From 29b5f93b21e57365579e08bdb72696103d68fa47 Mon Sep 17 00:00:00 2001
From: Julien Riou
Date: Sat, 21 Dec 2024 08:52:45 +0100
Subject: [PATCH] Initial commit
Signed-off-by: Julien Riou
---
 LICENSE | 2 +-
 README.md | 4 +--
 defaults/main.yml | 10 ++++++
 handlers/main.yml | 4 +++
 meta/main.yml | 3 ++
 tasks/main.yml | 61 +++++++++++++++++++++++++++++++++
 templates/db.env.j2 | 6 ++++
 templates/docker-compose.yml.j2 | 35 +++++++++++++++++++
 templates/server.env.j2 | 9 +++++
 9 files changed, 131 insertions(+), 3 deletions(-)
 create mode 100644 defaults/main.yml
 create mode 100644 handlers/main.yml
 create mode 100644 meta/main.yml
 create mode 100644 tasks/main.yml
 create mode 100644 templates/db.env.j2
 create mode 100644 templates/docker-compose.yml.j2
 create mode 100644 templates/server.env.j2
diff --git a/LICENSE b/LICENSE
index 24a5b6b..4124656 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
-Copyright (c) 2024 jriou
+Copyright (c) 2024 Julien Riou
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
diff --git a/README.md b/README.md
index ae71344..2822173 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,3 @@
-# ansible-role-forgejo
+# Ansible Role Forgejo
-Ansible role to manage a Forgejo instance
\ No newline at end of file
+Ansible role to manage a Forgejo instance.
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..38d220d
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+forgejo_home_dir: /var/lib/forgejo
+forgejo_config_dir: /etc/forgejo
+forgejo_web_port: 3000
+forgejo_ssh_port: 222
+forgejo_db_username: forgejo
+forgejo_db_password: CHANGEME
+forgejo_db_database: forgejo
+forgejo_manage_iptables: false
+forgejo_allowed_sources: []
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..aa0f296
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: save iptables
+ ansible.builtin.shell:
+ cmd: netfilter-persistent save
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..3f5647c
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+- role: geerlingguy.docker
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..270cc31
--- /dev/null
+++ b/tasks/main.yml
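Review bot: `forgejo_db_password: CHANGEME` ships a known placeholder secret as a role default, so a playbook that forgets to override it still renders db.env and server.env with that password and the database comes up with it. Nothing in the role rejects the placeholder; at minimum document it inline, `forgejo_db_password: CHANGEME  # placeholder only: override from an Ansible Vault variable`, and consider an `ansible.builtin.assert` in tasks/main.yml, ahead of the template task, that fails when the value is still `CHANGEME`. Leaving the default undefined instead would make the template task fail loudly on the first run, which is the safer behaviour for a credential.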
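Review bot: The handler is named `save iptables` but the task in tasks/main.yml notifies `Save iptables`; Ansible compares notify strings to handler names literally, so the differing case most likely means the handler never fires and the rules are not persisted across a reboot — rename one side so the two strings match exactly. Separately, `netfilter-persistent save` needs no shell features, so `ansible.builtin.command:` with the same `cmd:` avoids an unnecessary shell invocation and the usual ansible-lint warning about `shell` where `command` suffices.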
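Review bot: `- role: geerlingguy.docker` declares the dependency without a `version:`, so whoever installs this role's dependencies from Galaxy gets whatever that role's latest release is at install time rather than a reproducible revision that was tested with this role. If the pin lives elsewhere (no requirements.yml is part of this commit) a comment pointing there would suffice; otherwise add `version:` here with the tested release.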
@@ -0,0 +1,61 @@
+---
+- name: add forgejo user
+ ansible.builtin.user:
+ name: forgejo
+ system: yes
+ password: '!'
+ home: "{{ forgejo_home_dir }}"
+ create_home: no
+
+- name: read forgejo attributes
+ ansible.builtin.getent:
+ database: passwd
+ key: forgejo
+
+- name: create directories
+ ansible.builtin.file:
+ state: directory
+ path: "{{ item }}"
+ owner: forgejo
+ group: forgejo
+ mode: "0755"
+ loop:
+ - "{{ forgejo_config_dir }}"
+ - "{{ forgejo_home_dir }}"
+ - "{{ forgejo_home_dir }}/server"
+ - "{{ forgejo_home_dir }}/db"
+
+- name: create docker-compose configuration
+ ansible.builtin.template:
+ src: "{{ item.name }}.j2"
+ dest: "{{ forgejo_config_dir }}/{{ item.name }}"
+ owner: root
+ group: root
+ mode: "{{ item.mode }}"
+ loop:
+ - name: docker-compose.yml
+ mode: "0644"
+ - name: server.env
+ mode: "0600"
+ - name: db.env
+ mode: "0600"
+
+- name: start service
+ community.docker.docker_compose_v2:
+ project_src: "{{ forgejo_config_dir }}"
+ files:
+ - docker-compose.yml
+
+- name: allow with iptables
+ ansible.builtin.iptables:
+ chain: INPUT
+ protocol: tcp
+ source: "{{ item }}"
+ destination_ports:
+ - "{{ forgejo_web_port }}"
+ - "{{ forgejo_ssh_port }}"
+ jump: ACCEPT
+ comment: forgejo
+ loop: "{{ forgejo_allowed_sources }}"
+ notify: Save iptables
+ when: forgejo_manage_iptables
diff --git a/templates/db.env.j2 b/templates/db.env.j2
new file mode 100644
index 0000000..ba5ecbd
--- /dev/null
+++ b/templates/db.env.j2
@@ -0,0 +1,6 @@
+{{ ansible_managed | comment }}
+POSTGRES_USER="{{ forgejo_db_username }}"
+POSTGRES_PASSWORD="{{ forgejo_db_password }}"
+POSTGRES_DB="{{ forgejo_db_database }}"
+POSTGRES_INITDB_ARGS="--data-checksums"
+POSTGRES_HOST_AUTH_METHOD=scram-sha-256
diff --git a/templates/docker-compose.yml.j2 b/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..1402d8b
--- /dev/null
+++ b/templates/docker-compose.yml.j2
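Review bot: The `allow with iptables` task adds ACCEPT rules to the INPUT chain for the host ports, but those ports are published by Docker in templates/docker-compose.yml.j2 (`"{{ forgejo_web_port }}:3000"`, `"{{ forgejo_ssh_port }}:22"`), and traffic to Docker-published ports is DNATed and evaluated in the FORWARD/DOCKER-USER chains rather than INPUT, so these rules most likely do not restrict who can reach Forgejo and `forgejo_allowed_sources` gives a false sense of an allow-list. Either filter in the DOCKER-USER chain (where the original destination port has to be matched through conntrack, because DNAT has already rewritten it) or bind the published ports to a specific address in the compose template and keep host-level filtering for that address; a short comment on the task stating which chain actually sees the container traffic would help the next maintainer. Also `system: yes` and `create_home: no` are YAML 1.1 truthy spellings; write `system: true` and `create_home: false`.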
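Review bot: `POSTGRES_PASSWORD="{{ forgejo_db_password }}"` (and the other quoted values here and in templates/server.env.j2) are inserted into the dotenv file without any escaping, so a password containing `"` breaks the quoting outright, and backslashes or `$` may be unescaped or expanded by Compose's env_file parser depending on the Compose version in use — worth verifying against that version. Quoting is also inconsistent: `POSTGRES_HOST_AUTH_METHOD=scram-sha-256` is bare while its neighbours are double-quoted; pick one form and add a header comment such as `# values are inserted without escaping; check the Compose env_file syntax rules before using quotes, backslashes or $ in passwords`.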
@@ -0,0 +1,35 @@
+---
+{{ ansible_managed | comment }}
+services:
+ server:
+ image: codeberg.org/forgejo/forgejo:9
+ container_name: forgejo-server
+ env_file: {{ forgejo_config_dir }}/server.env
+ restart: always
+ networks:
+ - forgejo
+ volumes:
+ - "{{ forgejo_home_dir }}/server:/data"
+ - /etc/timezone:/etc/timezone:ro
+ - /etc/localtime:/etc/localtime:ro
+ ports:
+ - "{{ forgejo_web_port }}:3000"
+ - "{{ forgejo_ssh_port }}:22"
+ depends_on:
+ - db
+
+ db:
+ image: postgres:17
+ hostname: db
+ container_name: forgejo-db
+ restart: always
+ env_file: {{ forgejo_config_dir }}/db.env
+ user: "{{ ansible_facts.getent_passwd.forgejo[1] }}:{{ ansible_facts.getent_passwd.forgejo[2] }}"
+ networks:
+ - forgejo
+ volumes:
+ - "{{ forgejo_home_dir }}/db:/var/lib/postgresql/data"
+
+networks:
+ forgejo:
+ external: false
diff --git a/templates/server.env.j2 b/templates/server.env.j2
new file mode 100644
index 0000000..9334a43
--- /dev/null
+++ b/templates/server.env.j2
@@ -0,0 +1,9 @@
+{{ ansible_managed | comment }}
+USER_UID={{ ansible_facts.getent_passwd.forgejo[1] }}
+USER_GID={{ ansible_facts.getent_passwd.forgejo[2] }}
+FORGEJO__server__SSH_PORT={{ forgejo_ssh_port }}
+FORGEJO__database__DB_TYPE=postgres
+FORGEJO__database__HOST=db:5432
+FORGEJO__database__NAME="{{ forgejo_db_database }}"
+FORGEJO__database__USER="{{ forgejo_db_username }}"
+FORGEJO__database__PASSWD="{{ forgejo_db_password }}"
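Review bot: Both images are referenced by mutable tags (`image: codeberg.org/forgejo/forgejo:9`, `image: postgres:17`) under `restart: always`, so what actually runs after a pull or on a fresh host is whatever those tags point to that day, and a newer or tampered image is picked up without any change in this repository. Pinning by digest, `image: codeberg.org/forgejo/forgejo:9@sha256:<digest of the tested image>`, or at least a full patch version, keeps deployments reproducible and auditable; the same applies to the `postgres:17` line. The `ports:` entries publish on all host interfaces by default; if a reverse proxy or SSH gateway fronts the instance, prefixing the bind address (for example `127.0.0.1:{{ forgejo_web_port }}:3000`) limits exposure regardless of the host firewall rules managed in tasks/main.yml.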