Update Forgejo to rootless image

Signed-off-by: Bensuperpc <bensuperpc@gmail.com>
2025-09-03 23:24:57 +02:00 · 2025-08-24 20:09:28 +02:00
parent f48cbcc522
commit 6b39245125
12 changed files with 87 additions and 110 deletions
--- a/9
+++ b/9
@@ -11,17 +11,18 @@
 #//                                                          //
 #//////////////////////////////////////////////////////////////
-ADMIN_SERVICES := openssh 
+ADMIN_SERVICES := openssh uptime-kuma
 #uptime-kuma yacht
 #BLOG_SERVICES := wordpress
 #7DAYS_TO_DIE_SERVICES := 7daystodie_server 7daystodie_backup
 #MINECRAFT_SERVICES := minecraft_server minecraft_backup
 #SATISFACTORY_SERVICES := satisfactory_server satisfactory_backup
-#GIT_SERVICES := forgejo
+GIT_SERVICES := forgejo
 # forgejo-runner
 # gitea gitea-runner
 #IA_SERVICES := open-webui
-#SHARING_SERVICES := psitransfer picoshare privatebin projectsend jellyfin dufs syncthing
+SHARING_SERVICES := privatebin
 # jellyfin
 # psitransfer picoshare projectsend dufs syncthing
 TORRENTS_SERVICES := qbittorrent
 # transmission
 UTILS_SERVICES := it-tools omni-tools cyberchef
--- a/README.md
+++ b/README.md
@@ -23,7 +23,6 @@ If you have any **questions** or **suggestions**, feel free to open an issue or
 - [x] it-tools and omni-tools (Tools for IT)
 - [x] Open-WebUI (Local chatGPT)
 - [x] Privatebin (Pastebin)
 - [x] Yacht (Web interface for managing docker containers)
 - [X] [Satisfactory](https://github.com/bensuperpc/docker-satisfactory)
 - [x] [7 days to die](https://github.com/bensuperpc/docker-7daystodie)
 - [x] [minecraft](https://github.com/bensuperpc/docker-minecraft-server)
@@ -114,11 +113,9 @@ And then, caddy will generate the certificate for you and renew it automatically
 | [it-tools.bensuperpc.org](https://it-tools.bensuperpc.org)         | Sub  | Tools for IT                                                 |
 | [omni-tools.bensuperpc.org](https://omni-tools.bensuperpc.org)     | Sub  | Tools for IT                                                 |
 | [privatebin.bensuperpc.org](https://privatebin.bensuperpc.org)     | Sub  | Pastebin                                                     |
 | [yacht.bensuperpc.org](https://yacht.bensuperpc.org)               | Sub  | Web interface for managing docker containers                 |
 | [projectsend.bensuperpc.org](https://projectsend.bensuperpc.org)   | Sub  | ProjectSend for file sharing                                 |
 | [picoshare.bensuperpc.org](https://picoshare.bensuperpc.org)       | Sub  | Picoshare for file sharing                                   |
 | [dufs.bensuperpc.org](https://dufs.bensuperpc.org)                 | Sub  | Dufs for file sharing                                        |
 | [public.bensuperpc.org](https://public.bensuperpc.org)             | Sub  | Caddy for file sharing                                       |
 | [memos.bensuperpc.org](https://memos.bensuperpc.org)               | Sub  | Caddy for file sharing                                       |
 | [stirlingpdf.bensuperpc.org](https://stirlingpdf.bensuperpc.org)   | Sub  | Stirling PDF tools                                           |
@@ -191,12 +188,6 @@ For [psitransfer.env](infrastructure/services/psitransfer/env/psitransfer.env) f
 PSITRANSFER_ADMIN_PASS=n9jLVNT9QUotTJTT91JqH4GyBTg9pvEn
 ```
 For [yacht.env](infrastructure/services/yacht/env/yacht.env) file, you need to change the secret key.
 ```sh
 SECRET_KEY=UZvg9nbcGIJlPEB3uI39TAEWyFOz9nm8
 ```
 For [projectsend_db.env](infrastructure/services/projectsend/env/projectsend_db.env) file, you need to change the password(s) and user for the database.
