The great reset, we moved infra into two clusters (sekibanki et seija)

apps/sekibanki/gitea/configmap.yaml

@@ -0,0 +1,64 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gitea-config
+data:
+  GITEA__DEFAULT__RUN_USER: git
+  GITEA__DEFAULT__RUN_MODE: prod
+  GITEA__DEFAULT__APP_NAME: prettysunflower's gitea
+  GITEA__DEFAULT__WORK_PATH: /var/lib/gitea
+  GITEA__repository__ROOT: /var/lib/gitea/git
+  GITEA__repository__SCRIPT_TYPE: sh
+  GITEA__repository__DISABLE_STARS: "true"
+  GITEA__server__STATIC_ROOT_PATH: /usr/share/webapps/gitea
+  GITEA__server__APP_DATA_PATH: /var/lib/gitea/data
+  GITEA__server__LFS_START_SERVER: "true"
+  GITEA__server__SSH_DOMAIN: git.default.svc.sekibanki.prettysunflower.moe
+  GITEA__server__DOMAIN: git.prettysunflower.moe
+  GITEA__server__HTTP_PORT: "3000"
+  GITEA__server__ROOT_URL: https://git.prettysunflower.moe/
+  GITEA__server__DISABLE_SSH: "false"
+  GITEA__server__SSH_PORT: "22"
+  GITEA__server__OFFLINE_MODE: "false"
+  GITEA__server__PUBLIC_URL_DETECTION: auto
+  GITEA__database__DB_TYPE: postgres
+  GITEA__database__SSL_MODE: disable
+  GITEA__database__HOST: 100.110.40.2:5432
+  GITEA__database__NAME: gitea
+  GITEA__database__SCHEMA: public
+  GITEA__database__LOG_SQL: "false"
+  GITEA__session__PROVIDER: redis
+  GITEA__log__MODE: console
+  GITEA__log__LEVEL: info
+  GITEA__mailer__ENABLED: "true"
+  GITEA__mailer__FROM: gitea@prettysunflower.moe
+  GITEA__mailer__PROTOCOL: smtp+starttls
+  GITEA__mailer__SMTP_ADDR: mail.prettysunflower.moe
+  GITEA__mailer__SMTP_PORT: "587"
+  GITEA__storage__STORAGE_TYPE: minio
+  GITEA__storage__MINIO_ENDPOINT: t3.storage.dev:443
+  GITEA__storage__MINIO_ACCESS_KEY_ID: tid_uCZAvxLOlpVdEusuMYvVmsOvMgVccrwxGJwqauuhSucI_MwddN
+  GITEA__storage__MINIO_BUCKET: prettysunflower-gitea
+  GITEA__storage__MINIO_LOCATION: auto
+  GITEA__storage__MINIO_USE_SSL : "true"
+  GITEA__storage__SERVE_DIRECT: "true"
+  GITEA__service__REGISTER_EMAIL_CONFIRM: "false"
+  GITEA__service__ENABLE_NOTIFY_MAIL: "false"
+  GITEA__service__DISABLE_REGISTRATION: "true"
+  GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION: "false"
+  GITEA__service__ENABLE_CAPTCHA: "false"
+  GITEA__service__REQUIRE_SIGNIN_VIEW: "false"
+  GITEA__service__DEFAULT_KEEP_EMAIL_PRIVATE: "false"
+  GITEA__service__DEFAULT_ALLOW_CREATE_ORGANIZATION: "true"
+  GITEA__service__DEFAULT_ENABLE_TIMETRACKING: "true"
+  GITEA__service__NO_REPLY_ADDRESS: noreply.localhost
+  GITEA__openid__ENABLE_OPENID_SIGNIN: "true"
+  GITEA__openid__ENABLE_OPENID_SIGNUP: "true"
+  GITEA__cron_0X2E_update_checker__ENABLED: "false"
+  GITEA__repository_0X2E_pull_0X2D_request__DEFAULT_MERGE_STYLE: merge
+  GITEA__repository_0X2E_signing__DEFAULT_TRUST_MODEL: committer
+  GITEA__security__INSTALL_LOCK: "true"
+  GITEA__security__PASSWORD_HASH_ALGO: argon2
+  GITEA__cache__ADAPTER: redis
+  GITEA__cache__HOST: redis://127.0.0.1:6379/0
+  GITEA__cache_0X2E_last_commit__COMMITS_COUNT: "1"

apps/sekibanki/gitea/deployment.yaml

@@ -0,0 +1,92 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitea
+  labels:
+    app.kubernetes.io/name: gitea
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: gitea
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: gitea
+    spec:
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: gitea-pvc
+        - name: config
+          persistentVolumeClaim:
+            claimName: gitea-config-pvc
+        - name: valkey
+          emptyDir:
+            sizeLimit: 128Mi
+            medium: Memory
+      dnsPolicy: "None"
+      dnsConfig:
+        nameservers:
+          - 100.96.226.96
+      containers:
+        - image: docker.gitea.com/gitea:1.24.3-rootless 
+          name: gitea
+          ports:
+            - containerPort: 3000
+              protocol: TCP
+              name: http
+            - containerPort: 2222
+              protocol: TCP
+              name: ssh
+          volumeMounts:
+          - name: data
+            mountPath: /var/lib/gitea
+          - name: config
+            mountPath: /etc/gitea
+          envFrom:
+            - configMapRef:
+                name: gitea-config
+            - secretRef:
+                name: gitea-secrets
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
+          livenessProbe:
+            httpGet:
+              path: /api/healthz
+              port: http
+            initialDelaySeconds: 200
+            timeoutSeconds: 5
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 10
+        - image: valkey/valkey:alpine
+          name: valkey
+          command: ["valkey-server"]
+          ports:
+            - containerPort: 6379
+              protocol: TCP
+          env:
+            - name: VALKEY_EXTRA_FLAGS
+              value: "--save 60 1"
+          volumeMounts:
+          - name: valkey
+            mountPath: "/data"
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault

apps/sekibanki/gitea/kustomization.yaml

@@ -0,0 +1,6 @@
+resources:
+- deployment.yaml
+- pvc.yaml
+- svc.yaml
+- secrets.yaml
+- configmap.yaml

apps/sekibanki/gitea/pvc.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gitea-pvc
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 50G
+  storageClassName: nfs-csi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gitea-config-pvc
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 64M
+  storageClassName: nfs-csi

apps/sekibanki/gitea/secrets.sops.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: gitea-secrets
+type: Opaque
+stringData:
+    GITEA__server__LFS_JWT_SECRET: ENC[AES256_GCM,data:lUGklHzgVyGtW7YWHqQlOEs9TlcKrAp+wOHKmvrnUx7g9NzrUOarqVwwqg==,iv:Fyr5WFaFps60Sc735FkcdaTUfP4Rf++3ZGFC8/x/beI=,tag:D11RCpU8j1YkqJnJghzbPw==,type:str]
+    GITEA__database__USER: ENC[AES256_GCM,data:J1WUgvw=,iv:f/PIxtSVYJD0M6oQATy/cCcLqBska2KbqJu0LOdgCnQ=,tag:6J1NjGpVEKQY+eII5aM2kQ==,type:str]
+    GITEA__database__PASSWD: ENC[AES256_GCM,data:MDsAOxL3BDmZD2s8NPE=,iv:nbs4k3kqZbJXW3ptyQy04M8ZehxXzzRiaJpCFbmeGXA=,tag:+EXlilcYXFdU1flRV+Y+nw==,type:str]
+    GITEA__mailer__USER: ENC[AES256_GCM,data:h3aLMQygmPalb53QGe4KP2DvQxpUaw==,iv:nsTin6xBu6aGEfElOULW7ScdvMUNoM5fbX3x+WSpwgc=,tag:w8Nvm/XOBQqDHdRBgmDc4w==,type:str]
+    GITEA__mailer__PASSWD: ENC[AES256_GCM,data:aDuDhi8miweNKBYV2N7p5Q==,iv:WPur5yPGtKOUPQ+17MfihHljinBAKgpFTnXPW/HGuO4=,tag:fEAUy5bfxwIFEUs5oYljtQ==,type:str]
+    GITEA__storage__MINIO_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:gDC9Xk6k01sar/AdG6FA7topLA1yzBklpXB3v11u7PseRXKtxSzbjg3yRSxDKfS7dz0uuChTx/Fj4yR3+MZSKMR+Av1UU9dA0koS,iv:lMvi+NCmeZZz7AtVhFJpM1qjweGf9tNmA0pXSJdsdL0=,tag:NbCmn20JTrYSzmbc2kgnBQ==,type:str]
+    GITEA__security__INTERNAL_TOKEN: ENC[AES256_GCM,data:LBD8u8OsXhkO69XSvhfP0vDCeZRfY+Yc1nKfaacCF2QL/T6v2054ymbvGjTvR+DM5g+XezwZWLYrE+AfY5LEa35EpC4S2c7kQAGikyBvGo9ANAcP6NxfC6ShraUBnGg5njrjf4ZVBGrd,iv:xH5amSwdV5e4rqneqr/x62hCdOWnjoPHFA30LwM3260=,tag:LhK1heV4xe3qUXwZ+pgfwg==,type:str]
+    GITEA__security__SECRET_KEY: ENC[AES256_GCM,data:mRdk8gS0wrV6PYr9jiSwvZAql4SyUjXEc0UNLdZMV3FOZsRKPHVWAsiw443HwPZ8pyBH6ucNHj1Zdj9qTMonHg==,iv:k8EIL2n+EGT+Fz0wTP4u+Tczyv2la478x0oV/jAHa/o=,tag:0gfQNJ3YQ6EK5WAPfzd6dg==,type:str]
+    GITEA__oauth2__JWT_SECRET: ENC[AES256_GCM,data:JoU3xarzXINK1Vs0slgtdVYGG9ilTENLzt2ggT69zFoQppQKt2lZUmqw5g==,iv:nAd74z6iMwpYN++0FQ8Ow3cg03sYBrV6790NiV4y2lk=,tag:KAvL0ugsZDzRfhpdoqzo/A==,type:str]
+sops:
+    age:
+        - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArUU5vdTVaS2t6OXpwaUEx
+            cUNTWFpUbkVmYStHT1VBRXBJWCsvZllzQWwwClZZV01aSFRaamI2VzR5SGNvR0ZE
+            VUQyU3hPVUZUY2dHT1NSMzdGdHVSeHMKLS0tIHRBRlVzRWR4b2tXb3o5UmxPdjNt
+            YXRHQkdHek1DTkM5WjhRenBaLzRxdEUKBypMt0YqbWUgzmcMgfWjEXDICOstdYya
+            sGqjC1GYuaffqCrpWScDq5ok/QXznbye3yEJwzV1opwbhKPrWmOgqQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-16T14:35:28Z"
+    mac: ENC[AES256_GCM,data:0N1JMKyxhHKsQ/Q5A9uCCAo+E5tvbhA75wJiVAX1fSRtPIfaJ7T6LdP7MLLxNXQTcl+LqcHn+XvIfU7z5XeZmH/qBZZEldgwj8CbEhPKjw3+kThoNWHV5nggxlIyFePE18bo/lpRV8Bqpyhocdd0F1fEDNEotnaO5Nle7SWAcWo=,iv:qWEv7WVf2v7aIr19S7OE/Q4Fu13FZ7hVF+bAdlZZv1s=,tag:/rzDd4uheETv+WugfaizEw==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2

apps/sekibanki/gitea/svc.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: git
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: gitea
+  ports:
+    - protocol: TCP
+      port: 22
+      targetPort: ssh
+      name: ssh
+    - protocol: TCP
+      port: 80
+      targetPort: http
+      name: http