init

ansible/roles/gitea/README.md

@@ -0,0 +1,109 @@
+# Gitea Setup Notes
+
+## 1️⃣ Добавление HTTPS сертификата (Let's Encrypt + Nginx)
+
+### Установка certbot 
+ставим certbot на хост (НЕ в контейнер)
+
+``` bash
+sudo apt update
+sudo apt install certbot python3-certbot-nginx -y
+```
+
+### Базовый nginx конфиг (HTTP → прокси в Gitea)
+
+Файл: `./nginx/nginx.conf`
+
+``` nginx
+server {
+    listen 80;
+    server_name gitea.quietblock.net;
+
+    location / {
+        proxy_pass http://gitea:3000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+}
+```
+
+### Получение сертификата
+
+``` bash
+sudo certbot certonly --standalone -d gitea.quietblock.net
+```
+
+Запрашивает SSL сертификат для домена через standalone режим.
+
+После успеха сертификаты будут:
+
+    /etc/letsencrypt/live/gitea.quietblock.net/fullchain.pem
+    /etc/letsencrypt/live/gitea.quietblock.net/privkey.pem
+
+### Docker nginx сервис
+
+``` yaml
+nginx:
+  image: nginx:stable
+  container_name: nginx
+  restart: always
+
+  ports:
+    - "80:80"
+    - "443:443"
+
+  volumes:
+    - ./nginx:/etc/nginx/conf.d
+    - /etc/letsencrypt:/etc/letsencrypt:ro
+
+  depends_on:
+    - gitea
+```
+
+### Финальный nginx конфиг (HTTP → HTTPS + SSL)
+
+``` nginx
+server {
+    listen 80;
+    server_name gitea.quietblock.net;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    server_name gitea.quietblock.net;
+
+    ssl_certificate /etc/letsencrypt/live/gitea.quietblock.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/gitea.quietblock.net/privkey.pem;
+
+    location / {
+        proxy_pass http://gitea:3000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+}
+```
+
+Что происходит: - HTTP редиректится на HTTPS - nginx использует SSL
+сертификаты - HTTPS проксируется в контейнер gitea
+
+------------------------------------------------------------------------
+
+## 2️⃣ Создание администратора в Gitea
+
+### Зайти внутрь контейнера
+
+``` bash
+docker exec -it --user git gitea /bin/bash
+```
+
+Открывает shell внутри контейнера gitea от пользователя git.
+
+### Создать администратора
+
+``` bash
+gitea admin user create   --username adminuser   --password 14881488   --email you@mail.com   --admin
+```

ansible/roles/gitea/tasks/main.yml

@@ -0,0 +1,23 @@
+- name: ensure directory structure exists
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "root"
+    group: "root"
+    mode: "0755"
+  loop:
+    - "/opt/gitea"
+    - "/opt/gitea/nginx"
+
+- name: render stack files
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "/opt/gitea/{{ item.dest }}"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  loop:
+    - { src: "docker-compose.yml.j2", dest: "docker-compose.yml" }
+    - { src: ".env.j2", dest: ".env", mode: "0600" }
+    - { src: "nginx/nginx.conf.j2", dest: "nginx/nginx.conf" }
+  register: rendered

ansible/roles/gitea/templates/docker-compose.yml.j2

@@ -0,0 +1,78 @@
+version: "3.9"
+
+services:
+  postgres:
+    image: postgres:15
+    container_name: postgres
+    restart: always
+
+    environment:
+      POSTGRES_DB: ${POSTGRES_DB}
+      POSTGRES_USER: ${POSTGRES_USER}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+
+    volumes:
+      - ./data/postgres:/var/lib/postgresql/data
+
+    networks:
+      - gitea_net
+
+  gitea:
+    image: gitea/gitea:latest
+    container_name: gitea
+    restart: always
+
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+
+      # DB
+      - GITEA__database__DB_TYPE=postgres
+      - GITEA__database__HOST=postgres:5432
+      - GITEA__database__NAME=${POSTGRES_DB}
+      - GITEA__database__USER=${POSTGRES_USER}
+      - GITEA__database__PASSWD=${POSTGRES_PASSWORD}
+
+      # basic
+      - GITEA__server__DOMAIN=${GITEA_URL}
+      - GITEA__server__ROOT_URL=https://${GITEA_URL}/
+      - GITEA__server__SSH_DOMAIN=${GITEA_URL}
+      - GITEA__server__HTTP_PORT=3000
+      - GITEA__server__SSH_PORT=2222
+
+      # security
+      - GITEA__security__INSTALL_LOCK=true
+      - GITEA__service__DISABLE_REGISTRATION=true
+
+    volumes:
+      - ./data/gitea:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+
+    depends_on:
+      - postgres
+
+    networks:
+      - gitea_net
+
+  nginx:
+    image: nginx:stable
+    container_name: nginx
+    restart: always
+
+    ports:
+      - "80:80"
+      - "443:443"
+
+    volumes:
+      - ./nginx:/etc/nginx/conf.d
+      - /etc/letsencrypt:/etc/letsencrypt:ro
+
+    depends_on:
+      - gitea
+
+    networks:
+      - gitea_net
+
+networks:
+  gitea_net:

ansible/roles/gitea/templates/nginx/nginx.conf.j2

@@ -0,0 +1,23 @@
+server {
+    listen 80;
+    server_name gitea.quietblock.net;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    server_name gitea.quietblock.net;
+
+    ssl_certificate /etc/letsencrypt/live/gitea.quietblock.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/gitea.quietblock.net/privkey.pem;
+
+    location / {
+        proxy_pass http://gitea:3000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+
+    client_max_body_size 50M;
+}