version: "3"

services:
  gitea:
    # You can use gitea/gitea:latest-rootless, but it tends to be behind gitea:latest for some reason :/
    image: gitea/gitea:latest-rootless
    container_name: gitea
    restart: unless-stopped
    volumes:
      - gitea-data:/var/lib/gitea
      - gitea-config:/etc/gitea
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "2222:2222"
    depends_on:
      - mariadb
    networks:
      - gitea
      - mariadb
    read_only: true
    user: "1000:1000"
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL

  mariadb:
    image: mariadb:latest
    container_name: mariadb
    restart: unless-stopped
    environment:
      - MYSQL_ROOT_PASSWORD=changeme
      - MYSQL_USER=gitea
      - MYSQL_PASSWORD=changeme
      - MYSQL_DATABASE=gitea
    volumes:
      - mariadb:/var/lib/mysql
    networks:
      - mariadb
    user: "999:999"
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL

  swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    restart: unless-stopped
    environment:
      - PUID=1000
      - PGID=1000
      - URL=yourdomain.tld
      - SUBDOMAINS=git
      - VALIDATION=http
      - EMAIL=changeme@yourdomain.tld
      - ONLY_SUBDOMAINS=true
    volumes:
      - ./swag:/config:Z
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - 443:443
      - 80:80
    networks:
      - gitea
    security_opt:
      - no-new-privileges:true
    cap_add:
      - NET_ADMIN

networks:
  gitea:
  mariadb:

volumes:
  gitea-data:
  gitea-config:
  mariadb: