gitea: add config

group_vars/all/vars.yml

@@ -22,3 +22,8 @@ woodpecker_secret: "{{ vault_woodpecker_secret }}"
 restic_version: '0.16.2'
 
 ntfy_user_pi_pass: "{{ vault_ntfy_user_pi_pass }}"
+
+gitea_lfs_jwt_secret: "{{ vault_gitea_lfs_jwt_secret }}"
+gitea_secret_key: "{{ vault_gitea_secret_key }}"
+gitea_internal_token: "{{ vault_gitea_internal_token }}"
+gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"

group_vars/all/vault.yml

@@ -1,14 +1,32 @@
 $ANSIBLE_VAULT;1.1;AES256
-35353730613932643733343565323332383038383461626535616166616338653066306533366164
-6261353438653937326264623632363336633039383361620a333239333937663561613162376161
-30393966656236656634633035643336626538373733643863613864373439363564376563613361
-3666616235623631370a373439393839313336323466306461373534626661616231333436326663
-37616638353830323865356236363937313033643563646466366432623762393539386334623938
-63303331363165313437383061353037313536333132393439653538316264376362336466313231
-66313530313937373232613534343065626534666136326233626137353631386161653133643933
-37356237643362643161383131623035373037653139643331663435623162323566643635353731
-62663165383465656432613339353466313437323365393766313865323565623138363537356561
-31623565353362356464376637386633373133333365336662346331633236383934623638366662
-31326264306434633532373131303839613735343364613232306164316661313933636235633161
-37346630333565313636333435323635663962376636366437383938663763366433366230376636
-3431
+62316366343931626135336332623963643864616164386132363565303565303165326238303132
+3266623662613739333637393937373137313161306136310a613335346362346333323461336130
+61386264346464376539303733393961306664376663613034316337313963343761636634636131
+3231633934646130630a303038383563346539383561386362613935376634306561643964626334
+35333166623531383236623535636362323039613136346534343232306163393436366135373634
+31303338303939613433326633373838353431653231646430333333323665643130306436663539
+35393266346232366161653332303264623733343262636363613630323366376130646264333739
+34396139303130613631646535363831623463333565396134376234356132336236373366313830
+61386661303966313862653732653338386466643838636263393766366139373237316165643764
+66336465613838316465316166653064343066623339616530303038356238303832373135663665
+35383938333362643038326635316538666536613137663633363434336138306135316665353734
+63633439366664613633353465643466663564663832396435663931643538636238643233373039
+35623438333139353632383263343538626561343035613239366266623033636335633536643431
+30663139353634663662373062363937393838393266343264386134306333326164656334316364
+39343662313464383362646237383337393664623632653235623165666636363635383636363430
+35306365383536356265363733396165303765316638366331376230306630393735393334653362
+65313332646434323831313764306230616236383963376634623437346635653937623830653064
+62396162396165643563373239373264396137666334646238616262663464623363373565626539
+64373936346166356134306431616638346633376366336136383939666665373565383633336431
+33346431353639643063616630313630653038616430316366323137303034336539643161383734
+35346430643433653866663636333639343364363831343531363937313330343865323535353533
+32666566343736653135363966643665396234636437316438636530366231653963356237613065
+30623338323733666365613631666361306666613364393261623732623963613731613933383138
+65656565396435643833613764346139343365663766623535626166346330633938626135326230
+63356535633834633763363666333662646633366537623732623835653332316239646135373933
+30333339396237386538343434653764613036396463333263333061316136323336356663666664
+36363235643334363666336364333336366439646537306235333532343832653531356430353730
+34303830343734653631313936383962343131643965303464343031633030613635356231633566
+63366531663361386461333532383638636662633261343365633361346535366132303339346664
+33626638643233333766356534393039393962343630303137653733393532633264616664363235
+343465376233356362383334663334633033

hosts.ini

@@ -26,3 +26,6 @@
 
 [atuin-server]
 192.168.0.2 static_ip=192.168.0.2
+
+[gitea]
+192.168.0.2 static_ip=192.168.0.2

roles/gitea-web/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: caddy

roles/gitea-web/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Ensure Caddyfile is present
+  template:
+    src: 'gitea.Caddyfile.j2'
+    dest: '/etc/caddy/gitea.Caddyfile'
+    owner: root
+    group: root
+    mode: '0644'
+  notify: caddy-reload

roles/gitea-web/templates/gitea.Caddyfile.j2

@@ -0,0 +1,3 @@
+git.rustybever.be {
+    reverse_proxy {{ hostvars[groups['gitea'][0]].static_ip }}:8010
+}

