mirror of
https://github.com/terraphim/gitea-infrastructure.git
synced 2026-07-16 01:00:33 +02:00
Complete infrastructure deployment including: - Docker Compose templates with 1Password integration (op://) - Caddy reverse proxy configuration for git.terraphim.cloud - Automated deployment script (deploy-to-bigbox.sh) - Comprehensive documentation and deployment article - Network isolation: Public (Gitea) + Tailscale (Prometheus/S3) - Security: No hardcoded secrets, all via 1Password Services deployed: - Gitea 1.22.6 (Git hosting) - PostgreSQL 15 (Database) - SeaweedFS (S3-compatible storage) - Prometheus (Monitoring) Excludes: - docker-compose.yml (contains resolved secrets) - s3_config.json (contains resolved secrets) - Data directories (gitea/, postgres/, seaweedfs/) Refs: Private deployment on bigbox with TerraphimPlatform vault
324 lines
9.4 KiB
Markdown
324 lines
9.4 KiB
Markdown
# Gitea Stack Deployment Summary
|
|
|
|
**Date**: 2026-02-16
|
|
**Target**: bigbox (via SSH)
|
|
**Status**: Ready for deployment
|
|
|
|
## What Was Done
|
|
|
|
### 1. Disciplined Research (Phase 1)
|
|
Created comprehensive research document analyzing:
|
|
- Current Docker Compose stack (Gitea, PostgreSQL, SeaweedFS, Prometheus)
|
|
- Bigbox environment (125GB RAM, 367GB free, Docker 28.1.1, 1Password CLI installed)
|
|
- Security requirements (eliminate hardcoded credentials)
|
|
- Caddy reverse proxy integration
|
|
|
|
**File**: `.docs/RESEARCH-gitea-bigbox-deployment.md`
|
|
|
|
### 2. Disciplined Design (Phase 2)
|
|
Created implementation plan with:
|
|
- 1Password secrets management using `op inject`
|
|
- Template files with `op://` references
|
|
- Caddy reverse proxy configuration with automatic HTTPS
|
|
- 10-step deployment process
|
|
- Complete rollback plan
|
|
|
|
**File**: `.docs/IMPLEMENTATION-gitea-bigbox-deployment.md`
|
|
|
|
### 3. Implementation Artifacts Created
|
|
|
|
#### Template Files (Safe to Commit)
|
|
- `docker-compose.yml.template` - Docker Compose with 1Password references
|
|
- `s3_config.json.template` - SeaweedFS S3 config with 1Password references
|
|
- `Caddyfile` - Caddy reverse proxy configuration
|
|
- `.gitignore` - Excludes secrets and data directories
|
|
|
|
#### Deployment Script
|
|
- `deploy-to-bigbox.sh` - Automated deployment script
|
|
|
|
#### Generated Files (NOT in Git - Created at Deploy Time)
|
|
- `docker-compose.yml` - Secrets injected via `op inject`
|
|
- `s3_config.json` - Secrets injected via `op inject`
|
|
|
|
## 1Password Integration
|
|
|
|
### Prerequisites on Bigbox
|
|
1. 1Password CLI installed (`/usr/bin/op`)
|
|
2. Service account script: `~/op_zesticai_non_prod.sh`
|
|
3. Valid service account token configured
|
|
|
|
### Required Vault Items
|
|
Create these in the `zesticai-non-prod` vault:
|
|
|
|
```bash
|
|
# Create gitea-postgres item
|
|
op item create \
|
|
--vault="zesticai-non-prod" \
|
|
--category=login \
|
|
--title="gitea-postgres" \
|
|
--generate-password=20,letters,digits \
|
|
username=gitea
|
|
|
|
# Create gitea-s3 item
|
|
op item create \
|
|
--vault="zesticai-non-prod" \
|
|
--category=custom \
|
|
--title="gitea-s3" \
|
|
access-key="$(openssl rand -hex 20)" \
|
|
secret-key="$(openssl rand -hex 40)"
|
|
```
|
|
|
|
### How It Works
|
|
1. **Template Creation**: Files use `op://vault/item/field` syntax
|
|
2. **Authentication**: Source `op_zesticai_non_prod.sh` to set `OP_SERVICE_ACCOUNT_TOKEN`
|
|
3. **Secret Injection**: Run `op inject --in-file template --out-file config`
|
|
4. **Deployment**: Use injected config files with Docker Compose
|
|
|
|
## Network Architecture
|
|
|
|
### Public Access (via Caddy HTTPS)
|
|
Bigbox already runs Caddy with existing services (terraphim.cloud, privacy1st.org). We add Gitea to the existing instance:
|
|
|
|
| Service | Domain | Backend | Access |
|
|
|---------|--------|---------|--------|
|
|
