Prefix variables with gitea_
This commit is contained in:
parent
1ea5401211
commit
c085628bb2
|
@ -1,14 +1,14 @@
|
|||
---
|
||||
# defaults file for vars
|
||||
system_dep: "['apt-transport-https', 'git', 'nginx', 'mariadb-server', 'mariadb-client', 'python3-mysqldb', 'redis-server', 'certbot']"
|
||||
git_version: '1.21.3'
|
||||
gitea_url: "https://dl.gitea.io/gitea/{{ git_version }}/gitea-{{ git_version }}-linux-amd64"
|
||||
gitea_system_dep: "['apt-transport-https', 'git', 'nginx', 'mariadb-server', 'mariadb-client', 'python3-mysqldb', 'redis-server', 'certbot']"
|
||||
gitea_git_version: '1.21.3'
|
||||
gitea_url: "https://dl.gitea.io/gitea/{{ gitea_git_version }}/gitea-{{ gitea_git_version }}-linux-amd64"
|
||||
gitea_checksum: "sha256:ccf6cc2077401e382bca0d000553a781a42c9103656bd33ef32bf093cca570eb"
|
||||
domains: ['example.domain.org']
|
||||
certbot_admin_email: 'security@example.domain.org'
|
||||
db_host: '127.0.0.1:3306'
|
||||
db_name: "{{ service }}"
|
||||
db_user: "{{ service }}"
|
||||
db_password: 'UQ6_CHANGE_ME_Gzb'
|
||||
redis_maxclients: '128'
|
||||
redis_maxmemory: '300M'
|
||||
gitea_domains: ['example.domain.org']
|
||||
gitea_certbot_admin_email: 'security@example.domain.org'
|
||||
gitea_db_host: '127.0.0.1:3306'
|
||||
gitea_db_name: "{{ gitea_service }}"
|
||||
gitea_db_user: "{{ gitea_service }}"
|
||||
gitea_db_password: 'UQ6_CHANGE_ME_Gzb'
|
||||
gitea_redis_maxclients: '128'
|
||||
gitea_redis_maxmemory: '300M'
|
||||
|
|
|
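Review bot: `gitea_db_password: 'UQ6_CHANGE_ME_Gzb'` survives the rename as a working default credential, and because the mysql_user task in this same commit sets `update_password: on_create`, a run that happens before the operator overrides the value creates the database user with the placeholder and later runs will not rotate it. Dropping the default and failing early with an assert task, `assert: { that: "gitea_db_password is defined and gitea_db_password != 'UQ6_CHANGE_ME_Gzb'" }`, or sourcing the value from Ansible Vault, turns that silent misconfiguration into a visible one. Separately, `gitea_system_dep` is a quoted string that merely looks like a list; a native YAML block sequence is the conventional form and avoids depending on the string being re-parsed into a list when it reaches `apt: name:`. The hunk also references `gitea_service` nowhere in this defaults file, so it presumably lives in vars/ — worth confirming that file was renamed too.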
@ -3,7 +3,7 @@
|
|||
|
||||
- name: Install main system dependencies
|
||||
apt:
|
||||
name: "{{ system_dep }}"
|
||||
name: "{{ gitea_system_dep }}"
|
||||
update_cache: yes
|
||||
|
||||
- name: Download gitea binary
|
||||
|
@ -15,31 +15,31 @@
|
|||
|
||||
- name: Create symbolic link
|
||||
file:
|
||||
src: "/usr/local/bin/gitea-{{ git_version }}-linux-amd64"
|
||||
src: "/usr/local/bin/gitea-{{ gitea_git_version }}-linux-amd64"
|
||||
dest: "/usr/local/bin/gitea"
|
||||
state: link
|
||||
|
||||
- name: Add UNIX account
|
||||
user:
|
||||
name: "{{ service }}"
|
||||
name: "{{ gitea_service }}"
|
||||
shell: /bin/bash
|
||||
|
||||
- name: Add www-data (nginx) to service's group
|
||||
user:
|
||||
name: www-data
|
||||
#group: www-data
|
||||
groups: "{{ service }}"
|
||||
groups: "{{ gitea_service }}"
|
||||
append: true
|
||||
|
||||
- name: Add database
|
||||
mysql_db:
|
||||
name: "{{ db_name }}"
|
||||
name: "{{ gitea_db_name }}"
|
||||
|
||||
- name: Add database user
|
||||
mysql_user:
|
||||
name: "{{ db_user }}"
|
||||
password: "{{ db_password }}"
|
||||
priv: "{{ db_name }}.*:{{privileges |default('SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,INDEX,ALTER,CREATE TEMPORARY TABLES')}}"
|
||||
name: "{{ gitea_db_user }}"
|
||||
password: "{{ gitea_db_password }}"
|
||||
priv: "{{ gitea_db_name }}.*:{{privileges |default('SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,INDEX,ALTER,CREATE TEMPORARY TABLES')}}"
|
||||
update_password: on_create
|
||||
|
||||
- name: Create the gitea conf dir if needed
|
||||
|
@ -51,9 +51,9 @@
|
|||
- name: Template gitea ini file
|
||||
template:
|
||||
src: "gitea.ini.j2"
|
||||
dest: "/etc/gitea/{{ service }}.ini"
|
||||
dest: "/etc/gitea/{{ gitea_service }}.ini"
|
||||
owner: 'root'
|
||||
group: "{{ service }}"
|
||||
group: "{{ gitea_service }}"
|
||||
mode: '0660'
|
||||
|
||||
- name: Template gitea systemd unit
|
||||
|
@ -63,31 +63,31 @@
|
|||
|
||||
- name: Start gitea systemd unit
|
||||
service:
|
||||
name: "gitea@{{ service }}"
|
||||
name: "gitea@{{ gitea_service }}"
|
||||
state: restarted
|
||||
|
||||
- name: Create the redis dir if needed
|
||||
file:
|
||||
path: /home/{{ service }}/redis
|
||||
path: /home/{{ gitea_service }}/redis
|
||||
state: directory
|
||||
owner: "{{ service }}"
|
||||
group: "{{ service }}"
|
||||
owner: "{{ gitea_service }}"
|
||||
group: "{{ gitea_service }}"
|
||||
mode: '0750'
|
||||
|
||||
- name: Create the log dir if needed
|
||||
file:
|
||||
path: /home/{{ service }}/log
|
||||
path: /home/{{ gitea_service }}/log
|
||||
state: directory
|
||||
owner: "{{ service }}"
|
||||
group: "{{ service }}"
|
||||
owner: "{{ gitea_service }}"
|
||||
group: "{{ gitea_service }}"
|
||||
mode: '0750'
|
||||
|
||||
- name: Template redis conf
|
||||
template:
|
||||
src: "redis.conf.j2"
|
||||
dest: "/home/{{ service }}/redis/redis.conf"
|
||||
owner: "{{ service }}"
|
||||
group: "{{ service }}"
|
||||
dest: "/home/{{ gitea_service }}/redis/redis.conf"
|
||||
owner: "{{ gitea_service }}"
|
||||
group: "{{ gitea_service }}"
|
||||
mode: '0640'
|
||||
|
||||
- name: Template redis systemd unit
|
||||
|
@ -97,7 +97,7 @@
|
|||
|
||||
- name: Start redis systemd unit
|
||||
service:
|
||||
name: "redis@{{ service }}"
|
||||
name: "redis@{{ gitea_service }}"
|
||||
state: started
|
||||
|
||||
- name: Template nginx snippet for Let's Encrypt/Certbot
|
||||
|
@ -107,7 +107,7 @@
|
|||
|
||||
- name: Check if SSL certificate is present and register result
|
||||
stat:
|
||||
path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
|
||||
path: "/etc/letsencrypt/live/{{ gitea_domains |first }}/fullchain.pem"
|
||||
register: ssl
|
||||
|
||||
- name: Generate certificate only if required (first time)
|
||||
|
@ -115,11 +115,11 @@
|
|||
- name: Template vhost without SSL for successfull LE challengce
|
||||
template:
|
||||
src: "vhost.conf.j2"
|
||||
dest: "/etc/nginx/sites-available/{{ service }}.conf"
|
||||
dest: "/etc/nginx/sites-available/{{ gitea_service }}.conf"
|
||||
- name: Enable temporary nginx vhost for gitea
|
||||
file:
|
||||
src: "/etc/nginx/sites-available/{{ service }}.conf"
|
||||
dest: "/etc/nginx/sites-enabled/{{ service }}.conf"
|
||||
src: "/etc/nginx/sites-available/{{ gitea_service }}.conf"
|
||||
dest: "/etc/nginx/sites-enabled/{{ gitea_service }}.conf"
|
||||
state: link
|
||||
- name: Reload nginx conf
|
||||
service:
|
||||
|
@ -131,7 +131,7 @@
|
|||
state: directory
|
||||
mode: '0755'
|
||||
- name: Generate certificate with certbot
|
||||
shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ certbot_admin_email }} -d {{ domains |first }}
|
||||
shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ gitea_certbot_admin_email }} -d {{ gitea_domains |first }}
|
||||
- name: Create the ssl dir if needed
|
||||
file:
|
||||
path: /etc/nginx/ssl
|
||||
|
@ -140,23 +140,23 @@
|
|||
- name: Template ssl bloc for nginx vhost
|
||||
template:
|
||||
src: "ssl.conf.j2"
|
||||
dest: "/etc/nginx/ssl/{{ domains |first }}.conf"
|
||||
dest: "/etc/nginx/ssl/{{ gitea_domains |first }}.conf"
|
||||
when: ssl.stat.exists != true
|
||||
|
||||
- name: (Re)check if SSL certificate is present and register result
|
||||
stat:
|
||||
path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
|
||||
path: "/etc/letsencrypt/live/{{ gitea_domains |first }}/fullchain.pem"
|
||||
register: ssl
|
||||
|
||||
- name: (Re)template conf file for nginx vhost with SSL
|
||||
template:
|
||||
src: "vhost.conf.j2"
|
||||
dest: "/etc/nginx/sites-available/{{ service }}.conf"
|
||||
dest: "/etc/nginx/sites-available/{{ gitea_service }}.conf"
|
||||
|
||||
- name: Enable nginx vhost for gitea
|
||||
file:
|
||||
src: "/etc/nginx/sites-available/{{ service }}.conf"
|
||||
dest: "/etc/nginx/sites-enabled/{{ service }}.conf"
|
||||
src: "/etc/nginx/sites-available/{{ gitea_service }}.conf"
|
||||
dest: "/etc/nginx/sites-enabled/{{ gitea_service }}.conf"
|
||||
state: link
|
||||
|
||||
- name: Reload nginx conf
|
||||
|
|
|
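Review bot: The certbot task, `shell: certbot certonly ... --email {{ gitea_certbot_admin_email }} -d {{ gitea_domains |first }}`, still drops inventory-supplied values into a shell command line unquoted, so a shell metacharacter in the email or domain value is interpreted by the shell instead of being passed to certbot; quoting them, `--email {{ gitea_certbot_admin_email | quote }} -d {{ gitea_domains | first | quote }}`, or using `command:` with one argument per token, removes that path. The rename also left `privileges` unprefixed in the mysql_user `priv:` value (`{{privileges |default(...)}}`) while every other role variable gained `gitea_`; `gitea_db_privileges` would keep the convention. A smaller style point in the same hunk as the apt task: `update_cache: yes` should be `update_cache: true`. The enclosing task lists start and end outside the hunks shown.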
@ -10,13 +10,13 @@
|
|||
|
||||
- name: Create symbolic link
|
||||
file:
|
||||
src: "/usr/local/bin/gitea-{{ git_version }}-linux-amd64"
|
||||
src: "/usr/local/bin/gitea-{{ gitea_git_version }}-linux-amd64"
|
||||
dest: "/usr/local/bin/gitea"
|
||||
state: link
|
||||
|
||||
- name: Start gitea systemd unit
|
||||
service:
|
||||
name: "gitea@{{ service }}"
|
||||
name: "gitea@{{ gitea_service }}"
|
||||
state: restarted
|
||||
|
||||
- name: Reload nginx conf
|
||||
|
|
|
@ -1,21 +1,21 @@
|
|||
APP_NAME = Gitea
|
||||
RUN_USER = {{ service }}
|
||||
RUN_USER = {{ gitea_service }}
|
||||
RUN_MODE = prod
|
||||
|
||||
[server]
|
||||
PROTOCOL = unix
|
||||
DOMAIN = {{ domains | first }}
|
||||
HTTP_ADDR = /home/{{ service }}/gitea.sock
|
||||
DOMAIN = {{ gitea_domains | first }}
|
||||
HTTP_ADDR = /home/{{ gitea_service }}/gitea.sock
|
||||
UNIX_SOCKET_PERMISSION = 660
|
||||
OFFLINE_MODE = true
|
||||
SSH_DOMAIN = {{ domains | first }}
|
||||
ROOT_URL = https://{{ domains | first }}/
|
||||
SSH_DOMAIN = {{ gitea_domains | first }}
|
||||
ROOT_URL = https://{{ gitea_domains | first }}/
|
||||
|
||||
[repository]
|
||||
ROOT = /home/{{ service }}/repositories
|
||||
ROOT = /home/{{ gitea_service }}/repositories
|
||||
|
||||
[log]
|
||||
ROOT_PATH = /home/{{ service }}/log/
|
||||
ROOT_PATH = /home/{{ gitea_service }}/log/
|
||||
MODE = console
|
||||
LEVEL = info
|
||||
|
||||
|
@ -25,15 +25,15 @@ NAMES = Français,English
|
|||
|
||||
[database]
|
||||
DB_TYPE = mysql
|
||||
HOST = {{ db_host }}
|
||||
NAME = {{ db_name }}
|
||||
USER = {{ db_user }}
|
||||
PASSWD = {{ db_password }}
|
||||
HOST = {{ gitea_db_host }}
|
||||
NAME = {{ gitea_db_name }}
|
||||
USER = {{ gitea_db_user }}
|
||||
PASSWD = {{ gitea_db_password }}
|
||||
|
||||
[session]
|
||||
PROVIDER = redis
|
||||
PROVIDER_CONFIG = network=unix,addr=/home/{{ service }}/redis/redis.sock,db=0,pool_size=100,idle_timeout=180
|
||||
PROVIDER_CONFIG = network=unix,addr=/home/{{ gitea_service }}/redis/redis.sock,db=0,pool_size=100,idle_timeout=180
|
||||
|
||||
[cache]
|
||||
ADAPTER = redis
|
||||
HOST = network=unix,addr=/home/{{ service }}/redis/redis.sock,db=1,pool_size=100,idle_timeout=180
|
||||
HOST = network=unix,addr=/home/{{ gitea_service }}/redis/redis.sock,db=1,pool_size=100,idle_timeout=180
|
||||
|
|
|
@ -2,13 +2,13 @@ bind 127.0.0.1 ::1
|
|||
protected-mode yes
|
||||
|
||||
port 0
|
||||
unixsocket /home/{{ service }}/redis/redis.sock
|
||||
unixsocket /home/{{ gitea_service }}/redis/redis.sock
|
||||
unixsocketperm 770
|
||||
timeout 0
|
||||
tcp-keepalive 300
|
||||
|
||||
loglevel notice
|
||||
logfile /home/{{ service }}/log/redis-server.log
|
||||
logfile /home/{{ gitea_service }}/log/redis-server.log
|
||||
|
||||
databases 16
|
||||
save 900 1
|
||||
|
@ -16,7 +16,7 @@ save 300 10
|
|||
save 60 10000
|
||||
|
||||
dbfilename dump.rdb
|
||||
dir /home/{{ service }}/redis
|
||||
dir /home/{{ gitea_service }}/redis
|
||||
|
||||
maxclients {{ redis_maxclients }}
|
||||
maxmemory {{ redis_maxmemory }}
|
||||
maxclients {{ gitea_redis_maxclients }}
|
||||
maxmemory {{ gitea_redis_maxmemory }}
|
||||
|
|
|
@ -2,8 +2,8 @@
|
|||
# Certificates
|
||||
# you need a certificate to run in production. see https://letsencrypt.org/
|
||||
##
|
||||
ssl_certificate /etc/letsencrypt/live/{{ domains | first }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ domains | first }}/privkey.pem;
|
||||
ssl_certificate /etc/letsencrypt/live/{{ gitea_domains | first }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ gitea_domains | first }}/privkey.pem;
|
||||
|
||||
##
|
||||
# Security hardening (as of Nov 15, 2020)
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
upstream gitea_{{ service }} {
|
||||
server unix:/home/{{ service }}/gitea.sock;
|
||||
upstream gitea_{{ gitea_service }} {
|
||||
server unix:/home/{{ gitea_service }}/gitea.sock;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name {{ domains | first }};
|
||||
server_name {{ gitea_domains | first }};
|
||||
|
||||
# For certbot
|
||||
include /etc/nginx/snippets/letsencrypt.conf;
|
||||
|
@ -20,16 +20,16 @@ server {
|
|||
listen 0.0.0.0:443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name {{ domains | first }};
|
||||
server_name {{ gitea_domains | first }};
|
||||
|
||||
access_log /var/log/nginx/{{ service }}.access.log;
|
||||
error_log /var/log/nginx/{{ service }}.error.log;
|
||||
access_log /var/log/nginx/{{ gitea_service }}.access.log;
|
||||
error_log /var/log/nginx/{{ gitea_service }}.error.log;
|
||||
|
||||
include /etc/nginx/snippets/letsencrypt.conf;
|
||||
include /etc/nginx/ssl/{{ domains | first }}.conf;
|
||||
include /etc/nginx/ssl/{{ gitea_domains | first }}.conf;
|
||||
|
||||
location / {
|
||||
proxy_pass http://gitea_{{ service }};
|
||||
proxy_pass http://gitea_{{ gitea_service }};
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_read_timeout 10;
|
||||
|
|
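Review bot: Both server blocks keep `server_name {{ gitea_domains | first }};`, and the tasks and ssl snippet in this commit also use only `| first`, so any additional entries in `gitea_domains` are silently ignored even though the variable is a list. Either document in defaults that only the first domain is served, or render all of them here with `server_name {{ gitea_domains | join(' ') }};` and pass each one to certbot with its own `-d`. The second `server {` block starts outside the hunk.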