git.autonomic.zone/ansible/post-deploy.yml

---
- hosts: all
  gather_facts: false
  tasks:
    - name: Load variables
      include_vars:
        dir: "{{ dokku_lib_root }}/data/ansible/gitea/vars/"
        extensions:
          - yml

    - name: Set HTTP 80 port proxy
      dokku_ports:
        app: gitea
        mappings:
          - "http:80:{{ http_port }}"
        state: present

    - name: Setup LE certificates
      shell: dokku letsencrypt gitea
      args:
        creates: /home/dokku/gitea/letsencrypt/certs

    - name: Setup LE certificates renew cron job
      shell: dokku letsencrypt:cron-job --add
      args:
        creates: /home/dokku/gitea/letsencrypt/cron-job

    - name: Remove automatically configured ports
      dokku_ports:
        app: gitea
        mappings:
          - "http:3000:3000"
          - "http:2222:2222"
        state: absent

    - name: Set HTTP 443 port
      dokku_ports:
        app: gitea
        mappings:
          - "https:443:{{ http_port }}"
        state: present

    - name: Ensure jq package is installed
      apt:
        name: jq
        state: present

    - name: Retrieve application container IP address
      shell: "dokku ps:inspect gitea | jq -r .[0].NetworkSettings.IPAddress"
      register: dokku_ps_inspect

    - name: Setup the SSH passthrough script
      vars:
        ssh_listen_port: "{{ ssh_listen_port }}"
        dokku_container_ip: "{{ dokku_ps_inspect.stdout }}"
      template:
        src: gitea.j2
        dest: /app/gitea/gitea
        owner: git
        group: git
        mode: "+x"
        force: true
      become: true

    - name: Store the git user public key
      shell: cat /home/git/.ssh/id_rsa.pub
      register: git_id_rsa_pub
      become: true

    - name: Store the gitea authorized_keys file
      shell: cat /var/lib/gitea/git/.ssh/authorized_keys
      register: git_auth_keys
      become: true

    - name: Check if the public key is already in place
      command: 'grep -Fxq "{{ git_id_rsa_pub.stdout}}" /var/lib/gitea/git/.ssh/authorized_keys'
      check_mode: false
      ignore_errors: true
      changed_when: false
      register: git_id_rsa_pub_check
      become: true

    - name: Ensure git public key is in gitea loaded authorized_keys
      blockinfile:
        path: /var/lib/gitea/git/.ssh/authorized_keys
        block: "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty {{ git_id_rsa_pub.stdout }}"
        state: present
        owner: git
        group: git
        create: true
        insertbefore: BOF
        backup: true
        marker: "# ansible inserted git <-> gitea public key"
      become: true
      when: git_id_rsa_pub_check.rc == 0

    - name: Symlink the gitea authorized keys configuration to the host git user
      file:
        src: /var/lib/gitea/git/.ssh/authorized_keys
        dest: /home/git/.ssh/authorized_keys
        state: link
        force: true
        owner: git
      become: true

    - name: Add git user to AllowUsers SSH configuration
      replace:
        backup: true
        dest: /etc/ssh/sshd_config
        regexp: '^(AllowUsers(?!.*\bgit\b).*)$'
        replace: '\1 git'
Clean up and add header marker 2020-03-19 00:57:09 +00:00			`---`
Ansible plugin attempts 2020-03-19 00:46:09 +00:00			`- hosts: all`
Shuffle perms and don't gather facts 2020-03-22 11:26:48 +00:00			`gather_facts: false`
Ansible plugin attempts 2020-03-19 00:46:09 +00:00			`tasks:`
New vars, new tasks, new app! 2020-03-22 10:53:49 +00:00			`- name: Load variables`
			`include_vars:`
			`dir: "{{ dokku_lib_root }}/data/ansible/gitea/vars/"`
			`extensions:`
Fix extension 2020-03-22 10:54:58 +00:00			`- yml`
New vars, new tasks, new app! 2020-03-22 10:53:49 +00:00
			`- name: Set HTTP 80 port proxy`
			`dokku_ports:`
			`app: gitea`
			`mappings:`
Try to change default Gitea port 2020-03-25 10:41:44 +00:00			`- "http:80:{{ http_port }}"`
New vars, new tasks, new app! 2020-03-22 10:53:49 +00:00			`state: present`

			`- name: Setup LE certificates`
			`shell: dokku letsencrypt gitea`
			`args:`
			`creates: /home/dokku/gitea/letsencrypt/certs`

Add cron and domain 2020-03-22 11:39:40 +00:00			`- name: Setup LE certificates renew cron job`
			`shell: dokku letsencrypt:cron-job --add`
			`args:`
			`creates: /home/dokku/gitea/letsencrypt/cron-job`

