199 lines
5 KiB
YAML
199 lines
5 KiB
YAML
---
|
|
- hosts: git.example.com
|
|
user: root
|
|
|
|
tasks:
|
|
|
|
- include_vars: vars/all.yml
|
|
|
|
- name: Install Prerequisites
|
|
apt:
|
|
name: "{{ item }}"
|
|
state: present
|
|
update_cache: yes
|
|
with_items:
|
|
- git
|
|
- postgresql
|
|
- fail2ban
|
|
- python-psycopg2
|
|
- python3-psycopg2
|
|
- nginx
|
|
- certbot
|
|
- python-certbot-nginx
|
|
|
|
- name: Create Gitea Database
|
|
become: yes
|
|
become_user: postgres
|
|
postgresql_db:
|
|
name: "{{ gitea_db }}"
|
|
|
|
- name: Prepare a Postgresql User
|
|
become: yes
|
|
become_user: postgres
|
|
postgresql_user:
|
|
db: "{{ gitea_db }}"
|
|
name: "{{ gitea_db_user }}"
|
|
password: "{{ lookup('password', '/tmp/{{ gitea_db_user }}.pass chars=ascii_letters,digits length=32') }}"
|
|
priv: "ALL"
|
|
encrypted: yes
|
|
expires: infinity
|
|
|
|
- name: Get Gitea checksum file
|
|
local_action:
|
|
module: get_url
|
|
url: "https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64.sha256"
|
|
dest: "/tmp"
|
|
|
|
- name: Get Gitea
|
|
get_url:
|
|
url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64
|
|
dest: "/usr/local/bin/gitea"
|
|
mode: +x
|
|
checksum: "sha256:{{ lookup('file', '/tmp/gitea-{{ gitea_version }}-linux-amd64.sha256').split()[0] }}"
|
|
|
|
- name: Create git user
|
|
user:
|
|
name: git
|
|
comment: GIT Version Control
|
|
shell: /bin/bash
|
|
system: yes
|
|
home: /home/git
|
|
|
|
- name: Create Ditectory Structure
|
|
file:
|
|
path: "{{ item.path }}"
|
|
owner: "{{ item.owner }}"
|
|
group: "{{ item.group }}"
|
|
mode: "{{ item.mode }}"
|
|
state: directory
|
|
with_items:
|
|
- { path: /var/lib/gitea/custom, owner: root, group: root, mode: 755}
|
|
- { path: /var/lib/gitea/public, owner: root, group: root, mode: 755}
|
|
- { path: /var/lib/gitea/data, owner: git, group: git, mode: 750}
|
|
- { path: /var/lib/gitea/indexers, owner: git, group: git, mode: 750}
|
|
- { path: /var/lib/gitea/log, owner: git, group: git, mode: 750}
|
|
- { path: /etc/gitea, owner: root, group: git, mode: 770}
|
|
|
|
- name: Create a Gitea service
|
|
template:
|
|
src: templates/gitea.service.j2
|
|
dest: /etc/systemd/system/gitea.service
|
|
|
|
- name: Reload systemd
|
|
command: systemctl daemon-reload
|
|
|
|
- name: Start Gitea
|
|
service:
|
|
name: gitea
|
|
enabled: yes
|
|
state: started
|
|
|
|
- name: Deploy Nginx HTTP vhost
|
|
template:
|
|
src: "{{ item.source }}"
|
|
dest: "{{ item.destination }}"
|
|
with_items:
|
|
- { source: "templates/nginx_vhost.j2", destination: "/etc/nginx/sites-available/{{ gitea_fqdn }}" }
|
|
|
|
- name: Enable Gitea vhost
|
|
file:
|
|
src: "/etc/nginx/sites-available/{{ gitea_fqdn }}"
|
|
dest: "/etc/nginx/sites-enabled/{{ gitea_fqdn }}"
|
|
state: link
|
|
notify:
|
|
- Disable Default vhost
|
|
- Restart Nginx
|
|
|
|
- name: Configure UFW
|
|
ufw:
|
|
rule: allow
|
|
proto: tcp
|
|
direction: in
|
|
to_port: "{{ item }}"
|
|
dest: any
|
|
src: any
|
|
with_items:
|
|
- 80
|
|
- 443
|
|
|
|
- name: Fetch app.ini
|
|
fetch:
|
|
src: /etc/gitea/app.ini
|
|
dest: /tmp/gitea-app.ini
|
|
flat: yes
|
|
|
|
- name: Get INTERNAL_TOKEN
|
|
set_fact:
|
|
gitea_internal_token: "{{ (lookup('file', '/tmp/gitea-app.ini')|regex_search('(INTERNAL_TOKEN.*)')).split()[2] }}"
|
|
|
|
- name: Deploy Gitea configuration
|
|
template:
|
|
src: templates/app.ini.j2
|
|
dest: /etc/gitea/app.ini
|
|
notify:
|
|
- Restart Gitea
|
|
|
|
- name: Create the .well-known directory
|
|
file:
|
|
path: /var/www/html/.well-known
|
|
owner: www-data
|
|
group: www-data
|
|
state: directory
|
|
|
|
- name: Generate a Let's encrypt certificate
|
|
command: |
|
|
certbot \
|
|
certonly \
|
|
--webroot \
|
|
--webroot-path /var/www/html/ \
|
|
--installer nginx \
|
|
--non-interactive \
|
|
--quiet \
|
|
--domains {{ gitea_fqdn }} \
|
|
--agree-tos \
|
|
-m theo@theo-andreou.org
|
|
args:
|
|
creates: "/etc/letsencrypt/live/{{ gitea_fqdn }}/fullchain.pem"
|
|
|
|
- name: Deploy Nginx configuration and certificates
|
|
template:
|
|
src: "{{ item.source }}"
|
|
dest: "{{ item.destination }}"
|
|
with_items:
|
|
- { source: "templates/nginx_vhost_tls.j2", destination: "/etc/nginx/sites-available/{{ gitea_fqdn }}" }
|
|
notify:
|
|
- Restart Nginx
|
|
|
|
- name: Fail2Ban configuration for Gitea
|
|
template:
|
|
src: "{{ item.source }}"
|
|
dest: "{{ item.destination }}"
|
|
with_items:
|
|
- { source: "templates/f2b-gitea.conf.j2", destination: "/etc/fail2ban/filter.d/gitea.conf" }
|
|
- { source: "templates/f2b-gitea.local.j2", destination: "/etc/fail2ban/jail.d/jail.local" }
|
|
notify:
|
|
- Restart Fail2Ban
|
|
|
|
handlers:
|
|
|
|
- name: Disable Default vhost
|
|
file:
|
|
path: /etc/nginx/sites-enabled/default
|
|
state: absent
|
|
|
|
- name: Restart Nginx
|
|
service:
|
|
name: nginx
|
|
state: restarted
|
|
|
|
- name: Restart Gitea
|
|
service:
|
|
name: gitea
|
|
enabled: yes
|
|
state: restarted
|
|
|
|
- name: Restart Fail2Ban
|
|
service:
|
|
name: fail2ban
|
|
state: restarted
|