---
# Swarm stack definition for a rootless Gitea instance published through
# Traefik (HTTPS for the web UI, a plain TCP router for SSH).
# Every ${...} reference is substituted at deploy time, so the deploying
# environment must define each one.
version: "3.8"

services:
  app:
    # Pinned to a release tag of the rootless image. A tag can be re-pointed
    # on the registry side; pin by digest as well if that matters to you.
    image: "gitea/gitea:1.21.11-rootless"

    # Both files are rendered from templates (see top-level `configs`).
    configs:
      - source: app_ini
        target: /etc/gitea/app.ini
      - source: docker_setup_sh
        target: /usr/local/bin/docker-setup.sh
        # Read + execute for everyone, no write bit.
        # NOTE(review): relies on the loader reading a leading-zero number
        # as octal -- confirm before quoting or rewriting this value.
        mode: 0555

    # Only secret names are listed; the material itself never appears here.
    # NOTE(review): `db_password` has no entry under the top-level `secrets`
    # key of this file. Presumably a database override file merged at deploy
    # time declares it -- confirm, since this file alone will not validate.
    secrets:
      - db_password
      - internal_token
      - jwt_secret
      - secret_key

    # Entries without `=` are passed through from the deploying environment.
    # Going by their names, several control registration, sign-in and
    # visibility policy (e.g. GITEA_DISABLE_REGISTRATION,
    # GITEA_REQUIRE_SIGNIN_VIEW); the effective values are set outside this
    # file, so review them where they are defined.
    environment:
      - GITEA_ALLOW_ONLY_EXTERNAL_REGISTRATION
      - GITEA_APP_NAME
      - GITEA_AUTO_WATCH_NEW_REPOS
      - GITEA_DISABLE_REGISTRATION
      - GITEA_DOMAIN=${DOMAIN}
      - GITEA_ENABLE_NOTIFY_MAIL
      - GITEA_ENABLE_OPENID_SIGNIN
      - GITEA_ENABLE_OPENID_SIGNUP
      - GITEA_SMTP_MAILER_ENABLED
      - GITEA_SSH_PORT
      - GITEA_DISABLE_GRAVATAR
      - GITEA_ENABLE_FEDERATED_AVATAR
      - GITEA_REGISTER_EMAIL_CONFIRM
      - GITEA_ENABLE_AUTO_REGISTRATION
      - GITEA_OAUTH2_USERNAME
      - GITEA_UPDATE_AVATAR
      - GITEA_ACCOUNT_LINKING
      - GITEA_OAUTH2_CLIENT_ENABLED
      - GITEA_CORS_ALLOW_DOMAIN
      - GITEA_LANDING_PAGE
      - GITEA_REPO_UPLOAD_ENABLED
      - GITEA_REPO_UPLOAD_ALLOWED_TYPES
      - GITEA_REPO_UPLOAD_MAX_SIZE
      - GITEA_REPO_UPLOAD_MAX_FILES
      - GITEA_REPO_INDEXER_ENABLED
      - GITEA_ISSUE_INDEXER_TYPE
      - GITEA_STARTUP_TIMEOUT
      - GITEA_SHOW_USER_EMAIL
      - GITEA_DISABLE_REGULAR_ORG_CREATION
      - GITEA_DEFAULT_KEEP_EMAIL_PRIVATE
      - GITEA_DEFAULT_ALLOW_CREATE_ORGANIZATION
      - GITEA_ENABLE_USER_HEATMAP
      - GITEA_DEFAULT_USER_VISIBILITY
      - GITEA_ALLOWED_USER_VISIBILITY_MODES
      - GITEA_DEFAULT_ORG_VISIBILITY
      - GITEA_REQUIRE_SIGNIN_VIEW

    # Two named volumes for state, plus the host's timezone files mounted
    # read-only (`:ro`) so the container cannot modify them.
    volumes:
      - data:/var/lib/gitea
      - config:/etc/gitea
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro

    # `proxy` is the pre-existing network shared with the reverse proxy;
    # `internal` is created by this stack.
    networks:
      - proxy
      - internal

    # Probes the health endpoint from inside the container; `-f` makes curl
    # exit non-zero on an HTTP error status.
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:3000/api/healthz"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m

    deploy:
      # Start the replacement task before stopping the old one, and roll
      # back if the update fails.
      update_config:
        failure_action: rollback
        order: start-first
      # NOTE(review): the source was collapsed onto two lines; `labels` is
      # placed under `deploy` because it follows `update_config` there --
      # confirm against the original layout.
      labels:
        - "backupbot.backup=true"
        - "traefik.enable=true"
        # HTTPS router for the web UI, certificate from the named resolver.
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=3000"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        # SSH carries no TLS SNI, so the TCP rule has to be the catch-all
        # HostSNI(`*`): every connection arriving on the `gitea-ssh`
        # entrypoint is forwarded to this service. Keep that entrypoint
        # dedicated to this stack.
        - "traefik.tcp.routers.${STACK_NAME}-ssh.rule=HostSNI(`*`)"
        - "traefik.tcp.routers.${STACK_NAME}-ssh.entrypoints=gitea-ssh"
        - "traefik.tcp.services.${STACK_NAME}-ssh.loadbalancer.server.port=${GITEA_SSH_PORT}"
        # CORS middleware on the HTTP router. The allowed origin is built
        # from GITEA_CORS_ALLOW_DOMAIN; if that variable is empty the label
        # renders as a bare `https://`, so check it is set for each deploy.
        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}_cors"
        - "traefik.http.middlewares.${STACK_NAME}_cors.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
        - "traefik.http.middlewares.${STACK_NAME}_cors.headers.accesscontrolalloworiginlist=https://${GITEA_CORS_ALLOW_DOMAIN}"
        - "traefik.http.middlewares.${STACK_NAME}_cors.headers.accesscontrolmaxage=100"
        - "traefik.http.middlewares.${STACK_NAME}_cors.headers.addvaryheader=true"
        - coop-cloud.${STACK_NAME}.version=2.7.0+1.21.11-rootless

networks:
  internal:
  # Not created by this stack; it must already exist on the swarm.
  proxy:
    external: true

# Config objects are rendered with the Go template driver. Each name carries
# a *_VERSION suffix, so changed content is published under a new name.
configs:
  app_ini:
    name: ${STACK_NAME}_app_ini_${APP_INI_VERSION}
    file: app.ini.tmpl
    template_driver: golang
  docker_setup_sh:
    name: ${STACK_NAME}_docker_setup_sh_${DOCKER_SETUP_SH_VERSION}
    file: docker-setup.sh.tmpl
    template_driver: golang

# All secrets are `external`: they must be created on the swarm before the
# stack is deployed, and no secret value is stored in this file. The version
# suffix in each name allows rotation by creating a new object and bumping
# the variable.
secrets:
  internal_token:
    name: ${STACK_NAME}_internal_token_${SECRET_INTERNAL_TOKEN_VERSION}
    external: true
  jwt_secret:
    name: ${STACK_NAME}_jwt_secret_${SECRET_JWT_SECRET_VERSION}
    external: true
  secret_key:
    name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
    external: true

volumes:
  data:
  config: