limbosolutions.com/git.limbosolutions.com
1
0
Fork 0
Code Issues Pull Requests Actions Projects Releases Wiki Activity

project reorganization

Browse Source
This commit is contained in:
Márcio Fernandes
2025-09-27 10:38:43 +00:00
parent 4e777b8b86
commit a49c5e8514
11 changed files with 132 additions and 141 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
deploy/README.md Normal file
View File

@@ -0,0 +1,61 @@
# Deploy
- [kubernetes Namespace](#kubernetes-namespace)
- [Backups](#backups)
- [secrets](#secrets)
- [Proxmox Backup Server (kubernetes cron job)](#proxmox-backup-server-kubernetes-cron-job)
- [Borg and Offsite sync (kubernetes cron job)](#borg-and-offsite-sync-kubernetes-cron-job)
```bash
# run for setup/update
# using helm chart
./setup.sh
```
## kubernetes Namespace
```yaml
apiVersion: v1
kind: Namespace
metadata:
name: git-limbosolutions-com
labels:
name: git-limbosolutions-com
```
## Backups
### secrets
```bash
set -a
source ./backups/.env
set +a
envsubst < ./backups/backup-secrets.yaml | kubectl apply -n git-limbosolutions-com -f -
SSH_ID_RSA=$(echo -n "$SSH_ID_RSA" | base64 -w 0)
BORG_KEY=$(echo -n "$BORG_KEY" | base64 -w 0)
kubectl patch secret gitea-backup-secret --patch "{\"data\":{\"ssh_id_rsa\":\"$SSH_ID_RSA\"}}" -n git-limbosolutions-com
kubectl patch secret gitea-backup-secret --patch "{\"data\":{\"borg_key\":\"$BORG_KEY\"}}" -n git-limbosolutions-com
```
### Proxmox Backup Server (kubernetes cron job)
```bash
# deploy cronjon
kubectl apply -f ./backups/backup-pbs-cronjob.yaml -n git-limbosolutions-com
```
[kubernetes cron job](./backups/backup-pbs-cronjob.yaml)
### Borg and Offsite sync (kubernetes cron job)
```bash
# deploy cronjon
kubectl apply -f ./backups/backup-borg-offsite-cronjob.yaml -n git-limbosolutions-com
```
[kubernetes cron job](./backups/borgbackup-offsite-cronjob.yaml)

153
deploy/backups/backup-borg-offsite-cronjob.yaml Normal file
View File

@@ -0,0 +1,153 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: backup-borg-offsite
namespace: git-limbosolutions-com
spec:
schedule: "0 16 * * 0" #every sunday at 4pm
jobTemplate:
spec:
backoffLimit: 1
template:
spec:
restartPolicy: Never
initContainers:
- name: postgres-export
image: postgres:latest
command: ["sh", "-c"]
args:
- |
set -e
. /root/.gitea-inline-config/database
export PGPASSWORD=$PASSWD
pg_dump -h gitea-postgresql.git-limbosolutions-com.svc.cluster.local -U $USER -d $NAME > /data/postgresql-export/db_backup.sql
volumeMounts:
- name: backup-var-data
mountPath: /data/postgresql-export
subPath: postgresql-export
- name: gitea-inline-config
mountPath: /root/.gitea-inline-config
readOnly: true
containers:
- name: borg-client
image: git.limbosolutions.com/kb/borg-backup:latest
imagePullPolicy: Always
resources:
limits:
memory: "512Mi"
cpu: "500m"
requests:
memory: "256Mi"
cpu: "250m"
env:
- name: BORG_REPO
valueFrom:
secretKeyRef:
name: gitea-backup-secret
key: borg_repo
- name: BORG_PASSPHRASE
valueFrom:
secretKeyRef:
name: gitea-backup-secret
key: borg_passphrase
- name: OFFSITE_TARGET_FOLDER
valueFrom:
secretKeyRef:
name: gitea-backup-secret
key: offsite_target_folder
- name: BORG_RSH
value: ssh -p 2222 -o StrictHostKeyChecking=no -o LogLevel=ERROR
- name: REPO_SYNC_MAX_SIZE
value: "10737418240" # 10GB
- name: MODE
value: SHELL
args:
- |
set -e
SCRIPT_START_TIME=$(date +%s)
# while true; do
# sleep 5
# done
borg create ${BORG_REPO}::postgresql-export-$(date +%Y%m%d%H%M%S) /data/postgresql-export
borg create ${BORG_REPO}::gitea-data-$(date +%Y%m%d%H%M%S) /data/gitea-data
#cleanup
borg prune -v --list --keep-daily=10 --keep-weekly=7 --keep-monthly=-1 ${BORG_REPO} --glob-archives='gitea-data*'
borg prune -v --list --keep-daily=10 --keep-weekly=7 --keep-monthly=-1 ${BORG_REPO} --glob-archives='postgresql-export*'
borg compact ${BORG_REPO}
# check repo size
REPO_SIZE_IN_BYTES=$(remote-get-folder-size)
echo "Repository size: $((REPO_SIZE_IN_BYTES / 1024 / 1024))MB"
if [ $REPO_SIZE_IN_BYTES -gt $REPO_SYNC_MAX_SIZE ]; then \
echo "ERROR: Repository size $((REPO_SIZE_IN_BYTES / 1024 / 1024))MB exceeds $((REPO_SYNC_MAX_SIZE / 1024 / 1024))MB";
exit 1;
else
# Repository size is within limits for offsite sync
# ssh to backup server and enforce rclone to onedrive
remote-connect "rclone sync $SSH_FOLDER $OFFSITE_TARGET_FOLDER --progress" && \
echo "INFO: Finished Backup of git.limbosolutions.com (offsite) ($((SCRIPT_DURATION / 60 / 60)):$((SCRIPT_DURATION / 60)):$((SCRIPT_DURATION % 60))) "
fi
#outputs info
borg info ${BORG_REPO}
#borg info ${BORG_REPO} --json
volumeMounts:
- name: gitea-data
mountPath: /data/gitea-data
- name: backup-var-data
mountPath: /data/postgresql-export
subPath: postgresql-export
- name: gitea-backup-secret
mountPath: /root/.ssh/id_rsa
subPath: ssh_id_rsa
readOnly: true
- name: gitea-backup-secret
mountPath: /app/borg/key
subPath: borg_key
volumes:
- name: gitea-data
persistentVolumeClaim:
claimName: gitea-shared-storage
- name: gitea-inline-config
secret:
secretName: gitea-inline-config
- name: gitea-backup-secret
secret:
secretName: gitea-backup-secret
defaultMode: 0600
- name: backup-var-data
emptyDir: {}

106
deploy/backups/backup-pbs-cronjob.yaml Normal file
View File

@@ -0,0 +1,106 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: backup-pbs
namespace: git-limbosolutions-com
spec:
schedule: "0 1 * * *"
jobTemplate:
spec:
backoffLimit: 1
template:
spec:
restartPolicy: Never
initContainers:
- name: postgres-export
image: postgres:latest
command: ["sh", "-c"]
args:
- |
#echo "INFO: Starting export"
. /root/.gitea-inline-config/database
export PGPASSWORD=$PASSWD
#echo "INFO: Exporting database"
pg_dump -h gitea-postgresql.git-limbosolutions-com.svc.cluster.local -U $USER -d $NAME > /data/postgresql-export/db_backup.sql
if [ $? -ne 0 ]; then
echo "ERROR: Exporting database failed"
exit 1
fi
#echo "INFO: Exporting database finished"
volumeMounts:
- name: backup-run-data
mountPath: /data/postgresql-export
subPath: postgresql-export
- name: gitea-inline-config
mountPath: /root/.gitea-inline-config
readOnly: true
containers:
- name: gitea-pbs-client
image: git.limbosolutions.com/kb/pbsclient
imagePullPolicy: Always
env:
- name: MODE
value: shell
- name: PBS_REPOSITORY
valueFrom:
secretKeyRef:
name: gitea-backup-secret
key: pbs_repository
- name: PBS_PASSWORD
valueFrom:
secretKeyRef:
name: gitea-backup-secret
key: pbs_password
- name: PBS_FINGERPRINT
valueFrom:
secretKeyRef:
name: gitea-backup-secret
key: pbs_fingerprint
command: ["bash", "-c"]
args:
- |
set -e
# while true; do
# sleep 1s
# done
SCRIPT_START_TIME=$(date +%s)
proxmox-backup-client backup gitea-data.pxar:/data/gitea-data postgresql-data.pxar:/data/postgresql-data postgresql-export.pxar:/data/postgresql-export --include-dev /data/postgresql-data --include-dev /data/postgresql-export --include-dev /data/gitea-data --backup-id "gitea-full" -ns git.limbosolutions.com
SCRIPT_DURATION=$(($(date +%s) - SCRIPT_START_TIME))
echo "INFO: Finished Backup of git.limbosolutions.com ($((SCRIPT_DURATION / 60 / 60)):$((SCRIPT_DURATION / 60)):$((SCRIPT_DURATION % 60))) "
volumeMounts:
- name: gitea-shared-storage
mountPath: /data/gitea-data
- name: db-postgresql-data
mountPath: /data/postgresql-data
- name: backup-run-data
mountPath: /data/postgresql-export
subPath: postgresql-export
- name: backup-run-data
mountPath: /tmp
subPath: tmp
volumes:
- name: gitea-shared-storage
persistentVolumeClaim:
claimName: gitea-shared-storage
- name: db-postgresql-data
persistentVolumeClaim:
claimName: data-gitea-postgresql-0
- name: backup-run-data
emptyDir: {}
- name: gitea-inline-config
secret:
secretName: gitea-inline-config

17
deploy/backups/backup-secrets.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: v1
kind: Secret
metadata:
name: gitea-backup-secret
namespace: git-limbosolutions-com
type: Opaque
stringData:
pbs_repository: ${PBS_REPOSITORY}
pbs_password: ${PBS_PASSWORD}
pbs_fingerprint: ${PBS_FINGERPRINT}
borg_repo: ${BORG_REPO}
borg_passphrase: ${BORG_PASSPHRASE}
offsite_target_folder: ${OFFSITE_TARGET_FOLDER}
#SSH_ID_RSA: ""
#BORG_KEY: ""

61
deploy/backups/borgbackup-sidekick.yaml Normal file
View File

@@ -0,0 +1,61 @@
apiVersion: v1
kind: Pod
metadata:
name: borgbackup-sidekick
namespace: git-limbosolutions-com
labels:
app: borgbackup-sidekick
spec:
containers:
- name: borgbackup-sidekick
image: git.limbosolutions.com/kb/borg-backup:latest
imagePullPolicy: Always
resources:
limits:
memory: "512Mi"
cpu: "500m"
requests:
memory: "256Mi"
cpu: "250m"
env:
- name: BORG_REPO
valueFrom:
secretKeyRef:
name: gitea-backup-secret
key: borg_repo
- name: BORG_PASSPHRASE
valueFrom:
secretKeyRef:
name: gitea-backup-secret
key: borg_passphrase
- name: BORG_RSH
value: ssh -p 2222 -o StrictHostKeyChecking=no -o LogLevel=ERROR
- name: borg_key_file
value: /root/.borg/key
command: ["sh", "-c"]
args:
- |
while true; do
sleep 1s
done
volumeMounts:
- name: gitea-backup-secret
mountPath: /root/.ssh/id_rsa
subPath: ssh_id_rsa
readOnly: true
- name: gitea-backup-secret
mountPath: /app/borg/key
subPath: borg_key
volumes:
- name: gitea-backup-secret
secret:
secretName: gitea-backup-secret
defaultMode: 0600

9
deploy/setup.sh Executable file
View File

@@ -0,0 +1,9 @@
helm repo add gitea-charts https://dl.gitea.com/charts/
helm repo update
helm upgrade --install gitea gitea-charts/gitea \
--values ./values.yaml \
--values ./values.private.yaml \
--namespace=git-limbosolutions-com
kubectl apply -f ./ssh-ingress.yaml

17
deploy/ssh-ingress.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
name: git-limbosolutions-com-ssh-ingress
namespace: git-limbosolutions-com
spec:
entryPoints:
- ssh-git
routes:
- match: HostSNI(`*`)
services:
- name: gitea-ssh
port: 2222
weight: 10
terminationDelay: 90000
proxyProtocol:
version: 1

146
deploy/values.yaml Normal file
View File

@@ -0,0 +1,146 @@
image:
registry: ""
repository: gitea/gitea
pullPolicy: Always
tag: "1"
cache:
enabled: false
valkey-cluster:
enabled: false
valkey:
enabled: true
architecture: standalone
global:
valkey:
password: "????"
master:
count: 1
service:
ports:
valkey: 6379
postgresql:
enabled: true
image:
registry: ""
repository: bitnami/postgresql
tag: 16
imagePullPolicy: IfNotPresent
global:
postgresql:
# volumePermissions:
# enabled: true
auth:
postgresPassword: "???"
password: "???"
database: "???"
username: "???"
service:
ports:
postgresql: "???"
primary:
persistence:
size: 10Gi
metrics:
enabled: true
collectors:
wal: false
postgresql-ha:
enabled: false
persistence:
enabled: true
service:
ssh:
enabled: true
port: 2222
annotations:
metallb.universe.tf/allow-shared-ip: test
gitea:
admin:
username: "???"
password: "???"
email: "???"
config:
actions:
ENABLED: true
database:
DB_TYPE: postgres
indexer:
ISSUE_INDEXER_TYPE: bleve
REPO_INDEXER_ENABLED: true
picture:
AVATAR_UPLOAD_PATH: /data/avatars
server:
DOMAIN: git.limbosolutions.com
SSH_DOMAIN: git.limbosolutions.com
#HTTP_PORT: 3000
ROOT_URL: https://git.limbosolutions.com
DISABLE_SSH: false
SSH_PORT: 2222
SSH_LISTEN_PORT: 2222
LFS_START_SERVER: true
START_SSH_SERVER: true
LFS_PATH: /data/git/lfs
LFS_JWT_SECRET: "???"
OFFLINE_MODE: false
#MFF 03/08/2024
REPO_INDEXER_ENABLED: true
REPO_INDEXER_PATH: indexers/repos.bleve
MAX_FILE_SIZE: 1048576
REPO_INDEXER_INCLUDE:
REPO_INDEXER_EXCLUDE: resources/bin/**
####
service:
DISABLE_REGISTRATION: "???"
REQUIRE_SIGNIN_VIEW: "???"
REGISTER_EMAIL_CONFIRM: "???"
ENABLE_NOTIFY_MAIL: "???"
ALLOW_ONLY_EXTERNAL_REGISTRATION: "???"
ENABLE_CAPTCHA: "???"
DEFAULT_KEEP_EMAIL_PRIVATE : "???"
DEFAULT_ALLOW_CREATE_ORGANIZATION: "???"
DEFAULT_ENABLE_TIMETRACKING: "???"
NO_REPLY_ADDRESS: noreply.localhost
oauth2:
JWT_SECRET: "???"
mailer:
ENABLED: false
openid:
ENABLE_OPENID_SIGNIN: true
ENABLE_OPENID_SIGNUP: true
security:
INSTALL_LOCK: true
SECRET_KEY: "???"
REVERSE_PROXY_LIMIT: 1
REVERSE_PROXY_TRUSTED_PROXIES:
INTERNAL_TOKEN: "???"
PASSWORD_HASH_ALGO: "???"
ingress:
enabled: true
className: traefik
annotations:
kubernetes.io/ingress.class: traefik
cert-manager.io/cluster-issuer: "letsencrypt-prod"
traefik.ingress.kubernetes.io/router.entrypoints: websecure, public-https
hosts:
- host: git.limbosolutions.com
paths:
- path: /
pathType: Prefix
tls:
- secretName: limbosolutions-com-secret-tls
hosts:
- "git.limbosolutions.com"