autogenerate JWT_SECRETS (#77)

* autogenerate JWT_SECRETS Based on https://docs.gitea.io/en-us/command-line/#generate we will now autogenerate JWT_SECRETS if they are not defined. In my opinion a much better idea than writing a value in the default config. The check if the variables for the secrets are now 43 characters long i took out. Gitea generates itself suitable secrets, if the user given ones do not fit. * drop ansible.builtin. syntax
2024-08-16 11:39:50 +02:00 · 2021-02-10 20:04:13 +01:00 · 2021-02-10 20:04:13 +01:00 · 9cd664d91f
commit 9cd664d91f
parent 67afb71160
5 changed files with 44 additions and 20 deletions
--- a/README.md
+++ b/README.md
@ -128,7 +128,7 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we

 * `gitea_lfs_enabled`: Enable GIT LFS *(git large file storeage: [git-lfs](https://git-lfs.github.com/))*. Default: `false`
 * `gitea_lfs_content_path`: path where the lfs files are stored
-* `gitea_lfs_secret`: JWT secret for remote LFS usage, has to be exactly 43 characters long
+* `gitea_lfs_secret`: JWT secret for remote LFS usage. Can be generated with ``gitea generate secret JWT_SECRET``


 ### Fail2Ban configuration
@ -146,7 +146,7 @@ As this will only deploy config files, fail2ban already has to be installed or o
 ### Oauth2 provider configuration

 * `gitea_oauth2_enabled`: Enable the Oauth2 provider (true/false)
-* `gitea_oauth2_jwt_secret`: JWT secret, has to be exactly 43 characters long
+* `gitea_oauth2_jwt_secret`: Oauth2 JWT secret. Can be generated with ``gitea generate secret JWT_SECRET``


 ### Metrics endpoint configuration
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -23,7 +23,7 @@ gitea_offline_mode: true

 gitea_lfs_server_enabled: false
 gitea_lfs_content_path: "{{ gitea_home }}/data/lfs"
-gitea_lfs_jwt_secret: 'ChangeMe1GGm26cTz5jsH9S3Df4MPzBx599wLCdKwmw'
+gitea_lfs_jwt_secret: ''

 gitea_db_type: sqlite3
 gitea_db_host: 127.0.0.0:3306
@ -69,7 +69,7 @@ gitea_fail2ban_jail_bantime: 900
 gitea_fail2ban_jail_action: iptables-allports

 gitea_oauth2_enabled: true
-gitea_oauth2_jwt_secret: PLZChangeThisToAFourtyThreeCharacterString1
+gitea_oauth2_jwt_secret: ''

 gitea_metrics_enabled: false
 gitea_metrics_token: ~
--- a/tasks/check-variables.yml
+++ b/tasks/check-variables.yml
@ -1,14 +0,0 @@
---
- name: run checks to ensure gitea_oauth2_jwt_secret do not crash gitea and is idempotent
-  block:
-    - name: "check token length"
-      fail:
-        msg: 'gitea_oauth2_jwt_secret has to be 43 characters long. It is currently {{ gitea_oauth2_jwt_secret | length }} long.'
-      when: gitea_oauth2_jwt_secret | length != 43
-
- name: run checks to ensure gitea_lfs_jwt_secret do not crash gitea and is idempotent
-  block:
-    - name: "check token length"
-      fail:
-        msg: 'gitea_lfs_jwt_secret has to be 43 characters long. It is currently {{ gitea_lfs_jwt_secret | length }} long.'
-      when: gitea_lfs_jwt_secret | length != 43
--- a/tasks/jwt_secrets.yml
+++ b/tasks/jwt_secrets.yml
@ -0,0 +1,38 @@
+---
+- name: generate OAuth2 JWT_SECRET if not provided
+  become: true
+  shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_oauth_jwt_secret'
+  args:
+    creates: '/etc/gitea/gitea_oauth_jwt_secret'
+  when: gitea_oauth2_jwt_secret | length == 0
+
+- name: read OAuth2 JWT_SECRET from file
+  become: true
+  slurp:
+    src: '/etc/gitea/gitea_oauth_jwt_secret'
+  register: oauth_jwt_secret
+  when: gitea_oauth2_jwt_secret | length == 0
+
+- name: set fact gitea_oauth2_jwt_secret
+  set_fact:
+    gitea_oauth2_jwt_secret: "{{ oauth_jwt_secret['content'] | b64decode }}"
+  when: gitea_oauth2_jwt_secret | length == 0
+
+- name: generate LFS JWT_SECRET if not provided
+  become: true
+  shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_lfs_jwt_secret'
+  args:
+    creates: '/etc/gitea/gitea_lfs_jwt_secret'
+  when: gitea_lfs_jwt_secret | length == 0
+
+- name: read LFS JWT_SECRET from file
+  become: true
+  slurp:
+    src: '/etc/gitea/gitea_lfs_jwt_secret'
+  register: lfs_jwt_secret
+  when: gitea_lfs_jwt_secret | length == 0
+
+- name: set fact gitea_lfs_jwt_secret
+  set_fact:
+    gitea_lfs_jwt_secret: "{{ lfs_jwt_secret['content'] | b64decode }}"
+  when: gitea_lfs_jwt_secret | length == 0
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,7 +1,5 @@
 ---

- include: check-variables.yml
-
 - name: "Check gitea version"
  shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3"
  args:
@ -59,6 +57,8 @@
    name: 'git'
    state: 'present'

+- include_tasks: jwt_secrets.yml
+
 - name: "Configure gitea"
  template:
    src: gitea.ini.j2