diff --git a/LICENSE b/LICENSE
index 24a5b6b..4124656 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
-Copyright (c) 2024 jriou
+Copyright (c) 2024 Julien Riou
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
diff --git a/README.md b/README.md
index ae71344..2822173 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,3 @@
-# ansible-role-forgejo
+# Ansible Role Forgejo
-Ansible role to manage a Forgejo instance
\ No newline at end of file
+Ansible role to manage a Forgejo instance.
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..38d220d
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+forgejo_home_dir: /var/lib/forgejo
+forgejo_config_dir: /etc/forgejo
+forgejo_web_port: 3000
+forgejo_ssh_port: 222
+forgejo_db_username: forgejo
+forgejo_db_password: CHANGEME
+forgejo_db_database: forgejo
+forgejo_manage_iptables: false
+forgejo_allowed_sources: []
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..aa0f296
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: save iptables
+  ansible.builtin.shell:
+    cmd: netfilter-persistent save
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..3f5647c
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+- role: geerlingguy.docker
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..270cc31
--- /dev/null
+++ b/tasks/main.yml
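Review bot: `forgejo_db_password: CHANGEME` is a working placeholder credential, so any deployment that forgets to override it comes up with a guessable Postgres password written into both env files and the container environment. A role default should not be a usable secret: either leave it undefined so the play fails at template time, e.g. `forgejo_db_password: "{{ undef(hint='set forgejo_db_password, ideally from ansible-vault') }}"` (available on ansible-core 2.12+), or keep the placeholder and add an `ansible.builtin.assert` in tasks/main.yml that rejects `CHANGEME` before anything is started. `forgejo_allowed_sources: []` with `forgejo_manage_iptables: false` is a sensible safe default, but a short comment above the two keys explaining that the ports are then reachable from every source would help the operator choose deliberately.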
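Review bot: The handler runs a fixed argv with no pipes, globbing or variable expansion, so `ansible.builtin.command` with the same `cmd: netfilter-persistent save` does the job without going through a shell and satisfies ansible-lint's command-instead-of-shell rule. It would also be worth a comment that this persists the whole current ruleset, not only the forgejo rules: `# saves every rule currently loaded, not just the forgejo entries`.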
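Review bot: `- role: geerlingguy.docker` resolves to whatever version Galaxy serves at install time, so the Docker installation this role depends on is not reproducible and any upstream change lands on every consumer unreviewed. Pin it to a released tag (Galaxy honours a `version:` key next to the role name in the dependency entry, or put the pin in a requirements.yml the README points to) and bump it on purpose.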
@@ -0,0 +1,61 @@
+---
+- name: add forgejo user
+    ansible.builtin.user:
+    name: forgejo
+    system: yes
+    password: '!'
+    home: "{{ forgejo_home_dir }}"
+    create_home: no
+
+- name: read forgejo attributes
+    ansible.builtin.getent:
+    database: passwd
+    key: forgejo
+
+- name: create directories
+    ansible.builtin.file:
+    state: directory
+    path: "{{ item }}"
+    owner: forgejo
+    group: forgejo
+    mode: "0755"
+    loop:
+    - "{{ forgejo_config_dir }}"
+    - "{{ forgejo_home_dir }}"
+    - "{{ forgejo_home_dir }}/server"
+    - "{{ forgejo_home_dir }}/db"
+
+- name: create docker-compose configuration
+    ansible.builtin.template:
+    src: "{{ item.name }}.j2"
+    dest: "{{ forgejo_config_dir }}/{{ item.name }}"
+    owner: root
+    group: root
+    mode: "{{ item.mode }}"
+    loop:
+    - name: docker-compose.yml
+      mode: "0644"
+    - name: server.env
+      mode: "0600"
+    - name: db.env
+      mode: "0600"
+
+- name: start service
+    community.docker.docker_compose_v2:
+    project_src: "{{ forgejo_config_dir }}"
+    files:
+    - docker-compose.yml
+
+- name: allow with iptables
+    ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    source: "{{ item }}"
+    destination_ports:
+    - "{{ forgejo_web_port }}"
+    - "{{ forgejo_ssh_port }}"
+    jump: ACCEPT
+    comment: forgejo
+    loop: "{{ forgejo_allowed_sources }}"
+    notify: Save iptables
+    when: forgejo_manage_iptables
diff --git a/templates/db.env.j2 b/templates/db.env.j2
new file mode 100644
index 0000000..ba5ecbd
--- /dev/null
+++ b/templates/db.env.j2
@@ -0,0 +1,6 @@
+{{ ansible_managed | comment }}
+POSTGRES_USER="{{ forgejo_db_username }}"
+POSTGRES_PASSWORD="{{ forgejo_db_password }}"
+POSTGRES_DB="{{ forgejo_db_database }}"
+POSTGRES_INITDB_ARGS="--data-checksums"
+POSTGRES_HOST_AUTH_METHOD=scram-sha-256
diff --git a/templates/docker-compose.yml.j2 b/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..1402d8b
--- /dev/null
+++ b/templates/docker-compose.yml.j2
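Review bot: The `allow with iptables` task notifies `Save iptables` while the handler added in handlers/main.yml is named `save iptables`; as far as I know Ansible matches handler names exactly, so the first allowed source that changes a rule will fail the play with an unknown-handler error instead of persisting the rule — change the line to `notify: save iptables` (or rename the handler to match). Separately, `create directories` gives `{{ forgejo_home_dir }}/db` the same `mode: "0755"` as the config and home directories, but that path is bind-mounted as the Postgres data directory and should be `0700`; the postgres image's entrypoint appears to tighten it on start, but the role should not depend on that for the directory holding the database files, so give the db entry its own mode (e.g. loop over `{path, mode}` items). Minor: `system: yes` and `create_home: no` should be `true` / `false`, the only boolean spellings yamllint and ansible-lint accept.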
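Review bot: `POSTGRES_PASSWORD=` places the database credential in the container environment, where anyone with access to the Docker socket can read it with `docker inspect`, in addition to the root-only env file on disk; the postgres image also accepts `POSTGRES_PASSWORD_FILE=` pointing at a bind-mounted secret, which keeps the value out of `inspect` output and is the better fit for a role that already writes files with `0600`. It is also worth stating in the template that these values are consumed by the image's initialisation on the first start only — changing `forgejo_db_password` or `forgejo_db_username` later does not alter an existing data directory, and the Forgejo side in server.env would then silently disagree with the database; a comment such as `# Consumed by initdb on first start only; later changes do not update an existing data directory.` above the `POSTGRES_*` lines would prevent that surprise.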
@@ -0,0 +1,35 @@
+---
+{{ ansible_managed | comment }}
+services:
+  server:
+    image: codeberg.org/forgejo/forgejo:9
+    container_name: forgejo-server
+    env_file: {{ forgejo_config_dir }}/server.env
+    restart: always
+    networks:
+      - forgejo
+    volumes:
+      - "{{ forgejo_home_dir }}/server:/data"
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "{{ forgejo_web_port }}:3000"
+      - "{{ forgejo_ssh_port }}:22"
+    depends_on:
+      - db
+
+  db:
+    image: postgres:17
+    hostname: db
+    container_name: forgejo-db
+    restart: always
+    env_file: {{ forgejo_config_dir }}/db.env
+    user: "{{ ansible_facts.getent_passwd.forgejo[1] }}:{{ ansible_facts.getent_passwd.forgejo[2] }}"
+    networks:
+      - forgejo
+    volumes:
+      - "{{ forgejo_home_dir }}/db:/var/lib/postgresql/data"
+
+networks:
+  forgejo:
+    external: false
diff --git a/templates/server.env.j2 b/templates/server.env.j2
new file mode 100644
index 0000000..9334a43
--- /dev/null
+++ b/templates/server.env.j2
@@ -0,0 +1,9 @@
+{{ ansible_managed | comment }}
+USER_UID={{ ansible_facts.getent_passwd.forgejo[1] }}
+USER_GID={{ ansible_facts.getent_passwd.forgejo[2] }}
+FORGEJO__server__SSH_PORT={{ forgejo_ssh_port }}
+FORGEJO__database__DB_TYPE=postgres
+FORGEJO__database__HOST=db:5432
+FORGEJO__database__NAME="{{ forgejo_db_database }}"
+FORGEJO__database__USER="{{ forgejo_db_username }}"
+FORGEJO__database__PASSWD="{{ forgejo_db_password }}"
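Review bot: `ports:` publishes `{{ forgejo_web_port }}` and `{{ forgejo_ssh_port }}` on every host address, and with Docker's stock iptables integration published ports are implemented as DNAT plus ACCEPT rules in Docker's own FORWARD/DOCKER chains, so the INPUT-chain allow list that tasks/main.yml installs does not gate this traffic at all — both ports stay reachable from any source whether or not `forgejo_manage_iptables` is set. Either bind the published ports to a specific host address (`"127.0.0.1:{{ forgejo_web_port }}:3000"` behind a reverse proxy, or a `forgejo_bind_address` variable in defaults), or move the `forgejo_allowed_sources` rules into the `DOCKER-USER` chain, which Docker evaluates before its own rules. The tags `forgejo:9` and `postgres:17` are floating, so `restart: always` plus any re-pull can silently change what runs; pinning a digest (`image: codeberg.org/forgejo/forgejo:9@sha256:…`) keeps the deployment reproducible and makes upgrades reviewable.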
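Review bot: Nothing in the template sets `FORGEJO__security__INSTALL_LOCK`, and as far as I know of Forgejo's default behaviour the container will then serve the interactive installer on the published web port at first start, letting whoever reaches it first finish the setup and create the administrator account — a race the operator can lose when the port is published on every interface. Add `FORGEJO__security__INSTALL_LOCK=true` and create the admin out of band (`forgejo admin user create` through `docker exec`, or a follow-up task in the role), and set `FORGEJO__server__DOMAIN` and `FORGEJO__server__ROOT_URL` explicitly so clone URLs and cookies are not derived from the default `localhost`. The template would also benefit from a header comment stating that `USER_UID`/`USER_GID` come from the `forgejo` host account read by the getent task, since the index expressions `[1]`/`[2]` are otherwise opaque.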