Compare commits

..

40 commits

Author SHA1 Message Date
751d0d724b update to version 1.17.1 2022-08-21 13:01:42 +02:00
df5db3d4b9 fix custom path 2022-08-21 13:00:22 +02:00
73aa14f13f fix repo path 2022-08-21 12:59:48 +02:00
692b92c2d8 improve logging 2022-08-21 12:59:47 +02:00
4abe8ae2bf improve mailing configuration 2022-08-21 12:59:19 +02:00
37116739cc improve logging support 2022-08-21 12:58:54 +02:00
0dcb32eed6 improve https support 2022-08-21 12:57:48 +02:00
dependabot[bot]
d7296c69df
Bump py from 1.8.0 to 1.10.0 (#100)
Bumps [py](https://github.com/pytest-dev/py) from 1.8.0 to 1.10.0.
- [Release notes](https://github.com/pytest-dev/py/releases)
- [Changelog](https://github.com/pytest-dev/py/blob/master/CHANGELOG.rst)
- [Commits](https://github.com/pytest-dev/py/compare/1.8.0...1.10.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-08-14 11:27:38 +01:00
dependabot[bot]
0a85dd3554
Bump ansible from 2.10 to 2.10.7 (#101)
Bumps [ansible](https://github.com/ansible/ansible) from 2.10 to 2.10.7.
- [Release notes](https://github.com/ansible/ansible/releases)
- [Commits](https://github.com/ansible/ansible/compare/v2.10.0...v2.10.7)

---
updated-dependencies:
- dependency-name: ansible
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-08-14 11:27:21 +01:00
dependabot[bot]
504a5e3e86
Bump urllib3 from 1.26.4 to 1.26.5 (#102)
Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.4 to 1.26.5.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/1.26.4...1.26.5)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-08-14 11:27:04 +01:00
Maxim Burgerhout
ed984bb95a
Fix double endif in gitea.ini (#97)
Removed the second one: text between if and endif is now all about lfs,
which seemed to be the point ;)
2021-04-12 18:11:57 +01:00
firesoft-de
c5a0653264
fail2ban only if installed (#98)
* Add condition to only configure fail2ban if it is installed

* Add package_facts to determine if fail2ban is installed

* Added warning message by @DO1JLR 

+ Warning message by @DO1JLR 
   -> The message will prompt a warning to the user if fail2ban is not installed without stopping the execution.
+ removed trailing whitespaces
2021-04-12 18:06:19 +01:00
dependabot[bot]
502a360b14
Bump urllib3 from 1.26.3 to 1.26.4 (#90)
Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.3 to 1.26.4.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/1.26.3...1.26.4)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-04-10 18:40:03 +01:00
Anton
4dfd303061
Upgrade/ansible version 2.10 (#84)
* added new vars for lfs remote usage
git lfs can be hosted elsewhere and therefore need some config

* added configuration describtion for lfs vars

* added new vars for notifications

* added describtion for new vars for mail notis

* added gitea_lfs_secret describtion to README

* remove whitespaces and lines

* upgraded minimum ansible version to 2.10

* refactored coansible to use minimum version 2.10

* Cleanup template (#85)

improve template and create loglevel variable

* update requirements for molecule (#78)

* start upgrading requirements

* add some more updated requirements

* add another junk

* add another junk

* update ansible version

* modify backup on upgrade (#81)

* create backup direcotry

create a backup folder and move the gitea backup to backup.yml

* make the backup on update optional

Documentation and introduction of the variable `gitea_backup_on_upgrade: false`

* change become_method to sudo

change become_method to sudo as suggested by @wzzrd. removed become_flags.

* Full path to gitea binary in backup task. thanks to @wzzrd

* update gitea to 1.13.4 (#86)

The current release of gitea is [v1.13.4](https://github.com/go-gitea/gitea/releases/tag/v1.13.4).

The current master of this role is not able to do a version update properly. PLEASE first merge https://github.com/thomas-maurice/ansible-role-gitea/pull/81

* Bump pyyaml from 5.3.1 to 5.4 (#89)

Bumps [pyyaml](https://github.com/yaml/pyyaml) from 5.3.1 to 5.4.
- [Release notes](https://github.com/yaml/pyyaml/releases)
- [Changelog](https://github.com/yaml/pyyaml/blob/master/CHANGES)
- [Commits](https://github.com/yaml/pyyaml/compare/5.3.1...5.4)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* bump gitea version (#87)

fixes security issues https://github.com/go-gitea/gitea/releases/tag/v1.13.6

* added new vars for lfs remote usage
git lfs can be hosted elsewhere and therefore need some config

added configuration describtion for lfs vars

added new vars for notifications

added describtion for new vars for mail notis

added gitea_lfs_secret describtion to README

remove whitespaces and lines

upgraded minimum ansible version to 2.10

refactored coansible to use minimum version 2.10

Co-authored-by: L3D <l3d@c3woc.de>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Timmerman <jens.timmerman@gmail.com>
2021-04-10 18:07:02 +01:00
L3D
b04f4ca1dd
change keyserver to keys.openpgp.org (#92)
* change keyserver to keys.openpgp.org

based on https://docs.gitea.io/en-us/install-from-binary/ gitea is recomending ``keys.openpgp.org`` as key server.

RESOLVE #91

* s/hkp:\/\//hkps:\/\//
2021-04-10 18:06:07 +01:00
L3D
ca2f5df0c1
update to gitea v1.13.7 (#93)
https://github.com/go-gitea/gitea/releases/tag/v1.13.7
2021-04-10 18:03:22 +01:00
Jens Timmerman
d3ab000e54
bump gitea version (#87)
fixes security issues https://github.com/go-gitea/gitea/releases/tag/v1.13.6
2021-03-26 15:29:35 +00:00
dependabot[bot]
05d32284a0
Bump pyyaml from 5.3.1 to 5.4 (#89)
Bumps [pyyaml](https://github.com/yaml/pyyaml) from 5.3.1 to 5.4.
- [Release notes](https://github.com/yaml/pyyaml/releases)
- [Changelog](https://github.com/yaml/pyyaml/blob/master/CHANGES)
- [Commits](https://github.com/yaml/pyyaml/compare/5.3.1...5.4)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-03-26 15:28:11 +00:00
L3D
ab6b357e39
update gitea to 1.13.4 (#86)
The current release of gitea is [v1.13.4](https://github.com/go-gitea/gitea/releases/tag/v1.13.4).

The current master of this role is not able to do a version update properly. PLEASE first merge https://github.com/thomas-maurice/ansible-role-gitea/pull/81
2021-03-21 16:11:16 +00:00
L3D
71ea49b7ac
modify backup on upgrade (#81)
* create backup direcotry

create a backup folder and move the gitea backup to backup.yml

* make the backup on update optional

Documentation and introduction of the variable `gitea_backup_on_upgrade: false`

* change become_method to sudo

change become_method to sudo as suggested by @wzzrd. removed become_flags.

* Full path to gitea binary in backup task. thanks to @wzzrd
2021-03-21 16:10:42 +00:00
L3D
8b71e3f137
update requirements for molecule (#78)
* start upgrading requirements

* add some more updated requirements

* add another junk

* add another junk

* update ansible version
2021-03-02 09:38:20 +00:00
L3D
2fa3f51eb4
Cleanup template (#85)
improve template and create loglevel variable
2021-03-02 09:35:13 +00:00
Maxim Burgerhout
183e58f0e5
Add / correct accepted SSL modes for PostgreSQL (#83)
Supported SSL modues for PostgreSQL are: disabled, require, verify-ca
and verify-full.

This fix adds `verify-ca` to README.md and gitea.ini.j2, and corrects
`require` to `required` in README.md.
2021-02-15 18:35:27 +00:00
Finwë
56375819a7
Improve ARM Support (#74)
* Gitea user should be a system user

* Improve installation system

* Download archive instead of binary
* Add checksum validation
* Add GPG check
* Add backup process before upgrading

* Improve ARM support

* Improve support for Vault Encrypted JWT tokens

* Fix spacing in gitea configuration template

When Gitea rewrite the configuration file (e.g.: the JWT token is not
set or doesn't fit their criteria), it'll align space on a per-section
basis in the .ini file.
If the template is not properly spaced, at the next Ansible run, you'll
have an enormous diff, hidding what the real changes are.

* add proper redhat/debian deps for molecule testing

* Gitea group should be a system group

* fix linting for CI

* Update CI and meta information for up-to-date tests and distros

* molecule: fix typo for redhat packages

* fix typo

* bump gitea version to 1.13.1

* Use Ubuntu keyservers to play nicely with everyone

* Update minimum required ansible version to 2.9.8

This is required for Ubuntu Focal, which comes with systemd >= 245
The Get Facts modules doesn't work well with it before the bugfix
introduced in 2.9.8

* Replace yes by True to please the linting

* Truthy values needs to be lower-case

* bump gitea version to 1.13.2

* perform gitea dump as gitea user

* need to set become to yes

* autogenerate JWT_SECRETS (#77)

* autogenerate JWT_SECRETS

Based on https://docs.gitea.io/en-us/command-line/#generate we will now autogenerate JWT_SECRETS if they are not defined.
In my opinion a much better idea than writing a value in the default config.

The check if the variables for the secrets are now 43 characters long i took out. Gitea generates itself suitable secrets, if the user given ones do not fit.

* drop ansible.builtin. syntax

* Update file permissions for "{{ gitea_home }}" (#75)

The file permissions for {{ gitea_home }} especially in conjunction with the recurse: true flag are on closer inspection very open to all and also have a +x set on files.

This should be done better. And I have done here now.

By the way: To improve the -x on normal files in his gitea installation this shell command was useful for me
```
find . -type f -exec chmod a-x {} \+;
find . -type f -exec chmod u=rwX {} \+;
```

* Bump cryptography from 3.2 to 3.3.2 (#79)

Bumps [cryptography](https://github.com/pyca/cryptography) from 3.2 to 3.3.2.
- [Release notes](https://github.com/pyca/cryptography/releases)
- [Changelog](https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/3.2...3.3.2)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Gitea user should be a system user

* Improve installation system

* Download archive instead of binary
* Add checksum validation
* Add GPG check
* Add backup process before upgrading

* Improve ARM support

* Fix spacing in gitea configuration template

When Gitea rewrite the configuration file (e.g.: the JWT token is not
set or doesn't fit their criteria), it'll align space on a per-section
basis in the .ini file.
If the template is not properly spaced, at the next Ansible run, you'll
have an enormous diff, hidding what the real changes are.

* add proper redhat/debian deps for molecule testing

* Gitea group should be a system group

* fix linting for CI

* Update CI and meta information for up-to-date tests and distros

* molecule: fix typo for redhat packages

* fix typo

* bump gitea version to 1.13.1

* Use Ubuntu keyservers to play nicely with everyone

* Update minimum required ansible version to 2.9.8

This is required for Ubuntu Focal, which comes with systemd >= 245
The Get Facts modules doesn't work well with it before the bugfix
introduced in 2.9.8

* Replace yes by True to please the linting

* Truthy values needs to be lower-case

* bump gitea version to 1.13.2

* perform gitea dump as gitea user

* need to set become to yes

* check-variables.yml doesn't exists anymore

Co-authored-by: L3D <l3d@c3woc.de>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-02-12 17:56:31 +00:00
dependabot[bot]
f6f5e733f0
Bump cryptography from 3.2 to 3.3.2 (#79)
Bumps [cryptography](https://github.com/pyca/cryptography) from 3.2 to 3.3.2.
- [Release notes](https://github.com/pyca/cryptography/releases)
- [Changelog](https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/3.2...3.3.2)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-02-10 19:07:04 +00:00
L3D
7d91337447
Update file permissions for "{{ gitea_home }}" (#75)
The file permissions for {{ gitea_home }} especially in conjunction with the recurse: true flag are on closer inspection very open to all and also have a +x set on files.

This should be done better. And I have done here now.

By the way: To improve the -x on normal files in his gitea installation this shell command was useful for me
```
find . -type f -exec chmod a-x {} \+;
find . -type f -exec chmod u=rwX {} \+;
```
2021-02-10 19:05:04 +00:00
L3D
9cd664d91f
autogenerate JWT_SECRETS (#77)
* autogenerate JWT_SECRETS

Based on https://docs.gitea.io/en-us/command-line/#generate we will now autogenerate JWT_SECRETS if they are not defined.
In my opinion a much better idea than writing a value in the default config.

The check if the variables for the secrets are now 43 characters long i took out. Gitea generates itself suitable secrets, if the user given ones do not fit.

