Find a file
Finwë 56375819a7
Improve ARM Support (#74)
* Gitea user should be a system user

* Improve installation system

* Download archive instead of binary
* Add checksum validation
* Add GPG check
* Add backup process before upgrading

* Improve ARM support

* Improve support for Vault Encrypted JWT tokens

* Fix spacing in gitea configuration template

When Gitea rewrite the configuration file (e.g.: the JWT token is not
set or doesn't fit their criteria), it'll align space on a per-section
basis in the .ini file.
If the template is not properly spaced, at the next Ansible run, you'll
have an enormous diff, hidding what the real changes are.

* add proper redhat/debian deps for molecule testing

* Gitea group should be a system group

* fix linting for CI

* Update CI and meta information for up-to-date tests and distros

* molecule: fix typo for redhat packages

* fix typo

* bump gitea version to 1.13.1

* Use Ubuntu keyservers to play nicely with everyone

* Update minimum required ansible version to 2.9.8

This is required for Ubuntu Focal, which comes with systemd >= 245
The Get Facts modules doesn't work well with it before the bugfix
introduced in 2.9.8

* Replace yes by True to please the linting

* Truthy values needs to be lower-case

* bump gitea version to 1.13.2

* perform gitea dump as gitea user

* need to set become to yes

* autogenerate JWT_SECRETS (#77)

* autogenerate JWT_SECRETS

Based on https://docs.gitea.io/en-us/command-line/#generate we will now autogenerate JWT_SECRETS if they are not defined.
In my opinion a much better idea than writing a value in the default config.

The check if the variables for the secrets are now 43 characters long i took out. Gitea generates itself suitable secrets, if the user given ones do not fit.

* drop ansible.builtin. syntax

* Update file permissions for "{{ gitea_home }}" (#75)

The file permissions for {{ gitea_home }} especially in conjunction with the recurse: true flag are on closer inspection very open to all and also have a +x set on files.

This should be done better. And I have done here now.

By the way: To improve the -x on normal files in his gitea installation this shell command was useful for me
```
find . -type f -exec chmod a-x {} \+;
find . -type f -exec chmod u=rwX {} \+;
```

* Bump cryptography from 3.2 to 3.3.2 (#79)

Bumps [cryptography](https://github.com/pyca/cryptography) from 3.2 to 3.3.2.
- [Release notes](https://github.com/pyca/cryptography/releases)
- [Changelog](https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/3.2...3.3.2)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Gitea user should be a system user

* Improve installation system

* Download archive instead of binary
* Add checksum validation
* Add GPG check
* Add backup process before upgrading

* Improve ARM support

* Fix spacing in gitea configuration template

When Gitea rewrite the configuration file (e.g.: the JWT token is not
set or doesn't fit their criteria), it'll align space on a per-section
basis in the .ini file.
If the template is not properly spaced, at the next Ansible run, you'll
have an enormous diff, hidding what the real changes are.

* add proper redhat/debian deps for molecule testing

* Gitea group should be a system group

* fix linting for CI

* Update CI and meta information for up-to-date tests and distros

* molecule: fix typo for redhat packages

* fix typo

* bump gitea version to 1.13.1

* Use Ubuntu keyservers to play nicely with everyone

* Update minimum required ansible version to 2.9.8

This is required for Ubuntu Focal, which comes with systemd >= 245
The Get Facts modules doesn't work well with it before the bugfix
introduced in 2.9.8

