tf/modules/swarm/forgejo/main.tf


# Resolve the digest currently published for the 1.21 tag, so the service
# below can reference the image by digest instead of by the mutable tag.
data "docker_registry_image" "forgejo" {
  name = "codeberg.org/forgejo/forgejo:1.21"
}
# Existing overlay network shared with the Traefik reverse proxy; looked up
# by name rather than managed here.
data "docker_network" "traefik" {
  name = "traefik"
}
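locals {
  # Swarm service labels; each entry becomes one `labels` block on the
  # forgejo service via its dynamic block. Entries are newline-separated
  # throughout (the map previously mixed trailing commas with a missing one).
  labels = {
    "shepherd.auto-update" = "true"
    # Traefik: route https://git.chaoswest.tv to container port 3000 with a
    # certificate from the "default" resolver.
    "traefik.enable"                                          = "true"
    "traefik.http.services.forgejo.loadbalancer.server.port" = "3000"
    "traefik.http.routers.forgejo.rule"                       = "Host(`git.chaoswest.tv`)"
    "traefik.http.routers.forgejo.tls"                        = "true"
    "traefik.http.routers.forgejo.tls.certresolver"           = "default"
  }
}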
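resource "docker_service" "forgejo" {
  name = "forgejo"

  # One labels block per entry of local.labels (Traefik routing + shepherd).
  dynamic "labels" {
    for_each = local.labels
    content {
      label = labels.key
      value = labels.value
    }
  }

  task_spec {
    # Attach to the Traefik overlay network so the router labels can reach port 3000.
    networks_advanced {
      name = data.docker_network.traefik.id
    }

    container_spec {
      # Pin to the digest the data source resolved at plan time, not to the
      # mutable 1.21 tag. NOTE(review): with a digest in the image reference it
      # is not obvious that the shepherd.auto-update label can still roll a
      # newer 1.21 build without a terraform apply — confirm which of the two
      # is meant to drive updates.
      image = "${data.docker_registry_image.forgejo.name}@${data.docker_registry_image.forgejo.sha256_digest}"

      env = {
        USER_UID = "1000"
        USER_GID = "1000"

        FORGEJO__server__DOMAIN   = "git.chaoswest.tv"
        FORGEJO__server__ROOT_URL = "https://git.chaoswest.tv"
        # Checkouts over SSH through docker would be possible but are not worth the effort.
        FORGEJO__server__DISABLE_SSH = "true"

        # Account creation only through Authentik: registration stays enabled
        # but is restricted to external (OAuth2) providers, and OpenID 2.0
        # sign-in/sign-up is off. NOTE(review): these keys restrict sign-up,
        # not sign-in; nothing here disables the local password login for
        # accounts that already have a password (e.g. the admin) — confirm
        # that is intended before relying on "Authentik only".
        FORGEJO__service__DISABLE_REGISTRATION             = "false"
        FORGEJO__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = "true"
        FORGEJO__openid__ENABLE_OPENID_SIGNIN              = "false"
        FORGEJO__openid__ENABLE_OPENID_SIGNUP              = "false"
        # Anyone who can authenticate at Authentik gets an account on first login.
        FORGEJO__oauth2_client__ENABLE_AUTO_REGISTRATION = "true"

        # Regular users cannot create repositories or organisations without admin intervention.
        FORGEJO__repository__MAX_CREATION_LIMIT      = "0"
        FORGEJO__admin__DISABLE_REGULAR_ORG_CREATION = "true"
      }

      # Host bind mount for /data; the container's only writable mount.
      mounts {
        target = "/data"
        source = "/mnt/data/forgejo/"
        type   = "bind"
      }

      # Share the host's time zone, never writable from the container.
      mounts {
        target    = "/etc/localtime"
        source    = "/etc/localtime"
        type      = "bind"
        read_only = true
      }
    }
  }
}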
# Hosted zone that the git record below is created in; looked up, not managed here.
data "hetznerdns_zone" "primary" {
  name = "chaoswest.tv"
}
# git.chaoswest.tv -> ax41-1.fsn.mon2.de (presumably the swarm node where
# Traefik terminates TLS — verify). The name must match the Host() rule in
# local.labels and FORGEJO__server__DOMAIN.
resource "hetznerdns_record" "primary" {
  zone_id = data.hetznerdns_zone.primary.id
  name    = "git"
  type    = "CNAME"
  value   = "ax41-1.fsn.mon2.de."
}