feat: Gitea | activate internal tls

utility-services/gitea/server/index.ts

@@ -0,0 +1,110 @@
+import * as fs from "fs";
+import * as path from "path";
+import { Release } from "@cdktf/provider-helm/lib/release";
+import { Construct } from "constructs";
+
+import {
+  OnePasswordSecret,
+  PublicIngressRoute,
+  IngressRouteTcp,
+  PrivateCertificate,
+} from "../../../utils";
+import type { Providers } from "../../../types";
+
+type GiteaServerOptions = {
+  providers: Providers;
+  name: string;
+  namespace: string;
+  r2Endpoint: string;
+};
+
+export class GiteaServer extends Construct {
+  constructor(scope: Construct, id: string, options: GiteaServerOptions) {
+    super(scope, id);
+
+    const { kubernetes, helm } = options.providers;
+    const { name, namespace, r2Endpoint } = options;
+
+    new OnePasswordSecret(this, "admin", {
+      provider: kubernetes,
+      name: "gitea-admin",
+      namespace,
+      itemPath: "vaults/Lab/items/gitea-admin",
+    });
+
+    new OnePasswordSecret(this, "oauth", {
+      provider: kubernetes,
+      name: "gitea-oauth",
+      namespace,
+      itemPath: "vaults/Lab/items/gitea-oauth",
+    });
+
+    new OnePasswordSecret(this, "smtp", {
+      provider: kubernetes,
+      name: "gitea-smtp-token",
+      namespace,
+      itemPath: "vaults/Lab/items/smtp-token",
+    });
+
+    new OnePasswordSecret(this, "r2", {
+      provider: kubernetes,
+      name: "gitea-cloudflare-token",
+      namespace,
+      itemPath: "vaults/Lab/items/cloudflare",
+    });
+
+    new PrivateCertificate(this, "internal-cert", {
+      provider: kubernetes,
+      namespace,
+      name: "gitea-tls-internal",
+      secretName: "gitea-tls-internal",
+      dnsNames: [
+        "git.dogar.dev",
+        "gitea",
+        "gitea.homelab.svc",
+        "gitea.homelab.svc.cluster.local",
+      ],
+      usages: ["digital signature", "key encipherment", "server auth"],
+    });
+
+    new Release(this, id, {
+      ...options,
+      provider: helm,
+      repository: "https://dl.gitea.com/charts",
+      chart: "gitea",
+      namespace,
+      createNamespace: true,
+      set: [
+        {
+          name: "gitea.config.storage.MINIO_ENDPOINT",
+          value: r2Endpoint,
+        },
+      ],
+      values: [
+        fs.readFileSync(path.join(__dirname, "values.yaml"), {
+          encoding: "utf8",
+        }),
+      ],
+    });
+
+    new IngressRouteTcp(this, "ssh-ingress", {
+      provider: kubernetes,
+      namespace,
+      name,
+      match: "HostSNI(`*`)",
+      entryPoint: "ssh",
+      serviceName: `${name}-ssh`,
+      servicePort: 22,
+    });
+
+    new PublicIngressRoute(this, "http-ingress", {
+      provider: kubernetes,
+      namespace,
+      name,
+      host: "git.dogar.dev",
+      serviceName: `${name}-http`,
+      servicePort: 3000,
+      serviceProtocol: "https",
+    });
+  }
+}

