feat(k8s/gitea): add Gitea with PostgreSQL, backups, and Authelia OIDC

README.md

@@ -27,6 +27,8 @@ homelab-v2/
     ├── app/
     │   ├── archmirror/
     │   ├── external/       # External service vars (e.g. Home Assistant)
+    │   ├── firefly/
+    │   ├── gitea/
     │   ├── grocy/
     │   ├── homepage/
     │   ├── immich/
@@ -44,6 +46,8 @@ homelab-v2/
 
 | Service | Description |
 |---------|-------------|
+| **Gitea** | Self-hosted Git service |
+| **Firefly III** | Personal finance manager |
 | **Immich** | Photo and video management with face recognition |
 | **Jellyfin** | Media streaming with Intel GPU hardware transcoding |
 | **Media Stack** | Sonarr, Radarr, Prowlarr, qBittorrent — automated media acquisition |

kubernetes/app/firefly/cronjob-backup.yaml

@@ -0,0 +1,144 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: firefly-db-backup
+  namespace: firefly
+  labels:
+    app: firefly-backup
+spec:
+  schedule: "0 2 * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            app: firefly-backup
+        spec:
+          restartPolicy: OnFailure
+          initContainers:
+            - name: pg-dump
+              image: postgres:17
+              imagePullPolicy: IfNotPresent
+              env:
+                - name: PGHOST
+                  value: firefly-db
+                - name: PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      name: firefly-credentials
+                      key: DB_USERNAME
+                - name: PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: firefly-credentials
+                      key: DB_PASSWORD
+                - name: PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      name: firefly-credentials
+                      key: DB_DATABASE
+              command:
+                - sh
+                - -c
+                - pg_dump --clean --if-exists > /backup/dump.sql
+              volumeMounts:
+                - name: backup-tmp
+                  mountPath: /backup
+          containers:
+            - name: resticprofile
+              image: creativeprojects/resticprofile:0.32.0
+              imagePullPolicy: IfNotPresent
+              command:
+                - sh
+                - -c
+                - |
+                  resticprofile -c /secrets/profiles.yaml -n firefly-db backup
+                  resticprofile -c /secrets/profiles.yaml -n firefly-db copy
+              env:
+                - name: B2_ACCOUNT_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: firefly-backup-config
+                      key: B2_ACCOUNT_ID
+                - name: B2_ACCOUNT_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: firefly-backup-config
+                      key: B2_ACCOUNT_KEY
+              volumeMounts:
+                - name: secrets
+                  mountPath: /secrets
+                  readOnly: true
+                - name: backup-tmp
+                  mountPath: /backup
+          volumes:
+            - name: secrets
+              secret:
+                secretName: firefly-backup-config
+            - name: backup-tmp
+              emptyDir: {}
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: firefly-uploads-backup
+  namespace: firefly
+  labels:
+    app: firefly-backup
+spec:
+  schedule: "0 3 * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            app: firefly-backup
+        spec:
+          restartPolicy: OnFailure
+          containers:
+            - name: resticprofile
+              image: creativeprojects/resticprofile:0.32.0
+              imagePullPolicy: IfNotPresent
+              command:
+                - sh
+                - -c
+                - |
+                  resticprofile -c /secrets/profiles.yaml -n firefly-uploads backup
+                  resticprofile -c /secrets/profiles.yaml -n firefly-uploads copy
+              env:
+                - name: B2_ACCOUNT_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: firefly-backup-config
+                      key: B2_ACCOUNT_ID
+                - name: B2_ACCOUNT_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: firefly-backup-config
+                      key: B2_ACCOUNT_KEY
+              volumeMounts:
+                - name: secrets
+                  mountPath: /secrets
+                  readOnly: true
+                - name: uploads
+                  mountPath: /uploads
+                  readOnly: true
+              resources:
+                requests:
+                  cpu: 100m
+                  memory: 256Mi
+                limits:
+                  memory: 1Gi
+          volumes:
+            - name: secrets
+              secret:
+                secretName: firefly-backup-config
+            - name: uploads
+              persistentVolumeClaim:
+                claimName: firefly-firefly-iii

kubernetes/app/firefly/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: firefly

kubernetes/app/firefly/networkpolicy.yaml

@@ -0,0 +1,95 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-ingress
+  namespace: firefly
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-controller
+  namespace: firefly
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: firefly-iii
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-app-to-db
+  namespace: firefly
+spec:
+  podSelector:
+    matchLabels:
+      app: firefly-db
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: firefly-iii
+      ports:
+        - port: 5432
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-backup-to-db
+  namespace: firefly
+spec:
+  podSelector:
+    matchLabels:
+      app: firefly-db
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: firefly-backup
+      ports:
+        - port: 5432
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-backup-egress
+  namespace: firefly
+spec:
+  podSelector:
+    matchLabels:
+      app: firefly-backup
+  policyTypes:
+    - Egress
+  egress:
+    - ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+    - ports:
+        - port: 8888
+          protocol: TCP
+    - ports:
+        - port: 443
+          protocol: TCP
+    - ports:
+        - port: 5432
+          protocol: TCP
+      to:
+        - podSelector:
+            matchLabels:
+              app: firefly-db

kubernetes/app/firefly/release.yaml

@@ -0,0 +1,79 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: firefly-iii
+  namespace: flux-system
+spec:
+  chart:
+    spec:
+      chart: firefly-iii
+      version: 1.9.13
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: firefly-iii
+        namespace: flux-system
+  targetNamespace: firefly
+  interval: 1m0s
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    deploymentStrategyType: Recreate
+
+    podSecurityContext:
+      seccompProfile:
+        type: RuntimeDefault
+
+    resources:
+      requests:
+        cpu: 50m
+        memory: 256Mi
+      limits:
+        memory: 512Mi
+
+    persistence:
+      enabled: true
+      storageClassName: nfs-synology-ssd
+      storage: 5Gi
+
+    config:
+      existingSecret: firefly-credentials
+      env:
+        DB_HOST: firefly-db
+        DB_CONNECTION: pgsql
+        DB_PORT: "5432"
+        DB_DATABASE: firefly
+        DB_USERNAME: firefly
+        TZ: Europe/Kyiv
+        TRUSTED_PROXIES: "10.244.0.0/24"
+        APP_URL: https://${FIREFLY_HOST}
+        AUTHENTICATION_GUARD: remote_user_guard
+        AUTHENTICATION_GUARD_HEADER: Remote-Email
+        AUTHENTICATION_GUARD_EMAIL: Remote-Email
+        MAIL_MAILER: smtp
+        MAIL_HOST: smtp.protonmail.ch
+        MAIL_PORT: "587"
+        MAIL_ENCRYPTION: tls
+
+    cronjob:
+      enabled: true
+      auth:
+        existingSecret: firefly-credentials
+        secretKey: STATIC_CRON_TOKEN
+      schedule: "0 3 * * *"
+
+    ingress:
+      enabled: true
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt
+        traefik.ingress.kubernetes.io/router.middlewares: authelia-chain-authelia-authelia-auth@kubernetescrd
+      hosts:
+        - ${FIREFLY_HOST}
+      tls:
+        - secretName: firefly-tls
+          hosts:
+            - ${FIREFLY_HOST}

kubernetes/app/firefly/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: firefly-iii
+  namespace: flux-system
+spec:
+  interval: 1m0s
+  url: https://firefly-iii.github.io/kubernetes

