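---
# Deploys Gitea on the hosts in the "gitea" group: stages the compose and nginx
# files under /opt/gitea, materialises an .env file from two Secrets Manager
# secrets, brings the stack up, creates the admin user and writes a Gitea
# Actions runner registration token back into the database credentials secret.
#
# Every task that registers or renders secret material carries `no_log: true`
# so the raw SecretString, the .env content, the admin password and the runner
# token do not end up in verbose output, callbacks or the controller log.
- name: Deploy Gitea application
  hosts: gitea
  become: true
  vars:
    secret_name: "qvest-task-db-credentials"
    ses_secret_name: "qvest-task-ses-smtp-credentials"
    aws_region: "eu-central-1"
  tasks:
    - name: Create application directory
      ansible.builtin.file:
        path: /opt/gitea
        state: directory
        owner: ubuntu
        group: ubuntu
        mode: "0755"

    - name: Copy docker-compose.yml
      ansible.builtin.copy:
        src: ../docker/docker-compose.yml
        dest: /opt/gitea/docker-compose.yml
        owner: ubuntu
        group: ubuntu
        mode: "0644"

    - name: Copy nginx configuration
      ansible.builtin.copy:
        src: ../docker/nginx/
        dest: /opt/gitea/nginx/
        owner: ubuntu
        group: ubuntu
        mode: "0644"
        directory_mode: "0755"

    # The secret is read on the managed host with the AWS CLI (presumably via
    # the instance's own credentials); the full SecretString is registered, so
    # the task must not be logged.
    - name: Fetch database credentials from Secrets Manager
      ansible.builtin.shell: |
        aws secretsmanager get-secret-value \
          --secret-id "{{ secret_name }}" \
          --region "{{ aws_region }}" \
          --query SecretString \
          --output text
      register: db_secret
      changed_when: false
      no_log: true

    - name: Parse database credentials
      ansible.builtin.set_fact:
        db_creds: "{{ db_secret.stdout | from_json }}"
      no_log: true

    - name: Fetch SES SMTP credentials from Secrets Manager
      ansible.builtin.shell: |
        aws secretsmanager get-secret-value \
          --secret-id "{{ ses_secret_name }}" \
          --region "{{ aws_region }}" \
          --query SecretString \
          --output text
      register: ses_secret
      changed_when: false
      no_log: true

    - name: Parse SES SMTP credentials
      ansible.builtin.set_fact:
        ses_creds: "{{ ses_secret.stdout | from_json }}"
      no_log: true

    # The rendered file holds every credential in clear text; mode 0600 keeps
    # it readable by the compose user only, and no_log keeps the content out
    # of the diff/verbose output.
    - name: Create .env file
      ansible.builtin.copy:
        content: |
          DB_USER={{ db_creds.username }}
          DB_PASSWORD={{ db_creds.password }}
          DB_NAME={{ db_creds.database }}
          GITEA_ADMIN_USERNAME={{ db_creds.admin_username }}
          GITEA_ADMIN_PASSWORD={{ db_creds.admin_password }}
          GITEA_ADMIN_EMAIL={{ db_creds.admin_email }}
          SMTP_HOST={{ ses_creds.smtp_host }}
          SMTP_PORT={{ ses_creds.smtp_port }}
          SMTP_USERNAME={{ ses_creds.smtp_username }}
          SMTP_PASSWORD={{ ses_creds.smtp_password }}
          ALERT_EMAIL={{ ses_creds.alert_email }}
        dest: /opt/gitea/.env
        owner: ubuntu
        group: ubuntu
        mode: "0600"
      no_log: true

    - name: Start Docker Compose services
      community.docker.docker_compose_v2:
        project_src: /opt/gitea
        state: present
      become_user: ubuntu

    # Poll the web UI on the host's loopback; up to 30 x 10 s before failing.
    - name: Wait for Gitea to be ready
      ansible.builtin.uri:
        url: http://localhost:3000
        status_code: 200
      register: result
      until: result.status == 200
      retries: 30
      delay: 10

    # Idempotent by construction: a non-zero exit is only a failure when the
    # CLI did not report that the user already exists. The password is passed
    # on the docker exec command line, so it is briefly visible in the host's
    # process list; no_log at least keeps it out of Ansible's own output.
    - name: Create Gitea admin user via CLI
      ansible.builtin.shell: |
        docker exec --user git gitea gitea admin user create \
          --username "{{ db_creds.admin_username }}" \
          --password "{{ db_creds.admin_password }}" \
          --email "{{ db_creds.admin_email }}" \
          --admin \
          --must-change-password=false
      register: admin_create
      failed_when:
        - admin_create.rc != 0
        - "'already exists' not in admin_create.stderr"
      changed_when: "'New user' in admin_create.stdout"
      no_log: true

    # Belt and braces next to --must-change-password=false above; presumably
    # also covers an admin account that already existed on a re-run. The
    # username is interpolated into a single-quoted SQL literal, so a name
    # containing a quote would break the statement — assumed not to occur.
    - name: Disable password change requirement
      ansible.builtin.shell: |
        docker exec gitea-postgres psql -U {{ db_creds.username }} \
          -d {{ db_creds.database }} \
          -c "UPDATE public.user SET must_change_password = false \
          WHERE name = '{{ db_creds.admin_username }}';"
      changed_when: true

    # The response body is the registration token itself, so it is registered
    # under no_log like the other secrets.
    - name: Generate Gitea Actions runner registration token
      ansible.builtin.uri:
        url: http://localhost:3000/api/v1/admin/runners/registration-token
        method: GET
        user: "{{ db_creds.admin_username }}"
        password: "{{ db_creds.admin_password }}"
        force_basic_auth: true
        status_code: 200
      register: runner_token_response
      retries: 5
      delay: 5
      until: runner_token_response.status == 200
      no_log: true

    # Read-modify-write of the existing secret so the other keys survive.
    # `set -euo pipefail` aborts before update-secret if the read or jq step
    # fails, instead of overwriting the secret with an empty/partial document.
    # The token reaches jq through the environment rather than being templated
    # into the command string, so it is neither shell-interpolated nor part of
    # the logged command line.
    - name: Update AWS Secrets Manager with runner token
      ansible.builtin.shell: |
        set -euo pipefail
        SECRET_JSON=$(aws secretsmanager get-secret-value \
          --secret-id "{{ secret_name }}" \
          --region "{{ aws_region }}" \
          --query SecretString \
          --output text)
        UPDATED_JSON=$(echo "$SECRET_JSON" | jq --arg token "$RUNNER_TOKEN" \
          '.gitea_runner_token = $token')
        aws secretsmanager update-secret \
          --secret-id "{{ secret_name }}" \
          --region "{{ aws_region }}" \
          --secret-string "$UPDATED_JSON"
      args:
        executable: /bin/bash
      environment:
        RUNNER_TOKEN: "{{ runner_token_response.json.token }}"
      changed_when: true
      no_log: true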