forgejo: listen on unix socket

Instead of 0.0.0.0:3000. Skip installation page, and set config values
and create admin user manually.
This commit is contained in:
Timotej Lazar 2024-06-05 15:00:14 +02:00
parent 22f363d06a
commit b3aff08ce3
3 changed files with 52 additions and 69 deletions

View file

@ -19,5 +19,4 @@
- name: wait for forgejo - name: wait for forgejo
wait_for: wait_for:
host: localhost path: /var/lib/forgejo/socket
port: 3000

View file

@ -13,89 +13,73 @@
- forgejo-runner@testing - forgejo-runner@testing
- podman - podman
- name: Enable forgejo service
service:
name: forgejo
state: started
enabled: yes
- name: Create nginx site - name: Create nginx site
template: template:
dest: /etc/nginx/http.d/forgejo.conf dest: /etc/nginx/http.d/forgejo.conf
src: forgejo.conf.j2 src: forgejo.conf.j2
notify: reload nginx notify: reload nginx
- meta: flush_handlers
- name: Get passwords
set_fact:
password: '{{ lookup("passwordstore", "vm/"~inventory_hostname, returnall=true) | from_yaml }}'
- name: Post installation data
uri:
creates: /var/lib/forgejo/db/forgejo.db
url: 'https://{{ fqdns | first }}'
method: POST
body_format: form-urlencoded
body:
- [ db_type, sqlite3 ]
- [ db_path, /var/lib/forgejo/db/forgejo.db ]
- [ app_name, 'FRI git' ]
- [ repo_root_path, /var/lib/forgejo/git ]
- [ lfs_root_path, /var/lib/forgejo/data/lfs ]
- [ run_user, forgejo ]
- [ http_port, 3000 ]
- [ ssh_port, 22 ]
- [ domain, '{{ fqdns | first }}' ]
- [ app_url, 'https://{{ fqdns | first }}/' ]
- [ log_root_path, /var/lib/forgejo/log ]
- [ allow_only_external_registration, on ]
- [ default_allow_create_organization, on ]
- [ default_enable_timetracking, on ]
- [ enable_open_id_sign_up, on ]
- [ offline_mode, on ]
- [ disable_gravatar, on ]
- [ admin_name, '{{ password.admin_user }}' ]
- [ admin_email, '{{ password.admin_mail }}' ]
- [ admin_passwd, '{{ password.admin_pass }}' ]
- [ admin_confirm_passwd, '{{ password.admin_pass }}' ]
#- [ no_reply_address, noreply.localhost ]
- name: Configure forgejo - name: Configure forgejo
ini_file: ini_file:
path: /etc/forgejo/app.ini path: /etc/forgejo/app.ini
section: '{{ item.section }}' section: '{{ item.section | default("") }}'
option: '{{ item.option }}' option: '{{ item.option }}'
value: '{{ item.value }}' value: '{{ item.value }}'
loop: loop:
- section: repository - { option: APP_NAME, value: 'FRI git' }
option: DEFAULT_BRANCH - { section: security, option: INSTALL_LOCK, value: true }
value: master - { section: cron.update_checker, option: ENABLED, value: false }
- section: repository - { section: lfs, option: PATH, value: /var/lib/forgejo/data/lfs }
option: ENABLE_PUSH_CREATE_ORG - { section: log, option: ROOT_PATH, value: /var/lib/forgejo/log }
value: true - { section: server, option: PROTOCOL, value: http+unix }
- section: repository - { section: server, option: HTTP_ADDR, value: socket }
option: ENABLE_PUSH_CREATE_USER - { section: server, option: UNIX_SOCKET_PERMISSION, value: 660 }
value: true - { section: server, option: ROOT_URL, value: 'https://{{ dns_name }}/' }
- { section: server, option: LFS_START_SERVER, value: true }
- { section: service, option: ALLOW_ONLY_EXTERNAL_REGISTRATION, value: true }
- { section: repository, option: DEFAULT_BRANCH, value: master }
- { section: repository, option: ENABLE_PUSH_CREATE_ORG, value: true }
- { section: repository, option: ENABLE_PUSH_CREATE_USER, value: true }
notify: restart forgejo notify: restart forgejo
- name: Set up SSO - name: Enable forgejo service
service:
name: forgejo
enabled: yes
notify: restart forgejo
- meta: flush_handlers
- name: Set up authentication
become: yes become: yes
become_method: su become_method: su
become_user: forgejo become_user: forgejo
command: | block:
forgejo admin auth add-oauth --provider=openidConnect \ - name: Get passwords
--name '{{ password.oidc_name }}' set_fact:
--auto-discover-url '{{ password.oidc_endpoint }}' password: '{{ lookup("passwordstore", "vm/"~inventory_hostname, returnall=true) | from_yaml }}'
--key '{{ password.oidc_client_id }}'
--secret '{{ password.oidc_client_secret }}' - name: Create admin user
register: result command: |
changed_when: forgejo admin user create --admin
- result.rc == 0 --username '{{ password.admin_user }}'
failed_when: --email '{{ password.admin_mail }}'
# task fails when both are true --password '{{ password.admin_pass }}'
- result.rc != 0 notify: restart forgejo
- '"login source already exists" not in result.stderr' register: result
changed_when: 'result.rc == 0'
failed_when: 'result.rc != 0 and "user already exists" not in result.stderr'
- name: Set up SSO
command: |
forgejo admin auth add-oauth --provider=openidConnect \
--name '{{ password.oidc_name }}'
--auto-discover-url '{{ password.oidc_endpoint }}'
--key '{{ password.oidc_client_id }}'
--secret '{{ password.oidc_client_secret }}'
register: result
changed_when: 'result.rc == 0'
failed_when: 'result.rc != 0 and "login source already exists" not in result.stderr'
- name: Get forgejo-runner user - name: Get forgejo-runner user
user: user:

View file

@ -7,7 +7,7 @@ server {
ssl_certificate_key /etc/letsencrypt/live/{{ fqdn }}/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/{{ fqdn }}/privkey.pem;
location / { location / {
proxy_pass http://127.0.0.1:3000; proxy_pass http://unix:/var/lib/forgejo/socket;
proxy_set_header Connection $http_connection; proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;