Add registry.lunarfront.tech: DNS-only subdomain with Let's Encrypt cert, no CF upload limit

2026-03-31 19:14:03 -05:00
parent c280fb8cbe
commit 1ce49a7ed3
7 changed files with 96 additions and 8 deletions
--- a/ansible/roles/gitea/defaults/main.yml
+++ b/ansible/roles/gitea/defaults/main.yml
@@ -5,6 +5,9 @@ gitea_http_port: 3000
 gitea_ssh_port: 2222
 gitea_data_dir: /var/lib/gitea

+gitea_registry_domain: "registry.example.com"
+letsencrypt_email: ""
+
 # Cloudflare Origin Certificate
 cf_origin_cert: ""
 cf_origin_key: ""
--- a/ansible/roles/gitea/tasks/main.yml
+++ b/ansible/roles/gitea/tasks/main.yml
@@ -86,3 +86,51 @@
    name: nginx
    enabled: true
    state: started
+
+# ─── Registry (Let's Encrypt cert, DNS-only / no Cloudflare proxy) ────────────
+
+- name: Install certbot and Cloudflare DNS plugin
+  apt:
+    name: [certbot, python3-certbot-dns-cloudflare]
+    state: present
+
+- name: Write Cloudflare credentials for certbot
+  copy:
+    content: |
+      dns_cloudflare_api_token = {{ cloudflare_api_token }}
+    dest: /etc/letsencrypt/cloudflare.ini
+    owner: root
+    group: root
+    mode: "0600"
+
+- name: Obtain Let's Encrypt cert for registry domain
+  command: >
+    certbot certonly
+    --dns-cloudflare
+    --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini
+    --non-interactive
+    --agree-tos
+    --email {{ letsencrypt_email }}
+    -d {{ gitea_registry_domain }}
+  args:
+    creates: /etc/letsencrypt/live/{{ gitea_registry_domain }}/fullchain.pem
+
+- name: Deploy registry nginx config
+  template:
+    src: nginx-registry.conf.j2
+    dest: /etc/nginx/sites-available/registry
+    mode: "0644"
+  notify: Reload nginx
+
+- name: Enable registry nginx site
+  file:
+    src: /etc/nginx/sites-available/registry
+    dest: /etc/nginx/sites-enabled/registry
+    state: link
+  notify: Reload nginx
+
+- name: Enable certbot renewal timer
+  systemd:
+    name: certbot.timer
+    enabled: true
+    state: started
--- a/ansible/roles/gitea/templates/nginx-registry.conf.j2
+++ b/ansible/roles/gitea/templates/nginx-registry.conf.j2
@@ -0,0 +1,26 @@
+server {
+    listen 80;
+    server_name {{ gitea_registry_domain }};
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    server_name {{ gitea_registry_domain }};
+
+    ssl_certificate     /etc/letsencrypt/live/{{ gitea_registry_domain }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ gitea_registry_domain }}/privkey.pem;
+
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+
+    client_max_body_size 0;
+
+    location / {
+        proxy_pass         http://127.0.0.1:{{ gitea_http_port }};
+        proxy_set_header   Host              $host;
+        proxy_set_header   X-Real-IP         $remote_addr;
+        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto $scheme;
+    }
+}