Add forgejo role to ansible playbook

Manages installation and service via homebrew. Config at
/opt/homebrew/var/forgejo/custom/conf/app.ini contains secrets
and is not templated - backed up by borgmatic instead.

Includes check that fails with restore instructions if config missing.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

ansible/playbooks/indri.yml

@@ -6,3 +6,4 @@
     - grafana
     - kiwix
     - borgmatic
+    - forgejo

ansible/roles/forgejo/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: restart forgejo
+  ansible.builtin.command: brew services restart forgejo

ansible/roles/forgejo/tasks/main.yml

@@ -0,0 +1,28 @@
+---
+# Note: forgejo config at /opt/homebrew/var/forgejo/custom/conf/app.ini
+# is not managed here (contains secrets). It is backed up by borgmatic.
+
+- name: Install forgejo via homebrew
+  community.general.homebrew:
+    name: forgejo
+    state: present
+
+- name: Check forgejo config exists
+  ansible.builtin.stat:
+    path: /opt/homebrew/var/forgejo/custom/conf/app.ini
+  register: forgejo_config
+
+- name: Fail if forgejo config is missing
+  ansible.builtin.fail:
+    msg: |
+      Forgejo config not found at /opt/homebrew/var/forgejo/custom/conf/app.ini
+      This file contains secrets and is not managed by ansible.
+      To restore from backup, run:
+        borgmatic --config ~/.config/borgmatic/config.yaml extract --archive latest --path /opt/homebrew/var/forgejo/custom/conf/app.ini
+  when: not forgejo_config.stat.exists
+
+- name: Ensure forgejo service is started
+  ansible.builtin.command: brew services start forgejo
+  register: brew_start
+  changed_when: "'Successfully started' in brew_start.stdout"
+  failed_when: false