Joakim
467e79c84b
Major Changes: - Configure private Git server with OAuth-preferred authentication - Integrate Titan Email for notifications and OAuth workflows - Enable CI/CD Actions and repository mirroring - Implement enhanced security hardening Authentication & Access Control: - Require sign-in for all access (unauthorized users blocked) - OAuth via Authentik as primary login method (password form hidden) - Password authentication still functional as backup via direct URL - Registration disabled (admin-only user creation) - Auto-registration for OAuth users with account linking support Email Configuration (Titan Email): - SMTP: smtp.titan.email:587 (STARTTLS) - From address: hello@jnss.me - Used for: OAuth account linking, notifications, confirmations - Subject prefix: [Gitea] Repository Privacy & Features: - Private repositories by default (public repos allowed) - Unauthorized users cannot view any content (must sign in) - External integrations disabled (ext_issues, ext_wiki) - Manual repository creation required (no push-to-create) - LFS enabled for large file storage Features Enabled: - CI/CD Actions with GitHub actions support - Repository mirroring (pull/push mirrors enabled) - User organization creation - Webhook security (restricted to private/loopback) Security Enhancements: - HTTPS-only session cookies with strict SameSite policy - CSRF cookie HTTP-only protection - Password breach checking (HaveIBeenPwned) - 1-hour session timeout (reduced from 24h) - Reverse proxy trust limited to Caddy only - API Swagger docs disabled in production Configuration Sections Added: - [oauth2_client] - OAuth integration settings - [mailer] - Email/SMTP configuration - [session] - Enhanced session security - [actions] - CI/CD workflow configuration - [mirror] - Repository mirroring settings - [api] - API access configuration - [webhook] - Webhook security restrictions - [service.explore] - Public content settings Files Changed: - roles/gitea/defaults/main.yml: +97 lines (OAuth, email, security vars) - roles/gitea/templates/app.ini.j2: +94 lines (config sections) - host_vars/arch-vps/vault.yml: +1 line (SMTP password - not committed) Deployment Status: - Successfully deployed to arch-vps - Service running and healthy - Ready for OAuth provider configuration in Authentik - Tested: HTTP access, configuration generation, service health
203 lines
7.8 KiB
YAML
203 lines
7.8 KiB
YAML
---
|
|
# =================================================================
|
|
# Gitea Git Service Role - Simplified Configuration
|
|
# =================================================================
|
|
# Self-contained Gitea installation that manages its own database
|
|
# Follows rick-infra patterns for pragmatic service deployment
|
|
|
|
# =================================================================
|
|
# Service Configuration
|
|
# =================================================================
|
|
|
|
# Service Management
|
|
gitea_service_enabled: true
|
|
gitea_service_state: "started"
|
|
|
|
# User and Paths (Arch Linux defaults)
|
|
gitea_user: "git"
|
|
gitea_group: "git"
|
|
gitea_home: "/var/lib/gitea"
|
|
|
|
# Network Configuration
|
|
gitea_http_port: 3000
|
|
|
|
# =================================================================
|
|
# Domain and Caddy Integration
|
|
# =================================================================
|
|
|
|
# Domain setup (follows rick-infra pattern)
|
|
gitea_http_domain: "git.jnss.me"
|
|
gitea_ssh_domain: "jnss.me"
|
|
|
|
# Caddy integration
|
|
caddy_sites_enabled_dir: "/etc/caddy/sites-enabled"
|
|
|
|
# =================================================================
|
|
# Database Configuration (Self-Contained)
|
|
# =================================================================
|
|
|
|
# Gitea manages its own database (Unix socket connection)
|
|
# Uses infrastructure variables for consistent socket path reference
|
|
gitea_db_type: "postgres"
|
|
gitea_db_host: "{{ postgresql_unix_socket_directories }}" # Unix socket from infrastructure
|
|
gitea_db_port: "{{ postgresql_port }}"
|
|
gitea_db_name: "gitea"
|
|
gitea_db_user: "gitea"
|
|
gitea_db_password: "{{ vault_gitea_db_password }}"
|
|
|
|
# =================================================================
|
|
# Application Settings
|
|
# =================================================================
|
|
|
|
# Basic Gitea configuration
|
|
gitea_app_name: "Gitea: Git with a cup of tea"
|
|
gitea_run_mode: "prod"
|
|
|
|
# Repository settings
|
|
gitea_default_branch: "main"
|
|
gitea_enable_lfs: true
|
|
|
|
# =================================================================
|
|
# Private Git Server & OAuth Configuration
|
|
# =================================================================
|
|
|
|
# Access Control - Private server with public repos allowed
|
|
gitea_disable_registration: true # No public registration (admin only)
|
|
gitea_require_signin: true # Require sign-in (unauthorized users read-only)
|
|
gitea_show_registration_button: false # Hide registration UI
|
|
|
|
# OAuth Configuration - Preferred but not forced
|
|
gitea_enable_password_signin: false # Hide password login form
|
|
gitea_enable_basic_auth: true # Keep password API auth as backup
|
|
gitea_oauth2_auto_registration: true # Auto-create OAuth users
|
|
gitea_oauth2_account_linking: "login" # Show account linking page
|
|
gitea_oauth2_username_source: "preferred_username"
|
|
gitea_oauth2_update_avatar: true
