ci: deploy gitea via flux (git.patanix.de. 40GiB PVC, SOPS)

2025-05-26 11:28:24 +02:00 · 2025-05-26 11:28:24 +02:00 · 91ac694306
commit 91ac694306
parent 3d85ef9bf6
9 changed files with 147 additions and 8 deletions
--- a/apps/gitea/certificate.yaml
+++ b/apps/gitea/certificate.yaml
@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gitea-tls
+  namespace: gitea
+spec:
+  secretName: gitea-tls
+  issuerRef:
+    name: letsencrypt-dns
+    kind: ClusterIssuer
+  commonName: git.patanix.de
+  dnsNames:
+    - git.patanix.de
--- a/apps/gitea/gitea-admin-secret.yaml
+++ b/apps/gitea/gitea-admin-secret.yaml
@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: gitea-admin
+    namespace: gitea
+type: Opaque
+stringData:
+    username: ENC[AES256_GCM,data:8i52Lz3nygblugk=,iv:c91g6ngjoRRFCjtHSdSLmKOOve+0A9t9RcoYrgchk/8=,tag:nWslgYM6XcVLEDwdLsEIXg==,type:str]
+    password: ENC[AES256_GCM,data:3qkc31BWsJgkPZc=,iv:SY26hBe99LDq0HXZhFmfiEddiRQ0hTO5aVk2ISmQMao=,tag:1zOp5itE12tiaZOsoi7AQQ==,type:str]
+    email: ENC[AES256_GCM,data:8lRKn6O6GqWJUm+dvC3y5fy53ShJhbwzuw==,iv:nfwo89TiW+a4WQJG/z4ENv4gcJWt9i/AaZe63HrlPSw=,tag:XWc8+PBUB3671W23GvRn2g==,type:str]
+sops:
+    lastmodified: "2025-05-26T09:27:04Z"
+    mac: ENC[AES256_GCM,data:2YtDFEh9DMDQSUgGfkgBRFbWcgpoRIVDLtkM3828n2G4xrrhEonD3Whl0g+GJoHVCa07SE6QTLD7aLNAh7kTH0bxuuc64wNZE+QaZCs4NOJ7PETRK+wLtn6hKKJ0GvwiVSsefh61ia1fVOG67nTaUhmxpDsk/OMZGxlFSwyvHQk=,iv:qWxDJVphXjeSkEYKU5d10GLj+uMWLlrvo0SgfU1on/8=,tag:bFVzzWHRbMf012oOZdIklw==,type:str]
+    pgp:
+        - created_at: "2025-05-26T09:27:04Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxd/Yh1BfDklAQ/+LOuVPVvF6m9E4PImKzBk+ftdcOUXGnOCMYq1pAZucqCd
+            U/pr5Jg8KIFKwiQMSUgsL4ZDfrTa+tHnLZmjvVtFRC323RbkmgjqEQrFmxoPm++P
+            SBIJup4IPAxQDloCU2ZNht5RP9dwsrwjLspHw7qH/4XWIFcJLtToMej0jPJoZE26
+            U3DTjRidVCMSi9bWXAfH0iFiVI09UE7ZKhfkk9EExJ+8u/1VV2YM+ZFqT38CNnqK
+            7GvoUcq/JzMgt7vDI/oFxakHNs6fto3lxpm3nEJcVa1hoOJmOJp4wbY7cRhhok7B
+            +BDBqnU6Nu79ZaDq2Br//RnTVmPGz94ZihifsZzvQmlACHqnX0zXQu03ozYJu5F2
+            GM/YeIIkchBvKNjM8VmD8iivT4UozyBHnvzKIR+j65VAeHp7h4+7EOHMenGRF9Lx
+            j1IfC9OnOrtZZXJo+uhuGbmTlJLzAwxqg2UNXPTZT2VJwI1nznb/u5oomR8oW57P
+            wjjcAwDH1QQuQvTaPnW9yl5WXA5xqrBSy29byr9ScRLjld28Gs+Nq5Aov5P3mAUn
+            wJi9nPm2HBNceFpybgfLSkCpKE9L6aEJr0V6bfRhNH6B00O18bbbZzHk2sHyoIVf
+            vGvn3yEJjglvG3nY3x6p3Pn3oOntF4U45+LwOFhAnpV948aQQY24ysKb1p2Zf/rU
+            aAEJAhDtuzDWKWQwm6hakLlozhxZ4y4R0Xeo6F7uENJkzvF/hDDLvhMCgzntIdgq
+            KqLpS0i68/6udId/EFk8FGtgARA0gZku2N4eXm2wi0ZRZcLLjZhoQO7nldcKDjY5
