traPtitech · uni-kakurenbo · Sep 24, 2025 · Jan 6, 2026 · Mar 25, 2026 · Mar 25, 2026
diff --git a/gitea-dev/certificate.yaml b/gitea-dev/certificate.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gitea
+
+spec:
+  issuerRef:
+    kind: ClusterIssuer
+    name: dns-cluster-issuer
+  secretName: gitea-tls
+  duration: 2160h0m0s # 90d
+  renewBefore: 720h0m0s # 30d
+  dnsNames:
+    - git-dev.trapti.tech
diff --git a/gitea-dev/config/app.ini b/gitea-dev/config/app.ini
@@ -0,0 +1,101 @@
+APP_NAME = traP Gitea Develop
+RUN_MODE = prod
+WORK_PATH = /data/gitea
+
+[repository]
+ROOT = /data/git/repositories
+DISABLED_REPO_UNITS = repo.wiki
+
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+
+[server]
+APP_DATA_PATH = /data/gitea
+DOMAIN = git-dev.trapti.tech
+SSH_DOMAIN = git-dev.trapti.tech
+HTTP_PORT = 3000
+ROOT_URL = https://git-dev.trapti.tech/
+DISABLE_SSH = false
+SSH_PORT = 2222
+SSH_LISTEN_PORT = 2222
+LFS_START_SERVER = true
+START_SSH_SERVER = true
+
+[database]
+PATH = /data/gitea/gitea.db
+DB_TYPE = mysql
+HOST = private.kmbk.tokyotech.org:33060
-HOST = private.kmbk.tokyotech.org:33060
+HOST = tailscale.kmbk.tokyotech.org:33060
-HOST = private.kmbk.tokyotech.org:33060
+HOST = tailscale.kmbk.tokyotech.org:33060
+NAME = service_gitea_dev
+USER = service_gitea_dev
+LOG_SQL = false
+
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+
+[picture]
+AVATAR_UPLOAD_PATH = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+
+[attachment]
+STORAGE_TYPE = minio
+
+[log]
+MODE = console
+LEVEL = Debug
+ROOT_PATH = /data/gitea/log
+
+[security]
+INSTALL_LOCK = true
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
+REVERSE_PROXY_AUTHENTICATION_EMAIL = X-Forwarded-User-Email
+REVERSE_PROXY_AUTHENTICATION_USER = X-Forwarded-User
+
+[service]
+DISABLE_REGISTRATION = true
+REQUIRE_SIGNIN_VIEW = true
+ENABLE_REVERSE_PROXY_AUTHENTICATION = false
+ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true
+NO_REPLY_ADDRESS = trap.jp
+ENABLE_REVERSE_PROXY_EMAIL = true
+DEFAULT_KEEP_EMAIL_PRIVATE = true
+DEFAULT_ORG_MEMBER_VISIBLE = true
+ENABLE_NOTIFY_MAIL = true
+ENABLE_BASIC_AUTHENTICATION = false
+
+[lfs]
+STORAGE_TYPE = minio
+
+[storage.minio]
+MINIO_ENDPOINT = s3.ap-northeast-1.wasabisys.com
+MINIO_BUCKET = trap-gitea-dev
+MINIO_LOCATION = ap-northeast-1
+MINIO_USE_SSL = true
+MINIO_CHECKSUM_ALGORITHM = md5
+
+[actions]
+DEFAULT_ACTIONS_URL = github
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+
+[default]
+APP_NAME = traP Git Develop
+
+[mailer]
+ENABLED = true
+
+[metrics]
+ENABLED = true
+
+[oauth2]
+ENABLED = false
+
+[admin]
+USER_DISABLED_FEATURES = deletion,change_username,change_full_name
diff --git a/gitea-dev/deployment.yaml b/gitea-dev/deployment.yaml
@@ -0,0 +1,49 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: gitea
+  name: gitea
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: gitea
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: gitea
+    spec:
+      containers:
+        - env:
+            - name: USER_GID
