Initial sanitized deployment snapshot

git-kc/compose.yaml

@@ -0,0 +1,112 @@
+# Draft target path on vps.git: ~/git-kc/compose.yaml
+# Notes:
+# - Keep nginx on the host.
+# - Keep MySQL private inside the Docker network.
+# - First migration run: Keycloak uses --import-realm.
+#   After successful import, you may remove --import-realm for steady-state.
+# - This draft assumes Gitea SSH is disabled for phase 1.
+
+services:
+  mysql:
+    image: ${MYSQL_IMAGE}
+    container_name: git-kc-mysql
+    restart: unless-stopped
+    env_file:
+      - .env
+    environment:
+      TZ: ${TZ}
+      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
+    command:
+      - --character-set-server=utf8mb4
+      - --collation-server=utf8mb4_0900_ai_ci
+      - --default-authentication-plugin=caching_sha2_password
+      - --skip-name-resolve
+    volumes:
+      - ./mysql/data:/var/lib/mysql
+      - ./mysql/init:/docker-entrypoint-initdb.d:ro
+    healthcheck:
+      test: ["CMD-SHELL", "mysqladmin ping -uroot -p$$MYSQL_ROOT_PASSWORD --silent"]
+      interval: 10s
+      timeout: 5s
+      retries: 12
+      start_period: 20s
+    networks:
+      - git-kc-net
+
+  gitea:
+    image: ${GITEA_IMAGE}
+    container_name: git-kc-gitea
+    restart: unless-stopped
+    depends_on:
+      mysql:
+        condition: service_healthy
+    env_file:
+      - .env
+    user: "${GITEA_UID}:${GITEA_GID}"
+    environment:
+      TZ: ${TZ}
+      USER_UID: ${GITEA_UID}
+      USER_GID: ${GITEA_GID}
+      HOME: /home/git
+      GITEA_WORK_DIR: /var/lib/gitea
+      GITEA_CUSTOM: /var/lib/gitea/custom
+    working_dir: /var/lib/gitea
+    command: ["gitea", "web", "--config", "/etc/gitea/app.ini"]
+    ports:
+      - "${GITEA_HOST_BIND}:${GITEA_HTTP_PORT}:3000"
+    volumes:
+      - /var/lib/gitea:/var/lib/gitea
+      - /home/git:/home/git
+      - ./gitea/app.ini:/etc/gitea/app.ini:ro
+    healthcheck:
+      test: ["CMD-SHELL", "wget -q -O /dev/null http://localhost:3000/ || exit 1"]
+      interval: 15s
+      timeout: 5s
+      retries: 10
+      start_period: 30s
+    networks:
+      - git-kc-net
+
+  keycloak:
+    image: ${KEYCLOAK_IMAGE}
+    container_name: git-kc-keycloak
+    restart: unless-stopped
+    depends_on:
+      mysql:
+        condition: service_healthy
+    env_file:
+      - .env
+    environment:
+      TZ: ${TZ}
+      KC_DB: mysql
+      KC_DB_URL_HOST: ${KC_DB_URL_HOST}
+      KC_DB_URL_PORT: ${KC_DB_URL_PORT}
+      KC_DB_URL_DATABASE: ${KC_DB_URL_DATABASE}
+      KC_DB_USERNAME: ${KC_DB_USERNAME}
+      KC_DB_PASSWORD: ${KC_DB_PASSWORD}
+      KC_HOSTNAME: ${KC_HOSTNAME}
+      KC_HTTP_ENABLED: "true"
+      KC_PROXY_HEADERS: xforwarded
+      KC_HEALTH_ENABLED: "true"
+      KC_METRICS_ENABLED: "true"
+      KC_BOOTSTRAP_ADMIN_USERNAME: ${KC_BOOTSTRAP_ADMIN_USERNAME}
+      KC_BOOTSTRAP_ADMIN_PASSWORD: ${KC_BOOTSTRAP_ADMIN_PASSWORD}
+    command:
+      - start
+    ports:
+      - "${KEYCLOAK_HOST_BIND}:${KEYCLOAK_HTTP_PORT}:8080"
+    volumes:
+      - ./keycloak/import:/opt/keycloak/data/import:ro
+    healthcheck:
+      test: ["CMD-SHELL", "bash -c 'exec 3<>/dev/tcp/localhost/8080' && exit 0 || exit 1"]
+      interval: 15s
+      timeout: 5s
+      retries: 20
+      start_period: 45s
+    networks:
+      - git-kc-net
+
+networks:
+  git-kc-net:
+    name: ${DOCKER_NETWORK_NAME}
+    driver: bridge