Add git role

2024-04-21 19:15:10 +02:00 · 2024-04-21 19:15:10 +02:00 · 5dd519d88a
commit 5dd519d88a
parent 303e188e24
9 changed files with 215 additions and 0 deletions
--- a/roles/git-server/templates/cronjob
+++ b/roles/git-server/templates/cronjob
@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+#m   h  dom mon dow user             command
+ 0   2  *   *   1   {{ git_server_user }} {{ git_server_working_dir }}/update.sh
--- a/roles/git-server/templates/forgejo.service
+++ b/roles/git-server/templates/forgejo.service
@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Forgejo
+After=network.target
+
+[Service]
+ExecStart={{ git_server_working_dir }}/forgejo web --config /etc/forgejo.ini
+ExecReload=/bin/kill -HUP $MAINPID
+User={{ git_server_user }}
+WorkingDirectory={{ git_server_working_dir }}
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+KillMode=process
+Restart=on-failure
+RestartSec=10s
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/git-server/templates/nginx-site.conf
+++ b/roles/git-server/templates/nginx-site.conf
@ -0,0 +1,40 @@
+# {{ ansible_managed }}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+	server_name {{ git_server_domain }};
+	client_max_body_size 4G;
+
+	{% if git_server_bootstrap_cert %}
+	include "snippets/snakeoil.conf";
+	{% else %}
+	ssl_certificate     "/var/lib/dehydrated/certs/{{ git_server_domain }}/fullchain.pem";
+	ssl_certificate_key "/var/lib/dehydrated/certs/{{ git_server_domain }}/privkey.pem";
+	{% endif %}
+
+	add_header X-Robots-Tag noindex;
+
+	location / {
+		proxy_pass http://localhost:9001;
+		include proxy_params;
+	}
+
+	location ~* \.keys$ {
+		deny all;
+	}
+
+	include "snippets/acme.conf";
+}
+
+server {
+	listen 80;
+	listen [::]:80;
+	server_name {{ git_server_domain }};
+
+	location / {
+		rewrite ^/(.*) https://$server_name$request_uri? redirect;
+	}
+
+	include "snippets/acme.conf";
+}
--- a/roles/git-server/templates/update.sh
+++ b/roles/git-server/templates/update.sh
@ -0,0 +1,22 @@
+#!/bin/bash
+
+# {{ ansible_managed }}
+
+set -euo pipefail
+
+install="{{ git_server_working_dir }}"
+arch="linux-amd64"
+
+version=$(curl -s https://forgejo.org/releases/rss.xml | xq -x '//rss/channel/item[1]/title' | sed 's/^v//')
+if [[ ! $version =~ ^[0-9]+\.[0-9]+\.[0-9\-]+$ ]]; then
+    echo "invalid version: $version"
+    exit 1
+fi
+
+ofile="$install/forgejo-$version"
+if [ ! -e "$ofile" ]; then
+    curl -s "https://codeberg.org/forgejo/forgejo/releases/download/v$version/forgejo-$version-$arch" > "$ofile"
+    chmod 755 "$ofile"
+    ln -sf "$ofile" "$install/forgejo"
+    systemctl restart forgejo.service
+fi