apiVersion: apps/v1 kind: Deployment metadata: name: forgejo namespace: ai spec: replicas: 1 strategy: type: Recreate # PVC RWO : pas de deux pods qui montent /data en parallèle selector: matchLabels: app: forgejo template: metadata: labels: app: forgejo spec: containers: - name: forgejo image: codeberg.org/forgejo/forgejo:11 ports: - containerPort: 3000 name: http env: # --- Base PostgreSQL sur storage-01 (hors cluster), pattern Ghostfolio/n8n --- - name: FORGEJO__database__DB_TYPE value: "postgres" - name: FORGEJO__database__HOST value: "192.168.10.1:5432" - name: FORGEJO__database__NAME value: "forgejo" - name: FORGEJO__database__USER value: "forgejo" - name: FORGEJO__database__PASSWD valueFrom: secretKeyRef: name: forgejo-secret key: pg-password # --- Serveur : URL canonique = domaine HTTPS (split-horizon dnsmasq en LAN) --- - name: FORGEJO__server__DOMAIN value: "git.funklab.online" - name: FORGEJO__server__ROOT_URL value: "https://git.funklab.online/" - name: FORGEJO__server__HTTP_PORT value: "3000" # Pas de git-over-SSH : miroir + consultation en HTTPS uniquement (aucun # port 22 supplémentaire exposé). Le clone/pull passe par HTTPS. - name: FORGEJO__server__DISABLE_SSH value: "true" # --- Service : SSO uniquement. DISABLE_REGISTRATION doit rester false, sinon # il bloque AUSSI l'auto-provisioning OIDC ("inscriptions désactivées"). # ALLOW_ONLY_EXTERNAL_REGISTRATION=true masque le formulaire local et # n'autorise la création de compte QUE via Authentik (1er login OIDC). --- - name: FORGEJO__service__DISABLE_REGISTRATION value: "false" - name: FORGEJO__service__ALLOW_ONLY_EXTERNAL_REGISTRATION value: "true" - name: FORGEJO__service__ENABLE_BASIC_AUTHENTICATION value: "true" # clone HTTPS avec token perso # --- Sécurité : install déjà verrouillée (config par env), clé stable --- - name: FORGEJO__security__INSTALL_LOCK value: "true" - name: FORGEJO__security__SECRET_KEY valueFrom: secretKeyRef: name: forgejo-secret key: secret-key # Miroir : ne tire que depuis GitHub. La migration appelle plusieurs hôtes : # api.github.com (issues/releases), codeload.github.com (archives) et # objects.githubusercontent.com (assets de release) — sinon # « migration can only call allowed HTTP servers ... deny ». - name: FORGEJO__migrations__ALLOWED_DOMAINS value: "github.com,*.github.com,*.githubusercontent.com" - name: USER_UID value: "1000" - name: USER_GID value: "1000" - name: TZ value: "Europe/Paris" volumeMounts: - name: data mountPath: /data resources: requests: cpu: 100m memory: 256Mi limits: cpu: "1000m" memory: 768Mi readinessProbe: httpGet: path: /api/healthz port: 3000 initialDelaySeconds: 20 periodSeconds: 15 livenessProbe: httpGet: path: /api/healthz port: 3000 initialDelaySeconds: 60 periodSeconds: 30 volumes: - name: data persistentVolumeClaim: claimName: forgejo-data