From 37350776bf88227c0e752f76d03ec8280a28e4af Mon Sep 17 00:00:00 2001
From: Elizabeth Hunt
Date: Wed, 10 Jan 2024 02:44:20 -0500
Subject: [PATCH] gitea

---
 deploy-gitea.yml | 4 ++
 group_vars/all.yml | 1 +
 inventory | 3 ++
 roles/gitea/files/.gitignore | 1 +
 roles/gitea/tasks/main.yml | 46 +++++++++++++++++++
 roles/gitea/templates/docker-compose.yml.j2 | 20 ++++++++
 .../nameservers/templates/db.simponic.xyz.j2 | 1 +
 .../files/nijika/http.git.simponic.xyz.conf | 13 ++++++
 .../files/nijika/https.git.simponic.xyz.conf | 39 ++++++++++++++++
 9 files changed, 128 insertions(+)
 create mode 100644 deploy-gitea.yml
 create mode 100644 roles/gitea/files/.gitignore
 create mode 100644 roles/gitea/tasks/main.yml
 create mode 100644 roles/gitea/templates/docker-compose.yml.j2
 create mode 100644 roles/webservers/files/nijika/http.git.simponic.xyz.conf
 create mode 100644 roles/webservers/files/nijika/https.git.simponic.xyz.conf

diff --git a/deploy-gitea.yml b/deploy-gitea.yml
new file mode 100644
index 0000000..150a618
--- /dev/null
+++ b/deploy-gitea.yml
@@ -0,0 +1,4 @@
+- name: gitea setup
+  hosts: gitea
+  roles:
+    - gitea
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 6a4a738..0c458b9 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,5 +1,6 @@
 ---
 johan_ip: '100.64.0.5'
+nijika_ip: '100.64.0.2'
 dns_servers:
   - 1.1.1.1
diff --git a/inventory b/inventory
index b1d4c90..f1ce37e 100644
--- a/inventory
+++ b/inventory
@@ -48,3 +48,6 @@ europa ansible_user=root ansible_connection=ssh
 
 [scurvy]
 europa ansible_user=root ansible_connection=ssh
+
+[gitea]
+nijika ansible_user=root ansible_connection=ssh
diff --git a/roles/gitea/files/.gitignore b/roles/gitea/files/.gitignore
new file mode 100644
index 0000000..7ac6d1c
--- /dev/null
+++ b/roles/gitea/files/.gitignore
@@ -0,0 +1 @@
+app.ini
diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml
new file mode 100644
index 0000000..c18b861
--- /dev/null
+++ b/roles/gitea/tasks/main.yml
@@ -0,0 +1,46 @@
+---
+- name: ensure gitea docker/compose exist
+  file:
+    path: /etc/docker/compose/gitea
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+
+- name: create gitea docker/compose/data/gitea with set uid/gid
+  file:
+    path: /etc/docker/compose/gitea/data
+    state: directory
+    owner: 1000
+    group: 1000
+    mode: 0700
+
+- name: ensure gitea docker/compose/data/gitea exist
+  file:
+    path: /etc/docker/compose/gitea/data/gitea/conf
+    state: directory
+    owner: 1000
+    group: 1000
+    mode: 0700
+
+- name: copy app.ini
+  copy:
+    src: ../files/app.ini
+    dest: /etc/docker/compose/gitea/data/gitea/conf/app.ini
+    owner: 1000
+    group: 1000
+    mode: 0700
+
+- name: build gitea docker-compose.yml.j2
+  template:
+    src: ../templates/docker-compose.yml.j2
+    dest: /etc/docker/compose/gitea/docker-compose.yml
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+
+- name: daemon-reload and enable gitea
+  ansible.builtin.systemd_service:
+    state: restarted
+    enabled: true
+    name: docker-compose@gitea
diff --git a/roles/gitea/templates/docker-compose.yml.j2 b/roles/gitea/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..5a0a071
--- /dev/null
+++ b/roles/gitea/templates/docker-compose.yml.j2
@@ -0,0 +1,20 @@
+version: "3"
+
+networks:
+  gitea:
+    external: false
+
+services:
+  server:
+    image: gitea/gitea:1.21.3
+    container_name: gitea
+    restart: always
+    networks:
+      - gitea
+    volumes:
+      - ./data:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "127.0.0.1:9966:3000"
+      - "{{ nijika_ip }}:222:22"
diff --git a/roles/nameservers/templates/db.simponic.xyz.j2 b/roles/nameservers/templates/db.simponic.xyz.j2
index a5c31a3..d43c0dc 100644
--- a/roles/nameservers/templates/db.simponic.xyz.j2
+++ b/roles/nameservers/templates/db.simponic.xyz.j2
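Review bot: The last task restarts `docker-compose@gitea` unconditionally (`state: restarted`), so every playbook run bounces Gitea even when nothing changed; use `state: started` there and move the restart into a handler that the copy and template tasks `notify`. The copy task also depends on `files/app.ini`, which the same commit adds to `.gitignore`, so a fresh checkout fails at that task — presumably it is ignored because Gitea's app.ini carries secrets such as SECRET_KEY, in which case an Ansible Vault-encrypted file (or templating those values from vaulted vars) keeps it in the repo safely. Minor: `mode: 0700` on app.ini is an unquoted YAML 1.1 octal and sets an executable bit a config file never needs; `mode: "0600"`, quoted like the `u=rw,g=r,o=r` used for the compose file, is the safer and consistent form. The `name:` of the first task ("ensure gitea docker/compose exist") does not describe the `/etc/docker/compose/gitea` directory it creates; naming the path would help.
```yaml
- name: copy app.ini
  copy:
    # … unchanged: src, dest, owner, group …
    mode: "0600"
  notify: restart gitea

# … unchanged: template task, which should also carry `notify: restart gitea` …

- name: enable gitea
  ansible.builtin.systemd_service:
    state: started
    enabled: true
    name: docker-compose@gitea

# handlers/main.yml
- name: restart gitea
  ansible.builtin.systemd_service:
    state: restarted
    name: docker-compose@gitea
```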
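Review bot: The SSH publish `"{{ nijika_ip }}:222:22"` binds to 100.64.0.2 (a 100.64/10 address per group_vars, presumably the headscale overlay), while the DNS hunk makes `git.simponic.xyz` a public CNAME; SSH clone URLs Gitea renders for that domain will therefore point at a host:port that is not listening unless `SSH_DOMAIN`/`SSH_PORT` in app.ini are set to the overlay name and 222, and a comment on that line, `# ssh only reachable over the overlay network; SSH_DOMAIN/SSH_PORT in app.ini must match`, would record the intent. The HTTP port is correctly limited to 127.0.0.1 for the nginx proxy. `version: "3"` is obsolete under Compose v2 and only produces a warning, so it can be dropped. The image is pinned to a tag, which is good; `gitea/gitea:1.21.3@sha256:<digest-placeholder>` would additionally make redeploys reproducible.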
@@ -32,6 +32,7 @@ s1._domainkey.simponic.xyz. 1 IN CNAME s1.domainkey.u25709709.wl210.sendgrid.net
 s2._domainkey.simponic.xyz. 1 IN CNAME s2.domainkey.u25709709.wl210.sendgrid.net.
 headscale.simponic.xyz. 1 IN CNAME nijika.simponic.xyz.
 authelia.simponic.xyz. 1 IN CNAME nijika.simponic.xyz.
+git.simponic.xyz. 1 IN CNAME simponic.xyz.
 
 ;; MX Records
 simponic.xyz. 1 IN MX 10 mail.simponic.xyz.
diff --git a/roles/webservers/files/nijika/http.git.simponic.xyz.conf b/roles/webservers/files/nijika/http.git.simponic.xyz.conf
new file mode 100644
index 0000000..2a962a1
--- /dev/null
+++ b/roles/webservers/files/nijika/http.git.simponic.xyz.conf
@@ -0,0 +1,13 @@
+server {
+    listen 80;
+    server_name git.simponic.xyz;
+
+    location /.well-known/acme-challenge {
+        root /var/www/letsencrypt;
+        try_files $uri $uri/ =404;
+    }
+
+    location / {
+        rewrite ^ https://git.simponic.xyz$request_uri? permanent;
+    }
+}
diff --git a/roles/webservers/files/nijika/https.git.simponic.xyz.conf b/roles/webservers/files/nijika/https.git.simponic.xyz.conf
new file mode 100644
index 0000000..2abd4fd
--- /dev/null
+++ b/roles/webservers/files/nijika/https.git.simponic.xyz.conf
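Review bot: `git.simponic.xyz` is pointed at `simponic.xyz`, while its vhost is shipped under `roles/webservers/files/nijika/` and the other nijika-hosted names just above it (`headscale`, `authelia`) CNAME `nijika.simponic.xyz.`. If `simponic.xyz` does not resolve to nijika, the ACME challenge on port 80 and the proxy to 127.0.0.1:9966 land on a different host — presumably it does resolve there today, but that is not visible here and worth confirming. `git.simponic.xyz. 1 IN CNAME nijika.simponic.xyz.` would make the dependency explicit and consistent with its neighbours.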
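Review bot: The `rewrite ^ https://git.simponic.xyz$request_uri? permanent;` line in `location /` runs a regex rewrite for what is a plain redirect; nginx's recommended form is `return 301 https://git.simponic.xyz$request_uri;`, which is cheaper and reads as what it is. The ACME challenge location with its `=404` fallback looks right.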
@@ -0,0 +1,39 @@
+server {
+    listen 443 ssl;
+    server_name git.simponic.xyz;
+
+    ssl_certificate /etc/letsencrypt/live/git.simponic.xyz/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/git.simponic.xyz/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/git.simponic.xyz/fullchain.pem;
+
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_timeout 5m;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+    ssl_dhparam /etc/nginx/dhparams.pem;
+    ssl_prefer_server_ciphers on;
+
+    location / {
+        proxy_pass http://127.0.0.1:9966;
+
+        client_body_buffer_size 128k;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+        proxy_set_header X-Forwarded-Uri $request_uri;
+        proxy_set_header X-Forwarded-Ssl on;
+        proxy_redirect http:// $scheme://;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+        proxy_cache_bypass $cookie_session;
+        proxy_no_cache $cookie_session;
+        proxy_buffers 64 256k;
+    }
+}
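Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables TLS 1.0 and 1.1, which RFC 8996 deprecates, and the `ssl_ciphers` list keeps 3DES (`DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`) and non-forward-secret plain-RSA suites — the trailing `!DES` does not exclude 3DES. Restrict to TLS 1.2/1.3 with an AEAD-only list (Mozilla's intermediate profile), let clients choose order, and disable session tickets so resumption does not outlive the cache. Two Gitea-specific gaps: there is no `client_max_body_size`, so nginx's 1m default rejects larger pushes over HTTPS with 413, and no HSTS header is set although port 80 already redirects unconditionally. The `proxy_cache_bypass`/`proxy_no_cache $cookie_session` pair looks carried over from another vhost; it is harmless here but deserves a comment or removal.
```nginx
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_session_tickets off;

    # … unchanged: ssl_dhparam …
    ssl_prefer_server_ciphers off;

    add_header Strict-Transport-Security "max-age=63072000" always;
    # git pushes over HTTPS exceed nginx's 1m default request body limit
    client_max_body_size 512m;

    location / {
        proxy_pass http://127.0.0.1:9966;
        # … unchanged: buffer sizes and proxy_set_header directives …
    }
```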