| Gitea | git.terraphim.cloud | localhost:3000 | Public HTTPS |
|
|
|
|
### Tailscale Network Only (100.106.66.7)
|
|
These services are bound to the Tailscale interface and are NOT accessible from the public internet:
|
|
|
|
| Service | Address | Purpose |
|
|
|---------|---------|---------|
|
|
| Prometheus | 100.106.66.7:9000 | Monitoring |
|
|
| S3 API | 100.106.66.7:8333 | Object storage |
|
|
| S3 Metrics | 100.106.66.7:9327 | Prometheus metrics |
|
|
|
|
### SSH Access
|
|
- **Port 222**: Git over SSH (exposed on all interfaces)
|
|
- **Command**: `git clone ssh://git@bigbox:222/owner/repo.git`
|
|
|
|
### Internal Services (Docker Network Only)
|
|
- PostgreSQL: Internal Docker network only
|
|
- SeaweedFS Master, Volume, Filer: Internal Docker network only
|
|
|
|
### Caddy Configuration
|
|
- **Existing Instance**: Caddy already running on bigbox
|
|
- **Route Addition**: Gitea route added via Caddy Admin API
|
|
- **SSL**: Automatic HTTPS via Let's Encrypt
|
|
- **Logging**: JSON format to `/var/log/caddy/gitea-access.log`
|
|
|
|
## Deployment Steps
|
|
|
|
### Option 1: Automated (Recommended)
|
|
```bash
|
|
# 1. Create 1Password items first (see above)
|
|
|
|
# 2. Run deployment script
|
|
./deploy-to-bigbox.sh
|
|
```
|
|
|
|
### Option 2: Manual Step-by-Step
|
|
See `.docs/IMPLEMENTATION-gitea-bigbox-deployment.md` for detailed manual steps.
|
|
|
|
## Post-Deployment
|
|
|
|
### Access URLs
|
|
After deployment, services will be available at:
|
|
|
|
**Public Access (HTTPS via Caddy):**
|
|
- **Gitea Web**: https://git.terraphim.cloud
|
|
- **Gitea SSH**: ssh://bigbox:222
|
|
|
|
**Tailscale Network Only (requires Tailscale connection):**
|
|
- **Prometheus**: http://100.106.66.7:9000
|
|
- **S3 API**: http://100.106.66.7:8333
|
|
- **S3 Metrics**: http://100.106.66.7:9327
|
|
|
|
**Local Development (on bigbox):**
|
|
- **Gitea**: http://localhost:3000
|
|
|
|
**Important:** Prometheus and S3 are intentionally NOT accessible from the public internet. They are bound to the Tailscale interface (100.106.66.7) and require connection to the Tailscale VPN.
|
|
|
|
### Immediate Actions
|
|
1. **Update DNS**: Add entries to your DNS or local `/etc/hosts`
|
|
2. **Gitea Setup**: Complete initial setup at http://bigbox:3000
|
|
3. **Change Password**: Update default admin password immediately
|
|
4. **Verify Caddy**: Check SSL certificates are generated
|
|
|
|
### Useful Commands
|
|
```bash
|
|
# Check service status
|
|
ssh bigbox "cd ~/gitea-stack && docker compose ps"
|
|
|
|
# View logs
|
|
ssh bigbox "cd ~/gitea-stack && docker compose logs -f"
|
|
|
|
# View Caddy logs
|
|
ssh bigbox "sudo tail -f /var/log/caddy/*.log"
|
|
|
|
# Restart services
|
|
ssh bigbox "cd ~/gitea-stack && docker compose restart"
|
|
|
|
# Reload Caddy config
|
|
ssh bigbox "sudo caddy reload --config /etc/caddy/Caddyfile"
|
|
```
|
|
|
|
## Security Improvements
|
|
|
|
### Before (Hardcoded Secrets)
|
|
- S3 credentials in `s3_config.json`
|
|
- Database password in `docker-compose.yml`
|
|
- Secrets committed to git
|
|
|
|
### After (1Password Managed)
|
|
- All secrets in 1Password vault
|
|
- Template files only contain references (`op://`)
|
|
- Secrets injected at deployment time
|
|
- Easy secret rotation via 1Password
|
|
- `.gitignore` prevents accidental commits
|
|
|
|
### Caddy Security
|
|
- Automatic HTTPS (Let's Encrypt)
|
|
- No manual certificate management
|
|
- Request logging for audit trail
|
|
- Easy to add basic authentication
|
|
|
|
## Rollback
|
|
|
|
If deployment fails:
|
|
```bash
|
|
# Stop services
|
|
ssh bigbox "cd ~/gitea-stack && docker compose down"
|
|
|
|
# Stop Caddy
|
|
ssh bigbox "sudo pkill caddy || sudo systemctl stop caddy"
|
|
|
|
# Remove deployment
|
|
ssh bigbox "rm -rf ~/gitea-stack"
|
|
|
|
# Remove Caddy config
|
|
ssh bigbox "sudo rm /etc/caddy/Caddyfile"
|
|
```
|
|
|
|
## Files Changed/Created
|
|
|
|
### New Files
|
