platform-deployments/docker/forgejo/docker-compose.yml


# Forgejo - Self-hosted DevOps Stack
# =============================================================================
# Deploys to: 'devops' role (see deployments/hosts/roles.yaml)
# Docs: https://forgejo.org/docs/latest/admin/
#
# Deployment:
# ./deployments/scripts/deploy-devops-stack.sh
#
# NOTE: Nginx reverse proxy is a separate stack at deployments/docker/nginx/
# It runs with network_mode: host and reaches these services on 127.0.0.1.
#
# SSL Certificates (self-signed, VPN-only):
# See deployments/docker/nginx/ for cert setup
#
# Access (VPN-only, add to /etc/hosts with IP from roles.yaml):
# <devops-role-ip> forge.black.local npm.black.local pypi.black.local
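services:
  forgejo:
    image: codeberg.org/forgejo/forgejo:11
    container_name: forgejo
    environment:
      - USER_UID=1000
      - USER_GID=1000
      # Database -- reached only over the private compose network; the db
      # service publishes no ports.
      - FORGEJO__database__DB_TYPE=postgres
      - FORGEJO__database__HOST=db:5432
      - FORGEJO__database__NAME=forgejo
      - FORGEJO__database__USER=forgejo
      - FORGEJO__database__PASSWD=${FORGEJO_DB_PASSWORD}
      # Server
      - FORGEJO__server__DOMAIN=forge.black.local
      - FORGEJO__server__SSH_DOMAIN=forge.black.local
      # NOTE(review): ROOT_URL is what Forgejo uses for generated links,
      # redirects and cookie settings. If the nginx stack serves
      # forge.black.local over the self-signed TLS mentioned in the header,
      # this should be https://forge.black.local/ and nginx must pass
      # X-Forwarded-Proto. Left as http because the nginx config is not
      # visible from this file -- confirm.
      - FORGEJO__server__ROOT_URL=http://forge.black.local/
      # SSH_PORT is the port advertised in clone URLs. It has to equal the
      # HOST side of the "2223:22" mapping below; the previous value (2222)
      # produced clone URLs nothing listened on unless the host forwarded that
      # port separately -- verify against the host's sshd/firewall before
      # relying on this.
      - FORGEJO__server__SSH_PORT=2223
      - FORGEJO__server__SSH_LISTEN_PORT=22
      - FORGEJO__server__LFS_START_SERVER=true
      # Security: INSTALL_LOCK keeps the web installer closed. The three
      # secrets come from the deploy-time .env (never commit them) and are
      # readable via `docker inspect` by anyone in the host docker group.
      - FORGEJO__security__INSTALL_LOCK=true
      - FORGEJO__security__SECRET_KEY=${FORGEJO_SECRET_KEY}
      - FORGEJO__security__INTERNAL_TOKEN=${FORGEJO_INTERNAL_TOKEN}
      # Service settings: no self-registration. Anonymous VPN users can still
      # browse public repos (REQUIRE_SIGNIN_VIEW=false); set it to true if
      # every view on this instance should require an account.
      - FORGEJO__service__DISABLE_REGISTRATION=true
      - FORGEJO__service__REQUIRE_SIGNIN_VIEW=false
      - FORGEJO__service__DEFAULT_KEEP_EMAIL_PRIVATE=true
      # Package registries
      - FORGEJO__packages__ENABLED=true
      # Actions (CI/CD): actions referenced without a host are fetched from
      # DEFAULT_ACTIONS_URL over the internet; pin them by tag or commit in
      # workflows rather than tracking a branch.
      - FORGEJO__actions__ENABLED=true
      - FORGEJO__actions__DEFAULT_ACTIONS_URL=https://code.forgejo.org
      # OAuth2 JWT
      - FORGEJO__oauth2__JWT_SECRET=${FORGEJO_JWT_SECRET}
    restart: unless-stopped
    networks:
      - forgejo
    ports:
      # HTTP is consumed only by the nginx stack on this host (see header), so
      # bind it to loopback. Docker-published ports bypass host firewall
      # rules, so the former "3000:3000" listened on every interface, not
      # just the VPN one.
      - "127.0.0.1:3000:3000"
      # Git-over-SSH is used directly by VPN clients (not through nginx), so
      # it stays on all interfaces; narrow it to "<vpn-ip>:2223:22" if the
      # host also has a non-VPN interface.
      - "2223:22"
    volumes:
      - ./data/forgejo:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    depends_on:
      db:
        condition: service_healthy

  db:
    image: postgres:16-alpine
    container_name: forgejo-db
    restart: unless-stopped
    environment:
      - POSTGRES_USER=forgejo
      - POSTGRES_PASSWORD=${FORGEJO_DB_PASSWORD}
      - POSTGRES_DB=forgejo
    networks:
      - forgejo
    # No `ports:` on purpose -- the database is reachable only from containers
    # on the forgejo network.
    volumes:
      - ./data/postgres:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "forgejo"]
      interval: 10s
      timeout: 5s
      retries: 5

  runner:
    image: code.forgejo.org/forgejo/runner:6.2.1
    container_name: forgejo-runner
    command: forgejo-runner daemon
    restart: unless-stopped
    depends_on:
      forgejo:
        condition: service_started
    # Get docker GID with: ssh <devops-host> "getent group docker | cut -d: -f3"
    # HOST-SPECIFIC: Update this GID when migrating to new host
    group_add:
      - "${DOCKER_GID:-1001}"
    volumes:
      - ./data/runner:/data
      # SECURITY: the host Docker socket is root-equivalent on the host (a job
      # can start a privileged container with / mounted). Every workflow this
      # runner executes therefore runs with host-root trust. Only register it
      # for repos whose committers you would already trust with the devops
      # host, and restrict which repos may use Actions in Forgejo; a
      # docker-in-docker or rootless runner is what lifts this restriction.
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - forgejo
    # Runner registration (one-off, before the first `docker compose up`):
    #   docker exec -u git forgejo forgejo actions generate-runner-token
    #   docker run --rm -v ./data/runner:/data --network <project>_forgejo \
    #     code.forgejo.org/forgejo/runner:6.2.1 \
    #     forgejo-runner register --instance http://forgejo:3000 --token <TOKEN> \
    #       --name $(hostname)-runner --no-interactive
    # (`docker network ls` shows the compose-prefixed network name.)
    # The --instance URL is persisted under data/runner and is what the daemon
    # container dials from inside the compose network, so it must be the
    # service name. As previously written, http://localhost:3000 resolved to
    # the registration container itself, and with the HTTP port now bound to
    # 127.0.0.1 on the host it is not reachable from a container either.
    # Keep the registration token out of this file and shared shell history.

  # ==========================================================================
  # pypiserver - Python Package Index (proxied via nginx at pypi.black.local)
  # ==========================================================================
  pypi:
    # NOTE(review): `latest` is a moving target; pin a tagged release so a
    # broken or compromised upstream push cannot change what deploys here.
    image: pypiserver/pypiserver:latest
    container_name: pypiserver
    restart: unless-stopped
    # SECURITY: `-P .` disables the password file and `-a .` removes
    # authentication from every action, so anyone who can reach
    # pypi.black.local over the VPN can upload a package (or a higher version
    # of an existing one) that every `pip install` pointed here will then
    # trust. To keep downloads open but gate uploads, use something like
    #   command: run -P /data/auth/.htpasswd -a update --server wsgiref
    # with the htpasswd file mounted read-only and created via
    # `htpasswd -sc`. Left unchanged here because it needs that file to
    # exist on the host first. `wsgiref` is the single-threaded reference
    # server -- adequate for a handful of VPN users only.
    command: run -P . -a . --server wsgiref
    ports:
      # Only nginx talks to this port (see the section header), so loopback.
      - "127.0.0.1:8080:8080"
    volumes:
      - /bigdisk/pypi/packages:/data/packages
    networks:
      - forgejo
    healthcheck:
      test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:8080/"]
      interval: 30s
      timeout: 10s
      retries: 3

  # ==========================================================================
  # Verdaccio - NPM Cache (proxied via nginx at npm.black.local)
  # ==========================================================================
  verdaccio:
    image: verdaccio/verdaccio:6
    container_name: verdaccio
    restart: unless-stopped
    environment:
      - VERDACCIO_PORT=4873
      # Same scheme caveat as Forgejo's ROOT_URL: switch to https:// if nginx
      # terminates TLS for npm.black.local, otherwise the URLs verdaccio
      # hands to npm clients stay http.
      - VERDACCIO_PUBLIC_URL=http://npm.black.local
      # Consumed by the mounted verdaccio config (not visible here) --
      # presumably a token for Forgejo's npm registry; scope it to package
      # read unless verdaccio actually publishes through it. The publish /
      # access rules for this cache also live in that config; verify they do
      # not let every authenticated user publish.
      - FORGEJO_NPM_TOKEN=${FORGEJO_NPM_TOKEN}
    ports:
      # Only nginx talks to this port (see the section header), so loopback.
      - "127.0.0.1:4873:4873"
    volumes:
      - /bigdisk/verdaccio/storage:/verdaccio/storage
      - /bigdisk/verdaccio/config:/verdaccio/conf
    networks:
      - forgejo
    healthcheck:
      test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:4873/-/ping"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s

networks:
  forgejo:
    driver: bridge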