mirror of https://github.com/roles-ansible/ansible_role_gitea.git synced 2024-08-16 11:39:50 +02:00

Merge pull request #2 from roles-ansible/docs

start updating docs and generate undefined secrets
L3D 2021-03-21 02:35:40 +01:00 committed by GitHub
commit 8ed69febc1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 114 additions and 51 deletions


@ -50,40 +50,57 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
- gitea - gitea
``` ```
## More detailed options Variables
### General -----------
Here is a deeper insight into the variables of this gitea role. For the exact function of some variables and the possibility to add more options we recommend a look at the config cheat sheet. For the exact function of some variables and the possibility to add more options we recommend a look at this [config cheat sheet](https://docs.gitea.io/en-us/config-cheat-sheet/).
* `gitea_version_check`: Check if installed version != `gitea_version` before initiating binary download ### gitea version
* `gitea_user`: UNIX user used by Gitea | variable name | default value | description |
* `gitea_group`: UNIX group used by Gitea | ------------- | ------------- | ----------- |
* `gitea_home`: Base directory to work | `gitea_version` | *(see [defaults/main.yml](defaults/main.yml#L3))* | The gitea version this role shoud install |
* `gitea_dl_url`: The URL, the compiled gitea-binary will be downloaded from | `gitea_version_check` | `true` | Check if installed version != `gitea_version` before initiating binary download |
* `gitea_systemd_cap_net_bind_service`: Adds `AmbientCapabilities=CAP_NET_BIND_SERVICE` to systemd service file | `gitea_dl_url` | *(see [defaults/main.yml](defaults/main.yml#L5))* | The path from where this role downloads the gitea binary |
* `gitea_extra_config`: Additional configuration | `gitea_gpg_key` | `7C9E68152594688862D62AF62D9AE806EC1592E2` | the gpg key the gitea binary is signed with |
| `gitea_gpg_server` | `hkp://keyserver.ubuntu.com:80` | A gpg key server where this role can download the gpg key |
### gitea in the linux world
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_user` | `gitea ` | UNIX user used by Gitea |
| `gitea_group` | `gitea` | UNIX group used by Gitea |
| `gitea_home` | `/var/lib/gitea` | Base directory to work |
| `gitea_shell` | `/bin/false` | UNIX shell used by gitea. Set it to `/bin/bash` if you don't use the gitea built-in ssh server. |
### Look and feel ### Look and feel
| variable name | default value | description |
| ------------- | ------------- | ----------- |
| `gitea_app_name` | `Gitea` | Displayed application name |
| `gitea_repository_root` | `{{ gitea_home }}/repos` | The path where all gitea repositorys are stored |
| `gitea_show_user_email` | `false` | Do you want to display email addresses ? (true/false) |
| `gitea_disable_gravatar` | `true` | Do you want to disable Gravatar ? (privacy and so on) (true/false) |
| `gitea_disable_registration` | `false` | Do you want to disable user registration? (true/false) |
| `gitea_register_email_confirm` | `false` | Enable this to ask for mail confirmation of registration. Requires `gitea_mailer_enabled` to be enabled. |
| `gitea_offline_mode` | `true` | Disables use of CDN for static files and Gravatar for profile pictures. (true/false) |
| `gitea_only_allow_external_registration` | `false` | Set to true to force registration only using third-party services (true/false) |
| `gitea_show_registration_button` | `true` | Here you can hide the registration button. This will not disable registration! (true/false)|
| `gitea_require_signin` | `true` | Do you require a signin to see repo's (even public ones)? (true/false)|
| `gitea_enable_captcha` | `true` | Do you want to enable captcha's ? (true/false)|
| `gitea_enable_notify_mail` | `false` | Enable this to send e-mail to watchers of a repository when something happens, like creating issues (true/false) |
| `gitea_auto_watch_new_repos` | `true` | Enable this to let all organisation users watch new repos when they are created (true/false) |
| `gitea_themes` | `gitea,arc-green` | List of enabled themes |
| `gitea_theme_default` | `gitea` | Default theme |
* `gitea_app_name`: Displayed application name
* `gitea_show_user_email`: Do you want to display email addresses ? (true/false)
* `gitea_disable_gravatar`: Do you want to disable Gravatar ? (privacy and so on) (true/false)
* `gitea_offline_mode`: Same but for disabling CDNs for frontend assets (true/false)
* `gitea_disable_registration`: Do you want to disable user registration ? (true/false)
* `gitea_register_email_confirm`: Enable this to ask for mail confirmation of registration. Requires `gitea_mailer_enabled` to be enabled (Default: `false`)
* `gitea_only_allow_external_registration`: Do you want to force registration only using third-party services ? (true/false)
* `gitea_show_registration_button`: Do you want to show the registration button? (true/false)
* `gitea_require_signin`: Do you require a signin to see repo's (even public ones) ? (true/false)
* `gitea_enable_captcha`: Do you want to enable captcha's ? (true/false)
* `gitea_themes`: List of enabled themes
* `gitea_theme_default`: Default theme
### Security ### Security
* `gitea_secret_key`: Cookie secret key | variable name | default value | description |
* `gitea_internal_token`: Internal API token | ------------- | ------------- | ----------- |
* `gitea_disable_git_hooks`: Do you want to disable the interface to add git hooks? If enabled it could be a security bug as it can be used for RCE. Defaults to true (true/false) | `gitea_secret_key` | `''` | Global secret key. Will be autogenerated if not defined. Should be unique. |
| `gitea_internal_token` | `''` | Internal API token. Will be autogenerated if not defined. Should be unique. |
| `gitea_disable_git_hooks` | `true` | Set to false to enable users with git hook privilege to create custom git hooks. Can be dangerous. |
| `gitea_user_repo_limit` | `-1` | Limit how many repos a user can have *(`-1` for unlimited)* |
| `gitea_lfs_secret` | `''` | < JWT secret for remote LFS usage. Can be generated with ``gitea generate secret JWT_SECRET``. Will be autogenerated if not defined |
| `gitea_oauth2_jwt_secret` | `''` | Oauth2 JWT secret. Can be generated with ``gitea generate secret JWT_SECRET``. Will be autogenerated if not defined. |
### Limits
* `gitea_user_repo_limit`: Limit how many repos a user can have (-1 for unlimited)
### HTTP configuration ### HTTP configuration
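Review bot: the `gitea_lfs_secret` row in the new Security table starts its description with a stray `< `, and the variable is documented here as `gitea_lfs_secret` while defaults/main.yml in this same change defines `gitea_lfs_jwt_secret`; align the two names so that a user who sets the documented variable actually overrides the secret. Small typos in the same tables: `shoud` (should) in the `gitea_version` row, a trailing space inside the `gitea ` default for `gitea_user`, and `repositorys` (repositories) in the `gitea_repository_root` row.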
@ -128,7 +145,6 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
* `gitea_lfs_enabled`: Enable GIT LFS *(git large file storeage: [git-lfs](https://git-lfs.github.com/))*. Default: `false` * `gitea_lfs_enabled`: Enable GIT LFS *(git large file storeage: [git-lfs](https://git-lfs.github.com/))*. Default: `false`
* `gitea_lfs_content_path`: path where the lfs files are stored * `gitea_lfs_content_path`: path where the lfs files are stored
* `gitea_lfs_secret`: JWT secret for remote LFS usage. Can be generated with ``gitea generate secret JWT_SECRET``
### Log configuration ### Log configuration
* `gitea_log_systemd` Disable logging into `file`, use systemd-journald * `gitea_log_systemd` Disable logging into `file`, use systemd-journald
@ -149,7 +165,6 @@ As this will only deploy config files, fail2ban already has to be installed or o
### Oauth2 provider configuration ### Oauth2 provider configuration
* `gitea_oauth2_enabled`: Enable the Oauth2 provider (true/false) * `gitea_oauth2_enabled`: Enable the Oauth2 provider (true/false)
* `gitea_oauth2_jwt_secret`: Oauth2 JWT secret. Can be generated with ``gitea generate secret JWT_SECRET``
### Metrics endpoint configuration ### Metrics endpoint configuration
@ -169,6 +184,8 @@ As this will only deploy config files, fail2ban already has to be installed or o
* `gitea_backup_on_upgrade`: Optionally a backup can be created with every update of gitea. Default: `false` * `gitea_backup_on_upgrade`: Optionally a backup can be created with every update of gitea. Default: `false`
* `gitea_backup_location`: Where to store the gitea backup if one is created with this role. Default: `{{ gitea_home }}/backups/` * `gitea_backup_location`: Where to store the gitea backup if one is created with this role. Default: `{{ gitea_home }}/backups/`
* `gitea_systemd_cap_net_bind_service`: Adds `AmbientCapabilities=CAP_NET_BIND_SERVICE` to systemd service file
* `gitea_extra_config`: Additional configuration
## Contributing ## Contributing
Don't hesitate to create a pull request, and when in doubt you can reach me on Don't hesitate to create a pull request, and when in doubt you can reach me on
Mastodon [@l3d@chaos.social](https://chaos.social/@l3d). Mastodon [@l3d@chaos.social](https://chaos.social/@l3d).
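Review bot: `gitea_systemd_cap_net_bind_service` and `gitea_extra_config` are removed from the end of the list here but do not reappear in any of the new tables earlier in this change, so both variables become undocumented even though `gitea_systemd_cap_net_bind_service: false` still ships in defaults/main.yml. Suggest adding a row for each, for example under the "gitea in the linux world" table.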


@ -1,33 +1,56 @@
--- ---
# gitea version
gitea_version: "1.13.4" gitea_version: "1.13.4"
gitea_version_check: true gitea_version_check: true
gitea_dl_url: "https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-{{ gitea_arch }}" gitea_dl_url: "https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-{{ gitea_arch }}"
gitea_gpg_key: "7C9E68152594688862D62AF62D9AE806EC1592E2" gitea_gpg_key: "7C9E68152594688862D62AF62D9AE806EC1592E2"
gitea_gpg_server: "hkp://keyserver.ubuntu.com:80" gitea_gpg_server: "hkp://keyserver.ubuntu.com:80"
gitea_app_name: "Gitea" # gitea in the linux world
gitea_user: "gitea" gitea_user: "gitea"
gitea_group: "gitea" gitea_group: "gitea"
gitea_home: "/var/lib/gitea" gitea_home: "/var/lib/gitea"
gitea_shell: "/bin/false" gitea_shell: "/bin/false"
gitea_systemd_cap_net_bind_service: false
# look and feel
gitea_app_name: "Gitea"
gitea_repository_root: "{{ gitea_home }}/repos" gitea_repository_root: "{{ gitea_home }}/repos"
gitea_show_user_email: false
gitea_disable_gravatar: true
gitea_disable_registration: false
gitea_register_email_confirm: false
gitea_offline_mode: true
gitea_only_allow_external_registration: false
gitea_show_registration_button: true
gitea_require_signin: true
gitea_enable_captcha: true
gitea_enable_notify_mail: false
gitea_auto_watch_new_repos: true
gitea_themes: gitea,arc-green
gitea_theme_default: gitea
# security
gitea_secret_key: ''
gitea_internal_token: ''
gitea_disable_git_hooks: true
gitea_user_repo_limit: -1 gitea_user_repo_limit: -1
gitea_lfs_jwt_secret: ''
gitea_oauth2_jwt_secret: ''
gitea_http_domain: localhost gitea_http_domain: localhost
gitea_root_url: http://localhost:3000 gitea_root_url: http://localhost:3000
gitea_protocol: http gitea_protocol: http
gitea_http_listen: 127.0.0.1 gitea_http_listen: 127.0.0.1
gitea_http_port: 3000 gitea_http_port: 3000
# gitea_http_letsencrypt_mail: - required # gitea_http_letsencrypt_mail: - required
gitea_disable_http_git: false gitea_disable_http_git: false
gitea_offline_mode: true
gitea_lfs_server_enabled: false gitea_lfs_server_enabled: false
gitea_lfs_content_path: "{{ gitea_home }}/data/lfs" gitea_lfs_content_path: "{{ gitea_home }}/data/lfs"
gitea_lfs_jwt_secret: ''
gitea_systemd_cap_net_bind_service: false
gitea_db_type: sqlite3 gitea_db_type: sqlite3
gitea_db_host: 127.0.0.0:3306 gitea_db_host: 127.0.0.0:3306
gitea_db_name: root gitea_db_name: root
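Review bot: `gitea_lfs_jwt_secret: ''` is added under the `# security` comment, but the README table in this change documents the variable as `gitea_lfs_secret`; pick one name. Since `gitea_lfs_jwt_secret` and `gitea_oauth2_jwt_secret` now default to `''` and the README promises they "will be autogenerated if not defined", please confirm that the existing `jwt_secrets.yml` include treats an empty string as undefined the same way the new `gitea_secrets.yml` does with `| length == 0`, otherwise an empty secret gets templated into app.ini.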
@ -41,20 +64,6 @@ gitea_ssh_domain: localhost
gitea_start_ssh: true gitea_start_ssh: true
gitea_ssh_port: 2222 gitea_ssh_port: 2222
gitea_secret_key: T0pS3cr31
gitea_internal_token: SomethingVeryLong
gitea_disable_git_hooks: true
gitea_show_user_email: false
gitea_disable_gravatar: true
gitea_disable_registration: false
gitea_register_email_confirm: false
gitea_show_registration_button: true
gitea_require_signin: true
gitea_enable_captcha: true
gitea_only_allow_external_registration: false
gitea_enable_notify_mail: false
gitea_force_private: false gitea_force_private: false
gitea_mailer_enabled: false gitea_mailer_enabled: false
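Review bot: dropping the hard-coded `gitea_secret_key: T0pS3cr31` and `gitea_internal_token: SomethingVeryLong` defaults is the right call, since every deployment that left them unset shared the same values for what the old README row calls the "Cookie secret key" and the internal API token. Because the default is now `''` and `gitea_secrets.yml` generates and templates a fresh value in that case, hosts that were running on the old defaults receive a new SECRET_KEY and INTERNAL_TOKEN on the next run; worth stating in the commit message or a changelog entry so operators expect existing sessions to be invalidated.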
@ -77,13 +86,10 @@ gitea_fail2ban_jail_bantime: 900
gitea_fail2ban_jail_action: iptables-allports gitea_fail2ban_jail_action: iptables-allports
gitea_oauth2_enabled: true gitea_oauth2_enabled: true
gitea_oauth2_jwt_secret: ''
gitea_metrics_enabled: false gitea_metrics_enabled: false
gitea_metrics_token: ~ gitea_metrics_token: ~
gitea_themes: gitea,arc-green
gitea_theme_default: gitea
gitea_repo_indexer_enabled: false gitea_repo_indexer_enabled: false
gitea_repo_indexer_include: "" gitea_repo_indexer_include: ""

tasks/gitea_secrets.yml Normal file

@ -0,0 +1,38 @@
---
- name: generate gitea SECRET_KEY if not provided
become: true
shell: 'umask 077; /usr/local/bin/gitea generate secret SECRET_KEY > /etc/gitea/gitea_secret_key'
args:
creates: '/etc/gitea/gitea_secret_key'
when: gitea_secret_key | length == 0
- name: read gitea SECRET_KEY from file
become: true
slurp:
src: '/etc/gitea/gitea_secret_key'
register: remote_secret_key
when: gitea_secret_key | length == 0
- name: set fact gitea_secret_key
set_fact:
gitea_secret_key: "{{ remote_secret_key['content'] | b64decode }}"
when: gitea_secret_key | length == 0
- name: generate gitea INTERNAL_TOKEN if not provided
become: true
shell: 'umask 077; /usr/local/bin/gitea generate secret INTERNAL_TOKEN > /etc/gitea/gitea_internal_token'
args:
creates: '/etc/gitea/gitea_internal_token'
when: gitea_internal_token | length == 0
- name: read gitea INTERNAL_TOKEN from file
become: true
slurp:
src: '/etc/gitea/gitea_internal_token'
register: remote_internal_token
when: gitea_internal_token | length == 0
- name: set fact gitea_internal_token
set_fact:
gitea_internal_token: "{{ remote_internal_token['content'] | b64decode }}"
when: gitea_internal_token | length == 0
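Review bot: the `slurp` and `set_fact` tasks should carry `no_log: true`; as written, `remote_secret_key`, `remote_internal_token` and the resulting `gitea_secret_key` / `gitea_internal_token` facts are printed in verbose runs and land in anything that captures playbook output. Two smaller points: the `umask 077` plus `creates:` pattern is fine, but the generated value is taken from redirected stdout, so if `gitea generate secret` ever emits a trailing newline the `b64decode` result carries it straight into app.ini (a `| trim` after `b64decode` is cheap insurance); and both secrets assume `/usr/local/bin/gitea` and `/etc/gitea` already exist, which ties this file to the install tasks running first.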


@ -59,6 +59,8 @@
- include_tasks: jwt_secrets.yml - include_tasks: jwt_secrets.yml
- include_tasks: gitea_secrets.yml
- name: "Configure gitea" - name: "Configure gitea"
template: template:
src: gitea.ini.j2 src: gitea.ini.j2
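Review bot: the new include sits before "Configure gitea", which is what the template needs, but `gitea_secrets.yml` shells out to `/usr/local/bin/gitea`, so it must also stay after the binary-install tasks; a one-line comment next to the include recording that ordering dependency would keep a future reorder from breaking first runs.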


@ -131,7 +131,7 @@ RECAPTCHA_SITEKEY =
SHOW_REGISTRATION_BUTTON = {{ gitea_show_registration_button | ternary('true', 'false') }} SHOW_REGISTRATION_BUTTON = {{ gitea_show_registration_button | ternary('true', 'false') }}
ALLOW_ONLY_EXTERNAL_REGISTRATION = {{ gitea_only_allow_external_registration | ternary('true', 'false') }} ALLOW_ONLY_EXTERNAL_REGISTRATION = {{ gitea_only_allow_external_registration | ternary('true', 'false') }}
ENABLE_NOTIFY_MAIL = {{ gitea_enable_notify_mail | ternary('true', 'false') }} ENABLE_NOTIFY_MAIL = {{ gitea_enable_notify_mail | ternary('true', 'false') }}
AUTO_WATCH_NEW_REPOS = {{ gitea_auto_watch_new_repos | ternary('true', 'false') }}
[mailer] [mailer]
ENABLED = {{ gitea_mailer_enabled | ternary('true', 'false') }} ENABLED = {{ gitea_mailer_enabled | ternary('true', 'false') }}
; Mail server ; Mail server