homelab-nomad/services/gitea.tf

module "gitea" {
  source = "./service"

  name  = "git"
  image = "gitea/gitea:1.21"

  resources = {
    cpu    = 200
    memory = 512
  }

  env = {
    # Custom files should be part of the task
    GITEA_WORK_DIR = "$${NOMAD_TASK_DIR}"
    GITEA_CUSTOM   = "$${NOMAD_TASK_DIR}/custom"
  }

  ingress      = true
  service_port = 3000
  use_wesher   = var.use_wesher
  ports = [
    {
      name = "ssh"
      to   = 22
    }
  ]
  service_check = {
    path = "/api/healthz"
  }

  custom_services = [
    {
      name = "git-ssh"
      port = "ssh"
      tags = [
        "traefik.enable=true",
        "traefik.tcp.routers.git-ssh.entryPoints=gitssh",
        "traefik.tcp.routers.git-ssh.rule=HostSNI(`*`)",
        "traefik.tcp.routers.git-ssh.tls=false",
      ]
    },
  ]

  use_smtp = true
  mysql_bootstrap = {
    enabled = true
  }

  host_volumes = [
    {
      name      = "gitea-data"
      dest      = "/data"
      read_only = false
    },
  ]

  # TODO: Bootstrap OIDC with
  # su -- git gitea admin auth add-oauth --name authelia --provider openidConnect --key gitea --secret "{{ .oidc_secret }}" --auto-discover-url https://authelia.thefij.rocks/.well-known/openid-configuration --skip-local-2fa

  templates = [
    {
      data  = <<EOF
{{ with nomadVar "nomad/jobs/git" }}
GITEA__server__DOMAIN=git.thefij.rocks
GITEA__server__SSH_PORT=2222
GITEA__server__ROOT_URL=https://git.thefij.rocks

GITEA__security__INSTALL_LOCK=true

GITEA__database__DB_TYPE=mysql
GITEA__database__HOST=127.0.0.1:3306
GITEA__database__NAME={{ .db_name }}
GITEA__database__USER={{ .db_user }}

GITEA__service__DISABLE_REGISTRATION=false
GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=true
GITEA__service__SHOW_REGISTRATION_BUTTON=false

GITEA__openid__ENABLE_OPENID_SIGNIN=true
GITEA__openid__ENABLE_OPENID_SIGNUP=true
GITEA__openid__WHITELISTED_URIS=authelia.thefij.rocks

GITEA__log__ROOT_PATH={{ env "NOMAD_TASK_DIR" }}/log

GITEA__mailer__ENABLED=true
GITEA__mailer__FROM={{ .smtp_sender }}

GITEA__session__provider=db
{{ end }}
EOF
      env   = true
      mount = false
      dest  = "env"
    },
    # TODO: Gitea writes these out to the ini file in /local anyway
    # Find some way to get it to write to /secrets
    {
      data        = <<EOF
{{ with nomadVar "nomad/jobs/git" }}
GITEA__security__SECRET_KEY="{{ .secret_key }}"
GITEA__database__PASSWD={{ .db_pass }}
{{ end }}
{{ with nomadVar "secrets/smtp" }}
GITEA__mailer__SMTP_ADDR={{ .server }}
GITEA__mailer__SMTP_PORT={{ .port }}
GITEA__mailer__USER={{ .user }}
GITEA__mailer__PASSWD={{ .password }}
{{ end }}
      EOF
      env         = true
      mount       = false
      dest        = "env"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
    }
  ]
}