modified: deploy/app/helm-values.yaml

.gitea/workflows/app-continous-deploy.yaml

@@ -9,9 +9,7 @@ on:
       - main
 jobs:
   continuous-deploy:
-    runs-on: ubuntu-latest
-    container:
-      image: git.limbosolutions.com/kb/gitea/act:latest-network-stack
+    runs-on: ["deploy", "kubectl"]
     env:
       GITHUB_TEMP: ${{ runner.temp }} # fix missing GITHUB_TEMP on gitea
     steps:

README.md

@@ -4,14 +4,24 @@ Welcome to public repository of my [Git Server](https://git.limbosolutions.com)
 
 Using [gitea](https://git.limbosolutions.com/kb/gitea) as git server.
 
+- [SSO](#sso)
 - [Deploy](#deploy)
   - [Continuous Deploy](#continuous-deploy)
   - [App](#app)
   - [Infra](#infra)
 - [Backups](#backups)
 
+## SSO
+
+<https://integrations.goauthentik.io/development/gitea/>
+
 ## Deploy
 
+References:
+
+- <https://gitea.com/gitea/helm-gitea>
+- <https://dl.gitea.com/charts/>
+
 ### Continuous Deploy
 
 Executes [App Deploy](#app) using [Gitea workflow](./.gitea/workflows/app-continous-deploy.yaml).
@@ -32,7 +42,6 @@ Deploy App
 ```
 
 - [backups-kustomization](/deploy/app/kustomization.yaml)
-- <https://dl.gitea.com/charts/>
 
 ### Infra
 

deploy/act-runners/kb/deploy/app/deployment.yaml

@@ -13,6 +13,7 @@ spec:
     metadata:
       labels:
         app: act-runner
+        buildkit.infra.limbosolutions.com/allow-build: "true"
     spec:
       containers:
         - name: act-runner

deploy/act-runners/limbosolutions-com/deploy/app/deployment.yaml

@@ -13,6 +13,7 @@ spec:
     metadata:
       labels:
         app: act-runner
+        buildkit.infra.limbosolutions.com/allow-build: "true"
     spec:
       containers:
         - name: act-runner

deploy/act-runners/mf/README.md

@@ -0,0 +1,13 @@
+# mylimbo - act-runner
+
+**Deploy app:**
+
+```bash
+./deploy/ops-scripts/apply-app.sh
+```
+
+**Deploy Infra:**
+
+```bash
+./deploy/ops-scripts/apply-infra.sh
+```

deploy/act-runners/mf/deploy/app/.env.d/.gitignore

@@ -1,3 +1,2 @@
 **
 !.gitignore
-!*.example

deploy/act-runners/mf/deploy/app/configmap.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: act-runner
+data:
+  config.yaml: |
+    log:
+      level: info
+
+    runner:
+      capacity: 1
+      labels:
+        - oci-image-builder
+        - kubectl
+        - helm
+        - ansible
+        - ubuntu
+        - network-utils
+        - deploy
+        - amd64
+        - limbosolutions-com
+    cache:
+      enabled: false
+
+    host:
+      workdir: "/data/runner"

deploy/act-runners/mf/deploy/app/deployment.yaml

@@ -0,0 +1,67 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: act-runner
+  labels:
+    app: act-runner
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: act-runner
+  template:
+    metadata:
+      labels:
+        app: act-runner
+        buildkit.infra.limbosolutions.com/allow-build: "true"
+    spec:
+      containers:
+        - name: act-runner
+          image: git.limbosolutions.com/kb/gitea/act_runner:0.3-fatboy
+ 
+          imagePullPolicy: Always
+          env:
+            - name: LOG_LEVEL
+              value: "trace"
+
+            - name: CONFIG_FILE
+              value: /etc/act_runner/config.yaml
+            - name: GITEA_INSTANCE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: act-runner
+                  key: GITEA_INSTANCE_URL
+            - name: GITEA_RUNNER_REGISTRATION_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: act-runner
+                  key: GITEA_RUNNER_REGISTRATION_TOKEN
+            - name: GITEA_RUNNER_NAME
+              valueFrom:
+                secretKeyRef:
+                  name: act-runner
+                  key: GITEA_RUNNER_NAME
+
+            - name: GITEA_RUNNER_EPHEMERAL
+              value: "0"
+              
+          resources:
+            requests:
+              memory: "128Mi"
+              cpu: "100m"
+            limits:
+              memory: "1024Mi"
+              cpu: "1000m"
+          volumeMounts:
+            - name: config-map
+              mountPath: /etc/act_runner/config.yaml
+              subPath: config.yaml
+            - name: runner-data
+              mountPath: /data/runner
+              
+      volumes:
+      - name: config-map
+        configMap: 
+          name: act-runner
+      - name: runner-data
