ci: deploy forgejo via helm (git.patanix.de, 40GiB PVC, PostgreSQL, SOPS)

apps/forgejo/certificate.yaml

@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: forgejo-tls
+  namespace: forgejo
+spec:
+  secretName: forgejo-tls
+  issuerRef:
+    name: letsencrypt-dns
+    kind: ClusterIssuer
+  commonName: git.patanix.de
+  dnsNames:
+    - git.patanix.de

apps/forgejo/forgejo-admin-secret.yaml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: forgejo-admin
+    namespace: forgejo
+type: Opaque
+stringData:
+    username: ENC[AES256_GCM,data:fMYot9k=,iv:pYWAXZJwbeGkVYqkkCwy+mt2+C/nV0htJTLElbCsC9w=,tag:uHCY5wXI2Hw5evHmLvjGGA==,type:str]
+    email: ENC[AES256_GCM,data:qmtRbInJDiFatiZ9/+UfqzLThgEAZHXG+g==,iv:jLL8HQOlp26DucUd6926FiddgdXAgPlRg0Bh/TYSFGg=,tag:jFwn/W4yim/FAS8Inh0/fw==,type:str]
+    password: ENC[AES256_GCM,data:/H3kA+soznxZAME=,iv:pCtsO6HWYXYu7hbhQw+8dnHbBztmsQc2jDfMztZMY/g=,tag:4eUxzfwuBOF3fG3dUqMPkw==,type:str]
+sops:
+    lastmodified: "2025-05-26T05:35:31Z"
+    mac: ENC[AES256_GCM,data:P1dvbZRm3YtrV1Xj8WuvTVWbmyaj3Grejlrs8QqmNawFyetAQo0by0iGsYvWzPhTbLbrK6GS/WOfc+hW85asRuresXDaJCzfuYcJX0wav5z4P5hrTDZDV/Mi1jgZ3v75ZVHqTqV7m0kCY0tgRCDyGL0FKi9gqLO2SPjPgMUKCHM=,iv:BARvvC59BgmghzunnihyVIiNenA+hd0k8XRh5H7QL9c=,tag:E05gPL7F+RfMyFX1qUrpog==,type:str]
+    pgp:
+        - created_at: "2025-05-26T05:35:31Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxd/Yh1BfDklAQ//QOjSRd8bXDBaiCel1n5BnudTkPcZuHNeR0HQtAVG4eHh
+            FT32Zq18mdaIDyLFuDHbyERICBZFs4d/JuXOblbmg2FvIUhR4a/egiaAGSdu6kqZ
+            VUYmDZyVkE2pdHb47wKazzQ6/QVQ3LTWDBMOMCS2svMrVcMskw6qAVT3nqTXWTT0
+            P6qwCCbNF+SMtn6K8QR8ihbF0nbjvVgafyKVFU/jmagu4P9th2nhpeePpc0HXAii
+            +PnTi88TJ/OH0qPtZsqP90WICQkJ9IbHKH7cNf/Q4qn2K2KtfgUZJJJLDuqDwsKL
+            4h34T3U+QOZUVgmEeyfGAvgVN95sIvnXjcab0TTtZCajjTy4RvjJ19x3iRYKEMwW
+            vAsuztDUFb7PYk2xOxCQHUf8eZVKL4immIIkQ5+ERKGGjV3lWakeiVfIGjqHy3U3
+            I1tEpQ+fT/aQGx7UyIeu1Aa/s9yhBWwpcwddXG5P52f2CagzjqvIE+qFKtrDyyUm
+            PR1/dIi1lhbCkMMr9q93y06xOLvxgvWedV4prtOCQnsadbZoCFOgGJFrAXZ3nQmo
+            iu5UG4cZU29kuN4GLItXpowusLXXquGH9lXF0MKrDIyOhf3k9b1DNoF1Vir2K7jg
+            +XkN+T2n+GfOswp4WJx7am2P/jK0/4WuwWhCq+t/I80u/jKuttytKqXrZ+nHBanU
+            aAEJAhDihxbI/EkSjsK7yMXrF2oA/s8eRSrh9t3FtdbkSLPPjp2pNR80CrcBW1+5
+            74S1hKyv637XyIDdG61ELiJ0Rz6YolshZo2g37+Y7udX0F9exVZX5GcosEpWzjzE
+            UCRfv3bJp/E4
+            =oQ/p
+            -----END PGP MESSAGE-----
+          fp: F20CF3DE0B4ACDFCAF07A9D76399FB237185E764
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2

apps/forgejo/helmrelease.yaml

@@ -0,0 +1,50 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: forgejo
+  namespace: forgejo
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: forgejo
+      version: 12.5.1
+      sourceRef:
+        kind: OCIRepository
+        name: forgejo
+        namespace: flux-system
+  values:
+    persistence:
+      enabled: true
+      existingClaim: forgejo-data
+    ingress:
+      enabled: true
+      className: traefik
+      hosts:
+        - host: git.patanix.de
+          paths:
+            - path: /
+              pathType: Prefix
+      tls:
+        - secretName: forgejo-tls
+          hosts:
+            - git.patanix.de
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt-dns
+    admin:
+      existingSecret: forgejo-admin
+      usernameKey: username
+      passwordKey: password
+      emailKey: email
+    postgresql:
+      enabled: true
+      auth:
+        existingSecret: forgejo-postgresql
+        usernameKey: postgres-user
+        passwordKey: postgres-password
+        databaseKey: postgres-db
+      primary:
+        persistence:
+          enabled: true
+          storageClass: local-path
+          size: 8Gi

apps/forgejo/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - pvc.yaml
+  - forgejo-admin-secret.yaml
+  - forgejo-postgres-secret.yaml
+  - helmrelease.yaml
+  - certificate.yaml

apps/forgejo/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: forgejo

apps/forgejo/postgres-secret.yaml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: forgejo-postgres
+    namespace: forgejo
+type: Opaque
+stringData:
+    postgres-password: ENC[AES256_GCM,data:da6nuHh8My8a+hlAaEbFb3DqNw==,iv:UJndoTUbG9rgI9dCQGBUzQXWLBbmBv7BRk/sbpMpo7I=,tag:3X8eSFmg8zCoJKgFqw4oTg==,type:str]
+    postgres-user: ENC[AES256_GCM,data:7QqScpInuQ==,iv:l7HWnyMMRv3Hke1lV+wrDDUrxfbB/ZID9cZmh/DIDBg=,tag:qXlk+DsUIh/z11c9G6VMKQ==,type:str]
+    postgres-db: ENC[AES256_GCM,data:CgJLPv5kfQ==,iv:dBXw0tIg43rIj2avzPXt+sbBpV7M+hAAItCU4kka+vY=,tag:TX+yA3MSOs0w5ZLxe4zLrg==,type:str]
+sops:
+    lastmodified: "2025-05-26T05:35:45Z"
+    mac: ENC[AES256_GCM,data:GgEuhTjp5VzSXEHQEfgzcYQBNx7nWySaMrf7eLWA5U+1UHUPzgQndFEocgdSnh1juRCN3zEiBwEM4DozQfuxQ2MOHlVEyiaCxQlg0sxd+vXFNT5T5mGr31jvnY/cOb2tnLFRH+Lnfbfnrgm9yugJOQ9JGqblhIoBM5XmPiRifTA=,iv:OFDVIWaQUZf1ey7WYWiPjjcEi+TOwOJD4qVVhfdaoy4=,tag:3MjEU1JuUsIjEUCdYjJMVw==,type:str]
+    pgp:
+        - created_at: "2025-05-26T05:35:45Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxd/Yh1BfDklAQ/+JuqL1zpDzfWEa5pDwbyQHAMLt00be1cbnyYS+eYclRv3
+            LQjlsOBfB0rArezdXwIA+nf11+OB4zht66Rgdh0RC/nZ58CkOwsAaRTB3QCabaD+
+            3eY0M8sCW7ySS2zCZ7ucNjdtvOoWeQApy5mBM5+MvR22jJE6LO9RfAxMOO+ce45Q
+            GsTJqN8CcjHLaJ+1NMZWx9gmp+KwbHb8K79GPHY6t4r/c7JJQbWV3b45xgjpEhuh
+            fobXUjfg5uDqPhhEqGpJcRb1sR9kjJm3eRa4inVgLVMjhk5DZscV6Fzegi2+c0Ct
+            3BgEOLWoOPZcqDLhuy7FL2dDWMV/akf4tuYYRSx9Rtw2Q3rE0wjnPgaSlawokx9r
+            R2DfzXU6zRRJme5yEjxTnUL56pV1cfZFzowFKk2J5VcnO/kURov6td6P4mdWRze4
+            eWhguNjYQemhJ36orLIamF9ZqJTvlSmKhc4tWWLwHx//Wownn/1qtsZZ8+YSsnBR
+            Cw4ZR1rVMS89S/4utdPHduIvxZBBNvgILhdcJxv4aPo7yIf63ES+rOT8b0cGkBkC
+            40UQb4b3Fhh48x1N/VXzl/I4pgrWZZbXyXjYEnItMAJDtPEaLY8dmWl8HfnzeQBb
+            ARMO/Ns2HJU/IcsOAbmWQ9tUrA+l3mif1r5+8ICOEFd8zJX97uQEMMw+plgXix3U
+            aAEJAhA2kcPvufw+4CwWQTQdOigXEr0aVgSJsb7p6x2RlgnDDmrHXTEdQh3LDE14
+            fF4E58D6py5KFcpWaiSqjQe75OywolHg0DVwIpbQ340RA+jCrwtkEn5kMiHkm8mO
+            l4bc3613t0Ud
+            =/Q9T
+            -----END PGP MESSAGE-----
+          fp: F20CF3DE0B4ACDFCAF07A9D76399FB237185E764
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2

apps/forgejo/pvc.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: forgejo-data
+  namespace: forgejo
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 40Gi
+  storageClassName: local-path

clusters/production/forgejo.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: forgejo
+  namespace: flux-system
+spec:
+  interval: 10m
+  path: ../../apps/forgejo
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg

clusters/production/kustomization.yaml

@@ -3,5 +3,7 @@ kind: Kustomization
 resources:
   - cert-manager.yaml
   - kitchenowl.yaml
+  - forgejo.yaml
+  - ocirepository.yaml
   - ../../infrastructure
   - ../../apps

clusters/production/ocirepository.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: ocirepositories
+  namespace: flux-system
+spec:
+  interval: 10m
+  path: ../../infrastructure/ocirepositories
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system

infrastructure/ocirepositories/forgejo.yaml

@@ -0,0 +1,9 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: forgejo
+  namespace: flux-system
+spec:
+  interval: 30m
+  url: oci://code.forgejo.org/forgejo-helm/forgejo
+