setup HTTPS!

EDIT: I originally committed the actual secrets into this file, but
since came back in git history and rewrote this commit to redact them!
I wasn't expecting to share this repo, but now I am!

README.md

@@ -0,0 +1 @@
+WARNING: `files/app.ini` contains secrets! Do not deploy without hiding them!

files/app.ini

@@ -0,0 +1,86 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; WARNING: This file contains secrets!! ;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+APP_NAME = OpenNeo Code
+RUN_USER = git
+WORK_PATH = /var/lib/forgejo
+RUN_MODE = prod
+
+[database]
+DB_TYPE = sqlite3
+HOST = 127.0.0.1:3306
+NAME = forgejo
+USER = forgejo
+PASSWD = 
+SCHEMA = 
+SSL_MODE = disable
+PATH = /var/lib/forgejo/data/forgejo.db
+LOG_SQL = false
+
+[repository]
+ROOT = /var/lib/forgejo/data/forgejo-repositories
+
+[server]
+SSH_DOMAIN = code.openneo.net
+DOMAIN = code.openneo.net
+PROTOCOL = https
+HTTP_PORT = 443
+REDIRECT_OTHER_PORT = true
+ENABLE_ACME = true
+ACME_ACCEPTTOS = true
+ACME_EMAIL = emi@matchu.dev
+ROOT_URL = https://code.openneo.net/
+APP_DATA_PATH = /var/lib/forgejo/data
+DISABLE_SSH = false
+SSH_PORT = 22
+LFS_START_SERVER = true
+LFS_JWT_SECRET = <REDACTED 2024-01-14>
+OFFLINE_MODE = true
+
+[lfs]
+PATH = /var/lib/forgejo/data/lfs
+
+[mailer]
+ENABLED = false
+
+[service]
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+DISABLE_REGISTRATION = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+REQUIRE_SIGNIN_VIEW = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = false
+DEFAULT_ENABLE_TIMETRACKING = false
+NO_REPLY_ADDRESS = noreply.openneo.net
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[cron.update_checker]
+ENABLED = true
+
+[session]
+PROVIDER = file
+
+[log]
+MODE = console
+LEVEL = info
+ROOT_PATH = /var/lib/forgejo/log
+
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = merge
+
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
+
+[security]
+INSTALL_LOCK = true
+INTERNAL_TOKEN = <REDACTED 2024-01-14>
+PASSWORD_HASH_ALGO = pbkdf2_hi
+
+[oauth2]
+JWT_SECRET = <REDACTED 2024-01-14>

setup-forgejo.yml

@@ -42,32 +42,33 @@
       file:
         path: /etc/forgejo
         state: directory
-        mode: "770"
+        mode: "750"
         owner: root
         group: git
 
+    - name: Copy app.ini to Forgejo's config directory
+      copy:
+        src: files/app.ini
+        dest: /etc/forgejo/app.ini
+        mode: "640"
+      notify:
+        - Restart Forgejo
+
     - name: Install systemd service for Forgejo
       copy:
         src: files/forgejo.service
         dest: /etc/systemd/system/forgejo.service
       notify:
-        - Reload Forgejo's service file and restart Forgejo
+        - Restart Forgejo
 
     - name: Start Forgejo service
       systemd_service:
         name: forgejo
         state: started
 
-    - name: Print hint to go configure
-      debug:
-        msg: >
-          Forgejo is now running on port 3000! Run `ssh -L 3000:localhost:3000
-          code.openneo.net` to be able to open `localhost:3000` in your local
-          browser and have it redirect to Forgejo's setup page!
-
   handlers:
-    - name: Reload Forgejo's service file and restart Forgejo
+    - name: Restart Forgejo
       systemd_service:
         name: forgejo
         state: restarted
-        daemon_reload: true
+        daemon_reload: true # For the case where the service file changes!