+        emptyDir: {}   # or PVC if you want persistence across pod restarts

deploy/act-runners/mf/deploy/app/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - configmap.yaml
+  - deployment.yaml
+
+generatorOptions:
+  disableNameSuffixHash: true
+
+secretGenerator:
+  - name: act-runner
+    envs: 
+      - .env.d/.env
+

deploy/act-runners/mf/ops-scripts/apply-app.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+set -e
+NAMESPACE=mf-cicd
+kubectl kustomize deploy/app | kubectl --namespace ${NAMESPACE} apply -f - 

deploy/act-runners/mf/ops-scripts/apply-infra.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+set -e
+NAMESPACE=mf-cicd
+kubectl create namespace ${NAMESPACE} || true

deploy/act-runners/myLimbo/README.md

@@ -0,0 +1,13 @@
+# mylimbo - act-runner
+
+**Deploy app:**
+
+```bash
+./deploy/ops-scripts/apply-app.sh
+```
+
+**Deploy Infra:**
+
+```bash
+./deploy/ops-scripts/apply-infra.sh
+```

deploy/act-runners/myLimbo/deploy/app/.env.d/.gitignore

@@ -0,0 +1,2 @@
+**
+!.gitignore

deploy/act-runners/myLimbo/deploy/app/configmap.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: act-runner
+data:
+  config.yaml: |
+    log:
+      level: info
+
+    runner:
+      capacity: 4
+      labels:
+        - oci-image-builder
+        - kubectl
+        - helm
+        - ansible
+        - ubuntu
+        - network-utils
+        - deploy
+        - amd64
+    cache:
+      enabled: false
+
+    host:
+      workdir: "/data/runner"

deploy/act-runners/myLimbo/deploy/app/deployment.yaml

@@ -0,0 +1,67 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: act-runner
+  labels:
+    app: act-runner
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: act-runner
+  template:
+    metadata:
+      labels:
+        app: act-runner
+        buildkit.infra.limbosolutions.com/allow-build: "true"
+    spec:
+      containers:
+        - name: act-runner
+          image: git.limbosolutions.com/kb/gitea/act_runner:0.3-fatboy
+ 
+          imagePullPolicy: Always
+          env:
+            - name: LOG_LEVEL
+              value: "trace"
+
+            - name: CONFIG_FILE
+              value: /etc/act_runner/config.yaml
+            - name: GITEA_INSTANCE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: act-runner
+                  key: GITEA_INSTANCE_URL
+            - name: GITEA_RUNNER_REGISTRATION_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: act-runner
+                  key: GITEA_RUNNER_REGISTRATION_TOKEN
+            - name: GITEA_RUNNER_NAME
+              valueFrom:
+                secretKeyRef:
+                  name: act-runner
+                  key: GITEA_RUNNER_NAME
+
+            - name: GITEA_RUNNER_EPHEMERAL
+              value: "0"
+              
+          resources:
+            requests:
+              memory: "128Mi"
+              cpu: "100m"
+            limits:
+              memory: "512Mi"
+              cpu: "400m"
+          volumeMounts:
+            - name: config-map
+              mountPath: /etc/act_runner/config.yaml
+              subPath: config.yaml
+            - name: runner-data
+              mountPath: /data/runner
+              
+      volumes:
+      - name: config-map
+        configMap: 
+          name: act-runner
+      - name: runner-data
+        emptyDir: {}   # or PVC if you want persistence across pod restarts

deploy/act-runners/myLimbo/deploy/app/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - configmap.yaml
+  - deployment.yaml
+
+generatorOptions:
+  disableNameSuffixHash: true
+
+secretGenerator:
+  - name: act-runner
+    envs: 
+      - .env.d/.env
+

deploy/act-runners/myLimbo/deploy/ops-scripts/apply-app.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+set -e
+NAMESPACE=mylimbo-com-cicd
+kubectl kustomize deploy/app | kubectl --namespace ${NAMESPACE} apply -f - 

deploy/act-runners/myLimbo/deploy/ops-scripts/apply-infra.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+set -e
+NAMESPACE=mylimbo-com-cicd
+kubectl create namespace ${NAMESPACE} || true

deploy/app/helm-values.yaml

@@ -1,34 +1,100 @@
+global:
+  # forcing docker.io to use cache from harbor
+  imageRegistry: "docker.io" 
+
 image:
-  registry: ""
+  # IMPORTANT:
+  # The default image used by the Gitea Helm chart is the *rootless* variant.
