From baeb4480ca2454f45b67c0b00bcdadd8467cc58a Mon Sep 17 00:00:00 2001
From: "ryan-distrust.co"
Date: Mon, 15 May 2023 21:51:42 -0400
Subject: [PATCH] k/forgejo: initial WIP commit
---
 kustomizations/forgejo/app_template.ini | 89 ++++++++++++++
 .../forgejo/forgejo-config.enc.yaml | 79 ++++++++++++
 .../forgejo/forgejo-env-vars.patch.yaml | 39 ++++++
 kustomizations/forgejo/ingress.yaml | 24 ++++
 .../forgejo/keycloak-client-config.enc.yaml | 80 +++++++++++++
 kustomizations/forgejo/kustomization.yaml | 27 +++++
 kustomizations/forgejo/namespace.yaml | 4 +
 kustomizations/forgejo/postgres-auth.enc.yaml | 83 +++++++++++++
 kustomizations/forgejo/resources.yaml | 112 ++++++++++++++++++
 .../scripts/generate-forgejo-secret.sh | 33 ++++++
 kustomizations/forgejo/secret-generator.yaml | 8 ++
 11 files changed, 578 insertions(+)
 create mode 100644 kustomizations/forgejo/app_template.ini
 create mode 100644 kustomizations/forgejo/forgejo-config.enc.yaml
 create mode 100644 kustomizations/forgejo/forgejo-env-vars.patch.yaml
 create mode 100644 kustomizations/forgejo/ingress.yaml
 create mode 100644 kustomizations/forgejo/keycloak-client-config.enc.yaml
 create mode 100644 kustomizations/forgejo/kustomization.yaml
 create mode 100644 kustomizations/forgejo/namespace.yaml
 create mode 100644 kustomizations/forgejo/postgres-auth.enc.yaml
 create mode 100644 kustomizations/forgejo/resources.yaml
 create mode 100755 kustomizations/forgejo/scripts/generate-forgejo-secret.sh
 create mode 100644 kustomizations/forgejo/secret-generator.yaml
diff --git a/kustomizations/forgejo/app_template.ini b/kustomizations/forgejo/app_template.ini
new file mode 100644
index 0000000..a3b0bb1
--- /dev/null
+++ b/kustomizations/forgejo/app_template.ini
@@ -0,0 +1,89 @@
+RUN_MODE = prod
+RUN_USER = git
+
+[repository]
+ROOT = /data/git/repositories
+
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+
+[server]
+APP_DATA_PATH = /data/gitea
+HTTP_PORT = 8080
+DISABLE_SSH = false
+SSH_PORT = 22
+SSH_LISTEN_PORT = 22
+LFS_START_SERVER = true
+OFFLINE_MODE = false
+
+[database]
+DB_TYPE = postgres
+LOG_SQL = false
+SCHEMA =
+SSL_MODE = require
+CHARSET = utf8
+
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+PROVIDER = file
+
+[picture]
+AVATAR_UPLOAD_PATH = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+
+[attachment]
+PATH = /data/gitea/attachments
+
+[log]
+MODE = console
+LEVEL = info
+ROUTER = console
+ROOT_PATH = /data/gitea/log
+
+[security]
+INSTALL_LOCK = true
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
+PASSWORD_HASH_ALGO = pbkdf2_hi
+
+[service]
+DISABLE_REGISTRATION = true
+REQUIRE_SIGNIN_VIEW = false
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+
+[lfs]
+PATH = /data/git/lfs
+
+[mailer]
+ENABLED = false
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[oauth2]
+ENABLE = false
+
+[oauth2_client]
+ENABLE_AUTO_REGISTRATION = true
+
+[cron.update_checker]
+ENABLED = false
+
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = merge
+
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
diff --git a/kustomizations/forgejo/forgejo-config.enc.yaml b/kustomizations/forgejo/forgejo-config.enc.yaml
new file mode 100644
index 0000000..23482df
--- /dev/null
+++ b/kustomizations/forgejo/forgejo-config.enc.yaml
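Review bot: `REVERSE_PROXY_TRUSTED_PROXIES = *` under `[security]` makes Forgejo accept X-Forwarded-For/X-Real-IP from any peer, so the client address used for logs and rate limiting can be chosen by anything that reaches the pod directly rather than through the nginx Ingress added in this commit; restrict it to the ingress controller's address range, e.g. `REVERSE_PROXY_TRUSTED_PROXIES = <ingress-controller-pod-cidr>`, keeping `REVERSE_PROXY_LIMIT = 1`. `SSL_MODE = require` under `[database]` encrypts the PostgreSQL connection but does not authenticate the server; if the database is reached over a network you do not fully control, `verify-full` with the CA certificate made available to the client is the safer setting. `DISABLE_SSH = false` with `SSH_PORT = 22` advertises SSH clone URLs, yet nothing in this commit appears to listen on 22 (resources.yaml exposes only 8080 and runs as uid 1000), so presumably an SSH container is still to come; until it lands, `DISABLE_SSH = true` avoids advertising a dead endpoint.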
@@ -0,0 +1,79 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: forgejo-config
+stringData:
+ GITEA__SERVER__LFS_JWT_SECRET: ENC[AES256_GCM,data:PMPjQesE7LMTm9345yiT0te/jD3c4ea/YB2RpAmUBXzWEkOf1xDmTF924g==,iv:4U01ffSZMbd7nbIdJ3galwn9GLfjz1YRzY8O3CiulAs=,tag:gOMuErB4aL32tkf5WVoPFw==,type:str]
+ GITEA__SECURITY__SECRET_KEY: ENC[AES256_GCM,data:9YAR3AfcAnhsrTfKmtGEY/L/RP4lIN+zG3gG9a58qrO7KVp/Awr8Ag8dDat3rZQhjfqZEAweok/PCZk6j8rtbA==,iv:7aVM2ElvBFy8ZWv/wC9Ne4SQ4Jd4VfaTbuSbdqgjirQ=,tag:2nv+oVdVhfnxi82R0vpNXA==,type:str]
+ GITEA__SECURITY__INTERNAL_TOKEN: ENC[AES256_GCM,data:Zo/HXJSy4CMDOD0f9Y9qhnlHWE7LhAH+gJBG6jAxXelqmVnfqBq7EnspNpf8IJmbRpbZs0O0JmRYcaczZUZDs6V+brxnN9dis35CCH9mqqrKUgda4OI0M4EQiCvJEbY3V4kyMRtea+6c,iv:+o5qWVQqZBr5+FyWJ4SQ560eXQ1BygKChZjU9GKoXw4=,tag:oGiSX2hzhBfzOMiZRrjOlg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2023-05-16T01:04:13Z"
+ mac: ENC[AES256_GCM,data:Z4I7wqmTH8sq8BbNUT/yfW8IIChL8eeCFh+aNwDdeVBfhTJke8QatVUsPsq366lDqYcrkNft89hUuYZ0ny69ksqQANQl4547gJrJ9kg25qN7i9M4qON/drlg7iJV+B/MLXouHdY23XQM7s7JZF9o4XOqy4o6X4d/mWf/oLVlZGU=,iv:3IYg7h1DZhM5eBJFhldAauiT9gdERBAlRIGZdMtykwM=,tag:2Xabp+Tn79WasynoMnSfYQ==,type:str]
+ pgp:
+ - created_at: "2023-05-16T01:04:10Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ wcFMA82rPM2mSf/aAQ//Wyw0+UV0AMqRCM+X27tKwSEt2RGaQb3ELbJW4Op9xraJ
+ lJAdOKqLhTkpR3DLumSjlVU3pukiBoq003FqwizVIbjD1Yp8z42HNL/KqlmGn8eK
+ WB+vz96L34SJP48uK7qSsJ9lxYlSlWZCRPoTKdoxZR3AYClpVWsr9B6WkGkbC8mn
+ /oTu/MVA5tq/POdxDy+K3ZtVLudnwvpOD1VwH97+kJqwJNjMNE33uPr9O+z8JfZ6
+ NIgdljVE67FJM7Dk3wcyRKEJHhFajhTLI4acZGWGASjIXP4j/w2mCX7gv3J8Gerb
+ 3shY5oN+cDjO7bQBvvbER4Xkl2oLn/6h7Vu7pQki2ggjIJg5f4wlLz7y9CDLsS4Y
+ BHpBYRljHqzblTG6IeiQE6Oz2GMBibJBEv/MmGriZ+ON9bu6Vmn9QBwzUGOKEc7F
+ F+WF+On2ntGcpMUW14L8KLeK3kHZxJuioOCNOB77Xwg6c04p0nh+VmWtLWrMeEIr
+ 1M9p29K1HXQto0NhgNQAMGr1jIlEDKxD7XOaK3w80qZivyYmgGDIM8g4bpDYbaCV
+ gjaHyfLUTwdReiarSK/xjq4/udjAJN+VBWB1dggTqc+a/rhiUOXsdXy2X/+N627g
+ 1NEDNkOpmJLz8HMhBZPLTOJJHp9/mwcL5X5viBz824deh4ZQX8CqzrtSZhoPRUnS
+ UQFSD7+NCg1koARk98aoX7pW4OwBjA9pxuLxAmx0nFagj1wMu/MNZLlbdj4H47fF
+ 6v3EjZqvJJwjE9GPugjFE4Xxc7Y38j92yY7RFd2qOP08EQ==
+ =I1Lu
+ -----END PGP MESSAGE-----
+ fp: 6B61ECD76088748C70590D55E90A401336C8AAA9
+ - created_at: "2023-05-16T01:04:10Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ wcFMAw95Vf08z8oUARAA2CMPzEZxtU/wsobnddpJmZHUzjynaStWN1bnP3uC6RgC
+ /IvzxW7g9sUqGgjVLVqWfvsbUZNFQyJ0LLkXUwAC9rjP+Hj/WJ8C48tf0sKmrI1e
+ k+ebafZFlpTNk3Il/hzUagUhuA/1mPDq3jxhxy3GYmwxn78pt8m9egpdZFsoZZnG
+ bEQiyAeF4QOQsgwXjBCmuzY4Gz5q8gYIgZbvE7YvknsQHVUx0gRieQFgwWuE3jXY
+ nxCf97tmb6pPT4KBbmDXW3y/38SX5Hq9OyJxPN/rF2PlGdXbCcrrzmPqRits3Q/4
+ G1LixHIU2G8R894etl+eewj3KH2uzLMF7iu3dRa83qELdmv6rNW8PaGCceRk77I/
+ HCHqIKhMpAuX4DMCcq2W0b975tDZFdY3V+tPhNuqDbuVsUuKN9BdsXrb/mvOLntS
+ MOSo7ymyDNE0WEmjgz79CftPpX69qkV0LK9oSb7iK2Ro0qaTJI5+so0l8s+XaY8W
+ EjMNMEr92UVQeUUDHTpvkbCfnNZcw0P0Plsg6gbp3FYRlwyVGJ2wLwATbxQaLhW3
+ 2zUjohJ0bhHZzL1Nfxs7tRwAv7I0wGUjAdB0r+m2tt0fq4xMcWNsGNA2nYIVw7tk
+ nhJXgoiqTzY542FcbdkT5E1SRgqtliK+WllBQpxiG7hdMd+kE8yVIIBtMDyP3jXS
+ UQEBMk1W1uM8paV6mN/vUo+GywmsIY6YVz1sClGvqWUib3D7TjIC19CpJpsA3mEu
+ 71PTUmlyu5Fv110khriLDT7n4wvlCGxcAUedPhfaJ29j7A==
+ =L9c6
+ -----END PGP MESSAGE-----
+ fp: 88823A75ECAA786B0FF38B148E401478A3FBEF72
+ - created_at: "2023-05-16T01:04:10Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ wcFMA0/D4ws+/KPtAQ/8D5FK8KboAoDIR25r+ZGDzvU0B/kKFtdrULfjZ82DWv+2
+ TicQcfzjqoxxJdGppe3MUNliX7E5C03Y0cTYaI8HxAuUpsuj3T5XuQuK+7v6hVP3
+ 0MmSOii8OiZMJxHL7RUJfJ7z/VvLxcUw88Vdogu/9DYEtENyFi3eYMik4J6YIpVh
+ 23Kn9/jT2qTs0d4wA56wKCRMG71eZj6U38Tfc5XCzJhi929j7qhHbSMNPFVxZWIh
+ 6atXx412N+VOx8aaYAAp3TXHNf+8vpSvtNByl5cRRFUuqccO8Erie8rJ4y4rHZna
+ FG0Yj3NDecLo+VC4r7v5v9OIlRECCnS9DfVHCJIpA1lTprXyvrQTH9Z2Ko0pJik6
+ zUCF5wqxd80oVm2P2iOmLLoF9oxo16nua/eLarMPKElhfj/g8Rw16b1/NO1I4qjK
+ /Nh8uE7BXtrMV/BlYRHv8KoHwAyNpQLD8B3tCnBNZAtdhmdCPNl2XU6NifKmsMzj
+ hCGvqUiTycb69T3Nek5aCcHQKyVwOhizHpjCpLAEgBlyFsvYtIQdu9PGoFSCnSMw
+ RM9bCh1l2zzsdi3aH1UaVE9fGIFOUbOvxAH6MKOTYw01xW4tF/+2qSZ3qU4XVU6T
+ zi1SoSzxuCea7Ik/7QUp4LBOq0eXBMKHQSUw2YgVJte1wm5xw12k+RxiikPWfY/S
+ UQEYNVZNXLfICgm8f143jUI3/Uu6I3Xs7SxJSbJMRLh9bl7QuRFpDCI+ymdUBjUN
+ gTRhUQVQEVCFUu+OOYeuBIe/T6BTmrcyvHH3PiJIIoRntA==
+ =vMUS
+ -----END PGP MESSAGE-----
+ fp: 3D7C8D39E8C4DF771583D3F0A8A091FD346001CA
+ encrypted_regex: ^(data|stringData)$
+ version: 3.7.3
diff --git a/kustomizations/forgejo/forgejo-env-vars.patch.yaml b/kustomizations/forgejo/forgejo-env-vars.patch.yaml
new file mode 100644
index 0000000..505f710
--- /dev/null
+++ b/kustomizations/forgejo/forgejo-env-vars.patch.yaml
@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: forgejo
+spec:
+ template:
+ spec:
+ initContainers:
+ - name: config-templater
+ envFrom:
+ - configMapRef:
+ name: forgejo-config
+ - secretRef:
+ name: forgejo-config
+ env:
+ - name: GITEA__DATABASE__HOST
+ valueFrom:
+ secretKeyRef:
+ name: database-configuration
+ key: address
+ - name: GITEA__DATABASE__NAME
+ valueFrom:
+ secretKeyRef:
+ name: database-configuration
+ key: dbname
+ - name: GITEA__DATABASE__USER
+ valueFrom:
+ secretKeyRef:
+ name: database-configuration
+ key: name
+ - name: GITEA__DATABASE__PASSWD
+ valueFrom:
+ secretKeyRef:
+ name: database-configuration
+ key: password
+ - name: forgejo-oidc
+ envFrom:
+ - secretRef:
+ name: keycloak-client-config
diff --git a/kustomizations/forgejo/ingress.yaml b/kustomizations/forgejo/ingress.yaml
new file mode 100644
index 0000000..c33cb77
--- /dev/null
+++ b/kustomizations/forgejo/ingress.yaml
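Review bot: The `GITEA__DATABASE__HOST` entry in forgejo-env-vars.patch.yaml reads key `address` from `database-configuration`, while that Secret (postgres-auth.enc.yaml in this commit) also carries separate `host` and `port` keys; because every value is SOPS-encrypted, a reader cannot tell from the repository which form Forgejo is being handed. A one-line comment above the entry would settle it, e.g. `# address is presumably the host:port form Forgejo expects — confirm against the decrypted secret`. The same applies to `key: name` being the database user rather than the database name (that is `dbname`), which is easy to misread.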
@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: forgejo
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ external-dns.alpha.kubernetes.io/hostname: forgejo.distrust.co
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: forgejo.distrust.co
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: forgejo
+ port:
+ number: 80
+ tls:
+ - hosts:
+ - forgejo.distrust.co
+ secretName: website-tls
diff --git a/kustomizations/forgejo/keycloak-client-config.enc.yaml b/kustomizations/forgejo/keycloak-client-config.enc.yaml
new file mode 100644
index 0000000..0f72d0f
--- /dev/null
+++ b/kustomizations/forgejo/keycloak-client-config.enc.yaml
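Review bot: The Ingress sets no `nginx.ingress.kubernetes.io/proxy-body-size` annotation, while app_template.ini in this commit enables the LFS server (`LFS_START_SERVER = true`) and all git traffic goes over this HTTPS path; unless the controller's ConfigMap overrides it, ingress-nginx's default request-body limit (1m) will reject larger pushes and LFS uploads with 413. Adding `nginx.ingress.kubernetes.io/proxy-body-size: "<size-limit>"` next to the cert-manager annotation makes the limit explicit rather than inherited. `secretName: website-tls` reads like a name shared with another site; cert-manager writes the certificate for `forgejo.distrust.co` into that Secret in the `forgejo` namespace, so if another Ingress in this namespace reuses the name with different hosts they would overwrite each other, and a host-specific name such as `secretName: forgejo-tls` avoids the ambiguity.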
@@ -0,0 +1,80 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: keycloak-client-config
+stringData:
+ AUTH_PROVIDER_NAME: ENC[AES256_GCM,data:Io2mXly2E3g=,iv:WWskGOsSUUxDAmVj/nMUHVp8yWvuzTmhszG7EY8UGnI=,tag:RYvROXLs+x6az+GMOHpRbQ==,type:str]
+ AUTH_PROVIDER_KEY: ENC[AES256_GCM,data:xj/J1eb8GQ==,iv:lDnD8wQXH+5ELmPQU7feO3nz9VgDQkCIqlk1qaU3AIM=,tag:IzkSEIH2kmu6seALTkMIZQ==,type:str]
+ AUTH_PROVIDER_SECRET: ENC[AES256_GCM,data:zo1+LnYE2l4HgJPuhi+naCqdgnX3Y6+DJBoEpTydDT8=,iv:LCo341HG1khZxfLVCd0WWDKL5Jdr3IliSBI59FUNvVI=,tag:+5JagjfDs9WxbJOPpUIYDA==,type:str]
+ AUTH_PROVIDER_URL: ENC[AES256_GCM,data:mJ0O17EFLLOACryKpfRA1Gi+/PCBm+u6323H7RVhiMbK0G3WXtWgPF1BWPwSXa5V0C7QmvCswIjHaM1zy1k18Qbpi6ciud2+LSLNb3k=,iv:3Y7tQd2thz1PqBU2hfa4fC6sQfiZlfrxLvMKrA7pyTU=,tag:VL/3bj6pekimKuJRkLbMXg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2023-05-16T01:39:54Z"
+ mac: ENC[AES256_GCM,data:0GRi7AsCBvb4g77HRGC+Y84GBtoM/wNJ7+omrNWojH5IleTBEUC039IgSlMjBkYOnE5jnAWYVjywD3l4E5v0+fy4g5+q+iaRDm/fKoNupm6aigdumihuh1KcoM+q+qBmfSi28ZJKvXuLfvmBGf4K/BkDvd57j7v2fiIoB5I1kes=,iv:y9h13Mtce0ylsGu0JvHD3Dn0CwM9I0N+hBKUiDp2dE8=,tag:7vxPXIU41zgrnAfcUfsVwg==,type:str]
+ pgp:
+ - created_at: "2023-05-16T01:39:37Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ wcFMA82rPM2mSf/aAQ/+ObNAqozTfRQ3E2WB7wCrn9xgQ4hMPe1XVRQGqgBaDsvk
+ axlOdWH7nbR+7WbJvbBeIWU184OnICfmONpb0XHQMdGUiuyuE7uZFubsQupROui6
+ 6CA/4tmRAC26WZMa7CHfbkT8sCiKuGHBR803VQno9Yqh+b76TB0K+jnGatTpbokW
+ 9hdz8UcB6eq9Sqa1EPXljj6GxLLE6H5K9gpxXJPHiQYSwUFDdBnaU9ewA2AGoIuu
+ iGX/et36eIHWVuoptFI8t7LDXfkoEFj8MKlPoskkgOAh9e2gX/BhyLQ02xhZMaYj
+ 8A5r7anNWoUL1gDhIoB121gVuwD21pei3pK4rLgW8pOw4ZheztiQrWeF8sUmb+WJ
+ 4TN/op7owiLJBJokZvLCPgeOkcmhLsp+mhHzWj4AfNcDYcnzBnChpd/6I9Y5s/0a
+ oBsnThSywf2XZG4QX37WYmORWoqkaq6Qjd3IADYsTOY8lcpfl31Z67YOt+C0gwgZ
+ GOYMYdNySzCEXPVhcC50XRj1SWz2hTuOCpjW7vc/vTBhc1AlU+RPI2RnyxuXjxeb
+ zw2wLAZGbwhUcbaKMBJ+LlWH8hlPuvotPXty0JuhkJ3BN+yNEMLlJv9gDhqfam+S
+ jSNl3iWx7k2w01ztqtfq7lwRo2uyu5hctje916yN33poiugjIPP4+mXLHXnL93nS
+ UQHBxSTVnVkJybgAdx7JgK2Liiteq+Yu1QxtAK1C/RQ0RxcbJXT+LgpSP7AIAL0K
+ 62J/869NK7y1XX3EV0yPklSKgbN6rybKq/0lyvRoA6WdeA==
+ =DZ0t
+ -----END PGP MESSAGE-----
+ fp: 6B61ECD76088748C70590D55E90A401336C8AAA9
+ - created_at: "2023-05-16T01:39:37Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ wcFMAw95Vf08z8oUARAAoiPfLJmhhn6tR76JvB6CMk4WwMVURBN9FPabyujgRUkq
+ opw5IBNu+ou813SK4JHvMrJht1Kk+wMxgoxXr4MJGtBPaepuqO21a5udmeAseGq6
+ QBFeuEWi2D7HMC6i9xr3WrhpaNoGzfFuuYW/zEEpO5p5Z5hYl+37sA/vfkzvDMkX
+ X0+poVVoizjy3EWYF8MzBzaZv+J45BYWAxVnrr0/RI1+IasN5/Mc1F1hzky3n4VP
+ LsgNPiJ722Km0ORytf15l5//n1oVKrtPcmNoCiwb3OIWGy/uKfvPHMvZJwMpO/Rm
+ eFOTLCI8rF91TOT4OJk6NS8xVfRO7b1n8NhJ5uwY4hBREOmjlZ5uPgKN1rTOuVDL
+ 5QbH5FlbszO73zyYRBzajyPuC2cD6DbAgb4mnrQ+NpcDR11NLGQY2HcRX+qxJRLS
+ Kkx++/vNDS+dZtQlIFHWX8MPc1k2kIrgphWCY9ztoiZcrM+IMfnatFR0MQGiv4Bg
+ qJaVurV/pkQQe9U1f0UEurnnDWFzt/T16fkr2r+9tlQee0qV+VtlivWYRNBkKb8B
+ jKy4RIBdCYg0fhz7pfjKwEXkHKKPXiKnoOX4kNO0VoIA5N4hHD6xHfpBnFXoil1Z
+ 4dnxGHe6OTDqVXiJ9oo3it2reQTWdJZqU/YtND55YAvC+k61xnO4Vucczg6cGRfS
+ UQFLAMkkenHVO7rHYX1io7Ua3t5061h53Lil2BlVVQ2L4N51lVUnkjT26lICqYP4
+ vPZ7/xpTPthlIBPX2cPDvq1pgn1sqIInMSeGdO2P1ixXow==
+ =xXwH
+ -----END PGP MESSAGE-----
+ fp: 88823A75ECAA786B0FF38B148E401478A3FBEF72
+ - created_at: "2023-05-16T01:39:37Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ wcFMA0/D4ws+/KPtAQ/+K4pZscts0jF53I0wX7htbFK3WyE7EOsDs3KKa682Zkgo
+ Vhou8x0iCDMQ3oyp2rM14LTv6feRc/Iy/WMAR9WVHeLlCQwl5puyHmyI+0M2uIM+
+ kTqVrRysGHhbSZaiwcydXwEhxInuXmoxD6zDGaLzkuy9hgwc4Ejyeu/gCF5kPqim
+ v3DgaBBUOl0Tfp0Q73onUfz+cqeRVG27TbE3Izrljho8sTAFOBQHKCuVqh+TnRfl
+ PdPzImv0/HJzFQLnO0p3VTEU36JD9h270ATbTt5pjeYYCtMJAP6tH5Yo3tDU/9XR
+ QDE9hJfJSTJdL6JWuvwKslqgNV6lS3kUSstKO3Y6H/0Jv3iSYzNqlCHoi7c/h6H0
+ fprOfT4ymOmV++BSYlsH5/AqXCMWsB6yFUMvTNGdQjRtYY5NAXwDQUaNIHSX1VMC
+ SXx9qqQOVEfvgDRtzKW8Hexz2EAAG0B5DvQA4C1PrENmYqpcZmDOTvO17LgipWeD
+ MWHLoyIjOcNy7u0XNgagn9pJFM/FYhOpkleq6pUGY3whyA/+UnCoX2YPieuyTatD
+ S8yocJveqIwmGBya7oGQcYRorZGVH02DGMUq0G+aNPnJg43WPsrxGAEm2y8Eg3iI
+ jZCIQPf1bnxRpwS7iFJxh3eRW6ncuSa9DX4GL0u31m7Ophlk/hijfGlzhkNvWWvS
+ UQFmR9wKqXcB47FjY9dwNiydeHmUXJqNVA7ajRXsNe9WXweZ27TVip430it+yurV
+ ulL2yONfKWI6RHiQ/1mS/nZTuQkzIDZzGYu5oe2UhGKkNw==
+ =9V2r
+ -----END PGP MESSAGE-----
+ fp: 3D7C8D39E8C4DF771583D3F0A8A091FD346001CA
+ encrypted_regex: ^(data|stringData)$
+ version: 3.7.3
diff --git a/kustomizations/forgejo/kustomization.yaml b/kustomizations/forgejo/kustomization.yaml
new file mode 100644
index 0000000..60caa86
--- /dev/null
+++ b/kustomizations/forgejo/kustomization.yaml
@@ -0,0 +1,27 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: forgejo
+resources:
+- namespace.yaml
+- resources.yaml
+- ingress.yaml
+patches:
+- path: forgejo-env-vars.patch.yaml
+ target:
+ group: apps
+ version: v1
+ kind: StatefulSet
+ name: forgejo
+generators:
+- secret-generator.yaml
+configMapGenerator:
+- name: forgejo-config
+ literals:
+ - GITEA__DEFAULT__APP_NAME=Forgejo
+ - GITEA__SERVER__DOMAIN=forgejo.distrust.co
+ - GITEA__SERVER__SSH_DOMAIN=forgejo.distrust.co
+ - GITEA__SERVER__ROOT_URL=https://forgejo.distrust.co
+ - GITEA__SERVICE__NO_REPLY_ADDRESS=noreply.distrust.co
+- name: forgejo-config-template
+ files:
+ - app_template.ini
diff --git a/kustomizations/forgejo/namespace.yaml b/kustomizations/forgejo/namespace.yaml
new file mode 100644
index 0000000..6521f89
--- /dev/null
+++ b/kustomizations/forgejo/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: forgejo
diff --git a/kustomizations/forgejo/postgres-auth.enc.yaml b/kustomizations/forgejo/postgres-auth.enc.yaml
new file mode 100644
index 0000000..0fbeaf4
--- /dev/null
+++ b/kustomizations/forgejo/postgres-auth.enc.yaml
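Review bot: `AUTH_PROVIDER_NAME`, `AUTH_PROVIDER_KEY` (the OIDC client id) and `AUTH_PROVIDER_URL` are encrypted in keycloak-client-config.enc.yaml alongside `AUTH_PROVIDER_SECRET`, so the discovery URL that the `forgejo-oidc` init container in resources.yaml passes to `--auto-discover-url` cannot be reviewed from the repository, and a plain-http or wrong-realm issuer would not be caught at review time. Only the client secret is sensitive; the other three read naturally as literals under the `forgejo-config` entry of `configMapGenerator` in kustomization.yaml, with the init container's `envFrom` in forgejo-env-vars.patch.yaml gaining a matching `configMapRef`, leaving this Secret with the single `AUTH_PROVIDER_SECRET` key. That also makes a change to the issuer visible in a diff instead of showing up only as a re-encrypted blob.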
@@ -0,0 +1,83 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: database-configuration
+stringData:
+ address: ENC[AES256_GCM,data:FVtSkk5ti72nc5sgQ2yzCDN6hvWqd17YwpSS8EkqnerxX1iebtS7P+nkQqaNiN5BaTp4xirjEdkMMVYGfAchYsY=,iv:BtysOt0wWM1Q+9SMw2FoQtHd2rXCCjNvDC16dXsaHzY=,tag:7EggMyJJ8TVwQE1c4u18XQ==,type:str]
+ dbname: ENC[AES256_GCM,data:9yBojYPVsw==,iv:yvw5Nbgk73rZuInG+PByq26oGLDe0Sszm+LrVC0W/Uk=,tag:Nt2XJXOg4SHB+py86KX6ig==,type:str]
+ host: ENC[AES256_GCM,data:v/kW45090UONtO3fjE8J2IRr0vz2HbLb2k5inBKPDrVqmIrC/XbBPU6S/ar023bdQb2wHn1mcZU52m0=,iv:99+XaSJmavGkJmkIVyUNCuxM3Dsqme5/dvOXmXgIRUM=,tag:VECgfR80Npazn6daJzdRJA==,type:str]
+ jdbc_url: ENC[AES256_GCM,data:584+73EqTWRc6h1q/fci21SSXhHIAKwsq2zMUrCqxyti2DF9BLvYGhlioIqWUsZ991BWtAv1UdHCU5tzx2/rCoYtI7zGF9WSz/fEU0gN4SqGLUbg5swtUcKg96LGHfTKWqtP6Qcx/CGDfj8=,iv:oFm+sYaim5+a3qmJwYxI8cHC7Ydj40RieRUMwQFe2u4=,tag:RlDqjKY0/RIm3Ps6b3kDtw==,type:str]
+ name: ENC[AES256_GCM,data:yruLsayHYA==,iv:yc10JFsc+1Z94chPrVl1BGFLlML9Ls/2Gn89oYess54=,tag:TodFxbFT5FzHY62pZDp0Hw==,type:str]
+ password: ENC[AES256_GCM,data:Lrz0uDbJ9t8sO1Pq3Lrfy1Cf8Xdf4F2d,iv:qkO2ik2cSxttjJigtqXHlsq3VnmuSiFvL4uc7jZtKyw=,tag:9w9ebhaFUWaHV+/KwSm+6Q==,type:str]
+ port: ENC[AES256_GCM,data:2o0wuVg=,iv:AqxRgfSq1AzhjXlpiNPTkYV7NTUi61brSOcErr/VhtU=,tag:T2tnz80QdwansDcFqCjYHA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2023-05-16T00:07:06Z"
+ mac: ENC[AES256_GCM,data:TJpATzRb1pItqtHpecpfmEt6AwpcP8AJz5cn6Ra/fzEdP8k21lkJkaZHZeIlZzfZ9FK/oynZqydley4pILxvT+I9M2xwTVZOK1HZ+n7wlDxpTodv+jnzLPBMcuDR0SwCK9WbKuUSbUJpEgYszMJ73f7vGc15oCp4qc7ial64SgY=,iv:073Q5MHchlhCXi8/S/nSFf6lQvk3YahQWweNk14cZjc=,tag:cFIjs4d2nVfucU8MsNKawQ==,type:str]
+ pgp:
+ - created_at: "2023-05-16T00:07:02Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ wcFMA82rPM2mSf/aAQ/+JM09ezDH98a+8K//Le1bk7yjADNJGB6jvtnLXNr7YNoi
+ qdTOTuNwbwErRg9iZK63moryzKBy49xMZb4pKDVE58p2UHb7jkTQ3IHblYZHBW/N
+ OPCZY7sDMl8gLqpJeRkWe7JY5Y6oi8bYYBCmVicDoqrqpK1FAO+ERpgdMPmK/gkG
+ fFfbtTBV2dsE4DkNlL2FxB5pbLjTW3TPu8MNQH3bjrGlXF4FbXklx+OwdOyapt+c
+ VQvh0VY071nFoh2wOCXG+uLIWcYClbxwM1/i639hv0I6jefnjqDTdy0CTaCAbPx5
+ Bjes3gdOIm/yharVAAyWboxX6I/LE6HMM3NwjXh0kJzsHdNiJCrliC9Td6RNlj/i
+ r3Q0kfNmZaSEMCJq/ADFu3l2FTu1iJcGeD+pauzRZUMy2+7dqmwX0OJWYvE3jvNc
+ xv5Tp0j6AvXoMlP0bREitot/GrLNa8FwbCSzCsgBGeP6oZn5+e4qZnj/eRM+x/Ie
+ 795Lxz6rMXKUS5lRel/pSDQA4tT9mYo359p1kyNlwTURtbCEXHjCniWTCm8zGqW+
+ 6HMVW3GpJkJooy1z5w5mBGyk4DYHnO0jds/Yvb1V99J1iY6ihPRhWyXj0X6QQzN6
+ MUTjcuNbdE6nCiQcpX2I4qdSSFlW1WP3OPLdDoGd4sF1jKSmjDeS4+7HvWjF/g3S
+ UQGIJDmwUsxRZzbvaZS/kDOG9iGmfa050cEQUhdZyrlCbFG/0xxhwAmbUv6uojHb
+ 0kmIhW33tlBfpwfSAJZW6na2AEhMIfV6HpG0RveKKCKeVA==
+ =EZL3
+ -----END PGP MESSAGE-----
+ fp: 6B61ECD76088748C70590D55E90A401336C8AAA9
+ - created_at: "2023-05-16T00:07:02Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ wcFMAw95Vf08z8oUAQ//SxyVJiGf47+Xpp1TiY2wdTugfGHc2VocNQ9CbLeNAmDE
+ jA/qcxOVSeetqpLNQmg6UFlmmUIFdBnDJ0H5ZBBpu0gXHF8XTxXNk5vUoRM29XXk
+ PjKVgVQCGYVhmWDhYh1+my66xDMKbymOYJGuCj10bBwVScHxPXM9w/EbXx1lcDP3
+ 4kYfckbO5b/Xf9J4+JB4sBdEpHcuKdrxAn1cWgN1KpGGec/M5Sos9zBk54ZcA9WV
+ 1RYYpkUUALtAdg1VcoPg4GkvKBT93K3xklOAdYoQI0fWR8/YtUN3yRG6BP48QKjd
+ QJnntAyWTEQ1zdfxo6x4W8nWxDf9haySflUdt3o57o56S3GTw17NSbUZNsSpkPz4
+ 5TRDUYPvyK/yyeKAVAx4n7pKbEkoDv8SP4cymicAfOWOWjNnj2jbhDuTVCd/Xcht
+ xocPNGegCn7Y2MSpcGgS8scDcfGu8pI5ZkeLxVrS4fLWtmp8jntU253hOSPQ0tl0
+ c1fxIYkrUWh+1YwBH9UnZ2aBaWx0exgbmymK7eKEKRTGgE+oZqIWy/q1Z/mS79mC
+ tNCCtzD4pxkhvuHUFjH+SvLwKLF1Azm+budRbEDc5qITjEWlHSrQBpie5p2dKKBc
+ EnJuMn1HtyEzi5vTDhnjq+hI0OIfRAL+K3pA7QwqvH2m/ElWhk2GsosZ06dJMy/S
+ UQHXJcTkLSK0ktV75bEcDfPiORnpzHgJdOJx20MV4Dzfeagn/v/Y4VKOdxn6pM2K
+ EJ4zjMp7cURoRa4otGRL0myXlJqwyNhLC1OLKv+NjfrlxA==
+ =fP0Y
+ -----END PGP MESSAGE-----
+ fp: 88823A75ECAA786B0FF38B148E401478A3FBEF72
+ - created_at: "2023-05-16T00:07:02Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ wcFMA0/D4ws+/KPtARAAnEl/8yu68nzqGMjeUGNcMHqCm5yseivXx4bdXougk8mz
+ xYUkEneL3uYMdlGhs9C/moTc3qQbjX280+RCGjHyLipGYUjS7sboP4Rx0kWJB3gI
+ 6feqDW5uCAyaKfhZihNNEfcFglVdF2LHuJBkaw57jIcxqcK905Be3117a1PtMmJn
+ gXRqHvi+cDliZ7Qm89LCTKHVuDZKYVkkN9JfqkOXNyz1j/S8f2vGID+yxQLCkHv/
+ 3+xB7umDONCNviZ4cUqQ9ZCGRB7OhT4VwrNjkFFMbrWr7eLAty+CDwpDq/cmjrV2
+ oFuJJgKqD8+BAXMMlEN2dzrmr+ojBmr7via03Awn13Q0CNXSkdm8aeYZn6o8D7Ok
+ KweR2+RczpKxeN//vBEJdeku+3+0sDqCPRJKYDZyClCSDf3IGGPpNwb6IDJZYb2q
+ Im+p2DXGFfMGnAjMH+oGQ+2zuV/JHu5lnBbbmYn9C3WEZBzstLWIdjNFiiOZcs++
+ npfciP1R6jXQGLnUwYdlg7H6ZpNeKCxtky6yWbrYgh8Dma61/T1WTc+561YYBlLg
+ FOBuCwKd5Qw0o/wObPm6CgUC5i7+qW0MuB/aIVypQA5/qE7zLtksCXSxOl2YYrVP
+ klB/hq/vcl+46YE8Uk9f30WuvEvVe8nboosDlSrrD/NAoulr4B5bu6w+Oi5rmfPS
+ UQGb73b5HiOHD6Y5OMF3AUy+qz1Ga0WQem59v0PbBUbueSX7VgpiNjTobyaQxGwU
+ uBNRWaMrfmelYUbNr05XrB2BGGfro+HzmGe8rD1maNl0JA==
+ =HRlU
+ -----END PGP MESSAGE-----
+ fp: 3D7C8D39E8C4DF771583D3F0A8A091FD346001CA
+ encrypted_regex: ^(data|stringData)$
+ version: 3.7.3
diff --git a/kustomizations/forgejo/resources.yaml b/kustomizations/forgejo/resources.yaml
new file mode 100644
index 0000000..0355a89
--- /dev/null
+++ b/kustomizations/forgejo/resources.yaml
@@ -0,0 +1,112 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: forgejo
+ labels:
+ app: forgejo
+spec:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 8080
+ selector:
+ app: forgejo
+ type: ClusterIP
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: forgejo
+ labels:
+ app: forgejo
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: forgejo
+ serviceName: forgejo
+ template:
+ metadata:
+ labels:
+ app: forgejo
+ spec:
+ # To allow ssh and web to coexist
+ shareProcessNamespace: true
+ initContainers:
+ - name: config-templater
+ image: codeberg.org/forgejo/forgejo:1.19.3-0
+ command: ["environment-to-ini"]
+ args:
+ - --config
+ - /input/app_template.ini
+ - --out
+ - /output/app.ini
+ volumeMounts:
+ - name: forgejo-config-template
+ mountPath: /input
+ - name: forgejo-config
+ mountPath: /output
+ - name: forgejo-migrate
+ image: codeberg.org/forgejo/forgejo:1.19.3-0
+ command: ["forgejo"]
+ args:
+ - -c
+ - /etc/forgejo/app.ini
+ - migrate
+ volumeMounts:
+ - name: forgejo-data
+ mountPath: /data
+ - name: forgejo-config
+ mountPath: /etc/forgejo
+ - name: forgejo-oidc
+ image: codeberg.org/forgejo/forgejo:1.19.3-0
+ command: ["sh"]
+ args:
+ - -c
+ - >-
+ forgejo -c /etc/forgejo/app.ini admin auth add-oauth
+ --name $(AUTH_PROVIDER_NAME)
+ --provider openidConnect
+ --key $(AUTH_PROVIDER_KEY)
+ --secret $(AUTH_PROVIDER_SECRET)
+ --auto-discover-url $(AUTH_PROVIDER_URL)
+ || true
+ volumeMounts:
+ - name: forgejo-data
+ mountPath: /data
+ - name: forgejo-config
+ mountPath: /etc/forgejo
+ containers:
+ - name: forgejo-web
+ image: codeberg.org/forgejo/forgejo:1.19.3-0
+ command: ["forgejo"]
+ args:
+ - -c
+ - /etc/forgejo/app.ini
+ - web
+ ports:
+ - containerPort: 8080
+ name: http
+ volumeMounts:
+ - name: forgejo-data
+ mountPath: /data
+ - name: forgejo-config
+ mountPath: /etc/forgejo
+ volumes:
+ - name: forgejo-config
+ emptyDir: {}
+ - name: forgejo-config-template
+ configMap:
+ name: forgejo-config-template
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ volumeClaimTemplates:
+ - metadata:
+ name: forgejo-data
+ spec:
+ accessModes: ["ReadWriteOnce"]
+ resources:
+ requests:
+ storage: 10Gi
diff --git a/kustomizations/forgejo/scripts/generate-forgejo-secret.sh b/kustomizations/forgejo/scripts/generate-forgejo-secret.sh
new file mode 100755
index 0000000..98ebda9
--- /dev/null
+++ b/kustomizations/forgejo/scripts/generate-forgejo-secret.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+if test -t 1; then
+ # This is not foolproof. Can easily be beat by doing |cat. This is just to
+ # make it less likely that secrets are output to terminal.
+ echo "Error: Not outputting secret to stdout; redirect output to a file or" \
+ "pipe output to \`sops\`." >/dev/stderr
+ exit 1
+fi
+
+FORGEJO_VERSION="1.19.3"
+FORGEJO_TAG="sha256:e1e2a9930afe7e4e6c53b7d250072e5f890894da71df681510b6b513f38d0c36"
+FORGEJO_SLUG="${FORGEJO_VERSION}@${FORGEJO_TAG}"
+
+forgejo() {
+ # TODO: make this extract image tag from kustomization?
+ docker run "codeberg.org/forgejo/forgejo:$FORGEJO_SLUG" forgejo "$@"
+}
+
+GITEA__SERVER__LFS_JWT_SECRET="$(forgejo generate secret LFS_JWT_SECRET)"
+GITEA__SECURITY__SECRET_KEY="$(forgejo generate secret SECRET_KEY)"
+GITEA__SECURITY__INTERNAL_TOKEN="$(forgejo generate secret INTERNAL_TOKEN)"
+
+cat <
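Review bot: The `forgejo-oidc` init container in resources.yaml ends its command with `|| true`, so every failure of `admin auth add-oauth` — a bad discovery URL, a rejected client secret, a missing env var — is swallowed and the pod starts with a login source that may not exist; the `|| true` is presumably there only because re-running `add-oauth` with an existing `--name` fails on every restart, which an `admin auth list` check before the add handles without hiding real errors, and shell-quoted `"$AUTH_PROVIDER_SECRET"` instead of the kubelet `$(...)` expansion keeps a secret containing shell metacharacters from breaking the `sh -c` line. `shareProcessNamespace: true` is justified by the comment `# To allow ssh and web to coexist`, but no SSH container is in this commit; with every container running as uid 1000 a shared PID namespace lets each one read the others' `/proc/<pid>/environ`, so it should be added together with the SSH container rather than ahead of it. The `forgejo-config` volume is `emptyDir: {}`, i.e. node-disk backed, and `config-templater` renders app.ini into it with the database password, `SECRET_KEY`, `INTERNAL_TOKEN` and `LFS_JWT_SECRET` from the `forgejo-config` Secret; `medium: Memory` keeps that file off the node's disk. The pod `securityContext` sets only uid/gid, so `runAsNonRoot: true` and `seccompProfile: RuntimeDefault` are missing, and each container could also carry `allowPrivilegeEscalation: false` with `capabilities: {drop: [ALL]}`; the images are pinned by tag `1.19.3-0` while the sibling script pins a digest, and pinning the manifest by digest too would close that gap.
```yaml
        - name: forgejo-oidc
          image: codeberg.org/forgejo/forgejo:1.19.3-0
          command: ["sh"]
          args:
            - -c
            - >-
              if forgejo -c /etc/forgejo/app.ini admin auth list | grep -q "$AUTH_PROVIDER_NAME"; then exit 0; fi;
              forgejo -c /etc/forgejo/app.ini admin auth add-oauth
              --name "$AUTH_PROVIDER_NAME"
              --provider openidConnect
              --key "$AUTH_PROVIDER_KEY"
              --secret "$AUTH_PROVIDER_SECRET"
              --auto-discover-url "$AUTH_PROVIDER_URL"
          # … unchanged: volumeMounts …
      # … unchanged: containers, forgejo-config-template volume …
      volumes:
        - name: forgejo-config
          emptyDir:
            medium: Memory
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      # … unchanged: volumeClaimTemplates …
```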