shione/images/forgejo/README.md

Forgejo container image

It's very basic, possibly insecure but I will improve that later on. The key points to remember is that all secrets must be provided in the form of files to avoid any leakage.

Create the admin user

Unfortunately there is no way to pre-seed forgejo's DB with an admin user to avoid any post-installation procedures. The following allows you to create it.

$ podman exec \
    "$container_id" \
    /usr/local/bin/forgejo \
        -w /var/lib/forgejo \
        -c /etc/forgejo/app.ini \
        admin user create \
            --admin \
            --username "$username" \
            --password "$basic_password" \
            --email "$email"

NOTE:: You should do this before exposing your container to the internet just to be safe. Make sure to change the password once the account has been created.

TODO

• Switch to PostgreSQL once I have an image emulating shione's setup running.
• Test forgejo's OAuth2 thouroughly since it will be used to authenticate other services running on shione.
• Switch to redis for caching once an image of it is available.
• Host-container SSH forwarding.
• systemd service.
  • Debian packaging which also creates a git UNIX user and stuff?
  • Maybe just use ansible?
• Figure out what to backup.
  • Everything will be backed up using borgbase on the host side, possibly backup git repositories, databases and anything oauth2-related?
• Setup mail.
• Is PASSWORD_HASH_ALGO = pbkdf2_hi the best we could use?
• Disable as many unneeded services integrated by default as possible? Is it possible to strip the binary from such services e.g., ACME-related code?
• What to do with CI/CD? It would be nice to deploy shione services using forgejo.
• Packaging forgejo using Guix or Debian? Is this too much?
• Separate the base image from the image responsible only for copying host-specific secret artifacts to the final image.