From 14dc3fdefd9075517a4e8dae0b851c9e747ecc14 Mon Sep 17 00:00:00 2001
From: JulienAldon <julien.aldon@wanadoo.fr>
Date: Sun, 11 Jan 2026 16:43:06 +0100
Subject: [PATCH] Add first module : Gitea app

---
 .gitignore                                    |  40 ++++
 main.tf                                       |  60 +++++
 modules/apps/gitea/cloud-init/service.yaml    |  85 +++++++
 modules/apps/gitea/install.sh                 | 209 ++++++++++++++++++
 .../apps/gitea/lib/scripts/create-backup.sh   |  10 +
 modules/apps/gitea/lib/scripts/env.sh         |  12 +
 .../apps/gitea/lib/scripts/install-gitea.sh   |  90 ++++++++
 .../apps/gitea/lib/scripts/restore-backup.sh  |  62 ++++++
 modules/apps/gitea/lib/services/gitea.service |  42 ++++
 .../gitea/lib/services/restore-backup.service |  11 +
 .../gitea/lib/services/weekly-backup.service  |  10 +
 .../gitea/lib/services/weekly-backup.timer    |   9 +
 modules/apps/gitea/main.tf                    |  34 +++
 modules/apps/gitea/variables.tf               |  52 +++++
 modules/vm/cloud-init/meta_data               |   0
 modules/vm/main.tf                            |  78 +++++++
 modules/vm/outputs.tf                         |   7 +
 modules/vm/variables.tf                       |  56 +++++
 terraform.tfvars.example                      |   4 +
 variables.tf                                  |  19 ++
 20 files changed, 890 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 main.tf
 create mode 100644 modules/apps/gitea/cloud-init/service.yaml
 create mode 100644 modules/apps/gitea/install.sh
 create mode 100644 modules/apps/gitea/lib/scripts/create-backup.sh
 create mode 100644 modules/apps/gitea/lib/scripts/env.sh
 create mode 100644 modules/apps/gitea/lib/scripts/install-gitea.sh
 create mode 100644 modules/apps/gitea/lib/scripts/restore-backup.sh
 create mode 100644 modules/apps/gitea/lib/services/gitea.service
 create mode 100644 modules/apps/gitea/lib/services/restore-backup.service
 create mode 100644 modules/apps/gitea/lib/services/weekly-backup.service
 create mode 100644 modules/apps/gitea/lib/services/weekly-backup.timer
 create mode 100644 modules/apps/gitea/main.tf
 create mode 100644 modules/apps/gitea/variables.tf
 create mode 100644 modules/vm/cloud-init/meta_data
 create mode 100644 modules/vm/main.tf
 create mode 100644 modules/vm/outputs.tf
 create mode 100644 modules/vm/variables.tf
 create mode 100644 terraform.tfvars.example
 create mode 100644 variables.tf

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0e35890
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,40 @@
+# Created by https://www.toptal.com/developers/gitignore/api/terraform
+# Edit at https://www.toptal.com/developers/gitignore?templates=terraform
+
+### Terraform ###
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+# End of https://www.toptal.com/developers/gitignore/api/terraform
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..9ad1604
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,60 @@
+terraform {
+  required_providers {
+    proxmox = {
+      source  = "bpg/proxmox"
+      version = "0.42.0"
+    }
+  }
+}
+
+provider "proxmox" {
+  endpoint  = var.proxmox_endpoint
+  api_token = var.proxmox_api_token
+  insecure  = true
+
+  ssh {
+    agent    = true
+    username = "root"
+  }
+}
+
+# module "bookshelf" {
+#   source = "./modules/vm"
+
+#   providers = {}
+
+#   name      = "bookshelf"
+#   hostname  = "bookshelf"
+#   domain    = "aldon.fr"
+#   vm_id     = 210
+#   node_name = "mop"
+
+#   template_id = 103
+
+#   cores     = 1
+#   memory    = 1024
+#   disk_size = 16
+
+#   ssh_public_key  = var.ssh_public_key
