mirror of
https://github.com/terraphim/gitea-infrastructure.git
synced 2026-07-16 00:00:32 +02:00
Complete infrastructure deployment including: - Docker Compose templates with 1Password integration (op://) - Caddy reverse proxy configuration for git.terraphim.cloud - Automated deployment script (deploy-to-bigbox.sh) - Comprehensive documentation and deployment article - Network isolation: Public (Gitea) + Tailscale (Prometheus/S3) - Security: No hardcoded secrets, all via 1Password Services deployed: - Gitea 1.22.6 (Git hosting) - PostgreSQL 15 (Database) - SeaweedFS (S3-compatible storage) - Prometheus (Monitoring) Excludes: - docker-compose.yml (contains resolved secrets) - s3_config.json (contains resolved secrets) - Data directories (gitea/, postgres/, seaweedfs/) Refs: Private deployment on bigbox with TerraphimPlatform vault
236 lines
5.4 KiB
Markdown
236 lines
5.4 KiB
Markdown
# Repository Setup Guide
|
|
|
|
## What to Include in Git
|
|
|
|
### ✅ Include These Files:
|
|
|
|
**Configuration Templates (Safe):**
|
|
- `docker-compose.yml.template` - Template with op:// references
|
|
- `s3_config.json.template` - Template with op:// references
|
|
- `Caddyfile` - Caddy configuration (no secrets)
|
|
|
|
**Documentation:**
|
|
- `README.md` - Project overview
|
|
- `ARTICLE-gitea-deployment.md` - Deployment article
|
|
- `.docs/` - All documentation
|
|
|
|
**Scripts:**
|
|
- `deploy-to-bigbox.sh` - Deployment automation
|
|
|
|
**Git Configuration:**
|
|
- `.gitignore` - Excludes secrets and data
|
|
|
|
### ❌ DO NOT Include:
|
|
|
|
**Files with Resolved Secrets:**
|
|
- ❌ `docker-compose.yml` - Contains actual passwords
|
|
- ❌ `s3_config.json` - Contains actual credentials
|
|
- ❌ `.env` - Environment variables with secrets
|
|
|
|
**Data Directories:**
|
|
- ❌ `gitea/` - Application data
|
|
- ❌ `postgres/` - Database files
|
|
- ❌ `seaweedfs/` - Object storage data
|
|
- ❌ `seaweedfs_filter/` - Filer data
|
|
|
|
**Logs:**
|
|
- ❌ `*.log` - Log files
|
|
|
|
## Step-by-Step: Create Repository and Push
|
|
|
|
### Step 1: Initialize Repository Locally
|
|
|
|
```bash
|
|
cd /home/alex/infrastructure/gitea_config
|
|
|
|
# Remove any existing git history (if needed)
|
|
# rm -rf .git
|
|
|
|
# Initialize fresh repository
|
|
git init
|
|
|
|
# Add all safe files
|
|
git add README.md
|
|
|
|
git add ARTICLE-gitea-deployment.md
|
|
|
|
git add Caddyfile
|
|
|
|
git add deploy-to-bigbox.sh
|
|
|
|
git add docker-compose.yml.template
|
|
|
|
git add s3_config.json.template
|
|
|
|
git add .gitignore
|
|
|
|
git add .docs/
|
|
|
|
# Commit
|
|
git commit -m "Initial commit: Gitea deployment configuration
|
|
|
|
- Docker Compose templates with 1Password integration
|
|
- Caddy reverse proxy configuration
|
|
- Deployment automation script
|
|
- Documentation and article
|
|
- Security: No secrets or data included"
|
|
```
|
|
|
|
### Step 2: Create Repository in Gitea
|
|
|
|
**Option A: Via Web Interface**
|
|
1. Go to https://git.terraphim.cloud
|
|
2. Click "+" → "New Repository"
|
|
3. Owner: Select "terraphim" organization
|
|
4. Repository Name: `gitea-infrastructure`
|
|
5. Visibility: **Private**
|
|
6. Check "Initialize Repository" (optional)
|
|
7. Click "Create Repository"
|
|
|
|
**Option B: Via Gitea CLI (if installed)**
|
|
```bash
|
|
# Create repository under terraphim org
|
|
gitea admin repo create \
|
|
--owner terraphim \
|
|
--name gitea-infrastructure \
|
|
--private \
|
|
--description "Gitea deployment configuration with 1Password and Caddy"
|
|
```
|
|
|
|
