commit 283549c188776183de14e8420bdf1924dd93a8fe Author: Alex Date: Mon May 25 21:33:10 2020 +0200 Initial commit diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..4dc51e8 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +vault/ diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..596b6be --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,7 @@ +- name: Verify binary with gpg + command: + argv: + - "gpg" + - "--verify" + - "/tmp/gitea-master-linux-amd64.asc" + - "/usr/local/bin/gitea" diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..41e4fe7 --- /dev/null +++ b/tasks/main.yml @@ -0,0 +1,47 @@ +- name: Include sensitive info + include_vars: + dir: '{{ role_path }}/vault' + tags: + - gitea + - vault +- name: Fetch Gitea gpg key + command: + argv: + - "gpg" + - "--recv" + - "7C9E68152594688862D62AF62D9AE806EC1592E2" + tags: + - gitea + - keys + - packages +- name: Download Gitea binary signature + get_url: + url: "https://dl.gitea.io/gitea/master/gitea-master-linux-amd64.asc" + dest: "/tmp/gitea-master-linux-amd64.asc" + tags: + - gitea + - keys + - packages +- name: Download Gitea binary + get_url: + url: "https://dl.gitea.io/gitea/master/gitea-master-linux-amd64" + dest: "/usr/local/bin/gitea" # TODO: Don't update the binary unless the GPG check passes + checksum: "sha256:https://dl.gitea.io/gitea/master/gitea-master-linux-amd64.sha256" + mode: "+x" + tags: + - gitea + - packages + notify: Verify binary with gpg +- name: Copy templates + loop: + - { src: "gitea.service", dest: "/etc/systemd/system/gitea.service", owner: "{{ gitea.user }}", mode: "600" } + - { src: "gitea.ini", dest: "/etc/gitea/app.ini", owner: "{{ gitea.user }}", mode: "600" } + template: + follow: yes + src: "{{ item.src }}.j2" + dest: "{{ item.dest }}" + mode: "{{ item.mode }}" + owner: "{{ item.owner }}" + tags: + - gitea + notify: Run service actions 
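Review bot: The GPG check in tasks/main.yml runs as a handler (`notify: Verify binary with gpg`) after `get_url` has already written the download to `/usr/local/bin/gitea`, so a signature failure only fails the play once the unverified binary is installed, which is the gap the `# TODO: Don't update the binary unless the GPG check passes` comment already names; the same applies to the handler definition in handlers/main.yml. The `.sha256` checksum is fetched from the same origin as the binary, so it only covers transit corruption, and the detached signature is the check that should gate installation. Suggest downloading to a staging path, verifying in an ordinary task rather than a handler, and copying into place only afterwards, at which point the handler can be dropped. The `Copy templates` task notifies `Run service actions`, which this commit does not define in handlers/main.yml — presumably provided elsewhere, worth confirming.
```yaml
- name: Download Gitea binary
  get_url:
    url: "https://dl.gitea.io/gitea/master/gitea-master-linux-amd64"
    dest: "/tmp/gitea-master-linux-amd64"
    checksum: "sha256:https://dl.gitea.io/gitea/master/gitea-master-linux-amd64.sha256"
  tags:
    - gitea
    - packages
- name: Verify binary signature before install
  command:
    argv:
      - "gpg"
      - "--verify"
      - "/tmp/gitea-master-linux-amd64.asc"
      - "/tmp/gitea-master-linux-amd64"
  changed_when: false
  tags:
    - gitea
    - packages
- name: Install verified binary
  copy:
    remote_src: true
    src: "/tmp/gitea-master-linux-amd64"
    dest: "/usr/local/bin/gitea"
    mode: "0755"
  tags:
    - gitea
    - packages
# … unchanged: Copy templates task …
```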
diff --git a/templates/gitea.ini.j2 b/templates/gitea.ini.j2
new file mode 100644
index 0000000..5c7ea31
--- /dev/null
+++ b/templates/gitea.ini.j2
@@ -0,0 +1,93 @@
+APP_NAME = RedXen Git
+RUN_MODE = prod
+
+[repository]
+ROOT = /mnt/gitea/git/repositories
+MAX_CREATION_LIMIT = 0
+
+[repository.local]
+LOCAL_COPY_PATH = /mnt/gitea/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /mnt/gitea/gitea/uploads
+
+[server]
+APP_DATA_PATH = /mnt/gitea/gitea
+SSH_DOMAIN = git.redxen.eu
+HTTP_ADDR = {{ ansible_ens10.ipv4.address }}
+HTTP_PORT = {{ gitea.port.http }}
+ROOT_URL = https://{{ gitea.domain }}/
+DISABLE_SSH = false
+START_SSH_SERVER = true
+BUILTIN_SSH_SERVER_USER = git
+SSH_PORT = {{ gitea.port.ssh }}
+LFS_CONTENT_PATH = /mnt/gitea/git/lfs
+LANDING_PAGE = explore
+
+[database]
+PATH = /mnt/gitea/gitea/gitea.db
+DB_TYPE = postgres
+HOST = {{ global.backend.postgres.host }}:{{ global.backend.postgres.port }}
+NAME = gitea
+USER = gitea
+PASSWD = {{ vault_postgres.dbpass['gitea'] }}
+
+[ui]
+DEFAULT_THEME = arc-green
+
+[ui.meta]
+AUTHOR = RedXen Git - Where code is a currency
+DESCRIPTION = The RedXen git is the center of development of the RedXen community.
+
+[indexer]
+ISSUE_INDEXER_QUEUE_TYPE = redis
+ISSUE_INDEXER_QUEUE_CONN_STR = addrs={{ global.backend.redis.host }}:{{ global.backend.redis.port }} db=6
+
+[session]
+PROVIDER = redis
+PROVIDER_CONFIG = network=tcp,addr={{ global.backend.redis.host }}:{{ global.backend.redis.port }},db=4,pool_size=100,idle_timeout=180
+COOKIE_SECURE = true
+
+[picture]
+AVATAR_UPLOAD_PATH = /mnt/gitea/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /mnt/gitea/gitea/repo-avatars
+
+[attachment]
+PATH = /mnt/gitea/gitea/attachments
+
+[log]
+ROOT_PATH = /mnt/gitea/gitea/log
+
+[security]
+INSTALL_LOCK = true
+SECRET_KEY = {{ vault_gitea.secret_key }}
+INTERNAL_TOKEN = {{ vault_gitea.internal_token }}
+
+[service]
+DISABLE_REGISTRATION = false
+REQUIRE_SIGNIN_VIEW = false
+REGISTER_EMAIL_CONFIRM = true
+NO_REPLY_ADDRESS = noreply.redxen.eu
+ENABLE_USER_HEATMAP = true
+
+[mailer]
+ENABLED = true
+HOST = email-smtp.eu-west-1.amazonaws.com:587
+FROM = "Gitea"
+USER = {{ vault_gitea.ses.user }}
+PASSWD = {{ vault_gitea.ses.passwd }}
+MAILER_TYPE = smtp
+IS_TLS_ENABLED = true
+
+[cache]
+ADAPTER = redis
+HOST = network=tcp,addr={{ global.backend.redis.host }}:{{ global.backend.redis.port }},db=3,pool_size=100,idle_timeout=180
+
+[oauth2]
+JWT_SECRET = {{ vault_gitea.oauth_jwt }}
+
+[cron]
+ENABLED = true
+
+[metrics]
+ENABLED = true
diff --git a/templates/gitea.service.j2 b/templates/gitea.service.j2
new file mode 100644
index 0000000..c533a77
--- /dev/null
+++ b/templates/gitea.service.j2
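Review bot: `[metrics] ENABLED = true` is set without a `TOKEN`, which leaves the Prometheus endpoint readable by anyone who can reach the HTTP listener; add a `TOKEN =` entry under `[metrics]` filled from the vault like the other secrets, or leave metrics disabled until it is. The secret values (`SECRET_KEY`, `INTERNAL_TOKEN`, `PASSWD`, `JWT_SECRET`) are rendered unquoted, so a generated secret containing ` #` or ` ;` can be cut short by the ini parser's inline-comment handling — Gitea documents wrapping such values in backticks, e.g. `SECRET_KEY = `{{ vault_gitea.secret_key }}``. `SSH_DOMAIN = git.redxen.eu` is hard-coded while `ROOT_URL` is built from `{{ gitea.domain }}`; `SSH_DOMAIN = {{ gitea.domain }}` keeps the two in step. `FROM = "Gitea"` under `[mailer]` carries no address part, and Gitea expects an RFC 5322 address there (a bare address or `"Name" <address>` form) — presumably a sender address is intended, worth confirming against the SES identity.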
@@ -0,0 +1,61 @@
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=syslog.target
+After=network.target
+###
+# If using socket activation for main http/s
+###
+#
+#After=gitea.main.socket
+#Requires=gitea.main.socket
+#
+###
+
+[Service]
+ProtectSystem=strict
+PrivateUsers=true
+NoNewPrivileges=yes
+TemporaryFileSystem=/:ro
+ConfigurationDirectory={{ gitea.path.config }}
+BindPaths={{ gitea.path.data }}
+BindReadOnlyPaths=/etc
+BindReadOnlyPaths=/usr
+BindReadOnlyPaths=/lib
+BindReadOnlyPaths=/lib64
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+PrivateTmp=yes
+PrivateDevices=yes
+# Modify these two values and uncomment them if you have
+# repos with lots of files and get an HTTP error 500 because
+# of that
+###
+#LimitMEMLOCK=infinity
+#LimitNOFILE=65535
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory={{ gitea.path.data }}
+# If using Unix socket: tells systemd to create the /run/gitea folder, which will contain the gitea.sock file
+# (manually creating /run/gitea doesn't work, because it would not persist across reboots)
+#RuntimeDirectory=gitea
+ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
+Restart=always
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR={{ gitea.path.data }}
+# If you want to bind Gitea to a port below 1024, uncomment
+# the two values below, or use socket activation to pass Gitea its ports as above
+###
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+###
+
+[Install]
+WantedBy=multi-user.target
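Review bot: `Environment=USER=git HOME=/home/git` points HOME at a path that is not bound into the `TemporaryFileSystem=/:ro` namespace (only `/etc`, `/usr`, `/lib`, `/lib64` and `{{ gitea.path.data }}` are mounted), so anything git or Gitea tries to write under HOME will presumably fail at runtime; `HOME={{ gitea.path.data }}`, or adding `/home/git` to `BindPaths=`, keeps the sandbox self-consistent. `User=git`, `Group=git` and `--config /etc/gitea/app.ini` are hard-coded while the app.ini template is installed owned by `{{ gitea.user }}` with mode 600 and `ConfigurationDirectory={{ gitea.path.config }}` is templated — if those variables ever diverge from `git`/`gitea`, the config becomes unreadable to the service, so templating `User=`, `Group=` and the config path from the same variables removes the mismatch. `After=syslog.target` is obsolete on current systemd and can be dropped. Boolean options mix `true` and `yes`; systemd accepts both, but one spelling throughout reads better.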