♻️ gitea

2025-09-17 18:24:14 +02:00 · 2022-09-14 01:30:10 +02:00
parent 56be9eec50
commit d9d14a023e
12 changed files with 180 additions and 90 deletions
--- a/cluster/apps/development/gitea/backup-job.yaml
+++ b/cluster/apps/development/gitea/backup-job.yaml
@@ -3,7 +3,7 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
  name: gitea-repositories-backup
-  namespace: development
+  namespace: default
 spec:
  schedule: "@daily"
  jobTemplate:
@@ -12,9 +12,6 @@ spec:
        metadata:
          name: gitea-repositories-backup
        spec:
-          serviceAccountName: jobs
-          imagePullSecrets:
-            - name: regcred
          containers:
            - name: gitea-repositories-backup
              image: ghcr.io/auricom/kubectl:v1.25.0@sha256:ee2a4883c68adf439fe76a8102261a29cdff34c427822a08bafe264d8dbd09be
@@ -85,5 +82,5 @@ spec:
          volumes:
            - name: secret
              secret:
-                secretName: gitea-secrets
+                secretName: gitea-config
          restartPolicy: Never
--- a/cluster/apps/development/gitea/helm-release.yaml
+++ b/cluster/apps/development/gitea/helm-release.yaml
@@ -3,36 +3,37 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: gitea
-  namespace: development
+  namespace: default
 spec:
-  interval: 5m
+  interval: 15m
  chart:
    spec:
-      # renovate: registryUrl=https://dl.gitea.io/charts
      chart: gitea
      version: 6.0.1
      sourceRef:
        kind: HelmRepository
        name: gitea-charts
        namespace: flux-system
-      interval: 5m
+  install:
+    createNamespace: true
+    remediation:
+      retries: 5
+  upgrade:
+    remediation:
+      retries: 5
  values:
    image:
      repository: gitea/gitea
      tag: 1.17.2
      rootless: true
-
    containerSecurityContext:
      capabilities:
        add: ["SYS_CHROOT"]
-
    gitea:
      admin:
-        email: ${SECRET_GITEA_ADMIN_EMAIL}
        username: auricom
-        password: ${SECRET_GITEA_ADMIN_PASSWORD}
      config:
-        APP_NAME: "Homelab Gitea"
+        APP_NAME: "Gitea Homelab"
        cron.resync_all_sshkeys:
          ENABLED: true
          RUN_AT_START: true
@@ -50,6 +51,7 @@ spec:
          SSH_DOMAIN: gitea.${SECRET_DOMAIN}
          ROOT_URL: https://gitea.${SECRET_CLUSTER_DOMAIN}
        respository:
+          DEFAULT_BRANCH: main
          DEFAULT_PRIVATE: true
        admin:
          DISABLE_REGULAR_ORG_CREATION: true
@@ -59,34 +61,60 @@ spec:
        service:
          DISABLE_REGISTRATION: true
          REQUIRE_SIGNIN_VIEW: true
-        webhook:
-          ALLOWED_HOST_LIST: "drone.${SECRET_CLUSTER_DOMAIN}"
-
+        cron:
+          ENABLED: true
+        attachment:
+          STORAGE_TYPE: minio
+          MINIO_ENDPOINT: truenas.${SECRET_DOMAIN}:9000
+          MINIO_BUCKET: gitea
+          MINIO_USE_SSL: true
+        storage:
+          STORAGE_TYPE: minio
+          MINIO_ENDPOINT: truenas.${SECRET_DOMAIN}:9000
+          MINIO_BUCKET: gitea
+          MINIO_USE_SSL: true
+        mailer:
