feat: renovatebot (#2)

Reviewed-on: #2

.env

@@ -1,3 +1,3 @@
 PROD_URL=git.gmoker.com
-IMAGEAPP=docker.gitea.com/gitea:1.23.7-rootless
-IMAGERUNNER=docker.gitea.com/act_runner:0.2.11-dind-rootless
+IMAGEAPP=docker.io/gitea/gitea:1.22.6-rootless
+IMAGERUNNER=docker.io/gitea/act_runner:0.2.11-dind-rootless

.gitea/workflows/deploy.yaml

@@ -11,7 +11,7 @@ jobs:
           if [ "${{ gitea.ref_name }}" == prod ] && [ -n "$PROD_URL" ]; then
             BASE_URL="$PROD_URL"
           else
-            BASE_URL="${{ gitea.ref_name }}.$(tr / '\n' <<< "${{ gitea.repository }}" | tac | tr '\n' .)k3s.gmoker.com"
+            BASE_URL="${{ gitea.ref_name }}.$(tr / '\n' <<< "${{ gitea.repository }}" | tac | tr '\n' .)k8s.gmoker.com"
           fi
           cat <<EOF >> .env
           BASE_URL="$BASE_URL"
@@ -20,4 +20,4 @@ jobs:
 
       - uses: actions/k8sdeploy@v1
         with:
-          kubeconfig: "${{ secrets.K3S }}"
+          kubeconfig: "${{ secrets.K8S }}"

config/app.ini

@@ -51,7 +51,7 @@ RUN_USER = ; git
 RUN_MODE = prod
 ;;
 ;; The working directory, see the comment of AppWorkPath above
-WORK_PATH = /var/lib/gitea
+;WORK_PATH =
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -81,10 +81,6 @@ DOMAIN = $BASE_URL
 ;; Overwrite the automatically generated public URL. Necessary for proxies and docker.
 ROOT_URL = https://%(DOMAIN)s/
 ;;
-;; For development purpose only. It makes Gitea handle sub-path ("/sub-path/owner/repo/...") directly when debugging without a reverse proxy.
-;; DO NOT USE IT IN PRODUCTION!!!
-;USE_SUB_URL_PATH = false
-;;
 ;; when STATIC_URL_PREFIX is empty it will follow ROOT_URL
 ;STATIC_URL_PREFIX =
 ;;
@@ -306,8 +302,6 @@ LANDING_PAGE = explore
 ;; Enables git-lfs support. true or false, default is false.
 LFS_START_SERVER = false
 ;;
-;; Enables git-lfs SSH protocol support. true or false, default is false.
-;LFS_ALLOW_PURE_SSH = false
 ;;
 ;; LFS authentication secret, change this yourself
 ;LFS_JWT_SECRET =
@@ -324,10 +318,6 @@ LFS_START_SERVER = false
 ;; Maximum number of locks returned per page
 ;LFS_LOCKS_PAGING_NUM = 50
 ;;
-;; When clients make lfs batch requests, reject them if there are more pointers than this number
-;; zero means 'unlimited'
-;LFS_MAX_BATCH_SIZE = 0
-;;
 ;; Allow graceful restarts using SIGHUP to fork
 ;ALLOW_GRACEFUL_RESTARTS = true
 ;;
@@ -513,9 +503,6 @@ REVERSE_PROXY_TRUSTED_PROXIES = *
 ;; stemming from cached/logged plain-text API tokens.
 ;; In future releases, this will become the default behavior
 ;DISABLE_QUERY_AUTH_TOKEN = false
-;;
-;; On user registration, record the IP address and user agent of the user to help identify potential abuse.
-;; RECORD_USER_SIGNUP_METADATA = false
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -532,8 +519,7 @@ REVERSE_PROXY_TRUSTED_PROXIES = *
 ;; HMAC to encode urls with, it **is required** if camo is enabled.
 ;HMAC_KEY =
 ;; Set to true to use camo for https too lese only non https urls are proxyed
-;; ALLWAYS is deprecated and will be removed in the future
-;ALWAYS = false
+;ALLWAYS = false
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -554,7 +540,7 @@ ENABLED = false
 ;;
 ;; OAuth2 authentication secret for access and refresh tokens, change this yourself to a unique string. CLI generate option is helpful in this case. https://docs.gitea.io/en-us/command-line/#generate
 ;; This setting is only needed if JWT_SIGNING_ALGORITHM is set to HS256, HS384 or HS512.
-;JWT_SECRET =
+JWT_SECRET =
 ;;
 ;; Alternative location to specify OAuth2 authentication secret. You cannot specify both this and JWT_SECRET, and must pick one
 JWT_SECRET_URI = file:/etc/gitea/secrets/oauth2_jwt_secret
@@ -583,7 +569,7 @@ JWT_SECRET_URI = file:/etc/gitea/secrets/oauth2_jwt_secret
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Root path for the log files - defaults to %(GITEA_WORK_DIR)/log
-ROOT_PATH = data/log
+ROOT_PATH = /var/lib/gitea/data/log
 ;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Main Logger
@@ -774,10 +760,7 @@ DISABLE_REGISTRATION = true
 ;ALLOW_ONLY_EXTERNAL_REGISTRATION = false
 ;;
 ;; User must sign in to view anything.
-;; After 1.23.7, it could be set to "expensive" to block anonymous users accessing some pages which consume a lot of resources,
-;; for example: block anonymous AI crawlers from accessing repo code pages.
-;; The "expensive" mode is experimental and subject to change.
-;REQUIRE_SIGNIN_VIEW = false
+REQUIRE_SIGNIN_VIEW = false
 ;;
 ;; Mail notification
 ;ENABLE_NOTIFY_MAIL = false
@@ -787,13 +770,6 @@ DISABLE_REGISTRATION = true
 ;; Please note that setting this to false will not disable OAuth Basic or Basic authentication using a token
 ;ENABLE_BASIC_AUTHENTICATION = true
 ;;
-;; Show the password sign-in form (for password-based login), otherwise, only show OAuth2 or passkey login methods if they are enabled.
-;; If you set it to false, maybe it also needs to set ENABLE_BASIC_AUTHENTICATION to false to completely disable password-based authentication.
-;ENABLE_PASSWORD_SIGNIN_FORM = true
-;;
-;; Allow users to sign-in with a passkey
-;ENABLE_PASSKEY_AUTHENTICATION = true
-;;
 ;; More detail: https://github.com/gogits/gogs/issues/165
 ;ENABLE_REVERSE_PROXY_AUTHENTICATION = false
 ; Enable this to allow reverse proxy authentication for API requests, the reverse proxy is responsible for ensuring that no CSRF is possible.
@@ -921,24 +897,6 @@ SHOW_REGISTRATION_BUTTON = false
 ;; Valid site url schemes for user profiles
 ;VALID_SITE_URL_SCHEMES=http,https
 