### Step 3: Add Remote and Push
|
|
|
|
```bash
|
|
# Add the Gitea remote
|
|
git remote add origin https://git.terraphim.cloud/terraphim/gitea-infrastructure.git
|
|
|
|
# Or use SSH:
|
|
# git remote add origin ssh://git@bigbox:222/terraphim/gitea-infrastructure.git
|
|
|
|
# Push to main branch
|
|
git branch -M main
|
|
git push -u origin main
|
|
```
|
|
|
|
### Step 4: Verify Repository
|
|
|
|
```bash
|
|
# Check repository on Gitea
|
|
curl -s https://git.terraphim.cloud/terraphim/gitea-infrastructure | head -20
|
|
|
|
# Or visit in browser:
|
|
# https://git.terraphim.cloud/terraphim/gitea-infrastructure
|
|
```
|
|
|
|
## Repository Structure After Push
|
|
|
|
```
|
|
gitea-infrastructure/
|
|
├── .docs/
|
|
│ ├── RESEARCH-gitea-bigbox-deployment.md
|
|
│ ├── IMPLEMENTATION-gitea-bigbox-deployment.md
|
|
│ ├── DEPLOYMENT-SUMMARY.md
|
|
│ └── summary-*.md
|
|
├── .gitignore
|
|
├── ARTICLE-gitea-deployment.md
|
|
├── Caddyfile
|
|
├── README.md
|
|
├── deploy-to-bigbox.sh
|
|
├── docker-compose.yml.template
|
|
└── s3_config.json.template
|
|
```
|
|
|
|
## Security Checklist
|
|
|
|
Before pushing, verify:
|
|
|
|
- [ ] No `docker-compose.yml` in repository (only `.template`)
|
|
- [ ] No `s3_config.json` in repository (only `.template`)
|
|
- [ ] No `.env` file
|
|
- [ ] No data directories (`gitea/`, `postgres/`, etc.)
|
|
- [ ] No log files
|
|
- [ ] All secrets use `op://` references in templates
|
|
- [ ] `.gitignore` properly configured
|
|
|
|
## Quick Verification Script
|
|
|
|
```bash
|
|
#!/bin/bash
|
|
echo "Checking for files that should NOT be committed..."
|
|
|
|
FORBIDDEN=(
|
|
"docker-compose.yml"
|
|
"s3_config.json"
|
|
".env"
|
|
"*.secret"
|
|
"*.decrypted"
|
|
)
|
|
|
|
for file in "${FORBIDDEN[@]}"; do
|
|
if [ -f "$file" ]; then
|
|
echo "❌ WARNING: $file exists (should not be committed)"
|
|
fi
|
|
done
|
|
|
|
echo ""
|
|
echo "Checking .gitignore..."
|
|
if grep -q "docker-compose.yml" .gitignore; then
|
|
echo "✅ docker-compose.yml is ignored"
|
|
else
|
|
echo "❌ docker-compose.yml is NOT ignored"
|
|
fi
|
|
|
|
if grep -q "s3_config.json" .gitignore; then
|
|
echo "✅ s3_config.json is ignored"
|
|
else
|
|
echo "❌ s3_config.json is NOT ignored"
|
|
fi
|
|
|
|
echo ""
|
|
echo "Files ready to commit:"
|
|
git ls-files
|
|
```
|
|
|
|
## Deploying from Repository
|
|
|
|
After cloning on a new machine:
|
|
|
|
```bash
|
|
# Clone repository
|
|
git clone https://git.terraphim.cloud/terraphim/gitea-infrastructure.git
|
|
cd gitea-infrastructure
|
|
|
|
# Create 1Password vault items (if not exist)
|
|
# See ARTICLE-gitea-deployment.md for instructions
|
|
|
|
# Source credentials and deploy
|
|
source ~/op_zesticai_non_prod.sh
|
|
op inject --in-file docker-compose.yml.template --out-file docker-compose.yml
|
|
op inject --in-file s3_config.json.template --out-file s3_config.json
|
|
|
|
# Start services
|
|
docker compose up -d
|
|
```
|
|
|
|
## Maintenance Workflow
|
|
|
|
**To update configuration:**
|
|
1. Edit `.template` files
|
|
2. Commit and push
|
|
3. On bigbox: `git pull` and re-run deployment
|
|
|
|
**To rotate secrets:**
|
|
1. Update in 1Password vault
|
|
2. On bigbox: Re-run `op inject` and `docker compose up -d`
|
|
3. No git changes needed!
|
|
|
|
**To backup data (NOT in git):**
|
|
```bash
|
|
# Backup data directories separately
|
|
rsync -avz bigbox:~/gitea-stack/gitea /backup/
|
|
rsync -avz bigbox:~/gitea-stack/postgres /backup/
|
|
```
|
|
|
|
---
|
|
|
|
**Repository:** https://git.terraphim.cloud/terraphim/gitea-infrastructure
|