Migrate Forgejo Ansible role from Homebrew to source build

Replace brew install/services with source-built binary + mcquack LaunchAgent, matching the zot/caddy/alloy pattern. Key changes: - defaults: new paths (~/forgejo, ~/code/3rd/forgejo), run_user → erichblume - tasks: binary stat check instead of brew install, LaunchAgent deployment - handlers: launchctl unload/load instead of brew services restart - new forgejo.plist.j2 LaunchAgent template Also stamps frigate-notify, cloudnative-pg, blumeops-pg as reviewed (all up to date) and updates forgejo tracking to v14.0.3. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 08:19:24 -07:00 · 2026-03-28 07:53:49 -07:00 · 2026-03-28 07:53:49 -07:00
commit 521cec5fde
6 changed files with 89 additions and 21 deletions
--- a/ansible/roles/forgejo/defaults/main.yml
+++ b/ansible/roles/forgejo/defaults/main.yml
@ -4,16 +4,21 @@

 forgejo_app_name: Forgejo
 forgejo_app_slogan: "Beyond coding. We Forge."
-forgejo_run_user: forgejo
+forgejo_run_user: erichblume
 forgejo_run_mode: prod

-# Paths (brew-managed for now, will change to mcquack per migrate-forgejo-from-brew)
-forgejo_work_path: /opt/homebrew/var/forgejo
+# Source build paths
+forgejo_repo_dir: /Users/erichblume/code/3rd/forgejo
+forgejo_binary: "{{ forgejo_repo_dir }}/forgejo"
+
+# Data paths (migrated from brew to ~/forgejo)
+forgejo_work_path: /Users/erichblume/forgejo
 forgejo_config_path: "{{ forgejo_work_path }}/custom/conf/app.ini"
 forgejo_data_path: "{{ forgejo_work_path }}/data"
 forgejo_repo_root: "{{ forgejo_data_path }}/forgejo-repositories"
 forgejo_lfs_path: "{{ forgejo_data_path }}/lfs"
 forgejo_log_path: "{{ forgejo_work_path }}/log"
+forgejo_log_dir: /Users/erichblume/Library/Logs

 # Server settings
 forgejo_http_addr: 0.0.0.0
--- a/ansible/roles/forgejo/handlers/main.yml
+++ b/ansible/roles/forgejo/handlers/main.yml
@ -1,4 +1,6 @@
 ---
 - name: Restart forgejo
-  ansible.builtin.command: brew services restart forgejo
+  ansible.builtin.shell: |
+    launchctl unload ~/Library/LaunchAgents/mcquack.eblume.forgejo.plist 2>/dev/null || true
+    launchctl load ~/Library/LaunchAgents/mcquack.eblume.forgejo.plist
  changed_when: true
--- a/ansible/roles/forgejo/tasks/main.yml
+++ b/ansible/roles/forgejo/tasks/main.yml
@ -1,16 +1,37 @@
 ---
-# Forgejo role
+# Forgejo role — source-built binary with LaunchAgent
 #
-# Currently uses brew-managed forgejo. Phase 3 of ci-cd-bootstrap will
-# transition to mcquack LaunchAgent with CI-built binary.
+# ONE-TIME SETUP (before running ansible):
+#
+# 1. Clone forgejo from codeberg (avoid circular dependency):
+#    ssh indri 'git clone https://codeberg.org/forgejo/forgejo.git ~/code/3rd/forgejo'
+#
+# 2. Add forge mirror as secondary remote:
+#    ssh indri 'cd ~/code/3rd/forgejo && git remote add forge https://forge.eblu.me/mirrors/forgejo.git'
+#
+# 3. Set up Go and Node via mise:
+#    ssh indri 'cd ~/code/3rd/forgejo && mise use go@1.25 node@24'
+#
+# 4. Build:
+#    ssh indri 'cd ~/code/3rd/forgejo && TAGS="bindata timetzdata sqlite sqlite_unlock_notify" mise x -- make build && mise x -- make forgejo'
+#
+# 5. Run ansible to deploy config and LaunchAgent
 #
 # Secrets (lfs_jwt_secret, internal_token, oauth2_jwt_secret) are fetched
 # from 1Password in the playbook pre_tasks.

