S b799cb7970 feat: add phases 10-11, enhance phase 8 direct-check mode, and update Caddy migration
- Phase 10: local repo cutover (rename origin→github, add Gitea remote, push branches/tags)
- Phase 11: custom runner infrastructure with toolchain-based naming
  (go-node-runner, jvm-android-runner) and repo variables via Gitea API
- Add container_options support to manage_runner.sh for KVM passthrough
- Phase 8: add --allow-direct-checks flag for LAN/split-DNS staging
- Phase 7.5: add Cloudflare TLS block, retry logic for probes, multi-upstream support
- Add toggle_dns.sh helper and update orchestration scripts for phases 10-11

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-03 14:14:11 -06:00


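# =============================================================================
# .env.example — Gitea Migration Configuration
# Copy to .env and populate all PRE-POPULATED values before running preflight
# AUTO-POPULATED values will be filled in by scripts during execution
#
# Handling of the populated .env:
#   - It carries credentials (admin + DB passwords, GitHub and Cloudflare tokens,
#     and the AUTO-POPULATED Gitea API tokens the phase scripts write back here).
#     Keep it out of version control and readable only by the operator
#     (chmod 600 .env). Running the scripts with `set -x` would echo these
#     values into terminal/log output.
#   - The phase scripts appear to read this file as shell-style assignments
#     (see the ${VAR} expansions in the AUTO-DERIVED entries below), so a value
#     containing spaces, '#', '$', quotes or other shell-special characters
#     must be double-quoted, e.g. KEY="p#ss word". Inline comments need a space
#     before the '#'.
# =============================================================================
# -----------------------------------------------------------------------------
# UNRAID SERVER
# -----------------------------------------------------------------------------
UNRAID_IP= # Static IP of Unraid server
UNRAID_SSH_USER= # SSH username for Unraid
UNRAID_SSH_PORT=22 # SSH port (default 22)
UNRAID_GITEA_DATA_PATH= # Absolute path on NVMe for Gitea data (e.g. /mnt/nvme/gitea)
UNRAID_COMPOSE_DIR=/mnt/files/docker-compose/projects # Docker Compose project directory on Unraid (all compose files go here)
UNRAID_SSH_KEY= # FULL path to SSH private key (e.g. /Users/you/.ssh/id_ed25519) — NOT just the filename. Empty = use default keys (~/.ssh/id_*)
# -----------------------------------------------------------------------------
# FEDORA SERVER
# -----------------------------------------------------------------------------
FEDORA_IP= # Static IP of Fedora server
FEDORA_SSH_USER= # SSH username for Fedora
FEDORA_SSH_PORT=22 # SSH port (default 22)
FEDORA_GITEA_DATA_PATH= # Absolute path on NVMe for Gitea data (e.g. /mnt/nvme/gitea)
FEDORA_COMPOSE_DIR=/home/eai/docker-compose/projects # Docker Compose project directory on Fedora (all compose files go here)
FEDORA_SSH_KEY= # FULL path to SSH private key (e.g. /Users/you/.ssh/id_ed25519) — NOT just the filename. Empty = use default keys (~/.ssh/id_*)
# -----------------------------------------------------------------------------
# DOCKER NETWORKING (macvlan — each container gets its own LAN IP)
# Reserve the *_MACVLAN_IP_RANGE blocks in your DHCP server so the static
# container IPs below cannot collide with leased addresses.
# -----------------------------------------------------------------------------
UNRAID_MACVLAN_PARENT= # Host network interface (e.g. br0, eth0)
UNRAID_MACVLAN_SUBNET= # LAN subnet in CIDR (e.g. 192.168.1.0/24)
UNRAID_MACVLAN_GATEWAY= # LAN gateway (e.g. 192.168.1.1)
UNRAID_MACVLAN_IP_RANGE= # IP range for containers (e.g. 192.168.1.192/28 — 16 IPs)
UNRAID_GITEA_IP= # Static LAN IP for Gitea container (must fall inside UNRAID_MACVLAN_IP_RANGE)
UNRAID_CADDY_IP= # Static LAN IP for Caddy container (must fall inside UNRAID_MACVLAN_IP_RANGE)
FEDORA_MACVLAN_PARENT= # Host network interface (e.g. eth0)
FEDORA_MACVLAN_SUBNET= # LAN subnet in CIDR (e.g. 192.168.1.0/24)
FEDORA_MACVLAN_GATEWAY= # LAN gateway (e.g. 192.168.1.1)
FEDORA_MACVLAN_IP_RANGE= # IP range for containers (e.g. 192.168.1.208/28 — 16 IPs)
FEDORA_GITEA_IP= # Static LAN IP for Gitea container (must fall inside FEDORA_MACVLAN_IP_RANGE)
# -----------------------------------------------------------------------------
# GITEA — SHARED CREDENTIALS (used on both Unraid + Fedora instances)
# -----------------------------------------------------------------------------
GITEA_ADMIN_USER= # Admin username (same on both instances)
GITEA_ADMIN_PASSWORD= # Admin password (min 8 chars, same on both instances). Full admin on both instances — use a long random value; quote it if it contains spaces or shell-special characters
GITEA_ADMIN_EMAIL= # Admin email (same on both instances)
GITEA_ORG_NAME= # Organization name to create (e.g. mifi-llc)
GITEA_INSTANCE_NAME= # Display name for the Gitea instance (e.g. MIFI Git)
GITEA_DB_TYPE=sqlite3 # Database type: sqlite3, mysql, postgres, or mssql
GITEA_VERSION=1.25 # Gitea Docker image tag (e.g. 1.25, 1.25.4, latest). Prefer an explicit patch tag over a moving tag so both instances run the same build
# Database connection (ignored for sqlite3 — only required for mysql/postgres/mssql)
# DB host is automatic — Docker internal DNS resolves the service name.
GITEA_DB_PORT= # Database port (mysql=3306, postgres=5432, mssql=1433)
GITEA_DB_NAME=gitea # Database name
GITEA_DB_USER=gitea # Database user
GITEA_DB_PASSWD= # Database password (min 8 chars); quote it if it contains spaces or shell-special characters
ACT_RUNNER_VERSION=0.3.0 # act_runner version for all runners (e.g. 0.3.0, latest). An explicit version keeps all runners on the same build
# -----------------------------------------------------------------------------
# GITEA — PRIMARY INSTANCE (Unraid)
# -----------------------------------------------------------------------------
GITEA_DOMAIN= # Public domain/subdomain pointing to Unraid (e.g. git.yourdomain.com)
# AUTO-DERIVED at runtime (do not set manually):
# GITEA_INTERNAL_URL=http://${UNRAID_GITEA_IP}:3000
# AUTO-POPULATED by phase1 scripts:
GITEA_ADMIN_TOKEN= # API token for primary instance — do not fill manually. Secret: once written here, .env grants admin API access to the instance
# -----------------------------------------------------------------------------
# GITEA — BACKUP INSTANCE (Fedora)
# -----------------------------------------------------------------------------
# AUTO-DERIVED at runtime (do not set manually):
# GITEA_BACKUP_INTERNAL_URL=http://${FEDORA_GITEA_IP}:3000
GITEA_BACKUP_MIRROR_INTERVAL=8h # How often Fedora pulls from Unraid (e.g. 8h, 24h)
BACKUP_STORAGE_PATH= # Absolute path on Fedora for backup archives (e.g. /mnt/nvme/gitea-backups). Archives contain repo data and config — restrict directory permissions accordingly
BACKUP_RETENTION_COUNT=5 # Number of backup archives to keep (older ones are pruned)
# AUTO-POPULATED by phase2 scripts:
GITEA_BACKUP_ADMIN_TOKEN= # API token for backup instance — do not fill manually. Secret, same handling as GITEA_ADMIN_TOKEN
# -----------------------------------------------------------------------------
# RUNNERS
# Runner definitions live in runners.conf (INI format, see runners.conf.example)
# Use manage_runner.sh to add/remove runners at any time
# -----------------------------------------------------------------------------
RUNNER_DEFAULT_IMAGE=catthehacker/ubuntu:act-latest # Default container image for docker runners. This is a mutable tag; for reproducible CI jobs pin to a digest (image@sha256:<digest>)
LOCAL_REGISTRY= # Local registry prefix (e.g. registry.local:5000), empty = Docker Hub
# AUTO-POPULATED by phase3 scripts — do not fill manually:
GITEA_RUNNER_REGISTRATION_TOKEN= # Retrieved from Gitea admin panel via API. Secret: anyone holding it can register a runner that receives CI jobs
# Custom runner image build contexts (phase 11)
# Absolute paths to directories containing Dockerfiles for custom runner images.
GO_NODE_RUNNER_CONTEXT= # Path to Go + Node toolchain Dockerfile (e.g. /path/to/augur/infra/runners)
JVM_ANDROID_RUNNER_CONTEXT= # Path to JDK + Android SDK toolchain Dockerfile (e.g. /path/to/periodvault/infra/runners)
# -----------------------------------------------------------------------------
# REPOSITORIES
# -----------------------------------------------------------------------------
# GitHub source repos (for migration import)
GITHUB_USERNAME= # GitHub username or org name
GITHUB_TOKEN= # GitHub PAT with repo scope (read+write, used for migration + push mirrors). Secret — where the token type allows, restrict it to the repos in REPO_NAMES; Gitea presumably keeps a copy for each push mirror it creates, so a rotation must also update those mirrors
# Repo names — must match exactly as they appear on GitHub
REPO_NAMES= # Space-separated list of repo names to migrate (e.g. "myapp backend infra"). Keep the double quotes so the spaces survive parsing
# Migration options (true/false)
MIGRATE_ISSUES=false # Migrate GitHub issues to Gitea
MIGRATE_LABELS=true # Migrate GitHub labels
MIGRATE_MILESTONES=false # Migrate GitHub milestones
MIGRATE_WIKI=false # Migrate GitHub wiki
MIGRATION_POLL_INTERVAL_SEC=3 # Poll interval while waiting for async migration completion
MIGRATION_POLL_TIMEOUT_SEC=600 # Max wait per repo migration before timeout (increase for large repos)
GITHUB_MIRROR_INTERVAL=8h # How often Gitea pushes to GitHub (offsite backup)
# -----------------------------------------------------------------------------
# TLS / REVERSE PROXY (Caddy — dedicated container per host)
# -----------------------------------------------------------------------------
TLS_MODE=cloudflare # TLS mode: "cloudflare" (DNS-01 via CF API) or "existing" (manual certs)
CADDY_DOMAIN= # Wildcard cert base domain (e.g. privacyindesign.com → cert for *.privacyindesign.com)
CADDY_DATA_PATH= # Absolute path on host for Caddy data (e.g. /mnt/nvme/caddy). Holds the issued private keys — restrict directory permissions
CLOUDFLARE_API_TOKEN= # Cloudflare API token with Zone:DNS:Edit (only if TLS_MODE=cloudflare). Secret — scope it to the CADDY_DOMAIN zone only, not all zones
PUBLIC_DNS_TARGET_IP= # Phase 8 Cloudflare A-record target for GITEA_DOMAIN (public ingress IP recommended)
PHASE8_ALLOW_PRIVATE_DNS_TARGET=false # true only for LAN-only/split-DNS setups using private RFC1918 target IPs. With a public zone this would publish an internal address to the world
SSL_CERT_PATH= # Absolute path to SSL cert (only if TLS_MODE=existing)
SSL_KEY_PATH= # Absolute path to SSL private key (only if TLS_MODE=existing). Keep the file readable only by the user/container running Caddy
# -----------------------------------------------------------------------------
# BRANCH PROTECTION
# -----------------------------------------------------------------------------
PROTECTED_BRANCH=main # Branch to protect across all repos
REQUIRE_PR_REVIEW=false # Require PR review before merge (true/false)
REQUIRED_APPROVALS=1 # Number of approvals required if above is true (ignored while REQUIRE_PR_REVIEW=false)
# -----------------------------------------------------------------------------
# SECURITY (Phase 9 — post-migration)
# "latest" is a moving tag, not a pin: set explicit versions so scan results are
# reproducible and a tool upgrade cannot silently change what passes CI.
# -----------------------------------------------------------------------------
SEMGREP_VERSION=latest # Semgrep OSS version to pin (set an explicit version for reproducible scans)
TRIVY_VERSION=latest # Trivy version to pin (set an explicit version for reproducible scans)
GITLEAKS_VERSION=latest # Gitleaks version to pin (set an explicit version for reproducible scans)
SECURITY_FAIL_ON_ERROR=true # Block PR merge if security scan fails (true/false)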