Add a gitea deployment

Yep, it's that time of year _again_
2023-01-27 17:28:45 +00:00 · 2023-01-27 17:28:45 +00:00 · a443d56a1c
commit a443d56a1c
parent 120b7d97c4
8 changed files with 214 additions and 0 deletions
--- a/ansible/main.yml
+++ b/ansible/main.yml
@ -68,6 +68,7 @@
    - tandoor
    - authentik
    - mastodon
+    - gitea

 - hosts: ingress
  roles:
--- a/ansible/roles/gitea/files/app.ini
+++ b/ansible/roles/gitea/files/app.ini
@ -0,0 +1,102 @@
+APP_NAME = Gitea: Git with a cup of orange juice
+
+[repository]
+ROOT = /mnt/repositories
+DEFAULT_BRANCH = master
+DISABLE_STARS  = true
+
+[server]
+SSH_DOMAIN              = gitea.theorangeone.net
+ROOT_URL                = https://gitea.theorangeone.net/
+START_SSH_SERVER        = true
+SSH_PORT                = 22  # Makes the SSH URLs look sane
+SSH_LISTEN_PORT         = 2222
+BUILTIN_SSH_SERVER_USER = git
+LFS_START_SERVER        = true
+DOMAIN                  = gitea.theorangeone.net
+PROTOCOL                = http  # TLS termination done by Traefik
+ENABLE_GZIP             = true
+OFFLINE_MODE            = true
+LANDING_PAGE            = explore
+LFS_JWT_SECRET          = {{ lfs_jwt_secret }}
+
+[database]
+DB_TYPE  = postgres
+HOST     = db:5432
+NAME     = gitea
+USER     = gitea
+PASSWD   = gitea
+
+[session]
+PROVIDER        = db
+COOKIE_NAME     = gitea_session
+
+[log]
+ENABLE_ACCESS_LOG = false
+
+[security]
+INSTALL_LOCK                  = true
+SECRET_KEY                    = {{ secret_key }}
+INTERNAL_TOKEN                = {{ internal_token }}
+PASSWORD_HASH_ALGO            = pbkdf2
+COOKIE_USERNAME               = gitea_username
+COOKIE_REMEMBER_NAME          = gitea_remember
+LOGIN_REMEMBER_DAYS           = 30
+
+[service]
+DISABLE_REGISTRATION              = true
+ENABLE_CAPTCHA                    = false
+SHOW_MILESTONES_DASHBOARD_PAGE    = false
+ENABLE_TIMETRACKING               = false
+DEFAULT_ORG_MEMBER_VISIBLE = true
+
+[ui.metadata]
+DESCRIPTION = Gitea (Git with a cup of orange juice)
+AUTHOR      = Jake Howard
+
+[ui.user]
+REPO_PAGING_NUM = 100
+
+[ui]
+SITEMAP_PAGING_NUM   = 100
+FEED_PAGING_NUM      = 100
+DEFAULT_THEME        = gitea
+ISSUE_PAGING_NUM     = 100
+THEME_COLOR_META_TAG = "#ff7f00"
+FEED_MAX_COMMIT_NUM  = 30
+SHOW_USER_EMAIL      = false
+EXPLORE_PAGING_NUM   = 100
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[service.explore]
+DISABLE_USERS_PAGE = true
+
+[queue]
+CONN_STR = redis://redis:6379/0
+TYPE     = redis
+
+[cache]
+ADAPTER = redis
+HOST    = redis://redis:6379/1
+ITEM_TTL = 48h
+
+[other]
+SHOW_FOOTER_TEMPLATE_LOAD_TIME = false
+SHOW_FOOTER_VERSION            = false
+SHOW_FOOTER_BRANDING=false
+
+[mirror]
+DEFAULT_INTERVAL = 1h
+
+[cron]
+ENABLED = true
+
+[indexer]
+REPO_INDEXER_ENABLED = true
+ISSUE_INDEXER_TYPE   = db
+
+[lfs]
+PATH = /mnt/lfs
--- a/ansible/roles/gitea/files/docker-compose.yml
+++ b/ansible/roles/gitea/files/docker-compose.yml
@ -0,0 +1,49 @@
+version: "2.3"
+
+services:
+  gitea:
+    image: gitea/gitea:1.18.1-rootless
+    user: "{{ docker_user.id }}:{{ docker_user.id }}"
+    environment:
+      - TZ={{ timezone }}
+    volumes:
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+      - "{{ app_data_dir }}/gitea/data:/var/lib/gitea"
+      - "{{ app_data_dir }}/gitea/config:/etc/gitea"
+      - /mnt/tank/files/gitea-repositories/repositories:/mnt/repositories
+      - /mnt/tank/files/gitea-repositories/lfs:/mnt/lfs
+    tmpfs:
+      - /var/lib/gitea/tmp
+    restart: unless-stopped
+    ports:
+      - "{{ pve_hosts.docker.ip }}:2222:2222"
+    depends_on:
+      - db
+      - redis
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.gitea.rule=Host(`gitea.theorangeone.net`)
+      - traefik.http.services.gitea-gitea.loadbalancer.server.port=3000
