nult/roles/gitea/tasks/config.yml
Mark a9554f3e5d Initial commit: nult - Ansible deployment toolkit
Merged from veridion-gitea and veridion-act-runner-gitea repos.

nult (Null-T) - instant teleportation from Strugatsky's Noon Universe.
Like Null-T, this toolkit instantly deploys infrastructure.

Roles:
- gitea: Gitea server with PostgreSQL (Docker Compose)
- act_runner: Gitea Actions runner

Playbooks:
- gitea.yml: Deploy Gitea server
- act-runner.yml: Deploy Act Runner
- site.yml: Deploy all services

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-15 15:34:07 +01:00


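---
# =============================================================================
# Configuration Tasks - Update Domain Settings
# =============================================================================
#
# Updates Gitea's app.ini configuration file with the new domain.
#
# The app.ini file lives inside the Docker volume at /data/gitea/conf/app.ini.
# We extract it, modify it on the host, then copy it back into the container.
#
# Everything between extraction and copy-back runs inside a block whose
# `always` section removes the host-side copy, so a failing edit task does
# not leave app.ini (which typically carries SECRET_KEY, INTERNAL_TOKEN and
# the database password) lying around in the temp directory.
#
# Settings that need updating for domain rename:
#   [server]
#   DOMAIN     = git.veridion.ru            (web domain)
#   SSH_DOMAIN = git.veridion.ru            (SSH clone URLs)
#   ROOT_URL   = https://git.veridion.ru/   (base URL for all links)
#
# Gitea reads app.ini at startup. The copy-back below does not restart the
# container, so a restart (presumably a handler elsewhere in this role -
# confirm) is needed before the new values take effect.
#
# Reference: https://docs.gitea.com/administration/config-cheat-sheet
# =============================================================================

# Create a temporary directory on the host for config editing.
# We'll extract app.ini here, modify it, then copy back.
# The tempfile module uses mkdtemp semantics, i.e. the directory is created
# mode 0700 for the connecting user, so the extracted config (secrets
# included) is not readable by other host users.
# check_mode: false - tempfile is harmless, needed for subsequent tasks
- name: Create temporary directory for config editing
  ansible.builtin.tempfile:
    state: directory
    prefix: gitea_config_
  register: gitea_config_temp_dir
  check_mode: false

# The block/always pair guarantees the cleanup task runs even when one of the
# edit tasks fails. gitea_config_temp_dir is registered above, outside the
# block, so the always section can always reference it.
- name: Edit app.ini on the host and copy it back into the container
  block:
    # -------------------------------------------------------------------------
    # Extract Configuration from Container
    # -------------------------------------------------------------------------
    # docker cp extracts files from a container to the host filesystem.
    # Format: docker cp <container>:<path_in_container> <path_on_host>
    # check_mode: false - read-only extraction needed for lineinfile to
    # evaluate changes
    - name: Extract app.ini from Gitea container
      ansible.builtin.command:
        cmd: "docker cp {{ gitea_container_name }}:/data/gitea/conf/app.ini {{ gitea_config_temp_dir.path }}/app.ini"
      changed_when: false
      check_mode: false

    # -------------------------------------------------------------------------
    # Update Domain Settings
    # -------------------------------------------------------------------------
    # Using lineinfile module to update specific settings in app.ini.
    # Each task finds a line matching the regexp and replaces it.
    #
    # lineinfile parameters:
    #   path:        File to modify
    #   regexp:      Pattern to find (uses Python regex)
    #   line:        Replacement line
    #   insertafter: Where to put the line when regexp matches nothing
    #   backrefs:    If true, allows using \1, \2 for captured groups (not used here)
    #
    # The regexp patterns:
    #   ^DOMAIN\s*=     Matches "DOMAIN = " at start of line, with any whitespace
    #   ^\s*DOMAIN\s*=  Would also match indented lines (not typical in app.ini)
    #
    # insertafter pins a key that is not yet present to the [server] section.
    # Without it lineinfile appends at end of file, which in an INI file puts
    # the key into whatever section happens to be last, where Gitea ignores it.
    - name: Update DOMAIN setting in app.ini
      ansible.builtin.lineinfile:
        path: "{{ gitea_config_temp_dir.path }}/app.ini"
        regexp: '^DOMAIN\s*='
        line: "DOMAIN = {{ gitea_domain }}"
        insertafter: '^\[server\]'
      register: gitea_domain_updated

    - name: Update SSH_DOMAIN setting in app.ini
      ansible.builtin.lineinfile:
        path: "{{ gitea_config_temp_dir.path }}/app.ini"
        regexp: '^SSH_DOMAIN\s*='
        line: "SSH_DOMAIN = {{ gitea_ssh_domain }}"
        insertafter: '^\[server\]'
      register: gitea_ssh_domain_updated

    # ROOT_URL must include the protocol (https://) and trailing slash.
    # Any trailing slash already present in gitea_root_url is stripped first
    # so that "https://host/" does not turn into "https://host//".
    - name: Update ROOT_URL setting in app.ini
      ansible.builtin.lineinfile:
        path: "{{ gitea_config_temp_dir.path }}/app.ini"
        regexp: '^ROOT_URL\s*='
        line: "ROOT_URL = {{ gitea_root_url | regex_replace('/+$', '') }}/"
        insertafter: '^\[server\]'
      register: gitea_root_url_updated

    # -------------------------------------------------------------------------
    # Apply Security Hardening (Optional)
    # -------------------------------------------------------------------------
    # These settings enhance security. They're applied during domain update
    # since we're already modifying the config.
    #
    # Each setting is conditional on whether the variable is defined,
    # allowing operators to skip specific hardening options. Their results
    # are registered so that a hardening-only change is still copied back
    # (a skipped task registers changed: false, so the copy-back condition
    # below stays valid when a variable is undefined).

    # Password hashing: argon2 is more secure than pbkdf2 (Gitea default)
    - name: Update password hash algorithm
      ansible.builtin.lineinfile:
        path: "{{ gitea_config_temp_dir.path }}/app.ini"
        regexp: '^PASSWORD_HASH_ALGO\s*='
        line: "PASSWORD_HASH_ALGO = {{ gitea_password_hash_algo }}"
        insertafter: '^\[security\]'
      register: gitea_password_hash_updated
      when: gitea_password_hash_algo is defined

    # Disable git hooks to prevent arbitrary code execution.
    # `lower` stringifies the value, so a boolean true renders as "true",
    # which is the spelling Gitea expects.
    - name: Update git hooks setting
      ansible.builtin.lineinfile:
        path: "{{ gitea_config_temp_dir.path }}/app.ini"
        regexp: '^DISABLE_GIT_HOOKS\s*='
        line: "DISABLE_GIT_HOOKS = {{ gitea_disable_git_hooks | lower }}"
        insertafter: '^\[security\]'
      register: gitea_git_hooks_updated
      when: gitea_disable_git_hooks is defined

    # -------------------------------------------------------------------------
    # Copy Updated Configuration Back to Container
    # -------------------------------------------------------------------------
    # docker cp can also copy from host to container.
    # Format: docker cp <path_on_host> <container>:<path_in_container>
    # Runs when any of the edit tasks - domain or hardening - changed the
    # file, so the hardening settings are not silently dropped on a run where
    # the domain values were already correct.
    - name: Copy updated app.ini back to container
      ansible.builtin.command:
        cmd: "docker cp {{ gitea_config_temp_dir.path }}/app.ini {{ gitea_container_name }}:/data/gitea/conf/app.ini"
      changed_when: true
      when: >-
        gitea_domain_updated.changed
        or gitea_ssh_domain_updated.changed
        or gitea_root_url_updated.changed
        or gitea_password_hash_updated.changed
        or gitea_git_hooks_updated.changed

  # ---------------------------------------------------------------------------
  # Cleanup
  # ---------------------------------------------------------------------------
  # Remove the temporary directory we created. Runs on success and on failure.
  # check_mode: false - clean up the temp dir we created with check_mode: false
  always:
    - name: Remove temporary config directory
      ansible.builtin.file:
        path: "{{ gitea_config_temp_dir.path }}"
        state: absent
      check_mode: false

# Display summary of changes for operator visibility
- name: Display configuration changes
  ansible.builtin.debug:
    msg: |
      Configuration updated:
        DOMAIN = {{ gitea_domain }}
        SSH_DOMAIN = {{ gitea_ssh_domain }}
        ROOT_URL = {{ gitea_root_url | regex_replace('/+$', '') }}/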