Alex 4a4a0351aa feat: Gitea deployment with 1Password and Caddy
Complete infrastructure deployment including:
- Docker Compose templates with 1Password integration (op://)
- Caddy reverse proxy configuration for git.terraphim.cloud
- Automated deployment script (deploy-to-bigbox.sh)
- Comprehensive documentation and deployment article
- Network isolation: Public (Gitea) + Tailscale (Prometheus/S3)
- Security: No hardcoded secrets, all via 1Password

Services deployed:
- Gitea 1.22.6 (Git hosting)
- PostgreSQL 15 (Database)
- SeaweedFS (S3-compatible storage)
- Prometheus (Monitoring)

Excludes:
- docker-compose.yml (contains resolved secrets)
- s3_config.json (contains resolved secrets)
- Data directories (gitea/, postgres/, seaweedfs/)

Refs: Private deployment on bigbox with TerraphimPlatform vault
2026-02-16 19:40:19 +00:00

Ultimate Build Machine using Gitea

Self-hosted Git infrastructure with S3-compatible storage, monitoring, and proper secrets management.

Stack Components

  • Gitea (1.22.6) - Git hosting with Actions and LFS support
  • PostgreSQL (15) - Database
  • SeaweedFS - Distributed S3-compatible object storage
  • Prometheus (v2.21.0) - Metrics and monitoring
  • Caddy - Reverse proxy with automatic HTTPS
  • 1Password - Secrets management via op inject

Quick Start

Prerequisites

  1. 1Password Vault Items - Create in zesticai-non-prod vault:

    op item create --vault="zesticai-non-prod" --category=login \
      --title="gitea-postgres" --generate-password=20 username=gitea
    
    op item create --vault="zesticai-non-prod" --category=custom \
      --title="gitea-s3" access-key="$(openssl rand -hex 20)" \
      secret-key="$(openssl rand -hex 40)"
    
  2. SSH Access - Ensure ssh bigbox works

  3. 1Password Service Account - ~/op_zesticai_non_prod.sh on bigbox

Deploy to Bigbox

./deploy-to-bigbox.sh

Access Services

After deployment:

Public (via HTTPS on terraphim.cloud):

Tailscale Network Only (100.106.66.7):

Note: Prometheus and S3 are only accessible within the Tailscale VPN network, not from the public internet.

Documentation

Security

  • No hardcoded secrets - All credentials managed via 1Password
  • Template files (.template) contain op:// references
  • Generated files excluded from git (.gitignore)
  • Caddy provides automatic HTTPS
  • Secret injection at deployment time via op inject

TODO

  • Automatic spin up and registration of gitea runners (github compatible)
  • Earthly buildkit daemon (not satellite - with gitea runners we don't need earthly satellites)
Description
Gitea deployment configuration with 1Password, Caddy, and Tailscale
Readme 637 KiB
Languages
Shell 100%