Merge pull request #2 from roles-ansible/docs

start updating docs and generate undefined secrets

README.md

@@ -50,40 +50,57 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
     - gitea
 ```
 
-## More detailed options
+ Variables
-### General
+-----------
+Here is a deeper insight into the variables of this gitea role. For the exact function of some variables and the possibility to add more options we recommend a look at the config cheat sheet.  For the exact function of some variables and the possibility to add more options we recommend a look at this [config cheat sheet](https://docs.gitea.io/en-us/config-cheat-sheet/).
 
-* `gitea_version_check`: Check if installed version != `gitea_version` before initiating binary download
+### gitea version
-* `gitea_user`: UNIX user used by Gitea
+| variable name | default value | description |
-* `gitea_group`: UNIX group used by Gitea
+| ------------- | ------------- | ----------- |
-* `gitea_home`: Base directory to work
+| `gitea_version` | *(see [defaults/main.yml](defaults/main.yml#L3))* | The gitea version this role shoud install |
-* `gitea_dl_url`: The URL, the compiled gitea-binary will be downloaded from
+| `gitea_version_check` | `true` | Check if installed version != `gitea_version` before initiating binary download |
-* `gitea_systemd_cap_net_bind_service`: Adds `AmbientCapabilities=CAP_NET_BIND_SERVICE` to systemd service file
+| `gitea_dl_url` | *(see [defaults/main.yml](defaults/main.yml#L5))* | The path from where this role downloads the gitea binary |
-* `gitea_extra_config`: Additional configuration
+| `gitea_gpg_key` | `7C9E68152594688862D62AF62D9AE806EC1592E2` | the gpg key the gitea binary is signed with |
+| `gitea_gpg_server` | `hkp://keyserver.ubuntu.com:80` | A gpg key server where this role can download the gpg key |
+
+### gitea in the linux world
+| variable name | default value | description |
+| ------------- | ------------- | ----------- |
+| `gitea_user` | `gitea ` | UNIX user used by Gitea |
+| `gitea_group` | `gitea` | UNIX group used by Gitea |
+| `gitea_home` | `/var/lib/gitea` | Base directory to work |
+| `gitea_shell` | `/bin/false` | UNIX shell used by gitea. Set it to `/bin/bash` if you don't use the gitea built-in ssh server. |
 
 ### Look and feel
+| variable name | default value | description |
+| ------------- | ------------- | ----------- |
+| `gitea_app_name` | `Gitea` | Displayed application name |
+| `gitea_repository_root` | `{{ gitea_home }}/repos` | The path where all gitea repositorys are stored |
+| `gitea_show_user_email` | `false` | Do you want to display email addresses ? (true/false) |
+| `gitea_disable_gravatar` | `true` | Do you want to disable Gravatar ? (privacy and so on) (true/false) |
+| `gitea_disable_registration` | `false` | Do you want to disable user registration? (true/false) |
+| `gitea_register_email_confirm` | `false` | Enable this to ask for mail confirmation of registration. Requires `gitea_mailer_enabled` to be enabled. |
+| `gitea_offline_mode` | `true` | Disables use of CDN for static files and Gravatar for profile pictures. (true/false) |
+| `gitea_only_allow_external_registration` | `false` | Set to true to force registration only using third-party services (true/false) |
+| `gitea_show_registration_button` | `true` | Here you can hide the registration button. This will not disable registration! (true/false)|
+| `gitea_require_signin` | `true` | Do you require a signin to see repo's (even public ones)? (true/false)|
+| `gitea_enable_captcha` | `true` | Do you want to enable captcha's ? (true/false)|
+| `gitea_enable_notify_mail` | `false` | Enable this to send e-mail to watchers of a repository when something happens, like creating issues (true/false) |
+| `gitea_auto_watch_new_repos` | `true` | Enable this to let all organisation users watch new repos when they are created (true/false) |
