123 lines
4.7 KiB
Markdown
123 lines
4.7 KiB
Markdown
# Gitea setup checklist
|
|
|
|
## Secrets (must be done before committing)
|
|
|
|
- [+] Generate OIDC client secret:
|
|
```bash
|
|
docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 \
|
|
--variant sha512 --iterations 310000 --random --random.length 72
|
|
```
|
|
- Plaintext → `secret.sops.yaml` (`gitea-oauth-authelia.secret`)
|
|
- Hash → Authelia configmap (`sops -d -i kubernetes/infrastructure/controllers/authelia/configmap.sops.yaml`, replace `CHANGE_ME_pbkdf2_hash`, `sops -e -i`)
|
|
|
|
- [+] Fill in `secret.sops.yaml` (`gitea-credentials`, `gitea-admin` passwords and email) then encrypt:
|
|
```bash
|
|
cd kubernetes && sops -e -i app/gitea/secret.sops.yaml
|
|
```
|
|
|
|
- [+] Fill in `secret-backup.sops.yaml` (both `CHANGE_ME` in repo URLs, restic passwords, B2 creds) then encrypt:
|
|
```bash
|
|
cd kubernetes && sops -e -i app/gitea/secret-backup.sops.yaml
|
|
```
|
|
|
|
## Synology / Backups
|
|
|
|
- [+] Add htpasswd user `gitea` on rest-server:
|
|
```bash
|
|
docker run --rm httpd:2-alpine htpasswd -nbB gitea 'YOUR_PW'
|
|
# append output to /volume1/docker/rest-server/config/htpasswd on Synology
|
|
```
|
|
|
|
- [+] Init restic repos:
|
|
```bash
|
|
restic -r "rest:http://gitea:OQXxm5MHxXNCQuXrzXSUjj8zHO6KKtRYtrWLINFVsmhJq2QuA6CclpA12lAZ4Zwj@synology.mgmt.lviv:8888/gitea-db/" init
|
|
restic -r "rest:http://gitea:OQXxm5MHxXNCQuXrzXSUjj8zHO6KKtRYtrWLINFVsmhJq2QuA6CclpA12lAZ4Zwj@synology.mgmt.lviv:8888/gitea-data/" init
|
|
B2_ACCOUNT_ID=003c68ad65aa815000000000f B2_ACCOUNT_KEY='K003NHIj6SX+UO04MhycojpI/NTgIiM' restic -r "b2:berezovskyi-backup-homelab-gitea:/db/" init
|
|
B2_ACCOUNT_ID=003c68ad65aa815000000000f B2_ACCOUNT_KEY='K003NHIj6SX+UO04MhycojpI/NTgIiM' restic -r "b2:berezovskyi-backup-homelab-gitea:/data/" init
|
|
```
|
|
|
|
- [+] Create B2 bucket `berezovskyi-backup-homelab-gitea` (if it doesn't exist yet)
|
|
|
|
## Network / DNS
|
|
|
|
- [+] Router: forward `WAN:22/tcp` → `<node-ip>:32022/tcp`
|
|
- [+] Ensure node firewall allows `32022/tcp` from router
|
|
- [+] DNS: point `gitea.berezovskyi.dev` → cluster external IP (same as other `*.berezovskyi.dev` services)
|
|
|
|
## Deploy & verify
|
|
|
|
- [+] Commit and push; wait for Flux to reconcile (~1 min):
|
|
```bash
|
|
flux get hr -n flux-system gitea
|
|
kubectl get pods -n gitea
|
|
```
|
|
|
|
- [+] Functional checks:
|
|
- `https://gitea.berezovskyi.dev` loads, only "Sign in with authelia" button visible (no local login form)
|
|
- Click SSO → Authelia 2FA → back to Gitea, logged in
|
|
- `ssh -T -p 32022 git@<node-ip>` → `Hi <user>! You've successfully authenticated...`
|
|
- Test backup: `kubectl create job --from=cronjob/gitea-db-backup gitea-db-backup-test -n gitea`
|
|
- Verify snapshot: `restic -r "rest:http://gitea:<pw>@synology.storage.lviv:8888/gitea-db/" snapshots`
|
|
|
|
## Actions + Container Registry (Phase 1 + Phase 2)
|
|
|
|
### Phase 1 — Gitea config, extra PVC, backup (single commit)
|
|
|
|
- [+] Init restic repo for `gitea-extra`:
|
|
```bash
|
|
restic -r "rest:http://gitea:OQXxm5MHxXNCQuXrzXSUjj8zHO6KKtRYtrWLINFVsmhJq2QuA6CclpA12lAZ4Zwj@synology.storage.lviv:8888/gitea-extra/" init
|
|
B2_ACCOUNT_ID=003c68ad65aa815000000000f B2_ACCOUNT_KEY='K003NHIj6SX+UO04MhycojpI/NTgIiM' \
|
|
restic -r "b2:berezovskyi-backup-homelab-gitea:/extra/" init
|
|
```
|
|
|
|
- [ ] Commit Phase 1 files (`release.yaml`, `pvc-extra.yaml`, `cronjob-backup.yaml`, `secret-backup.sops.yaml`, `networkpolicy.yaml`) → wait for Flux:
|
|
```bash
|
|
flux reconcile hr -n flux-system gitea
|
|
kubectl get pvc -n gitea gitea-extra
|
|
kubectl exec -n gitea gitea-0 -- ls -la /data/extra
|
|
```
|
|
|
|
- [ ] Test backup:
|
|
```bash
|
|
kubectl create job --from=cronjob/gitea-extra-backup gitea-extra-backup-test -n gitea
|
|
```
|
|
|
|
### Phase 2 — act_runner (separate commit, after token is generated)
|
|
|
|
- [ ] Generate runner registration token:
|
|
```bash
|
|
kubectl exec -n gitea gitea-0 -- gitea --config /data/gitea/conf/app.ini actions generate-runner-token
|
|
```
|
|
|
|
- [ ] Replace `REPLACE_ME_WITH_RUNNER_TOKEN` in `secret-runner.sops.yaml` with the value above, then encrypt:
|
|
```bash
|
|
cd kubernetes && sops -e -i app/gitea/secret-runner.sops.yaml
|
|
```
|
|
|
|
- [ ] Commit Phase 2 files (`secret-runner.sops.yaml`, `release-actions.yaml`).
|
|
|
|
- [ ] Verify runner:
|
|
```bash
|
|
kubectl get hr -n flux-system gitea-actions
|
|
kubectl logs -n gitea statefulset/gitea-actions-act-runner -c act-runner | tail -20
|
|
```
|
|
In UI: `https://gitea.berezovskyi.dev/-/admin/actions/runners` → runner with status `Idle`.
|
|
|
|
- [ ] Smoke-test workflow (in any repo, `.gitea/workflows/test.yaml`):
|
|
```yaml
|
|
on: push
|
|
jobs:
|
|
test:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- run: echo "ok"
|
|
```
|
|
|
|
- [ ] Smoke-test container registry:
|
|
```bash
|
|
echo "$GITEA_TOKEN" | docker login gitea.berezovskyi.dev -u <user> --password-stdin
|
|
docker tag alpine:3 gitea.berezovskyi.dev/<user>/test:latest
|
|
docker push gitea.berezovskyi.dev/<user>/test:latest
|
|
```
|