From e8e6f9743598c8ab7e763b13ce8890ba807a3e28 Mon Sep 17 00:00:00 2001
From: rto
Date: Sun, 15 Mar 2026 13:34:22 +0100
Subject: [PATCH] Adding gitea config guide.
---
docker-compose.yml | 145 +++++++++++++++++++++++++++++++++++++++++++++
gitea-ssh.sh | 2 +
guide.md | 132 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 279 insertions(+)
create mode 100644 docker-compose.yml
create mode 100755 gitea-ssh.sh
create mode 100644 guide.md
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..90ba432
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,145 @@
+services:
+ traefik:
+ image: traefik:latest
+ container_name: traefik
+ command:
+ - --providers.docker=true
+ - --entrypoints.web.address=:80
+ - --entrypoints.websecure.address=:443
+ - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
+ - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
+ - --certificatesresolvers.letsencrypt.acme.email=tom.reincke@mailbox.org
+ - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
+ restart: unless-stopped
+ ports:
+ - "80:80"
+ - "443:443"
+ volumes:
+ - letsencrypt:/letsencrypt
+ - /var/run/docker.sock:/var/run/docker.sock:rw
+ networks:
+ - traefik-net
+ - proxy
+ dns:
+ - 1.1.1.1
+
+ gitea:
+ image: gitea/gitea:1.22
+ container_name: gitea
+ restart: unless-stopped
+ environment:
+ USER_UID: 999
+ USER_GID: 989
+ GITEA__server__DOMAIN: gitea.${DOMAIN}
+ GITEA__server__ROOT_URL: https://gitea.${DOMAIN}/
+ GITEA__server__PROTOCOL: http
+ GITEA__server__SSH_AUTHORIZED_KEYS_FILE: /git/.ssh/authorized_keys
+ GITEA__server__SSH_DOMAIN: gitea.${DOMAIN}
+ GITEA__server__SSH_PORT: 2222
+ GITEA__server__SSH_LISTEN_PORT: 2223
+ GITEA__server__SSH_COMMAND: /usr/local/bin/gitea-ssh.sh
+ GITEA__server__SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE: /usr/local/bin/gitea-ssh.sh --config={{.CustomConf}} serv key-{{.Key.ID}}
+ SSH_LISTEN_PORT: 2222
+ GITEA__server__START_SSH_SERVER: "false"
+ GITEA__security__INSTALL_LOCK: "true"
+ GITEA__database__DB_TYPE: postgres
+ GITEA__database__HOST: db:5432
+ GITEA__database__NAME: gitea
+ GITEA__database__USER: gitea
+ GITEA__database__PASSWD: NOPE
+ # GITEA__database__PASSWD: "qmr]tN3epDfSd&uf5xW9tY&Ndomkrbu"
+ volumes:
+ - gitea-data:/data
+ - /srv/gitea/git/.ssh:/data/git/.ssh
+ labels:
+ - "traefik.enable=true"
+
+ - "traefik.http.routers.gitea.rule=Host(`gitea.${DOMAIN}`)"
+ - "traefik.http.routers.gitea.entrypoints=websecure"
+ - "traefik.http.routers.gitea.tls=true"
+ - "traefik.http.routers.gitea.tls.certresolver=letsencrypt"
+ - 
"traefik.http.services.gitea.loadbalancer.server.port=3000" + networks: + - proxy + depends_on: + - db + db: + image: docker.io/library/postgres:14 + restart: always + environment: + - POSTGRES_USER=gitea + - POSTGRES_DB=gitea + - POSTGRES_PASSWORD=NOPE + volumes: + - ./postgres:/var/lib/postgresql/data + networks: + - proxy + db_nextcloud: + image: docker.io/library/postgres:14 + container_name: nextcloud-db + restart: always + environment: + - POSTGRES_USER=nextcloud + - POSTGRES_PASSWORD="nextcloud_passwd" + - POSTGRES_DB=nextcloud + volumes: + - ./postgres_nextcloud:/var/lib/postgresql/data + networks: + - proxy + whoami: + image: traefik/whoami + container_name: whoami + labels: + - "traefik.enable=true" + - "traefik.http.services.whoami.loadbalancer.server.port=80" + - "traefik.http.routers.app.rule=Host(`home.tanzgebot.xyz`)" + networks: + - traefik-net + doh: + image: whiskeyjay/doh-proxy:latest + container_name: doh + restart: always + cap_add: + - NET_BIND_SERVICE # needed if binding to 53 inside container + # Optionally set upstream DoH servers + environment: + - DOH_SERVERS=https://9.9.9.9/dns-query,https://94.140.14.14/dns-query,https://1.1.1.1/dns-query + - LISTEN_ADDR=0.0.0.0:53 + dns: + - 172.25.0.1 + nextcloud: + image: nextcloud:29 + container_name: nextcloud_app + restart: unless-stopped + volumes: + - nextcloud-data:/var/www/html + labels: + - "traefik.enable=true" + - "traefik.http.routers.nextcloud.rule=Host(`home.${DOMAIN}`)" + - "traefik.http.routers.nextcloud.entrypoints=websecure" + - "traefik.http.routers.nextcloud.tls=true" + - "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt" + - "traefik.http.services.nextcloud.loadbalancer.server.port=80" + - "traefik.http.routers.nextcloud-http.entrypoints=web" + - "traefik.http.routers.nextcloud-http.middlewares=redirect-to-https" + - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" + environment: + - POSTGRES_HOST=db_nextcloud + - POSTGRES_USER=nextcloud + - 
POSTGRES_PASSWORD="nextcloud_passwd"
+ - POSTGRES_DB=nextcloud
+ networks:
+ - proxy
+ depends_on:
+ - db_nextcloud
+volumes:
+ gitea-data:
+ nextcloud-data:
+ pihole-data:
+ dnsmasq-data:
+ letsencrypt:
+
+networks:
+ proxy:
+ traefik-net:
+ external: true
diff --git a/gitea-ssh.sh b/gitea-ssh.sh
new file mode 100755
index 0000000..24847e7
--- /dev/null
+++ b/gitea-ssh.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /usr/bin/docker exec -e SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" --user git -i gitea /usr/local/bin/gitea $@
diff --git a/guide.md b/guide.md
new file mode 100644
index 0000000..b3ef855
--- /dev/null
+++ b/guide.md
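Review bot: The commented-out `# GITEA__database__PASSWD: "..."` line in the gitea `environment:` block carries what looks like a real credential, and the live `GITEA__database__PASSWD: NOPE`, `POSTGRES_PASSWORD=NOPE` and `POSTGRES_PASSWORD="nextcloud_passwd"` entries keep database passwords in plaintext in a committed compose file; delete the commented line, treat that value as exposed and rotate it, and reference the passwords from an untracked env file or Docker secrets instead (for example a constructed placeholder such as `GITEA__database__PASSWD: ${GITEA_DB_PASSWD}` with the value in a git-ignored `.env`). In the list-form `environment:` of db_nextcloud and nextcloud the double quotes in `POSTGRES_PASSWORD="nextcloud_passwd"` are part of the YAML plain scalar, so the actual password contains the quote characters and the two services only agree because both carry the same literal. The `/var/run/docker.sock:/var/run/docker.sock:rw` mount on traefik hands the container that terminates all inbound HTTP(S) the host Docker API, which is root-equivalent; mounting the socket `:ro` does not restrict API calls, so the usual mitigation is a docker-socket proxy that exposes only the read-only container endpoints the provider needs, and `traefik:latest` should be pinned to a release tag so updates are deliberate. Placing `db` and `db_nextcloud` on the same `proxy` network as traefik also leaves the Postgres listeners reachable from the proxy; a backend network shared only between each database and its consumer would narrow that.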
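Review bot: `$@` at the end of the `exec /usr/bin/docker exec …` line is unquoted, so the arguments sshd passes to the script (the `--config={{.CustomConf}} serv key-{{.Key.ID}}` template from docker-compose.yml) are re-split on IFS and glob-expanded before they reach `gitea`; write it as `"$@"`. Because sshd runs this as the host `git` user, that account needs permission on the Docker socket, which is host-root-equivalent, and nothing in the script records that; a header comment such as `# Runs as host user git via sshd; requires Docker socket access (root-equivalent), keep that account locked down` would make the trust boundary explicit to whoever deploys it. Only `SSH_ORIGINAL_COMMAND` is forwarded into the container, which is presumably all `gitea serv` needs — worth confirming against the Gitea version pinned in the compose file.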
@@ -0,0 +1,132 @@
+# Installing gitlab on your local ssh with SSH
+This guide showcases my experience with installing gitea
+within a docker compose.
+
+## Step 1: The traefik service
+If you use rootful podman, make sure that the container has access to a few
+DNS servers. (configure it in the corresponding DNS provider.)
+If you use podman, make sure to map the corresponding podman socket into the
+container, instead of "/var/run/docker.sock".
+Otherwise you should not change the config.
+
+```yaml
+services:
+ traefik:
+ image: traefik:latest
+ container_name: traefik
+ command:
+ - --providers.docker=true
+ - --entrypoints.web.address=:80
+ - --entrypoints.websecure.address=:443
+ - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
+ - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
+ - --certificatesresolvers.letsencrypt.acme.email=
+ - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
+ restart: unless-stopped
+ ports:
+ - "80:80"
+ - "443:443"
+ volumes:
+ - letsencrypt:/letsencrypt
+ - /var/run/docker.sock:/var/run/docker.sock:rw
+ networks:
+ - traefik-net
+ - proxy
+ dns:
+ - 1.1.1.1
+```
+
+
+## Step 2: The gitea service
+You should add the script "/usr/local/bin/gitea-ssh.sh".
+
+```bash
+#!/bin/sh
+exec /usr/bin/docker exec -e SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" --user git -i gitea
+/usr/local/bin/gitea $@
+```
+
+Otherwise you can simply change
+`GITEA__server__SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE` option to include the
+docker command. If you would use rootful podman you should also add the `-c`
+parameter and corresponding value for specifiying the connection.
+As you can see command uses the git user.
+It is necessary to set the "USER_UID" and "USER_GID" to the ones of your git
+local git user/group. That is because the "authorized_keys" file is mapped into
+a directory which does outside of the container and is used for external ssh
+connections. 
+In theory you could use another user for ssh, but I don't know how that would
+translate into another gitea config. For the ssh config you would simply replace
+the user in the snippet below.
+
+Add the following config snippet to your sshd config. It can be in a separate
+file or at the end of your "sshd_config" file.
+
+```sshd
+Match User git
+ AllowTcpForwarding no
+ PermitTTY yes
+ X11Forwarding no
+ PasswordAuthentication no
+ AuthorizedKeysFile /srv/gitea/git/.ssh/authorized_keys
+```
+
+
+For the database you can use any database inside the docker compose
+file you just have to specify the options "host", "name", "user" and "type".
+
+To change the domain, you have to add under "gitea.rule" the domain.
+
+```yaml
+ gitea:
+ image: gitea/gitea:1.22
+ container_name: gitea
+ restart: unless-stopped
+ environment:
+ USER_UID: 999
+ USER_GID: 989
+ GITEA__server__DOMAIN: gitea.${DOMAIN}
+ GITEA__server__ROOT_URL: https://gitea.${DOMAIN}/
+ GITEA__server__PROTOCOL: http
+ GITEA__server__SSH_AUTHORIZED_KEYS_FILE: /git/.ssh/authorized_keys
+ GITEA__server__SSH_DOMAIN: gitea.${DOMAIN}
+ GITEA__server__SSH_LISTEN_PORT: 2223
+ GITEA__server__SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE: /usr/local/bin/gitea-ssh.sh --config={{.CustomConf}} serv key-{{.Key.ID}}
+ GITEA__server__START_SSH_SERVER: "false"
+ GITEA__security__INSTALL_LOCK: "true"
+ GITEA__database__DB_TYPE: postgres
+ GITEA__database__HOST: db:5432
+ GITEA__database__NAME: gitea
+ GITEA__database__USER: gitea
+ GITEA__database__PASSWD: NOPE
+ volumes:
+ - gitea-data:/data
+ - /srv/gitea/git/.ssh:/data/git/.ssh
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.gitea.rule=Host(`gitea.${DOMAIN}`)"
+ - "traefik.http.routers.gitea.entrypoints=websecure"
+ - "traefik.http.routers.gitea.tls=true"
+ - "traefik.http.routers.gitea.tls.certresolver=letsencrypt"
+ - "traefik.http.services.gitea.loadbalancer.server.port=3000"
+ networks:
+ - proxy
+ depends_on:
+ - db
+```
+
+## Step 3. 
Include a postgres database.
+Simply add this service with the corresponding password.
+```yaml
+ db:
+ image: docker.io/library/postgres:14
+ restart: always
+ environment:
+ - POSTGRES_USER=gitea
+ - POSTGRES_DB=gitea
+ - POSTGRES_PASSWORD=NOPE
+ volumes:
+ - ./postgres:/var/lib/postgresql/data
+ networks:
+ - proxy
+```