move files from infra-office repo

Signed-off-by: Jakub Sokołowski <jakub@status.im>

README.md

@@ -0,0 +1,48 @@
+# Description
+
+This role configures an instance of [Gitea](https://gitea.io/) using Docker Compose.
+
+# Configuration
+
+```yaml
+gitea_app_name: 'Example.org Repos'
+gitea_app_web_domain: 'gitea.example.org'
+gitea_app_ssh_domain: 'git.example.org'
+gitea_app_ssh_port: 22
+gitea_app_secret_key: 'super-secret-key'
+gitea_app_log_level: 'debug'
+
+# DB
+gitea_db_pass: 'super-secret-db-pass'
+
+# Admin
+gitea_app_admin_user: 'root'
+gitea_app_admin_pass: 'secret-root-pass'
+gitea_app_admin_email: 'root@example.org'
+```
+
+# Administration
+
+You can manage the services using Docker Compose:
+```
+ > docker-compose ps
+  Name                 Command               State                           Ports                         
+-----------------------------------------------------------------------------------------------------------
+gitea-app   /usr/bin/entrypoint /bin/s ...   Up      22/tcp, 0.0.0.0:2222->2222/tcp, 0.0.0.0:3000->3000/tcp
+gitea-db    docker-entrypoint.sh postgres    Up      0.0.0.0:5432->5432/tcp  
+```
+For example you can easily re-create containers:
+```
+ > docker-compose up --force-recreate -d
+Recreating gitea-db ... done
+Recreating gitea-app ... done
+```
+
+# Backups
+
+A Systemd timer creates `pg_dump` backups of the PostgreSQL database daily:
+```
+ > sudo systemctl list-timers -a dump-gitea-db
+NEXT                        LEFT    LAST PASSED UNIT                ACTIVATES            
+Sat 2021-03-20 00:00:00 UTC 9h left n/a  n/a    dump-gitea-db.timer dump-gitea-db.service
+```

defaults/main.yml

@@ -0,0 +1,56 @@
+---
+gitea_service_name: 'gitea'
+gitea_service_path: '/docker/{{ gitea_service_name }}'
+gitea_compose_file: '{{ gitea_service_path }}/docker-compose.yml'
+
+# General
+gitea_app_name:
+gitea_app_web_domain:
+gitea_app_ssh_domain: '{{ gitea_app_web_domain | mandatory }}'
+gitea_app_ssh_port: 22
+gitea_app_disable_registration: true
+gitea_app_install_lock: true
+gitea_app_log_level: 'info'
+
+# Secrets
+#gitea_app_secret_key:
+#gitea_app_security_token:
+#gitea_app_jwt_secret:
+
+# Admin user
+#gitea_app_admin_user: ~
+#gitea_app_admin_pass: ~
+#gitea_app_admin_email: ~
+
+# App
+gitea_app_cont_name: '{{ gitea_service_name }}-app'
+gitea_app_cont_vol: '{{ gitea_service_path }}/app'
+gitea_app_cont_digest: 'sha256:24fed63774f280f7fa4294b17a90fb80d75e3bbb658277967dce6050a998843a' # 1.17.0
+gitea_app_cont_image: 'gitea/gitea@{{ gitea_app_cont_digest }}'
+gitea_app_cont_ssh_port: 2222
+gitea_app_cont_web_port: 3000
+gitea_app_cont_web_url: 'http://localhost:{{ gitea_app_cont_web_port }}'
+gitea_app_cont_uid: 1000
+gitea_app_host_uid: '{{ 100000 + gitea_app_cont_uid | int }}'
+# DB
+gitea_db_cont_name: '{{ gitea_service_name }}-db'
+gitea_db_cont_vol: '{{ gitea_service_path }}/db'
+gitea_db_cont_tag: '9.6'
+gitea_db_cont_image: 'postgres:{{ gitea_db_cont_tag }}'
+gitea_db_cont_port: 5432
+gitea_db_cont_uid: 70
+gitea_db_host_uid: '{{ 100000 + gitea_db_cont_uid | int }}'
+gitea_db_name: 'gitea'
+gitea_db_user: 'gitea'
+gitea_db_pass: 'changeMeIfYouCare'
+
+# Backups
+gitea_db_backup_service_name: 'dump-{{ gitea_service_name }}-db'
+gitea_db_backup_frequency: 'daily'
+gitea_db_backup_timeout: 300
+gitea_db_backup_user: 'root'
+
+# General container management
+compose_recreate: 'smart'
+compose_state: 'present'
+compose_restart: false