* drop ansible.builtin. syntax
2021-02-10 19:04:13 +00:00
L3D
67afb71160
add default "gitea_group: gitea" (#71)
* delete trailing whitespace

* Add gitea_group

This will add the `gitea_group: gitea` and will probably
RESOLVE https://github.com/thomas-maurice/ansible-role-gitea/issues/70

* update variable length

update variable length to make this role idempotent

* vars should not include special character
2021-01-27 14:13:02 +00:00
L3D
cde4a964d5 add LFS_JWT_SECRET option
+ Add comments about git-lfs to the README.
+ New variable for LFS_JWT_SECRET.
+ absolute path for gitea_lfs_content_path.
+ maybe some help to resolve https://github.com/thomas-maurice/ansible-role-gitea/issues/70
2021-01-22 11:07:28 +00:00
L3D
c68565952a delete trailing whitespace 2021-01-22 11:07:28 +00:00
L3D
2500047d22 improve all easy to fix yaml warnings 2021-01-22 11:06:55 +00:00
L3D
fb45c4dfc5 add linting check and fix warning
There is this linting message:
```
[208] File permissions unset or incorrect
tasks/main.yml:27
Task/Handler: Create config and data directory
```

I fixed it in this commit and added a github action
to run the official™ ansible linting check!
2021-01-22 11:06:55 +00:00
Simeon Keske
aa75493677 add option to specify extra configuration 2020-12-06 21:39:19 +00:00
Leo Maroni
8af72e355e Add disable_git_hooks config option to security 2020-12-06 21:37:51 +00:00
Jens Timmerman
ecfff9cbc0 bump gitea version
gitea 1.13.0 was released which fixes security issues

some breaking changes were reported in the release notes but I didn't find any issues with them on my system, caution is advised

Support Gitea development, we now have a shop for Swag

    SECURITY
        Add Allow-/Block-List for Migrate & Mirrors (#13610) (#13776)
        Prevent git operations for inactive users (#13527) (#13536)
        Disallow urlencoded new lines in git protocol paths if there is a port (#13521) (#13524)
        Mitigate Security vulnerability in the git hook feature (#13058)
        Disable DSA ssh keys by default (#13056)
        Set TLS minimum version to 1.2 (#12689)
        Use argon as default password hash algorithm (#12688)
    BREAKING
        Set RUN_MODE prod by default (#13765) (#13767)
        Don't replace underscores in auto-generated IDs in goldmark (#12805)
        Add Primary Key to Topic and RepoTopic tables (#12639)
        Disable password complexity check default (#12557)
        Change PIDFile default from /var/run/gitea.pid to /run/gitea.pid (#12500)
        Add extension Support to Attachments (allow all types for releases) (#12465)
        Remove IE11 Support (#11470)
2020-12-06 21:36:06 +00:00
dependabot[bot]
d5ca00bc21 Bump cryptography from 2.9 to 3.2
Bumps [cryptography](https://github.com/pyca/cryptography) from 2.9 to 3.2.
- [Release notes](https://github.com/pyca/cryptography/releases)
- [Changelog](https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/2.9...3.2)

Signed-off-by: dependabot[bot] <support@github.com>
2020-11-02 10:17:17 +00:00
883b6d958e fix logging path 2020-09-24 17:21:36 +01:00
Jens Timmerman
667c375a9d Update install_systemd.yml 2020-09-24 16:00:51 +01:00
Jens Timmerman
4976d531ba Update install_systemd.yml
reload systemd should be triggered via handler
2020-09-24 16:00:51 +01:00
Jens Timmerman
73d72a8264 1.12.4 was released which fixes security issues 2020-09-24 15:59:48 +01:00
21 changed files with 442 additions and 146 deletions

View file

@ -0,0 +1,22 @@
---
name: Ansible Lint check
# yamllint disable-line rule:truthy
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Lint Ansible Playbook
uses: ansible/ansible-lint-action@master
with:
targets: "."
# [required]
# Paths to ansible files (i.e., playbooks, tasks, handlers etc..)
args: ""
# [optional]

View file

@ -7,11 +7,12 @@ env:
matrix:
- MOLECULE_DISTRO: centos8
- MOLECULE_DISTRO: centos7
- MOLECULE_DISTRO: ubuntu2004
- MOLECULE_DISTRO: ubuntu1804
- MOLECULE_DISTRO: ubuntu1604
- MOLECULE_DISTRO: debian10
- MOLECULE_DISTRO: debian9
- MOLECULE_DISTRO: fedora31
- MOLECULE_DISTRO: fedora33
services:
- docker

View file

@ -58,9 +58,11 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
* `gitea_version_check`: Check if installed version != `gitea_version` before initiating binary download
* `gitea_user`: UNIX user used by Gitea
* `gitea_group`: UNIX group used by Gitea
* `gitea_home`: Base directory to work
* `gitea_dl_url`: The URL, the compiled gitea-binary will be downloaded from
* `gitea_systemd_cap_net_bind_service`: Adds `AmbientCapabilities=CAP_NET_BIND_SERVICE` to systemd service file
* `gitea_extra_config`: Additional configuration
### Look and feel
@ -69,15 +71,19 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
* `gitea_disable_gravatar`: Do you want to disable Gravatar ? (privacy and so on) (true/false)
* `gitea_offline_mode`: Same but for disabling CDNs for frontend assets (true/false)
* `gitea_disable_registration`: Do you want to disable user registration ? (true/false)
* `gitea_register_email_confirm`: Enable this to ask for mail confirmation of registration. Requires `gitea_mailer_enabled` to be enabled (Default: `false`)
* `gitea_only_allow_external_registration`: Do you want to force registration only using third-party services ? (true/false)
* `gitea_show_registration_button`: Do you want to show the registration button? (true/false)
* `gitea_require_signin`: Do you require a signin to see repo's (even public ones) ? (true/false)
* `gitea_enable_captcha`: Do you want to enable captcha's ? (true/false)
* `gitea_secret_key`: Cookie secret key
* `gitea_internal_token`: Internal API token
* `gitea_themes`: List of enabled themes
* `gitea_theme_default`: Default theme
### Security
* `gitea_secret_key`: Cookie secret key
* `gitea_internal_token`: Internal API token
* `gitea_disable_git_hooks`: Do you want to disable the interface to add git hooks? If enabled it could be a security bug as it can be used for RCE. Defaults to true (true/false)
### Limits
* `gitea_user_repo_limit`: Limit how many repos a user can have (-1 for unlimited)
@ -88,8 +94,9 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
* `gitea_root_url`: Root URL used to access your web app (full URL)
* `gitea_protocol`: Listening protocol (http/https)
* `gitea_http_listen`: Bind address
* `gitea_http_port`: Bind port
* `gitea_http_port`: Bind port (redirect from `80` will be activated if value is `443` - Default: `3000`)
* `gitea_disable_http_git`: Disable the use of Git over HTTP ? (true/false)
* `gitea_http_letsencrypt_mail` Enable Let`s Encrypt if a email address is given
### SSH configuration
@ -105,7 +112,7 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
* `gitea_db_name`: Database name
* `gitea_db_user`: Database username
* `gitea_db_password`: Database password
* `gitea_db_ssl`: Use SSL ? (postgres only!). Can be `required`, `disable`, `verify-full`
* `gitea_db_ssl`: Use SSL ? (postgres only!). Can be `require`, `disable`, `verify-ca` or `verify-full`
* `gitea_db_path`: DB path, if you use `sqlite3`. The default is good enough to work though.
### Mailer configuration
@ -117,7 +124,16 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
* `gitea_mailer_user`: SMTP server username
* `gitea_mailer_password`: SMTP server password
* `gitea_mailer_from`: Sender mail address
* `gitea_subject_prefix`: Prefix to be placed before e-mail subject lines (Default: ``)
* `gitea_enable_notify_mail`: Whether e-mail should be send to watchers of a repository when something happens. Default: `false`
* `gitea_mail_default`: Default configuration for email notifications for users (user configurable). Options: enabled, onmention, disable (Default: `onmention` )
* `gitea_autowatch_new_repo`: Enable this to let all organisation users watch new repos when they are created (Default: `false`)
* `gitea_autowatch_on_change`: Enable this to make users watch a repository after their first commit to it (Default: `true`)
* `gitea_show_mailstones_dashboard`: Enable this to show the milestones dashboard page - a view of all the users milestones (Default: `true`)
### Log configuration
* `gitea_log_systemd` Disable logging into `file`, use systemd-journald
* `gitea_log_only_warning` Log only warnings or above, no http access or sql logging (Default: `true`)
### Fail2Ban configuration
@ -134,8 +150,12 @@ As this will only deploy config files, fail2ban already has to be installed or o
### Oauth2 provider configuration
* `gitea_oauth2_enabled`: Enable the Oauth2 provider (true/false)
* `gitea_oauth2_jwt_secret`: JWT secret, cannot be longer than 32 characters
* `gitea_oauth2_jwt_secret`: Oauth2 JWT secret. Can be generated with ``gitea generate secret JWT_SECRET``
### GIT LFS configuration
* `gitea_lfs_enabled`: Enable GIT LFS (large filesystem)
* `gitea_lfs_mode`: should lfs be in offline mode (true/false)
* `gitea_lfs_secret`: JWT secret for remote LFS usage
### Metrics endpoint configuration
@ -150,6 +170,10 @@ As this will only deploy config files, fail2ban already has to be installed or o
* `gitea_repo_exclude_vendored`: Exclude vendored files from the index. Default: `true`
* `gitea_repo_indexer_max_file_size`: Maximum size of files to be indexed (in bytes). Default: `1048576` (1 MB)
### backup on upgrade
* `gitea_backup_on_upgrade`: Optionally a backup can be created with every update of gitea. Default: `false`
* `gitea_backup_location`: Where to store the gitea backup if one is created with this role. Default: `{{ gitea_home }}/backups/`
## Contributing
Don't hesitate to create a pull request, and when in doubt you can reach me on
Twitter [@thomas_maurice](https://twitter.com/thomas_maurice).

