From 56faa4323b855437d1dbff9bf279a0fed353898d Mon Sep 17 00:00:00 2001
From: Chewing_Bever
Date: Fri, 9 Aug 2024 13:53:13 +0200
Subject: [PATCH] gitea: add config
---
 group_vars/all/vars.yml | 5 +
 group_vars/all/vault.yml | 44 +++++--
 hosts.ini | 3 +
 roles/gitea-web/meta/main.yml | 3 +
 roles/gitea-web/tasks/main.yml | 9 ++
 roles/gitea-web/templates/gitea.Caddyfile.j2 | 3 +
 roles/gitea/files/compose.yml | 40 +++++++
 roles/gitea/files/gitea.data.backup.sh | 12 ++
 roles/gitea/files/gitea.lfs.backup.sh | 12 ++
 roles/gitea/files/gitea.postgres.backup.sh | 7 ++
 .../gitea/files/gitea.repositories.backup.sh | 12 ++
 roles/gitea/files/gitea.service | 15 +++
 roles/gitea/handlers/main.yml | 5 +
 roles/gitea/tasks/main.yml | 73 ++++++++++++
 roles/gitea/templates/app.ini.j2 | 112 ++++++++++++++++++
 ruby.yml | 6 +
 web.yml | 6 +
 17 files changed, 354 insertions(+), 13 deletions(-)
 create mode 100644 roles/gitea-web/meta/main.yml
 create mode 100644 roles/gitea-web/tasks/main.yml
 create mode 100644 roles/gitea-web/templates/gitea.Caddyfile.j2
 create mode 100644 roles/gitea/files/compose.yml
 create mode 100644 roles/gitea/files/gitea.data.backup.sh
 create mode 100644 roles/gitea/files/gitea.lfs.backup.sh
 create mode 100644 roles/gitea/files/gitea.postgres.backup.sh
 create mode 100644 roles/gitea/files/gitea.repositories.backup.sh
 create mode 100644 roles/gitea/files/gitea.service
 create mode 100644 roles/gitea/handlers/main.yml
 create mode 100644 roles/gitea/tasks/main.yml
 create mode 100644 roles/gitea/templates/app.ini.j2
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index c71902c..02ae9c2 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -22,3 +22,8 @@
 woodpecker_secret: "{{ vault_woodpecker_secret }}"
 restic_version: '0.16.2'
 ntfy_user_pi_pass: "{{ vault_ntfy_user_pi_pass }}"
+
+gitea_lfs_jwt_secret: "{{ vault_gitea_lfs_jwt_secret }}"
+gitea_secret_key: "{{ vault_gitea_secret_key }}"
+gitea_internal_token: "{{ vault_gitea_internal_token }}"
+gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index e941cec..13fc149 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -1,14 +1,32 @@ $ANSIBLE_VAULT;1.1;AES256 -35353730613932643733343565323332383038383461626535616166616338653066306533366164 -6261353438653937326264623632363336633039383361620a333239333937663561613162376161 -30393966656236656634633035643336626538373733643863613864373439363564376563613361 -3666616235623631370a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a613335346362346333323461336130 +61386264346464376539303733393961306664376663613034316337313963343761636634636131 +3231633934646130630a303038383563346539383561386362613935376634306561643964626334 +35333166623531383236623535636362323039613136346534343232306163393436366135373634 +31303338303939613433326633373838353431653231646430333333323665643130306436663539 +35393266346232366161653332303264623733343262636363613630323366376130646264333739 +34396139303130613631646535363831623463333565396134376234356132336236373366313830 +61386661303966313862653732653338386466643838636263393766366139373237316165643764 +66336465613838316465316166653064343066623339616530303038356238303832373135663665 +35383938333362643038326635316538666536613137663633363434336138306135316665353734 +63633439366664613633353465643466663564663832396435663931643538636238643233373039 +35623438333139353632383263343538626561343035613239366266623033636335633536643431 +30663139353634663662373062363937393838393266343264386134306333326164656334316364 +39343662313464383362646237383337393664623632653235623165666636363635383636363430 +35306365383536356265363733396165303765316638366331376230306630393735393334653362 +65313332646434323831313764306230616236383963376634623437346635653937623830653064 +62396162396165643563373239373264396137666334646238616262663464623363373565626539 +64373936346166356134306431616638346633376366336136383939666665373565383633336431 +33346431353639643063616630313630653038616430316366323137303034336539643161383734 +35346430643433653866663636333639343364363831343531363937313330343865323535353533 
+32666566343736653135363966643665396234636437316438636530366231653963356237613065
+30623338323733666365613631666361306666613364393261623732623963613731613933383138
+65656565396435643833613764346139343365663766623535626166346330633938626135326230
+63356535633834633763363666333662646633366537623732623835653332316239646135373933
+30333339396237386538343434653764613036396463333263333061316136323336356663666664
+36363235643334363666336364333336366439646537306235333532343832653531356430353730
+34303830343734653631313936383962343131643965303464343031633030613635356231633566
+63366531663361386461333532383638636662633261343365633361346535366132303339346664
+33626638643233333766356534393039393962343630303137653733393532633264616664363235
+343465376233356362383334663334633033
diff --git a/hosts.ini b/hosts.ini
index a7f8161..0e05815 100644
--- a/hosts.ini
+++ b/hosts.ini
@@ -26,3 +26,6 @@
 [atuin-server]
 192.168.0.2 static_ip=192.168.0.2
+
+[gitea]
+192.168.0.2 static_ip=192.168.0.2
diff --git a/roles/gitea-web/meta/main.yml b/roles/gitea-web/meta/main.yml
new file mode 100644
index 0000000..1dbd0f6
--- /dev/null
+++ b/roles/gitea-web/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - role: caddy
diff --git a/roles/gitea-web/tasks/main.yml b/roles/gitea-web/tasks/main.yml
new file mode 100644
index 0000000..0cba5b5
--- /dev/null
+++ b/roles/gitea-web/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Ensure Caddyfile is present
+ template:
+ src: 'gitea.Caddyfile.j2'
+ dest: '/etc/caddy/gitea.Caddyfile'
+ owner: root
+ group: root
+ mode: '0644'
+ notify: caddy-reload
diff --git a/roles/gitea-web/templates/gitea.Caddyfile.j2 b/roles/gitea-web/templates/gitea.Caddyfile.j2
new file mode 100644
index 0000000..b2c1cd3
--- /dev/null
+++ b/roles/gitea-web/templates/gitea.Caddyfile.j2
@@ -0,0 +1,3 @@
+git.rustybever.be {
+ reverse_proxy {{ hostvars[groups['gitea'][0]].static_ip }}:8010
+}
diff --git a/roles/gitea/files/compose.yml b/roles/gitea/files/compose.yml
new file mode 100644
index 0000000..c7fe71c
--- /dev/null
+++ b/roles/gitea/files/compose.yml
@@ -0,0 +1,40 @@
+version: '3'
+
+services:
+ app:
+ # Latest contains a development version
+ image: 'gitea/gitea:1.20.1'
+ restart: 'always'
+
+ ports:
+ - '22:22'
+ - '8010:3000'
+ volumes:
+ - '/etc/gitea/app.ini:/data/gitea/conf/app.ini'
+ - '/mnt/data1/gitea/data:/data'
+ - '/mnt/data1/gitea/repositories:/data/git/repositories'
+ - '/mnt/data1/gitea/lfs:/data/git/lfs'
+ - '/etc/timezone:/etc/timezone:ro'
+ - '/etc/localtime:/etc/localtime:ro'
+
+ depends_on:
+ db:
+ condition: service_healthy
+
+ db:
+ image: 'postgres:14.8-alpine'
+ restart: 'always'
+
+ healthcheck:
+ test: ["CMD", "pg_isready", "-U", "gitea"]
+ interval: 30s
+ start_period: 30s
+ timeout: 5s
+ retries: 3
+
+ environment:
+ - 'POSTGRES_USER=gitea'
+ - 'POSTGRES_PASSWORD=gitea'
+ - 'POSTGRES_DB=gitea'
+ volumes:
+ - '/mnt/data1/gitea/postgres:/var/lib/postgresql/data'
diff --git a/roles/gitea/files/gitea.data.backup.sh b/roles/gitea/files/gitea.data.backup.sh
new file mode 100644
index 0000000..279f68a
--- /dev/null
+++ b/roles/gitea/files/gitea.data.backup.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+data_dir='/mnt/data1/gitea/data'
+snapshot_dir="${data_dir}.snapshot"
+
+# Read-only snapshot for atomic backup
+btrfs subvolume snapshot -r "$data_dir" "$snapshot_dir" || exit $?
+
+/usr/local/bin/restic backup "$snapshot_dir"
+
+# Always remove snapshot subvolume, even if restic fails
+btrfs subvolume delete "$snapshot_dir"
diff --git a/roles/gitea/files/gitea.lfs.backup.sh b/roles/gitea/files/gitea.lfs.backup.sh
new file mode 100644
index 0000000..bfc3869
--- /dev/null
+++ b/roles/gitea/files/gitea.lfs.backup.sh
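Review bot: The `ports` entries under `app` publish on every host interface, so `8010:3000` exposes Gitea's plain-HTTP listener to anything that can reach the host, not only the Caddy instance that the Caddyfile in this patch points at `static_ip:8010`; binding it to that address, e.g. `- '192.168.0.2:8010:3000'` (or templating the file so it follows `static_ip`), keeps the unencrypted listener to the proxy path, and a host firewall rule would do the same. `'22:22'` will fail to bind if the host's own sshd still listens on 22 — nothing in the patch moves it, so confirm on the target. `POSTGRES_PASSWORD=gitea` is a fixed credential committed to the repo while the rest of this commit routes Gitea's secrets through vault variables; exposure is limited because `db` publishes no ports, but the same literal is repeated as `PASSWD = gitea` in app.ini.j2, so a vault-backed value would keep both in one place.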
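Review bot: The script's exit status is that of the final `btrfs subvolume delete`, so a failed `restic backup` is reported as success to whatever schedules the scripts in /etc/backups; keep the unconditional cleanup but preserve restic's result, `/usr/local/bin/restic backup "$snapshot_dir"; status=$?` before the delete and `exit "$status"` after it. The same applies to gitea.lfs.backup.sh and gitea.repositories.backup.sh in this patch. A leftover `.snapshot` subvolume from an interrupted run is also not handled: btrfs places a new snapshot inside an existing destination directory rather than failing, so the `|| exit $?` guard would not catch it — deleting any stale snapshot first, or checking for its presence, is worth considering.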
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+data_dir='/mnt/data1/gitea/lfs'
+snapshot_dir="${data_dir}.snapshot"
+
+# Read-only snapshot for atomic backup
+btrfs subvolume snapshot -r "$data_dir" "$snapshot_dir" || exit $?
+
+/usr/local/bin/restic backup "$snapshot_dir"
+
+# Always remove snapshot subvolume, even if restic fails
+btrfs subvolume delete "$snapshot_dir"
diff --git a/roles/gitea/files/gitea.postgres.backup.sh b/roles/gitea/files/gitea.postgres.backup.sh
new file mode 100644
index 0000000..6217795
--- /dev/null
+++ b/roles/gitea/files/gitea.postgres.backup.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+cd /etc/gitea
+
+/usr/bin/docker compose exec -T db pg_dump -U gitea gitea |
+ /usr/bin/gzip --rsyncable |
+ /usr/local/bin/restic backup --stdin --stdin-filename gitea-postgres.sql.gz
diff --git a/roles/gitea/files/gitea.repositories.backup.sh b/roles/gitea/files/gitea.repositories.backup.sh
new file mode 100644
index 0000000..f3df264
--- /dev/null
+++ b/roles/gitea/files/gitea.repositories.backup.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+data_dir='/mnt/data1/gitea/repositories'
+snapshot_dir="${data_dir}.snapshot"
+
+# Read-only snapshot for atomic backup
+btrfs subvolume snapshot -r "$data_dir" "$snapshot_dir" || exit $?
+
+/usr/local/bin/restic backup "$snapshot_dir"
+
+# Always remove snapshot subvolume, even if restic fails
+btrfs subvolume delete "$snapshot_dir"
diff --git a/roles/gitea/files/gitea.service b/roles/gitea/files/gitea.service
new file mode 100644
index 0000000..2e0aadc
--- /dev/null
+++ b/roles/gitea/files/gitea.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Private, Fast, Reliable DevOps Platform
+After=docker.target
+Requires=docker.target
+
+[Service]
+Type=exec
+User=gitea
+Group=gitea
+WorkingDirectory=/etc/gitea
+ExecStart=/usr/bin/docker compose up
+ExecStop=/usr/bin/docker compose down
+
+[Install]
+WantedBy=multi-user.target
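Review bot: Without `set -o pipefail` the pipeline in gitea.postgres.backup.sh reports only restic's status, so a failing `pg_dump` (or the unchecked `cd /etc/gitea`, after which `docker compose exec` runs against the wrong project directory) still lets restic store an empty or truncated `gitea-postgres.sql.gz` and exit 0, which the backup schedule will read as a good backup. Adding `set -euo pipefail` after the shebang covers both: a failed `cd` aborts the script and a failed dump fails the pipeline. Note that restic's repository and credentials are not set here, so the script relies on its caller's environment — a short comment saying so would help the next reader.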
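Review bot: `After=docker.target` / `Requires=docker.target` in gitea.service name a unit that Docker does not ship as far as I know (its daemon unit is `docker.service`), so unless this host defines such a target the ordering is a no-op and `docker compose up` can run before the daemon is ready; `After=docker.service` and `Requires=docker.service` is the usual pairing. `User=gitea` runs compose as a host user that the tasks in this patch never create, and for it to reach the daemon it needs access to the Docker socket, which is root-equivalent — so the unprivileged user adds little protection here; either drop `User=`/`Group=` and run the unit as root explicitly, or document where the `gitea` account and its socket access are provisioned.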
diff --git a/roles/gitea/handlers/main.yml b/roles/gitea/handlers/main.yml
new file mode 100644
index 0000000..f8bd4e5
--- /dev/null
+++ b/roles/gitea/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: 'restart gitea'
+ ansible.builtin.service:
+ name: 'gitea'
+ state: 'restarted'
diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml
new file mode 100644
index 0000000..948b7e7
--- /dev/null
+++ b/roles/gitea/tasks/main.yml
@@ -0,0 +1,73 @@
+---
+- name: Ensure data directory is present
+ ansible.builtin.file:
+ path: '/mnt/data1/gitea'
+ state: directory
+ mode: '0755'
+ owner: 'root'
+ group: 'root'
+
+- name: Ensure data subvolumes are present
+ community.general.btrfs_subvolume:
+ name: '/gitea/{{ item }}'
+ loop:
+ - 'data'
+ - 'lfs'
+ - 'repositories'
+ - 'postgres'
+
+- name: Ensure configuration directory is present
+ ansible.builtin.file:
+ path: '/etc/gitea'
+ state: directory
+ mode: '0755'
+
+- name: Ensure compose file is present
+ ansible.builtin.copy:
+ src: 'compose.yml'
+ dest: '/etc/gitea/compose.yml'
+ mode: '0644'
+ owner: 'root'
+ group: 'root'
+ notify: 'restart gitea'
+
+- name: Ensure config file is present
+ ansible.builtin.template:
+ src: 'app.ini.j2'
+ dest: '/etc/gitea/app.ini'
+ mode: '0644'
+ owner: 'root'
+ group: 'root'
+ notify: 'restart gitea'
+
+- name: Ensure backup scripts are present
+ ansible.builtin.copy:
+ src: "gitea.{{ item }}.backup.sh"
+ dest: "/etc/backups/gitea.{{ item }}.backup.sh"
+ owner: 'root'
+ group: 'root'
+ mode: '0644'
+ loop:
+ - 'postgres'
+ - 'data'
+ - 'lfs'
+ - 'repositories'
+
+- name: Ensure service file is present
+ ansible.builtin.copy:
+ src: 'gitea.service'
+ dest: '/lib/systemd/system/gitea.service'
+ owner: 'root'
+ group: 'root'
+ mode: '0644'
+ register: res
+
+- name: systemd-reload
+ ansible.builtin.systemd_service:
+ daemon_reload: true
+ when: 'res.changed'
+
+- name: Ensure gitea service is enabled
+ ansible.builtin.service:
+ name: 'gitea'
+ enabled: true
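Review bot: "Ensure config file is present" renders app.ini with `mode: '0644'`, so it is world-readable on the host even though the template in this patch writes `SECRET_KEY`, `INTERNAL_TOKEN`, `LFS_JWT_SECRET`, `JWT_SECRET` and the database password into it in plaintext — the vault protection of those values ends at this task. A `0640` (or `0600`) mode fixes that, but since the file is bind-mounted into the container, root-only ownership would likely prevent the in-container Gitea process from reading it; set `owner`/`group` to the uid/gid that process runs as (confirm against the image) rather than `root`. "Ensure data subvolumes are present" creates `/gitea/{{ item }}` without saying which btrfs filesystem it belongs to, while every path elsewhere assumes the one mounted at `/mnt/data1`; if the host has more than one btrfs filesystem, pinning it via the module's `filesystem_label` or `filesystem_uuid` option avoids creating the subvolumes on the wrong device. The backup scripts are installed `0644`, i.e. not executable, so whatever runs /etc/backups must invoke them through an interpreter — worth a comment if that is intended.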
diff --git a/roles/gitea/templates/app.ini.j2 b/roles/gitea/templates/app.ini.j2
new file mode 100644
index 0000000..4653ec3
--- /dev/null
+++ b/roles/gitea/templates/app.ini.j2
@@ -0,0 +1,112 @@
+APP_NAME = The Rusty Bever
+RUN_MODE = prod
+RUN_USER = git
+WORK_PATH = /data/gitea
+
+[repository]
+ROOT = /data/git/repositories
+; Makes public the default option when creating a repo
+DEFAULT_PRIVATE = public
+; Disables releases, projects & wiki by default for new repos (but can be enabled when needed)
+DEFAULT_REPO_UNITS = repo.code,repo.issues,repo.pulls
+; Might as well be compatible with
+DEFAULT_BRANCH = main
+
+[repository.pull-request]
+WORK_IN_PROGRESS_PREFIXES = WIP:,[WIP]:,Draft:,[Draft]:
+
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+
+[ui]
+; Always show the full name of a user when possible
+DEFAULT_SHOW_FULL_NAME = true
+THEMES = auto,gitea,arc-green,gitea-modern
+
+[server]
+APP_DATA_PATH = /data/gitea
+DOMAIN = git.rustybever.be
+SSH_DOMAIN = git.rustybever.be
+HTTP_PORT = 3000
+ROOT_URL = https://git.rustybever.be/
+DISABLE_SSH = false
+SSH_PORT = 22
+SSH_LISTEN_PORT = 22
+LFS_START_SERVER = true
+OFFLINE_MODE = false
+LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }}
+
+[lfs]
+PATH = /data/git/lfs
+
+[database]
+PATH = /data/gitea/gitea.db
+DB_TYPE = postgres
+HOST = db:5432
+NAME = gitea
+USER = gitea
+PASSWD = gitea
+LOG_SQL = false
+SCHEMA =
+SSL_MODE = disable
+CHARSET = utf8
+
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+PROVIDER = file
+
+[picture]
+AVATAR_UPLOAD_PATH = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+DISABLE_GRAVATAR = false
+ENABLE_FEDERATED_AVATAR = true
+
+[attachment]
+PATH = /data/gitea/attachments
+
+[log]
+MODE = console
+LEVEL = info
+REDIRECT_MACARON_LOG = true
+MACARON = console
+ROUTER = console
+ROOT_PATH = /data/gitea/log
+
+[security]
+INSTALL_LOCK = true
+MIN_PASSWORD_LENGTH = 12
+PASSWORD_COMPLEXITY = lower,upper,digit
+SECRET_KEY = {{ gitea_secret_key }}
+INTERNAL_TOKEN = {{ gitea_internal_token }}
+
+[service]
+DISABLE_REGISTRATION = true
+REQUIRE_SIGNIN_VIEW = false
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.localhost
+
+[mailer]
+ENABLED = false
+
+[openid]
+ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNUP = false
+
+[oauth2]
+JWT_SECRET = {{ gitea_jwt_secret }}
+
+[other]
+SHOW_FOOTER_VERSION = false
+SHOW_FOOTER_TEMPLATE_LOAD_TIME = false
diff --git a/ruby.yml b/ruby.yml
index d0ab1ee..8f590ff 100644
--- a/ruby.yml
+++ b/ruby.yml
@@ -57,3 +57,9 @@
 roles:
 - atuin-server
 tags: atuin
+
+- hosts: ruby
+ become: yes
+ roles:
+ - gitea
+ tags: gitea
diff --git a/web.yml b/web.yml
index 0178847..48bdf3d 100644
--- a/web.yml
+++ b/web.yml
@@ -46,3 +46,9 @@
 roles:
 - atuin-server-web
 tags: atuin
+
+- hosts: web
+ become: yes
+ roles:
+ - gitea-web
+ tags: atuin
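Review bot: `PASSWD = gitea` under `[database]` is the one credential in app.ini.j2 that is hard-coded rather than templated from a vault variable like `SECRET_KEY`, `INTERNAL_TOKEN`, `LFS_JWT_SECRET` and `JWT_SECRET` are; it also has to match `POSTGRES_PASSWORD` in compose.yml, so a single vault-backed variable rendered into both keeps them in sync and out of the repo. Because Caddy runs on a different host (the `web` play) and the container sees its connections arrive via the Docker bridge, Gitea will by my understanding not trust the proxy's `X-Forwarded-For` unless the Caddy host is listed in `[security] REVERSE_PROXY_TRUSTED_PROXIES` (the default is loopback only), so request logs and any address-based controls would record the proxy rather than the client — worth setting or documenting. `REDIRECT_MACARON_LOG` and `MACARON` under `[log]` look like leftovers from pre-1.14 configurations and are probably ignored by the pinned 1.20.1 image. The comment `; Might as well be compatible with` is cut off mid-sentence — say compatible with what.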
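Review bot: The new play appended to web.yml carries `tags: atuin` instead of `tags: gitea`, which reads as a copy-paste slip from the play above it: `--tags gitea` will skip the `gitea-web` role while running the `gitea` play in ruby.yml (which is tagged correctly), so the Caddy vhost is never deployed alongside the service, and `--tags atuin` will unexpectedly touch the Gitea vhost. Change it to `tags: gitea`.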