backups added resources limits, set offsite backup size limit to 15GB

.devcontainer/.gitignore

@@ -1 +0,0 @@
-.kube/**

.devcontainer/.zshrc

@@ -1,111 +0,0 @@
-# If you come from bash you might have to change your $PATH.
-# export PATH=$HOME/bin:$HOME/.local/bin:/usr/local/bin:$PATH
-
-# Path to your Oh My Zsh installation.
-export ZSH="$HOME/.oh-my-zsh"
-
-# Set name of the theme to load --- if set to "random", it will
-# load a random theme each time Oh My Zsh is loaded, in which case,
-# to know which specific one was loaded, run: echo $RANDOM_THEME
-# See https://github.com/ohmyzsh/ohmyzsh/wiki/Themes
-ZSH_THEME="gnzh"
-
-# Set list of themes to pick from when loading at random
-# Setting this variable when ZSH_THEME="devcontainers"
-# a theme from this variable instead of looking in $ZSH/themes/
-# If set to an empty array, this variable will have no effect.
-# ZSH_THEME_RANDOM_CANDIDATES=( "robbyrussell" "agnoster" )
-
-# Uncomment the following line to use case-sensitive completion.
-# CASE_SENSITIVE="true"
-
-# Uncomment the following line to use hyphen-insensitive completion.
-# Case-sensitive completion must be off. _ and - will be interchangeable.
-# HYPHEN_INSENSITIVE="true"
-
-# Uncomment one of the following lines to change the auto-update behavior
-# zstyle ':omz:update' mode disabled  # disable automatic updates
-# zstyle ':omz:update' mode auto      # update automatically without asking
-# zstyle ':omz:update' mode reminder  # just remind me to update when it's time
-
-# Uncomment the following line to change how often to auto-update (in days).
-# zstyle ':omz:update' frequency 13
-
-# Uncomment the following line if pasting URLs and other text is messed up.
-# DISABLE_MAGIC_FUNCTIONS="true"
-
-# Uncomment the following line to disable colors in ls.
-# DISABLE_LS_COLORS="true"
-
-# Uncomment the following line to disable auto-setting terminal title.
-# DISABLE_AUTO_TITLE="true"
-
-# Uncomment the following line to enable command auto-correction.
-# ENABLE_CORRECTION="true"
-
-# Uncomment the following line to display red dots whilst waiting for completion.
-# You can also set it to another string to have that shown instead of the default red dots.
-# e.g. COMPLETION_WAITING_DOTS="%F{yellow}waiting...%f"
-# Caution: this setting can cause issues with multiline prompts in zsh < 5.7.1 (see #5765)
-# COMPLETION_WAITING_DOTS="true"
-
-# Uncomment the following line if you want to disable marking untracked files
-# under VCS as dirty. This makes repository status check for large repositories
-# much, much faster.
-# DISABLE_UNTRACKED_FILES_DIRTY="true"
-
-# Uncomment the following line if you want to change the command execution time
-# stamp shown in the history command output.
-# You can set one of the optional three formats:
-# "mm/dd/yyyy"|"dd.mm.yyyy"|"yyyy-mm-dd"
-# or set a custom format using the strftime function format specifications,
-# see 'man strftime' for details.
-# HIST_STAMPS="mm/dd/yyyy"
-
-# Would you like to use another custom folder than $ZSH/custom?
-# ZSH_CUSTOM=/path/to/new-custom-folder
-
-# Which plugins would you like to load?
-# Standard plugins can be found in $ZSH/plugins/
-# Custom plugins may be added to $ZSH_CUSTOM/plugins/
-# Example format: plugins=(rails git textmate ruby lighthouse)
-# Add wisely, as too many plugins slow down shell startup.
-plugins=(git timer web-search ssh kubectl helm colorize zsh-autosuggestions fast-syntax-highlighting)
-ZSH_COLORIZE_TOOL=chroma
-
-source $ZSH/oh-my-zsh.sh
-
-# User configuration
-
-# export MANPATH="/usr/local/man:$MANPATH"
-
-# You may need to manually set your language environment
-# export LANG=en_US.UTF-8
-
-# Preferred editor for local and remote sessions
-# if [[ -n $SSH_CONNECTION ]]; then
-#   export EDITOR='vim'
-# else
-#   export EDITOR='nvim'
-# fi
-
-# Compilation flags
-# export ARCHFLAGS="-arch $(uname -m)"
-
-# Set personal aliases, overriding those provided by Oh My Zsh libs,
-# plugins, and themes. Aliases can be placed here, though Oh My Zsh
-# users are encouraged to define aliases within a top-level file in
-# the $ZSH_CUSTOM folder, with .zsh extension. Examples:
-# - $ZSH_CUSTOM/aliases.zsh
-# - $ZSH_CUSTOM/macos.zsh
-# For a full list of active aliases, run `alias`.
-#
-# Example aliases
-# alias zshconfig="mate ~/.zshrc"
-# alias ohmyzsh="mate ~/.oh-my-zsh"
-DISABLE_AUTO_UPDATE=true
-DISABLE_UPDATE_PROMPT=true
-export FAST_HIGHLIGHT_CHROMA_PATH="/home/vscode/lib/chroma"
-export FAST_HIGHLIGHT_CHROMA=1
-export PATH=$PATH:/home/vscode/lib
-

