networks:
  gitea:
    external: false

services:
  server:
    image: ${GITEA_IMAGE:-gitea/gitea:1.25}
    container_name: gitea
    environment:
      - USER_UID=1000
      - USER_GID=1000
      # ---- 数据库 (MySQL) ----
      - GITEA__database__DB_TYPE=mysql
      - GITEA__database__HOST=db:3306
      - GITEA__database__NAME=gitea
      - GITEA__database__USER=gitea
      - GITEA__database__PASSWD=${DB_PASSWORD}
      # ---- 域名与访问 ----
      - GITEA__server__DOMAIN=${GITEA_DOMAIN}
      - GITEA__server__SSH_DOMAIN=${GITEA_DOMAIN}
      - GITEA__server__ROOT_URL=https://${GITEA_DOMAIN}
      - GITEA__server__HTTP_PORT=3000
      - GITEA__server__SSH_PORT=${SSH_PORT:-2222}
      - GITEA__server__SSH_LISTEN_PORT=2222
      - GITEA__server__LFS_START_SERVER=true
      # ---- Git LFS ----
      - GITEA__lfs__STORAGE_TYPE=local
      # ---- SSH 密钥 ----
      - GITEA__server__START_SSH_SERVER=true
      - GITEA__server__DISABLE_SSH=false
      # ---- GPG 签名 ----
      - GITEA__repository__ENABLE_PUSH_CREATE_USER=true
      - GITEA__repository__DEFAULT_BRANCH=master
      - GITEA__repository_0X2E_signing__SIGNING_KEY=default
      - GITEA__repository_0X2E_signing__SIGNING_NAME=${GPG_SIGNING_NAME:-Gitea}
      - GITEA__repository_0X2E_signing__SIGNING_EMAIL=${GPG_SIGNING_EMAIL:-gitea@localhost}
      - GITEA__repository_0X2E_signing__INITIAL_COMMIT=always
      - GITEA__repository_0X2E_signing__DEFAULT_TRUST_MODEL=committer
      # ---- 安全 ----
      - GITEA__service__DISABLE_REGISTRATION=${DISABLE_REGISTRATION:-false}
      - GITEA__service__REQUIRE_SIGNIN_VIEW=${REQUIRE_SIGNIN:-false}
      - GITEA__service__DEFAULT_KEEP_EMAIL_PRIVATE=true
      - GITEA__openid__ENABLE_OPENID_SIGNIN=false
      - GITEA__mailer__ENABLED=false
    restart: always
    networks:
      - gitea
    volumes:
      - ${GITEA_DATA_DIR:-/var/lib/gitea}:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "127.0.0.1:3000:3000"
      - "0.0.0.0:${SSH_PORT:-2222}:2222"
    depends_on:
      db:
        condition: service_healthy

  db:
    image: mysql:8.4
    container_name: gitea-db
    restart: always
    environment:
      - MYSQL_ROOT_PASSWORD=${DB_ROOT_PASSWORD}
      - MYSQL_USER=gitea
      - MYSQL_PASSWORD=${DB_PASSWORD}
      - MYSQL_DATABASE=gitea
    command: >
      --character-set-server=utf8mb4
      --collation-server=utf8mb4_unicode_ci
      --mysql-native-password=ON
      --innodb-buffer-pool-size=256M
      --max-allowed-packet=256M
    networks:
      - gitea
    volumes:
      - ${MYSQL_DATA_DIR:-/var/lib/mysql/gitea}:/var/lib/mysql
    healthcheck:
      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "root", "-p${DB_ROOT_PASSWORD}"]
      interval: 10s
      timeout: 5s
      retries: 10
      start_period: 30s