diff --git a/roles/forgejo/defaults/main.yml b/roles/forgejo/defaults/main.yml
new file mode 100644
index 0000000..848f7a1
--- /dev/null
+++ b/roles/forgejo/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+forgejo_url: >-
+  {{
+    "https://codeberg.org/forgejo/forgejo/releases/download/v"
+    + forgejo_version + "/forgejo-" + forgejo_version + "-"
+    + ansible_system | lower + "-amd64"
+  }}
diff --git a/roles/forgejo/files/forgejo.service b/roles/forgejo/files/forgejo.service
new file mode 100644
index 0000000..289ccdc
--- /dev/null
+++ b/roles/forgejo/files/forgejo.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Forgejo (Beyond coding. We forge.)
+After=syslog.target
+After=network.target
+
+[Service]
+Type=simple
+User=forgejo
+Group=forgejo
+WorkingDirectory=/srv/forgejo
+ExecStart=/usr/local/bin/forgejo web --config /etc/forgejo/app.ini
+Restart=always
+Environment=HOME=/srv/forgejo FORGEJO_WORK_DIR=/srv/forgejo
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/forgejo/handlers/main.yml b/roles/forgejo/handlers/main.yml
new file mode 100644
index 0000000..4b650b4
--- /dev/null
+++ b/roles/forgejo/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart forgejo
+  ansible.builtin.service:
+    name: forgejo
+    state: restarted
diff --git a/roles/forgejo/meta/main.yml b/roles/forgejo/meta/main.yml
new file mode 100644
index 0000000..d5e8ce4
--- /dev/null
+++ b/roles/forgejo/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+  - {role: git}
+  - {role: nginx}
diff --git a/roles/forgejo/tasks/main.yml b/roles/forgejo/tasks/main.yml
new file mode 100644
index 0000000..4b8c6f2
--- /dev/null
+++ b/roles/forgejo/tasks/main.yml
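Review bot: `forgejo_url` takes the OS from `ansible_system` but hard-codes `-amd64`, so on an arm64 host the role would fetch the amd64 build, and the `.sha256` check in the download task would still pass because it describes that same file. Derive the suffix from facts instead, e.g. `+ {'x86_64': 'amd64', 'aarch64': 'arm64'}[ansible_architecture]` in place of `"-amd64"`, so an unsupported arch fails loudly at template time. `forgejo_version` is the only thing pinning what gets installed and it has no default in this file; either declare it here or assert it early so a missing pin is a clear error rather than a broken URL.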
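Review bot: The [Service] section drops to the forgejo user but applies no sandboxing, so a compromise of the process that terminates all Git-over-HTTP traffic still gets a writable /usr and /tmp and can gain privileges through setuid binaries. Given the paths this unit uses (binary in /usr/local/bin, config in /etc/forgejo that is already root-owned and not writable by the service user, state under /srv/forgejo), `ProtectSystem=full` should cost nothing, though confirm on a test host; add `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` under [Service]. `After=syslog.target` refers to an obsolete target on current systemd and can be dropped.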
@@ -0,0 +1,107 @@
+---
+- name: Install dependencies
+  ansible.builtin.package:
+    name: git-lfs
+    state: installed
+
+- name: Download binary
+  ansible.builtin.get_url:
+    url: "{{ forgejo_url }}"
+    checksum: "sha256:{{ forgejo_url }}.sha256"
+    dest: /usr/local/bin/forgejo
+    mode: "0755"
+    owner: root
+    group: "{{ ansible_wheel }}"
+  notify: Restart forgejo
+
+- name: Create group
+  ansible.builtin.group:
+    name: forgejo
+    gid: 303
+
+- name: Create user
+  ansible.builtin.user:
+    name: forgejo
+    comment: Service Forgejo
+    createhome: false
+    group: forgejo
+    home: /var/empty
+    shell: /sbin/nologin
+    uid: 303
+
+- name: Create config directory
+  ansible.builtin.file:
+    path: /etc/forgejo
+    state: directory
+    mode: "0750"
+    owner: root
+    group: forgejo
+
+- name: Create config
+  ansible.builtin.template:
+    dest: /etc/forgejo/app.ini
+    src: app.ini.j2
+    mode: "0640"
+    owner: root
+    group: forgejo
+  notify: Restart forgejo
+
+- name: Create data directory
+  ansible.builtin.file:
+    path: /export/forgejo
+    state: directory
+    mode: "0750"
+    owner: forgejo
+    group: forgejo
+
+- name: Link data directory
+  ansible.builtin.file:
+    path: /srv/forgejo
+    state: link
+    src: /export/forgejo
+    owner: root
+    group: "{{ ansible_wheel }}"
+    follow: false
+
+- name: Create service file
+  ansible.builtin.copy:
+    dest: /etc/systemd/system/forgejo.service
+    src: forgejo.service
+    mode: "0644"
+    owner: root
+    group: "{{ ansible_wheel }}"
+  notify: Restart forgejo
+
+- name: Enable service
+  ansible.builtin.service:
+    name: forgejo
+    state: started
+    enabled: true
+
+- name: Allow nginx to connect forgejo
+  ansible.posix.seboolean:
+    name: httpd_can_network_connect
+    state: true
+    persistent: true
+
+- name: Copy nginx config
+  ansible.builtin.copy:
+    dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/forgejo.conf"
+    content: |
+      client_max_body_size 100m;
+      location / {
+        proxy_pass http://127.0.0.1:3000;
+      }
+    mode: "0644"
+    owner: root
+    group: "{{ ansible_wheel }}"
+  notify: Restart nginx
+
+- name: Add forgejo alias for root
+  ansible.builtin.blockinfile:
+    path: /root/.bashrc
+    block: |
+      # run forgejo as forgejo user
+      alias forgejo='sudo -u forgejo HOME=/srv/forgejo \
+        GITEA_WORK_DIR=/srv/forgejo \
+        /usr/local/bin/forgejo -c /etc/forgejo/app.ini'
diff --git a/roles/forgejo/templates/app.ini.j2 b/roles/forgejo/templates/app.ini.j2
new file mode 100644
index 0000000..2355cb3
--- /dev/null
+++ b/roles/forgejo/templates/app.ini.j2
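Review bot: The nginx snippet in "Copy nginx config" only sets `proxy_pass`; unless the nginx role this depends on adds them globally, no `X-Forwarded-For`, `X-Real-IP` or `X-Forwarded-Proto` reaches Forgejo, so every request appears to come from 127.0.0.1 and the client IP in failed-login logs, and anything like fail2ban keyed on it, is useless even though app.ini goes to the trouble of trusting 127.0.0.0/8 as a proxy. The `checksum: "sha256:{{ forgejo_url }}.sha256"` line only detects a corrupt download, since the digest is fetched from the same host as the binary; pinning the expected digest in the role per version (or verifying the detached signature published with the release) is what defends against a tampered release host. Also, the root alias exports `GITEA_WORK_DIR` while the unit exports `FORGEJO_WORK_DIR`; both are presumably honoured, but pick one so the CLI and the service agree.

```yaml
    content: |
      client_max_body_size 100m;
      location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
      }
    # … unchanged: mode/owner/group/notify …
```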
@@ -0,0 +1,78 @@
+APP_NAME = foo.sh - GIT
+RUN_USER = forgejo
+RUN_MODE = prod
+
+[database]
+DB_TYPE = mysql
+HOST = sqldb02.home.foo.sh
+NAME = forgejo
+USER = forgejo
+PASSWD = {{ forgejo_mysql_pass }}
+SCHEMA =
+SSL_MODE = true
+CHARSET = utf8
+PATH = /srv/forgejo/data/forgejo.db
+LOG_SQL = false
+
+[repository]
+ROOT = /srv/forgejo/data/forgejo-repositories
+
+[server]
+SSH_DOMAIN = localhost
+DOMAIN = git.foo.sh
+HTTP_ADDR = 127.0.0.1
+HTTP_PORT = 3000
+ROOT_URL = https://git.foo.sh/
+DISABLE_SSH = true
+SSH_PORT = 22
+LFS_START_SERVER = true
+LFS_JWT_SECRET = {{ forgejo_lfs_jwt_secret }}
+OFFLINE_MODE = false
+
+[lfs]
+PATH = /srv/forgejo/data/lfs
+
+[mailer]
+ENABLED = false
+
+[service]
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+DISABLE_REGISTRATION = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+REQUIRE_SIGNIN_VIEW = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.localhost
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[session]
+PROVIDER = file
+
+[log]
+MODE = console
+LEVEL = info
+
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = merge
+
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
+
+[security]
+INSTALL_LOCK = true
+INTERNAL_TOKEN = {{ forgejo_internal_token }}
+PASSWORD_HASH_ALGO = pbkdf2
+REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128
+REVERSE_PROXY_LIMIT = 1
+
+[actions]
+ENABLED = true
+
+[oauth2]
+JWT_SECRET = {{ gitea_oauth_jwt_secret }}
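Review bot: The [security] section sets INSTALL_LOCK and INTERNAL_TOKEN but never SECRET_KEY, the key Forgejo uses to encrypt secrets it stores such as 2FA seeds; in the Gitea code this setting is inherited from, an empty value falls back to a hard-coded default rather than a generated key, and since app.ini is root-owned and read-only to the service user nothing can be persisted at first start either — confirm for the pinned Forgejo version and add `SECRET_KEY = {{ forgejo_secret_key }}` sourced from the same vault as the other secrets. The oauth2 secret comes from `gitea_oauth_jwt_secret` while every other credential uses the `forgejo_` prefix; rename it to `forgejo_oauth_jwt_secret` so the vaulted variables this template needs are discoverable by one pattern. `[database] PATH` is the sqlite location and is ignored with `DB_TYPE = mysql`; dropping it avoids suggesting there is a local database to back up.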