gitea: Add Gitea

gitea/gitea-admin-secret.enc.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: gitea-admin-secret
+    namespace: gitea
+stringData:
+    username: ENC[AES256_GCM,data:3i59iz9U,iv:m4dkqidSA6zIQcCcsutPHaAnEyU81zEyjkKanwX2hbA=,tag:Smx08HGp8xQvY3cPZtw3eg==,type:str]
+    password: ENC[AES256_GCM,data:ByuQHlvQ+EDqX+MKb5HlEum7Hlw=,iv:IwD25SMziMFHo5DxoBrt6O1f+9UtP7MqRqoTskoESJE=,tag:AeHmmeWi5SUGbAeaf5LmUA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age14dgmts59tc2gv2xu9305auvu854n3pfl8vkheqzzqyrygyeequ0sjhl92v
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXNFQyNXViaEZkNk1SeWY5
+            Yk5mTyttWmpVUjQ5WlV6Y0dXTTU3KzJ0d0ZFCjZMM1FGTTJlWmhCa3puNHNVZHRu
+            S2RtYzR5eUtPa2RNZkI0TmZlR1E5eHcKLS0tIHlpZmMwZDMvL0hsbWhXdnpoS0t3
+            eDRhMGZlZ0hZSkhwdHVYci9DV3FxQVkKAnD9tzGFWwvl6W3JhLF5vRjZ8RCN4EcH
+            GHUGCqJnnJzHO/MWaUQm+J/D9NQLusU74UjK/VWQ0qusia57w5raDQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-11-28T21:32:07Z"
+    mac: ENC[AES256_GCM,data:wEIvCSQWvOuEX09mVWgoULlbWD3DXS0+QkH5+SMNA3zm+srgni55H8LHpR2X1c5YWYMbqbwyy8oOL48+oqvTbfhsEeu8QMCd04ZwPxnVcGxrkG9XV7gx3HBNRCLZmDdtINs2i/wRJEyIypKXuTCSV26okHUQXdLvBuAH2zFuNVQ=,iv:m5OFflAhDz/mmFjw5AxM1/VQr5qIuFDn0M24tQh6RQA=,tag:PScMxHtfANIHiB0//mYpuA==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.8.1

gitea/ingress.yaml

@@ -0,0 +1,14 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitea-web-ingress
+  namespace: gitea
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`git.namesny.com`)
+    kind: Rule
+    services:
+    - name: gitea-http
+      port: 3000

gitea/kustomization.yaml

@@ -0,0 +1,28 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: gitea
+
+resources:
+- namespace.yaml
+- ingress.yaml
+- runner-pvc.yaml
+- runner-deployment.yaml
+
+generators:
+- secret-generator.yaml
+
+helmCharts:
+- name: gitea
+  releaseName: gitea
+  version: 9.6.0
+  repo: https://dl.gitea.io/charts/
+  namespace: gitea
+  valuesMerge: merge
+  valuesFile: values.yaml
+- name: renovate
+  releaseName: renovate
+  version: 37.68.3
+  repo: https://docs.renovatebot.com/helm-charts
+  namespace: gitea
+  valuesFile: renovate-bot-values.yaml
+

gitea/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gitea

gitea/renovate-bot-secret.enc.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: renovate-bot-secret
+    namespace: gitea
+stringData:
+    RENOVATE_AUTODISCOVER: ENC[AES256_GCM,data:20/nNkA=,iv:o6OgPwx03/U7kHbO4WBh1HVLAdr8HBsWWGRlrIx3ZvE=,tag:7BpQuJpwI20Jqlf0zrVqBA==,type:str]
+    RENOVATE_ENDPOINT: ENC[AES256_GCM,data:PfAFF87I1COu9aGUf8uxPbzaUeyYvFpHmlK5DuP6,iv:JUgHIzaTSjCGpGucftT9AzFB7Gclwau8y9o2cbEJ2XU=,tag:52QvbgdaJRVTB5ARW0gn2Q==,type:str]
+    RENOVATE_GIT_AUTHOR: ENC[AES256_GCM,data:5tCkXdiheQkI293yf7Fh0Tb1kvWtDXHTIikP21IJQgFUyw==,iv:L1x3FDp6m/oJRq4Gcp3lusUF8Fufx+wWUVUQeYerDGk=,tag:h2XSao9P/wDHTpPRhEzVuQ==,type:str]
+    RENOVATE_PLATFORM: ENC[AES256_GCM,data:5bRuvgQ=,iv:m2RtjwWANMCNjXaEmzZc8QZKff5oxy+cVazmM0Qs6bE=,tag:Zp+2HLlEJgSZB0U2xRS2uw==,type:str]
+    RENOVATE_TOKEN: ENC[AES256_GCM,data:lPV9X8pZsSHzb7xFLuQ0Ixg5EaBgsuEmCFvXSkmxImUnImAKWINjBw==,iv:/hkxQNNqLcH/pbYs/Mn4P9FW1/DOIOKAUEjZNutoZok=,tag:Pd/NCxYZRJVaUiWT9FaMcA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age14dgmts59tc2gv2xu9305auvu854n3pfl8vkheqzzqyrygyeequ0sjhl92v
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0NWRIZnROK3dkY0xMa1ha
+            cXBINWpXU000YXQ5QW0zMjllRnlzOEJoRlVZClhCUWhqK0M4bTVqNjBFR05LU1NP
+            ejJaaHJSc003Q0V6UlpzWFdCTnd5RVEKLS0tIDllcVhFUE51Z1VsOGVJZ216TVdE
+            eVhjc2VlOVROOC9oakF3K29nODdEM0EKZkIo+FdHZAyQ9ogoK9994B0q5lkWWXOw
+            EgXamhJ800zjy9zFeO6bxPMsgPze1iNshhlV7HjT8uh+qs5laCqatg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-11-28T21:31:06Z"
+    mac: ENC[AES256_GCM,data:O/Vw1S40Dz0g6Fo9K87iCIFh3TSNW4/f+mWNnbjPpjehj1+JbOovpchjizI1c+OZ++/rqlow8Ib/yesMDdPd16ErkyHgINMBtLuqfUYJ1WSwg52Rp5zfZP7eSXHTeqcGuuASIfzEcclZ/5QIPeiSOJG5iSAl/MDeNte6/YwEqQo=,iv:lieOLB5tOP4XagOr+cRWQZQC00EHz9UUcx7e2uwUjpU=,tag:JJ4YgTKMCZtujAJfi+TcxA==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.8.1

gitea/renovate-bot-values.yaml

@@ -0,0 +1,12 @@
+renovate:
+  config : |
+    {
+      "repositories": ["Cluster/k3s-configs"]
+    }
+  persistence:
+    cache:
+      enabled: true
+      storageClass: retain-local-path
+existingSecret: renovate-bot-secret
+apiVersionOverrides:
+  cronjob: 'batch/v1'

gitea/runner-deployment.yaml

@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: act-runner
+  name: act-runner
+  namespace: gitea
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: act-runner
+  strategy: {}
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: act-runner
+    spec:
+      restartPolicy: Always
+      volumes:
+      - name: runner-data
+        persistentVolumeClaim:
+          claimName: act-runner-vol
+      securityContext:
+        fsGroup: 1001
+      containers:
+      - name: runner
+        image: gitea/act_runner:nightly-dind-rootless
+        imagePullPolicy: Always
+        env:
+        - name: DOCKER_HOST
+          value: unix:///var/run/user/1000/docker.sock
+        - name: GITEA_INSTANCE_URL
+          value: http://gitea-http.gitea.svc.cluster.local:3000
+        - name: GITEA_RUNNER_REGISTRATION_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: runner-secret
+              key: token
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - name: runner-data
+          mountPath: /data

gitea/runner-pvc.yaml

@@ -0,0 +1,12 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: act-runner-vol
+  namespace: gitea
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: retain-local-path

