Add git role

2024-04-21 19:15:10 +02:00 · 2024-04-21 19:15:10 +02:00 · 5dd519d88a
commit 5dd519d88a
parent 303e188e24
9 changed files with 215 additions and 0 deletions
--- a/git.yaml
+++ b/git.yaml
@ -0,0 +1,7 @@
 ---
 - hosts: git
  roles:
    - common
    - common-bitlair
    - acme
    - git-server
--- a/group_vars/git.yaml
+++ b/group_vars/git.yaml
@ -0,0 +1,5 @@
 acme_domains:
  - "{{ git_server_domain }}"
 git_server_domain: git.bitlair.nl
 git_server_title: Gitlair
 git_server_bootstrap_cert: no
--- a/roles/git-server/defaults/main.yaml
+++ b/roles/git-server/defaults/main.yaml
@ -0,0 +1,3 @@
 git_server_user: git
 git_server_working_dir: /var/lib/gitea
 git_server_title: Gitea
--- a/roles/git-server/handlers/main.yaml
+++ b/roles/git-server/handlers/main.yaml
@ -0,0 +1,7 @@
 ---
 - import_tasks: ../../common/handlers/main.yaml
 - name: reload forgejo
  systemd:
    name: forgejo
    state: reloaded
--- a/roles/git-server/tasks/main.yaml
+++ b/roles/git-server/tasks/main.yaml
@ -0,0 +1,109 @@
 ---
 - name: Install dependencies
  apt:
    name:
      - git
      - nginx
      - xq
    state: present
 - name: Clear default nginx site
  file:
    state: absent
    path: /etc/nginx/sites-enabled/default
  notify: reload nginx
 - name: Install nginx site
  template:
    src: nginx-site.conf
    dest: /etc/nginx/sites-available/forgejo
    owner: root
    group: root
    mode: 0644
  notify: reload nginx
 - name: Enable nginx site
  file:
    src: /etc/nginx/sites-available/forgejo
    dest: /etc/nginx/sites-enabled/forgejo
    state: link
  notify: reload nginx
 - name: Create user
  user:
    name: "{{ git_server_user }}"
    home: "{{ git_server_working_dir }}"
    shell: /bin/bash
    comment: Git server
 - name: Create logging dir
  file:
    state: directory
    path: /var/log/forgejo
    owner: "{{ git_server_user }}"
    group: "{{ git_server_user }}"
    mode: 0755
 # TODO: Install initial config
 - name: Install service file
  template:
    src: forgejo.service
    dest: /etc/systemd/system/forgejo.service
    owner: root
    group: root
    mode: 0644
  notify: reload forgejo
 - name: Install update script
  template:
    src: update.sh
    dest: "{{ git_server_working_dir }}/update.sh"
    owner: "{{ git_server_user }}"
    group: "{{ git_server_user }}"
    mode: 0755
 - name: Perform initial update
  command: "{{ git_server_working_dir }}/update.sh"
  args:
    creates: "{{ git_server_working_dir }}/forgejo"
  notify: reload forgejo
 - name: Enable service
  systemd:
    name: forgejo
    enabled: yes
    daemon_reload: true
 - name: Start service
  systemd:
    name: forgejo
    state: started
    daemon_reload: true
 - name: Install cronjob
  template:
    src: cronjob
    dest: /etc/cron.d/forgejo
 - name: Allow Git SSH, HTTP and HTTPS
  iptables:
    chain: INPUT
    protocol: tcp
    destination_port: "{{ item.port }}"
    ctstate: NEW
    jump: ACCEPT
    ip_version: "{{ item.ip }}"
    action: insert
  with_items:
    - { ip: ipv4, port: 80 }
    - { ip: ipv4, port: 22 }
    - { ip: ipv4, port: 443 }
    - { ip: ipv6, port: 80 }
    - { ip: ipv6, port: 22 }
    - { ip: ipv6, port: 443 }
  notify: persist iptables
 - debug:
    msg: If Forgejo has not been setup yet, please do so manually.
--- a/roles/git-server/templates/cronjob
+++ b/roles/git-server/templates/cronjob
@ -0,0 +1,4 @@
 # {{ ansible_managed }}
 #m   h  dom mon dow user             command
 0   2  *   *   1   {{ git_server_user }} {{ git_server_working_dir }}/update.sh
--- a/roles/git-server/templates/forgejo.service
+++ b/roles/git-server/templates/forgejo.service
@ -0,0 +1,18 @@
 # {{ ansible_managed }}
 [Unit]
 Description=Forgejo
 After=network.target
 [Service]
 ExecStart={{ git_server_working_dir }}/forgejo web --config /etc/forgejo.ini
 ExecReload=/bin/kill -HUP $MAINPID
 User={{ git_server_user }}
 WorkingDirectory={{ git_server_working_dir }}
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 KillMode=process
 Restart=on-failure
 RestartSec=10s
 [Install]
 WantedBy=multi-user.target
--- a/roles/git-server/templates/nginx-site.conf
+++ b/roles/git-server/templates/nginx-site.conf
@ -0,0 +1,40 @@
 # {{ ansible_managed }}
 server {
 	listen 443 ssl http2;
 	listen [::]:443 ssl http2;
 	server_name {{ git_server_domain }};
 	client_max_body_size 4G;
 	{% if git_server_bootstrap_cert %}
 	include "snippets/snakeoil.conf";
 	{% else %}
 	ssl_certificate     "/var/lib/dehydrated/certs/{{ git_server_domain }}/fullchain.pem";
 	ssl_certificate_key "/var/lib/dehydrated/certs/{{ git_server_domain }}/privkey.pem";
 	{% endif %}
 	add_header X-Robots-Tag noindex;
 	location / {
 		proxy_pass http://localhost:9001;
 		include proxy_params;
 	}
 	location ~* \.keys$ {
 		deny all;
 	}
 	include "snippets/acme.conf";
 }
 server {
 	listen 80;
 	listen [::]:80;
 	server_name {{ git_server_domain }};
 	location / {
 		rewrite ^/(.*) https://$server_name$request_uri? redirect;
 	}
 	include "snippets/acme.conf";
 }
--- a/roles/git-server/templates/update.sh
+++ b/roles/git-server/templates/update.sh
@ -0,0 +1,22 @@
 #!/bin/bash
 # {{ ansible_managed }}
 set -euo pipefail
 install="{{ git_server_working_dir }}"
 arch="linux-amd64"
 version=$(curl -s https://forgejo.org/releases/rss.xml | xq -x '//rss/channel/item[1]/title' | sed 's/^v//')
 if [[ ! $version =~ ^[0-9]+\.[0-9]+\.[0-9\-]+$ ]]; then
    echo "invalid version: $version"
    exit 1
 fi
 ofile="$install/forgejo-$version"
 if [ ! -e "$ofile" ]; then
    curl -s "https://codeberg.org/forgejo/forgejo/releases/download/v$version/forgejo-$version-$arch" > "$ofile"
    chmod 755 "$ofile"
    ln -sf "$ofile" "$install/forgejo"
    systemctl restart forgejo.service
 fi