 ```sh
@@ -296,6 +287,14 @@ You can change the homepage config in these files:
 ### Forgejo
 Once the installation is complete, you need to set the installation lock:
 ```sh
 FORGEJO__security__INSTALL_LOCK=true
 ```
 ### Forgejo Runner
 ```sh
 docker exec -it forgejo_runner /bin/bash
 ```
@@ -380,7 +379,6 @@ ssh -p 2222 admin@bensuperpc.org
 - [Privatebin](https://github.com/PrivateBin/PrivateBin)
 - [ghost](https://ghost.org)
 - [Homepage Tuto](https://belginux.com/installer-homepage-avec-docker/)
 - [Yacht](https://yacht.sh/)
 - [ProjectSend](https://www.projectsend.org/)
 - [Picoshare](https://github.com/mtlynch/picoshare)
 - [Dufs](https://github.com/sigoden/dufs)
--- a/infrastructure/docker-compose.yml
+++ b/infrastructure/docker-compose.yml
@@ -41,8 +41,6 @@ include:
  - services/transmission/docker-compose.transmission.yml
 # Uptime-kuma
  - services/uptime-kuma/docker-compose.uptime-kuma.yml
 # Yacht
  - services/yacht/docker-compose.yacht.yml
 # open-webui
  - services/open-webui/docker-compose.open-webui.yml
 # Minecraft
--- a/infrastructure/services/caddy/config/website/main.caddy
+++ b/infrastructure/services/caddy/config/website/main.caddy
@@ -16,12 +16,12 @@ www.{$MAIN_DOMAIN} {
 	redir https://www.{host}{uri} permanent
 }
-public.{$MAIN_DOMAIN} {
+#public.{$MAIN_DOMAIN} {
-	root * /public_data
+#	root * /public_data
-	file_server browse
+#	file_server browse
-
+#
-	header / {
+#	header / {
-		Cache-Control "no-store"
+#		Cache-Control "no-store"
-		import header_common
+#		import header_common
-	}
+#	}
-}
+#}
--- a/infrastructure/services/caddy/config/website/yacht.caddy
+++ b/infrastructure/services/caddy/config/website/yacht.caddy
@@ -1,3 +0,0 @@
 yacht.{$MAIN_DOMAIN} {
 	reverse_proxy yacht:8000
 }
--- a/infrastructure/services/forgejo/docker-compose.forgejo.yml
+++ b/infrastructure/services/forgejo/docker-compose.forgejo.yml
@@ -1,7 +1,7 @@
 services:
  # forgejo
  forgejo:
-    image: codeberg.org/forgejo/forgejo:11-rootless
+    image: codeberg.org/forgejo/forgejo:12-rootless
    container_name: forgejo
    profiles:
      - forgejo
@@ -10,7 +10,7 @@ services:
      - database_forgejo
      - caddy
    ports:
-      - "22:22"
+      - "22:2222"
    env_file:
      - ./env/forgejo.env
    volumes:
@@ -20,6 +20,7 @@ services:
      - /etc/localtime:/etc/localtime:ro
    networks:
      - infra-network
    user: ${PUID:-1000}:${PGID:-1000} 
    security_opt:
      - no-new-privileges:true
--- a/infrastructure/services/forgejo/env/forgejo.env
+++ b/infrastructure/services/forgejo/env/forgejo.env
@@ -5,12 +5,12 @@ FORGEJO__database__HOST=database_forgejo:3306
 FORGEJO__database__NAME=forgejo
 FORGEJO__database__USER=bensuperpc
 FORGEJO__database__PASSWD=K7s5yoHknnEd7vsZoxb8I3dK9mjToF1j
-FORGEJO__APP_NAME=The Homelab Git
+FORGEJO__APP_NAME=Bensuperpc's Forgejo
 FORGEJO__APP_SLOGAN=Personal Code, Mirrors, and More
 FORGEJO__server__DOMAIN=git.bensuperpc.org
 FORGEJO__server__SSH_DOMAIN=git.bensuperpc.org
 FORGEJO__server__HTTP_PORT=3000
-FORGEJO__server__SSH_LISTEN_PORT=22
+FORGEJO__server__SSH_LISTEN_PORT=2222
 FORGEJO__server__SSH_PORT=22
 FORGEJO__server__ROOT_URL=https://git.bensuperpc.org
 FORGEJO__security__SECRET_KEY=ykcZt23an1E4lFHWvrCKdAyt16WAiK9c
--- a/infrastructure/services/homepage/config/services.yaml
+++ b/infrastructure/services/homepage/config/services.yaml
@@ -64,12 +64,12 @@
        description: Dufs
        ping: dufs.bensuperpc.org
        container: dufs
-    - caddy:
+#    - caddy:
-        icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/caddy.png
+#        icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/caddy.png
-        href: https://public.bensuperpc.org/
+#        href: https://public.bensuperpc.org/
-        description: File browser
+#        description: File browser
-        ping: public.bensuperpc.org
+#        ping: public.bensuperpc.org
-        container: caddy
+#        container: caddy
 - Utils:
    - it-tools:
@@ -142,10 +142,4 @@
        description: Uptime Kuma
        ping: uptimekuma.bensuperpc.org
        container: uptime-kuma
    - yacht:
 #        icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons@master/png/yacht.png
        href: https://yacht.bensuperpc.org/
        description: Yacht
        ping: yacht.bensuperpc.org
        container: yacht
--- a/infrastructure/services/privatebin/config/conf.php
+++ b/infrastructure/services/privatebin/config/conf.php
@@ -39,16 +39,29 @@ defaultformatter = "plaintext"
 ; (optional) set a syntax highlighting theme, as found in css/prettify/
 ; syntaxhighlightingtheme = "sons-of-obsidian"
-; size limit per paste or comment in bytes, defaults to 10 Mebibytes
+; size limit per document or comment in bytes, defaults to 10 Megabytes
-sizelimit = 10485760
+sizelimit = 10000000
-; template to include, default is "bootstrap" (tpl/bootstrap.php), also
+; by default PrivateBin use "bootstrap5" template (tpl/bootstrap5.php).
