Add Template to deploy forgejo.

This template allows deploying a forgejo en either Scaleway or Hetzner (untested) without much knowledge about them. It DOES require knowledge about Terragrunt and ansible. A wizard of sorts is provided but it will not guarantee success without some knowledge about the underlying technology.
2026-01-09 16:07:44 +01:00 · 2026-01-09 16:07:44 +01:00 · 822e42dbb8
commit 822e42dbb8
parent a9f546f92a
48 changed files with 6846 additions and 2 deletions
--- a/ansible/playbooks/vars/secrets.yml.example
+++ b/ansible/playbooks/vars/secrets.yml.example
@ -0,0 +1,40 @@
+---
+# Ansible Vault Encrypted Secrets
+#
+# IMPORTANT: Do NOT commit secrets.yml to git, even if encrypted!
+# The .gitignore is configured to exclude it, but always verify.
+#
+# To set up:
+#   1. cp secrets.yml.example secrets.yml
+#   2. Edit secrets.yml with your actual values
+#   3. ansible-vault encrypt secrets.yml
+#   4. Verify: git status should NOT show secrets.yml
+#
+# To edit encrypted secrets: ansible-vault edit secrets.yml
+
+# Database passwords
+vault_forgejo_db_password: "CHANGE_ME_STRONG_PASSWORD_HERE"
+
+# Admin account
+vault_forgejo_admin_password: "CHANGE_ME_ADMIN_PASSWORD_HERE"
+
+# Secret keys (generate with: openssl rand -base64 32)
+vault_forgejo_secret_key: "CHANGE_ME_SECRET_KEY_64_CHARS_MINIMUM_XXXXXXXXXXXXXXXXX"
+vault_forgejo_internal_token: "CHANGE_ME_INTERNAL_TOKEN_XXXXXXXXXXXXXXXXXXXXXXXXX"
+vault_forgejo_jwt_secret: "CHANGE_ME_JWT_SECRET_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+
+# Metrics token (if prometheus enabled)
+vault_forgejo_metrics_token: "CHANGE_ME_METRICS_TOKEN_XXXXXXXXX"
+
+# Email password (if email enabled)
+vault_email_password: ""
+
+# S3 credentials (if S3 enabled)
+vault_s3_access_key: ""
+vault_s3_secret_key: ""
+
+# Notes:
+# - Generate strong passwords: openssl rand -base64 32
+# - Never commit unencrypted secrets to version control
+# - Keep a secure backup of your vault password
+# - Rotate secrets regularly