--- - name: gitea hosts: ds9.dedyn.io tasks: - name: Create /home/docker/gitea.{{inventory_hostname}} dir ansible.builtin.file: path: /home/docker/gitea.{{inventory_hostname}} owner: root group: docker state: directory mode: '0550' - name: /home/docker/gitea.{{inventory_hostname}}/genpw.sh (generate Random PW for Gitea and DB) blockinfile: path: /home/docker/gitea.{{inventory_hostname}}/genpw.sh create: yes mode: 0550 owner: root group: docker marker: "# {mark} ANSIBLE MANAGED BLOCK" block: | cd /home/docker/gitea.{{inventory_hostname}} mysqluser=$(pwgen -s 32 1) mysqlpassword=$(pwgen -s 32 1) gtadminpassword=$(pwgen -s 32 1) [ -f env ] || echo "GITEA__database__USER=!MYSQLUSER! GITEA__database__PASSWD=!MYSQLPASSWORD! GTADMINPASSWD=!GTADMINPASSWD! " >env [ -f env.db ] || echo "MARIADB_USER=!MYSQLUSER! MARIADB_PASSWORD=!MYSQLPASSWORD! " >env.db [ -f env.phpmyadmin ] || echo "PMA_USER=!MYSQLUSER! PMA_PASSWORD=!MYSQLPASSWORD! " >env.phpmyadmin chmod 440 env env.db env.phpmyadmin chown root:docker env env.db env.phpmyadmin sed -i "s/\!MYSQLUSER\!/$mysqluser/g" env env.db env.phpmyadmin sed -i "s/\!MYSQLPASSWORD\!/$mysqlpassword/g" env env.db env.phpmyadmin sed -i "s/\!GTADMINPASSWD\!/$gtadminpassword/g" env backup: yes validate: /bin/bash -n %s notify: run genpw.sh - name: /home/docker/gitea.{{inventory_hostname}}/genpw.sh shebang lineinfile: path: /home/docker/gitea.{{inventory_hostname}}/genpw.sh insertbefore: BOF line: "#!/bin/bash -e" - name: Gen initial passwords if not exists ansible.builtin.shell: ./genpw.sh args: chdir: /home/docker/gitea.{{inventory_hostname}} creates: /home/docker/gitea.{{inventory_hostname}}/env - name: /home/docker/gitea.{{inventory_hostname}}/docker-compose.yml Container Configuration blockinfile: path: /home/docker/gitea.{{inventory_hostname}}/docker-compose.yml create: yes mode: 0440 owner: root group: docker marker: "# {mark} ANSIBLE MANAGED BLOCK" block: | version: '3.6' services: gitea.{{inventory_hostname}}: image: gitea/gitea:latest restart: unless-stopped env_file: env environment: - USER_UID=1000 - USER_GID=1000 - APP_NAME=gitea.{{ ansible_facts['nodename'] }} - RUN_MODE=prod - RUN_USER=git - GITEA__server__DOMAIN=gitea.{{ ansible_facts['nodename'] }} - GITEA__server__SSH_DOMAIN=gitea.{{ ansible_facts['nodename'] }} - GITEA__server__ROOT_URL=https://gitea.ds9.dedyn.io - GITEA__mailer__ENABLED=true - GITEA__mailer__SMTP_ADDR=mail.{{ ansible_facts['nodename'] }} - GITEA__mailer__SMTP_PORT=25 - GITEA__mailer__FROM=gitea@{{ ansible_facts['nodename'] }} - GITEA__mailer__USER= - GITEA__mailer__PASSWD= - GITEA__service__DISABLE_REGISTRATION=true - GITEA__service__REQUIRE_SIGNIN_VIEW=false - GITEA__service__REGISTER_EMAIL_CONFIRM=true - GITEA__service__ENABLE_NOTIFY_MAIL=true - GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=false - GITEA__service__ENABLE_CAPTCHA=false - GITEA__service__DEFAULT_KEEP_EMAIL_PRIVATE=true - GITEA__service__DEFAULT_ALLOW_CREATE_ORGANIZATION=true - GITEA__service__DEFAULT_ENABLE_TIMETRACKING=true - GITEA__service__NO_REPLY_ADDRESS=ds9.dedyn.io - GITEA__security__INSTALL_LOCK=true - GITEA__database__DB_TYPE=mysql - GITEA__database__HOST=gitea.{{inventory_hostname}}--db:3306 - GITEA__database__NAME=gitea-db networks: - traefik - gitea.{{inventory_hostname}}--network volumes: - ./data:/data - /etc/timezone:/etc/timezone:ro - /etc/localtime:/etc/localtime:ro labels: - traefik.enable=true # HTTPS - traefik.http.routers.gitea-{{ ansible_facts['hostname'] }}.rule=Host(`gitea.{{ ansible_facts['nodename'] }}`) - traefik.http.routers.gitea-{{ ansible_facts['hostname'] }}.entrypoints=https - traefik.http.routers.gitea-{{ ansible_facts['hostname'] }}.tls=true - traefik.http.routers.gitea-{{ ansible_facts['hostname'] }}.middlewares=secHeaders@file # Proxy to service-port - traefik.http.services.gitea-{{ ansible_facts['hostname'] }}.loadbalancer.server.port=3000 - traefik.http.routers.gitea-{{ ansible_facts['hostname'] }}.service=gitea-{{ ansible_facts['hostname'] }} # cert via letsencrypt - traefik.http.routers.gitea-{{ ansible_facts['hostname'] }}.tls.certresolver=letsencrypt # Traefik network - traefik.docker.network=traefik ports: - 0.0.0.0:333:22 gitea.{{inventory_hostname}}--db: image: mariadb:latest cap_add: - SYS_NICE restart: unless-stopped volumes: - ./giteadb-data:/var/lib/mysql - /etc/localtime:/etc/localtime:ro env_file: env.db environment: - MARIADB_RANDOM_ROOT_PASSWORD=1 - MARIADB_DATABASE=gitea-db - MARIADB_AUTO_UPGRADE=1 - MARIADB_INITDB_SKIP_TZINFO=1 networks: - gitea.{{inventory_hostname}}--network gitea.{{inventory_hostname}}--phpmyadmin: image: phpmyadmin:latest restart: unless-stopped env_file: env.phpmyadmin environment: - PMA_ARBITRARY=0 - PMA_HOST=gitea.{{inventory_hostname}}--db volumes: - /etc/localtime:/etc/localtime:ro networks: - gitea.{{inventory_hostname}}--network - traefik labels: - traefik.enable=true # HTTPS - traefik.http.routers.gitea-{{ ansible_facts['hostname'] }}--phpmyadmin.rule=Host(`gitea-phpmyadmin.{{ ansible_facts['nodename'] }}`) - traefik.http.routers.gitea-{{ ansible_facts['hostname'] }}--phpmyadmin.entrypoints=https - traefik.http.routers.gitea-{{ ansible_facts['hostname'] }}--phpmyadmin.tls=true # Proxy to service-port - traefik.http.services.gitea-{{ ansible_facts['hostname'] }}--phpmyadmin.loadbalancer.server.port=80 - traefik.http.routers.gitea-{{ ansible_facts['hostname'] }}--phpmyadmin.service=gitea-{{ ansible_facts['hostname'] }}--phpmyadmin # cert via letsencrypt - traefik.http.routers.gitea-{{ ansible_facts['hostname'] }}--phpmyadmin.tls.certresolver=letsencrypt # Auth - traefik.http.routers.gitea-{{ ansible_facts['hostname'] }}--phpmyadmin.middlewares=secHeaders@file,gitea-{{ ansible_facts['hostname'] }}--phpmyadmin-auth - traefik.http.middlewares.gitea-{{ ansible_facts['hostname'] }}--phpmyadmin-auth.basicauth.users=admin:$$apr1$$XLxGs/Ba$$3phZ1a2RtfExOp8x6NFjZ. # Traefik network - traefik.docker.network=traefik networks: gitea.{{inventory_hostname}}--network: driver: bridge driver_opts: com.docker.network.bridge.name: br-gitea traefik: external: true backup: yes notify: Restart gitea - name: Start gitea ansible.builtin.shell: docker-compose up -d --force-recreate args: chdir: /home/docker/gitea.{{inventory_hostname}} creates: /home/docker/gitea.{{inventory_hostname}}/data/gitea/conf/app.ini - name: Wait until gitea install is finished wait_for: path: /home/docker/gitea.{{inventory_hostname}}/data/gitea/conf/app.ini - name: /home/docker/gitea.{{inventory_hostname}}/gitea.init.sh blockinfile: path: /home/docker/gitea.{{inventory_hostname}}/gitea.init.sh mode: "0500" owner: root group: root create: yes marker: "# {mark} ANSIBLE MANAGED BLOCK" block: | # create admin-User cd /home/docker/gitea.{{inventory_hostname}} until wget -q -t1 --timeout=15 https://gitea.{{inventory_hostname}} -O /dev/null do sleep 5 done if ! docker-compose exec -T -u git gitea.{{inventory_hostname}} gitea admin user list | grep -q " gtadmin " then cat env | egrep "^GTADMINPASSWD=" >env.tmp . env.tmp rm -f env.tmp docker-compose exec -T -u git gitea.{{inventory_hostname}} gitea admin user create --username gtadmin --email admin@{{inventory_hostname}} --admin --password $GTADMINPASSWD fi backup: yes validate: /bin/bash -n %s notify: run gitea.init - name: Run gitea.init after install ansible.builtin.shell: bash /home/docker/gitea.{{inventory_hostname}}/gitea.init.sh args: chdir: /home/docker/gitea.{{inventory_hostname}} creates: /home/docker/gitea.{{inventory_hostname}}/gitea.init.log - name: Allow ssh on port 333 community.general.ufw: rule: allow port: '333' proto: tcp handlers: - name: run genpw.sh ansible.builtin.shell: ./genpw.sh args: chdir: /home/docker/gitea.{{inventory_hostname}} notify: Restart gitea - name: run gitea.init ansible.builtin.shell: bash /home/docker/gitea.{{inventory_hostname}}/gitea.init.sh >/home/docker/gitea.{{inventory_hostname}}/gitea.init.log 2>&1 - name: Restart gitea ansible.builtin.shell: docker-compose up -d --force-recreate args: chdir: /home/docker/gitea.{{inventory_hostname}}