services:
  server:
    image: gitea/gitea@sha256:1926e89ad28358ef2146bb8a1b9c3ba24bae681cb02b72d2df11125fdc675abe
    container_name: gitea
    restart: unless-stopped
    depends_on:
      db:
        condition: service_healthy
    environment:
      - GITEA__database__DB_TYPE=postgres
      - GITEA__database__HOST=db:5432
      - GITEA__database__NAME=gitea
      - GITEA__database__USER=gitea
      - GITEA__database__PASSWD_FILE=/run/secrets/gitea_db_password

      - GITEA__server__DOMAIN=${GITEA_DOMAIN}
      - GITEA__server__ROOT_URL=https://${GITEA_DOMAIN}
      - GITEA__server__SSH_PORT=2222
      - GITEA__server__SSH_LISTEN_PORT=2222

      - GITEA__service__DISABLE_REGISTRATION=true
      - GITEA__service__ENABLE_BASIC_AUTHENTICATION=false
      - GITEA__service__ENABLE_PASSWORD_SIGNIN_FORM=false
      - GITEA__service__ENABLE_PASSKEY_AUTHENTICATION=false
      - GITEA__openid__ENABLE_OPENID_SIGNIN=false
      - GITEA__openid__ENABLE_OPENID_SIGNUP=false

      - GITEA__actions__ENABLED=true
      - GITEA__packages__ENABLED=true
    networks:
      - homelab_apps
      - gitea_db_net
    ports:
      - "2222:2222"
    volumes:
      - gitea_data:/var/lib/gitea
      - gitea_config:/etc/gitea
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    secrets:
      - gitea_db_password
    labels:
      - traefik.enable=true
      - traefik.docker.network=homelab_apps
      - traefik.http.routers.gitea.rule=Host(`${GITEA_DOMAIN}`)
      - traefik.http.routers.gitea.entrypoints=websecure
      - traefik.http.routers.gitea.tls=true
      - traefik.http.routers.gitea.tls.certresolver=le
      - traefik.http.services.gitea.loadbalancer.server.port=3000

  db:
    image: postgres@sha256:035b9ab53cfa147d7202b61f5f7782b939ae815b7d6bc81c96b7b42ff1fca950
    container_name: gitea_db
    restart: unless-stopped
    environment:
      - POSTGRES_DB=gitea
      - POSTGRES_USER=gitea
      - POSTGRES_PASSWORD_FILE=/run/secrets/gitea_db_password
    networks:
      - gitea_db_net
    volumes:
      - gitea_db_data:/var/lib/postgresql
    secrets:
      - gitea_db_password
    healthcheck:
      interval: 30s
      retries: 5
      start_period: 20s
      test:
        - CMD-SHELL
        - pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}
      timeout: 5s

  runner:
    image: gitea/act_runner:latest
    container_name: gitea_runner
    restart: unless-stopped
    depends_on:
      - server
    environment:
      GITEA_INSTANCE_URL: https://${GITEA_DOMAIN}
      GITEA_RUNNER_REGISTRATION_TOKEN_FILE: /run/secrets/gitea_runner_token
      GITEA_RUNNER_NAME: homelab-runner
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - gitea_runner_data:/data
    secrets:
      - gitea_runner_token

volumes:
  gitea_data:
    driver: local
  gitea_config:
    driver: local
  gitea_db_data:
    driver: local
  gitea_runner_data:
    driver: local

networks:
  homelab_apps:
    external: true
  gitea_db_net:
    internal: true

secrets:
  gitea_db_password:
    environment: GITEA_DB_PASSWORD
  gitea_runner_token:
    environment: GITEA_RUNNER_TOKEN