made changes in order to make gitea work

homelab/applications/gitea/README.md

@@ -0,0 +1,34 @@
+// TODO: refactor for gitea
+# Gitea
+## Set up database
+- Create database called `gitea`
+- Create database user called `gitea` incl. password
+- Store database credentials in 1Password
+
+## Set up non-root user for container
+We are providing a non-root user to the container to limit the attack surface for privilege escalations. In order for this to work in our setup, please make sure to check if you have a user called `gitea-user` & group called `gitea-group` set up. 
+
+1. Check if user `postgres` exists and if the UID is 1002
+
+```
+cat /etc/passwd | grep gitea
+```
+
+In case the `postgres` user exists but the UID is not 1002, please adjust it via 
+```
+sudo usermod -u 1002 postgres
+```
+
+In case the `postgres` user doesn't exist at all, please create the user incl. the right UID by running
+```
+sudo useradd -u 1002 postgres
+```
+
+## About secrets
+In order to manage secrets centrally in 1Password and due to the need for secrets in Postgres, using `docker compose` directly in the terminal does not work. 
+
+## Bring up/tear down container
+Please use the `start.sh` to spin up the container
+### Prerequisites start.sh
+- User executing the script is part of the `docker` group
+- Env variable `OP_SERVICE_ACCOUNT_TOKEN` is set up \[check out top-level README.md for more information on how to set this up\]

homelab/applications/gitea/compose.yml

@@ -1,14 +1,26 @@
-  services:
-   server:
-     image: docker.gitea.com/gitea:latest
-     container_name: gitea
-     environment:
-       - USER_UID=1000
-       - USER_GID=1000
-       - DISABLE_REGISTRATION=true
-     restart: always
-     volumes:
-       - ./data:/data
-     ports:
-       - "8030:3000"
-       - "222:22"
+secrets:
+  gitea_postgres_password:
+      environment: GITEA_POSTGRES_PASSWORD
+services:
+  gitea:
+    image: docker.gitea.com/gitea:1-rootless
+    container_name: gitea
+    user: "1003:1003"
+    environment:
+      USER_UID: "1003"
+      USER_GID: "1003"
+      DISABLE_REGISTRATION: true
+      GITEA__database__DB_TYPE: postgres
+      GITEA__database__HOST: postgres:5432
+      GITEA__database__NAME: gitea
+      GITEA__database__USER: gitea
+      GITEA__database__PASSWD_FILE: /run/secrets/gitea_postgres_password
+    restart: always
+    volumes: ['./data:/var/lib/gitea', './config:/etc/gitea']
+    ports: ['8030:3000', '2222:2222']
+    secrets: ['gitea_postgres_password']
+    networks: ['homelab']
+
+networks:
+  homelab:
+    external: true

homelab/applications/gitea/start.sh

@@ -0,0 +1,12 @@
+#!/bin/zsh
+# Exit immediately if a command exits with a non-zero status.
+set -e
+
+echo "--- Starting Docker Secret Management ---"
+# Mount secrets
+export GITEA_POSTGRES_PASSWORD="$(op read 'op://NAxS Homelab/Gitea Postgres credentials/password')"
+
+# Bring up container
+docker compose up -d
+
+echo "--- Docker Secret Management Complete ---"