apps restructure

Signed-off-by: gwg313 <gwg313@pm.me>
gwg313 2026-05-17 14:45:00 -04:00
parent 8d74a625bc
commit 0b69038d79
Signed by: gwg313
GPG key ID: 60FF63B4826B7400
11 changed files with 36 additions and 0 deletions


@ -0,0 +1,55 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: forgejo
namespace: forgejo
labels:
app: forgejo
spec:
strategy:
type: Recreate
replicas: 1
selector:
matchLabels:
app: forgejo
template:
metadata:
labels:
app: forgejo
spec:
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
terminationGracePeriodSeconds: 30
containers:
- name: forgejo
image: codeberg.org/forgejo/forgejo:11-rootless
ports:
- containerPort: 3000
- containerPort: 2222
resources:
requests:
cpu: "50m"
memory: "128Mi"
limits:
cpu: "1000m"
memory: "512Mi"
env:
- name: FORGEJO__server__ROOT_URL
value: "https://git.gwg313.xyz/"
- name: FORGEJO__ssh__START_SSH_SERVER
value: "false"
- name: FORGEJO__webhook__ALLOWED_HOST_LIST
value: "ci.gwg313.xyz"
volumeMounts:
- name: forgejo-volume
mountPath: /var/lib/gitea
subPath: data
- name: forgejo-volume
mountPath: /etc/gitea
subPath: config
volumes:
- name: forgejo-volume
persistentVolumeClaim:
claimName: forgejo-pvc
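Review bot: The pod securityContext pins UID/GID 1000 but does not assert `runAsNonRoot: true` or a seccomp profile, and the container has no `allowPrivilegeEscalation: false` or capability drop, so the hardening the rootless image makes possible still rests on image defaults. `containerPort: 2222` is declared while `FORGEJO__ssh__START_SSH_SERVER` is "false" and the Service and network policy in this commit only expose 3000, so one of the two looks stale. The tag `11-rootless` is a floating tag, so pinning a digest would make the rollout reproducible, and the container has no readiness or liveness probe. This section's file header is not visible here; the kustomization lists it as deployment.yaml.
```yaml
securityContext:
  runAsUser: 1000
  runAsGroup: 1000
  fsGroup: 1000
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
# … unchanged: terminationGracePeriodSeconds …
containers:
  - name: forgejo
    image: codeberg.org/forgejo/forgejo:11-rootless
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
    # … unchanged: ports, resources, env, volumeMounts …
```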


@ -0,0 +1,12 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- storage.yaml
- forgejo-iscsi-auth.sealed.yaml
- secrets-sealed.yaml
- network-policy.yaml
- deployment.yaml
- service.yaml
- route.yaml


@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: forgejo
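Review bot: The namespace carries no Pod Security Admission labels, so the `restricted` profile is not enforced for pods created here; adding `pod-security.kubernetes.io/enforce: restricted` and `pod-security.kubernetes.io/warn: restricted` under `metadata.labels` would turn the intended non-root posture into an admission check. The deployment in this commit would need `runAsNonRoot`, a seccomp profile, `allowPrivilegeEscalation: false` and a capability drop before it passes that profile, so starting at the `warn` or `audit` level is the safer rollout. The file header for this section is not visible here.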


@ -0,0 +1,134 @@
# ----------------------------------------------------
# Default deny (namespace baseline)
# ----------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: default-deny
namespace: forgejo
spec:
endpointSelector: {}
ingress: []
egress: []
---
# ----------------------------------------------------
# Ingress only from Gateway API
# ----------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-ingress
namespace: forgejo
spec:
endpointSelector:
matchLabels:
app: forgejo
ingress:
- fromEntities:
- ingress
toPorts:
- ports:
- port: "3000"
protocol: TCP
---
# ----------------------------------------------------
# DNS (cluster DNS only)
# ----------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-dns
namespace: forgejo
spec:
endpointSelector:
matchLabels:
app: forgejo
egress:
- toEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
toPorts:
- ports:
- port: "53"
protocol: ANY
rules:
dns:
- matchPattern: "*"
# ---
# # ----------------------------------------------------
# # CI runner access (in-cluster service)
# # ----------------------------------------------------
# apiVersion: cilium.io/v2
# kind: CiliumNetworkPolicy
# metadata:
# name: allow-ci-runner
# namespace: forgejo
# spec:
# endpointSelector:
# matchLabels:
# app: forgejo
#
# egress:
# - toEndpoints:
# - matchLabels:
# app: ci-runner # adjust to your runner labels
# toPorts:
# - ports:
# - port: "80"
# protocol: TCP
# - port: "443"
# protocol: TCP
#
---
# ----------------------------------------------------
# External git providers (FQDN restricted)
# ----------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-git-egress
namespace: forgejo
spec:
endpointSelector:
matchLabels:
app: forgejo
egress:
- toFQDNs:
- matchName: github.com
- matchName: api.github.com
- matchName: raw.githubusercontent.com
toPorts:
- ports:
- port: "443"
protocol: TCP
---
# ----------------------------------------------------
# OPTIONAL: unrestricted egress (disabled by default)
# Enable ONLY when required for troubleshooting or apps
# ----------------------------------------------------
# apiVersion: cilium.io/v2
# kind: CiliumNetworkPolicy
# metadata:
# name: allow-all-egress
# namespace: forgejo
# spec:
# endpointSelector:
# matchLabels:
# app: forgejo
#
# egress:
# - toEntities:
# - world
# toPorts:
# - ports:
# - port: "443"
# protocol: TCP
# - port: "80"
# protocol: TCP
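Review bot: Nothing in the active policies permits egress to `ci.gwg313.xyz`, the only host the deployment lists in `FORGEJO__webhook__ALLOWED_HOST_LIST`; with `default-deny` setting `egress: []` and the CI-runner policy commented out, webhook deliveries from Forgejo will presumably be dropped. If the CI host is reached through the gateway, adding `- matchName: ci.gwg313.xyz` to the `toFQDNs` list in `allow-git-egress` covers it; if it is an in-cluster service, re-enable the commented `allow-ci-runner` policy with the real labels. The `allow-dns` rule's `matchPattern: "*"` is what lets `toFQDNs` resolve, so keep it paired with every FQDN policy. The file name is inferred from the kustomization entry `network-policy.yaml`.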

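--- a/apps/forgejo/route.yaml
+++ b/apps/forgejo/route.yaml
@@ -0,0 +1,36 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+name: forgejo
+namespace: forgejo
+spec:
+parentRefs:
+- name: shared-edge-gateway
+namespace: cilium-ingress
+hostnames:
+- git.local.gwg313.xyz
+- git.gwg313.xyz
+- git.zerotier.gwg313.xyz
+rules:
+- matches:
+- path:
+type: PathPrefix
+value: /
+backendRefs:
+- name: forgejo
+port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+name: allow-gateway-to-forgejo
+namespace: forgejo
+spec:
+from:
+- group: gateway.networking.k8s.io
+kind: Gateway
+namespace: cilium-ingress
+to:
+- group: ""
+kind: Service
+name: forgejo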
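Review bot: The `ReferenceGrant` letting `Gateway` in `cilium-ingress` reference `Service/forgejo` does not appear to be consumed by anything: the HTTPRoute's `backendRefs` target a Service in its own namespace, and cross-namespace attachment to `shared-edge-gateway` is governed by that Gateway's `listeners[].allowedRoutes.namespaces`, not by a grant. Unless the Cilium implementation documents a Gateway-to-Service grant, drop the second document or add a comment stating what relies on it. Only `git.gwg313.xyz` matches the deployment's `FORGEJO__server__ROOT_URL`, so requests on the other two hostnames will receive absolute links and redirects pointing at that host; if that is intended, a one-line comment above `hostnames` would save the next reader the question.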


@ -0,0 +1,19 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: forgejo-iscsi-auth
namespace: forgejo
spec:
encryptedData:
discovery.sendtargets.auth.password: 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
discovery.sendtargets.auth.username: 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
node.session.auth.password: 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
node.session.auth.username: 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
template:
metadata:
creationTimestamp: null
name: forgejo-iscsi-auth
namespace: forgejo
type: kubernetes.io/iscsi-chap

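--- a/apps/forgejo/service.yaml
+++ b/apps/forgejo/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+name: forgejo
+namespace: forgejo
+spec:
+selector:
+app: forgejo
+ports:
+- name: http
+port: 80
+targetPort: 3000
+type: ClusterIP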

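--- a/apps/forgejo/storage.yaml
+++ b/apps/forgejo/storage.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+name: forgejo-pv
+spec:
+capacity:
+storage: 20Gi
+accessModes:
+- ReadWriteOnce
+persistentVolumeReclaimPolicy: Retain
+iscsi:
+targetPortal: truenas.local.gwg313.xyz:3260
+iqn: iqn.2005-10.org.freenas.ctl:forgejo
+lun: 0
+fsType: ext4
+chapAuthDiscovery: true
+chapAuthSession: true
+secretRef:
+name: forgejo-iscsi-auth
+claimRef:
+namespace: forgejo
+name: forgejo-pvc
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+name: forgejo-pvc
+namespace: forgejo
+spec:
+storageClassName: manual
+accessModes:
+- ReadWriteOnce
+resources:
+requests:
+storage: 20Gi
+volumeName: forgejo-pv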
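Review bot: The PersistentVolume has no `storageClassName` while the claim requests `storageClassName: manual`; as far as I recall the PV controller still compares the two classes when `volumeName` and `claimRef` pre-bind the pair, so the claim is likely to stay Pending with a class mismatch. Adding `storageClassName: manual` to the PV spec removes the ambiguity either way. The iSCSI `secretRef` names `forgejo-iscsi-auth` without a `namespace`; a PV is cluster-scoped, so set `namespace: forgejo` explicitly rather than relying on the lookup defaulting to the claim's namespace. The portal, IQN and LUN are site data and are taken as given.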