fix: add eli and hansi to ocenographers acl

Update Helm release gatus to v1.4.5

See merge request oceanbox/manifests!71

charts/docs/.helmignore

@@ -0,0 +1,26 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+base/
+prod/
+staging/
+review/

charts/docs/Chart.yaml

@@ -0,0 +1,18 @@
+apiVersion: v2
+name: docs
+description: Oceanbox Documentation
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+version: v0.1.0
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application.
+appVersion: v0.1.0

charts/docs/templates/NOTES.txt

@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "docs.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "docs.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "docs.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "docs.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}

charts/docs/templates/_helpers.tpl

@@ -0,0 +1,63 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "docs.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "docs.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "docs.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "docs.labels" -}}
+helm.sh/chart: {{ include "docs.chart" . }}
+{{ include "docs.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "docs.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "docs.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "docs.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "docs.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}

charts/docs/templates/cluster.yaml

@@ -0,0 +1,24 @@
+{{- if .Values.cluster.enabled -}}
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: {{ include "docs.fullname" . }}
+  annotations:
+    linkerd.io/inject: disabled
+  labels:
+    {{- include "docs.labels" . | nindent 4 }}
+spec:
+  instances: {{ .Values.cluster.instances | default "2" }}
+
+  # Example of rolling update strategy:
+  # - unsupervised: automated update of the primary once all
+  #                 replicas have been upgraded (default)
+  # - supervised: requires manual supervision to perform
+  #               the switchover of the primary
+  primaryUpdateStrategy: unsupervised
+  backup:
+    retentionPolicy: {{ .Values.cluster.backupRetention | default "60d" }}
+
+  storage:
+    size: {{ .Values.cluster.size | default "5Gi" }}
+{{- end }}

charts/docs/templates/deployment.yaml

@@ -0,0 +1,84 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "docs.fullname" . }}
+  labels:
+    {{- include "docs.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "docs.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "docs.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "docs.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          env:
+            - name: LOG_LEVEL
+              value: "3"
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+          - name: data
+            mountPath: /data
+      {{- if .Values.init.enabled }}
+      initContainers:
+      - name: init
+        image: {{ .Values.init.image }}
+        command: {{- toYaml .Values.init.command | nindent 10 }}
+        volumeMounts:
+        - name: data
+          mountPath: /data
+      {{- end }}
+      volumes:
+      - name: data
+      {{- if .Values.persistence.enabled }}
+        persistentVolumeClaim:
+          claimName: {{ .Values.persistence.existingClaim | default (include "docs.fullname" .) }}
+      {{- else }}
+        emptyDir: {}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/docs/templates/hpa.yaml

@@ -0,0 +1,28 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "docs.fullname" . }}
+  labels:
+    {{- include "docs.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "docs.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}

charts/docs/templates/ingress.yaml

@@ -0,0 +1,61 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "docs.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "docs.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: {{ .pathType }}
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+              {{- else }}
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
+              {{- end }}
+          {{- end }}
+    {{- end }}
+{{- end }}

charts/docs/templates/pvc.yaml

@@ -0,0 +1,25 @@
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ template "docs.fullname" . }}
+{{- with .Values.persistence.annotations  }}
+  annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+  labels:
+{{ include "docs.labels" . | indent 4 }}
+spec:
+  accessModes:
+    - {{ .Values.persistence.accessMode | quote }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size | quote }}
+{{- if .Values.persistence.storageClass }}
+{{- if (eq "-" .Values.persistence.storageClass) }}
+  storageClassName: ""
+{{- else }}
+  storageClassName: "{{ .Values.persistence.storageClass }}"
+{{- end }}
+{{- end }}
+{{- end }}

charts/docs/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "docs.fullname" . }}
+  labels:
+    {{- include "docs.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "docs.selectorLabels" . | nindent 4 }}

charts/docs/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "docs.serviceAccountName" . }}
+  labels:
+    {{- include "docs.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

charts/docs/values.yaml

@@ -0,0 +1,82 @@
+# Default values for docs.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+replicaCount: 1
+image:
+  repository:  registry.gitlab.com/oceanbox/documentation
+  tag: v0.1.0
+  pullPolicy: IfNotPresent
+init:
+  enabled: false
+  image: ubuntu:rolling
+  command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "2"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
+imagePullSecrets:
+  - name: gitea-pull-secret
+nameOverride: ""
+fullnameOverride: ""
+serviceAccount:
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+podAnnotations: {}
+podSecurityContext:
+  fsGroup: 2000
+securityContext:
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: false
+  runAsNonRoot: false
+  runAsUser: 0
+service:
+  type: ClusterIP
+  port: 8080
+ingress:
+  enabled: true
+  className: nginx
+persistence:
+  enabled: false
+  size: 1G
+  storageClass: ""
+  accessMode: ReadWriteOnce
+cluster:
+  enabled: false
+  instances: 2
+  backupEnabled: true
+  backupRetention: 60d
+  size: 5Gi
+resources: {}
+# We usually recommend not to specify default resources and to leave this as a conscious
+# choice for the user. This also increases chances charts run on environments with little
+# resources, such as Minikube. If you do want to specify resources, uncomment the following
+# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+# limits:
+#   cpu: 100m
+#   memory: 128Mi
+# requests:
+#   cpu: 100m
+#   memory: 128Mi
+
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 100
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+nodeSelector: {}
+tolerations: []
+affinity: {}

charts/makai/values.yaml

@@ -3,7 +3,7 @@
 # Declare variables to be passed into your templates.
 replicaCount: 1
 image:
-  repository: registry.gitlab.com/oceanbox/makai
+  repository: git.oceanbox.io/oceanbox/makai/makai
   tag: v0.1.0
   pullPolicy: IfNotPresent
 init:

helmfile.d/argo.yaml.gotmpl

@@ -27,7 +27,7 @@ releases:
 - name: argocd-apps
   namespace: argocd
   chart: argo/argocd-apps
-  version: 2.0.3
+  version: 2.0.4
   condition: argo.apps.enabled
   values:
   - ../values/argo/values/apps.yaml.gotmpl

helmfile.d/docs.yaml.gotmpl

@@ -0,0 +1,38 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+commonLabels:
+  tier: oceanbox
+
+releases:
+- name: docs
+  namespace: {{ .Environment.Name }}-docs
+  chart: ../charts/docs
+  condition: docs.enabled
+  values:
+  - ../values/docs/values/values.yaml
+  - ../values/docs/values/values-{{ .Environment.Name }}.yaml
+  postRenderer: ../bin/kustomizer
+  postRendererArgs:
+  - ../values/docs/kustomize/{{ .Environment.Name }}
+  missingFileHandler: Info
+- name: manifests
+  namespace: {{ .Environment.Name }}-docs
+  chart: manifests
+  condition: docs.enabled
+  missingFileHandler: Info
+  values:
+  - ../values/env.yaml
+  - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
+  - ../values/docs/env.yaml.gotmpl
+  - ../values/docs/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+  hooks:
+  - events: [ prepare, cleanup ]
+    showlogs: true
+    command: ../bin/helmify
+    args:
+    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+    - '{{`{{ .Release.Chart }}`}}'
+    - '{{`{{ .Environment.Name }}`}}'
+    - ../values/docs/manifests
+    - manifests

