---
# =================================================================
# Gitea Git Service Role - Simplified Configuration
# =================================================================
# Role defaults for a self-contained Gitea installation that manages
# its own PostgreSQL database and is published through Caddy.
# Follows rick-infra patterns for pragmatic service deployment.
#
# Secrets are only ever referenced through vault_* variables; never put
# a literal password in this file.
# =================================================================

# =================================================================
# Service Configuration
# =================================================================

# Service Management
gitea_service_enabled: true
gitea_service_state: "started"

# User and Paths (Arch Linux defaults)
gitea_user: "git"
gitea_group: "git"
gitea_home: "/var/lib/gitea"

# Network Configuration
# Port Gitea listens on behind Caddy. NOTE(review): the reverse-proxy
# trust settings below assume this port is reachable only from the
# loopback proxy; confirm it is not bound on a public interface.
gitea_http_port: 3000

# =================================================================
# Domain and Caddy Integration
# =================================================================

# Domain setup (follows rick-infra pattern)
gitea_http_domain: "git.jnss.me"
# Host advertised in SSH clone URLs; in passthrough mode (below) this must
# resolve to the host running the system sshd.
gitea_ssh_domain: "jnss.me"

# Caddy integration - the role deploys its site file into this directory
caddy_sites_enabled_dir: "/etc/caddy/sites-enabled"

# =================================================================
# Database Configuration (Self-Contained)
# =================================================================

# Gitea manages its own database (Unix socket connection)
# Uses infrastructure variables for consistent socket path reference
gitea_db_type: "postgres"
# Unix socket directory from infrastructure: no TCP listener is needed and
# the DB password never crosses the network. NOTE(review): this relies on
# Gitea treating an absolute path as a socket directory - confirm in the
# rendered app.ini.
gitea_db_host: "{{ postgresql_unix_socket_directories }}"
gitea_db_port: "{{ postgresql_port }}"
gitea_db_name: "gitea"
gitea_db_user: "gitea"
# Sourced from Ansible Vault only.
gitea_db_password: "{{ vault_gitea_db_password }}"

# =================================================================
# Application Settings
# =================================================================

# Basic Gitea configuration
gitea_app_name: "Gitea: Git with a cup of tea"
gitea_run_mode: "prod"

# Repository settings
gitea_default_branch: "main"
gitea_enable_lfs: true

# =================================================================
# Private Git Server & OAuth Configuration
# =================================================================

# Access Control - Private server with public repos allowed
gitea_disable_registration: true        # No self-service registration (admin creates accounts)
gitea_require_signin: false             # Sign-in NOT required to view: anonymous users can read public repos
gitea_show_registration_button: false   # Hide registration UI

# OAuth Configuration - Preferred but not forced
gitea_enable_password_signin: false     # Hide password login form in the web UI
# Password credentials remain usable for API / git-over-HTTP basic auth.
# This is a bypass of the OAuth provider for any account that has a local
# password (notably the admin), so those passwords must be strong; prefer
# access tokens and 2FA for such accounts.
gitea_enable_basic_auth: true           # Keep password API auth as backup
# NOTE(review): Gitea may refuse to auto-create OAuth users while
# registration is disabled above (ALLOW_ONLY_EXTERNAL_REGISTRATION is the
# usual pairing). Verify that a first-time OAuth login actually succeeds.
gitea_oauth2_auto_registration: true    # Auto-create OAuth users
gitea_oauth2_account_linking: "login"   # Show account linking page
gitea_oauth2_username_source: "preferred_username"
gitea_oauth2_update_avatar: true
gitea_oauth2_scopes: "profile,email,groups"
gitea_oauth2_register_email_confirm: false  # Trust the IdP-verified e-mail; no extra confirmation mail

# =================================================================
# Email Configuration (Titan Email via Hostinger)
# =================================================================

gitea_mailer_enabled: true
gitea_mailer_protocol: "smtp+starttls"  # Port 587 with STARTTLS (TLS required, not opportunistic)
gitea_smtp_addr: "smtp.titan.email"
gitea_smtp_port: 587
gitea_mailer_from: "hello@jnss.me"
gitea_mailer_user: "hello@jnss.me"
# Sourced from Ansible Vault only.
gitea_mailer_password: "{{ vault_smtp_password }}"
gitea_mailer_subject_prefix: "[Gitea]"

# =================================================================
# Enhanced Security Settings
# =================================================================

# Session Security
gitea_session_provider: "file"
gitea_session_cookie_name: "gitea_session"
gitea_session_life_time: 3600           # 1 hour, in seconds
gitea_cookie_secure: true               # HTTPS-only cookies (Caddy terminates TLS)
# NOTE(review): "strict" can drop the session/state cookie on the
# cross-site redirect back from the OAuth provider. If OAuth login loops
# back to the sign-in page, relax this to "lax" (Gitea's default).
gitea_session_same_site: "strict"       # Strict CSRF protection

