feat: maintainers

Reviewed-on: #10
Reviewed-by: p4u1 <p4u1@noreply.git.coopcloud.tech>

.env.sample

@@ -1,6 +1,6 @@
-TYPE=gitea
+TYPE=forgejo
 
-DOMAIN=gitea.example.com
+DOMAIN=forgejo.example.com
 LETS_ENCRYPT_ENV=production
 COMPOSE_FILE="compose.yml"
 ENABLE_BACKUPS=true
@@ -8,11 +8,12 @@ COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.sqlite3.yml"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.yml"
 
-# Enable to use forgejo instead of gitea
-# COMPOSE_FILE="$COMPOSE_FILE:compose.forgejo.yml"
-# SECRET_LFS_JWT_SECRET_VERSION=v1 # length=43
+SECRET_LFS_JWT_SECRET_VERSION=v1 # length=43
 
-GITEA_DOMAIN=git.example.com
+# Anubis
+# COMPOSE_FILE="$COMPOSE_FILE:compose.anubis.yml"
+
+GITEA_DOMAIN="${DOMAIN}"
 GITEA_ALLOW_ONLY_EXTERNAL_REGISTRATION=true
 GITEA_APP_NAME="Git with solidaritea"
 GITEA_AUTO_WATCH_NEW_REPOS=false

MAINTENANCE.md

@@ -0,0 +1,32 @@
+# Forgejo Recipe Maintenance
+
+All contributions should be made via a pull request. This is to ensure a
+certain quality and consistency, that others can rely on.
+
+## Maintainer Responsibilities
+
+A recipe maintainer has the following responsibilities:
+
+- Respond to pull requests / issues within a week
+- Make image security updates within a day
+- Make image patch / minor updates within a week
+- Make image major updates within a month
+
+In order to fullfill these responsibilities a recipe maintainer:
+
+- Has to watch the repository (to get notifications)
+- Needs to make sure renovate is configured properly
+
+## Pull Requests
+
+A pull request can be merged if it is approved by at least one maintainer. For
+pull requests opened by a maintainer they need to be approved by another
+maintainer. Even though it is okay to merge a pull request with one approval, it
+is always better if all maintainers looked at the pull request and approved it.
+
+## Become a maintainer
+
+Everyone can apply to be a recipe maintainer:
+1. Watch the repository to always get updates
+2. Simply add your self to the list in the [README.md](./README.md) and open a new pull request with the change.
+3. Once the pull request gets merged you will be added to the [forgejo maintainers team](https://git.coopcloud.tech/org/coop-cloud/teams/forgejo-maintainers).

README.md

@@ -3,6 +3,7 @@
 [![Build Status](https://build.coopcloud.tech/api/badges/coop-cloud/forgejo/status.svg)](https://build.coopcloud.tech/coop-cloud/forgejo)
 
 <!-- metadata -->
+* **Maintainer**: [@p4u1](https://git.coopcloud.tech/p4u1), [@fauno](https://git.coopcloud.tech/fauno)
 * **Category**: Development
 * **Status**: 5
 * **Image**: [`forgejo/forgejo`](https://codeberg.org/forgejo/-/packages/container/forgejo/13-rootless), 4, upstream
@@ -59,3 +60,9 @@ ssh -T -p 2222 git@my.gitea.example.com
 ```
 
 Note that gitea should be configured to listen to port 2222, i.e. `GITEA_SSH_PORT=2222` in the gitea config.
+
+## Protect Forgejo from scrapers with Anubis
+
+Uncomment the Anubis compose file from the `.env` file and re-deploy the
+app.  Don't forget to actually [enable Anubis on the Traefik app
+too](https://recipes.coopcloud.tech/traefik)!

abra.sh

@@ -1,4 +1,4 @@
-export APP_INI_VERSION=v21
+export APP_INI_VERSION=v23
 export DOCKER_SETUP_SH_VERSION=v1
 export PG_BACKUP_VERSION=v1
 

app.ini.tmpl

@@ -28,6 +28,7 @@ DEFAULT_USER_VISIBILITY = {{ env "GITEA_DEFAULT_USER_VISIBILITY" }}
 ALLOWED_USER_VISIBILITY_MODES = {{ env "GITEA_ALLOWED_USER_VISIBILITY_MODES" }}
 DEFAULT_ORG_VISIBILITY = {{ env "GITEA_DEFAULT_ORG_VISIBILITY" }}
 REQUIRE_SIGNIN_VIEW = {{ env "GITEA_REQUIRE_SIGNIN_VIEW" }}
+ENABLE_INTERNAL_SIGNIN = {{ env "GITEA_ENABLE_INTERNAL_SIGNIN" }}
 
 [openid]
 ENABLE_OPENID_SIGNIN = {{ env "GITEA_ENABLE_OPENID_SIGNIN" }}

compose.anubis.yml

@@ -0,0 +1,7 @@
+---
+version: "3.8"
+services:
+  app:
+    deploy:
+      labels:
+      - "traefik.http.routers.${STACK_NAME}.middlewares=anubis,${STACK_NAME}_cors"

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: codeberg.org/forgejo/forgejo:12.0.2-rootless
+    image: codeberg.org/forgejo/forgejo:13.0.4-rootless
     configs:
       - source: app_ini
         target: /etc/gitea/app.ini
@@ -14,6 +14,7 @@ services:
       - internal_token
       - jwt_secret
       - secret_key
+      - lfs_jwt_secret
     environment:
       - GITEA_ALLOW_ONLY_EXTERNAL_REGISTRATION
       - GITEA_APP_NAME
@@ -53,6 +54,7 @@ services:
       - GITEA_REQUIRE_SIGNIN_VIEW
       - GITEA__oauth2__REFRESH_TOKEN_EXPIRATION_TIME
       - GITEA_LFS_START_SERVER=${GITEA_LFS_START_SERVER:-false}
+      - GITEA_ENABLE_INTERNAL_SIGNIN
     volumes:
       - data:/var/lib/gitea
       - config:/etc/gitea
@@ -87,7 +89,7 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}_cors.headers.accesscontrolalloworiginlist=https://${GITEA_CORS_ALLOW_DOMAIN}"
         - "traefik.http.middlewares.${STACK_NAME}_cors.headers.accesscontrolmaxage=100"
         - "traefik.http.middlewares.${STACK_NAME}_cors.headers.addvaryheader=true"
-        - coop-cloud.${STACK_NAME}.version=4.0.0+12.0.2-rootless
+        - coop-cloud.${STACK_NAME}.version=5.0.3+13.0.4-rootless
 
 
 networks:

release/5.0.0+13.0.2-rootless

@@ -0,0 +1 @@
+For breaking changes see: https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/13.0.0.md

renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ]
+}