helmfile.d/drupal.yaml.gotmpl

@@ -0,0 +1,43 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+#repositories:
+#- name: drupal
+# url: "https://drupalwxt.github.io/helm-drupal/index.yaml"
+
+commonLabels:
+  tier: system
+
+releases:
+- name: drupal
+  namespace: drupal
+  #chart: drupal/drupal
+  #version: v1.3.0
+  condition: drupal.enabled
+  values:
+  - ../values/drupal/values/drupal.yaml.gotmpl
+  - ../values/drupal/values/drupal-{{ .Environment.Name }}.yaml.gotmpl
+  postRenderer: ../bin/kustomizer
+  postRendererArgs:
+  - ../values/drupal/kustomize/{{ .Environment.Name }}
+  missingFileHandler: Info
+- name: manifests
+  namespace: drupal
+  chart: manifests
+  condition: drupal.enabled
+  missingFileHandler: Info
+  values:
+  - ../values/env.yaml
+  - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
+  - ../values/drupal/env.yaml.gotmpl
+  - ../values/drupal/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+  hooks:
+  - events: [ prepare, cleanup ]
+    showlogs: true
+    command: ../bin/helmify
+    args:
+    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+    - '{{`{{ .Release.Chart }}`}}'
+    - '{{`{{ .Environment.Name }}`}}'
+    - ../values/drupal/manifests
+    - manifests

helmfile.d/gatus.yaml.gotmpl

@@ -12,7 +12,7 @@ releases:
 - name: gatus
   namespace: uptime
   chart: gatus/gatus
-  version: 1.4.4
+  version: 1.4.5
   condition: gatus.enabled
   values:
   - ../values/gatus/values/values.yaml

helmfile.d/gitea.yaml.gotmpl

@@ -2,35 +2,36 @@ bases:
  - ../envs/environments.yaml.gotmpl
 
 repositories:
-  - name: stevehipwell
-    url: 'https://stevehipwell.github.io/helm-charts/'
+- name: gitea
+  oci: true
+  url: docker.gitea.com/charts
 
 commonLabels:
   tier: system
 
 releases:
-- name: nexus3
-  namespace: nexus
-  chart: stevehipwell/nexus3
-  version: 5.9.0
-  condition: nexus.enabled
+- name: gitea
+  namespace: gitea
+  chart: gitea/gitea
+  version: 12.5.0
+  condition: gitea.enabled
   values:
-  - ../values/nexus/values/nexus.yaml.gotmpl
-  - ../values/nexus/values/nexus-{{ .Environment.Name }}.yaml.gotmpl
+  - ../values/gitea/values/values.yaml
+  - ../values/gitea/values/values-{{ .Environment.Name }}.yaml
   postRenderer: ../bin/kustomizer
   postRendererArgs:
-  - ../values/nexus/kustomize/{{ .Environment.Name }}
+  - ../values/gitea/kustomize/{{ .Environment.Name }}
   missingFileHandler: Info
 - name: manifests
-  namespace: nexus
+  namespace: gitea
   chart: manifests
-  condition: nexus.enabled
+  condition: gitea.enabled
   missingFileHandler: Info
   values:
   - ../values/env.yaml
   - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
-  - ../values/nexus/env.yaml.gotmpl
-  - ../values/nexus/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+  - ../values/gitea/env.yaml.gotmpl
+  - ../values/gitea/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
   hooks:
   - events: [ prepare, cleanup ]
     showlogs: true
@@ -39,5 +40,5 @@ releases:
     - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
     - '{{`{{ .Release.Chart }}`}}'
     - '{{`{{ .Environment.Name }}`}}'
-    - ../values/nexus/manifests
+    - ../values/gitea/manifests
     - manifests

helmfile.d/postfix.yaml.gotmpl

@@ -2,36 +2,35 @@ bases:
  - ../envs/environments.yaml.gotmpl
 
 repositories:
-- name: forgejo
-  oci: true
-  url: code.forgejo.org/forgejo-helm
+- name: postfix
+  url: https://bokysan.github.io/docker-postfix
 
 commonLabels:
   tier: system
 
 releases:
-- name: forgejo
-  namespace: forgejo
-  chart: forgejo/forgejo
-  version: 16.0.0
-  condition: forgejo.enabled
+- name: postfix
+  namespace: postfix
+  chart: postfix/mail
+  version: 5.1.0
+  condition: postfix.enabled
   values:
-  - ../values/forgejo/values/values.yaml
-  - ../values/forgejo/values/values-{{ .Environment.Name }}.yaml
+  - ../values/postfix/values/values.yaml
+  - ../values/postfix/values/values-{{ .Environment.Name }}.yaml
   postRenderer: ../bin/kustomizer
   postRendererArgs:
-  - ../values/forgejo/kustomize/{{ .Environment.Name }}
+  - ../values/postfix/kustomize/{{ .Environment.Name }}
   missingFileHandler: Info
 - name: manifests
-  namespace: forgejo
+  namespace: postfix
   chart: manifests
-  condition: forgejo.enabled
+  condition: postfix.enabled
   missingFileHandler: Info
   values:
   - ../values/env.yaml
   - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
-  - ../values/forgejo/env.yaml.gotmpl
-  - ../values/forgejo/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+  - ../values/postfix/env.yaml.gotmpl
+  - ../values/postfix/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
   hooks:
   - events: [ prepare, cleanup ]
     showlogs: true
@@ -40,5 +39,5 @@ releases:
     - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
     - '{{`{{ .Release.Chart }}`}}'
     - '{{`{{ .Environment.Name }}`}}'
-    - ../values/forgejo/manifests
+    - ../values/postfix/manifests
     - manifests

nix/sources.json

@@ -9,15 +9,15 @@
       },
       "branch": "master",
       "submodules": false,
-      "revision": "f0927703b7b1c8d97511c4116eb9b4ec6645a0fa",
-      "url": "https://github.com/cachix/git-hooks.nix/archive/f0927703b7b1c8d97511c4116eb9b4ec6645a0fa.tar.gz",
-      "hash": "sha256-6MkqajPICgugsuZ92OMoQcgSHnD6sJHwk8AxvMcIgTE="
+      "revision": "a1ef738813b15cf8ec759bdff5761b027e3e1d23",
+      "url": "https://github.com/cachix/git-hooks.nix/archive/a1ef738813b15cf8ec759bdff5761b027e3e1d23.tar.gz",
+      "hash": "sha256-Efs3VUPelRduf3PpfPP2ovEB4CXT7vHf8W+xc49RL/U="
     },
     "nixpkgs": {
       "type": "Channel",
       "name": "nixpkgs-unstable",
-      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre927565.13868c071cc7/nixexprs.tar.xz",
-      "hash": "sha256-wufp5c0nWh/87f9eK7xy1eZXms5zd4yl6S4SR+LfA08="
+      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre930822.ed142ab1b3a0/nixexprs.tar.xz",
+      "hash": "sha256-XH6awru9NnBc/m+2YhRNT8r1PAKEiPGF3gs//F3ods0="
     }
   },
   "version": 7

renovate.json

@@ -6,7 +6,6 @@
   "dependencyDashboard": true,
   "semanticCommits": "disabled",
   "ignorePaths": [
-    "**/attic/**",
     "**/bootstrap/**"
   ],
   "helmfile": {

shell.nix

@@ -38,7 +38,7 @@ pkgs.mkShellNoCC {
       # cmctl
       # rclone
       # velero
-      # renovate
+      renovate
 