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[service.explore]
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;;
-;; Only allow signed in users to view the explore pages.
-;REQUIRE_SIGNIN_VIEW = false
-;;
-;; Disable the users explore page.
-;DISABLE_USERS_PAGE = false
-;;
-;; Disable the organizations explore page.
-;DISABLE_ORGANIZATIONS_PAGE = false
-;;
-;; Disable the code explore page.
-;DISABLE_CODE_PAGE = false
-;;
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -954,7 +912,7 @@ SHOW_REGISTRATION_BUTTON = false
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Root path for storing all repository data. By default, it is set to %(APP_DATA_PATH)s/gitea-repositories.
 ;; A relative path is interpreted as _`AppWorkPath`_/%(ROOT)s
-ROOT = git/repositories
+ROOT = /var/lib/gitea/git/repositories
 ;;
 ;; The script type this server supports. Usually this is `bash`, but some users report that only `sh` is available.
 ;SCRIPT_TYPE = bash
@@ -982,7 +940,7 @@ DEFAULT_PRIVATE = private
 ;;
 ;; Preferred Licenses to place at the top of the List
 ;; The name here must match the filename in options/license or custom/options/license
-;PREFERRED_LICENSES = Apache License 2.0,MIT License
+PREFERRED_LICENSES = GPL-3.0-only
 ;;
 ;; Disable the ability to interact with repositories using the HTTP protocol
 ;DISABLE_HTTP_GIT = false
@@ -1017,14 +975,6 @@ DEFAULT_PRIVATE = private
 ;; The set of allowed values and rules are the same as DEFAULT_REPO_UNITS.
 ;DEFAULT_FORK_REPO_UNITS = repo.code,repo.pulls
 ;;
-;; Comma separated list of default mirror repo units.
-;; The set of allowed values and rules are the same as DEFAULT_REPO_UNITS.
-;DEFAULT_MIRROR_REPO_UNITS = repo.code,repo.releases,repo.issues,repo.wiki,repo.projects,repo.packages
-;;
-;; Comma separated list of default template repo units.
-;; The set of allowed values and rules are the same as DEFAULT_REPO_UNITS.
-;DEFAULT_TEMPLATE_REPO_UNITS = repo.code,repo.releases,repo.issues,repo.pulls,repo.wiki,repo.projects,repo.packages
-;;
 ;; Prefix archive files by placing them in a directory named after the repository
 ;PREFIX_ARCHIVE_FILES = true
 ;;
@@ -1046,13 +996,9 @@ DEFAULT_PRIVATE = private
 ;; Don't allow download source archive files from UI
 ;DISABLE_DOWNLOAD_SOURCE_ARCHIVES = false
 
