commit 951fe81186961d9974c1720f4c9bbd131de645aa Author: olli Date: Sun Jul 10 10:50:59 2022 +0200 first commit
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e69de29
diff --git a/gitea.yml b/gitea.yml
new file mode 100644
index 0000000..deb74e4
--- /dev/null
+++ b/gitea.yml
@@ -0,0 +1,253 @@ +--- +- name: gitea + hosts: ds9.dedyn.io + tasks: + + - name: Create /home/docker/gitea.{{inventory_hostname}} dir + ansible.builtin.file: + path: /home/docker/gitea.{{inventory_hostname}} + owner: root + group: docker + state: directory + mode: '0550' + + - name: /home/docker/gitea.{{inventory_hostname}}/genpw.sh (generate Random PW for Gitea and DB) + blockinfile: + path: /home/docker/gitea.{{inventory_hostname}}/genpw.sh + create: yes + mode: 0550 + owner: root + group: docker + marker: "# {mark} ANSIBLE MANAGED BLOCK" + block: | + cd /home/docker/gitea.{{inventory_hostname}} + + mysqluser=$(pwgen -s 32 1) + mysqlpassword=$(pwgen -s 32 1) + gtadminpassword=$(pwgen -s 32 1) + + [ -f env ] || echo "GITEA__database__USER=!MYSQLUSER! + GITEA__database__PASSWD=!MYSQLPASSWORD! + GTADMINPASSWD=!GTADMINPASSWD! + " >env + + [ -f env.db ] || echo "MARIADB_USER=!MYSQLUSER! + MARIADB_PASSWORD=!MYSQLPASSWORD! + " >env.db + + [ -f env.phpmyadmin ] || echo "PMA_USER=!MYSQLUSER! + PMA_PASSWORD=!MYSQLPASSWORD! 
+ " >env.phpmyadmin + + chmod 440 env env.db env.phpmyadmin + chown root:docker env env.db env.phpmyadmin + sed -i "s/\!MYSQLUSER\!/$mysqluser/g" env env.db env.phpmyadmin + sed -i "s/\!MYSQLPASSWORD\!/$mysqlpassword/g" env env.db env.phpmyadmin + sed -i "s/\!GTADMINPASSWD\!/$gtadminpassword/g" env + backup: yes + validate: /bin/bash -n %s + notify: run genpw.sh + + - name: /home/docker/gitea.{{inventory_hostname}}/genpw.sh shebang + lineinfile: + path: /home/docker/gitea.{{inventory_hostname}}/genpw.sh + insertbefore: BOF + line: "#!/bin/bash -e" + + - name: Gen initial passwords if not exists + ansible.builtin.shell: ./genpw.sh + args: + chdir: /home/docker/gitea.{{inventory_hostname}} + creates: /home/docker/gitea.{{inventory_hostname}}/env + + - name: /home/docker/gitea.{{inventory_hostname}}/docker-compose.yml Container Configuration + blockinfile: + path: /home/docker/gitea.{{inventory_hostname}}/docker-compose.yml + create: yes + mode: 0440 + owner: root + group: docker + marker: "# {mark} ANSIBLE MANAGED BLOCK" + block: | + version: '3.6' + + services: + + gitea.{{inventory_hostname}}: + image: gitea/gitea:latest + restart: unless-stopped + env_file: env + environment: + - USER_UID=1000 + - USER_GID=1000 + - APP_NAME=gitea.{{ ansible_facts['nodename'] }} + - RUN_MODE=prod + - RUN_USER=git + - GITEA__server__DOMAIN=gitea.{{ ansible_facts['nodename'] }} + - GITEA__server__SSH_DOMAIN=gitea.{{ ansible_facts['nodename'] }} + - GITEA__server__ROOT_URL=https://gitea.ds9.dedyn.io + - GITEA__mailer__ENABLED=true + - GITEA__mailer__HOST=mail.{{ ansible_facts['nodename'] }} + - GITEA__mailer__FROM=gitea@{{ ansible_facts['nodename'] }} + - GITEA__mailer__USER= + - GITEA__mailer__PASSWD= + - GITEA__service__DISABLE_REGISTRATION=true + - GITEA__service__REQUIRE_SIGNIN_VIEW=false + - GITEA__service__REGISTER_EMAIL_CONFIRM=true + - GITEA__service__ENABLE_NOTIFY_MAIL=true + - GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=false + - GITEA__service__ENABLE_CAPTCHA=false + - 
GITEA__service__DEFAULT_KEEP_EMAIL_PRIVATE=true + - GITEA__service__DEFAULT_ALLOW_CREATE_ORGANIZATION=true + - GITEA__service__DEFAULT_ENABLE_TIMETRACKING=true + - GITEA__service__NO_REPLY_ADDRESS=ds9.dedyn.io + - GITEA__security__INSTALL_LOCK=true + - GITEA__database__DB_TYPE=mysql + - GITEA__database__HOST=gitea.{{inventory_hostname}}--db:3306 + - GITEA__database__NAME=gitea-db + networks: + - traefik + - gitea.{{inventory_hostname}}--network + volumes: + - ./data:/data + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + labels: + - traefik.enable=true + # HTTPS + - traefik.http.routers.gitea-{{ ansible_facts['hostname'] }}.rule=Host(`gitea.{{ ansible_facts['nodename'] }}`) + - traefik.http.routers.gitea-{{ ansible_facts['hostname'] }}.entrypoints=https + - traefik.http.routers.gitea-{{ ansible_facts['hostname'] }}.tls=true + - traefik.http.routers.gitea-{{ ansible_facts['hostname'] }}.middlewares=secHeaders@file + # Proxy to service-port + - traefik.http.services.gitea-{{ ansible_facts['hostname'] }}.loadbalancer.server.port=3000 + - traefik.http.routers.gitea-{{ ansible_facts['hostname'] }}.service=gitea-{{ ansible_facts['hostname'] }} + # cert via letsencrypt + - traefik.http.routers.gitea-{{ ansible_facts['hostname'] }}.tls.certresolver=letsencrypt + # Traefik network + - traefik.docker.network=traefik + ports: + - 333:22 + + gitea.{{inventory_hostname}}--db: + image: mariadb:latest + cap_add: + - SYS_NICE + restart: unless-stopped + volumes: + - ./giteadb-data:/var/lib/mysql + - /etc/localtime:/etc/localtime:ro + env_file: env.db + environment: + - MARIADB_RANDOM_ROOT_PASSWORD=1 + - MARIADB_DATABASE=gitea-db + - MARIADB_AUTO_UPGRADE=1 + - MARIADB_INITDB_SKIP_TZINFO=1 + networks: + - gitea.{{inventory_hostname}}--network + + gitea.{{inventory_hostname}}--phpmyadmin: + image: phpmyadmin:latest + restart: unless-stopped + env_file: env.phpmyadmin + environment: + - PMA_ARBITRARY=0 + - PMA_HOST=gitea.{{inventory_hostname}}--db + volumes: + 
- /etc/localtime:/etc/localtime:ro + networks: + - gitea.{{inventory_hostname}}--network + - traefik + labels: + - traefik.enable=true + # HTTPS + - traefik.http.routers.gitea-{{ ansible_facts['hostname'] }}--phpmyadmin.rule=Host(`gitea-phpmyadmin.{{ ansible_facts['nodename'] }}`) + - traefik.http.routers.gitea-{{ ansible_facts['hostname'] }}--phpmyadmin.entrypoints=https + - traefik.http.routers.gitea-{{ ansible_facts['hostname'] }}--phpmyadmin.tls=true + # Proxy to service-port + - traefik.http.services.gitea-{{ ansible_facts['hostname'] }}--phpmyadmin.loadbalancer.server.port=80 + - traefik.http.routers.gitea-{{ ansible_facts['hostname'] }}--phpmyadmin.service=gitea-{{ ansible_facts['hostname'] }}--phpmyadmin + # cert via letsencrypt + - traefik.http.routers.gitea-{{ ansible_facts['hostname'] }}--phpmyadmin.tls.certresolver=letsencrypt + # Auth + - traefik.http.routers.gitea-{{ ansible_facts['hostname'] }}--phpmyadmin.middlewares=secHeaders@file,gitea-{{ ansible_facts['hostname'] }}--phpmyadmin-auth + - traefik.http.middlewares.gitea-{{ ansible_facts['hostname'] }}--phpmyadmin-auth.basicauth.users=admin:$$apr1$$XLxGs/Ba$$3phZ1a2RtfExOp8x6NFjZ. 
+ # Traefik network + - traefik.docker.network=traefik + + networks: + gitea.{{inventory_hostname}}--network: + driver: bridge + driver_opts: + com.docker.network.bridge.name: br-gitea + traefik: + external: true + + backup: yes + notify: Restart gitea + + - name: Start gitea + ansible.builtin.shell: docker-compose up -d + args: + chdir: /home/docker/gitea.{{inventory_hostname}} + creates: /home/docker/gitea.{{inventory_hostname}}/data/gitea/conf/app.ini + + - name: Wait until gitea install is finished + wait_for: + path: /home/docker/gitea.{{inventory_hostname}}/data/gitea/conf/app.ini + + - name: /home/docker/gitea.{{inventory_hostname}}/gitea.init.sh + blockinfile: + path: /home/docker/gitea.{{inventory_hostname}}/gitea.init.sh + mode: "0500" + owner: root + group: root + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK" + block: | + # create admin-User + cd /home/docker/gitea.{{inventory_hostname}} + until wget -t1 --timeout=15 https://gitea.{{inventory_hostname}} >/dev/null 2>&1 + do + sleep 5 + done + if ! docker-compose exec -u git gitea.{{inventory_hostname}} gitea admin user list | grep -q " gtadmin " + then + cat env | egrep "^GTADMINPASSWD=" >env.tmp + . 
env.tmp + rm -f env.tmp + docker-compose exec -u git gitea.{{inventory_hostname}} gitea admin user create --username gtadmin --email admin@{{inventory_hostname}} --admin --password $GTADMINPASSWD + fi + backup: yes + validate: /bin/bash -n %s + notify: run gitea.init + + - name: Run gitea.init after install + ansible.builtin.shell: bash /home/docker/gitea.{{inventory_hostname}}/gitea.init.sh + args: + chdir: /home/docker/gitea.{{inventory_hostname}} + creates: /home/docker/gitea.{{inventory_hostname}}/gitea.init.log + + - name: Allow ssh on port 333 + community.general.ufw: + rule: allow + port: '333' + proto: tcp + + + handlers: + + - name: run genpw.sh + ansible.builtin.shell: ./genpw.sh + args: + chdir: /home/docker/gitea.{{inventory_hostname}} + notify: Restart gitea + + - name: run gitea.init + ansible.builtin.shell: bash /home/docker/gitea.{{inventory_hostname}}/gitea.init.sh + + - name: Restart gitea + ansible.builtin.shell: docker-compose up -d + args: + chdir: /home/docker/gitea.{{inventory_hostname}} +
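Review bot: The SSH port mapping `- 333:22` inside the docker-compose block is unquoted, and a YAML 1.1 loader such as the PyYAML used by docker-compose reads a `HOST:CONTAINER` pair whose container port is below 60 as a sexagesimal integer (333:22 → 20002), so the published port is not the one the later `Allow ssh on port 333` ufw task assumes; write it as `- "333:22"`. In the genpw.sh block the `echo ... >env`, `>env.db` and `>env.phpmyadmin` redirections create the credential files under the shell's default umask and only afterwards run `chmod 440`, leaving a window in which the database and admin passwords can be world-readable; adding `umask 077` right after the `cd` line closes it. The gitea.init.sh block passes the admin password on the command line (`--password $GTADMINPASSWD`), where it is visible in the process list of both host and container while the command runs, and the `Run gitea.init after install` task keys its `creates:` on `gitea.init.log`, which nothing in the script writes, so that task re-runs on every play. The phpmyadmin basicauth label embeds a credential hash directly in the playbook and all three services use `:latest` image tags; moving the hash to an Ansible Vault variable and pinning image versions would keep secrets and supply-chain choices out of plain git history.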