gilgamezh
261aebfd10
Bumped gitea helm chart 12.4.0->12.6.0 (app 1.24.6->1.26.1). The chart default RollingUpdate (maxSurge 100%/maxUnavailable 0) surges a second pod that can't mount the single RWO NFS PVC, deadlocking 'helm upgrade --wait'. Recreate avoids it. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
134 lines
3.1 KiB
YAML
134 lines
3.1 KiB
YAML
# Gitea configuration for TuringPi K3s cluster
|
|
# Self-hosted Git server for ArgoCD integration
|
|
|
|
# Single replica for homelab
|
|
replicaCount: 1
|
|
|
|
# Gitea data lives on a single RWO NFS PVC, so two pods can't run at once.
|
|
# The chart default (RollingUpdate maxSurge 100%/maxUnavailable 0) surges a
|
|
# second pod and deadlocks on upgrade -- use Recreate instead.
|
|
strategy:
|
|
type: Recreate
|
|
|
|
# Service configuration - LoadBalancer for direct access
|
|
service:
|
|
http:
|
|
type: LoadBalancer
|
|
port: 3000
|
|
# MetalLB will assign an IP
|
|
ssh:
|
|
type: LoadBalancer
|
|
port: 22
|
|
# For git SSH access
|
|
|
|
# Ingress for web access
|
|
ingress:
|
|
enabled: true
|
|
className: traefik
|
|
pathType: Prefix
|
|
annotations:
|
|
# Restrict to LAN access via Traefik v3 Middleware (resources/gitea-middleware.yaml)
|
|
traefik.ingress.kubernetes.io/router.middlewares: "gitea-lan-only@kubernetescrd"
|
|
cert-manager.io/cluster-issuer: "letsencrypt-production"
|
|
hosts:
|
|
- host: gitea.gilgamezh.me
|
|
paths:
|
|
- path: /
|
|
pathType: Prefix
|
|
tls:
|
|
- secretName: gitea-tls
|
|
hosts:
|
|
- gitea.gilgamezh.me
|
|
|
|
# Storage using your NFS setup
|
|
persistence:
|
|
enabled: true
|
|
create: true
|
|
storageClass: "nfs-client" # Your existing NFS storage class
|
|
size: 20Gi
|
|
accessModes:
|
|
- ReadWriteOnce
|
|
|
|
# Database - use PostgreSQL for production-ready setup
|
|
postgresql:
|
|
enabled: true
|
|
auth:
|
|
username: gitea
|
|
database: gitea
|
|
# Password will be auto-generated
|
|
primary:
|
|
persistence:
|
|
enabled: true
|
|
storageClass: "nfs-client"
|
|
size: 10Gi
|
|
|
|
# Disable PostgreSQL HA (since we're enabling regular postgresql)
|
|
postgresql-ha:
|
|
enabled: false
|
|
|
|
# Disable Valkey cluster (Redis alternative) - not needed for homelab
|
|
valkey-cluster:
|
|
enabled: false
|
|
|
|
# Gitea configuration
|
|
gitea:
|
|
cache:
|
|
enabled: false
|
|
admin:
|
|
username: admin
|
|
password: "gitea-admin-pass" # Change this!
|
|
email: "admin@gilgamezh.me"
|
|
|
|
config:
|
|
APP_NAME: "TuringPi Gitea"
|
|
RUN_MODE: prod
|
|
|
|
server:
|
|
DOMAIN: gitea.gilgamezh.me
|
|
SSH_DOMAIN: gitea.gilgamezh.me
|
|
ROOT_URL: https://gitea.gilgamezh.me
|
|
PROTOCOL: http
|
|
DISABLE_SSH: false
|
|
SSH_PORT: 22
|
|
LFS_START_SERVER: true
|
|
|
|
database:
|
|
DB_TYPE: postgres
|
|
|
|
security:
|
|
INSTALL_LOCK: true
|
|
|
|
service:
|
|
DISABLE_REGISTRATION: false # Allow user registration
|
|
REQUIRE_SIGNIN_VIEW: false # Allow anonymous viewing of public repos
|
|
|
|
ui:
|
|
DEFAULT_THEME: gitea-dark
|
|
|
|
repository:
|
|
DEFAULT_PRIVATE: false # Public repos by default for easier ArgoCD access
|
|
|
|
ssh.minimum_key_sizes:
|
|
RSA: 1024 # Allow 2048-bit RSA keys
|
|
ECDSA: 256
|
|
ED25519: 256
|
|
|
|
# Resource limits (adjust based on your node capacity)
|
|
resources:
|
|
limits:
|
|
cpu: 1000m
|
|
memory: 1Gi
|
|
requests:
|
|
cpu: 100m
|
|
memory: 256Mi
|
|
|
|
# Node affinity (prefer worker nodes, avoid control plane)
|
|
affinity:
|
|
nodeAffinity:
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
- weight: 100
|
|
preference:
|
|
matchExpressions:
|
|
- key: node-role.kubernetes.io/control-plane
|
|
operator: DoesNotExist
|