4.7 KiB
Gitea setup checklist
Secrets (must be done before committing)
-
[+] Generate OIDC client secret:
docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 \ --variant sha512 --iterations 310000 --random --random.length 72- Plaintext →
secret.sops.yaml(gitea-oauth-authelia.secret) - Hash → Authelia configmap (
sops -d -i kubernetes/infrastructure/controllers/authelia/configmap.sops.yaml, replaceCHANGE_ME_pbkdf2_hash,sops -e -i)
- Plaintext →
-
[+] Fill in
secret.sops.yaml(gitea-credentials,gitea-adminpasswords and email) then encrypt:cd kubernetes && sops -e -i app/gitea/secret.sops.yaml -
[+] Fill in
secret-backup.sops.yaml(bothCHANGE_MEin repo URLs, restic passwords, B2 creds) then encrypt:cd kubernetes && sops -e -i app/gitea/secret-backup.sops.yaml
Synology / Backups
-
[+] Add htpasswd user
giteaon rest-server:docker run --rm httpd:2-alpine htpasswd -nbB gitea 'YOUR_PW' # append output to /volume1/docker/rest-server/config/htpasswd on Synology -
[+] Init restic repos:
restic -r "rest:http://gitea:OQXxm5MHxXNCQuXrzXSUjj8zHO6KKtRYtrWLINFVsmhJq2QuA6CclpA12lAZ4Zwj@synology.mgmt.lviv:8888/gitea-db/" init restic -r "rest:http://gitea:OQXxm5MHxXNCQuXrzXSUjj8zHO6KKtRYtrWLINFVsmhJq2QuA6CclpA12lAZ4Zwj@synology.mgmt.lviv:8888/gitea-data/" init B2_ACCOUNT_ID=003c68ad65aa815000000000f B2_ACCOUNT_KEY='K003NHIj6SX+UO04MhycojpI/NTgIiM' restic -r "b2:berezovskyi-backup-homelab-gitea:/db/" init B2_ACCOUNT_ID=003c68ad65aa815000000000f B2_ACCOUNT_KEY='K003NHIj6SX+UO04MhycojpI/NTgIiM' restic -r "b2:berezovskyi-backup-homelab-gitea:/data/" init -
[+] Create B2 bucket
berezovskyi-backup-homelab-gitea(if it doesn't exist yet)
Network / DNS
- [+] Router: forward
WAN:22/tcp→<node-ip>:32022/tcp - [+] Ensure node firewall allows
32022/tcpfrom router - [+] DNS: point
gitea.berezovskyi.dev→ cluster external IP (same as other*.berezovskyi.devservices)
Deploy & verify
-
[+] Commit and push; wait for Flux to reconcile (~1 min):
flux get hr -n flux-system gitea kubectl get pods -n gitea -
[+] Functional checks:
https://gitea.berezovskyi.devloads, only "Sign in with authelia" button visible (no local login form)- Click SSO → Authelia 2FA → back to Gitea, logged in
ssh -T -p 32022 git@<node-ip>→Hi <user>! You've successfully authenticated...- Test backup:
kubectl create job --from=cronjob/gitea-db-backup gitea-db-backup-test -n gitea - Verify snapshot:
restic -r "rest:http://gitea:<pw>@synology.storage.lviv:8888/gitea-db/" snapshots
Actions + Container Registry (Phase 1 + Phase 2)
Phase 1 — Gitea config, extra PVC, backup (single commit)
-
[+] Init restic repo for
gitea-extra:restic -r "rest:http://gitea:OQXxm5MHxXNCQuXrzXSUjj8zHO6KKtRYtrWLINFVsmhJq2QuA6CclpA12lAZ4Zwj@synology.storage.lviv:8888/gitea-extra/" init B2_ACCOUNT_ID=003c68ad65aa815000000000f B2_ACCOUNT_KEY='K003NHIj6SX+UO04MhycojpI/NTgIiM' \ restic -r "b2:berezovskyi-backup-homelab-gitea:/extra/" init -
Commit Phase 1 files (
release.yaml,pvc-extra.yaml,cronjob-backup.yaml,secret-backup.sops.yaml,networkpolicy.yaml) → wait for Flux:flux reconcile hr -n flux-system gitea kubectl get pvc -n gitea gitea-extra kubectl exec -n gitea gitea-0 -- ls -la /data/extra -
Test backup:
kubectl create job --from=cronjob/gitea-extra-backup gitea-extra-backup-test -n gitea
Phase 2 — act_runner (separate commit, after token is generated)
-
Generate runner registration token:
kubectl exec -n gitea gitea-0 -- gitea --config /data/gitea/conf/app.ini actions generate-runner-token -
Replace
REPLACE_ME_WITH_RUNNER_TOKENinsecret-runner.sops.yamlwith the value above, then encrypt:cd kubernetes && sops -e -i app/gitea/secret-runner.sops.yaml -
Commit Phase 2 files (
secret-runner.sops.yaml,release-actions.yaml). -
Verify runner:
kubectl get hr -n flux-system gitea-actions kubectl logs -n gitea statefulset/gitea-actions-act-runner -c act-runner | tail -20In UI:
https://gitea.berezovskyi.dev/-/admin/actions/runners→ runner with statusIdle. -
Smoke-test workflow (in any repo,
.gitea/workflows/test.yaml):on: push jobs: test: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - run: echo "ok" -
Smoke-test container registry:
echo "$GITEA_TOKEN" | docker login gitea.berezovskyi.dev -u <user> --password-stdin docker tag alpine:3 gitea.berezovskyi.dev/<user>/test:latest docker push gitea.berezovskyi.dev/<user>/test:latest