homelab/config/docker/gitea/docker-compose.yml
Arpad Krejczinger e608ce6d5b Update Docker configurations for balanced security and functionality
- Simplify daemon.json to minimal working version, removing problematic
  security settings that caused read-only filesystem issues
- Update Gitea docker-compose.yml to working configuration:
  - Remove read-only filesystem (breaks s6-overlay init)
  - Keep user privilege dropping via USER_UID/USER_GID
  - Bind SSH port directly for Git operations
  - Maintain localhost binding for web interface
2025-09-13 20:49:34 +02:00


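---
# DEPLOYMENT LOCATION: /opt/docker/gitea/docker-compose.yml
# Move this file with: sudo cp gitea-docker-compose.yml /opt/docker/gitea/docker-compose.yml
# Create data directory: sudo mkdir -p /opt/docker/gitea/data
# Set permissions: sudo chown -R hoborg:hoborg /opt/docker/gitea
#   (assumes hoborg is UID/GID 1000, matching USER_UID/USER_GID below;
#   verify with `id hoborg`)
# WORKING CONFIGURATION - Balanced security and functionality
# - Web UI (3000) bound to localhost only; SSH (2223) is published on all
#   host interfaces
# - Gitea runs as non-root user (1000:1000); the container switches user
#   internally
# - Removed read-only filesystem (causes s6-svscan issues)
networks:
  gitea:
    external: false

services:
  server:
    # NOTE(review): `latest` is a floating tag, so every pull can bring in a
    # different, unreviewed image. Pin a specific release tag or digest
    # (e.g. gitea/gitea:<PINNED_VERSION>) and upgrade deliberately.
    image: gitea/gitea:latest
    container_name: gitea
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - GITEA__server__ROOT_URL=https://ak-homelab.duckdns.org/gitea/
      # Port advertised in clone URLs; must match the host side of the SSH
      # port mapping below.
      - GITEA__server__SSH_PORT=2223
    restart: unless-stopped
    # Let Gitea container handle user switching internally (USER_UID/USER_GID)
    # DO NOT set user: directive - breaks s6-overlay init system
    networks:
      - gitea
    volumes:
      # Relative to the directory holding this compose file.
      - ./data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      # Web UI: reachable from the host only, for the reverse proxy.
      - "127.0.0.1:3000:3000"
      # Git over SSH: no host address given, so this listens on every host
      # interface. Docker publishes ports through its own iptables rules, so
      # host firewalls such as ufw do not filter it by default. Restrict it
      # upstream, or prefix a specific interface address, if SSH should not
      # be reachable from every network.
      - "2223:22"
    # Reasonable resource limits
    # Applied by Docker Compose v2; legacy docker-compose v1 ignores `deploy:`
    # outside Swarm unless run with --compatibility.
    deploy:
      resources:
        limits:
          memory: 1G
    # Health check (runs inside the container, so localhost is the container)
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:3000/api/healthz"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s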