Initial commit - realms platform

devops/forgejo-server/.env.example

@@ -0,0 +1,41 @@
+# =============================================================================
+# Forgejo Server Environment Configuration
+# Copy to .env and fill in values
+# =============================================================================
+
+# Domain for Forgejo (required)
+FORGEJO_DOMAIN=bit.realms.pub
+
+# PostgreSQL Configuration
+POSTGRES_USER=forgejo
+POSTGRES_PASSWORD=CHANGE_ME_SECURE_PASSWORD
+POSTGRES_DB=forgejo
+
+# Forgejo Security Keys (generate with: openssl rand -hex 32)
+# SECRET_KEY: Used for encrypting data
+FORGEJO_SECRET_KEY=CHANGE_ME_GENERATE_WITH_openssl_rand_hex_32
+
+# INTERNAL_TOKEN: Used for internal API authentication
+FORGEJO_INTERNAL_TOKEN=CHANGE_ME_GENERATE_WITH_openssl_rand_hex_32
+
+# JWT_SECRET: Used for OAuth2 JWT tokens
+FORGEJO_JWT_SECRET=CHANGE_ME_GENERATE_WITH_openssl_rand_hex_32
+
+# =============================================================================
+# Runner Configuration (set after initial setup)
+# =============================================================================
+
+# Runner registration token (get from Forgejo admin panel)
+# Site Administration > Actions > Runners > Create new Runner
+# RUNNER_TOKEN=
+
+# =============================================================================
+# Generate secure values with:
+#
+#   # Generate all secrets at once
+#   echo "FORGEJO_SECRET_KEY=$(openssl rand -hex 32)"
+#   echo "FORGEJO_INTERNAL_TOKEN=$(openssl rand -hex 32)"
+#   echo "FORGEJO_JWT_SECRET=$(openssl rand -hex 32)"
+#   echo "POSTGRES_PASSWORD=$(openssl rand -base64 24)"
+#
+# =============================================================================

devops/forgejo-server/Caddyfile

@@ -0,0 +1,40 @@
+# =============================================================================
+# Caddy Configuration for Forgejo
+# Automatic HTTPS with Let's Encrypt
+# =============================================================================
+
+{$FORGEJO_DOMAIN} {
+    # Reverse proxy to Forgejo
+    reverse_proxy forgejo:3000
+
+    # Enable compression
+    encode gzip zstd
+
+    # Security headers
+    header {
+        # HSTS
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        # Prevent clickjacking
+        X-Frame-Options "SAMEORIGIN"
+        # XSS protection
+        X-Content-Type-Options "nosniff"
+        X-XSS-Protection "1; mode=block"
+        # Referrer policy
+        Referrer-Policy "strict-origin-when-cross-origin"
+        # Remove server header
+        -Server
+    }
+
+    # Logging
+    log {
+        output file /data/access.log {
+            roll_size 10mb
+            roll_keep 5
+        }
+    }
+}
+
+# HTTP to HTTPS redirect (automatic with Caddy, but explicit for clarity)
+http://{$FORGEJO_DOMAIN} {
+    redir https://{$FORGEJO_DOMAIN}{uri} permanent
+}

