
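---
# Post-deploy configuration for the dokku-hosted gitea app: port mappings,
# Let's Encrypt certificates, the SSH passthrough script and the wiring of the
# host `git` user's key into gitea's authorized_keys.
# NOTE(review): the apt and dokku tasks run without `become`, so the play is
# presumably executed as root; the explicit `become: true` lines below are
# then harmless and are kept on every task that touches root-owned files.
- hosts: all
  gather_facts: false

  tasks:
    - name: Load variables
      include_vars:
        dir: "{{ dokku_lib_root }}/data/ansible/gitea/vars/"
        extensions:
          - yml

    - name: Set HTTP 80 port proxy
      dokku_ports:
        app: gitea
        mappings:
          - "http:80:{{ http_port }}"
        state: present

    # `creates` keeps both letsencrypt tasks idempotent; `command` is enough
    # because neither invocation needs shell features.
    - name: Setup LE certificates
      command: dokku letsencrypt gitea
      args:
        creates: /home/dokku/gitea/letsencrypt/certs

    - name: Setup LE certificates renew cron job
      command: dokku letsencrypt:cron-job --add
      args:
        creates: /home/dokku/gitea/letsencrypt/cron-job

    - name: Remove automatically configured ports
      dokku_ports:
        app: gitea
        mappings:
          - "http:3000:3000"
          - "http:2222:2222"
        state: absent

    - name: Set HTTP 443 port
      dokku_ports:
        app: gitea
        mappings:
          - "https:443:{{ http_port }}"
        state: present

    - name: Ensure jq package is installed
      apt:
        name: jq
        state: present

    # Read-only query: the pipe needs `shell`; the jq filter is quoted so the
    # shell cannot glob-expand `.[0]`; `changed_when: false` keeps the change
    # report honest.
    - name: Retrieve application container IP address
      shell: "dokku ps:inspect gitea | jq -r '.[0].NetworkSettings.IPAddress'"
      register: dokku_ps_inspect
      changed_when: false

    # `ssh_listen_port` is expected to come from the included vars and is
    # reachable from the template as-is; redefining it as itself in task vars
    # is at best redundant and on most Ansible versions raises a
    # recursive-template error, so that line is not carried over.
    - name: Setup the SSH passthrough script
      vars:
        dokku_container_ip: "{{ dokku_ps_inspect.stdout }}"
      template:
        src: gitea.j2
        dest: /app/gitea/gitea
        owner: git
        group: git
        mode: "+x"
        force: true
      become: true

    # Both reads are queries, not changes.
    - name: Store the git user public key
      command: cat /home/git/.ssh/id_rsa.pub
      register: git_id_rsa_pub
      changed_when: false
      become: true

    - name: Store the gitea authorized_keys file
      command: cat /var/lib/gitea/git/.ssh/authorized_keys
      register: git_auth_keys
      changed_when: false
      become: true

    # grep exit status: 0 found, 1 not found, 2 error (e.g. file missing).
    # `failed_when: false` records rc without marking the task as failed.
    - name: Check if the public key is already in place
      command: 'grep -Fxq "{{ git_id_rsa_pub.stdout }}" /var/lib/gitea/git/.ssh/authorized_keys'
      check_mode: false
      failed_when: false
      changed_when: false
      register: git_id_rsa_pub_check
      become: true

    # NOTE(review): the guard runs this task only when grep *found* the bare
    # key (rc == 0); the inserted line carries restriction options and so can
    # never satisfy the grep -x check itself. Confirm whether `rc != 0` was
    # intended — the condition is kept exactly as committed.
    # The marker must contain {mark}: without it Ansible cannot tell the begin
    # and end markers apart and re-inserts the block on every run.
    # 0600 keeps the file acceptable to sshd's StrictModes check.
    - name: Ensure git public key is in gitea loaded authorized_keys
      blockinfile:
        path: /var/lib/gitea/git/.ssh/authorized_keys
        block: "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty {{ git_id_rsa_pub.stdout }}"
        state: present
        owner: git
        group: git
        mode: "0600"
        create: true
        insertbefore: BOF
        backup: true
        marker: "# {mark} ansible inserted git <-> gitea public key"
      become: true
      when: git_id_rsa_pub_check.rc == 0

    - name: Symlink the gitea authorized keys configuration to the host git user
      file:
        src: /var/lib/gitea/git/.ssh/authorized_keys
        dest: /home/git/.ssh/authorized_keys
        state: link
        force: true
        owner: git
      become: true

    # The regexp appends " git" only when AllowUsers does not already list it
    # as a whole word. `validate` refuses to write a config sshd cannot parse
    # (which would lock out SSH access), and the handler reloads sshd so the
    # new AllowUsers entry is actually read.
    - name: Add git user to AllowUsers SSH configuration
      replace:
        backup: true
        dest: /etc/ssh/sshd_config
        regexp: '^(AllowUsers(?!.*\bgit\b).*)$'
        replace: '\1 git'
        validate: /usr/sbin/sshd -t -f %s
      become: true
      notify: Reload sshd

  handlers:
    # Debian/Ubuntu unit name (the play installs packages with apt); adjust to
    # `sshd` on distributions that name the unit that way.
    - name: Reload sshd
      service:
        name: ssh
        state: reloaded
      become: true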