8.0.2 (#57)

Co-authored-by: meaz <meaz@disroot.org>
Reviewed-on: #57
Reviewed-by: meaz <meaz@no-reply@disroot.org>
Co-authored-by: muppeth <muppeth@disroot.org>
Co-committed-by: muppeth <muppeth@disroot.org>

Playbooks/forgejo.yml

@@ -1,6 +1,53 @@
 ---
+- name: 'Create backup directories'
+  hosts: forgejo
+  tasks:
+    - name: '[BACKUP] - Create backup dir'
+      file:
+        path: '{{ forgejo_dump_path }}'
+        state: directory
+        mode: '0775'
+    - name: '[BACKUP] - Create db backup dir'
+      file:
+        path: '{{ forgejo_dump_path }}/db'
+        state: directory
+        mode: '0755'
+    - name: '[BACKUP] - Create code backup dir'
+      file:
+        path: '{{ forgejo_dump_path }}/code'
+        state: directory
+        owner: '{{ forgejo_user }}'
+        mode: '0755'
 
-- hosts: forgejo
+- name: 'Create db backup for forgejo'
+  hosts: forgejo
+  tasks:
+    - name: '[BACKUP] - Run db backup for forgejo'
+      shell:
+        cmd: 'sudo -u postgres pg_dump {{ forgejo_db_name }} | gzip -c > {{ forgejo_dump_path }}/db/{{ forgejo_db_name }}-{{ ansible_date_time.iso8601_basic_short }}.sql.gz'
+    - name: '[BACKUP] - Remove all but two latest backup files'
+      shell:
+        cmd: 'ls -t |tail -n +3 | xargs --no-run-if-empty rm'
+        chdir: '{{ forgejo_dump_path }}/db'
+  vars_files:
+    - ../defaults/main.yml
+
+- name: 'Make backup of forgejo'
+  hosts: 'forgejo'
+  tasks:
+    - name: '[BACKUP] - Remove all but two latest backup files'
+      shell:
+        cmd: 'ls -t |tail -n +2 | xargs --no-run-if-empty rm'
+        chdir: '{{ forgejo_dump_path }}/code'
+    - name: '[BACKUP] - Make backup of forgejo'
+      shell:
+        cmd: 'sudo -u {{ forgejo_user }} {{ forgejo_bindir }}/forgejo dump -c {{ forgejo_confdir }}'
+        chdir: '{{ forgejo_dump_path}}/code'
+  vars_files: 
+    - ../defaults/main.yml
+
+- name: 'Run Forgejo role' 
+  hosts: forgejo
   roles:
     - postgresql
     - forgejo

README.md

@@ -9,6 +9,8 @@ You can deploy test instance using `Vagrantfile` attached to the role.
 
 Then you can then access forgejo from your computer on `http://192.168.33.14:3000`
 
+The first user you create becomes the admin.
+
 # Gitea or Forgejo
 This role allows for deployment of gitea and forgejo. By default the role deploys forgejo and this is the flavor that is supported and maintained. Installing Gitea using the role is possible however starting from version 1.18.2 is no longer maintained by Disroot team.
 To switch to gitea, update following variables in your Playbook/host_vars:
@@ -27,7 +29,7 @@ The playbook includes postgresql role and deploys entire stack needed to run For
 ## Customization
 You can deploy custom themes with this role. To do so, uncomment `forgejo_theme_dir` and `forgejo_custom_themes`  from `defaults/main.yml`. Add the theme repos' address and name there, enable them and then deploy with `ansible-playbook -b Playbooks/forgejo.yml --tags theme`.
 
-You can also add you own images like favicon, icons, etc. See https://docs.gitea.io/en-us/customizing-gitea/ to see how to prepare your images.
+You can also add you own images like favicon, icons, etc. See https://forgejo.org/docs/v1.21/developer/customization/ to see how to prepare your images.
 Then, copy them in the `img` folder of this role and uncomment `forgejo_extra_files_path` and `forgejo_theme_dir` from `defaults/main.yml`. You can then deploy with `ansible-playbook -b Playbooks/forgejo.yml --tags config`.
 
