mirror of
https://github.com/terraphim/gitea-infrastructure.git
synced 2026-07-16 01:00:33 +02:00
Complete infrastructure deployment including: - Docker Compose templates with 1Password integration (op://) - Caddy reverse proxy configuration for git.terraphim.cloud - Automated deployment script (deploy-to-bigbox.sh) - Comprehensive documentation and deployment article - Network isolation: Public (Gitea) + Tailscale (Prometheus/S3) - Security: No hardcoded secrets, all via 1Password Services deployed: - Gitea 1.22.6 (Git hosting) - PostgreSQL 15 (Database) - SeaweedFS (S3-compatible storage) - Prometheus (Monitoring) Excludes: - docker-compose.yml (contains resolved secrets) - s3_config.json (contains resolved secrets) - Data directories (gitea/, postgres/, seaweedfs/) Refs: Private deployment on bigbox with TerraphimPlatform vault
5.4 KiB
5.4 KiB
Repository Setup Guide
What to Include in Git
✅ Include These Files:
Configuration Templates (Safe):
docker-compose.yml.template- Template with op:// referencess3_config.json.template- Template with op:// referencesCaddyfile- Caddy configuration (no secrets)
Documentation:
README.md- Project overviewARTICLE-gitea-deployment.md- Deployment article.docs/- All documentation
Scripts:
deploy-to-bigbox.sh- Deployment automation
Git Configuration:
.gitignore- Excludes secrets and data
❌ DO NOT Include:
Files with Resolved Secrets:
- ❌
docker-compose.yml- Contains actual passwords - ❌
s3_config.json- Contains actual credentials - ❌
.env- Environment variables with secrets
Data Directories:
- ❌
gitea/- Application data - ❌
postgres/- Database files - ❌
seaweedfs/- Object storage data - ❌
seaweedfs_filter/- Filer data
Logs:
- ❌
*.log- Log files
Step-by-Step: Create Repository and Push
Step 1: Initialize Repository Locally
cd /home/alex/infrastructure/gitea_config
# Remove any existing git history (if needed)
# rm -rf .git
# Initialize fresh repository
git init
# Add all safe files
git add README.md
git add ARTICLE-gitea-deployment.md
git add Caddyfile
git add deploy-to-bigbox.sh
git add docker-compose.yml.template
git add s3_config.json.template
git add .gitignore
git add .docs/
# Commit
git commit -m "Initial commit: Gitea deployment configuration
- Docker Compose templates with 1Password integration
- Caddy reverse proxy configuration
- Deployment automation script
- Documentation and article
- Security: No secrets or data included"
Step 2: Create Repository in Gitea
Option A: Via Web Interface
- Go to https://git.terraphim.cloud
- Click "+" → "New Repository"
- Owner: Select "terraphim" organization
- Repository Name:
gitea-infrastructure - Visibility: Private
- Check "Initialize Repository" (optional)
- Click "Create Repository"
Option B: Via Gitea CLI (if installed)
# Create repository under terraphim org
gitea admin repo create \
--owner terraphim \
--name gitea-infrastructure \
--private \
--description "Gitea deployment configuration with 1Password and Caddy"
Step 3: Add Remote and Push
# Add the Gitea remote
git remote add origin https://git.terraphim.cloud/terraphim/gitea-infrastructure.git
# Or use SSH:
# git remote add origin ssh://git@bigbox:222/terraphim/gitea-infrastructure.git
# Push to main branch
git branch -M main
git push -u origin main
Step 4: Verify Repository
# Check repository on Gitea
curl -s https://git.terraphim.cloud/terraphim/gitea-infrastructure | head -20
# Or visit in browser:
# https://git.terraphim.cloud/terraphim/gitea-infrastructure
Repository Structure After Push
gitea-infrastructure/
├── .docs/
│ ├── RESEARCH-gitea-bigbox-deployment.md
│ ├── IMPLEMENTATION-gitea-bigbox-deployment.md
│ ├── DEPLOYMENT-SUMMARY.md
│ └── summary-*.md
├── .gitignore
├── ARTICLE-gitea-deployment.md
├── Caddyfile
├── README.md
├── deploy-to-bigbox.sh
├── docker-compose.yml.template
└── s3_config.json.template
Security Checklist
Before pushing, verify:
- No
docker-compose.ymlin repository (only.template) - No
s3_config.jsonin repository (only.template) - No
.envfile - No data directories (
gitea/,postgres/, etc.) - No log files
- All secrets use
op://references in templates .gitignoreproperly configured
Quick Verification Script
#!/bin/bash
echo "Checking for files that should NOT be committed..."
FORBIDDEN=(
"docker-compose.yml"
"s3_config.json"
".env"
"*.secret"
"*.decrypted"
)
for file in "${FORBIDDEN[@]}"; do
if [ -f "$file" ]; then
echo "❌ WARNING: $file exists (should not be committed)"
fi
done
echo ""
echo "Checking .gitignore..."
if grep -q "docker-compose.yml" .gitignore; then
echo "✅ docker-compose.yml is ignored"
else
echo "❌ docker-compose.yml is NOT ignored"
fi
if grep -q "s3_config.json" .gitignore; then
echo "✅ s3_config.json is ignored"
else
echo "❌ s3_config.json is NOT ignored"
fi
echo ""
echo "Files ready to commit:"
git ls-files
Deploying from Repository
After cloning on a new machine:
# Clone repository
git clone https://git.terraphim.cloud/terraphim/gitea-infrastructure.git
cd gitea-infrastructure
# Create 1Password vault items (if not exist)
# See ARTICLE-gitea-deployment.md for instructions
# Source credentials and deploy
source ~/op_zesticai_non_prod.sh
op inject --in-file docker-compose.yml.template --out-file docker-compose.yml
op inject --in-file s3_config.json.template --out-file s3_config.json
# Start services
docker compose up -d
Maintenance Workflow
To update configuration:
- Edit
.templatefiles - Commit and push
- On bigbox:
git pulland re-run deployment
To rotate secrets:
- Update in 1Password vault
- On bigbox: Re-run
op injectanddocker compose up -d - No git changes needed!
To backup data (NOT in git):
# Backup data directories separately
rsync -avz bigbox:~/gitea-stack/gitea /backup/
rsync -avz bigbox:~/gitea-stack/postgres /backup/
Repository: https://git.terraphim.cloud/terraphim/gitea-infrastructure