othrayte/infra
1
0
Fork 0
Code Issues 1 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

Add gitea

Browse Source
This commit is contained in:
Adrian Cowan
2025-05-19 22:45:33 +10:00
parent 3ab392b50b
commit f7c4defe7d
5 changed files with 215 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
2-nomad-config/.terraform.lock.hcl generated
View File

@@ -16,6 +16,27 @@ provider "registry.terraform.io/carlpett/sops" {
]
}
provider "registry.terraform.io/cyrilgdn/postgresql" {
version = "1.25.0"
hashes = [
"h1:4Hlupc8gYrPnFKisesXs9lypK6LXslU4L4tjBZOhmiE=",
"zh:0f9db6e1274603d642e96b58eaf6cc4223f7118f2d7ce909dc4812d332cc002a",
"zh:1819470f0304c6a60b2b51817cb43f6ff59a49e08cc9e50644b86b3a76c91601",
"zh:27bfb544983cac101a7c7c2e4cb9939a712dffcdd7ddcab83c2f8afc334e33c5",
"zh:46166f6f05771b0495df18459fdf3a63fae8b38e95a1b2754f03d006e17ea33d",
"zh:64d53afc52f26e8214990acc3e07f3b47bef628aa6b317595a8faec05b252209",
"zh:944d7ded418c022dd3ee513246677d601376fa38d76c9c4aecff2c2eefcaa35b",
"zh:9819551b61542a6d322d6a323bbb552ce02e769ce2222fd9bb1935473c7c4b3c",
"zh:c38bd73e208fe216efab48d099c85b8ad1e51ff102b3892443febc9778e7236e",
"zh:c73de133274dcc7a03e95f598550facc59315538f355e57e14b36e222b298826",
"zh:c7af02f5338bfe7f1976e01d3fcf82e05b3551893e732539a84c568d25571a84",
"zh:d1aa3d7432c7de883873f8f70e9a6207c7b536d874486d37aee0ca8c8853a890",
"zh:e17e9809fc7cc2d6f89078b8bfe6308930117b2270be8081820da40029b04828",
"zh:e1b21b7b7022e0d468d72f4534d226d57a7bfd8c96a4c7dc2c2fa0bb0b99298d",
"zh:f24b73645d8bc225f692bdf9c035411099ef57138569f45f3605ec79ac872e3b",
]
}
provider "registry.terraform.io/hashicorp/nomad" {
version = "2.5.0"
hashes = [

21
2-nomad-config/1-infra.tf
View File

@@ -1,7 +1,3 @@
provider "nomad" {
address = "http://jaglan-beta-m01:4646"
}
terraform {
backend "local" {
path = "./.tfstate/terraform.tfstate"
@@ -14,7 +10,14 @@ terraform {
source = "carlpett/sops"
version = "~> 0.5"
}
postgresql = {
source = "cyrilgdn/postgresql"
}
}
}
provider "nomad" {
address = "http://jaglan-beta-m01:4646"
}
data "sops_file" "secrets" {
@@ -72,6 +75,16 @@ resource "nomad_variable" "postgres" {
}
}
provider "postgresql" {
host = "jaglan-beta-m01"
port = 5432
database = "postgres"
username = "postgres"
password = data.sops_file.secrets.data["postgres.postgres"]
sslmode = "disable"
connect_timeout = 15
}
resource "nomad_csi_volume_registration" "unraid_database_dump" {
#Note: Before chaning the definition of this volume you need to stop the jobs that are using it
depends_on = [data.nomad_plugin.smb]

49
2-nomad-config/2-services.tf
View File

@@ -58,4 +58,53 @@ resource "nomad_csi_volume_registration" "unraid_appdata_transferfilebrowser" {
}
}
resource "nomad_job" "gitea" {
jobspec = file("gitea.nomad.hcl")
}
resource "nomad_variable" "gitea" {
path = "nomad/jobs/gitea"
items = {
internal_token = data.sops_file.secrets.data["gitea.internal_token"]
jwt_secret = data.sops_file.secrets.data["gitea.jwt_secret"]
}
}
resource "postgresql_role" "gitea" {
name = "gitea"
password = "gitea"
login = true
}
resource "postgresql_database" "gitea" {
name = "gitea"
owner = postgresql_role.gitea.name
}
resource "nomad_csi_volume_registration" "unraid_appdata_gitea" {
#Note: Before chaning the definition of this volume you need to stop the jobs that are using it
depends_on = [data.nomad_plugin.smb]
plugin_id = "smb"
volume_id = "unraid_appdata_gitea"
name = "unraid_appdata_gitea"
external_id = "unraid_appdata_gitea"
capability {
access_mode = "single-node-writer"
attachment_mode = "file-system"
}
context = {
source = "//192.168.1.192/appdata"
subDir = "gitea" # Note: Needs to be manually created on the share
}
secrets = {
"username" = "nomad"
"password" = data.sops_file.secrets.data["unraid.nomad"]
}
}

122
2-nomad-config/gitea.nomad.hcl Normal file
View File

@@ -0,0 +1,122 @@
# TODOs
# - Map /data/ to unraid appdata
# - Move database config to /data/gitea/conf/app.ini (where it would be copied on first run)
job "gitea" {
group "gitea" {
network {
mode = "bridge"
port "http" {
to = 3000
}
}
service {
connect {
sidecar_service {
proxy {
upstreams {
destination_name = "postgres"
local_bind_port = 5432
}
}
}
}
}
service {
name = "code"
port = "http"
tags = [
"traefik.enable=true",
"traefik.http.routers.gitea.middlewares=auth@file",
]
# check {
# type = "http"
# path = "/"
# interval = "10s"
# timeout = "2s"
# }
}
task "gitea" {
driver = "docker"
config {
image = "gitea/gitea:latest"
ports = ["http"]
volumes = ["local/app.ini:/data/gitea/conf/app.ini"]
}
env = {
USER_UID = "1000"
USER_GID = "1000"
}
resources {
cpu = 500
memory = 256
}
volume_mount {
volume = "unraid_appdata_gitea"
destination = "/data"
read_only = false
}
template {
data = <<EOF
# Gitea configuration file
WORK_PATH = /data/
[database]
DB_TYPE = postgres
HOST = localhost:5432
NAME = gitea
USER = gitea
PASSWD = gitea
[repository]
ROOT = /data/git/repositories
[server]
DOMAIN = code.othrayte.one
ROOT_URL = https://code.othrayte.one/
[lfs]
PATH = /data/git/lfs
[log]
MODE = console
LEVEL = info
ROOT_PATH = /data/gitea/log
[security]
INSTALL_LOCK = true
INTERNAL_TOKEN = {{ with nomadVar "nomad/jobs/gitea" }}{{ .internal_token }}{{ end }}
PASSWORD_HASH_ALGO = pbkdf2
[oauth2]
JWT_SECRET = {{ with nomadVar "nomad/jobs/gitea" }}{{ .jwt_secret }}{{ end }}
EOF
destination = "local/app.ini"
}
}
volume "unraid_appdata_gitea" {
type = "csi"
read_only = false
source = "unraid_appdata_gitea"
access_mode = "single-node-writer"
attachment_mode = "file-system"
mount_options {
mount_flags = ["uid=1000", "gid=1000"]
}
}
}
}

8
2-nomad-config/secrets.enc.json
View File

@@ -10,6 +10,10 @@
"postgres": {
"postgres": "ENC[AES256_GCM,data:lKuLcVTuUbfrlVhRdCs=,iv:TsbtAbXYTysxuiCi08F0hJsgoolzzgE2EPdFdPMQ+NQ=,tag:9oNua06hHdeCzE7nB22c0g==,type:str]"
},
"gitea": {
"internal_token": "ENC[AES256_GCM,data:teIsV+6nUPWO9/amas3FmK6uv44YEZNpV780ncTwUkQDygDvQRr7A3KEbk/rYFcTjfxK6Kw8nmqi0rBrcBNX1bSVNg8jwfYHhY2TxFMgCo4tkQxLf3eSBUhlPGsfpsskACKIPnZ1RQ2m,iv:NAKPw0YVNtLlyEp7wld9ml4zQlVxo/takiOid6YQlfA=,tag:QIk+USh8MLZDzJkQsglJ+w==,type:str]",
"jwt_secret": "ENC[AES256_GCM,data:/dPDqJdn4Af3Wo005V7lU9b8RbN/wyF0Tx66827cdyaZfi4QPOSj23wNqw==,iv:yJW2PiAGGr97q0DoBr64X88eFNpuVPZX0SPyNDp5QjQ=,tag:p27XTUbMC0WDMTNJCscmGQ==,type:str]"
},
"sops": {
"age": [
{
@@ -17,8 +21,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUWM4ZDVVbGFrUGdMRHBX\nUFBmU3Nlc0RBSzhFK0tHNHpkQXUvUVdiZUZJCmpRN1lFdENpWW0rcThjVlVQNUl6\nWnlLU0RnQ3FZby81Ly8xTFBrek9nMncKLS0tIFQ4UTRNOC9CRmx4OFJWem1wckZz\nUDFTSzdWZldFK3FqcTNWTWRyNDhHQ2MKS811mR5xn7qiC/aVgPFYJ5c6Q3zxRfcr\nHcvxUvB01vNJKZpRg92vvKPkV6lQO3DXCT98OdfwiymlEOvYxg71Pg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-05-18T13:38:16Z",
"mac": "ENC[AES256_GCM,data:9rGE16ZuAOQZN/h+qYx/RHHAlU3BewKvBWQFIRqIRwPT5mKfu1mwzWSZPGU7EnLWIVvX+iPUltf7RkZOBPzE90w7kcXBTxsA+hKNZKTa2Bz4/95UKX2BBR/J6t6Leayb+W8hKwQ9QF+UTXh2GOwx4yIvQXVPDxr7D9Hwzz9yDYY=,iv:9tBdheTDN3XrRbL+V6K5HBvhuvLkZ7Vn/bGpBkh+hGg=,tag:gCd6TJAOf1+gITaKzxQA7Q==,type:str]",
"lastmodified": "2025-05-19T12:11:30Z",
"mac": "ENC[AES256_GCM,data:BjUuMWp3bE0iHLZZ9lHh/sSKSDF3sBgRr4CmKKqjXaY1CJ6k9wESgZmxjT2FOTfzJ5tZaBXdm4WKwagE6frke0eNfYDIWC+FQfX/4geUe8OyQFW/22i7I60uS4bVv9PAO/JJKTNCZxOdtLsK7fZ8rS4Jve9mAdhEbKfPmQHIiy4=,iv:cqi4rpbJLxLr8zjKrx80mKJBbSuU1D0XjUbBg1CYDRk=,tag:+8Hl9WQ2ZUY6BPMw/GMtpQ==,type:str]",
"encrypted_regex": "^(.*)$",
"version": "3.10.2"
}