tasks/admin.yml

@@ -0,0 +1,26 @@
+---
+- name: Wait for Web port to be available
+  wait_for:
+    port: '{{ gitea_app_cont_web_port }}'
+    delay: 15
+  when: gitea_container.changed
+
+- name: Check if admin user already exists
+  uri:
+    url: '{{ gitea_app_cont_web_url }}/api/v1/users/{{ gitea_app_admin_user }}'
+    status_code: [200, 404]
+    return_content: true
+    user: '{{ gitea_app_admin_user | mandatory }}'
+    password: '{{ gitea_app_admin_pass | mandatory }}'
+    force_basic_auth: true
+  register: gitea_admin_user_raw
+
+- name: Create main Gitea admin user
+  command: |
+    docker exec -i {{ gitea_app_cont_name }} \
+      gitea admin create-user --admin \
+        --username '{{ gitea_app_admin_user | mandatory }}' \
+        --password '{{ gitea_app_admin_pass | mandatory }}' \
+        --email '{{ gitea_app_admin_email | mandatory }}' \
+        --must-change-password=false
+  when: gitea_admin_user_raw.status == 404

tasks/backup.yml

@@ -0,0 +1,19 @@
+---
+- name: 'Create timer for Gitea backup: {{ gitea_db_backup_service_name }}'
+  include_role: name=systemd-timer
+  vars:
+    systemd_timer_name: '{{ gitea_db_backup_service_name }}'
+    systemd_timer_description: 'Dump Gitea PostgreSQL database.'
+    systemd_timer_user: '{{ gitea_db_backup_user }}'
+    systemd_timer_frequency: '{{ gitea_db_backup_frequency }}'
+    systemd_timer_timeout_sec: '{{ gitea_db_backup_timeout }}'
+    systemd_timer_after_extra: 'docker.service'
+    systemd_timer_start_on_creation: false
+    systemd_timer_script_content: |
+      #!/usr/bin/env bash
+      BKP_DIR="{{ gitea_db_cont_vol }}/backup/{{ gitea_db_name }}"
+      rm -vfr "${BKP_DIR}"
+      /usr/bin/docker exec -i {{ gitea_db_cont_name }} \
+        pg_dump -F directory -f "/backup/{{ gitea_db_name }}" \
+        -U {{ gitea_db_user }} {{ gitea_db_name }}
+      chmod 750 -R "${BKP_DIR}"

tasks/config.yml

@@ -0,0 +1,39 @@
+---
+- name: Create directories for app data
+  file:
+    path: '{{ gitea_app_cont_vol }}/{{ item }}'
+    state: directory
+    owner: '{{ gitea_app_host_uid }}'
+    group: dockremap
+    mode: 0755
+  with_items:
+    - 'data/gitea/conf'
+    - 'data/gitea/log'
+    - 'data/git'
+    - 'data/git/.ssh'
+
+- name: Create SSH directory
+  file:
+    path: '{{ gitea_app_cont_vol }}/data/ssh'
+    state: directory
+    owner: '{{ gitea_app_host_uid }}'
+    group: dockremap
+    mode: 0700
+
+- name: Create directory for DB data
+  file:
+    path: '{{ gitea_db_cont_vol }}/data'
+    state: directory
+    owner: '{{ gitea_db_host_uid }}'
+    group: dockremap
+    mode: 0777
+    recurse: true
+
+- name: Create Gitea configuration
+  template:
+    src: 'gitea.ini.j2'
+    dest: '{{ gitea_app_cont_vol }}/data/gitea/conf/app.ini'
+    owner: '{{ gitea_app_host_uid }}'
+    group: dockremap
+    mode: 0640
+  register: gitea_config

tasks/consul.yml

@@ -0,0 +1,14 @@
+---
+- name: Create Consul service definition
+  include_role: name=consul-service
+  vars:
+    consul_config_name: '{{ gitea_service_name }}'
+    consul_services:
+      - name: '{{ gitea_service_name }}'
+        tags: ['gitea', 'git', 'repos']
+        port: '{{ gitea_app_cont_web_port }}'
+        checks:
+          - id: '{{ gitea_service_name }}-status'
+            name: Gitea Healthcheck
+            type: http
+            http: 'http://localhost:{{ gitea_app_cont_web_port }}/api/v1/version'

tasks/container.yml

@@ -0,0 +1,17 @@
+---
+- name: Create compose file
+  template:
+    src: 'docker-compose.yml.j2'
+    dest: '{{ gitea_compose_file }}'
+    owner: 'dockremap'
+    group: 'docker'
+    mode: 0640
+
+- name: Create containers
+  docker_compose:
+    project_src: '{{ gitea_service_path }}'
+    pull: true
+    state: '{{ compose_state }}'
+    restarted: '{{ compose_restart }}'
+    recreate: '{{ gitea_config.changed | ternary("always", compose_recreate) }}'
+  register: gitea_container

tasks/main.yml

@@ -0,0 +1,7 @@
+---
+- import_tasks: config.yml
+- import_tasks: container.yml
+- import_tasks: admin.yml
+- import_tasks: token.yml
+- import_tasks: backup.yml
+- import_tasks: consul.yml