-For more information about customizaton, check https://docs.gitea.io/en-us/customizing-gitea/.
+For more information about customizaton, check https://forgejo.org/docs/v1.21/developer/customization/

Vagrantfile

@@ -8,7 +8,7 @@
 Vagrant.configure("2") do |config|
   #config.ssh.insert_key = false
   config.vm.define "forgejo" do |forgejo|
-    forgejo.vm.box = "generic/debian11"
+    forgejo.vm.box = "generic/debian12"
     forgejo.vm.provider :libvirt do |libvirt|
       libvirt.memory = 256
     end

defaults/main.yml

@@ -5,9 +5,10 @@ forgejo_lib_dir: "/var/lib/forgejo"
 forgejo_user: 'git'
 forgejo_group: 'git'
 forgejo_confdir: '/etc/forgejo/app.ini'
-
+forgejo_dump_path: '/srv/forgejo-dump'
 forgejo_flavor: 'forgejo'
-forgejo_version: '1.20.6-0'
+forgejo_version: '8.0.2'
+#forgejo_version: '1.21.7-0'
 forgejo_arch: 'linux-amd64'
 #forgejo_download_url: 'https://github.com/go-gitea/gitea/releases/download/v{{ forgejo_version }}/gitea-{{ forgejo_version }}-{{ forgejo_arch }}'
 
@@ -30,9 +31,15 @@ forgejo_base_config:
 forgejo_oauth2_config:
   - 'JWT_SECRET = ' #41 random chars
 
+forgejo_oauth2_client_config:
+  - 'ENABLE_AUTO_REGISTRATION = false'
+  - 'REGISTER_EMAIL_CONFIRM = false'
+  - 'ACCOUNT_LINKING = login'
+  - 'UPDATE_AVATAR = false'
+
 forgejo_ui_config:
-  - 'THEMES = auto,arc-green,gitea,forgejo-auto,forgejo-light,forgejo-dark' # add only the default ones, not themes ones
-  - 'DEFAULT_THEME = arc-green'
+  - 'THEMES = gitea-auto,gitea-light,gitea-dark,forgejo-auto,forgejo-light,forgejo-dark' # add only the default ones, not themes ones
+  - 'DEFAULT_THEME = gitea-dark'
 
 forgejo_security_config:
   - 'INTERNAL_TOKEN = ' #106 random chars
@@ -48,7 +55,7 @@ forgejo_database_config:
   - 'SSL_MODE = disable'
 
 forgejo_repository_config:
-  - 'ROOT = /home/git/forgejo-repositories'
+  - 'ROOT = {{ forgejo_lib_dir }}/gitea-repositories'
 
 forgejo_server_config:
   - 'SSH_DOMAIN       = git.example.org'
@@ -132,6 +139,15 @@ forgejo_email_incoming:
   - 'DELETE_HANDLED_MESSAGE = true'
   - 'MAXIMUM_MESSAGE_SIZE = 0'
 
+
+# Systemd
+# forgejo_dbservice: 'postgresql.service' # uncomment to enable this. You can cnange to mysql, mariadb, redis, memcached
+# forgejo_websocket: 'true' # uncomment to enable this
+# forgejo_limitnofile: '524288:524288' # Uncomment if you have repos with lots of files and get a HTTP 500 error because of that
+# forgejo_custom_path: 'Environment=PATH={{ forgejo_custom_path }}:/bin:/sbin:/usr/bin:/usr/sbin' # Uncomment if you install Git to directory prefix other than default PATH and add that prefix to PATH
+# forgejo_cap_net_bind_service: 'CAP_NET_BIND_SERVICE' # Uncomment if you want to bind Forgejo to a port below 1024, or use socket activation to pass Forgejo its ports as above
+# forgejo_privateusers: 'false' #  Uncomment, when using forgejo_cap_net_bind_service option, to allow capabilities to be applied on Forgejo process. If set to true sandboxes Forgejo service and prevent any processes from running with privileges in the host user namespace
+
 #apt
 forgejo_apt_list:
   - git

handlers/main.yml

@@ -4,3 +4,8 @@
   systemd:
     name: forgejo
     state: restarted
+
+- name: 'Stop forgejo'
+  systemd:
+    name: forgejo
+    state: stopped

tasks/configure.yml

@@ -45,9 +45,18 @@
   notify: Restart forgejo
   tags: config
 
+- name: "[CONF] - Create assets dir"
+  file:
+    path: "{{ forgejo_theme_dir }}/public/assets/"
+    state: 'directory'
+    owner: '{{ forgejo_user }}'
+    group: '{{ forgejo_group }}'
+  when: forgejo_extra_files_path is defined
+  tags: config
+
 - name: "[CONF] - Create img folder"
   file:
-    path: "{{ forgejo_theme_dir }}/public/img/"
+    path: "{{ forgejo_theme_dir }}/public/assets/img/"
     state: 'directory'
     owner: '{{ forgejo_user }}'
     group: '{{ forgejo_group }}'
@@ -57,7 +66,7 @@
 - name: "[CONF] - Deploy img folder"
   copy:
     src: '{{ forgejo_extra_files_path }}/'
-    dest: "{{ forgejo_theme_dir }}/public/img/"
+    dest: "{{ forgejo_theme_dir }}/public/assets/img/"
     owner: "{{ forgejo_user }}"
     group: "{{ forgejo_group }}"
     mode: 0755

tasks/custom_themes.yml

@@ -1,16 +1,8 @@
 ---
 
-- name: '[THEME] - Create public dir'
-  file:
-    path: '{{ forgejo_theme_dir }}/public/'
-    state: directory
-    owner: "{{ forgejo_user }}"
-    group: "{{ forgejo_group }}"
-  tags: theme
-
 - name: '[THEME] - Create css dir'
   file:
-    path: '{{ forgejo_theme_dir }}/public/css'
+    path: '{{ forgejo_theme_dir }}/public/assets/css'
     state: directory
     owner: "{{ forgejo_user }}"
     group: "{{ forgejo_group }}"
@@ -19,7 +11,7 @@
 # First, remove the css files from public folder, then theme repos
 - name: "[THEME] - Remove css files from the css folder"
   shell:
-    cmd: find "{{ forgejo_theme_dir }}/{{ item.name }}" -type f -name "*.css" -printf "%f\n" | xargs -I{} rm public/css/{}
+    cmd: find "{{ forgejo_theme_dir }}/{{ item.name }}" -type f -name "*.css" -printf "%f\n" | xargs -I{} rm public/assets/css/{}
     chdir: "{{ forgejo_theme_dir }}"
   loop: "{{ forgejo_custom_themes }}"
   when: item.enable == 'false' 
@@ -47,18 +39,33 @@
   become_user: "{{ forgejo_user }}"
   tags: theme
 
-- name: "[THEME] - Find css files from different repos and copy them in the public folder"
-  shell:
-    cmd: find "{{ forgejo_theme_dir }}" -type f -name "*.css" -not -path "{{ forgejo_theme_dir }}/public/*" | xargs cp -t "{{ forgejo_theme_dir }}/public/css"
-    chdir: "{{ forgejo_theme_dir }}"
+- name: "[THEME] - Find css files from different repos"
+  find:
+    paths: "{{ forgejo_theme_dir }}"
+    patterns: ".*(?<!\\.min)\\.css$"
+    recurse: yes
+    use_regex: yes
+  register: css_files
+  tags: theme
+
+- name: "[THEME] - Copy css files to the public folder"
+  copy:
+    src: "{{ item.path }}"
+    dest: "{{ forgejo_theme_dir }}/public/assets/css/"
+    remote_src: yes
+    force: yes
+    mode: '0644'
+  with_items: "{{ css_files.files }}"
+  when: "'/public/' not in item.path"
   become: true
   become_user: "{{ forgejo_user }}"
   tags: theme
 
+
 # Lastly, update app.ini by adding the theme's name list.
 - name: "[THEME] - Get and prepare a list for app.ini of css files in public folder, register it"
   shell:
-    cmd: ls "{{ forgejo_theme_dir }}/public/css" | sed -e 's/theme-//g' | sed -e 's/.css//g' | paste -s -d,
+    cmd: ls "{{ forgejo_theme_dir }}/public/assets/css" | awk '{ if ($0 ~ /^theme-/) { gsub(/^theme-/, "", $0) }; gsub(/.css$/, "", $0); print }' | paste -s -d,
     chdir: "{{ forgejo_theme_dir }}"
   register: theme_name
   tags: theme

tasks/install.yml

@@ -1,37 +0,0 @@
----
-
-- name: '[INSTALL] - Install dependencies'
-  apt:
-    name: "{{ forgejo_apt_list }}"
-    update_cache: yes
-
-- name: '[INSTALL] - Get forgejo download url'
-  shell:
-    cmd: wget -O - https://codeberg.org/forgejo/forgejo/releases | grep -B 1 forgejo-{{ forgejo_version }}-{{ forgejo_arch }}\< | sed -n 's/.*href="\(.*\)".*/\1/p'
-  register: forgejo_url
-  when: forgejo_flavor == 'forgejo'
-
-- name: "[INSTALL] - Set forgejo download url"
-  set_fact:
-    forgejo_download_url: '{{ forgejo_url.stdout }}'
-  when: forgejo_flavor == 'forgejo'
-
-- name: '[INSTALL] - Download forgejo binary'
-  get_url:
-    url: '{{ forgejo_download_url }}'
-    dest: '{{ forgejo_bindir }}/forgejo'
-    mode: '0750'
-    owner: '{{ forgejo_user }}'
-    group: '{{ forgejo_group }}'
-    force: 'yes'
-  notify: 'Restart forgejo'
-
-- name: '[INSTALL] - Set /etc/forgejo rights to read-only'
-  file:
-    path: '/etc/forgejo'
-    mode: '0750'
-
-- name: '[INSTALL] - Set app.ini rights to read-only'
-  file:
-    path: '/etc/forgejo/app.ini'
-    mode: '0640'

