1.3.0 Release gitea

.gitignore

@@ -1,3 +1,4 @@
+.ansible
 data/bin/*
 data/volumes/*
 data/images/*

ansible/inventory/group_vars/all.yaml

@@ -72,3 +72,6 @@ version:
     vectorchord: "0.5.3"
     # Auth
     authelia: "4.39.15"
+    # App
+    vaultwarden: "1.35.4"
+    gitea: "1.25.5"

ansible/playbooks/app/site.yaml

@@ -153,6 +153,30 @@
           tags: ["site", "kopia"]
       tags: ["site", "kopia"]
 
+    - name: Set caddy
+      ansible.builtin.include_role:
+        name: "common"
+        tasks_from: "services/set_caddy"
+        apply:
+          tags: ["site", "caddy"]
+      tags: ["site", "caddy"]
+
+    - name: Set vaultwarden
+      ansible.builtin.include_role:
+        name: "app"
+        tasks_from: "services/set_vaultwarden"
+        apply:
+          tags: ["site", "vaultwarden"]
+      tags: ["site", "vaultwarden"]
+
+    - name: Set gitea
+      ansible.builtin.include_role:
+        name: "app"
+        tasks_from: "services/set_gitea"
+        apply:
+          tags: ["site", "gitea"]
+      tags: ["site", "gitea"]
+
     - name: Flush handlers right now
       ansible.builtin.meta: "flush_handlers"
 

ansible/roles/app/handlers/main.yaml

@@ -0,0 +1,22 @@
+---
+- name: Restart vaultwarden
+  ansible.builtin.systemd:
+    name: "vaultwarden.service"
+    state: "restarted"
+    enabled: true
+    scope: "user"
+    daemon_reload: true
+  changed_when: false
+  listen: "notification_restart_vaultwarden"
+  ignore_errors: true # noqa: ignore-errors
+
+- name: Restart gitea
+  ansible.builtin.systemd:
+    name: "gitea.service"
+    state: "restarted"
+    enabled: true
+    scope: "user"
+    daemon_reload: true
+  changed_when: false
+  listen: "notification_restart_gitea"
+  ignore_errors: true # noqa: ignore-errors

ansible/roles/app/tasks/services/set_gitea.yaml

@@ -0,0 +1,54 @@
+---
+- name: Set gitea container subuid
+  ansible.builtin.set_fact:
+    gitea_subuid: "100999"
+
+- name: Create gitea directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ gitea_subuid }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "data/containers/gitea"
+    - "containers/gitea"
+    - "containers/gitea/ssl"
+  become: true
+
+- name: Deploy root certificate
+  ansible.builtin.copy:
+    content: |
+      {{ hostvars['console']['ca']['root']['crt'] }}
+    dest: "{{ node['home_path'] }}/containers/gitea/ssl/ilnmors_root_ca.crt"
+    owner: "{{ gitea_subuid }}"
+    group: "svadmins"
+    mode: "0440"
+  become: true
+  notify: "notification_restart_gitea"
+  no_log: true
+
+- name: Register secret value to podman secret
+  containers.podman.podman_secret:
+    name: "GITEA__database__PASSWD"
+    data: "{{ hostvars['console']['postgresql']['password']['gitea'] }}"
+    state: "present"
+    force: true
+  no_log: true
+
+- name: Deploy container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/gitea/gitea.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/gitea.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_gitea"
+
+- name: Enable gitea.service
+  ansible.builtin.systemd:
+    name: "gitea.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"

