defined basic stack

2026-01-08 13:05:18 +01:00
commit 619e7433fe
3 changed files with 109 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -0,0 +1,42 @@
+This is stack definition for Gite server running as Docker container.
+
+# Specs
+
+* HTTPS publishing
+    * published via Traefik at "gitea.budakova.org"
+    * uses TLS provided by Let's Encrypt
+* uses `/home/knee-cola/docker/d-gitea/` as root in which directories mounted for Gitea image reside
+
+## Why TLS
+
+TLS is used to that docker registry, which is a part of Gitea can be served over HTTPS using LAN IP address.
+
+# Installation
+
+1. create directories on docker host machine
+
+```bash
+cd /home/knee-cola/docker/
+mkdir -p ./d-gitea
+mkdir -p ./d-gitea/data
+mkdir -p ./d-gitea/config
+sudo chown 1000:1000 ./d-gitea/config/ ./d-gitea/data/
+```
+
+2. Deploy stack/service
+
+Use Portainer to deploy `docker-compose.yaml`
+
+This container doesn't use any env variables.
+
+3. Publish the Gitea web console
+
+At Cloudflare under ZeroTrust configure tunnel connecting the machine to CloudFlare: add a new published website `gitea.budakova.org` pointing to `https://10.10.1.200`
+
+4. Publish Gitea registry
+
+At CloudFlare create a new A DNS record `registry.budakova.org` pointing to local IP address `10.10.1.200`.
+
+5. Access the UI console
+
+Complete the setup in web console at https://gitea.budakova.org
--- a/deploy.sh
+++ b/deploy.sh
@@ -0,0 +1,5 @@
+# creating volumes which will be mounted as volume in container
+mkdir -p config
+mkdir -p data
+
+sudo chown 1000:1000 config/ data/
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -0,0 +1,62 @@
+version: "3.9"
+
+networks:
+  traefik-network:
+    name: traefik-network
+    external: true
+
+services:
+  server:
+    image: docker.gitea.com/gitea:1.25.3-rootless
+    networks:
+      - traefik-network
+    restart: always
+    stop_grace_period: 1m # Allow Gitea time to shut down gracefully
+    healthcheck:
+      test: ["CMD", "wget", "-q", "--spider", "http://localhost:3000/api/healthz"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 200s
+
+    volumes:
+      - ./data:/var/lib/gitea
+      - ./config:/etc/gitea
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+
+    # HTTP handled by Traefik; expose is optional but clarifies intent
+    expose:
+      - "3000"
+    ports:
+      - "2222:2222" # SSH port
+
+    environment:
+      # Ensure Gitea generates correct URLs (adjust if you terminate TLS at Traefik)
+      - GITEA__server__DOMAIN=gitea.rezije.app
+      - GITEA__server__ROOT_URL=https://gitea.rezije.app/
+      - GITEA__server__PROTOCOL=http # Traefik handles TLS
+      - GITEA__server__SSH_PORT=2222
+      # Enable Docker Registry support
+      - GITEA__packages__ENABLED=true
+      # Set public URL detection to auto so that server
+      # supports multiple hostnames (for registry and web console)
+      - GITEA__server__PUBLIC_URL_DETECTION=auto
+
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-network
+      - traefik.http.services.gitea.loadbalancer.server.port=3000
+
+      # Web Console
+      - traefik.http.routers.gitea.entrypoints=https
+      - traefik.http.routers.gitea.rule=Host(`gitea.rezije.app`)
+      - traefik.http.routers.gitea.tls=true
+      - traefik.http.routers.gitea.tls.certresolver=letsencrypt
+    
+      # Registry (only /v2)
+      - traefik.http.routers.gitea-registry.entrypoints=https
+      - traefik.http.routers.gitea-registry.rule=Host(`registry.budakova.org`) && PathPrefix(`/v2`)
+      - traefik.http.routers.gitea-registry.tls=true
+      - traefik.http.routers.gitea-registry.tls.certresolver=letsencrypt
+      - traefik.http.routers.gitea-registry.service=gitea