feat: initial commit

2025-06-02 14:55:56 +01:00 · 2025-06-02 14:55:56 +01:00 · 072a1ed764
commit 072a1ed764
36 changed files with 1089 additions and 0 deletions
--- a/roles/podman_forgejo/defaults/main.yml
+++ b/roles/podman_forgejo/defaults/main.yml
@ -0,0 +1,7 @@
+---
+podman_forgejo_mariadb_database: forgejo
+# podman_forgejo_mariadb_password:
+# podman_forgejo_mariadb_root_password:
+podman_forgejo_mariadb_user: forgejo
+podman_forgejo_podman_rootless_user: forge
+podman_forgejo_web_hostname: "{{ inventory_hostname }}"
--- a/roles/podman_forgejo/handlers/main.yml
+++ b/roles/podman_forgejo/handlers/main.yml
@ -0,0 +1,24 @@
+---
+- name: restart forgejo
+  ansible.builtin.systemd_service:
+    name: forgejo
+    state: restarted
+    scope: user
+    daemon_reload: true
+  become: true
+  become_user: "{{ podman_forgejo_podman_rootless_user }}"
+
+- name: restart mariadb
+  ansible.builtin.systemd_service:
+    name: forgejo
+    state: restarted
+    scope: user
+    daemon_reload: true
+  become: true
+  become_user: "{{ podman_forgejo_podman_rootless_user }}"
+
+- name: restart sshd
+  service:
+    name: sshd
+    state: restarted
+  become: true
--- a/roles/podman_forgejo/tasks/main.yml
+++ b/roles/podman_forgejo/tasks/main.yml
@ -0,0 +1,88 @@
+---
+- name: setup alternate SSH port
+  lineinfile:
+    dest: "/etc/ssh/sshd_config"
+    regexp: "^Port"
+    line: "Port 2222"
+  notify: restart sshd
+  become: true
+
+- name: create service configuration directories
+  ansible.builtin.file:
+    path: "/home/{{ podman_forgejo_podman_rootless_user }}/{{ item }}"
+    state: directory
+    owner: "{{ podman_forgejo_podman_rootless_user }}"
+    group: "{{ podman_forgejo_podman_rootless_user }}"
+    mode: "0755"
+  become: true
+  with_items:
+    - mysql
+    - forgejo
+
+- name: install podman quadlet for rootless podman user
+  ansible.builtin.template:
+    src: "{{ item }}"
+    dest: "/home/{{ podman_forgejo_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
+    owner: "{{ podman_forgejo_podman_rootless_user }}"
+    mode: "0400"
+  with_items:
+    - forgejo.container
+    - mariadb.container
+  notify:
+    - "restart {{ item | split('.') | first }}"
+  become: true
+
+- name: install network quadlets for rootless podman user
+  ansible.builtin.template:
+    src: "{{ item }}"
+    dest: "/home/{{ podman_forgejo_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
+    owner: "{{ podman_forgejo_podman_rootless_user }}"
+    mode: "0400"
+  with_items:
+    - frontend.network
+    - forgejo.network
+  become: true
+
+- name: verify quadlets are correctly defined
+  ansible.builtin.command: /usr/libexec/podman/quadlet -dryrun -user
+  register: podman_forgejo_quadlet_result
+  ignore_errors: true
+  changed_when: false
+  become: true
+  become_user: "{{ podman_forgejo_podman_rootless_user }}"
+
+- name: assert that the quadlet verification succeeded
+  ansible.builtin.assert:
+    that:
+      - podman_forgejo_quadlet_result.rc == 0
+    fail_msg: "'/usr/libexec/podman/quadlet -dryrun -user' failed! Output withheld to prevent leaking secrets."
