diff --git a/kubernetes/services/forgejo/forgejo.yml b/kubernetes/services/forgejo/forgejo.yml index cdde98d..3fe29b6 100644 --- a/kubernetes/services/forgejo/forgejo.yml +++ b/kubernetes/services/forgejo/forgejo.yml 
@@ -1,747 +1,30 @@ -# Default values for gitea. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. -## @section Global -# -## @param global.imageRegistry global image registry override -## @param global.imagePullSecrets global image pull secrets override; can be extended by `imagePullSecrets` -## @param global.storageClass global storage class override -## @param global.hostAliases global hostAliases which will be added to the pod's hosts files global: - imageRegistry: "" - ## E.g. - ## imagePullSecrets: - ## - myRegistryKeySecretName - ## - imagePullSecrets: [] storageClass: "longhorn" - hostAliases: [] - # - ip: 192.168.137.2 - # hostnames: - # - example.com -## @param replicaCount number of replicas for the deployment -replicaCount: 1 - -## @section strategy -## @param strategy.type strategy type -## @param strategy.rollingUpdate.maxSurge maxSurge -## @param strategy.rollingUpdate.maxUnavailable maxUnavailable -strategy: - type: "RollingUpdate" - rollingUpdate: - maxSurge: "100%" - maxUnavailable: 0 - -## @param clusterDomain cluster domain -clusterDomain: cluster.local - -## @section Image -## @param image.registry image registry, e.g. gcr.io,docker.io -## @param image.repository Image to start for this pod -## @param image.tag Visit: [Image tag](https://code.forgejo.org/forgejo/-/packages/container/forgejo/versions). Defaults to `appVersion` within Chart.yaml. -## @param image.digest Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest` -## @param image.pullPolicy Image pull policy -## @param image.rootless Wether or not to pull the rootless version of Forgejo -## @param image.fullOverride Completely overrides the image registry, path/image, tag and digest. 
**Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).** -image: - registry: code.forgejo.org - repository: forgejo/forgejo - # Overrides the image tag whose default is the chart appVersion. - tag: "" - digest: "" - pullPolicy: IfNotPresent - rootless: true - fullOverride: "" - -## @param imagePullSecrets Secret to use for pulling the image -imagePullSecrets: [] - -## @section Security -# Security context is only usable with rootless image due to image design -## @param podSecurityContext.fsGroup Set the shared file system group for all containers in the pod. -podSecurityContext: - fsGroup: 1000 - -## @param containerSecurityContext Security context -containerSecurityContext: {} -# allowPrivilegeEscalation: false -# capabilities: -# drop: -# - ALL -# # Add the SYS_CHROOT capability for root and rootless images if you intend to -# # run pods on nodes that use the container runtime cri-o. Otherwise, you will -# # get an error message from the SSH server that it is not possible to read from -# # the repository. -# # https://gitea.com/gitea/helm-chart/issues/161 -# add: -# - SYS_CHROOT -# privileged: false -# readOnlyRootFilesystem: true -# runAsGroup: 1000 -# runAsNonRoot: true -# runAsUser: 1000 - -## @deprecated The securityContext variable has been split two: -## - containerSecurityContext -## - podSecurityContext. 
-## @param securityContext Run init and Forgejo containers as a specific securityContext -securityContext: {} - -## @param podDisruptionBudget Pod disruption budget -podDisruptionBudget: {} -# maxUnavailable: 1 -# minAvailable: 1 - -## @section Service -service: - ## @param service.http.type Kubernetes service type for web traffic - ## @param service.http.port Port number for web traffic - ## @param service.http.clusterIP ClusterIP setting for http autosetup for deployment is None - ## @param service.http.loadBalancerIP LoadBalancer IP setting - ## @param service.http.nodePort NodePort for http service - ## @param service.http.externalTrafficPolicy If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation - ## @param service.http.externalIPs External IPs for service - ## @param service.http.ipFamilyPolicy HTTP service dual-stack policy - ## @param service.http.ipFamilies HTTP service dual-stack familiy selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/). 
- ## @param service.http.loadBalancerSourceRanges Source range filter for http loadbalancer - ## @param service.http.annotations HTTP service annotations - ## @param service.http.labels HTTP service additional labels - ## @param service.http.loadBalancerClass Loadbalancer class - http: - type: ClusterIP - port: 3000 - clusterIP: None - loadBalancerIP: - nodePort: - externalTrafficPolicy: - externalIPs: - ipFamilyPolicy: - ipFamilies: - loadBalancerSourceRanges: [] - annotations: {} - labels: {} - loadBalancerClass: - ## @param service.ssh.type Kubernetes service type for ssh traffic - ## @param service.ssh.port Port number for ssh traffic - ## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for deployment is None - ## @param service.ssh.loadBalancerIP LoadBalancer IP setting - ## @param service.ssh.nodePort NodePort for ssh service - ## @param service.ssh.externalTrafficPolicy If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation - ## @param service.ssh.externalIPs External IPs for service - ## @param service.ssh.ipFamilyPolicy SSH service dual-stack policy - ## @param service.ssh.ipFamilies SSH service dual-stack familiy selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/). 
- ## @param service.ssh.hostPort HostPort for ssh service - ## @param service.ssh.loadBalancerSourceRanges Source range filter for ssh loadbalancer - ## @param service.ssh.annotations SSH service annotations - ## @param service.ssh.labels SSH service additional labels - ## @param service.ssh.loadBalancerClass Loadbalancer class - ssh: - type: ClusterIP - port: 22 - clusterIP: None - loadBalancerIP: - nodePort: - externalTrafficPolicy: - externalIPs: - ipFamilyPolicy: - ipFamilies: - hostPort: - loadBalancerSourceRanges: [] - annotations: {} - labels: {} - loadBalancerClass: - -## @section Ingress -## @param ingress.enabled Enable ingress -## @param ingress.className Ingress class name -## @param ingress.annotations Ingress annotations -## @param ingress.hosts[0].host Default Ingress host -## @param ingress.hosts[0].paths[0].path Default Ingress path -## @param ingress.hosts[0].paths[0].pathType Ingress path type -## @param ingress.tls Ingress tls settings -## @extra ingress.apiVersion Specify APIVersion of ingress object. Mostly would only be used for argocd. ingress: enabled: true - # className: nginx - className: - annotations: - {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" hosts: - host: git.example.com paths: - path: / pathType: Prefix - tls: [] - # - secretName: chart-example-tls - # hosts: - # - git.example.com - # Mostly for argocd or any other CI that uses `helm template | kubectl apply` or similar - # If helm doesn't correctly detect your ingress API version you can set it here. - # apiVersion: networking.k8s.io/v1 -## @section deployment -# -## @param resources Kubernetes resources -resources: - {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. 
If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -## Use an alternate scheduler, e.g. "stork". -## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ -## -## @param schedulerName Use an alternate scheduler, e.g. "stork" -schedulerName: "" - -## @param nodeSelector NodeSelector for the deployment -nodeSelector: {} - -## @param tolerations Tolerations for the deployment -tolerations: [] - -## @param affinity Affinity for the deployment -affinity: {} - -## @param topologySpreadConstraints TopologySpreadConstraints for the deployment -topologySpreadConstraints: [] - -## @param dnsConfig dnsConfig for the deployment -dnsConfig: {} - -## @param priorityClassName priorityClassName for the deployment -priorityClassName: "" - -## @param deployment.env Additional environment variables to pass to containers -## @param deployment.terminationGracePeriodSeconds How long to wait until forcefully kill the pod -## @param deployment.labels Labels for the deployment -## @param deployment.annotations Annotations for the Forgejo deployment to be created -deployment: - env: - [] - # - name: VARIABLE - # value: my-value - terminationGracePeriodSeconds: 60 - labels: {} - annotations: {} - -## @section ServiceAccount - -## @param serviceAccount.create Enable the creation of a ServiceAccount -## @param serviceAccount.name Name of the created ServiceAccount, defaults to release name. Can also link to an externally provided ServiceAccount that should be used. 
-## @param serviceAccount.automountServiceAccountToken Enable/disable auto mounting of the service account token -## @param serviceAccount.imagePullSecrets Image pull secrets, available to the ServiceAccount -## @param serviceAccount.annotations Custom annotations for the ServiceAccount -## @param serviceAccount.labels Custom labels for the ServiceAccount -serviceAccount: - create: false - name: "" - automountServiceAccountToken: false - imagePullSecrets: [] - # - name: private-registry-access - annotations: {} - labels: {} - -## @section Persistence -# -## @param persistence.enabled Enable persistent storage -## @param persistence.create Whether to create the persistentVolumeClaim for shared storage -## @param persistence.mount Whether the persistentVolumeClaim should be mounted (even if not created) -## @param persistence.claimName Use an existing claim to store repository information -## @param persistence.size Size for persistence to store repo information -## @param persistence.accessModes AccessMode for persistence -## @param persistence.labels Labels for the persistence volume claim to be created -## @param persistence.annotations.helm.sh/resource-policy Resource policy for the persistence volume claim -## @param persistence.storageClass Name of the storage class to use -## @param persistence.subPath Subdirectory of the volume to mount at -## @param persistence.volumeName Name of persistent volume in PVC -persistence: +postgresql-ha: enabled: true - create: true - mount: true - claimName: gitea-shared-storage - size: 10Gi - accessModes: - - ReadWriteOnce - labels: {} - storageClass: - subPath: - volumeName: "" - annotations: - helm.sh/resource-policy: keep + diagnosticMode: + enabled: false + postgresql: + image: + tag: 16.4.0-debian-12-r34 -## @param extraVolumes Additional volumes to mount to the Forgejo deployment -extraVolumes: [] -# - name: postgres-ssl-vol -# secret: -# secretName: gitea-postgres-ssl - -## @param extraContainerVolumeMounts Mounts that 
are only mapped into the Forgejo runtime/main container, to e.g. override custom templates. -extraContainerVolumeMounts: [] - -## @param extraInitVolumeMounts Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration. -extraInitVolumeMounts: [] - -## @deprecated The extraVolumeMounts variable has been split two: -## - extraContainerVolumeMounts -## - extraInitVolumeMounts -## As an example, can be used to mount a client cert when connecting to an external Postgres server. -## @param extraVolumeMounts **DEPRECATED** Additional volume mounts for init containers and the Forgejo main container -extraVolumeMounts: [] -# - name: postgres-ssl-vol -# readOnly: true -# mountPath: "/pg-ssl" - -## @section Init -## @param initPreScript Bash shell script copied verbatim to the start of the init-container. -initPreScript: "" -# -# initPreScript: | -# mkdir -p /data/git/.postgresql -# cp /pg-ssl/* /data/git/.postgresql/ -# chown -R git:git /data/git/.postgresql/ -# chmod 400 /data/git/.postgresql/postgresql.key - -## @param initContainers.resources.limits initContainers.limits Kubernetes resource limits for init containers -## @param initContainers.resources.requests.cpu initContainers.requests.cpu Kubernetes cpu resource limits for init containers -## @param initContainers.resources.requests.memory initContainers.requests.memory Kubernetes memory resource limits for init containers -initContainers: - resources: - limits: {} - requests: - cpu: 100m - memory: 128Mi - -# Configure commit/action signing prerequisites -## @section Signing -# -## @param signing.enabled Enable commit/action signing -## @param signing.gpgHome GPG home directory -## @param signing.privateKey Inline private gpg key for signed internal Git activity -## @param signing.existingSecret Use an existing secret to store the value of `signing.privateKey` -signing: +postgresql: enabled: false - gpgHome: /data/git/.gnupg - privateKey: "" - # privateKey: |- - # -----BEGIN PGP 
PRIVATE KEY BLOCK----- - # ... - # -----END PGP PRIVATE KEY BLOCK----- - existingSecret: "" -## @section Gitea -# -gitea: - ## @param gitea.admin.username Username for the Forgejo admin user - ## @param gitea.admin.existingSecret Use an existing secret to store admin user credentials - ## @param gitea.admin.password Password for the Forgejo admin user - ## @param gitea.admin.email Email for the Forgejo admin user - ## @param gitea.admin.passwordMode Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated - admin: - # existingSecret: gitea-admin-secret - username: gitea_admin - password: r8sA8CPHD9!bt6d - email: "gitea@local.domain" - passwordMode: keepUpdated - - ## @param gitea.metrics.enabled Enable Forgejo metrics - ## @param gitea.metrics.serviceMonitor.enabled Enable Forgejo metrics service monitor - metrics: - enabled: false - serviceMonitor: - enabled: false - # additionalLabels: - # prometheus-release: prom1 - - ## @param gitea.ldap LDAP configuration - ldap: - [] - # - name: "LDAP 1" - # existingSecret: - # securityProtocol: - # host: - # port: - # userSearchBase: - # userFilter: - # adminFilter: - # emailAttribute: - # bindDn: - # bindPassword: - # usernameAttribute: - # publicSSHKeyAttribute: - - # Either specify inline `key` and `secret` or refer to them via `existingSecret` - ## @param gitea.oauth OAuth configuration - oauth: - [] - # - name: 'OAuth 1' - # provider: - # key: - # secret: - # existingSecret: - # autoDiscoverUrl: - # useCustomUrls: - # customAuthUrl: - # customTokenUrl: - # customProfileUrl: - # customEmailUrl: - - ## @param gitea.additionalConfigSources Additional configuration from secret or configmap - additionalConfigSources: [] - # - secret: - # secretName: gitea-app-ini-oauth - # - configMap: - # name: gitea-app-ini-plaintext - - ## @param gitea.additionalConfigFromEnvs Additional configuration sources from environment variables - additionalConfigFromEnvs: [] - - 
## @param gitea.podAnnotations Annotations for the Forgejo pod - podAnnotations: {} - - ## @param gitea.ssh.logLevel Configure OpenSSH's log level. Only available for root-based Forgejo image. - ssh: - logLevel: "INFO" - - ## @section `app.ini` overrides - ## @descriptionStart - ## - ## Every value described in the [Cheat - ## Sheet](https://forgejo.org/docs/latest/admin/config-cheat-sheet/) can be - ## set as a Helm value. Configuration sections map to (lowercased) YAML - ## blocks, while the keys themselves remain in all caps. - ## - ## @descriptionEnd - config: - # values in the DEFAULT section - # (https://forgejo.org/docs/latest/admin/config-cheat-sheet/#overall-default) - # are un-namespaced - - ## @param gitea.config.APP_NAME Application name, used in the page title - APP_NAME: "Forgejo: Beyond coding. We forge." - - ## @param gitea.config.RUN_MODE Application run mode, affects performance and debugging: `dev` or `prod` - RUN_MODE: prod - - ## @param gitea.config.repository General repository settings - repository: {} - - ## @param gitea.config.cors Cross-origin resource sharing settings - cors: {} - - ## @param gitea.config.ui User interface settings - ui: {} - - ## @param gitea.config.markdown Markdown parser settings - markdown: {} - - ## @param gitea.config.server [object] General server settings - server: - SSH_PORT: 22 # rootful image - SSH_LISTEN_PORT: 2222 # rootless image - - ## @param gitea.config.database Database configuration (only necessary with an [externally managed DB](https://code.forgejo.org/forgejo-helm/forgejo-helm#external-database)). 
- database: {} - - ## @param gitea.config.indexer Settings for what content is indexed and how - indexer: {} - - ## @param gitea.config.queue Job queue configuration - queue: {} - - ## @param gitea.config.admin Admin user settings - admin: {} - - ## @param gitea.config.security Site security settings - security: {} - - ## @param gitea.config.camo Settings for the [camo](https://github.com/cactus/go-camo) media proxy server (disabled by default) - camo: {} - - ## @param gitea.config.openid Configuration for authentication with OpenID (disabled by default) - openid: {} - - ## @param gitea.config.oauth2_client OAuth2 client settings - oauth2_client: {} - - ## @param gitea.config.service Configuration for miscellaneous Forgejo services - service: {} - - ## @param gitea.config.ssh.minimum_key_sizes SSH minimum key sizes - ssh.minimum_key_sizes: {} - - ## @param gitea.config.webhook Webhook settings - webhook: {} - - ## @param gitea.config.mailer Mailer configuration (disabled by default) - mailer: {} - - ## @param gitea.config.email.incoming Configuration for handling incoming mail (disabled by default) - email.incoming: {} - - ## @param gitea.config.cache Cache configuration - cache: {} - - ## @param gitea.config.session Session/cookie handling - session: {} - - ## @param gitea.config.picture User avatar settings - picture: {} - - ## @param gitea.config.project Project board defaults - project: {} - - ## @param gitea.config.attachment Issue and PR attachment configuration - attachment: {} - - ## @param gitea.config.log Logging configuration - log: {} - - ## @param gitea.config.cron Cron job configuration - cron: {} - - ## @param gitea.config.git Global settings for Git - git: {} - - ## @param gitea.config.metrics Settings for the Prometheus endpoint (disabled by default) - metrics: {} - - ## @param gitea.config.api Settings for the Swagger API documentation endpoints - api: {} - - ## @param gitea.config.oauth2 Settings for the [OAuth2 
provider](https://forgejo.org/docs/latest/admin/oauth2-provider/) - oauth2: {} - - ## @param gitea.config.i18n Internationalization settings - i18n: {} - - ## @param gitea.config.markup Configuration for advanced markup processors - markup: {} - - ## @param gitea.config.highlight.mapping File extension to language mapping overrides for syntax highlighting - highlight.mapping: {} - - ## @param gitea.config.time Locale settings - time: {} - - ## @param gitea.config.migrations Settings for Git repository migrations - migrations: {} - - ## @param gitea.config.federation Federation configuration - federation: {} - - ## @param gitea.config.packages Package registry settings - packages: {} - - ## @param gitea.config.mirror Configuration for repository mirroring - mirror: {} - - ## @param gitea.config.lfs Large File Storage configuration - lfs: {} - - ## @param gitea.config.repo-avatar Repository avatar storage configuration - repo-avatar: {} - - ## @param gitea.config.avatar User/org avatar storage configuration - avatar: {} - - ## @param gitea.config.storage General storage settings - storage: {} - - ## @param gitea.config.proxy Proxy configuration (disabled by default) - proxy: {} - - ## @param gitea.config.actions Configuration for [Forgejo Actions](https://forgejo.org/docs/latest/user/actions/) - actions: {} - - ## @param gitea.config.other Uncategorized configuration options - other: {} - - ## @section LivenessProbe - # - ## @param gitea.livenessProbe.enabled Enable liveness probe - ## @param gitea.livenessProbe.tcpSocket.port Port to probe for liveness - ## @param gitea.livenessProbe.initialDelaySeconds Initial delay before liveness probe is initiated - ## @param gitea.livenessProbe.timeoutSeconds Timeout for liveness probe - ## @param gitea.livenessProbe.periodSeconds Period for liveness probe - ## @param gitea.livenessProbe.successThreshold Success threshold for liveness probe - ## @param gitea.livenessProbe.failureThreshold Failure threshold for liveness probe - 
# Modify the liveness probe for your needs or completely disable it by commenting out. - livenessProbe: - enabled: true - tcpSocket: - port: http - initialDelaySeconds: 200 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 10 - - ## @section ReadinessProbe - # - ## @param gitea.readinessProbe.enabled Enable readiness probe - ## @param gitea.readinessProbe.tcpSocket.port Port to probe for readiness - ## @param gitea.readinessProbe.initialDelaySeconds Initial delay before readiness probe is initiated - ## @param gitea.readinessProbe.timeoutSeconds Timeout for readiness probe - ## @param gitea.readinessProbe.periodSeconds Period for readiness probe - ## @param gitea.readinessProbe.successThreshold Success threshold for readiness probe - ## @param gitea.readinessProbe.failureThreshold Failure threshold for readiness probe - # Modify the readiness probe for your needs or completely disable it by commenting out. - readinessProbe: - enabled: true - tcpSocket: - port: http - initialDelaySeconds: 5 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - - # # Uncomment the startup probe to enable and modify it for your needs. 
- ## @section StartupProbe - # - ## @param gitea.startupProbe.enabled Enable startup probe - ## @param gitea.startupProbe.tcpSocket.port Port to probe for startup - ## @param gitea.startupProbe.initialDelaySeconds Initial delay before startup probe is initiated - ## @param gitea.startupProbe.timeoutSeconds Timeout for startup probe - ## @param gitea.startupProbe.periodSeconds Period for startup probe - ## @param gitea.startupProbe.successThreshold Success threshold for startup probe - ## @param gitea.startupProbe.failureThreshold Failure threshold for startup probe - startupProbe: - enabled: false - tcpSocket: - port: http - initialDelaySeconds: 60 - timeoutSeconds: 1 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 10 - -## @section Redis® Cluster -## @descriptionStart -## Redis® Cluster is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/redis-cluster) if enabled in the values. -## Complete Configuration can be taken from their website. -## Redis cluster and [Redis](#redis) cannot be enabled at the same time. -## @descriptionEnd -# -## @param redis-cluster.enabled Enable redis cluster -## @param redis-cluster.usePassword Whether to use password authentication -## @param redis-cluster.cluster.nodes Number of redis cluster master nodes -## @param redis-cluster.cluster.replicas Number of redis cluster master node replicas +# TODO: Fix Redis properly redis-cluster: enabled: true - usePassword: false - cluster: - nodes: 3 # default: 6 - replicas: 0 # default: 1 -## @section Redis® -## @descriptionStart -## Redis® is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/redis) if enabled in the values. -## Complete Configuration can be taken from their website. -## Redis and [Redis cluster](#redis-cluster) cannot be enabled at the same time. 
-## @descriptionEnd -# -## @param redis.enabled Enable redis standalone or replicated -## @param redis.architecture Whether to use standalone or replication -## @param redis.global.redis.password Required password -## @param redis.master.count Number of Redis master instances to deploy -redis: - enabled: false - architecture: standalone - global: - redis: - password: changeme - master: - count: 1 - -## @section PostgreSQL HA -## @descriptionStart -## PostgreSQL HA is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha) if enabled in the values. -## Complete Configuration can be taken from their website. -## @descriptionEnd -# -## @param postgresql-ha.enabled Enable PostgreSQL HA chart -## @param postgresql-ha.postgresql.password Password for the `gitea` user (overrides `auth.password`) -## @param postgresql-ha.global.postgresql.database Name for a custom database to create (overrides `auth.database`) -## @param postgresql-ha.global.postgresql.username Name for a custom user to create (overrides `auth.username`) -## @param postgresql-ha.global.postgresql.password Name for a custom password to create (overrides `auth.password`) -## @param postgresql-ha.postgresql.repmgrPassword Repmgr Password -## @param postgresql-ha.postgresql.postgresPassword postgres Password -## @param postgresql-ha.pgpool.adminPassword pgpool adminPassword -## @param postgresql-ha.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`) -## @param postgresql-ha.primary.persistence.size PVC Storage Request for PostgreSQL HA volume -postgresql-ha: - global: - postgresql: - database: gitea - password: gitea - username: gitea - enabled: false - postgresql: - repmgrPassword: changeme2 - postgresPassword: changeme1 - password: changeme4 - pgpool: - adminPassword: changeme3 - service: - ports: - postgresql: 5432 - primary: - persistence: - size: 10Gi - -## @section PostgreSQL -## @descriptionStart -## PostgreSQL is 
loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) if enabled in the values. -## Complete Configuration can be taken from their website. -## @descriptionEnd -# -## @param postgresql.enabled Enable PostgreSQL -## @param postgresql.global.postgresql.auth.password Password for the `gitea` user (overrides `auth.password`) -## @param postgresql.global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`) -## @param postgresql.global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`) -## @param postgresql.global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`) -## @param postgresql.primary.persistence.size PVC Storage Request for PostgreSQL volume -postgresql: - enabled: true - global: - postgresql: - auth: - password: gitea - database: gitea - username: gitea - service: - ports: - postgresql: 5432 - primary: - persistence: - size: 10Gi - -# By default, removed or moved settings that still remain in a user defined values.yaml will cause Helm to fail running the install/update. -# Set it to false to skip this basic validation check. -## @section Advanced -## @param checkDeprecation Set it to false to skip this basic validation check. -## @param test.enabled Set it to false to disable test-connection Pod. -## @param test.image.name Image name for the wget container used in the test-connection Pod. -## @param test.image.tag Image tag for the wget container used in the test-connection Pod. -checkDeprecation: true -test: - enabled: true - image: - name: busybox - tag: latest - -## @param extraDeploy Array of extra objects to deploy with the release -## -extraDeploy: [] +gitea: + config: + server: + LFS_START_SERVER: true diff --git a/kubernetes/services/hcaptcha/hcaptcha/ingress.yml b/kubernetes/services/hcaptcha/hcaptcha/ingress.yml new file mode 100644 index 0000000..750e6e3 --- /dev/null 
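Review bot: Enabling `postgresql-ha` while setting only `diagnosticMode` and `postgresql.image.tag` leaves every credential key unset, so the bundled database and pgpool come up with chart defaults — the removed lines show those as `password: gitea` for the global user and `changeme1`…`changeme4` for `postgresPassword`, `repmgrPassword`, `password` and `pgpool.adminPassword` — and the Forgejo admin user likewise keeps the chart-default `gitea.admin.password` now that the override was dropped, unless an overlay or `gitea.admin.existingSecret` (present as a commented example in the old file) supplies them. If nothing else sets them, the `postgresql-ha` passwords and the admin credentials should come from a Secret rather than stay at well-known defaults; I can't tell from this hunk whether another values file does that. The context lines still carry `- host: git.example.com`, which looks like the chart placeholder rather than the real ingress host, and `# TODO: Fix Redis properly` now sits above a `redis-cluster` block whose `usePassword: false` line was removed, so password-less Redis is presumably still what the chart defaults to there. Quoting the pinned tag, `tag: "16.4.0-debian-12-r34"`, would match the chart's own `tag: ""` style and protect against any future numeric-looking tag.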
+++ b/kubernetes/services/hcaptcha/hcaptcha/ingress.yml
@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: hcaptcha-terah-dev-ingress
+ namespace: hcaptcha
+spec:
+ rules:
+ - host: mcaptcha.terah.dev
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: hcaptcha-terah-dev
+ port:
+ name: web
diff --git a/kubernetes/services/hcaptcha/hcaptcha/project.ini b/kubernetes/services/hcaptcha/hcaptcha/project.ini
new file mode 100644
index 0000000..936667f
--- /dev/null
+++ b/kubernetes/services/hcaptcha/hcaptcha/project.ini
@@ -0,0 +1,26 @@
+[meta]
+format_ver = 1
+
+[hcaptcha.terah.dev_website]
+depends_on = traefik:hcaptcha_postgres:hcaptcha_secrets
+mode = k3s
+
+[#hcaptcha.terah.dev_website/k3s]
+mode = install
+yml_path = ./website.yml
+
+[hcaptcha.terah.dev_service]
+depends_on = hcaptcha.terah.dev_website
+mode = k3s
+
+[#hcaptcha.terah.dev_service/k3s]
+mode = install
+yml_path = ./service.yml
+
+[hcaptcha.terah.dev_ingress]
+depends_on = hcaptcha.terah.dev_website
+mode = k3s
+
+[#hcaptcha.terah.dev_ingress/k3s]
+mode = install
+yml_path = ./ingress.yml
diff --git a/kubernetes/services/hcaptcha/hcaptcha/service.yml b/kubernetes/services/hcaptcha/hcaptcha/service.yml
new file mode 100644
index 0000000..041c730
--- /dev/null
+++ b/kubernetes/services/hcaptcha/hcaptcha/service.yml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: hcaptcha-terah-dev
+ namespace: hcaptcha
+spec:
+ ports:
+ - name: web
+ port: 80
+ targetPort: web
+ selector:
+ app: hcaptcha-terah-dev
diff --git a/kubernetes/services/hcaptcha/hcaptcha/website.yml b/kubernetes/services/hcaptcha/hcaptcha/website.yml
new file mode 100644
index 0000000..f138508
--- /dev/null
+++ b/kubernetes/services/hcaptcha/hcaptcha/website.yml
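Review bot: `spec.tls` is absent from the new Ingress, so unless Traefik's entrypoint terminates TLS and redirects HTTP on its own, `mcaptcha.terah.dev` — and the session cookie that `MCAPTCHA__server_COOKIE_SECRET` in website.yml signs — is served over plain HTTP; the same applies to `www/terah.dev/ingress.yml` later in this diff. If TLS is meant to be handled per Ingress, a `tls:` entry naming the host and its certificate Secret belongs here, e.g. `tls:` / `- hosts: [mcaptcha.terah.dev]` / `  secretName: <cert-secret-placeholder>`. No `ingressClassName` is set either, so the object relies on a cluster default class being configured. Also note the object is named `hcaptcha-terah-dev-ingress` while the host is `mcaptcha.terah.dev`; nothing breaks, but the hcaptcha/mcaptcha mix across these files will confuse later readers.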
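Review bot: `depends_on = traefik:hcaptcha_postgres:hcaptcha_secrets` references `hcaptcha_secrets`, but no project in this diff defines it — `hcaptcha/project.ini` includes only the namespace, postgres, redis and app projects, and the `hcaptcha-secrets` Secret that website.yml reads via `secretKeyRef` is not created anywhere here. Keeping the Secret out of the repository is the right call, so presumably it is defined in a file outside this commit; if it is not, the dependency will not resolve and the Deployment will sit unschedulable with its env refs unsatisfied. A one-line comment above the dependency naming where `hcaptcha_secrets` comes from would save the next reader the search.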
@@ -0,0 +1,46 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: hcaptcha-terah-dev
+ namespace: hcaptcha
+ labels:
+ app: hcaptcha-terah-dev
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: hcaptcha-terah-dev
+ template:
+ metadata:
+ labels:
+ app: hcaptcha-terah-dev
+ spec:
+ containers:
+ - name: http
+ image: mcaptcha/mcaptcha:latest
+ env:
+ - name: RUST_LOG
+ value: debug
+ - name: MCAPTCHA_allow_registration
+ value: "false"
+ - name: MCAPTCHA_server_DOMAIN
+ value: "mcaptcha.terah.dev"
+ - name: DATABASE_URL
+ value: postgres://hcaptcha:hcaptcha@postgres-postgresql:5432/hcaptcha
+ - name: MCAPTCHA_redis_URL
+ value: redis://redis-master
+ - name: PORT
+ value: "80"
+ - name: MCAPTCHA_captcha_SALT
+ valueFrom:
+ secretKeyRef:
+ name: hcaptcha-secrets
+ key: captcha-salt
+ - name: MCAPTCHA__server_COOKIE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: hcaptcha-secrets
+ key: cookie-secret
+ ports:
+ - name: web
+ containerPort: 80
diff --git a/kubernetes/services/hcaptcha/namespace.yml b/kubernetes/services/hcaptcha/namespace.yml
new file mode 100644
index 0000000..135bc8b
--- /dev/null
+++ b/kubernetes/services/hcaptcha/namespace.yml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: hcaptcha
diff --git a/kubernetes/services/hcaptcha/postgres/postgres.yml b/kubernetes/services/hcaptcha/postgres/postgres.yml
new file mode 100644
index 0000000..bf593fc
--- /dev/null
+++ b/kubernetes/services/hcaptcha/postgres/postgres.yml
@@ -0,0 +1,13 @@
+global:
+ postgresql:
+ auth:
+ username: hcaptcha
+ database: hcaptcha
+ password: hcaptcha
+primary:
+ persistence:
+ enabled: true
+ storageClass: longhorn
+ resources:
+ limits:
+ memory: 1024Mi
diff --git a/kubernetes/services/hcaptcha/postgres/project.ini b/kubernetes/services/hcaptcha/postgres/project.ini
new file mode 100644
index 0000000..c71fd59
--- /dev/null
+++ b/kubernetes/services/hcaptcha/postgres/project.ini
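Review bot: `DATABASE_URL` carries the database password inline in the Deployment (`postgres://hcaptcha:hcaptcha@postgres-postgresql:5432/hcaptcha`) while the salt and cookie secret right below it come from the `hcaptcha-secrets` Secret; the URL should be sourced the same way, via `valueFrom.secretKeyRef`, so the credential is neither committed in plaintext nor readable by anyone who can list Deployments in the namespace. Two further points in the same env block: `image: mcaptcha/mcaptcha:latest` is unpinned, unlike `ghcr.io/imterah/personal-www:v1.0.2` in www/terah.dev/website.yml, so deploys are not reproducible and image changes arrive unreviewed; and `MCAPTCHA__server_COOKIE_SECRET` uses a double underscore where every other variable uses one — I can't tell from here which form mCaptcha reads, but if it expects the single-underscore form the cookie secret is silently ignored, so that is worth confirming. `RUST_LOG: debug` on an internet-facing service will log generously; `info` is the usual setting once it is stable. The container also has no `resources` and no `securityContext` (`runAsNonRoot`, `allowPrivilegeEscalation: false`), which is the same gap as in the www Deployment.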
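Review bot: `password: hcaptcha` puts the database credential in a committed values file, and it is the same value that website.yml embeds in `DATABASE_URL`. The Bitnami chart can take the credentials from an existing Secret instead (its `auth.existingSecret` option), which keeps the repository free of the value and lets it be rotated without a commit. Separately, `primary.resources` sets a memory `limits` entry with no `requests`, so the request defaults to the limit; that is fine if intended, but an explicit `requests:` block makes the scheduling intent clear.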
@@ -0,0 +1,14 @@
+[meta]
+format_ver = 1
+
+[hcaptcha_postgres]
+description = Postgres configuration for hcaptcha
+mode = helm
+depends_on = hcaptcha_namespace
+
+[#hcaptcha_postgres/helm]
+mode = upgrade
+name = postgres
+repo = oci://registry-1.docker.io/bitnamicharts/postgresql
+options_file = ./postgres.yml
+namespace = hcaptcha
diff --git a/kubernetes/services/hcaptcha/project.ini b/kubernetes/services/hcaptcha/project.ini
new file mode 100644
index 0000000..1d0f334
--- /dev/null
+++ b/kubernetes/services/hcaptcha/project.ini
@@ -0,0 +1,23 @@
+[meta]
+format_ver = 1
+
+[hcaptcha_namespace]
+description = Namespace for hCaptcha to reside in
+mode = k3s
+depends_on = traefik:nfs_provisioner
+
+[#hcaptcha_namespace/k3s]
+mode = install
+yml_path = ./namespace.yml
+
+[hcaptcha_db_project]
+mode = include
+path = ./postgres/project.ini
+
+[hcaptcha_cache_project]
+mode = include
+path = ./redis/project.ini
+
+[hcaptcha_app_project]
+mode = include
+path = ./hcaptcha/project.ini
diff --git a/kubernetes/services/hcaptcha/redis/project.ini b/kubernetes/services/hcaptcha/redis/project.ini
new file mode 100644
index 0000000..21322ce
--- /dev/null
+++ b/kubernetes/services/hcaptcha/redis/project.ini
@@ -0,0 +1,14 @@
+[meta]
+format_ver = 1
+
+[hcaptcha_redis]
+description = Postgres configuration for hcaptcha
+mode = helm
+depends_on = hcaptcha_namespace
+
+[#hcaptcha_redis/helm]
+mode = upgrade
+name = redis
+repo = oci://registry-1.docker.io/bitnamicharts/redis
+options_file = ./redis.yml
+namespace = hcaptcha
diff --git a/kubernetes/services/hcaptcha/redis/redis.yml b/kubernetes/services/hcaptcha/redis/redis.yml
new file mode 100644
index 0000000..588e4ae
--- /dev/null
+++ b/kubernetes/services/hcaptcha/redis/redis.yml
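Review bot: `description = Postgres configuration for hcaptcha` in `[hcaptcha_redis]` is copied from the postgres project; it should read `description = Redis configuration for hcaptcha`. Neither this project nor `[#hcaptcha_postgres/helm]` pins a chart version for the `oci://registry-1.docker.io/bitnamicharts/...` repos, so each `upgrade` pulls whatever chart version is current at run time; if the ini format supports a version key, pinning it would keep chart upgrades deliberate — I can't tell from these files whether it does.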
@@ -0,0 +1,16 @@
+image:
+ repository: mcaptcha/cache
+ tag: v0.1.0
+global:
+ security:
+ allowInsecureImages: true
+master:
+ command:
+ ["redis-server", "--loadmodule", "/usr/lib/redis/modules/libcache.so"]
+ persistence:
+ enabled: true
+ storageClass: longhorn
+auth:
+ enabled: false
+replica:
+ replicaCount: 0
diff --git a/kubernetes/services/project.ini b/kubernetes/services/project.ini
index a75edfe..54fc244 100644
--- a/kubernetes/services/project.ini
+++ b/kubernetes/services/project.ini
@@ -32,3 +32,11 @@ path = ./immich/project.ini
 [matrix_dendrite_personal_project]
 mode = include
 path = ./matrix-dendrite-personal/project.ini
+
+[website_projects]
+mode = include
+path = ./www/project.ini
+
+[hcaptcha_projects]
+mode = include
+path = ./hcaptcha/project.ini
diff --git a/kubernetes/services/tailscale/connectors.yml b/kubernetes/services/tailscale/connectors.yml
index 9ede1e8..0618c5b 100644
--- a/kubernetes/services/tailscale/connectors.yml
+++ b/kubernetes/services/tailscale/connectors.yml
@@ -8,5 +8,6 @@ spec:
 advertiseRoutes:
 - "10.0.0.0/24"
 - "192.168.0.0/24"
+ - "192.168.1.0/24"
 - "192.168.2.0/24"
 exitNode: true
diff --git a/kubernetes/services/www/project.ini b/kubernetes/services/www/project.ini
new file mode 100644
index 0000000..5571352
--- /dev/null
+++ b/kubernetes/services/www/project.ini
@@ -0,0 +1,6 @@
+[meta]
+format_ver = 1
+
+[terah.dev]
+mode = include
+path = ./terah.dev/project.ini
diff --git a/kubernetes/services/www/terah.dev/ingress.yml b/kubernetes/services/www/terah.dev/ingress.yml
new file mode 100644
index 0000000..cd1d700
--- /dev/null
+++ b/kubernetes/services/www/terah.dev/ingress.yml
@@ -0,0 +1,16 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: www-terah-dev-ingress
+spec:
+ rules:
+ - host: terah.dev
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: www-terah-dev
+ port:
+ name: web
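Review bot: `auth.enabled: false` in `redis.yml` deploys the cache with no authentication, so any workload that can reach the `redis-master` service gets full read/write access (the credential-less `redis://redis-master` URL in the app Deployment shows this is deliberate), and nothing in this commit adds a NetworkPolicy to narrow that reach. The Bitnami chart supports `auth.existingSecret` / `auth.existingSecretPasswordKey`, which would let the password live in the same Secret the app already reads and be carried in `MCAPTCHA_redis_URL` via a `secretKeyRef`; if auth has to stay off because of the custom module image, a NetworkPolicy restricting ingress to the mCaptcha pods is the minimum. `global.security.allowInsecureImages: true` disables the chart's check that the image is a Bitnami one; a comment such as `# non-Bitnami image: ships the mCaptcha libcache.so module loaded via master.command` would record why the bypass is needed.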
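Review bot: The `terah.dev` Ingress in `ingress.yml` has no `tls:` block and no `spec.ingressClassName`, so it publishes the site over plain HTTP through whichever class the cluster defaults to. Unless Traefik already forces HTTPS on its entrypoint (not visible here), add a `tls:` entry naming the certificate Secret for `terah.dev` (plus the issuer annotation the cluster uses, if any) and set `ingressClassName` explicitly so the resource does not depend on the default-class setting.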
diff --git a/kubernetes/services/www/terah.dev/project.ini b/kubernetes/services/www/terah.dev/project.ini
new file mode 100644
index 0000000..1c5f411
--- /dev/null
+++ b/kubernetes/services/www/terah.dev/project.ini
@@ -0,0 +1,26 @@
+[meta]
+format_ver = 1
+
+[terah.dev_website]
+depends_on = traefik
+mode = k3s
+
+[#terah.dev_website/k3s]
+mode = install
+yml_path = ./website.yml
+
+[terah.dev_service]
+depends_on = terah.dev_website
+mode = k3s
+
+[#terah.dev_service/k3s]
+mode = install
+yml_path = ./service.yml
+
+[terah.dev_ingress]
+depends_on = terah.dev_website
+mode = k3s
+
+[#terah.dev_ingress/k3s]
+mode = install
+yml_path = ./ingress.yml
diff --git a/kubernetes/services/www/terah.dev/service.yml b/kubernetes/services/www/terah.dev/service.yml
new file mode 100644
index 0000000..ea2a781
--- /dev/null
+++ b/kubernetes/services/www/terah.dev/service.yml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: www-terah-dev
+spec:
+ ports:
+ - name: web
+ port: 80
+ targetPort: web
+ selector:
+ app: www-terah-dev
diff --git a/kubernetes/services/www/terah.dev/website.yml b/kubernetes/services/www/terah.dev/website.yml
new file mode 100644
index 0000000..7e73717
--- /dev/null
+++ b/kubernetes/services/www/terah.dev/website.yml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: www-terah-dev
+ labels:
+ app: www-terah-dev
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: www-terah-dev
+ template:
+ metadata:
+ labels:
+ app: www-terah-dev
+ spec:
+ containers:
+ - name: http
+ image: ghcr.io/imterah/personal-www:v1.0.2
+ ports:
+ - name: web
+ containerPort: 80
