add forgejo, delete gitlab (and orphan onlyoffice)

forgejo/docker-compose.yml

@@ -0,0 +1,58 @@
+services:
+  # Forgejo git forge (git.nasarek.dev). Replaces GitLab.
+  forgejo:
+    image: codeberg.org/forgejo/forgejo:${FORGEJO_VERSION:-11}
+    container_name: forgejo
+    environment:
+      USER_UID: 1000
+      USER_GID: 1000
+      FORGEJO__database__DB_TYPE: postgres
+      FORGEJO__database__HOST: postgres:5432
+      FORGEJO__database__NAME: ${FORGEJO_DB_NAME}
+      FORGEJO__database__USER: ${FORGEJO_DB_USER}
+      FORGEJO__database__PASSWD: ${FORGEJO_DB_PASSWORD}
+      FORGEJO__server__DOMAIN: ${FORGEJO_DOMAIN}
+      FORGEJO__server__ROOT_URL: https://${FORGEJO_DOMAIN}/
+      FORGEJO__server__SSH_DOMAIN: ${FORGEJO_DOMAIN}
+      FORGEJO__server__HTTP_PORT: "3000"
+      # Advertised in clone URLs (Traefik forgejo-ssh entrypoint, formerly GitLab's port).
+      FORGEJO__server__SSH_PORT: "2424"
+      FORGEJO__server__SSH_LISTEN_PORT: "22"
+      FORGEJO__actions__ENABLED: "true"
+      # Skip the web installer; auto-migrate against Postgres on boot.
+      FORGEJO__security__INSTALL_LOCK: "true"
+      FORGEJO__service__DISABLE_REGISTRATION: "true"
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik
+      # HTTP
+      - traefik.http.routers.forgejo.rule=Host(`${FORGEJO_DOMAIN}`)
+      - traefik.http.routers.forgejo.entrypoints=web,websecure
+      - traefik.http.routers.forgejo.middlewares=https-redirect
+      - traefik.http.routers.forgejo.tls=true
+      - traefik.http.routers.forgejo.tls.certresolver=le
+      - traefik.http.services.forgejo.loadbalancer.server.port=3000
+      # SSH over dedicated Traefik TCP entrypoint (port 2424)
+      - "traefik.tcp.routers.forgejo-ssh.rule=HostSNI(`*`)"
+      - "traefik.tcp.routers.forgejo-ssh.entrypoints=forgejo-ssh"
+      - "traefik.tcp.services.forgejo-ssh.loadbalancer.server.port=22"
+    volumes:
+      - forgejo-data:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    networks:
+      - traefik
+      - database
+    restart: unless-stopped
+
+volumes:
+  forgejo-data:
+    name: forgejo-data
+
+networks:
+  traefik:
+    name: traefik
+    external: true
+  database:
+    name: database
+    external: true

forgejo/migrate-from-gitlab.sh

@@ -0,0 +1,82 @@
+#!/bin/bash
+#
+# Bulk-migrate every GitLab project into Forgejo with full data
+# (code, issues, merge requests, labels, milestones, releases, wiki).
+#
+# Runs both forges in parallel — GitLab is only read, never modified.
+#
+# Usage:
+#   export GITLAB_URL=https://gitlab.nasarek.dev
+#   export GITLAB_TOKEN=glpat-xxxxxxxx          # scopes: read_api, read_repository
+#   export FORGEJO_URL=https://git.nasarek.dev
+#   export FORGEJO_TOKEN=xxxxxxxx               # Forgejo app token, repo + org scope
+#   export FORGEJO_OWNER=root                   # target user/org that will own the repos
+#   ./migrate-from-gitlab.sh [--dry-run]
+#
+set -euo pipefail
+
+DRY_RUN=false
+[ "${1:-}" = "--dry-run" ] && DRY_RUN=true
+
+: "${GITLAB_URL:?set GITLAB_URL}"
+: "${GITLAB_TOKEN:?set GITLAB_TOKEN}"
+: "${FORGEJO_URL:?set FORGEJO_URL}"
+: "${FORGEJO_TOKEN:?set FORGEJO_TOKEN}"
+: "${FORGEJO_OWNER:?set FORGEJO_OWNER (target user/org)}"
+
+command -v jq >/dev/null || { echo "jq is required"; exit 1; }
+
+# Resolve the Forgejo owner's numeric uid (repos/migrate needs repo_owner name + uid).
+OWNER_UID=$(curl -fsS -H "Authorization: token ${FORGEJO_TOKEN}" \
+  "${FORGEJO_URL}/api/v1/users/${FORGEJO_OWNER}" | jq -r '.id')
+echo "Target owner: ${FORGEJO_OWNER} (uid=${OWNER_UID})"
+
+migrate_one() {
+  local clone_url="$1" name="$2" private="$3" desc="$4"
+  echo "==> ${name}  (private=${private})"
+  if $DRY_RUN; then return 0; fi
+
+  local payload
+  payload=$(jq -n \
+    --arg addr "$clone_url" --arg token "$GITLAB_TOKEN" \
+    --arg name "$name" --arg owner "$FORGEJO_OWNER" \
+    --argjson uid "$OWNER_UID" --argjson private "$private" \
+    --arg desc "$desc" \
+    '{clone_addr:$addr, service:"gitlab", auth_token:$token,
+      repo_name:$name, repo_owner:$owner, uid:$uid,
+      private:$private, description:$desc,
+      issues:true, pull_requests:true, labels:true,
+      milestones:true, releases:true, wiki:true}')
+
+  local code
+  code=$(curl -s -o /tmp/forgejo_migrate_resp.json -w '%{http_code}' \
+    -H "Authorization: token ${FORGEJO_TOKEN}" -H "Content-Type: application/json" \
+    -X POST "${FORGEJO_URL}/api/v1/repos/migrate" -d "$payload")
+
+  if [ "$code" = "201" ]; then
+    echo "    OK"
+  elif [ "$code" = "409" ]; then
+    echo "    SKIP (already exists)"
+  else
+    echo "    FAILED (HTTP $code): $(jq -r '.message // .' /tmp/forgejo_migrate_resp.json)"
+  fi
+}
+
+# Page through all GitLab projects the token can see.
+page=1
+while :; do
+  resp=$(curl -fsS -H "PRIVATE-TOKEN: ${GITLAB_TOKEN}" \
+    "${GITLAB_URL}/api/v4/projects?membership=true&per_page=100&page=${page}&simple=false")
+  count=$(echo "$resp" | jq 'length')
+  [ "$count" -eq 0 ] && break
+
+  while IFS=$'\t' read -r http_url repo_path visibility description; do
+    private=true; [ "$visibility" = "public" ] && private=false
+    # Use the bare repo slug (e.g. "dfg_3dviewer_embed"), dropping the GitLab namespace.
+    migrate_one "$http_url" "$repo_path" "$private" "${description:-}"
+  done < <(echo "$resp" | jq -r '.[] | [.http_url_to_repo, .path, .visibility, (.description // "")] | @tsv')
+
+  page=$((page + 1))
+done
+
+echo "Done."