oleksandr/homelab
1
0
Fork 0
Code Pull Requests Activity

feat(k8s/gitea): add Gitea with PostgreSQL, backups, and Authelia OIDC

Browse Source
This commit is contained in:
Oleksandr Berezovskyi
2026-04-29 22:45:42 +03:00
parent db633544c6
commit 191da01138
12 changed files with 617 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@@ -28,6 +28,7 @@ homelab-v2/
│ ├── archmirror/
│ ├── external/ # External service vars (e.g. Home Assistant)
│ ├── firefly/
│ ├── gitea/
│ ├── grocy/
│ ├── homepage/
│ ├── immich/
@@ -45,6 +46,7 @@ homelab-v2/
| Service | Description |
|---------|-------------|
| **Gitea** | Self-hosted Git service |
| **Firefly III** | Personal finance manager |
| **Immich** | Photo and video management with face recognition |
| **Jellyfin** | Media streaming with Intel GPU hardware transcoding |

150
kubernetes/app/gitea/cronjob-backup.yaml Normal file
View File

@@ -0,0 +1,150 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: gitea-db-backup
namespace: gitea
labels:
app: gitea-backup
spec:
schedule: "0 2 * * *"
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 3
jobTemplate:
spec:
template:
metadata:
labels:
app: gitea-backup
spec:
restartPolicy: OnFailure
initContainers:
- name: pg-dump
image: postgres:17
imagePullPolicy: IfNotPresent
env:
- name: PGHOST
value: gitea-db
- name: PGUSER
valueFrom:
secretKeyRef:
name: gitea-credentials
key: DB_USERNAME
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: gitea-credentials
key: DB_PASSWORD
- name: PGDATABASE
valueFrom:
secretKeyRef:
name: gitea-credentials
key: DB_DATABASE_NAME
command:
- sh
- -c
- pg_dump --clean --if-exists > /backup/dump.sql
volumeMounts:
- name: backup-tmp
mountPath: /backup
containers:
- name: resticprofile
image: creativeprojects/resticprofile:0.32.0
imagePullPolicy: IfNotPresent
command:
- sh
- -c
- |
resticprofile -c /secrets/profiles.yaml -n gitea-db backup
resticprofile -c /secrets/profiles.yaml -n gitea-db copy
env:
- name: B2_ACCOUNT_ID
valueFrom:
secretKeyRef:
name: gitea-backup-config
key: B2_ACCOUNT_ID
- name: B2_ACCOUNT_KEY
valueFrom:
secretKeyRef:
name: gitea-backup-config
key: B2_ACCOUNT_KEY
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
memory: 1Gi
volumeMounts:
- name: secrets
mountPath: /secrets
readOnly: true
- name: backup-tmp
mountPath: /backup
volumes:
- name: secrets
secret:
secretName: gitea-backup-config
- name: backup-tmp
emptyDir: {}
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: gitea-data-backup
namespace: gitea
labels:
app: gitea-backup
spec:
schedule: "0 3 * * *"
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 3
jobTemplate:
spec:
template:
metadata:
labels:
app: gitea-backup
spec:
restartPolicy: OnFailure
containers:
- name: resticprofile
image: creativeprojects/resticprofile:0.32.0
imagePullPolicy: IfNotPresent
command:
- sh
- -c
- |
resticprofile -c /secrets/profiles.yaml -n gitea-data backup
resticprofile -c /secrets/profiles.yaml -n gitea-data copy
env:
- name: B2_ACCOUNT_ID
valueFrom:
secretKeyRef:
name: gitea-backup-config
key: B2_ACCOUNT_ID
- name: B2_ACCOUNT_KEY
valueFrom:
secretKeyRef:
name: gitea-backup-config
key: B2_ACCOUNT_KEY
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
memory: 1Gi
volumeMounts:
- name: secrets
mountPath: /secrets
readOnly: true
- name: data
mountPath: /data
readOnly: true
volumes:
- name: secrets
secret:
secretName: gitea-backup-config
- name: data
persistentVolumeClaim:
claimName: gitea-data

