Add Gitea - Git with a cup of tea

README.md

@@ -7,7 +7,8 @@ This repository contains the configuration for my personal homelab stack, includ
 | **Vaultwarden** | Self-hosted password manager (Bitwarden-compatible) | `https://vault.example.com` |
 | **2FAuth** | Self-hosted two-factor authentication manager | `https://auth.example.com` |
 | **Filebrowser** | Self-hosted file hosting service | `https://storage.example.com` |
-| **Wg-easy** | Wireguard VPN with management console | `https://vpn.example.com` |
+| **Wg-easy** | Git with a cup of tea! | `https://vpn.example.com` |
+| **Gitea** | Wireguard VPN with management console | `https://git.example.com` |
 | **Caddy** | Reverse proxy with automatic HTTPS | *No direct UI* |
 | **Portainer** | Makes Docker life 100x easier (visual container manager) | `https://<SERVER_IP>:9443` |
 | **Uptime Kuma** | Monitors homelab/domain uptime | `http://<SERVER_IP>:3001` |
@@ -27,6 +28,16 @@ The setup is built with Docker Compose and is designed to be simple, secure, and
     └── compose.yml       # Docker Compose stack for all services
 ```
 
+## Port Forwarding on Your Router
+
+| Service / Purpose            | External Port | Internal Port | Protocol | Required?                | Notes                                                |
+| ---------------------------- | ------------- | ------------- | -------- | ------------------------ | ---------------------------------------------------- |
+| **HTTPS (Caddy)**            | **443**       | 443           | TCP/UDP  | ✅ Yes                    | Needed for all domains + HTTP/3/QUIC                 |
+| **HTTP (Caddy, ACME)**       | **80**        | 80            | TCP      | ✅ Yes                    | Required for certificate issuance + redirect         |
+| **WireGuard VPN**            | **51820**     | 51820         | UDP      | ✅ Yes                    | Main WireGuard tunnel port                           |
+| **WG-Easy Web UI**           | 51821         | 51821         | TCP      | Optional                 | Only forward if you want to access admin UI remotely |
+| **Gitea SSH (Git over SSH)** | **222**       | 22            | TCP      | Optional but recommended | Required for `git clone ssh://...`                   |
+
 ## Secrets and Environment Variables
 
 Before deploying, you **must** replace all placeholder values in the config files. See `.env.example`.
@@ -68,6 +79,7 @@ The **homelab/** folder contains:
   - `https://<auth-domain>` → 2FAuth
   - `https://<storage-domain>` → Filebrowser
   - `https://<vpn-domain>` → Wireguard
+  - `https://<git-domain>` → Gitea
 
 ### Start the stack
 
@@ -85,7 +97,9 @@ mkdir -p services/vaultwarden \
          services/filebrowser/srv \
          services/filebrowser/database \
          services/filebrowser/config \
-         services/wg-easy/data
+         services/wg-easy/data \
+         services/gitea/data \
+         services/gitea/postgres
 ex```
 
 ### Stop the stack
@@ -129,7 +143,7 @@ Then restart the containers:
 
 ```bash
 cd homelab
-docker compose restart vaultwarden 2fauth filebrowser portainer dozzle uptime-kuma netdata
+docker compose restart caddy vaultwarden 2fauth wg-easy gitea filebrowser portainer dozzle uptime-kuma netdata
 ```
 
 ## Updating

homelab/.env.example

@@ -2,8 +2,10 @@ VAULT_DOMAIN=vault.example.com
 AUTH_DOMAIN=auth.example.com
 STORAGE_DOMAIN=storage.example.com
 VPN_DOMAIN=vpn.example.com
+GITEA_DOMAIN=gitea.example.com
 EMAIL=mail@example.com
 TWOFAUTH_APP_KEY=32characterslongrandomstring!
 WG_EASY_PASSWORD_HASH=your_bcrypt_hashed_password
 PORKBUN_API_KEY=your_porkbun_api_key
-PORKBUN_API_SECRET=your_porkbun_api_secret
+PORKBUN_API_SECRET=your_porkbun_api_secret
+GITEA_DB_PASSWORD=your_gitea_database_password

homelab/Caddyfile

@@ -55,3 +55,15 @@
     reverse_proxy wg-easy:51821
 }
 
+# ===========================
+# Gitea
+# ===========================
+{env.VPN_DOMAIN} {
+    import dns_porkbun
+
+    encode gzip
+    tls internal
+    reverse_proxy gitea:3000
+}
+
+

homelab/compose.yml

@@ -77,6 +77,49 @@ services:
     networks:
       - proxy
 
+  # ==========================
+  # Gitea Database (PostgreSQL)
+  # ==========================
+  gitea-db:
+    image: postgres:15
+    container_name: gitea-db
+    restart: always
+    environment:
+      POSTGRES_USER: gitea
+      POSTGRES_PASSWORD: ${GITEA_DB_PASSWORD}
+      POSTGRES_DB: gitea
+    volumes:
+      - ./services/gitea/postgres:/var/lib/postgresql/data
+    networks:
+      - proxy
+
+  # ==========================
+  # Gitea (Git service)
+  # ==========================
+  gitea:
+    image: gitea/gitea:latest
+    container_name: gitea
+    restart: always
+    depends_on:
+      - gitea-db
+    environment:
+      USER_UID: 1000
+      USER_GID: 1000
+      GITEA__database__DB_TYPE: postgres
+      GITEA__database__HOST: gitea-db:5432
+      GITEA__database__NAME: gitea
+      GITEA__database__USER: gitea
+      GITEA__database__PASSWD: ${GITEA_DB_PASSWORD}
+    volumes:
+      - ./services/gitea/data:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "3000:3000"
+      - "222:22"
+    networks:
+      - proxy
+
   # ==========================
   # Caddy (Reverse proxy)
   # ==========================
@@ -100,6 +143,7 @@ services:
       AUTH_DOMAIN: ${AUTH_DOMAIN}
       STORAGE_DOMAIN: ${STORAGE_DOMAIN}
       VPN_DOMAIN: ${VPN_DOMAIN}
+      GITEA_DOMAIN: ${GITEA_DOMAIN}
       EMAIL: ${EMAIL}
       PORKBUN_API_KEY: ${PORKBUN_API_KEY}
       PORKBUN_API_SECRET: ${PORKBUN_API_SECRET}
@@ -166,5 +210,5 @@ services:
       - /sys:/host/sys:ro
 
 networks:
-  default:
+  proxy:
     driver: bridge