Update a lot of releases

installations/applications/helmfile.yaml

@@ -44,10 +44,10 @@ releases:
       - template: default-env-secrets
       - template: ext-database
     
-  - name: gitea
+  - name: gitea-archived
     chart: gitea/gitea
     version: 10.4.0
-    namespace: applications
+    namespace: archive
     inherit:
       - template: default-env-values
       - template: default-env-secrets

installations/platform/helmfile.yaml

@@ -12,6 +12,8 @@ repositories:
     url: https://zotregistry.dev/helm-charts/
   - name: bedag
     url: https://bedag.github.io/helm-charts/
+  - name: percona 
+    url: https://percona.github.io/percona-helm-charts/
 
 releases:
   - name: argocd
@@ -45,3 +47,10 @@ releases:
     inherit:
       - template: default-env-values
       - template: default-env-secrets
+
+  - name: pg-operator
+    chart: percona/pg-operator
+    installed: false
+    version: 2.4.0
+    createNamespace: false
+    namespace: platform

installations/storage/helmfile.yaml

@@ -22,6 +22,8 @@ releases:
     installed: true
     namespace: rook-ceph
     version: v1.14.8
+    needs:
+      - rook-ceph/rook-ceph
     inherit:
       - template: default-env-values
 

values/badhouseplants/secrets.gitea-archived.yaml

@@ -0,0 +1,48 @@
+gitea:
+    admin:
+        username: ENC[AES256_GCM,data:jWOKYLR8wEY=,iv:obfaa7iVArqZsfXI9glfNVhnEzNPnoPvA9WZrqzURd8=,tag:ZQykUfckAD6CcRsAxYLfww==,type:str]
+        password: ENC[AES256_GCM,data:ckwTYUA05SSl+3KD9G/XtQW+nnM=,iv:reeJTq7vWcfjggl9X+/t0yYzaz7xuiZLZM0xW7zlfcI=,tag:x0Dtf3ea53+1c0jhn2C5zw==,type:str]
+    config:
+        mailer:
+            PASSWD: ENC[AES256_GCM,data:ZXMbptf1Tn8QVf9H6gLuLIpI+gs=,iv:QsHjgoEWy4mEf/NNBnuPFpXBFHoACn8pfQmbF1wI2ZM=,tag:/T6PGia+mkzmcUkWANO25w==,type:str]
+        database:
+            PASSWD: ENC[AES256_GCM,data:mfMbZf7Kbn+5gwLi2JGMt6otMlQ=,iv:r2H7aSJKraBoDydV6N29hsRiH6bLUM0aJHPmo3dbSP4=,tag:WwBHKRYdJIv6IGQehO2yEg==,type:str]
+        session:
+            PROVIDER_CONFIG: ENC[AES256_GCM,data:YexjXlIj5mtwhv5HD2rmpzo3hqIXpZkyPk0njFYe3tceDV2uclpLCmIrZOumwo4TdWtIZ5Axs336vXtFvi4LFSyyrzSnqSPNxC1aNHwmj4keMY1qvPG0qRCoS7Q7JcCak41gRopbx+RLn7BENZ6s0e19u5PXLDSB,iv:pkY0LBpXhnSr40YoZpklytGWmKe7CdsgPpQySXfON5g=,tag:96UXoPksLxE+mJzyjzjqEA==,type:str]
+        cache:
+            HOST: ENC[AES256_GCM,data:C4GD2Nbb9Yi7TTKvipoPW3wM7e9BvQziBqweB/AUTq78pk20c2QoirNDETqcGaA002Phr8SwttdljnjVhCMr/w+Np/XkNy2rSB00A6R8t5/gDDoxUE92R2RLFIRB3Ao4UwKdL2X/YvzX1xDq/WC/i7VmvPTnLbas,iv:NMTgSxxvrut/Pxi5lZa6mbP/eOMt6rk2leFJESl5SJQ=,tag:bKJ1P6KXdjHC3bFmreD7OA==,type:str]
+        queue:
+            CONN_STR: ENC[AES256_GCM,data:28O5cVRnezFBWnyILjGxLf39SrS7nYNuI0km29qz5Q2qPGwojiLziyTsBb9AUlLZc5nLcGEUIJ5vnXONtw96aOobDwwyLmPE8X/QnpRvjRN4DmAF7LO98AuyTrTXEOSNMp3Dee88F9T9wdwr5ekh1Fb/gBSJpkkt,iv:PP0ZPxBulXce/bIUTuuQgiaOBWNcjMe2V/BgFGJm77Q=,tag:BDteA6nftpa6q6djyhivGg==,type:str]