ansible/roles/app/tasks/services/set_vaultwarden.yaml

@@ -0,0 +1,56 @@
+---
+- name: Create vaultwarden directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/{{ item }}"
+    state: "directory"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0770"
+  loop:
+    - "data/containers/vaultwarden"
+    - "containers/vaultwarden"
+    - "containers/vaultwarden/ssl"
+
+- name: Deploy root certificate
+  ansible.builtin.copy:
+    content: |
+      {{ hostvars['console']['ca']['root']['crt'] }}
+    dest: "{{ node['home_path'] }}/containers/vaultwarden/ssl/ilnmors_root_ca.crt"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0440"
+  become: true
+  notify: "notification_restart_vaultwarden"
+  no_log: true
+
+- name: Register secret value to podman secret
+  containers.podman.podman_secret:
+    name: "{{ item.name }}"
+    data: "{{ item.value }}"
+    state: "present"
+    force: true
+  loop:
+    - name: "VW_ADMIN_TOKEN"
+      value: "{{ hostvars['console']['vaultwarden']['admin']['hash'] }}"
+    - name: "VW_DATABASE_URL"
+      value: "postgresql://vaultwarden:{{ hostvars['console']['postgresql']['password']['vaultwarden'] | urlencode | replace('/', '%2F') }}\
+        @{{ infra_uri['postgresql']['domain'] }}/vaultwarden_db?sslmode=verify-full&sslrootcert=/etc/ssl/vaultwarden/ilnmors_root_ca.crt"
+  notify: "notification_restart_vaultwarden"
+  no_log: true
+
+- name: Deploy container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/vaultwarden/vaultwarden.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/vaultwarden.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_vaultwarden"
+
+- name: Enable vaultwarden.service
+  ansible.builtin.systemd:
+    name: "vaultwarden.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"

ansible/roles/infra/tasks/services/set_postgresql.yaml

@@ -10,6 +10,8 @@
       - "ldap"
       - "authelia"
       - "grafana"
+      - "vaultwarden"
+      - "gitea"
 
 - name: Create postgresql directory
   ansible.builtin.file:

config/node/app/nftables.conf.j2

@@ -5,17 +5,27 @@ define NET4_SERVER = {{ hostvars['fw']['network4']['subnet']['server'] }}
 define NET6_SERVER = {{ hostvars['fw']['network6']['subnet']['server'] }}
 define HOSTS4_CONSOLE = { {{ hostvars['fw']['network4']['console'].values() | join(', ') }} }
 define HOSTS6_CONSOLE = { {{ hostvars['fw']['network6']['console'].values() | join(', ') }} }
+define HOSTS4_AUTH = {{ hostvars['fw']['network4']['auth']['server'] }}
+define HOSTS6_AUTH = {{ hostvars['fw']['network6']['auth']['server'] }}
 define PORTS_SSH = 22
+define PORTS_HTTP = 80
+define PORTS_HTTP_FORWARD = 2080
+define PORTS_HTTPS = 443
+define PORTS_HTTPS_FORWARD = 2443
 
 table inet nat {
     chain prerouting {
         type nat hook prerouting priority dstnat; policy accept;
+        tcp dport $PORTS_HTTP dnat to :$PORTS_HTTP_FORWARD comment "dnat http ports to $PORTS_HTTP_FORWARD"
+        tcp dport $PORTS_HTTPS dnat to :$PORTS_HTTPS_FORWARD comment "dnat https ports to $PORTS_HTTPS_FORWARD"
     }
     chain postrouting {
 
     }
     chain output {
         type nat hook output priority dstnat; policy accept;
+        oifname "lo" tcp dport $PORTS_HTTP dnat to :$PORTS_HTTP_FORWARD comment "dnat http ports to $PORTS_HTTP_FORWARD out of LOCALHOST"
+        oifname "lo" tcp dport $PORTS_HTTPS dnat to :$PORTS_HTTPS_FORWARD comment "dnat https ports to $PORTS_HTTPS_FORWARD out of LOCALHOST"
     }
 }
 
