From 413ceec35c72a0da9793abfd18d71f4784c66907 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Thu, 7 May 2026 16:50:02 +0000
Subject: [PATCH] [forgejo] securityContext.fsGroup=1000 so /data is writable to forgejo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Phase 0 enabled packages but the pod crashloops on `mkdir /data/tmp: permission denied` — Forgejo loads the chunked upload path (default /data/tmp/package-upload) before s6-overlay gets a chance to chown /data. fsGroup tells kubelet to recursively chown the volume to GID 1000 on mount, which fixes it. Pre-23-day Forgejo deployed with packages off so this code path never ran.

Co-Authored-By: Claude Opus 4.7
---
 stacks/forgejo/main.tf | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/stacks/forgejo/main.tf b/stacks/forgejo/main.tf
index b0275ac0..3b597804 100644
--- a/stacks/forgejo/main.tf
+++ b/stacks/forgejo/main.tf
@@ -72,6 +72,14 @@ resource "kubernetes_deployment" "forgejo" {
       }
     }
     spec {
+      # fsGroup chowns the mounted PVC to GID 1000 (the forgejo user) on
+      # mount. Without this, /data is owned by root and the
+      # `[packages].CHUNKED_UPLOAD_PATH` default at /data/tmp is not
+      # writable, crashlooping the pod when packages is enabled. Pre-23-day
+      # Forgejo ran without packages on so this never surfaced.
+      security_context {
+        fs_group = 1000
+      }
       container {
         name = "forgejo"
         image = "codeberg.org/forgejo/forgejo:11"
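Review bot: The new `security_context` block sets `fs_group` without `fs_group_change_policy`, so kubelet will walk and chgrp/chmod every file on the PVC on every pod start rather than only when the volume root's ownership is wrong; on a data volume holding repositories and package blobs that can make startup very slow, so add `fs_group_change_policy = "OnRootMismatch"` next to `fs_group = 1000`. The added comment also overstates what fsGroup does: it changes group ownership and adds group-write (plus setgid on directories), it does not make `/data` owned by the forgejo user, so `/data` stays root-owned and is writable only through GID 1000 — suggest `# fsGroup makes kubelet chgrp the mounted PVC to GID 1000 and add g+rw (setgid on dirs) on mount; the owner stays root.` Whether kubelet applies this at all depends on the volume type (ownership management is skipped for volumes such as hostPath or NFS), which is not visible in this hunk and is worth confirming against the PVC's storage class. Note this is not a hardening change: the container still starts as whatever the image entrypoint runs as (the description's s6-overlay chown implies root), and `run_as_user`/`run_as_non_root` are untouched. The enclosing `spec` and `resource` blocks continue outside the hunk.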