mirror of
https://github.com/terraphim/gitea-infrastructure.git
synced 2026-07-16 00:00:32 +02:00
feat: Gitea deployment with 1Password and Caddy
Complete infrastructure deployment including: - Docker Compose templates with 1Password integration (op://) - Caddy reverse proxy configuration for git.terraphim.cloud - Automated deployment script (deploy-to-bigbox.sh) - Comprehensive documentation and deployment article - Network isolation: Public (Gitea) + Tailscale (Prometheus/S3) - Security: No hardcoded secrets, all via 1Password Services deployed: - Gitea 1.22.6 (Git hosting) - PostgreSQL 15 (Database) - SeaweedFS (S3-compatible storage) - Prometheus (Monitoring) Excludes: - docker-compose.yml (contains resolved secrets) - s3_config.json (contains resolved secrets) - Data directories (gitea/, postgres/, seaweedfs/) Refs: Private deployment on bigbox with TerraphimPlatform vault
This commit is contained in:
@@ -0,0 +1,235 @@
|
||||
# Repository Setup Guide
|
||||
|
||||
## What to Include in Git
|
||||
|
||||
### ✅ Include These Files:
|
||||
|
||||
**Configuration Templates (Safe):**
|
||||
- `docker-compose.yml.template` - Template with op:// references
|
||||
- `s3_config.json.template` - Template with op:// references
|
||||
- `Caddyfile` - Caddy configuration (no secrets)
|
||||
|
||||
**Documentation:**
|
||||
- `README.md` - Project overview
|
||||
- `ARTICLE-gitea-deployment.md` - Deployment article
|
||||
- `.docs/` - All documentation
|
||||
|
||||
**Scripts:**
|
||||
- `deploy-to-bigbox.sh` - Deployment automation
|
||||
|
||||
**Git Configuration:**
|
||||
- `.gitignore` - Excludes secrets and data
|
||||
|
||||
### ❌ DO NOT Include:
|
||||
|
||||
**Files with Resolved Secrets:**
|
||||
- ❌ `docker-compose.yml` - Contains actual passwords
|
||||
- ❌ `s3_config.json` - Contains actual credentials
|
||||
- ❌ `.env` - Environment variables with secrets
|
||||
|
||||
**Data Directories:**
|
||||
- ❌ `gitea/` - Application data
|
||||
- ❌ `postgres/` - Database files
|
||||
- ❌ `seaweedfs/` - Object storage data
|
||||
- ❌ `seaweedfs_filter/` - Filer data
|
||||
|
||||
**Logs:**
|
||||
- ❌ `*.log` - Log files
|
||||
|
||||
## Step-by-Step: Create Repository and Push
|
||||
|
||||
### Step 1: Initialize Repository Locally
|
||||
|
||||
```bash
|
||||
cd /home/alex/infrastructure/gitea_config
|
||||
|
||||
# Remove any existing git history (if needed)
|
||||
# rm -rf .git
|
||||
|
||||
# Initialize fresh repository
|
||||
git init
|
||||
|
||||
# Add all safe files
|
||||
git add README.md
|
||||
|
||||
git add ARTICLE-gitea-deployment.md
|
||||
|
||||
git add Caddyfile
|
||||
|
||||
git add deploy-to-bigbox.sh
|
||||
|
||||
git add docker-compose.yml.template
|
||||
|
||||
git add s3_config.json.template
|
||||
|
||||
git add .gitignore
|
||||
|
||||
git add .docs/
|
||||
|
||||
# Commit
|
||||
git commit -m "Initial commit: Gitea deployment configuration
|
||||
|
||||
- Docker Compose templates with 1Password integration
|
||||
- Caddy reverse proxy configuration
|
||||
- Deployment automation script
|
||||
- Documentation and article
|
||||
- Security: No secrets or data included"
|
||||
```
|
||||
|
||||
### Step 2: Create Repository in Gitea
|
||||
|
||||
**Option A: Via Web Interface**
|
||||
1. Go to https://git.terraphim.cloud
|
||||
2. Click "+" → "New Repository"
|
||||
3. Owner: Select "terraphim" organization
|
||||
4. Repository Name: `gitea-infrastructure`
|
||||
5. Visibility: **Private**
|
||||
6. Check "Initialize Repository" (optional)
|
||||
7. Click "Create Repository"
|
||||
|
||||
**Option B: Via Gitea CLI (if installed)**
|
||||
```bash
|
||||
# Create repository under terraphim org
|
||||
gitea admin repo create \
|
||||
--owner terraphim \
|
||||
--name gitea-infrastructure \
|
||||
--private \
|
||||
--description "Gitea deployment configuration with 1Password and Caddy"
|
||||
```
|
||||
|
||||
### Step 3: Add Remote and Push
|
||||
|
||||
```bash
|
||||
# Add the Gitea remote
|
||||
git remote add origin https://git.terraphim.cloud/terraphim/gitea-infrastructure.git
|
||||
|
||||
# Or use SSH:
|
||||
# git remote add origin ssh://git@bigbox:222/terraphim/gitea-infrastructure.git
|
||||
|
||||
# Push to main branch
|
||||
git branch -M main
|
||||
git push -u origin main
|
||||
```
|
||||
|
||||
### Step 4: Verify Repository
|
||||
|
||||
```bash
|
||||
# Check repository on Gitea
|
||||
curl -s https://git.terraphim.cloud/terraphim/gitea-infrastructure | head -20
|
||||
|
||||
# Or visit in browser:
|
||||
# https://git.terraphim.cloud/terraphim/gitea-infrastructure
|
||||
```
|
||||
|
||||
## Repository Structure After Push
|
||||
|
||||
```
|
||||
gitea-infrastructure/
|
||||
├── .docs/
|
||||
│ ├── RESEARCH-gitea-bigbox-deployment.md
|
||||
│ ├── IMPLEMENTATION-gitea-bigbox-deployment.md
|
||||
│ ├── DEPLOYMENT-SUMMARY.md
|
||||
│ └── summary-*.md
|
||||
├── .gitignore
|
||||
├── ARTICLE-gitea-deployment.md
|
||||
├── Caddyfile
|
||||
├── README.md
|
||||
├── deploy-to-bigbox.sh
|
||||
├── docker-compose.yml.template
|
||||
└── s3_config.json.template
|
||||
```
|
||||
|
||||
## Security Checklist
|
||||
|
||||
Before pushing, verify:
|
||||
|
||||
- [ ] No `docker-compose.yml` in repository (only `.template`)
|
||||
- [ ] No `s3_config.json` in repository (only `.template`)
|
||||
- [ ] No `.env` file
|
||||
- [ ] No data directories (`gitea/`, `postgres/`, etc.)
|
||||
- [ ] No log files
|
||||
- [ ] All secrets use `op://` references in templates
|
||||
- [ ] `.gitignore` properly configured
|
||||
|
||||
## Quick Verification Script
|
||||
|
||||
```bash
|
||||
#!/bin/bash
|
||||
echo "Checking for files that should NOT be committed..."
|
||||
|
||||
FORBIDDEN=(
|
||||
"docker-compose.yml"
|
||||
"s3_config.json"
|
||||
".env"
|
||||
"*.secret"
|
||||
"*.decrypted"
|
||||
)
|
||||
|
||||
for file in "${FORBIDDEN[@]}"; do
|
||||
if [ -f "$file" ]; then
|
||||
echo "❌ WARNING: $file exists (should not be committed)"
|
||||
fi
|
||||
done
|
||||
|
||||
echo ""
|
||||
echo "Checking .gitignore..."
|
||||
if grep -q "docker-compose.yml" .gitignore; then
|
||||
echo "✅ docker-compose.yml is ignored"
|
||||
else
|
||||
echo "❌ docker-compose.yml is NOT ignored"
|
||||
fi
|
||||
|
||||
if grep -q "s3_config.json" .gitignore; then
|
||||
echo "✅ s3_config.json is ignored"
|
||||
else
|
||||
echo "❌ s3_config.json is NOT ignored"
|
||||
fi
|
||||
|
||||
echo ""
|
||||
echo "Files ready to commit:"
|
||||
git ls-files
|
||||
```
|
||||
|
||||
## Deploying from Repository
|
||||
|
||||
After cloning on a new machine:
|
||||
|
||||
```bash
|
||||
# Clone repository
|
||||
git clone https://git.terraphim.cloud/terraphim/gitea-infrastructure.git
|
||||
cd gitea-infrastructure
|
||||
|
||||
# Create 1Password vault items (if not exist)
|
||||
# See ARTICLE-gitea-deployment.md for instructions
|
||||
|
||||
# Source credentials and deploy
|
||||
source ~/op_zesticai_non_prod.sh
|
||||
op inject --in-file docker-compose.yml.template --out-file docker-compose.yml
|
||||
op inject --in-file s3_config.json.template --out-file s3_config.json
|
||||
|
||||
# Start services
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
## Maintenance Workflow
|
||||
|
||||
**To update configuration:**
|
||||
1. Edit `.template` files
|
||||
2. Commit and push
|
||||
3. On bigbox: `git pull` and re-run deployment
|
||||
|
||||
**To rotate secrets:**
|
||||
1. Update in 1Password vault
|
||||
2. On bigbox: Re-run `op inject` and `docker compose up -d`
|
||||
3. No git changes needed!
|
||||
|
||||
**To backup data (NOT in git):**
|
||||
```bash
|
||||
# Backup data directories separately
|
||||
rsync -avz bigbox:~/gitea-stack/gitea /backup/
|
||||
rsync -avz bigbox:~/gitea-stack/postgres /backup/
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
**Repository:** https://git.terraphim.cloud/terraphim/gitea-infrastructure
|
||||
Reference in New Issue
Block a user