Add forgejo role

roles/forgejo/tasks/main.yaml

@@ -0,0 +1,81 @@
+---
+- name: Ensure netcat-openbsd is installed for ssh shell
+  ansible.builtin.apt:
+    name: netcat-openbsd
+
+- name: Create git system user on host for forgejo ssh
+  ansible.builtin.user:
+    name: git
+    group: git
+    system: true
+    home: /srv/forgejo/git
+    generate_ssh_key: true
+    ssh_key_type: ed25519
+    shell: /srv/forgejo/git/ssh-shell
+  register: _forgejo_git_user
+
+- name: Add git user's own ssh key to its authorized keys
+  ansible.posix.authorized_key:
+    user: git
+    key: "{{ _forgejo_git_user.ssh_public_key }}"
+
+- name: Install ssh forwarding shell for forgejo
+  ansible.builtin.template:
+    src: ssh-shell.j2
+    dest: /srv/forgejo/git/ssh-shell
+    mode: "0755"
+
+- name: Forgejo service
+  ansible.builtin.import_role:
+    name: service
+  vars:
+    service_name: forgejo
+    service_container_image: codeberg.org/forgejo/forgejo:{{ forgejo_tag }}
+    service_container_mounts:
+      - type: volume
+        source: data
+        destination: /data
+      - type: bind
+        source: /etc/localtime
+        destination: /etc/localtime
+        readonly: true
+      - type: bind
+        source: /srv/forgejo/git/.ssh
+        destination: /data/git/.ssh
+    service_container_secrets:
+      - name: secret-key
+        value: "{{ forgejo_secret_key }}"
+    service_domains:
+      - "{{ forgejo_domain }}"
+    service_database_type: postgres
+    service_postgres_tag: 18-alpine
+    service_container_publish_ports:
+      - name: ssh
+        type: socket
+        container_port: 22
+    service_container_env:
+      USER_UID: "{{ _forgejo_git_user.uid }}"
+      USER_GID: "{{ _forgejo_git_user.group }}"
+      FORGEJO__security__SECRET_KEY_URI: file:/run/secrets/secret-key
+      FORGEJO__database__DB_TYPE: postgres
+      FORGEJO__database__USER: forgejo
+      FORGEJO__database__NAME: forgejo
+      FORGEJO__database__HOST: postgres
+      FORGEJO__database__PASSWD__FILE: /run/secrets/postgres
+      FORGEJO__server__PROTOCOL: http+unix
+      FORGEJO__server__HTTP_ADDR: /run/forgejo.sock
+      FORGEJO__server__DOMAIN: "{{ forgejo_domain }}"
+      FORGEJO__server__ROOT_URL: https://{{ forgejo_domain }}
+      FORGEJO__server__SSH_ALLOW_UNEXPECTED_AUTHORIZED_KEYS: "true"
+      FORGEJO__mailer__ENABLED: "true"
+      FORGEJO__mailer__PROTOCOL: smtp
+      FORGEJO__mailer__SMTP_ADDR: "{{ forgejo_smtp_server }}"
+      FORGEJO__mailer__SMTP_PORT: "587"
+      FORGEJO__mailer__FROM: "{{ forgejo_smtp_from }}"
+      FORGEJO__mailer__USER: "{{ forgejo_smtp_user }}"
+      FORGEJO__mailer__PASSWD: "{{ forgejo_smtp_password }}"
+      FORGEJO__service__DISABLE_REGISTRATION: "true"
+      FORGEJO__service__REQUIRE_SIGNIN_VIEW: "{{ 'true' if forgejo_require_signin_view else 'false' }}"
+      FORGEJO__service__ENABLE_INTERNAL_SIGNIN: "{{ 'true' if forgejo_enable_internal_signin else 'false' }}"
+      FORGEJO__oauth2_client__ENABLE_AUTO_REGISTRATION: "true"
+      FORGEJO__openid__ENABLE_OPENID_SIGNIN: "false"