOST     = {{ gitea_db_host }}
+NAME     = {{ gitea_db_name }}
+USER     = {{ gitea_db_user }}
 ; Use PASSWD = `your password` for quoting if you use special characters in the password.
-PASSWD                = {{ gitea_db_password }}
-; For Postgres, either "disable" (default), "require", or "verify-full"
+PASSWD   = {{ gitea_db_password }}
+; For Postgres, either "disable" (default), "require", "verify-ca" or "verify-full"
 ; For MySQL, either "false" (default), "true", or "skip-verify"
-SSL_MODE              = {{ gitea_db_ssl }}
+SSL_MODE = {{ gitea_db_ssl }}
 ; For "sqlite3" and "tidb", use an absolute path when you start gitea as service
 PATH                  = {{ gitea_db_path }}
+{% if gitea_log_only_warning %}
+LOG_SQL               = false
+{% endif %}
 
 [indexer]
 ; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve
-ISSUE_INDEXER_PATH    = {{ gitea_home }}/indexers/issues.bleve
+ISSUE_INDEXER_PATH            = {{ gitea_home }}/indexers/issues.bleve
 ; Issue indexer queue, currently support: channel or levelqueue, default is levelqueue
-ISSUE_INDEXER_QUEUE_TYPE = levelqueue
+ISSUE_INDEXER_QUEUE_TYPE      = levelqueue
 ; When ISSUE_INDEXER_QUEUE_TYPE is levelqueue, this will be the queue will be saved path,
 ; default is indexers/issues.queue
-ISSUE_INDEXER_QUEUE_DIR = {{ gitea_home }}/indexers/issues.queue
-
+ISSUE_INDEXER_QUEUE_DIR       = {{ gitea_home }}/indexers/issues.queue
 ; repo indexer by default disabled, since it uses a lot of disk space
-REPO_INDEXER_ENABLED = {{ gitea_repo_indexer_enabled }}
-REPO_INDEXER_PATH       = {{ gitea_home }}/indexers/repos.bleve
-REPO_INDEXER_INCLUDE = {{ gitea_repo_indexer_include }}
-REPO_INDEXER_EXCLUDE = {{ gitea_repo_indexer_exclude }}
+REPO_INDEXER_ENABLED          = {{ gitea_repo_indexer_enabled }}
+REPO_INDEXER_PATH             = {{ gitea_home }}/indexers/repos.bleve
+REPO_INDEXER_INCLUDE          = {{ gitea_repo_indexer_include }}
+REPO_INDEXER_EXCLUDE          = {{ gitea_repo_indexer_exclude }}
 REPO_INDEXER_EXCLUDE_VENDORED = {{ gitea_repo_exclude_vendored }}
-MAX_FILE_SIZE = {{ gitea_repo_indexer_max_file_size }}
+MAX_FILE_SIZE                 = {{ gitea_repo_indexer_max_file_size }}
 
 [security]
 ; Whether the installer is disabled
-INSTALL_LOCK = true
+INSTALL_LOCK        = true
 ; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!!
-SECRET_KEY              = {{ gitea_secret_key }}
-INTERNAL_TOKEN          = {{ gitea_internal_token }}
+SECRET_KEY          = {{ gitea_secret_key }}
+INTERNAL_TOKEN      = {{ gitea_internal_token }}
 ; How long to remember that an user is logged in before requiring relogin (in days)
 LOGIN_REMEMBER_DAYS = 7
+DISABLE_GIT_HOOKS   = {{ gitea_disable_git_hooks | ternary('true', 'false') }}
 
