From 91ac694306c5990ca20b88351df712fdafd48844 Mon Sep 17 00:00:00 2001
From: Patryk Hegenberg
Date: Mon, 26 May 2025 11:28:24 +0200
Subject: [PATCH] ci: deploy gitea via flux (git.patanix.de. 40GiB PVC, SOPS)
---
 apps/gitea/certificate.yaml | 13 +++++++++
 apps/gitea/gitea-admin-secret.yaml | 37 ++++++++++++++++++++++++++
 apps/gitea/gitea-postgres-secret.yaml | 37 ++++++++++++++++++++++++++
 apps/gitea/helmrelease.yaml | 33 ++++++++++++++++++-----
 apps/gitea/kustomization.yaml | 4 +++
 apps/gitea/pvc.yaml | 12 +++++++++
 apps/kustomization.yaml | 1 +
 clusters/production/gitea.yaml | 16 +++++++++++
 clusters/production/kustomization.yaml | 2 +-
 9 files changed, 147 insertions(+), 8 deletions(-)
 create mode 100644 apps/gitea/certificate.yaml
 create mode 100644 apps/gitea/gitea-admin-secret.yaml
 create mode 100644 apps/gitea/gitea-postgres-secret.yaml
 create mode 100644 apps/gitea/pvc.yaml
 create mode 100644 clusters/production/gitea.yaml
diff --git a/apps/gitea/certificate.yaml b/apps/gitea/certificate.yaml
new file mode 100644
index 0000000..1aa1971
--- /dev/null
+++ b/apps/gitea/certificate.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: gitea-tls
+ namespace: gitea
+spec:
+ secretName: gitea-tls
+ issuerRef:
+ name: letsencrypt-dns
+ kind: ClusterIssuer
+ commonName: git.patanix.de
+ dnsNames:
+ - git.patanix.de
diff --git a/apps/gitea/gitea-admin-secret.yaml b/apps/gitea/gitea-admin-secret.yaml
new file mode 100644
index 0000000..1ba3b58
--- /dev/null
+++ b/apps/gitea/gitea-admin-secret.yaml
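Review bot: This Certificate and the `cert-manager.io/cluster-issuer: letsencrypt-dns` annotation the same commit adds to the HelmRelease ingress values both ask cert-manager to manage the `gitea-tls` secret: ingress-shim creates a Certificate named after the Ingress TLS secret, which here is also `gitea-tls` in namespace `gitea`, so the two definitions collide on name and, as far as I can tell, either fail with an already-exists conflict or reissue over each other. Keep one owner; I would keep this explicit object (it states `commonName`, `dnsNames` and the issuer in one reviewable place) and drop the `annotations:` block from the ingress values. If you prefer the annotation route instead, delete this file and the `- certificate.yaml` entry in `apps/gitea/kustomization.yaml`.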
@@ -0,0 +1,37 @@ +apiVersion: v1 +kind: Secret +metadata: + name: gitea-admin + namespace: gitea +type: Opaque +stringData: + username: ENC[AES256_GCM,data:8i52Lz3nygblugk=,iv:c91g6ngjoRRFCjtHSdSLmKOOve+0A9t9RcoYrgchk/8=,tag:nWslgYM6XcVLEDwdLsEIXg==,type:str] + password: ENC[AES256_GCM,data:3qkc31BWsJgkPZc=,iv:SY26hBe99LDq0HXZhFmfiEddiRQ0hTO5aVk2ISmQMao=,tag:1zOp5itE12tiaZOsoi7AQQ==,type:str] + email: ENC[AES256_GCM,data:8lRKn6O6GqWJUm+dvC3y5fy53ShJhbwzuw==,iv:nfwo89TiW+a4WQJG/z4ENv4gcJWt9i/AaZe63HrlPSw=,tag:XWc8+PBUB3671W23GvRn2g==,type:str] +sops: + lastmodified: "2025-05-26T09:27:04Z" + mac: ENC[AES256_GCM,data:2YtDFEh9DMDQSUgGfkgBRFbWcgpoRIVDLtkM3828n2G4xrrhEonD3Whl0g+GJoHVCa07SE6QTLD7aLNAh7kTH0bxuuc64wNZE+QaZCs4NOJ7PETRK+wLtn6hKKJ0GvwiVSsefh61ia1fVOG67nTaUhmxpDsk/OMZGxlFSwyvHQk=,iv:qWxDJVphXjeSkEYKU5d10GLj+uMWLlrvo0SgfU1on/8=,tag:bFVzzWHRbMf012oOZdIklw==,type:str] + pgp: + - created_at: "2025-05-26T09:27:04Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxd/Yh1BfDklAQ/+LOuVPVvF6m9E4PImKzBk+ftdcOUXGnOCMYq1pAZucqCd + U/pr5Jg8KIFKwiQMSUgsL4ZDfrTa+tHnLZmjvVtFRC323RbkmgjqEQrFmxoPm++P + SBIJup4IPAxQDloCU2ZNht5RP9dwsrwjLspHw7qH/4XWIFcJLtToMej0jPJoZE26 + U3DTjRidVCMSi9bWXAfH0iFiVI09UE7ZKhfkk9EExJ+8u/1VV2YM+ZFqT38CNnqK + 7GvoUcq/JzMgt7vDI/oFxakHNs6fto3lxpm3nEJcVa1hoOJmOJp4wbY7cRhhok7B + +BDBqnU6Nu79ZaDq2Br//RnTVmPGz94ZihifsZzvQmlACHqnX0zXQu03ozYJu5F2 + GM/YeIIkchBvKNjM8VmD8iivT4UozyBHnvzKIR+j65VAeHp7h4+7EOHMenGRF9Lx + j1IfC9OnOrtZZXJo+uhuGbmTlJLzAwxqg2UNXPTZT2VJwI1nznb/u5oomR8oW57P + wjjcAwDH1QQuQvTaPnW9yl5WXA5xqrBSy29byr9ScRLjld28Gs+Nq5Aov5P3mAUn + wJi9nPm2HBNceFpybgfLSkCpKE9L6aEJr0V6bfRhNH6B00O18bbbZzHk2sHyoIVf + vGvn3yEJjglvG3nY3x6p3Pn3oOntF4U45+LwOFhAnpV948aQQY24ysKb1p2Zf/rU + aAEJAhDtuzDWKWQwm6hakLlozhxZ4y4R0Xeo6F7uENJkzvF/hDDLvhMCgzntIdgq + KqLpS0i68/6udId/EFk8FGtgARA0gZku2N4eXm2wi0ZRZcLLjZhoQO7nldcKDjY5 + BQ6qceVnelJI + =YlWO + -----END PGP MESSAGE----- + fp: F20CF3DE0B4ACDFCAF07A9D76399FB237185E764 + encrypted_regex: ^(data|stringData)$ + version: 3.10.2 
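Review bot: The `sops.pgp` list names a single recipient (`fp: F20CF3DE…`), so the only key that can decrypt this file is the one that also has to live in the `sops-gpg` Secret in flux-system; losing that key leaves every encrypted manifest unrecoverable, and rotating it means re-encrypting all of them by hand. Add at least one more recipient before more secrets accumulate — typically a cluster-only age key plus an offline backup key — through a `.sops.yaml` creation rule followed by `sops updatekeys apps/gitea/*-secret.yaml`. `encrypted_regex: ^(data|stringData)$` is the right scope here: `metadata` and `type` stay readable for kustomize while both credential fields are encrypted.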
diff --git a/apps/gitea/gitea-postgres-secret.yaml b/apps/gitea/gitea-postgres-secret.yaml
new file mode 100644
index 0000000..13decae
--- /dev/null
+++ b/apps/gitea/gitea-postgres-secret.yaml
@@ -0,0 +1,37 @@ +apiVersion: v1 +kind: Secret +metadata: + name: gitea-postgres + namespace: gitea +type: Opaque +stringData: + postgresql-username: ENC[AES256_GCM,data:wDK4U1M=,iv:pp1svR88BsVDp86YSuKwYHptU2o1kmYC/Rsh9KZ1qcQ=,tag:kRH0Psqsh80CZAcoa7DaIg==,type:str] + postgresql-password: ENC[AES256_GCM,data:Xf3JTparRAEYLwYNV4nsR/s=,iv:xbLtBtcDY0SHRmuEwwiXBojXhIZlcV816Ad22NvYx9I=,tag:yRWpI/8UpSTt/sGvzMBFpw==,type:str] + postgresql-database: ENC[AES256_GCM,data:kAj7y7w=,iv:3LN5NjnXChsBUuJYTvVspxmKR6LT1oJ863Kg8RNBM2s=,tag:L/PGeFyMhmxrlruSoOZ9bw==,type:str] +sops: + lastmodified: "2025-05-26T09:26:56Z" + mac: ENC[AES256_GCM,data:vq7+29bz1TRxTDWKcD7UDTU8JMjRm7hsL5iRE3e5zn35b8yddBPLnWBPQML/123PQQ/oeJwlekqzh6Sm6Llp2cP/wqYsaOQ/uEWJ3Iy6+Zou9VKytolM9dvvMcjmPYyM9WVqsbF2a8sNJ6OSZIlXd+7ngBJ2Z29ztP9y2aHAQNE=,iv:iVOj9GHjmSjVmcv36XlBaHVTVPrdF58UknvkLj884DM=,tag:ZEW8Tmzvb3ZoZ01nKH2xUg==,type:str] + pgp: + - created_at: "2025-05-26T09:26:56Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxd/Yh1BfDklARAAi1hB7OruAZemE/MY2dw9ZTt3IP93hUhvV0NK/1vzqACr + YmRTr80tFkayytvKU++NCSgWZ17qfqdwexPfl5g10/ge/33FSJL+2ClyvI5C6Tqm + hdSJE96ILAnURu3J2sbOcvmPrJmDEE8MA6nhVmVaJOOUmG4pBzgpmHppV7Ctuhhn + xeIdc9rwJIQ8+9gOy112WS5USxhOAS7mKMQvfQ9u+u2/HRYyOzzVzKq9ByJLnnpq + CVyOxAEJs4+VfX6rf3VcL+xPFUESBOQYfDK4dkBGvtsGICEiqg51LEt3hMFfEZB5 + ZiMwW92F4nLDQRzWdjgWihd+3xpQ0GujXNNmgZEIrubdR4h80WGu79w6EXmP1wvE + YimIsMrFmJ7xb81cvDwpd4WPbKP5Wu4dLZ3X2oktOhFFtC/J6jL1tfS7rysOiWFw + MghxxfDNnnvTeQRFXal0zpxOF6lU2Bo6cFneA/xpqKtn5tWeh/bDFjNoQp6bVEYM + mh5o3lEOsBUgHxz/krJhExi0yBmnM5YBNWQnag6eVavpXgDGA2dU73Rdmnp5MZeR + wB/CcysKxhe4PE3nzipFrnvWkHb/KeTicFfkPU6/7EoTjdJkoZ/gfOT7PwpwVxly + zv1/xdL4v/6YKFQXtd2fmaERHQ+gd6MjaO7uQMB1O5GvRYhq9cGKCVFKeErZv8zU + aAEJAhDUHWRd/spqIfKe1sep4glWcGiUHLA2NfH/YbFKBxb0PcSOBqpHL97wUCGO + NvQIcsTtf1pPiXvEb1SdWto2dsaK5Yl3x2MYQCsemFfz+wNWVQ84w2LaIrAtLju9 + V0GBGSbnNaZ2 + =vpRf + -----END PGP MESSAGE----- + fp: F20CF3DE0B4ACDFCAF07A9D76399FB237185E764 + encrypted_regex: ^(data|stringData)$ + version: 
3.10.2
diff --git a/apps/gitea/helmrelease.yaml b/apps/gitea/helmrelease.yaml
index 4bf68a5..c3c6d9d 100644
--- a/apps/gitea/helmrelease.yaml
+++ b/apps/gitea/helmrelease.yaml
@@ -9,24 +9,42 @@ spec:
 chart:
 spec:
 chart: gitea
- version: "11.0.1"
+ version: "12.0.0"
 sourceRef:
 kind: HelmRepository
 name: gitea-charts
 namespace: flux-system
 values:
+ valkey-cluster:
+ enabled: false
+ valkey:
+ enabled: true
+ postgresql:
+ enabled: true
+ auth:
+ existingSecret: gitea-postgres
+ # usernameKey: postgres-user
+ # passwordKey: postgres-password
+ # databaseKey: postgres-db
+ postgresql-ha:
+ enabled: false
 persistence:
 enabled: true
- storageClass: longhorn
- size: 5Gi
+ existingClaim: gitea-data
 ingress:
 enabled: true
 className: traefik
 hosts:
- - host: gitea.local
+ - host: git.patanix.de
 paths:
 - path: /
 pathType: Prefix
+ tls:
+ - secretName: gitea-tls
+ hosts:
+ - git.patanix.de
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-dns
 service:
 http:
 type: ClusterIP
@@ -36,9 +54,10 @@ spec:
 port: 22
 gitea:
 admin:
- username: giteaadmin
- password: changeme
- email: patrykhegenberg@gmail.com
+ existingSecret: gitea-admin
+ usernameKey: username
+ passwordKey: password
+ emailKey: email
 metrics:
 enabled: true
 actions:
diff --git a/apps/gitea/kustomization.yaml b/apps/gitea/kustomization.yaml
index b4a3d7c..088890c 100644
--- a/apps/gitea/kustomization.yaml
+++ b/apps/gitea/kustomization.yaml
@@ -4,3 +4,7 @@ resources:
 - namespace.yaml
 - helmrepository.yaml
 - helmrelease.yaml
+ - gitea-admin-secret.yaml
+ - gitea-postgres-secret.yaml
+ - pvc.yaml
+ - certificate.yaml
diff --git a/apps/gitea/pvc.yaml b/apps/gitea/pvc.yaml
new file mode 100644
index 0000000..c135469
--- /dev/null
+++ b/apps/gitea/pvc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: gitea-data
+ namespace: gitea
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 40Gi
+ storageClassName: local-path
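Review bot: `postgresql.auth.existingSecret: gitea-postgres` points at a Secret whose keys are `postgresql-username`, `postgresql-password` and `postgresql-database`, but the Bitnami PostgreSQL subchart, as far as I know, reads only password keys from an existing secret — `postgres-password` for the superuser and `password` for the application user by default, overridable through `auth.secretKeys.adminPasswordKey`/`userPasswordKey` — while the username and database come from `postgresql.auth.username`/`auth.database`; the commented-out `usernameKey`/`passwordKey`/`databaseKey` lines are not subchart options. Either rename the secret keys to what the subchart expects, or add `secretKeys:` / `userPasswordKey: postgresql-password` under `auth:` (plus an `adminPasswordKey` pointing at a separate superuser password you add to the secret, so the superuser does not share the application password). Also check how Gitea itself obtains the password: I believe the chart derives `database.PASSWD` from `postgresql.global.postgresql.auth.password` rather than from `existingSecret`, so it may need an explicit `GITEA__DATABASE__PASSWD` injected via `gitea.additionalConfigFromEnvs` from the same secret key. The `values:` mapping continues past the end of this hunk.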
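Review bot: The removed `password: changeme` was the admin credential on every reconcile before this commit and stays in git history, so the value now encrypted in `gitea-admin` must be freshly generated, not the same string re-encrypted. As far as I know the chart has no `usernameKey`/`passwordKey`/`emailKey` options: it reads the fixed keys `username` and `password` from `existingSecret` (which this secret happens to provide) and takes the address from `gitea.admin.email`, so the email will likely fall back to the chart default — verify against the chart's statefulset template and, if so, replace the three `*Key` lines with `email: <address>` or accept the default. Whether the new password reaches an already-initialised instance depends on `gitea.admin.passwordMode`, whose default I recall as `keepUpdated` (reset on every pod start); pin it explicitly, e.g. `passwordMode: keepUpdated`, so the intent is visible here. The `gitea:` mapping continues past `actions:` outside this hunk.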
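Review bot: `storageClassName: local-path` puts the 40Gi claim on the local disk of whichever node first runs the pod, and as far as I know the local-path provisioner neither replicates nor snapshots the volume nor enforces the requested size, so every repository's history now lives on one node with no recovery path — a step down from the `longhorn` class the old values used. Either keep a replicated class for this claim or pair it with a scheduled backup of the Gitea data directory. In both cases add `labels:` / `kustomize.toolkit.fluxcd.io/prune: disabled` under `metadata:`, because the owning Flux Kustomization sets `prune: true` and a prune would delete the claim and, with the class's typical Delete reclaim policy, the data with it.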
diff --git a/apps/kustomization.yaml b/apps/kustomization.yaml
index f8c4c0c..197be73 100644
--- a/apps/kustomization.yaml
+++ b/apps/kustomization.yaml
@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
 - home-assistant/
 - kitchenowl/
+ - gitea/
diff --git a/clusters/production/gitea.yaml b/clusters/production/gitea.yaml
new file mode 100644
index 0000000..7f3c437
--- /dev/null
+++ b/clusters/production/gitea.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: gitea
+ namespace: flux-system
+spec:
+ interval: 10m
+ path: ../../apps/gitea
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-gpg
diff --git a/clusters/production/kustomization.yaml b/clusters/production/kustomization.yaml
index 2488197..ef7921f 100644
--- a/clusters/production/kustomization.yaml
+++ b/clusters/production/kustomization.yaml
@@ -3,7 +3,7 @@ kind: Kustomization
 resources:
 - cert-manager.yaml
 - kitchenowl.yaml
- - forgejo.yaml
+ - gitea.yaml
 - ocirepository.yaml
 - ../../infrastructure
 - ../../apps
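Review bot: `apps/gitea` is now applied by two Flux Kustomizations: this one (`path: ../../apps/gitea`, with SOPS decryption) and the root one, because `clusters/production/kustomization.yaml` includes `../../apps` and `apps/kustomization.yaml` gains `- gitea/`. If the root Kustomization has no `decryption:` block (not visible here) it will try to apply `gitea-admin` and `gitea-postgres` with the literal `ENC[...]` strings as `stringData`, and even if it does decrypt, two controllers contending for the same objects is a steady source of apply conflicts. Remove the `- gitea/` line from `apps/kustomization.yaml` so this Kustomization is the sole owner, or drop this file and put `decryption` on the root one; the same question applies to `kitchenowl`, which is listed in both places too.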