---
# Gitea (rootless image) published through Traefik: HTTPS for the web UI and a
# TCP router for Git-over-SSH. No host ports are published by this service;
# access goes through the proxy on the external `mgmt` network.
services:
  gitea:
    # Pinned to a version tag; add an image digest as well if an immutable
    # reference is required.
    image: docker.gitea.com/gitea:1.24.6-rootless
    container_name: gitea
    restart: always
    labels:
      - 'traefik.enable=true'

      # --- HTTP(S) router ---
      - 'traefik.http.routers.gitea.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`)'
      # NOTE(review): a router with tls=true only matches HTTPS requests.
      # Assuming `web` is the plain-HTTP entrypoint, requests arriving there
      # never reach this router, so any HTTP->HTTPS redirect has to be
      # configured on the entrypoint itself - confirm in the Traefik static
      # configuration (not visible here).
      - 'traefik.http.routers.gitea.tls=true'
      - 'traefik.http.routers.gitea.entrypoints=web,websecure'
      - 'traefik.http.routers.gitea.tls.certresolver=cloudflare'

      # --- Security-headers middleware ---
      # NOTE(review): SSLRedirect and SSLHost were deprecated in Traefik v2
      # and removed in v3; the Traefik version is not visible here - confirm
      # these two options are still honoured by the proxy in use.
      - 'traefik.http.middlewares.gitea.headers.SSLRedirect=true'
      # HSTS max-age of 315360000 s (3650 days). Together with
      # STSIncludeSubdomains and STSPreload below this is hard to roll back
      # once browsers have cached it.
      - 'traefik.http.middlewares.gitea.headers.STSSeconds=315360000'
      - 'traefik.http.middlewares.gitea.headers.browserXSSFilter=true'
      - 'traefik.http.middlewares.gitea.headers.contentTypeNosniff=true'
      - 'traefik.http.middlewares.gitea.headers.forceSTSHeader=true'
      - 'traefik.http.middlewares.gitea.headers.SSLHost=${DOMAIN_NAME}'
      - 'traefik.http.middlewares.gitea.headers.STSIncludeSubdomains=true'
      - 'traefik.http.middlewares.gitea.headers.STSPreload=true'
      - 'traefik.http.middlewares.gitea.headers.frameDeny=true'
      - 'traefik.http.routers.gitea.middlewares=gitea@docker'
      - 'traefik.http.services.gitea.loadbalancer.server.port=3000'

      # --- TCP router for Git over SSH ---
      # NOTE(review): HostSNI on a hostname relies on the TLS SNI extension,
      # and tls=true makes Traefik terminate TLS on this router. A stock SSH
      # client does not speak TLS, so confirm clients are expected to tunnel
      # SSH through TLS to reach this entrypoint.
      - 'traefik.tcp.routers.gitea-ssh.rule=HostSNI(`${SUBDOMAIN}.${DOMAIN_NAME}`)'
      - 'traefik.tcp.routers.gitea-ssh.entrypoints=ssh'
      - 'traefik.tcp.routers.gitea-ssh.service=gitea-ssh'
      # NOTE(review): backend port 558 has to match the port Gitea's SSH
      # server listens on inside the container (set in ./config or .env, not
      # visible here); the commented-out mapping below uses 2222 - confirm.
      - 'traefik.tcp.services.gitea-ssh.loadbalancer.server.port=558'
      - 'traefik.tcp.routers.gitea-ssh.tls=true'

      # Network Traefik uses to reach this container.
      - 'traefik.docker.network=mgmt'
    # Values in .env are exposed as container environment variables; keep the
    # file out of version control and readable only by the deploying user.
    env_file:
      - '.env'
    # File-based secrets are mounted under /run/secrets/<name>. How Gitea
    # reads them is configured elsewhere (not visible here).
    secrets:
      - DB_PASS
      - SSH_PORT
    volumes:
      - 'gitea-data:/var/lib/gitea'
      - './config:/etc/gitea'
      # Host time settings, mounted read-only.
      - '/etc/timezone:/etc/timezone:ro'
      - '/etc/localtime:/etc/localtime:ro'
    # Direct host port publishing is intentionally left disabled.
    # ports:
    #   - "3000:3000"
    #   - "2222:2222"
    networks:
      - mgmt
      - db

volumes:
  gitea-data:
    name: gitea-data

# Both networks are created outside this file and must exist before `up`.
networks:
  mgmt:
    external: true
  db:
    external: true

# Secret sources are plain files next to this compose file; restrict their
# permissions and exclude .secrets/ from version control.
secrets:
  DB_PASS:
    file: '.secrets/DB_PASS'
  SSH_PORT:
    file: '.secrets/SSH_PORT'