From 6096767d26c10d277a54caafc8dde0b833d1d613 Mon Sep 17 00:00:00 2001
From: L3D
Date: Mon, 22 Mar 2021 21:08:40 +0100
Subject: [PATCH 1/6] simplify directory handling and start using new ansible name scheme
---
 tasks/directory.yml | 18 ++++++++++++++++++
 tasks/main.yml | 48 +++++++++---------------------------------------
 vars/main.yml | 10 ++++++++++
 3 files changed, 37 insertions(+), 39 deletions(-)
 create mode 100644 tasks/directory.yml
diff --git a/tasks/directory.yml b/tasks/directory.yml
new file mode 100644
index 0000000..a684bb2
--- /dev/null
+++ b/tasks/directory.yml
@@ -0,0 +1,18 @@
+---
+- name: "Create config and data directory"
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ gitea_user }}"
+ group: "{{ gitea_group }}"
+ mode: 'u=rwX,g=rX,o='
+ with_items:
+ - "/etc/gitea"
+ - "{{ gitea_home }}"
+ - "{{ gitea_home }}/data"
+ - "{{ gitea_home }}/custom"
+ - "{{ gitea_home }}/custom/https"
+ - "{{ gitea_home }}/custom/mailer"
+ - "{{ gitea_home }}/indexers"
+ - "{{ gitea_home }}/log"
+ - "{{ gitea_repository_root }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index e62be44..0dfaba0 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
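Review bot: `/etc/gitea` is created in the same loop as the data directories and therefore owned by `{{ gitea_user }}`, so the service account owns its own configuration directory and a compromised gitea process could replace `gitea.ini` or anything else the role places there. Nothing but this role writes to that directory (the secret files are generated under become and the ini comes from a template elsewhere in the role), so it can be created as a separate task with `owner: root`, `group: "{{ gitea_group }}"`, `mode: 'u=rwx,g=rx,o='`, keeping the gitea-owned loop for `{{ gitea_home }}` and `{{ gitea_repository_root }}`. Dropping the old `recurse: true` is fine — a recursive chown of the repository root on every run is neither wanted nor cheap — and a one-line comment such as `# no recurse: repositories below gitea_repository_root keep their own ownership` would stop the next maintainer from reintroducing it.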
@@ -4,16 +4,10 @@
 when: submodules_versioncheck|bool
 - name: Gather variables for each operating system
- include_vars: "{{ item }}"
- with_first_found:
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_distribution | lower }}.yml"
- "{{ ansible_os_family | lower }}.yml"
+ ansible.builtin.include_vars: "{{ lookup('first_found', gitea_variables) }}"
 - name: "Check gitea version"
- shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3"
+ ansible.builtin.shell: "set -eo pipefail; /usr/local/bin/gitea -v | cut -d' ' -f 3"
 args:
 executable: /bin/bash
 register: gitea_active_version
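Review bot: `Check gitea version` is a read-only query of the installed binary, yet no `changed_when: false` is visible in this hunk, so every run reports the task as changed; the remainder of the task (at least its `when: gitea_version_check|bool`, which shows up as the next hunk's first context line) lies outside the hunk, so add `changed_when: false` there if it is not already present. The `first_found` lookup fails the task when none of the `gitea_variables` candidates exists, as the old `with_first_found` did; if unsupported distributions should fall back to defaults instead, use `lookup('first_found', gitea_variables, errors='ignore')` or add `skip: true` to that dictionary. `cut -d' ' -f 3` presumably relies on `gitea -v` printing `Gitea version X.Y.Z …`; a format change would yield an empty version rather than an error, so a comment stating the expected output line would help.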
@@ -22,41 +16,17 @@
 when: gitea_version_check|bool
 - name: backup gitea before update
- include_tasks: backup.yml
+ ansible.builtin.include_tasks: backup.yml
 when: gitea_backup_on_upgrade|bool
-- name: install or update gitea
- include_tasks: install.yml
-
-- include: create_user.yml
+- name: create gitea user and role
+ ansible.builtin.include_tasks: create_user.yml
-- name: "Create config directory"
- file:
- path: "{{ item }}"
- state: directory
- owner: "{{ gitea_user }}"
- group: "{{ gitea_group }}"
- mode: '0755'
- with_items:
- "/etc/gitea"
+- name: install or update gitea
+ ansible.builtin.include_tasks: install.yml
-- name: "Create data directory"
- file:
- path: "{{ item }}"
- state: directory
- owner: "{{ gitea_user }}"
- group: "{{ gitea_group }}"
- mode: 'u=rwX,g=rX,o='
- recurse: true
- with_items:
- "{{ gitea_home }}"
- "{{ gitea_home }}/data"
- "{{ gitea_home }}/custom"
- "{{ gitea_home }}/custom/https"
- "{{ gitea_home }}/custom/mailer"
- "{{ gitea_home }}/indexers"
- "{{ gitea_home }}/log"
- "{{ gitea_repository_root }}"
+- name: Create directorys
+ ansible.builtin.include_tasks: directory.yml
 - include: install_systemd.yml
 when: ansible_service_mgr == "systemd"
diff --git a/vars/main.yml b/vars/main.yml
index 217afb2..775aca8 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -9,5 +9,15 @@ gitea_go_arch_map:
 gitea_arch: "{{ gitea_go_arch_map[ansible_architecture] | default(ansible_architecture) }}"
+gitea_variables:
+ files:
+ - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
+ - "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
+ - "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
+ - "{{ ansible_distribution | lower }}.yml"
+ - "{{ ansible_os_family | lower }}.yml"
+ paths:
+ - 'vars'
+
 playbook_version_number: 6 # should be int
 playbook_version_path: 'do1jlr.gitea.version'
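Review bot: the new include is named `Create directorys`; task names appear in every run's output and in `--list-tasks`, so spell it `- name: Create directories`. Moving `create_user.yml` ahead of `install.yml` is only safe if nothing in the user creation depends on the install step, which the visible lines support (the user module sets `home: "{{ gitea_home }}"` itself); a short comment on the reordered task, e.g. `# user must exist before install.yml sets file ownership`, would record why the order matters.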
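Review bot: `paths: - 'vars'` is a bare relative directory; `first_found` resolves it through Ansible's file search path (role directory first, but also the playbook directory and others), so a file with the same name as one of the candidates — for instance a `debian.yml` — in the calling playbook's `vars/` can shadow the role's own file. Anchoring the entry to the role, `- "{{ role_path }}/vars"`, removes that ambiguity. If a graceful fallback for distributions without a vars file is wanted, `skip: true` belongs in this same dictionary rather than in the lookup call.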
From d3c26ac0f87cbec5288bb61ba2a6d8411cec43e8 Mon Sep 17 00:00:00 2001
From: L3D
Date: Mon, 22 Mar 2021 21:21:25 +0100
Subject: [PATCH 2/6] use new ansible name scheme at more tasks
---
 handlers/main.yml | 7 +++++--
 tasks/backup.yml | 13 +++++++------
 tasks/configure.yml | 18 ++++++++++++++++++
 tasks/create_user.yml | 2 ++
 tasks/fail2ban.yml | 10 ++++++----
 tasks/install_systemd.yml | 4 ++--
 tasks/main.yml | 29 ++++++++++-------------------
 7 files changed, 50 insertions(+), 33 deletions(-)
 create mode 100644 tasks/configure.yml
diff --git a/handlers/main.yml b/handlers/main.yml
index eade7a3..fc2696b 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,17 +1,20 @@
 ---
 - name: "Restart gitea"
+ become: true
 service:
 name: gitea
 state: restarted
 when: ansible_service_mgr == "systemd"
 - name: "Reload systemd"
+ become: true
 systemd:
 daemon_reload: true
 when: ansible_service_mgr == "systemd"
-- name: "Restart fail2ban"
- service:
+- name: "systemctl restart fail2ban"
+ become: true
+ ansible.builtin.systemd:
 name: fail2ban
 state: restarted
 when: ansible_service_mgr == "systemd"
diff --git a/tasks/backup.yml b/tasks/backup.yml
index e3b8ab3..5bbf374 100644
--- a/tasks/backup.yml
+++ b/tasks/backup.yml
@@ -1,15 +1,18 @@
 ---
 - name: Get service facts
- service_facts:
+ ansible.builtin.service_facts:
 - block:
 - name: Stopping gitea before upgrade
- service:
+ become: true
+ ansible.builtin.systemd:
 name: gitea
 state: stopped
+ when: ansible_service_mgr == "systemd"
 - name: "Create backup directory"
- file:
+ become: true
+ ansible.builtin.file:
 path: "{{ item }}"
 state: directory
 owner: "{{ gitea_user }}"
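Review bot: the handlers file is left half-migrated — `Restart gitea` still uses the short `service:` and `Reload systemd` the short `systemd:`, while the fail2ban handler now uses `ansible.builtin.systemd`; both are already gated on `ansible_service_mgr == "systemd"`, so change them to `ansible.builtin.systemd:` in the same commit. Renaming the third handler from `Restart fail2ban` to `systemctl restart fail2ban` changes a name that other playbooks may `notify`; adding `listen: "Restart fail2ban"` to the renamed handler preserves that contract. Handler names are also conventionally descriptive like the other two rather than spelled as a shell command.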
@@ -19,13 +22,11 @@
 - "{{ gitea_backup_location }}"
 - name: Backing up gitea before upgrade
- command:
+ ansible.builtin.command:
 cmd: "gitea dump -c /etc/gitea/gitea.ini"
 chdir: "{{ gitea_backup_location }}"
 become: true
- become_method: su
 become_user: "{{ gitea_user }}"
- become_flags: "-s /bin/sh"
 when:
 - ansible_facts.services["gitea.service"] is defined
 - ansible_facts.services["gitea.service"].state == "running"
diff --git a/tasks/configure.yml b/tasks/configure.yml
new file mode 100644
index 0000000..ae86a3e
--- /dev/null
+++ b/tasks/configure.yml
@@ -0,0 +1,18 @@
+---
+- name: "Configure gitea"
+ become: true
+ ansible.builtin.template:
+ src: gitea.ini.j2
+ dest: /etc/gitea/gitea.ini
+ owner: "{{ gitea_user }}"
+ group: "{{ gitea_group }}"
+ mode: 0600
+ notify: "Restart gitea"
+
+- name: "Service gitea"
+ become: true
+ ansible.builtin.systemd:
+ name: gitea
+ state: started
+ enabled: true
+ when: ansible_service_mgr == "systemd"
diff --git a/tasks/create_user.yml b/tasks/create_user.yml
index 50d308a..7a8919d 100644
--- a/tasks/create_user.yml
+++ b/tasks/create_user.yml
@@ -1,11 +1,13 @@
 ---
 - name: "Create Gitea Group"
+ become: true
 group:
 name: "{{ gitea_group }}"
 system: true
 state: "present"
 - name: "Create Gitea user"
+ become: true
 user:
 name: "{{ gitea_user }}"
 comment: "Gitea user"
diff --git a/tasks/fail2ban.yml b/tasks/fail2ban.yml
index 5a9837e..640b754 100644
--- a/tasks/fail2ban.yml
+++ b/tasks/fail2ban.yml
@@ -1,18 +1,20 @@
 ---
 - name: Install fail2ban filter
- template:
+ become: true
+ ansible.builtin.template:
 src: fail2ban/filter.conf.j2
 dest: /etc/fail2ban/filter.d/gitea.conf
 owner: root
 group: root
 mode: 0444
- notify: Restart fail2ban
+ notify: systemctl restart fail2ban
 - name: Install fail2ban jail
- template:
+ become: true
+ ansible.builtin.template:
 src: fail2ban/jail.conf.j2
 dest: /etc/fail2ban/jail.d/gitea.conf
 owner: root
 group: root
 mode: 0444
- notify: Restart fail2ban
+ notify: systemctl restart fail2ban
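Review bot: `cmd: "gitea dump -c /etc/gitea/gitea.ini"` resolves `gitea` through the PATH of the become session, whereas every other task in this role calls `/usr/local/bin/gitea` explicitly; under sudo's `secure_path` or a service account with a different PATH this can pick up another binary or fail, so use `cmd: "/usr/local/bin/gitea dump -c /etc/gitea/gitea.ini"`. A `gitea dump` archive normally bundles the configuration (SECRET_KEY, INTERNAL_TOKEN, JWT secrets) together with the database, so `gitea_backup_location` and the produced file must be readable by the gitea user only; the directory's `group`/`mode` lines fall outside this hunk, so verify it is created with `mode: '0700'`. Dropping `become_method: su` and `become_flags: "-s /bin/sh"` assumes the default become method can switch to a service account with a non-login shell, which sudo can; if `su` was chosen deliberately for some hosts, say so in a comment.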
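Review bot: `gitea.ini` is installed with `owner: "{{ gitea_user }}"` and `mode: 0600`, which lets the service account rewrite its own configuration and so lets a compromised process persist changes such as RUN_USER or path settings. Since this template is the only writer of the file, `owner: root`, `group: "{{ gitea_group }}"`, `mode: '0640'` gives Gitea read access without write access; this assumes Gitea is not expected to edit the file itself at runtime (for example through its install wizard), which should be confirmed against `gitea.ini.j2`. Quoting the mode as `'0640'` also avoids depending on YAML's octal interpretation of the unquoted `0600`.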
diff --git a/tasks/install_systemd.yml b/tasks/install_systemd.yml
index 4079aac..695a268 100644
--- a/tasks/install_systemd.yml
+++ b/tasks/install_systemd.yml
@@ -1,5 +1,6 @@
 ---
 - name: "Setup systemd service"
+ become: true
 template:
 src: gitea.service.j2
 dest: /lib/systemd/system/gitea.service
@@ -10,8 +11,7 @@
 - "Reload systemd"
 - "Restart gitea"
-# systemd to be reloaded the first time because
-# it is the only way Systemd is going to be aware of the new unit file.
 - name: "Reload systemd"
+ become: true
 systemd:
 daemon_reload: true
diff --git a/tasks/main.yml b/tasks/main.yml
index 0dfaba0..e0c49ba 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -28,28 +28,19 @@
 - name: Create directorys
 ansible.builtin.include_tasks: directory.yml
-- include: install_systemd.yml
+- name: setup gitea systemd service
+ ansible.builtin.include_tasks: install_systemd.yml
 when: ansible_service_mgr == "systemd"
-- include_tasks: jwt_secrets.yml
+- name: generate JWT Secrets if undefined
+ ansible.builtin.include_tasks: jwt_secrets.yml
-- include_tasks: gitea_secrets.yml
+- name: generate gitea secrets if undefined
+ ansible.builtin.include_tasks: gitea_secrets.yml
-- name: "Configure gitea"
- template:
- src: gitea.ini.j2
- dest: /etc/gitea/gitea.ini
- owner: "{{ gitea_user }}"
- group: "{{ gitea_group }}"
- mode: 0600
- notify: "Restart gitea"
+- name: configure gitea
+ ansible.builtin.include_tasks: configure.yml
-- name: "Service gitea"
- service:
- name: gitea
- state: started
- enabled: true
- when: ansible_service_mgr == "systemd"
-
-- include: fail2ban.yml
+- name: deploy optional fail2ban rules
+ ansible.builtin.include_tasks: fail2ban.yml
 when: gitea_fail2ban_enabled|bool
From 0e0a319773b818f4dd67998e0e2c0cb6be75ccf1 Mon Sep 17 00:00:00 2001
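Review bot: the comment explaining why `Reload systemd` runs as an explicit task and not only through the handler of the same name was deleted without replacement, leaving a task that now looks redundant; restore it as `# Explicit daemon-reload: handlers only run at the end of the play, but the unit must be known to systemd before configure.yml starts the service.` The task also performs `daemon_reload: true` on every run regardless of whether the unit changed; registering the template result (`register: _gitea_unit`) and adding `when: _gitea_unit is changed` ties the reload to an actual change. The unit is written to `/lib/systemd/system/` (context line in the first hunk), which is the distribution's directory; administrator-managed units conventionally belong in `/etc/systemd/system/`.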
From: L3D
Date: Mon, 22 Mar 2021 21:28:51 +0100
Subject: [PATCH 3/6] Add new ansible naming scheme
---
 tasks/create_user.yml | 4 ++--
 tasks/directory.yml | 1 +
 tasks/gitea_secrets.yml | 12 ++++++------
 tasks/install.yml | 22 +++++++++++++---------
 tasks/install_systemd.yml | 4 ++--
 tasks/jwt_secrets.yml | 12 ++++++------
 6 files changed, 30 insertions(+), 25 deletions(-)
diff --git a/tasks/create_user.yml b/tasks/create_user.yml
index 7a8919d..776a614 100644
--- a/tasks/create_user.yml
+++ b/tasks/create_user.yml
@@ -1,14 +1,14 @@
 ---
 - name: "Create Gitea Group"
 become: true
- group:
+ ansible.builtin.group:
 name: "{{ gitea_group }}"
 system: true
 state: "present"
 - name: "Create Gitea user"
 become: true
- user:
+ ansible.builtin.user:
 name: "{{ gitea_user }}"
 comment: "Gitea user"
 home: "{{ gitea_home }}"
diff --git a/tasks/directory.yml b/tasks/directory.yml
index a684bb2..2a42b6a 100644
--- a/tasks/directory.yml
+++ b/tasks/directory.yml
@@ -1,5 +1,6 @@
 ---
 - name: "Create config and data directory"
+ become: true
 ansible.builtin.file:
 path: "{{ item }}"
 state: directory
diff --git a/tasks/gitea_secrets.yml b/tasks/gitea_secrets.yml
index e9d909e..51303ae 100644
--- a/tasks/gitea_secrets.yml
+++ b/tasks/gitea_secrets.yml
@@ -1,38 +1,38 @@
 ---
 - name: generate gitea SECRET_KEY if not provided
 become: true
- shell: 'umask 077; /usr/local/bin/gitea generate secret SECRET_KEY > /etc/gitea/gitea_secret_key'
+ ansible.builtin.shell: 'umask 077; /usr/local/bin/gitea generate secret SECRET_KEY > /etc/gitea/gitea_secret_key'
 args:
 creates: '/etc/gitea/gitea_secret_key'
 when: gitea_secret_key | length == 0
 - name: read gitea SECRET_KEY from file
 become: true
- slurp:
+ ansible.builtin.slurp:
 src: '/etc/gitea/gitea_secret_key'
 register: remote_secret_key
 when: gitea_secret_key | length == 0
 - name: set fact gitea_secret_key
- set_fact:
+ ansible.builtin.set_fact:
 gitea_secret_key: "{{ remote_secret_key['content'] | b64decode }}"
 when: gitea_secret_key | length == 0
 - name: generate gitea INTERNAL_TOKEN if not provided
 become: true
- shell: 'umask 077; /usr/local/bin/gitea generate secret INTERNAL_TOKEN > /etc/gitea/gitea_internal_token'
+ ansible.builtin.shell: 'umask 077; /usr/local/bin/gitea generate secret INTERNAL_TOKEN > /etc/gitea/gitea_internal_token'
 args:
 creates: '/etc/gitea/gitea_internal_token'
 when: gitea_internal_token | length == 0
 - name: read gitea INTERNAL_TOKEN from file
 become: true
- slurp:
+ ansible.builtin.slurp:
 src: '/etc/gitea/gitea_internal_token'
 register: remote_internal_token
 when: gitea_internal_token | length == 0
 - name: set fact gitea_internal_token
- set_fact:
+ ansible.builtin.set_fact:
 gitea_internal_token: "{{ remote_internal_token['content'] | b64decode }}"
 when: gitea_internal_token | length == 0
diff --git a/tasks/install.yml b/tasks/install.yml
index 474df90..5dfa5d8 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -1,7 +1,8 @@
 ---
 - block:
 - name: Update apt cache
- apt:
+ become: true
+ ansible.builtin.apt:
 cache_valid_time: 3600
 update_cache: true
 register: _pre_update_apt_cache
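Review bot: the shell redirection creates `/etc/gitea/gitea_secret_key` before `gitea generate secret` runs, so a failed first attempt (missing binary, unsupported version) leaves an empty file behind; that run fails loudly, but every later run skips generation because of `creates:`, the slurp returns an empty string, and `set_fact` templates an empty `SECRET_KEY` into the ini without any error. Write to a temporary name and rename only on success, `umask 077; /usr/local/bin/gitea generate secret SECRET_KEY > /etc/gitea/gitea_secret_key.tmp && mv /etc/gitea/gitea_secret_key.tmp /etc/gitea/gitea_secret_key` (same for INTERNAL_TOKEN), and add `failed_when: remote_secret_key['content'] | b64decode | trim | length == 0` to the slurp so a blank file is rejected. The slurp and `set_fact` tasks register the secret values, which then show up in verbose output and callback logs; mark all four with `no_log: true`. If the generator emits a trailing newline it is carried into the fact as-is, so confirm that `gitea.ini.j2` applies `| trim` or that the key is written on a single line.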
@@ -10,7 +11,8 @@
 - ansible_pkg_mgr == "apt"
 - name: Install dependencies
- package:
+ become: true
+ ansible.builtin.package:
 name: "{{ gitea_dependencies }}"
 state: present
 register: _install_dep_packages
@@ -20,7 +22,7 @@
 - block:
 - name: Download gitea archive
- get_url:
+ ansible.builtin.get_url:
 url: "{{ gitea_dl_url }}.xz"
 dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
 checksum: "sha256:{{ gitea_dl_url }}.xz.sha256"
@@ -30,7 +32,7 @@
 delay: 2
 - name: Download gitea asc file
- get_url:
+ ansible.builtin.get_url:
 url: "{{ gitea_dl_url }}.xz.asc"
 dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc"
 register: _download_asc
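Review bot: the archive is fetched by the unprivileged connection user into a fixed, predictable name in the shared `/tmp` (`dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"`, and likewise the `.asc`), and the later unpack step is guarded by `creates:` on the decompressed name, so a local user who pre-creates `/tmp/gitea-<version>.linux-<arch>` gets that file copied to `/usr/local/bin/gitea` as root without it ever passing the signature check. Create a private scratch directory first with `ansible.builtin.tempfile` (`state: directory`, registered as e.g. `_gitea_tmp`) and use `{{ _gitea_tmp.path }}` in place of `/tmp` for the download, verify, unpack and copy steps, or download into a root-owned location. The `checksum:` URL is served from the same origin as the artifact, so it only guards against transport corruption; the GPG verification that follows remains the authenticity check and a comment on the `checksum:` line should say so.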
@@ -39,28 +41,30 @@
 delay: 2
 - name: Check gitea gpg key
- command: "gpg --list-keys 0x{{ gitea_gpg_key }}"
+ ansible.builtin.command: "gpg --list-keys 0x{{ gitea_gpg_key }}"
 register: _gitea_gpg_key_status
 changed_when: false
 failed_when: _gitea_gpg_key_status.rc not in (0, 2)
 - name: Import gitea gpg key
- command: "gpg --keyserver {{ gitea_gpg_server }} --recv {{ gitea_gpg_key }}"
+ become: true
+ ansible.builtin.command: "gpg --keyserver {{ gitea_gpg_server }} --recv {{ gitea_gpg_key }}"
 register: _gitea_import_key
 changed_when: '"imported: 1" in _gitea_import_key.stderr'
 when: _gitea_gpg_key_status.rc != 0
 - name: Check archive signature
- command: "gpg --verify /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
+ ansible.builtin.command: "gpg --verify /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
 changed_when: false
 - name: Unpack gitea binary
- command:
+ ansible.builtin.command:
 cmd: "xz -k -d /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
 creates: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}"
 - name: Propagate gitea binary
- copy:
+ become: true
+ ansible.builtin.copy:
 src: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}"
 remote_src: true
 dest: "/usr/local/bin/gitea"
diff --git a/tasks/install_systemd.yml b/tasks/install_systemd.yml
index 695a268..78173a9 100644
--- a/tasks/install_systemd.yml
+++ b/tasks/install_systemd.yml
@@ -1,7 +1,7 @@
 ---
 - name: "Setup systemd service"
 become: true
- template:
+ ansible.builtin.template:
 src: gitea.service.j2
 dest: /lib/systemd/system/gitea.service
 owner: root
@@ -13,5 +13,5 @@
 - name: "Reload systemd"
 become: true
- systemd:
+ ansible.builtin.systemd:
 daemon_reload: true
diff --git a/tasks/jwt_secrets.yml b/tasks/jwt_secrets.yml
index ca334c7..3ce8ba5 100644
--- a/tasks/jwt_secrets.yml
+++ b/tasks/jwt_secrets.yml
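Review bot: `Import gitea gpg key` now runs with `become: true`, i.e. into root's keyring, while `Check gitea gpg key` and `Check archive signature` run without become as the connection user; unless that user is already root, the key lands where `gpg --verify` never looks, the list-keys check returns 2 on every run, and verification fails (or succeeds only because some unrelated keyring already holds a key). Run all three gpg tasks under the same account, or give them one explicit `--homedir`. Independently, `gpg --verify` exiting 0 only proves a good signature by some key in that keyring, not by `gitea_gpg_key`; add `--status-fd 1`, register the result and check that the `VALIDSIG` status line carries the expected fingerprint — this presumes `gitea_gpg_key` is a full fingerprint, which a keyserver `--recv` also needs in order to be meaningful. The `creates:` on the unpack step trusts any pre-existing `/tmp/gitea-…` file, so while the downloads stay in the shared `/tmp` a local user can bypass this check entirely; the download tasks should use a private temp directory.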
@@ -1,38 +1,38 @@
 ---
 - name: generate OAuth2 JWT_SECRET if not provided
 become: true
- shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_oauth_jwt_secret'
+ ansible.builtin.shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_oauth_jwt_secret'
 args:
 creates: '/etc/gitea/gitea_oauth_jwt_secret'
 when: gitea_oauth2_jwt_secret | length == 0
 - name: read OAuth2 JWT_SECRET from file
 become: true
- slurp:
+ ansible.builtin.slurp:
 src: '/etc/gitea/gitea_oauth_jwt_secret'
 register: oauth_jwt_secret
 when: gitea_oauth2_jwt_secret | length == 0
 - name: set fact gitea_oauth2_jwt_secret
- set_fact:
+ ansible.builtin.set_fact:
 gitea_oauth2_jwt_secret: "{{ oauth_jwt_secret['content'] | b64decode }}"
 when: gitea_oauth2_jwt_secret | length == 0
 - name: generate LFS JWT_SECRET if not provided
 become: true
- shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_lfs_jwt_secret'
+ ansible.builtin.shell: 'umask 077; /usr/local/bin/gitea generate secret JWT_SECRET > /etc/gitea/gitea_lfs_jwt_secret'
 args:
 creates: '/etc/gitea/gitea_lfs_jwt_secret'
 when: gitea_lfs_jwt_secret | length == 0
 - name: read LFS JWT_SECRET from file
 become: true
- slurp:
+ ansible.builtin.slurp:
 src: '/etc/gitea/gitea_lfs_jwt_secret'
 register: lfs_jwt_secret
 when: gitea_lfs_jwt_secret | length == 0
 - name: set fact gitea_lfs_jwt_secret
- set_fact:
+ ansible.builtin.set_fact:
 gitea_lfs_jwt_secret: "{{ lfs_jwt_secret['content'] | b64decode }}"
 when: gitea_lfs_jwt_secret | length == 0
From 7f7ec4c6360a29fca726616828f9481145ea320e Mon Sep 17 00:00:00 2001
From: L3D
Date: Mon, 22 Mar 2021 21:34:24 +0100
Subject: [PATCH 4/6] allow longer lines
---
 .yamllint | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.yamllint b/.yamllint
index cb32cb1..e9713ae 100644
--- a/.yamllint
+++ b/.yamllint
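Review bot: the two slurp tasks and the two `set_fact` tasks register and set the JWT secrets in clear, so the values end up in verbose output, registered-result dumps and callback logs; add `no_log: true` to all four. Both shell tasks also share the `creates:` trap: if `/usr/local/bin/gitea generate secret` fails once, the redirection has already created an empty `/etc/gitea/gitea_oauth_jwt_secret` (or `gitea_lfs_jwt_secret`), later runs skip generation, and an empty JWT secret is templated in silently — write to a temporary name and rename on success, e.g. `… > /etc/gitea/gitea_oauth_jwt_secret.tmp && mv /etc/gitea/gitea_oauth_jwt_secret.tmp /etc/gitea/gitea_oauth_jwt_secret`. A `failed_when` on each slurp that rejects a blank decoded value turns that silent condition into a visible failure.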
@@ -2,7 +2,7 @@
 extends: default
 rules:
- # 150 chars should be enough, but don't fail if a line is longer
+ # 170 chars should be enough, but don't fail if a line is longer
 line-length:
- max: 150
+ max: 170
 level: warning
From 85e0517fbe1c84a217128728e4965749f0dcf30c Mon Sep 17 00:00:00 2001
From: L3D
Date: Mon, 22 Mar 2021 21:35:31 +0100
Subject: [PATCH 5/6] increase version
---
 vars/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vars/main.yml b/vars/main.yml
index 775aca8..18fb348 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -19,5 +19,5 @@ gitea_variables:
 paths:
 - 'vars'
-playbook_version_number: 6 # should be int
+playbook_version_number: 7 # should be int
 playbook_version_path: 'do1jlr.gitea.version'
From d9ff631e6222b8aac8c7017e92098b8e9b42da00 Mon Sep 17 00:00:00 2001
From: L3D
Date: Mon, 22 Mar 2021 21:47:28 +0100
Subject: [PATCH 6/6] add gitea_filename variable
---
 tasks/install.yml | 12 ++++++------
 vars/main.yml | 1 +
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/tasks/install.yml b/tasks/install.yml
index 5dfa5d8..c38133b 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -24,7 +24,7 @@
 - name: Download gitea archive
 ansible.builtin.get_url:
 url: "{{ gitea_dl_url }}.xz"
- dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
+ dest: "/tmp/{{ gitea_filename }}.xz"
 checksum: "sha256:{{ gitea_dl_url }}.xz.sha256"
 register: _download_archive
 until: _download_archive is succeeded
@@ -34,7 +34,7 @@
 - name: Download gitea asc file
 ansible.builtin.get_url:
 url: "{{ gitea_dl_url }}.xz.asc"
- dest: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc"
+ dest: "/tmp/{{ gitea_filename }}.xz.asc"
 register: _download_asc
 until: _download_asc is succeeded
 retries: 5
@@ -54,18 +54,18 @@
 when: _gitea_gpg_key_status.rc != 0
 - name: Check archive signature
- ansible.builtin.command: "gpg --verify /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz.asc /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
+ ansible.builtin.command: "gpg --verify /tmp/{{ gitea_filename }}.xz.asc /tmp/{{ gitea_filename }}.xz"
 changed_when: false
 - name: Unpack gitea binary
 ansible.builtin.command:
- cmd: "xz -k -d /tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}.xz"
- creates: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}"
+ cmd: "xz -k -d /tmp/{{ gitea_filename }}.xz"
+ creates: "/tmp/{{ gitea_filename }}"
 - name: Propagate gitea binary
 become: true
 ansible.builtin.copy:
- src: "/tmp/gitea-{{ gitea_version }}.linux-{{ gitea_arch }}"
+ src: "/tmp/{{ gitea_filename }}"
 remote_src: true
 dest: "/usr/local/bin/gitea"
 mode: 0755
diff --git a/vars/main.yml b/vars/main.yml
index 18fb348..26bbdec 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -8,6 +8,7 @@ gitea_go_arch_map:
 armv5l: 'arm-5'
 gitea_arch: "{{ gitea_go_arch_map[ansible_architecture] | default(ansible_architecture) }}"
+gitea_filename: "gitea-{{ gitea_version }}.linux-{{ gitea_arch }}"
 gitea_variables:
 files: