From 6dd7592ac959850e59fc4d949d456d7bc5d6976d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gon=C3=A7alo=20Rodrigues?= <95761178+GoncaloRodri@users.noreply.github.com>
Date: Fri, 26 Jun 2026 22:06:06 +0100
Subject: [PATCH] fix(gitea): add TLS, scheme helper, and Skaffold registry config (#41)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Changes from PR #40 that didn't make it into main:
- local.scheme derived from var.domain (http for homelab.local, https otherwise)
- Gitea ROOT_URL and runner bootstrap URLs use local.scheme
- Gitea Helm ingress gets TLS + letsencrypt certresolver annotations
- Skaffold CI profile sets defaultRepo=git.gugagr.xyz/admin
Co-authored-by: Gonçalo Rodrigues
Co-authored-by: Claude Sonnet 4.6
---
 infrastructure/terraform/gitea.tf | 13 ++++++++++---
 infrastructure/terraform/variables.tf | 4 ++++
 skaffold.yaml | 6 ++++++
 3 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/infrastructure/terraform/gitea.tf b/infrastructure/terraform/gitea.tf
index 561fd26..0eaeb30 100644
--- a/infrastructure/terraform/gitea.tf
+++ b/infrastructure/terraform/gitea.tf
@@ -36,7 +36,7 @@ resource "helm_release" "gitea" {
 APP_NAME = "Homelab Git"
 server = {
 DOMAIN = "git.${var.domain}"
- ROOT_URL = "http://git.${var.domain}"
+ ROOT_URL = "${local.scheme}://git.${var.domain}"
 SSH_DOMAIN = "localhost"
 SSH_PORT = 30001
 }
@@ -56,10 +56,17 @@ resource "helm_release" "gitea" {
 ingress = {
 enabled = true
 className = "traefik"
+ annotations = {
+ "traefik.ingress.kubernetes.io/router.tls" = "true"
+ "traefik.ingress.kubernetes.io/router.tls.certresolver" = "letsencrypt"
+ }
 hosts = [{
 host = "git.${var.domain}"
 paths = [{ path = "/", pathType = "Prefix" }]
 }]
+ tls = [{
+ hosts = ["git.${var.domain}"]
+ }]
 }
 # NodePort 30002: used by k3d containerd registry mirror (see k3d/config.yaml)
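Review bot: The `annotations` and `tls` entries in the ingress block are applied unconditionally, while `local.scheme` resolves to `http` for the default `homelab.local` domain, so `ROOT_URL` and the bootstrap curl calls would use plain HTTP against a router marked `router.tls = "true"`. As far as I know a Traefik router with TLS enabled only answers HTTPS, and the `letsencrypt` resolver cannot issue a certificate for a `.local` name, so the default setup probably stops answering on the URL the rest of the config uses. Gate both on the scheme, e.g. `annotations = local.scheme == "https" ? { ... } : {}` and `tls = local.scheme == "https" ? [{ hosts = ["git.${var.domain}"] }] : []`. The `helm_release` body starts and ends outside the hunk.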
@@ -112,7 +119,7 @@ resource "terraform_data" "gitea_runner_registration" {
 command = <<-EOT
 set -e
 echo "Waiting for Gitea to be ready..."
- until curl -sf "http://git.${var.domain}/api/v1/version" > /dev/null 2>&1; do
+ until curl -sf "${local.scheme}://git.${var.domain}/api/v1/version" > /dev/null 2>&1; do
 sleep 5
 done
@@ -121,7 +128,7 @@ resource "terraform_data" "gitea_runner_registration" {
 TOKEN=$(curl -sf \
 -u "admin:$PASSWORD" \
- "http://git.${var.domain}/api/v1/admin/runners/registration-token" \
+ "${local.scheme}://git.${var.domain}/api/v1/admin/runners/registration-token" \
 | grep -o '"token":"[^"]*"' | cut -d'"' -f4)
 kubectl patch secret gitea-runner-token -n gitea \
diff --git a/infrastructure/terraform/variables.tf b/infrastructure/terraform/variables.tf
index 86cc658..fa71cc4 100644
--- a/infrastructure/terraform/variables.tf
+++ b/infrastructure/terraform/variables.tf
@@ -15,3 +15,7 @@ variable "domain" {
 type = string
 default = "homelab.local"
 }
+
+locals {
+ scheme = var.domain == "homelab.local" ? "http" : "https"
+}
diff --git a/skaffold.yaml b/skaffold.yaml
index e800e2d..5db2035 100644
--- a/skaffold.yaml
+++ b/skaffold.yaml
@@ -18,3 +18,9 @@ profiles:
 activation:
 - kubeContext: k3d-homelab
 - name: ci
+ build:
+ local:
+ push: true
+ tagPolicy:
+ gitCommit: {}
+ defaultRepo: git.gugagr.xyz/admin
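Review bot: The readiness loop `until curl -sf ... > /dev/null 2>&1` has no retry limit and discards curl's error, and with `https` it now also fails on certificate problems (not yet issued, DNS pointing elsewhere), so a TLS fault would hang `terraform apply` with no message. Bound the loop and report the failure on stderr, as sketched below. The token request in the following hunk has a related gap: `set -e` does not see a curl failure on the left of a pipe, so an empty `TOKEN` could reach `kubectl patch`, and a `[ -n "$TOKEN" ]` check before that call would catch it. The heredoc starts and ends outside both hunks.

```hcl
# … unchanged: set -e and the "Waiting for Gitea to be ready..." echo …
attempts=0
until curl -sf "${local.scheme}://git.${var.domain}/api/v1/version" > /dev/null 2>&1; do
  attempts=$((attempts + 1))
  if [ "$attempts" -ge 60 ]; then
    echo "Gitea did not answer over ${local.scheme} after 60 attempts" >&2
    exit 1
  fi
  sleep 5
done
```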
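Review bot: `local.scheme` is keyed to the literal `"homelab.local"`, which duplicates the default of `variable "domain"` just above it; any other private name, or a changed default, silently switches to `https` and the Let's Encrypt resolver. An explicit boolean input such as `enable_tls` with `scheme = var.enable_tls ? "https" : "http"` would keep the TLS decision visible to whoever sets the domain. If the comparison stays, a comment like `# homelab.local is not publicly resolvable, so no ACME certificate can be issued for it` would document why the default is exempt.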
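Review bot: `defaultRepo` is not, as far as I know, a field of the skaffold.yaml schema; the default repository is normally supplied through `--default-repo`, `SKAFFOLD_DEFAULT_REPO` or Skaffold's global config, so this line may be rejected by the parser or ignored. The indentation is lost on this page, so where the key is nested cannot be checked here; confirm it against the `apiVersion` the file declares. The registry host is also hard-coded instead of following the Terraform `domain` variable, and images are pushed into the `admin` account's namespace, which suggests CI pushes with admin-level rights; a dedicated organisation or CI user would keep that scope narrower.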