cuqmbr/homelab
1
0
Fork 0
Code

add forgejo provisioning and installation

Browse Source
This commit is contained in:
cuqmbr 2025-07-01 13:08:48 +03:00
parent 5ad54f4cac
commit 0034fde1ad
Signed by: cuqmbr
GPG Key ID: 1F62396D020F375C
18 changed files with 612 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
ansible/22_forgejo.yml Normal file
View File

@ -0,0 +1,16 @@
---
- hosts: forgejo
gather_facts: false
pre_tasks:
- name: Update apt cache.
ansible.builtin.apt:
update_cache: true
cache_valid_time: 86400
roles:
- role: roles/init
- role: roles/fluent_bit
- role: roles/prometheus_node_exporter
- role: roles/forgejo

18
ansible/inventories/common/group_vars/load_balancers.yml
View File

@ -51,6 +51,24 @@ nginx_settings:
statements:
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for
- proxy_set_header X-Real-IP $remote_addr
- upstream:
name: forgejo
servers:
- 192.168.0.20:3000
server:
listen_port: 80
names:
- gitea.dev.cuqmbr.xyz
- gitea.dev.cuqmbr.home
- git.dev.cuqmbr.xyz
- git.dev.cuqmbr.home
statements:
- proxy_set_header Connection $http_connection
- proxy_set_header Upgrade $http_upgrade
- proxy_set_header Host $host
- proxy_set_header X-Real-IP $remote_addr
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for
- proxy_set_header X-Forwarded-Proto $scheme
# name: prometheus
# servers:
# - 192.168.0.252:9090

6
ansible/inventories/common/group_vars/monitoring.yml
View File

@ -54,6 +54,12 @@ prometheus_options:
labels:
env: dev
hostname: searxng
- targets:
# forgejo
- 192.168.0.20:9100
labels:
env: dev
hostname: forgejo
- targets:
# bastion
- 192.168.0.254:9100

