Emi Matchu
091d6f8267
In response to a security update! I didn't bother doing the backup and doctor and stuff this time, since this upgrade seems minor. And indeed, just hot-swapping the binary like last time seems to have worked great!
103 lines
3 KiB
YAML
103 lines
3 KiB
YAML
---
|
|
# Adapted from https://forgejo.org/docs/latest/admin/installation-binary/
|
|
- name: Install Forgejo
|
|
hosts: webserver
|
|
become: yes
|
|
become_user: root
|
|
tasks:
|
|
- name: Download Forgejo binary to /usr/local/bin (and verify its checksum)
|
|
get_url:
|
|
url: https://codeberg.org/forgejo/forgejo/releases/download/v1.21.10-0/forgejo-1.21.10-0-linux-amd64
|
|
dest: /usr/local/bin/forgejo
|
|
checksum: "sha256:ca5644c382de4ebde77363add0d7ce034663a4e50db67334c1a19575a31277ee"
|
|
mode: "755"
|
|
notify:
|
|
- Restart Forgejo
|
|
|
|
- name: Update apt cache
|
|
apt:
|
|
update_cache: true
|
|
|
|
- name: Install git and git-lfs
|
|
apt:
|
|
name:
|
|
- git
|
|
- git-lfs
|
|
|
|
- name: Create git user
|
|
user:
|
|
name: git
|
|
password: "!" # disables password login
|
|
home: /home/git
|
|
shell: /bin/bash
|
|
comment: Git Version Control
|
|
|
|
- name: Create Forgejo's data directory
|
|
file:
|
|
path: /var/lib/forgejo
|
|
state: directory
|
|
mode: "750"
|
|
owner: git
|
|
group: git
|
|
|
|
- name: Create Forgejo's config directory
|
|
file:
|
|
path: /etc/forgejo
|
|
state: directory
|
|
mode: "750"
|
|
owner: root
|
|
group: git
|
|
|
|
# NOTE: Instead of copying a pre-built app.ini, you could also skip this,
|
|
# use SSH tunneling to access the server over port 3000, and use their
|
|
# built-in setup process. You'd need to temporarily change /etc/forgejo to
|
|
# have mode "770", to allow Forgejo to write its own config file. (This is
|
|
# what we did for our first-time setup, then we copied app.ini to here!)
|
|
- name: Copy app.ini to Forgejo's config directory
|
|
copy:
|
|
src: files/app.ini
|
|
dest: /etc/forgejo/app.ini
|
|
mode: "640"
|
|
notify:
|
|
- Restart Forgejo
|
|
|
|
# NOTE: Instead of having a separate secrets directory, you could hardcode
|
|
# the secrets into app.ini. This extra indirection just lets us share our
|
|
# app.ini publicly, while keeping the secret tokens in gitignored files.
|
|
# Also, the directory name "secrets" and the file names we chose aren't
|
|
# reserved by Forgejo! Forgejo simply ignores any unrecognized files in
|
|
# /etc/forgejo, then we reference our secret files by path in app.ini.
|
|
- name: Copy secrets directory to Forgejo's config directory
|
|
copy:
|
|
src: files/secrets
|
|
dest: /etc/forgejo
|
|
directory_mode: "750"
|
|
mode: "640"
|
|
owner: root
|
|
group: git
|
|
notify:
|
|
- Restart Forgejo
|
|
|
|
- name: Install systemd service for Forgejo
|
|
copy:
|
|
src: files/forgejo.service
|
|
dest: /etc/systemd/system/forgejo.service
|
|
notify:
|
|
- Reload service files
|
|
- Restart Forgejo
|
|
|
|
- name: Enable Forgejo service
|
|
systemd_service:
|
|
name: forgejo
|
|
enabled: true
|
|
state: started
|
|
|
|
handlers:
|
|
- name: Reload service files
|
|
systemd_service:
|
|
daemon_reload: true
|
|
|
|
- name: Restart Forgejo
|
|
systemd_service:
|
|
name: forgejo
|
|
state: restarted
|