infra/files/cloud-init/ops.yml

#cloud-config

package_update: true
package_upgrade: true

packages:
  - docker.io
  - docker-compose-v2
  - git
  - curl
  - sqlite3
  - python3
  - python3-bcrypt

users:
  - name: deploy
    groups: docker, sudo
    shell: /bin/bash
    sudo: ALL=(ALL) NOPASSWD:ALL
    ssh_authorized_keys:
      - ${ssh_public_key}

write_files:
  - path: /opt/writekit/.env
    permissions: '0600'
    content: |
      ${indent(6, env_file)}

  - path: /opt/writekit/docker-compose.yml
    permissions: '0644'
    content: |
      ${indent(6, docker_compose)}

  - path: /etc/docker/daemon.json
    permissions: '0644'
    content: |
      {
        "insecure-registries": ["10.0.0.3:5000"],
        "log-driver": "json-file",
        "log-opts": {
          "max-size": "10m",
          "max-file": "3"
        }
      }

  - path: /opt/writekit/.ssh/deploy_key
    permissions: '0600'
    content: |
      ${indent(6, deploy_ssh_private_key)}

  - path: /opt/writekit/setup-forgejo-oauth.sh
    permissions: '0755'
    content: |
      #!/bin/bash
      set -a
      . /opt/writekit/.env
      set +a

      DB="/var/lib/docker/volumes/writekit_forgejo-data/_data/gitea/gitea.db"

      for i in {1..60}; do
        [ -f "$$DB" ] && break
        sleep 5
      done

      sleep 10

      HASHED_SECRET=$$(python3 -c "import bcrypt; print(bcrypt.hashpw(b'$$WOODPECKER_FORGEJO_SECRET', bcrypt.gensalt()).decode())")

      sqlite3 "$$DB" <<EOF
      INSERT OR IGNORE INTO login_source (type, name, is_active, is_sync_enabled, cfg, created_unix, updated_unix)
      VALUES (6, 'GitHub', 1, 0, '{"Provider":"github","ClientID":"$$GITHUB_CLIENT_ID","ClientSecret":"$$GITHUB_CLIENT_SECRET","OpenIDConnectAutoDiscoveryURL":"","CustomURLMapping":null,"IconURL":"","Scopes":["read:user","user:email"],"RequiredClaimName":"","RequiredClaimValue":"","GroupClaimName":"","AdminGroup":"","RestrictedGroup":"","GroupTeamMap":"","GroupTeamMapRemoval":false}', strftime('%s','now'), strftime('%s','now'));

      INSERT OR IGNORE INTO oauth2_application (uid, name, client_id, client_secret, confidential_client, redirect_uris, created_unix, updated_unix)
      VALUES (0, 'Woodpecker CI', '$$WOODPECKER_FORGEJO_CLIENT', '$$HASHED_SECRET', 1, 'https://ci.$$DOMAIN/authorize', strftime('%s','now'), strftime('%s','now'));
      EOF

  - path: /opt/writekit/promote-admin.sh
    permissions: '0755'
    content: |
      #!/bin/bash
      set -a
      . /opt/writekit/.env
      set +a
      cd /opt/writekit
      docker compose exec -T forgejo gitea admin user change-password --username "$$WOODPECKER_ADMIN" --password "temppass123" 2>/dev/null || true
      docker compose exec -T forgejo gitea admin user create --username "$$WOODPECKER_ADMIN" --email "$${WOODPECKER_ADMIN}@localhost" --password "temppass123" --admin 2>/dev/null || \
      docker compose exec -T forgejo gitea admin user change-password --username "$$WOODPECKER_ADMIN" --must-change-password=false 2>/dev/null
      sqlite3 "/var/lib/docker/volumes/writekit_forgejo-data/_data/gitea/gitea.db" "UPDATE user SET is_admin=1 WHERE lower_name='$$(echo $$WOODPECKER_ADMIN | tr '[:upper:]' '[:lower:]')';"
      echo "User $$WOODPECKER_ADMIN promoted to admin"

runcmd:
  - systemctl enable docker
  - systemctl start docker
  - mkdir -p /opt/writekit/.ssh
  - chown -R deploy:deploy /opt/writekit

  - |
    set -a
    . /opt/writekit/.env
    set +a
    cd /opt/writekit && docker compose up -d

  - /opt/writekit/setup-forgejo-oauth.sh

  - |
    for i in {1..30}; do
      ssh-keyscan -H 10.0.0.2 >> /opt/writekit/.ssh/known_hosts 2>/dev/null && break
      sleep 10
    done
    chown deploy:deploy /opt/writekit/.ssh/known_hosts

final_message: "WriteKit ops server ready after $$UPTIME seconds"
init 2026-01-09 00:22:05 +02:00			`#cloud-config`

			`package_update: true`
			`package_upgrade: true`

			`packages:`
			`- docker.io`
			`- docker-compose-v2`
			`- git`
			`- curl`
			`- sqlite3`
fix: resolve Woodpecker-Forgejo OAuth integration issues - Enable Forgejo registration for OAuth users (DISABLE_REGISTRATION=false) - Use public URL for Woodpecker OAuth redirects instead of internal hostname - Add WOODPECKER_OPEN=true to allow new user registrations - Bcrypt hash OAuth client secret before storing in database Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-09 00:44:35 +02:00			`- python3`
			`- python3-bcrypt`
init 2026-01-09 00:22:05 +02:00
			`users:`
			`- name: deploy`
			`groups: docker, sudo`
			`shell: /bin/bash`
			`sudo: ALL=(ALL) NOPASSWD:ALL`
			`ssh_authorized_keys:`
			`- ${ssh_public_key}`

