Thomas Buck 5 år sedan
förälder
incheckning
4ab56bdf6e

+ 2
- 0
README.md Visa fil

@@ -28,6 +28,7 @@ What do you get if you point Sovereign at a server? All kinds of good stuff!
28 28
 -   [CalDAV](https://en.wikipedia.org/wiki/CalDAV) and [CardDAV](https://en.wikipedia.org/wiki/CardDAV) to keep your calendars and contacts in sync, via [NextCloud](http://nextcloud.com/).
29 29
 -   Your own VPN server via [OpenVPN](http://openvpn.net/index.php/open-source.html).
30 30
 -   An IRC bouncer via [ZNC](http://wiki.znc.in/ZNC).
31
+-   Git Repo hosting via [gitea](https://gitea.io/en-us/).
31 32
 -   [Monit](http://mmonit.com/monit/) to keep everything running smoothly (and alert you when it’s not).
32 33
 -   Web hosting (ex: for your blog) via [Apache](https://www.apache.org/).
33 34
 -   Statistics for the website using [Fathom](https://github.com/usefathom/fathom).
@@ -116,6 +117,7 @@ Create `A` or `CNAME` records which point to your server's IP address:
116 117
 * `fathom.example.com` (for web stats)
117 118
 * `news.example.com` (for Selfoss)
118 119
 * `cloud.example.com` (for NextCloud)
120
+* `git.example.com` (for gitea)
119 121
 
120 122
 ### 6. Run the Ansible Playbooks
121 123
 

+ 10
- 0
roles/common/templates/etc_fail2ban_jail.local.j2 Visa fil

@@ -62,3 +62,13 @@ logpath = /var/log/mail.log
62 62
 maxretry = 20
63 63
 findtime = 1200
64 64
 bantime = 1200
65
+
66
+[gitea]
67
+enabled = true
68
+port = http,https
69
+filter = gitea
70
+logpath = /data/gitea/log/gitea.log
71
+maxretry = 10
72
+findtime = 3600
73
+bantime = 900
74
+action = iptables-allports

+ 22
- 0
roles/gitea/defaults/main.yml Visa fil

@@ -0,0 +1,22 @@
1
+secret_root: '{{ inventory_dir | realpath }}'
2
+secret_name: 'secret'
3
+secret: '{{ secret_root + "/" + secret_name }}'
4
+
5
+gitea_subdomain: "git"
6
+gitea_domain: "{{ gitea_subdomain }}.{{ domain }}"
7
+
8
+gitea_version: "1.7.3"
9
+gitea_release: "https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64"
10
+
11
+gitea_admin_username: "{{ main_user_name }}"
12
+gitea_admin_password: "{{ lookup('password', secret + '/' + 'gitea_admin_password length=32') }}"
13
+
14
+gitea_db_username: giteauser
15
+gitea_db_password: "{{ lookup('password', secret + '/' + 'gitea_db_password length=32') }}"
16
+gitea_db_database: gitea
17
+
18
+gitea_secret: "{{ lookup('password', secret + '/' + 'db_admin_password length=14') }}"
19
+
20
+# must match values in roles/common
21
+db_admin_username: 'postgres'
22
+db_admin_password: "{{ lookup('password', secret + '/' + 'db_admin_password length=32') }}"

+ 4
- 0
roles/gitea/files/etc_fail2ban_filter.d_gitea.conf Visa fil

@@ -0,0 +1,4 @@
1
+# gitea.conf
2
+[Definition]
3
+failregex =  .*Failed authentication attempt for .* from <HOST>
4
+ignoreregex =

+ 17
- 0
roles/gitea/files/etc_systemd_system_gitea.service Visa fil

@@ -0,0 +1,17 @@
1
+[Unit]
2
+Description=Starts the gitea server
3
+Requires=network.target
4
+After=network.target
5
+After=syslog.target
6
+
7
+[Service]
8
+Type=simple
9
+User=git
10
+Restart=always
11
+RestartSec=3
12
+WorkingDirectory=/data/gitea
13
+ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
14
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/data/gitea
15
+
16
+[Install]
17
+WantedBy=multi-user.target

+ 2
- 0
roles/gitea/handlers/main.yml Visa fil

@@ -0,0 +1,2 @@
1
+- name: restart apache
2
+  service: name=apache2 state=restarted

+ 122
- 0
roles/gitea/tasks/gitea.yml Visa fil

@@ -0,0 +1,122 @@
1
+- name: Create temporary gitea directory
2
+  file: state=directory path=/root/gitea
3
+
4
+- name: Download gitea {{ gitea_version }} release
5
+  get_url:
6
+    url="{{ gitea_release }}"
7
+    dest=/root/gitea/gitea-{{ gitea_version }}
8
+
9
+- name: Make gitea release download executable
10
+  file: path=/root/gitea/gitea-{{ gitea_version }} mode=0775
11
+
12
+- name: Create /usr/local/bin
13
+  file: state=directory path=/usr/local/bin
14
+
15
+- name: Stop old gitea instance
16
+  service: name=gitea state=stopped
17
+  ignore_errors: True
18
+
19
+- name: Copy gitea binary to /usr/local/bin
20
+  shell: cp gitea/gitea-{{ gitea_version }} /usr/local/bin/gitea chdir=/root
21
+
22
+- name: Add git user
23
+  user:
24
+    name: git
25
+    home: /home/git
26
+    create_home: yes
27
+    shell: /bin/bash
28
+    password_lock: yes
29
+    state: present
30
+    system: yes
31
+
32
+- name: Create gitea data directories
33
+  file:
34
+    state: directory
35
+    path: "/data/{{ item }}"
36
+    owner: git
37
+    group: git
38
+    mode: 0750
39
+  with_items:
40
+    - gitea
41
+    - gitea/custom
42
+    - gitea/data
43
+    - gitea/log
44
+    - gitea/repos
45
+
46
+- name: Create gitea config directory
47
+  file:
48
+    state: directory
49
+    path: "/etc/gitea"
50
+    owner: git
51
+    group: git
52
+    mode: 0750
53
+
54
+- name: Add gitea config file
55
+  template:
56
+    src=etc_gitea_app_ini.j2
57
+    dest=/etc/gitea/app.ini
58
+    owner=git
59
+    group=root
60
+    mode=0644
61
+
62
+- name: Add gitea postgres user
63
+  postgresql_user:
64
+    login_host=localhost
65
+    login_user={{ db_admin_username }}
66
+    login_password="{{ db_admin_password }}"
67
+    name={{ gitea_db_username }}
68
+    password="{{ gitea_db_password }}"
69
+    encrypted=yes
70
+    state=present
71
+
72
+- name: Create gitea database
73
+  postgresql_db:
74
+    login_host=localhost
75
+    login_user={{ db_admin_username }}
76
+    login_password="{{ db_admin_password }}"
77
+    name={{ gitea_db_database }}
78
+    state=present
79
+    owner={{ gitea_db_username }}
80
+
81
+# Unfortunately, create-user is not idempotent, so this task will fail
82
+# https://github.com/go-gitea/gitea/issues/6307
83
+- name: Create gitea admin user account
84
+  become: true
85
+  become_user: git
86
+  shell: /usr/local/bin/gitea admin create-user --admin --config /etc/gitea/app.ini --name {{ gitea_admin_username }} --password {{ gitea_admin_password }} --email {{ admin_email }}
87
+  args:
88
+    chdir: /data/gitea
89
+  ignore_errors: True
90
+
91
+- name: Add fail2ban script for gitea
92
+  copy:
93
+    src=etc_fail2ban_filter.d_gitea.conf
94
+    dest=/etc/fail2ban/filter.d/gitea.conf
95
+    owner=root
96
+    group=root
97
+
98
+- name: Add systemd service to start gitea automatically
99
+  copy:
100
+    src=etc_systemd_system_gitea.service
101
+    dest=/etc/systemd/system/gitea.service
102
+    owner=root
103
+    group=root
104
+
105
+- name: Register new gitea service
106
+  systemd: name=gitea daemon_reload=yes enabled=yes
107
+
108
+- name: Start new gitea instance
109
+  service: name=gitea state=started
110
+
111
+- name: Create the Apache gitea sites config files
112
+  template:
113
+    src=etc_apache2_sites-available_gitea.j2
114
+    dest=/etc/apache2/sites-available/gitea_{{ item.name }}.conf
115
+    owner=root
116
+    group=root
117
+  with_items: "{{ virtual_domains }}"
118
+
119
+- name: Enable Apache sites (creates new sites-enabled symlinks)
120
+  command: a2ensite gitea_{{ item }}.conf creates=/etc/apache2/sites-enabled/gitea_{{ item }}.conf
121
+  notify: restart apache
122
+  with_items: "{{ virtual_domains | json_query('[*].name') }}"

