From 5dd519d88a54cdcf3604a51d32a9fa1cb25085ea Mon Sep 17 00:00:00 2001
From: polyfloyd
Date: Sun, 21 Apr 2024 19:15:10 +0200
Subject: [PATCH] Add git role
---
git.yaml | 7 ++
group_vars/git.yaml | 5 +
roles/git-server/defaults/main.yaml | 3 +
roles/git-server/handlers/main.yaml | 7 ++
roles/git-server/tasks/main.yaml | 109 +++++++++++++++++++++
roles/git-server/templates/cronjob | 4 +
roles/git-server/templates/forgejo.service | 18 ++++
roles/git-server/templates/nginx-site.conf | 40 ++++++++
roles/git-server/templates/update.sh | 22 +++++
9 files changed, 215 insertions(+)
create mode 100644 git.yaml
create mode 100644 group_vars/git.yaml
create mode 100644 roles/git-server/defaults/main.yaml
create mode 100644 roles/git-server/handlers/main.yaml
create mode 100644 roles/git-server/tasks/main.yaml
create mode 100644 roles/git-server/templates/cronjob
create mode 100644 roles/git-server/templates/forgejo.service
create mode 100644 roles/git-server/templates/nginx-site.conf
create mode 100644 roles/git-server/templates/update.sh
diff --git a/git.yaml b/git.yaml
new file mode 100644
index 0000000..050090d
--- /dev/null
+++ b/git.yaml
@@ -0,0 +1,7 @@
+---
+- hosts: git
+ roles:
+ - common
+ - common-bitlair
+ - acme
+ - git-server
diff --git a/group_vars/git.yaml b/group_vars/git.yaml
new file mode 100644
index 0000000..ed549a9
--- /dev/null
+++ b/group_vars/git.yaml
@@ -0,0 +1,5 @@
+acme_domains:
+ - "{{ git_server_domain }}"
+git_server_domain: git.bitlair.nl
+git_server_title: Gitlair
+git_server_bootstrap_cert: no
diff --git a/roles/git-server/defaults/main.yaml b/roles/git-server/defaults/main.yaml
new file mode 100644
index 0000000..9e54d8f
--- /dev/null
+++ b/roles/git-server/defaults/main.yaml
@@ -0,0 +1,3 @@
+git_server_user: git
+git_server_working_dir: /var/lib/gitea
+git_server_title: Gitea
diff --git a/roles/git-server/handlers/main.yaml b/roles/git-server/handlers/main.yaml
new file mode 100644
index 0000000..563eeaa
--- /dev/null
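Review bot: `git_server_bootstrap_cert: no` in group_vars/git.yaml relies on YAML 1.1 truthiness; Ansible reads it as false today, but yamllint flags it and a YAML 1.2 parser would hand the consumer the string "no", so write `git_server_bootstrap_cert: false`. The file also lacks the `---` document start that git.yaml, the handlers and the tasks file all begin with.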
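Review bot: `git_server_title` is declared here in defaults/main.yaml and overridden in group_vars/git.yaml, but no template in this commit reads it — presumably it is meant for the initial config still marked TODO in the tasks file; a comment saying so (`# used by the initial config, not yet installed by this role`) would stop the next reader from treating it as dead. The default `git_server_working_dir: /var/lib/gitea` is also the only place left that says gitea while the unit, log directory, nginx site and cronjob are all named forgejo; worth aligning now, since renaming the service account's home later is painful.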
+++ b/roles/git-server/handlers/main.yaml
@@ -0,0 +1,7 @@
+---
+- import_tasks: ../../common/handlers/main.yaml
+
+- name: reload forgejo
+ systemd:
+ name: forgejo
+ state: reloaded
diff --git a/roles/git-server/tasks/main.yaml b/roles/git-server/tasks/main.yaml
new file mode 100644
index 0000000..73fb5c6
--- /dev/null
+++ b/roles/git-server/tasks/main.yaml
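Review bot: The only handler, `reload forgejo`, uses `state: reloaded`, which runs the unit's ExecReload (a HUP of the running process in forgejo.service), yet the tasks file notifies it from "Install service file" — a changed unit file is only picked up by a daemon-reload followed by a restart, so edits to the unit never take effect through this handler. Add a second handler named `restart forgejo` that calls `systemd:` with `name: forgejo`, `state: restarted` and `daemon_reload: true`, notify that one from the service-file task, and keep `reload forgejo` for config-only changes such as the future `/etc/forgejo.ini`.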
@@ -0,0 +1,109 @@
+---
+- name: Install dependencies
+ apt:
+ name:
+ - git
+ - nginx
+ - xq
+ state: present
+
+- name: Clear default nginx site
+ file:
+ state: absent
+ path: /etc/nginx/sites-enabled/default
+ notify: reload nginx
+
+- name: Install nginx site
+ template:
+ src: nginx-site.conf
+ dest: /etc/nginx/sites-available/forgejo
+ owner: root
+ group: root
+ mode: 0644
+ notify: reload nginx
+
+- name: Enable nginx site
+ file:
+ src: /etc/nginx/sites-available/forgejo
+ dest: /etc/nginx/sites-enabled/forgejo
+ state: link
+ notify: reload nginx
+
+- name: Create user
+ user:
+ name: "{{ git_server_user }}"
+ home: "{{ git_server_working_dir }}"
+ shell: /bin/bash
+ comment: Git server
+
+- name: Create logging dir
+ file:
+ state: directory
+ path: /var/log/forgejo
+ owner: "{{ git_server_user }}"
+ group: "{{ git_server_user }}"
+ mode: 0755
+
+
+# TODO: Install initial config
+
+- name: Install service file
+ template:
+ src: forgejo.service
+ dest: /etc/systemd/system/forgejo.service
+ owner: root
+ group: root
+ mode: 0644
+ notify: reload forgejo
+
+- name: Install update script
+ template:
+ src: update.sh
+ dest: "{{ git_server_working_dir }}/update.sh"
+ owner: "{{ git_server_user }}"
+ group: "{{ git_server_user }}"
+ mode: 0755
+
+- name: Perform initial update
+ command: "{{ git_server_working_dir }}/update.sh"
+ args:
+ creates: "{{ git_server_working_dir }}/forgejo"
+ notify: reload forgejo
+
+- name: Enable service
+ systemd:
+ name: forgejo
+ enabled: yes
+ daemon_reload: true
+
+- name: Start service
+ systemd:
+ name: forgejo
+ state: started
+ daemon_reload: true
+
+- name: Install cronjob
+ template:
+ src: cronjob
+ dest: /etc/cron.d/forgejo
+
+- name: Allow Git SSH, HTTP and HTTPS
+ iptables:
+ chain: INPUT
+ protocol: tcp
+ destination_port: "{{ item.port }}"
+ ctstate: NEW
+ jump: ACCEPT
+ ip_version: "{{ item.ip }}"
+ action: insert
+ with_items:
+ - { ip: ipv4, port: 80 }
+ - { ip: ipv4, port: 22 }
+ - { ip: ipv4, port: 443 }
+ - { ip: ipv6, port: 80 }
+ - { ip: ipv6, port: 22 }
+ - { ip: ipv6, port: 443 }
+ notify: persist iptables
+
+- debug:
+ msg: If Forgejo has not been setup yet, please do so manually.
diff --git a/roles/git-server/templates/cronjob b/roles/git-server/templates/cronjob
new file mode 100644
index 0000000..9a71799
--- /dev/null
+++ b/roles/git-server/templates/cronjob
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+#m h dom mon dow user command
+ 0 2 * * 1 {{ git_server_user }} {{ git_server_working_dir }}/update.sh
diff --git a/roles/git-server/templates/forgejo.service b/roles/git-server/templates/forgejo.service
new file mode 100644
index 0000000..8d826d0
--- /dev/null
+++ b/roles/git-server/templates/forgejo.service
@@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Forgejo
+After=network.target
+
+[Service]
+ExecStart={{ git_server_working_dir }}/forgejo web --config /etc/forgejo.ini
+ExecReload=/bin/kill -HUP $MAINPID
+User={{ git_server_user }}
+WorkingDirectory={{ git_server_working_dir }}
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+KillMode=process
+Restart=on-failure
+RestartSec=10s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/git-server/templates/nginx-site.conf b/roles/git-server/templates/nginx-site.conf
new file mode 100644
index 0000000..d8c4f37
--- /dev/null
+++ b/roles/git-server/templates/nginx-site.conf
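Review bot: The "Install update script" task hands `{{ git_server_working_dir }}/update.sh` to `{{ git_server_user }}`, and "Create user" makes that same directory the service account's home, so the Forgejo process can rewrite both its own updater and the `forgejo` binary the unit executes — a compromise of the web process then survives restarts and is re-run by the weekly cron job. Install `update.sh` with `owner: root` and `group: root`, and have it place releases in a root-owned directory outside the service user's home (the script needs root anyway for its `systemctl restart`); the same concern applies to the cronjob and update.sh hunks. Separately, `mode: 0644` and `mode: 0755` are unquoted octals that the YAML parser turns into decimal integers — Ansible's documentation recommends quoting them, `mode: "0644"` — and `enabled: yes` should be `enabled: true`, matching the `daemon_reload: true` on the next line.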
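Review bot: The cron entry runs `update.sh` as `{{ git_server_user }}`, but the script ends with `systemctl restart forgejo.service`, which an unprivileged user cannot do; under `set -e` the script then exits non-zero after it has already swapped the `forgejo` symlink, so every weekly run leaves a new binary linked but never started, and cron mails the error. Run the job as `root` instead, and pair that with a root-owned script and install directory (raised on the tasks hunk) so root never writes through paths the service account controls.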
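Review bot: The unit grants `AmbientCapabilities=CAP_NET_BIND_SERVICE`, yet nginx proxies to `localhost:9001` and nothing in this commit binds a port below 1024; unless `/etc/forgejo.ini` (not part of this commit) makes Forgejo serve SSH on port 22 itself, drop the line so the service holds no capabilities at all. The [Service] section also has none of the usual sandboxing for a network-facing daemon that runs git on user-supplied data; the lines below add it, with `ReadWritePaths` covering the working and log directories — extend it to whatever paths `/etc/forgejo.ini` points data at, keep `ProtectHome` only if no repositories live under `/home`, and try it on a staging host first since `ProtectSystem=strict` makes everything else read-only.

```ini
[Service]
# … unchanged: ExecStart, ExecReload, User, WorkingDirectory …
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectControlGroups=true
ReadWritePaths={{ git_server_working_dir }} /var/log/forgejo
# … unchanged: KillMode, Restart, RestartSec …
```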
@@ -0,0 +1,40 @@
+# {{ ansible_managed }}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {{ git_server_domain }};
+ client_max_body_size 4G;
+
+ {% if git_server_bootstrap_cert %}
+ include "snippets/snakeoil.conf";
+ {% else %}
+ ssl_certificate "/var/lib/dehydrated/certs/{{ git_server_domain }}/fullchain.pem";
+ ssl_certificate_key "/var/lib/dehydrated/certs/{{ git_server_domain }}/privkey.pem";
+ {% endif %}
+
+ add_header X-Robots-Tag noindex;
+
+ location / {
+ proxy_pass http://localhost:9001;
+ include proxy_params;
+ }
+
+ location ~* \.keys$ {
+ deny all;
+ }
+
+ include "snippets/acme.conf";
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name {{ git_server_domain }};
+
+ location / {
+ rewrite ^/(.*) https://$server_name$request_uri? redirect;
+ }
+
+ include "snippets/acme.conf";
+}
diff --git a/roles/git-server/templates/update.sh b/roles/git-server/templates/update.sh
new file mode 100644
index 0000000..f279e85
--- /dev/null
+++ b/roles/git-server/templates/update.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# {{ ansible_managed }}
+
+set -euo pipefail
+
+install="{{ git_server_working_dir }}"
+arch="linux-amd64"
+
+version=$(curl -s https://forgejo.org/releases/rss.xml | xq -x '//rss/channel/item[1]/title' | sed 's/^v//')
+if [[ ! $version =~ ^[0-9]+\.[0-9]+\.[0-9\-]+$ ]]; then
+ echo "invalid version: $version"
+ exit 1
+fi
+
+ofile="$install/forgejo-$version"
+if [ ! -e "$ofile" ]; then
+ curl -s "https://codeberg.org/forgejo/forgejo/releases/download/v$version/forgejo-$version-$arch" > "$ofile"
+ chmod 755 "$ofile"
+ ln -sf "$ofile" "$install/forgejo"
+ systemctl restart forgejo.service
+fi
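Review bot: The TLS server block sets no `ssl_protocols`, so the accepted versions fall back to the nginx build's default, which on older Debian releases still includes TLS 1.0 and 1.1; pin it with `ssl_protocols TLSv1.2 TLSv1.3;` next to the certificate lines. With the port-80 server already redirecting to HTTPS, an HSTS header is the missing half: `add_header Strict-Transport-Security "max-age=63072000" always;` placed in the `{% else %}` branch so it is never sent with the snakeoil bootstrap certificate (and `permanent` rather than `redirect` on the rewrite gives a cacheable 301). Note that nginx only inherits a server-level `add_header` into a `location` that declares no `add_header` of its own — true for both locations here, but it silently stops the moment one of them gains a header.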
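Review bot: The `curl -s ... > "$ofile"` download has no `--fail`, so a 404 or 5xx body is written to `$ofile`, made executable, symlinked as `forgejo` and the service restarted on it; and because the file is created before the transfer is known to be complete, an interrupted download leaves a truncated binary that the `[ ! -e "$ofile" ]` guard then treats as installed forever. Nothing verifies what was fetched either — the release assets publish a `.sha256` next to the binary (and a signature, which would be stronger); confirm the asset name against the release page. The rewrite below downloads to a temp file with `-f`, checks the digest, and only then moves it into place, so the existence check becomes meaningful. The `systemctl restart` at the end also needs root, which the cron entry does not provide (raised on the cronjob hunk).

```bash
if [ ! -e "$ofile" ]; then
    base="https://codeberg.org/forgejo/forgejo/releases/download/v$version/forgejo-$version-$arch"
    tmp=$(mktemp "$ofile.XXXXXX")
    trap 'rm -f "$tmp"' EXIT
    # -f: an HTTP error page must never become the installed binary
    curl -fsSL -o "$tmp" "$base"
    expected=$(curl -fsSL "$base.sha256" | awk '{print $1}')
    actual=$(sha256sum "$tmp" | awk '{print $1}')
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for forgejo-$version: got $actual, expected $expected"
        exit 1
    fi
    chmod 755 "$tmp"
    mv "$tmp" "$ofile"   # $ofile exists only once it is complete and verified
    # … unchanged: ln -sf, systemctl restart, fi …
```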