auricom-home-cluster/cluster/apps/development/gitea/helm-release.yaml

---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: gitea
  namespace: development
spec:
  interval: 5m
  chart:
    spec:
      # renovate: registryUrl=https://dl.gitea.io/charts
      chart: gitea
      version: 5.0.9
      sourceRef:
        kind: HelmRepository
        name: gitea-charts
        namespace: flux-system
      interval: 5m
  values:
    image:
      repository: gitea/gitea
      tag: 1.16.8
      rootless: true

    containerSecurityContext:
      capabilities:
        add: ["SYS_CHROOT"]

    gitea:
      admin:
        email: ${SECRET_GITEA_ADMIN_EMAIL}
        username: auricom
        password: ${SECRET_GITEA_ADMIN_PASSWORD}
      config:
        APP_NAME: "Homelab Gitea"
        cron.resync_all_sshkeys:
          ENABLED: true
          RUN_AT_START: true
        database:
          DB_TYPE: postgres
          HOST: postgresql-kube.data.svc.cluster.local.:5432
          NAME: gitea
          USER: gitea
          PASSWD: ${SECRET_GITEA_DB_PASSWORD}
          SCHEMA: public
        server:
          SSH_PORT: 22
          SSH_LISTEN_PORT: 30322
          SSH_DOMAIN: gitea.${SECRET_CLUSTER_DOMAIN_ROOT}
          ROOT_URL: https://gitea.${SECRET_CLUSTER_DOMAIN}
        respository:
          DEFAULT_PRIVATE: true
        admin:
          DISABLE_REGULAR_ORG_CREATION: true
        security:
          PASSWORD_COMPLEXITY: "lower,upper"
          MIN_PASSWORD_LENGTH: 12
        service:
          DISABLE_REGISTRATION: true
          REQUIRE_SIGNIN_VIEW: true
        webhook:
          ALLOWED_HOST_LIST: "drone.k3s.xpander.ovh"

    postgresql:
      enabled: false

    memcached:
      image:
        repository: bitnami/memcached
        tag: 1.6.15
      service:
        port: 11211

    persistence:
      enabled: true
      size: 10Gi
      existingClaim: "gitea-config"

    service:
      annotations:
        prometheus.io/probe: "true"
        prometheus.io/protocol: "tcp"
      ssh:
        type: LoadBalancer
        port: 22
        externalTrafficPolicy: Local
        externalIPs:
          - ${CLUSTER_LB_GITEA}

    ingress:
      enabled: true
      className: nginx
      hosts:
        - host: "gitea.${SECRET_CLUSTER_DOMAIN}"
          paths:
            - path: /
              pathType: Prefix
      tls:
        - hosts:
            - "gitea.${SECRET_CLUSTER_DOMAIN}"
          secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"