.devcontainer/devcontainer.json

@@ -1,43 +1,34 @@
 // For format details, see https://aka.ms/devcontainer.json. For config options, see the
 // README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
 {
-	"name": "git-limbosolutions-com-dev-container",
-	// Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
-	"image": "mcr.microsoft.com/devcontainers/base:jammy",
-	"features": {
-		"ghcr.io/devcontainers/features/kubectl-helm-minikube:1": {}
-	},
+	"name": "git-limbosolutions-com-dev",
+	"image": "git.limbosolutions.com/mylimbo/devcontainers/devops:latest",
 	"runArgs": ["--hostname=git-limbosolutions-com-dev-container"],
-	// "features": {},
-
-	// Use 'forwardPorts' to make a list of ports inside the container available locally.
-	// "forwardPorts": [],
-	// Configure tool-specific properties.
-	// "customizations": {},
-	
+	"remoteUser": "vscode",
 	"mounts": [
-		"source=${localWorkspaceFolder}/.devcontainer/.zshrc,target=/home/vscode/.zshrc,type=bind",
-		"source=${localWorkspaceFolder}/.devcontainer/.kube,target=/home/vscode/.kube,type=bind",
-		"source=${localEnv:HOME}/.gitconfig,target=/home/vscode/.gitconfig,type=bind,consistency=cached",
-		"source=${localEnv:HOME}/.ssh,target=/home/vscode/.ssh,type=bind,consistency=cached"
+		"source=${localWorkspaceFolder}/.kube,target=/home/vscode/.kube,type=bind",
+		"source=${localEnv:HOME}/.gitconfig,target=/home/vscode/.gitconfig,type=bind",
+		"source=${localEnv:HOME}/.ssh,target=/home/vscode/.ssh,type=bind"
 	],
-	"remoteEnv": {
-	
-	},
-	"postCreateCommand": "bash .devcontainer/scripts/postCreate.sh",
 	"customizations": {
 		"vscode": {
 			"extensions": [
 				"ms-kubernetes-tools.vscode-kubernetes-tools",
+				"redhat.ansible",
 				"mtxr.sqltools-driver-mysql",
 				"stateful.runme",
 				"yzhang.markdown-all-in-one",
 				"davidanson.vscode-markdownlint",
-				"eamodio.gitlens"
-			],
-			"settings": {
-				"terminal.integrated.defaultProfile.linux": "zsh"
-			}
+				"eamodio.gitlens",
+				"m4ns0ur.base64",
+				"rogalmic.bash-debug",
+				"streetsidesoftware.code-spell-checker",
+				"ms-azuretools.vscode-containers",
+				"eamodio.gitlens",
+				"shd101wyy.markdown-preview-enhanced",
+				"bierner.markdown-preview-github-styles"
+
+			]
 		}
 	}
 }

.devcontainer/scripts/postCreate.sh

@@ -1,11 +0,0 @@
-#!/bin/zsh
-
-#setup chroma for zsh colorize
-mkdir -p ~/lib
-curl -Lo ~/lib/chroma https://github.com/alecthomas/chroma/releases/latest/download/chroma-linux-amd64
-chmod +x ~/lib/chroma
-
-git clone https://github.com/zdharma-continuum/fast-syntax-highlighting.git ~/.oh-my-zsh/custom/plugins/fast-syntax-highlighting
-git clone https://github.com/zsh-users/zsh-autosuggestions ~/.oh-my-zsh/custom/plugins/zsh-autosuggestions
-
-

.gitea/workflows/app-continous-deploy.yaml

@@ -0,0 +1,93 @@
+on:
+  schedule:
+    - cron: '0 9 * * 0' # every sunday 9 am
+  push:
+    branches:
+      - main
+  pull_request:
+      branches:
+      - main
+jobs:
+  continuous-deploy:
+    runs-on: ubuntu-latest
+    container:
+      image: git.limbosolutions.com/kb/gitea/act:latest-network-stack
+    env:
+      GITHUB_TEMP: ${{ runner.temp }} # fix missing GITHUB_TEMP on gitea
+    steps:
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: limbo public actions
+        env: 
+          WORKSPACE: "${{ gitea.workspace }}"
+        run: |
+          curl -fsSL https://git.limbosolutions.com/kb/gitea/raw/branch/main/cloud-scripts/setup-limbo-actions.sh | bash 2>&1
+
+
+      # limbo custom actions required https://git.limbosolutions.com/kb/gitea/raw/branch/main
+      - name: Configure kubectl config
+        uses: ./.gitea/limbo_actions/kubectl-setup
+        with:
+          kube_server: ${{ secrets.HOSTING_KUBE_SERVER }}
+          kube_ca_base64: ${{ secrets.HOSTING_KUBE_CA_BASE64 }}
+          kube_token: ${{ secrets.HOSTING_KUBE_TOKEN }}
+
+      - name: Deploy
+        shell: bash
+        env:
+          # cron jobs env
+          CRONJOBS_BACKUPS_SECRETS_PBS_REPOSITORY: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_PBS_REPOSITORY }}
+          CRONJOBS_BACKUPS_SECRETS_PBS_PASSWORD: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_PBS_PASSWORD }}
+          CRONJOBS_BACKUPS_SECRETS_PBS_FINGERPRINT: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_PBS_FINGERPRINT }}
+          CRONJOBS_BACKUPS_SECRETS_BORG_REPO: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_BORG_REPO }}
+          CRONJOBS_BACKUPS_SECRETS_BORG_PASSPHRASE: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_BORG_PASSPHRASE }}
+          CRONJOBS_BACKUPS_SECRETS_OFFSITE_TARGET_FOLDER: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_OFFSITE_TARGET_FOLDER }}
+          CRONJOBS_BACKUPS_SECRETS_ID_RSA: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_ID_RSA }}
+          CRONJOBS_BACKUPS_SECRETS_BORG_KEY: ${{ secrets.CRONJOBS_BACKUPS_SECRETS_BORG_KEY }}
+
+          # helm chart values
+          APP_HELM_VALUE_VALKEY_GLOBAL_PASSWORD: ${{ secrets.APP_HELM_VALUE_VALKEY_GLOBAL_PASSWORD }}
+          APP_HELM_VALUE_POSTGRESQL_AUTH_POSTGRESPASSWORD: ${{ secrets.APP_HELM_VALUE_POSTGRESQL_AUTH_POSTGRESPASSWORD }}
+          APP_HELM_VALUE_POSTGRESQL_AUTH_PASSWORD: ${{ secrets.APP_HELM_VALUE_POSTGRESQL_AUTH_PASSWORD }}
+          APP_HELM_VALUE_POSTGRESQL_AUTH_DATABASE: ${{ secrets.APP_HELM_VALUE_POSTGRESQL_AUTH_DATABASE }}
+          APP_HELM_VALUE_POSTGRESQL_AUTH_USERNAME: ${{ secrets.APP_HELM_VALUE_POSTGRESQL_AUTH_USERNAME }}
+          APP_HELM_VALUE_GITEA_ADMIN_USERNAME: ${{ secrets.APP_HELM_VALUE_GITEA_ADMIN_USERNAME }}
+          APP_HELM_VALUE_GITEA_ADMIN_PASSWORD: ${{ secrets.APP_HELM_VALUE_GITEA_ADMIN_PASSWORD }}
+          APP_HELM_VALUE_GITEA_ADMIN_EMAIL: ${{ secrets.APP_HELM_VALUE_GITEA_ADMIN_EMAIL }}
+          APP_HELM_VALUE_GITEA_CONFIG_OAUTH2_JWT_SECRET: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_OAUTH2_JWT_SECRET }}
+          APP_HELM_VALUE_GITEA_CONFIG_SERVER_LFS_JWT_SECRET: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_SERVER_LFS_JWT_SECRET }}
+          APP_HELM_VALUE_GITEA_CONFIG_SECURITY_SECRET_KEY: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_SECURITY_SECRET_KEY }}
+          APP_HELM_VALUE_GITEA_CONFIG_SECURITY_REVERSE_PROXY_TRUSTED_PROXIES: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_SECURITY_REVERSE_PROXY_TRUSTED_PROXIES }}
+          APP_HELM_VALUE_GITEA_CONFIG_SECURITY_INTERNAL_TOKEN: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_SECURITY_INTERNAL_TOKEN }}
+          APP_HELM_VALUE_GITEA_CONFIG_SECURITY_PASSWORD_HASH_ALGO: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_SECURITY_PASSWORD_HASH_ALGO }}
+          APP_HELM_VALUE_GITEA_CONFIG_SERVICE_OAUTH2_JWT_SECRET: ${{ secrets.APP_HELM_VALUE_GITEA_CONFIG_SERVICE_OAUTH2_JWT_SECRET }}
+
+        run: |
+          set -euo pipefail
+
+          # ensure cleanup always runs
+          trap 'rm -f \
+                    deploy/app/cronjobs/backups/.env.d/secrets \
+                    deploy/app/cronjobs/backups/.env.d/id_rsa \
+                    deploy/app/cronjobs/backups/.env.d/borg_key' EXIT
+
+          # setup env for cronjobs backups
+          echo "PBS_REPOSITORY=${CRONJOBS_BACKUPS_SECRETS_PBS_REPOSITORY}" >> deploy/app/cronjobs/backups/.env.d/secrets
+          echo "PBS_PASSWORD=${CRONJOBS_BACKUPS_SECRETS_PBS_PASSWORD}" >> deploy/app/cronjobs/backups/.env.d/secrets
+          echo "PBS_FINGERPRINT=${CRONJOBS_BACKUPS_SECRETS_PBS_FINGERPRINT}" >> deploy/app/cronjobs/backups/.env.d/secrets
+          echo "BORG_REPO=${CRONJOBS_BACKUPS_SECRETS_BORG_REPO}" >> deploy/app/cronjobs/backups/.env.d/secrets
+          echo "BORG_PASSPHRASE=${CRONJOBS_BACKUPS_SECRETS_BORG_PASSPHRASE}" >> deploy/app/cronjobs/backups/.env.d/secrets
+          echo "OFFSITE_TARGET_FOLDER=${CRONJOBS_BACKUPS_SECRETS_OFFSITE_TARGET_FOLDER}" >> deploy/app/cronjobs/backups/.env.d/secrets
+          
+          echo "${CRONJOBS_BACKUPS_SECRETS_ID_RSA}" >> deploy/app/cronjobs/backups/.env.d/id_rsa
+          echo "${CRONJOBS_BACKUPS_SECRETS_BORG_KEY}" >> deploy/app/cronjobs/backups/.env.d/borg_key
+          
+          # enforce security
+          chmod 600 deploy/app/cronjobs/backups/.env.d/secrets
+          chmod 600 deploy/app/cronjobs/backups/.env.d/id_rsa
+          chmod 600 deploy/app/cronjobs/backups/.env.d/borg_key
+
+          # invoke deploy script
+          ops-scripts/apply-app.sh

.gitignore

@@ -2,4 +2,4 @@ tmp
 **.env
 **.private.**
 **.local.**
-kb
+.kube/**

.vscode/settings.json

@@ -0,0 +1,5 @@
+{
+    "cSpell.words": [
+        "valkey"
+    ]
+}

README.md

@@ -4,13 +4,41 @@ Welcome to public repository of my [Git Server](https://git.limbosolutions.com)
 
 Using [gitea](https://git.limbosolutions.com/kb/gitea) as git server.
 
