├── .config
    └── ansible-lint.yml
├── .github
    └── FUNDING.yml
├── .gitignore
├── CHANGELOG.md
├── LICENSE
├── Makefile
├── README.md
├── ansible.cfg
├── docs
    ├── README.md
    ├── configuring-dns.md
    ├── configuring-playbook-backups.md
    ├── configuring-playbook-database.md
    ├── configuring-playbook-interoperability.md
    ├── configuring-playbook-reverse-proxy.md
    ├── configuring-playbook-woodpecker-ci.md
    ├── configuring-playbook.md
    ├── installing.md
    ├── prerequisites.md
    └── updating.md
├── examples
    ├── host-vars.yml
    └── hosts
├── group_vars
    └── gitea_servers
├── inventory
    └── .gitkeep
├── justfile
├── requirements.yml
├── roles
    └── custom
    │   ├── base
    │       ├── defaults
    │       │   └── main.yml
    │       └── tasks
    │       │   ├── main.yml
    │       │   ├── setup.yml
    │       │   └── validate_config.yml
    │   ├── gitea
    │       ├── defaults
    │       │   └── main.yml
    │       ├── tasks
    │       │   ├── main.yml
    │       │   ├── setup_install.yml
    │       │   └── validate_config.yml
    │       └── templates
    │       │   ├── env.j2
    │       │   ├── gitea-gitea.service.j2
    │       │   └── labels.j2
    │   ├── gitea_backup
    │       ├── defaults
    │       │   └── main.yml
    │       ├── tasks
    │       │   ├── main.yml
    │       │   ├── setup_install.yml
    │       │   ├── setup_install_debian.yml
    │       │   ├── setup_install_redhat.yml
    │       │   └── validate_config.yml
    │       └── templates
    │       │   ├── bin
    │       │       └── backup.j2
    │       │   ├── provider
    │       │       └── b2
    │       │       │   └── env
    │       │   └── systemd
    │       │       ├── gitea-backup.service.j2
    │       │       └── gitea-backup.timer.j2
    │   └── gitea_playbook_migration
    │       └── tasks
    │           ├── devture_traefik_to_gitea_traefik.yml
    │           ├── main.yml
    │           └── validate_config.yml
└── setup.yml


/.config/ansible-lint.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | use_default_rules: true
 4 | 
 5 | skip_list:
 6 |   - unnamed-task
 7 |   - no-handler
 8 | 
 9 | offline: false
10 | 


--------------------------------------------------------------------------------
/.github/FUNDING.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # These are supported funding model platforms
3 | 
4 | # https://liberapay.com/s.pantaleev/
5 | liberapay: s.pantaleev
6 | # https://ko-fi.com/spantaleev
7 | ko_fi: spantaleev
8 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | /inventory/*
2 | !/inventory/.gitkeep
3 | !/inventory/host_vars/.gitkeep
4 | 
5 | # ignore roles pulled by ansible-galaxy
6 | /roles/galaxy/*
7 | !/roles/galaxy/.gitkeep
8 | 