|
|
gitea_oauth2_scopes: "profile,email,groups"
|
|
gitea_oauth2_register_email_confirm: false
|
|
|
|
# =================================================================
|
|
# Email Configuration (Titan Email via Hostinger)
|
|
# =================================================================
|
|
|
|
gitea_mailer_enabled: true
|
|
gitea_mailer_protocol: "smtp+starttls" # Port 587 with STARTTLS
|
|
gitea_smtp_addr: "smtp.titan.email"
|
|
gitea_smtp_port: 587
|
|
gitea_mailer_from: "hello@jnss.me"
|
|
gitea_mailer_user: "hello@jnss.me"
|
|
gitea_mailer_password: "{{ vault_gitea_smtp_password }}"
|
|
gitea_mailer_subject_prefix: "[Gitea]"
|
|
|
|
# =================================================================
|
|
# Enhanced Security Settings
|
|
# =================================================================
|
|
|
|
# Session Security
|
|
gitea_session_provider: "file"
|
|
gitea_session_cookie_name: "gitea_session"
|
|
gitea_session_life_time: 3600 # 1 hour
|
|
gitea_cookie_secure: true # HTTPS-only cookies
|
|
gitea_session_same_site: "strict" # Strict CSRF protection
|
|
|
|
# Security Hardening
|
|
gitea_csrf_cookie_httponly: true # Prevent XSS on CSRF token
|
|
gitea_password_check_pwn: true # Check password breach database
|
|
gitea_reverse_proxy_limit: 1 # Trust only one proxy (Caddy)
|
|
gitea_reverse_proxy_trusted_proxies: "127.0.0.0/8,::1/128"
|
|
|
|
# =================================================================
|
|
# Repository Configuration
|
|
# =================================================================
|
|
|
|
# Privacy Defaults (private by default, public allowed)
|
|
gitea_default_private: "private" # New repos are private
|
|
gitea_default_push_create_private: true # Push-created repos are private
|
|
# Note: NOT setting gitea_force_private - allows public repos
|
|
|
|
# Repository Features
|
|
gitea_disabled_repo_units: "repo.ext_issues,repo.ext_wiki"
|
|
gitea_enable_push_create_user: false # Require manual repo creation
|
|
gitea_enable_push_create_org: false
|
|
|
|
# =================================================================
|
|
# Features & Capabilities
|
|
# =================================================================
|
|
|
|
# CI/CD Actions
|
|
gitea_actions_enabled: true # Enable Gitea Actions
|
|
gitea_actions_default_url: "github" # Use GitHub actions
|
|
gitea_actions_log_retention_days: 90
|
|
gitea_actions_artifact_retention_days: 30
|
|
|
|
# Repository Mirroring
|
|
gitea_mirror_enabled: true
|
|
gitea_mirror_default_interval: "8h"
|
|
gitea_mirror_min_interval: "1h"
|
|
|
|
# Organization & User Management
|
|
gitea_allow_create_org: true # Users can create orgs
|
|
|
|
# API Configuration
|
|
gitea_api_swagger_enabled: false # Disable API docs
|
|
|
|
# Webhook Security
|
|
gitea_webhook_allowed_hosts: "private,loopback"
|
|
gitea_webhook_skip_tls_verify: false
|
|
gitea_webhook_deliver_timeout: 5
|
|
|
|
# =================================================================
|
|
# Service Explore Configuration
|
|
# =================================================================
|
|
|
|
gitea_explore_require_signin: false # Allow browsing public content
|
|
|
|
# =================================================================
|
|
# SSH Mode Configuration
|
|
# =================================================================
|
|
|
|
# SSH Mode: 'passthrough' or 'dedicated'
|
|
# - passthrough (default): Use system SSH on port 22
|
|
# * More secure (single SSH daemon, smaller attack surface)
|
|
# * Standard Git URLs (no :2222 port number needed)
|
|
# * System fail2ban automatically protects Git operations
|
|
# * Recommended for production use
|
|
#
|
|
# - dedicated (fallback): Run Gitea's built-in SSH server on port 2222
|
|
# * Complete isolation from system SSH
|
|
# * Independent configuration and restarts
|
|
# * Requires opening port 2222 in firewall
|
|
# * Useful for debugging or when passthrough causes issues
|
|
gitea_ssh_mode: "passthrough"
|
|
|
|
# Dynamic SSH configuration based on mode
|
|
gitea_ssh_port: "{{ 22 if gitea_ssh_mode == 'passthrough' else 2222 }}"
|
|
gitea_start_ssh_server: "{{ false if gitea_ssh_mode == 'passthrough' else true }}"
|
|
|
|
# =================================================================
|
|
# Firewall Configuration
|
|
# =================================================================
|
|
|
|
# Firewall management (only opens port in dedicated mode)
|
|
gitea_manage_firewall: "{{ true if gitea_ssh_mode == 'dedicated' else false }}"
|
|
|
|
# =================================================================
|
|
# Infrastructure Dependencies (Read-only)
|
|
# =================================================================
|
|
# These variables reference infrastructure services defined by their roles
|
|
# Applications MUST NOT modify these values - they are provided by infrastructure
|
|
|
|
postgresql_unix_socket_directories: "/var/run/postgresql"
|
|
postgresql_client_group: "postgres-clients"
|
|
postgresql_port: 5432
|
|
|
|
# =================================================================
|
|
# Rick-Infra Integration Notes
|
|
# =================================================================
|
|
# This role:
|
|
# - Depends on PostgreSQL infrastructure role
|
|
# - Creates its own database and user
|
|
# - Deploys Caddy configuration to sites-enabled
|
|
# - Uses native Arch Linux Gitea package
|
|
# - Follows self-contained service pattern
|