@@ -28,6 +38,10 @@ table inet filter {
         meta l4proto { icmp, icmpv6 } accept comment "allow icmp connection"
         ip saddr $HOSTS4_CONSOLE tcp dport $PORTS_SSH accept comment "allow ipv4 ssh connection: CONSOLE > APP"
         ip6 saddr $HOSTS6_CONSOLE tcp dport $PORTS_SSH  accept comment "allow ipv6 ssh connection: CONSOLE > APP"
+        ip saddr { $HOSTS4_CONSOLE, $HOSTS4_AUTH } tcp dport $PORTS_HTTP_FORWARD ct original proto-dst $PORTS_HTTP accept comment "allow ipv4 http connection: CONSOLE, AUTH > APP"
+        ip6 saddr { $HOSTS6_CONSOLE, $HOSTS6_AUTH } tcp dport $PORTS_HTTP_FORWARD ct original proto-dst $PORTS_HTTP accept comment "allow ipv6 http connection: CONSOLE, AUTH > APP"
+        ip saddr { $HOSTS4_CONSOLE, $HOSTS4_AUTH } tcp dport $PORTS_HTTPS_FORWARD ct original proto-dst $PORTS_HTTPS accept comment "allow ipv4 https connection: CONSOLE, AUTH > APP"
+        ip6 saddr { $HOSTS6_CONSOLE, $HOSTS6_AUTH } tcp dport $PORTS_HTTPS_FORWARD ct original proto-dst $PORTS_HTTPS accept comment "allow ipv6 https connection: CONSOLE, AUTH > APP"
     }
     chain forward {
         type filter hook forward priority 0; policy drop;

config/node/common/resolved/global.conf.j2

@@ -3,4 +3,4 @@
 DNS=1.1.1.2 1.0.0.2
 DNS=2606:4700:4700::1112 2606:4700:4700::1002
 {% endif %}
-cache=false
+cache=false

