docs: rewrite README with structured overview and quick start guide

Replaces the minimal project description with a comprehensive README
including a component overview table, quick start instructions, common
Ansible operations, and links to detailed documentation. Aligns with
Red Panda Approval™ standards.

ansible/gitea/app.ini.j2

@@ -0,0 +1,166 @@
+; Gitea Configuration File
+; Generated by Ansible
+
+APP_NAME = Gitea: Git with a cup of tea
+RUN_MODE = prod
+
+[server]
+PROTOCOL = http
+DOMAIN = {{ gitea_domain }}
+ROOT_URL = {{ gitea_root_url }}
+HTTP_ADDR = 0.0.0.0
+HTTP_PORT = {{ gitea_web_port }}
+DISABLE_SSH = false
+SSH_DOMAIN = {{ gitea_domain }}
+SSH_PORT = {{ gitea_ssh_port }}
+SSH_LISTEN_PORT = {{ gitea_ssh_port }}
+START_SSH_SERVER = true
+LFS_START_SERVER = {{ gitea_lfs_enabled | lower }}
+LFS_HTTP_AUTH_EXPIRY = 20m
+OFFLINE_MODE = false
+
+[database]
+DB_TYPE = {{ gitea_db_type }}
+HOST = {{ gitea_db_host }}:{{ gitea_db_port }}
+NAME = {{ gitea_db_name }}
+USER = {{ gitea_db_user }}
+PASSWD = {{ gitea_db_password }}
+SSL_MODE = {{ gitea_db_ssl_mode }}
+LOG_SQL = false
+AUTO_MIGRATION = true
+
+[repository]
+ROOT = {{ gitea_repo_root }}
+DEFAULT_BRANCH = main
+DEFAULT_PRIVATE = public
+ENABLE_PUSH_CREATE_USER = true
+ENABLE_PUSH_CREATE_ORG = false
+DISABLED_REPO_UNITS = 
+DEFAULT_REPO_UNITS = repo.code,repo.releases,repo.issues,repo.pulls,repo.wiki,repo.projects,repo.packages
+
+[repository.signing]
+SIGNING_KEY = default
+INITIAL_COMMIT = always
+
+[repository.local]
+LOCAL_COPY_PATH = {{ gitea_data_dir }}/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = {{ gitea_data_dir }}/tmp/uploads
+
+[lfs]
+PATH = {{ gitea_lfs_dir }}
+
+[security]
+INSTALL_LOCK = true
+SECRET_KEY = {{ gitea_secret_key }}
+MIN_PASSWORD_LENGTH = 8
+PASSWORD_COMPLEXITY = lower,upper,digit
+PASSWORD_HASH_ALGO = argon2
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128,10.0.0.0/8
+
+[service]
+DISABLE_REGISTRATION = {{ gitea_disable_registration | lower }}
+REQUIRE_SIGNIN_VIEW = {{ gitea_require_signin_view | lower }}
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+DEFAULT_KEEP_EMAIL_PRIVATE = true
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.{{ gitea_domain }}
+
+[service.explore]
+REQUIRE_SIGNIN_VIEW = {{ gitea_require_signin_view | lower }}
+DISABLE_USERS_PAGE = false
+
+[mailer]
+ENABLED = true
+SMTP_ADDR = {{ smtp_host }}
+SMTP_PORT = {{ smtp_port }}
+FROM = {{ smtp_from }}
+
+[session]
+PROVIDER = memcache
+PROVIDER_CONFIG = 127.0.0.1:11211
+COOKIE_NAME = gitea_session
+COOKIE_SECURE = true
+
+[picture]
+AVATAR_UPLOAD_PATH = {{ gitea_data_dir }}/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = {{ gitea_data_dir }}/repo-avatars
+DISABLE_GRAVATAR = false
+
+[attachment]
+PATH = {{ gitea_data_dir }}/attachments
+MAX_SIZE = 50
+MAX_FILES = 5
+
+[log]
+MODE = console
+LEVEL = Info
+ENABLE_SSH_LOG = true
+;; Sub-logger modes using new 1.21+ format
+logger.router.MODE = console
+logger.access.MODE = console
+
+[log.console]
+LEVEL = Info
+STDERR = false
+
+[git]
+PATH = /usr/bin/git
+DISABLE_DIFF_HIGHLIGHT = false
+MAX_GIT_DIFF_LINES = 1000
+MAX_GIT_DIFF_LINE_CHARACTERS = 5000
+MAX_GIT_DIFF_FILES = 100
+GC_ARGS = 
+
+[git.timeout]
+DEFAULT = 360
+MIGRATE = 600
+MIRROR = 300
+
+[indexer]
+ISSUE_INDEXER_TYPE = bleve
+ISSUE_INDEXER_PATH = {{ gitea_data_dir }}/indexers/issues.bleve
+REPO_INDEXER_ENABLED = true
+REPO_INDEXER_TYPE = bleve
+REPO_INDEXER_PATH = {{ gitea_data_dir }}/indexers/repos.bleve
+
+[queue]
+TYPE = level
+DATADIR = {{ gitea_data_dir }}/queues
+
+[metrics]
+ENABLED = {{ gitea_metrics_enabled | lower }}
+ENABLED_ISSUE_BY_LABEL = false
+ENABLED_ISSUE_BY_REPOSITORY = false
+TOKEN = {{ gitea_metrics_token }}
+
+[cache]
+ADAPTER = memcache
+HOST = 127.0.0.1:11211
+ITEM_TTL = 16h
+
+[webhook]
+ALLOWED_HOST_LIST = *
+
+[oauth2]
+ENABLED = true
+JWT_SIGNING_ALGORITHM = RS256
+JWT_SECRET = {{ gitea_lfs_jwt_secret }}
+
+[oauth2_client]
+ENABLE_AUTO_REGISTRATION = true
+ACCOUNT_LINKING = auto
+OPENID_CONNECT_SCOPES = openid profile email
+UPDATE_AVATAR = false
+
+[packages]
+ENABLED = true
+CHUNKED_UPLOAD_PATH = {{ gitea_data_dir }}/tmp/package-upload
+
+[actions]
+ENABLED = true
+DEFAULT_ACTIONS_URL = https://github.com

