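---
# Gitea deployment tasks.
#
# Flow: pull in vault + supporting task files, install the systemd unit and
# app.ini, start Gitea, then (because fail2ban needs Gitea's log file) set up
# fail2ban, optionally push and restore a gitea dump, configure logrotate and
# finally register the git user's SSH key with the Gitea API.
#
# Variables used below but not defined here: gitea_user, gitea_pass
# (presumably provided by vault.yml -- verify), ansible_date_time, ansible_fqdn.

- name: Include vault variables
  ansible.builtin.include_vars: vault.yml

- name: Include apache2 tasks
  ansible.builtin.include_tasks: apache2.yml

- name: Include mariadb tasks
  ansible.builtin.include_tasks: mariadb.yml

- name: Include unix tasks
  ansible.builtin.include_tasks: unix.yml

- name: Include binary tasks
  ansible.builtin.include_tasks: binary.yml

- name: Include backup tasks
  ansible.builtin.include_tasks: backup.yml

# Modes are quoted strings: an unquoted 0644 is a YAML 1.1 octal literal and
# ansible-lint flags it (risky-octal); "0644" is unambiguous.
- name: Copy /etc/systemd/system/gitea.service
  become: true
  ansible.builtin.copy:
    src: gitea.service
    dest: /etc/systemd/system/gitea.service
    owner: root
    group: root
    mode: "0644"
  notify:
    - Reload systemd daemon
    - Start gitea service

# app.ini carries the database credentials, so it is readable by the git
# user/group only.
- name: Copy /etc/gitea/app.ini
  become: true
  ansible.builtin.template:
    src: app.ini.j2
    dest: /etc/gitea/app.ini
    owner: git
    group: git
    mode: "0640"
  notify:
    - Restart gitea service

# Run the notified handlers now so the unit is known to systemd before the
# next task tries to start it.
- name: Make sure systemd daemon is reloaded
  ansible.builtin.meta: flush_handlers

- name: Make sure gitea is running
  become: true
  ansible.builtin.systemd:
    name: gitea
    state: started
    enabled: true

# fail2ban tasks need the gitea log file, which should be created when gitea runs
- name: Include fail2ban tasks
  ansible.builtin.include_tasks: fail2ban.yml

# YYYYMMDD, used to name the dump pushed/restored below.
- name: Set today's string for zipfile name
  ansible.builtin.set_fact:
    today: "{{ ansible_date_time.year }}{{ ansible_date_time.month }}{{ ansible_date_time.day }}"

- name: Ask to push latest gitea_dump zipfile
  ansible.builtin.pause:
    prompt: "Local path to latest gitea dump, so we can push it [leave empty to not push]"
    echo: true
  register: latest_gitea_dump_path

# The condition is a plain Jinja expression: `that` entries are already
# evaluated as templates, so wrapping them in {{ }} double-templates the
# value and turns the expected file name into undefined variable lookups.
- name: Make sure the filename makes sense
  ansible.builtin.assert:
    that:
      - (latest_gitea_dump_path.user_input | basename) == ('gitea-dump-' ~ today ~ '.zip')
    fail_msg: "Expected a file named gitea-dump-{{ today }}.zip, got {{ latest_gitea_dump_path.user_input | basename }}"
  when: latest_gitea_dump_path.user_input != ''

- name: Push latest gitea_dump zipfile
  become: true
  ansible.builtin.copy:
    src: "{{ latest_gitea_dump_path.user_input }}"
    dest: "/var/lib/gitea/gitea-dumps/gitea-dump-{{ today }}.zip"
    owner: git
    group: git
    mode: "0640"
  when: latest_gitea_dump_path.user_input != ''

# NOTE(review): this runs even when no dump was pushed above; on a fresh host
# without /var/lib/gitea/gitea-repositories the restore would then point at a
# zip that does not exist -- confirm whether gitea_backup.sh tolerates that or
# whether a `when: latest_gitea_dump_path.user_input != ''` belongs here too.
- name: Deploy repos
  become: true
  become_user: git
  ansible.builtin.command:
    cmd: "/var/lib/gitea/gitea_backup.sh restore /var/lib/gitea/gitea-dumps/gitea-dump-{{ today }}.zip"
    creates: /var/lib/gitea/gitea-repositories  # when this dir exists, the command won't run, so we don't overwrite existing repos

- name: Setup logrotate for gitea logs
  become: true
  ansible.builtin.copy:
    src: gitea.logrotate
    dest: /etc/logrotate.d/gitea
    owner: root
    group: root
    mode: "0644"

# Key pair for the git user; public_key/fingerprint/comment are read from the
# registered result below.
- name: Generate SSH keys for git
  become: true
  become_user: git
  community.crypto.openssh_keypair:
    path: ~/.ssh/id_rsa
    type: rsa
    comment: "git@{{ ansible_fqdn }}"
  register: ssh_key

- name: Get previously added SSH keys
  ansible.builtin.uri:
    url: https://git.tunuifranken.info/api/v1/user/keys
    method: GET
    user: "{{ gitea_user }}"
    password: "{{ gitea_pass }}"
    force_basic_auth: true
  register: present_ssh_keys

# `| list` materialises the map() generator so the fact is a real list and the
# `not in` test below behaves the same on every Jinja/ansible-core version.
- name: List SSH fingerprints
  ansible.builtin.set_fact:
    present_ssh_fingerprints: "{{ present_ssh_keys.json | map(attribute='fingerprint') | list }}"

- name: Add SSH key using Gitea's API
  ansible.builtin.uri:
    url: https://git.tunuifranken.info/api/v1/user/keys
    method: POST
    user: "{{ gitea_user }}"
    password: "{{ gitea_pass }}"
    force_basic_auth: true
    status_code: 201
    body_format: json
    body:
      key: "{{ ssh_key.public_key | trim }}"
      read_only: false
      title: "{{ ssh_key.comment | trim }}"
  when: ssh_key.fingerprint not in present_ssh_fingerprints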