Start new role forgejo

playbook.yml

@@ -3,11 +3,11 @@
   hosts: lime2
   roles:
     - role: common
-      tags: [mail, gitea, deuxpuissanceiks, tunuifranken]
+      tags: [mail, forgejo, deuxpuissanceiks, tunuifranken]
     - role: mail
       tags: mail
-    - role: gitea
-      tags: gitea
+    - role: forgejo
+      tags: forgejo
     - role: deuxpuissanceiks
       tags: deuxpuissanceiks
     - role: tunuifranken

roles/forgejo/meta/main.yml

@@ -0,0 +1,6 @@
+---
+dependencies:
+  - role: setup_fail2ban
+  - role: setup_apache2
+  - role: setup_mariadb
+  - role: setup_certbot

roles/forgejo/tasks/apache2.yml

@@ -0,0 +1,25 @@
+---
+- name: Enable proxy modules
+  become: true
+  community.general.apache2_module:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - proxy
+    - proxy_http
+  notify: Reload apache2 service
+
+- name: Copy vHost conf
+  become: true
+  ansible.builtin.template:
+    src: apache2/git.tunuifranken.info.conf.j2
+    dest: /etc/apache2/sites-available/git.tunuifranken.info.conf
+    mode: 0644
+  notify: Reload apache2 service
+
+- name: Activate vHost
+  become: true
+  ansible.builtin.command: a2ensite git.tunuifranken.info.conf
+  register: result
+  changed_when: "'already enabled' not in result.stdout"
+  notify: Reload apache2 service

roles/forgejo/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+- name: Include vault variables
+  ansible.builtin.include_vars: vault.yml
+
+- name: Include apache2 tasks
+  ansible.builtin.include_tasks: apache2.yml
+
+- name: Include mariadb tasks
+  ansible.builtin.include_tasks: mariadb.yml
+
+- name: Include unix tasks
+  ansible.builtin.include_tasks: unix.yml

roles/forgejo/tasks/mariadb.yml

@@ -0,0 +1,29 @@
+---
+- name: Include vault variables
+  ansible.builtin.include_vars: vault.yml
+
+- name: Create gitea database
+  become: true
+  community.mysql.mysql_db:
+    name: "{{ db_name }}"
+    state: present
+    encoding: utf8mb4
+    collation: utf8mb4_unicode_ci
+    login_unix_socket: /var/run/mysqld/mysqld.sock
+
+- name: Set gitea database user and privileges
+  become: true
+  community.mysql.mysql_user:
+    name: "{{ db_user }}"
+    password: "{{ db_pass }}"
+    priv: "{{ db_name }}.*:ALL"
+    state: present
+    login_unix_socket: /var/run/mysqld/mysqld.sock
+
+- name: Check gitea database connection
+  community.mysql.mysql_info:
+    login_user: "{{ db_user }}"
+    login_db: "{{ db_name }}"
+    login_host: localhost
+    login_password: "{{ db_pass }}"
+    filter: version

roles/forgejo/tasks/unix.yml

@@ -0,0 +1,55 @@
+---
+- name: Install needed packages
+  become: true
+  ansible.builtin.apt:
+    name:
+      - git
+      - unzip
+      - gpg  # to verify binary
+      - acl  # for become_user: git
+    state: present
+
+- name: Create git group
+  become: true
+  ansible.builtin.group:
+    name: git
+    system: true
+
+- name: Create git user
+  become: true
+  ansible.builtin.user:
+    name: git
+    group: git
+    append: true
+    groups:
+      - sudo
+      - mail
+    create_home: false
+    home: "{{ forgejo_run_dir }}"
+    shell: /bin/bash
+    system: true
+
+- name: Create needed directories
+  become: true
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: git
+    group: git
+    mode: 0750
+  with_items:
+    - "{{ forgejo_conf_dir }}"
+    - "{{ forgejo_run_dir }}"
+    - "{{ forgejo_custom_dir }}"
+    - "{{ forgejo_data_dir }}"
+    - "{{ forgejo_log_dir }}"
+
+- name: Set sudoer permissions to git user
+  become: true
+  ansible.builtin.copy:
+    content: 'git ALL=(root) NOPASSWD:/usr/bin/systemctl'
+    dest: /etc/sudoers.d/git
+    owner: root
+    group: root
+    mode: 0440
+    validate: /usr/sbin/visudo -csf %s