--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
  1 | # 2023-03-16
  2 | 
  3 | ## This playbook has been absorbed into the MASH playbook
  4 | 
  5 | To avoid maintaining too many similarly-looking playbooks, I've decided to merge this playbook into the newly-created [MASH playbook](https://github.com/mother-of-all-self-hosting/mash-playbook). For more details about this, see the [Why create such a mega playbook?](https://github.com/mother-of-all-self-hosting/mash-playbook/tree/main#why-create-such-a-mega-playbook) section of the new playbook's README file.
  6 | 
  7 | **This `gitea-docker-ansible-deploy` playbook will not receive additional updates**.
  8 | 
  9 | Steps to migrate from `gitea-docker-ansible-deploy` to hosting Gitea using the MASH playbook:
 10 | 
 11 | 1. Get started with the [MASH playbook](https://github.com/mother-of-all-self-hosting/mash-playbook). Do an initial installation which contains Postgres, Traefik, etc. Enabling the Gitea service is done below in step 2.
 12 | 
 13 | 2. Configure the [Gitea service](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/gitea.md) with the MASH playbook. You can reuse your `vars.yml` file with these changes:
 14 | 
 15 | - **renaming** `gitea_gitea_` to `gitea_` in all variable names
 16 | - the **addition** of `gitea_enabled: true`
 17 | - the **removal** of various `gitea_playbook_` variables. You may need to replace them with `mosh_playbook_` variables
 18 | - the **removal** of `gitea_generic_secret_key`. This has been superseded by `mash_playbook_generic_secret_key`
 19 | - the **removal** of any other variables you had in your old `vars.yml` file (`devture_postgres_connection_password`, etc.). Your new `vars.yml` file likely already defines some of these variables, so there's no need to define them twice.
 20 | 
 21 | 3. If you were using the [Woodpecker CI](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/woodpecker-ci.md) service (agent or server), configure it as well.
 22 | 
 23 | 4. Do an initial installation by running the following command **in the MASH playbook's directory**: `just run-tags install-all`. NOTE: there's a difference between `just run-tags install-all` and `just install-all`; we use the former here, because we don't want to start the Gitea service just yet
 24 | 
 25 | 5. SSH into the server and do the following:
 26 | 
 27 |    - Create a database dump by running: `/gitea/postgres/bin/dump-all /gitea`. This will create the `/gitea/latest-dump.sql.gz` file
 28 | 
 29 |     - Stop and disable all old Gitea services by running: `cd /etc/systemd/system && systemctl disable --now gitea*` (note the `*` at the end)
 30 | 
 31 |     - Sync the Gitea data by running: `rsync -avr /gitea/gitea/. /mash/gitea/.`
 32 | 
 33 |     - Fix permissions for the Gitea data: `chown -R mash:mash /mash/gitea`
 34 | 
 35 |     - (Optional) Sync the Woodpecker CI server data by running: `rsync -avr /gitea/woodpecker-ci/server/. /mash/woodpecker-ci/server/.`
 36 | 
 37 |     - (Optional) Fix permissions for the Woodpecker CI server data: `chown -R mash:mash /mash/woodpecker-ci/server/`
 38 | 
 39 | 6. Import the Gitea database dump into the Postgres instance by running the following command **in the MASH playbook's directory**: `just run-tags import-postgres --extra-vars=server_path_postgres_dump=/gitea/latest-dump.sql.gz --extra-vars=postgres_default_import_database=gitea`
 40 | 
 41 | 7.  Re-run the MASH playbook and start all services by running the following command **in the MASH playbook's directory**: `just run-tags install-all,start`
 42 | 
 43 | 8. Verify that your new Gitea installation works
 44 | 
 45 | 9. Clean up by SSH-ing into the server and doing the following:
 46 | 
 47 |     - `rm /etc/systemd/system/gitea*`
 48 |     - `rm -rf /gitea`
 49 |     - getting rid of this playbook
 50 | 
 51 | 
 52 | # 2023-01-13
 53 | 
 54 | ## Support for running commands via just
 55 | 
 56 | We've previously used [make](https://www.gnu.org/software/make/) for easily running some playbook commands (e.g. `make roles` which triggers `ansible-galaxy`, see [Makefile](Makefile)).
 57 | Our `Makefile` is still around and you can still run these commands.
 58 | 
 59 | In addition, we've added support for running commands via [just](https://github.com/casey/just) - a more modern command-runner alternative to `make`. Instead of `make roles`, you can now run `just roles` to accomplish the same.
 60 | 
 61 | Our [justfile](justfile) already defines some additional helpful **shortcut** commands that weren't part of our `Makefile`. Here are some examples:
 62 | 
 63 | - `just install-all` to trigger the much longer `ansible-playbook -i inventory/hosts setup.yml --tags=install-all,start` command
 64 | - `just install-all --ask-vault-pass` - commands also support additional arguments (`--ask-vault-pass` will be appended to the above installation command)
 65 | - `just run-tags install-gitea-backup,start` - to run specific playbook tags
 66 | - `just start-all` - (re-)starts all services
 67 | - `just stop-group postgres` - to stop only the Postgres service
 68 | 
 69 | Additional helpful commands and shortcuts may be defined in the future.
 70 | 
 71 | This is all completely optional. If you find it difficult to [install `just`](https://github.com/casey/just#installation) or don't find any of this convenient, feel free to run all commands manually.
 72 | 
 73 | 
 74 | # 2022-12-14
 75 | 
 76 | # Container networks have flipped around
 77 | 
 78 | If you're using an externally-managed Traefik server or other reverse-proxy, you may need to adapt your `vars.yml` configuration.
 79 | 
 80 | To ensure connectivity of Gitea to Traefik, we used to put Gitea in Traefik's network (as a main network), and then also connect the Gitea container to "additional networks" (its own `gitea` network, etc.).
 81 | 
 82 | While this worked, it was a little backwards. We now have a better way to do things - putting Gitea in its own `gitea` network as main, and connecting the Gitea container to additional networks (e.g. `traefik`) after creating the container, but before starting it. This also seems to work well and is more straightforward.
 83 | 
 84 | The playbook will warn you if you're using any variables that have been renamed or dropped.
 85 | 
 86 | 
 87 | # 2022-11-25
 88 | 
 89 | # Traefik now runs in a separate container network from the rest of the Gitea services
 90 | 
 91 | Until now, Traefik ran in the same container network (`gitea`) as all Gitea services so it could reverse-proxy to them easily.
 92 | 
 93 | From now on:
 94 | 
 95 | - Traefik runs in its own new `traefik` container network
 96 | 
 97 | - Gitea services continue to run in the `gitea` container network
 98 | 
 99 | - Gitea services which Traefik needs to reverse-proxy to (e.g. the `gitea-gitea` container) are automatically connected to the `traefik` additional container network, thanks to a new `gitea_playbook_reverse_proxyable_services_additional_networks` variable controlling this behavior
100 | 
101 | To **upgrade your setup**, consider first stopping all services (running the playbook with `--tags=stop`) and then installing (`--tags=setup-all,start`).
102 | 
103 | If you're reverse-proxying via your own Traefik instance (not installed by this playbook), you may need to use this additional configuration: `nextcloud_playbook_reverse_proxyable_services_additional_networks: [traefik]` (for Traefik running in a container network named `traefik`).
104 | 
105 | 
106 | # 2022-10-21
107 | 
108 | Initial release
109 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                     GNU AFFERO GENERAL PUBLIC LICENSE
  2 |                        Version 3, 19 November 2007
  3 | 
  4 |  Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
  5 |  Everyone is permitted to copy and distribute verbatim copies
  6 |  of this license document, but changing it is not allowed.
  7 | 
  8 |                             Preamble
  9 | 
 10 |   The GNU Affero General Public License is a free, copyleft license for
 11 | software and other kinds of works, specifically designed to ensure
 12 | cooperation with the community in the case of network server software.
 13 | 
 14 |   The licenses for most software and other practical works are designed
 15 | to take away your freedom to share and change the works.  By contrast,
 16 | our General Public Licenses are intended to guarantee your freedom to
 17 | share and change all versions of a program--to make sure it remains free
 18 | software for all its users.
 19 | 
 20 |   When we speak of free software, we are referring to freedom, not
 21 | price.  Our General Public Licenses are designed to make sure that you
 22 | have the freedom to distribute copies of free software (and charge for
 23 | them if you wish), that you receive source code or can get it if you
 24 | want it, that you can change the software or use pieces of it in new
 25 | free programs, and that you know you can do these things.
 26 | 
 27 |   Developers that use our General Public Licenses protect your rights
 28 | with two steps: (1) assert copyright on the software, and (2) offer
 29 | you this License which gives you legal permission to copy, distribute
 30 | and/or modify the software.
 31 | 
 32 |   A secondary benefit of defending all users' freedom is that
 33 | improvements made in alternate versions of the program, if they
 34 | receive widespread use, become available for other developers to
 35 | incorporate.  Many developers of free software are heartened and
 36 | encouraged by the resulting cooperation.  However, in the case of
 37 | software used on network servers, this result may fail to come about.
 38 | The GNU General Public License permits making a modified version and
 39 | letting the public access it on a server without ever releasing its
 40 | source code to the public.
 41 | 
 42 |   The GNU Affero General Public License is designed specifically to
 43 | ensure that, in such cases, the modified source code becomes available
 44 | to the community.  It requires the operator of a network server to
 45 | provide the source code of the modified version running there to the
 46 | users of that server.  Therefore, public use of a modified version, on
 47 | a publicly accessible server, gives the public access to the source
 48 | code of the modified version.
 49 | 
 50 |   An older license, called the Affero General Public License and
 51 | published by Affero, was designed to accomplish similar goals.  This is
 52 | a different license, not a version of the Affero GPL, but Affero has
 53 | released a new version of the Affero GPL which permits relicensing under
 54 | this license.
 55 | 
 56 |   The precise terms and conditions for copying, distribution and
 57 | modification follow.
 58 | 
 59 |                        TERMS AND CONDITIONS
 60 | 
 61 |   0. Definitions.
 62 | 
 63 |   "This License" refers to version 3 of the GNU Affero General Public License.
 64 | 
 65 |   "Copyright" also means copyright-like laws that apply to other kinds of
 66 | works, such as semiconductor masks.
 67 | 
 68 |   "The Program" refers to any copyrightable work licensed under this
 69 | License.  Each licensee is addressed as "you".  "Licensees" and
 70 | "recipients" may be individuals or organizations.
 71 | 
 72 |   To "modify" a work means to copy from or adapt all or part of the work
 73 | in a fashion requiring copyright permission, other than the making of an
 74 | exact copy.  The resulting work is called a "modified version" of the
 75 | earlier work or a work "based on" the earlier work.
 76 | 
 77 |   A "covered work" means either the unmodified Program or a work based
 78 | on the Program.
 79 | 
 80 |   To "propagate" a work means to do anything with it that, without
 81 | permission, would make you directly or secondarily liable for
 82 | infringement under applicable copyright law, except executing it on a
 83 | computer or modifying a private copy.  Propagation includes copying,
 84 | distribution (with or without modification), making available to the
 85 | public, and in some countries other activities as well.
 86 | 
 87 |   To "convey" a work means any kind of propagation that enables other
 88 | parties to make or receive copies.  Mere interaction with a user through
 89 | a computer network, with no transfer of a copy, is not conveying.
 90 | 
 91 |   An interactive user interface displays "Appropriate Legal Notices"
 92 | to the extent that it includes a convenient and prominently visible
 93 | feature that (1) displays an appropriate copyright notice, and (2)
 94 | tells the user that there is no warranty for the work (except to the
 95 | extent that warranties are provided), that licensees may convey the
 96 | work under this License, and how to view a copy of this License.  If
 97 | the interface presents a list of user commands or options, such as a
 98 | menu, a prominent item in the list meets this criterion.
 99 | 
100 |   1. Source Code.
101 | 
102 |   The "source code" for a work means the preferred form of the work
103 | for making modifications to it.  "Object code" means any non-source
104 | form of a work.
105 | 
106 |   A "Standard Interface" means an interface that either is an official
107 | standard defined by a recognized standards body, or, in the case of
108 | interfaces specified for a particular programming language, one that
109 | is widely used among developers working in that language.
110 | 
111 |   The "System Libraries" of an executable work include anything, other
112 | than the work as a whole, that (a) is included in the normal form of
113 | packaging a Major Component, but which is not part of that Major
114 | Component, and (b) serves only to enable use of the work with that
115 | Major Component, or to implement a Standard Interface for which an
116 | implementation is available to the public in source code form.  A
117 | "Major Component", in this context, means a major essential component
118 | (kernel, window system, and so on) of the specific operating system
119 | (if any) on which the executable work runs, or a compiler used to
120 | produce the work, or an object code interpreter used to run it.
121 | 
122 |   The "Corresponding Source" for a work in object code form means all
123 | the source code needed to generate, install, and (for an executable
124 | work) run the object code and to modify the work, including scripts to
125 | control those activities.  However, it does not include the work's
126 | System Libraries, or general-purpose tools or generally available free
127 | programs which are used unmodified in performing those activities but
128 | which are not part of the work.  For example, Corresponding Source
129 | includes interface definition files associated with source files for
130 | the work, and the source code for shared libraries and dynamically
131 | linked subprograms that the work is specifically designed to require,
132 | such as by intimate data communication or control flow between those
133 | subprograms and other parts of the work.
134 | 
135 |   The Corresponding Source need not include anything that users
136 | can regenerate automatically from other parts of the Corresponding
137 | Source.
138 | 
139 |   The Corresponding Source for a work in source code form is that
140 | same work.
141 | 
142 |   2. Basic Permissions.
143 | 
144 |   All rights granted under this License are granted for the term of
145 | copyright on the Program, and are irrevocable provided the stated
146 | conditions are met.  This License explicitly affirms your unlimited
147 | permission to run the unmodified Program.  The output from running a
148 | covered work is covered by this License only if the output, given its
149 | content, constitutes a covered work.  This License acknowledges your
150 | rights of fair use or other equivalent, as provided by copyright law.
151 | 
152 |   You may make, run and propagate covered works that you do not
153 | convey, without conditions so long as your license otherwise remains
154 | in force.  You may convey covered works to others for the sole purpose
155 | of having them make modifications exclusively for you, or provide you
156 | with facilities for running those works, provided that you comply with
157 | the terms of this License in conveying all material for which you do
158 | not control copyright.  Those thus making or running the covered works
159 | for you must do so exclusively on your behalf, under your direction
160 | and control, on terms that prohibit them from making any copies of
161 | your copyrighted material outside their relationship with you.
162 | 
163 |   Conveying under any other circumstances is permitted solely under
164 | the conditions stated below.  Sublicensing is not allowed; section 10
165 | makes it unnecessary.
166 | 
167 |   3. Protecting Users' Legal Rights From Anti-Circumvention Law.
168 | 
169 |   No covered work shall be deemed part of an effective technological
170 | measure under any applicable law fulfilling obligations under article
171 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
172 | similar laws prohibiting or restricting circumvention of such
173 | measures.
174 | 
175 |   When you convey a covered work, you waive any legal power to forbid
176 | circumvention of technological measures to the extent such circumvention
177 | is effected by exercising rights under this License with respect to
178 | the covered work, and you disclaim any intention to limit operation or
179 | modification of the work as a means of enforcing, against the work's
180 | users, your or third parties' legal rights to forbid circumvention of
181 | technological measures.
182 | 
183 |   4. Conveying Verbatim Copies.
184 | 
185 |   You may convey verbatim copies of the Program's source code as you
186 | receive it, in any medium, provided that you conspicuously and
187 | appropriately publish on each copy an appropriate copyright notice;
188 | keep intact all notices stating that this License and any
189 | non-permissive terms added in accord with section 7 apply to the code;
190 | keep intact all notices of the absence of any warranty; and give all
191 | recipients a copy of this License along with the Program.
192 | 
193 |   You may charge any price or no price for each copy that you convey,
194 | and you may offer support or warranty protection for a fee.
195 | 
196 |   5. Conveying Modified Source Versions.
197 | 
198 |   You may convey a work based on the Program, or the modifications to
199 | produce it from the Program, in the form of source code under the
200 | terms of section 4, provided that you also meet all of these conditions:
201 | 
202 |     a) The work must carry prominent notices stating that you modified
203 |     it, and giving a relevant date.
204 | 
205 |     b) The work must carry prominent notices stating that it is
206 |     released under this License and any conditions added under section
207 |     7.  This requirement modifies the requirement in section 4 to
208 |     "keep intact all notices".
209 | 
210 |     c) You must license the entire work, as a whole, under this
211 |     License to anyone who comes into possession of a copy.  This
212 |     License will therefore apply, along with any applicable section 7
213 |     additional terms, to the whole of the work, and all its parts,
214 |     regardless of how they are packaged.  This License gives no
215 |     permission to license the work in any other way, but it does not
216 |     invalidate such permission if you have separately received it.
217 | 
218 |     d) If the work has interactive user interfaces, each must display
219 |     Appropriate Legal Notices; however, if the Program has interactive
220 |     interfaces that do not display Appropriate Legal Notices, your
221 |     work need not make them do so.
222 | 
223 |   A compilation of a covered work with other separate and independent
224 | works, which are not by their nature extensions of the covered work,
225 | and which are not combined with it such as to form a larger program,
226 | in or on a volume of a storage or distribution medium, is called an
227 | "aggregate" if the compilation and its resulting copyright are not
228 | used to limit the access or legal rights of the compilation's users
229 | beyond what the individual works permit.  Inclusion of a covered work
230 | in an aggregate does not cause this License to apply to the other
231 | parts of the aggregate.
232 | 
233 |   6. Conveying Non-Source Forms.
234 | 
235 |   You may convey a covered work in object code form under the terms
236 | of sections 4 and 5, provided that you also convey the
237 | machine-readable Corresponding Source under the terms of this License,
238 | in one of these ways:
239 | 
240 |     a) Convey the object code in, or embodied in, a physical product
241 |     (including a physical distribution medium), accompanied by the
242 |     Corresponding Source fixed on a durable physical medium
243 |     customarily used for software interchange.
244 | 
245 |     b) Convey the object code in, or embodied in, a physical product
246 |     (including a physical distribution medium), accompanied by a
247 |     written offer, valid for at least three years and valid for as
248 |     long as you offer spare parts or customer support for that product
249 |     model, to give anyone who possesses the object code either (1) a
250 |     copy of the Corresponding Source for all the software in the
251 |     product that is covered by this License, on a durable physical
252 |     medium customarily used for software interchange, for a price no
253 |     more than your reasonable cost of physically performing this
254 |     conveying of source, or (2) access to copy the
255 |     Corresponding Source from a network server at no charge.
256 | 
257 |     c) Convey individual copies of the object code with a copy of the
258 |     written offer to provide the Corresponding Source.  This
259 |     alternative is allowed only occasionally and noncommercially, and
260 |     only if you received the object code with such an offer, in accord
261 |     with subsection 6b.
262 | 
263 |     d) Convey the object code by offering access from a designated
264 |     place (gratis or for a charge), and offer equivalent access to the
265 |     Corresponding Source in the same way through the same place at no
266 |     further charge.  You need not require recipients to copy the
267 |     Corresponding Source along with the object code.  If the place to
268 |     copy the object code is a network server, the Corresponding Source
269 |     may be on a different server (operated by you or a third party)
270 |     that supports equivalent copying facilities, provided you maintain
271 |     clear directions next to the object code saying where to find the
272 |     Corresponding Source.  Regardless of what server hosts the
273 |     Corresponding Source, you remain obligated to ensure that it is
274 |     available for as long as needed to satisfy these requirements.
275 | 
276 |     e) Convey the object code using peer-to-peer transmission, provided
277 |     you inform other peers where the object code and Corresponding
278 |     Source of the work are being offered to the general public at no
279 |     charge under subsection 6d.
280 | 
281 |   A separable portion of the object code, whose source code is excluded
282 | from the Corresponding Source as a System Library, need not be
283 | included in conveying the object code work.
284 | 
285 |   A "User Product" is either (1) a "consumer product", which means any
286 | tangible personal property which is normally used for personal, family,
287 | or household purposes, or (2) anything designed or sold for incorporation
288 | into a dwelling.  In determining whether a product is a consumer product,
289 | doubtful cases shall be resolved in favor of coverage.  For a particular
290 | product received by a particular user, "normally used" refers to a
291 | typical or common use of that class of product, regardless of the status
292 | of the particular user or of the way in which the particular user
293 | actually uses, or expects or is expected to use, the product.  A product
294 | is a consumer product regardless of whether the product has substantial
295 | commercial, industrial or non-consumer uses, unless such uses represent
296 | the only significant mode of use of the product.
297 | 
298 |   "Installation Information" for a User Product means any methods,
299 | procedures, authorization keys, or other information required to install
300 | and execute modified versions of a covered work in that User Product from
301 | a modified version of its Corresponding Source.  The information must
302 | suffice to ensure that the continued functioning of the modified object
303 | code is in no case prevented or interfered with solely because
304 | modification has been made.
305 | 
306 |   If you convey an object code work under this section in, or with, or
307 | specifically for use in, a User Product, and the conveying occurs as
308 | part of a transaction in which the right of possession and use of the
309 | User Product is transferred to the recipient in perpetuity or for a
310 | fixed term (regardless of how the transaction is characterized), the
311 | Corresponding Source conveyed under this section must be accompanied
312 | by the Installation Information.  But this requirement does not apply
313 | if neither you nor any third party retains the ability to install
314 | modified object code on the User Product (for example, the work has
315 | been installed in ROM).
316 | 
317 |   The requirement to provide Installation Information does not include a
318 | requirement to continue to provide support service, warranty, or updates
319 | for a work that has been modified or installed by the recipient, or for
320 | the User Product in which it has been modified or installed.  Access to a
321 | network may be denied when the modification itself materially and
322 | adversely affects the operation of the network or violates the rules and
323 | protocols for communication across the network.
324 | 
325 |   Corresponding Source conveyed, and Installation Information provided,
326 | in accord with this section must be in a format that is publicly
327 | documented (and with an implementation available to the public in
328 | source code form), and must require no special password or key for
329 | unpacking, reading or copying.
330 | 
331 |   7. Additional Terms.
332 | 
333 |   "Additional permissions" are terms that supplement the terms of this
334 | License by making exceptions from one or more of its conditions.
335 | Additional permissions that are applicable to the entire Program shall
336 | be treated as though they were included in this License, to the extent
337 | that they are valid under applicable law.  If additional permissions
338 | apply only to part of the Program, that part may be used separately
339 | under those permissions, but the entire Program remains governed by
340 | this License without regard to the additional permissions.
341 | 
342 |   When you convey a copy of a covered work, you may at your option
343 | remove any additional permissions from that copy, or from any part of
344 | it.  (Additional permissions may be written to require their own
345 | removal in certain cases when you modify the work.)  You may place
346 | additional permissions on material, added by you to a covered work,
347 | for which you have or can give appropriate copyright permission.
348 | 
349 |   Notwithstanding any other provision of this License, for material you
350 | add to a covered work, you may (if authorized by the copyright holders of
351 | that material) supplement the terms of this License with terms:
352 | 
353 |     a) Disclaiming warranty or limiting liability differently from the
354 |     terms of sections 15 and 16 of this License; or
355 | 
356 |     b) Requiring preservation of specified reasonable legal notices or
357 |     author attributions in that material or in the Appropriate Legal
358 |     Notices displayed by works containing it; or
359 | 
360 |     c) Prohibiting misrepresentation of the origin of that material, or
361 |     requiring that modified versions of such material be marked in
362 |     reasonable ways as different from the original version; or
363 | 
364 |     d) Limiting the use for publicity purposes of names of licensors or
365 |     authors of the material; or
366 | 
367 |     e) Declining to grant rights under trademark law for use of some
368 |     trade names, trademarks, or service marks; or
369 | 
370 |     f) Requiring indemnification of licensors and authors of that
371 |     material by anyone who conveys the material (or modified versions of
372 |     it) with contractual assumptions of liability to the recipient, for
373 |     any liability that these contractual assumptions directly impose on
374 |     those licensors and authors.
375 | 
376 |   All other non-permissive additional terms are considered "further
377 | restrictions" within the meaning of section 10.  If the Program as you
378 | received it, or any part of it, contains a notice stating that it is
379 | governed by this License along with a term that is a further
380 | restriction, you may remove that term.  If a license document contains
381 | a further restriction but permits relicensing or conveying under this
382 | License, you may add to a covered work material governed by the terms
383 | of that license document, provided that the further restriction does
384 | not survive such relicensing or conveying.
385 | 
386 |   If you add terms to a covered work in accord with this section, you
387 | must place, in the relevant source files, a statement of the
388 | additional terms that apply to those files, or a notice indicating
389 | where to find the applicable terms.
390 | 
391 |   Additional terms, permissive or non-permissive, may be stated in the
392 | form of a separately written license, or stated as exceptions;
393 | the above requirements apply either way.
394 | 
395 |   8. Termination.
396 | 
397 |   You may not propagate or modify a covered work except as expressly
398 | provided under this License.  Any attempt otherwise to propagate or
399 | modify it is void, and will automatically terminate your rights under
400 | this License (including any patent licenses granted under the third
401 | paragraph of section 11).
402 | 
403 |   However, if you cease all violation of this License, then your
404 | license from a particular copyright holder is reinstated (a)
405 | provisionally, unless and until the copyright holder explicitly and
406 | finally terminates your license, and (b) permanently, if the copyright
407 | holder fails to notify you of the violation by some reasonable means
408 | prior to 60 days after the cessation.
409 | 
410 |   Moreover, your license from a particular copyright holder is
411 | reinstated permanently if the copyright holder notifies you of the
412 | violation by some reasonable means, this is the first time you have
413 | received notice of violation of this License (for any work) from that
414 | copyright holder, and you cure the violation prior to 30 days after
415 | your receipt of the notice.
416 | 
417 |   Termination of your rights under this section does not terminate the
418 | licenses of parties who have received copies or rights from you under
419 | this License.  If your rights have been terminated and not permanently
420 | reinstated, you do not qualify to receive new licenses for the same
421 | material under section 10.
422 | 
423 |   9. Acceptance Not Required for Having Copies.
424 | 
425 |   You are not required to accept this License in order to receive or
426 | run a copy of the Program.  Ancillary propagation of a covered work
427 | occurring solely as a consequence of using peer-to-peer transmission
428 | to receive a copy likewise does not require acceptance.  However,
429 | nothing other than this License grants you permission to propagate or
430 | modify any covered work.  These actions infringe copyright if you do
431 | not accept this License.  Therefore, by modifying or propagating a
432 | covered work, you indicate your acceptance of this License to do so.
433 | 
434 |   10. Automatic Licensing of Downstream Recipients.
435 | 
436 |   Each time you convey a covered work, the recipient automatically
437 | receives a license from the original licensors, to run, modify and
438 | propagate that work, subject to this License.  You are not responsible
439 | for enforcing compliance by third parties with this License.
440 | 
441 |   An "entity transaction" is a transaction transferring control of an
442 | organization, or substantially all assets of one, or subdividing an
443 | organization, or merging organizations.  If propagation of a covered
444 | work results from an entity transaction, each party to that
445 | transaction who receives a copy of the work also receives whatever
446 | licenses to the work the party's predecessor in interest had or could
447 | give under the previous paragraph, plus a right to possession of the
448 | Corresponding Source of the work from the predecessor in interest, if
449 | the predecessor has it or can get it with reasonable efforts.
450 | 
451 |   You may not impose any further restrictions on the exercise of the
452 | rights granted or affirmed under this License.  For example, you may
453 | not impose a license fee, royalty, or other charge for exercise of
454 | rights granted under this License, and you may not initiate litigation
455 | (including a cross-claim or counterclaim in a lawsuit) alleging that
456 | any patent claim is infringed by making, using, selling, offering for
457 | sale, or importing the Program or any portion of it.
458 | 
459 |   11. Patents.
460 | 
461 |   A "contributor" is a copyright holder who authorizes use under this
462 | License of the Program or a work on which the Program is based.  The
463 | work thus licensed is called the contributor's "contributor version".
464 | 
465 |   A contributor's "essential patent claims" are all patent claims
466 | owned or controlled by the contributor, whether already acquired or
467 | hereafter acquired, that would be infringed by some manner, permitted
468 | by this License, of making, using, or selling its contributor version,
469 | but do not include claims that would be infringed only as a
470 | consequence of further modification of the contributor version.  For
471 | purposes of this definition, "control" includes the right to grant
472 | patent sublicenses in a manner consistent with the requirements of
473 | this License.
474 | 
475 |   Each contributor grants you a non-exclusive, worldwide, royalty-free
476 | patent license under the contributor's essential patent claims, to
477 | make, use, sell, offer for sale, import and otherwise run, modify and
478 | propagate the contents of its contributor version.
479 | 
480 |   In the following three paragraphs, a "patent license" is any express
481 | agreement or commitment, however denominated, not to enforce a patent
482 | (such as an express permission to practice a patent or covenant not to
483 | sue for patent infringement).  To "grant" such a patent license to a
484 | party means to make such an agreement or commitment not to enforce a
485 | patent against the party.
486 | 
487 |   If you convey a covered work, knowingly relying on a patent license,
488 | and the Corresponding Source of the work is not available for anyone
489 | to copy, free of charge and under the terms of this License, through a
490 | publicly available network server or other readily accessible means,
491 | then you must either (1) cause the Corresponding Source to be so
492 | available, or (2) arrange to deprive yourself of the benefit of the
493 | patent license for this particular work, or (3) arrange, in a manner
494 | consistent with the requirements of this License, to extend the patent
495 | license to downstream recipients.  "Knowingly relying" means you have
496 | actual knowledge that, but for the patent license, your conveying the
497 | covered work in a country, or your recipient's use of the covered work
498 | in a country, would infringe one or more identifiable patents in that
499 | country that you have reason to believe are valid.
500 | 
501 |   If, pursuant to or in connection with a single transaction or
502 | arrangement, you convey, or propagate by procuring conveyance of, a
503 | covered work, and grant a patent license to some of the parties
504 | receiving the covered work authorizing them to use, propagate, modify
505 | or convey a specific copy of the covered work, then the patent license
506 | you grant is automatically extended to all recipients of the covered
507 | work and works based on it.
508 | 
509 |   A patent license is "discriminatory" if it does not include within
510 | the scope of its coverage, prohibits the exercise of, or is
511 | conditioned on the non-exercise of one or more of the rights that are
512 | specifically granted under this License.  You may not convey a covered
513 | work if you are a party to an arrangement with a third party that is
514 | in the business of distributing software, under which you make payment
515 | to the third party based on the extent of your activity of conveying
516 | the work, and under which the third party grants, to any of the
517 | parties who would receive the covered work from you, a discriminatory
518 | patent license (a) in connection with copies of the covered work
519 | conveyed by you (or copies made from those copies), or (b) primarily
520 | for and in connection with specific products or compilations that
521 | contain the covered work, unless you entered into that arrangement,
522 | or that patent license was granted, prior to 28 March 2007.
523 | 
524 |   Nothing in this License shall be construed as excluding or limiting
525 | any implied license or other defenses to infringement that may
526 | otherwise be available to you under applicable patent law.
527 | 
528 |   12. No Surrender of Others' Freedom.
529 | 
530 |   If conditions are imposed on you (whether by court order, agreement or
531 | otherwise) that contradict the conditions of this License, they do not
532 | excuse you from the conditions of this License.  If you cannot convey a
533 | covered work so as to satisfy simultaneously your obligations under this
534 | License and any other pertinent obligations, then as a consequence you may
535 | not convey it at all.  For example, if you agree to terms that obligate you
536 | to collect a royalty for further conveying from those to whom you convey
537 | the Program, the only way you could satisfy both those terms and this
538 | License would be to refrain entirely from conveying the Program.
539 | 
540 |   13. Remote Network Interaction; Use with the GNU General Public License.
541 | 
542 |   Notwithstanding any other provision of this License, if you modify the
543 | Program, your modified version must prominently offer all users
544 | interacting with it remotely through a computer network (if your version
545 | supports such interaction) an opportunity to receive the Corresponding
546 | Source of your version by providing access to the Corresponding Source
547 | from a network server at no charge, through some standard or customary
548 | means of facilitating copying of software.  This Corresponding Source
549 | shall include the Corresponding Source for any work covered by version 3
550 | of the GNU General Public License that is incorporated pursuant to the
551 | following paragraph.
552 | 
553 |   Notwithstanding any other provision of this License, you have
554 | permission to link or combine any covered work with a work licensed
555 | under version 3 of the GNU General Public License into a single
556 | combined work, and to convey the resulting work.  The terms of this
557 | License will continue to apply to the part which is the covered work,
558 | but the work with which it is combined will remain governed by version
559 | 3 of the GNU General Public License.
560 | 
561 |   14. Revised Versions of this License.
562 | 
563 |   The Free Software Foundation may publish revised and/or new versions of
564 | the GNU Affero General Public License from time to time.  Such new versions
565 | will be similar in spirit to the present version, but may differ in detail to
566 | address new problems or concerns.
567 | 
568 |   Each version is given a distinguishing version number.  If the
569 | Program specifies that a certain numbered version of the GNU Affero General
570 | Public License "or any later version" applies to it, you have the
571 | option of following the terms and conditions either of that numbered
572 | version or of any later version published by the Free Software
573 | Foundation.  If the Program does not specify a version number of the
574 | GNU Affero General Public License, you may choose any version ever published
575 | by the Free Software Foundation.
576 | 
577 |   If the Program specifies that a proxy can decide which future
578 | versions of the GNU Affero General Public License can be used, that proxy's
579 | public statement of acceptance of a version permanently authorizes you
580 | to choose that version for the Program.
581 | 
582 |   Later license versions may give you additional or different
583 | permissions.  However, no additional obligations are imposed on any
584 | author or copyright holder as a result of your choosing to follow a
585 | later version.
586 | 
587 |   15. Disclaimer of Warranty.
588 | 
589 |   THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
590 | APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
591 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
592 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
593 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
594 | PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
595 | IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
596 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
597 | 
598 |   16. Limitation of Liability.
599 | 
600 |   IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
601 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
602 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
603 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
604 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
605 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
606 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
607 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
608 | SUCH DAMAGES.
609 | 
610 |   17. Interpretation of Sections 15 and 16.
611 | 
612 |   If the disclaimer of warranty and limitation of liability provided
613 | above cannot be given local legal effect according to their terms,
614 | reviewing courts shall apply local law that most closely approximates
615 | an absolute waiver of all civil liability in connection with the
616 | Program, unless a warranty or assumption of liability accompanies a
617 | copy of the Program in return for a fee.
618 | 
619 |                      END OF TERMS AND CONDITIONS
620 | 
621 |             How to Apply These Terms to Your New Programs
622 | 
623 |   If you develop a new program, and you want it to be of the greatest
624 | possible use to the public, the best way to achieve this is to make it
625 | free software which everyone can redistribute and change under these terms.
626 | 
627 |   To do so, attach the following notices to the program.  It is safest
628 | to attach them to the start of each source file to most effectively
629 | state the exclusion of warranty; and each file should have at least
630 | the "copyright" line and a pointer to where the full notice is found.
631 | 
632 |     <one line to give the program's name and a brief idea of what it does.>
633 |     Copyright (C) <year>  <name of author>
634 | 
635 |     This program is free software: you can redistribute it and/or modify
636 |     it under the terms of the GNU Affero General Public License as published
637 |     by the Free Software Foundation, either version 3 of the License, or
638 |     (at your option) any later version.
639 | 
640 |     This program is distributed in the hope that it will be useful,
641 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
642 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
643 |     GNU Affero General Public License for more details.
644 | 
645 |     You should have received a copy of the GNU Affero General Public License
646 |     along with this program.  If not, see <https://www.gnu.org/licenses/>.
647 | 
648 | Also add information on how to contact you by electronic and paper mail.
649 | 
650 |   If your software can interact with users remotely through a computer
651 | network, you should also make sure that it provides a way for users to
652 | get its source.  For example, if your program is a web application, its
653 | interface could display a "Source" link that leads users to an archive
654 | of the code.  There are many ways you could offer source, and different
655 | solutions will be better for different programs; see section 13 for the
656 | specific requirements.
657 | 
658 |   You should also get your employer (if you work as a programmer) or school,
659 | if any, to sign a "copyright disclaimer" for the program, if necessary.
660 | For more information on this, and how to apply and follow the GNU AGPL, see
661 | <https://www.gnu.org/licenses/>.
662 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | .PHONY: roles lint
 2 | 
 3 | help: ## Show this help.
 4 | 	@grep -F -h "##" $(MAKEFILE_LIST) | grep -v grep | sed -e 's/\\$$//' | sed -e 's/##//'
 5 | 
 6 | roles: ## Pull roles
 7 | 	rm -rf roles/galaxy
 8 | 	ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force
 9 | 
10 | lint: ## Runs ansible-lint against all roles in the playbook
11 | 	ansible-lint
12 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Gitea server setup using Ansible and Docker
 2 | 
 3 | -------
 4 | 
 5 | **WARNING**: this playbook has been **made obsolete** by the [MASH playbook](https://github.com/mother-of-all-self-hosting/mash-playbook), which also supports installing the [Gitea](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/gitea.md) and [Woodpecker CI](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/woodpecker-ci.md) server and agent services. There's a [migration guide](CHANGELOG.md#this-playbook-has-been-absorbed-into-the-mash-playbook) in the changelog.
 6 | 
 7 | -------
 8 | 
 9 | This [Ansible](https://www.ansible.com/) playbook can help you set up your own [Gitea](https://gitea.io/) server instance:
10 | 
11 | - on your own Debian/CentOS/RedHat server
12 | 
13 | - with all services ([Gitea](https://gitea.io/), [PostgreSQL](https://www.postgresql.org/), [Traefik](https://traefik.io), etc.) running in [Docker](https://www.docker.com/) containers
14 | 
15 | - powered by the official [gitea/gitea](https://hub.docker.com/r/gitea/gitea) container image
16 | 
17 | - [interoperates nicely](docs/configuring-playbook-interoperability.md) with [related](#related) Ansible playbooks or other services using Traefik for reverse-proxying
18 | 
19 | SSL certificates are automatically managed by a [Traefik](https://traefik.io) reverse-proxy.
20 | 
21 | Various components (Postgres, Traefik, etc.) can be disabled and replaced with your own other implementations (see [configuring the playbook](docs/configuring-playbook.md)).
22 | 
23 | 
24 | ## Features
25 | 
26 | Using this playbook, you can get the following services configured on your server:
27 | 
28 | - a [Gitea](https://gitea.io/) server - storing your Git data
29 | 
30 | - (optional) a [PostgreSQL](https://www.postgresql.org/) database for Gitea
31 | 
32 | - (optional) free [Let's Encrypt](https://letsencrypt.org/) SSL certificate, which secures the connection to the Gitea server
33 | 
34 | - (optional) [backups](docs/configuring-playbook-backups.md)
35 | 
36 | - (optional) [Woodpecker CI](https://woodpecker-ci.org/) server + agent setup integrated with the Gitea server - for running your [Continuous Integration](https://en.wikipedia.org/wiki/Continuous_integration) jobs
37 | 
38 | Basically, this playbook aims to get you up-and-running with all the basic necessities around Gitea.
39 | 
40 | 
41 | ## Installation
42 | 
43 | To configure and install Gitea on your own server, follow the [README in the docs/ directory](docs/README.md).
44 | 
45 | 
46 | ## Changes
47 | 
48 | This playbook evolves over time, sometimes with backward-incompatible changes.
49 | 
50 | When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up with what's new.
51 | 
52 | 
53 | ## Support
54 | 
55 | - Matrix room: [#gitea-docker-ansible-deploy:devture.com](https://matrix.to/#/#gitea-docker-ansible-deploy:devture.com)
56 | 
57 | - GitHub issues: [spantaleev/gitea-docker-ansible-deploy/issues](https://github.com/spantaleev/gitea-docker-ansible-deploy/issues)
58 | 
59 | 
60 | ## Related
61 | 
62 | You may also be interested in these other playbooks:
63 | 
64 | - [matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) - for deploying a fully-featured [Matrix](https://matrix.org) homeserver
65 | 
66 | - [nextcloud-docker-ansible-deploy](https://github.com/spantaleev/nextcloud-docker-ansible-deploy) - for deploying a [Nextcloud](https://nextcloud.com/) server
67 | 
68 | - [peertube-docker-ansible-deploy](https://github.com/spantaleev/peertube-docker-ansible-deploy) - for deploying a [PeerTube](https://joinpeertube.org/) video-platform server
69 | 
70 | - [vaultwarden-docker-ansible-deploy](https://github.com/spantaleev/vaultwarden-docker-ansible-deploy) - for deploying a [Vaultwarden](https://github.com/dani-garcia/vaultwarden) password manager server (unofficial [Bitwarden](https://bitwarden.com/) compatible server)
71 | 


