From bea9cb35921240f261c9aaf6992a92e5deace229 Mon Sep 17 00:00:00 2001
From: CPunch <sethtstubbs@gmail.com>
Date: Fri, 3 Feb 2023 15:40:59 -0600
Subject: [PATCH] gitea: backup and restore based on tags

---
 roles/essential/tasks/main.yml |  6 +++
 roles/gitea/defaults/main.yml  |  3 +-
 roles/gitea/tasks/backup.yml   | 39 +++++++++++---
 roles/gitea/tasks/main.yml     | 50 ++++++++----------
 roles/gitea/tasks/restore.yml  | 92 ++++++++++++++++++++++++++++++++++
 roles/gitea/templates/app.ini  |  1 +
 roles/nginx/tasks/main.yml     |  6 ---
 roles/nginx/tasks/setup.yml    |  7 +--
 run.yml                        |  6 ++-
 9 files changed, 161 insertions(+), 49 deletions(-)

diff --git a/roles/essential/tasks/main.yml b/roles/essential/tasks/main.yml
index 6f682d3..506f69f 100644
--- a/roles/essential/tasks/main.yml
+++ b/roles/essential/tasks/main.yml
@@ -15,9 +15,15 @@
       - fail2ban
       - goaccess
       - htop
+      - sqlite3
       - zsh # :D
       - python3-certbot-nginx
 
+- name: Grab package facts
+  package_facts:
+    manager: auto
+  tags: always
+
 - name: Setup zsh
   user:
     name: "{{ ansible_user }}"
diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml
index 780b99d..6b516f5 100644
--- a/roles/gitea/defaults/main.yml
+++ b/roles/gitea/defaults/main.yml
@@ -1,2 +1,3 @@
 ---
-giteaPort: 3000
\ No newline at end of file
+giteaPort: 3000
+giteaBackup: backups/gitea-dump.zip
\ No newline at end of file
diff --git a/roles/gitea/tasks/backup.yml b/roles/gitea/tasks/backup.yml
index 5ec5616..97195eb 100644
--- a/roles/gitea/tasks/backup.yml
+++ b/roles/gitea/tasks/backup.yml
@@ -1,26 +1,51 @@
 ---
+# based on advice from https://docs.gitea.io/en-us/backup-and-restore/
+
 - name: Stop Gitea
   systemd:
     name: gitea
     enabled: yes
     state: stopped
+  tags: backup
+
+- name: Make Temp dir
+  file:
+    path: /etc/gitea/temp
+    state: directory
+    owner: gitea
+  tags: backup
 
 - name: Dump Gitea
   shell:
-    cmd: gitea dump -c /etc/gitea/app.ini --work-path=/etc/gitea --file=gitea-dump.zip
+    cmd: gitea dump -c /etc/gitea/app.ini --work-path=/etc/gitea --file=gitea-dump.zip --tempdir=/etc/gitea/temp
     chdir: /etc/gitea
   become: true
   become_method: su
   become_user: gitea
+  tags: backup
+
+- name: Fetch backup
+  fetch:
+    src: /etc/gitea/gitea-dump.zip
+    dest: "{{ giteaBackup }}"
+    flat: true
+  tags: backup
+
+- name: Remove remote dump
+  file:
+    path: "{{ giteaBackup }}"
+    state: absent
+  tags: backup
+
+- name: Remove Temp
+  file:
+    path: /etc/gitea/temp
+    state: absent
+  tags: backup
 
 - name: Start Gitea
   systemd:
     name: gitea
     enabled: yes
     state: started
-
-- name: Fetch backup
-  fetch:
-    src: /etc/gitea/gitea-dump.zip
-    dest: backups/gitea-dump.zip
-    flat: true
\ No newline at end of file
+  tags: backup
\ No newline at end of file
diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml
index 35db1ca..1ca63e2 100644
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@@ -4,42 +4,36 @@
     path: /etc/apt/trusted.gpg.d/morph027-gitea.gpg
   register: gitea_key
 
-- name: Grab package facts
-  package_facts:
-    manager: auto
-
-- name: Install Gitea
+- name: Add Gitea key, repository && install
   block:
-    - name: Add Gitea key, repository && install
-      block:
-        - name: Import Gitea key
-          shell: curl -s https://packaging.gitlab.io/gitea/gpg.key | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/morph027-gitea.gpg --import && sudo chmod 644 /etc/apt/trusted.gpg.d/morph027-gitea.gpg
-          when: gitea_key.stat.exists == false or gitea_key.stat.mode != "0644"
+    - name: Import Gitea key
+      shell: curl -s https://packaging.gitlab.io/gitea/gpg.key | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/morph027-gitea.gpg --import && sudo chmod 644 /etc/apt/trusted.gpg.d/morph027-gitea.gpg
+      when: gitea_key.stat.exists == false or gitea_key.stat.mode != "0644"
 
-        - name: Add Gitea repository
-          apt_repository:
-            filename: morph027-gitea
-            repo: deb https://packaging.gitlab.io/gitea gitea main
+    - name: Add Gitea repository
+      apt_repository:
+        filename: morph027-gitea
+        repo: deb https://packaging.gitlab.io/gitea gitea main
 
-        - name: Add Gitea package
-          package:
-            name: gitea
-      when: "'gitea' not in ansible_facts.packages"
+    - name: Add Gitea package
+      package:
+        name: gitea
 
     - name: Configure Gitea
       template:
         src: templates/app.ini
         dest: /etc/gitea/app.ini
         owner: gitea
-        force: no # we don't want to kill our existing config D:
+  when: "'gitea' not in ansible_facts.packages"
 
