rick-infra/roles/gitea/defaults/main.yml

---
# =================================================================
# Gitea Git Service Role - Simplified Configuration
# =================================================================
# Self-contained Gitea installation that manages its own database
# Follows rick-infra patterns for pragmatic service deployment

# =================================================================
# Service Configuration
# =================================================================

# Service Management
gitea_service_enabled: true
gitea_service_state: "started"

# User and Paths (Arch Linux defaults)
gitea_user: "git" 
gitea_group: "git"
gitea_home: "/var/lib/gitea"

# Network Configuration
gitea_http_port: 3000

# =================================================================
# Domain and Caddy Integration 
# =================================================================

# Domain setup (follows rick-infra pattern)
gitea_http_domain: "git.jnss.me"
gitea_ssh_domain: "jnss.me"

# Caddy integration
caddy_sites_enabled_dir: "/etc/caddy/sites-enabled"

# =================================================================
# Database Configuration (Self-Contained)
# =================================================================

# Gitea manages its own database (Unix socket connection)
# Uses infrastructure variables for consistent socket path reference
gitea_db_type: "postgres"
gitea_db_host: "{{ postgresql_unix_socket_directories }}"  # Unix socket from infrastructure
gitea_db_port: "{{ postgresql_port }}"
gitea_db_name: "gitea"
gitea_db_user: "gitea"
gitea_db_password: "{{ vault_gitea_db_password }}"

# =================================================================
# Application Settings
# =================================================================

# Basic Gitea configuration
gitea_app_name: "Gitea: Git with a cup of tea"
gitea_run_mode: "prod"

# Repository settings
gitea_default_branch: "main"
gitea_enable_lfs: true

# =================================================================
# Private Git Server & OAuth Configuration
# =================================================================

# Access Control - Private server with public repos allowed
gitea_disable_registration: true          # No public registration (admin only)
gitea_require_signin: false                # Require sign-in (unauthorized users read-only)
gitea_show_registration_button: false     # Hide registration UI

# OAuth Configuration - Preferred but not forced
gitea_enable_password_signin: false       # Hide password login form
gitea_enable_basic_auth: true             # Keep password API auth as backup
gitea_oauth2_auto_registration: true      # Auto-create OAuth users
gitea_oauth2_account_linking: "login"     # Show account linking page
gitea_oauth2_username_source: "preferred_username"
gitea_oauth2_update_avatar: true
gitea_oauth2_scopes: "profile,email,groups"
gitea_oauth2_register_email_confirm: false

# =================================================================
# Email Configuration (Titan Email via Hostinger)
# =================================================================

gitea_mailer_enabled: true
gitea_mailer_protocol: "smtp+starttls"    # Port 587 with STARTTLS
gitea_smtp_addr: "smtp.titan.email"
gitea_smtp_port: 587
gitea_mailer_from: "hello@jnss.me"
gitea_mailer_user: "hello@jnss.me"
gitea_mailer_password: "{{ vault_smtp_password }}"
gitea_mailer_subject_prefix: "[Gitea]"

# =================================================================
# Enhanced Security Settings
# =================================================================

# Session Security
gitea_session_provider: "file"
gitea_session_cookie_name: "gitea_session"
gitea_session_life_time: 3600             # 1 hour
gitea_cookie_secure: true                 # HTTPS-only cookies
gitea_session_same_site: "strict"         # Strict CSRF protection

# Security Hardening
gitea_csrf_cookie_httponly: true          # Prevent XSS on CSRF token
gitea_password_check_pwn: true            # Check password breach database
gitea_reverse_proxy_limit: 1              # Trust only one proxy (Caddy)
gitea_reverse_proxy_trusted_proxies: "127.0.0.0/8,::1/128"

# =================================================================
# Repository Configuration
# =================================================================

# Privacy Defaults (private by default, public allowed)
gitea_default_private: "private"          # New repos are private
gitea_default_push_create_private: true   # Push-created repos are private
# Note: NOT setting gitea_force_private - allows public repos

# Repository Features
gitea_disabled_repo_units: "repo.ext_issues,repo.ext_wiki"
gitea_enable_push_create_user: false      # Require manual repo creation
gitea_enable_push_create_org: false

# =================================================================
# Features & Capabilities
# =================================================================

# CI/CD Actions
gitea_actions_enabled: true               # Enable Gitea Actions
gitea_actions_default_url: "github"       # Use GitHub actions
gitea_actions_log_retention_days: 90
gitea_actions_artifact_retention_days: 30

# Repository Mirroring
gitea_mirror_enabled: true
gitea_mirror_default_interval: "8h"
gitea_mirror_min_interval: "1h"

# Organization & User Management
gitea_allow_create_org: true              # Users can create orgs

# API Configuration
gitea_api_swagger_enabled: false          # Disable API docs

# Webhook Security
gitea_webhook_allowed_hosts: "private,loopback"
gitea_webhook_skip_tls_verify: false
gitea_webhook_deliver_timeout: 5

# =================================================================
# Service Explore Configuration
# =================================================================

gitea_explore_require_signin: false       # Allow browsing public content

# =================================================================
# SSH Mode Configuration
# =================================================================

# SSH Mode: 'passthrough' or 'dedicated'
# - passthrough (default): Use system SSH on port 22
#   * More secure (single SSH daemon, smaller attack surface)
#   * Standard Git URLs (no :2222 port number needed)
#   * System fail2ban automatically protects Git operations
#   * Recommended for production use
#
# - dedicated (fallback): Run Gitea's built-in SSH server on port 2222
#   * Complete isolation from system SSH
#   * Independent configuration and restarts
#   * Requires opening port 2222 in firewall
#   * Useful for debugging or when passthrough causes issues
gitea_ssh_mode: "passthrough"

# Dynamic SSH configuration based on mode
gitea_ssh_port: "{{ 22 if gitea_ssh_mode == 'passthrough' else 2222 }}"
gitea_start_ssh_server: "{{ false if gitea_ssh_mode == 'passthrough' else true }}"

# =================================================================
# Firewall Configuration
# =================================================================

# Firewall management (only opens port in dedicated mode)
gitea_manage_firewall: "{{ true if gitea_ssh_mode == 'dedicated' else false }}"

# =================================================================
# Infrastructure Dependencies (Read-only)
# =================================================================
# These variables reference infrastructure services defined by their roles
# Applications MUST NOT modify these values - they are provided by infrastructure

postgresql_unix_socket_directories: "/var/run/postgresql"
postgresql_client_group: "postgres-clients"
postgresql_port: 5432

# =================================================================
# Rick-Infra Integration Notes
# =================================================================
# This role:
# - Depends on PostgreSQL infrastructure role
# - Creates its own database and user 
# - Deploys Caddy configuration to sites-enabled
# - Uses native Arch Linux Gitea package
# - Follows self-contained service pattern