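---
# Gitea provisioning tasks: packages, the `git` service account, binary
# download + gpg verification (handlers), systemd unit, app.ini, fail2ban,
# backup/restore plumbing and an SSH key registered through the Gitea API.
#
# Review changes vs. the previous revision:
#   - `git` is no longer added to the generic `sudo` group (least privilege;
#     the sudoers.d rule below is all the automation relies on).
#   - octal modes are quoted so they are not retyped by the YAML loader.
#   - the staged binary is no longer group-writable; the installed binary now
#     notifies a restart so a new release actually takes effect.
#   - the dump-filename assert is a real Jinja expression instead of a
#     templated string.

- name: Include vault variables
  ansible.builtin.include_vars: vault.yml

- name: Include apache2 tasks
  ansible.builtin.include_tasks: apache2.yml

- name: Install needed packages
  become: true
  ansible.builtin.apt:
    name:
      - git
      - unzip
      - gpg  # to verify binary
      - acl  # for become_user: git
    state: present

- name: Create git group
  become: true
  ansible.builtin.group:
    name: git
    system: true

# Least privilege: the only root action the automation needs is the systemctl
# rule installed in /etc/sudoers.d/git below. Membership in the generic `sudo`
# group would turn a compromise of the network-facing Gitea process into a
# full-sudo foothold, so it is deliberately not granted.
# NOTE(review): `append: true` never revokes groups, so hosts provisioned by an
# earlier run keep their `sudo` membership until it is removed by hand
# (`gpasswd -d git sudo`).
- name: Create git user
  become: true
  ansible.builtin.user:
    name: git
    group: git
    append: true
    groups:
      - mail
    create_home: true
    home: /home/git
    shell: /bin/bash
    system: true

# NOTE(review): this rule allows *every* systemctl sub-command as root without a
# password, which is far more than a service restart needs (e.g.
# `sudo systemctl status` hands the git user a root pager). Once the exact
# sub-commands used by gitea_backup.sh.j2 are confirmed, restrict the rule to
# those, e.g. "git ALL=(root) NOPASSWD:/usr/bin/systemctl stop gitea, /usr/bin/systemctl start gitea".
- name: Set sudoer permissions to git user
  become: true
  ansible.builtin.copy:
    # Block scalar so the file ends with a newline; visudo validates the result.
    content: |
      git ALL=(root) NOPASSWD:/usr/bin/systemctl
    dest: /etc/sudoers.d/git
    owner: root
    group: root
    mode: "0440"
    validate: /usr/sbin/visudo -csf %s

- name: Create needed directories
  become: true
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: git
    group: git
    mode: "0750"
  loop:
    - /etc/gitea
    - /var/lib/gitea
    - /var/lib/gitea/custom
    - /var/lib/gitea/data
    - /var/log/gitea

# Supply chain: the version is whatever upstream currently publishes as
# "latest", so any run may pull a new release. The download is only trusted
# after the gpg handlers notified below have verified it.
- name: Find latest gitea version
  ansible.builtin.uri:
    url: https://dl.gitea.io/gitea/version.json
  register: gitea_binary

# Idempotency guard: skip the download when this exact release is already
# staged. NOTE(review): the gpg handlers only fire when get_url reports a
# change, so a file left behind by a failed verification on an earlier run
# would be installed unverified by the next run — delete the staged file
# whenever verification fails.
- name: Find if latest gitea version is installed
  ansible.builtin.stat:
    path: "/home/git/gitea-{{ gitea_binary.json.latest.version }}"
  register: latest_gitea_binary

# Map the host architecture to gitea's release-asset suffix. Everything that is
# not x86_64 falls through to arm-6, exactly as before.
# NOTE(review): aarch64 hosts land on arm-6 too — confirm that is intended.
- name: Set gitea binary architecture
  ansible.builtin.set_fact:
    gitea_binary_arch: "{{ 'amd64' if ansible_facts['architecture'] == 'x86_64' else 'arm-6' }}"

# The staged file is owned by the service account, i.e. by the process whose
# compromise we worry about, so it is not group-writable (0644, previously
# 0664). NOTE(review): staging under a root-owned directory would close the
# verify-then-copy window entirely; the handlers reference this path, so it is
# left unchanged here.
- name: Get latest gitea binary
  become: true
  ansible.builtin.get_url:
    url: "https://dl.gitea.io/gitea/{{ gitea_binary.json.latest.version }}/gitea-{{ gitea_binary.json.latest.version }}-linux-{{ gitea_binary_arch }}"
    dest: "/home/git/gitea-{{ gitea_binary.json.latest.version }}"
    owner: git
    group: git
    mode: "0644"
  when: not latest_gitea_binary.stat.exists
  notify:
    - Receive gitea pgp key
    - Download gitea asc file
    - Verify gitea binary with gpg

# Run the verification handlers now, before anything below touches the file.
- name: Verify downloaded binary
  ansible.builtin.meta: flush_handlers

# A freshly installed release is only picked up by the running service after a
# restart, so this task notifies the same handler app.ini changes do.
- name: Copy gitea binary to global location
  become: true
  ansible.builtin.copy:
    src: "/home/git/gitea-{{ gitea_binary.json.latest.version }}"
    dest: /usr/local/bin/gitea
    remote_src: true
    owner: root
    group: root
    mode: "0755"
  notify:
    - Restart gitea service

- name: Copy /etc/systemd/system/gitea.service
  become: true
  ansible.builtin.copy:
    src: gitea.service
    dest: /etc/systemd/system/gitea.service
    owner: root
    group: root
    mode: "0644"
  notify:
    - Reload systemd daemon
    - Start gitea service

# app.ini is rendered from the vault-backed template; keep it readable by the
# service account only.
- name: Copy /etc/gitea/app.ini
  become: true
  ansible.builtin.template:
    src: app.ini.j2
    dest: /etc/gitea/app.ini
    owner: git
    group: git
    mode: "0640"
  notify:
    - Restart gitea service

- name: Make sure systemd daemon is reloaded
  ansible.builtin.meta: flush_handlers

- name: Make sure gitea is running
  become: true
  ansible.builtin.systemd:
    name: gitea
    state: started
    enabled: true

# fail2ban tasks need the gitea log file, which should be created when gitea runs
- name: Include fail2ban tasks
  ansible.builtin.include_tasks: fail2ban.yml

# The script is a rendered template and may carry credentials, so it is not
# world-readable and not group-writable (0750, previously 0775).
- name: Copy gitea_backup.sh script
  become: true
  ansible.builtin.template:
    src: gitea_backup.sh.j2
    dest: /home/git/gitea_backup.sh
    owner: git
    group: git
    mode: "0750"

# Dumps contain the repositories and database; the directory is private to git
# (0750, previously 0755) to match the 0640 dump files placed in it.
- name: Create gitea-dumps directory
  become: true
  ansible.builtin.file:
    path: /home/git/gitea-dumps
    state: directory
    owner: git
    group: git
    mode: "0750"

# Date string from the *remote* host's clock; the operator-supplied dump must
# be named for the same day.
- name: Set today's string for zipfile name
  ansible.builtin.set_fact:
    today: "{{ ansible_date_time.year }}{{ ansible_date_time.month }}{{ ansible_date_time.day }}"

- name: Ask to push latest gitea_dump zipfile
  ansible.builtin.pause:
    prompt: "Local path to latest gitea dump, so we can push it [leave empty to not push]"
    echo: true
  register: latest_gitea_dump_path

# `that` entries are already Jinja expressions. The previous form wrapped the
# comparison in {{ }}, which templated it into a plain string before evaluation
# and so never compared the basename against the expected name.
- name: Make sure the filename makes sense
  ansible.builtin.assert:
    that:
      - "(latest_gitea_dump_path.user_input | basename) == ('gitea-dump-' ~ today ~ '.zip')"
    fail_msg: "Expected a file named gitea-dump-{{ today }}.zip, got {{ latest_gitea_dump_path.user_input | basename }}"
  when: latest_gitea_dump_path.user_input != ''

- name: Push latest gitea_dump zipfile
  become: true
  ansible.builtin.copy:
    src: "{{ latest_gitea_dump_path.user_input }}"
    dest: "/home/git/gitea-dumps/gitea-dump-{{ today }}.zip"
    owner: git
    group: git
    mode: "0640"
  when: latest_gitea_dump_path.user_input != ''

- name: Deploy repos
  become: true
  become_user: git
  ansible.builtin.command:
    cmd: "/home/git/gitea_backup.sh restore /home/git/gitea-dumps/gitea-dump-{{ today }}.zip"
    # when this dir exists, the command won't run, so we don't overwrite existing repos
    creates: /home/git/gitea-repositories

# cron.d entries must be root-owned and not world-writable or cron ignores them.
- name: Setup gitea-backup crontab
  become: true
  ansible.builtin.copy:
    src: gitea-backup.cron
    dest: /etc/cron.d/gitea-backup
    owner: root
    group: root
    mode: "0644"

- name: Setup logrotate for gitea logs
  become: true
  ansible.builtin.copy:
    src: gitea.logrotate
    dest: /etc/logrotate.d/gitea
    owner: root
    group: root
    mode: "0644"

# Key pair for the git user; `size: 4096` is the module default, written out so
# the strength is explicit.
- name: Generate SSH keys for git
  become: true
  become_user: git
  community.crypto.openssh_keypair:
    path: ~/.ssh/id_rsa
    type: rsa
    size: 4096
    comment: "git@{{ ansible_fqdn }}"
  register: ssh_key

# The API calls authenticate with the vault-provided gitea_user / gitea_pass.
- name: Get previously added SSH keys
  ansible.builtin.uri:
    url: https://git.tunuifranken.info/api/v1/user/keys
    method: GET
    user: "{{ gitea_user }}"
    password: "{{ gitea_pass }}"
    force_basic_auth: true
  register: present_ssh_keys

- name: List SSH fingerprints
  ansible.builtin.set_fact:
    present_ssh_fingerprints: "{{ present_ssh_keys.json | map(attribute='fingerprint') }}"

# Registers the key with write access (read_only: false) only when its
# fingerprint is not already present.
- name: Add SSH key using Gitea's API
  ansible.builtin.uri:
    url: https://git.tunuifranken.info/api/v1/user/keys
    method: POST
    user: "{{ gitea_user }}"
    password: "{{ gitea_pass }}"
    force_basic_auth: true
    status_code: 201
    body_format: json
    body:
      key: "{{ ssh_key.public_key | trim }}"
      read_only: false
      title: "{{ ssh_key.comment | trim }}"
  when: ssh_key.fingerprint not in present_ssh_fingerprints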