roles/gitea/files/compose.yml

@@ -0,0 +1,40 @@
+version: '3'
+
+services:
+  app:
+    # Latest contains a development version
+    image: 'gitea/gitea:1.20.1'
+    restart: 'always'
+
+    ports:
+      - '22:22'
+      - '8010:3000'
+    volumes:
+      - '/etc/gitea/app.ini:/data/gitea/conf/app.ini'
+      - '/mnt/data1/gitea/data:/data'
+      - '/mnt/data1/gitea/repositories:/data/git/repositories'
+      - '/mnt/data1/gitea/lfs:/data/git/lfs'
+      - '/etc/timezone:/etc/timezone:ro'
+      - '/etc/localtime:/etc/localtime:ro'
+
+    depends_on:
+      db:
+        condition: service_healthy
+
+  db:
+    image: 'postgres:14.8-alpine'
+    restart: 'always'
+
+    healthcheck:
+      test: ["CMD", "pg_isready", "-U", "gitea"]
+      interval: 30s 
+      start_period: 30s
+      timeout: 5s
+      retries: 3
+
+    environment:
+      - 'POSTGRES_USER=gitea'
+      - 'POSTGRES_PASSWORD=gitea'
+      - 'POSTGRES_DB=gitea'
+    volumes:
+      - '/mnt/data1/gitea/postgres:/var/lib/postgresql/data'

roles/gitea/files/gitea.data.backup.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+data_dir='/mnt/data1/gitea/data'
+snapshot_dir="${data_dir}.snapshot"
+
+# Read-only snapshot for atomic backup
+btrfs subvolume snapshot -r "$data_dir" "$snapshot_dir" || exit $?
+
+/usr/local/bin/restic backup "$snapshot_dir"
+
+# Always remove snapshot subvolume, even if restic fails
+btrfs subvolume delete "$snapshot_dir"

roles/gitea/files/gitea.lfs.backup.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+data_dir='/mnt/data1/gitea/lfs'
+snapshot_dir="${data_dir}.snapshot"
+
+# Read-only snapshot for atomic backup
+btrfs subvolume snapshot -r "$data_dir" "$snapshot_dir" || exit $?
+
+/usr/local/bin/restic backup "$snapshot_dir"
+
+# Always remove snapshot subvolume, even if restic fails
+btrfs subvolume delete "$snapshot_dir"

roles/gitea/files/gitea.postgres.backup.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+cd /etc/gitea
+
+/usr/bin/docker compose exec -T db pg_dump -U gitea gitea |
+    /usr/bin/gzip --rsyncable |
+    /usr/local/bin/restic backup --stdin --stdin-filename gitea-postgres.sql.gz

roles/gitea/files/gitea.repositories.backup.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+data_dir='/mnt/data1/gitea/repositories'
+snapshot_dir="${data_dir}.snapshot"
+
+# Read-only snapshot for atomic backup
+btrfs subvolume snapshot -r "$data_dir" "$snapshot_dir" || exit $?
+
+/usr/local/bin/restic backup "$snapshot_dir"
+
+# Always remove snapshot subvolume, even if restic fails
+btrfs subvolume delete "$snapshot_dir"

roles/gitea/files/gitea.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Private, Fast, Reliable DevOps Platform
+After=docker.target 
+Requires=docker.target
+
+[Service]
+Type=exec
+User=gitea
+Group=gitea
+WorkingDirectory=/etc/gitea
+ExecStart=/usr/bin/docker compose up
+ExecStop=/usr/bin/docker compose down
+
+[Install]
+WantedBy=multi-user.target

roles/gitea/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: 'restart gitea'
+  ansible.builtin.service:
+    name: 'gitea'
+    state: 'restarted'

