--- forgejo_enabled: true forgejo_version: 1.21.11-0 forgejo_identifier: forgejo forgejo_scheme: https # The fully-qualified name of your Forgejo server (e.g. `forgejo.example.com`) forgejo_hostname: '' forgejo_path_prefix: / forgejo_uid: '' forgejo_gid: '' forgejo_container_image: "{{ forgejo_container_image_registry_prefix }}forgejo/forgejo:{{ forgejo_container_image_tag }}" forgejo_container_image_tag: "{{ forgejo_version }}-rootless" forgejo_container_image_force_pull: "{{ forgejo_container_image.endswith(':latest') }}" forgejo_container_image_registry_prefix: codeberg.org/ forgejo_base_path: "/{{ forgejo_identifier }}" forgejo_data_dir_path: "{{ forgejo_base_path }}/data" forgejo_config_dir_path: "{{ forgejo_base_path }}/config" forgejo_ssh_port: 22 forgejo_http_bind_port: '' forgejo_ssh_bind_port: "{{ forgejo_ssh_port }}" forgejo_systemd_required_systemd_services_list: ['docker.service'] forgejo_config_database_type: postgres forgejo_config_database_hostname: '' forgejo_config_database_port: 5432 forgejo_config_database_name: forgejo forgejo_config_database_username: '' forgejo_config_database_password: '' forgejo_config_root_url: "{{ forgejo_scheme }}://{{ forgejo_hostname }}{{ forgejo_path_prefix }}" # Controls the RUN_USER configuration setting (`GITEA____RUN_USER` environment variable). # # This defaults to `git` in the upstream configuration. # # On startup, Forgejo checks if the resolved username for the user it works with matches the RUN_USER. # # Because we run the container with a custom user (forgejo_uid), # and not with uid=1000 matching the git user and inside the container, # unless we unset this, we'd get an error message: # > `Expect user 'git' but current user is: ` # The relevant check is here: https://github.com/go-forgejo/forgejo/blob/ccd3a55bf4f07a390e13d48100c58fb937fd3dcf/modules/setting/setting.go#L297-L300C4 # # Unsetting this to an empty string makes it match. Unless you forgejo_uid accidentally hits some other user that is part of the container's /etc/passwd file. forgejo_config_run_user: "{{ 'git' if forgejo_uid | string == '1000' else '' }}" # When integrating Forgejo with Woodpecker CI, and if Woodpecker is # served under a subpath (e.g. `https://forgejo.host/ci`), it is # necessary to use Docker's `--add-host` option to point Forgejo to # the external host IP, so that webhook calls to Woodpecker can work. # # For example: # # forgejo_container_add_host_domain_name: "{{ devture_woodpecker_ci_server_hostname }}" # forgejo_container_add_host_domain_ip_address: "{{ ansible_host }}" # # Don't forget to also update `webhook.ALLOWED_HOST_LIST` on Forgejo's # app.ini config file. forgejo_container_add_host_domain_name: '' forgejo_container_add_host_domain_ip_address: '' # forgejo_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. # See `roles/custom/forgejo/templates/labels.j2` for details. # # To inject your own other container labels, see `forgejo_container_labels_additional_labels`. forgejo_container_labels_traefik_enabled: true forgejo_container_labels_traefik_docker_network: '' forgejo_container_labels_traefik_hostname: "{{ forgejo_hostname }}" # The path prefix must either be `/` or not end with a slash (e.g. `/forgejo`). forgejo_container_labels_traefik_path_prefix: "{{ forgejo_path_prefix }}" forgejo_container_labels_traefik_rule: "Host(`{{ forgejo_container_labels_traefik_hostname }}`){% if forgejo_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ forgejo_container_labels_traefik_path_prefix | quote }}`){% endif %}" forgejo_container_labels_traefik_priority: 0 forgejo_container_labels_traefik_entrypoints: web-secure forgejo_container_labels_traefik_tls: "{{ forgejo_container_labels_traefik_entrypoints != 'web' }}" forgejo_container_labels_traefik_tls_certResolver: default # noqa var-naming # Controls which additional headers to attach to all HTTP requests. # To add your own custom request headers, use `forgejo_container_labels_traefik_additional_response_headers_custom` forgejo_container_labels_traefik_additional_request_headers: "{{ forgejo_container_labels_traefik_additional_request_headers_auto | combine(forgejo_container_labels_traefik_additional_request_headers_custom) }}" forgejo_container_labels_traefik_additional_request_headers_auto: | {{ {} | combine ({'X-Script-Name': forgejo_path_prefix} if forgejo_path_prefix != '/' else {}) }} forgejo_container_labels_traefik_additional_request_headers_custom: {} # Controls which additional headers to attach to all HTTP responses. # To add your own custom response headers, use `forgejo_container_labels_traefik_additional_response_headers_custom` forgejo_container_labels_traefik_additional_response_headers: "{{ forgejo_container_labels_traefik_additional_response_headers_auto | combine(forgejo_container_labels_traefik_additional_response_headers_custom) }}" forgejo_container_labels_traefik_additional_response_headers_auto: | {{ {} | combine ({'X-XSS-Protection': forgejo_http_header_xss_protection} if forgejo_http_header_xss_protection else {}) | combine ({'X-Frame-Options': forgejo_http_header_frame_options} if forgejo_http_header_frame_options else {}) | combine ({'X-Content-Type-Options': forgejo_http_header_content_type_options} if forgejo_http_header_content_type_options else {}) | combine ({'Content-Security-Policy': forgejo_http_header_content_security_policy} if forgejo_http_header_content_security_policy else {}) | combine ({'Permission-Policy': forgejo_http_header_content_permission_policy} if forgejo_http_header_content_permission_policy else {}) | combine ({'Strict-Transport-Security': forgejo_http_header_strict_transport_security} if forgejo_http_header_strict_transport_security and forgejo_container_labels_traefik_tls else {}) }} forgejo_container_labels_traefik_additional_response_headers_custom: {} # forgejo_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `roles/custom/forgejo/templates/labels.j2` for details. # # Example: # forgejo_container_labels_additional_labels: | # my.label=1 # another.label="here" forgejo_container_labels_additional_labels: '' # forgejo_container_additional_environment_variables contains a multiline string with additional environment variables to pass to the container. # # Example: # forgejo_container_additional_environment_variables: | # VAR=1 # ANOTHER=value forgejo_container_additional_environment_variables: '' forgejo_container_network: "{{ forgejo_identifier }}" # A list of additional container networks that the container would be connected to. # The playbook does not create these networks, so make sure they already exist. # Use this to expose this container to a reverse proxy, which runs in a different container network. forgejo_container_additional_networks: "{{ forgejo_container_additional_networks_auto + forgejo_container_additional_networks_custom }}" forgejo_container_additional_networks_auto: [] forgejo_container_additional_networks_custom: [] # Additional environment variables. forgejo_environment_variables_additional_variables: '' # Specifies the value of the `X-XSS-Protection` header # Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. # # Learn more about it is here: # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection # - https://portswigger.net/web-security/cross-site-scripting/reflected forgejo_http_header_xss_protection: "1; mode=block" # Specifies the value of the `X-Frame-Options` header which controls whether framing can happen. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options forgejo_http_header_frame_options: SAMEORIGIN # Specifies the value of the `X-Content-Type-Options` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options forgejo_http_header_content_type_options: nosniff # Specifies the value of the `Content-Security-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy forgejo_http_header_content_security_policy: frame-ancestors 'self' # Specifies the value of the `Permission-Policy` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy forgejo_http_header_content_permission_policy: "{{ 'interest-cohort=()' if forgejo_floc_optout_enabled else '' }}" # Specifies the value of the `Strict-Transport-Security` header. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security forgejo_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if forgejo_hsts_preload_enabled else '' }}" # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses # # Learn more about what it is here: # - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea # - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network # - https://amifloced.org/ # # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. # See: `forgejo_content_permission_policy` forgejo_floc_optout_enabled: true # Controls if HSTS preloading is enabled # # In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and # indicates a willingness to be "preloaded" into browsers: # `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` # For more information visit: # - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in # See: `forgejo_http_header_strict_transport_security` forgejo_hsts_preload_enabled: false