			`write_files:`
			`- path: /opt/writekit/.env`
			`permissions: '0600'`
			`content: \|`
			`${indent(6, env_file)}`

			`- path: /opt/writekit/docker-compose.yml`
			`permissions: '0644'`
			`content: \|`
			`${indent(6, docker_compose)}`

			`- path: /etc/docker/daemon.json`
			`permissions: '0644'`
			`content: \|`
			`{`
			`"insecure-registries": ["10.0.0.3:5000"],`
			`"log-driver": "json-file",`
			`"log-opts": {`
			`"max-size": "10m",`
			`"max-file": "3"`
			`}`
			`}`

			`- path: /opt/writekit/.ssh/deploy_key`
			`permissions: '0600'`
			`content: \|`
			`${indent(6, deploy_ssh_private_key)}`

			`- path: /opt/writekit/setup-forgejo-oauth.sh`
			`permissions: '0755'`
			`content: \|`
			`#!/bin/bash`
			`set -a`
			`. /opt/writekit/.env`
			`set +a`

			`DB="/var/lib/docker/volumes/writekit_forgejo-data/_data/gitea/gitea.db"`

			`for i in {1..60}; do`
			`[ -f "$$DB" ] && break`
			`sleep 5`
			`done`

			`sleep 10`

fix: resolve Woodpecker-Forgejo OAuth integration issues - Enable Forgejo registration for OAuth users (DISABLE_REGISTRATION=false) - Use public URL for Woodpecker OAuth redirects instead of internal hostname - Add WOODPECKER_OPEN=true to allow new user registrations - Bcrypt hash OAuth client secret before storing in database Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-09 00:44:35 +02:00			`HASHED_SECRET=$$(python3 -c "import bcrypt; print(bcrypt.hashpw(b'$$WOODPECKER_FORGEJO_SECRET', bcrypt.gensalt()).decode())")`

init 2026-01-09 00:22:05 +02:00			`sqlite3 "$$DB" <<EOF`
			`INSERT OR IGNORE INTO login_source (type, name, is_active, is_sync_enabled, cfg, created_unix, updated_unix)`
			`VALUES (6, 'GitHub', 1, 0, '{"Provider":"github","ClientID":"$$GITHUB_CLIENT_ID","ClientSecret":"$$GITHUB_CLIENT_SECRET","OpenIDConnectAutoDiscoveryURL":"","CustomURLMapping":null,"IconURL":"","Scopes":["read:user","user:email"],"RequiredClaimName":"","RequiredClaimValue":"","GroupClaimName":"","AdminGroup":"","RestrictedGroup":"","GroupTeamMap":"","GroupTeamMapRemoval":false}', strftime('%s','now'), strftime('%s','now'));`

			`INSERT OR IGNORE INTO oauth2_application (uid, name, client_id, client_secret, confidential_client, redirect_uris, created_unix, updated_unix)`
fix: resolve Woodpecker-Forgejo OAuth integration issues - Enable Forgejo registration for OAuth users (DISABLE_REGISTRATION=false) - Use public URL for Woodpecker OAuth redirects instead of internal hostname - Add WOODPECKER_OPEN=true to allow new user registrations - Bcrypt hash OAuth client secret before storing in database Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-09 00:44:35 +02:00			`VALUES (0, 'Woodpecker CI', '$$WOODPECKER_FORGEJO_CLIENT', '$$HASHED_SECRET', 1, 'https://ci.$$DOMAIN/authorize', strftime('%s','now'), strftime('%s','now'));`
init 2026-01-09 00:22:05 +02:00			`EOF`

			`- path: /opt/writekit/promote-admin.sh`
			`permissions: '0755'`
			`content: \|`
			`#!/bin/bash`
			`set -a`
			`. /opt/writekit/.env`
			`set +a`
			`cd /opt/writekit`
			`docker compose exec -T forgejo gitea admin user change-password --username "$$WOODPECKER_ADMIN" --password "temppass123" 2>/dev/null \|\| true`
			`docker compose exec -T forgejo gitea admin user create --username "$$WOODPECKER_ADMIN" --email "$${WOODPECKER_ADMIN}@localhost" --password "temppass123" --admin 2>/dev/null \|\| \`
			`docker compose exec -T forgejo gitea admin user change-password --username "$$WOODPECKER_ADMIN" --must-change-password=false 2>/dev/null`
			`sqlite3 "/var/lib/docker/volumes/writekit_forgejo-data/_data/gitea/gitea.db" "UPDATE user SET is_admin=1 WHERE lower_name='$$(echo $$WOODPECKER_ADMIN \| tr '[:upper:]' '[:lower:]')';"`
			`echo "User $$WOODPECKER_ADMIN promoted to admin"`

			`runcmd:`
			`- systemctl enable docker`
			`- systemctl start docker`
			`- mkdir -p /opt/writekit/.ssh`
			`- chown -R deploy:deploy /opt/writekit`

			`- \|`
			`set -a`
			`. /opt/writekit/.env`
			`set +a`
			`cd /opt/writekit && docker compose up -d`

			`- /opt/writekit/setup-forgejo-oauth.sh`

			`- \|`
			`for i in {1..30}; do`
			`ssh-keyscan -H 10.0.0.2 >> /opt/writekit/.ssh/known_hosts 2>/dev/null && break`
			`sleep 10`
			`done`
			`chown deploy:deploy /opt/writekit/.ssh/known_hosts`

			`final_message: "WriteKit ops server ready after $$UPTIME seconds"`