apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: gitea namespace: flux-system spec: chart: spec: chart: gitea version: 12.5.3 reconcileStrategy: ChartVersion sourceRef: kind: HelmRepository name: gitea namespace: flux-system targetNamespace: gitea interval: 1m0s install: remediation: retries: 3 upgrade: remediation: retries: 3 # Patch the init script: Gitea 1.26 removed environment-to-ini; use built-in subcommand instead. # Remove once helm-gitea chart ships a release with the fix (commit 1baf2d0). postRenderers: - kustomize: patches: - target: kind: Secret name: gitea-gitea patch: | - op: replace path: /data/config_environment.sh value: IyEvdXNyL2Jpbi9lbnYgYmFzaApzZXQgLWV1byBwaXBlZmFpbAoKZnVuY3Rpb24gZW52MmluaTo6bG9nKCkgewogIHByaW50ZiAiJHsxfVxuIgp9CgpmdW5jdGlvbiBlbnYyaW5pOjpyZWFkX2NvbmZpZ190b19lbnYoKSB7CiAgbG9jYWwgc2VjdGlvbj0iJHsxfSIKICBsb2NhbCBsaW5lPSIkezJ9IgoKICBpZiBbWyAteiAiJHtsaW5lfSIgXV07IHRoZW4KICAgICMgc2tpcCBlbXB0eSBsaW5lCiAgICByZXR1cm4KICBmaQoKICAjICd4YXJncyBlY2hvIC1uJyB0cmltcyBhbGwgbGVhZGluZy90cmFpbGluZyB3aGl0ZXNwYWNlcyBhbmQgYSB0cmFpbGluZyBuZXcgbGluZQogIGxvY2FsIHNldHRpbmc9IiQoYXdrIC1GICc9JyAne3ByaW50ICQxfScgPDw8ICIke2xpbmV9IiB8IHhhcmdzIGVjaG8gLW4pIgoKICBpZiBbWyAteiAiJHtzZXR0aW5nfSIgXV07IHRoZW4KICAgIGVudjJpbmk6OmxvZyAnICAhIGludmFsaWQgc2V0dGluZycKICAgIGV4aXQgMQogIGZpCgogIGxvY2FsIHZhbHVlPScnCiAgbG9jYWwgcmVnZXg9Il4ke3NldHRpbmd9KFxzKik9KFxzKikoLiopIgogIGlmIFtbICRsaW5lID1+ICRyZWdleCBdXTsgdGhlbgogICAgdmFsdWU9IiR7QkFTSF9SRU1BVENIWzNdfSIKICBlbHNlCiAgICBlbnYyaW5pOjpsb2cgJyAgISBpbnZhbGlkIHNldHRpbmcnCiAgICBleGl0IDEKICBmaQoKICBlbnYyaW5pOjpsb2cgIiAgICArICcke3NldHRpbmd9JyIKCiAgaWYgW1sgLXogIiR7c2VjdGlvbn0iIF1dOyB0aGVuCiAgICBleHBvcnQgIkdJVEVBX19fXyR7c2V0dGluZ15efT0ke3ZhbHVlfSIgICAgICAgICAgICAgICAgICAgICAgICAgICAjICdeXicgbWFrZXMgdGhlIHZhcmlhYmxlIGNvbnRlbnQgdXBwZXJjYXNlCiAgICByZXR1cm4KICBmaQoKICBsb2NhbCBtYXNrZWRfc2VjdGlvbj0iJHtzZWN0aW9uLy8uL18wWDJFX30iICAgICAgICAgICAgICAgICAgICAgICAgICAgICMgJy8vJyBpbnN0cnVjdHMgdG8gcmVwbGFjZSBhbGwgbWF0Y2hlcwogIG1hc2tlZF9zZWN0aW9uPSIke21hc2tlZF9zZWN0aW9uLy8tL18wWDJEX30iCgogIGV4cG9ydCAiR0lURUFfXyR7bWFza2VkX3NlY3Rpb25eXn1fXyR7c2V0dGluZ15efT0ke3ZhbHVlfSIgICAgICAgICMgJ15eJyBtYWtlcyB0aGUgdmFyaWFibGUgY29udGVudCB1cHBlcmNhc2UKfQoKZnVuY3Rpb24gZW52MmluaTo6cmVsb2FkX3ByZXNldF9lbnZzKCkgewogIGVudjJpbmk6OmxvZyAiUmVsb2FkaW5nIHByZXNldCBlbnZzLi4uIgoKICB3aGlsZSByZWFkIC1yIGxpbmU7IGRvCiAgICBpZiBbWyAteiAiJHtsaW5lfSIgXV07IHRoZW4KICAgICAgIyBza2lwIGVtcHR5IGxpbmUKICAgICAgcmV0dXJuCiAgICBmaQoKICAgICMgJ3hhcmdzIGVjaG8gLW4nIHRyaW1zIGFsbCBsZWFkaW5nL3RyYWlsaW5nIHdoaXRlc3BhY2VzIGFuZCBhIHRyYWlsaW5nIG5ldyBsaW5lCiAgICBsb2NhbCBzZXR0aW5nPSIkKGF3ayAtRiAnPScgJ3twcmludCAkMX0nIDw8PCAiJHtsaW5lfSIgfCB4YXJncyBlY2hvIC1uKSIKCiAgICBpZiBbWyAteiAiJHtzZXR0aW5nfSIgXV07IHRoZW4KICAgICAgZW52MmluaTo6bG9nICcgICEgaW52YWxpZCBzZXR0aW5nJwogICAgICBleGl0IDEKICAgIGZpCgogICAgbG9jYWwgdmFsdWU9JycKICAgIGxvY2FsIHJlZ2V4PSJeJHtzZXR0aW5nfShccyopPShccyopKC4qKSIKICAgIGlmIFtbICRsaW5lID1+ICRyZWdleCBdXTsgdGhlbgogICAgICB2YWx1ZT0iJHtCQVNIX1JFTUFUQ0hbM119IgogICAgZWxzZQogICAgICBlbnYyaW5pOjpsb2cgJyAgISBpbnZhbGlkIHNldHRpbmcnCiAgICAgIGV4aXQgMQogICAgZmkKCiAgICBlbnYyaW5pOjpsb2cgIiAgKyAnJHtzZXR0aW5nfSciCgogICAgZXhwb3J0ICIke3NldHRpbmdeXn09JHt2YWx1ZX0iICAgICAgICAgICAgICAgICAgICAgICAgICAgIyAnXl4nIG1ha2VzIHRoZSB2YXJpYWJsZSBjb250ZW50IHVwcGVyY2FzZQogIGRvbmUgPCAiJFRNUF9FWElTVElOR19FTlZTX0ZJTEUiCgogIHJtICRUTVBfRVhJU1RJTkdfRU5WU19GSUxFCn0KCgpmdW5jdGlvbiBlbnYyaW5pOjpwcm9jZXNzX2NvbmZpZ19maWxlKCkgewogIGxvY2FsIGNvbmZpZ19maWxlPSIkezF9IgogIGxvY2FsIHNlY3Rpb249IiQoYmFzZW5hbWUgIiR7Y29uZmlnX2ZpbGV9IikiCgogIGlmIFtbICRzZWN0aW9uID09ICdfZ2VuZXJhbHNfJyBdXTsgdGhlbgogICAgZW52MmluaTo6bG9nICIgIFtpbmkgcm9vdF0iCiAgICBzZWN0aW9uPScnCiAgZWxzZQogICAgZW52MmluaTo6bG9nICIgICR7c2VjdGlvbn0iCiAgZmkKCiAgd2hpbGUgcmVhZCAtciBsaW5lOyBkbwogICAgZW52MmluaTo6cmVhZF9jb25maWdfdG9fZW52ICIke3NlY3Rpb259IiAiJHtsaW5lfSIKICBkb25lIDwgPChhd2sgMSAiJHtjb25maWdfZmlsZX0iKSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIyBIZWxtIC50b1lhbWwgdHJpbXMgdGhlIHRyYWlsaW5nIG5ldyBsaW5lIHdoaWNoIGJyZWFrcyBsaW5lIHByb2Nlc3Npbmc7IGF3ayAxIC4uLiBhZGRzIGl0IGJhY2sgd2hpbGUgcmVhZGluZwp9CgpmdW5jdGlvbiBlbnYyaW5pOjpsb2FkX2NvbmZpZ19zb3VyY2VzKCkgewogIGxvY2FsIHBhdGg9IiR7MX0iCgogIGlmIFtbIC1kICIke3BhdGh9IiBdXTsgdGhlbgogICAgZW52MmluaTo6bG9nICJQcm9jZXNzaW5nICQoYmFzZW5hbWUgIiR7cGF0aH0iKS4uLiIKCiAgICB3aGlsZSByZWFkIC1kICcnIGNvbmZpZ0ZpbGU7IGRvCiAgICAgIGVudjJpbmk6OnByb2Nlc3NfY29uZmlnX2ZpbGUgIiR7Y29uZmlnRmlsZX0iCiAgICBkb25lIDwgPChmaW5kICIke3BhdGh9IiAtdHlwZSBsIC1ub3QgLW5hbWUgJy4uZGF0YScgLXByaW50MCkKCiAgICBlbnYyaW5pOjpsb2cgIlxuIgogIGZpCn0KCmZ1bmN0aW9uIGVudjJpbmk6OmdlbmVyYXRlX2luaXRpYWxfc2VjcmV0cygpIHsKICAjIFRoZXNlIGVudmlyb25tZW50IHZhcmlhYmxlcyB3aWxsIGVpdGhlciBiZQogICMgICAtIG92ZXJ3cml0dGVuIHdpdGggdXNlciBkZWZpbmVkIHZhbHVlcywKICAjICAgLSBpbml0aWFsbHkgdXNlZCB0byBzZXQgdXAgR2l0ZWEKICAjIEFueXdheSwgdGhleSB3b24ndCBoYXJtIGV4aXN0aW5nIGFwcC5pbmkgZmlsZXMKCiAgZXhwb3J0IEdJVEVBX19TRUNVUklUWV9fSU5URVJOQUxfVE9LRU49JChnaXRlYSBnZW5lcmF0ZSBzZWNyZXQgSU5URVJOQUxfVE9LRU4pCiAgZXhwb3J0IEdJVEVBX19TRUNVUklUWV9fU0VDUkVUX0tFWT0kKGdpdGVhIGdlbmVyYXRlIHNlY3JldCBTRUNSRVRfS0VZKQogIGV4cG9ydCBHSVRFQV9fT0FVVEgyX19KV1RfU0VDUkVUPSQoZ2l0ZWEgZ2VuZXJhdGUgc2VjcmV0IEpXVF9TRUNSRVQpCiAgZXhwb3J0IEdJVEVBX19TRVJWRVJfX0xGU19KV1RfU0VDUkVUPSQoZ2l0ZWEgZ2VuZXJhdGUgc2VjcmV0IExGU19KV1RfU0VDUkVUKQoKICBlbnYyaW5pOjpsb2cgIi4uLkluaXRpYWwgc2VjcmV0cyBnZW5lcmF0ZWRcbiIKfQoKIyBzYXZlIGV4aXN0aW5nIGVudnMgcHJpb3IgdG8gc2NyaXB0IGV4ZWN1dGlvbi4gTmVjZXNzYXJ5IHRvIGtlZXAgb3JkZXIgb2YgcHJlZXhpc3RpbmcgYW5kIGN1c3RvbSBlbnZzCmVudiB8IChncmVwIC1lICdeR0lURUFfXycgfHwgW1sgJD8gPT0gMSBdXSkgPiAkVE1QX0VYSVNUSU5HX0VOVlNfRklMRQoKIyBNVVNUIEJFIENBTExFRCBCRUZPUkUgT1RIRVIgQ09ORklHVVJBVElPTgplbnYyaW5pOjpnZW5lcmF0ZV9pbml0aWFsX3NlY3JldHMKCmVudjJpbmk6OmxvYWRfY29uZmlnX3NvdXJjZXMgIiRFTlZfVE9fSU5JX01PVU5UX1BPSU5UL2lubGluZXMvIgplbnYyaW5pOjpsb2FkX2NvbmZpZ19zb3VyY2VzICIkRU5WX1RPX0lOSV9NT1VOVF9QT0lOVC9hZGRpdGlvbmFscy8iCgojIGxvYWQgZXhpc3RpbmcgZW52cyB0byBvdmVycmlkZSBhdXRvIGdlbmVyYXRlZCBlbnZzCmVudjJpbmk6OnJlbG9hZF9wcmVzZXRfZW52cwoKZW52MmluaTo6bG9nICI9PT0gQWxsIGNvbmZpZ3VyYXRpb24gc291cmNlcyBsb2FkZWQgPT09XG4iCgojIHNhZmV0eSB0byBwcmV2ZW50IHJld3JpdGUgb2Ygc2VjcmV0IGtleXMgaWYgYW4gYXBwLmluaSBhbHJlYWR5IGV4aXN0cwppZiBbIC1mICR7R0lURUFfQVBQX0lOSX0gXTsgdGhlbgogIGVudjJpbmk6OmxvZyAnQW4gYXBwLmluaSBmaWxlIGFscmVhZHkgZXhpc3RzLiBUbyBwcmV2ZW50IG92ZXJ3cml0aW5nIHNlY3JldCBrZXlzLCB0aGVzZSBzZXR0aW5ncyBhcmUgZHJvcHBlZCBhbmQgcmVtYWluIHVuY2hhbmdlZDonCiAgZW52MmluaTo6bG9nICcgIC0gc2VjdXJpdHkuSU5URVJOQUxfVE9LRU4nCiAgZW52MmluaTo6bG9nICcgIC0gc2VjdXJpdHkuU0VDUkVUX0tFWScKICBlbnYyaW5pOjpsb2cgJyAgLSBvYXV0aDIuSldUX1NFQ1JFVCcKICBlbnYyaW5pOjpsb2cgJyAgLSBzZXJ2ZXIuTEZTX0pXVF9TRUNSRVQnCgogIHVuc2V0IEdJVEVBX19TRUNVUklUWV9fSU5URVJOQUxfVE9LRU4KICB1bnNldCBHSVRFQV9fU0VDVVJJVFlfX1NFQ1JFVF9LRVkKICB1bnNldCBHSVRFQV9fT0FVVEgyX19KV1RfU0VDUkVUCiAgdW5zZXQgR0lURUFfX1NFUlZFUl9fTEZTX0pXVF9TRUNSRVQKZmkKCmdpdGVhIGNvbmZpZyBlZGl0LWluaSAtLWFwcGx5LWVudiAtLWNvbmZpZyAiJEdJVEVBX0FQUF9JTkkiIC0tb3V0ICIkR0lURUFfQVBQX0lOSSIK values: strategy: type: RollingUpdate podSecurityContext: seccompProfile: type: RuntimeDefault image: # renovate: currentValue=1.26.1-rootless currentDigest=sha256:d671880e8fd3e337ea7ce3870bfe8fd37709060cd48224e4df2501c141b85443 tag: 1.26.1 digest: sha256:d671880e8fd3e337ea7ce3870bfe8fd37709060cd48224e4df2501c141b85443 rootless: true pullPolicy: IfNotPresent postgresql-ha: enabled: false postgresql: enabled: false valkey-cluster: enabled: false valkey: enabled: false persistence: enabled: true create: true claimName: gitea-data size: 20Gi storageClass: nfs-synology-ssd accessModes: - ReadWriteOnce extraVolumes: - name: gitea-extra persistentVolumeClaim: claimName: gitea-extra extraContainerVolumeMounts: - name: gitea-extra mountPath: /data/extra resources: requests: cpu: 100m memory: 256Mi limits: memory: 1Gi service: http: type: ClusterIP port: 3000 ssh: type: NodePort port: 22 nodePort: 32022 ingress: enabled: true className: traefik annotations: cert-manager.io/cluster-issuer: letsencrypt hosts: - host: ${GITEA_HOST} paths: - path: / pathType: Prefix tls: - secretName: gitea-tls hosts: - ${GITEA_HOST} gitea: admin: existingSecret: gitea-admin passwordMode: keepUpdated oauth: - name: authelia provider: openidConnect existingSecret: gitea-oauth-authelia autoDiscoverUrl: https://auth.${AUTHELIA_DOMAIN}/.well-known/openid-configuration config: repository: DEFAULT_BRANCH: master server: DOMAIN: ${GITEA_HOST} ROOT_URL: https://${GITEA_HOST}/ SSH_DOMAIN: ${GITEA_HOST} SSH_PORT: "22" SSH_LISTEN_PORT: "2222" LANDING_PAGE: login service: DISABLE_REGISTRATION: true ALLOW_ONLY_EXTERNAL_REGISTRATION: true SHOW_REGISTRATION_BUTTON: false ENABLE_PASSWORD_SIGNIN_FORM: false ENABLE_PASSKEY_AUTHENTICATION: false REQUIRE_SIGNIN_VIEW: false "service.explore": DISABLE_USERS_PAGE: true DISABLE_ORGANIZATIONS_PAGE: true openid: ENABLE_OPENID_SIGNIN: false ENABLE_OPENID_SIGNUP: false oauth2_client: ENABLE_AUTO_REGISTRATION: true USERNAME: preferred_username OPENID_CONNECT_SCOPES: "email profile groups" ACCOUNT_LINKING: auto UPDATE_AVATAR: true REGISTER_EMAIL_CONFIRM: false actions: ENABLED: true DEFAULT_ACTIONS_URL: github LOG_RETENTION_DAYS: 7 ARTIFACT_RETENTION_DAYS: 7 LOG_COMPRESSION: zstd "storage.packages": PATH: /data/extra/packages "storage.actions_log": PATH: /data/extra/actions_log "storage.actions_artifacts": STORAGE_TYPE: local PATH: /data/extra/actions_artifacts additionalConfigFromEnvs: - name: GITEA__database__DB_TYPE value: postgres - name: GITEA__database__HOST value: gitea-db:5432 - name: GITEA__database__NAME valueFrom: secretKeyRef: name: gitea-credentials key: DB_DATABASE_NAME - name: GITEA__database__USER valueFrom: secretKeyRef: name: gitea-credentials key: DB_USERNAME - name: GITEA__database__PASSWD valueFrom: secretKeyRef: name: gitea-credentials key: DB_PASSWORD