+          ENABLED: true
+          MAILER_TYPE: smtp
+          HOST: smtp-relay.default:2525
+          FROM: "Gitea <gitea@${SECRET_DOMAIN}>"
+        openid:
+          ENABLE_OPENID_SIGNIN: false
+          ENABLE_OPENID_SIGNUP: true
+          WHITELISTED_URIS: "auth.${SECRET_CLUSTER_DOMAIN}"
+      oauth:
+        - name: authelia
+          provider: openidConnect
+          key: gitea
+          secret: "${SECRET_GITEA_OAUTH_CLIENT_SECRET}"
+          autoDiscoverUrl: "https://auth.${SECRET_CLUSTER_DOMAIN}/.well-known/openid-configuration"
+          groupClaimName: groups
+          adminGroup: admins
+          restrictedGroup: people
+      metrics:
+        enabled: true
+        serviceMonitor:
+          enabled: true
+      podAnnotations:
+        secret.reloader.stakater.com/reload: gitea-config
    postgresql:
      enabled: false
-
    memcached:
      image:
        repository: bitnami/memcached
        tag: 1.6.17
      service:
        port: 11211
-
    persistence:
      enabled: true
      existingClaim: "gitea-config"
-
    service:
-      annotations:
-        prometheus.io/probe: "true"
-        prometheus.io/protocol: "tcp"
      ssh:
        type: LoadBalancer
        port: 22
        externalTrafficPolicy: Local
        externalIPs:
          - ${CLUSTER_LB_GITEA}
-
    ingress:
      enabled: true
      className: nginx
@@ -98,3 +126,28 @@ spec:
      tls:
        - hosts:
            - "gitea.${SECRET_CLUSTER_DOMAIN}"
+  valuesFrom:
+    - targetPath: gitea.admin.email
+      kind: Secret
+      name: gitea-config
+      valuesKey: adminEmail
+    - targetPath: gitea.admin.password
+      kind: Secret
+      name: gitea-config
+      valuesKey: adminPassword
+    - targetPath: gitea.config.attachment.MINIO_ACCESS_KEY_ID
+      kind: Secret
+      name: gitea-config
+      valuesKey: minioAccessKeyId
+    - targetPath: gitea.config.attachment.MINIO_SECRET_ACCESS_KEY
+      kind: Secret
+      name: gitea-config
+      valuesKey: minioSecretAccessKey
+    - targetPath: gitea.config.storage.MINIO_ACCESS_KEY_ID
+      kind: Secret
+      name: gitea-config
+      valuesKey: minioAccessKeyId
+    - targetPath: gitea.config.storage.MINIO_SECRET_ACCESS_KEY
+      kind: Secret
+      name: gitea-config
+      valuesKey: minioSecretAccessKey
--- a/cluster/apps/development/gitea/kustomization.yaml
+++ b/cluster/apps/development/gitea/kustomization.yaml
@@ -1,7 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - secrets.sops.yaml
+  - secret.sops.yaml
  - volume.yaml
  - helm-release.yaml
  - backup-job.yaml
--- a/cluster/apps/development/gitea/secret.sops.yaml
+++ b/cluster/apps/development/gitea/secret.sops.yaml
@@ -0,0 +1,32 @@
+kind: Secret
+apiVersion: v1
+type: Opaque
+metadata:
+    name: gitea-config
+    namespace: default
+stringData:
+    adminEmail: ENC[AES256_GCM,data:KUhhtTXAU/lcKVsuy3tF+QjgRk8m,iv:goqGhOEkpbnYa6uELXYfdQjCdKPOW2KGAjb4cfdHrn0=,tag:SFENNvmSkEfcAgat/BHksg==,type:str]
+    adminPassword: ENC[AES256_GCM,data:SMR6vlFSysGv7iG+zjk=,iv:PtceAzAWR1nc8nACAYSOe+19evR9+orQa9DRzbcXU4U=,tag:Rq+3Ua0XhOzsnFw6/OdY4A==,type:str]
+    minioAccessKeyId: ENC[AES256_GCM,data:Gh41eINrkyjgEpTO5O+5lPWNPd8=,iv:XFH3RvyJwUEtszqtKVjLtMxTamPHPx4Aqi0PqsUmDCQ=,tag:abNj9gjgSlPJFsS9DBs+gw==,type:str]
+    minioSecretAccessKey: ENC[AES256_GCM,data:ZiCMwvRnVavI62F7+OIDoYEOSvM9Jfh1eqJGbJjOR+GiC2YXw7T4+A==,iv:bbCaIOXhwrCFqiu8AQ1qyWzE+yuTotCjJgaK14qC1Qs=,tag:ZESnmDhsgqffe1rdKoVStQ==,type:str]
+    deployment_rsa_priv_key: ENC[AES256_GCM,data:3Olhz6VZ6oI18hwCUDIHNLUEMM7PnGIcDDTCtX7sb6+yOmmW8cyKfZo2Ks6c4pEXJjWQ0JpvIYd/JMP53Noyb62H2+JAlcnIYgivJYpKmZ2fFD5i9Nyg+a91w6xkwwfBHEO6BBGAM4j3wARfFqLo4xqQFgf0/2DEUMVwHgXP6JGuqik+fOTHFRP66fQ16m+p+3iig1cvMvkjN7y/KmuBgT8w3VBJ6xukb/rC3mx+h5KIhoMfi+aBXi/SI7hUvnDPmaJs2Q/QlpcudQQHEYC51df0uGEeJaM/136+BON6B8fi2xUw1y/zYPJFabZg3b5Y7KRxKrDUJyOclaXEi8ZI+1Wz64KJ3Zhb7bITNLX7iIMuE2bQZq574xJre5HH/aI6/VAwLIKOFAV/l+WadfEh+1mbmoGRhjC3Ylin01mC9/z+8dxnG5sX+DvGzG7EiwoApIHpEZ4n7DZThi9xR1RSfYCqG5K9D3q+RpsnVoi6busJbevJ9U7fb0Yq7iiZfv+iiZc8HmEWyAy6r967oUGNss8VF/ahucP4uAE6nzTVadOSLc/UyS/jeil593SSn62h2hDYPuDxP/M3odiI40m0kCMuLNdIxFDl8xXNtSNy5nUmdlP/Ez9ach5Zigw+gJaeK/CVhr2e6TFkzfcYri7ryOVVNmoFw6hr66TXGjiwHATj6Ucpm0OLS1C2GP/G5FGqpdbYMTxe6JCOQggnBXLe3v5Dtr2Qrp49yA8UxLG5Ksxxd19Q1uaudWbc4S/Lg6gfey7IkuaMQ6zGIAE8vMNnKHdx0XBqKwBpwajCsFXDCrTnAs6YyST1KXHm/YmRep5KcMMuUk3UhE6TwAYTNK9SHSwXHOxaRETrVnf1XEzg7GATomW7U3Gp4v4OAnZy2T/7NJ1EfhQiMjw4J3RKN7bswITmfhLamXwDk6tiVGv9pQdsAEtr0+A5kKXV2kNXGfZ5U1Uv0wdcAhXxYnc0TaFmQ2J95Kljl/O+SYFxv3UyvQs4O1JQdeXVIrqpRzGtMRQHaPpaT0FMlk5ntShRQhGYZEoHknKw0cniajNpfCC6pqNEGbcL6PhROx9X2AK59YveX4g2z2jEhfrzb/eRow2Ha5gubmMGnwiV07wwzEe5VQCwDQgdcAc8l2bbkpgcws8RCg342towNRwjq81fqWX+hWsufXxIip9PX+AQsAcBpbdfcAEbcxLQLhkxCqA23+k+Ih8Yt/4qqKCT7QMyiJgRmigaXW5J61lVSuRjU2gQfGOqjtqQc23K6bUzrzgGiymWJEMMwKOJuxJiKk7uTs2xowmiSgFsfFdsiD+3UzOX5Fh6Y0OV858oXpzx/vD8J9RwrLnsV36xfeXPX1yh8UoCc0ZeVyvvWvXIa942RSDXtvgt86Y4kT/uTIEKrikReCD1K+1BdE8bwaMHakrKYrRwbauQM3S2SV17/XC6t8A1f4vu8/vV5Ir1oge2tFI/pJU6AqF/k7Lit1JTWXf1qiXxAxFEJJDzuwABWLQKvw1QUBHQiR/Kq5myDN589qSU5/C2zh1zq8k7BE54NR1ZyCAnIkmbZNMEMBNMArr44DbTgm5tiGhCh+OgJD/5DUGi1+E6a4IqoMzgvh3ToHAKveSz3mRQwhXx7RJH4WFkcGBVUaQohg2YlqIQilb1NFHwG5UFnoXlVPY0VpIhyoFCfvg2X/L1UmfpU7V9OpKHOcMFQ0A7YIGXgp/nGVZZchuOcuiwkF5z/GTI14RZOiBFh5P2LR3pa56j4P4PrhWV5mGgAkdfDvh0DY0yWRTzjo0piZPBCnLf/hUn8rpT9T8xIqz0EDoH3pHRR/VKgGxFOcgRecSD+fTnYFGUEi4akcBT5Lgm11/c3VNbO3/nZq6dlTxbjT8/VGOps/tPWPHUUbf/8U1NTD46zjbRGWEjod7Pwnz1hFxU3ql0KBDBhS/J+0kSmz98CPmeS8uW0OCKPFvIoPYJhr9CsxJNVEiW2+pd/WabvlIeOXtmQKjjwvmQaW77FTkKVP8Y0+9qH8Ln4M9h4QrP69YHGBtt3oIej5MUDCoZ+ut1L7ikEHbuOEb1c1a2z0PdzooudgT+NMhcBlGCpoUiC9ZcspOJn+nU6IBkJ2Sjyfl/BrMTBmJ+rs3suoEY3NvA4gWRU9xevNKpjqNRtxiYLll1JZl43lJL5RkG4bXb5JK4nSwJfADu6aIhWL2IjpFYd93A4lg19jf3nVpcazxFXcYY7UpYDhOb7fbWYmI6xV+AX52SwTKRM9fLK7j0EWx/fo0SfdZUNl4T/dtPsqe8Te/ZzkQlHA8tbC5kQeEJxGw72lvjMHNq4Fv0hVZ7r4gEFZhiPlciYG9cOwG1A2GifGthy+1fsCnKxNBx/5Cf+1OOz8AY7ZL9ECSPOrK3zlpXC6P6HhxokvTe5qY9eIR0ztYg1vgxz+XrqzOU7drfUdDigt+uqRZwvfC5AoNF2e5bFO+y83fdeVisZI0qtsOElhBYS6EIHmh1LRNhRfD3tpRyFinNlVVbOy/33A7yEUv+ieO9hL5VOvkJEvEdmeTtcCevniESu2tQEANFUiI6NpoxNycmJaCeejiZ5LvrC+BQjylqPIqAhgHdfWDIcmKjRQuolkOQ2PbzRrGCCcV3sbDaCbH769hGrdBV06bN3gNZNvnAo6kafEw62RGRaGjxJ/O8zHRALVwDECLtE3yW9ghjgPdw2zGItza0qlG2Hr+nzER9aMLWI4dzqnMNFTtiqJDLkL2Qo33h8qtGTtIEuP8jjTbGqMbs8xFzsqPkeSROW34kLAzJold7JAoRLevFGAshk0kGv4C+sXexBwNuTn4JduUdB6niVxzKkhQM3OcKNuFQ0tZNQY8fxbg0h2YhONG3spfQ8UC2bT2lSJfWec26fP8W2VzjjVLeNxpODco0eHre3i/6BRSEn8q2i+n15zKtiDlcEw8R7phnjB3I+JCZAvwy33mI0qJ/5fKIzRKtYtzPWRDcoOazdtfByBZrXjVUpSIm0e4Dxl1AIyKj5ec5DC2Czv1p+uUYMA5lhw1alXOSrlzJnRnsnohtdXIgH+xEf19V6zYf6IQBsB+4Kz1hQYo1IVwKj6qkXReNy9tQ5OrBFMzDLrbCd50gaMyT+86R8EsSZ2nW5anIaMxvSERdmED7QZkizeyUHLyLFPduv20OYQbaUxQ0oRWxpCY9OOq/vxOwLLqoRU+ohc7wnLCjsUmjQA5V5zlBYok8TMv971WM2rqmOfa7F5uOxiQ5RJ4GLCMryBl0UuLpNmN2JTdq3RjzduiQP/osJspJP0evz9ln9b0sdf6KqSnCnTiu2NUMZHhj7oGpFjBZpG7KWROVcjUiS0OVmKWjbYHJE5DNXAK9zcHodPxrAYVxUG+lDhVJ+4GmNY5o+KO5yCOswD93HrTX+KkwaLG9vhdKM3IrC6ttynCzvl1CME5A9HL+VszsJQoXWnZYNl36pD7p1k8AMqINeAN+KahalogAoMXk,iv:CYw3LLwOeyEu3/BK/SjdjneQvXPk2mHMPiFm2T4sXHQ=,tag:Et4HAytIgiVg4n8+D5anfw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSd2h2N2RELzkvODM0WE1p
+            c1M3bEQxdDZkZ3Zlcm9uKzFWYklLWWpUYXhvCkN1bXU3YmNrY255RmkwSXFDWmt1
+            dHExaGZRODhKdm1NR2xYV29CeE5vbk0KLS0tIHpBUGVaNUhKaE5UOU1hM3c0akxX
+            ZWRhWnBrY1FBNVQyOU0yVGFXb0QrVnMK26Nc5Bw/jOzuxXcufHcxnugG1bzqO9T8
+            LNIau17zdWX5bfWGDj++ipnm8x1sPswEULal4U2Muc2Iy7GuZPhVyg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-09-13T23:26:40Z"
+    mac: ENC[AES256_GCM,data:uUgDRhsPIF9lG9iFV+GGHzmR//Dor0B6Ph0Pxlu2L5ku9yhjK2PgFpucZhUZXHoU3o/EDLmGXNtLWjGaUOFZk21SVr8YMNzLlHJ/UaGgQdwcFYgUDUo/8CKeFZfQIxs+Dkjjnok6flWojyzo5SFhznpcgyskHXk88PhJYWMQlP0=,iv:73N4xGTM+Yw15nhoV2/fB82zwwIuJgq6RdkyH6xrlZE=,tag:1KykIwbWbM/F0FrHlsJgWg==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
--- a/cluster/apps/development/gitea/secrets.sops.yaml
+++ b/cluster/apps/development/gitea/secrets.sops.yaml
@@ -1,27 +0,0 @@
-kind: Secret
-apiVersion: v1
-metadata:
-    name: gitea-secrets
-    namespace: development
-stringData:
-    deployment_rsa_priv_key: ENC[AES256_GCM,data:Lq5ZoC8cAHFNmqHa6oVcwb4rbfdbQdaxQWJ2EeTjWRAP/ySBa6RyLknqejdJT46pxEDsJub1ponZJnRXhpVzzIgpul5fYo8eD/CFYHJB3y0o29HAWXaSAH+A1u5mDD1YYUMrfoEofb2E3gLu7rTvxePaVF/eGu4W/rQueIppkRlEOFcCjaCV7ezXpa3UBeqXAIdQbQyothMVpGjk0uVZXpEPr7QeBFgopBDRFtnr2b1Hz9xIfntB6I251ISmPnzuBdhn16nLcQihZt12/8E4Mgy5gcHyeApKKYXcNK66rPqojDBKLvfDacEp/S6BriUYrMqwuCgagoHrj0TGENepVufblICOLH7wSKEfk9dOjRRqTlwIAPs5Umtv4tuB/amaQSdxcH7xOYW7OCtX/seQqn92uwo1VPcOjMTymWWt36pGkbhI2JXJr4h5XUbDZ2M7ppurWp1S4/lGgoQSucRYQUIlVxdLx13CmL/znk6XwFNa8BOYW8PqP2Ydqvsp60QkymJjK8r8ox3HEwkBkiqsfiMlzvtXbfHuImXyP1WTB+txxCv88u7pdGq6/yXHUFWJ13qPkWC+68bPxzD27aVe9PD/4dKsPysxAOu0P/htQ73ltzStz+lvXO2F+rFVAwdjrttSiQG5BmBfeGqJva1ZTu6aEQbYgavN/7gVhX+FbZ1JY2v+/Tk2xCE9TCp8/8MmgqsZH3TJE7VUwx9yJoR6/xNIjYfaZxNTNO2ndKbWBpu3vS46YJx9pLgE9B0YXaRAkJqemryJZd5KXOzutfNMqvNnrQSWpRQ6gzS8M2hbgj1xQUJIlWyB8c9YSZaGxoq+GW4m09GYiuGoYiIIgY5sN5L0nf+2I7OZ9aVvVLuyj39XLZ+/udD2BG5wDX6NKh7Ha6ci4QG1Og7IQYS6LdX4c2Y8/C+E4PY3scx0px2H2S9JW0tZ4fcnz8iiAYkWr0RewXXnpr/hidbugkNtHGD5lT