Compare commits
2 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
376a5b1a96
|
|||
|
9012cb559d
|
@@ -0,0 +1,122 @@
|
||||
# Gitea setup checklist
|
||||
|
||||
## Secrets (must be done before committing)
|
||||
|
||||
- [+] Generate OIDC client secret:
|
||||
```bash
|
||||
docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 \
|
||||
--variant sha512 --iterations 310000 --random --random.length 72
|
||||
```
|
||||
- Plaintext → `secret.sops.yaml` (`gitea-oauth-authelia.secret`)
|
||||
- Hash → Authelia configmap (`sops -d -i kubernetes/infrastructure/controllers/authelia/configmap.sops.yaml`, replace `CHANGE_ME_pbkdf2_hash`, `sops -e -i`)
|
||||
|
||||
- [+] Fill in `secret.sops.yaml` (`gitea-credentials`, `gitea-admin` passwords and email) then encrypt:
|
||||
```bash
|
||||
cd kubernetes && sops -e -i app/gitea/secret.sops.yaml
|
||||
```
|
||||
|
||||
- [+] Fill in `secret-backup.sops.yaml` (both `CHANGE_ME` in repo URLs, restic passwords, B2 creds) then encrypt:
|
||||
```bash
|
||||
cd kubernetes && sops -e -i app/gitea/secret-backup.sops.yaml
|
||||
```
|
||||
|
||||
## Synology / Backups
|
||||
|
||||
- [+] Add htpasswd user `gitea` on rest-server:
|
||||
```bash
|
||||
docker run --rm httpd:2-alpine htpasswd -nbB gitea 'YOUR_PW'
|
||||
# append output to /volume1/docker/rest-server/config/htpasswd on Synology
|
||||
```
|
||||
|
||||
- [+] Init restic repos:
|
||||
```bash
|
||||
restic -r "rest:http://gitea:OQXxm5MHxXNCQuXrzXSUjj8zHO6KKtRYtrWLINFVsmhJq2QuA6CclpA12lAZ4Zwj@synology.mgmt.lviv:8888/gitea-db/" init
|
||||
restic -r "rest:http://gitea:OQXxm5MHxXNCQuXrzXSUjj8zHO6KKtRYtrWLINFVsmhJq2QuA6CclpA12lAZ4Zwj@synology.mgmt.lviv:8888/gitea-data/" init
|
||||
B2_ACCOUNT_ID=003c68ad65aa815000000000f B2_ACCOUNT_KEY='K003NHIj6SX+UO04MhycojpI/NTgIiM' restic -r "b2:berezovskyi-backup-homelab-gitea:/db/" init
|
||||
B2_ACCOUNT_ID=003c68ad65aa815000000000f B2_ACCOUNT_KEY='K003NHIj6SX+UO04MhycojpI/NTgIiM' restic -r "b2:berezovskyi-backup-homelab-gitea:/data/" init
|
||||
```
|
||||
|
||||
- [+] Create B2 bucket `berezovskyi-backup-homelab-gitea` (if it doesn't exist yet)
|
||||
|
||||
## Network / DNS
|
||||
|
||||
- [+] Router: forward `WAN:22/tcp` → `<node-ip>:32022/tcp`
|
||||
- [+] Ensure node firewall allows `32022/tcp` from router
|
||||
- [+] DNS: point `gitea.berezovskyi.dev` → cluster external IP (same as other `*.berezovskyi.dev` services)
|
||||
|
||||
## Deploy & verify
|
||||
|
||||
- [+] Commit and push; wait for Flux to reconcile (~1 min):
|
||||
```bash
|
||||
flux get hr -n flux-system gitea
|
||||
kubectl get pods -n gitea
|
||||
```
|
||||
|
||||
- [+] Functional checks:
|
||||
- `https://gitea.berezovskyi.dev` loads, only "Sign in with authelia" button visible (no local login form)
|
||||
- Click SSO → Authelia 2FA → back to Gitea, logged in
|
||||
- `ssh -T -p 32022 git@<node-ip>` → `Hi <user>! You've successfully authenticated...`
|
||||
- Test backup: `kubectl create job --from=cronjob/gitea-db-backup gitea-db-backup-test -n gitea`
|
||||
- Verify snapshot: `restic -r "rest:http://gitea:<pw>@synology.storage.lviv:8888/gitea-db/" snapshots`
|
||||
|
||||
## Actions + Container Registry (Phase 1 + Phase 2)
|
||||
|
||||
### Phase 1 — Gitea config, extra PVC, backup (single commit)
|
||||
|
||||
- [+] Init restic repo for `gitea-extra`:
|
||||
```bash
|
||||
restic -r "rest:http://gitea:OQXxm5MHxXNCQuXrzXSUjj8zHO6KKtRYtrWLINFVsmhJq2QuA6CclpA12lAZ4Zwj@synology.storage.lviv:8888/gitea-extra/" init
|
||||
B2_ACCOUNT_ID=003c68ad65aa815000000000f B2_ACCOUNT_KEY='K003NHIj6SX+UO04MhycojpI/NTgIiM' \
|
||||
restic -r "b2:berezovskyi-backup-homelab-gitea:/extra/" init
|
||||
```
|
||||
|
||||
- [ ] Commit Phase 1 files (`release.yaml`, `pvc-extra.yaml`, `cronjob-backup.yaml`, `secret-backup.sops.yaml`, `networkpolicy.yaml`) → wait for Flux:
|
||||
```bash
|
||||
flux reconcile hr -n flux-system gitea
|
||||
kubectl get pvc -n gitea gitea-extra
|
||||
kubectl exec -n gitea gitea-0 -- ls -la /data/extra
|
||||
```
|
||||
|
||||
- [ ] Test backup:
|
||||
```bash
|
||||
kubectl create job --from=cronjob/gitea-extra-backup gitea-extra-backup-test -n gitea
|
||||
```
|
||||
|
||||
### Phase 2 — act_runner (separate commit, after token is generated)
|
||||
|
||||
- [ ] Generate runner registration token:
|
||||
```bash
|
||||
kubectl exec -n gitea gitea-0 -- gitea --config /data/gitea/conf/app.ini actions generate-runner-token
|
||||
```
|
||||
|
||||
- [ ] Replace `REPLACE_ME_WITH_RUNNER_TOKEN` in `secret-runner.sops.yaml` with the value above, then encrypt:
|
||||
```bash
|
||||
cd kubernetes && sops -e -i app/gitea/secret-runner.sops.yaml
|
||||
```
|
||||
|
||||
- [ ] Commit Phase 2 files (`secret-runner.sops.yaml`, `release-actions.yaml`).
|
||||
|
||||
- [ ] Verify runner:
|
||||
```bash
|
||||
kubectl get hr -n flux-system gitea-actions
|
||||
kubectl logs -n gitea statefulset/gitea-actions-act-runner -c act-runner | tail -20
|
||||
```
|
||||
In UI: `https://gitea.berezovskyi.dev/-/admin/actions/runners` → runner with status `Idle`.
|
||||
|
||||
- [ ] Smoke-test workflow (in any repo, `.gitea/workflows/test.yaml`):
|
||||
```yaml
|
||||
on: push
|
||||
jobs:
|
||||
test:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- run: echo "ok"
|
||||
```
|
||||
|
||||
- [ ] Smoke-test container registry:
|
||||
```bash
|
||||
echo "$GITEA_TOKEN" | docker login gitea.berezovskyi.dev -u <user> --password-stdin
|
||||
docker tag alpine:3 gitea.berezovskyi.dev/<user>/test:latest
|
||||
docker push gitea.berezovskyi.dev/<user>/test:latest
|
||||
```
|
||||
Reference in New Issue
Block a user