--------------------------------------------------------------------------------
/ansible.cfg:
--------------------------------------------------------------------------------
1 | [defaults]
2 | retry_files_enabled = False
3 | 


--------------------------------------------------------------------------------
/docs/README.md:
--------------------------------------------------------------------------------
 1 | # Table of Contents
 2 | 
 3 | - [Prerequisites](prerequisites.md)
 4 | 
 5 | - [Configuring DNS](configuring-dns.md)
 6 | 
 7 | - [Configuring the playbook](configuring-playbook.md)
 8 | 
 9 | - [Installing](installing.md)
10 | 
11 | - [Updating](updating.md)
12 | 
13 | - [Backups](backups.md)
14 | 


--------------------------------------------------------------------------------
/docs/configuring-dns.md:
--------------------------------------------------------------------------------
 1 | # Configuring your DNS server
 2 | 
 3 | To set up Gitea on your domain, you'd need to do some DNS configuration.
 4 | 
 5 | ## DNS settings for services enabled by default
 6 | 
 7 | | Type  | Host                         | Priority | Weight | Port | Target                 |
 8 | | ----- | ---------------------------- | -------- | ------ | ---- | ---------------------- |
 9 | | A     | `gitea`                      | -        | -      | -    | `gitea-server-IP`      |
10 | 
11 | Be mindful as to how long it will take for the DNS records to propagate.
12 | 
13 | When you're done configuring DNS, proceed to [Configuring the playbook](configuring-playbook.md).
14 | 


--------------------------------------------------------------------------------
/docs/configuring-playbook-backups.md:
--------------------------------------------------------------------------------
 1 | # Backups
 2 | 
 3 | The backup and restore functionality is still not very advanced.
 4 | 
 5 | 
 6 | ## Enabling backups
 7 | 
 8 | To enable Gitea backups you'll need this additional `vars.yml` configuration:
 9 | 
10 | ```yaml
11 | gitea_backup_enabled: true
12 | 
13 | # Backups are gpg-encrypted.
14 | #
15 | # You can encrypt the password, so that it's not visible in your vars.yml file in clear text.
16 | # Use the `ansible-vault encrypt_string` tool and the value provided by it.
17 | # If you start using encrypted values in your vars.yml file (such as an encrypted password here),
18 | # you'll need to pass `--ask-vault-pass` to all `ansible-playbook` commands that you run in the future.
19 | gitea_backup_encryption_password: SOME_PASSWORD
20 | ```
21 | 
22 | **Warning**: a database dump will be included in the backup file **only** if you're using the integrated Postgres server provided with this playbook. If you're [using another database](configuring-playbook-database.md) it will **not** be backed up.
23 | 
24 | The backup system is activated every day at 06:30 (according to the `gitea_backup_schedule` variable).
25 | 
26 | To guarantee a consistent backup, Gitea will be temporarily stopped while the backup process is running.
27 | This behavior can be changed by tweaking the `gitea_backup_stop_gitea_while_running` variable.
28 | 
29 | The backup system will generate a `/gitea/backup/gitea-latest-backup.tar.gpg` file.
30 | 
31 | You can pull it from another remote system or potentially push it elsewhere.
32 | 
33 | 
34 | ### Custom shell commands after backup creation
35 | 
36 | You can use the `gitea_backup_post_backup_custom_shell_commands` variable to set custom shell commands that will be executed after a backup is created.
37 | 
38 | Take a look at `roles/custom/gitea_backup/defaults/main.yml` for usage information.
39 | 
40 | 
41 | ### Pushing backups to backup providers
42 | 
43 | #### Backblaze B2
44 | 
45 | To push backups to a [Backblaze B2](https://www.backblaze.com/b2/cloud-storage.html) bucket, use the following additional `vars.yml` configuration:
46 | 
47 | ```yaml
48 | gitea_backup_b2_enabled: true
49 | gitea_backup_b2_bucket: ''
50 | gitea_backup_b2_key_id: ''
51 | gitea_backup_b2_key_secret: ''
52 | ```
53 | 
54 | ### Additional providers
55 | 
56 | For now, we don't support additional backup providers. Feel free to contribute support for others!
57 | 
58 | 
59 | ## Restoring backups
60 | 
61 | Restoring is a relatively manual process that goes like this:
62 | 
63 | 1. If you have an existing Gitea service on the server, make sure it's stopped: `ansible-playbook -i inventory/hosts setup.yml --tags=stop`
64 | 2. Ensure there is no `/gitea` directory on the server
65 | 3. Get your `DATE-gitea-latest.tar.gpg` backup file onto the server
66 | 4. Decrypt it: `gpg --no-symkey-cache -d FILE.tar.gpg > FILE.tar`
67 | 5. Extract it: ` tar xf FILE.tar -C /` (this will create the `/gitea` directory and put all files under it)
68 | 6. Re-run the playbook **without** a `start` tag. See [Installing](installing.md)
69 | 8. Import the Postgres database dump (`/gitea/backup/data/latest-dump.sql.gz`) by running: `ansible-playbook -i inventory/hosts setup.yml --tags=import-postgres --extra-vars='{"server_path_postgres_dump": "/gitea/backup/data/latest-dump.sql.gz"}'`
70 | 9. Start services: `ansible-playbook -i inventory/hosts setup.yml --tags=start`
71 | 


--------------------------------------------------------------------------------
/docs/configuring-playbook-database.md:
--------------------------------------------------------------------------------
 1 | # Configuring the database
 2 | 
 3 | By default, this playbook installs Postgres in a container alongside Gitea.
 4 | 
 5 | To use your own Postgres server, use a `vars.yml` configuration like this:
 6 | 
 7 | ```yaml
 8 | # Disable the integrated Postgres service
 9 | devture_postgres_enabled: false
10 | 
11 | # Uncomment and possibly change this, if you'd like to use another database engine.
12 | # gitea_gitea_config_database_type: mysql
13 | 
14 | # Fill these out
15 | gitea_gitea_config_database_hostname: ""
16 | gitea_gitea_config_database_port: 5432
17 | gitea_gitea_config_database_name: ""
18 | gitea_gitea_config_database_username: ""
19 | gitea_gitea_config_database_password: ""
20 | ```
21 | 


--------------------------------------------------------------------------------
/docs/configuring-playbook-interoperability.md:
--------------------------------------------------------------------------------
 1 | # Configuring interoperability with other services
 2 | 
 3 | This playbook tries to get you up and running with minimal effort - installing all required services (Gitea, Postgres, [Traefik](https://traefik.io), etc).
 4 | 
 5 | Sometimes, you're using a server to host multiple services. In such cases these are undesirable:
 6 | 
 7 | - this playbook overtaking your whole server (more specifically ports `tcp/80` and `tcp/443`) with its own Traefik instance
 8 | 
 9 | - multiple playbooks trying to install Docker, etc.
10 | 
11 | Below, we offer some suggestions for how to make this playbook more interoperable. Feel free to cherry-pick the parts that make sense for your set up.
12 | 
13 | 
14 | ## Disabling Traefik installation
15 | 
16 | If you're installing [Traefik](https://traefik.io) on your server in another way:
17 | 
18 | ```yaml
19 | # Tell the playbook you're using Traefik installed in another way.
20 | # It won't bother installing Traefik.
21 | gitea_playbook_reverse_proxy_type: other-traefik-container
22 | 
23 | # Tell the playbook to attach services which require reverse-proxying to an additional network by default (e.g. traefik)
24 | # This needs to match your Traefik network.
25 | gitea_playbook_reverse_proxyable_services_additional_network: traefik
26 | ```
27 | 
28 | All services (among which the `gitea-gitea` container) will have container labels attached, so that a Traefik instance can reverse-proxy to them. See `roles/custom/gitea/templates/labels.j2` for an example.
29 | 
30 | Also, refer to the [configuring the reverse-proxy](configuring-playbook-reverse-proxy.md) documentation page for more information.
31 | 
32 | 
33 | ## Disabling Docker installation
34 | 
35 | If you're installing [Docker](https://www.docker.com/) on your server in another way, disable this component from the playbook:
36 | 
37 | ```yaml
38 | gitea_playbook_docker_installation_enabled: false
39 | ```
40 | 
41 | 
42 | ## Disabling Postgres installation
43 | 
44 | If you're installing [PostgreSQL](https://www.postgresql.org/) on your server in another way or wish to use an external Postgres server or another type of database, disable this component from the playbook:
45 | 
46 | ```yaml
47 | devture_postgres_enabled: false
48 | ```
49 | 
50 | Also, refer to the [configuring the database](configuring-playbook-database.md) documentation page for more information on using another database.
51 | 
52 | 
53 | ## Disabling timesyncing (systemd-timesyncd / ntp) installation
54 | 
55 | If you're installing `systemd-timesyncd` or `ntp` on your server in another way, disable this component from the playbook:
56 | 
57 | ```yaml
58 | devture_timesync_installation_enabled: false
59 | ```
60 | 


--------------------------------------------------------------------------------
/docs/configuring-playbook-reverse-proxy.md:
--------------------------------------------------------------------------------
 1 | # Configuring the reverse-proxy
 2 | 
 3 | By default, this playbook installs a [Traefik](https://traefik.io/) reverse-proxy, but that can be disabled if you'd like to using your own Traefik instance or to reverse-proxy in another way.
 4 | 
 5 | 
 6 | ## Reverse-proxy type
 7 | 
 8 | To control the playbook's reverse-proxy integration use `gitea_playbook_reverse_proxy_type` variable, which controls the type of reverse-proxy that the playbook will use. Valid values:
 9 | 
10 |   - `playbook-managed-traefik` (the default)
11 |   - `other-traefik-container`, see [Using your own Traefik server (installed separately)](#using-your-own-traefik-server-installed-separately)
12 |   - `none`, see [Disabling Traefik and reverse-proxying manually](#disabling-traefik-and-reverse-proxying-manually)
13 | 
14 | Learn more about these values and their behavior from [roles/custom/base/defaults/main.yml](../roles/custom/base/defaults/main.yml)
15 | 
16 | 
17 | ## Other variables of interest
18 | 
19 | The variables below are **automatically set** based on the reverse-proxy type (`gitea_playbook_reverse_proxy_type`). Nevertheless, you may find them useful if you need to do something more advanced.
20 | 
21 | - `devture_traefik_enabled` (default `true`) - controls whether the Traefik role's functionality is enabled or not.
22 | 
23 | - `gitea_playbook_traefik_labels_enabled` (default `true`) - controls whether Traefik container labels are attached to services. You may disable Traefik with the variables above, yet still keep attaching labels, so that a separately-installed Traefik instance can reverse-proxy to these services. If you're not using Traefik at all, flip this to `false`
24 | 
25 | - `gitea_playbook_reverse_proxyable_services_additional_network` (default `traefik`) - additional container network for reverse-proxyable services (like `gitea-gitea`). We default these to the `traefik` network for the default Traefik installation's benefit, but you can set this to another network
26 | 
27 | 
28 | ## Examples
29 | 
30 | ### Using your own Traefik server (installed separately)
31 | 
32 | If you'd like to avoid the playbook installing its own Traefik server and instead use your own, use this configuration:
33 | 
34 | ```yaml
35 | gitea_playbook_reverse_proxy_type: other-traefik-container
36 | # Specify the name of your Traefik network here
37 | gitea_playbook_reverse_proxyable_services_additional_network: traefik
38 | ```
39 | 
40 | All services will have container labels attached, so that a Traefik instance can reverse-proxy to them.
41 | 
42 | 
43 | ### Using Traefik in local-only mode
44 | 
45 | Below is an example of **putting Traefik in local-only mode** (no SSL termination) and letting you use another SSL-terminating reverse-proxy in front:
46 | 
47 | ```yaml
48 | # We keep the default reverse-proxy type
49 | # gitea_playbook_reverse_proxy_type: playbook-managed-traefik
50 | 
51 | # We disable Traefik's web-secure endpoint, which will disable SSL certificate retrieval and http-to-https redirection
52 | devture_traefik_config_entrypoint_web_secure_enabled: false
53 | ```
54 | 
55 | You can now reverse-proxy to port `80` where Traefik handles domains for all services managed by the playbook (Gitea and potentially others, if enabled).
56 | 
57 | 
58 | ### Disabling Traefik and reverse-proxying manually
59 | 
60 | Below is an example of **disabling Traefik completely** and letting you reverse-proxy using other means:
61 | 
62 | ```yaml
63 | gitea_playbook_reverse_proxy_type: none
64 | 
65 | # Expose the Gitea container's webserver to port 3000 on the loopback network interface only.
66 | # You can reverse-proxy to it using a locally running webserver.
67 | gitea_gitea_http_bind_port: '127.0.0.1:3000'
68 | 
69 | # Or:
70 | # Expose the Gitea container's webserver to port 3000 on all network interfaces.
71 | # You can reverse-proxy to it from another machine on the public or private network.
72 | # gitea_gitea_http_bind_port: '3000'
73 | ```
74 | 
75 | You can now reverse-proxy to port `3000` for Gitea. If you need to expose other services managed by this playbook, you'd need to expose them the same way (`_bind_port` variables) manually.
76 | 


--------------------------------------------------------------------------------
/docs/configuring-playbook-woodpecker-ci.md:
--------------------------------------------------------------------------------
 1 | # Woodpecker CI
 2 | 
 3 | This playbook can install and configure [Woodpecker CI](https://woodpecker-ci.org/) for you.
 4 | 
 5 | Woodpecker CI is a [Continuous Integration](https://en.wikipedia.org/wiki/Continuous_integration) engine which can build and deploy your code automatically after pushing to a Gitea repository.
 6 | 
 7 | A Woodpecker CI installation contains 2 components:
 8 | 
 9 | - one Woodpecker CI **server** (web interface, central management node)
10 | - one or more Woodpecker CI **agent** instances (which run your CI jobs)
11 | 
12 | It's better to run the **agent** instances elsewhere (not on the Gitea server) - on a machine that doesn't contain sensitive data.
13 | Small installations which only run trusted CI jobs can afford to run an agent instance on the Gitea server itself.
14 | 
15 | **Warning**: The example configuration below documents a setup in which both the **server** and a single **agent** instance run on the Gitea server itself. If you need to run CI jobs for untrusted repositories, you may wish to tweak the configuration in a way which deploys the **agent** nodes to a different server (other than Gitea).
16 | 
17 | 
18 | ## Preparation
19 | 
20 | ### DNS configuration
21 | 
22 | The Woodpecker CI server is hosted on a domain name, as specified in the `devture_woodpecker_ci_server_server_fqn` variable (see **Installation** below).
23 | 
24 | You'll need to create a dedicated domain name for Woodpecker CI (e.g. `woodpecker.example.com`), pointing to the Gitea server - a DNS `CNAME` record is suitable.
25 | 
26 | ### Gitea configuration
27 | 
28 | Below is a summary of the [Woodpecker CI documentation for Gitea](https://woodpecker-ci.org/docs/administration/vcs/gitea#registration):
29 | 
30 | 1. Go to **User Settings** -> **Applications** (`/user/settings/applications`).
31 | 2. Create a new OAuth 2 application with **any** name and a **Redirect URI** of `https://YOUR_WOODPECKER_DOMAIN_NAME/authorize` (`YOUR_WOODPECKER_DOMAIN_NAME` needs to match what you've chosen for `devture_woodpecker_ci_server_server_fqn` - see the **DNS configuration** step above)
32 | 3. Copy the client ID and client secret for the newly created OAuth 2 application. You will need then below, during the **Installation** step
33 | 
34 | 
35 | ## Installation
36 | 
37 | Before adjusting your the `vars.yml` configuration as explained below, you will need to follow the **Preparation** steps.
38 | 
39 | **After** that, adjust your `vars.yml` configuration like this:
40 | 
41 | ```yaml
42 | #########################################
43 | # Woodpecker CI server component        #
44 | #########################################
45 | 
46 | devture_woodpecker_ci_server_enabled: true
47 | 
48 | # You will need to create a DNS record for this domain,
49 | # as explained in "DNS configuration" above.
50 | devture_woodpecker_ci_server_server_fqn: woodpecker.DOMAIN
51 | 
52 | # Generate this secret with `openssl rand -hex 32`
53 | devture_woodpecker_ci_server_config_agent_secret: ''
54 | 
55 | # Add one or more Gitea usernames below.
56 | # These users will have admin privileges upon signup.
57 | devture_woodpecker_ci_server_config_admins:
58 |   - YOUR_GITEA_USERNAME_HERE
59 |   - ANOTHER_GITEA_USERNAME_HERE
60 | 
61 | # Populate these with the OAuth 2 application information
62 | # (see the Gitea configuration section above)
63 | devture_woodpecker_ci_server_config_gitea_client: GITEA_OAUTH_CLIENT_ID_HERE
64 | devture_woodpecker_ci_server_config_gitea_secret: GITEA_OAUTH_CLIENT_SECRET_HERE
65 | 
66 | #########################################
67 | # /Woodpecker CI server component       #
68 | #########################################
69 | 
70 | 
71 | #########################################
72 | # Woodpecker CI agent component         #
73 | #########################################
74 | 
75 | devture_woodpecker_ci_agent_enabled: true
76 | 
77 | #########################################
78 | # /Woodpecker CI agent component        #
79 | #########################################
80 | ```
81 | 
82 | Then proceed to install by re-running the playbook (`--tags=install-all,start`). See [installing](installing.md).
83 | 
84 | 
85 | ## Usage
86 | 
87 | After installation, you should be able to access the Woodpecker CI server instance at `https://woodpecker.DOMAIN` (matching the `devture_woodpecker_ci_server_server_fqn` value configured in `vars.yml`).
88 | 
89 | The **Log in** button should take you to Gitea, where you can authorize Woodpecker CI with the OAuth 2 application.
90 | 
91 | Follow the official Woodpecker CI [Getting started](https://woodpecker-ci.org/docs/usage/intro) documentation for additional usage details.
92 | 


--------------------------------------------------------------------------------
/docs/configuring-playbook.md:
--------------------------------------------------------------------------------
 1 | # Configuring the playbook
 2 | 
 3 | ## Preparing the inventory and your variables file (`vars.yml`)
 4 | 
 5 | Follow these steps inside the playbook directory:
 6 | 
 7 | - create a directory to hold your configuration (`mkdir inventory/host_vars/gitea.<your-domain>`)
 8 | 
 9 | - copy the sample configuration file (`cp examples/host-vars.yml inventory/host_vars/gitea.<your-domain>/vars.yml`)
10 | 
11 | - edit the configuration file (`inventory/host_vars/gitea.<your-domain>/vars.yml`) to your liking. See more in [Configuring Services](#configuring-services).
12 | 
13 | - copy the sample inventory hosts file (`cp examples/hosts inventory/hosts`)
14 | 
15 | - edit the inventory hosts file (`inventory/hosts`) to your liking
16 | 
17 | 
18 | ## Configuring Services
19 | 
20 | Doing the above preparation step, you're all set to proceed to [Installing](installing.md) with our default recommended configuration.
21 | 
22 | However, you may wish to tweak a few other things before installing (or any time later):
23 | 
24 | - [configuring the database](configuring-playbook-database.md) - if you'd like to use an external Postgres server or another type of database (MySQL, etc) - by default, we install Postgres in a container alongside Gitea
25 | 
26 | - [configuring the reverse-proxy](configuring-playbook-reverse-proxy.md) - if you'd like to expose your Gitea service to the internet using another HTTP webserver - by default, we set up [Traefik](https://traefik.io) which will handle ports `80` (`http`) and `443` (`https`)
27 | 
28 | - [configuring backups](configuring-playbook-backups.md)
29 | 
30 | - [configuring Woodpecker CI](configuring-playbook-woodpecker-ci.md) - for installing a [Woodpecker CI](https://woodpecker-ci.org/) server and agent to run your [Continuous Integration](https://en.wikipedia.org/wiki/Continuous_integration) jobs
31 | 
32 | You may also take a look at the various `defaults/main.yml` files in `roles/` and see if there's anything you'd like to copy over and override in your `vars.yml` configuration file.
33 | 
34 | 
35 | ## Installing
36 | 
37 | Once you've configured everything, you can proceed to [Installing](installing.md).
38 | 
39 | After installation, you can continue changing settings in `vars.yml` and re-running the installation step to make your server consistent with the configuration.
40 | 


--------------------------------------------------------------------------------
/docs/installing.md:
--------------------------------------------------------------------------------
 1 | # Installing
 2 | 
 3 | After [configuring DNS](configuring-dns.md) and [configuring the playbook](configuring-playbook.md), you're ready to install.
 4 | 
 5 | **Before installing** and each time you update the playbook in the future, you will need to update the Ansible roles in this playbook by running `just roles`. `just roles` is a shortcut (a `roles` target defined in [`justfile`](../justfile) and executed by the [`just`](https://github.com/casey/just) utility) which ultimately runs [ansible-galaxy](https://docs.ansible.com/ansible/latest/cli/ansible-galaxy.html) to download Ansible roles. If you don't have `just`, you can also manually run the `roles` commands seen in the `justfile`.
 6 | 
 7 | 
 8 | ## Playbook tags introduction
 9 | 
10 | The Ansible playbook's tasks are tagged, so that certain parts of the Ansible playbook can be run without running all other tasks.
11 | 
12 | The general command syntax is: `ansible-playbook -i inventory/hosts setup.yml --tags=COMMA_SEPARATED_TAGS_GO_HERE`
13 | 
14 | Here are some playbook tags that you should be familiar with:
15 | 
16 | - `setup-all` - runs all setup tasks (installation and uninstallation) for all components, but does not start/restart services
17 | 
18 | - `install-all` - like `setup-all`, but skips uninstallation tasks. Useful for maintaining your setup quickly when its components remain unchanged. If you adjust your `vars.yml` to remove components, you'd need to run `setup-all` though, or these components will still remain installed
19 | 
20 | - `setup-SERVICE` (e.g. `setup-gitea`) - runs the setup tasks only for a given role, but does not start/restart services. You can discover these additional tags in each role (`roles/*/main.yml`). Running per-component setup tasks is **not recommended**, as components sometimes depend on each other
21 | 
22 | - `install-SERVICE` (e.g. `install-gitea`) - like `setup-SERVICE`, but skips uninstallation tasks. See `install-all` above for additional information.
23 | 
24 | - `start` - starts all systemd services and makes them start automatically in the future
25 | 
26 | - `stop` - stops all systemd services
27 | 
28 | `setup-*` tags and `install-*` tags **do not start services** automatically, because you may wish to do things before starting services, such as importing a database dump, restoring data from another server, etc.
29 | 
30 | 
31 | ## Installation
32 | 
33 | Run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=install-all`.
34 | 
35 | If your inventory file (`vars.yml`) contains encrypted variables, you may need to pass `--ask-vault-pass` to the `ansible-playbook` command.
36 | 
37 | After installing, you can start services with `just start-all` (or `ansible-playbook -i inventory/hosts setup.yml --tags=start`).
38 | 
39 | **Hint**: In the future (especially if you'll be disabling playbook components), you may wish to use the `setup-all` tag (instead of `install-all`) to ensure that disabled components are uninstalled correctly. Read more about [playbook tags](#playbook-tags-introduction) above.
40 | 
41 | 
42 | ## Initial Gitea setup
43 | 
44 | After some time, you should be able to access your new Gitea instance at: `https://gitea.DOMAIN` (matching the `gitea_server_fqn_gitea` value you've set in `vars.yml`).
45 | 
46 | Going there, you'll be taken to the initial setup wizard, which will let you assign some paswords and other configuration.
47 | 


--------------------------------------------------------------------------------
/docs/prerequisites.md:
--------------------------------------------------------------------------------
 1 | # Prerequisites
 2 | 
 3 | - (Recommended) An **x86** or `arm64` (untested, but it may work) server running one of these operating systems:
 4 |   - **CentOS** (7+)
 5 |   - **Debian** (10/Buster or newer)
 6 |   - **Ubuntu** (18.04 or newer)
 7 |   - **Archlinux**
 8 | 
 9 | - the machine's SSH server needs to be moved to another port (e.g. `2222`), so that port `22` would be available for Gitea's own purposes. This behaviour can be changed by setting `gitea_gitea_ssh_bind_port` to a custom value in your `vars.yml`. NOTE: Do not forget to open up the correct ports when changing this default.
10 | 
11 | - `root` access to your server (or a user capable of elevating to `root` via `sudo`).
12 | 
13 | - [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't
14 | 
15 | - the [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you
16 | 
17 | - [`git`](https://git-scm.com/) is the recommended way to download the playbook to your computer
18 | 
19 | - Properly configured DNS records for `<your-domain>` (details in [Configuring DNS](configuring-dns.md)).
20 | 
21 | - Some TCP ports open. This playbook (actually [Docker itself](https://docs.docker.com/network/iptables/)) configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports:
22 | 
23 |   - `22/tcp`: Gitea's SSH server
24 |   - `80/tcp`: HTTP webserver
25 |   - `443/tcp`: HTTPS webserver
26 |   - `2222/tcp` (or some other): the system's SSH server that we've asked you to relocate away from port `22`, so that port `22` is free for Gitea to use
27 | 
28 | When ready to proceed, continue with [Configuring DNS](configuring-dns.md).
29 | 


--------------------------------------------------------------------------------
/docs/updating.md:
--------------------------------------------------------------------------------
1 | # Updating
2 | 
3 | To update your Gitea server:
4 | 
5 | - update this playbook (`git pull` if you've cloned via git; downloading it a-new if you've downloaded it as an archive)
6 | - run `just roles` to update the Ansible roles
7 | - execute `just setup-all`
8 | 


--------------------------------------------------------------------------------
/examples/host-vars.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | gitea_server_fqn_gitea: "gitea.YOUR_DOMAIN_NAME_HERE"
 4 | 
 5 | # A secret used as a base, for generating various other secrets.
 6 | # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
 7 | gitea_generic_secret_key: ''
 8 | 
 9 | # The email address to provide to Traefik (which is then provided to Let's Encrypt) for obtaining SSL certificates
10 | devture_traefik_config_certificatesResolvers_acme_email: ''
11 | 
12 | # A Postgres password to use for the superuser Postgres user (called `root` by default).
13 | #
14 | # The playbook creates additional Postgres users and databases (one for each enabled service) using this superuser account.
15 | devture_postgres_connection_password: ''
16 | 


--------------------------------------------------------------------------------
/examples/hosts:
--------------------------------------------------------------------------------
1 | [gitea_servers]
2 | # To connect using a non-root user (and elevate to root with sudo later),
3 | # replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username become=true become_user=root`
4 | #
5 | # For improved Ansible performance, SSH pipelining is enabled by default (`ansible_ssh_pipelining=yes`).
6 | # If this causes SSH connection troubles, feel free to disable it.
7 | gitea.<your-domain> ansible_host=<IP address> ansible_ssh_port=2222 ansible_ssh_pipelining=yes
8 | 


--------------------------------------------------------------------------------
/group_vars/gitea_servers:
--------------------------------------------------------------------------------
  1 | ---
  2 | 
  3 | ########################################################################
  4 | #                                                                      #
  5 | # Playbook                                                             #
  6 | #                                                                      #
  7 | ########################################################################
  8 | 
  9 | # Controls whether to install Docker or not
 10 | # Also see `devture_docker_sdk_for_python_installation_enabled`.
 11 | gitea_playbook_docker_installation_enabled: true
 12 | 
 13 | # Controls whether to attach Traefik labels to services.
 14 | # This is separate from `devture_traefik_enabled`, because you may wish to disable Traefik installation by the playbook,
 15 | # yet still use Traefik installed in another way.
 16 | gitea_playbook_traefik_labels_enabled: "{{ gitea_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 17 | 
 18 | # Controls the additional network that reverse-proxyable services will be connected to.
 19 | gitea_playbook_reverse_proxyable_services_additional_network: "{{ devture_traefik_container_network if devture_traefik_enabled else '' }}"
 20 | 
 21 | ########################################################################
 22 | #                                                                      #
 23 | # /Playbook                                                            #
 24 | #                                                                      #
 25 | ########################################################################
 26 | 
 27 | 
 28 | 
 29 | ########################################################################
 30 | #                                                                      #
 31 | # com.devture.ansible.role.systemd_service_manager                     #
 32 | #                                                                      #
 33 | ########################################################################
 34 | 
 35 | devture_systemd_service_manager_services_list_auto: |
 36 |   {{
 37 |     ([{'name': 'gitea-gitea.service', 'priority': 1000, 'groups': ['gitea', 'gitea-server']}])
 38 |     +
 39 |     ([{'name': 'gitea-backup.timer', 'priority': 2500, 'groups': ['gitea', 'gitea-backup']}] if gitea_backup_enabled else [])
 40 |     +
 41 |     ([{'name': (devture_postgres_identifier + '.service'), 'priority': 500, 'groups': ['gitea', 'postgres']}] if devture_postgres_enabled else [])
 42 |     +
 43 |     ([{'name': (devture_postgres_backup_identifier + '.service'), 'priority': 5000, 'groups': ['gitea', 'backup', 'postgres-backup']}] if devture_postgres_backup_enabled else [])
 44 |     +
 45 |     ([{'name': (devture_woodpecker_ci_server_identifier + '.service'), 'priority': 4000, 'groups': ['woodpecker', 'ci', 'ci-server']}] if devture_woodpecker_ci_server_enabled else [])
 46 |     +
 47 |     ([{'name': (devture_woodpecker_ci_agent_identifier + '.service'), 'priority': 4100, 'groups': ['woodpecker', 'ci', 'ci-agent']}] if devture_woodpecker_ci_agent_enabled else [])
 48 |     +
 49 |     ([{'name': (devture_container_socket_proxy_identifier + '.service'), 'priority': 2900, 'groups': ['gitea', 'reverse-proxies', 'container-socket-proxy']}] if devture_container_socket_proxy_enabled else [])
 50 |     +
 51 |     ([{'name': (devture_traefik_identifier + '.service'), 'priority': 3000, 'groups': ['gitea', 'traefik', 'reverse-proxies']}] if devture_traefik_enabled else [])
 52 |   }}
 53 | 
 54 | ########################################################################
 55 | #                                                                      #
 56 | # /com.devture.ansible.role.systemd_service_manager                    #
 57 | #                                                                      #
 58 | ########################################################################
 59 | 
 60 | 
 61 | 
 62 | ########################################################################
 63 | #                                                                      #
 64 | # gitea                                                                #
 65 | #                                                                      #
 66 | ########################################################################
 67 | 
 68 | gitea_gitea_systemd_required_systemd_services_list: |
 69 |   {{
 70 |     (['docker.service'])
 71 |     +
 72 |     ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else [])
 73 |   }}
 74 | 
 75 | gitea_gitea_container_additional_networks: "{{ [gitea_playbook_reverse_proxyable_services_additional_network] if gitea_playbook_reverse_proxyable_services_additional_network else [] }}"
 76 | 
 77 | gitea_gitea_container_labels_traefik_enabled: "{{ gitea_playbook_traefik_labels_enabled }}"
 78 | gitea_gitea_container_labels_traefik_docker_network: "{{ gitea_playbook_reverse_proxyable_services_additional_network }}"
 79 | 
 80 | gitea_gitea_config_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}"
 81 | gitea_gitea_config_database_port: "{{ '5432' if devture_postgres_enabled else '' }}"
 82 | gitea_gitea_config_database_username: "gitea"
 83 | gitea_gitea_config_database_password: "{{ '%s' | format(gitea_generic_secret_key) | password_hash('sha512', 'db.gitea', rounds=655555) | to_uuid }}"
 84 | 
 85 | ########################################################################
 86 | #                                                                      #
 87 | # /gitea                                                               #
 88 | #                                                                      #
 89 | ########################################################################
 90 | 
 91 | 
 92 | 
 93 | ########################################################################
 94 | #                                                                      #
 95 | # gitea_backup                                                         #
 96 | #                                                                      #
 97 | ########################################################################
 98 | 
 99 | gitea_backup_enabled: false
100 | 
101 | gitea_backup_paths_to_backup: "{{ [gitea_base_path] }}"
102 | 
103 | gitea_backup_paths_to_exclude_auto: |
104 |   {{
105 |     (
106 |       [gitea_backup_data_path + '/gitea-latest-backup.tar.gpg']
107 |     )
108 |     +
109 |     ([
110 |       devture_postgres_base_path
111 |     ] if devture_postgres_enabled else [])
112 |     +
113 |     ([
114 |       devture_postgres_backup_base_path
115 |     ] if devture_postgres_backup_enabled else [])
116 |   }}
117 | 
118 | ########################################################################
119 | #                                                                      #
120 | # /gitea_backup                                                        #
121 | #                                                                      #
122 | ########################################################################
123 | 
124 | 
125 | 
126 | ########################################################################
127 | #                                                                      #
128 | # woodpecker-ci-server                                                 #
129 | #                                                                      #
130 | ########################################################################
131 | 
132 | devture_woodpecker_ci_server_enabled: false
133 | 
134 | devture_woodpecker_ci_server_identifier: gitea-woodpecker-ci-server
135 | 
136 | devture_woodpecker_ci_server_uid: "{{ gitea_uid }}"
137 | devture_woodpecker_ci_server_gid: "{{ gitea_gid }}"
138 | 
139 | devture_woodpecker_ci_server_base_path: "{{ gitea_base_path }}/woodpecker-ci/server"
140 | 
141 | devture_woodpecker_ci_server_systemd_required_systemd_services_list: |
142 |   {{
143 |     (['docker.service'])
144 |     +
145 |     ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else [])
146 |   }}
147 | 
148 | devture_woodpecker_ci_server_container_additional_networks: |
149 |   {{
150 |     (
151 |       ([gitea_gitea_container_network])
152 |       +
153 |       ([devture_postgres_container_network] if devture_postgres_enabled else [])
154 |       +
155 |       ([gitea_playbook_reverse_proxyable_services_additional_network] if gitea_playbook_reverse_proxyable_services_additional_network else [])
156 |     ) | unique
157 |   }}
158 | 
159 | 
160 | devture_woodpecker_ci_server_container_labels_traefik_enabled: "{{ gitea_playbook_traefik_labels_enabled }}"
161 | devture_woodpecker_ci_server_container_labels_traefik_docker_network: "{{ gitea_playbook_reverse_proxyable_services_additional_network }}"
162 | 
163 | devture_woodpecker_ci_server_provider: gitea
164 | 
165 | # We must use the public URL here, because it's also used for login redirects
166 | devture_woodpecker_ci_server_config_gitea_url: "https://{{ gitea_server_fqn_gitea }}"
167 | 
168 | devture_woodpecker_ci_server_container_add_host_domain_name: "{{ gitea_server_fqn_gitea }}"
169 | devture_woodpecker_ci_server_container_add_host_ip_address: "{{ ansible_host }}"
170 | 
171 | devture_woodpecker_ci_server_database_driver: postgres
172 | devture_woodpecker_ci_server_database_datasource: "postgres://{{ devture_woodpecker_ci_server_database_datasource_username }}:{{ devture_woodpecker_ci_server_database_datasource_password }}@{{ devture_woodpecker_ci_server_database_datasource_hostname }}:{{ devture_woodpecker_ci_server_database_datasource_port }}/{{ devture_woodpecker_ci_server_database_datasource_db_name }}?sslmode=disable"
173 | 
174 | devture_woodpecker_ci_server_database_datasource_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}"
175 | devture_woodpecker_ci_server_database_datasource_port: "{{ '5432' if devture_postgres_enabled else '' }}"
176 | devture_woodpecker_ci_server_database_datasource_username: woodpecker_ci_server
177 | devture_woodpecker_ci_server_database_datasource_password: "{{ '%s' | format(gitea_generic_secret_key) | password_hash('sha512', 'woodpecker.ci', rounds=655555) | to_uuid }}"
178 | devture_woodpecker_ci_server_database_datasource_db_name: woodpecker_ci_server
179 | 
180 | ########################################################################
181 | #                                                                      #
182 | # /woodpecker-ci-server                                                #
183 | #                                                                      #
184 | ########################################################################
185 | 
186 | 
187 | 
188 | ########################################################################
189 | #                                                                      #
190 | # woodpecker-ci-agent                                                  #
191 | #                                                                      #
192 | ########################################################################
193 | 
194 | devture_woodpecker_ci_agent_enabled: false
195 | 
196 | devture_woodpecker_ci_agent_identifier: gitea-woodpecker-ci-agent
197 | 
198 | devture_woodpecker_ci_agent_uid: "{{ gitea_uid }}"
199 | devture_woodpecker_ci_agent_gid: "{{ gitea_gid }}"
200 | 
201 | devture_woodpecker_ci_agent_base_path: "{{ gitea_base_path }}/woodpecker-ci/agent"
202 | 
203 | devture_woodpecker_ci_agent_systemd_required_systemd_services_list: |
204 |   {{
205 |     (['docker.service'])
206 |     +
207 |     ([devture_woodpecker_ci_server_identifier ~ '.service'] if devture_woodpecker_ci_server_enabled else [])
208 |   }}
209 | 
210 | devture_woodpecker_ci_agent_container_additional_networks: |
211 |   {{
212 |     (
213 |       ([devture_woodpecker_ci_server_container_network] if devture_woodpecker_ci_server_enabled and devture_woodpecker_ci_server_container_network != devture_woodpecker_ci_agent_container_network else [])
214 |     ) | unique
215 |   }}
216 | 
217 | devture_woodpecker_ci_agent_config_server: "{{ (devture_woodpecker_ci_server_identifier + ':' + devture_woodpecker_ci_server_config_grpc_addr_port | string) if devture_woodpecker_ci_agent_enabled else '' }}"
218 | 
219 | devture_woodpecker_ci_agent_config_agent_secret: "{{ devture_woodpecker_ci_server_config_agent_secret if devture_woodpecker_ci_agent_enabled else '' }}"
220 | 
221 | ########################################################################
222 | #                                                                      #
223 | # /woodpecker-ci-agent                                                 #
224 | #                                                                      #
225 | ########################################################################
226 | 
227 | 
228 | 
229 | ########################################################################
230 | #                                                                      #
231 | # com.devture.ansible.role.postgres                                    #
232 | #                                                                      #
233 | ########################################################################
234 | 
235 | # To completely disable installing Postgres, use `devture_postgres_enabled: false`.
236 | 
237 | devture_postgres_identifier: gitea-postgres
238 | 
239 | devture_postgres_architecture: "{{ gitea_architecture }}"
240 | 
241 | devture_postgres_base_path: "{{ gitea_base_path }}/postgres"
242 | 
243 | devture_postgres_container_network: "{{ gitea_container_network }}"
244 | 
245 | devture_postgres_uid: "{{ gitea_uid }}"
246 | devture_postgres_gid: "{{ gitea_gid }}"
247 | 
248 | devture_postgres_systemd_services_to_stop_for_maintenance_list: |
249 |   {{
250 |     (['gitea-gitea.service'])
251 |   }}
252 | 
253 | devture_postgres_managed_databases_auto: |
254 |   {{
255 |     [{
256 |       'name': gitea_gitea_config_database_name,
257 |       'username': gitea_gitea_config_database_username,
258 |       'password': gitea_gitea_config_database_password,
259 |     }]
260 |     +
261 |     ([{
262 |       'name': devture_woodpecker_ci_server_database_datasource_db_name,
263 |       'username': devture_woodpecker_ci_server_database_datasource_username,
264 |       'password': devture_woodpecker_ci_server_database_datasource_password,
265 |     }] if devture_woodpecker_ci_server_enabled else [])
266 |   }}
267 | 
268 | ########################################################################
269 | #                                                                      #
270 | # /com.devture.ansible.role.postgres                                   #
271 | #                                                                      #
272 | ########################################################################
273 | 
274 | 
275 | 
276 | ########################################################################
277 | #                                                                      #
278 | # com.devture.ansible.role.postgres_backup                             #
279 | #                                                                      #
280 | ########################################################################
281 | 
282 | devture_postgres_backup_enabled: false
283 | 
284 | devture_postgres_backup_identifier: gitea-postgres-backup
285 | 
286 | devture_postgres_backup_architecture: "{{ gitea_architecture }}"
287 | 
288 | devture_postgres_backup_base_path: "{{ gitea_base_path }}/postgres-backup"
289 | 
290 | devture_postgres_backup_systemd_required_services_list: |
291 |   {{
292 |     (['docker.service'])
293 |     +
294 |     ([(devture_postgres_identifier + '.service')] if devture_postgres_enabled else [])
295 |   }}
296 | 
297 | devture_postgres_backup_container_network: "{{ gitea_container_network }}"
298 | 
299 | devture_postgres_backup_uid: "{{ gitea_uid }}"
300 | devture_postgres_backup_gid: "{{ gitea_gid }}"
301 | 
302 | devture_postgres_backup_connection_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
303 | devture_postgres_backup_connection_port: "{{ devture_postgres_connection_port if devture_postgres_enabled else 5432 }}"
304 | devture_postgres_backup_connection_username: "{{ devture_postgres_connection_username if devture_postgres_enabled else '' }}"
305 | devture_postgres_backup_connection_password: "{{ devture_postgres_connection_password if devture_postgres_enabled else '' }}"
306 | 
307 | devture_postgres_backup_postgres_data_path: "{{ devture_postgres_data_path if devture_postgres_enabled else '' }}"
308 | 
309 | devture_postgres_backup_databases: "{{ devture_postgres_managed_databases | map(attribute='name') if devture_postgres_enabled else [] }}"
310 | 
311 | ########################################################################
312 | #                                                                      #
313 | # /com.devture.ansible.role.postgres_backup                            #
314 | #                                                                      #
315 | ########################################################################
316 | 
317 | 
318 | 
319 | ########################################################################
320 | #                                                                      #
321 | # com.devture.ansible.role.playbook_state_preserver                    #
322 | #                                                                      #
323 | ########################################################################
324 | 
325 | # To completely disable this feature, use `devture_playbook_state_preserver_enabled: false`.
326 | 
327 | devture_playbook_state_preserver_uid: "{{ gitea_uid }}"
328 | devture_playbook_state_preserver_gid: "{{ gitea_gid }}"
329 | 
330 | devture_playbook_state_preserver_vars_preservation_dst: "{{ gitea_base_path }}/vars.yml"
331 | 
332 | devture_playbook_state_preserver_commit_hash_preservation_dst: "{{ gitea_base_path }}/git_hash.yml"
333 | 
334 | ########################################################################
335 | #                                                                      #
336 | # /com.devture.ansible.role.playbook_state_preserver                   #
337 | #                                                                      #
338 | ########################################################################
339 | 
340 | 
341 | 
342 | ########################################################################
343 | #                                                                      #
344 | # com.devture.ansible.role.container_socket_proxy                      #
345 | #                                                                      #
346 | ########################################################################
347 | 
348 | devture_container_socket_proxy_enabled: "{{ gitea_playbook_reverse_proxy_type == 'playbook-managed-traefik' }}"
349 | 
350 | devture_container_socket_proxy_identifier: gitea-container-socket-proxy
351 | 
352 | devture_container_socket_proxy_base_path: "{{ gitea_base_path }}/container-socket-proxy"
353 | 
354 | devture_container_socket_proxy_uid: "{{ gitea_uid }}"
355 | devture_container_socket_proxy_gid: "{{ gitea_gid }}"
356 | 
357 | # Traefik requires read access to the containers APIs to do its job
358 | devture_container_socket_proxy_api_containers_enabled: true
359 | 
360 | ########################################################################
361 | #                                                                      #
362 | # /com.devture.ansible.role.container_socket_proxy                     #
363 | #                                                                      #
364 | ########################################################################
365 | 
366 | 
367 | 
368 | ########################################################################
369 | #                                                                      #
370 | # com.devture.ansible.role.traefik                                     #
371 | #                                                                      #
372 | ########################################################################
373 | 
374 | devture_traefik_enabled: "{{ gitea_playbook_reverse_proxy_type == 'playbook-managed-traefik' }}"
375 | 
376 | devture_traefik_identifier: gitea-traefik
377 | 
378 | devture_traefik_base_path: "{{ gitea_base_path }}/traefik"
379 | 
380 | devture_traefik_uid: "{{ gitea_uid }}"
381 | devture_traefik_gid: "{{ gitea_gid }}"
382 | 
383 | devture_traefik_config_providers_docker_endpoint: "{{ devture_container_socket_proxy_endpoint if devture_container_socket_proxy_enabled else 'unix:///var/run/docker.sock' }}"
384 | 
385 | devture_traefik_container_additional_networks: |
386 |   {{
387 |     ([devture_container_socket_proxy_container_network] if devture_container_socket_proxy_enabled else [])
388 |   }}
389 | 
390 | devture_traefik_systemd_required_services_list: |
391 |   {{
392 |     (['docker.service'])
393 |     +
394 |     ([devture_container_socket_proxy_identifier + '.service'] if devture_container_socket_proxy_enabled else [])
395 |   }}
396 | 
397 | ########################################################################
398 | #                                                                      #
399 | # /com.devture.ansible.role.traefik                                    #
400 | #                                                                      #
401 | ########################################################################
402 | 
403 | 
404 | 
405 | ########################################################################
406 | #                                                                      #
407 | # com.devture.ansible.role.docker_sdk_for_python                       #
408 | #                                                                      #
409 | ########################################################################
410 | 
411 | # To completely disable installing the Docker SDK for Python, use `devture_docker_sdk_for_python_installation_enabled: false`.
412 | 
413 | ########################################################################
414 | #                                                                      #
415 | # /com.devture.ansible.role.docker_sdk_for_python                      #
416 | #                                                                      #
417 | ########################################################################
418 | 
419 | 
420 | 
421 | ########################################################################
422 | #                                                                      #
423 | # com.devture.ansible.role.timesync                                    #
424 | #                                                                      #
425 | ########################################################################
426 | 
427 | # To completely disable installing systemd-timesyncd/ntpd, use `devture_timesync_installation_enabled: false`.
428 | 
429 | ########################################################################
430 | #                                                                      #
431 | # /com.devture.ansible.role.timesync                                   #
432 | #                                                                      #
433 | ########################################################################
434 | 


--------------------------------------------------------------------------------
/inventory/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/spantaleev/gitea-docker-ansible-deploy/a13f27ec1441f63754768123f9fd3098e20b324a/inventory/.gitkeep


--------------------------------------------------------------------------------
/justfile:
--------------------------------------------------------------------------------
 1 | # Shows help
 2 | default:
 3 | 	@just --list --justfile {{ justfile() }}
 4 | 
 5 | # Pulls external Ansible roles
 6 | roles:
 7 | 	rm -rf roles/galaxy
 8 | 	ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force
 9 | 
10 | # Runs ansible-lint against all roles in the playbook
11 | lint:
12 | 	ansible-lint
13 | 
14 | # Runs the playbook with --tags=install-all,start and optional arguments
15 | install-all *extra_args: (run-tags "install-all,start" extra_args)
16 | 
17 | # Runs the playbook with --tags=setup-all,start and optional arguments
18 | setup-all *extra_args: (run-tags "setup-all,start" extra_args)
19 | 
20 | # Runs the playbook with the given list of arguments
21 | run +extra_args:
22 | 	time ansible-playbook -i inventory/hosts setup.yml {{ extra_args }}
23 | 
24 | # Runs the playbook with the given list of comma-separated tags and optional arguments
25 | run-tags tags *extra_args:
26 | 	just --justfile {{ justfile() }} run --tags={{ tags }} {{ extra_args }}
27 | 
28 | # Starts all services
29 | start-all *extra_args: (run-tags "start-all" extra_args)
30 | 
31 | # Starts a specific service group
32 | start-group group *extra_args:
33 | 	@just --justfile {{ justfile() }} run-tags start-group --extra-vars="group={{ group }}" {{ extra_args }}
34 | 
35 | # Stops all services
36 | stop-all *extra_args: (run-tags "stop-all" extra_args)
37 | 
38 | # Stops a specific service group
39 | stop-group group *extra_args:
40 | 	@just --justfile {{ justfile() }} run-tags stop-group --extra-vars="group={{ group }}" {{ extra_args }}
41 | 


--------------------------------------------------------------------------------
/requirements.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | - src: geerlingguy.docker
 4 |   version: 6.1.0
 5 | 
 6 | - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
 7 |   version: 129c8590e106b83e6f4c259649a613c6279e937a
 8 | 
 9 | - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
10 |   version: c1f40e82b4d6b072b6f0e885239322bdaaaf554f
11 | 
12 | - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
13 |   version: 327d2e17f5189ac2480d6012f58cf64a2b46efba
14 | 
15 | - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
16 |   version: 3d5bb2976815958cdce3f368fa34fb51554f899b
17 | 
18 | - src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git
19 |   version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16
20 | 
21 | - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git
22 |   version: a1bb78d194434b38005f3a9e623bfa4b2c06c7bc
23 | 
24 | - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git
25 |   version: 8e9ec48a09284c84704d7a2dce17da35f181574d
26 | 
27 | - src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_server.git
28 |   version: 85a1258f37c614ea7cba8d946206475a2c48b06b
29 | 
30 | - src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_agent.git
31 |   version: 07f679feb928932cebd61434c83265c9de653214
32 | 
33 | - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
34 |   version: v0.1.1-1
35 | 
36 | - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
37 |   version: v2.9.8-2
38 | 
39 | - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
40 |   version: 6ccb88ac5fc27e1e70afcd48278ade4b564a9096
41 | 
42 | - src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git
43 |   version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6
44 | 


--------------------------------------------------------------------------------
/roles/custom/base/defaults/main.yml:
--------------------------------------------------------------------------------
 1 | # Base directory that contains everything
 2 | gitea_base_path: "/gitea"
 3 | 
 4 | gitea_container_network: gitea
 5 | 
 6 | gitea_uid: "1000"
 7 | gitea_gid: "1000"
 8 | 
 9 | # A secret used as a base, for generating various other secrets.
10 | # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
11 | gitea_generic_secret_key: ''
12 | 
13 | # The architecture that your server runs.
14 | # Recognized values by us are 'amd64', 'arm32' and 'arm64'.
15 | # Not all architectures support all services, so your experience (on non-amd64) may vary.
16 | gitea_architecture: "{{ 'amd64' if ansible_architecture == 'x86_64' else ('arm64' if ansible_architecture == 'aarch64' else ('arm32' if ansible_architecture.startswith('armv') else '')) }}"
17 | 
18 | # Specifies the type of reverse-proxy used by the playbook.
19 | #
20 | # Changing this has an effect on whether a reverse-proxy is installed at all and what its type is,
21 | # as well as how all other services are configured.
22 | #
23 | # Valid options and a description of their behavior:
24 | #
25 | # - `playbook-managed-traefik`
26 | #     - the playbook will run a managed Traefik instance (gitea-traefik)
27 | #     - Traefik will do SSL termination, unless you disable it (e.g. `devture_traefik_config_entrypoint_web_secure_enabled: false`)
28 | #     - if SSL termination is enabled (as it is by default), you need to populate: `devture_traefik_config_certificatesResolvers_acme_email`
29 | #
30 | # - `other-traefik-container`
31 | #     - this playbook will not install Traefik
32 | #     - nevertheless, the playbook expects that you would install Traefik yourself via other means
33 | #     - you should make sure your Traefik configuration is compatible with what the playbook would have configured (web, web-secure entrypoints, etc.)
34 | #     - you need to set `gitea_playbook_reverse_proxyable_services_additional_network` to the name of your Traefik network
35 | #
36 | # - `none`
37 | #     - no reverse-proxy will be installed
38 | #     - no port exposure will be done for any of the container services
39 | #     - it's up to you to expose the ports you want, etc.
40 | gitea_playbook_reverse_proxy_type: playbook-managed-traefik
41 | 


--------------------------------------------------------------------------------
/roles/custom/base/tasks/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | - block:
 4 |     - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
 5 |   tags:
 6 |     - setup-all
 7 |     - setup-gitea
 8 |     - install-all
 9 |     - install-gitea
10 | 
11 | - block:
12 |     - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup.yml"
13 |   tags:
14 |     - setup-all
15 |     - install-all
16 | 


--------------------------------------------------------------------------------
/roles/custom/base/tasks/setup.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | - name: Ensure Gitea base path exists
 4 |   ansible.builtin.file:
 5 |     path: "{{ gitea_base_path }}"
 6 |     state: directory
 7 |     mode: "0750"
 8 |     owner: "{{ gitea_uid }}"
 9 |     group: "{{ gitea_gid }}"
10 | 
11 | # `docker_network` doesn't work as expected when the given network
12 | # is a substring of a network that already exists.
13 | #
14 | # See:
15 | # - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/12
16 | # - https://github.com/ansible/ansible/issues/32926
17 | #
18 | # Due to that, we employ a workaround below.
19 | #
20 | # - name: Ensure Gitea network is created in Docker
21 | #   docker_network:
22 | #     name: "{{ gitea_container_network }}"
23 | #     driver: bridge
24 | - name: Check existence of Gitea network in Docker
25 |   ansible.builtin.command:
26 |     cmd: "docker network ls -q --filter='name=^{{ gitea_container_network }}$'"
27 |   register: gitea_result_docker_network
28 |   changed_when: false
29 | 
30 | - name: Create Gitea network in Docker
31 |   ansible.builtin.command:
32 |     cmd: "docker network create --driver=bridge {{ gitea_container_network }}"
33 |   when: "gitea_result_docker_network.stdout == ''"
34 | 


