homelab/apps/base/gitea.yaml

---
apiVersion: v1
kind: Namespace
metadata:
  name: gitea
---
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: gitea-admin-password
  namespace: gitea
spec:
  itemPath: "vaults/cluster/items/gitea-admin-password"
---
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: gitea-valkey
  namespace: gitea
spec:
  itemPath: "vaults/cluster/items/gitea-valkey"
# ---
# apiVersion: onepassword.com/v1
# kind: OnePasswordItem
# metadata:
#   name: gitea-actions-token
#   namespace: gitea
# spec:
#   itemPath: "vaults/cluster/items/gitea-actions-token"
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: gitea-repo
  namespace: flux-system
spec:
  interval: 15m0s
  url: https://dl.gitea.com/charts/
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: gitea
  namespace: gitea
spec:
  chart:
    spec:
      chart: gitea
      reconcileStrategy: ChartVersion
      sourceRef:
        kind: HelmRepository
        name: gitea-repo
        namespace: flux-system
      version: v12.3.x
  interval: 1m0s
  releaseName: gitea
  values:
    strategy:
      type: Recreate
    service:
      http:
        type: LoadBalancer
        externalTrafficPolicy: Local
        port: 80
        annotations:
          metallb.universe.tf/allow-shared-ip: gitea
      ssh:
        enabled: true
        type: LoadBalancer
        externalTrafficPolicy: Local
        port: 2222
        annotations:
          metallb.universe.tf/allow-shared-ip: gitea
    ingress:
      enabled: true
      hosts:
        - host: git.yadunut.dev
          paths:
            - path: /
              pathType: ImplementationSpecific
      tls:
        - secretName: wildcard-cert-i.yadunut.dev-prod
          hosts:
            - git.yadunut.dev
    # actions:
    #   enabled: 
    #   provisioning:
    #     enabled: true
    #   statefulset:
    #     actRunner:
    #       config: |
    #         log:
    #           level: debug
    #         cache:
    #           enabled: true
    #         runner:
    #           labels:
    #             - "ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
    #             - "ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04"
    #             - "ubuntu-20.04:docker://catthehacker/ubuntu:act-20.04"
    #         container:
    #           options: |
    #             --add-host=docker:host-gateway -v /certs:/certs -e "DOCKER_HOST=tcp://docker:2376/" -e "DOCKER_TLS_CERTDIR=/certs" -e "DOCKER_TLS_VERIFY=1" -e "DOCKER_CERT_PATH=/certs/server"
    #           valid_volumes:
    #             - /certs
    #             - '**'
    valkey-cluster:
      enabled: false
    valkey:
      enabled: true
      image:
        repository: bitnamilegacy/valkey
      global:
        security:
          allowInsecureImages: true
      auth:
        existingSecret: gitea-valkey
        existingSecretPasswordKey: password
    postgresql:
      enabled: true
      image:
        repository: bitnamilegacy/postgresql
        tag: 16.3.0-debian-12-r23
      global:
        security:
          allowInsecureImages: true
    postgresql-ha:
      enabled: false

    persistence:
      enabled: true
      accessModes:
        - ReadWriteMany
    gitea:
      admin:
        existingSecret: gitea-admin-password
      config:
        server:
          SSH_PORT: 2222
          LANDING_PAGE: /yadunut
          LFS_START_SERVER: true
        database:
          DB_TYPE: postgres
        indexer:
          ISSUE_INDEXER_TYPE: bleve
          REPO_INDEXER_ENABLED: true
        openid:
          ENABLE_OPENID_SIGNUP: true
        service:
          DISABLE_REGISTRATION: false
          SHOW_REGISTRATION_BUTTON: false
          ALLOW_ONLY_EXTERNAL_REGISTRATION: true
        repository:
          ENABLE_PUSH_CREATE_USER: true
        packages:
          ENABLED: false
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: gitea-ssh-ingress-route-tcp
  namespace: gitea
spec:
  entryPoints:
    - git-ssh
  routes:
    - match: HostSNI(`*`)
      services:
        - name: gitea-ssh
          port: 2222
# ---
# apiVersion: helm.toolkit.fluxcd.io/v2
# kind: HelmRelease
# metadata:
#   name: gitea-actions
#   namespace: gitea
# spec:
#   chart:
#     spec:
#       chart: actions
#       sourceRef:
#         kind: HelmRepository
#         name: gitea-repo
#         namespace: flux-system
#       version: v0.0.x
#   interval: 1m
#   values:
#     enabled: true
#     giteaRootURL: https://git.yadunut.dev
#
#     # Provide the runner registration token from 1Password-backed Secret
#     existingSecret: gitea-actions-token
#     existingSecretKey: token
#
#     statefulset:
#       replicas: 1
#       # Your custom runner config replicated here (labels, dind, volumes)
#       actRunner:
#         config: |
#           log:
#             level: debug
#           cache:
#             enabled: true
#           runner:
#             labels:
#               - "ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
#               - "ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04"
#               - "ubuntu-20.04:docker://catthehacker/ubuntu:act-20.04"
#           container:
#             options: |
#               --add-host=docker:host-gateway -v /certs:/certs -e "DOCKER_HOST=tcp://docker:2376/" -e "DOCKER_TLS_CERTDIR=/certs" -e "DOCKER_TLS_VERIFY=1" -e "DOCKER_CERT_PATH=/certs/server"
#             valid_volumes:
#               - /certs
#               - '**'
#       dind:
#         extraVolumeMounts:
#           - name: certs
#             mountPath: /certs
#       extraVolumes:
#         - name: certs
#           emptyDir: {}