electric-horses-infra/stacks/forgejo/docker-compose.yml

# Forgejo Stack — self-hosted Git hosting with Authentik SSO
# Part of M7.1 (Operations & Documentation Foundation)
# Network: traefik-public (public via Traefik) + forgejo-internal (service ↔ DB)

services:
  forgejo:
    image: codeberg.org/forgejo/forgejo:10
    container_name: forgejo
    restart: unless-stopped
    env_file: .env
    environment:
      USER_UID: "1000"
      USER_GID: "1000"
      FORGEJO__database__DB_TYPE: postgres
      FORGEJO__database__HOST: forgejo-db:5432
      FORGEJO__database__NAME: forgejo
      FORGEJO__database__USER: forgejo
      FORGEJO__database__PASSWD: ${DB_PASSWORD}
      FORGEJO__server__DOMAIN: code.sdda.eu
      FORGEJO__server__ROOT_URL: https://code.sdda.eu/
      FORGEJO__server__SSH_DOMAIN: code.sdda.eu
      FORGEJO__server__SSH_PORT: "222"
      FORGEJO__server__START_SSH_SERVER: "true"
      FORGEJO__server__SSH_LISTEN_PORT: "2222"
      FORGEJO__server__HTTP_PORT: "3000"
      FORGEJO__server__LFS_START_SERVER: "true"
      FORGEJO__security__INSTALL_LOCK: "true"
      FORGEJO__security__SECRET_KEY: ${FORGEJO_SECRET_KEY}
      FORGEJO__security__INTERNAL_TOKEN: ${FORGEJO_INTERNAL_TOKEN}
      FORGEJO__service__DISABLE_REGISTRATION: "true"
      FORGEJO__service__ALLOW_ONLY_EXTERNAL_REGISTRATION: "true"
      FORGEJO__service__SHOW_REGISTRATION_BUTTON: "false"
      FORGEJO__service__ENABLE_NOTIFY_MAIL: "true"
      FORGEJO__service__DEFAULT_KEEP_EMAIL_PRIVATE: "true"
      FORGEJO__openid__ENABLE_OPENID_SIGNIN: "false"
      FORGEJO__openid__ENABLE_OPENID_SIGNUP: "false"
      FORGEJO__oauth2_client__ENABLE_AUTO_REGISTRATION: "true"
      FORGEJO__oauth2_client__USERNAME: email
      FORGEJO__oauth2_client__UPDATE_AVATAR: "true"
      FORGEJO__oauth2_client__ACCOUNT_LINKING: "auto"
      FORGEJO__mailer__ENABLED: "true"
      FORGEJO__mailer__PROTOCOL: smtp
      FORGEJO__mailer__SMTP_ADDR: 10.0.0.2
      FORGEJO__mailer__SMTP_PORT: "587"
      FORGEJO__mailer__FROM: "Forgejo <forgejo@sdda.eu>"
      FORGEJO__mailer__USER: ${SMTP_USER}
      FORGEJO__mailer__PASSWD: ${SMTP_PASSWORD}
      FORGEJO__log__LEVEL: Info
    volumes:
      - forgejo-data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    networks:
      - traefik-public
      - forgejo-internal
    ports:
      - "222:2222"
    depends_on:
      forgejo-db:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:3000/api/healthz"]
      interval: 30s
      timeout: 5s
      retries: 5
      start_period: 30s
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik-public"
      - "traefik.http.services.forgejo.loadbalancer.server.port=3000"
      - "traefik.http.routers.forgejo.rule=Host(`code.sdda.eu`)"
      - "traefik.http.routers.forgejo.entrypoints=websecure"
      - "traefik.http.routers.forgejo.tls=true"
      - "traefik.http.routers.forgejo.tls.certresolver=letsencrypt"
      - "traefik.http.routers.forgejo.service=forgejo"

  forgejo-db:
    image: postgres:16-alpine
    container_name: forgejo-db
    restart: unless-stopped
    environment:
      POSTGRES_DB: forgejo
      POSTGRES_USER: forgejo
      POSTGRES_PASSWORD: ${DB_PASSWORD}
    volumes:
      - forgejo-db-data:/var/lib/postgresql/data
    networks:
      - forgejo-internal
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U forgejo -d forgejo"]
      interval: 10s
      timeout: 5s
      retries: 5

volumes:
  forgejo-data:
  forgejo-db-data:

networks:
  traefik-public:
    external: true
  forgejo-internal:
    driver: bridge
feat(stacks/forgejo): add self-hosted Git stack First stack mirrored 1:1 from /opt/ai-apps/forgejo/ on the server. Includes docker-compose.yml (forgejo + postgres 16), .env.example template (NO real secrets), backup.sh (nightly pg_dump + tar), plus Agent.md and README.md. Known gotchas documented in Agent.md: - Volume mount on /data not /var/lib/gitea - SSH port 2222 in container (system sshd occupies 22) - OIDC config lives in DB table login_source, not app.ini Refs OP#1119 2026-04-11 22:19:25 +02:00			`# Forgejo Stack — self-hosted Git hosting with Authentik SSO`
			`# Part of M7.1 (Operations & Documentation Foundation)`
			`# Network: traefik-public (public via Traefik) + forgejo-internal (service ↔ DB)`

			`services:`
			`forgejo:`
			`image: codeberg.org/forgejo/forgejo:10`
			`container_name: forgejo`
			`restart: unless-stopped`
			`env_file: .env`
			`environment:`
			`USER_UID: "1000"`
			`USER_GID: "1000"`
			`FORGEJO__database__DB_TYPE: postgres`
			`FORGEJO__database__HOST: forgejo-db:5432`
			`FORGEJO__database__NAME: forgejo`
			`FORGEJO__database__USER: forgejo`
			`FORGEJO__database__PASSWD: ${DB_PASSWORD}`
			`FORGEJO__server__DOMAIN: code.sdda.eu`
			`FORGEJO__server__ROOT_URL: https://code.sdda.eu/`
			`FORGEJO__server__SSH_DOMAIN: code.sdda.eu`
			`FORGEJO__server__SSH_PORT: "222"`
			`FORGEJO__server__START_SSH_SERVER: "true"`
			`FORGEJO__server__SSH_LISTEN_PORT: "2222"`
			`FORGEJO__server__HTTP_PORT: "3000"`
			`FORGEJO__server__LFS_START_SERVER: "true"`
			`FORGEJO__security__INSTALL_LOCK: "true"`
			`FORGEJO__security__SECRET_KEY: ${FORGEJO_SECRET_KEY}`
			`FORGEJO__security__INTERNAL_TOKEN: ${FORGEJO_INTERNAL_TOKEN}`
			`FORGEJO__service__DISABLE_REGISTRATION: "true"`
			`FORGEJO__service__ALLOW_ONLY_EXTERNAL_REGISTRATION: "true"`
			`FORGEJO__service__SHOW_REGISTRATION_BUTTON: "false"`
			`FORGEJO__service__ENABLE_NOTIFY_MAIL: "true"`
			`FORGEJO__service__DEFAULT_KEEP_EMAIL_PRIVATE: "true"`
			`FORGEJO__openid__ENABLE_OPENID_SIGNIN: "false"`
			`FORGEJO__openid__ENABLE_OPENID_SIGNUP: "false"`
			`FORGEJO__oauth2_client__ENABLE_AUTO_REGISTRATION: "true"`
			`FORGEJO__oauth2_client__USERNAME: email`
			`FORGEJO__oauth2_client__UPDATE_AVATAR: "true"`
			`FORGEJO__oauth2_client__ACCOUNT_LINKING: "auto"`
			`FORGEJO__mailer__ENABLED: "true"`
			`FORGEJO__mailer__PROTOCOL: smtp`
			`FORGEJO__mailer__SMTP_ADDR: 10.0.0.2`
			`FORGEJO__mailer__SMTP_PORT: "587"`
			`FORGEJO__mailer__FROM: "Forgejo <forgejo@sdda.eu>"`
			`FORGEJO__mailer__USER: ${SMTP_USER}`
			`FORGEJO__mailer__PASSWD: ${SMTP_PASSWORD}`
			`FORGEJO__log__LEVEL: Info`
			`volumes:`
			`- forgejo-data:/data`
			`- /etc/timezone:/etc/timezone:ro`
			`- /etc/localtime:/etc/localtime:ro`
			`networks:`
			`- traefik-public`
			`- forgejo-internal`
			`ports:`
			`- "222:2222"`
			`depends_on:`
			`forgejo-db:`
			`condition: service_healthy`
			`healthcheck:`
			`test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:3000/api/healthz"]`
			`interval: 30s`
			`timeout: 5s`
			`retries: 5`
			`start_period: 30s`
			`labels:`
			`- "traefik.enable=true"`
			`- "traefik.docker.network=traefik-public"`
			`- "traefik.http.services.forgejo.loadbalancer.server.port=3000"`
			- "traefik.http.routers.forgejo.rule=Host(`code.sdda.eu`)"
			`- "traefik.http.routers.forgejo.entrypoints=websecure"`
			`- "traefik.http.routers.forgejo.tls=true"`
			`- "traefik.http.routers.forgejo.tls.certresolver=letsencrypt"`
			`- "traefik.http.routers.forgejo.service=forgejo"`

			`forgejo-db:`
			`image: postgres:16-alpine`
			`container_name: forgejo-db`
			`restart: unless-stopped`
			`environment:`
			`POSTGRES_DB: forgejo`
			`POSTGRES_USER: forgejo`
			`POSTGRES_PASSWORD: ${DB_PASSWORD}`
			`volumes:`
			`- forgejo-db-data:/var/lib/postgresql/data`
			`networks:`
			`- forgejo-internal`
			`healthcheck:`
			`test: ["CMD-SHELL", "pg_isready -U forgejo -d forgejo"]`
			`interval: 10s`
			`timeout: 5s`
			`retries: 5`

			`volumes:`
			`forgejo-data:`
			`forgejo-db-data:`

			`networks:`
			`traefik-public:`
			`external: true`
			`forgejo-internal:`
			`driver: bridge`