admin/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
homelab/infrastructure/terraform/gitea.tf
Gonçalo Rodrigues 92fc9843c2 fix(gitea): use Recreate strategy to prevent LevelDB lock conflict 
SQLite and LevelDB can't be accessed by two pods simultaneously.
RollingUpdate starts a new pod before the old one stops, causing
the queue lock to fail on startup. Recreate terminates the old
pod first.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-26 22:08:24 +01:00

168 lines
4.3 KiB
HCL
Raw Blame History

resource "random_password" "gitea_admin" {
count = var.enable_gitea ? 1 : 0
length = 24
special = false
}
resource "kubernetes_secret" "gitea_admin" {
count = var.enable_gitea ? 1 : 0
metadata {
name = "gitea-admin"
namespace = kubernetes_namespace.domains["gitea"].metadata[0].name
}
data = {
username = "admin"
password = random_password.gitea_admin[0].result
email = "admin@${var.domain}"
}
}
resource "helm_release" "gitea" {
count = var.enable_gitea ? 1 : 0
name = "gitea"
namespace = kubernetes_namespace.domains["gitea"].metadata[0].name
repository = "https://dl.gitea.com/charts/"
chart = "gitea"
version = "~> 12.0"
atomic = true
timeout = 300
values = [yamlencode({
gitea = {
admin = {
existingSecret = kubernetes_secret.gitea_admin[0].metadata[0].name
}
config = {
APP_NAME = "Homelab Git"
server = {
DOMAIN = "git.${var.domain}"
ROOT_URL = "${local.scheme}://git.${var.domain}"
SSH_DOMAIN = "localhost"
SSH_PORT = 30001
}
database = { DB_TYPE = "sqlite3" }
queue = { TYPE = "level" }
cache = { ADAPTER = "memory" }
session = { PROVIDER = "memory" }
packages = { ENABLED = "true" }
service = { DISABLE_REGISTRATION = "true" }
log = { LEVEL = "Warn" }
}
}
"postgresql-ha" = { enabled = false }
"valkey-cluster" = { enabled = false }
ingress = {
enabled = true
className = "traefik"
annotations = {
"traefik.ingress.kubernetes.io/router.tls" = "true"
"traefik.ingress.kubernetes.io/router.tls.certresolver" = "letsencrypt"
}
hosts = [{
host = "git.${var.domain}"
paths = [{ path = "/", pathType = "Prefix" }]
}]
tls = [{
hosts = ["git.${var.domain}"]
}]
}
# NodePort 30002: used by k3d containerd registry mirror (see k3d/config.yaml)
service = {
http = {
type = "NodePort"
port = 3000
nodePort = 30002
}
ssh = {
type = "NodePort"
port = 22
nodePort = 30001
}
}
persistence = {
enabled = true
size = "10Gi"
storageClass = "local-path"
}
strategy = {
type = "Recreate"
}
resources = {
requests = { cpu = "100m", memory = "256Mi" }
limits = { cpu = "500m", memory = "512Mi" }
}
})]
}
resource "kubernetes_secret" "gitea_runner_token" {
count = var.enable_gitea ? 1 : 0
metadata {
name = "gitea-runner-token"
namespace = kubernetes_namespace.domains["gitea"].metadata[0].name
}
data = { token = "" }
lifecycle {
ignore_changes = [data]
}
}
resource "terraform_data" "gitea_runner_registration" {
count = var.enable_gitea ? 1 : 0
depends_on = [helm_release.gitea, kubernetes_secret.gitea_runner_token]
triggers_replace = [random_password.gitea_admin[0].id]
provisioner "local-exec" {
interpreter = ["/bin/sh", "-c"]
command = <<-EOT
set -e
echo "Waiting for Gitea to be ready..."
until curl -sf "${local.scheme}://git.${var.domain}/api/v1/version" > /dev/null 2>&1; do
sleep 5
done
PASSWORD=$(kubectl get secret gitea-admin -n gitea \
-o jsonpath='{.data.password}' | base64 -d)
TOKEN=$(curl -sf \
-u "admin:$PASSWORD" \
"${local.scheme}://git.${var.domain}/api/v1/admin/runners/registration-token" \
| grep -o '"token":"[^"]*"' | cut -d'"' -f4)
kubectl patch secret gitea-runner-token -n gitea \
-p "{\"data\":{\"token\":\"$(printf '%s' "$TOKEN" | base64)\"}}"
echo "Runner registration token written to gitea-runner-token secret."
EOT
}
}
locals {
app_namespaces = ["auth", "finance", "home", "test"]
}
resource "kubernetes_secret" "gitea_registry" {
for_each = var.enable_gitea ? toset(local.app_namespaces) : toset([])
metadata {
name = "gitea-registry"
namespace = kubernetes_namespace.domains[each.value].metadata[0].name
}
type = "kubernetes.io/dockerconfigjson"
data = {
".dockerconfigjson" = jsonencode({
auths = {
"git.${var.domain}" = {
auth = base64encode("admin:${random_password.gitea_admin[0].result}")
}
}
})
}
}
Reference in New Issue View Git Blame Copy Permalink