4
kubernetes/app/gitea/namespace.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: gitea

111
kubernetes/app/gitea/networkpolicy.yaml Normal file
View File

@@ -0,0 +1,111 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-ingress
namespace: gitea
spec:
podSelector: {}
policyTypes:
- Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ingress-controller
namespace: gitea
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: gitea
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: traefik
---
# NodePort 32022 routes to pod port 2222 (rootless SSH listen port)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ssh-from-outside
namespace: gitea
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: gitea
policyTypes:
- Ingress
ingress:
- ports:
- port: 2222
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-app-to-db
namespace: gitea
spec:
podSelector:
matchLabels:
app: gitea-db
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: gitea
ports:
- port: 5432
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-backup-to-db
namespace: gitea
spec:
podSelector:
matchLabels:
app: gitea-db
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: gitea-backup
ports:
- port: 5432
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-backup-egress
namespace: gitea
spec:
podSelector:
matchLabels:
app: gitea-backup
policyTypes:
- Egress
egress:
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
- ports:
- port: 8888
protocol: TCP
- ports:
- port: 443
protocol: TCP
- ports:
- port: 5432
protocol: TCP
to:
- podSelector:
matchLabels:
app: gitea-db

145
kubernetes/app/gitea/release.yaml Normal file
View File

@@ -0,0 +1,145 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: gitea
namespace: flux-system
spec:
chart:
spec:
chart: gitea
version: 12.5.3
reconcileStrategy: ChartVersion
sourceRef:
kind: HelmRepository
name: gitea
namespace: flux-system
targetNamespace: gitea
interval: 1m0s
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
strategy:
type: Recreate
podSecurityContext:
seccompProfile:
type: RuntimeDefault
image:
rootless: true
pullPolicy: IfNotPresent
postgresql-ha:
enabled: false
postgresql:
enabled: false
valkey-cluster:
enabled: false
valkey:
enabled: false
persistence:
enabled: true
create: true
claimName: gitea-data
size: 20Gi
storageClass: nfs-synology-ssd
accessModes:
- ReadWriteOnce
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
memory: 1Gi
service:
http:
type: ClusterIP
port: 3000
ssh:
type: NodePort
port: 22
nodePort: 32022
ingress:
enabled: true
className: traefik
annotations:
cert-manager.io/cluster-issuer: letsencrypt
hosts:
- host: ${GITEA_HOST}
paths:
- path: /
pathType: Prefix
tls:
- secretName: gitea-tls
hosts:
- ${GITEA_HOST}
gitea:
admin:
existingSecret: gitea-admin
passwordMode: keepUpdated
oauth:
- name: authelia
provider: openidConnect
existingSecret: gitea-oauth-authelia
autoDiscoverUrl: https://auth.${AUTHELIA_DOMAIN}/.well-known/openid-configuration
config:
server:
DOMAIN: ${GITEA_HOST}
ROOT_URL: https://${GITEA_HOST}/
SSH_DOMAIN: ${GITEA_HOST}
SSH_PORT: "22"
SSH_LISTEN_PORT: "2222"
LANDING_PAGE: login
service:
DISABLE_REGISTRATION: true
ALLOW_ONLY_EXTERNAL_REGISTRATION: true
SHOW_REGISTRATION_BUTTON: false
ENABLE_PASSWORD_SIGNIN_FORM: false
ENABLE_PASSKEY_AUTHENTICATION: false
REQUIRE_SIGNIN_VIEW: false
"service.explore":
DISABLE_USERS_PAGE: true
DISABLE_ORGANIZATIONS_PAGE: true
openid:
ENABLE_OPENID_SIGNIN: false
ENABLE_OPENID_SIGNUP: false
oauth2_client:
ENABLE_AUTO_REGISTRATION: true
USERNAME: preferred_username
OPENID_CONNECT_SCOPES: "email profile groups"
ACCOUNT_LINKING: auto
UPDATE_AVATAR: true
REGISTER_EMAIL_CONFIRM: false
additionalConfigFromEnvs:
- name: GITEA__database__DB_TYPE
value: postgres
- name: GITEA__database__HOST
value: gitea-db:5432
- name: GITEA__database__NAME
valueFrom:
secretKeyRef:
name: gitea-credentials
key: DB_DATABASE_NAME
- name: GITEA__database__USER
valueFrom:
secretKeyRef:
name: gitea-credentials
key: DB_USERNAME
- name: GITEA__database__PASSWD
valueFrom:
secretKeyRef:
name: gitea-credentials
key: DB_PASSWORD

