🔥 archive gitea

2025-09-17 18:24:14 +02:00 · 2023-08-26 12:15:16 +02:00
parent 2be9a8218b
commit e2fc397136
11 changed files with 2 additions and 3 deletions
--- a/kubernetes/archive/gitea/app/externalbackup.yaml
+++ b/kubernetes/archive/gitea/app/externalbackup.yaml
@@ -0,0 +1,87 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: &app gitea-external-backup
+  namespace: default
+spec:
+  schedule: "@daily"
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          name: *app
+        spec:
+          containers:
+            - name: *app
+              image: ghcr.io/auricom/kubectl:1.27.4@sha256:52ff5e12ddd066b6b0fdfefc494c6f92d3eb4ccfbada834c9bc7c5b12f46bff7
+              imagePullPolicy: IfNotPresent
+              command:
+                - "/bin/bash"
+                - "-c"
+                - |
+                  #!/bin/bash
+
+                  set -o nounset
+                  set -o errexit
+
+                  mkdir -p ~/.ssh
+                  cp /opt/id_rsa ~/.ssh/id_rsa
+                  chmod 600 ~/.ssh/id_rsa
+
+                  ssh -o StrictHostKeyChecking=no homelab@${LOCAL_LAN_TRUENAS} << 'EOF'
+
+                    set -o nounset
+                    set -o errexit
+
+                    WORK_DIR="/mnt/storage/backups/apps/gitea"
+
+                    ORGANISATIONS=$(curl --silent --location --request GET "https://gitea.${SECRET_CLUSTER_DOMAIN}/api/v1/orgs" --header "Authorization: Bearer ${SECRET_GITEA_API_TOKEN}" | jq --raw-output .[].username)
+                    ORGANISATIONS+=" auricom"
+
+                    for org in $ORGANISATIONS
+                    do
+                        mkdir -p $WORK_DIR/$org
+                        if [ $org == "auricom" ]; then
+                            keyword="users"
+                        else
+                            keyword="orgs"
+                        fi
+                        REPOSITORIES=$(curl --silent --location --request GET "https://gitea.${SECRET_CLUSTER_DOMAIN}/api/v1/$keyword/$org/repos?limit=1000" --header "Authorization: Bearer ${SECRET_GITEA_API_TOKEN}" | jq --raw-output .[].name)
+                        for repo in $REPOSITORIES
+                        do
+                            if [ -d "$WORK_DIR/$org/$repo" ]; then
+                                echo "INFO: pull $org/$repo..."
+                                cd $WORK_DIR/$org/$repo
+                                git remote show origin -n | grep -c main &> /dev/null && MAIN_BRANCH="main" || MAIN_BRANCH="master"
+                                git fetch --all
+                                test $? -ne 0 && exit 1
+                                git reset --hard origin/$MAIN_BRANCH
+                                test $? -ne 0 && exit 1
+                                git pull origin $MAIN_BRANCH
+                                test $? -ne 0 && exit 1
+                                echo "INFO: clean $org/$repo..."
+                                git fetch --prune
+                                for branch in $(git branch -vv | grep ': gone]' | awk '{print $1}')
+                                do
+                                  git branch -D $branch
+                                done
+                            else
+                                echo "INFO: clone $org/$repo..."
+                                cd $WORK_DIR/$org
+                                git clone git@gitea.${SECRET_DOMAIN}:$org/$repo.git
+                                test $? -ne 0 && exit 1
+                            fi
+                        done
+                    done
+                    echo "INFO: Backup done"
+                  EOF
+              volumeMounts:
+                - name: secret
+                  mountPath: /opt/id_rsa
+                  subPath: GITEA_DEPLOYMENT_PRIVATE_KEY
+          volumes:
+            - name: secret
+              secret:
+                secretName: gitea-secret
+          restartPolicy: Never
--- a/kubernetes/archive/gitea/app/externalsecret.yaml
+++ b/kubernetes/archive/gitea/app/externalsecret.yaml
@@ -0,0 +1,36 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: gitea
+  namespace: default
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: gitea-secret
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      data:
+        # App
+        GITEA_ADMIN_EMAIL: "{{ .GITEA_ADMIN_EMAIL }}"
+        GITEA_ADMIN_PASSWORD: "{{ .GITEA_ADMIN_PASSWORD }}"
+        GITEA_AWS_S3_ACCESS_KEY: "{{ .GITEA_AWS_S3_ACCESS_KEY }}"
+        GITEA_AWS_S3_SECRET_KEY: "{{ .GITEA_AWS_S3_SECRET_KEY }}"
+        GITEA_DEPLOYMENT_PRIVATE_KEY: "{{ .GITEA_DEPLOYMENT_PRIVATE_KEY }}"
+        POSTGRES_USERNAME: &dbUser "{{ .POSTGRES_USERNAME }}"
+        POSTGRES_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}"
+        # Postgres Init
+        INIT_POSTGRES_DBNAME: gitea
+        INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
+        INIT_POSTGRES_USER: *dbUser
+        INIT_POSTGRES_PASS: *dbPass
+        INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
+  dataFrom:
+    - extract:
+        key: cloudnative-pg
+    - extract:
+        key: gitea
--- a/kubernetes/archive/gitea/app/helmrelease.yaml
+++ b/kubernetes/archive/gitea/app/helmrelease.yaml
@@ -0,0 +1,195 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: gitea
+  namespace: default
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: gitea
+      version: 9.2.0
+      sourceRef:
+        kind: HelmRepository
+        name: gitea
+        namespace: flux-system
+  maxHistory: 2
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  uninstall:
+    keepHistory: false
+  values:
+    image:
+      repository: gitea/gitea
+      tag: 1.20.3
+      rootless: true
+    containerSecurityContext:
+      capabilities:
+        add: ["SYS_CHROOT"]
+    gitea:
+      admin:
+        username: auricom
+      config:
+        APP_NAME: "Gitea Homelab"
+        cron.resync_all_sshkeys:
+          ENABLED: true
+          RUN_AT_START: true
+        database:
+          DB_TYPE: postgres
+          HOST: postgres-rw.default.svc.cluster.local:5432
+          NAME: gitea
+          SCHEMA: public
+          SSL_MODE: disable
+        server:
+          SSH_PORT: 22
+          SSH_LISTEN_PORT: 30322
+          SSH_DOMAIN: gitea.${SECRET_DOMAIN}
+          ROOT_URL: https://gitea.${SECRET_CLUSTER_DOMAIN}
+        respository:
+          DEFAULT_BRANCH: main
+          DEFAULT_PRIVATE: true
+        admin:
+          DISABLE_REGULAR_ORG_CREATION: true
+        security:
+          PASSWORD_COMPLEXITY: "lower,upper"
+          MIN_PASSWORD_LENGTH: 12
+        service:
+          DISABLE_REGISTRATION: true
+          REQUIRE_SIGNIN_VIEW: true
+        cron:
+          ENABLED: true
+        attachment:
+          STORAGE_TYPE: minio
+          MINIO_ENDPOINT: truenas.${SECRET_DOMAIN}:51515
+          MINIO_BUCKET: gitea
+          MINIO_USE_SSL: true
+        storage:
+          STORAGE_TYPE: minio
+          MINIO_ENDPOINT: truenas.${SECRET_DOMAIN}:51515
+          MINIO_BUCKET: gitea
+          MINIO_USE_SSL: true
+        mailer:
+          ENABLED: true
+          MAILER_TYPE: smtp
+          SMTP_ADDR: smtp-relay.default
+          SMTP_PORT: 2525
+          FROM: "Gitea <gitea@${SECRET_DOMAIN}>"
+        webhook:
+          ALLOWED_HOST_LIST: drone.default.svc
+        cache:
+          ADAPTER: redis
+          HOST: redis://redis-master.default.svc.cluster.local:6379
+        session:
+          PROVIDER: redis
+          PROVIDER_CONFIG: redis://redis-master.default.svc.cluster.local:6379
+      #   openid:
+      #     ENABLE_OPENID_SIGNIN: false
+      #     ENABLE_OPENID_SIGNUP: true
+      #     WHITELISTED_URIS: "auth.${SECRET_CLUSTER_DOMAIN}"
+      # oauth:
+      #   - name: authelia
+      #     provider: openidConnect
+      #     key: gitea
+      #     secret: "${SECRET_GITEA_OAUTH_CLIENT_SECRET}"
