migrate: gitea-dev (in-progress)

Author: uni-kakurenbo

gitea-dev/certificate.yaml

@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gitea-dev
+
+spec:
+  issuerRef:
+    kind: ClusterIssuer
+    name: dns-cluster-issuer
+  secretName: gitea-dev-tls
+  duration: 2160h0m0s # 90d
+  renewBefore: 720h0m0s # 30d
+  dnsNames:
+    - git-dev.trapti.tech

gitea-dev/config/app.ini

@@ -0,0 +1,99 @@
+APP_NAME = traP Gitea Develop
+RUN_MODE = prod
+WORK_PATH = /data/gitea
+
+[repository]
+ROOT = /data/git/repositories
+DISABLED_REPO_UNITS = repo.wiki
+
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+
+[server]
+APP_DATA_PATH = /data/gitea
+DOMAIN = git-dev.trapti.tech
+SSH_DOMAIN = git-dev.trapti.tech
+HTTP_PORT = 3000
+ROOT_URL = https://git-dev.trapti.tech/
+DISABLE_SSH = false
+SSH_PORT = 2200
+SSH_LISTEN_PORT = 2200
+LFS_START_SERVER = true
+START_SSH_SERVER = true
+
+[database]
+PATH = /data/gitea/gitea.db
+DB_TYPE = mysql
+HOST = private.kmbk.tokyotech.org:33060
+NAME = service_gitea_dev
+USER = service_gitea_dev
+LOG_SQL = false
+
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+
+[picture]
+AVATAR_UPLOAD_PATH = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+
+[attachment]
+PATH = /data/gitea/attachments
+
+[log]
+MODE = console
+LEVEL = Debug
+ROOT_PATH = /data/gitea/log
+
+[security]
+INSTALL_LOCK = true
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
+REVERSE_PROXY_AUTHENTICATION_EMAIL = X-Forwarded-User-Email
+REVERSE_PROXY_AUTHENTICATION_USER = X-Forwarded-User
+
+[service]
+DISABLE_REGISTRATION = true
+REQUIRE_SIGNIN_VIEW = true
+ENABLE_REVERSE_PROXY_AUTHENTICATION = false
+ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true
+NO_REPLY_ADDRESS = trap.jp
+ENABLE_REVERSE_PROXY_EMAIL = true
+DEFAULT_KEEP_EMAIL_PRIVATE = true
+DEFAULT_ORG_MEMBER_VISIBLE = true
+ENABLE_NOTIFY_MAIL = true
+ENABLE_BASIC_AUTHENTICATION = false
+
+[lfs]
+STORAGE_TYPE = minio
+MINIO_ENDPOINT = s3.ap-northeast-1.wasabisys.com
+MINIO_BUCKET = trap-gitea-dev
+MINIO_LOCATION = ap-northeast-1
+MINIO_USE_SSL = true
+MINIO_CHECKSUM_ALGORITHM = md5
+
+[actions]
+DEFAULT_ACTIONS_URL = github
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+
+[default]
+APP_NAME = traP Git Develop
+
+[mailer]
+ENABLED = true
+
+[metrics]
+ENABLED = true
+
+[oauth2]
+ENABLED = false
+
+[admin]
+USER_DISABLED_FEATURES = deletion,change_username,change_full_name

gitea-dev/deployment.yaml

@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: gitea-dev
+  name: gitea-dev
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: gitea-dev
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: gitea-dev
+    spec:
+      containers:
+        - env:
+            - name: USER_GID
+              value: "996"
+            - name: USER_UID
+              value: "996"
+          image: gitea-latest
+          name: gitea-dev
+          ports:
+            - containerPort: 3000
+              protocol: TCP
+            - containerPort: 2200
+              protocol: TCP
+          volumeMounts:
+            - name: gitea-dev-storage
+              mountPath: /data
+            - name: gitea-dev-config
+              mountPath: /app.ini
+      restartPolicy: Always
+      volumes:
+        - name: gitea-dev-storage
+          persistentVolumeClaim:
+            claimName: gitea-dev
+        - name: gitea-dev-config
+          configMap:
+            name: gitea-dev
+            items:
+            - key: app.ini
+              path: app.ini
+              mode: 0666

gitea-dev/ingress-route.yaml

@@ -0,0 +1,20 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitea-dev
+spec:
+  entryPoints:
+    - websecure
+  tls:
+    secretName: gitea-dev-tls
+  routes:
+    - kind: Rule
+      match: Host(`git-dev.trapti.tech`)
+      services:
+        - name: gitea-dev
+          port: 3000
+    - kind: Rule
+      match: Host(`git-dev.trapti.tech`)
+      services:
+        - name: gitea-dev
+          port: 2200

gitea-dev/ksops.yaml

@@ -0,0 +1,11 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: ksops
+  annotations:
+    config.kubernetes.io/function: |
+      exec:
+        path: ksops
+
+files:
+  - ./secrets/gitea-dev.yaml

gitea-dev/kustomization.yaml

@@ -0,0 +1,19 @@
+resources:
+- certificate.yaml
+- deployment.yaml
+- ingress-route.yaml
+- service.yaml
+- volume-storage.yaml
+
+images:
+- name: gitea-latest
+  newName: ghcr.io/traptitech/gitea
+  newTag: latest
+
+generators:
+  - ksops.yaml
+
+configMapGenerator:
+- name: gitea-dev
+  files:
+    - ./config/app.ini