--------------------------------------------------------------------------------
/roles/custom/base/tasks/validate_config.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | - name: Fail if required generic settings not defined
 4 |   ansible.builtin.fail:
 5 |     msg: >-
 6 |       You need to define a required configuration setting (`{{ item }}`) for using this role.
 7 |   when: "vars[item] == ''"
 8 |   with_items:
 9 |     - gitea_generic_secret_key
10 | 
11 | - name: Fail if gitea_playbook_reverse_proxy_type is set incorrectly
12 |   ansible.builtin.fail:
13 |     msg: "Detected that variable gitea_playbook_reverse_proxy_type (current value: `{{ gitea_playbook_reverse_proxy_type }}`) appears to be set incorrectly. See roles/custom/base/defaults/main.yml for valid choices."
14 |   when: gitea_playbook_reverse_proxy_type not in ['playbook-managed-traefik', 'other-traefik-container', 'none']
15 | 


--------------------------------------------------------------------------------
/roles/custom/gitea/defaults/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | # The fully-qualified name of your Gitea server (e.g. `gitea.example.com`)
 4 | gitea_server_fqn_gitea: ''
 5 | 
 6 | gitea_gitea_container_image: "docker.io/gitea/gitea:{{ gitea_gitea_container_image_tag }}"
 7 | gitea_gitea_container_image_tag: "1.18.5-rootless"
 8 | gitea_gitea_container_image_force_pull: "{{ gitea_gitea_container_image.endswith(':latest') }}"
 9 | 
10 | gitea_gitea_base_path: "{{ gitea_base_path }}/gitea"
11 | gitea_gitea_data_dir_path: "{{ gitea_gitea_base_path }}/data"
12 | gitea_gitea_config_dir_path: "{{ gitea_gitea_base_path }}/config"
13 | 
14 | gitea_gitea_http_bind_port: ''
15 | gitea_gitea_ssh_bind_port: 0.0.0.0:22
16 | 
17 | gitea_gitea_systemd_required_systemd_services_list: ['docker.service']
18 | 
19 | gitea_gitea_config_database_type: postgres
20 | gitea_gitea_config_database_hostname: ''
21 | gitea_gitea_config_database_port: 5432
22 | gitea_gitea_config_database_name: gitea
23 | gitea_gitea_config_database_username: ''
24 | gitea_gitea_config_database_password: ''
25 | 
26 | # gitea_gitea_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
27 | # See `roles/custom/gitea/templates/labels.j2` for details.
28 | #
29 | # To inject your own other container labels, see `gitea_gitea_container_labels_additional_labels`.
30 | gitea_gitea_container_labels_traefik_enabled: true
31 | gitea_gitea_container_labels_traefik_docker_network: ''
32 | gitea_gitea_container_labels_traefik_rule: 'Host(`{{ gitea_server_fqn_gitea }}`)'
33 | gitea_gitea_container_labels_traefik_entrypoints: web-secure
34 | gitea_gitea_container_labels_traefik_tls_certResolver: default  # noqa var-naming
35 | 
36 | # gitea_gitea_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
37 | # See `roles/custom/gitea/templates/labels.j2` for details.
38 | #
39 | # Example:
40 | # gitea_gitea_container_labels_additional_labels: |
41 | #   my.label=1
42 | #   another.label="here"
43 | gitea_gitea_container_labels_additional_labels: ''
44 | 
45 | # gitea_gitea_container_additional_environment_variables contains a multiline string with additional environment variables to pass to the container.
46 | #
47 | # Example:
48 | # gitea_gitea_container_additional_environment_variables: |
49 | #   VAR=1
50 | #   ANOTHER=value
51 | gitea_gitea_container_additional_environment_variables: ''
52 | 
53 | gitea_gitea_container_network: "{{ gitea_container_network }}"
54 | 
55 | # A list of additional container networks that the container would be connected to.
56 | # The playbook does not create these networks, so make sure they already exist.
57 | #
58 | # Use this to expose the container to another reverse proxy, which runs in a different container network,
59 | # without exposing all other container services to that other reverse-proxy.
60 | #
61 | # For background, see: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1498
62 | gitea_gitea_container_additional_networks: []
63 | 


--------------------------------------------------------------------------------
/roles/custom/gitea/tasks/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | - block:
 4 |     - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
 5 | 
 6 |     - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
 7 |   tags:
 8 |     - setup-all
 9 |     - setup-gitea
10 |     - install-all
11 |     - install-gitea
12 | 


--------------------------------------------------------------------------------
/roles/custom/gitea/tasks/setup_install.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | - name: Ensure Gitea image is pulled
 4 |   community.docker.docker_image:
 5 |     name: "{{ gitea_gitea_container_image }}"
 6 |     source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
 7 |     force_source: "{{ gitea_gitea_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
 8 |     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else gitea_gitea_container_image_force_pull }}"
 9 | 
10 | - name: Ensure Gitea paths exist
11 |   ansible.builtin.file:
12 |     path: "{{ item }}"
13 |     state: directory
14 |     mode: "0750"
15 |     owner: "{{ gitea_uid }}"
16 |     group: "{{ gitea_gid }}"
17 |   with_items:
18 |     - "{{ gitea_gitea_base_path }}"
19 |     - "{{ gitea_gitea_data_dir_path }}"
20 |     - "{{ gitea_gitea_config_dir_path }}"
21 | 
22 | - name: Ensure Gitea support files created
23 |   ansible.builtin.template:
24 |     src: "{{ role_path }}/templates/{{ item }}.j2"
25 |     dest: "{{ gitea_gitea_base_path }}/{{ item }}"
26 |     owner: "{{ gitea_uid }}"
27 |     group: "{{ gitea_gid }}"
28 |     mode: 0640
29 |   with_items:
30 |     - env
31 |     - labels
32 | 
33 | - name: Ensure gitea-gitea.service installed
34 |   ansible.builtin.template:
35 |     src: "{{ role_path }}/templates/gitea-gitea.service.j2"
36 |     dest: "{{ devture_systemd_docker_base_systemd_path }}/gitea-gitea.service"
37 |     mode: 0640
38 | 


--------------------------------------------------------------------------------
/roles/custom/gitea/tasks/validate_config.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | - name: Fail if required Gitea settings not defined
 4 |   ansible.builtin.fail:
 5 |     msg: >-
 6 |       You need to define a required configuration setting (`{{ item }}`) for using this role.
 7 |   when: "vars[item] == ''"
 8 |   with_items:
 9 |     - gitea_server_fqn_gitea
10 |     - gitea_gitea_config_database_hostname
11 |     - gitea_gitea_config_database_username
12 |     - gitea_gitea_config_database_password
13 | 
14 | - name: Fail if required Gitea Traefik integration settings not defined
15 |   ansible.builtin.fail:
16 |     msg: >-
17 |       You need to define a required configuration setting (`{{ item }}`) for using this role.
18 |   when: "gitea_gitea_container_labels_traefik_enabled and vars[item] == ''"
19 |   with_items:
20 |     - gitea_gitea_container_labels_traefik_docker_network
21 | 


--------------------------------------------------------------------------------
/roles/custom/gitea/templates/env.j2:
--------------------------------------------------------------------------------
1 | GITEA__database__DB_TYPE={{ gitea_gitea_config_database_type }}
2 | GITEA__database__HOST={{ gitea_gitea_config_database_hostname }}:{{ gitea_gitea_config_database_port }}
3 | GITEA__database__NAME={{ gitea_gitea_config_database_name }}
4 | GITEA__database__USER={{ gitea_gitea_config_database_username }}
5 | GITEA__database__PASSWD={{ gitea_gitea_config_database_password }}
6 | 
7 | {{ gitea_gitea_container_additional_environment_variables }}
8 | 


--------------------------------------------------------------------------------
/roles/custom/gitea/templates/gitea-gitea.service.j2:
--------------------------------------------------------------------------------
 1 | [Unit]
 2 | Description=Gitea
 3 | {% for service in gitea_gitea_systemd_required_systemd_services_list %}
 4 | Requires={{ service }}
 5 | After={{ service }}
 6 | {% endfor %}
 7 | DefaultDependencies=no
 8 | 
 9 | [Service]
10 | Type=simple
11 | Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
12 | ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill gitea-gitea 2>/dev/null'
13 | ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm gitea-gitea 2>/dev/null'
14 | 
15 | ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
16 | 			--rm \
17 | 			--name=gitea-gitea \
18 | 			--log-driver=none \
19 | 			--network={{ gitea_gitea_container_network }} \
20 | 			--user={{ gitea_uid }}:{{ gitea_gid }} \
21 | 			--cap-drop=ALL \
22 | 			--read-only \
23 | 			--hostname={{ gitea_server_fqn_gitea }} \
24 | 			{% if gitea_gitea_http_bind_port != '' %}
25 | 			-p {{ gitea_gitea_http_bind_port }}:3000 \
26 | 			{% endif %}
27 | 			{% if gitea_gitea_ssh_bind_port != '' %}
28 | 			-p {{ gitea_gitea_ssh_bind_port }}:2222 \
29 | 			{% endif %}
30 | 			--env-file={{ gitea_gitea_base_path }}/env \
31 | 			--label-file={{ gitea_gitea_base_path }}/labels \
32 | 			--mount type=bind,src={{ gitea_gitea_data_dir_path }},dst=/var/lib/gitea \
33 | 			--mount type=bind,src={{ gitea_gitea_config_dir_path }},dst=/etc/gitea \
34 | 			--mount type=bind,src=/etc/timezone,dst=/etc/timezone,ro \
35 | 			--mount type=bind,src=/etc/localtime,dst=/etc/localtime,ro \
36 | 			--tmpfs=/tmp:rw,noexec,nosuid,size=128m \
37 | 			{{ gitea_gitea_container_image }}
38 | 
39 | {% for network in gitea_gitea_container_additional_networks %}
40 | ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} gitea-gitea
41 | {% endfor %}
42 | 
43 | ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach gitea-gitea
44 | 
45 | ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill gitea-gitea 2>/dev/null'
46 | ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm gitea-gitea 2>/dev/null'
47 | Restart=always
48 | RestartSec=30
49 | SyslogIdentifier=gitea-gitea
50 | 
51 | [Install]
52 | WantedBy=multi-user.target
53 | 


--------------------------------------------------------------------------------
/roles/custom/gitea/templates/labels.j2:
--------------------------------------------------------------------------------
 1 | {% if gitea_gitea_container_labels_traefik_enabled %}
 2 | traefik.enable=true
 3 | {% if gitea_gitea_container_labels_traefik_docker_network %}
 4 | traefik.docker.network={{ gitea_gitea_container_labels_traefik_docker_network }}
 5 | {% endif %}
 6 | traefik.http.routers.gitea-gitea.rule={{ gitea_gitea_container_labels_traefik_rule }}
 7 | traefik.http.routers.gitea-gitea.entrypoints={{ gitea_gitea_container_labels_traefik_entrypoints }}
 8 | traefik.http.routers.gitea-gitea.tls.certResolver={{ gitea_gitea_container_labels_traefik_tls_certResolver }}
 9 | traefik.http.services.gitea-gitea.loadbalancer.server.port=3000
10 | {% endif %}
11 | 
12 | {{ gitea_gitea_container_labels_additional_labels }}
13 | 


--------------------------------------------------------------------------------
/roles/custom/gitea_backup/defaults/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | gitea_backup_enabled: true
 4 | 
 5 | gitea_backup_base_path: "{{ gitea_base_path }}/backup"
 6 | gitea_backup_bin_path: "{{ gitea_backup_base_path }}/bin"
 7 | gitea_backup_etc_path: "{{ gitea_backup_base_path }}/etc"
 8 | gitea_backup_data_path: "{{ gitea_backup_base_path }}/data"
 9 | 
10 | # gitea_backup_encryption_password holds a password to use for symmetric gpg encryption
11 | gitea_backup_encryption_password: ''
12 | 
13 | # gitea_backup_stop_gitea_while_running controls whether the Gitea systemd service will be stopped while backups are running.
14 | # It will be started back up after the backup process.
15 | #
16 | # By default, we favor extra safety, at the expense of some downtime while backing up.
17 | gitea_backup_stop_gitea_while_running: true
18 | 
19 | # gitea_backup_paths_to_backup contains a list of paths to include in the backup.
20 | # Example: [/gitea]
21 | gitea_backup_paths_to_backup: []
22 | 
23 | # gitea_backup_paths_to_exclude contains a list of paths to exclude from the backup
24 | # Example: [/gitea/something, /gitea/postgres/data]
25 | #
26 | # Playbook-managed paths are injected into `gitea_backup_paths_to_exclude_auto`.
27 | # To define your own paths, use `gitea_backup_paths_to_exclude_additional`.
28 | # If you'd like to override the auto-excluded paths from the playbook, override `gitea_backup_paths_to_exclude_auto`
29 | # or change `gitea_backup_paths_to_exclude`.
30 | gitea_backup_paths_to_exclude: "{{ gitea_backup_paths_to_exclude_auto + gitea_backup_paths_to_exclude_additional }}"
31 | gitea_backup_paths_to_exclude_auto: [gitea_backup_data_path + '/gitea-latest-backup.tar.gpg']
32 | gitea_backup_paths_to_exclude_additional: []
33 | 
34 | # gitea_backup_schedule contains a systemd OnCalendar definition which controls how often `gitea-backup.timer` runs
35 | gitea_backup_schedule: '*-*-* 06:30:00'
36 | 
37 | gitea_backup_b2_enabled: false
38 | gitea_backup_b2_container_image: docker.io/tianon/backblaze-b2:3.6.0
39 | gitea_backup_b2_container_image_force_pull: "{{ gitea_backup_b2_container_image.endswith(':latest') }}"
40 | gitea_backup_b2_bucket: bucket-name
41 | gitea_backup_b2_key_id: ~
42 | gitea_backup_b2_key_secret: ~
43 | 
44 | # gitea_backup_post_backup_custom_shell_commands contains a multiline string containing shell (bash) commands to execute
45 | # after the backup file is created and before pushing it to any backup providers.
46 | #
47 | # These commands are injected into `../templates/backup.j2` (`{{ gitea_backup_bin_path }}/backup` on the server).
48 | #
49 | # Also see: gitea_backup_before_exit_custom_shell_commands
50 | #
51 | # Example:
52 | #
53 | # # The commands below expose the latest backup as a `/home/backup/gitea-latest-backup.tar.gpg` file,
54 | # # to be periodically pulled from a remote machine over SSH (via `backup@gitea.DOMAIN`).
55 | # # Setting up this `backup` user, home directory and access (SSH keys, etc.) is not managed by the playbook.
56 | # gitea_backup_post_backup_custom_shell_commands: |-
57 | #   cp {{ gitea_backup_data_path }}/gitea-latest-backup.tar.gpg /home/backup/gitea-latest-backup.tar.gpg
58 | #   chown backup:backup /home/backup/gitea-latest-backup.tar.gpg
59 | #   chmod 400 /home/backup/gitea-latest-backup.tar.gpg
60 | gitea_backup_post_backup_custom_shell_commands: ''
61 | 
62 | # gitea_backup_before_exit_custom_shell_commands contains a multiline string containing shell (bash) commands to execute
63 | # at the end of the backup script.
64 | #
65 | # These commands are injected into `../templates/backup.j2` (`{{ gitea_backup_bin_path }}/backup` on the server).
66 | #
67 | # Example:
68 | #
69 | # # The command below signals to a https://healthchecks.io/ check that the backup script
70 | # # reached the end without hitting any errors.
71 | # gitea_backup_before_exit_custom_shell_commands: |-
72 | #   curl -fsS -m 10 --retry 5 -o /dev/null https://healthchecks.DOMAIN/ping/healthcheck-id
73 | gitea_backup_before_exit_custom_shell_commands: ''
74 | 


--------------------------------------------------------------------------------
/roles/custom/gitea_backup/tasks/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | - block:
 4 |     - when: gitea_backup_enabled | bool
 5 |       ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
 6 | 
 7 |     - when: gitea_backup_enabled | bool
 8 |       ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
 9 |   tags:
10 |     - setup-all
11 |     - setup-gitea-backup
12 |     - install-all
13 |     - install-gitea-backup
14 | 


