add gitea role

2024-03-23 17:43:50 -04:00 · 2024-03-23 17:43:50 -04:00 · e29bfd0799
parent c9bb61dcc0
commit e29bfd0799
18 changed files with 243 additions and 13 deletions
--- a/TODO.md
+++ b/TODO.md
@ -1,2 +1,4 @@
 - [ ] nameservers for users
- [ ] create dmarc.report, postmaster email users, give access to infra users
+- [ ] read email for service accounts dmarc.report, postmaster email users, give access to infra users
+- [ ] allow infra users to ssh into any machine in infra, regular users into their tilde account on himmel
+- [ ] allow ufw and setup wireguard on himmel
--- a/deploy.yml
+++ b/deploy.yml
@ -14,3 +14,6 @@

 - name: Mail
  ansible.builtin.import_playbook: playbooks/deploy-mail.yml
+
+- name: Gitea
+  ansible.builtin.import_playbook: playbooks/deploy-gitea.yml
--- a/docs/PEOPLE_PLAYBOOK.md
+++ b/docs/PEOPLE_PLAYBOOK.md
@ -13,3 +13,7 @@ kanidm person posix set --name idm_admin <username> --shell /bin/zsh
 kanidm person update <username> --legalname "<display name>" --mail <username>@hatecomputers.club
 kanidm group add-members mail <username>
 ```
+
+groups you'll probably want to add people:
+ gitea-access
+ mail
--- a/group_vars/gitea.yml
+++ b/group_vars/gitea.yml
@ -0,0 +1,5 @@
+---
+
+gitea_app_name: HateComputers' Gitea
+gitea_domain: git.hatecomputers.club
+gitea_auth_domain: auth.hatecomputers.club
--- a/group_vars/host_domains.yml
+++ b/group_vars/host_domains.yml
@ -2,6 +2,9 @@

 host_domains:
  fern.hatecomputers.club:
-    - fern.hatecomputers.club
+    # - fern.hatecomputers.club
    - auth.hatecomputers.club
    - mail.hatecomputers.club
+  himmel.hatecomputers.club:
+    # - himmel.hatecomputers.club
+    - git.hatecomputers.club
--- a/7
+++ b/7
@ -1,17 +1,24 @@
 [docker]
 fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
+himmel.hatecomputers.club  ansible_user=root ansible_connection=ssh

 [host_domains]
 fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
+himmel.hatecomputers.club  ansible_user=root ansible_connection=ssh

 [nginx]
 fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
+himmel.hatecomputers.club  ansible_user=root ansible_connection=ssh

 [certbot]
 fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
+himmel.hatecomputers.club  ansible_user=root ansible_connection=ssh

 [kanidm]
 fern.hatecomputers.club  ansible_user=root ansible_connection=ssh

 [mail]
 fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
+
+[gitea]
+himmel.hatecomputers.club  ansible_user=root ansible_connection=ssh
--- a/playbooks/deploy-gitea.yml
+++ b/playbooks/deploy-gitea.yml
@ -0,0 +1,6 @@
+---
+
+- name: Gitea setup
+  hosts: gitea
+  roles:
+    - gitea
--- a/playbooks/roles/common/tasks/main.yml
+++ b/playbooks/roles/common/tasks/main.yml
@ -22,11 +22,17 @@
      - systemd-resolved
      - vim
      - git
+      - rsync
    state: latest
    update_cache: true
  notify:
    - Enable systemd-timesyncd

+## DNS
+- name: Configure systemd-resolved
+  ansible.builtin.include_tasks:
+    file: "systemd-resolved.yml"
+
 ## SSH
 - name: Copy sshd_config
  ansible.builtin.copy:
@ -61,14 +67,3 @@
    state: "enabled"
  notify:
    - Reload ufw
-
-## DNS
- name: Configure systemd-resolved
-  ansible.builtin.include_tasks:
-    file: "systemd-resolved.yml"
-
-## RSYNC
- name: Install rsync
-  ansible.builtin.apt:
-    name: rsync
-    state: present
--- a/playbooks/roles/gitea/files/public/assets/img/favicon.png
+++ b/playbooks/roles/gitea/files/public/assets/img/favicon.png
--- a/playbooks/roles/gitea/files/public/assets/img/favicon.svg
+++ b/playbooks/roles/gitea/files/public/assets/img/favicon.svg
--- a/playbooks/roles/gitea/files/public/assets/img/logo.png
+++ b/playbooks/roles/gitea/files/public/assets/img/logo.png
--- a/playbooks/roles/gitea/files/public/assets/img/logo.svg
+++ b/playbooks/roles/gitea/files/public/assets/img/logo.svg
--- a/playbooks/roles/gitea/tasks/main.yml
+++ b/playbooks/roles/gitea/tasks/main.yml
@ -0,0 +1,47 @@
+---
+- name: Ensure gitea docker/compose exist
+  ansible.builtin.file:
+    path: /etc/docker/compose/gitea
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+
+- name: Ensure gitea docker/compose/data/gitea/conf exist
+  ansible.builtin.file:
+    path: /etc/docker/compose/gitea/data/gitea/conf
+    state: directory
+    owner: 1000
+    group: 1000
+    mode: 0700
+    recurse: true
+
+- name: Build gitea configuration
+  ansible.builtin.template:
+    src: app.ini.j2
