Make role working with gitea v1.20.0

defaults/main.yml

@@ -26,7 +26,6 @@ gitea_offline_mode: true
 gitea_lfs_server_enabled: false
 gitea_lfs_content_path: "{{ gitea_home }}/data/lfs"
 gitea_lfs_jwt_secret: ''
-gitea_lfs_content_path: "data/lfs"
 gitea_lfs_secret: SomethingVeryLong
 gitea_lfs_mode: true
 
@@ -59,17 +58,33 @@ gitea_mail_default: onmention
 gitea_autowatch_new_repo: false
 gitea_autowatch_on_change: true
 gitea_show_mailstones_dashboard: true
+# make sure, that register_email_confirm is false when register_manual_confirm is set to true
+gitea_register_email_confirm: false
+gitea_register_manual_confirm: true
+gitea_default_allow_create_organization: false
+gitea_default_user_is_restricted: true
+gitea_email_domain_allowlist: ""
+gitea_auto_watch_new_repos: false
+gitea_default_user_visibility: limited
+gitea_default_org_visibility: limited
+gitea_allow_only_internal_registration: true
+
 
 gitea_force_private: false
 
 gitea_mailer_enabled: false
-gitea_mailer_skip_verify: false
 gitea_mailer_tls_enabled: true
-gitea_mailer_host: localhost:25
+gitea_mailer_smtp_addr: "localhost"
+gitea_mailer_smtp_port: "25"
 gitea_mailer_from: [email protected]
 gitea_mailer_user: ""
 gitea_mailer_password: ""
 gitea_mailer_type: smtp
+gitea_mailer_protocol: "smtp"
+# protocol can be one of "smtp", "smtps", "smtp+starttls", "smtp+unix", "sendmail", "dummy"
+gitea_mailer_force_trust_server_cert: false
+gitea_mailer_use_client_cert: false
+gitea_mailer_enable_helo: true
 
 gitea_fail2ban_enabled: false
 gitea_fail2ban_jail_maxretry: 10

tasks/main.yml

@@ -32,7 +32,8 @@
   notify: "Restart gitea"
   when: (not gitea_version_check|bool) or (not ansible_check_mode and (gitea_active_version.stdout != gitea_version))
 
-- include: create_user.yml
+- include_tasks: 
+    file: create_user.yml
 
 - name: "Create config and data directory"
   ansible.builtin.file:
@@ -62,7 +63,8 @@
     - "{{ gitea_home }}/log"
     - "{{ gitea_repository_root }}"
 
-- include: install_systemd.yml
+- include_tasks: 
+    file: install_systemd.yml
   when: ansible_service_mgr == "systemd"
 
 - include_tasks: jwt_secrets.yml
@@ -87,5 +89,6 @@
     enabled: true
   when: ansible_service_mgr == "systemd"
 
-- include: fail2ban.yml
+- include_tasks: 
+    file: fail2ban.yml
   when: gitea_fail2ban_enabled|bool

templates/gitea.ini.j2

@@ -1,163 +1,186 @@
 ; this file is the configuration of your local gitea instance
 ; {{ ansible_managed }}
-;
+; 
 ; This file overwrites the default values from gitea.
 ; undefined variables will use the default value from gitea.
 ; Cheat Sheet: https://docs.gitea.io/en-us/config-cheat-sheet/
-;
+; 
 ; App name that shows on every page title
 APP_NAME = {{ gitea_app_name }}
 ; Change it if you run locally
 RUN_USER = {{ gitea_user }}
 ; Either "dev", "prod" or "test", default is "dev"
 RUN_MODE = prod
+WORK_PATH = /usr/local/bin
 
 [repository]
-ROOT                = {{ gitea_repository_root }}
+ROOT = {{ gitea_repository_root }}
 ; Force every new repository to be private
-FORCE_PRIVATE       = {{ gitea_force_private | ternary('true', 'false') }}
+FORCE_PRIVATE = {{ gitea_force_private | ternary('true', 'false') }}
 ; Global limit of repositories per user, applied at creation time. -1 means no limit
-MAX_CREATION_LIMIT  = {{ gitea_user_repo_limit }}
+MAX_CREATION_LIMIT = {{ gitea_user_repo_limit }}
 ; Mirror sync queue length, increase if mirror syncing starts hanging
-MIRROR_QUEUE_LENGTH = 1000
+; --> MIRROR_QUEUE_LENGTH = 1000
 ; Disable the ability to interact with repositories using the HTTP protocol
-DISABLE_HTTP_GIT    = {{ gitea_disable_http_git | ternary('true', 'false') }}
+DISABLE_HTTP_GIT = {{ gitea_disable_http_git | ternary('true', 'false') }}
 