+  # Rootless Gitea does NOT include an SSH server, so enabling SSH in the chart
+  # will NOT work unless you explicitly switch to the rootful image.
+  #
+  # Default chart image (rootless, SSH disabled):
+  #   registry: "docker.gitea.com"
+  #   repository: gitea
+  #
+  # Correct rootful image (SSH enabled):
+  #   repository: gitea/gitea
+  #
+  # This ensures the container includes OpenSSH and can expose the SSH port.
   repository: gitea/gitea
   pullPolicy: Always
-  tag: "1"
-
-cache:
-  enabled: false
-
 valkey-cluster:
   enabled: false
 
+# dependency:
+# https://github.com/bitnami/charts/blob/main/bitnami/valkey/Chart.yaml
 valkey:
   enabled: true
   architecture: standalone
   global:
     valkey:
       password: "???"
-  master:
-    count: 1
-    service:
-      ports:
-        valkey: 6379
 
+  # Disable NetworkPolicy creation in the Bitnami valkey subchart.
+  # This deployment runs inside a controlled namespace where network
+  # boundaries are enforced by the platform (Infra team), not by Helm.
+  #
+  # CI/CD pipelines use a restricted ServiceAccount that is intentionally
+  # NOT allowed to create or modify NetworkPolicies. Leaving this enabled
+  # would cause Helm upgrades to fail with RBAC errors.
+  #
+  # Infra-owned NetworkPolicies are applied separately and independently
+  # of application charts to maintain a clean separation of responsibilities.
+  networkPolicy:
+    enabled: false
+
+  serviceAccount:
+    # serviceAccount resources are owned and managed by the Infrastructure layer.
+    # The CI/CD ServiceAccount used for application deployments does not have
+    # permissions to create or modify serviceAccounts, by design.
+    #
+    # In this setup Valkey does not require its own ServiceAccount, so enabling
+    # this would provide no benefit and would cause Helm upgrades to fail due
+    # to RBAC restrictions. 
+    create: false 
+    name: "default"
+
+  primary:
+    pdb:
+      # Disable the PodDisruptionBudget for PostgreSQL.
+      #
+      # This deployment uses a single‑instance (non‑HA) valkey, so a PDB
+      # provides no real benefit — Kubernetes cannot evict the only pod anyway.
+      #
+      # More importantly, PodDisruptionBudgets are considered an Infra‑owned
+      # resource in this cluster. The CI/CD ServiceAccount intentionally lacks
+      # permissions to create or modify PDBs, and enabling this would cause
+      # Helm upgrades to fail with RBAC errors.
+      #
+      # The platform team applies disruption policies separately at the
+      # infrastructure layer, keeping a clean separation of responsibilities.
+      create: false 
+    serviceAccount:
+      # serviceAccount resources are owned and managed by the Infrastructure layer.
+      # The CI/CD ServiceAccount used for application deployments does not have
+      # permissions to create or modify serviceAccounts, by design.
+      #
+      # In this setup Valkey does not require its own ServiceAccount, so enabling
+      # this would provide no benefit and would cause Helm upgrades to fail due
+      # to RBAC restrictions. 
+      create: false 
+      name: "default"   
+
+
+
+# dependency:
+# https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
+postgresql-ha:
+  enabled: false
+
+# dependency:
+# https://github.com/bitnami/charts/blob/main/bitnami/postgresql
 postgresql:
   enabled: true
   image:
-    registry: ""
-    repository: bitnami/postgresql
+    repository: bitnamilegacy/postgresql
     tag: 16
-    imagePullPolicy: IfNotPresent
+    imagePullPolicy: Always
   global:
     postgresql:
       auth:
@@ -36,29 +102,59 @@ postgresql:
         password: "???"
         database: "???"
         username: "???"
-      service:
-        ports:
-          postgresql: 5432
+
+  serviceAccount:
+    # serviceAccount resources are owned and managed by the Infrastructure layer.
+    # The CI/CD ServiceAccount used for application deployments does not have
+    # permissions to create or modify serviceAccounts, by design.
+    # In this setup postgresql does not require its own ServiceAccount, so enabling
+    # this would provide no benefit and would cause Helm upgrades to fail due
+    # to RBAC restrictions. 
+    create: false
+
+
   primary:
+    networkPolicy:
+     # Disable NetworkPolicy creation in the Bitnami PostgreSQL subchart.
+      # This deployment runs inside a controlled namespace where network
+      # boundaries are enforced by the platform (Infra team), not by Helm.
+      #
+      # CI/CD pipelines use a restricted ServiceAccount that is intentionally
+      # NOT allowed to create or modify NetworkPolicies. Leaving this enabled
+      # would cause Helm upgrades to fail with RBAC errors.
+      #
+      # Infra-owned NetworkPolicies are applied separately and independently
+      # of application charts to maintain a clean separation of responsibilities.
+      enabled: false 
+    pdb:
+      # Disable the PodDisruptionBudget for PostgreSQL.
+      #
+      # This deployment uses a single‑instance (non‑HA) PostgreSQL, so a PDB
+      # provides no real benefit — Kubernetes cannot evict the only pod anyway.
+      #
+      # More importantly, PodDisruptionBudgets are considered an Infra‑owned
+      # resource in this cluster. The CI/CD ServiceAccount intentionally lacks
+      # permissions to create or modify PDBs, and enabling this would cause
+      # Helm upgrades to fail with RBAC errors.
+      #
+      # The platform team applies disruption policies separately at the
+      # infrastructure layer, keeping a clean separation of responsibilities.
+      create: false 
+
+
     persistence:
       size: 10Gi
   metrics:
-    enabled: true
-    collectors:
-      wal: false
- 
-postgresql-ha:
-  enabled: false
+    enabled: false
 
 persistence:
   enabled: true
+
 service:
   ssh:
-      type: LoadBalancer
-      enabled: true
-      port: 2222
-      loadBalancerIP: "" # optional
-      externalTrafficPolicy: Local
+    clusterIP: ""   # empty string → Kubernetes assigns a routable ClusterIP
+    type: ClusterIP
+    port: 2222
   http:
     clusterIP: ""   # empty string → Kubernetes assigns a routable ClusterIP
     type: ClusterIP
@@ -129,22 +225,12 @@ gitea:
       INTERNAL_TOKEN: "???"
       PASSWORD_HASH_ALGO: "???"
 
+  # Ingress resources are owned and managed by the Infrastructure layer.
+  # The CI/CD ServiceAccount used for application deployments does not have
+  # permissions to create or modify Ingress objects, by design.
