k3s ... prod

Author SHA1 Message Date
f231efb04e feat: renovatebot (#2)
All checks were successful
/ deploy (push) Successful in 19s
Reviewed-on: #2
2024-12-23 02:44:15 +00:00
10 changed files with 45 additions and 223 deletions

4
.env

@ -1,3 +1,3 @@
PROD_URL=git.gmoker.com
IMAGEAPP=docker.gitea.com/gitea:1.23.7-rootless
IMAGERUNNER=docker.gitea.com/act_runner:0.2.11-dind-rootless
IMAGEAPP=docker.io/gitea/gitea:1.22.6-rootless
IMAGERUNNER=docker.io/gitea/act_runner:0.2.11-dind-rootless
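Review bot: Both image references on the new side are pinned by tag only (`docker.io/gitea/gitea:1.22.6-rootless`, `docker.io/gitea/act_runner:0.2.11-dind-rootless`), and a tag can be re-pointed at the registry, so this file does not fix what actually gets pulled. Appending the digest, e.g. `IMAGEAPP=docker.io/gitea/gitea:1.22.6-rootless@sha256:<digest>`, keeps the readable version and makes the pull reproducible; the awk expression in the app.ini diff helper splits this line on `:` and would then need to strip the digest. Going by the hunk counts and print order, the new side also carries an older Gitea release (1.22.6) than the other branch (1.23.7), so it is worth confirming that this is the intended direction before deploying.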


@ -11,7 +11,7 @@ jobs:
if [ "${{ gitea.ref_name }}" == prod ] && [ -n "$PROD_URL" ]; then
BASE_URL="$PROD_URL"
else
BASE_URL="${{ gitea.ref_name }}.$(tr / '\n' <<< "${{ gitea.repository }}" | tac | tr '\n' .)k3s.gmoker.com"
BASE_URL="${{ gitea.ref_name }}.$(tr / '\n' <<< "${{ gitea.repository }}" | tac | tr '\n' .)k8s.gmoker.com"
fi
cat <<EOF >> .env
BASE_URL="$BASE_URL"
@ -20,4 +20,4 @@ jobs:
- uses: actions/k8sdeploy@v1
with:
kubeconfig: "${{ secrets.K3S }}"
kubeconfig: "${{ secrets.K8S }}"
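Review bot: The `BASE_URL=` line on the new side still pastes `${{ gitea.ref_name }}` and `${{ gitea.repository }}` into the script text, so they are substituted before bash parses the line and a branch name containing shell metacharacters becomes part of the command instead of data. This job goes on to deploy with the kubeconfig from `secrets.K8S`, so the values should reach the script as environment variables: the deploy script in this comparison already reads `"$GITHUB_REF_NAME"`, and the repository can be passed the same way through the step's `env:` (for example `REPOSITORY: ${{ gitea.repository }}`, then `"$REPOSITORY"` in the script). The same applies to the `if [ "${{ gitea.ref_name }}" == prod ]` test above it. The step starts outside the hunk, so an existing `env:` block cannot be ruled out from here.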


@ -51,7 +51,7 @@ RUN_USER = ; git
RUN_MODE = prod
;;
;; The working directory, see the comment of AppWorkPath above
WORK_PATH = /var/lib/gitea
;WORK_PATH =
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -81,10 +81,6 @@ DOMAIN = $BASE_URL
;; Overwrite the automatically generated public URL. Necessary for proxies and docker.
ROOT_URL = https://%(DOMAIN)s/
;;
;; For development purpose only. It makes Gitea handle sub-path ("/sub-path/owner/repo/...") directly when debugging without a reverse proxy.
;; DO NOT USE IT IN PRODUCTION!!!
;USE_SUB_URL_PATH = false
;;
;; when STATIC_URL_PREFIX is empty it will follow ROOT_URL
;STATIC_URL_PREFIX =
;;
@ -306,8 +302,6 @@ LANDING_PAGE = explore
;; Enables git-lfs support. true or false, default is false.
LFS_START_SERVER = false
;;
;; Enables git-lfs SSH protocol support. true or false, default is false.
;LFS_ALLOW_PURE_SSH = false
;;
;; LFS authentication secret, change this yourself
;LFS_JWT_SECRET =
@ -324,10 +318,6 @@ LFS_START_SERVER = false
;; Maximum number of locks returned per page
;LFS_LOCKS_PAGING_NUM = 50
;;
;; When clients make lfs batch requests, reject them if there are more pointers than this number
;; zero means 'unlimited'
;LFS_MAX_BATCH_SIZE = 0
;;
;; Allow graceful restarts using SIGHUP to fork
;ALLOW_GRACEFUL_RESTARTS = true
;;
@ -513,9 +503,6 @@ REVERSE_PROXY_TRUSTED_PROXIES = *
;; stemming from cached/logged plain-text API tokens.
;; In future releases, this will become the default behavior
;DISABLE_QUERY_AUTH_TOKEN = false
;;
;; On user registration, record the IP address and user agent of the user to help identify potential abuse.
;; RECORD_USER_SIGNUP_METADATA = false
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -532,8 +519,7 @@ REVERSE_PROXY_TRUSTED_PROXIES = *
;; HMAC to encode urls with, it **is required** if camo is enabled.
;HMAC_KEY =
;; Set to true to use camo for https too lese only non https urls are proxyed
;; ALLWAYS is deprecated and will be removed in the future
;ALWAYS = false
;ALLWAYS = false
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -554,7 +540,7 @@ ENABLED = false
;;
;; OAuth2 authentication secret for access and refresh tokens, change this yourself to a unique string. CLI generate option is helpful in this case. https://docs.gitea.io/en-us/command-line/#generate
;; This setting is only needed if JWT_SIGNING_ALGORITHM is set to HS256, HS384 or HS512.
;JWT_SECRET =
JWT_SECRET =
;;
;; Alternative location to specify OAuth2 authentication secret. You cannot specify both this and JWT_SECRET, and must pick one
JWT_SECRET_URI = file:/etc/gitea/secrets/oauth2_jwt_secret
@ -583,7 +569,7 @@ JWT_SECRET_URI = file:/etc/gitea/secrets/oauth2_jwt_secret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Root path for the log files - defaults to %(GITEA_WORK_DIR)/log
ROOT_PATH = data/log
ROOT_PATH = /var/lib/gitea/data/log
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Main Logger
@ -774,10 +760,7 @@ DISABLE_REGISTRATION = true
;ALLOW_ONLY_EXTERNAL_REGISTRATION = false
;;
;; User must sign in to view anything.
;; After 1.23.7, it could be set to "expensive" to block anonymous users accessing some pages which consume a lot of resources,
;; for example: block anonymous AI crawlers from accessing repo code pages.
;; The "expensive" mode is experimental and subject to change.
;REQUIRE_SIGNIN_VIEW = false
REQUIRE_SIGNIN_VIEW = false
;;
;; Mail notification
;ENABLE_NOTIFY_MAIL = false
@ -787,13 +770,6 @@ DISABLE_REGISTRATION = true
;; Please note that setting this to false will not disable OAuth Basic or Basic authentication using a token
;ENABLE_BASIC_AUTHENTICATION = true
;;
;; Show the password sign-in form (for password-based login), otherwise, only show OAuth2 or passkey login methods if they are enabled.
;; If you set it to false, maybe it also needs to set ENABLE_BASIC_AUTHENTICATION to false to completely disable password-based authentication.
;ENABLE_PASSWORD_SIGNIN_FORM = true
;;
;; Allow users to sign-in with a passkey
;ENABLE_PASSKEY_AUTHENTICATION = true
;;
;; More detail: https://github.com/gogits/gogs/issues/165
;ENABLE_REVERSE_PROXY_AUTHENTICATION = false
; Enable this to allow reverse proxy authentication for API requests, the reverse proxy is responsible for ensuring that no CSRF is possible.
@ -921,24 +897,6 @@ SHOW_REGISTRATION_BUTTON = false
;; Valid site url schemes for user profiles
;VALID_SITE_URL_SCHEMES=http,https
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;[service.explore]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Only allow signed in users to view the explore pages.
;REQUIRE_SIGNIN_VIEW = false
;;
;; Disable the users explore page.
;DISABLE_USERS_PAGE = false
;;
;; Disable the organizations explore page.
;DISABLE_ORGANIZATIONS_PAGE = false
;;
;; Disable the code explore page.
;DISABLE_CODE_PAGE = false
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -954,7 +912,7 @@ SHOW_REGISTRATION_BUTTON = false
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Root path for storing all repository data. By default, it is set to %(APP_DATA_PATH)s/gitea-repositories.
;; A relative path is interpreted as _`AppWorkPath`_/%(ROOT)s
ROOT = git/repositories
ROOT = /var/lib/gitea/git/repositories
;;
;; The script type this server supports. Usually this is `bash`, but some users report that only `sh` is available.
;SCRIPT_TYPE = bash
@ -982,7 +940,7 @@ DEFAULT_PRIVATE = private
;;
;; Preferred Licenses to place at the top of the List
;; The name here must match the filename in options/license or custom/options/license
;PREFERRED_LICENSES = Apache License 2.0,MIT License
PREFERRED_LICENSES = GPL-3.0-only
;;
;; Disable the ability to interact with repositories using the HTTP protocol
;DISABLE_HTTP_GIT = false
@ -1017,14 +975,6 @@ DEFAULT_PRIVATE = private
;; The set of allowed values and rules are the same as DEFAULT_REPO_UNITS.
;DEFAULT_FORK_REPO_UNITS = repo.code,repo.pulls
;;
;; Comma separated list of default mirror repo units.
;; The set of allowed values and rules are the same as DEFAULT_REPO_UNITS.
;DEFAULT_MIRROR_REPO_UNITS = repo.code,repo.releases,repo.issues,repo.wiki,repo.projects,repo.packages
;;
;; Comma separated list of default template repo units.
;; The set of allowed values and rules are the same as DEFAULT_REPO_UNITS.
;DEFAULT_TEMPLATE_REPO_UNITS = repo.code,repo.releases,repo.issues,repo.pulls,repo.wiki,repo.projects,repo.packages
;;
;; Prefix archive files by placing them in a directory named after the repository
;PREFIX_ARCHIVE_FILES = true
;;
@ -1046,13 +996,9 @@ DEFAULT_PRIVATE = private
;; Don't allow download source archive files from UI
;DISABLE_DOWNLOAD_SOURCE_ARCHIVES = false
;; Allow to fork repositories without maximum number limit
;; Allow fork repositories without maximum number limit
;ALLOW_FORK_WITHOUT_MAXIMUM_LIMIT = true
;; Allow to fork repositories into the same owner (user or organization)
;; This feature is experimental, not fully tested, and may be changed in the future
;ALLOW_FORK_INTO_SAME_OWNER = false
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;[repository.editor]
@ -1109,7 +1055,7 @@ ENABLED = false
;REOPEN_KEYWORDS = reopen,reopens,reopened
;;
;; Set default merge style for repository creating, valid options: merge, rebase, rebase-merge, squash, fast-forward-only
DEFAULT_MERGE_STYLE = squash
DEFAULT_MERGE_STYLE = fast-forward-only
;;
;; In the default merge message for squash commits include at most this many commits
;DEFAULT_MERGE_MESSAGE_COMMITS_LIMIT = 50
@ -1388,9 +1334,6 @@ ALLOW_DOMAIN = %(DOMAIN)s
;;
;; Maximum allowed file size in bytes to render CSV files as table. (Set to 0 for no limit).
;MAX_FILE_SIZE = 524288
;;
;; Maximum allowed rows to render CSV files. (Set to 0 for no limit)
;MAX_ROWS = 2500
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -1488,10 +1431,6 @@ ISSUE_INDEXER_TYPE = db
;REPO_INDEXER_EXCLUDE =
;;
;MAX_FILE_SIZE = 1048576
;;
;; Bleve engine has performance problems with fuzzy search, so we limit the fuzziness to 0 by default to disable it.
;; If you'd like to enable it, you can set it to a value between 0 and 2.
;TYPE_BLEVE_MAX_FUZZINESS = 0
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -1517,7 +1456,7 @@ TYPE = redis
;; Batch size to send for batched queues
;BATCH_LENGTH = 20
;;
;; Connection string for redis queues this will store the redis (or Redis cluster) connection string.
;; Connection string for redis queues this will store the redis or redis-cluster connection string.
;; When `TYPE` is `persistable-channel`, this provides a directory for the underlying leveldb
;; or additional options of the form `leveldb://path/to/db?option=value&....`, and will override `DATADIR`.
CONN_STR = redis://$REDIS_HOST:$REDIS_PORT/$REDIS_DB
@ -1542,21 +1481,15 @@ CONN_STR = redis://$REDIS_HOST:$REDIS_PORT/$REDIS_DB
;;
;; Default configuration for email notifications for users (user configurable). Options: enabled, onmention, disabled
;DEFAULT_EMAIL_NOTIFICATIONS = enabled
;; Disabled features for users could be "deletion", "manage_ssh_keys", "manage_gpg_keys", "manage_mfa", "manage_credentials" more features can be disabled in future
;; Disabled features for users, could be "deletion", "manage_ssh_keys","manage_gpg_keys" more features can be disabled in future
;; - deletion: a user cannot delete their own account
;; - manage_ssh_keys: a user cannot configure ssh keys
;; - manage_gpg_keys: a user cannot configure gpg keys
;; - manage_mfa: a user cannot configure mfa devices
;; - manage_credentials: a user cannot configure emails, passwords, or openid
;USER_DISABLED_FEATURES =
;; Comma separated list of disabled features ONLY if the user has an external login type (eg. LDAP, Oauth, etc.), could be "deletion", "manage_ssh_keys", "manage_gpg_keys", "manage_mfa", "manage_credentials". This setting is independent from `USER_DISABLED_FEATURES` and supplements its behavior.
;; Comma separated list of disabled features ONLY if the user has an external login type (eg. LDAP, Oauth, etc.), could be `deletion`, `manage_ssh_keys`, `manage_gpg_keys`. This setting is independent from `USER_DISABLED_FEATURES` and supplements its behavior.
;; - deletion: a user cannot delete their own account
;; - manage_ssh_keys: a user cannot configure ssh keys
;; - manage_gpg_keys: a user cannot configure gpg keys
;; - manage_mfa: a user cannot configure mfa devices
;; - manage_credentials: a user cannot configure emails, passwords, or openid
;; - change_username: a user cannot change their username
;; - change_full_name: a user cannot change their full name
;;EXTERNAL_USER_DISABLE_FEATURES =
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -1732,10 +1665,6 @@ ENABLE_OPENID_SIGNIN = false
;; Sometimes it is helpful to use a different address on the envelope. Set this to use ENVELOPE_FROM as the from on the envelope. Set to `<>` to send an empty address.
;ENVELOPE_FROM =
;;
;; If gitea sends mails on behave of users, it will just use the name also displayed in the WebUI. If you want e.g. `Mister X (by CodeIt) <gitea@codeit.net>`,
;; set it to `{{ .DisplayName }} (by {{ .AppName }})`. Available Variables: `.DisplayName`, `.AppName` and `.Domain`.
;FROM_DISPLAY_NAME_FORMAT = {{ .DisplayName }}
;;
;; Mailer user name and password, if required by provider.
;USER =
;;
@ -1758,16 +1687,6 @@ ENABLE_OPENID_SIGNIN = false
;; convert \r\n to \n for Sendmail
;SENDMAIL_CONVERT_CRLF = true
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;[mailer.override_header]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; This is empty by default, use it only if you know what you need it for.
;Reply-To = test@example.com, test2@example.com
;Content-Type = text/html; charset=utf-8
;In-Reply-To =
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;[email.incoming]
@ -1821,8 +1740,9 @@ ADAPTER = redis
;; For "memory" only, GC interval in seconds, default is 60
;INTERVAL = 60
;;
;; For "redis" and "memcache", connection host address
;; redis: `redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s` (or `redis+cluster://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s` for a Redis cluster)
;; For "redis", "redis-cluster" and "memcache", connection host address
;; redis: `redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
;; redis-cluster: `redis+cluster://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
;; memcache: `127.0.0.1:11211`
;; twoqueue: `{"size":50000,"recent_ratio":0.25,"ghost_ratio":0.5}` or `50000`
HOST = redis://$REDIS_HOST:$REDIS_PORT/$REDIS_DB
@ -1852,14 +1772,15 @@ HOST = redis://$REDIS_HOST:$REDIS_PORT/$REDIS_DB
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; Either "memory", "file", "redis", "db", "mysql", "couchbase", "memcache" or "postgres"
;; Either "memory", "file", "redis", "redis-cluster", "db", "mysql", "couchbase", "memcache" or "postgres"
;; Default is "memory". "db" will reuse the configuration in [database]
PROVIDER = redis
;;
;; Provider config options
;; memory: doesn't have any config yet
;; file: session file path, e.g. `data/sessions`
;; redis: `redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s` (or `redis+cluster://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s` for a Redis cluster)
;; redis: `redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
;; redis-cluster: `redis+cluster://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
;; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
PROVIDER_CONFIG = redis://$REDIS_HOST:$REDIS_PORT/$REDIS_DB
;;
@ -1885,7 +1806,7 @@ PROVIDER_CONFIG = redis://$REDIS_HOST:$REDIS_PORT/$REDIS_DB
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
AVATAR_UPLOAD_PATH = /var/lib/gitea/data/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = data/repo-avatars
REPOSITORY_AVATAR_UPLOAD_PATH = /var/lib/gitea/data/repo-avatars
;;
;; How Gitea deals with missing repository avatars
;; none = no avatar will be displayed; random = random avatar will be displayed; image = default image will be used
@ -1930,7 +1851,7 @@ REPOSITORY_AVATAR_UPLOAD_PATH = data/repo-avatars
;ENABLED = true
;;
;; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
;ALLOWED_TYPES = .avif,.cpuprofile,.csv,.dmp,.docx,.fodg,.fodp,.fods,.fodt,.gif,.gz,.jpeg,.jpg,.json,.jsonc,.log,.md,.mov,.mp4,.odf,.odg,.odp,.ods,.odt,.patch,.pdf,.png,.pptx,.svg,.tgz,.txt,.webm,.webp,.xls,.xlsx,.zip
;ALLOWED_TYPES = .csv,.docx,.fodg,.fodp,.fods,.fodt,.gif,.gz,.jpeg,.jpg,.log,.md,.mov,.mp4,.odf,.odg,.odp,.ods,.odt,.patch,.pdf,.png,.pptx,.svg,.tgz,.txt,.webm,.xls,.xlsx,.zip
;;
;; Max size of each file. Defaults to 2048MB
MAX_SIZE = 16
@ -1943,32 +1864,22 @@ MAX_SIZE = 16
;STORAGE_TYPE = local
;;
;; Allows the storage driver to redirect to authenticated URLs to serve files directly
;; Currently, only `minio` and `azureblob` is supported.
;; Currently, only `minio` is supported.
;SERVE_DIRECT = false
;;
;; Path for attachments. Defaults to `attachments`. Only available when STORAGE_TYPE is `local`
;; Relative paths will be resolved to `${AppDataPath}/${attachment.PATH}`
PATH = data/attachments
PATH = /var/lib/gitea/data/attachments
;;
;; Minio endpoint to connect only available when STORAGE_TYPE is `minio`
;MINIO_ENDPOINT = localhost:9000
;;
;; Minio accessKeyID to connect only available when STORAGE_TYPE is `minio`.
;; If not provided and STORAGE_TYPE is `minio`, will search for credentials in known
;; environment variables (MINIO_ACCESS_KEY_ID, AWS_ACCESS_KEY_ID), credentials files
;; (~/.mc/config.json, ~/.aws/credentials), and EC2 instance metadata.
;; Minio accessKeyID to connect only available when STORAGE_TYPE is `minio`
;MINIO_ACCESS_KEY_ID =
;;
;; Minio secretAccessKey to connect only available when STORAGE_TYPE is `minio`
;MINIO_SECRET_ACCESS_KEY =
;;
;; Preferred IAM Endpoint to override Minio's default IAM Endpoint resolution only available when STORAGE_TYPE is `minio`.
;; If not provided and STORAGE_TYPE is `minio`, will search for and derive endpoint from known environment variables
;; (AWS_CONTAINER_AUTHORIZATION_TOKEN, AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE, AWS_CONTAINER_CREDENTIALS_RELATIVE_URI,
;; AWS_CONTAINER_CREDENTIALS_FULL_URI, AWS_WEB_IDENTITY_TOKEN_FILE, AWS_ROLE_ARN, AWS_ROLE_SESSION_NAME, AWS_REGION),
;; or the DefaultIAMRoleEndpoint if not provided otherwise.
;MINIO_IAM_ENDPOINT =
;;
;; Minio bucket to store the attachments only available when STORAGE_TYPE is `minio`
;MINIO_BUCKET = gitea
;;
@ -1986,24 +1897,6 @@ PATH = data/attachments
;;
;; Minio checksum algorithm: default (for MinIO or AWS S3) or md5 (for Cloudflare or Backblaze)
;MINIO_CHECKSUM_ALGORITHM = default
;;
;; Minio bucket lookup method defaults to auto mode; set it to `dns` for virtual host style or `path` for path style, only available when STORAGE_TYPE is `minio`
;MINIO_BUCKET_LOOKUP_TYPE = auto
;; Azure Blob endpoint to connect only available when STORAGE_TYPE is `azureblob`,
;; e.g. https://accountname.blob.core.windows.net or http://127.0.0.1:10000/devstoreaccount1
;AZURE_BLOB_ENDPOINT =
;;
;; Azure Blob account name to connect only available when STORAGE_TYPE is `azureblob`
;AZURE_BLOB_ACCOUNT_NAME =
;;
;; Azure Blob account key to connect only available when STORAGE_TYPE is `azureblob`
;AZURE_BLOB_ACCOUNT_KEY =
;;
;; Azure Blob container to store the attachments only available when STORAGE_TYPE is `azureblob`
;AZURE_BLOB_CONTAINER = gitea
;;
;; override the azure blob base path if storage type is azureblob
;AZURE_BLOB_BASE_PATH = attachments/
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -2563,11 +2456,6 @@ ENABLED = false
;STORAGE_TYPE = local
;; override the minio base path if storage type is minio
;MINIO_BASE_PATH = packages/
;; override the azure blob base path if storage type is azureblob
;AZURE_BLOB_BASE_PATH = packages/
;; Allows the storage driver to redirect to authenticated URLs to serve files directly
;; Currently, only `minio` and `azureblob` is supported.
;SERVE_DIRECT = false
;;
;; Path for chunked uploads. Defaults to APP_DATA_PATH + `tmp/package-upload`
;CHUNKED_UPLOAD_PATH = tmp/package-upload
@ -2618,8 +2506,7 @@ ENABLED = false
;LIMIT_SIZE_SWIFT = -1
;; Maximum size of a Vagrant upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
;LIMIT_SIZE_VAGRANT = -1
;; Enable RPM re-signing by default. (It will overwrite the old signature ,using v4 format, not compatible with CentOS 6 or older)
;DEFAULT_RPM_SIGN_ENABLED = false
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; default storage for attachments, lfs and avatars
@ -2642,8 +2529,6 @@ ENABLED = false
;;
;; override the minio base path if storage type is minio
;MINIO_BASE_PATH = repo-archive/
;; override the azure blob base path if storage type is azureblob
;AZURE_BLOB_BASE_PATH = repo-archive/
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -2665,25 +2550,8 @@ ENABLED = false
;; Where your lfs files reside, default is data/lfs.
;PATH = data/lfs
;;
;; Allows the storage driver to redirect to authenticated URLs to serve files directly
;; Currently, only `minio` and `azureblob` is supported.
;SERVE_DIRECT = false
;;
;; override the minio base path if storage type is minio
;MINIO_BASE_PATH = lfs/
;;
;; override the azure blob base path if storage type is azureblob
;AZURE_BLOB_BASE_PATH = lfs/
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; settings for Gitea's LFS client (eg: mirroring an upstream lfs endpoint)
;;
;[lfs_client]
;; Limit the number of pointers in each batch request to this number
;BATCH_SIZE = 20
;; Limit the number of concurrent upload/download operations within a batch
;BATCH_OPERATION_CONCURRENCY = 8
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -2698,28 +2566,18 @@ ENABLED = false
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; customize storage
;[storage.minio]
;[storage.my_minio]
;STORAGE_TYPE = minio
;;
;; Minio endpoint to connect only available when STORAGE_TYPE is `minio`
;MINIO_ENDPOINT = localhost:9000
;;
;; Minio accessKeyID to connect only available when STORAGE_TYPE is `minio`.
;; If not provided and STORAGE_TYPE is `minio`, will search for credentials in known
;; environment variables (MINIO_ACCESS_KEY_ID, AWS_ACCESS_KEY_ID), credentials files
;; (~/.mc/config.json, ~/.aws/credentials), and EC2 instance metadata.
;; Minio accessKeyID to connect only available when STORAGE_TYPE is `minio`
;MINIO_ACCESS_KEY_ID =
;;
;; Minio secretAccessKey to connect only available when STORAGE_TYPE is `minio`
;MINIO_SECRET_ACCESS_KEY =
;;
;; Preferred IAM Endpoint to override Minio's default IAM Endpoint resolution only available when STORAGE_TYPE is `minio`.
;; If not provided and STORAGE_TYPE is `minio`, will search for and derive endpoint from known environment variables
;; (AWS_CONTAINER_AUTHORIZATION_TOKEN, AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE, AWS_CONTAINER_CREDENTIALS_RELATIVE_URI,
;; AWS_CONTAINER_CREDENTIALS_FULL_URI, AWS_WEB_IDENTITY_TOKEN_FILE, AWS_ROLE_ARN, AWS_ROLE_SESSION_NAME, AWS_REGION),
;; or the DefaultIAMRoleEndpoint if not provided otherwise.
;MINIO_IAM_ENDPOINT =
;;
;; Minio bucket to store the attachments only available when STORAGE_TYPE is `minio`
;MINIO_BUCKET = gitea
;;
@ -2731,25 +2589,6 @@ ENABLED = false
;;
;; Minio skip SSL verification available when STORAGE_TYPE is `minio`
;MINIO_INSECURE_SKIP_VERIFY = false
;;
;; Minio bucket lookup method defaults to auto mode; set it to `dns` for virtual host style or `path` for path style, only available when STORAGE_TYPE is `minio`
;MINIO_BUCKET_LOOKUP_TYPE = auto
;[storage.azureblob]
;STORAGE_TYPE = azureblob
;;
;; Azure Blob endpoint to connect only available when STORAGE_TYPE is `azureblob`,
;; e.g. https://accountname.blob.core.windows.net or http://127.0.0.1:10000/devstoreaccount1
;AZURE_BLOB_ENDPOINT =
;;
;; Azure Blob account name to connect only available when STORAGE_TYPE is `azureblob`
;AZURE_BLOB_ACCOUNT_NAME =
;;
;; Azure Blob account key to connect only available when STORAGE_TYPE is `azureblob`
;AZURE_BLOB_ACCOUNT_KEY =
;;
;; Azure Blob container to store the attachments only available when STORAGE_TYPE is `azureblob`
;AZURE_BLOB_CONTAINER = gitea
;[proxy]
;; Enable the proxy, all requests to external via HTTP will be affected
@ -2765,14 +2604,6 @@ ENABLED = false
;;
;; Default platform to get action plugins, `github` for `https://github.com`, `self` for the current Gitea instance.
DEFAULT_ACTIONS_URL = self
;; Logs retention time in days. Old logs will be deleted after this period.
;LOG_RETENTION_DAYS = 365
;; Log compression type, `none` for no compression, `zstd` for zstd compression.
;; Other compression types like `gzip` are NOT supported, since seekable stream is required for log view.
;; It's always recommended to use compression when using local disk as log storage if CPU or memory is not a bottleneck.
;; And for object storage services like S3, which is billed for requests, it would cause extra 2 times of get requests for each log view.
;; But it will save storage space and network bandwidth, so it's still recommended to use compression.
;LOG_COMPRESSION = zstd
;; Default artifact retention time in days. Artifacts could have their own retention periods by setting the `retention-days` option in `actions/upload-artifact` step.
;ARTIFACT_RETENTION_DAYS = 90
;; Timeout to stop the task which have running status, but haven't been updated for a long time
@ -2793,9 +2624,3 @@ DEFAULT_ACTIONS_URL = self
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; storage type
;STORAGE_TYPE = local
;[global_lock]
;; Lock service type, could be memory or redis
;SERVICE_TYPE = memory
;; Ignored for the "memory" type. For "redis" use something like `redis://127.0.0.1:6379/0`
;SERVICE_CONN_STR =
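Review bot: In the hunk that turns `;JWT_SECRET =` into `JWT_SECRET =`, the new side defines an empty `JWT_SECRET` directly above `JWT_SECRET_URI = file:/etc/gitea/secrets/oauth2_jwt_secret`, while the comment between the two says they cannot both be specified. Whether an empty value counts as specified is not visible on this page, so either keep the key commented out, `;JWT_SECRET =`, or confirm on the deployed version that the secret is still read from the file. The same section also makes `REQUIRE_SIGNIN_VIEW = false` explicit, which leaves public content browsable without login; a one-line comment stating that this is intended would help the next reader.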


@ -4,4 +4,4 @@ URL='https://raw.githubusercontent.com'
REPO='go-gitea/gitea'
TAG="release/v$(awk -F: '/^IMAGEAPP/{sub(".[0-9]+-rootless", ""); print $2}' .env)"
$EDITOR -d -- config/app.ini "$URL/$REPO/$TAG/custom/conf/app.example.ini"
$EDITOR -d -c "wincmd l" -- "$URL/$REPO/$TAG/custom/conf/app.example.ini" config/app.ini
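Review bot: The new invocation only works when `$EDITOR` is Vim or Neovim, because `-c "wincmd l"` is an ex command, and nothing in the script says so. A comment above the line such as `# needs a Vim-compatible $EDITOR: -d opens diff mode, -c "wincmd l" focuses the right-hand window (config/app.ini)` would make the requirement visible. The script begins outside the hunk, so an earlier check on `$EDITOR` cannot be ruled out.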


@ -3,32 +3,34 @@ set -o pipefail
function kapply() {
for f in "$@"; do
kubectl apply --server-side -f<(envsubst < "manifests/$f")
kubectl apply -f <(envsubst < "manifests/$f")
done
}; export -f kapply
function kcreatesec() {
kubectl apply --server-side \
-f<(kubectl create secret generic --dry-run=client -oyaml "$@")
kubectl create secret generic --save-config --dry-run=client -oyaml "$@" | kubectl apply -f-
}; export -f kcreatesec
function kcreatecm() {
kubectl apply --server-side \
-f<(kubectl create configmap --dry-run=client -oyaml "$@")
kubectl create configmap --dry-run=client -oyaml "$@" | kubectl apply -f-
}; export -f kcreatecm
function kgseckey() {
local sec="$1"; shift
local key="$1"; shift
kubectl get secret "$sec" -ojson | jq -re ".data.\"$key\"" | base64 -d
if ! kubectl get secret "$sec" -ojson | jq -re ".data.\"$key\" // empty" | base64 -d; then
return 1
fi
}; export -f kgseckey
function kgcmkey() {
local cm="$1"; shift
local key="$1"; shift
kubectl get configmap "$cm" -ojson | jq -re ".data.\"$key\""
if ! kubectl get configmap "$cm" -ojson | jq -re ".data.\"$key\" // empty"; then
return 1
fi
}; export -f kgcmkey
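Review bot: `kgseckey` and `kgcmkey` still build the jq program by pasting `$key` into it (`".data.\"$key\" // empty"`), so a key containing `"` or `\` changes the filter instead of being looked up. Passing the key as data avoids that in both functions: `jq -re --arg k "$key" '.data[$k] // empty'`. On the new side `kcreatesec` also goes through client-side `kubectl apply` with `--save-config`, which records the applied manifest, Secret `data` included, in the `kubectl.kubernetes.io/last-applied-configuration` annotation. That copy is readable only by whoever can already read the Secret, but a comment noting it would keep the annotation from being treated as harmless metadata.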


@ -7,5 +7,5 @@ export NB_REPLICAS=1
. ./manifests/bin/deploy.sh
if [ "$GITHUB_REF_NAME" = prod ]; then
kapply prod/ports.yaml
kapply prod/ssh.yaml
fi


@ -54,8 +54,6 @@ spec:
labels:
app: app
spec:
nodeSelector:
type: main
containers:
- name: app
image: "$IMAGEAPP"
@ -65,13 +63,13 @@ spec:
- name: ssh
containerPort: 2222
volumeMounts:
- name: data
mountPath: /var/lib/gitea/
- name: config
mountPath: /etc/gitea/app.ini
subPath: app.ini
- name: secrets
mountPath: /etc/gitea/secrets/
- name: data
mountPath: /var/lib/gitea/
securityContext:
fsGroup: 1000
volumes:
@ -87,6 +85,7 @@ spec:
spec:
accessModes:
- ReadWriteOnce
storageClassName: nfs-csi
resources:
requests:
storage: 1Gi
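Review bot: The claim template on the new side hard-codes `storageClassName: nfs-csi`, which puts everything under `/var/lib/gitea/` (the repositories and the absolute data paths set in `app.ini`) on what is presumably an NFS export, and the manifest records none of the assumptions this relies on. Two things are worth confirming and noting in a comment next to the field. First, the export should be reachable only from the cluster nodes, since NFS access control is usually host-based. Second, the driver's `fsGroupPolicy` must let `fsGroup: 1000` take effect so the rootless image can write to the volume. The runner manifest later in this comparison adds the same line to its claim template and needs the same check; both specs continue outside their hunks.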


@ -7,6 +7,3 @@ spec:
instances: $NB_REPLICAS
storage:
size: 1Gi
affinity:
nodeSelector:
type: main


@ -17,8 +17,6 @@ spec:
spec:
securityContext:
fsGroup: 1000
nodeSelector:
type: data
containers:
- name: runner
image: "$IMAGERUNNER"
@ -49,6 +47,7 @@ spec:
spec:
accessModes:
- ReadWriteOnce
storageClassName: nfs-csi
resources:
requests:
storage: 10Mi
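Review bot: Dropping `nodeSelector: type: data` lets the runner pod land on any node, and the app manifest and the database cluster spec in this comparison drop `type: main` as well. The docker-in-docker runner, which executes repository-defined jobs, can therefore now share a node with Gitea and its database. If the selectors were removed only because the target cluster lacks those labels, consider keeping the separation with a label that exists there, or state in the manifest that co-location is accepted. The pod spec continues outside the hunk, so tolerations or affinity defined elsewhere are not visible here.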