Initial commit
commit
283549c188
|
@ -0,0 +1 @@
|
||||||
|
vault/
|
|
@ -0,0 +1,7 @@
|
||||||
|
- name: Verify binary with gpg
|
||||||
|
command:
|
||||||
|
argv:
|
||||||
|
- "gpg"
|
||||||
|
- "--verify"
|
||||||
|
- "/tmp/gitea-master-linux-amd64.asc"
|
||||||
|
- "/usr/local/bin/gitea"
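Review bot: `gpg --verify` as written exits 0 for a valid signature by any key in the invoking user's keyring, not only the Gitea release key that the tasks file fetches by fingerprint with `--recv`, so any other key imported on the same host (by another role, say) would also satisfy this check. Verifying against a dedicated keyring containing just that key, via `- "--no-default-keyring"` and `- "--keyring"` followed by the keyring path, or checking the signer fingerprint in `--status-fd` output, pins the expected signer; the `.asc` being read from world-writable `/tmp` is a second reason to keep the trusted inputs under a root-owned path. Because this is a handler it runs at the end of the play, after the binary is already in place at `/usr/local/bin/gitea`, so a failure here reports an error but does not undo the install. The command is read-only, so `changed_when: false` would stop it reporting a change on every run.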
|
|
@ -0,0 +1,47 @@
|
||||||
|
- name: Include sensitive info
|
||||||
|
include_vars:
|
||||||
|
dir: '{{ role_path }}/vault'
|
||||||
|
tags:
|
||||||
|
- gitea
|
||||||
|
- vault
|
||||||
|
- name: Fetch Gitea gpg key
|
||||||
|
command:
|
||||||
|
argv:
|
||||||
|
- "gpg"
|
||||||
|
- "--recv"
|
||||||
|
- "7C9E68152594688862D62AF62D9AE806EC1592E2"
|
||||||
|
tags:
|
||||||
|
- gitea
|
||||||
|
- keys
|
||||||
|
- packages
|
||||||
|
- name: Download Gitea binary signature
|
||||||
|
get_url:
|
||||||
|
url: "https://dl.gitea.io/gitea/master/gitea-master-linux-amd64.asc"
|
||||||
|
dest: "/tmp/gitea-master-linux-amd64.asc"
|
||||||
|
tags:
|
||||||
|
- gitea
|
||||||
|
- keys
|
||||||
|
- packages
|
||||||
|
- name: Download Gitea binary
|
||||||
|
get_url:
|
||||||
|
url: "https://dl.gitea.io/gitea/master/gitea-master-linux-amd64"
|
||||||
|
dest: "/usr/local/bin/gitea" # TODO: Don't update the binary unless the GPG check passes
|
||||||
|
checksum: "sha256:https://dl.gitea.io/gitea/master/gitea-master-linux-amd64.sha256"
|
||||||
|
mode: "+x"
|
||||||
|
tags:
|
||||||
|
- gitea
|
||||||
|
- packages
|
||||||
|
notify: Verify binary with gpg
|
||||||
|
- name: Copy templates
|
||||||
|
loop:
|
||||||
|
- { src: "gitea.service", dest: "/etc/systemd/system/gitea.service", owner: "{{ gitea.user }}", mode: "600" }
|
||||||
|
- { src: "gitea.ini", dest: "/etc/gitea/app.ini", owner: "{{ gitea.user }}", mode: "600" }
|
||||||
|
template:
|
||||||
|
follow: yes
|
||||||
|
src: "{{ item.src }}.j2"
|
||||||
|
dest: "{{ item.dest }}"
|
||||||
|
mode: "{{ item.mode }}"
|
||||||
|
owner: "{{ item.owner }}"
|
||||||
|
tags:
|
||||||
|
- gitea
|
||||||
|
notify: Run service actions
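Review bot: The `Download Gitea binary` task writes straight to `/usr/local/bin/gitea` before any signature check has run, and its `checksum:` is fetched from the same origin as the binary, so it proves only download integrity, not authenticity; the `notify: Verify binary with gpg` defers the real check to a handler that runs at the end of the play, by which time `Copy templates` may already have triggered a service restart of the unverified binary. Downloading to a root-owned staging path, verifying there as an ordinary task, and only then copying into place closes the window that the TODO on the `dest:` line describes. `mode: "+x"` also leaves the final permissions to whatever the umask or previous mode produced; `mode: "0755"` states them. Separately, the `master` channel is an unpinned nightly build, so each run may install a different binary — pinning a release version would make deployments reproducible, though that may be a deliberate choice here.
```yaml
# … unchanged: Include sensitive info, Fetch Gitea gpg key …

- name: Download Gitea binary signature
  get_url:
    url: "https://dl.gitea.io/gitea/master/gitea-master-linux-amd64.asc"
    dest: "/usr/local/src/gitea-master-linux-amd64.asc"
  tags:
    - gitea
    - keys
    - packages

- name: Download Gitea binary to staging path
  get_url:
    url: "https://dl.gitea.io/gitea/master/gitea-master-linux-amd64"
    dest: "/usr/local/src/gitea-master-linux-amd64"
    checksum: "sha256:https://dl.gitea.io/gitea/master/gitea-master-linux-amd64.sha256"
    mode: "0644"
  tags:
    - gitea
    - packages

- name: Verify staged binary with gpg
  command:
    argv:
      - "gpg"
      - "--verify"
      - "/usr/local/src/gitea-master-linux-amd64.asc"
      - "/usr/local/src/gitea-master-linux-amd64"
  changed_when: false
  tags:
    - gitea
    - packages

- name: Install verified binary
  copy:
    src: "/usr/local/src/gitea-master-linux-amd64"
    dest: "/usr/local/bin/gitea"
    remote_src: yes
    mode: "0755"
  tags:
    - gitea
    - packages
  notify: Run service actions

# … unchanged: Copy templates …
```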
|
|
@ -0,0 +1,93 @@
|
||||||
|
APP_NAME = RedXen Git
|
||||||
|
RUN_MODE = prod
|
||||||
|
|
||||||
|
[repository]
|
||||||
|
ROOT = /mnt/gitea/git/repositories
|
||||||
|
MAX_CREATION_LIMIT = 0
|
||||||
|
|
||||||
|
[repository.local]
|
||||||
|
LOCAL_COPY_PATH = /mnt/gitea/gitea/tmp/local-repo
|
||||||
|
|
||||||
|
[repository.upload]
|
||||||
|
TEMP_PATH = /mnt/gitea/gitea/uploads
|
||||||
|
|
||||||
|
[server]
|
||||||
|
APP_DATA_PATH = /mnt/gitea/gitea
|
||||||
|
SSH_DOMAIN = git.redxen.eu
|
||||||
|
HTTP_ADDR = {{ ansible_ens10.ipv4.address }}
|
||||||
|
HTTP_PORT = {{ gitea.port.http }}
|
||||||
|
ROOT_URL = https://{{ gitea.domain }}/
|
||||||
|
DISABLE_SSH = false
|
||||||
|
START_SSH_SERVER = true
|
||||||
|
BUILTIN_SSH_SERVER_USER = git
|
||||||
|
SSH_PORT = {{ gitea.port.ssh }}
|
||||||
|
LFS_CONTENT_PATH = /mnt/gitea/git/lfs
|
||||||
|
LANDING_PAGE = explore
|
||||||
|
|
||||||
|
[database]
|
||||||
|
PATH = /mnt/gitea/gitea/gitea.db
|
||||||
|
DB_TYPE = postgres
|
||||||
|
HOST = {{ global.backend.postgres.host }}:{{ global.backend.postgres.port }}
|
||||||
|
NAME = gitea
|
||||||
|
USER = gitea
|
||||||
|
PASSWD = {{ vault_postgres.dbpass['gitea'] }}
|
||||||
|
|
||||||
|
[ui]
|
||||||
|
DEFAULT_THEME = arc-green
|
||||||
|
|
||||||
|
[ui.meta]
|
||||||
|
AUTHOR = RedXen Git - Where code is a currency
|
||||||
|
DESCRIPTION = The RedXen git is the center of development of the RedXen community.
|
||||||
|
|
||||||
|
[indexer]
|
||||||
|
ISSUE_INDEXER_QUEUE_TYPE = redis
|
||||||
|
ISSUE_INDEXER_QUEUE_CONN_STR = addrs={{ global.backend.redis.host }}:{{ global.backend.redis.port }} db=6
|
||||||
|
|
||||||
|
[session]
|
||||||
|
PROVIDER = redis
|
||||||
|
PROVIDER_CONFIG = network=tcp,addr={{ global.backend.redis.host }}:{{ global.backend.redis.port }},db=4,pool_size=100,idle_timeout=180
|
||||||
|
COOKIE_SECURE = true
|
||||||
|
|
||||||
|
[picture]
|
||||||
|
AVATAR_UPLOAD_PATH = /mnt/gitea/gitea/avatars
|
||||||
|
REPOSITORY_AVATAR_UPLOAD_PATH = /mnt/gitea/gitea/repo-avatars
|
||||||
|
|
||||||
|
[attachment]
|
||||||
|
PATH = /mnt/gitea/gitea/attachments
|
||||||
|
|
||||||
|
[log]
|
||||||
|
ROOT_PATH = /mnt/gitea/gitea/log
|
||||||
|
|
||||||
|
[security]
|
||||||
|
INSTALL_LOCK = true
|
||||||
|
SECRET_KEY = {{ vault_gitea.secret_key }}
|
||||||
|
INTERNAL_TOKEN = {{ vault_gitea.internal_token }}
|
||||||
|
|
||||||
|
[service]
|
||||||
|
DISABLE_REGISTRATION = false
|
||||||
|
REQUIRE_SIGNIN_VIEW = false
|
||||||
|
REGISTER_EMAIL_CONFIRM = true
|
||||||
|
NO_REPLY_ADDRESS = noreply.redxen.eu
|
||||||
|
ENABLE_USER_HEATMAP = true
|
||||||
|
|
||||||
|
[mailer]
|
||||||
|
ENABLED = true
|
||||||
|
HOST = email-smtp.eu-west-1.amazonaws.com:587
|
||||||
|
FROM = "Gitea" <gitea@redxen.eu>
|
||||||
|
USER = {{ vault_gitea.ses.user }}
|
||||||
|
PASSWD = {{ vault_gitea.ses.passwd }}
|
||||||
|
MAILER_TYPE = smtp
|
||||||
|
IS_TLS_ENABLED = true
|
||||||
|
|
||||||
|
[cache]
|
||||||
|
ADAPTER = redis
|
||||||
|
HOST = network=tcp,addr={{ global.backend.redis.host }}:{{ global.backend.redis.port }},db=3,pool_size=100,idle_timeout=180
|
||||||
|
|
||||||
|
[oauth2]
|
||||||
|
JWT_SECRET = {{ vault_gitea.oauth_jwt }}
|
||||||
|
|
||||||
|
[cron]
|
||||||
|
ENABLED = true
|
||||||
|
|
||||||
|
[metrics]
|
||||||
|
ENABLED = true
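Review bot: The templated secrets (`[database] PASSWD`, `SECRET_KEY`, `INTERNAL_TOKEN`, `[mailer] USER`/`PASSWD`, `JWT_SECRET`) are written unquoted, and Gitea's ini parser treats `#` and `;` inside a value as the start of a comment, so a generated secret or SES SMTP password containing either character is silently truncated and the running value no longer matches what the vault holds. Quoting them, e.g. `PASSWD = "{{ vault_postgres.dbpass['gitea'] }}"`, is what the Gitea configuration docs recommend for such values; a secret containing `"` would then still need escaping, so generating secrets from a safe alphabet is the simpler guarantee. `IS_TLS_ENABLED = true` together with the `:587` port in `[mailer]` is worth confirming against the deployed version: in Gitea releases of this period that flag forces an implicit-TLS connection, whereas SES on 587 expects STARTTLS, which Gitea negotiates on its own when the flag is left off (port 465 is the implicit-TLS endpoint). `[database] PATH` is an SQLite-only setting and is dead alongside `DB_TYPE = postgres`; dropping it avoids suggesting a local database exists.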
|
|
@ -0,0 +1,61 @@
|
||||||
|
[Unit]
|
||||||
|
Description=Gitea (Git with a cup of tea)
|
||||||
|
After=syslog.target
|
||||||
|
After=network.target
|
||||||
|
###
|
||||||
|
# If using socket activation for main http/s
|
||||||
|
###
|
||||||
|
#
|
||||||
|
#After=gitea.main.socket
|
||||||
|
#Requires=gitea.main.socket
|
||||||
|
#
|
||||||
|
###
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
ProtectSystem=strict
|
||||||
|
PrivateUsers=true
|
||||||
|
NoNewPrivileges=yes
|
||||||
|
TemporaryFileSystem=/:ro
|
||||||
|
ConfigurationDirectory={{ gitea.path.config }}
|
||||||
|
BindPaths={{ gitea.path.data }}
|
||||||
|
BindReadOnlyPaths=/etc
|
||||||
|
BindReadOnlyPaths=/usr
|
||||||
|
BindReadOnlyPaths=/lib
|
||||||
|
BindReadOnlyPaths=/lib64
|
||||||
|
ProtectControlGroups=yes
|
||||||
|
ProtectKernelModules=yes
|
||||||
|
ProtectKernelTunables=yes
|
||||||
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
||||||
|
RestrictNamespaces=yes
|
||||||
|
RestrictRealtime=yes
|
||||||
|
RestrictSUIDSGID=yes
|
||||||
|
MemoryDenyWriteExecute=yes
|
||||||
|
LockPersonality=yes
|
||||||
|
PrivateTmp=yes
|
||||||
|
PrivateDevices=yes
|
||||||
|
# Modify these two values and uncomment them if you have
|
||||||
|
# repos with lots of files and get an HTTP error 500 because
|
||||||
|
# of that
|
||||||
|
###
|
||||||
|
#LimitMEMLOCK=infinity
|
||||||
|
#LimitNOFILE=65535
|
||||||
|
RestartSec=2s
|
||||||
|
Type=simple
|
||||||
|
User=git
|
||||||
|
Group=git
|
||||||
|
WorkingDirectory={{ gitea.path.data }}
|
||||||
|
# If using Unix socket: tells systemd to create the /run/gitea folder, which will contain the gitea.sock file
|
||||||
|
# (manually creating /run/gitea doesn't work, because it would not persist across reboots)
|
||||||
|
#RuntimeDirectory=gitea
|
||||||
|
ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
|
||||||
|
Restart=always
|
||||||
|
Environment=USER=git HOME=/home/git GITEA_WORK_DIR={{ gitea.path.data }}
|
||||||
|
# If you want to bind Gitea to a port below 1024, uncomment
|
||||||
|
# the two values below, or use socket activation to pass Gitea its ports as above
|
||||||
|
###
|
||||||
|
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
||||||
|
#AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||||||
|
###
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
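Review bot: `User=git` and `Group=git` are hard-coded while the tasks file installs both `app.ini` and this unit with `owner: "{{ gitea.user }}"` and mode `600`, so if `gitea.user` is ever anything other than `git` the service runs as a user that cannot read its own configuration; `User={{ gitea.user }}` and `Group={{ gitea.user }}` keep the two in step (the ini template's `BUILTIN_SSH_SERVER_USER = git` has the same coupling). With `TemporaryFileSystem=/:ro` only `/etc`, `/usr`, `/lib`, `/lib64` and the data path are visible inside the sandbox, so `HOME=/home/git` in `Environment=` points at a directory that does not exist in the service's mount namespace unless `gitea.path.data` happens to be `/home/git`; git and the built-in SSH server need a readable, writable HOME for `.gitconfig` and `.ssh`, so `HOME={{ gitea.path.data }}` (or binding the real home) is safer. `ConfigurationDirectory=` takes a name relative to `/etc`, so an absolute value of `gitea.path.config` such as `/etc/gitea` is rejected by systemd — worth confirming what that variable holds, given `ExecStart` hard-codes `/etc/gitea/app.ini` regardless. Since the service is unprivileged, an explicit empty `CapabilityBoundingSet=` would drop every capability rather than leaving the commented-out NET_BIND lines as the only statement about them.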
|