132
ansible/inventories/dev/group_vars/forgejo.yml Normal file
View File

@ -0,0 +1,132 @@
---
users:
- name: admin
password_hash: !vault |
$ANSIBLE_VAULT;1.1;AES256
30623138653735643561343061356531373430393662383764633038383238383837626636393432
3138653539356430306266663864343563616332656131310a343632323363653665646363366437
66643430626437333461656231303339656435346261336238313036306431396333643965666631
3665393163623266320a373838313538626438623330393533353931336331623464613664633430
32303734396634376431383936643431313561303864343930393363623130663236666636353637
63613237383666656263316661333031643032323266636464313839653065316138343035346161
64313037336666353136383462333832373031623637636630326330313832333265386632343139
30306638356434376635346637346134653064613236326333656566383137353166393063333563
32623638343263313463313062303465626439356461613235656661623364656138
ssh_public_keys:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKNzJdo6/c7uXrg0lqVwyXOhcNxO/BnylyJeqoBe4rAO5fhjwWLsvMAeCEmYa/3i8ITSvurFEou7BELo25vM58dNfGQHig52LrA/GU/jwDAhHyTXP3AvqqgIFa0ysMaHasYny6oqXi+eb2w/KimtgOhe5/oUdNBe/KgqZ+hP3qlTchxBl5MEzZIKgXTXQeYJpYYrnFb0l/R8qSkFBJv2xzxVJxEamN71SG7OIsi9m14D6hd2pNDHDDqHgKBVbN5irxDuJAzHN5upzfziXiYCOusud23tX6/nNv8t03CbB7FW0OxaCGhAjbavTFAf164L9GM7j76BGsLwWSh2HhG9G9lKs2bEI3IQudllMc6p9N6j2FhMOCKK6YYekdAOVc3ozTFc73VLkXtN8pnTC8OCSavthSt5jOUd0qTsQGH91lWlEkVe0bWi+s9nggfeWFM7HMVmqsR1jYlOXoi5s7xYwKLUdeUjRk3/rkzIFoOxquE5sVVuNDRNCaqcpPVY4k0gE= openpgp:0x8880F3E0"
opendoas_settings: "permit persist admin as root"
- name: ansible
password_hash: ""
ssh_public_keys:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKNzJdo6/c7uXrg0lqVwyXOhcNxO/BnylyJeqoBe4rAO5fhjwWLsvMAeCEmYa/3i8ITSvurFEou7BELo25vM58dNfGQHig52LrA/GU/jwDAhHyTXP3AvqqgIFa0ysMaHasYny6oqXi+eb2w/KimtgOhe5/oUdNBe/KgqZ+hP3qlTchxBl5MEzZIKgXTXQeYJpYYrnFb0l/R8qSkFBJv2xzxVJxEamN71SG7OIsi9m14D6hd2pNDHDDqHgKBVbN5irxDuJAzHN5upzfziXiYCOusud23tX6/nNv8t03CbB7FW0OxaCGhAjbavTFAf164L9GM7j76BGsLwWSh2HhG9G9lKs2bEI3IQudllMc6p9N6j2FhMOCKK6YYekdAOVc3ozTFc73VLkXtN8pnTC8OCSavthSt5jOUd0qTsQGH91lWlEkVe0bWi+s9nggfeWFM7HMVmqsR1jYlOXoi5s7xYwKLUdeUjRk3/rkzIFoOxquE5sVVuNDRNCaqcpPVY4k0gE= openpgp:0x8880F3E0"
opendoas_settings: "permit nopass ansible"
forgejo_clean_binaries: false
forgejo_version: 11.0.2
forgejo_app_name: "cuqmbr's Forgejo"
forgejo_app_slogan: ""
forgejo_run_mode: prod
forgejo_db_type: postgres
forgejo_db_host: 192.168.0.3:5432
forgejo_db_name: forgejo_db
forgejo_db_username: forgejo
forgejo_db_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
32373165333932643133666362336336326538646533303763343465336338393538666235616464
3065363334323132633161646437366636653462333237350a643161303166376532636562373331
39353331613939643639323431653233356161313937616536656363643933643734393032623831
3562373130643365630a633836326638666261386330653134333938306162646466393133316335
39323030373266393239353633343863313566356533636539666463336538656535613137373634
64633934393538336630373233373961613735363838333237356332313461303231323031313630
31663564373062306165373238376430653837316139353663313730376339386233633330653234
38386138316334376635616532383530663163663666643430666432623633303166376338613761
62373866303234613635366432333661393465636335626537353561643035306265666139663238
63623835303537626162653564303430383962646531373330323639643635393665633564303237
333866366330316466636164326130303031
forgejo_ssl_mode: disable
forgejo_server_domain: git.dev.cuqmbr.xyz
forgejo_server_root_url: http://git.dev.cuqmbr.xyz
forgejo_server_http_address: 0.0.0.0
forgejo_server_http_port: 3000
forgejo_server_ssh_port: 22
forgejo_server_lfs_secret: !vault |
$ANSIBLE_VAULT;1.1;AES256
65316236393837386464643938366564623532303139383765306631643864643363356561643666
6335343266313432366136323932306536623261643236640a363738366366303030383537633033
62356465313061376464633634333238316466633464626134363932373963373963383262666534
3134343137323734660a326638636162636539636663386437643034313661323266633361646461
31653534326664393138666237353438393739613565643137653438626462653165366136353039
3538653438613964653965303932643062306230383832633639
forgejo_mailer_from: "\"cuqmbr's Forgejo\" <no-reply@cuqmbr.xyz>"
forgejo_mailer_protocol: smtps
forgejo_mailer_address: mail.cuqmbr.xyz
forgejo_mailer_port: 465
forgejo_mailer_user: no-reply@cuqmbr.xyz
forgejo_mailer_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
31356466316634336162653164316232653865393539656336356130353764316537633535396433
3862343463633864336633373036323364373863613439310a663461636136366532633639313139
32336632623631346236336263306633326261393238346632653733343163643737383537393939
6263326538363633350a316666323566646638316535333934626638356434353864373566653338
37303436626261333863313961386465353831633537636537343166666438326138
forgejo_security_install_lock: true
forgejo_security_internal_token: !vault |
$ANSIBLE_VAULT;1.1;AES256
37396532353265376134316465336263616562373030663762333165363362313135653434383961
6334363937636138383865353639333261376437393839320a333834643939373231623134393865
31646263626533326533306136323735313237343437653265393534313739353930316462313765
3933643737663934320a363661353761646133366133366539306331396634626162306430346364
39313833336264666634393765336232643961393364646664643538396336316364623430343034
64643932613961613931336339353462373438333631633533363633656638383235353939313831
31313165623130633034613566343461663661323834303930323832343766313661643033626238
32613830383031346361343735393535623931356438383539303038343562373264343666373165
65333632303535626237373835353665623237353734383436346664663036376538
forgejo_oauth2_jwt_secret: !vault |
$ANSIBLE_VAULT;1.1;AES256
62663534346334366537303037613331396164323637643033383961383165333239313934316661
6461323764383861663237323066333132393434386137330a343239346561373139386164626562
35653437653762663231643439346139373133303738366139663332376461323531333065333732
6466373034346231650a363164373264633432393639323232633565656436663761343634616366
37643964383837376630303036363737343464666461336533393362313830376335326530306139
6331323465376131656666306361623637643864616665333436
fluentbit_settings:
service:
flush: 1
daemon: false
log_level: info
http_server: false
pipeline:
inputs:
- name: systemd
tag: systemd_input
filters:
- name: rewrite_tag
match: systemd_input
rule: $_SYSTEMD_UNIT ^(forgejo.service)$ forgejo false
- name: rewrite_tag
match: systemd_input
rule: $_SYSTEMD_UNIT ^(forgejo.service.+|(?!forgejo.service).*)$ systemd false
- name: record_modifier
match: forgejo
allowlist_key:
- MESSAGE
outputs:
- name: loki
host: 192.168.0.252
labels: "env=dev,hostname=forgejo,service_name=forgejo"
match: forgejo
- name: loki
host: 192.168.0.252
labels: "env=dev,hostname=forgejo,service_name=systemd"
match: systemd

3
ansible/inventories/dev/hosts.yml
View File

@ -10,3 +10,6 @@ all:
searxng:
hosts:
192.168.0.15:
forgejo:
hosts:
192.168.0.20:

2
ansible/notes.txt
View File

@ -1 +1,3 @@
export user="ansible"; ansible-playbook -u "${user}" --ssh-common-args "-o ProxyCommand='ssh -p 22 -W %h:%p -q ${user}@bastion.cuqmbr.home'" -J -b --become-method doas -i inventories/hosts.yml 10_monitoring.yml
https://github.com/ansiblebook/ansible_role_ssh/blob/main/molecule/default/molecule.yml

34
ansible/roles/forgejo/defaults/main.yml Normal file
View File

@ -0,0 +1,34 @@
---
forgejo_clean_binaries: false
forgejo_version: 10.0.3
forgejo_app_name: "cuqmbr's Forgejo"
forgejo_app_slogan: ""
forgejo_run_mode: prod
forgejo_db_type: postgres
forgejo_db_host: 127.0.0.1:5432
forgejo_db_name: forgejo_db
forgejo_db_username: forgejo
forgejo_db_password: 123
forgejo_ssl_mode: disable
forgejo_server_domain: git.dev.cuqmbr.xyz
forgejo_server_root_url: https://git.dev.cuqmbr.xyz
forgejo_server_http_address: 0.0.0.0
forgejo_server_http_port: 3000
forgejo_server_ssh_port: 22
forgejo_server_lfs_secret: 123
forgejo_mailer_from: "\"cuqmbr's Forgejo\" <no-reply@cuqmbr.xyz>"
forgejo_mailer_protocol: smtps
forgejo_mailer_address: mail.cuqmbr.xyz
forgejo_mailer_port: 465
forgejo_mailer_user: no-reply@cuqmbr.xyz
forgejo_mailer_password: 123
forgejo_security_install_lock: false
forgejo_security_internal_token: 123
forgejo_oauth2_jwt_secret: 123