+              value: "1002"
+            - name: USER_UID
+              value: "996"
-      containers:
-        - env:
-            - name: USER_GID
-              value: "1002"
-            - name: USER_UID
-              value: "996"
+      containers:
+        - env:
+            - name: USER_GID
+              value: "1002"
+            - name: USER_UID
+              value: "996"
+          envFrom:
+            - secretRef:
+                name: gitea-secrets
-      containers:
-        - env:
-            - name: USER_GID
-              value: "1002"
-            - name: USER_UID
-              value: "996"
+      containers:
+        - env:
+            - name: USER_GID
+              value: "1002"
+            - name: USER_UID
+              value: "996"
+          envFrom:
+            - secretRef:
+                name: gitea-secrets
+          image: gitea-latest
+          name: gitea
+          ports:
+            - containerPort: 3000
+              protocol: TCP
+            - containerPort: 2222
+              hostPort: 2222
+              protocol: TCP
+          volumeMounts:
+            - name: storage
+              mountPath: /data
+            - name: config
+              mountPath: /app.ini
+      restartPolicy: Always
+      volumes:
+        - name: storage
+          persistentVolumeClaim:
+            claimName: gitea-storage
+        - name: config
+          configMap:
+            name: gitea-config
+            items:
+            - key: app.ini
+              path: app.ini
+              mode: 0666
diff --git a/gitea-dev/ingress-route.yaml b/gitea-dev/ingress-route.yaml
@@ -0,0 +1,20 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitea
+spec:
+  entryPoints:
+    - websecure
+  tls:
+    secretName: gitea-tls
+  routes:
+    - kind: Rule
+      match: Host(`git-dev.trapti.tech`)
+      services:
+        - name: gitea
+          port: 3000
+    - kind: Rule
+      match: Host(`git-dev.trapti.tech`)
+      services:
+        - name: gitea
+          port: 2222
-    - kind: Rule
-      match: Host(`git-dev.trapti.tech`)
-      services:
-        - name: gitea
-          port: 2222
-    - kind: Rule
-      match: Host(`git-dev.trapti.tech`)
-      services:
-        - name: gitea
-          port: 2222
diff --git a/gitea-dev/ksops.yaml b/gitea-dev/ksops.yaml
@@ -0,0 +1,11 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: ksops
+  annotations:
+    config.kubernetes.io/function: |
+      exec:
+        path: ksops
+
+files:
+  - ./secrets/secrets.yaml
diff --git a/gitea-dev/kustomization.yaml b/gitea-dev/kustomization.yaml
@@ -0,0 +1,19 @@
+resources:
+- certificate.yaml
+- deployment.yaml
+- ingress-route.yaml
+- service.yaml
+- volume-storage.yaml
+
+images:
+- name: gitea-latest
+  newName: ghcr.io/traptitech/gitea
+  newTag: latest
+
+generators:
+  - ksops.yaml
+
+configMapGenerator:
+- name: gitea-config
+  files:
+    - ./config/app.ini
diff --git a/gitea-dev/secrets/secrets.yaml b/gitea-dev/secrets/secrets.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: gitea-secrets
+    annotations:
+        kustomize.config.k8s.io/needs-hash: "true"
+stringData:
+    GITEA__server__LFS_JWT_SECRET: ENC[AES256_GCM,data:v0DWaK6X52SH+lMbbYakEvANpBb2x3SrqnA4yjlpsN6UkpBdu0HzlACuNw==,iv:RyOfNbBbJeiYO6qi3mgBVZntLVotdsjOdvik311pl94=,tag:v3sIfGjh134o1pXLmjYSpw==,type:str]
+    GITEA__database__PASSWD: ENC[AES256_GCM,data:yAkzbPoticTV8q8ueq2a+myH6XNWRvnvNEflbJhQjkQ=,iv:QaXygC1DFda2VubMuugvY9nvcnckFYaLhTfaFXAu3TE=,tag:UVjlyTRXenHvG79sMDgeHQ==,type:str]
+    GITEA__security__SECRET_KEY: ENC[AES256_GCM,data:CEtC6PTSefDrciCY8JC7tBYYvcdKp2bLzsTxma/jvPwKrVNKeq9NFfL1lZdcn4zY40flK81MeIjIcky2AoKsTw==,iv:rWYomg/n554GuNz8QKkIpVuu+j1rcDIkFJgA9w/d3ig=,tag:JeO/+e0R+fwBws+8LD0KFA==,type:str]
+    GITEA__security__INTERNAL_TOKEN: ENC[AES256_GCM,data:8h2ga9WR4ZxRd1lIN9fj4N60zK+4ZS308eEw0C7jbq3s4IlHA9lo0BX1QNBxZwSmNo/hx9ryJdswwNHytAK944oNRjD6+aem20x5tnTw+sYq2FxDIgBFbIFmnOu82oOWMdKJILzmMRt5,iv:9lKZEGHJ0ueZwTKGcmgEhuNJmIOkeeL7smsHlmLp6A0=,tag:TD6mF00DjX8aWlNX8/oheg==,type:str]
+    GITEA__storage_0X2E_minio__MINIO_ACCESS_KEY_ID: ENC[AES256_GCM,data:udb2Z1BrKj7LE8WqKkVsag0pCXQ=,iv:gr/MigXLuInqUdjXJkbmvx/Xc5DKV+7eAGbq+Y75sig=,tag:c0lntI535CuEo1RaYtO57g==,type:str]
+    GITEA__storage_0X2E_minio__MINIO_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:3gC+8470oS+TYaizsDNLF7NsEh+3/Hip1jkQ01fcchXQxENT/s9UNw==,iv:U9tC1N3q/uMuqeVfWk0l8OnCpOrbD8o25Tj7mkfoCDo=,tag:QZ9w8IMi9ZYXDph/sPU0aA==,type:str]
+    GITEA__oauth2__JWT_SECRET: ENC[AES256_GCM,data:2bDzDrgMZpV03XXLyqfmXwJiB7Xdl5S3UxmDUBj525jHwYj5xm+0NeoDDQ==,iv:/J0ctup2Qfj1IW7W3GkJVNDhU7KQyy8e5+b7KQeos+o=,tag:Jhfsyy0BcEeNHFoVugNc/w==,type:str]
+sops:
+    age:
+        - recipient: age156red4ptw5huzpwlfnrukg4htuucdweu9jg8usjz98ggmeyedces3xqplq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCbWpkcHQzMy80RUhZYXpZ
+            TkRmVjZGcWtnUml5VWxNdnMrQURVdVVMaEJFCnRQTG9hVDBtb0xlTXpBang2Qmtu
+            M2NubGh3VDBNR2IwczVmOHRvRjZXdnMKLS0tIGZTSVd5RlZlMk42QVFyU1BpWVN0
+            SFBKQ2JhZ1FhbWJzbG04V3VIc3laa0UKb2u/tLkA653azNfBgWDC2EzmFWMYw6YY
+            iAIeQqDmr1sALoWxsRI4yRtkcVVkwyW//+5bRM4SEFvGmrMujxcx6w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-01-06T14:48:12Z"
+    mac: ENC[AES256_GCM,data:RJKSOHUnccFTsY+4LLtXW3Pm6A8Tkbtwsod9K6Xg1i+rAtOFT7xjiEIoTrY1SpozHDru161ej4ZZWjmnciBOLBwL8EXjVV/PYJmrcqHqMyDDcpnMrdcTWDnhYMC1wCuTtk70OtBAQTyvMYUsXhMMCcoHGKZfqzVPyrFWgmc0fco=,iv:mCRlnIeaHZ3ImhvGJNLKIRG2fa4Wk7G9OkeiSbEMyiU=,tag:huWiLfQdGJgHFPgnF7UZtQ==,type:str]
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.10.2
diff --git a/gitea-dev/service.yaml b/gitea-dev/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: gitea
+  name: gitea
+spec:
+  ports:
+    - name: "3000"
+      port: 3000
+      targetPort: 3000
+  selector:
+    app: gitea
diff --git a/gitea-dev/volume-storage.yaml b/gitea-dev/volume-storage.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gitea-storage
+spec:
+  resources:
+    requests:
+      storage: 100Mi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce