Merge 9be2905d09 into ba0f6170af

config.yaml

@@ -4,10 +4,7 @@ copyright: Dave Gallant
 title: davegallant.ca
 enableGitInfo: true
 enableRobotsTXT: true
-
+noJSConfigInAssets: true
-build:
-  noJSConfigInAssets: true
-  writeStats: true
 
 params:
   author: Dave Gallant

content/blog/setting-up-gitea-actions-with-tailscale/index.md

@@ -29,18 +29,17 @@ Actions (gitea's implementation) has me excited because it makes spinning up a n
 
 ## Integration with Tailscale
 
-> **2024-02-10**: I had originally written this post to include [Tailscale-Traefik Proxy Integration](https://traefik.io/blog/exploring-the-tailscale-traefik-proxy-integration/), but I have since decided to remove it in favour of Tailscale Serve and Funnel after learning from this [example](https://github.com/tailscale-dev/docker-guide-code-examples). This simplifies the setup and reduces the number of moving parts.
+So how does Tailscale help here? Well, more recently I've been exposing my self-hosted services through a combination of traefik and the tailscale (through the tailscale-traefik proxy integration described [here](https://traefik.io/blog/exploring-the-tailscale-traefik-proxy-integration/)). This allows for a nice looking dns name (i.e. gitea.my-tailnet-name.ts.net) and automatic tls certificate management. I can also share this tailscale node securely with other tailscale users without configuring any firewall rules on my router.
-
-So how does Tailscale help here? Well, more recently I've been exposing my self-hosted services using Tailscale [Serve](https://tailscale.com/kb/1312/serve) and [Funnel](https://tailscale.com/kb/1223/funnel). This allows for a nice looking dns name (i.e. gitea.my-tailnet-name.ts.net), automatic tls certificate management, and optionally allowing the address to be publically accessible (using Funnel).
 
 ## Deploying Gitea, Traefik, and Tailscale
 
 In my case, the following is already set up:
 
 - [docker-compose is installed](https://docs.docker.com/compose/install/linux/)
+- [tailscale is installed on the gitea host](https://tailscale.com/kb/1017/install/)
 - [tailscale magic dns is enabled](https://tailscale.com/kb/1081/magicdns/)
 
-My preferred approach to deploying code in a homelab environment is with docker compose. I have deployed this in a lxc container on Proxmox. You could run this on a virtual machine or a physical host as well.
+My preferred approach to deploying code in a homelab environment is with docker compose. I have deployed this in a [proxmox lxc container](https://pve.proxmox.com/wiki/Linux_Container) based on debian with a hostname `gitea`. This could be deployed in any environment and with any hostname (as long you updated the tailscale machine name to your preferred subdomain for magic dns).
 
 The `docker-compose.yaml` file looks like:
 
@@ -50,7 +49,6 @@ services:
   gitea:
     image: gitea/gitea:1.21.1
     container_name: gitea
-    network_mode: service:ts-gitea
     environment:
       - USER_UID=1000
       - USER_GID=1000
@@ -64,38 +62,54 @@ services:
       - ./data:/data
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
-  ts-gitea:
+  traefik:
-    image: tailscale/tailscale:v1.58
+    image: traefik:v3.0.0-beta4
-    container_name: ts-gitea
+    container_name: traefik
-    hostname: gitea
+    security_opt:
-    environment:
+      - no-new-privileges:true
-      - TS_AUTHKEY=<FILL THIS IN>
-      - TS_SERVE_CONFIG=/config/gitea.json
-      - TS_STATE_DIR=/var/lib/tailscale
-    volumes:
-      - ${PWD}/state:/var/lib/tailscale
-      - ${PWD}/config:/config
-      - /dev/net/tun:/dev/net/tun
-    cap_add:
-      - net_admin
-      - sys_module
     restart: unless-stopped
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - ./traefik/data/traefik.yaml:/traefik.yaml:ro
+      - ./traefik/data/dynamic.yaml:/dynamic.yaml:ro
+      - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock
 ```
 
-Note that you must specify a `TS_AUTHKEY` in the `ts-gitea` service. You can generate an auth key [here](https://login.tailscale.com/admin/settings/keys).
+`traefik/data/traefik.yaml`:
-
-`config/gitea.json`:
 
 ```yaml
-{
+entryPoints:
-  "TCP": { "443": { "HTTPS": true } },
+  https:
-  "Web":
+    address: ":443"
-    {
+providers:
-      "${TS_CERT_DOMAIN}:443":
+  file:
-        { "Handlers": { "/": { "Proxy": "http://127.0.0.1:3000" } } },
+    filename: dynamic.yaml
-    },
+certificatesResolvers:
-  "AllowFunnel": { "${TS_CERT_DOMAIN}:443": true },
+  myresolver:
-}
+    tailscale: {}
+log:
+  level: INFO
+```
+
+and finally `traefik/data/dynamic/dynamic.yaml`:
+
+```yaml
+http:
+  routers:
+    gitea:
+      rule: Host(`gitea.my-tailnet-name.ts.net`)
+      entrypoints:
+        - "https"
+      service: gitea
+      tls:
+        certResolver: myresolver
+  services:
+    gitea:
+      loadBalancer:
+        servers:
+          - url: "http://gitea:3000"
 ```
 
 Something to consider is whether or not you want to use ssh with git. One method to get this to work with containers is to use [ssh container passthrough](https://docs.gitea.com/installation/install-with-docker#ssh-container-passthrough). I decided to keep it simple and not use ssh, since communicating over https is perfectly fine for my use case.

themes/hugo-theme-gruvbox/postcss.config.js

@@ -25,14 +25,6 @@ module.exports = () => ({
       ? [
           require("postcss-preset-env"),
           require("cssnano"),
-          require("@fullhuman/postcss-purgecss")({
-            content: ["./hugo_stats.json"],
-            defaultExtractor: (content) => {
-              let els = JSON.parse(content).htmlElements;
-              return els.tags.concat(els.classes, els.ids);
-            },
-            safelist: ["data-theme"],
-          }),
         ]
       : []),
   ],