Update to 2021-12-01 19:13

roles/gitea/defaults/main.yml

@@ -0,0 +1,39 @@
+---
+
+# Version to install
+gitea_version: 1.15.6
+# URL to the binary
+gitea_bin_url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64
+# sha256 of the binary
+gitea_bin_sha256: 1b7473b5993e07b33fec58edbc1a90f15f040759ca4647e97317c33d5dfe58be
+# Handle updates. If set to false, ansible will only install
+# Gitea and then won't touch an existing installation
+gitea_manage_upgrade: True
+# Root directory of the gitea
+gitea_root_dir: /opt/gitea
+
+# The domain name will be used to build GIT URL in the UI
+gitea_domain: "{{ inventory_hostname }}"
+# Used to build ssh URL. Can be different from gitea_domain, if using a reverse proxy for example
+gitea_ssh_domain: "{{ gitea_domain }}"
+# Set to the public URL where gitea will be available
+gitea_public_url: 'http://%(DOMAIN)s:%(HTTP_PORT)s/'
+# Port of the web interface (plain text http)
+gitea_web_port: 3280
+# Port for SSH access
+gitea_ssh_port: 22
+# Used to restrict access to the web interface
+gitea_web_src_ip: []
+# If set, will read username from the following HTTP header
+# use when behind a reverse proxy
+# gitea_username_header: Auth-User
+
+# Enable user registration
+gitea_registration: False
+
+# Database settings
+gitea_db_server: "{{ mysql_server | default('localhost') }}"
+gitea_db_name: gitea
+gitea_db_user: gitea
+# A random pass will be created if not set here
+# gitea_db_pass: xxxxx

roles/gitea/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+
+- name: restart gitea
+  service: name=gitea state=restarted

roles/gitea/meta/main.yml

@@ -0,0 +1,6 @@
+---
+dependencies:
+  - role: repo_scl
+    when:
+      - ansible_os_family == 'RedHat'
+      - ansible_distribution_major_version is version('8', '<')

roles/gitea/tasks/admin_user.yml

@@ -0,0 +1,30 @@
+---
+- name: Check if admin user exists
+  command: "mysql --host={{ gitea_db_server }} --user={{ gitea_db_user }} --password='{{ gitea_db_pass }}' {{ gitea_db_name }} -ss -e \"select count(*) from user where lower_name='gitadmin'\""
+  register: gitea_admin
+  changed_when: False
+  retries: 10 # first time gitea starts, it'll take some time to create the tables
+  delay: 10
+  until: gitea_admin.rc == 0
+  tags: gitea
+
+  # The user table is created before the email_address. So on first run, we might have an error when creating the
+  # admin account. Here, we just ensure the email_address table exists before we can continue
+- name: Check if the email_address table exists
+  command: "mysql --host={{ gitea_db_server }} --user={{ gitea_db_user }} --password='{{ gitea_db_pass }}' {{ gitea_db_name }} -ss -e \"select count(*) from email_address\""
+  register: gitea_email_table
+  changed_when: False
+  retries: 10
+  delay: 10
+  until: gitea_email_table.rc == 0
+  when: gitea_admin.stdout != "1"
+  tags: gitea
+
+- name: Create the admin account
+  command: "{{ gitea_root_dir }}/bin/gitea admin user create --name gitadmin --admin --password admin --email admin@example.net --config {{ gitea_root_dir }}/etc/app.ini"
+  args:
+    chdir: "{{ gitea_root_dir }}"
+  become_user: gitea
+  when: gitea_admin.stdout != "1"
+  tags: gitea
+

roles/gitea/tasks/archive_post.yml

@@ -0,0 +1,6 @@
+---
+- import_tasks: ../includes/webapps_compress_archive.yml
+  vars:
+    - root_dir: "{{ gitea_root_dir }}"
+    - version: "{{ gitea_current_version }}"
+  tags: gitea

roles/gitea/tasks/archive_pre.yml

@@ -0,0 +1,23 @@
+---
+- name: Create archive directory
+  file: path={{ gitea_root_dir }}/archives/{{ gitea_current_version }} state=directory mode=700
+  tags: gitea
+
+- name: Archive previous version
+  copy: src={{ gitea_root_dir }}/bin/gitea dest={{ gitea_root_dir }}/archives/{{ gitea_current_version }} remote_src=True
+  tags: gitea
+
+- name: Archive the database
+  mysql_db:
+    state: dump
+    name: "{{ gitea_db_name }}"
+    target: "{{ gitea_root_dir }}/archives/{{ gitea_current_version }}/{{ gitea_db_name }}.sql.xz"
+    login_host: "{{ gitea_db_server | default(mysql_server) }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+    quick: True
+    single_transaction: True
+  environment:
+    XZ_OPT: -T0
+  tags: gitea
+