--------------------------------------------------------------------------------
/roles/custom/gitea_backup/tasks/setup_install.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install_redhat.yml"
 4 |   when: ansible_os_family == 'RedHat'
 5 | 
 6 | - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install_debian.yml"
 7 |   when: ansible_os_family == 'Debian'
 8 | 
 9 | - name: Ensure Gitea backup paths exist
10 |   ansible.builtin.file:
11 |     path: "{{ item }}"
12 |     state: directory
13 |     mode: "0750"
14 |     owner: "{{ gitea_uid }}"
15 |     group: "{{ gitea_gid }}"
16 |   with_items:
17 |     - "{{ gitea_backup_base_path }}"
18 |     - "{{ gitea_backup_bin_path }}"
19 |     - "{{ gitea_backup_etc_path }}"
20 |     - "{{ gitea_backup_data_path }}"
21 | 
22 | - name: Ensure backup password file installed
23 |   ansible.builtin.copy:
24 |     content: "{{ gitea_backup_encryption_password }}"
25 |     dest: "{{ gitea_backup_etc_path }}/backup-password"
26 |     mode: 0750
27 | 
28 | - name: Ensure backup program installed
29 |   ansible.builtin.template:
30 |     src: "{{ role_path }}/templates/bin/backup.j2"
31 |     dest: "{{ gitea_backup_bin_path }}/backup"
32 |     mode: 0750
33 | 
34 | - name: Ensure backup systemd services installed
35 |   ansible.builtin.template:
36 |     src: "{{ role_path }}/templates/systemd/{{ item }}.j2"
37 |     dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ item }}"
38 |     mode: 0640
39 |   with_items:
40 |     - gitea-backup.service
41 |     - gitea-backup.timer
42 |   register: gitea_backup_systemd_service_result
43 | 
44 | - when: gitea_backup_b2_enabled | bool
45 |   block:
46 |     - name: Ensure B2 environment variables created
47 |       ansible.builtin.template:
48 |         src: "{{ role_path }}/templates/provider/b2/env"
49 |         dest: "{{ gitea_backup_etc_path }}/b2-env"
50 |         mode: 0640
51 | 
52 |     - name: Ensure B2 image is pulled
53 |       community.docker.docker_image:
54 |         name: "{{ gitea_backup_b2_container_image }}"
55 |         source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
56 |         force_source: "{{ gitea_backup_b2_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
57 |         force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else gitea_backup_b2_container_image_force_pull }}"
58 | 


--------------------------------------------------------------------------------
/roles/custom/gitea_backup/tasks/setup_install_debian.yml:
--------------------------------------------------------------------------------
1 | ---
2 | 
3 | - name: Ensure gpg installed
4 |   ansible.builtin.apt:
5 |     name:
6 |       - gnupg
7 |     state: present
8 | 


--------------------------------------------------------------------------------
/roles/custom/gitea_backup/tasks/setup_install_redhat.yml:
--------------------------------------------------------------------------------
1 | ---
2 | 
3 | - name: Ensure gpg installed
4 |   ansible.builtin.yum:
5 |     name:
6 |       - gnupg2
7 |     state: present
8 | 


--------------------------------------------------------------------------------
/roles/custom/gitea_backup/tasks/validate_config.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | - name: Fail if gitea-backup settings not defined
 4 |   ansible.builtin.fail:
 5 |     msg: >-
 6 |       You need to define a required configuration setting (`{{ item }}`) for using this role.
 7 |   when: "vars[item] == ''"
 8 |   with_items:
 9 |     - "gitea_backup_encryption_password"
10 | 
11 | - name: Fail if empty gitea_backup_paths_to_backup
12 |   ansible.builtin.fail:
13 |     msg: >-
14 |       You need at least one path to backup in `gitea_backup_paths_to_backup`
15 |   when: gitea_backup_paths_to_backup | length == 0
16 | 


--------------------------------------------------------------------------------
/roles/custom/gitea_backup/templates/bin/backup.j2:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | 
  3 | #################################
  4 | ### Preparation                 #
  5 | #################################
  6 | 
  7 | {% if gitea_backup_stop_gitea_while_running %}
  8 | {{ devture_systemd_docker_base_host_command_systemctl }} stop gitea-gitea.service
  9 | 
 10 | function restart_service() {
 11 | {{ devture_systemd_docker_base_host_command_systemctl }} start gitea-gitea.service
 12 | }
 13 | 
 14 | trap restart_service EXIT
 15 | {% endif %}
 16 | 
 17 | #################################
 18 | ### /Preparation                #
 19 | #################################
 20 | 
 21 | 
 22 | #################################
 23 | ### Backup                      #
 24 | #################################
 25 | 
 26 | date=`date +"%Y%m%d%H%M"`
 27 | 
 28 | {% if devture_postgres_enabled %}
 29 | {{ devture_postgres_bin_path }}/dump-all {{ gitea_backup_data_path }}
 30 | if [ $? -ne 0 ]; then
 31 | 	echo "Postgres dump failed"
 32 | 	exit 2
 33 | fi
 34 | {% endif %}
 35 | 
 36 | tar cP \
 37 | 	{% for path in gitea_backup_paths_to_exclude %}
 38 | 	--exclude={{ path }} \
 39 | 	{% endfor %}
 40 | 	{{ gitea_backup_paths_to_backup | join(' ') }} \
 41 | | gpg -q -c --batch --no-tty --passphrase-file {{ gitea_backup_etc_path }}/backup-password > {{ gitea_backup_data_path }}/gitea-latest-backup.tar.gpg
 42 | 
 43 | if [ $? -ne 0 ]; then
 44 | 	echo "Backup creation failed"
 45 | 	exit 2
 46 | fi
 47 | 
 48 | #################################
 49 | ### /Backup                     #
 50 | #################################
 51 | 
 52 | # We're done making the backup, so we can restart early, without waiting for exit.
 53 | restart_service
 54 | trap - EXIT
 55 | 
 56 | {% if gitea_backup_post_backup_custom_shell_commands %}
 57 | #############################################
 58 | ### Post-backup custom shell commands       #
 59 | #############################################
 60 | 
 61 | {{ gitea_backup_post_backup_custom_shell_commands }}
 62 | 
 63 | #############################################
 64 | ### /Post-backup custom shell commands      #
 65 | #############################################
 66 | {% endif %}
 67 | 
 68 | 
 69 | {% if gitea_backup_b2_enabled %}
 70 | #################################
 71 | ### Pushing to B2              #
 72 | #################################
 73 | 
 74 | # The `b2 upload-file` command always insists on outputting stuff, so we're hacking around it.
 75 | b2_operation_log_file=$(mktemp /tmp/gitea-backup-b2-XXXXXXXXXXX.log)
 76 | 
 77 | {{ devture_systemd_docker_base_host_command_docker }} run \
 78 | 	--rm \
 79 | 	-w /work \
 80 | 	--env-file={{ gitea_backup_etc_path }}/b2-env \
 81 | 	-e B2_FILENAME=$date-gitea-latest-backup.tar.gpg \
 82 | 	--mount type=bind,src={{ gitea_backup_data_path }}/gitea-latest-backup.tar.gpg,dst=/gitea-latest-backup.tar.gpg,ro \
 83 | 	--entrypoint=/bin/sh \
 84 | 	{{ gitea_backup_b2_container_image }} \
 85 | 	-c 'set -o pipefail && b2 authorize-account $B2_KEY_ID $B2_KEY_SECRET > /dev/null && b2 upload-file --noProgress --quiet $B2_BUCKET /gitea-latest-backup.tar.gpg $B2_FILENAME' > $b2_operation_log_file 2>&1
 86 | 
 87 | ret_val=$?
 88 | if [ $ret_val -ne 0 ]; then
 89 | 	cat $b2_operation_log_file
 90 | 	rm $b2_operation_log_file
 91 | 	exit $ret_val
 92 | fi
 93 | 
 94 | #################################
 95 | ### /Pushing to B2              #
 96 | #################################
 97 | {% endif %}
 98 | 
 99 | {% if gitea_backup_before_exit_custom_shell_commands %}
100 | #############################################
101 | ### Before exit custom shell commands       #
102 | #############################################
103 | 
104 | {{ gitea_backup_before_exit_custom_shell_commands }}
105 | 
106 | #############################################
107 | ### /Before exit custom shell commands      #
108 | #############################################
109 | {% endif %}
110 | 


--------------------------------------------------------------------------------
/roles/custom/gitea_backup/templates/provider/b2/env:
--------------------------------------------------------------------------------
1 | B2_KEY_ID={{ gitea_backup_b2_key_id }}
2 | B2_KEY_SECRET={{ gitea_backup_b2_key_secret }}
3 | B2_BUCKET={{ gitea_backup_b2_bucket }}
4 | 


--------------------------------------------------------------------------------
/roles/custom/gitea_backup/templates/systemd/gitea-backup.service.j2:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Performs a Gitea backup
3 | 
4 | [Service]
5 | Type=oneshot
6 | ExecStart={{ gitea_backup_bin_path }}/backup
7 | 


--------------------------------------------------------------------------------
/roles/custom/gitea_backup/templates/systemd/gitea-backup.timer.j2:
--------------------------------------------------------------------------------
 1 | [Unit]
 2 | Description=Launches gitea-backup.service periodically
 3 | 
 4 | [Timer]
 5 | Unit=gitea-backup.service
 6 | OnCalendar={{ gitea_backup_schedule }}
 7 | 
 8 | [Install]
 9 | WantedBy=timers.target
10 | 


--------------------------------------------------------------------------------
/roles/custom/gitea_playbook_migration/tasks/devture_traefik_to_gitea_traefik.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | # This migrates Traefik from the old path (`/devture-traefik`) to the new path (`/gitea/traefik`, controlled by `devture_traefik_base_path`),
 4 | # and from the old hardcoded systemd service name (`devture-traefik.service`) to the new one (`gitea-traefik.service`, controlled by `devture_traefik_identifier`).
 5 | #
 6 | # Here, we merely disable (and stop) the old systemd service and relocate the data (`/devture-traefik` directory).
 7 | # The Traefik role itself (running later) will then ensure this data is up-to-date and will set up the new systemd service.
 8 | 
 9 | # It only makes sense to migrate if the identifier or path are different than the default (what we were using before).
10 | - when: "devture_traefik_identifier != 'devture-postgres' or devture_traefik_base_path != '/devture-traefik'"
11 |   block:
12 |     - name: Check existence of devture-traefik.service systemd service
13 |       ansible.builtin.stat:
14 |         path: "{{ devture_systemd_docker_base_systemd_path }}/devture-traefik.service"
15 |       register: devture_traefik_service_stat
16 | 
17 |     - when: devture_traefik_service_stat.stat.exists | bool
18 |       block:
19 |         - name: Ensure devture-traefik.service systemd service is stopped
20 |           ansible.builtin.systemd:
21 |             name: devture-traefik
22 |             state: stopped
23 |             enabled: false
24 |             daemon_reload: true
25 | 
26 |         - name: Ensure Traefik directory relocated
27 |           ansible.builtin.command:
28 |             cmd: "mv /devture-traefik {{ devture_traefik_base_path }}"
29 |             creates: "{{ devture_traefik_base_path }}"
30 |             removes: "/devture-traefik"
31 | 
32 |         - name: Ensure Traefik systemd service doesn't exist
33 |           ansible.builtin.file:
34 |             path: "{{ devture_systemd_docker_base_systemd_path }}/devture-traefik.service"
35 |             state: absent
36 | 


--------------------------------------------------------------------------------
/roles/custom/gitea_playbook_migration/tasks/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | - block:
 4 |     - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
 5 |   tags:
 6 |     - setup-all
 7 |     - install-all
 8 | 
 9 | - when: devture_traefik_enabled | bool
10 |   block:
11 |     - ansible.builtin.include_tasks: "{{ role_path }}/tasks/devture_traefik_to_gitea_traefik.yml"
12 |   tags:
13 |     - setup-all
14 |     - install-all
15 |     - setup-traefik
16 |     - install-traefik
17 | 


--------------------------------------------------------------------------------
/roles/custom/gitea_playbook_migration/tasks/validate_config.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | - name: (Deprecation) Catch and report renamed Gitea settings
 4 |   ansible.builtin.fail:
 5 |     msg: >-
 6 |       Your configuration contains a variable, which now has a different name.
 7 |       Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
 8 |   when: "item.old in vars"
 9 |   with_items:
10 |     - {'old': 'devture_vars_preserver_enabled', 'new': 'devture_playbook_state_preserver_enabled'}
11 |     - {'old': 'devture_vars_preserver_dst', 'new': 'devture_playbook_state_preserver_vars_preservation_dst'}
12 |     - {'old': 'devture_vars_preserver_uid', 'new': 'devture_playbook_state_preserver_uid'}
13 |     - {'old': 'devture_vars_preserver_gid', 'new': 'devture_playbook_state_preserver_gid'}
14 | 
15 |     - {'old': 'gitea_playbook_timesync_installation_enabled', 'new': 'devture_timesync_installation_enabled'}
16 | 
17 |     - {'old': 'gitea_systemd_services_list', 'new': 'devture_systemd_service_manager_services_list_auto'}
18 |     - {'old': 'gitea_systemd_services_autostart_enabled', 'new': 'devture_systemd_service_manager_services_autostart_enabled'}
19 | 
20 |     - {'old': 'gitea_playbook_postgres_installation_enabled', 'new': 'devture_postgres_enabled'}
21 | 
22 |     - {'old': 'gitea_playbook_traefik_installation_enabled', 'new': 'devture_traefik_enabled'}
23 | 
24 |     - {'old': 'gitea_playbook_reverse_proxyable_services_container_network', 'new': '<superseded by gitea_playbook_reverse_proxyable_services_additional_network>'}
25 |     - {'old': 'gitea_playbook_reverse_proxyable_services_additional_networks', 'new': '<superseded by gitea_playbook_reverse_proxyable_services_additional_network>'}
26 |     - {'old': 'gitea_playbook_traefik_role_enabled', 'new': 'devture_traefik_enabled'}
27 | 


--------------------------------------------------------------------------------
/setup.yml:
--------------------------------------------------------------------------------
 1 | - name: "Set up a Gitea server"
 2 |   hosts: "{{ target if target is defined else 'gitea_servers' }}"
 3 |   become: true
 4 | 
 5 |   roles:
 6 |     # This role has no tasks at all
 7 |     - role: galaxy/com.devture.ansible.role.playbook_help
 8 | 
 9 |     # This role has no tasks at all
10 |     - role: galaxy/com.devture.ansible.role.systemd_docker_base
11 | 
12 |     - role: custom/gitea_playbook_migration
13 | 
14 |     - when: gitea_playbook_docker_installation_enabled | bool
15 |       role: galaxy/geerlingguy.docker
16 |       vars:
17 |         docker_install_compose: false
18 |       tags:
19 |         - setup-docker
20 |         - setup-all
21 |         - install-docker
22 |         - install-all
23 | 
24 |     - when: devture_docker_sdk_for_python_installation_enabled | bool
25 |       role: galaxy/com.devture.ansible.role.docker_sdk_for_python
26 |       tags:
27 |         - setup-docker
28 |         - setup-all
29 |         - install-docker
30 |         - install-all
31 | 
32 |     - when: devture_timesync_installation_enabled | bool
33 |       role: galaxy/com.devture.ansible.role.timesync
34 |       tags:
35 |         - setup-timesync
36 |         - setup-all
37 |         - install-timesync
38 |         - install-all
39 | 
40 |     - role: custom/base
41 | 
42 |     # This role exposes various tags (setup-postgres, setup-all, upgrade-postgres, import-postgres, etc.), so we don't tag it here.
43 |     - role: galaxy/com.devture.ansible.role.postgres
44 | 
45 |     - role: custom/gitea
46 | 
47 |     - role: galaxy/com.devture.ansible.role.postgres_backup
48 | 
49 |     - role: custom/gitea_backup
50 | 
51 |     - role: galaxy/com.devture.ansible.role.woodpecker_ci_server
52 |     - role: galaxy/com.devture.ansible.role.woodpecker_ci_agent
53 | 
54 |     - role: galaxy/com.devture.ansible.role.container_socket_proxy
55 | 
56 |     - role: galaxy/com.devture.ansible.role.traefik
57 | 
58 |     - when: devture_systemd_service_manager_enabled | bool
59 |       role: galaxy/com.devture.ansible.role.systemd_service_manager
60 | 
61 |     # This is pretty much last, because we want it to better serve as a "last known good configuration".
62 |     # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2217#issuecomment-1301487601
63 |     - when: devture_playbook_state_preserver_enabled | bool
64 |       role: galaxy/com.devture.ansible.role.playbook_state_preserver
65 |       tags:
66 |         - setup-all
67 |         - install-all
68 | 
69 |     - role: galaxy/com.devture.ansible.role.playbook_runtime_messages
70 | 


--------------------------------------------------------------------------------