From 975be7e627163641882d838d8b2dd67a1810600d Mon Sep 17 00:00:00 2001
From: L3D
Date: Fri, 27 Jan 2023 01:35:16 +0100
Subject: [PATCH] Adding support for forgejo installation

---
 README.md | 2 +
 defaults/main.yml | 1 +
 tasks/backup.yml | 2 +-
 tasks/gitea_secrets.yml | 4 +-
 tasks/install_forgejo.yml | 78 +++++++++++++++
 tasks/{install.yml => install_gitea.yml} | 4 +-
 tasks/jwt_secrets.yml | 4 +-
 tasks/main.yml | 6 +-
 tasks/set_forgejo_version.yml | 98 +++++++++++++++++++
 ...{set_version.yml => set_gitea_version.yml} | 2 +-
 templates/gitea.service.j2 | 4 +-
 vars/fork_forgejo.yml | 6 ++
 vars/fork_gitea.yml | 3 +
 vars/main.yml | 1 -
 14 files changed, 201 insertions(+), 14 deletions(-)
 create mode 100644 tasks/install_forgejo.yml
 rename tasks/{install.yml => install_gitea.yml} (97%)
 create mode 100644 tasks/set_forgejo_version.yml
 rename tasks/{set_version.yml => set_gitea_version.yml} (94%)

diff --git a/README.md b/README.md
index 61fd7db..a236d11 100644
--- a/README.md
+++ b/README.md
@@ -48,6 +48,7 @@ Either you define exactly which release you install. Or you use the option ``lat
 | `gitea_version` | `latest` | Define either the exact release to install *(eg. `1.16.0`)* or use ``latest`` *(default)* to install the latest release. |
 | `gitea_version_check` | `true` | Check if installed version != `gitea_version` before initiating binary download |
 | `gitea_gpg_key` | `7C9E68152594688862D62AF62D9AE806EC1592E2` | the gpg key the gitea binary is signed with |
+| `gitea_forgejo_gpg_key` | `EB114F5E6C0DC2BCDD183550A4B61A2DC5923710` | the gpg key the forgejo binary is signed with |
 | `gitea_gpg_server` | `hkps://keys.openpgp.org` | A gpg key server where this role can download the gpg key |
 | `gitea_backup_on_upgrade` | `false` | Optionally a backup can be created with every update of gitea. |
 | `gitea_backup_location` | `{{ gitea_home }}/backups/` | Where to store the gitea backup if one is created with this role. |
@@ -61,6 +62,7 @@ Either you define exactly which release you install. Or you use the option ``lat
 | `gitea_home` | `/var/lib/gitea` | Base directory to work |
 | `gitea_user_home` | `{{ gitea_home }}` | home of gitea user |
 | `gitea_executable_path` | `/usr/local/bin/gitea` | Path for gitea executable |
+| `gitea_forgejo_executable_path` | `/usr/local/bin/forgejo` | Path for forgejo executable |
 | `gitea_configuraion_path` | `/etc/gitea` | Where to put the gitea.ini config |
 | `gitea_shell` | `/bin/false` | UNIX shell used by gitea. Set it to `/bin/bash` if you don't use the gitea built-in ssh server. |
 | `gitea_systemd_cap_net_bind_service` | `false` | Adds `AmbientCapabilities=CAP_NET_BIND_SERVICE` to systemd service file |
diff --git a/defaults/main.yml b/defaults/main.yml
index ecd9e09..37e8bd8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -19,6 +19,7 @@ gitea_group: 'gitea'
 gitea_home: '/var/lib/gitea'
 gitea_user_home: '{{ gitea_home }}'
 gitea_executable_path: '/usr/local/bin/gitea'
+gitea_forgejo_executable_path: '/usr/local/bin/forgejo'
 gitea_configuraion_path: '/etc/gitea'
 gitea_shell: '/bin/false'
 gitea_systemd_cap_net_bind_service: false
diff --git a/tasks/backup.yml b/tasks/backup.yml
index 4c04e86..9699fca 100644
--- a/tasks/backup.yml
+++ b/tasks/backup.yml
@@ -29,7 +29,7 @@
 - name: Backing up gitea before upgrade
 become: true
 ansible.builtin.command:
- cmd: "sudo -u {{ gitea_user }} {{ gitea_executable_path }} dump -c {{ gitea_configuraion_path }}/gitea.ini"
+ cmd: "sudo -u {{ gitea_user }} {{ gitea_full_executable_path }} dump -c {{ gitea_configuraion_path }}/gitea.ini"
 chdir: "{{ gitea_backup_location }}"
 changed_when: true
 rescue:
diff --git a/tasks/gitea_secrets.yml b/tasks/gitea_secrets.yml
index b599d82..c5b1e20 100644
--- a/tasks/gitea_secrets.yml
+++ b/tasks/gitea_secrets.yml
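Review bot: `gitea_forgejo_gpg_key` is documented in the README table and consumed by the new install_forgejo.yml (`gpg --list-keys 0x{{ gitea_forgejo_gpg_key }}` and the `--recv` import), but the defaults/main.yml hunk only adds `gitea_forgejo_executable_path`, and vars/fork_forgejo.yml does not define it either. Unless the key was already added in an earlier commit, a forgejo install aborts with an undefined-variable error at the key check, i.e. before any signature is verified. Add `gitea_forgejo_gpg_key: 'EB114F5E6C0DC2BCDD183550A4B61A2DC5923710'` next to `gitea_gpg_key` in defaults/main.yml so the default matches what the README promises. Keeping the fingerprint as a quoted string also avoids any YAML retyping of a hex value.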
@@ -1,7 +1,7 @@
 ---
 - name: Generate gitea SECRET_KEY if not provided
 become: true
- ansible.builtin.shell: 'umask 077; {{ gitea_executable_path }} generate secret SECRET_KEY > {{ gitea_configuraion_path }}/gitea_secret_key'
+ ansible.builtin.shell: 'umask 077; {{ gitea_full_executable_path }} generate secret SECRET_KEY > {{ gitea_configuraion_path }}/gitea_secret_key'
 args:
 creates: '{{ gitea_configuraion_path }}/gitea_secret_key'
 when: gitea_secret_key | string | length == 0
@@ -20,7 +20,7 @@
 - name: Generate gitea INTERNAL_TOKEN if not provided
 become: true
- ansible.builtin.shell: 'umask 077; {{ gitea_executable_path }} generate secret INTERNAL_TOKEN > {{ gitea_configuraion_path }}/gitea_internal_token'
+ ansible.builtin.shell: 'umask 077; {{ gitea_full_executable_path }} generate secret INTERNAL_TOKEN > {{ gitea_configuraion_path }}/gitea_internal_token'
 args:
 creates: '{{ gitea_configuraion_path }}/gitea_internal_token'
 when: gitea_internal_token | string | length == 0
diff --git a/tasks/install_forgejo.yml b/tasks/install_forgejo.yml
new file mode 100644
index 0000000..018ca9b
--- /dev/null
+++ b/tasks/install_forgejo.yml
@@ -0,0 +1,78 @@
+---
+- name: Dependency block
+ block:
+ - name: Update apt cache
+ become: true
+ ansible.builtin.apt:
+ cache_valid_time: 3600
+ update_cache: true
+ register: _pre_update_apt_cache
+ until: _pre_update_apt_cache is succeeded
+ when:
+ - ansible_pkg_mgr == "apt"
+
+ - name: Install dependencies
+ become: true
+ ansible.builtin.package:
+ name: "{{ gitea_dependencies }}"
+ state: present
+ register: _install_dep_packages
+ until: _install_dep_packages is succeeded
+ retries: 5
+ delay: 2
+
+- name: Install forgejo block
+ when: (not gitea_version_check | bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version_target))
+ block:
+ - name: Download forgejo archive
+ ansible.builtin.get_url:
+ url: "{{ gitea_forgejo_dl_url | first }}"
+ dest: "/tmp/{{ gitea_filename }}"
+ checksum: "sha256:{{ gitea_forgejo_checksum }}"
+ mode: 0640
+ register: _download_archive
+ until: _download_archive is succeeded
+ retries: 5
+ delay: 2
+
+ - name: Download forgejo asc file
+ ansible.builtin.get_url:
+ url: "{{ gitea_forgejo_signed_url | first }}"
+ dest: "/tmp/{{ gitea_filename }}.asc"
+ mode: 0640
+ register: _download_asc
+ until: _download_asc is succeeded
+ retries: 5
+ delay: 2
+
+ - name: Check forgejo gpg key
+ ansible.builtin.command: "gpg --list-keys 0x{{ gitea_forgejo_gpg_key }}"
+ register: _gitea_gpg_key_status
+ changed_when: false
+ failed_when: _gitea_gpg_key_status.rc not in (0, 2)
+
+ - name: print gpg key staus on verbosity
+ ansible.builtin.debug:
+ msg: "{{ _gitea_gpg_key_status.stdout }}"
+ verbosity: 1
+
+ - name: Import forgejo gpg key
+ ansible.builtin.command: "gpg --keyserver {{ gitea_gpg_server }} --recv {{ gitea_forgejo_gpg_key }}"
+ register: _gitea_import_key
+ changed_when: '"imported: 1" in _gitea_import_key.stderr'
+ when: '_gitea_gpg_key_status.rc != 0 or "expired" in _gitea_gpg_key_status.stdout'
+
+ - name: Check archive signature
+ ansible.builtin.command: "gpg --verify /tmp/{{ gitea_filename }}.asc /tmp/{{ gitea_filename }}"
+ changed_when: false
+
+ - name: Propagate gitea binary
+ become: true
+ ansible.builtin.copy:
+ src: "/tmp/{{ gitea_filename }}"
+ remote_src: true
+ dest: "{{ gitea_full_executable_path }}"
+ mode: 0755
+ owner: root
+ group: root
+ notify: "Restart gitea"
diff --git a/tasks/install.yml b/tasks/install_gitea.yml
similarity index 97%
rename from tasks/install.yml
rename to tasks/install_gitea.yml
index f3da30a..d212f9b 100644
--- a/tasks/install.yml
+++ b/tasks/install_gitea.yml
@@ -21,7 +21,7 @@
 retries: 5
 delay: 2
-- name: Install block
+- name: Install gitea block
 when: (not gitea_version_check | bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version_target))
 block:
 - name: Download gitea archive
@@ -76,7 +76,7 @@
 ansible.builtin.copy:
 src: "/tmp/{{ gitea_filename }}"
 remote_src: true
- dest: "{{ gitea_executable_path }}"
+ dest: "{{ gitea_full_executable_path }}"
 mode: 0755
 owner: root
 group: root
diff --git a/tasks/jwt_secrets.yml b/tasks/jwt_secrets.yml
index d620350..f56abf0 100644
--- a/tasks/jwt_secrets.yml
+++ b/tasks/jwt_secrets.yml
@@ -1,7 +1,7 @@
 ---
 - name: Generate OAuth2 JWT_SECRET if not provided
 become: true
- ansible.builtin.shell: 'umask 077; {{ gitea_executable_path }} generate secret JWT_SECRET > {{ gitea_configuraion_path }}/gitea_oauth_jwt_secret'
+ ansible.builtin.shell: 'umask 077; {{ gitea_full_executable_path }} generate secret JWT_SECRET > {{ gitea_configuraion_path }}/gitea_oauth_jwt_secret'
 args:
 creates: '{{ gitea_configuraion_path }}/gitea_oauth_jwt_secret'
 when: gitea_oauth2_jwt_secret | length == 0
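Review bot: The `Check archive signature` task accepts a good signature from any key in the connecting user's keyring, because `gpg --verify` only reports whether the signature validates, not who made it; with both the gitea and forgejo keys imported on the same host, either key would pass the forgejo download. Bind the check to the expected key: `ansible.builtin.command: "gpg --status-fd 1 --verify /tmp/{{ gitea_filename }}.asc /tmp/{{ gitea_filename }}"`, `register: _gitea_verify`, and `failed_when: "_gitea_verify.rc != 0 or (_gitea_verify.stdout_lines | select('search', 'VALIDSIG .*' ~ gitea_forgejo_gpg_key ~ '$') | list | length == 0)"` — the VALIDSIG status line ends with the primary-key fingerprint, so this still holds when the release is signed by a subkey. Separately, the archive and the `.asc` are written to a predictable path under world-writable `/tmp` without `become`, while the copy to `gitea_full_executable_path` runs as root, so a local user can swap the file between the verify and the copy; downloading into a directory created by `ansible.builtin.tempfile` (`state: directory`, `mode: "0700"`) closes that window. This appears to mirror the existing gitea install path, so the same fix presumably applies there. Minor: quote the octal modes (`mode: "0640"`, `mode: "0755"`) so ansible-lint's risky-octal rule and YAML 1.2 parsers agree with what was meant.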
@@ -20,7 +20,7 @@
 - name: Generate LFS JWT_SECRET if not provided
 become: true
- ansible.builtin.shell: 'umask 077; {{ gitea_executable_path }} generate secret JWT_SECRET > {{ gitea_configuraion_path }}/gitea_lfs_jwt_secret'
+ ansible.builtin.shell: 'umask 077; {{ gitea_full_executable_path }} generate secret JWT_SECRET > {{ gitea_configuraion_path }}/gitea_lfs_jwt_secret'
 args:
 creates: '{{ gitea_configuraion_path }}/gitea_lfs_jwt_secret'
 when: gitea_lfs_jwt_secret | length == 0
diff --git a/tasks/main.yml b/tasks/main.yml
index d8d4339..7fe7331 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -20,7 +20,7 @@
 ansible.builtin.include_vars: "{{ lookup('first_found', gitea_variables) }}"
 - name: Gather versioning information
- ansible.builtin.include_tasks: set_version.yml
+ ansible.builtin.include_tasks: "set_{{ gitea_fork | lower }}_version.yml"
 - name: Backup gitea before update
 ansible.builtin.include_tasks: backup.yml
@@ -29,8 +29,8 @@
 - name: Create gitea user and role
 ansible.builtin.include_tasks: create_user.yml
-- name: Install or update gitea
- ansible.builtin.include_tasks: install.yml
+- name: "Install or update {{ gitea_fork }}"
+ ansible.builtin.include_tasks: "install_{{ gitea_fork | lower }}.yml"
 - name: Create directories
 ansible.builtin.include_tasks: directory.yml
diff --git a/tasks/set_forgejo_version.yml b/tasks/set_forgejo_version.yml
new file mode 100644
index 0000000..e607df4
--- /dev/null
+++ b/tasks/set_forgejo_version.yml
@@ -0,0 +1,98 @@
+---
+- name: "Check forgejo installed version"
+ ansible.builtin.shell: "set -eo pipefail; {{ gitea_full_executable_path }} -v | cut -d' ' -f 3"
+ args:
+ executable: /bin/bash
+ register: gitea_active_version
+ changed_when: false
+ failed_when: false
+
+- name: "Determine 'latest' version release"
+ when: gitea_version == "latest"
+ block:
+ - name: "Get latest forgejo release metadata"
+ ansible.builtin.uri:
+ url: 'https://codeberg.org/api/v1/repos/forgejo/forgejo/releases?limit=1'
+ return_content: true
+ register: gitea_forgejo_remote_metadata
+ when: not ansible_check_mode
+
+ - name: "Fail if running in check mode without versions set."
+ ansible.builtin.fail:
+ msg: |
+ "You are running this playbook in check mode:
+ Please set the Gitea version with the variable 'gitea_version', because the URI module cannot detect the latest version in this mode."
+ when: ansible_check_mode and (gitea_version == 'latest' or gitea_version == 'present')
+
+ - name: "Set fact latest forgejo release"
+ ansible.builtin.set_fact:
+ gitea_remote_version: "{{ gitea_forgejo_remote_metadata.json.0.tag_name[1:] }}"
+ when: not ansible_check_mode
+
+ - name: "Set forgejo version target (latest)"
+ ansible.builtin.set_fact:
+ gitea_version_target: "{{ gitea_remote_version }}"
+ when: not ansible_check_mode
+
+- name: "Set gitea version target {{ gitea_version }}"
+ ansible.builtin.set_fact:
+ gitea_version_target: "{{ gitea_version }}"
+ when: gitea_version != "latest"
+
+- name: "Get specific forgejo release metadata"
+ ansible.builtin.uri:
+ url: 'https://codeberg.org/api/v1/repos/forgejo/forgejo/releases/tags/v{{ gitea_version_target }}'
+ return_content: true
+ register: gitea_forgejo_remote_tags_metadata
+ when: not ansible_check_mode
+
+- name: "Generate forgejo download url"
+ ansible.builtin.set_fact:
+ gitea_forgejo_dl_url: "{{ gitea_forgejo_remote_tags_metadata.json | community.general.json_query(gitea_forgejo_query_download) }}"
+ when: not ansible_check_mode
+
+- name: "Generate forgejo download checksum url"
+ ansible.builtin.set_fact:
+ gitea_forgejo_checksum_url: "{{ gitea_forgejo_remote_tags_metadata.json | community.general.json_query(gitea_forgejo_query_checksum) }}"
+ when: not ansible_check_mode
+
+- name: Get forgejo checksum
+ ansible.builtin.uri:
+ url: "{{ gitea_forgejo_checksum_url | first }}"
+ return_content: true
+ register: _gitea_forgejo_dl_checksum
+ when: not ansible_check_mode
+
+- name: Set forjeo checksum
+ ansible.builtin.set_fact:
+ gitea_forgejo_checksum: "{{ _gitea_forgejo_dl_checksum.content.split(' ')[0] }}"
+ when: not ansible_check_mode
+
+- name: "Generate forgejo download signed url"
+ ansible.builtin.set_fact:
+ gitea_forgejo_signed_url: "{{ gitea_forgejo_remote_tags_metadata.json | community.general.json_query(gitea_forgejo_query_signed) }}"
+ when: not ansible_check_mode
+
+- name: "Set a example forgejo download link if in check mode"
+ ansible.builtin.set_fact:
+ gitea_forgejo_dl_url: ['https://codeberg.org/attachments/a00333ad-250a-4d30-a764-9a37fb24f419']
+ when: ansible_check_mode
+
+- name: "Set a example forgejo checksum link if in check mode"
+ ansible.builtin.set_fact:
+ gitea_forgejo_checksum: 'f8c71464d1b250bf022eaa3df270c810950904ceb71da5cefc7ec24a034a4c87'
+ when: ansible_check_mode
+
+- name: "Set a example forgejo checksum link if in check mode"
+ ansible.builtin.set_fact:
+ gitea_forgejo_signed_url: ['https://codeberg.org/attachments/ae5e50c6-e86e-4202-b95f-f142e8138e2f']
+ when: ansible_check_mode
+
+- name: Show Download URLs
+ ansible.builtin.debug:
+ msg: "{{ item }}"
+ verbosity: 1
+ with_items:
+ - "gitea_forgejo_dl_url: {{ gitea_forgejo_dl_url | first }}"
+ - "gitea_forgejo_checksum: {{ gitea_forgejo_checksum }}"
+ - "gitea_forgejo_signed_url: {{ gitea_forgejo_signed_url | first }}"
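Review bot: `gitea_forgejo_checksum_url | first` in `Get forgejo checksum` (and the `| first` on `gitea_forgejo_dl_url` / `gitea_forgejo_signed_url` downstream) fails with an opaque "No first item, sequence was empty" whenever the JMESPath query from vars/fork_forgejo.yml matches no release asset, e.g. an architecture Forgejo does not publish for or a renamed asset. An `ansible.builtin.assert` placed after the three `set_fact` tasks with `that: "gitea_forgejo_dl_url | length == 1 and gitea_forgejo_checksum_url | length == 1 and gitea_forgejo_signed_url | length == 1"` and a `fail_msg` naming `gitea_filename` turns that into an actionable error. The sha256 is fetched from the same release attachments as the binary, so the `checksum:` passed to get_url only catches a corrupted transfer and authenticity rests entirely on the `.asc` verification in install_forgejo.yml; a comment above `Get forgejo checksum` saying `# integrity only: same origin as the binary, authenticity comes from the .asc signature` would keep a future maintainer from treating it as a trust anchor. The `releases?limit=1` query presumably returns the newest release regardless of its pre-release flag, so `latest` may resolve to a release candidate; if that matters, add the API's `pre-release=false` parameter. Also, `Set forjeo checksum` is a typo for forgejo.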
diff --git a/tasks/set_version.yml b/tasks/set_gitea_version.yml
similarity index 94%
rename from tasks/set_version.yml
rename to tasks/set_gitea_version.yml
index cd18b67..b964ea9 100644
--- a/tasks/set_version.yml
+++ b/tasks/set_gitea_version.yml
@@ -1,6 +1,6 @@
 ---
 - name: "Check gitea installed version"
- ansible.builtin.shell: "set -eo pipefail; {{ gitea_executable_path }} -v | cut -d' ' -f 3"
+ ansible.builtin.shell: "set -eo pipefail; {{ gitea_full_executable_path }} -v | cut -d' ' -f 3"
 args:
 executable: /bin/bash
 register: gitea_active_version
diff --git a/templates/gitea.service.j2 b/templates/gitea.service.j2
index a14a422..1db7f85 100644
--- a/templates/gitea.service.j2
+++ b/templates/gitea.service.j2
@@ -1,11 +1,11 @@
 [Unit]
-Description=Gitea git server
+Description={{ gitea_fork }} git server
 After=network.target
 [Service]
 User={{ gitea_user }}
 Group={{ gitea_group }}
-ExecStart={{ gitea_executable_path }} web -c {{ gitea_configuraion_path }}/gitea.ini --custom-path {{ gitea_custom }}/
+ExecStart={{ gitea_full_executable_path }} web -c {{ gitea_configuraion_path }}/gitea.ini --custom-path {{ gitea_custom }}/
 Restart=on-failure
 WorkingDirectory={{ gitea_home }}
 {% if gitea_systemd_cap_net_bind_service %}
diff --git a/vars/fork_forgejo.yml b/vars/fork_forgejo.yml
index ed97d53..2ac6803 100644
--- a/vars/fork_forgejo.yml
+++ b/vars/fork_forgejo.yml
@@ -1 +1,7 @@
 ---
+# set filenames for forgejo
+gitea_full_executable_path: "{{ gitea_forgejo_executable_path }}"
+gitea_filename: "forgejo-{{ gitea_version_target }}-linux-{{ gitea_arch }}"
+gitea_forgejo_query_download: "assets[?name==`{{ gitea_filename }}`].browser_download_url"
+gitea_forgejo_query_checksum: "assets[?name==`{{ gitea_filename }}.sha256`].browser_download_url"
+gitea_forgejo_query_signed: "assets[?name==`{{ gitea_filename }}.asc`].browser_download_url"
diff --git a/vars/fork_gitea.yml b/vars/fork_gitea.yml
index ed97d53..607bfd8 100644
--- a/vars/fork_gitea.yml
+++ b/vars/fork_gitea.yml
@@ -1 +1,4 @@
 ---
+# set filenames for gitea
+gitea_full_executable_path: "{{ gitea_executable_path }}"
+gitea_filename: "gitea-{{ gitea_version_target }}.linux-{{ gitea_arch }}"
diff --git a/vars/main.yml b/vars/main.yml
index f2f4b56..0990cb4 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -8,7 +8,6 @@ gitea_go_arch_map:
 armv5l: 'arm-5'
 gitea_arch: "{{ gitea_go_arch_map[ansible_architecture] | default(ansible_architecture) }}"
-gitea_filename: "gitea-{{ gitea_version_target }}.linux-{{ gitea_arch }}"
 gitea_supported_forks: 'gitea and forgejo'
 gitea_fork_variables: