# Base Gitea Helm values (chart: gitea/gitea, v12.5.0).
# DOMAIN_SUFFIX is replaced by overlay patches.
# Reference: https://gitea.com/gitea/helm-gitea/src/branch/main/values.yaml
#
# NOTE(review): DOMAIN_SUFFIX is a literal placeholder in this base file. If an
# overlay fails to patch it, DOMAIN / ROOT_URL / SSH_DOMAIN below are rendered
# with the placeholder text; worth a render-time check in CI.

# Disable bundled DB and cache — we use shared CloudNativePG + Valkey
postgresql:
  enabled: false

postgresql-ha:
  enabled: false

valkey-cluster:
  enabled: false

valkey:
  enabled: false

gitea:
  admin:
    username: gitea_admin
    # Admin password is read from a pre-existing Secret, so it is not stored
    # in these values.
    # NOTE(review): passwordMode is not set here, so the chart default
    # applies — confirm it matches the intended rotation behaviour.
    existingSecret: gitea-admin-credentials
    email: gitea@local.domain

  config:
    ui:
      DEFAULT_THEME: sunbeam
      THEMES: sunbeam

    server:
      DOMAIN: src.DOMAIN_SUFFIX
      ROOT_URL: https://src.DOMAIN_SUFFIX/
      SSH_DOMAIN: src.DOMAIN_SUFFIX
      # Gitea advertises port 22 (users clone with git@src.DOMAIN_SUFFIX:org/repo.git).
      # The pod listens on 2222; Pingora forwards external port 22 → pod port 2222.
      SSH_PORT: "22"
      SSH_LISTEN_PORT: "2222"
      SSH_EXPOSE_ANONYMOUS: "false"
      LFS_START_SERVER: "true"
      LANDING_PAGE: /studio

    database:
      DB_TYPE: postgres
      HOST: postgres-rw.data.svc.cluster.local:5432
      NAME: gitea_db
      USER: gitea
      # NOTE(review): with SSL_MODE disable the connection to PostgreSQL,
      # including authentication and all query traffic, crosses the pod
      # network unencrypted. If the shared cluster serves TLS, `require` or
      # `verify-full` would be the stricter setting — confirm what the
      # CloudNativePG cluster offers, or that transport encryption is
      # provided elsewhere (e.g. a mesh), which this file does not show.
      SSL_MODE: disable
      # PASSWD injected via additionalConfigFromEnvs below

    # NOTE(review): the three Valkey URLs below (cache, session, queue) use
    # the plaintext redis:// scheme and carry no credentials. Session state
    # lives in DB 1, so any workload able to reach valkey.data:6379 could
    # read or alter it unless access is restricted elsewhere (NetworkPolicy,
    # Valkey auth — neither is visible in this file). If a password is
    # added, inject the full URL from a Secret via additionalConfigFromEnvs
    # rather than writing it into these values.
    cache:
      ADAPTER: redis
      # Valkey is Redis protocol-compatible; Gitea's redis adapter works against Valkey
      HOST: redis://valkey.data.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s

    session:
      PROVIDER: redis
      PROVIDER_CONFIG: redis://valkey.data.svc.cluster.local:6379/1?pool_size=100&idle_timeout=180s

    queue:
      TYPE: redis
      CONN_STR: redis://valkey.data.svc.cluster.local:6379/2?pool_size=100&idle_timeout=180s

    oauth2_client:
      # Auto-redirect to Hydra OIDC on login — makes OIDC the primary auth method.
      OAUTH2_AUTO_REDIRECT_TO_PROVIDER: Sunbeam
      # Register new OIDC users automatically.
      # NOTE(review): with auto-registration on, every identity the OIDC
      # provider authenticates receives a Gitea account, so who may sign in
      # is decided at the provider. Confirm that sign-up there is restricted
      # to the intended population.
      ENABLE_AUTO_REGISTRATION: "true"

    storage:
      STORAGE_TYPE: minio
      MINIO_ENDPOINT: seaweedfs-filer.storage.svc.cluster.local:8333
      MINIO_BUCKET: sunbeam-git-lfs
      # NOTE(review): with MINIO_USE_SSL false, object data is sent to the
      # S3 endpoint over plaintext HTTP inside the cluster. Confirm this is
      # acceptable for the stored content or that transport encryption is
      # provided elsewhere.
      MINIO_USE_SSL: "false"
      # MINIO_ACCESS_KEY_ID / MINIO_SECRET_ACCESS_KEY from gitea-s3-credentials Secret

  # Secret-backed settings: each entry maps a Secret key to a GITEA__section__KEY
  # environment variable, keeping the database password and S3 keys out of
  # these values.
  additionalConfigFromEnvs:
    - name: GITEA__DATABASE__PASSWD
      valueFrom:
        secretKeyRef:
          name: gitea-db-credentials
          key: password
    - name: GITEA__STORAGE__MINIO_ACCESS_KEY_ID
      valueFrom:
        secretKeyRef:
          name: gitea-s3-credentials
          key: access-key
    - name: GITEA__STORAGE__MINIO_SECRET_ACCESS_KEY
      valueFrom:
        secretKeyRef:
          name: gitea-s3-credentials
          key: secret-key

# Creates the directories that the theme and logo files are mounted into
# (see extraContainerVolumeMounts).
initPreScript: |
  mkdir -p /data/gitea/public/assets/css
  mkdir -p /data/gitea/public/assets/img

extraVolumes:
  - name: custom-theme
    configMap:
      name: gitea-custom-theme
  - name: mkcert-ca
    configMap:
      name: gitea-mkcert-ca
      optional: true  # only exists in local env; production omits it safely

# All three mounts are read-only single-file subPath mounts. subPath mounts
# do not pick up later ConfigMap changes, so a pod restart is needed after
# updating the theme, logo or CA.
extraContainerVolumeMounts:
  - name: custom-theme
    mountPath: /data/gitea/public/assets/css/theme-sunbeam.css
    subPath: theme-sunbeam.css
    readOnly: true
  - name: custom-theme
    mountPath: /data/gitea/public/assets/img/logo.svg
    subPath: logo.svg
    readOnly: true
  # NOTE(review): this only places the CA file at /run/ca/ca.crt; nothing in
  # this file makes Gitea trust it. Presumably another overlay wires it in —
  # confirm, and confirm the local mkcert CA never reaches production.
  - name: mkcert-ca
    mountPath: /run/ca/ca.crt
    subPath: ca.crt
    readOnly: true

# Memory is capped; no CPU limit is set, only a CPU request.
resources:
  limits:
    memory: 256Mi
  requests:
    memory: 128Mi
    cpu: 100m

service:
  ssh:
    # Pod listens on 2222 (SSH_LISTEN_PORT); Pingora proxies external port 22 → here.
    port: 2222

persistence:
  enabled: true
  size: 5Gi