+  # for ingress setup check infra folder
 ingress:
-  enabled: true
-  className: traefik
-  annotations:
-    kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure, public-https
-  hosts:
-    - host: git.limbosolutions.com
-      paths:
-        - path: /
-          pathType: Prefix
-  tls:
-    - secretName: limbosolutions-com-tls
-      hosts:
-       - "git.limbosolutions.com"
+  enabled: false
 
 
 

deploy/backups/.env.d/secrets.example

@@ -1,6 +1,6 @@
-PBS_REPOSITORY="pbs repository"
-PBS_PASSWORD="pbs access password"
-PBS_FINGERPRINT="00:00:00:00:00" # the pbs finger print
+PBS_REPOSITORY=xxx@pbs@server_address:collection
+PBS_PASSWORD=pbs access password
+PBS_FINGERPRINT=00:00:00:00:00 # pbs server fingerprint
 BORG_REPO="ssh://user@server/path" # required by offsite backup
 BORG_PASSPHRASE="borg passphrase" # required by offsite backup
 OFFSITE_TARGET_FOLDER="test:target_path" # follow rclone naming convention

deploy/backups/cronjobs/backup-borg-offsite.yaml

@@ -12,11 +12,12 @@ spec:
       template:
         metadata:
           labels:
-            app: offsite-backup
+            dbAccess: "true"
+            backups.infra.limbosolutions.com/ssh: "true"
         spec:
           restartPolicy: Never
           initContainers:
-            - name: postgres-export
+            - name: postgres
               resources:
                 limits:
                   memory: "512Mi"
@@ -46,7 +47,7 @@ spec:
 
      
           containers:
-            - name: borg-client
+            - name: borg-backup
               image: git.limbosolutions.com/kb/borg-backup:latest
               imagePullPolicy: Always
               resources:
@@ -81,7 +82,7 @@ spec:
                   value: ssh -p 2222 -o StrictHostKeyChecking=no -o LogLevel=ERROR
 
                 - name: REPO_SYNC_MAX_SIZE
-                  value: "21474836480" # 20GB
+                  value: "5368709120" # 5GB
 
                 - name: MODE
                   value: SHELL
@@ -98,7 +99,7 @@ spec:
                 # done
                 
                 borg create ${BORG_REPO}::postgresql-export-$(date +%Y%m%d%H%M%S) /data/postgresql-export
-                borg create ${BORG_REPO}::gitea-data-$(date +%Y%m%d%H%M%S) /data/gitea-data --exclude /data/packages --exclude /data/tmp
+                borg create ${BORG_REPO}::gitea-data-$(date +%Y%m%d%H%M%S) /data/gitea-data --exclude /data/gitea-data/packages --exclude /data/gitea-data/tmp
 
                 #cleanup
                 borg prune -v --list --keep-daily=10 --keep-weekly=7 --keep-monthly=-1 ${BORG_REPO} --glob-archives='gitea-data*'

deploy/backups/cronjobs/backup-pbs.yaml

@@ -11,11 +11,13 @@ spec:
       template:
         metadata:
           labels:
-            app: pbs-backup
+            dbAccess: "true"
+            app: backup-pbs
+            backups.infra.limbosolutions.com/pbs: "true"
         spec:
           restartPolicy: Never
           initContainers:
-            - name: postgres-export
+            - name: postgres
               image: postgres:latest
               resources:
                 limits:
@@ -49,8 +51,8 @@ spec:
                 readOnly: true
 
           containers:
-            - name: gitea-pbs-client
-              image: git.limbosolutions.com/kb/pbsclient
+            - name: pbs-client
+              image: git.limbosolutions.com/kb/pbs-client
               imagePullPolicy: Always
               resources:
                 limits:

deploy/backups/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - cronjobs/borg-offsite-cronjob.yaml
-  - cronjobs/pbs-cronjob.yaml
+  - cronjobs/backup-borg-offsite.yaml
+  - cronjobs/backup-pbs.yaml
 
 secretGenerator:
 - name: gitea-backup

deploy/buidkit/deployment.yaml

@@ -1,61 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: buildkit-cache
-  namespace: buildkit
-spec:
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 20Gi
----
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: buildkitd
-  namespace: buildkit
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: buildkitd
-  template:
-    metadata:
-      labels:
-        app: buildkitd
-    spec:
-      containers:
-        - name: buildkitd
-          image: moby/buildkit:v0.12.5
-          args:
-            - "--addr"
-            - "tcp://0.0.0.0:1234"
-            - "--root"
-            - "/var/lib/buildkit"
-          ports:
-            - containerPort: 1234
-          securityContext:
-            privileged: true
-          volumeMounts:
-            - name: buildkit-cache
-              mountPath: /var/lib/buildkit
-      volumes:
-        - name: buildkit-cache
-          persistentVolumeClaim:
-            claimName: buildkit-cache
-
----            
-apiVersion: v1
-kind: Service
-metadata:
-  name: buildkitd
-  namespace: buildkit
-spec:
-  selector:
-    app: buildkitd
-  ports:
-    - name: buildkit
-      port: 1234
-      targetPort: 1234

deploy/infra/.env.d/.env.example

@@ -1 +0,0 @@
-EGRESS_BACKUPSRV_CIDR="BACKUPSRV-IP-ADDRESS/32"

deploy/infra/cd-serviceaccount.yaml

@@ -24,7 +24,7 @@ metadata:
   name: continuous-deploy
 rules:
 - apiGroups: [""]
-  resources: ["pods", "services", "secrets", "configmaps", "persistentvolumeclaims", "endpoints", "serviceaccounts"]
+  resources: ["pods", "services", "secrets", "configmaps", "persistentvolumeclaims"]
   verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
 
 - apiGroups: ["apps"]
@@ -35,15 +35,6 @@ rules:
   resources: ["cronjobs", "jobs"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 
-- apiGroups: ["networking.k8s.io"]
-  resources: ["networkpolicies", "ingresses"]
-  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-
-- apiGroups: ["policy"]
-  resources: ["poddisruptionbudgets"]
-  verbs: ["get", "list", "watch", "update", "patch"]
-
-
 ---
 
 apiVersion: rbac.authorization.k8s.io/v1

deploy/infra/certificate.yaml

@@ -0,0 +1,11 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: limbosolutions-com-tls
+spec:
+  secretName: limbosolutions-com-tls
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer
+  dnsNames:
+    - git.limbosolutions.com

deploy/infra/ingress-ssh-public.yaml

@@ -0,0 +1,14 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: ssh-public
+  annotations:
+    kubernetes.io/ingress.class: traefik-public
+spec:
+  entryPoints:
+    - tcp2222
+  routes:
+    - match: HostSNI(`*`)
+      services:
+        - name: gitea-ssh
+          port: 2222

deploy/infra/ingress-ssh.yaml

@@ -0,0 +1,14 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: ssh
+  annotations:
+    kubernetes.io/ingress.class: traefik
+spec:
+  entryPoints:
+    - tcp2222
+  routes:
+    - match: HostSNI(`*`)
+      services:
+        - name: gitea-ssh
+          port: 2222

deploy/infra/ingress-web-public.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: web-public
+  annotations:
+    kubernetes.io/ingress.class: traefik-public
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`git.limbosolutions.com`) && !PathPrefix(`/-/admin`)
+      kind: Rule
+      services:
+        - name: gitea-http
+          port: 3000
+  tls:
+      secretName: limbosolutions-com-tls

deploy/infra/ingress-web.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: web
+  annotations:
+    kubernetes.io/ingress.class: traefik
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`git.limbosolutions.com`)
+      kind: Rule
+      services:
+        - name: gitea-http
+          port: 3000
+  tls:
+      secretName: limbosolutions-com-tls

deploy/infra/kustomization.yaml

@@ -2,26 +2,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - namespace.yaml
-  - continuous-deploy-account.yaml
-  - network-policies/egress.yaml
-  - network-policies/egress-local-services.yaml
+  - cd-serviceaccount.yaml
+  - network-policies.yaml
+  - certificate.yaml
+  - ingress-web.yaml
+  - ingress-web-public.yaml
+  - ingress-ssh.yaml
+  - ingress-ssh-public.yaml
 generatorOptions:
   disableNameSuffixHash: true
 
-configMapGenerator:
-  - name: infra-setup-vars
-    namespace: git-limbosolutions-com
-    envs:
-      - ./.env.d/.env
 
-replacements:
-  - source:
-      kind: ConfigMap
-      name: infra-setup-vars
-      fieldPath: data.EGRESS_BACKUPSRV_CIDR
-    targets:
-      - select:
-          kind: NetworkPolicy
-          name: git-limbosolutions-com-egress-local
-        fieldPaths:
-          - spec.egress.0.to.0.ipBlock.cidr

deploy/infra/network-policies.yaml

@@ -0,0 +1,60 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-same-namespace-ingress
+spec:
+  endpointSelector: {}   # All pods in this namespace
+  ingress:
+    - fromEndpoints:
+        - matchExpressions:
+            - key: k8s:io.kubernetes.pod.namespace
+              operator: In
+              values:
+                - git-limbosolutions-com
+
+    
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-traefik-ingress
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: gitea
+
+  ingress:
+    # -------------------------------------------------------------
+    # Allow Traefik (internal and public) to reach Gitea on port 3000 (web)
+    # -------------------------------------------------------------
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: traefik
+          matchExpressions:
+            - key: k8s:io.kubernetes.pod.namespace
+              operator: In
+              values:
+                - traefik
+                - traefik-public
+      toPorts:
+        - ports:
+            - port: "3000"
+    
+              protocol: TCP
+
+    # -------------------------------------------------------------
+    # Allow Traefik (internal) to reach Gitea on port 3000 (ssh)
+    # -------------------------------------------------------------
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: traefik
+          matchExpressions:
+            - key: k8s:io.kubernetes.pod.namespace
+              operator: In
+              values:
+                - traefik
+
+      toPorts:
+        - ports:
+            - port: "2222"
+              protocol: TCP

deploy/infra/network-policies/egress-local-services.yaml

@@ -1,21 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: git-limbosolutions-com-egress-local
-  namespace: git-limbosolutions-com
-spec:
-  podSelector: {}   # apply to all pods in the namespace
-  policyTypes:
-    - Egress
-  egress:
-    # allow backup server
-    - to:
-        - ipBlock:
-            cidr: ${BACKUPSRV_CIDR}
-
-
-
-
-
-
-

deploy/infra/network-policies/egress.yaml

@@ -1,38 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: git-limbosolutions-com-egress
-  namespace: git-limbosolutions-com
-spec:
-  podSelector: {}   # apply to all pods in the namespace
-  policyTypes:
-    - Egress
-  egress:
-      # Allow DNS to kube-system
-    - to:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: kube-system
-      ports:
-        - protocol: UDP
-          port: 53
-
-    # allow namespace communication
-    - to: 
-        - namespaceSelector: 
-            matchLabels: 
-              kubernetes.io/metadata.name: git-limbosolutions-com
-          podSelector: {}
-
-    # Allow all egress EXCEPT private networks
-    - to:
-        - ipBlock:
-            cidr: 0.0.0.0/0 # first allow everything
-            except: # remove local network (so it means blocking, cidr is allowing everything )
-              - 10.0.0.0/8
-              - 172.16.0.0/12
-              - 192.168.0.0/16
-              - 169.254.0.0/16
-              - 127.0.0.0/8
-              - 224.0.0.0/4
-              - 240.0.0.0/4

deploy/ops/bork-backup-sidekick/pod.yaml

@@ -5,6 +5,8 @@ metadata:
   namespace: git-limbosolutions-com
   labels:
     app: borg-backup-sidekick
+    dbAccess: "true"
+    backups.infra.limbosolutions.com/ssh: "true"
 spec:
   containers:
       - name: borg-backup-sidekick
@@ -21,14 +23,14 @@ spec:
           - name: BORG_REPO
             valueFrom:
               secretKeyRef:
-                name: gitea-backup-secret
-                key: borg_repo
+                name: gitea-backup
+                key: BORG_REPO
 
           - name: BORG_PASSPHRASE
             valueFrom:
               secretKeyRef:
-                name: gitea-backup-secret
-                key: borg_passphrase
+                name: gitea-backup
+                key: BORG_PASSPHRASE
 
           - name: BORG_RSH
             value: ssh -p 2222 -o StrictHostKeyChecking=no -o LogLevel=ERROR
@@ -47,12 +49,12 @@ spec:
         
         - name: gitea-backup-secrets
           mountPath: /root/.ssh/id_rsa
-          subPath: ssh_id_rsa
+          subPath: SSH_ID_RSA
           readOnly: true
 
         - name: gitea-backup-secrets
           mountPath: /app/borg/key
-          subPath: borg_key
+          subPath: BORG_KEY
   volumes:
     - name: gitea-backup-secrets
       secret:

docs/act-runner.md

@@ -1,63 +0,0 @@
-# Git Action
-
-## runners
-
-## lxc container - proxmox
-
-Template : debian-12-turnkey-core_18.1-1_amd64.tar.gz
-
-- Unprivileged contrainer - Yes
-- Nesting -Yes
-
-```bash
-# setup new lxc container with docker
-
-apt update -y
-apt upgrade -y
-curl -fsSL https://get.docker.com -o get-docker.sh
-sh ./get-docker.sh
-```
-
-### act runner
-
-```bash
-nano setup-act-runners.sh
-```
-
-```bash
-#/bin/bash
-
-setup(){
-
-CONTAINER_NAME=${OWNER}_act_runner
-
-docker container stop $CONTAINER_NAME
-docker container rm $CONTAINER_NAME
-
-docker run \
-    --restart=unless-stopped \
-    -v ${CONTAINER_NAME}_data:/data \
-    -v /var/run/docker.sock:/var/run/docker.sock \
-    -e GITEA_INSTANCE_URL=${INSTANCE_URL} \
-    -e GITEA_RUNNER_REGISTRATION_TOKEN=${REGISTRATION_TOKEN} \
-    -e GITEA_RUNNER_NAME=${OWNER}_ubuntu_default \
-    --name ${CONTAINER_NAME} \
-    -d gitea/act_runner
-}
-
-INSTANCE_URL=https://git.limbosolutions.com
-OWNER=kb
-REGISTRATION_TOKEN=???
-setup
-
-
-OWNER=????
-REGISTRATION_TOKEN=???
-setup
-
-```
-
-```bash
-chmod +x setup-act-runners.sh
-./setup-act-runners.sh
-```

ops-scripts/apply-app.sh

@@ -1,5 +1,6 @@
 #/bin/bash
-kubectl kustomize deploy/backups | kubectl apply -f -
+
+# load environment variables from file
 
 if [ -f "deploy/app/.env.d/.env" ]; then
   # Export all variables from the file
@@ -10,11 +11,12 @@ if [ -f "deploy/app/.env.d/.env" ]; then
 fi
 
 if [ -n "${APP_HELM_VALUE_GITEA_ADMIN_USERNAME:-}" ]; then
-  echo "Executing helm deploy."
 
-    helm repo add gitea-charts https://dl.gitea.com/charts/
-    helm repo update
-    helm upgrade --install gitea gitea-charts/gitea --version 12.5.0 \
+    echo "Executing helm deploy."
+
+    helm repo add gitea-charts https://dl.gitea.com/charts/ --force-update
+
+    helm upgrade --install gitea gitea-charts/gitea --version 12.5.3 \
     --values deploy/app/helm-values.yaml \
     --set valkey.global.valkey.password=${APP_HELM_VALUE_VALKEY_GLOBAL_PASSWORD} \
     --set postgresql.global.postgresql.auth.postgresPassword=${APP_HELM_VALUE_POSTGRESQL_AUTH_POSTGRESPASSWORD} \
@@ -32,4 +34,7 @@ if [ -n "${APP_HELM_VALUE_GITEA_ADMIN_USERNAME:-}" ]; then
     --set gitea.config.security.PASSWORD_HASH_ALGO=${APP_HELM_VALUE_GITEA_CONFIG_SECURITY_PASSWORD_HASH_ALGO} \
     --set gitea.config.service.oauth2.JWT_SECRET=${APP_HELM_VALUE_GITEA_CONFIG_SERVICE_OAUTH2_JWT_SECRET} \
     --namespace=git-limbosolutions-com
+
+    echo "executing deploy of backups jobs."
+    kubectl kustomize deploy/backups | kubectl -n git-limbosolutions-com apply -f -
 fi

ops-scripts/apply-infra.sh

@@ -2,6 +2,6 @@
 set -e
 echo "Executing infra deploy."
 
-kubectl kustomize deploy/infra | kubectl apply -f -
+kubectl kustomize deploy/infra | kubectl -n git-limbosolutions-com apply -f -