-;; Allow to fork repositories without maximum number limit
+;; Allow fork repositories without maximum number limit
 ;ALLOW_FORK_WITHOUT_MAXIMUM_LIMIT = true
 
-;; Allow to fork repositories into the same owner (user or organization)
-;; This feature is experimental, not fully tested, and may be changed in the future
-;ALLOW_FORK_INTO_SAME_OWNER = false
-
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;[repository.editor]
@@ -1109,7 +1055,7 @@ ENABLED = false
 ;REOPEN_KEYWORDS = reopen,reopens,reopened
 ;;
 ;; Set default merge style for repository creating, valid options: merge, rebase, rebase-merge, squash, fast-forward-only
-DEFAULT_MERGE_STYLE = squash
+DEFAULT_MERGE_STYLE = fast-forward-only
 ;;
 ;; In the default merge message for squash commits include at most this many commits
 ;DEFAULT_MERGE_MESSAGE_COMMITS_LIMIT = 50
@@ -1388,9 +1334,6 @@ ALLOW_DOMAIN = %(DOMAIN)s
 ;;
 ;; Maximum allowed file size in bytes to render CSV files as table. (Set to 0 for no limit).
 ;MAX_FILE_SIZE = 524288
-;;
-;; Maximum allowed rows to render CSV files. (Set to 0 for no limit)
-;MAX_ROWS = 2500
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -1488,10 +1431,6 @@ ISSUE_INDEXER_TYPE = db
 ;REPO_INDEXER_EXCLUDE =
 ;;
 ;MAX_FILE_SIZE = 1048576
-;;
-;; Bleve engine has performance problems with fuzzy search, so we limit the fuzziness to 0 by default to disable it.
-;; If you'd like to enable it, you can set it to a value between 0 and 2.
-;TYPE_BLEVE_MAX_FUZZINESS = 0
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -1517,7 +1456,7 @@ TYPE = redis
 ;; Batch size to send for batched queues
 ;BATCH_LENGTH = 20
 ;;
-;; Connection string for redis queues this will store the redis (or Redis cluster) connection string.
+;; Connection string for redis queues this will store the redis or redis-cluster connection string.
 ;; When `TYPE` is `persistable-channel`, this provides a directory for the underlying leveldb
 ;; or additional options of the form `leveldb://path/to/db?option=value&....`, and will override `DATADIR`.
 CONN_STR = redis://$REDIS_HOST:$REDIS_PORT/$REDIS_DB
@@ -1542,21 +1481,15 @@ CONN_STR = redis://$REDIS_HOST:$REDIS_PORT/$REDIS_DB
 ;;
 ;; Default configuration for email notifications for users (user configurable). Options: enabled, onmention, disabled
 ;DEFAULT_EMAIL_NOTIFICATIONS = enabled
-;; Disabled features for users could be "deletion", "manage_ssh_keys", "manage_gpg_keys", "manage_mfa", "manage_credentials" more features can be disabled in future
+;; Disabled features for users, could be "deletion", "manage_ssh_keys","manage_gpg_keys" more features can be disabled in future
 ;; - deletion: a user cannot delete their own account
 ;; - manage_ssh_keys: a user cannot configure ssh keys
 ;; - manage_gpg_keys: a user cannot configure gpg keys
-;; - manage_mfa: a user cannot configure mfa devices
-;; - manage_credentials: a user cannot configure emails, passwords, or openid
 ;USER_DISABLED_FEATURES =
-;; Comma separated list of disabled features ONLY if the user has an external login type (eg. LDAP, Oauth, etc.), could be "deletion", "manage_ssh_keys", "manage_gpg_keys", "manage_mfa", "manage_credentials". This setting is independent from `USER_DISABLED_FEATURES` and supplements its behavior.
+;; Comma separated list of disabled features ONLY if the user has an external login type (eg. LDAP, Oauth, etc.), could be `deletion`, `manage_ssh_keys`, `manage_gpg_keys`. This setting is independent from `USER_DISABLED_FEATURES` and supplements its behavior.
 ;; - deletion: a user cannot delete their own account
 ;; - manage_ssh_keys: a user cannot configure ssh keys
 ;; - manage_gpg_keys: a user cannot configure gpg keys
-;; - manage_mfa: a user cannot configure mfa devices
-;; - manage_credentials: a user cannot configure emails, passwords, or openid
-;; - change_username: a user cannot change their username
-;; - change_full_name: a user cannot change their full name
 ;;EXTERNAL_USER_DISABLE_FEATURES =
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -1732,10 +1665,6 @@ ENABLE_OPENID_SIGNIN = false
 ;; Sometimes it is helpful to use a different address on the envelope. Set this to use ENVELOPE_FROM as the from on the envelope. Set to `<>` to send an empty address.
 ;ENVELOPE_FROM =
 ;;
-;; If gitea sends mails on behave of users, it will just use the name also displayed in the WebUI. If you want e.g. `Mister X (by CodeIt) <gitea@codeit.net>`,
-;; set it to `{{ .DisplayName }} (by {{ .AppName }})`. Available Variables: `.DisplayName`, `.AppName` and `.Domain`.
-;FROM_DISPLAY_NAME_FORMAT = {{ .DisplayName }}
-;;
 ;; Mailer user name and password, if required by provider.
 ;USER =
 ;;
@@ -1758,16 +1687,6 @@ ENABLE_OPENID_SIGNIN = false
 ;; convert \r\n to \n for Sendmail
 ;SENDMAIL_CONVERT_CRLF = true
 
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[mailer.override_header]
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;; This is empty by default, use it only if you know what you need it for.
-;Reply-To = test@example.com, test2@example.com
-;Content-Type = text/html; charset=utf-8
-;In-Reply-To =
-
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;[email.incoming]
@@ -1821,8 +1740,9 @@ ADAPTER = redis
 ;; For "memory" only, GC interval in seconds, default is 60
 ;INTERVAL = 60
 ;;
-;; For "redis" and "memcache", connection host address
-;; redis: `redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s` (or `redis+cluster://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s` for a Redis cluster)
+;; For "redis", "redis-cluster" and "memcache", connection host address
+;; redis: `redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
+;; redis-cluster: `redis+cluster://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
 ;; memcache: `127.0.0.1:11211`
 ;; twoqueue: `{"size":50000,"recent_ratio":0.25,"ghost_ratio":0.5}` or `50000`
 HOST = redis://$REDIS_HOST:$REDIS_PORT/$REDIS_DB
@@ -1852,14 +1772,15 @@ HOST = redis://$REDIS_HOST:$REDIS_PORT/$REDIS_DB
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
-;; Either "memory", "file", "redis", "db", "mysql", "couchbase", "memcache" or "postgres"
+;; Either "memory", "file", "redis", "redis-cluster", "db", "mysql", "couchbase", "memcache" or "postgres"
 ;; Default is "memory". "db" will reuse the configuration in [database]
 PROVIDER = redis
 ;;
 ;; Provider config options
 ;; memory: doesn't have any config yet
 ;; file: session file path, e.g. `data/sessions`
-;; redis: `redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s` (or `redis+cluster://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s` for a Redis cluster)
+;; redis: `redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
+;; redis-cluster: `redis+cluster://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
 ;; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
 PROVIDER_CONFIG = redis://$REDIS_HOST:$REDIS_PORT/$REDIS_DB
 ;;
@@ -1885,7 +1806,7 @@ PROVIDER_CONFIG = redis://$REDIS_HOST:$REDIS_PORT/$REDIS_DB
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
 AVATAR_UPLOAD_PATH = /var/lib/gitea/data/avatars
-REPOSITORY_AVATAR_UPLOAD_PATH = data/repo-avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /var/lib/gitea/data/repo-avatars
 ;;
 ;; How Gitea deals with missing repository avatars
 ;; none = no avatar will be displayed; random = random avatar will be displayed; image = default image will be used
@@ -1930,7 +1851,7 @@ REPOSITORY_AVATAR_UPLOAD_PATH = data/repo-avatars
 ;ENABLED = true
 ;;
 ;; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
-;ALLOWED_TYPES = .avif,.cpuprofile,.csv,.dmp,.docx,.fodg,.fodp,.fods,.fodt,.gif,.gz,.jpeg,.jpg,.json,.jsonc,.log,.md,.mov,.mp4,.odf,.odg,.odp,.ods,.odt,.patch,.pdf,.png,.pptx,.svg,.tgz,.txt,.webm,.webp,.xls,.xlsx,.zip
+;ALLOWED_TYPES = .csv,.docx,.fodg,.fodp,.fods,.fodt,.gif,.gz,.jpeg,.jpg,.log,.md,.mov,.mp4,.odf,.odg,.odp,.ods,.odt,.patch,.pdf,.png,.pptx,.svg,.tgz,.txt,.webm,.xls,.xlsx,.zip
 ;;
 ;; Max size of each file. Defaults to 2048MB
 MAX_SIZE = 16
@@ -1943,32 +1864,22 @@ MAX_SIZE = 16
 ;STORAGE_TYPE = local
 ;;
 ;; Allows the storage driver to redirect to authenticated URLs to serve files directly
-;; Currently, only `minio` and `azureblob` is supported.
+;; Currently, only `minio` is supported.
 ;SERVE_DIRECT = false
 ;;
 ;; Path for attachments. Defaults to `attachments`. Only available when STORAGE_TYPE is `local`
