From 31a9568fd4b68fe2289fe69ad97efcbbd66416e3 Mon Sep 17 00:00:00 2001 From: Arpad Krejczinger Date: Sat, 13 Sep 2025 20:51:53 +0200 Subject: [PATCH] Add gitea security notes --- docs/security-configurations.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/docs/security-configurations.md b/docs/security-configurations.md index 886eef5..dbdd60a 100644 --- a/docs/security-configurations.md +++ b/docs/security-configurations.md @@ -45,11 +45,19 @@ This document catalogs all security-related configuration files in the homelab r ### Gitea Security - **Config File**: `config/docker/gitea/docker-compose.yml` +- **Deploy To**: `/opt/docker/gitea/docker-compose.yml` - **Security Features**: - - Custom SSH port (2223) - - Database isolation - - Volume permissions - - Network restrictions + - Custom SSH port (2223) for Git operations + - Web UI bound to localhost only (127.0.0.1:3000) for reverse proxy + - Non-root user operation via USER_UID/USER_GID environment variables + - Resource limits (1G memory) + - Health checking for service monitoring + - s6-overlay compatible configuration (no read-only filesystem) +- **Security Notes**: + - SSH port 2223 bound to all interfaces for external Git access + - Web port 3000 bound to localhost only for nginx proxy security + - Avoid Docker `user:` directive (breaks s6-overlay init system) + - Use environment variables for privilege dropping instead ### Jellyfin Security - **Config File**: `config/docker/jellyfin/docker-compose.yml`
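Review bot: the "Non-root user operation via USER_UID/USER_GID environment variables" bullet overstates what those variables do, and the "Security Notes" in the same hunk contradict it: USER_UID/USER_GID only set the UID/GID of the internal git user that s6-overlay drops to for the Gitea process, while the container itself (the s6 init, sshd) still starts as root, which is exactly why the notes say to avoid the `user:` directive. Reword the bullet to "Gitea process runs as an unprivileged user (USER_UID/USER_GID); container init still runs as root" so the file does not claim a hardening the compose file does not provide, or consider the rootless Gitea image variant if a true non-root container is the goal. Two smaller points: the hunk silently drops "Database isolation" and "Network restrictions" from the feature list without saying whether the compose file lost them or they were never accurate, which a reader of this catalog cannot tell; and "SSH port 2223 bound to all interfaces for external Git access" should name the host-side firewall or allowlist that limits who can reach that port, since a plain all-interfaces bind on a git SSH service is the one exposed surface this section documents.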