gitea-dev/secrets/gitea-dev.yaml

@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: gitea-dev-secret
+    annotations:
+        kustomize.config.k8s.io/needs-hash: "true"
+stringData:
+    GITEA__server__LFS_JWT_SECRET: ENC[AES256_GCM,data:lpP9yggfBU7C953tI4HmPQK1Omcr9dXl2A2NlJQI8r0whJ3ZnXp4pf1QJw==,iv:BesPX2oosSwRZfMtTh1NGf7jjH4GtAqV71Xfg0Oybeg=,tag:SfawB+hlcXFJMr/FKOQ6NA==,type:str]
+    GITEA__database__PASSWD: ENC[AES256_GCM,data:mSj8U7fT8E/WFwvDL+zTaaAAYlEJmFTYgWfh6PoxJnw=,iv:9UvWElMtEenTWDX80TWSTfAQ+86zmcGn//FviUc9qUM=,tag:TV3Y3B/Pcr3+W26/SFF1nw==,type:str]
+    GITEA__security__SECRET_KEY: ENC[AES256_GCM,data:oTRNt/52ZU24qYovNxBBkOJFeMChUa5kWerOXorhoyIQFKBU9YNMTtXizTKuCnGyA7pmr0Ak79XUKxh6fakqVg==,iv:UidGRaAbbamad7m8WTwsnpGDykRya8XBDWHDqZ0lqq0=,tag:Yk5Hr5AV8Ak7c1fZoc8vdQ==,type:str]
+    GITEA__security__INTERNAL_TOKEN: ENC[AES256_GCM,data:8nVJclrXNVcj4bzsM0sTeXgWS0efcCcX/7s/6NQXKZ2mXVqpTIRQ8VO4AZGNxouOyHv1uApRJQjBMnsIXqCZvlSttTWGGZTmbdeww6Q1MLf9M5om1u1XngzC4uKkr/SlZxHizGodRPcK,iv:BRGnwEe2pPdtHZebpIWbg0H6W08UT6TP8LLZmBSH9UY=,tag:yAfQqOIvjZtFoFWXFFByKQ==,type:str]
+    GITEA__lfs__MINIO_ACCESS_KEY_ID: ENC[AES256_GCM,data:JhkdKHZsI3BPhVVNZo2WPL0Hqqg=,iv:izcJl5Y465qys/ujRTzHr7Xzoi+XzL3MNVscQ2y3AMY=,tag:hLdo4ZpeEwg9ECJj3cXPcw==,type:str]
+    GITEA__lfs__MINIO_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:AAyFxipxE3fk3QJ8hbLLw9RBHg4Yy0Z0vZsKF9jJaiUQOVTu//pREg==,iv:gU1/eUj8ugWjvPZvncNCtoPfsC+USwSfFOVvZrkPUdQ=,tag:6dXKZ5+EQ+mCXxnI/VwfGw==,type:str]
+    GITEA__oauth2__JWT_SECRET: ENC[AES256_GCM,data:wTtle6sapYVRfenjnuXlEU40yDu0luwya6a0xI/aZ2xNSn/ho3LeN+H8Hg==,iv:zoia7oqPPCIztz+dOqQnIG6j/Ng19vng9xegy9IiZZ0=,tag:K2OTdsuQlvCxL+oL6L5jBw==,type:str]
+sops:
+    age:
+        - recipient: age156red4ptw5huzpwlfnrukg4htuucdweu9jg8usjz98ggmeyedces3xqplq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0VElFWXRQM29VVDJtbHRn
+            UGFQcGxYRCtndnloODBmQ1dodHlSK244SDNJClJvK1k1bThnTS9CaG1yWUlLSi9m
+            enUxdHE5UERub25sdzBmMlF6VTM2d2cKLS0tIE96SDlpTlRnL043U2lMM3NZTVJz
+            Ky9xckxxNGtZd0Y3R2FCQ3NVdlFhQkEK81ftmIE1ly0qWcrcNGiXmB+vsqP/YfzL
+            cc2aIjkSgUaRQOoXusQMLsnXmYqsWKMWG9MP/exSgjvoWJerkUlTsQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-09-24T11:05:31Z"
+    mac: ENC[AES256_GCM,data:1NucylRUClTDhUTtZdzIvNAUXV7nmlLjtDCEusfDCeyTy48VE6KZz+spP8cCa3J9CIdIiu1n6LGuXqtZhVeFOvc4TQN2zQiYaqU+si+nEbmqLIUSM+m/w6ht/15QezYSlKmt1bNH2jp++0NXis3kfWnE4Y/Uo06O+xyD7HRwOlQ=,iv:+YTnp0vw8b525g41zziD5u2SA7tm0EPeEJRU8lXpc8g=,tag:RGvyG5oBkIAsW1r/R+Dbuw==,type:str]
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.10.2

gitea-dev/service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: gitea-dev
+  name: gitea-dev
+spec:
+  ports:
+    - name: "3000"
+      port: 3000
+      targetPort: 3000
+    - name: "2200"
+      port: 2200
+      targetPort: 2200
+  selector:
+    app: gitea-dev

gitea-dev/volume-storage.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app: gitea-dev-storage
+  name: gitea-dev-storage
+spec:
+  resources:
+    requests:
+      storage: 100Mi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce