made changes in order to make gitea work

homelab/applications/README.md

@@ -0,0 +1,9 @@
+# NAxS Homelab
+Prerequisites: 
+- Create a default network called homelab
+```
+docker network create homelab
+```
+
+// TODO: Create template script
+Template script which helps with setting up new applications (asks for potential secrets needs, adds default network to compose file, creates new users/groups to run containers rootless)

homelab/applications/gitea/README.md

@@ -0,0 +1,34 @@
+// TODO: refactor for gitea
+# Gitea
+## Set up database
+- Create database called `gitea`
+- Create database user called `gitea` incl. password
+- Store database credentials in 1Password
+
+## Set up non-root user for container
+We are providing a non-root user to the container to limit the attack surface for privilege escalations. In order for this to work in our setup, please make sure to check if you have a user called `gitea-user` & group called `gitea-group` set up. 
+
+1. Check if user `postgres` exists and if the UID is 1002
+
+```
+cat /etc/passwd | grep gitea
+```
+
+In case the `postgres` user exists but the UID is not 1002, please adjust it via 
+```
+sudo usermod -u 1002 postgres
+```
+
+In case the `postgres` user doesn't exist at all, please create the user incl. the right UID by running
+```
+sudo useradd -u 1002 postgres
+```
+
+## About secrets
+In order to manage secrets centrally in 1Password and due to the need for secrets in Postgres, using `docker compose` directly in the terminal does not work. 
+
+## Bring up/tear down container
+Please use the `start.sh` to spin up the container
+### Prerequisites start.sh
+- User executing the script is part of the `docker` group
+- Env variable `OP_SERVICE_ACCOUNT_TOKEN` is set up \[check out top-level README.md for more information on how to set this up\]

homelab/applications/gitea/compose.yml

@@ -1,14 +1,26 @@
-  services:
+secrets:
-   server:
+  gitea_postgres_password:
-     image: docker.gitea.com/gitea:latest
+      environment: GITEA_POSTGRES_PASSWORD
+services:
+  gitea:
+    image: docker.gitea.com/gitea:1-rootless
     container_name: gitea
+    user: "1003:1003"
     environment:
-       - USER_UID=1000
+      USER_UID: "1003"
-       - USER_GID=1000
+      USER_GID: "1003"
-       - DISABLE_REGISTRATION=true
+      DISABLE_REGISTRATION: true
+      GITEA__database__DB_TYPE: postgres
+      GITEA__database__HOST: postgres:5432
+      GITEA__database__NAME: gitea
+      GITEA__database__USER: gitea
+      GITEA__database__PASSWD_FILE: /run/secrets/gitea_postgres_password
     restart: always
-     volumes:
+    volumes: ['./data:/var/lib/gitea', './config:/etc/gitea']
-       - ./data:/data
+    ports: ['8030:3000', '2222:2222']
-     ports:
+    secrets: ['gitea_postgres_password']
-       - "8030:3000"
+    networks: ['homelab']
-       - "222:22"
+
+networks:
+  homelab:
+    external: true

homelab/applications/gitea/start.sh

@@ -0,0 +1,12 @@
+#!/bin/zsh
+# Exit immediately if a command exits with a non-zero status.
+set -e
+
+echo "--- Starting Docker Secret Management ---"
+# Mount secrets
+export GITEA_POSTGRES_PASSWORD="$(op read 'op://NAxS Homelab/Gitea Postgres credentials/password')"
+
+# Bring up container
+docker compose up -d
+
+echo "--- Docker Secret Management Complete ---"

homelab/applications/postgres/compose.yml

@@ -16,3 +16,8 @@ services:
     secrets: ['postgres_password', 'postgres_user']
     ports: ['5432:5432']
     volumes: ['./data:/var/lib/postgresql']
+    networks: ['homelab']
+
+networks:
+  homelab:
+    external: true