---
# TLS certificate for the public Gitea hostname, issued by cert-manager through
# the cluster-wide "default" issuer. The resulting secret (git-tls) is mounted
# by the StatefulSet below at /cert, and Gitea terminates TLS with it directly
# (GITEA__SERVER__CERT_FILE / KEY_FILE).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: gitea
  namespace: gitea
spec:
  dnsNames:
    - git.k-space.ee
  issuerRef:
    kind: ClusterIssuer
    name: default
  # Secret consumed by the "cert" volume in the StatefulSet; must live in the
  # same namespace as the pod.
  secretName: git-tls
---
# In-cluster generated random value backing GITEA__SECURITY__SECRET_KEY in the
# StatefulSet below (read via secretKeyRef name gitea-security-secret-key,
# key "secret"). Generating it here keeps the value out of version control.
# NOTE(review): no metadata.namespace is set, unlike the Certificate and
# Service in this file; the consuming pod must be applied into the same
# namespace as this claim.
apiVersion: codemowers.cloud/v1beta1
kind: SecretClaim
metadata:
  name: gitea-security-secret-key
spec:
  # 32 units of random material (presumably bytes — confirm against the
  # SecretClaim controller's documentation).
  size: 32
  mapping:
    # Python %-style placeholder that the controller presumably substitutes
    # with the generated plaintext.
    - key: secret
      value: "%(plaintext)s"
---
# In-cluster generated random value backing GITEA__SECURITY__INTERNAL_TOKEN in
# the StatefulSet below (read via secretKeyRef name
# gitea-security-internal-token, key "secret").
# NOTE(review): no metadata.namespace is set, unlike the Certificate and
# Service in this file; the consuming pod must be applied into the same
# namespace as this claim.
apiVersion: codemowers.cloud/v1beta1
kind: SecretClaim
metadata:
  name: gitea-security-internal-token
spec:
  # 32 units of random material (presumably bytes — confirm against the
  # SecretClaim controller's documentation).
  size: 32
  mapping:
    # Python %-style placeholder that the controller presumably substitutes
    # with the generated plaintext.
    - key: secret
      value: "%(plaintext)s"
---
# Registers Gitea as an OIDC client on the cluster's OIDC gateway. How the
# issued client id/secret reach Gitea is not visible in this file.
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWClient
metadata:
  name: gitea
spec:
  displayName: Gitea
  # Gitea's OAuth2 auth-source endpoint; "OpenID" is presumably the name of the
  # auth source configured inside Gitea, and the callback follows Gitea's
  # /user/oauth2/<name>/callback pattern.
  uri: https://git.k-space.ee/user/oauth2/OpenID
  redirectUris:
    - https://git.k-space.ee/user/oauth2/OpenID/callback
  # Only members of these groups are let through to Gitea. Group semantics are
  # defined by the gateway controller, not here.
  allowedGroups:
    - k-space:floor
    - k-space:friends
  # Standard authorization-code flow with refresh tokens.
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  availableScopes:
    - openid
    - profile
  # NOTE(review): PKCE is disabled, so the code exchange relies on the client
  # secret alone. Confirm whether the gateway and the Gitea version in use can
  # negotiate PKCE; if so, prefer enabling it.
  pkce: false
---
# Gitea application pod. All configuration is injected as GITEA__SECTION__KEY
# environment variables; the rootless image is expected to render them into
# app.ini under /etc/gitea at start-up (TODO confirm for this image tag).
# NOTE(review): no metadata.namespace is set, unlike the Certificate and
# Service in this file. The "cert" volume needs secret git-tls, which the
# Certificate creates in namespace gitea, so this must be applied there.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: gitea
  labels:
    app.kubernetes.io/name: gitea
spec:
  # Keep no old ControllerRevisions around.
  revisionHistoryLimit: 0
  serviceName: gitea
  # Must stay at 1: sessions are file-based (GITEA__SESSION__PROVIDER=file)
  # and the data PVC is ReadWriteOnce.
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: gitea
  template:
    metadata:
      labels:
        app.kubernetes.io/name: gitea
    spec:
      # No <SERVICE>_SERVICE_HOST/PORT variables injected into the pod env.
      enableServiceLinks: false
      # Run as the unprivileged uid/gid of the rootless image; fsGroup makes
      # the data PVC group-writable for it.
      securityContext:
        fsGroup: 1000
        runAsUser: 1000
        runAsGroup: 1000
        runAsNonRoot: true
      containers:
        - name: gitea
          # Exact version pin, rootless variant.
          image: gitea/gitea:1.20.2-rootless
          imagePullPolicy: IfNotPresent
          securityContext:
            # Every writable path is an explicit volume below
            # (/tmp, /etc/gitea, /var/lib/gitea).
            readOnlyRootFilesystem: true
          env:
            # --- repository / admin --------------------------------------
            # Releases and wiki are switched off on all repositories.
            - name: GITEA__REPOSITORY__DISABLED_REPO_UNITS
              value: repo.releases,repo.wiki
            # Non-admin users may not create organizations.
            - name: GITEA__ADMIN__DISABLE_REGULAR_ORG_CREATION
              value: "true"
            # --- server: built-in SSH ------------------------------------
            # Host keys for Gitea's own SSH server. Paths are relative;
            # presumably resolved under the data directory — confirm.
            - name: GITEA__SERVER__SSH_SERVER_HOST_KEYS
              value: ssh/gitea.rsa,ssh/gitea.ecdsa,ssh/gitea.ed25519
            - name: GITEA__SERVER__START_SSH_SERVER
              value: "true"
            # --- server: TLS terminated by Gitea itself ------------------
            # Certificate and key come from the git-tls secret mounted at /cert.
            - name: GITEA__SERVER__CERT_FILE
              value: "/cert/tls.crt"
            - name: GITEA__SERVER__KEY_FILE
              value: "/cert/tls.key"
            # Port advertised in SSH clone URLs. The container listens on 2222
            # (see ports); the Service maps 22 -> 2222.
            - name: GITEA__SERVER__SSH_PORT
              value: "22"
            - name: GITEA__SERVER__PROTOCOL
              value: https
            # Plain-HTTP listener on 8080 that only redirects to https; the
            # Service exposes it as port 80.
            - name: GITEA__SERVER__REDIRECT_OTHER_PORT
              value: "true"
            - name: GITEA__SERVER__PORT_TO_REDIRECT
              value: "8080"
            - name: GITEA__SERVER__DOMAIN
              value: git.k-space.ee
            - name: GITEA__SERVER__SSH_DOMAIN
              value: git.k-space.ee
            # Bind all interfaces so the Service can reach the pod.
            - name: GITEA__SERVER__HTTP_ADDR
              value: 0.0.0.0
            - name: GITEA__SERVER__ROOT_URL
              value: https://git.k-space.ee
            # -1 disables DSA user keys entirely.
            # NOTE(review): the literal "." in the section name relies on the
            # image's environment-to-ini accepting it (Gitea documents an
            # _0X2E_ escape for dots); verify the setting lands in app.ini.
            - name: GITEA__SSH.MINIMUM_KEY_SIZES__DSA
              value: "-1"
            # --- database ------------------------------------------------
            - name: GITEA__DATABASE__DB_TYPE
              value: mysql
            - name: GITEA__DATABASE__HOST
              value: mariadb.infra.k-space.ee:3306
            - name: GITEA__DATABASE__NAME
              value: kspace_git
            - name: GITEA__DATABASE__USER
              value: kspace_git
            # NOTE(review): the DB connection is unencrypted; credentials and
            # repository metadata cross the network in clear. Acceptable only
            # if the path to mariadb.infra.k-space.ee is trusted — otherwise
            # enable TLS on this connection.
            - name: GITEA__DATABASE__SSL_MODE
              value: disable
            - name: GITEA__DATABASE__LOG_SQL
              value: "false"
            # --- security / service ----------------------------------------
            # Installer is locked so the setup page cannot be reached.
            - name: GITEA__SECURITY__INSTALL_LOCK
              value: "true"
            - name: GITEA__SERVICE__REGISTER_EMAIL_CONFIRM
              value: "true"
            # Self-registration is off; accounts come from elsewhere (the OIDC
            # client above is the likely source — not verifiable from here).
            - name: GITEA__SERVICE__DISABLE_REGISTRATION
              value: "true"
            - name: GITEA__SERVICE__ENABLE_NOTIFY_MAIL
              value: "true"
            # --- mailer ----------------------------------------------------
            # Port 465 is conventionally SMTPS; no mailer PROTOCOL is set, so
            # Gitea presumably infers it from the port — confirm.
            - name: GITEA__MAILER__ENABLED
              value: "true"
            - name: GITEA__MAILER__HOST
              value: mail.k-space.ee:465
            - name: GITEA__MAILER__FROM
              value: Gitea <git@k-space.ee>
            - name: GITEA__MAILER__USER
              value: git
            - name: GITEA__MAILER__USE_PLAIN_TEXT
              value: "false"
            # --- session / logging / cron ----------------------------------
            # File-backed sessions live on this pod's storage (one replica).
            - name: GITEA__SESSION__PROVIDER
              value: file
            # Session cookie is only sent over HTTPS.
            - name: GITEA__SESSION__COOKIE_SECURE
              value: "true"
            - name: GITEA__LOG__ENABLE_XORM_LOG
              value: "false"
            - name: GITEA__CRON__ENABLED
              value: "true"
            # --- secrets ---------------------------------------------------
            # gitea-secrets is not defined in this file; it must already exist
            # in the target namespace with these three keys.
            - name: GITEA__DATABASE__PASSWD
              valueFrom:
                secretKeyRef:
                  name: gitea-secrets
                  key: GITEA__DATABASE__PASSWD
            - name: GITEA__MAILER__PASSWD
              valueFrom:
                secretKeyRef:
                  name: gitea-secrets
                  key: GITEA__MAILER__PASSWD
            - name: GITEA__OAUTH2__JWT_SECRET
              valueFrom:
                secretKeyRef:
                  name: gitea-secrets
                  key: GITEA__OAUTH2__JWT_SECRET
            # The two values below are produced by the SecretClaims at the top
            # of this file (key "secret").
            - name: GITEA__SECURITY__INTERNAL_TOKEN
              valueFrom:
                secretKeyRef:
                  name: gitea-security-internal-token
                  key: secret
            - name: GITEA__SECURITY__SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: gitea-security-secret-key
                  key: secret
          ports:
            # Redirect-only plain-HTTP listener (PORT_TO_REDIRECT).
            - containerPort: 8080
              name: http
            # Gitea's default HTTP_PORT (not overridden here); serves TLS
            # because PROTOCOL is https.
            - containerPort: 3000
              name: https
            # Built-in SSH server. SSH_LISTEN_PORT is not set here; 2222 is
            # the rootless image's default — confirm.
            - containerPort: 2222
              name: ssh
          volumeMounts:
            - mountPath: /tmp
              name: tmp
            - mountPath: /etc/gitea
              name: etc
            - mountPath: /cert
              name: cert
            - mountPath: /var/lib/gitea
              name: data
      volumes:
        # Scratch space and the rendered config; emptyDir contents do not
        # survive pod re-creation, so /etc/gitea is regenerated from env.
        - name: tmp
          emptyDir: {}
        - name: etc
          emptyDir: {}
        # cert-manager output from the Certificate above.
        - name: cert
          secret:
            secretName: git-tls
  volumeClaimTemplates:
    # Repositories and other persistent state under /var/lib/gitea.
    - metadata:
        name: data
      spec:
        accessModes:
          - ReadWriteOnce
        storageClassName: gitea
        resources:
          requests:
            storage: 10Gi
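---
# Public entry point for Gitea. external-dns publishes the LoadBalancer address
# under git.k-space.ee; TLS is not terminated here but by Gitea itself (port
# 443 is passed straight to the container's https listener).
apiVersion: v1
kind: Service
metadata:
  name: gitea
  namespace: gitea
  annotations:
    external-dns.alpha.kubernetes.io/hostname: git.k-space.ee
spec:
  type: LoadBalancer
  # Local preserves the client source IP (no SNAT via another node), so
  # Gitea's logs show real client addresses.
  externalTrafficPolicy: Local
  selector:
    app.kubernetes.io/name: gitea
  # Sequence indented to match the rest of this file.
  ports:
    # SSH clone traffic: advertised port 22 (GITEA__SERVER__SSH_PORT) to the
    # built-in SSH server listening on 2222.
    - port: 22
      name: ssh
      targetPort: 2222
    # Plain HTTP only reaches Gitea's redirect listener (PORT_TO_REDIRECT).
    - port: 80
      name: http
      targetPort: 8080
    # HTTPS served by Gitea with the cert-manager certificate mounted at /cert.
    - port: 443
      name: https
      targetPort: 3000
  # Pins a client to one pod; inert at replicas: 1 but harmless.
  sessionAffinity: ClientIP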