many new containers. work in progress

2024-11-02 14:09:56 -06:00 · 2024-11-02 14:09:56 -06:00 · aed48ffdf8
commit aed48ffdf8
parent f0f9f608cc
31 changed files with 1042 additions and 1 deletions
--- a/forgejo_tailscale/.env
+++ b/forgejo_tailscale/.env
@ -0,0 +1,38 @@
+FORGEJO_TAG=8
+FORGEJO_RUNNER_TAG=4.0.1
+
+# Tailscale authorization key
+TS_AUTHKEY=tskey-auth-
+
+# Tailscale tailnet node name
+TAILNET_NAME=git
+TAILNET_SUFFIX=XXXXXX.ts.net
+
+# Instance Settings
+APP_NAME="My Git Server"
+FORGEJO_HOSTNAME=${TAILNET_NAME}.${TAILNET_SUFFIX}
+DISABLE_REGISTRATION=true
+
+# Database
+FORGEJO_DB_PASSWORD= ##REQUIRED## 
+
+# Mail
+MAIL_ENABLED=true
+MAIL_FROM='"Git Server" <noreply@mg.yourdomain.com>'
+MAIL_SMTP_USER=forgejo@mg.yourdomain.com
+MAIL_SMTP_PASSWD= ##REQUIRED##
+MAIL_SMTP_PROTOCOL=smtps
+MAIL_SMTP_ADDR=smtp.mailgun.org
+MAIL_SMTP_PORT=465
+
+# Initial user
+ROOT_USER=admin
+ROOT_EMAIL=admin@yourdomain.com
+ROOT_PASSWORD=  ##REQUIRED##
+
+# Token for runner (generate with `openssl rand -hex 20`)
+SHARED_SECRET=  ##REQUIRED##
+
+# Runner name / labels
+RUNNER_NAME=runner
+RUNNER_LABELS='[\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]'
--- a/forgejo_tailscale/README.md
+++ b/forgejo_tailscale/README.md
@ -0,0 +1,19 @@
+# Forgejo via. Tailscale
+
+This example is a quick start to running an instance of the excellent Forgejo git server under Docker.
+
+* private exposed on Tailscale Tailnet
+* Pre-configured Github Action-style Runners
+* Mail delivery (assuming Mailgun, but adjustable to any SMTP server)
+* Pre-configured (no installation wizard) including admin account
+
+## Steps:
+
+0. Get an Auth Key from your tailscale account
+1. Copy `docker-compose.yml` and `.env` to a new folder
+2. Update variables in `.env` making sure to generate random secrets for the various secrets marked with `##REQUIRED##`
+5. `docker compose up -d`
+6. Wait...
+7. Wait a bit more
+8. Visit `https://git.your-name.ts.net` in your browser and login with the admin credentials in your `.env` file.
+9. Verify settings.  (i.e. do you want to disable user signups, etc.)
--- a/forgejo_tailscale/docker-compose.yml
+++ b/forgejo_tailscale/docker-compose.yml
@ -0,0 +1,132 @@
+services:
+
+  tailscale:
+    hostname: ${TAILNET_NAME}             
+    image: tailscale/tailscale
+    volumes:
+      - ./data/tailscale:/var/lib/tailscale
+      - ./ts-serve.json:/config/ts-serve.json:ro
+      - /dev/net/tun:/dev/net/tun         
+    cap_add:                          
+      - net_admin
+      - sys_module
+    environment:
+      TS_AUTHKEY: ${TS_AUTHKEY}
+      TS_SERVE_CONFIG: /config/ts-serve.json
+      TS_AUTH_ONCE: true
+      TS_STATE_DIR: /var/lib/tailscale
+      TS_HOST: ${TAILNET_NAME}
+    restart: unless-stopped
+
+  server:
+    image: codeberg.org/forgejo/forgejo:${FORGEJO_TAG}
+    command: >-
+      bash -c '
+      /bin/s6-svscan /etc/s6 &
+      sleep 10 ;
+      su -c "forgejo forgejo-cli actions register --secret ${SHARED_SECRET}" git ;
+      su -c "forgejo admin user create --admin --username ${ROOT_USER} --password ${ROOT_PASSWORD} --email ${ROOT_EMAIL}" git ;
+      sleep infinity
+      '      
+    environment:
+      # https://forgejo.org/docs/latest/admin/config-cheat-sheet/
+      - RUN_MODE=prod
+      - USER_UID=1000
+      - USER_GID=1000
+      - APP_NAME=${APP_NAME}
+      - FORGEJO__server__ROOT_URL=https://${FORGEJO_HOSTNAME}
+      # Prevent the installation wizard from running
+      - FORGEJO__security__INSTALL_LOCK=true
+      # Do we allow new signups?