9SnVJmxcYZ8R3v2G+4q0HPlM6ThJUHIP4To8n1Ya71Ne/TJW5BLkSEyxSASvtPtqIdNLml3aIr5+UgEXSNZdK8PRCe153r+XCt8kCgXBOt5q2lLXwXtSFgMQEmRf53I2zZB2f9XcqZv13I6Y1loQgPJLVdghnKNOLiR+VBQ1SC0vChhHTMvqM5w9WYsfGW0v2LZUURNUM6pmNdNrFHZ3rEakKPfI0FDDsyfo62m8iJClReprHgLsHjSP1425wvlW09OO5w+z3ibVKNTYbdI2AT3kzZnljkPQYf8HgLBKnh06hA/X6hoZoKvxW8F6Pos7TVMD81TUrttOZCT8wh8dlceP6PW9qAa/TMBzZ5NGVQqh8e3kjkcqW3ATwlumW0hK1OZx3HNTm1PFQv4D7uvfRlFJSsxzWJgIsOGF8A04YtoAQKXbEuSldqg4s68Hpu5fERwOAah59V/FvR70Cbe2sqoF96/LM08MZ0Wg+IE/gSnhaOz9MEsYzLmUMFKHQZ2zDheH143zcHnf4T16E+8BEf4GDaBHfLHt7xxQlgyKmG0gHRVYkA6J77nMgmKUvO18D5x8qhlZVQV5Fww3LIhn1TfduMjltfz3ZFnkSrDB022iaRBeV8bgC/9+1fegkko30Wf9PSCsPWEbddjika4oVdOF2Sg7f8CmueCiSu3KGB61Qy3Pcexw/1yBBG6KcWtsIfUdas5o44FS99tTv0DthhYi2NQgf7CK4MD467QRJ7j31/S+NbRF6sLAf0f6i28+2Zt3uPwlJuiI6rsDdV2r8duqYyDFYcvTdfo3wNxuZF6uZLcrgRdk25iAtPvBKOmB/1ps3qqVvp14NDcU4x7hl9pEY60m0HLnA0z7npTEycyvgbV3jlfsrX8Hpvmn93w9k8X10Ktjwk5cu3k5RPkjpnrZlUmOjgRhI4ZS9Pw2BdwM0D/zok5d+O2Xfuhp8mFGf5nSxILUJ7GyTxQNRgKQN6qkoJNXLSPGhfk6rUElDTBj5vwTX+tJXS+HNuztRHh5eKHMuVcG1ZVdHPveRyz+mnom3UdQGpbIkHME0lS2jykj5RT7BoYRutb/uMkB0F7QWDbrznCGHXqm6ZH/1v7bV19LWw3Dmk85HX6rHRERKrbitrGs8LiCB/lUaGiC12dnzgvo5YtBNf+AgTihidAuuu5C/QIw3AhGuB7AdkPHo87RYyxTzeMKTkJWX49+lVtVcbdy6N8SjFR2RrAX0874OkgtEnyePBumL+wzckCozFjMEyduAnk5hQ+oGtrHftFiSKKfeh+6EbX/YGu4lqU8L7GueBXon95UyTi41Lcv64TqeX+GWZbkk3koTiWdLlH7UfjFtxonSAGHHsWmiQwcW3RxHn0yJBuSXPnGy0PXPqkam5V2Jm8X5Xwu/9yQICCQfWrk+jOFitziF3ydCC6vFUaQk+dlvd06d0bwIMsz/L8GQun7rh2NGR1gPoLzSnJDLkEz6q9Q/zcUZ9JeGbn8ufKiJ0KWXFOa4illjifkZNIMkmtojTeKJMOdxCJzVlgrJZ8JNJAjCgOfWueOrboNcCDee7YAvY1APJDzc4dvuIGGvlquNW9IpS58CXl+OqXt79EQt6JVko7Y0B+FBP225qTKLpGY+R5ql4dHBsJXNVvBl3+IkqnADDrPAHKu0TGG+rvJU79pi35V6a2eQSOy7bcEDAKRuC0b85pkQ+EXOejwks5vIITJD3MTki+rIoOQ0+n6kt9GKYakfiQh/d507/UF2Vu4m2K7vfFSUx+t9NDyIZ/nZauXYK4HnzDwxsRAHWFAqqHCzkG2Q4QpY6fTePEo3KnDMr4UUz++8RhEh4BqXyfwqUzevVAk1iSpHN6aXSxf9RqcC65SLpEufTNt6fKdvoUxatkkUr/JVs5eTSYbI6U8oiRmacQ/bJocXLU9WBBF8zgrNSiCwahnvBoHJW+1rzvQSZuddYRrvWtpHRgqFfbE4yZtvWkermpiLaU3e7v78gLd/izKMNDauGW4B9e+C+9EuAtdwddbfQOVj5N9jIJPNCSAV/MOxFGAWuQPx2img+wJCqwxs9fyTPNbCe/H/a3ypc6Oog27ie8RMrDyNj5mzhUD/D2lhuLcy32pQKl3/+0NvytTi/FIOGGKSswdOLQ1fmIyDAHLfUwWgfKEL8pudNOnC6FVpspWOSYJL4D/Ah0QeHxjoLzPBNF00vQoRaMTS/4iSkPlg8YqpFjcVCNRKPsVm55gr6LO2aKI6qZqAI9TYkPRVIPt4M93EjdcUsaWa+TrJGITIlnxEO+T81HkbA9V6lQML6DYYUjPkVc1/u4HXtNnDQfdCN0uu7AzHZWJN7Zn64NM0DJ8ZVhZu8dB3wK4zt5021o1f/rp3dhhudLe1YRdnDYJXkkawI1J0KzIbRwy/qwQ/YYOo+xI/Uq6pTFJpFswOuQSXtxx2x6GyfzQjy+K5o6NfeepRCPMLQ7YRhs/6tR/Dugsk3XJRBrLp0mRWlmGAiF7eq12vI,iv:PKmf+mytOTMdVitS5avOAi5yChAx44mG2YNnaDFLTlw=,tag:0ejHj1EpeXqRF686ZsmVmA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5UnFTTUZTT2dxV1JFY2R0
-            aS9yUWNHeDdnVStyTTV1ZjRXU1hQYVVQRTFvCktjL0VwNjdsczdmcFI2TnhXMHU1
-            RXRhQnhhYjc4ZHNzN0wyN1ErcVkvNXcKLS0tIE1WNTBhV0xwSk9rcklLWkVESElS
-            ZVpwVVRmV2VHU0NJcFptYXJPZnhXT28KIQgCy66P7kb1hc9TxEolPBaP68Pp116Y
-            5cxfpbXZYnsDItjB1FtwrIxFRjDBHrpHoEb2e6AC47pHvai+OflqCg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-07-03T14:41:34Z"
