From ea2a2c365209593da2ca9c81d18217eb94eb8716 Mon Sep 17 00:00:00 2001
From: uumas
Date: Thu, 12 Mar 2026 00:42:54 +0200
Subject: [PATCH] Add forgejo role

---
 roles/forgejo/README.md | 1 +
 roles/forgejo/defaults/main.yaml | 6 ++
 roles/forgejo/meta/argument_specs.yaml | 45 ++++++++++++++
 roles/forgejo/tasks/main.yaml | 81 ++++++++++++++++++++++++++
 roles/forgejo/templates/ssh-shell.j2 | 4 ++
 5 files changed, 137 insertions(+)
 create mode 100644 roles/forgejo/README.md
 create mode 100644 roles/forgejo/defaults/main.yaml
 create mode 100644 roles/forgejo/meta/argument_specs.yaml
 create mode 100644 roles/forgejo/tasks/main.yaml
 create mode 100644 roles/forgejo/templates/ssh-shell.j2

diff --git a/roles/forgejo/README.md b/roles/forgejo/README.md
new file mode 100644
index 0000000..29600f9
--- /dev/null
+++ b/roles/forgejo/README.md
@@ -0,0 +1 @@
+Installs and configures forgejo inside podman
diff --git a/roles/forgejo/defaults/main.yaml b/roles/forgejo/defaults/main.yaml
new file mode 100644
index 0000000..8b6a82e
--- /dev/null
+++ b/roles/forgejo/defaults/main.yaml
@@ -0,0 +1,6 @@
+---
+forgejo_require_signin_view: false
+forgejo_enable_internal_signin: true
+
+forgejo_smtp_user: ""
+forgejo_smtp_password: ""
diff --git a/roles/forgejo/meta/argument_specs.yaml b/roles/forgejo/meta/argument_specs.yaml
new file mode 100644
index 0000000..7647d18
--- /dev/null
+++ b/roles/forgejo/meta/argument_specs.yaml
@@ -0,0 +1,45 @@
+---
+argument_specs:
+ main:
+ description: "Installs and configures forgejo inside podman"
+ options:
+ forgejo_tag:
+ description: Forgejo version to use. Can be major (x), minor (x.y) or patch (x.y.z). Major version recommended.
+ type: str
+ required: true
+ forgejo_domain:
+ description: Domain forgejo should listen on
+ type: str
+ required: true
+ forgejo_secret_key:
+ description: A long secret key for forgejo to encrypt secrets with. Must never change.
+ type: str
+ required: true
+ forgejo_smtp_server:
+ description: Smtp server for forgejo
+ type: str
+ required: true
+ forgejo_smtp_from:
+ description: Address to send email from
+ type: str
+ required: true
+ forgejo_smtp_user:
+ description: Smtp user to authenticate as
+ type: str
+ required: false
+ default: ""
+ forgejo_smtp_password:
+ description: Smtp password to authenticate with
+ type: str
+ required: false
+ default: ""
+ forgejo_require_signin_view:
+ description: Whether to require signing in to view public repositories
+ type: bool
+ required: false
+ default: false
+ forgejo_enable_internal_signin:
+ description: Whether to enable signing in using local username/password
+ type: bool
+ required: false
+ default: true
diff --git a/roles/forgejo/tasks/main.yaml b/roles/forgejo/tasks/main.yaml
new file mode 100644
index 0000000..9f1c62d
--- /dev/null
+++ b/roles/forgejo/tasks/main.yaml
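Review bot: `forgejo_secret_key` and `forgejo_smtp_password` are documented as secrets but neither option entry carries `no_log: true`, so a validation failure on this role may echo the supplied value into the play output. ansible-core's argument-spec validator honours `no_log` on an option the same way module specs do, as far as I can tell, so adding `no_log: true` under both entries is a one-line change each. The `forgejo_tag` description recommends a major-only tag; it would help operators to state there that a major tag is mutable, so the deployed image can change on every re-run of the role.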
@@ -0,0 +1,81 @@
+---
+- name: Ensure netcat-openbsd is installed for ssh shell
+ ansible.builtin.apt:
+ name: netcat-openbsd
+
+- name: Create git system user on host for forgejo ssh
+ ansible.builtin.user:
+ name: git
+ group: git
+ system: true
+ home: /srv/forgejo/git
+ generate_ssh_key: true
+ ssh_key_type: ed25519
+ shell: /srv/forgejo/git/ssh-shell
+ register: _forgejo_git_user
+
+- name: Add git user's own ssh key to its authorized keys
+ ansible.posix.authorized_key:
+ user: git
+ key: "{{ _forgejo_git_user.ssh_public_key }}"
+
+- name: Install ssh forwarding shell for forgejo
+ ansible.builtin.template:
+ src: ssh-shell.j2
+ dest: /srv/forgejo/git/ssh-shell
+ mode: "0755"
+
+- name: Forgejo service
+ ansible.builtin.import_role:
+ name: service
+ vars:
+ service_name: forgejo
+ service_container_image: codeberg.org/forgejo/forgejo:{{ forgejo_tag }}
+ service_container_mounts:
+ - type: volume
+ source: data
+ destination: /data
+ - type: bind
+ source: /etc/localtime
+ destination: /etc/localtime
+ readonly: true
+ - type: bind
+ source: /srv/forgejo/git/.ssh
+ destination: /data/git/.ssh
+ service_container_secrets:
+ - name: secret-key
+ value: "{{ forgejo_secret_key }}"
+ service_domains:
+ - "{{ forgejo_domain }}"
+ service_database_type: postgres
+ service_postgres_tag: 18-alpine
+ service_container_publish_ports:
+ - name: ssh
+ type: socket
+ container_port: 22
+ service_container_env:
+ USER_UID: "{{ _forgejo_git_user.uid }}"
+ USER_GID: "{{ _forgejo_git_user.group }}"
+ FORGEJO__security__SECRET_KEY_URI: file:/run/secrets/secret-key
+ FORGEJO__database__DB_TYPE: postgres
+ FORGEJO__database__USER: forgejo
+ FORGEJO__database__NAME: forgejo
+ FORGEJO__database__HOST: postgres
+ FORGEJO__database__PASSWD__FILE: /run/secrets/postgres
+ FORGEJO__server__PROTOCOL: http+unix
+ FORGEJO__server__HTTP_ADDR: /run/forgejo.sock
+ FORGEJO__server__DOMAIN: "{{ forgejo_domain }}"
+ FORGEJO__server__ROOT_URL: https://{{ forgejo_domain }}
+ FORGEJO__server__SSH_ALLOW_UNEXPECTED_AUTHORIZED_KEYS: "true"
+ FORGEJO__mailer__ENABLED: "true"
+ FORGEJO__mailer__PROTOCOL: smtp
+ FORGEJO__mailer__SMTP_ADDR: "{{ forgejo_smtp_server }}"
+ FORGEJO__mailer__SMTP_PORT: "587"
+ FORGEJO__mailer__FROM: "{{ forgejo_smtp_from }}"
+ FORGEJO__mailer__USER: "{{ forgejo_smtp_user }}"
+ FORGEJO__mailer__PASSWD: "{{ forgejo_smtp_password }}"
+ FORGEJO__service__DISABLE_REGISTRATION: "true"
+ FORGEJO__service__REQUIRE_SIGNIN_VIEW: "{{ 'true' if forgejo_require_signin_view else 'false' }}"
+ FORGEJO__service__ENABLE_INTERNAL_SIGNIN: "{{ 'true' if forgejo_enable_internal_signin else 'false' }}"
+ FORGEJO__oauth2_client__ENABLE_AUTO_REGISTRATION: "true"
+ FORGEJO__openid__ENABLE_OPENID_SIGNIN: "false"
diff --git a/roles/forgejo/templates/ssh-shell.j2 b/roles/forgejo/templates/ssh-shell.j2
new file mode 100644
index 0000000..9765b21
--- /dev/null
+++ b/roles/forgejo/templates/ssh-shell.j2
@@ -0,0 +1,4 @@
+#!/bin/bash
+# {{ ansible_managed }}
+shift
+SHELL=/bin/bash ssh -o "ProxyCommand nc -U /run/forgejo-ssh-socat.sock" -o StrictHostKeyChecking=no git@forgejo "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $@"
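Review bot: The `ansible.builtin.user` task sets `group: git`, but nothing in this hunk creates that group, and useradd rejects a primary group that does not exist, so on a fresh host the task fails unless the group is provisioned elsewhere in the playbook. Add an `ansible.builtin.group` task with `name: git` and `system: true` immediately before it, or drop `group: git` and let the user take a private group. Separately, `forgejo_secret_key` is delivered through `service_container_secrets` while `FORGEJO__mailer__PASSWD` is passed as a plain environment variable, which is readable through container inspection and process environment; the `__FILE` convention already used for `FORGEJO__database__PASSWD__FILE` suggests a second secret entry and `FORGEJO__mailer__PASSWD__FILE: /run/secrets/smtp-password` instead. The `import_role` task also carries no `no_log`, so the same two values can surface in the imported tasks' results on a verbose run.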
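Review bot: The last line embeds the client-supplied `$SSH_ORIGINAL_COMMAND` inside a string that the shell in the container parses again, so double quotes, `$` or `;` in the original command are interpreted on the remote side instead of being handed through verbatim, and the authenticated user's command is no longer confined to the argument position. Quote it locally with bash's `%q` so the remote shell sees one literal word, `SHELL=/bin/bash ssh -o "ProxyCommand nc -U /run/forgejo-ssh-socat.sock" -o StrictHostKeyChecking=no git@forgejo "SSH_ORIGINAL_COMMAND=$(printf '%q' "$SSH_ORIGINAL_COMMAND") $*"`; `$*` is also the right expansion when building a single string, since `$@` inside a larger double-quoted word splits into several arguments. A short comment above the line explaining that `shift` drops the `-c` sshd passes and that the remainder is the forced command from authorized_keys would help the next reader.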