View file

@ -1,15 +1,18 @@
---
gitea_version: "1.12.0"
gitea_version: "1.17.1"
gitea_version_check: true
gitea_dl_url: "https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-{{ gitea_arch }}"
gitea_gpg_key: "7C9E68152594688862D62AF62D9AE806EC1592E2"
gitea_gpg_server: "hkps://keys.openpgp.org"
gitea_app_name: "Gitea"
gitea_user: "gitea"
gitea_group: "gitea"
gitea_home: "/var/lib/gitea"
gitea_shell: "/bin/false"
gitea_systemd_cap_net_bind_service: false
gitea_repository_root: "{{ gitea_home }}"
gitea_repository_root: "{{ gitea_home }}/repos"
gitea_user_repo_limit: -1
gitea_http_domain: localhost
@ -17,11 +20,15 @@ gitea_root_url: http://localhost:3000
gitea_protocol: http
gitea_http_listen: 127.0.0.1
gitea_http_port: 3000
# gitea_http_letsencrypt_mail: - required
gitea_disable_http_git: false
gitea_offline_mode: true
gitea_lfs_server_enabled: false
gitea_lfs_content_path: "data/lfs"
gitea_lfs_content_path: "{{ gitea_home }}/data/lfs"
gitea_lfs_jwt_secret: ''
gitea_lfs_secret: SomethingVeryLong
gitea_lfs_mode: true
gitea_db_type: sqlite3
gitea_db_host: 127.0.0.0:3306
@ -38,15 +45,21 @@ gitea_ssh_port: 2222
gitea_secret_key: T0pS3cr31
gitea_internal_token: SomethingVeryLong
gitea_disable_git_hooks: true
gitea_show_user_email: false
gitea_disable_gravatar: true
gitea_disable_registration: false
gitea_register_email_confirm: false
gitea_show_registration_button: true
gitea_require_signin: true
gitea_enable_captcha: true
gitea_only_allow_external_registration: false
gitea_enable_notify_mail: false
gitea_mail_default: onmention
gitea_autowatch_new_repo: false
gitea_autowatch_on_change: true
gitea_show_mailstones_dashboard: true
gitea_force_private: false
@ -57,8 +70,12 @@ gitea_mailer_host: localhost:25
gitea_mailer_from: noreply@your.domain
gitea_mailer_user: ""
gitea_mailer_password: ""
gitea_subject_prefix: ""
gitea_mailer_type: smtp
gitea_log_systemd: false
gitea_log_only_warning: true
gitea_fail2ban_enabled: false
gitea_fail2ban_jail_maxretry: 10
gitea_fail2ban_jail_findtime: 3600
@ -66,7 +83,7 @@ gitea_fail2ban_jail_bantime: 900
gitea_fail2ban_jail_action: iptables-allports
gitea_oauth2_enabled: true
gitea_oauth2_jwt_secret: ChangeMe
gitea_oauth2_jwt_secret: ''
gitea_metrics_enabled: false
gitea_metrics_token: ~
@ -79,3 +96,10 @@ gitea_repo_indexer_include: ""
gitea_repo_indexer_exclude: ""
gitea_repo_exclude_vendored: true
gitea_repo_indexer_max_file_size: 1048576
gitea_log_level: Info
gitea_extra_config: ""
gitea_backup_on_upgrade: false
gitea_backup_location: "{{ gitea_home }}/backups/"

View file

@ -1,17 +1,17 @@
---
- name: "Restart gitea"
service:
ansible.builtin.service:
name: gitea
state: restarted
when: ansible_service_mgr == "systemd"
- name: "Reload systemd"
systemd:
ansible.builtin.systemd:
daemon_reload: true
when: ansible_service_mgr == "systemd"
- name: "Restart fail2ban"
service:
ansible.builtin.service:
name: fail2ban
state: restarted
when: ansible_service_mgr == "systemd"

View file

@ -2,7 +2,7 @@
galaxy_info:
author: Thomas Maurice
description: Ansible Role - Gitea
min_ansible_version: 2.7.9
min_ansible_version: 2.10
license: BSD-3-Clause
galaxy_tags:
- git
@ -16,12 +16,17 @@ galaxy_info:
platforms:
- name: Debian
versions:
- jessie
- stretch
- name: EL
versions:
- 7
- buster
- name: Ubuntu
versions:
- xenial
- bionic
- focal
- name: CentOS
versions:
- 7
- 8
- name: Fedora
versions:
- 33

