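---
# Ansible tasks: deploy Forgejo with Docker Compose on the shared "proxy"
# network, keep the AI-scraper robots.txt current, and register Authelia as an
# OIDC auth source in Forgejo.
# Expected from the enclosing play/role: forgejo_hostname, auth_hostname.
# The OIDC client secret comes from AUTHELIA_OIDC_FORGEJO_CLIENT_SECRET
# (play variable, else the controller's environment variable).

- name: Read OIDC client secret for Forgejo
  # Prefer the play variable; otherwise fall back to the environment of the
  # control node (lookup('env') is evaluated on the controller, not the target).
  set_fact:
    forgejo_oidc_client_secret: "{{ AUTHELIA_OIDC_FORGEJO_CLIENT_SECRET | default(lookup('env', 'AUTHELIA_OIDC_FORGEJO_CLIENT_SECRET')) }}"
  # Keep the secret out of the play output.
  no_log: true

- name: Fail if OIDC client secret for Forgejo is missing
  fail:
    msg: "AUTHELIA_OIDC_FORGEJO_CLIENT_SECRET is required"
  when: forgejo_oidc_client_secret | length == 0

- name: Create Forgejo directory
  file:
    path: /opt/forgejo
    state: directory

# `docker network inspect` is used as an idempotent probe: a non-zero exit
# only means the network is absent, so it is neither a failure nor a change.
- name: Ensure proxy network exists
  command: docker network inspect proxy
  register: proxy_network
  changed_when: false
  failed_when: false

- name: Create proxy network if missing
  command: docker network create proxy
  when: proxy_network.rc != 0

- name: Copy update-ai-scrapers script
  copy:
    src: update-ai-scrapers.sh
    dest: /opt/forgejo/update-ai-scrapers.sh
    mode: "0755"

- name: Run AI scrapers update script (initial)
  command: /opt/forgejo/update-ai-scrapers.sh
  args:
    chdir: /opt/forgejo
  environment:
    FORGEJO_HOST: "{{ forgejo_hostname }}"
  register: scraper_update
  # The script is taken to print "updated" when it rewrote robots.txt;
  # any other output is reported as unchanged.
  changed_when: "'updated' in scraper_update.stdout"

# Weekly refresh (Saturday 02:00, root crontab); the script's output is
# appended to /var/log/forgejo-ai-scrapers-update.log.
- name: Set up cron job for periodic AI scrapers update
  cron:
    name: "Update AI scrapers robots.txt"
    minute: "0"
    hour: "2"
    weekday: "6"
    job: "cd /opt/forgejo && FORGEJO_HOST={{ forgejo_hostname }} /opt/forgejo/update-ai-scrapers.sh >> /var/log/forgejo-ai-scrapers-update.log 2>&1"
    user: root
    state: present

- name: Copy robots.txt for Forgejo (fallback)
  template:
    src: robots.txt.j2
    dest: /opt/forgejo/robots.txt.backup

- name: Copy Docker Compose file for Forgejo
  template:
    src: docker-compose.yml.j2
    dest: /opt/forgejo/docker-compose.yml

- name: Deploy Forgejo
  command: docker compose up -d
  args:
    chdir: /opt/forgejo

# Note: Redis wait disabled - Redis not deployed on 1GB node
# - name: Wait for Redis to be ready
#   shell: |
#     for i in {1..30}; do
#       if docker compose exec -T redis redis-cli ping 2>/dev/null | grep -q PONG; then
#         exit 0
#       fi
#       sleep 1
#     done
#     exit 1
#   args:
#     chdir: /opt/forgejo
#   changed_when: false

- name: Wait for Forgejo container to be healthy
  command: docker compose ps --format json
  args:
    chdir: /opt/forgejo
  register: forgejo_health
  retries: 60
  delay: 5
  # NOTE(review): this matches the words "running"/"healthy" anywhere in the
  # ps output, so any running service in the project satisfies it. If the
  # compose project has more than one service, scope the probe to the Forgejo
  # service (`docker compose ps <service> --format json`) and require
  # "healthy" — confirm the service name against docker-compose.yml.j2.
  until: "'running' in forgejo_health.stdout or 'healthy' in forgejo_health.stdout"
  changed_when: false

# Note: Explicit migration disabled for low-memory (1GB) nodes.
# Forgejo auto-migrates on startup. Run manually if needed:
#   docker exec --user 1000:1000 forgejo-forgejo-1 forgejo migrate
# - name: Run Forgejo database migrations
#   command: docker exec --user 1000:1000 forgejo-forgejo-1 forgejo migrate
#   changed_when: false
#   retries: 5
#   delay: 15

- name: Configure Forgejo OIDC auth source (Authelia)
  # Registers Authelia as an OpenID Connect provider unless an auth source
  # containing "authelia" is already listed. Idempotent: prints "exists" or
  # "created" so changed_when can tell the two apart.
  shell: |
    set -euo pipefail
    cid=$(docker ps -q --filter name=forgejo-forgejo-1 | head -n1)
    if [ -z "$cid" ]; then
      exit 1
    fi
    # Capture the listing first: a failing `auth list` (e.g. Forgejo not yet
    # ready) now aborts the script and triggers a retry, instead of being read
    # as "not found" and falling through to add-oauth.
    auth_list=$(docker exec --user 1000:1000 "$cid" forgejo admin auth list \
      --config /data/gitea/conf/app.ini)
    if printf '%s\n' "$auth_list" | grep -q "authelia"; then
      echo "exists"
      exit 0
    fi
    docker exec --user 1000:1000 "$cid" forgejo admin auth add-oauth \
      --config /data/gitea/conf/app.ini \
      --provider=openidConnect \
      --name=authelia \
      --key=forgejo \
      --secret="$FORGEJO_OIDC_CLIENT_SECRET" \
      --auto-discover-url="https://{{ auth_hostname }}/.well-known/openid-configuration" \
      --scopes='openid email profile groups' \
      --group-claim-name=groups \
      --admin-group=admins
    echo "created"
  args:
    # `set -o pipefail` is a bash feature; the target's default /bin/sh may
    # reject it and abort the script, so pin the interpreter.
    executable: /bin/bash
  register: forgejo_oidc_result
  changed_when: "'created' in forgejo_oidc_result.stdout"
  # Retry on non-zero exit (presumably the Forgejo CLI is not usable right
  # after the container starts); the explicit `until` makes the retry
  # condition independent of the ansible-core default.
  retries: 5
  delay: 10
  until: forgejo_oidc_result.rc == 0
  # The secret reaches the script via the environment, but it is still a
  # `docker exec` argument; suppress task output so a failure does not echo
  # the command or its arguments into logs.
  no_log: true
  environment:
    FORGEJO_OIDC_CLIENT_SECRET: "{{ forgejo_oidc_client_secret }}"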