+#   proxmox_host_ip = var.proxmox_host_ip
+# }
+
+module "gitea" {
+  source    = "./modules/apps/gitea"
+  providers = {}
+
+  name      = "gitea"
+  hostname  = "gitea"
+  domain    = "aldon.fr"
+  vm_id     = 212
+  node_name = "mop"
+
+  template_id = 103
+
+  cores     = 2
+  memory    = 2048
+  disk_size = 16
+
+  ssh_public_key  = var.ssh_public_key
+  proxmox_host_ip = var.proxmox_host_ip
+}
diff --git a/modules/apps/gitea/cloud-init/service.yaml b/modules/apps/gitea/cloud-init/service.yaml
new file mode 100644
index 0000000..b621a9f
--- /dev/null
+++ b/modules/apps/gitea/cloud-init/service.yaml
@@ -0,0 +1,85 @@
+#cloud-config
+hostname: ${hostname}
+local-hostname: ${hostname}
+fqdn: ${hostname}.${domain}
+manage_etc_hosts: true
+
+groups:
+  - git
+
+users:
+  - default
+  - name: ${hostname}
+    groups: sudo,git
+    shell: /bin/bash
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    ssh_authorized_keys:
+      - ${ssh_key}
+
+disable_root: true
+
+package_update: true
+package_upgrade: false
+
+packages:
+  - git
+  - nfs-common
+  - docker.io
+  - docker-compose
+  - curl
+  - unzip
+  - postgresql
+  - postgresql-client
+
+write_files:
+  - path: /etc/fstab
+    permissions: "0644"
+    content: |
+      ${proxmox_host_ip}:/main/backups /backups nfs defaults,_netdev 0 0
+  - path: /opt/gitea/env.sh
+    permissions: "0644"
+    content: |
+      ${environment-setup-script}
+  - path: /usr/local/bin/restore-backup.sh
+    permissions: "0755"
+    content: |
+      ${restore-backup-script}
+  - path: /etc/systemd/system/restore-backup.service
+    permissions: "0644"
+    content: |
+      ${restore-backup-service}
+  - path: /usr/local/bin/backup.sh
+    permissions: "0755"
+    content: | 
+      ${create-backup-script}
+  - path: /etc/systemd/system/weekly-backup.timer
+    permissions: "0644"
+    content: |
+      ${create-backup-timer}
+  - path: /etc/systemd/system/weekly-backup.service
+    permissions: "0644"
+    content: |
+      ${create-backup-service}
+  - path: /etc/systemd/system/gitea.service
+    permissions: "0644"
+    content: |
+      ${gitea-service}
+  - path: /opt/gitea/install-gitea.sh
+    permissions: "0755"
+    content: |
+      ${install-gitea-script}
+
+runcmd:
+  # Backup setup
+  - mkdir -p /backups
+  - mount -t nfs ${proxmox_host_ip}:/main/backups /backups
+  - systemctl enable --now weekly-backup.timer
+  # Docker setup
+  - systemctl enable docker
+  - systemctl start docker
+  - usermod -aG docker ${hostname}
+  # gitea setup
+  - /opt/gitea/install-gitea.sh
+
+final_message: |
+  Base system ready for ${hostname}
\ No newline at end of file
diff --git a/modules/apps/gitea/install.sh b/modules/apps/gitea/install.sh
new file mode 100644
index 0000000..eeb3880
--- /dev/null
+++ b/modules/apps/gitea/install.sh
@@ -0,0 +1,209 @@
+#!/bin/bash
+set -euo pipefail
+
+sudo apt install postgresql postgresql-client unzip -y
+
+GITEA_HOME="/var/lib/gitea"
+GITEA_CONF="$GITEA_HOME/app.ini"
+GITEA_USER="git"
+GITEA_VERSION="1.25.3"
+GITEA_BINARY="/usr/local/bin/gitea"
+GITEA_SERVICE="/etc/systemd/system/gitea.service"
+DB_NAME="giteadb"
+DB_USER="gitea"
+GITEA_BACKUPS_DIR="/backups/gitea"
+
+# Gitea user
+if ! id -u $GITEA_USER >/dev/null 2>&1; then
+    adduser \
+        --system \
+        --shell /bin/bash \
+        --gecos 'Git Version Control' \
+        --group \
+        --disabled-password \
+        --home /home/git \
+        $GITEA_USER
+fi
+echo "---- Gitea user created ----"
+
+# Gitea folder structure
+mkdir -p $GITEA_HOME/{custom,data,log}
+chown -R $GITEA_USER:$GITEA_USER $GITEA_HOME
+chmod -R 750 $GITEA_HOME
+
+if [ ! -f $GITEA_BINARY ]; then
+    wget -O /tmp/gitea "https://dl.gitea.com/gitea/$GITEA_VERSION/gitea-$GITEA_VERSION-linux-amd64"
+    chmod +x /tmp/gitea
+    mv /tmp/gitea $GITEA_BINARY
+fi
+echo "---- Gitea folder structure created ----"
+
+# Postgres first config
+DB_PASS=$(openssl rand -base64 12)
+sudo -u postgres psql <<EOF
+CREATE ROLE $DB_USER WITH LOGIN PASSWORD '$DB_PASS';
+CREATE DATABASE $DB_NAME WITH OWNER $DB_USER TEMPLATE template0 ENCODING UTF8 LC_COLLATE 'en_US.UTF-8' LC_CTYPE 'en_US.UTF-8';
+EOF
+
+# Create restore-backup.sh script
+cat > /usr/local/bin/restore-backup.sh <<RESTORE_EOF
+sudo -u postgres psql <<DROP_DB_USER
+DO \$\$
+BEGIN
+   IF EXISTS (SELECT FROM pg_database WHERE datname = '$DB_NAME') THEN
+       EXECUTE 'DROP DATABASE $DB_NAME';
+   END IF;
+   IF EXISTS (SELECT FROM pg_roles WHERE rolname = '$DB_USER') THEN
+       EXECUTE 'DROP ROLE $DB_USER';
+   END IF;
+END
+\$\$;
+DROP_DB_USER
+
+LATEST_BACKUP=$(ls -1 $GITEA_BACKUPS_DIR/gitea-dump-*.zip 2>/dev/null | sort | tail -n1)
+# Restore backup database, data, repos, logs if exist
+if [ -n "\$LATEST_BACKUP" ] && [ -f "\$LATEST_BACKUP" ]; then
+    TMP_DIR=$(mktemp -d)
+    unzip -o \$LATEST_BACKUP -d \$TMP_DIR
+    if [ -d \$TMP_DIR/data ]; then
+        cp -a \$TMP_DIR/data/* /var/lib/gitea/data/
+    fi
+    if [ -d \$TMP_DIR/log ]; then
+        cp -a \$TMP_DIR/log/* /var/lib/gitea/log/
+    fi
+    if [ -d \$TMP_DIR/repos ]; then
+        cp -aH \$TMP_DIR/repos/. /var/lib/gitea/data/repositories/
+    fi
+    chown -R $GITEA_USER:$GITEA_USER $GITEA_HOME
+    sudo -u postgres psql -d $DB_NAME < \$TMP_DIR/gitea-db.sql
+    sudo -u postgres psql <<EOF
+ALTER ROLE $DB_USER WITH PASSWORD '$DB_PASS';
+ALTER DATABASE $DB_NAME OWNER TO $DB_USER;
+EOF
+    sudo -u postgres psql -d "$DB_NAME" <<EOF
+DO \$\$
+DECLARE
+  r RECORD;
+BEGIN
+  -- Tables
+  FOR r IN
+    SELECT schemaname, tablename
+    FROM pg_tables
+    WHERE schemaname = 'public'
+  LOOP
+    EXECUTE format(
+      'ALTER TABLE %I.%I OWNER TO $DB_USER;',
+      r.schemaname,
+      r.tablename
+    );
+  END LOOP;
+
+  -- Sequences
+  FOR r IN
+    SELECT sequence_schema, sequence_name
+    FROM information_schema.sequences
+    WHERE sequence_schema = 'public'
+  LOOP
+    EXECUTE format(
+      'ALTER SEQUENCE %I.%I OWNER TO $DB_USER;',
+      r.sequence_schema,
+      r.sequence_name
+    );
+  END LOOP;
+END
+\$\$;
+EOF
+    rm -rf /tmp/backup
+    echo "---- Gitea restore from existing backup /backup/gitea ----"
+
+fi
+RESTORE_EOF
+chmod +x /usr/local/bin/restore-backup.sh
+
+if ls -1 "$GITEA_BACKUPS_DIR"/gitea-dump-*.zip >/dev/null 2>&1; then
+    echo "---- Backup found, restoring Gitea ----"
+    /usr/local/bin/restore-backup.sh
+else
+    echo "---- No backup found in $GITEA_BACKUPS_DIR, skipping restore ----"
+fi
+
+# Save restore backup service
+cat > /etc/systemd/system/weekly-backup.service <<EOF
+${BACKUP_RESTORE_SERVICE}
+EOF
+
+sudo chown -R $GITEA_USER:$GITEA_USER $GITEA_BACKUPS_DIR
+sudo chmod -R 770 $GITEA_BACKUPS_DIR
+# Create systemd timer for weekly backup
+cat > /usr/local/bin/backup.sh <<EOF
+#!/bin/bash
+TIMESTAMP=$(date +'%Y-%m-%d_%H%M%S')
+sudo -u "$GITEA_USER" gitea dump -c "$GITEA_HOME/app.ini" -f $GITEA_BACKUPS_DIR/gitea-dump-\$TIMESTAMP.zip"
+ls -1dt $GITEA_BACKUPS_DIR/gitea-dump-*.zip | tail -n +5 | xargs -r rm -f
+echo "Gitea backup completed at \$TIMESTAMP"
+EOF
+chmod +x /usr/local/bin/backup.sh
+
+# Systemd service for backup
+cat > /etc/systemd/system/weekly-backup.service <<EOF
+${BACKUP_SERVICE}
+EOF
+
+# Systemd timer for backup
+cat > /etc/systemd/system/weekly-backup.timer <<EOF
+${BACKUP_SERVICE_TIMER}
+EOF
+
+# Generate /var/lib/gitea/app.ini with secrets.
