self-hosting/roles/gitea/tasks/main.yml

---
- name: Include vault variables
  ansible.builtin.include_vars: vault.yml

- name: Include apache2 tasks
  ansible.builtin.include_tasks: apache2.yml

- name: Include mariadb tasks
  ansible.builtin.include_tasks: mariadb.yml

- name: Include unix tasks
  ansible.builtin.include_tasks: unix.yml

- name: Find latest gitea version
  ansible.builtin.uri:
    url: https://dl.gitea.io/gitea/version.json
  register: gitea_binary

- name: Find if latest gitea version is installed
  ansible.builtin.stat:
    path: "/var/lib/gitea/gitea-{{ gitea_binary.json.latest.version }}"
  register: latest_gitea_binary

- name: Set gitea binary architecture to amd64
  ansible.builtin.set_fact:
    gitea_binary_arch: amd64
  when: ansible_facts['architecture'] == 'x86_64'

- name: Set gitea binary architecture to arm-6
  ansible.builtin.set_fact:
    gitea_binary_arch: arm-6
  when: ansible_facts['architecture'] != 'x86_64'

- name: Get latest gitea binary
  become: true
  ansible.builtin.get_url:
    url: "https://dl.gitea.io/gitea/{{ gitea_binary.json.latest.version }}/gitea-{{ gitea_binary.json.latest.version }}-linux-{{ gitea_binary_arch }}"
    dest: "/var/lib/gitea/gitea-{{ gitea_binary.json.latest.version }}"
    owner: git
    group: git
    mode: 0664
  when: not latest_gitea_binary.stat.exists
  notify:
    - Receive gitea pgp key
    - Download gitea asc file
    - Verify gitea binary with gpg

- name: Verify downloaded binary
  ansible.builtin.meta: flush_handlers

- name: Copy gitea binary to global location
  become: true
  ansible.builtin.copy:
    src: "/var/lib/gitea/gitea-{{ gitea_binary.json.latest.version }}"
    dest: /usr/local/bin/gitea
    remote_src: true
    owner: root
    group: root
    mode: 0755

- name: Copy /etc/systemd/system/gitea.service
  become: true
  ansible.builtin.copy:
    src: gitea.service
    dest: /etc/systemd/system/gitea.service
    owner: root
    group: root
    mode: 0644
  notify:
    - Reload systemd daemon
    - Start gitea service

- name: Copy /etc/gitea/app.ini
  become: true
  ansible.builtin.template:
    src: app.ini.j2
    dest: /etc/gitea/app.ini
    owner: git
    group: git
    mode: 0640
  notify:
    - Restart gitea service

- name: Make sure systemd daemon is reloaded
  ansible.builtin.meta: flush_handlers

- name: Make sure gitea is running
  become: true
  ansible.builtin.systemd:
    name: gitea
    state: started
    enabled: true

# fail2ban tasks need the gitea log file, which should be created when gitea runs
- name: Include fail2ban tasks
  ansible.builtin.include_tasks: fail2ban.yml

- name: Copy gitea_backup.sh script
  become: true
  ansible.builtin.template:
    src: gitea_backup.sh.j2
    dest: /usr/local/bin/gitea_backup.sh
    owner: git
    group: git
    mode: 0775

- name: Create gitea-dumps directory
  become: true
  ansible.builtin.file:
    path: /var/lib/gitea/gitea-dumps
    state: directory
    owner: git
    group: git
    mode: 0755

- name: Set today's string for zipfile name
  ansible.builtin.set_fact:
    today: "{{ ansible_date_time.year }}{{ ansible_date_time.month }}{{ ansible_date_time.day }}"

- name: Ask to push latest gitea_dump zipfile
  ansible.builtin.pause:
    prompt: "Local path to latest gitea dump, so we can push it [leave empty to not push]"
    echo: true
  register: latest_gitea_dump_path

- name: Make sure the filename makes sense
  ansible.builtin.assert:
    that:
      - "{{ latest_gitea_dump_path.user_input | basename }} == gitea-dump-{{ today }}.zip"
  when: latest_gitea_dump_path.user_input != ''

- name: Push latest gitea_dump zipfile
  become: true
  ansible.builtin.copy:
    src: "{{ latest_gitea_dump_path.user_input }}"
    dest: "/var/lib/gitea/gitea-dumps/gitea-dump-{{ today }}.zip"
    owner: git
    group: git
    mode: 0640
  when: latest_gitea_dump_path.user_input != ''

- name: Deploy repos
  become: true
  become_user: git
  ansible.builtin.command:
    cmd: "/var/lib/gitea/gitea_backup.sh restore /var/lib/gitea/gitea-dumps/gitea-dump-{{ today }}.zip"
    creates: /var/lib/gitea/gitea-repositories  # when this dir exists, the command won't run, so we don't overwrite existing repos

- name: Setup gitea-backup crontab
  become: true
  ansible.builtin.copy:
    src: gitea-backup.cron
    dest: /etc/cron.d/gitea-backup
    mode: 0644

- name: Setup logrotate for gitea logs
  become: true
  ansible.builtin.copy:
    src: gitea.logrotate
    dest: /etc/logrotate.d/gitea
    owner: root
    group: root
    mode: 0644

- name: Generate SSH keys for git
  become: true
  become_user: git
  community.crypto.openssh_keypair:
    path: ~/.ssh/id_rsa
    type: rsa
    comment: "git@{{ ansible_fqdn }}"
  register: ssh_key

- name: Get previously added SSH keys
  ansible.builtin.uri:
    url: https://git.tunuifranken.info/api/v1/user/keys
    method: GET
    user: "{{ gitea_user }}"
    password: "{{ gitea_pass }}"
    force_basic_auth: true
  register: present_ssh_keys

- name: List SSH fingerprints
  ansible.builtin.set_fact:
    present_ssh_fingerprints: "{{ present_ssh_keys.json | map(attribute='fingerprint') }}"

- name: Add SSH key using Gitea's API
  ansible.builtin.uri:
    url: https://git.tunuifranken.info/api/v1/user/keys
    method: POST
    user: "{{ gitea_user }}"
    password: "{{ gitea_pass }}"
    force_basic_auth: true
    status_code: 201
    body_format: json
    body:
      key: "{{ ssh_key.public_key | trim }}"
      read_only: false
      title: "{{ ssh_key.comment | trim }}"
  when: ssh_key.fingerprint not in present_ssh_fingerprints