gitea: backup and restore based on tags

roles/essential/tasks/main.yml

@@ -15,9 +15,15 @@
       - fail2ban
       - goaccess
       - htop
+      - sqlite3
       - zsh # :D
       - python3-certbot-nginx
 
+- name: Grab package facts
+  package_facts:
+    manager: auto
+  tags: always
+
 - name: Setup zsh
   user:
     name: "{{ ansible_user }}"

roles/gitea/defaults/main.yml

@@ -1,2 +1,3 @@
 ---
-giteaPort: 3000
+giteaPort: 3000
+giteaBackup: backups/gitea-dump.zip

roles/gitea/tasks/backup.yml

@@ -1,26 +1,51 @@
 ---
+# based on advice from https://docs.gitea.io/en-us/backup-and-restore/
+
 - name: Stop Gitea
   systemd:
     name: gitea
     enabled: yes
     state: stopped
+  tags: backup
+
+- name: Make Temp dir
+  file:
+    path: /etc/gitea/temp
+    state: directory
+    owner: gitea
+  tags: backup
 
 - name: Dump Gitea
   shell:
-    cmd: gitea dump -c /etc/gitea/app.ini --work-path=/etc/gitea --file=gitea-dump.zip
+    cmd: gitea dump -c /etc/gitea/app.ini --work-path=/etc/gitea --file=gitea-dump.zip --tempdir=/etc/gitea/temp
     chdir: /etc/gitea
   become: true
   become_method: su
   become_user: gitea
+  tags: backup
+
+- name: Fetch backup
+  fetch:
+    src: /etc/gitea/gitea-dump.zip
+    dest: "{{ giteaBackup }}"
+    flat: true
+  tags: backup
+
+- name: Remove remote dump
+  file:
+    path: "{{ giteaBackup }}"
+    state: absent
+  tags: backup
+
+- name: Remove Temp
+  file:
+    path: /etc/gitea/temp
+    state: absent
+  tags: backup
 
 - name: Start Gitea
   systemd:
     name: gitea
     enabled: yes
     state: started
-
-- name: Fetch backup
-  fetch:
-    src: /etc/gitea/gitea-dump.zip
-    dest: backups/gitea-dump.zip
-    flat: true
+  tags: backup

roles/gitea/tasks/main.yml

@@ -4,42 +4,36 @@
     path: /etc/apt/trusted.gpg.d/morph027-gitea.gpg
   register: gitea_key
 
-- name: Grab package facts
-  package_facts:
-    manager: auto
-
-- name: Install Gitea
+- name: Add Gitea key, repository && install
   block:
-    - name: Add Gitea key, repository && install
-      block:
-        - name: Import Gitea key
-          shell: curl -s https://packaging.gitlab.io/gitea/gpg.key | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/morph027-gitea.gpg --import && sudo chmod 644 /etc/apt/trusted.gpg.d/morph027-gitea.gpg
-          when: gitea_key.stat.exists == false or gitea_key.stat.mode != "0644"
+    - name: Import Gitea key
+      shell: curl -s https://packaging.gitlab.io/gitea/gpg.key | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/morph027-gitea.gpg --import && sudo chmod 644 /etc/apt/trusted.gpg.d/morph027-gitea.gpg
+      when: gitea_key.stat.exists == false or gitea_key.stat.mode != "0644"
 
-        - name: Add Gitea repository
-          apt_repository:
-            filename: morph027-gitea
-            repo: deb https://packaging.gitlab.io/gitea gitea main
+    - name: Add Gitea repository
+      apt_repository:
+        filename: morph027-gitea
+        repo: deb https://packaging.gitlab.io/gitea gitea main
 
-        - name: Add Gitea package
-          package:
-            name: gitea
-      when: "'gitea' not in ansible_facts.packages"
+    - name: Add Gitea package
+      package:
+        name: gitea
 
     - name: Configure Gitea
       template:
         src: templates/app.ini
         dest: /etc/gitea/app.ini
         owner: gitea
-        force: no # we don't want to kill our existing config D:
+  when: "'gitea' not in ansible_facts.packages"
 
-    - name: Reload Gitea
-      systemd:
-        name: gitea
-        enabled: yes
-        state: started
+- name: Backup db
+  include_tasks: backup.yml
+  tags:
+    - never
+    - backup
 
-    - name: Backup db
-      include_tasks: backup.yml
-      tags: ['never', 'backup']
-  tags: ['gitea', 'backup']
+- name: Restore db
+  include_tasks: restore.yml
+  tags:
+    - never
+    - restore

roles/gitea/tasks/restore.yml

@@ -0,0 +1,92 @@
+---
+# based on advice from https://docs.gitea.io/en-us/backup-and-restore/
+
+- name: Stop Gitea
+  systemd:
+    name: gitea
+    enabled: yes
+    state: stopped
+  tags: restore
+
+- name: Make restore dir
+  file:
+    path: /etc/gitea/gitea-dump
+    state: directory
+    owner: gitea
+  tags: restore
+
+- name: Extract backup to host
+  unarchive:
+    src: "{{ giteaBackup }}"
+    dest: /etc/gitea/gitea-dump
+    owner: gitea
+  tags: restore
+
+- name: Delete Gitea
+  file:
+    path: /var/lib/gitea
+    state: absent
+  tags: restore
+
+- name: Create Gitea
+  file:
+    path: /var/lib/gitea
+    state: directory
+    owner: gitea
+  tags: restore
+
+- name: Install data
+  copy:
+    src: /etc/gitea/gitea-dump/data/
+    dest: /var/lib/gitea/data
+    remote_src: true
+    owner: gitea
+  tags: restore
+
+- name: Install log
+  copy:
+    src: /etc/gitea/gitea-dump/log/
+    dest: /var/lib/gitea/log/
+    remote_src: true
+    owner: gitea
+  tags: restore
+  ignore_errors: true
+
+- name: Install repositories
+  copy:
+    src: /etc/gitea/gitea-dump/repos/
+    dest: /var/lib/gitea/gitea-repositories/
+    remote_src: true
+    owner: gitea
+  tags: restore
+
+- name: Install config
+  copy:
+    src: /etc/gitea/gitea-dump/app.ini
+    dest: /etc/gitea/app.ini
+    owner: gitea
+    remote_src: true
+  tags: restore
+
+- name: Generate sqlite3 db
+  shell: sqlite3 /var/lib/gitea/data/gitea.db </etc/gitea/gitea-dump/gitea-db.sql
+  become: true
+  become_method: su
+  become_user: gitea
+  tags: restore
+
+- name: Start Gitea
+  systemd:
+    name: gitea
+    enabled: yes
+    state: started
+  tags: restore
+
+- name: Finalize
+  shell:
+    cmd: ./gitea admin regenerate hooks -c /etc/gitea/app.ini
+    chdir: /usr/bin
+  become: true
+  become_method: su
+  become_user: gitea
+  tags: restore

roles/gitea/templates/app.ini

@@ -43,6 +43,7 @@ NO_REPLY_ADDRESS                  = noreply.localhost
 [picture]
 DISABLE_GRAVATAR        = true
 ENABLE_FEDERATED_AVATAR = false
+REPOSITORY_AVATAR_FALLBACK = random
 
 [openid]
 ENABLE_OPENID_SIGNIN = false

roles/nginx/tasks/main.yml

@@ -23,12 +23,6 @@
     force: no
   notify: setup nginx
 
-- name: Uninstall nginx config for git.{{ domain }}
-  file:
-    path: /etc/nginx/conf.d/git.{{ domain }}.conf
-    state: absent
-  notify: setup nginx
-
 - name: Install nginx config for our Hidden Service
   template:
     src: templates/tor.conf

roles/nginx/tasks/setup.yml

@@ -1,9 +1,6 @@
 ---
-- name: Setup certbot for {{ domain }}
-  shell: "certbot --nginx --non-interactive --agree-tos -m {{ contact_email }} -d {{ domain }}"
-
-- name: Setup certbot for git.{{ domain }}
-  shell: "certbot --nginx --non-interactive --agree-tos -m {{ contact_email }} -d git.{{ domain }}"
+- name: Setup certbot
+  shell: "certbot --nginx --non-interactive --agree-tos --email {{ contact_email }} -d {{ domain }} -d git.{{ domain }}"
 
 - name: Reload Nginx
   systemd:

run.yml

@@ -11,10 +11,12 @@
     - role: essential
     - role: firewall
     - role: git
+      tags: secrets
     - role: deadswitch
+      tags: secrets
     - role: blog
     - role: gitea
-      tags: [backup]
     - role: nginx
     - role: goaccess
-    - role: tor
+    - role: tor
+      tags: secrets