Huge role refactoring/cleanup. Other commits will propably follow. Because some bugs will exist. Still important for longrun and also for auto docs/help/slideshow generation

2025-08-29 23:08:06 +02:00 · 2025-07-08 23:43:13 +02:00
parent 6b87a049d4
commit 563d5fd528
1242 changed files with 2301 additions and 1355 deletions
--- a/roles/web-app-gitea/tasks/cleanup.yml
+++ b/roles/web-app-gitea/tasks/cleanup.yml
@@ -0,0 +1,7 @@
+- name: Execute OIDC Cleanup Routine
+  include_tasks: cleanup/oidc.yml
+  when: not (applications | is_feature_enabled('oidc', application_id))
+
+- name: Execute LDAP Cleanup Routine
+  include_tasks: cleanup/ldap.yml
+  when: not (applications | is_feature_enabled('ldap', application_id))
--- a/roles/web-app-gitea/tasks/cleanup/ldap.yml
+++ b/roles/web-app-gitea/tasks/cleanup/ldap.yml
@@ -0,0 +1,22 @@
+- name: "Lookup existing LDAP auth source ID"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth list \
+      | awk -v name="LDAP ({{ primary_domain }})" '$0 ~ name {print $1; exit}'
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: ldap_source_id_raw
+  failed_when: false
+  changed_when: false
+
+- name: "Delete existing LDAP auth source if present"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth delete --id {{ ldap_source_id_raw.stdout }}
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  when: ldap_source_id_raw.stdout != ""
+  register: ldap_delete
+  failed_when: ldap_delete.rc != 0
--- a/roles/web-app-gitea/tasks/cleanup/oidc.yml
+++ b/roles/web-app-gitea/tasks/cleanup/oidc.yml
@@ -0,0 +1,23 @@
+
+- name: "Lookup existing OIDC auth source ID"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth list \
+      | awk -v name="{{ oidc.button_text }}" '$0 ~ name {print $1; exit}'
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: oidc_source_id_raw
+  failed_when: false
+  changed_when: false
+
+- name: "Delete existing OIDC auth source if present"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth delete --id {{ oidc_source_id_raw.stdout }}
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  when: oidc_source_id_raw.stdout != ""
+  register: oidc_delete
+  failed_when: oidc_delete.rc != 0
--- a/roles/web-app-gitea/tasks/main.yml
+++ b/roles/web-app-gitea/tasks/main.yml
@@ -0,0 +1,73 @@
+---
+- name: "include service-rdbms-central"
+  include_role: 
+    name: service-rdbms-central
+
+- name: "include role webserver-proxy-domain for {{application_id}}"
+  include_role:
+    name: webserver-proxy-domain
+  vars:
+    domain:   "{{ domains | get_domain(application_id) }}"
+    http_port:   "{{ ports.localhost.http[application_id] }}"
+
+- name: Wait for Gitea HTTP endpoint
+  wait_for:
+    host: "127.0.0.1"
+    port: "{{ ports.localhost.http[application_id] }}"
+    delay: 5
+    timeout: 300
+
+- name: "Run DB migrations inside Gitea container"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      /app/gitea/gitea migrate
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: migrate
+  changed_when: "'migrations completed' in migrate.stdout"
+
+- name: "Create initial admin user"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      /app/gitea/gitea admin user create \
+        --admin \
+        --username "{{ users.administrator.username }}" \
+        --password "{{ users.administrator.password }}" \
+        --email    "{{ users.administrator.email }}" \
+        -c /data/gitea/conf/app.ini
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: create_admin
+  changed_when: "'has been successfully created' in create_admin.stdout"
+  failed_when: create_admin.rc != 0 and 'user already exists' not in create_admin.stderr
+
+- name: "Wait until Gitea setup and migrations are ready"
+  uri:
+    url: "http://127.0.0.1:{{ ports.localhost.http[application_id] }}/api/v1/version"
+    method: GET
+    status_code: 200
+    return_content: no
+  register: gitea_ready
+  until: gitea_ready.status == 200
+  retries: 20
+  delay: 5
+  when: applications | is_feature_enabled('oidc', application_id) or applications | is_feature_enabled('ldap', application_id)
+
+- name: Execute Setup Routines
+  include_tasks: setup.yml
+
+- name: Execute Cleanup Routines
+  include_tasks: cleanup.yml 
+  when: mode_cleanup
+
+- name: Include DNS role to register Gitea domain(s)
+  include_role:
+    name: network-dns-records
+  vars:
+    cloudflare_api_token:   "{{ certbot_dns_api_token }}"
+    cloudflare_domains:     "{{ [ domains | get_domain(application_id) ] }}"
+    cloudflare_target_ip:   "{{ networks.internet.ip4 }}"
+    cloudflare_proxied:     false
+  when: dns_provider == 'cloudflare'
--- a/roles/web-app-gitea/tasks/setup.yml
+++ b/roles/web-app-gitea/tasks/setup.yml
@@ -0,0 +1,7 @@
+- name: Execute OIDC Setup Routine
+  include_tasks: setup/oidc.yml
+  when: applications | is_feature_enabled('oidc', application_id)
+
+- name: Execute LDAP Setup Routine
+  include_tasks: setup/ldap.yml
+  when: applications | is_feature_enabled('ldap', application_id)
--- a/roles/web-app-gitea/tasks/setup/ldap.yml
+++ b/roles/web-app-gitea/tasks/setup/ldap.yml
@@ -0,0 +1,42 @@
+- name: "Add LDAP Authentication Source"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth add-ldap \
+      {{ gitea_ldap_auth_args | join(' ') }}
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: ldap_manage
+  failed_when: ldap_manage.rc != 0 and "login source already exists" not in ldap_manage.stderr
+
+- name: "Lookup existing LDAP auth source ID"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth list \
+      | tail -n +2 \
+      | grep -F "LDAP ({{ primary_domain }})" \
+      | awk '{print $1; exit}'
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: ldap_source_id_raw
+  failed_when:
+    - ldap_source_id_raw.rc != 0
+    - ldap_source_id_raw.stdout == ""
+  changed_when: false
+
+- name: "Set LDAP source ID fact"
+  set_fact:
+    ldap_source_id: "{{ ldap_source_id_raw.stdout }}"
+
+- name: "Update LDAP Authentication Source"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth update-ldap \
+      --id {{ ldap_source_id }} \
+      {{ gitea_ldap_auth_args | join(' ') }}
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: ldap_manage
+  failed_when: ldap_manage.rc != 0
--- a/roles/web-app-gitea/tasks/setup/oidc.yml
+++ b/roles/web-app-gitea/tasks/setup/oidc.yml
@@ -0,0 +1,52 @@
+- name: "Add Keycloak OIDC Provider"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth add-oauth \
+        --provider openidConnect \
+        --name     "{{ oidc.button_text }}" \
+        --key      "{{ oidc.client.id }}" \
+        --secret   "{{ oidc.client.secret }}" \
+        --auto-discover-url "{{ oidc.client.discovery_document }}" \
+        --scopes   "openid profile email"
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: oidc_manage
+  failed_when: oidc_manage.rc != 0 and "login source already exists" not in oidc_manage.stderr
+
+- name: "Lookup existing Keycloak auth source ID"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      /app/gitea/gitea admin auth list \
+      | tail -n +2 \
+      | grep -F "{{ oidc.button_text }}" \
+      | awk '{print $1; exit}'
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: oidc_source_id_raw
+  failed_when:
+    - oidc_source_id_raw.rc != 0
+    - oidc_source_id_raw.stdout == ""
+  changed_when: false
+
+- name: "Set Keycloak source ID fact"
+  set_fact:
+    oidc_source_id: "{{ oidc_source_id_raw.stdout }}"
+
+- name: "Update Keycloak OIDC Provider"
+  shell: |
+    docker-compose -f "{{ docker_compose.directories.instance }}/docker-compose.yml" \
+      exec -T --user git application \
+      gitea admin auth update-oauth \
+        --id {{ oidc_source_id }}\
+        --provider openidConnect \
+        --name     "{{ oidc.button_text }}" \
+        --key      "{{ oidc.client.id }}" \
+        --secret   "{{ oidc.client.secret }}" \
+        --auto-discover-url "{{ oidc.client.discovery_document }}" \
+        --scopes   "openid profile email"
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: oidc_manage
+  failed_when: oidc_manage.rc != 0