mirror of
https://github.com/roles-ansible/ansible_role_gitea.git
synced 2024-08-16 11:39:50 +02:00
Merge pull request #2 from roles-ansible/docs
start updating docs and generate undefined secrets
This commit is contained in:
commit
8ed69febc1
5 changed files with 114 additions and 51 deletions
75
README.md
|
@ -50,40 +50,57 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
|
||||||
- gitea
|
- gitea
|
||||||
```
|
```
|
||||||
|
|
||||||
## More detailed options
|
Variables
|
||||||
### General
|
-----------
|
||||||
|
Here is a deeper insight into the variables of this gitea role. For the exact function of some variables and the possibility to add more options we recommend a look at the config cheat sheet. For the exact function of some variables and the possibility to add more options we recommend a look at this [config cheat sheet](https://docs.gitea.io/en-us/config-cheat-sheet/).
|
||||||
|
|
||||||
* `gitea_version_check`: Check if installed version != `gitea_version` before initiating binary download
|
### gitea version
|
||||||
* `gitea_user`: UNIX user used by Gitea
|
| variable name | default value | description |
|
||||||
* `gitea_group`: UNIX group used by Gitea
|
| ------------- | ------------- | ----------- |
|
||||||
* `gitea_home`: Base directory to work
|
| `gitea_version` | *(see [defaults/main.yml](defaults/main.yml#L3))* | The gitea version this role shoud install |
|
||||||
* `gitea_dl_url`: The URL, the compiled gitea-binary will be downloaded from
|
| `gitea_version_check` | `true` | Check if installed version != `gitea_version` before initiating binary download |
|
||||||
* `gitea_systemd_cap_net_bind_service`: Adds `AmbientCapabilities=CAP_NET_BIND_SERVICE` to systemd service file
|
| `gitea_dl_url` | *(see [defaults/main.yml](defaults/main.yml#L5))* | The path from where this role downloads the gitea binary |
|
||||||
* `gitea_extra_config`: Additional configuration
|
| `gitea_gpg_key` | `7C9E68152594688862D62AF62D9AE806EC1592E2` | the gpg key the gitea binary is signed with |
|
||||||
|
| `gitea_gpg_server` | `hkp://keyserver.ubuntu.com:80` | A gpg key server where this role can download the gpg key |
|
||||||
|
|
||||||
|
### gitea in the linux world
|
||||||
|
| variable name | default value | description |
|
||||||
|
| ------------- | ------------- | ----------- |
|
||||||
|
| `gitea_user` | `gitea ` | UNIX user used by Gitea |
|
||||||
|
| `gitea_group` | `gitea` | UNIX group used by Gitea |
|
||||||
|
| `gitea_home` | `/var/lib/gitea` | Base directory to work |
|
||||||
|
| `gitea_shell` | `/bin/false` | UNIX shell used by gitea. Set it to `/bin/bash` if you don't use the gitea built-in ssh server. |
|
||||||
|
|
||||||
### Look and feel
|
### Look and feel
|
||||||
|
| variable name | default value | description |
|
||||||
|
| ------------- | ------------- | ----------- |
|
||||||
|
| `gitea_app_name` | `Gitea` | Displayed application name |
|
||||||
|
| `gitea_repository_root` | `{{ gitea_home }}/repos` | The path where all gitea repositorys are stored |
|
||||||
|
| `gitea_show_user_email` | `false` | Do you want to display email addresses ? (true/false) |
|
||||||
|
| `gitea_disable_gravatar` | `true` | Do you want to disable Gravatar ? (privacy and so on) (true/false) |
|
||||||
|
| `gitea_disable_registration` | `false` | Do you want to disable user registration? (true/false) |
|
||||||
|
| `gitea_register_email_confirm` | `false` | Enable this to ask for mail confirmation of registration. Requires `gitea_mailer_enabled` to be enabled. |
|
||||||
|
| `gitea_offline_mode` | `true` | Disables use of CDN for static files and Gravatar for profile pictures. (true/false) |
|
||||||
|
| `gitea_only_allow_external_registration` | `false` | Set to true to force registration only using third-party services (true/false) |
|
||||||
|
| `gitea_show_registration_button` | `true` | Here you can hide the registration button. This will not disable registration! (true/false)|
|
||||||
|
| `gitea_require_signin` | `true` | Do you require a signin to see repo's (even public ones)? (true/false)|
|
||||||
|
| `gitea_enable_captcha` | `true` | Do you want to enable captcha's ? (true/false)|
|
||||||
|
| `gitea_enable_notify_mail` | `false` | Enable this to send e-mail to watchers of a repository when something happens, like creating issues (true/false) |
|
||||||
|
| `gitea_auto_watch_new_repos` | `true` | Enable this to let all organisation users watch new repos when they are created (true/false) |
|
||||||
|
| `gitea_themes` | `gitea,arc-green` | List of enabled themes |
|
||||||
|
| `gitea_theme_default` | `gitea` | Default theme |
|
||||||
|
|
||||||
* `gitea_app_name`: Displayed application name
|
|
||||||
* `gitea_show_user_email`: Do you want to display email addresses ? (true/false)
|
|
||||||
* `gitea_disable_gravatar`: Do you want to disable Gravatar ? (privacy and so on) (true/false)
|
|
||||||
* `gitea_offline_mode`: Same but for disabling CDNs for frontend assets (true/false)
|
|
||||||
* `gitea_disable_registration`: Do you want to disable user registration ? (true/false)
|
|
||||||
* `gitea_register_email_confirm`: Enable this to ask for mail confirmation of registration. Requires `gitea_mailer_enabled` to be enabled (Default: `false`)
|
|
||||||
* `gitea_only_allow_external_registration`: Do you want to force registration only using third-party services ? (true/false)
|
|
||||||
* `gitea_show_registration_button`: Do you want to show the registration button? (true/false)
|
|
||||||
* `gitea_require_signin`: Do you require a signin to see repo's (even public ones) ? (true/false)
|
|
||||||
* `gitea_enable_captcha`: Do you want to enable captcha's ? (true/false)
|
|
||||||
* `gitea_themes`: List of enabled themes
|
|
||||||
* `gitea_theme_default`: Default theme
|
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
* `gitea_secret_key`: Cookie secret key
|
| variable name | default value | description |
|
||||||
* `gitea_internal_token`: Internal API token
|
| ------------- | ------------- | ----------- |
|
||||||
* `gitea_disable_git_hooks`: Do you want to disable the interface to add git hooks? If enabled it could be a security bug as it can be used for RCE. Defaults to true (true/false)
|
| `gitea_secret_key` | `''` | Global secret key. Will be autogenerated if not defined. Should be unique. |
|
||||||
|
| `gitea_internal_token` | `''` | Internal API token. Will be autogenerated if not defined. Should be unique. |
|
||||||
|
| `gitea_disable_git_hooks` | `true` | Set to false to enable users with git hook privilege to create custom git hooks. Can be dangerous. |
|
||||||
|
| `gitea_user_repo_limit` | `-1` | Limit how many repos a user can have *(`-1` for unlimited)* |
|
||||||
|
| `gitea_lfs_secret` | `''` | < JWT secret for remote LFS usage. Can be generated with ``gitea generate secret JWT_SECRET``. Will be autogenerated if not defined |
|
||||||
|
| `gitea_oauth2_jwt_secret` | `''` | Oauth2 JWT secret. Can be generated with ``gitea generate secret JWT_SECRET``. Will be autogenerated if not defined. |
|
||||||
|
|
||||||
### Limits
|
|
||||||
|
|
||||||
* `gitea_user_repo_limit`: Limit how many repos a user can have (-1 for unlimited)
|
|
||||||
|
|
||||||
### HTTP configuration
|
### HTTP configuration
|
||||||
|
|
||||||
|
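Review bot: the Security table documents `gitea_lfs_secret` (the row reading `< JWT secret for remote LFS usage ...`), but defaults/main.yml in this same PR defines the variable as `gitea_lfs_jwt_secret`, so a user who follows the README sets a variable the role never reads and silently gets an autogenerated secret instead; rename the row to `gitea_lfs_jwt_secret` and drop the stray `<`. Smaller things in the same hunk: the intro paragraph repeats the sentence "For the exact function of some variables ..." twice, once without the link; the `gitea_user` default is rendered as `` `gitea ` `` with a trailing space; `shoud` and `repositorys` are typos; and the `gitea_disable_git_hooks` row lost the old bullet's explanation that custom git hooks execute arbitrary code on the server (RCE), which is the reason the default is `true` and belongs in the table text rather than the vague "Can be dangerous".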
@ -128,7 +145,6 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
|
||||||
|
|
||||||
* `gitea_lfs_enabled`: Enable GIT LFS *(git large file storeage: [git-lfs](https://git-lfs.github.com/))*. Default: `false`
|
* `gitea_lfs_enabled`: Enable GIT LFS *(git large file storeage: [git-lfs](https://git-lfs.github.com/))*. Default: `false`
|
||||||
* `gitea_lfs_content_path`: path where the lfs files are stored
|
* `gitea_lfs_content_path`: path where the lfs files are stored
|
||||||
* `gitea_lfs_secret`: JWT secret for remote LFS usage. Can be generated with ``gitea generate secret JWT_SECRET``
|
|
||||||
|
|
||||||
### Log configuration
|
### Log configuration
|
||||||
* `gitea_log_systemd` Disable logging into `file`, use systemd-journald
|
* `gitea_log_systemd` Disable logging into `file`, use systemd-journald
|
||||||
|
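Review bot: the LFS bullets that stay in this section document `gitea_lfs_enabled`, while defaults/main.yml in this PR (unchanged context) defines `gitea_lfs_server_enabled`; since the LFS secret bullet is being moved out of this section anyway, align the variable name here so the LFS docs match what the role actually reads. `storeage` is a typo.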
@ -149,7 +165,6 @@ As this will only deploy config files, fail2ban already has to be installed or o
|
||||||
### Oauth2 provider configuration
|
### Oauth2 provider configuration
|
||||||
|
|
||||||
* `gitea_oauth2_enabled`: Enable the Oauth2 provider (true/false)
|
* `gitea_oauth2_enabled`: Enable the Oauth2 provider (true/false)
|
||||||
* `gitea_oauth2_jwt_secret`: Oauth2 JWT secret. Can be generated with ``gitea generate secret JWT_SECRET``
|
|
||||||
|
|
||||||
|
|
||||||
### Metrics endpoint configuration
|
### Metrics endpoint configuration
|
||||||
|
@ -169,6 +184,8 @@ As this will only deploy config files, fail2ban already has to be installed or o
|
||||||
* `gitea_backup_on_upgrade`: Optionally a backup can be created with every update of gitea. Default: `false`
|
* `gitea_backup_on_upgrade`: Optionally a backup can be created with every update of gitea. Default: `false`
|
||||||
* `gitea_backup_location`: Where to store the gitea backup if one is created with this role. Default: `{{ gitea_home }}/backups/`
|
* `gitea_backup_location`: Where to store the gitea backup if one is created with this role. Default: `{{ gitea_home }}/backups/`
|
||||||
|
|
||||||
|
* `gitea_systemd_cap_net_bind_service`: Adds `AmbientCapabilities=CAP_NET_BIND_SERVICE` to systemd service file
|
||||||
|
* `gitea_extra_config`: Additional configuration
|
||||||
## Contributing
|
## Contributing
|
||||||
Don't hesitate to create a pull request, and when in doubt you can reach me on
|
Don't hesitate to create a pull request, and when in doubt you can reach me on
|
||||||
Mastodon [@l3d@chaos.social](https://chaos.social/@l3d).
|
Mastodon [@l3d@chaos.social](https://chaos.social/@l3d).
|
||||||
|
|
|
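Review bot: `gitea_extra_config: Additional configuration` tells the user nothing about what the value is (raw ini text appended to app.ini, a dict, something else) or which sections it can touch; state the format and give a short example, because freeform text injected into app.ini can override every security setting the tables above document. For `gitea_systemd_cap_net_bind_service`, add the default (`false`, per defaults/main.yml) and say when it is needed: only when `gitea_http_port` or `gitea_ssh_port` is below 1024, since `AmbientCapabilities=CAP_NET_BIND_SERVICE` lets the unprivileged `gitea_user` bind those ports without running the service as root. Both new bullets also use the old list style while the rest of the section was converted to tables in this PR.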
@ -1,33 +1,56 @@
|
||||||
---
|
---
|
||||||
|
# gitea version
|
||||||
gitea_version: "1.13.4"
|
gitea_version: "1.13.4"
|
||||||
gitea_version_check: true
|
gitea_version_check: true
|
||||||
gitea_dl_url: "https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-{{ gitea_arch }}"
|
gitea_dl_url: "https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-{{ gitea_arch }}"
|
||||||
gitea_gpg_key: "7C9E68152594688862D62AF62D9AE806EC1592E2"
|
gitea_gpg_key: "7C9E68152594688862D62AF62D9AE806EC1592E2"
|
||||||
gitea_gpg_server: "hkp://keyserver.ubuntu.com:80"
|
gitea_gpg_server: "hkp://keyserver.ubuntu.com:80"
|
||||||
|
|
||||||
gitea_app_name: "Gitea"
|
# gitea in the linux world
|
||||||
gitea_user: "gitea"
|
gitea_user: "gitea"
|
||||||
gitea_group: "gitea"
|
gitea_group: "gitea"
|
||||||
gitea_home: "/var/lib/gitea"
|
gitea_home: "/var/lib/gitea"
|
||||||
gitea_shell: "/bin/false"
|
gitea_shell: "/bin/false"
|
||||||
gitea_systemd_cap_net_bind_service: false
|
|
||||||
|
|
||||||
|
# look and feel
|
||||||
|
gitea_app_name: "Gitea"
|
||||||
gitea_repository_root: "{{ gitea_home }}/repos"
|
gitea_repository_root: "{{ gitea_home }}/repos"
|
||||||
|
gitea_show_user_email: false
|
||||||
|
gitea_disable_gravatar: true
|
||||||
|
gitea_disable_registration: false
|
||||||
|
gitea_register_email_confirm: false
|
||||||
|
gitea_offline_mode: true
|
||||||
|
gitea_only_allow_external_registration: false
|
||||||
|
gitea_show_registration_button: true
|
||||||
|
gitea_require_signin: true
|
||||||
|
gitea_enable_captcha: true
|
||||||
|
gitea_enable_notify_mail: false
|
||||||
|
gitea_auto_watch_new_repos: true
|
||||||
|
gitea_themes: gitea,arc-green
|
||||||
|
gitea_theme_default: gitea
|
||||||
|
|
||||||
|
# security
|
||||||
|
gitea_secret_key: ''
|
||||||
|
gitea_internal_token: ''
|
||||||
|
gitea_disable_git_hooks: true
|
||||||
gitea_user_repo_limit: -1
|
gitea_user_repo_limit: -1
|
||||||
|
gitea_lfs_jwt_secret: ''
|
||||||
|
gitea_oauth2_jwt_secret: ''
|
||||||
|
|
||||||
gitea_http_domain: localhost
|
gitea_http_domain: localhost
|
||||||
|
|
||||||
gitea_root_url: http://localhost:3000
|
gitea_root_url: http://localhost:3000
|
||||||
gitea_protocol: http
|
gitea_protocol: http
|
||||||
gitea_http_listen: 127.0.0.1
|
gitea_http_listen: 127.0.0.1
|
||||||
gitea_http_port: 3000
|
gitea_http_port: 3000
|
||||||
# gitea_http_letsencrypt_mail: - required
|
# gitea_http_letsencrypt_mail: - required
|
||||||
gitea_disable_http_git: false
|
gitea_disable_http_git: false
|
||||||
gitea_offline_mode: true
|
|
||||||
|
|
||||||
gitea_lfs_server_enabled: false
|
gitea_lfs_server_enabled: false
|
||||||
gitea_lfs_content_path: "{{ gitea_home }}/data/lfs"
|
gitea_lfs_content_path: "{{ gitea_home }}/data/lfs"
|
||||||
gitea_lfs_jwt_secret: ''
|
|
||||||
|
|
||||||
|
gitea_systemd_cap_net_bind_service: false
|
||||||
gitea_db_type: sqlite3
|
gitea_db_type: sqlite3
|
||||||
gitea_db_host: 127.0.0.0:3306
|
gitea_db_host: 127.0.0.0:3306
|
||||||
gitea_db_name: root
|
gitea_db_name: root
|
||||||
|
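Review bot: `gitea_lfs_jwt_secret: ''` here versus `gitea_lfs_secret` in the README table of this PR: one of the two names is wrong, and the README one is what users will copy. While this block is being reorganised: `gitea_db_host: 127.0.0.0:3306` (unchanged context) is almost certainly meant to be `127.0.0.1:3306`, as 127.0.0.0 is not the loopback address; and `gitea_gpg_server: "hkp://keyserver.ubuntu.com:80"` fetches the release-signing key over plaintext HKP, which is only acceptable if the role pins the fetched key to the full `gitea_gpg_key` fingerprint before trusting it to verify the binary; otherwise prefer an `hkps://` server.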
@ -41,20 +64,6 @@ gitea_ssh_domain: localhost
|
||||||
gitea_start_ssh: true
|
gitea_start_ssh: true
|
||||||
gitea_ssh_port: 2222
|
gitea_ssh_port: 2222
|
||||||
|
|
||||||
gitea_secret_key: T0pS3cr31
|
|
||||||
gitea_internal_token: SomethingVeryLong
|
|
||||||
gitea_disable_git_hooks: true
|
|
||||||
|
|
||||||
gitea_show_user_email: false
|
|
||||||
gitea_disable_gravatar: true
|
|
||||||
gitea_disable_registration: false
|
|
||||||
gitea_register_email_confirm: false
|
|
||||||
gitea_show_registration_button: true
|
|
||||||
gitea_require_signin: true
|
|
||||||
gitea_enable_captcha: true
|
|
||||||
gitea_only_allow_external_registration: false
|
|
||||||
gitea_enable_notify_mail: false
|
|
||||||
|
|
||||||
gitea_force_private: false
|
gitea_force_private: false
|
||||||
|
|
||||||
gitea_mailer_enabled: false
|
gitea_mailer_enabled: false
|
||||||
|
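Review bot: dropping the hard-coded `gitea_secret_key: T0pS3cr31` and `gitea_internal_token: SomethingVeryLong` is the right fix (every deployment that never overrode them shared the same global secret and the same internal API token), but it is a breaking change for exactly those hosts: on the next run `gitea_secret_key` is empty, `tasks/gitea_secrets.yml` generates a new SECRET_KEY, and Gitea can then no longer use data it encrypted under the old key (two-factor secrets, for example). Call this out in the README or changelog and tell affected users to pin `gitea_secret_key` to the old value explicitly if they need continuity.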
@ -77,13 +86,10 @@ gitea_fail2ban_jail_bantime: 900
|
||||||
gitea_fail2ban_jail_action: iptables-allports
|
gitea_fail2ban_jail_action: iptables-allports
|
||||||
|
|
||||||
gitea_oauth2_enabled: true
|
gitea_oauth2_enabled: true
|
||||||
gitea_oauth2_jwt_secret: ''
|
|
||||||
|
|
||||||
gitea_metrics_enabled: false
|
gitea_metrics_enabled: false
|
||||||
gitea_metrics_token: ~
|
gitea_metrics_token: ~
|
||||||
|
|
||||||
gitea_themes: gitea,arc-green
|
|
||||||
gitea_theme_default: gitea
|
|
||||||
|
|
||||||
gitea_repo_indexer_enabled: false
|
gitea_repo_indexer_enabled: false
|
||||||
gitea_repo_indexer_include: ""
|
gitea_repo_indexer_include: ""
|
||||||
|
|
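Review bot: `gitea_metrics_token: ~` (unchanged context) uses null as the "not set" sentinel, while the secrets introduced in this PR use `''` and are tested with `| length == 0`; `length` on a null value raises a TypeError in Jinja, so a user who copies the `~` style for `gitea_secret_key` breaks `tasks/gitea_secrets.yml`. Use one convention across the file, or make the checks `| default('') | length == 0`.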
38
tasks/gitea_secrets.yml
Normal file
|
@ -0,0 +1,38 @@
|
||||||
|
---
|
||||||
|
- name: generate gitea SECRET_KEY if not provided
|
||||||
|
become: true
|
||||||
|
shell: 'umask 077; /usr/local/bin/gitea generate secret SECRET_KEY > /etc/gitea/gitea_secret_key'
|
||||||
|
args:
|
||||||
|
creates: '/etc/gitea/gitea_secret_key'
|
||||||
|
when: gitea_secret_key | length == 0
|
||||||
|
|
||||||
|
- name: read gitea SECRET_KEY from file
|
||||||
|
become: true
|
||||||
|
slurp:
|
||||||
|
src: '/etc/gitea/gitea_secret_key'
|
||||||
|
register: remote_secret_key
|
||||||
|
when: gitea_secret_key | length == 0
|
||||||
|
|
||||||
|
- name: set fact gitea_secret_key
|
||||||
|
set_fact:
|
||||||
|
gitea_secret_key: "{{ remote_secret_key['content'] | b64decode }}"
|
||||||
|
when: gitea_secret_key | length == 0
|
||||||
|
|
||||||
|
- name: generate gitea INTERNAL_TOKEN if not provided
|
||||||
|
become: true
|
||||||
|
shell: 'umask 077; /usr/local/bin/gitea generate secret INTERNAL_TOKEN > /etc/gitea/gitea_internal_token'
|
||||||
|
args:
|
||||||
|
creates: '/etc/gitea/gitea_internal_token'
|
||||||
|
when: gitea_internal_token | length == 0
|
||||||
|
|
||||||
|
- name: read gitea INTERNAL_TOKEN from file
|
||||||
|
become: true
|
||||||
|
slurp:
|
||||||
|
src: '/etc/gitea/gitea_internal_token'
|
||||||
|
register: remote_internal_token
|
||||||
|
when: gitea_internal_token | length == 0
|
||||||
|
|
||||||
|
- name: set fact gitea_internal_token
|
||||||
|
set_fact:
|
||||||
|
gitea_internal_token: "{{ remote_internal_token['content'] | b64decode }}"
|
||||||
|
when: gitea_internal_token | length == 0
|
|
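Review bot: the `creates: '/etc/gitea/gitea_secret_key'` guard combined with a shell redirect is unsafe: the shell opens the output file before `/usr/local/bin/gitea` runs, so if the command fails (binary not installed yet, wrong path, non-zero exit) an empty file is left behind, the task fails once, and every later run skips the generate step and `set_fact`s an empty SECRET_KEY into app.ini. Write to a temporary file and move it into place only on success, or add a follow-up assertion that the slurped content is non-empty; the same applies to the INTERNAL_TOKEN tasks. Also add `no_log: true` to the `slurp` and `set_fact` tasks so the secrets are not printed in `-v` output or callback logs, and consider `| b64decode | trim` so a trailing newline can never end up inside the value. `/usr/local/bin/gitea` is hard-coded here; if the install path is a role variable elsewhere, use it.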
@ -59,6 +59,8 @@
|
||||||
|
|
||||||
- include_tasks: jwt_secrets.yml
|
- include_tasks: jwt_secrets.yml
|
||||||
|
|
||||||
|
- include_tasks: gitea_secrets.yml
|
||||||
|
|
||||||
- name: "Configure gitea"
|
- name: "Configure gitea"
|
||||||
template:
|
template:
|
||||||
src: gitea.ini.j2
|
src: gitea.ini.j2
|
||||||
|
|
|
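Review bot: `gitea_secrets.yml` runs `/usr/local/bin/gitea generate secret` and writes under `/etc/gitea`, so this include must sit after the binary download/verification and the config-directory tasks; the context shown only proves it runs after `jwt_secrets.yml` and before `Configure gitea`. Confirm the ordering, and if the template task carries tags, give the include the same tags so a tag-limited run does not render app.ini with an empty SECRET_KEY.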
@ -131,7 +131,7 @@ RECAPTCHA_SITEKEY =
|
||||||
SHOW_REGISTRATION_BUTTON = {{ gitea_show_registration_button | ternary('true', 'false') }}
|
SHOW_REGISTRATION_BUTTON = {{ gitea_show_registration_button | ternary('true', 'false') }}
|
||||||
ALLOW_ONLY_EXTERNAL_REGISTRATION = {{ gitea_only_allow_external_registration | ternary('true', 'false') }}
|
ALLOW_ONLY_EXTERNAL_REGISTRATION = {{ gitea_only_allow_external_registration | ternary('true', 'false') }}
|
||||||
ENABLE_NOTIFY_MAIL = {{ gitea_enable_notify_mail | ternary('true', 'false') }}
|
ENABLE_NOTIFY_MAIL = {{ gitea_enable_notify_mail | ternary('true', 'false') }}
|
||||||
|
AUTO_WATCH_NEW_REPOS = {{ gitea_auto_watch_new_repos | ternary('true', 'false') }}
|
||||||
[mailer]
|
[mailer]
|
||||||
ENABLED = {{ gitea_mailer_enabled | ternary('true', 'false') }}
|
ENABLED = {{ gitea_mailer_enabled | ternary('true', 'false') }}
|
||||||
; Mail server
|
; Mail server
|
||||||
|
|