tasks/install_upgrade.yml

@@ -0,0 +1,113 @@
+---
+
+- name: '[INSTALL] - Install dependencies'
+  apt:
+    name: "{{ forgejo_apt_list }}"
+    update_cache: yes
+
+- name: '[INSTALL] - Get forgejo download url'
+  shell:
+    cmd: wget -O - https://codeberg.org/forgejo/forgejo/releases | grep -B 1 forgejo-{{ forgejo_version }}-{{ forgejo_arch }}\< | sed -n 's/.*href="\(.*\)".*/\1/p'
+  register: forgejo_url
+  when: forgejo_flavor == 'forgejo'
+
+- name: "[INSTALL] - Set forgejo download url"
+  set_fact:
+    forgejo_download_url: '{{ forgejo_url.stdout }}'
+  when: forgejo_flavor == 'forgejo'
+
+- name: '[INSTALL] - Check if forgejo is already installed'
+  shell:
+    cmd: '{{ forgejo_bindir }}/forgejo --version -c {{ forgejo_confdir }}'
+  register: forgejo_is_installed 
+  ignore_errors: true # needed when forgejo is not yet installed
+
+# The following task is needed for the doctor check task, as `gitea-repositories` needs to exist,
+# but is created only when the first user creates a repo # so doctor gives an error on first installation
+# and on other installation if no user has created any repo yet.
+# It also allows to make sure forgejo was installed and used.
+- name: '[INSTALL] - Check gitea-repositories exists'
+  stat:
+    path: "{{ forgejo_lib_dir }}/gitea-repositories"
+  register: gitea_repositories
+
+- name: '[UPGRADE] - Check forgejo health with doctor before updating'
+  shell:
+    cmd:  '{{ forgejo_bindir }}/forgejo doctor check --all -c {{ forgejo_confdir }}'
+  become: 'yes'
+  become_user: '{{ forgejo_user }}'
+  register: forgejo_health
+  when: 
+    - forgejo_is_installed.rc == 0
+    - gitea_repositories.stat.exists
+
+- name: '[UPGRADE] - Restart forgejo'
+  systemd:
+    name: forgejo
+    state: restarted
+  when:
+    - forgejo_is_installed.rc == 0
+    - forgejo_health is defined and forgejo_health.rc is defined and forgejo_health.rc == 0
+
+- name: '[UPGRADE] - Wait for forgejo to be back online'
+  pause:
+    seconds: 10
+  when:
+    - forgejo_is_installed.rc == 0
+    - forgejo_health is defined and forgejo_health.rc is defined and forgejo_health.rc == 0
+
+- name: '[UPGRADE] - Flush all queues'
+  shell:
+    cmd:  '{{ forgejo_bindir }}/forgejo manager flush-queues -c {{ forgejo_confdir }}'
+  become: 'yes'
+  become_user: '{{ forgejo_user }}'
+  when:
+    - forgejo_is_installed.rc == 0 
+    - forgejo_health is defined and forgejo_health.rc is defined and forgejo_health.rc == 0
+
+- name: '[UPGRADE] - Stop forgejo'
+  systemd:
+    name: forgejo
+    state: stopped
+  when:
+    - forgejo_is_installed.rc == 0
+    - forgejo_health is defined and forgejo_health.rc is defined and forgejo_health.rc == 0
+
+- name: '[INSTALL] - Download forgejo binary'
+  get_url:
+    url: '{{ forgejo_download_url }}'
+    dest: '{{ forgejo_bindir }}/forgejo'
+    mode: '0750'
+    owner: '{{ forgejo_user }}'
+    group: '{{ forgejo_group }}'
+    force: 'yes'
+  notify: 'Restart forgejo'
+
+- name: '[INSTALL] - Set /etc/forgejo rights to read-only'
+  file:
+    path: '/etc/forgejo'
+    mode: '0750'
+
+- name: '[INSTALL] - Set app.ini rights to read-only'
+  file:
+    path: '/etc/forgejo/app.ini'
+    mode: '0640'
+
+- name: '[UPGRADE] - Check forgejo health after upgrading'
+  shell:
+    cmd:  '{{ forgejo_bindir }}/forgejo doctor check --all -c {{ forgejo_confdir }}'
+  become: 'yes'
+  become_user: '{{ forgejo_user }}'
+  register: forgejo_health
+  when: 
+    - forgejo_is_installed.rc == 0
+    - gitea_repositories.stat.exists
+
+- name: '[UPGRADE] - Display problem message'
+  fail:
+    msg: 'Forgejo doctor detected issues after upgrade task. Please check the instance manually and fix issues before continuing'
+  when: 
+    - forgejo_is_installed.rc == 0
+    - forgejo_health is defined and forgejo_health.rc is defined and forgejo_health.rc != 0
+  notify: 'Stop forgejo'
+

tasks/main.yml

@@ -7,8 +7,8 @@
   include_tasks: configure.yml
   tags: config
 
-- name: "[FORGEJO] - install"
-  include_tasks: install.yml
+- name: "[FORGEJO] - install or upgrade"
+  include_tasks: install_upgrade.yml
 
 - name: "[FORGEJO] - theme"
   include_tasks: custom_themes.yml

templates/etc/forgejo/app.ini.j2

@@ -8,6 +8,11 @@
 {{ item }}
 {% endfor %}
 
+[oauth2_client]
+{% for item in forgejo_oauth2_client_config %}
+{{ item }}
+{% endfor %}
+
 [ui]
 {% for item in forgejo_ui_config %}
 {{ item }}
@@ -65,7 +70,6 @@
 {{ item }}
 {% endfor %}
 
