# Gitea deployment module: declares two persistent volumes, a container image
# built from the flake's NixNG configuration, and Terraform-style `resource`
# entries (kubernetes_namespace / kubernetes_manifest) for the namespace,
# Deployment, Service, ReferenceGrant, Istio AuthorizationPolicy and HTTPRoute.
{ pkgs, inputs, tflib, elib, ... }:
let
  copyNixNGImage = elib.copyNixNGImage;
  pvAndPvc = elib.kube.pvAndPvc;
  tf = tflib.tf;

  app = "gitea";
  ns = "gitea";
  ingressNs = "ingress";
  httpPort = 3000;
  servicePort = 80;

  # Metadata shared by every object that lives in the gitea namespace.
  meta = {
    name = app;
    namespace = ns;
  };
  appLabel = { inherit app; };

  # Both volumes go through the project's pvAndPvc helper with a hostPath.
  # Presumably this yields node-local hostPath PersistentVolumes (confirm in
  # elib.kube). If so, protection of the repository and database files rests
  # on the permissions of the host directories and on backups taken outside
  # the cluster.
  localVolume = name: capacity: hostPath:
    pvAndPvc {
      inherit name capacity hostPath;
      namespace = ns;
      labels = { type = "local"; };
    };

  # Image whose entrypoint is the `init` of the flake's NixNG gitea system.
  giteaImage =
    (inputs.nix-snapshotter.packages.${pkgs.stdenv.system}.nix-snapshotter.buildImage {
      name = "gitea";
      resolvedByNix = true;
      config = {
        entrypoint = [
          "${inputs.self.nixngConfigurations.gitea.config.system.build.toplevel}/init"
        ];
      };
    }).image;
in
{
  imports = [
    (localVolume "gitea-data" "20Gi" "/data/gitea/data")
    (localVolume "gitea-database" "2Gi" "/data/gitea/database")
    (copyNixNGImage {
      name = "gitea";
      image = giteaImage;
      hosts = [ "blowhole.hosts.in.redalder.org" ];
    })
  ];

  resource = {
    kubernetes_namespace.gitea = {
      metadata = {
        name = ns;
        labels = {
          visibility = "public";
          # has to be kept in sync with `prepare` profile
          "istio.io/rev" = "1-22-0";
        };
      };
    };

    kubernetes_manifest = {
      # Single replica with the Recreate strategy: the old pod is stopped
      # before the new one starts, so the two volumes never have two writers.
      # The one container mounts both /var/lib/gitea and /var/lib/postgresql,
      # so the image apparently runs Gitea and PostgreSQL together (confirm
      # against the NixNG configuration).
      # NOTE(review): no securityContext and no resource requests/limits are
      # set here; whether the NixNG init can run unprivileged is not visible
      # from this file, so check before tightening.
      gitea-deployment.manifest = {
        apiVersion = "apps/v1";
        kind = "Deployment";
        metadata = meta // { labels = appLabel; };
        spec = {
          replicas = 1;
          strategy = { type = "Recreate"; };
          selector = { matchLabels = appLabel; };
          template = {
            metadata = { labels = appLabel; };
            spec = {
              containers = [
                {
                  name = app;
                  # Presumably the data source created by copyNixNGImage
                  # above; verify the name matches.
                  image = tf "data.external.nixng-image-gitea.result.out";
                  ports = [ { containerPort = httpPort; } ];
                  volumeMounts = [
                    {
                      name = "gitea-data";
                      mountPath = "/var/lib/gitea";
                    }
                    {
                      name = "gitea-database";
                      mountPath = "/var/lib/postgresql";
                    }
                  ];
                }
              ];
              volumes = [
                {
                  name = "gitea-data";
                  persistentVolumeClaim = { claimName = "gitea-data"; };
                }
                {
                  name = "gitea-database";
                  persistentVolumeClaim = { claimName = "gitea-database"; };
                }
              ];
            };
          };
        };
      };

      # Only the HTTP port is published: Service port 80 forwards to
      # container port 3000.
      gitea-service.manifest = {
        apiVersion = "v1";
        kind = "Service";
        metadata = meta;
        spec = {
          ports = [
            {
              port = servicePort;
              protocol = "TCP";
              targetPort = httpPort;
            }
          ];
          selector = appLabel;
        };
      };

      # Allows HTTPRoute objects in the ingress namespace to reference the
      # gitea Service in this namespace; the cross-namespace backendRef in
      # the HTTPRoute below depends on it.
      # NOTE(review): v1alpha2 is an early ReferenceGrant API version; check
      # which versions the installed Gateway API CRDs still serve.
      gitea-reference-grant.manifest = {
        apiVersion = "gateway.networking.k8s.io/v1alpha2";
        kind = "ReferenceGrant";
        metadata = meta;
        spec = {
          from = [
            {
              group = "gateway.networking.k8s.io";
              kind = "HTTPRoute";
              namespace = ingressNs;
            }
          ];
          to = [
            {
              group = "";
              kind = "Service";
              name = app;
            }
          ];
        };
      };

      # ALLOW policy on the app=gitea workload: any method and any path, but
      # only from sources in the ingress namespace. With an ALLOW policy
      # attached, requests that match no rule are denied.
      # NOTE(review): Istio derives the source namespace from the peer's mTLS
      # identity, so this rule is only meaningful when traffic from the
      # ingress gateway reaches the pod over mutual TLS; confirm the mesh's
      # PeerAuthentication mode.
      gitea_authorization_policy.manifest = {
        apiVersion = "security.istio.io/v1";
        kind = "AuthorizationPolicy";
        metadata = meta;
        spec = {
          action = "ALLOW";
          rules = [
            {
              from = [ { source.namespaces = [ ingressNs ]; } ];
              to = [
                {
                  operation = {
                    methods = [ "*" ];
                    paths = [ "/*" ];
                  };
                }
              ];
            }
          ];
          selector.matchLabels = appLabel;
        };
      };

      # Route in the ingress namespace: requests for gitea.redalder.org on
      # the `website` parent are sent to the gitea Service on port 80. The
      # rule has no matches or filters, so every path is forwarded.
      gitea-httproute.manifest = {
        apiVersion = "gateway.networking.k8s.io/v1";
        kind = "HTTPRoute";
        metadata = {
          name = app;
          namespace = ingressNs;
        };
        spec = {
          parentRefs = [ { name = "website"; } ];
          hostnames = [ "gitea.redalder.org" ];
          rules = [
            {
              backendRefs = [
                {
                  name = app;
                  namespace = ns;
                  port = servicePort;
                }
              ];
            }
          ];
        };
      };
    };
  };
}