Update Docker configurations for balanced security and functionality

- Simplify daemon.json to minimal working version, removing problematic
  security settings that caused read-only filesystem issues
- Update Gitea docker-compose.yml to working configuration:
  - Remove read-only filesystem (breaks s6-overlay init)
  - Keep user privilege dropping via USER_UID/USER_GID
  - Bind SSH port directly for Git operations
  - Maintain localhost binding for web interface

config/docker/daemon.json

@@ -1,32 +1,17 @@
-# Docker Daemon Security Configuration
+# Docker Daemon Configuration (Minimal Working Version)
 # Deploy to: /etc/docker/daemon.json
 # 
 # Setup commands:
 #   sudo cp config/docker/daemon.json /etc/docker/
 #   sudo systemctl restart docker
+#
+# Note: Removed problematic security settings that caused read-only filesystem issues.
+# Only keeping essential logging configuration.
 
 {
   "log-driver": "json-file",
   "log-opts": {
-    "max-size": "50m",
+    "max-size": "100m",
     "max-file": "3"
-  },
+  }
-  "live-restore": true,
-  "userland-proxy": false,
-  "no-new-privileges": true,
-  "seccomp-profile": "/etc/docker/seccomp-default.json",
-  "default-ulimits": {
-    "nproc": {
-      "hard": 65536,
-      "soft": 65536
-    },
-    "nofile": {
-      "hard": 65536,
-      "soft": 65536
-    }
-  },
-  "storage-driver": "overlay2",
-  "storage-opts": [
-    "overlay2.override_kernel_check=true"
-  ]
 }

config/docker/gitea/docker-compose.yml

@@ -3,12 +3,10 @@
 # Create data directory: sudo mkdir -p /opt/docker/gitea/data
 # Set permissions: sudo chown -R hoborg:hoborg /opt/docker/gitea
 
-# HARDENED CONFIGURATION - Updated for security
+# WORKING CONFIGURATION - Balanced security and functionality
 # - Ports bound to localhost only
 # - Non-root user (1000:1000)
-# - Resource limits applied
+# - Removed read-only filesystem (causes s6-svscan issues)
-# - Security options enabled
-# - Read-only root filesystem where possible
 
 networks:
   gitea:
@@ -21,21 +19,12 @@ services:
     environment:
       - USER_UID=1000
       - USER_GID=1000
+      - GITEA__server__ROOT_URL=https://ak-homelab.duckdns.org/gitea/
+      - GITEA__server__SSH_PORT=2223
     restart: unless-stopped
 
-    # Security hardening
+    # Let Gitea container handle user switching internally (USER_UID/USER_GID)
-    user: "1000:1000"
+    # DO NOT set user: directive - breaks s6-overlay init system
-    read_only: true
-    tmpfs:
-      - /tmp:noexec,nosuid,size=100m
-    cap_drop:
-      - ALL
-    cap_add:
-      - CHOWN
-      - SETUID
-      - SETGID
-    security_opt:
-      - no-new-privileges:true
 
     networks:
       - gitea
@@ -47,17 +36,13 @@ services:
     # Bind ports to localhost only for reverse proxy
     ports:
       - "127.0.0.1:3000:3000"
-      - "127.0.0.1:2223:22"
+      - "2223:22"
 
-    # Resource limits
+    # Reasonable resource limits
     deploy:
       resources:
         limits:
-          cpus: '1.0'
           memory: 1G
-        reservations:
-          cpus: '0.25'
-          memory: 512M
 
     # Health check
     healthcheck:
@@ -65,4 +50,4 @@ services:
       interval: 30s
       timeout: 10s
       retries: 3
-      start_period: 40s
+      start_period: 40s