* Replace yes by True to please the linting

* Truthy values needs to be lower-case

* bump gitea version to 1.13.2

* perform gitea dump as gitea user

* need to set become to yes

* check-variables.yml doesn't exists anymore

Co-authored-by: L3D <l3d@c3woc.de>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-02-12 17:56:31 +00:00
.github/workflows add default "gitea_group: gitea" (#71) 2021-01-27 14:13:02 +00:00
defaults Improve ARM Support (#74) 2021-02-12 17:56:31 +00:00
handlers Bunch of improvements around testing and ansible galaxy 2019-03-16 12:11:02 +00:00
meta Improve ARM Support (#74) 2021-02-12 17:56:31 +00:00
molecule/default Improve ARM Support (#74) 2021-02-12 17:56:31 +00:00
tasks Improve ARM Support (#74) 2021-02-12 17:56:31 +00:00
templates Improve ARM Support (#74) 2021-02-12 17:56:31 +00:00
vars Improve ARM Support (#74) 2021-02-12 17:56:31 +00:00
.ansible-lint improved testing 2020-04-20 15:09:35 +01:00
.gitignore improved testing 2020-04-20 15:09:35 +01:00
.travis.yml Improve ARM Support (#74) 2021-02-12 17:56:31 +00:00
.yamllint add default and fix linter warning 2020-04-20 15:09:35 +01:00
LICENSE Bunch of improvements around testing and ansible galaxy 2019-03-16 12:11:02 +00:00
README.md autogenerate JWT_SECRETS (#77) 2021-02-10 19:04:13 +00:00
requirements-travis.txt Improve ARM Support (#74) 2021-02-12 17:56:31 +00:00

Ansible role gitea - Install a gitea server

Build Status Ansible Role Ansible Role Ansible Quality Score

This role installs and manages a gitea server - Source code & screenshots.

Gitea is a Golang Git repository webapp, having the same look and feel as GitHub.

Sample example of use in a playbook

The following code has been tested with Debian 8, it should work on Ubuntu as well.

- name: "Install gitea"
  hosts: all
  vars:
    gitea_user: "gitea"
    gitea_home: "/var/lib/gitea"
    # To limit your users to 30 repos
    gitea_user_repo_limit: 30
    # Don't use a public CDN for frontend assets
    gitea_offline_mode: true

    # Some 'rendering' options for your URLs
    gitea_http_domain: git.yourdomain.fr
    gitea_root_url: https://git.yourdomain.fr

    # Here we assume we are behind a reverse proxy that will
    # handle https for us, so we bind on localhost:3000 using HTTP
    gitea_protocol: http
    gitea_http_listen: 127.0.0.1
    gitea_http_port: 3000

    # SSH server configuration
    gitea_ssh_listen: 0.0.0.0
    gitea_ssh_port: 2222
    # For URLs rendering again
    gitea_ssh_domain: git.yourdomain.fr
    gitea_start_ssh: true

    gitea_secret_key: 3sp00ky5me
    gitea_disable_gravatar: true
    # To make at least your first user register
    gitea_disable_registration: false
    gitea_require_signin: true
    gitea_enable_captcha: true

    gitea_show_user_email: false
  roles:
    - gitea

More detailed options

General

  • gitea_version_check: Check if installed version != gitea_version before initiating binary download
  • gitea_user: UNIX user used by Gitea
  • gitea_group: UNIX group used by Gitea
  • gitea_home: Base directory to work
  • gitea_dl_url: The URL, the compiled gitea-binary will be downloaded from
  • gitea_systemd_cap_net_bind_service: Adds AmbientCapabilities=CAP_NET_BIND_SERVICE to systemd service file
  • gitea_extra_config: Additional configuration

Look and feel

  • gitea_app_name: Displayed application name
  • gitea_show_user_email: Do you want to display email addresses ? (true/false)
  • gitea_disable_gravatar: Do you want to disable Gravatar ? (privacy and so on) (true/false)
  • gitea_offline_mode: Same but for disabling CDNs for frontend assets (true/false)
  • gitea_disable_registration: Do you want to disable user registration ? (true/false)
  • gitea_only_allow_external_registration: Do you want to force registration only using third-party services ? (true/false)
  • gitea_show_registration_button: Do you want to show the registration button? (true/false)
  • gitea_require_signin: Do you require a signin to see repo's (even public ones) ? (true/false)
  • gitea_enable_captcha: Do you want to enable captcha's ? (true/false)
  • gitea_themes: List of enabled themes
  • gitea_theme_default: Default theme

Security

  • gitea_secret_key: Cookie secret key
  • gitea_internal_token: Internal API token
  • gitea_disable_git_hooks: Do you want to disable the interface to add git hooks? If enabled it could be a security bug as it can be used for RCE. Defaults to true (true/false)

Limits

  • gitea_user_repo_limit: Limit how many repos a user can have (-1 for unlimited)

HTTP configuration

  • gitea_http_domain: HTTP domain (displayed in your clone URLs, just the domain like git.foo.fr)
  • gitea_root_url: Root URL used to access your web app (full URL)
  • gitea_protocol: Listening protocol (http/https)
  • gitea_http_listen: Bind address
  • gitea_http_port: Bind port
  • gitea_disable_http_git: Disable the use of Git over HTTP ? (true/false)

