From ffa0140d0b776f74e81a3bb2d466ccccaf765ac3 Mon Sep 17 00:00:00 2001
From: Moritz Graf
Date: Sat, 7 Feb 2026 08:48:10 +0100
Subject: [PATCH] Adding new gitea deployment
---
k8s/development/gitea.secret.yml | 139 ++++++++++++++++++++------
k8s/development/registry.secret.yaml | Bin 615 -> 762 bytes
k8s/development/registry_ingress.yaml | 42 ++++++++
3 files changed, 150 insertions(+), 31 deletions(-)
create mode 100644 k8s/development/registry_ingress.yaml
diff --git a/k8s/development/gitea.secret.yml b/k8s/development/gitea.secret.yml
index 4bdb885..2963444 100644
--- a/k8s/development/gitea.secret.yml
+++ b/k8s/development/gitea.secret.yml
@@ -1,42 +1,119 @@ -persistence: - annotations: - "helm.sh/resource-policy": keep +# --- Resource Optimization: Disable HA Clusters --- +postgresql-ha: + enabled: false +valkey-cluster: + enabled: false + +# --- Lightweight Database (PostgreSQL) --- +postgresql: enabled: true - storageClass: openebs-hostpath - accessMode: ReadWriteOnce - + global: + postgresql: + auth: + database: gitea + username: gitea + password: "eexai7ohHoameo3aefah" # <--- [1] DB Password + # Reduce DB resources for private use + primary: + resources: + requests: + cpu: 10m + memory: 128Mi + limits: + memory: 512Mi + persistence: + size: 5Gi + storageClass: openebs-hostpath + +# --- Lightweight Cache (Valkey Standalone) --- +valkey: + enabled: true + architecture: standalone + global: + valkey: + password: "Aid0eiy1ohghoagahjo3" # <--- [2] Cache Password + master: + resources: + requests: + cpu: 10m + memory: 64Mi + limits: + memory: 128Mi + persistence: + enabled: false # Ephemeral cache is fine for home use (saves disk I/O) + +# --- Gitea Configuration --- +image: + tag: "1.21.5" + rootless: true + +# Limit Gitea's own resources resources: gitea: requests: - memory: 200Mi + memory: 256Mi cpu: 100m + limits: + memory: 1Gi + cpu: 1000m -mariadb: +persistence: enabled: true - rootUser: - password: chu6ohzat4zae2iPhuoy - db: - user: gitea - name: gitea - password: OohoX6vahsh1mahshujo + storageClass: openebs-hostpath + size: 10Gi + accessModes: + - ReadWriteOnce -ingress: - enabled: true - certManager: true - annotations: - kubernetes.io/ingress.class: "nginx" - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - cert-manager.io/cluster-issuer: "letsencrypt-prod" - hosts: - - name: git.moritzgraf.de - tls: - - hosts: - - "git.moritzgraf.de" - secretName: git-moritzgraf-de +gitea: + admin: + username: "moritz" + password: "oongaeY9ohw4eith2Aiv" # <--- [3] Admin Password + email: "moritz@moritzgraf.de" + + config: + security: + INSTALL_LOCK: true + SECRET_KEY: 
"eew5quoo3jeiPheeb7eereeTaik2Ieth" # <--- [4] Secret Key + server: + DOMAIN: git.moritzgraf.de + ROOT_URL: "https://git.moritzgraf.de/" + SSH_DOMAIN: git.moritzgraf.de + SSH_PORT: "2222" # External display port + SSH_LISTEN_PORT: "2222" # Internal container port + START_SSH_SERVER: true + + # Connect to our standalone Valkey instance + # The default host for the subchart is usually: -valkey-master + cache: + ADAPTER: redis + HOST: "redis://:Aid0eiy1ohghoagahjo3@gitea-valkey-master:6379/0" # <--- [2] Cache Password + session: + PROVIDER: redis + PROVIDER_CONFIG: "redis://:Aid0eiy1ohghoagahjo3@gitea-valkey-master:6379/0" # <--- [2] Cache Password + queue: + TYPE: redis + CONN_STR: "redis://:Aid0eiy1ohghoagahjo3@gitea-valkey-master:6379/0" # <--- [2] Cache Password service: ssh: - serviceType: ClusterIP - port: 22 - externalPort: 2222 - externalHost: git.moritzgraf.de + type: NodePort + port: 2222 + targetPort: 2222 + nodePort: 30222 # Open this port on your firewall/router if needed + +ingress: + enabled: true + className: nginx + annotations: + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + cert-manager.io/cluster-issuer: "letsencrypt-prod" + nginx.ingress.kubernetes.io/proxy-body-size: "512m" + hosts: + - host: git.moritzgraf.de + paths: + - path: / + pathType: Prefix + tls: + - secretName: git-moritzgraf-de + hosts: + - git.moritzgraf.de \ No newline at end of file 
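Review bot: The new values file commits four live credentials in cleartext: the PostgreSQL password, the Valkey password (repeated in the `cache`, `session` and `queue` connection URLs), the Gitea admin password and `SECRET_KEY`. Anyone with read access to the repository or to this patch can read them. The sibling `registry.secret.yaml` appears as a binary blob in the same commit, which suggests an encryption filter that does not cover this file, possibly because of its `.yml` extension; that is worth checking in `.gitattributes`. I would move the values into Kubernetes Secrets and reference them from here, e.g. `existingSecret: <admin-secret-name>` under `gitea.admin` and the chart's `additionalConfigSources` for the `security` and Redis settings, and rotate all four values since they are now in history. Separately, `image.tag: "1.21.5"` pins an older Gitea release on a publicly named host, so confirm that the pin is intentional and the version still receives security fixes.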
diff --git a/k8s/development/registry.secret.yaml b/k8s/development/registry.secret.yaml index f63cdb3cec62c24db800b35c64d4438b17774b14..74d27eb4c48a78957c4feeb50a8037a66257a4c2 100644 GIT binary patch literal 762 zcmVMWF6Vjdjs%g@|6jqBd727 zAM@m>Bn&KZO=^TfU`S6Y>ES0b&w5=gnJC6vT>H<#I$rnm65SL|buS6?>v;2MJ|CI` zeZdvpViDn1hBPYSA7*LtZc3O2?cpWl7EbA}u)k)Pc zqI?BMk4dPfSXSUn;HAc9(JfkOH4c(d&G)TYkyR-@nA&lqpgE%B5vwt?De0VNVu5-( zi@Y$knAbD%#nbv%N6w)EE0m6RDTmG`Y;tJT%QRm@eK)-LL`}-0DGRW%ghes_!!jZR z6_o_3A$F-^^7WQ=&08`E9eh|GIP?`7=!1R~@9s`Ae&rwJv<)Jqk;EJgMj~?`SZIUGERkrwSE1I*49RP~3|o&)oC3Wrig)#W8MI@t4C z;ax?;+iCNojF{hO$_mK7pwT=_6^f3G+`IlI^(>RfEd-wY_G{7c70JajNz?qKpJ*0l z(iVMo_e8zwtx$p#Zx8mGPI@hYa&M z{ili|Bn)=%i2aKdhd|{>*I0nOao39u*kPCHMsyK29a?gF5+h29PmQ2qZY=$1P3;V! s&pKIZOir1RM|fZig@u4L^S!pQ&M42#ob)X_!=fdSgNDQYwuoQ#RL3rTvH$=8 literal 615 zcmV-t0+{^(M@dveQdv+`09T?}h!TT0w(5*W3KcbsNu?i^LoARXh6p#f=P0Lx#_PZpi9QA-QMz_L#V&>!;1g?~XhKPp(6g=n!%Bf_MO}&so$F1|LH4; zhhi<6_&Jjway7u8ZBh4Y-lofbawoERs{iP(fc92?JP)9`&z-G6GJx|b z&u6&$lS#Zh`0ZXhKYs`Y9qT!WY%7~>%dQ`{Ys3u0+BpjaPDvWx zd(iCOQ<$O)ydhro>@C)tXTh4IZxL>B1#*j5i8}!7n=JDijGDN6@x#RMj9Wua8W}}( z;;0grjzgiF4wp!1azFoxv{0NK2PaLonJXoH@LcvhaMy5r5D9U?+yeQCS7^4UtJDr1 zM!R8MKHB2=w(@MX0j)o=e0JA$V8w)yN!r$tcQTgu5xgvCFM(#2vWB>p=*7Bj$A7xt znSfllZ4JGXW>;2?JSY+&K!MCx{E9ZhvUQJR{fv_OPuWlAR9Yl-+WXm|q&Om*zkAJ) zdqtNt@#py1%=U4&!EV9`rUuef&AA4cn73D4_3~yBi2g8nhX2r#1 zktv!aI(a0g;^m{81U06*tMB+XN>%Z~>5!w!zV$gTfKV`Fk`O+o9r%<**~n+?DacF( BGVK5W diff --git a/k8s/development/registry_ingress.yaml b/k8s/development/registry_ingress.yaml new file mode 100644 index 0000000..d44a200 --- /dev/null +++ b/k8s/development/registry_ingress.yaml 
@@ -0,0 +1,42 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: docker-registry
+ namespace: development
+ annotations:
+ # --- ADDED: Match the working configuration ---
+ kubernetes.io/tls-acme: "true"
+ # ----------------------------------------------
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ kubernetes.io/ingress.class: nginx
+ meta.helm.sh/release-name: docker-registry
+ meta.helm.sh/release-namespace: development
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/proxy-body-size: "0"
+ labels:
+ app: docker-registry
+ app.kubernetes.io/managed-by: Helm
+ chart: docker-registry-1.9.2
+ heritage: Helm
+ release: docker-registry
+spec:
+ # --- ADDED: Critical for modern K8s ---
+ ingressClassName: nginx
+ # --------------------------------------
+ rules:
+ - host: registry.haumdaucher.de
+ http:
+ paths:
+ - backend:
+ service:
+ name: docker-registry
+ port:
+ number: 5000
+ path: /
+ # --- CHANGED: Recommended for consistency ---
+ pathType: Prefix
+ # --------------------------------------------
+ tls:
+ - hosts:
+ - registry.haumdaucher.de
+ secretName: registry-haumdaucher-de
\ No newline at end of file
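Review bot: The Helm ownership metadata under `metadata` (`meta.helm.sh/release-name`, `meta.helm.sh/release-namespace`, `app.kubernetes.io/managed-by: Helm`, `heritage: Helm`, `chart: docker-registry-1.9.2`) should not stay on a manifest that is maintained by hand, because the object then claims to belong to a release that does not render it from this file. If the docker-registry release still templates its own Ingress, the next `helm upgrade` may overwrite these edits; either set the class and path type through the chart's values or drop the Helm labels and annotations here. `kubernetes.io/ingress.class: nginx` is also redundant next to `ingressClassName: nginx`, so I would keep only the spec field. `nginx.ingress.kubernetes.io/proxy-body-size: "0"` removes the upload size limit on a publicly named host, so confirm that the registry behind it requires authentication for pushes.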