+GITEA_SECRET_KEY=$("$GITEA_BINARY" generate secret SECRET_KEY)
+GITEA_JWT_SECRET=$("$GITEA_BINARY" generate secret JWT_SECRET)
+GITEA_INTERNAL_TOKEN=$("$GITEA_BINARY" generate secret INTERNAL_TOKEN)
+
+mkdir -p $(dirname "$GITEA_CONF")
+cat > "$GITEA_CONF" <<EOF
+[database]
+DB_TYPE = postgres
+HOST = 127.0.0.1:5432
+NAME = $DB_NAME
+USER = $DB_USER
+PASSWD = $DB_PASS
+SSL_MODE = disable
+
+[security]
+INSTALL_LOCK = true
+SECRET_KEY = $GITEA_SECRET_KEY
+JWT_SECRET = $GITEA_JWT_SECRET
+INTERNAL_TOKEN = $GITEA_INTERNAL_TOKEN
+
+[server]
+DOMAIN = gitea.aldon.fr
+HTTP_PORT = 3000
+ROOT_URL = https://gitea.aldon.fr
+DISABLE_SSH = false
+SSH_PORT = 22
+
+[repository]
+ROOT = /var/lib/gitea/data/repositories
+
+[service]
+DISABLE_REGISTRATION = true
+EOF
+echo "---- Generated Gitea app.ini with secrets ----"
+
+chown git:git $GITEA_CONF
+chmod 640 $GITEA_CONF
+
+if [ ! -f "$GITEA_SERVICE" ]; then
+    cat <<'EOF' > "$GITEA_SERVICE"
+${GITEA_SERVICE_CONTENT}
+EOF
+    systemctl daemon-reload
+    systemctl enable gitea
+fi
+
+# Enable timer for backup
+sudo systemctl enable --now weekly-backup.timer
+sudo systemctl status weekly-backup.timer
+
+systemctl is-active --quiet gitea || systemctl start gitea
+echo "---- Gitea installation completed ----"
\ No newline at end of file
diff --git a/modules/apps/gitea/lib/scripts/create-backup.sh b/modules/apps/gitea/lib/scripts/create-backup.sh
new file mode 100644
index 0000000..9726781
--- /dev/null
+++ b/modules/apps/gitea/lib/scripts/create-backup.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+set -euo pipefail
+
+source /opt/gitea/env.sh
+
+TIMESTAMP=$(date +'%Y-%m-%d_%H%M%S')
+
+sudo -u "$GITEA_USER" gitea dump -c "$GITEA_HOME/app.ini" -f $GITEA_BACKUPS_DIR/gitea-dump-\$TIMESTAMP.zip
+
+ls -1dt $GITEA_BACKUPS_DIR/gitea-dump-*.zip | tail -n +5 | xargs -r rm -f
diff --git a/modules/apps/gitea/lib/scripts/env.sh b/modules/apps/gitea/lib/scripts/env.sh
new file mode 100644
index 0000000..10ef664
--- /dev/null
+++ b/modules/apps/gitea/lib/scripts/env.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+set -euo pipefail
+
+GITEA_HOME="/var/lib/gitea"
+GITEA_CONF="$GITEA_HOME/app.ini"
+GITEA_USER="git"
+GITEA_VERSION="1.25.3"
+GITEA_BINARY="/usr/local/bin/gitea"
+GITEA_SERVICE="/etc/systemd/system/gitea.service"
+DB_NAME="giteadb"
+DB_USER="gitea"
+GITEA_BACKUPS_DIR="/backups/gitea"
diff --git a/modules/apps/gitea/lib/scripts/install-gitea.sh b/modules/apps/gitea/lib/scripts/install-gitea.sh
new file mode 100644
index 0000000..629961f
--- /dev/null
+++ b/modules/apps/gitea/lib/scripts/install-gitea.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+set -euo pipefail
+
+source /opt/gitea/env.sh
+
+# Gitea user
+if ! id -u $GITEA_USER >/dev/null 2>&1; then
+    adduser \
+        --system \
+        --shell /bin/bash \
+        --gecos 'Git Version Control' \
+        --group \
+        --disabled-password \
+        --home /home/git \
+        $GITEA_USER
+fi
+echo "---- Gitea user created ----"
+
+# Gitea folder structure
+mkdir -p $GITEA_HOME/{custom,data,log}
+chown -R $GITEA_USER:$GITEA_USER $GITEA_HOME
+chmod -R 750 $GITEA_HOME
+
+if [ ! -f $GITEA_BINARY ]; then
+    wget -O /tmp/gitea "https://dl.gitea.com/gitea/$GITEA_VERSION/gitea-$GITEA_VERSION-linux-amd64"
+    chmod +x /tmp/gitea
+    mv /tmp/gitea $GITEA_BINARY
+fi
+echo "---- Gitea folder structure created ----"
+
+# Postgres initial config
+DB_PASS=$(openssl rand -base64 12)
+sudo -u postgres psql <<EOF
+CREATE ROLE $DB_USER WITH LOGIN PASSWORD '$DB_PASS';
+CREATE DATABASE $DB_NAME WITH OWNER $DB_USER TEMPLATE template0 ENCODING UTF8 LC_COLLATE 'en_US.UTF-8' LC_CTYPE 'en_US.UTF-8';
+EOF
+
+if ls -1 "$GITEA_BACKUPS_DIR"/gitea-dump-*.zip >/dev/null 2>&1; then
+    echo "---- Backup found, restoring Gitea ----"
+    /usr/local/bin/restore-backup.sh
+else
+    echo "---- No backup found in $GITEA_BACKUPS_DIR, skipping restore ----"
+fi
+
+sudo chown -R $GITEA_USER:$GITEA_USER $GITEA_BACKUPS_DIR
+sudo chmod -R 770 $GITEA_BACKUPS_DIR
+
+GITEA_SECRET_KEY=$("$GITEA_BINARY" generate secret SECRET_KEY)
+GITEA_JWT_SECRET=$("$GITEA_BINARY" generate secret JWT_SECRET)
+GITEA_INTERNAL_TOKEN=$("$GITEA_BINARY" generate secret INTERNAL_TOKEN)
+
+mkdir -p $(dirname "$GITEA_CONF")
+cat > "$GITEA_CONF" <<EOF
+[database]
+DB_TYPE = postgres
+HOST = 127.0.0.1:5432
+NAME = $DB_NAME
+USER = $DB_USER
+PASSWD = $DB_PASS
+SSL_MODE = disable
+
+[security]
+INSTALL_LOCK = true
+SECRET_KEY = $GITEA_SECRET_KEY
+JWT_SECRET = $GITEA_JWT_SECRET
+INTERNAL_TOKEN = $GITEA_INTERNAL_TOKEN
+
+[server]
+DOMAIN = gitea.aldon.fr
+HTTP_PORT = 3000
+ROOT_URL = https://gitea.aldon.fr
+DISABLE_SSH = false
+SSH_PORT = 22
+
+[repository]
+ROOT = /var/lib/gitea/data/repositories
+
+[service]
+DISABLE_REGISTRATION = true
+EOF
+echo "---- Generated Gitea app.ini with secrets ----"
+
+chown git:git $GITEA_CONF
+chmod 640 $GITEA_CONF
+
+systemctl daemon-reload
+systemctl enable gitea
+
+systemctl is-active --quiet gitea || systemctl start gitea
+echo "---- Gitea installation completed ----"
\ No newline at end of file
diff --git a/modules/apps/gitea/lib/scripts/restore-backup.sh b/modules/apps/gitea/lib/scripts/restore-backup.sh
new file mode 100644
index 0000000..951aabd
--- /dev/null
+++ b/modules/apps/gitea/lib/scripts/restore-backup.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+set -euo pipefail
+
+source /opt/gitea/env.sh
+
+sudo -u postgres psql <<EOF
+DO \$\$
+BEGIN
+   IF EXISTS (SELECT FROM pg_database WHERE datname = '$DB_NAME') THEN
+       EXECUTE 'DROP DATABASE $DB_NAME';
+   END IF;
+   IF EXISTS (SELECT FROM pg_roles WHERE rolname = '$DB_USER') THEN
+       EXECUTE 'DROP ROLE $DB_USER';
+   END IF;
+END
+\$\$;
+EOF
+
+LATEST_BACKUP=$(ls -1 $GITEA_BACKUPS_DIR/gitea-dump-*.zip 2>/dev/null | sort | tail -n1)
+
+if [ -n "$LATEST_BACKUP" ] && [ -f "$LATEST_BACKUP" ]; then
+    TMP_DIR=$(mktemp -d)
+    unzip -o $LATEST_BACKUP -d $TMP_DIR
+    [ -d $TMP_DIR/data ] && cp -a $TMP_DIR/data/* /var/lib/gitea/data/
+    [ -d $TMP_DIR/log ] && cp -a $TMP_DIR/log/* /var/lib/gitea/log/
+    [ -d $TMP_DIR/repos ] && cp -aH $TMP_DIR/repos/. /var/lib/gitea/data/repositories/
+    chown -R $GITEA_USER:$GITEA_USER $GITEA_HOME
+    sudo -u postgres psql -d $DB_NAME < $TMP_DIR/gitea-db.sql
+    sudo -u postgres psql -d "$DB_NAME" <<EOF
+DO \$\$
+DECLARE
+  r RECORD;
+BEGIN
+  -- Tables
+  FOR r IN
+    SELECT schemaname, tablename
+    FROM pg_tables
+    WHERE schemaname = 'public'
+  LOOP
+    EXECUTE format(
+      'ALTER TABLE %I.%I OWNER TO $DB_USER;',
+      r.schemaname,
+      r.tablename
+    );
+  END LOOP;
+
+  -- Sequences
+  FOR r IN
+    SELECT sequence_schema, sequence_name
+    FROM information_schema.sequences
+    WHERE sequence_schema = 'public'
+  LOOP
+    EXECUTE format(
+      'ALTER SEQUENCE %I.%I OWNER TO $DB_USER;',
+      r.sequence_schema,
+      r.sequence_name
+    );
+  END LOOP;
+END
+\$\$;
+EOF
+fi
\ No newline at end of file
diff --git a/modules/apps/gitea/lib/services/gitea.service b/modules/apps/gitea/lib/services/gitea.service
new file mode 100644
index 0000000..e8b3be8
--- /dev/null
+++ b/modules/apps/gitea/lib/services/gitea.service
@@ -0,0 +1,42 @@
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=network.target
+
+#Wants=postgresql.service
+#After=postgresql.service
+[Service]
+# Uncomment the next line if you have repos with lots of files and get a HTTP 500 error because of that
+# LimitNOFILE=524288:524288
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=/var/lib/gitea/
+# If using Unix socket: tells systemd to create the /run/gitea folder, which will contain the gitea.sock file
+# (manually creating /run/gitea doesn't work, because it would not persist across reboots)
+#RuntimeDirectory=gitea
+ExecStart=/usr/local/bin/gitea web --config /var/lib/gitea/app.ini
+Restart=always
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
+# If you install Git to directory prefix other than default PATH (which happens
+# for example if you install other versions of Git side-to-side with
+# distribution version), uncomment below line and add that prefix to PATH
+# Don't forget to place git-lfs binary on the PATH below if you want to enable
+# Git LFS support
+#Environment=PATH=/path/to/git/bin:/bin:/sbin:/usr/bin:/usr/sbin
+# If you want to bind Gitea to a port below 1024, uncomment
+# the two values below, or use socket activation to pass Gitea its ports as above
+###
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+###
+# In some cases, when using CapabilityBoundingSet and AmbientCapabilities option, you may want to
+# set the following value to false to allow capabilities to be applied on gitea process. The following
+# value if set to true sandboxes gitea service and prevent any processes from running with privileges
+# in the host user namespace.
+###
+#PrivateUsers=false
+###
+
+[Install]
+WantedBy=multi-user.target
diff --git a/modules/apps/gitea/lib/services/restore-backup.service b/modules/apps/gitea/lib/services/restore-backup.service
new file mode 100644
index 0000000..f617ae0
--- /dev/null
+++ b/modules/apps/gitea/lib/services/restore-backup.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Restore latest Gitea backup
+After=network.target postgresql.service gitea.service
+Requires=postgresql.service gitea.service
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/usr/local/bin/restore-backup.sh
+WorkingDirectory=/var/lib/gitea
+TimeoutStartSec=600
\ No newline at end of file
diff --git a/modules/apps/gitea/lib/services/weekly-backup.service b/modules/apps/gitea/lib/services/weekly-backup.service
new file mode 100644
index 0000000..3f78fed
--- /dev/null
+++ b/modules/apps/gitea/lib/services/weekly-backup.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Weekly Gitea Backup
+Wants=network.target
+After=network.target gitea.service
+Before=shutdown.target reboot.target halt.target
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/usr/local/bin/backup.sh
\ No newline at end of file
diff --git a/modules/apps/gitea/lib/services/weekly-backup.timer b/modules/apps/gitea/lib/services/weekly-backup.timer
new file mode 100644
index 0000000..abf3e34
--- /dev/null
+++ b/modules/apps/gitea/lib/services/weekly-backup.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run Gitea backup weekly
+
+[Timer]
+OnCalendar=Sun *-*-* 01:00:00
+Persistent=true
+
+[Install]
+WantedBy=timers.target
\ No newline at end of file
diff --git a/modules/apps/gitea/main.tf b/modules/apps/gitea/main.tf
new file mode 100644
index 0000000..8186fdf
--- /dev/null
+++ b/modules/apps/gitea/main.tf
@@ -0,0 +1,34 @@
+module "vm" {
+  source      = "../../vm"
+  name        = var.name
+  hostname    = var.hostname
+  domain      = var.domain
+  vm_id       = var.vm_id
+  node_name   = var.node_name
+
+  template_id = var.template_id
+
+  cores       = var.cores
+  memory      = var.memory
+  disk_size   = var.disk_size
+
+  ssh_public_key  = var.ssh_public_key
+  proxmox_host_ip = var.proxmox_host_ip
+  cloudinit_config = templatefile(
+      "${path.module}/cloud-init/service.yaml",
+      {
+        hostname        = var.hostname
+        domain          = var.domain
+        ssh_key         = var.ssh_public_key
+        proxmox_host_ip = var.proxmox_host_ip
+        environment-setup-script = indent(6, file("${path.module}/lib/scripts/env.sh"))
+        restore-backup-script = indent(6, file("${path.module}/lib/scripts/restore-backup.sh"))
+        restore-backup-service = indent(6, file("${path.module}/lib/services/restore-backup.service"))
+        create-backup-script = indent(6, file("${path.module}/lib/scripts/create-backup.sh"))
+        create-backup-service = indent(6, file("${path.module}/lib/services/weekly-backup.service"))
+        create-backup-timer = indent(6, file("${path.module}/lib/services/weekly-backup.timer"))
+        install-gitea-script = indent(6, file("${path.module}/lib/scripts/install-gitea.sh"))
+        gitea-service = indent(6, file("${path.module}/lib/services/gitea.service"))
+      }
+    )
+}
\ No newline at end of file
diff --git a/modules/apps/gitea/variables.tf b/modules/apps/gitea/variables.tf
new file mode 100644
index 0000000..c837103
--- /dev/null
+++ b/modules/apps/gitea/variables.tf
@@ -0,0 +1,52 @@
+variable "name" {
+  type = string
+}
+
+variable "vm_id" {
+  type = number
+}
+
+variable "node_name" {
+  type    = string
+  default = "mop"
+}
+
+variable "cores" {
+  type    = number
+  default = 2
+}
+
+variable "memory" {
+  type    = number
+  default = 2048
+}
+
+variable "template_id" {
+  type = number
+}
+
+variable "ssh_public_key" {
+  type        = string
+  description = "Public SSH key for cloud-init user"
+}
+
+variable "hostname" {
+  description = "VM hostname"
+  type        = string
+  default     = "test"
+}
+
+variable "domain" {
+  description = "VM domain"
+  type        = string
+  default     = ""
+}
+
+variable "disk_size" {
+  type    = number
+  default = 10
+}
+
+variable "proxmox_host_ip" {
