joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cf71fb3a8de05203872ab283d5ca874238e601d1
rick-infra/roles/gitea/defaults/main.yml
Joakim cf71fb3a8d Implement SSH passthrough mode and refactor Gitea domain configuration 
Major Changes:
- Add dual SSH mode system (passthrough default, dedicated fallback)
- Refactor domain configuration to use direct specification pattern
- Fix critical fail2ban security gap in dedicated mode
- Separate HTTP and SSH domains for cleaner Git URLs
2025-12-17 21:51:24 +01:00

112 lines
4.1 KiB
YAML
Raw Blame History

---
# =================================================================
# Gitea Git Service Role - Simplified Configuration
# =================================================================
# Self-contained Gitea installation that manages its own database
# Follows rick-infra patterns for pragmatic service deployment
# =================================================================
# Service Configuration
# =================================================================
# Service Management
gitea_service_enabled: true
gitea_service_state: "started"
# User and Paths (Arch Linux defaults)
gitea_user: "git"
gitea_group: "git"
gitea_home: "/var/lib/gitea"
# Network Configuration
gitea_http_port: 3000
# =================================================================
# Domain and Caddy Integration
# =================================================================
# Domain setup (follows rick-infra pattern)
gitea_http_domain: "git.jnss.me"
gitea_ssh_domain: "jnss.me"
# Caddy integration
caddy_sites_enabled_dir: "/etc/caddy/sites-enabled"
# =================================================================
# Database Configuration (Self-Contained)
# =================================================================
# Gitea manages its own database (Unix socket connection)
# Uses infrastructure variables for consistent socket path reference
gitea_db_type: "postgres"
gitea_db_host: "{{ postgresql_unix_socket_directories }}" # Unix socket from infrastructure
gitea_db_port: "{{ postgresql_port }}"
gitea_db_name: "gitea"
gitea_db_user: "gitea"
gitea_db_password: "{{ vault_gitea_db_password }}"
# =================================================================
# Application Settings
# =================================================================
# Basic Gitea configuration
gitea_app_name: "Gitea: Git with a cup of tea"
gitea_run_mode: "prod"
# Repository settings
gitea_default_branch: "main"
gitea_enable_lfs: true
# Security settings
gitea_disable_registration: false
gitea_require_signin: false
# =================================================================
# SSH Mode Configuration
# =================================================================
# SSH Mode: 'passthrough' or 'dedicated'
# - passthrough (default): Use system SSH on port 22
# * More secure (single SSH daemon, smaller attack surface)
# * Standard Git URLs (no :2222 port number needed)
# * System fail2ban automatically protects Git operations
# * Recommended for production use
#
# - dedicated (fallback): Run Gitea's built-in SSH server on port 2222
# * Complete isolation from system SSH
# * Independent configuration and restarts
# * Requires opening port 2222 in firewall
# * Useful for debugging or when passthrough causes issues
gitea_ssh_mode: "passthrough"
# Dynamic SSH configuration based on mode
gitea_ssh_port: "{{ 22 if gitea_ssh_mode == 'passthrough' else 2222 }}"
gitea_start_ssh_server: "{{ false if gitea_ssh_mode == 'passthrough' else true }}"
# =================================================================
# Firewall Configuration
# =================================================================
# Firewall management (only opens port in dedicated mode)
gitea_manage_firewall: "{{ true if gitea_ssh_mode == 'dedicated' else false }}"
# =================================================================
# Infrastructure Dependencies (Read-only)
# =================================================================
# These variables reference infrastructure services defined by their roles
# Applications MUST NOT modify these values - they are provided by infrastructure
postgresql_unix_socket_directories: "/var/run/postgresql"
postgresql_client_group: "postgres-clients"
postgresql_port: 5432
# =================================================================
# Rick-Infra Integration Notes
# =================================================================
# This role:
# - Depends on PostgreSQL infrastructure role
# - Creates its own database and user
# - Deploys Caddy configuration to sites-enabled
# - Uses native Arch Linux Gitea package
# - Follows self-contained service pattern
Reference in New Issue View Git Blame Copy Permalink