devops/forgejo-server/README.md

@@ -0,0 +1,137 @@
+# Forgejo Server Setup
+
+Git server with CI/CD for realms.india infrastructure.
+
+## Prerequisites
+
+- Droplet with Docker and Docker Compose installed (via Terraform cloud-init)
+- Volume mounted at `/mnt/forgejo`
+- DNS A record pointing to droplet IP
+
+## Initial Setup
+
+### 1. Copy configuration files
+
+```bash
+# SSH to Forgejo server via jump host
+ssh realms-forgejo
+
+# Copy files to /opt/forgejo
+cd /opt/forgejo
+# (upload docker-compose.yml, Caddyfile, .env.example)
+```
+
+### 2. Generate secrets and configure environment
+
+```bash
+cd /opt/forgejo
+cp .env.example .env
+
+# Generate secure values
+echo "FORGEJO_SECRET_KEY=$(openssl rand -hex 32)"
+echo "FORGEJO_INTERNAL_TOKEN=$(openssl rand -hex 32)"
+echo "FORGEJO_JWT_SECRET=$(openssl rand -hex 32)"
+echo "POSTGRES_PASSWORD=$(openssl rand -base64 24)"
+
+# Edit .env with generated values
+vim .env
+```
+
+### 3. Start Forgejo (without runner)
+
+```bash
+docker compose up -d forgejo-db forgejo caddy
+docker compose logs -f forgejo
+```
+
+### 4. Initial Forgejo Configuration
+
+1. Visit `https://bit.realms.pub`
+2. Create admin account (first user becomes admin)
+3. Configure settings as needed
+
+### 5. Register the Actions Runner
+
+```bash
+# Get runner token from Forgejo
+# Site Administration > Actions > Runners > Create new Runner
+
+# Register the runner
+docker compose run --rm forgejo-runner \
+  forgejo-runner register \
+  --instance https://bit.realms.pub \
+  --token YOUR_RUNNER_TOKEN \
+  --name realms-runner \
+  --labels ubuntu-latest,docker \
+  --no-interactive
+
+# Start the runner
+docker compose up -d forgejo-runner
+```
+
+### 6. Verify Setup
+
+```bash
+# Check all services
+docker compose ps
+
+# Check logs
+docker compose logs -f
+
+# Test Git SSH
+ssh -T git@bit.realms.pub -p 2222
+```
+
+## Maintenance
+
+### View logs
+```bash
+docker compose logs -f [service]
+```
+
+### Restart services
+```bash
+docker compose restart [service]
+```
+
+### Backup
+```bash
+# Stop services
+docker compose down
+
+# Backup volumes
+tar -czvf forgejo-backup-$(date +%Y%m%d).tar.gz /mnt/forgejo
+
+# Restart
+docker compose up -d
+```
+
+### Update Forgejo
+
+```bash
+# Pull new image
+docker compose pull forgejo
+
+# Recreate container
+docker compose up -d forgejo
+```
+
+## Troubleshooting
+
+### Runner won't start
+- Ensure runner is registered first
+- Check `/mnt/forgejo/runner-data/.runner` exists
+- Check logs: `docker compose logs forgejo-runner`
+
+### SSL certificate issues
+- Ensure DNS is properly configured
+- Check Caddy logs: `docker compose logs caddy`
+- Caddy auto-obtains certs, may take a minute on first start
+
+### Database connection issues
+- Check PostgreSQL is healthy: `docker compose ps`
+- Check logs: `docker compose logs forgejo-db`
+
+### Git SSH not working
+- Verify port 2222 is open in firewall
+- Test: `ssh -T git@bit.realms.pub -p 2222 -v`