+    oauth:
+        - name: ENC[AES256_GCM,data:DWCdEzwP,iv:fJrSGxRPSljBLSnRRRCjsa3QCa730NGRyKJCVJe8YNE=,tag:vQFTYVUQXPcB3Mx9/qGfVw==,type:str]
+          provider: ENC[AES256_GCM,data:mSnq2rOw,iv:XC1JS1oqZxbBZoraWemzXWGSnpvn9NTx8OA57HV1B8w=,tag:kPxdj8h8Qk9oGayi3Di7yQ==,type:str]
+          key: ENC[AES256_GCM,data:ft+Zqnu7oXHxMnMcRFpT934TGL0=,iv:qFj+BT37ZKIH69ikEf1YMwE1LC+dyAW7tBXhY5X6mYY=,tag:+p+3+GX5zakkXyi41H7Iog==,type:str]
+          secret: ENC[AES256_GCM,data:CSGrxpxfGoKs4wHKl25s37Nenw/0nuagCa6Ed++nE9lnQlZ8G193CQ==,iv:oTOGJmZi/26OvKG5gkrUoFVaJ8erkHfVi44FTy9kb1M=,tag:upHqogYqdVZlUyJT3BG0/g==,type:str]
+        - name: ENC[AES256_GCM,data:iZ2gRgmkZGcG,iv:N16HI6nVh8euitBKEq4yr3kr2cpLRb12XWKupXGR98A=,tag:L+rWF5wbrwWHhSus1JGP2Q==,type:str]
+          provider: ENC[AES256_GCM,data:2HlYsjvxnOx1sHuKlw==,iv:aXOjLsl1ZF3NCPpqyGrSM25lX3OLKoRpGzrRW47lGVg=,tag:LzGsYa36wqgch/nw+en6oA==,type:str]
+          skip_local_2fa: ENC[AES256_GCM,data:QYsYyg==,iv:tZt+yIvuDbFa9BWsoeUvcOpIonlufb9FO7YU59mGkVs=,tag:+2rr0Q7c9XfwjFR7C+ikuA==,type:str]
+          key: ENC[AES256_GCM,data:4/jJ0cc=,iv:iu8l1dGDIou4ytXhub7YKlIGs8WDEAAjKVbwd81m0Uc=,tag:D2BiWDfubzbK0cJl1Bk/0Q==,type:str]
+          secret: ENC[AES256_GCM,data:iRRUJl5r7wJQY4SWaSMF2ut2+I37CGPhXOpCkMENNRm6dvFp7YNyiHVQT61PsWnoyWz9lFJMkjCnY98JDjvjWuYCW8O30IEklq/N4KYSgD5TLEWu1OCcPC8A7yMZJSI8rxTLKcevuGJD7ZT8hWl3nZDTkUwTEJy0qREqyhc8caQ=,iv:KOLmK6UddEq9hv938m409ldxVpR8pQLiJwk7Sr0W4mA=,tag:ZDBZwa6ZAQw4qGU9C+Z/xQ==,type:str]
+          autoDiscoverUrl: ENC[AES256_GCM,data:YxqoKonuM10Fawz8qJiOVILsoJDKuRotf4SHw/Vvw0srWvc26rpwzKoP+kj1u/UFv6pDmnBvrAgYVPGyJt/e4TgmsPDYfH6D0IVngaFLI5KDRll5aIUaAeQ=,iv:4U9CIgObfPwuqi/vxky4pNkL9R4BbStJ3YQ3MBH8LYo=,tag:Ouwcj0tjKu7eykoT3Rnkwg==,type:str]
+          iconUrl: ENC[AES256_GCM,data:OmHXFvlKnclwjbTc9AXbcMZOb7qW7om7Tgf7b3uHLgOmakuyTq7QhXM3oFQN+T/+J+Cna8MP27coLBDW8TL7RefT1TapSA==,iv:py3p4kh90W6BgAHmI2MIBu92y90M8QhQDmic0pX3m5c=,tag:yqci0Lu7K16/JBlJGkoXng==,type:str]
+          scopes: ENC[AES256_GCM,data:IvNV7Q+7vPJn7EJZ7Q==,iv:S/aUhW0ASL4yAwe9IaeYdjokHrE+4MViEAGa+5wQlyY=,tag:OxkVQCSfjCQePnJqt+EcNg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDeU9sbjV2b0JjcVZsbFUv
+            OWpSYVhBSlBrR2FOVWlDZnhTRk84YmlpK3hRClBZeTQvclE1VkhkMkltbjMrN3Vk
+            cko2M2VsNkpNSjhPZExUUTB4enV6WTQKLS0tIHdOV0FidU5wN0ltNTVlNVF6MVJB
+            ajlnQzNTK3NzcnJZN0FGVmx1VjhQVk0K2m9pzSB9gqIkOLBr/WwnrZfcj5633tFJ
+            PI+H+aXZwJtKuN4YOw0rlp5Jp4iQ9aD/9TLqYT6xQJbU1nibqCca1w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-07-21T12:10:40Z"
+    mac: ENC[AES256_GCM,data:JlINn9gcMkhLNbCuOmfrnhB5f2K94KO+8qSOeKf5KjeJFv5AmGP/ssCPVRxko8Mi68l7JueggjTLJUgRRuLr2JdH9lI3URK8Oh63d5iYbn/y0LIPJC//mw/WWrNO15H5tR4dt1vPOzi0KwozvpLt0R8SYYwU+IIF3Ej/kG2KMyk=,iv:ZKsYYVkeCjvPptzH00V2SFKFQ0St/TOnxSAbqWpWWZI=,tag:NSG4lsk+Adglo3R/e8ZceA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0

values/badhouseplants/values.argocd.yaml

@@ -63,6 +63,18 @@ server:
   servicePort:
     servicePortHttp: 80
     servicePortHttps: 80
+  ingressGrpc:
+    enabled: true
+    annotations:
+      kubernetes.io/tls-acme: "true"
+      kubernetes.io/ingress.allow-http: "false"
+      kubernetes.io/ingress.global-static-ip-name: ""
+      cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+    ingressClassName: traefik
+    hostname: "argogrpc.badhouseplants.net"
+    path: /
+    pathType: Prefix
+    tls: true
 
 repoServer:
   metrics:

values/badhouseplants/values.gitea-archived.yaml

@@ -0,0 +1,151 @@
+# ------------------------------------------
+# -- Database extension is used to manage
+# --  database with db-operator
+# ------------------------------------------
+ext-database:
+  enabled: true
+  name: gitea-postgres16
+  instance: postgres16-gitea
+
+traefik:
+  enabled: true
+  tcpRoutes:
+    - name: gitea-ssh
+      service: gitea-archived-ssh
+      match: HostSNI(`*`) 
+      entrypoint: ssh
+      port: 22
+# ------------------------------------------
+# -- Kubernetes related values
+# ------------------------------------------
+ingress:
+  enabled: true
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    kubernetes.io/tls-acme: "true"
+    kubernetes.io/ingress.allow-http: "false"
+    kubernetes.io/ingress.global-static-ip-name: ""
+    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+  hosts:
+    - host: git.badhouseplants.net
+      paths:
+        - path: /
+          pathType: Prefix
+  tls:
+    - secretName: gitea-tls-secret
+      hosts:
+        - git.badhouseplants.net
+replicaCount: 1
+clusterDomain: cluster.local
+
+resources:
+  limits:
+    cpu: 512m
+    memory: 1024Mi
+  requests:
+    cpu: 512m
+    memory: 256Mi
+
+persistence:
+  enabled: true
+  size: 15Gi
+  accessModes:
+    - ReadWriteOnce
+
+# ------------------------------------------
+# -- Main Gitea settings
+# ------------------------------------------
+gitea:
+  metrics:
+    enabled: true
+    serviceMonitor:
+    # -- TODO(@allanger): Enable it once prometheus is configured
+      enabled: false
+  config:
+    database:
+      DB_TYPE: postgres
+      HOST: postgres16-gitea-postgresql.databases.svc.cluster.local
+      NAME: applications-gitea-postgres16
+      USER: applications-gitea-postgres16
+    APP_NAME: Bad Houseplants Gitea
+    ui:
+      meta:
+        AUTHOR: Bad Houseplants
+        DESCRIPTION: ...by allanger
+    repository:
+      DEFAULT_BRANCH: main
+      MAX_CREATION_LIMIT: 0
+      DISABLED_REPO_UNITS: repo.wiki
+    service:
+      DISABLE_REGISTRATION: false
