Forgejo

From Gentoo Wiki

Forgejo is a fork of Gitea.

Installation

As of 2024-09-18, Forgejo is not provided as a Gentoo package, but is available in the GURU overlay. Alternatively, Forgejo is distributed as a single binary file.

Official binaries

Forgejo

The Forgejo project distributes binaries for AMD64 and ARM64 architectures, which can be downloaded here. The binaries are compatible with musl-based systems.

To download and verify the binary file, follow the instructions provided here.

Note
In case GnuPG fails to retrieve the key, the key can be imported manually:

The binary does not require root privileges to run and can be launched from any directory:

user $ ./forgejo-*-linux-arm64

To install the binary system-wide, follow the steps provided here.

SELinux policy
Note
The policy was tested with Forgejo v. 8.0.3 on the default/linux/arm64/23.0/musl/hardened/selinux profile. This section also covers the requirements of Forgejo Actions.

Forgejo requires the git_client_manage_all_user_home_content, user_tcp_server and global_ssp booleans to be enabled:

root # semanage boolean --modify --on git_client_manage_all_user_home_content
root # semanage boolean --modify --on user_tcp_server
root # semanage boolean --modify --on global_ssp

In addition, the following SELinux policy module needs to be installed:

FILE forgejo-workaround.te
module forgejo-workaround 1.0;

require {
	type user_t;
	type user_home_t;
	type shell_exec_t;
	type sysfs_t;
	type proc_t;
	type ntop_port_t;
	type user_git_t;
	class file { execute execute_no_trans getattr map open read };
	class process { getsched setpgid signal };
	class filesystem getattr;
	class tcp_socket { name_bind name_connect };
}

#============= user_t ==============

allow user_t ntop_port_t:tcp_socket name_bind;

#============= user_git_t ==============
allow user_git_t ntop_port_t:tcp_socket name_connect;
allow user_git_t proc_t:filesystem getattr;
allow user_git_t self:process { getsched setpgid signal };
allow user_git_t shell_exec_t:file { execute execute_no_trans getattr map open read };
allow user_git_t sysfs_t:file read;
allow user_git_t user_home_t:file { execute execute_no_trans };

To compile and install the policy module, follow the instructions provided here.
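
Before a policy module is loaded, it is worth listing what it grants. The following is an added example, not part of the original article or of Forgejo: it parses a module written in the style above, checks every allow rule against the require block, and reports which file types a domain may execute without a domain transition. The names audit_te, runs_in_caller_domain and the trimmed SAMPLE excerpt are chosen for this example.

```python
import re
from collections import defaultdict

STMT = r"(\{[^}]*\}|\w+)\s*;"  # one permission or a braced set, then ';'
def _perms(text):
    return set(text.strip("{} \t\n").split())

def audit_te(source):
    """Return (grants, problems) for an audit2allow-style .te module."""
    source = re.sub(r"#.*", "", source)  # strip comments
    types = set(re.findall(r"\btype\s+(\w+)\s*;", source))
    classes = {c: _perms(p) for c, p in re.findall(r"\bclass\s+(\w+)\s+" + STMT, source)}
    grants, problems = defaultdict(set), []
    for src, tgt, cls, perms in re.findall(
            r"\ballow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+" + STMT, source):
        target = src if tgt == "self" else tgt  # 'self' is the source domain
        for name in (src, target):
            if name not in types:
                problems.append(f"type {name} is not declared in require")
        missing = _perms(perms) - classes.get(cls, set())
        if missing:
            problems.append(f"{cls}: {sorted(missing)} not declared in require")
        grants[(src, target, cls)] |= _perms(perms)
    return dict(grants), problems

def runs_in_caller_domain(grants):
    """Pairs where source may execute target files without a domain transition."""
    return sorted((s, t) for (s, t, c), p in grants.items()
                  if c == "file" and "execute_no_trans" in p)

# Excerpt of forgejo-workaround.te from this page; require trimmed to match.
SAMPLE = """
module forgejo-workaround 1.0;
require {
    type user_git_t;
    type user_home_t;
    type ntop_port_t;
    class file { execute execute_no_trans };
    class process { getsched setpgid signal };
    class tcp_socket name_connect;
}
allow user_git_t ntop_port_t:tcp_socket name_connect;
allow user_git_t self:process { getsched setpgid signal };
allow user_git_t user_home_t:file { execute execute_no_trans };
"""

if __name__ == "__main__":
    grants, problems = audit_te(SAMPLE)
    print(grants, problems or "no problems", runs_in_caller_domain(grants), sep="\n")
```

To audit the full module, pass the contents of forgejo-workaround.te to audit_te instead of SAMPLE.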

Forgejo Actions (self-hosted)

Warning
This section describes a way to run Actions on bare hardware, without virtualization or containers. Everything that is uploaded to the repository will therefore run on the same system that the server is running on. This can lead to any number of consequences (data loss, hardware damage, etc.). Only persons with the ultimate level of trust should be able to push data to repositories.

The runner can be downloaded from here.

Once downloaded, create and copy the token via GUI as described here.

Register the runner:

user $ ./forgejo-runner-* register --no-interactive --token <OBTAINED TOKEN> --name self-hosted --instance http://[::1]:3001/
Note
http://[::1]:3001/ is Forgejo's address.

Once registered, create the minimal configuration file:

FILE config.yml
log:
  level: info

runner:
  timeout: 1h
  labels:
    - self-hosted

cache:
  enabled: false

And launch the runner as a daemon:

user $ ./forgejo-runner-* --config config.yml daemon

To test that everything works, push the following file to the repository:

FILE .forgejo/workflows/demo.yaml
on: [push]
jobs:
  test:
    runs-on: self-hosted
    steps:
      - run: echo Works

See also