c96aeafb3f
Gitea Skudak (git.skudak.com): - New Gitea instance with PostgreSQL in podman pod under git user - SSH access via Gitea's built-in SSH server on port 2222 - Registration restricted to @skudak.com emails with email confirmation - SMTP configured for email delivery Domain migrations: - wiki.skudakrennsport.com → wiki.skudak.com (302 redirect) - cloud.skudakrennsport.com + cloud.skudak.com (dual-domain serving) - BookStack APP_URL updated to wiki.skudak.com - Nextcloud trusted_domains updated for cloud.skudak.com Infrastructure: - SELinux context for git user container storage (container_file_t) - Firewall rule for port 2222/tcp (Gitea Skudak SSH) - Caddy reverse proxy for git.skudak.com Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
115 lines
4.1 KiB
YAML
115 lines
4.1 KiB
YAML
---
|
|
# Deploy Gitea Skudak containers using Podman pod
|
|
# NOTE: Directories are created in podman.yml (psql dir created by postgres container)
|
|
|
|
# Ensure SELinux contexts are applied before pod creation
|
|
- name: flush handlers before gitea-skudak pod creation
|
|
ansible.builtin.meta: flush_handlers
|
|
tags: gitea, gitea-skudak
|
|
|
|
# Create pod for Skudak Gitea services
|
|
- name: create gitea-skudak pod
|
|
become: true
|
|
become_user: "{{ git_user }}"
|
|
containers.podman.podman_pod:
|
|
name: gitea-skudak-pod
|
|
state: started
|
|
ports:
|
|
- "3101:3000"
|
|
- "{{ gitea_skudak_ssh_port }}:2222"
|
|
tags: gitea, gitea-skudak
|
|
|
|
# PostgreSQL container in pod
|
|
- name: create gitea-skudak-postgres container
|
|
become: true
|
|
become_user: "{{ git_user }}"
|
|
containers.podman.podman_container:
|
|
name: gitea-skudak-postgres
|
|
image: "{{ gitea_db_image }}"
|
|
pod: gitea-skudak-pod
|
|
restart_policy: on-failure:3
|
|
log_driver: journald
|
|
env:
|
|
POSTGRES_DB: gitea
|
|
POSTGRES_USER: gitea
|
|
POSTGRES_PASSWORD: "{{ gitea_skudak_db_pass }}"
|
|
volumes:
|
|
- "{{ git_home }}/volumes/gitea-skudak/psql:/var/lib/postgresql/data"
|
|
tags: gitea, gitea-skudak
|
|
|
|
# Gitea container in pod
|
|
- name: create gitea-skudak container
|
|
become: true
|
|
become_user: "{{ git_user }}"
|
|
containers.podman.podman_container:
|
|
name: gitea-skudak
|
|
image: "{{ gitea_image }}"
|
|
pod: gitea-skudak-pod
|
|
restart_policy: on-failure:3
|
|
log_driver: journald
|
|
env:
|
|
USER_UID: "1000"
|
|
USER_GID: "1000"
|
|
GITEA__database__DB_TYPE: postgres
|
|
GITEA__database__HOST: "127.0.0.1:5432"
|
|
GITEA__database__NAME: gitea
|
|
GITEA__database__USER: gitea
|
|
GITEA__database__PASSWD: "{{ gitea_skudak_db_pass }}"
|
|
GITEA__server__DOMAIN: "{{ gitea_skudak_server_name }}"
|
|
GITEA__server__ROOT_URL: "https://{{ gitea_skudak_server_name }}/"
|
|
GITEA__server__SSH_DOMAIN: "{{ gitea_skudak_server_name }}"
|
|
# Use Gitea's built-in SSH server (non-privileged port inside container)
|
|
GITEA__server__START_SSH_SERVER: "true"
|
|
GITEA__server__DISABLE_SSH: "false"
|
|
GITEA__server__SSH_PORT: "{{ gitea_skudak_ssh_port }}"
|
|
GITEA__server__SSH_LISTEN_PORT: "2222"
|
|
GITEA__security__SECRET_KEY: "{{ gitea_skudak_secret_key }}"
|
|
GITEA__security__INTERNAL_TOKEN: "{{ gitea_skudak_internal_token }}"
|
|
GITEA__security__INSTALL_LOCK: "true"
|
|
# Allow registration only for @skudak.com emails
|
|
GITEA__service__DISABLE_REGISTRATION: "false"
|
|
GITEA__service__EMAIL_DOMAIN_ALLOWLIST: "skudak.com"
|
|
GITEA__service__REGISTER_EMAIL_CONFIRM: "true"
|
|
GITEA__service__REQUIRE_SIGNIN_VIEW: "false"
|
|
# Mailer configuration for email confirmation
|
|
GITEA__mailer__ENABLED: "true"
|
|
GITEA__mailer__PROTOCOL: "smtps"
|
|
GITEA__mailer__SMTP_ADDR: "{{ gitea_skudak_smtp_host }}"
|
|
GITEA__mailer__SMTP_PORT: "{{ gitea_skudak_smtp_port }}"
|
|
GITEA__mailer__USER: "{{ gitea_skudak_smtp_user }}"
|
|
GITEA__mailer__PASSWD: "{{ gitea_skudak_smtp_pass }}"
|
|
GITEA__mailer__FROM: "{{ gitea_skudak_smtp_from }}"
|
|
# Logging configuration - output to journald for fluent-bit capture
|
|
GITEA__log__MODE: console
|
|
GITEA__log__LEVEL: Info
|
|
GITEA__log__ENABLE_ACCESS_LOG: "true"
|
|
volumes:
|
|
- "{{ git_home }}/volumes/gitea-skudak/data:/data"
|
|
- /etc/localtime:/etc/localtime:ro
|
|
tags: gitea, gitea-skudak
|
|
|
|
# Generate systemd service for the pod
|
|
- name: create systemd job for gitea-skudak-pod
|
|
become: true
|
|
become_user: "{{ git_user }}"
|
|
ansible.builtin.shell: |
|
|
podman generate systemd --name gitea-skudak-pod --files --new
|
|
mv pod-gitea-skudak-pod.service {{ git_home }}/.config/systemd/user/
|
|
mv container-gitea-skudak-postgres.service {{ git_home }}/.config/systemd/user/
|
|
mv container-gitea-skudak.service {{ git_home }}/.config/systemd/user/
|
|
args:
|
|
chdir: "{{ git_home }}"
|
|
changed_when: false
|
|
tags: gitea, gitea-skudak
|
|
|
|
- name: enable gitea-skudak-pod service
|
|
become: true
|
|
become_user: "{{ git_user }}"
|
|
ansible.builtin.systemd:
|
|
name: pod-gitea-skudak-pod.service
|
|
daemon_reload: true
|
|
enabled: true
|
|
state: started
|
|
scope: user
|
|
tags: gitea, gitea-skudak
|