       # dapr
       dapr-cli
@@ -46,7 +46,7 @@ pkgs.mkShellNoCC {
     ++ checks.enabledPackages;
 
   # Environment variables
-  ARGOCD_ENV_CLUSTER_NAME = "hel1";
+  ARGOCD_ENV_CLUSTER_NAME = "ekman";
   HELM_GIT_ACCESS_TOKEN = "glpat-xxx";
 
   shellHook = builtins.concatStringsSep "\n" [

values/argo/manifests/sys-project.yaml

@@ -88,11 +88,14 @@ spec:
     server: https://kubernetes.default.svc
   - namespace: uptime
     server: https://kubernetes.default.svc
-  - namespace: forgejo
+  - namespace: gitea
+    server: https://kubernetes.default.svc
+  - namespace: postfix
     server: https://kubernetes.default.svc
   sourceRepos:
   - https://argoproj.github.io/argo-helm
   - https://kubernetes-sigs.github.io/metrics-server/
+  - https://git.oceanbox.io/oceanbox/manifests
   - https://gitlab.com/oceanbox/manifests.git
   - https://kubernetes.github.io/ingress-nginx
   - https://cloudnative-pg.github.io/charts
@@ -120,12 +123,13 @@ spec:
   - https://open-telemetry.github.io/opentelemetry-helm-charts
   - https://ghcr.io/slinkyproject/charts/slurm-operator
   - https://ghcr.io/slinkyproject/charts/slurm-operator-crds
+  - https://bokysan.github.io/docker-postfix/
   - ghcr.io/slinkyproject/charts
   - ghcr.io/slinkyproject/charts/slurm-operator
   - ghcr.io/slinkyproject/charts/slurm-operator-crds
   - ghcr.io/spegel-org/helm-charts
   - ghcr.io/dragonflydb/dragonfly-operator/helm/dragonfly-operator
-  - code.forgejo.org/forgejo-helm
+  - docker.gitea.com
   - https://operator.mariadb.com/mariadb-enterprise-operator
   - https://operator.mariadb.com
   - https://ot-container-kit.github.io/helm-charts

values/atlantis/values/values-staging.yaml.gotmpl

@@ -1,6 +1,6 @@
 replicaCount: 1
 image:
-  tag: 503ccbb2-debug
+  tag: 8e824d4a-debug
 podAnnotations:
   dapr.io/app-id: "staging-atlantis"
 env:

values/attic/manifests/attic.yaml

@@ -4,15 +4,15 @@ metadata:
   name: attic
   namespace: argocd
   finalizers:
-  - resources-finalizer.argocd.argoproj.io
+    - resources-finalizer.argocd.argoproj.io
 spec:
   destination:
     namespace: attic
-    server: 'https://kubernetes.default.svc'
+    server: "https://kubernetes.default.svc"
   sources:
-  - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: HEAD
-    path: values/attic/manifests
+    - repoURL: https://git.oceanbox.io/oceanbox/manifests.git
+      targetRevision: HEAD
+      path: values/attic/manifests
   project: aux
   syncPolicy:
     managedNamespaceMetadata:

values/cilium/env.yaml.gotmpl

@@ -1,6 +1,6 @@
 cilium:
   enabled: false
-  autosync: true
+  autosync: false
   spire:
     enabled: false
   envoy:
@@ -30,4 +30,3 @@ cilium:
   loadbalancerPool:
     enabled: false
     cidr: []
-

values/docs/env-oceanbox.yaml.gotmpl

@@ -1,3 +1,2 @@
-plausible:
+docs:
   enabled: true
-

values/docs/env.yaml.gotmpl

@@ -0,0 +1,4 @@
+docs:
+  enabled: true
+  autosync: {{ if eq .Environment.Name "prod" }} false {{ else }} true {{ end }}
+  env: {{ .Environment.Name }}

values/docs/manifests/docs.yaml

@@ -1,13 +1,19 @@
-{{- if .Values.clusterConfig.argo.enabled }}
+{{ if .Values.clusterConfig.argo.enabled }}
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: plausible-analytics
+  name: {{ .Values.docs.env }}-docs
   namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    argocd.argoproj.io/compare-options: ServerSideDiff=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
 spec:
   destination:
-    namespace: plausible
-    server: 'https://kubernetes.default.svc'
+    namespace: {{ .Values.docs.env }}-docs
+    server: https://kubernetes.default.svc
+  project: default
   sources:
   - repoURL: {{ .Values.clusterConfig.manifests }}
     targetRevision: HEAD
@@ -18,27 +24,16 @@ spec:
       - name: CLUSTER_NAME
         value: {{ .Values.clusterConfig.cluster }}
       - name: HELMFILE_ENVIRONMENT
-        value: default
+        value: {{ .Values.docs.env }}
       - name: HELMFILE_FILE_PATH
-        value: plausible.yaml.gotmpl
-  project: aux
+        value: docs.yaml.gotmpl
   syncPolicy:
-    managedNamespaceMetadata:
-      labels:
-        component: aux
     syncOptions:
       - CreateNamespace=true
       - ApplyOutOfSyncOnly=true
-    {{- if .Values.plausible.autosync }}
+    {{- if .Values.docs.autosync }}
     automated:
       prune: true
-      selfHeal: true
+      selfHeal: false
     {{- end }}
-  ignoreDifferences:
-    - kind: Secret
-      name: plausible-analytics
-      jqPathExpressions:
-        - '.data'
-        - '.metadata.labels'
-        - '.metadata.annotations'
 {{- end }}

values/docs/values/values-prod.yaml

@@ -0,0 +1,25 @@
+replicaCount: 1
+env:
+  - name: APP_VERSION
+    value: "1.5.0"
+  - name: LOG_LEVEL
+    value: "2"
+ingress:
+  enabled: true
+  className: "nginx"
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+    nginx.ingress.kubernetes.io/backend-protocol: HTTP
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    oceanbox.io/expose: internal
+  hosts:
+    - host: docs.oceanbox.io
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls:
+    - hosts:
+        - docs.oceanbox.io
+      secretName: docs-tls

