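---
# Forgejo Stack — self-hosted Git hosting with Authentik SSO
# Part of M7.1 (Operations & Documentation Foundation)
# Network: traefik-public (public via Traefik) + forgejo-internal (service ↔ DB)
#
# Secrets (DB_PASSWORD, FORGEJO_SECRET_KEY, FORGEJO_INTERNAL_TOKEN, SMTP_*)
# are read from .env. Keep that file out of version control and readable
# only by the deploying user.

services:
  forgejo:
    # Mutable major tag: the image content can change between pulls.
    # NOTE(review): pin a full version or digest for reproducible deploys,
    # and confirm this major still receives security fixes.
    image: codeberg.org/forgejo/forgejo:10
    container_name: forgejo
    restart: unless-stopped
    # env_file passes every variable in .env into the container, in addition
    # to the explicit mappings below.
    env_file: .env
    environment:
      USER_UID: "1000"
      USER_GID: "1000"

      # --- database ---
      FORGEJO__database__DB_TYPE: postgres
      FORGEJO__database__HOST: forgejo-db:5432
      FORGEJO__database__NAME: forgejo
      FORGEJO__database__USER: forgejo
      # ":?" makes compose abort instead of substituting an empty string
      # when the variable is unset.
      FORGEJO__database__PASSWD: "${DB_PASSWORD:?DB_PASSWORD must be set}"

      # --- server ---
      FORGEJO__server__DOMAIN: code.sdda.eu
      FORGEJO__server__ROOT_URL: https://code.sdda.eu/
      FORGEJO__server__SSH_DOMAIN: code.sdda.eu
      # SSH_PORT is the port shown in clone URLs (host side of the mapping);
      # SSH_LISTEN_PORT is the port the built-in server binds in the container.
      FORGEJO__server__SSH_PORT: "222"
      FORGEJO__server__START_SSH_SERVER: "true"
      FORGEJO__server__SSH_LISTEN_PORT: "2222"
      FORGEJO__server__HTTP_PORT: "3000"
      FORGEJO__server__LFS_START_SERVER: "true"

      # --- security ---
      # INSTALL_LOCK keeps the web installer disabled on first start.
      FORGEJO__security__INSTALL_LOCK: "true"
      FORGEJO__security__SECRET_KEY: "${FORGEJO_SECRET_KEY:?FORGEJO_SECRET_KEY must be set}"
      FORGEJO__security__INTERNAL_TOKEN: "${FORGEJO_INTERNAL_TOKEN:?FORGEJO_INTERNAL_TOKEN must be set}"

      # --- registration: accounts are meant to come from SSO only ---
      # NOTE(review): verify on this Forgejo version that a first SSO login
      # still creates the account with DISABLE_REGISTRATION set to "true".
      FORGEJO__service__DISABLE_REGISTRATION: "true"
      FORGEJO__service__ALLOW_ONLY_EXTERNAL_REGISTRATION: "true"
      FORGEJO__service__SHOW_REGISTRATION_BUTTON: "false"
      FORGEJO__service__ENABLE_NOTIFY_MAIL: "true"
      FORGEJO__service__DEFAULT_KEEP_EMAIL_PRIVATE: "true"
      FORGEJO__openid__ENABLE_OPENID_SIGNIN: "false"
      FORGEJO__openid__ENABLE_OPENID_SIGNUP: "false"

      # --- OAuth2 client (Authentik) ---
      FORGEJO__oauth2_client__ENABLE_AUTO_REGISTRATION: "true"
      FORGEJO__oauth2_client__USERNAME: email
      FORGEJO__oauth2_client__UPDATE_AVATAR: "true"
      # "auto" links an external login to an existing local account on a
      # matching username or email, without the user confirming local
      # credentials. That is only safe while every configured OAuth2 source
      # is trusted and its email claim cannot be set freely by the user.
      # Use "login" to require confirmation before linking.
      FORGEJO__oauth2_client__ACCOUNT_LINKING: "auto"

      # --- mailer ---
      FORGEJO__mailer__ENABLED: "true"
      # NOTE(review): plain "smtp" does not require TLS, and SMTP credentials
      # are configured below. Confirm the session to 10.0.0.2:587 is
      # encrypted, or use "smtp+starttls".
      FORGEJO__mailer__PROTOCOL: smtp
      FORGEJO__mailer__SMTP_ADDR: 10.0.0.2
      FORGEJO__mailer__SMTP_PORT: "587"
      # NOTE(review): the address part of this value appears to be missing
      # (expected form: Name <address>). Restore the sender before deploying.
      FORGEJO__mailer__FROM: "Forgejo "
      FORGEJO__mailer__USER: ${SMTP_USER}
      FORGEJO__mailer__PASSWD: ${SMTP_PASSWORD}

      FORGEJO__log__LEVEL: Info
    volumes:
      - forgejo-data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    networks:
      - traefik-public
      - forgejo-internal
    ports:
      # Git over SSH is published directly on every host interface and does
      # not pass through Traefik. Restrict it at the host firewall if needed.
      - "222:2222"
    depends_on:
      forgejo-db:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:3000/api/healthz"]
      interval: 30s
      timeout: 5s
      retries: 5
      start_period: 30s
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik-public"
      - "traefik.http.services.forgejo.loadbalancer.server.port=3000"
      - "traefik.http.routers.forgejo.rule=Host(`code.sdda.eu`)"
      - "traefik.http.routers.forgejo.entrypoints=websecure"
      - "traefik.http.routers.forgejo.tls=true"
      - "traefik.http.routers.forgejo.tls.certresolver=letsencrypt"
      - "traefik.http.routers.forgejo.service=forgejo"

  forgejo-db:
    # NOTE(review): mutable tag; pin a version or digest as for forgejo.
    image: postgres:16-alpine
    container_name: forgejo-db
    restart: unless-stopped
    environment:
      POSTGRES_DB: forgejo
      POSTGRES_USER: forgejo
      POSTGRES_PASSWORD: "${DB_PASSWORD:?DB_PASSWORD must be set}"
    volumes:
      - forgejo-db-data:/var/lib/postgresql/data
    # No published ports and only on forgejo-internal, so the database is
    # reachable only from containers on that network.
    networks:
      - forgejo-internal
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U forgejo -d forgejo"]
      interval: 10s
      timeout: 5s
      retries: 5

volumes:
  forgejo-data:
  forgejo-db-data:

networks:
  traefik-public:
    external: true
  # NOTE(review): the database needs no outbound access. Consider
  # `internal: true` here after checking that the published SSH port on
  # forgejo still works through traefik-public.
  forgejo-internal:
    driver: bridge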