+
+- name: start forgejo and mariadb
+  ansible.builtin.systemd_service:
+    name: "{{ item }}"
+    state: started
+    scope: user
+    daemon_reload: true
+  become: true
+  become_user: "{{ podman_forgejo_podman_rootless_user }}"
+  with_items:
+    - forgejo
+    - mariadb
+
+- name: set up nginx
+  ansible.builtin.include_role:
+    name: podman_nginx
+  vars:
+    podman_nginx_frontend_network: frontend
+    podman_nginx_podman_rootless_user: "{{ podman_forgejo_podman_rootless_user }}"
+    podman_nginx_primary_hostname: "{{ podman_forgejo_web_hostname }}"
+
+- name: create nginx configuration file
+  ansible.builtin.template:
+    src: nginx.conf
+    dest: "/home/{{ podman_forgejo_podman_rootless_user }}/nginx/nginx.conf"
+    owner: "{{ podman_forgejo_podman_rootless_user }}"
+    group: "{{ podman_forgejo_podman_rootless_user }}"
+    mode: "0644"
+  become: true
+  notify: restart nginx
--- a/roles/podman_forgejo/templates/forgejo.container
+++ b/roles/podman_forgejo/templates/forgejo.container
@ -0,0 +1,28 @@
+[Unit]
+Requires=mariadb.service
+After=mariadb.service
+
+[Container]
+ContainerName=forgejo
+Environment=USER_UID=1000
+Environment=USER_GID=1000
+Environment=FORGEJO__database__DB_TYPE=mysql
+Environment=FORGEJO__database__HOST=mariadb:3306
+Environment=FORGEJO__database__NAME={{ podman_forgejo_mariadb_database }}
+Environment=FORGEJO__database__USER={{ podman_forgejo_mariadb_user }}
+Environment=FORGEJO__database__PASSWD={{ podman_forgejo_mariadb_password }}
+Environment=FORGEJO__oauth2_client__ENABLE_AUTO_REGISTRATION=true
+Environment=FORGEJO__server__LANDING_PAGE=/explore/repos
+Image=codeberg.org/forgejo/forgejo:11
+Network=frontend.network
+Network=forgejo.network
+PublishPort=22:22
+Volume=/home/forge/forgejo:/data
+Volume=/etc/timezone:/etc/timezone:ro
+Volume=/etc/localtime:/etc/localtime:ro
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=default.target
--- a/roles/podman_forgejo/templates/forgejo.network
+++ b/roles/podman_forgejo/templates/forgejo.network
@ -0,0 +1,2 @@
+[Network]
+NetworkName=forgejo
--- a/roles/podman_forgejo/templates/frontend.network
+++ b/roles/podman_forgejo/templates/frontend.network
@ -0,0 +1,2 @@
+[Network]
+NetworkName=frontend
--- a/roles/podman_forgejo/templates/mariadb.container
+++ b/roles/podman_forgejo/templates/mariadb.container
@ -0,0 +1,15 @@
+[Container]
+ContainerName=mariadb
+Environment=MARIADB_ROOT_PASSWORD={{ podman_forgejo_mariadb_root_password }}
+Environment=MARIADB_USER={{ podman_forgejo_mariadb_user }}
+Environment=MARIADB_PASSWORD={{ podman_forgejo_mariadb_password }}
+Environment=MARIADB_DATABASE={{ podman_forgejo_mariadb_database }}
+Image=docker.io/mariadb:11
+Network=forgejo
+Volume=/home/{{ podman_forgejo_podman_rootless_user }}/mysql:/var/lib/mysql
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=default.target
--- a/roles/podman_forgejo/templates/nginx.conf
+++ b/roles/podman_forgejo/templates/nginx.conf
@ -0,0 +1,42 @@
+# {{ ansible_managed }}
+
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name {{ podman_forgejo_web_hostname }};
+    server_tokens off;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://{{ podman_forgejo_web_hostname }}$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+
+    server_name {{ podman_forgejo_web_hostname }};
+    server_tokens off;
+
+    ssl_certificate /etc/letsencrypt/live/{{ podman_forgejo_web_hostname }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ podman_forgejo_web_hostname }}/privkey.pem;
+
+    location / {
+        proxy_pass http://forgejo:3000;
+
+        proxy_set_header Connection $http_connection;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        client_max_body_size 512M;
+    }
+}