 [service]
 ; Disallow registration, only allow admins to create accounts.
 DISABLE_REGISTRATION    = {{ gitea_disable_registration }}
+REGISTER_EMAIL_CONFIRM  = {{ gitea_register_email_confirm }}
 ; User must sign in to view anything.
-REQUIRE_SIGNIN_VIEW     = {{ gitea_require_signin }}
+REQUIRE_SIGNIN_VIEW              = {{ gitea_require_signin | ternary('true', 'false') }}
 ; Enable captcha validation for registration
-ENABLE_CAPTCHA          = {{ gitea_enable_captcha }}
+ENABLE_CAPTCHA                   = {{ gitea_enable_captcha | ternary('true', 'false') }}
 ; Type of captcha you want to use. Options: image, recaptcha
-CAPTCHA_TYPE = image
+CAPTCHA_TYPE                     = image
 ; Enable recaptcha to use Google's recaptcha service
 ; Go to https://www.google.com/recaptcha/admin to sign up for a key
-RECAPTCHA_SECRET  =
-RECAPTCHA_SITEKEY =
+RECAPTCHA_SECRET                 =
+RECAPTCHA_SITEKEY                =
 ; Show Registration button
 SHOW_REGISTRATION_BUTTON = {{ gitea_show_registration_button }}
 ALLOW_ONLY_EXTERNAL_REGISTRATION = {{ gitea_only_allow_external_registration }}
 ENABLE_NOTIFY_MAIL = {{ gitea_enable_notify_mail }}
+DEFAULT_EMAIL_NOTIFICATIONS       = {{ gitea_mail_default }} 
+AUTO_WATCH_NEW_REPOS              = {{ gitea_autowatch_new_repo }} 
+AUTO_WATCH_ON_CHANGES             = {{ gitea_autowatch_on_change }} 
+SHOW_MILESTONES_DASHBOARD_PAGE    = {{ gitea_show_mailstones_dashboard }} 
 
 [mailer]
-ENABLED                 = {{ gitea_mailer_enabled }}
+ENABLED            = {{ gitea_mailer_enabled | ternary('true', 'false') }}
 ; Mail server
 ; Gmail: smtp.gmail.com:587
 ; QQ: smtp.qq.com:465
 ; Note, if the port ends with "465", SMTPS will be used. Using STARTTLS on port 587 is recommended per RFC 6409. If the server supports STARTTLS it will always be used.
-HOST                    = {{ gitea_mailer_host }}
-; Disable HELO operation when hostnames are different.
-DISABLE_HELO =
-; Custom hostname for HELO operation, if no value is provided, one is retrieved from system.
-HELO_HOSTNAME =
+HOST               = {{ gitea_mailer_host }}
 ; Do not verify the certificate of the server. Only use this for self-signed certificates
-SKIP_VERIFY             = {{ gitea_mailer_skip_verify }}
+SKIP_VERIFY        = {{ gitea_mailer_skip_verify }}
 ; Use client certificate
-USE_CERTIFICATE = false
-CERT_FILE               = {{ gitea_home }}/custom/mailer/cert.pem
-KEY_FILE                = {{ gitea_home }}/custom/mailer/key.pem
+USE_CERTIFICATE    = false
+CERT_FILE          = {{ gitea_home }}/custom/mailer/cert.pem
+KEY_FILE           = {{ gitea_home }}/custom/mailer/key.pem
 ; Should SMTP connection use TLS
-IS_TLS_ENABLED = {{ gitea_mailer_tls_enabled }}
+IS_TLS_ENABLED     = {{ gitea_mailer_tls_enabled | ternary('true', 'false') }}
 ; Mail from address, RFC 5322. This can be just an email address, or the `"Name" <email@example.com>` format
-FROM                    = {{ gitea_mailer_from }}
+FROM               = {{ gitea_mailer_from }}
 ; Mailer user name and password
-USER                    = {{ gitea_mailer_user }}
+USER               = {{ gitea_mailer_user }}
 ; Use PASSWD = `your password` for quoting if you use special characters in the password.
-PASSWD                  = `{{ gitea_mailer_password }}`
+PASSWD             = {{ gitea_mailer_password }}
 ; Send mails as plain text
 SEND_AS_PLAIN_TEXT = false
+SUBJECT_PREFIX = {{ gitea_subject_prefix }}
 ; Set Mailer Type (either SMTP, sendmail or dummy to just send to the log)
-MAILER_TYPE = {{ gitea_mailer_type }}
+MAILER_TYPE        = {{ gitea_mailer_type }}
 ; Specify an alternative sendmail binary
-SENDMAIL_PATH = sendmail
-; Specify any extra sendmail arguments
-SENDMAIL_ARGS =
-
+SENDMAIL_PATH      = sendmail
 
