first

Dockerfile

@@ -0,0 +1,7 @@
+ARG GITEA_VERSION=1.21.10
+
+FROM gitea/gitea:${GITEA_VERSION}
+
+COPY ./docker/entrypoint /
+ENTRYPOINT ["/docker-entrypoint.sh", "/usr/bin/entrypoint"]
+CMD ["/bin/s6-svscan","/etc/s6"]

docker-compose.yml

@@ -0,0 +1,53 @@
+networks:
+  gitea:
+    external: false
+  caddy_caddy:
+    external: true
+volumes:
+  git-nfs:
+    driver_opts:
+      type: "nfs"
+      o: "addr=10.0.20.252,rw,noatime,nolock,soft,rsize=131072,wsize=131072,tcp,timeo=14"
+      device: ":/mnt/pile/drive/git"
+
+services:
+  gitea:
+    image: gitea/gitea:1.21.10
+    container_name: gitea
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+      - GITEA__database__DB_TYPE=postgres
+      - GITEA__database__HOST=DOCKER-SECRET->gitea.db.host
+      - GITEA__database__NAME=DOCKER-SECRET->gitea.db.name
+      - GITEA__database__USER=DOCKER-SECRET->gitea.db.user
+      - GITEA__database__PASSWD=DOCKER-SECRET->gitea.db.passwd
+    restart: always
+    networks:
+      - gitea
+      - caddy_caddy
+    volumes:
+      - type: volume
+        source: git-nfs
+        target: /data
+        volume:
+          subpath: gitea
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    secrets:
+      - gitea.db.user
+      - gitea.db.passwd
+      - gitea.db.name
+      - gitea.db.host
+    ports:
+      - "3000:3000"
+      - "222:22"
+secrets:
+  gitea.db.user:
+    external: true
+  gitea.db.passwd:
+    external: true
+  gitea.db.name:
+    external: true
+  gitea.db.host:
+    external: true

docker/entrypoint/docker-entrypoint.d/.env-from-docker-secrets

@@ -0,0 +1,45 @@
+# EXPANDING VARIABLES FROM DOCKER SECRETS
+: ${ENV_SECRETS_DIR:=/run/secrets}
+
+env_secret_debug()
+{
+    if [ ! -z "$ENV_SECRETS_DEBUG" ]; then
+        echo -e "\033[1m$@\033[0m"
+    fi
+}
+
+# usage: env_secret_expand VAR
+#    ie: env_secret_expand 'XYZ_DB_PASSWORD'
+# (will check for "$XYZ_DB_PASSWORD" variable value for a placeholder that defines the
+#  name of the docker secret to use instead of the original value. For example:
+# XYZ_DB_PASSWORD="DOCKER-SECRET->:my-db_secret"
+env_secret_expand() {
+    var="$1"
+    eval val=\$$var
+    if secret_name=$(expr match "$val" "DOCKER-SECRET->\([^}]\+\)$"); then
+        secret="${ENV_SECRETS_DIR}/${secret_name}"
+        env_secret_debug "Secret file for $var: $secret"
+        if [ -f "$secret" ]; then
+            val=$(cat "${secret}")
+            export "$var"="$val"
+            env_secret_debug "Expanded variable: $var=$val"
+        else
+            env_secret_debug "Secret file does not exist! $secret"
+        fi
+    fi
+}
+
+env_secrets_expand() {
+    for env_var in $(printenv | cut -f1 -d"=")
+    do
+        env_secret_expand $env_var
+    done
+
+    if [ ! -z "$ENV_SECRETS_DEBUG" ]; then
+        echo -e "\n\033[1mExpanded environment variables\033[0m"
+        printenv
+    fi
+}
+
+env_secrets_expand
+

docker/entrypoint/docker-entrypoint.sh

@@ -0,0 +1,32 @@
+#!/bin/sh
+# vim:sw=4:ts=4:et
+
+set -e
+
+. /docker-entrypoint.d/.env-from-docker-secrets
+
+if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
+    echo "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
+
+    echo "$0: Looking for shell scripts in /docker-entrypoint.d/"
+    find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
+    case "$f" in
+        *.sh)
+            if [ -x "$f" ]; then
+                echo "$0: Launching $f";
+                "$f"
+            else
+                # warn on shell scripts without exec bit
+                echo "$0: Ignoring $f, not executable";
+            fi
+            ;;
+        *) echo "$0: Ignoring $f";;
+    esac
+done
+
+echo "$0: Configuration complete; ready for start up"
+else
+    echo "$0: No files found in /docker-entrypoint.d/, skipping configuration"
+fi
+
+exec "$@"