roles/gitea/tasks/cleanup.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Remove tmp and obsolete files
+  file: path={{ item }} state=absent
+  loop:
+    - /etc/profile.d/git.sh
+    - "{{ gitea_root_dir }}/db_dumps"
+  tags: gitea

roles/gitea/tasks/conf.yml

@@ -0,0 +1,34 @@
+---
+
+- name: Create random tokens
+  shell: "{{ gitea_root_dir }}/bin/gitea generate secret {{ item }} > {{ gitea_root_dir }}/meta/ansible_{{ item }}"
+  args:
+    creates: "{{ gitea_root_dir }}/meta/ansible_{{ item }}"
+  with_items:
+    - INTERNAL_TOKEN
+    - LFS_JWT_SECRET
+    - SECRET_KEY
+    - JWT_SECRET
+  tags: gitea
+
+- name: Read random tokens
+  command: cat {{ gitea_root_dir }}/meta/ansible_{{ item }}
+  with_items:
+    - INTERNAL_TOKEN
+    - LFS_JWT_SECRET
+    - SECRET_KEY
+    - JWT_SECRET
+  changed_when: False
+  register: gitea_tokens
+  tags: gitea
+
+- name: Deploy gitea configuration
+  template: src=app.ini.j2 dest={{ gitea_root_dir }}/etc/app.ini owner=root group=gitea mode=0660
+  notify: restart gitea
+  tags: gitea
+
+- name: Set optimal permissions
+  command: "{{ gitea_root_dir }}/perms.sh"
+  changed_when: False
+  tags: gitea
+

roles/gitea/tasks/directories.yml

@@ -0,0 +1,28 @@
+---
+- name: Create directory structure
+  file:
+    path: "{{ gitea_root_dir }}/{{ item.dir }}"
+    state: directory
+    owner: "{{ item.owner | default('gitea') }}"
+    group: "{{ item.group | default('gitea') }}"
+    mode: "{{ item.mode | default('750') }}"
+  loop:
+    - dir: /
+      owner: gitea
+      group: gitea
+    - dir: data
+    - dir: data/repositories
+    - dir: custom
+    - dir: public
+    - dir: etc
+    - dir: tmp
+    - dir: bin
+    - dir: meta
+      owner: root
+      group: root
+      mode: 700
+    - dir: backup
+      owner: root
+      group: root
+      mode: 700
+  tags: gitea

roles/gitea/tasks/facts.yml

@@ -0,0 +1,36 @@
+---
+
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+  tags: gitea
+
+- import_tasks: ../includes/webapps_set_install_mode.yml
+  vars:
+    - root_dir: "{{ gitea_root_dir }}"
+    - version: "{{ gitea_version }}"
+  tags: gitea
+- set_fact: gitea_install_mode={{ (install_mode == 'upgrade' and not gitea_manage_upgrade) | ternary('none',install_mode) }}
+  tags: gitea
+- set_fact: gitea_current_version={{ current_version | default('') }}
+  tags: gitea
+
+- import_tasks: ../includes/get_rand_pass.yml
+  vars:
+    - pass_file: "{{ gitea_root_dir }}/meta/ansible_key"
+  tags: gitea
+- set_fact: gitea_key={{ rand_pass }}
+  tags: gitea
+
+- import_tasks: ../includes/get_rand_pass.yml
+  vars:
+    - pass_file: "{{ gitea_root_dir }}/meta/ansible_dbpass"
+  when: gitea_db_pass is not defined
+  tags: gitea
+- set_fact: gitea_db_pass={{ rand_pass }}
+  when: gitea_db_pass is not defined
+  tags: gitea
+

