ansible-deploy-gitea/deploy_gitea.yml

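---
# Deploys Gitea on one Debian/Ubuntu host: PostgreSQL database and role, the
# Gitea binary (checksum-verified), a systemd unit, an Nginx vhost with a
# Let's Encrypt certificate, UFW rules and a Fail2Ban jail.
# Host settings (gitea_version, gitea_db, gitea_db_user, gitea_fqdn) come from
# vars/all.yml; the referenced templates live in templates/.
- hosts: git.example.com
  remote_user: root
  tasks:
    - include_vars: vars/all.yml

    - name: Install Prerequisites
      apt:
        # apt takes the list directly: one transaction instead of one per item
        name:
          - git
          - postgresql
          - fail2ban
          - python-psycopg2
          - python3-psycopg2
          - nginx
          - certbot
          - python-certbot-nginx
        state: present
        update_cache: true

    - name: Create Gitea Database
      become: true
      become_user: postgres
      postgresql_db:
        name: "{{ gitea_db }}"

    - name: Prepare a Postgresql User
      become: true
      become_user: postgres
      postgresql_user:
        db: "{{ gitea_db }}"
        name: "{{ gitea_db_user }}"
        # The password lookup generates the secret on the first run and re-reads
        # it from this controller-side file afterwards. NOTE(review): /tmp is
        # world-readable and usually cleared on reboot; if the file is lost the
        # next run generates a new password and resets the role to it.
        password: "{{ lookup('password', '/tmp/{{ gitea_db_user }}.pass chars=ascii_letters,digits length=32') }}"
        priv: "ALL"
        encrypted: true
        expires: infinity

    - name: Get Gitea checksum file
      # Downloaded on the controller so the hash can be read with lookup('file')
      local_action:
        module: get_url
        url: "https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64.sha256"
        dest: "/tmp"

    - name: Get Gitea
      get_url:
        url: "https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64"
        dest: "/usr/local/bin/gitea"
        # Explicit octal string instead of the umask-dependent "+x"; the git
        # user needs read+execute on the binary.
        mode: "0755"
        # The download is rejected unless it matches the published SHA-256.
        # Both files come from the same origin, so this catches corrupt or
        # truncated downloads, not a compromised source.
        checksum: "sha256:{{ lookup('file', '/tmp/gitea-{{ gitea_version }}-linux-amd64.sha256').split()[0] }}"

    - name: Create git user
      user:
        name: git
        comment: GIT Version Control
        shell: /bin/bash
        system: true
        home: /home/git

    - name: Create Directory Structure
      file:
        path: "{{ item.path }}"
        owner: "{{ item.owner }}"
        group: "{{ item.group }}"
        mode: "{{ item.mode }}"
        state: directory
      # Modes are quoted octal strings: an unquoted 755 reaches the file
      # module as the decimal integer 755 (octal 1363), not rwxr-xr-x.
      with_items:
        - path: /var/lib/gitea/custom
          owner: root
          group: root
          mode: "0755"
        - path: /var/lib/gitea/public
          owner: root
          group: root
          mode: "0755"
        - path: /var/lib/gitea/data
          owner: git
          group: git
          mode: "0750"
        - path: /var/lib/gitea/indexers
          owner: git
          group: git
          mode: "0750"
        - path: /var/lib/gitea/log
          owner: git
          group: git
          mode: "0750"
        - path: /etc/gitea
          owner: root
          group: git
          mode: "0770"

    - name: Create a Gitea service
      template:
        src: templates/gitea.service.j2
        dest: /etc/systemd/system/gitea.service

    - name: Start Gitea
      # daemon_reload loads the unit written above before systemd acts on it,
      # replacing the separate "systemctl daemon-reload" command task.
      systemd:
        name: gitea
        daemon_reload: true
        enabled: true
        state: started

    - name: Deploy Nginx HTTP vhost
      # Plain-HTTP vhost; the TLS vhost later in the play overwrites this file.
      # NOTE(review): Nginx is only restarted by the handler at the end of the
      # play, so this vhost is presumably never served on a first run — the
      # certbot webroot challenge relies on whatever serves /var/www/html then.
      template:
        src: templates/nginx_vhost.j2
        dest: "/etc/nginx/sites-available/{{ gitea_fqdn }}"

    - name: Enable Gitea vhost
      file:
        src: "/etc/nginx/sites-available/{{ gitea_fqdn }}"
        dest: "/etc/nginx/sites-enabled/{{ gitea_fqdn }}"
        state: link
      notify:
        - Disable Default vhost
        - Restart Nginx

    - name: Configure UFW
      # Only adds rules; UFW is not enabled here and no SSH rule is added, so
      # allow SSH before enabling the firewall elsewhere.
      ufw:
        rule: allow
        proto: tcp
        direction: in
        to_port: "{{ item }}"
        dest: any
        src: any
      with_items:
        - 80
        - 443

    - name: Wait for Gitea to write app.ini
      # The service task returns as soon as systemd reports the unit started;
      # app.ini (and the INTERNAL_TOKEN read below) is presumably written by
      # Gitea itself on first start, so wait for it. NOTE(review): the 60 s
      # timeout is a guess — adjust for slow hosts.
      wait_for:
        path: /etc/gitea/app.ini
        search_regex: INTERNAL_TOKEN
        timeout: 60

    - name: Read app.ini
      # slurp keeps the file in memory instead of fetching it to a
      # world-readable /tmp/gitea-app.ini on the controller; it holds secrets.
      slurp:
        src: /etc/gitea/app.ini
      register: gitea_app_ini
      no_log: true

    - name: Get INTERNAL_TOKEN
      # Expects a line of the form "INTERNAL_TOKEN = <value>"; index 2 is the value
      set_fact:
        gitea_internal_token: "{{ (gitea_app_ini.content | b64decode | regex_search('(INTERNAL_TOKEN.*)')).split()[2] }}"
      no_log: true

    - name: Deploy Gitea configuration
      template:
        src: templates/app.ini.j2
        dest: /etc/gitea/app.ini
      notify:
        - Restart Gitea

    - name: Create the .well-known directory
      file:
        path: /var/www/html/.well-known
        owner: www-data
        group: www-data
        state: directory

    - name: Generate a Let's encrypt certificate
      # Folded scalar so the command module receives one line; it runs no
      # shell, so backslash line continuations may not be handled as a shell
      # would. letsencrypt_email can be set in vars/all.yml; the fallback is
      # the address that was previously hard-coded.
      command: >-
        certbot certonly
        --webroot --webroot-path /var/www/html/
        --installer nginx
        --non-interactive --quiet
        --domains {{ gitea_fqdn }}
        --agree-tos
        -m {{ letsencrypt_email | default('theo@theo-andreou.org') }}
      args:
        creates: "/etc/letsencrypt/live/{{ gitea_fqdn }}/fullchain.pem"

    - name: Deploy Nginx configuration and certificates
      template:
        src: templates/nginx_vhost_tls.j2
        dest: "/etc/nginx/sites-available/{{ gitea_fqdn }}"
      notify:
        - Restart Nginx

    - name: Fail2Ban configuration for Gitea
      template:
        src: "{{ item.source }}"
        dest: "{{ item.destination }}"
      with_items:
        - source: templates/f2b-gitea.conf.j2
          destination: /etc/fail2ban/filter.d/gitea.conf
        - source: templates/f2b-gitea.local.j2
          destination: /etc/fail2ban/jail.d/jail.local
      notify:
        - Restart Fail2Ban

  handlers:
    - name: Disable Default vhost
      file:
        path: /etc/nginx/sites-enabled/default
        state: absent

    - name: Restart Nginx
      service:
        name: nginx
        state: restarted

    - name: Restart Gitea
      service:
        name: gitea
        enabled: true
        state: restarted

    - name: Restart Fail2Ban
      service:
        name: fail2ban
        state: restarted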