From 16241c90374b59537e559785991089e4220c8315 Mon Sep 17 00:00:00 2001 From: "flyingscorpio@clevo" Date: Mon, 16 Jan 2023 11:21:14 +0100 Subject: [PATCH] Start new role forgejo --- playbook.yml | 6 +- roles/forgejo/meta/main.yml | 6 ++ roles/forgejo/tasks/apache2.yml | 25 +++++++++ roles/forgejo/tasks/main.yml | 12 ++++ roles/forgejo/tasks/mariadb.yml | 29 ++++++++++ roles/forgejo/tasks/unix.yml | 55 +++++++++++++++++++ .../apache2/git.tunuifranken.info.conf.j2 | 28 ++++++++++ roles/forgejo/vars/main.yml | 20 +++++++ roles/forgejo/vars/vault.yml | 30 ++++++++++ 9 files changed, 208 insertions(+), 3 deletions(-) create mode 100644 roles/forgejo/meta/main.yml create mode 100644 roles/forgejo/tasks/apache2.yml create mode 100644 roles/forgejo/tasks/main.yml create mode 100644 roles/forgejo/tasks/mariadb.yml create mode 100644 roles/forgejo/tasks/unix.yml create mode 100644 roles/forgejo/templates/apache2/git.tunuifranken.info.conf.j2 create mode 100644 roles/forgejo/vars/main.yml create mode 100644 roles/forgejo/vars/vault.yml diff --git a/playbook.yml b/playbook.yml index 44ac0b7..0c7ae7a 100644 --- a/playbook.yml +++ b/playbook.yml @@ -3,11 +3,11 @@ hosts: lime2 roles: - role: common - tags: [mail, gitea, deuxpuissanceiks, tunuifranken] + tags: [mail, forgejo, deuxpuissanceiks, tunuifranken] - role: mail tags: mail - - role: gitea - tags: gitea + - role: forgejo + tags: forgejo - role: deuxpuissanceiks tags: deuxpuissanceiks - role: tunuifranken diff --git a/roles/forgejo/meta/main.yml b/roles/forgejo/meta/main.yml new file mode 100644 index 0000000..8b55d15 --- /dev/null +++ b/roles/forgejo/meta/main.yml @@ -0,0 +1,6 @@ +--- +dependencies: + - role: setup_fail2ban + - role: setup_apache2 + - role: setup_mariadb + - role: setup_certbot diff --git a/roles/forgejo/tasks/apache2.yml b/roles/forgejo/tasks/apache2.yml new file mode 100644 index 0000000..de198f9 --- /dev/null +++ b/roles/forgejo/tasks/apache2.yml 
@@ -0,0 +1,25 @@
+---
+- name: Enable proxy modules
+ become: true
+ community.general.apache2_module:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - proxy
+ - proxy_http
+ notify: Reload apache2 service
+
+- name: Copy vHost conf
+ become: true
+ ansible.builtin.template:
+ src: apache2/git.tunuifranken.info.conf.j2
+ dest: /etc/apache2/sites-available/git.tunuifranken.info.conf
+ mode: 0644
+ notify: Reload apache2 service
+
+- name: Activate vHost
+ become: true
+ ansible.builtin.command: a2ensite git.tunuifranken.info.conf
+ register: result
+ changed_when: "'already enabled' not in result.stdout"
+ notify: Reload apache2 service
diff --git a/roles/forgejo/tasks/main.yml b/roles/forgejo/tasks/main.yml
new file mode 100644
index 0000000..c0465be
--- /dev/null
+++ b/roles/forgejo/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+- name: Include vault variables
+ ansible.builtin.include_vars: vault.yml
+
+- name: Include apache2 tasks
+ ansible.builtin.include_tasks: apache2.yml
+
+- name: Include mariadb tasks
+ ansible.builtin.include_tasks: mariadb.yml
+
+- name: Include unix tasks
+ ansible.builtin.include_tasks: unix.yml
diff --git a/roles/forgejo/tasks/mariadb.yml b/roles/forgejo/tasks/mariadb.yml
new file mode 100644
index 0000000..808f7c5
--- /dev/null
+++ b/roles/forgejo/tasks/mariadb.yml
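Review bot: `Enable proxy modules` only enables `proxy` and `proxy_http`, but the vHost template this same commit installs uses `RewriteEngine`/`RewriteRule` for the HTTP→HTTPS redirect and carries (commented-out) `SSLCertificate*` lines for a TLS vHost, so unless the `setup_apache2` dependency already enables `rewrite` and `ssl` (not visible here) the notified reload will fail on an unknown directive. Add `- rewrite` and `- ssl` to `with_items` so the role is self-contained. The `Activate vHost` task decides idempotency by grepping `a2ensite` output; a `creates: /etc/apache2/sites-enabled/git.tunuifranken.info.conf` argument on the `command` task is a more robust guard than matching on stdout wording.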
@@ -0,0 +1,29 @@
+---
+- name: Include vault variables
+ ansible.builtin.include_vars: vault.yml
+
+- name: Create gitea database
+ become: true
+ community.mysql.mysql_db:
+ name: "{{ db_name }}"
+ state: present
+ encoding: utf8mb4
+ collation: utf8mb4_unicode_ci
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+
+- name: Set gitea database user and privileges
+ become: true
+ community.mysql.mysql_user:
+ name: "{{ db_user }}"
+ password: "{{ db_pass }}"
+ priv: "{{ db_name }}.*:ALL"
+ state: present
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+
+- name: Check gitea database connection
+ community.mysql.mysql_info:
+ login_user: "{{ db_user }}"
+ login_db: "{{ db_name }}"
+ login_host: localhost
+ login_password: "{{ db_pass }}"
+ filter: version
diff --git a/roles/forgejo/tasks/unix.yml b/roles/forgejo/tasks/unix.yml
new file mode 100644
index 0000000..8afc4a4
--- /dev/null
+++ b/roles/forgejo/tasks/unix.yml
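Review bot: The task names still say `gitea` (`Create gitea database`, `Set gitea database user and privileges`, `Check gitea database connection`) inside the new forgejo role, and the first task re-includes `vault.yml` even though `tasks/main.yml` in this commit already includes it before `mariadb.yml` is reached; rename them to `Create forgejo database` etc. and drop the duplicate `Include vault variables` task. The privilege grant is correctly scoped to `{{ db_name }}.*` rather than `*.*`, and the unprivileged `Check ... connection` task exercises exactly the credentials Forgejo will use, which is worth keeping; a one-line comment such as `# runs without become on purpose: verifies the app credentials, not root's` would make that intent survive future edits.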
@@ -0,0 +1,55 @@
+---
+- name: Install needed packages
+ become: true
+ ansible.builtin.apt:
+ name:
+ - git
+ - unzip
+ - gpg # to verify binary
+ - acl # for become_user: git
+ state: present
+
+- name: Create git group
+ become: true
+ ansible.builtin.group:
+ name: git
+ system: true
+
+- name: Create git user
+ become: true
+ ansible.builtin.user:
+ name: git
+ group: git
+ append: true
+ groups:
+ - sudo
+ - mail
+ create_home: false
+ home: "{{ forgejo_run_dir }}"
+ shell: /bin/bash
+ system: true
+
+- name: Create needed directories
+ become: true
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: git
+ group: git
+ mode: 0750
+ with_items:
+ - "{{ forgejo_conf_dir }}"
+ - "{{ forgejo_run_dir }}"
+ - "{{ forgejo_custom_dir }}"
+ - "{{ forgejo_data_dir }}"
+ - "{{ forgejo_log_dir }}"
+
+- name: Set sudoer permissions to git user
+ become: true
+ ansible.builtin.copy:
+ content: 'git ALL=(root) NOPASSWD:/usr/bin/systemctl'
+ dest: /etc/sudoers.d/git
+ owner: root
+ group: root
+ mode: 0440
+ validate: /usr/sbin/visudo -csf %s
diff --git a/roles/forgejo/templates/apache2/git.tunuifranken.info.conf.j2 b/roles/forgejo/templates/apache2/git.tunuifranken.info.conf.j2
new file mode 100644
index 0000000..648d04c
--- /dev/null
+++ b/roles/forgejo/templates/apache2/git.tunuifranken.info.conf.j2
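Review bot: `Create git user` puts the service account into the `sudo` group, and `Set sudoer permissions to git user` then grants it `NOPASSWD:/usr/bin/systemctl` with no subcommand restriction; an unconstrained `systemctl` under sudo is a well-known root escalation (its pager on `status`, `edit`/`link` of unit files), so a compromise of the internet-facing Forgejo process running as `git` (with a real `/bin/bash` shell) becomes root on the host. Drop `- sudo` from `groups` (on a stock Debian sudoers that group is `%sudo ALL=(ALL:ALL) ALL`) and narrow the rule to the exact actions the service needs, e.g. `content: 'git ALL=(root) NOPASSWD:/usr/bin/systemctl restart forgejo.service'`, adding further explicit unit/verb pairs rather than the bare binary. Membership in `mail` is presumably for sending notification mail via the local MTA — if so, a `# mail: needed for ... ` comment on that entry would let the next reader keep the grant minimal on purpose.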
@@ -0,0 +1,28 @@
+
+ ServerName git.tunuifranken.info
+ ServerAdmin {{ server_admin }}
+ DocumentRoot /var/www/empty
+
+ RewriteEngine on
+ RewriteCond %{SERVER_NAME} =git.tunuifranken.info
+ RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
+
+ ErrorLog ${APACHE_LOG_DIR}/git.tunuifranken.info.error.log
+ CustomLog ${APACHE_LOG_DIR}/git.tunuifranken.info.access.log combined
+
+
+ ServerName git.tunuifranken.info
+ ServerAdmin {{ server_admin }}
+
+ ProxyPreserveHost On
+ ProxyRequests off
+ AllowEncodedSlashes NoDecode
+ ProxyPass / http://localhost:3000/ nocanon
+ ProxyPassReverse / http://localhost:3000/
+
+ ErrorLog ${APACHE_LOG_DIR}/git.tunuifranken.info.error.log
+ CustomLog ${APACHE_LOG_DIR}/git.tunuifranken.info.access.log combined
+
+ #SSLCertificateFile /etc/letsencrypt/live/git.tunuifranken.info/fullchain.pem
+ #SSLCertificateKeyFile /etc/letsencrypt/live/git.tunuifranken.info/privkey.pem
+
diff --git a/roles/forgejo/vars/main.yml b/roles/forgejo/vars/main.yml
new file mode 100644
index 0000000..2065f96
--- /dev/null
+++ b/roles/forgejo/vars/main.yml
@@ -0,0 +1,20 @@
+---
+server_admin: "{{ vault_forgejo_server_admin }}"
+forgejo_domain: git.tunuifranken.info
+forgejo_jtw_secret: "{{ vault_forgejo_jtw_secret }}"
+forgejo_internal_token: "{{ vault_forgejo_internal_token }}"
+forgejo_secret_key: "{{ vault_forgejo_secret_key }}"
+forgejo_ssh_host: tunuifranken.info
+forgejo_ssh_port: 22
+forgejo_mail_user: git
+forgejo_mail_pass: "{{ vault_forgejo_mail_pass }}"
+forgejo_user: "{{ vault_forgejo_user }}"
+forgejo_pass: "{{ vault_forgejo_pass }}"
+db_name: forgejodb
+db_user: forgejo
+db_pass: "{{ vault_db_pass }}"
+forgejo_conf_dir: /etc/forgejo
+forgejo_run_dir: /var/lib/forgejo
+forgejo_custom_dir: "{{ forgejo_run_dir }}/custom"
+forgejo_data_dir: "{{ forgejo_run_dir }}/data"
+forgejo_log_dir: /var/log/forgejo
diff --git a/roles/forgejo/vars/vault.yml b/roles/forgejo/vars/vault.yml
new file mode 100644
index 0000000..81a7e27
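Review bot: The second vHost (its `<VirtualHost>` tags are lost in this rendering) proxies to `http://localhost:3000/` but contains no `SSLEngine on`, and its `SSLCertificateFile`/`SSLCertificateKeyFile` lines are commented out, so as written it serves the Forgejo UI and login form in plaintext on whatever port it binds while the first vHost redirects browsers to `https://` — the redirect gives a false sense of TLS. If the `setup_certbot` dependency is expected to inject those directives on first run, record that in the template with `# SSLEngine/SSLCertificate* are added by certbot (setup_certbot role); do not hand-edit`; otherwise uncomment the two lines and add `SSLEngine on` above them. `AllowEncodedSlashes NoDecode` together with `ProxyPass ... nocanon` is the right pairing for a git host, and is worth a one-line comment since it is commonly "fixed" away by later maintainers.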
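Review bot: `forgejo_jtw_secret` and its source `vault_forgejo_jtw_secret` look like a transposition of `jwt`; the variable name is the only thing mapping this secret to Forgejo's `JWT_SECRET`, so rename both to `forgejo_jwt_secret` / `vault_forgejo_jwt_secret` now, before more playbooks and the vault file are built around the typo. `db_name`, `db_user`, `db_pass` and `vault_db_pass` are the only keys without the `forgejo_` prefix; because role vars and `include_vars` results stay visible to later roles in the same play, a sibling role (e.g. `mail`) defining its own `db_pass` could silently override these — prefixing them as `forgejo_db_*` removes that risk. Keeping every secret as a `"{{ vault_* }}"` indirection with the plaintext only in the encrypted vault is the right shape and should stay that way.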
--- /dev/null +++ b/roles/forgejo/vars/vault.yml 
@@ -0,0 +1,30 @@ +$ANSIBLE_VAULT;1.1;AES256 +35343933623164666630336436373533343662646366323763383230633131666630663263623838 +3932633530666338666165346335336266636264383866390a383034323034623032336437633138 +35643032323935663664666335383932633932653366316234646630666563323837303463663362 +6138376536363731340a613963346434343063353932316564613032656333656562653361346436 +33346261663139333137623463303438333634393131633862653763373566346134343362393439 +35613965626534366334653735626239313438653431363839306565663833333036623733643237 +65326261636432613462356563643238373165626639363131636133623562663938616661396465 +64306661613232656537306638373136616137356438353830333763393039306665323931393066 +63373335353036643532643735633731666133353364316331626536343166393332396138313532 +39366235396136653766316438313635613735333561306233366130306364313432353136366339 +32643936356366626232663932623233336334313231333431613234366437666461366234386532 +34323234356632613162373164393361333466396165633766623261393139393938303932393066 +33313237343761653633623661643263303563373730376665623033633335613165626132336231 +33613761336634313931633065376638306335353336363538343036626639313937393939643131 +64386561623430333061666435356264333937663036343463323564393033346661663435656364 +33366663623732663462666237313133646637363439663439386139623662353039613964373065 +66363338396335613363613532323862663763613438346330353032363233306537323937356361 +65636439646335333038346164366263323332643534636365313664336365336365333261303538 +64383766333636623437373631646164366434313336633564613062383432633137356164373739 +33306562316335656239383033313437613363633162343739323538653234313138383133616162 +63356431393563643763343532353437326464356566316166383736623232393334656463356262 +65613566343231366530373131373866383534393933666666353235323263616139653866396564 +39323131366330303631633665376135633733316436646664616230333061356465383461613330 
+33373234313534396632623539363263393064383537396236616638363365373230356365666132 +66616636653838653430663931643437366330663361333833623336613466653737353834613265 +62393132396164626235316365366435316130343836656364646665323835343064306130623635 +30613737393461333361346333303732326434643930626639323431623939393831663065643031 +33353561333639386461343535333566653931353639353639343364353033333233343436636366 +3837