forgejo-mcp-broker/deploy/podman/fjmcp-broker.env.example

# Example environment file for fjmcp-broker.
#
# Copy this to ~/.config/fjmcp-broker.env (chmod 0600) and fill in the
# real values. The Quadlet unit reads this via EnvironmentFile=.

# Public-facing URL — what clients (Claude.ai) will see. MUST match
# what Caddy serves; the broker uses this verbatim in OAuth metadata.
FJMCP_BROKER_PUBLIC_URL=https://mcp.example.com

# Upstream Forgejo instance. The broker delegates user authentication
# here via OAuth2.
FORGEJO_URL=https://forgejo.example.com

# OAuth2 application credentials. Create the application at
# Forgejo → Settings → Applications → OAuth2 Applications,
# with the redirect URI set to ${FJMCP_BROKER_PUBLIC_URL}/oauth/callback.
FORGEJO_OAUTH_CLIENT_ID=replace-with-your-forgejo-app-id
FORGEJO_OAUTH_CLIENT_SECRET=replace-with-your-forgejo-app-secret

# Scopes requested from Forgejo. The default covers the full forgejo-mcp
# tool surface. Trim if your users don't need write access.
FORGEJO_OAUTH_SCOPES=read:user write:repository write:issue write:notification read:organization

# Optional: verbose logging.
# FJMCP_BROKER_DEBUG=true
feat(deploy): rootless podman + Quadlet deployment (forgejo-mcp-broker-8yd) Adds a multi-stage Containerfile, Quadlet unit, and operator walkthrough for a production deploy. The broker spawns forgejo-mcp per session, so the image bundles both binaries — broker built from this repo, forgejo-mcp pinned via FORGEJO_MCP_VERSION build-arg (default 2.18.0). Image stages: 1. golang:alpine compiles the broker with ldflags-stamped buildinfo 2. golang:alpine clones forgejo-mcp at the pinned tag and compiles it 3. distroless static-nonroot copies both binaries; uid 65532 Persistent state via the named volume `fjmcp-state` mounted at /data. SQLite WAL + SHM sidecars live alongside broker.db on the same volume, so a container swap or image upgrade preserves all OAuth clients, issued tokens, and refresh-token history. Verified end-to-end: podman run --rm -d -v fjmcp-test-state:/data ... fjmcp-broker:test curl /healthz # store: ok, broker.db created podman stop fjmcp-test podman run --rm -d -v fjmcp-test-state:/data ... fjmcp-broker:test curl /healthz # store: ok, same broker.db ls volume → broker.db, broker.db-shm, broker.db-wal all present Quadlet unit (deploy/podman/fjmcp-broker.container) drops into ~/.config/containers/systemd/, reads secrets from a 0600 env file outside the unit, publishes :8080 on loopback for Caddy to front. Makefile gains `image` and `image-run` targets. README links to the new docs/deploy-podman.md walkthrough. Closes forgejo-mcp-broker-8yd. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-27 17:42:09 +02:00			`# Example environment file for fjmcp-broker.`
			`#`
			`# Copy this to ~/.config/fjmcp-broker.env (chmod 0600) and fill in the`
			`# real values. The Quadlet unit reads this via EnvironmentFile=.`

			`# Public-facing URL — what clients (Claude.ai) will see. MUST match`
			`# what Caddy serves; the broker uses this verbatim in OAuth metadata.`
			`FJMCP_BROKER_PUBLIC_URL=https://mcp.example.com`

			`# Upstream Forgejo instance. The broker delegates user authentication`
			`# here via OAuth2.`
			`FORGEJO_URL=https://forgejo.example.com`

			`# OAuth2 application credentials. Create the application at`
			`# Forgejo → Settings → Applications → OAuth2 Applications,`
			`# with the redirect URI set to ${FJMCP_BROKER_PUBLIC_URL}/oauth/callback.`
			`FORGEJO_OAUTH_CLIENT_ID=replace-with-your-forgejo-app-id`
			`FORGEJO_OAUTH_CLIENT_SECRET=replace-with-your-forgejo-app-secret`

			`# Scopes requested from Forgejo. The default covers the full forgejo-mcp`
			`# tool surface. Trim if your users don't need write access.`
			`FORGEJO_OAUTH_SCOPES=read:user write:repository write:issue write:notification read:organization`

			`# Optional: verbose logging.`
			`# FJMCP_BROKER_DEBUG=true`