-; available are "page" (tpl/page.php), the classic ZeroBin style and several
+; Optionally you can enable the template selection menu, which uses
-; bootstrap variants: "bootstrap-dark", "bootstrap-compact", "bootstrap-page",
+; a session cookie to store the choice until the browser is closed.
-; which can be combined with "-dark" and "-compact" for "bootstrap-dark-page"
+templateselection = false
-; and finally "bootstrap-compact-page" - previews at:
+
 ; List of available for selection templates when "templateselection" option is enabled
 availabletemplates[] = "bootstrap5"
 availabletemplates[] = "bootstrap"
 availabletemplates[] = "bootstrap-page"
 availabletemplates[] = "bootstrap-dark"
 availabletemplates[] = "bootstrap-dark-page"
 availabletemplates[] = "bootstrap-compact"
 availabletemplates[] = "bootstrap-compact-page"
 ; set the template your installs defaults to, defaults to "bootstrap5" (tpl/bootstrap5.php), also
 ; bootstrap template (tpl/bootstrap.php) and it's variants: "bootstrap-dark", "bootstrap-compact", "bootstrap-page",
 ; which can be combined with "-dark" and "-compact" for "bootstrap-dark-page",
 ; "bootstrap-compact-page" - previews at:
 ; https://privatebin.info/screenshots.html
-template = "bootstrap-dark"
+; template = "bootstrap5"
 ; (optional) info text to display
 ; use single, instead of double quotes for HTML attributes
@@ -66,17 +79,22 @@ languageselection = false
 ; if this is set and language selection is disabled, this will be the only language
 ; languagedefault = "en"
-; (optional) URL shortener address to offer after a new paste is created.
+; (optional) URL shortener address to offer after a new document is created.
 ; It is suggested to only use this with self-hosted shorteners as this will leak
-; the pastes encryption key.
+; the documents encryption key.
 ; urlshortener = "https://shortener.example.com/api?link="
-; (optional) Let users create a QR code for sharing the paste URL with one click.
+; (optional) Whether to shorten the URL by default when a new document is created.
-; It works both when a new paste is created and when you view a paste.
+; If set to true, the "Shorten URL" functionality will be automatically called.
 ; This only works if the "urlshortener" option is set.
 ; shortenbydefault = false
 ; (optional) Let users create a QR code for sharing the document URL with one click.
 ; It works both when a new document is created and when you view a document.
 ; qrcode = true
-; (optional) Let users send an email sharing the paste URL with one click.
+; (optional) Let users send an email sharing the document URL with one click.
-; It works both when a new paste is created and when you view a paste.
+; It works both when a new document is created and when you view a document.
 ; email = true
 ; (optional) IP based icons are a weak mechanism to detect if a comment was from
@@ -84,7 +102,7 @@ languageselection = false
 ; used to get the IP of a comment poster if the server salt is leaked and a
 ; SHA512 HMAC rainbow table is generated for all (relevant) IPs.
 ; Can be set to one these values:
-; "none" / "identicon" (default) / "jdenticon" / "vizhash".
+; "none" / "identicon" / "jdenticon" (default) / "vizhash".
 ; icon = "none"
 ; Content Security Policy headers allow a website to restrict what sources are
@@ -93,24 +111,21 @@ languageselection = false
 ; scripts or run your site behind certain DDoS-protection services.
 ; Check the documentation at https://content-security-policy.com/
 ; Notes:
 ; - If you use any bootstrap theme, you can remove the allow-popups from the
 ;   sandbox restrictions.
 ; - If you use the bootstrap5 theme, you must change default-src to 'self' to
 ;   enable display of the svg icons
 ; - By default this disallows to load images from third-party servers, e.g. when
-;   they are embedded in pastes. If you wish to allow that, you can adjust the
+;   they are embedded in documents. If you wish to allow that, you can adjust the
 ;   policy here. See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images
 ;   for details.
-; - The 'unsafe-eval' is used in two cases; to check if the browser supports
+; - The 'wasm-unsafe-eval' is used to enable webassembly support (used for zlib
-;   async functions and display an error if not and for Chrome to enable
+;   compression). You can remove it if compression doesn't need to be supported.
