squash all

Mostly copied over from my old repo and modified for app of apps. Cleaning up the mess from migration Signed-off-by: gwg313 <gwg313@pm.me>
2026-06-21 05:29:49 +00:00 · 2025-07-03 08:02:33 -04:00 · 2025-07-03 08:02:33 -04:00 · 52933116f0
commit 52933116f0
parent 471f30f0b1
104 changed files with 2532 additions and 44 deletions
--- a/forgejo/certificate.yaml
+++ b/forgejo/certificate.yaml
@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: forgejo-cert
+  namespace: istio-system
+spec:
+  secretName: forgejo-cert
+  issuerRef:
+    name: letsencrypt-dns
+    kind: ClusterIssuer
+  dnsNames:
+    - git.local.gwg313.xyz
+    - git.gwg313.xyz
+    - git.zerotier.gwg313.xyz
--- a/forgejo/deployment.yaml
+++ b/forgejo/deployment.yaml
@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: forgejo
+  namespace: forgejo
+  labels:
+    app: forgejo
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: forgejo
+  template:
+    metadata:
+      labels:
+        app: forgejo
+    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      terminationGracePeriodSeconds: 30
+      containers:
+        - name: forgejo
+          image: codeberg.org/forgejo/forgejo:11-rootless
+          ports:
+            - containerPort: 3000
+            - containerPort: 2222
+          env:
+            - name: FORGEJO__server__ROOT_URL
+              value: "https://git.gwg313.xyz/"
+            - name: FORGEJO__ssh__START_SSH_SERVER
+              value: "false"
+            - name: FORGEJO__webhook__ALLOWED_HOST_LIST
+              value: "ci.gwg313.xyz"
+          volumeMounts:
+            - name: forgejo-volume
+              mountPath: /var/lib/gitea
+              subPath: data
+            - name: forgejo-volume
+              mountPath: /etc/gitea
+              subPath: config
+      volumes:
+        - name: forgejo-volume
+          persistentVolumeClaim:
+            claimName: forgejo-pvc
--- a/forgejo/destinationrule.yaml
+++ b/forgejo/destinationrule.yaml
@ -0,0 +1,12 @@
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: forgejo
+  namespace: forgejo
+spec:
+  host: forgejo.forgejo.svc.cluster.local
+  trafficPolicy:
+    outlierDetection:
+      consecutive5xxErrors: 1
+      interval: 5s
+      baseEjectionTime: 30s
--- a/forgejo/gateway.yaml
+++ b/forgejo/gateway.yaml
@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+  name: forgejo-gateway
+  namespace: forgejo
+spec:
+  selector:
+    istio: gateway
+  servers:
+    - port:
+        number: 443
+        name: https