values/docs/values/values-staging.yaml

@@ -0,0 +1,27 @@
+replicaCount: 1
+image:
+  tag: "c172ad11-debug"
+env:
+  - name: APP_VERSION
+    value: "0.0.0-staging"
+  - name: LOG_LEVEL
+    value: "1"
+ingress:
+  enabled: true
+  className: "nginx"
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+    nginx.ingress.kubernetes.io/backend-protocol: HTTP
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    oceanbox.io/expose: internal
+  hosts:
+    - host: docs.dev.oceanbox.io
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls:
+    - hosts:
+        - docs.dev.oceanbox.io
+      secretName: staging-docs-tls

values/env-rossby.yaml

@@ -1,5 +1,5 @@
 clusterConfig:
-  manifests: https://gitlab.com/oceanbox/manifests.git
+  manifests: https://git.oceanbox.io/oceanbox/manifests.git
   cilium:
     enabled: false
   env: "prod"

values/forgejo/values/values.yaml

@@ -1,134 +0,0 @@
-replicaCount: 1
-image:
-  registry: code.forgejo.org
-  repository: forgejo/forgejo
-
-resources:
-  requests:
-    cpu: 200m
-    memory: 512Mi
-
-gitea:
-  metrics:
-    enabled: false
-    serviceMonitor:
-      enabled: false
-  config:
-    APP_NAME: 'Forgejo: With a cup of tea.'
-    cache:
-      ENABLED: true
-      ADAPTER: redis
-      HOST: redis://dragonfly-forgejo.forgejo.svc:6379/0
-    session:
-      PROVIDER: redis
-      PROVIDER_CONFIG: redis://dragonfly-forgejo.forgejo.svc:6379/1
-    queue:
-      TYPE: redis
-      CONN_STR: redis://dragonfly-forgejo.forgejo.svc:6379/2
-    storage:
-      STORAGE_TYPE: minio
-      MINIO_ENDPOINT: hel1.your-objectstorage.com
-      MINIO_USE_SSL: true
-      MINIO_LOCATION: hel1
-      MINIO_BUCKET: obx-forgejo
-    security:
-      INSTALL_LOCK: true
-    service:
-      DISABLE_REGISTRATION: false
-    server:
-      APP_DATA_PATH: "/data/gitea"
-      DOMAIN: git.svc.hel1.obx
-      ROOT_URL: https://git.svc.hel1.obx
-      SSH_DOMAIN: git.svc.hel1.obx
-      SSH_PORT: 22
-      SSH_SERVER_USE_PROXY_PROTOCOL: true
-      LANDING_PAGE: "explore"
-    oauth2_client:
-      ENABLE_AUTO_REGISTRATION: true
-      UPDATE_AVATAR: true
-      ACCOUNT_LINKING: auto
-    database:
-      DB_TYPE: postgres
-      MAX_OPEN_CONNS: 90
-    openid:
-      ENABLE_OPENID_SIGNIN: false
-      ENABLE_OPENID_SIGNUP: false
-  oauth:
-    - name: 'Oceanbox'
-      provider: 'openidConnect'
-      existingSecret: forgejo-oauth-oceanbox
-      autoDiscoverUrl: 'https://login.microsoftonline.com/3f737008-e9a0-4485-9d27-40329d288089/.well-known/openid-configuration'
-      scopes: 'openid profile email groups'
-      groupClaimName: 'groups'
-      adminGroup: '/oceanbox/devel'
-      restrictedGroup: ''
-  additionalConfigFromEnvs:
-    - name: FORGEJO__STORAGE__MINIO_ACCESS_KEY_ID
-      valueFrom:
-        secretKeyRef:
-          name: forgejo-s3
-          key: access_key
-    - name: FORGEJO__STORAGE__MINIO_SECRET_ACCESS_KEY
-      valueFrom:
-        secretKeyRef:
-          name: forgejo-s3
-          key: secret_key
-    - name: FORGEJO__DATABASE__PASSWD
-      valueFrom:
-        secretKeyRef:
-          name: forgejo-db-app
-          key: password
-    - name: FORGEJO__DATABASE__NAME
-      valueFrom:
-        secretKeyRef:
-          name: forgejo-db-app
-          key: dbname
-    - name: FORGEJO__DATABASE__USER
-      valueFrom:
-        secretKeyRef:
-          name: forgejo-db-app
-          key: user
-    - name: FORGEJO__DATABASE__HOST
-      valueFrom:
-        secretKeyRef:
-          name: forgejo-db-app
-          key: host
-    - name: FORGEJO__DATABASE__DB_TYPE
-      value: postgres
-
-ingress:
-  enabled: true
-  className: nginx
-  annotations:
-    cert-manager.io/cluster-issuer: ca-issuer
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/proxy-body-size: "0"
-    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
-    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
-    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24,100.64.0.0/12
-  hosts:
-    - host: git.svc.hel1.obx
-      paths:
-      - backend:
-          service:
-            name: forgejo-http
-            port:
-              number: 3000
-        path: /
-        pathType: ImplementationSpecific
-  tls:
-    - secretName: forgejo-tls
-      hosts:
-        - git.svc.hel1.obx
-
-# service:
-  # ssh:
-    # type: LoadBalancer
-    # port: 22
-    # annotations:
-      # load-balancer.hetzner.cloud/location: hel1
-      # load-balancer.hetzner.cloud/uses-proxyprotocol: 'false'
-
-persistence:
-  enabled: true
-  size: 1Gi

values/gitea/env-hel1.yaml.gotmpl

@@ -1,3 +1,3 @@
-forgejo:
+gitea:
   enabled: true
   backup: true

values/gitea/env.yaml.gotmpl

@@ -1,4 +1,4 @@
-forgejo:
+gitea:
   enabled: false
   backup: false
   autosync: {{ if eq .Environment.Name "prod" }} false {{ else }} true {{ end }}

values/gitea/manifests/backup.yaml

@@ -2,11 +2,11 @@ apiVersion: barmancloud.cnpg.io/v1
 kind: ObjectStore
 metadata:
   name: hel-store
-  namespace: forgejo
+  namespace: gitea
 spec:
   retentionPolicy: "7d"
   configuration:
-    destinationPath: s3://obx-cnpg/hel1/forgejo-db
+    destinationPath: s3://obx-cnpg/hel1/gitea-db
     endpointURL: https://hel1.your-objectstorage.com
     s3Credentials:
       accessKeyId:
@@ -21,13 +21,13 @@ spec:
 apiVersion: postgresql.cnpg.io/v1
 kind: ScheduledBackup
 metadata:
-  name: forgejo-db
-  namespace: forgejo
+  name: gitea-db
+  namespace: gitea
 spec:
   schedule: "0 0 1 * * *"
   backupOwnerReference: self
   cluster:
-    name: forgejo-db
+    name: gitea-db
   method: plugin
   pluginConfiguration:
     name: barman-cloud.cloudnative-pg.io

values/gitea/manifests/database.yaml

@@ -1,11 +1,11 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
-  name: forgejo-db
-  namespace: forgejo
+  name: gitea-db
+  namespace: gitea
 spec:
   instances: 1
-  imageName: ghcr.io/cloudnative-pg/postgresql:18-minimal-trixie
+  imageName: ghcr.io/cloudnative-pg/postgresql:18-system-trixie
   storage:
     resizeInUseVolumes: true
     size: 10Gi

values/gitea/manifests/dragonfly.yaml

@@ -1,8 +1,8 @@
 apiVersion: dragonflydb.io/v1alpha1
 kind: Dragonfly
 metadata:
-  name: dragonfly-forgejo
-  namespace: forgejo
+  name: dragonfly-gitea
+  namespace: gitea
 spec:
   replicas: 1
   resources:

values/gitea/manifests/gitea.yaml

@@ -2,7 +2,7 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: forgejo
+  name: gitea
   namespace: argocd
   annotations:
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
@@ -10,7 +10,7 @@ metadata:
   - resources-finalizer.argocd.argoproj.io
 spec:
   destination:
-    namespace: forgejo
+    namespace: gitea
     server: https://kubernetes.default.svc
   project: sys
   sources:
@@ -23,9 +23,9 @@ spec:
       - name: CLUSTER_NAME
         value: {{ .Values.clusterConfig.cluster }}
       - name: HELMFILE_ENVIRONMENT
-        value: {{ .Values.forgejo.env }}
+        value: {{ .Values.gitea.env }}
       - name: HELMFILE_FILE_PATH
-        value: forgejo.yaml.gotmpl
+        value: gitea.yaml.gotmpl
   syncPolicy:
     managedNamespaceMetadata:
       labels:
@@ -34,7 +34,7 @@ spec:
       - CreateNamespace=true
       - ApplyOutOfSyncOnly=true
       # - ServerSideApply=true
-    {{- if .Values.forgejo.autosync }}
+    {{- if .Values.gitea.autosync }}
     automated:
       prune: true
       # selfHeal: false

values/gitea/manifests/monitoring.yaml

@@ -1,11 +1,11 @@
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
 metadata:
-  name: forgejo-db-monitor
-  namespace: forgejo
+  name: gitea-db-monitor
+  namespace: gitea
 spec:
   selector:
     matchLabels:
-      cnpg.io/cluster: forgejo-db
+      cnpg.io/cluster: gitea-db
   podMetricsEndpoints:
     - port: metrics

values/gitea/values/values.yaml

@@ -0,0 +1,185 @@
+# yaml-language-server: $schema=https://gitea.com/gitea/helm-gitea/src/branch/main/values.yaml
+replicaCount: 1
+image:
+  registry: "docker.gitea.com"
+  repository: gitea
+  tag: "1.25.4"
+
+resources:
+  requests:
+    cpu: 200m
+    memory: 512Mi
+
+strategy:
+  type: Recreate
+  rollingUpdate:
+    maxSurge: "100%"
+    maxUnavailable: 0
+
+gitea:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+  config:
+    APP_NAME: "Gitea: With a cup of tea."
+    admin:
+      existingSecret: gitea-admin-secret
+      email: admin@oceanbox.io
+    metrics:
+      ENABLED: true
+      ENABLED_ISSUE_BY_LABEL: true
+      ENABLED_ISSUE_BY_REPOSITORY: true
+    cache:
+      ENABLED: true
+      ADAPTER: redis
+      HOST: redis://dragonfly-gitea.gitea.svc:6379/0
+      ITEM_TTL: "72h" # increased from default 16h
+    session:
+      COOKIE_SECURE: true
+      PROVIDER: redis
+      PROVIDER_CONFIG: redis://dragonfly-gitea.gitea.svc:6379/1
+      SESSION_LIFE_TIME: "432000" # 5 days
+    queue:
+      TYPE: redis
+      CONN_STR: redis://dragonfly-gitea.gitea.svc:6379/2
+    storage:
+      STORAGE_TYPE: minio
+      MINIO_ENDPOINT: hel1.your-objectstorage.com
+      MINIO_USE_SSL: true
+      MINIO_LOCATION: hel1
+      MINIO_BUCKET: obx-gitea
+    security:
+      INSTALL_LOCK: true
+    service:
+      DISABLE_REGISTRATION: false
+      SHOW_REGISTRATION_BUTTON: true
+      ENABLE_NOTIFY_MAIL: true
+      AUTO_WATCH_NEW_REPOS: false
+    server:
+      APP_DATA_PATH: "/data/gitea"
+      DOMAIN: git.oceanbox.io
+      ROOT_URL: https://git.oceanbox.io
+      SSH_DOMAIN: git.obx
+      SSH_PORT: 22
+      SSH_LISTEN_PORT: 22
+      SSH_SERVER_USE_PROXY_PROTOCOL: true
+      PROXY_PROTOCOL: true
+      LANDING_PAGE: "explore"
+    ui:
+      ONLY_SHOW_RELEVANT_REPOS: true
+    oauth2_client:
+      REGISTER_EMAIL_CONFIRM: false
+      ENABLE_AUTO_REGISTRATION: true
+      ACCOUNT_LINKING: "login"
+      USERNAME: "nickname"
+    mailer:
+      ENABLED: true
+      FROM: "gitea@oceanbox.io"
+      PROTOCOL: "smtp"
+      SMTP_ADDR: "postfix-mail.postfix.svc.cluster.local"
+      SMTP_PORT: 587
+    database:
+      DB_TYPE: postgres
+      MAX_OPEN_CONNS: 90
+    openid:
+      ENABLE_OPENID_SIGNIN: false
+      ENABLE_OPENID_SIGNUP: false
+  oauth:
+    - name: "Oceanbox"
+      provider: "openidConnect"
+      existingSecret: gitea-oauth-oceanbox
+      autoDiscoverUrl: "https://login.microsoftonline.com/3f737008-e9a0-4485-9d27-40329d288089/.well-known/openid-configuration"
+      scopes: "openid profile email groups"
+  additionalConfigFromEnvs:
+    - name: GITEA__STORAGE__MINIO_ACCESS_KEY_ID
+      valueFrom:
+        secretKeyRef:
+          name: gitea-s3
+          key: access_key
+    - name: GITEA__STORAGE__MINIO_SECRET_ACCESS_KEY
+      valueFrom:
+        secretKeyRef:
+          name: gitea-s3
+          key: secret_key
+    - name: GITEA__DATABASE__PASSWD
+      valueFrom:
+        secretKeyRef:
+          name: gitea-db-app
+          key: password
+    - name: GITEA__DATABASE__NAME
+      valueFrom:
+        secretKeyRef:
+          name: gitea-db-app
+          key: dbname
+    - name: GITEA__DATABASE__USER
+      valueFrom:
+        secretKeyRef:
+          name: gitea-db-app
+          key: user
+    - name: GITEA__DATABASE__HOST
+      valueFrom:
+        secretKeyRef:
+          name: gitea-db-app
+          key: host
+    - name: GITEA__DATABASE__DB_TYPE
+      value: postgres
+    - name: GITEA__repository__DEFAULT_PRIVATE
+      value: "true"
+    - name: GITEA__repository__DEFAULT_PUSH_CREATE_PRIVATE
+      value: "true"
+    - name: GITEA__repository__ENABLE_PUSH_CREATE_USER
+      value: "true"
+    - name: GITEA__repository__ENABLE_PUSH_CREATE_ORG
+      value: "true"
+
+ingress:
+  enabled: true
+  className: nginx
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/backend-protocol: HTTP
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24,100.64.0.0/12,185.125.160.4/32,37.27.203.38/32
+  hosts:
+    - host: git.oceanbox.io
+      paths:
+        - backend:
+            service:
+              name: gitea-http
+              port:
+                number: 3000
+          path: /
+          pathType: ImplementationSpecific
+  tls:
+    - secretName: gitea-tls
+      hosts:
+        - git.oceanbox.io
+
+service:
+  ssh:
+    enabled: true
+    type: NodePort
+    nodePort: 30022
+    port: 22
+    externalTrafficPolicy: Local
+
+defaultPodOptions:
+  securityContext:
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true
+    fsGroup: 1000
+    fsGroupChangePolicy: "Always"
+
+postgresql-ha:
+  enabled: false
+valkey-cluster:
+  enabled: false
+
+persistence:
+  enabled: true
+  size: 1Gi