-- [Deploy and Setup](#deploy-and-setup)
+- [Deploy](#deploy)
+  - [App](#app)
+  - [Continuous Deploy](#continuous-deploy)
+  - [Infra](#infra)
 - [Backups](#backups)
 
-## Deploy and Setup
+## Deploy
 
-for more information [check readme](./deploy/README.md).
+### App
 
+**Environment files:**
+
+- ./deploy/app/cronjobs/backups/.env.d/secrets [Example](./deploy/app/cronjobs/backups/.env.d/secrets.example)
+- ./deploy/app/cronjobs/backups/.env.d/borg_key [Example](./deploy/app/cronjobs/backups/.env.d/borg_key.example)
+- ./deploy/app/cronjobs/backups/.env.d/id_rsa [Example](./deploy/app/cronjobs/backups/.env.d/id_rsa.example)
+- ./deploy/helm/.env [Example](./deploy/helm/.env.example)
+
+```bash
+./ops-scripts/apply-app.sh
+```
+
+- [kustomization](/deploy/app/kustomization.yaml)
+
+### Continuous Deploy
+
+Executes [App Deploy](#app) using [Gitea workflow](./.gitea/workflows/app-deploy.yaml).
+
+### Infra
+
+```bash
+./ops-scripts/apply-infra.sh
+```
+
+- [kustomization](/deploy/infra/kustomization.yaml)
+  
 ## Backups
 
 for more information [check readme](./docs/backups.md).

deploy/README.md

@@ -1,60 +0,0 @@
-# Deploy
-
-- [kubernetes Namespace](#kubernetes-namespace)
-- [Backups](#backups)
-  - [secrets](#secrets)
-  - [Proxmox Backup Server (kubernetes cron job)](#proxmox-backup-server-kubernetes-cron-job)
-  - [Borg and Offsite sync (kubernetes cron job)](#borg-and-offsite-sync-kubernetes-cron-job)
-
-```bash
-# run for setup/update 
-# using helm chart
-./setup.sh
-```
-
-## kubernetes Namespace
-
-```yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: git-limbosolutions-com
-  labels:
-    name: git-limbosolutions-com
-
-```
-
-## Backups
-
-### secrets
-
-```bash
-set -a
-source ./backups/.env
-set +a
-envsubst < ./backups/backup-secrets.yaml | kubectl apply -n git-limbosolutions-com -f -
-
-SSH_ID_RSA=$(echo -n "$SSH_ID_RSA" | base64 -w 0)
-BORG_KEY=$(echo -n "$BORG_KEY" | base64 -w 0)
-
-kubectl patch secret gitea-backup-secret --patch "{\"data\":{\"ssh_id_rsa\":\"$SSH_ID_RSA\"}}" -n git-limbosolutions-com 
-kubectl patch secret gitea-backup-secret --patch "{\"data\":{\"borg_key\":\"$BORG_KEY\"}}" -n git-limbosolutions-com 
-```
-
-### Proxmox Backup Server (kubernetes cron job)
-
-```bash
-# deploy cronjon
-kubectl apply -f ./backups/backup-pbs-cronjob.yaml -n git-limbosolutions-com
-```
-
-[kubernetes cron job](./backups/backup-pbs-cronjob.yaml)
-
-### Borg and Offsite sync (kubernetes cron job)
-
-```bash
-# deploy cronjon
-kubectl apply -f ./backups/backup-borg-offsite-cronjob.yaml  -n git-limbosolutions-com
-```
-
-[kubernetes cron job](./backups/borgbackup-offsite-cronjob.yaml)

deploy/app/cronjobs/backups/.env.d/.gitignore

@@ -0,0 +1,3 @@
+**
+!.gitignore
+!*.example

deploy/app/cronjobs/backups/.env.d/borg_key.example

@@ -0,0 +1 @@
+BORG_KEY an valid borg key

deploy/app/cronjobs/backups/.env.d/id_rsa.example

@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+AND VALID PRIVATE SSH KEY WITH ACCESS TO SSH SERVER  
+-----END OPENSSH PRIVATE KEY-----

deploy/app/cronjobs/backups/.env.d/secrets.example

@@ -0,0 +1,7 @@
+PBS_REPOSITORY="pbs repository"
+PBS_PASSWORD="pbs access passwordd"
+PBS_FINGERPRINT="00:00:00:00:00" # the pbs finger print
+BORG_REPO="ssh://user@reposerver/path" # required by offsite babckup
+BORG_PASSPHRASE="borg passphare" # required by offsite babckup
+OFFSITE_TARGET_FOLDER="test:target_path" # follow rclone naming convension
+

deploy/app/cronjobs/backups/backup-borg-offsite-cronjob.yaml

@@ -17,6 +17,13 @@ spec:
           restartPolicy: Never
           initContainers:
             - name: postgres-export
+              resources:
+                limits:
+                  memory: "512Mi"
+                  cpu: "500m"
+                requests:
+                  memory: "256Mi"
+                  cpu: "250m"
               image: postgres:latest
               command: ["sh", "-c"]
               args:
@@ -42,39 +49,39 @@ spec:
             - name: borg-client
               image: git.limbosolutions.com/kb/borg-backup:latest
               imagePullPolicy: Always
-              # resources:
-              #   limits:
-              #     memory: "512Mi"
-              #     cpu: "500m"
-              #   requests:
-              #     memory: "256Mi"
-              #     cpu: "250m"
+              resources:
+                limits:
+                  memory: "512Mi"
+                  cpu: "500m"
+                requests:
+                  memory: "256Mi"
+                  cpu: "250m"
               env:
                 - name: BORG_REPO
                   valueFrom:
                     secretKeyRef:
-                      name: gitea-backup-secret
-                      key: borg_repo
+                      name: gitea-backup
+                      key: BORG_REPO
 
                 - name: BORG_PASSPHRASE
                   valueFrom:
                     secretKeyRef:
-                      name: gitea-backup-secret
-                      key: borg_passphrase
+                      name: gitea-backup
+                      key: BORG_PASSPHRASE
 
           
                 - name: OFFSITE_TARGET_FOLDER
                   valueFrom:
                     secretKeyRef:
-                      name: gitea-backup-secret
-                      key: offsite_target_folder
+                      name: gitea-backup
+                      key: OFFSITE_TARGET_FOLDER
 
 
                 - name: BORG_RSH
                   value: ssh -p 2222 -o StrictHostKeyChecking=no -o LogLevel=ERROR
 
                 - name: REPO_SYNC_MAX_SIZE
-                  value: "10737418240" # 10GB
+                  value: "16106127360" # 15GB
 
                 - name: MODE
                   value: SHELL
@@ -108,7 +115,7 @@ spec:
                 else 
                   # Repository size is within limits for offsite sync
                   # ssh to backup server and enforce rclone to onedrive
-                  remote-connect "rclone sync $SSH_FOLDER $OFFSITE_TARGET_FOLDER --progress" && \
+                  remote-connect "rclone sync $SSH_FOLDER $OFFSITE_TARGET_FOLDER --stats=0" && \
                   echo "INFO: Finished Backup of git.limbosolutions.com (offsite) ($((SCRIPT_DURATION / 60 / 60)):$((SCRIPT_DURATION / 60)):$((SCRIPT_DURATION % 60))) "
                 fi
 
@@ -124,14 +131,14 @@ spec:
                   mountPath: /data/postgresql-export
                   subPath: postgresql-export
               
-                - name: gitea-backup-secret
+                - name: gitea-backup-secrets
                   mountPath: /root/.ssh/id_rsa
-                  subPath: ssh_id_rsa
+                  subPath: SSH_ID_RSA
                   readOnly: true
 
-                - name: gitea-backup-secret
+                - name: gitea-backup-secrets
                   mountPath: /app/borg/key
-                  subPath: borg_key
+                  subPath: BORG_KEY
 
           volumes:
 
@@ -143,9 +150,9 @@ spec:
               secret:
                 secretName: gitea-inline-config
 
-            - name: gitea-backup-secret
+            - name: gitea-backup-secrets
               secret:
-                secretName: gitea-backup-secret
+                secretName: gitea-backup
                 defaultMode: 0600
 
             - name: backup-var-data

deploy/app/cronjobs/backups/backup-pbs-cronjob.yaml

@@ -17,6 +17,13 @@ spec:
           initContainers:
             - name: postgres-export
               image: postgres:latest
+              resources:
+                limits:
+                  memory: "512Mi"
+                  cpu: "500m"
+                requests:
+                  memory: "256Mi"
+                  cpu: "250m"
               command: ["sh", "-c"]
               args:
                 - |
@@ -45,24 +52,31 @@ spec:
             - name: gitea-pbs-client
               image: git.limbosolutions.com/kb/pbsclient
               imagePullPolicy: Always
+              resources:
+                limits:
+                  memory: "512Mi"
+                  cpu: "500m"
+                requests:
+                  memory: "256Mi"
+                  cpu: "250m"
               env:  
                 - name: MODE
                   value: shell
                 - name: PBS_REPOSITORY
                   valueFrom:
                     secretKeyRef:
-                      name: gitea-backup-secret
-                      key:  pbs_repository
+                      name: gitea-backup
+                      key:  PBS_REPOSITORY
                 - name: PBS_PASSWORD
                   valueFrom:
                     secretKeyRef:
-                      name: gitea-backup-secret
-                      key: pbs_password
+                      name: gitea-backup
+                      key: PBS_PASSWORD
                 - name: PBS_FINGERPRINT
                   valueFrom:
                     secretKeyRef:
-                      name: gitea-backup-secret
-                      key: pbs_fingerprint
+                      name: gitea-backup
+                      key: PBS_FINGERPRINT
 
               command: ["bash", "-c"]
               args:

deploy/app/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cronjobs/backups/backup-borg-offsite-cronjob.yaml
+  - cronjobs/backups/backup-pbs-cronjob.yaml
+
+secretGenerator:
+- name: gitea-backup
+  namespace: git-limbosolutions-com
+  envs:
+    - cronjobs/backups/.env.d/secrets
+  files:
+    - BORG_KEY=cronjobs/backups/.env.d/borg_key
+    - SSH_ID_RSA=cronjobs/backups/.env.d/id_rsa
+    
+generatorOptions:
+  disableNameSuffixHash: true

deploy/backups/backup-secrets.yaml

@@ -1,17 +0,0 @@
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: gitea-backup-secret
-  namespace: git-limbosolutions-com
-type: Opaque
-stringData:
-  pbs_repository: ${PBS_REPOSITORY}
-  pbs_password: ${PBS_PASSWORD}
-  pbs_fingerprint: ${PBS_FINGERPRINT}
-  borg_repo: ${BORG_REPO}
-  borg_passphrase: ${BORG_PASSPHRASE}
-  offsite_target_folder: ${OFFSITE_TARGET_FOLDER}
-  #SSH_ID_RSA: ""
-  #BORG_KEY: ""
-  

deploy/helm/.env.example

@@ -0,0 +1,15 @@
+APP_HELM_VALUE_VALKEY_GLOBAL_PASSWORD="????"
+APP_HELM_VALUE_POSTGRESQL_AUTH_POSTGRESPASSWORD="????"
+APP_HELM_VALUE_POSTGRESQL_AUTH_PASSWORD="????"
+APP_HELM_VALUE_POSTGRESQL_AUTH_DATABASE="????"
+APP_HELM_VALUE_POSTGRESQL_AUTH_USERNAME="????"
+APP_HELM_VALUE_GITEA_ADMIN_USERNAME="????"
+APP_HELM_VALUE_GITEA_ADMIN_PASSWORD="????"
+APP_HELM_VALUE_GITEA_ADMIN_EMAIL="????"
+APP_HELM_VALUE_GITEA_CONFIG_OAUTH2_JWT_SECRET="????"
+APP_HELM_VALUE_GITEA_CONFIG_SERVER_LFS_JWT_SECRET="????"
+APP_HELM_VALUE_GITEA_CONFIG_SECURITY_SECRET_KEY="????"
+APP_HELM_VALUE_GITEA_CONFIG_SECURITY_REVERSE_PROXY_TRUSTED_PROXIES="????"
+APP_HELM_VALUE_GITEA_CONFIG_SECURITY_INTERNAL_TOKEN="????"
+APP_HELM_VALUE_GITEA_CONFIG_SECURITY_PASSWORD_HASH_ALGO="????"
+APP_HELM_VALUE_GITEA_CONFIG_SERVICE_OAUTH2_JWT_SECRET="????"

deploy/helm/values.yaml

@@ -15,7 +15,7 @@ valkey:
   architecture: standalone
   global:
     valkey:
-      password: "????"
+      password: "???"
   master:
     count: 1
     service:
@@ -31,8 +31,6 @@ postgresql:
     imagePullPolicy: IfNotPresent
   global:
     postgresql:
-      # volumePermissions:
-      #   enabled: true
       auth:
         postgresPassword: "???"
         password: "???"
@@ -40,7 +38,7 @@ postgresql:
         username: "???"
       service:
         ports:
-          postgresql: "???"
+          postgresql: 5432
   primary:
     persistence:
       size: 10Gi
@@ -60,13 +58,18 @@ service:
       port: 2222
       annotations:
         metallb.universe.tf/allow-shared-ip: test
-
+  http:
+    clusterIP: ""   # empty string → Kubernetes assigns a routable ClusterIP
+    type: ClusterIP
+    port: 3000
 gitea:
   admin:
     username: "???"
     password: "???"
     email: "???"
   config:
+    oauth2:
+      JWT_SECRET: "???"
     actions:
       ENABLED: true
     database:
@@ -79,7 +82,6 @@ gitea:
     server:
       DOMAIN: git.limbosolutions.com
       SSH_DOMAIN: git.limbosolutions.com
-      #HTTP_PORT: 3000
       ROOT_URL: https://git.limbosolutions.com
       DISABLE_SSH: false
       SSH_PORT: 2222
@@ -98,15 +100,15 @@ gitea:
       ####
     
     service:
-      DISABLE_REGISTRATION: "???"
-      REQUIRE_SIGNIN_VIEW: "???"
-      REGISTER_EMAIL_CONFIRM: "???"
-      ENABLE_NOTIFY_MAIL: "???"
-      ALLOW_ONLY_EXTERNAL_REGISTRATION: "???"
-      ENABLE_CAPTCHA: "???"
-      DEFAULT_KEEP_EMAIL_PRIVATE : "???"
-      DEFAULT_ALLOW_CREATE_ORGANIZATION: "???"
-      DEFAULT_ENABLE_TIMETRACKING: "???"
+      DISABLE_REGISTRATION: true
+      REQUIRE_SIGNIN_VIEW: false
+      REGISTER_EMAIL_CONFIRM: false
+      ENABLE_NOTIFY_MAIL: false
+      ALLOW_ONLY_EXTERNAL_REGISTRATION: false
+      ENABLE_CAPTCHA: true
+      DEFAULT_KEEP_EMAIL_PRIVATE : true
+      DEFAULT_ALLOW_CREATE_ORGANIZATION: true
+      DEFAULT_ENABLE_TIMETRACKING:  true
       NO_REPLY_ADDRESS: noreply.localhost
       oauth2:
           JWT_SECRET: "???"
@@ -114,15 +116,15 @@ gitea:
       ENABLED: false
 
     openid:
-      ENABLE_OPENID_SIGNIN: true
-      ENABLE_OPENID_SIGNUP: true
+      ENABLE_OPENID_SIGNIN: false
+      ENABLE_OPENID_SIGNUP: false
     
 
     security:
       INSTALL_LOCK: true
       SECRET_KEY: "???"
       REVERSE_PROXY_LIMIT: 1
-      REVERSE_PROXY_TRUSTED_PROXIES:
+      REVERSE_PROXY_TRUSTED_PROXIES: "???"
       INTERNAL_TOKEN: "???"
       PASSWORD_HASH_ALGO: "???"
 
@@ -139,8 +141,9 @@ ingress:
         - path: /
           pathType: Prefix
   tls:
-    - secretName: limbosolutions-com-secret-tls
+    - secretName: limbosolutions-com-tls
       hosts:
        - "git.limbosolutions.com"
 
 
+

deploy/infra/cd-service-account-rbac.yaml

@@ -0,0 +1,43 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: git-limbosolutions-com
+  name: continuous-deploy
+rules:
+- apiGroups: [""]
+  resources: ["pods", "services", "secrets", "configmaps", "persistentvolumeclaims", "endpoints", "serviceaccounts"]
+  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
+
+- apiGroups: ["apps"]
+  resources: ["deployments", "statefulsets"]
+  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
+
+- apiGroups: ["batch"]
+  resources: ["cronjobs", "jobs"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+
+- apiGroups: ["networking.k8s.io"]
+  resources: ["networkpolicies", "ingresses"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+
+- apiGroups: ["policy"]
+  resources: ["poddisruptionbudgets"]
+  verbs: ["get", "list", "watch", "update", "patch"]
+
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: continuous-deploy
+  namespace:  git-limbosolutions-com
+subjects:
+- kind: ServiceAccount
+  name: continuous-deploy
+  namespace: git-limbosolutions-com
+roleRef:
+  kind: Role
+  name: continuous-deploy
+  apiGroup: rbac.authorization.k8s.io
+

deploy/infra/cd-service-account-token.yaml

@@ -0,0 +1,8 @@
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: continuous-deploy
+  annotations:
+    kubernetes.io/service-account.name: continuous-deploy
+type: kubernetes.io/service-account-token

deploy/infra/cd-service-account.yaml

@@ -0,0 +1,6 @@
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: continuous-deploy
+  namespace: git-limbosolutions-com

deploy/infra/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - cd-service-account.yaml
+  - cd-service-account-token.yaml
+  - cd-service-account-rbac.yaml
+

deploy/infra/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: git-limbosolutions-com
+  labels:
+    name: git-limbosolutions-com

deploy/ops/bork-backup-sidekick/pod.yaml

@@ -1,13 +1,13 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: borgbackup-sidekick
+  name: borg-backup-sidekick
   namespace: git-limbosolutions-com
   labels:
-    app: borgbackup-sidekick
+    app: borg-backup-sidekick
 spec:
   containers:
-      - name: borgbackup-sidekick
+      - name: borg-backup-sidekick
         image: git.limbosolutions.com/kb/borg-backup:latest
         imagePullPolicy: Always
         resources:
@@ -45,17 +45,17 @@ spec:
 
         volumeMounts:
         
-        - name: gitea-backup-secret
+        - name: gitea-backup-secrets
           mountPath: /root/.ssh/id_rsa
           subPath: ssh_id_rsa
           readOnly: true
 
-        - name: gitea-backup-secret
+        - name: gitea-backup-secrets
           mountPath: /app/borg/key
           subPath: borg_key
   volumes:
-    - name: gitea-backup-secret
+    - name: gitea-backup-secrets
       secret:
-        secretName: gitea-backup-secret
+        secretName: gitea-backup
         defaultMode: 0600
 

deploy/setup.sh

@@ -1,9 +0,0 @@
-helm repo add gitea-charts https://dl.gitea.com/charts/
-helm repo update
-
-helm upgrade --install gitea gitea-charts/gitea \
---values ./values.yaml \
---values ./values.private.yaml \
---namespace=git-limbosolutions-com
-
-kubectl apply -f ./ssh-ingress.yaml

deploy/ssh-ingress.yaml

@@ -1,17 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRouteTCP
-metadata:
-  name: git-limbosolutions-com-ssh-ingress
-  namespace: git-limbosolutions-com
-spec:
-  entryPoints:
-    - ssh-git
-  routes:
-    - match: HostSNI(`*`)
-      services:
-        - name: gitea-ssh
-          port: 2222
-          weight: 10
-          terminationDelay: 90000
-          proxyProtocol:
-            version: 1

docs/act-runner.md

@@ -18,7 +18,7 @@ curl -fsSL https://get.docker.com -o get-docker.sh
 sh ./get-docker.sh
 ```
 
-### act tunner
+### act runner
 
 ```bash
 nano setup-act-runners.sh

docs/backups.md

@@ -1,14 +1,27 @@
 # borgbackup sidekick
 
+**Create borgbackup-sidekick pod:**
+
+```bash
+kubectl apply -f deploy/ops/borg-backup-sidekick/pod.yaml
+```
+
+**Remove borgbackup-sidekick pod:**
+
+```bash
+# delete the sidekick pod after use
+kubectl delete pod -l app=borg-backup-sidekick
+```
+
 ```bash
 # attach to borgbackup-sidekick
-POD_NAME=$(kubectl get pod -l app=borgbackup-sidekick -n git-limbosolutions-com -o jsonpath='{.items[0].metadata.name}')
+POD_NAME=$(kubectl get pod -l app=borg-backup-sidekick -n git-limbosolutions-com -o jsonpath='{.items[0].metadata.name}')
 kubectl exec -it ${POD_NAME}  -- bash
 ```
 
 ```bash
 # list borg repo
-POD_NAME=$(kubectl get pod -l app=borgbackup-sidekick -n git-limbosolutions-com -o jsonpath='{.items[0].metadata.name}')
+POD_NAME=$(kubectl get pod -l app=borg-backup-sidekick -n git-limbosolutions-com -o jsonpath='{.items[0].metadata.name}')
 kubectl exec -it ${POD_NAME} -- bash -c "\
 borg list ${BORG_REPO} \
 "
@@ -16,39 +29,8 @@ borg list ${BORG_REPO} \
 
 ```bash
 # get borg info
-POD_NAME=$(kubectl get pod -l app=borgbackup-sidekick -n git-limbosolutions-com -o jsonpath='{.items[0].metadata.name}')
+POD_NAME=$(kubectl get pod -l app=borg-backup-sidekick -n git-limbosolutions-com -o jsonpath='{.items[0].metadata.name}')
 kubectl exec -it ${POD_NAME} -- bash -c "\
 borg info ${BORG_REPO}\
 "
 ```
-
-```bash
-POD_NAME=$(kubectl get pod -l app=borgbackup-sidekick -n git-limbosolutions-com -o jsonpath='{.items[0].metadata.name}')
-# Check if repository size is greater than 4GB
-kubectl exec -it ${POD_NAME} -- bash -c "\
-MAX_SIZE=\$((4 * 1024 * 1024 * 1024))
-SIZE_IN_BYTES=\$(\${BORG_RSH} mf@backupsrv01.dev.lan \"du -b ~/borg-repos/git.limbosolutions.com --max-depth=0 | cut -f1 \") && \
-echo \"Repository size: \$((SIZE_IN_BYTES / 1024 / 1024)) MB\" && \
-if [ \$SIZE_IN_BYTES -gt \$MAX_SIZE ]; then \
-   echo 'Repository size exceeds \$MAX_SIZE'; \
-   exit 1; \
-else \
-   echo 'Repository size is within limits for offsite sync'; \
-fi \
-
-"
-```
-
-**Create borgbackup-sidekick pod:**
-
-```bash
-kubectl apply -f ../deploy/backups/borgbackup-sidekick.yaml
-```
-
-**Remove borgbackup-sidekick pod:**
-
-```bash
-# delete the sidekick pod after use
-kubectl delete pod -l app=borgbackup-sidekick
-```
-

ops-scripts/apply-app.sh

@@ -0,0 +1,36 @@
+#/bin/bash
+kubectl kustomize deploy/app | kubectl apply -f -
+
+if [ -f "deploy/helm/.env" ]; then
+  # Export all variables from the file
+  echo "export variables from file helm/.env" 
+  set -a
+  . deploy/helm/.env
+  set +a
+fi
+
+
+if [ -n "${APP_HELM_VALUE_GITEA_ADMIN_USERNAME:-}" ]; then
+  echo "Executing helm deploy."
+
+    helm repo add gitea-charts https://dl.gitea.com/charts/
+    helm repo update
+    helm upgrade --install gitea gitea-charts/gitea --version 12.4.0 \
+    --values deploy/helm/values.yaml \
+    --set valkey.global.valkey.password=${APP_HELM_VALUE_VALKEY_GLOBAL_PASSWORD} \
+    --set postgresql.global.postgresql.auth.postgresPassword=${APP_HELM_VALUE_POSTGRESQL_AUTH_POSTGRESPASSWORD} \
+    --set postgresql.global.postgresql.auth.password=${APP_HELM_VALUE_POSTGRESQL_AUTH_PASSWORD} \
+    --set postgresql.global.postgresql.auth.database=${APP_HELM_VALUE_POSTGRESQL_AUTH_DATABASE} \
+    --set postgresql.global.postgresql.auth.username=${APP_HELM_VALUE_POSTGRESQL_AUTH_USERNAME} \
+    --set gitea.admin.username=${APP_HELM_VALUE_GITEA_ADMIN_USERNAME} \
+    --set gitea.admin.password=${APP_HELM_VALUE_GITEA_ADMIN_PASSWORD} \
+    --set gitea.admin.email=${APP_HELM_VALUE_GITEA_ADMIN_EMAIL} \
+    --set gitea.config.oauth2.JWT_SECRET=${APP_HELM_VALUE_GITEA_CONFIG_OAUTH2_JWT_SECRET} \
+    --set gitea.config.server.LFS_JWT_SECRET=${APP_HELM_VALUE_GITEA_CONFIG_SERVER_LFS_JWT_SECRET} \
+    --set gitea.config.security.SECRET_KEY=${APP_HELM_VALUE_GITEA_CONFIG_SECURITY_SECRET_KEY} \
+    --set gitea.config.security.REVERSE_PROXY_TRUSTED_PROXIES=${APP_HELM_VALUE_GITEA_CONFIG_SECURITY_REVERSE_PROXY_TRUSTED_PROXIES} \
+    --set gitea.config.security.INTERNAL_TOKEN=${APP_HELM_VALUE_GITEA_CONFIG_SECURITY_INTERNAL_TOKEN} \
+    --set gitea.config.security.PASSWORD_HASH_ALGO=${APP_HELM_VALUE_GITEA_CONFIG_SECURITY_PASSWORD_HASH_ALGO} \
+    --set gitea.config.service.oauth2.JWT_SECRET=${APP_HELM_VALUE_GITEA_CONFIG_SERVICE_OAUTH2_JWT_SECRET} \
+    --namespace=git-limbosolutions-com
+fi

ops-scripts/apply-infra.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -e
+echo "Executing infra deploy."
+
+kubectl kustomize deploy/infra | kubectl apply -f -
+
+