rick-infra/roles/gitea/tasks/main.yml
Joakim 2fe194ba82 Implement modular nftables architecture and Gitea SSH firewall management
- Restructure security playbook with modular nftables loader
- Base rules loaded first, service rules second, drop rule last
- Add Gitea self-contained firewall management (port 2222)
- Add fail2ban protection for Gitea SSH brute force attacks
- Update documentation with new firewall architecture
- Create comprehensive Gitea deployment and testing guide

This enables self-contained service roles to manage their own firewall
rules without modifying the central security playbook. Each service
deploys rules to /etc/nftables.d/ which are loaded before the final
drop rule, maintaining the defense-in-depth security model.
2025-12-16 21:45:22 +01:00


---
# Gitea Service Role - Self-Contained Implementation
# Manages Gitea Git service with own database
- name: Validate infrastructure variables are defined
  # Fail early when the PostgreSQL role has not exported the variables the
  # socket-based database tasks below rely on. postgresql_port is asserted
  # here but not referenced anywhere else in this file.
  ansible.builtin.assert:
    that:
      - postgresql_unix_socket_directories is defined
      - postgresql_client_group is defined
      - postgresql_port is defined
    fail_msg: "Missing required infrastructure variables. Ensure PostgreSQL role has run first."
    success_msg: "Infrastructure variables validated successfully"
- name: Install Gitea from Arch repository
  # Distribution package; the unit file and app.ini are replaced by this
  # role's own templates further down.
  community.general.pacman:
    name: gitea
    state: present
# Firewall configuration - self-managed by Gitea role
- name: Configure firewall for Gitea SSH
  # Static import: the tags and the when-condition below are inherited by
  # every task inside firewall.yml, so the whole file is skipped together.
  ansible.builtin.import_tasks: firewall.yml
  tags:
    - firewall
  when: gitea_manage_firewall | default(true)
# fail2ban protection - self-managed by Gitea role
- name: Configure fail2ban for Gitea SSH
  # Gated on the same switch as the nftables rules: disabling
  # gitea_manage_firewall also disables the brute-force protection.
  ansible.builtin.import_tasks: fail2ban.yml
  tags:
    - fail2ban
    - security
  when: gitea_manage_firewall | default(true)
- name: Install Git
  # Gitea shells out to git for repository operations.
  community.general.pacman:
    name: git
    state: present
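- name: Create Gitea user and group
  # Dedicated system account for the service. A real login shell is kept
  # because SSH clones (see the summary message at the end of this file)
  # presumably run through this user's shell — confirm against the SSH
  # setup in app.ini.j2 before tightening it to nologin.
  ansible.builtin.user:
    name: "{{ gitea_user }}"
    group: "{{ gitea_group }}"
    # Canonical booleans instead of YAML 1.1 "yes" (truthy lint rule).
    system: true
    shell: /bin/bash
    home: "{{ gitea_home }}"
    create_home: true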
- name: Create Gitea directories
  # Runtime directories plus /etc/gitea, all owned by the service account.
  # NOTE(review): giving the service account ownership of /etc/gitea means a
  # compromised Gitea process could rewrite its own configuration; root-owned
  # with group read access is an option once app.ini.j2 pins every generated
  # secret (otherwise Gitea may need to write them back) — confirm first.
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: "{{ gitea_user }}"
    group: "{{ gitea_group }}"
    mode: '0755'
  loop:
    - "{{ gitea_home }}"
    - "{{ gitea_home }}/data"
    - "{{ gitea_home }}/repositories"
    - "{{ gitea_home }}/log"
    - /etc/gitea
- name: Create Gitea SSH directory with proper permissions
  # 0700 keeps authorized_keys private and satisfies sshd's StrictModes
  # ownership/permission checks on the home directory tree.
  ansible.builtin.file:
    path: "{{ gitea_home }}/.ssh"
    state: directory
    owner: "{{ gitea_user }}"
    group: "{{ gitea_group }}"
    mode: '0700'
# Socket access setup (using infrastructure variables)
- name: Add git user to PostgreSQL client group for socket access
  # append keeps the account's existing groups; without it the module
  # would replace the supplementary group list.
  ansible.builtin.user:
    name: "{{ gitea_user }}"
    groups: "{{ postgresql_client_group }}"
    append: true
- name: Test PostgreSQL socket connectivity
  # NOTE(review): the result is neither registered nor evaluated, and the
  # module presumably reports is_available rather than failing, so a broken
  # socket login would only surface in the database tasks below — confirm.
  # Peer login as gitea_user also needs a matching database role, which
  # this file creates only afterwards (as gitea_db_user). The variable name
  # postgresql_unix_socket_directories suggests it may hold several
  # directories while login_unix_socket takes one path — verify its shape.
  community.postgresql.postgresql_ping:
    login_unix_socket: "{{ postgresql_unix_socket_directories }}"
    login_user: "{{ gitea_user }}"
  become: true
  become_user: "{{ gitea_user }}"
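# Self-contained database management
- name: Create Gitea database user via socket
  # no_log keeps gitea_db_password out of task output, verbose runs and
  # callback/log plugins; without it the module arguments are printed on
  # failure and in -v output.
  no_log: true
  community.postgresql.postgresql_user:
    name: "{{ gitea_db_user }}"
    password: "{{ gitea_db_password }}"
    # Store the password hashed in the database rather than in clear text.
    encrypted: true
    login_unix_socket: "{{ postgresql_unix_socket_directories }}"
    login_user: postgres
  become: true
  become_user: postgres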
- name: Create Gitea database via socket
  # template0 is used so the encoding can be set explicitly; the new
  # database is owned by the role created in the previous task.
  community.postgresql.postgresql_db:
    name: "{{ gitea_db_name }}"
    owner: "{{ gitea_db_user }}"
    encoding: UTF8
    template: template0
    login_unix_socket: "{{ postgresql_unix_socket_directories }}"
    login_user: postgres
  become: true
  become_user: postgres
- name: Grant Gitea database privileges
  # Database-level ALL (CONNECT, CREATE, TEMP) for the application role;
  # largely implied by the owner setting above but explicit and harmless.
  community.postgresql.postgresql_privs:
    db: "{{ gitea_db_name }}"
    privs: ALL
    type: database
    role: "{{ gitea_db_user }}"
    login_unix_socket: "{{ postgresql_unix_socket_directories }}"
    login_user: postgres
  become: true
  become_user: postgres
- name: Deploy Gitea configuration
  # app.ini presumably carries the database password, so it is 0600 and
  # readable only by the service account. NOTE(review): with the service
  # account as owner the process can also rewrite its own config; root
  # ownership with group read (0640) is the tighter option once every
  # generated secret is pinned in app.ini.j2 — confirm before changing.
  # Running with --diff would print the rendered file, secrets included.
  ansible.builtin.template:
    src: app.ini.j2
    dest: /etc/gitea/app.ini
    owner: "{{ gitea_user }}"
    group: "{{ gitea_group }}"
    mode: '0600'
  notify: restart gitea
- name: Deploy Gitea systemd service file
  # No owner given: the unit ends up owned by the privileged user running
  # the play (presumably root). Both handlers fire only on change.
  ansible.builtin.template:
    src: gitea.service.j2
    dest: /etc/systemd/system/gitea.service
    mode: '0644'
  notify:
    - reload systemd
    - restart gitea
- name: Deploy Caddy configuration for Gitea
  # Skipped silently when the Caddy role has not set caddy_sites_enabled_dir;
  # the summary message at the end of this file still prints the https URL.
  ansible.builtin.template:
    src: gitea.caddy.j2
    dest: "{{ caddy_sites_enabled_dir }}/gitea.caddy"
    mode: '0644'
  notify: reload caddy
  when: caddy_sites_enabled_dir is defined
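- name: Enable and start Gitea service
  # daemon_reload picks up the unit file deployed above even before the
  # "reload systemd" handler runs at the end of the play.
  ansible.builtin.systemd:
    name: gitea
    enabled: "{{ gitea_service_enabled }}"
    state: "{{ gitea_service_state }}"
    # Canonical boolean instead of YAML 1.1 "yes" (truthy lint rule).
    daemon_reload: true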
- name: Wait for Gitea to be ready
  # Only checks that the HTTP port is listening on loopback; it does not
  # verify that Gitea answers requests. Skipped unless the service is
  # configured to be started.
  ansible.builtin.wait_for:
    host: "127.0.0.1"
    port: "{{ gitea_http_port }}"
    timeout: 30
  when: gitea_service_state == "started"
- name: Display Gitea service status
  # Human-readable summary; literal block keeps one line per item and a
  # single trailing newline.
  ansible.builtin.debug:
    msg: |
      ✅ Gitea Git service deployed successfully!
      🌐 Web Interface: https://{{ gitea_full_domain }}
      🔗 SSH Clone: ssh://git@{{ gitea_full_domain }}:{{ gitea_ssh_port }}
      📦 Local HTTP: http://127.0.0.1:{{ gitea_http_port }}
      🗄️ Database: {{ gitea_db_name }} (self-managed)
      🏗️ Self-contained service ready for Git repositories!