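# Forgejo behind Traefik, deployed as a Docker Swarm service, plus the DNS
# record that points the public hostname at the host running the stack.

# Resolves the configured tag to a concrete digest at plan time. The tag
# itself can move; the digest is what the service actually runs, so a plan
# shows a change whenever the registry serves a new image for this tag.
data "docker_registry_image" "forgejo" {
  name = "codeberg.org/forgejo/forgejo:1.21"
}

data "docker_network" "traefik" {
  name = "traefik"
}

locals {
  # Single source of truth for the public hostname. It is used by the
  # Traefik router rule and by Forgejo's own DOMAIN / ROOT_URL settings,
  # so the three can no longer drift apart.
  forgejo_domain = "git.chaoswest.tv"

  # Swarm service labels consumed by Shepherd and Traefik.
  # NOTE(review): the container image below is digest-pinned, so Shepherd's
  # auto-update presumably cannot roll the service forward by itself; a new
  # digest only lands when this configuration is re-applied. Confirm.
  labels = {
    "shepherd.auto-update"                                   = "true",
    "traefik.enable"                                         = "true",
    "traefik.http.services.forgejo.loadbalancer.server.port" = "3000",
    "traefik.http.routers.forgejo.rule"                      = "Host(`${local.forgejo_domain}`)",
    "traefik.http.routers.forgejo.tls"                       = "true",
    "traefik.http.routers.forgejo.tls.certresolver"          = "default",
  }
}

resource "docker_service" "forgejo" {
  name = "forgejo"

  # One service label per entry in local.labels.
  dynamic "labels" {
    for_each = local.labels
    content {
      label = labels.key
      value = labels.value
    }
  }

  task_spec {
    # The service is only attached to the Traefik overlay network; no
    # endpoint_spec is declared here, so Traefik is the only way in.
    networks_advanced {
      name = data.docker_network.traefik.id
    }

    container_spec {
      # "<name>@sha256:<digest>" — pins the exact image resolved at plan time
      # rather than whatever the floating tag points at when the task starts.
      image = "${data.docker_registry_image.forgejo.name}@${data.docker_registry_image.forgejo.sha256_digest}"

      env = {
        USER_UID = "1000"
        USER_GID = "1000"

        FORGEJO__server__DOMAIN = local.forgejo_domain
        # Enabling checkouts via SSH through docker is possible, but not worth the effort
        FORGEJO__server__DISABLE_SSH = "true"
        FORGEJO__server__ROOT_URL    = "https://${local.forgejo_domain}"

        # Login only through Authentik: registration stays enabled, but only
        # the external OAuth2 provider may complete it; built-in OpenID is off.
        FORGEJO__service__DISABLE_REGISTRATION             = "false"
        FORGEJO__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = "true"
        FORGEJO__openid__ENABLE_OPENID_SIGNIN              = "false"
        FORGEJO__openid__ENABLE_OPENID_SIGNUP              = "false"
        # Allow everyone to create an account through Authentik
        FORGEJO__oauth2_client__ENABLE_AUTO_REGISTRATION = "true"

        # Disable users from being able to create repos/orgs without admin intervention
        FORGEJO__repository__MAX_CREATION_LIMIT      = "0"
        FORGEJO__admin__DISABLE_REGULAR_ORG_CREATION = "true"
      }

      # Writable bind mount for /data from the host.
      mounts {
        target = "/data"
        source = "/mnt/data/forgejo/"
        type   = "bind"
      }

      # Host timezone, mounted read-only so the container cannot modify it.
      mounts {
        target    = "/etc/localtime"
        source    = "/etc/localtime"
        type      = "bind"
        read_only = true
      }
    }
  }
}

data "hetznerdns_zone" "primary" {
  name = "chaoswest.tv"
}

# git.chaoswest.tv -> the host running the Traefik/Swarm stack.
resource "hetznerdns_record" "primary" {
  zone_id = data.hetznerdns_zone.primary.id
  name    = "git"
  value   = "ax41-1.fsn.mon2.de."
  type    = "CNAME"
}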