From e5c3a4e0d345531c3b6d9dc5f874464b9e177015 Mon Sep 17 00:00:00 2001 From: Tobias Reisinger Date: Tue, 13 Jun 2023 23:32:09 +0200 Subject: [PATCH] Add gitea to ansible --- .gitignore | 1 + _ansible/local-dev.yml | 1 + _ansible/node002.yml | 1 + _ansible/roles/acme-dns/tasks/main.yml | 6 +- _ansible/roles/gitea/tasks/main.yml | 7 ++ _ansible/roles/gitea/vars/main.yml | 93 ++++++++++++++++++++++++++ _ansible/roles/umami/tasks/main.yml | 4 +- _ansible/templates/caddy_site.conf.j2 | 1 + _ansible/test.yml | 10 --- gitea/.env | 63 ----------------- gitea/docker-compose.yml | 30 --------- 11 files changed, 110 insertions(+), 107 deletions(-) create mode 100644 _ansible/roles/gitea/tasks/main.yml create mode 100644 _ansible/roles/gitea/vars/main.yml delete mode 100644 _ansible/test.yml delete mode 100644 gitea/.env delete mode 100644 gitea/docker-compose.yml diff --git a/.gitignore b/.gitignore index adbcad1..6d8e9c7 100644 --- a/.gitignore +++ b/.gitignore @@ -7,4 +7,5 @@ diagram_assets/ # services already handled by ansible acme-dns/ +gitea/ umami/ diff --git a/_ansible/local-dev.yml b/_ansible/local-dev.yml index c69e82b..a4c851b 100644 --- a/_ansible/local-dev.yml +++ b/_ansible/local-dev.yml @@ -8,4 +8,5 @@ hosts: local-dev roles: - acme-dns + - gitea - umami diff --git a/_ansible/node002.yml b/_ansible/node002.yml index 8dc321f..9f7217a 100644 --- a/_ansible/node002.yml +++ b/_ansible/node002.yml @@ -3,4 +3,5 @@ hosts: node002 roles: - acme-dns + - gitea - umami diff --git a/_ansible/roles/acme-dns/tasks/main.yml b/_ansible/roles/acme-dns/tasks/main.yml index fb0f2c7..57a948a 100644 --- a/_ansible/roles/acme-dns/tasks/main.yml +++ b/_ansible/roles/acme-dns/tasks/main.yml @@ -1,6 +1,8 @@ --- -- name: Deploy acme-dns - tags: acme-dns +- name: Deploy {{ svc.name }} + tags: + - acme-dns + - certificates block: - import_tasks: steps/create-service-directory.yml - import_tasks: steps/template-docker-compose.yml 
diff --git a/_ansible/roles/gitea/tasks/main.yml b/_ansible/roles/gitea/tasks/main.yml
new file mode 100644
index 0000000..5085537
--- /dev/null
+++ b/_ansible/roles/gitea/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Deploy {{ svc.name }}
+ tags:
+ - gitea
+ - git
+ block:
+ - import_tasks: deploy-common-service.yml
diff --git a/_ansible/roles/gitea/vars/main.yml b/_ansible/roles/gitea/vars/main.yml
new file mode 100644
index 0000000..017c743
--- /dev/null
+++ b/_ansible/roles/gitea/vars/main.yml
@@ -0,0 +1,93 @@
+svc:
+ domain: "git.serguzim.me"
+ name: gitea
+ port: 3000
+ caddy_extra: header /attachments/* Access-Control-Allow-Origin *
+ db:
+ host: "{{ postgres.host }}"
+ port: "{{ postgres.port }}"
+ ssh_port: 22
+ ssh_port_alt: 3022
+
+svc_env:
+ GITEA__database__DB_TYPE: "postgres"
+ GITEA__database__HOST: "{{ svc.db.host }}:{{ svc.db.port }}"
+ GITEA__database__NAME: "gitea"
+ GITEA__database__USER: "{{ vault_gitea.db.user }}"
+ GITEA__database__PASSWD: "{{ vault_gitea.db.pass }}"
+ GITEA__database__SSL_MODE: "verify-full"
+
+ GITEA__repository__ENABLE_PUSH_CREATE_USER: "true"
+ GITEA__repository__ENABLE_PUSH_CREATE_ORG: "true"
+ GITEA__repository__DEFAULT_BRANCH: "main"
+
+ GITEA__cors__ENABLED: "true"
+ GITEA__cors__SCHEME: "https"
+
+ GITEA__ui__DEFAULT_THEME: "arc-green"
+
+ GITEA__server__DOMAIN: "{{ svc.domain }}"
+ GITEA__server__SSH_DOMAIN: "{{ svc.domain }}"
+ GITEA__server__SSH_PORT: "{{ svc.ssh_port }}"
+ GITEA__server__ROOT_URL: "https://{{ svc.domain }}"
+ GITEA__server__OFFLINE_MODE: "true"
+ GITEA__server__LFS_JWT_SECRET: "{{ vault_gitea.server_lfs_jwt_secret }}"
+ GITEA__server__LFS_START_SERVER: "true"
+
+ GITEA__security__INSTALL_LOCK: "true"
+ GITEA__security__INTERNAL_TOKEN: "{{ vault_gitea.security_internal_token }}"
+ GITEA__security__SECRET_KEY: "{{ vault_gitea.security_secret_key }}"
+
+ GITEA__openid__ENABLE_OPENID_SIGNUP: "true"
+ GITEA__openid__ENABLE_OPENID_SIGNIN: "false"
+
+ GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION: "true"
+ GITEA__service__ENABLE_BASIC_AUTHENTICATION: "false"
+ GITEA__service__NO_REPLY_ADDRESS: "discard.msrg.cc"
+
+ GITEA__webhook__DELIVER_TIMEOUT: "60"
+
+ GITEA__mailer__ENABLED: "true"
+ GITEA__mailer__PROTOCOL: "smtp+starttls"
+ GITEA__mailer__SMTP_ADDR: "mail.serguzim.me"
+ GITEA__mailer__SMTP_PORT: "587"
+ GITEA__mailer__FROM: "Gitea "
+ GITEA__mailer__USER: "git@serguzim.me"
+ GITEA__mailer__PASSWD: "{{ vault_gitea.mailer_passwd }}"
+ GITEA__mailer__SEND_AS_PLAIN_TEXT: "true"
+
GITEA__picture__DISABLE_GRAVATAR: "true" + + GITEA__oauth2__JWT_SECRET: "{{ vault_gitea. oauth2_jwt_secret}}" + + GITEA__metrics__ENABLED: "true" + GITEA__metrics__TOKEN: "{{ vault_gitea.metrics_token }}" + + GITEA__storage__STORAGE_TYPE: "minio" + GITEA__storage__MINIO_ENDPOINT: "s3.serguzim.me" + GITEA__storage__MINIO_ACCESS_KEY_ID: "{{ vault_gitea.minio.access_key_id }}" + GITEA__storage__MINIO_SECRET_ACCESS_KEY: "{{ vault_gitea.minio.secret_access_key }}" + GITEA__storage__MINIO_BUCKET: "git" + GITEA__storage__MINIO_LOCATION: "de-contabo-1" + GITEA__storage__MINIO_USE_SSL: "true" + + GITEA__OTHER__SHOW_FOOTER_BRANDING: "true" + GITEA__OTHER__SHOW_FOOTER_TEMPLATE_LOAD_TIME: "false" + +compose: + watchtower: true + image: gitea/gitea:1.19 + env: true + file: + services: + app: + volumes: + - data:/data + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + ports: + - "{{ svc.ssh_port }}:{{ svc.ssh_port }}" + - "{{ svc.ssh_port_alt }}:{{ svc.ssh_port }}" + volumes: + data: + diff --git a/_ansible/roles/umami/tasks/main.yml b/_ansible/roles/umami/tasks/main.yml index 3eb5229..bc2b3a7 100644 --- a/_ansible/roles/umami/tasks/main.yml +++ b/_ansible/roles/umami/tasks/main.yml @@ -1,7 +1,7 @@ --- -- name: Deploy umami +- name: Deploy {{ svc.name }} tags: - - analytics - umami + - analytics block: - import_tasks: deploy-common-service.yml diff --git a/_ansible/templates/caddy_site.conf.j2 b/_ansible/templates/caddy_site.conf.j2 index 782eddd..c9bc4a4 100644 --- a/_ansible/templates/caddy_site.conf.j2 +++ b/_ansible/templates/caddy_site.conf.j2 @@ -1,4 +1,5 @@ {{ svc.domain }} { import default + {{ svc.caddy_extra | default('') | indent(width='\t') }} reverse_proxy {{ svc.name }}:{{ svc.port }} } diff --git a/_ansible/test.yml b/_ansible/test.yml deleted file mode 100644 index 0553b6c..0000000 --- a/_ansible/test.yml +++ /dev/null 
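Review bot: Cross-origin access is left unrestricted in `svc` and `svc_env`: `caddy_extra` sends `Access-Control-Allow-Origin *` for everything under `/attachments/*`, and `GITEA__cors__ENABLED: "true"` is set with only `SCHEME`, so the allowed-origin list stays at Gitea's default, which as far as I know is `*`. If only specific front-ends need cross-origin reads, name them with `GITEA__cors__ALLOW_DOMAIN: "{{ svc.domain }}"` (or the real consumer origins) and put a comment above `caddy_extra` saying which client needs the attachment header. `compose.image: gitea/gitea:1.19` together with `watchtower: true` presumably keeps following a mutable tag unattended; a patch tag or digest would keep updates to the service that holds these vault secrets reviewable. In `svc_env`, `"{{ vault_gitea. oauth2_jwt_secret}}"` has a stray space after the dot; `"{{ vault_gitea.oauth2_jwt_secret }}"` matches the other vault lookups.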
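Review bot: `svc.caddy_extra` is written into the site block verbatim, so whatever a role or an overriding host/group var puts there becomes live Caddy directives; a template comment such as `{# caddy_extra: trusted, role-defined directives only #}` would document that expectation. `indent(width='\t')` relies on the string form of `width`, which Jinja2 accepts only from 3.0 on, so the controller's Jinja2 version is worth stating in the repo. When a role sets no `caddy_extra` the line renders as whitespace only; wrapping it in `{% if svc.caddy_extra is defined %}` … `{% endif %}` would keep the rendered file clean.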
@@ -1,10 +0,0 @@
----
-- name: Test
- hosts: all
- tasks:
- #- name: Include acme-dns role vars
- # ansible.builtin.include_vars:
- # dir: roles/acme-dns/vars
- - name: Debug all variables
- ansible.builtin.debug:
- var: hostvars[inventory_hostname]
diff --git a/gitea/.env b/gitea/.env
deleted file mode 100644
index 83b2fba..0000000
--- a/gitea/.env
+++ /dev/null
@@ -1,63 +0,0 @@
-GITEA__database__DB_TYPE="postgres"
-GITEA__database__HOST="db.serguzim.me:5432"
-GITEA__database__NAME="gitea"
-GITEA__database__USER="gitea"
-GITEA__database__PASSWD=""
-GITEA__database__SSL_MODE="verify-full"
-
-GITEA__repository__ENABLE_PUSH_CREATE_USER="true"
-GITEA__repository__ENABLE_PUSH_CREATE_ORG="true"
-GITEA__repository__DEFAULT_BRANCH="main"
-
-GITEA__cors__ENABLED="true"
-GITEA__cors__SCHEME="https"
-
-GITEA__ui__DEFAULT_THEME="arc-green"
-
-GITEA__server__DOMAIN="git.serguzim.me"
-GITEA__server__SSH_DOMAIN="git.serguzim.me"
-GITEA__server__SSH_PORT="22"
-GITEA__server__ROOT_URL="https://git.serguzim.me/"
-GITEA__server__OFFLINE_MODE="true"
-GITEA__server__LFS_JWT_SECRET=""
-GITEA__server__LFS_START_SERVER="true"
-
-GITEA__security__INSTALL_LOCK="true"
-GITEA__security__INTERNAL_TOKEN=""
-GITEA__security__SECRET_KEY=""
-
-GITEA__openid__ENABLE_OPENID_SIGNUP="true"
-GITEA__openid__ENABLE_OPENID_SIGNIN="false"
-
-GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION="true"
-GITEA__service__ENABLE_BASIC_AUTHENTICATION="false"
-GITEA__service__NO_REPLY_ADDRESS="discard.msrg.cc"
-
-GITEA__webhook__DELIVER_TIMEOUT="60"
-
-GITEA__mailer__ENABLED="true"
-GITEA__mailer__PROTOCOL="smtp+starttls"
-GITEA__mailer__SMTP_ADDR="mail.serguzim.me"
-GITEA__mailer__SMTP_PORT="587"
-GITEA__mailer__FROM="Gitea "
-GITEA__mailer__USER="git@serguzim.me"
-GITEA__mailer__PASSWD=""
-GITEA__mailer__SEND_AS_PLAIN_TEXT="true"
-
-GITEA__picture__DISABLE_GRAVATAR="true"
-
-GITEA__oauth2__JWT_SECRET=""
-
-GITEA__metrics__ENABLED="true"
-GITEA__metrics__TOKEN=""
-
-GITEA__storage__STORAGE_TYPE="minio"
-GITEA__storage__MINIO_ENDPOINT="s3.serguzim.me"
-GITEA__storage__MINIO_ACCESS_KEY_ID=""
-GITEA__storage__MINIO_SECRET_ACCESS_KEY=""
-GITEA__storage__MINIO_BUCKET="git"
-GITEA__storage__MINIO_LOCATION="de-contabo-1"
-GITEA__storage__MINIO_USE_SSL="true"
-
-GITEA__OTHER__SHOW_FOOTER_BRANDING="true"
-GITEA__OTHER__SHOW_FOOTER_TEMPLATE_LOAD_TIME="false"
diff --git a/gitea/docker-compose.yml b/gitea/docker-compose.yml
deleted file mode 100644
index 06f782c..0000000
--- a/gitea/docker-compose.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-version: "3"
-
-services:
- server:
- image: gitea/gitea:1.19
- container_name: gitea
- labels:
- com.centurylinklabs.watchtower.enable: true
- env_file:
- - .env
- - .secret.env
- restart: always
- volumes:
- - data:/data
- - /etc/timezone:/etc/timezone:ro
- - /etc/localtime:/etc/localtime:ro
- ports:
- - "3022:22"
- - "22:22"
- networks:
- apps:
- aliases:
- - gitea
-
-volumes:
- data:
-
-networks:
- apps:
- external: true