k/forgejo: initial WIP commit

ryan-distrust.co 2023-05-15 21:51:42 -04:00
parent 2e5a3e0802
commit baeb4480ca
Signed by untrusted user who does not match committer: ryan
GPG Key ID: 8E401478A3FBEF72
11 changed files with 578 additions and 0 deletions


@ -0,0 +1,89 @@
RUN_MODE = prod
RUN_USER = git
[repository]
ROOT = /data/git/repositories
[repository.local]
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
[repository.upload]
TEMP_PATH = /data/gitea/uploads
[server]
APP_DATA_PATH = /data/gitea
HTTP_PORT = 8080
DISABLE_SSH = false
SSH_PORT = 22
SSH_LISTEN_PORT = 22
LFS_START_SERVER = true
OFFLINE_MODE = false
[database]
DB_TYPE = postgres
LOG_SQL = false
SCHEMA =
SSL_MODE = require
CHARSET = utf8
[indexer]
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
[session]
PROVIDER_CONFIG = /data/gitea/sessions
PROVIDER = file
[picture]
AVATAR_UPLOAD_PATH = /data/gitea/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
[attachment]
PATH = /data/gitea/attachments
[log]
MODE = console
LEVEL = info
ROUTER = console
ROOT_PATH = /data/gitea/log
[security]
INSTALL_LOCK = true
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = *
PASSWORD_HASH_ALGO = pbkdf2_hi
[service]
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = false
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = false
DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING = true
[lfs]
PATH = /data/git/lfs
[mailer]
ENABLED = false
[openid]
ENABLE_OPENID_SIGNIN = false
ENABLE_OPENID_SIGNUP = false
[oauth2]
ENABLE = false
[oauth2_client]
ENABLE_AUTO_REGISTRATION = true
[cron.update_checker]
ENABLED = false
[repository.pull-request]
DEFAULT_MERGE_STYLE = merge
[repository.signing]
DEFAULT_TRUST_MODEL = committer
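Review bot: `REVERSE_PROXY_TRUSTED_PROXIES = *` in `[security]` makes Forgejo accept forwarded client-address headers from any peer, so anything that can reach port 8080 without passing through the ingress can choose the address that ends up in logs and in any address-based decisions. `REVERSE_PROXY_LIMIT = 1` already assumes a single proxy hop, so the value should be the ingress controller's source range, e.g. `REVERSE_PROXY_TRUSTED_PROXIES = <ingress-controller pod CIDR>`. Separately, `SSL_MODE = require` in `[database]` encrypts the PostgreSQL connection but does not verify the server certificate; `verify-full` does, provided the CA is available to the pod.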


@ -0,0 +1,79 @@
apiVersion: v1
kind: Secret
metadata:
name: forgejo-config
stringData:
GITEA__SERVER__LFS_JWT_SECRET: ENC[AES256_GCM,data:PMPjQesE7LMTm9345yiT0te/jD3c4ea/YB2RpAmUBXzWEkOf1xDmTF924g==,iv:4U01ffSZMbd7nbIdJ3galwn9GLfjz1YRzY8O3CiulAs=,tag:gOMuErB4aL32tkf5WVoPFw==,type:str]
GITEA__SECURITY__SECRET_KEY: ENC[AES256_GCM,data:9YAR3AfcAnhsrTfKmtGEY/L/RP4lIN+zG3gG9a58qrO7KVp/Awr8Ag8dDat3rZQhjfqZEAweok/PCZk6j8rtbA==,iv:7aVM2ElvBFy8ZWv/wC9Ne4SQ4Jd4VfaTbuSbdqgjirQ=,tag:2nv+oVdVhfnxi82R0vpNXA==,type:str]
GITEA__SECURITY__INTERNAL_TOKEN: ENC[AES256_GCM,data:Zo/HXJSy4CMDOD0f9Y9qhnlHWE7LhAH+gJBG6jAxXelqmVnfqBq7EnspNpf8IJmbRpbZs0O0JmRYcaczZUZDs6V+brxnN9dis35CCH9mqqrKUgda4OI0M4EQiCvJEbY3V4kyMRtea+6c,iv:+o5qWVQqZBr5+FyWJ4SQ560eXQ1BygKChZjU9GKoXw4=,tag:oGiSX2hzhBfzOMiZRrjOlg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-05-16T01:04:13Z"
mac: ENC[AES256_GCM,data:Z4I7wqmTH8sq8BbNUT/yfW8IIChL8eeCFh+aNwDdeVBfhTJke8QatVUsPsq366lDqYcrkNft89hUuYZ0ny69ksqQANQl4547gJrJ9kg25qN7i9M4qON/drlg7iJV+B/MLXouHdY23XQM7s7JZF9o4XOqy4o6X4d/mWf/oLVlZGU=,iv:3IYg7h1DZhM5eBJFhldAauiT9gdERBAlRIGZdMtykwM=,tag:2Xabp+Tn79WasynoMnSfYQ==,type:str]
pgp:
- created_at: "2023-05-16T01:04:10Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=I1Lu
-----END PGP MESSAGE-----
fp: 6B61ECD76088748C70590D55E90A401336C8AAA9
- created_at: "2023-05-16T01:04:10Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMAw95Vf08z8oUARAA2CMPzEZxtU/wsobnddpJmZHUzjynaStWN1bnP3uC6RgC
/IvzxW7g9sUqGgjVLVqWfvsbUZNFQyJ0LLkXUwAC9rjP+Hj/WJ8C48tf0sKmrI1e
k+ebafZFlpTNk3Il/hzUagUhuA/1mPDq3jxhxy3GYmwxn78pt8m9egpdZFsoZZnG
bEQiyAeF4QOQsgwXjBCmuzY4Gz5q8gYIgZbvE7YvknsQHVUx0gRieQFgwWuE3jXY
nxCf97tmb6pPT4KBbmDXW3y/38SX5Hq9OyJxPN/rF2PlGdXbCcrrzmPqRits3Q/4
G1LixHIU2G8R894etl+eewj3KH2uzLMF7iu3dRa83qELdmv6rNW8PaGCceRk77I/
HCHqIKhMpAuX4DMCcq2W0b975tDZFdY3V+tPhNuqDbuVsUuKN9BdsXrb/mvOLntS
MOSo7ymyDNE0WEmjgz79CftPpX69qkV0LK9oSb7iK2Ro0qaTJI5+so0l8s+XaY8W
EjMNMEr92UVQeUUDHTpvkbCfnNZcw0P0Plsg6gbp3FYRlwyVGJ2wLwATbxQaLhW3
2zUjohJ0bhHZzL1Nfxs7tRwAv7I0wGUjAdB0r+m2tt0fq4xMcWNsGNA2nYIVw7tk
nhJXgoiqTzY542FcbdkT5E1SRgqtliK+WllBQpxiG7hdMd+kE8yVIIBtMDyP3jXS
UQEBMk1W1uM8paV6mN/vUo+GywmsIY6YVz1sClGvqWUib3D7TjIC19CpJpsA3mEu
71PTUmlyu5Fv110khriLDT7n4wvlCGxcAUedPhfaJ29j7A==
=L9c6
-----END PGP MESSAGE-----
fp: 88823A75ECAA786B0FF38B148E401478A3FBEF72
- created_at: "2023-05-16T01:04:10Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=vMUS
-----END PGP MESSAGE-----
fp: 3D7C8D39E8C4DF771583D3F0A8A091FD346001CA
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@ -0,0 +1,39 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: forgejo
spec:
template:
spec:
initContainers:
- name: config-templater
envFrom:
- configMapRef:
name: forgejo-config
- secretRef:
name: forgejo-config
env:
- name: GITEA__DATABASE__HOST
valueFrom:
secretKeyRef:
name: database-configuration
key: address
- name: GITEA__DATABASE__NAME
valueFrom:
secretKeyRef:
name: database-configuration
key: dbname
- name: GITEA__DATABASE__USER
valueFrom:
secretKeyRef:
name: database-configuration
key: name
- name: GITEA__DATABASE__PASSWD
valueFrom:
secretKeyRef:
name: database-configuration
key: password
- name: forgejo-oidc
envFrom:
- secretRef:
name: keycloak-client-config


@ -0,0 +1,24 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: forgejo
annotations:
cert-manager.io/cluster-issuer: letsencrypt
external-dns.alpha.kubernetes.io/hostname: forgejo.distrust.co
spec:
ingressClassName: nginx
rules:
- host: forgejo.distrust.co
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: forgejo
port:
number: 80
tls:
- hosts:
- forgejo.distrust.co
secretName: website-tls


@ -0,0 +1,80 @@
apiVersion: v1
kind: Secret
metadata:
name: keycloak-client-config
stringData:
AUTH_PROVIDER_NAME: ENC[AES256_GCM,data:Io2mXly2E3g=,iv:WWskGOsSUUxDAmVj/nMUHVp8yWvuzTmhszG7EY8UGnI=,tag:RYvROXLs+x6az+GMOHpRbQ==,type:str]
AUTH_PROVIDER_KEY: ENC[AES256_GCM,data:xj/J1eb8GQ==,iv:lDnD8wQXH+5ELmPQU7feO3nz9VgDQkCIqlk1qaU3AIM=,tag:IzkSEIH2kmu6seALTkMIZQ==,type:str]
AUTH_PROVIDER_SECRET: ENC[AES256_GCM,data:zo1+LnYE2l4HgJPuhi+naCqdgnX3Y6+DJBoEpTydDT8=,iv:LCo341HG1khZxfLVCd0WWDKL5Jdr3IliSBI59FUNvVI=,tag:+5JagjfDs9WxbJOPpUIYDA==,type:str]
AUTH_PROVIDER_URL: ENC[AES256_GCM,data:mJ0O17EFLLOACryKpfRA1Gi+/PCBm+u6323H7RVhiMbK0G3WXtWgPF1BWPwSXa5V0C7QmvCswIjHaM1zy1k18Qbpi6ciud2+LSLNb3k=,iv:3Y7tQd2thz1PqBU2hfa4fC6sQfiZlfrxLvMKrA7pyTU=,tag:VL/3bj6pekimKuJRkLbMXg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-05-16T01:39:54Z"
mac: ENC[AES256_GCM,data:0GRi7AsCBvb4g77HRGC+Y84GBtoM/wNJ7+omrNWojH5IleTBEUC039IgSlMjBkYOnE5jnAWYVjywD3l4E5v0+fy4g5+q+iaRDm/fKoNupm6aigdumihuh1KcoM+q+qBmfSi28ZJKvXuLfvmBGf4K/BkDvd57j7v2fiIoB5I1kes=,iv:y9h13Mtce0ylsGu0JvHD3Dn0CwM9I0N+hBKUiDp2dE8=,tag:7vxPXIU41zgrnAfcUfsVwg==,type:str]
pgp:
- created_at: "2023-05-16T01:39:37Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA82rPM2mSf/aAQ/+ObNAqozTfRQ3E2WB7wCrn9xgQ4hMPe1XVRQGqgBaDsvk
axlOdWH7nbR+7WbJvbBeIWU184OnICfmONpb0XHQMdGUiuyuE7uZFubsQupROui6
6CA/4tmRAC26WZMa7CHfbkT8sCiKuGHBR803VQno9Yqh+b76TB0K+jnGatTpbokW
9hdz8UcB6eq9Sqa1EPXljj6GxLLE6H5K9gpxXJPHiQYSwUFDdBnaU9ewA2AGoIuu
iGX/et36eIHWVuoptFI8t7LDXfkoEFj8MKlPoskkgOAh9e2gX/BhyLQ02xhZMaYj
8A5r7anNWoUL1gDhIoB121gVuwD21pei3pK4rLgW8pOw4ZheztiQrWeF8sUmb+WJ
4TN/op7owiLJBJokZvLCPgeOkcmhLsp+mhHzWj4AfNcDYcnzBnChpd/6I9Y5s/0a
oBsnThSywf2XZG4QX37WYmORWoqkaq6Qjd3IADYsTOY8lcpfl31Z67YOt+C0gwgZ
GOYMYdNySzCEXPVhcC50XRj1SWz2hTuOCpjW7vc/vTBhc1AlU+RPI2RnyxuXjxeb
zw2wLAZGbwhUcbaKMBJ+LlWH8hlPuvotPXty0JuhkJ3BN+yNEMLlJv9gDhqfam+S
jSNl3iWx7k2w01ztqtfq7lwRo2uyu5hctje916yN33poiugjIPP4+mXLHXnL93nS
UQHBxSTVnVkJybgAdx7JgK2Liiteq+Yu1QxtAK1C/RQ0RxcbJXT+LgpSP7AIAL0K
62J/869NK7y1XX3EV0yPklSKgbN6rybKq/0lyvRoA6WdeA==
=DZ0t
-----END PGP MESSAGE-----
fp: 6B61ECD76088748C70590D55E90A401336C8AAA9
- created_at: "2023-05-16T01:39:37Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=xXwH
-----END PGP MESSAGE-----
fp: 88823A75ECAA786B0FF38B148E401478A3FBEF72
- created_at: "2023-05-16T01:39:37Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=9V2r
-----END PGP MESSAGE-----
fp: 3D7C8D39E8C4DF771583D3F0A8A091FD346001CA
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@ -0,0 +1,27 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: forgejo
resources:
- namespace.yaml
- resources.yaml
- ingress.yaml
patches:
- path: forgejo-env-vars.patch.yaml
target:
group: apps
version: v1
kind: StatefulSet
name: forgejo
generators:
- secret-generator.yaml
configMapGenerator:
- name: forgejo-config
literals:
- GITEA__DEFAULT__APP_NAME=Forgejo
- GITEA__SERVER__DOMAIN=forgejo.distrust.co
- GITEA__SERVER__SSH_DOMAIN=forgejo.distrust.co
- GITEA__SERVER__ROOT_URL=https://forgejo.distrust.co
- GITEA__SERVICE__NO_REPLY_ADDRESS=noreply.distrust.co
- name: forgejo-config-template
files:
- app_template.ini


@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: forgejo


@ -0,0 +1,83 @@
apiVersion: v1
kind: Secret
metadata:
name: database-configuration
stringData:
address: ENC[AES256_GCM,data:FVtSkk5ti72nc5sgQ2yzCDN6hvWqd17YwpSS8EkqnerxX1iebtS7P+nkQqaNiN5BaTp4xirjEdkMMVYGfAchYsY=,iv:BtysOt0wWM1Q+9SMw2FoQtHd2rXCCjNvDC16dXsaHzY=,tag:7EggMyJJ8TVwQE1c4u18XQ==,type:str]
dbname: ENC[AES256_GCM,data:9yBojYPVsw==,iv:yvw5Nbgk73rZuInG+PByq26oGLDe0Sszm+LrVC0W/Uk=,tag:Nt2XJXOg4SHB+py86KX6ig==,type:str]
host: ENC[AES256_GCM,data:v/kW45090UONtO3fjE8J2IRr0vz2HbLb2k5inBKPDrVqmIrC/XbBPU6S/ar023bdQb2wHn1mcZU52m0=,iv:99+XaSJmavGkJmkIVyUNCuxM3Dsqme5/dvOXmXgIRUM=,tag:VECgfR80Npazn6daJzdRJA==,type:str]
jdbc_url: ENC[AES256_GCM,data:584+73EqTWRc6h1q/fci21SSXhHIAKwsq2zMUrCqxyti2DF9BLvYGhlioIqWUsZ991BWtAv1UdHCU5tzx2/rCoYtI7zGF9WSz/fEU0gN4SqGLUbg5swtUcKg96LGHfTKWqtP6Qcx/CGDfj8=,iv:oFm+sYaim5+a3qmJwYxI8cHC7Ydj40RieRUMwQFe2u4=,tag:RlDqjKY0/RIm3Ps6b3kDtw==,type:str]
name: ENC[AES256_GCM,data:yruLsayHYA==,iv:yc10JFsc+1Z94chPrVl1BGFLlML9Ls/2Gn89oYess54=,tag:TodFxbFT5FzHY62pZDp0Hw==,type:str]
password: ENC[AES256_GCM,data:Lrz0uDbJ9t8sO1Pq3Lrfy1Cf8Xdf4F2d,iv:qkO2ik2cSxttjJigtqXHlsq3VnmuSiFvL4uc7jZtKyw=,tag:9w9ebhaFUWaHV+/KwSm+6Q==,type:str]
port: ENC[AES256_GCM,data:2o0wuVg=,iv:AqxRgfSq1AzhjXlpiNPTkYV7NTUi61brSOcErr/VhtU=,tag:T2tnz80QdwansDcFqCjYHA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-05-16T00:07:06Z"
mac: ENC[AES256_GCM,data:TJpATzRb1pItqtHpecpfmEt6AwpcP8AJz5cn6Ra/fzEdP8k21lkJkaZHZeIlZzfZ9FK/oynZqydley4pILxvT+I9M2xwTVZOK1HZ+n7wlDxpTodv+jnzLPBMcuDR0SwCK9WbKuUSbUJpEgYszMJ73f7vGc15oCp4qc7ial64SgY=,iv:073Q5MHchlhCXi8/S/nSFf6lQvk3YahQWweNk14cZjc=,tag:cFIjs4d2nVfucU8MsNKawQ==,type:str]
pgp:
- created_at: "2023-05-16T00:07:02Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA82rPM2mSf/aAQ/+JM09ezDH98a+8K//Le1bk7yjADNJGB6jvtnLXNr7YNoi
qdTOTuNwbwErRg9iZK63moryzKBy49xMZb4pKDVE58p2UHb7jkTQ3IHblYZHBW/N
OPCZY7sDMl8gLqpJeRkWe7JY5Y6oi8bYYBCmVicDoqrqpK1FAO+ERpgdMPmK/gkG
fFfbtTBV2dsE4DkNlL2FxB5pbLjTW3TPu8MNQH3bjrGlXF4FbXklx+OwdOyapt+c
VQvh0VY071nFoh2wOCXG+uLIWcYClbxwM1/i639hv0I6jefnjqDTdy0CTaCAbPx5
Bjes3gdOIm/yharVAAyWboxX6I/LE6HMM3NwjXh0kJzsHdNiJCrliC9Td6RNlj/i
r3Q0kfNmZaSEMCJq/ADFu3l2FTu1iJcGeD+pauzRZUMy2+7dqmwX0OJWYvE3jvNc
xv5Tp0j6AvXoMlP0bREitot/GrLNa8FwbCSzCsgBGeP6oZn5+e4qZnj/eRM+x/Ie
795Lxz6rMXKUS5lRel/pSDQA4tT9mYo359p1kyNlwTURtbCEXHjCniWTCm8zGqW+
6HMVW3GpJkJooy1z5w5mBGyk4DYHnO0jds/Yvb1V99J1iY6ihPRhWyXj0X6QQzN6
MUTjcuNbdE6nCiQcpX2I4qdSSFlW1WP3OPLdDoGd4sF1jKSmjDeS4+7HvWjF/g3S
UQGIJDmwUsxRZzbvaZS/kDOG9iGmfa050cEQUhdZyrlCbFG/0xxhwAmbUv6uojHb
0kmIhW33tlBfpwfSAJZW6na2AEhMIfV6HpG0RveKKCKeVA==
=EZL3
-----END PGP MESSAGE-----
fp: 6B61ECD76088748C70590D55E90A401336C8AAA9
- created_at: "2023-05-16T00:07:02Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=fP0Y
-----END PGP MESSAGE-----
fp: 88823A75ECAA786B0FF38B148E401478A3FBEF72
- created_at: "2023-05-16T00:07:02Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=HRlU
-----END PGP MESSAGE-----
fp: 3D7C8D39E8C4DF771583D3F0A8A091FD346001CA
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@ -0,0 +1,112 @@
apiVersion: v1
kind: Service
metadata:
name: forgejo
labels:
app: forgejo
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app: forgejo
type: ClusterIP
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: forgejo
labels:
app: forgejo
spec:
replicas: 1
selector:
matchLabels:
app: forgejo
serviceName: forgejo
template:
metadata:
labels:
app: forgejo
spec:
# To allow ssh and web to coexist
shareProcessNamespace: true
initContainers:
- name: config-templater
image: codeberg.org/forgejo/forgejo:1.19.3-0
command: ["environment-to-ini"]
args:
- --config
- /input/app_template.ini
- --out
- /output/app.ini
volumeMounts:
- name: forgejo-config-template
mountPath: /input
- name: forgejo-config
mountPath: /output
- name: forgejo-migrate
image: codeberg.org/forgejo/forgejo:1.19.3-0
command: ["forgejo"]
args:
- -c
- /etc/forgejo/app.ini
- migrate
volumeMounts:
- name: forgejo-data
mountPath: /data
- name: forgejo-config
mountPath: /etc/forgejo
- name: forgejo-oidc
image: codeberg.org/forgejo/forgejo:1.19.3-0
command: ["sh"]
args:
- -c
- >-
forgejo -c /etc/forgejo/app.ini admin auth add-oauth
--name $(AUTH_PROVIDER_NAME)
--provider openidConnect
--key $(AUTH_PROVIDER_KEY)
--secret $(AUTH_PROVIDER_SECRET)
--auto-discover-url $(AUTH_PROVIDER_URL)
|| true
volumeMounts:
- name: forgejo-data
mountPath: /data
- name: forgejo-config
mountPath: /etc/forgejo
containers:
- name: forgejo-web
image: codeberg.org/forgejo/forgejo:1.19.3-0
command: ["forgejo"]
args:
- -c
- /etc/forgejo/app.ini
- web
ports:
- containerPort: 8080
name: http
volumeMounts:
- name: forgejo-data
mountPath: /data
- name: forgejo-config
mountPath: /etc/forgejo
volumes:
- name: forgejo-config
emptyDir: {}
- name: forgejo-config-template
configMap:
name: forgejo-config-template
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
volumeClaimTemplates:
- metadata:
name: forgejo-data
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 10Gi
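Review bot: The `forgejo-oidc` init container splices the OIDC client values into an `sh -c` string with `$(AUTH_PROVIDER_…)`, so they are parsed as shell source rather than passed as data. A value containing a space, quote or `;` changes the command, and a reference the kubelet leaves unexpanded would be read by the shell as command substitution. The variables are expected in the container environment (the env-vars patch adds them via `envFrom`), so let the shell expand them quoted, e.g. `--secret "$AUTH_PROVIDER_SECRET"`, and likewise for name, key and URL. The trailing `|| true` hides every failure, not only "source already exists", so a broken SSO setup starts with no signal. The four `image:` lines also use the tag `1.19.3-0`, while the secret generator script pins a digest; pinning the digest here too keeps what runs equal to what was reviewed.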


@ -0,0 +1,33 @@
#!/bin/sh
if test -t 1; then
# This is not foolproof. Can easily be beat by doing |cat. This is just to
# make it less likely that secrets are output to terminal.
echo "Error: Not outputting secret to stdout; redirect output to a file or" \
"pipe output to \`sops\`." >/dev/stderr
exit 1
fi
FORGEJO_VERSION="1.19.3"
FORGEJO_TAG="sha256:e1e2a9930afe7e4e6c53b7d250072e5f890894da71df681510b6b513f38d0c36"
FORGEJO_SLUG="${FORGEJO_VERSION}@${FORGEJO_TAG}"
forgejo() {
# TODO: make this extract image tag from kustomization?
docker run "codeberg.org/forgejo/forgejo:$FORGEJO_SLUG" forgejo "$@"
}
GITEA__SERVER__LFS_JWT_SECRET="$(forgejo generate secret LFS_JWT_SECRET)"
GITEA__SECURITY__SECRET_KEY="$(forgejo generate secret SECRET_KEY)"
GITEA__SECURITY__INTERNAL_TOKEN="$(forgejo generate secret INTERNAL_TOKEN)"
cat <<EOF
apiVersion: v1
kind: Secret
metadata:
name: forgejo-config
stringData:
GITEA__SERVER__LFS_JWT_SECRET: ${GITEA__SERVER__LFS_JWT_SECRET}
GITEA__SECURITY__SECRET_KEY: ${GITEA__SECURITY__SECRET_KEY}
GITEA__SECURITY__INTERNAL_TOKEN: ${GITEA__SECURITY__INTERNAL_TOKEN}
EOF
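Review bot: Nothing checks that the three `forgejo generate secret` calls succeeded, so a failed `docker run` (image pull error, daemon not running) still reaches the heredoc and prints a Secret whose values are empty. That output would then be encrypted and committed as a valid-looking file. Adding `set -eu` after the shebang makes a failed `VAR="$(…)"` assignment abort the script before anything is printed. `docker run --rm` in the `forgejo()` wrapper would also avoid leaving a stopped container behind for each generated secret.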


@ -0,0 +1,8 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
name: forgejo
files:
- ./forgejo-config.enc.yaml
- ./keycloak-client-config.enc.yaml
- ./postgres-auth.enc.yaml