Compare commits


4 commits

Author SHA1 Message Date
6642f25f2a store certificates in long-term storage 2023-05-02 14:54:23 +02:00
5e5e16bafd enable https for forgejo 2023-05-02 14:46:04 +02:00
2db2f5172f enable https 2023-05-02 14:41:14 +02:00
0ae631bfde add forgejo stack 2023-05-02 14:25:54 +02:00
8 changed files with 209 additions and 1 deletions


@ -1 +1,2 @@
data_directory_base: /mnt/data
git_ssh_port: 56287


@ -2,8 +2,10 @@ docker_node_labels:
- hostname: maestro
labels:
traefik: "true"
forgejo: "true"
- hostname: worker1
labels:
syncthing: "true"
data_directories: []
data_directories:
- 'forgejo'


@ -4,3 +4,4 @@
roles:
- {role: traefik, tags: traefik}
- {role: syncthing, tags: syncthing}
- {role: forgejo, tags: forgejo}


@ -0,0 +1,104 @@
APP_NAME = Forgejo: Beyond coding. We forge.
RUN_MODE = prod
RUN_USER = git
[repository]
ROOT = /data/git/repositories
DEFAULT_BRANCH = master
[repository.local]
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
[repository.upload]
TEMP_PATH = /data/gitea/uploads
[server]
APP_DATA_PATH = /data/gitea
DOMAIN = {{ git_domain }}
SSH_DOMAIN = {{ git_domain }}
HTTP_PORT = 3000
ROOT_URL = {{ root_url }}
DISABLE_SSH = false
SSH_PORT = {{ git_ssh_port }}
SSH_LISTEN_PORT = 22
LFS_START_SERVER = true
LFS_JWT_SECRET = {{ lfs_jwt_secret }}
OFFLINE_MODE = false
[database]
PATH = /data/gitea/gitea.db
DB_TYPE = sqlite3
HOST = localhost:3306
NAME = gitea
USER = root
PASSWD =
LOG_SQL = false
SCHEMA =
SSL_MODE = disable
CHARSET = utf8
[indexer]
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
ISSUE_INDEXER_TYPE = db
[session]
PROVIDER_CONFIG = /data/gitea/sessions
PROVIDER = file
[picture]
AVATAR_UPLOAD_PATH = /data/gitea/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
ENABLE_FEDERATED_AVATAR = false
[attachment]
PATH = /data/gitea/attachments
[log]
MODE = console
LEVEL = info
ROUTER = console
ROOT_PATH = /data/gitea/log
[security]
INSTALL_LOCK = true
SECRET_KEY =
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = *
INTERNAL_TOKEN = {{ internal_token }}
PASSWORD_HASH_ALGO = pbkdf2
[service]
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = false
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = false
DEFAULT_KEEP_EMAIL_PRIVATE = true
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = noreply.localhost
[lfs]
PATH = /data/git/lfs
[mailer]
ENABLED = true
SMTP_ADDR = {{ mailer_host }}
SMTP_PORT = 587
FROM = {{ mailer_from }}
USER =
PASSWD =
[openid]
ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = false
[repository.pull-request]
DEFAULT_MERGE_STYLE = merge
[repository.signing]
DEFAULT_TRUST_MODEL = committer
[ui]
DEFAULT_THEME = forgejo-light
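Review bot: `SECRET_KEY =` in the `[security]` block is left empty while `INTERNAL_TOKEN` and `LFS_JWT_SECRET` on the neighbouring lines are templated from vaulted variables; as far as I recall, Gitea/Forgejo of the 1.18 era does not generate a key for an empty value but silently uses the hard-coded built-in default, so CSRF tokens and the two-factor/OAuth2 secrets stored in the database would be protected by a key every other installation knows — confirm in the startup log. Generate one (`forgejo generate secret SECRET_KEY`), vault it next to the other two, and write `SECRET_KEY = {{ secret_key }}`. `REVERSE_PROXY_TRUSTED_PROXIES = *` trusts `X-Forwarded-For`/`X-Real-IP` from any peer on the shared `traefik` overlay network rather than from Traefik alone, so any other container on that network can spoof the client address seen in logs and rate limiting; restrict it to the overlay subnet. The `[database]` block mixes the sqlite3 settings actually used with MySQL leftovers (`HOST = localhost:3306`, `USER = root`, `PASSWD =`) — harmless, but worth pruning so nobody mistakes it for a live MySQL connection.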


@ -0,0 +1,44 @@
# vi: ft=yaml
version: "3"
networks:
traefik:
external: true
configs:
config:
file: /srv/forgejo/app.ini
services:
server:
image: codeberg.org/forgejo/forgejo:1.18
environment:
- USER_UID=1000
- USER_GID=1000
networks:
- traefik
ports:
- "{{ git_ssh_port }}:22"
volumes:
- type: bind
source: /mnt/data/forgejo
target: /data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
deploy:
placement:
constraints:
- "node.labels.forgejo == true"
labels:
- traefik.port=443
- traefik.enable=true
- traefik.http.routers.forgejo.entrypoints=websecure
- traefik.http.routers.forgejo.rule=Host(`{{ git_domain }}`)
- traefik.http.routers.forgejo.tls=true
- traefik.http.routers.forgejo.tls.certresolver=letsencrypt
- traefik.http.routers.forgejo.service=forgejo
- traefik.http.services.forgejo.loadbalancer.server.port=3000
- traefik.docker.network=traefik
configs:
- source: config
target: /data/gitea/conf/app.ini
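Review bot: The rendered app.ini carries `INTERNAL_TOKEN` and `LFS_JWT_SECRET`, yet it is delivered to the task as a Swarm config (the `configs:` blocks at the top and under `server`); Swarm keeps configs unencrypted in the raft log and `docker config inspect --pretty` prints their content to anyone with manager access, whereas secrets are encrypted at rest and cannot be read back, so change both `configs:` keys to `secrets:` — the `- source: config` / `target:` long syntax with an absolute target stays the same. Because either mount is read-only, any value Forgejo would otherwise generate and write back into app.ini (`[oauth2] JWT_SECRET` is not set in this template) should also be set explicitly; check the container log on first start for a failed config save. The `traefik.port=443` label is Traefik v1 syntax that the v2 labels below do not read, and it names the wrong port anyway (`loadbalancer.server.port=3000` is what is used); drop it.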


@ -0,0 +1,20 @@
- name: Create working directory
file:
path: /srv/forgejo
state: directory
- name: Copy config file
template:
src: "{{ role_path }}/app.ini.j2"
dest: /srv/forgejo/app.ini
- name: Copy Docker stack file
template:
src: "{{ role_path }}/docker-stack.yml.j2"
dest: /srv/forgejo/docker-stack.yml
- name: Deploy Docker stack
docker_stack:
name: forgejo
compose:
- /srv/forgejo/docker-stack.yml
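Review bot: The `Copy config file` task renders secrets (internal token, LFS JWT secret) into `/srv/forgejo/app.ini` without `mode`, `owner` or `group`, so the file gets the managed host's default umask and is normally world-readable; add `mode: "0600"`, `owner: root` and `group: root` to that task. Giving the `Create working directory` task `mode: "0750"` keeps the directory from being listable as well, and the same `mode` on the `Copy Docker stack file` task costs nothing. The file also lacks the `---` document start used by convention in Ansible task files.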


@ -0,0 +1,23 @@
git_domain: "git.pim.kunis.nl"
root_url: "https://{{ git_domain }}"
mailer_host: "smtp.tweak.nl"
mailer_from: "git@kunis.nl"
lfs_jwt_secret: !vault |
$ANSIBLE_VAULT;1.1;AES256
66613032363837346461326131303839646332646233633736623865346135623739343233396165
6530326162323466623939393133623336366466343837620a613532616365646137326138383235
32313264653262656564336531646662323039623865393366616536633531306430336137313862
3361373539373561390a653236306433393737616561306236343362396438366134313032656233
35626364373961613361366138383566353463626136393861383934326263383336393766623063
3434656437663165376635326139383065383861386133623765
internal_token: !vault |
$ANSIBLE_VAULT;1.1;AES256
62633334656235613035343830326237633637626639363465313861323734393766636464303862
3936306561343863316630616164616537323537333262650a336337303232623832636666353038
64313134383330646537356432383332386238373835656663313431373939373630373566396339
6561643037383666340a643464326531623731303564646464376239613263643761643766623930
37623362326561346262306331376663313661633635323435333339396138383134303364306532
37353264363737643965643932356336633734316534303262336461313038626538396536333964
36353635323731353061393430656166363263366437313434336139616666326335633037663336
37353665613938613731316330396461343632643039643864343164303937613263343262623964
33366364636339623633653035313736653563363064646233383437373431373232


@ -11,6 +11,7 @@ services:
networks:
- traefik
ports:
- 443:443
- 80:80
- 8080:8080
deploy:
@ -25,6 +26,9 @@ services:
- type: bind
source: /var/run/docker.sock
target: /var/run/docker.sock
- type: bind
source: /mnt/data/traefik/acme.json
target: /acme.json
command:
- --providers.docker
- --providers.docker.swarmmode
@ -33,4 +37,13 @@ services:
- --api.insecure=true
- --api.dashboard=true
- --entrypoints.web.address=:80
- --entrypoints.web.http.redirections.entrypoint=true
- --entrypoints.web.http.redirections.entrypoint.to=websecure
- --entrypoints.web.http.redirections.entrypoint.scheme=https
- --entrypoints.web.http.redirections.entrypoint.permanent=true
- --entrypoints.websecure.address=:443
- --providers.docker.exposedbydefault=false
- --certificatesresolvers.letsencrypt.acme=true
- --certificatesresolvers.letsencrypt.acme.email=pim@kunis.nl
- --certificatesresolvers.letsencrypt.acme.httpchallenge=true
- --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
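Review bot: The new bind mount of `/mnt/data/traefik/acme.json` only works if that file already exists on the node with mode 0600: Swarm does not create a missing bind source, and Traefik v2 refuses to use an ACME store that is group- or world-readable ("permissions ... are too open"); nothing in this change creates the file, so the traefik role's tasks (outside this diff) should create it with `mode: "0600"` before `docker_stack` runs. The resolver also relies on Traefik's default `storage` value `acme.json` resolving to `/acme.json` from the container's working directory; pin it with `- --certificatesresolvers.letsencrypt.acme.storage=/acme.json` so the mount target and the store cannot drift apart. While `web` now redirects to `websecure`, the dashboard is still served by the pre-existing `--api.insecure=true` on published port 8080 over plain HTTP, which the redirect does not cover.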