roles/gitea/tasks/install.yml

@@ -0,0 +1,61 @@
+---
+- name: Install packages
+  yum: name={{ gitea_packages }}
+  tags: gitea
+
+- name: Download gitea binary
+  get_url:
+    url: "{{ gitea_bin_url }}"
+    dest: "{{ gitea_root_dir }}/tmp/gitea"
+    checksum: "sha256:{{ gitea_bin_sha256 }}"
+  when: gitea_install_mode != 'none'
+  notify: restart gitea
+  tags: gitea
+
+- name: Move gitea binary
+  command: mv -f {{ gitea_root_dir }}/tmp/gitea {{ gitea_root_dir }}/bin/
+  when: gitea_install_mode != 'none'
+  tags: gitea
+
+- name: Make gitea executable
+  file: path={{ gitea_root_dir }}/bin/gitea mode=0755
+  tags: gitea
+
+- name: Deploy gitea service unit
+  template: src=gitea.service.j2 dest=/etc/systemd/system/gitea.service
+  register: gitea_unit
+  notify: restart gitea
+  tags: gitea
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: gitea_unit.changed
+  tags: gitea
+
+  # Create MySQL database
+- import_tasks: ../includes/webapps_create_mysql_db.yml
+  vars:
+    - db_name: "{{ gitea_db_name }}"
+    - db_user: "{{ gitea_db_user }}"
+    - db_server: "{{ gitea_db_server }}"
+    - db_pass: "{{ gitea_db_pass }}"
+  tags: gitea
+
+- name: Deploy pre/post backup scripts
+  template: src={{ item }}_backup.sh.j2 dest=/etc/backup/{{ item }}.d/gitea.sh mode=0750
+  with_items:
+    - pre
+    - post
+  tags: gitea
+
+- name: Deploy permission script
+  template: src=perms.sh.j2 dest={{ gitea_root_dir }}/perms.sh mode=755
+  tags: gitea
+
+- name: Set correct SELinux context
+  sefcontext:
+    target: "{{ gitea_root_dir }}/.ssh(/.*)?"
+    setype: ssh_home_t
+    state: present
+  when: ansible_selinux.status == 'enabled'
+  tags: gitea

roles/gitea/tasks/iptables.yml

@@ -0,0 +1,14 @@
+---
+
+- name:  Handle gitea ports in the firewall
+  iptables_raw:
+    name: "{{ item.name }}"
+    state: "{{ (item.src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ item.port }} -s {{ item.src_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  with_items:
+    - port: "{{ gitea_web_port }}"
+      name: gitea_web_port
+      src_ip: "{{ gitea_web_src_ip }}"
+  tags: firewall,gitea
+

roles/gitea/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+
+- include: user.yml
+- include: directories.yml
+- include: facts.yml
+- include: archive_pre.yml
+  when: gitea_install_mode == 'upgrade'
+- include: install.yml
+- include: conf.yml
+- include: iptables.yml
+- include: service.yml
+- include: admin_user.yml
+- include: archive_post.yml
+  when: gitea_install_mode == 'upgrade'
+- include: write_version.yml
+- include: cleanup.yml

roles/gitea/tasks/service.yml

@@ -0,0 +1,4 @@
+---
+- name: Start and enable the service
+  service: name=gitea state=started enabled=True
+  tags: gitea

roles/gitea/tasks/user.yml

@@ -0,0 +1,8 @@
+---
+- import_tasks: ../includes/create_system_user.yml
+  vars:
+    - user: gitea
+    - comment: GIT Repository account
+    - home: "{{ gitea_root_dir }}"
+    - shell: /bin/bash
+  tags: gitea

roles/gitea/tasks/write_version.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Write version
+  copy: content={{ gitea_version }} dest={{ gitea_root_dir }}/meta/ansible_version
+  tags: gitea
+

