From 2abe1a601d8e20a3d5200ce49305ec3bb822cd1c Mon Sep 17 00:00:00 2001
From: Stephan D
Date: Wed, 5 Nov 2025 13:50:51 +0100
Subject: [PATCH] initial infra commit
---
 infra/gitea/docker-compose.yml | 159 +++++++++++++++++++++++++++++++++
 1 file changed, 159 insertions(+)
 create mode 100644 infra/gitea/docker-compose.yml
diff --git a/infra/gitea/docker-compose.yml b/infra/gitea/docker-compose.yml
new file mode 100644
index 0000000..43dd8d2
--- /dev/null
+++ b/infra/gitea/docker-compose.yml
@@ -0,0 +1,159 @@
+networks:
+ cicd:
+ external: true
+
+volumes:
+ gitea_data:
+ gitea_db:
+ vault_gitea_secrets:
+ driver: local
+ driver_opts:
+ type: tmpfs
+ device: tmpfs
+ o: size=16m,uid=1000,gid=1000,mode=0700
+
+secrets:
+ gitea_vault_role_id:
+ external: true
+ gitea_vault_secret_id:
+ external: true
+
+services:
+ # --- Vault Agent for Gitea ---
+ vault-agent-gitea:
+ image: hashicorp/vault:latest
+ networks: [cicd]
+ cap_add: ["IPC_LOCK"]
+ environment:
+ VAULT_ADDR: "http://vault:8200"
+ secrets:
+ - source: gitea_vault_role_id
+ target: /vault/secrets/role_id
+ - source: gitea_vault_secret_id
+ target: /vault/secrets/secret_id
+ volumes:
+ - ./vault:/etc/vault:ro
+ - vault_gitea_secrets:/vault/secrets:rw
+ command: >
+ sh -lc 'vault agent -config=/etc/vault/agent.hcl'
+ deploy:
+ placement:
+ constraints: [node.role == manager]
+ restart_policy:
+ condition: on-failure
+ healthcheck:
+ test: ["CMD-SHELL",
+ "test -s /vault/secrets/minio_access_key -a -s /vault/secrets/minio_secret_key -a -s /vault/secrets/gitea_db_pass" ]
+ interval: 10s
+ timeout: 3s
+ retries: 12
+ start_period: 5s
+
+ # --- PostgreSQL Database for Gitea ---
+ gitea-db:
+ image: postgres:18
+ networks: [cicd]
+ environment:
+ - POSTGRES_USER=gitea
+ - POSTGRES_DB=gitea
+ - POSTGRES_PASSWORD_FILE=/vault/secrets/gitea_db_pass
+ volumes:
+ - gitea_db:/var/lib/postgresql
+ - vault_gitea_secrets:/vault/secrets:ro
+ deploy:
+ placement:
+ constraints: [node.role == manager]
+ restart_policy:
+ condition: on-failure
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U gitea -d gitea -h 127.0.0.1"]
+ interval: 10s
+ timeout: 3s
+ retries: 12
+ start_period: 10s
+
+ # --- Gitea Service ---
+ gitea:
+ image: gitea/gitea:latest
+ networks: [cicd]
+ depends_on:
+ - gitea-db
+ - vault-agent-gitea
+ volumes:
+ - gitea_data:/data
+ - vault_gitea_secrets:/vault/secrets:ro
+ environment:
+ ## Database
+ - GITEA__database__DB_TYPE=postgres
+ - GITEA__database__HOST=gitea-db:5432
+ - GITEA__database__USER=gitea
+ - GITEA__database__PASSWD__FILE=/vault/secrets/gitea_db_pass
+ - GITEA__database__NAME=gitea
+
+ ## Server
+ - GITEA__server__LFS_START_SERVER=true
+ - GITEA__server__DOMAIN=git.sendico.io
+ - GITEA__server__ROOT_URL=https://git.sendico.io/
+ - GITEA__server__SSH_DOMAIN=git.sendico.io
+ - GITEA__server__SSH_PORT=222
+ - GITEA__security__INSTALL_LOCK=true
+
+ ## --- MinIO storage configuration ---
+
+ # Main storage (репозитории, wiki, аватары)
+ - GITEA__storage__STORAGE_TYPE=minio
+ - GITEA__storage__MINIO_ENDPOINT=s3.sendico.io
+ - GITEA__storage__MINIO_BUCKET=gitea-data
+ - GITEA__storage__MINIO_USE_SSL=true
+ - GITEA__storage__MINIO_BUCKET_LOOKUP_TYPE=path
+ - GITEA__storage__MINIO_ACCESS_KEY_ID__FILE=/vault/secrets/minio_access_key
+ - GITEA__storage__MINIO_SECRET_ACCESS_KEY__FILE=/vault/secrets/minio_secret_key
+
+ # Attachments (issues, wiki)
+ - GITEA__attachments__STORAGE_TYPE=minio
+ - GITEA__attachments__MINIO_ENDPOINT=s3.sendico.io
+ - GITEA__attachments__MINIO_BUCKET=gitea-attachments
+ - GITEA__attachments__MINIO_USE_SSL=true
+ - GITEA__attachments__MINIO_BUCKET_LOOKUP_TYPE=path
+ - GITEA__attachments__MINIO_ACCESS_KEY_ID__FILE=/vault/secrets/minio_access_key
+ - GITEA__attachments__MINIO_SECRET_ACCESS_KEY__FILE=/vault/secrets/minio_secret_key
+
+ # LFS (Large File Storage)
+ - GITEA__lfs__STORAGE_TYPE=minio
+ - GITEA__lfs__MINIO_ENDPOINT=s3.sendico.io
+ - GITEA__lfs__MINIO_BUCKET=gitea-lfs
+ - GITEA__lfs__MINIO_USE_SSL=true
+ - GITEA__lfs__MINIO_BUCKET_LOOKUP_TYPE=path
+ - GITEA__lfs__MINIO_ACCESS_KEY_ID__FILE=/vault/secrets/minio_access_key
+ - GITEA__lfs__MINIO_SECRET_ACCESS_KEY__FILE=/vault/secrets/minio_secret_key
+
+ ## Mail
+ - GITEA__mailer__ENABLED=true
+ - GITEA__mailer__FROM="Gitea "
+ - GITEA__mailer__PROTOCOL=smtp
+ - GITEA__mailer__SMTP_ADDR=mail.sendico.io
+ - GITEA__mailer__SMTP_PORT=587
+ - GITEA__mailer__USER__FILE=/vault/secrets/mail_account
+ - GITEA__mailer__PASSWD__FILE=/vault/secrets/mail_secret
+ - GITEA__mailer__USE_TLS=true
+
+ deploy:
+ placement:
+ constraints: [node.role == manager]
+ restart_policy:
+ condition: on-failure
+ labels:
+ traefik.enable: "true"
+ traefik.docker.network: "cicd"
+ traefik.http.routers.gitea.rule: "Host(`git.sendico.io`)"
+ traefik.http.routers.gitea.entrypoints: "websecure"
+ traefik.http.routers.gitea.tls: "true"
+ traefik.http.routers.gitea.tls.certresolver: "letsencrypt"
+ traefik.http.services.gitea.loadbalancer.server.port: "3000"
+ healthcheck:
+ test: ["CMD-SHELL",
+ "test -s /vault/secrets/minio_access_key -a -s /vault/secrets/minio_secret_key -a -s /vault/secrets/gitea_db_pass && wget -q --spider http://127.0.0.1:3000/ || exit 1" ]
+ interval: 10s
+ timeout: 3s
+ retries: 12
+ start_period: 30s
\ No newline at end of file
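Review bot: The Vault Agent in vault-agent-gitea talks to Vault over plain HTTP (`VAULT_ADDR: "http://vault:8200"`), so the role_id/secret_id it presents and the database, MinIO and mail credentials it writes to the tmpfs all cross the external `cicd` overlay in cleartext unless that network was created with encryption, which this file cannot guarantee; serve Vault over TLS and set `VAULT_ADDR: "https://vault:8200"` plus `VAULT_CACERT: /etc/vault/<ca-file-placeholder>` under the already-mounted `./vault:/etc/vault:ro`. Separately, `hashicorp/vault:latest` and `gitea/gitea:latest` are unpinned, so each redeploy pulls whatever is current for containers that hold live credentials; pin a version tag and preferably an `@sha256:` digest (the floating `postgres:18` major tag deserves the same treatment). The shared tmpfs is mounted with `uid=1000,gid=1000,mode=0700`, which only a process running as uid 1000 can traverse, and the official postgres image drops to its own non-root user before reading `POSTGRES_PASSWORD_FILE`, so gitea-db likely cannot open `/vault/secrets/gitea_db_pass` — verify the effective uid of each consumer, or use a shared gid with `mode=0750`. Note that `depends_on` is ignored when a stack is deployed with `deploy:` under Swarm, so start ordering rests entirely on the restart policies and the secret-file healthchecks, which is workable but worth a comment above `depends_on:`. Finally, in list-form `environment` the quotes in `GITEA__mailer__FROM="Gitea "` are passed literally to Gitea, and the address part appears to have been lost in rendering, so confirm the value Gitea actually receives.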