config/secrets/secrets.yaml

@@ -113,6 +113,8 @@ postgresql:
         ldap: ENC[AES256_GCM,data:mJrxIhXynHxJhncw3upHpOkXIw+Ka9bmDBJwkDjYl+D9Pg4RDvL6WzBjthw=,iv:y8MUYo6VhgTzbWh/+n7/hf1Jw+L2KcdxKvulPJ67xn8=,tag:4ZFpj1UdOwXmaZjYvC/s3A==,type:str]
         grafana: ENC[AES256_GCM,data:P9okJ7bcsqmeGstkSwbDq/RgnG+lFrgAOvcj8A5lOTpmHaSlXGiKG+ybXa0=,iv:Di1ghnxIbAb/u7uo/mJCC3QYVjdweTHaQDZmXTx8OG4=,tag:DT3a1zgU9sTr0BXpyoZ/SQ==,type:str]
         authelia: ENC[AES256_GCM,data:OqyloAADO6KKEaBjGLsJc9GTe77wn6IvA1VCD2dfCWxx+zgzUYh87fK1XX8=,iv:QIOHNTdNnzcY/f3Co8dPdNHykhBnYRhm43nt35hbALM=,tag:DLQq58GrZd+Ul7MSn6s9uQ==,type:str]
+        vaultwarden: ENC[AES256_GCM,data:BPj5eFo54DTZ82n3yTIqEbm7kb/jWT0n2kZY//oV5q48eRch3C2RBuxn/Ko=,iv:DGC4ipHMyVs25gc4sNMt8LN1RsHjiR/b303vgiFoxMY=,tag:k1eb4DoRPLKvvMstSI1faQ==,type:str]
+        gitea: ENC[AES256_GCM,data:l+pBCzyQa3000SE9z1R4htD0V0ONsBtKy92dfgsVYsZ3XlEyVJDIBOsugwM=,iv:5t/oHW1vFAmV/s2Ze/cV9Vuqo96Qu6QvZeRbio7VX2s=,tag:4zeQaXiXIzBpy+tXsxmN7Q==,type:str]
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
@@ -170,6 +172,29 @@ authelia:
 #ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
 #
 #
+#ENC[AES256_GCM,data:MiobmVqj3dPargzws5q7Cpggnvw=,iv:VzBh1ZWqyByyTDn90pl0//TsjAYO5QLpfbrxnMF5OU4=,tag:7Y16L9i/homdtEpWynzsdg==,type:comment]
+vaultwarden:
+    admin:
+        password: ENC[AES256_GCM,data:FzD80H5lPNyjTRGd/IcIGir35KLF8gN3qmTzEQrlfutHh08mk0Vh9X8irHA=,iv:cfn5432g2MvkuBJLB2zDJmU0sLgMefVvpy0bP/4/oPY=,tag:7MHEv8XswdQZNTARvxs55g==,type:str]
+        hash: ENC[AES256_GCM,data:Ae7bhnL5pxfNV3+r/PCDIpxx0tHcNiB/s4sm7OoxVpp+tcEpXZ9vsv38sZjx+Z8t2vlmiYHc72PEdapcAihleuLMBPM1dAVn8LqzzWtVhfmCOoUZI8Z5L3VL8eyyz6npiw==,iv:c2MEIbrnVsR+bUx3zLLTnKSElFTH7JRl23HmmTlWEBg=,tag:mnMrER9pQEKAdloYMeRa3g==,type:str]
+    il:
+        password: ENC[AES256_GCM,data:mhLb55ENatpE59Rbzk2Uq6iBKc0Jj/9x4fOANJOHR0WvSxTQRKJ94cCq9Ykp/chWbdgYYPrwU5oD0Yo17zqb,iv:6bzKq5WaKhuOsQ8zSSH9ZrQYbDPB1nv/bFoQou1ycL4=,tag:bSmuUodl+/9nzxZ7YBoezA==,type:str]
+    morsalin:
+        password: ENC[AES256_GCM,data:ibg5/MfLH7pSY2pEmjM=,iv:+aV5muP/9BYoKwTGQxKEL+IGY9P+O3GVKGgSuTzT+U0=,tag:rgqcmJvd1RtvWJ91PCxYIg==,type:str]
+#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
+#
+#
+#ENC[AES256_GCM,data:HAN9BBEl1CW11LAf3x8=,iv:hwqCErtmPqGJ+y86D9MoxJwixvbcJONlyT900Y5DOug=,tag:kCxsG353ltbOCKLe85adCg==,type:comment]
+gitea:
+    il:
+        password: ENC[AES256_GCM,data:Bs5/t5mNbSv5+ek9gNHZp5qqxitM4Kq0Xgh2JV6LiFw9lZJSOVT4JPLRP5M=,iv:z50+naWOTVL8lEgBgm51j6hLjS8ve2UcRRKukvtykM0=,tag:TF9rPxjoLe/vAyvl23PiCg==,type:str]
+        token: ENC[AES256_GCM,data:CiYEXEKLLRDp++iga5YmhyPB2bSvqhhDgSOhmiulp9n9SsBVQ3s5MQ==,iv:+oetgEH/IORz74Xoz5zgDjD3BLyledZTqlYlCWaDrRk=,tag:S9O09YEMuSexuNW3ojEw5Q==,type:str]
+    oidc:
+        secret: ENC[AES256_GCM,data:qjQosi83oaK47wX4VtDktDFlIU3FQgmDpwyiSgJNPDq2Dtc/QEKzdv5/ZpQ=,iv:aUJx5a6Wj7lhaD19aPiZWIE/MWKUgH0muxtTSkwfg8M=,tag:DttjXee7ntxRAbqbFq6qeQ==,type:str]
+        hash: ENC[AES256_GCM,data:iVls8UzdP6JTfRosET6nsk3RcEtFQ8ak6GtPuBjcqAv3lyA9oSLwvvC8MvGaT1aHCB+5y/lspuloHEaAcVGNuzGCIVLg9Adut4a7LYDTHNOZnJIKLj8ldL1ytD5XVdbeBhZGCqoTs088oO0HVCQiDzpJL5NdmM3Ru6egyYBCLLUOlPA=,iv:er63GEC+kxNDscvspvvLiq17VSg0GeZ2w3jmGojF9PM=,tag:F1pDpaQrVdomIlZ8psVpAw==,type:str]
+#ENC[AES256_GCM,data:ODXFUxxxdQ==,iv:s9zJVx6wo6x517tbNvC+FZ0dFzqbjqeLI6rXBq72hQA=,tag:bXoV2I3LbpmQyddJrtS3Qg==,type:comment]
+#
+#
 #ENC[AES256_GCM,data:T4Wtn49AAxPd2QUFTR+q,iv:bH5goGWBDqumAat9dUv2OwfCUJUpuVqncTMqMBZUXhI=,tag:G+W6hHA+yftQ+4RJpXrxHg==,type:comment]
 switch:
     password: ENC[AES256_GCM,data:qu0f9L7A0eFq/UCpaRs=,iv:W8LLOp3MSfd/+EfNEZNf91K8GgI5eUfVPoWTRES2C0Y=,tag:Q5FlAOfwqwJwPvd7k6i+0g==,type:str]
@@ -199,7 +224,7 @@ sops:
             UmliaFNxVTBqRkI1QWJpWGpTRWxETW8KEY/8AfU73UOzCGhny1cNnd5dCNv7bHXt
             k+uyWPPi+enFkVaceSwMFrA66uaWWrwAj11sXEB7yzvGFPrnAGezjQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-14T19:40:47Z"
-    mac: ENC[AES256_GCM,data:EUVSxs6FPhKMSSmHe8P/d0IyBZsNb3q7AYj06j98bklAMYYVOludVePdh45MSvn92lDn712Muy6pqcJzDpsPWyxgXngywTu2SGV1yRCyA7U7RloRxlNROuDiugMkJWOtHcKArytVChUHT2PnzagAJR2kBSApbjUsC/xUTMBpsNM=,iv:SsJW2fMNEJHT2M+gjW5TKu6AYoxsf9jKf5T9KgJoF40=,tag:ItVweaSxts2Cm1VKkLp0/w==,type:str]
+    lastmodified: "2026-03-14T21:11:56Z"
+    mac: ENC[AES256_GCM,data:cTm/Vrukt1cnq5xWmfF7J3xhDrVH94ampOK1IqZgsBICuJgDm6VYbntElCcnrmPE4BrIAFr8SyDQa28QgLf+e2UBn36yVUNZTor1kx24WkMsjj4MIRJRlYSQoFAg1iJSGTshqiwgQQMfj1nOCctLXdNAyQFWHt+E+9zqeXFB/l8=,iv:/dDIeqEW8/T5V8glumE3cTTy9e3bFAvg3GaMHAYkFi0=,tag:7eUKYIkju8wniz+/xmGfgg==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.12.1

config/services/containers/app/gitea/gitea.container.j2

@@ -0,0 +1,51 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=Gitea
+
+After=network-online.target
+Wants=network-online.target
+
+[Container]
+Image=docker.io/gitea/gitea:{{ version['containers']['gitea'] }}
+
+ContainerName=gitea
+HostName=gitea
+
+PublishPort=3000:3000/tcp
+
+Volume=%h/data/containers/gitea:/data:rw
+Volume=%h/containers/gitea/ssl:/etc/ssl/gitea:ro
+
+# General
+Environment="TZ=Asia/Seoul"
+Environment="GITEA__server__DISABLE_SSH=true"
+# Database
+Environment="GITEA__database__DB_TYPE=postgres"
+Environment="GITEA__database__HOST={{ infra_uri['postgresql']['domain'] }}:{{ infra_uri['postgresql']['ports']['tcp'] }}"
+Environment="GITEA__database__NAME=gitea_db"
+Environment="GITEA__database__USER=gitea"
+Secret=GITEA__database__PASSWD,type=env
+Environment="GITEA__database__SSL_MODE=verify-full"
+Environment="PGSSLROOTCERT=/etc/ssl/gitea/ilnmors_root_ca.crt"
+# OAuth2 client
+Environment="GITEA__oauth2_client__ACCOUNT_LINKING=auto"
+# OIDC configuration
+Environment="GITEA__openid__ENABLE_OPENID_SIGNIN=false"
+Environment="GITEA__openid__ENABLE_OPENID_SIGNUP=true"
+Environment="GITEA__openid__WHITELISTED_URIS=authelia.ilnmors.com"
+# automatic create user via authelia
+Environment="GITEA__service__DISABLE_REGISTRATION=false"
+Environment="GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=true"
+Environment="GITEA__service__SHOW_REGISTRATION_BUTTON=false"
+
+
+[Service]
+ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target

config/services/containers/app/vaultwarden/vaultwarden.container.j2

@@ -0,0 +1,34 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=Vaultwarden
+
+After=network-online.target
+Wants=network-online.target
+
+[Container]
+Image=docker.io/vaultwarden/server:{{ version['containers']['vaultwarden'] }}
+
+ContainerName=vaultwarden
+HostName=vaultwarden
+
+PublishPort=8000:80/tcp
+
+Volume=%h/data/containers/vaultwarden:/data:rw
+Volume=%h/containers/vaultwarden/ssl:/etc/ssl/vaultwarden:ro
+
+Environment="TZ=Asia/Seoul"
+Environment="DOMAIN=https://vault.ilnmors.com"
+Environment="SIGNUPS_ALLOWED=false"
+Secret=VW_ADMIN_TOKEN,type=env,target=ADMIN_TOKEN
+Secret=VW_DATABASE_URL,type=env,target=DATABASE_URL
+
+[Service]
+ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target

config/services/containers/auth/authelia/config/authelia.yaml.j2

@@ -131,3 +131,24 @@ identity_providers:
         userinfo_signed_response_alg: 'none'
         # [ client_secret_post | client_secret_basic ]
         token_endpoint_auth_method: 'client_secret_post'
+      # https://www.authelia.com/integration/openid-connect/clients/gitea/
+      - client_id: 'gitea'
+        client_name: 'gitea'
+        client_secret: '{{ hostvars['console']['gitea']['oidc']['hash'] }}'
+        public: false
+        authorization_policy: 'one_factor'
+        require_pkce: false
+        pkce_challenge_method: ''
+        redirect_uris:
+          - 'https://gitea.ilnmors.com/user/oauth2/authelia/callback'
+        scopes:
+          - 'openid'
+          - 'email'
+          - 'profile'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_basic'

config/services/containers/common/caddy/etc/app/Caddyfile.j2

@@ -0,0 +1,42 @@
+{
+        servers {
+                # Only accept packets from auth main caddy
+                trusted_proxies static {{ hostvars['fw']['network4']['auth']['server'] }} {{ hostvars['fw']['network6']['auth']['server'] }}
+        }
+}
+# Private TLS ACME with DNS-01-challenge
+(private_tls) {
+        tls {
+                issuer acme {
+                        dir https://{{ infra_uri['ca']['domain'] }}:{{ infra_uri['ca']['ports']['https'] }}/acme/acme@ilnmors.internal/directory
+                        dns rfc2136 {
+                                server {{ infra_uri['bind']['domain'] }}:{{ infra_uri['bind']['ports']['dns'] }}
+                                key_name acme-key
+                                key_alg hmac-sha256
+                                key "{file./run/secrets/CADDY_ACME_KEY}"
+                        }
+                }
+        }
+}
+
+app.ilnmors.internal {
+        import private_tls
+        metrics
+}
+# test.app.ilnmors.internal {
+#         import private_tls
+#         root * /usr/share/caddy
+#         file_server
+# }
+vault.app.ilnmors.internal {
+        import private_tls
+        reverse_proxy host.containers.internal:8000 {
+               header_up Host {http.request.header.X-Forwarded-Host}
+        }
+}
+gitea.app.ilnmors.internal {
+        import private_tls
+        reverse_proxy host.containers.internal:3000 {
+               header_up Host {http.request.header.X-Forwarded-Host}
+        }
+}

config/services/containers/common/caddy/etc/auth/Caddyfile.j2

@@ -41,17 +41,44 @@ authelia.ilnmors.com {
                 reverse_proxy host.containers.internal:9091
         }
 }
-test.ilnmors.com {
+# test.ilnmors.com {
+#         import crowdsec_log
+#         route {
+#                 crowdsec
+#                 forward_auth host.containers.internal:9091 {
+#                         # Authelia Forward Auth endpoint URI
+#                         uri /api/authz/forward-auth
+#                         copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+#                 }
+#                 root * /usr/share/caddy
+#                 file_server
+#         }
+# }
+# test.app.ilnmors.com {
+#         import crowdsec_log
+#         route {
+#                 crowdsec
+#                 reverse_proxy https://test.app.ilnmors.internal {
+#                         header_up Host {http.reverse_proxy.upstream.host}
+#                 }
+#         }
+# }
+vault.ilnmors.com {
         import crowdsec_log
         route {
                 crowdsec
-                forward_auth host.containers.internal:9091 {
-                        # Authelia Forward Auth endpoint URI
-                        uri /api/authz/forward-auth
-                        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+                reverse_proxy https://vault.app.ilnmors.internal {
+                        header_up Host {http.reverse_proxy.upstream.host}
+                }
+        }
+}
+gitea.ilnmors.com {
+        import crowdsec_log
+        route {
+                crowdsec
+                reverse_proxy https://gitea.app.ilnmors.internal {
+                        header_up Host {http.reverse_proxy.upstream.host}
                 }
-                root * /usr/share/caddy
-                file_server
         }
 }
 

config/services/containers/infra/ca/config/ca.json.j2

@@ -22,7 +22,8 @@
 				"allow": {
 					"dns": [
 						"ilnmors.internal",
-						"*.ilnmors.internal"
+						"*.ilnmors.internal",
+						"*.app.ilnmors.internal"
 					]
 				},
 				"allowWildcardNames": true

docs/runbook/07-git.md

@@ -69,3 +69,27 @@ git tag -a 0.0.1-caddy-app -m "caddy-app: Start caddy-app branch"
 git switch main
 git merge caddy-app
 ```
+
+## Connect local git and remote git
+
+- Set this after gitea is implemented
+
+```bash
+# Add git remote repository
+git config --global credential.helper store
+git remote add origin https://gitea.ilnmors.com/il/ilnmors-homelab.git
+# For first time to make connection between local and remote git
+git push -u origin main
+# Username for 'https://gitea.ilnmors.com': il
+# Password for 'https://il@gitea.ilnmors.com': gitea.il.token
+git push --tags
+# After first connection, -u origin main option is not needed
+git add $PATH
+git commit -m "comment"
+git tag -a $VERSION -m "comment"
+git push && git push --tags
+# -f and --force-with-lease can be used in commit and tags
+# -f option and --force-with-lease
+# -f: just overwrite forcefully without any condition. it is dangerous, because it doesn't care the changes (commit) from other local git
+# --force-with-lease: overwrite forcefully only when there's no changes (commit) from other local git
+```

docs/services/app/gitea.md

@@ -0,0 +1,94 @@
+# gitea
+
+## Prerequisite
+
+### Create database
+
+- Create the password with `openssl rand -base64 32`
+  - Save this value in secrets.yaml in `postgres.password.gitea`
+  - Access infra server to create gitea_db with `podman exec -it postgresql psql -U postgres`
+
+```SQL
+CREATE USER gitea WITH PASSWORD 'gitea.password.vaultwarden';
+CREATE DATABASE gitea_db;
+ALTER DATABASE gitea_db OWNER TO gitea;
+```
+
+### Create oidc secret and hash
+
+- Create the secret with `openssl rand -base64 32`
+- access to auth vm
+  - `podman exec -it authelia sh`
+  - `authelia crypto hash generate pbkdf2 --password 'gitea.oidc.secret'`
+- Save this value in secrets.yaml in `gitea.oidc.secret` and `gitea.oidc.hash`
+
+### Create admin password
+
+- Create the secret with `openssl rand -base64 32`
+- Save this value in secrets.yaml in `gitea.admin.password`
+- 
+### Add postgresql dump backup list
+
+- [set_postgresql.yaml](../../../ansible/roles/infra/tasks/services/set_postgresql.yaml)
+
+```yaml
+- name: Set connected services list
+  ansible.builtin.set_fact:
+    # telegraf has no database
+    connected_services:
+      - ...
+      - "gitea"
+```
+
+## Configuration
+
+### Site installation
+
+- **!CAUTION!** This is needed Only when first installing. This process isn't needed when the data is restored on `~/data/containers/gitea`
+- https://gitea.ilnmors.com
+- General setting
+  - Site Title: Gitea: ilnmors
+- Administrator Account Setting
+  - Administrator Username: il
+  - Email Address il@ilnmors.internal
+  - Password & confirm password: gitea.il.password
+- Install Gitea
+
+### Oauth configuration
+
+- Site Administration
+- Identity & Access: Authentication Sources: Add Authentication Source
+- Configure the following options:
+  - Authentication Type: OAuth2
+  - Authentication Name: authelia
+  - OAuth2 Provider: OpenID Connect
+  - Client ID (Key): gitea
+  - Client Secret: gitea.oidc.secret
+  - OpenID Connect Auto Discovery URL: https://authelia.ilnmors.com/.well-known/openid-configuration
+
+### Link Account via OAuth2
+
+- Login with autheila
+  - Register New Account
+  - Link to Existing Account
+    - Link the account of administrational account which set at the inital install page
+    - id and password
+
+### Set repository access token
+
+- Settings: Applications: Generate New Token
+  - Token name: ilnmors-homelab
+  - Repository and Organization Access: All
+  - repository - Read and Write
+- Generate Token
+- Copy token value and save this in `secrets.yaml`
+
+## Connect with loacl git repository
+
+### Create remote git repository
+
+- Repository: `+`
+  - Name: ilnmors-homelab
+  - etc: default vaules
+
+- Following [07-git.md](../../runbook/07-git.md)

docs/services/app/vaultwarden.md

@@ -0,0 +1,50 @@
+# vaultwarden
+
+## Prerequisite
+
+### Create database
+
+- Create the password with `openssl rand -base64 32`
+  - Save this value in secrets.yaml in `postgres.password.vaultwarden`
+  - Access infra server to create vaultwarden_db with `podman exec -it postgresql psql -U postgres`
+
+```SQL
+CREATE USER vaultwarden WITH PASSWORD 'postgres.password.vaultwarden';
+CREATE DATABASE vaultwarden_db;
+ALTER DATABASE vaultwarden_db OWNER TO vaultwarden;
+```
+
+### Create admin hash
+
+- Create the password with `openssl rand -base64 32`
+  - https://argon2.online/
+  - salt: auto generate
+  - parallelism: factor 4
+  - memory cost: 65536
+  - iterations: 3
+  - hash length: 32
+  - type: argon2id
+- Save this value in secrets.yaml in `vaultwarden.admin.password` and `vaultwarden.admin.hash`
+
+### Add postgresql dump backup list
+
+- [set_postgresql.yaml](../../../ansible/roles/infra/tasks/services/set_postgresql.yaml)
+
+```yaml
+- name: Set connected services list
+  ansible.builtin.set_fact:
+    # telegraf has no database
+    connected_services:
+      - ...
+      - "vaultwarden"
+
+```
+
+## Configuration
+
+- https://vault.ilnmors.com/admin
+  - token value: vaultwarden.admin.password
+- Users:Invite User:Email
+  - add
+- https://vault.ilnmors.com
+  - Create account and input the Email which added in admin page

docs/services/common/caddy.md

@@ -28,17 +28,23 @@ test.ilnmors.com
     import crowdsec_log
     route {
         crowdsec
-        reverse_proxy https://test.app.ilnmors.internal
+        reverse_proxy https://test.app.ilnmors.internal {
+            header_up Host {http.reverse_proxy.upstream.host}
+        }
     }
 }
 # App server
+{
+    servers {
+        trusted_proxies static {{ hostvars['fw']['network4']['auth']['server'] }} {{ hostvars['fw']['network6']['auth']['server'] }}
+    }
+}
 test.app.ilnmors.internal
 {
      import internal_tls
-     trusted_proxies {{ hostvars['fw']['network4']['auth']['server'] }} {{ hostvars['fw']['network6']['auth']['server'] }}
      route {
         reverse_proxy host.containers.internal:3000 {
-            header_up Host {header.X-Forwarded-Host} {Host}
+            header_up Host {http.request.header.X-Forwarded-Host}
         }
      }
 }