roles/gitea/tasks/main.yml

@@ -0,0 +1,73 @@
+---
+- name: Ensure data directory is present
+  ansible.builtin.file:
+    path: '/mnt/data1/gitea'
+    state: directory
+    mode: '0755'
+    owner: 'root'
+    group: 'root'
+
+- name: Ensure data subvolumes are present
+  community.general.btrfs_subvolume:
+    name: '/gitea/{{ item }}'
+  loop:
+    - 'data'
+    - 'lfs'
+    - 'repositories'
+    - 'postgres'
+
+- name: Ensure configuration directory is present
+  ansible.builtin.file:
+    path: '/etc/gitea'
+    state: directory
+    mode: '0755'
+
+- name: Ensure compose file is present
+  ansible.builtin.copy:
+    src: 'compose.yml'
+    dest: '/etc/gitea/compose.yml'
+    mode: '0644'
+    owner: 'root'
+    group: 'root'
+  notify: 'restart gitea'
+
+- name: Ensure config file is present
+  ansible.builtin.template:
+    src: 'app.ini.j2'
+    dest: '/etc/gitea/app.ini'
+    mode: '0644'
+    owner: 'root'
+    group: 'root'
+  notify: 'restart gitea'
+
+- name: Ensure backup scripts are present
+  ansible.builtin.copy:
+    src: "gitea.{{ item }}.backup.sh"
+    dest: "/etc/backups/gitea.{{ item }}.backup.sh"
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop:
+    - 'postgres'
+    - 'data'
+    - 'lfs'
+    - 'repositories'
+
+- name: Ensure service file is present
+  ansible.builtin.copy:
+    src: 'gitea.service'
+    dest: '/lib/systemd/system/gitea.service'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: res
+
+- name: systemd-reload
+  ansible.builtin.systemd_service:
+    daemon_reload: true
+  when: 'res.changed'
+
+- name: Ensure gitea service is enabled
+  ansible.builtin.service:
+    name: 'gitea'
+    enabled: true

roles/gitea/templates/app.ini.j2

@@ -0,0 +1,112 @@
+APP_NAME = The Rusty Bever
+RUN_MODE = prod
+RUN_USER = git
+WORK_PATH = /data/gitea
+
+[repository]
+ROOT = /data/git/repositories
+; Makes public the default option when creating a repo
+DEFAULT_PRIVATE = public
+; Disables releases, projects & wiki by default for new repos (but can be enabled when needed)
+DEFAULT_REPO_UNITS = repo.code,repo.issues,repo.pulls
+; Might as well be compatible with
+DEFAULT_BRANCH = main
+
+[repository.pull-request]
+WORK_IN_PROGRESS_PREFIXES = WIP:,[WIP]:,Draft:,[Draft]:
+
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+
+[ui]
+; Always show the full name of a user when possible
+DEFAULT_SHOW_FULL_NAME = true
+THEMES = auto,gitea,arc-green,gitea-modern
+
+[server]
+APP_DATA_PATH = /data/gitea
+DOMAIN = git.rustybever.be
+SSH_DOMAIN = git.rustybever.be
+HTTP_PORT = 3000
+ROOT_URL = https://git.rustybever.be/
+DISABLE_SSH = false
+SSH_PORT = 22
+SSH_LISTEN_PORT = 22
+LFS_START_SERVER = true
+OFFLINE_MODE = false
+LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }}
+
+[lfs]
+PATH = /data/git/lfs
+
+[database]
+PATH = /data/gitea/gitea.db
+DB_TYPE = postgres
+HOST = db:5432
+NAME = gitea
+USER = gitea
+PASSWD = gitea
+LOG_SQL = false
+SCHEMA = 
+SSL_MODE = disable
+CHARSET = utf8
+
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+PROVIDER = file
+
+[picture]
+AVATAR_UPLOAD_PATH = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+DISABLE_GRAVATAR = false
+ENABLE_FEDERATED_AVATAR = true
+
+[attachment]
+PATH = /data/gitea/attachments
+
+[log]
+MODE = console
+LEVEL = info
+REDIRECT_MACARON_LOG = true
+MACARON = console
+ROUTER = console
+ROOT_PATH = /data/gitea/log
+
+[security]
+INSTALL_LOCK = true
+MIN_PASSWORD_LENGTH = 12
+PASSWORD_COMPLEXITY = lower,upper,digit
+SECRET_KEY = {{ gitea_secret_key }}
+INTERNAL_TOKEN = {{ gitea_internal_token }}
+
+[service]
+DISABLE_REGISTRATION = true
+REQUIRE_SIGNIN_VIEW = false
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.localhost
+
+[mailer]
+ENABLED = false
+
+[openid]
+ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNUP = false
+
+[oauth2]
+JWT_SECRET = {{ gitea_jwt_secret }}
+
+[other]
+SHOW_FOOTER_VERSION = false
+SHOW_FOOTER_TEMPLATE_LOAD_TIME = false

ruby.yml

@@ -57,3 +57,9 @@
   roles:
     - atuin-server
   tags: atuin
+
+- hosts: ruby
+  become: yes
+  roles:
+    - gitea
+  tags: gitea

web.yml

@@ -46,3 +46,9 @@
   roles:
     - atuin-server-web
   tags: atuin
+
+- hosts: web
+  become: yes
+  roles:
+    - gitea-web
+  tags: atuin