From 80dd996ee50b168ed0d43eb04739e5916a18296b Mon Sep 17 00:00:00 2001 From: Mathieu Gauthier-Pilote Date: Fri, 10 Mar 2023 10:43:44 -0500 Subject: [PATCH 1/5] New role to install + upgrade Gitea --- webapps/gitea/LISEZMOI.md | 49 +++++++ webapps/gitea/README.md | 49 +++++++ webapps/gitea/defaults/main.yml | 13 ++ webapps/gitea/handlers/main.yml | 2 + webapps/gitea/meta/main.yml | 52 ++++++++ webapps/gitea/tasks/main.yml | 156 +++++++++++++++++++++++ webapps/gitea/tasks/upgrade.yml | 26 ++++ webapps/gitea/templates/gitea.ini.j2 | 40 ++++++ webapps/gitea/templates/gitea.service.j2 | 22 ++++ webapps/gitea/templates/redis.conf.j2 | 22 ++++ webapps/gitea/templates/redis.service.j2 | 14 ++ webapps/gitea/templates/vhost.conf.j2 | 26 ++++ webapps/gitea/tests/inventory | 2 + webapps/gitea/tests/test.yml | 5 + webapps/gitea/vars/main.yml | 2 + 15 files changed, 480 insertions(+) create mode 100644 webapps/gitea/LISEZMOI.md create mode 100644 webapps/gitea/README.md create mode 100644 webapps/gitea/defaults/main.yml create mode 100644 webapps/gitea/handlers/main.yml create mode 100644 webapps/gitea/meta/main.yml create mode 100644 webapps/gitea/tasks/main.yml create mode 100644 webapps/gitea/tasks/upgrade.yml create mode 100644 webapps/gitea/templates/gitea.ini.j2 create mode 100644 webapps/gitea/templates/gitea.service.j2 create mode 100644 webapps/gitea/templates/redis.conf.j2 create mode 100644 webapps/gitea/templates/redis.service.j2 create mode 100644 webapps/gitea/templates/vhost.conf.j2 create mode 100644 webapps/gitea/tests/inventory create mode 100644 webapps/gitea/tests/test.yml create mode 100644 webapps/gitea/vars/main.yml diff --git a/webapps/gitea/LISEZMOI.md b/webapps/gitea/LISEZMOI.md new file mode 100644 index 00000000..cfd38cb0 --- /dev/null +++ b/webapps/gitea/LISEZMOI.md 
@@ -0,0 +1,49 @@ +gitea +===== + +Ce rôle installe un serveur gitea. + +Notez qu'hormis le présent fichier LISEZMOI.md, tous les fichiers du rôle gitea sont rédigés en anglais afin de suivre les conventions de la communauté Ansible, favoriser sa réutilisation et son amélioration, etc. Libre à vous cependant de faire appel à ce role dans un playbook rédigé principalement en français ou toute autre langue. + +Requis +------ + +... + +Variables du rôle +----------------- + +Plusieurs des valeurs par défaut dans defaults/main.yml doivent être changées soit directement dans defaults/main.yml ou mieux encore en les supplantant ailleurs, par exemple dans votre playbook (voir l'exemple ci-bas). + +Dépendances +------------ + +Ce rôle Ansible dépend des rôles suivants : + +- nodejs + +Exemple de playbook +------------------- + +``` +- name: "Déployer un serveur gitea" + hosts: + - all + vars: + # Supplanter ici les variables du rôle + domains: ['votre-vrai-domaine.org'] + service: 'mon-gitea' + + roles: + - { role: webapps/gitea , tags: "gitea" } +``` + +Licence +------- + +GPLv3 + +Infos sur l'auteur +------------------ + +Mathieu Gauthier-Pilote, administrateur de systèmes chez Evolix. diff --git a/webapps/gitea/README.md b/webapps/gitea/README.md new file mode 100644 index 00000000..9296b3a8 --- /dev/null +++ b/webapps/gitea/README.md 
@@ -0,0 +1,49 @@ +gitea +===== + +This role installs or upgrades the server for gitea. + +FRENCH: Voir le fichier LISEZMOI.md pour le français. + +Requirements +------------ + +... + +Role Variables +-------------- + +Several of the default values in defaults/main.yml must be changed either directly in defaults/main.yml or better even by overwriting them somewhere else, for example in your playbook (see the example below). + +Dependencies +------------ + +This Ansible role depends on the following other roles: + +- nodejs + +Example Playbook +---------------- + +``` +- name: "Deploy an gitea server" + hosts: + - all + vars: + # Overwrite the role variable here + domains: ['your-real-domain.org'] + service: 'my-gitea' + + roles: + - { role: webapps/gitea , tags: "gitea" } +``` + +License +------- + +GPLv3 + +Author Information +------------------ + +Mathieu Gauthier-Pilote, sys. admin. at Evolix. diff --git a/webapps/gitea/defaults/main.yml b/webapps/gitea/defaults/main.yml new file mode 100644 index 00000000..d8ee93bd --- /dev/null +++ b/webapps/gitea/defaults/main.yml @@ -0,0 +1,13 @@ +--- +# defaults file for vars +system_dep: "['apt-transport-https', 'git', 'nginx', 'mariadb-server', 'mariadb-client', 'python3-mysqldb', 'redis-server', 'certbot']" +git_version: '1.18.5' +gitea_url: "https://dl.gitea.io/gitea/{{ git_version }}/gitea-{{ git_version }}-linux-amd64" +gitea_checksum: "sha256:4766ad9310bd39d50676f8199563292ae0bab3a1922b461ece0feb4611e867f2" +domains: ['example.domain.org'] +db_host: '127.0.0.1:3306' +db_name: "{{ service }}" +db_user: "{{ service }}" +db_password: 'UQ6_CHANGE_ME_Gzb' +redis_maxclients: '128' +redis_maxmemory: '300M' diff --git a/webapps/gitea/handlers/main.yml b/webapps/gitea/handlers/main.yml new file mode 100644 index 00000000..214734cf --- /dev/null +++ b/webapps/gitea/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file 
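Review bot: `db_password: 'UQ6_CHANGE_ME_Gzb'` in defaults/main.yml ships a working default credential, and nothing in the role refuses to run when it is left unchanged, so a forgotten override silently becomes the live database password. Either give the variable no default or guard it in tasks/main.yml before the `mysql_user` task: `- name: Refuse to run with the placeholder database password`, `assert:`, `that: db_password != 'UQ6_CHANGE_ME_Gzb'`. On the same hunk, `system_dep` is a quoted string holding a Python-style list rather than a YAML list; it appears to work only because Ansible's templating evaluates the string back into a list, and a plain block sequence under `system_dep:` removes that reliance on templating behaviour. `service`, which `db_name` and `db_user` reference, has no default anywhere in the role, so a missing override fails at the first task that uses it rather than up front.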
diff --git a/webapps/gitea/meta/main.yml b/webapps/gitea/meta/main.yml new file mode 100644 index 00000000..b065fb2a --- /dev/null +++ b/webapps/gitea/meta/main.yml @@ -0,0 +1,52 @@ +galaxy_info: + author: Mathieu Gauthier-Pilote + description: sys. admin. + company: Evolix + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license GPL-3.0-only + + min_ansible_version: 2.10 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/webapps/gitea/tasks/main.yml b/webapps/gitea/tasks/main.yml new file mode 100644 index 00000000..b19c326b --- /dev/null +++ b/webapps/gitea/tasks/main.yml 
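Review bot: `min_ansible_version: 2.10` is an unquoted float, so a YAML loader reads it as 2.1 rather than the intended 2.10; write `min_ansible_version: "2.10"`. Two lines above it, `license: license GPL-3.0-only` repeats the word `license` inside the value where Galaxy expects the SPDX identifier alone, i.e. `license: GPL-3.0-only`. `dependencies: []` at the bottom of the hunk also disagrees with the README.md and LISEZMOI.md added in this commit, which both list `nodejs` as a role dependency; as far as I can see nothing in tasks/main.yml uses Node.js, so the READMEs look like the part to correct.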
@@ -0,0 +1,156 @@ +--- +# tasks file for gitea install + +- name: Install main system dependencies + apt: + name: "{{ system_dep }}" + +- name: Download gitea binary + get_url: + url: "{{ gitea_url }}" + dest: /usr/local/bin + checksum: "{{ gitea_checksum }}" + mode: '0755' + +- name: Create symbolic link + file: + src: "/usr/local/bin/gitea-{{ git_version }}-linux-amd64" + dest: "/usr/local/bin/gitea" + state: link + +- name: Add UNIX account + user: + name: "{{ service }}" + shell: /bin/bash + +- name: Add www-data (nginx) to service's group + user: + name: www-data + #group: www-data + groups: "{{ service }}" + append: true + +- name: Add database + mysql_db: + name: "{{ db_name }}" + +- name: Add database user + mysql_user: + name: "{{ db_user }}" + password: "{{ db_password }}" + priv: "{{ db_name }}.*:{{privileges |default('SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,INDEX,ALTER,CREATE TEMPORARY TABLES')}}" + update_password: on_create + +- name: Create the gitea conf dir if needed + file: + path: /etc/gitea + state: directory + mode: '0755' + +- name: Skip if gitea.ini is already present + stat: + path: "/etc/gitea/{{ service }}.ini" + register: gitea_ini + +- name: Template gitea ini file + template: + src: "gitea.ini.j2" + dest: "/etc/gitea/{{ service }}.ini" + owner: 'root' + group: "{{ service }}" + mode: '0660' + when: gitea_ini.stat.exists == false + +- name: Template gitea systemd unit + template: + src: "gitea.service.j2" + dest: "/etc/systemd/system/gitea@.service" + +- name: Start gitea systemd unit + service: + name: "gitea@{{ service }}" + state: started + +- name: Create the redis dir if needed + file: + path: /home/{{ service }}/redis + state: directory + owner: "{{ service }}" + group: "{{ service }}" + mode: '0750' + +- name: Create the log dir if needed + file: + path: /home/{{ service }}/log + state: directory + owner: "{{ service }}" + group: "{{ service }}" + mode: '0750' + +- name: Template redis conf + template: + src: "redis.conf.j2" + 
dest: "/home/{{ service }}/redis/redis.conf" + owner: "{{ service }}" + group: "{{ service }}" + mode: '0640' + +- name: Template redis systemd unit + template: + src: "redis.service.j2" + dest: "/etc/systemd/system/redis@.service" + +- name: Start redis systemd unit + service: + name: "redis@{{ service }}" + state: started + +#~ - name: Check if SSL certificate is present and register result + #~ stat: + #~ path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem" + #~ register: ssl + +#~ - name: Generate certificate only if required (first time) + #~ block: + #~ - name: Template vhost without SSL for successfull LE challengce + #~ template: + #~ src: "vhost.conf.j2" + #~ dest: "/etc/nginx/sites-available/{{ service }}.conf" + #~ - name: Enable temporary nginx vhost for gitea + #~ file: + #~ src: "/etc/nginx/sites-available/{{ service }}.conf" + #~ dest: "/etc/nginx/sites-enabled/{{ service }}.conf" + #~ state: link + #~ - name: Reload nginx conf + #~ service: + #~ name: nginx + #~ state: reloaded + #~ - name: Make sure /var/lib/letsencrypt exists and has correct permissions + #~ file: + #~ path: /var/lib/letsencrypt + #~ state: directory + #~ mode: '0755' + #~ - name: Generate certificate with certbot + #~ shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt -d {{ domains |first }} + #~ when: ssl.stat.exists == true + +#~ - name: (Re)check if SSL certificate is present and register result + #~ stat: + #~ path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem" + #~ register: ssl + +- name: (Re)template conf file for nginx vhost with SSL + template: + src: "vhost.conf.j2" + dest: "/etc/nginx/sites-available/{{ service }}.conf" + +- name: Enable nginx vhost for gitea + file: + src: "/etc/nginx/sites-available/{{ service }}.conf" + dest: "/etc/nginx/sites-enabled/{{ service }}.conf" + state: link + +- name: Reload nginx conf + service: + name: nginx + state: reloaded 
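Review bot: `Start gitea systemd unit` and `Start redis systemd unit` call `service:` with `state: started` immediately after their unit files are templated into /etc/systemd/system, but nothing reloads the systemd manager, so a changed unit is not picked up and a freshly created template unit may not be found on the first run; neither unit is enabled either, so the services do not return after a reboot. Switching both tasks to the `systemd` module with `daemon_reload: true` and `enabled: true` covers both points. The `Add www-data (nginx) to service's group` task is what makes the proxy socket reachable together with `UNIX_SOCKET_PERMISSION = 660` in gitea.ini.j2; a one-line comment saying so would be clearer than the leftover `#group: www-data`. This hunk begins on the previous line of the patch.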
diff --git a/webapps/gitea/tasks/upgrade.yml b/webapps/gitea/tasks/upgrade.yml new file mode 100644 index 00000000..f849a8c7 --- /dev/null +++ b/webapps/gitea/tasks/upgrade.yml @@ -0,0 +1,26 @@ +--- +# tasks file for gitea upgrade + +- name: Download gitea binary + get_url: + url: "{{ gitea_url }}" + dest: /usr/local/bin + checksum: "{{ gitea_checksum }}" + mode: '0755' + +- name: Create symbolic link + file: + src: "/usr/local/bin/gitea-{{ git_version }}-linux-amd64" + dest: "/usr/local/bin/gitea" + state: link + +- name: Start gitea systemd unit + service: + name: "gitea@{{ service }}" + state: restarted + +- name: Reload nginx conf + service: + name: nginx + state: reloaded + diff --git a/webapps/gitea/templates/gitea.ini.j2 b/webapps/gitea/templates/gitea.ini.j2 new file mode 100644 index 00000000..eb5ea23e --- /dev/null +++ b/webapps/gitea/templates/gitea.ini.j2 @@ -0,0 +1,40 @@ +APP_NAME = Gitea +RUN_USER = {{ service }} +RUN_MODE = prod + +[server] +PROTOCOL = unix +DOMAIN = {{ domains | first }} +HTTP_ADDR = /home/{{ service }}/gitea.sock +UNIX_SOCKET_PERMISSION = 660 +OFFLINE_MODE = true +SSH_DOMAIN = {{ domains | first }} +ROOT_URL = http://{{ domains | first }}/ + +[repository] +ROOT = /home/{{ service }}/repositories + +[log] +ROOT_PATH = /home/{{ service }}/log/ +MODE = console +LEVEL = info +ROUTER = console + +[i18n] +LANGS = fr-FR, en-US +NAMES = Français,English + +[database] +DB_TYPE = mysql +HOST = {{ db_host }} +NAME = {{ db_name }} +USER = {{ db_user }} +PASSWD = {{ db_password }} + +[session] +PROVIDER = redis +PROVIDER_CONFIG = network=unix,addr=/home/{{ service }}/redis/redis.sock,db=0,pool_size=100,idle_timeout=180 + +[cache] +ADAPTER = redis +HOST = network=unix,addr=/home/{{ service }}/redis/redis.sock,db=1,pool_size=100,idle_timeout=180 diff --git a/webapps/gitea/templates/gitea.service.j2 b/webapps/gitea/templates/gitea.service.j2 new file mode 100644 index 00000000..d5927dc6 --- /dev/null +++ b/webapps/gitea/templates/gitea.service.j2 
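Review bot: `Create symbolic link` swaps /usr/local/bin/gitea to the new binary while the old version is still running, and `state: restarted` then starts the new version against the live database with no backup step in between; as far as I know Gitea runs its schema migrations on that first start, so a failed upgrade leaves nothing to roll back to. I would stop the `gitea@{{ service }}` unit before the symlink task and document (or run) `gitea dump` as the pre-upgrade backup. upgrade.yml is also not referenced from tasks/main.yml or the README, so how it is meant to be invoked (an `include_role` with `tasks_from: upgrade`) should be written down.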
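Review bot: The template has no `[security]` section, so `INSTALL_LOCK` keeps its default and the web installer is reachable on the public vhost from the moment `gitea@{{ service }}` starts, until whoever gets there first completes it and becomes the initial administrator. Since `[database]`, `[server]` and `[session]` are already supplied here the installer is not needed; add `[security]` with `INSTALL_LOCK = true` and create the admin account from the CLI (`gitea admin user create`), or document that step. `PASSWD = {{ db_password }}` is rendered in clear into a file that main.yml makes group-readable and group-writable (`mode: '0660'`), which Gitea needs, but it means the role's `db_password` default lands on disk whenever it was not overridden.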
@@ -0,0 +1,22 @@ +[Unit] +Description=Gitea (Git with a cup of tea) +After=syslog.target +After=network.target +After=mysqld.service + +[Service] +User=%i +Group=%i + +Type=simple +RestartSec=2s +Restart=always + +WorkingDirectory=/home/%i +ExecStart=/usr/local/bin/gitea web --config /etc/gitea/%i.ini +Environment=GITEA_WORK_DIR=/home/%i/internals + + +[Install] +WantedBy=multi-user.target + diff --git a/webapps/gitea/templates/redis.conf.j2 b/webapps/gitea/templates/redis.conf.j2 new file mode 100644 index 00000000..0eee5ff2 --- /dev/null +++ b/webapps/gitea/templates/redis.conf.j2 @@ -0,0 +1,22 @@ +bind 127.0.0.1 ::1 +protected-mode yes + +port 0 +unixsocket /home/{{ service }}/redis/redis.sock +unixsocketperm 770 +timeout 0 +tcp-keepalive 300 + +loglevel notice +logfile /home/{{ service }}/log/redis-server.log + +databases 16 +save 900 1 +save 300 10 +save 60 10000 + +dbfilename dump.rdb +dir /home/{{ service }}/redis + +maxclients {{ redis_maxclients }} +maxmemory {{ redis_maxmemory }} diff --git a/webapps/gitea/templates/redis.service.j2 b/webapps/gitea/templates/redis.service.j2 new file mode 100644 index 00000000..d07a7770 --- /dev/null +++ b/webapps/gitea/templates/redis.service.j2 @@ -0,0 +1,14 @@ +[Unit] +Description=Advanced key-value store +After=network.target + +[Service] +Type=simple +ExecStart=/usr/bin/redis-server /home/%i/redis/redis.conf +TimeoutStopSec=0 +Restart=always +User=%i +Group=%i + +[Install] +WantedBy=multi-user.target diff --git a/webapps/gitea/templates/vhost.conf.j2 b/webapps/gitea/templates/vhost.conf.j2 new file mode 100644 index 00000000..98c22aee --- /dev/null +++ b/webapps/gitea/templates/vhost.conf.j2 
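Review bot: The unit orders itself only `After=mysqld.service`, yet gitea.ini.j2 in this same commit points sessions and cache at `/home/{{ service }}/redis/redis.sock`, so at boot `gitea@%i` can start before `redis@%i` and fail its first session writes; add `Wants=redis@%i.service` and `After=redis@%i.service`. On Debian the MariaDB unit is `mariadb.service` (`mysqld.service` only resolves through an alias, if at all), and `After=syslog.target` is obsolete on journald systems. The `[Service]` section also has no sandboxing; `NoNewPrivileges=true` and `PrivateTmp=true` can be adopted as-is, while `ProtectSystem=full` would make /etc read-only and so needs `ReadWritePaths=/etc/gitea` as long as Gitea is expected to write into its group-writable ini.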
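Review bot: `maxmemory {{ redis_maxmemory }}` is set without a `maxmemory-policy`, so Redis keeps its default `noeviction`: once the 300M default is reached, Gitea's session and cache writes start returning errors instead of old keys being evicted. Add `maxmemory-policy allkeys-lru` (or `volatile-lru` if only keys carrying a TTL should be evicted) below it. Both the `db=0` sessions and the `db=1` cache from gitea.ini.j2 share this single instance, so eviction under pressure also logs users out; if that matters, sizing the instance so the limit is rarely reached is the real fix.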
@@ -0,0 +1,26 @@ +upstream gitea_{{ service }} { + server unix:/home/{{ service }}/gitea.sock; +} + +server { + listen 0.0.0.0:80; + listen [::]:80; + #listen 0.0.0.0:443 ssl http2; + #listen [::]:443 ssl http2; + + server_name {{ domains | first }}; + + #include /etc/nginx/letsencrypt.conf; + #include /etc/nginx/ssl/{{ domains | first }}.conf; + + #if ( $scheme = http ) { + # return 301 https://$server_name$request_uri; + #} + + location / { + proxy_pass http://gitea_{{ service }}; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_read_timeout 10; + } +} diff --git a/webapps/gitea/tests/inventory b/webapps/gitea/tests/inventory new file mode 100644 index 00000000..878877b0 --- /dev/null +++ b/webapps/gitea/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/webapps/gitea/tests/test.yml b/webapps/gitea/tests/test.yml new file mode 100644 index 00000000..69c8cd9a --- /dev/null +++ b/webapps/gitea/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - privatebin diff --git a/webapps/gitea/vars/main.yml b/webapps/gitea/vars/main.yml new file mode 100644 index 00000000..2053e362 --- /dev/null +++ b/webapps/gitea/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file From ce366970896f0afce7c8d0bd2806b8b4d9bd4480 Mon Sep 17 00:00:00 2001 From: Mathieu Gauthier-Pilote Date: Wed, 26 Apr 2023 15:51:49 -0400 Subject: [PATCH 2/5] Now installs a LE SSL cert via certbot by default --- webapps/gitea/defaults/main.yml | 1 + webapps/gitea/tasks/main.yml | 85 ++++++++++++--------- webapps/gitea/templates/gitea.ini.j2 | 2 +- webapps/gitea/templates/letsencrypt.conf.j2 | 5 ++ webapps/gitea/templates/ssl.conf.j2 | 22 ++++++ webapps/gitea/templates/vhost.conf.j2 | 32 +++++--- 6 files changed, 98 insertions(+), 49 deletions(-) create mode 100644 webapps/gitea/templates/letsencrypt.conf.j2 create mode 100644 webapps/gitea/templates/ssl.conf.j2 
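Review bot: `location /` proxies to Gitea with `proxy_read_timeout 10` and no `client_max_body_size`, so a `git push` over HTTP whose body exceeds nginx's 1 MB default is rejected with 413, and any pack transfer that stalls for ten seconds is cut off. Raise the timeout (something like `proxy_read_timeout 300;`) and set `client_max_body_size` to the largest push you want to accept, or `0` to disable the check. The block also never forwards the client's Host header; `proxy_set_header Host $host;` keeps Gitea's generated URLs consistent with `ROOT_URL` when more than one name resolves to the instance.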
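Review bot: tests/test.yml applies `- privatebin` rather than this role, so the test playbook exercises something else entirely and looks copy-pasted from another role; it should read `- webapps/gitea` and set the `service` variable that tasks/main.yml reads with no default, e.g. under `vars:`. Because tests/inventory lists only `localhost` with `remote_user: root`, a comment noting that the play installs MariaDB, nginx and Redis on the machine running it would save the next person a surprise.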
diff --git a/webapps/gitea/defaults/main.yml b/webapps/gitea/defaults/main.yml index d8ee93bd..5d20121b 100644 --- a/webapps/gitea/defaults/main.yml +++ b/webapps/gitea/defaults/main.yml @@ -5,6 +5,7 @@ git_version: '1.18.5' gitea_url: "https://dl.gitea.io/gitea/{{ git_version }}/gitea-{{ git_version }}-linux-amd64" gitea_checksum: "sha256:4766ad9310bd39d50676f8199563292ae0bab3a1922b461ece0feb4611e867f2" domains: ['example.domain.org'] +certbot_admin_email: 'mgauthier@evolix.ca' db_host: '127.0.0.1:3306' db_name: "{{ service }}" db_user: "{{ service }}" diff --git a/webapps/gitea/tasks/main.yml b/webapps/gitea/tasks/main.yml index b19c326b..36a79663 100644 --- a/webapps/gitea/tasks/main.yml +++ b/webapps/gitea/tasks/main.yml @@ -4,6 +4,7 @@ - name: Install main system dependencies apt: name: "{{ system_dep }}" + update_cache: yes - name: Download gitea binary get_url: @@ -47,11 +48,6 @@ state: directory mode: '0755' -- name: Skip if gitea.ini is already present - stat: - path: "/etc/gitea/{{ service }}.ini" - register: gitea_ini - - name: Template gitea ini file template: src: "gitea.ini.j2" @@ -59,7 +55,6 @@ owner: 'root' group: "{{ service }}" mode: '0660' - when: gitea_ini.stat.exists == false - name: Template gitea systemd unit template: @@ -69,7 +64,7 @@ - name: Start gitea systemd unit service: name: "gitea@{{ service }}" - state: started + state: restarted - name: Create the redis dir if needed file: 
@@ -105,39 +100,53 @@ name: "redis@{{ service }}" state: started -#~ - name: Check if SSL certificate is present and register result - #~ stat: - #~ path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem" - #~ register: ssl +- name: Template nginx snippet for Let's Encrypt/Certbot + template: + src: "letsencrypt.conf.j2" + dest: "/etc/nginx/snippets/letsencrypt.conf" -#~ - name: Generate certificate only if required (first time) - #~ block: - #~ - name: Template vhost without SSL for successfull LE challengce - #~ template: - #~ src: "vhost.conf.j2" - #~ dest: "/etc/nginx/sites-available/{{ service }}.conf" - #~ - name: Enable temporary nginx vhost for gitea - #~ file: - #~ src: "/etc/nginx/sites-available/{{ service }}.conf" - #~ dest: "/etc/nginx/sites-enabled/{{ service }}.conf" - #~ state: link - #~ - name: Reload nginx conf - #~ service: - #~ name: nginx - #~ state: reloaded - #~ - name: Make sure /var/lib/letsencrypt exists and has correct permissions - #~ file: - #~ path: /var/lib/letsencrypt - #~ state: directory - #~ mode: '0755' - #~ - name: Generate certificate with certbot - #~ shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt -d {{ domains |first }} - #~ when: ssl.stat.exists == true +- name: Check if SSL certificate is present and register result + stat: + path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem" + register: ssl -#~ - name: (Re)check if SSL certificate is present and register result - #~ stat: - #~ path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem" - #~ register: ssl +- name: Generate certificate only if required (first time) + block: + - name: Template vhost without SSL for successfull LE challengce + template: + src: "vhost.conf.j2" + dest: "/etc/nginx/sites-available/{{ service }}.conf" + - name: Enable temporary nginx vhost for gitea + file: + src: "/etc/nginx/sites-available/{{ service }}.conf" + dest: "/etc/nginx/sites-enabled/{{ service }}.conf" + state: link + - name: Reload 
nginx conf + service: + name: nginx + state: reloaded + - name: Make sure /var/lib/letsencrypt exists and has correct permissions + file: + path: /var/lib/letsencrypt + state: directory + mode: '0755' + - name: Generate certificate with certbot + shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ certbot_admin_email }} -d {{ domains |first }} + - name: Create the ssl dir if needed + file: + path: /etc/nginx/ssl + state: directory + mode: '0750' + - name: Template ssl bloc for nginx vhost + template: + src: "ssl.conf.j2" + dest: "/etc/nginx/ssl/{{ domains |first }}.conf" + when: ssl.stat.exists != true + +- name: (Re)check if SSL certificate is present and register result + stat: + path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem" + register: ssl - name: (Re)template conf file for nginx vhost with SSL template: diff --git a/webapps/gitea/templates/gitea.ini.j2 b/webapps/gitea/templates/gitea.ini.j2 index eb5ea23e..4b1b32a1 100644 --- a/webapps/gitea/templates/gitea.ini.j2 +++ b/webapps/gitea/templates/gitea.ini.j2 @@ -9,7 +9,7 @@ HTTP_ADDR = /home/{{ service }}/gitea.sock UNIX_SOCKET_PERMISSION = 660 OFFLINE_MODE = true SSH_DOMAIN = {{ domains | first }} -ROOT_URL = http://{{ domains | first }}/ +ROOT_URL = https://{{ domains | first }}/ [repository] ROOT = /home/{{ service }}/repositories diff --git a/webapps/gitea/templates/letsencrypt.conf.j2 b/webapps/gitea/templates/letsencrypt.conf.j2 new file mode 100644 index 00000000..6b33847e --- /dev/null +++ b/webapps/gitea/templates/letsencrypt.conf.j2 @@ -0,0 +1,5 @@ +location ~ /.well-known/acme-challenge { + alias /var/lib/letsencrypt/; + try_files $uri =404; + allow all; +} diff --git a/webapps/gitea/templates/ssl.conf.j2 b/webapps/gitea/templates/ssl.conf.j2 new file mode 100644 index 00000000..86194389 --- /dev/null +++ b/webapps/gitea/templates/ssl.conf.j2 
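Review bot: `Generate certificate with certbot` uses the `shell` module for a command that needs no shell features, with `{{ certbot_admin_email }}` and `{{ domains |first }}` interpolated unquoted into the command line; `command:` avoids the extra parsing, and `args: creates: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"` makes the task skip on re-runs independently of the block's `when`. If `certbot` fails, the block has already enabled and reloaded the HTTP-only vhost, which with `ssl.stat.exists` false contains no Gitea proxy at all, so the site stays down with no `rescue:` to restore the previous configuration. The task name `Template vhost without SSL for successfull LE challengce` has two typos. This hunk begins on the previous line of the patch.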
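Review bot: `location ~ /.well-known/acme-challenge` pairs a regex location with `alias`, a combination nginx documents only for regexes with captures, while certbot's webroot plugin writes its tokens under `/var/lib/letsencrypt/.well-known/acme-challenge/`. A prefix location with `root` maps the request to exactly that path without ambiguity: `location ^~ /.well-known/acme-challenge/ {`, `root /var/lib/letsencrypt;`, `try_files $uri =404;`. Whether the current form resolves to the same file depends on how nginx treats alias without captures, which I would not rely on.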
@@ -0,0 +1,22 @@ +## +# Certificates +# you need a certificate to run in production. see https://letsencrypt.org/ +## +ssl_certificate /etc/letsencrypt/live/{{ domains | first }}/fullchain.pem; +ssl_certificate_key /etc/letsencrypt/live/{{ domains | first }}/privkey.pem; + +## +# Security hardening (as of Nov 15, 2020) +# based on Mozilla Guideline v5.6 +## + +ssl_protocols TLSv1.2 TLSv1.3; +ssl_prefer_server_ciphers on; +ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4 +ssl_session_timeout 1d; # defaults to 5m +ssl_session_cache shared:SSL:10m; # estimated to 40k sessions +ssl_session_tickets off; +ssl_stapling on; +ssl_stapling_verify on; +# HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives +#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; diff --git a/webapps/gitea/templates/vhost.conf.j2 b/webapps/gitea/templates/vhost.conf.j2 index 98c22aee..95e85988 100644 --- a/webapps/gitea/templates/vhost.conf.j2 +++ b/webapps/gitea/templates/vhost.conf.j2 
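Review bot: `ssl_stapling on` and `ssl_stapling_verify on` are enabled with no `resolver` directive in this template or the vhost, so unless nginx.conf defines one nginx cannot look up the OCSP responder and stapling never happens (it warns at startup and serves without it). Add a `resolver` pointing at a local or trusted address, and note that Let's Encrypt has since announced it is ending OCSP support, so dropping both lines may be the simpler option. With the port-80 server now redirecting everything to HTTPS, the commented `add_header Strict-Transport-Security` could be enabled in the 443 server block rather than left as a hint. The `ssl_ciphers` list and `ssl_prefer_server_ciphers on` only govern TLS 1.2, which the hardening comment above them could say.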
@@ -3,19 +3,30 @@ upstream gitea_{{ service }} { } server { - listen 0.0.0.0:80; - listen [::]:80; - #listen 0.0.0.0:443 ssl http2; - #listen [::]:443 ssl http2; + listen 80; + listen [::]:80; + server_name {{ domains | first }}; + + # For certbot + include /etc/nginx/snippets/letsencrypt.conf; + + {% if ssl.stat.exists %} + location / { return 301 https://$host$request_uri; } + {% endif %} +} + +{% if ssl.stat.exists %} +server { + listen 0.0.0.0:443 ssl http2; + listen [::]:443 ssl http2; server_name {{ domains | first }}; + + access_log /var/log/nginx/{{ service }}.access.log; + error_log /var/log/nginx/{{ service }}.error.log; - #include /etc/nginx/letsencrypt.conf; - #include /etc/nginx/ssl/{{ domains | first }}.conf; - - #if ( $scheme = http ) { - # return 301 https://$server_name$request_uri; - #} + include /etc/nginx/snippets/letsencrypt.conf; + include /etc/nginx/ssl/{{ domains | first }}.conf; location / { proxy_pass http://gitea_{{ service }}; @@ -24,3 +35,4 @@ server { proxy_read_timeout 10; } } +{% endif %} From 7912185c05e996b70ae82cc4fa97a1ae30de1fd7 Mon Sep 17 00:00:00 2001 From: Mathieu Gauthier-Pilote Date: Wed, 10 Jan 2024 14:33:19 -0500 Subject: [PATCH 3/5] Gitea upgrade : v1.18.5 => v1.21.3 --- webapps/gitea/defaults/main.yml | 6 +++--- webapps/gitea/templates/gitea.ini.j2 | 1 - 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/webapps/gitea/defaults/main.yml b/webapps/gitea/defaults/main.yml index 5d20121b..956662b9 100644 --- a/webapps/gitea/defaults/main.yml +++ b/webapps/gitea/defaults/main.yml 
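Review bot: `{% if ssl.stat.exists %}` (used twice in this hunk) depends on the `ssl` variable registered by the stat task in tasks/main.yml, so rendering the template from anywhere else — upgrade.yml reloads nginx without re-templating today, but a later task file might — fails with an undefined variable. `{% if ssl is defined and ssl.stat.exists %}` keeps the render working and simply omits the 443 server until a certificate exists. The redirect `return 301 https://$host$request_uri;` echoes the client-supplied Host header; `https://{{ domains | first }}$request_uri` pins it to the vhost's own name, which also matters if this server block ends up as nginx's default server.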
@@ -1,11 +1,11 @@ --- # defaults file for vars system_dep: "['apt-transport-https', 'git', 'nginx', 'mariadb-server', 'mariadb-client', 'python3-mysqldb', 'redis-server', 'certbot']" -git_version: '1.18.5' +git_version: '1.21.3' gitea_url: "https://dl.gitea.io/gitea/{{ git_version }}/gitea-{{ git_version }}-linux-amd64" -gitea_checksum: "sha256:4766ad9310bd39d50676f8199563292ae0bab3a1922b461ece0feb4611e867f2" +gitea_checksum: "sha256:ccf6cc2077401e382bca0d000553a781a42c9103656bd33ef32bf093cca570eb" domains: ['example.domain.org'] -certbot_admin_email: 'mgauthier@evolix.ca' +certbot_admin_email: 'security@example.domain.org' db_host: '127.0.0.1:3306' db_name: "{{ service }}" db_user: "{{ service }}" diff --git a/webapps/gitea/templates/gitea.ini.j2 b/webapps/gitea/templates/gitea.ini.j2 index 4b1b32a1..aed6dce8 100644 --- a/webapps/gitea/templates/gitea.ini.j2 +++ b/webapps/gitea/templates/gitea.ini.j2 @@ -18,7 +18,6 @@ ROOT = /home/{{ service }}/repositories ROOT_PATH = /home/{{ service }}/log/ MODE = console LEVEL = info -ROUTER = console [i18n] LANGS = fr-FR, en-US From 40050b05d8d4f9c4f48c939a58d4ca8d5081c52a Mon Sep 17 00:00:00 2001 From: Mathieu Gauthier-Pilote Date: Thu, 16 May 2024 15:18:11 -0400 Subject: [PATCH 4/5] Prefix variables with gitea_ --- webapps/gitea/defaults/main.yml | 22 +++++----- webapps/gitea/tasks/main.yml | 62 +++++++++++++-------------- webapps/gitea/tasks/upgrade.yml | 4 +- webapps/gitea/templates/gitea.ini.j2 | 26 +++++------ webapps/gitea/templates/redis.conf.j2 | 10 ++--- webapps/gitea/templates/ssl.conf.j2 | 4 +- webapps/gitea/templates/vhost.conf.j2 | 16 +++---- 7 files changed, 72 insertions(+), 72 deletions(-) diff --git a/webapps/gitea/defaults/main.yml b/webapps/gitea/defaults/main.yml index 956662b9..b75898f9 100644 --- a/webapps/gitea/defaults/main.yml +++ b/webapps/gitea/defaults/main.yml 
@@ -1,14 +1,14 @@ --- # defaults file for vars -system_dep: "['apt-transport-https', 'git', 'nginx', 'mariadb-server', 'mariadb-client', 'python3-mysqldb', 'redis-server', 'certbot']" -git_version: '1.21.3' -gitea_url: "https://dl.gitea.io/gitea/{{ git_version }}/gitea-{{ git_version }}-linux-amd64" +gitea_system_dep: "['apt-transport-https', 'git', 'nginx', 'mariadb-server', 'mariadb-client', 'python3-mysqldb', 'redis-server', 'certbot']" +gitea_git_version: '1.21.3' +gitea_url: "https://dl.gitea.io/gitea/{{ gitea_git_version }}/gitea-{{ gitea_git_version }}-linux-amd64" gitea_checksum: "sha256:ccf6cc2077401e382bca0d000553a781a42c9103656bd33ef32bf093cca570eb" -domains: ['example.domain.org'] -certbot_admin_email: 'security@example.domain.org' -db_host: '127.0.0.1:3306' -db_name: "{{ service }}" -db_user: "{{ service }}" -db_password: 'UQ6_CHANGE_ME_Gzb' -redis_maxclients: '128' -redis_maxmemory: '300M' +gitea_domains: ['example.domain.org'] +gitea_certbot_admin_email: 'security@example.domain.org' +gitea_db_host: '127.0.0.1:3306' +gitea_db_name: "{{ gitea_service }}" +gitea_db_user: "{{ gitea_service }}" +gitea_db_password: 'UQ6_CHANGE_ME_Gzb' +gitea_redis_maxclients: '128' +gitea_redis_maxmemory: '300M' diff --git a/webapps/gitea/tasks/main.yml b/webapps/gitea/tasks/main.yml index 36a79663..0fa5865d 100644 --- a/webapps/gitea/tasks/main.yml +++ b/webapps/gitea/tasks/main.yml @@ -3,7 +3,7 @@ - name: Install main system dependencies apt: - name: "{{ system_dep }}" + name: "{{ gitea_system_dep }}" update_cache: yes - name: Download gitea binary 
@@ -15,31 +15,31 @@ - name: Create symbolic link file: - src: "/usr/local/bin/gitea-{{ git_version }}-linux-amd64" + src: "/usr/local/bin/gitea-{{ gitea_git_version }}-linux-amd64" dest: "/usr/local/bin/gitea" state: link - name: Add UNIX account user: - name: "{{ service }}" + name: "{{ gitea_service }}" shell: /bin/bash - name: Add www-data (nginx) to service's group user: name: www-data #group: www-data - groups: "{{ service }}" + groups: "{{ gitea_service }}" append: true - name: Add database mysql_db: - name: "{{ db_name }}" + name: "{{ gitea_db_name }}" - name: Add database user mysql_user: - name: "{{ db_user }}" - password: "{{ db_password }}" - priv: "{{ db_name }}.*:{{privileges |default('SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,INDEX,ALTER,CREATE TEMPORARY TABLES')}}" + name: "{{ gitea_db_user }}" + password: "{{ gitea_db_password }}" + priv: "{{ gitea_db_name }}.*:{{privileges |default('SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,INDEX,ALTER,CREATE TEMPORARY TABLES')}}" update_password: on_create - name: Create the gitea conf dir if needed @@ -51,9 +51,9 @@ - name: Template gitea ini file template: src: "gitea.ini.j2" - dest: "/etc/gitea/{{ service }}.ini" + dest: "/etc/gitea/{{ gitea_service }}.ini" owner: 'root' - group: "{{ service }}" + group: "{{ gitea_service }}" mode: '0660' - name: Template gitea systemd unit 
@@ -63,31 +63,31 @@ - name: Start gitea systemd unit service: - name: "gitea@{{ service }}" + name: "gitea@{{ gitea_service }}" state: restarted - name: Create the redis dir if needed file: - path: /home/{{ service }}/redis + path: /home/{{ gitea_service }}/redis state: directory - owner: "{{ service }}" - group: "{{ service }}" + owner: "{{ gitea_service }}" + group: "{{ gitea_service }}" mode: '0750' - name: Create the log dir if needed file: - path: /home/{{ service }}/log + path: /home/{{ gitea_service }}/log state: directory - owner: "{{ service }}" - group: "{{ service }}" + owner: "{{ gitea_service }}" + group: "{{ gitea_service }}" mode: '0750' - name: Template redis conf template: src: "redis.conf.j2" - dest: "/home/{{ service }}/redis/redis.conf" - owner: "{{ service }}" - group: "{{ service }}" + dest: "/home/{{ gitea_service }}/redis/redis.conf" + owner: "{{ gitea_service }}" + group: "{{ gitea_service }}" mode: '0640' - name: Template redis systemd unit @@ -97,7 +97,7 @@ - name: Start redis systemd unit service: - name: "redis@{{ service }}" + name: "redis@{{ gitea_service }}" state: started - name: Template nginx snippet for Let's Encrypt/Certbot @@ -107,7 +107,7 @@ - name: Check if SSL certificate is present and register result stat: - path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem" + path: "/etc/letsencrypt/live/{{ gitea_domains |first }}/fullchain.pem" register: ssl - name: Generate certificate only if required (first time) 
@@ -115,11 +115,11 @@ - name: Template vhost without SSL for successfull LE challengce template: src: "vhost.conf.j2" - dest: "/etc/nginx/sites-available/{{ service }}.conf" + dest: "/etc/nginx/sites-available/{{ gitea_service }}.conf" - name: Enable temporary nginx vhost for gitea file: - src: "/etc/nginx/sites-available/{{ service }}.conf" - dest: "/etc/nginx/sites-enabled/{{ service }}.conf" + src: "/etc/nginx/sites-available/{{ gitea_service }}.conf" + dest: "/etc/nginx/sites-enabled/{{ gitea_service }}.conf" state: link - name: Reload nginx conf service: @@ -131,7 +131,7 @@ state: directory mode: '0755' - name: Generate certificate with certbot - shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ certbot_admin_email }} -d {{ domains |first }} + shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ gitea_certbot_admin_email }} -d {{ gitea_domains |first }} - name: Create the ssl dir if needed file: path: /etc/nginx/ssl 
@@ -140,23 +140,23 @@ - name: Template ssl bloc for nginx vhost template: src: "ssl.conf.j2" - dest: "/etc/nginx/ssl/{{ domains |first }}.conf" + dest: "/etc/nginx/ssl/{{ gitea_domains |first }}.conf" when: ssl.stat.exists != true - name: (Re)check if SSL certificate is present and register result stat: - path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem" + path: "/etc/letsencrypt/live/{{ gitea_domains |first }}/fullchain.pem" register: ssl - name: (Re)template conf file for nginx vhost with SSL template: src: "vhost.conf.j2" - dest: "/etc/nginx/sites-available/{{ service }}.conf" + dest: "/etc/nginx/sites-available/{{ gitea_service }}.conf" - name: Enable nginx vhost for gitea file: - src: "/etc/nginx/sites-available/{{ service }}.conf" - dest: "/etc/nginx/sites-enabled/{{ service }}.conf" + src: "/etc/nginx/sites-available/{{ gitea_service }}.conf" + dest: "/etc/nginx/sites-enabled/{{ gitea_service }}.conf" state: link - name: Reload nginx conf diff --git a/webapps/gitea/tasks/upgrade.yml b/webapps/gitea/tasks/upgrade.yml index f849a8c7..a419ccce 100644 --- a/webapps/gitea/tasks/upgrade.yml +++ b/webapps/gitea/tasks/upgrade.yml @@ -10,13 +10,13 @@ - name: Create symbolic link file: - src: "/usr/local/bin/gitea-{{ git_version }}-linux-amd64" + src: "/usr/local/bin/gitea-{{ gitea_git_version }}-linux-amd64" dest: "/usr/local/bin/gitea" state: link - name: Start gitea systemd unit service: - name: "gitea@{{ service }}" + name: "gitea@{{ gitea_service }}" state: restarted - name: Reload nginx conf diff --git a/webapps/gitea/templates/gitea.ini.j2 b/webapps/gitea/templates/gitea.ini.j2 index aed6dce8..b8ce707a 100644 --- a/webapps/gitea/templates/gitea.ini.j2 +++ b/webapps/gitea/templates/gitea.ini.j2 
@@ -1,21 +1,21 @@ APP_NAME = Gitea -RUN_USER = {{ service }} +RUN_USER = {{ gitea_service }} RUN_MODE = prod [server] PROTOCOL = unix -DOMAIN = {{ domains | first }} -HTTP_ADDR = /home/{{ service }}/gitea.sock +DOMAIN = {{ gitea_domains | first }} +HTTP_ADDR = /home/{{ gitea_service }}/gitea.sock UNIX_SOCKET_PERMISSION = 660 OFFLINE_MODE = true -SSH_DOMAIN = {{ domains | first }} -ROOT_URL = https://{{ domains | first }}/ +SSH_DOMAIN = {{ gitea_domains | first }} +ROOT_URL = https://{{ gitea_domains | first }}/ [repository] -ROOT = /home/{{ service }}/repositories +ROOT = /home/{{ gitea_service }}/repositories [log] -ROOT_PATH = /home/{{ service }}/log/ +ROOT_PATH = /home/{{ gitea_service }}/log/ MODE = console LEVEL = info @@ -25,15 +25,15 @@ NAMES = Français,English [database] DB_TYPE = mysql -HOST = {{ db_host }} -NAME = {{ db_name }} -USER = {{ db_user }} -PASSWD = {{ db_password }} +HOST = {{ gitea_db_host }} +NAME = {{ gitea_db_name }} +USER = {{ gitea_db_user }} +PASSWD = {{ gitea_db_password }} [session] PROVIDER = redis -PROVIDER_CONFIG = network=unix,addr=/home/{{ service }}/redis/redis.sock,db=0,pool_size=100,idle_timeout=180 +PROVIDER_CONFIG = network=unix,addr=/home/{{ gitea_service }}/redis/redis.sock,db=0,pool_size=100,idle_timeout=180 [cache] ADAPTER = redis -HOST = network=unix,addr=/home/{{ service }}/redis/redis.sock,db=1,pool_size=100,idle_timeout=180 +HOST = network=unix,addr=/home/{{ gitea_service }}/redis/redis.sock,db=1,pool_size=100,idle_timeout=180 diff --git a/webapps/gitea/templates/redis.conf.j2 b/webapps/gitea/templates/redis.conf.j2 index 0eee5ff2..8f16978b 100644 --- a/webapps/gitea/templates/redis.conf.j2 +++ b/webapps/gitea/templates/redis.conf.j2 
@@ -2,13 +2,13 @@ bind 127.0.0.1 ::1 protected-mode yes port 0 -unixsocket /home/{{ service }}/redis/redis.sock +unixsocket /home/{{ gitea_service }}/redis/redis.sock unixsocketperm 770 timeout 0 tcp-keepalive 300 loglevel notice -logfile /home/{{ service }}/log/redis-server.log +logfile /home/{{ gitea_service }}/log/redis-server.log databases 16 save 900 1 @@ -16,7 +16,7 @@ save 300 10 save 60 10000 dbfilename dump.rdb -dir /home/{{ service }}/redis +dir /home/{{ gitea_service }}/redis -maxclients {{ redis_maxclients }} -maxmemory {{ redis_maxmemory }} +maxclients {{ gitea_redis_maxclients }} +maxmemory {{ gitea_redis_maxmemory }} diff --git a/webapps/gitea/templates/ssl.conf.j2 b/webapps/gitea/templates/ssl.conf.j2 index 86194389..6c4702c8 100644 --- a/webapps/gitea/templates/ssl.conf.j2 +++ b/webapps/gitea/templates/ssl.conf.j2 @@ -2,8 +2,8 @@ # Certificates # you need a certificate to run in production. see https://letsencrypt.org/ ## -ssl_certificate /etc/letsencrypt/live/{{ domains | first }}/fullchain.pem; -ssl_certificate_key /etc/letsencrypt/live/{{ domains | first }}/privkey.pem; +ssl_certificate /etc/letsencrypt/live/{{ gitea_domains | first }}/fullchain.pem; +ssl_certificate_key /etc/letsencrypt/live/{{ gitea_domains | first }}/privkey.pem; ## # Security hardening (as of Nov 15, 2020) diff --git a/webapps/gitea/templates/vhost.conf.j2 b/webapps/gitea/templates/vhost.conf.j2 index 95e85988..d97ac9e1 100644 --- a/webapps/gitea/templates/vhost.conf.j2 +++ b/webapps/gitea/templates/vhost.conf.j2 @@ -1,11 +1,11 @@ -upstream gitea_{{ service }} { - server unix:/home/{{ service }}/gitea.sock; +upstream gitea_{{ gitea_service }} { + server unix:/home/{{ gitea_service }}/gitea.sock; } server { listen 80; listen [::]:80; - server_name {{ domains | first }}; + server_name {{ gitea_domains | first }}; # For certbot include /etc/nginx/snippets/letsencrypt.conf; 
@@ -20,16 +20,16 @@ server { listen 0.0.0.0:443 ssl http2; listen [::]:443 ssl http2; - server_name {{ domains | first }}; + server_name {{ gitea_domains | first }}; - access_log /var/log/nginx/{{ service }}.access.log; - error_log /var/log/nginx/{{ service }}.error.log; + access_log /var/log/nginx/{{ gitea_service }}.access.log; + error_log /var/log/nginx/{{ gitea_service }}.error.log; include /etc/nginx/snippets/letsencrypt.conf; - include /etc/nginx/ssl/{{ domains | first }}.conf; + include /etc/nginx/ssl/{{ gitea_domains | first }}.conf; location / { - proxy_pass http://gitea_{{ service }}; + proxy_pass http://gitea_{{ gitea_service }}; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $remote_addr; proxy_read_timeout 10; From 1de20769a817b95e429c3c0164dfc09aca1caede Mon Sep 17 00:00:00 2001 From: Mathieu Gauthier-Pilote Date: Thu, 16 May 2024 15:25:48 -0400 Subject: [PATCH 5/5] ansible.builtin. prefix for modules --- webapps/gitea/tasks/main.yml | 58 ++++++++++++++++----------------- webapps/gitea/tasks/upgrade.yml | 8 ++--- 2 files changed, 33 insertions(+), 33 deletions(-) diff --git a/webapps/gitea/tasks/main.yml b/webapps/gitea/tasks/main.yml index 0fa5865d..0bfe7e57 100644 --- a/webapps/gitea/tasks/main.yml +++ b/webapps/gitea/tasks/main.yml 
@@ -2,54 +2,54 @@ # tasks file for gitea install - name: Install main system dependencies - apt: + ansible.builtin.apt: name: "{{ gitea_system_dep }}" update_cache: yes - name: Download gitea binary - get_url: + ansible.builtin.get_url: url: "{{ gitea_url }}" dest: /usr/local/bin checksum: "{{ gitea_checksum }}" mode: '0755' - name: Create symbolic link - file: + ansible.builtin.file: src: "/usr/local/bin/gitea-{{ gitea_git_version }}-linux-amd64" dest: "/usr/local/bin/gitea" state: link - name: Add UNIX account - user: + ansible.builtin.user: name: "{{ gitea_service }}" shell: /bin/bash - name: Add www-data (nginx) to service's group - user: + ansible.builtin.user: name: www-data #group: www-data groups: "{{ gitea_service }}" append: true - name: Add database - mysql_db: + ansible.builtin.mysql_db: name: "{{ gitea_db_name }}" - name: Add database user - mysql_user: + ansible.builtin.mysql_user: name: "{{ gitea_db_user }}" password: "{{ gitea_db_password }}" priv: "{{ gitea_db_name }}.*:{{privileges |default('SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,INDEX,ALTER,CREATE TEMPORARY TABLES')}}" update_password: on_create - name: Create the gitea conf dir if needed - file: + ansible.builtin.file: path: /etc/gitea state: directory mode: '0755' - name: Template gitea ini file - template: + ansible.builtin.template: src: "gitea.ini.j2" dest: "/etc/gitea/{{ gitea_service }}.ini" owner: 'root' @@ -57,17 +57,17 @@ mode: '0660' - name: Template gitea systemd unit - template: + ansible.builtin.template: src: "gitea.service.j2" dest: "/etc/systemd/system/gitea@.service" - name: Start gitea systemd unit - service: + ansible.builtin.service: name: "gitea@{{ gitea_service }}" state: restarted - name: Create the redis dir if needed - file: + ansible.builtin.file: path: /home/{{ gitea_service }}/redis state: directory owner: "{{ gitea_service }}" 
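Review bot: `ansible.builtin.mysql_db` and `ansible.builtin.mysql_user` in this hunk are not valid module names: the MySQL modules are not part of ansible.builtin but of the `community.mysql` collection, so the short names resolved only through legacy implicit lookup and the fully qualified names must be `community.mysql.mysql_db` and `community.mysql.mysql_user`, otherwise the play fails to resolve the action. While touching the `Add database user` task, it passes `password: "{{ gitea_db_password }}"` without `no_log: true`, so the password is printed in verbose runs and any play log; add `no_log: true` to that task. The `priv:` expression also still reads an unprefixed `privileges` variable, which the `gitea_` prefixing visible elsewhere in this series appears to have missed.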
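Review bot: `Start gitea systemd unit` in this hunk uses `state: restarted`, so the service is restarted on every run of the role whether or not the binary, symlink or ini template changed, which makes the role non-idempotent and causes downtime on each run. Use `state: started` here and `notify` a restart handler from the download, symlink and template tasks instead.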
@@ -75,7 +75,7 @@ mode: '0750' - name: Create the log dir if needed - file: + ansible.builtin.file: path: /home/{{ gitea_service }}/log state: directory owner: "{{ gitea_service }}" @@ -83,7 +83,7 @@ mode: '0750' - name: Template redis conf - template: + ansible.builtin.template: src: "redis.conf.j2" dest: "/home/{{ gitea_service }}/redis/redis.conf" owner: "{{ gitea_service }}" 
@@ -91,75 +91,75 @@ mode: '0640' - name: Template redis systemd unit - template: + ansible.builtin.template: src: "redis.service.j2" dest: "/etc/systemd/system/redis@.service" - name: Start redis systemd unit - service: + ansible.builtin.service: name: "redis@{{ gitea_service }}" state: started - name: Template nginx snippet for Let's Encrypt/Certbot - template: + ansible.builtin.template: src: "letsencrypt.conf.j2" dest: "/etc/nginx/snippets/letsencrypt.conf" - name: Check if SSL certificate is present and register result - stat: + ansible.builtin.stat: path: "/etc/letsencrypt/live/{{ gitea_domains |first }}/fullchain.pem" register: ssl - name: Generate certificate only if required (first time) block: - name: Template vhost without SSL for successfull LE challengce - template: + ansible.builtin.template: src: "vhost.conf.j2" dest: "/etc/nginx/sites-available/{{ gitea_service }}.conf" - name: Enable temporary nginx vhost for gitea - file: + ansible.builtin.file: src: "/etc/nginx/sites-available/{{ gitea_service }}.conf" dest: "/etc/nginx/sites-enabled/{{ gitea_service }}.conf" state: link - name: Reload nginx conf - service: + ansible.builtin.service: name: nginx state: reloaded - name: Make sure /var/lib/letsencrypt exists and has correct permissions - file: + ansible.builtin.file: path: /var/lib/letsencrypt state: directory mode: '0755' - name: Generate certificate with certbot - shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ gitea_certbot_admin_email }} -d {{ gitea_domains |first }} + ansible.builtin.shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ gitea_certbot_admin_email }} -d {{ gitea_domains |first }} - name: Create the ssl dir if needed - file: + ansible.builtin.file: path: /etc/nginx/ssl state: directory mode: '0750' - name: Template ssl bloc for nginx vhost - template: + ansible.builtin.template: src: "ssl.conf.j2" dest: 
"/etc/nginx/ssl/{{ gitea_domains |first }}.conf" when: ssl.stat.exists != true - name: (Re)check if SSL certificate is present and register result - stat: + ansible.builtin.stat: path: "/etc/letsencrypt/live/{{ gitea_domains |first }}/fullchain.pem" register: ssl - name: (Re)template conf file for nginx vhost with SSL - template: + ansible.builtin.template: src: "vhost.conf.j2" dest: "/etc/nginx/sites-available/{{ gitea_service }}.conf" - name: Enable nginx vhost for gitea - file: + ansible.builtin.file: src: "/etc/nginx/sites-available/{{ gitea_service }}.conf" dest: "/etc/nginx/sites-enabled/{{ gitea_service }}.conf" state: link - name: Reload nginx conf - service: + ansible.builtin.service: name: nginx state: reloaded diff --git a/webapps/gitea/tasks/upgrade.yml b/webapps/gitea/tasks/upgrade.yml index a419ccce..ee90bb42 100644 --- a/webapps/gitea/tasks/upgrade.yml +++ b/webapps/gitea/tasks/upgrade.yml @@ -2,25 +2,25 @@ # tasks file for gitea upgrade - name: Download gitea binary - get_url: + ansible.builtin.get_url: url: "{{ gitea_url }}" dest: /usr/local/bin checksum: "{{ gitea_checksum }}" mode: '0755' - name: Create symbolic link - file: + ansible.builtin.file: src: "/usr/local/bin/gitea-{{ gitea_git_version }}-linux-amd64" dest: "/usr/local/bin/gitea" state: link - name: Start gitea systemd unit - service: + ansible.builtin.service: name: "gitea@{{ gitea_service }}" state: restarted - name: Reload nginx conf - service: + ansible.builtin.service: name: nginx state: reloaded
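Review bot: The `Generate certificate with certbot` task in this hunk still runs through `ansible.builtin.shell` with `{{ gitea_certbot_admin_email }}` and `{{ gitea_domains |first }}` interpolated unquoted into the command string, so a value containing shell metacharacters alters the command instead of being passed as an argument. Nothing here needs a shell, so `ansible.builtin.command` with an `argv` list removes the problem and the lint warning at once; the rewritten task is below. The block's condition `when: ssl.stat.exists != true` reads better as `when: not ssl.stat.exists`.
```yaml
- name: Generate certificate with certbot
  ansible.builtin.command:
    argv:
      - certbot
      - certonly
      - --webroot
      - --webroot-path
      - /var/lib/letsencrypt
      - --non-interactive
      - --agree-tos
      - --email
      - "{{ gitea_certbot_admin_email }}"
      - -d
      - "{{ gitea_domains | first }}"
# … unchanged: remaining tasks of the block and the re-check/re-template tasks …
```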