feat: gitea

.env

@@ -0,0 +1,3 @@
+PROD_URL=git.gmoker.com
+IMAGEAPP=docker.io/gitea/gitea:1.22.0-rc1-rootless
+IMAGERUNNER=docker.io/gitea/act_runner:0.2.10-dind-rootless

.gitea/workflows/deploy.yaml

@@ -0,0 +1,23 @@
+on: push
+
+jobs:
+  deploy:
+    runs-on: debian
+    steps:
+      - uses: actions/checkout@v1
+      - name: setup env
+        run: |
+          . ./.env || true
+          if [ "${{ gitea.ref_name }}" == prod ] && [ -n "$PROD_URL" ]; then
+            BASE_URL="$PROD_URL"
+          else
+            BASE_URL="${{ gitea.ref_name }}.$(tr / '\n' <<< "${{ gitea.repository }}" | tac | tr '\n' .)k8s.gmoker.com"
+          fi
+          cat <<EOF >> .env
+          BASE_URL="$BASE_URL"
+          EOF
+          cat .env
+
+      - uses: actions/k8sdeploy@v1
+        with:
+          kubeconfig: "${{ secrets.K8S }}"

README.md

@@ -0,0 +1 @@
+# Gitea

compose.yaml

@@ -0,0 +1,35 @@
+---
+services:
+  db:
+    image: docker.io/postgres:15
+    restart: unless-stopped
+    environment:
+      - POSTGRES_DB=db
+      - POSTGRES_USER=db
+      - POSTGRES_PASSWORD=db
+    volumes:
+      - db:/var/lib/postgresql/data/
+
+  gitea:
+    image: "$IMAGEAPP"
+    restart: unless-stopped
+    ports:
+      - "8080:3000"
+      - "2222:2222"
+    environment:
+      - POSTGRES_HOST=db
+      - GITEA__database__DB_TYPE=postgres
+      - GITEA__database__HOST=db
+      - GITEA__database__USER=db
+      - GITEA__database__PASSWD=db
+      - GITEA__service__DISABLE_REGISTRATION=true
+    volumes:
+      - data:/var/lib/gitea/
+      - config:/etc/gitea/
+    depends_on:
+      - db
+
+volumes:
+  config: {}
+  data: {}
+  db: {}

diff.sh

@@ -0,0 +1,7 @@
+#!/bin/bash -e
+
+URL='https://raw.githubusercontent.com'
+REPO='go-gitea/gitea'
+TAG="v$(awk -F: '/^IMAGEAPP/{sub("-rootless", ""); print $2}' .env)"
+
+$EDITOR -d -c "wincmd l" -- "$URL/$REPO/$TAG/custom/conf/app.example.ini" app.ini

manifests/bin/deploy.sh

@@ -0,0 +1,68 @@
+#!/bin/bash -e
+set -o pipefail
+
+function kapply() {
+    for f in "$@"; do
+        kubectl apply -f \
+            <(envsubst "$(env | xargs printf '$%s ')" < "manifests/$f")
+    done
+}
+
+function kcreatesec() {
+    kubectl create secret generic --save-config --dry-run=client -oyaml "$@" | kubectl apply -f-
+}
+
+function kcreatecm() {
+    kubectl create configmap --dry-run=client -oyaml "$@" | kubectl apply -f-
+}
+
+function kgseckey() {
+    local sec="$1"; shift
+    local key="$1"; shift
+
+    kubectl get secret "$sec" -o jsonpath="{.data.$key}" | base64 -d
+}
+
+function kgcmkey() {
+    local cm="$1"; shift
+    local key="$1"; shift
+
+    kubectl get configmap "$cm" -o jsonpath="{.data.$key}"
+}
+
+
+kapply common/db.yaml
+
+export REDIS_HOST=redis
+export REDIS_DB=0
+export REDIS_PORT=6379
+export POSTGRES_HOST;     POSTGRES_HOST="$(kgseckey postgres-app host)"
+export POSTGRES_PORT;     POSTGRES_PORT="$(kgseckey postgres-app port)"
+export POSTGRES_DB;       POSTGRES_DB="$(kgseckey postgres-app dbname)"
+export POSTGRES_USER;     POSTGRES_USER="$(kgseckey postgres-app user)"
+export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)"
+
+kcreatesec gitea-admin \
+    --from-literal=email="gitea@$BASE_URL" \
+    --from-literal=username="$(kgseckey gitea-admin username || echo gitea)" \
+    --from-literal=password="$(kgseckey gitea-admin password || openssl rand -hex 32)"
+
+kcreatesec gitea-secrets \
+    --from-literal=secret_key="$(kgseckey gitea-secrets secret_key || openssl rand -hex 32)"  \
+    --from-literal=internal_token="$(kgseckey gitea-secrets internal_token || openssl rand -hex 32)"
+
+kcreatecm gitea-config \
+    --from-file=app.ini=<(envsubst "$(env | xargs printf '$%s ')" < app.ini)
+
+kapply common/job.yaml \
+    common/redis.yaml \
+    common/app.yaml
+
+kubectl rollout restart statefulset app
+
+RUNNER_TOKEN="$(curl "http://$GITEA_USERNAME:$GITEA_PASSWORD@app/api/v1/admin/runners/registration-token" | jq .token || true)"
+if [ -n "$RUNNER_TOKEN" ]; then
+    kcreatesec runner-secret --from-literal=token="$RUNNER_TOKEN"
+    kapply common/runner.yaml
+    kubectl rollout restart statefulset runner
+fi

