forgejo: listen on unix socket

Instead of 0.0.0.0:3000. Skip installation page, and set config values and create admin user manually.
2024-06-05 15:00:14 +02:00 · 2024-06-05 15:00:14 +02:00 · b3aff08ce3
parent 22f363d06a
commit b3aff08ce3
3 changed files with 52 additions and 69 deletions
--- a/roles/forgejo/handlers/main.yml
+++ b/roles/forgejo/handlers/main.yml
@ -19,5 +19,4 @@

 - name: wait for forgejo
  wait_for:
-    host: localhost
-    port: 3000
+    path: /var/lib/forgejo/socket
--- a/roles/forgejo/tasks/main.yml
+++ b/roles/forgejo/tasks/main.yml
@ -13,89 +13,73 @@
      - forgejo-runner@testing
      - podman

- name: Enable forgejo service
-  service:
-    name: forgejo
-    state: started
-    enabled: yes
-
 - name: Create nginx site
  template:
    dest: /etc/nginx/http.d/forgejo.conf
    src: forgejo.conf.j2
  notify: reload nginx

- meta: flush_handlers
-
- name: Get passwords
-  set_fact:
-    password: '{{ lookup("passwordstore", "vm/"~inventory_hostname, returnall=true) | from_yaml }}'
-
- name: Post installation data
-  uri:
-    creates: /var/lib/forgejo/db/forgejo.db
-    url: 'https://{{ fqdns | first }}'
-    method: POST
-    body_format: form-urlencoded
-    body:
-      - [ db_type, sqlite3 ]
-      - [ db_path, /var/lib/forgejo/db/forgejo.db ]
-      - [ app_name, 'FRI git' ]
-      - [ repo_root_path, /var/lib/forgejo/git ]
-      - [ lfs_root_path, /var/lib/forgejo/data/lfs ]
-      - [ run_user, forgejo ]
-      - [ http_port, 3000 ]
-      - [ ssh_port, 22 ]
-      - [ domain, '{{ fqdns | first }}' ]
-      - [ app_url, 'https://{{ fqdns | first }}/' ]
-      - [ log_root_path, /var/lib/forgejo/log ]
-      - [ allow_only_external_registration, on ]
-      - [ default_allow_create_organization, on ]
-      - [ default_enable_timetracking, on ]
-      - [ enable_open_id_sign_up, on ]
-      - [ offline_mode, on ]
-      - [ disable_gravatar, on ]
-      - [ admin_name, '{{ password.admin_user }}' ]
-      - [ admin_email, '{{ password.admin_mail }}' ]
-      - [ admin_passwd, '{{ password.admin_pass }}' ]
-      - [ admin_confirm_passwd, '{{ password.admin_pass }}' ]
-      #- [ no_reply_address, noreply.localhost ]
-
 - name: Configure forgejo
  ini_file:
    path: /etc/forgejo/app.ini
-    section: '{{ item.section }}'
+    section: '{{ item.section | default("") }}'
    option: '{{ item.option }}'
    value: '{{ item.value }}'
  loop:
-    - section: repository
-      option: DEFAULT_BRANCH
-      value: master
-    - section: repository
-      option: ENABLE_PUSH_CREATE_ORG
-      value: true
-    - section: repository
-      option: ENABLE_PUSH_CREATE_USER
-      value: true
+    - { option: APP_NAME, value: 'FRI git' }
+    - { section: security, option: INSTALL_LOCK, value: true }
+    - { section: cron.update_checker, option: ENABLED, value: false }
+    - { section: lfs, option: PATH, value: /var/lib/forgejo/data/lfs }
+    - { section: log, option: ROOT_PATH, value: /var/lib/forgejo/log }
+    - { section: server, option: PROTOCOL, value: http+unix }
+    - { section: server, option: HTTP_ADDR, value: socket }
+    - { section: server, option: UNIX_SOCKET_PERMISSION, value: 660 }
+    - { section: server, option: ROOT_URL, value: 'https://{{ dns_name }}/' }
+    - { section: server, option: LFS_START_SERVER, value: true }
+    - { section: service, option: ALLOW_ONLY_EXTERNAL_REGISTRATION, value: true }
+    - { section: repository, option: DEFAULT_BRANCH, value: master }
+    - { section: repository, option: ENABLE_PUSH_CREATE_ORG, value: true }
+    - { section: repository, option: ENABLE_PUSH_CREATE_USER, value: true }
  notify: restart forgejo

- name: Set up SSO
+- name: Enable forgejo service
+  service:
+    name: forgejo
+    enabled: yes
+  notify: restart forgejo
+
+- meta: flush_handlers
+
+- name: Set up authentication
  become: yes
  become_method: su
  become_user: forgejo
-  command: |
-    forgejo admin auth add-oauth --provider=openidConnect \
-        --name '{{ password.oidc_name }}'
-        --auto-discover-url '{{ password.oidc_endpoint }}'
-        --key '{{ password.oidc_client_id }}'
-        --secret '{{ password.oidc_client_secret }}'
-  register: result
-  changed_when:
-    - result.rc == 0
-  failed_when:
-    # task fails when both are true
-    - result.rc != 0
-    - '"login source already exists" not in result.stderr'
+  block:
+    - name: Get passwords
+      set_fact:
+        password: '{{ lookup("passwordstore", "vm/"~inventory_hostname, returnall=true) | from_yaml }}'
+
+    - name: Create admin user
+      command: |
+        forgejo admin user create --admin
+            --username '{{ password.admin_user }}'
+            --email '{{ password.admin_mail }}'
+            --password '{{ password.admin_pass }}'
+      notify: restart forgejo
+      register: result
+      changed_when: 'result.rc == 0'
+      failed_when: 'result.rc != 0 and "user already exists" not in result.stderr'
+
+    - name: Set up SSO
+      command: |
+        forgejo admin auth add-oauth --provider=openidConnect \
+            --name '{{ password.oidc_name }}'
+            --auto-discover-url '{{ password.oidc_endpoint }}'
+            --key '{{ password.oidc_client_id }}'
+            --secret '{{ password.oidc_client_secret }}'
+      register: result
+      changed_when: 'result.rc == 0'
+      failed_when: 'result.rc != 0 and "login source already exists" not in result.stderr'

 - name: Get forgejo-runner user
  user:
--- a/roles/forgejo/templates/forgejo.conf.j2
+++ b/roles/forgejo/templates/forgejo.conf.j2
@ -7,7 +7,7 @@ server {
    ssl_certificate_key /etc/letsencrypt/live/{{ fqdn }}/privkey.pem;

    location / {
-        proxy_pass http://127.0.0.1:3000;
+        proxy_pass http://unix:/var/lib/forgejo/socket;

        proxy_set_header Connection $http_connection;
        proxy_set_header Upgrade $http_upgrade;