kubernetes/app/firefly/secret-backup.sops.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: firefly-backup-config
+    namespace: firefly
+stringData:
+    profiles.yaml: ENC[AES256_GCM,data:2IDoUurD5tw5uTUX/rWuhGZbaCcYcR/J2ClSdr61rq5w1jjZunnyqeY8Vrp2LSaiDhYd6nIHB0oeM8HVsvkzbLksXVzbS/4/098KEJtey3I7yxfvvlgu9ZKbw0wuLqeXjfEkl7cArTdjMKwA3/B5/Jmqw9Q0g5QUPP97MF12Hagg/kpKipXD/n5YoOtv7ZqfHnxrIIh6XXIpa98pJ58x+7ct7K7DeUUj1s/3WAI7idJ4kTexwOb/NVup9qpheuxqAZmF0z8YUC73W0qzQzgUAOJ4+O09xc15PFRq19a95W9SnSHn8Ao56S67s26d2Hbp4JCa8U6MxHDJ09IdHzpu/bmGAVL6LxDheegYOLZWJtNoAryyE6sQN2PJQxIwFngKaMvs6CHSrZWIbCfKzIhNrJPr/u/l5pDvCSMcvg2oX7Bkc2uJ4WY/yFXSHhaWIdJv0VSvcUH04li1inrZe9AYfnsajRVuzgXrnhonqy/2NXrH32leSVjEeU97+Ma1eOX/t3+SNBglL5kJxJIRJ/tSkPDe/9GpVr+2QNQUmRMuIpSsRNQgGODU/XCFrMyJ1Ikl+pKhHitOELfckJ3FuZPRJB6HEqfkE2fZLK5e2G0JRJ4FinYFo6HkXzk4IAzLDlN2E7kgyPyCqHJQt4C/X+OTwE6MErPEPgE5o9pwC8TGv+Q8AN6rRdYs7FPBR9jxqWxoSTCdz49sVf/kcgcWnicn8XmFEGdWTWk3MqKDe8YdN6fyqPha2lxpsz7FkZMcTV2ZrLvIR65lkmL9Vb1I7SwroYuTr+sj3jTAJLZXgRTXpKodc2zTQR9rQEKvA1C7YgchTJa4axDkMY37MDHZnHPW6MEmPlpPw8NMge6QfNYDTAWvrwThGWQ051RSm8KbYfm+qlMWqx+zCFRcypKwBUKVWuf7TYa0jnL9u4QrUvpLBAr6jErNRdRLgm79h80n/ucPEBLCHlzhPzHGW/evdWMDTCd0B5dYbP0zpPkGEmzfBfnH23ru48DotzPV/y0j+SNacgUXQPFkC5x50jOS2Fay+5qInOyA75aSiFD5EMZmf8gx1a3+rDtUt+6Qict8Umtb3ZzpTrWxvxbV5oxCXNwWShSLAFyfwoNE1sEq++xu+Jp0SzTuSg+Kxz+CmuCJ4bnbYkrhJxyKfw==,iv:WdIFJmhmZ8S+ma5l5SS7de2PrxZJgKK2njrPbLVQSuo=,tag:/mPn6QHatxQYwsZInrK30w==,type:str]
+    restic-password-nas: ENC[AES256_GCM,data:RIn57MOwyqVGR/GuVpIXi+p5jZ2UQm4VgioCgE1GXIk=,iv:DcF6cD+AVa0LoXY6+wACfQvoAtdndl0chmPcm463fEE=,tag:RK9FF1RMFsfHGmg+ZcBEVA==,type:str]
+    restic-password-b2: ENC[AES256_GCM,data:nIcy6uJY4fCjQH3aVggt3meckNAytAsw/ZNnGBBm7DM=,iv:zPf9YTDgT9dlq1nlyW6weMjZ0b3eVAuB15Lyx897xGU=,tag:+x0Sn3UQZEyhdMYrTK+Nqg==,type:str]
+    B2_ACCOUNT_ID: ENC[AES256_GCM,data:t4YqtZRIpLpP7QHGBTeZ8vCL2L+1BjbLug==,iv:TvsBorT7r5A1d1AjPbYZ2vnm0x7gCPe4qY2bXFoK66Y=,tag:zaRhrGV/4siiWiykPlF6Gw==,type:str]
+    B2_ACCOUNT_KEY: ENC[AES256_GCM,data:xZjFBj7oT2FcKHdwGBzyD1xR/bKtHGLEBsnAqblE+g==,iv:gtJfZvTZucbx6983OOk7WdD8KhJtrW6Wv0hnECYXQ8s=,tag:DCvHrL1Wv3NodzbH5aXylQ==,type:str]
+sops:
+    age:
+        - recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRSVBheDRtOEd0T0RJeG5x
+            dnRtN2RTeEs1andrVk9XUTZtMklDdmx5aEhrCmlNR1puUHVGaFYrUHNHYU1hbnpz
+            Q2J2ditrY1FuTXg3MUsvWm05WFcrUVUKLS0tIHdqeGFvNnkvVkdPWUphSkhETUpi
+            R1RWWEpDVkdHamx3M1p5a2YwUkR2REEKp/sZFcCNeZnHCvpwcOu827HLg0wxLWJG
+            EXHzgm5lZgiA/pQgxOJCiaz9HoNn3ttVE8z3aCnShUqAoXzpnh1Rpw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-04-21T20:22:40Z"
+    mac: ENC[AES256_GCM,data:wlXAnMwySlqHadgeAtgC+QCceqSw+mODWzKrqOTb4JSqvK1aEbPDUJWn8ow+0ff5OcU/3XVBr6b9GVzD6DsPXhg/aLsM/d5h6BRFb/qmrusD5YRyScu/gokwiD52I3qDf7rHeLNsYmoO4I6KuwEQRXasJ6H+QIOTNUxbcd+TTnM=,iv:8dNbZg7oJODgdR7mT3XgKL7sXooNYAvr8GM2l0DK6ao=,tag:M2JPh6qkisTG+A+2DCgABA==,type:str]
+    encrypted_regex: ^(data|stringData|email)$
+    version: 3.12.2

