diff --git a/cluster/apps/development/gitea/backup-job.yaml b/cluster/apps/development/gitea/backup-job.yaml index f6a8329d2..a79d12661 100644 --- a/cluster/apps/development/gitea/backup-job.yaml +++ b/cluster/apps/development/gitea/backup-job.yaml @@ -3,7 +3,7 @@ apiVersion: batch/v1 kind: CronJob metadata: name: gitea-repositories-backup - namespace: development + namespace: default spec: schedule: "@daily" jobTemplate: @@ -12,9 +12,6 @@ spec: metadata: name: gitea-repositories-backup spec: - serviceAccountName: jobs - imagePullSecrets: - - name: regcred containers: - name: gitea-repositories-backup image: ghcr.io/auricom/kubectl:v1.25.0@sha256:ee2a4883c68adf439fe76a8102261a29cdff34c427822a08bafe264d8dbd09be @@ -85,5 +82,5 @@ spec: volumes: - name: secret secret: - secretName: gitea-secrets + secretName: gitea-config restartPolicy: Never diff --git a/cluster/apps/development/gitea/helm-release.yaml b/cluster/apps/development/gitea/helm-release.yaml index 043871947..3f5893bc4 100644 --- a/cluster/apps/development/gitea/helm-release.yaml +++ b/cluster/apps/development/gitea/helm-release.yaml @@ -3,36 +3,37 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: gitea - namespace: development + namespace: default spec: - interval: 5m + interval: 15m chart: spec: - # renovate: registryUrl=https://dl.gitea.io/charts chart: gitea version: 6.0.1 sourceRef: kind: HelmRepository name: gitea-charts namespace: flux-system - interval: 5m + install: + createNamespace: true + remediation: + retries: 5 + upgrade: + remediation: + retries: 5 values: image: repository: gitea/gitea tag: 1.17.2 rootless: true - containerSecurityContext: capabilities: add: ["SYS_CHROOT"] - gitea: admin: - email: ${SECRET_GITEA_ADMIN_EMAIL} username: auricom - password: ${SECRET_GITEA_ADMIN_PASSWORD} config: - APP_NAME: "Homelab Gitea" + APP_NAME: "Gitea Homelab" cron.resync_all_sshkeys: ENABLED: true RUN_AT_START: true 
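Review bot: With `serviceAccountName: jobs` removed, the pod spec in the `@@ -12,9 +12,6 @@` hunk of backup-job.yaml names no service account, so the job runs as the `default` ServiceAccount of the `default` namespace with its token mounted automatically. The container image is `ghcr.io/auricom/kubectl`, so the script (outside this hunk) presumably calls the API. It will then either be refused, or need rights granted to an account that every other pod in `default` without its own ServiceAccount shares. A dedicated ServiceAccount bound to a narrow Role would be safer; the deleted `jobs-edit` binding used the `edit` ClusterRole, which is likely broader than a backup needs. If the job never talks to the API, set `automountServiceAccountToken: false` instead.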
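Review bot: `secretName: gitea-config` in the `@@ -85,5 +82,5 @@` hunk mounts the whole Secret into the backup container. In this commit, secret.sops.yaml puts `adminEmail`, `adminPassword`, `minioAccessKeyId` and `minioSecretAccessKey` into that same Secret next to `deployment_rsa_priv_key`. The deleted `gitea-secrets` held only the key, so the job now sees credentials it did not have before. Restrict the volume with an `items:` list holding the single entry `key: deployment_rsa_priv_key` with `path: deployment_rsa_priv_key`, or keep the key in a Secret of its own. The volume mount and the script that reads it are outside this hunk.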
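Review bot: `install.createNamespace: true` in the first helm-release.yaml hunk has no effect, because the release now targets `default`, which always exists; it can be dropped. The move itself (also made in backup-job.yaml, volume.yaml and secret.sops.yaml) places Gitea and its `gitea-config` Secret in a namespace shared with other workloads; the mailer host `smtp-relay.default` suggests at least one. Any Role that grants Secret reads in `default` then also covers Gitea's admin and storage credentials. A dedicated namespace would keep that RBAC and NetworkPolicy boundary.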
@@ -50,6 +51,7 @@ spec: SSH_DOMAIN: gitea.${SECRET_DOMAIN} ROOT_URL: https://gitea.${SECRET_CLUSTER_DOMAIN} respository: + DEFAULT_BRANCH: main DEFAULT_PRIVATE: true admin: DISABLE_REGULAR_ORG_CREATION: true @@ -59,34 +61,60 @@ spec: service: DISABLE_REGISTRATION: true REQUIRE_SIGNIN_VIEW: true - webhook: - ALLOWED_HOST_LIST: "drone.${SECRET_CLUSTER_DOMAIN}" - + cron: + ENABLED: true + attachment: + STORAGE_TYPE: minio + MINIO_ENDPOINT: truenas.${SECRET_DOMAIN}:9000 + MINIO_BUCKET: gitea + MINIO_USE_SSL: true + storage: + STORAGE_TYPE: minio + MINIO_ENDPOINT: truenas.${SECRET_DOMAIN}:9000 + MINIO_BUCKET: gitea + MINIO_USE_SSL: true + mailer: + ENABLED: true + MAILER_TYPE: smtp + HOST: smtp-relay.default:2525 + FROM: "Gitea " + openid: + ENABLE_OPENID_SIGNIN: false + ENABLE_OPENID_SIGNUP: true + WHITELISTED_URIS: "auth.${SECRET_CLUSTER_DOMAIN}" + oauth: + - name: authelia + provider: openidConnect + key: gitea + secret: "${SECRET_GITEA_OAUTH_CLIENT_SECRET}" + autoDiscoverUrl: "https://auth.${SECRET_CLUSTER_DOMAIN}/.well-known/openid-configuration" + groupClaimName: groups + adminGroup: admins + restrictedGroup: people + metrics: + enabled: true + serviceMonitor: + enabled: true + podAnnotations: + secret.reloader.stakater.com/reload: gitea-config postgresql: enabled: false - memcached: image: repository: bitnami/memcached tag: 1.6.17 service: port: 11211 - persistence: enabled: true existingClaim: "gitea-config" - service: - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: "tcp" ssh: type: LoadBalancer port: 22 externalTrafficPolicy: Local externalIPs: - ${CLUSTER_LB_GITEA} - ingress: enabled: true className: nginx 
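Review bot: The added `DEFAULT_BRANCH: main` lands under the existing key `respository:`, which looks like a misspelling of `repository`. If the chart renders each key under `config` as an app.ini section, Gitea does not read a `[respository]` section. Neither the new default branch nor the existing `DEFAULT_PRIVATE: true` would then take effect, and new repositories would fall back to Gitea's default visibility. Renaming the key to `repository:` would fix both; it is worth checking the rendered app.ini to confirm.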
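Review bot: The OAuth client secret in the `@@ -59,34 +61,60 @@` hunk is injected as `secret: "${SECRET_GITEA_OAUTH_CLIENT_SECRET}"`. After substitution (presumably Flux post-build), the plaintext value sits in the HelmRelease object, readable by anyone allowed to get HelmReleases, while this same commit moves the admin and MinIO credentials to `valuesFrom`. Dropping the inline `secret:` line and adding a `valuesFrom` entry keeps it in the Secret only. The sketch below uses a placeholder key name that would also have to be added to `gitea-config`. Separately, `metrics.enabled: true` turns on Gitea's `/metrics` endpoint and no metrics token is visible in this hunk; if the ingress routes all paths to Gitea, consider setting a token or blocking `/metrics` at the ingress.

```yaml
  valuesFrom:
    # … unchanged: admin and MinIO entries …
    - targetPath: gitea.oauth[0].secret
      kind: Secret
      name: gitea-config
      valuesKey: oauthClientSecret  # placeholder key name
```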
@@ -98,3 +126,28 @@ spec: tls: - hosts: - "gitea.${SECRET_CLUSTER_DOMAIN}" + valuesFrom: + - targetPath: gitea.admin.email + kind: Secret + name: gitea-config + valuesKey: adminEmail + - targetPath: gitea.admin.password + kind: Secret + name: gitea-config + valuesKey: adminPassword + - targetPath: gitea.config.attachment.MINIO_ACCESS_KEY_ID + kind: Secret + name: gitea-config + valuesKey: minioAccessKeyId + - targetPath: gitea.config.attachment.MINIO_SECRET_ACCESS_KEY + kind: Secret + name: gitea-config + valuesKey: minioSecretAccessKey + - targetPath: gitea.config.storage.MINIO_ACCESS_KEY_ID + kind: Secret + name: gitea-config + valuesKey: minioAccessKeyId + - targetPath: gitea.config.storage.MINIO_SECRET_ACCESS_KEY + kind: Secret + name: gitea-config + valuesKey: minioSecretAccessKey diff --git a/cluster/apps/development/gitea/kustomization.yaml b/cluster/apps/development/gitea/kustomization.yaml index c707432e3..d2a882be6 100644 --- a/cluster/apps/development/gitea/kustomization.yaml +++ b/cluster/apps/development/gitea/kustomization.yaml @@ -1,7 +1,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - secrets.sops.yaml + - secret.sops.yaml - volume.yaml - helm-release.yaml - backup-job.yaml diff --git a/cluster/apps/development/gitea/secret.sops.yaml b/cluster/apps/development/gitea/secret.sops.yaml new file mode 100644 index 000000000..155820f9c --- /dev/null +++ b/cluster/apps/development/gitea/secret.sops.yaml 
@@ -0,0 +1,32 @@ +kind: Secret +apiVersion: v1 +type: Opaque +metadata: + name: gitea-config + namespace: default +stringData: + adminEmail: ENC[AES256_GCM,data:KUhhtTXAU/lcKVsuy3tF+QjgRk8m,iv:goqGhOEkpbnYa6uELXYfdQjCdKPOW2KGAjb4cfdHrn0=,tag:SFENNvmSkEfcAgat/BHksg==,type:str] + adminPassword: ENC[AES256_GCM,data:SMR6vlFSysGv7iG+zjk=,iv:PtceAzAWR1nc8nACAYSOe+19evR9+orQa9DRzbcXU4U=,tag:Rq+3Ua0XhOzsnFw6/OdY4A==,type:str] + minioAccessKeyId: ENC[AES256_GCM,data:Gh41eINrkyjgEpTO5O+5lPWNPd8=,iv:XFH3RvyJwUEtszqtKVjLtMxTamPHPx4Aqi0PqsUmDCQ=,tag:abNj9gjgSlPJFsS9DBs+gw==,type:str] + minioSecretAccessKey: ENC[AES256_GCM,data:ZiCMwvRnVavI62F7+OIDoYEOSvM9Jfh1eqJGbJjOR+GiC2YXw7T4+A==,iv:bbCaIOXhwrCFqiu8AQ1qyWzE+yuTotCjJgaK14qC1Qs=,tag:ZESnmDhsgqffe1rdKoVStQ==,type:str] + deployment_rsa_priv_key: ENC[AES256_GCM,data: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,iv:CYw3LLwOeyEu3/BK/SjdjneQvXPk2mHMPiFm2T4sXHQ=,tag:Et4HAytIgiVg4n8+D5anfw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSd2h2N2RELzkvODM0WE1p + c1M3bEQxdDZkZ3Zlcm9uKzFWYklLWWpUYXhvCkN1bXU3YmNrY255RmkwSXFDWmt1 + dHExaGZRODhKdm1NR2xYV29CeE5vbk0KLS0tIHpBUGVaNUhKaE5UOU1hM3c0akxX + ZWRhWnBrY1FBNVQyOU0yVGFXb0QrVnMK26Nc5Bw/jOzuxXcufHcxnugG1bzqO9T8 + LNIau17zdWX5bfWGDj++ipnm8x1sPswEULal4U2Muc2Iy7GuZPhVyg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-09-13T23:26:40Z" + mac: ENC[AES256_GCM,data:uUgDRhsPIF9lG9iFV+GGHzmR//Dor0B6Ph0Pxlu2L5ku9yhjK2PgFpucZhUZXHoU3o/EDLmGXNtLWjGaUOFZk21SVr8YMNzLlHJ/UaGgQdwcFYgUDUo/8CKeFZfQIxs+Dkjjnok6flWojyzo5SFhznpcgyskHXk88PhJYWMQlP0=,iv:73N4xGTM+Yw15nhoV2/fB82zwwIuJgq6RdkyH6xrlZE=,tag:1KykIwbWbM/F0FrHlsJgWg==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 
diff --git a/cluster/apps/development/gitea/secrets.sops.yaml b/cluster/apps/development/gitea/secrets.sops.yaml deleted file mode 100644 index 22c2c12d9..000000000 --- a/cluster/apps/development/gitea/secrets.sops.yaml +++ /dev/null @@ -1,27 +0,0 @@ -kind: Secret -apiVersion: v1 -metadata: - name: gitea-secrets - namespace: development -stringData: - deployment_rsa_priv_key: ENC[AES256_GCM,data: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,iv:PKmf+mytOTMdVitS5avOAi5yChAx44mG2YNnaDFLTlw=,tag:0ejHj1EpeXqRF686ZsmVmA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5UnFTTUZTT2dxV1JFY2R0 - aS9yUWNHeDdnVStyTTV1ZjRXU1hQYVVQRTFvCktjL0VwNjdsczdmcFI2TnhXMHU1 - RXRhQnhhYjc4ZHNzN0wyN1ErcVkvNXcKLS0tIE1WNTBhV0xwSk9rcklLWkVESElS - ZVpwVVRmV2VHU0NJcFptYXJPZnhXT28KIQgCy66P7kb1hc9TxEolPBaP68Pp116Y - 5cxfpbXZYnsDItjB1FtwrIxFRjDBHrpHoEb2e6AC47pHvai+OflqCg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-07-03T14:41:34Z" - mac: ENC[AES256_GCM,data:dQ7zJWFeZboFrR1pbKHoXcnqv6yjZVrHahb79bfdfJiXt7qbnr1w+WSTbcv78zsN9y0pZ6hPyzc8+QzwFH5xbBSdi8TkHifcuvQqTMtmrMnHZM6GMXyiN8BUvPEq8iT5OO0UFwbXitQSavn9Ib52j+HSvyDzLy9MkGbmLHrKA88=,iv:YywQ58kygqVBKQ4BxIVkGMgi8SoL842qsuJ4q7hZikY=,tag:17wpoXBlhOdHnls7uU5IQA==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/cluster/apps/development/gitea/volume.yaml b/cluster/apps/development/gitea/volume.yaml index e30d7cad0..8d56d94f6 100644 --- a/cluster/apps/development/gitea/volume.yaml +++ b/cluster/apps/development/gitea/volume.yaml @@ -3,7 +3,7 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: name: gitea-config - namespace: development + namespace: default labels: kasten-io/backup: "true" spec: 
diff --git a/cluster/apps/development/jobs/kustomization.yaml b/cluster/apps/development/jobs/kustomization.yaml deleted file mode 100644 index cf30275bb..000000000 --- a/cluster/apps/development/jobs/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - serviceaccount.yaml diff --git a/cluster/apps/development/jobs/serviceaccount.yaml b/cluster/apps/development/jobs/serviceaccount.yaml deleted file mode 100644 index c8dd563be..000000000 --- a/cluster/apps/development/jobs/serviceaccount.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: jobs - namespace: development ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: jobs-edit - namespace: development -subjects: - - kind: ServiceAccount - name: jobs -roleRef: - kind: ClusterRole - name: edit - apiGroup: rbac.authorization.k8s.io diff --git a/cluster/apps/development/kustomization.yaml b/cluster/apps/development/kustomization.yaml index 60c35c158..b8d5446f9 100644 --- a/cluster/apps/development/kustomization.yaml +++ b/cluster/apps/development/kustomization.yaml @@ -1,6 +1,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - namespace.yaml - gitea - - jobs diff --git a/cluster/apps/development/namespace.yaml b/cluster/apps/development/namespace.yaml deleted file mode 100644 index 912442914..000000000 --- a/cluster/apps/development/namespace.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: development diff --git a/cluster/apps/development/readme.md b/cluster/apps/development/readme.md new file mode 100644 index 000000000..b7a4dc1f7 --- /dev/null +++ b/cluster/apps/development/readme.md 
@@ -0,0 +1,67 @@ +# Development + +## Gitea + +### S3 Configuration + +1. Create `~/.mc/config.json` + + ```json + { + "version": "10", + "aliases": { + "minio": { + "url": "https://s3.", + "accessKey": "", + "secretKey": "", + "api": "S3v4", + "path": "auto" + } + } + } + ``` + +2. Create the outline user and password + + ```sh + mc admin user add minio gitea + ``` + +3. Create the outline bucket + + ```sh + mc mb minio/gitea + ``` + +4. Create `gitea-user-policy.json` + + ```json + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "s3:ListBucket", + "s3:PutObject", + "s3:GetObject", + "s3:DeleteObject" + ], + "Effect": "Allow", + "Resource": ["arn:aws:s3:::gitea/*", "arn:aws:s3:::gitea"], + "Sid": "" + } + ] + } + ``` + +5. Apply the bucket policies + + ```sh + mc admin policy add minio gitea-private gitea-user-policy.json + ``` + +6. Associate private policy with the user + + ```sh + mc admin policy set minio gitea-private user=gitea + ``` diff --git a/cluster/configuration/cluster-secrets.sops.yaml b/cluster/configuration/cluster-secrets.sops.yaml index 01057e66f..3e617b476 100644 --- a/cluster/configuration/cluster-secrets.sops.yaml +++ b/cluster/configuration/cluster-secrets.sops.yaml 
@@ -24,6 +24,8 @@ stringData: SECRET_GITEA_ADMIN_PASSWORD: ENC[AES256_GCM,data:w1BcZzMeLqEMVFdX94c=,iv:bc4IaH9YXvRQTW38Rb1tySKx9/1npWtqI2DtS0y/p3w=,tag:X3hyHEhbGNJcYaH2yWMQNQ==,type:str] SECRET_GITEA_API_TOKEN: ENC[AES256_GCM,data:Xsk9tJLyy6LaoGdIhIQ0rrbu4qREg5fKWJ0KDp7f4qPme7Q1Iha7YA==,iv:uHcaLAaQ/l737UMTzjX3okEAba7gxrowMDu/GO98FnM=,tag:4rKcU+z1sqnDcZoZ+9Zqxg==,type:str] SECRET_GITEA_DB_PASSWORD: ENC[AES256_GCM,data:1Nol+xY5U6bwK5OpCII=,iv:309gSLUAMPpou+D1+MqjaPXxz7fWPnJVV0y3irmQe68=,tag:NIAbD7cLSFJ3Na64H9PV7A==,type:str] + SECRET_GITEA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:VWetZHP8haXPy1r20RMJvECxEWw=,iv:B3+rjPXWSbyCdi4KAy/FeMbtNUv40UIWN462OWfv9Ww=,tag:5wK7nUGu7HmdC90d2jllwQ==,type:str] + SECRET_GRAFANA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:3igfeqGHygjnmJXnoiKV7W8Tm2M=,iv:Hrjh38GuRvzS4Hi69QftBhaAJ02is5B0E5h23XICpUc=,tag:O4JFVSaoTQDhf3QZPLbn1Q==,type:str] SECRET_HASS_DB_URL: ENC[AES256_GCM,data:Rrq3O82kQksrHzBlH/+iVFoyOGUNkvwO0PQa6wKWCjR9u4niYEFgy0q7pkU8VhF250GASrM2B+pGfio0+IfgAS1OHJdWIeqwA9N1Lw==,iv:YvdgnaSVhwFqB80wgbk5dhbri6BWV23wOFw7A7yvr+w=,tag:3+8heFgAELFJy/6HKWOFyA==,type:str] SECRET_HASS_LATITUDE: ENC[AES256_GCM,data:t3MRZlv84+0w0oNAYPl9XsQ=,iv:4Res2auWXUXGNBgbg6nhv347oFOKD5v2c4901u6Cxis=,tag:DrYJmj14uL902BGqSuyGtA==,type:str] SECRET_HASS_LONGITUDE: ENC[AES256_GCM,data:4oVXOt3rIcGoG4hw2rmdlFg=,iv:o9xgLwOqmFf6lKmemdnsHoII3IkJ5/8kTVqYEyz9cTI=,tag:cWgo7COp7macBiQJm/Me9A==,type:str] 
@@ -40,12 +42,12 @@ stringData: SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_TOKEN: ENC[AES256_GCM,data:Bwvuy/jHIRduy/r1A8dOs0OE8ewdjCgs8g/br1oW,iv:PdnPH9I509MT6UJkUG1zLAGn9aV4AVrROgAVCD4a3Y0=,tag:59kBGx9qx3jeauokyoolQQ==,type:str] SECRET_KUBE_PROMETHEUS_STACK_GRAFANA_ADMIN_PASSWORD: ENC[AES256_GCM,data:L7LS6+tuwPCyb5HN4zg=,iv:JM2KTtDN/VrKicjp5qwqusWiJKHRZnfTtsZE2hkLq6Q=,tag:XGF3L5P6JxVBrlGuKosdZA==,type:str] SECRET_LYCHEE_DB_PASSWORD: ENC[AES256_GCM,data:tn8r2epnKSC0koed54s=,iv:2ojoEzTJYQHniFD002bx2i3uBlTdwV17dYBCBoMSglo=,tag:jcuI1iqJXaKPCwmSuOYjJw==,type:str] - SECRET_MARIADB_ROOT_PASSWORD: ENC[AES256_GCM,data:RPW9YDRn+OE0b0xmmuPZMw==,iv:vG/rLxCDs7MWGFY63ERINRRPnEXRombhobnEKq9oJjE=,tag:LNae+haPYSoFMvw6lxOYvw==,type:str] SECRET_MINIO_ACCESS_KEY: ENC[AES256_GCM,data:cv4//sg=,iv:dx1hciCvVBFcKXbAqoArkTjc/YLyKUp1sXPGuPoX7lw=,tag:+AYVkGKVWXR06h+TwTO9ZQ==,type:str] SECRET_MINIO_SECRET_KEY: ENC[AES256_GCM,data:qcV/b9q12949ZYExzDP3Yy2nAOY=,iv:7qg5IGEWBF1idgZxObcbWyxeNDAXbuwuf4BqwqC67Qo=,tag:wx44bn38jTel2TocUkCghA==,type:str] SECRET_MINIO_ENDPOINT: ENC[AES256_GCM,data:2/+oaWr84857KBx8yXrR7JK+EFIGw7ed,iv:iyfCkYl7yIgwDn0fR95rjcLj5Tsrho17ubGW1KDfym8=,tag:o2VTxHOjKrbX94wbRKHRRA==,type:str] SECRET_MQTT_USERNAME: ENC[AES256_GCM,data:KkxVYfSPPz/bBFphww==,iv:zh83aX1OySv2+n1mhTmcgK9SzCAQcVtvlmXbAhiNQcE=,tag:mCHE13e12m4DHOWelYY4Zg==,type:str] SECRET_MQTT_PASSWORD: ENC[AES256_GCM,data:8B3BfPFPQm/eZnhMYe4DOGdmiQ==,iv:a1PzZHBVDSVTE0oDy1Abb99F4RyPNIIm8cMV53AySQk=,tag:VzaPwV9bu9R7brGRy7N7wg==,type:str] + SECRET_OUTLINE_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:BB/eZQ/oLQ09AxGwKRddbiyiRMA=,iv:dhiyOUP3GyvHXUdPYqQKPQCMmqornj6WVWtfreq9T6A=,tag:WijFyu8XGk3dklYJR4/81A==,type:str] SECRET_PGADMIN_EMAIL: ENC[AES256_GCM,data:Cqvgf0l1A3V8C43YJ20RkCToOGQrxA==,iv:6TsLUzW0yMnx+pGK9MLD/1pm7TGcoVz/Ibn4wYGWZ3k=,tag:YBHhIJl28Cnnncz+fPbPNw==,type:str] SECRET_PGADMIN_PASSWORD: ENC[AES256_GCM,data:1TDN5XLr4ZGQC4qjF9A=,iv:ydluXBbIfFYNEfhgNKxtVOOdqsY2SX+40CjyN4nOsvQ=,tag:hPmQpDYQR3X67AEIOa6sog==,type:str] 
SECRET_POSTGRESQL_POSTGRES_PASSWORD: ENC[AES256_GCM,data:AVc452aMFD0v7yemNC/KdA==,iv:fkCQPJJXP/PSyOjvvi3USHfpodT0DY6LDubbr7sITo4=,tag:8Fp5aTnnhg0ojGUN1DP6Xg==,type:str] @@ -62,11 +64,6 @@ stringData: SECRET_VIKUNJA_JWT_SECRET: ENC[AES256_GCM,data:8axiOB5PPhjEwBoYB3NtT0ewlNWNK92EAIEAi+NR1J4=,iv:uNBL/FfhamQwBzfKbZTPBeGUgbOfKKQM4SdDCGMv+HU=,tag:YpK+cW/ISWj9jGCeWBeJSg==,type:str] SECRET_VIKUNJA_PASSWORD: ENC[AES256_GCM,data:m3pGmQGYvqPO0ubxhaDGNg==,iv:hIzZP5JMnG9W3QWr50YeZ9FDRNRh1qOWFliRIDHV6+I=,tag:6/ymdGs4Q2cla+bN8r9KGw==,type:str] SECRET_WALLABAG_DB_PASSWORD: ENC[AES256_GCM,data:6kI1fYuCEZzgNSqJ0vE=,iv:QMzl/GI5Wmudv7kp4y5PtyiCygAQDJHfVzLquMkjLsY=,tag:6Dr9lwtxKL1hlskTtcyKBg==,type:str] - SECRET_WIFI_SSID: ENC[AES256_GCM,data:ChUJY7mgQSZ1IQ==,iv:uJ8FasEK+ZvxLMulSp7l9wXOjb3Ojnnt31sfekPRm9s=,tag:QBwdk4qtLCwG7G0AqdOoQA==,type:str] - SECRET_WIFI_PASSWORD: ENC[AES256_GCM,data:pE7jOD2WNVw6+KmyRzlXgwErVbVCSpx4p9AL3kyv,iv:51HVZpqSMVt10b96Ugx9ZDOG0Eh47QR9gypCr2s/FCc=,tag:hxhk8vuVBSZeihZoF2nwsA==,type:str] - SECRET_OUTLINE_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:BB/eZQ/oLQ09AxGwKRddbiyiRMA=,iv:dhiyOUP3GyvHXUdPYqQKPQCMmqornj6WVWtfreq9T6A=,tag:WijFyu8XGk3dklYJR4/81A==,type:str] - SECRET_GRAFANA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:3igfeqGHygjnmJXnoiKV7W8Tm2M=,iv:Hrjh38GuRvzS4Hi69QftBhaAJ02is5B0E5h23XICpUc=,tag:O4JFVSaoTQDhf3QZPLbn1Q==,type:str] - SECRET_GITEA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:VWetZHP8haXPy1r20RMJvECxEWw=,iv:B3+rjPXWSbyCdi4KAy/FeMbtNUv40UIWN462OWfv9Ww=,tag:5wK7nUGu7HmdC90d2jllwQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -82,8 +79,8 @@ sops: WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-09-13T21:06:40Z" - mac: ENC[AES256_GCM,data:fi8v5TVbw/Ki4z2l53CJJ1h+XNtX6YczzHD71UKJEWgHIyp6R9mY5UHTCdGJYNurcOA6IzP24XRjx2Z3s43jArIy0ojyVYYudyVLzrUYTf712CvgBF1YVeWu9sluM+7xutEvpG7byJ7gEml+B6FlN2duf902KFiiZIMhh4fvVmI=,iv:KnVclXvl3qgLlrQXG6FtXjmW5TFyvWoJMoJk3O9kwVs=,tag:moe3SNsZF+a5cPpW0XfMvg==,type:str] + lastmodified: "2022-09-13T22:56:56Z" + mac: ENC[AES256_GCM,data:lLQYL2TJ4KxZhviBd3Co2WGQPy09kyZF5a0oMR2QGud8JPqbSUzxNspu4n1cxJRuF7PAfsb3FWoeal/DmjTP06grqj1RNwSpNQfCBKb6bi1/9MONkA1PKUf1fzoZK+s8h8nTK0nknm6nMk/sSJg+Sgz/Zuy8rt/CuJgYEVVGb8w=,iv:VP5rnNNBZjGkTXOQfXcV8zLKcf9sjVwTJ+44K8Rmdgw=,tag:zukSR3nXrWiDlo67EKgsPg==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3