tasks/token.yml

@@ -0,0 +1,39 @@
+---
+- name: Check if API token file exists
+  stat:
+    path: '{{ gitea_service_path }}/api-token'
+  register: gitea_token_file
+
+- name: Create API token
+  when: not gitea_token_file.stat.exists
+  block:
+    - name: Generate API token for admin
+      uri:
+        url: '{{ gitea_app_cont_web_url }}/api/v1/users/{{ gitea_app_admin_user }}/tokens'
+        method: 'POST'
+        status_code: 201
+        body_format: 'json'
+        body: { name: 'ansible' }
+        return_content: true
+        user: '{{ gitea_app_admin_user | mandatory }}'
+        password: '{{ gitea_app_admin_pass | mandatory }}'
+        force_basic_auth: true
+      register: gitea_app_admin_token_raw
+
+    - name: Create an API token file
+      copy:
+        dest: '{{ gitea_service_path }}/api-token'
+        content: '{{ gitea_app_admin_token_raw.json.sha1 }}'
+        mode: 0400
+      when: not gitea_app_admin_token_raw.skipped
+
+- name: Read API token from file
+  slurp:
+    path: '{{ gitea_service_path }}/api-token'
+  register: gitea_app_admin_token_raw
+  when: gitea_token_file.stat.exists
+
+- name: Decode token from file cointents
+  set_fact:
+    gitea_app_admin_token: '{{ gitea_app_admin_token_raw.content | b64decode | trim }}'
+  when: gitea_token_file.stat.exists

templates/docker-compose.yml.j2

@@ -0,0 +1,35 @@
+---
+version: '3.7'
+services:
+  app:
+    container_name: '{{ gitea_app_cont_name }}'
+    image: '{{ gitea_app_cont_image }}'
+    restart: 'always'
+    volumes:
+      - '{{ gitea_app_cont_vol }}/data:/data'
+      - '/etc/timezone:/etc/timezone:ro'
+      - '/etc/localtime:/etc/localtime:ro'
+    ports:
+      - '{{ gitea_app_cont_web_port }}:{{ gitea_app_cont_web_port }}/tcp'
+      - '{{ gitea_app_cont_ssh_port }}:22/tcp'
+    depends_on:
+      - db
+ 
+  db:
+    container_name: '{{ gitea_db_cont_name }}'
+    image: '{{ gitea_db_cont_image }}'
+    restart: always
+    ports:
+      - '{{ gitea_db_cont_port }}:{{ gitea_db_cont_port }}'
+    environment:
+      POSTGRES_DB:       '{{ gitea_db_name }}'
+      POSTGRES_USER:     '{{ gitea_db_user }}'
+      POSTGRES_PASSWORD: '{{ gitea_db_pass }}'
+      # This fixes chmod errors on DB startup due to volume + userns-remap
+      PGDATA: '/var/lib/postgresql/data/pgdata'
+    tmpfs:
+      - '/run/postgresql:size=512K'
+      - '/tmp:size=256K'
+    volumes:
+      - '{{ gitea_db_cont_vol }}/data:/var/lib/postgresql/data'
+      - '{{ gitea_db_cont_vol }}/backup:/backup'

templates/gitea.ini.j2

@@ -0,0 +1,75 @@
+APP_NAME = {{ gitea_app_name | mandatory }}
+RUN_MODE = prod
+
+[repository]
+ROOT = /data/git/repositories
+DEFAULT_BRANCH = master
+
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+
+[server]
+APP_DATA_PATH    = /data/gitea
+DOMAIN           = {{ gitea_app_web_domain | mandatory }}
+SSH_DOMAIN       = {{ gitea_app_ssh_domain | mandatory }}
+HTTP_PORT        = {{ gitea_app_cont_web_port }}
+ROOT_URL         = https://{{ gitea_app_web_domain | mandatory }}
+DISABLE_SSH      = false
+SSH_PORT         = {{ gitea_app_ssh_port }}
+LFS_START_SERVER = false
+LFS_CONTENT_PATH = /data/git/lfs
+LANDING_PAGE     = explore
+
+[database]
+DB_TYPE = postgres
+HOST    = db:{{ gitea_db_cont_port }}
+NAME    = {{ gitea_db_name }}
+USER    = {{ gitea_db_user }}
+PASSWD  = {{ gitea_db_pass }}
+LOG_SQL = false
+
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+
+[session]
+PROVIDER = db
+COOKIE_SECURE = true
+SAME_SITE = strict
+
+[ui]
+DEFAULT_THEME = arc-green
+
+[api]
+ENABLE_SWAGGER = true
+
+[picture]
+AVATAR_UPLOAD_PATH            = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+
+[attachment]
+PATH = /data/gitea/attachments
+
+[log]
+MODE   = console
+ROUTER = console
+LEVEL  = {{ gitea_app_log_level }}
+
+[log.console]
+COLORIZE = false
+
+[security]
+INSTALL_LOCK   = {{ gitea_app_install_lock }}
+SECRET_KEY     = {{ gitea_app_secret_key | mandatory }}
+INTERNAL_TOKEN = {{ gitea_app_security_token | mandatory }}
+# Accept X-Forwarded-For headers
+REVERSE_PROXY_TRUSTED_PROXIES = *
+
+[service]
+DISABLE_REGISTRATION = {{ gitea_app_disable_registration }}
+REQUIRE_SIGNIN_VIEW  = false
+
+[oauth2]
+JWT_SECRET = {{ gitea_app_jwt_secret | mandatory }}