Add gitea config. Extract secrets to sops encrypted file.

hosts/home-morefine/docker/gitea/.env

@@ -0,0 +1,18 @@
+# Host git user. Owns git repo. Used for Ssh
+USER=git
+USER_UID=134
+USER_GID=139
+
+GITEA__DATABASE__DB_TYPE=postgres
+GITEA__DATABASE__HOST=db:5432
+GITEA__DATABASE__NAME=gitea
+GITEA__DATABASE__USER=gitea
+#GITEA__DATABASE__PASSWD=secrets.sops.env
+
+GITEA__MAILER__ENABLED=true
+GITEA__MAILER__FROM=gitea@catmedved.com
+GITEA__MAILER__PROTOCOL=smtp+starttls
+GITEA__MAILER__SMTP_PORT=587
+GITEA__MAILER__SMTP_ADDR=smtp.fastmail.com
+#GITEA__MAILER__USER=secrets.sops.env
+#GITEA__MAILER__PASSWD=secrets.sops.env

hosts/home-morefine/docker/gitea/docker-compose.yaml

@@ -0,0 +1,43 @@
+services:
+  gitea:
+    image: gitea/gitea:latest
+    container_name: gitea
+    env_file:
+      - .env
+    restart: unless-stopped
+    networks:
+      - caddy_internal
+      - gitea_db_net
+    volumes:
+      - /srv/rundata/gitea/data:/data
+    # `authorized_keys` file is shared between the host git user and the container git user
+      - /home/git/.ssh:/data/git/.ssh
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      #- "3007:3000"
+      - "127.0.0.1:2222:22" # SSHing Shim (with authorized_keys)
+    depends_on:
+      - gitea_db
+
+  gitea_db:
+    image: postgres:14
+    container_name: gitea_pg_db
+    restart: unless-stopped
+    environment:
+      - USER_UID=${USER_UID}
+      - USER_GID=${USER_GID}
+      - POSTGRES_USER=${GITEA__DATABASE__USER}
+      - POSTGRES_PASSWORD=${GITEA__DATABASE__PASSWD}
+      - POSTGRES_DB=${GITEA__DATABASE__NAME}
+    networks:
+      - gitea_db_net
+    volumes:
+      - /srv/rundata/gitea/postgres:/var/lib/postgresql/data
+
+networks:
+  caddy_internal:
+    name: caddy_internal
+    external: true
+  gitea_db_net:
+    internal: true

hosts/home-morefine/docker/gitea/secrets.sops.env

@@ -0,0 +1,11 @@
+GITEA__DATABASE__PASSWD=ENC[AES256_GCM,data:MXvGPgNtBYhm+6K4,iv:yPKVBAbx+C2Sg40C27bU1S59GF62oK5ON57BiMkc2PE=,tag:q1LQA6oPAei0zBCOLNCXcA==,type:str]
+GITEA__MAILER__USER=ENC[AES256_GCM,data:pmX02eG9T2u44g5fADVOPmtr,iv:cGr4PF7p9apeyQ0AzstESZ38hE33YL7ISKbqR3bxc1o=,tag:uMwBTvyCMXhlPEsERH4CCw==,type:str]
+GITEA__MAILER__PASSWD=ENC[AES256_GCM,data:V3Q/B1RXqBrqyrk/3mrPMQ==,iv:dkFVuC6zFh0lE4C5Cbo0BDplx4gnJxCZWeuAGb/AHm0=,tag:YaV+Z+MYn6Sl0BsB5n5cYQ==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGQVA0U24xcTk2UDdOdnlz\nYnk0UHZ1T1BVcEJwN2ExVmlQLzRFdk10dkRFClN3SWkrakxLOEo0T0hwK2ZhaEdI\nNnFYM1kvZGhDL3lEZlUwbnZXbFRpWEUKLS0tIHRseWVwNUIwREFFMXdGbjY0VVF1\nSnY1cVdKQWxuUFJCTzdrWVNhcThhQ1EKPXVMMmutPt2wF6aJCA++3r4o1b+bMXUn\nfHw4Sx8ZhcGoMfN35dGGODLwpd1ZwpanVyjme3YjRytitT0UIXayXg==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNNEVaWjcxT3JxenE5MTRJ\nQXM2TWFCbm1pZHpESzB0M1lHdGphL2JYTUVJCjdnTHkra3lubkhRblhtVWZnM3Z6\nQzFsc2t0a1BRcHdyT2RDYmFpc1R1VlUKLS0tIGtCYmNYcCtaUW5abjA2OVFzNjBU\neGNlZ1FEeWQ3aVYzdmsveUFnMXgvMlUKloULOaPVfDlwaq0Mf9VB08+ySUqaINen\niMJe2XOqVYflJNn334yuuLfnC5lTeowkCedFd4BlS1TxNld+64ewLw==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73
+sops_lastmodified=2026-02-12T08:48:06Z
+sops_mac=ENC[AES256_GCM,data:1RngTw6NF9uPiIfCFQjjjzyVFaEpXJBeeL3VmbtKhQMTTPC415Ozuqk79GOhVBn6asSoa0GYMwMtrRMasVNYdxpuMCmYSmfQU+P7OjZyYqRKY+53Bur+C7uJnzKk/FIE4E5/vfk10OZ4MongW7Vk9YHcbg4cRPS/Tjk5znkHjDQ=,iv:+wPd1yxadhjsNesC501Rfl3IHFICy9HdgZX8DYiBh5M=,tag:FBFtY8bCfXEj4RAjSLSvvQ==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.11.0