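---
# Provision a single-node Gitea server: PostgreSQL, the Gitea binary
# (checksum-verified), a systemd unit, nginx as TLS-terminating reverse proxy
# with a Let's Encrypt certificate, UFW and fail2ban.
#
# Expects vars/all.yml to define gitea_db, gitea_db_user, gitea_version and
# gitea_fqdn. The templates referenced below live next to this playbook and are
# not shown here; notes marked NOTE(review) depend on their contents.
- hosts: git.example.com
  remote_user: root

  tasks:

    - include_vars: vars/all.yml

    - name: Install prerequisites
      apt:
        name:
          - git
          - postgresql
          - fail2ban
          - python-psycopg2
          - python3-psycopg2
          - nginx
          - certbot
          - python-certbot-nginx
        state: present
        update_cache: true

    - name: Create Gitea database
      become: true
      become_user: postgres
      postgresql_db:
        name: "{{ gitea_db }}"

    # The password is generated once by the 'password' lookup and cached on the
    # CONTROLLER at /tmp/<user>.pass so that later runs (and the app.ini template,
    # which has to read the very same file) agree on it. /tmp is world-readable
    # and cleared on reboot; losing the file makes the next run rotate the DB
    # password. The path is kept because the template must match it -- move both
    # together to a protected, persistent location (or a vaulted variable).
    - name: Prepare a PostgreSQL user
      become: true
      become_user: postgres
      no_log: true  # keep the generated password out of task output and logs
      postgresql_user:
        db: "{{ gitea_db }}"
        name: "{{ gitea_db_user }}"
        password: "{{ lookup('password', '/tmp/{{ gitea_db_user }}.pass chars=ascii_letters,digits length=32') }}"
        priv: "ALL"
        encrypted: true
        expires: infinity

    # The .sha256 file comes from the same origin over the same channel as the
    # binary, so this check catches a corrupted or mismatched download but offers
    # no protection if dl.gitea.io itself were compromised. For a stronger
    # guarantee, pin the expected digest in vars/all.yml or verify the release's
    # detached signature against Gitea's published signing key.
    - name: Get Gitea checksum file
      local_action:
        module: get_url
        url: "https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64.sha256"
        dest: "/tmp"

    - name: Get Gitea
      get_url:
        url: "https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64"
        dest: /usr/local/bin/gitea
        owner: root
        group: root
        # Was '+x', which only adds execute bits on top of whatever is already
        # there; an explicit mode also corrects a pre-existing, wider file mode.
        mode: "0755"
        checksum: "sha256:{{ lookup('file', '/tmp/gitea-{{ gitea_version }}-linux-amd64.sha256').split()[0] }}"

    - name: Create git user
      user:
        name: git
        comment: GIT Version Control
        shell: /bin/bash
        system: true
        home: /home/git

    - name: Create Gitea directory structure
      file:
        path: "{{ item.path }}"
        owner: "{{ item.owner }}"
        group: "{{ item.group }}"
        mode: "{{ item.mode }}"
        state: directory
      with_items:
        # Modes are quoted strings on purpose: an unquoted 755 reaches the file
        # module as DECIMAL 755 (= octal 1363) and sets the wrong permissions.
        - { path: /var/lib/gitea/custom,   owner: root, group: root, mode: "0755" }
        - { path: /var/lib/gitea/public,   owner: root, group: root, mode: "0755" }
        - { path: /var/lib/gitea/data,     owner: git,  group: git,  mode: "0750" }
        - { path: /var/lib/gitea/indexers, owner: git,  group: git,  mode: "0750" }
        - { path: /var/lib/gitea/log,      owner: git,  group: git,  mode: "0750" }
        # 0770 lets gitea (group git) write app.ini on its first start, which the
        # INTERNAL_TOKEN tasks below rely on; consider tightening to 0750 once
        # the installation is complete.
        - { path: /etc/gitea,              owner: root, group: git,  mode: "0770" }

    - name: Create Gitea systemd unit
      template:
        src: templates/gitea.service.j2
        dest: /etc/systemd/system/gitea.service
        owner: root
        group: root
        mode: "0644"

    - name: Reload systemd so the new unit is picked up
      systemd:
        daemon_reload: true

    # NOTE(review): Gitea is started here before app.ini has been deployed, so it
    # runs unconfigured (install wizard reachable on its listen port) until the
    # configuration task below runs. Whether that port is reachable from outside
    # depends on the HTTP_ADDR configured by the unit/template (not shown); the
    # UFW tasks below only open 80/443 and deny everything else inbound.
    - name: Start Gitea
      service:
        name: gitea
        enabled: true
        state: started

    - name: Deploy nginx HTTP vhost
      template:
        src: templates/nginx_vhost.j2
        dest: "/etc/nginx/sites-available/{{ gitea_fqdn }}"

    - name: Enable Gitea vhost
      file:
        src: "/etc/nginx/sites-available/{{ gitea_fqdn }}"
        dest: "/etc/nginx/sites-enabled/{{ gitea_fqdn }}"
        state: link
      notify:
        - Disable Default vhost
        - Restart Nginx

    # UFW rules have no effect until the firewall is enabled, which the original
    # playbook never did. SSH is allowed first so the Ansible connection (and
    # future ones) survives the default-deny policy; ansible_port falls back to
    # 22 when the inventory does not override it.
    - name: Allow SSH through UFW
      ufw:
        rule: allow
        proto: tcp
        direction: in
        to_port: "{{ ansible_port | default(22) }}"

    - name: Allow HTTP and HTTPS through UFW
      ufw:
        rule: allow
        proto: tcp
        direction: in
        to_port: "{{ item }}"
        dest: any
        src: any
      with_items:
        - "80"
        - "443"

    - name: Enable UFW with a default-deny inbound policy
      ufw:
        state: enabled
        policy: deny

    # Read the INTERNAL_TOKEN that Gitea wrote into app.ini on its first start so
    # the templated app.ini can carry the same value. slurp keeps the file content
    # in memory on the target; the original fetched the whole app.ini -- DB
    # password and secrets included -- to a world-readable, never-removed
    # /tmp/gitea-app.ini on the controller.
    - name: Read current app.ini
      slurp:
        src: /etc/gitea/app.ini
      register: gitea_app_ini
      no_log: true  # the registered result holds the full (base64) config

    # Matches the 'INTERNAL_TOKEN = <value>' line and takes the third field.
    - name: Extract INTERNAL_TOKEN
      set_fact:
        gitea_internal_token: "{{ (gitea_app_ini.content | b64decode | regex_search('(INTERNAL_TOKEN.*)')).split()[2] }}"
      no_log: true

    - name: Deploy Gitea configuration
      template:
        src: templates/app.ini.j2
        dest: /etc/gitea/app.ini
        owner: root
        group: git
        # app.ini holds the DB password and Gitea's secrets; without an explicit
        # mode it was written with the default umask (typically 0644, world-
        # readable). 0660 keeps gitea (group git) able to persist any secret it
        # generates at start-up; tighten to 0640 once the template supplies them all.
        mode: "0660"
      notify:
        - Restart Gitea

    - name: Create the .well-known directory for the HTTP-01 challenge
      file:
        path: /var/www/html/.well-known
        owner: www-data
        group: www-data
        state: directory

    # Runs only until the certificate exists ('creates'). The contact address can
    # be set via letsencrypt_email; the default preserves the original value.
    - name: Generate a Let's Encrypt certificate
      command: |
        certbot \
          certonly \
          --webroot \
          --webroot-path /var/www/html/ \
          --installer nginx \
          --non-interactive \
          --quiet \
          --domains {{ gitea_fqdn }} \
          --agree-tos \
          -m {{ letsencrypt_email | default('theo@theo-andreou.org') }}
      args:
        creates: "/etc/letsencrypt/live/{{ gitea_fqdn }}/fullchain.pem"

    - name: Deploy nginx TLS vhost
      template:
        src: templates/nginx_vhost_tls.j2
        dest: "/etc/nginx/sites-available/{{ gitea_fqdn }}"
      notify:
        - Restart Nginx

    - name: Deploy fail2ban filter and jail for Gitea
      template:
        src: "{{ item.source }}"
        dest: "{{ item.destination }}"
      with_items:
        - { source: templates/f2b-gitea.conf.j2,  destination: /etc/fail2ban/filter.d/gitea.conf }
        - { source: templates/f2b-gitea.local.j2, destination: /etc/fail2ban/jail.d/jail.local }
      notify:
        - Restart Fail2Ban

  # Handler names are referenced by the notify: lists above and must not change.
  handlers:

    - name: Disable Default vhost
      file:
        path: /etc/nginx/sites-enabled/default
        state: absent

    - name: Restart Nginx
      service:
        name: nginx
        state: restarted

    - name: Restart Gitea
      service:
        name: gitea
        enabled: true
        state: restarted

    - name: Restart Fail2Ban
      service:
        name: fail2ban
        state: restarted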