From d1396b1cfb6d57a3260932e04fd9fa8a99b1a032 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Tue, 13 Jan 2026 23:00:46 -0800
Subject: [PATCH] Add forgejo role to ansible playbook

Manages installation and service via homebrew. Config at
/opt/homebrew/var/forgejo/custom/conf/app.ini contains secrets
and is not templated - backed up by borgmatic instead.

Includes check that fails with restore instructions if config missing.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 ansible/playbooks/indri.yml             |  1 +
 ansible/roles/forgejo/handlers/main.yml |  3 +++
 ansible/roles/forgejo/tasks/main.yml    | 28 +++++++++++++++++++++++++
 3 files changed, 32 insertions(+)
 create mode 100644 ansible/roles/forgejo/handlers/main.yml
 create mode 100644 ansible/roles/forgejo/tasks/main.yml

diff --git a/ansible/playbooks/indri.yml b/ansible/playbooks/indri.yml
index 820b929..67a2f13 100644
--- a/ansible/playbooks/indri.yml
+++ b/ansible/playbooks/indri.yml
@@ -6,3 +6,4 @@
     - grafana
     - kiwix
     - borgmatic
+    - forgejo
diff --git a/ansible/roles/forgejo/handlers/main.yml b/ansible/roles/forgejo/handlers/main.yml
new file mode 100644
index 0000000..313df92
--- /dev/null
+++ b/ansible/roles/forgejo/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart forgejo
+  ansible.builtin.command: brew services restart forgejo
diff --git a/ansible/roles/forgejo/tasks/main.yml b/ansible/roles/forgejo/tasks/main.yml
new file mode 100644
index 0000000..0f45c2e
--- /dev/null
+++ b/ansible/roles/forgejo/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+# Note: forgejo config at /opt/homebrew/var/forgejo/custom/conf/app.ini
+# is not managed here (contains secrets). It is backed up by borgmatic.
+
+- name: Install forgejo via homebrew
+  community.general.homebrew:
+    name: forgejo
+    state: present
+
+- name: Check forgejo config exists
+  ansible.builtin.stat:
+    path: /opt/homebrew/var/forgejo/custom/conf/app.ini
+  register: forgejo_config
+
+- name: Fail if forgejo config is missing
+  ansible.builtin.fail:
+    msg: |
+      Forgejo config not found at /opt/homebrew/var/forgejo/custom/conf/app.ini
+      This file contains secrets and is not managed by ansible.
+      To restore from backup, run:
+        borgmatic --config ~/.config/borgmatic/config.yaml extract --archive latest --path /opt/homebrew/var/forgejo/custom/conf/app.ini
+  when: not forgejo_config.stat.exists
+
+- name: Ensure forgejo service is started
+  ansible.builtin.command: brew services start forgejo
+  register: brew_start
+  changed_when: "'Successfully started' in brew_start.stdout"
+  failed_when: false