mirror of
https://github.com/terraphim/gitea-infrastructure.git
synced 2026-07-16 00:00:32 +02:00
feat: Gitea deployment with 1Password and Caddy
Complete infrastructure deployment including: - Docker Compose templates with 1Password integration (op://) - Caddy reverse proxy configuration for git.terraphim.cloud - Automated deployment script (deploy-to-bigbox.sh) - Comprehensive documentation and deployment article - Network isolation: Public (Gitea) + Tailscale (Prometheus/S3) - Security: No hardcoded secrets, all via 1Password Services deployed: - Gitea 1.22.6 (Git hosting) - PostgreSQL 15 (Database) - SeaweedFS (S3-compatible storage) - Prometheus (Monitoring) Excludes: - docker-compose.yml (contains resolved secrets) - s3_config.json (contains resolved secrets) - Data directories (gitea/, postgres/, seaweedfs/) Refs: Private deployment on bigbox with TerraphimPlatform vault
This commit is contained in:
@@ -1,8 +1,69 @@
|
||||
# Ultimate build machine using gitea
|
||||
# Ultimate Build Machine using Gitea
|
||||
|
||||
Kind of kitchen sink everything is included
|
||||
Self-hosted Git infrastructure with S3-compatible storage, monitoring, and proper secrets management.
|
||||
|
||||
## Stack Components
|
||||
|
||||
- **Gitea** (1.22.6) - Git hosting with Actions and LFS support
|
||||
- **PostgreSQL** (15) - Database
|
||||
- **SeaweedFS** - Distributed S3-compatible object storage
|
||||
- **Prometheus** (v2.21.0) - Metrics and monitoring
|
||||
- **Caddy** - Reverse proxy with automatic HTTPS
|
||||
- **1Password** - Secrets management via `op inject`
|
||||
|
||||
## Quick Start
|
||||
|
||||
### Prerequisites
|
||||
|
||||
1. **1Password Vault Items** - Create in `zesticai-non-prod` vault:
|
||||
```bash
|
||||
op item create --vault="zesticai-non-prod" --category=login \
|
||||
--title="gitea-postgres" --generate-password=20 username=gitea
|
||||
|
||||
op item create --vault="zesticai-non-prod" --category=custom \
|
||||
--title="gitea-s3" access-key="$(openssl rand -hex 20)" \
|
||||
secret-key="$(openssl rand -hex 40)"
|
||||
```
|
||||
|
||||
2. **SSH Access** - Ensure `ssh bigbox` works
|
||||
|
||||
3. **1Password Service Account** - `~/op_zesticai_non_prod.sh` on bigbox
|
||||
|
||||
### Deploy to Bigbox
|
||||
|
||||
```bash
|
||||
./deploy-to-bigbox.sh
|
||||
```
|
||||
|
||||
### Access Services
|
||||
|
||||
After deployment:
|
||||
|
||||
**Public (via HTTPS on terraphim.cloud):**
|
||||
- **Gitea Web**: https://git.terraphim.cloud
|
||||
- **Gitea SSH**: ssh://bigbox:222
|
||||
|
||||
**Tailscale Network Only (100.106.66.7):**
|
||||
- **Prometheus**: http://100.106.66.7:9000
|
||||
- **S3 API**: http://100.106.66.7:8333
|
||||
|
||||
*Note: Prometheus and S3 are only accessible within the Tailscale VPN network, not from the public internet.*
|
||||
|
||||
## Documentation
|
||||
|
||||
- [Research Document](.docs/RESEARCH-gitea-bigbox-deployment.md) - Phase 1 analysis
|
||||
- [Implementation Plan](.docs/IMPLEMENTATION-gitea-bigbox-deployment.md) - Phase 2 design
|
||||
- [Deployment Summary](.docs/DEPLOYMENT-SUMMARY.md) - Post-deployment guide
|
||||
|
||||
## Security
|
||||
|
||||
- **No hardcoded secrets** - All credentials managed via 1Password
|
||||
- **Template files** (`.template`) contain `op://` references
|
||||
- **Generated files** excluded from git (`.gitignore`)
|
||||
- **Caddy** provides automatic HTTPS
|
||||
- **Secret injection** at deployment time via `op inject`
|
||||
|
||||
## TODO
|
||||
|
||||
- [ ] Automatic spin up and registration of gitea runners (github compatible)
|
||||
- [ ] Earthly buildkit demon (not sattelite - with gitea runners we don't need earthly sattelites)
|
||||
- [ ] Earthly buildkit daemon (not satellite - with gitea runners we don't need earthly satellites)
|
||||
|
||||
Reference in New Issue
Block a user