update README

README.md

@@ -3,7 +3,7 @@
 This is my failsafe (and also my helpful migration tool) for restoring the OpenPunk server. This handles setting everything back up, including:
 
 - gitea
-    - sadly, no db migration is supported right now. maybe a future todo?
+    - backup and restoring are also supported
 - blog
     - cron job for grabbing the `HEAD` of https://github.com/CPunch/openpunk && building the hugo site
 - tor mirror
@@ -30,6 +30,18 @@ ansible-playbook -i hosts --ask-vault-pass run.yml
 ```
 > NOTE: The 'secrets' directory has been omitted from this repo (so it's not going to run without the provided files)
 
+## Backup and restore
+
+Backup Gitea using the 'backup' tag
+```sh
+ansible-playbook -i hosts run.yml --tags backup
+```
+
+then, restore from the backup using the 'restore' tag
+```sh
+ansible-playbook -i hosts run.yml --tags restore
+```
+
 ## Example hosts file
 ```
 [hosts]

roles/essential/tasks/main.yml

@@ -15,9 +15,15 @@
       - fail2ban
       - goaccess
       - htop
+      - sqlite3
       - zsh # :D
       - python3-certbot-nginx
 
+- name: Grab package facts
+  package_facts:
+    manager: auto
+  tags: always
+
 - name: Setup zsh
   user:
     name: "{{ ansible_user }}"

roles/gitea/defaults/main.yml

@@ -1,2 +1,3 @@
 ---
 giteaPort: 3000
+giteaBackup: backups/gitea-dump.zip

roles/gitea/tasks/backup.yml

@@ -1,26 +1,51 @@
 ---
+# based on advice from https://docs.gitea.io/en-us/backup-and-restore/
+
 - name: Stop Gitea
   systemd:
     name: gitea
     enabled: yes
     state: stopped
+  tags: backup
+
+- name: Make Temp dir
+  file:
+    path: /etc/gitea/temp
+    state: directory
+    owner: gitea
+  tags: backup
 
 - name: Dump Gitea
   shell:
-    cmd: gitea dump -c /etc/gitea/app.ini --work-path=/etc/gitea --file=gitea-dump.zip
+    cmd: gitea dump -c /etc/gitea/app.ini --work-path=/etc/gitea --file=gitea-dump.zip --tempdir=/etc/gitea/temp
     chdir: /etc/gitea
   become: true
   become_method: su
   become_user: gitea
+  tags: backup
+
+- name: Fetch backup
+  fetch:
+    src: /etc/gitea/gitea-dump.zip
+    dest: "{{ giteaBackup }}"
+    flat: true
+  tags: backup
+
+- name: Remove remote dump
+  file:
+    path: "{{ giteaBackup }}"
+    state: absent
+  tags: backup
+
+- name: Remove Temp
+  file:
+    path: /etc/gitea/temp
+    state: absent
+  tags: backup
 
 - name: Start Gitea
   systemd:
     name: gitea
     enabled: yes
     state: started
-
+  tags: backup
-- name: Fetch backup
-  fetch:
-    src: /etc/gitea/gitea-dump.zip
-    dest: backups/gitea-dump.zip
-    flat: true

roles/gitea/tasks/main.yml

@@ -4,13 +4,7 @@
     path: /etc/apt/trusted.gpg.d/morph027-gitea.gpg
   register: gitea_key
 
-- name: Grab package facts
+- name: Add Gitea key, repository && install
-  package_facts:
-    manager: auto
-
-- name: Install Gitea
-  block:
-    - name: Add Gitea key, repository && install
   block:
     - name: Import Gitea key
       shell: curl -s https://packaging.gitlab.io/gitea/gpg.key | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/morph027-gitea.gpg --import && sudo chmod 644 /etc/apt/trusted.gpg.d/morph027-gitea.gpg
@@ -24,22 +18,22 @@
     - name: Add Gitea package
       package:
         name: gitea
-      when: "'gitea' not in ansible_facts.packages"
 
     - name: Configure Gitea
       template:
         src: templates/app.ini
         dest: /etc/gitea/app.ini
         owner: gitea
-        force: no # we don't want to kill our existing config D:
+  when: "'gitea' not in ansible_facts.packages"
 
-    - name: Reload Gitea
+- name: Backup db
-      systemd:
-        name: gitea
-        enabled: yes
-        state: started
-
-    - name: Backup db
   include_tasks: backup.yml
-      tags: ['never', 'backup']
+  tags:
-  tags: ['gitea', 'backup']
+    - never
+    - backup
+
+- name: Restore db
+  include_tasks: restore.yml
+  tags:
+    - never
+    - restore

roles/gitea/tasks/restore.yml

@@ -0,0 +1,92 @@
+---
+# based on advice from https://docs.gitea.io/en-us/backup-and-restore/
+
+- name: Stop Gitea
+  systemd:
+    name: gitea
+    enabled: yes
+    state: stopped
+  tags: restore
+
+- name: Make restore dir
+  file:
+    path: /etc/gitea/gitea-dump
+    state: directory
+    owner: gitea
+  tags: restore
+
+- name: Extract backup to host
+  unarchive:
+    src: "{{ giteaBackup }}"
+    dest: /etc/gitea/gitea-dump
+    owner: gitea
+  tags: restore
+
+- name: Delete Gitea
+  file:
+    path: /var/lib/gitea
+    state: absent
+  tags: restore
+
+- name: Create Gitea
+  file:
+    path: /var/lib/gitea
+    state: directory
+    owner: gitea
+  tags: restore
+
+- name: Install data
+  copy:
+    src: /etc/gitea/gitea-dump/data/
+    dest: /var/lib/gitea/data
+    remote_src: true
+    owner: gitea
+  tags: restore
+
+- name: Install log
+  copy:
+    src: /etc/gitea/gitea-dump/log/
+    dest: /var/lib/gitea/log/
+    remote_src: true
+    owner: gitea
+  tags: restore
+  ignore_errors: true
+
+- name: Install repositories
+  copy:
+    src: /etc/gitea/gitea-dump/repos/
+    dest: /var/lib/gitea/gitea-repositories/
+    remote_src: true
+    owner: gitea
+  tags: restore
+
+- name: Install config
+  copy:
+    src: /etc/gitea/gitea-dump/app.ini
+    dest: /etc/gitea/app.ini
+    owner: gitea
+    remote_src: true
+  tags: restore
+
+- name: Generate sqlite3 db
+  shell: sqlite3 /var/lib/gitea/data/gitea.db </etc/gitea/gitea-dump/gitea-db.sql
+  become: true
+  become_method: su
+  become_user: gitea
+  tags: restore
+
+- name: Start Gitea
+  systemd:
+    name: gitea
+    enabled: yes
+    state: started
+  tags: restore
+
+- name: Finalize
+  shell:
+    cmd: ./gitea admin regenerate hooks -c /etc/gitea/app.ini
+    chdir: /usr/bin
+  become: true
+  become_method: su
+  become_user: gitea
+  tags: restore

roles/gitea/templates/app.ini

@@ -43,6 +43,7 @@ NO_REPLY_ADDRESS                  = noreply.localhost
 [picture]
 DISABLE_GRAVATAR        = true
 ENABLE_FEDERATED_AVATAR = false
+REPOSITORY_AVATAR_FALLBACK = random
 
 [openid]
 ENABLE_OPENID_SIGNIN = false

roles/nginx/tasks/main.yml

@@ -23,12 +23,6 @@
     force: no
   notify: setup nginx
 
-- name: Uninstall nginx config for git.{{ domain }}
-  file:
-    path: /etc/nginx/conf.d/git.{{ domain }}.conf
-    state: absent
-  notify: setup nginx
-
 - name: Install nginx config for our Hidden Service
   template:
     src: templates/tor.conf

roles/nginx/tasks/setup.yml

@@ -1,9 +1,6 @@
 ---
-- name: Setup certbot for {{ domain }}
+- name: Setup certbot
-  shell: "certbot --nginx --non-interactive --agree-tos -m {{ contact_email }} -d {{ domain }}"
+  shell: "certbot --nginx --non-interactive --agree-tos --email {{ contact_email }} -d {{ domain }} -d git.{{ domain }}"
-
-- name: Setup certbot for git.{{ domain }}
-  shell: "certbot --nginx --non-interactive --agree-tos -m {{ contact_email }} -d git.{{ domain }}"
 
 - name: Reload Nginx
   systemd:

run.yml

@@ -11,10 +11,12 @@
     - role: essential
     - role: firewall
     - role: git
+      tags: secrets
     - role: deadswitch
+      tags: secrets
     - role: blog
     - role: gitea
-      tags: [backup]
     - role: nginx
     - role: goaccess
     - role: tor
+      tags: secrets