forgejo-autohebergement/README.md
Horacio Duran 822e42dbb8 Add Template to deploy forgejo.
This template allows deploying Forgejo on either Scaleway or Hetzner
(untested) without much knowledge about them.
It DOES require knowledge about Terragrunt and ansible. A wizard of
sorts is provided but it will not guarantee success without some
knowledge about the underlying technology.
2026-01-09 16:07:44 +01:00


Forgejo Self-Hosting

Deploy your own Forgejo Git server on Scaleway or Hetzner with automated infrastructure provisioning and secure configuration.

Features

  • One-command deployment via interactive setup wizard
  • Infrastructure as Code using Terraform/Terragrunt
  • Automated configuration via Ansible
  • Secure by default: Tailscale VPN + UFW firewall
  • Automatic HTTPS via Caddy and Let's Encrypt
  • PostgreSQL database with optimized settings
  • Redis caching for improved performance
  • Automated backups with configurable retention
  • Docker-based Forgejo deployment

Supported Providers

  • Scaleway (France) - European cloud provider
  • Hetzner (Germany) - European cloud provider

Prerequisites

  • macOS or Linux
  • Terraform >= 1.5.0
  • Terragrunt
  • Ansible >= 2.14
  • SSH key pair
  • Cloud provider account (Scaleway or Hetzner)
  • Domain name with DNS access

Quick Start

# Clone the repository
git clone https://git.dumontix.eu/dumontix/forgejo-autohebergement.git
cd forgejo-autohebergement

# Run the interactive setup wizard
./setup-wizard.sh

The wizard will guide you through:

  1. Checking dependencies
  2. Selecting your SSH key
  3. Choosing cloud provider (Scaleway/Hetzner)
  4. Configuring secrets (Ansible Vault)
  5. Setting up cloud credentials
  6. Configuring your domain
  7. Creating infrastructure
  8. Deploying Forgejo
  9. Setting up Tailscale VPN
  10. Enabling UFW firewall

Architecture

┌─────────────────────────────────────────────────────────────┐
│                         Internet                            │
└─────────────────────────────────────────────────────────────┘
                              │
                    ┌─────────┴─────────┐
                    │   Caddy (HTTPS)   │ ← Let's Encrypt
                    │   Port 80, 443    │
                    └─────────┬─────────┘
                              │
                    ┌─────────┴─────────┐
                    │     Forgejo       │ ← Docker Container
                    │   Port 3000       │
                    └─────────┬─────────┘
                              │
            ┌─────────────────┼─────────────────┐
            │                 │                 │
   ┌────────┴────────┐ ┌──────┴──────┐ ┌────────┴──────┐
   │   PostgreSQL    │ │    Redis    │ │   Tailscale   │
   │   (Database)    │ │   (Cache)   │ │  (VPN/SSH)    │
   └─────────────────┘ └─────────────┘ └───────────────┘

Security

  • SSH access: Only via Tailscale VPN (port 22 blocked publicly)
  • Git SSH: Only via Tailscale (port 2222 blocked publicly)
  • Web access: HTTPS only (HTTP redirects to HTTPS)
  • Firewall: UFW with strict rules
  • 2FA: Enabled by default for user accounts
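The policy in the list above (only Caddy's 80/443 reachable from the internet; host SSH on 22 and Forgejo's Git SSH on 2222 reachable only over the Tailscale interface) is easy to get wrong in the one way that matters: enabling UFW before Tailscale is up locks you out of the box. The script below is an added illustration, not the project's own Ansible role or wizard code. It assumes the Tailscale interface is named tailscale0, that Forgejo's SSH listener is on 2222 as this README states, and it uses its own knobs (TS_IFACE, UFW_BIN, DRY_RUN) that are not part of the project.

```shell
#!/bin/sh
# Added example: render and apply the UFW policy from the Security section,
# refusing to enable the firewall unless the Tailscale interface is up.
# Assumptions (not from the project): interface tailscale0, Git SSH on 2222.
set -eu

TS_IFACE="${TS_IFACE:-tailscale0}"   # assumed interface name
UFW_BIN="${UFW_BIN:-ufw}"            # override in tests or on non-Ubuntu hosts

# Pure function: one ufw argument list per line. Nothing is executed here.
# Public: 80/443 (Caddy) and Tailscale's WireGuard port 41641/udp so peers
# can connect directly instead of via DERP relays. SSH 22 and Git SSH 2222
# are only allowed *in on* the Tailscale interface, never on the public IP.
render_rules() {
  iface="$1"
  cat <<EOF
default deny incoming
default allow outgoing
allow 80/tcp
allow 443/tcp
allow 41641/udp
allow in on ${iface} to any port 22 proto tcp
allow in on ${iface} to any port 2222 proto tcp
EOF
}

# Succeeds only if the interface exists and carries an IPv4 address
# (i.e. tailscaled is running and the node has joined the tailnet).
tailscale_iface_ready() {
  iface="$1"
  command -v ip >/dev/null 2>&1 || return 1
  ip -o -4 addr show dev "$iface" 2>/dev/null | grep -q ' inet '
}

# Apply the policy. With DRY_RUN=1 the ufw commands are printed, not run.
# The pre-flight check is the important part: "default deny incoming" with
# port 22 bound to tailscale0 is a lockout if Tailscale is not reachable.
apply_firewall() {
  iface="$1"
  if ! tailscale_iface_ready "$iface"; then
    echo "refusing to enable UFW: ${iface} has no IPv4 address (is tailscaled up and logged in?)" >&2
    return 2
  fi
  render_rules "$iface" | while IFS= read -r rule; do
    [ -n "$rule" ] || continue
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "$UFW_BIN $rule"
    else
      # shellcheck disable=SC2086  # word-splitting of the rule is intended
      "$UFW_BIN" $rule
    fi
  done
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$UFW_BIN --force enable"
  else
    "$UFW_BIN" --force enable
    "$UFW_BIN" status verbose
  fi
}

# Usage: ./ufw-policy.sh apply      (or DRY_RUN=1 ./ufw-policy.sh apply)
case "${1:-}" in
  apply) apply_firewall "$TS_IFACE" ;;
esac
```

Run it with `apply` from a session that is already connected over Tailscale, so the refusal path (exit status 2 when the interface has no address) is the only way it can fail before the public port 22 goes away. After it returns, `ufw status verbose` should show 22 and 2222 listed only with "on tailscale0" and no bare `22/tcp ALLOW Anywhere` entry.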

Configuration

After deployment, you can customize your Forgejo instance:

# Edit configuration and secrets (stored in the Ansible Vault)
make ansible-vault-edit

# Re-deploy with changes
make deploy

See docs/CONFIGURATION.md for all available options.

Operations

# Check status
make status

# View logs
make logs

# Create backup
make backup

# Update Forgejo
make update

# SSH to server (via Tailscale)
ssh root@<tailscale-hostname>

See docs/OPERATIONS.md for detailed operations guide.

File Structure

forgejo-selfhosting/
├── ansible/
│   ├── inventory/production/    # Server inventory
│   ├── playbooks/              # Deployment playbooks
│   └── roles/forgejo/          # Forgejo role
├── terraform/
│   ├── scaleway/               # Scaleway infrastructure
│   └── hetzner/                # Hetzner infrastructure
├── docs/                       # Documentation
├── setup-wizard.sh             # Interactive setup
└── Makefile                    # Convenience commands

Troubleshooting

Cannot SSH after UFW enabled

Once UFW is enabled, SSH is only reachable over Tailscale, so the machine you connect from must itself be joined to the same tailnet. Use:

ssh root@<tailscale-ip-or-hostname>

Forgejo not starting

Check logs:

docker logs forgejo

Database connection issues

Verify PostgreSQL is running and accessible:

systemctl status postgresql

License

Apache 2.0. See LICENSE for details.

Contributing

Contributions are welcome! Please read the contributing guidelines before submitting PRs.