From dc81d91f398171df1fd42e629c8edcefd095aac8 Mon Sep 17 00:00:00 2001 From: Zoe Roux Date: Sun, 24 Aug 2025 17:00:07 +0200 Subject: [PATCH] Add gitea --- apps/gitea.yaml | 150 +++++++++++++++++++++++++++++++++++++ apps/openebs/volumes.yaml | 14 ++++ apps/postgres/cluster.yaml | 3 + 3 files changed, 167 insertions(+) create mode 100644 apps/gitea.yaml diff --git a/apps/gitea.yaml b/apps/gitea.yaml new file mode 100644 index 0000000..5cf12a2 --- /dev/null +++ b/apps/gitea.yaml 
@@ -0,0 +1,150 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: gitea + namespace: argocd +spec: + project: default + destination: + server: https://kubernetes.default.svc + namespace: gitea + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + source: + repoURL: https://dl.gitea.com/charts/ + chart: gitea + targetRevision: 12.2.0 + helm: + valuesObject: + gitea: + config: + database: + DB_TYPE: postgres + HOST: postgres-cluster-rw.postgres + NAME: gitea + USER: gitea + SSL_MODE: verify-full + service: + DISABLE_REGISTRATION: false + ALLOW_ONLY_EXTERNAL_REGISTRATION: true + SHOW_REGISTRATION_BUTTON: false + DEFAULT_ALLOW_CREATE_ORGANIZATION: false + DEFAULT_USER_IS_RESTRICTED: true + admin: + existingSecret: gitea-admin + oauth: + - name: authentik + existingSecret: gitea-oidc + provider: openidConnect + autoDiscoverUrl: https://authentik.sdg.moe/application/o/gitea/.well-known/openid-configuration + scopes: email profile + ingress: + enabled: true + className: cilium + annotations: + cert-manager.io/cluster-issuer: letsencrypt + acme.cert-manager.io/http01-edit-in-place: "true" + hosts: + - host: gitea.sdg.moe + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - gitea.sdg.moe + secretName: gitea-ssl + valkey-cluster: + enabled: false + postgresql-ha: + enabled: false + persistence: + enabled: true + claimName: gitea-projects + extraVolumes: + - name: postgres-ssl + secret: + defaultMode: 0640 + secretName: postgres-gitea + extraVolumeMounts: + - name: postgres-ssl + mountPath: /var/postgres-ssl + deployment: + env: + - name: PGSSLCERT + value: /var/postgres-ssl/tls.crt + - name: PGSSLKEY + value: /var/postgres-ssl/tls.key + - name: PGSSLROOTCERT + value: /var/postgres-ssl/ca.crt + extraDeploy: + - apiVersion: postgresql.cnpg.io/v1 + kind: Database + metadata: + name: gitea-db + namespace: postgres + spec: + name: gitea + owner: gitea + schemas: + - name: gitea + owner: gitea + 
cluster: + name: postgres-cluster + databaseReclaimPolicy: delete + + - apiVersion: cert-manager.io/v1 + kind: Certificate + metadata: + name: postgres-gitea + spec: + secretName: postgres-gitea + usages: + - client auth + # same as pg user + commonName: gitea + issuerRef: + name: postgres-ca + kind: ClusterIssuer + group: cert-manager.io + + - apiVersion: external-secrets.io/v1 + kind: ExternalSecret + metadata: + name: gitea-admin + spec: + refreshPolicy: CreatedOnce + target: + template: + type: kubernetes.io/basic-auth + engineVersion: v2 + data: + username: "{{ `{{ .uuid }}` }}" + password: "{{ `{{ .password }}` }}" + dataFrom: + - sourceRef: + generatorRef: + apiVersion: generators.external-secrets.io/v1alpha1 + kind: ClusterGenerator + name: uuid + - sourceRef: + generatorRef: + apiVersion: generators.external-secrets.io/v1alpha1 + kind: ClusterGenerator + name: password + + - apiVersion: external-secrets.io/v1 + kind: ExternalSecret + metadata: + name: gitea-oidc + spec: + refreshInterval: 24h + secretStoreRef: + name: bitwarden + kind: ClusterSecretStore + dataFrom: + - extract: + key: gitea-sso diff --git a/apps/openebs/volumes.yaml b/apps/openebs/volumes.yaml index 4a13faf..084b904 100644 --- a/apps/openebs/volumes.yaml +++ b/apps/openebs/volumes.yaml @@ -53,3 +53,17 @@ spec: shared: "yes" status: state: Ready +--- +apiVersion: zfs.openebs.io/v1 +kind: ZFSVolume +metadata: + name: projects +spec: + capacity: 16Ti + fsType: zfs + ownerNodeID: kadan + poolName: ocean + volumeType: DATASET + shared: "yes" +status: + state: Ready diff --git a/apps/postgres/cluster.yaml b/apps/postgres/cluster.yaml index 85a3bf2..56e1e38 100644 --- a/apps/postgres/cluster.yaml +++ b/apps/postgres/cluster.yaml @@ -31,3 +31,6 @@ spec: - name: atuin login: true disablePassword: true + - name: gitea + login: true + disablePassword: true
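Review bot: The CNPG `Database` object in `extraDeploy` carries `databaseReclaimPolicy: delete`, and the same Application enables `syncPolicy.automated.prune: true`, so dropping the Application or just this `extraDeploy` entry from Git makes Argo CD prune the `Database` resource and the operator then drops the `gitea` database with all repository, issue and user metadata. For a Gitea instance that holds real data, `databaseReclaimPolicy: retain` is the safer setting; a deliberate teardown can still drop the database by hand. Also worth a short comment next to the `gitea-admin` ExternalSecret that `refreshPolicy: CreatedOnce` means the generated admin credentials are rotated only if the Secret is deleted and recreated, e.g. `# generated once; deleting the Secret regenerates the admin account credentials`.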
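Review bot: The new `projects` ZFSVolume is declared here, but nothing in this patch creates the PersistentVolume/PersistentVolumeClaim that `persistence.claimName: gitea-projects` in apps/gitea.yaml expects, so the Gitea pod will sit in Pending until that claim exists — worth confirming it is defined elsewhere or adding it alongside this entry. `shared: "yes"` on a 16Ti dataset, as I read the zfs-localpv semantics, permits more than one pod on the node to mount the same dataset; Gitea's data directory is not safe for concurrent writers, so a comment such as `# shared only for re-import; gitea must remain a single replica` would make the constraint visible to whoever scales the deployment. The hand-written `status.state: Ready` matches the existing entry above it and is presumably the documented way to adopt a pre-existing dataset, but a one-line comment saying so would help, since status is otherwise controller-owned.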