values/headscale/values/values.yaml

@@ -115,6 +115,8 @@ configMaps:
               "isa.rosso@oceanbox.io",
               "jonathan.lilly@oceanbox.io",
               "faith.iha@oceanbox.io",
+              "elianne.ersdal@oceanbox.io",                                                                              │
+              "hanskristian.djuve@oceanbox.io",
             ],
             "group:manager": [
               "svenn.hanssen@oceanbox.io",
@@ -213,9 +215,10 @@ configMaps:
               ],
               "dst": [
                  "tag:mumindalen:*",
+                 "tag:hel1:*",
                  "tag:hpc:22,80,443",
                  "dc.tos.net:22,80,443",
-                 "dc.hel1.net:443",
+                 "dc.hel1.net:22,443",
               ]
             },
             {
@@ -264,6 +267,7 @@ configMaps:
            { "name": "codex.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
 
            { "name": "auth.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+           { "name": "docs.oceanbox.io", "type": "A", "value": "10.255.241.11" },
            { "name": "auth.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
            { "name": "keycloak.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
            { "name": "grafana.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
@@ -281,6 +285,7 @@ configMaps:
            { "name": "cache.srv.oceanbox.io", "type": "A", "value": "10.255.241.11" },
            { "name": "makai.srv.oceanbox.io", "type": "A", "value": "10.255.241.11" },
            { "name": "makai.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+           { "name": "docs.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
 
            { "name": "slurm.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
            { "name": "slurm-gateway.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
@@ -295,6 +300,9 @@ configMaps:
            { "name": "plume.data.oceanbox.io", "type": "A", "value": "10.255.241.99" },
            { "name": "slurm-agent.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
 
+           { "name": "git.obx", "type": "A", "value": "10.0.1.9" },
+           { "name": "git.oceanbox.io", "type": "A", "value": "10.0.1.3" },
+
            { "name": "kueue.dev.tos.obx", "type": "A", "value": "10.255.241.99" },
 
            { "name": "slurm-agent.rossby.oceanbox.io", "type": "A", "value": "172.16.239.222" },

values/kueue/values/values.yaml

@@ -13,7 +13,7 @@ controllerManager:
           - batch/job
           - jobset.x-k8s.io/jobset
       internalCertManagement:
-        enable: true
+        enable: false
 enableCertManager: false
 enablePrometheus: true
 metrics:

values/makai/values/values-staging.yaml

@@ -1,6 +1,6 @@
 replicaCount: 1
 image:
-  tag: "ce1340fa-debug"
+  tag: "436608af-debug"
 env:
   - name: APP_VERSION
     value: "0.0.0-staging"

values/ncps/manifests/.gitkeep

@@ -1 +0,0 @@
-

values/nexus/env-oceanbox.yaml.gotmpl

@@ -1,3 +0,0 @@
-nexus:
- enabled: true
- autosync: true

values/nexus/env.yaml.gotmpl

@@ -1,3 +0,0 @@
-nexus:
- enabled: false
- autosync: false

values/nexus/manifests/admin-secret.yaml

@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: nexus-admin-password
-  namespace: nexus
-type: Opaque
-stringData:
-  password: "changeme-admin-password-here"

values/nexus/values/nexus.yaml.gotmpl

@@ -1,60 +0,0 @@
-image:
-  tag: 3.74.0
-
-ingress:
-  enabled: true
-  ingressClassName: nginx
-  hosts:
-    - host: mochi.tos.oceanbox.io
-      paths:
-        - path: /
-          pathType: Prefix
-  tls:
-    - secretName: nexus-tls
-      hosts:
-        - mochi.tos.oceanbox.io
-
-persistence:
-  enabled: true
-  storageClass: "ceph-rbd"
-  size: 8Gi
-
-env:
-  - name: INSTALL4J_ADD_VM_PARAMS
-    value: "-Xms1024m -Xmx1024m -XX:MaxDirectMemorySize=1024m -Djava.util.prefs.userRoot=/nexus-data/javaprefs"
-
-resources:
-  requests:
-    cpu: 200m
-    memory: 1Gi
-  limits:
-    memory: 1Gi
-
-config:
-  enabled: true
-  data:
-    nexus.properties: |
-      nexus.s3.blobstore.enabled=true
-  rootPassword:
-    secret: nexus-admin-password
-    key: password
-
-serviceAccount:
-  create: true
-
-additionalConfigMaps:
-  - name: nexus-s3-config
-    data:
-      s3-blobstore.json: |
-        {
-          "name": "s3-nuget",
-          "type": "S3",
-          "attributes": {
-            "s3": {
-              "bucket": "nexus-nuget-registry",
-              "region": "us-east-1",
-              "prefix": "nuget/",
-              "expiration": -1
-            }
-          }
-        }

values/plausible/env.yaml.gotmpl

@@ -1,4 +0,0 @@
-plausible:
-  enabled: false
-  autosync: false
-

values/plausible/manifests/cnpg.yaml

@@ -1,13 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: plausible-db
-  namespace: plausible
-spec:
-  imageName: ghcr.io/cloudnative-pg/postgresql:16.3
-  primaryUpdateStrategy: unsupervised
-  instances: 1
-  monitoring:
-    enablePodMonitor: true
-  storage:
-    size: 10Gi

