Initial commit
All checks were successful
/ ansible-docsmith (push) Successful in 41s

Signed-off-by: Julien Riou <julien@riou.xyz>
This commit is contained in:
Julien Riou 2026-03-23 10:48:41 +01:00 committed by Julien Riou
commit f418990e84
Signed by: jriou
GPG key ID: 9A099EDA51316854
85 changed files with 3520 additions and 2 deletions

239
roles/forgejo/README.md Normal file
View file

@ -0,0 +1,239 @@
# Ansible Role Forgejo
Ansible role to manage a [Forgejo](https://forgejo.org/) instance.
## Configuration
See [Variable
precedence](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#ansible-variable-precedence)
to find where you should put your own variables.
Then define at least `forgejo_db_password` with a strong and secure password,
encrypted using
[ansible-vault](https://docs.ansible.com/ansible/latest/cli/ansible-vault.html).
## Table of Content
<!-- ANSIBLE DOCSMITH TOC START -->
* [Role variables](#variables)
* [`forgejo_version`](#variable-forgejo_version)
* [`forgejo_user`](#variable-forgejo_user)
* [`forgejo_home_dir`](#variable-forgejo_home_dir)
* [`forgejo_config_dir`](#variable-forgejo_config_dir)
* [`forgejo_web_port`](#variable-forgejo_web_port)
* [`forgejo_ssh_port`](#variable-forgejo_ssh_port)
* [`forgejo_db_username`](#variable-forgejo_db_username)
* [`forgejo_db_password`](#variable-forgejo_db_password)
* [`forgejo_db_database`](#variable-forgejo_db_database)
* [`forgejo_mailer`](#variable-forgejo_mailer)
* [`forgejo_service`](#variable-forgejo_service)
* [`forgejo_manage_iptables`](#variable-forgejo_manage_iptables)
* [`forgejo_allowed_sources`](#variable-forgejo_allowed_sources)
<!-- ANSIBLE DOCSMITH TOC END -->
<!-- ANSIBLE DOCSMITH MAIN START -->
## Role variables<a id="variables"></a>
The following variables can be configured for this role:
| Variable | Type | Required | Default | Description (abstract) |
|----------|------|----------|---------|------------------------|
| `forgejo_version` | `int` | No | `14` | Version of the Forgejo binaries |
| `forgejo_user` | `path` | No | `"forgejo"` | Operating system user to run the server |
| `forgejo_home_dir` | `path` | No | `"/var/lib/forgejo"` | Path to the home directory |
| `forgejo_config_dir` | `path` | No | `"/etc/forgejo"` | Path to the configuration directory |
| `forgejo_web_port` | `int` | No | `3000` | Port to listen for the web UI |
| `forgejo_ssh_port` | `int` | No | `222` | Port to listen for SSH |
| `forgejo_db_username` | `str` | No | `"forgejo"` | Name of the user in the database |
| `forgejo_db_password` | `str` | Yes | N/A | Password of the user in the database |
| `forgejo_db_database` | `str` | No | `"forgejo"` | Name of the database |
| `forgejo_mailer` | `dict` | No | N/A | Configure the mailer to send e-mail notifications<br><br>Define a `enabled` key with a boolean to enable the mailer<br><br>Define a `from` key with the source e-mail address<br><br>See [Email setup](https://forgejo.org/docs/latest/admin/setup/email/) |
| `forgejo_service` | `dict` | No | N/A | Configure service settings<br><br>See [Service](https://forgejo.org/docs/latest/admin/config-cheat-sheet/#service-service) |
| `forgejo_manage_iptables` | `bool` | No | `false` | Configure iptables rules |
| `forgejo_allowed_sources` | `list` | No | N/A | List of IP ranges to allow when `forgejo_manage_iptables` is enabled |
### `forgejo_version`<a id="variable-forgejo_version"></a>
[*⇑ Back to ToC ⇑*](#toc)
Version of the Forgejo binaries
- **Type**: `int`
- **Required**: No
- **Default**: `14`
### `forgejo_user`<a id="variable-forgejo_user"></a>
[*⇑ Back to ToC ⇑*](#toc)
Operating system user to run the server
- **Type**: `path`
- **Required**: No
- **Default**: `"forgejo"`
### `forgejo_home_dir`<a id="variable-forgejo_home_dir"></a>
[*⇑ Back to ToC ⇑*](#toc)
Path to the home directory
- **Type**: `path`
- **Required**: No
- **Default**: `"/var/lib/forgejo"`
### `forgejo_config_dir`<a id="variable-forgejo_config_dir"></a>
[*⇑ Back to ToC ⇑*](#toc)
Path to the configuration directory
- **Type**: `path`
- **Required**: No
- **Default**: `"/etc/forgejo"`
### `forgejo_web_port`<a id="variable-forgejo_web_port"></a>
[*⇑ Back to ToC ⇑*](#toc)
Port to listen for the web UI
- **Type**: `int`
- **Required**: No
- **Default**: `3000`
### `forgejo_ssh_port`<a id="variable-forgejo_ssh_port"></a>
[*⇑ Back to ToC ⇑*](#toc)
Port to listen for SSH
- **Type**: `int`
- **Required**: No
- **Default**: `222`
### `forgejo_db_username`<a id="variable-forgejo_db_username"></a>
[*⇑ Back to ToC ⇑*](#toc)
Name of the user in the database
- **Type**: `str`
- **Required**: No
- **Default**: `"forgejo"`
### `forgejo_db_password`<a id="variable-forgejo_db_password"></a>
[*⇑ Back to ToC ⇑*](#toc)
Password of the user in the database
- **Type**: `str`
- **Required**: Yes
### `forgejo_db_database`<a id="variable-forgejo_db_database"></a>
[*⇑ Back to ToC ⇑*](#toc)
Name of the database
- **Type**: `str`
- **Required**: No
- **Default**: `"forgejo"`
### `forgejo_mailer`<a id="variable-forgejo_mailer"></a>
[*⇑ Back to ToC ⇑*](#toc)
Configure the mailer to send e-mail notifications
Define a `enabled` key with a boolean to enable the mailer
Define a `from` key with the source e-mail address
See [Email setup](https://forgejo.org/docs/latest/admin/setup/email/)
- **Type**: `dict`
- **Required**: No
### `forgejo_service`<a id="variable-forgejo_service"></a>
[*⇑ Back to ToC ⇑*](#toc)
Configure service settings
See [Service](https://forgejo.org/docs/latest/admin/config-cheat-sheet/#service-service)
- **Type**: `dict`
- **Required**: No
### `forgejo_manage_iptables`<a id="variable-forgejo_manage_iptables"></a>
[*⇑ Back to ToC ⇑*](#toc)
Configure iptables rules
- **Type**: `bool`
- **Required**: No
- **Default**: `false`
### `forgejo_allowed_sources`<a id="variable-forgejo_allowed_sources"></a>
[*⇑ Back to ToC ⇑*](#toc)
List of IP ranges to allow when `forgejo_manage_iptables` is enabled
- **Type**: `list`
- **Required**: No
<!-- ANSIBLE DOCSMITH MAIN END -->
## Usage
Playbook example:
```yaml
- hosts: all
roles:
- jriou.general.forgejo
```
Then run the playbook:
```
ansible-playbook play.yml
```
## Donate
As we all love FOSS projects, you should consider [donating to
Codeberg](https://donate.codeberg.org/), the non-profit organization behind
Forgejo.
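Review bot: `forgejo_user` is listed as type `path` both in the variables table and in its own section, but it holds an operating-system user name, not a filesystem path; `str` is the right type (compare `forgejo_db_username`). The Usage section should also say what the role assumes, since none of it is visible from the playbook snippet: it depends on `geerlingguy.docker` and the `community.docker` collection, runs Forgejo plus a PostgreSQL container under Docker Compose, publishes `forgejo_web_port` and `forgejo_ssh_port` on all interfaces, and needs privilege escalation (`become: true`) to create the user and write under `/etc` and `/var/lib`. "Table of Content" should read "Table of Contents".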

View file

@ -0,0 +1,91 @@
---
# Version of the Forgejo binaries
#
# - Type: int
# - Required: No
# - Default: 14
forgejo_version: 14
# Operating system user to run the server
#
# - Type: path
# - Required: No
# - Default: forgejo
forgejo_user: forgejo
# Path to the home directory
#
# - Type: path
# - Required: No
# - Default: /var/lib/forgejo
forgejo_home_dir: /var/lib/forgejo
# Path to the configuration directory
#
# - Type: path
# - Required: No
# - Default: /etc/forgejo
forgejo_config_dir: /etc/forgejo
# Port to listen for the web UI
#
# - Type: int
# - Required: No
# - Default: 3000
forgejo_web_port: 3000
# Port to listen for SSH
#
# - Type: int
# - Required: No
# - Default: 222
forgejo_ssh_port: 222
# Name of the user in the database
#
# - Type: str
# - Required: No
# - Default: forgejo
forgejo_db_username: forgejo
# Name of the database
#
# - Type: str
# - Required: No
# - Default: forgejo
forgejo_db_database: forgejo
# Configure the mailer to send e-mail notifications
#
# Define a `enabled` key with a boolean to enable the mailer
#
# Define a `from` key with the source e-mail address
#
# See
#
# - Type: dict
# - Required: No
forgejo_mailer: {}
# Configure service settings
#
# See
#
# - Type: dict
# - Required: No
forgejo_service: {}
# Configure iptables rules
#
# - Type: bool
# - Required: No
# - Default: false
forgejo_manage_iptables: false
# List of IP ranges to allow when `forgejo_manage_iptables` is enabled
#
# - Type: list
# - Required: No
forgejo_allowed_sources: []
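Review bot: the comments for `forgejo_mailer` and `forgejo_service` end in a bare `See` because the Markdown link text was dropped when the description was flattened into a YAML comment, so the pointer to the Forgejo documentation is lost in this file; write the URL in plain text (for example `See https://forgejo.org/docs/latest/admin/setup/email/`) so it survives in both the README and `defaults/main.yml`. Same `path` versus `str` mismatch for `forgejo_user` as noted on the README.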

View file

@ -0,0 +1,4 @@
---
- name: Save iptables
ansible.builtin.shell:
cmd: netfilter-persistent save
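Review bot: nothing in `tasks/main.yml` notifies `Save iptables`, so rules the role adds are never persisted and vanish at the next reboot; add `notify: Save iptables` to the `Allow with iptables` task, and make sure the `netfilter-persistent` package is installed before the handler runs, which the role does not do. `ansible.builtin.command` is sufficient here; the command uses no shell features, so `shell` only widens the surface for no gain.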

View file

@ -0,0 +1,84 @@
---
argument_specs:
main:
short_description: Install and configure a Forgejo instance
description:
- Install and configure a [Forgejo](https://forgejo.org/) instance.
author:
- jriou
options:
forgejo_version:
description:
- Version of the Forgejo binaries
type: int
default: 14
forgejo_user:
description:
- Operating system user to run the server
type: path
default: forgejo
forgejo_home_dir:
description:
- Path to the home directory
type: path
default: /var/lib/forgejo
forgejo_config_dir:
description:
- Path to the configuration directory
type: path
default: /etc/forgejo
forgejo_web_port:
description:
- Port to listen for the web UI
type: int
default: 3000
forgejo_ssh_port:
description:
- Port to listen for SSH
type: int
default: 222
forgejo_db_username:
description:
- Name of the user in the database
default: forgejo
forgejo_db_password:
description:
- Password of the user in the database
required: true
forgejo_db_database:
description:
- Name of the database
default: forgejo
forgejo_mailer:
description:
- Configure the mailer to send e-mail notifications
- Define a `enabled` key with a boolean to enable the mailer
- Define a `from` key with the source e-mail address
- See [Email setup](https://forgejo.org/docs/latest/admin/setup/email/)
type: dict
forgejo_service:
description:
- Configure service settings
- See [Service](https://forgejo.org/docs/latest/admin/config-cheat-sheet/#service-service)
type: dict
forgejo_manage_iptables:
description:
- Configure iptables rules
type: bool
default: false
forgejo_allowed_sources:
description:
- List of IP ranges to allow when `forgejo_manage_iptables` is enabled
type: list
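Review bot: `forgejo_user` is declared `type: path`, which is meant for filesystem paths (Ansible expands `~` and environment variables in it), while the value is a user name; use `type: str`. `forgejo_db_username`, `forgejo_db_password` and `forgejo_db_database` carry no `type`, and `forgejo_allowed_sources` has no `elements: str`; adding those lets argument validation reject a stray dict or list before it is rendered into `db.env` or passed to the `iptables` module.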

View file

@ -0,0 +1,3 @@
---
dependencies:
- role: geerlingguy.docker
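Review bot: the `geerlingguy.docker` dependency has no version pin, and the `community.docker` collection that `tasks/main.yml` uses (`community.docker.docker_compose_v2`) is not declared anywhere; add a `requirements.yml` (or a `collections:` list here) with pinned versions so that installs of this role are reproducible and a future release of either cannot change behaviour silently.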

View file

@ -0,0 +1,72 @@
---
- name: Check required variables
ansible.builtin.assert:
that:
- forgejo_db_password is defined
- name: Create user
ansible.builtin.user:
name: "{{ forgejo_user }}"
system: true
password: '!'
home: "{{ forgejo_home_dir }}"
create_home: false
- name: Read attributes
ansible.builtin.getent:
database: passwd
key: "{{ forgejo_user }}"
- name: Create directories
ansible.builtin.file:
state: directory
path: "{{ item }}"
owner: "{{ forgejo_user }}"
group: "{{ forgejo_user }}"
mode: "0755"
loop: &forgejo_directories
- "{{ forgejo_config_dir }}"
- "{{ forgejo_home_dir }}"
- "{{ forgejo_home_dir }}/server"
- "{{ forgejo_home_dir }}/db"
- name: Ensure permissions on the directories
ansible.builtin.command:
cmd: "chown -v -R {{ forgejo_user }}:{{ forgejo_user }} {{ item }}"
loop: *forgejo_directories
register: forgejo_chown
changed_when: forgejo_chown.stdout_lines | regex_search('^changed ownership of') != None
- name: Create docker-compose configuration
ansible.builtin.template:
src: "{{ item.name }}.j2"
dest: "{{ forgejo_config_dir }}/{{ item.name }}"
owner: "{{ forgejo_user }}"
group: "{{ forgejo_user }}"
mode: "{{ item.mode }}"
loop:
- name: docker-compose.yml
mode: "0644"
- name: server.env
mode: "0600"
- name: db.env
mode: "0600"
- name: Start service
community.docker.docker_compose_v2:
project_src: "{{ forgejo_config_dir }}"
files:
- docker-compose.yml
- name: Allow with iptables
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
source: "{{ item }}"
destination_ports:
- "{{ forgejo_web_port }}"
- "{{ forgejo_ssh_port }}"
jump: ACCEPT
comment: forgejo
loop: "{{ forgejo_allowed_sources }}"
when: forgejo_manage_iptables is truthy
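Review bot: the `Allow with iptables` task inserts ACCEPT rules into `INPUT`, but the two ports it covers are published by Docker Compose (`ports:` in `docker-compose.yml.j2`), and traffic to Docker-published ports is DNATed and then evaluated in the `FORWARD`/`DOCKER-USER` chains rather than `INPUT`, so these rules never match it and `forgejo_allowed_sources` does not restrict access at all. Filter in the `DOCKER-USER` chain instead (ACCEPT for each allowed source followed by a DROP for the two ports, matching the original destination port with `conntrack --ctorigdstport` because `forgejo_ssh_port` has already been rewritten to 22 by then), or bind the published ports to a specific address. The task also never notifies the `Save iptables` handler, so the rules are lost on reboot, and with an empty `forgejo_allowed_sources` it silently adds nothing. Separately, `Read attributes` keys the lookup on `forgejo_user`, yet the templates read `ansible_facts.getent_passwd.forgejo[...]`, so overriding `forgejo_user` breaks rendering; use `ansible_facts.getent_passwd[forgejo_user][1]` and `[2]`.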

View file

@ -0,0 +1,6 @@
{{ ansible_managed | comment }}
POSTGRES_USER="{{ forgejo_db_username }}"
POSTGRES_PASSWORD="{{ forgejo_db_password }}"
POSTGRES_DB="{{ forgejo_db_database }}"
POSTGRES_INITDB_ARGS="--data-checksums"
POSTGRES_HOST_AUTH_METHOD=scram-sha-256
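Review bot: `POSTGRES_PASSWORD` is rendered inside double quotes, and Compose applies `${VAR}` interpolation to unquoted and double-quoted `env_file` values, so a vaulted password that contains `$`, `"` or a backslash is silently altered or breaks parsing; render it single-quoted (`'{{ forgejo_db_password }}'`) or state the character restriction in the README. `POSTGRES_HOST_AUTH_METHOD` only takes effect when the data directory is initialised, so it changes nothing for an existing `{{ forgejo_home_dir }}/db`.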

View file

@ -0,0 +1,35 @@
---
{{ ansible_managed | comment }}
services:
server:
image: codeberg.org/forgejo/forgejo:{{ forgejo_version }}
container_name: forgejo-server
env_file: {{ forgejo_config_dir }}/server.env
restart: always
networks:
- forgejo
volumes:
- "{{ forgejo_home_dir }}/server:/data"
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
- "{{ forgejo_web_port }}:3000"
- "{{ forgejo_ssh_port }}:22"
depends_on:
- db
db:
image: postgres:17
hostname: db
container_name: forgejo-db
restart: always
env_file: {{ forgejo_config_dir }}/db.env
user: "{{ ansible_facts.getent_passwd.forgejo[1] }}:{{ ansible_facts.getent_passwd.forgejo[2] }}"
networks:
- forgejo
volumes:
- "{{ forgejo_home_dir }}/db:/var/lib/postgresql/data"
networks:
forgejo:
external: false
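Review bot: `user:` on the `db` service hard-codes the `forgejo` getent key instead of indexing by `forgejo_user`, so the Compose file fails to render as soon as the user name is overridden. Both images use floating tags (`forgejo:{{ forgejo_version }}` and `postgres:17`) with no digest, so successive runs of the `Start service` task can pull different builds; pin with `@sha256:...` where reproducible deploys matter. The `ports:` entries publish on every interface, which is what makes the `INPUT` rules from the iptables task ineffective; binding to an explicit address (`"127.0.0.1:{{ forgejo_web_port }}:3000"` behind a reverse proxy, or the host's own address) keeps the exposure to what the allow-list intends.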

View file

@ -0,0 +1,19 @@
{{ ansible_managed | comment }}
USER_UID={{ ansible_facts.getent_passwd.forgejo[1] }}
USER_GID={{ ansible_facts.getent_passwd.forgejo[2] }}
FORGEJO__server__SSH_PORT={{ forgejo_ssh_port }}
FORGEJO__database__DB_TYPE=postgres
FORGEJO__database__HOST=db:5432
FORGEJO__database__NAME="{{ forgejo_db_database }}"
FORGEJO__database__USER="{{ forgejo_db_username }}"
FORGEJO__database__PASSWD="{{ forgejo_db_password }}"
{% if forgejo_mailer %}
{% for k, v in forgejo_mailer.items() %}
FORGEJO__mailer__{{ k | upper }}="{{ v }}"
{% endfor %}
{% endif %}
{% if forgejo_service %}
{% for k, v in forgejo_service.items() %}
FORGEJO__service__{{ k | upper }}="{{ v }}"
{% endfor %}
{% endif %}
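Review bot: nothing sets `FORGEJO__security__INSTALL_LOCK=true`, so the first start serves the web installer on `forgejo_web_port` to anyone who can reach it, and whoever submits that form first chooses the configuration and creates the admin account; set `INSTALL_LOCK` (together with `FORGEJO__server__ROOT_URL` and `DOMAIN`) and create the admin user through the CLI so an unauthenticated visitor cannot complete the install. `USER_UID` and `USER_GID` hard-code the `forgejo` getent key rather than `forgejo_user`, the same bug as in the Compose template. The `{{ k | upper }}` loops write any `forgejo_mailer` or `forgejo_service` value double-quoted with no escaping, so an SMTP `passwd` containing `"` or `$` will not round-trip; mode `0600` on the file is right, but quote the values with single quotes or escape them.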