8
kubernetes/app/gitea/repository.yaml Normal file
View File

@@ -0,0 +1,8 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: gitea
namespace: flux-system
spec:
interval: 1m0s
url: https://dl.gitea.com/charts/

26
kubernetes/app/gitea/secret-backup.sops.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: v1
kind: Secret
metadata:
name: gitea-backup-config
namespace: gitea
stringData:
profiles.yaml: ENC[AES256_GCM,data:uHgGYQxpS3FZ46aVqp8Qu/N4hV6uLRefYRGx/zr0aPcfHGtzsl1Bibw08x3lw6zl5fjS6S8P4rqD/RutSzldQ81/YVXEMu7XIHpyeVwGyFWcYXm7MLkXrhTxuyHjeNAhNJRgrkka45tLxOzf2JSQ7csjLtQ1/fBZ7BbUyZst5WuyJ9cRAX8ljYEwE84EkoXwN3j76913iq/tU8qZG77jf3nfCZIMHcsfEQRtHTkLVwa3kRXkmdOuUhlUB70cN5B1jl0nYvhV6dfGm5jw3jOdxos14w91IVJR7kAmNCJh0HND13frOuNVZNjBQ6Jx5DlhjKQ83aDZS3IxBAzNafptTn0V529EuRYbVr9hKLNzu+MJ8T7ao17zNbUTcpd0wXxQwESyywxea6scXxu6KkAbPKVZJLGC4gyjJAJdnHBMQAbn/XvEUturdA/ExG+B6Nt05KT8sObePyY2k3NwlUjRJxk01Y+di+44E2msg/K6D4u/yZX1Eg4FikMJL5ldBpCmBaeiM2gwdZEnO4hufNr46cdGH4nZxe+HMgsD6NrCpJzeTKnwHxa6DZpBkNk/XOmCU+HLQoIspqHiKVDB6kUY8EaSb+i3Qvqq9IHi7DooiZmXNVTHjEj2RTzqd+/I8S2JmANTs7zvEdtfJJ2K+KhK4tfqjdxRAv3yc+MoCb3AQEf86ZtIEtrjOaVtrZLZEb4GVk43VAHo2t34EXo5/FDQWVRdtdIs7L5TajT9jDZgpvqZQAe9yFwP9thbo+wG3zQaWDcgSWRE16zm14DXLcB58kV08YTyUKKw4KDC8TnHU8SfDpwhgq62z72XIdAADxLHtcAYlQak/2bMAISciEtgoC6XhYHvV85L79DLp5GZTta6mYWo3LJwjxzUgSyXQv6yMfQXw9q/4sQCkz1z19Qi6yAaqtkc6aTv1cN2zCPdFjjsmPdxkPATLhUFfLgNfJspedHiRxM5NWLJPDtpk2hzzp2KPnchTVjSUX1M2MD+z3bowxFPm4NJoiyFgmJRMr+F7HJciZa3s9HUv+0mn9R7T6mABM6XugVpJne50KMylb8mCPz46gV10nUy2xfYT3OuFHVPyN/SWjUkhm7BXm16yXQwZG+O+TNBUA3uxZmXl91GQZGqf14OMeX+S2B++LIxbrVAN3QamaTTJX4O+gZIWAQLOCR4gQUmazQE2cqroqWM00nDG1ZTo9ZzLTPsl8Fo8pGgJfiP/tGc7hjSVsz6vfvRdQs=,iv:3t0Qate3LKwYCMoR4jdAzCtJfMCVW0k3T9EK22io8vU=,tag:AQrbWLhhoWxwOtdxrwvdbA==,type:str]
restic-password-nas: ENC[AES256_GCM,data:Hp6UPBipoot5NmFKf6jqYWfPUFFi0QNZAjBhuiGCj3h9t9nTxo8vHL9wlP1fY+vNmRTPcG0YFabgV5Q/4yQZTw==,iv:9gWAoQ2RxsnjJfWKbMw2CFoATb84pMdrTvXd+AsSrlk=,tag:12AxyQrODLvQ4TdZazt+3w==,type:str]
restic-password-b2: ENC[AES256_GCM,data:QaTM08WEy2pQSs9s8VWQGi7HPu4cirbQhUixi49Ddjj5ffbqAuL+g7jhJNNCEZKI1Ljra51cv9lAFWTDUhbGwQ==,iv:oSbY9X1HPYG5Kgr8vW5tBN/kBu6APqbav+ONKisxRQI=,tag:Gzfz/O2uTkAtoRSfGxPj+g==,type:str]
B2_ACCOUNT_ID: ENC[AES256_GCM,data:9FSQY03LaT4Jm21+XQ5VVcfMQJ/QGEU2MA==,iv:OguTShXUeF5cm3Pfb9rC5aHS6LMQP5SlviV12KUi2mE=,tag:OyqEGluTuqYdeaA/g4BGWQ==,type:str]
B2_ACCOUNT_KEY: ENC[AES256_GCM,data:d+qcw1eDNzcVrGoJy2+hy+xpptckxJYN7rSQ+Y/bug==,iv:I5IIcZ8MURrZqn8SncqNvsgaM3QgRMnpzfjwpat5pPw=,tag:CBiigK5dYpxwoVDYYeax2A==,type:str]
sops:
age:
- recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0TmpUWGVWczArYllEc2x6
a3lxNnVmMDdLTTVENVhhQkhnNmFBcHpzdnlZCnRNTENWRUxKZ2VQazJxYmJOS0Ro
SjlKT1RXdDkyYXpqdlY5bEkvME1YYWMKLS0tIHErcUdRUDBEdTlzbUNZa0Vya2xn
ckpUQUQ0cGlNVk9BaEZKUDVHQzRjQmMKcCznhR3n3tG96SdrGKarLNKAZoTi4Xj7
28m3avAtcOMryv0IrHvL4ogC3CdARRuJzh0UL1J+fOnvmwCZeiIjDg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-29T19:40:09Z"
mac: ENC[AES256_GCM,data:vr6nY1wUMfB131ApoErgg7bIzGfBy9ZOebeTCsB/UI42Y4ZxHWQbP3IQz9RXwlqgSH1/oeslOrHVgQDSX429XgzKkz4GLA4ebybe/hMQQH3tNIYUEMFq4oQCjZ20sbhnQUV98+Bir6GQMjq+r7BueHFixwmOA4lTu/vM4r82Zvw=,iv:MNyWngFH4pPA3hZhDg1kqd5cBanmSBk03Q8pCyA7m+0=,tag:aNCPGwUGqb3hsoCCIiG40A==,type:str]
encrypted_regex: ^(data|stringData|email)$
version: 3.12.2

