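#!/usr/bin/env bash
# Install Forgejo from the latest signed release, front it with Caddy (internal
# TLS, reverse proxy to 127.0.0.1:3000) and prepare a per-user systemd unit for
# a Forgejo Actions runner that talks to a rootless podman socket.
# Debian/Ubuntu host; must run as root.
#
# Env overrides:
#   SITE_ADDRESS - Caddy site address (IP or hostname); default 95.95.95.95
set -euo pipefail

[ "$EUID" -eq 0 ] || { echo "Please run as root" >&2; exit 1; }

# Fingerprint of the Forgejo release-signing key. Every downloaded binary must
# carry a signature from this key (or one of its subkeys) before it is installed.
readonly FORGEJO_KEY_FPR=EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
SITE_ADDRESS="${SITE_ADDRESS:-95.95.95.95}"

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Resolve the latest release version of a Forgejo-API repository.
# Arguments: $1 - releases/latest API URL
# Outputs:   version without the leading "v" on stdout
# Returns:   non-zero if the API call fails or yields no tag
#######################################
latest_version() {
  local tag
  tag=$(curl -fsSL "$1" | jq -r .tag_name) || return 1
  [[ -n "$tag" && "$tag" != null ]] || return 1
  printf '%s\n' "${tag#v}"
}

#######################################
# Verify a detached signature and require the pinned release key, not merely
# "some key in the keyring": gpg's VALIDSIG status line ends with the
# primary-key fingerprint of the signer.
# Arguments: $1 - .asc signature, $2 - signed file
# Returns:   0 only for a good signature from FORGEJO_KEY_FPR
#######################################
verify_release_sig() {
  local status
  # Capture first, grep second: grep -q exiting early would SIGPIPE gpg under pipefail.
  status=$(gpg --status-fd 1 --verify "$1" "$2") || return 1
  grep -q "VALIDSIG .*${FORGEJO_KEY_FPR}$" <<<"$status"
}

# Downloads land in a private temp dir that is removed on any exit path.
workdir=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "$workdir"' EXIT
cd "$workdir"

apt-get install -y jq systemd-container

#--- Forgejo server -----------------------------------------------------------
RELEASE=$(latest_version https://codeberg.org/api/v1/repos/forgejo/forgejo/releases/latest) \
  || die "could not determine the latest Forgejo release"
gpg --keyserver keys.openpgp.org --recv "$FORGEJO_KEY_FPR"
wget -O forgejo "https://codeberg.org/forgejo/forgejo/releases/download/v${RELEASE}/forgejo-${RELEASE}-linux-amd64"
wget -O forgejo.asc "https://codeberg.org/forgejo/forgejo/releases/download/v${RELEASE}/forgejo-${RELEASE}-linux-amd64.asc"
# Abort before anything is copied into PATH if the signature does not check out.
verify_release_sig forgejo.asc forgejo \
  || die "signature check failed for forgejo ${RELEASE}; not installing"
install -m 755 forgejo /usr/local/bin/forgejo

id git &>/dev/null \
  || adduser --system --shell /bin/bash --gecos 'Git Version Control' --group --disabled-password --home /home/git git
install -d -o git -g git -m 750 /var/lib/forgejo
# root:git 770 so the git user can write app.ini during the web setup;
# consider tightening once the configuration exists.
install -d -o root -g git -m 770 /etc/forgejo
wget -O /etc/systemd/system/forgejo.service https://codeberg.org/forgejo/forgejo/raw/branch/forgejo/contrib/systemd/forgejo.service
systemctl daemon-reload
systemctl enable --now forgejo.service

#--- Caddy reverse proxy ------------------------------------------------------
apt-get install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' \
  | gpg --batch --yes --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' \
  > /etc/apt/sources.list.d/caddy-stable.list
apt-get update
apt-get install -y caddy
cat > /etc/caddy/Caddyfile <<EOF
${SITE_ADDRESS} {
    # Use self-signed certificate
    tls internal
    # Reverse proxy to Forgejo
    reverse_proxy 127.0.0.1:3000
    header {
        -Server
        X-Content-Type-Options nosniff
        X-Frame-Options DENY
        X-XSS-Protection "1; mode=block"
        Referrer-Policy strict-origin-when-cross-origin
    }
    encode gzip
}
EOF
systemctl restart caddy.service

#--- Forgejo Actions runner ---------------------------------------------------
RUNNER_VERSION=$(latest_version https://data.forgejo.org/api/v1/repos/forgejo/runner/releases/latest) \
  || die "could not determine the latest Forgejo runner release"
wget -O forgejo-runner "https://code.forgejo.org/forgejo/runner/releases/download/v${RUNNER_VERSION}/forgejo-runner-${RUNNER_VERSION}-linux-amd64"
wget -O forgejo-runner.asc "https://code.forgejo.org/forgejo/runner/releases/download/v${RUNNER_VERSION}/forgejo-runner-${RUNNER_VERSION}-linux-amd64.asc"
verify_release_sig forgejo-runner.asc forgejo-runner \
  || die "signature check failed for forgejo-runner ${RUNNER_VERSION}; not installing"
install -m 755 forgejo-runner /usr/local/bin/forgejo-runner
id forgejo-runner &>/dev/null || useradd --create-home forgejo-runner
loginctl enable-linger forgejo-runner

# RUN MANUALLY
# User-level unit for the runner. podman must already be installed on this host
# (this script does not install it). The unit is enabled but not started: the
# runner has to be registered with the Forgejo instance first.
su forgejo-runner <<'EOF'
set -e
cd /home/forgejo-runner
mkdir -p .config/systemd/user
export XDG_RUNTIME_DIR=/run/user/$(id -u)
systemctl --user enable podman.socket
systemctl --user start podman.socket
# %t is systemd's runtime-directory specifier ($XDG_RUNTIME_DIR for a user
# manager). A literal $(id -u) inside this quoted heredoc would reach the unit
# file unexpanded, and systemd does not perform command substitution.
cat > .config/systemd/user/forgejo-runner.service << 'EOHD'
[Unit]
Description=Forgejo Runner
Documentation=https://forgejo.org/docs/latest/admin/actions/
After=podman.socket
[Service]
ExecStart=/usr/local/bin/forgejo-runner daemon
ExecReload=/bin/kill -s HUP $MAINPID
Environment="DOCKER_HOST=unix://%t/podman/podman.sock"
WorkingDirectory=/home/forgejo-runner
Restart=on-failure
TimeoutSec=0
RestartSec=10
[Install]
WantedBy=default.target
EOHD
systemctl --user daemon-reload
systemctl --user enable forgejo-runner.service
EOF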

int3hh commented May 31, 2025

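#!/usr/bin/bash
# sprovision.sh - bootstrap a fresh Debian host over SSH as root:
#   * full upgrade and base tools
#   * create USER with a password, doas rights and a copy of root's authorized_keys
#   * disable root login and password authentication for sshd
#   * rootless podman prerequisites, lingering user session, ports >= 80 unprivileged
#
# Usage: sprovision.sh HOST USER
# Env:   GPWD - initial password for USER (default "changeme"; override it)
set -euo pipefail

HOST="${1:-}"
USERNAME="${2:-}"
GPWD="${GPWD:-changeme}"

if [ -z "$HOST" ] || [ -z "$USERNAME" ]; then
    echo "USAGE: sprovision.sh HOST USER" >&2
    exit 1
fi
if [ "$GPWD" = "changeme" ]; then
    echo "WARNING: using the default password for $USERNAME; set GPWD to override" >&2
fi

# Unquoted heredoc: $HOST/$USERNAME/$GPWD expand locally, \$(...) runs on the remote host.
ssh "root@${HOST}" /bin/bash <<EOF
    set -euo pipefail
    export DEBIAN_FRONTEND=noninteractive
    apt-get update
    apt-get upgrade -y
    apt-get dist-upgrade -y
    apt-get -y install doas openssl vim rsync git uidmap slirp4netns git-lfs jq
    # -6 = SHA-512 crypt; -1 (MD5 crypt) is obsolete
    useradd -m -p \$(openssl passwd -6 "$GPWD") -s /bin/bash -c "$USERNAME" "$USERNAME"
    echo "permit persist $USERNAME as root" >> /etc/doas.conf
    install -d -m 700 -o "$USERNAME" -g "$USERNAME" "/home/$USERNAME/.ssh"
    install -m 600 -o "$USERNAME" -g "$USERNAME" /root/.ssh/authorized_keys "/home/$USERNAME/.ssh/authorized_keys"
    # Harden sshd; append the directive when the config has no line to rewrite,
    # otherwise the sed is a silent no-op and the default stays in effect.
    sed -i '/^PermitRootLogin /c\PermitRootLogin no' /etc/ssh/sshd_config
    grep -q '^PermitRootLogin ' /etc/ssh/sshd_config || echo 'PermitRootLogin no' >> /etc/ssh/sshd_config
    sed -i 's/^#\?PasswordAuthentication \(yes\|no\)/PasswordAuthentication no/' /etc/ssh/sshd_config
    grep -q '^PasswordAuthentication ' /etc/ssh/sshd_config || echo 'PasswordAuthentication no' >> /etc/ssh/sshd_config
    # Validate before restarting: a broken sshd_config would lock us out of the host.
    sshd -t
    systemctl restart sshd
    apt-get -y install podman podman-compose
    loginctl enable-linger "$USERNAME"
    # Deliberate: no shell history for this account.
    echo "unset HISTFILE" >> "/home/$USERNAME/.bashrc"
    # One lower bound is enough: 80 already covers 443. Appending a second
    # line with =443 (as before) overrode the first and re-privileged port 80.
    echo 'net.ipv4.ip_unprivileged_port_start=80' > /etc/sysctl.d/90-unprivileged-ports.conf
    sysctl --system
EOF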
