From 3155eacdac68e1338290f6a1378f916bbe1a1d53 Mon Sep 17 00:00:00 2001
From: doomtube
Date: Tue, 6 Jan 2026 04:53:46 -0500
Subject: [PATCH] Add automatic SSL certificate generation
---
devops/terraform/main.tf | 1 -
.../modules/forgejo/cloud-init.yaml.tpl | 66 +++----------------
devops/terraform/modules/forgejo/main.tf | 23 -------
devops/terraform/modules/forgejo/outputs.tf | 10 ---
devops/terraform/modules/forgejo/variables.tf | 6 --
devops/terraform/outputs.tf | 5 --
devops/terraform/variables.tf | 6 --
7 files changed, 8 insertions(+), 109 deletions(-)
diff --git a/devops/terraform/main.tf b/devops/terraform/main.tf
index caf7931..c9c4373 100644
--- a/devops/terraform/main.tf
+++ b/devops/terraform/main.tf
@@ -73,7 +73,6 @@ module "forgejo" {
ssh_keys = module.ssh_keys.forgejo_ssh_key_ids
droplet_size = var.forgejo_droplet_size
droplet_image = var.forgejo_droplet_image
- volume_size = var.forgejo_volume_size
ssh_port = var.forgejo_ssh_port
git_ssh_port = var.forgejo_git_ssh_port
domain = var.forgejo_domain
diff --git a/devops/terraform/modules/forgejo/cloud-init.yaml.tpl b/devops/terraform/modules/forgejo/cloud-init.yaml.tpl
index a480d8f..392655a 100644
--- a/devops/terraform/modules/forgejo/cloud-init.yaml.tpl
+++ b/devops/terraform/modules/forgejo/cloud-init.yaml.tpl
@@ -152,54 +152,6 @@ write_files:
echo "Firewall configured successfully"
permissions: '0755'
- # Volume mount script
- - path: /usr/local/bin/mount-volume.sh
- content: |
- #!/bin/bash
- set -e
-
- VOLUME_NAME="${volume_name}"
- MOUNT_POINT="/mnt/forgejo"
-
- # Create mount point
- mkdir -p "$MOUNT_POINT"
-
- # Find the volume device
- # DigitalOcean volumes are typically at /dev/disk/by-id/scsi-0DO_Volume_*
- VOLUME_DEV=$(readlink -f /dev/disk/by-id/scsi-0DO_Volume_$VOLUME_NAME 2>/dev/null || true)
-
- if [ -z "$VOLUME_DEV" ]; then
- echo "Waiting for volume to attach..."
- sleep 10
- VOLUME_DEV=$(readlink -f /dev/disk/by-id/scsi-0DO_Volume_$VOLUME_NAME 2>/dev/null || true)
- fi
-
- if [ -n "$VOLUME_DEV" ]; then
- # Check if already mounted
- if ! mountpoint -q "$MOUNT_POINT"; then
- mount "$VOLUME_DEV" "$MOUNT_POINT"
- echo "Volume mounted at $MOUNT_POINT"
- fi
-
- # Add to fstab if not already there
- if ! grep -q "$VOLUME_DEV" /etc/fstab; then
- echo "$VOLUME_DEV $MOUNT_POINT ext4 defaults,nofail,discard 0 2" >> /etc/fstab
- fi
-
- # Create subdirectories
- mkdir -p "$MOUNT_POINT/forgejo-data"
- mkdir -p "$MOUNT_POINT/forgejo-db"
- mkdir -p "$MOUNT_POINT/runner-data"
-
- # Set permissions (UID 1000 is typically the forgejo user in container)
- chown -R 1000:1000 "$MOUNT_POINT/forgejo-data"
- chown -R 999:999 "$MOUNT_POINT/forgejo-db" # postgres user
- chown -R 1000:1000 "$MOUNT_POINT/runner-data"
- else
- echo "WARNING: Volume not found. Please attach volume manually."
- fi
- permissions: '0755'
- # Swap configuration script
- - path: /usr/local/bin/configure-swap.sh
content: |
@@ -269,7 +221,7 @@ write_files:
POSTGRES_PASSWORD: $${POSTGRES_PASSWORD}
POSTGRES_DB: $${POSTGRES_DB:-forgejo}
volumes:
- - /mnt/forgejo/forgejo-db:/var/lib/postgresql/data
+ - /var/lib/forgejo/forgejo-db:/var/lib/postgresql/data
networks:
- forgejo-internal
healthcheck:
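Review bot: The Postgres data directory is now a bind mount from `/var/lib/forgejo/forgejo-db` on the droplet's root disk rather than the separately managed block volume that the deleted mount-volume.sh mounted with `nofail`, so the database, and with the same change in the @@ -326, @@ -394 and @@ -633 hunks the repositories and runner state, no longer outlive the droplet. In the DigitalOcean provider a change to `user_data` (this template) or `droplet_image` typically forces droplet replacement, and nothing in the new code snapshots or backs up the path before that happens, so a routine template edit can destroy all service data. If this trade-off is intended, record it next to the mount: `# NOTE: data lives on the droplet root disk and is lost when the droplet is replaced; back up /var/lib/forgejo before changing user_data or droplet_image`; otherwise the volume resource should stay.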
@@ -326,7 +278,7 @@ write_files:
FORGEJO__log__MODE: "console"
FORGEJO__log__LEVEL: "Info"
volumes:
- - /mnt/forgejo/forgejo-data:/data
+ - /var/lib/forgejo/forgejo-data:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
networks:
@@ -394,7 +346,7 @@ write_files:
DOCKER_TLS_VERIFY: "1"
DOCKER_CERT_PATH: /certs/client
volumes:
- - /mnt/forgejo/runner-data:/data
+ - /var/lib/forgejo/runner-data:/data
- dind-certs-client:/certs/client:ro
networks:
- forgejo-internal
@@ -571,7 +523,7 @@ write_files:
| Domain: ${domain} |
| Git SSH Port: ${git_ssh_port} |
| |
- | Data location: /mnt/forgejo |
+ | Data location: /var/lib/forgejo |
| Docker compose: /opt/forgejo |
| |
| Commands: |
@@ -633,12 +585,10 @@ runcmd:
# Configure swap (important for 1GB RAM)
- /usr/local/bin/configure-swap.sh
- # Mount the volume
- - /usr/local/bin/mount-volume.sh
-
- # Fix ownership for Forgejo container (runs as UID 1000)
- # This must run AFTER all directories are created to ensure correct permissions
- - chown -R 1000:1000 /mnt/forgejo/forgejo-data
+ # Create data directories on local disk
+ - mkdir -p /var/lib/forgejo/forgejo-data /var/lib/forgejo/forgejo-db /var/lib/forgejo/runner-data
+ - chown -R 1000:1000 /var/lib/forgejo/forgejo-data /var/lib/forgejo/runner-data
+ - chown -R 999:999 /var/lib/forgejo/forgejo-db
# Configure firewall
- /usr/local/bin/configure-firewall.sh
diff --git a/devops/terraform/modules/forgejo/main.tf b/devops/terraform/modules/forgejo/main.tf
index d05ec67..9b7ddcc 100644
--- a/devops/terraform/modules/forgejo/main.tf
+++ b/devops/terraform/modules/forgejo/main.tf
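Review bot: In the @@ -633 runcmd hunk, `mkdir -p` creates `/var/lib/forgejo/forgejo-db` with the process umask (normally 0755), so the Postgres data directory starts out world-readable on the host and stays that way unless the container image tightens it itself; creating it with an explicit mode removes that dependency, e.g. `install -d -m 0700 -o 999 -g 999 /var/lib/forgejo/forgejo-db`, and `-m 0750` with owner 1000 for the two Forgejo directories. The deleted script's `# postgres user` remark was the only place that explained the numeric IDs; the new lines should carry it, e.g. `# UID 999 = postgres user inside the db container, UID 1000 = forgejo/runner user`. Whether these `chown -R` lines run before the compose stack is first started cannot be seen here, since the runcmd list continues past the hunk. Separately, the commit subject "Add automatic SSL certificate generation" does not describe this diff, which removes the block volume and moves the data paths and touches no certificate handling; the subject should name the change actually made.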
@@ -22,19 +22,6 @@ resource "random_password" "forgejo_jwt_secret" {
special = false
}
-# =============================================================================
-# Forgejo Volume (Block Storage)
-# =============================================================================
-
-resource "digitalocean_volume" "forgejo" {
- name = "${var.project_name}-forgejo-${var.environment}"
- region = var.region
- size = var.volume_size
- initial_filesystem_type = "ext4"
- description = "Forgejo data volume for ${var.project_name}"
- tags = var.tags
-}
-
# =============================================================================
# Forgejo Droplet
# =============================================================================
@@ -57,7 +44,6 @@ resource "digitalocean_droplet" "forgejo" {
ssh_port = var.ssh_port
git_ssh_port = var.git_ssh_port
vpc_ip_range = var.vpc_ip_range
- volume_name = "${var.project_name}-forgejo-${var.environment}"
domain = var.domain
postgres_password = random_password.postgres.result
forgejo_secret_key = random_password.forgejo_secret_key.result
@@ -73,15 +59,6 @@ resource "digitalocean_droplet" "forgejo" {
}
}
-# =============================================================================
-# Volume Attachment
-# =============================================================================
-
-resource "digitalocean_volume_attachment" "forgejo" {
- droplet_id = digitalocean_droplet.forgejo.id
- volume_id = digitalocean_volume.forgejo.id
-}
-
# =============================================================================
# DNS Record (optional - requires domain to be managed by DigitalOcean)
# =============================================================================
diff --git a/devops/terraform/modules/forgejo/outputs.tf b/devops/terraform/modules/forgejo/outputs.tf
index 6a39f37..70a03d3 100644
--- a/devops/terraform/modules/forgejo/outputs.tf
+++ b/devops/terraform/modules/forgejo/outputs.tf
@@ -18,16 +18,6 @@ output "urn" {
value = digitalocean_droplet.forgejo.urn
}
-output "volume_id" {
- description = "ID of the Forgejo volume"
- value = digitalocean_volume.forgejo.id
-}
-
-output "volume_name" {
- description = "Name of the Forgejo volume"
- value = digitalocean_volume.forgejo.name
-}
-
output "dns_record_fqdn" {
description = "FQDN of the DNS record (if managed)"
value = var.manage_dns ? digitalocean_record.forgejo[0].fqdn : null
diff --git a/devops/terraform/modules/forgejo/variables.tf b/devops/terraform/modules/forgejo/variables.tf
index ffee337..d047983 100644
--- a/devops/terraform/modules/forgejo/variables.tf
+++ b/devops/terraform/modules/forgejo/variables.tf
@@ -40,12 +40,6 @@ variable "droplet_image" {
default = "debian-12-x64"
}
-variable "volume_size" {
- description = "Size of the data volume in GB"
- type = number
- default = 50
-}
-
variable "ssh_port" {
description = "System SSH port (non-standard, VPC only)"
type = number
diff --git a/devops/terraform/outputs.tf b/devops/terraform/outputs.tf
index e5fb3c1..b6be108 100644
--- a/devops/terraform/outputs.tf
+++ b/devops/terraform/outputs.tf
@@ -55,11 +55,6 @@ output "forgejo_private_ip" {
value = module.forgejo.private_ip
}
-output "forgejo_volume_id" {
- description = "ID of the Forgejo volume"
- value = module.forgejo.volume_id
-}
-
output "forgejo_ssh_port" {
description = "System SSH port for Forgejo (VPC only)"
value = var.forgejo_ssh_port
diff --git a/devops/terraform/variables.tf b/devops/terraform/variables.tf
index 67b9884..2e337e1 100644
--- a/devops/terraform/variables.tf
+++ b/devops/terraform/variables.tf
@@ -105,12 +105,6 @@ variable "forgejo_droplet_image" {
default = "debian-12-x64"
}
-variable "forgejo_volume_size" {
- description = "Size of the Forgejo data volume in GB"
- type = number
- default = 50
-}
-
variable "forgejo_domain" {
description = "Domain name for Forgejo (e.g., qbit.realms.pub)"
type = string