 [ui]
 ; Whether the email of the user should be shown in the Explore Users page
 SHOW_USER_EMAIL = {{ gitea_show_user_email | ternary('true', 'false') }}
-THEMES          = {{ gitea_themes }}
-DEFAULT_THEME   = {{ gitea_theme_default }}
+THEMES = {{ gitea_themes }}
+DEFAULT_THEME = {{ gitea_theme_default }}
 
 [server]
 ; The protocol the server listens on. One of 'http', 'https', 'unix' or 'fcgi'.
-PROTOCOL         = {{ gitea_protocol }}
-DOMAIN           = {{ gitea_http_domain }}
-ROOT_URL         = {{ gitea_root_url }}
+PROTOCOL = {{ gitea_protocol }}
+DOMAIN = {{ gitea_http_domain }}
+ROOT_URL = {{ gitea_root_url }}
 ; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket.
-HTTP_ADDR        = {{ gitea_http_listen }}
-HTTP_PORT        = {{ gitea_http_port }}
+HTTP_ADDR = {{ gitea_http_listen }}
+HTTP_PORT = {{ gitea_http_port }}
 ; Disable SSH feature when not available
-DISABLE_SSH      = false
+DISABLE_SSH = false
 ; Whether to use the builtin SSH server or not.
 START_SSH_SERVER = {{ gitea_start_ssh | ternary('true', 'false') }}
 ; Domain name to be exposed in clone URL
-SSH_DOMAIN       = {{ gitea_ssh_domain }}
+SSH_DOMAIN = {{ gitea_ssh_domain }}
 ; The network interface the builtin SSH server should listen on
-SSH_LISTEN_HOST  = {{ gitea_ssh_listen }}
+SSH_LISTEN_HOST = {{ gitea_ssh_listen }}
 ; Port number to be exposed in clone URL
-SSH_PORT         = {{ gitea_ssh_port }}
+SSH_PORT = {{ gitea_ssh_port }}
 ; The port number the builtin SSH server should listen on
-SSH_LISTEN_PORT  = %(SSH_PORT)s
-; Disable CDN even in "prod" mode
-OFFLINE_MODE     = {{ gitea_offline_mode | ternary('true', 'false') }}
+SSH_LISTEN_PORT = %(SSH_PORT)s
 ; Default path for App data
-APP_DATA_PATH    = {{ gitea_home }}/data
+APP_DATA_PATH = {{ gitea_home }}/data
 {% if gitea_lfs_server_enabled | bool -%}
-;Enables git-lfs support.
+; Enables git-lfs support.
 LFS_START_SERVER = true
 ; Where to store LFS files.
-LFS_CONTENT_PATH = {{ gitea_lfs_content_path }}
+; --> LFS_CONTENT_PATH = {{ gitea_lfs_content_path }}
 ; LFS authentication secret
-LFS_JWT_SECRET   = {{ gitea_lfs_jwt_secret }}
-LFS_CONTENT_PATH      = {{ gitea_lfs_content_path }}
+; LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }}
+; --> LFS_CONTENT_PATH = {{ gitea_lfs_content_path }}
 ; if the LFS sotre is not offline/local
-LFS_JWT_SECRET       = {{ gitea_lfs_secret }} 
-OFFLINE_MODE         = {{ gitea_lfs_mode }}
+LFS_JWT_SECRET = {{ gitea_lfs_secret }} 
+OFFLINE_MODE = {{ gitea_lfs_mode }}
 {% endif %}
+
+[lfs]
+PATH = {{ gitea_lfs_content_path }}
+
 [database]
 ; Either "mysql", "postgres", "mssql" or "sqlite3", it's your choice
-DB_TYPE  = {{ gitea_db_type }}
-HOST     = {{ gitea_db_host }}
-NAME     = {{ gitea_db_name }}
-USER     = {{ gitea_db_user }}
+DB_TYPE = {{ gitea_db_type }}
+HOST = {{ gitea_db_host }}
+NAME = {{ gitea_db_name }}
+USER = {{ gitea_db_user }}
 ; Use PASSWD = `your password` for quoting if you use special characters in the password.
-PASSWD   = {{ gitea_db_password }}
+PASSWD = {{ gitea_db_password }}
 ; For Postgres, either "disable" (default), "require", "verify-ca" or "verify-full"
 ; For MySQL, either "false" (default), "true", or "skip-verify"
 SSL_MODE = {{ gitea_db_ssl }}
 ; For "sqlite3" and "tidb", use an absolute path when you start gitea as service
-PATH     = {{ gitea_db_path }}
+PATH = {{ gitea_db_path }}
 
