m5p3nc3r/ansible-playbooks
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add gitea service

Browse Source 
Needed to modify the nginx configuration to allow streaming of ssh.
Using docker compose for this service, will probably migrate all others soon.
This commit is contained in:
Matt Spencer
2026-01-18 12:37:12 +00:00
parent 0f21b271bc
commit d7c18b747e
8 changed files with 177 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@@ -7,4 +7,7 @@ ansible-playbook -i inventory -e @secrets.enc --ask-vault-pass frontend.yaml
# Github runner
ansible-playbook -i inventory -e @secrets.enc --ask-vault-pass github-runner.yaml
# gitea server
ansible-playbook -i inventory -e @secrets.enc --ask-vault-pass gitea.yaml
```

45
apptabulous/reverseproxy/conf.d/reverse_proxy.conf
View File

@@ -26,6 +26,25 @@ server {
}
}
# gitea.m5p3nc3r webserver
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
server_name gitea.m5p3nc3r.co.uk;
ssl_certificate /etc/letsencrypt/live/apptabulous.co.uk/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/apptabulous.co.uk/privkey.pem;
# if ($block_uri = 1) {
# return 403;
# }
location / {
proxy_pass http://rpi5-2:3000;
}
}
# apptabulous webserver
server {
@@ -69,32 +88,6 @@ server {
}
}
# my-aiva.apptabulous.co.uk
# server {
# listen 80;
# listen [::]:80;
# listen 443 ssl;
# listen [::]:443 ssl;
# server_name my-aiva.apptabulous.co.uk;
# ssl_certificate /etc/letsencrypt/live/apptabulous.co.uk/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/apptabulous.co.uk/privkey.pem;
# if ($block_uri = 1) {
# return 403;
# }
# # This must come before the / endpoint so as not to be masked
# location /webhook {
# proxy_pass http://my-aiva:5000;
# }
# location / {
# proxy_pass http://my-aiva:3000;
# }
# }
# Watchtower
server {
listen 80;

35
apptabulous/reverseproxy/nginx.conf Normal file
View File

@@ -0,0 +1,35 @@
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
stream {
include /etc/nginx/stream.d/*.conf;
}

7
apptabulous/reverseproxy/stream.d/ssh.conf Normal file
View File

@@ -0,0 +1,7 @@
# Stream the ssh connections for gitea
server {
listen 2222;
proxy_pass rpi5-2:2222; # the machine where sshd runs (often same as gitea)
proxy_timeout 1h;
proxy_connect_timeout 10s;
}

9
frontend.yaml
View File

@@ -20,9 +20,9 @@
- "www.apptabulous.co.uk"
- "hub.apptabulous.co.uk"
- "watchtower.apptabulous.co.uk"
- "my-aiva.apptabulous.co.uk"
- "m5p3nc3r.co.uk"
- "www.m5p3nc3r.co.uk"
- "gitea.m5p3nc3r.co.uk"
certbot_repo: https://github.com/certbot/certbot.git
certbot_version: master
@@ -58,15 +58,18 @@
- name: Start reverse proxy container
community.docker.docker_container:
name: reverse_proxy
#image: nginx:1.26.2-alpine-slim
image: ghcr.io/m5p3nc3r/nginx-keyval:main
image: nginx:alpine
#image: ghcr.io/m5p3nc3r/nginx-keyval:main
restart_policy: always
volumes:
- /etc/reverseproxy/nginx.conf:/etc/nginx/nginx.conf
- /etc/reverseproxy/conf.d:/etc/nginx/conf.d
- /etc/reverseproxy/stream.d:/etc/nginx/stream.d
- /etc/letsencrypt:/etc/letsencrypt
ports:
- "80:80"
- "443:443"
- "2222:2222"
state: started
- name: Start docker registry

71
gitea.yaml Normal file
View File

@@ -0,0 +1,71 @@
---
- name: Frontend setup
hosts: gitea
vars:
username: matt
nas_host: nas.localdomain
mounts:
gitea_repos:
local: "/mnt/gitea-repos"
remote: "/volume1/gitea-repos"
gitea_backups:
local: "/mnt/gitea-backups"
remote: "/volume1/gitea-backups"
docker_add_repo: true
docker_users:
- "{{ username }}"
roles:
- role: geerlingguy.git
become: true
- role: geerlingguy.docker
become: true
tasks:
- name: Create myapp directory in home
ansible.builtin.file:
path: "{{ ansible_env.HOME }}/gitea"
state: directory
mode: "0755"
- name: Copy the gitea compose file to the host
ansible.builtin.copy:
src: gitea/compose.yaml
dest: "{{ ansible_env.HOME }}/gitea/compose.yaml"
# - name: Install NFS client
# ansible.builtin.apt:
# name: nfs-common
# state: present
# update_cache: true
# become: true
- name: Create mountpoint directories for gitea
ansible.builtin.file:
path: "{{ item.value.local }}"
state: directory
mode: "0755"
loop: "{{mounts | dict2items }}"
become: true
- name: Mount an NFS volume for repositories
ansible.posix.mount:
src: "nas.localdomain:{{ item.value.remote }}"
path: "{{ item.value.local }}"
opts: nfsvers=3,proto=tcp,rw
state: mounted
fstype: nfs
loop: "{{ mounts | dict2items }}"
become: true
- name: Create and start services
community.docker.docker_compose_v2:
project_src: "{{ ansible_env.HOME }}/gitea/"
state: present

32
gitea/compose.yaml Normal file
View File

@@ -0,0 +1,32 @@
services:
gitea:
image: gitea/gitea:latest
container_name: gitea
# restart: unless-stopped
environment:
# Gitea-supported vars for internal ownership/permissions
- USER_UID=1027
- USER_GID=65536
- TZ=Europe/London
volumes:
# Local: app.ini, database (sqlite by default), queues (LevelDB), sessions, etc.
- gitea-data:/data
# NAS: only repositories (best practice)
- /mnt/gitea-repos:/data/git/repositories
# Optional: put LFS on NAS too
# - /mnt/gitea-lfs:/data/git/lfs
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
- "3000:3000" # Web
- "2222:22" # SSH (container 22 -> host 2222)
volumes:
gitea-data:
driver: local

3
inventory
View File

@@ -3,3 +3,6 @@ rpi4-2.localdomain
[github-runners]
rpi5-1.localdomain
[gitea]
rpi5-2.localdomain