56375819a7
* Gitea user should be a system user * Improve installation system * Download archive instead of binary * Add checksum validation * Add GPG check * Add backup process before upgrading * Improve ARM support * Improve support for Vault Encrypted JWT tokens * Fix spacing in gitea configuration template When Gitea rewrite the configuration file (e.g.: the JWT token is not set or doesn't fit their criteria), it'll align space on a per-section basis in the .ini file. If the template is not properly spaced, at the next Ansible run, you'll have an enormous diff, hidding what the real changes are. * add proper redhat/debian deps for molecule testing * Gitea group should be a system group * fix linting for CI * Update CI and meta information for up-to-date tests and distros * molecule: fix typo for redhat packages * fix typo * bump gitea version to 1.13.1 * Use Ubuntu keyservers to play nicely with everyone * Update minimum required ansible version to 2.9.8 This is required for Ubuntu Focal, which comes with systemd >= 245 The Get Facts modules doesn't work well with it before the bugfix introduced in 2.9.8 * Replace yes by True to please the linting * Truthy values needs to be lower-case * bump gitea version to 1.13.2 * perform gitea dump as gitea user * need to set become to yes * autogenerate JWT_SECRETS (#77) * autogenerate JWT_SECRETS Based on https://docs.gitea.io/en-us/command-line/#generate we will now autogenerate JWT_SECRETS if they are not defined. In my opinion a much better idea than writing a value in the default config. The check if the variables for the secrets are now 43 characters long i took out. Gitea generates itself suitable secrets, if the user given ones do not fit. * drop ansible.builtin. syntax * Update file permissions for "{{ gitea_home }}" (#75) The file permissions for {{ gitea_home }} especially in conjunction with the recurse: true flag are on closer inspection very open to all and also have a +x set on files. This should be done better. 
And I have done here now. By the way: To improve the -x on normal files in his gitea installation this shell command was useful for me ``` find . -type f -exec chmod a-x {} \+; find . -type f -exec chmod u=rwX {} \+; ``` * Bump cryptography from 3.2 to 3.3.2 (#79) Bumps [cryptography](https://github.com/pyca/cryptography) from 3.2 to 3.3.2. - [Release notes](https://github.com/pyca/cryptography/releases) - [Changelog](https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/3.2...3.3.2) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Gitea user should be a system user * Improve installation system * Download archive instead of binary * Add checksum validation * Add GPG check * Add backup process before upgrading * Improve ARM support * Fix spacing in gitea configuration template When Gitea rewrite the configuration file (e.g.: the JWT token is not set or doesn't fit their criteria), it'll align space on a per-section basis in the .ini file. If the template is not properly spaced, at the next Ansible run, you'll have an enormous diff, hidding what the real changes are. 
* add proper redhat/debian deps for molecule testing * Gitea group should be a system group * fix linting for CI * Update CI and meta information for up-to-date tests and distros * molecule: fix typo for redhat packages * fix typo * bump gitea version to 1.13.1 * Use Ubuntu keyservers to play nicely with everyone * Update minimum required ansible version to 2.9.8 This is required for Ubuntu Focal, which comes with systemd >= 245 The Get Facts module doesn't work well with it before the bugfix introduced in 2.9.8 * Replace yes by True to please the linting * Truthy values need to be lower-case * bump gitea version to 1.13.2 * perform gitea dump as gitea user * need to set become to yes * check-variables.yml doesn't exist anymore Co-authored-by: L3D <l3d@c3woc.de> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
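- block:
    # Refresh the apt index before installing dependencies. Only meaningful
    # on apt-based hosts, so the task is skipped for every other package manager.
    - name: Update apt cache
      apt:
        cache_valid_time: 3600
        update_cache: true
      register: _pre_update_apt_cache
      until: _pre_update_apt_cache is succeeded
      # Same retry policy as the package install below; without explicit
      # values `until` silently falls back to Ansible's defaults.
      retries: 5
      delay: 2
      when:
        - ansible_pkg_mgr == "apt"

    # gitea_dependencies is expected to come from the role's vars (per-distro
    # list); it is not defined in this file.
    - name: Install dependencies
      package:
        name: "{{ gitea_dependencies }}"
        state: present
      register: _install_dep_packages
      until: _install_dep_packages is succeeded
      retries: 5
      delay: 2

    # Populates ansible_facts.services, which the upgrade block below reads to
    # decide whether a running gitea has to be stopped and dumped first.
    - name: Get service facts
      service_facts:
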
# Upgrade pre-flight: stop and dump the running instance. Guarded so it only
# fires when a gitea unit is known to service_facts, is currently running, and
# the installed version (gitea_active_version, presumably registered by an
# earlier task of the role) differs from the requested gitea_version.
- block:
    - name: Stopping gitea before upgrade
      service:
        state: stopped
        name: gitea

    # The dump is taken as the gitea account rather than root; `su -s` forces
    # a usable shell for that account (it is presumably a system user without
    # a login shell — confirm against the user-creation task). `chdir` decides
    # where `gitea dump` places its archive.
    # NOTE(review): assumes /var/backups/ exists and is writable by
    # gitea_user; nothing in this file creates or chowns it.
    - name: Backing up gitea before upgrade
      become: true
      become_user: '{{ gitea_user }}'
      become_method: su
      become_flags: '-s /bin/sh'
      command:
        chdir: '/var/backups/'
        cmd: 'gitea dump -c /etc/gitea/gitea.ini'
  when:
    - ansible_facts.services["gitea.service"] is defined
    - ansible_facts.services["gitea.service"].state == "running"
    - gitea_active_version.stdout != gitea_version

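# Fetch, verify and install the gitea binary. Runs when the version check is
# disabled, or (outside check mode) when the installed version differs from
# gitea_version.
- block:
    # The .sha256 file is fetched from the same origin as the archive, so the
    # checksum only guards against a corrupt or partial download; authenticity
    # of the archive comes from the GPG signature check further down.
    - name: Download gitea archive
      get_url:
        url: "{{ gitea_dl_url }}.xz"
        dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
        checksum: "sha256:{{ gitea_dl_url }}.xz.sha256"
      register: _download_archive
      until: _download_archive is succeeded
      retries: 5
      delay: 2

    - name: Download gitea asc file
      get_url:
        url: "{{ gitea_dl_url }}.xz.asc"
        dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc"
      register: _download_asc
      until: _download_asc is succeeded
      retries: 5
      delay: 2

    # rc 0: key already in the keyring; rc 2: gpg's "key not found".
    # Anything else is a real gpg failure and should abort the play.
    - name: Check gitea gpg key
      command: "gpg --list-keys 0x{{ gitea_gpg_key }}"
      register: _gitea_gpg_key_status
      changed_when: false
      failed_when: _gitea_gpg_key_status.rc not in (0, 2)

    # NOTE(review): a keyserver lookup is only as trustworthy as the
    # identifier it is given — gitea_gpg_key should be the full 40-hex
    # fingerprint, not a short key id, so a colliding key cannot be served
    # in place of the real one. Verify the configured value.
    - name: Import gitea gpg key
      command: "gpg --keyserver {{ gitea_gpg_server }} --recv {{ gitea_gpg_key }}"
      register: _gitea_import_key
      changed_when: '"imported: 1" in _gitea_import_key.stderr'
      when: _gitea_gpg_key_status.rc != 0

    # NOTE(review): `gpg --verify` exits 0 for a good signature from *any*
    # key in the invoking user's keyring, not specifically gitea_gpg_key. If
    # that keyring can hold other keys, pin the signer (e.g. run with
    # `--status-fd 1` and fail unless the VALIDSIG line carries the expected
    # fingerprint).
    - name: Check archive signature
      command: "gpg --verify /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
      changed_when: false

    # The staging path lives in world-writable /tmp under a predictable name.
    # Decompress with -f (xz unlinks and replaces any pre-existing output)
    # instead of skipping via `creates`, so the binary installed below always
    # comes from the archive that was just verified and never from a file
    # another local account left at that path. Trade-off: this task now
    # reports `changed` on every run of this block.
    - name: Unpack gitea binary
      command:
        cmd: "xz -k -d -f /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"

    - name: Propagate gitea binary
      copy:
        src: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}"
        remote_src: true
        dest: "/usr/local/bin/gitea"
        mode: "0755"  # quoted so the YAML loader cannot reinterpret the octal literal
        owner: root
        group: root
      notify: "Restart gitea"
  when: (not gitea_version_check|bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version))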