-    mac: ENC[AES256_GCM,data:dQ7zJWFeZboFrR1pbKHoXcnqv6yjZVrHahb79bfdfJiXt7qbnr1w+WSTbcv78zsN9y0pZ6hPyzc8+QzwFH5xbBSdi8TkHifcuvQqTMtmrMnHZM6GMXyiN8BUvPEq8iT5OO0UFwbXitQSavn9Ib52j+HSvyDzLy9MkGbmLHrKA88=,iv:YywQ58kygqVBKQ4BxIVkGMgi8SoL842qsuJ4q7hZikY=,tag:17wpoXBlhOdHnls7uU5IQA==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.3
--- a/cluster/apps/development/gitea/volume.yaml
+++ b/cluster/apps/development/gitea/volume.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: gitea-config
-  namespace: development
+  namespace: default
  labels:
    kasten-io/backup: "true"
 spec:
--- a/cluster/apps/development/jobs/kustomization.yaml
+++ b/cluster/apps/development/jobs/kustomization.yaml
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - serviceaccount.yaml
--- a/cluster/apps/development/jobs/serviceaccount.yaml
+++ b/cluster/apps/development/jobs/serviceaccount.yaml
@@ -1,18 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: jobs
-  namespace: development
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: jobs-edit
-  namespace: development
-subjects:
-  - kind: ServiceAccount
-    name: jobs
-roleRef:
-  kind: ClusterRole
-  name: edit
-  apiGroup: rbac.authorization.k8s.io
--- a/cluster/apps/development/kustomization.yaml
+++ b/cluster/apps/development/kustomization.yaml
@@ -1,6 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - namespace.yaml
  - gitea
-  - jobs
--- a/cluster/apps/development/namespace.yaml
+++ b/cluster/apps/development/namespace.yaml
@@ -1,5 +0,0 @@
---
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: development
--- a/cluster/apps/development/readme.md
+++ b/cluster/apps/development/readme.md
@@ -0,0 +1,67 @@
+# Development
+
+## Gitea
+
+### S3 Configuration
+
+1. Create `~/.mc/config.json`
+
+    ```json
+    {
+        "version": "10",
+        "aliases": {
+            "minio": {
+                "url": "https://s3.<domain>",
+                "accessKey": "<access-key>",
+                "secretKey": "<secret-key>",
+                "api": "S3v4",
+                "path": "auto"
+            }
+        }
+    }
+    ```
+
+2. Create the outline user and password
+
+    ```sh
+    mc admin user add minio gitea <super-secret-password>
+    ```
+
+3. Create the outline bucket
+
+    ```sh
+    mc mb minio/gitea
+    ```
+
+4. Create `gitea-user-policy.json`
+
+    ```json
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Action": [
+                    "s3:ListBucket",
+                    "s3:PutObject",
+                    "s3:GetObject",
+                    "s3:DeleteObject"
+                ],
+                "Effect": "Allow",
+                "Resource": ["arn:aws:s3:::gitea/*", "arn:aws:s3:::gitea"],
+                "Sid": ""
+            }
+        ]
+    }
+    ```
+
+5. Apply the bucket policies
+
+    ```sh
+    mc admin policy add minio gitea-private gitea-user-policy.json
+    ```
+
+6. Associate private policy with the user
+
+    ```sh
+    mc admin policy set minio gitea-private user=gitea
+    ```
--- a/cluster/configuration/cluster-secrets.sops.yaml
+++ b/cluster/configuration/cluster-secrets.sops.yaml
@@ -24,6 +24,8 @@ stringData:
    SECRET_GITEA_ADMIN_PASSWORD: ENC[AES256_GCM,data:w1BcZzMeLqEMVFdX94c=,iv:bc4IaH9YXvRQTW38Rb1tySKx9/1npWtqI2DtS0y/p3w=,tag:X3hyHEhbGNJcYaH2yWMQNQ==,type:str]
    SECRET_GITEA_API_TOKEN: ENC[AES256_GCM,data:Xsk9tJLyy6LaoGdIhIQ0rrbu4qREg5fKWJ0KDp7f4qPme7Q1Iha7YA==,iv:uHcaLAaQ/l737UMTzjX3okEAba7gxrowMDu/GO98FnM=,tag:4rKcU+z1sqnDcZoZ+9Zqxg==,type:str]
    SECRET_GITEA_DB_PASSWORD: ENC[AES256_GCM,data:1Nol+xY5U6bwK5OpCII=,iv:309gSLUAMPpou+D1+MqjaPXxz7fWPnJVV0y3irmQe68=,tag:NIAbD7cLSFJ3Na64H9PV7A==,type:str]
+    SECRET_GITEA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:VWetZHP8haXPy1r20RMJvECxEWw=,iv:B3+rjPXWSbyCdi4KAy/FeMbtNUv40UIWN462OWfv9Ww=,tag:5wK7nUGu7HmdC90d2jllwQ==,type:str]
+    SECRET_GRAFANA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:3igfeqGHygjnmJXnoiKV7W8Tm2M=,iv:Hrjh38GuRvzS4Hi69QftBhaAJ02is5B0E5h23XICpUc=,tag:O4JFVSaoTQDhf3QZPLbn1Q==,type:str]
    SECRET_HASS_DB_URL: ENC[AES256_GCM,data:Rrq3O82kQksrHzBlH/+iVFoyOGUNkvwO0PQa6wKWCjR9u4niYEFgy0q7pkU8VhF250GASrM2B+pGfio0+IfgAS1OHJdWIeqwA9N1Lw==,iv:YvdgnaSVhwFqB80wgbk5dhbri6BWV23wOFw7A7yvr+w=,tag:3+8heFgAELFJy/6HKWOFyA==,type:str]
    SECRET_HASS_LATITUDE: ENC[AES256_GCM,data:t3MRZlv84+0w0oNAYPl9XsQ=,iv:4Res2auWXUXGNBgbg6nhv347oFOKD5v2c4901u6Cxis=,tag:DrYJmj14uL902BGqSuyGtA==,type:str]
    SECRET_HASS_LONGITUDE: ENC[AES256_GCM,data:4oVXOt3rIcGoG4hw2rmdlFg=,iv:o9xgLwOqmFf6lKmemdnsHoII3IkJ5/8kTVqYEyz9cTI=,tag:cWgo7COp7macBiQJm/Me9A==,type:str]
@@ -40,12 +42,12 @@ stringData:
    SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_TOKEN: ENC[AES256_GCM,data:Bwvuy/jHIRduy/r1A8dOs0OE8ewdjCgs8g/br1oW,iv:PdnPH9I509MT6UJkUG1zLAGn9aV4AVrROgAVCD4a3Y0=,tag:59kBGx9qx3jeauokyoolQQ==,type:str]
    SECRET_KUBE_PROMETHEUS_STACK_GRAFANA_ADMIN_PASSWORD: ENC[AES256_GCM,data:L7LS6+tuwPCyb5HN4zg=,iv:JM2KTtDN/VrKicjp5qwqusWiJKHRZnfTtsZE2hkLq6Q=,tag:XGF3L5P6JxVBrlGuKosdZA==,type:str]
    SECRET_LYCHEE_DB_PASSWORD: ENC[AES256_GCM,data:tn8r2epnKSC0koed54s=,iv:2ojoEzTJYQHniFD002bx2i3uBlTdwV17dYBCBoMSglo=,tag:jcuI1iqJXaKPCwmSuOYjJw==,type:str]
-    SECRET_MARIADB_ROOT_PASSWORD: ENC[AES256_GCM,data:RPW9YDRn+OE0b0xmmuPZMw==,iv:vG/rLxCDs7MWGFY63ERINRRPnEXRombhobnEKq9oJjE=,tag:LNae+haPYSoFMvw6lxOYvw==,type:str]
    SECRET_MINIO_ACCESS_KEY: ENC[AES256_GCM,data:cv4//sg=,iv:dx1hciCvVBFcKXbAqoArkTjc/YLyKUp1sXPGuPoX7lw=,tag:+AYVkGKVWXR06h+TwTO9ZQ==,type:str]
    SECRET_MINIO_SECRET_KEY: ENC[AES256_GCM,data:qcV/b9q12949ZYExzDP3Yy2nAOY=,iv:7qg5IGEWBF1idgZxObcbWyxeNDAXbuwuf4BqwqC67Qo=,tag:wx44bn38jTel2TocUkCghA==,type:str]
    SECRET_MINIO_ENDPOINT: ENC[AES256_GCM,data:2/+oaWr84857KBx8yXrR7JK+EFIGw7ed,iv:iyfCkYl7yIgwDn0fR95rjcLj5Tsrho17ubGW1KDfym8=,tag:o2VTxHOjKrbX94wbRKHRRA==,type:str]
    SECRET_MQTT_USERNAME: ENC[AES256_GCM,data:KkxVYfSPPz/bBFphww==,iv:zh83aX1OySv2+n1mhTmcgK9SzCAQcVtvlmXbAhiNQcE=,tag:mCHE13e12m4DHOWelYY4Zg==,type:str]
    SECRET_MQTT_PASSWORD: ENC[AES256_GCM,data:8B3BfPFPQm/eZnhMYe4DOGdmiQ==,iv:a1PzZHBVDSVTE0oDy1Abb99F4RyPNIIm8cMV53AySQk=,tag:VzaPwV9bu9R7brGRy7N7wg==,type:str]
+    SECRET_OUTLINE_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:BB/eZQ/oLQ09AxGwKRddbiyiRMA=,iv:dhiyOUP3GyvHXUdPYqQKPQCMmqornj6WVWtfreq9T6A=,tag:WijFyu8XGk3dklYJR4/81A==,type:str]
    SECRET_PGADMIN_EMAIL: ENC[AES256_GCM,data:Cqvgf0l1A3V8C43YJ20RkCToOGQrxA==,iv:6TsLUzW0yMnx+pGK9MLD/1pm7TGcoVz/Ibn4wYGWZ3k=,tag:YBHhIJl28Cnnncz+fPbPNw==,type:str]
    SECRET_PGADMIN_PASSWORD: ENC[AES256_GCM,data:1TDN5XLr4ZGQC4qjF9A=,iv:ydluXBbIfFYNEfhgNKxtVOOdqsY2SX+40CjyN4nOsvQ=,tag:hPmQpDYQR3X67AEIOa6sog==,type:str]
    SECRET_POSTGRESQL_POSTGRES_PASSWORD: ENC[AES256_GCM,data:AVc452aMFD0v7yemNC/KdA==,iv:fkCQPJJXP/PSyOjvvi3USHfpodT0DY6LDubbr7sITo4=,tag:8Fp5aTnnhg0ojGUN1DP6Xg==,type:str]
@@ -62,11 +64,6 @@ stringData:
    SECRET_VIKUNJA_JWT_SECRET: ENC[AES256_GCM,data:8axiOB5PPhjEwBoYB3NtT0ewlNWNK92EAIEAi+NR1J4=,iv:uNBL/FfhamQwBzfKbZTPBeGUgbOfKKQM4SdDCGMv+HU=,tag:YpK+cW/ISWj9jGCeWBeJSg==,type:str]
    SECRET_VIKUNJA_PASSWORD: ENC[AES256_GCM,data:m3pGmQGYvqPO0ubxhaDGNg==,iv:hIzZP5JMnG9W3QWr50YeZ9FDRNRh1qOWFliRIDHV6+I=,tag:6/ymdGs4Q2cla+bN8r9KGw==,type:str]
    SECRET_WALLABAG_DB_PASSWORD: ENC[AES256_GCM,data:6kI1fYuCEZzgNSqJ0vE=,iv:QMzl/GI5Wmudv7kp4y5PtyiCygAQDJHfVzLquMkjLsY=,tag:6Dr9lwtxKL1hlskTtcyKBg==,type:str]
-    SECRET_WIFI_SSID: ENC[AES256_GCM,data:ChUJY7mgQSZ1IQ==,iv:uJ8FasEK+ZvxLMulSp7l9wXOjb3Ojnnt31sfekPRm9s=,tag:QBwdk4qtLCwG7G0AqdOoQA==,type:str]
-    SECRET_WIFI_PASSWORD: ENC[AES256_GCM,data:pE7jOD2WNVw6+KmyRzlXgwErVbVCSpx4p9AL3kyv,iv:51HVZpqSMVt10b96Ugx9ZDOG0Eh47QR9gypCr2s/FCc=,tag:hxhk8vuVBSZeihZoF2nwsA==,type:str]
-    SECRET_OUTLINE_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:BB/eZQ/oLQ09AxGwKRddbiyiRMA=,iv:dhiyOUP3GyvHXUdPYqQKPQCMmqornj6WVWtfreq9T6A=,tag:WijFyu8XGk3dklYJR4/81A==,type:str]
-    SECRET_GRAFANA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:3igfeqGHygjnmJXnoiKV7W8Tm2M=,iv:Hrjh38GuRvzS4Hi69QftBhaAJ02is5B0E5h23XICpUc=,tag:O4JFVSaoTQDhf3QZPLbn1Q==,type:str]
-    SECRET_GITEA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:VWetZHP8haXPy1r20RMJvECxEWw=,iv:B3+rjPXWSbyCdi4KAy/FeMbtNUv40UIWN462OWfv9Ww=,tag:5wK7nUGu7HmdC90d2jllwQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -82,8 +79,8 @@ sops:
            WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm
            pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-09-13T21:06:40Z"
-    mac: ENC[AES256_GCM,data:fi8v5TVbw/Ki4z2l53CJJ1h+XNtX6YczzHD71UKJEWgHIyp6R9mY5UHTCdGJYNurcOA6IzP24XRjx2Z3s43jArIy0ojyVYYudyVLzrUYTf712CvgBF1YVeWu9sluM+7xutEvpG7byJ7gEml+B6FlN2duf902KFiiZIMhh4fvVmI=,iv:KnVclXvl3qgLlrQXG6FtXjmW5TFyvWoJMoJk3O9kwVs=,tag:moe3SNsZF+a5cPpW0XfMvg==,type:str]
+    lastmodified: "2022-09-13T22:56:56Z"
+    mac: ENC[AES256_GCM,data:lLQYL2TJ4KxZhviBd3Co2WGQPy09kyZF5a0oMR2QGud8JPqbSUzxNspu4n1cxJRuF7PAfsb3FWoeal/DmjTP06grqj1RNwSpNQfCBKb6bi1/9MONkA1PKUf1fzoZK+s8h8nTK0nknm6nMk/sSJg+Sgz/Zuy8rt/CuJgYEVVGb8w=,iv:VP5rnNNBZjGkTXOQfXcV8zLKcf9sjVwTJ+44K8Rmdgw=,tag:zukSR3nXrWiDlo67EKgsPg==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3