New vars, new tasks, new app! 2020-03-22 10:53:49 +00:00			`- name: Remove automatically configured ports`
			`dokku_ports:`
			`app: gitea`
			`mappings:`
			`- "http:3000:3000"`
Open up SSH ports 2020-03-23 14:14:51 +00:00			`- "http:2222:2222"`
New vars, new tasks, new app! 2020-03-22 10:53:49 +00:00			`state: absent`
Actually, provision that port 2020-03-22 11:31:09 +00:00
			`- name: Set HTTP 443 port`
			`dokku_ports:`
			`app: gitea`
			`mappings:`
Try to change default Gitea port 2020-03-25 10:41:44 +00:00			`- "https:443:{{ http_port }}"`
Actually, provision that port 2020-03-22 11:31:09 +00:00			`state: present`
Switch to system git user 2020-03-23 15:21:12 +00:00
Wire up the SSH passthrough 2020-03-23 17:07:49 +00:00			`- name: Ensure jq package is installed`
			`apt:`
			`name: jq`
			`state: present`

			`- name: Retrieve application container IP address`
Get without quotes and always replace 2020-03-23 17:20:19 +00:00			`shell: "dokku ps:inspect gitea \| jq -r .[0].NetworkSettings.IPAddress"`
Don't overwrite vars 2020-03-23 17:17:29 +00:00			`register: dokku_ps_inspect`
Wire up the SSH passthrough 2020-03-23 17:07:49 +00:00
Run template after we get the vars 2020-03-23 17:11:02 +00:00			`- name: Setup the SSH passthrough script`
Wire up the SSH passthrough 2020-03-23 17:07:49 +00:00			`vars:`
			`ssh_listen_port: "{{ ssh_listen_port }}"`
Don't overwrite vars 2020-03-23 17:17:29 +00:00			`dokku_container_ip: "{{ dokku_ps_inspect.stdout }}"`
Run template after we get the vars 2020-03-23 17:11:02 +00:00			`template:`
			`src: gitea.j2`
			`dest: /app/gitea/gitea`
			`owner: git`
			`group: git`
			`mode: "+x"`
Get without quotes and always replace 2020-03-23 17:20:19 +00:00			`force: true`
Run template after we get the vars 2020-03-23 17:11:02 +00:00			`become: true`

Try to fix the git <-> gitea public key SSH issue 2020-03-24 08:46:26 +00:00			`- name: Store the git user public key`
			`shell: cat /home/git/.ssh/id_rsa.pub`
			`register: git_id_rsa_pub`
			`become: true`

			`- name: Store the gitea authorized_keys file`
			`shell: cat /var/lib/gitea/git/.ssh/authorized_keys`
			`register: git_auth_keys`
			`become: true`

Handle idempotency 2020-03-24 09:00:08 +00:00			`- name: Check if the public key is already in place`
Use command module instead 2020-03-24 09:03:35 +00:00			`command: 'grep -Fxq "{{ git_id_rsa_pub.stdout}}" /var/lib/gitea/git/.ssh/authorized_keys'`
			`check_mode: false`
			`ignore_errors: true`
Handle idempotency 2020-03-24 09:00:08 +00:00			`changed_when: false`
			`register: git_id_rsa_pub_check`
Use right permissions 2020-03-24 09:07:09 +00:00			`become: true`
Handle idempotency 2020-03-24 09:00:08 +00:00
Try to fix the git <-> gitea public key SSH issue 2020-03-24 08:46:26 +00:00			`- name: Ensure git public key is in gitea loaded authorized_keys`
			`blockinfile:`
			`path: /var/lib/gitea/git/.ssh/authorized_keys`
Add missing keys 2020-03-24 08:49:28 +00:00			`block: "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty {{ git_id_rsa_pub.stdout }}"`
Try to fix the git <-> gitea public key SSH issue 2020-03-24 08:46:26 +00:00			`state: present`
			`owner: git`
			`group: git`
			`create: true`
			`insertbefore: BOF`
			`backup: true`
			`marker: "# ansible inserted git <-> gitea public key"`
			`become: true`
Use command module instead 2020-03-24 09:03:35 +00:00			`when: git_id_rsa_pub_check.rc == 0`
Add authorized_keys check 2020-03-23 19:03:54 +00:00
Try to fix the git <-> gitea public key SSH issue 2020-03-24 08:46:26 +00:00			`- name: Symlink the gitea authorized keys configuration to the host git user`
Switch to system git user 2020-03-23 15:21:12 +00:00			`file:`
			`src: /var/lib/gitea/git/.ssh/authorized_keys`
			`dest: /home/git/.ssh/authorized_keys`
			`state: link`
			`force: true`
			`owner: git`
Use root perms 2020-03-23 15:23:09 +00:00			`become: true`
Append the git user to AllowUsers 2020-03-29 21:54:29 +00:00
			`- name: Add git user to AllowUsers SSH configuration`
			`replace:`
			`backup: true`
			`dest: /etc/ssh/sshd_config`
			`regexp: '^(AllowUsers(?!.\bgit\b).)$'`
			`replace: '\1 git'`