|
1. `.docs/RESEARCH-gitea-bigbox-deployment.md` - Research findings
|
|
2. `.docs/IMPLEMENTATION-gitea-bigbox-deployment.md` - Implementation plan
|
|
3. `docker-compose.yml.template` - Compose template with 1Password refs
|
|
4. `s3_config.json.template` - S3 config template with 1Password refs
|
|
5. `Caddyfile` - Caddy reverse proxy configuration
|
|
6. `.gitignore` - Excludes secrets and data
|
|
7. `deploy-to-bigbox.sh` - Automated deployment script
|
|
8. `.docs/DEPLOYMENT-SUMMARY.md` - This file
|
|
|
|
### Modified Files
|
|
- None (original docker-compose.yml and s3_config.json remain unchanged)
|
|
|
|
### Files Excluded from Git
|
|
- `docker-compose.yml` (contains resolved secrets)
|
|
- `s3_config.json` (contains resolved secrets)
|
|
- `.env` (if created)
|
|
- `gitea/`, `postgres/`, `seaweedfs/` (data directories)
|
|
|
|
## Next Steps
|
|
|
|
1. **Create 1Password Items**: Run the `op item create` commands
|
|
2. **Update Domains**: Caddyfile already configured for `git.terraphim.cloud`
|
|
3. **Run Deployment**: Execute `./deploy-to-bigbox.sh`
|
|
4. **Verify**: Check all services are accessible
|
|
5. **Document**: Update this summary with actual domain names and any issues
|
|
|
|
## Troubleshooting
|
|
|
|
### 1Password Authentication Fails
|
|
```bash
|
|
# Test on bigbox
|
|
ssh bigbox
|
|
source ~/op_zesticai_non_prod.sh
|
|
op vault list
|
|
|
|
# If it fails, check service account token is valid
|
|
```
|
|
|
|
### Caddy Route Not Working
|
|
```bash
|
|
# Check if Caddy is running
|
|
ssh bigbox "pgrep -x caddy"
|
|
|
|
# Check existing Caddy routes
|
|
ssh bigbox "curl -s http://localhost:2019/config/apps/http/servers/srv0/routes | grep git.terraphim"
|
|
|
|
# Check Caddy logs
|
|
ssh bigbox "sudo tail -f /var/log/caddy/*.log"
|
|
|
|
# Verify Gitea is responding on localhost:3000
|
|
ssh bigbox "curl http://localhost:3000/api/healthz"
|
|
```
|
|
|
|
### Services Not Accessible
|
|
```bash
|
|
# Check container logs
|
|
ssh bigbox "cd ~/gitea-stack && docker compose logs"
|
|
|
|
# Check if containers are running
|
|
ssh bigbox "cd ~/gitea-stack && docker compose ps"
|
|
|
|
# Check Gitea (public via Caddy)
|
|
curl https://git.terraphim.cloud/api/healthz
|
|
|
|
# Check Prometheus/S3 (Tailscale only - must be on Tailscale network)
|
|
curl http://100.106.66.7:9000/-/healthy
|
|
curl http://100.106.66.7:8333
|
|
```
|
|
|
|
### Cannot Access Prometheus or S3
|
|
These services are bound to the Tailscale interface (100.106.66.7) only:
|
|
```bash
|
|
# Verify you're connected to Tailscale
|
|
tailscale status
|
|
|
|
# Verify you can reach the Tailscale IP
|
|
ping 100.106.66.7
|
|
|
|
# Then access services
|
|
curl http://100.106.66.7:9000/-/healthy
|
|
curl http://100.106.66.7:8333
|
|
```
|
|
|
|
### Secret Injection Fails
|
|
```bash
|
|
# Test op inject manually
|
|
ssh bigbox "cd ~/gitea-stack && source ~/op_zesticai_non_prod.sh && op inject --in-file docker-compose.yml.template --dry-run"
|
|
```
|
|
|
|
## Maintenance
|
|
|
|
### Rotating Secrets
|
|
1. Update secret in 1Password vault
|
|
2. Re-run deployment: `./deploy-to-bigbox.sh`
|
|
3. Or manually:
|
|
```bash
|
|
ssh bigbox "cd ~/gitea-stack && source ~/op_zesticai_non_prod.sh && op inject --in-file docker-compose.yml.template --out-file docker-compose.yml && docker compose up -d"
|
|
```
|
|
|
|
### Backup
|
|
```bash
|
|
# Backup data directories
|
|
rsync -avz bigbox:~/gitea-stack/gitea ./backup/
|
|
rsync -avz bigbox:~/gitea-stack/postgres ./backup/
|
|
rsync -avz bigbox:~/gitea-stack/seaweedfs ./backup/
|
|
```
|
|
|
|
### Updates
|
|
```bash
|
|
# Update images
|
|
ssh bigbox "cd ~/gitea-stack && docker compose pull && docker compose up -d"
|
|
|
|
# Update Caddy
|
|
ssh bigbox "sudo apt update && sudo apt upgrade caddy"
|
|
```
|
|
|
|
---
|
|
|
|
**Ready to deploy!** Run `./deploy-to-bigbox.sh` after creating the 1Password vault items.
|