19
ansible/roles/forgejo/files/forgejo.service Normal file
View File

@ -0,0 +1,19 @@
# Managed with Ansible
[Unit]
Description=Forgejo
After=syslog.target
After=network.target
[Service]
RestartSec=2s
Type=simple
User=git
Group=git
WorkingDirectory=/var/lib/forgejo/
ExecStart=/usr/local/bin/forgejo web --config /etc/forgejo/app.ini
Restart=always
Environment=USER=forgejo HOME=/home/git FORGEJO_WORK_DIR=/var/lib/forgejo
[Install]
WantedBy=multi-user.target

6
ansible/roles/forgejo/handlers/main.yml Normal file
View File

@ -0,0 +1,6 @@
---
- name: Restart forgejo service.
ansible.builtin.service:
name: forgejo
state: restarted

10
ansible/roles/forgejo/meta/main.yml Normal file
View File

@ -0,0 +1,10 @@
---
galaxy_info:
role_name: forgejo
author: cuqmbr-homelab
description: Install and configure Forgejo.
# issue_tracker_url: http://example.com/issue/tracker
license: MIT
min_ansible_version: "2.1"
galaxy_tags: []
dependencies: []

14
ansible/roles/forgejo/molecule/default/converge.yml Normal file
View File

@ -0,0 +1,14 @@
---
- name: Converge
hosts: all
gather_facts: false
pre_tasks:
- name: Update apt cache.
ansible.builtin.apt:
update_cache: true
cache_valid_time: 86400
roles:
- forgejo

14
ansible/roles/forgejo/molecule/default/molecule.yml Normal file
View File

@ -0,0 +1,14 @@
---
driver:
name: docker
platforms:
- name: cuqmbr-homelab.forgejo_debian-12
image: docker.io/geerlingguy/docker-debian12-ansible:latest
pre_build_image: true
command: ${MOLECULE_DOCKER_COMMAND:-""}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
cgroupns_mode: host
privileged: true
published_ports:
- 127.0.0.1:80:3000

93
ansible/roles/forgejo/tasks/main.yml Normal file
View File

@ -0,0 +1,93 @@
---
- name: Install dependencies.
ansible.builtin.apt:
name:
- git
- git-lfs
state: present
- name: Create forgejo user.
ansible.builtin.user:
name: git
password: '!'
system: true
home: /home/git
state: present
- name: Create forgejo config directory.
ansible.builtin.file:
path: /etc/forgejo
owner: root
group: git
mode: "0770"
state: directory
- name: Create forgejo data directory.
ansible.builtin.file:
path: /var/lib/forgejo
owner: git
group: git
mode: "0750"
state: directory
- name: Clean forgejo binaries.
when: forgejo_clean_binaries
block:
- name: Get all forgejo binaries.
ansible.builtin.find:
paths: /usr/local/bin/
patterns: forgejo*
register: forgejo_binary_find
- name: Delete forgejo binary files.
ansible.builtin.file:
path: "{{ item.path }}"
state: absent
loop: "{{ forgejo_binary_find.files }}"
- name: Download forgejo binary.
ansible.builtin.get_url:
url: "https://codeberg.org/forgejo/forgejo/releases/download\
/v{{ forgejo_version }}/forgejo-{{ forgejo_version }}-linux-amd64"
dest: "/usr/local/bin/forgejo-{{ forgejo_version }}"
owner: root
group: root
mode: "0555"
- name: Creaty symlink to forgejo binary.
ansible.builtin.file:
src: "/usr/local/bin/forgejo-{{ forgejo_version }}"
dest: /usr/local/bin/forgejo
owner: root
group: root
mode: "0555"
state: link
notify:
- Restart forgejo service.
- name: Install forgejo service file.
ansible.builtin.copy:
src: forgejo.service
dest: /etc/systemd/system/forgejo.service
owner: root
group: root
mode: "0644"
- name: Install forgejo configuration file.
ansible.builtin.template:
src: app.ini.j2
dest: /etc/forgejo/app.ini
owner: root
group: git
mode: "0660"
notify:
- Restart forgejo service.
- name: Enable and start forgejo service.
ansible.builtin.service:
name: forgejo
state: started
enabled: true

