This commit is contained in:
@@ -32,3 +32,58 @@ jobs:
|
|||||||
kube_ca_base64: ${{ secrets.HOSTING_KUBE_CA_BASE64 }}
|
kube_ca_base64: ${{ secrets.HOSTING_KUBE_CA_BASE64 }}
|
||||||
kube_token: ${{ secrets.HOSTING_KUBE_TOKEN }}
|
kube_token: ${{ secrets.HOSTING_KUBE_TOKEN }}
|
||||||
|
|
||||||
|
- name: Deploy
|
||||||
|
env:
|
||||||
|
# cron jobs env
|
||||||
|
CRONJOBS_BACKUPS_SECRETS_PBS_REPOSITORY: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_PBS_REPOSITORY }}
|
||||||
|
CRONJOBS_BACKUPS_SECRETS_PBS_PASSWORD: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_PBS_PASSWORD }}
|
||||||
|
CRONJOBS_BACKUPS_SECRETS_PBS_FINGERPRINT: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_PBS_FINGERPRINT }}
|
||||||
|
CRONJOBS_BACKUPS_SECRETS_BORG_REPO: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_BORG_REPO }}
|
||||||
|
CRONJOBS_BACKUPS_SECRETS_BORG_PASSPHRASE: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_BORG_PASSPHRASE }}
|
||||||
|
CRONJOBS_BACKUPS_SECRETS_OFFSITE_TARGET_FOLDER: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_OFFSITE_TARGET_FOLDER }}
|
||||||
|
CRONJOBS_BACKUPS_SECRETS_ID_RSA: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_ID_RSA }}
|
||||||
|
CRONJOBS_BACKUPS_SECRETS_BORG_KEY: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_BORG_KEY }}
|
||||||
|
|
||||||
|
# helm chart values
|
||||||
|
APP_HELM_VALUE_VALKEY_GLOBAL_PASSWORD: ${{ secrets.APP_HELM_VALUE_VALKEY_GLOBAL_PASSWORD }}
|
||||||
|
APP_HELM_VALUE_POSTGRESQL_AUTH_POSTGRESPASSWORD: ${{ secrets.APP_HELM_VALUE_POSTGRESQL_AUTH_POSTGRESPASSWORD }}
|
||||||
|
APP_HELM_VALUE_POSTGRESQL_AUTH_PASSWORD: ${{ secrets.APP_HELM_VALUE_POSTGRESQL_AUTH_PASSWORD }}
|
||||||
|
APP_HELM_VALUE_POSTGRESQL_AUTH_DATABASE: ${{ secrets.APP_HELM_VALUE_POSTGRESQL_AUTH_DATABASE }}
|
||||||
|
APP_HELM_VALUE_POSTGRESQL_AUTH_USERNAME: ${{ secrets.APP_HELM_VALUE_POSTGRESQL_AUTH_USERNAME }}
|
||||||
|
APP_HELM_VALUE_GITEA_ADMIN_USERNAME: ${{ secrets.APP_HELM_VALUE_GITEA_ADMIN_USERNAME }}
|
||||||
|
APP_HELM_VALUE_GITEA_ADMIN_PASSWORD: ${{ secrets.APP_HELM_VALUE_GITEA_ADMIN_PASSWORD }}
|
||||||
|
APP_HELM_VALUE_GITEA_ADMIN_EMAIL: ${{ secrets.APP_HELM_VALUE_GITEA_ADMIN_EMAIL }}
|
||||||
|
APP_HELM_VALUE_GITEA_CONFIG_OAUTH2_JWT_SECRET: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_OAUTH2_JWT_SECRET }}
|
||||||
|
APP_HELM_VALUE_GITEA_CONFIG_SERVER_LFS_JWT_SECRET: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_SERVER_LFS_JWT_SECRET }}
|
||||||
|
APP_HELM_VALUE_GITEA_CONFIG_SECURITY_SECRET_KEY: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_SECURITY_SECRET_KEY }}
|
||||||
|
APP_HELM_VALUE_GITEA_CONFIG_SECURITY_REVERSE_PROXY_TRUSTED_PROXIES: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_SECURITY_REVERSE_PROXY_TRUSTED_PROXIES }}
|
||||||
|
APP_HELM_VALUE_GITEA_CONFIG_SECURITY_INTERNAL_TOKEN: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_SECURITY_INTERNAL_TOKEN }}
|
||||||
|
APP_HELM_VALUE_GITEA_CONFIG_SECURITY_PASSWORD_HASH_ALGO: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_SECURITY_PASSWORD_HASH_ALGO }}
|
||||||
|
APP_HELM_VALUE_GITEA_CONFIG_SERVICE_OAUTH2_JWT_SECRET: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_SERVICE_OAUTH2_JWT_SECRET }}
|
||||||
|
|
||||||
|
run: |
|
||||||
|
#!/bin/bash
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
# ensure cleanup always runs
|
||||||
|
trap 'rm -f \
|
||||||
|
/deploy/app/cronjobs/backups/.env.d/secrets \
|
||||||
|
/deploy/app/cronjobs/backups/.env.d/id_rsa \
|
||||||
|
/deploy/app/cronjobs/backups/.env.d/borg_key' EXIT
|
||||||
|
|
||||||
|
# setup env for cronjobs backups
|
||||||
|
mkdir -p /deploy/app/cronjobs/backups/.env.d
|
||||||
|
echo "PBS_REPOSITORY=${CRONJOBS_BACKUPS_SECRETS_PBS_REPOSITORY}" >> /deploy/app/cronjobs/backups/.env.d/secrets
|
||||||
|
echo "PBS_PASSWORD=${CRONJOBS_BACKUPS_SECRETS_PBS_PASSWORD}" >> /deploy/app/cronjobs/backups/.env.d/secrets
|
||||||
|
echo "PBS_FINGERPRINT=${CRONJOBS_BACKUPS_SECRETS_PBS_FINGERPRINT}" >> /deploy/app/cronjobs/backups/.env.d/secrets
|
||||||
|
echo "BORG_REPO=${CRONJOBS_BACKUPS_SECRETS_BORG_REPO}" >> /deploy/app/cronjobs/backups/.env.d/secrets
|
||||||
|
echo "BORG_PASSPHRASE=${CRONJOBS_BACKUPS_SECRETS_BORG_PASSPHRASE}" >> /deploy/app/cronjobs/backups/.env.d/secrets
|
||||||
|
echo "OFFSITE_TARGET_FOLDER=${CRONJOBS_BACKUPS_SECRETS_OFFSITE_TARGET_FOLDER}" >> /deploy/app/cronjobs/backups/.env.d/secrets
|
||||||
|
|
||||||
|
# enforce security
|
||||||
|
chmod 600 /deploy/app/cronjobs/backups/.env.d/secrets
|
||||||
|
chmod 600 /deploy/app/cronjobs/backups/.env.d/id_rsa
|
||||||
|
chmod 600 /deploy/app/cronjobs/backups/.env.d/borg_key
|
||||||
|
|
||||||
|
# invoke deploy script
|
||||||
|
deploy/apply-app.sh
|
||||||
|
|||||||
@@ -10,27 +10,27 @@ if [ -f "deploy/helm/.env" ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
if [ -n "${GITEA_ADMIN_USERNAME:-}" ]; then
|
if [ -n "${APP_HELM_VALUE_GITEA_ADMIN_USERNAME:-}" ]; then
|
||||||
echo "Executing helm deploy."
|
echo "Executing helm deploy."
|
||||||
|
|
||||||
helm repo add gitea-charts https://dl.gitea.com/charts/
|
helm repo add gitea-charts https://dl.gitea.com/charts/
|
||||||
helm repo update
|
helm repo update
|
||||||
helm upgrade --install gitea gitea-charts/gitea \
|
helm upgrade --install gitea gitea-charts/gitea \
|
||||||
--values deploy/helm/values.yaml \
|
--values deploy/helm/values.yaml \
|
||||||
--set valkey.global.valkey.password=${VALKEY_GLOBAL_PASSWORD} \
|
--set valkey.global.valkey.password=${APP_HELM_VALUE_VALKEY_GLOBAL_PASSWORD} \
|
||||||
--set postgresql.global.postgresql.auth.postgresPassword=${POSTGRESQL_AUTH_POSTGRESPASSWORD} \
|
--set postgresql.global.postgresql.auth.postgresPassword=${APP_HELM_VALUE_POSTGRESQL_AUTH_POSTGRESPASSWORD} \
|
||||||
--set postgresql.global.postgresql.auth.password=${POSTGRESQL_AUTH_PASSWORD} \
|
--set postgresql.global.postgresql.auth.password=${APP_HELM_VALUE_POSTGRESQL_AUTH_PASSWORD} \
|
||||||
--set postgresql.global.postgresql.auth.database=${POSTGRESQL_AUTH_DATABASE} \
|
--set postgresql.global.postgresql.auth.database=${APP_HELM_VALUE_POSTGRESQL_AUTH_DATABASE} \
|
||||||
--set postgresql.global.postgresql.auth.username=${POSTGRESQL_AUTH_USERNAME} \
|
--set postgresql.global.postgresql.auth.username=${APP_HELM_VALUE_POSTGRESQL_AUTH_USERNAME} \
|
||||||
--set gitea.admin.username=${GITEA_ADMIN_USERNAME} \
|
--set gitea.admin.username=${APP_HELM_VALUE_GITEA_ADMIN_USERNAME} \
|
||||||
--set gitea.admin.password=${GITEA_ADMIN_PASSWORD} \
|
--set gitea.admin.password=${APP_HELM_VALUE_GITEA_ADMIN_PASSWORD} \
|
||||||
--set gitea.admin.email=${GITEA_ADMIN_EMAIL} \
|
--set gitea.admin.email=${APP_HELM_VALUE_GITEA_ADMIN_EMAIL} \
|
||||||
--set gitea.config.oauth2.JWT_SECRET=${GITEA_CONFIG_OAUTH2_JWT_SECRET} \
|
--set gitea.config.oauth2.JWT_SECRET=${APP_HELM_VALUE_GITEA_CONFIG_OAUTH2_JWT_SECRET} \
|
||||||
--set gitea.config.server.LFS_JWT_SECRET=${GITEA_CONFIG_SERVER_LFS_JWT_SECRET} \
|
--set gitea.config.server.LFS_JWT_SECRET=${APP_HELM_VALUE_GITEA_CONFIG_SERVER_LFS_JWT_SECRET} \
|
||||||
--set gitea.config.security.SECRET_KEY=${GITEA_CONFIG_SECURITY_SECRET_KEY} \
|
--set gitea.config.security.SECRET_KEY=${APP_HELM_VALUE_GITEA_CONFIG_SECURITY_SECRET_KEY} \
|
||||||
--set gitea.config.security.REVERSE_PROXY_TRUSTED_PROXIES=${GITEA_CONFIG_SECURITY_REVERSE_PROXY_TRUSTED_PROXIES} \
|
--set gitea.config.security.REVERSE_PROXY_TRUSTED_PROXIES=${APP_HELM_VALUE_GITEA_CONFIG_SECURITY_REVERSE_PROXY_TRUSTED_PROXIES} \
|
||||||
--set gitea.config.security.INTERNAL_TOKEN=${GITEA_CONFIG_SECURITY_INTERNAL_TOKEN} \
|
--set gitea.config.security.INTERNAL_TOKEN=${APP_HELM_VALUE_GITEA_CONFIG_SECURITY_INTERNAL_TOKEN} \
|
||||||
--set gitea.config.security.PASSWORD_HASH_ALGO=${GITEA_CONFIG_SECURITY_PASSWORD_HASH_ALGO} \
|
--set gitea.config.security.PASSWORD_HASH_ALGO=${APP_HELM_VALUE_GITEA_CONFIG_SECURITY_PASSWORD_HASH_ALGO} \
|
||||||
--set gitea.config.service.oauth2.JWT_SECRET=${GITEA_CONFIG_SERVICE_OAUTH2_JWT_SECRET} \
|
--set gitea.config.service.oauth2.JWT_SECRET=${APP_HELM_VALUE_GITEA_CONFIG_SERVICE_OAUTH2_JWT_SECRET} \
|
||||||
--namespace=git-limbosolutions-com
|
--namespace=git-limbosolutions-com
|
||||||
fi
|
fi
|
||||||
@@ -1,15 +1,15 @@
|
|||||||
VALKEY_GLOBAL_PASSWORD="????"
|
APP_HELM_VALUE_VALKEY_GLOBAL_PASSWORD="????"
|
||||||
POSTGRESQL_AUTH_POSTGRESPASSWORD="????"
|
APP_HELM_VALUE_POSTGRESQL_AUTH_POSTGRESPASSWORD="????"
|
||||||
POSTGRESQL_AUTH_PASSWORD="????"
|
APP_HELM_VALUE_POSTGRESQL_AUTH_PASSWORD="????"
|
||||||
POSTGRESQL_AUTH_DATABASE="????"
|
APP_HELM_VALUE_POSTGRESQL_AUTH_DATABASE="????"
|
||||||
POSTGRESQL_AUTH_USERNAME="????"
|
APP_HELM_VALUE_POSTGRESQL_AUTH_USERNAME="????"
|
||||||
GITEA_ADMIN_USERNAME=m"????"
|
APP_HELM_VALUE_GITEA_ADMIN_USERNAME="????"
|
||||||
GITEA_ADMIN_PASSWORD="????"
|
APP_HELM_VALUE_GITEA_ADMIN_PASSWORD="????"
|
||||||
GITEA_ADMIN_EMAIL="????"
|
APP_HELM_VALUE_GITEA_ADMIN_EMAIL="????"
|
||||||
GITEA_CONFIG_OAUTH2_JWT_SECRET=i"????"
|
APP_HELM_VALUE_GITEA_CONFIG_OAUTH2_JWT_SECRET="????"
|
||||||
GITEA_CONFIG_SERVER_LFS_JWT_SECRET="????"
|
APP_HELM_VALUE_GITEA_CONFIG_SERVER_LFS_JWT_SECRET="????"
|
||||||
GITEA_CONFIG_SECURITY_INTERNAL_TOKEN="????"
|
APP_HELM_VALUE_GITEA_CONFIG_SECURITY_SECRET_KEY="????"
|
||||||
GITEA_CONFIG_SECURITY_PASSWORD_HASH_ALGO="????"
|
APP_HELM_VALUE_GITEA_CONFIG_SECURITY_REVERSE_PROXY_TRUSTED_PROXIES="????"
|
||||||
GITEA_CONFIG_SECURITY_REVERSE_PROXY_TRUSTED_PROXIES="????"
|
APP_HELM_VALUE_GITEA_CONFIG_SECURITY_INTERNAL_TOKEN="????"
|
||||||
GITEA_CONFIG_SECURITY_SECRET_KEY="????"
|
APP_HELM_VALUE_GITEA_CONFIG_SECURITY_PASSWORD_HASH_ALGO="????"
|
||||||
GITEA_CONFIG_SERVICE_OAUTH2_JWT_SECRET="????"
|
APP_HELM_VALUE_GITEA_CONFIG_SERVICE_OAUTH2_JWT_SECRET="????"
|
||||||
|
|||||||
Reference in New Issue
Block a user