volumes:
  traefik: { driver: local }

services:
  traefik:
    image: docker.io/traefik:${TRAEFIK_RELEASE:-v2.9.8}
    restart: always
    command:
      - --api.insecure=false
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --certificatesresolvers.le.acme.email=${LETSENCRYPT_EMAIL?need email for cert expiry notifications}
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
    ports:
      - 80:80
      - 443:443
    volumes:
      - traefik:/letsencrypt:rw
      - /run/docker.sock:/var/run/docker.sock:ro
    networks:
      - default

  gitea:
    image: gitea/gitea:1.22.3-rootless
    environment:
      # Database
      - GITEA__database__DB_TYPE=mysql
      - GITEA__database__HOST=db:3306
      - GITEA__database__NAME=${GITEA__database__NAME}
      - GITEA__database__USER=${GITEA__database__USER}
      - GITEA__database__PASSWD=${GITEA__database__PASSWD}
      # Mailer
      - GITEA__mailer__ENABLED=true
      - GITEA__mailer__FROM=${GITEA__mailer__FROM:?GITEA__mailer__FROM not set}
      - GITEA__mailer__SMTP_ADDR=${GITEA__mailer__SMTP_ADDR:?GITEA__mailer__SMTP_ADDR not set}
      - GITEA__mailer__USER=${GITEA__mailer__USER:-apikey}
      - GITEA__mailer__PASSWD=${GITEA__mailer__PASSWD:?GITEA__mailer__PASSWD not set}
      - GITEA__mailer__SMTP_PORT=${GITEA__mailer__SMTP_PORT:?GITEA__mailer__SMTP_PORT not set}
      - GITEA__mailer__PROTOCOL=${GITEA__mailer__PROTOCOL:?GITEA__mailer__PROTOCOL not set}
      # Service
      - GITEA__service__REGISTER_EMAIL_CONFIRM=true
      - GITEA__service__ENABLE_CAPTCHA=true
      - GITEA__service__REQUIRE_CAPTCHA_FOR_LOGIN=true
      - GITEA__service__KEEP_EMAIL_PRIVATE=true
      - GITEA__service__DEFAULT_ALLOW_CREATE_ORGANIZATION=false
      # Repository
      - GITEA__repository__DEFAULT_PRIVATE=true
      - GITEA__repository__MAX_CREATION_LIMIT=0
      - GITEA__repository__DISABLE_MIGRATIONS=false
      # Default
      # Fails due to special character - override in app.ini
      # - GITEA__APP_NAME="moeny: git moeny with a cup of gitea"
      - GITEA__RUN_MODE=prod
      # Security
      - GITEA__security__INSTALL_LOCK=true
      - GITEA__security__MIN_PASSWORD_LENGTH=8
    restart: always
    volumes:
      - ./data:/var/lib/gitea
      - ./config:/etc/gitea
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "3000:3000"
      - "2222:2222"
    depends_on:
      - db
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.gitea.rule=Host(`${DOMAIN:?DOMAIN not set}`)"
      - "traefik.http.routers.gitea.entrypoints=websecure"
      - "traefik.http.routers.gitea.tls=true"
      - "traefik.http.routers.gitea.tls.certresolver=le"
      - "traefik.http.services.gitea.loadbalancer.server.port=3000"
    networks:
      - default

  db:
    image: mysql:8
    restart: always
    environment:
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
      - MYSQL_USER=${MYSQL_USER}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
      - MYSQL_DATABASE=${MYSQL_DATABASE}
    volumes:
      - ./mysql:/var/lib/mysql
    networks:
      - default

networks:
  default:
    name: gitea_default