View file

@ -1,22 +1,27 @@
---
- name: Perpare
- name: Prepare
hosts: all
become: true
tasks:
- name: install dependencies for gitea (RedHat based systems)
yum:
name: "{{ packages }}"
name: "{{ redhat_packages }}"
state: present
update_cache: true
when: ansible_os_family == "RedHat"
- name: install dependencies for gitea (Debian based systems)
apt:
name: "{{ packages }}"
name: "{{ debian_packages }}"
state: present
update_cache: true
when: ansible_os_family == "Debian"
vars:
packages:
debian_packages:
- git
- curl
- xz-utils
redhat_packages:
- git
- curl
- xz

View file

@ -1,24 +1,21 @@
ansible==2.9.6
ansible==2.10.7
ansible-lint==4.2.0
anyconfig==0.9.7
arrow==0.15.5
asn1crypto==0.24.0
atomicwrites==1.3.0
attrs==19.1.0
autopep8==1.5.1
bcrypt==3.1.7
binaryornot==0.4.4
Cerberus==1.3.2
certifi==2020.4.5.1
cffi==1.14.0
chardet==3.0.4
click==7.1.1
certifi==2020.12.5
cffi==1.14.4
chardet==4.0.0
click==7.1.2
click-completion==0.5.2
click-help-colors==0.8
colorama==0.4.3
cookiecutter==1.7.0
cryptography==2.9
docker==4.2.0
click-help-colors==0.9
colorama==0.4.4
cookiecutter==1.7.2
cryptography==3.3.1
cryptography==3.3.2
docker==4.4.1
docker-pycreds==0.4.0
entrypoints==0.3
fasteners==0.15
@ -27,23 +24,23 @@ future==0.18.2
git-url-parse==1.2.1
idna==2.9
importlib-metadata==1.6.0
Jinja2==2.11.2
Jinja2==2.11.3
jinja2-time==0.2.0
MarkupSafe==1.1.1
mccabe==0.6.1
molecule==3.0.3
monotonic==1.5
more-itertools==6.0.0
paramiko==2.7.1
pathspec==0.8.0
pbr==5.1.1
more-itertools==8.6.0
paramiko==2.7.2
pathspec==0.8.1
pbr==5.5.1
pexpect==4.8.0
pi==0.1.2
pluggy==0.13.1
poyo==0.5.0
psutil==5.6.6
ptyprocess==0.6.0
py==1.8.0
py==1.10.0
pyasn1==0.4.5
pycodestyle==2.5.0
pycparser==2.20
@ -52,7 +49,7 @@ PyNaCl==1.3.0
pytest==4.3.1
python-dateutil==2.8.1
python-gilt==1.2.3
PyYAML==5.3.1
PyYAML==5.4
requests==2.23.0
ruamel.yaml==0.16.10
ruamel.yaml.clib==0.2.0
@ -60,10 +57,10 @@ sh==1.12.14
shellingham==1.3.2
six==1.14.0
tabulate==0.8.7
testinfra==5.0.0
testinfra==6.0.0
tree-format==0.1.2
urllib3==1.25.8
urllib3==1.26.5
websocket-client==0.57.0
whichcraft==0.6.1
yamllint==1.22.1
zipp==3.1.0
yamllint==1.26.0
zipp==3.4.0

30
tasks/backup.yml Normal file
View file

@ -0,0 +1,30 @@
---
- name: Get service facts
service_facts:
- block:
- name: Stopping gitea before upgrade
service:
name: gitea
state: stopped
- name: "Create backup directory"
file:
path: "{{ item }}"
state: directory
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: 'u=rwx,g=rx,o='
with_items:
- "{{ gitea_backup_location }}"
- name: Backing up gitea before upgrade
command:
cmd: "/usr/local/bin/gitea dump -c /etc/gitea/gitea.ini"
chdir: "{{ gitea_backup_location }}"
become: true
become_user: "{{ gitea_user }}"
when:
- ansible_facts.services["gitea.service"] is defined
- ansible_facts.services["gitea.service"].state == "running"
- gitea_active_version.stdout != gitea_version

View file

@ -1,7 +0,0 @@
---
- name: run checks to ensure set variables do not crash gitea
block:
- name: "check token length"
fail:
msg: 'gitea_oauth2_jwt_secret cannot be longer than 32 characters.'
when: gitea_oauth2_jwt_secret | length > 32

View file

@ -1,7 +1,14 @@
---
- name: "Create Gitea Group"
group:
name: "{{ gitea_group }}"
system: true
state: "present"
- name: "Create Gitea user"
user:
ansible.builtin.user:
name: "{{ gitea_user }}"
comment: "Gitea user"
home: "{{ gitea_home }}"
shell: "{{ gitea_shell }}"
system: true

View file

@ -1,18 +1,26 @@
---
- name: Install fail2ban filter
template:
ansible.builtin.template:
src: fail2ban/filter.conf.j2
dest: /etc/fail2ban/filter.d/gitea.conf
owner: root
group: root
mode: 0444
notify: Restart fail2ban
when: "'fail2ban' in ansible_facts.packages"
- name: Install fail2ban jail
template:
ansible.builtin.template:
src: fail2ban/jail.conf.j2
dest: /etc/fail2ban/jail.d/gitea.conf
owner: root
group: root
mode: 0444
notify: Restart fail2ban
when: "'fail2ban' in ansible_facts.packages"
- name: warn if fail2ban is not installed
ansible.builtin.fail:
msg: "the package fail2ban is not installed. no fail2ban filters deployed."
when: "'fail2ban' not in ansible_facts.packages"
ignore_errors: true

71
tasks/install.yml Normal file
View file

@ -0,0 +1,71 @@
---
- block:
- name: Update apt cache
apt:
cache_valid_time: 3600
update_cache: true
register: _pre_update_apt_cache
until: _pre_update_apt_cache is succeeded
when:
- ansible_pkg_mgr == "apt"
- name: Install dependencies
package:
name: "{{ gitea_dependencies }}"
state: present
register: _install_dep_packages
until: _install_dep_packages is succeeded
retries: 5
delay: 2
- block:
- name: Download gitea archive
get_url:
url: "{{ gitea_dl_url }}.xz"
dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
checksum: "sha256:{{ gitea_dl_url }}.xz.sha256"
register: _download_archive
until: _download_archive is succeeded
retries: 5
delay: 2
- name: Download gitea asc file
get_url:
url: "{{ gitea_dl_url }}.xz.asc"
dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc"
register: _download_asc
until: _download_asc is succeeded
retries: 5
delay: 2
- name: Check gitea gpg key
command: "gpg --list-keys 0x{{ gitea_gpg_key }}"
register: _gitea_gpg_key_status
changed_when: false
failed_when: _gitea_gpg_key_status.rc not in (0, 2)
- name: Import gitea gpg key
command: "gpg --keyserver {{ gitea_gpg_server }} --recv {{ gitea_gpg_key }}"
register: _gitea_import_key
changed_when: '"imported: 1" in _gitea_import_key.stderr'
when: _gitea_gpg_key_status.rc != 0
- name: Check archive signature
command: "gpg --verify /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
changed_when: false
- name: Unpack gitea binary
command:
cmd: "xz -k -d /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
creates: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}"
- name: Propagate gitea binary
copy:
src: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}"
remote_src: true
dest: "/usr/local/bin/gitea"
mode: 0755
owner: root
group: root
notify: "Restart gitea"
when: (not gitea_version_check|bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version))

