## Summary

- Migrate Forgejo from Homebrew to source-built binary with mcquack LaunchAgent
- Matches the established pattern used by zot, caddy, and alloy
- Upgrades to v14.0.3 (7 security fixes: PKCE bypass, OAuth scope bypass, open redirect, and more)

## Changes

- **Ansible role**: Replace brew install/services with binary stat check + LaunchAgent
- **Paths**: `/opt/homebrew/var/forgejo` → `~/forgejo`, binary at `~/code/3rd/forgejo/forgejo`
- **Run user**: `forgejo` → `erichblume` (LaunchAgent user; SSH git user stays `forgejo`)
- **Docs**: Updated Forgejo reference card, restart-indri guide
- **Service review**: Stamped frigate-notify, cloudnative-pg, blumeops-pg as current

## One-time migration steps (manual, on indri)

1. Clone from Codeberg, add forge mirror remote
2. Check out v14.0.3, build with `make build && make forgejo`
3. Stop brew, `cp -a` data to `~/forgejo`, fix ownership
4. Run `provision-indri --tags forgejo`
5. Verify, then `brew uninstall forgejo`

## Data safety

- `cp -a` preserves everything (repos, SQLite DB, LFS, sessions, OAuth config)
- Brew version stays installed as rollback until verification passes
- No schema changes between 14.0.2 → 14.0.3

Reviewed-on: #316
63 lines
2 KiB
YAML
```yaml
---
# Forgejo role — source-built binary with LaunchAgent
#
# ONE-TIME SETUP (before running ansible):
#
# 1. Clone forgejo from codeberg (avoid circular dependency):
#    ssh indri 'git clone https://codeberg.org/forgejo/forgejo.git ~/code/3rd/forgejo'
#
# 2. Add forge mirror as secondary remote:
#    ssh indri 'cd ~/code/3rd/forgejo && git remote add forge https://forge.eblu.me/mirrors/forgejo.git'
#
# 3. Build (mise.toml handles Go/Node versions and build tags):
#    ssh indri 'cd ~/code/3rd/forgejo && mise run build'
#
# 4. Run ansible to deploy config and LaunchAgent
#
# Secrets (lfs_jwt_secret, internal_token, oauth2_jwt_secret) are fetched
# from 1Password in the playbook pre_tasks.

# Presence check only: this confirms a binary exists at the path, not which
# tag it was built from or with which build tags.
- name: Verify forgejo binary exists
  ansible.builtin.stat:
    path: "{{ forgejo_binary }}"
  register: forgejo_binary_stat

- name: Fail if forgejo binary not found
  ansible.builtin.fail:
    msg: |
      Forgejo binary not found at {{ forgejo_binary }}.
      Please build from source first:
        ssh indri 'cd ~/code/3rd/forgejo && mise run build'
  when: not forgejo_binary_stat.stat.exists

- name: Ensure forgejo config directory exists
  ansible.builtin.file:
    path: "{{ forgejo_work_path }}/custom/conf"
    state: directory
    mode: '0755'

# app.ini carries the secrets rendered from 1Password, hence 0600.
- name: Deploy forgejo config
  ansible.builtin.template:
    src: app.ini.j2
    dest: "{{ forgejo_config_path }}"
    mode: '0600'
  notify: Restart forgejo

- name: Deploy forgejo LaunchAgent plist
  ansible.builtin.template:
    src: forgejo.plist.j2
    dest: ~/Library/LaunchAgents/mcquack.eblume.forgejo.plist
    mode: '0644'
  notify: Restart forgejo

# `launchctl list <label>` exits non-zero when the job is not loaded.
- name: Check if forgejo LaunchAgent is loaded
  ansible.builtin.command: launchctl list mcquack.eblume.forgejo
  register: forgejo_launchctl_check
  changed_when: false
  failed_when: false

# `launchctl load` is the legacy interface (`launchctl bootstrap gui/<uid>` is
# the modern form). With failed_when: false a failed load is not reported here,
# so confirm with `launchctl list mcquack.eblume.forgejo` after the play.
- name: Load forgejo LaunchAgent if not loaded
  ansible.builtin.command: launchctl load ~/Library/LaunchAgents/mcquack.eblume.forgejo.plist
  when: forgejo_launchctl_check.rc != 0
  changed_when: true
  failed_when: false
```
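The migration steps in the commit message and the role's stat task above both stop short of two checks a practitioner would want before `brew uninstall forgejo`: that the binary at `~/code/3rd/forgejo/forgejo` really reports v14.0.3, and that the `cp -a` into `~/forgejo` preserved file modes (the 0600 on `app.ini` in particular). The script below is an added example, not code from the blumeops repository; the `forgejo --version` sample line is constructed (the real binary's wording should be confirmed on indri), and the `--live` paths are taken from the commit message. Owners are deliberately not compared, since the migration changes the run user from `forgejo` to `erichblume`.

```shell
#!/bin/sh
# Added example: post-migration checks for the Homebrew -> source-built Forgejo move.
# Runs on macOS (indri) and Linux with only sh, sed, find, stat, cp and mktemp.

# Constructed sample of `forgejo --version` output (assumption: real output starts
# with "Forgejo version <semver>"; verify against the built binary).
SAMPLE_VERSION_OUTPUT='Forgejo version 14.0.3+gitea-1.22.0 built with GNU Make 4.4.1, go1.24.0 : bindata, sqlite, sqlite_unlock_notify'

# Extract the bare version ("14.0.3") from --version output; prints nothing on no match.
forgejo_version_from_output() {
  printf '%s\n' "$1" | sed -n 's/^Forgejo version \([0-9][0-9.]*\).*/\1/p'
}

# 0 when the output reports exactly the expected version, 1 otherwise.
check_forgejo_version() {
  expected="$1"
  got=$(forgejo_version_from_output "$2")
  if [ -n "$got" ] && [ "$got" = "$expected" ]; then
    return 0
  fi
  echo "version mismatch: expected $expected, got '${got:-unparsable}'" >&2
  return 1
}

# Octal mode of a path; GNU stat first, BSD/macOS stat as fallback.
file_mode() {
  if stat -c %a "$1" >/dev/null 2>&1; then
    stat -c %a "$1"
  else
    stat -f %Lp "$1"
  fi
}

# Walk every entry under src and require the same entry with the same mode under dst.
# Prints each problem; exit status 1 if anything was missing or had a different mode.
compare_tree_modes() {
  src="$1"; dst="$2"; rc=0
  while IFS= read -r rel; do
    [ -n "$rel" ] || continue
    if [ ! -e "$dst/$rel" ]; then
      echo "missing in destination: $rel"; rc=1; continue
    fi
    sm=$(file_mode "$src/$rel"); dm=$(file_mode "$dst/$rel")
    if [ "$sm" != "$dm" ]; then
      echo "mode mismatch: $rel src=$sm dst=$dm"; rc=1
    fi
  done <<EOF
$(cd "$src" && find . -mindepth 1 | sed 's|^\./||')
EOF
  return $rc
}

# Offline demonstration on a constructed Forgejo-like tree: cp -a keeps modes, and a
# loosened app.ini in the copy is caught.
demo_cp_a_preserves_modes() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/src/custom/conf" "$tmp/src/data/lfs"
  printf 'INTERNAL_TOKEN = example\n' > "$tmp/src/custom/conf/app.ini"
  chmod 600 "$tmp/src/custom/conf/app.ini"
  printf 'blob\n' > "$tmp/src/data/lfs/obj"
  chmod 644 "$tmp/data/lfs/obj" 2>/dev/null || chmod 644 "$tmp/src/data/lfs/obj"
  cp -a "$tmp/src" "$tmp/dst"
  compare_tree_modes "$tmp/src" "$tmp/dst" >/dev/null || { rm -rf "$tmp"; return 1; }
  chmod 644 "$tmp/dst/custom/conf/app.ini"
  if compare_tree_modes "$tmp/src" "$tmp/dst" >/dev/null; then
    rm -rf "$tmp"; return 1
  fi
  rm -rf "$tmp"
  return 0
}

# Live use on indri (paths from the commit message):  sh forgejo-migration-check.sh --live
if [ "${1:-}" = "--live" ]; then
  check_forgejo_version 14.0.3 "$("$HOME/code/3rd/forgejo/forgejo" --version)" || exit 1
  compare_tree_modes /opt/homebrew/var/forgejo "$HOME/forgejo" || exit 1
  echo "forgejo migration checks passed"
fi
```

Run the live checks after step 3 of the migration and before step 5; a non-zero exit means the Homebrew install should stay as the rollback until the reported path or version is fixed.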