Add Gitea self-hosted git/CI/registry to replace GitHub

Deploy Gitea via Helm with dedicated CloudNativePG database,
in-cluster Actions runner (DinD), and built-in container registry.
ArgoCD repoURLs updated to use in-cluster Gitea SSH. Preview
ApplicationSet switched from GitHub PR generator to Gitea PR
generator. App images now pull from gitea.coreworlds.io registry.

Remaining setup after deploy: seal runner token, ArgoCD API token,
and registry pull secret once Gitea is running. Add ArgoCD deploy
key to Gitea repo settings.

.gitea/workflows/ci.yaml

@@ -0,0 +1,87 @@
+name: CI
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+concurrency:
+  group: ${{ gitea.workflow }}-${{ gitea.ref }}
+  cancel-in-progress: true
+
+jobs:
+  changes:
+    runs-on: ubuntu-latest
+    outputs:
+      apps: ${{ steps.filter.outputs.apps }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Detect changed apps
+        id: filter
+        run: |
+          if [ "${{ gitea.event_name }}" = "pull_request" ]; then
+            CHANGED=$(git diff --name-only origin/main...HEAD)
+          else
+            CHANGED=$(git diff --name-only HEAD~1)
+          fi
+          APPS="[]"
+          for app in web api harness; do
+            if echo "$CHANGED" | grep -qE "^(apps/${app}/|packages/)"; then
+              APPS=$(echo "$APPS" | jq -c ". + [\"${app}\"]")
+            fi
+          done
+          echo "apps=$APPS" >> "$GITHUB_OUTPUT"
+
+  lint-and-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: pnpm
+
+      - run: pnpm install --frozen-lockfile
+
+      - run: pnpm turbo lint test
+
+  build:
+    needs: [changes, lint-and-test]
+    runs-on: ubuntu-latest
+    if: needs.changes.outputs.apps != '[]'
+    strategy:
+      matrix:
+        app: ${{ fromJson(needs.changes.outputs.apps) }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: pnpm
+
+      - run: pnpm install --frozen-lockfile
+
+      - run: pnpm turbo build --filter=@homelab/${{ matrix.app }}
+
+      - name: Build Docker image
+        run: |
+          docker build \
+            -t gitea.coreworlds.io/julia/homelab-${{ matrix.app }}:${{ gitea.sha }} \
+            -t gitea.coreworlds.io/julia/homelab-${{ matrix.app }}:pr-${{ gitea.event.number }} \
+            apps/${{ matrix.app }}
+
+      - name: Push to registry
+        if: gitea.event_name == 'push' || gitea.event_name == 'pull_request'
+        run: |
+          echo "${{ secrets.GITEA_TOKEN }}" | docker login gitea.coreworlds.io -u ${{ gitea.actor }} --password-stdin
+          docker push gitea.coreworlds.io/julia/homelab-${{ matrix.app }}:${{ gitea.sha }}

.gitea/workflows/deploy-preview.yaml

@@ -0,0 +1,64 @@
+name: Deploy Preview
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: pnpm
+
+      - run: pnpm install --frozen-lockfile
+
+      - name: Determine changed apps
+        id: changes
+        run: |
+          APPS=$(pnpm turbo build --filter='...[origin/main]' --dry-run=json | jq -r '[.packages[] | select(startswith("@homelab/")) | sub("@homelab/";"") ] | join(",")')
+          echo "apps=$APPS" >> "$GITHUB_OUTPUT"
+
+      - name: Build and push images
+        if: steps.changes.outputs.apps != ''
+        run: |
+          echo "${{ secrets.GITEA_TOKEN }}" | docker login gitea.coreworlds.io -u ${{ gitea.actor }} --password-stdin
+          IFS=',' read -ra APPS <<< "${{ steps.changes.outputs.apps }}"
+          for app in "${APPS[@]}"; do
+            docker build \
+              -t gitea.coreworlds.io/julia/homelab-${app}:${{ gitea.sha }} \
+              apps/${app}
+            docker push gitea.coreworlds.io/julia/homelab-${app}:${{ gitea.sha }}
+          done
+
+      - name: Update image tags in preview overlay
+        if: steps.changes.outputs.apps != ''
+        run: |
+          IFS=',' read -ra APPS <<< "${{ steps.changes.outputs.apps }}"
+          for app in "${APPS[@]}"; do
+            cd apps/${app}/k8s/overlays/preview
+            kustomize edit set image gitea.coreworlds.io/julia/homelab-${app}=gitea.coreworlds.io/julia/homelab-${app}:${{ gitea.sha }}
+            cd -
+          done
+
+      - name: Comment preview URL
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { owner, repo } = context.repo;
+            const issue_number = context.issue.number;
+            const body = `## Preview Deploy\nNamespace: \`preview-${issue_number}\`\nArgoCD will sync automatically from branch \`${context.payload.pull_request.head.ref}\`.`;
+            await fetch(`${process.env.GITHUB_API_URL}/repos/${owner}/${repo}/issues/${issue_number}/comments`, {
+              method: 'POST',
+              headers: {
+                'Authorization': `token ${process.env.GITHUB_TOKEN}`,
+                'Content-Type': 'application/json'
+              },
+              body: JSON.stringify({ body })
+            });

.gitea/workflows/deploy-production.yaml

@@ -0,0 +1,59 @@
+name: Deploy Production
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: pnpm
+
+      - run: pnpm install --frozen-lockfile
+
+      - name: Determine changed apps
+        id: changes
+        run: |
+          APPS=$(pnpm turbo build --filter='...[HEAD~1]' --dry-run=json | jq -r '[.packages[] | select(startswith("@homelab/")) | sub("@homelab/";"") ] | join(",")')
+          echo "apps=$APPS" >> "$GITHUB_OUTPUT"
+
+      - name: Build and push images
+        if: steps.changes.outputs.apps != ''
+        run: |
+          echo "${{ secrets.GITEA_TOKEN }}" | docker login gitea.coreworlds.io -u ${{ gitea.actor }} --password-stdin
+          IFS=',' read -ra APPS <<< "${{ steps.changes.outputs.apps }}"
+          for app in "${APPS[@]}"; do
+            docker build \
+              -t gitea.coreworlds.io/julia/homelab-${app}:${{ gitea.sha }} \
+              -t gitea.coreworlds.io/julia/homelab-${app}:latest \
+              apps/${app}
+            docker push gitea.coreworlds.io/julia/homelab-${app}:${{ gitea.sha }}
+            docker push gitea.coreworlds.io/julia/homelab-${app}:latest
+          done
+
+      - name: Update image tags in production overlay
+        if: steps.changes.outputs.apps != ''
+        run: |
+          IFS=',' read -ra APPS <<< "${{ steps.changes.outputs.apps }}"
+          for app in "${APPS[@]}"; do
+            cd apps/${app}/k8s/overlays/production
+            kustomize edit set image gitea.coreworlds.io/julia/homelab-${app}=gitea.coreworlds.io/julia/homelab-${app}:${{ gitea.sha }}
+            cd -
+          done
+
+      - name: Commit image tag updates
+        if: steps.changes.outputs.apps != ''
+        run: |
+          git config user.name "gitea-actions[bot]"
+          git config user.email "gitea-actions[bot]@coreworlds.io"
+          git add apps/*/k8s/overlays/production/
+          git diff --staged --quiet || git commit -m "deploy: update production images to ${{ gitea.sha }}"
+          git push

CLAUDE.md

@@ -10,7 +10,7 @@ GitOps via ArgoCD, bare-metal provisioning via Ansible, Turborepo for app builds
 - **Infrastructure**: k3s, ArgoCD, Ansible
 - **Platform**: Traefik, cert-manager, CloudNativePG, Valkey, Longhorn, Sealed Secrets
 - **Observability**: kube-prometheus-stack, Loki, Promtail, Grafana
-- **CI/CD**: GitHub Actions → ghcr.io → ArgoCD
+- **CI/CD**: Gitea Actions → gitea.coreworlds.io registry → ArgoCD
 - **Task Runner**: Taskfile (go-task)
 
 ## Directory Structure
@@ -28,7 +28,9 @@ GitOps via ArgoCD, bare-metal provisioning via Ansible, Turborepo for app builds
 - Secrets are sealed with kubeseal before committing
 - Branch deploys create `preview-<PR#>` namespaces automatically
 - Use `task <command>` for all operations (see Taskfile.yaml)
-- Docker images tagged with git SHA, pushed to ghcr.io
+- Docker images tagged with git SHA, pushed to gitea.coreworlds.io registry
+- Git hosted on self-hosted Gitea, GitHub is a read-only push mirror
+- Gitea Actions runners: in-cluster (amd64), Mac (arm64), Windows (WSL2)
 
 ## Common Commands
 ```bash

Taskfile.yaml

@@ -95,6 +95,40 @@ tasks:
     cmds:
       - kubectl port-forward -n platform svc/homelab-pg-rw 5432:5432
 
+  # Gitea
+  gitea:status:
+    desc: Check Gitea runners and mirror sync status
+    cmds:
+      - |
+        echo "=== Gitea Runners ==="
+        curl -s -H "Authorization: token $(kubectl get secret argocd-gitea-token -n argocd -o jsonpath='{.data.token}' | base64 -d)" \
+          https://gitea.coreworlds.io/api/v1/admin/runners | jq '.[] | {name, online, labels}'
+        echo ""
+        echo "=== Mirror Sync ==="
+        curl -s -H "Authorization: token $(kubectl get secret argocd-gitea-token -n argocd -o jsonpath='{.data.token}' | base64 -d)" \
+          https://gitea.coreworlds.io/api/v1/repos/julia/homelab | jq '{mirror: .mirror, mirror_updated: .mirror_updated}'
+
+  gitea:runner:register:
+    desc: Register an external Gitea Actions runner
+    cmds:
+      - |
+        echo "Run on the target machine:"
+        echo "  act_runner register --instance https://gitea.coreworlds.io --token <TOKEN> --labels '<labels>'"
+        echo ""
+        echo "Labels:"
+        echo "  Mac:     macos-arm64:host,arm64:host,self-hosted:host"
+        echo "  Windows: windows:host,wsl2:host,self-hosted:host"
+
+  gitea:runner:mac:start:
+    desc: Start Gitea runner on Mac (run on Mac)
+    cmds:
+      - act_runner daemon
+
+  gitea:runner:mac:stop:
+    desc: Stop Gitea runner on Mac (run on Mac)
+    cmds:
+      - pkill act_runner || true
+
   # Linting
   lint:ansible:
     desc: Lint Ansible playbooks

apps/api/k8s/base/deployment.yaml

@@ -15,10 +15,10 @@ spec:
         app: api
     spec:
       imagePullSecrets:
-        - name: ghcr-pull-secret
+        - name: gitea-pull-secret
       containers:
         - name: api
-          image: ghcr.io/lazorgurl/homelab-api:latest
+          image: gitea.coreworlds.io/julia/homelab-api:latest
           ports:
             - containerPort: 4000
               name: http

apps/api/k8s/base/ghcr-pull-secret-sealed.yaml

@@ -1,14 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: ghcr-pull-secret
-  namespace: apps
-spec:
-  encryptedData:
-    .dockerconfigjson: AgB7twUw+WM+H96XJQlZNqTTY5uweBab7NfDuK/CEFJ7062A6+1U3ZRGRhA1QXJJBnITlRT6rNAlVmhGw4aEPWeGeBzutpBcOT2JytQY0NbVf1cpTIkNv8ca/oUQMKbTEbCZ6lBcX2NzJjkTQI/MrN+bH7yCfgWKJUFxy6h41go37RlBj+G3uso4wQ7mTEV6dNIPw/vFfHyygDK4XUmYV6tFfVkYC/wPBxUlQvQqjKFvCVcNm7cog9vJqdRmiRgwUqehzHnGIqiUH+0Da6kwxs3+Rw9blFB4PBSDSa0YVUVvAvW2QpE8ZvfoAbj79x7i2fl8gDO3176vTkzen1hZl5TtIk+Hr2GChFkiNslOXKgsJVuWISQtnaTA4j9aOE8kona7zzE6J7vTQOmnlVSGHDjY/TAHjnB7qsodl6Vma6FLShcbG75E2+iAhJzxgbu2gLMcLFD8CuHNSur5rfnnhDeYhedQIyf4qcocXgL0yO+/NTv2hH76cfFPsn2dAwwwL6iVJWvFgA7pywAD0jr8r7PMLRZjQrJxOu1vqgXPMo2656A7yD9Mk87Z8W0g7LgP9XKITxwIW5B47kEdOkifwP/doazgsHs153eZSmbN8oVXXM4EGrAPMOJs+MVt9/pBcKA8Ct5QuCHpSKBZVWVOVbT1r2jFY+b7jHWb2zg93WYP8kU+ZN8a1D52h0zKgb9nTBn6qaDK2gSRCj0CSl11JVUynVAA60ZSHalQriZV2+ZAo1SHx4/uMhOpnJVU9mY9sIbXrMCJTGtWgyOlAg1UpdOefCJyfxEihm+n82Xp12fqmKjiptXgQX5YHF9stpo3VKOPpxfk6kfMIRh9ckuD3JXS3xJZV/7t/dSHXc0NsZxp/FTbP31pAcgWXS4s9qF681IyjXx3IGnxcyd16ADtXCvVfjDCZZceNWatxb7SABQg2F7h
-  template:
-    metadata:
-      name: ghcr-pull-secret
-      namespace: apps
-    type: kubernetes.io/dockerconfigjson

apps/api/k8s/base/gitea-pull-secret-sealed.yaml

@@ -0,0 +1,22 @@
+# PLACEHOLDER: Re-seal with Gitea registry credentials
+# kubectl create secret docker-registry gitea-pull-secret \
+#   --namespace apps \
+#   --docker-server=gitea.coreworlds.io \
+#   --docker-username=julia \
+#   --docker-password=<token> \
+#   --dry-run=client -o yaml | kubeseal --format yaml \
+#     --controller-namespace kube-system --controller-name sealed-secrets-helm
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: gitea-pull-secret
+  namespace: apps
+spec:
+  encryptedData:
+    .dockerconfigjson: PLACEHOLDER_SEAL_ME
+  template:
+    metadata:
+      name: gitea-pull-secret
+      namespace: apps
+    type: kubernetes.io/dockerconfigjson

apps/api/k8s/base/kustomization.yaml

@@ -4,6 +4,6 @@ resources:
   - deployment.yaml
   - service.yaml
   - ingress.yaml
-  - ghcr-pull-secret-sealed.yaml
+  - gitea-pull-secret-sealed.yaml
   - api-secrets-sealed.yaml
   - servicemonitor.yaml

apps/api/k8s/overlays/production/kustomization.yaml

@@ -14,6 +14,6 @@ patches:
     kind: Deployment
     name: api
 images:
-- name: ghcr.io/lazorgurl/homelab-api
+- name: gitea.coreworlds.io/julia/homelab-api
-  newName: ghcr.io/lazorgurl/homelab-api
+  newName: gitea.coreworlds.io/julia/homelab-api
   newTag: da95687db90d2790cac12ad2e66fa16388712871

apps/harness/k8s/base/deployment.yaml

@@ -15,10 +15,10 @@ spec:
         app: harness
     spec:
       imagePullSecrets:
-        - name: ghcr-pull-secret
+        - name: gitea-pull-secret
       containers:
         - name: harness
-          image: ghcr.io/lazorgurl/homelab-harness:latest
+          image: gitea.coreworlds.io/julia/homelab-harness:latest
           ports:
             - containerPort: 3100
           env:

apps/harness/k8s/overlays/production/kustomization.yaml

@@ -14,6 +14,6 @@ patches:
     kind: Deployment
     name: harness
 images:
-- name: ghcr.io/lazorgurl/homelab-harness
+- name: gitea.coreworlds.io/julia/homelab-harness
-  newName: ghcr.io/lazorgurl/homelab-harness
+  newName: gitea.coreworlds.io/julia/homelab-harness
   newTag: latest

apps/web/k8s/base/deployment.yaml

@@ -15,10 +15,10 @@ spec:
         app: web
     spec:
       imagePullSecrets:
-        - name: ghcr-pull-secret
+        - name: gitea-pull-secret
       containers:
         - name: web
-          image: ghcr.io/lazorgurl/homelab-web:latest
+          image: gitea.coreworlds.io/julia/homelab-web:latest
           ports:
             - containerPort: 3000
           resources:

apps/web/k8s/base/ghcr-pull-secret-sealed.yaml

@@ -1,14 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: ghcr-pull-secret
-  namespace: apps
-spec:
-  encryptedData:
-    .dockerconfigjson: AgB7twUw+WM+H96XJQlZNqTTY5uweBab7NfDuK/CEFJ7062A6+1U3ZRGRhA1QXJJBnITlRT6rNAlVmhGw4aEPWeGeBzutpBcOT2JytQY0NbVf1cpTIkNv8ca/oUQMKbTEbCZ6lBcX2NzJjkTQI/MrN+bH7yCfgWKJUFxy6h41go37RlBj+G3uso4wQ7mTEV6dNIPw/vFfHyygDK4XUmYV6tFfVkYC/wPBxUlQvQqjKFvCVcNm7cog9vJqdRmiRgwUqehzHnGIqiUH+0Da6kwxs3+Rw9blFB4PBSDSa0YVUVvAvW2QpE8ZvfoAbj79x7i2fl8gDO3176vTkzen1hZl5TtIk+Hr2GChFkiNslOXKgsJVuWISQtnaTA4j9aOE8kona7zzE6J7vTQOmnlVSGHDjY/TAHjnB7qsodl6Vma6FLShcbG75E2+iAhJzxgbu2gLMcLFD8CuHNSur5rfnnhDeYhedQIyf4qcocXgL0yO+/NTv2hH76cfFPsn2dAwwwL6iVJWvFgA7pywAD0jr8r7PMLRZjQrJxOu1vqgXPMo2656A7yD9Mk87Z8W0g7LgP9XKITxwIW5B47kEdOkifwP/doazgsHs153eZSmbN8oVXXM4EGrAPMOJs+MVt9/pBcKA8Ct5QuCHpSKBZVWVOVbT1r2jFY+b7jHWb2zg93WYP8kU+ZN8a1D52h0zKgb9nTBn6qaDK2gSRCj0CSl11JVUynVAA60ZSHalQriZV2+ZAo1SHx4/uMhOpnJVU9mY9sIbXrMCJTGtWgyOlAg1UpdOefCJyfxEihm+n82Xp12fqmKjiptXgQX5YHF9stpo3VKOPpxfk6kfMIRh9ckuD3JXS3xJZV/7t/dSHXc0NsZxp/FTbP31pAcgWXS4s9qF681IyjXx3IGnxcyd16ADtXCvVfjDCZZceNWatxb7SABQg2F7h
-  template:
-    metadata:
-      name: ghcr-pull-secret
-      namespace: apps
-    type: kubernetes.io/dockerconfigjson

apps/web/k8s/base/gitea-pull-secret-sealed.yaml

@@ -0,0 +1,22 @@
+# PLACEHOLDER: Re-seal with Gitea registry credentials
+# kubectl create secret docker-registry gitea-pull-secret \
+#   --namespace apps \
+#   --docker-server=gitea.coreworlds.io \
+#   --docker-username=julia \
+#   --docker-password=<token> \
+#   --dry-run=client -o yaml | kubeseal --format yaml \
+#     --controller-namespace kube-system --controller-name sealed-secrets-helm
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: gitea-pull-secret
+  namespace: apps
+spec:
+  encryptedData:
+    .dockerconfigjson: PLACEHOLDER_SEAL_ME
+  template:
+    metadata:
+      name: gitea-pull-secret
+      namespace: apps
+    type: kubernetes.io/dockerconfigjson

apps/web/k8s/base/kustomization.yaml

@@ -4,4 +4,4 @@ resources:
   - deployment.yaml
   - service.yaml
   - ingress.yaml
-  - ghcr-pull-secret-sealed.yaml
+  - gitea-pull-secret-sealed.yaml

apps/web/k8s/overlays/production/kustomization.yaml

@@ -14,6 +14,6 @@ patches:
     kind: Deployment
     name: web
 images:
-- name: ghcr.io/lazorgurl/homelab-web
+- name: gitea.coreworlds.io/julia/homelab-web
-  newName: ghcr.io/lazorgurl/homelab-web
+  newName: gitea.coreworlds.io/julia/homelab-web
   newTag: da95687db90d2790cac12ad2e66fa16388712871

infra/kubernetes/argocd/app-of-apps.yaml

@@ -8,7 +8,7 @@ metadata:
 spec:
   project: default
   source:
-    repoURL: git@github.com:lazorgurl/homelab.git
+    repoURL: ssh://git@gitea-ssh.platform.svc:2222/julia/homelab.git
     targetRevision: main
     path: infra/kubernetes/argocd
   destination:

infra/kubernetes/argocd/appsets/apps.yaml

@@ -8,7 +8,7 @@ spec:
   goTemplateOptions: ["missingkey=error"]
   generators:
     - git:
-        repoURL: git@github.com:lazorgurl/homelab.git
+        repoURL: ssh://git@gitea-ssh.platform.svc:2222/julia/homelab.git
         revision: main
         directories:
           - path: apps/*/k8s/overlays/production
@@ -18,7 +18,7 @@ spec:
     spec:
       project: default
       source:
-        repoURL: git@github.com:lazorgurl/homelab.git
+        repoURL: ssh://git@gitea-ssh.platform.svc:2222/julia/homelab.git
         targetRevision: main
         path: "{{ .path.path }}"
       destination:

infra/kubernetes/argocd/appsets/platform.yaml

@@ -8,7 +8,7 @@ spec:
   goTemplateOptions: ["missingkey=error"]
   generators:
     - git:
-        repoURL: git@github.com:lazorgurl/homelab.git
+        repoURL: ssh://git@gitea-ssh.platform.svc:2222/julia/homelab.git
         revision: main
         directories:
           - path: infra/kubernetes/platform/*
@@ -18,7 +18,7 @@ spec:
     spec:
       project: default
       source:
-        repoURL: git@github.com:lazorgurl/homelab.git
+        repoURL: ssh://git@gitea-ssh.platform.svc:2222/julia/homelab.git
         targetRevision: main
         path: "{{ .path.path }}"
       destination:

infra/kubernetes/argocd/appsets/previews.yaml

@@ -8,9 +8,13 @@ spec:
   goTemplateOptions: ["missingkey=error"]
   generators:
     - pullRequest:
-        github:
+        gitea:
-          owner: lazorgurl
+          owner: julia
           repo: homelab
+          api: http://gitea-http.platform.svc:3000
+          tokenRef:
+            secretName: argocd-gitea-token
+            key: token
         requeueAfterSeconds: 60
   template:
     metadata:
@@ -18,7 +22,7 @@ spec:
     spec:
       project: default
       source:
-        repoURL: git@github.com:lazorgurl/homelab.git
+        repoURL: ssh://git@gitea-ssh.platform.svc:2222/julia/homelab.git
         targetRevision: "{{ .branch }}"
         path: apps/*/k8s/overlays/preview
         kustomize:

infra/kubernetes/argocd/argocd-gitea-repo-sealed.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: argocd-gitea-repo
+  namespace: argocd
+spec:
+  encryptedData:
+    sshPrivateKey: AgCF7JM8/SG7P9QziuakXwRkDjfTRdOgu+Qk7OcEqrZGcXmZ4mivymYkBnD4jWR0eEg+ZN4FUmhYX04eFbYJX4HyqfvC4nPlofP3E58JlWYd8khr5mkai9XLK2v3zRs3hMAJASCNBfJdKYcgpoY0G8qFe7RddemoBlqugD+xyiEKcgc349w0W69CdBRpXTG2jcvwgeaWFABMvZdZj6SIkxonpcPZTh5TuXFRjByqvWGfIu1n3pitQ1jAcQ9zogezMrYVQ/aqWFWuEoV1hc5C7cslSNC5L+r790M630yNyFuhaESkrUGEACjb6uY0/BfqW3iW5jOYkk8OEpQ+ZU0PiEREHBrz1xL+1p1mtf+4j2yBIBPkKqiuUNeKIeDF6uF22SIfZukJfYkQlmZp7V41bt1kU3I29RgLlBEsQgr3l1yPFTwI0MFBr5IJZEnPjqPiFdItZCtwUknyqEmzXUZOtjHfOCXqKmeJob99XqLGK3pUpYL2GXJMCS57C1CIkwBUG08DpUIga0NldYT8ihTiXh+4JpcWSy+mS6Oqr+KbU0o/MwpZk6ZeAan4ctM28vh5Zv4vdkISiVNmuxP2vyEnQIBmBRxKfs6059jRZ5yJIyWlP5VPnI1aZkJAhj+nxo9pCakHdC5tlqXWJB7jvBonELK/Xqgi8aU/HYnjQL7CoaCr37ld3GHmT6J30PYtPUWaAKuBy1CQKsg3O0WU4gGLsjERql3UCjIx1fsww4xw4aHPeyrNMRURhkZXDJHUs5NWeoAd8EPAPAJ774tU44fPkQ+apDJKHkD1WOtle159GRqHqfCkEwkthFuq2fTDj/km4w4x6r3HtuXG+yvI5gVgelQxmL12zb8B4DlEBRh06nVujXCbSHfMDVu2j8xYF/yLBkrN7FE+VMbYPQiw5dbLNvmOoxn+O0m/ayyunbcWO8rYsr1FVnOFK9jv+extjirESHDb06xkZodt87X5OGSrYziM+e/IZWznJHxvmpMnRMJKxWLQ/adSPZQsFfmPf7NuOjta75glVWhnvbA2qSaaOUI5H+o23yNDA7eLZTyBeTPW/ms2nsL1mAOmJYpbzkMHX4pQRD9E/zPeNgXp+fsLWfimuyXc46CWQwFPUHF28d0SS0DG8e2gqdjUYTw/scuvI1dQbhFmIlM4hUKqEoKPTPskHlaoOs2Sm6bn1pPrQ6NLNPSpZ6S10S1Bd54CP35Y+VnZxi8vGrRG4U0M+7O7GYGiF0v2hqmxT1Xiz/g=
+    type: AgAUNa57yRMSeMyoGBVn4xTGQTWd1XC0sO870PMf3m+53crp5iO2kOGFdvBcOSox8BbUez1Zg/m+ugQ2D1OdNjaPEZhmLmKwPFwSxFDI/s/YkwJRoUWEC7sBI5AjLccViWvw2ggqy6Mskjx2wH8WGs5p4uxufEc/3agV4Eu6kSFHkwUHfqy07p3BRF033s9NX2KprHIX+yFm1M27fbNEVGc+vzYnarbeCdk4noFZmuhFj3MkPkHlrayRIFhegOPcpp7/nioG8W+CpWWQgCMkVa5BuU0XdaAOfcd03JeO4l7A3GPn2DcOEjGf5C+CWO1HSAdT4+pMxFsagtLRyxEuc0e9I7xYsf4LslMGDlzMqiL8f9RXs2+Apcvku8DjkMiso+i8WPBHS8MkHIB0r4uAASUvPrfbd9hLTVTd7gUJfxXZhm8JBWgHf3ga2YaBtfrxvonhl5ns+YaODzK1NMW891oj5FvuHke26uqT1LRMTK0dQrazX5CeBik47GZiq58r/LJgmbArqseI2wi7frcIglCF2bcWUAaoZ0eWy15UVSKlwBYvtYcHj7BrYzyt1VlQ2bnW0Hmtan1wmEQ2RVuzWl59FLgNMv3pqNcgW77sUcCP1naSTYAnmhjw0f+te4r7ZNnH+RNpfQAIctj/x61z7mzY7zuDPVammQlGW3NzMclZK9OQ2fFzlj1n44M1wfOmFgvYMA8=