SSH configuration

  • gitea_ssh_listen: Bind address for the SSH server
  • gitea_ssh_domain: SSH domain (displayed in your clone URLs)
  • gitea_start_ssh: Do you want to start a built-in SSH server ? (true/false)
  • gitea_ssh_port: SSH bind port

Database configuration

  • gitea_db_type: Database type, can be mysql, postgres or sqlite3
  • gitea_db_host: Database host string host:port or /run/postgresql/ when connectiong to postgres via local unix socket (peer authentication)
  • gitea_db_name: Database name
  • gitea_db_user: Database username
  • gitea_db_password: Database password
  • gitea_db_ssl: Use SSL ? (postgres only!). Can be required, disable, verify-full
  • gitea_db_path: DB path, if you use sqlite3. The default is good enough to work though.

Mailer configuration

  • gitea_mailer_enabled: Whether to enable the mailer. Default: false
  • gitea_mailer_skip_verify: Skip SMTP TLS certificate verification (true/false)
  • gitea_mailer_tls_enabled: Enable TLS for SMTP connections (true/false)
  • gitea_mailer_host: SMTP server hostname and port
  • gitea_mailer_user: SMTP server username
  • gitea_mailer_password: SMTP server password
  • gitea_mailer_from: Sender mail address
  • gitea_enable_notify_mail: Whether e-mail should be send to watchers of a repository when something happens. Default: false

LFS configuration

  • gitea_lfs_enabled: Enable GIT LFS (git large file storeage: git-lfs). Default: false
  • gitea_lfs_content_path: path where the lfs files are stored
  • gitea_lfs_secret: JWT secret for remote LFS usage. Can be generated with gitea generate secret JWT_SECRET

Fail2Ban configuration

If enabled, this will deploy a fail2ban filter and jail config for Gitea as described in the Gitea Documentation.

As this will only deploy config files, fail2ban already has to be installed or otherwise the role will fail.

  • gitea_fail2ban_enabled: Whether to deploy the fail2ban config or not
  • gitea_fail2ban_jail_maxretry: fail2ban jail maxretry setting. Default: 10
  • gitea_fail2ban_jail_findtime: fail2ban jail findtime setting. Default: 3600
  • gitea_fail2ban_jail_bantime: fail2ban jail bantime setting. Default: 900
  • gitea_fail2ban_jail_action: fail2ban jail action setting. Default: iptables-allports

Oauth2 provider configuration

  • gitea_oauth2_enabled: Enable the Oauth2 provider (true/false)
  • gitea_oauth2_jwt_secret: Oauth2 JWT secret. Can be generated with gitea generate secret JWT_SECRET

Metrics endpoint configuration

  • gitea_metrics_enabled: Enable the metrics endpoint
  • gitea_metrics_token: Bearer token for the Prometheus scrape job

Repository Indexer configuration

  • gitea_repo_indexer_enabled: Whether to enable the repository indexer (code search). Default: false
  • gitea_repo_indexer_include: Glob patterns to include in the index (comma-separated list). Default: "" (all files)
  • gitea_repo_indexer_exclude: Glob patterns to exclude from the index (comma-separated list). Default: "" (no files)
  • gitea_repo_exclude_vendored: Exclude vendored files from the index. Default: true
  • gitea_repo_indexer_max_file_size: Maximum size of files to be indexed (in bytes). Default: 1048576 (1 MB)

Contributing

Don't hesitate to create a pull request, and when in doubt you can reach me on Twitter @thomas_maurice.

I'm happy to fix any issue that's been opened, or even better, review your pull requests :)

Testing

Testing uses molecule. To start the tests, install the dependencies first. I would recommend you use a virtual env for that but who am I to tell you what to do.

pip install pew # install pew to manage the venvs
pew new ansible # create the venv
pip install -r requirements-travis.txt # install the requirements
molecule test # Run the actual tests

Note: you need Docker installed

Known testing limitations

Currently it's mainly validating that the playbook runs, the lint is ok, and that kind of things. Since it runs in Docker, we currently have no way to check if the service is actually launched by systemd and so on. This has to be worked on.

License

Copyright 2019-present Thomas Maurice

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.