chore(infra): disable Gitea and act-runner — postponed until dedicated server

Empties gitea.tf and act-runner.tf so terraform apply removes all Gitea
and runner resources. Drops the gitea namespace from the managed list.
Full config preserved in git history.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

infrastructure/terraform/act-runner.tf

@@ -1,200 +1,2 @@
-resource "kubernetes_service_account" "act_runner" {
+# Act runner disabled — postponed until dedicated server/VPS.
-  metadata {
+# See git history for the full configuration.
-    name      = "act-runner"
-    namespace = kubernetes_namespace.domains["gitea"].metadata[0].name
-  }
-}
-
-resource "kubernetes_cluster_role" "act_runner" {
-  metadata {
-    name = "act-runner"
-  }
-  # Allow deploying to finance namespace
-  rule {
-    api_groups = ["apps"]
-    resources  = ["deployments"]
-    verbs      = ["get", "list", "patch", "update"]
-  }
-  rule {
-    api_groups = [""]
-    resources  = ["pods", "pods/log"]
-    verbs      = ["get", "list"]
-  }
-  # Allow creating Kaniko build jobs in gitea namespace
-  rule {
-    api_groups = ["batch"]
-    resources  = ["jobs"]
-    verbs      = ["create", "get", "list", "watch", "delete"]
-  }
-}
-
-resource "kubernetes_cluster_role_binding" "act_runner" {
-  metadata {
-    name = "act-runner"
-  }
-  role_ref {
-    api_group = "rbac.authorization.k8s.io"
-    kind      = "ClusterRole"
-    name      = kubernetes_cluster_role.act_runner.metadata[0].name
-  }
-  subject {
-    kind      = "ServiceAccount"
-    name      = kubernetes_service_account.act_runner.metadata[0].name
-    namespace = kubernetes_namespace.domains["gitea"].metadata[0].name
-  }
-}
-
-# ConfigMap for act runner config (host executor mode — steps run directly in runner container)
-resource "kubernetes_config_map" "act_runner" {
-  metadata {
-    name      = "act-runner-config"
-    namespace = kubernetes_namespace.domains["gitea"].metadata[0].name
-  }
-  data = {
-    "config.yaml" = yamlencode({
-      log = { level = "info" }
-      runner = {
-        capacity           = 2
-        fetch_timeout      = "5s"
-        fetch_interval     = "2s"
-        report_interval    = "1s"
-        envs               = {}
-      }
-      cache = { enabled = false }
-      container = {
-        network         = "host"
-        # Allow pipeline steps to mount the SA token for kubectl
-        valid_volumes = [
-          "/var/run/secrets/kubernetes.io/serviceaccount",
-        ]
-        docker_host = "tcp://localhost:2375"
-      }
-    })
-  }
-}
-
-resource "kubernetes_deployment" "act_runner" {
-  depends_on = [helm_release.gitea, kubernetes_secret.gitea_runner_token]
-
-  metadata {
-    name      = "act-runner"
-    namespace = kubernetes_namespace.domains["gitea"].metadata[0].name
-    labels    = { app = "act-runner" }
-  }
-
-  spec {
-    replicas = 1
-    selector {
-      match_labels = { app = "act-runner" }
-    }
-    template {
-      metadata {
-        labels = { app = "act-runner" }
-      }
-      spec {
