


74e55ef1b9 gitea: fixed restore
wrong repos path
2024-02-21 16:55:17 -06:00
5212ca61bd
Merge pull request #1 from CPunch/rewrite
REFACTOR: lots of changes
2024-02-21 15:58:24 -06:00
52d526bf5c REFACTOR: lots of changes, using ansible-galaxy roles for certbot, nginx & gitea 2024-02-21 15:56:43 -06:00
16 changed files with 109 additions and 238 deletions


@ -25,6 +25,13 @@ Some DNS records also need to be set:
- an A record with a `git.*` subdomain - an A record with a `git.*` subdomain
## Usage ## Usage
First, make sure to install the requirements:
```sh
ansible-galaxy install -r requirements.yml
```
Then, run the playbook:
```sh ```sh
ansible-playbook -i hosts --ask-vault-pass run.yml ansible-playbook -i hosts --ask-vault-pass run.yml
``` ```


@ -1,4 +1,4 @@
--- ---
domain: openpunk.com domain: openpunk.com
contact_email: openpunk@proton.me contact_email: openpunk@proton.me
onionDomain: http://opnpnk6eutjiqy4ndpyvwxd5pncj2g2cmz6fkocr5uh3omnn4utvspad.onion onionDomain: opnpnk6eutjiqy4ndpyvwxd5pncj2g2cmz6fkocr5uh3omnn4utvspad.onion

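--- /dev/null
+++ b/requirements.yml
@@ -0,0 +1,6 @@
+- src: l3d.gitea
+  version: v3.3.0
+- src: geerlingguy.nginx
+  version: 3.1.4
+- src: geerlingguy.certbot
+  version: 5.1.0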
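Review bot: The three `version:` pins are a good start, but as far as I can tell a Galaxy role pin resolves to a tag on the upstream repository and `ansible-galaxy install` performs no hash or signature check, so a moved tag or a compromised upstream account is installed silently on the next run. If an integrity guarantee is wanted, pin each role to a full commit SHA via a git source (`src: https://github.com/<owner>/<repo>.git`, `version: <full-sha>`, `name: l3d.gitea`) or vendor the roles into this repository, and record that choice in a header comment such as `# roles pinned by tag only; bump deliberately and review upstream diffs`. The README in this same commit runs `ansible-galaxy install -r requirements.yml` without `--force`, so an already-installed older role is not replaced when these pins change; a sentence there would save a confusing deploy.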


@ -6,7 +6,7 @@ TOR_DIR=tor
buildBlog () { buildBlog () {
hugo --cleanDestinationDir --minify -d $PUBLIC_DIR -b https://{{ domain }} hugo --cleanDestinationDir --minify -d $PUBLIC_DIR -b https://{{ domain }}
hugo --cleanDestinationDir --minify -d $TOR_DIR -b {{ onionDomain }} hugo --cleanDestinationDir --minify -d $TOR_DIR -b http://{{ onionDomain }}
} }
git fetch origin git fetch origin


@ -1,7 +1,7 @@
[user] [user]
email = openpunk@proton.me email = openpunk@proton.me
name = OpenPunk name = OpenPunk
[core] [core]
editor = nano editor = nano
[pull] [pull]
rebase = true rebase = true


@ -1,30 +1,20 @@
--- ---
- name: Check for Gitea gpg key - name: "Install gitea"
stat: include_role:
path: /etc/apt/trusted.gpg.d/morph027-gitea.gpg name: l3d.gitea
register: gitea_key vars:
gitea_fqdn: 'git.{{ domain }}'
- name: Add Gitea key, repository && install gitea_home: '/var/lib/gitea'
block: gitea_db_type: 'sqlite3'
- name: Import Gitea key gitea_theme_default: 'arc-green'
shell: curl -s https://packaging.gitlab.io/gitea/gpg.key | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/morph027-gitea.gpg --import && sudo chmod 644 /etc/apt/trusted.gpg.d/morph027-gitea.gpg gitea_root_url: 'https://git.{{ domain }}'
when: gitea_key.stat.exists == false or gitea_key.stat.mode != "0644" gitea_protocol: http
gitea_http_port: "{{ giteaPort }}"
- name: Add Gitea repository gitea_ssh_port: 22
apt_repository: gitea_start_ssh: false
filename: morph027-gitea gitea_allow_only_internal_registration: true
repo: deb https://packaging.gitlab.io/gitea gitea main gitea_disable_registration: true
gitea_require_signin: false
- name: Add Gitea package
package:
name: gitea
- name: Configure Gitea
template:
src: templates/app.ini
dest: /etc/gitea/app.ini
owner: gitea
when: "'gitea' not in ansible_facts.packages"
- name: Backup db - name: Backup db
include_tasks: backup.yml include_tasks: backup.yml
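Review bot: `gitea_http_port: "{{ giteaPort }}"` references a variable whose only visible definition (`giteaPort: 3000` in the defaults file deleted elsewhere in this commit) no longer exists; unless it has moved to group_vars or the inventory, the play now fails on an undefined variable, and the nginx `proxy_pass` line depends on the same name. None of the new role vars pin the listen address, and Gitea's own default for `HTTP_ADDR` is 0.0.0.0, so the plain-http backend on that port is reachable directly and bypasses the nginx TLS front end; if the role exposes it, add `gitea_http_listen: '127.0.0.1'` (otherwise firewall the port). The `gitea_protocol: http` / `gitea_root_url: 'https://…'` pairing is the intended reverse-proxy shape, but a one-line comment above the vars, `# plain http on loopback; TLS terminates in nginx`, would spare the next reader from checking whether it is a mistake.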


@ -55,17 +55,23 @@
- name: Install repositories - name: Install repositories
copy: copy:
src: /etc/gitea/gitea-dump/repos/ src: /etc/gitea/gitea-dump/repos/
dest: /var/lib/gitea/gitea-repositories/ dest: /var/lib/gitea/repos/
remote_src: true remote_src: true
owner: gitea owner: gitea
tags: restore tags: restore
- name: Install config # - name: Install config
copy: # copy:
src: /etc/gitea/gitea-dump/app.ini # src: /etc/gitea/gitea-dump/app.ini
dest: /etc/gitea/app.ini # dest: /etc/gitea/app.ini
owner: gitea # owner: gitea
remote_src: true # remote_src: true
# tags: restore
- name: Remove sqlite3 db
file:
path: /var/lib/gitea/data/gitea.db
state: absent
tags: restore tags: restore
- name: Generate sqlite3 db - name: Generate sqlite3 db
@ -83,9 +89,7 @@
tags: restore tags: restore
- name: Finalize - name: Finalize
shell: shell: gitea admin regenerate hooks -c /etc/gitea/gitea.ini
cmd: ./gitea admin regenerate hooks -c /etc/gitea/app.ini
chdir: /usr/bin
become: true become: true
become_method: su become_method: su
become_user: gitea become_user: gitea
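Review bot: The new `Remove sqlite3 db` task deletes the live `/var/lib/gitea/data/gitea.db` unconditionally whenever the `restore` tag runs, before the following `Generate sqlite3 db` step (its body lies outside the hunk) can establish that a usable dump exists under `/etc/gitea/gitea-dump/`; register a `stat` of the dump file first and guard the removal with `when: dump_stat.stat.exists` so a mistaken invocation cannot wipe the only copy. The `Install config` block is left as commented-out YAML rather than removed; the config is now rendered by the l3d.gitea role and the `Finalize` task already targets `/etc/gitea/gitea.ini` rather than the old `app.ini`, so delete the dead block and replace it with `# app.ini is no longer restored: l3d.gitea renders /etc/gitea/gitea.ini` so nobody reinstates it. The repository copy sets `owner: gitea` but no `group` or `mode`, so whatever permissions the dump carries presumably survive into `/var/lib/gitea/repos/`; worth confirming the dump is not group- or world-readable.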


@ -1,61 +0,0 @@
APP_NAME = OpenPunk Gitea
RUN_USER = gitea
RUN_MODE = prod
[database]
DB_TYPE = sqlite3
HOST = 127.0.0.1:5432
NAME = gitea
USER = gitea
PASSWD =
SSL_MODE = disable
CHARSET = utf8
PATH = /var/lib/gitea/data/gitea.db
[repository]
ROOT = /var/lib/gitea/gitea-repositories
[server]
SSH_DOMAIN = git.{{ domain }}
DOMAIN = git.{{ domain }}
HTTP_PORT = {{ giteaPort }}
ROOT_URL = https://git.{{ domain }}/
DISABLE_SSH = false
SSH_PORT = 22
LFS_START_SERVER = false
OFFLINE_MODE = false
[mailer]
ENABLED = false
[service]
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
DISABLE_REGISTRATION = true
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = false
REQUIRE_SIGNIN_VIEW = false
DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = noreply.localhost
[picture]
DISABLE_GRAVATAR = true
ENABLE_FEDERATED_AVATAR = false
REPOSITORY_AVATAR_FALLBACK = random
[openid]
ENABLE_OPENID_SIGNIN = false
ENABLE_OPENID_SIGNUP = false
[session]
PROVIDER = file
[log]
MODE = file
LEVEL = info
ROOT_PATH = /var/lib/gitea/log
[ui]
DEFAULT_THEME = arc-green


@ -1,2 +0,0 @@
---
giteaPort: 3000


@ -1,52 +0,0 @@
user www-data;
worker_processes auto;
include /etc/nginx/modules-enabled/*.conf;
pid /run/nginx.pid;
events {
worker_connections 768;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}


@ -1,4 +0,0 @@
---
- name: setup-nginx
include_tasks: setup.yml
listen: "setup nginx"


@ -1,35 +1,63 @@
--- ---
- name: Install system nginx config - name: "Stop Nginx"
copy: systemd:
src: nginx.conf name: nginx
dest: /etc/nginx/nginx.conf state: stopped
notify: setup nginx
- name: "Setup Certbot"
# setup our configs for each host (we don't want to include_role:
# overwrite certbot's changes, so if it already exists, name: geerlingguy.certbot
# don't copy!) vars:
certbot_admin_email: "{{ contact_email }}"
- name: Install nginx config for {{ domain }} certbot_create_if_missing: true
template: certbot_create_standalone_stop_services: []
src: templates/site.conf certbot_certs:
dest: /etc/nginx/conf.d/{{ domain }}.conf - domains:
force: no - "{{ domain }}"
notify: setup nginx - "git.{{ domain }}"
- name: Install nginx config for git.{{ domain }} - name: "Install Nginx"
template: include_role:
src: templates/gitea.conf name: geerlingguy.nginx
dest: /etc/nginx/conf.d/git.{{ domain }}.conf vars:
force: no nginx_listen_ipv6: true
notify: setup nginx nginx_vhosts:
- listen: "443 ssl http2"
- name: Install nginx config for our Hidden Service server_name: "{{ domain }}"
template: root: "/var/www/{{ domain }}/public"
src: templates/tor.conf index: "index.html index.htm"
dest: /etc/nginx/conf.d/tor-{{ domain }}.conf extra_parameters: |
location / {
- name: Enable Nginx add_header Permissions-Policy interest-cohort=();
try_files $uri $uri/ =404;
}
ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
- listen: "443 ssl http2"
server_name: "git.{{ domain }}"
client_max_body_size: "100M"
extra_parameters: |
location / {
add_header Permissions-Policy interest-cohort=();
proxy_pass http://localhost:{{ giteaPort }};
}
ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
- listen: "2171"
server_name: "{{ onionDomain }}"
root: "/var/www/{{ domain }}/tor"
index: "index.html index.htm"
extra_parameters: |
location / {
add_header Permissions-Policy interest-cohort=();
try_files $uri $uri/ =404;
}
- name: "Start Nginx"
systemd: systemd:
name: nginx name: nginx
enabled: yes
state: started state: started
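Review bot: Both TLS vhosts still enable TLSv1.1 on their `ssl_protocols` lines (deprecated by RFC 8996) and `ssl_ciphers HIGH:!aNULL:!MD5` admits non-forward-secret RSA key exchange and CBC suites; restrict them to TLS 1.2/1.3 with an ECDHE/AEAD list and add HSTS now that the hosts are TLS-only. The `git.` vhost's `proxy_pass` forwards no `Host`, `X-Real-IP`, `X-Forwarded-For` or `X-Forwarded-Proto` header, and as far as I can tell geerlingguy.nginx renders `extra_parameters` verbatim, so Gitea sees every client as 127.0.0.1 and cannot rate-limit or log real source addresses. The Tor vhost's `listen: "2171"` binds every interface, so the hidden-service mirror is also served on the clearnet unless a firewall blocks it; `listen: "127.0.0.1:2171"` keeps it reachable only by the local tor daemon. The rewritten `git.` vhost parameters are below; the same `ssl_*` and HSTS lines apply to the `{{ domain }}` vhost.
```yaml
        server_name: "git.{{ domain }}"
        extra_parameters: |
          location / {
            add_header Permissions-Policy interest-cohort=();
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://localhost:{{ giteaPort }};
          }
          # … unchanged: ssl_certificate / ssl_certificate_key …
          ssl_protocols TLSv1.2 TLSv1.3;
          ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
          ssl_prefer_server_ciphers off;
          add_header Strict-Transport-Security "max-age=63072000" always;
```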


@ -1,9 +0,0 @@
---
- name: Setup certbot
shell: "certbot --nginx --non-interactive --agree-tos --email {{ contact_email }} -d {{ domain }} -d git.{{ domain }}"
- name: Reload Nginx
systemd:
name: nginx
enabled: yes
state: restarted


@ -1,11 +0,0 @@
server {
server_name git.{{ domain }};
listen 80;
location / {
add_header Permissions-Policy interest-cohort=();
proxy_pass http://localhost:{{ giteaPort }};
}
client_max_body_size 100M;
}


@ -1,13 +0,0 @@
server {
server_name {{ domain }};
listen 80;
root /var/www/{{ domain }}/public;
index index.html index.htm;
location / {
add_header Permissions-Policy interest-cohort=();
add_header Referrer-Policy: "no-referrer";
try_files $uri $uri/ =404;
}
}


@ -1,12 +0,0 @@
server {
root /var/www/{{ domain }}/tor;
index index.html index.htm;
location / {
add_header Permissions-Policy interest-cohort=();
try_files $uri $uri/ =404;
}
# our tor hidden service is hosted on this port
listen 2171;
}