Supplemental notes on extending the docker-compose configuration to include a Forgejo container for local development and as private hub for gitops-based workflows.
| Date | Notes |
|---|---|
| 27 Dec 2024 | Initial write-up |
Set up a local instance of Forgejo with port 443 (https) for the web interface and port 22 for ssh access to git repositories. Forgejo uses http and ports 3000 and 22 by default. Forgejo will only be accessible on my local lan and is not exposed to the internet. Please note this setup would need additional hardening before use on an internet-accessible network.
See README.md for more information about the current Docker host, configuration, and macvlan.
Forgejo uses port 3000 by default. The built-in web server apparently does not run as a privileged user, so ports 80 and/or 443 will not work. I use a Caddy-based reverse proxy with locally created certs to enable https and port 443 access. I could have also used the built-in reverse proxy capabilities of the Synology host but chose Caddy for its simplicity and portability.
This instance of Forgejo uses the built-in sqlite database.
I use the dns names `forge.lan` and `git.forge.lan` for this service. There is also a separate `forgejo.lan` name. All are described below.
Forgejo and Caddy containers run via Docker on a Synology host. Synology DSM and Docker are the latest available from the Synology team.
Please note that I use a Fedora workstation so I may make assumptions about availability of tools or steps that may not work on non-linux computers. Also note that these are the steps I (more or less) followed and may not necessarily work well as a tutorial.
- The `forgejo` service definition from the `compose.yaml` file is shown below. This is largely copied from the Forgejo Docker instructions with the addition of an IP address for the container (see the project README.md for more details on the macvlan) and the volume mappings between the Synology host and the container.

  ```yaml
  forgejo:
    image: codeberg.org/forgejo/forgejo:9
    container_name: Forgejo
    environment:
      - USER_UID=1000
      - USER_GID=1000
    restart: unless-stopped
    networks:
      macvlan1:
        ipv4_address: 192.168.110.212
    volumes:
      - /volume1/docker/forgejo:/data
      - /etc/TZ:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - '3000'
      - '22'
  ```
  - I used the Synology web UI to create the sub-directory for the container's `/data/` directory. In my case this is a `forgejo` sub-directory in the existing `/volume1/docker` directory that is the root directory for all container volumes on this host.
- SSH into the Synology and start `forgejo` for the first time using `docker-compose`. Forgejo will create sub-directories under `/data` on the container which are mapped to the designated location on the Synology file system.

  ```sh
  sudo docker-compose -f compose.yaml up -d forgejo
  ```
- While still in ssh on the Synology, edit the Forgejo `app.ini` configuration file to make the necessary changes and additions. My copy is stored in this repository in the `forgejo` sub-directory. I just used vi to make the edits but there are alternatives such as downloading to your workstation or using the Synology Text Edit application.

  ```sh
  sudo vi /volume1/docker/forgejo/gitea/conf/app.ini
  ```
  - I set `DOMAIN = forge.lan`, `SSH_DOMAIN = git.forge.lan` and `ROOT_URL = https://forge.lan`. A copy of app.ini is archived in the repository in the `./forgejo` sub-directory.
- The `caddy` service definition is shown below. This is largely copied from the caddy - official image page on Docker Hub. Changes include the macvlan IP address and `volumes` mappings.

  ```yaml
  caddy:
    image: caddy:latest
    restart: unless-stopped
    networks:
      macvlan1:
        ipv4_address: 192.168.110.214
    cap_add:
      - NET_ADMIN
    ports:
      - '80'
      - '443'
      - '443/udp'
    volumes:
      - /volume1/docker/caddy/etc:/etc/caddy
      - /volume1/docker/caddy/site:/srv
      - /volume1/docker/caddy/data:/data
      - /volume1/docker/caddy/config:/config
  ```
  - Use the Synology web UI to create the sub-directories for the container's `/etc/caddy`, `/srv`, `/data`, and `/config` directories. The `/etc/caddy` directory is where the Caddyfile will be placed as well as the custom certs. A copy of the `Caddyfile` is in the `./caddy` sub-directory of the repository.
- Use mkcert to create the TLS certificates for the site. `mkcert` is useful if you are the only developer using the site. Other options will need to be explored for team use.

  ```sh
  mkcert -key-file syn-cert-key.pem -cert-file syn-cert.pem forge.lan forgejo.lan
  ```
- On your workstation create the `Caddyfile` containing the reverse proxy definition and set the location for the self-signed TLS certs. The Caddyfile requires tabs for indentations, not spaces.

  ```
  forge.lan {
  	tls /etc/caddy/certs/syn-cert.pem /etc/caddy/certs/syn-cert-key.pem
  	reverse_proxy forgejo.lan:3000
  }
  ```
- If you have `caddy` installed on your workstation, you can use it to correctly format the `Caddyfile`. Navigate to the sub-directory containing the `Caddyfile` and execute the following:

  ```sh
  caddy fmt --overwrite
  ```
- Note the paths for the TLS cert and key files are relative to the container root and in the `certs` sub-directory of the `/etc/caddy` volume defined in the docker-compose service definition.
- Create the `certs` sub-directory in `/etc/caddy` and copy the two (2) files mkcert created (the cert and the key) into it. This can be done from the command line on the docker host machine or using a web ui if available.
- Create dns entries for `forge.lan`, `git.forge.lan`, and `forgejo.lan`. The IP address for `forge.lan` will be the address assigned to the Caddy service. The IP address for `forgejo.lan` and `git.forge.lan` will be the address assigned to the Forgejo service. I use pi-hole for DNS services on the lan (see `compose.yaml` and README.md for more information about pi-hole setup).
- SSH into the docker host (Synology in my case), and use `docker-compose` to start forgejo and caddy.

  ```sh
  sudo docker-compose -f compose.yaml up -d forgejo caddy
  ```
- Use a web browser and browse to `https://forge.lan`. Create an account on the Forgejo site and configure as appropriate. Create a new project and repository in Forgejo and verify that the ssh address for the repository contains the `git.forge.lan` address.
- Consider additional hardening steps such as configuring Forgejo to only listen for web traffic from the reverse proxy.

TBD
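The `app.ini` step above sets three values that have to agree with each other and with the Caddy front door: if `ROOT_URL` is left at an `http://` address or at a host other than `DOMAIN`, Forgejo builds its links and redirects against that address and users end up bypassing the TLS proxy. The script below is an added example (not part of these notes or of Forgejo) that reads the `[server]` section of an app.ini and reports those mismatches. The host-side path of the file is assumed to be `/volume1/docker/forgejo/gitea/conf/app.ini` as in the notes; the demo at the bottom runs against a constructed sample instead so it works anywhere.

```shell
#!/bin/sh
# Consistency check for the Forgejo [server] settings edited in the notes above.
# Added example, not part of the original notes or of Forgejo itself.
# Assumed real file on the Synology: /volume1/docker/forgejo/gitea/conf/app.ini
# (the host side of the /data volume). The demo below uses a constructed sample.

# ini_get FILE SECTION KEY -> value of KEY inside [SECTION], trimmed; empty if absent.
# Keys are matched anchored at line start, so DOMAIN does not match SSH_DOMAIN.
ini_get() {
  awk -v sec="$2" -v key="$3" '
    /^[[:space:]]*\[/ { in_sec = ($0 ~ ("^[[:space:]]*\\[" sec "\\][[:space:]]*$")); next }
    in_sec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
      sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
    }' "$1"
}

# url_host URL -> host part without scheme, port or path (https://forge.lan:443/x -> forge.lan)
url_host() {
  h=${1#*://}; h=${h%%/*}; printf '%s\n' "${h%%:*}"
}

# check_forgejo_server_ini FILE -> 0 if DOMAIN, SSH_DOMAIN and ROOT_URL are set and consistent,
# 1 otherwise (each problem is printed on its own line)
check_forgejo_server_ini() {
  domain=$(ini_get "$1" server DOMAIN)
  ssh_domain=$(ini_get "$1" server SSH_DOMAIN)
  root_url=$(ini_get "$1" server ROOT_URL)
  rc=0
  [ -n "$domain" ]     || { echo "DOMAIN is not set"; rc=1; }
  [ -n "$ssh_domain" ] || { echo "SSH_DOMAIN is not set"; rc=1; }
  case "$root_url" in
    https://*) ;;
    *) echo "ROOT_URL should be https since Caddy terminates TLS (got '$root_url')"; rc=1 ;;
  esac
  [ "$(url_host "$root_url")" = "$domain" ] \
    || { echo "ROOT_URL host '$(url_host "$root_url")' does not match DOMAIN '$domain'"; rc=1; }
  [ "$rc" -eq 0 ] && echo "ok: DOMAIN=$domain SSH_DOMAIN=$ssh_domain ROOT_URL=$root_url"
  return $rc
}

# demo_check -> runs the check on a constructed app.ini mirroring the values from the notes
demo_check() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
; constructed sample, not the real app.ini
[server]
DOMAIN = forge.lan
SSH_DOMAIN = git.forge.lan
ROOT_URL = https://forge.lan
HTTP_PORT = 3000
EOF
  if check_forgejo_server_ini "$f"; then rc=0; else rc=1; fi
  rm -f "$f"
  return $rc
}

demo_check
```

To run it against the real file on the Synology, call `check_forgejo_server_ini /volume1/docker/forgejo/gitea/conf/app.ini` after sourcing the script; a non-zero exit means at least one of the three settings needs another look before the container is restarted.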
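The Caddyfile, certs and volume steps above are where this setup most often breaks: the `tls` paths in the Caddyfile are container paths under `/etc/caddy`, while the files are copied to the host directory bound to it, so a typo in either place leaves Caddy unable to start, and a key copied from a different mkcert run will not match the cert. The script below is an added example (not part of these notes or of the Caddy project) that, given the Caddyfile and the host directory mapped to `/etc/caddy` (assumed `/volume1/docker/caddy/etc` as in the compose service), checks that every referenced cert and key exists on the host side and, when `openssl` is installed, that each key's public half equals the certificate's public key. The demo at the bottom builds a throwaway layout in a temp directory so it runs without the Synology.

```shell
#!/bin/sh
# Pre-flight check for the Caddy reverse proxy described in the notes above.
# Added example, not part of the original notes or the Caddy project.
# Assumed host directory bound to /etc/caddy: /volume1/docker/caddy/etc (compose service).
# Paths are assumed to contain no whitespace.

# host_path CONTAINER_PATH HOST_ETC_DIR -> host-side path for a /etc/caddy/... file
host_path() {
  case "$1" in
    /etc/caddy/*) printf '%s/%s\n' "$2" "${1#/etc/caddy/}" ;;
    *)            printf '%s\n' "$1" ;;
  esac
}

# tls_pairs CADDYFILE -> one "cert key" line per file-based tls directive
tls_pairs() {
  awk '$1 == "tls" && NF >= 3 { print $2, $3 }' "$1"
}

# caddy_upstream CADDYFILE -> first reverse_proxy target (e.g. forgejo.lan:3000)
caddy_upstream() {
  awk '$1 == "reverse_proxy" { print $2; exit }' "$1"
}

# tls_files_present CADDYFILE HOST_ETC_DIR -> 0 if every referenced cert and key is readable
tls_files_present() {
  pairs=$(tls_pairs "$1")
  [ -n "$pairs" ] || { echo "no file-based tls directive in $1"; return 1; }
  rc=0
  for p in $pairs; do
    hp=$(host_path "$p" "$2")
    if [ -r "$hp" ]; then echo "found   $p -> $hp"; else echo "MISSING $p -> $hp"; rc=1; fi
  done
  return $rc
}

# tls_key_matches CERT_FILE KEY_FILE -> 0 if the key's public half equals the cert's public key
# (skipped with exit 0 when openssl is not installed)
tls_key_matches() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping key check"; return 0; }
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# caddy_preflight CADDYFILE HOST_ETC_DIR -> 0 only if files exist and every key matches its cert
caddy_preflight() {
  tls_files_present "$1" "$2" || return 1
  rc=0
  tls_pairs "$1" | while read -r cert key; do
    tls_key_matches "$(host_path "$cert" "$2")" "$(host_path "$key" "$2")" \
      || { echo "key $key does not match cert $cert"; exit 1; }
  done || rc=1
  echo "upstream: $(caddy_upstream "$1")"
  return $rc
}

# demo_preflight -> runs the check on a constructed layout in a temp dir standing in for
# /volume1/docker/caddy/etc; a real throwaway cert is generated when openssl is available
demo_preflight() {
  d=$(mktemp -d); mkdir -p "$d/certs"
  printf 'forge.lan {\n\ttls /etc/caddy/certs/syn-cert.pem /etc/caddy/certs/syn-cert-key.pem\n\treverse_proxy forgejo.lan:3000\n}\n' > "$d/Caddyfile"
  if command -v openssl >/dev/null 2>&1; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=forge.lan \
      -keyout "$d/certs/syn-cert-key.pem" -out "$d/certs/syn-cert.pem" 2>/dev/null
  else
    : > "$d/certs/syn-cert.pem"; : > "$d/certs/syn-cert-key.pem"   # placeholders, no key check
  fi
  if caddy_preflight "$d/Caddyfile" "$d"; then rc=0; else rc=1; fi
  rm -rf "$d"
  return $rc
}

demo_preflight || echo "pre-flight check failed"
```

On the Synology the real call is `caddy_preflight /volume1/docker/caddy/etc/Caddyfile /volume1/docker/caddy/etc`; run it after copying the certs and before the `docker-compose up` step so a bad path or mismatched key is caught by the script rather than by a container that refuses to start.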
Docker Compose is a command line executable available for most linux systems including the Synology. There are many references available - I find the original Docker documentation very approachable and useful: https://docs.docker.com/compose/. The version of `docker-compose` currently available for the Synology is `v2.9.0-6413-g38f6acd`, which is fairly old, but at least v2.
Start all services in the default compose.yaml file:

```sh
sudo docker-compose -f compose.yaml up
```

Start all services in the default compose.yaml file and detach:

```sh
sudo docker-compose -f compose.yaml up -d
```

Start the Forgejo service in the default compose.yaml file and detach:

```sh
sudo docker-compose -f compose.yaml up -d forgejo
```
- The open source community and sponsors for Forgejo and Caddy.
- Filippo Valsorda and the other contributors for `mkcert`.