Initial commit

Alex 2020-05-25 21:33:10 +02:00
commit 283549c188
Signed by: caskd
GPG Key ID: F92BA85F61F4C173
5 changed files with 209 additions and 0 deletions

1
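--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+vault/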

7
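--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,7 @@
+- name: Verify binary with gpg
+command:
+argv:
+- "gpg"
+- "--verify"
+- "/tmp/gitea-master-linux-amd64.asc"
+- "/usr/local/bin/gitea"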
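Review bot: The `Run service actions` handler that tasks/main.yml notifies from its last task (`notify: Run service actions`) is not defined in this file, so the play will error when that notification fires; define it here (presumably a `systemd` task with `daemon_reload: yes` plus a restart of `gitea`) or drop the notify. Separately, because this verification is a handler it runs at the end of the play, after `/usr/local/bin/gitea` has already been written with `+x` and after the templates have been installed, so a bad signature fails the run but leaves the unverified binary in place. Turning it into an ordinary task that runs against a staging copy before the file is moved into place would close that window, which is what the TODO in tasks/main.yml asks for. Note also that `gpg --verify` exits 0 for any good signature from a key in the keyring regardless of trust, so the guarantee rests entirely on the fingerprint passed to `--recv`.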

47
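--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,47 @@
+- name: Include sensitive info
+include_vars:
+dir: '{{ role_path }}/vault'
+tags:
+- gitea
+- vault
+- name: Fetch Gitea gpg key
+command:
+argv:
+- "gpg"
+- "--recv"
+- "7C9E68152594688862D62AF62D9AE806EC1592E2"
+tags:
+- gitea
+- keys
+- packages
+- name: Download Gitea binary signature
+get_url:
+url: "https://dl.gitea.io/gitea/master/gitea-master-linux-amd64.asc"
+dest: "/tmp/gitea-master-linux-amd64.asc"
+tags:
+- gitea
+- keys
+- packages
+- name: Download Gitea binary
+get_url:
+url: "https://dl.gitea.io/gitea/master/gitea-master-linux-amd64"
+dest: "/usr/local/bin/gitea" # TODO: Don't update the binary unless the GPG check passes
+checksum: "sha256:https://dl.gitea.io/gitea/master/gitea-master-linux-amd64.sha256"
+mode: "+x"
+tags:
+- gitea
+- packages
+notify: Verify binary with gpg
+- name: Copy templates
+loop:
+- { src: "gitea.service", dest: "/etc/systemd/system/gitea.service", owner: "{{ gitea.user }}", mode: "600" }
+- { src: "gitea.ini", dest: "/etc/gitea/app.ini", owner: "{{ gitea.user }}", mode: "600" }
+template:
+follow: yes
+src: "{{ item.src }}.j2"
+dest: "{{ item.dest }}"
+mode: "{{ item.mode }}"
+owner: "{{ item.owner }}"
+tags:
+- gitea
+notify: Run service actions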
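Review bot: The `Copy templates` loop installs `/etc/systemd/system/gitea.service` with `owner: "{{ gitea.user }}"`, which lets the service account rewrite its own unit (`ExecStart=`, `User=`) and run as root at the next daemon-reload/restart; unit files should stay root-owned, e.g. `owner: "root"` and `mode: "0644"` for that loop item, keeping `600`/`{{ gitea.user }}` only for `app.ini`. The `Download Gitea binary` task writes the still-unverified download straight to `/usr/local/bin/gitea` with `+x` and only notifies a handler afterwards, as its own TODO notes; a `dest` under a staging path, a `command: gpg --verify` task right after the signature download, and a final `copy` with `remote_src: yes` would make the verification gate the install. The same task tracks the unpinned `master` build and, since only the GPG handler is notified, a new binary is never followed by a service restart. Finally, the unit file runs the service as `User=git` while `app.ini` is mode `600` owned by `{{ gitea.user }}`; if that variable is anything other than `git`, the service cannot read its own config.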

93
templates/gitea.ini.j2 Normal file

@ -0,0 +1,93 @@
APP_NAME = RedXen Git
RUN_MODE = prod
[repository]
ROOT = /mnt/gitea/git/repositories
MAX_CREATION_LIMIT = 0
[repository.local]
LOCAL_COPY_PATH = /mnt/gitea/gitea/tmp/local-repo
[repository.upload]
TEMP_PATH = /mnt/gitea/gitea/uploads
[server]
APP_DATA_PATH = /mnt/gitea/gitea
SSH_DOMAIN = git.redxen.eu
HTTP_ADDR = {{ ansible_ens10.ipv4.address }}
HTTP_PORT = {{ gitea.port.http }}
ROOT_URL = https://{{ gitea.domain }}/
DISABLE_SSH = false
START_SSH_SERVER = true
BUILTIN_SSH_SERVER_USER = git
SSH_PORT = {{ gitea.port.ssh }}
LFS_CONTENT_PATH = /mnt/gitea/git/lfs
LANDING_PAGE = explore
[database]
PATH = /mnt/gitea/gitea/gitea.db
DB_TYPE = postgres
HOST = {{ global.backend.postgres.host }}:{{ global.backend.postgres.port }}
NAME = gitea
USER = gitea
PASSWD = {{ vault_postgres.dbpass['gitea'] }}
[ui]
DEFAULT_THEME = arc-green
[ui.meta]
AUTHOR = RedXen Git - Where code is a currency
DESCRIPTION = The RedXen git is the center of development of the RedXen community.
[indexer]
ISSUE_INDEXER_QUEUE_TYPE = redis
ISSUE_INDEXER_QUEUE_CONN_STR = addrs={{ global.backend.redis.host }}:{{ global.backend.redis.port }} db=6
[session]
PROVIDER = redis
PROVIDER_CONFIG = network=tcp,addr={{ global.backend.redis.host }}:{{ global.backend.redis.port }},db=4,pool_size=100,idle_timeout=180
COOKIE_SECURE = true
[picture]
AVATAR_UPLOAD_PATH = /mnt/gitea/gitea/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = /mnt/gitea/gitea/repo-avatars
[attachment]
PATH = /mnt/gitea/gitea/attachments
[log]
ROOT_PATH = /mnt/gitea/gitea/log
[security]
INSTALL_LOCK = true
SECRET_KEY = {{ vault_gitea.secret_key }}
INTERNAL_TOKEN = {{ vault_gitea.internal_token }}
[service]
DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW = false
REGISTER_EMAIL_CONFIRM = true
NO_REPLY_ADDRESS = noreply.redxen.eu
ENABLE_USER_HEATMAP = true
[mailer]
ENABLED = true
HOST = email-smtp.eu-west-1.amazonaws.com:587
FROM = "Gitea" <gitea@redxen.eu>
USER = {{ vault_gitea.ses.user }}
PASSWD = {{ vault_gitea.ses.passwd }}
MAILER_TYPE = smtp
IS_TLS_ENABLED = true
[cache]
ADAPTER = redis
HOST = network=tcp,addr={{ global.backend.redis.host }}:{{ global.backend.redis.port }},db=3,pool_size=100,idle_timeout=180
[oauth2]
JWT_SECRET = {{ vault_gitea.oauth_jwt }}
[cron]
ENABLED = true
[metrics]
ENABLED = true
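Review bot: `[metrics]` enables the Prometheus endpoint without a `TOKEN`, so `/metrics` is served to anyone who can reach `ROOT_URL`; set `TOKEN = {{ vault_gitea.metrics_token }}` (placeholder name, use whatever the vault defines) or leave metrics disabled. The `[database]` block points at a remote Postgres host but sets no `SSL_MODE`, and Gitea's default for that key is `disable`, so `PASSWD` and every query cross the network in the clear unless the backend is on a private link; confirm that and otherwise set `SSL_MODE = require`. The three Redis connection strings in `[indexer]`, `[session]` and `[cache]` carry no `password=` parameter, which is only acceptable if that Redis instance is unreachable from anything else. `PATH = /mnt/gitea/gitea/gitea.db` under `[database]` is a SQLite-only setting and is dead with `DB_TYPE = postgres`; dropping it avoids implying a fallback.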


@ -0,0 +1,61 @@
[Unit]
Description=Gitea (Git with a cup of tea)
After=syslog.target
After=network.target
###
# If using socket activation for main http/s
###
#
#After=gitea.main.socket
#Requires=gitea.main.socket
#
###
[Service]
ProtectSystem=strict
PrivateUsers=true
NoNewPrivileges=yes
TemporaryFileSystem=/:ro
ConfigurationDirectory={{ gitea.path.config }}
BindPaths={{ gitea.path.data }}
BindReadOnlyPaths=/etc
BindReadOnlyPaths=/usr
BindReadOnlyPaths=/lib
BindReadOnlyPaths=/lib64
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
PrivateTmp=yes
PrivateDevices=yes
# Modify these two values and uncomment them if you have
# repos with lots of files and get an HTTP error 500 because
# of that
###
#LimitMEMLOCK=infinity
#LimitNOFILE=65535
RestartSec=2s
Type=simple
User=git
Group=git
WorkingDirectory={{ gitea.path.data }}
# If using Unix socket: tells systemd to create the /run/gitea folder, which will contain the gitea.sock file
# (manually creating /run/gitea doesn't work, because it would not persist across reboots)
#RuntimeDirectory=gitea
ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
Restart=always
Environment=USER=git HOME=/home/git GITEA_WORK_DIR={{ gitea.path.data }}
# If you want to bind Gitea to a port below 1024, uncomment
# the two values below, or use socket activation to pass Gitea its ports as above
###
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#AmbientCapabilities=CAP_NET_BIND_SERVICE
###
[Install]
WantedBy=multi-user.target
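Review bot: `ConfigurationDirectory={{ gitea.path.config }}` in `[Service]` must be a name relative to `/etc` (systemd rejects absolute values for this setting), so if that variable holds `/etc/gitea`, the path `ExecStart=` reads `app.ini` from, the unit fails to load; template just the leaf name (`ConfigurationDirectory=gitea`) or drop the directive, since `/etc` is already bound read-only and the Ansible role writes the file. With `TemporaryFileSystem=/:ro` the service sees only the four `BindReadOnlyPaths=` entries, `BindPaths=`, and its private `/tmp` and `/dev`, so `/run`, `/var`, `/bin` and `/sbin` on non-merged-usr systems, and the `HOME=/home/git` set in `Environment=` are absent unless another directive remounts them; check that gitea and the git it executes tolerate that, or point `HOME` at the data directory. The inline `#` comments on their own lines are fine for systemd, but `###` banners around commented-out directives are archaeology worth trimming once the socket-activation and capability choices are settled. This file's header is missing from the page, so its path is inferred from `tasks/main.yml` (`gitea.service.j2`).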