- name: Install forgejo via homebrew
-  community.general.homebrew:
-    name: forgejo
-    state: present
+- name: Verify forgejo binary exists
+  ansible.builtin.stat:
+    path: "{{ forgejo_binary }}"
+  register: forgejo_binary_stat
+
+- name: Fail if forgejo binary not found
+  ansible.builtin.fail:
+    msg: |
+      Forgejo binary not found at {{ forgejo_binary }}.
+      Please build from source first:
+        ssh indri 'cd ~/code/3rd/forgejo && TAGS="bindata timetzdata sqlite sqlite_unlock_notify" mise x -- make build && mise x -- make forgejo'
+  when: not forgejo_binary_stat.stat.exists

 - name: Ensure forgejo config directory exists
  ansible.builtin.file:
@ -25,8 +46,21 @@
    mode: '0600'
  notify: Restart forgejo

- name: Ensure forgejo service is started
-  ansible.builtin.command: brew services start forgejo
-  register: forgejo_brew_start
-  changed_when: "'Successfully started' in forgejo_brew_start.stdout"
+- name: Deploy forgejo LaunchAgent plist
+  ansible.builtin.template:
+    src: forgejo.plist.j2
+    dest: ~/Library/LaunchAgents/mcquack.eblume.forgejo.plist
+    mode: '0644'
+  notify: Restart forgejo
+
+- name: Check if forgejo LaunchAgent is loaded
+  ansible.builtin.command: launchctl list mcquack.eblume.forgejo
+  register: forgejo_launchctl_check
+  changed_when: false
+  failed_when: false
+
+- name: Load forgejo LaunchAgent if not loaded
+  ansible.builtin.command: launchctl load ~/Library/LaunchAgents/mcquack.eblume.forgejo.plist
+  when: forgejo_launchctl_check.rc != 0
+  changed_when: true
  failed_when: false
--- a/ansible/roles/forgejo/templates/forgejo.plist.j2
+++ b/ansible/roles/forgejo/templates/forgejo.plist.j2
@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- {{ ansible_managed }} -->
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>mcquack.eblume.forgejo</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>{{ forgejo_binary }}</string>
+		<string>-w</string>
+		<string>{{ forgejo_work_path }}</string>
+		<string>-c</string>
+		<string>{{ forgejo_config_path }}</string>
+		<string>web</string>
+	</array>
+	<key>RunAtLoad</key>
+	<true/>
+	<key>KeepAlive</key>
+	<true/>
+	<key>StandardOutPath</key>
+	<string>{{ forgejo_log_dir }}/mcquack.forgejo.out.log</string>
+	<key>StandardErrorPath</key>
+	<string>{{ forgejo_log_dir }}/mcquack.forgejo.err.log</string>
+</dict>
+</plist>
--- a/docs/changelog.d/build-forgejo-from-source.infra.md
+++ b/docs/changelog.d/build-forgejo-from-source.infra.md
@ -0,0 +1 @@
+Migrate Forgejo from Homebrew to source build with mcquack LaunchAgent, matching the pattern used by zot, caddy, and alloy. Upgrades to v14.0.3 (7 security fixes including PKCE bypass and OAuth scope bypass).
--- a/service-versions.yaml
+++ b/service-versions.yaml
@ -59,7 +59,7 @@ services:

  - name: frigate-notify
    type: argocd
-    last-reviewed: 2026-02-22
+    last-reviewed: 2026-03-28
    current-version: "v0.5.4"
    upstream-source: https://github.com/0x2142/frigate-notify/releases

@ -112,7 +112,7 @@ services:

  - name: cloudnative-pg
    type: argocd
-    last-reviewed: 2026-02-24
+    last-reviewed: 2026-03-28
    current-version: "v1.28.1"
    upstream-source: https://github.com/cloudnative-pg/cloudnative-pg/releases
    notes: Deployed via Helm chart (chart v0.27.1 from forge mirror)
@ -147,7 +147,7 @@ services:

  - name: blumeops-pg
    type: argocd
-    last-reviewed: 2026-02-27
+    last-reviewed: 2026-03-28
    current-version: "18.3"
    upstream-source: https://github.com/cloudnative-pg/cloudnative-pg/releases
    notes: CloudNativePG Cluster resource; pinned to PG minor version
@ -287,10 +287,10 @@ services:

  - name: forgejo
    type: ansible
-    last-reviewed: 2026-02-22
-    current-version: "14.0.2"
+    last-reviewed: 2026-03-28
+    current-version: "14.0.3"
    upstream-source: https://codeberg.org/forgejo/forgejo/releases
-    notes: Installed via Homebrew on indri; plan to migrate to source build
+    notes: Built from source on indri (~/code/3rd/forgejo)

  - name: alloy
    type: ansible
				`@ -0,0 +1 @@`
				`Migrate Forgejo from Homebrew to source build with mcquack LaunchAgent, matching the pattern used by zot, caddy, and alloy. Upgrades to v14.0.3 (7 security fixes including PKCE bypass and OAuth scope bypass).`