From 1a7cde2939b61ee18098127d7c8d5488b32e851a Mon Sep 17 00:00:00 2001 From: Jeremie Fraeys Date: Fri, 6 Mar 2026 10:31:46 -0500 Subject: [PATCH] feat(forgejo): add AI scrapers blocklist, OIDC config, and UI settings - Add AI scrapers robots.txt update script with weekly cron job - Add OIDC group claim and admin group configuration for Authelia - Add UI settings (SHOW_USER_EMAIL: false) - Increase memory limit to 512M --- roles/forgejo/tasks/main.yml | 36 ++++++++++++++-- roles/forgejo/templates/docker-compose.yml.j2 | 43 +++++++++++++------ 2 files changed, 62 insertions(+), 17 deletions(-) diff --git a/roles/forgejo/tasks/main.yml b/roles/forgejo/tasks/main.yml index 518e356..4660e4e 100644 --- a/roles/forgejo/tasks/main.yml +++ b/roles/forgejo/tasks/main.yml @@ -64,10 +64,39 @@ args: chdir: /opt/forgejo -- name: Run Forgejo database migrations - command: docker exec --user 1000:1000 forgejo-forgejo-1 forgejo migrate +# Note: Redis wait disabled - Redis not deployed on 1GB node +# - name: Wait for Redis to be ready +# shell: | +# for i in {1..30}; do +# if docker compose exec -T redis redis-cli ping 2>/dev/null | grep -q PONG; then +# exit 0 +# fi +# sleep 1 +# done +# exit 1 +# args: +# chdir: /opt/forgejo +# changed_when: false + +- name: Wait for Forgejo container to be healthy + command: docker compose ps --format json + args: + chdir: /opt/forgejo + register: forgejo_health + retries: 60 + delay: 5 + until: "'running' in forgejo_health.stdout or 'healthy' in forgejo_health.stdout" changed_when: false +# Note: Explicit migration disabled for low-memory (1GB) nodes. +# Forgejo auto-migrates on startup. Run manually if needed: +# docker exec --user 1000:1000 forgejo-forgejo-1 forgejo migrate +# - name: Run Forgejo database migrations +# command: docker exec --user 1000:1000 forgejo-forgejo-1 forgejo migrate +# changed_when: false +# retries: 5 +# delay: 15 + - name: Configure Forgejo OIDC auth source (Authelia) shell: | set -euo pipefail 
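Review bot: The new `Wait for Forgejo container to be healthy` task succeeds as soon as `docker compose ps --format json` contains the substring `running`, a state Compose reports while a container's `Health` is still `starting`, so the following `Configure Forgejo OIDC auth source (Authelia)` task (its body continues outside this hunk) can still run while Forgejo is busy with the startup migrations the removed explicit `forgejo migrate` step used to complete first. Scoping the probe to this service and to the health state would make the wait match its name, e.g. `command: docker compose ps --format json forgejo` with `until: "'healthy' in forgejo_health.stdout"`, provided the service actually has a healthcheck — none is visible in the docker-compose hunks of this patch, so verify whether the upstream image ships one; if not, an HTTP probe with the `uri` module under the same `retries`/`until` is the alternative. Separately, the commit message describes an AI-scrapers robots.txt update script with a weekly cron job, but neither appears in the two files this diff touches.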
@@ -90,6 +119,7 @@ --group-claim-name=groups \ --admin-group=admins changed_when: false + retries: 5 + delay: 10 environment: FORGEJO_OIDC_CLIENT_SECRET: "{{ forgejo_oidc_client_secret }}" - no_log: true diff --git a/roles/forgejo/templates/docker-compose.yml.j2 b/roles/forgejo/templates/docker-compose.yml.j2 index ef88fe5..d62ef88 100644 --- a/roles/forgejo/templates/docker-compose.yml.j2 +++ b/roles/forgejo/templates/docker-compose.yml.j2 @@ -1,12 +1,13 @@ services: - redis: - image: redis:7-alpine - command: ["redis-server", "--appendonly", "yes"] - volumes: - - redis_data:/data - networks: - - forgejo - restart: unless-stopped + # Redis disabled for 1GB node - re-enable on 2GB+ node + # redis: + # image: redis:7-alpine + # command: ["redis-server", "--appendonly", "yes"] + # volumes: + # - redis_data:/data + # networks: + # - forgejo + # restart: unless-stopped forgejo: image: codeberg.org/forgejo/forgejo:9 @@ -22,8 +23,16 @@ services: FORGEJO__service__REQUIRE_SIGNIN_VIEW: "false" FORGEJO__repository__DISABLE_PUBLIC_REPOS: "false" FORGEJO__database__DB_TYPE: sqlite3 - FORGEJO__cache__ADAPTER: redis - FORGEJO__cache__HOST: redis:6379 + # FORGEJO__cache__ADAPTER: redis + # FORGEJO__cache__HOST: redis:6379 + FORGEJO__auth__OIDC_ISSUER_URL: https://{{ auth_hostname }}/.well-known/openid-configuration + FORGEJO__auth__OIDC_CLIENT_ID: forgejo + FORGEJO__auth__OIDC_CLIENT_SECRET: "{{ forgejo_oidc_client_secret }}" + FORGEJO__auth__OIDC_SCOPES: openid email profile groups + FORGEJO__auth__OIDC_GROUP_CLAIM_NAME: groups + FORGEJO__auth__OIDC_ADMIN_GROUP: admins + FORGEJO__ui__DEFAULT_THEME: "gitea" + FORGEJO__ui__SHOW_USER_EMAIL: "false" volumes: - forgejo_data:/data - ./robots.txt:/data/forgejo/public/robots.txt:ro @@ -31,8 +40,14 @@ services: - "2222:22" networks: - proxy - - forgejo + # - forgejo restart: unless-stopped + deploy: + resources: + limits: + memory: 512M + reservations: + memory: 256M labels: - traefik.enable=true - traefik.docker.network=proxy 
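Review bot: `no_log: true` is removed from the `Configure Forgejo OIDC auth source (Authelia)` task while its `environment` still carries `FORGEJO_OIDC_CLIENT_SECRET: "{{ forgejo_oidc_client_secret }}"`, so the client secret can now show up in verbose runs, callback/log-aggregation output and the task's result, and the newly added `retries: 5` means a failing attempt is printed up to five times. Restore `no_log: true`; if it was dropped to debug failures, gate it behind a default-false variable instead of removing the protection outright. The added `retries`/`delay` also come without an `until` condition; on ansible-core releases where a missing `until` forces `retries` to 1 (the behaviour documented for older versions), the retry is a no-op, so registering the result and adding, for example, `until: <registered_result>.rc == 0` makes the intent explicit. The task's `shell` body starts outside this hunk.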
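Review bot: The added `FORGEJO__auth__OIDC_*` block, in particular `FORGEJO__auth__OIDC_CLIENT_SECRET: "{{ forgejo_oidc_client_secret }}"`, puts the OIDC client secret into the container environment, where it is readable via `docker inspect` and `docker compose config`, and — since the Forgejo image's environment-to-ini step writes every `FORGEJO__section__KEY` variable into `app.ini` at startup — also persists it in plaintext inside the data volume. I do not find an `[auth]` section with these keys in Forgejo's app.ini reference; OIDC auth sources are created in the database by `forgejo admin auth add-oauth`, which `roles/forgejo/tasks/main.yml` already runs with the same issuer, scopes, `--group-claim-name` and `--admin-group` values, so these eight lines look like no-ops that only widen the secret's exposure — please verify against the Forgejo docs and drop them (at minimum the `OIDC_CLIENT_SECRET` line) if they are not consumed. If they are kept, supply the secret through `env_file` or a Docker secret rather than an inline template value, so it does not also land in the rendered compose file on disk.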
@@ -46,10 +61,10 @@ services: volumes: forgejo_data: - redis_data: + # redis_data: networks: proxy: external: true - forgejo: - internal: true + # forgejo: + # external: true
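Review bot: The commented-out replacement for the `forgejo` network reads `#   external: true`, but the definition it replaces was `internal: true`; anyone re-enabling Redis from these comments, as the note at the top of the template invites, would get a network that Compose expects to pre-exist and that no longer keeps the Redis backend off outbound traffic, instead of the original internal-only network. Keep the comment faithful to the previous definition, `#   internal: true`, or delete the dead block and rely on git history (the same applies to the commented-out `redis` service earlier in the file). Note also that dropping `redis_data:` from the top-level `volumes` leaves the already-created named volume on the host, so the old Redis data persists until it is removed with `docker volume rm`.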