+| `gitea_themes` | `gitea,arc-green` | List of enabled themes |
+| `gitea_theme_default` | `gitea` | Default theme |
 
-* `gitea_app_name`: Displayed application name
-* `gitea_show_user_email`: Do you want to display email addresses ? (true/false)
-* `gitea_disable_gravatar`: Do you want to disable Gravatar ? (privacy and so on) (true/false)
-* `gitea_offline_mode`: Same but for disabling CDNs for frontend assets (true/false)
-* `gitea_disable_registration`: Do you want to disable user registration ? (true/false)
-* `gitea_register_email_confirm`: Enable this to ask for mail confirmation of registration. Requires `gitea_mailer_enabled` to be enabled (Default: `false`)
-* `gitea_only_allow_external_registration`: Do you want to force registration only using third-party services ? (true/false)
-* `gitea_show_registration_button`: Do you want to show the registration button? (true/false)
-* `gitea_require_signin`: Do you require a signin to see repo's (even public ones) ? (true/false)
-* `gitea_enable_captcha`: Do you want to enable captcha's ? (true/false)
-* `gitea_themes`: List of enabled themes
-* `gitea_theme_default`: Default theme
 
 ### Security
-* `gitea_secret_key`: Cookie secret key
+| variable name | default value | description |
-* `gitea_internal_token`: Internal API token
+| ------------- | ------------- | ----------- |
-* `gitea_disable_git_hooks`: Do you want to disable the interface to add git hooks? If enabled it could be a security bug as it can be used for RCE. Defaults to true (true/false)
+| `gitea_secret_key` | `''` | Global secret key. Will be autogenerated if not defined. Should be unique. |
+| `gitea_internal_token` | `''` | Internal API token. Will be autogenerated if not defined. Should be unique. |
+| `gitea_disable_git_hooks` | `true` | Set to false to enable users with git hook privilege to create custom git hooks. Can be dangerous. |
+| `gitea_user_repo_limit` | `-1` | Limit how many repos a user can have *(`-1` for unlimited)* |
+| `gitea_lfs_secret` | `''` | < JWT secret for remote LFS usage. Can be generated with ``gitea generate secret JWT_SECRET``. Will be autogenerated if not defined |
+| `gitea_oauth2_jwt_secret` | `''` | Oauth2 JWT secret. Can be generated with ``gitea generate secret JWT_SECRET``. Will be autogenerated if not defined. |
 
-### Limits
-
-* `gitea_user_repo_limit`: Limit how many repos a user can have (-1 for unlimited)
 
 ### HTTP configuration
 
@@ -128,7 +145,6 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
 
 * `gitea_lfs_enabled`: Enable GIT LFS *(git large file storeage: [git-lfs](https://git-lfs.github.com/))*. Default: `false`
 * `gitea_lfs_content_path`: path where the lfs files are stored
-* `gitea_lfs_secret`: JWT secret for remote LFS usage. Can be generated with ``gitea generate secret JWT_SECRET``
 
 ### Log configuration
 * `gitea_log_systemd` Disable logging into `file`, use systemd-journald
@@ -149,7 +165,6 @@ As this will only deploy config files, fail2ban already has to be installed or o
 ### Oauth2 provider configuration
 
 * `gitea_oauth2_enabled`: Enable the Oauth2 provider (true/false)
-* `gitea_oauth2_jwt_secret`: Oauth2 JWT secret. Can be generated with ``gitea generate secret JWT_SECRET``
 
 
 ### Metrics endpoint configuration
@@ -169,6 +184,8 @@ As this will only deploy config files, fail2ban already has to be installed or o
 * `gitea_backup_on_upgrade`: Optionally a backup can be created with every update of gitea. Default: `false`
 * `gitea_backup_location`: Where to store the gitea backup if one is created with this role. Default: `{{ gitea_home }}/backups/`
 
+* `gitea_systemd_cap_net_bind_service`: Adds `AmbientCapabilities=CAP_NET_BIND_SERVICE` to systemd service file
+* `gitea_extra_config`: Additional configuration
 ## Contributing
 Don't hesitate to create a pull request, and when in doubt you can reach me on
 Mastodon [@l3d@chaos.social](https://chaos.social/@l3d).