View file

@ -1,6 +1,6 @@
---
- name: "Setup systemd service"
template:
ansible.builtin.template:
src: gitea.service.j2
dest: /lib/systemd/system/gitea.service
owner: root
@ -10,6 +10,8 @@
- "Reload systemd"
- "Restart gitea"
# systemd to be reloaded the first time because
# it is the only way Systemd is going to be aware of the new unit file.
- name: "Reload systemd"
systemd:
ansible.builtin.systemd:
daemon_reload: true

38
tasks/jwt_secrets.yml Normal file
View file

@ -0,0 +1,38 @@
---
- name: generate OAuth2 JWT_SECRET if not provided
become: true
shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_oauth_jwt_secret'
args:
creates: '/etc/gitea/gitea_oauth_jwt_secret'
when: gitea_oauth2_jwt_secret | length == 0
- name: read OAuth2 JWT_SECRET from file
become: true
slurp:
src: '/etc/gitea/gitea_oauth_jwt_secret'
register: oauth_jwt_secret
when: gitea_oauth2_jwt_secret | length == 0
- name: set fact gitea_oauth2_jwt_secret
set_fact:
gitea_oauth2_jwt_secret: "{{ oauth_jwt_secret['content'] | b64decode }}"
when: gitea_oauth2_jwt_secret | length == 0
- name: generate LFS JWT_SECRET if not provided
become: true
shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_lfs_jwt_secret'
args:
creates: '/etc/gitea/gitea_lfs_jwt_secret'
when: gitea_lfs_jwt_secret | length == 0
- name: read LFS JWT_SECRET from file
become: true
slurp:
src: '/etc/gitea/gitea_lfs_jwt_secret'
register: lfs_jwt_secret
when: gitea_lfs_jwt_secret | length == 0
- name: set fact gitea_lfs_jwt_secret
set_fact:
gitea_lfs_jwt_secret: "{{ lfs_jwt_secret['content'] | b64decode }}"
when: gitea_lfs_jwt_secret | length == 0

View file

@ -1,9 +1,19 @@
---
- name: Gather variables for each operating system
include_vars: "{{ item }}"
with_first_found:
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_distribution | lower }}.yml"
- "{{ ansible_os_family | lower }}.yml"
- include: check-variables.yml
- name: Gather installed packages for checks in the role (fail2ban)
ansible.builtin.package_facts:
manager: auto
- name: "Check gitea version"
shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3"
ansible.builtin.shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3"
args:
executable: /bin/bash
register: gitea_active_version
@ -12,7 +22,7 @@
when: gitea_version_check|bool
- name: "Download the binary"
get_url:
ansible.builtin.get_url:
url: "{{ gitea_dl_url }}"
dest: /usr/local/bin/gitea
owner: root
@ -25,13 +35,24 @@
- include: create_user.yml
- name: "Create config and data directory"
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: '0755'
with_items:
- "/etc/gitea"
- name: "Create data directory"
file:
path: "{{ item }}"
state: directory
owner: "{{ gitea_user }}"
recurse: True
group: "{{ gitea_group }}"
mode: 'u=rwX,g=rX,o='
recurse: true
with_items:
- "/etc/gitea"
- "{{ gitea_home }}"
- "{{ gitea_home }}/data"
- "{{ gitea_home }}/custom"
@ -39,25 +60,28 @@
- "{{ gitea_home }}/custom/mailer"
- "{{ gitea_home }}/indexers"
- "{{ gitea_home }}/log"
- "{{ gitea_repository_root }}"
- include: install_systemd.yml
when: ansible_service_mgr == "systemd"
- include_tasks: jwt_secrets.yml
- name: 'Install git'
package:
ansible.builtin.package:
name: 'git'
state: 'present'
- name: "Configure gitea"
template:
ansible.builtin.template:
src: gitea.ini.j2
dest: /etc/gitea/gitea.ini
owner: "{{ gitea_user }}"
group: "{{ gitea_group }}"
mode: 0600
notify: "Restart gitea"
- name: "Service gitea"
service:
ansible.builtin.service:
name: gitea
state: started
enabled: true