roles/gitea/templates/app.ini.j2

@@ -0,0 +1,106 @@
+APP_NAME = Gitea: Git with a cup of tea
+RUN_USER = gitea
+RUN_MODE = prod
+
+[security]
+INTERNAL_TOKEN = {{ gitea_tokens.results | selectattr('item','equalto','INTERNAL_TOKEN') | map(attribute='stdout') | first | string }}
+INSTALL_LOCK   = true
+SECRET_KEY     = {{ gitea_tokens.results | selectattr('item','equalto','SECRET_KEY') | map(attribute='stdout') | first | string }}
+{% if gitea_username_header is defined %}
+REVERSE_PROXY_AUTHENTICATION_USER = {{ gitea_username_header }}
+{% endif %}
+{% if gitea_web_src_ip is defined and gitea_web_src_ip | length > 0 %}
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = {{ gitea_web_src_ip | select('search','\\.\\d+$') | list | join(',') }}
+REVERSE_PROXY_TRUSTED_NETWORKS = {{ gitea_web_src_ip | select('search','/\\d+$') | list | join(',') }}
+{% endif %}
+
+[server]
+LOCAL_ROOT_URL   = http://localhost:{{ gitea_web_port }}/
+SSH_DOMAIN       = {{ gitea_ssh_domain }}
+DOMAIN           = {{ gitea_domain }}
+HTTP_PORT        = {{ gitea_web_port }}
+ROOT_URL         = {{ gitea_public_url }}
+DISABLE_SSH      = false
+SSH_PORT         = {{ gitea_ssh_port }}
+LFS_START_SERVER = true
+LFS_CONTENT_PATH = {{ gitea_root_dir }}/data/lfs
+LFS_JWT_SECRET   = {{ gitea_tokens.results | selectattr('item','equalto','LFS_JWT_SECRET') | map(attribute='stdout') | first | string }}
+OFFLINE_MODE     = true
+STATIC_ROOT_PATH = {{ gitea_root_dir }}
+LANDING_PAGE     = explore
+
+[oauth2]
+JWT_SECRET = {{ gitea_tokens.results | selectattr('item','equalto','JWT_SECRET') | map(attribute='stdout') | first | string }}
+
+[ssh.minimum_key_sizes]
+DSA = -1
+
+[ui]
+ISSUE_PAGING_NUM = 20
+
+[repository.upload]
+TEMP_PATH = tmp/uploads
+
+[database]
+DB_TYPE  = mysql
+HOST     = {{ gitea_db_server }}
+NAME     = {{ gitea_db_name }}
+USER     = {{ gitea_db_user }}
+PASSWD   = `{{ gitea_db_pass }}`
+LOG_SQL  = false
+
+[repository]
+ROOT = {{ gitea_root_dir }}/data/repositories
+
+[mailer]
+ENABLED = true
+HOST    = localhost:25
+FROM    = gitea-no-reply@{{ ansible_domain }}
+USER    =
+PASSWD  =
+
+[service]
+REGISTER_EMAIL_CONFIRM                 = true
+ENABLE_NOTIFY_MAIL                     = true
+DISABLE_REGISTRATION                   = {{ gitea_registration | ternary('false','true') }}
+ALLOW_ONLY_EXTERNAL_REGISTRATION       = false
+ENABLE_CAPTCHA                         = false
+REQUIRE_SIGNIN_VIEW                    = false
+DEFAULT_KEEP_EMAIL_PRIVATE             = true
+DEFAULT_ALLOW_CREATE_ORGANIZATION      = true
+DEFAULT_ENABLE_TIMETRACKING            = true
+NO_REPLY_ADDRESS                       = noreply.{{ ansible_domain }}
+{% if gitea_username_header is defined %}
+ENABLE_REVERSE_PROXY_AUTHENTICATION    = true
+ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true
+{% endif %}
+
+[picture]
+DISABLE_GRAVATAR        = false
+ENABLE_FEDERATED_AVATAR = true
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[session]
+PROVIDER = file
+
+[log]
+MODE      = console
+LEVEL     = Trace
+ROOT_PATH = {{ gitea_root_dir }}/log
+
+[log.console]
+LEVEL = Trace
+
+[indexer]
+REPO_INDEXER_ENABLED = true
+STARTUP_TIMEOUT = 300s
+
+[other]
+SHOW_FOOTER_VERSION = false
+
+[migrations]
+ALLOW_LOCALNETWORKS = true

roles/gitea/templates/git.sh.j2

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+source scl_source enable sclo-git212

roles/gitea/templates/gitea.service.j2

@@ -0,0 +1,26 @@
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=syslog.target
+After=network.target
+
+[Service]
+Type=simple
+User=gitea
+Group=gitea
+WorkingDirectory={{ gitea_root_dir }}
+ExecStart={{ gitea_scl_cmd }}{{ gitea_root_dir }}/bin/gitea web -c /opt/gitea/etc/app.ini
+Environment=USER=gitea HOME={{ gitea_root_dir }} GITEA_WORK_DIR={{ gitea_root_dir }}
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+MemoryLimit=4096M
+LimitNOFILE=65535
+SyslogIdentifier=gitea
+Restart=always
+StartLimitInterval=0
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target

roles/gitea/templates/perms.sh.j2

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+restorecon -R {{ gitea_root_dir }}
+chown root:root {{ gitea_root_dir }}/bin/gitea
+chmod 755 {{ gitea_root_dir }}/bin/gitea

roles/gitea/templates/post_backup.sh.j2

@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+rm -f {{ gitea_root_dir }}/backup/*

roles/gitea/templates/pre_backup.sh.j2

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -eo pipefail
+
+/usr/bin/mysqldump --user={{ gitea_db_user | quote }} \
+                   --password={{ gitea_db_pass | quote }} \
+                   --host={{ gitea_db_server }} \
+                   --quick --single-transaction \
+                   --add-drop-table {{ gitea_db_name }} | \
+               zstd -c > {{ gitea_root_dir }}/backup/{{ gitea_db_name }}.sql.zst

roles/gitea/vars/RedHat-7.yml

@@ -0,0 +1,6 @@
+---
+
+gitea_packages:
+  - sclo-git212-git
+  - git-lfs
+gitea_scl_cmd: '/bin/scl enable sclo-git212 -- '

roles/gitea/vars/RedHat-8.yml

@@ -0,0 +1,6 @@
+---
+
+gitea_packages:
+  - git
+  - git-lfs
+gitea_scl_cmd: ''