-
 [session]
 {% for item in forgejo_session_config %}
 {{ item }}

templates/etc/systemd/system/forgejo.service.j2

@@ -1,34 +1,97 @@
 [Unit]
-Description=Forgejo (Git with a cup of tea)
+Description=Forgejo (Beyond coding. We forge.)
 After=syslog.target
 After=network.target
-#Requires=mysql.service
-#Requires=mariadb.service
-#Requires=postgresql.service
-#Requires=memcached.service
-#Requires=redis.service
+###
+# Don't forget to add the database service dependencies
+###
+{% if forgejo_dbservice is defined %}
+Wants={{ forgejo_dbservice }}
+After={{ forgejo_dbservice }}
+{% endif %}
+
+###
+# If using socket activation for main http/s
+###
+{% if forgejo_websocket is defined %}
+After=forgejo.main.socket
+Requires=forgejo.main.socket
+
+###
+# (You can also provide forgejo an http fallback and/or ssh socket too)
+#
+# An example of /etc/systemd/system/forgejo.main.socket
+###
+
+[Unit]
+Description=Forgejo Web Socket
+PartOf=forgejo.service
+
+[Socket]
+Service=forgejo.service
+ListenStream=<some_port>
+NoDelay=true
+
+[Install]
+WantedBy=sockets.target
+{% endif %}
+
 
 [Service]
-# Modify these two values and uncomment them if you have
-# repos with lots of files and get an HTTP error 500 because
-# of that
-###
-#LimitMEMLOCK=infinity
-#LimitNOFILE=65535
+# Uncomment the next line if you have repos with lots of files and get a HTTP 500 error because of that
+{% if forgejo_limitnofile is defined %}
+LimitNOFILE={{ forgejo_limitnofile }}
+{% else %}
+# LimitNOFILE=524288:524288
+{% endif %}
 RestartSec=2s
 Type=simple
 User={{ forgejo_user }}
 Group={{ forgejo_group }}
 WorkingDirectory={{ forgejo_lib_dir }}
+# If using Unix socket: tells systemd to create the /run/forgejo folder, which will contain the forgejo.sock file
+# (manually creating /run/forgejo doesn't work, because it would not persist across reboots)
+{% if forgejo_websocket is defined %}
+RuntimeDirectory=forgejo
+{% else %}
+#RuntimeDirectory=forgejo
+{% endif %}
 ExecStart={{ forgejo_bindir }}/forgejo web -c {{ forgejo_confdir }}
 Restart=always
 RestartSec=3
 Environment=USER={{ forgejo_user }} HOME=/home/{{ forgejo_user }} FORGEJO_WORK_DIR={{ forgejo_lib_dir }} FORGEJO_CUSTOM={{ forgejo_theme_dir }}
-# If you want to bind Forgejo to a port below 1024 uncomment
-# the two values below
+# If you install Git to directory prefix other than default PATH (which happens
+# for example if you install other versions of Git side-to-side with
+# distribution version), uncomment below line and add that prefix to PATH
+# Don't forget to place git-lfs binary on the PATH below if you want to enable
+# Git LFS support
+{% if forgejo_custom_path is defined %}
+Environment=PATH={{ forgejo_custom_path }}:/bin:/sbin:/usr/bin:/usr/sbin
+{% else %}
+#Environment=PATH=/path/to/git/bin:/bin:/sbin:/usr/bin:/usr/sbin
+{% endif %}
+# If you want to bind Forgejo to a port below 1024, uncomment
+# the two values below, or use socket activation to pass Forgejo its ports as above
 ###
+{% if forgejo_cap_net_bind_service is defined %}
+CapabilityBoundingSet={{ forgejo_cap_net_bind_service }} 
+AmbientCapabilities={{ forgejo_cap_net_bind_service }} 
+{% else %}
 #CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 #AmbientCapabilities=CAP_NET_BIND_SERVICE
+{% endif %}
+###
+# In some cases, when using CapabilityBoundingSet and AmbientCapabilities option, you may want to
+# set the following value to false to allow capabilities to be applied on Forgejo process. The following
+# value if set to true sandboxes Forgejo service and prevent any processes from running with privileges
+# in the host user namespace.
+###
+{% if forgejo_privateusers is defined %}
+PrivateUsers={{ forgejo_privateusers }}
+{% else %}
+#PrivateUsers=false
+{% endif %}
+###
 
 [Install]
 WantedBy=multi-user.target