+  type = string
+}
\ No newline at end of file
diff --git a/modules/vm/cloud-init/meta_data b/modules/vm/cloud-init/meta_data
new file mode 100644
index 0000000..e69de29
diff --git a/modules/vm/main.tf b/modules/vm/main.tf
new file mode 100644
index 0000000..bee61ca
--- /dev/null
+++ b/modules/vm/main.tf
@@ -0,0 +1,78 @@
+terraform {
+  required_providers {
+    proxmox = {
+      source  = "bpg/proxmox"
+      version = "0.42.0"
+    }
+  }
+}
+
+resource "proxmox_virtual_environment_file" "cloud_user_config" {
+  content_type = "snippets"
+  datastore_id = "local"
+  node_name    = var.node_name
+
+  source_raw {
+    data = var.cloudinit_config
+
+    file_name = "${var.hostname}.${var.domain}-user.yaml"
+  }
+}
+
+resource "proxmox_virtual_environment_file" "cloud_meta_config" {
+  content_type = "snippets"
+  datastore_id = "local"
+  node_name    = var.node_name
+
+  source_raw {
+    data = templatefile("${path.module}/cloud-init/meta_data",
+      {
+        instance_id    = sha1(var.hostname)
+        local_hostname = var.hostname
+      }
+    )
+
+    file_name = "${var.hostname}.${var.domain}-meta_data.yaml"
+  }
+}
+
+resource "proxmox_virtual_environment_vm" "vm" {
+  name      = var.name
+  vm_id     = var.vm_id
+  node_name = var.node_name
+
+  clone {
+    vm_id = var.template_id
+  }
+
+  cpu {
+    cores = var.cores
+  }
+
+  memory {
+    dedicated = var.memory
+  }
+
+  disk {
+    interface    = "scsi0"
+    iothread     = true
+    datastore_id = "local-lvm"
+    size         = var.disk_size
+    discard      = "ignore"
+  }
+
+  agent {
+    enabled = true
+  }
+
+  network_device {
+    bridge = "vmbr0"
+  }
+
+  initialization {
+    datastore_id      = "local-lvm"
+    interface         = "ide2"
+    user_data_file_id = proxmox_virtual_environment_file.cloud_user_config.id
+    meta_data_file_id = proxmox_virtual_environment_file.cloud_meta_config.id
+  }
+}
\ No newline at end of file
diff --git a/modules/vm/outputs.tf b/modules/vm/outputs.tf
new file mode 100644
index 0000000..946a402
--- /dev/null
+++ b/modules/vm/outputs.tf
@@ -0,0 +1,7 @@
+output "vm_name" {
+  value = proxmox_virtual_environment_vm.vm.name
+}
+
+output "vm_id" {
+  value = proxmox_virtual_environment_vm.vm.vm_id
+}
\ No newline at end of file
diff --git a/modules/vm/variables.tf b/modules/vm/variables.tf
new file mode 100644
index 0000000..00e9b28
--- /dev/null
+++ b/modules/vm/variables.tf
@@ -0,0 +1,56 @@
+variable "name" {
+  type = string
+}
+
+variable "vm_id" {
+  type = number
+}
+
+variable "node_name" {
+  type    = string
+  default = "mop"
+}
+
+variable "cores" {
+  type    = number
+  default = 2
+}
+
+variable "memory" {
+  type    = number
+  default = 2048
+}
+
+variable "template_id" {
+  type = number
+}
+
+variable "ssh_public_key" {
+  type        = string
+  description = "Public SSH key for cloud-init user"
+}
+
+variable "hostname" {
+  description = "VM hostname"
+  type        = string
+  default     = "test"
+}
+
+variable "domain" {
+  description = "VM domain"
+  type        = string
+  default     = ""
+}
+
+variable "disk_size" {
+  type    = number
+  default = 10
+}
+
+variable "proxmox_host_ip" {
+  type = string
+}
+
+variable "cloudinit_config" {
+  type = string
+}
\ No newline at end of file
diff --git a/terraform.tfvars.example b/terraform.tfvars.example
new file mode 100644
index 0000000..0e553c3
--- /dev/null
+++ b/terraform.tfvars.example
@@ -0,0 +1,4 @@
+ssh_public_key = "<ssh-public-key>"
+proxmox_api_token = "<proxmox-api-token>"
+proxmox_endpoint = "http://mop:8006"
+proxmox_host_ip = "192.168.1.121"
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..d9a6e9a
--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,19 @@
+variable "proxmox_api_token" {
+  description = "Token to connect Proxmox API"
+  type        = string
+}
+
+variable "ssh_public_key" {
+  description = "SSH client public key"
+  type        = string
+}
+
+variable "proxmox_endpoint" {
+  description = "Proxmox endpoint"
+  type        = string
+}
+
+variable "proxmox_host_ip" {
+    description = "Proxmox ip for backup nfs share"
+    type = string
+}
\ No newline at end of file