+        protocol: HTTPS
+      tls:
+        mode: SIMPLE
+        credentialName: forgejo-cert
+      hosts:
+        - git.local.gwg313.xyz
+        - git.gwg313.xyz
+        - git.zerotier.gwg313.xyz
--- a/forgejo/sealed-secret.yaml
+++ b/forgejo/sealed-secret.yaml
@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: forgejo-iscsi-auth
+  namespace: forgejo
+spec:
+  encryptedData:
+    discovery.sendtargets.auth.password: AgAcRgPxIe/pBpeUWcSJzzf8HVUpFe8pl9U8qzs1eutcun91clbW5m/sra3oKV6KmmFgd69I2M3w38wtSGG7iztZdIPcCkVXZSqX3ANKrWIwiJXUBqfNtXAD0IxGu8SdkHRp7fGWR9NlynT7WDEZpTNNQrQE0O4GQrM7gMy9wzy22Foxk8hhUCOKW9o2q/HefBBp4BHHhdAmnaya26Cm2Fdji6U2bnORlY8SESRAyty7jkQFI4FcUlXXUhamVccFGVxufhRNkJP+90iPQbD48VDPSGHQS11EbfoSaoXlt+NTRt/FCwSMc2h5L5AtuZHTh72PGCk2+coYDLQb2IL0o+jujsf0hVlRAzMvHi5nDrwNVh+gbuV1MmC1SED3CA6nkevTeEj5mmK+kviZua1Ezi4LQ9daFPhOGjobCtPyZZsHwIzKceqWM5dULvckzgvNLecwkJgDOYRd9j3/G1wgsCUNZj4OhZZgO6rfG+XXMZfFnoRR1x0NK6jInaNm5oG+vYgBjN1WlR7dgEdUN8W0dC0uqmbpsoCTEyjOnumB7ecqknonh/syU8GqlB8KLBv5pZs9YR2fdMgDwh+RW/oPXcNCbbjsGi8N6+R6TdM7hp7NYh4yQaI/qkruCuUgGLEmziFUgrcWfjpwsmhNIuYG2lC0MC+oFlLiS1vF2mIkAM6AnbGgnwnWUU1FK6Y9q0aUjsPKp6Yv169oXgsyHqMk0EzD
+    discovery.sendtargets.auth.username: AgCCpqxtivSysp6XGnnh3xhyqg0I6/RLlwjJMsyQ5RJRoRSxKspKEuaW2+oIzVbCrCm6JS1Amrjk9MgR9jGNo+MtGNXTIWGcy3IAV+Cg6JZSyD/MGCHMQh/NIfZQnAPt2AuFAsXUUbcZbuVS5BYf+27KD8a9sCRH9McPv6IqSPC4tVSWOrdGD+FeL4oZhWhMuMiqAVwXi18tx+bu8TmCXjUUS/bYD64KnwBo+xyGAkiem+0NLqn9b85YMZQ68RWUepfFVZywbxWDuO0cQALHTUPPnVRCZPFImhz6vitlEY1dOkEmBYWQ9NoJZhTdiQA0pnnCvs7bDpGiqOK2qvlSyR6Bii5ZEUSBVfbtFDLQqcw+4mwOr1o+Zh1tSYZspHrm3ogAf3tzgEgHuZdWwXe/MFxDiaUviBjRwWAeCapl39+kn/PUSNQuta87DAOH9WecGE4vE5cvytDs21R+TXuY5IRtXngumEIuxex8Pm0CzjHt5JarWnhLs6kSMpJ2erI129mHh6OclC7ahACuKIMneQhVyWOHoGYdU3YuitRYPz9opYRi0tR1FilUmxKebHhOzu00FjtQTwIME4WIZpRXzvSHapNmx3k/aAX19Ow/lzr0fcszJNebc0p9cRsK+amxB9vIttpFTvhShd0+RQ5R/xAsoj49h0fyKT0Y/pNybZFRMtdMTbYLH2HxZj0DEz71HC5Y3bxGhWQS
+    node.session.auth.password: AgBfFtXL40WF/RcyVHRZ4LxDfFEpzaldSWjahyOQUJAKAgb5flbMdP99nEpL1Z+ZChMXMIn1hU5AbbbdYiMTeSAGyyg8/MHnikv5dvNzUWRYIT2jK++XvqfMWBvFC5Tc9TVFrsc2nFBeNgQ1E5a9W8vLv42sC4MTEHNvCsMxARCcDoxSzzmrZUV+RNy2ze20kp9pgWPxqcsaouynS2Kxdo0L3Tch6wcAOKewi6VKgtmsqrQjdl1wFCiHZrHl421c7Z18kQFsMnq8bF1tbELxm+KB2B78jaPQNHBYKM0aURmt6mnKI99XIIUf42s7fqlInceQwCRx7Q8HYOMWgI2FPwGVAOKRh4CS7woXfwbEga44uBRA91F5UV6i2VHkpfEnF7i6aZ/wKqnlVZQVvs5zZvumn+TuPDXibExTl///dCof7v2Q5xY8OLr2YUScfW3gokj7QUmCqfANG0sUxx+UqeNArXPaSRAw5gvTqRGtDAEZMBevPJSpcoWNJuKOkHST+lgF4T56s3KdyQoe10nrsgTmTEamOn9inkJOtNIlIpDjUHVHrTUgs24Tjfm9LKkrvP+/finuUbVJob6ltA6iU7tHDAAo2XgV2KfFTJC1ogv0hKltZA5TqPiqwUBF9w9iI1aEN2ghjc7+s1YcRtUFHCRnKdg9kU8LraxY166Iwajl1PESQ58LFMXqdLYRb2xIvZGATRYhG8qfhUYokMWTwpAj
+    node.session.auth.username: AgCKkZz7+v4qNvKCoxJUQK+ti3ptzvB3tQFrAhhtz14ifumuPhewFWwDMesWrzavnSm6jtD1U+8rnwgRvS1yyJ4ZtypohbJGWJlp1b/Pk0RT4lwxVLj0zRPvATYHTNSvRhFrnMeLBWMQbAfFNRdGUXN03qp3oq9uWr1I4jJ9fOHfCsqa4j7SH5raZ8qvDO1lPPrUioysbWkMjgP8DG+C8w+LEazgZu86WO/whCG4mEEHSaXs1aofSKfygYRxpd7GKcdmdflU9xbmIWdJMdQ6COWRZb9G8gJE1RsFum3pF5xfx6nxUOm6FkPbRBjtroMEKd4EWAGfl+P2AWWZ3xpA1WSoxjUztDRRvy7xGnU2QOZV3EEXqjG1/H4VUY9kd/3v10rFB9N1UgdatqRZpcxweNzaMJcUUGHMO5TsCjrwcPOD9gCLtWtsbYlvvUFTN2jfPiS2hzquEZI/hdr+qJC9sPJSu9OUvmFx+quT7DzVjvov/HjkdKd+N/dDpXHFVsL2oDq7mjUmT5mzqg3F/6/YkKn8b2X0LTgXUONXxF8xTUsI4HKCSBoANUuT/ePwBY3tVyz0AY+sUQd5Pxq708HeHC2edNTUwmY6ucuLWtTorXzFXSBXQXfeGZqjONtkYCE60CsTp7+RUtdNnG23CNDMFAUujVxLQVa1XfNFlfk9znBQ1IxUBLkU6JJm9kw3hYn6Bk06B/+mOOim
+  template:
+    metadata:
+      creationTimestamp: null
+      name: forgejo-iscsi-auth
+      namespace: forgejo
+    type: kubernetes.io/iscsi-chap
--- a/forgejo/service.yaml
+++ b/forgejo/service.yaml
@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: forgejo
+  namespace: forgejo
+spec:
+  selector:
+    app: forgejo
+  ports:
+    - name: http
+      port: 80
+      targetPort: 3000
+  type: ClusterIP
--- a/forgejo/storage.yaml
+++ b/forgejo/storage.yaml
@ -0,0 +1,36 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: forgejo-pv
+spec:
+  capacity:
+    storage: 20Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  iscsi:
+    targetPortal: truenas.local.gwg313.xyz:3260
+    iqn: iqn.2005-10.org.freenas.ctl:forgejo
+    lun: 0
+    fsType: ext4
+    chapAuthDiscovery: true
+    chapAuthSession: true
+    secretRef:
+      name: forgejo-iscsi-auth
+  claimRef:
+    namespace: forgejo
+    name: forgejo-pvc
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: forgejo-pvc
+  namespace: forgejo
+spec:
+  storageClassName: manual
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 20Gi
+  volumeName: forgejo-pv
--- a/forgejo/virtualservice.yaml
+++ b/forgejo/virtualservice.yaml
@ -0,0 +1,21 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: forgejo
+  namespace: forgejo
+spec:
+  hosts:
+    - git.local.gwg313.xyz
+    - git.gwg313.xyz
+    - git.zerotier.gwg313.xyz
+  gateways:
+    - forgejo-gateway
+  http:
+    - match:
+        - uri:
+            prefix: /
+      route:
+        - destination:
+            host: forgejo
+            port:
+              number: 80