Prefix variables with gitea_
This commit is contained in:
parent
7912185c05
commit
40050b05d8
|
@ -1,14 +1,14 @@
|
||||||
---
|
---
|
||||||
# defaults file for vars
|
# defaults file for vars
|
||||||
system_dep: "['apt-transport-https', 'git', 'nginx', 'mariadb-server', 'mariadb-client', 'python3-mysqldb', 'redis-server', 'certbot']"
|
gitea_system_dep: "['apt-transport-https', 'git', 'nginx', 'mariadb-server', 'mariadb-client', 'python3-mysqldb', 'redis-server', 'certbot']"
|
||||||
git_version: '1.21.3'
|
gitea_git_version: '1.21.3'
|
||||||
gitea_url: "https://dl.gitea.io/gitea/{{ git_version }}/gitea-{{ git_version }}-linux-amd64"
|
gitea_url: "https://dl.gitea.io/gitea/{{ gitea_git_version }}/gitea-{{ gitea_git_version }}-linux-amd64"
|
||||||
gitea_checksum: "sha256:ccf6cc2077401e382bca0d000553a781a42c9103656bd33ef32bf093cca570eb"
|
gitea_checksum: "sha256:ccf6cc2077401e382bca0d000553a781a42c9103656bd33ef32bf093cca570eb"
|
||||||
domains: ['example.domain.org']
|
gitea_domains: ['example.domain.org']
|
||||||
certbot_admin_email: 'security@example.domain.org'
|
gitea_certbot_admin_email: 'security@example.domain.org'
|
||||||
db_host: '127.0.0.1:3306'
|
gitea_db_host: '127.0.0.1:3306'
|
||||||
db_name: "{{ service }}"
|
gitea_db_name: "{{ gitea_service }}"
|
||||||
db_user: "{{ service }}"
|
gitea_db_user: "{{ gitea_service }}"
|
||||||
db_password: 'UQ6_CHANGE_ME_Gzb'
|
gitea_db_password: 'UQ6_CHANGE_ME_Gzb'
|
||||||
redis_maxclients: '128'
|
gitea_redis_maxclients: '128'
|
||||||
redis_maxmemory: '300M'
|
gitea_redis_maxmemory: '300M'
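Review bot: `gitea_db_password: 'UQ6_CHANGE_ME_Gzb'` ships a known, committed default for the MariaDB account that the `mysql_user` task creates and that `gitea.ini.j2` writes into `PASSWD`; a playbook that forgets to override it deploys a guessable database credential, and because that task sets `update_password: on_create` a later override is never applied to an account that already exists. The rename does not change this, but the defaults file is the place to fix it: drop the default and fail early with an `assert` task in `tasks/main.yml`, e.g. `that: gitea_db_password is defined and gitea_db_password != 'UQ6_CHANGE_ME_Gzb'`, or generate the value into a vaulted variable instead of a defaults literal. `gitea_service` is now referenced from `gitea_db_name` and `gitea_db_user` but is not defined in this file; presumably it comes from `vars/` or the playbook, which is worth confirming after the rename.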
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
|
|
||||||
- name: Install main system dependencies
|
- name: Install main system dependencies
|
||||||
apt:
|
apt:
|
||||||
name: "{{ system_dep }}"
|
name: "{{ gitea_system_dep }}"
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
|
|
||||||
- name: Download gitea binary
|
- name: Download gitea binary
|
||||||
|
@ -15,31 +15,31 @@
|
||||||
|
|
||||||
- name: Create symbolic link
|
- name: Create symbolic link
|
||||||
file:
|
file:
|
||||||
src: "/usr/local/bin/gitea-{{ git_version }}-linux-amd64"
|
src: "/usr/local/bin/gitea-{{ gitea_git_version }}-linux-amd64"
|
||||||
dest: "/usr/local/bin/gitea"
|
dest: "/usr/local/bin/gitea"
|
||||||
state: link
|
state: link
|
||||||
|
|
||||||
- name: Add UNIX account
|
- name: Add UNIX account
|
||||||
user:
|
user:
|
||||||
name: "{{ service }}"
|
name: "{{ gitea_service }}"
|
||||||
shell: /bin/bash
|
shell: /bin/bash
|
||||||
|
|
||||||
- name: Add www-data (nginx) to service's group
|
- name: Add www-data (nginx) to service's group
|
||||||
user:
|
user:
|
||||||
name: www-data
|
name: www-data
|
||||||
#group: www-data
|
#group: www-data
|
||||||
groups: "{{ service }}"
|
groups: "{{ gitea_service }}"
|
||||||
append: true
|
append: true
|
||||||
|
|
||||||
- name: Add database
|
- name: Add database
|
||||||
mysql_db:
|
mysql_db:
|
||||||
name: "{{ db_name }}"
|
name: "{{ gitea_db_name }}"
|
||||||
|
|
||||||
- name: Add database user
|
- name: Add database user
|
||||||
mysql_user:
|
mysql_user:
|
||||||
name: "{{ db_user }}"
|
name: "{{ gitea_db_user }}"
|
||||||
password: "{{ db_password }}"
|
password: "{{ gitea_db_password }}"
|
||||||
priv: "{{ db_name }}.*:{{privileges |default('SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,INDEX,ALTER,CREATE TEMPORARY TABLES')}}"
|
priv: "{{ gitea_db_name }}.*:{{privileges |default('SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,INDEX,ALTER,CREATE TEMPORARY TABLES')}}"
|
||||||
update_password: on_create
|
update_password: on_create
|
||||||
|
|
||||||
- name: Create the gitea conf dir if needed
|
- name: Create the gitea conf dir if needed
|
||||||
|
@ -51,9 +51,9 @@
|
||||||
- name: Template gitea ini file
|
- name: Template gitea ini file
|
||||||
template:
|
template:
|
||||||
src: "gitea.ini.j2"
|
src: "gitea.ini.j2"
|
||||||
dest: "/etc/gitea/{{ service }}.ini"
|
dest: "/etc/gitea/{{ gitea_service }}.ini"
|
||||||
owner: 'root'
|
owner: 'root'
|
||||||
group: "{{ service }}"
|
group: "{{ gitea_service }}"
|
||||||
mode: '0660'
|
mode: '0660'
|
||||||
|
|
||||||
- name: Template gitea systemd unit
|
- name: Template gitea systemd unit
|
||||||
|
@ -63,31 +63,31 @@
|
||||||
|
|
||||||
- name: Start gitea systemd unit
|
- name: Start gitea systemd unit
|
||||||
service:
|
service:
|
||||||
name: "gitea@{{ service }}"
|
name: "gitea@{{ gitea_service }}"
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
- name: Create the redis dir if needed
|
- name: Create the redis dir if needed
|
||||||
file:
|
file:
|
||||||
path: /home/{{ service }}/redis
|
path: /home/{{ gitea_service }}/redis
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ service }}"
|
owner: "{{ gitea_service }}"
|
||||||
group: "{{ service }}"
|
group: "{{ gitea_service }}"
|
||||||
mode: '0750'
|
mode: '0750'
|
||||||
|
|
||||||
- name: Create the log dir if needed
|
- name: Create the log dir if needed
|
||||||
file:
|
file:
|
||||||
path: /home/{{ service }}/log
|
path: /home/{{ gitea_service }}/log
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ service }}"
|
owner: "{{ gitea_service }}"
|
||||||
group: "{{ service }}"
|
group: "{{ gitea_service }}"
|
||||||
mode: '0750'
|
mode: '0750'
|
||||||
|
|
||||||
- name: Template redis conf
|
- name: Template redis conf
|
||||||
template:
|
template:
|
||||||
src: "redis.conf.j2"
|
src: "redis.conf.j2"
|
||||||
dest: "/home/{{ service }}/redis/redis.conf"
|
dest: "/home/{{ gitea_service }}/redis/redis.conf"
|
||||||
owner: "{{ service }}"
|
owner: "{{ gitea_service }}"
|
||||||
group: "{{ service }}"
|
group: "{{ gitea_service }}"
|
||||||
mode: '0640'
|
mode: '0640'
|
||||||
|
|
||||||
- name: Template redis systemd unit
|
- name: Template redis systemd unit
|
||||||
|
@ -97,7 +97,7 @@
|
||||||
|
|
||||||
- name: Start redis systemd unit
|
- name: Start redis systemd unit
|
||||||
service:
|
service:
|
||||||
name: "redis@{{ service }}"
|
name: "redis@{{ gitea_service }}"
|
||||||
state: started
|
state: started
|
||||||
|
|
||||||
- name: Template nginx snippet for Let's Encrypt/Certbot
|
- name: Template nginx snippet for Let's Encrypt/Certbot
|
||||||
|
@ -107,7 +107,7 @@
|
||||||
|
|
||||||
- name: Check if SSL certificate is present and register result
|
- name: Check if SSL certificate is present and register result
|
||||||
stat:
|
stat:
|
||||||
path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
|
path: "/etc/letsencrypt/live/{{ gitea_domains |first }}/fullchain.pem"
|
||||||
register: ssl
|
register: ssl
|
||||||
|
|
||||||
- name: Generate certificate only if required (first time)
|
- name: Generate certificate only if required (first time)
|
||||||
|
@ -115,11 +115,11 @@
|
||||||
- name: Template vhost without SSL for successfull LE challengce
|
- name: Template vhost without SSL for successfull LE challengce
|
||||||
template:
|
template:
|
||||||
src: "vhost.conf.j2"
|
src: "vhost.conf.j2"
|
||||||
dest: "/etc/nginx/sites-available/{{ service }}.conf"
|
dest: "/etc/nginx/sites-available/{{ gitea_service }}.conf"
|
||||||
- name: Enable temporary nginx vhost for gitea
|
- name: Enable temporary nginx vhost for gitea
|
||||||
file:
|
file:
|
||||||
src: "/etc/nginx/sites-available/{{ service }}.conf"
|
src: "/etc/nginx/sites-available/{{ gitea_service }}.conf"
|
||||||
dest: "/etc/nginx/sites-enabled/{{ service }}.conf"
|
dest: "/etc/nginx/sites-enabled/{{ gitea_service }}.conf"
|
||||||
state: link
|
state: link
|
||||||
- name: Reload nginx conf
|
- name: Reload nginx conf
|
||||||
service:
|
service:
|
||||||
|
@ -131,7 +131,7 @@
|
||||||
state: directory
|
state: directory
|
||||||
mode: '0755'
|
mode: '0755'
|
||||||
- name: Generate certificate with certbot
|
- name: Generate certificate with certbot
|
||||||
shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ certbot_admin_email }} -d {{ domains |first }}
|
shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ gitea_certbot_admin_email }} -d {{ gitea_domains |first }}
|
||||||
- name: Create the ssl dir if needed
|
- name: Create the ssl dir if needed
|
||||||
file:
|
file:
|
||||||
path: /etc/nginx/ssl
|
path: /etc/nginx/ssl
|
||||||
|
@ -140,23 +140,23 @@
|
||||||
- name: Template ssl bloc for nginx vhost
|
- name: Template ssl bloc for nginx vhost
|
||||||
template:
|
template:
|
||||||
src: "ssl.conf.j2"
|
src: "ssl.conf.j2"
|
||||||
dest: "/etc/nginx/ssl/{{ domains |first }}.conf"
|
dest: "/etc/nginx/ssl/{{ gitea_domains |first }}.conf"
|
||||||
when: ssl.stat.exists != true
|
when: ssl.stat.exists != true
|
||||||
|
|
||||||
- name: (Re)check if SSL certificate is present and register result
|
- name: (Re)check if SSL certificate is present and register result
|
||||||
stat:
|
stat:
|
||||||
path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
|
path: "/etc/letsencrypt/live/{{ gitea_domains |first }}/fullchain.pem"
|
||||||
register: ssl
|
register: ssl
|
||||||
|
|
||||||
- name: (Re)template conf file for nginx vhost with SSL
|
- name: (Re)template conf file for nginx vhost with SSL
|
||||||
template:
|
template:
|
||||||
src: "vhost.conf.j2"
|
src: "vhost.conf.j2"
|
||||||
dest: "/etc/nginx/sites-available/{{ service }}.conf"
|
dest: "/etc/nginx/sites-available/{{ gitea_service }}.conf"
|
||||||
|
|
||||||
- name: Enable nginx vhost for gitea
|
- name: Enable nginx vhost for gitea
|
||||||
file:
|
file:
|
||||||
src: "/etc/nginx/sites-available/{{ service }}.conf"
|
src: "/etc/nginx/sites-available/{{ gitea_service }}.conf"
|
||||||
dest: "/etc/nginx/sites-enabled/{{ service }}.conf"
|
dest: "/etc/nginx/sites-enabled/{{ gitea_service }}.conf"
|
||||||
state: link
|
state: link
|
||||||
|
|
||||||
- name: Reload nginx conf
|
- name: Reload nginx conf
|
||||||
|
|
|
@ -10,13 +10,13 @@
|
||||||
|
|
||||||
- name: Create symbolic link
|
- name: Create symbolic link
|
||||||
file:
|
file:
|
||||||
src: "/usr/local/bin/gitea-{{ git_version }}-linux-amd64"
|
src: "/usr/local/bin/gitea-{{ gitea_git_version }}-linux-amd64"
|
||||||
dest: "/usr/local/bin/gitea"
|
dest: "/usr/local/bin/gitea"
|
||||||
state: link
|
state: link
|
||||||
|
|
||||||
- name: Start gitea systemd unit
|
- name: Start gitea systemd unit
|
||||||
service:
|
service:
|
||||||
name: "gitea@{{ service }}"
|
name: "gitea@{{ gitea_service }}"
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
- name: Reload nginx conf
|
- name: Reload nginx conf
|
||||||
|
|
|
@ -1,21 +1,21 @@
|
||||||
APP_NAME = Gitea
|
APP_NAME = Gitea
|
||||||
RUN_USER = {{ service }}
|
RUN_USER = {{ gitea_service }}
|
||||||
RUN_MODE = prod
|
RUN_MODE = prod
|
||||||
|
|
||||||
[server]
|
[server]
|
||||||
PROTOCOL = unix
|
PROTOCOL = unix
|
||||||
DOMAIN = {{ domains | first }}
|
DOMAIN = {{ gitea_domains | first }}
|
||||||
HTTP_ADDR = /home/{{ service }}/gitea.sock
|
HTTP_ADDR = /home/{{ gitea_service }}/gitea.sock
|
||||||
UNIX_SOCKET_PERMISSION = 660
|
UNIX_SOCKET_PERMISSION = 660
|
||||||
OFFLINE_MODE = true
|
OFFLINE_MODE = true
|
||||||
SSH_DOMAIN = {{ domains | first }}
|
SSH_DOMAIN = {{ gitea_domains | first }}
|
||||||
ROOT_URL = https://{{ domains | first }}/
|
ROOT_URL = https://{{ gitea_domains | first }}/
|
||||||
|
|
||||||
[repository]
|
[repository]
|
||||||
ROOT = /home/{{ service }}/repositories
|
ROOT = /home/{{ gitea_service }}/repositories
|
||||||
|
|
||||||
[log]
|
[log]
|
||||||
ROOT_PATH = /home/{{ service }}/log/
|
ROOT_PATH = /home/{{ gitea_service }}/log/
|
||||||
MODE = console
|
MODE = console
|
||||||
LEVEL = info
|
LEVEL = info
|
||||||
|
|
||||||
|
@ -25,15 +25,15 @@ NAMES = Français,English
|
||||||
|
|
||||||
[database]
|
[database]
|
||||||
DB_TYPE = mysql
|
DB_TYPE = mysql
|
||||||
HOST = {{ db_host }}
|
HOST = {{ gitea_db_host }}
|
||||||
NAME = {{ db_name }}
|
NAME = {{ gitea_db_name }}
|
||||||
USER = {{ db_user }}
|
USER = {{ gitea_db_user }}
|
||||||
PASSWD = {{ db_password }}
|
PASSWD = {{ gitea_db_password }}
|
||||||
|
|
||||||
[session]
|
[session]
|
||||||
PROVIDER = redis
|
PROVIDER = redis
|
||||||
PROVIDER_CONFIG = network=unix,addr=/home/{{ service }}/redis/redis.sock,db=0,pool_size=100,idle_timeout=180
|
PROVIDER_CONFIG = network=unix,addr=/home/{{ gitea_service }}/redis/redis.sock,db=0,pool_size=100,idle_timeout=180
|
||||||
|
|
||||||
[cache]
|
[cache]
|
||||||
ADAPTER = redis
|
ADAPTER = redis
|
||||||
HOST = network=unix,addr=/home/{{ service }}/redis/redis.sock,db=1,pool_size=100,idle_timeout=180
|
HOST = network=unix,addr=/home/{{ gitea_service }}/redis/redis.sock,db=1,pool_size=100,idle_timeout=180
|
||||||
|
|
|
@ -2,13 +2,13 @@ bind 127.0.0.1 ::1
|
||||||
protected-mode yes
|
protected-mode yes
|
||||||
|
|
||||||
port 0
|
port 0
|
||||||
unixsocket /home/{{ service }}/redis/redis.sock
|
unixsocket /home/{{ gitea_service }}/redis/redis.sock
|
||||||
unixsocketperm 770
|
unixsocketperm 770
|
||||||
timeout 0
|
timeout 0
|
||||||
tcp-keepalive 300
|
tcp-keepalive 300
|
||||||
|
|
||||||
loglevel notice
|
loglevel notice
|
||||||
logfile /home/{{ service }}/log/redis-server.log
|
logfile /home/{{ gitea_service }}/log/redis-server.log
|
||||||
|
|
||||||
databases 16
|
databases 16
|
||||||
save 900 1
|
save 900 1
|
||||||
|
@ -16,7 +16,7 @@ save 300 10
|
||||||
save 60 10000
|
save 60 10000
|
||||||
|
|
||||||
dbfilename dump.rdb
|
dbfilename dump.rdb
|
||||||
dir /home/{{ service }}/redis
|
dir /home/{{ gitea_service }}/redis
|
||||||
|
|
||||||
maxclients {{ redis_maxclients }}
|
maxclients {{ gitea_redis_maxclients }}
|
||||||
maxmemory {{ redis_maxmemory }}
|
maxmemory {{ gitea_redis_maxmemory }}
|
||||||
|
|
|
@ -2,8 +2,8 @@
|
||||||
# Certificates
|
# Certificates
|
||||||
# you need a certificate to run in production. see https://letsencrypt.org/
|
# you need a certificate to run in production. see https://letsencrypt.org/
|
||||||
##
|
##
|
||||||
ssl_certificate /etc/letsencrypt/live/{{ domains | first }}/fullchain.pem;
|
ssl_certificate /etc/letsencrypt/live/{{ gitea_domains | first }}/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/{{ domains | first }}/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/{{ gitea_domains | first }}/privkey.pem;
|
||||||
|
|
||||||
##
|
##
|
||||||
# Security hardening (as of Nov 15, 2020)
|
# Security hardening (as of Nov 15, 2020)
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
upstream gitea_{{ service }} {
|
upstream gitea_{{ gitea_service }} {
|
||||||
server unix:/home/{{ service }}/gitea.sock;
|
server unix:/home/{{ gitea_service }}/gitea.sock;
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
listen [::]:80;
|
listen [::]:80;
|
||||||
server_name {{ domains | first }};
|
server_name {{ gitea_domains | first }};
|
||||||
|
|
||||||
# For certbot
|
# For certbot
|
||||||
include /etc/nginx/snippets/letsencrypt.conf;
|
include /etc/nginx/snippets/letsencrypt.conf;
|
||||||
|
@ -20,16 +20,16 @@ server {
|
||||||
listen 0.0.0.0:443 ssl http2;
|
listen 0.0.0.0:443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
server_name {{ domains | first }};
|
server_name {{ gitea_domains | first }};
|
||||||
|
|
||||||
access_log /var/log/nginx/{{ service }}.access.log;
|
access_log /var/log/nginx/{{ gitea_service }}.access.log;
|
||||||
error_log /var/log/nginx/{{ service }}.error.log;
|
error_log /var/log/nginx/{{ gitea_service }}.error.log;
|
||||||
|
|
||||||
include /etc/nginx/snippets/letsencrypt.conf;
|
include /etc/nginx/snippets/letsencrypt.conf;
|
||||||
include /etc/nginx/ssl/{{ domains | first }}.conf;
|
include /etc/nginx/ssl/{{ gitea_domains | first }}.conf;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
proxy_pass http://gitea_{{ service }};
|
proxy_pass http://gitea_{{ gitea_service }};
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
proxy_read_timeout 10;
|
proxy_read_timeout 10;
|
||||||
|
|