diff --git a/webapps/gitea/defaults/main.yml b/webapps/gitea/defaults/main.yml
index 956662b9..b75898f9 100644
--- a/webapps/gitea/defaults/main.yml
+++ b/webapps/gitea/defaults/main.yml
@@ -1,14 +1,14 @@
 ---
 # defaults file for vars
-system_dep: "['apt-transport-https', 'git', 'nginx', 'mariadb-server', 'mariadb-client', 'python3-mysqldb', 'redis-server', 'certbot']"
-git_version: '1.21.3'
-gitea_url: "https://dl.gitea.io/gitea/{{ git_version }}/gitea-{{ git_version }}-linux-amd64"
+gitea_system_dep: "['apt-transport-https', 'git', 'nginx', 'mariadb-server', 'mariadb-client', 'python3-mysqldb', 'redis-server', 'certbot']"
+gitea_git_version: '1.21.3'
+gitea_url: "https://dl.gitea.io/gitea/{{ gitea_git_version }}/gitea-{{ gitea_git_version }}-linux-amd64"
 gitea_checksum: "sha256:ccf6cc2077401e382bca0d000553a781a42c9103656bd33ef32bf093cca570eb"
-domains: ['example.domain.org']
-certbot_admin_email: 'security@example.domain.org'
-db_host: '127.0.0.1:3306'
-db_name: "{{ service }}"
-db_user: "{{ service }}"
-db_password: 'UQ6_CHANGE_ME_Gzb'
-redis_maxclients: '128'
-redis_maxmemory: '300M'
+gitea_domains: ['example.domain.org']
+gitea_certbot_admin_email: 'security@example.domain.org'
+gitea_db_host: '127.0.0.1:3306'
+gitea_db_name: "{{ gitea_service }}"
+gitea_db_user: "{{ gitea_service }}"
+gitea_db_password: 'UQ6_CHANGE_ME_Gzb'
+gitea_redis_maxclients: '128'
+gitea_redis_maxmemory: '300M'
diff --git a/webapps/gitea/tasks/main.yml b/webapps/gitea/tasks/main.yml
index 36a79663..0fa5865d 100644
--- a/webapps/gitea/tasks/main.yml
+++ b/webapps/gitea/tasks/main.yml
@@ -3,7 +3,7 @@ - name: Install main system dependencies apt: - name: "{{ system_dep }}" + name: "{{ gitea_system_dep }}" update_cache: yes - name: Download gitea binary 
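Review bot: `gitea_db_password: 'UQ6_CHANGE_ME_Gzb'` is still a placeholder default, and the mysql_user task and the gitea.ini template in this same commit consume it verbatim, so a run without an override provisions a credential that is public in the repository. Dropping the default (an undefined variable fails the play) or guarding it with `- assert: { that: gitea_db_password != 'UQ6_CHANGE_ME_Gzb', fail_msg: 'set gitea_db_password' }` makes the intent enforceable. The renamed db_name and db_user now reference `gitea_service`, which this defaults file does not define; presumably it comes from the playbook or vars, and a comment such as `# gitea_service: instance name (UNIX user, DB name, paths); must be set by the caller` would document that. Also, `gitea_system_dep` is a quoted string holding a Python list literal rather than a YAML list; this relies on Ansible coercing the string back into a list for `apt`, and a plain block sequence would be clearer.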
@@ -15,31 +15,31 @@ - name: Create symbolic link file: - src: "/usr/local/bin/gitea-{{ git_version }}-linux-amd64" + src: "/usr/local/bin/gitea-{{ gitea_git_version }}-linux-amd64" dest: "/usr/local/bin/gitea" state: link - name: Add UNIX account user: - name: "{{ service }}" + name: "{{ gitea_service }}" shell: /bin/bash - name: Add www-data (nginx) to service's group user: name: www-data #group: www-data - groups: "{{ service }}" + groups: "{{ gitea_service }}" append: true - name: Add database mysql_db: - name: "{{ db_name }}" + name: "{{ gitea_db_name }}" - name: Add database user mysql_user: - name: "{{ db_user }}" - password: "{{ db_password }}" - priv: "{{ db_name }}.*:{{privileges |default('SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,INDEX,ALTER,CREATE TEMPORARY TABLES')}}" + name: "{{ gitea_db_user }}" + password: "{{ gitea_db_password }}" + priv: "{{ gitea_db_name }}.*:{{privileges |default('SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,INDEX,ALTER,CREATE TEMPORARY TABLES')}}" update_password: on_create - name: Create the gitea conf dir if needed @@ -51,9 +51,9 @@ - name: Template gitea ini file template: src: "gitea.ini.j2" - dest: "/etc/gitea/{{ service }}.ini" + dest: "/etc/gitea/{{ gitea_service }}.ini" owner: 'root' - group: "{{ service }}" + group: "{{ gitea_service }}" mode: '0660' - name: Template gitea systemd unit 
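Review bot: In the renamed `priv:` line of the "Add database user" task, `privileges` is the only variable left without the `gitea_` prefix, so it either needs renaming to `gitea_privileges` to match the rest of this commit or a comment saying it is intentionally shared across roles. The same task passes `gitea_db_password` to mysql_user without `no_log: true`, so the value is printed in verbose runs and task logs; `no_log: true` on that task is a one-line fix. The enclosing task list continues past both ends of this hunk.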
@@ -63,31 +63,31 @@ - name: Start gitea systemd unit service: - name: "gitea@{{ service }}" + name: "gitea@{{ gitea_service }}" state: restarted - name: Create the redis dir if needed file: - path: /home/{{ service }}/redis + path: /home/{{ gitea_service }}/redis state: directory - owner: "{{ service }}" - group: "{{ service }}" + owner: "{{ gitea_service }}" + group: "{{ gitea_service }}" mode: '0750' - name: Create the log dir if needed file: - path: /home/{{ service }}/log + path: /home/{{ gitea_service }}/log state: directory - owner: "{{ service }}" - group: "{{ service }}" + owner: "{{ gitea_service }}" + group: "{{ gitea_service }}" mode: '0750' - name: Template redis conf template: src: "redis.conf.j2" - dest: "/home/{{ service }}/redis/redis.conf" - owner: "{{ service }}" - group: "{{ service }}" + dest: "/home/{{ gitea_service }}/redis/redis.conf" + owner: "{{ gitea_service }}" + group: "{{ gitea_service }}" mode: '0640' - name: Template redis systemd unit @@ -97,7 +97,7 @@ - name: Start redis systemd unit service: - name: "redis@{{ service }}" + name: "redis@{{ gitea_service }}" state: started - name: Template nginx snippet for Let's Encrypt/Certbot @@ -107,7 +107,7 @@ - name: Check if SSL certificate is present and register result stat: - path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem" + path: "/etc/letsencrypt/live/{{ gitea_domains |first }}/fullchain.pem" register: ssl - name: Generate certificate only if required (first time) 
@@ -115,11 +115,11 @@ - name: Template vhost without SSL for successfull LE challengce template: src: "vhost.conf.j2" - dest: "/etc/nginx/sites-available/{{ service }}.conf" + dest: "/etc/nginx/sites-available/{{ gitea_service }}.conf" - name: Enable temporary nginx vhost for gitea file: - src: "/etc/nginx/sites-available/{{ service }}.conf" - dest: "/etc/nginx/sites-enabled/{{ service }}.conf" + src: "/etc/nginx/sites-available/{{ gitea_service }}.conf" + dest: "/etc/nginx/sites-enabled/{{ gitea_service }}.conf" state: link - name: Reload nginx conf service: @@ -131,7 +131,7 @@ state: directory mode: '0755' - name: Generate certificate with certbot - shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ certbot_admin_email }} -d {{ domains |first }} + shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ gitea_certbot_admin_email }} -d {{ gitea_domains |first }} - name: Create the ssl dir if needed file: path: /etc/nginx/ssl 
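Review bot: The renamed certbot line still runs through `shell:` with the email and domain interpolated unquoted into the command string, so any whitespace or shell metacharacter in `gitea_certbot_admin_email` or `gitea_domains` changes the command rather than being passed as one argument. Using `command:` with an `argv:` list (or at least `{{ gitea_certbot_admin_email | quote }}`) keeps each value a single argument, and `creates: /etc/letsencrypt/live/{{ gitea_domains | first }}/fullchain.pem` would make the task idempotent on its own. Whether this task is already wrapped in a `when:` on `ssl.stat.exists` is not visible in this hunk.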
@@ -140,23 +140,23 @@ - name: Template ssl bloc for nginx vhost template: src: "ssl.conf.j2" - dest: "/etc/nginx/ssl/{{ domains |first }}.conf" + dest: "/etc/nginx/ssl/{{ gitea_domains |first }}.conf" when: ssl.stat.exists != true - name: (Re)check if SSL certificate is present and register result stat: - path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem" + path: "/etc/letsencrypt/live/{{ gitea_domains |first }}/fullchain.pem" register: ssl - name: (Re)template conf file for nginx vhost with SSL template: src: "vhost.conf.j2" - dest: "/etc/nginx/sites-available/{{ service }}.conf" + dest: "/etc/nginx/sites-available/{{ gitea_service }}.conf" - name: Enable nginx vhost for gitea file: - src: "/etc/nginx/sites-available/{{ service }}.conf" - dest: "/etc/nginx/sites-enabled/{{ service }}.conf" + src: "/etc/nginx/sites-available/{{ gitea_service }}.conf" + dest: "/etc/nginx/sites-enabled/{{ gitea_service }}.conf" state: link - name: Reload nginx conf
diff --git a/webapps/gitea/tasks/upgrade.yml b/webapps/gitea/tasks/upgrade.yml
index f849a8c7..a419ccce 100644
--- a/webapps/gitea/tasks/upgrade.yml
+++ b/webapps/gitea/tasks/upgrade.yml
@@ -10,13 +10,13 @@ - name: Create symbolic link file: - src: "/usr/local/bin/gitea-{{ git_version }}-linux-amd64" + src: "/usr/local/bin/gitea-{{ gitea_git_version }}-linux-amd64" dest: "/usr/local/bin/gitea" state: link - name: Start gitea systemd unit service: - name: "gitea@{{ service }}" + name: "gitea@{{ gitea_service }}" state: restarted - name: Reload nginx conf
diff --git a/webapps/gitea/templates/gitea.ini.j2 b/webapps/gitea/templates/gitea.ini.j2
index aed6dce8..b8ce707a 100644
--- a/webapps/gitea/templates/gitea.ini.j2
+++ b/webapps/gitea/templates/gitea.ini.j2
@@ -1,21 +1,21 @@ APP_NAME = Gitea -RUN_USER = {{ service }} +RUN_USER = {{ gitea_service }} RUN_MODE = prod [server] PROTOCOL = unix -DOMAIN = {{ domains | first }} -HTTP_ADDR = /home/{{ service }}/gitea.sock +DOMAIN = {{ gitea_domains | first }} +HTTP_ADDR = /home/{{ gitea_service }}/gitea.sock UNIX_SOCKET_PERMISSION = 660 OFFLINE_MODE = true -SSH_DOMAIN = {{ domains | first }} -ROOT_URL = https://{{ domains | first }}/ +SSH_DOMAIN = {{ gitea_domains | first }} +ROOT_URL = https://{{ gitea_domains | first }}/ [repository] -ROOT = /home/{{ service }}/repositories +ROOT = /home/{{ gitea_service }}/repositories [log] -ROOT_PATH = /home/{{ service }}/log/ +ROOT_PATH = /home/{{ gitea_service }}/log/ MODE = console LEVEL = info
@@ -25,15 +25,15 @@ NAMES = Français,English [database] DB_TYPE = mysql -HOST = {{ db_host }} -NAME = {{ db_name }} -USER = {{ db_user }} -PASSWD = {{ db_password }} +HOST = {{ gitea_db_host }} +NAME = {{ gitea_db_name }} +USER = {{ gitea_db_user }} +PASSWD = {{ gitea_db_password }} [session] PROVIDER = redis -PROVIDER_CONFIG = network=unix,addr=/home/{{ service }}/redis/redis.sock,db=0,pool_size=100,idle_timeout=180 +PROVIDER_CONFIG = network=unix,addr=/home/{{ gitea_service }}/redis/redis.sock,db=0,pool_size=100,idle_timeout=180 [cache] ADAPTER = redis -HOST = network=unix,addr=/home/{{ service }}/redis/redis.sock,db=1,pool_size=100,idle_timeout=180 +HOST = network=unix,addr=/home/{{ gitea_service }}/redis/redis.sock,db=1,pool_size=100,idle_timeout=180
diff --git a/webapps/gitea/templates/redis.conf.j2 b/webapps/gitea/templates/redis.conf.j2
index 0eee5ff2..8f16978b 100644
--- a/webapps/gitea/templates/redis.conf.j2
+++ b/webapps/gitea/templates/redis.conf.j2
@@ -2,13 +2,13 @@ bind 127.0.0.1 ::1 protected-mode yes port 0 -unixsocket /home/{{ service }}/redis/redis.sock +unixsocket /home/{{ gitea_service }}/redis/redis.sock unixsocketperm 770 timeout 0 tcp-keepalive 300 loglevel notice -logfile /home/{{ service }}/log/redis-server.log +logfile /home/{{ gitea_service }}/log/redis-server.log databases 16 save 900 1
@@ -16,7 +16,7 @@ save 300 10 save 60 10000 dbfilename dump.rdb -dir /home/{{ service }}/redis +dir /home/{{ gitea_service }}/redis -maxclients {{ redis_maxclients }} -maxmemory {{ redis_maxmemory }} +maxclients {{ gitea_redis_maxclients }} +maxmemory {{ gitea_redis_maxmemory }}
diff --git a/webapps/gitea/templates/ssl.conf.j2 b/webapps/gitea/templates/ssl.conf.j2
index 86194389..6c4702c8 100644
--- a/webapps/gitea/templates/ssl.conf.j2
+++ b/webapps/gitea/templates/ssl.conf.j2
@@ -2,8 +2,8 @@ # Certificates # you need a certificate to run in production. see https://letsencrypt.org/ ## -ssl_certificate /etc/letsencrypt/live/{{ domains | first }}/fullchain.pem; -ssl_certificate_key /etc/letsencrypt/live/{{ domains | first }}/privkey.pem; +ssl_certificate /etc/letsencrypt/live/{{ gitea_domains | first }}/fullchain.pem; +ssl_certificate_key /etc/letsencrypt/live/{{ gitea_domains | first }}/privkey.pem; ## # Security hardening (as of Nov 15, 2020)
diff --git a/webapps/gitea/templates/vhost.conf.j2 b/webapps/gitea/templates/vhost.conf.j2
index 95e85988..d97ac9e1 100644
--- a/webapps/gitea/templates/vhost.conf.j2
+++ b/webapps/gitea/templates/vhost.conf.j2
@@ -1,11 +1,11 @@ -upstream gitea_{{ service }} { - server unix:/home/{{ service }}/gitea.sock; +upstream gitea_{{ gitea_service }} { + server unix:/home/{{ gitea_service }}/gitea.sock; } server { listen 80; listen [::]:80; - server_name {{ domains | first }}; + server_name {{ gitea_domains | first }}; # For certbot include /etc/nginx/snippets/letsencrypt.conf;
@@ -20,16 +20,16 @@ server { listen 0.0.0.0:443 ssl http2; listen [::]:443 ssl http2; - server_name {{ domains | first }}; + server_name {{ gitea_domains | first }}; - access_log /var/log/nginx/{{ service }}.access.log; - error_log /var/log/nginx/{{ service }}.error.log; + access_log /var/log/nginx/{{ gitea_service }}.access.log; + error_log /var/log/nginx/{{ gitea_service }}.error.log; include /etc/nginx/snippets/letsencrypt.conf; - include /etc/nginx/ssl/{{ domains | first }}.conf; + include /etc/nginx/ssl/{{ gitea_domains | first }}.conf; location / { - proxy_pass http://gitea_{{ service }}; + proxy_pass http://gitea_{{ gitea_service }}; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $remote_addr; proxy_read_timeout 10;