Add self-contained Gitea Git service with PostgreSQL integration
- Implements a complete Gitea Git service following the rick-infra self-contained architecture - Uses the PostgreSQL infrastructure role as a dependency and manages its own database/user - Native Arch Linux installation via pacman packages - Automatic database setup (gitea database and user creation) - systemd service with security hardening and proper dependency management - Caddy reverse proxy integration deployed to the sites-enabled directory - SSH server on port 2222 with automatic host key generation - Production-ready with LFS support, security headers, and HTTPS via Caddy - Follows a simplified configuration approach with essential variables only - Self-contained pattern: the service manages its complete setup independently
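--- a/roles/gitea/templates/app.ini.j2
+++ b/roles/gitea/templates/app.ini.j2
@@ -0,0 +1,60 @@
+# Gitea Configuration - Rick-Infra
+# Generated by Ansible Gitea role
+
+[DEFAULT]
+APP_NAME = {{ gitea_app_name }}
+RUN_MODE = {{ gitea_run_mode }}
+
+[repository]
+ROOT = {{ gitea_home }}/repositories
+DEFAULT_BRANCH = {{ gitea_default_branch }}
+
+[server]
+PROTOCOL = http
+DOMAIN = {{ gitea_full_domain }}
+HTTP_PORT = {{ gitea_http_port }}
+ROOT_URL = https://{{ gitea_full_domain }}/
+DISABLE_SSH = false
+START_SSH_SERVER = {{ gitea_start_ssh_server | lower }}
+SSH_DOMAIN = {{ gitea_full_domain }}
+SSH_PORT = {{ gitea_ssh_port }}
+SSH_LISTEN_PORT = {{ gitea_ssh_port }}
+LOCAL_ROOT_URL = http://127.0.0.1:{{ gitea_http_port }}/
+APP_DATA_PATH = {{ gitea_home }}/data
+
+[database]
+DB_TYPE = {{ gitea_db_type }}
+HOST = {{ gitea_db_host }}:{{ gitea_db_port }}
+NAME = {{ gitea_db_name }}
+USER = {{ gitea_db_user }}
+PASSWD = {{ gitea_db_password }}
+SSL_MODE = disable
+CHARSET = utf8
+
+[security]
+INSTALL_LOCK = true
+SECRET_KEY = {{ ansible_machine_id }}{{ gitea_db_password | hash('sha256') }}
+INTERNAL_TOKEN = {{ (ansible_machine_id + gitea_db_password) | hash('sha256') }}
+
+[service]
+DISABLE_REGISTRATION = {{ gitea_disable_registration | lower }}
+REQUIRE_SIGNIN_VIEW = {{ gitea_require_signin | lower }}
+DEFAULT_KEEP_EMAIL_PRIVATE = true
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+NO_REPLY_ADDRESS = noreply.{{ gitea_domain }}
+
+[log]
+MODE = console
+LEVEL = Info
+ROOT_PATH = {{ gitea_home }}/log
+
+{% if gitea_enable_lfs %}
+[lfs]
+START_SERVER = true
+CONTENT_PATH = {{ gitea_home }}/data/lfs
+{% endif %}
+
+[git]
+PATH = /usr/bin/git
+
+# Rick-Infra: Simplified Gitea configuration for self-contained service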
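Review bot: SECRET_KEY and INTERNAL_TOKEN in the [security] section are derived deterministically from ansible_machine_id and the database password instead of being generated at random, so anyone who learns the machine id (typically world-readable in /etc/machine-id) and the DB password can reconstruct both signing secrets, and SECRET_KEY additionally embeds the raw machine id unhashed. Provision them as independent random values, e.g. `SECRET_KEY = {{ gitea_secret_key }}` and `INTERNAL_TOKEN = {{ gitea_internal_token }}`, with the variables generated once via `gitea generate secret SECRET_KEY` / `gitea generate secret INTERNAL_TOKEN` and kept in Ansible Vault alongside gitea_db_password. The rendered file also carries PASSWD in clear text, so the task that deploys it (outside this diff) should restrict it to the service user, e.g. owner root, group gitea, mode 0640. No LFS_JWT_SECRET is templated under [lfs], so Gitea will presumably try to write one back into app.ini on first start — confirm, and either template it as well or accept that the file must stay writable by the service.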
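--- a/roles/gitea/templates/gitea.caddy.j2
+++ b/roles/gitea/templates/gitea.caddy.j2
@@ -0,0 +1,32 @@
+# Gitea Caddy Configuration - Rick-Infra
+# Generated by Ansible Gitea role
+# Deployed to {{ caddy_sites_enabled_dir }}/gitea.caddy
+
+{{ gitea_full_domain }} {
+# Reverse proxy to Gitea
+reverse_proxy 127.0.0.1:{{ gitea_http_port }}
+
+# Security headers
+header {
+# Enable HSTS
+Strict-Transport-Security max-age=31536000;
+# Prevent embedding in frames
+X-Frame-Options DENY
+# Prevent content type sniffing
+X-Content-Type-Options nosniff
+# XSS protection
+X-XSS-Protection "1; mode=block"
+}
+
+# Logging
+log {
+output file /var/log/caddy/gitea_access.log
+}
+
+# Optional: Custom error pages
+handle_errors {
+respond "Git service temporarily unavailable" 503
+}
+}
+
+# Rick-Infra: Self-contained Gitea service with Caddy reverse proxy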
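Review bot: `X-XSS-Protection "1; mode=block"` in the header block enables a legacy browser filter that current browsers no longer implement and that, in older ones, could itself be abused; the current recommendation is `X-XSS-Protection "0"` or simply dropping the line. The HSTS value `max-age=31536000;` ends in a stray semicolon and omits subdomains; write it quoted as `Strict-Transport-Security "max-age=31536000; includeSubDomains"`. Gitea emits some of these headers itself (X-Frame-Options SAMEORIGIN by default, as far as I recall), and because a plain `header` set runs before reverse_proxy the proxied response may end up carrying two values — adding a `defer` line inside the header block makes Caddy apply them after the upstream response, which is presumably what was intended. A `Referrer-Policy` header would round out the set.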
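--- a/roles/gitea/templates/gitea.service.j2
+++ b/roles/gitea/templates/gitea.service.j2
@@ -0,0 +1,33 @@
+# Gitea SystemD Service - Rick-Infra
+# Generated by Ansible Gitea role
+
+[Unit]
+Description=Gitea Git with a cup of tea
+After=network.target postgresql.service
+Wants=postgresql.service
+
+[Service]
+Type=simple
+User={{ gitea_user }}
+Group={{ gitea_group }}
+WorkingDirectory={{ gitea_home }}
+ExecStart=/usr/bin/gitea web --config /etc/gitea/app.ini
+Restart=always
+RestartSec=10
+
+# Security hardening
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectHome=true
+ProtectSystem=strict
+ReadWritePaths={{ gitea_home }}
+ReadWritePaths=/etc/gitea
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+
+# Process limits
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
+
+# Rick-Infra: Self-contained Gitea service with security hardening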
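Review bot: `ReadWritePaths=/etc/gitea` lets the service rewrite the configuration that holds its own DB password and signing secrets, which gives back part of what ProtectSystem=strict takes away; if write access is only needed so Gitea can persist auto-generated secrets on first start, narrow it to `ReadWritePaths=/etc/gitea/app.ini`, or template those secrets and drop the line so the directory stays read-only. `ProtectHome=true` makes /home inaccessible, so if gitea_home is ever rendered under /home the ReadWritePaths entry may not expose it — confirm the variable's value or use `ProtectHome=read-only` with an explicit bind. The hardening block also lacks the usual companion directives for an unprivileged Go daemon (no capabilities, no device or kernel-tunable access, native syscall ABI only); the fence below adds them after RestrictAddressFamilies, and since Gitea spawns git subprocesses the `@system-service` filter should be verified against a clone/push before rollout.
```ini
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
CapabilityBoundingSet=
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectClock=true
RestrictNamespaces=true
RestrictRealtime=true
LockPersonality=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
# … unchanged: process limits, [Install] …
```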