From 8fcd8e85dc2825fdda8bc5ffe72bc1a7b4a9bd0f Mon Sep 17 00:00:00 2001
From: gitea_admin
Date: Mon, 4 May 2026 16:27:38 +0000
Subject: [PATCH] Add: Gitignore and .env.example

---
 .env | 9 ++-
 .env.example | 15 +++++
 .gitignore | 2 +
 docker-compose.yml | 116 ++++++++++++++++++++++++++++++++++++++-
 gitea-runner/config.yaml | 8 +++
 5 files changed, 146 insertions(+), 4 deletions(-)
 create mode 100644 .env.example
 create mode 100644 .gitignore
 create mode 100644 gitea-runner/config.yaml

diff --git a/.env b/.env
index 7d1899b..a415e51 100644
--- a/.env
+++ b/.env
@@ -1,4 +1,11 @@
 POSTGRES_PASSWORD=postegres_project.m169
 GITEA_DB_PASSWORD=gitea_project.m169
+GITEA_RUNNER_REGISTRATION_TOKEN=7bs8jdNZ5Bj5g0T1zl54Cwjsx18a9sP41NX3TFOW
 KEYCLOAK_DB_PASSWORD=keycloak_project.m169
-SONAR_TOKEN=sqp_7f2cc6a53802da339b7fe6c9a24a74549b2b02bc
+SONAR_DB_PASSWORD=sonar
+OAUTH2_PROXY_CLIENT_ID=traefik
+OAUTH2_PROXY_CLIENT_SECRET=m3ZHftbacZ11NY8zEspcOGBgyb8GTp7L
+OAUTH2_PROXY_COOKIE_SECRET=oBmYaxLkk6X9KZUK5NJhZXCwpB2eiL7RFNgJchMSi7Y=
+CODE_SERVER_OAUTH2_CLIENT_ID=code-server
+CODE_SERVER_OAUTH2_CLIENT_SECRET=7OedgP03xM9iOnjDbnU0Wqa5qVk4yQrv
+CODE_SERVER_OAUTH2_COOKIE_SECRET=37e1e3cbb48d22922caa388aafb91a7d
diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..045afa1
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,15 @@
+# GITEA
+GITEA_DB_PASSWORD=changer_ce_mot_de_passe
+GITEA_RUNNER_REGISTRATION_TOKEN=token_runner_gitea
+
+# OAUTH2
+OAUTH2_PROXY_CLIENT_ID=traefik
+OAUTH2_PROXY_CLIENT_SECRET=secret_client_traefik_keycloak
+OAUTH2_PROXY_COOKIE_SECRET=valeur_base64_32_bytes
+
+CODE_SERVER_OAUTH2_CLIENT_ID=code-server
+CODE_SERVER_OAUTH2_CLIENT_SECRET=secret_client_code_server_keycloak
+CODE_SERVER_OAUTH2_COOKIE_SECRET=valeur_base64_32_bytes
+
+# KEYCLOAK
+KEYCLOAK_DB_PASSWORD=changer_ce_mot_de_passe
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..2c2b13c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.env
+workspace/
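Review bot: The values added to `.env` in this hunk — the runner registration token, both OAuth client secrets, both cookie secrets and the database passwords — are committed in clear, and the `.gitignore` entry added in the same commit does not stop that, because `.env` is already tracked (this hunk carries `index 7d1899b..a415e51` rather than `new file mode`), so git keeps versioning it. Untrack it with `git rm --cached .env` and treat everything in the file, plus the removed `SONAR_TOKEN` that survives in history, as disclosed: regenerate the Gitea runner token, the two Keycloak client secrets, the cookie secrets and the DB passwords. `SONAR_DB_PASSWORD=sonar` also merely moves the image's default password into a variable; give it a random value like the other passwords.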
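Review bot: `.env.example` omits `POSTGRES_PASSWORD` and `SONAR_DB_PASSWORD`, both present in the real `.env` of this commit, and the latter is now substituted as `${SONAR_DB_PASSWORD}` in docker-compose.yml, so a checkout that copies the example starts sonarqube-db with an empty password variable. Add `SONAR_DB_PASSWORD=changer_ce_mot_de_passe` under a `# SONARQUBE` heading and a matching `POSTGRES_PASSWORD` line. The cookie-secret placeholders would be more useful with a generation hint above them, e.g. `# generate with: openssl rand -base64 32`, since oauth2-proxy only accepts a secret that decodes to 16, 24 or 32 bytes and `valeur_base64_32_bytes` is unlikely to.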
diff --git a/docker-compose.yml b/docker-compose.yml
index 3d366d3..3bb3150 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -21,6 +21,49 @@ services:
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock:ro
 - traefik_letsencrypt:/letsencrypt
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.traefik.rule=Host(`traefik.mota-thomas.com`)"
+ - "traefik.http.routers.traefik.entrypoints=websecure"
+ - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
+ - "traefik.http.routers.traefik.service=api@internal"
+ - "traefik.http.routers.traefik.middlewares=traefik-errors-403,traefik-errors-401,traefik-auth"
+ - "traefik.http.routers.traefik.priority=1"
+ - "traefik.http.middlewares.traefik-auth.forwardauth.address=http://oauth2-proxy:4180/oauth2/auth"
+ - "traefik.http.middlewares.traefik-auth.forwardauth.trustForwardHeader=true"
+ - "traefik.http.middlewares.traefik-auth.forwardauth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email"
+ - "traefik.http.middlewares.traefik-errors-401.errors.status=401"
+ - "traefik.http.middlewares.traefik-errors-401.errors.service=oauth2-proxy@docker"
+ - "traefik.http.middlewares.traefik-errors-401.errors.query=/oauth2/sign_in?rd=https://traefik.mota-thomas.com/dashboard/"
+ - "traefik.http.middlewares.traefik-errors-403.errors.status=403"
+ - "traefik.http.middlewares.traefik-errors-403.errors.service=oauth2-proxy@docker"
+ - "traefik.http.middlewares.traefik-errors-403.errors.query=/oauth2/sign_out?rd=/oauth2/sign_in"
+
+ oauth2-proxy:
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+ restart: unless-stopped
+ environment:
+ OAUTH2_PROXY_PROVIDER: oidc
+ OAUTH2_PROXY_OIDC_ISSUER_URL: https://keycloak.mota-thomas.com/auth/realms/dev-platform
+ OAUTH2_PROXY_CLIENT_ID: ${OAUTH2_PROXY_CLIENT_ID}
+ OAUTH2_PROXY_CLIENT_SECRET: ${OAUTH2_PROXY_CLIENT_SECRET}
+ OAUTH2_PROXY_COOKIE_SECRET: ${OAUTH2_PROXY_COOKIE_SECRET}
+ OAUTH2_PROXY_EMAIL_DOMAINS: "*"
+ OAUTH2_PROXY_REDIRECT_URL: https://traefik.mota-thomas.com/oauth2/callback
+ OAUTH2_PROXY_UPSTREAMS: static://200
+ OAUTH2_PROXY_HTTP_ADDRESS: 0.0.0.0:4180
+ OAUTH2_PROXY_REVERSE_PROXY: 
"true" + OAUTH2_PROXY_SCOPE: "openid email profile" + OAUTH2_PROXY_OIDC_GROUPS_CLAIM: groups + OAUTH2_PROXY_ALLOWED_GROUPS: admins + OAUTH2_PROXY_PROMPT: "login" + labels: + - "traefik.enable=true" + - "traefik.http.routers.oauth2.rule=Host(`traefik.mota-thomas.com`) && PathPrefix(`/oauth2/`)" + - "traefik.http.routers.oauth2.entrypoints=websecure" + - "traefik.http.routers.oauth2.tls.certresolver=letsencrypt" + - "traefik.http.routers.oauth2.priority=100" + - "traefik.http.services.oauth2.loadbalancer.server.port=4180" gitea-db: image: postgres:15 @@ -42,6 +85,7 @@ services: GITEA__database__USER: gitea GITEA__database__PASSWD: ${GITEA_DB_PASSWORD} GITEA__server__ROOT_URL: https://gitea.mota-thomas.com/ + GITEA__actions__ENABLED: "true" volumes: - gitea_data:/data labels: @@ -51,6 +95,22 @@ services: - "traefik.http.routers.gitea.tls.certresolver=letsencrypt" - "traefik.http.services.gitea.loadbalancer.server.port=3000" + gitea-runner: + image: gitea/act_runner:latest + restart: unless-stopped + depends_on: + - gitea + environment: + CONFIG_FILE: /config.yaml + GITEA_INSTANCE_URL: https://gitea.mota-thomas.com + GITEA_RUNNER_REGISTRATION_TOKEN: ${GITEA_RUNNER_REGISTRATION_TOKEN} + GITEA_RUNNER_NAME: dev-platform-runner + GITEA_RUNNER_LABELS: ubuntu-latest:docker://node:20-bookworm + volumes: + - ./gitea-runner/config.yaml:/config.yaml + - gitea_runner_data:/data + - /var/run/docker.sock:/var/run/docker.sock + keycloak-db: image: postgres:15 environment: @@ -89,7 +149,7 @@ services: container_name: sonarqube-db environment: POSTGRES_USER: sonar - POSTGRES_PASSWORD: sonar + POSTGRES_PASSWORD: ${SONAR_DB_PASSWORD} POSTGRES_DB: sonarqube volumes: - sonarqube_db_data:/var/lib/postgresql/data 
@@ -102,7 +162,7 @@ services:
 environment:
 SONAR_JDBC_URL: jdbc:postgresql://sonarqube-db:5432/sonarqube
 SONAR_JDBC_USERNAME: sonar
- SONAR_JDBC_PASSWORD: sonar
+ SONAR_JDBC_PASSWORD: ${SONAR_DB_PASSWORD}
 volumes:
 - sonarqube_data:/opt/sonarqube/data
 - sonarqube_logs:/opt/sonarqube/logs
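Review bot: Moving `SONAR_JDBC_PASSWORD` to `${SONAR_DB_PASSWORD}` changes nothing yet, because the `.env` hunk in this same commit sets `SONAR_DB_PASSWORD=sonar`, the default this line used to hard-code. Generate a random value (`openssl rand -base64 24`) and add the variable to `.env.example`, which currently lacks it. Compose substitutes an empty string for an undefined variable, so prefer the `${SONAR_DB_PASSWORD:?set in .env}` form here and on the matching `POSTGRES_PASSWORD` line of sonarqube-db to fail at startup instead of running with an empty credential.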
@@ -114,12 +174,62 @@ services:
 - "traefik.http.routers.sonarqube.tls.certresolver=letsencrypt"
 - "traefik.http.services.sonarqube.loadbalancer.server.port=9000"
 
+ code-server:
+ image: lscr.io/linuxserver/code-server:latest
+ container_name: code-server
+ environment:
+ PUID: 1000
+ PGID: 1000
+ TZ: Europe/Zurich
+ DEFAULT_WORKSPACE: /config/workspace
+ volumes:
+ - code_server_config:/config
+ - ./workspace:/config/workspace
+ networks:
+ - default
+ restart: unless-stopped
+
+ oauth2-proxy-code:
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.8.1
+ container_name: oauth2-proxy-code
+ depends_on:
+ - code-server
+ environment:
+ OAUTH2_PROXY_PROVIDER: keycloak-oidc
+ OAUTH2_PROXY_CLIENT_ID: ${CODE_SERVER_OAUTH2_CLIENT_ID}
+ OAUTH2_PROXY_CLIENT_SECRET: ${CODE_SERVER_OAUTH2_CLIENT_SECRET}
+ OAUTH2_PROXY_COOKIE_SECRET: ${CODE_SERVER_OAUTH2_COOKIE_SECRET}
+ OAUTH2_PROXY_COOKIE_SECURE: "true"
+ OAUTH2_PROXY_EMAIL_DOMAINS: "*"
+ OAUTH2_PROXY_REDIRECT_URL: https://code.mota-thomas.com/oauth2/callback
+ OAUTH2_PROXY_OIDC_ISSUER_URL: https://keycloak.mota-thomas.com/auth/realms/dev-platform
+ OAUTH2_PROXY_UPSTREAMS: http://code-server:8443
+ OAUTH2_PROXY_HTTP_ADDRESS: 0.0.0.0:4180
+ OAUTH2_PROXY_REVERSE_PROXY: "true"
+ OAUTH2_PROXY_PASS_ACCESS_TOKEN: "true"
+ OAUTH2_PROXY_PASS_USER_HEADERS: "true"
+ OAUTH2_PROXY_SET_XAUTHREQUEST: "true"
+ OAUTH2_PROXY_WHITELIST_DOMAINS: .mota-thomas.com
+ OAUTH2_PROXY_COOKIE_DOMAINS: .mota-thomas.com
+ OAUTH2_PROXY_COOKIE_NAME: "_oauth2_proxy_code"
+ OAUTH2_PROXY_CODE_CHALLENGE_METHOD: S256
+ labels:
+ traefik.enable: "true"
+ traefik.http.routers.code-server.rule: Host(`code.mota-thomas.com`)
+ traefik.http.routers.code-server.entrypoints: websecure
+ traefik.http.routers.code-server.tls.certresolver: letsencrypt
+ traefik.http.services.code-server.loadbalancer.server.port: "4180"
+ networks:
+ - default
+ restart: unless-stopped
+
 volumes:
 gitea_db_data:
 gitea_data:
+ gitea_runner_data:
 keycloak_db_data:
 traefik_letsencrypt:
 sonarqube_db_data:
 sonarqube_data:
 sonarqube_logs:
- sonarqube_extensions:
+ code_server_config:
diff --git a/gitea-runner/config.yaml b/gitea-runner/config.yaml
new file mode 100644
index 0000000..8aa7a13
--- /dev/null
+++ b/gitea-runner/config.yaml
@@ -0,0 +1,8 @@
+log:
+ level: info
+
+runner:
+ file: /data/.runner
+
+container:
+ network: dev-platform_default
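Review bot: `oauth2-proxy-code` admits any account that can log in to the `dev-platform` realm — `OAUTH2_PROXY_EMAIL_DOMAINS: "*"` with no `OAUTH2_PROXY_ALLOWED_GROUPS`, unlike the dashboard proxy earlier in this commit which requires `admins` — and that login lands in a code-server with a terminal, since the linuxserver image gets neither `PASSWORD` nor `HASHED_PASSWORD` here and so relies on the proxy alone. Add `OAUTH2_PROXY_ALLOWED_GROUPS: admins` (or a dedicated `developers` group) next to the `EMAIL_DOMAINS` line. `OAUTH2_PROXY_COOKIE_DOMAINS: .mota-thomas.com` also sends the session cookie, which with the default cookie session store holds the encrypted Keycloak tokens, to every other subdomain (gitea, sonarqube, keycloak); scope it with `OAUTH2_PROXY_COOKIE_DOMAINS: code.mota-thomas.com` and `OAUTH2_PROXY_WHITELIST_DOMAINS: code.mota-thomas.com`, and drop `OAUTH2_PROXY_PASS_ACCESS_TOKEN` unless code-server actually consumes the forwarded token. The `sonarqube_extensions` volume is removed from the top-level list; if the sonarqube service outside this hunk still mounts it, compose will refuse to start, and if not, any data in that volume is now orphaned — worth a line in the commit message either way.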
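Review bot: `container.network: dev-platform_default` attaches every CI job container to the same bridge as `gitea-db`, `keycloak-db`, `sonarqube-db` and `code-server` (whose proxy reaches it unauthenticated at `http://code-server:8443`), so any repository with Actions enabled can open those ports directly with none of the Traefik or oauth2-proxy layers in the path. Give jobs their own network declared in docker-compose.yml, e.g. `network: dev-platform_ci`, and set `docker_host: "-"` explicitly so that, per act_runner's sample config, the socket the runner container mounts is never auto-mounted into jobs. Add a comment above the key stating the constraint: `# jobs run untrusted code: never place them on the network that carries the databases or code-server`. The `dev-platform_` prefix assumes the compose project is named `dev-platform`; this diff does not show a `name:` key, so verify it or pin one at the top of docker-compose.yml.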