-;   webassembly support (used for zlib compression). You can remove it if Chrome
+; - The 'unsafe-inline' style-src is used by Chrome when displaying PDF previews
-;   doesn't need to be supported and old browsers don't need to be warned.
+;   and can be omitted if attachment upload is disabled (which is the default).
-; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
+;   See https://issues.chromium.org/issues/343754409
-
+; - To allow displaying PDF previews in Firefox or Chrome, sandboxing must also
-; stay compatible with PrivateBin Alpha 0.19, less secure
+;   get turned off. The following CSP allows PDF previews:
-; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
+; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-ancestors 'none'; frame-src blob:; img-src 'self' data: blob:; media-src blob:; object-src blob:"
-; sha256 in HMAC for the deletion token
+;
-; zerobincompatibility = false
+; The recommended and default used CSP is:
 ; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'wasm-unsafe-eval'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; frame-src blob:; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-modals allow-downloads"
 ; Enable or disable the warning message when the site is served over an insecure
 ; connection (insecure HTTP instead of HTTPS), defaults to true.
@@ -119,7 +134,7 @@ languageselection = false
 ; See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-it-show-me-an-error-about-an-insecure-connection for more information.
 ; httpwarning = true
-; Pick compression algorithm or disable it. Only applies to pastes/comments
+; Pick compression algorithm or disable it. Only applies to documents & comments
 ; created after changing the setting.
 ; Can be set to one these values: "none" / "zlib" (default).
 ; compression = "zlib"
@@ -160,9 +175,9 @@ limit = 10
 ; exempted = "1.2.3.4,10.10.10/24"
 ; (optional) If you want only some source IP addresses (v4 or v6) or subnets
-; (CIDR) to be allowed to create pastes, set these here. Invalid IPs will be
+; (CIDR) to be allowed to create documents, set these here. Invalid IPs will be
 ; ignored. If multiple values are to be exempted, the list needs to be comma
-; separated. Leave unset to allow anyone to create pastes.
+; separated. Leave unset to allow anyone to create documents.
 ; creators = "1.2.3.4,10.10.10/24"
 ; (optional) if your website runs behind a reverse proxy or load balancer,
@@ -170,12 +185,12 @@ limit = 10
 ; header = "X_FORWARDED_FOR"
 [purge]
-; minimum time limit between two purgings of expired pastes, it is only
+; minimum time limit between two purgings of expired documents, it is only
-; triggered when pastes are created
+; checked when documents get created
-; Set this to 0 to run a purge every time a paste is created.
+; Set this to 0 to run a purge every time a document is created.
 limit = 300
-; maximum amount of expired pastes to delete in one purge
+; maximum amount of expired documents to delete in one purge
 ; Set this to 0 to disable purging. Set it higher, if you are running a large
 ; site
 batchsize = 10
@@ -259,7 +274,7 @@ dir = PATH "data"
 ;version = "latest"
 ;bucket = "my-bucket"
-[yourls]
+;[yourls]
 ; When using YOURLS as a "urlshortener" config item:
 ; - By default, "urlshortener" will point to the YOURLS API URL, with or without
 ;   credentials, and will be visible in public on the PrivateBin web page.
@@ -280,4 +295,4 @@ dir = PATH "data"
 ; Subresource integrity (SRI) hashes used in template files. Uncomment and set
 ; these for all js files used. See:
 ; https://github.com/PrivateBin/PrivateBin/wiki/FAQ#user-content-how-to-make-privatebin-work-when-i-have-changed-some-javascript-files
-;privatebin.js = sha512-[…]
+;js/privatebin.js = "sha512-[…]"
--- a/infrastructure/services/yacht/docker-compose.yacht.yml
+++ b/infrastructure/services/yacht/docker-compose.yacht.yml
@@ -1,23 +0,0 @@
 services:
  # yacht
  yacht:
    image: selfhostedpro/yacht:latest
    container_name: yacht
    profiles:
      - yacht
    restart: on-failure:5
    depends_on:
      - caddy
    env_file:
      - ./env/yacht.env
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - yacht_config:/config
    networks:
      - infra-network
    security_opt:
      - no-new-privileges:true
 volumes:
  yacht_config:
    name: yacht_config
--- a/infrastructure/services/yacht/env/yacht.env
+++ b/infrastructure/services/yacht/env/yacht.env
@@ -1,3 +0,0 @@
 ADMIN_EMAIL=bensuperpc@gmail.com
 SECRET_KEY=UZvg9nbcGIJlPEB3uI39TAEWyFOz9nm8
 #DATABASE_URL=postgresql://user:password@postgresserver/db
--- a/tools/docker_volumes_export.sh
+++ b/tools/docker_volumes_export.sh
@@ -37,7 +37,6 @@ volumes=(
    stirlingpdf_config
    uptimekuma_data
 #    private_data
    yacht_config
    transmission_watch
    privatebin_data
    psitransfer_data