-    - name: Reload Gitea
-      systemd:
-        name: gitea
-        enabled: yes
-        state: started
+- name: Backup db
+  include_tasks: backup.yml
+  tags:
+    - never
+    - backup
 
-    - name: Backup db
-      include_tasks: backup.yml
-      tags: ['never', 'backup']
-  tags: ['gitea', 'backup']
+- name: Restore db
+  include_tasks: restore.yml
+  tags:
+    - never
+    - restore
diff --git a/roles/gitea/tasks/restore.yml b/roles/gitea/tasks/restore.yml
index e69de29..b1452eb 100644
--- a/roles/gitea/tasks/restore.yml
+++ b/roles/gitea/tasks/restore.yml
@@ -0,0 +1,92 @@
+---
+# based on advice from https://docs.gitea.io/en-us/backup-and-restore/
+
+- name: Stop Gitea
+  systemd:
+    name: gitea
+    enabled: yes
+    state: stopped
+  tags: restore
+
+- name: Make restore dir
+  file:
+    path: /etc/gitea/gitea-dump
+    state: directory
+    owner: gitea
+  tags: restore
+
+- name: Extract backup to host
+  unarchive:
+    src: "{{ giteaBackup }}"
+    dest: /etc/gitea/gitea-dump
+    owner: gitea
+  tags: restore
+
+- name: Delete Gitea
+  file:
+    path: /var/lib/gitea
+    state: absent
+  tags: restore
+
+- name: Create Gitea
+  file:
+    path: /var/lib/gitea
+    state: directory
+    owner: gitea
+  tags: restore
+
+- name: Install data
+  copy:
+    src: /etc/gitea/gitea-dump/data/
+    dest: /var/lib/gitea/data
+    remote_src: true
+    owner: gitea
+  tags: restore
+
+- name: Install log
+  copy:
+    src: /etc/gitea/gitea-dump/log/
+    dest: /var/lib/gitea/log/
+    remote_src: true
+    owner: gitea
+  tags: restore
+  ignore_errors: true
+
+- name: Install repositories
+  copy:
+    src: /etc/gitea/gitea-dump/repos/
+    dest: /var/lib/gitea/gitea-repositories/
+    remote_src: true
+    owner: gitea
+  tags: restore
+
+- name: Install config
+  copy:
+    src: /etc/gitea/gitea-dump/app.ini
+    dest: /etc/gitea/app.ini
+    owner: gitea
+    remote_src: true
+  tags: restore
+
+- name: Generate sqlite3 db
+  shell: sqlite3 /var/lib/gitea/data/gitea.db </etc/gitea/gitea-dump/gitea-db.sql
+  become: true
+  become_method: su
+  become_user: gitea
+  tags: restore
+
+- name: Start Gitea
+  systemd:
+    name: gitea
+    enabled: yes
+    state: started
+  tags: restore
+
+- name: Finalize
+  shell:
+    cmd: ./gitea admin regenerate hooks -c /etc/gitea/app.ini
+    chdir: /usr/bin
+  become: true
+  become_method: su
+  become_user: gitea
+  tags: restore
diff --git a/roles/gitea/templates/app.ini b/roles/gitea/templates/app.ini
index 58851b9..17d5dc6 100644
--- a/roles/gitea/templates/app.ini
+++ b/roles/gitea/templates/app.ini
@@ -43,6 +43,7 @@ NO_REPLY_ADDRESS                  = noreply.localhost
 [picture]
 DISABLE_GRAVATAR        = true
 ENABLE_FEDERATED_AVATAR = false
+REPOSITORY_AVATAR_FALLBACK = random
 
 [openid]
 ENABLE_OPENID_SIGNIN = false
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 3be6a06..ac7a85e 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -23,12 +23,6 @@
     force: no
   notify: setup nginx
 
-- name: Uninstall nginx config for git.{{ domain }}
-  file:
-    path: /etc/nginx/conf.d/git.{{ domain }}.conf
-    state: absent
-  notify: setup nginx
-
 - name: Install nginx config for our Hidden Service
   template:
     src: templates/tor.conf
diff --git a/roles/nginx/tasks/setup.yml b/roles/nginx/tasks/setup.yml
index 81c0f14..26d5dd2 100644
--- a/roles/nginx/tasks/setup.yml
+++ b/roles/nginx/tasks/setup.yml
@@ -1,9 +1,6 @@
 ---
-- name: Setup certbot for {{ domain }}
-  shell: "certbot --nginx --non-interactive --agree-tos -m {{ contact_email }} -d {{ domain }}"
-
-- name: Setup certbot for git.{{ domain }}
-  shell: "certbot --nginx --non-interactive --agree-tos -m {{ contact_email }} -d git.{{ domain }}"
+- name: Setup certbot
+  shell: "certbot --nginx --non-interactive --agree-tos --email {{ contact_email }} -d {{ domain }} -d git.{{ domain }}"
 
 - name: Reload Nginx
   systemd:
diff --git a/run.yml b/run.yml
index 32893b7..a8c0a90 100644
--- a/run.yml
+++ b/run.yml
@@ -11,10 +11,12 @@
     - role: essential
     - role: firewall
     - role: git
+      tags: secrets
     - role: deadswitch
+      tags: secrets
     - role: blog
     - role: gitea
-      tags: [backup]
     - role: nginx
     - role: goaccess
-    - role: tor
\ No newline at end of file
+    - role: tor
+      tags: secrets
\ No newline at end of file