apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: gitea namespace: flux-system spec: chart: spec: chart: gitea version: 12.5.3 reconcileStrategy: ChartVersion sourceRef: kind: HelmRepository name: gitea namespace: flux-system targetNamespace: gitea interval: 1m0s install: remediation: retries: 3 upgrade: remediation: retries: 3 # Patch the init script: Gitea 1.26 removed environment-to-ini; use built-in subcommand instead. # Remove once helm-gitea chart ships a release with the fix (commit 1baf2d0). postRenderers: - kustomize: patches: - target: kind: Secret name: gitea-gitea patch: | apiVersion: v1 kind: Secret metadata: name: gitea-gitea stringData: config_environment.sh: | #!/usr/bin/env bash set -euo pipefail function env2ini::log() { printf "$${1}\n" } function env2ini::read_config_to_env() { local section="$${1}" local line="$${2}" if [[ -z "$${line}" ]]; then # skip empty line return fi # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line local setting="$(awk -F '=' '{print $1}' <<< "$${line}" | xargs echo -n)" if [[ -z "$${setting}" ]]; then env2ini::log ' ! invalid setting' exit 1 fi local value='' local regex="^$${setting}(\s*)=(\s*)(.*)" if [[ $line =~ $regex ]]; then value="$${BASH_REMATCH[3]}" else env2ini::log ' ! invalid setting' exit 1 fi env2ini::log " + '$${setting}'" if [[ -z "$${section}" ]]; then export "GITEA____$${setting^^}=$${value}" # '^^' makes the variable content uppercase return fi local masked_section="$${section//./_0X2E_}" # '//' instructs to replace all matches masked_section="$${masked_section//-/_0X2D_}" export "GITEA__$${masked_section^^}__$${setting^^}=$${value}" # '^^' makes the variable content uppercase } function env2ini::reload_preset_envs() { env2ini::log "Reloading preset envs..." while read -r line; do if [[ -z "$${line}" ]]; then # skip empty line return fi # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line local setting="$(awk -F '=' '{print $1}' <<< "$${line}" | xargs echo -n)" if [[ -z "$${setting}" ]]; then env2ini::log ' ! invalid setting' exit 1 fi local value='' local regex="^$${setting}(\s*)=(\s*)(.*)" if [[ $line =~ $regex ]]; then value="$${BASH_REMATCH[3]}" else env2ini::log ' ! invalid setting' exit 1 fi env2ini::log " + '$${setting}'" export "$${setting^^}=$${value}" # '^^' makes the variable content uppercase done < "$TMP_EXISTING_ENVS_FILE" rm $TMP_EXISTING_ENVS_FILE } function env2ini::process_config_file() { local config_file="$${1}" local section="$(basename "$${config_file}")" if [[ $section == '_generals_' ]]; then env2ini::log " [ini root]" section='' else env2ini::log " $${section}" fi while read -r line; do env2ini::read_config_to_env "$${section}" "$${line}" done < <(awk 1 "$${config_file}") # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading } function env2ini::load_config_sources() { local path="$${1}" if [[ -d "$${path}" ]]; then env2ini::log "Processing $(basename "$${path}")..." while read -d '' configFile; do env2ini::process_config_file "$${configFile}" done < <(find "$${path}" -type l -not -name '..data' -print0) env2ini::log "\n" fi } function env2ini::generate_initial_secrets() { # These environment variables will either be # - overwritten with user defined values, # - initially used to set up Gitea # Anyway, they won't harm existing app.ini files export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN) export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY) export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET) export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET) env2ini::log "...Initial secrets generated\n" } # save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs env | (grep -e '^GITEA__' || [[ $? == 1 ]]) > $TMP_EXISTING_ENVS_FILE # MUST BE CALLED BEFORE OTHER CONFIGURATION env2ini::generate_initial_secrets env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/inlines/" env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/additionals/" # load existing envs to override auto generated envs env2ini::reload_preset_envs env2ini::log "=== All configuration sources loaded ===\n" # safety to prevent rewrite of secret keys if an app.ini already exists if [ -f $${GITEA_APP_INI} ]; then env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:' env2ini::log ' - security.INTERNAL_TOKEN' env2ini::log ' - security.SECRET_KEY' env2ini::log ' - oauth2.JWT_SECRET' env2ini::log ' - server.LFS_JWT_SECRET' unset GITEA__SECURITY__INTERNAL_TOKEN unset GITEA__SECURITY__SECRET_KEY unset GITEA__OAUTH2__JWT_SECRET unset GITEA__SERVER__LFS_JWT_SECRET fi gitea config edit-ini --apply-env --config "$GITEA_APP_INI" --out "$GITEA_APP_INI" values: strategy: type: RollingUpdate podSecurityContext: seccompProfile: type: RuntimeDefault image: # renovate: currentValue=1.26.1-rootless currentDigest=sha256:4c4256497e2e237ddebdd30986c7ce52cb6f936b3e90c34bb9f4665714599f62 tag: 1.26.1 digest: sha256:4c4256497e2e237ddebdd30986c7ce52cb6f936b3e90c34bb9f4665714599f62 rootless: true pullPolicy: IfNotPresent postgresql-ha: enabled: false postgresql: enabled: false valkey-cluster: enabled: false valkey: enabled: false persistence: enabled: true create: true claimName: gitea-data size: 20Gi storageClass: nfs-synology-ssd accessModes: - ReadWriteOnce extraVolumes: - name: gitea-extra persistentVolumeClaim: claimName: gitea-extra extraContainerVolumeMounts: - name: gitea-extra mountPath: /data/extra resources: requests: cpu: 100m memory: 256Mi limits: memory: 1Gi service: http: type: ClusterIP port: 3000 ssh: type: NodePort port: 22 nodePort: 32022 ingress: enabled: true className: traefik annotations: cert-manager.io/cluster-issuer: letsencrypt hosts: - host: ${GITEA_HOST} paths: - path: / pathType: Prefix tls: - secretName: gitea-tls hosts: - ${GITEA_HOST} gitea: admin: existingSecret: gitea-admin passwordMode: keepUpdated oauth: - name: authelia provider: openidConnect existingSecret: gitea-oauth-authelia autoDiscoverUrl: https://auth.${AUTHELIA_DOMAIN}/.well-known/openid-configuration config: repository: DEFAULT_BRANCH: master server: DOMAIN: ${GITEA_HOST} ROOT_URL: https://${GITEA_HOST}/ SSH_DOMAIN: ${GITEA_HOST} SSH_PORT: "22" SSH_LISTEN_PORT: "2222" LANDING_PAGE: login service: DISABLE_REGISTRATION: true ALLOW_ONLY_EXTERNAL_REGISTRATION: true SHOW_REGISTRATION_BUTTON: false ENABLE_PASSWORD_SIGNIN_FORM: false ENABLE_PASSKEY_AUTHENTICATION: false REQUIRE_SIGNIN_VIEW: false "service.explore": DISABLE_USERS_PAGE: true DISABLE_ORGANIZATIONS_PAGE: true openid: ENABLE_OPENID_SIGNIN: false ENABLE_OPENID_SIGNUP: false oauth2_client: ENABLE_AUTO_REGISTRATION: true USERNAME: preferred_username OPENID_CONNECT_SCOPES: "email profile groups" ACCOUNT_LINKING: auto UPDATE_AVATAR: true REGISTER_EMAIL_CONFIRM: false actions: ENABLED: true DEFAULT_ACTIONS_URL: github LOG_RETENTION_DAYS: 7 ARTIFACT_RETENTION_DAYS: 7 LOG_COMPRESSION: zstd "storage.packages": PATH: /data/extra/packages "storage.actions_log": PATH: /data/extra/actions_log "storage.actions_artifacts": STORAGE_TYPE: local PATH: /data/extra/actions_artifacts additionalConfigFromEnvs: - name: GITEA__database__DB_TYPE value: postgres - name: GITEA__database__HOST value: gitea-db:5432 - name: GITEA__database__NAME valueFrom: secretKeyRef: name: gitea-credentials key: DB_DATABASE_NAME - name: GITEA__database__USER valueFrom: secretKeyRef: name: gitea-credentials key: DB_USERNAME - name: GITEA__database__PASSWD valueFrom: secretKeyRef: name: gitea-credentials key: DB_PASSWORD