+    server:
+      DOMAIN: git.badhouseplants.net
+      ROOT_URL: https://git.badhouseplants.net
+      LFS_START_SERVER: true
+      LANDING_PAGE: explore
+      START_SSH_SERVER: true
+    admin:
+      DISABLE_REGULAR_ORG_CREATION: true
+    packages:
+      ENABLED: true
+    cron:
+      enabled: true
+    attachment:
+      MAX_SIZE: 100
+    actions:
+      ENABLED: true
+    oauth2_client:
+      REGISTER_EMAIL_CONFIRM: false
+      ENABLE_AUTO_REGISTRATION: true
+    session:
+      PROVIDER: redis
+    cache:
+      ENABLED: true
+      ADAPTER: redis
+    queue:
+      TYPE: redis
+    mailer:
+      ENABLED: true
+      FROM: gitea@badhouseplants.net
+      PROTOCOL: smtp+startls
+      SMTP_ADDR: badhouseplants.net
+      SMTP_PORT: 587
+      USER: overlord@badhouseplants.net
+    indexer:
+      REPO_INDEXER_ENABLED: true
+      REPO_INDEXER_PATH: indexers/repos.bleve
+      MAX_FILE_SIZE: 1048576
+      REPO_INDEXER_EXCLUDE: resources/bin/**
+    picture:
+      ENABLE_FEDERATED_AVATAR: false
+service:
+  ssh:
+    type: ClusterIP
+    port: 22
+    clusterIP:
+# ------------------------------------------
+# -- Disabled dependencies
+# ------------------------------------------
+postgresql-ha:
+  enabled: false
+redis-cluster:
+  enabled: false
+
+    # extraDeploy:
+    #   - |
+    #       {{- if $.Capabilities.APIVersions.Has "traefik.io/v1alpha1/IngressRouteTCP" }}
+    #       apiVersion: traefik.io/v1alpha1
+    #       kind: IngressRouteTCP
+    #       metadata:
+    #         name: {{ include "gitea.fullname" . }}-ssh
+    #       spec:
+    #         entryPoints:
+    #           - ssh
+    #         routes:
+    #           - match: HostSNI('*')
+    #             services:
+    #               - name: "{{ include "gitea.fullname" . }}-ssh"
+    #                 port: 22
+    #                 nativeLB: true
+    #       {{- end }}

values/badhouseplants/values.gitea.yaml

@@ -51,7 +51,7 @@ persistence:
   enabled: true
   size: 15Gi
   accessModes:
-    - ReadWriteOnce
+    - ReadWriteMany
 
 # ------------------------------------------
 # -- Main Gitea settings

values/badhouseplants/values.mailu.yaml

@@ -91,6 +91,10 @@ front:
       value: "mail"
     - name: REAL_IP_FROM
       value: "192.168.0.0/16,10.43.0.0/16"
+    - name: AUTH_RATELIMIT_IP
+      value: 100/hour
+    - name: AUTH_RATELIMIT_USER
+      value: 50/day
 admin:
   resources:
     requests:

values/badhouseplants/values.traefik.yaml

@@ -1,8 +1,5 @@
 globalArguments:
   - "--serversTransport.insecureSkipVerify=true"
-service:
-  spec:
-    externalTrafficPolicy: Local
 ports:
   web:
     redirectTo: