AUTOMATION REPO feat TERRARIUM-GIT

list off the runners
backup strategy

Self-hosted Git server with CI/CD, MinIO LFS, OIDC, and multi-arch builds

Current Versions

Component	Version	Image
Gitea	1.23	`gitea/gitea:1.23`
PostgreSQL	17	`postgres:17-alpine`
MinIO	2024-12-18	`minio/minio:RELEASE.2024-12-18T13-15-44Z`
Nginx	alpine	`nginx:alpine`
Act Runners	latest	`gitea/act_runner:latest`
Buildx	stable-1	`moby/buildkit:buildx-stable-1`
Watchtower	latest	`containrrr/watchtower:latest`

Quick Install (macOS)

Run this one-liner to install the latest version:

curl -fsSL https://raw.githubusercontent.com/yalefox/branches-cli/main/tools/branches/install-branches.sh | bash
cd terrarium-git_official
chmod +x 00-install-terrarium-git.sh
./00-install-terrarium-git.sh

Production (Linux)

git clone https://git.terrarium.network/yalefox/terrarium-git_official.git
cd terrarium-git_official
chmod +x 01-install-production.sh
sudo ./01-install-production.sh

Environment Files

File	Purpose
`.env.staging`	Local/dev deployments (macOS, Docker Desktop)
`.env.production`	Production Linux servers
`.env`	Active config (created from template)
`.password`	Admin password (auto-generated, idempotent)
`.minio-credentials`	MinIO credentials (auto-generated, idempotent)

Architecture

Note: Checkpoint (Traefik/Mantrae) runs on a SEPARATE server. It only manages routing rules - it does NOT run your containers. All terrarium-git containers (Gitea, MinIO, PostgreSQL, runners, etc.) run on YOUR server.

┌─────────────────────────────────────────────────────────────┐
│                    External Traffic                          │
│         https://terrarium-git.terrarium.network              │
│         https://terrarium-git-minio1.terrarium.network       │
└──────────────────────────┬──────────────────────────────────┘
                           │
                           ▼
┌──────────────────────────────────────────────────────────────┐
│  Checkpoint Server (SEPARATE from terrarium-git)             │
│  ├── Traefik: TLS termination, reverse proxy                │
│  └── Mantrae: Web UI at https://checkpoint.terrarium.network │
│                                                              │
│  Mantrae tells Traefik: "Route terrarium-git.terrarium.network│
│  to <your-server-ip>:3000"                                   │
└──────────────────────────┬──────────────────────────────────┘
                           │
           ┌───────────────┼───────────────┐
           │               │               │
           ▼               ▼               ▼
      :3000           :9001           :2222
┌──────────────────────────────────────────────────────────────┐
│  YOUR SERVER (terrarium-git VM/container)                    │
│                                                              │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐       │
│  │    Nginx     │  │    MinIO     │  │  Gitea SSH   │       │
│  │   (Proxy)    │  │  (Console)   │  │  (Git Clone) │       │
│  └──────┬───────┘  └──────────────┘  └──────────────┘       │
│         │                                                    │
│         ▼                                                    │
│  ┌──────────────────────────────────────────────────────┐   │
│  │  Gitea (Port 3000)                                   │   │
│  │  - Git repositories                                  │   │
│  │  - LFS → MinIO (S3)                                  │   │
│  │  - Actions/CI-CD                                     │   │
│  │  - OIDC (Pocket ID)                                  │   │
│  └────────┬─────────────────────────────┬───────────────┘   │
│           │                             │                    │
│           ▼                             ▼                    │
│  ┌──────────────────┐        ┌────────────────────────┐     │
│  │  PostgreSQL 17   │        │  Act Runners (x2+)     │     │
│  │  - Metadata      │        │  - Docker-in-Docker    │     │
│  │  - Users, Issues │        │  - SSH keys            │     │
│  └──────────────────┘        │  - Buildx multi-arch   │     │
│                              └────────────────────────┘     │
└──────────────────────────────────────────────────────────────┘

Data Storage & Backups

Storage Locations

Data	Location	Purpose
Git repos	`/opt/terrarium-git/data/gitea`	Repository files
LFS objects	`/opt/terrarium-git/data/minio`	Large binary files
Database	`/opt/terrarium-git/data/postgres`	Metadata, users
SSH keys	`./ssh/`	Runner authentication

Backup Commands

# Quick backup (local)
./scripts/backup.sh

# rsync to remote server
rsync -av /opt/terrarium-git/data/ backup-server:/backups/terrarium-git/

# PostgreSQL dump only (small, fast)
docker exec terrarium-git-postgres pg_dump -U gitea gitea > backup.sql

Recommended: Restic/Borg (TODO)

For production, configure Restic or Borg to external S3:

# Initialize
restic -r s3:s3.amazonaws.com/your-bucket/terrarium-git init

# Backup
restic -r s3:s3.amazonaws.com/your-bucket/terrarium-git backup \
  /opt/terrarium-git/data

Traefik Routes (Mantrae/Checkpoint)

Mantrae manages Traefik routes at: https://checkpoint.terrarium.network

Profile Token: b5pk6roume

Add Gitea Route

Login to Mantrae
Routers → Add Router:

