https://uclab.dev/tags/forgejo/ Recent content in Forgejo on DevOps von UCLAB Hugo en Wed, 04 Mar 2026 19:06:41 +0000 https://uclab.dev/posts/hugo-blog-gitops-hardening/ Wed, 04 Mar 2026 19:06:41 +0000 https://uclab.dev/posts/hugo-blog-gitops-hardening/ <h2 id="securing-the-cicd-chain">Securing the CI/CD Chain</h2> <p>In the <a href="https://uclab.dev/posts/hugo-blog-gitops/">previous post</a> we built a full GitOps pipeline: push to Forgejo, build a Hugo image, ship it to k3s via Flux. It worked. But it was naive in a few ways — running nginx as root, no image scanning, no signing, and deploying by mutable tag.</p> <figure><img src="https://uclab.dev/posts/hugo-blog-gitops-hardening/images/gemini3.png" alt="Hardening"> </figure> <p>This post covers the fixes. Three independent improvements, each worth doing on its own:</p> <ol> <li><strong>Unprivileged nginx</strong> — drop root from the container entirely</li> <li><strong>Trivy</strong> — scan the image for HIGH/CRITICAL CVEs before it ever touches the registry</li> <li><strong>Cosign</strong> — sign the image so the cluster can verify it came from CI</li> </ol> <p>The full updated files are at the bottom. Here is the reasoning behind each change.</p> https://uclab.dev/posts/forgejo/ Sun, 01 Mar 2026 19:30:11 +0000 https://uclab.dev/posts/forgejo/ <p>Forgejo is a lightweight, self-hosted Git service — a community fork of Gitea. In this post I&rsquo;ll walk through how I deployed it on my home k3s cluster backed by a CloudNativePG (CNPG) PostgreSQL database, MinIO S3-compatible object storage for backups, and exposed it via Cilium&rsquo;s Gateway API with automatic TLS through cert-manager.</p> <figure><img src="https://uclab.dev/posts/forgejo/images/gemini6.png" alt="forgejo"> </figure> <h2 id="architecture-overview">Architecture Overview</h2> <p>The setup involves three main layers:</p> <ul> <li><strong>App layer</strong> — the Forgejo deployment, services, and ingress (Gateway + HTTPRoute)</li> <li><strong>Database layer</strong> — a CloudNativePG PostgreSQL cluster with WAL archiving to MinIO</li> <li><strong>Secrets layer</strong> — External Secrets Operator pulling credentials from Vault</li> </ul> <p>Here&rsquo;s the directory structure I&rsquo;m using in my GitOps repo:</p> https://uclab.dev/posts/hugo-blog-gitops/ Sun, 01 Mar 2026 07:39:04 +0000 https://uclab.dev/posts/hugo-blog-gitops/ <h2 id="forgejo--k3s-with-flux">Forgejo → k3s with Flux</h2> <hr> <h2 id="overview">Overview</h2> <p><strong>Stack:</strong> Hugo + Risotto theme (git submodule) → Forgejo Actions → Forgejo Container Registry → k3s → Flux</p> <p><strong>Flow:</strong></p> <pre tabindex="0"><code>git push → Forgejo Actions builds Hugo image → pushes to Forgejo registry → updates image tag in k8s manifest → commits back to repo → Flux detects commit → applies Deployment → k3s rolls out new image </code></pre><p>No Bitnami charts. No Flux image automation controllers. No runtime git cloning. Just a plain nginx Deployment running your pre-built static site.</p>