73
kubernetes/app/gitea/secret.sops.yaml Normal file
View File

@@ -0,0 +1,73 @@
apiVersion: v1
kind: Secret
metadata:
name: gitea-credentials
namespace: gitea
stringData:
DB_USERNAME: ENC[AES256_GCM,data:3cbes9s=,iv:E+zSCE93AVTPiWtQKW15+fHp/6nKtEY0RFWkC9K95w4=,tag:bpM84tAY0TJlJHkvCYl4tQ==,type:str]
DB_PASSWORD: ENC[AES256_GCM,data:PziUZ2Yg+kk6qvqs16k3gl2+gFT/MeE7DTzsfD+21bvLa8cvjPywNTTBS2gDB5h6H6+bn3f3X6tN+KYg2fNUYA==,iv:Ego7tQnpe8LcDd+XAG3ThtQUGR5cyjRnkCjppOtcW3M=,tag:zwrew+a4j78kNpgr2yfW6w==,type:str]
DB_DATABASE_NAME: ENC[AES256_GCM,data:wevUgjE=,iv:2VMHHmp4rI3EE8lmKL+88VDwtIy8RoHbxZM5dsln6Q0=,tag:Vinwbtci+UkGoyzGEEF/5A==,type:str]
sops:
age:
- recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWWhqdVVJNmhUT0FBWFVk
V1V4R0wyV1V3WnpHZ1JGWm1iTnQ5TmsyeGk4ClpKSlJyMjYxNmQvUWlNbHY0cU0y
ZkJuTHd0K1k2cGhLTG1ncXBhMWk3ZzgKLS0tIEtXNXJQa2txMFovSnZkeDM1R2tk
TWwxTXBRUkJWcG1sMUl3REFtMkI2WG8KyvuPr8iwuiVC9j5wXLaok5AeJhXXq8CI
H7HCBU4mVjwd0IrtlwSCLx5vUDKTpc2e5SumJp4nSy1D5R+uOjEWBA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-29T19:32:53Z"
mac: ENC[AES256_GCM,data:ngT9hUeIQM+NL3v/WApSBGsdWJw7CZvAMfqb/4d80DwV0cF14WjMVupc0d6mD7ykhJGM5ptwf1zR8QPSkErCRXSHxFoLXGAJVN4h+MOy48yZ61RK/p+dip5CkPojTfb5i6rU0dIOFVpjm7z6JbPLz8UTxMTikwzo/w931AKa9PE=,iv:wXZQRvt6pImnxVIfyOhRJWQl+ytrlmDxd8odDra16XQ=,tag:/6Fixh2urHAgUfQx+h6Dsg==,type:str]
encrypted_regex: ^(data|stringData|email)$
version: 3.12.2
---
apiVersion: v1
kind: Secret
metadata:
name: gitea-admin
namespace: gitea
stringData:
username: ENC[AES256_GCM,data:w6EdTuF/JRY3QuU=,iv:DaPA4FbTz44m99OafT7rYGAuSNY1+Kd0fqoH3nl/8vQ=,tag:QZU+4g/k5Ft4w06uh/kzZw==,type:str]
password: ENC[AES256_GCM,data:tl8bLeTQfsa3NHg2WJrHzBe5LXaGd+9btVyZFgPc0Mp3hDkPZh6pAZDd1n96pO9oNYe2elmKfdaJZGhX6Xknow==,iv:boQQm3XRAg9ZrLC2yP2TBqDH6JtCneoS3y4RCBpTTMw=,tag:uKLU0mUQvCLs3FhEv3aFYQ==,type:str]
email: ENC[AES256_GCM,data:WekZNlut9EhIyIJF6Z5yZevVeBWUggeDbFYQx2A=,iv:125s6eI55SckKFvFvZ78G2MCdoiUqdXaKGNu7vtFOpw=,tag:ZVToNfQ5K11Z3QUJ0FrWPg==,type:str]
