From 065d1b02f15e6ccab494bedcbfe1bb4152fbaa4b Mon Sep 17 00:00:00 2001
From: Bernd Worsch
Date: Tue, 31 Mar 2026 11:52:54 +0000
Subject: [PATCH] feat(gitea): update Helm values with external DB/cache config and add SOPS policy Restores the newer local gitea-values.sops.yaml (2026-03-27) over the upstream scaffold (2026-03-10). Adds database, cache, session, and queue sections pointing to external PostgreSQL/Valkey (S3 platform services), and disables bundled postgresql/redis/valkey sub-charts. Also adds .sops.yaml encryption policy for railiance-apps.
Co-Authored-By: Claude Sonnet 4.6
---
.sops.yaml | 8 ++++
helm/gitea-values.sops.yaml | 80 +++++++++++++++++++++----------------
2 files changed, 54 insertions(+), 34 deletions(-)
create mode 100644 .sops.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..7713fd6
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,8 @@
+# SOPS encryption policy for railiance-apps
+# Encrypts any file matching *.sops.yaml using the shared age key.
+
+creation_rules:
+ - path_regex: \.sops\.yaml$
+ key_groups:
+ - age:
+ - age1aq8twfd78wvpra0had8cezcnj96tj4q0068edrz5jez8d6xwmflqdepsh4
diff --git a/helm/gitea-values.sops.yaml b/helm/gitea-values.sops.yaml
index 1891089..30b9184 100644
--- a/helm/gitea-values.sops.yaml
+++ b/helm/gitea-values.sops.yaml
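Review bot: The single `creation_rules` entry added in `.sops.yaml` lists exactly one age recipient, which its own header comment calls shared, so access cannot be withdrawn from one holder without re-keying every file, and losing that one identity loses every secret. Listing one recipient per operator plus one for the deploy pipeline under `age:` would allow individual revocation. The rule also has no `encrypted_regex`, so non-secret values such as the sub-chart `enabled` flags in `helm/gitea-values.sops.yaml` are encrypted too and cannot be checked in review. A line such as `encrypted_regex: '^(PASSWD|HOST|CONN_STR|PROVIDER_CONFIG)$'` would keep only the sensitive keys opaque; existing files would need re-encrypting for it to take effect.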
@@ -1,46 +1,58 @@ -#ENC[AES256_GCM,data:RznLDXAkDpHVhaXHZrlMYo6z8+cZyTjRMkku6XrF2Zjzulkt+Ve/8Q==,iv:EHVhhpSUcDGR1ARNfNbSdJ0Gjjq6CyEfXMU+cAnIgc4=,tag:0OWESOcslvCB5wHH6IWE6g==,type:comment] -#ENC[AES256_GCM,data:RJvbPFrBALVhJm5+rkcdgTqE9G59vRnfjddwXU+G+B3u1saEttf98sTXV/Mim/FK6gAilvSr,iv:h1QLn5NthfdVAayrpvqcPzTXV1sEQATNREAHLRT6c1Y=,tag:32UpAGaIyDbFnnAa3zveAQ==,type:comment] +#ENC[AES256_GCM,data:jLG3K9KRtV7zKrLfJ0J42LAc17nX8UKbB2KWJSXZPFQ+5cZjA3RFbQ==,iv:Ync2fzES+Oj1L/yfSLxInef5IgQWpJdK9Wd8fTLinSU=,tag:gHEiHLzOI1eiuAhntcCU2A==,type:comment] +#ENC[AES256_GCM,data:z6zvj2FcfFTmf7D8ZgbW8Wi68s4O,iv:kwaB3n64IQR4slfLFnQqjtQO9oxm5MkVqvtt53BArqc=,tag:ftjV1jtGa57QSpLOJGGDqA==,type:comment] +#ENC[AES256_GCM,data:ty8rXwAdeJjr7wA0hXpdDOmpPVaqnCavzzO6/RI9SYpcQ3pnIsBxmIpcdx6hqbkH,iv:YDYrEMvrKX0sGIPIBYbJUdOcPwx84CFQQSmR8+QIZuA=,tag:P/0IbdxCxofZPn+OlSLU0Q==,type:comment] +#ENC[AES256_GCM,data:2LqlFLbhpKrQH0r6RrgECOpxD74+zK7Ksl26BEhsKukOYBzk8sAfHkRcH2G7Ndk/cgCJjD7Ndk7ogh1d,iv:Z7ueOEVthvm/peyDAT4XpuIvl4if346iitWne7/1HFs=,tag:ziXDL/9d00jGGxOJtK5C8Q==,type:comment] # -#ENC[AES256_GCM,data:mzm+3mIPOZBEuFAZUppd3i2UnJ94mP+pXGVLdkfZ8SOTDgnw6dJa1A==,iv:cO/dj0wp9MlEUUcYU4qOGG1qJ2LWHHgRGoYii7aKMMg=,tag:4jiRnvmaRa3nDoSJ2W6sWw==,type:comment] -#ENC[AES256_GCM,data:h7vlbkUu+TMbRU83E+nx5F/4FCcovoIPdgRmD4/QVUFPimDGxZ6CtnhJbYQjVw==,iv:kXozUXpTdhy+MPk2y956Pqofww/iDVLUE/bSH0+mHaU=,tag:LsB6Ijmw/sT0d3S+rMbAsQ==,type:comment] -#ENC[AES256_GCM,data:Uw46ZrbHN5fxwHV/mU9t+z2xYkRE0gUxmlzRfzPVt31qH7SwxvVvcSMRIw==,iv:/nnvTn3ABdKBtCRytjg73T4jl3w+8JRZIaSsw7l9Iyk=,tag:Bn4WRZDMj6lc0o8Z6d/ZXQ==,type:comment] -#ENC[AES256_GCM,data:6871AIBTjtOWM5CCXlo/MDCYMhBdl4kVCQnxhlW7cyZ6Ucy+0Tg3yn5LO28DDQl2y8f/2ACfttT4KHiGqe7bhg0a0DouN1NLRmXlxNUAADo88FqW33C41EBJ7v50ng==,iv:qOjN0OBPaNNBC33CXwGUPVNdk+eerCa5mOdkcqwQKXM=,tag:U0xLzSBcAR4ILRQHGaoWLg==,type:comment] -# 
-#ENC[AES256_GCM,data:FRaxggcnSudMRfPAMH3nzX04cwkWQ4LhyGk0qMmH5tiSPYMnVoedoLN6TEnk5skCg6UmOaV2jcJo36zpkKoQBf6u,iv:CQoIAYQO09d+jqsvgycCFHZme9SFhgGWaut3JjeEQ5w=,tag:0i56ycYqWuKMOcjentGplw==,type:comment] -#ENC[AES256_GCM,data:weGb36lC8sz19REjFOI8EagSEnDisNSHteSr+SZmTWAbfxnUk+/G4d5q/KMWHS+Y0SimGbufwDuvj0AiwIl0GZ/46Lqfdg==,iv:IIZCqRFIEp0IxGQkv5aTknJyYA3DG7vxtu6CGhrUh0k=,tag:/X3OGfgurgiNsz1vf6oPxw==,type:comment] +#ENC[AES256_GCM,data:G6Jzdr5V/IKyvcG3j6lmD1N6i1vYrOnYWLAQ1e/gnctgMufKqcW7kJA9Cdj7Vw==,iv:093mO8+QElI5tqs6DgTJiO71OLAppbxvGafmpXlt6G0=,tag:MRzd9UupZkdsk3DRKKbp0g==,type:comment] +#ENC[AES256_GCM,data:DHEo5mRMm0hiEAR++0uJdnmMuZFuecKXfl0rrYeQxNWRAUqgjL8+y0E97Q==,iv:qh7rewpXW0XEe1wLM8nTipByShnG2SO9UGVXgm3Gcd4=,tag:FfC/iiBnaqnP5gZiYmBomA==,type:comment] +#ENC[AES256_GCM,data:7nU7Z8dZ2JP+WfTIBcc4zoEZUaaqyOiip/Vn/txJm7Eetc9mso7JGKTHSkXV/a9Kqp96yZG6mEaXoh0jFQfmX1ItJOAq6uUtUav0I76FK2coQ2lnTTpPt5LzRWH3Gw==,iv:p7/MR5adZt48uJtpuLHnydcy7af6YOcjRj9Mgknc8aw=,tag:gqvosX3nSHsDLR0E6BJ9MA==,type:comment] gitea: config: server: - DOMAIN: ENC[AES256_GCM,data:R2HrjW5sW0nvDNIWd0G00ReltOA=,iv:CWZ+Fy+y/hIKNzqCTstaGFpgHgDJvEe6mF0Q7QKbvmE=,tag:+oA9F7xTgaSXLIPmYNkY5A==,type:str] - ROOT_URL: ENC[AES256_GCM,data:li2QBHIkm3hVSqGbzuBG2os8qx7tHuiyOttn,iv:2q0LXgp+bhv7t4FG1kBNNlq1ZqSpIpUf7e0hdKhJosg=,tag:h+Mu0/jo/pb78qOWU7W0TQ==,type:str] - SSH_DOMAIN: ENC[AES256_GCM,data:i0Vb19m1fbr4TluqQxjFg73X0eA=,iv:ff2Nhmpdc+S8lTye87fj0i5MFyIl4Mhq8+awknKlbTQ=,tag:lPGppk9JT7wR5thdwlmjTQ==,type:str] + DOMAIN: ENC[AES256_GCM,data:PxKHJeRtHMJFvQMpDl+VFSNcRv4=,iv:L1UtCaBrEoRlyJH36Yd55b7WFhTZMUTYAP6knC6Qfxc=,tag:hFton+zOgXPF+gCzqNEKyQ==,type:str] + ROOT_URL: ENC[AES256_GCM,data:tDJQG/468fYtXlyKGcl43bmMALvlEJhgxM4/,iv:4u4WzQbZZ1utshFrdtTXmxYMHSX9Mei5rq1I+z8iwpY=,tag:ibrCAk7esdOArFrhB4Qi3w==,type:str] + SSH_DOMAIN: ENC[AES256_GCM,data:bz41+PZAvGMoJPcNPpSMPfi5L5A=,iv:qG78QHcxFgxmgv+hOcAR3JadM5fL4euBtXk392ILI7A=,tag:M23NRlCTxcAchTfE8S5nKg==,type:str] + database: + DB_TYPE: 
ENC[AES256_GCM,data:A9DE1lAHDLQ=,iv:BJz5BmhvZBNmZ/wL/f/160tNFUN1QOS+cj4jmCrxILA=,tag:D8XHegqVEOYTtMScKoRkeg==,type:str] + HOST: ENC[AES256_GCM,data:eWWPMjljR4EY63qUmXvtS5VW7evpP261nOCiLljy79Ft+j8pwkAnEA2+iaY=,iv:cJIB2SbEIA+BeAViwJZNP+eOhTP1Y3vFgN8JKGUKQWE=,tag:Ej1YhpzuNcJXy9jbg8LnIw==,type:str] + NAME: ENC[AES256_GCM,data:8Zp5FNs=,iv:qhrWkp15Oy0SsCiJvGsUBg4vv6X0ez2x2NWqk3XUsno=,tag:4qj1XQf8vHkDGynjUa9JVg==,type:str] + USER: ENC[AES256_GCM,data:m4Ln0J8=,iv:BmNO265BQVtTCIIF/T5fbNRZBEPZz8tPSeam7ToVSAM=,tag:Lwr7AxxckJ3B/Ff4l+FNIg==,type:str] + PASSWD: ENC[AES256_GCM,data:tIKMvA4=,iv:FxnmkHazpThExFgsRqeMfFQhTbhPH6+o0fK9xURwqBs=,tag:1mohGBT+ynExzUoM3CtU5Q==,type:str] + SSL_MODE: ENC[AES256_GCM,data:MHrNNVnCUw==,iv:V5voIFrtJicropHf5FpTWlq6Gk+Vvw1z7ax24fAzcAU=,tag:/DoDYoBb/tv9egi1lJ7xdw==,type:str] + cache: + ADAPTER: ENC[AES256_GCM,data:mFEneE8=,iv:fwJm8bK1QH8WoVbFa2oCRQivdVkw0RjPVFNPc5Ecn5U=,tag:XhgsZmHoaReE43JJb9XdGw==,type:str] + HOST: ENC[AES256_GCM,data:0dx6Jh8lf/VWCEUMCi48oJdB0Yfkrk0zkkyVI9pRJeUV3y6XRZnTYP/e0zTXxhMfXS3bNnGqacZSelgVy4jc7pl354iU94EcIz1Rh2x3bs0W18rzMy5ATuOhdhnlY/Ly1BSWwPkldEPTSw==,iv:cyAPLzWPOeJo7LDXaw27in4IblZxcR3pVXPegqV9Vp4=,tag:UYSmXMDDkPWXE3fO+z6MiA==,type:str] + session: + PROVIDER: ENC[AES256_GCM,data:I/43BCQ=,iv:IHbcRbE8C8g8h5sTOyKqUafEVZ6QJuLo71j69Z49AIw=,tag:oiz4f/BF827YbH5jJKp8uQ==,type:str] + PROVIDER_CONFIG: ENC[AES256_GCM,data:2Qu3Fd7Fov5Qw/E/YXwvynwojFwZpWyOvlvKmRs03Ir8usjlRctRCvfcmW3g8EolkY2xQhmZzd9All/33nJMetA1bZ0MAU5ct5U1tkxiOBEcrruix8WzuokQi+5cPxTfu0bHZYDvrtlpIQ==,iv:3xDoJeUa5OLN9dGJEIqIK2SN9bVZE9Gf2sP1rOYyzEk=,tag:D+9iPT+YYxOOOZckqO+KbQ==,type:str] + queue: + TYPE: ENC[AES256_GCM,data:lk3WVMg=,iv:vy2hD1xZf123IwqWbI3a9cI1GUmMpOc+Klw80seQj44=,tag:Y2WkIaCszv201aV7NRPPtw==,type:str] + CONN_STR: 
ENC[AES256_GCM,data:/vl9QR4MYnGngiIhXT2bum1rWXZwNz/FyqfWG8QmdKrpNE+vquXWACFiTWhH9Hf8g+OUWzaOqZqn+ph8yZNHFaZqzBNZPyGyyVk7sU1SeUs0iUhPf29/jQGRFHOxxFSx/2FIVVblMhtA7A==,iv:WUx7iG2LqxdoPDNDbhk/tVhRWqgIXjCePMHOM4SpicU=,tag:Xnk7qomvqys2APA4t5Vf9A==,type:str] postgresql-ha: - postgresql: - #ENC[AES256_GCM,data:kRJ/o1D24opEpW87UbrSWzGjOAgRD0GTMrP9wI2x9xY=,iv:hepYzpp2stw6zjHpS2vr84rZrgifhEBK/UovRUWoV6c=,tag:XDwJc1rbI2F9gEr6o5tzgw==,type:comment] - password: ENC[AES256_GCM,data:AkkKp+w=,iv:juctW3iHu67VJ8aTOW0XmqCyzr/mXnQ6g4/1G+i+2rY=,tag:LCfo9IyhBMpqEdtMy/iNaA==,type:str] - #ENC[AES256_GCM,data:w8IVl9bCaSuivbgZ0XGH9NiM6lb3j7x9WX/hnIawG4ka6ayzkE/J3hf3dHuODQ==,iv:SbtCWprptkkCu8GIOQeh6gAYLuD+T1dyxZE1BOOLMns=,tag:Fa00ndoNxRIcSXDZFaH08Q==,type:comment] - postgresPassword: ENC[AES256_GCM,data:2BxdJ++kXX3t,iv:sARgDgLtsKve/KnqMxH2T8bTtyVZDtCWD8/EHIoXkqs=,tag:AJAkFd8EM+zEzd8YgRZlng==,type:str] - #ENC[AES256_GCM,data:xz+TDvCisDuBzo7xIsJXUanl1yELabUonk8dRUg1hoaU3EYIJQ==,iv:cWfTjhwfaUNLralnQRe1lmx8lcyxofXPrZU/LZEcQfc=,tag:jUukbPltv6NUOQKRCSoORw==,type:comment] - repmgrPassword: ENC[AES256_GCM,data:FC5NW9Jnm1CX,iv:/c1g/luv39LCBDI6Ayhw7O5SzOqgR5RFLtAouuHFWvQ=,tag:wP7xx0ga8i3lzVyVm2iiOQ==,type:str] - #ENC[AES256_GCM,data:3w4zrmvevybTsZzr5wgwF3h1UMJuizBQ0+wjyq++X899LCp0ild6YOcPR2KiOvn5zNitG7RW8LpwyWkw+hzK,iv:HnJl+UhEu/M9HeLy2ws/437lMC1ZjTlbEgMnEpG0FY4=,tag:Nxxj4q7eOh0+zmVLhXArcQ==,type:comment] - pgpoolPassword: ENC[AES256_GCM,data:MF8mAi9UpHwh,iv:TYvqtUtqFH+JcoHWfUk3SIrh/MsmEitRoGn4FWXyjNE=,tag:bJeGbXI7V8Vcn6EoEfzzHQ==,type:str] - pgpool: - #ENC[AES256_GCM,data:mwdpjpgs38LDNg0BQukw5t61RN5EHbvbGgDquuMezXCviYMViA==,iv:9QLGDdAAcUOMJAp40cOBC3qN3aBeuXvcj76UWbnazq8=,tag:kRW1CVpoaK7sXOHU4uHpcw==,type:comment] - adminPassword: ENC[AES256_GCM,data:9aheOLxvanH9,iv:q7CEnryzyh5zVJHqJ2veAVr9lRVNFPwM6ownxmI12Wg=,tag:EFOOxW7LPLCRJxuhwreo1A==,type:str] - 
#ENC[AES256_GCM,data:FAZHI4BENIuUyILlBh4m/vluaursEkO/yWuKp5mPpYnxYy3vI0Ichehu1o8405ENp1UjyN1bEA==,iv:CBjvgAF4RIEb0wpD+NV1oXAZCZof6X94S0Ny7JrKy5Q=,tag:ytSlhX8knkwKouX5wSO31A==,type:comment] - srCheckPassword: ENC[AES256_GCM,data:S5tluU9DfVKV,iv:5pdvQcnebpoBaQq422PTeIdvQKc0AJ3M+PyapnSe0hM=,tag:/sHw4GoqPOiOAnDVqnizqQ==,type:str] + enabled: ENC[AES256_GCM,data:f0h+GvU=,iv:RDIU37NlWBC1KE3eFSZJxiAkudEIgtwLAicfOcYDcVI=,tag:7GlCCxpNXjyP/tuwG+aA6A==,type:bool] +postgresql: + enabled: ENC[AES256_GCM,data:P4WyaR0=,iv:iIiB5j0ZJrizO1LTzGUp1u1i+8L8AispkEUT2sr1gws=,tag:HqNdr1rPSgb8xAv7jhL1UA==,type:bool] +redis-cluster: + enabled: ENC[AES256_GCM,data:7h2ZNb0=,iv:qOWCgiCfnbv79EddfSNbBKT/q8JB24gMKfmlEX0g++U=,tag:iNW/PRCqRBX2oPop1ERALg==,type:bool] +valkey-cluster: + enabled: ENC[AES256_GCM,data:9ffS+Mo=,iv:GVVBb/JN1Zzj4h6j0jVpoMMHnkFpsJdr5VgSpUXhmUY=,tag:N9vypan+ueWk+RcpL5K6Fw==,type:bool] sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] age: - recipient: age1aq8twfd78wvpra0had8cezcnj96tj4q0068edrz5jez8d6xwmflqdepsh4 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3eCtCczBraGlibTRpVTI5 - WGNVV0N3c2NZZ2dmL1lQTXBHcGtJODlTR2tFCnFmOTBCaDhOYW4raFg1WkJhYUxN - Q1Y0cnNkYUp6T0ZNUVNUY1RLNkZicEkKLS0tIGZDRkg0TmdkTGNvd1RQTWVacXRs - R0RHWml2LzRHcmpDUGRnY1Bwa3BOeWMKN52lakQFLMBflYC/KOTXLECJb6qlTVNG - xFlPrgVhMaF2dwTje/5QsSAOuvwQ4HJ7ot3KsUkQAhheqYeiOAxdPg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVbHdUNmpkaFozVDJMY2tG + TlVBeUJNSlJPcTR5aXhVMkN1MUVLMHJ3NXdVClhkdDhGVTJ6NEdWeGVHeEo2SkZB + aldWZ25kK3JDcWxsL0Q2c3BYbGI2c2cKLS0tIDU5bEdxTjVvKzlSUlpIZGhRMS9Q + MnNPMnl0SEc3NVRvVHJhNW53aWxiWTAK2TIz10Md0eNyTzpuxml1CDvCW9Cq6gEt + 8zHyWNA1LayXct2mvcgVmMWyO8+nl7ZIaqhZHGNzC0cLaOqwD2o4bQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-10T13:36:49Z" - mac: 
ENC[AES256_GCM,data:3D5CtE5lcEc20pH2iyLF3UaPRqlp3BFF1xbSjVtv6R/YYnnemjBcDKT8kbMWb5mGCGOYlJ7AE+ewmix3KdY1FZnNENRSXkTSMqlu8luRzXNq+QuXSA7ofAtC24VMiHGnCSgY+rxSbbKLC1dcdF4KblcAmKp5tv0/8XyzSWkswAI=,iv:xQ/OotVy329F150A8HEeUgf0l8iZB3LJm9/zm/b+SJg=,tag:pxotV1XcTJfgd3HGdS/eKQ==,type:str] + lastmodified: "2026-03-27T09:02:37Z" + mac: ENC[AES256_GCM,data:a1pdWiw64d16D1IFRd8PskvOsjAP6YFBzGZICfaN4ABHiQfNeIrSfeYxtvF6SwfK2bXxIfEcvC2Ofl6VKQtXwftmu1jruZeXSGtpAybwsVx8XPxmJNWKJwpfQaSUoE+/Wg1nmpJYBVUPDhVUwnGumnYQB+sXLdrMQD24HjbT4Zc=,iv:ETirgEDjX4aWNLVe1n86jsU2ShdWY728YMgBkMl4JSE=,tag:jX052pHamAbdaB8wJbYaSA==,type:str] + pgp: [] unencrypted_suffix: _unencrypted - version: 3.10.2 + version: 3.9.0
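Review bot: The new `database.PASSWD` entry carries a ciphertext only a few bytes long, the same length as `NAME` and `USER` beside it. SOPS ciphertext length follows plaintext length, so the password for the external PostgreSQL appears to be very short and may be a placeholder; it should be rotated to a long random value before this values file is deployed. `SSL_MODE` is encrypted as well, so the diff cannot show whether TLS to the external database is enforced, and the commit description should state the intended mode. The `sops` metadata also moves `version` from 3.10.2 back to 3.9.0, which suggests the file was re-encrypted with an older binary than the upstream scaffold used; confirming the tool version used across the team would avoid further churn in this block.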