version: "3.8"

# Forgejo para CI/CD self-hosted
# Substitui o GitHub Actions sem perder a experiencia visual
# NOTA: O runner roda como servico systemd, nao como container no Swarm

services:
  forgejo:
    image: codeberg.org/forgejo/forgejo:11
    environment:
      - USER_UID=1000
      - USER_GID=1000
      # Configuracoes do Forgejo
      - FORGEJO__database__DB_TYPE=sqlite3
      - FORGEJO__database__PATH=/data/gitea/forgejo.db
      - FORGEJO__server__DOMAIN=git.esdrasrenan.com.br
      - FORGEJO__server__ROOT_URL=https://git.esdrasrenan.com.br/
      - FORGEJO__server__SSH_DOMAIN=git.esdrasrenan.com.br
      - FORGEJO__server__SSH_PORT=2222
      - FORGEJO__server__HTTP_PORT=3000
      - FORGEJO__server__OFFLINE_MODE=false
      # Actions habilitado
      - FORGEJO__actions__ENABLED=true
      - FORGEJO__actions__DEFAULT_ACTIONS_URL=https://code.forgejo.org
      # Seguranca - INSTALL_LOCK=true apos instalacao inicial
      - FORGEJO__security__INSTALL_LOCK=true
      - FORGEJO__service__DISABLE_REGISTRATION=true
      # Logs
      - FORGEJO__log__MODE=console
      - FORGEJO__log__LEVEL=Info
    volumes:
      - forgejo_data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    networks:
      - traefik_public
      - forgejo_internal
    ports:
      # SSH para git clone via SSH (exposto diretamente)
      - "2222:2222"
    deploy:
      mode: replicated
      replicas: 1
      update_config:
        parallelism: 1
        order: start-first
        failure_action: rollback
        delay: 10s
        monitor: 30s
      resources:
        limits:
          memory: "1G"
        reservations:
          memory: "256M"
      restart_policy:
        condition: any
        delay: 5s
        max_attempts: 3
        window: 120s
      placement:
        constraints:
          - node.role == manager
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik_public
        # Web UI
        - traefik.http.routers.forgejo.rule=Host(`git.esdrasrenan.com.br`)
        - traefik.http.routers.forgejo.entrypoints=websecure
        - traefik.http.routers.forgejo.tls=true
        - traefik.http.routers.forgejo.tls.certresolver=le
        - traefik.http.services.forgejo.loadbalancer.server.port=3000
    healthcheck:
      test: ["CMD", "curl", "-fsSL", "http://localhost:3000/api/healthz"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 60s

volumes:
  forgejo_data:

networks:
  traefik_public:
    external: true
  forgejo_internal:
    driver: overlay