View file

@ -3,193 +3,219 @@
;
; This file overwrites the default values from gitea.
; undefined variables will use the default value from gitea.
; Cheat Sheet: https://docs.gitea.io/en-us/config-cheat-sheet/
; Cheat Sheet: https://docs.gitea.io/en-us/config-cheat-sheet/
;
; App name that shows on every page title
APP_NAME = {{ gitea_app_name }}
APP_NAME = {{ gitea_app_name }}
; Change it if you run locally
RUN_USER = {{ gitea_user }}
; Either "dev", "prod" or "test", default is "dev"
RUN_MODE = prod
[repository]
ROOT = {{ gitea_repository_root }}
ROOT = {{ gitea_repository_root }}
; Force every new repository to be private
FORCE_PRIVATE = {{ gitea_force_private }}
FORCE_PRIVATE = {{ gitea_force_private | ternary('true', 'false') }}
; Global limit of repositories per user, applied at creation time. -1 means no limit
MAX_CREATION_LIMIT = {{ gitea_user_repo_limit }}
MAX_CREATION_LIMIT = {{ gitea_user_repo_limit }}
; Mirror sync queue length, increase if mirror syncing starts hanging
MIRROR_QUEUE_LENGTH = 1000
; Disable the ability to interact with repositories using the HTTP protocol
DISABLE_HTTP_GIT = {{ gitea_disable_http_git }}
DISABLE_HTTP_GIT = {{ gitea_disable_http_git | ternary('true', 'false') }}
[ui]
; Whether the email of the user should be shown in the Explore Users page
SHOW_USER_EMAIL = {{ gitea_show_user_email }}
THEMES = {{ gitea_themes }}
DEFAULT_THEME = {{ gitea_theme_default }}
SHOW_USER_EMAIL = {{ gitea_show_user_email | ternary('true', 'false') }}
THEMES = {{ gitea_themes }}
DEFAULT_THEME = {{ gitea_theme_default }}
[server]
; The protocol the server listens on. One of 'http', 'https', 'unix' or 'fcgi'.
PROTOCOL = {{ gitea_protocol }}
DOMAIN = {{ gitea_http_domain }}
ROOT_URL = {{ gitea_root_url }}
PROTOCOL = {{ gitea_protocol }}
DOMAIN = {{ gitea_http_domain }}
ROOT_URL = {{ gitea_root_url }}
; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket.
HTTP_ADDR = {{ gitea_http_listen }}
HTTP_PORT = {{ gitea_http_port }}
{% if gitea_http_port == 443 %}
PORT_TO_REDIRECT = 80
{% endif %}
{% if gitea_http_letsencrypt_mail is defined %}
ENABLE_LETSENCRYPT = true
LETSENCRYPT_ACCEPTTOS = true
LETSENCRYPT_EMAIL = {{ gitea_http_letsencrypt_mail }}
{% endif %}
; Disable SSH feature when not available
DISABLE_SSH = false
DISABLE_SSH = false
; Whether to use the builtin SSH server or not.
START_SSH_SERVER = {{ gitea_start_ssh }}
START_SSH_SERVER = {{ gitea_start_ssh | ternary('true', 'false') }}
; Domain name to be exposed in clone URL
SSH_DOMAIN = {{ gitea_ssh_domain }}
SSH_DOMAIN = {{ gitea_ssh_domain }}
; The network interface the builtin SSH server should listen on
SSH_LISTEN_HOST = {{ gitea_ssh_listen }}
SSH_LISTEN_HOST = {{ gitea_ssh_listen }}
; Port number to be exposed in clone URL
SSH_PORT = {{ gitea_ssh_port }}
SSH_PORT = {{ gitea_ssh_port }}
; The port number the builtin SSH server should listen on
SSH_LISTEN_PORT = %(SSH_PORT)s
SSH_LISTEN_PORT = %(SSH_PORT)s
; Disable CDN even in "prod" mode
OFFLINE_MODE = {{ gitea_offline_mode }}
OFFLINE_MODE = {{ gitea_offline_mode | ternary('true', 'false') }}
; Default path for App data
APP_DATA_PATH = {{ gitea_home }}/data
{%- if gitea_lfs_server_enabled | bool %}
APP_DATA_PATH = {{ gitea_home }}/data
{% if gitea_lfs_server_enabled | bool -%}
;Enables git-lfs support.
LFS_START_SERVER = true
LFS_START_SERVER = true
; Where to store LFS files.
LFS_CONTENT_PATH = {{ gitea_lfs_content_path }}
; LFS authentication secret
LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }}
LFS_CONTENT_PATH = {{ gitea_lfs_content_path }}
{%- endif %}
; if the LFS sotre is not offline/local
LFS_JWT_SECRET = {{ gitea_lfs_secret }}
OFFLINE_MODE = {{ gitea_lfs_mode }}
{% endif %}
[database]
; Either "mysql", "postgres", "mssql" or "sqlite3", it's your choice
DB_TYPE = {{ gitea_db_type }}
HOST = {{ gitea_db_host }}
NAME = {{ gitea_db_name }}
USER = {{ gitea_db_user }}
DB_TYPE = {{ gitea_db_type }}
HOST = {{ gitea_db_host }}
NAME = {{ gitea_db_name }}
USER = {{ gitea_db_user }}
; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD = {{ gitea_db_password }}
; For Postgres, either "disable" (default), "require", or "verify-full"
PASSWD = {{ gitea_db_password }}
; For Postgres, either "disable" (default), "require", "verify-ca" or "verify-full"
; For MySQL, either "false" (default), "true", or "skip-verify"
SSL_MODE = {{ gitea_db_ssl }}
SSL_MODE = {{ gitea_db_ssl }}
; For "sqlite3" and "tidb", use an absolute path when you start gitea as service
PATH = {{ gitea_db_path }}
{% if gitea_log_only_warning %}
LOG_SQL = false
{% endif %}
[indexer]
; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve
ISSUE_INDEXER_PATH = {{ gitea_home }}/indexers/issues.bleve
ISSUE_INDEXER_PATH = {{ gitea_home }}/indexers/issues.bleve
; Issue indexer queue, currently support: channel or levelqueue, default is levelqueue
ISSUE_INDEXER_QUEUE_TYPE = levelqueue
ISSUE_INDEXER_QUEUE_TYPE = levelqueue
; When ISSUE_INDEXER_QUEUE_TYPE is levelqueue, this will be the queue will be saved path,
; default is indexers/issues.queue
ISSUE_INDEXER_QUEUE_DIR = {{ gitea_home }}/indexers/issues.queue
ISSUE_INDEXER_QUEUE_DIR = {{ gitea_home }}/indexers/issues.queue
; repo indexer by default disabled, since it uses a lot of disk space
REPO_INDEXER_ENABLED = {{ gitea_repo_indexer_enabled }}
REPO_INDEXER_PATH = {{ gitea_home }}/indexers/repos.bleve
REPO_INDEXER_INCLUDE = {{ gitea_repo_indexer_include }}
REPO_INDEXER_EXCLUDE = {{ gitea_repo_indexer_exclude }}
REPO_INDEXER_ENABLED = {{ gitea_repo_indexer_enabled }}
REPO_INDEXER_PATH = {{ gitea_home }}/indexers/repos.bleve
REPO_INDEXER_INCLUDE = {{ gitea_repo_indexer_include }}
REPO_INDEXER_EXCLUDE = {{ gitea_repo_indexer_exclude }}
REPO_INDEXER_EXCLUDE_VENDORED = {{ gitea_repo_exclude_vendored }}
MAX_FILE_SIZE = {{ gitea_repo_indexer_max_file_size }}
MAX_FILE_SIZE = {{ gitea_repo_indexer_max_file_size }}
[security]
; Whether the installer is disabled
INSTALL_LOCK = true
INSTALL_LOCK = true
; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!!
SECRET_KEY = {{ gitea_secret_key }}
INTERNAL_TOKEN = {{ gitea_internal_token }}
SECRET_KEY = {{ gitea_secret_key }}
INTERNAL_TOKEN = {{ gitea_internal_token }}