-        service_account_name = kubernetes_service_account.act_runner.metadata[0].name
-
-        # act runner — runs steps using Docker (provided by dind sidecar)
-        container {
-          name  = "runner"
-          image = "gitea/act_runner:latest"
-
-          command = ["/bin/sh", "-c"]
-          args = [<<-EOT
-            set -e
-            # Register if not yet registered
-            if [ ! -f /data/.runner ]; then
-              act_runner register \
-                --no-interactive \
-                --instance http://gitea-http.gitea.svc.cluster.local:3000 \
-                --token "$(cat /etc/runner-token/token)" \
-                --name "k3d-runner-$(hostname)" \
-                --labels ubuntu-latest
-            fi
-            exec act_runner daemon --config /etc/act-runner/config.yaml
-          EOT
-          ]
-
-          env {
-            name  = "DOCKER_HOST"
-            value = "tcp://localhost:2375"
-          }
-          # Make the runner's KUBERNETES_SERVICE env accessible to pipeline steps
-          env {
-            name = "KUBERNETES_SERVICE_HOST"
-            value_from {
-              field_ref { field_path = "status.hostIP" }
-            }
-          }
-
-          volume_mount {
-            name       = "runner-data"
-            mount_path = "/data"
-          }
-          volume_mount {
-            name       = "runner-config"
-            mount_path = "/etc/act-runner"
-          }
-          volume_mount {
-            name       = "runner-token"
-            mount_path = "/etc/runner-token"
-            read_only  = true
-          }
-
-          resources {
-            requests = { cpu = "100m", memory = "128Mi" }
-            limits   = { cpu = "500m", memory = "512Mi" }
-          }
-        }
-
-        # Docker-in-Docker: provides a Docker daemon for the pipeline steps
-        container {
-          name  = "dind"
-          image = "docker:27-dind"
-
-          security_context {
-            privileged = true
-          }
-          args = [
-            "--insecure-registry=gitea-http.gitea.svc.cluster.local:3000",
-          ]
-          env {
-            name  = "DOCKER_TLS_CERTDIR"
-            value = ""
-          }
-
-          volume_mount {
-            name       = "docker-storage"
-            mount_path = "/var/lib/docker"
-          }
-
-          resources {
-            requests = { cpu = "200m", memory = "256Mi" }
-            limits   = { cpu = "1", memory = "1Gi" }
-          }
-        }
-
-        volume {
-          name = "runner-data"
-          empty_dir {}
-        }
-        volume {
-          name = "docker-storage"
-          empty_dir {}
-        }
-        volume {
-          name = "runner-config"
-          config_map {
-            name = kubernetes_config_map.act_runner.metadata[0].name
-          }
-        }
-        volume {
-          name = "runner-token"
-          secret {
-            secret_name = kubernetes_secret.gitea_runner_token.metadata[0].name
-          }
-        }
-      }
-    }
-  }
-}

infrastructure/terraform/gitea.tf

@@ -1,165 +1,2 @@
-resource "random_password" "gitea_admin" {
+# Gitea and registry pull secrets disabled — postponed until dedicated server/VPS.
-  length  = 24
+# See git history for the full configuration.
-  special = false
-}
-
-resource "kubernetes_secret" "gitea_admin" {
-  metadata {
-    name      = "gitea-admin"
-    namespace = kubernetes_namespace.domains["gitea"].metadata[0].name
-  }
-  data = {
-    username = "admin"
-    password = random_password.gitea_admin.result
-    email    = "admin@homelab.local"
-  }
-}
-
-resource "helm_release" "gitea" {
-  name       = "gitea"
-  namespace  = kubernetes_namespace.domains["gitea"].metadata[0].name
-  repository = "https://dl.gitea.com/charts/"
-  chart      = "gitea"
-  version    = "~> 12.0"
-  atomic     = true
-  timeout    = 300
-
-  values = [yamlencode({
-    gitea = {
-      admin = {
-        existingSecret = kubernetes_secret.gitea_admin.metadata[0].name
-      }
-      config = {
-        APP_NAME = "Homelab Git"
-        server = {
-          DOMAIN     = "git.homelab.local"
-          ROOT_URL   = "http://git.homelab.local"
-          SSH_DOMAIN = "localhost"
-          SSH_PORT   = 30001
-        }
-        database = { DB_TYPE = "sqlite3" }
-        queue    = { TYPE = "level" }
-        cache    = { ADAPTER = "memory" }
-        session  = { PROVIDER = "memory" }
-        packages = { ENABLED = "true" }
-        service  = { DISABLE_REGISTRATION = "true" }
-        log      = { LEVEL = "Warn" }
-      }
-    }
-
-    "postgresql-ha"  = { enabled = false }
-    "valkey-cluster" = { enabled = false }
-
-    ingress = {
-      enabled   = true
-      className = "traefik"
-      hosts = [{
-        host  = "git.homelab.local"
-        paths = [{ path = "/", pathType = "Prefix" }]
-      }]
-    }
-
-    # NodePort 30002: used by k3d containerd registry mirror (see k3d/config.yaml)
-    service = {
-      http = {
-        type     = "NodePort"
-        port     = 3000
-        nodePort = 30002
-      }
-      ssh = {
-        type     = "NodePort"
-        port     = 22
-        nodePort = 30001
-      }
-    }
-
-    persistence = {
-      enabled      = true
-      size         = "10Gi"
-      storageClass = "local-path"
-    }
-
-    resources = {
-      requests = { cpu = "100m", memory = "256Mi" }
-      limits   = { cpu = "500m", memory = "512Mi" }
-    }
-  })]
-}
-
-# Placeholder secret created by Terraform; data is populated by the
-# terraform_data bootstrapper below after Gitea is reachable.
-resource "kubernetes_secret" "gitea_runner_token" {
-  metadata {
-    name      = "gitea-runner-token"
-    namespace = kubernetes_namespace.domains["gitea"].metadata[0].name
-  }
-  data = { token = "" }
-
-  lifecycle {
-    # After the bootstrapper writes the real token we must not overwrite it
-    # with the empty placeholder on subsequent applies.
-    ignore_changes = [data]
-  }
-}
-
-# On first apply: poll until Gitea is up, call the admin API to obtain a
-# runner registration token, and patch the secret in place.
-# On subsequent applies this resource is a no-op (terraform_data only
-# re-runs its provisioner when triggers_replace changes).
-resource "terraform_data" "gitea_runner_registration" {
-  depends_on = [helm_release.gitea, kubernetes_secret.gitea_runner_token]
-
-  # Re-bootstrap only if the admin password rotates.
-  triggers_replace = [random_password.gitea_admin.id]
-
-  provisioner "local-exec" {
-    interpreter = ["/bin/sh", "-c"]
-    command     = <<-EOT
-      set -e
-
-      echo "Waiting for Gitea to be ready..."
-      until curl -sf "http://git.homelab.local/api/v1/version" > /dev/null 2>&1; do
-        sleep 5
-      done
-
-      PASSWORD=$(kubectl get secret gitea-admin -n gitea \
-        -o jsonpath='{.data.password}' | base64 -d)
-
-      TOKEN=$(curl -sf \
-        -u "admin:$PASSWORD" \
-        "http://git.homelab.local/api/v1/admin/runners/registration-token" \
-        | grep -o '"token":"[^"]*"' | cut -d'"' -f4)
-
-      kubectl patch secret gitea-runner-token -n gitea \
-        -p "{\"data\":{\"token\":\"$(printf '%s' "$TOKEN" | base64)\"}}"
-
-      echo "Runner registration token written to gitea-runner-token secret."
-    EOT
-  }
-}
-
-# imagePullSecret for all app namespaces — allows k8s to pull images from the
-# local Gitea registry. Containerd mirrors "git.homelab.local" to localhost:30002
-# (see k3d/config.yaml) and forwards these credentials to authenticate.
-locals {
-  app_namespaces = ["auth", "finance", "home", "test"]
-}
-
-resource "kubernetes_secret" "gitea_registry" {
-  for_each = toset(local.app_namespaces)
-
-  metadata {
-    name      = "gitea-registry"
-    namespace = kubernetes_namespace.domains[each.value].metadata[0].name
-  }
-  type = "kubernetes.io/dockerconfigjson"
-  data = {
-    ".dockerconfigjson" = jsonencode({
-      auths = {
-        "git.homelab.local" = {
-          auth = base64encode("admin:${random_password.gitea_admin.result}")
-        }
-      }
-    })
-  }
-}

infrastructure/terraform/namespaces.tf

@@ -1,5 +1,5 @@
 locals {
-  namespaces = ["auth", "home", "finance", "test", "monitoring", "infrastructure", "gitea"]
+  namespaces = ["auth", "home", "finance", "test", "monitoring", "infrastructure"]
 }
 
 resource "kubernetes_namespace" "domains" {