diff --git a/.yamllint b/.yamllint index cb32cb1..e9713ae 100644 --- a/.yamllint +++ b/.yamllint @@ -2,7 +2,7 @@ extends: default rules: - # 150 chars should be enough, but don't fail if a line is longer + # 170 chars should be enough, but don't fail if a line is longer line-length: - max: 150 + max: 170 level: warning diff --git a/handlers/main.yml b/handlers/main.yml index eade7a3..fc2696b 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,17 +1,20 @@ --- - name: "Restart gitea" + become: true service: name: gitea state: restarted when: ansible_service_mgr == "systemd" - name: "Reload systemd" + become: true systemd: daemon_reload: true when: ansible_service_mgr == "systemd" -- name: "Restart fail2ban" - service: +- name: "systemctl restart fail2ban" + become: true + ansible.builtin.systemd: name: fail2ban state: restarted when: ansible_service_mgr == "systemd" diff --git a/tasks/backup.yml b/tasks/backup.yml index e3b8ab3..5bbf374 100644 --- a/tasks/backup.yml +++ b/tasks/backup.yml @@ -1,15 +1,18 @@ --- - name: Get service facts - service_facts: + ansible.builtin.service_facts: - block: - name: Stopping gitea before upgrade - service: + become: true + ansible.builtin.systemd: name: gitea state: stopped + when: ansible_service_mgr == "systemd" - name: "Create backup directory" - file: + become: true + ansible.builtin.file: path: "{{ item }}" state: directory owner: "{{ gitea_user }}" @@ -19,13 +22,11 @@ - "{{ gitea_backup_location }}" - name: Backing up gitea before upgrade - command: + ansible.builtin.command: cmd: "gitea dump -c /etc/gitea/gitea.ini" chdir: "{{ gitea_backup_location }}" become: true - become_method: su become_user: "{{ gitea_user }}" - become_flags: "-s /bin/sh" when: - ansible_facts.services["gitea.service"] is defined - ansible_facts.services["gitea.service"].state == "running" diff --git a/tasks/configure.yml b/tasks/configure.yml new file mode 100644 index 0000000..ae86a3e --- /dev/null +++ b/tasks/configure.yml 
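Review bot: The renamed handler `systemctl restart fail2ban` keeps `state: restarted`; a full restart tears down and recreates every jail, and on installations without fail2ban's persistent ban database that drops the currently active bans, whereas the filter/jail template changes that notify it only need `state: reloaded` (equivalent to `fail2ban-client reload`). Consider `state: reloaded` here. The rename away from `Restart fail2ban` also changes a name that playbooks outside the role may `notify`, and a handler named after the shell command it runs reads oddly next to `Restart gitea` and `Reload systemd` — `Reload fail2ban` would be consistent with the other two.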
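Review bot: In `Backing up gitea before upgrade` the archive produced by `gitea dump -c /etc/gitea/gitea.ini` carries the database and `gitea.ini` (and with it every secret the role templates in), yet nothing constrains its permissions — `ansible.builtin.command` cannot set a umask, so the dump presumably inherits `gitea_user`'s default umask inside `gitea_backup_location`. Either switch to `ansible.builtin.shell: 'umask 077; gitea dump -c /etc/gitea/gitea.ini'` (keeping `chdir`), or restrict the directory itself with `mode: '0700'` in the `Create backup directory` task, whose `group`/`mode` lines fall outside this hunk. Dropping `become_method: su` and `become_flags` also means the default become method now switches to the unprivileged `gitea_user`; when the connecting user is itself unprivileged Ansible needs `setfacl` on the target or `allow_world_readable_tmpfiles`, which is worth a line in the README since this previously worked via `su`.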
@@ -0,0 +1,18 @@ +--- +- name: "Configure gitea" + become: true + ansible.builtin.template: + src: gitea.ini.j2 + dest: /etc/gitea/gitea.ini + owner: "{{ gitea_user }}" + group: "{{ gitea_group }}" + mode: 0600 + notify: "Restart gitea" + +- name: "Service gitea" + become: true + ansible.builtin.systemd: + name: gitea + state: started + enabled: true + when: ansible_service_mgr == "systemd" diff --git a/tasks/create_user.yml b/tasks/create_user.yml index 50d308a..776a614 100644 --- a/tasks/create_user.yml +++ b/tasks/create_user.yml @@ -1,12 +1,14 @@ --- - name: "Create Gitea Group" - group: + become: true + ansible.builtin.group: name: "{{ gitea_group }}" system: true state: "present" - name: "Create Gitea user" - user: + become: true + ansible.builtin.user: name: "{{ gitea_user }}" comment: "Gitea user" home: "{{ gitea_home }}" diff --git a/tasks/directory.yml b/tasks/directory.yml new file mode 100644 index 0000000..2a42b6a --- /dev/null +++ b/tasks/directory.yml @@ -0,0 +1,19 @@ +--- +- name: "Create config and data directory" + become: true + ansible.builtin.file: + path: "{{ item }}" + state: directory + owner: "{{ gitea_user }}" + group: "{{ gitea_group }}" + mode: 'u=rwX,g=rX,o=' + with_items: + - "/etc/gitea" + - "{{ gitea_home }}" + - "{{ gitea_home }}/data" + - "{{ gitea_home }}/custom" + - "{{ gitea_home }}/custom/https" + - "{{ gitea_home }}/custom/mailer" + - "{{ gitea_home }}/indexers" + - "{{ gitea_home }}/log" + - "{{ gitea_repository_root }}" diff --git a/tasks/fail2ban.yml b/tasks/fail2ban.yml index 5a9837e..640b754 100644 --- a/tasks/fail2ban.yml +++ b/tasks/fail2ban.yml 
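Review bot: `Configure gitea` writes `/etc/gitea/gitea.ini` as `owner: "{{ gitea_user }}"` with `mode: 0600`, so the service account can rewrite its own configuration — a compromised gitea process can change database credentials, the `INTERNAL_TOKEN`, or enable features persistently. Once the install lock is set (not visible here, `gitea.ini.j2` is not in the diff) gitea only needs read access, so `owner: root`, `group: "{{ gitea_group }}"`, `mode: '0640'` is the tighter choice and matches gitea's own post-install guidance. Independently, quote the mode (`mode: '0600'`): an unquoted leading-zero literal relies on YAML 1.1 octal parsing and is flagged by ansible-lint.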
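Review bot: `Create config and data directory` puts `/etc/gitea` in the same loop as the data directories, so the configuration directory is owned by `gitea_user` with `u=rwX`; the owner of a directory can unlink or replace any file in it, which includes the root-created `/etc/gitea/gitea_secret_key`-style files written with `umask 077` by the secrets tasks. Split `/etc/gitea` into its own task with `owner: root`, `group: "{{ gitea_group }}"`, `mode: 'u=rwx,g=rx,o='`. The task also drops the `recurse: true` that the removed `Create data directory` task in `tasks/main.yml` had, so ownership of existing repositories under `gitea_repository_root` is no longer corrected — fine if intentional (recursing a large repo root is slow), but it deserves a comment such as `# not recursive on purpose: repo trees can be huge, ownership is only asserted on the top-level dirs`.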
@@ -1,18 +1,20 @@ --- - name: Install fail2ban filter - template: + become: true + ansible.builtin.template: src: fail2ban/filter.conf.j2 dest: /etc/fail2ban/filter.d/gitea.conf owner: root group: root mode: 0444 - notify: Restart fail2ban + notify: systemctl restart fail2ban - name: Install fail2ban jail - template: + become: true + ansible.builtin.template: src: fail2ban/jail.conf.j2 dest: /etc/fail2ban/jail.d/gitea.conf owner: root group: root mode: 0444 - notify: Restart fail2ban + notify: systemctl restart fail2ban diff --git a/tasks/gitea_secrets.yml b/tasks/gitea_secrets.yml index e9d909e..51303ae 100644 --- a/tasks/gitea_secrets.yml +++ b/tasks/gitea_secrets.yml 
@@ -1,38 +1,38 @@ --- - name: generate gitea SECRET_KEY if not provided become: true - shell: 'umask 077; /usr/local/bin/gitea generate secret SECRET_KEY > /etc/gitea/gitea_secret_key' + ansible.builtin.shell: 'umask 077; /usr/local/bin/gitea generate secret SECRET_KEY > /etc/gitea/gitea_secret_key' args: creates: '/etc/gitea/gitea_secret_key' when: gitea_secret_key | length == 0 - name: read gitea SECRET_KEY from file become: true - slurp: + ansible.builtin.slurp: src: '/etc/gitea/gitea_secret_key' register: remote_secret_key when: gitea_secret_key | length == 0 - name: set fact gitea_secret_key - set_fact: + ansible.builtin.set_fact: gitea_secret_key: "{{ remote_secret_key['content'] | b64decode }}" when: gitea_secret_key | length == 0 - name: generate gitea INTERNAL_TOKEN if not provided become: true - shell: 'umask 077; /usr/local/bin/gitea generate secret INTERNAL_TOKEN > /etc/gitea/gitea_internal_token' + ansible.builtin.shell: 'umask 077; /usr/local/bin/gitea generate secret INTERNAL_TOKEN > /etc/gitea/gitea_internal_token' args: creates: '/etc/gitea/gitea_internal_token' when: gitea_internal_token | length == 0 - name: read gitea INTERNAL_TOKEN from file become: true - slurp: + ansible.builtin.slurp: src: '/etc/gitea/gitea_internal_token' register: remote_internal_token when: gitea_internal_token | length == 0 - name: set fact gitea_internal_token - set_fact: + ansible.builtin.set_fact: gitea_internal_token: "{{ remote_internal_token['content'] | b64decode }}" when: gitea_internal_token | length == 0 diff --git a/tasks/install.yml b/tasks/install.yml index 474df90..c38133b 100644 --- a/tasks/install.yml +++ b/tasks/install.yml @@ -1,7 +1,8 @@ --- - block: - name: Update apt cache - apt: + become: true + ansible.builtin.apt: cache_valid_time: 3600 update_cache: true register: _pre_update_apt_cache 
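Review bot: `read gitea SECRET_KEY from file` / `set fact gitea_secret_key` and their INTERNAL_TOKEN counterparts register and base64-decode the secret into a fact without `no_log: true`, so at `-v` the raw `SECRET_KEY` and `INTERNAL_TOKEN` are printed in task results and end up in controller logs, AWX/CI job output and callback plugins. Add `no_log: true` to those four tasks; the values still reach the template through the fact. A second issue: the `>` redirect in the generate tasks creates the file before `gitea generate secret` runs, so a failed generation leaves an empty file that `creates:` then protects on every later run and an empty secret is templated silently — write to a temporary name and `mv` it into place only on success, or add `failed_when: remote_secret_key['content'] | b64decode | length == 0` on the slurp.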
@@ -10,7 +11,8 @@ - ansible_pkg_mgr == "apt" - name: Install dependencies - package: + become: true + ansible.builtin.package: name: "{{ gitea_dependencies }}" state: present register: _install_dep_packages @@ -20,9 +22,9 @@ - block: - name: Download gitea archive - get_url: + ansible.builtin.get_url: url: "{{ gitea_dl_url }}.xz" - dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz" + dest: "/tmp/{{ gitea_filename }}.xz" checksum: "sha256:{{ gitea_dl_url }}.xz.sha256" register: _download_archive until: _download_archive is succeeded 
@@ -30,38 +32,40 @@ delay: 2 - name: Download gitea asc file - get_url: + ansible.builtin.get_url: url: "{{ gitea_dl_url }}.xz.asc" - dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc" + dest: "/tmp/{{ gitea_filename }}.xz.asc" register: _download_asc until: _download_asc is succeeded retries: 5 delay: 2 - name: Check gitea gpg key - command: "gpg --list-keys 0x{{ gitea_gpg_key }}" + ansible.builtin.command: "gpg --list-keys 0x{{ gitea_gpg_key }}" register: _gitea_gpg_key_status changed_when: false failed_when: _gitea_gpg_key_status.rc not in (0, 2) - name: Import gitea gpg key - command: "gpg --keyserver {{ gitea_gpg_server }} --recv {{ gitea_gpg_key }}" + become: true + ansible.builtin.command: "gpg --keyserver {{ gitea_gpg_server }} --recv {{ gitea_gpg_key }}" register: _gitea_import_key changed_when: '"imported: 1" in _gitea_import_key.stderr' when: _gitea_gpg_key_status.rc != 0 - name: Check archive signature - command: "gpg --verify /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz" + ansible.builtin.command: "gpg --verify /tmp/{{ gitea_filename }}.xz.asc /tmp/{{ gitea_filename }}.xz" changed_when: false - name: Unpack gitea binary - command: - cmd: "xz -k -d /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz" - creates: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}" + ansible.builtin.command: + cmd: "xz -k -d /tmp/{{ gitea_filename }}.xz" + creates: "/tmp/{{ gitea_filename }}" - name: Propagate gitea binary - copy: - src: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}" + become: true + ansible.builtin.copy: + src: "/tmp/{{ gitea_filename }}" remote_src: true dest: "/usr/local/bin/gitea" mode: 0755 diff --git a/tasks/install_systemd.yml b/tasks/install_systemd.yml index 4079aac..78173a9 100644 --- a/tasks/install_systemd.yml +++ b/tasks/install_systemd.yml 
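Review bot: `Unpack gitea binary` skips `xz` whenever `/tmp/{{ gitea_filename }}` already exists (`creates:`), and `Propagate gitea binary` then installs that file to `/usr/local/bin/gitea` as root with `mode: 0755` — but `Check archive signature` verified the `.xz`, never the decompressed file. Because the name is predictable from `gitea_version` and `/tmp` is world-writable, any local user can pre-create it and have an unverified binary installed; at minimum drop the `creates:` line and use `cmd: "xz -k -d -f /tmp/{{ gitea_filename }}.xz"`, better still download, verify and unpack inside a root-owned directory obtained from `ansible.builtin.tempfile`. Also, `Import gitea gpg key` now runs with `become: true` while `Check gitea gpg key` and `Check archive signature` do not, so unless the play escalates globally the key lands in root's keyring and the unprivileged verify fails with "No public key" — the three gpg tasks should share one `become` setting. Lastly, `gpg --verify` exits 0 for a valid signature from any key in that keyring; to pin it to `gitea_gpg_key`, run with `--status-fd 1` and check for a `VALIDSIG` line carrying that fingerprint, or use `gpgv --keyring` against a dedicated keyring.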
@@ -1,6 +1,7 @@ --- - name: "Setup systemd service" - template: + become: true + ansible.builtin.template: src: gitea.service.j2 dest: /lib/systemd/system/gitea.service owner: root @@ -10,8 +11,7 @@ - "Reload systemd" - "Restart gitea" -# systemd to be reloaded the first time because -# it is the only way Systemd is going to be aware of the new unit file. - name: "Reload systemd" - systemd: + become: true + ansible.builtin.systemd: daemon_reload: true diff --git a/tasks/jwt_secrets.yml b/tasks/jwt_secrets.yml index ca334c7..3ce8ba5 100644 --- a/tasks/jwt_secrets.yml +++ b/tasks/jwt_secrets.yml 
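Review bot: The comment removed above `Reload systemd` was the only place explaining why the role reloads systemd unconditionally on every run (systemd must learn of the new unit before the first `Service gitea` start), and the task still runs every time and reports changed; keep the rationale, or make it conditional with `register: _gitea_unit` on `Setup systemd service` and `when: _gitea_unit is changed` here, since the `Reload systemd` handler already covers later changes. The unit is also written to `/lib/systemd/system/gitea.service`, a path the distribution's packages own on most systems; locally managed units belong in `/etc/systemd/system`, which also takes precedence over vendor copies. Whether the unit sets any sandboxing directives (`ProtectSystem`, `NoNewPrivileges`, …) cannot be judged from this diff because `gitea.service.j2` is not shown.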
@@ -1,38 +1,38 @@ --- - name: generate OAuth2 JWT_SECRET if not provided become: true - shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_oauth_jwt_secret' + ansible.builtin.shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_oauth_jwt_secret' args: creates: '/etc/gitea/gitea_oauth_jwt_secret' when: gitea_oauth2_jwt_secret | length == 0 - name: read OAuth2 JWT_SECRET from file become: true - slurp: + ansible.builtin.slurp: src: '/etc/gitea/gitea_oauth_jwt_secret' register: oauth_jwt_secret when: gitea_oauth2_jwt_secret | length == 0 - name: set fact gitea_oauth2_jwt_secret - set_fact: + ansible.builtin.set_fact: gitea_oauth2_jwt_secret: "{{ oauth_jwt_secret['content'] | b64decode }}" when: gitea_oauth2_jwt_secret | length == 0 - name: generate LFS JWT_SECRET if not provided become: true - shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_lfs_jwt_secret' + ansible.builtin.shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_lfs_jwt_secret' args: creates: '/etc/gitea/gitea_lfs_jwt_secret' when: gitea_lfs_jwt_secret | length == 0 - name: read LFS JWT_SECRET from file become: true - slurp: + ansible.builtin.slurp: src: '/etc/gitea/gitea_lfs_jwt_secret' register: lfs_jwt_secret when: gitea_lfs_jwt_secret | length == 0 - name: set fact gitea_lfs_jwt_secret - set_fact: + ansible.builtin.set_fact: gitea_lfs_jwt_secret: "{{ lfs_jwt_secret['content'] | b64decode }}" when: gitea_lfs_jwt_secret | length == 0 diff --git a/tasks/main.yml b/tasks/main.yml index e62be44..e0c49ba 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
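Review bot: In `generate OAuth2 JWT_SECRET if not provided` and `generate LFS JWT_SECRET if not provided` the shell redirect opens the target before `gitea generate secret` executes, so if the binary is missing or fails (for example on a host where `install.yml` was skipped) an empty `/etc/gitea/gitea_oauth_jwt_secret` is left behind, `creates:` prevents regeneration on every later run, and the empty value is slurped and templated as the JWT secret without any error. Write to a temporary name and rename only on success, e.g. `ansible.builtin.shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_oauth_jwt_secret.tmp && mv /etc/gitea/gitea_oauth_jwt_secret.tmp /etc/gitea/gitea_oauth_jwt_secret'`, and the same for the LFS variant. As with the other secrets tasks, the slurp/`set_fact` pairs here expose the decoded secret in verbose output and should carry `no_log: true`.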
@@ -4,16 +4,10 @@ when: submodules_versioncheck|bool - name: Gather variables for each operating system - include_vars: "{{ item }}" - with_first_found: - - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml" - - "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml" - - "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml" - - "{{ ansible_distribution | lower }}.yml" - - "{{ ansible_os_family | lower }}.yml" + ansible.builtin.include_vars: "{{ lookup('first_found', gitea_variables) }}" - name: "Check gitea version" - shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3" + ansible.builtin.shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3" args: executable: /bin/bash register: gitea_active_version 
@@ -22,64 +16,31 @@ when: gitea_version_check|bool - name: backup gitea before update - include_tasks: backup.yml + ansible.builtin.include_tasks: backup.yml when: gitea_backup_on_upgrade|bool +- name: create gitea user and role + ansible.builtin.include_tasks: create_user.yml + - name: install or update gitea - include_tasks: install.yml + ansible.builtin.include_tasks: install.yml -- include: create_user.yml +- name: Create directorys + ansible.builtin.include_tasks: directory.yml -- name: "Create config directory" - file: - path: "{{ item }}" - state: directory - owner: "{{ gitea_user }}" - group: "{{ gitea_group }}" - mode: '0755' - with_items: - - "/etc/gitea" - -- name: "Create data directory" - file: - path: "{{ item }}" - state: directory - owner: "{{ gitea_user }}" - group: "{{ gitea_group }}" - mode: 'u=rwX,g=rX,o=' - recurse: true - with_items: - - "{{ gitea_home }}" - - "{{ gitea_home }}/data" - - "{{ gitea_home }}/custom" - - "{{ gitea_home }}/custom/https" - - "{{ gitea_home }}/custom/mailer" - - "{{ gitea_home }}/indexers" - - "{{ gitea_home }}/log" - - "{{ gitea_repository_root }}" - -- include: install_systemd.yml +- name: setup gitea systemd service + ansible.builtin.include_tasks: install_systemd.yml when: ansible_service_mgr == "systemd" -- include_tasks: jwt_secrets.yml +- name: generate JWT Secrets if undefined + ansible.builtin.include_tasks: jwt_secrets.yml -- include_tasks: gitea_secrets.yml +- name: generate gitea secrets if undefined + ansible.builtin.include_tasks: gitea_secrets.yml -- name: "Configure gitea" - template: - src: gitea.ini.j2 - dest: /etc/gitea/gitea.ini - owner: "{{ gitea_user }}" - group: "{{ gitea_group }}" - mode: 0600 - notify: "Restart gitea" +- name: configure gitea + ansible.builtin.include_tasks: configure.yml -- name: "Service gitea" - service: - name: gitea - state: started - enabled: true - when: ansible_service_mgr == "systemd" - -- include: fail2ban.yml +- name: deploy optional fail2ban rules + 
ansible.builtin.include_tasks: fail2ban.yml when: gitea_fail2ban_enabled|bool diff --git a/vars/main.yml b/vars/main.yml index 217afb2..26bbdec 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -8,6 +8,17 @@ gitea_go_arch_map: armv5l: 'arm-5' gitea_arch: "{{ gitea_go_arch_map[ansible_architecture] | default(ansible_architecture) }}" +gitea_filename: "gitea-{{ gitea_version }}.linux-{{ gitea_arch }}" -playbook_version_number: 6 # should be int +gitea_variables: + files: + - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml" + - "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml" + - "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml" + - "{{ ansible_distribution | lower }}.yml" + - "{{ ansible_os_family | lower }}.yml" + paths: + - 'vars' + +playbook_version_number: 7 # should be int playbook_version_path: 'do1jlr.gitea.version'
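Review bot: Two of the new task names are inaccurate: `Create directorys` should read `Create directories`, and `create gitea user and role` includes `create_user.yml`, which creates a group and a user — `create gitea user and group` describes it. The capitalisation also alternates (`Create …` beside `create …`, `install …`, `deploy …`); since these names appear in every run's output, pick one style. The reordering that runs `create_user.yml` before `install.yml` and the move of the directory, config and service tasks into `directory.yml`/`configure.yml` reads fine, but note that `/etc/gitea` was created `0755` by the removed inline task and its permissions are now decided by `directory.yml`, outside this hunk, so reviewers of this file alone cannot see that change.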