Initial Commit

2019-01-26 08:21:47 +02:00 · 2019-01-26 08:21:47 +02:00 · fd562c3235
commit fd562c3235
11 changed files with 1090 additions and 0 deletions
--- a/deploy_gitea.yml
+++ b/deploy_gitea.yml
@ -0,0 +1,198 @@
+---
+- hosts: git.example.com
+  user: root
+
+  tasks:
+
+  - include_vars: vars/all.yml
+
+  - name: Install Prerequisites
+    apt:
+      name: "{{ item }}"
+      state: present
+      update_cache: yes
+    with_items:
+      - git
+      - postgresql
+      - fail2ban
+      - python-psycopg2
+      - python3-psycopg2
+      - nginx
+      - certbot
+      - python-certbot-nginx
+
+  - name: Create Gitea Database
+    become: yes
+    become_user: postgres
+    postgresql_db:
+      name: "{{ gitea_db }}"
+
+  - name: Prepare a Postgresql User
+    become: yes
+    become_user: postgres
+    postgresql_user:
+      db: "{{ gitea_db }}"
+      name: "{{ gitea_db_user }}"
+      password: "{{ lookup('password', '/tmp/{{ gitea_db_user }}.pass chars=ascii_letters,digits length=32') }}"
+      priv: "ALL"
+      encrypted: yes
+      expires: infinity
+  
+  - name: Get Gitea checksum file
+    local_action:
+      module: get_url
+      url: "https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64.sha256"
+      dest: "/tmp"
+
+  - name: Get Gitea
+    get_url:
+      url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64
+      dest: "/usr/local/bin/gitea"
+      mode: +x
+      checksum: "sha256:{{ lookup('file', '/tmp/gitea-{{ gitea_version }}-linux-amd64.sha256').split()[0] }}"
+
+  - name: Create git user
+    user:
+      name: git
+      comment: GIT Version Control
+      shell: /bin/bash
+      system: yes
+      home: /home/git
+
+  - name: Create Ditectory Structure
+    file:
+      path: "{{ item.path }}"
+      owner: "{{ item.owner }}"
+      group: "{{ item.group }}"
+      mode: "{{ item.mode }}"
+      state: directory
+    with_items:
+      - { path: /var/lib/gitea/custom, owner: root, group: root, mode: 755}
+      - { path: /var/lib/gitea/public, owner: root, group: root, mode: 755}
+      - { path: /var/lib/gitea/data, owner: git, group: git, mode: 750}
+      - { path: /var/lib/gitea/indexers, owner: git, group: git, mode: 750}
+      - { path: /var/lib/gitea/log, owner: git, group: git, mode: 750}
+      - { path: /etc/gitea, owner: root, group: git, mode: 770}
+
+  - name: Create a Gitea service
+    template:
+      src: templates/gitea.service.j2
+      dest: /etc/systemd/system/gitea.service
+
+  - name: Reload systemd
+    command: systemctl daemon-reload
+
+  - name: Start Gitea
+    service:
+      name: gitea
+      enabled: yes
+      state: started
+
+  - name: Deploy Nginx HTTP vhost
+    template:
+      src: "{{ item.source }}"
+      dest: "{{ item.destination }}"
+    with_items:
+      - { source: "templates/nginx_vhost.j2", destination: "/etc/nginx/sites-available/{{ gitea_fqdn }}" }
+
+  - name: Enable Gitea vhost
+    file: 
+      src: "/etc/nginx/sites-available/{{ gitea_fqdn }}"
+      dest: "/etc/nginx/sites-enabled/{{ gitea_fqdn }}"
+      state: link
+    notify:
+      - Disable Default vhost
+      - Restart Nginx
+
+  - name: Configure UFW
+    ufw:
+      rule: allow
+      proto: tcp
+      direction: in
+      to_port: "{{ item }}"
+      dest: any
+      src: any
+    with_items:
+      - 80
+      - 443
+
+  - name: Fetch app.ini
+    fetch:
+      src: /etc/gitea/app.ini
+      dest: /tmp/gitea-app.ini
+      flat: yes
+
+  - name: Get INTERNAL_TOKEN
+    set_fact:
+      gitea_internal_token: "{{ (lookup('file', '/tmp/gitea-app.ini')|regex_search('(INTERNAL_TOKEN.*)')).split()[2] }}"
+
+  - name: Deploy Gitea configuration
+    template:
+      src: templates/app.ini.j2
+      dest: /etc/gitea/app.ini
+    notify:
+     - Restart Gitea
+
+  - name: Create the .well-known directory
+    file:
+      path: /var/www/html/.well-known
+      owner: www-data
+      group: www-data
+      state: directory
+
+  - name: Generate a Let's encrypt certificate
+    command: |
+      certbot \
+      certonly \
+      --webroot \
+      --webroot-path /var/www/html/ \
+      --installer nginx \
+      --non-interactive \
+      --quiet \
+      --domains {{ gitea_fqdn }} \
+      --agree-tos \
+      -m theo@theo-andreou.org
+    args:
+      creates: "/etc/letsencrypt/live/{{ gitea_fqdn }}/fullchain.pem"
+
+  - name: Deploy Nginx configuration and certificates
+    template:
+      src: "{{ item.source }}"
+      dest: "{{ item.destination }}"
+    with_items:
+      - { source: "templates/nginx_vhost_tls.j2", destination: "/etc/nginx/sites-available/{{ gitea_fqdn }}" }
+    notify:
+      - Restart Nginx
+
+  - name: Fail2Ban configuration for Gitea
+    template:
+      src: "{{ item.source }}"
+      dest: "{{ item.destination }}"
+    with_items:
+      - { source: "templates/f2b-gitea.conf.j2", destination: "/etc/fail2ban/filter.d/gitea.conf" }
+      - { source: "templates/f2b-gitea.local.j2", destination: "/etc/fail2ban/jail.d/jail.local" }
+    notify:
+      - Restart Fail2Ban
+
+  handlers:
+
+  - name: Disable Default vhost
+    file:
+      path: /etc/nginx/sites-enabled/default
+      state: absent
+
+  - name: Restart Nginx
+    service:
+      name: nginx
+      state: restarted
+
+  - name: Restart Gitea
+    service:
+      name: gitea
+      enabled: yes
+      state: restarted
+
+  - name: Restart Fail2Ban
+    service:
+      name: fail2ban
+      state: restarted