utility-services/gitea/server/values.yaml

@@ -0,0 +1,201 @@
+global:
+  storageClass: longhorn
+podSecurityContext:
+  fsGroup: 1000
+  fsGroupChangePolicy: "OnRootMismatch"
+image:
+  rootless: false
+service:
+  http:
+    annotations:
+      metallb.universe.tf/allow-shared-ip: gitea
+  ssh:
+    annotations:
+      metallb.universe.tf/allow-shared-ip: gitea
+ingress:
+  enabled: false
+gitea:
+  podAnnotations:
+    prometheus.io/scrape: "true"
+    prometheus.io/port: "6060"
+  admin:
+    existingSecret: gitea-admin
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+      scheme: "https"
+      tlsConfig:
+        insecureSkipVerify: false
+        caFile: /internal-ca/ca.crt
+  config:
+    server:
+      ENABLE_PPROF: true
+      ENABLE_GZIP: true
+      LFS_START_SERVER: true
+      PROTOCOL: https
+      CERT_FILE: /certs/tls.crt
+      KEY_FILE: /certs/tls.key
+      ROOT_URL: https://git.dogar.dev/
+      SSH_DOMAIN: git.dogar.dev
+      DISABLE_SSH: false
+      SSH_LISTEN_PORT: 2222
+      SSH_PORT: 22
+    database:
+      DB_TYPE: postgres
+      HOST: postgres-cluster-rw
+      NAME: gitea
+      USER: gitea
+      SSL_MODE: verify-full
+    metrics:
+      ENABLED: true
+    cache:
+      ADAPTER: memory
+    session:
+      PROVIDER: db
+      PROVIDER_CONFIG: ""
+    queue:
+      TYPE: channel
+    storage:
+      STORAGE_TYPE: minio
+      MINIO_USE_SSL: true
+      MINIO_BUCKET_LOOKUP_STYLE: path
+      MINIO_LOCATION: auto
+    service:
+      DISABLE_REGISTRATION: true
+    oauth2_client:
+      ENABLE_AUTO_REGISTRATION: true
+    mailer:
+      ENABLED: true
+      PROTOCOL: smtp+starttls
+      SMTP_ADDR: smtp.protonmail.ch
+      SMTP_PORT: 587
+      FROM: git@dogar.dev
+    picture:
+      GRAVATAR_SOURCE: gravatar
+  oauth:
+    - name: "authentik"
+      provider: "openidConnect"
+      existingSecret: gitea-oauth
+      autoDiscoverUrl: "https://auth.dogar.dev/application/o/gitea/.well-known/openid-configuration"
+      iconUrl: "https://goauthentik.io/img/icon.png"
+      scopes: "email profile"
+  additionalConfigFromEnvs:
+    - name: GITEA__MAILER__PASSWD
+      valueFrom:
+        secretKeyRef:
+          name: gitea-smtp-token
+          key: gitea-password
+    - name: GITEA__PACKAGES__CHUNKED_UPLOAD_PATH
+      value: "/tmp/gitea-uploads"
+    - name: GITEA__PACKAGES__CHUNKED_UPLOAD_CONCURRENCY
+      value: "4"
+    - name: GITEA__STORAGE__MINIO_ACCESS_KEY_ID
+      valueFrom:
+        secretKeyRef:
+          name: gitea-cloudflare-token
+          key: access_key_id
+    - name: GITEA__STORAGE__MINIO_SECRET_ACCESS_KEY
+      valueFrom:
+        secretKeyRef:
+          name: gitea-cloudflare-token
+          key: secret_access_key
+  livenessProbe:
+    httpGet:
+      path: /api/healthz
+      port: 3000
+      scheme: HTTPS
+    initialDelaySeconds: 5
+    periodSeconds: 10
+  readinessProbe:
+    httpGet:
+      path: /api/healthz
+      port: 3000
+      scheme: HTTPS
+    initialDelaySeconds: 5
+    periodSeconds: 10
+  startupProbe:
+    httpGet:
+      path: /api/healthz
+      port: 3000
+      scheme: HTTPS
+    initialDelaySeconds: 5
+    periodSeconds: 10
+persistence:
+  labels:
+    recurring-job.longhorn.io/source: "enabled"
+    recurring-job.longhorn.io/daily-backup: "enabled"
+  enabled: true
+  size: 50Gi
+  accessModes:
+    - ReadWriteMany
+postExtraInitContainers:
+  - name: fix-gitea-ssh-perms
+    image: alpine:3
+    command:
+      - sh
+      - -c
+      - |
+        echo "Fixing /data/ssh permissions..."
+        mkdir -p /data/ssh
+        chown -R 1000:1000 /data/ssh
+        chmod 700 /data/ssh
+    volumeMounts:
+      - name: data
+        mountPath: /data
+deployment:
+  env:
+    - name: PGSSLMODE
+      value: verify-full
+    - name: PGSSLROOTCERT
+      value: /opt/gitea/.postgresql/root.crt
+    - name: PGSSLCERT
+      value: /opt/gitea/.postgresql/postgresql.crt
+    - name: PGSSLKEY
+      value: /opt/gitea/.postgresql/postgresql.key
+resources:
+  requests:
+    cpu: 100m
+    memory: 128Mi
+  limits:
+    cpu: 6
+    memory: 6Gi
+extraVolumes:
+  - name: ssl-bundle
+    projected:
+      sources:
+        - secret:
+            name: gitea-client-cert
+            items:
+              - key: tls.crt
+                path: postgresql.crt
+              - key: tls.key
+                path: postgresql.key
+                mode: 0600
+        - secret:
+            name: postgres-server-cert
+            items:
+              - key: ca.crt
+                path: root.crt
+  - name: gitea-tls-internal
+    secret:
+      secretName: gitea-tls-internal
+  - name: gitea-temp
+    emptyDir: {}
+extraInitVolumeMounts:
+  - name: ssl-bundle
+    mountPath: /opt/gitea/.postgresql
+    readOnly: true
+extraContainerVolumeMounts:
+  - name: ssl-bundle
+    mountPath: /opt/gitea/.postgresql
+    readOnly: true
+  - name: gitea-tls-internal
+    mountPath: /certs
+    readOnly: true
+  - name: gitea-temp
+    mountPath: /tmp/gitea-uploads
+postgresql-ha:
+  enabled: false
+valkey-cluster:
+  enabled: false