Initial Commit

2019-01-26 08:21:47 +02:00 · 2019-01-26 08:21:47 +02:00 · fd562c3235
commit fd562c3235
11 changed files with 1090 additions and 0 deletions
--- a/templates/app.ini.j2
+++ b/templates/app.ini.j2
@ -0,0 +1,65 @@
+APP_NAME = {{ gitea_name }}
+RUN_USER = git
+RUN_MODE = prod
+
+[security]
+INTERNAL_TOKEN = {{ gitea_internal_token }}
+INSTALL_LOCK   = true
+SECRET_KEY     = {{ lookup('password', '/dev/null chars=ascii_letters,digits length=10') }}
+
+[database]
+DB_TYPE  = postgres
+HOST     = 127.0.0.1:5432
+NAME     = {{ gitea_db }}
+USER     = {{ gitea_db_user}}
+PASSWD   = {{ lookup('password', '/tmp/{{ gitea_db_user }}.pass ') }}
+SSL_MODE = disable
+
+[repository]
+ROOT = /home/git/gitea-repositories
+
+[server]
+SSH_DOMAIN       = {{ gitea_fqdn }}
+DOMAIN           = {{ gitea_fqdn }}
+HTTP_PORT        = 3000
+ROOT_URL         = https://{{ gitea_fqdn }}/
+DISABLE_SSH      = false
+SSH_PORT         = {{ custom_ssh_port }}
+LFS_START_SERVER = true
+LFS_CONTENT_PATH = /var/lib/gitea/data/lfs
+LFS_JWT_SECRET   = {{ lookup('password', '/dev/null chars=ascii_letters,digits length=43') }}
+OFFLINE_MODE     = false
+
+[mailer]
+ENABLED = true
+HOST    = {{ smtp_server }}
+FROM    = gitea@{{ domain }}
+USER    = 
+PASSWD  = 
+
+[service]
+REGISTER_EMAIL_CONFIRM            = true
+ENABLE_NOTIFY_MAIL                = true
+DISABLE_REGISTRATION              = false
+ENABLE_CAPTCHA                    = true
+REQUIRE_SIGNIN_VIEW               = false
+DEFAULT_KEEP_EMAIL_PRIVATE        = true
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING       = true
+NO_REPLY_ADDRESS                  = noreply.{{ gitea_fqdn }}
+
+[picture]
+DISABLE_GRAVATAR        = false
+ENABLE_FEDERATED_AVATAR = true
+
+[openid]
+ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNUP = true
+
+[session]
+PROVIDER = file
+
+[log]
+MODE      = file
+LEVEL     = Info
+ROOT_PATH = /var/lib/gitea/log
--- a/templates/f2b-gitea.conf.j2
+++ b/templates/f2b-gitea.conf.j2
@ -0,0 +1,3 @@
+[Definition]
+failregex =  .*Failed authentication attempt for .* from <HOST>
+ignoreregex =
--- a/templates/f2b-gitea.local.j2
+++ b/templates/f2b-gitea.local.j2
@ -0,0 +1,9 @@
+[gitea]
+enabled = true
+port = http,https
+filter = gitea
+logpath = /var/lib/gitea/log/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports
--- a/templates/gitea.service.j2
+++ b/templates/gitea.service.j2
@ -0,0 +1,32 @@
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=syslog.target
+After=network.target
+#After=mysqld.service
+After=postgresql.service
+#After=memcached.service
+#After=redis.service
+
+[Service]
+# Modify these two values and uncomment them if you have
+# repos with lots of files and get an HTTP error 500 because
+# of that
+###
+#LimitMEMLOCK=infinity
+#LimitNOFILE=65535
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=/var/lib/gitea/
+ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
+Restart=always
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
+# If you want to bind Gitea to a port below 1024 uncomment
+# the two values below
+###
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
--- a/templates/nginx_vhost.j2
+++ b/templates/nginx_vhost.j2
@ -0,0 +1,14 @@
+server {
+    listen 80;
+    server_name {{ gitea_fqdn }};
+
+    location / {
+        proxy_pass http://localhost:3000;
+        proxy_set_header X-Real-IP $remote_addr;
+    }
+
+   location ^~ /.well-known/acme-challenge/ {
+        default_type "text/plain";
+        root /var/www/html;
+    }
+}
--- a/templates/nginx_vhost_tls.j2
+++ b/templates/nginx_vhost_tls.j2
@ -0,0 +1,29 @@
+server {
+    listen 80;
+    server_name {{ gitea_fqdn }};
+
+    location / {
+        proxy_pass http://localhost:3000;
+        proxy_set_header X-Real-IP $remote_addr;
+    }
+
+   location ^~ /.well-known/acme-challenge/ {
+        default_type "text/plain";
+        root /var/www/html;
+    }
+
+    listen 443 ssl;
+    ssl_certificate /etc/letsencrypt/live/{{ gitea_fqdn }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ gitea_fqdn }}/privkey.pem;
+    ssl_session_cache shared:le_nginx_SSL:1m;
+    ssl_session_timeout 1440m;
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+
+    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA";
+
+    if ($scheme != "https") {
+        return 301 https://$host$request_uri;
+    }
+}