feat: Gitea deployment with 1Password and Caddy

Complete infrastructure deployment including:
- Docker Compose templates with 1Password integration (op://)
- Caddy reverse proxy configuration for git.terraphim.cloud
- Automated deployment script (deploy-to-bigbox.sh)
- Comprehensive documentation and deployment article
- Network isolation: Public (Gitea) + Tailscale (Prometheus/S3)
- Security: No hardcoded secrets, all via 1Password

Services deployed:
- Gitea 1.22.6 (Git hosting)
- PostgreSQL 15 (Database)
- SeaweedFS (S3-compatible storage)
- Prometheus (Monitoring)

Excludes:
- docker-compose.yml (contains resolved secrets)
- s3_config.json (contains resolved secrets)
- Data directories (gitea/, postgres/, seaweedfs/)

Refs: Private deployment on bigbox with TerraphimPlatform vault
This commit is contained in:
Alex
2026-02-16 19:40:19 +00:00
parent 850d8b7680
commit 4a4a0351aa
13 changed files with 2620 additions and 200 deletions
+64 -3
View File
@@ -1,8 +1,69 @@
# Ultimate build machine using gitea
# Ultimate Build Machine using Gitea
Kind of kitchen sink everything is included
Self-hosted Git infrastructure with S3-compatible storage, monitoring, and proper secrets management.
## Stack Components
- **Gitea** (1.22.6) - Git hosting with Actions and LFS support
- **PostgreSQL** (15) - Database
- **SeaweedFS** - Distributed S3-compatible object storage
- **Prometheus** (v2.21.0) - Metrics and monitoring
- **Caddy** - Reverse proxy with automatic HTTPS
- **1Password** - Secrets management via `op inject`
## Quick Start
### Prerequisites
1. **1Password Vault Items** - Create in `zesticai-non-prod` vault:
```bash
op item create --vault="zesticai-non-prod" --category=login \
--title="gitea-postgres" --generate-password=20 username=gitea
op item create --vault="zesticai-non-prod" --category=custom \
--title="gitea-s3" access-key="$(openssl rand -hex 20)" \
secret-key="$(openssl rand -hex 40)"
```
2. **SSH Access** - Ensure `ssh bigbox` works
3. **1Password Service Account** - `~/op_zesticai_non_prod.sh` on bigbox
### Deploy to Bigbox
```bash
./deploy-to-bigbox.sh
```
### Access Services
After deployment:
**Public (via HTTPS on terraphim.cloud):**
- **Gitea Web**: https://git.terraphim.cloud
- **Gitea SSH**: ssh://bigbox:222
**Tailscale Network Only (100.106.66.7):**
- **Prometheus**: http://100.106.66.7:9000
- **S3 API**: http://100.106.66.7:8333
*Note: Prometheus and S3 are only accessible within the Tailscale VPN network, not from the public internet.*
## Documentation
- [Research Document](.docs/RESEARCH-gitea-bigbox-deployment.md) - Phase 1 analysis
- [Implementation Plan](.docs/IMPLEMENTATION-gitea-bigbox-deployment.md) - Phase 2 design
- [Deployment Summary](.docs/DEPLOYMENT-SUMMARY.md) - Post-deployment guide
## Security
- **No hardcoded secrets** - All credentials managed via 1Password
- **Template files** (`.template`) contain `op://` references
- **Generated files** excluded from git (`.gitignore`)
- **Caddy** provides automatic HTTPS
- **Secret injection** at deployment time via `op inject`
## TODO
- [ ] Automatic spin up and registration of gitea runners (github compatible)
- [ ] Earthly buildkit demon (not sattelite - with gitea runners we don't need earthly sattelites)
- [ ] Earthly buildkit daemon (not satellite - with gitea runners we don't need earthly satellites)