kubernetes/app/firefly/secret.sops.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: firefly-credentials
+    namespace: firefly
+stringData:
+    APP_KEY: ENC[AES256_GCM,data:OugBKeVQqUDf8rFrGxMYgNROPesgVLsoKuQmWVvW9Kg=,iv:hnASzIOuoLczCUf0Luq2d6YXz5sKoHHawSys29cCMaE=,tag:u3SeTEc0VIb/NOwnXTn9Vg==,type:str]
+    STATIC_CRON_TOKEN: ENC[AES256_GCM,data:YL+ghixRjb1t6K1Q09clyxlYeYSj3rsy82n78efFVAw=,iv:V2q7uKOpl3e/FROZFvH7YCXBSUnQm7QcwqFyZaBbx2I=,tag:dZ1XPxEOGgAvfyL426rDTw==,type:str]
+    DB_USERNAME: ENC[AES256_GCM,data:Vk4jFf4Znw==,iv:LpP9DqkC1IlAwFNak8MTLPLf75iEpDwEm9ReLZPxRJo=,tag:qMexrfvQONJjfG11xh07wA==,type:str]
+    DB_PASSWORD: ENC[AES256_GCM,data:SsGb3qXMiq7EqGyfU2E6xqku1HbmWM8C,iv:+3V3Fh76gim9wcrhYd6CX7smyz0Kc8Qywx5j0wrmVaw=,tag:UawliAt7zOD0rpxNe3KcPw==,type:str]
+    DB_DATABASE: ENC[AES256_GCM,data:tLd4MWLoqQ==,iv:sG65BMBOAaKqYgCZ/xpv7LYaDNAPX+9KAeOBvYfUbgw=,tag:tRKptDmGV3iwV6luVFv/wQ==,type:str]
+    MAIL_USERNAME: ENC[AES256_GCM,data:npTpeFJuH7rOmPN7+0tuAgSdK+OxIjHIOHFVhFGcwA==,iv:ugGlT9MfWedvLFb/iQTxSIB5pPQsKGS5utalEP0pyUs=,tag:iv1i73xuCs0svFIgysb9dA==,type:str]
+    SITE_OWNER: ENC[AES256_GCM,data:WhpJSSWjniUumYjtRLHbOc51tcZ84JBtWw==,iv:nfy/1lXXlQYQW49LQevRevbVee1DODvqFKLPm3nRmU0=,tag:3nMwbS06dxD8oTvURw3OWA==,type:str]
+    MAIL_FROM: ENC[AES256_GCM,data:JcZt/4D8pa6St+3Z5oX61Ez7I0PscCIDSJhVnDUyfQ==,iv:r8rSDEXjdWzpivA3QQQRiQScdv6rNK5VzAnlwl+13jQ=,tag:N55MPwZ6KGO9L18DTOJ/CA==,type:str]
+    MAIL_PASSWORD: ENC[AES256_GCM,data:YrqECSPI6I7aYdx+oUmgGA==,iv:rvggM+Chw0JIOqfifzH5Q5yw4JhAv5BZgJfKevfWm2c=,tag:c9Wmxy8iivL4DKwEQj8VPg==,type:str]
+sops:
+    age:
+        - recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWdDRxUU1walNTNWY1VlVj
+            MVB3OFo2Nm03b3haTjFtV09TaWtuYnJXNEN3CmFFOUM4czgxWGFubUJrNDRpOTBq
+            eHB0ckJNZnltMC84S2NyQVRmUWNNMjQKLS0tIERUL0hwSzVmYlRHSVJwVnE0bkVt
+            Zm1kOVhMU0JOa1U1MzN2M2FhdlVYUG8KhOhnu/8FxuEJdW5O0HeYVCu5eLgeyqaN
+            Q88TjwbcwcIruXo/e0ATxWRp+yzwGB0nspQHZzAMP16uN6r3gZo3Zw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-04-22T21:18:05Z"
+    mac: ENC[AES256_GCM,data:JszWTjBGpBSuldSp+k/ZhO9P6+v+6WhTddv56WSHkkh1JT0JnomgKYReMj5bDxYeA6hJPLgFmD0N4gjporu3n8oCvADJgpXnVTEmYPnIJJqhEn3z8pGCKjeuxEvJk1MV7XvLEhZZJuvvb04uquyxvl1M8h9BJSCuPk7wxcM5pLA=,iv:MlF48Pqoi4239h3NAFj0VMO6YXJSt88GqCT+cA0qqXY=,tag:/mgkPgXMX3iyTomvKikO8A==,type:str]
+    encrypted_regex: ^(data|stringData|email)$
+    version: 3.12.2

kubernetes/app/firefly/service-db.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: firefly-db
+  namespace: firefly
+spec:
+  clusterIP: None
+  selector:
+    app: firefly-db
+  ports:
+    - port: 5432
+      targetPort: 5432

kubernetes/app/firefly/statefulset-db.yaml

@@ -0,0 +1,80 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: firefly-db
+  namespace: firefly
+  labels:
+    app: firefly-db
+spec:
+  serviceName: firefly-db
+  replicas: 1
+  selector:
+    matchLabels:
+      app: firefly-db
+  template:
+    metadata:
+      labels:
+        app: firefly-db
+    spec:
+      securityContext:
+        runAsUser: 999
+        runAsGroup: 999
+        fsGroup: 999
+      containers:
+        - name: postgres
+          image: postgres:17
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: POSTGRES_USER
+              valueFrom:
+                secretKeyRef:
+                  name: firefly-credentials
+                  key: DB_USERNAME
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: firefly-credentials
+                  key: DB_PASSWORD
+            - name: POSTGRES_DB
+              valueFrom:
+                secretKeyRef:
+                  name: firefly-credentials
+                  key: DB_DATABASE
+            - name: PGDATA
+              value: /var/lib/postgresql/data/pgdata
+          ports:
+            - containerPort: 5432
+          startupProbe:
+            tcpSocket:
+              port: 5432
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            failureThreshold: 30
+          livenessProbe:
+            tcpSocket:
+              port: 5432
+            periodSeconds: 30
+            failureThreshold: 5
+          readinessProbe:
+            tcpSocket:
+              port: 5432
+            periodSeconds: 10
+            failureThreshold: 3
+          resources:
+            requests:
+              cpu: 50m
+              memory: 256Mi
+            limits:
+              memory: 1Gi
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/postgresql/data
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        storageClassName: nfs-synology-ssd
+        resources:
+          requests:
+            storage: 5Gi

kubernetes/app/gitea/cronjob-backup.yaml

@@ -0,0 +1,150 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: gitea-db-backup
+  namespace: gitea
+  labels:
+    app: gitea-backup
+spec:
+  schedule: "0 2 * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            app: gitea-backup
+        spec:
+          restartPolicy: OnFailure
+          initContainers:
+            - name: pg-dump
+              image: postgres:17
+              imagePullPolicy: IfNotPresent
+              env:
+                - name: PGHOST
+                  value: gitea-db
+                - name: PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      name: gitea-credentials
+                      key: DB_USERNAME
+                - name: PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: gitea-credentials
+                      key: DB_PASSWORD
+                - name: PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      name: gitea-credentials
+                      key: DB_DATABASE_NAME
+              command:
+                - sh
+                - -c
+                - pg_dump --clean --if-exists > /backup/dump.sql
+              volumeMounts:
+                - name: backup-tmp
+                  mountPath: /backup
+          containers:
+            - name: resticprofile
+              image: creativeprojects/resticprofile:0.32.0
+              imagePullPolicy: IfNotPresent
+              command:
+                - sh
+                - -c
+                - |
+                  resticprofile -c /secrets/profiles.yaml -n gitea-db backup
+                  resticprofile -c /secrets/profiles.yaml -n gitea-db copy
+              env:
+                - name: B2_ACCOUNT_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: gitea-backup-config
+                      key: B2_ACCOUNT_ID
+                - name: B2_ACCOUNT_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: gitea-backup-config
+                      key: B2_ACCOUNT_KEY
+              resources:
+                requests:
+                  cpu: 100m
+                  memory: 256Mi
+                limits:
+                  memory: 1Gi
+              volumeMounts:
+                - name: secrets
+                  mountPath: /secrets
+                  readOnly: true
+                - name: backup-tmp
+                  mountPath: /backup
+          volumes:
+            - name: secrets
+              secret:
+                secretName: gitea-backup-config
+            - name: backup-tmp
+              emptyDir: {}
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: gitea-data-backup
+  namespace: gitea
+  labels:
+    app: gitea-backup
+spec:
+  schedule: "0 3 * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            app: gitea-backup
+        spec:
+          restartPolicy: OnFailure
+          containers:
+            - name: resticprofile
+              image: creativeprojects/resticprofile:0.32.0
+              imagePullPolicy: IfNotPresent
+              command:
+                - sh
+                - -c
+                - |
+                  resticprofile -c /secrets/profiles.yaml -n gitea-data backup
+                  resticprofile -c /secrets/profiles.yaml -n gitea-data copy
+              env:
+                - name: B2_ACCOUNT_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: gitea-backup-config
+                      key: B2_ACCOUNT_ID
+                - name: B2_ACCOUNT_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: gitea-backup-config
+                      key: B2_ACCOUNT_KEY
+              resources:
+                requests:
+                  cpu: 100m
+                  memory: 256Mi
+                limits:
+                  memory: 1Gi
+              volumeMounts:
+                - name: secrets
+                  mountPath: /secrets
+                  readOnly: true
+                - name: data
+                  mountPath: /data
+                  readOnly: true
+          volumes:
+            - name: secrets
+              secret:
+                secretName: gitea-backup-config
+            - name: data
+              persistentVolumeClaim:
+                claimName: gitea-data

kubernetes/app/gitea/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gitea

kubernetes/app/gitea/networkpolicy.yaml

@@ -0,0 +1,111 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-ingress
+  namespace: gitea
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-controller
+  namespace: gitea
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: gitea
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik
+---
+# NodePort 32022 routes to pod port 2222 (rootless SSH listen port)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ssh-from-outside
+  namespace: gitea
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: gitea
+  policyTypes:
+    - Ingress
+  ingress:
+    - ports:
+        - port: 2222
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-app-to-db
+  namespace: gitea
+spec:
+  podSelector:
+    matchLabels:
+      app: gitea-db
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: gitea
+      ports:
+        - port: 5432
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-backup-to-db
+  namespace: gitea
+spec:
+  podSelector:
+    matchLabels:
+      app: gitea-db
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: gitea-backup
+      ports:
+        - port: 5432
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-backup-egress
+  namespace: gitea
+spec:
+  podSelector:
+    matchLabels:
+      app: gitea-backup
+  policyTypes:
+    - Egress
+  egress:
+    - ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+    - ports:
+        - port: 8888
+          protocol: TCP
+    - ports:
+        - port: 443
+          protocol: TCP
+    - ports:
+        - port: 5432
+          protocol: TCP
+      to:
+        - podSelector:
+            matchLabels:
+              app: gitea-db

kubernetes/app/gitea/release.yaml

@@ -0,0 +1,145 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: gitea
+  namespace: flux-system
+spec:
+  chart:
+    spec:
+      chart: gitea
+      version: 12.5.3
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: gitea
+        namespace: flux-system
+  targetNamespace: gitea
+  interval: 1m0s
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    strategy:
+      type: Recreate
+
+    podSecurityContext:
+      seccompProfile:
+        type: RuntimeDefault
+
+    image:
+      rootless: true
+      pullPolicy: IfNotPresent
+
+    postgresql-ha:
+      enabled: false
+    postgresql:
+      enabled: false
+    valkey-cluster:
+      enabled: false
+    valkey:
+      enabled: false
+
+    persistence:
+      enabled: true
+      create: true
+      claimName: gitea-data
+      size: 20Gi
+      storageClass: nfs-synology-ssd
+      accessModes:
+        - ReadWriteOnce
+
+    resources:
+      requests:
+        cpu: 100m
+        memory: 256Mi
+      limits:
+        memory: 1Gi
+
+    service:
+      http:
+        type: ClusterIP
+        port: 3000
+      ssh:
+        type: NodePort
+        port: 22
+        nodePort: 32022
+
+    ingress:
+      enabled: true
+      className: traefik
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt
+      hosts:
+        - host: ${GITEA_HOST}
+          paths:
+            - path: /
+              pathType: Prefix
+      tls:
+        - secretName: gitea-tls
+          hosts:
+            - ${GITEA_HOST}
+
+    gitea:
+      admin:
+        existingSecret: gitea-admin
+        passwordMode: keepUpdated
+
+      oauth:
+        - name: authelia
+          provider: openidConnect
+          existingSecret: gitea-oauth-authelia
+          autoDiscoverUrl: https://auth.${AUTHELIA_DOMAIN}/.well-known/openid-configuration
+
+      config:
+        server:
+          DOMAIN: ${GITEA_HOST}
+          ROOT_URL: https://${GITEA_HOST}/
+          SSH_DOMAIN: ${GITEA_HOST}
+          SSH_PORT: "22"
+          SSH_LISTEN_PORT: "2222"
+          LANDING_PAGE: login
+        service:
+          DISABLE_REGISTRATION: true
+          ALLOW_ONLY_EXTERNAL_REGISTRATION: true
+          SHOW_REGISTRATION_BUTTON: false
+          ENABLE_PASSWORD_SIGNIN_FORM: false
+          ENABLE_PASSKEY_AUTHENTICATION: false
+          REQUIRE_SIGNIN_VIEW: false
+
+        "service.explore":
+          DISABLE_USERS_PAGE: true
+          DISABLE_ORGANIZATIONS_PAGE: true
+        openid:
+          ENABLE_OPENID_SIGNIN: false
+          ENABLE_OPENID_SIGNUP: false
+        oauth2_client:
+          ENABLE_AUTO_REGISTRATION: true
+          USERNAME: preferred_username
+          OPENID_CONNECT_SCOPES: "email profile groups"
+          ACCOUNT_LINKING: auto
+          UPDATE_AVATAR: true
+          REGISTER_EMAIL_CONFIRM: false
+
+      additionalConfigFromEnvs:
+        - name: GITEA__database__DB_TYPE
+          value: postgres
+        - name: GITEA__database__HOST
+          value: gitea-db:5432
+        - name: GITEA__database__NAME
+          valueFrom:
+            secretKeyRef:
+              name: gitea-credentials
+              key: DB_DATABASE_NAME
+        - name: GITEA__database__USER
+          valueFrom:
+            secretKeyRef:
+              name: gitea-credentials
+              key: DB_USERNAME
+        - name: GITEA__database__PASSWD
+          valueFrom:
+            secretKeyRef:
+              name: gitea-credentials
+              key: DB_PASSWORD

kubernetes/app/gitea/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: gitea
+  namespace: flux-system
+spec:
+  interval: 1m0s
+  url: https://dl.gitea.com/charts/

kubernetes/app/gitea/secret-backup.sops.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: gitea-backup-config
+    namespace: gitea
+stringData:
+    profiles.yaml: ENC[AES256_GCM,data:uHgGYQxpS3FZ46aVqp8Qu/N4hV6uLRefYRGx/zr0aPcfHGtzsl1Bibw08x3lw6zl5fjS6S8P4rqD/RutSzldQ81/YVXEMu7XIHpyeVwGyFWcYXm7MLkXrhTxuyHjeNAhNJRgrkka45tLxOzf2JSQ7csjLtQ1/fBZ7BbUyZst5WuyJ9cRAX8ljYEwE84EkoXwN3j76913iq/tU8qZG77jf3nfCZIMHcsfEQRtHTkLVwa3kRXkmdOuUhlUB70cN5B1jl0nYvhV6dfGm5jw3jOdxos14w91IVJR7kAmNCJh0HND13frOuNVZNjBQ6Jx5DlhjKQ83aDZS3IxBAzNafptTn0V529EuRYbVr9hKLNzu+MJ8T7ao17zNbUTcpd0wXxQwESyywxea6scXxu6KkAbPKVZJLGC4gyjJAJdnHBMQAbn/XvEUturdA/ExG+B6Nt05KT8sObePyY2k3NwlUjRJxk01Y+di+44E2msg/K6D4u/yZX1Eg4FikMJL5ldBpCmBaeiM2gwdZEnO4hufNr46cdGH4nZxe+HMgsD6NrCpJzeTKnwHxa6DZpBkNk/XOmCU+HLQoIspqHiKVDB6kUY8EaSb+i3Qvqq9IHi7DooiZmXNVTHjEj2RTzqd+/I8S2JmANTs7zvEdtfJJ2K+KhK4tfqjdxRAv3yc+MoCb3AQEf86ZtIEtrjOaVtrZLZEb4GVk43VAHo2t34EXo5/FDQWVRdtdIs7L5TajT9jDZgpvqZQAe9yFwP9thbo+wG3zQaWDcgSWRE16zm14DXLcB58kV08YTyUKKw4KDC8TnHU8SfDpwhgq62z72XIdAADxLHtcAYlQak/2bMAISciEtgoC6XhYHvV85L79DLp5GZTta6mYWo3LJwjxzUgSyXQv6yMfQXw9q/4sQCkz1z19Qi6yAaqtkc6aTv1cN2zCPdFjjsmPdxkPATLhUFfLgNfJspedHiRxM5NWLJPDtpk2hzzp2KPnchTVjSUX1M2MD+z3bowxFPm4NJoiyFgmJRMr+F7HJciZa3s9HUv+0mn9R7T6mABM6XugVpJne50KMylb8mCPz46gV10nUy2xfYT3OuFHVPyN/SWjUkhm7BXm16yXQwZG+O+TNBUA3uxZmXl91GQZGqf14OMeX+S2B++LIxbrVAN3QamaTTJX4O+gZIWAQLOCR4gQUmazQE2cqroqWM00nDG1ZTo9ZzLTPsl8Fo8pGgJfiP/tGc7hjSVsz6vfvRdQs=,iv:3t0Qate3LKwYCMoR4jdAzCtJfMCVW0k3T9EK22io8vU=,tag:AQrbWLhhoWxwOtdxrwvdbA==,type:str]
+    restic-password-nas: ENC[AES256_GCM,data:Hp6UPBipoot5NmFKf6jqYWfPUFFi0QNZAjBhuiGCj3h9t9nTxo8vHL9wlP1fY+vNmRTPcG0YFabgV5Q/4yQZTw==,iv:9gWAoQ2RxsnjJfWKbMw2CFoATb84pMdrTvXd+AsSrlk=,tag:12AxyQrODLvQ4TdZazt+3w==,type:str]
+    restic-password-b2: ENC[AES256_GCM,data:QaTM08WEy2pQSs9s8VWQGi7HPu4cirbQhUixi49Ddjj5ffbqAuL+g7jhJNNCEZKI1Ljra51cv9lAFWTDUhbGwQ==,iv:oSbY9X1HPYG5Kgr8vW5tBN/kBu6APqbav+ONKisxRQI=,tag:Gzfz/O2uTkAtoRSfGxPj+g==,type:str]
+    B2_ACCOUNT_ID: ENC[AES256_GCM,data:9FSQY03LaT4Jm21+XQ5VVcfMQJ/QGEU2MA==,iv:OguTShXUeF5cm3Pfb9rC5aHS6LMQP5SlviV12KUi2mE=,tag:OyqEGluTuqYdeaA/g4BGWQ==,type:str]
+    B2_ACCOUNT_KEY: ENC[AES256_GCM,data:d+qcw1eDNzcVrGoJy2+hy+xpptckxJYN7rSQ+Y/bug==,iv:I5IIcZ8MURrZqn8SncqNvsgaM3QgRMnpzfjwpat5pPw=,tag:CBiigK5dYpxwoVDYYeax2A==,type:str]
+sops:
+    age:
+        - recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0TmpUWGVWczArYllEc2x6
+            a3lxNnVmMDdLTTVENVhhQkhnNmFBcHpzdnlZCnRNTENWRUxKZ2VQazJxYmJOS0Ro
+            SjlKT1RXdDkyYXpqdlY5bEkvME1YYWMKLS0tIHErcUdRUDBEdTlzbUNZa0Vya2xn
+            ckpUQUQ0cGlNVk9BaEZKUDVHQzRjQmMKcCznhR3n3tG96SdrGKarLNKAZoTi4Xj7
+            28m3avAtcOMryv0IrHvL4ogC3CdARRuJzh0UL1J+fOnvmwCZeiIjDg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-04-29T19:40:09Z"
+    mac: ENC[AES256_GCM,data:vr6nY1wUMfB131ApoErgg7bIzGfBy9ZOebeTCsB/UI42Y4ZxHWQbP3IQz9RXwlqgSH1/oeslOrHVgQDSX429XgzKkz4GLA4ebybe/hMQQH3tNIYUEMFq4oQCjZ20sbhnQUV98+Bir6GQMjq+r7BueHFixwmOA4lTu/vM4r82Zvw=,iv:MNyWngFH4pPA3hZhDg1kqd5cBanmSBk03Q8pCyA7m+0=,tag:aNCPGwUGqb3hsoCCIiG40A==,type:str]
+    encrypted_regex: ^(data|stringData|email)$
+    version: 3.12.2

kubernetes/app/gitea/secret.sops.yaml

@@ -0,0 +1,73 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: gitea-credentials
+    namespace: gitea
+stringData:
+    DB_USERNAME: ENC[AES256_GCM,data:3cbes9s=,iv:E+zSCE93AVTPiWtQKW15+fHp/6nKtEY0RFWkC9K95w4=,tag:bpM84tAY0TJlJHkvCYl4tQ==,type:str]
+    DB_PASSWORD: ENC[AES256_GCM,data:PziUZ2Yg+kk6qvqs16k3gl2+gFT/MeE7DTzsfD+21bvLa8cvjPywNTTBS2gDB5h6H6+bn3f3X6tN+KYg2fNUYA==,iv:Ego7tQnpe8LcDd+XAG3ThtQUGR5cyjRnkCjppOtcW3M=,tag:zwrew+a4j78kNpgr2yfW6w==,type:str]
+    DB_DATABASE_NAME: ENC[AES256_GCM,data:wevUgjE=,iv:2VMHHmp4rI3EE8lmKL+88VDwtIy8RoHbxZM5dsln6Q0=,tag:Vinwbtci+UkGoyzGEEF/5A==,type:str]
+sops:
+    age:
+        - recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWWhqdVVJNmhUT0FBWFVk
+            V1V4R0wyV1V3WnpHZ1JGWm1iTnQ5TmsyeGk4ClpKSlJyMjYxNmQvUWlNbHY0cU0y
+            ZkJuTHd0K1k2cGhLTG1ncXBhMWk3ZzgKLS0tIEtXNXJQa2txMFovSnZkeDM1R2tk
+            TWwxTXBRUkJWcG1sMUl3REFtMkI2WG8KyvuPr8iwuiVC9j5wXLaok5AeJhXXq8CI
+            H7HCBU4mVjwd0IrtlwSCLx5vUDKTpc2e5SumJp4nSy1D5R+uOjEWBA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-04-29T19:32:53Z"
+    mac: ENC[AES256_GCM,data:ngT9hUeIQM+NL3v/WApSBGsdWJw7CZvAMfqb/4d80DwV0cF14WjMVupc0d6mD7ykhJGM5ptwf1zR8QPSkErCRXSHxFoLXGAJVN4h+MOy48yZ61RK/p+dip5CkPojTfb5i6rU0dIOFVpjm7z6JbPLz8UTxMTikwzo/w931AKa9PE=,iv:wXZQRvt6pImnxVIfyOhRJWQl+ytrlmDxd8odDra16XQ=,tag:/6Fixh2urHAgUfQx+h6Dsg==,type:str]
+    encrypted_regex: ^(data|stringData|email)$
+    version: 3.12.2
+---
+apiVersion: v1
+kind: Secret
+metadata:
+    name: gitea-admin
+    namespace: gitea
+stringData:
+    username: ENC[AES256_GCM,data:w6EdTuF/JRY3QuU=,iv:DaPA4FbTz44m99OafT7rYGAuSNY1+Kd0fqoH3nl/8vQ=,tag:QZU+4g/k5Ft4w06uh/kzZw==,type:str]
+    password: ENC[AES256_GCM,data:tl8bLeTQfsa3NHg2WJrHzBe5LXaGd+9btVyZFgPc0Mp3hDkPZh6pAZDd1n96pO9oNYe2elmKfdaJZGhX6Xknow==,iv:boQQm3XRAg9ZrLC2yP2TBqDH6JtCneoS3y4RCBpTTMw=,tag:uKLU0mUQvCLs3FhEv3aFYQ==,type:str]
+    email: ENC[AES256_GCM,data:WekZNlut9EhIyIJF6Z5yZevVeBWUggeDbFYQx2A=,iv:125s6eI55SckKFvFvZ78G2MCdoiUqdXaKGNu7vtFOpw=,tag:ZVToNfQ5K11Z3QUJ0FrWPg==,type:str]
+sops:
+    age:
+        - recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWWhqdVVJNmhUT0FBWFVk
+            V1V4R0wyV1V3WnpHZ1JGWm1iTnQ5TmsyeGk4ClpKSlJyMjYxNmQvUWlNbHY0cU0y
+            ZkJuTHd0K1k2cGhLTG1ncXBhMWk3ZzgKLS0tIEtXNXJQa2txMFovSnZkeDM1R2tk
+            TWwxTXBRUkJWcG1sMUl3REFtMkI2WG8KyvuPr8iwuiVC9j5wXLaok5AeJhXXq8CI
+            H7HCBU4mVjwd0IrtlwSCLx5vUDKTpc2e5SumJp4nSy1D5R+uOjEWBA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-04-29T19:32:53Z"
+    mac: ENC[AES256_GCM,data:ngT9hUeIQM+NL3v/WApSBGsdWJw7CZvAMfqb/4d80DwV0cF14WjMVupc0d6mD7ykhJGM5ptwf1zR8QPSkErCRXSHxFoLXGAJVN4h+MOy48yZ61RK/p+dip5CkPojTfb5i6rU0dIOFVpjm7z6JbPLz8UTxMTikwzo/w931AKa9PE=,iv:wXZQRvt6pImnxVIfyOhRJWQl+ytrlmDxd8odDra16XQ=,tag:/6Fixh2urHAgUfQx+h6Dsg==,type:str]
+    encrypted_regex: ^(data|stringData|email)$
+    version: 3.12.2
+---
+apiVersion: v1
+kind: Secret
+metadata:
+    name: gitea-oauth-authelia
+    namespace: gitea
+stringData:
+    key: ENC[AES256_GCM,data:6gbsmUI=,iv:rLq6rHHqyJ158JxbmFGkko6rPt2aJkQKCDGY/kOil5E=,tag:qz/2riJi00AkEdtOtQTJdA==,type:str]
+    secret: ENC[AES256_GCM,data:z8zuEZ9xgiIiSCDOtXn4yXU5n5TggMpc+5y8Vv21ja8PTXXf1l3krnc55qaJPuo85+fYqzW+NDPbTWPAIkVqtvr260N++d7z,iv:hh91ss/nbBIvxosNLQ5zy6G593Vxn92q+8f0APjiORk=,tag:FzvjgjCyEyvzmZ4J/muPlg==,type:str]
+sops:
+    age:
+        - recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWWhqdVVJNmhUT0FBWFVk
+            V1V4R0wyV1V3WnpHZ1JGWm1iTnQ5TmsyeGk4ClpKSlJyMjYxNmQvUWlNbHY0cU0y
+            ZkJuTHd0K1k2cGhLTG1ncXBhMWk3ZzgKLS0tIEtXNXJQa2txMFovSnZkeDM1R2tk
+            TWwxTXBRUkJWcG1sMUl3REFtMkI2WG8KyvuPr8iwuiVC9j5wXLaok5AeJhXXq8CI
+            H7HCBU4mVjwd0IrtlwSCLx5vUDKTpc2e5SumJp4nSy1D5R+uOjEWBA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-04-29T19:32:53Z"
+    mac: ENC[AES256_GCM,data:ngT9hUeIQM+NL3v/WApSBGsdWJw7CZvAMfqb/4d80DwV0cF14WjMVupc0d6mD7ykhJGM5ptwf1zR8QPSkErCRXSHxFoLXGAJVN4h+MOy48yZ61RK/p+dip5CkPojTfb5i6rU0dIOFVpjm7z6JbPLz8UTxMTikwzo/w931AKa9PE=,iv:wXZQRvt6pImnxVIfyOhRJWQl+ytrlmDxd8odDra16XQ=,tag:/6Fixh2urHAgUfQx+h6Dsg==,type:str]
+    encrypted_regex: ^(data|stringData|email)$
+    version: 3.12.2

kubernetes/app/gitea/service-db.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea-db
+  namespace: gitea
+spec:
+  clusterIP: None
+  selector:
+    app: gitea-db
+  ports:
+    - port: 5432
+      targetPort: 5432

kubernetes/app/gitea/statefulset-db.yaml

@@ -0,0 +1,80 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: gitea-db
+  namespace: gitea
+  labels:
+    app: gitea-db
+spec:
+  serviceName: gitea-db
+  replicas: 1
+  selector:
+    matchLabels:
+      app: gitea-db
+  template:
+    metadata:
+      labels:
+        app: gitea-db
+    spec:
+      securityContext:
+        runAsUser: 999
+        runAsGroup: 999
+        fsGroup: 999
+      containers:
+        - name: postgres
+          image: postgres:17
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: POSTGRES_USER
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-credentials
+                  key: DB_USERNAME
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-credentials
+                  key: DB_PASSWORD
+            - name: POSTGRES_DB
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-credentials
+                  key: DB_DATABASE_NAME
+            - name: PGDATA
+              value: /var/lib/postgresql/data/pgdata
+          ports:
+            - containerPort: 5432
+          startupProbe:
+            tcpSocket:
+              port: 5432
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            failureThreshold: 30
+          livenessProbe:
+            tcpSocket:
+              port: 5432
+            periodSeconds: 30
+            failureThreshold: 5
+          readinessProbe:
+            tcpSocket:
+              port: 5432
+            periodSeconds: 10
+            failureThreshold: 3
+          resources:
+            requests:
+              cpu: 50m
+              memory: 256Mi
+            limits:
+              memory: 1Gi
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/postgresql/data
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        storageClassName: nfs-synology-ssd
+        resources:
+          requests:
+            storage: 5Gi

kubernetes/app/immich/cronjob-backup.yaml

@@ -1,3 +1,15 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: immich-backup-cache
+  namespace: immich
+spec:
+  accessModes: ["ReadWriteOnce"]
+  storageClassName: nfs-synology-ssd
+  resources:
+    requests:
+      storage: 1Gi
+---
 apiVersion: batch/v1
 kind: CronJob
 metadata:
@@ -119,6 +131,8 @@ spec:
                     secretKeyRef:
                       name: immich-backup-config
                       key: B2_ACCOUNT_KEY
+                - name: RESTIC_CACHE_DIR
+                  value: /cache
               volumeMounts:
                 - name: secrets
                   mountPath: /secrets
@@ -126,6 +140,8 @@ spec:
                 - name: library
                   mountPath: /data
                   readOnly: true
+                - name: cache
+                  mountPath: /cache
               resources:
                 requests:
                   cpu: 100m
@@ -139,3 +155,6 @@ spec:
             - name: library
               persistentVolumeClaim:
                 claimName: immich-library
+            - name: cache
+              persistentVolumeClaim:
+                claimName: immich-backup-cache

kubernetes/app/immich/release.yaml

@@ -28,7 +28,7 @@ spec:
           main:
             image:
               repository: ghcr.io/immich-app/immich-server
-              tag: v2.7.3
+              tag: v2.7.5
             resources:
               requests:
                 cpu: 100m

kubernetes/app/immich/secret-backup.sops.yaml

@@ -4,7 +4,7 @@ metadata:
     name: immich-backup-config
     namespace: immich
 stringData:
-    profiles.yaml: ENC[AES256_GCM,data:8xHz7OVSV5yTzjK+a+3QJp6fKoNSYjYMSytSxbl6gwSH9vhC/n/H5AkCeoRQeMbv8XxvBcW7AE8SRNRbGUGdpVa7bbGfc64NMReH15Jly/krVRYXKwuwxPwLyDLu3BJkkUMVR8WOLqcin8GL0CMxsPYw7u9pexOm8029C6OUJNkgeoZfxkw2p84duOPvJiSB4zgTK4MBUAXXk9ntaD+DyMyskjwH/wIbxhVeeqIji0BixSUPhYhiz7zpvxtoAYUaDkgQZZkIMVYayb4ors11W9Hl1pq/mQ8P8GFleaqabYJeerRCGSZbjpo67HHcAdAHlYlPD09eReDi8Lc786+0LVVstUII09kSDqz3So3NSKzo7N86s0PUTTFaBYSWz1Nc9NVvYxb5vpPLNuLjrPDHy9yRlLw53wKtX6CzioPXG96NKfTU7d6tR8ocaCk38/tXkVQxf2MTWJaj2lL3u5gGftPYTXagNHF6IQYI9hIyrznUP4FezErfZmAunaIKvRnQ+AYli7AtbNkeOUeqJ3GYIlKR7eZTxeKFhK54iOvivm7OZiSfi20ItjruAO6kpYl0zfoJGEOGO1sNFmkgRb00VMxVIjBxjszb6er1TdKx5MPW3IY3tXLXGoLe0J/MNb0C9eDWD9EgR70BVz+0dFYmrC5mgMugpMMEi9yZjD1c517NyNzREVSrrKkdqrjyD2kzNSpNZEniIMP0n0MPEZ/vIp1oKzZQ3eMev+zHxvhGp98TjQ/oWhu5tXOc/g/mWUiASaB8611Doa2laVPCXTcMQCxFo8/b2CkmfToFmGwWmzQNmp0coRK4Zjr7bUIa1Ki1SmeAd0n2/yBQuX+081+NO+no8+GhR2/FS+SlYqh5PweCeAtM7GYeCoRXYUTTxafCS5JJ912fDUbaJixLbg1F3zficPAQ1XBSsB14pHO2rGVRcRS1pEruAXwTsMSpNiTIRLghxU/ES6zCwfxwL83PRcfSgep/G+GAfdijtVawH+c+QBTHI/5bLS5rmid8qR0TYrH89UbnOMFa0evDFuNgh5qtBi938gKKqdCtPAY7kkU8l8+fT9bLied0S6jE5q7jNXmBJH3qmc47MYwNSOeouiJ2aXar9KVn/xbBlaIuHd5Go97PtU09XZK2hcAGEXGiQT6iI8MXUucl/dfvtFMmlkD0wMMytQ8q9AFt7RwodVTWLv/mMxxBg3HrWKqvM3vBOzEjCTTWctOVmjCr/qq/sLBr/mxYFg==,iv:5P67BQp0lLdEqdUx2r2PLjYlUJiUIU1A+O2rFQQP4CM=,tag:4yRRV1Cuy5O31X/++QCD0Q==,type:str]
+    profiles.yaml: ENC[AES256_GCM,data:u6/Xt5Vez8Wd78omhpoACJXZcYYqcAoGudik5djNGK9jd5VUOk7/Mxq3IEloKcgaxXtN5NXtRc89GwZNYXeQJkY++aKpmDBvQb/usXyHoYW+fn1NbzRjuShTxrnFgEIPoxT/j55Kjr9v+AmRXfH7TVHkJObVPBJ+RZw8bzAGzRxpQ20EeQuVPY9sl6TbYb0RoPr3r9uYslWXHIAbvP24AU3kTTtzK+i8aJkpIm2o1Kkl+d8Iht6V0q9rET76zR/A2W8qz2lJ+C/0mSqdxez7kwLZiQLFKlJ/GRBp1erReOh3AThwhBWH9o4clJr+qtNyyiu0wXPOtX4KqwWvv13hPOAlVxBISX+EIKQMGVMrKYdmS4CnRt/LgUh8bjJn1nfdXG18Rrcm5X3fh/cAhFCrzWlGYHaJbAQ0dEqHx3n/9npHsxstbCY7qYm/QDXA7AosEa/vp0B1aX8J4VFZEd/AH7AwW4lOvzuRSNo0SUxcGQEZqArTyEbVXlgZg2xQrCaH8DFjF5OQ5ElaP17dGYu/zyfIFxlMVVtV9snW+SeeV5A9dJsj3KSmfGpMwcHfYhaTQieaS5Crv+19Ax/MQfQYdZwfX6yjsUQEAK4dLwPHMLbu1H97djLuC/ZPYB8thO2+fEPA/g6wgCUnyKga+97B0jt6GSXRg9oYC9wfl+P2ucUrlzBDhClabygFfYRZZ+P6YK1jjodYhttRkD5+L7WwYElgxVBCxBzOZIO4aPxz1TXSPsGIE1/v6GASbvn2h7S4e2fP5YgqefDJPOxDy+iET4+N0wy5TcYd8wZqV0NJUtRvNoA6Y2a3VktAH4ZkzeIsnjdItfFNuOXMkvdhE8uF32zShHR/UVvnNBsJZdC1+hacEur1Lo7CHvnPdvbjn3e+2z+PPWts0akU+oPg06901bU1m5aiPDf55CVAoG8nD8fdOnea3cgXsoCC+uIUd7y0/CQS7EkBSaBi0ewcL8IGh2Yy4CXAnPBhSSEmiZpwJK7fe+kk+kAHllFHDme02osU70qxsBVux3dLYjStQSu7EWeQYzkeknlGPMD90GISOQSVX9BCjZOJTL5LcGVHolRNuX0/isL4xpeb7LchkgGGHjSNEp9zirjMS4eDecHQgDxv0uTXYEnVq67fBLTzeAHVlZyCvTzpOEec9cnSTvC+KLKlAIcsmkFVQduu1G0VyTb3kujGKjNvo7A7OriWQfhffse9qo/1moJUzlOFlpZzX9GtGlI4vEb81m78YE3I7aEAQ1+F/w8hzspQFBmdwTfOc5d+mm6+ogtk6BpaO6RYw4ooMcy/D4pQxwgO/gUM,iv:YZaQwbYkKOuL3XShnOB5VblbN5EEEcD3CfPyauezqyA=,tag:m0QQiuR0DfCc+o4ILSlfgg==,type:str]
     restic-password-nas: ENC[AES256_GCM,data:lXtgvRD9ov1llpAWnK7RwYulfp0umpcZw7qHhjCWHc1ag0dEeMKOveehqz+kIUfqLe+L3ETXOoyeDgYlXMCzkw==,iv:Bve8VOl42fTVZ5QNxKuVwGzLnkKihjm5vRHW8A0J+R0=,tag:q7QnJsJtSF6oo9DoHCwL4Q==,type:str]
     restic-password-b2: ENC[AES256_GCM,data:th+gQw51kZDy0zGsqiUSUfBwOBOGaQxqgIj4aJV706OQ2IPmL5Z7JX4r8d30O5ezZ3Cyxniw7PFx+UgNUmg0pg==,iv:HxHsvvHkwjef3/E3/Ix+e8PgyK+uCd8Yl8qZPhhsnjw=,tag:bKRTdd88Mo53/wmf4aQEiA==,type:str]
     B2_ACCOUNT_ID: ENC[AES256_GCM,data:2GCe4rtcCdz0iaNWnEf3rFzd3Qh9CNMqaA==,iv:aiHojCbIisaUfDh5GIR6tY0IW6MVZEII6apW6KV0r90=,tag:FER2E8ZzIML0/0ZeaAwHsA==,type:str]
@@ -20,7 +20,7 @@ sops:
             U2ZxL2VvbUF1Wk93TmxseHcvVWNOc2sKNmTJhYwOuV2gE/PGFodfxsQS6Okwv+Yq
             a0V7VAhKutBT+b+1lmdCvQy/wOTzHRo4tJ6wDReu9bwT8pj8ya/hkw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-11T19:58:21Z"
+    lastmodified: "2026-04-15T11:37:07Z"
-    mac: ENC[AES256_GCM,data:nJFnd5587Vv1+EzBnBMm8sEy+8jINWS2Fm8oW0lcOkeUbuBmBvQXpOSZf6IMvcPCIHdIwBRk8etI2kvH2GB8XtkhKJtGodRmRjfYnwBMWMdAjrYpK7eazHLQdsp1lyYZ5YaqS6oSaZtc4nJAhfO7Z9rpOZC0oTrZSnF+HEmsEds=,iv:Kn56EjcCZk1UNg4tFtogucNlNx9Xoh0SNDa9+hApMJE=,tag:ITbEbv5Q4HkbLVueOcl5GQ==,type:str]
+    mac: ENC[AES256_GCM,data:wpm26S/DoAybezV0oIkUwLkpl8KJAaBqHIMhitErCYEKamy6ysJrNbXPQVbFLRspFZpXSx8XY981+yJ4puE72Vf43MrjcUBAJb373fWvWtiw/3UrGGCZIHTM478efemkErkip2nxRprTc/vMAdWyGezXIUnTJunuovcBuf1Ogwo=,iv:kLxrIJTtRotsovidkFshOK1irOcL546uiy+DRNXoTNQ=,tag:/q5NGIjiR+mRW8YVuYyeHg==,type:str]
     encrypted_regex: ^(data|stringData|email)$
-    version: 3.12.1
+    version: 3.12.2

kubernetes/app/media/release-seerr.yaml

@@ -18,7 +18,7 @@ spec:
   targetNamespace: media
   values:
     image:
-      tag: v3.1.0
+      tag: v3.2.0
     podLabels:
       app: seerr
     extraEnv:

kubernetes/config/cluster-vars.sops.yaml

@@ -33,6 +33,8 @@ stringData:
     CRYPTPAD_DATA_NFS_PATH: ENC[AES256_GCM,data:dNOxsmge//CgcBO0GIQUdcIBfaiGI1IVxXJ8IjmQl+Wh3A==,iv:hfuLuSWuSnbiItweWBSKxpxZJFgAWgUJCZNLcLZQVgw=,tag:7o353kHezQVRqb5BtC7rYw==,type:str]
     CRYPTPAD_CONFIG_NFS_PATH: ENC[AES256_GCM,data:VJ4h7ADenNgFIiNIFK7pJKMrUBYc4e9c4MdVzqGoR4TDWGYL,iv:8ZhMHiZLh2C4J/vh/8L96R6VIkKoWc7ib/bUAQ5rZE0=,tag:HgvJjjYybCgxatUbcRFY7Q==,type:str]
     SEERR_HOST: ENC[AES256_GCM,data:l64ttp+rLNU8GfwIE4fhJROSMDEb,iv:1vHOw0LyGN9OMhYemhtRq9GE2fc4J2EprZU3bp/h4kk=,tag:WNV0Jh7816ra7IIOBMspBg==,type:str]
+    FIREFLY_HOST: ENC[AES256_GCM,data:EQdrW33PVlD/brZCqh/sTkqLdPWW/bo=,iv:zbNnjsT1J6lpCEWtvNyL4A3bjWsusCjI5goWcZ8hajk=,tag:VwA6YA056bsyYIKB+X59bw==,type:str]
+    GITEA_HOST: ENC[AES256_GCM,data:Ky3tXS9E9iadabpVzoK5zEbigmtn,iv:t6OdQeQ7Kxzb7qbi+KeoOkJd0XE2Dse5P1fFyiHM6tg=,tag:GpmHtVDr0IQVbpbALVx40g==,type:str]
     BACKUP_LOCAL_HOST: ENC[AES256_GCM,data:ABaTI3NKkhF7K2FpPwvvrHA0l/tCxAi4Qek=,iv:34ixxSpKU1c12uoMdk4nz2Vo/+5A/npB7NWMsWFytIM=,tag:qjw2fQBebCKnqCnAPiBHaw==,type:str]
 sops:
     age:
@@ -45,7 +47,7 @@ sops:
             MGJ6TFpwR0diNjlEN2syZkhNMFNwRDQK9pzmQGB0GQu6ogMIJW+kugvBNj3w+dxW
             bfEF9GAznIM/N5rPytF4wNgqwfoAF7GwumgA+iD43wprKtUJn+6dqw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-24T07:43:54Z"
+    lastmodified: "2026-04-29T19:47:22Z"
-    mac: ENC[AES256_GCM,data:HDM/kZW9TxuIN6FBpE2kIdac2IU3yam807hfOAMRmX5l9DgaItPHmW6s/mSV2Mb9jDmWB1LjPipVcgPGdU/Lr4V6QcVPsaf+/KA73kAw4BBgiBOPFwBS0gdqGKfXbHS9uh3BTtjenvFnDD+tTnBsEOHSYjvfYFucE4A1GQc2EzU=,iv:lBEz0ayGP7dyNZ6YMIjpHMg2c11YdCWGpC7QLfTxy+8=,tag:nWCffX0iISgld7uGcdN9EQ==,type:str]
+    mac: ENC[AES256_GCM,data:WgVeGY1tGl3Y97FRGNVEkM2J4WKeHil6ki2Jsww1QOsAdGyL7QaL0vPpfRfDc8FRHhyeahS7ShacUvBKnL5Lihxnrqhkd8wA0BgxONk0k/W8/WtU/tvhXpTwxTWgQ5VyPtX3QwwkAcGTARBu+Xrp2y9QGXU8NPO56eH6cUGPEW4=,iv:KjZbbRfhy4ZHtv38MHlX8jxK+9pp/U2aGaX+d8HRK3E=,tag:wcdQVdpYR9czzeYMi554oQ==,type:str]
     encrypted_regex: ^(data|stringData|email)$
-    version: 3.12.1
+    version: 3.12.2

kubernetes/infrastructure/controllers/authelia/redis-release.yaml

@@ -20,7 +20,9 @@ spec:
     architecture: standalone
     auth:
       enabled: false
+    commonConfiguration: |-
+      appendonly no
+      save ""
     master:
       persistence:
-        storageClass: nfs-synology-ssd
+        enabled: false
-        size: 256Mi