 ;; Relative paths will be resolved to `${AppDataPath}/${attachment.PATH}`
-PATH = data/attachments
+PATH = /var/lib/gitea/data/attachments
 ;;
 ;; Minio endpoint to connect only available when STORAGE_TYPE is `minio`
 ;MINIO_ENDPOINT = localhost:9000
 ;;
-;; Minio accessKeyID to connect only available when STORAGE_TYPE is `minio`.
-;; If not provided and STORAGE_TYPE is `minio`, will search for credentials in known
-;; environment variables (MINIO_ACCESS_KEY_ID, AWS_ACCESS_KEY_ID), credentials files
-;; (~/.mc/config.json, ~/.aws/credentials), and EC2 instance metadata.
+;; Minio accessKeyID to connect only available when STORAGE_TYPE is `minio`
 ;MINIO_ACCESS_KEY_ID =
 ;;
 ;; Minio secretAccessKey to connect only available when STORAGE_TYPE is `minio`
 ;MINIO_SECRET_ACCESS_KEY =
 ;;
-;; Preferred IAM Endpoint to override Minio's default IAM Endpoint resolution only available when STORAGE_TYPE is `minio`.
-;; If not provided and STORAGE_TYPE is `minio`, will search for and derive endpoint from known environment variables
-;; (AWS_CONTAINER_AUTHORIZATION_TOKEN, AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE, AWS_CONTAINER_CREDENTIALS_RELATIVE_URI,
-;; AWS_CONTAINER_CREDENTIALS_FULL_URI, AWS_WEB_IDENTITY_TOKEN_FILE, AWS_ROLE_ARN, AWS_ROLE_SESSION_NAME, AWS_REGION),
-;; or the DefaultIAMRoleEndpoint if not provided otherwise.
-;MINIO_IAM_ENDPOINT =
-;;
 ;; Minio bucket to store the attachments only available when STORAGE_TYPE is `minio`
 ;MINIO_BUCKET = gitea
 ;;
@@ -1986,24 +1897,6 @@ PATH = data/attachments
 ;;
 ;; Minio checksum algorithm: default (for MinIO or AWS S3) or md5 (for Cloudflare or Backblaze)
 ;MINIO_CHECKSUM_ALGORITHM = default
-;;
-;; Minio bucket lookup method defaults to auto mode; set it to `dns` for virtual host style or `path` for path style, only available when STORAGE_TYPE is `minio`
-;MINIO_BUCKET_LOOKUP_TYPE = auto
-;; Azure Blob endpoint to connect only available when STORAGE_TYPE is `azureblob`,
-;; e.g. https://accountname.blob.core.windows.net or http://127.0.0.1:10000/devstoreaccount1
-;AZURE_BLOB_ENDPOINT =
-;;
-;; Azure Blob account name to connect only available when STORAGE_TYPE is `azureblob`
-;AZURE_BLOB_ACCOUNT_NAME =
-;;
-;; Azure Blob account key to connect only available when STORAGE_TYPE is `azureblob`
-;AZURE_BLOB_ACCOUNT_KEY =
-;;
-;; Azure Blob container to store the attachments only available when STORAGE_TYPE is `azureblob`
-;AZURE_BLOB_CONTAINER = gitea
-;;
-;; override the azure blob base path if storage type is azureblob
-;AZURE_BLOB_BASE_PATH = attachments/
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -2563,11 +2456,6 @@ ENABLED = false
 ;STORAGE_TYPE = local
 ;; override the minio base path if storage type is minio
 ;MINIO_BASE_PATH = packages/
-;; override the azure blob base path if storage type is azureblob
-;AZURE_BLOB_BASE_PATH = packages/
-;; Allows the storage driver to redirect to authenticated URLs to serve files directly
-;; Currently, only `minio` and `azureblob` is supported.
-;SERVE_DIRECT = false
 ;;
 ;; Path for chunked uploads. Defaults to APP_DATA_PATH + `tmp/package-upload`
 ;CHUNKED_UPLOAD_PATH = tmp/package-upload
@@ -2618,8 +2506,7 @@ ENABLED = false
 ;LIMIT_SIZE_SWIFT = -1
 ;; Maximum size of a Vagrant upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
 ;LIMIT_SIZE_VAGRANT = -1
-;; Enable RPM re-signing by default. (It will overwrite the old signature ,using v4 format, not compatible with CentOS 6 or older)
-;DEFAULT_RPM_SIGN_ENABLED  = false
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; default storage for attachments, lfs and avatars
@@ -2642,8 +2529,6 @@ ENABLED = false
 ;;
 ;; override the minio base path if storage type is minio
 ;MINIO_BASE_PATH = repo-archive/
-;; override the azure blob base path if storage type is azureblob
-;AZURE_BLOB_BASE_PATH = repo-archive/
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -2665,25 +2550,8 @@ ENABLED = false
 ;; Where your lfs files reside, default is data/lfs.
 ;PATH = data/lfs
 ;;
-;; Allows the storage driver to redirect to authenticated URLs to serve files directly
-;; Currently, only `minio` and `azureblob` is supported.
-;SERVE_DIRECT = false
-;;
 ;; override the minio base path if storage type is minio
 ;MINIO_BASE_PATH = lfs/
-;;
-;; override the azure blob base path if storage type is azureblob
-;AZURE_BLOB_BASE_PATH = lfs/
-
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;; settings for Gitea's LFS client (eg: mirroring an upstream lfs endpoint)
-;;
-;[lfs_client]
-;; Limit the number of pointers in each batch request to this number
-;BATCH_SIZE = 20
-;; Limit the number of concurrent upload/download operations within a batch
-;BATCH_OPERATION_CONCURRENCY = 8
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -2698,28 +2566,18 @@ ENABLED = false
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; customize storage
-;[storage.minio]
+;[storage.my_minio]
 ;STORAGE_TYPE = minio
 ;;
 ;; Minio endpoint to connect only available when STORAGE_TYPE is `minio`
 ;MINIO_ENDPOINT = localhost:9000
 ;;
-;; Minio accessKeyID to connect only available when STORAGE_TYPE is `minio`.
-;; If not provided and STORAGE_TYPE is `minio`, will search for credentials in known
-;; environment variables (MINIO_ACCESS_KEY_ID, AWS_ACCESS_KEY_ID), credentials files
-;; (~/.mc/config.json, ~/.aws/credentials), and EC2 instance metadata.
+;; Minio accessKeyID to connect only available when STORAGE_TYPE is `minio`
 ;MINIO_ACCESS_KEY_ID =
 ;;
 ;; Minio secretAccessKey to connect only available when STORAGE_TYPE is `minio`
 ;MINIO_SECRET_ACCESS_KEY =
 ;;
-;; Preferred IAM Endpoint to override Minio's default IAM Endpoint resolution only available when STORAGE_TYPE is `minio`.
-;; If not provided and STORAGE_TYPE is `minio`, will search for and derive endpoint from known environment variables
-;; (AWS_CONTAINER_AUTHORIZATION_TOKEN, AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE, AWS_CONTAINER_CREDENTIALS_RELATIVE_URI,
-;; AWS_CONTAINER_CREDENTIALS_FULL_URI, AWS_WEB_IDENTITY_TOKEN_FILE, AWS_ROLE_ARN, AWS_ROLE_SESSION_NAME, AWS_REGION),
-;; or the DefaultIAMRoleEndpoint if not provided otherwise.
-;MINIO_IAM_ENDPOINT =
-;;
 ;; Minio bucket to store the attachments only available when STORAGE_TYPE is `minio`
 ;MINIO_BUCKET = gitea
 ;;
@@ -2731,25 +2589,6 @@ ENABLED = false
 ;;
 ;; Minio skip SSL verification available when STORAGE_TYPE is `minio`
 ;MINIO_INSECURE_SKIP_VERIFY = false
-;;
-;; Minio bucket lookup method defaults to auto mode; set it to `dns` for virtual host style or `path` for path style, only available when STORAGE_TYPE is `minio`
-;MINIO_BUCKET_LOOKUP_TYPE = auto
-
-;[storage.azureblob]
-;STORAGE_TYPE = azureblob
-;;
-;; Azure Blob endpoint to connect only available when STORAGE_TYPE is `azureblob`,
-;; e.g. https://accountname.blob.core.windows.net or http://127.0.0.1:10000/devstoreaccount1
-;AZURE_BLOB_ENDPOINT =
-;;
-;; Azure Blob account name to connect only available when STORAGE_TYPE is `azureblob`
-;AZURE_BLOB_ACCOUNT_NAME =
-;;
-;; Azure Blob account key to connect only available when STORAGE_TYPE is `azureblob`
-;AZURE_BLOB_ACCOUNT_KEY =
-;;
-;; Azure Blob container to store the attachments only available when STORAGE_TYPE is `azureblob`
-;AZURE_BLOB_CONTAINER = gitea
 
