From 356f574a31991b3596d6fb06f1d8fbd7c4da2dc2 Mon Sep 17 00:00:00 2001
From: shirenn
Date: Fri, 25 Nov 2022 11:10:54 +0100
Subject: [PATCH] [gitea] Role to deploy git2
---
group_vars/gitea.yml | 19 +++++
hosts | 3 +
plays/gitea.yml | 7 ++
roles/gitea/handlers/main.yml | 9 +++
roles/gitea/tasks/main.yml | 49 ++++++++++++
roles/gitea/templates/gitea/app.ini.j2 | 74 +++++++++++++++++++
.../templates/systemd/system/gitea.service.j2 | 19 +++++
7 files changed, 180 insertions(+)
create mode 100644 group_vars/gitea.yml
create mode 100644 plays/gitea.yml
create mode 100644 roles/gitea/handlers/main.yml
create mode 100644 roles/gitea/tasks/main.yml
create mode 100644 roles/gitea/templates/gitea/app.ini.j2
create mode 100644 roles/gitea/templates/systemd/system/gitea.service.j2
diff --git a/group_vars/gitea.yml b/group_vars/gitea.yml
new file mode 100644
index 00000000..3aaf8b61
--- /dev/null
+++ b/group_vars/gitea.yml
@@ -0,0 +1,19 @@
+---
+glob_gitea:
+ version: 1.17.3
+ home_path: /stock/git
+ data_path: /stock/gitea
+ config:
+ app_name: "CR@NS Gitea"
+ oauth2:
+ jwt_secret: "{{ vault.gitea.oauth2.jwt_secret }}"
+ security:
+ internal_token: "{{ vault.gitea.security.internal_token }}"
+ secret_key: "{{ vault.gitea.security.secret_key }}"
+ database:
+ passwd: "{{ vault.gitea.database.passwd }}"
+ server:
+ ssh_domain: git2.crans.org
+ domain: git2.crans.org
+ root_url: https://git2.crans.org/
+ lfs_jwt_secret: "{{ vault.gitea.server.lfs_jwt_secret }}"
diff --git a/hosts b/hosts
index 35512386..5c04af70 100644
--- a/hosts
+++ b/hosts
@@ -102,6 +102,9 @@ voyager.adm.crans.org [galene] neree.adm.crans.org +[gitea] +sputnik.adm.crans.org + [gitlab] gitzly.adm.crans.org
diff --git a/plays/gitea.yml b/plays/gitea.yml
new file mode 100644
index 00000000..7d545f40
--- /dev/null
+++ b/plays/gitea.yml
@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: gitea
+ vars:
+ gitea: "{{ glob_gitea | default({}) | combine(loc_gitea | default({})) }}"
+ roles:
+ - gitea
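Review bot: In plays/gitea.yml the `combine(loc_gitea | default({}))` call merges only the top level, so a host-level `loc_gitea` that sets any key under `config` replaces the whole `config` mapping from `glob_gitea`, including the vault-backed secrets. The app.ini template would then fail on the missing keys rather than pick up a single override. If per-host overrides of individual settings are intended, the line could read `gitea: "{{ glob_gitea | default({}) | combine(loc_gitea | default({}), recursive=true) }}"`. If a shallow merge is the convention used by the other plays in this repository, a one-line comment stating that would be enough.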
diff --git a/roles/gitea/handlers/main.yml b/roles/gitea/handlers/main.yml
new file mode 100644
index 00000000..c3fbe563
--- /dev/null
+++ b/roles/gitea/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- name: systemctl daemon-reload
+ ansible.builtin.systemd:
+ daemon_reload: true
+
+- name: systemctl restart gitea.service
+ ansible.builtin.systemd:
+ name: gitea
+ state: restarted
diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml
new file mode 100644
index 00000000..c36f7413
--- /dev/null
+++ b/roles/gitea/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+- name: download gitea binary
+ ansible.builtin.get_url:
+ url: "https://dl.gitea.io/gitea/{{ gitea.version }}/gitea-{{ gitea.version }}-linux-amd64"
+ dest: /usr/local/sbin/gitea
+ mode: 0755
+ notify: systemctl restart gitea.service
+
+- name: create user git
+ ansible.builtin.user:
+ name: git
+ system: true
+ shell: /bin/bash
+ comment: "Git Version Control"
+ home: "{{ gitea.home_path }}"
+
+- name: create gitea directories
+ ansible.builtin.file:
+ path: '{{ item.path }}'
+ mode: '{{ item.mode | default("0755") }}'
+ group: git
+ owner: '{{ item.owner | default("git") }}'
+ state: directory
+ loop:
+ - { path: /etc/gitea/, mode: "0750", owner: root }
+ - { path: "{{ gitea.data_path }}", mode: "0750" }
+ - path: "{{ (gitea.data_path, 'custom') | path_join }}"
+ - path: "{{ (gitea.data_path, 'data') | path_join }}"
+ - path: "{{ (gitea.data_path, 'log') | path_join }}"
+ notify: systemctl restart gitea.service
+
+- name: deploy gitea configuration
+ ansible.builtin.template:
+ src: gitea/app.ini.j2
+ dest: /etc/gitea/app.ini
+ mode: '0640'
+ group: git
+ notify: systemctl restart gitea.service
+
+- name: deploy systemd unit
+ ansible.builtin.template:
+ src: systemd/system/gitea.service.j2
+ dest: /etc/systemd/system/gitea.service
+ notify: systemctl daemon-reload
+
+- name: systemctl enable gitea.service
+ ansible.builtin.systemd:
+ name: gitea
+ enabled: true
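Review bot: The `download gitea binary` task in roles/gitea/tasks/main.yml installs an executable fetched over the network into /usr/local/sbin without verifying its integrity. `get_url` accepts a `checksum` parameter, so a digest pinned per version, for example `checksum: "sha256:{{ gitea.sha256 }}"` with `sha256` as a new key next to `version` in `glob_gitea`, would make the task fail when the download does not match. The same line also fixes upgrades: with a fixed `dest` and no `force`, `get_url` skips the download once the file exists, so changing `gitea.version` alone would not replace the binary, whereas a checksum mismatch triggers a fresh download. Separately, the `deploy gitea configuration` task renders vault secrets, so `no_log: true` or `diff: false` on it would keep them out of `--diff` output, and `mode: 0755` could be quoted like the other modes in this file.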
diff --git a/roles/gitea/templates/gitea/app.ini.j2 b/roles/gitea/templates/gitea/app.ini.j2
new file mode 100644
index 00000000..d0f3a47c
--- /dev/null
+++ b/roles/gitea/templates/gitea/app.ini.j2
@@ -0,0 +1,74 @@
+{{ ansible_header | comment }}
+
+APP_NAME = {{ gitea.config.app_name }}
+RUN_USER = git
+RUN_MODE = prod
+
+[oauth2]
+JWT_SECRET = {{ gitea.config.oauth2.jwt_secret }}
+
+[security]
+INTERNAL_TOKEN = {{ gitea.config.security.internal_token }}
+INSTALL_LOCK = true
+SECRET_KEY = {{ gitea.config.security.secret_key }}
+
+[database]
+DB_TYPE = sqlite3
+NAME = gitea
+USER = gitea
+PASSWD = {{ gitea.config.database.passwd }}
+SCHEMA =
+SSL_MODE = disable
+CHARSET = utf8
+PATH = {{ (gitea.data_path, 'data', 'gitea.db') | path_join }}
+LOG_SQL = false
+
+[repository]
+ROOT = {{ (gitea.home_path, 'gitea-repositories') | path_join }}
+
+[server]
+SSH_DOMAIN = {{ gitea.config.server.ssh_domain }}
+DOMAIN = {{ gitea.config.server.domain }}
+HTTP_ADDR = 127.0.0.1
+HTTP_PORT = 3000
+ROOT_URL = {{ gitea.config.server.root_url }}
+DISABLE_SSH = false
+SSH_PORT = 22
+LFS_START_SERVER = true
+LFS_CONTENT_PATH = {{ (gitea.data_path, 'data', 'lfs') | path_join }}
+LFS_JWT_SECRET = {{ gitea.config.server.lfs_jwt_secret }}
+OFFLINE_MODE = false
+
+[mailer]
+ENABLED = false
+
+[service]
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+DISABLE_REGISTRATION = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+REQUIRE_SIGNIN_VIEW = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = false
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.localhost
+
+[picture]
+DISABLE_GRAVATAR = true
+ENABLE_FEDERATED_AVATAR = false
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[session]
+PROVIDER = file
+
+[log]
+MODE = console
+LEVEL = warning
+ROOT_PATH = {{ (gitea.data_path, 'log') | path_join }}
+REDIRECT_MACARON_LOG = true
+MACARON = console
+ROUTER = console
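Review bot: The `[session]` section of app.ini.j2 sets only `PROVIDER = file`, although `ROOT_URL` is an https URL and Gitea listens on 127.0.0.1:3000, presumably behind a TLS-terminating proxy. Adding `COOKIE_SECURE = true` there keeps the session cookie from being sent over plain HTTP; as far as I know the 1.17 series does not derive this from `ROOT_URL`, which is worth confirming against the configuration cheat sheet for the pinned version. In `[database]`, `DB_TYPE = sqlite3` is used together with `PATH`, so `USER`, `PASSWD` and `SSL_MODE` are most likely ignored, and dropping them would leave one vault secret fewer in the rendered file. The secrets are also interpolated unquoted, so a value containing `#` or `;` may be cut short by the INI parser; Gitea's documentation asks for such values to be quoted.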
diff --git a/roles/gitea/templates/systemd/system/gitea.service.j2 b/roles/gitea/templates/systemd/system/gitea.service.j2
new file mode 100644
index 00000000..8750ef19
--- /dev/null
+++ b/roles/gitea/templates/systemd/system/gitea.service.j2
@@ -0,0 +1,19 @@
+{{ ansible_header | comment }}
+
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=syslog.target
+After=network.target
+
+[Service]
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory={{ gitea.data_path }}
+ExecStart=/usr/local/sbin/gitea web --config /etc/gitea/app.ini
+Restart=always
+Environment=USER=git HOME={{ gitea.home_path }} GITEA_WORK_DIR={{ gitea.data_path }}
+
+[Install]
+WantedBy=multi-user.target
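Review bot: The `[Service]` section of gitea.service.j2 runs a network-facing daemon with no sandboxing directives. The service binds to port 3000 and the app.ini in this patch does not enable a built-in SSH server, so it should need no extra privileges; `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` look safe to add after a test run. `ProtectSystem=full` makes /etc read-only for the service, which fits app.ini being deployed with mode 0640 and group git, i.e. already read-only for the service user. `After=syslog.target` is obsolete on current systemd and can be dropped.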