+    url: AgB6CwiasFG/1p3V4dx5JdLnG/E7wOtOJQ/Y8qKciyNn1LSBoDVTiD/DpbClt4xmNuX1DvDKDmhIOcHnj8MYSwKSdMVTVypl4wXyuJkupB+lV4dbAChC6NwsY08uuSbpA3aQfUmQrlYGwknlbXKNHCcVP3wnquWckXwJH4Mgt2dCTbQ1Tuiz1aCFZgljs1HwT5sZFqXWSZNdqvw62B4wOwXOrtHIPZSE4pUUFeFl6uev+HHue8xou24kQR9h3+suZWex5ntT9zRbjtO/HxnH8zTx9rtGZ3lkNVNfn6jo55jP8SQF9RHTFewkIbBa1YPGSChEkHTTR/UTcIraHNX6iT2nKNlwMfcq/i6Pjoj9CUsXa1pBT8ol/cf7HymXARssOwPgwihLdgXkFGB9ZzK/qlr9VQis0kpqcj42TlubNMcYcRyMIsFleaJf2wrmgp5N3IU/CDpMf3ube7iK+UPPCyoqEvo2CE6pUEYLb1FAT4DfvxD8yBBofnIQSQLfW0jscKxwpXSnw+6jERtQTUj/qhsRqXV1/ZsPP8PWbMY3SQ2pBWokUxFgtE5a9uHb4LN7qfAczllt9hn1F6jReC2HPRq3OY14TiSSASCnx7FfM+Fo0QaRNfxel4P/AT2zvbOBx2uy6X0KDd66V9KHxRptBAdc4KvP05T7PpvO/c3NY76q9NhwxVmcNkg08Mu/qPmt75W6O2pUcBB1q8Qauqa1TGPxzBZykS0Xu7P/LCfEONgAkmk3F7W3gGt0n+rtA7Y6FRHcpYpW0ft8
+  template:
+    metadata:
+      name: argocd-gitea-repo
+      namespace: argocd
+      labels:
+        argocd.argoproj.io/secret-type: repository

infra/kubernetes/argocd/argocd-gitea-token-sealed.yaml

@@ -0,0 +1,15 @@
+# PLACEHOLDER: Re-seal with Gitea API token for PR generator
+# ./scripts/seal-secret.sh argocd-gitea-token argocd token=<gitea-api-token>
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: argocd-gitea-token
+  namespace: argocd
+spec:
+  encryptedData:
+    token: PLACEHOLDER_SEAL_ME
+  template:
+    metadata:
+      name: argocd-gitea-token
+      namespace: argocd

infra/kubernetes/argocd/kustomization.yaml

@@ -8,6 +8,8 @@ resources:
   - appsets/platform.yaml
   - appsets/apps.yaml
   - appsets/previews.yaml
+  - argocd-gitea-repo-sealed.yaml
+  - argocd-gitea-token-sealed.yaml
   - servicemonitor.yaml
 patches:
   - target:

infra/kubernetes/platform/gitea-pg/cluster.yaml

@@ -0,0 +1,44 @@
+# Prerequisites: CloudNativePG operator must be installed first.
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: gitea-pg
+  namespace: platform
+spec:
+  instances: 1
+  primaryUpdateStrategy: unsupervised
+
+  storage:
+    storageClass: longhorn-nvme
+    size: 5Gi
+
+  postgresql:
+    parameters:
+      max_connections: "100"
+      shared_buffers: 128MB
+      effective_cache_size: 256MB
+      work_mem: 4MB
+
+  bootstrap:
+    initdb:
+      database: gitea
+      owner: gitea
+      secret:
+        name: gitea-pg-credentials
+
+  backup:
+    barmanObjectStore:
+      destinationPath: s3://gitea-pg-backups/
+      endpointURL: http://minio.platform.svc:9000
+      s3Credentials:
+        accessKeyId:
+          name: pg-backup-s3-credentials
+          key: ACCESS_KEY_ID
+        secretAccessKey:
+          name: pg-backup-s3-credentials
+          key: SECRET_ACCESS_KEY
+    retentionPolicy: "30d"
+
+  monitoring:
+    enablePodMonitor: true

infra/kubernetes/platform/gitea-pg/gitea-pg-credentials-sealed.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: gitea-pg-credentials
+  namespace: platform
+spec:
+  encryptedData:
+    password: AgCOM3lECbwltUOFNj4QZtwaPR+jBO+1L16Si8YETh5B5cC5eArOPpHGMQ7yK7ov9X+S/iIhPiolyHrQb7Tw3kSX/NHj933YHx1bITf1i5wF1LKRDbsw4XXox6bsG+GITMhUxtlVYdfY0OdoStHSpjGDHChHDHL74BjgdMS/jBSQGyicOXH6RYYH3/N7QeiwDmTAFrkhNp0DPQXG/xJ7Qi+lp9PR7ddwFZ5B1R2bVRB3KhwtMbPs4Qlo22tJh+khGgBv2yuWXB13Eu1QWOTTL58qRbwjPMB+jNMdyvGq/bWzulkIyjn17ijGn4R1XMJNyhsLSphnrqceDHyT5RroryO6cxMkFn06ZJ9xSk9GqTm4b8Rf7Hq5vvzVpeZ2MBxBO4teOyuWPED0SL4eAp36DOmczSHM1U7Uyq4sYgHJjYwnFjviaw0kmS/nhL2ZBpsuXpSd2qh2fJlZzp+pW6i54Ckvggt7ukMqT8XaENTYHLVD1uqCBwTiOJpB8VqpKXpnOLvGj44NAkub3t5ScNFzQtVcR+25zT3YaIr8g1SRoxmlPWqLcDsqnqCowYU95Vah3VWWytEToax5J3iNWRFByjNucRWHFssNsnKEXGZOuyG0tIQ1U2a/uPx7yiz1sCaxnSkai6es3GTX7Azi7OOWio5jGYJpF9iNRsHlRH8FadhjkGiIj7EUl858AfX8EPzXaMvyEMcgpOzxsanItwmMBhsVO38t1AN2Q/xbkNJBOX8=
+    username: AgB551yjCY/y0tZFq7gj4iCBmyvHZqEu9kwwqWrLMUUqMfQ3p+3hpprEJROt+Egixz7LTX5iv/YcJLLMsAJJSws70+Cm0l3buRPeVLuL5aQ1xCLOAHLrimg432eVnQ+FuEXxZhOWXfimZFNSW5IsyLabtt4SsSoA99WD4srZmfXcQCbIS1lO9fPNtLyvOp2o1BtYAstW5NOHE+/bEDAQoyAAn3ZQ5k59xjlBrLSlC6xt/QoivEiA20YBYnwaaLDpxEI1hpsFf9Jp9NC0nJfuFnBKnIuxhcU5tWyfxGmnpWtVQ1t5TgsktuxjBE65fXIqEYQOu2J2OPbjMjVyS1maNTj6s9OZgFi1gsNG8oRxoaVgs5lyDOzkJTtbGmSua09UEY7Lux4PWxQsc2P11sPA9zCJgPF7kN+sGXrx2WrQ01qE7z7p67rvLGAgXH4js0hUXaa57Ip+2tk0qQUUySENv0ufPCG9zOe3zkMh9c844HoJoZ1y+s3QoD7veLMS5UlLrNF9U888yGQtpwaxTb9EBGwvfiXwRO4C0r6ylm/nqroQrS073NKee4+CP/B1N6sMVp6/476eAmpgEn2Gb/TP601PxIXS76HKCn9yJ8+Y9JWCQ4rhLOR6q8SbNMmCch6W9wSoKVL8PYP5n2453Ie3Npd4YlBzu5P24yhWzmqdoUwKuNIPGsemFNoU4pYHJtn0h7E1/ovS8Q==
+  template:
+    metadata:
+      name: gitea-pg-credentials
+      namespace: platform

infra/kubernetes/platform/gitea-pg/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cluster.yaml
