From 8f0057787a0f4fc06f8696b96731b43447143eb1 Mon Sep 17 00:00:00 2001
From: Earl Warren
Date: Sun, 20 Oct 2024 18:05:04 +0200
Subject: [PATCH] k8s forgejo instance helpers
---
 .gitignore | 1 +
 k8s-forgejo.md | 59 ++++++------------
 k8s-forgejo/forgejo-secrets.yml.example | 6 ++
 k8s-forgejo/forgejo-values.yml | 36 +++++++++++
 k8s-forgejo/next-values.yml | 81 +++++++++++++++++++++++++
 5 files changed, 141 insertions(+), 42 deletions(-)
 create mode 100644 k8s-forgejo/forgejo-secrets.yml.example
 create mode 100644 k8s-forgejo/forgejo-values.yml
 create mode 100644 k8s-forgejo/next-values.yml
diff --git a/.gitignore b/.gitignore
index 0178e91..a805a90 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 *~
 k3s-host/secrets.sh
 k3s-host/variables.sh
+k8s-forgejo/*-secrets.yml
diff --git a/k8s-forgejo.md b/k8s-forgejo.md
index 772e1f8..0f2742d 100644
--- a/k8s-forgejo.md
+++ b/k8s-forgejo.md
@@ -1,48 +1,23 @@
-## Forgejo
+# Forgejo k8s instance
-[forgejo](https://code.forgejo.org/forgejo-helm/forgejo-helm) configuration in [ingress](https://code.forgejo.org/forgejo-helm/forgejo-helm#ingress) for the reverse proxy (`traefik`) to route the domain and for the ACME issuer (`cert-manager`) to obtain a certificate. And in [service](https://code.forgejo.org/forgejo-helm/forgejo-helm#service) for the `ssh` port to be bound to the desired IPs of the load balancer (`metallb`).
+[forgejo](https://code.forgejo.org/forgejo-helm/forgejo-helm) configuration in [ingress](https://code.forgejo.org/forgejo-helm/forgejo-helm#ingress) for the reverse proxy (`traefik`) to route the domain and for the ACME issuer (`cert-manager`) to obtain a certificate. And in [service](https://code.forgejo.org/forgejo-helm/forgejo-helm#service) for the `ssh` port to be bound to the desired IPs of the load balancer (`metallb`). A [PVC](https://code.forgejo.org/forgejo-helm/forgejo-helm#persistence) is created on the networked storage.
-```
-ingress:
- enabled: true
- annotations:
- # https://cert-manager.io/docs/usage/ingress/#supported-annotations
- # https://github.com/cert-manager/cert-manager/issues/2239
- cert-manager.io/cluster-issuer: letsencrypt-http
- cert-manager.io/private-key-algorithm: ECDSA
- cert-manager.io/private-key-size: 384
- kubernetes.io/ingress.class: traefik
- traefik.ingress.kubernetes.io/router.entrypoints: websecure
- tls:
- - hosts:
- - t1.forgejo.org
- secretName: tls-forgejo-t1-ingress-http
- hosts:
- - host: t1.forgejo.org
- paths:
- - path: /
- pathType: Prefix
+## Secrets
-service:
- http:
- type: ClusterIP
- ipFamilyPolicy: PreferDualStack
- port: 3000
- ssh:
- type: LoadBalancer
- annotations:
- metallb.universe.tf/loadBalancerIPs: 188.40.16.47,2a01:4f8:fff2:48::2
- metallb.universe.tf/allow-shared-ip: "key-to-share-failover"
- ipFamilyPolicy: PreferDualStack
- port: 2222
-```
+### New
-[Instruct the forgejo pod](https://code.forgejo.org/forgejo-helm/forgejo-helm#persistence) to use the `forgejo-data` pvc.
+- `cp forgejo-secrets.yml.example $name-secrets.yml`
+- edit
+- `kubectl create secret generic forgejo-$name-secrets --from-file=value=$name-secrets.yml`
-```yaml
-persistence:
- enabled: true
- create: false
- claimName: forgejo-data
-```
+### Existing
+- `kubectl get secret forgejo-$name-secrets -o json | jq -r '.data.value' | base64 -d > $name-secrets.yml`
+
+## Storage
+
+- `../k3s-host/setup.sh setup_k8s_pvc forgejo-$name 4Gi 1000`
+
+## Pod
+
+- `../k3s-host/subst.sh forgejo-values.yml | helm upgrade forgejo-$name -f - -f $name-values.yml -f $name-secrets.yml oci://code.forgejo.org/forgejo-helm/forgejo --atomic --wait --install`
diff --git a/k8s-forgejo/forgejo-secrets.yml.example b/k8s-forgejo/forgejo-secrets.yml.example
new file mode 100644
index 0000000..a368c36
--- /dev/null
+++ b/k8s-forgejo/forgejo-secrets.yml.example
@@ -0,0 +1,6 @@
+gitea:
+ admin:
+ password: "***"
+ config:
+ mailer:
+ PASSWD: "***"
diff --git a/k8s-forgejo/forgejo-values.yml b/k8s-forgejo/forgejo-values.yml
new file mode 100644
index 0000000..c6cf783
--- /dev/null
+++ b/k8s-forgejo/forgejo-values.yml
@@ -0,0 +1,36 @@
+strategy:
+ type: 'Recreate'
+
+ingress:
+ enabled: true
+ annotations:
+ # https://cert-manager.io/docs/usage/ingress/#supported-annotations
+ # https://github.com/cert-manager/cert-manager/issues/2239
+ cert-manager.io/cluster-issuer: letsencrypt-http
+ cert-manager.io/private-key-algorithm: ECDSA
+ cert-manager.io/private-key-size: 384
+ kubernetes.io/ingress.class: traefik
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+
+service:
+ http:
+ type: ClusterIP
+ ipFamilyPolicy: PreferDualStack
+ port: 3000
+ ssh:
+ type: LoadBalancer
+ annotations:
+ metallb.universe.tf/loadBalancerIPs: $failover_ipv4,$failover_ipv6
+ metallb.universe.tf/allow-shared-ip: "key-to-share-failover"
+ ipFamilyPolicy: PreferDualStack
+
+redis-cluster:
+ enabled: false
+postgresql:
+ enabled: false
+postgresql-ha:
+ enabled: false
+
+persistence:
+ enabled: true
+ create: false
diff --git a/k8s-forgejo/next-values.yml b/k8s-forgejo/next-values.yml
new file mode 100644
index 0000000..ca471b1
--- /dev/null
+++ b/k8s-forgejo/next-values.yml
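Review bot: `cert-manager.io/private-key-size: 384` in `ingress.annotations` is an unquoted integer, but Kubernetes annotation values are strings, so the rendered Ingress is rejected by the API server unless the chart template stringifies it — I cannot tell from here whether it does, so quote it: `cert-manager.io/private-key-size: "384"`. The same hunk leaves `metallb.universe.tf/loadBalancerIPs: $failover_ipv4,$failover_ipv6` unquoted; `subst.sh` expands it before YAML parsing, and an empty or unset variable then yields a bare `,` or `null` rather than a loud failure, so `"$failover_ipv4,$failover_ipv6"` is safer. Separately, `kubernetes.io/ingress.class` is the deprecated annotation form; if the chart exposes an `ingress.className` value, prefer that so the router selection survives future ingress-controller versions.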
@@ -0,0 +1,81 @@
+image:
+ registry: codeberg.org
+ repository: forgejo-experimental/forgejo
+ tag: '8.0-test'
+ rootless: false
+
+ingress:
+ tls:
+ - hosts:
+ - next.forgejo.org
+ secretName: tls-forgejo-next-ingress-http
+ hosts:
+ - host: next.forgejo.org
+ paths:
+ - path: /
+ pathType: Prefix
+
+service:
+ ssh:
+ port: 2020
+
+persistence:
+ claimName: forgejo-next
+
+gitea:
+ admin:
+ username: earl-warren
+ email: 'contact@earl-warren.org'
+ config:
+ APP_NAME: "Forgejo v8.0 demo"
+ APP_SLOGAN: "ARCHIVED USE v8.next.forgejo.org instead"
+ APP_DISPLAY_NAME_FORMAT: "{APP_NAME} [{APP_SLOGAN}]"
+ log:
+ LEVEL: "info"
+ server:
+ ROOT_URL: https://next.forgejo.org/
+ DOMAIN: next.forgejo.org
+ SSH_DOMAIN: next.forgejo.org
+ SSH_PORT: "2020"
+ LFS_START_SERVER: true
+ OFFLINE_MODE: true
+ repository:
+ ROOT: /data/git/repositories
+ service:
+ REGISTER_EMAIL_CONFIRM: true
+ DEFAULT_KEEP_EMAIL_PRIVATE: true
+ ENABLE_NOTIFY_MAIL: true
+ DISABLE_REGISTRATION: true
+ actions:
+ ENABLED: false
+ mirror:
+ ENABLED: false
+ federation:
+ ENABLED: true
+ admin:
+ SEND_NOTIFICATION_EMAIL_ON_NEW_USER: true
+ cors:
+ ENABLED: true
+ ALLOW_DOMAIN: "*"
+ HEADERS: "Access-Control-Allow-Origin"
+ mailer:
+ ENABLED: true
+ FROM: "noreply@forgejo.org"
+ PROTOCOL: "smtp+starttls"
+ SMTP_ADDR: "ssl0.ovh.net"
+ SMTP_PORT: "587"
+ USER: "next@forgejo.org"
+ database:
+ PATH: /data/gitea.db
+ DB_TYPE: sqlite3
+ session:
+ PROVIDER: db
+ cache:
+ ADAPTER: memory
+ queue:
+ TYPE: level
+ indexer:
+ REPO_INDEXER_ENABLED: true
+ cron.archive_cleanup:
+ SCHEDULE: "@hourly"
+ OLDER_THAN: "2h"
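Review bot: `cors.ENABLED: true` with `ALLOW_DOMAIN: "*"` lets any web origin read responses from this instance's API, and `image.rootless: false` runs the container as root; both are deliberate-looking deviations from a hardened default, yet neither carries a comment saying why, so the next person editing this file cannot tell whether they are safe to tighten. Add `# public demo: any origin may read the API; ALLOW_CREDENTIALS is left at its default — confirm it stays unset` above the `cors:` block and `# rootless: false — TODO state why the root image is required for forgejo-experimental` above `rootless: false`. `tag: '8.0-test'` is a mutable tag, so what the `Recreate` strategy pulls can change between rollouts; a digest pin would make the deployed image reproducible, which may or may not matter for an archived demo.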