Add git role

This commit is contained in:
polyfloyd 2024-04-21 19:15:10 +02:00
parent 303e188e24
commit 5dd519d88a
9 changed files with 215 additions and 0 deletions

7
git.yaml Normal file

@ -0,0 +1,7 @@
---
- hosts: git
roles:
- common
- common-bitlair
- acme
- git-server

5
group_vars/git.yaml Normal file

@ -0,0 +1,5 @@
acme_domains:
- "{{ git_server_domain }}"
git_server_domain: git.bitlair.nl
git_server_title: Gitlair
git_server_bootstrap_cert: no
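Review bot: `git_server_bootstrap_cert: no` relies on the YAML 1.1 truthy form; Ansible evaluates it as false today, but yamllint's `truthy` rule flags it and the same file mixes it with the quoted Jinja value above, so write the canonical `git_server_bootstrap_cert: false`. The nginx template's `{% if git_server_bootstrap_cert %}` branch is the only consumer in this commit, and it reads identically with either spelling. This file also lacks the `---` document start that `git.yaml` in the same commit uses; adding it keeps the two consistent.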


@ -0,0 +1,3 @@
git_server_user: git
git_server_working_dir: /var/lib/gitea
git_server_title: Gitea
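Review bot: `git_server_working_dir: /var/lib/gitea` is the only Gitea-named path left in a role whose unit, nginx site, log directory and cron job are all called forgejo, and since `group_vars/git.yaml` does not override it, this is the effective install path; consider `git_server_working_dir: /var/lib/forgejo` for consistency. `git_server_title` is not referenced by any template in this commit — presumably it is meant for the config file that the tasks' `# TODO: Install initial config` still has to install — so a one-line comment such as `# Site title, used by the (not yet templated) forgejo.ini` would save the next reader a search. The filename of this hunk is not visible on the page, but it reads as the role's defaults file.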


@ -0,0 +1,7 @@
---
- import_tasks: ../../common/handlers/main.yaml
- name: reload forgejo
systemd:
name: forgejo
state: reloaded
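Review bot: The `reload forgejo` handler uses `state: reloaded`, which only triggers the unit's `ExecReload` (`kill -HUP`), yet the tasks hunk notifies this same handler from `Install service file` — the task that templates `/etc/systemd/system/forgejo.service` — and a HUP does not make systemd re-read a changed unit file or restart the process under the new definition. Either add `daemon_reload: true` to this handler and use `state: restarted`, or add a second handler `- name: restart forgejo` with `systemd: {name: forgejo, state: restarted, daemon_reload: true}` and have the service-file task notify that one while the update task keeps the lighter reload. Behaviour of `state: reloaded` on a unit that is not yet active on the first run is version-dependent in the systemd module, so the restart variant is also the safer first-run path.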


@ -0,0 +1,109 @@
---
- name: Install dependencies
apt:
name:
- git
- nginx
- xq
state: present
- name: Clear default nginx site
file:
state: absent
path: /etc/nginx/sites-enabled/default
notify: reload nginx
- name: Install nginx site
template:
src: nginx-site.conf
dest: /etc/nginx/sites-available/forgejo
owner: root
group: root
mode: 0644
notify: reload nginx
- name: Enable nginx site
file:
src: /etc/nginx/sites-available/forgejo
dest: /etc/nginx/sites-enabled/forgejo
state: link
notify: reload nginx
- name: Create user
user:
name: "{{ git_server_user }}"
home: "{{ git_server_working_dir }}"
shell: /bin/bash
comment: Git server
- name: Create logging dir
file:
state: directory
path: /var/log/forgejo
owner: "{{ git_server_user }}"
group: "{{ git_server_user }}"
mode: 0755
# TODO: Install initial config
- name: Install service file
template:
src: forgejo.service
dest: /etc/systemd/system/forgejo.service
owner: root
group: root
mode: 0644
notify: reload forgejo
- name: Install update script
template:
src: update.sh
dest: "{{ git_server_working_dir }}/update.sh"
owner: "{{ git_server_user }}"
group: "{{ git_server_user }}"
mode: 0755
- name: Perform initial update
command: "{{ git_server_working_dir }}/update.sh"
args:
creates: "{{ git_server_working_dir }}/forgejo"
notify: reload forgejo
- name: Enable service
systemd:
name: forgejo
enabled: yes
daemon_reload: true
- name: Start service
systemd:
name: forgejo
state: started
daemon_reload: true
- name: Install cronjob
template:
src: cronjob
dest: /etc/cron.d/forgejo
- name: Allow Git SSH, HTTP and HTTPS
iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ item.port }}"
ctstate: NEW
jump: ACCEPT
ip_version: "{{ item.ip }}"
action: insert
with_items:
- { ip: ipv4, port: 80 }
- { ip: ipv4, port: 22 }
- { ip: ipv4, port: 443 }
- { ip: ipv6, port: 80 }
- { ip: ipv6, port: 22 }
- { ip: ipv6, port: 443 }
notify: persist iptables
- debug:
msg: If Forgejo has not been setup yet, please do so manually.
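Review bot: The file modes `mode: 0644` and `mode: 0755` (four occurrences across the nginx site, logging dir, service file and update script tasks) are unquoted octal literals, which a YAML 1.1 parser turns into the integers 420 and 493; Ansible reconstructs the intended mode from those today, but its own documentation recommends `mode: "0644"` / `mode: "0755"` so the value survives any tooling that reformats or retypes it. In the same hunk `enabled: yes` sits next to `daemon_reload: true`; use `enabled: true` for one boolean style. The final `debug` task is the only unnamed task in the file — `- name: Remind about manual setup` keeps play output uniform.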


@ -0,0 +1,4 @@
# {{ ansible_managed }}
#m h dom mon dow user command
0 2 * * 1 {{ git_server_user }} {{ git_server_working_dir }}/update.sh
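Review bot: The job runs `update.sh` as `{{ git_server_user }}`, but that script ends with `systemctl restart forgejo.service`, which an unprivileged user cannot perform unless a polkit rule or sudo entry exists that this commit does not add; the weekly run would therefore download and relink the new binary and then fail (with `set -e`, exit non-zero and mail the error via cron) at the restart step, leaving the old process running the old binary until the next manual restart. The Ansible `Perform initial update` task runs the same script as root, so the simplest consistent fix is `0 2 * * 1 root {{ git_server_working_dir }}/update.sh`; if the download itself should stay unprivileged, split the restart out into a root-only step. Also consider documenting the schedule on its own line, e.g. `# Weekly, Monday 02:00: fetch the latest Forgejo release and restart the service`.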


@ -0,0 +1,18 @@
# {{ ansible_managed }}
[Unit]
Description=Forgejo
After=network.target
[Service]
ExecStart={{ git_server_working_dir }}/forgejo web --config /etc/forgejo.ini
ExecReload=/bin/kill -HUP $MAINPID
User={{ git_server_user }}
WorkingDirectory={{ git_server_working_dir }}
AmbientCapabilities=CAP_NET_BIND_SERVICE
KillMode=process
Restart=on-failure
RestartSec=10s
[Install]
WantedBy=multi-user.target
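Review bot: The unit runs a binary that `update.sh` downloads from the internet as `{{ git_server_user }}` with `AmbientCapabilities=CAP_NET_BIND_SERVICE`, but applies no sandboxing, so a compromised or tampered release has the full reach of that account plus the capability; adding `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` under `[Service]` limits the blast radius without affecting the working directory under `/var/lib` or `/var/log/forgejo`. `After=network.target` is satisfied before interfaces have addresses; if Forgejo needs to bind a configured address at boot, `Wants=network-online.target` with `After=network-online.target` is the documented pattern. `--config /etc/forgejo.ini` refers to a file this commit does not install, which the tasks' TODO already acknowledges.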


@ -0,0 +1,40 @@
# {{ ansible_managed }}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ git_server_domain }};
client_max_body_size 4G;
{% if git_server_bootstrap_cert %}
include "snippets/snakeoil.conf";
{% else %}
ssl_certificate "/var/lib/dehydrated/certs/{{ git_server_domain }}/fullchain.pem";
ssl_certificate_key "/var/lib/dehydrated/certs/{{ git_server_domain }}/privkey.pem";
{% endif %}
add_header X-Robots-Tag noindex;
location / {
proxy_pass http://localhost:9001;
include proxy_params;
}
location ~* \.keys$ {
deny all;
}
include "snippets/acme.conf";
}
server {
listen 80;
listen [::]:80;
server_name {{ git_server_domain }};
location / {
rewrite ^/(.*) https://$server_name$request_uri? redirect;
}
include "snippets/acme.conf";
}
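Review bot: The HTTPS server block sets `X-Robots-Tag` but no HSTS header, so every first plain-HTTP visit keeps going through the redirect on port 80; add `add_header Strict-Transport-Security "max-age=63072000" always;` inside the `{% else %}` branch (next to the dehydrated certificate lines), keeping it out of the snakeoil bootstrap branch where a pinned policy would lock clients onto an untrusted certificate. The redirect itself, `rewrite ^/(.*) https://$server_name$request_uri? redirect;`, is a regex-based 302; `return 301 https://$server_name$request_uri;` is the idiomatic permanent scheme redirect and avoids the capture. `proxy_pass http://localhost:9001;` depends on how the resolver orders `localhost` between 127.0.0.1 and ::1 — if Forgejo is bound to one family only, `127.0.0.1:9001` removes the ambiguity.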


@ -0,0 +1,22 @@
#!/bin/bash
# {{ ansible_managed }}
set -euo pipefail
install="{{ git_server_working_dir }}"
arch="linux-amd64"
version=$(curl -s https://forgejo.org/releases/rss.xml | xq -x '//rss/channel/item[1]/title' | sed 's/^v//')
if [[ ! $version =~ ^[0-9]+\.[0-9]+\.[0-9\-]+$ ]]; then
echo "invalid version: $version"
exit 1
fi
ofile="$install/forgejo-$version"
if [ ! -e "$ofile" ]; then
curl -s "https://codeberg.org/forgejo/forgejo/releases/download/v$version/forgejo-$version-$arch" > "$ofile"
chmod 755 "$ofile"
ln -sf "$ofile" "$install/forgejo"
systemctl restart forgejo.service
fi
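Review bot: The `curl -s … > "$ofile"` line writes straight into the final path without `-f`, so an HTTP error body (curl exits 0 on a 404) or an interrupted transfer becomes `forgejo-$version`, is `chmod 755`-ed, becomes the `forgejo` symlink target and the service is restarted on it; because the `[ ! -e "$ofile" ]` guard then sees the file, later runs never retry. Download to a temporary file with `-f` (and `-L`, in case the release asset URL redirects) and `mv` it into place only on success, as in the excerpt below. Nothing verifies the download: the version is taken from an RSS feed and the resulting binary runs as a long-lived network service, so checking the release's published checksum or signature before installing closes the remaining gap — left as a marked TODO in the excerpt. The `systemctl restart` at the end needs root when this script is invoked from the cron entry, which is raised on that hunk.
```shell
ofile="$install/forgejo-$version"
if [ ! -e "$ofile" ]; then
  tmp="$(mktemp "$install/.forgejo-download.XXXXXX")"
  trap 'rm -f "$tmp"' EXIT
  # -f: fail on HTTP errors instead of saving the error page; -L: follow release redirects
  curl -fsSL "https://codeberg.org/forgejo/forgejo/releases/download/v$version/forgejo-$version-$arch" -o "$tmp"
  # TODO(review): verify the release's published checksum/signature for "$tmp" before installing it
  chmod 755 "$tmp"
  mv "$tmp" "$ofile"
  ln -sf "$ofile" "$install/forgejo"
  # … unchanged: systemctl restart forgejo.service …
fi
```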