From 6ec2f8ed045dbbb5a1d4a3d262d17cfd92ec69ed Mon Sep 17 00:00:00 2001
From: L3D
Date: Sun, 21 Mar 2021 02:22:36 +0100
Subject: [PATCH] change secret mechanism and continue with README clenaup
---
 README.md | 18 +++++++++---------
 defaults/main.yml | 10 +++++-----
 tasks/gitea_secrets.yml | 38 ++++++++++++++++++++++++++++++++++++++
 tasks/main.yml | 2 ++
 4 files changed, 54 insertions(+), 14 deletions(-)
 create mode 100644 tasks/gitea_secrets.yml
diff --git a/README.md b/README.md
index 8d2a6a0..aa62133 100644
--- a/README.md
+++ b/README.md
@@ -94,16 +94,16 @@ Here is a deeper insight into the variables of this gitea role. For the exact fu
 ### Security
 | variable name | default value | description |
 | ------------- | ------------- | ----------- |
-| `gitea_secret_key` | **PLEASE CHANGE** | Global secret key. This should be changed. |
-| `gitea_internal_token`: Internal API token
-* `gitea_disable_git_hooks`: Do you want to disable the interface to add git hooks? If enabled it could be a security bug as it can be used for RCE. Defaults to true (true/false)
+| `gitea_secret_key` | `''` | Global secret key. Will be autogenerated if not defined. Should be unique. |
+| `gitea_internal_token` | `''` | Internal API token. Will be autogenerated if not defined. Should be unique. |
+| `gitea_disable_git_hooks` | `true` | Set to false to enable users with git hook privilege to create custom git hooks. Can be dangerous. |
+| `gitea_user_repo_limit` | `-1` | Limit how many repos a user can have *(`-1` for unlimited)* |
+| `gitea_lfs_secret` | `''` < JWT secret for remote LFS usage. Can be generated with ``gitea generate secret JWT_SECRET``. Will be autogenerated if not defined |
+|
+| `gitea_oauth2_jwt_secret` | `''` | Oauth2 JWT secret. Can be generated with ``gitea generate secret JWT_SECRET``. Will be autogenerated if not defined. |
-* `gitea_systemd_cap_net_bind_service`: Adds `AmbientCapabilities=CAP_NET_BIND_SERVICE` to systemd service file
-* `gitea_extra_config`: Additional configuration
-### Limits
-* `gitea_user_repo_limit`: Limit how many repos a user can have (-1 for unlimited)
 ### HTTP configuration
@@ -148,7 +148,6 @@ Here is a deeper insight into the variables of this gitea role. For the exact fu
 * `gitea_lfs_enabled`: Enable GIT LFS *(git large file storeage: [git-lfs](https://git-lfs.github.com/))*. Default: `false`
 * `gitea_lfs_content_path`: path where the lfs files are stored
-* `gitea_lfs_secret`: JWT secret for remote LFS usage. Can be generated with ``gitea generate secret JWT_SECRET``
 ### Log configuration
 * `gitea_log_systemd` Disable logging into `file`, use systemd-journald
@@ -169,7 +168,6 @@ As this will only deploy config files, fail2ban already has to be installed or o
 ### Oauth2 provider configuration
 * `gitea_oauth2_enabled`: Enable the Oauth2 provider (true/false)
-* `gitea_oauth2_jwt_secret`: Oauth2 JWT secret. Can be generated with ``gitea generate secret JWT_SECRET``
 ### Metrics endpoint configuration
@@ -189,6 +187,8 @@ As this will only deploy config files, fail2ban already has to be installed or o
 * `gitea_backup_on_upgrade`: Optionally a backup can be created with every update of gitea. Default: `false`
 * `gitea_backup_location`: Where to store the gitea backup if one is created with this role. Default: `{{ gitea_home }}/backups/`
+* `gitea_systemd_cap_net_bind_service`: Adds `AmbientCapabilities=CAP_NET_BIND_SERVICE` to systemd service file
+* `gitea_extra_config`: Additional configuration
 ## Contributing
 Don't hesitate to create a pull request, and when in doubt you can reach me on Mastodon [@l3d@chaos.social](https://chaos.social/@l3d).
diff --git a/defaults/main.yml b/defaults/main.yml
index 1d2d759..1ef001b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -30,9 +30,12 @@ gitea_themes: gitea,arc-green
 gitea_theme_default: gitea
 # security
-gitea_secret_key: T0pS3cr31
-gitea_internal_token: SomethingVeryLong
+gitea_secret_key: ''
+gitea_internal_token: ''
 gitea_disable_git_hooks: true
+gitea_user_repo_limit: -1
+gitea_lfs_jwt_secret: ''
+gitea_oauth2_jwt_secret: ''
 gitea_http_domain: localhost
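Review bot: The new `gitea_lfs_jwt_secret: ''` key in the defaults hunk has no matching documentation: the README table added in this same commit lists it as `gitea_lfs_secret`, so a user following the README sets a variable whose name differs from the default defined here; the README row should read `gitea_lfs_jwt_secret`. Replacing the literal defaults `T0pS3cr31` and `SomethingVeryLong` with `''` also deserves a comment above these keys, because an empty value now makes tasks/gitea_secrets.yml generate a value and persist it under `/etc/gitea`, and an install that previously ran with the old literal defaults will get a different SECRET_KEY and INTERNAL_TOKEN on its next run; something like `# leave empty: the role generates the secret on first run and stores it under /etc/gitea` above `gitea_secret_key` would make that visible. Whether data Gitea encrypted under the old SECRET_KEY survives such a change is not answered by this diff and should be covered in the README or a changelog entry.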
@@ -44,10 +47,8 @@ gitea_http_port: 3000
 gitea_disable_http_git: false
-gitea_user_repo_limit: -1
 gitea_lfs_server_enabled: false
 gitea_lfs_content_path: "{{ gitea_home }}/data/lfs"
-gitea_lfs_jwt_secret: ''
 gitea_systemd_cap_net_bind_service: false
 gitea_db_type: sqlite3
@@ -87,7 +88,6 @@ gitea_fail2ban_jail_bantime: 900
 gitea_fail2ban_jail_action: iptables-allports
 gitea_oauth2_enabled: true
-gitea_oauth2_jwt_secret: ''
 gitea_metrics_enabled: false
 gitea_metrics_token: ~
diff --git a/tasks/gitea_secrets.yml b/tasks/gitea_secrets.yml
new file mode 100644
index 0000000..07ffa84
--- /dev/null
+++ b/tasks/gitea_secrets.yml
@@ -0,0 +1,38 @@
+---
+- name: generate gitea SECRET_KEY if not provided
+  become: true
+  shell: 'umask 077; /usr/local/bin/gitea generate secret SECRET_KEY > /etc/gitea/gitea_secret_key'
+  args:
+    creates: '/etc/gitea/gitea_secret_key'
+  when: gitea_secret_key | length == 0
+
+- name: read gitea SECRET_KEY from file
+  become: true
+  slurp:
+    src: '/etc/gitea/gitea_secret_key'
+  register: remote_secret_key:
+  when: gitea_secret_key | length == 0
+
+- name: set fact gitea_secret_key
+  set_fact:
+    gitea_secret_key: "{{ remote_secret_key['content'] | b64decode }}"
+  when: gitea_secret_key | length == 0
+
+- name: generate gitea INTERNAL_TOKEN if not provided
+  become: true
+  shell: 'umask 077; /usr/local/bin/gitea generate secret INTERNAL_TOKEN > /etc/gitea/gitea_internal_token'
+  args:
+    creates: '/etc/gitea/gitea_internal_token'
+  when: gitea_internal_token | length == 0
+
+- name: read gitea INTERNAL_TOKEN from file
+  become: true
+  slurp:
+    src: '/etc/gitea/gitea_internal_token'
+  register: remote_internal_token
+  when: gitea_internal_token | length == 0
+
+- name: set fact gitea_internal_token
+  set_fact:
+    gitea_internal_token: "{{ remote_internal_token['content'] | b64decode }}"
+  when: gitea_internal_token | length == 0
diff --git a/tasks/main.yml b/tasks/main.yml
index dfb5a58..cf2ae75 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
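Review bot: `register: remote_secret_key:` in the "read gitea SECRET_KEY from file" task of the new tasks/gitea_secrets.yml carries a trailing colon, which is a YAML parse error (the INTERNAL_TOKEN counterpart correctly has `register: remote_internal_token`), so the include fails before either secret is read; change it to `register: remote_secret_key`. The two slurp and two set_fact tasks also need `no_log: true`: the registered result holds the secret (base64 only) and set_fact echoes the decoded value in verbose output and to callbacks, so the generated key would otherwise end up in run logs. If `gitea generate secret` terminates its output with a newline, the slurped value keeps it and the newline becomes part of the configured key; this is worth checking, and if so `| trim` belongs after `b64decode` in both set_fact expressions. The binary and state paths (`/usr/local/bin/gitea`, `/etc/gitea`) are hard-coded in all four file-handling tasks; if the role already exposes variables for them, using those keeps the tasks working for a non-default install location.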
@@ -59,6 +59,8 @@
 - include_tasks: jwt_secrets.yml
+- include_tasks: gitea_secrets.yml
+
 - name: "Configure gitea"
   template:
     src: gitea.ini.j2