roles/forgejo/templates/apache2/git.tunuifranken.info.conf.j2

@@ -0,0 +1,28 @@
+<VirtualHost *:80>
+    ServerName git.tunuifranken.info
+    ServerAdmin {{ server_admin }}
+    DocumentRoot /var/www/empty
+
+    RewriteEngine on
+    RewriteCond %{SERVER_NAME} =git.tunuifranken.info
+    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
+
+    ErrorLog ${APACHE_LOG_DIR}/git.tunuifranken.info.error.log
+    CustomLog ${APACHE_LOG_DIR}/git.tunuifranken.info.access.log combined
+</VirtualHost>
+<VirtualHost *:443>
+    ServerName git.tunuifranken.info
+    ServerAdmin {{ server_admin }}
+
+    ProxyPreserveHost On
+    ProxyRequests off
+    AllowEncodedSlashes NoDecode
+    ProxyPass / http://localhost:3000/ nocanon
+    ProxyPassReverse / http://localhost:3000/
+
+    ErrorLog ${APACHE_LOG_DIR}/git.tunuifranken.info.error.log
+    CustomLog ${APACHE_LOG_DIR}/git.tunuifranken.info.access.log combined
+
+    #SSLCertificateFile /etc/letsencrypt/live/git.tunuifranken.info/fullchain.pem
+    #SSLCertificateKeyFile /etc/letsencrypt/live/git.tunuifranken.info/privkey.pem
+</VirtualHost>

roles/forgejo/vars/main.yml

@@ -0,0 +1,20 @@
+---
+server_admin: "{{ vault_forgejo_server_admin }}"
+forgejo_domain: git.tunuifranken.info
+forgejo_jtw_secret: "{{ vault_forgejo_jtw_secret }}"
+forgejo_internal_token: "{{ vault_forgejo_internal_token }}"
+forgejo_secret_key: "{{ vault_forgejo_secret_key }}"
+forgejo_ssh_host: tunuifranken.info
+forgejo_ssh_port: 22
+forgejo_mail_user: git
+forgejo_mail_pass: "{{ vault_forgejo_mail_pass }}"
+forgejo_user: "{{ vault_forgejo_user }}"
+forgejo_pass: "{{ vault_forgejo_pass }}"
+db_name: forgejodb
+db_user: forgejo
+db_pass: "{{ vault_db_pass }}"
+forgejo_conf_dir: /etc/forgejo
+forgejo_run_dir: /var/lib/forgejo
+forgejo_custom_dir: "{{ forgejo_run_dir }}/custom"
+forgejo_data_dir: "{{ forgejo_run_dir }}/data"
+forgejo_log_dir: /var/log/forgejo

roles/forgejo/vars/vault.yml

@@ -0,0 +1,30 @@
+$ANSIBLE_VAULT;1.1;AES256
+35343933623164666630336436373533343662646366323763383230633131666630663263623838
+3932633530666338666165346335336266636264383866390a383034323034623032336437633138
+35643032323935663664666335383932633932653366316234646630666563323837303463663362
+6138376536363731340a613963346434343063353932316564613032656333656562653361346436
+33346261663139333137623463303438333634393131633862653763373566346134343362393439
+35613965626534366334653735626239313438653431363839306565663833333036623733643237
+65326261636432613462356563643238373165626639363131636133623562663938616661396465
+64306661613232656537306638373136616137356438353830333763393039306665323931393066
+63373335353036643532643735633731666133353364316331626536343166393332396138313532
+39366235396136653766316438313635613735333561306233366130306364313432353136366339
+32643936356366626232663932623233336334313231333431613234366437666461366234386532
+34323234356632613162373164393361333466396165633766623261393139393938303932393066
+33313237343761653633623661643263303563373730376665623033633335613165626132336231
+33613761336634313931633065376638306335353336363538343036626639313937393939643131
+64386561623430333061666435356264333937663036343463323564393033346661663435656364
+33366663623732663462666237313133646637363439663439386139623662353039613964373065
+66363338396335613363613532323862663763613438346330353032363233306537323937356361
+65636439646335333038346164366263323332643534636365313664336365336365333261303538
+64383766333636623437373631646164366434313336633564613062383432633137356164373739
+33306562316335656239383033313437613363633162343739323538653234313138383133616162
+63356431393563643763343532353437326464356566316166383736623232393334656463356262
+65613566343231366530373131373866383534393933666666353235323263616139653866396564
+39323131366330303631633665376135633733316436646664616230333061356465383461613330
+33373234313534396632623539363263393064383537396236616638363365373230356365666132
+66616636653838653430663931643437366330663361333833623336613466653737353834613265
+62393132396164626235316365366435316130343836656364646665323835343064306130623635
+30613737393461333361346333303732326434643930626639323431623939393831663065643031
+33353561333639386461343535333566653931353639353639343364353033333233343436636366
+3837