103
ansible/roles/forgejo/templates/app.ini.j2 Normal file
View File

@ -0,0 +1,103 @@
; Managed with Ansible
; https://codeberg.org/forgejo/forgejo/src/branch/forgejo/custom/conf/app.example.ini
APP_NAME = {{ forgejo_app_name }}
APP_SLOGAN = {{ forgejo_app_slogan }}
RUN_USER = git
WORK_PATH = /var/lib/forgejo
RUN_MODE = {{ forgejo_run_mode }}
[database]
DB_TYPE = {{ forgejo_db_type }}
HOST = {{ forgejo_db_host }}
NAME = {{ forgejo_db_name }}
USER = {{ forgejo_db_username }}
PASSWD = """{{ forgejo_db_password }}"""
SCHEMA =
SSL_MODE = {{ forgejo_ssl_mode }}
PATH = /var/lib/forgejo/data/forgejo.db
LOG_SQL = false
[repository]
ROOT = /var/lib/forgejo/data/forgejo-repositories
MAX_CREATION_LIMIT = 10
ENABLE_PUSH_CREATE_USER = true
ENABLE_PUSH_CREATE_ORG = true
DEFAULT_PUSH_CREATE_PRIVATE = true
DEFAULT_REPO_UNITS = repo.code,repo.releases
DEFAULT_MIRROR_REPO_UNITS = repo.code
DISABLE_STARS = true
DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true
[server]
SSH_DOMAIN = {{ forgejo_server_domain }}
DOMAIN = {{ forgejo_server_domain }}
HTTP_PORT = {{ forgejo_server_http_port }}
ROOT_URL = {{ forgejo_server_root_url }}
APP_DATA_PATH = /var/lib/forgejo/data
DISABLE_SSH = false
SSH_PORT = {{ forgejo_server_ssh_port }}
LFS_START_SERVER = true
LFS_JWT_SECRET = {{ forgejo_server_lfs_secret }}
OFFLINE_MODE = true
[lfs]
PATH = /var/lib/forgejo/data/lfs
[mailer]
ENABLED = true
FROM = {{ forgejo_mailer_from }}
PROTOCOL = {{ forgejo_mailer_protocol }}
SMTP_ADDR = {{ forgejo_mailer_address }}
SMTP_PORT = {{ forgejo_mailer_port }}
USER = {{ forgejo_mailer_user }}
PASSWD = `{{ forgejo_mailer_password }}`
[service]
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = true
DISABLE_REGISTRATION = true
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = false
REQUIRE_SIGNIN_VIEW = false
DEFAULT_KEEP_EMAIL_PRIVATE = true
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = noreply.localhost
[openid]
ENABLE_OPENID_SIGNIN = false
ENABLE_OPENID_SIGNUP = false
[cron.update_checker]
ENABLED = true
[session]
PROVIDER = file
[log]
MODE = console
LEVEL = info
ROOT_PATH = /var/lib/forgejo/log
[repository.upload]
FILE_MAX_SIZE = 5
MAX_FILES = 5
[repository.pull-request]
DEFAULT_MERGE_STYLE = merge
[repository.signing]
DEFAULT_TRUST_MODEL = committer
[security]
INSTALL_LOCK = {{ forgejo_security_install_lock }}
INTERNAL_TOKEN = {{ forgejo_security_internal_token }}
PASSWORD_HASH_ALGO = pbkdf2_hi
[oauth2]
JWT_SECRET = {{ forgejo_oauth2_jwt_secret }}
[ui]
AMBIGUOUS_UNICODE_DETECTION = false

1
ansible/roles/prometheus_nginx_exporter/meta/main.yml
View File

@ -1,3 +1,4 @@
---
galaxy_info:
role_name: prometheus_nginx_exporter
author: cuqmbr-homelab