+  - gitea-pg-credentials-sealed.yaml

infra/kubernetes/platform/gitea-runner/deployment.yaml

@@ -0,0 +1,75 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitea-runner
+  namespace: platform
+  labels:
+    app: gitea-runner
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: gitea-runner
+  template:
+    metadata:
+      labels:
+        app: gitea-runner
+    spec:
+      containers:
+        - name: runner
+          image: gitea/act_runner:latest
+          env:
+            - name: GITEA_INSTANCE_URL
+              value: http://gitea-http.platform.svc:3000
+            - name: GITEA_RUNNER_REGISTRATION_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-runner-token
+                  key: token
+            - name: GITEA_RUNNER_LABELS
+              value: "ubuntu-latest:docker://node:20-bookworm,linux/amd64:docker://node:20-bookworm,cluster:docker://node:20-bookworm"
+            - name: DOCKER_HOST
+              value: tcp://localhost:2376
+            - name: DOCKER_TLS_VERIFY
+              value: "1"
+            - name: DOCKER_CERT_PATH
+              value: /certs/client
+          volumeMounts:
+            - name: docker-certs
+              mountPath: /certs/client
+              readOnly: true
+            - name: runner-data
+              mountPath: /data
+          resources:
+            requests:
+              memory: 256Mi
+              cpu: 200m
+            limits:
+              memory: 1Gi
+
+        - name: dind
+          image: docker:dind
+          securityContext:
+            privileged: true
+          env:
+            - name: DOCKER_TLS_CERTDIR
+              value: /certs
+          volumeMounts:
+            - name: docker-certs
+              mountPath: /certs
+            - name: dind-storage
+              mountPath: /var/lib/docker
+          resources:
+            requests:
+              memory: 512Mi
+              cpu: 500m
+            limits:
+              memory: 4Gi
+
+      volumes:
+        - name: docker-certs
+          emptyDir: {}
+        - name: runner-data
+          emptyDir: {}
+        - name: dind-storage
+          emptyDir: {}

infra/kubernetes/platform/gitea-runner/gitea-runner-token-sealed.yaml

@@ -0,0 +1,15 @@
+# PLACEHOLDER: Generate token from Gitea admin panel, then re-seal with:
+# ./scripts/seal-secret.sh gitea-runner-token platform token=<registration-token>
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: gitea-runner-token
+  namespace: platform
+spec:
+  encryptedData:
+    token: PLACEHOLDER_SEAL_ME
+  template:
+    metadata:
+      name: gitea-runner-token
+      namespace: platform

infra/kubernetes/platform/gitea-runner/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - deployment.yaml
+  - gitea-runner-token-sealed.yaml

infra/kubernetes/platform/gitea/application.yaml

@@ -0,0 +1,77 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: gitea-helm
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+spec:
+  project: default
+  source:
+    repoURL: https://dl.gitea.com/charts/
+    chart: gitea
+    targetRevision: 10.6.0
+    helm:
+      valuesObject:
+        # Disable bundled dependencies — we use external DB and Valkey
+        postgresql:
+          enabled: false
+        postgresql-ha:
+          enabled: false
+        redis-cluster:
+          enabled: false
+        redis:
+          enabled: false
+
+        gitea:
+          admin:
+            existingSecret: gitea-admin-credentials
+          config:
+            database:
+              DB_TYPE: postgres
+              HOST: gitea-pg-rw.platform.svc:5432
+              NAME: gitea
+              USER: gitea
+              PASSWD:
+                _secret: gitea-pg-credentials
+                _key: password
+            cache:
+              ADAPTER: redis
+              HOST: redis://valkey.platform.svc:6379/0
+            session:
+              PROVIDER: redis
+              PROVIDER_CONFIG: redis://valkey.platform.svc:6379/1
+            server:
+              DOMAIN: gitea.coreworlds.io
+              ROOT_URL: https://gitea.coreworlds.io
+              SSH_DOMAIN: gitea.coreworlds.io
+              SSH_PORT: 2222
+              SSH_LISTEN_PORT: 2222