devops/forgejo-server/docker-compose.yml

@@ -0,0 +1,208 @@
+# =============================================================================
+# Forgejo Git Server - Docker Compose Stack
+# Forgejo 11.0.8 LTS with PostgreSQL, Caddy, and Actions Runner
+# =============================================================================
+
+services:
+  # ---------------------------------------------------------------------------
+  # PostgreSQL Database
+  # ---------------------------------------------------------------------------
+  forgejo-db:
+    image: postgres:16-alpine
+    container_name: forgejo-db
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: ${POSTGRES_USER:-forgejo}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD required}
+      POSTGRES_DB: ${POSTGRES_DB:-forgejo}
+    volumes:
+      - /mnt/forgejo/forgejo-db:/var/lib/postgresql/data
+    networks:
+      - forgejo-internal
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-forgejo} -d ${POSTGRES_DB:-forgejo}"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  # ---------------------------------------------------------------------------
+  # Forgejo Git Server
+  # Using rootless image for better security
+  # ---------------------------------------------------------------------------
+  forgejo:
+    image: codeberg.org/forgejo/forgejo:11.0.8-rootless
+    container_name: forgejo
+    restart: unless-stopped
+    depends_on:
+      forgejo-db:
+        condition: service_healthy
+    environment:
+      # Database
+      FORGEJO__database__DB_TYPE: postgres
+      FORGEJO__database__HOST: forgejo-db:5432
+      FORGEJO__database__NAME: ${POSTGRES_DB:-forgejo}
+      FORGEJO__database__USER: ${POSTGRES_USER:-forgejo}
+      FORGEJO__database__PASSWD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD required}
+
+      # Server configuration
+      FORGEJO__server__DOMAIN: ${FORGEJO_DOMAIN:?FORGEJO_DOMAIN required}
+      FORGEJO__server__ROOT_URL: https://${FORGEJO_DOMAIN}/
+      FORGEJO__server__SSH_DOMAIN: ${FORGEJO_DOMAIN}
+      FORGEJO__server__SSH_PORT: 2222
+      FORGEJO__server__SSH_LISTEN_PORT: 2222
+      FORGEJO__server__START_SSH_SERVER: "true"
+      FORGEJO__server__HTTP_PORT: 3000
+      FORGEJO__server__LFS_START_SERVER: "true"
+
+      # Security
+      FORGEJO__security__INSTALL_LOCK: "true"
+      FORGEJO__security__SECRET_KEY: ${FORGEJO_SECRET_KEY:?FORGEJO_SECRET_KEY required}
+      FORGEJO__security__INTERNAL_TOKEN: ${FORGEJO_INTERNAL_TOKEN:?FORGEJO_INTERNAL_TOKEN required}
+      FORGEJO__security__PASSWORD_COMPLEXITY: "lower,upper,digit"
+      FORGEJO__security__MIN_PASSWORD_LENGTH: "12"
+
+      # OAuth2 JWT secret
+      FORGEJO__oauth2__JWT_SECRET: ${FORGEJO_JWT_SECRET:?FORGEJO_JWT_SECRET required}
+
+      # Service settings
+      FORGEJO__service__DISABLE_REGISTRATION: "false"
+      FORGEJO__service__REQUIRE_SIGNIN_VIEW: "false"
+      FORGEJO__service__ENABLE_NOTIFY_MAIL: "false"
+
+      # Actions (CI/CD)
+      FORGEJO__actions__ENABLED: "true"
+      FORGEJO__actions__DEFAULT_ACTIONS_URL: "https://code.forgejo.org"
+
+      # Repository settings
+      FORGEJO__repository__DEFAULT_BRANCH: "main"
+      FORGEJO__repository__ENABLE_PUSH_CREATE_USER: "true"
+      FORGEJO__repository__ENABLE_PUSH_CREATE_ORG: "true"
+
+      # LFS settings
+      FORGEJO__lfs__PATH: /data/lfs
+
+      # Webhook settings (for CI/CD)
+      FORGEJO__webhook__ALLOWED_HOST_LIST: "private"
+      FORGEJO__webhook__SKIP_TLS_VERIFY: "false"
+
+      # Log settings
+      FORGEJO__log__MODE: "console"
+      FORGEJO__log__LEVEL: "Info"
+
+    volumes:
+      - /mnt/forgejo/forgejo-data:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    networks:
+      - forgejo-internal
+      - forgejo-public
+    ports:
+      # Git SSH - exposed publicly
+      - "2222:2222"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:3000/api/healthz"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 60s
+
+  # ---------------------------------------------------------------------------
+  # Caddy Reverse Proxy
+  # Automatic HTTPS with Let's Encrypt
+  # ---------------------------------------------------------------------------
+  caddy:
+    image: caddy:2-alpine
+    container_name: forgejo-caddy
+    restart: unless-stopped
+    depends_on:
+      forgejo:
+        condition: service_healthy
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile:ro
+      - caddy_data:/data
+      - caddy_config:/config
+    networks:
+      - forgejo-public
+    environment:
+      FORGEJO_DOMAIN: ${FORGEJO_DOMAIN}
+
+  # ---------------------------------------------------------------------------
+  # Forgejo Actions Runner
+  # For CI/CD pipelines
+  # ---------------------------------------------------------------------------
+  forgejo-runner:
+    image: code.forgejo.org/forgejo/runner:6.3.1
+    container_name: forgejo-runner
+    restart: unless-stopped
+    depends_on:
+      forgejo:
+        condition: service_healthy
+      docker-dind:
+        condition: service_started
+    environment:
+      DOCKER_HOST: tcp://docker-dind:2376
+      DOCKER_TLS_VERIFY: "1"
+      DOCKER_CERT_PATH: /certs/client
+    volumes:
+      - /mnt/forgejo/runner-data:/data
+      - dind-certs-client:/certs/client:ro
+    networks:
+      - forgejo-internal
+      - dind-network
+    command: >
+      sh -c '
+        if [ ! -f /data/.runner ]; then
+          echo "Runner not registered. Please run registration command first."
+          echo "See README for registration instructions."
+          sleep infinity
+        fi
+        forgejo-runner daemon --config /data/config.yaml
+      '
+
+  # ---------------------------------------------------------------------------
+  # Docker-in-Docker for Runner
+  # Allows building Docker images in CI/CD
+  # ---------------------------------------------------------------------------
+  docker-dind:
+    image: docker:27-dind
+    container_name: forgejo-dind
+    restart: unless-stopped
+    privileged: true
+    environment:
+      DOCKER_TLS_CERTDIR: /certs
+    volumes:
+      - dind-certs-ca:/certs/ca
+      - dind-certs-client:/certs/client
+      - dind-storage:/var/lib/docker
+    networks:
+      - dind-network
+    # Resource limits for 1GB RAM droplet
+    deploy:
+      resources:
+        limits:
+          memory: 512M
+
+# =============================================================================
+# Networks
+# =============================================================================
+networks:
+  forgejo-internal:
+    driver: bridge
+    internal: true
+  forgejo-public:
+    driver: bridge
+  dind-network:
+    driver: bridge
+
+# =============================================================================
+# Volumes
+# =============================================================================
+volumes:
+  caddy_data:
+  caddy_config:
+  dind-certs-ca:
+  dind-certs-client:
+  dind-storage: