From 36a54fef3ddf803e9c68f3780bbc8af848e60a67 Mon Sep 17 00:00:00 2001
From: Tobias Reisinger <tobias@msrg.cc>
Date: Wed, 11 Jun 2025 21:09:49 +0200
Subject: [PATCH] Replace forgejo config with explicit ini

---
 playbooks/roles/forgejo/tasks/main.yml |   8 +-
 playbooks/roles/forgejo/vars/main.yml  | 127 ++++++++++++++-----------
 2 files changed, 80 insertions(+), 55 deletions(-)

diff --git a/playbooks/roles/forgejo/tasks/main.yml b/playbooks/roles/forgejo/tasks/main.yml
index cf1f637..e679711 100644
--- a/playbooks/roles/forgejo/tasks/main.yml
+++ b/playbooks/roles/forgejo/tasks/main.yml
@@ -5,12 +5,18 @@
 - name: Deploy {{ role_name }}
   vars:
     svc: "{{ forgejo_svc }}"
-    env: "{{ forgejo_env }}"
     compose: "{{ forgejo_compose }}"
   block:
     - name: Import prepare tasks for common service
       ansible.builtin.import_tasks: tasks/prepare-common-service.yml
 
+    - name: Create the app.ini file
+      ansible.builtin.copy:
+        dest: "{{ (service_path, 'app.ini') | path_join }}"
+        content: '{{ forgejo_ini | to_ini }}'
+        mode: "0644"
+      notify: Restart service {{ role_name }}
+
     - name: Copy the template files
       ansible.builtin.copy:
         src: templates/
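Review bot: The new "Create the app.ini file" task writes the rendered `forgejo_ini` with `mode: "0644"`, and the vars hunk in this same patch shows that file now carries every credential the service uses (`database.PASSWD`, `security.SECRET_KEY`, `security.INTERNAL_TOKEN`, the LFS and OAuth2 JWT secrets, the SMTP and MinIO secret keys), so it ends up world-readable on the host. Tighten it to `mode: "0600"` together with an `owner:`/`group:` matching the uid the container reads it as, or at minimum `"0640"` if a shared group is the only option; the exact uid is not visible in this patch and needs confirming against the compose service. The task should also carry `no_log: true`, because `ansible.builtin.copy` with `content:` echoes the full file into the play output and into `--diff` output on every change. The same secrets appear in the second hunk of this commit; that hunk needs no separate change beyond what is proposed here.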
diff --git a/playbooks/roles/forgejo/vars/main.yml b/playbooks/roles/forgejo/vars/main.yml
index 39eff82..4cfdea0 100644
--- a/playbooks/roles/forgejo/vars/main.yml
+++ b/playbooks/roles/forgejo/vars/main.yml
@@ -10,77 +10,95 @@ forgejo_svc:
     port: "{{ postgres.port }}"
   ssh_port: 22
 
-forgejo_env:
-  FORGEJO__database__DB_TYPE: postgres
-  FORGEJO__database__HOST: "{{ svc.db.host }}:{{ svc.db.port }}"
-  FORGEJO__database__NAME: "{{ opentofu.postgresql_data.forgejo.database }}"
-  FORGEJO__database__USER: "{{ opentofu.postgresql_data.forgejo.user }}"
-  FORGEJO__database__PASSWD: "{{ opentofu.postgresql_data.forgejo.pass }}"
-  FORGEJO__database__SSL_MODE: verify-full
+forgejo_ini:
+  database:
+    DB_TYPE: postgres
+    HOST: "{{ svc.db.host }}:{{ svc.db.port }}"
+    NAME: "{{ opentofu.postgresql_data.forgejo.database }}"
+    USER: "{{ opentofu.postgresql_data.forgejo.user }}"
+    PASSWD: "{{ opentofu.postgresql_data.forgejo.pass }}"
+    SSL_MODE: verify-full
 
-  FORGEJO__repository__ENABLE_PUSH_CREATE_USER: true
-  FORGEJO__repository__ENABLE_PUSH_CREATE_ORG: true
-  FORGEJO__repository__DEFAULT_BRANCH: main
+  repository:
+    ENABLE_PUSH_CREATE_USER: true
+    ENABLE_PUSH_CREATE_ORG: true
+    DEFAULT_BRANCH: main
 
-  FORGEJO__cors__ENABLED: true
-  FORGEJO__cors__SCHEME: https
+  cors:
+    ENABLED: true
+    SCHEME: https
 
-  FORGEJO__ui__DEFAULT_THEME: forgejo-dark
+  ui:
+    DEFAULT_THEME: forgejo-dark
 
-  FORGEJO__server__DOMAIN: "{{ svc.domain }}"
-  FORGEJO__server__SSH_DOMAIN: "{{ svc.domain }}"
-  FORGEJO__server__SSH_PORT: "{{ svc.ssh_port }}"
-  FORGEJO__server__ROOT_URL: https://{{ svc.domain }}
-  FORGEJO__server__OFFLINE_MODE: true
-  FORGEJO__server__LFS_JWT_SECRET: "{{ vault_forgejo.server_lfs_jwt_secret }}"
-  FORGEJO__server__LFS_START_SERVER: true
+  server:
+    DOMAIN: "{{ svc.domain }}"
+    SSH_DOMAIN: "{{ svc.domain }}"
+    SSH_PORT: "{{ svc.ssh_port }}"
+    ROOT_URL: https://{{ svc.domain }}
+    OFFLINE_MODE: true
+    LFS_JWT_SECRET: "{{ vault_forgejo.server_lfs_jwt_secret }}"
+    LFS_START_SERVER: true
 
-  FORGEJO__security__INSTALL_LOCK: true
-  FORGEJO__security__INTERNAL_TOKEN: "{{ vault_forgejo.security_internal_token }}"
-  FORGEJO__security__SECRET_KEY: "{{ vault_forgejo.security_secret_key }}"
+  security:
+    INSTALL_LOCK: true
+    INTERNAL_TOKEN: "{{ vault_forgejo.security_internal_token }}"
+    SECRET_KEY: "{{ vault_forgejo.security_secret_key }}"
 
-  FORGEJO__openid__ENABLE_OPENID_SIGNUP: true
-  FORGEJO__openid__ENABLE_OPENID_SIGNIN: false
+  openid:
+    ENABLE_OPENID_SIGNUP: true
+    ENABLE_OPENID_SIGNIN: false
 
-  FORGEJO__service__ALLOW_ONLY_EXTERNAL_REGISTRATION: true
-  FORGEJO__service__ENABLE_BASIC_AUTHENTICATION: false
-  FORGEJO__service__DEFAULT_KEEP_EMAIL_PRIVATE: true
-  FORGEJO__service__NO_REPLY_ADDRESS: discard.msrg.cc
+  service:
+    ALLOW_ONLY_EXTERNAL_REGISTRATION: true
+    ENABLE_BASIC_AUTHENTICATION: false
+    DEFAULT_KEEP_EMAIL_PRIVATE: true
+    NO_REPLY_ADDRESS: discard.msrg.cc
 
-  FORGEJO__webhook__DELIVER_TIMEOUT: 60
+  webhook:
+    DELIVER_TIMEOUT: 60
 
-  FORGEJO__mailer__ENABLED: true
-  FORGEJO__mailer__PROTOCOL: smtp+starttls
-  FORGEJO__mailer__SMTP_ADDR: "{{ mailer.host }}"
-  FORGEJO__mailer__SMTP_PORT: "{{ mailer.port }}"
-  FORGEJO__mailer__FROM: "git <{{ opentofu.mailcow_data.forgejo.address }}>"
-  FORGEJO__mailer__USER: "{{ opentofu.mailcow_data.forgejo.address }}"
-  FORGEJO__mailer__PASSWD: "{{ opentofu.mailcow_data.forgejo.password }}"
-  FORGEJO__mailer__SEND_AS_PLAIN_TEXT: true
+  mailer:
+    ENABLED: true
+    PROTOCOL: smtp+starttls
+    SMTP_ADDR: "{{ mailer.host }}"
+    SMTP_PORT: "{{ mailer.port }}"
+    FROM: "git <{{ opentofu.mailcow_data.forgejo.address }}>"
+    USER: "{{ opentofu.mailcow_data.forgejo.address }}"
+    PASSWD: "{{ opentofu.mailcow_data.forgejo.password }}"
+    SEND_AS_PLAIN_TEXT: true
 
-  FORGEJO__picture__DISABLE_GRAVATAR: true
+  picture:
+    DISABLE_GRAVATAR: true
 
-  FORGEJO__attachment__MAX_FILES: 10
+  attachment:
+    MAX_FILES: 10
 
-  FORGEJO__oauth2__JWT_SECRET: "{{ vault_forgejo.oauth2_jwt_secret }}"
+  oauth2:
+    JWT_SECRET: "{{ vault_forgejo.oauth2_jwt_secret }}"
 
-  FORGEJO__log.console__FLAGS: "level,medfile,shortfuncname"
+  log.console:
+    FLAGS: "level,medfile,shortfuncname"
 
-  FORGEJO__metrics__ENABLED: true
-  FORGEJO__metrics__TOKEN: "{{ vault_metrics_token }}"
+  metrics:
+    ENABLED: true
+    TOKEN: "{{ vault_metrics_token }}"
 
-  FORGEJO__actions__ENABLED: true
+  actions:
+    ENABLED: true
 
-  FORGEJO__storage__STORAGE_TYPE: minio
-  FORGEJO__storage__MINIO_ENDPOINT: "{{ opentofu.scaleway_data.forgejo.api_endpoint | urlsplit('hostname') }}"
-  FORGEJO__storage__MINIO_ACCESS_KEY_ID: "{{ opentofu.scaleway_data.forgejo.access_key }}"
-  FORGEJO__storage__MINIO_SECRET_ACCESS_KEY: "{{ opentofu.scaleway_data.forgejo.secret_key }}"
-  FORGEJO__storage__MINIO_BUCKET: "{{ opentofu.scaleway_data.forgejo.name }}"
-  FORGEJO__storage__MINIO_LOCATION: "{{ opentofu.scaleway_data.forgejo.region }}"
-  FORGEJO__storage__MINIO_USE_SSL: true
+  storage:
+    STORAGE_TYPE: minio
+    MINIO_ENDPOINT: "{{ opentofu.scaleway_data.forgejo.api_endpoint | urlsplit('hostname') }}"
+    MINIO_ACCESS_KEY_ID: "{{ opentofu.scaleway_data.forgejo.access_key }}"
+    MINIO_SECRET_ACCESS_KEY: "{{ opentofu.scaleway_data.forgejo.secret_key }}"
+    MINIO_BUCKET: "{{ opentofu.scaleway_data.forgejo.name }}"
+    MINIO_LOCATION: "{{ opentofu.scaleway_data.forgejo.region }}"
+    MINIO_USE_SSL: true
 
-  FORGEJO__other__SHOW_FOOTER_VERSION: true
-  FORGEJO__other__SHOW_FOOTER_TEMPLATE_LOAD_TIME: false
+  other:
+    SHOW_FOOTER_VERSION: true
+    SHOW_FOOTER_TEMPLATE_LOAD_TIME: false
 
 forgejo_compose:
   watchtower: update
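Review bot: Several of the values now routed through `to_ini` are generated credentials (`database.PASSWD`, `mailer.PASSWD`, `storage.MINIO_SECRET_ACCESS_KEY`), and if that filter is implemented on top of Python's configparser with interpolation left enabled, a `%` in any of them is rejected or rewritten when the file is emitted. Which `to_ini` implementation is in use is not visible in this hunk, so it is worth confirming once with a throwaway value containing `%` before a rotated secret breaks the deploy. The boolean and integer values (`true`, `60`) are emitted by that path as the strings `True`/`60`; that Forgejo's ini loader accepts `True` for boolean keys should be checked rather than assumed, since the env-based path these lines replace handled those conversions itself.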
@@ -88,6 +106,7 @@ forgejo_compose:
   image: codeberg.org/forgejo/forgejo:11
   volumes:
     - data:/data
+    - ./app.ini:/data/gitea/conf/app.ini
     - ./templates:/data/gitea/templates
     - ./public:/data/gitea/public
     - /etc/timezone:/etc/timezone:ro
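Review bot: The new `./app.ini` bind mount is the only file-level mount in this list that is not marked read-only, even though the file is fully managed by Ansible and the service should have no reason to rewrite it; `- ./app.ini:/data/gitea/conf/app.ini:ro` keeps the container from altering its own configuration and matches the `:ro` style of the `/etc/timezone` entry. Forgejo does write back to app.ini on first start when generated secrets are missing, but with `SECRET_KEY`, `INTERNAL_TOKEN` and the JWT secrets all supplied explicitly in this patch that case should not arise — worth verifying on a fresh deploy. Since `ansible.builtin.copy` replaces the file rather than editing it in place, a single-file bind mount keeps pointing at the old inode until the container is recreated; the `notify: Restart service` handler added in the tasks hunk covers that as long as a restart actually recreates the container rather than only stopping and starting it.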