Add Template to deploy forgejo.

This template allows deploying a forgejo en either Scaleway or Hetzner (untested) without much knowledge about them. It DOES require knowledge about Terragrunt and ansible. A wizard of sorts is provided but it will not guarantee success without some knowledge about the underlying technology.
2026-01-09 16:07:44 +01:00 · 2026-01-09 16:07:44 +01:00 · 822e42dbb8
commit 822e42dbb8
parent a9f546f92a
48 changed files with 6846 additions and 2 deletions
--- a/ansible/roles/forgejo/tasks/postgres.yml
+++ b/ansible/roles/forgejo/tasks/postgres.yml
@ -0,0 +1,163 @@
+---
+# PostgreSQL setup tasks
+
+- name: Install PostgreSQL
+  ansible.builtin.apt:
+    name:
+      - "postgresql-{{ postgres_version }}"
+      - "postgresql-contrib-{{ postgres_version }}"
+      - python3-psycopg2
+    state: present
+    update_cache: yes
+  become: yes
+
+- name: Ensure PostgreSQL is started and enabled
+  ansible.builtin.systemd:
+    name: postgresql
+    state: started
+    enabled: yes
+  become: yes
+
+- name: Create PostgreSQL data directory
+  ansible.builtin.file:
+    path: "{{ postgres_data_dir }}"
+    state: directory
+    owner: postgres
+    group: postgres
+    mode: '0700'
+  become: yes
+  when: forgejo_use_external_volume | bool
+
+- name: Check if PostgreSQL database exists
+  ansible.builtin.command:
+    cmd: psql -U postgres -lqt
+  register: postgres_db_list
+  changed_when: false
+  become: yes
+  become_user: postgres
+
+- name: Create Forgejo PostgreSQL database
+  community.postgresql.postgresql_db:
+    name: "{{ forgejo_db_name }}"
+    encoding: UTF8
+    lc_collate: en_US.UTF-8
+    lc_ctype: en_US.UTF-8
+    template: template0
+    state: present
+  become: yes
+  become_user: postgres
+  when: forgejo_db_name not in postgres_db_list.stdout
+
+- name: Create Forgejo PostgreSQL user
+  community.postgresql.postgresql_user:
+    name: "{{ forgejo_db_user }}"
+    password: "{{ forgejo_db_password }}"
+    state: present
+  become: yes
+  become_user: postgres
+  no_log: yes
+
+- name: Grant database privileges to Forgejo user
+  community.postgresql.postgresql_privs:
+    database: "{{ forgejo_db_name }}"
+    roles: "{{ forgejo_db_user }}"
+    type: database
+    privs: ALL
+  become: yes
+  become_user: postgres
+
+- name: Grant schema privileges to Forgejo user
+  community.postgresql.postgresql_privs:
+    database: "{{ forgejo_db_name }}"
+    roles: "{{ forgejo_db_user }}"
+    type: schema
+    objs: public
+    privs: ALL
+  become: yes
+  become_user: postgres
+
+- name: Set Forgejo user as owner of public schema
+  community.postgresql.postgresql_owner:
+    db: "{{ forgejo_db_name }}"
+    new_owner: "{{ forgejo_db_user }}"
+    obj_name: public
+    obj_type: schema
+  become: yes
+  become_user: postgres
+
+- name: Configure PostgreSQL for optimal performance
+  ansible.builtin.lineinfile:
+    path: "/etc/postgresql/{{ postgres_version }}/main/postgresql.conf"
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    state: present
+  become: yes
+  loop:
+    - { regexp: '^max_connections', line: "max_connections = {{ postgres_max_connections }}" }
+    - { regexp: '^shared_buffers', line: "shared_buffers = {{ postgres_shared_buffers }}" }
+    - { regexp: '^effective_cache_size', line: "effective_cache_size = {{ postgres_effective_cache_size }}" }
+    - { regexp: '^maintenance_work_mem', line: "maintenance_work_mem = 128MB" }
+    - { regexp: '^checkpoint_completion_target', line: "checkpoint_completion_target = 0.9" }
+    - { regexp: '^wal_buffers', line: "wal_buffers = 16MB" }
+    - { regexp: '^default_statistics_target', line: "default_statistics_target = 100" }
+    - { regexp: '^random_page_cost', line: "random_page_cost = 1.1" }
+    - { regexp: '^effective_io_concurrency', line: "effective_io_concurrency = 200" }
+    - { regexp: '^work_mem', line: "work_mem = 8MB" }
+    - { regexp: '^min_wal_size', line: "min_wal_size = 1GB" }
+    - { regexp: '^max_wal_size', line: "max_wal_size = 4GB" }
+  notify: Restart PostgreSQL
+
+- name: Configure PostgreSQL to listen on all interfaces
+  ansible.builtin.lineinfile:
+    path: "/etc/postgresql/{{ postgres_version }}/main/postgresql.conf"
+    regexp: "^#?listen_addresses"
+    line: "listen_addresses = '*'"
+    state: present
+  become: yes
+  notify: Restart PostgreSQL
+
+- name: Configure PostgreSQL authentication
+  ansible.builtin.lineinfile:
+    path: "/etc/postgresql/{{ postgres_version }}/main/pg_hba.conf"
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    state: present
+  become: yes
+  loop:
+    - regexp: '^local\s+all\s+postgres'
+      line: 'local   all             postgres                                peer'
+    - regexp: '^local\s+all\s+all'
+      line: 'local   all             all                                     peer'
+    - regexp: '^host\s+all\s+all\s+127\.0\.0\.1'
+      line: 'host    all             all             127.0.0.1/32            scram-sha-256'
+    - regexp: '^host\s+all\s+all\s+::1'
+      line: 'host    all             all             ::1/128                 scram-sha-256'
+  notify: Restart PostgreSQL
+
+- name: Allow Docker network to connect to PostgreSQL
+  ansible.builtin.lineinfile:
+    path: "/etc/postgresql/{{ postgres_version }}/main/pg_hba.conf"
+    line: 'host    all             all             172.16.0.0/12           scram-sha-256'
+    insertafter: '^host\s+all\s+all\s+127'
+    state: present
+  become: yes
+  notify: Restart PostgreSQL
+
+- name: Enable PostgreSQL extensions
+  community.postgresql.postgresql_ext:
+    name: "{{ item }}"
+    db: "{{ forgejo_db_name }}"
+    state: present
+  become: yes
+  become_user: postgres
+  loop:
+    - pg_trgm
+    - btree_gin
+
+- name: Create PostgreSQL backup script
+  ansible.builtin.template:
+    src: postgres_backup.sh.j2
+    dest: /usr/local/bin/postgres_backup.sh
+    mode: '0755'
+  become: yes
+  when: forgejo_enable_backups | bool