890a23e8d5
Some checks failed
Update Automation Tests / Integration Tests (pull_request) Failing after 40s
Infrastructure & Permissions: - Set recovery_window_in_days=0 on secrets for immediate deletion on destroy - Add secretsmanager:UpdateSecret permission to EC2 IAM role - Move SES secret definition from ses.tf to secrets.tf for better organization - Create scripts/empty-s3-bucket.sh to handle versioned S3 object deletion - Update Makefile to use S3 cleanup script in full-destroy target Gitea Admin User Automation: - Remove non-functional GITEA_ADMIN_* environment variables from docker-compose.yml - Add CLI-based admin user creation via docker exec in deploy-gitea.yml - Add database update to disable must_change_password requirement - Fix runner token API call to use GET instead of POST Runner Setup Fixes: - Change runner gitea_instance to http://localhost:3000 (was failing with public URL) - Fix registration to work from same host as Gitea Domain Migration: - Change domain from gitea.poll-streams.com to git.poll-streams.com - Update DNS, docker-compose, nginx configs, ansible inventory, and SSL setup - Enables fresh SSL certificate (avoids Let's Encrypt rate limit) All changes enable zero-to-one deployment: make full-destroy && make full-deploy
81 lines
2.2 KiB
YAML
81 lines
2.2 KiB
YAML
---
|
|
- name: Setup SSL certificates
|
|
hosts: gitea
|
|
become: true
|
|
|
|
tasks:
|
|
- name: Create nginx config directories
|
|
ansible.builtin.file:
|
|
path: "/opt/gitea/nginx/{{ item }}"
|
|
state: directory
|
|
owner: ubuntu
|
|
group: ubuntu
|
|
mode: "0755"
|
|
loop:
|
|
- ""
|
|
- "conf.d"
|
|
|
|
- name: Copy nginx main config
|
|
ansible.builtin.copy:
|
|
src: ../docker/nginx/nginx.conf
|
|
dest: /opt/gitea/nginx/nginx.conf
|
|
owner: ubuntu
|
|
group: ubuntu
|
|
mode: "0644"
|
|
|
|
- name: Copy initial nginx config (HTTP only for ACME challenge)
|
|
ansible.builtin.copy:
|
|
src: ../docker/nginx/conf.d/gitea-init.conf
|
|
dest: /opt/gitea/nginx/conf.d/gitea.conf
|
|
owner: ubuntu
|
|
group: ubuntu
|
|
mode: "0644"
|
|
|
|
- name: Start services with nginx
|
|
community.docker.docker_compose_v2:
|
|
project_src: /opt/gitea
|
|
state: present
|
|
become_user: ubuntu
|
|
|
|
- name: Wait for nginx to be ready
|
|
ansible.builtin.wait_for:
|
|
port: 80
|
|
delay: 5
|
|
timeout: 60
|
|
|
|
- name: Run certbot to obtain SSL certificate
|
|
community.docker.docker_compose_v2:
|
|
project_src: /opt/gitea
|
|
services:
|
|
- certbot
|
|
state: present
|
|
become_user: ubuntu
|
|
register: certbot_result
|
|
failed_when: false
|
|
|
|
- name: Check if certificate was obtained
|
|
ansible.builtin.command:
|
|
cmd: docker exec gitea-nginx ls /etc/letsencrypt/live/git.poll-streams.com/fullchain.pem
|
|
register: cert_check
|
|
changed_when: false
|
|
failed_when: false
|
|
|
|
- name: Copy final nginx config with SSL
|
|
ansible.builtin.copy:
|
|
src: ../docker/nginx/conf.d/gitea.conf
|
|
dest: /opt/gitea/nginx/conf.d/gitea.conf
|
|
owner: ubuntu
|
|
group: ubuntu
|
|
mode: "0644"
|
|
when: cert_check.rc == 0
|
|
|
|
- name: Reload nginx to use SSL certificate
|
|
ansible.builtin.command:
|
|
cmd: docker exec gitea-nginx nginx -s reload
|
|
when: cert_check.rc == 0
|
|
changed_when: true
|
|
|
|
- name: Display certificate status
|
|
ansible.builtin.debug:
|
|
msg: "SSL certificate {{ 'obtained successfully' if cert_check.rc == 0 else 'failed - check DNS and try again' }}"
|