diff --git a/roles/forgejo/handlers/main.yml b/roles/forgejo/handlers/main.yml
index e598141..ef8c7bf 100644
--- a/roles/forgejo/handlers/main.yml
+++ b/roles/forgejo/handlers/main.yml
@@ -19,5 +19,4 @@ - name: wait for forgejo wait_for: - host: localhost - port: 3000 + path: /var/lib/forgejo/socket
diff --git a/roles/forgejo/tasks/main.yml b/roles/forgejo/tasks/main.yml
index 90cb159..f59fcb4 100644
--- a/roles/forgejo/tasks/main.yml
+++ b/roles/forgejo/tasks/main.yml 
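Review bot: `wait_for` with only `path:` returns as soon as `/var/lib/forgejo/socket` exists, so this handler no longer shows that Forgejo is accepting connections the way the removed `host`/`port` check did; a socket file left behind by a process that was killed rather than stopped cleanly would satisfy it immediately. If this handler is meant to gate the admin-user and SSO commands that run after `flush_handlers` in the tasks file (the handler ordering itself is not visible here), a connect-level check is safer, e.g. `uri` against the nginx-fronted URL with `retries`/`until`, or at minimum a comment such as `# only checks that the socket file exists, not that forgejo answers on it`. The hunk header counts 5 old and 4 new lines but only four of each are legible, so one context line may have been lost in the collapse.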
@@ -13,89 +13,73 @@ - forgejo-runner@testing - podman -- name: Enable forgejo service - service: - name: forgejo - state: started - enabled: yes - - name: Create nginx site template: dest: /etc/nginx/http.d/forgejo.conf src: forgejo.conf.j2 notify: reload nginx -- meta: flush_handlers - -- name: Get passwords - set_fact: - password: '{{ lookup("passwordstore", "vm/"~inventory_hostname, returnall=true) | from_yaml }}' - -- name: Post installation data - uri: - creates: /var/lib/forgejo/db/forgejo.db - url: 'https://{{ fqdns | first }}' - method: POST - body_format: form-urlencoded - body: - - [ db_type, sqlite3 ] - - [ db_path, /var/lib/forgejo/db/forgejo.db ] - - [ app_name, 'FRI git' ] - - [ repo_root_path, /var/lib/forgejo/git ] - - [ lfs_root_path, /var/lib/forgejo/data/lfs ] - - [ run_user, forgejo ] - - [ http_port, 3000 ] - - [ ssh_port, 22 ] - - [ domain, '{{ fqdns | first }}' ] - - [ app_url, 'https://{{ fqdns | first }}/' ] - - [ log_root_path, /var/lib/forgejo/log ] - - [ allow_only_external_registration, on ] - - [ default_allow_create_organization, on ] - - [ default_enable_timetracking, on ] - - [ enable_open_id_sign_up, on ] - - [ offline_mode, on ] - - [ disable_gravatar, on ] - - [ admin_name, '{{ password.admin_user }}' ] - - [ admin_email, '{{ password.admin_mail }}' ] - - [ admin_passwd, '{{ password.admin_pass }}' ] - - [ admin_confirm_passwd, '{{ password.admin_pass }}' ] - #- [ no_reply_address, noreply.localhost ] - - name: Configure forgejo ini_file: path: /etc/forgejo/app.ini - section: '{{ item.section }}' + section: '{{ item.section | default("") }}' option: '{{ item.option }}' value: '{{ item.value }}' loop: - - section: repository - option: DEFAULT_BRANCH - value: master - - section: repository - option: ENABLE_PUSH_CREATE_ORG - value: true - - section: repository - option: ENABLE_PUSH_CREATE_USER - value: true + - { option: APP_NAME, value: 'FRI git' } + - { section: security, option: INSTALL_LOCK, value: true } + - { section: 
cron.update_checker, option: ENABLED, value: false } + - { section: lfs, option: PATH, value: /var/lib/forgejo/data/lfs } + - { section: log, option: ROOT_PATH, value: /var/lib/forgejo/log } + - { section: server, option: PROTOCOL, value: http+unix } + - { section: server, option: HTTP_ADDR, value: socket } + - { section: server, option: UNIX_SOCKET_PERMISSION, value: 660 } + - { section: server, option: ROOT_URL, value: 'https://{{ dns_name }}/' } + - { section: server, option: LFS_START_SERVER, value: true } + - { section: service, option: ALLOW_ONLY_EXTERNAL_REGISTRATION, value: true } + - { section: repository, option: DEFAULT_BRANCH, value: master } + - { section: repository, option: ENABLE_PUSH_CREATE_ORG, value: true } + - { section: repository, option: ENABLE_PUSH_CREATE_USER, value: true } notify: restart forgejo -- name: Set up SSO +- name: Enable forgejo service + service: + name: forgejo + enabled: yes + notify: restart forgejo + +- meta: flush_handlers + +- name: Set up authentication become: yes become_method: su become_user: forgejo - command: | - forgejo admin auth add-oauth --provider=openidConnect \ - --name '{{ password.oidc_name }}' - --auto-discover-url '{{ password.oidc_endpoint }}' - --key '{{ password.oidc_client_id }}' - --secret '{{ password.oidc_client_secret }}' - register: result - changed_when: - - result.rc == 0 - failed_when: - # task fails when both are true - - result.rc != 0 - - '"login source already exists" not in result.stderr' + block: + - name: Get passwords + set_fact: + password: '{{ lookup("passwordstore", "vm/"~inventory_hostname, returnall=true) | from_yaml }}' + + - name: Create admin user + command: | + forgejo admin user create --admin + --username '{{ password.admin_user }}' + --email '{{ password.admin_mail }}' + --password '{{ password.admin_pass }}' + notify: restart forgejo + register: result + changed_when: 'result.rc == 0' + failed_when: 'result.rc != 0 and "user already exists" not in result.stderr' + + - 
name: Set up SSO + command: | + forgejo admin auth add-oauth --provider=openidConnect \ + --name '{{ password.oidc_name }}' + --auto-discover-url '{{ password.oidc_endpoint }}' + --key '{{ password.oidc_client_id }}' + --secret '{{ password.oidc_client_secret }}' + register: result + changed_when: 'result.rc == 0' + failed_when: 'result.rc != 0 and "login source already exists" not in result.stderr' - name: Get forgejo-runner user user:
diff --git a/roles/forgejo/templates/forgejo.conf.j2 b/roles/forgejo/templates/forgejo.conf.j2
index c835c25..df06a84 100644
--- a/roles/forgejo/templates/forgejo.conf.j2
+++ b/roles/forgejo/templates/forgejo.conf.j2
@@ -7,7 +7,7 @@ server { ssl_certificate_key /etc/letsencrypt/live/{{ fqdn }}/privkey.pem; location / { - proxy_pass http://127.0.0.1:3000; + proxy_pass http://unix:/var/lib/forgejo/socket; proxy_set_header Connection $http_connection; proxy_set_header Upgrade $http_upgrade;
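Review bot: The new `Create admin user` task passes `{{ password.admin_pass }}` on the command line and registers the result without `no_log: true`, so the admin password (and, in the moved `Set up SSO` task, the OIDC client secret) is printed in the task's `cmd` on failure or with `-v` and lands in any callback log; add `no_log: true` to both `command` tasks and to the `Get passwords` set_fact so those values stay out of the run output. `notify: restart forgejo` on the user-creation task looks unnecessary, since adding a user does not touch `app.ini`. Separately, `UNIX_SOCKET_PERMISSION` is set to `660` while the template hunk in this commit now proxies to that socket, so the nginx worker user must be able to reach it (membership in the forgejo group and traversal rights on `/var/lib/forgejo`); nothing in this hunk grants that, so confirm it is handled elsewhere or add a task for it. The first line of the SSO command ends with a stray `\` that the other continuation lines lack; because `command` splits the string with shlex rather than a shell, that backslash is not a line continuation and should be dropped.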