self-hosting/roles/gitea/tasks/main.yml


---
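- name: Include vault variables
  # vault.yml is expected to provide gitea_user / gitea_pass for the API tasks
  # at the end of this role; keep it encrypted with ansible-vault.
  ansible.builtin.include_vars: vault.yml

- name: Install needed packages
  become: true
  ansible.builtin.apt:
    name:
      - git
      - unzip
      - gpg  # verifies the detached signature of the downloaded binary
      - acl  # needed so become_user: git works from an unprivileged login
    state: present

- name: Create git group
  become: true
  ansible.builtin.group:
    name: git
    system: true

- name: Create git user
  become: true
  ansible.builtin.user:
    name: git
    group: git
    # `sudo` was removed from the supplementary groups: the service account
    # receives exactly the systemctl verbs it needs via /etc/sudoers.d/git,
    # and a blanket %sudo grant only widens the blast radius should a password
    # ever be set on this account. Because `append` is kept, hosts provisioned
    # before this change keep the old membership until it is dropped by hand
    # (e.g. `gpasswd -d git sudo`).
    append: true
    groups:
      - mail
    create_home: true
    home: /home/git
    shell: /bin/bash
    system: true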
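- name: Set sudoer permissions to git user
  become: true
  ansible.builtin.copy:
    # An unrestricted `/usr/bin/systemctl` entry is equivalent to root
    # (`systemctl edit`, `systemctl link`, or a shell spawned from the pager),
    # so only the gitea unit and the verbs a backup/restore needs are allowed.
    # `status` is deliberately absent: it opens a pager, which can spawn a
    # shell. Add a verb here only if gitea_backup.sh.j2 really uses it —
    # TODO confirm the verbs against that template.
    content: |
      git ALL=(root) NOPASSWD: /usr/bin/systemctl start gitea, /usr/bin/systemctl stop gitea, /usr/bin/systemctl restart gitea
    dest: /etc/sudoers.d/git
    owner: root
    group: root
    # Quoted so the octal literal is not reinterpreted by the YAML parser.
    mode: "0440"
    # Reject the file before it lands in sudoers.d if visudo cannot parse it.
    validate: /usr/sbin/visudo -csf %s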
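- name: Create needed directories
  become: true
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: git
    group: git
    # Quoted so YAML keeps the octal literal; owner-only write, group read.
    mode: "0750"
  loop:
    - /etc/gitea
    - /var/lib/gitea
    - /var/lib/gitea/custom
    - /var/lib/gitea/data
    - /var/log/gitea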
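- name: Find latest gitea version
  ansible.builtin.uri:
    url: https://dl.gitea.io/gitea/version.json
  register: gitea_binary

- name: Find if latest gitea version is installed
  ansible.builtin.stat:
    path: "/home/git/gitea-{{ gitea_binary.json.latest.version }}"
  register: latest_gitea_binary

- name: Set gitea binary architecture
  # Map the kernel architecture onto the release file suffix. aarch64 hosts
  # previously fell through to the 32-bit arm-6 build; they now get arm64.
  # Anything else still defaults to arm-6 as before.
  ansible.builtin.set_fact:
    gitea_binary_arch: "{{ gitea_arch_map[ansible_facts['architecture']] | default('arm-6') }}"
  vars:
    gitea_arch_map:
      x86_64: amd64
      aarch64: arm64

- name: Get latest gitea binary
  become: true
  ansible.builtin.get_url:
    url: "https://dl.gitea.io/gitea/{{ gitea_binary.json.latest.version }}/gitea-{{ gitea_binary.json.latest.version }}-linux-{{ gitea_binary_arch }}"
    dest: "/home/git/gitea-{{ gitea_binary.json.latest.version }}"
    owner: git
    group: git
    # No write bit for the group; the installed copy below is re-moded anyway.
    mode: "0644"
  when: not latest_gitea_binary.stat.exists
  # NOTE(review): verification lives in handlers, which only fire when this
  # task reports "changed". If the download succeeds but the gpg handler
  # fails, the unverified file stays at dest; on the next run the stat above
  # skips this task, no handler fires, and the copy below installs the file
  # without ever checking the signature. Downloading to a ".unverified" name
  # and letting the verify handler rename it would close that gap (needs a
  # matching change in handlers/main.yml, not visible here).
  notify:
    - Receive gitea pgp key
    - Download gitea asc file
    - Verify gitea binary with gpg

- name: Verify downloaded binary
  # Run the verification handlers now so a bad signature aborts the play
  # before anything is installed system-wide.
  ansible.builtin.meta: flush_handlers

- name: Copy gitea binary to global location
  become: true
  ansible.builtin.copy:
    src: "/home/git/gitea-{{ gitea_binary.json.latest.version }}"
    dest: /usr/local/bin/gitea
    remote_src: true
    owner: root
    group: root
    mode: "0755"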
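- name: Copy /etc/systemd/system/gitea.service
  become: true
  ansible.builtin.copy:
    src: gitea.service
    dest: /etc/systemd/system/gitea.service
    owner: root
    group: root
    # Quoted so the octal literal survives YAML parsing.
    mode: "0644"
  notify:
    - Reload systemd daemon
    - Start gitea service

- name: Copy /etc/gitea/app.ini
  become: true
  ansible.builtin.template:
    src: app.ini.j2
    dest: /etc/gitea/app.ini
    # app.ini presumably carries secrets (tokens, DB credentials), so it is
    # readable by the service account only. Be aware that --diff runs print
    # the rendered content; add `diff: false` to this task if that matters.
    owner: git
    group: git
    mode: "0640"
  notify:
    - Restart gitea service

- name: Make sure systemd daemon is reloaded
  # Flush so the reload/start handlers run before the state check below.
  ansible.builtin.meta: flush_handlers

- name: Make sure gitea is running
  become: true
  ansible.builtin.systemd:
    name: gitea
    state: started
    enabled: true

# fail2ban tasks need the gitea log file, which is only created once gitea
# has run at least once; hence the ordering after the service start.
- name: Include fail2ban tasks
  ansible.builtin.include_tasks: fail2ban.yml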
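- name: Copy gitea_backup.sh script
  become: true
  ansible.builtin.template:
    src: gitea_backup.sh.j2
    dest: /home/git/gitea_backup.sh
    owner: git
    group: git
    # Quoted octal; the script is executable by owner and group only.
    mode: "0775"

- name: Create gitea-dumps directory
  become: true
  ansible.builtin.file:
    path: /home/git/gitea-dumps
    state: directory
    owner: git
    group: git
    # Dumps bundle the database and repositories; keep the directory
    # unreadable to other local users (it was 0755 before).
    mode: "0750"

- name: Set today's string for zipfile name
  # YYYYMMDD from the remote host's clock, used for both push and restore.
  ansible.builtin.set_fact:
    today: "{{ ansible_date_time.year }}{{ ansible_date_time.month }}{{ ansible_date_time.day }}"

- name: Ask to push latest gitea_dump zipfile
  ansible.builtin.pause:
    prompt: "Local path to latest gitea dump, so we can push it [leave empty to not push]"
    echo: true
  register: latest_gitea_dump_path

- name: Make sure the filename makes sense
  # The previous form embedded `{{ }}` inside the conditional, which rendered
  # to `gitea-dump-YYYYMMDD.zip == ...` and was then evaluated as a Jinja
  # expression rather than a string comparison. Compare the strings directly.
  ansible.builtin.assert:
    that:
      - (latest_gitea_dump_path.user_input | basename) == ('gitea-dump-' ~ today ~ '.zip')
    fail_msg: "Expected a file named gitea-dump-{{ today }}.zip, got {{ latest_gitea_dump_path.user_input | basename }}"
  when: latest_gitea_dump_path.user_input != ''

- name: Push latest gitea_dump zipfile
  become: true
  ansible.builtin.copy:
    src: "{{ latest_gitea_dump_path.user_input }}"
    dest: "/home/git/gitea-dumps/gitea-dump-{{ today }}.zip"
    owner: git
    group: git
    mode: "0640"
  when: latest_gitea_dump_path.user_input != ''

- name: Deploy repos
  become: true
  become_user: git
  ansible.builtin.command:
    cmd: "/home/git/gitea_backup.sh restore /home/git/gitea-dumps/gitea-dump-{{ today }}.zip"
    # Once this directory exists the restore is skipped so existing
    # repositories are never overwritten.
    creates: /home/git/gitea-repositories

- name: Setup gitea-backup crontab
  become: true
  ansible.builtin.copy:
    src: gitea-backup.cron
    dest: /etc/cron.d/gitea-backup
    # cron.d entries must be root-owned and not writable by anyone else or
    # cron ignores them; state that explicitly rather than relying on defaults.
    owner: root
    group: root
    mode: "0644"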
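- name: Setup logrotate for gitea logs
  become: true
  ansible.builtin.copy:
    src: gitea.logrotate
    dest: /etc/logrotate.d/gitea
    owner: root
    group: root
    # Quoted so the octal literal survives YAML parsing.
    mode: "0644"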
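- name: Generate SSH keys for git
  become: true
  become_user: git
  community.crypto.openssh_keypair:
    # Expanded as the git user, i.e. /home/git/.ssh/id_rsa. Kept as rsa since
    # the path and title are already registered upstream; ed25519 would be the
    # preferred type for a fresh deployment.
    path: ~/.ssh/id_rsa
    type: rsa
    comment: "git@{{ ansible_fqdn }}"
  register: ssh_key

- name: Get previously added SSH keys
  ansible.builtin.uri:
    # gitea_url may be set to target another instance; the default preserves
    # the previously hard-coded address.
    url: "{{ gitea_url | default('https://git.tunuifranken.info') }}/api/v1/user/keys"
    method: GET
    user: "{{ gitea_user }}"
    password: "{{ gitea_pass }}"
    force_basic_auth: true
  register: present_ssh_keys

- name: List SSH fingerprints
  ansible.builtin.set_fact:
    # `list` materialises the map() generator so the `in` test below is
    # reliable and the fact serialises cleanly.
    # NOTE(review): the keys endpoint is paged; if the account holds more keys
    # than one page returns, this list is incomplete — confirm the page size.
    present_ssh_fingerprints: "{{ present_ssh_keys.json | map(attribute='fingerprint') | list }}"

- name: Add SSH key using Gitea's API
  ansible.builtin.uri:
    url: "{{ gitea_url | default('https://git.tunuifranken.info') }}/api/v1/user/keys"
    method: POST
    user: "{{ gitea_user }}"
    password: "{{ gitea_pass }}"
    force_basic_auth: true
    status_code: 201
    body_format: json
    body:
      key: "{{ ssh_key.public_key | trim }}"
      read_only: false
      title: "{{ ssh_key.comment | trim }}"
  # Assumes openssh_keypair and the API report fingerprints in the same
  # (SHA256:...) form — TODO confirm; a mismatch re-posts the key every run.
  when: ssh_key.fingerprint not in present_ssh_fingerprints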