# Forgejo Self-Hosting

Deploy your own **Forgejo** Git server on **Scaleway** or **Hetzner** with automated infrastructure provisioning and secure configuration.

## Features

- **One-command deployment** via interactive setup wizard
- **Infrastructure as Code** using Terraform/Terragrunt
- **Automated configuration** via Ansible
- **Secure by default**: Tailscale VPN + UFW firewall
- **Automatic HTTPS** via Caddy and Let's Encrypt
- **PostgreSQL database** with optimized settings
- **Redis caching** for improved performance
- **Automated backups** with configurable retention
- **Docker-based** Forgejo deployment

## Supported Providers

- **Scaleway** (France) - European cloud provider
- **Hetzner** (Germany) - European cloud provider

## Prerequisites

- macOS or Linux
- [Terraform](https://terraform.io) >= 1.5.0
- [Terragrunt](https://terragrunt.gruntwork.io)
- [Ansible](https://ansible.com) >= 2.14
- SSH key pair
- Cloud provider account (Scaleway or Hetzner)
- Domain name with DNS access

## Quick Start

```bash
# Clone the repository
git clone https://git.dumontix.eu/dumontix/forgejo-autohebergement.git
cd forgejo-autohebergement

# Run the interactive setup wizard
./setup-wizard.sh
```

The wizard will guide you through:

1. Checking dependencies
2. Selecting your SSH key
3. Choosing cloud provider (Scaleway/Hetzner)
4. Configuring secrets (Ansible Vault)
5. Setting up cloud credentials
6. Configuring your domain
7. Creating infrastructure
8. Deploying Forgejo
9. Setting up Tailscale VPN
10. Enabling UFW firewall

## Architecture

```
┌─────────────────────────────────────────────────────────────┐
│                          Internet                           │
└─────────────────────────────────────────────────────────────┘
                               │
                     ┌─────────┴─────────┐
                     │   Caddy (HTTPS)   │ ← Let's Encrypt
                     │   Port 80, 443    │
                     └─────────┬─────────┘
                               │
                     ┌─────────┴─────────┐
                     │      Forgejo      │ ← Docker Container
                     │     Port 3000     │
                     └─────────┬─────────┘
                               │
             ┌─────────────────┼─────────────────┐
             │                 │                 │
    ┌────────┴────────┐ ┌──────┴──────┐ ┌────────┴──────┐
    │   PostgreSQL    │ │    Redis    │ │   Tailscale   │
    │   (Database)    │ │   (Cache)   │ │   (VPN/SSH)   │
    └─────────────────┘ └─────────────┘ └───────────────┘
```

## Security

- **SSH access**: Only via Tailscale VPN (port 22 blocked publicly)
- **Git SSH**: Only via Tailscale (port 2222 blocked publicly)
- **Web access**: HTTPS only (HTTP redirects to HTTPS)
- **Firewall**: UFW with strict rules
- **2FA**: Enabled by default for user accounts

## Configuration

After deployment, you can customize your Forgejo instance:

```bash
# Edit configuration
make ansible-vault-edit

# Re-deploy with changes
make deploy
```

See `docs/CONFIGURATION.md` for all available options.

## Operations

```bash
# Check status
make status

# View logs
make logs

# Create backup
make backup

# Update Forgejo
make update

# SSH to server (via Tailscale)
ssh root@
```

See `docs/OPERATIONS.md` for the detailed operations guide.

## File Structure

```
forgejo-selfhosting/
├── ansible/
│   ├── inventory/production/   # Server inventory
│   ├── playbooks/              # Deployment playbooks
│   └── roles/forgejo/          # Forgejo role
├── terraform/
│   ├── scaleway/               # Scaleway infrastructure
│   └── hetzner/                # Hetzner infrastructure
├── docs/                       # Documentation
├── setup-wizard.sh             # Interactive setup
└── Makefile                    # Convenience commands
```

## Troubleshooting

### Cannot SSH after UFW enabled

SSH is only accessible via Tailscale after UFW is enabled. Use:

```bash
ssh root@
```

### Forgejo not starting

Check logs:

```bash
docker logs forgejo
```

### Database connection issues

Verify PostgreSQL is running and accessible:

```bash
systemctl status postgresql
```

## License

Apache 2.0. See LICENSE for details.

## Contributing

Contributions are welcome! Please read the contributing guidelines before submitting PRs.
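## Example: UFW policy as an Ansible play

The Security section above states the intended firewall policy (80/443 public, 22 and 2222 reachable only over Tailscale, everything else denied). The play below is an added example of how that policy can be expressed with the `community.general.ufw` module and checked afterwards; it is not the repository's own `roles/forgejo` code. It assumes an inventory group named `forgejo`, a Tailscale interface named `tailscale0`, and that the `community.general` collection is installed.

```yaml
# Added example, not part of the repository: enforce the README's UFW policy.
# Assumptions: inventory group "forgejo", Tailscale interface "tailscale0".
- name: Apply strict UFW policy for a Forgejo host
  hosts: forgejo
  become: true
  vars:
    tailscale_iface: tailscale0   # assumption: default Tailscale interface name
    git_ssh_port: "2222"          # Forgejo SSH port stated in the README
  tasks:
    - name: Reset UFW so stale rules cannot silently widen the policy
      community.general.ufw:
        state: reset

    - name: Deny all inbound traffic by default
      community.general.ufw:
        direction: incoming
        default: deny

    - name: Allow all outbound traffic by default
      community.general.ufw:
        direction: outgoing
        default: allow

    - name: Allow public HTTP and HTTPS for Caddy (ACME challenges, HTTP->HTTPS redirect)
      community.general.ufw:
        rule: allow
        port: "{{ item }}"
        proto: tcp
        comment: "Caddy"
      loop: ["80", "443"]

    - name: Allow admin SSH and Git SSH only on the Tailscale interface
      community.general.ufw:
        rule: allow
        direction: in
        interface: "{{ tailscale_iface }}"
        port: "{{ item }}"
        proto: tcp
        comment: "Tailscale-only SSH"
      loop: ["22", "{{ git_ssh_port }}"]

    # Enable only after Tailscale is up (wizard step 9 precedes step 10 for this reason).
    - name: Enable UFW
      community.general.ufw:
        state: enabled

    - name: Read back the active rule set
      ansible.builtin.command: ufw status verbose
      register: ufw_status
      changed_when: false

    # An interface-scoped rule prints as "22/tcp on tailscale0 ALLOW IN ...",
    # so a plain "22/tcp ALLOW IN Anywhere" line means SSH leaked to the public side.
    - name: Fail if SSH or Git SSH is allowed from Anywhere
      ansible.builtin.assert:
        that:
          - "ufw_status.stdout is not regex('^22/tcp\\s+ALLOW IN\\s+Anywhere', multiline=True)"
          - "ufw_status.stdout is not regex('^2222/tcp\\s+ALLOW IN\\s+Anywhere', multiline=True)"
        fail_msg: "SSH is reachable from the public internet; review the UFW rules"
```

Run it with `ansible-playbook -i ansible/inventory/production ufw-policy.yml` after Tailscale is connected; the final assert turns a misordered or hand-edited rule set into a failed play instead of a silently exposed port.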