 [indexer]
 ; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve
-ISSUE_INDEXER_PATH            = {{ gitea_home }}/indexers/issues.bleve
+ISSUE_INDEXER_PATH = {{ gitea_home }}/indexers/issues.bleve
 ; Issue indexer queue, currently support: channel or levelqueue, default is levelqueue
-ISSUE_INDEXER_QUEUE_TYPE      = levelqueue
+; --> ISSUE_INDEXER_QUEUE_TYPE      = levelqueue
 ; When ISSUE_INDEXER_QUEUE_TYPE is levelqueue, this will be the queue will be saved path,
 ; default is indexers/issues.queue
-ISSUE_INDEXER_QUEUE_DIR       = {{ gitea_home }}/indexers/issues.queue
+; --> ISSUE_INDEXER_QUEUE_DIR       = {{ gitea_home }}/indexers/issues.queue
 ; repo indexer by default disabled, since it uses a lot of disk space
-REPO_INDEXER_ENABLED          = {{ gitea_repo_indexer_enabled }}
-REPO_INDEXER_PATH             = {{ gitea_home }}/indexers/repos.bleve
-REPO_INDEXER_INCLUDE          = {{ gitea_repo_indexer_include }}
-REPO_INDEXER_EXCLUDE          = {{ gitea_repo_indexer_exclude }}
+REPO_INDEXER_ENABLED = {{ gitea_repo_indexer_enabled }}
+REPO_INDEXER_PATH = {{ gitea_home }}/indexers/repos.bleve
+REPO_INDEXER_INCLUDE = {{ gitea_repo_indexer_include }}
+REPO_INDEXER_EXCLUDE = {{ gitea_repo_indexer_exclude }}
 REPO_INDEXER_EXCLUDE_VENDORED = {{ gitea_repo_exclude_vendored }}
-MAX_FILE_SIZE                 = {{ gitea_repo_indexer_max_file_size }}
+MAX_FILE_SIZE = {{ gitea_repo_indexer_max_file_size }}
+
+[queue]
+LENGTH = 1000
+
+[queue.issue_indexer]
+TYPE = levelqueue
+DATADIR = {{ gitea_home }}/indexers/issues.queue
+LENGTH = 1000
 
 [security]
 ; Whether the installer is disabled
-INSTALL_LOCK        = true
+INSTALL_LOCK = true
 ; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!!
-SECRET_KEY          = {{ gitea_secret_key }}
-INTERNAL_TOKEN      = {{ gitea_internal_token }}
+SECRET_KEY = {{ gitea_secret_key }}
+INTERNAL_TOKEN = {{ gitea_internal_token }}
 ; How long to remember that an user is logged in before requiring relogin (in days)
 LOGIN_REMEMBER_DAYS = 7
-DISABLE_GIT_HOOKS   = {{ gitea_disable_git_hooks | ternary('true', 'false') }}
+DISABLE_GIT_HOOKS = {{ gitea_disable_git_hooks | ternary('true', 'false') }}
 
