Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 Gitea Actions Bot
|
85f9fff442 |
@@ -30,21 +30,6 @@ data:
|
||||
fi
|
||||
}
|
||||
|
||||
delete_rule() {
|
||||
local table_args=()
|
||||
if [ "${1:-}" = "-t" ]; then
|
||||
table_args=("$1" "$2")
|
||||
shift 2
|
||||
fi
|
||||
|
||||
local chain="$1"
|
||||
shift
|
||||
|
||||
while iptables "${table_args[@]}" -D "${chain}" "$@" >/dev/null 2>&1; do
|
||||
true
|
||||
done
|
||||
}
|
||||
|
||||
ensure_append_rule() {
|
||||
local table_args=()
|
||||
if [ "${1:-}" = "-t" ]; then
|
||||
@@ -71,7 +56,6 @@ data:
|
||||
|
||||
sysctl -w net.ipv4.ip_forward=1
|
||||
|
||||
delete_rule INPUT -i tailscale0 -p udp -m comment --comment amneziawg-block-tailscale -j DROP
|
||||
ensure_insert_rule INPUT -i "${EXT_IF}" -p udp --dport "${PORT}" -m comment --comment amneziawg-allow-external -j ACCEPT
|
||||
ensure_insert_rule INPUT -i tailscale0 -p udp --dport "${PORT}" -m comment --comment amneziawg-block-tailscale -j DROP
|
||||
ensure_append_rule INPUT -i awg0 -m comment --comment amneziawg-awg-input -j ACCEPT
|
||||
@@ -116,7 +100,6 @@ data:
|
||||
fi
|
||||
|
||||
delete_rule INPUT -i tailscale0 -p udp --dport "${PORT}" -m comment --comment amneziawg-block-tailscale -j DROP
|
||||
delete_rule INPUT -i tailscale0 -p udp -m comment --comment amneziawg-block-tailscale -j DROP
|
||||
delete_rule INPUT -i awg0 -m comment --comment amneziawg-awg-input -j ACCEPT
|
||||
delete_rule FORWARD -i awg0 -m comment --comment amneziawg-forward-in -j ACCEPT
|
||||
delete_rule FORWARD -o awg0 -m comment --comment amneziawg-forward-out -j ACCEPT
|
||||
|
||||
@@ -41,18 +41,18 @@ spec:
|
||||
- name: GITEA__service__REGISTER_MANUAL_CONFIRM
|
||||
value: "true"
|
||||
- name: GITEA__service__ENABLE_CAPTCHA
|
||||
value: "true"
|
||||
- name: GITEA__service__REQUIRE_CAPTCHA_FOR_LOGIN
|
||||
value: "false"
|
||||
- name: GITEA__service__REQUIRE_CAPTCHA_FOR_LOGIN
|
||||
value: "true"
|
||||
- name: GITEA__service__REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA
|
||||
value: "true"
|
||||
- name: GITEA__service__CAPTCHA_TYPE
|
||||
value: "cfturnstile"
|
||||
value: "hcaptcha"
|
||||
- name: GITEA__webhook__ALLOWED_HOST_LIST
|
||||
value: "*"
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: gitea-runner-act-runner-secrets
|
||||
name: gitea-recapcha-creds
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 3000
|
||||
|
||||
@@ -13,10 +13,6 @@ spec:
|
||||
data:
|
||||
token: |-
|
||||
{{ .password }}
|
||||
GITEA__service__CF_TURNSTILE_SITEKEY: |-
|
||||
{{ .CF_TURNSTILE_SITEKEY }}
|
||||
GITEA__service__CF_TURNSTILE_SECRET: |-
|
||||
{{ .CF_TURNSTILE_SECRET }}
|
||||
data:
|
||||
- secretKey: password
|
||||
sourceRef:
|
||||
@@ -26,19 +22,38 @@ spec:
|
||||
remoteRef:
|
||||
key: e475b5ab-ea3c-48a5-bb4c-a6bc552fc064
|
||||
property: login.password
|
||||
- secretKey: CF_TURNSTILE_SITEKEY
|
||||
|
||||
---
|
||||
apiVersion: external-secrets.io/v1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: gitea-recapcha-creds
|
||||
spec:
|
||||
refreshInterval: 1m
|
||||
target:
|
||||
name: gitea-recapcha-creds
|
||||
deletionPolicy: Delete
|
||||
template:
|
||||
type: Opaque
|
||||
data:
|
||||
GITEA__service__HCAPTCHA_SITEKEY: |-
|
||||
{{ .HCAPTCHA_SITEKEY }}
|
||||
GITEA__service__HCAPTCHA_SECRET: |-
|
||||
{{ .HCAPTCHA_SECRET }}
|
||||
data:
|
||||
- secretKey: HCAPTCHA_SITEKEY
|
||||
sourceRef:
|
||||
storeRef:
|
||||
name: vaultwarden-login
|
||||
kind: ClusterSecretStore
|
||||
remoteRef:
|
||||
key: e475b5ab-ea3c-48a5-bb4c-a6bc552fc064
|
||||
property: fields[0].value
|
||||
- secretKey: CF_TURNSTILE_SECRET
|
||||
key: 89c8d8d2-6b53-42c5-805f-38a341ef163e
|
||||
property: login.username
|
||||
- secretKey: HCAPTCHA_SECRET
|
||||
sourceRef:
|
||||
storeRef:
|
||||
name: vaultwarden-login
|
||||
kind: ClusterSecretStore
|
||||
remoteRef:
|
||||
key: e475b5ab-ea3c-48a5-bb4c-a6bc552fc064
|
||||
property: fields[1].value
|
||||
key: 89c8d8d2-6b53-42c5-805f-38a341ef163e
|
||||
property: login.password
|
||||
@@ -5,6 +5,6 @@ resources:
|
||||
- app.yaml
|
||||
- external-secrets.yaml
|
||||
- deployment.yaml
|
||||
- user-unban-cronjob.yaml
|
||||
- service.yaml
|
||||
- ingress.yaml
|
||||
|
||||
|
||||
@@ -1,60 +0,0 @@
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: gitea-user-unban
|
||||
labels:
|
||||
app: gitea-user-unban
|
||||
spec:
|
||||
schedule: "*/10 * * * *"
|
||||
concurrencyPolicy: Forbid
|
||||
successfulJobsHistoryLimit: 3
|
||||
failedJobsHistoryLimit: 3
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: gitea-user-unban
|
||||
spec:
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
kubernetes.io/hostname: master.tail2fe2d.ts.net
|
||||
volumes:
|
||||
- name: storage
|
||||
hostPath:
|
||||
path: /k8s/gitea
|
||||
type: Directory
|
||||
containers:
|
||||
- name: sqlite-unban
|
||||
image: 'gitea/gitea:latest'
|
||||
imagePullPolicy: IfNotPresent
|
||||
resources:
|
||||
requests:
|
||||
memory: "32Mi"
|
||||
cpu: "10m"
|
||||
limits:
|
||||
memory: "128Mi"
|
||||
cpu: "100m"
|
||||
command:
|
||||
- /bin/sh
|
||||
- -ec
|
||||
- |
|
||||
sqlite3 -cmd ".timeout 30000" /data/gitea/gitea.db "
|
||||
UPDATE \"user\"
|
||||
SET is_active = 1,
|
||||
prohibit_login = 0,
|
||||
updated_unix = unixepoch()
|
||||
WHERE lower(email) = lower('ab@hexor.cy')
|
||||
AND (is_active <> 1 OR prohibit_login <> 0);
|
||||
|
||||
SELECT printf(
|
||||
'gitea user watchdog: id=%d login=%s email=%s is_active=%d prohibit_login=%d updated_unix=%d',
|
||||
id, lower_name, email, is_active, prohibit_login, updated_unix
|
||||
)
|
||||
FROM \"user\"
|
||||
WHERE lower(email) = lower('ab@hexor.cy');
|
||||
"
|
||||
volumeMounts:
|
||||
- name: storage
|
||||
mountPath: /data
|
||||
@@ -1,45 +0,0 @@
|
||||
---
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: auth-proxy
|
||||
spec:
|
||||
forwardAuth:
|
||||
address: http://auth-proxy.auth-proxy.svc:80/auth
|
||||
trustForwardHeader: true
|
||||
authResponseHeaders:
|
||||
- X-Auth-Request-User
|
||||
- X-Auth-Request-Email
|
||||
- X-Auth-Request-Groups
|
||||
---
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: prometheus
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt
|
||||
spec:
|
||||
entryPoints:
|
||||
- websecure
|
||||
routes:
|
||||
- match: Host(`prom.hexor.cy`)
|
||||
kind: Rule
|
||||
middlewares:
|
||||
- name: auth-proxy
|
||||
services:
|
||||
- name: prometheus-kube-prometheus-prometheus
|
||||
port: 9090
|
||||
tls:
|
||||
secretName: prometheus-tls
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: prometheus-tls
|
||||
spec:
|
||||
secretName: prometheus-tls
|
||||
issuerRef:
|
||||
name: letsencrypt
|
||||
kind: ClusterIssuer
|
||||
dnsNames:
|
||||
- prom.hexor.cy
|
||||
@@ -4,7 +4,6 @@ kind: Kustomization
|
||||
resources:
|
||||
- persistentVolume.yaml
|
||||
- external-secrets.yaml
|
||||
- ingress.yaml
|
||||
- grafana-alerting-configmap.yaml
|
||||
- alertmanager-config.yaml
|
||||
- dashboards/telemt-dashboard-cm.yaml
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
|
||||
alertmanager:
|
||||
config:
|
||||
global:
|
||||
@@ -24,7 +25,7 @@ alertmanager:
|
||||
{{ end }}
|
||||
|
||||
ingress:
|
||||
enabled: false
|
||||
enabled: true
|
||||
ingressClassName: traefik
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt
|
||||
@@ -45,7 +46,7 @@ alertmanager:
|
||||
|
||||
prometheus:
|
||||
ingress:
|
||||
enabled: false
|
||||
enabled: true
|
||||
ingressClassName: traefik
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt
|
||||
|
||||
@@ -16,10 +16,6 @@ proxy_applications = {
|
||||
domain = "pass.hexor.cy"
|
||||
allowed_groups = ["hexor-admin", "app-pass"]
|
||||
}
|
||||
Prometheus = {
|
||||
domain = "prom.hexor.cy"
|
||||
allowed_groups = ["hexor-admin"]
|
||||
}
|
||||
}
|
||||
|
||||
oauth2_applications = {
|
||||
|
||||
Reference in New Issue
Block a user