r/gitea: Update to 1.17.0

The only major change that affects the configuration policy is the
introduction of the `webhook.ALLOWED_HOST_LIST` setting.  For some dumb
reason, the default value of this setting *denies* access to machines on
the local network.  This makes no sense; why do they expect you to host
your CI or whatever on a *public* network?  Of course, the only reason
given is "for security reasons."

gitea.yml

@@ -1,7 +1,8 @@
 - hosts: gitea
   roles:
   - apache
-  - gitea
+  - role: gitea
+    tags: gitea
   - sshd
   tasks:
   - name: ensure apache is running

roles/gitea/defaults/main.yml

@@ -1,11 +1,13 @@
-gitea_version: 1.11.0
+gitea_version: 1.17.1
 gitea_arch: '{{ _gitea_arch_map[ansible_architecture] }}'
 gitea_bin: gitea-{{ gitea_version }}-linux-{{ gitea_arch }}
 gitea_bin_sha256: >-
-  d4df5f456cf13d49c096525ff762ad70386251d3f0d2805735b5dfade17e88d4
+  {{ _gitea_cksm_map[gitea_version][gitea_arch] }}
 gitea_download_url: >-
   https://dl.gitea.io/gitea/{{ gitea_version }}/{{ gitea_bin }}
 
 gitea_ssh_domain: '{{ ansible_fqdn }}'
 gitea_http_domain: '{{ gitea_ssh_domain }}'
 gitea_root_url: 'http://{{ gitea_http_domain }}:3000/'
+gitea_webhook_allowed_host_list:
+- '*'

roles/gitea/tasks/main.yml

@@ -31,7 +31,7 @@
   get_url:
     url: '{{ gitea_download_url }}'
     dest: 'roles/gitea/files/{{ gitea_bin }}'
-    checksum: 'sha256:{{ gitea_bin_sha256 }}'
+    checksum: '{{ gitea_bin_sha256 }}'
   tags:
   - download
 - name: ensure gitea is installed

roles/gitea/templates/app.ini.j2

@@ -67,3 +67,6 @@ JWT_SECRET = {{ gitea_oauth2_jwt_secret }}
 
 [metrics]
 ENABLED = true
+
+[webhook]
+ALLOWED_HOST_LIST = {{ gitea_webhook_allowed_host_list|join(',') }}

roles/gitea/vars/main.yml

@@ -3,3 +3,7 @@ _gitea_arch_map:
   x86_64: amd64
   aarch64: arm64
   armv7l: arm
+
+_gitea_cksm_map:
+  1.17.1:
+    amd64: sha256:eafd476ee2a303d758448314272add00898d045439ab0d353ff4286c5e63496f