+      - FORGEJO__service__DISABLE_REGISTRATION=${DISABLE_REGISTRATION}
+      # DB Setup
+      - FORGEJO__database__DB_TYPE=postgres
+      - FORGEJO__database__HOST=db:5432
+      - FORGEJO__database__NAME=gitea
+      - FORGEJO__database__USER=gitea
+      - FORGEJO__database__PASSWD=${FORGEJO_DB_PASSWORD}
+      # Mail Setup
+      - FORGEJO__mailer__ENABLED=${MAIL_ENABLED}
+      - FORGEJO__mailer__FROM=${MAIL_FROM}
+      - FORGEJO__mailer__PROTOCOL=${MAIL_SMTP_PROTOCOL}
+      - FORGEJO__mailer__SMTP_ADDR=${MAIL_SMTP_ADDR}
+      - FORGEJO__mailer__SMTP_PORT=${MAIL_SMTP_PORT}
+      - FORGEJO__mailer__USER=${MAIL_SMTP_USER}
+      - FORGEJO__mailer__PASSWD=${MAIL_SMTP_PASSWD}
+      # Git rid of the splash screen and just show a project listing
+      # on the homepage
+      - FORGEJO__server__LANDING_PAGE=explore
+    restart: always
+    volumes:
+      - ./data/data:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    depends_on:
+      - db
+
+  db:
+    image: postgres:13
+    restart: always
+    environment:
+      - POSTGRES_USER=gitea
+      - POSTGRES_PASSWORD=${FORGEJO_DB_PASSWORD}
+      - POSTGRES_DB=gitea
+    volumes:
+      - ./data/postgres:/var/lib/postgresql/data
+
+  # Runner configuration is fairly complex and uses Docker-in-Docker
+  # Pulled from this example:
+  #  https://code.forgejo.org/forgejo/runner/src/branch/main/examples/docker-compose/compose-forgejo-and-runner.yml
+
+  runner-register:
+    image: code.forgejo.org/forgejo/runner:${FORGEJO_RUNNER_TAG}
+    links:
+      - docker-in-docker
+      - server
+    environment:
+      DOCKER_HOST: tcp://docker-in-docker:2376
+    volumes:
+      - ./data/runner-data:/data
+    user: 0:0
+    command: >-
+      bash -ec '
+      while : ; do
+        forgejo-runner create-runner-file --connect --instance http://server:3000 --name ${RUNNER_NAME} --secret ${SHARED_SECRET} && break ;
+        sleep 1 ;
+      done ;
+      sed -i -e "s|\"labels\": null|\"labels\": ${RUNNER_LABELS}|" .runner ;
+      forgejo-runner generate-config > config.yml ;
+      sed -i -e "s|network: .*|network: host|" config.yml ;
+      sed -i -e "s|^  labels: \[\]$$|  labels: ${RUNNER_LABELS}|" config.yml ;
+      sed -i -e "s|^  envs:$$|  envs:\n    DOCKER_HOST: tcp://docker:2376\n    DOCKER_TLS_VERIFY: 1\n    DOCKER_CERT_PATH: /certs/client|" config.yml ;
+      sed -i -e "s|^  options:|  options: -v /certs/client:/certs/client|" config.yml ;
+      sed -i -e "s|  valid_volumes: \[\]$$|  valid_volumes:\n    - /certs/client|" config.yml ;
+      chown -R 1000:1000 /data
+      '      
+
+  runner-daemon:
+    image: code.forgejo.org/forgejo/runner:4.0.1
+    links:
+      - docker-in-docker
+      - server
+    environment:
+      DOCKER_HOST: tcp://docker:2376
+      DOCKER_CERT_PATH: /certs/client
+      DOCKER_TLS_VERIFY: "1"
+    volumes:
+      - ./data/runner-data:/data
+      - ./data/docker_certs:/certs
+    command: >-
+      bash -c '
+      while : ; do test -w .runner && forgejo-runner --config config.yml daemon ; sleep 1 ; done
+      '      
+
+  docker-in-docker:
+    image: docker:dind
+    hostname: docker  # Must set hostname as TLS certificates are only valid for docker or localhost
+    privileged: true
+    environment:
+      DOCKER_TLS_CERTDIR: /certs
+      DOCKER_HOST: docker-in-docker
+    volumes:
+      - ./data/docker_certs:/certs
--- a/forgejo_tailscale/ts-serve.json
+++ b/forgejo_tailscale/ts-serve.json
@ -0,0 +1,22 @@
+{
+    "TCP": {
+        "22": {
+            "TCPForward": "server:22"
+        },
+        "443": {
+            "HTTPS": true
+        }
+    },
+    "Web": {
+        "${TS_CERT_DOMAIN}:443": {
+            "Handlers": {
+                "/": {
+                    "Proxy": "http://server:3000"
+                }
+            }
+        }
+    },
+    "AllowFunnel": {
+        "${TS_CERT_DOMAIN}:443": false
+    }
+}