gitea/runner-secret.enc.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: runner-secret
+    namespace: gitea
+stringData:
+    token: ENC[AES256_GCM,data:L4knV26n07ITqEAiiCtI+bMDyDV5XbbxwCyimir1F9KIpveWuE8MwA==,iv:H+qTTGqo3MALmJ583kqQyXGCeVxBzoh8c9+CqLEUzZI=,tag:WzQcxgtmSuVyNet9J2qTHg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age14dgmts59tc2gv2xu9305auvu854n3pfl8vkheqzzqyrygyeequ0sjhl92v
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrODNya2FReElkL1dwa01p
+            OXZvWURJY0YwOGkzb1l5bGhZVGVSRmRvOUR3Cm0zdWVHMk9LbG1wc0pqSnZvM0Ft
+            dlVMYzljUHB5TmZFREVoWjJZSmhIMG8KLS0tIHl3SVc1Ky9aei9sS0UzRTQ0Qklp
+            dVBWa3BPK1pBaUxKRnB1REVkM2NuaDAKFL93pbjyy2kDGgZTDlC+/7azF7rggUXY
+            Vf3oSu6u+i/AEPJzmi7iX1FBM+Tag9A3Q5zIfo/8L9XI+uqpX4HcUg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-11-28T21:32:44Z"
+    mac: ENC[AES256_GCM,data:PeEdV0W+anjtndAxAQSEa/4TFHaawKTbBqJbFoHPPsd60+q5XHXdxokTk1szENrdDC3f0cZ6xAdCIW5oyaGUICd1hrOVGyhMN84SbP/KP+P9lkFICD1AXNhVXHa0U6G9UdvP5gFVhDV2k1LdRNkjmHkpn6hpUijlZc7+LIfXiKI=,iv:yS5af3UBRlNMdqmvSfimDFRTw5LevPo3iA9b4SNKisM=,tag:xD4h8kABvH1xZqOMTn15fQ==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.8.1

gitea/secret-generator.yaml

@@ -0,0 +1,12 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: gitea-secret-generator
+  annotations:
+    config.kubernetes.io/function: |
+        exec:
+          path: ksops
+files:
+- ./gitea-admin-secret.enc.yaml
+- ./renovate-bot-secret.enc.yaml
+- ./runner-secret.enc.yaml

gitea/values.yaml

@@ -0,0 +1,65 @@
+redis-cluster:
+  enabled: false
+postgresql-ha:
+  enabled: false
+postgresql:
+  enabled: true
+  primary:
+    persistence:
+      storageClass: retain-local-path
+
+persistence:
+  enabled: true
+  storageClass: retain-local-path
+
+image:
+  rootless: true
+
+gitea:
+  admin:
+    existingSecret: gitea-admin-secret
+    email: "matus@namesny.com"
+  config:
+    actions:
+      ENABLED: true
+    federation:
+      ENABLED: true
+    database:
+      DB_TYPE: postgres
+    session:
+      PROVIDER: db
+    cache:
+      ADAPTER: memory
+    queue:
+      TYPE: level
+    server:
+      BUILTIN_SSH_SERVER_USER: git
+      ROOT_URL: https://git.namesny.com
+      DOMAIN: git.namesny.com
+      SSH_CREATE_AUTHORIZED_KEYS_FILE: false
+      LANDING_PAGE: explore
+    service:
+      REGISTER_MANUAL_CONFIRM: true
+    indexer:
+      ISSUE_INDEXER_TYPE: bleve
+      REPO_INDEXER_ENABLED: true
+
+service:
+  http:
+    type: ClusterIP
+    port: 3000
+    clusterIP:
+  ssh:
+    type: ClusterIP
+    port: 22
+
+podSecurityContext:
+  fsGroup: 1001
+
+containerSecurityContext:
+  runAsGroup: 1001
+  runAsNonRoot: true
+  runAsUser: 1001
+
+test:
+  enabled: false