An Ansible Playbook for deploying your own self-hosted Gitea instance

deploy_gitea.yml 5.0KB

  1. ---
  2. - hosts: git.example.com
  3. user: root
  4. tasks:
  5. - include_vars: vars/all.yml
  6. - name: Install Prerequisites
  7. apt:
  8. name: "{{ item }}"
  9. state: present
  10. update_cache: yes
  11. with_items:
  12. - git
  13. - postgresql
  14. - fail2ban
  15. - python-psycopg2
  16. - python3-psycopg2
  17. - nginx
  18. - certbot
  19. - python-certbot-nginx
  20. - name: Create Gitea Database
  21. become: yes
  22. become_user: postgres
  23. postgresql_db:
  24. name: "{{ gitea_db }}"
  25. - name: Prepare a Postgresql User
  26. become: yes
  27. become_user: postgres
  28. postgresql_user:
  29. db: "{{ gitea_db }}"
  30. name: "{{ gitea_db_user }}"
  31. password: "{{ lookup('password', '/tmp/{{ gitea_db_user }}.pass chars=ascii_letters,digits length=32') }}"
  32. priv: "ALL"
  33. encrypted: yes
  34. expires: infinity
  35. - name: Get Gitea checksum file
  36. local_action:
  37. module: get_url
  38. url: "https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64.sha256"
  39. dest: "/tmp"
  40. - name: Get Gitea
  41. get_url:
  42. url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64
  43. dest: "/usr/local/bin/gitea"
  44. mode: +x
  45. checksum: "sha256:{{ lookup('file', '/tmp/gitea-{{ gitea_version }}-linux-amd64.sha256').split()[0] }}"
  46. - name: Create git user
  47. user:
  48. name: git
  49. comment: GIT Version Control
  50. shell: /bin/bash
  51. system: yes
  52. home: /home/git
  53. - name: Create Ditectory Structure
  54. file:
  55. path: "{{ item.path }}"
  56. owner: "{{ item.owner }}"
  57. group: "{{ item.group }}"
  58. mode: "{{ item.mode }}"
  59. state: directory
  60. with_items:
  61. - { path: /var/lib/gitea/custom, owner: root, group: root, mode: 755}
  62. - { path: /var/lib/gitea/public, owner: root, group: root, mode: 755}
  63. - { path: /var/lib/gitea/data, owner: git, group: git, mode: 750}
  64. - { path: /var/lib/gitea/indexers, owner: git, group: git, mode: 750}
  65. - { path: /var/lib/gitea/log, owner: git, group: git, mode: 750}
  66. - { path: /etc/gitea, owner: root, group: git, mode: 770}
  67. - name: Create a Gitea service
  68. template:
  69. src: templates/gitea.service.j2
  70. dest: /etc/systemd/system/gitea.service
  71. - name: Reload systemd
  72. command: systemctl daemon-reload
  73. - name: Start Gitea
  74. service:
  75. name: gitea
  76. enabled: yes
  77. state: started
  78. - name: Deploy Nginx HTTP vhost
  79. template:
  80. src: "{{ item.source }}"
  81. dest: "{{ item.destination }}"
  82. with_items:
  83. - { source: "templates/nginx_vhost.j2", destination: "/etc/nginx/sites-available/{{ gitea_fqdn }}" }
  84. - name: Enable Gitea vhost
  85. file:
  86. src: "/etc/nginx/sites-available/{{ gitea_fqdn }}"
  87. dest: "/etc/nginx/sites-enabled/{{ gitea_fqdn }}"
  88. state: link
  89. notify:
  90. - Disable Default vhost
  91. - Restart Nginx
  92. - name: Configure UFW
  93. ufw:
  94. rule: allow
  95. proto: tcp
  96. direction: in
  97. to_port: "{{ item }}"
  98. dest: any
  99. src: any
  100. with_items:
  101. - 80
  102. - 443
  103. - name: Fetch app.ini
  104. fetch:
  105. src: /etc/gitea/app.ini
  106. dest: /tmp/gitea-app.ini
  107. flat: yes
  108. - name: Get INTERNAL_TOKEN
  109. set_fact:
  110. gitea_internal_token: "{{ (lookup('file', '/tmp/gitea-app.ini')|regex_search('(INTERNAL_TOKEN.*)')).split()[2] }}"
  111. - name: Deploy Gitea configuration
  112. template:
  113. src: templates/app.ini.j2
  114. dest: /etc/gitea/app.ini
  115. notify:
  116. - Restart Gitea
  117. - name: Create the .well-known directory
  118. file:
  119. path: /var/www/html/.well-known
  120. owner: www-data
  121. group: www-data
  122. state: directory
  123. - name: Generate a Let's encrypt certificate
  124. command: |
  125. certbot \
  126. certonly \
  127. --webroot \
  128. --webroot-path /var/www/html/ \
  129. --installer nginx \
  130. --non-interactive \
  131. --quiet \
  132. --domains {{ gitea_fqdn }} \
  133. --agree-tos \
  134. -m theo@theo-andreou.org
  135. args:
  136. creates: "/etc/letsencrypt/live/{{ gitea_fqdn }}/fullchain.pem"
  137. - name: Deploy Nginx configuration and certificates
  138. template:
  139. src: "{{ item.source }}"
  140. dest: "{{ item.destination }}"
  141. with_items:
  142. - { source: "templates/nginx_vhost_tls.j2", destination: "/etc/nginx/sites-available/{{ gitea_fqdn }}" }
  143. notify:
  144. - Restart Nginx
  145. - name: Fail2Ban configuration for Gitea
  146. template:
  147. src: "{{ item.source }}"
  148. dest: "{{ item.destination }}"
  149. with_items:
  150. - { source: "templates/f2b-gitea.conf.j2", destination: "/etc/fail2ban/filter.d/gitea.conf" }
  151. - { source: "templates/f2b-gitea.local.j2", destination: "/etc/fail2ban/jail.d/jail.local" }
  152. notify:
  153. - Restart Fail2Ban
  154. handlers:
  155. - name: Disable Default vhost
  156. file:
  157. path: /etc/nginx/sites-enabled/default
  158. state: absent
  159. - name: Restart Nginx
  160. service:
  161. name: nginx
  162. state: restarted
  163. - name: Restart Gitea
  164. service:
  165. name: gitea
  166. enabled: yes
  167. state: restarted
  168. - name: Restart Fail2Ban
  169. service:
  170. name: fail2ban
  171. state: restarted