testing

dev/gitea.yml

@@ -6,4 +6,5 @@
   roles:
     - base
     - docker
+    - mariadb
     - gitea

dev/host_vars/gitea.yml

@@ -2,6 +2,12 @@
 allow_reboot: false
 manage_network: false
 
+users:
+  git:
+    uid: 1001
+    gid: 1001
+    home: true
+
 # Import my GPG key for git signature verification
 root_gpgkeys:
   - name: kris@lamoureux.io
@@ -16,10 +22,24 @@ docker_compose_deploy:
   # Traefik
   - name: traefik
     url: https://github.com/krislamo/traefik
-    version: 31ee724feebc1d5f91cb17ffd6892c352537f194
+    version: 398eb48d311db78b86abf783f903af4a1658d773
     enabled: true
-    accept_newhostkey: true # Consider verifying manually instead
+    accept_newhostkey: true
     trusted_keys:
       - FBF673CEEC030F8AECA814E73EDA9C3441EDA925
     env:
       ENABLE: true
+  # Gitea
+  - name: gitea
+    url: https://github.com/krislamo/gitea
+    version: b0ce66f6a1ab074172eed79eeeb36d7e9011ef8f
+    env:
+      USER_UID: "{{ users.git.uid }}"
+      USER_GID: "{{ users.git.gid }}"
+      DB_PASSWD: "{{ gitea.DB_PASSWD }}"
+
+# gitea
+gitea:
+  DB_NAME: gitea
+  DB_USER: gitea
+  DB_PASSWD: password

forward-ssh.sh

@@ -23,9 +23,10 @@ function ssh_connect {
     [yY])
       printf "[INFO]: Starting new vagrant SSH tunnel on PID "
       sudo -u "$USER" ssh -fNT -i "$PRIVATE_KEY" \
-        -L 8443:localhost:8443 \
+        -L 22:localhost:22 \
         -L 80:localhost:80 \
         -L 443:localhost:443 \
+        -L 8443:localhost:8443 \
         -o UserKnownHostsFile=/dev/null \
         -o StrictHostKeyChecking=no \
         vagrant@"$HOST_IP" 2>/dev/null

roles/base/tasks/system.yml

@@ -66,13 +66,27 @@
     mode: 0400
   when: authorized_keys is defined
 
+- name: Create system user groups
+  ansible.builtin.group:
+    name: "{{ item.key }}"
+    gid: "{{ item.value.gid }}"
+    state: present
+  loop: "{{ users | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  when: users is defined
+
 - name: Create system users
   ansible.builtin.user:
-    name: "{{ item.name }}"
+    name: "{{ item.key }}"
     state: present
-    shell: "{{ item.shell | default('/bin/bash') }}"
+    uid: "{{ item.value.uid }}"
-    create_home: "{{ item.home | default(false) }}"
+    group: "{{ item.value.gid }}"
-  loop: "{{ users }}"
+    shell: "{{ item.value.shell | default('/bin/bash') }}"
+    create_home: "{{ item.value.home | default(false) }}"
+  loop: "{{ users | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
   when: users is defined
 
 - name: Set authorized_keys for system users
@@ -80,7 +94,9 @@
     user: "{{ item.key }}"
     key: "{{ item.value.key }}"
     state: present
-  loop: "{{ users }}"
+  loop: "{{ users | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
   when: users is defined and item.value.key is defined
 
 - name: Manage filesystem mounts

roles/gitea/tasks/main.yml

@@ -1,38 +1,23 @@
-- name: Create Gitea directory
+- name: Install MySQL module for Ansible
-  ansible.builtin.file:
+  ansible.builtin.apt:
-    path: "{{ gitea_root }}"
+    name: python3-pymysql
-    state: directory
+    state: present
 
 - name: Create Gitea database
   community.mysql.mysql_db:
-    name: "{{ gitea_dbname }}"
+    name: "{{ gitea.DB_NAME }}"
     state: present
     login_unix_socket: /var/run/mysqld/mysqld.sock
 
 - name: Create Gitea database user
   community.mysql.mysql_user:
-    name: "{{ gitea_dbuser }}"
+    name: "{{ gitea.DB_USER }}"
-    password: "{{ gitea_dbpass }}"
+    password: "{{ gitea.DB_PASSWD }}"
     host: '%'
     state: present
-    priv: "{{ gitea_dbname }}.*:ALL"
+    priv: "{{ gitea.DB_NAME }}.*:ALL"
     login_unix_socket: /var/run/mysqld/mysqld.sock
 
-- name: Create git user
-  ansible.builtin.user:
-    name: git
-    state: present
-
-- name: Git user uid
-  ansible.builtin.getent:
-    database: passwd
-    key: git
-
-- name: Git user gid
-  ansible.builtin.getent:
-    database: group
-    key: git
-
 - name: Create git's .ssh directory
   ansible.builtin.file:
     path: /home/git/.ssh
@@ -70,28 +55,11 @@
     dest: /usr/local/bin/gitea
     mode: 0755
 
-- name: Install Gitea's docker-compose file
-  ansible.builtin.template:
-    src: docker-compose.yml.j2
-    dest: "{{ gitea_root }}/docker-compose.yml"
-  notify: restart_gitea
-
-- name: Install Gitea's docker-compose variables
-  ansible.builtin.template:
-    src: compose-env.j2
-    dest: "{{ gitea_root }}/.env"
-  notify: restart_gitea
-
 - name: Create Gitea's logging directory
   ansible.builtin.file:
     name: /var/log/gitea
     state: directory
 
-- name: Create Gitea's initial log file
-  ansible.builtin.file:
-    name: /var/log/gitea/gitea.log
-    state: touch
-
 - name: Install Gitea's Fail2ban filter
   ansible.builtin.template:
     src: fail2ban-filter.conf.j2

roles/mariadb/defaults/main.yml

@@ -1,3 +0,0 @@
-mariadb_trust:
-  - "172.16.0.0/12"
-  - "192.168.0.0/16"

roles/mariadb/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: Restart MariaDB
+  ansible.builtin.service:
+    name: mariadb
+    state: restarted
+  listen: restart_mariadb

roles/mariadb/tasks/main.yml

@@ -3,23 +3,20 @@
     name: mariadb-server
     state: present
 
-- name: Change the bind-address to allow Docker
+- name: Regather facts for the potentially new docker0 interface
+  ansible.builtin.setup:
+
+- name: Change the bind-address to allow from docker0
   ansible.builtin.lineinfile:
     path: /etc/mysql/mariadb.conf.d/50-server.cnf
     regex: "^bind-address"
-    line: "bind-address            = 0.0.0.0"
+    line: "bind-address            = {{ ansible_facts.docker0.ipv4.address }}"
-  register: mariadb_conf
+  notify: restart_mariadb
 
-- name: Restart MariaDB
+- name: Allow database connections from Docker
-  ansible.builtin.service:
-    name: mariadb
-    state: restarted
-  when: mariadb_conf.changed
-
-- name: Allow database connections
   community.general.ufw:
     rule: allow
     port: "3306"
     proto: tcp
     src: "{{ item }}"
-  loop: "{{ mariadb_trust }}"
+  loop: "{{ mariadb_trust | default(['172.16.0.0/12']) }}"