+ 1
- 0
roles/gitea/tasks/main.yml Visa fil

@@ -0,0 +1 @@
1
+- include: gitea.yml tags=gitea

+ 20
- 0
roles/gitea/templates/etc_apache2_sites-available_gitea.j2 Visa fil

@@ -0,0 +1,20 @@
1
+<VirtualHost *:80>
2
+    ServerName {{ gitea_subdomain }}.{{ item.name }}
3
+
4
+    Redirect permanent / https://{{ item.name }}/
5
+</VirtualHost>
6
+
7
+<VirtualHost *:443>
8
+    ServerName {{ gitea_subdomain }}.{{ item.name }}
9
+
10
+    SSLEngine               On
11
+    DocumentRoot            "{{ item.doc_root }}"
12
+    DirectoryIndex          index.html
13
+    Options                 -Indexes
14
+    HostnameLookups         Off
15
+
16
+    ProxyRequests           Off
17
+    ProxyPreserveHost       On
18
+    ProxyPass               / http://localhost:3000/
19
+    ProxyPassReverse        / http://localhost:3000/
20
+</VirtualHost>

+ 47
- 0
roles/gitea/templates/etc_gitea_app_ini.j2 Visa fil

@@ -0,0 +1,47 @@
1
+; sovereign gitea config file
2
+; see https://github.com/go-gitea/gitea/blob/master/custom/conf/app.ini.sample
3
+
4
+APP_NAME = {{ domain }} Gitea
5
+RUN_MODE = prod
6
+
7
+[repository]
8
+ROOT = /data/gitea/repos
9
+
10
+[ui]
11
+DEFAULT_THEME = arc-green
12
+
13
+[server]
14
+PROTOCOL = http
15
+DOMAIN = {{ gitea_domain }}
16
+HTTP_ADDR = 127.0.0.1
17
+HTTP_PORT = 3000
18
+
19
+[database]
20
+DB_TYPE = postgres
21
+HOST = 127.0.0.1:5432
22
+NAME = {{ gitea_db_database }}
23
+USER = {{ gitea_db_username }}
24
+PASSWD = `{{ gitea_db_password }}`
25
+SSL_MODE = disable
26
+
27
+[security]
28
+INSTALL_LOCK = true
29
+SECRET_KEY = {{ gitea_secret }}
30
+
31
+[mailer]
32
+ENABLED = true
33
+FROM = gitea@{{ domain }}
34
+MAILER_TYPE = sendmail
35
+
36
+[log]
37
+ROOT_PATH = /data/gitea/log
38
+MODE = file
39
+LEVEL = Info
40
+
41
+[log.file]
42
+LEVEL = Info
43
+LOG_ROTATE = true
44
+MAX_LINES = 1000000
45
+MAX_SIZE_SHIFT = 28
46
+DAILY_ROTATE = true
47
+MAX_DAYS = 7

+ 8
- 0
roles/monitoring/files/etc_monit_conf.d_gitea Visa fil

@@ -0,0 +1,8 @@
1
+check process gitea matching gitea
2
+  group www
3
+  start program = "/bin/systemctl start gitea"
4
+  stop program = "/bin/systemctl stop gitea"
5
+  if failed port 3000 protocol http
6
+    with timeout 10 seconds
7
+    then restart
8
+  if 5 restarts within 5 cycles then timeout

+ 9
- 0
roles/monitoring/tasks/monit.yml Visa fil

@@ -36,6 +36,10 @@
36 36
   stat: path=/etc/rspamd/rspamd.conf
37 37
   register: rspamd_config_file
38 38
 
39
+- name: Determine if gitea is installed
40
+  stat: path=/etc/gitea/app.ini
41
+  register: gitea_config_file
42
+
39 43
 - name: Copy ZNC monit service config files into place
40 44
   copy: src=etc_monit_conf.d_znc dest=/etc/monit/conf.d/znc
41 45
   notify: restart monit
@@ -61,6 +65,11 @@
61 65
   notify: restart monit
62 66
   when: rspamd_config_file.stat.exists == True
63 67
 
68
+- name: Copy gitea monit service config files into place
69
+  copy: src=etc_monit_conf.d_gitea dest=/etc/monit/conf.d/gitea
70
+  notify: restart monit
71
+  when: gitea_config_file.stat.exists == True
72
+
64 73
 - name: Copy monit service config files into place
65 74
   copy: src=etc_monit_conf.d_{{ item }} dest=/etc/monit/conf.d/{{ item }}
66 75
   with_items:

+ 3
- 2
site.yml Visa fil

@@ -8,12 +8,13 @@
8 8
 
9 9
   roles:
10 10
     - common
11
+    - blog
11 12
     - mailserver
12 13
     - webmail
13
-    - blog
14
+    - news
14 15
     - nextcloud
16
+    - gitea
15 17
     - ircbouncer
16 18
     - xmpp
17 19
     - vpn
18
-    - news
19 20
     - monitoring  # Monitoring role should be last. See roles/monitoring/README.md

Laddar…
Avbryt
Spara