+    networks:
+      - default
+      - traefik
+
+  db:
+    image: postgres:14-alpine
+    restart: unless-stopped
+    volumes:
+      - /mnt/tank/dbs/postgres/gitea:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_PASSWORD=gitea
+      - POSTGRES_USER=gitea
+
+  redis:
+    image: redis:7-alpine
+    restart: unless-stopped
+    volumes:
+      - /mnt/tank/dbs/redis/gitea:/data
+
+networks:
+  traefik:
+    external: true
--- a/ansible/roles/gitea/handlers/main.yml
+++ b/ansible/roles/gitea/handlers/main.yml
@ -0,0 +1,4 @@
+- name: restart gitea
+  shell:
+    chdir: /opt/gitea
+    cmd: "{{ docker_update_command }}"
--- a/ansible/roles/gitea/tasks/main.yml
+++ b/ansible/roles/gitea/tasks/main.yml
@ -0,0 +1,29 @@
+- name: Include vault
+  include_vars: vault.yml
+
+- name: Create install directory
+  file:
+    path: /opt/gitea
+    state: directory
+    owner: "{{ docker_user.name }}"
+    mode: "{{ docker_compose_directory_mask }}"
+  become: true
+
+- name: Install compose file
+  template:
+    src: files/docker-compose.yml
+    dest: /opt/gitea/docker-compose.yml
+    mode: "{{ docker_compose_file_mask }}"
+    owner: "{{ docker_user.name }}"
+    validate: docker-compose -f %s config
+  notify: restart gitea
+  become: true
+
+- name: Install config file
+  template:
+    src: files/app.ini
+    dest: "{{ app_data_dir }}/gitea/config/app.ini"
+    mode: "{{ docker_compose_file_mask }}"
+    owner: "{{ docker_user.name }}"
+  notify: restart gitea
+  become: true
--- a/ansible/roles/gitea/vars/main.yml
+++ b/ansible/roles/gitea/vars/main.yml
@ -0,0 +1,3 @@
+lfs_jwt_secret: "{{ vault_lfs_jwt_secret }}"
+secret_key: "{{ vault_secret_key }}"
+internal_token: "{{ vault_internal_token }}"
--- a/ansible/roles/gitea/vars/vault.yml
+++ b/ansible/roles/gitea/vars/vault.yml
@ -0,0 +1,18 @@
+$ANSIBLE_VAULT;1.1;AES256
+35363665336465663661393536396531346436383939343130333536643861326432373431643063
+6161396631366662613736383232663836643336393166640a336561613064663366346536393532
+35333336653863363433633966393031323633653638623333653561373730616138353535353931
+6632613734393839660a663333313732613235316564633832613231333035363636313834356464
+30313237323364636662383333353938373338313338663131316132663831343664376362383134
+36323465666334313635383139616563623566616135653235323633643865386130636138656630
+61326363306561313733616539623661396532386561326439646535393130353035306231616239
+33656562303965306662623234316265353931656364313737353965336138393065643561363431
+64643036643632383738323961373338363437313132356139636338613137643433333064376266
+61383663333932623934343631353932323239333737613134393838363631633837353463663737
+39623137393238333735313734313539323731666264343535663464356438306662383331343338
+32303362643766313765313432623036643534386234393363386432396634346335626338353038
+34656436386636393631666534633532363039393763323137663637653131666364376262303236
+31376261396337336636303132353335323265346434393631613937666364313562613366373362
+65383836363430663237376666383239613234616137383934343931643232336266396264333366
+64363932336635356230353934613136613537636236396135373130343662613966363930323364
+65653031653436333331306262393738346265633936343833663032393839363333
--- a/terraform/theorangeone.net.tf
+++ b/terraform/theorangeone.net.tf
@ -10,6 +10,14 @@ resource "cloudflare_record" "theorangeonenet_git" {
  ttl     = 1
 }

+resource "cloudflare_record" "theorangeonenet_gitea" {
+  zone_id = cloudflare_zone.theorangeonenet.id
+  name    = "gitea"
+  value   = linode_instance.casey.ip_address
+  type    = "A"
+  ttl     = 1
+}
+
 resource "cloudflare_record" "theorangeonenet_git_registry" {
  zone_id = cloudflare_zone.theorangeonenet.id
  name    = "registry.git"