+            BQ6qceVnelJI
+            =YlWO
+            -----END PGP MESSAGE-----
+          fp: F20CF3DE0B4ACDFCAF07A9D76399FB237185E764
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2
--- a/apps/gitea/gitea-postgres-secret.yaml
+++ b/apps/gitea/gitea-postgres-secret.yaml
@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: gitea-postgres
+    namespace: gitea
+type: Opaque
+stringData:
+    postgresql-username: ENC[AES256_GCM,data:wDK4U1M=,iv:pp1svR88BsVDp86YSuKwYHptU2o1kmYC/Rsh9KZ1qcQ=,tag:kRH0Psqsh80CZAcoa7DaIg==,type:str]
+    postgresql-password: ENC[AES256_GCM,data:Xf3JTparRAEYLwYNV4nsR/s=,iv:xbLtBtcDY0SHRmuEwwiXBojXhIZlcV816Ad22NvYx9I=,tag:yRWpI/8UpSTt/sGvzMBFpw==,type:str]
+    postgresql-database: ENC[AES256_GCM,data:kAj7y7w=,iv:3LN5NjnXChsBUuJYTvVspxmKR6LT1oJ863Kg8RNBM2s=,tag:L/PGeFyMhmxrlruSoOZ9bw==,type:str]
+sops:
+    lastmodified: "2025-05-26T09:26:56Z"
+    mac: ENC[AES256_GCM,data:vq7+29bz1TRxTDWKcD7UDTU8JMjRm7hsL5iRE3e5zn35b8yddBPLnWBPQML/123PQQ/oeJwlekqzh6Sm6Llp2cP/wqYsaOQ/uEWJ3Iy6+Zou9VKytolM9dvvMcjmPYyM9WVqsbF2a8sNJ6OSZIlXd+7ngBJ2Z29ztP9y2aHAQNE=,iv:iVOj9GHjmSjVmcv36XlBaHVTVPrdF58UknvkLj884DM=,tag:ZEW8Tmzvb3ZoZ01nKH2xUg==,type:str]
+    pgp:
+        - created_at: "2025-05-26T09:26:56Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxd/Yh1BfDklARAAi1hB7OruAZemE/MY2dw9ZTt3IP93hUhvV0NK/1vzqACr
+            YmRTr80tFkayytvKU++NCSgWZ17qfqdwexPfl5g10/ge/33FSJL+2ClyvI5C6Tqm
+            hdSJE96ILAnURu3J2sbOcvmPrJmDEE8MA6nhVmVaJOOUmG4pBzgpmHppV7Ctuhhn
+            xeIdc9rwJIQ8+9gOy112WS5USxhOAS7mKMQvfQ9u+u2/HRYyOzzVzKq9ByJLnnpq
+            CVyOxAEJs4+VfX6rf3VcL+xPFUESBOQYfDK4dkBGvtsGICEiqg51LEt3hMFfEZB5
+            ZiMwW92F4nLDQRzWdjgWihd+3xpQ0GujXNNmgZEIrubdR4h80WGu79w6EXmP1wvE
+            YimIsMrFmJ7xb81cvDwpd4WPbKP5Wu4dLZ3X2oktOhFFtC/J6jL1tfS7rysOiWFw
+            MghxxfDNnnvTeQRFXal0zpxOF6lU2Bo6cFneA/xpqKtn5tWeh/bDFjNoQp6bVEYM
+            mh5o3lEOsBUgHxz/krJhExi0yBmnM5YBNWQnag6eVavpXgDGA2dU73Rdmnp5MZeR
+            wB/CcysKxhe4PE3nzipFrnvWkHb/KeTicFfkPU6/7EoTjdJkoZ/gfOT7PwpwVxly
+            zv1/xdL4v/6YKFQXtd2fmaERHQ+gd6MjaO7uQMB1O5GvRYhq9cGKCVFKeErZv8zU
+            aAEJAhDUHWRd/spqIfKe1sep4glWcGiUHLA2NfH/YbFKBxb0PcSOBqpHL97wUCGO
+            NvQIcsTtf1pPiXvEb1SdWto2dsaK5Yl3x2MYQCsemFfz+wNWVQ84w2LaIrAtLju9
+            V0GBGSbnNaZ2
+            =vpRf
+            -----END PGP MESSAGE-----
+          fp: F20CF3DE0B4ACDFCAF07A9D76399FB237185E764
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2
--- a/apps/gitea/helmrelease.yaml
+++ b/apps/gitea/helmrelease.yaml