 ;[proxy]
 ;; Enable the proxy, all requests to external via HTTP will be affected
@@ -2765,14 +2604,6 @@ ENABLED = false
 ;;
 ;; Default platform to get action plugins, `github` for `https://github.com`, `self` for the current Gitea instance.
 DEFAULT_ACTIONS_URL = self
-;; Logs retention time in days. Old logs will be deleted after this period.
-;LOG_RETENTION_DAYS = 365
-;; Log compression type, `none` for no compression, `zstd` for zstd compression.
-;; Other compression types like `gzip` are NOT supported, since seekable stream is required for log view.
-;; It's always recommended to use compression when using local disk as log storage if CPU or memory is not a bottleneck.
-;; And for object storage services like S3, which is billed for requests, it would cause extra 2 times of get requests for each log view.
-;; But it will save storage space and network bandwidth, so it's still recommended to use compression.
-;LOG_COMPRESSION = zstd
 ;; Default artifact retention time in days. Artifacts could have their own retention periods by setting the `retention-days` option in `actions/upload-artifact` step.
 ;ARTIFACT_RETENTION_DAYS = 90
 ;; Timeout to stop the task which have running status, but haven't been updated for a long time
@@ -2793,9 +2624,3 @@ DEFAULT_ACTIONS_URL = self
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; storage type
 ;STORAGE_TYPE = local
-
-;[global_lock]
-;; Lock service type, could be memory or redis
-;SERVICE_TYPE = memory
-;; Ignored for the "memory" type. For "redis" use something like `redis://127.0.0.1:6379/0`
-;SERVICE_CONN_STR =