+      #     autoDiscoverUrl: "https://auth.${SECRET_CLUSTER_DOMAIN}/.well-known/openid-configuration"
+      #     groupClaimName: groups
+      #     adminGroup: admins
+      #     restrictedGroup: people
+      metrics:
+        enabled: true
+        serviceMonitor:
+          enabled: true
+    postgresql:
+      enabled: false
+    postgresql-ha:
+      enabled: false
+    memcached:
+      enabled: false
+    redis-cluster:
+      enabled: false
+    persistence:
+      enabled: true
+      existingClaim: "gitea-config"
+    service:
+      ssh:
+        type: LoadBalancer
+        port: 22
+        loadBalancerIP: ${CLUSTER_LB_GITEA}
+    ingress:
+      enabled: true
+      className: nginx
+      annotations:
+        hajimari.io/icon: mdi:code-json
+      hosts:
+        - host: "gitea.${SECRET_CLUSTER_DOMAIN}"
+          paths:
+            - path: /
+              pathType: Prefix
+      tls:
+        - hosts:
+            - "gitea.${SECRET_CLUSTER_DOMAIN}"
+    resources:
+      requests:
+        cpu: 15m
+        memory: 226M
+      limits:
+        cpu: 500m
+        memory: 1Gi
+  valuesFrom:
+    - targetPath: gitea.admin.email
+      kind: Secret
+      name: gitea-secret
+      valuesKey: GITEA_ADMIN_EMAIL
+    - targetPath: gitea.admin.password
+      kind: Secret
+      name: gitea-secret
+      valuesKey: GITEA_ADMIN_PASSWORD
+    - targetPath: gitea.config.attachment.MINIO_ACCESS_KEY_ID
+      kind: Secret
+      name: gitea-secret
+      valuesKey: GITEA_AWS_S3_ACCESS_KEY
+    - targetPath: gitea.config.attachment.MINIO_SECRET_ACCESS_KEY
+      kind: Secret
+      name: gitea-secret
+      valuesKey: GITEA_AWS_S3_SECRET_KEY
+    - targetPath: gitea.config.database.PASSWD
+      kind: Secret
+      name: gitea-secret
+      valuesKey: POSTGRES_PASSWORD
+    - targetPath: gitea.config.database.USER
+      kind: Secret
+      name: gitea-secret
+      valuesKey: POSTGRES_USERNAME
+    - targetPath: gitea.config.storage.MINIO_ACCESS_KEY_ID
+      kind: Secret
+      name: gitea-secret
+      valuesKey: GITEA_AWS_S3_ACCESS_KEY
+    - targetPath: gitea.config.storage.MINIO_SECRET_ACCESS_KEY
+      kind: Secret
+      name: gitea-secret
+      valuesKey: GITEA_AWS_S3_SECRET_KEY
+  postRenderers:
+    - kustomize:
+        patchesStrategicMerge:
+          - kind: Deployment
+            apiVersion: apps/v1
+            metadata:
+              name: gitea
+            spec:
+              template:
+                spec:
+                  initContainers:
+                    - name: 01-init-db
+                      image: ghcr.io/auricom/postgres-init:15.4
+                      imagePullPolicy: IfNotPresent
+                      envFrom:
+                        - secretRef:
+                            name: gitea-secret
--- a/kubernetes/archive/gitea/app/kustomization.yaml
+++ b/kubernetes/archive/gitea/app/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./externalbackup.yaml
+  - ./externalsecret.yaml
+  - ./helmrelease.yaml
+  - ./volsync.yaml
+  - ./volume.yaml
--- a/kubernetes/archive/gitea/app/volsync.yaml
+++ b/kubernetes/archive/gitea/app/volsync.yaml
@@ -0,0 +1,49 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: gitea-restic
+  namespace: default
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: gitea-restic-secret
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/gitea'
+        RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
+        AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
+        AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
+  dataFrom:
+    - extract:
+        key: volsync-restic-template
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: gitea
+  namespace: default
+spec:
+  sourcePVC: gitea-config
+  trigger:
+    schedule: "0 7 * * *"
+  restic:
+    copyMethod: Snapshot
+    pruneIntervalDays: 7
+    repository: gitea-restic-secret
+    cacheCapacity: 10Gi
+    volumeSnapshotClassName: csi-ceph-blockpool
+    storageClassName: rook-ceph-block
+    moverSecurityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
+      fsGroup: 1000
+    retain:
+      daily: 7
+      within: 3d
--- a/kubernetes/archive/gitea/app/volume.yaml
+++ b/kubernetes/archive/gitea/app/volume.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gitea-config
+  namespace: default
+  labels:
+    app.kubernetes.io/name: &name gitea
+    app.kubernetes.io/instance: *name
+    snapshot.home.arpa/enabled: "true"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: rook-ceph-block
+  resources:
+    requests:
+      storage: 10Gi