roles/gitea: Deploy Gitea server

The *gitea* role installs Gitea using the system package manager and
configures Apache as a reverse proxy for it.

The configuration file requires a number of "secret" values that need to
be unique. These must be specified as Ansible variables:

* `gitea_internal_token`
* `gitea_secret_key`
* `gitea_lfs_jwt_secret`

The `gitea generate` command can be used to create these values.

Normally, Gitea expects to run its own setup tool to generate the
configuration file and create the administrative user. Since the
configuration file is generated from the template instead, no
administrative user is created automatically. Luckily, the `gitea`
command includes a tool to create users, so the administrator can be
created manually, e.g.:

    sudo -u gitea gitea admin create-user -c /etc/gitea/app.ini \
        --admin
        --name giteadmin \
        --password giteadmin \
        --email giteadmin@example.org

roles/gitea/files/gitea.httpd.conf

@@ -0,0 +1,4 @@
+ProxyPreserveHost On
+ProxyRequests Off
+ProxyPass / http://localhost:3000/
+ProxyPassReverse / http://localhost:3000/

roles/gitea/handlers/main.yml

@@ -0,0 +1,8 @@
+- name: reload httpd
+  service:
+    name=httpd
+    state=reloaded
+- name: restart gitea
+  service:
+    name=gitea
+    state=restarted

roles/gitea/tasks/main.yml

@@ -0,0 +1,35 @@
+- name: load gitea secrets
+  include_vars: vault/gitea
+
+- name: ensure gitea is installed
+  package:
+    name=gitea
+    state=present
+  tags:
+  - install
+
+- name: ensure gitea is configured
+  template:
+    src=app.ini.j2
+    dest=/etc/gitea/app.ini
+    mode=0640
+    owner=root
+    group=gitea
+  notify: restart gitea
+
+- meta: flush_handlers
+- name: ensure gitea is running
+  service:
+    name=gitea
+    state=started
+- name: ensure gitea starts at boot
+  service:
+    name=gitea
+    enabled=yes
+
+- name: ensure apache is configured to proxy for gitea
+  copy:
+    src=gitea.httpd.conf
+    dest=/etc/httpd/conf.d/gitea.conf
+    mode=0644
+  notify: reload httpd

roles/gitea/templates/app.ini.j2

@@ -0,0 +1,63 @@
+APP_NAME = Gitea: Git with a cup of tea
+RUN_USER = gitea
+RUN_MODE = prod
+
+[security]
+INTERNAL_TOKEN = {{ gitea_internal_token }}
+INSTALL_LOCK   = true
+SECRET_KEY     = {{ gitea_secret_key }}
+
+[database]
+DB_TYPE  = sqlite3
+HOST     = 127.0.0.1:3306
+NAME     = gitea
+USER     = gitea
+PASSWD   = 
+SSL_MODE = disable
+PATH     = /var/lib/gitea/data/gitea.db
+
+[repository]
+ROOT = /var/lib/gitea/gitea-repositories
+
+[server]
+APP_DATA_PATH    = /var/lib/gitea
+SSH_DOMAIN       = localhost
+DOMAIN           = localhost
+HTTP_PORT        = 3000
+ROOT_URL         = http://localhost:3000/
+DISABLE_SSH      = false
+SSH_PORT         = 22
+LFS_START_SERVER = true
+LFS_CONTENT_PATH = /var/lib/gitea/data/lfs
+LFS_JWT_SECRET   = {{ gitea_lfs_jwt_secret }}
+OFFLINE_MODE     = false
+
+[mailer]
+ENABLED = false
+
+[service]
+REGISTER_EMAIL_CONFIRM            = false
+ENABLE_NOTIFY_MAIL                = false
+DISABLE_REGISTRATION              = true
+ENABLE_CAPTCHA                    = false
+REQUIRE_SIGNIN_VIEW               = false
+DEFAULT_KEEP_EMAIL_PRIVATE        = true
+DEFAULT_ALLOW_CREATE_ORGANIZATION = false
+DEFAULT_ENABLE_TIMETRACKING       = false
+NO_REPLY_ADDRESS                  = noreply.example.org
+
+[picture]
+DISABLE_GRAVATAR        = false
+ENABLE_FEDERATED_AVATAR = true
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[session]
+PROVIDER = file
+
+[log]
+MODE      = file
+LEVEL     = Info
+ROOT_PATH = /var/log/gitea