 [service]
 ; Disallow registration, only allow admins to create accounts.
-DISABLE_REGISTRATION             = {{ gitea_disable_registration }}
+DISABLE_REGISTRATION = {{ gitea_disable_registration }}
 ; User must sign in to view anything.
-REQUIRE_SIGNIN_VIEW              = {{ gitea_require_signin | ternary('true', 'false') }}
+REQUIRE_SIGNIN_VIEW = {{ gitea_require_signin | ternary('true', 'false') }}
 ; Enable captcha validation for registration
-ENABLE_CAPTCHA                   = {{ gitea_enable_captcha | ternary('true', 'false') }}
+ENABLE_CAPTCHA = {{ gitea_enable_captcha | ternary('true', 'false') }}
 ; Type of captcha you want to use. Options: image, recaptcha
-CAPTCHA_TYPE                     = image
+CAPTCHA_TYPE = image
 ; Enable recaptcha to use Google's recaptcha service
 ; Go to https://www.google.com/recaptcha/admin to sign up for a key
-RECAPTCHA_SECRET                 =
-RECAPTCHA_SITEKEY                =
+RECAPTCHA_SECRET = 
+RECAPTCHA_SITEKEY = 
 ; Show Registration button
 SHOW_REGISTRATION_BUTTON = {{ gitea_show_registration_button }}
 ALLOW_ONLY_EXTERNAL_REGISTRATION = {{ gitea_only_allow_external_registration }}
 ENABLE_NOTIFY_MAIL = {{ gitea_enable_notify_mail }}
-DEFAULT_EMAIL_NOTIFICATIONS       = {{ gitea_mail_default }} 
-AUTO_WATCH_NEW_REPOS              = {{ gitea_autowatch_new_repo }} 
-AUTO_WATCH_ON_CHANGES             = {{ gitea_autowatch_on_change }} 
-SHOW_MILESTONES_DASHBOARD_PAGE    = {{ gitea_show_mailstones_dashboard }} 
+DEFAULT_EMAIL_NOTIFICATIONS = {{ gitea_mail_default }} 
+AUTO_WATCH_NEW_REPOS = {{ gitea_autowatch_new_repo }} 
+AUTO_WATCH_ON_CHANGES = {{ gitea_autowatch_on_change }} 
+SHOW_MILESTONES_DASHBOARD_PAGE = {{ gitea_show_mailstones_dashboard }} 
+REGISTER_EMAIL_CONFIRM = {{ gitea_register_email_confirm }}
+REGISTER_MANUAL_CONFIRM = {{ gitea_register_manual_confirm }}
+DEFAULT_ALLOW_CREATE_ORGANIZATION = {{ gitea_default_allow_create_organization }}
+DEFAULT_USER_IS_RESTRICTED = {{ gitea_default_user_is_restricted }}
+{% if gitea_email_domain_allowlist is defined and gitea_email_domain_allowlist|length  %}
+EMAIL_DOMAIN_ALLOWLIST = {{ gitea_email_domain_allowlist }}
+{% endif %}
+AUTO_WATCH_NEW_REPOS = {{ gitea_auto_watch_new_repos }}
+DEFAULT_USER_VISIBILITY = {{ gitea_default_user_visibility }}
+DEFAULT_ORG_VISIBILITY = {{ gitea_default_org_visibility }}
+ALLOW_ONLY_INTERNAL_REGISTRATION = {{ gitea_allow_only_internal_registration }}
 