diff.sh

@@ -4,4 +4,4 @@ URL='https://raw.githubusercontent.com'
 REPO='go-gitea/gitea'
 TAG="release/v$(awk -F: '/^IMAGEAPP/{sub(".[0-9]+-rootless", ""); print $2}' .env)"
 
-$EDITOR -d -- config/app.ini "$URL/$REPO/$TAG/custom/conf/app.example.ini"
+$EDITOR -d -c "wincmd l" -- "$URL/$REPO/$TAG/custom/conf/app.example.ini" config/app.ini

manifests/bin/deploy.sh

@@ -3,32 +3,34 @@ set -o pipefail
 
 function kapply() {
     for f in "$@"; do
-        kubectl apply --server-side -f<(envsubst < "manifests/$f")
+        kubectl apply -f <(envsubst < "manifests/$f")
     done
 }; export -f kapply
 
 function kcreatesec() {
-    kubectl apply --server-side \
-        -f<(kubectl create secret generic --dry-run=client -oyaml "$@")
+    kubectl create secret generic --save-config --dry-run=client -oyaml "$@" | kubectl apply -f-
 }; export -f kcreatesec
 
 function kcreatecm() {
-    kubectl apply --server-side \
-        -f<(kubectl create configmap --dry-run=client -oyaml "$@")
+    kubectl create configmap --dry-run=client -oyaml "$@" | kubectl apply -f-
 }; export -f kcreatecm
 
 function kgseckey() {
     local sec="$1"; shift
     local key="$1"; shift
 
-    kubectl get secret "$sec" -ojson | jq -re ".data.\"$key\"" | base64 -d
+    if ! kubectl get secret "$sec" -ojson | jq -re ".data.\"$key\" // empty" | base64 -d; then
+        return 1
+    fi
 }; export -f kgseckey
 
 function kgcmkey() {
     local cm="$1";  shift
     local key="$1"; shift
 
-    kubectl get configmap "$cm" -ojson | jq -re ".data.\"$key\""
+    if ! kubectl get configmap "$cm" -ojson | jq -re ".data.\"$key\" // empty"; then
+        return 1
+    fi
 }; export -f kgcmkey
 
 

manifests/bin/prod.sh

@@ -7,5 +7,5 @@ export NB_REPLICAS=1
 . ./manifests/bin/deploy.sh
 
 if [ "$GITHUB_REF_NAME" = prod ]; then
-    kapply prod/ports.yaml
+    kapply prod/ssh.yaml
 fi

manifests/common/app.yaml

@@ -54,8 +54,6 @@ spec:
       labels:
         app: app
     spec:
-      nodeSelector:
-        type: main
       containers:
         - name: app
           image: "$IMAGEAPP"
@@ -65,13 +63,13 @@ spec:
             - name: ssh
               containerPort: 2222
           volumeMounts:
+            - name: data
+              mountPath: /var/lib/gitea/
             - name: config
               mountPath: /etc/gitea/app.ini
               subPath: app.ini
             - name: secrets
               mountPath: /etc/gitea/secrets/
-            - name: data
-              mountPath: /var/lib/gitea/
       securityContext:
         fsGroup: 1000
       volumes:
@@ -87,6 +85,7 @@ spec:
       spec:
         accessModes:
           - ReadWriteOnce
+        storageClassName: nfs-csi
         resources:
           requests:
             storage: 1Gi

manifests/common/db.yaml

@@ -7,6 +7,3 @@ spec:
   instances: $NB_REPLICAS
   storage:
     size: 1Gi
-  affinity:
-    nodeSelector:
-      type: main

manifests/common/runner.yaml

@@ -17,8 +17,6 @@ spec:
     spec:
       securityContext:
         fsGroup: 1000
-      nodeSelector:
-        type: data
       containers:
         - name: runner
           image: "$IMAGERUNNER"
@@ -49,6 +47,7 @@ spec:
       spec:
         accessModes:
           - ReadWriteOnce
+        storageClassName: nfs-csi
         resources:
           requests:
             storage: 10Mi