+    dest: /etc/docker/compose/gitea/data/gitea/conf/app.ini
+    owner: 1000
+    group: 1000
+    mode: 0700
+
+- name: Copy public assets
+  ansible.builtin.copy:
+    src: public/
+    dest: /etc/docker/compose/gitea/data/gitea/public
+    owner: 1000
+    group: 1000
+    mode: 0700
+
+- name: Build gitea docker-compose.yml.j2
+  ansible.builtin.template:
+    src: docker-compose.yml.j2
+    dest: /etc/docker/compose/gitea/docker-compose.yml
+    owner: root
+    group: root
+    mode: 0700
+
+- name: Daemon-reload and enable gitea
+  ansible.builtin.systemd_service:
+    state: restarted
+    enabled: true
+    name: docker-compose@gitea
--- a/playbooks/roles/gitea/templates/app.ini.j2
+++ b/playbooks/roles/gitea/templates/app.ini.j2
@ -0,0 +1,105 @@
+APP_NAME = {{ gitea_app_name }}
+RUN_MODE = prod
+RUN_USER = git
+WORK_PATH = /data/gitea
+
+[repository]
+ROOT = /data/git/repositories
+
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+
+[server]
+APP_DATA_PATH = /data/gitea
+DOMAIN = {{ gitea_domain }}
+SSH_DOMAIN = {{ gitea_domain }}
+HTTP_PORT = 3000
+ROOT_URL = https://{{ gitea_domain }}/
+DISABLE_SSH = false
+SSH_PORT = 22
+SSH_LISTEN_PORT = 22
+LFS_START_SERVER = true
+LFS_JWT_SECRET = {{ gitea_jwt_secret }}
+OFFLINE_MODE = false
+LANDING_PAGE = explore
+
+[database]
+PATH = /data/gitea/gitea.db
+DB_TYPE = sqlite3
+HOST = localhost:3306
+NAME = gitea
+USER = root
+PASSWD =
+LOG_SQL = false
+SCHEMA =
+SSL_MODE = disable
+
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+PROVIDER = file
+
+[picture]
+AVATAR_UPLOAD_PATH = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+
+[attachment]
+PATH = /data/gitea/attachments
+
+[log]
+MODE = console
+LEVEL = info
+ROOT_PATH = /data/gitea/log
+
+[security]
+INSTALL_LOCK = true
+SECRET_KEY =
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
+INTERNAL_TOKEN = {{ gitea_internal_token }}
+PASSWORD_HASH_ALGO = pbkdf2
+
+[service]
+DISABLE_REGISTRATION = false
+REQUIRE_SIGNIN_VIEW = false
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION = true
+SHOW_REGISTRATION_BUTTON = false
+ENABLE_CAPTCHA = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.localhost
+
+[lfs]
+PATH = /data/git/lfs
+
+[mailer]
+ENABLED = false
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = true
+WHITELISTED_URIS     = {{ gitea_auth_domain }}
+
+[cron.update_checker]
+ENABLED = false
+
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = merge
+
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
+
+[oauth2]
+JWT_SECRET = {{ gitea_oauth2_jwt_secret }}
+
+[webhook]
+; Allow insecure certification
+SKIP_TLS_VERIFY = true
--- a/playbooks/roles/gitea/templates/docker-compose.yml.j2
+++ b/playbooks/roles/gitea/templates/docker-compose.yml.j2
@ -0,0 +1,19 @@
+version: "3"
+
+networks:
+  gitea:
+    external: false
+
+services:
+  server:
+    image: gitea/gitea:latest
+    restart: always
+    networks:
+      - gitea
+    volumes:
+      - ./data:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "127.0.0.1:9966:3000"
+      - "0.0.0.0:222:22"
--- a/playbooks/roles/nginx/templates/himmel.hatecomputers.club/http.git.hatecomputers.club.conf
+++ b/playbooks/roles/nginx/templates/himmel.hatecomputers.club/http.git.hatecomputers.club.conf
@ -0,0 +1,8 @@
+server {
+  listen 80;
+  server_name git.hatecomputers.club;
+
+  location / {
+    rewrite ^ https://git.hatecomputers.club$request_uri? permanent;
+  }
+}
--- a/playbooks/roles/nginx/templates/himmel.hatecomputers.club/https.git.hatecomputers.club.conf
+++ b/playbooks/roles/nginx/templates/himmel.hatecomputers.club/https.git.hatecomputers.club.conf
@ -0,0 +1,21 @@
+server {
+  server_name git.hatecomputers.club;
+  listen 443 ssl;
+
+  ssl_dhparam /etc/nginx/dhparams.pem;
+  
+  ssl_session_timeout 1d;
+  ssl_session_tickets off;
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+  ssl_prefer_server_ciphers off;
+
+  ssl_certificate /etc/letsencrypt/live/git.hatecomputers.club/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/git.hatecomputers.club/privkey.pem;
+
+  location / {
+    proxy_pass         http://127.0.0.1:9966;
+    proxy_set_header   X-Real-IP $remote_addr;
+    proxy_set_header   Host $host;
+  }
+}
--- a/secrets.txt
+++ b/secrets.txt
@ -3,3 +3,6 @@ certbot_email
 email_ldap_api_token
 roundcube_oauth2_client_id
 roundcube_oauth2_client_basic_secret
+gitea_jwt_secret
+gitea_oauth2_jwt_secret
+gitea_internal_token