defaults/main.yml

@@ -1,33 +1,56 @@
 ---
+# gitea version
 gitea_version: "1.13.4"
 gitea_version_check: true
 gitea_dl_url: "https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-{{ gitea_arch }}"
 gitea_gpg_key: "7C9E68152594688862D62AF62D9AE806EC1592E2"
 gitea_gpg_server: "hkp://keyserver.ubuntu.com:80"
 
-gitea_app_name: "Gitea"
+# gitea in the linux world
 gitea_user: "gitea"
 gitea_group: "gitea"
 gitea_home: "/var/lib/gitea"
 gitea_shell: "/bin/false"
-gitea_systemd_cap_net_bind_service: false
 
+# look and feel
+gitea_app_name: "Gitea"
 gitea_repository_root: "{{ gitea_home }}/repos"
+gitea_show_user_email: false
+gitea_disable_gravatar: true
+gitea_disable_registration: false
+gitea_register_email_confirm: false
+gitea_offline_mode: true
+gitea_only_allow_external_registration: false
+gitea_show_registration_button: true
+gitea_require_signin: true
+gitea_enable_captcha: true
+gitea_enable_notify_mail: false
+gitea_auto_watch_new_repos: true
+gitea_themes: gitea,arc-green
+gitea_theme_default: gitea
+
+# security
+gitea_secret_key: ''
+gitea_internal_token: ''
+gitea_disable_git_hooks: true
 gitea_user_repo_limit: -1
+gitea_lfs_jwt_secret: ''
+gitea_oauth2_jwt_secret: ''
 
 gitea_http_domain: localhost
+
 gitea_root_url: http://localhost:3000
 gitea_protocol: http
 gitea_http_listen: 127.0.0.1
 gitea_http_port: 3000
 # gitea_http_letsencrypt_mail:  - required
 gitea_disable_http_git: false
-gitea_offline_mode: true
+
 
 gitea_lfs_server_enabled: false
 gitea_lfs_content_path: "{{ gitea_home }}/data/lfs"
-gitea_lfs_jwt_secret: ''
 
+gitea_systemd_cap_net_bind_service: false
 gitea_db_type: sqlite3
 gitea_db_host: 127.0.0.0:3306
 gitea_db_name: root
@@ -41,20 +64,6 @@ gitea_ssh_domain: localhost
 gitea_start_ssh: true
 gitea_ssh_port: 2222
 
-gitea_secret_key: T0pS3cr31
-gitea_internal_token: SomethingVeryLong
-gitea_disable_git_hooks: true
-
-gitea_show_user_email: false
-gitea_disable_gravatar: true
-gitea_disable_registration: false
-gitea_register_email_confirm: false
-gitea_show_registration_button: true
-gitea_require_signin: true
-gitea_enable_captcha: true
-gitea_only_allow_external_registration: false
-gitea_enable_notify_mail: false
-
 gitea_force_private: false
 
 gitea_mailer_enabled: false
@@ -77,13 +86,10 @@ gitea_fail2ban_jail_bantime: 900
 gitea_fail2ban_jail_action: iptables-allports
 
 gitea_oauth2_enabled: true
-gitea_oauth2_jwt_secret: ''
 
 gitea_metrics_enabled: false
 gitea_metrics_token: ~
 
-gitea_themes: gitea,arc-green
-gitea_theme_default: gitea
 
 gitea_repo_indexer_enabled: false
 gitea_repo_indexer_include: ""

tasks/gitea_secrets.yml

@@ -0,0 +1,38 @@
+---
+- name: generate gitea SECRET_KEY if not provided
+  become: true
+  shell: 'umask 077; /usr/local/bin/gitea generate secret SECRET_KEY > /etc/gitea/gitea_secret_key'
+  args:
+    creates: '/etc/gitea/gitea_secret_key'
+  when: gitea_secret_key | length == 0
+
+- name: read gitea SECRET_KEY from file
+  become: true
+  slurp:
+    src: '/etc/gitea/gitea_secret_key'
+  register: remote_secret_key
+  when: gitea_secret_key | length == 0
+
+- name: set fact gitea_secret_key
+  set_fact:
+    gitea_secret_key: "{{ remote_secret_key['content'] | b64decode }}"
+  when: gitea_secret_key | length == 0
+
+- name: generate gitea INTERNAL_TOKEN if not provided
+  become: true
+  shell: 'umask 077; /usr/local/bin/gitea generate secret INTERNAL_TOKEN > /etc/gitea/gitea_internal_token'
+  args:
+    creates: '/etc/gitea/gitea_internal_token'
+  when: gitea_internal_token | length == 0
+
+- name: read gitea INTERNAL_TOKEN from file
+  become: true
+  slurp:
+    src: '/etc/gitea/gitea_internal_token'
+  register: remote_internal_token
+  when: gitea_internal_token | length == 0
+
+- name: set fact gitea_internal_token
+  set_fact:
+    gitea_internal_token: "{{ remote_internal_token['content'] | b64decode }}"
+  when: gitea_internal_token | length == 0

tasks/main.yml

@@ -59,6 +59,8 @@
 
 - include_tasks: jwt_secrets.yml
 
+- include_tasks: gitea_secrets.yml
+
 - name: "Configure gitea"
   template:
     src: gitea.ini.j2

templates/gitea.ini.j2

@@ -131,7 +131,7 @@ RECAPTCHA_SITEKEY                =
 SHOW_REGISTRATION_BUTTON         = {{ gitea_show_registration_button | ternary('true', 'false') }}
 ALLOW_ONLY_EXTERNAL_REGISTRATION = {{ gitea_only_allow_external_registration | ternary('true', 'false') }}
 ENABLE_NOTIFY_MAIL               = {{ gitea_enable_notify_mail | ternary('true', 'false') }}
-
+AUTO_WATCH_NEW_REPOS             = {{ gitea_auto_watch_new_repos | ternary('true', 'false') }}
 [mailer]
 ENABLED            = {{ gitea_mailer_enabled | ternary('true', 'false') }}
 ; Mail server