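---
# Compose stack: Traefik reverse proxy in front of Gitea (with PostgreSQL)
# and Headscale, all served under path prefixes of bee8333.ddns.net.
#
# Optional overrides (set in the shell or in a .env file kept out of version
# control):
#   GITEA_DB_PASSWORD       database password shared by Gitea and PostgreSQL
#                           (falls back to the original value "gitea")
#   TRAEFIK_DASHBOARD_BIND  host address the Traefik dashboard is published on
#                           (defaults to 127.0.0.1)
#   TRAEFIK_LOG_LEVEL       Traefik log level (defaults to INFO)
version: "3"

networks:
  gitea:
    external: false
  traefik:
    external: true
  # NOTE(review): not attached to any service visible in this file.
  immich_default:
    external: true

volumes:
  gitea-data:
  postgres-data:
  traefik-certs:

services:
  traefik:
    image: traefik:v2.9
    container_name: traefik
    restart: always
    ports:
      - "8080:80"  # HTTP (changed from 80 to 8080 for ISP testing)
      - "8443:443"  # HTTPS (changed from 443 to 8443 for ISP testing)
      # Dashboard (changed to avoid conflict). With --api.insecure=true the
      # API and dashboard are served without authentication, so the port is
      # published on loopback by default instead of on every host interface.
      - "${TRAEFIK_DASHBOARD_BIND:-127.0.0.1}:8081:8080"
    networks:
      # NOTE(review): routing uses the `traefik` network (see
      # providers.docker.network below); membership of `gitea` also places the
      # proxy on the database's network - confirm it is needed.
      - gitea
      - traefik
    volumes:
      # The :ro flag only makes the socket file read-only in the mount; it does
      # not restrict which Docker API calls the container can issue. Consider a
      # socket proxy that exposes only the read endpoints Traefik needs.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Holds acme.json (certificates and their private keys).
      - traefik-certs:/letsencrypt
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=traefik"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # NOTE(review): the redirect targets the websecure entrypoint's own port
      # (443) while the host publishes 8443 - presumably an upstream forward
      # maps 443 -> 8443; confirm.
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      # NOTE(review): HTTP-01 validation is made against port 80 of the public
      # hostname; with host port 8080 published here, issuance presumably
      # depends on an upstream forward of 80 -> 8080 - confirm.
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.letsencrypt.acme.email=bennett.l.david@gmail.com"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--api=true"
      - "--api.dashboard=true"
      # NOTE(review): insecure mode is meant for local testing. For anything
      # longer-lived, drop this flag and publish the dashboard through a
      # router with an authentication middleware.
      - "--api.insecure=true"
      # Originally DEBUG; set TRAEFIK_LOG_LEVEL=DEBUG only while troubleshooting.
      - "--log.level=${TRAEFIK_LOG_LEVEL:-INFO}"

  server:
    # NOTE(review): `latest` is a moving tag; pin a specific release tag or
    # digest so upgrades are deliberate and reproducible.
    image: gitea/gitea:latest
    container_name: gitea
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - GITEA__database__DB_TYPE=postgres
      - GITEA__database__HOST=db:5432
      - GITEA__database__NAME=gitea
      - GITEA__database__USER=gitea
      # Must match POSTGRES_PASSWORD on the db service. The fallback equals
      # the user name and is only kept so existing deployments keep working;
      # set GITEA_DB_PASSWORD to a strong value.
      - "GITEA__database__PASSWD=${GITEA_DB_PASSWORD:-gitea}"
      # Server Configuration
      - GITEA__server__DOMAIN=bee8333.ddns.net
      - GITEA__server__ROOT_URL=https://bee8333.ddns.net/gitea/
      # Plain HTTP inside the Docker network; TLS terminates at Traefik.
      - GITEA__server__PROTOCOL=http
      - GITEA__server__HTTP_PORT=3000
      - GITEA__server__SSH_DOMAIN=bee8333.ddns.net
      - GITEA__server__SSH_PORT=2224
      - GITEA__server__SSH_LISTEN_PORT=22
      - GITEA__server__START_SSH_SERVER=false
      - GITEA__server__OFFLINE_MODE=false
      - GITEA__server__ENABLE_GZIP=true
      # Reverse Proxy Settings
      - GITEA__server__USE_PROXY_PROTOCOL=false
      - GITEA__server__PROXY_PROTOCOL_TLS_BRIDGING=false
    restart: always
    networks:
      - gitea
      - traefik
    volumes:
      - gitea-data:/data
      # - /etc/timezone:/etc/timezone:ro
      # - /etc/localtime:/etc/localtime:ro
    ports:
      - "2224:22"  # SSH: Host port 2224 -> Container port 22
    depends_on:
      - db
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      # HTTPS Configuration for /gitea subpath
      - "traefik.http.routers.gitea.rule=Host(`bee8333.ddns.net`) && PathPrefix(`/gitea`)"
      - "traefik.http.routers.gitea.entrypoints=websecure"
      - "traefik.http.routers.gitea.tls.certresolver=letsencrypt"
      - "traefik.http.routers.gitea.priority=10"
      - "traefik.http.services.gitea.loadbalancer.server.port=3000"
      - "traefik.http.middlewares.gitea-stripprefix.stripprefix.prefixes=/gitea"
      - "traefik.http.middlewares.gitea-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.gitea.middlewares=gitea-stripprefix@docker,gitea-headers@docker"
      # HTTP Configuration for HTTP -> HTTPS redirection
      - "traefik.http.routers.gitea-http.rule=Host(`bee8333.ddns.net`) && PathPrefix(`/gitea`)"
      - "traefik.http.routers.gitea-http.entrypoints=web"
      # The https-redirect middleware defined here is also referenced by the
      # headscale-http router.
      - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
      - "traefik.http.routers.gitea-http.middlewares=https-redirect@docker"

  headscale:
    # NOTE(review): `latest` is a moving tag; pin a specific release tag or
    # digest so upgrades are deliberate and reproducible.
    image: headscale/headscale:latest
    container_name: headscale
    restart: unless-stopped
    ports:
      - "3478:3478/udp"  # STUN for DERP relay
    volumes:
      - ./headscale/config:/etc/headscale
      - ./headscale/data:/var/lib/headscale
    command: serve
    networks:
      # NOTE(review): `gitea` is the network the database sits on; nothing
      # visible here shows headscale using it - confirm and drop if unused.
      - gitea
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      # HTTPS Configuration for /headscale subpath
      - "traefik.http.routers.headscale.rule=Host(`bee8333.ddns.net`) && PathPrefix(`/headscale`)"
      - "traefik.http.routers.headscale.entrypoints=websecure"
      - "traefik.http.routers.headscale.tls.certresolver=letsencrypt"
      - "traefik.http.services.headscale.loadbalancer.server.port=8080"
      - "traefik.http.middlewares.headscale-stripprefix.stripprefix.prefixes=/headscale"
      - "traefik.http.middlewares.headscale-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.headscale.middlewares=headscale-stripprefix@docker,headscale-headers@docker"
      # HTTP Configuration for HTTP -> HTTPS redirection
      - "traefik.http.routers.headscale-http.rule=Host(`bee8333.ddns.net`) && PathPrefix(`/headscale`)"
      - "traefik.http.routers.headscale-http.entrypoints=web"
      - "traefik.http.routers.headscale-http.middlewares=https-redirect@docker"

  db:
    image: postgres:14
    container_name: gitea-db
    restart: always
    environment:
      - POSTGRES_USER=gitea
      # Applied only when the data directory is first initialised. To rotate
      # the password on an existing postgres-data volume, also change the
      # role's password inside the database, then set GITEA_DB_PASSWORD.
      - "POSTGRES_PASSWORD=${GITEA_DB_PASSWORD:-gitea}"
      - POSTGRES_DB=gitea
    # Internal network only; no host port is published for the database.
    networks:
      - gitea
    volumes:
      - postgres-data:/var/lib/postgresql/data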