 [session]
 ; Either "memory", "file", or "redis", default is "memory"
-PROVIDER = file
+PROVIDER        = file
 ; Provider config options
 ; memory: doesn't have any config yet
 ; file: session file path, e.g. `data/sessions`
 ; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
 ; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
-PROVIDER_CONFIG         = {{ gitea_home }}/data/sessions
+PROVIDER_CONFIG = {{ gitea_home }}/data/sessions
 
 [picture]
-AVATAR_UPLOAD_PATH      = {{ gitea_home }}/data/avatars
+AVATAR_UPLOAD_PATH = {{ gitea_home }}/data/avatars
 ; This value will always be true in offline mode.
-DISABLE_GRAVATAR        = {{ gitea_disable_gravatar }}
+DISABLE_GRAVATAR   = {{ gitea_disable_gravatar | ternary('true', 'false') }}
 
 [attachment]
 ; Whether attachments are enabled. Defaults to `true`
 ENABLED = true
 ; Path for attachments. Defaults to `data/attachments`
-PATH                    = {{ gitea_home }}/data/attachments
+PATH    = {{ gitea_home }}/data/attachments
 
 [log]
-ROOT_PATH               = {{ gitea_home }}/log
+ROOT_PATH            = {{ gitea_home }}/log
 ; Either "console", "file", "conn", "smtp" or "database", default is "console"
 ; Use comma to separate multiple modes, e.g. "console, file"
+{% if gitea_log_systemd %}
+MODE       = console
+MACARON    = console
+{% else %}
 MODE       = file
+{% endif %}
 ; Buffer length of the channel, keep it as it is if you don't know what it is.
-BUFFER_LEN = 10000
+BUFFER_LEN           = 10000
 ; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace"
-LEVEL      = Info
+{% if gitea_log_only_warning %}
+LEVEL      = Warn
+REDIRECT_MACARON_LOG = true
+{% else %}
+LEVEL                = {{ gitea_log_level }}
 REDIRECT_MACARON_LOG = false
+{% endif %}
 
 [oauth2]
-ENABLE = {{ gitea_oauth2_enabled }}
+ENABLE     = {{ gitea_oauth2_enabled }}
 JWT_SECRET = {{ gitea_oauth2_jwt_secret }}
 
 [metrics]
 ENABLED = {{ gitea_metrics_enabled }}
-TOKEN = {{ gitea_metrics_token }}
+TOKEN   = {{ gitea_metrics_token }}
 
+{{ gitea_extra_config }}

templates/gitea.service.j2

@@ -4,7 +4,8 @@ After=network.target
 
 [Service]
 User={{ gitea_user }}
-ExecStart=/usr/local/bin/gitea web -c /etc/gitea/gitea.ini
+Group={{ gitea_group }}
+ExecStart=/usr/local/bin/gitea web -c /etc/gitea/gitea.ini --custom-path {{ gitea_home }}/custom/
 Restart=on-failure
 WorkingDirectory={{ gitea_home }}
 {% if gitea_systemd_cap_net_bind_service %}

vars/debian.yml

@@ -0,0 +1,5 @@
+---
+gitea_dependencies:
+  - git
+  - gnupg2
+  - xz-utils

vars/main.yml

@@ -1,2 +1,10 @@
 ---
-gitea_arch: "{{ 'amd64' if ansible_architecture == 'x86_64' else ansible_architecture }}"
+gitea_go_arch_map:
+  i386: '386'
+  x86_64: 'amd64'
+  aarch64: 'arm64'
+  armv7l: 'arm-6'
+  armv6l: 'arm-6'
+  armv5l: 'arm-5'
+
+gitea_arch: "{{ gitea_go_arch_map[ansible_architecture] | default(ansible_architecture) }}"

vars/redhat.yml

@@ -0,0 +1,5 @@
+---
+gitea_dependencies:
+  - git
+  - gnupg2
+  - xz