+            actions:
+              ENABLED: true
+              DEFAULT_ACTIONS_URL: github
+            packages:
+              ENABLED: true
+
+        persistence:
+          enabled: true
+          storageClass: longhorn-nvme
+          size: 20Gi
+
+        service:
+          http:
+            type: ClusterIP
+            port: 3000
+          ssh:
+            type: NodePort
+            port: 2222
+            nodePort: 30022
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: platform
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/kubernetes/platform/gitea/gitea-admin-credentials-sealed.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: gitea-admin-credentials
+  namespace: platform
+spec:
+  encryptedData:
+    email: AgCUJ0iYfg51FPWXoSXTzpMk3ReEZudIevqdAPHGtLiK6lMEe0bmhjcjEvB2hokfZvSunRcdUi7a1w7ADsqNe6E2rhbnuHs9pZ6cRsY6ugYPj5BPShK+5rSS2Q4mnG/XjU9/qk73TheV2aaWMWRcZSicsbOddpl+f9OVMoG7lqwfwbO+ooW++2r7avmx2lqx2Cw7fr8rBqojxh3lRMjO2emcvPZj/H+tNiguNFecicKl9c0I8fE1lJZXNOUGpj12dvr0zUuCoZW9lGMGa4gbDH9mntvx+VG2P3dO866gcOwtdN/Ra7JuddG+ipV3plp8woYqY9DDsHY2HHqXEOTPXIvihQilAfPBCMS2tC6Qu/bOISVK7D79iV2aYYiPXKKKIYaa0JuUHA8vI+RAuDdvpwzGqFHJ5WuYS7v4eN2ASOj5COufwKDeq9g83hbL6khT7HzUeEqk6cfZCeWliZCi/Nndgh0a7Y64YpvIcGWO2zuNhf0HRtnoVbvym1TTfORhWEUcR3wX7RuEE1l74MY86g6UuqsQIVtV5YnMqn45X3/HolyjEl77R4IF64MVyqa7+b3NErMrlv0WzFhyBGDQYyGc+7mRTfkapn1RSvOfP+HRntKZTHVQSg8AvE9qSockqhj3Di0AsbYqlhvCfuPqHDEbF72+6r4Nf0vwk4R5iSNS4xL0cFOa5s64QSFmsn140D2F7YKWqsXR7+oKn4H7SvXmzczL
+    password: AgB7JW83nITsjEE9/0IBogh9DoZy/5VRhmmDkhh20O1IMfxLiSCcWa4N06hTWKZNN9+w1ISbwu4MQqOQF2P2v5gJa7m9Ofb82H0mzBWyXqNHWAmZrH/FWVy18Z8ZR7vTr2c0WnD2awXKcVxxwA2NREHLSC8N1MTKaCKkqA1F4ICSmWsaOK6F9drJOej7m7QlgQ5kBMgGgAy5UmZEOLrIFn4w7qMg68o7OSBSrcjSYbLUJwvAY58Alaa+8cfsqpmaDvLEvKM+13d+B2qfduGla9lKL++alN4Jz3g3BJplQw7x2vdui2uNvMMiCEzlAZVfLdnVk0N+vnCUUWpYodTKjagC19yhNl+dPEweYnM3/bUIciwuhr6LinFy5HpOABZSlVkuGmYoSQldDTu+XmLXW5glPl9NcCSL4c8NQ6dWXy3SzBxIEKZoWzRs/uW+yNvLx8Dh4SApRObKiBmRmiPwQT1JqNzjccdjt/RUOxWYfqfAp0eJePmT+3uqjAaYC6eutFV61clFbmmTJq73FBjPL0j5gIG3Q/ujWvot7QTfGk6GUYflz3J5gkU/rTWp6M/rRTQ4DV0GEozz25dvN1mQcT9ic2NmvN7jO0xNb76wAw2SYzzwEyMZpT259dFcyZL7XQuf1nqagdUiqfQwpiMW6ANQhojuM/x8CxdgPFmcAHD/21ypYOXZTipkdLd9cD+tRsjhk6cq1rx/G7TamiRaU0B424V1djbe/xsFCfaMyiNSfg==
+    username: AgB6BwW09UpcuuaSleENE6cSq7scTB0i0TJenoV9Jj0XPWiMY+PV+S5evntouQejSd8ULcHs7A3g1Gmz3VofQiHck/V1+BJQByEbm4W3s5xn1rVnAfSHiApS7EaJwOEvUIPVmah/f7oKttHyOSEs7C0jTVbZViHoJemNo1KR+PE3+N1g4Gvse6/4LsoQ9+OTRZ1HDGKA8XybpZhrcNE/iSC9yqAxw4hblHnSsUSo9zDz7erz6MUwmz/ExBwLqIdOp5FUL6DEjdnOucXFW6Fi0v1iKOjqz1SPqnFFrRvqR6WK9aYS2iOYQVre5WosdQokV843mc6akjyJ4lvqL27h3vpJsHmfETbhVO/UBLyUMXOVnXNHBeJU0sjDz1wkM+Ffsjm8R+nG/99PUpTNzZfSWRPdpCyUWJP2n31TfeUteYubfQOZTtjMZWAZjcR9KB7grku5rNMSTyg9QTOhqsi0gxPTQ5KWeN3JRf5G+rCInRmISw8YMHqnIIUZrTuQSgxzXmN9TPXqjxhyWZcPtR3w7W51xwqPyBp4whdA8W8NTcUOSP1lgUWJroevPGz0bfOxnudq6W8myhtlALF39KNnJZMbn8v9ND6UJkOZ8X1OxiupwmwV8rrd9+8vQ2d601/u35gwJqXkMzZ8SaWTH6nh1iM37fqerrp6KKqQ21QSBPIXjLls9zm99XdDjEYqHcytCUlBnK9ZDg==
+  template:
+    metadata:
+      name: gitea-admin-credentials
+      namespace: platform

infra/kubernetes/platform/gitea/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - application.yaml
+  - gitea-admin-credentials-sealed.yaml

infra/kubernetes/platform/traefik/certificate-internal.yaml

@@ -49,3 +49,16 @@ spec:
     kind: ClusterIssuer
   dnsNames:
     - harness.coreworlds.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gitea-tls
+  namespace: platform
+spec:
+  secretName: gitea-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  dnsNames:
+    - gitea.coreworlds.io

infra/kubernetes/platform/traefik/ingressroute-gitea.yaml

@@ -0,0 +1,19 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitea
+  namespace: platform
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`gitea.coreworlds.io`)
+      kind: Rule
+      services:
+        - name: gitea-http
+          namespace: platform
+          port: 3000
+  tls:
+    secretName: gitea-tls

infra/kubernetes/platform/traefik/kustomization.yaml

@@ -8,5 +8,6 @@ resources:
   - ingressroute-grafana.yaml
   - ingressroute-longhorn.yaml
   - ingressroute-harness.yaml
+  - ingressroute-gitea.yaml
   - certificate-internal.yaml
   - servicemonitor.yaml