add gitea role

TODO.md

@@ -1,2 +1,4 @@
 - [ ] nameservers for users
-- [ ] create dmarc.report, postmaster email users, give access to infra users
+- [ ] read email for service accounts dmarc.report, postmaster email users, give access to infra users
+- [ ] allow infra users to ssh into any machine in infra, regular users into their tilde account on himmel
+- [ ] allow ufw and setup wireguard on himmel

deploy.yml

@@ -14,3 +14,6 @@
 
 - name: Mail
   ansible.builtin.import_playbook: playbooks/deploy-mail.yml
+
+- name: Gitea
+  ansible.builtin.import_playbook: playbooks/deploy-gitea.yml

docs/PEOPLE_PLAYBOOK.md

@@ -13,3 +13,7 @@ kanidm person posix set --name idm_admin <username> --shell /bin/zsh
 kanidm person update <username> --legalname "<display name>" --mail <username>@hatecomputers.club
 kanidm group add-members mail <username>
 ```
+
+groups you'll probably want to add people:
++ gitea-access
++ mail

group_vars/gitea.yml

@@ -0,0 +1,5 @@
+---
+
+gitea_app_name: HateComputers' Gitea
+gitea_domain: git.hatecomputers.club
+gitea_auth_domain: auth.hatecomputers.club

group_vars/host_domains.yml

@@ -2,6 +2,9 @@
 
 host_domains:
   fern.hatecomputers.club:
-    - fern.hatecomputers.club
+    # - fern.hatecomputers.club
     - auth.hatecomputers.club
     - mail.hatecomputers.club
+  himmel.hatecomputers.club:
+    # - himmel.hatecomputers.club
+    - git.hatecomputers.club

inventory

@@ -1,17 +1,24 @@
 [docker]
 fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
+himmel.hatecomputers.club  ansible_user=root ansible_connection=ssh
 
 [host_domains]
 fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
+himmel.hatecomputers.club  ansible_user=root ansible_connection=ssh
 
 [nginx]
 fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
+himmel.hatecomputers.club  ansible_user=root ansible_connection=ssh
 
 [certbot]
 fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
+himmel.hatecomputers.club  ansible_user=root ansible_connection=ssh
 
 [kanidm]
 fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
 
 [mail]
 fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
+
+[gitea]
+himmel.hatecomputers.club  ansible_user=root ansible_connection=ssh

playbooks/deploy-gitea.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Gitea setup
+  hosts: gitea
+  roles:
+    - gitea

playbooks/roles/common/tasks/main.yml

@@ -22,11 +22,17 @@
       - systemd-resolved
       - vim
       - git
+      - rsync
     state: latest
     update_cache: true
   notify:
     - Enable systemd-timesyncd
 
+## DNS
+- name: Configure systemd-resolved
+  ansible.builtin.include_tasks:
+    file: "systemd-resolved.yml"
+
 ## SSH
 - name: Copy sshd_config
   ansible.builtin.copy:
@@ -61,14 +67,3 @@
     state: "enabled"
   notify:
     - Reload ufw
-
-## DNS
-- name: Configure systemd-resolved
-  ansible.builtin.include_tasks:
-    file: "systemd-resolved.yml"
-
-## RSYNC
-- name: Install rsync
-  ansible.builtin.apt:
-    name: rsync
-    state: present

playbooks/roles/gitea/tasks/main.yml

@@ -0,0 +1,47 @@
+---
+- name: Ensure gitea docker/compose exist
+  ansible.builtin.file:
+    path: /etc/docker/compose/gitea
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+
+- name: Ensure gitea docker/compose/data/gitea/conf exist
+  ansible.builtin.file:
+    path: /etc/docker/compose/gitea/data/gitea/conf
+    state: directory
+    owner: 1000
+    group: 1000
+    mode: 0700
+    recurse: true
+
+- name: Build gitea configuration
+  ansible.builtin.template:
+    src: app.ini.j2
+    dest: /etc/docker/compose/gitea/data/gitea/conf/app.ini
+    owner: 1000
+    group: 1000
+    mode: 0700
+
+- name: Copy public assets
+  ansible.builtin.copy:
+    src: public/
+    dest: /etc/docker/compose/gitea/data/gitea/public
+    owner: 1000
+    group: 1000
+    mode: 0700
+
+- name: Build gitea docker-compose.yml.j2
+  ansible.builtin.template:
+    src: docker-compose.yml.j2
+    dest: /etc/docker/compose/gitea/docker-compose.yml
+    owner: root
+    group: root
+    mode: 0700
+
+- name: Daemon-reload and enable gitea
+  ansible.builtin.systemd_service:
+    state: restarted
+    enabled: true
+    name: docker-compose@gitea

playbooks/roles/gitea/templates/app.ini.j2

@@ -0,0 +1,105 @@
+APP_NAME = {{ gitea_app_name }}
+RUN_MODE = prod
+RUN_USER = git
+WORK_PATH = /data/gitea
+
+[repository]
+ROOT = /data/git/repositories
+
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+
+[server]
+APP_DATA_PATH = /data/gitea
+DOMAIN = {{ gitea_domain }}
+SSH_DOMAIN = {{ gitea_domain }}
+HTTP_PORT = 3000
+ROOT_URL = https://{{ gitea_domain }}/
+DISABLE_SSH = false
+SSH_PORT = 22
+SSH_LISTEN_PORT = 22
+LFS_START_SERVER = true
+LFS_JWT_SECRET = {{ gitea_jwt_secret }}
+OFFLINE_MODE = false
+LANDING_PAGE = explore
+
+[database]
+PATH = /data/gitea/gitea.db
+DB_TYPE = sqlite3
+HOST = localhost:3306
+NAME = gitea
+USER = root
+PASSWD =
+LOG_SQL = false
+SCHEMA =
+SSL_MODE = disable
+
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+PROVIDER = file
+
+[picture]
+AVATAR_UPLOAD_PATH = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+
+[attachment]
+PATH = /data/gitea/attachments
+
+[log]
+MODE = console
+LEVEL = info
+ROOT_PATH = /data/gitea/log
+
+[security]
+INSTALL_LOCK = true
+SECRET_KEY =
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
+INTERNAL_TOKEN = {{ gitea_internal_token }}
+PASSWORD_HASH_ALGO = pbkdf2
+
+[service]
+DISABLE_REGISTRATION = false
+REQUIRE_SIGNIN_VIEW = false
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION = true
+SHOW_REGISTRATION_BUTTON = false
+ENABLE_CAPTCHA = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.localhost
+
+[lfs]
+PATH = /data/git/lfs
+
+[mailer]
+ENABLED = false
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = true
+WHITELISTED_URIS     = {{ gitea_auth_domain }}
+
+[cron.update_checker]
+ENABLED = false
+
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = merge
+
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
+
+[oauth2]
+JWT_SECRET = {{ gitea_oauth2_jwt_secret }}
+
+[webhook]
+; Allow insecure certification
+SKIP_TLS_VERIFY = true

playbooks/roles/gitea/templates/docker-compose.yml.j2

@@ -0,0 +1,19 @@
+version: "3"
+
+networks:
+  gitea:
+    external: false
+
+services:
+  server:
+    image: gitea/gitea:latest
+    restart: always
+    networks:
+      - gitea
+    volumes:
+      - ./data:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "127.0.0.1:9966:3000"
+      - "0.0.0.0:222:22"

playbooks/roles/nginx/templates/himmel.hatecomputers.club/http.git.hatecomputers.club.conf

@@ -0,0 +1,8 @@
+server {
+  listen 80;
+  server_name git.hatecomputers.club;
+
+  location / {
+    rewrite ^ https://git.hatecomputers.club$request_uri? permanent;
+  }
+}

playbooks/roles/nginx/templates/himmel.hatecomputers.club/https.git.hatecomputers.club.conf

@@ -0,0 +1,21 @@
+server {
+  server_name git.hatecomputers.club;
+  listen 443 ssl;
+
+  ssl_dhparam /etc/nginx/dhparams.pem;
+  
+  ssl_session_timeout 1d;
+  ssl_session_tickets off;
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+  ssl_prefer_server_ciphers off;
+
+  ssl_certificate /etc/letsencrypt/live/git.hatecomputers.club/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/git.hatecomputers.club/privkey.pem;
+
+  location / {
+    proxy_pass         http://127.0.0.1:9966;
+    proxy_set_header   X-Real-IP $remote_addr;
+    proxy_set_header   Host $host;
+  }
+}

secrets.txt

@@ -3,3 +3,6 @@ certbot_email
 email_ldap_api_token
 roundcube_oauth2_client_id
 roundcube_oauth2_client_basic_secret
+gitea_jwt_secret
+gitea_oauth2_jwt_secret
+gitea_internal_token