values/plausible/manifests/network/CiliumNetworkPolicy-allow-ext.yaml

@@ -1,16 +0,0 @@
-{{- if .Values.clusterConfig.cilium.enabled }}
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-plausible-secure-external
-  namespace: plausible
-spec:
-  description: Allow Plausible External
-  egress:
-    - toFQDNs:
-        - matchName: data.iana.org
-        - matchName: raw.githubusercontent.com
-  endpointSelector:
-    matchLabels:
-      app.kubernetes.io/name: plausible-analytics
-{{- end }}

values/plausible/manifests/network/CiliumNetworkPolicy-allow-gravatar.yaml

@@ -1,17 +0,0 @@
-{{- if .Values.clusterConfig.cilium.enabled }}
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-plausible-secure-gravatar
-  namespace: plausible
-spec:
-  description: Allow Plausible Gravatar
-  egress:
-    - toFQDNs:
-        - matchName: secure.gravatar.com
-        - matchName: gravatar.com
-        - matchName: www.gravatar.com
-  endpointSelector:
-    matchLabels:
-      app.kubernetes.io/name: plausible-analytics
-{{- end }}

values/plausible/values/values.yaml

@@ -1,26 +0,0 @@
-baseURL: https://plausible.adm.oceanbox.io
-databaseURL: postgres://app:password@plausible-db-rw:5432/app
-clickhouse:
-  resources:
-    requests:
-      cpu: 500m
-      ephemeral-storage: 50Mi
-      memory: 512Mi
-postgresql:
-  enabled: false
-ingress:
-  enabled: true
-  ingressClassName: nginx
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
-    oceanbox.io/expose: internal
-  hosts:
-    - plausible.adm.oceanbox.io
-  paths:
-  - /
-  pathType: ImplementationSpecific
-  tls:
-  - secretName: plausible-tls
-    hosts:
-    - plausible.adm.oceanbox.io

values/postfix/env-hel1.yaml.gotmpl

@@ -0,0 +1,2 @@
+postfix:
+  enabled: true

values/postfix/env.yaml.gotmpl

@@ -0,0 +1,4 @@
+postfix:
+  enabled: false
+  autosync: {{ if eq .Environment.Name "prod" }} false {{ else }} true {{ end }}
+  env: {{ .Environment.Name }}

values/postfix/manifests/postfix.yaml

@@ -2,12 +2,17 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: nexus
+  name: postfix
   namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
 spec:
   destination:
-    namespace: nexus
-    server: 'https://kubernetes.default.svc'
+    namespace: postfix
+    server: https://kubernetes.default.svc
+  project: sys
   sources:
   - repoURL: {{ .Values.clusterConfig.manifests }}
     targetRevision: HEAD
@@ -18,10 +23,9 @@ spec:
       - name: CLUSTER_NAME
         value: {{ .Values.clusterConfig.cluster }}
       - name: HELMFILE_ENVIRONMENT
-        value: default
+        value: {{ .Values.postfix.env }}
       - name: HELMFILE_FILE_PATH
-        value: nexus.yaml.gotmpl
-  project: sys
+        value: postfix.yaml.gotmpl
   syncPolicy:
     managedNamespaceMetadata:
       labels:
@@ -29,9 +33,10 @@ spec:
     syncOptions:
       - CreateNamespace=true
       - ApplyOutOfSyncOnly=true
-      - ServerSideApply=true
-    {{- if .Values.nexus.autosync }}
+      # - ServerSideApply=true
+    {{- if .Values.postfix.autosync }}
     automated:
       prune: true
+      # selfHeal: false
     {{- end }}
 {{- end }}

values/postfix/values/values.yaml

@@ -0,0 +1,48 @@
+# https://github.com/bokysan/docker-postfix/blob/master/helm/mail/values.yaml
+service:
+  type: ClusterIP
+  port: 587
+
+# We don't attach a PVC, meaning messages may get lost when the pod is restarted,
+# but that's okay for us.
+persistence:
+  enabled: false
+
+recreateOnRedeploy: false
+
+container:
+  postfix:
+    securityContext:
+      privileged: false
+      allowPrivilegeEscalation: false
+
+readinessProbe:
+  periodSeconds: 60
+livenessProbe:
+  periodSeconds: 60
+
+config:
+  general:
+    TZ: "UTC"
+    LOG_FORMAT: "json"
+    ALLOW_EMPTY_SENDER_DOMAINS: "true"
+    ALLOWED_SENDER_DOMAINS: "oceanbox.io"
+    RELAYHOST: "[smtp.office365.com]:587"
+    RELAYHOST_USERNAME: "gitea@oceanbox.io"
+    XOAUTH2_CLIENT_ID: "00c73c4a-1ad5-477d-b773-d5d63986061e"
+    XOAUTH2_SECRET: "3E18Q~ONNftFcCmHIHZmPbLtVqwLDBSCwI9hGagV"
+    XOAUTH2_TOKEN_ENDPOINT: https://login.microsoftonline.com/3f737008-e9a0-4485-9d27-40329d288089/oauth2/v2.0/token
+    # XOAUTH2_INITIAL_ACCESS_TOKEN: ""
+    # XOAUTH2_INITIAL_REFRESH_TOKEN: ""
+    XOAUTH2_SYSLOG_ON_FAILURE: "no"
+    XOAUTH2_FULL_TRACE: "no"
+  postfix:
+    smtp_tls_security_level: "encrypt"
+
+resources:
+  limits:
+    cpu: 200m
+    memory: 200Mi
+  requests:
+    cpu: 50m
+    memory: 50Mi

values/rabbitmq/values/values-prod.yaml

@@ -34,8 +34,8 @@ ingress:
 resources:
   limits:
     ephemeral-storage: 1Gi
-    memory: 512Mi
+    memory: 2Gi
   requests:
     cpu: 250m
     ephemeral-storage: 50Mi
-    memory: 512Mi
+    memory: 2Gi

values/wordpress/values.yaml

@@ -1,95 +0,0 @@
-wordpressUsername: admin
-wordpressPassword: "identify stimulus whacky unluckily"
-existingSecret: ""
-wordpressEmail: info@oceanbox.io
-wordpressFirstName: Svenn
-wordpressLastName: Hanssen
-wordpressBlogName: Oceanbox.io
-wordpressScheme: https
-wordpressSkipInstall: false # NOTE: useful if you use an external database that already contains WordPress data
-smtpHost: smtpgw.itpartner.no
-smtpPort: 465
-smtpUser: utvikling
-smtpPassword: S0m3rp0m@de#21!
-smtpProtocol: ssl
-smtpExistingSecret: ""
-allowEmptyPassword: true
-
-multisite:
-  enable: false
-  host: ""
-  networkType: subdomain
-  enableNipIoRedirect: false
-
-replicaCount: 1
-resources:
-  limits: {}
-  requests:
-    memory: 512Mi
-    cpu: 300m
-containerPorts:
-  http: 8080
-  https: 8443
-
-service:
-  type: LoadBalancer
-  ports:
-    http: 80
-    https: 443
-  httpsTargetPort: https
-  nodePorts:
-    http: ""
-    https: ""
-
-ingress:
-  enabled: true
-  pathType: ImplementationSpecific
-  apiVersion: ""
-  ingressClassName: ""
-  hostname: oceanbox.io
-  path: /
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-    kubernetes.io/ingress.class: nginx
-    nginx.ingress.kubernetes.io/backend-protocol: HTTP
-    nginx.ingress.kubernetes.io/proxy-body-size: 1024m
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
-  tls: false
-  selfSigned: false
-  extraHosts:
-    - name: www.oceanbox.io
-      path: /
-    - name: wp.oceanbox.io
-      path: /
-  extraPaths: []
-  extraTls:
-    - hosts:
-      - oceanbox.io
-      - www.oceanbox.io
-      - wp.oceanbox.io
-      secretName: oceanbox-tls
-
-persistence:
-  enabled: true
-  storageClass: ""
-  accessModes:
-    - ReadWriteOnce
-  accessMode: ReadWriteOnce
-  size: 10Gi
-  existingClaim: ""
-
-mariadb:
-  enabled: true
-  architecture: standalone
-  auth:
-    rootPassword: ""
-    database: bitnami_wordpress
-    username: bn_wordpress
-    password: ""
-  primary:
-    persistence:
-      enabled: true
-      storageClass: ""
-      accessModes:
-        - ReadWriteOnce
-      size: 8Gi

vcluster/.envrc

@@ -1,9 +0,0 @@
-#!/usr/bin/env bash
-# the shebang is ignored, but nice for editors
-
-if type -P lorri &>/dev/null; then
-  eval "$(lorri direnv)"
-else
-  echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
-  use nix
-fi

vcluster/.gitignore

@@ -1,2 +0,0 @@
-~
-_*

vcluster/README.md

@@ -1,7 +0,0 @@
-# Oceanbox k8s vcluster setup
-
-The script `./create-vcluster.sh` provisions a personal vcluster on a Kubernetes cluster, for usage
-with Tilt. It also automatically provisions a local `Dapr` installation on the cluster, and sets up a
-CNPG psql database cluster on the host system, and tunnels it to the vcluster for Archmeister. In
-addition, it sets up an ingress and a kubeconfig.yaml for convenient access, if `vcluster connect` isn't
-available.

vcluster/create-vcluster.sh

@@ -1,69 +0,0 @@
-#!/usr/bin/env bash
-
-if [ ! $# -ge 1 ]; then
-    echo "usage: $0 cluster [helm args]"
-    exit 1
-fi
-
-k='kubectl --context oceanbox'
-
-name=$1
-ns=$name-vcluster
-shift
-
-yq ".clusters[]|select(.name|contains(\"$name-vcluster\")).name" ~/.kube/config | grep -q "$name"
-
-if [ $? = 0 ]; then
-    $k get ns $ns >/dev/null 2>&1 || $k create ns $ns
-    # helm template -n $ns $@ $name oceanbox/atlantis-vcluster | $k apply -f -
-    helm template -n $ns $@ $name ../charts/vcluster | $k apply -f -
-
-    echo "waiting for vcluster $name to appear... "
-    while true; do
-        $k wait -n $ns --for=condition=ready pod -l app=vcluster 2>&1 > /dev/null
-        if [ $? != 0 ]; then
-            echo "zzz..."
-            sleep 15
-        else
-            break
-        fi
-    done
-    vcluster connect $name-vcluster -- kubectl -n dapr-system wait pod --for=condition=ready -l app=dapr-operator
-    echo "wating 20s for Dapr..."
-    sleep 20
-    tmp=/tmp/$name-vlcuster.tmp$$
-    kubectl kustomize ../resources/atlantis/manifests/staging > $tmp
-    vcluster connect $name-vcluster -- kubectl apply -f $tmp
-    rm $tmp
-else
-    cat << EOF
-***
-*** $name-vcluster must be defined in ~/.kube/config
-***
-clusters:
-- cluster:
-    insecure-skip-tls-verify: true
-    server: https://$name-vcluster.beta.oceanbox.io
-  name: $name-vcluster
-contexts:
-- context:
-    cluster: $name-vcluster
-    namespace: atlantis
-    user: oidc
-  name: $name-vcluster
-users:
-- name: oidc
-  user:
-    exec:
-      apiVersion: client.authentication.k8s.io/v1beta1
-      args:
-      - oidc-login
-      - get-token
-      - --oidc-issuer-url=https://login.microsoftonline.com/3f737008-e9a0-4485-9d27-40329d288089/v2.0
-      - --oidc-client-id=9b6daef0-02fa-4574-8949-f7c1b5fccd15
-      - --oidc-client-secret=[redacted]
-      command: kubectl
-EOF
-fi
-
-

vcluster/install-staging-vcluster.sh

@@ -1,3 +0,0 @@
-#!/bin/sh
-
-./create-vcluster.sh staging --set persistence=true

vcluster/oidc-cluster-admin.yaml

@@ -1,12 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: oidc-cluster-admin
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-- kind: Group
-  name: eb17a659-4ce6-41bc-9153-d9b117c44479
-

vcluster/scripts/update-argo-cluster-connection-token.sh

@@ -1,22 +0,0 @@
-#!/usr/bin/env bash
-#
-
-if [ ! $# -ge 1 ]; then
-    echo "usage: $0 cluster [helm args]"
-    exit 1
-fi
-
-if [ ! -f create-vcluster.sh ]; then
-    echo "error: must be run from toplevel directory"
-    exit 1
-fi
-
-k='kubectl --context oceanbox'
-
-name=$1
-cluster=$name-vcluster
-shift
-
-token=$(kubectl get secret --context $cluster -n kube-system admin-token -o json | jq .data.token | tr -d '"' | base64 -d)
-config=$(echo "{\"bearerToken\": \"$token\", \"tlsClientConfig\": { \"insecure\" : true }}" | base64 -w0)
-$k patch -n argocd secret cluster-$cluster -p "{\"data\":{\"config\":\"$config\"}}"

vcluster/scripts/update-kubeconfig.sh

@@ -1,10 +0,0 @@
-#!/bin/sh
-
-vcluster connect $1-vcluster -n $1-vcluster \
-    --context oceanbox \
-    --update-current=true \
-    --kube-config-context-name $1-vcluster \
-    --insecure --cluster-role cluster-admin \
-    --service-account kube-system/admin \
-    --server https://$1-vcluster.beta.oceanbox.io
-

vcluster/shell.nix

@@ -1,9 +0,0 @@
-with import <nixpkgs> {};
-mkShell rec {
-  nativeBuildInputs = [
-    dapr-cli
-    vcluster
-  ];
-
-  shellHook = '' '';
-}