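---
# Deploys Forgejo as rootful podman quadlets (systemd-managed containers):
# a podman network, two named volumes, a PostgreSQL container and the
# Forgejo container. It then wires the host's `git` user and sshd to the
# running forgejo-app container so SSH git traffic is forwarded into it.
#
# Security notes:
# - The database password is handed to both containers as an environment
#   variable. Quadlet writes it into the generated unit files under
#   /etc/containers/systemd/ and it is visible via `podman inspect`.
#   `no_log: true` keeps it out of Ansible output and diffs; a podman
#   secret (`Secret=` in the quadlet) would also keep it out of the unit
#   files -- worth considering if that matters for this host.
# - Images are referenced by tag, not digest, so pulls are not reproducible.

- name: 'Install required software'
  become: true
  ansible.builtin.apt:
    name: 'podman'
    state: 'present'

- name: 'Create forgejo podman network'
  become: true
  containers.podman.podman_network:
    name: '{{ forgejo_network_name }}'
    ipv6: true
    state: 'quadlet'
  notify:
    - 'Reload forgejo services'
    - 'Restart forgejo network'

- name: 'Create forgejo volumes'
  become: true
  containers.podman.podman_volume:
    name: '{{ item }}'
    state: 'quadlet'
  loop:
    - '{{ forgejo_db_volume_name }}'
    - '{{ forgejo_app_volume_name }}'
  notify:
    - 'Reload forgejo services'
    - 'Restart forgejo volumes'

- name: 'Define forgejo-db image'
  become: true
  containers.podman.podman_image:
    name: '{{ forgejo_db_image_name }}:{{ forgejo_db_image_tag }}'
    quadlet_filename: 'forgejo-db'
    state: 'quadlet'
  notify:
    - 'Reload forgejo services'
    - 'Restart forgejo-db image'

# The database publishes no ports; it is reachable only on the podman
# network shared with forgejo-app.
- name: 'Create forgejo-db container'
  become: true
  # env carries POSTGRES_PASSWORD -- keep it out of task output and diffs.
  no_log: true
  containers.podman.podman_container:
    name: 'forgejo-db'
    image: 'forgejo-db.image'
    network: '{{ forgejo_network_name }}.network'
    state: 'quadlet'
    volume:
      - '{{ forgejo_db_volume_name }}.volume:/var/lib/postgresql/data/'
    env:
      POSTGRES_DB: '{{ forgejo_db_database }}'
      POSTGRES_USER: '{{ forgejo_db_user }}'
      POSTGRES_PASSWORD: '{{ forgejo_db_password }}'
    quadlet_options: |
      [Install]
      WantedBy=default.target
  notify:
    - 'Reload forgejo services'
    - 'Restart forgejo-db container'

# Application
- name: 'Prepare config location'
  become: true
  ansible.builtin.file:
    path: '{{ forgejo_conf_path }}'
    state: 'directory'
    owner: 'root'
    group: 'root'
    mode: 'u=rwx,g=rx,o=rx'

# NOTE(review): the rendered app.ini is world-readable on the host so that
# UID 1000 inside the container can read it through the read-only bind
# mount below. If forgejo.ini.j2 renders secrets (SECRET_KEY,
# INTERNAL_TOKEN, ...), consider owning the file by UID 1000 with
# mode 'u=rw,g=,o=' and adding `no_log: true` here -- confirm against the
# template before changing it.
- name: 'Deploy application config'
  become: true
  ansible.builtin.template:
    src: 'forgejo.ini.j2'
    dest: '{{ forgejo_conf_path }}/forgejo.ini'
    owner: 'root'
    group: 'root'
    mode: 'u=rw,g=r,o=r'
  notify: 'Restart forgejo-app container'

- name: 'Define forgejo-app image'
  become: true
  containers.podman.podman_image:
    name: '{{ forgejo_app_image_name }}:{{ forgejo_app_image_tag }}'
    quadlet_filename: 'forgejo-app'
    state: 'quadlet'
  notify:
    - 'Reload forgejo services'
    - 'Restart forgejo-app image'

- name: 'Create forgejo-app container'
  become: true
  # env carries FORGEJO__database__PASSWD -- keep it out of task output.
  no_log: true
  containers.podman.podman_container:
    name: 'forgejo-app'
    image: 'forgejo-app.image'
    network: '{{ forgejo_network_name }}.network'
    state: 'quadlet'
    volume:
      - '{{ forgejo_app_volume_name }}.volume:/data/'
      - '/etc/timezone:/etc/timezone:ro'
      - '/etc/localtime:/etc/localtime:ro'
      - '{{ forgejo_conf_path }}/forgejo.ini:/data/gitea/conf/app.ini:ro'
    env:
      USER_UID: '1000'
      USER_GID: '1000'
      FORGEJO__database__DB_TYPE: 'postgres'
      FORGEJO__database__HOST: 'forgejo-db:5432'
      FORGEJO__database__NAME: '{{ forgejo_db_database }}'
      FORGEJO__database__USER: '{{ forgejo_db_user }}'
      FORGEJO__database__PASSWD: '{{ forgejo_db_password }}'
    # Ordering only: Requires/After start the DB unit first but do not wait
    # for PostgreSQL to accept connections (there is no healthcheck here).
    quadlet_options: |
      [Install]
      WantedBy=default.target
      [Unit]
      Requires=forgejo-db.service
      After=forgejo-db.service
  notify:
    - 'Reload forgejo services'
    - 'Restart forgejo-app container'

# Run any queued reload/restart handlers now so the containers are in their
# final state before the authentication-source task below talks to Forgejo.
- name: 'Flush handlers'
  ansible.builtin.meta: 'flush_handlers'

# Authentication source
- name: 'Configure forgejo authentication source'
  become: true
  when: 'forgejo_sso_create_source'
  # `secret` is the OAuth client secret. no_log also hides the module's
  # error output on failure; drop it temporarily when debugging.
  no_log: true
  enbewe.forgejo.forgejo_oauth:
    state: 'present'
    update: '{{ forgejo_sso_update | default(false) }}'
    name: '{{ forgejo_sso_name }}'
    provider: '{{ forgejo_sso_provider }}'
    key: '{{ forgejo_sso_key }}'
    secret: '{{ forgejo_sso_secret }}'
    auto_discover_url: '{{ forgejo_sso_auto_discover_url | default("") }}'
    use_custom_urls: '{{ forgejo_sso_use_custom_urls | default(false) }}'
    custom_tenant_id: '{{ forgejo_sso_custom_tenant_id | default("") }}'
    custom_auth_url: '{{ forgejo_sso_custom_auth_url | default("") }}'
    custom_token_url: '{{ forgejo_sso_custom_token_url | default("") }}'
    custom_profile_url: '{{ forgejo_sso_custom_profile_url | default("") }}'
    custom_email_url: '{{ forgejo_sso_custom_email_url | default("") }}'
    icon_url: '{{ forgejo_sso_icon_url | default("") }}'
    # Defaults to skipping Forgejo's local 2FA for SSO logins; only keep this
    # if the identity provider enforces MFA itself.
    skip_local_2fa: '{{ forgejo_sso_skip_local_2fa | default(true) }}'
    scopes: '{{ forgejo_sso_scopes | default("") }}'
    required_claim_name: '{{ forgejo_sso_required_claim_name | default("") }}'
    required_claim_value: '{{ forgejo_sso_required_claim_value | default("") }}'
    group_claim_name: '{{ forgejo_sso_group_claim_name | default("") }}'
    admin_group: '{{ forgejo_sso_admin_group | default("") }}'
    restricted_group: '{{ forgejo_sso_restricted_group | default("") }}'
    group_team_map: '{{ forgejo_sso_group_team_map | default("") }}'
    group_team_map_removal: '{{ forgejo_sso_group_team_map_removal | default(false) }}'
  # Forgejo may still be starting right after the handler flush.
  retries: 5
  delay: 5

# SSH forwarding: the host `git` user gets a restricted login shell that
# hands the command to the container (see forgejo-shell.j2).
- name: 'Create forgejo-shell on host'
  become: true
  ansible.builtin.template:
    src: 'forgejo-shell.j2'
    dest: '/usr/local/bin/forgejo-shell'
    owner: 'root'
    group: 'root'
    mode: 'u=rwx,g=rx,o=rx'

- name: 'Create the git user on the host to forward requests to forgejo'
  become: true
  ansible.builtin.user:
    name: 'git'
    shell: '/usr/local/bin/forgejo-shell'

# NOTE(review): the sudo rule itself lives in sudoers-forgejo-shell.j2;
# verify it grants `git` exactly the podman exec invocation the shell needs
# and nothing that yields a root shell.
- name: 'Create the permission for git user to run things in container'
  become: true
  ansible.builtin.template:
    src: 'sudoers-forgejo-shell.j2'
    dest: '/etc/sudoers.d/forgejo-shell'
    owner: 'root'
    group: 'root'
    # sudoers.d files are expected to be 0440; this is also stricter than the
    # previous 0640.
    mode: 'u=r,g=r,o='
    # Reject a rule with a syntax error before it lands and breaks sudo.
    validate: '/usr/sbin/visudo -cf %s'

# The Match block must sit at the end of sshd_config (everything after a
# Match line belongs to it), which blockinfile's append satisfies.
# AuthorizedKeysCommand runs as root on the host and drops to 1000:1000
# inside the container; sshd passes %u/%t/%k as separate arguments, not
# through a shell. NOTE(review): nothing here reloads sshd -- confirm a
# handler elsewhere does, or sshd keeps the old config until restarted.
- name: 'Redirect authorized hosts checks for git user'
  become: true
  ansible.builtin.blockinfile:
    path: '/etc/ssh/sshd_config'
    append_newline: true
    prepend_newline: true
    block: |
      Match User git
        AuthorizedKeysCommandUser root
        AuthorizedKeysCommand /usr/bin/podman exec -u 1000:1000 -i forgejo-app /usr/local/bin/forgejo keys -e git -u %u -t %t -k %k
    # A broken sshd_config would lock out remote access; test it first.
    validate: '/usr/sbin/sshd -t -f %s'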