@ -9,24 +9,42 @@ spec:
  chart:
    spec:
      chart: gitea
-      version: "11.0.1"
+      version: "12.0.0"
      sourceRef:
        kind: HelmRepository
        name: gitea-charts
        namespace: flux-system
  values:
+    valkey-cluster:
+      enabled: false
+    valkey:
+      enabled: true
+    postgresql:
+      enabled: true
+      auth:
+        existingSecret: gitea-postgres
+        # usernameKey: postgres-user
+        # passwordKey: postgres-password
+        # databaseKey: postgres-db
+    postgresql-ha:
+      enabled: false
    persistence:
      enabled: true
-      storageClass: longhorn
-      size: 5Gi
+      existingClaim: gitea-data
    ingress:
      enabled: true
      className: traefik
      hosts:
-        - host: gitea.local
+        - host: git.patanix.de
          paths:
            - path: /
              pathType: Prefix
+      tls:
+        - secretName: gitea-tls
+          hosts:
+            - git.patanix.de
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt-dns
    service:
      http:
        type: ClusterIP
@ -36,9 +54,10 @@ spec:
        port: 22
    gitea:
      admin:
-        username: giteaadmin
-        password: changeme
-        email: patrykhegenberg@gmail.com
+        existingSecret: gitea-admin
+        usernameKey: username
+        passwordKey: password
+        emailKey: email
      metrics:
        enabled: true
    actions:
--- a/apps/gitea/kustomization.yaml
+++ b/apps/gitea/kustomization.yaml
@ -4,3 +4,7 @@ resources:
  - namespace.yaml
  - helmrepository.yaml
  - helmrelease.yaml
+  - gitea-admin-secret.yaml
+  - gitea-postgres-secret.yaml
+  - pvc.yaml
+  - certificate.yaml
--- a/apps/gitea/pvc.yaml
+++ b/apps/gitea/pvc.yaml
@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gitea-data
+  namespace: gitea
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 40Gi
+  storageClassName: local-path
--- a/apps/kustomization.yaml
+++ b/apps/kustomization.yaml
@ -3,3 +3,4 @@ kind: Kustomization
 resources:
  - home-assistant/
  - kitchenowl/
+  - gitea/
--- a/clusters/production/gitea.yaml
+++ b/clusters/production/gitea.yaml
@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: gitea
+  namespace: flux-system
+spec:
+  interval: 10m
+  path: ../../apps/gitea
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
--- a/clusters/production/kustomization.yaml
+++ b/clusters/production/kustomization.yaml
@ -3,7 +3,7 @@ kind: Kustomization
 resources:
  - cert-manager.yaml
  - kitchenowl.yaml
-  - forgejo.yaml
+  - gitea.yaml
  - ocirepository.yaml
  - ../../infrastructure
  - ../../apps