From 7106bf5e14aa3fd8a2438d4c421ce04bd10d1fe8 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Fri, 29 Mar 2024 15:49:34 +0100
Subject: [PATCH] migrate forgejo to kubernetes
---
docker_swarm/playbooks/stacks.yml | 1 -
.../roles/traefik/docker-stack.yml.j2 | 6 +
nix/flake/kubenix/default.nix | 1 +
nix/flake/kubenix/forgejo.nix | 231 ++++++++++++++++++
.../networking/dmz_services/dnsmasq.nix | 1 +
5 files changed, 239 insertions(+), 1 deletion(-)
create mode 100644 nix/flake/kubenix/forgejo.nix
diff --git a/docker_swarm/playbooks/stacks.yml b/docker_swarm/playbooks/stacks.yml
index 3b2fd9e..13f0fad 100644
--- a/docker_swarm/playbooks/stacks.yml
+++ b/docker_swarm/playbooks/stacks.yml
@@ -3,6 +3,5 @@
hosts: manager roles: - {role: traefik, tags: traefik} - - {role: forgejo, tags: forgejo} - {role: swarm_dashboard, tags: swarm_dashboard} - {role: media, tags: media}
diff --git a/docker_swarm/roles/traefik/docker-stack.yml.j2 b/docker_swarm/roles/traefik/docker-stack.yml.j2
index 679b8d4..b289f56 100644
--- a/docker_swarm/roles/traefik/docker-stack.yml.j2
+++ b/docker_swarm/roles/traefik/docker-stack.yml.j2
@@ -114,6 +114,12 @@ services:
- traefik.http.routers.kitchenowl.rule=Host(`boodschappen.kun.is`) - traefik.http.routers.kitchenowl.tls=true - traefik.http.routers.kitchenowl.tls.certresolver=letsencrypt + + - traefik.http.routers.forgejo.entrypoints=websecure + - traefik.http.routers.forgejo.service=k3s@file + - traefik.http.routers.forgejo.rule=Host(`git.kun.is`) + - traefik.http.routers.forgejo.tls=true + - traefik.http.routers.forgejo.tls.certresolver=letsencrypt volumes: - type: bind source: /var/run/docker.sock
diff --git a/nix/flake/kubenix/default.nix b/nix/flake/kubenix/default.nix
index 54c9a1a..ff90232 100644
--- a/nix/flake/kubenix/default.nix
+++ b/nix/flake/kubenix/default.nix
@@ -18,6 +18,7 @@
# ./hedgedoc.nix ./paperless-ngx.nix ./kitchenowl.nix + ./forgejo.nix ]; kubernetes.kubeconfig = "~/.kube/config"; kubenix.project = "home";
diff --git a/nix/flake/kubenix/forgejo.nix b/nix/flake/kubenix/forgejo.nix
new file mode 100644
index 0000000..808fc17
--- /dev/null
+++ b/nix/flake/kubenix/forgejo.nix
@@ -0,0 +1,231 @@
+{
+ kubernetes.resources = {
+ configMaps = {
+ forgejo-config.data = {
+ # TODO: Generate from nix code.
+ config = ''
+ APP_NAME = Forgejo: Beyond coding. We forge.
+ RUN_MODE = prod
+ RUN_USER = git
+ WORK_PATH=/data/gitea
+
+ [repository]
+ ROOT = /data/git/repositories
+ DEFAULT_BRANCH = master
+
+ [repository.local]
+ LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+ [repository.upload]
+ TEMP_PATH = /data/gitea/uploads
+
+ [server]
+ APP_DATA_PATH = /data/gitea
+ DOMAIN = git.kun.is
+ SSH_DOMAIN = ssh.git.kun.is
+ HTTP_PORT = 3000
+ ROOT_URL = https://git.kun.is
+ DISABLE_SSH = false
+ SSH_PORT = 56287
+ SSH_LISTEN_PORT = 22
+ LFS_START_SERVER = true
+ LFS_JWT_SECRET = ref+file:///home/pim/.config/home/vals.yaml#/forgejo/lfsJwtSecret
+ OFFLINE_MODE = false
+
+ [database]
+ PATH = /data/gitea/gitea.db
+ DB_TYPE = sqlite3
+ HOST = localhost:3306
+ NAME = gitea
+ USER = root
+ PASSWD =
+ LOG_SQL = false
+ SCHEMA =
+ SSL_MODE = disable
+ CHARSET = utf8
+
+ [indexer]
+ ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+ ISSUE_INDEXER_TYPE = db
+
+ [session]
+ PROVIDER_CONFIG = /data/gitea/sessions
+ PROVIDER = file
+
+ [picture]
+ AVATAR_UPLOAD_PATH = /data/gitea/avatars
+ REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+ ENABLE_FEDERATED_AVATAR = false
+
+ [attachment]
+ PATH = /data/gitea/attachments
+
+ [log]
+ MODE = console
+ LEVEL = info
+ logger.router.MODE = console
+ ROOT_PATH = /data/gitea/log
+ logger.access.MODE=console
+
+ [security]
+ INSTALL_LOCK = true
+ SECRET_KEY =
+ REVERSE_PROXY_LIMIT = 1
+ REVERSE_PROXY_TRUSTED_PROXIES = *
+ INTERNAL_TOKEN = ref+file:///home/pim/.config/home/vals.yaml#/forgejo/internalToken
+ PASSWORD_HASH_ALGO = pbkdf2
+
+ [service]
+ DISABLE_REGISTRATION = true
+ REQUIRE_SIGNIN_VIEW = false
+ REGISTER_EMAIL_CONFIRM = false
+ ENABLE_NOTIFY_MAIL = false
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ ENABLE_CAPTCHA = false
+ DEFAULT_KEEP_EMAIL_PRIVATE = true
+ DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+ DEFAULT_ENABLE_TIMETRACKING = true
+ NO_REPLY_ADDRESS = noreply.localhost
+
+ [lfs]
+ PATH = /data/git/lfs
+
+ [mailer]
+ ENABLED = false
+
+ [openid]
+ ENABLE_OPENID_SIGNIN = true
+ ENABLE_OPENID_SIGNUP = false
+
+ [repository.pull-request]
+ DEFAULT_MERGE_STYLE = merge
+
+ [repository.signing]
+ DEFAULT_TRUST_MODEL = committer
+
+ [ui]
+ DEFAULT_THEME = forgejo-light
+
+ [oauth2]
+ ENABLE=false
+ '';
+ };
+
+ forgejo-env.data = {
+ USER_UID = "1000";
+ USER_GID = "1000";
+ };
+ };
+
+ deployments.forgejo = {
+ metadata.labels.app = "forgejo";
+
+ spec = {
+ selector.matchLabels.app = "forgejo";
+
+ template = {
+ metadata.labels.app = "forgejo";
+
+ spec = {
+ containers.forgejo = {
+ image = "codeberg.org/forgejo/forgejo:1.20";
+ envFrom = [{ configMapRef.name = "forgejo-env"; }];
+
+ ports = [
+ {
+ containerPort = 3000;
+ protocol = "TCP";
+ }
+ {
+ containerPort = 22;
+ protocol = "TCP";
+ }
+ ];
+
+ volumeMounts = [
+ {
+ name = "data";
+ mountPath = "/data";
+ }
+ {
+ name = "config";
+ mountPath = "/data/gitea/conf/app.ini";
+ subPath = "config";
+ }
+ ];
+ };
+
+ volumes = [
+ {
+ name = "data";
+ persistentVolumeClaim.claimName = "forgejo";
+ }
+ {
+ name = "config";
+ configMap.name = "forgejo-config";
+ }
+ ];
+ };
+ };
+ };
+ };
+
+ persistentVolumes.forgejo.spec = {
+ capacity.storage = "1Mi";
+ accessModes = [ "ReadWriteMany" ];
+
+ nfs = {
+ server = "lewis.hyp";
+ path = "/mnt/data/nfs/forgejo";
+ };
+ };
+
+ persistentVolumeClaims.forgejo.spec = {
+ accessModes = [ "ReadWriteMany" ];
+ storageClassName = "";
+ resources.requests.storage = "1Mi";
+ volumeName = "forgejo";
+ };
+
+ services = {
+ forgejo-web.spec = {
+ selector.app = "forgejo";
+
+ ports = [{
+ protocol = "TCP";
+ port = 80;
+ targetPort = 3000;
+ }];
+ };
+
+ forgejo-ssh.spec = {
+ type = "LoadBalancer";
+ loadBalancerIP = "192.168.30.132";
+ selector.app = "forgejo";
+
+ ports = [{
+ port = 56287;
+ targetPort = 22;
+ }];
+ };
+ };
+
+ ingresses.foregejo.spec = {
+ ingressClassName = "traefik";
+
+ rules = [{
+ host = "git.kun.is";
+
+ http.paths = [{
+ path = "/";
+ pathType = "Prefix";
+
+ backend.service = {
+ name = "forgejo-web";
+ port.number = 80;
+ };
+ }];
+ }];
+ };
+ };
+}
diff --git a/nix/modules/networking/dmz_services/dnsmasq.nix b/nix/modules/networking/dmz_services/dnsmasq.nix
index 794f0b3..78ab5a3 100644
--- a/nix/modules/networking/dmz_services/dnsmasq.nix
+++ b/nix/modules/networking/dmz_services/dnsmasq.nix
@@ -46,5 +46,6 @@ in
"/ns.pizzapim.nl/${cfg.dmz.ipv4.services}" "/ns.pizzapim.nl/${cfg.dmz.ipv6.services}" "/kms.kun.is/192.168.30.129" + "/ssh.git.kun.is/192.168.30.132" ]; }
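Review bot: `REVERSE_PROXY_TRUSTED_PROXIES = *` together with `REVERSE_PROXY_LIMIT = 1` tells Forgejo to honour X-Forwarded-For/X-Real-IP from any peer that can reach the cluster-internal forgejo-web service, so any workload in the cluster can choose the client address Forgejo records and may use for IP-based protections; restrict it to the ingress controller's address range, e.g. `REVERSE_PROXY_TRUSTED_PROXIES = <traefik pod/node CIDR>`. `SECRET_KEY =` is left empty while INTERNAL_TOKEN and LFS_JWT_SECRET are filled in via ref+file; if Forgejo generates a key on first start it has no writable app.ini to persist it in (the file is a ConfigMap subPath mount), so anything encrypted with it would presumably not survive a restart — worth confirming and injecting it the same way as the other two. Because the rendered app.ini then carries those tokens, it belongs in a Secret rather than the forgejo-config ConfigMap. The deployment sets no update strategy, so a rolling update briefly runs two pods against the same sqlite file on the shared NFS volume; `strategy.type = "Recreate";` under `spec` avoids that. `ingresses.foregejo.spec` is a typo that becomes the Ingress resource name; `ingresses.forgejo.spec = {` keeps it consistent with the other resources.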