Add forgejo role

roles/forgejo/README.md

@@ -0,0 +1 @@
+Installs and configures forgejo inside podman

roles/forgejo/defaults/main.yaml

@@ -0,0 +1,6 @@
+---
+forgejo_require_signin_view: false
+forgejo_enable_internal_signin: true
+
+forgejo_smtp_user: ""
+forgejo_smtp_password: ""

roles/forgejo/meta/argument_specs.yaml

@@ -0,0 +1,45 @@
+---
+argument_specs:
+  main:
+    description: "Installs and configures forgejo inside podman"
+    options:
+      forgejo_tag:
+        description: Forgejo version to use. Can be major (x), minor (x.y) or patch (x.y.z). Major version recommended.
+        type: str
+        required: true
+      forgejo_domain:
+        description: Domain forgejo should listen on
+        type: str
+        required: true
+      forgejo_secret_key:
+        description: A long secret key for forgejo to encrypt secrets with. Must never change.
+        type: str
+        required: true
+      forgejo_smtp_server:
+        description: Smtp server for forgejo
+        type: str
+        required: true
+      forgejo_smtp_from:
+        description: Address to send email from
+        type: str
+        required: true
+      forgejo_smtp_user:
+        description: Smtp user to authenticate as
+        type: str
+        required: false
+        default: ""
+      forgejo_smtp_password:
+        description: Smtp password to authenticate with
+        type: str
+        required: false
+        default: ""
+      forgejo_require_signin_view:
+        description: Whether to require signing in to view public repositories
+        type: bool
+        required: false
+        default: false
+      forgejo_enable_internal_signin:
+        description: Whether to enable signing in using local username/password
+        type: bool
+        required: false
+        default: true

roles/forgejo/tasks/main.yaml

@@ -0,0 +1,81 @@
+---
+- name: Ensure netcat-openbsd is installed for ssh shell
+  ansible.builtin.apt:
+    name: netcat-openbsd
+
+- name: Create git system user on host for forgejo ssh
+  ansible.builtin.user:
+    name: git
+    group: git
+    system: true
+    home: /srv/forgejo/git
+    generate_ssh_key: true
+    ssh_key_type: ed25519
+    shell: /srv/forgejo/git/ssh-shell
+  register: _forgejo_git_user
+
+- name: Add git user's own ssh key to its authorized keys
+  ansible.posix.authorized_key:
+    user: git
+    key: "{{ _forgejo_git_user.ssh_public_key }}"
+
+- name: Install ssh forwarding shell for forgejo
+  ansible.builtin.template:
+    src: ssh-shell.j2
+    dest: /srv/forgejo/git/ssh-shell
+    mode: "0755"
+
+- name: Forgejo service
+  ansible.builtin.import_role:
+    name: service
+  vars:
+    service_name: forgejo
+    service_container_image: codeberg.org/forgejo/forgejo:{{ forgejo_tag }}
+    service_container_mounts:
+      - type: volume
+        source: data
+        destination: /data
+      - type: bind
+        source: /etc/localtime
+        destination: /etc/localtime
+        readonly: true
+      - type: bind
+        source: /srv/forgejo/git/.ssh
+        destination: /data/git/.ssh
+    service_container_secrets:
+      - name: secret-key
+        value: "{{ forgejo_secret_key }}"
+    service_domains:
+      - "{{ forgejo_domain }}"
+    service_database_type: postgres
+    service_postgres_tag: 18-alpine
+    service_container_publish_ports:
+      - name: ssh
+        type: socket
+        container_port: 22
+    service_container_env:
+      USER_UID: "{{ _forgejo_git_user.uid }}"
+      USER_GID: "{{ _forgejo_git_user.group }}"
+      FORGEJO__security__SECRET_KEY_URI: file:/run/secrets/secret-key
+      FORGEJO__database__DB_TYPE: postgres
+      FORGEJO__database__USER: forgejo
+      FORGEJO__database__NAME: forgejo
+      FORGEJO__database__HOST: postgres
+      FORGEJO__database__PASSWD__FILE: /run/secrets/postgres
+      FORGEJO__server__PROTOCOL: http+unix
+      FORGEJO__server__HTTP_ADDR: /run/forgejo.sock
+      FORGEJO__server__DOMAIN: "{{ forgejo_domain }}"
+      FORGEJO__server__ROOT_URL: https://{{ forgejo_domain }}
+      FORGEJO__server__SSH_ALLOW_UNEXPECTED_AUTHORIZED_KEYS: "true"
+      FORGEJO__mailer__ENABLED: "true"
+      FORGEJO__mailer__PROTOCOL: smtp
+      FORGEJO__mailer__SMTP_ADDR: "{{ forgejo_smtp_server }}"
+      FORGEJO__mailer__SMTP_PORT: "587"
+      FORGEJO__mailer__FROM: "{{ forgejo_smtp_from }}"
+      FORGEJO__mailer__USER: "{{ forgejo_smtp_user }}"
+      FORGEJO__mailer__PASSWD: "{{ forgejo_smtp_password }}"
+      FORGEJO__service__DISABLE_REGISTRATION: "true"
+      FORGEJO__service__REQUIRE_SIGNIN_VIEW: "{{ 'true' if forgejo_require_signin_view else 'false' }}"
+      FORGEJO__service__ENABLE_INTERNAL_SIGNIN: "{{ 'true' if forgejo_enable_internal_signin else 'false' }}"
+      FORGEJO__oauth2_client__ENABLE_AUTO_REGISTRATION: "true"
+      FORGEJO__openid__ENABLE_OPENID_SIGNIN: "false"

roles/forgejo/templates/ssh-shell.j2

@@ -0,0 +1,4 @@
+#!/bin/bash
+# {{ ansible_managed }}
+shift
+SHELL=/bin/bash ssh -o "ProxyCommand nc -U /run/forgejo-ssh-socat.sock" -o StrictHostKeyChecking=no git@forgejo "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $@"