feat: enable external access to gitea (#344)

- add git.unkin.net to certbot - export haproxy resources for gitea - add be_gitea to haproxy, import the certbot cert - update the ROOT_URL for gitea instances Reviewed-on: #344
2025-07-06 13:47:56 +10:00 · 2025-07-06 13:47:56 +10:00 · 0063f68bc6
commit 0063f68bc6
parent 372d99893a
4 changed files with 53 additions and 2 deletions
--- a/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml
+++ b/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml
@ -7,6 +7,7 @@ profiles::haproxy::dns::vrrp_cnames:
  - readarr.main.unkin.net
  - prowlarr.main.unkin.net
  - nzbget.main.unkin.net
+  - git.unkin.net

 profiles::haproxy::mappings:
  fe_http:
@ -22,6 +23,7 @@ profiles::haproxy::mappings:
      - 'nzbget.main.unkin.net be_nzbget'
      - 'jellyfin.main.unkin.net be_jellyfin'
      - 'fafflix.unkin.net be_jellyfin'
+      - 'git.unkin.net be_gitea'
  fe_https:
    ensure: present
    mappings:
@ -35,6 +37,7 @@ profiles::haproxy::mappings:
      - 'nzbget.main.unkin.net be_nzbget'
      - 'jellyfin.main.unkin.net be_jellyfin'
      - 'fafflix.unkin.net be_jellyfin'
+      - 'git.unkin.net be_gitea'

 profiles::haproxy::frontends:
  fe_http:
@ -53,6 +56,7 @@ profiles::haproxy::frontends:
        - 'acl_nzbget req.hdr(host) -i nzbget.main.unkin.net'
        - 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
        - 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
+        - 'acl_gitea req.hdr(host) -i git.unkin.net'
        - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
      use_backend:
        - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
@ -68,6 +72,7 @@ profiles::haproxy::frontends:
        - 'set-header X-Frame-Options DENY if acl_nzbget'
        - 'set-header X-Frame-Options DENY if acl_jellyfin'
        - 'set-header X-Frame-Options DENY if acl_fafflix'
+        - 'set-header X-Frame-Options DENY if acl_gitea'
        - 'set-header X-Content-Type-Options nosniff'
        - 'set-header X-XSS-Protection 1;mode=block'

@ -215,6 +220,22 @@ profiles::haproxy::backends:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
+  be_gitea:
+    description: Backend for gitea cluster
+    collect_exported: false # handled in custom function
+    options:
+      balance: roundrobin
+      option:
+        - httpchk GET /
+        - forwardfor
+        - http-keep-alive
+        - prefer-last-server
+      cookie: SRVNAME insert indirect nocache
+      http-reuse: always
+      http-request:
+        - set-header X-Forwarded-Port %[dst_port]
+        - add-header X-Forwarded-Proto https if { dst_port 443 }
+      redirect: 'scheme https if !{ ssl_fc }'

 profiles::haproxy::certlist::enabled: true
 profiles::haproxy::certlist::certificates:
@ -227,6 +248,7 @@ profiles::haproxy::certlist::certificates:
  - /etc/pki/tls/letsencrypt/prowlarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/nzbget.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
+  - /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/vault/certificate.pem

 # additional altnames
@ -252,3 +274,4 @@ certbot::client::domains:
  - prowlarr.main.unkin.net
  - nzbget.main.unkin.net
  - fafflix.unkin.net
+  - git.unkin.net
--- a/hieradata/roles/infra/git/server.yaml
+++ b/hieradata/roles/infra/git/server.yaml
@ -3,6 +3,7 @@ hiera_include:
  - profiles::sql::postgresdb
  - profiles::nginx::simpleproxy
  - profiles::gitea::user
+  - profiles::gitea::haproxy
  - gitea

 # additional altnames
@ -70,10 +71,15 @@ profiles::nginx::simpleproxy::proxy_port: 3000
 profiles::nginx::simpleproxy::proxy_path: '/'
 nginx::client_max_body_size: 1024M

+# enable external access via haproxy
+profiles::gitea::haproxy::enable: true
+
+# manage a pgsql database + user
 profiles::sql::postgresdb::cluster_name: "patroni-shared-%{facts.environment}"
 profiles::sql::postgresdb::dbname: gitea
 profiles::sql::postgresdb::dbuser: gitea

+# deploy gitea
 gitea::ensure: '1.22.4'
 gitea::checksum: 'd549104f55067e6fb156e7ba060c9af488f36e12d5e747db7563fcc99eaf8532'
 gitea::manage_user: false
@ -96,11 +102,11 @@ gitea::custom_configuration:
  server:
    PROTOCOL: 'http'
    DOMAIN: 'git.unkin.net'
-    ROOT_URL: 'https://git.query.consul'
+    ROOT_URL: 'https://git.unkin.net'
    HTTP_ADDR: '0.0.0.0'
    HTTP_PORT: 3000
    START_SSH_SERVER: false
-    SSH_DOMAIN: 'git.query.consul'
+    SSH_DOMAIN: 'git.unkin.net'
    SSH_PORT: 2222
    SSH_LISTEN_HOST: '0.0.0.0'
    OFFLINE_MODE: true
--- a/hieradata/roles/infra/pki/certbot.yaml
+++ b/hieradata/roles/infra/pki/certbot.yaml
@ -13,3 +13,4 @@ certbot::domains:
  - prowlarr.main.unkin.net
  - nzbget.main.unkin.net
  - fafflix.unkin.net
+  - git.unkin.net
--- a/site/profiles/manifests/gitea/haproxy.pp
+++ b/site/profiles/manifests/gitea/haproxy.pp
@ -0,0 +1,21 @@
+# enable external access via haproxy
+class profiles::gitea::haproxy (
+  Boolean $enable = false,
+){
+
+  # export haproxy balancemember
+  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_443":
+    service => 'be_gitea',
+    ports   => [443],
+    options => [
+      "cookie ${facts['networking']['hostname']}",
+      'ssl',
+      'verify none',
+      'check',
+      'inter 2s',
+      'rise 3',
+      'fall 2',
+    ]
+  }
+
+}