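---
# Gitea stack for Docker Swarm.
# A Vault Agent renders secrets into an in-memory (tmpfs) volume that
# gitea-db and gitea read through *_FILE settings, so no secret value is
# ever written into this file or a persistent volume.

networks:
  cicd:
    external: true

volumes:
  gitea_data:
  gitea_db:
  # Rendered secrets live only in memory; the volume disappears with the node.
  vault_gitea_secrets:
    driver: local
    driver_opts:
      type: tmpfs
      device: tmpfs
      # NOTE(review): mode=0700 owned by uid 1000 means only uid 1000 (and root)
      # can traverse this directory; confirm the postgres process in gitea-db
      # runs as a uid that can still read gitea_db_pass.
      o: "size=16m,uid=1000,gid=1000,mode=0700"

secrets:
  # AppRole credentials are Docker secrets created outside this stack.
  gitea_vault_role_id:
    external: true
  gitea_vault_secret_id:
    external: true

services:
  # --- Vault Agent for Gitea ---
  vault-agent-gitea:
    # NOTE(review): "latest" is a mutable tag; pin a version or digest so the
    # agent image cannot change underneath the stack on redeploy.
    image: hashicorp/vault:latest
    networks: [cicd]
    # IPC_LOCK lets the agent mlock its memory so secrets are not swapped out.
    cap_add: ["IPC_LOCK"]
    environment:
      # NOTE(review): plain HTTP to Vault; acceptable only if the external
      # `cicd` overlay network is encrypted or otherwise trusted — verify.
      VAULT_ADDR: "http://vault:8200"
    secrets:
      # NOTE(review): these targets sit inside the shared tmpfs mount below;
      # confirm the mount-point placeholders expose nothing to gitea/gitea-db,
      # or point agent.hcl at the default /run/secrets/ location instead.
      - source: gitea_vault_role_id
        target: /vault/secrets/role_id
      - source: gitea_vault_secret_id
        target: /vault/secrets/secret_id
    volumes:
      - ./vault:/etc/vault:ro
      # Only the agent may write rendered secrets; consumers mount it :ro.
      - vault_gitea_secrets:/vault/secrets:rw
    command: >
      sh -lc 'vault agent -config=/etc/vault/agent.hcl'
    deploy:
      placement:
        constraints: [node.role == manager]
      restart_policy:
        condition: on-failure
    healthcheck:
      # Healthy only once every file a consumer reads via *_FILE is rendered
      # and non-empty; the mail files are checked too because gitea reads them.
      test:
        - CMD-SHELL
        - >-
          test -s /vault/secrets/minio_access_key
          -a -s /vault/secrets/minio_secret_key
          -a -s /vault/secrets/gitea_db_pass
          -a -s /vault/secrets/mail_account
          -a -s /vault/secrets/mail_secret
      interval: 10s
      timeout: 3s
      retries: 12
      start_period: 5s

  # --- PostgreSQL Database for Gitea ---
  gitea-db:
    image: postgres:18
    networks: [cicd]
    environment:
      - POSTGRES_USER=gitea
      - POSTGRES_DB=gitea
      # Password is read from the agent-rendered file, never from the environment.
      - POSTGRES_PASSWORD_FILE=/vault/secrets/gitea_db_pass
    volumes:
      - gitea_db:/var/lib/postgresql
      - vault_gitea_secrets:/vault/secrets:ro
    deploy:
      placement:
        constraints: [node.role == manager]
      restart_policy:
        condition: on-failure
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U gitea -d gitea -h 127.0.0.1"]
      interval: 10s
      timeout: 3s
      retries: 12
      start_period: 10s

  # --- Gitea Service ---
  gitea:
    # NOTE(review): "latest" is a mutable tag; pin a version or digest.
    image: gitea/gitea:latest
    networks: [cicd]
    # depends_on is ignored by `docker stack deploy`; the healthcheck's file
    # test below is what actually gates readiness on the rendered secrets.
    depends_on:
      - gitea-db
      - vault-agent-gitea
    volumes:
      - gitea_data:/data
      - vault_gitea_secrets:/vault/secrets:ro
    environment:
      ## Database
      - GITEA__database__DB_TYPE=postgres
      - GITEA__database__HOST=gitea-db:5432
      - GITEA__database__USER=gitea
      - GITEA__database__PASSWD__FILE=/vault/secrets/gitea_db_pass
      - GITEA__database__NAME=gitea
      ## Server
      - GITEA__server__LFS_START_SERVER=true
      - GITEA__server__DOMAIN=git.sendico.io
      - GITEA__server__ROOT_URL=https://git.sendico.io/
      - GITEA__server__SSH_DOMAIN=git.sendico.io
      - GITEA__server__SSH_PORT=222
      # Prevents the web installer from being reachable after first deploy.
      - GITEA__security__INSTALL_LOCK=true
      ## --- MinIO storage configuration ---
      # Main storage (repositories, wiki, avatars)
      - GITEA__storage__STORAGE_TYPE=minio
      - GITEA__storage__MINIO_ENDPOINT=s3.sendico.io
      - GITEA__storage__MINIO_BUCKET=gitea-data
      - GITEA__storage__MINIO_USE_SSL=true
      - GITEA__storage__MINIO_BUCKET_LOOKUP_TYPE=path
      - GITEA__storage__MINIO_ACCESS_KEY_ID__FILE=/vault/secrets/minio_access_key
      - GITEA__storage__MINIO_SECRET_ACCESS_KEY__FILE=/vault/secrets/minio_secret_key
      # Attachments (issues, wiki)
      - GITEA__attachments__STORAGE_TYPE=minio
      - GITEA__attachments__MINIO_ENDPOINT=s3.sendico.io
      - GITEA__attachments__MINIO_BUCKET=gitea-attachments
      - GITEA__attachments__MINIO_USE_SSL=true
      - GITEA__attachments__MINIO_BUCKET_LOOKUP_TYPE=path
      - GITEA__attachments__MINIO_ACCESS_KEY_ID__FILE=/vault/secrets/minio_access_key
      - GITEA__attachments__MINIO_SECRET_ACCESS_KEY__FILE=/vault/secrets/minio_secret_key
      # LFS (Large File Storage)
      - GITEA__lfs__STORAGE_TYPE=minio
      - GITEA__lfs__MINIO_ENDPOINT=s3.sendico.io
      - GITEA__lfs__MINIO_BUCKET=gitea-lfs
      - GITEA__lfs__MINIO_USE_SSL=true
      - GITEA__lfs__MINIO_BUCKET_LOOKUP_TYPE=path
      - GITEA__lfs__MINIO_ACCESS_KEY_ID__FILE=/vault/secrets/minio_access_key
      - GITEA__lfs__MINIO_SECRET_ACCESS_KEY__FILE=/vault/secrets/minio_secret_key
      ## Mail
      - GITEA__mailer__ENABLED=true
      # NOTE(review): in list-form environment entries the quotes are part of
      # the value, and the address part looks truncated — verify the intended
      # sender is set.
      - GITEA__mailer__FROM="Gitea "
      - GITEA__mailer__PROTOCOL=smtp
      - GITEA__mailer__SMTP_ADDR=mail.sendico.io
      - GITEA__mailer__SMTP_PORT=587
      - GITEA__mailer__USER__FILE=/vault/secrets/mail_account
      - GITEA__mailer__PASSWD__FILE=/vault/secrets/mail_secret
      - GITEA__mailer__USE_TLS=true
    deploy:
      placement:
        constraints: [node.role == manager]
      restart_policy:
        condition: on-failure
      # Swarm mode: Traefik reads labels from deploy.labels, not service labels.
      labels:
        traefik.enable: "true"
        traefik.docker.network: "cicd"
        traefik.http.routers.gitea.rule: "Host(`git.sendico.io`)"
        traefik.http.routers.gitea.entrypoints: "websecure"
        traefik.http.routers.gitea.tls: "true"
        traefik.http.routers.gitea.tls.certresolver: "letsencrypt"
        traefik.http.services.gitea.loadbalancer.server.port: "3000"
    healthcheck:
      # Requires every *_FILE secret this service reads to be present and
      # non-empty before the HTTP probe counts; mail files added to match the
      # mailer settings above.
      test:
        - CMD-SHELL
        - >-
          test -s /vault/secrets/minio_access_key
          -a -s /vault/secrets/minio_secret_key
          -a -s /vault/secrets/gitea_db_pass
          -a -s /vault/secrets/mail_account
          -a -s /vault/secrets/mail_secret
          && wget -q --spider http://127.0.0.1:3000/ || exit 1
      interval: 10s
      timeout: 3s
      retries: 12
      start_period: 30s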