manifests/bin/devel.sh

@@ -0,0 +1,5 @@
+#!/bin/bash -e
+
+export NB_REPLICAS=1
+
+. ./manifests/bin/deploy.sh

manifests/bin/prod.sh

@@ -0,0 +1,8 @@
+#!/bin/bash -e
+
+# TODO: 3
+export NB_REPLICAS=1
+
+. ./manifests/bin/deploy.sh
+
+#kapply prod/ssh.yaml

manifests/common/app.yaml

@@ -0,0 +1,93 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: app
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    nginx.ingress.kubernetes.io/proxy-body-size: "512M"
+spec:
+  ingressClassName: nginx
+  tls:
+    - secretName: tls-app
+      hosts:
+        - "$BASE_URL"
+  rules:
+    - host: "$BASE_URL"
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: app
+                port:
+                  name: http
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: app
+  labels:
+    app: app
+spec:
+  selector:
+    app: app
+  ports:
+    - name: http
+      port: 80
+      targetPort: http
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: app
+  labels:
+    app: app
+spec:
+  replicas: $NB_REPLICAS
+  selector:
+    matchLabels:
+      app: app
+  template:
+    metadata:
+      labels:
+        app: app
+    spec:
+      containers:
+        - name: app
+          image: "$IMAGEAPP"
+          ports:
+            - name: http
+              containerPort: 3000
+            - name: ssh
+              containerPort: 2222
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/gitea/
+            - name: config
+              mountPath: /etc/gitea/app.ini
+              subPath: app.ini
+              readOnly: true
+            - name: secrets
+              mountPath: /etc/gitea/secrets/
+              readOnly: true
+      securityContext:
+        fsGroup: 1000
+      volumes:
+        - name: config
+          configMap:
+            name: gitea-config
+        - name: secrets
+          secret:
+            secretName: gitea-secrets
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        storageClassName: nfs-csi
+        resources:
+          requests:
+            storage: 1Gi

manifests/common/db.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: postgres
+spec:
+  instances: $NB_REPLICAS
+  storage:
+    size: 1Gi

manifests/common/job.yaml

@@ -0,0 +1,35 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: createadminuser
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: createadminuser
+          image: "$IMAGEAPP"
+          envFrom:
+            - secretRef:
+                name: gitea-admin
+          command:
+            - bash
+            - -c
+            - 'gitea migrate && { gitea admin user change-password --username "$username" --password "$password" 2> /dev/null || gitea admin user create --admin --email "$email" --username "$username" --password "$password"; }'
+          volumeMounts:
+            - name: config
+              mountPath: /etc/gitea/app.ini
+              subPath: app.ini
+              readOnly: true
+            - name: secrets
+              mountPath: /etc/gitea/secrets/
+              readOnly: true
+      volumes:
+        - name: config
+          configMap:
+            name: gitea-config
+        - name: secrets
+          secret:
+            secretName: gitea-secrets
+  backoffLimit: 4

manifests/common/redis.yaml

@@ -0,0 +1,41 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis
+  labels:
+    app: redis
+spec:
+  selector:
+    app: redis
+  ports:
+    - name: redis
+      port: 6379
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: redis
+spec:
+  selector:
+    matchLabels:
+      app: redis
+  serviceName: redis
+  replicas: $NB_REPLICAS
+  template:
+    metadata:
+      labels:
+        app: redis
+    spec:
+      containers:
+        - name: redis
+          image: docker.io/redis:latest
+          ports:
+            - name: redis
+              containerPort: 6379
+          volumeMounts:
+            - name: data
+              mountPath: /data/
+      volumes:
+        - name: data
+          emptyDir: {}

manifests/common/runner.yaml

@@ -0,0 +1,53 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: runner
+  labels:
+    app: runner
+spec:
+  replicas: $NB_REPLICAS
+  selector:
+    matchLabels:
+      app: runner
+  template:
+    metadata:
+      labels:
+        app: runner
+    spec:
+      securityContext:
+        fsGroup: 1000
+      containers:
+        - name: runner
+          image: "$IMAGERUNNER"
+          securityContext:
+            privileged: true
+          env:
+            - name: DOCKER_HOST
+              value: tcp://localhost:2376
+            - name: DOCKER_CERT_PATH
+              value: /certs/client
+            - name: DOCKER_TLS_VERIFY
+              value: "1"
+            - name: GITEA_INSTANCE_URL
+              value: "$BASE_URL"
+            - name: GITEA_RUNNER_LABELS
+              value: "debian:docker:$BASE_URL/actions/debian:latest"
+            - name: GITEA_RUNNER_REGISTRATION_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: runner-secret
+                  key: token
+          volumeMounts:
+            - name: data
+              mountPath: /data/
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        storageClassName: nfs-csi
+        resources:
+          requests:
+            storage: 10Mi

manifests/prod/ssh.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ssh
+  labels:
+    app: app
+spec:
+  type: NodePort
+  selector:
+    app: app
+  ports:
+    - name: ssh
+      port: 22
+      targetPort: ssh
+      nodePort: 30022