Add Template to deploy forgejo.

This template allows deploying a forgejo en either Scaleway or Hetzner
(untested) without much knowledge about them.
It DOES require knowledge about Terragrunt and ansible. A wizard of
sorts is provided but it will not guarantee success without some
knowledge about the underlying technology.

ansible/playbooks/vars/main.yml

@@ -0,0 +1,64 @@
+---
+# Main variables for Forgejo deployment
+# NOTE: Domain-specific settings should be in inventory/production/hosts.yml
+#       Variables here are lower-priority defaults only.
+
+# Forgejo version (can be overridden in inventory)
+# forgejo_version: "9.0.2"
+
+# Protocol for public URLs (https recommended)
+forgejo_protocol: https
+
+# System configuration
+forgejo_user: git
+forgejo_group: git
+forgejo_uid: 1100
+forgejo_gid: 1100
+
+# Installation paths
+forgejo_base_path: /opt/forgejo
+forgejo_data_path: "{{ forgejo_base_path }}/data"
+forgejo_config_path: "{{ forgejo_base_path }}/config"
+
+# Network ports
+forgejo_http_port: 3000
+forgejo_ssh_port: 2222
+
+# Database configuration
+forgejo_db_type: postgres
+forgejo_db_host: localhost
+forgejo_db_port: 5432
+forgejo_db_name: forgejo
+forgejo_db_user: forgejo
+
+# Redis configuration
+forgejo_use_redis: true
+redis_host: localhost
+redis_port: 6379
+
+# SSL/TLS configuration
+forgejo_enable_letsencrypt: true
+letsencrypt_email: "admin@{{ forgejo_domain }}"
+
+# Features (can be overridden in inventory)
+forgejo_enable_lfs: true
+forgejo_enable_2fa: true
+# forgejo_disable_registration - set in inventory
+# forgejo_require_signin_view - set in inventory
+
+# Backup configuration
+forgejo_enable_backups: true
+forgejo_backup_schedule: "0 2 * * *"
+forgejo_backup_retention_days: 30
+
+# Monitoring
+forgejo_enable_prometheus: false
+
+# Email configuration
+forgejo_enable_email: false
+
+# S3 configuration
+forgejo_enable_s3: false
+
+# Security
+forgejo_log_level: Info

ansible/playbooks/vars/secrets.yml.example

@@ -0,0 +1,40 @@
+---
+# Ansible Vault Encrypted Secrets
+#
+# IMPORTANT: Do NOT commit secrets.yml to git, even if encrypted!
+# The .gitignore is configured to exclude it, but always verify.
+#
+# To set up:
+#   1. cp secrets.yml.example secrets.yml
+#   2. Edit secrets.yml with your actual values
+#   3. ansible-vault encrypt secrets.yml
+#   4. Verify: git status should NOT show secrets.yml
+#
+# To edit encrypted secrets: ansible-vault edit secrets.yml
+
+# Database passwords
+vault_forgejo_db_password: "CHANGE_ME_STRONG_PASSWORD_HERE"
+
+# Admin account
+vault_forgejo_admin_password: "CHANGE_ME_ADMIN_PASSWORD_HERE"
+
+# Secret keys (generate with: openssl rand -base64 32)
+vault_forgejo_secret_key: "CHANGE_ME_SECRET_KEY_64_CHARS_MINIMUM_XXXXXXXXXXXXXXXXX"
+vault_forgejo_internal_token: "CHANGE_ME_INTERNAL_TOKEN_XXXXXXXXXXXXXXXXXXXXXXXXX"
+vault_forgejo_jwt_secret: "CHANGE_ME_JWT_SECRET_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+
+# Metrics token (if prometheus enabled)
+vault_forgejo_metrics_token: "CHANGE_ME_METRICS_TOKEN_XXXXXXXXX"
+
+# Email password (if email enabled)
+vault_email_password: ""
+
+# S3 credentials (if S3 enabled)
+vault_s3_access_key: ""
+vault_s3_secret_key: ""
+
+# Notes:
+# - Generate strong passwords: openssl rand -base64 32
+# - Never commit unencrypted secrets to version control
+# - Keep a secure backup of your vault password
+# - Rotate secrets regularly