Field	Value
Name	`terrarium-git`
Rule	`Host(\`terrarium-git.terrarium.network`)`
Service	`terrarium-git-svc` → `http://<server-ip>:3000`
Entrypoints	`websecure`
TLS	✅ Enabled

Add MinIO Console Route

Field	Value
Name	`terrarium-git-minio1`
Rule	`Host(\`terrarium-git-minio1.terrarium.network`)`
Service	`terrarium-git-minio-svc` → `http://<server-ip>:9001`
Entrypoints	`websecure`
TLS	✅ Enabled

DNS Records

Type	Name	Value
A	`terrarium-git.terrarium.network`	`<checkpoint-ip>`
A	`terrarium-git-minio1.terrarium.network`	`<checkpoint-ip>`

OIDC Configuration

Gitea OIDC (Pocket ID)

Setting	Value
Client ID	`3b5ec0af-31c0-4950-99e4-1627b7b7dd41`
Discovery URL	`https://auth.terrarium.network/.well-known/openid-configuration`

MinIO OIDC (svc-terrarium-git-lfs)

Setting	Value
Client ID	`c2bb536c-cd99-4e6a-b165-6c2298028c1c`
Client Launch URL	`https://terrarium-git-minio1.terrarium.network`
Callback URL	`https://terrarium-git-minio1.terrarium.network/oauth_callback`
Logout URL	`https://terrarium-git-minio1.terrarium.network`

SSH Keys for Runners

Runners have SSH keys for cloning private repositories.

Add Public Key to Gitea

Login as admin user
Settings → SSH/GPG Keys → Add Key
Paste contents of ./ssh/id_ed25519.pub

Generated Keys Location

./ssh/
├── id_ed25519        # Private key (mounted to runners)
├── id_ed25519.pub    # Public key (add to Gitea)
└── config            # SSH config (disables host checking)

Scripts

Script	Purpose
`00-install-terrarium-git.sh`	Staging installer (macOS/Linux)
`01-install-production.sh`	Production installer (Linux)
`scripts/setup-runners.sh <TOKEN>`	Configure CI/CD runners
`scripts/backup.sh`	Backup database + data
`scripts/update.sh`	Pull latest images, restart

Hardware Requirements

Environment	Cores	RAM	Runners
Minimum	2	4GB	1
Staging	4	8GB	2
Production	4+	16GB	5
Heavy CI/CD	8+	32GB	8

Management Commands

# Status
docker compose ps

# Logs
docker compose logs -f gitea
docker compose logs -f minio

# Restart
docker compose restart

# Update (staging)
./scripts/update.sh

# Stop
docker compose down

# Destroy (CAREFUL!)
./01-install-production.sh --destroy

Troubleshooting

Docker not running (macOS)

open -a Docker

MinIO bucket not created

docker exec terrarium-git-minio mc mb local/terrarium-git-lfs-01

LFS not working

Check Gitea → MinIO connection:

docker logs terrarium-git-server | grep -i lfs
docker logs terrarium-git-minio

Runners not connecting

Verify token in .env
Restart: docker compose restart runner1 runner2
Check logs: docker logs terrarium-git-runner-1

Version History

v0.3.0 - MinIO LFS, staging/production configs, SSH keys
- Added MinIO for S3-compatible LFS storage
- Separate staging and production environment files
- SSH key generation for runners
- Hardware/OS requirement checks
- Full Mantrae/Traefik documentation
v0.2.0 - Documentation and Mantrae integration
- README with architecture diagram
- Traefik route configuration guide
v0.1.0 - Initial consolidated release
- Docker Compose stack
- PostgreSQL 17, Gitea 1.23
- OIDC, AWS SES, Watchtower

License

MIT - Terrarium Network

Name		Name	Last commit message	Last commit date
Latest commit History 34 Commits
ansible		ansible
archives		archives
nginx		nginx
scripts		scripts
ssh		ssh
tools/branches		tools/branches
wazuh		wazuh
.env.example		.env.example
.env.production		.env.production
.env.staging		.env.staging
.gitignore		.gitignore
00-install-terrarium-git.sh		00-install-terrarium-git.sh
01-install-production.sh		01-install-production.sh
README.md		README.md
config.yaml.template		config.yaml.template
docker-compose.yml		docker-compose.yml

Folders and files

Latest commit

History

Repository files navigation

AUTOMATION REPO feat TERRARIUM-GIT

Current Versions

Quick Install (macOS)

Production (Linux)

Environment Files

Architecture

Data Storage & Backups

Storage Locations

Backup Commands

Recommended: Restic/Borg (TODO)

Traefik Routes (Mantrae/Checkpoint)

Add Gitea Route

Add MinIO Console Route

DNS Records

OIDC Configuration

Gitea OIDC (Pocket ID)

MinIO OIDC (svc-terrarium-git-lfs)

SSH Keys for Runners

Add Public Key to Gitea

Generated Keys Location

Scripts

Hardware Requirements

Management Commands

Troubleshooting

Docker not running (macOS)

MinIO bucket not created

LFS not working

Runners not connecting

Version History

License

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases 1

Packages 0

Uh oh!

Contributors

Uh oh!

Languages

Packages