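# gitea — self-hosted git server (cloud only)
# Hostname: git.wbd-rd.nl (reverse-proxied via nginx-proxy; HTTP internally)
# Networks: app (UI) + data (postgres backend)
# Auth: SSO via Keycloak (`wbd` realm, client `gitea`)
# OIDC auth source is added via CLI post-deploy — see README.
#
# Required variables (no default — compose aborts with the given message
# instead of silently expanding to ""):
#   GITEA_ROOT_URL, GITEA_DB_PASSWORD, GITEA_OAUTH_CLIENT_SECRET
# Every GITEA__<section>__<KEY> variable maps onto an app.ini setting. All
# values are quoted so YAML never retypes them (compose passes env as strings).

services:
  gitea:
    image: gitea/gitea:1.22
    restart: unless-stopped
    # No ports are published on the host: nginx-proxy reaches gitea on :3000
    # over the `app` network, so the proxy must be attached to that network too.
    networks: [app, data]
    environment:
      # User / TZ
      USER_UID: "1000"
      USER_GID: "1000"
      TZ: "${TZ:-Europe/Amsterdam}"

      # Server posture — nginx terminates TLS, gitea speaks HTTP on 3000
      # ROOT_URL is the base of the OIDC redirect URI registered in Keycloak, so
      # it is mandatory; an unset variable would otherwise expand to "".
      GITEA__server__ROOT_URL: "${GITEA_ROOT_URL:?GITEA_ROOT_URL is required, e.g. https://git.wbd-rd.nl/}"
      GITEA__server__DOMAIN: "${GITEA_DOMAIN:-git.wbd-rd.nl}"
      GITEA__server__PROTOCOL: "http"
      # Git over SSH is off entirely; clone/push only via HTTPS through the proxy.
      GITEA__server__DISABLE_SSH: "true"
      GITEA__server__OFFLINE_MODE: "false"
      # NOTE(review): only the proxy's source address is visible to gitea unless
      # [security] REVERSE_PROXY_TRUSTED_PROXIES covers the nginx-proxy network;
      # affects IP-based logging and rate limits — confirm before relying on them.

      # Skip web installer (admin user + OIDC source provisioned via CLI)
      # NOTE(review): SECRET_KEY / INTERNAL_TOKEN are not set here, so they are
      # presumably generated on first start into /data/gitea/conf/app.ini —
      # losing the gitea-data volume invalidates sessions/tokens; back it up.
      GITEA__security__INSTALL_LOCK: "true"

      # Database — postgres on sql stack (DB+role auto-provisioned)
      GITEA__database__DB_TYPE: "postgres"
      GITEA__database__HOST: "${GITEA_DB_HOST:-sql:5432}"
      GITEA__database__NAME: "${GITEA_DB_NAME:-gitea}"
      GITEA__database__USER: "${GITEA_DB_USER:-gitea}"
      # Fail at `compose up` rather than start gitea with an empty DB password.
      GITEA__database__PASSWD: "${GITEA_DB_PASSWORD:?GITEA_DB_PASSWORD is required}"

      # Disable local registration; users come in via Keycloak OIDC
      # NOTE(review): this combination (DISABLE_REGISTRATION + ALLOW_ONLY_EXTERNAL_REGISTRATION
      # + oauth2_client ENABLE_AUTO_REGISTRATION) is relied on to let OIDC create accounts
      # while blocking local sign-up — verify first login on a fresh deploy.
      GITEA__service__DISABLE_REGISTRATION: "true"
      GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION: "true"
      GITEA__service__SHOW_REGISTRATION_BUTTON: "false"
      # Anonymous visitors see nothing; every view requires a signed-in user.
      GITEA__service__REQUIRE_SIGNIN_VIEW: "true"
      # Legacy OpenID 2.0 sign-in/sign-up is off; OIDC goes through oauth2_client below.
      GITEA__openid__ENABLE_OPENID_SIGNIN: "false"
      GITEA__openid__ENABLE_OPENID_SIGNUP: "false"

      # OIDC client behavior — auth source itself added via CLI (see README)
      GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION: "true"
      GITEA__oauth2_client__UPDATE_AVATAR: "true"
      # Local username is taken from the `nickname` claim supplied by Keycloak.
      GITEA__oauth2_client__USERNAME: "nickname"
      GITEA__oauth2_client__ACCOUNT_LINKING: "auto"

      # Mail (flip ENABLED to true after postfix stack is up)
      GITEA__mailer__ENABLED: "false"
      GITEA__mailer__SMTP_ADDR: "postfix"
      GITEA__mailer__SMTP_PORT: "25"
      GITEA__mailer__FROM: "${GITEA_MAIL_FROM:-gitea@wbd-rd.nl}"

      # Repo defaults
      GITEA__repository__DEFAULT_PRIVATE: "private"
      GITEA__repository__DEFAULT_PUSH_CREATE_PRIVATE: "true"

      # Exposed inside the container so the OIDC-source CLI command can pick them up
      # (gitea itself doesn't read these — they're only for the post-deploy CLI step)
      # NOTE(review): the client secret stays in the container environment for the
      # container's whole lifetime (readable via `docker inspect` and the process
      # environment), not just during the CLI step — consider supplying it at
      # `docker exec` time instead.
      GITEA_OAUTH_CLIENT_ID: "${GITEA_OAUTH_CLIENT_ID:-gitea}"
      GITEA_OAUTH_CLIENT_SECRET: "${GITEA_OAUTH_CLIENT_SECRET:?GITEA_OAUTH_CLIENT_SECRET is required}"
      GITEA_OAUTH_DISCOVERY_URL: "${GITEA_OAUTH_DISCOVERY_URL:-https://auth.wbd-rd.nl/realms/wbd/.well-known/openid-configuration}"
    volumes:
      - gitea-data:/data

# NOTE(review): declared here, these become project-scoped networks. If postgres
# (`sql`), postfix and nginx-proxy run from other compose projects they cannot
# resolve `gitea` / `sql` over these unless the networks are marked
# `external: true` and created once — confirm against the sibling stacks.
networks:
  app: {}
  data: {}

volumes:
  gitea-data: {}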