Files
Alex 4a4a0351aa feat: Gitea deployment with 1Password and Caddy
Complete infrastructure deployment including:
- Docker Compose templates with 1Password integration (op://)
- Caddy reverse proxy configuration for git.terraphim.cloud
- Automated deployment script (deploy-to-bigbox.sh)
- Comprehensive documentation and deployment article
- Network isolation: Public (Gitea) + Tailscale (Prometheus/S3)
- Security: No hardcoded secrets, all via 1Password

Services deployed:
- Gitea 1.22.6 (Git hosting)
- PostgreSQL 15 (Database)
- SeaweedFS (S3-compatible storage)
- Prometheus (Monitoring)

Excludes:
- docker-compose.yml (contains resolved secrets)
- s3_config.json (contains resolved secrets)
- Data directories (gitea/, postgres/, seaweedfs/)

Refs: Private deployment on bigbox with TerraphimPlatform vault
2026-02-16 19:40:19 +00:00

5.4 KiB

Repository Setup Guide

What to Include in Git

Include These Files:

Configuration Templates (Safe):

  • docker-compose.yml.template - Template with op:// references
  • s3_config.json.template - Template with op:// references
  • Caddyfile - Caddy configuration (no secrets)

Documentation:

  • README.md - Project overview
  • ARTICLE-gitea-deployment.md - Deployment article
  • .docs/ - All documentation

Scripts:

  • deploy-to-bigbox.sh - Deployment automation

Git Configuration:

  • .gitignore - Excludes secrets and data

DO NOT Include:

Files with Resolved Secrets:

  • docker-compose.yml - Contains actual passwords
  • s3_config.json - Contains actual credentials
  • .env - Environment variables with secrets

Data Directories:

  • gitea/ - Application data
  • postgres/ - Database files
  • seaweedfs/ - Object storage data
  • seaweedfs_filter/ - Filer data

Logs:

  • *.log - Log files

Step-by-Step: Create Repository and Push

Step 1: Initialize Repository Locally

cd /home/alex/infrastructure/gitea_config

# Remove any existing git history (if needed)
# rm -rf .git

# Initialize fresh repository
git init

# Add all safe files
git add README.md

git add ARTICLE-gitea-deployment.md

git add Caddyfile

git add deploy-to-bigbox.sh

git add docker-compose.yml.template

git add s3_config.json.template

git add .gitignore

git add .docs/

# Commit
git commit -m "Initial commit: Gitea deployment configuration

- Docker Compose templates with 1Password integration
- Caddy reverse proxy configuration
- Deployment automation script
- Documentation and article
- Security: No secrets or data included"

Step 2: Create Repository in Gitea

Option A: Via Web Interface

  1. Go to https://git.terraphim.cloud
  2. Click "+" → "New Repository"
  3. Owner: Select "terraphim" organization
  4. Repository Name: gitea-infrastructure
  5. Visibility: Private
  6. Check "Initialize Repository" (optional)
  7. Click "Create Repository"

Option B: Via Gitea CLI (if installed)

# Create repository under terraphim org
gitea admin repo create \
  --owner terraphim \
  --name gitea-infrastructure \
  --private \
  --description "Gitea deployment configuration with 1Password and Caddy"

Step 3: Add Remote and Push

# Add the Gitea remote
git remote add origin https://git.terraphim.cloud/terraphim/gitea-infrastructure.git

# Or use SSH:
# git remote add origin ssh://git@bigbox:222/terraphim/gitea-infrastructure.git

# Push to main branch
git branch -M main
git push -u origin main

Step 4: Verify Repository

# Check repository on Gitea
curl -s https://git.terraphim.cloud/terraphim/gitea-infrastructure | head -20

# Or visit in browser:
# https://git.terraphim.cloud/terraphim/gitea-infrastructure

Repository Structure After Push

gitea-infrastructure/
├── .docs/
│   ├── RESEARCH-gitea-bigbox-deployment.md
│   ├── IMPLEMENTATION-gitea-bigbox-deployment.md
│   ├── DEPLOYMENT-SUMMARY.md
│   └── summary-*.md
├── .gitignore
├── ARTICLE-gitea-deployment.md
├── Caddyfile
├── README.md
├── deploy-to-bigbox.sh
├── docker-compose.yml.template
└── s3_config.json.template

Security Checklist

Before pushing, verify:

  • No docker-compose.yml in repository (only .template)
  • No s3_config.json in repository (only .template)
  • No .env file
  • No data directories (gitea/, postgres/, etc.)
  • No log files
  • All secrets use op:// references in templates
  • .gitignore properly configured

Quick Verification Script

#!/bin/bash
echo "Checking for files that should NOT be committed..."

FORBIDDEN=(
  "docker-compose.yml"
  "s3_config.json"
  ".env"
  "*.secret"
  "*.decrypted"
)

for file in "${FORBIDDEN[@]}"; do
  if [ -f "$file" ]; then
    echo "❌ WARNING: $file exists (should not be committed)"
  fi
done

echo ""
echo "Checking .gitignore..."
if grep -q "docker-compose.yml" .gitignore; then
  echo "✅ docker-compose.yml is ignored"
else
  echo "❌ docker-compose.yml is NOT ignored"
fi

if grep -q "s3_config.json" .gitignore; then
  echo "✅ s3_config.json is ignored"
else
  echo "❌ s3_config.json is NOT ignored"
fi

echo ""
echo "Files ready to commit:"
git ls-files

Deploying from Repository

After cloning on a new machine:

# Clone repository
git clone https://git.terraphim.cloud/terraphim/gitea-infrastructure.git
cd gitea-infrastructure

# Create 1Password vault items (if not exist)
# See ARTICLE-gitea-deployment.md for instructions

# Source credentials and deploy
source ~/op_zesticai_non_prod.sh
op inject --in-file docker-compose.yml.template --out-file docker-compose.yml
op inject --in-file s3_config.json.template --out-file s3_config.json

# Start services
docker compose up -d

Maintenance Workflow

To update configuration:

  1. Edit .template files
  2. Commit and push
  3. On bigbox: git pull and re-run deployment

To rotate secrets:

  1. Update in 1Password vault
  2. On bigbox: Re-run op inject and docker compose up -d
  3. No git changes needed!

To backup data (NOT in git):

# Backup data directories separately
rsync -avz bigbox:~/gitea-stack/gitea /backup/
rsync -avz bigbox:~/gitea-stack/postgres /backup/

Repository: https://git.terraphim.cloud/terraphim/gitea-infrastructure