# Gitea Mirror deployment configuration
# Standard deployment with automatic database maintenance

services:
  gitea-mirror:
    image: ${DOCKER_REGISTRY:-ghcr.io}/${DOCKER_IMAGE:-raylabshq/gitea-mirror}:${DOCKER_TAG:-latest}
    build:
      context: .
      dockerfile: Dockerfile
      platforms:
        - linux/amd64
        - linux/arm64
      cache_from:
        - ${DOCKER_REGISTRY:-ghcr.io}/${DOCKER_IMAGE:-raylabshq/gitea-mirror}:${DOCKER_TAG:-latest}
    container_name: gitea-mirror
    restart: unless-stopped
    ports:
      - "4321:4321"
    volumes:
      - gitea-mirror-data:/app/data
      # Mount custom CA certificates - choose one option:
      # Option 1: Mount individual CA certificates from certs directory
      # - ./certs:/app/certs:ro
      # Option 2: Mount system CA bundle (if your CA is already in system store)
      # - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
    environment:
      # For a complete list of all supported environment variables, see:
      # docs/ENVIRONMENT_VARIABLES.md or .env.example
      - NODE_ENV=production
      - DATABASE_URL=file:data/gitea-mirror.db
      - HOST=0.0.0.0
      - PORT=4321
      - BETTER_AUTH_SECRET=${BETTER_AUTH_SECRET:-your-secret-key-change-this-in-production}
      - BETTER_AUTH_URL=${BETTER_AUTH_URL:-http://localhost:4321}
      # Optional: ENCRYPTION_SECRET will be auto-generated if not provided
      # - ENCRYPTION_SECRET=${ENCRYPTION_SECRET:-}
      # GitHub/Gitea Mirror Config
      - GITHUB_USERNAME=${GITHUB_USERNAME:-}
      - GITHUB_TOKEN=${GITHUB_TOKEN:-}
      - GITHUB_EXCLUDED_ORGS=${GITHUB_EXCLUDED_ORGS:-}
      - SKIP_FORKS=${SKIP_FORKS:-false}
      - PRIVATE_REPOSITORIES=${PRIVATE_REPOSITORIES:-false}
      - MIRROR_ISSUES=${MIRROR_ISSUES:-false}
      - MIRROR_WIKI=${MIRROR_WIKI:-false}
      - MIRROR_STARRED=${MIRROR_STARRED:-false}
      - MIRROR_ORGANIZATIONS=${MIRROR_ORGANIZATIONS:-false}
      - PRESERVE_ORG_STRUCTURE=${PRESERVE_ORG_STRUCTURE:-false}
      - ONLY_MIRROR_ORGS=${ONLY_MIRROR_ORGS:-false}
      - SKIP_STARRED_ISSUES=${SKIP_STARRED_ISSUES:-false}
      - GITEA_URL=${GITEA_URL:-}
      - GITEA_TOKEN=${GITEA_TOKEN:-}
      - GITEA_USERNAME=${GITEA_USERNAME:-}
      - GITEA_ORGANIZATION=${GITEA_ORGANIZATION:-github-mirrors}
      - GITEA_ORG_VISIBILITY=${GITEA_ORG_VISIBILITY:-public}
      - DELAY=${DELAY:-3600}
      # Optional: Skip TLS verification (insecure, use only for testing)
      # - GITEA_SKIP_TLS_VERIFY=${GITEA_SKIP_TLS_VERIFY:-false}
      # Header Authentication (for Reverse Proxy SSO)
      - HEADER_AUTH_ENABLED=${HEADER_AUTH_ENABLED:-false}
      - HEADER_AUTH_USER_HEADER=${HEADER_AUTH_USER_HEADER:-X-Authentik-Username}
      - HEADER_AUTH_EMAIL_HEADER=${HEADER_AUTH_EMAIL_HEADER:-X-Authentik-Email}
      - HEADER_AUTH_NAME_HEADER=${HEADER_AUTH_NAME_HEADER:-X-Authentik-Name}
      - HEADER_AUTH_AUTO_PROVISION=${HEADER_AUTH_AUTO_PROVISION:-false}
      - HEADER_AUTH_ALLOWED_DOMAINS=${HEADER_AUTH_ALLOWED_DOMAINS:-}
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=3", "--spider", "http://localhost:4321/api/health"]
      interval: 30s
      timeout: 10s
      retries: 5
      start_period: 15s

# Define named volumes for database persistence
volumes:
  gitea-mirror-data:    # Database volume