# Security Hardening
gitea_csrf_cookie_httponly: true        # CSRF cookie unreadable by page scripts (limits token theft via XSS; does not prevent XSS itself)
gitea_password_check_pwn: true          # Reject passwords found in a breach database (needs outbound HTTPS - TODO confirm egress is allowed)
# Only the first hop's X-Forwarded-* / X-Real-IP is honoured, and only when
# it comes from loopback. Together with the port note above this keeps
# clients from spoofing their source address in logs and rate limiting.
gitea_reverse_proxy_limit: 1            # Trust only one proxy (Caddy)
gitea_reverse_proxy_trusted_proxies: "127.0.0.0/8,::1/128"  # Caddy on the same host only

# =================================================================
# Repository Configuration
# =================================================================

# Privacy Defaults (private by default, public allowed)
gitea_default_private: "private"        # New repos are private
gitea_default_push_create_private: true # Push-created repos are private
# Note: NOT setting gitea_force_private - allows users to make repos public

# Repository Features
gitea_disabled_repo_units: "repo.ext_issues,repo.ext_wiki"  # No external issue tracker / wiki links
gitea_enable_push_create_user: false    # Require manual repo creation
gitea_enable_push_create_org: false

# =================================================================
# Features & Capabilities
# =================================================================

# CI/CD Actions
gitea_actions_enabled: true             # Enable Gitea Actions
# Unqualified "uses:" references resolve to github.com. Third-party
# actions fetched from there run as untrusted code on the runner; pin them
# to a commit SHA rather than a mutable tag.
gitea_actions_default_url: "github"
gitea_actions_log_retention_days: 90
gitea_actions_artifact_retention_days: 30

# Repository Mirroring
gitea_mirror_enabled: true
gitea_mirror_default_interval: "8h"
gitea_mirror_min_interval: "1h"

# Organization & User Management
gitea_allow_create_org: true            # Users can create orgs

# API Configuration
gitea_api_swagger_enabled: false        # Disable API docs endpoint

# Webhook Security
# Webhook targets are restricted to private-range and loopback addresses;
# external hosts are refused. NOTE(review): with OAuth auto-registration
# enabled, any signed-in user can aim a webhook at internal services in
# those ranges (SSRF). If that is not intended, narrow this to the specific
# hosts that need deliveries.
gitea_webhook_allowed_hosts: "private,loopback"
gitea_webhook_skip_tls_verify: false    # Always verify webhook target certificates
gitea_webhook_deliver_timeout: 5        # Seconds per delivery attempt

# =================================================================
# Service Explore Configuration
# =================================================================

gitea_explore_require_signin: false     # Allow anonymous browsing of public content

# =================================================================
# SSH Mode Configuration
# =================================================================

# SSH Mode: 'passthrough' or 'dedicated'
# - passthrough (default): Use system SSH on port 22
#   * More secure (single SSH daemon, smaller attack surface)
#   * Standard Git URLs (no :2222 port number needed)
#   * System fail2ban automatically protects Git operations
#   * Recommended for production use
#
# - dedicated (fallback): Run Gitea's built-in SSH server on port 2222
#   * Complete isolation from system SSH
#   * Independent configuration and restarts
#   * Requires opening port 2222 in firewall
#   * Useful for debugging or when passthrough causes issues
gitea_ssh_mode: "passthrough"

# Dynamic SSH configuration based on mode
gitea_ssh_port: "{{ 22 if gitea_ssh_mode == 'passthrough' else 2222 }}"
gitea_start_ssh_server: "{{ false if gitea_ssh_mode == 'passthrough' else true }}"

# =================================================================
# Firewall Configuration
# =================================================================

# Firewall management (only opens port in dedicated mode)
gitea_manage_firewall: "{{ true if gitea_ssh_mode == 'dedicated' else false }}"

# =================================================================
# Infrastructure Dependencies (Read-only)
# =================================================================

# These variables reference infrastructure services defined by their roles
# Applications MUST NOT modify these values - they are provided by infrastructure
# (Declared here as fallbacks so the role renders standalone; role defaults
# have the lowest precedence, so the infrastructure role's values win.)
postgresql_unix_socket_directories: "/var/run/postgresql"
postgresql_client_group: "postgres-clients"
postgresql_port: 5432

# =================================================================
# Rick-Infra Integration Notes
# =================================================================

# This role:
# - Depends on PostgreSQL infrastructure role
# - Creates its own database and user
# - Deploys Caddy configuration to sites-enabled
# - Uses native Arch Linux Gitea package
# - Follows self-contained service pattern