sops:
age:
- recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWWhqdVVJNmhUT0FBWFVk
V1V4R0wyV1V3WnpHZ1JGWm1iTnQ5TmsyeGk4ClpKSlJyMjYxNmQvUWlNbHY0cU0y
ZkJuTHd0K1k2cGhLTG1ncXBhMWk3ZzgKLS0tIEtXNXJQa2txMFovSnZkeDM1R2tk
TWwxTXBRUkJWcG1sMUl3REFtMkI2WG8KyvuPr8iwuiVC9j5wXLaok5AeJhXXq8CI
H7HCBU4mVjwd0IrtlwSCLx5vUDKTpc2e5SumJp4nSy1D5R+uOjEWBA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-29T19:32:53Z"
mac: ENC[AES256_GCM,data:ngT9hUeIQM+NL3v/WApSBGsdWJw7CZvAMfqb/4d80DwV0cF14WjMVupc0d6mD7ykhJGM5ptwf1zR8QPSkErCRXSHxFoLXGAJVN4h+MOy48yZ61RK/p+dip5CkPojTfb5i6rU0dIOFVpjm7z6JbPLz8UTxMTikwzo/w931AKa9PE=,iv:wXZQRvt6pImnxVIfyOhRJWQl+ytrlmDxd8odDra16XQ=,tag:/6Fixh2urHAgUfQx+h6Dsg==,type:str]
encrypted_regex: ^(data|stringData|email)$
version: 3.12.2
---
apiVersion: v1
kind: Secret
metadata:
name: gitea-oauth-authelia
namespace: gitea
stringData:
key: ENC[AES256_GCM,data:6gbsmUI=,iv:rLq6rHHqyJ158JxbmFGkko6rPt2aJkQKCDGY/kOil5E=,tag:qz/2riJi00AkEdtOtQTJdA==,type:str]
secret: ENC[AES256_GCM,data:z8zuEZ9xgiIiSCDOtXn4yXU5n5TggMpc+5y8Vv21ja8PTXXf1l3krnc55qaJPuo85+fYqzW+NDPbTWPAIkVqtvr260N++d7z,iv:hh91ss/nbBIvxosNLQ5zy6G593Vxn92q+8f0APjiORk=,tag:FzvjgjCyEyvzmZ4J/muPlg==,type:str]
sops:
age:
- recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWWhqdVVJNmhUT0FBWFVk
V1V4R0wyV1V3WnpHZ1JGWm1iTnQ5TmsyeGk4ClpKSlJyMjYxNmQvUWlNbHY0cU0y
ZkJuTHd0K1k2cGhLTG1ncXBhMWk3ZzgKLS0tIEtXNXJQa2txMFovSnZkeDM1R2tk
TWwxTXBRUkJWcG1sMUl3REFtMkI2WG8KyvuPr8iwuiVC9j5wXLaok5AeJhXXq8CI
H7HCBU4mVjwd0IrtlwSCLx5vUDKTpc2e5SumJp4nSy1D5R+uOjEWBA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-29T19:32:53Z"
mac: ENC[AES256_GCM,data:ngT9hUeIQM+NL3v/WApSBGsdWJw7CZvAMfqb/4d80DwV0cF14WjMVupc0d6mD7ykhJGM5ptwf1zR8QPSkErCRXSHxFoLXGAJVN4h+MOy48yZ61RK/p+dip5CkPojTfb5i6rU0dIOFVpjm7z6JbPLz8UTxMTikwzo/w931AKa9PE=,iv:wXZQRvt6pImnxVIfyOhRJWQl+ytrlmDxd8odDra16XQ=,tag:/6Fixh2urHAgUfQx+h6Dsg==,type:str]
encrypted_regex: ^(data|stringData|email)$
version: 3.12.2

12
kubernetes/app/gitea/service-db.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: Service
metadata:
name: gitea-db
namespace: gitea
spec:
clusterIP: None
selector:
app: gitea-db
ports:
- port: 5432
targetPort: 5432

80
kubernetes/app/gitea/statefulset-db.yaml Normal file
View File

@@ -0,0 +1,80 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: gitea-db
namespace: gitea
labels:
app: gitea-db
spec:
serviceName: gitea-db
replicas: 1
selector:
matchLabels:
app: gitea-db
template:
metadata:
labels:
app: gitea-db
spec:
securityContext:
runAsUser: 999
runAsGroup: 999
fsGroup: 999
containers:
- name: postgres
image: postgres:17
imagePullPolicy: IfNotPresent
env:
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: gitea-credentials
key: DB_USERNAME
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: gitea-credentials
key: DB_PASSWORD
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
name: gitea-credentials
key: DB_DATABASE_NAME
- name: PGDATA
value: /var/lib/postgresql/data/pgdata
ports:
- containerPort: 5432
startupProbe:
tcpSocket:
port: 5432
initialDelaySeconds: 10
periodSeconds: 10
failureThreshold: 30
livenessProbe:
tcpSocket:
port: 5432
periodSeconds: 30
failureThreshold: 5
readinessProbe:
tcpSocket:
port: 5432
periodSeconds: 10
failureThreshold: 3
resources:
requests:
cpu: 50m
memory: 256Mi
limits:
memory: 1Gi
volumeMounts:
- name: data
mountPath: /var/lib/postgresql/data
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes: ["ReadWriteOnce"]
storageClassName: nfs-synology-ssd
resources:
requests:
storage: 5Gi

5
kubernetes/config/cluster-vars.sops.yaml
View File

@@ -34,6 +34,7 @@ stringData:
CRYPTPAD_CONFIG_NFS_PATH: ENC[AES256_GCM,data:VJ4h7ADenNgFIiNIFK7pJKMrUBYc4e9c4MdVzqGoR4TDWGYL,iv:8ZhMHiZLh2C4J/vh/8L96R6VIkKoWc7ib/bUAQ5rZE0=,tag:HgvJjjYybCgxatUbcRFY7Q==,type:str]
SEERR_HOST: ENC[AES256_GCM,data:l64ttp+rLNU8GfwIE4fhJROSMDEb,iv:1vHOw0LyGN9OMhYemhtRq9GE2fc4J2EprZU3bp/h4kk=,tag:WNV0Jh7816ra7IIOBMspBg==,type:str]
FIREFLY_HOST: ENC[AES256_GCM,data:EQdrW33PVlD/brZCqh/sTkqLdPWW/bo=,iv:zbNnjsT1J6lpCEWtvNyL4A3bjWsusCjI5goWcZ8hajk=,tag:VwA6YA056bsyYIKB+X59bw==,type:str]
GITEA_HOST: ENC[AES256_GCM,data:Ky3tXS9E9iadabpVzoK5zEbigmtn,iv:t6OdQeQ7Kxzb7qbi+KeoOkJd0XE2Dse5P1fFyiHM6tg=,tag:GpmHtVDr0IQVbpbALVx40g==,type:str]
BACKUP_LOCAL_HOST: ENC[AES256_GCM,data:ABaTI3NKkhF7K2FpPwvvrHA0l/tCxAi4Qek=,iv:34ixxSpKU1c12uoMdk4nz2Vo/+5A/npB7NWMsWFytIM=,tag:qjw2fQBebCKnqCnAPiBHaw==,type:str]
sops:
age:
@@ -46,7 +47,7 @@ sops:
MGJ6TFpwR0diNjlEN2syZkhNMFNwRDQK9pzmQGB0GQu6ogMIJW+kugvBNj3w+dxW
bfEF9GAznIM/N5rPytF4wNgqwfoAF7GwumgA+iD43wprKtUJn+6dqw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-21T20:29:36Z"
mac: ENC[AES256_GCM,data:kiPibnbuR2b2nsniS7Y/2W7gH/z6M7Ay1Nx4D7A/qcP55udjHc3C+TWRnIoy/UYWV6G2g9YfHmywyhZI9x8xMG9NoQUZ14OYeFmjDGT48GV0NvZRIVcfIjzJRyzMI+pL8Fekn9HHSiYKBhjYLS0v/q/M3/ilA53tj3/90Gfinzk=,iv:AsJAmfBERd4BqQ4kn57UbFkFX4GAp+pZWt7WwteKKbw=,tag:RVD9mCEHxyhwh8VijAQmVQ==,type:str]
lastmodified: "2026-04-29T19:47:22Z"
mac: ENC[AES256_GCM,data:WgVeGY1tGl3Y97FRGNVEkM2J4WKeHil6ki2Jsww1QOsAdGyL7QaL0vPpfRfDc8FRHhyeahS7ShacUvBKnL5Lihxnrqhkd8wA0BgxONk0k/W8/WtU/tvhXpTwxTWgQ5VyPtX3QwwkAcGTARBu+Xrp2y9QGXU8NPO56eH6cUGPEW4=,iv:KjZbbRfhy4ZHtv38MHlX8jxK+9pp/U2aGaX+d8HRK3E=,tag:wcdQVdpYR9czzeYMi554oQ==,type:str]
encrypted_regex: ^(data|stringData|email)$
version: 3.12.2

6
kubernetes/infrastructure/controllers/authelia/configmap.sops.yaml
View File

File diff suppressed because one or more lines are too long