add devops

This commit is contained in:
2026-05-11 09:17:23 +02:00
parent 49a1f1e2d7
commit 076449cdf9
12 changed files with 276 additions and 1 deletions

.gitignore vendored

@@ -1,3 +1,5 @@
/.terraform/providers/registry.opentofu.org
/terraform.tfstate
/terraform.tfstate.backup
/manifests/secrets
/manifests/devops/gitea-action-secrets.yaml


@@ -4,3 +4,4 @@ resources:
- ./manifests/jellyfin/
- ./manifests/cert-manager/
- ./manifests/argo/
- ./manifests/secrets/


@@ -10,4 +10,31 @@ spec:
kind: ClusterIssuer
dnsNames:
- gitea.milasholsting.dk
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: harbor-tls
namespace: devops
spec:
secretName: harbor-tls
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
dnsNames:
- reg.milasholsting.dk
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: grafana-tls
namespace: devops
spec:
secretName: grafana-tls
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
dnsNames:
- grafana.milasholsting.dk


@@ -0,0 +1,58 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: gitea-runner
namespace: devops
spec:
serviceName: gitea-runner
replicas: 1
selector:
matchLabels:
app: gitea-runner
template:
metadata:
labels:
app: gitea-runner
spec:
containers:
- name: runner
image: gitea/act_runner:latest
env:
- name: GITEA_INSTANCE_URL
value: "https://gitea.milasholsting.dk"
- name: GITEA_RUNNER_REGISTRATION_TOKEN
valueFrom:
secretKeyRef:
name: actions-secret
key: registerKey
- name: DOCKER_HOST
value: unix:///var/run/docker/docker.sock
- name: GITEA_RUNNER_LABELS
value: "ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
volumeMounts:
- name: data
mountPath: /data
- name: docker-sock
mountPath: /var/run/docker
- name: dind
image: reg.milasholsting.dk/devops/docker:dind
command: ["dockerd"]
args: ["--host=unix:///var/run/docker/docker.sock", "--host=tcp://0.0.0.0:2375"]
securityContext:
privileged: true
env:
- name: DOCKER_TLS_CERTDIR
value: "" # Explicitly disable TLS to stick to the socket
volumeMounts:
- name: dind-storage
mountPath: /var/lib/docker
- name: docker-sock
mountPath: /var/run/docker
volumes:
- name: dind-storage
emptyDir: {}
- name: data
emptyDir: {}
- name: docker-sock
emptyDir: {}
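Review bot: The dind sidecar's `args` also opens `tcp://0.0.0.0:2375`, an unauthenticated Docker API with TLS explicitly switched off via `DOCKER_TLS_CERTDIR: ""`, while the runner only ever reaches it over the shared unix socket (`DOCKER_HOST: unix:///var/run/docker/docker.sock`). Any workload that can reach this pod's IP would then control a privileged container, so drop the listener: `args: ["--host=unix:///var/run/docker/docker.sock"]`. `image: gitea/act_runner:latest` is an unpinned tag, so the runner rolls forward silently and deploys are not reproducible; pin a version tag, ideally with a digest. The dind image comes from `reg.milasholsting.dk/devops/docker:dind`, the Harbor instance this same commit creates, which is a first-deploy bootstrap dependency worth a comment on that line.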


@@ -0,0 +1,14 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: gitea-ssh
namespace: devops # Ensure this is your Gitea namespace
spec:
entryPoints:
- ssh # This MUST match the name used in your Traefik config
routes:
- match: HostSNI(`*`)
services:
- name: gitea-ssh # Replace with the service name from Step 1
port: 22
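Review bot: The inline comments `# Ensure this is your Gitea namespace`, `# This MUST match the name used in your Traefik config` and `# Replace with the service name from Step 1` are leftover tutorial placeholders and should be removed or replaced by what applies here, e.g. one comment on `entryPoints` naming where the `ssh` entry point is defined in the Traefik config. Whether a Service named `gitea-ssh` is rendered by the Gitea chart cannot be confirmed from this diff; check the name the chart produces before merging, since a TCP route to a missing Service fails silently at connection time rather than at apply time.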


@@ -39,7 +39,12 @@ spec:
server:
DOMAIN: gitea.milasholsting.dk
ROOT_URL: https://gitea.milasholsting.dk/
START_SSH_SERVER: true
SSH_DOMAIN: gitea.milasholsting.dk
SSH_PORT: 22
SSH_LISTEN_PORT: 22
podSecurityContext:
fsGroup: 1000
persistence:
size: 20Gi
storageClass: local-path
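Review bot: `SSH_LISTEN_PORT: 22` makes the Gitea process bind a privileged port inside its container; the visible `podSecurityContext` sets only `fsGroup: 1000`, so whether the container runs as root or carries `CAP_NET_BIND_SERVICE` is not shown here and should be confirmed, otherwise the built-in SSH server fails to start. The common pattern is to keep `SSH_PORT: 22` (what clients see) and set `SSH_LISTEN_PORT: 2222`, pointing the `gitea-ssh` TCP route in this commit at 2222. The enclosing `gitea:` config block starts above this hunk.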


@@ -0,0 +1,23 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: grafana-ingress
annotations:
spec.ingressClassName: traefik
cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
rules:
- host: grafana.milasholsting.dk
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: grafana
port:
number: 80
tls:
- secretName: grafana-tls
hosts:
- grafana.milasholsting.dk
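Review bot: `spec.ingressClassName: traefik` is written as a key under `metadata.annotations`, where it has no effect; the class belongs in the spec as `ingressClassName: traefik` directly under `spec:`. The Ingress has no `metadata.namespace`, while the `grafana-tls` Certificate added in cert.yaml writes its secret into `devops`; an Ingress can only use a TLS secret from its own namespace, so add `namespace: devops` unless the kustomization sets one. The `cert-manager.io/cluster-issuer` annotation also asks cert-manager's ingress-shim to manage `grafana-tls`, duplicating the explicit Certificate object — keep one mechanism, not both.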


@@ -0,0 +1,12 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: grafana
namespace: devops
spec:
repo: https://grafana-community.github.io/helm-charts
chart: grafana
targetNamespace: devops
version: 11.6.0
valuesContent: |-
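Review bot: `repo: https://grafana-community.github.io/helm-charts` does not look like the index the Grafana charts are published from (`https://grafana.github.io/helm-charts`); confirm the URL resolves before relying on it. `version: 11.6.0` resembles a Grafana application version rather than a chart version, so check it exists in the index, and quote it (`version: "11.6.0"`) as a matter of habit. The companion HelmChartConfig in this commit carries kube-prometheus-stack style values (`kubeEtcd`, `prometheus.prometheusSpec`, a nested `grafana:` block) that the `grafana` chart will not read, so either this should become `chart: kube-prometheus-stack` from its own repo or those values need flattening to the grafana chart's schema. `valuesContent: |-` with no body is harmless but can be dropped once the HelmChartConfig carries the values.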


@@ -0,0 +1,57 @@
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: grafana
namespace: devops
spec:
valuesContent: |-
# Disable etcd monitoring. See https://github.com/cablespaghetti/k3s-monitoring/issues/4
kubeEtcd:
enabled: false
# Disable kube-controller-manager and kube-scheduler monitoring. See https://github.com/cablespaghetti/k3s-monitoring/issues/2
kubeControllerManager:
enabled: false
kubeScheduler:
enabled: false
prometheus:
prometheusSpec:
retention: 3d
storageSpec:
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-path
resources:
requests:
storage: 20Gi
grafana:
plugins:
- grafana-piechart-panel
enabled: true
grafana.ini:
users:
viewers_can_edit: true
auth:
disable_login_form: false
disable_signout_menu: false
auth.anonymous:
enabled: false
org_role: Admin
auth.basic:
enabled: true
persistence:
enabled: true
type: pvc
storageClassName: local-path
accessModes:
- ReadWriteOnce
size: 4Gi
finalizers:
- kubernetes.io/pvc-protection
# ALTERNATIVELY IF YOU HAVE AN EXISTING CLAME YOU WISH TO USE/REUSE
# existingClaim: prom-grafana
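Review bot: `auth.anonymous.org_role: Admin` leaves anonymous access one toggle away from full admin; the block is inert while `enabled: false`, but set `org_role: Viewer` so that flipping `enabled` later cannot grant admin by accident. These values follow the kube-prometheus-stack layout (top-level `kubeEtcd`, `prometheus`, nested `grafana:`) while the HelmChart they configure installs chart `grafana`, which does not read them, so persistence and plugins here will silently not apply — see the note on the HelmChart. The closing comment has a typo (`CLAME` → `CLAIM`), and the two issue links point at another project's setup notes rather than this repo, so either keep them as attribution or replace them with a one-line reason for disabling those scrapes.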


@@ -0,0 +1,12 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: harbor
namespace: devops
spec:
repo: https://helm.goharbor.io
chart: harbor
targetNamespace: devops
version: 1.18.2
valuesContent: |-


@@ -0,0 +1,55 @@
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: harbor
namespace: devops
spec:
valuesContent: |-
expose:
type: ingress
tls:
certSource: secret
secret:
# The name of secret which contains keys named:
# "tls.crt" - the certificate
# "tls.key" - the private key
secretName: "harbor-tls"
ingress:
className: traefik
hosts:
core: reg.milasholsting.dk
notary: notary.reg.milasholsting.dk
externalURL: https://reg.milasholsting.dk
harborAdminPassword: "ChangeMe123!"
persistence:
persistentVolumeClaim:
registry:
storageClass: local-path
size: 100Gi
chartmuseum:
storageClass: local-path
size: 5Gi
jobservice:
storageClass: local-path
size: 2Gi
database:
storageClass: local-path
size: 10Gi
redis:
storageClass: local-path
size: 2Gi
database:
internal:
image:
repository: goharbor/harbor-db
tag: v2.11.0
redis:
internal:
image:
repository: goharbor/redis-photon
tag: v2.11.0
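Review bot: `harborAdminPassword: "ChangeMe123!"` commits the registry admin credential in plaintext, in the same commit that gitignores the other secret manifests; the chart supports `existingSecretAdminPassword` (default key `HARBOR_ADMIN_PASSWORD`), so move the password into a Secret next to the existing ones and reference it here. The chart's `secretKey`, used to encrypt stored credentials, is left at its default as well; set it through `existingSecretSecretKey` at the same time. `database.internal.image.tag` and `redis.internal.image.tag` pin `v2.11.0` while the HelmChart in this commit uses chart `1.18.2`, which ships a newer Harbor release, so this mixes component versions and is likely unintended — either drop the tag overrides or pin the chart to the matching release. `hosts.notary` refers to a component recent Harbor releases no longer include; confirm the chart still honours it or drop the line.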


@@ -4,4 +4,13 @@ resources:
- ./namespace.yaml
- ./gitea-admin-secret.yaml
- ./gitea.yaml
- ./giteaChartConfig.yaml
- ./cert.yaml
- ./harbor.yaml
- ./harborChartValues.yaml
- ./gitea-ssh-ingress.yaml
- ./gitea-actions.yaml
- ./gitea-action-secrets.yaml
- ./grafana-ingress.yaml
- ./grafana.yaml
- ./grafanaChartConfig.yaml
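Review bot: `./gitea-action-secrets.yaml` is listed as a resource here while this same commit adds `/manifests/devops/gitea-action-secrets.yaml` to `.gitignore`, and the root kustomization adds `./manifests/secrets/`, which is ignored too; a fresh checkout fails `kustomize build` with a missing-file error, and if Argo renders this repository it cannot build it at all. If secrets are meant to stay out of git, reference them through a committed sealed/external-secret resource, or remove them from the resource lists and apply them out of band. Either way, mark the entry so the next reader knows, e.g. `# not in git: create before running kustomize build`.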