ansible/gitea/deploy.yml

@@ -0,0 +1,229 @@
+---
+- name: Deploy Gitea
+  hosts: gitea
+  become: true
+  tasks:
+    - name: Check if host has gitea service
+      ansible.builtin.set_fact:
+        has_gitea_service: "{{ 'gitea' in services | default([]) }}"
+
+    - name: Skip hosts without gitea service
+      ansible.builtin.meta: end_host
+      when: not has_gitea_service
+
+    - name: Install required packages
+      ansible.builtin.apt:
+        name:
+          - git
+          - git-lfs
+          - curl
+          - memcached
+        state: present
+        update_cache: true
+
+    - name: Ensure Memcached is running
+      ansible.builtin.service:
+        name: memcached
+        state: started
+        enabled: true
+
+    - name: Create git system group
+      ansible.builtin.group:
+        name: "{{ gitea_group }}"
+        system: true
+        state: present
+
+    - name: Create git system user
+      ansible.builtin.user:
+        name: "{{ gitea_user }}"
+        group: "{{ gitea_group }}"
+        system: true
+        shell: /bin/bash
+        home: "{{ gitea_home_dir }}"
+        create_home: true
+        comment: "Git Version Control"
+
+    - name: Create Gitea directories
+      ansible.builtin.file:
+        path: "{{ item.path }}"
+        state: directory
+        owner: "{{ item.owner }}"
+        group: "{{ item.group }}"
+        mode: "{{ item.mode }}"
+      loop:
+        - { path: "{{ gitea_work_dir }}", owner: "{{ gitea_user }}", group: "{{ gitea_group }}", mode: "0755" }
+        - { path: "{{ gitea_work_dir }}/custom", owner: "{{ gitea_user }}", group: "{{ gitea_group }}", mode: "0755" }
+        - { path: "{{ gitea_data_dir }}", owner: "{{ gitea_user }}", group: "{{ gitea_group }}", mode: "0755" }
+        - { path: "{{ gitea_lfs_dir }}", owner: "{{ gitea_user }}", group: "{{ gitea_group }}", mode: "0755" }
+        - { path: "{{ gitea_repo_root }}", owner: "{{ gitea_user }}", group: "{{ gitea_group }}", mode: "0755" }
+        - { path: "/etc/gitea", owner: "root", group: "{{ gitea_group }}", mode: "0770" }
+
+    - name: Get installed Gitea version
+      ansible.builtin.command:
+        cmd: /usr/local/bin/gitea --version
+      register: gitea_installed_version
+      changed_when: false
+      failed_when: false
+
+    - name: Parse installed version
+      ansible.builtin.set_fact:
+        gitea_current_version: "{{ gitea_installed_version.stdout | regex_search('([0-9]+\\.[0-9]+\\.[0-9]+)') | default('0.0.0') }}"
+      when: gitea_installed_version.rc == 0
+
+    - name: Set current version to 0.0.0 if not installed
+      ansible.builtin.set_fact:
+        gitea_current_version: "0.0.0"
+      when: gitea_installed_version.rc != 0
+
+    - name: Get latest Gitea release version from GitHub
+      ansible.builtin.uri:
+        url: https://api.github.com/repos/go-gitea/gitea/releases/latest
+        return_content: true
+      register: gitea_latest_release
+
+    - name: Extract latest version number
+      ansible.builtin.set_fact:
+        gitea_latest_version: "{{ gitea_latest_release.json.tag_name | regex_replace('^v', '') }}"
+
+    - name: Display version information
+      ansible.builtin.debug:
+        msg: "Gitea: installed={{ gitea_current_version }}, latest={{ gitea_latest_version }}"
+
+    - name: Stop Gitea before upgrade
+      ansible.builtin.systemd:
+        name: gitea
+        state: stopped
+      when:
+        - gitea_current_version != gitea_latest_version
+        - gitea_current_version != "0.0.0"
+
+    - name: Download Gitea binary
+      ansible.builtin.get_url:
+        url: "https://dl.gitea.com/gitea/{{ gitea_latest_version }}/gitea-{{ gitea_latest_version }}-linux-amd64"
+        dest: /usr/local/bin/gitea
+        mode: '0755'
+        owner: root
+        group: root
+        force: true
+      when: gitea_current_version != gitea_latest_version
+      notify: restart gitea
+
+    - name: Template Gitea configuration
+      ansible.builtin.template:
+        src: app.ini.j2
+        dest: "{{ gitea_config_file }}"
+        owner: "{{ gitea_user }}"
+        group: "{{ gitea_group }}"
+        mode: '0640'
+      notify: restart gitea
+
+    - name: Create Gitea systemd service
+      ansible.builtin.copy:
+        dest: /etc/systemd/system/gitea.service
+        mode: '0644'
+        owner: root
+        group: root
+        content: |
+          [Unit]
+          Description=Gitea (Git with a cup of tea)
+          After=syslog.target
+          After=network.target
+          After=postgresql.service
+
+          [Service]
+          RestartSec=2s
+          Type=simple
+          User={{ gitea_user }}
+          Group={{ gitea_group }}
+          WorkingDirectory={{ gitea_work_dir }}/
+          ExecStart=/usr/local/bin/gitea web --config {{ gitea_config_file }}
+          Restart=always
+          Environment=USER={{ gitea_user }} HOME={{ gitea_home_dir }} GITEA_WORK_DIR={{ gitea_work_dir }}
+
+          [Install]
+          WantedBy=multi-user.target
+      notify: restart gitea
+
+    - name: Reload systemd daemon
+      ansible.builtin.systemd:
+        daemon_reload: true
+
+    - name: Enable and start Gitea service
+      ansible.builtin.systemd:
+        name: gitea
+        enabled: true
+        state: started
+
+    # OAuth2 Provider Configuration (Casdoor SSO)
+    - name: Flush handlers to ensure Gitea is restarted before healthcheck
+      ansible.builtin.meta: flush_handlers
+
+    - name: Wait for Gitea to be ready
+      ansible.builtin.uri:
+        url: "http://127.0.0.1:{{ gitea_web_port }}/api/healthz"
+        method: GET
+        status_code: 200
+      register: gitea_health
+      until: gitea_health.status == 200
+      retries: 30
+      delay: 5
+      when: gitea_oauth_enabled | default(false)
+
+    - name: Check if Casdoor OAuth source exists
+      ansible.builtin.command:
+        cmd: >
+          /usr/local/bin/gitea admin auth list
+          --config {{ gitea_config_file }}
+      become: true
+      become_user: "{{ gitea_user }}"
+      register: gitea_auth_list
+      changed_when: false
+      when: gitea_oauth_enabled | default(false)
+
+    - name: Add Casdoor OAuth2 authentication source
+      ansible.builtin.command:
+        cmd: >
+          /usr/local/bin/gitea admin auth add-oauth
+          --config {{ gitea_config_file }}
+          --name "{{ gitea_oauth_name }}"
+          --provider openidConnect
+          --key "{{ gitea_oauth_client_id }}"
+          --secret "{{ gitea_oauth_client_secret }}"
+          --auto-discover-url "https://id.ouranos.helu.ca/.well-known/openid-configuration"
+          --scopes "{{ gitea_oauth_scopes }}"
+          --skip-local-2fa
+          --group-claim-name ""
+          --admin-group ""
+      become: true
+      become_user: "{{ gitea_user }}"
+      when:
+        - gitea_oauth_enabled | default(false)
+        - gitea_oauth_name not in gitea_auth_list.stdout
+      notify: restart gitea
+
+    - name: Update Casdoor OAuth2 authentication source
+      ansible.builtin.command:
+        cmd: >
+          /usr/local/bin/gitea admin auth update-oauth
+          --config {{ gitea_config_file }}
+          --id {{ gitea_auth_list.stdout_lines | select('search', gitea_oauth_name) | first | regex_search('^\d+') }}
+          --name "{{ gitea_oauth_name }}"
+          --provider openidConnect
+          --key "{{ gitea_oauth_client_id }}"
+          --secret "{{ gitea_oauth_client_secret }}"
+          --auto-discover-url "https://id.ouranos.helu.ca/.well-known/openid-configuration"
+          --scopes "{{ gitea_oauth_scopes }}"
+          --skip-local-2fa
+      become: true
+      become_user: "{{ gitea_user }}"
+      when:
+        - gitea_oauth_enabled | default(false)
+        - gitea_oauth_name in gitea_auth_list.stdout
+      notify: restart gitea
+
+  handlers:
+    - name: restart gitea
+      ansible.builtin.systemd:
+        name: gitea
+        state: restarted
+        daemon_reload: true