 [mailer]
-ENABLED            = {{ gitea_mailer_enabled | ternary('true', 'false') }}
+ENABLED = {{ gitea_mailer_enabled | ternary('true', 'false') }}
 ; Mail server
 ; Gmail: smtp.gmail.com:587
 ; QQ: smtp.qq.com:465
 ; Note, if the port ends with "465", SMTPS will be used. Using STARTTLS on port 587 is recommended per RFC 6409. If the server supports STARTTLS it will always be used.
-HOST               = {{ gitea_mailer_host }}
+SMTP_ADDR = {{ gitea_mailer_smtp_addr }}
+SMTP_PORT = {{ gitea_mailer_smtp_port }}
+PROTOCOL = {{ gitea_mailer_protocol }}
 ; Do not verify the certificate of the server. Only use this for self-signed certificates
-SKIP_VERIFY        = {{ gitea_mailer_skip_verify }}
 ; Use client certificate
-USE_CERTIFICATE    = false
-CERT_FILE          = {{ gitea_home }}/custom/mailer/cert.pem
-KEY_FILE           = {{ gitea_home }}/custom/mailer/key.pem
+; USE_CERTIFICATE = false
+USE_CLIENT_CERT = {{ gitea_mailer_use_client_cert }}
+CLIENT_CERT_FILE = {{ gitea_home }}/custom/mailer/cert.pem
+CLIENT_KEY_FILE = {{ gitea_home }}/custom/mailer/key.pem
+FORCE_TRUST_SERVER_CERT = {{ gitea_mailer_force_trust_server_cert }}
 ; Should SMTP connection use TLS
-IS_TLS_ENABLED     = {{ gitea_mailer_tls_enabled | ternary('true', 'false') }}
 ; Mail from address, RFC 5322. This can be just an email address, or the `"Name" <[email protected]>` format
-FROM               = {{ gitea_mailer_from }}
+FROM = {{ gitea_mailer_from }}
 ; Mailer user name and password
-USER               = {{ gitea_mailer_user }}
+USER = {{ gitea_mailer_user }}
 ; Use PASSWD = `your password` for quoting if you use special characters in the password.
-PASSWD             = {{ gitea_mailer_password }}
+PASSWD = {{ gitea_mailer_password }}
 ; Send mails as plain text
 SEND_AS_PLAIN_TEXT = false
-; Set Mailer Type (either SMTP, sendmail or dummy to just send to the log)
-MAILER_TYPE        = {{ gitea_mailer_type }}
 ; Specify an alternative sendmail binary
-SENDMAIL_PATH      = sendmail
+SENDMAIL_PATH = sendmail
+ENABLE_HELO = {{ gitea_mailer_enable_helo }}
 
 [session]
 ; Either "memory", "file", or "redis", default is "memory"
-PROVIDER        = file
+PROVIDER = file
 ; Provider config options
 ; memory: doesn't have any config yet
 ; file: session file path, e.g. `data/sessions`
@@ -168,31 +191,31 @@ PROVIDER_CONFIG = {{ gitea_home }}/data/sessions
 [picture]
 AVATAR_UPLOAD_PATH = {{ gitea_home }}/data/avatars
 ; This value will always be true in offline mode.
-DISABLE_GRAVATAR   = {{ gitea_disable_gravatar | ternary('true', 'false') }}
+DISABLE_GRAVATAR = {{ gitea_disable_gravatar | ternary('true', 'false') }}
 
 [attachment]
 ; Whether attachments are enabled. Defaults to `true`
 ENABLED = true
 ; Path for attachments. Defaults to `data/attachments`
-PATH    = {{ gitea_home }}/data/attachments
+PATH = {{ gitea_home }}/data/attachments
 
 [log]
-ROOT_PATH            = {{ gitea_home }}/log
+ROOT_PATH = {{ gitea_home }}/log
 ; Either "console", "file", "conn", "smtp" or "database", default is "console"
 ; Use comma to separate multiple modes, e.g. "console, file"
-MODE                 = file
+MODE = file
 ; Buffer length of the channel, keep it as it is if you don't know what it is.
-BUFFER_LEN           = 10000
+BUFFER_LEN = 10000
 ; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace"
-LEVEL                = {{ gitea_log_level }}
+LEVEL = {{ gitea_log_level }}
 REDIRECT_MACARON_LOG = false
 
 [oauth2]
-ENABLE     = {{ gitea_oauth2_enabled }}
+ENABLE = {{ gitea_oauth2_enabled }}
 JWT_SECRET = {{ gitea_oauth2_jwt_secret }}
 
 [metrics]
 ENABLED = {{ gitea_metrics_enabled }}
-TOKEN   = {{ gitea_metrics_token }}
+TOKEN = {{ gitea_metrics_token }}
 
 {{ gitea_extra_config }}

templates/gitea.service.j2

@@ -11,6 +11,8 @@ WorkingDirectory={{ gitea_home }}
 {% if gitea_systemd_cap_net_bind_service %}
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 {% endif %}
+RestartSec=2s
+Type=notify
 
 [Install]
 WantedBy=multi-user.target