# Gitea - Git server
# Port: 3000
# Lightweight self-hosted Git service

services:
  db:
    image: postgres:16-bookworm
    container_name: Gitea-DB
    hostname: gitea-db
    security_opt:
      - no-new-privileges:true
    healthcheck:
      test: ["CMD", "pg_isready", "-q", "-d", "gitea", "-U", "giteauser"]
      timeout: 45s
      interval: 10s
      retries: 10
    user: 1026:100
    volumes:
      - /volume1/docker/gitea/db:/var/lib/postgresql/data:rw
    environment:
      - POSTGRES_DB=gitea
      - POSTGRES_USER=giteauser
      - POSTGRES_PASSWORD="REDACTED_PASSWORD"
    restart: unless-stopped

  web:
    image: gitea/gitea:latest
    container_name: Gitea
    hostname: gitea
    security_opt:
      - no-new-privileges:true
    healthcheck:
      test: wget --no-verbose --tries=1 --spider http://localhost:3000/ || exit 1
    ports:
      - 3052:3000
      - 2222:22
    volumes:
      - /volume1/docker/gitea/data:/data
      - /etc/TZ:/etc/TZ:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - USER_UID=1026
      - USER_GID=100
      - GITEA__database__DB_TYPE=postgres
      - GITEA__database__HOST=gitea-db:5432
      - GITEA__database__NAME=gitea
      - GITEA__database__USER=giteauser
      - GITEA__database__PASSWD="REDACTED_PASSWORD"
      - ROOT_URL=https://git.vish.gg
      # Authentik OAuth2 SSO Configuration
      - GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION=true
      - GITEA__oauth2_client__ACCOUNT_LINKING=auto
      - GITEA__oauth2_client__UPDATE_AVATAR=true
      - GITEA__oauth2_client__OPENID_CONNECT_SCOPES=openid email profile
    restart: unless-stopped