25
terraform/common/firewall_ipsets.tf
View File

@ -1,6 +1,6 @@
resource "proxmox_virtual_environment_firewall_ipset" "dev_loggers" {
name = "loggers"
name = "dev-loggers"
comment = "Nodes that send logs to Monitoring Node."
cidr {
@ -32,11 +32,32 @@ resource "proxmox_virtual_environment_firewall_ipset" "dev_loggers" {
name = "192.168.0.15"
comment = "searxng"
}
cidr {
name = "192.168.0.20"
comment = "forgejo"
}
}
resource "proxmox_virtual_environment_firewall_ipset" "dev_postgres_clients" {
name = "dev-postgres-clients"
comment = "Nodes that can connect to postgres Node."
cidr {
name = "192.168.0.20"
comment = "forgejo"
}
}
output "dev_postgres_clients_ipset" {
value = proxmox_virtual_environment_firewall_ipset.dev_postgres_clients
sensitive = true
}
resource "proxmox_virtual_environment_firewall_ipset" "dev_valkey_clients" {
name = "valkey_clients"
name = "dev-valkey-clients"
comment = "Nodes that can connect to valkey Node."
cidr {

109
terraform/dev/forgejo.tf Normal file
View File

@ -0,0 +1,109 @@
resource "proxmox_virtual_environment_container" "forgejo" {
node_name = "pve"
vm_id = 1050
tags = ["dev"]
unprivileged = true
cpu {
cores = 1
}
memory {
dedicated = 1024
}
disk {
datastore_id = var.datastore_id
size = 16
}
network_interface {
bridge = var.internal_network_bridge_name
name = "eth-dev"
firewall = true
enabled = true
}
initialization {
hostname = "forgejo"
ip_config {
ipv4 {
address = "192.168.0.20/24"
gateway = "192.168.0.1"
}
}
user_account {
keys = [var.ssh_public_key]
}
}
operating_system {
template_file_id = "local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst"
type = "debian"
}
started = true
startup {
order = 500
up_delay = 0
down_delay = 0
}
features {
nesting = true
}
}
resource "proxmox_virtual_environment_firewall_options" "forgejo" {
depends_on = [proxmox_virtual_environment_container.forgejo]
node_name = proxmox_virtual_environment_container.forgejo.node_name
vm_id = proxmox_virtual_environment_container.forgejo.vm_id
enabled = true
dhcp = true
input_policy = "DROP"
output_policy = "ACCEPT"
}
resource "proxmox_virtual_environment_firewall_rules" "forgejo" {
depends_on = [proxmox_virtual_environment_container.forgejo]
node_name = proxmox_virtual_environment_container.forgejo.node_name
vm_id = proxmox_virtual_environment_container.forgejo.vm_id
rule {
type = "in"
source = split("/", data.terraform_remote_state.common.outputs.bastion_ct.initialization[0].ip_config[1].ipv4[0].address)[0]
proto = "tcp"
dport = "22"
action = "ACCEPT"
comment = "SSH from Bastion."
}
rule {
type = "in"
proto = "icmp"
dport = "8"
action = "ACCEPT"
comment = "Ping."
}
rule {
type = "in"
source = split("/", data.terraform_remote_state.common.outputs.load_balancer_ct.initialization[0].ip_config[1].ipv4[0].address)[0]
proto = "tcp"
dport = "3000"
action = "ACCEPT"
comment = "Forgejo Web."
}
rule {
security_group = data.terraform_remote_state.common.outputs.prometheus_node_exporter_sg.name
comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
}
}

9
terraform/dev/postgresql.tf
View File

@ -97,4 +97,13 @@ resource "proxmox_virtual_environment_firewall_rules" "postgresql" {
security_group = data.terraform_remote_state.common.outputs.prometheus_node_exporter_sg.name
comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
}
rule {
type = "in"
source = "+${data.terraform_remote_state.common.outputs.dev_postgres_clients_ipset.name}"
proto = "tcp"
dport = "5432"
action = "ACCEPT"
comment = "Access postgres from client nodes."
}
}