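# Forgejo - Self-hosted DevOps Stack
# =============================================================================
# Deploys to: 'devops' role (see deployments/hosts/roles.yaml)
# Docs: https://forgejo.org/docs/latest/admin/
#
# Deployment:
#   ./deployments/scripts/deploy-devops-stack.sh
#
# NOTE: Nginx reverse proxy is a separate stack at deployments/docker/nginx/
#       It runs with network_mode: host and reaches these services on 127.0.0.1.
#       Because of that, every HTTP port below is published on 127.0.0.1 only.
#       Docker-published ports bypass the host's own firewall rules, so a bare
#       "3000:3000" would expose the plain-HTTP upstream on every interface,
#       not just through nginx. Only the git-over-SSH port stays host-wide.
#
# Secrets: the ${VAR:?required} references below make compose abort with a
#          clear message instead of starting a service with an empty secret.
#
# SSL Certificates (self-signed, VPN-only):
#   See deployments/docker/nginx/ for cert setup
#
# Access (VPN-only, add to /etc/hosts with IP from roles.yaml):
#   <devops-role-ip> forge.black.local npm.black.local

services:
  forgejo:
    # Major-version tag; pin to a minor/patch tag (or digest) for reproducible
    # rollouts once a tested version is known.
    image: codeberg.org/forgejo/forgejo:11
    container_name: forgejo
    environment:
      - USER_UID=1000
      - USER_GID=1000
      # Database
      - FORGEJO__database__DB_TYPE=postgres
      - FORGEJO__database__HOST=db:5432
      - FORGEJO__database__NAME=forgejo
      - FORGEJO__database__USER=forgejo
      - FORGEJO__database__PASSWD=${FORGEJO_DB_PASSWORD:?required}
      # Server
      - FORGEJO__server__DOMAIN=forge.black.local
      - FORGEJO__server__SSH_DOMAIN=forge.black.local
      # ROOT_URL has no port: browsers reach Forgejo through nginx, not :3000.
      - FORGEJO__server__ROOT_URL=http://forge.black.local/
      # SSH_PORT is the port advertised in clone URLs, while the host mapping
      # under `ports:` publishes container port 22 on 2223.
      # NOTE(review): unless the nginx stack forwards 2222 -> 127.0.0.1:2223,
      # advertised clone URLs will not match the listening port — confirm.
      - FORGEJO__server__SSH_PORT=2222
      - FORGEJO__server__SSH_LISTEN_PORT=22
      - FORGEJO__server__LFS_START_SERVER=true
      # Security
      - FORGEJO__security__INSTALL_LOCK=true
      - FORGEJO__security__SECRET_KEY=${FORGEJO_SECRET_KEY:?required}
      - FORGEJO__security__INTERNAL_TOKEN=${FORGEJO_INTERNAL_TOKEN:?required}
      # Service settings
      - FORGEJO__service__DISABLE_REGISTRATION=true
      # Unauthenticated read of public repos is allowed; this relies on the
      # stack being reachable over the VPN only.
      - FORGEJO__service__REQUIRE_SIGNIN_VIEW=false
      - FORGEJO__service__DEFAULT_KEEP_EMAIL_PRIVATE=true
      # Package registries
      - FORGEJO__packages__ENABLED=true
      # Actions (CI/CD)
      - FORGEJO__actions__ENABLED=true
      - FORGEJO__actions__DEFAULT_ACTIONS_URL=https://code.forgejo.org
      # OAuth2 JWT
      - FORGEJO__oauth2__JWT_SECRET=${FORGEJO_JWT_SECRET:?required}
    restart: unless-stopped
    networks:
      - forgejo
    ports:
      # HTTP: loopback only, consumed by nginx (see header).
      - "127.0.0.1:3000:3000"
      # git over SSH is not proxied by nginx, so this stays host-wide.
      - "2223:22"
    volumes:
      - ./data/forgejo:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    depends_on:
      db:
        condition: service_healthy

  db:
    image: postgres:16-alpine
    container_name: forgejo-db
    restart: unless-stopped
    environment:
      - POSTGRES_USER=forgejo
      - POSTGRES_PASSWORD=${FORGEJO_DB_PASSWORD:?required}
      - POSTGRES_DB=forgejo
    # No `ports:` on purpose — the database is reachable only on the
    # compose network.
    networks:
      - forgejo
    volumes:
      - ./data/postgres:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "forgejo"]
      interval: 10s
      timeout: 5s
      retries: 5

  runner:
    image: code.forgejo.org/forgejo/runner:6.2.1
    container_name: forgejo-runner
    command: forgejo-runner daemon
    restart: unless-stopped
    # List form only orders start-up; forgejo has no healthcheck, so
    # `condition: service_healthy` is not available here.
    depends_on:
      - forgejo
    # Get docker GID with: ssh <devops-host> "getent group docker | cut -d: -f3"
    # HOST-SPECIFIC: Update this GID when migrating to new host
    group_add:
      - "${DOCKER_GID:-1001}"
    volumes:
      - ./data/runner:/data
      # Mounting the Docker socket makes the runner root-equivalent on the
      # host: any workflow it executes can control the host's Docker daemon.
      # Keep the set of users who can push workflows to this instance small.
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - forgejo
    # Runner registration:
    #   docker exec -u git forgejo forgejo actions generate-runner-token
    #   docker run --rm -v ./data/runner:/data code.forgejo.org/forgejo/runner:6.2.1 \
    #     forgejo-runner register --instance http://localhost:3000 --token <TOKEN> --name $(hostname)-runner --no-interactive
    # NOTE(review): inside that throw-away container, localhost:3000 is the
    # container itself, not the host; the daemon above resolves the instance as
    # http://forgejo:3000 on the `forgejo` network — confirm which URL the
    # stored registration uses.

  # ==========================================================================
  # pypiserver - Python Package Index (proxied via nginx at pypi.black.local)
  # ==========================================================================
  pypi:
    # `latest` is unpinned: every pull may change the image. Pin a tag or
    # digest once a version has been validated.
    image: pypiserver/pypiserver:latest
    container_name: pypiserver
    restart: unless-stopped
    # `-P .` = no password file, `-a .` = authenticate no actions: uploads are
    # unauthenticated, so anyone who can reach the index can publish a package
    # under any name. The loopback port binding below limits that to nginx;
    # keep it that way (or add a password file) to avoid package poisoning.
    command: run -P . -a . --server wsgiref
    ports:
      # Loopback only, consumed by nginx (see header).
      - "127.0.0.1:8080:8080"
    volumes:
      - /bigdisk/pypi/packages:/data/packages
    networks:
      - forgejo
    healthcheck:
      test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:8080/"]
      interval: 30s
      timeout: 10s
      retries: 3

  # ==========================================================================
  # Verdaccio - NPM Cache (proxied via nginx at npm.black.local)
  # ==========================================================================
  verdaccio:
    image: verdaccio/verdaccio:6
    container_name: verdaccio
    restart: unless-stopped
    environment:
      - VERDACCIO_PORT=4873
      - VERDACCIO_PUBLIC_URL=http://npm.black.local
      - FORGEJO_NPM_TOKEN=${FORGEJO_NPM_TOKEN}
    ports:
      # Loopback only, consumed by nginx (see header).
      - "127.0.0.1:4873:4873"
    volumes:
      - /bigdisk/verdaccio/storage:/verdaccio/storage
      - /bigdisk/verdaccio/config:/verdaccio/conf
    networks:
      - forgejo
    healthcheck:
      test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:4873/-/ping"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s

networks:
  forgejo:
    driver: bridge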