; How long to remember that an user is logged in before requiring relogin (in days)
LOGIN_REMEMBER_DAYS = 7
DISABLE_GIT_HOOKS = {{ gitea_disable_git_hooks | ternary('true', 'false') }}
[service]
; Disallow registration, only allow admins to create accounts.
DISABLE_REGISTRATION = {{ gitea_disable_registration }}
REGISTER_EMAIL_CONFIRM = {{ gitea_register_email_confirm }}
; User must sign in to view anything.
REQUIRE_SIGNIN_VIEW = {{ gitea_require_signin }}
REQUIRE_SIGNIN_VIEW = {{ gitea_require_signin | ternary('true', 'false') }}
; Enable captcha validation for registration
ENABLE_CAPTCHA = {{ gitea_enable_captcha }}
ENABLE_CAPTCHA = {{ gitea_enable_captcha | ternary('true', 'false') }}
; Type of captcha you want to use. Options: image, recaptcha
CAPTCHA_TYPE = image
CAPTCHA_TYPE = image
; Enable recaptcha to use Google's recaptcha service
; Go to https://www.google.com/recaptcha/admin to sign up for a key
RECAPTCHA_SECRET =
RECAPTCHA_SITEKEY =
RECAPTCHA_SECRET =
RECAPTCHA_SITEKEY =
; Show Registration button
SHOW_REGISTRATION_BUTTON = {{ gitea_show_registration_button }}
ALLOW_ONLY_EXTERNAL_REGISTRATION = {{ gitea_only_allow_external_registration }}
ENABLE_NOTIFY_MAIL = {{ gitea_enable_notify_mail }}
DEFAULT_EMAIL_NOTIFICATIONS = {{ gitea_mail_default }}
AUTO_WATCH_NEW_REPOS = {{ gitea_autowatch_new_repo }}
AUTO_WATCH_ON_CHANGES = {{ gitea_autowatch_on_change }}
SHOW_MILESTONES_DASHBOARD_PAGE = {{ gitea_show_mailstones_dashboard }}
[mailer]
ENABLED = {{ gitea_mailer_enabled }}
ENABLED = {{ gitea_mailer_enabled | ternary('true', 'false') }}
; Mail server
; Gmail: smtp.gmail.com:587
; QQ: smtp.qq.com:465
; Note, if the port ends with "465", SMTPS will be used. Using STARTTLS on port 587 is recommended per RFC 6409. If the server supports STARTTLS it will always be used.
HOST = {{ gitea_mailer_host }}
; Disable HELO operation when hostnames are different.
DISABLE_HELO =
; Custom hostname for HELO operation, if no value is provided, one is retrieved from system.
HELO_HOSTNAME =
HOST = {{ gitea_mailer_host }}
; Do not verify the certificate of the server. Only use this for self-signed certificates
SKIP_VERIFY = {{ gitea_mailer_skip_verify }}
SKIP_VERIFY = {{ gitea_mailer_skip_verify }}
; Use client certificate
USE_CERTIFICATE = false
CERT_FILE = {{ gitea_home }}/custom/mailer/cert.pem
KEY_FILE = {{ gitea_home }}/custom/mailer/key.pem
USE_CERTIFICATE = false
CERT_FILE = {{ gitea_home }}/custom/mailer/cert.pem
KEY_FILE = {{ gitea_home }}/custom/mailer/key.pem
; Should SMTP connection use TLS
IS_TLS_ENABLED = {{ gitea_mailer_tls_enabled }}
IS_TLS_ENABLED = {{ gitea_mailer_tls_enabled | ternary('true', 'false') }}
; Mail from address, RFC 5322. This can be just an email address, or the `"Name" <email@example.com>` format
FROM = {{ gitea_mailer_from }}
FROM = {{ gitea_mailer_from }}
; Mailer user name and password
USER = {{ gitea_mailer_user }}
USER = {{ gitea_mailer_user }}
; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD = `{{ gitea_mailer_password }}`
PASSWD = {{ gitea_mailer_password }}
; Send mails as plain text
SEND_AS_PLAIN_TEXT = false
SUBJECT_PREFIX = {{ gitea_subject_prefix }}
; Set Mailer Type (either SMTP, sendmail or dummy to just send to the log)
MAILER_TYPE = {{ gitea_mailer_type }}
MAILER_TYPE = {{ gitea_mailer_type }}
; Specify an alternative sendmail binary
SENDMAIL_PATH = sendmail
; Specify any extra sendmail arguments
SENDMAIL_ARGS =
SENDMAIL_PATH = sendmail
[session]
; Either "memory", "file", or "redis", default is "memory"
PROVIDER = file
PROVIDER = file
; Provider config options
; memory: doesn't have any config yet
; file: session file path, e.g. `data/sessions`
; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
PROVIDER_CONFIG = {{ gitea_home }}/data/sessions
PROVIDER_CONFIG = {{ gitea_home }}/data/sessions
[picture]
AVATAR_UPLOAD_PATH = {{ gitea_home }}/data/avatars
AVATAR_UPLOAD_PATH = {{ gitea_home }}/data/avatars
; This value will always be true in offline mode.
DISABLE_GRAVATAR = {{ gitea_disable_gravatar }}
DISABLE_GRAVATAR = {{ gitea_disable_gravatar | ternary('true', 'false') }}
[attachment]
; Whether attachments are enabled. Defaults to `true`
ENABLED = true
; Path for attachments. Defaults to `data/attachments`
PATH = {{ gitea_home }}/data/attachments
PATH = {{ gitea_home }}/data/attachments
[log]
ROOT_PATH = {{ gitea_home }}/log
ROOT_PATH = {{ gitea_home }}/log
; Either "console", "file", "conn", "smtp" or "database", default is "console"
; Use comma to separate multiple modes, e.g. "console, file"
{% if gitea_log_systemd %}
MODE = console
MACARON = console
{% else %}
MODE = file
{% endif %}
; Buffer length of the channel, keep it as it is if you don't know what it is.
BUFFER_LEN = 10000
BUFFER_LEN = 10000
; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace"
LEVEL = Info
{% if gitea_log_only_warning %}
LEVEL = Warn
REDIRECT_MACARON_LOG = true
{% else %}
LEVEL = {{ gitea_log_level }}
REDIRECT_MACARON_LOG = false
{% endif %}
[oauth2]
ENABLE = {{ gitea_oauth2_enabled }}
ENABLE = {{ gitea_oauth2_enabled }}
JWT_SECRET = {{ gitea_oauth2_jwt_secret }}
[metrics]
ENABLED = {{ gitea_metrics_enabled }}
TOKEN = {{ gitea_metrics_token }}
TOKEN = {{ gitea_metrics_token }}
{{ gitea_extra_config }}

View file

@ -4,7 +4,8 @@ After=network.target
[Service]
User={{ gitea_user }}
ExecStart=/usr/local/bin/gitea web -c /etc/gitea/gitea.ini
Group={{ gitea_group }}
ExecStart=/usr/local/bin/gitea web -c /etc/gitea/gitea.ini --custom-path {{ gitea_home }}/custom/
Restart=on-failure
WorkingDirectory={{ gitea_home }}
{% if gitea_systemd_cap_net_bind_service %}

5
vars/debian.yml Normal file
View file

@ -0,0 +1,5 @@
---
gitea_dependencies:
- git
- gnupg2
- xz-utils

View file

@ -1,2 +1,10 @@
---
gitea_arch: "{{ 'amd64' if ansible_architecture == 'x86_64' else ansible_architecture }}"
gitea_go_arch_map:
i386: '386'
x86_64: 'amd64'
aarch64: 'arm64'
armv7l: 'arm-6'
armv6l: 'arm-6'
armv5l: 'arm-5'
gitea_arch: "{{ gitea_go_arch_map[ansible_architecture] | default(ansible_architecture) }}"

5
vars/redhat.yml Normal file
View file

@ -0,0 +1,5 @@
---
gitea_dependencies:
- git
- gnupg2
- xz