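version: "3.9"

services:
  ### https://github.com/traefik/traefik
  ## The `adminauth` basic-auth middleware referenced by the dashboard router
  ## below is not defined in this file; it is expected to come from the file
  ## provider directory (/conf). Generate its htpasswd file with bcrypt (-B)
  ## rather than htpasswd's default apr1-MD5 hash:
  # $ htpasswd -Bc "<path to htpasswd file>" "${username}"
  traefik:
    # Pinned to the last v2 minor instead of `:latest`: options used below
    # (the headers middleware's `sslredirect` and `--experimental.http3`) were
    # removed in Traefik v3, where `:latest` now points. Under v3 the `secure`
    # middleware would fail to build and every router attached to it would
    # answer 404. Bump deliberately after reading the v3 migration guide.
    image: traefik:v2.11
    container_name: traefik
    restart: unless-stopped
    # Traefik needs no setuid binaries; block privilege escalation inside the
    # container (it also holds the Docker socket, see volumes).
    security_opt:
      - no-new-privileges:true
    environment:
      # Scope this Cloudflare token to Zone:DNS:Edit on the relevant zone(s)
      # only — it is the credential that proves domain control for ACME.
      - "CF_DNS_API_TOKEN=${CLOUDFLARE_API_TOKEN:?not set}"
      - "TZ=${TIMEZONE:?not set}"
    command:
      - "--accesslog=true"
      - "--accesslog.bufferingsize=100"
      - "--accesslog.fields.names.StartUTC=drop"
      - "--accesslog.filepath=/var/log/access.log"
      # Dashboard/API enabled, but NOT `--api.insecure`: it is only reachable
      # through the `traefik` router below, behind the `adminauth` middleware.
      - "--api"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
      # acme.json contains the private keys; Traefik refuses to use it unless
      # the file is mode 0600.
      - "--certificatesresolvers.letsencrypt.acme.storage=/certs/acme.json"
      - "--entrypoints.http.address=:80"
      # Redirect plain HTTP at the entrypoint. Every router in this file is
      # bound to `https` only, so without this port 80 has no router and HTTP
      # requests get a 404 rather than a redirect; the `sslredirect` header
      # option below only acts on routers that already serve the request.
      - "--entrypoints.http.http.redirections.entrypoint.to=https"
      - "--entrypoints.http.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.https.address=:443"
      - "--entrypoints.https.http3"
      - "--experimental.http3=true"
      - "--log.filePath=/var/log/traefik.log"
      - "--log.level=ERROR"
      - "--providers.docker=true"
      # Containers must opt in with `traefik.enable=true`; nothing is exposed
      # by accident.
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.network=traefik"
      - "--providers.file.directory=/conf"
      - "--providers.file.watch=true"
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.compress.compress=true"
      # `secure` middleware: response hardening headers shared by the routers
      # below. Note on X-XSS-Protection: the header is deprecated and current
      # guidance (OWASP) is to send `0` or omit it, since the legacy filter
      # enabled cross-site leaks in old browsers; kept as-is, review before
      # relying on it.
      - "traefik.http.middlewares.secure.headers.browserxssfilter=true"
      - "traefik.http.middlewares.secure.headers.contenttypenosniff=true"
      # `customframeoptionsvalue` overrides `framedeny` (Traefik docs), so the
      # effective header is X-Frame-Options: SAMEORIGIN, not DENY. The
      # `framedeny=true` line below is therefore redundant; kept for clarity
      # of intent.
      - "traefik.http.middlewares.secure.headers.customframeoptionsvalue=SAMEORIGIN"
      # Expect-CT is deprecated and ignored by current browsers; harmless.
      - "traefik.http.middlewares.secure.headers.customresponseheaders.Expect-CT=enforce,max-age=86400"
      - "traefik.http.middlewares.secure.headers.customresponseheaders.Permissions-Policy=geolocation=(), midi=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(), payment=()"
      # Cosmetic server-banner replacement; provides no real protection.
      - "traefik.http.middlewares.secure.headers.customresponseheaders.Server=GNU-Netcat/0.7.1"
      - "traefik.http.middlewares.secure.headers.customresponseheaders.X-Clacks-Overhead=GNU Terry Pratchett"
      # Request header forwarded to the backend so it generates https URLs.
      - "traefik.http.middlewares.secure.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.secure.headers.forcestsheader=true"
      - "traefik.http.middlewares.secure.headers.framedeny=true"
      - "traefik.http.middlewares.secure.headers.referrerpolicy=strict-origin"
      # Deprecated in v2 in favour of entrypoint redirection (configured in
      # `command` above); removed in v3.
      - "traefik.http.middlewares.secure.headers.sslredirect=true"
      # HSTS: 2 years, includeSubDomains + preload. Preload is a one-way
      # commitment for the whole registrable domain — every subdomain must
      # serve valid TLS before submitting to hstspreload.org.
      - "traefik.http.middlewares.secure.headers.stsincludesubdomains=true"
      - "traefik.http.middlewares.secure.headers.stspreload=true"
      - "traefik.http.middlewares.secure.headers.stsseconds=63072000"
      # Dashboard router -> internal API service, HTTPS only, behind
      # `adminauth` (defined in /conf, see header comment).
      - "traefik.http.routers.traefik.rule=Host(`dashboard.crimson.seedno.de`)"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik.middlewares=adminauth"
    ports:
      - "80:80"
      - "443:443"
      # UDP 443 for HTTP/3 (QUIC).
      - "443:443/udp"
    networks:
      traefik:
        ipv4_address: 10.160.3.254
      # NOTE(review): `prometheus` is not defined under the top-level
      # `networks:` of this file. Compose rejects a project that references an
      # undefined network, so it must be defined in a merged compose file or
      # this entry should be removed.
      prometheus:
    volumes:
      - type: bind
        source: /docker/traefik/certs
        target: /certs
      - type: bind
        source: /docker/traefik/config
        target: /conf
        read_only: true
      - type: bind
        source: /docker/traefik/logs
        target: /var/log
      # Access to the Docker socket is root-equivalent on the host. `read_only`
      # only affects the mount; it does NOT restrict API calls made over the
      # socket. Consider a socket proxy that allows only the read endpoints
      # Traefik needs (containers, networks, events).
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
        read_only: true

  ### https://github.com/go-gitea/gitea
  gitea:
    image: gitea/gitea:latest
    container_name: gitea
    restart: unless-stopped
    depends_on:
      - gitea-db
    environment:
      # Temp/dump location kept on the persistent /data mount.
      - "TMPDIR=/data/backups"
      - "USER_UID=${UID:?not set}"
      - "USER_GID=${GID:?not set}"
    labels:
      - "traefik.enable=true"
      # Gitea-specific CSP. 'unsafe-inline' and 'unsafe-eval' in script-src
      # largely defeat CSP's XSS mitigation; they appear to be required by
      # Gitea's frontend — re-test with them removed after upgrades.
      - "traefik.http.middlewares.gitea.headers.contentSecurityPolicy=default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self' https: data:; manifest-src 'self' data:"
      - "traefik.http.routers.gitea.rule=Host(`git.seedno.de`)"
      - "traefik.http.routers.gitea.entrypoints=https"
      - "traefik.http.routers.gitea.service=gitea"
      - "traefik.http.routers.gitea.tls=true"
      - "traefik.http.routers.gitea.tls.certresolver=letsencrypt"
      - "traefik.http.routers.gitea.middlewares=compress,secure,gitea"
      - "traefik.http.services.gitea.loadbalancer.server.port=3000"
    ports:
      # Git-over-SSH via the container's sshd, published on host port 9023 on
      # ALL host interfaces and bypassing Traefik. Restrict with a host
      # firewall, or bind to a specific interface ("127.0.0.1:9023:22") if
      # only local/VPN access is needed.
      - "9023:22"
    networks:
      - traefik
      - gitea
    volumes:
      - type: bind
        source: /docker/gitea/data
        target: /data
      - type: bind
        source: /etc/localtime
        target: /etc/localtime
        read_only: true
      - type: bind
        source: /docker/gitea/conf/sshd_config
        target: /etc/ssh/sshd_config
        read_only: true

  gitea-db:
    # NOTE(review): PostgreSQL 13 reaches end-of-life in November 2025. Plan a
    # major-version upgrade (pg_upgrade or dump+restore); a newer major cannot
    # read this data directory as-is, so do not just bump the tag.
    image: postgres:13-alpine
    container_name: gitea-db
    restart: unless-stopped
    environment:
      - "POSTGRES_DB=${GITEA_DATABASE_NAME:?not set}"
      - "POSTGRES_USER=${GITEA_DATABASE_USER:?not set}"
      - "POSTGRES_PASSWORD=${GITEA_DATABASE_PASS:?not set}"
    # Only on the internal `gitea` network: not reachable from the host or
    # from Traefik.
    networks:
      - gitea
    volumes:
      - type: bind
        source: /docker/gitea/database
        target: /var/lib/postgresql/data

networks:
  traefik:
    name: traefik
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: br_traefik
    ipam:
      driver: default
      config:
        # 10.160.0.0 - 10.160.3.255; Traefik's static 10.160.3.254 is inside.
        - subnet: 10.160.0.0/22
  gitea:
    name: gitea
    # `internal: true` — no route to the host or the internet; only the
    # containers attached to it can talk to each other.
    internal: true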